Commit Graph

131 Commits

Author SHA1 Message Date
Kris Kennaway
ada79f6035 Don't call sprintf() with no format string. 2000-07-10 08:22:21 +00:00
Bill Fumerola
976a1c9106 Reorder the "prob" section in the output of list/show so it can be copy/pasted
into add without problems.

The previous commit had the other half of this original patch which handled
tcpflags/tcpflgs confusion in output/input.
2000-06-18 02:48:19 +00:00
Luigi Rizzo
8a0b95d610 Fix behaviour of "ipfw pipe show" -- previous code gave
ambiguous data to the userland program (kernel operation was
safe, anyways).
2000-06-14 10:07:22 +00:00
Ruslan Ermilov
e439c30cf4 Fixed style bugs of rev 1.66. 2000-06-12 09:43:00 +00:00
Dan Moschuk
9714563d83 Add tcpoptions to ipfw. This works much in the same way as ipoptions do.
It also squashes 99% of packet kiddie synflood orgies.  For example, to
rate syn packets without MSS,

ipfw pipe 10 config 56Kbit/s queue 10Packets
ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss

Submitted by:  Richard A. Steenbergen <ras@e-gerbil.net>
2000-06-08 15:34:51 +00:00
Luigi Rizzo
afb87ed2fd Document new dummynet functionality, namely WF2Q+ and RED 2000-06-08 13:38:57 +00:00
Luigi Rizzo
6c28099089 userland side of WF2Q+ support in dummynet.
Manpage coming later...
2000-06-08 10:08:39 +00:00
Sheldon Hearn
353fa3b66d Remove extraneous Dv macro that slipped in, in rev 1.64. 2000-05-03 08:59:44 +00:00
Jeroen Ruigrok van der Werven
f1fb54a2f5 Remove unused include, and place sys includes at top, which enabled
us to remove this include.
2000-05-01 20:19:44 +00:00
Brian Feldman
0f95689794 Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a
rule that logs without a log limit, use "logamount 0" in addition to "log".
2000-04-30 06:44:11 +00:00
Ruslan Ermilov
ac13e0c5a0 A huge rewrite of the manual page (mostly -mdoc related).
Reviewed by:	luigi, sheldonh
2000-02-28 15:21:12 +00:00
Luigi Rizzo
20aed43d30 Use correct field for dst_port when displaying masks on dynamic pipes. 2000-02-13 11:46:59 +00:00
Luigi Rizzo
d69f84c0b4 Support and document new stateful ipfw features.
Approved-by: jordan
2000-02-10 14:25:26 +00:00
Luigi Rizzo
8c020cb775 Support per-flow queueing in dummynet.
Implement masks on UDP/TCP ports.
Large rewrite of the manpage.

Work supported by Akamba Corp.
2000-01-08 11:19:19 +00:00
Archie Cobbs
56345b0f5c Turn on 'ipfw tee'. Update man page. Please note (from the man page):
Packets that match a tee rule should not be immediately accepted,
    but should continue going through the rule list.  This may be fixed
    in a later version.

I hope to fix this soon in a separate commit.
1999-12-06 01:00:24 +00:00
Ruslan Ermilov
42c9b5b974 Remove one obsoleted entry from the BUGS section. 1999-10-20 12:59:35 +00:00
Brian Feldman
1efcedf596 Make the "uid" and "gid" code better. Now it can detect invalid user
names/numbers.

Reviewed by:	chris
1999-09-03 18:18:46 +00:00
Peter Wemm
7f3dea244c $Id$ -> $FreeBSD$ 1999-08-28 00:22:10 +00:00
Brian Feldman
32e7924603 To christen the brand new security category for syslog, we get IPFW
using syslog(3) (log(9)) for its various purposes! This long-awaited
change also includes such nice things as:
	* macros expanding into _two_ comma-delimited arguments!
	* snprintf!
	* more snprintf!
	* linting and criticism by more people than you can shake a stick at!
	* a slightly more uniform message style than before!
	 and last but not least
	* no less than 5 rewrites!

Reviewed by:	committers
1999-08-21 18:35:55 +00:00
Luigi Rizzo
e2bd328224 Whoops, forgot one line in previous patch. 1999-08-12 05:32:11 +00:00
Luigi Rizzo
f0706ad422 Userland and manual page changes for probabilistic rule match.
Because the kernel change was done in a backward-compatible way,
you don't need to recompile ipfw if you don't want to use the new
feature.
1999-08-11 15:36:13 +00:00
Brian Feldman
0b6c1a832d Make ipfw's logging more dynamic. Now, log will use the default limit
_or_ you may specify "log logamount number" to set logging specifically
the rule.
   In addition, "ipfw resetlog" has been added, which will reset the
logging counters on any/all rule(s). ipfw resetlog does not affect
the packet/byte counters (as ipfw reset does), and is the only "set"
command that can be run at securelevel >= 3.
   This should address complaints about not being able to set logging
amounts, not being able to restart logging at a high securelevel,
and not being able to just reset logging without resetting all of the
counters in a rule.
1999-08-01 16:57:24 +00:00
Brian Feldman
7a2aab80b0 This is the much-awaited cleaned up version of IPFW [ug]id support.
All relevant changes have been made (including ipfw.8).
1999-06-19 18:43:33 +00:00
Ruslan Ermilov
689b0bd1d4 Document the usage of escape character in a service name.
PR:		7101
Reminded by:	jhs
1999-06-15 12:56:38 +00:00
Ruslan Ermilov
0a81860b0b Workaround the problem that the first (and only first) port name
can't have a dash character (it is treated as a ``range'' operator).
One could now use such a name by escaping the ``-'' characters.
For example:

# ipfw add 1 count tcp from any to any "ms\-sql\-s"
# ipfw add 2 count tcp from any ftp\\-data-ftp to any

PR:		7101
1999-06-11 09:43:53 +00:00
Ruslan Ermilov
43866c3e76 Fix the parsing of ip addresses on a command line.
PR:		5047
Reviewed by:	des
Test case:	ipfw add allow ip from 127.1 to any
1999-06-04 11:20:59 +00:00
Ruslan Ermilov
06e70c77bb Spelling corrections for dummynet.
Reviewed by:	des,luigi
1999-06-02 05:59:48 +00:00
Kris Kennaway
39aa78dd44 Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes,
grammatical fixes.

Submitted by:	Philippe Charnier
1999-05-29 08:12:38 +00:00
Luigi Rizzo
e142fadecb close pr 10889:
+ add a missing call to dn_rule_delete() when flushing firewall
  rules, thus preventing possible panics due to dangling pointers
  (this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more
  tolerant of common mistakes (such as specifying kbit instead of Kbit)

PR: kern/10889
Submitted by: Ruslan Ermilov
1999-05-24 10:01:22 +00:00
Guy Helmer
dc90479cca Add ICMP types to list of information about each packet. 1999-04-29 19:14:17 +00:00
Guy Helmer
b67579bd36 Explain when packets are tesed by the firewall rules and what attributes
of packets can be tested.

PR:		docs/7437
1999-04-28 02:49:29 +00:00
Guy Helmer
e5a49961b1 Convert LKM/modload to KLD/kldload. Add ref to kldload(8).
Submitted by:	Nathan Ahlstrom <nrahlstr@winternet.com>
1999-04-08 13:56:25 +00:00
Archie Cobbs
14112159be Fix bug where 'ipfw list' would choke if there were a large number of rules. 1999-01-22 01:46:32 +00:00
Archie Cobbs
6f206f2ef2 Fix misleading wording in ipfw(8) man page.
PR: docs/9603
1999-01-21 19:51:04 +00:00
Luigi Rizzo
d120b1c1fc Remove coredump when running "ipfw pipe" without more arguments.
PR: 8937
1998-12-27 11:23:05 +00:00
Guy Helmer
b46dfa405c Mention affect of securelevel 3 and higher on attempts to change filter lists.
Prompted by:	PR docs/7785
1998-12-16 17:10:03 +00:00
Luigi Rizzo
b13ebaaa5c ipfw changes for dummynet. manpages still missing 1998-12-14 18:43:03 +00:00
Archie Cobbs
b31a38612b Disallow ipfw "tee" rules until it is actually implemented.
PR:		bin/8471
1998-12-07 05:54:37 +00:00
Joerg Wunsch
aa045fa499 Preprocessor support for `ipfw [-q] ... file'.
This allows for more flexible ipfw configuration files using
`variables' to describe frequently used items in the file, like the
local IP address(es), interface names etc.  Both m4 and cpp are useful
and supported; with m4 being a little more unusual to the common C
programmer, things like automatic rule numbering can be achieved
fairly easy.

While i was at it, i've also untangled some of the ugly style inside
main(), and fixed a bug or two (like not being able to use blank lines
when running with -q).

A typical call with preprocessor invocation looks like

	ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules

Someone should probably add support for this feature to /etc/rc.firewall.
1998-11-23 10:54:28 +00:00
Alexander Langer
abe7f210b5 The flags type was recently changed from u_short to u_int, breaking
icmptypes.

PR:		8067
Submitted by:	Jonathan Hanna <jh@cr1003333-a.crdva1.bc.wave.home.com>

While I'm here, staticize functions.
1998-09-28 22:56:37 +00:00
Peter Hawkins
62cf03cd85 PR: 7475
Added support for -q (suppress output) when firewall rules are taken from a
file. Solves PR 7475
1998-08-04 14:41:37 +00:00
Julian Elischer
f9e354df42 Support for IPFW based transparent forwarding.
Any packet that can be matched by a ipfw rule can be redirected
transparently to another port or machine. Redirection to another port
mostly makes sense with tcp, where a session can be set up
between a proxy and an unsuspecting client. Redirection to another machine
requires that the other machine also be expecting to receive the forwarded
packets, as their headers will not have been modified.

/sbin/ipfw must be recompiled!!!

Reviewed by:	Peter Wemm <peter@freebsd.org>
Submitted by: Chrisy Luke <chrisy@flix.net>
1998-07-06 03:20:19 +00:00
Daniel O'Callaghan
dcf2c48fc9 Reminded by: Alex Nash
Bring man page up to date with -q flag behaviour.
1998-05-19 12:50:35 +00:00
Masafumi Max NAKANE
432a1104b6 Typo fix. 1998-05-19 03:10:14 +00:00
Daniel O'Callaghan
0eaa45335d PR: 6641
Submitted by:	Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
Make -q work for zeroing a specific rule.
1998-05-15 12:38:07 +00:00
Poul-Henning Kamp
4419bba9fb When ipfw reads its rules from an input file, the optind variable is
not reinitialized to 1 after calling getopt. This results in parsing
errors on all but the first rule. An added patch also allows '#'
comments at the end of a line.

PR:		6379
Reviewed by:	phk
Submitted by:	Neal Fachan <kneel@ishiboo.com>
1998-04-22 06:20:20 +00:00
Martin Cracauer
d6b37778e9 (evil) hackers -> crackers 1998-04-08 12:00:48 +00:00
Philippe Charnier
68085a0ef1 .Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq. 1998-03-19 07:46:04 +00:00
Alexander Langer
585054bfa6 Get the arguments to show_usage right (like the MFC'ed code in -stable).
Submitted by:	bde
1998-03-13 02:31:21 +00:00
Alexander Langer
ce78a1f6dd Alter ipfw's behavior with respect to fragmented packets when the packet
offset is non-zero:

  - Do not match fragmented packets if the rule specifies a port or
    TCP flags
  - Match fragmented packets if the rule does not specify a port and
    TCP flags

Since ipfw cannot examine port numbers or TCP flags for such packets,
it is now illegal to specify the 'frag' option with either ports or
tcpflags.  Both kernel and ipfw userland utility will reject rules
containing a combination of these options.

BEWARE: packets that were previously passed may now be rejected, and
vice versa.

Reviewed by:	Archie Cobbs <archie@whistle.com>
1998-02-12 00:57:06 +00:00