Commit Graph

374 Commits

Author SHA1 Message Date
piso
39ed0e3e6d Mention the nat command in the synopsis and in the action section.
Approved by: glebius (mentor)
2007-02-15 14:32:26 +00:00
mlaier
56fe8a82e8 Fix a parsing bug when specifying more than one address with dotted decimal
netmask.

Reported by:	Igor Anishchuk
PR:		kern/107565
MFC after:	3 days
2007-01-07 03:02:02 +00:00
piso
0db606a3b1 Summer of Code 2005: improve libalias - part 2 of 2
With the second (and last) part of my previous Summer of Code work, we get:

-ipfw's in kernel nat

-redirect_* and LSNAT support

General information about nat syntax and some examples are available
in the ipfw (8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to natd (8) man page.

To enable in kernel nat in rc.conf, two options were added:

o firewall_nat_enable: equivalent to natd_enable

o firewall_nat_interface: equivalent to natd_interface

Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being
(de)aliased.

NOTA BENE: due to some problems with libalias architecture, in kernel
nat won't work with TSO enabled nic, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).

Approved by: glebius (mentor)
2006-12-29 21:59:17 +00:00
trhodes
0142d3db4c Add a note about rule syntax compared to the shell used so users do not get
frustraited when:
ipfw add 201 deny ip from any to table(2) in via xl1
returns "Badly placed ( )'s"

PR:	73638
2006-10-09 22:12:08 +00:00
keramida
58ae44274d When addr/mask examples are given, show both a host and network
address, to avoid confusing the users that a full address is
always required.

Submitted by:   Josh Paetzel <josh@tcbug.org> (through freebsd-doc)
MFC after:	3 days
2006-10-04 19:29:05 +00:00
maxim
54f179c406 o Check for a required "pathname" argument presence.
PR:		bin/95146
Submitted by:	candy-sendpr@kgc.co.jp
MFC after:	3 weeks
2006-09-29 08:00:40 +00:00
ru
731fda35ce Markup fixes. 2006-09-18 11:55:10 +00:00
jhay
9e8a4daa6b Check the length of the ipv4 and ipv6 address lists. It must be less
than F_LEN_MASK.

MFC after:	5 days
2006-09-16 19:27:40 +00:00
jhay
3f597283a3 Use bzero() to clear the whole ipfw_insn_icmp6 structure in fill_icmp6types(),
otherwise this command

ipfw add allow ipv6-icmp from any to 2002::1 icmp6types 1,2,128,129

turns into icmp6types 1,2,32,33,34,...94,95,128,129

PR:		102422 (part 1)
Submitted by:	Andrey V. Elsukov <bu7cher at yandex.ru>
MFC after:	5 days
2006-09-16 06:34:30 +00:00
dwmalone
e0dfe3d7df A pipe bandwidth of 10MBits/s should probably
be understood as    10Mbits/s not 10MBytes/s.

Submitted by:	Gavin McCullagh <gavin.mccullagh@nuim.ie>
MFC after:	1 week
2006-08-23 14:29:18 +00:00
dwmalone
b6bc6170e9 Regigle parens to try and get the intended affect. This should fix people
having trouble with the "me6" keyword. Also, we were using inet_pton on
the wrong variable in one place.

Reviewed by:	mlaier (previous version of patch)
Obtained from:	Sascha Blank (inet_pton change)
MFC after:	1 week
2006-08-20 20:10:36 +00:00
julian
27a5402d35 Fix typo. 2006-08-20 05:42:58 +00:00
julian
2e81f075ec comply with style police
Submitted by:	ru
MFC after:	1 month
2006-08-18 22:36:05 +00:00
julian
ff9e317817 Allow ipfw to forward to a destination that is specified by a table.
for example:
  fwd tablearg ip from any to table(1)
where table 1 has entries of the form:
1.1.1.0/24 10.2.3.4
208.23.2.0/24 router2

This allows trivial implementation of a secondary routing table implemented
in the firewall layer.

I expect more work (under discussion with Glebius) to follow this to clean
up some of the messy parts of ipfw related to tables.

Reviewed by:	Glebius
MFC after:	1 month
2006-08-17 22:49:50 +00:00
julian
6e2c7c961f Take IP_FIREWALL_EXTENDED out of the man page too.
MFC after: 1 week
2006-08-17 00:46:06 +00:00
stefanf
e39de9bd5c Use the SLIST_NEXT macro instead of sle_next.
Checked with:	cmp(1)
2006-08-05 13:58:50 +00:00
oleg
1d7baed662 Specify correct argument range for tag/untag keywords.
Approved by:	glebius (mentor)
2006-07-25 11:07:31 +00:00
oleg
7a65db868d Add support of 'tablearg' feature for:
- 'tag' & 'untag' action parameters.
- 'tagged' & 'limit' rule options.
Rule examples:
	pipe 1 tag tablearg ip from table(1) to any
	allow ip from any to table(2) tagged tablearg
	allow tcp from table(3) to any 25 setup limit src-addr tablearg

sbin/ipfw/ipfw2.c:
1) new macros
   GET_UINT_ARG - support of 'tablearg' keyword, argument range checking.
   PRINT_UINT_ARG - support of 'tablearg' keyword.
2) strtoport(): do not silently truncate/accept invalid port list expressions
   like: '1,2-abc' or '1,2-3-4' or '1,2-3x4'. style(9) cleanup.

Approved by:	glebius (mentor)
MFC after:	1 month
2006-06-15 09:39:22 +00:00
mlaier
5b7662dfe9 Print dynamic rules for IPv6 as well.
PR:		bin/98349
Submitted by:	Mark Andrews
MFC after:	2 weeks
2006-06-02 05:17:17 +00:00
oleg
499297c74c Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
Since tags are kept while packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.

Submitted by:	Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by:	Vadim Goncharov <vadimnuclight at tpu dot ru>
Approved by:	glebius (mentor)
Idea from:	OpenBSD PF
MFC after:	1 month
2006-05-24 13:09:55 +00:00
mlaier
efe765e265 For src/dest parsing take off the netmask before checking for AF with
inet_pton.  This fixes cases like "fe02::/16".

PR:		bin/91245
Reported by:	Fredrik Lindberge
2006-05-14 03:53:04 +00:00
mlaier
67242844ae Update manpage for net.inet6.ip6.fw.enable sysctl.
Requested by:	bz
2006-05-12 18:09:33 +00:00
julian
44c3768939 Amazing.. two screwups in one commit.
I'm piling on thise pointy hats on top of each other.
At least they nest..
2006-03-31 12:54:17 +00:00
julian
bce212e4e5 I can't believe that no-one noticed that I broke ipfw table del
for over a month!
put {}  around if clause with multiple statements
2006-03-31 12:40:09 +00:00
ume
a9ea2a9a09 Revert `proto ip' back to the previous behavior. The kernel side of
ipfw2 doesn't allow zero as protocol number.

MFC after:	3 days
2006-03-05 15:55:46 +00:00
julian
82537e7f96 oops, mismerge from working sources.. not only add new code,
but remove old code!
2006-02-14 03:13:12 +00:00
julian
9c8fd45ad2 Stop ipfw from aborting when asked to delete a table entry that
doesn't exist or add one that is already present, if the -q flag
is set. Useful for "ipfw -q /dev/stdin" when the command above is
invoked from  something like python or TCL to feed commands
down the throat of ipfw.
MFC in: 1 week
2006-02-14 03:10:29 +00:00
ru
a954ec97e7 Fix a markup glitch. 2006-02-03 16:41:13 +00:00
glebius
6373a62268 Forget about ipfw1 and ipfw2. We aren't in RELENG_4 anymore. 2006-01-13 16:44:56 +00:00
glebius
d154659c53 Document 'tablearg' keyword.
Wording by:	emaste
2006-01-13 15:48:38 +00:00
ru
e279c872b1 [mdoc] add missing space before a punctuation type argument. 2005-12-13 17:07:52 +00:00
glebius
d5ab5191cf Add a new feature for optimizining ipfw rulesets - substitution of the
action argument with the value obtained from table lookup. The feature
is now applicable only to "pipe", "queue", "divert", "tee", "netgraph"
and "ngtee" rules.

An example usage:

  ipfw pipe 1000 config bw 1000Kbyte/s
  ipfw pipe 4000 config bw 4000Kbyte/s
  ipfw table 1 add x.x.x.x 1000
  ipfw table 1 add x.x.x.y 4000
  ipfw pipe tablearg ip from table(1) to any

In the example above the rule will throw different packets to different pipes.

TODO:
  - Support "skipto" action, but without searching all rules.
  - Improve parser, so that it warns about bad rules. These are:
    - "tablearg" argument to action, but no "table" in the rule. All
      traffic will be blocked.
    - "tablearg" argument to action, but "table" searches for entry with
      a specific value. All traffic will be blocked.
    - "tablearg" argument to action, and two "table" looks - for src and
      for dst. The last lookup will match.
2005-12-13 12:16:03 +00:00
glebius
5d0fbfa49f Cleanup _FreeBSD_version. 2005-12-09 13:03:30 +00:00
ume
b9221a7b29 We couldn't specify the rule for filtering tunnel traffic since an
IPv6 support was committed:

- Stop treating `ip' and `ipv6' as special in `proto' option as they
  conflict with /etc/protocols.

- Disuse `ipv4' in `proto' option as it is corresponding to `ipv6'.

- When protocol is specified as numeric, treat it as it is even it is
  41 (ipv6).

- Allow zero for protocol as it is valid number of `ip'.

Still, we cannot specify an IPv6 over an IPv4 tunnel like before such
as:

	pass ipv6 from any to any

But, now, you can specify it like:

	pass ip4 from any to any proto ipv6

PR:		kern/89472
Reported by:	Ga l Roualland <gael.roualland__at__dial.oleane.com>
MFC after:	1 week
2005-11-29 15:25:09 +00:00
glebius
9cc098a3bd Catch up with ip_dummynet.h rev. 1.38 and fix build. 2005-11-29 12:01:26 +00:00
glebius
7abe9e6ffe Garbage-collect now unused struct _ipfw_insn_pipe and flush_pipe_ptrs(),
thus removing a few XXXes.
  Document the ABI breakage in UPDATING.
2005-11-29 08:59:41 +00:00
ru
4de1ee30af -mdoc sweep. 2005-11-18 10:36:29 +00:00
csjp
855920faa4 Restore the documentation about uid, gid or prison based rules requiring
that debug.mpsafenet be set to 0. It is still possible for dead locks to
occur while these filtering options are used due to the layering violation
inherent in their implementation.

Discussed:	-current, rwatson, glebius
2005-10-23 16:15:02 +00:00
mlaier
7754dd4daf Redirect bridge(4) to if_bridge(4) and rename sysctl accordingly.
Reminded by:	ru
2005-09-28 08:18:55 +00:00
bz
5434a58808 * Add dynamic sysctl for net.inet6.ip6.fw.
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.

Submitted by:	sysctl handling derived from patch from ume needed for ip6fw
Obtained from:	is_icmp6_query and send_reject6 derived from similar
		functions of netinet6,ip6fw
Reviewed by:	ume, gnn; silence on ipfw@
Test setup provided by: CK Software GmbH
MFC after:	6 days
2005-08-13 11:02:34 +00:00
cperciva
e8f7047163 Bump document date. Remove EOL whitespace introduced in previous
commit.  Start new line at sentence break in previous commit.

Approved by:	re (implicit, fixing a commit made 5 minutes ago)
2005-07-01 10:04:33 +00:00
cperciva
9fc0d88f30 Document some limitations of uid/gid rules.
Approved by:	re (rwatson)
MFC after:	3 days
2005-07-01 09:51:10 +00:00
ru
064bdbb814 Markup fixes.
Approved by:	re (blanket)
2005-06-14 11:24:56 +00:00
mlaier
163c101c2c add_proto() now fills proto for us so stop to 'guess' the protocol from the
command and rather trust the value add_proto filled in.  While here, fix an
oversight in the pretty printing of ip6/4 options.
2005-06-07 14:11:17 +00:00
green
497a5998af Better explain, then actually implement the IPFW ALTQ-rule first-match
policy.  It may be used to provide more detailed classification of
traffic without actually having to decide its fate at the time of
classification.

MFC after:	1 week
2005-06-04 19:04:31 +00:00
mlaier
f2254cf702 Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well.
This is the last requirement before we can retire ip6fw.

Reviewed by:	dwhite, brooks(earlier version)
Submitted by:	dwhite (manpage)
Silence from:	-ipfw
2005-06-03 01:10:28 +00:00
mlaier
ce2b072e9f Unbreak handling of "ip[v]6" protocol and option flag. No more segfaults
and not every protocol is IPv6.
2005-05-21 03:27:33 +00:00
glebius
4be4400945 'ngtee' also depends on net.inet.ip.fw.one_pass. 2005-05-11 12:58:15 +00:00
glebius
32e61f472f IPFW version 2 is the only option now in HEAD. Do not confuse
users of future releases with instructions about building IPFW2
on RELENG_4.
2005-05-04 13:14:57 +00:00
brooks
3f77e18f9b Fix a the previous commit. I wanted to remove the if and always run the
body not remove both.

Reported by:	ceri
Pointy hat:	brooks
2005-04-26 20:22:31 +00:00