MFC: 1.197
Add a note about rule syntax compared to the shell used so users do not get
frustraited when:
ipfw add 201 deny ip from any to table(2) in via xl1
returns "Badly placed ( )'s"
PR: 73638
Approved by: re (hrs)
Use bzero() to clear the whole ipfw_insn_icmp6 structure in fill_icmp6types(),
otherwise this command
ipfw add allow ipv6-icmp from any to 2002::1 icmp6types 1,2,128,129
turns into icmp6types 1,2,32,33,34,...94,95,128,129
PR: 102422 (part 1)
Submitted by: Andrey V. Elsukov <bu7cher at yandex.ru>
Approved by: re (hrs)
For src/dest parsing take off the netmask before checking for AF with
inet_pton. This fixes cases like "fe02::/16".
PR: bin/91245
Reported by: Fredrik Lindberge
Reminded by: oleg
src/sys/netinet/ip_dummynet.c rev. 1.101
- Fix following rules: pipe X (tag|altq) Y ...
src/sys/netinet/ip_fw.h rev. 1.106
src/sys/netinet/ip_fw2.c rev. 1.132 1.134 1.135
src/sbin/ipfw/ipfw2.c rev. 1.89 1.91
src/sbin/ipfw/ipfw.8 rev. 1.188 1.189 1.190
- Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
Since tags are kept while packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.
Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru>
- install_state(): style(9) cleanup
- Add support of 'tablearg' feature for:
a) 'tag' & 'untag' action parameters.
b) 'tagged' & 'limit' rule options.
- Minor imporvements to ipfw parser:
a) new macros:
GET_UINT_ARG - support of 'tablearg' keyword, argument range checking.
PRINT_UINT_ARG - support of 'tablearg' keyword.
b) strtoport(): do not silently truncate/accept invalid port list expressions
like: '1,2-abc' or '1,2-3-4' or '1,2-3x4', style(9) cleanup.
install_state() should properly initialize 'addr_type' field of newly created
flows for O_LIMIT rules.
MFC src/sbin/ipfw/ipfw2.c rev.1.90 (mlaier):
Print dynamic rules for IPv6 as well.
PR: bin/98349
Add a new feature for optimizining ipfw rulesets - substitution of the
action argument with the value obtained from table lookup. The feature
is now applicable only to "pipe", "queue", "divert", "tee", "netgraph"
and "ngtee" rules.
IPv6 support was committed:
- Stop treating `ip' and `ipv6' as special in `proto' option as they
conflict with /etc/protocols.
- Disuse `ipv4' in `proto' option as it is corresponding to `ipv6'.
- When protocol is specified as numeric, treat it as it is even it is
41 (ipv6).
- Allow zero for protocol as it is valid number of `ip'.
sbin/ipfw/ipfw.8: 1.180
src/sbin/ipfw/ipfw2.c: 1.80
rev. 1.108, 1.109 src/sys/netinet/ip_fw2.c
rev. 1.101 src/sys/netinet/ip_fw.h
rev. 1.77 src/sbin/ipfw/ipfw2.c
rev. 1.176 src/sbin/ipfw/ipfw.8
* Add dynamic sysctl for net.inet6.ip6.fw.
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.
* Fix build without INET6 and IPFIREWALL compiled into kernel.[1]
Submitted by: sysctl handling derived from patch from ume needed for ip6fw
Obtained from: is_icmp6_query and send_reject6 derived from similar
functions of netinet6,ip6fw
Reviewed by: ume, gnn; silence on ipfw@
Spotted and tested by: Michal Mertl <mime at traveller.cz>[1]
Approved by: re (kensmith)
policy. It may be used to provide more detailed classification of
traffic without actually having to decide its fate at the time of
classification.
MFC after: 1 week
This is the last requirement before we can retire ip6fw.
Reviewed by: dwhite, brooks(earlier version)
Submitted by: dwhite (manpage)
Silence from: -ipfw
with the kernel compile time option:
options IPFIREWALL_FORWARD_EXTENDED
This option has to be specified in addition to IPFIRWALL_FORWARD.
With this option even packets targeted for an IP address local
to the host can be redirected. All restrictions to ensure proper
behaviour for locally generated packets are turned off. Firewall
rules have to be carefully crafted to make sure that things like
PMTU discovery do not break.
Document the two kernel options.
PR: kern/71910
PR: kern/73129
MFC after: 1 week
This commit replaces those with two new functions that simplify the code
and produce warnings that the syntax is deprecated. A small number of
sensible abbreviations may be explicitly added based on user feedback.
There were previously three types of strncmp use in ipfw:
- Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av
to match string or any shortened form of it. I have replaced this
with a new function _substrcmp(av, "string") which returns 0 if av
is a substring of "string", but emits a warning if av is not exactly
"string".
- The next type was two instances of strncmp(av, "by", 2) which allowed
the abbreviation of bytes to "by", "byt", etc. Unfortunately, it
also supported "bykHUygh&*g&*7*ui". I added a second new function
_substrcmp2(av, "by", "bytes") which acts like the strncmp did, but
complains if the user doesn't spell out the word "bytes".
- There is also one correct use of strncmp to match "table(" which might
have another token after it without a space.
Since I changed all the lines anyway, I also fixed the treatment of
strncmp's return as a boolean in many cases. I also modified a few
strcmp cases as well to be fully consistent.
reversals+system lock ups if they are using ucred based rules
while running with debug.mpsafenet=1.
I am working on merging a shared locking mechanism into ipfw which
should take care of this problem, but it still requires a bit more
testing and review.
