Commit Graph

321 Commits

Author SHA1 Message Date
blackend
2e05beb8f2 Typo: s/o packet/on packet/
PR:		docs/42543
Submitted by:	Michael Lyngbøl <lyngbol@bifrost.lyngbol.dk>
2002-09-08 09:01:08 +00:00
trhodes
136be46680 s/filesystem/file system/g as discussed on -developers 2002-08-21 18:11:48 +00:00
luigi
e149c638d4 Whoops, the manpage lied... ipfw2 has always accepted addr:mask
specifications.
2002-08-21 05:57:41 +00:00
luigi
be3fb71639 One more (hopefully the last one) step in cleaning up the syntax,
following Julian's good suggestion: since you can specify any match
pattern as an option, rules now have the following format:

	[<proto> from <src> to <dst>] [options]

i.e. the first part is now entirely optional (and left there just
for compatibility with ipfw1 rulesets).

Add a "-c" flag to show/list rules in the compact form
(i.e. without the "ip from any to any" part) when possible.
The default is to include it so that scripts processing ipfw's
canonical output will still work.
Note that as part of this cleanup (and to remove ambiguity), MAC
fields now can only be specified in the options part.

Update the manpage to reflect the syntax.

Clarify the behaviour when a match is attempted on fields which
are not present in the packet, e.g. port numbers on non TCP/UDP
packets, and the "not" operator is specified. E.g.

	ipfw add allow not src-port 80

will match also ICMP packets because they do not have port numbers, so
"src-port 80" will fail and "not src-port 80" will succeed. For such
cases it is advised to insert further options to prevent undesired results
(e.g. in the case above, "ipfw add allow proto tcp not src-port 80").

We definitely need to rewrite the parser using lex and yacc!
2002-08-19 12:36:54 +00:00
luigi
7a01faeb98 Major cleanup of the parser and printing routines in an attempt to
render the syntax less ambiguous.

Now rules can be in one of these two forms

	<action> <protocol> from <src> to <dst> [options]
	<action> MAC dst-mac src-mac mac-type [options]

however you can now specify MAC and IP header fields as options e.g.

	ipfw add allow all from any to any mac-type arp
	ipfw add allow all from any to any { dst-ip me or src-ip me }

which makes complex expressions a lot easier to write and parse.
The "all from any to any" part is there just for backward compatibility.

Manpage updated accordingly.
2002-08-19 04:52:15 +00:00
luigi
f683cf16ad Complete list of differences between ipfw1 and ipfw2. 2002-08-16 14:27:22 +00:00
luigi
6d2f675ff7 sys/netinet/ip_fw2.c:
Implement the M_SKIP_FIREWALL bit in m_flags to avoid loops
    for firewall-generated packets (the constant has to go in sys/mbuf.h).

    Better comments on keepalive generation, and enforce dyn_rst_lifetime
    and dyn_fin_lifetime to be less than dyn_keepalive_period.

    Enforce limits (up to 64k) on the number of dynamic buckets, and
    retry allocation with smaller sizes.

    Raise default number of dynamic rules to 4096.

    Improved handling of set of rules -- now you can atomically
    enable/disable multiple sets, move rules from one set to another,
    and swap sets.

sbin/ipfw/ipfw2.c:

    userland support for "noerror" pipe attribute.

    userland support for sets of rules.

    minor improvements on rule parsing and printing.

sbin/ipfw/ipfw.8:

    more documentation on ipfw2 extensions, differences from ipfw1
    (so we can use the same manpage for both), stateful rules,
    and some additional examples.
    Feedback and more examples needed here.
2002-08-16 10:31:47 +00:00
luigi
d7e57fda87 Fix one parsing bug introduced by last commit, and correct parsing
and printing of or-blocks in address, ports and options lists.
2002-08-10 15:10:15 +00:00
luigi
7e0588a056 Major revision of the ipfw manpage, trying to make it up-to-date
with ipfw2 extensions and give examples of use of the new features.

This is just a preliminary commit, where i simply added the basic
syntax for the extensions, and clean up the page (e.g. by listing
things in alphabetical rather than random order).
I would appreciate feedback and possible corrections/extensions
by interested parties.

Still missing are a more detailed description of stateful rules
(with keepalives), interaction with of stateful rules and natd (don't do
that!), examples of use with the recently introduced rule sets.

There is an issue related to the MFC: RELENG_4 still has ipfw as a
default, and ipfw2 is optional. We have two options here: MFC this
page as ipfw(8) adding a large number of "SORRY NOT IN IPFW" notes,
or create a new ipfw2(8) manpage just for -stable users.  I am all
for the first approach, but of course am listening to your comments.
2002-08-10 15:04:40 +00:00
luigi
e3c4c6c9da One bugfix and one new feature.
The bugfix (ipfw2.c) makes the handling of port numbers with
a dash in the name, e.g. ftp-data, consistent with old ipfw:
use \\ before the - to consider it as part of the name and not
a range separator.

The new feature (all this description will go in the manpage):

each rule now belongs to one of 32 different sets, which can
be optionally specified in the following form:

	ipfw add 100 set 23 allow ip from any to any

If "set N" is not specified, the rule belongs to set 0.

Individual sets can be disabled, enabled, and deleted with the commands:

	ipfw disable set N
	ipfw enable set N
	ipfw delete set N

Enabling/disabling of a set is atomic. Rules belonging to a disabled
set are skipped during packet matching, and they are not listed
unless you use the '-S' flag in the show/list commands.
Note that dynamic rules, once created, are always active until
they expire or their parent rule is deleted.
Set 31 is reserved for the default rule and cannot be disabled.

All sets are enabled by default. The enable/disable status of the sets
can be shown with the command

	ipfw show sets

Hopefully, this feature will make life easier to those who want to
have atomic ruleset addition/deletion/tests. Examples:

To add a set of rules atomically:

	ipfw disable set 18
	ipfw add ... set 18 ...		# repeat as needed
	ipfw enable set 18

To delete a set of rules atomically

	ipfw disable set 18
	ipfw delete set 18
	ipfw enable set 18

To test a ruleset and disable it and regain control if something
goes wrong:

	ipfw disable set 18
	ipfw add ... set 18 ...         # repeat as needed
	ipfw enable set 18 ; echo "done "; sleep 30 && ipfw disable set 18

    here if everything goes well, you press control-C before
    the "sleep" terminates, and your ruleset will be left
    active. Otherwise, e.g. if you cannot access your box,
    the ruleset will be disabled after the sleep terminates.

I think there is only one more thing that one might want, namely
a command to assign all rules in set X to set Y, so one can
test a ruleset using the above mechanisms, and once it is
considered acceptable, make it part of an existing ruleset.
2002-08-10 04:37:32 +00:00
luigi
41b5da4c20 Fix generation of check-state rules, which i broke in last commit. 2002-08-04 05:16:19 +00:00
luigi
5f890d455e Forgot this one: properly initialize an address set when the set
size is less than 32 bits (/28 mask or more).
Also remove a debugging fprintf().
2002-07-31 22:42:08 +00:00
luigi
9503b6d5cd Two bugfixes:
+ the header file contains two different opcodes (O_IPOPTS and O_IPOPT)
    for what is the same thing, and sure enough i used one in the kernel
    and the other one in userland. Be consistent!

  + "keep-state" and "limit" must be the last match pattern in a rule,
    so no matter how you enter them move them to the end of the rule.
2002-07-31 22:31:47 +00:00
sheldonh
a68ade16e2 Add SEE ALSO references to papers handling RED. 2002-07-25 09:37:11 +00:00
luigi
8c163527e8 A bunch of minor fixes:
* accept "icmptype" as an alias for "icmptypes";
* remove an extra whitespace after "log" rules;
* print correctly the "limit" masks;
* correct a typo in parsing dummynet arguments (this caused a coredump);
* do not allow specifying both "check-state" and "limit", they are
  (and have always been) mutually exclusive;
* remove an extra print of the rule before installing it;
* make stdout buffered -- otherwise, if you log its output with syslog,
  you will see one entry for each printf(). Rather unpleasant.
2002-07-13 15:57:23 +00:00
bde
34bfc91385 Uncommented WARNS=0. ipfw2.c is full of printf format errors that are
fatal on alphas.

Fixed setting of WARNS.  WARNS should never be set unconditionally, since
this breaks testing of different WARNS values by setting it at a higher
level (e.g., on the command line).
2002-07-11 17:33:37 +00:00
bde
91dbf8726e Fixed some world breakage caused by not updating clients when <timeconv.h>
was split off from <time.h>.  This became fatal here when -Werror was
reenabled.
2002-07-08 19:49:52 +00:00
charnier
a2accd01f0 The .Nm utility 2002-07-06 19:34:18 +00:00
luigi
95e13a442b Implement the last 2-3 missing instructions for ipfw,
now it should support all the instructions of the old ipfw.

Fix some bugs in the user interface, /sbin/ipfw.

Please check this code against your rulesets, so i can fix the
remaining bugs (if any, i think they will be mostly in /sbin/ipfw).

Once we have done a bit of testing, this code is ready to be MFC'ed,
together with a bunch of other changes (glue to ipfw, and also the
removal of some global variables) which have been in -current for
a couple of weeks now.

MFC after: 7 days
2002-07-05 22:43:06 +00:00
luigi
a9ab854862 The new ipfw code.
This code makes use of variable-size kernel representation of rules
(exactly the same concept of BPF instructions, as used in the BSDI's
firewall), which makes firewall operation a lot faster, and the
code more readable and easier to extend and debug.

The interface with the rest of the system is unchanged, as witnessed
by this commit. The only extra kernel files that I am touching
are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In
userland I only had to touch those programs which manipulate the
internal representation of firewall rules).

The code is almost entirely new (and I believe I have written the
vast majority of those sections which were taken from the former
ip_fw.c), so rather than modifying the old ip_fw.c I decided to
create a new file, sys/netinet/ip_fw2.c .  Same for the user
interface, which is in sbin/ipfw/ipfw2.c (it still compiles to
/sbin/ipfw).  The old files are still there, and will be removed
in due time.

I have not renamed the header file because it would have required
touching a one-line change to a number of kernel files.

In terms of user interface, the new "ipfw" is supposed to accepts
the old syntax for ipfw rules (and produce the same output with
"ipfw show". Only a couple of the old options (out of some 30 of
them) has not been implemented, but they will be soon.

On the other hand, the new code has some very powerful extensions.
First, you can put "or" connectives between match fields (and soon
also between options), and write things like

ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any

This should make rulesets slightly more compact (and lines longer!),
by condensing 2 or more of the old rules into single ones.

Also, as an example of how easy the rules can be extended, I have
implemented an 'address set' match pattern, where you can specify
an IP address in a format like this:

        10.20.30.0/26{18,44,33,22,9}

which will match the set of hosts listed in braces belonging to the
subnet 10.20.30.0/26 . The match is done using a bitmap, so it is
essentially a constant time operation requiring a handful of CPU
instructions (and a very small amount of memmory -- for a full /24
subnet, the instruction only consumes 40 bytes).

Again, in this commit I have focused on functionality and tried
to minimize changes to the other parts of the system. Some performance
improvement can be achieved with minor changes to the interface of
ip_fw_chk_t. This will be done later when this code is settled.

The code is meant to compile unmodified on RELENG_4 (once the
PACKET_TAG_* changes have been merged), for this reason
you will see #ifdef __FreeBSD_version in a couple of places.
This should minimize errors when (hopefully soon) it will be time
to do the MFC.
2002-06-27 23:02:18 +00:00
luigi
4253c81449 Handle symbolic names for common ethernet types (ip, arp etc.)
Remove custom definitions (IP_FW_TCPF_SYN etc.) of TCP header flags
which are the same as the original ones (TH_SYN etc.)
2002-05-13 10:19:59 +00:00
luigi
b5fe0c436b Main functional change is the implementation of matching of MAC header
fields as discussed in the commit to ip_fw.c:1.186

On top of this, a ton of non functional changes to clean up the code,
write functions to replace sections of code that were replicated
multiple times (e.g. the printing or matching of flags and options),
splitting long sections of inlined code into separate functions,
and the like.

I have tested the code quite a bit, but some typos (using one variable
in place of another) might have escaped.

The "embedded manpage" is a bit inconsistent, but i am leaving fixing
it for later. The current format makes no sense, it is over 40 lines
long and practically unreadable. We can either split it into sections
( ipfw -h options  , ipfw -h pipe , ipfw -h queue ...)
or remove it altogether and refer to the manpage.
2002-05-12 20:52:21 +00:00
luigi
8b2204b3d0 Fix a couple of problems which could cause panics at runtime:
+ setting a bandwidth too large for a pipe (above 2Gbit/s) could
   cause the internal representation (which is int) to wrap to a
   negative number, causing an infinite loop in the kernel;

 + (see PR bin/35628): when configuring RED parameters for a queue,
   the values are not passed to the kernel resulting in panics at
   runtime (part of the problem here is also that the kernel does
   not check for valid parameters being passed, but this will be
   fixed in a separate commit).

These are both critical fixes which need to be merged into 4.6-RELEASE.

MFC after: 1 day
2002-05-05 21:34:10 +00:00
cjc
6b0c9026c6 Enlighten those who read the FINE POINTS of the documentation a bit
more on how ipfw(8) deals with tiny fragments. While we're at it, add
a quick log message to even let people know we dropped a packet. (Note
that the second FINE POINT is somewhat redundant given the first, but
since the code is there, leave the docs for it.)

MFC after:	1 day
2002-05-01 06:29:16 +00:00
dillon
c3dbbbabdf I've been meaning to do this for a while. Add an underscore to the
time_to_xxx() and xxx_to_time() functions.  e.g. _time_to_xxx()
instead of time_to_xxx(), to make it more obvious that these are
stopgap functions & placemarkers and not meant to create a defacto
standard.  They will eventually be replaced when a real standard
comes out of committee.
2002-01-19 23:20:02 +00:00
ru
ffe4658ba9 mdoc(7) police: tidy up the markup in revision 1.96. 2002-01-10 15:41:06 +00:00
rwatson
73b0b24639 o Note that packets diverted using a 'divert' socket, and then
reinserted by a userland process, will lose a number of packet
  attributes, including their source interface.  This may affect
  the behavior of later rules, and while not strictly a BUG, may
  cause unexpected behavior if not clearly documented.  A similar
  note for natd(8) might be desirable.
2002-01-03 01:00:23 +00:00
yar
2124e2c87c Move the discussion of how many times a packet will pass through
ipfirewall(4) to the IMPLEMENTATION NOTES section because it
considers kernel internals and may confuse newbies if placed
at the very beginning of the manpage (where it used to be previously.)

Not objected by:	luigi
2002-01-02 20:48:21 +00:00
yar
59ca9f3607 Clarify the "show" ipfw(8) command.
PR:		docs/31263
Permitted by:	luigi
2002-01-02 20:16:15 +00:00
yar
009b0965a2 Fix a typo: wierd -> weird 2002-01-02 19:46:14 +00:00
julian
993dd6cae8 Fix documentation to match reality 2001-12-28 22:24:26 +00:00
yar
7ee7696269 Implement matching IP precedence in ipfw(4).
Submitted by:   Igor Timkin <ivt@gamma.ru>
2001-12-21 18:43:37 +00:00
rse
b502c619cd At least once mention the long names of WF2Q+ (Worst-case Fair Weighted
Fair Queueing) and RED (Random Early Detection) to both give the reader
a hint what they are and to make it easier to find out more information
about them.
2001-12-14 21:51:28 +00:00
obrien
9baf2f1b03 Default to WARNS=2.
Binary builds that cannot handle this must explicitly set WARNS=0.

Reviewed by:	mike
2001-12-04 02:19:58 +00:00
luigi
707bb64e49 sync the code with the one in stable (mostly formatting changes). 2001-11-04 23:19:46 +00:00
luigi
6e698c7168 Fix a typo in a format string, and fix error checking for missing
masks in "limit" rules.
2001-11-01 08:45:02 +00:00
joe
57e1d6d8b2 More white space changes. 2001-10-29 03:46:28 +00:00
joe
258d90583a More stylistic tidying. 2001-10-29 03:25:49 +00:00
joe
7745d91e4f Remove training white spaces, and some other style violations. 2001-10-29 00:37:24 +00:00
dillon
3e277dbdb4 Properly convert long to time_t 2001-10-28 20:19:14 +00:00
joe
bf1d5c5646 Remove some extraneous spaces from the usage message. 2001-10-28 02:10:40 +00:00
dd
7d0e6121af Repair typo.
PR:		31262
Submitted by:	<swear@blarg.net>
2001-10-14 22:46:05 +00:00
ru
6575ea6b22 mdoc(7) police: fix markup. 2001-10-01 14:13:36 +00:00
billf
5d69c42a56 now that jlemon has added a hash table to lookup locally configured ip
addresses (and the macros that ipfw(4) use to lookup data for the 'me'
keyword have been converted) remove a comment about using 'me' being a
"computationally expensive" operation.

while I'm here, change two instances of "IP number" to "IP address"
2001-09-29 06:33:42 +00:00
luigi
0fb106cc3f Two main changes here:
+ implement "limit" rules, which permit to limit the number of sessions
   between certain host pairs (according to masks). These are a special
   type of stateful rules, which might be of interest in some cases.
   See the ipfw manpage for details.

 + merge the list pointers and ipfw rule descriptors in the kernel, so
   the code is smaller, faster and more readable. This patch basically
   consists in replacing "foo->rule->bar" with "rule->bar" all over
   the place.
   I have been willing to do this for ages!

MFC after: 1 week
2001-09-27 23:44:27 +00:00
luigi
571d41f160 A bunch of minor changes to the code (see below) for readability, code size
and speed. No new functionality added (yet) apart from a bugfix.
MFC will occur in due time and probably in stages.

BUGFIX: fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (there is a PR on this).

OTHER CHANGES: minor changes to the internal struct for static and dynamic rules.
Requires rebuild of ipfw binary.

Add comments to show how data structures are linked together.
(It probably makes no sense to keep the chain pointers separate
from actual rule descriptors. They will be hopefully merged soon.

keep a (sysctl-readable) counter for the number of static rules,
to speed up IP_FW_GET operations

initial support for a "grace time" for expired connections, so we
can set timeouts for closing connections to much shorter times.

merge zero_entry() and resetlog_entry(), they use basically the
same code.

clean up and reduce replication of code for removing rules,
both for readability and code size.

introduce a separate lifetime for dynamic UDP rules.

fix a problem in old code which prevented reallocation of
the hash table for dynamic rules (PR ...)

restructure dynamic rule descriptors

introduce some local variables to avoid multiple dereferencing of
pointer chains (reduces code size and hopefully increases speed).
2001-09-20 13:52:49 +00:00
ru
3486bb456a Non-decimal ``skipto'' rule numbers are meaningless.
Noticed by:	"Marc G. Fournier" <scrappy@hub.org>
MFC after:	3 days
2001-09-19 15:12:14 +00:00
ru
4345758876 mdoc(7) police:
Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text.
Not only this slows down the mdoc(7) processing significantly, but it also
has an undesired (in this case) effect of disabling hyphenation within the
entire enclosed block.
2001-08-07 15:48:51 +00:00
ru
77328d8cba Fixed one more breakage introduced in 1.103 cleanup.
ICMP types were reported incorrectly:

# ipfw add allow icmp from any to any icmptypes 0,8

PR:		bin/29185
Submitted by:	Mike Durian <durian@boogie.com>
2001-08-06 13:03:38 +00:00
obrien
783238c99f style(9) 2001-08-01 07:05:51 +00:00
cjc
caf592b72e Error messaging in ipfw(8) was out of hand, almost 50 lines of usage
information for any command line error, the actual error message
almost always (and sometimes irretrievably) lost scrolling off the top
of the screen. Now just print the error. Give ipfw(8) no arguments for
the old usage summary.

Thanks to Lyndon Nerenberg <lyndon@orthanc.ab.ca> for the patch and
PR, but I had already done this when ru pointed out the PR.

PR:		bin/28729
Approved by:	ru
MFC after:	1 week
2001-07-22 06:40:11 +00:00
ru
7cef49ff86 mdoc(7) police: removed HISTORY info from the .Os call. 2001-07-10 11:04:34 +00:00
cjc
4596097b70 Fix rule parsing breakage introduced in 1.103 cleanup. 'tcp' and
'icmp' rules could drop into infinite loops when given bad arguments.

Reviewed by:	ru, des
Approved by:	ru
2001-07-10 05:44:51 +00:00
dd
eaa6ee03b8 mdoc(7) police: remove extraneous .Pp before and/or after .Sh. 2001-07-09 09:54:33 +00:00
kris
172724d2a0 Silence format string warnings.
MFC after:	2 weeks
2001-07-01 22:00:26 +00:00
chris
67d20a6cbe Mention Alexandre Peixoto's share/examples/ipfw/change_rules.sh in the
checklist.

MFC after:	1 week
2001-06-06 20:56:56 +00:00
des
d2c56fe110 Invert the meaning of the -d option (i.e. default to *not* list dynamic rules,
but list them if -d was specified).

Avoid listing expired dynamic rules unless the (new) -e option was specified.

If specific rule numbers were listed on the command line, and the -d flag was
specified, only list dynamic rules that match the specified rule numbers.

Try to partly clean up the bleeding mess this file has become.  If there is
any justice in this world, the responsible parties (you know who you are!)
should expect to wake up one morning with a horse's head in their bed.  The
code still looks like spaghetti, but at least now it's *properly intented*
spaghetti (hmm?  did somebody say "tagliatelle"?).
2001-06-04 23:56:26 +00:00
dwmalone
05e29fb52c Add a flag to "ipfw show" which supresses the display of dynamic
rules.  Also, don't show dynamic rules if you only asked to see a
certain rule number.

PR:		18550
Submitted by:	Lyndon Nerenberg <lyndon@orthanc.ab.ca>
Approved by:	luigi
MFC after:	2 weeks
2001-05-20 10:01:39 +00:00
ru
029dfd12d6 Update comment to match ipfw/ipfw.c,v 1.95. 2001-04-13 06:49:47 +00:00
bde
1e9f669d37 Fixed some printf format errors (don't assume that ntohl() returns u_long). 2001-04-05 07:37:55 +00:00
ru
86642a4ab4 - Backout botched attempt to introduce MANSECT feature.
- MAN[1-9] -> MAN.
2001-03-26 14:33:27 +00:00
ru
56b5d7535b Set the default manual section for sbin/ to 8. 2001-03-20 18:13:31 +00:00
ru
fc46a7fba6 mdoc(7) police: removed hard sentence break introduced in rev 1.82. 2001-03-16 07:39:46 +00:00
dd
7f44238897 Explain that TCP fragments with an offset of 1 are reported as being
dropped by rule -1 if logging is enabled.

PR:		25796
Submitted by:	Crist J. Clark <cjclark@alum.mit.edu>
Approved by:	nik
2001-03-16 01:28:11 +00:00
ru
9177fc64e9 Document that the IPFW messages are logged via syslogd(8). 2001-02-22 09:12:44 +00:00
ru
93da2eda0f mdoc(7) police: normalize the construct. 2001-02-15 08:36:20 +00:00
sheldonh
fb1e228ffb Fix grammar nit in previous commit. 2001-02-14 15:03:20 +00:00
phk
be4fee4a9b Introduce a new feature in IPFW: Check of the source or destination
address is configured on a interface.  This is useful for routers with
dynamic interfaces.  It is now possible to say:

        0100 allow       tcp from any to any established
        0200 skipto 1000 tcp from any to any
        0300 allow       ip from any to any
        1000 allow       tcp from 1.2.3.4 to me 22
        1010 deny        tcp from any to me 22
        1020 allow       tcp from any to any

and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.

The check is semi expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.
2001-02-13 14:12:37 +00:00
rwatson
c4fb1f7419 o IPFW incorrectly handled filtering in the presence of previously
reserved and now allocated TCP flags in incoming packets.  This patch
  stops overloading those bits in the IP firewall rules, and moves
  colliding flags to a seperate field, ipflg.  The IPFW userland
  management tool, ipfw(8), is updated to reflect this change.  New TCP
  flags related to ECN are now included in tcp.h for reference, although
  we don't currently implement TCP+ECN.

o To use this fix without completely rebuilding, it is sufficient to copy
  ip_fw.h and tcp.h into your appropriate include directory, then rebuild
  the ipfw kernel module, and ipfw tool, and install both.  Note that a
  mismatch between module and userland tool will result in incorrect
  installation of firewall rules that may have unexpected effects.  This
  is an MFC candidate, following shakedown.  This bug does not appear
  to affect ipfilter.

Reviewed by:	security-officer, billf
Reported by:	Aragon Gouveia <aragon@phat.za.net>
2001-01-09 03:10:30 +00:00
ru
6c6a7d3786 Prepare for mdoc(7)NG. 2000-12-27 14:40:52 +00:00
ru
7fe8bd2b88 Prepare for mdoc(7)NG. 2000-12-18 15:16:24 +00:00
ru
835a46c9c2 mdoc(7) police: do not split author names in the AUTHORS section. 2000-11-22 09:35:58 +00:00
ru
ea31070695 mdoc(7) police: use the new features of the Nm macro. 2000-11-20 16:52:27 +00:00
ben
bd94b89a9a more removal of trailing periods from SEE ALSO. 2000-11-15 16:44:24 +00:00
ru
6667b54a02 IPFW does not discard *any* IP fragments with OFF=1, only TCP ones. 2000-10-30 09:44:20 +00:00
ru
26ce601f70 Allow for IP_FW_ADD to be used in getsockopt(2) incarnation as
well, in which case return the rule number back into userland.

PR:		bin/18351
Reviewed by:	archie, luigi
2000-10-12 07:59:14 +00:00
ru
721d9c664e Reset globals for every new command read from preprocessed file. 2000-10-11 13:02:30 +00:00
ru
d7a5334858 Only interpret the last command line argument as a file to
be preprocessed if it is specified as an absolute pathname.

PR:		bin/16179
2000-10-11 12:17:06 +00:00
ru
7a20b52ef4 Convert this Makefile to the usual style. 2000-10-06 11:18:11 +00:00
ru
dba872611a Document the latest firewall knobs. 2000-10-06 11:17:06 +00:00
ru
fab87e4edb Respect the protocol when looking the port up by service name.
PR:		21742
2000-10-04 07:59:19 +00:00
ru
4c234c7966 Do not force argument to ``ipid'' modifier be in hex, and
accept value of zero as valid for IP Identification field.
2000-10-03 11:23:29 +00:00
ru
948e4e6d8c Fixed the printing of TCP flags. 2000-10-03 10:37:03 +00:00
billf
e80d3292ca Add new fields for more granularity:
IP: version, tos, ttl, len, id
	TCP: seq#, ack#, window size

Reviewed by:	silence on freebsd-{net,ipfw}
2000-10-02 03:03:31 +00:00
ru
105baa72f0 Document that net.inet.ip.fw.one_pass only affects dummynet(4).
Noticed by:	Peter Jeremy<peter.jeremy@alcatel.com.au>
2000-09-29 08:39:06 +00:00
imp
22208cf490 optreset is declared in unistd.h now. 2000-08-16 07:36:30 +00:00
billf
96eac2843a Fix a paste-o in the tcpoptions check (not a security problem, just a
error in the usage printf())

Reviewed by:	rwatson
2000-07-17 03:02:15 +00:00
kris
b6f7c1eb1a Don't call sprintf() with no format string. 2000-07-10 08:22:21 +00:00
billf
a0d2bc60bb Reorder the "prob" section in the output of list/show so it can be copy/pasted
into add without problems.

The previous commit had the other half of this original patch which handled
tcpflags/tcpflgs confusion in output/input.
2000-06-18 02:48:19 +00:00
luigi
021d03f5bf Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
ru
7050356974 Fixed style bugs of rev 1.66. 2000-06-12 09:43:00 +00:00
dan
c3897dad80 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
luigi
31f827d91f Document new dummynet functionality, namely WF2Q+ and RED 2000-06-08 13:38:57 +00:00
luigi
aefe1c98be userland side of WF2Q+ support in dummynet.
Manpage coming later...
2000-06-08 10:08:39 +00:00
sheldonh
5087dcbf10 Remove extraneous Dv macro that slipped in, in rev 1.64. 2000-05-03 08:59:44 +00:00
asmodai
c442c7bb98 Remove unused include, and place sys includes at top, which enabled
us to remove this include.
2000-05-01 20:19:44 +00:00
green
345524b782 Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a
rule that logs without a log limit, use "logamount 0" in addition to "log".
2000-04-30 06:44:11 +00:00
ru
543d5b0485 A huge rewrite of the manual page (mostly -mdoc related).
Reviewed by:	luigi, sheldonh
2000-02-28 15:21:12 +00:00
luigi
83467efa87 Use correct field for dst_port when displaying masks on dynamic pipes. 2000-02-13 11:46:59 +00:00
luigi
f6954f1a86 Support and document new stateful ipfw features.
Approved-by: jordan
2000-02-10 14:25:26 +00:00
luigi
d83a053c96 Support per-flow queueing in dummynet.
Implement masks on UDP/TCP ports.
Large rewrite of the manpage.

Work supported by Akamba Corp.
2000-01-08 11:19:19 +00:00
archie
a90457c20c Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
    but should continue going through the rule list.  This may be fixed
    in a later version.

I hope to fix this soon in a separate commit.
1999-12-06 01:00:24 +00:00
ru
d73b3f074e Remove one obsoleted entry from the BUGS section. 1999-10-20 12:59:35 +00:00
green
6ea78090c5 Make the "uid" and "gid" code better. Now it can detect invalid user
names/numbers.

Reviewed by:	chris
1999-09-03 18:18:46 +00:00
peter
76f0c923fe $Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00
green
e3f950dd51 To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
	* macros expanding into _two_ comma-delimited arguments!
	* snprintf!
	* more snprintf!
	* linting and criticism by more people than you can shake a stick at!
	* a slightly more uniform message style than before!
	 and last but not least
	* no less than 5 rewrites!

Reviewed by:	committers
1999-08-21 18:35:55 +00:00
luigi
a97a8415d6 Whoops, forgot one line in previous patch. 1999-08-12 05:32:11 +00:00
luigi
fca87bca8c Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.
1999-08-11 15:36:13 +00:00
green
d848a791d1 Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
green
280f8f95b4 This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
ru
dc3c0e0e20 Document the usage of escape character in a service name.
PR:		7101
Reminded by:	jhs
1999-06-15 12:56:38 +00:00
ru
3bb755ec02 Workaround the problem that the first (and only first) port name
can't have a dash character (it is treated as a ``range'' operator).
One could now use such a name by escaping the ``-'' characters.
For example:

# ipfw add 1 count tcp from any to any "ms\-sql\-s"
# ipfw add 2 count tcp from any ftp\\-data-ftp to any

PR:		7101
1999-06-11 09:43:53 +00:00
ru
d77ca2fb02 Fix the parsing of ip addresses on a command line.
PR:		5047
Reviewed by:	des
Test case:	ipfw add allow ip from 127.1 to any
1999-06-04 11:20:59 +00:00
ru
b1cc23e0b1 Spelling corrections for dummynet.
Reviewed by:	des,luigi
1999-06-02 05:59:48 +00:00
kris
bd85d67256 Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.

Submitted by:	Philippe Charnier
1999-05-29 08:12:38 +00:00
luigi
20a6693414 close pr 10889:
+ add a missing call to dn_rule_delete() when flushing firewall
  rules, thus preventing possible panics due to dangling pointers
  (this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more
  tolerant of common mistakes (such as specifying kbit instead of Kbit)

PR: kern/10889
Submitted by: Ruslan Ermilov
1999-05-24 10:01:22 +00:00
ghelmer
7af69b2bdc Add ICMP types to list of information about each packet. 1999-04-29 19:14:17 +00:00
ghelmer
5509f489bb Explain when packets are tesed by the firewall rules and what attributes
of packets can be tested.

PR:		docs/7437
1999-04-28 02:49:29 +00:00
ghelmer
12f0f111e6 Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
Submitted by:	Nathan Ahlstrom <nrahlstr@winternet.com>
1999-04-08 13:56:25 +00:00
archie
d2ea85ad41 Fix bug where 'ipfw list' would choke if there were a large number of rules. 1999-01-22 01:46:32 +00:00
archie
1af6c2ec4a Fix misleading wording in ipfw(8) man page.
PR: docs/9603
1999-01-21 19:51:04 +00:00
luigi
ceacd398c6 Remove coredump when running "ipfw pipe" without more arguments.
PR: 8937
1998-12-27 11:23:05 +00:00
ghelmer
fe4bef1579 Mention affect of securelevel 3 and higher on attempts to change filter lists.
Prompted by:	PR docs/7785
1998-12-16 17:10:03 +00:00
luigi
12bd4907ac ipfw changes for dummynet. manpages still missing 1998-12-14 18:43:03 +00:00
archie
566ad38652 Disallow ipfw "tee" rules until it is actually implemented.
PR:		bin/8471
1998-12-07 05:54:37 +00:00
joerg
f17aeea6de Preprocessor support for `ipfw [-q] ... file'.
This allows for more flexible ipfw configuration files using
`variables' to describe frequently used items in the file, like the
local IP address(es), interface names etc.  Both m4 and cpp are useful
and supported; with m4 being a little more unusual to the common C
programmer, things like automatic rule numbering can be achieved
fairly easy.

While i was at it, i've also untangled some of the ugly style inside
main(), and fixed a bug or two (like not being able to use blank lines
when running with -q).

A typical call with preprocessor invocation looks like

	ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules

Someone should probably add support for this feature to /etc/rc.firewall.
1998-11-23 10:54:28 +00:00
alex
b7f776d8de The flags type was recently changed from u_short to u_int, breaking
icmptypes.

PR:		8067
Submitted by:	Jonathan Hanna <jh@cr1003333-a.crdva1.bc.wave.home.com>

While I'm here, staticize functions.
1998-09-28 22:56:37 +00:00
thepish
73c173acec PR: 7475
Added support for -q (suppress output) when firewall rules are taken from a
file. Solves PR 7475
1998-08-04 14:41:37 +00:00
julian
22a5d80812 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
danny
ade4291d50 Reminded by: Alex Nash
Bring man page up to date with -q flag behaviour.
1998-05-19 12:50:35 +00:00
max
1298bb5776 Typo fix. 1998-05-19 03:10:14 +00:00
danny
1cc49ca972 PR: 6641
Submitted by:	Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
Make -q work for zeroing a specific rule.
1998-05-15 12:38:07 +00:00
phk
3aab9d8b31 When ipfw reads its rules from an input file, the optind variable is
not reinitialized to 1 after calling getopt. This results in parsing
errors on all but the first rule. An added patch also allows '#'
comments at the end of a line.

PR:		6379
Reviewed by:	phk
Submitted by:	Neal Fachan <kneel@ishiboo.com>
1998-04-22 06:20:20 +00:00
cracauer
0009308669 (evil) hackers -> crackers 1998-04-08 12:00:48 +00:00
charnier
8e69ba3343 .Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq. 1998-03-19 07:46:04 +00:00
alex
1129389306 Get the arguments to show_usage right (like the MFC'ed code in -stable).
Submitted by:	bde
1998-03-13 02:31:21 +00:00
alex
0fbf800481 Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:

  - Do not match fragmented packets if the rule specifies a port or
    TCP flags
  - Match fragmented packets if the rule does not specify a port and
    TCP flags

Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags.  Both kernel and ipfw userland utility will reject rules
containing a combination of these options.

BEWARE: packets that were previously passed may now be rejected, and
vice versa.

Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-02-12 00:57:06 +00:00
alex
35f59936c3 Bump up packet and byte counters to 64-bit unsigned ints. As a
consequence, ipfw's list command now adjusts its output at runtime
based on the largest packet/byte counter values.

NOTE:
  o The ipfw struct has changed requiring a recompile of both kernel
    and userland ipfw utility.

  o This probably should not be brought into 2.2.

PR:		3738
1998-01-08 03:03:54 +00:00
alex
0ff0dd536e Format mismatch in error message.
Submitted by:	bde
1998-01-08 00:27:31 +00:00
alex
c2173ecb3e Support listing/showing specific rules supplied on the command line.
Use error codes from <sysexits.h>.
1998-01-07 02:23:04 +00:00
alex
4e04c4e039 Display a better error message and use a non-zero exit code when
zero/delete operations fail.

PR:		4231
Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-01-06 00:11:57 +00:00
alex
367097735d Put the return value of getopt into an int, not a char. 1997-12-26 03:24:26 +00:00
julian
e434f4878b Allow ipfw to accept comments and blank lines.
This makes ipfw config files a LOT more readable.
1997-12-05 02:43:26 +00:00
wosch
8ee659dd96 Sort cross refereces in section SEE ALSO. 1997-09-29 19:11:55 +00:00
peter
821f87d72d Mention the IPFIREWALL_DEFAULT_TO_ACCEPT option and it's effect on
rule 65535
1997-09-10 04:02:37 +00:00
peter
f8ab40fb46 Fix typo (65434 -> 65534) 1997-09-10 03:52:50 +00:00
danny
dfd8a56d45 Bring comment on '-a' flag in line with reality. 1997-08-21 07:30:08 +00:00
alex
dc3ab85890 Support interface names up to 15 characters in length. In order to
accommodate the expanded name, the ICMP types bitmap has been
reduced from 256 bits to 32.

A recompile of kernel and user level ipfw is required.

To be merged into 2.2 after a brief period in -current.

PR:		bin/4209
Reviewed by:	Archie Cobbs <archie@whistle.com>
1997-08-08 14:36:29 +00:00
brian
fa74c6b5cf Allow service names as the divert/tee arg. 1997-07-25 03:13:46 +00:00
julian
b2627a7a7f Allow ipfw to look up service names from /etc/services (or NIS if turned on)
note.. this would be dangerous if your ipfw was blocking NIS access :)

Submitted by: archie@whistle.com (Archie Cobbs)
1997-06-23 22:32:13 +00:00