Commit Graph

381 Commits

Author SHA1 Message Date
bz
3793d89229 Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL.
Also rename the related functions in a similar way.
There are no functional changes.

For a packet coming in with IPsec tunnel mode, the default is
to only call into the firewall with the "outer" IP header and
payload.

With this option turned on, in addition to the "outer" parts,
the "inner" IP header and payload are passed to the
firewall too when going through ip_input() the second time.

The option was never only related to a gif(4) tunnel within
an IPsec tunnel and thus the name was very misleading.

Discussed at:			BSDCan 2007
Best new name suggested by:	rwatson
Reviewed by:			rwatson
Approved by:			re (bmah)
2007-08-05 16:16:15 +00:00
csjp
7f5da49f3d Remove references to mpsafenet. This option no longer exists.
Approved by:	re@ (bmah)
2007-08-04 20:35:42 +00:00
maxim
2139af42ea o Make ipfw set more robust -- now it is possible:
- to show a specific set: ipfw set 3 show
    - to delete rules from the set: ipfw set 9 delete 100 200 300
    - to flush the set: ipfw set 4 flush
    - to reset rules counters in the set: ipfw set 1 zero

PR:		kern/113388
Submitted by:	Andrey V. Elsukov
Approved by:	re (kensmith)
MFC after:	6 weeks
2007-06-18 17:52:37 +00:00
maxim
4941ee4a2a o Teach get_mac_addr_mask() to not silently accept incorrect MAC
addresses.
o Swap a couple of magic 6s by ETHER_ADDR_LEN.

PR:		bin/80913
Submitted by:	Andrey V. Elsukov
MFC after:	1 month
2007-05-09 18:31:49 +00:00
bz
ab603b3a9c Add support for filtering on Routing Header Type 0 and
Mobile IPv6 Routing Header Type 2 in addition to filter
on the non-differentiated presence of any Routing Header.

MFC after:	3 weeks
2007-05-04 11:15:41 +00:00
maxim
185e6bdacb o Make ipfw(8) show rules with mac/mac-type options correctly.
Before:

$ ipfw -n add 100 count icmp from any to any mac-type 0x01
00100 count icmp 0x0001
$ ipfw -n add 100 count icmp from any to any mac any any
00100 count icmp MAC any any any

After:

$ ipfw -n add 100 count icmp from any to any mac-type 0x01
00100 count icmp from any to any mac-type 0x0001
$ ipfw -n add 100 count icmp from any to any mac any any
00100 count icmp from any to any MAC any any

PR:		bin/112244
Submitted by:	Andrey V. Elsukov
MFC after:	1 month
2007-04-30 17:39:30 +00:00
maxim
708ec25681 o Add missed w/space in the error message.
Spotted by:	Ivan Voras
MFC after:	1 week
2007-04-17 16:36:24 +00:00
piso
39ed0e3e6d Mention the nat command in the synopsis and in the action section.
Approved by: glebius (mentor)
2007-02-15 14:32:26 +00:00
mlaier
56fe8a82e8 Fix a parsing bug when specifying more than one address with dotted decimal
netmask.

Reported by:	Igor Anishchuk
PR:		kern/107565
MFC after:	3 days
2007-01-07 03:02:02 +00:00
piso
0db606a3b1 Summer of Code 2005: improve libalias - part 2 of 2
With the second (and last) part of my previous Summer of Code work, we get:

-ipfw's in kernel nat

-redirect_* and LSNAT support

General information about nat syntax and some examples are available
in the ipfw (8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to natd (8) man page.

To enable in kernel nat in rc.conf, two options were added:

o firewall_nat_enable: equivalent to natd_enable

o firewall_nat_interface: equivalent to natd_interface

Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being
(de)aliased.

NOTA BENE: due to some problems with libalias architecture, in kernel
nat won't work with TSO enabled nic, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).

Approved by: glebius (mentor)
2006-12-29 21:59:17 +00:00
trhodes
0142d3db4c Add a note about rule syntax compared to the shell used so users do not get
frustraited when:
ipfw add 201 deny ip from any to table(2) in via xl1
returns "Badly placed ( )'s"

PR:	73638
2006-10-09 22:12:08 +00:00
keramida
58ae44274d When addr/mask examples are given, show both a host and network
address, to avoid confusing the users that a full address is
always required.

Submitted by:   Josh Paetzel <josh@tcbug.org> (through freebsd-doc)
MFC after:	3 days
2006-10-04 19:29:05 +00:00
maxim
54f179c406 o Check for a required "pathname" argument presence.
PR:		bin/95146
Submitted by:	candy-sendpr@kgc.co.jp
MFC after:	3 weeks
2006-09-29 08:00:40 +00:00
ru
731fda35ce Markup fixes. 2006-09-18 11:55:10 +00:00
jhay
9e8a4daa6b Check the length of the ipv4 and ipv6 address lists. It must be less
than F_LEN_MASK.

MFC after:	5 days
2006-09-16 19:27:40 +00:00
jhay
3f597283a3 Use bzero() to clear the whole ipfw_insn_icmp6 structure in fill_icmp6types(),
otherwise this command

ipfw add allow ipv6-icmp from any to 2002::1 icmp6types 1,2,128,129

turns into icmp6types 1,2,32,33,34,...94,95,128,129

PR:		102422 (part 1)
Submitted by:	Andrey V. Elsukov <bu7cher at yandex.ru>
MFC after:	5 days
2006-09-16 06:34:30 +00:00
dwmalone
e0dfe3d7df A pipe bandwidth of 10MBits/s should probably
be understood as    10Mbits/s not 10MBytes/s.

Submitted by:	Gavin McCullagh <gavin.mccullagh@nuim.ie>
MFC after:	1 week
2006-08-23 14:29:18 +00:00
dwmalone
b6bc6170e9 Regigle parens to try and get the intended affect. This should fix people
having trouble with the "me6" keyword. Also, we were using inet_pton on
the wrong variable in one place.

Reviewed by:	mlaier (previous version of patch)
Obtained from:	Sascha Blank (inet_pton change)
MFC after:	1 week
2006-08-20 20:10:36 +00:00
julian
27a5402d35 Fix typo. 2006-08-20 05:42:58 +00:00
julian
2e81f075ec comply with style police
Submitted by:	ru
MFC after:	1 month
2006-08-18 22:36:05 +00:00
julian
ff9e317817 Allow ipfw to forward to a destination that is specified by a table.
for example:
  fwd tablearg ip from any to table(1)
where table 1 has entries of the form:
1.1.1.0/24 10.2.3.4
208.23.2.0/24 router2

This allows trivial implementation of a secondary routing table implemented
in the firewall layer.

I expect more work (under discussion with Glebius) to follow this to clean
up some of the messy parts of ipfw related to tables.

Reviewed by:	Glebius
MFC after:	1 month
2006-08-17 22:49:50 +00:00
julian
6e2c7c961f Take IP_FIREWALL_EXTENDED out of the man page too.
MFC after: 1 week
2006-08-17 00:46:06 +00:00
stefanf
e39de9bd5c Use the SLIST_NEXT macro instead of sle_next.
Checked with:	cmp(1)
2006-08-05 13:58:50 +00:00
oleg
1d7baed662 Specify correct argument range for tag/untag keywords.
Approved by:	glebius (mentor)
2006-07-25 11:07:31 +00:00
oleg
7a65db868d Add support of 'tablearg' feature for:
- 'tag' & 'untag' action parameters.
- 'tagged' & 'limit' rule options.
Rule examples:
	pipe 1 tag tablearg ip from table(1) to any
	allow ip from any to table(2) tagged tablearg
	allow tcp from table(3) to any 25 setup limit src-addr tablearg

sbin/ipfw/ipfw2.c:
1) new macros
   GET_UINT_ARG - support of 'tablearg' keyword, argument range checking.
   PRINT_UINT_ARG - support of 'tablearg' keyword.
2) strtoport(): do not silently truncate/accept invalid port list expressions
   like: '1,2-abc' or '1,2-3-4' or '1,2-3x4'. style(9) cleanup.

Approved by:	glebius (mentor)
MFC after:	1 month
2006-06-15 09:39:22 +00:00
mlaier
5b7662dfe9 Print dynamic rules for IPv6 as well.
PR:		bin/98349
Submitted by:	Mark Andrews
MFC after:	2 weeks
2006-06-02 05:17:17 +00:00
oleg
499297c74c Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
Since tags are kept while packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.

Submitted by:	Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by:	Vadim Goncharov <vadimnuclight at tpu dot ru>
Approved by:	glebius (mentor)
Idea from:	OpenBSD PF
MFC after:	1 month
2006-05-24 13:09:55 +00:00
mlaier
efe765e265 For src/dest parsing take off the netmask before checking for AF with
inet_pton.  This fixes cases like "fe02::/16".

PR:		bin/91245
Reported by:	Fredrik Lindberge
2006-05-14 03:53:04 +00:00
mlaier
67242844ae Update manpage for net.inet6.ip6.fw.enable sysctl.
Requested by:	bz
2006-05-12 18:09:33 +00:00
julian
44c3768939 Amazing.. two screwups in one commit.
I'm piling on thise pointy hats on top of each other.
At least they nest..
2006-03-31 12:54:17 +00:00
julian
bce212e4e5 I can't believe that no-one noticed that I broke ipfw table del
for over a month!
put {}  around if clause with multiple statements
2006-03-31 12:40:09 +00:00
ume
a9ea2a9a09 Revert `proto ip' back to the previous behavior. The kernel side of
ipfw2 doesn't allow zero as protocol number.

MFC after:	3 days
2006-03-05 15:55:46 +00:00
julian
82537e7f96 oops, mismerge from working sources.. not only add new code,
but remove old code!
2006-02-14 03:13:12 +00:00
julian
9c8fd45ad2 Stop ipfw from aborting when asked to delete a table entry that
doesn't exist or add one that is already present, if the -q flag
is set. Useful for "ipfw -q /dev/stdin" when the command above is
invoked from  something like python or TCL to feed commands
down the throat of ipfw.
MFC in: 1 week
2006-02-14 03:10:29 +00:00
ru
a954ec97e7 Fix a markup glitch. 2006-02-03 16:41:13 +00:00
glebius
6373a62268 Forget about ipfw1 and ipfw2. We aren't in RELENG_4 anymore. 2006-01-13 16:44:56 +00:00
glebius
d154659c53 Document 'tablearg' keyword.
Wording by:	emaste
2006-01-13 15:48:38 +00:00
ru
e279c872b1 [mdoc] add missing space before a punctuation type argument. 2005-12-13 17:07:52 +00:00
glebius
d5ab5191cf Add a new feature for optimizining ipfw rulesets - substitution of the
action argument with the value obtained from table lookup. The feature
is now applicable only to "pipe", "queue", "divert", "tee", "netgraph"
and "ngtee" rules.

An example usage:

  ipfw pipe 1000 config bw 1000Kbyte/s
  ipfw pipe 4000 config bw 4000Kbyte/s
  ipfw table 1 add x.x.x.x 1000
  ipfw table 1 add x.x.x.y 4000
  ipfw pipe tablearg ip from table(1) to any

In the example above the rule will throw different packets to different pipes.

TODO:
  - Support "skipto" action, but without searching all rules.
  - Improve parser, so that it warns about bad rules. These are:
    - "tablearg" argument to action, but no "table" in the rule. All
      traffic will be blocked.
    - "tablearg" argument to action, but "table" searches for entry with
      a specific value. All traffic will be blocked.
    - "tablearg" argument to action, and two "table" looks - for src and
      for dst. The last lookup will match.
2005-12-13 12:16:03 +00:00
glebius
5d0fbfa49f Cleanup _FreeBSD_version. 2005-12-09 13:03:30 +00:00
ume
b9221a7b29 We couldn't specify the rule for filtering tunnel traffic since an
IPv6 support was committed:

- Stop treating `ip' and `ipv6' as special in `proto' option as they
  conflict with /etc/protocols.

- Disuse `ipv4' in `proto' option as it is corresponding to `ipv6'.

- When protocol is specified as numeric, treat it as it is even it is
  41 (ipv6).

- Allow zero for protocol as it is valid number of `ip'.

Still, we cannot specify an IPv6 over an IPv4 tunnel like before such
as:

	pass ipv6 from any to any

But, now, you can specify it like:

	pass ip4 from any to any proto ipv6

PR:		kern/89472
Reported by:	Ga l Roualland <gael.roualland__at__dial.oleane.com>
MFC after:	1 week
2005-11-29 15:25:09 +00:00
glebius
9cc098a3bd Catch up with ip_dummynet.h rev. 1.38 and fix build. 2005-11-29 12:01:26 +00:00
glebius
7abe9e6ffe Garbage-collect now unused struct _ipfw_insn_pipe and flush_pipe_ptrs(),
thus removing a few XXXes.
  Document the ABI breakage in UPDATING.
2005-11-29 08:59:41 +00:00
ru
4de1ee30af -mdoc sweep. 2005-11-18 10:36:29 +00:00
csjp
855920faa4 Restore the documentation about uid, gid or prison based rules requiring
that debug.mpsafenet be set to 0. It is still possible for dead locks to
occur while these filtering options are used due to the layering violation
inherent in their implementation.

Discussed:	-current, rwatson, glebius
2005-10-23 16:15:02 +00:00
mlaier
7754dd4daf Redirect bridge(4) to if_bridge(4) and rename sysctl accordingly.
Reminded by:	ru
2005-09-28 08:18:55 +00:00
bz
5434a58808 * Add dynamic sysctl for net.inet6.ip6.fw.
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.

Submitted by:	sysctl handling derived from patch from ume needed for ip6fw
Obtained from:	is_icmp6_query and send_reject6 derived from similar
		functions of netinet6,ip6fw
Reviewed by:	ume, gnn; silence on ipfw@
Test setup provided by: CK Software GmbH
MFC after:	6 days
2005-08-13 11:02:34 +00:00
cperciva
e8f7047163 Bump document date. Remove EOL whitespace introduced in previous
commit.  Start new line at sentence break in previous commit.

Approved by:	re (implicit, fixing a commit made 5 minutes ago)
2005-07-01 10:04:33 +00:00
cperciva
9fc0d88f30 Document some limitations of uid/gid rules.
Approved by:	re (rwatson)
MFC after:	3 days
2005-07-01 09:51:10 +00:00
ru
064bdbb814 Markup fixes.
Approved by:	re (blanket)
2005-06-14 11:24:56 +00:00