Commit Graph

613 Commits

Author SHA1 Message Date
eadler
8903492b33 - Add fallthrough comment
Approved by:	pluknet
Found with:	Coverity Prevent(tm)
CID:		10125
2011-12-24 22:37:27 +00:00
glebius
8df3e0017d Fix parsing of redirect_addr argument.
PR:		kern/162739
MFC after:	3 days
2011-11-23 18:38:08 +00:00
eadler
6efa0e7f22 - fix duplicate "a a" in some comments
Submitted by:	eadler
Approved by:	simon
MFC after:	3 days
2011-11-13 17:06:33 +00:00
glebius
e5be97e3f0 Note that NAT instance argument can be tablearg.
PR:		misc/162265
Submitted by:	Paul Procacci <pprocacci gmail.com>
2011-11-10 12:05:26 +00:00
bz
eccbdd061b Add support for IPv6 to ipfw fwd:
Distinguish IPv4 and IPv6 addresses and optional port numbers in
user space to set the option for the correct protocol family.
Add support in the kernel for carrying the new IPv6 destination
address and port.
Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change
the address in the IP header.
Add support for IPv6 forwarding to a non-local destination.
Add a regression test utilizing VIMAGE to check all 20 possible
combinations I could think of.

Obtained from:	David Dolson at Sandvine Incorporated
		(original version for ipfw fwd IPv6 support)
Sponsored by:	Sandvine Incorporated
PR:		bin/117214
MFC after:	4 weeks
Approved by:	re (kib)
2011-08-20 17:05:11 +00:00
jhb
5181cb930b Fix a regression where a rule containing a source port option after a
destination IP would incorrectly display the source port as a destination
port.

Reviewed by:	luigi
Approved by:	re (kib)
MFC after:	1 week
2011-08-17 14:39:45 +00:00
ae
6b5f802b89 Add new rule actions "call" and "return" to ipfw. They make it
possible to organize subroutines with rules.

The "call" action saves the current rule number in the internal
stack and rules processing continues from the first rule with
specified number (similar to skipto action). If later a rule with
"return" action is encountered, the processing returns to the first
rule with number of "call" rule saved in the stack plus one or higher.

Submitted by:	Vadim Goncharov
Discussed by:	ipfw@, luigi@
2011-06-29 10:06:58 +00:00
ae
083452d2eb Improve error reporting. Use corresponding error message when file to be
preprocessed is missing. Also suggest to use absolute pathname if -p option
is specified.

PR:             bin/156653
MFC after:      2 weeks
2011-06-29 06:45:44 +00:00
glebius
f235f56e2d Actually, if code had followed style(9), there would be less stupid errors
like the one fixed in r223416.

Noticed by:	julian
2011-06-24 12:55:16 +00:00
glebius
5b5e9b6b99 One more braino from me.
Pointy hat to:	glebius
Submitted by:	Alexander V. Chernikov <melifaro ipfw.ru>
2011-06-22 08:20:01 +00:00
benl
2071e3510a Fix clang warnings.
Approved by:	philip (mentor)
2011-06-18 13:56:33 +00:00
glebius
f405f6d6f8 - Fix my braino in the 220835, when I used strtok(). It isn't
applicable here, since it modifies the string. Switch to strchr().
- Restore support for undocumented optional parameters of
  redir_port and redir_proto, that were disabled in 220835.
- While here, change !isalpha() checks on optional parameters
  for isdigit().

Submitted by:	Alexander V. Chernikov <melifaro ipfw.ru>
PR:		kern/143653
2011-06-17 12:12:52 +00:00
ae
a060389e5b Implement "global" mode for ipfw nat. It is similar to natd(8)
"globalport" option for multiple NAT instances.

If ipfw rule contains "global" keyword instead of nat_number, then
for each outgoing packet ipfw_nat looks up translation state in all
configured nat instances. If an entry is found, the packet is aliased
according to that entry, otherwise the packet is passed unchanged.

User can specify "skip_global" option in NAT configuration to exclude
an instance from the lookup in global mode.

PR:		kern/157867
Submitted by:	Alexander V. Chernikov (previous version)
Tested by:	Eugene Grosbein
2011-06-14 13:35:24 +00:00
ae
7b7c6f4e74 Check nat id a bit more strictly. 2011-06-14 13:02:26 +00:00
ae
779a285118 Initialize co.use_set variable before parsing each new rule.
PR:		bin/134975
MFC after:	2 weeks
2011-06-06 11:10:38 +00:00
ae
32b65a86d0 Increase buffer size for the command line.
PR:		bin/125370
Submitted by:	sem
MFC after:	2 weeks
2011-06-06 10:52:26 +00:00
ae
5251d374e6 Add tablearg support for ipfw setfib.
PR:		kern/156410
MFC after:	2 weeks
2011-05-30 05:37:26 +00:00
pluknet
6a8a361b92 mdoc:
- use a proper macro for interface name ipfw0.
- add missing section number for bpf cross reference.
2011-05-17 12:58:19 +00:00
glebius
54d630d4cb Rewrite NAT configuration parser, so that memory allocation size is
calculated dynamically.

PR:		kern/143653
2011-04-19 15:03:12 +00:00
glebius
54ea1a10a5 More whitespace fixes.
Checked with:	md5, diff -x -w
2011-04-18 22:09:03 +00:00
glebius
57baf3da41 Whitespace fixes.
Checked with:	md5, diff -w
2011-04-18 21:18:22 +00:00
luigi
e7ccc85b8f The first customer of the SO_USER_COOKIE option:
the "sockarg" ipfw option matches packets associated to
a local socket and with a non-zero so_user_cookie value.
The value is made available as tablearg, so it can be used
as a skipto target or pipe number in ipfw/dummynet rules.

Code by Paul Joe, manpage by me.

Submitted by:	Paul Joe
MFC after:	1 week
2010-11-12 13:05:17 +00:00
uqs
62105f8979 mdoc: make pages render with mandoc
It's a bit more pedantic regarding .Bl list elements. This has an added
benefit of unbreaking the ipfw(8) manpage, where groff was silently
skipping one list element.
2010-10-21 12:27:13 +00:00
luigi
67f7009c39 document logging through bpf 2010-10-13 22:07:57 +00:00
uqs
8ae3afcfad mdoc: drop redundant .Pp and .LP calls
They have no effect when coming in pairs, or before .Bl/.Bd
2010-10-08 12:40:16 +00:00
brucec
76d7244728 Fix incorrect usage of 'assure' and 'insure'.
Approved by: rrs (mentor)
2010-08-28 16:32:01 +00:00
des
3fcf5283af expand_number(3) takes a uint64_t * now.
MFC after:	3 weeks
2010-08-19 11:19:21 +00:00
joel
dd1fff9bcb Fix typos, spelling, formatting and mdoc mistakes found by Nobuyuki while
translating these manual pages.  Minor corrections by me.

Submitted by:	Nobuyuki Koganemaru <n-kogane@syd.odn.ne.jp>
2010-08-16 15:18:30 +00:00
glebius
4261fd06bd Document that the "ngtee" action no longer accepts packet, and
thus doesn't depend on one_pass flag anymore.

This is a POLA violation, but it is quite difficult to restore
the old behavior with new code. Also, the new behavior matches
behavior of the older "tee" action, and this is more intuitive.
2010-07-27 14:31:39 +00:00
luigi
696b5f7a91 better printing of headers when listing flows 2010-07-15 14:34:56 +00:00
luigi
bb53438218 fix 64-bit build
Reported by:	Robert Noland
2010-04-19 16:35:47 +00:00
luigi
063c00f467 Slightly different handling of printf/snprintf for unaligned uint64_t,
which should improve readability, and also to ease the port to
platforms that do not support %llu

MFC after:	3 days
2010-04-19 15:11:45 +00:00
luigi
32deede1ae fix a buffer overflow with large (100k+) number of input lines.
MFC after:	3 days
2010-04-12 08:27:53 +00:00
ume
69c698c974 Set net.inet6.ip6.fw.enable as well. 2010-04-06 12:28:08 +00:00
luigi
45fd7e5066 fix another bug in "ipfw set N ..."
Submitted by:	Marcin Wisnicki
2010-03-24 23:06:16 +00:00
gavin
9cc3706fd5 Tweak language to make one point potentially clearer for non-native speakers
PR:		bin/121424
Submitted by:	"Julian H. Stacey" <jhs berklix.org>
2010-03-20 14:42:16 +00:00
luigi
ea650b19a1 accept lower case m as a synonym for Mega (bit/s or bytes/s). 2010-03-15 18:26:09 +00:00
luigi
b958ac2aee print correctly commands of the form
ipfw add 100 allow ip from { 1.2.3.4 or 5.6.7.8 }

(note that the above example could be better written as

	ipfw add 100 allow dst-ip 1.2.3.4,5.6.7.8 )

Submitted by:	Riccardo Panicucci
2010-03-15 18:20:51 +00:00
luigi
3c242d0b3e + implement (two lines) the kernel side of 'lookup dscp N' to use the
dscp as a search key in table lookups;

+ (re)implement a sysctl variable to control the expire frequency of
  pipes and queues when they become empty;

+ add 'queue number' as optional part of the flow_id. This can be
  enabled with the command

        queue X config mask queue ...

  and makes it possible to support priority-based schedulers, where
  packets should be grouped according to the priority and not some
  fields in the 5-tuple.
  This is implemented as follows:
  - redefine a field in the ipfw_flow_id (in sys/netinet/ip_fw.h) but
    without changing the size or shape of the structure, so there are
    no ABI changes. On passing, also document how other fields are
    used, and remove some useless assignments in ip_fw2.c

  - implement small changes in the userland code to set/read the field;

  - revise the functions in ip_dummynet.c to manipulate masks so they
    also handle the additional field;

There are no ABI changes in this commit.
2010-03-15 17:14:27 +00:00
luigi
3a68724891 Implement "lookup dscp N" which does a lookup of the DSCP (top 6 bits
of ip->ip_tos) in a table. This can be useful to direct traffic to
different pipes/queues according to the DSCP of the packet, as follows:

    ipfw add 100 queue tablearg lookup dscp 3 // table 3 maps dscp->queue

This change is a no-op (but harmless) until the two-line kernel
side is committed, which will happen shortly.
2010-03-15 15:43:35 +00:00
luigi
0d5da117aa implement listing of a subset of pipes/queues/schedulers.
The filtering of the output is done in the kernel instead of userland
to reduce the amount of data transferred.
2010-03-11 22:42:33 +00:00
luigi
d3ede2e999 add back DPADD (removed by mistake in a previous commit) 2010-03-08 14:43:55 +00:00
luigi
859f5adfa0 more documentation on new dummynet features. 2010-03-05 14:13:58 +00:00
luigi
7053937fa6 make the listing of queues/pipes/schedulers handle the case of
data size increasing while we fetch the info.
2010-03-04 16:56:36 +00:00
luigi
b486493f31 fix handling of sets 2010-03-04 16:55:32 +00:00
luigi
9b5097a55e reduce diffs with the cross-platform version (windows needs
some extra initialization)
2010-03-04 16:54:56 +00:00
luigi
302fda42a4 remove stale comment 2010-03-04 16:08:51 +00:00
luigi
5ceeac4aa8 Bring in the most recent version of ipfw and dummynet, developed
and tested over the past two months in the ipfw3-head branch.  This
also happens to be the same code available in the Linux and Windows
ports of ipfw and dummynet.

The major enhancement is a completely restructured version of
dummynet, with support for different packet scheduling algorithms
(loadable at runtime), faster queue/pipe lookup, and a much cleaner
internal architecture and kernel/userland ABI which simplifies
future extensions.

In addition to the existing schedulers (FIFO and WF2Q+), we include
a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new,
very fast version of WF2Q+ called QFQ.

Some test code is also present (in sys/netinet/ipfw/test) that
lets you build and test schedulers in userland.

Also, we have added a compatibility layer that understands requests
from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries,
and replies correctly (at least, it does its best; sometimes you
just cannot tell who sent the request and how to answer).
The compatibility layer should make it possible to MFC this code in a
relatively short time.

Some minor glitches (e.g. handling of ipfw set enable/disable,
and a workaround for a bug in RELENG_7's /sbin/ipfw) will be
fixed with separate commits.

CREDITS:
This work has been partly supported by the ONELAB2 project, and
mostly developed by Riccardo Panicucci and myself.
The code for the qfq scheduler is mostly from Fabio Checconi,
and Marta Carbone and Francesco Magno have helped with testing,
debugging and some bug fixes.
2010-03-02 17:40:48 +00:00
ru
4d27ff91d0 Fixed dependencies (make checkdpadd). 2010-02-25 20:24:19 +00:00
luigi
84d17b9dde implement a new match option,
lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N

which searches the specified field in table N and sets tablearg
accordingly.
With dst-ip or src-ip the option replicates two existing options.
When used with other arguments, the option can be useful to
quickly dispatch traffic based on other fields.

Work supported by the Onelab project.

MFC after:	1 week
2009-12-15 09:46:27 +00:00
luigi
507718c519 fix the indentation for addr: values
MFC after:	3 days
2009-12-15 09:32:35 +00:00
luigi
d0b8e66dba restore setting of sin_len (was removed in 1.146 last february) as
it seems that now it is necessary for 'forward' to work outside lo0.
The bug (and fix) was reported on 8.0. This patch probably applies
to RELENG_7 as well.
It seems that 'pf' has a similar bug.

Submitted by:	Lytochkin Boris
MFC after:	3 days
2009-12-06 18:04:26 +00:00
luigi
62461e96f5 fix argument type in the call to expand_number
Submitted by:	gcc 4.3
MFC after:	3 days
2009-12-04 14:18:30 +00:00
luigi
98a49a6613 use qsort_r instead of heapsort;
staticize two functions.

MFC after:	3 days
2009-12-03 12:23:48 +00:00
netchild
10efa8a238 Fix minor resource leak in a function.
Reviewed by:	luigi
MFC after:	1 week
2009-11-21 10:46:49 +00:00
brueffer
2100141d0b Fix setfib(1) section number.
PR:		133765
Submitted by:	Konstantin Zolotukhin <erebus@gorodok.net>
MFC after:	3 days
2009-09-18 14:17:00 +00:00
oleg
0c8702bb1e - 'burst' description rewritten.
Submitted by:	Ben Kaduk
Approved by:	re (kib)
2009-06-26 19:49:06 +00:00
maxim
c26bbc521d o Kill grammar nits.
PR:		docs/136061
Submitted by:	Ben Kaduk
MFC after:	1 week
2009-06-26 05:09:00 +00:00
oleg
11197296ca - fix dummynet 'fast' mode for WF2Q case.
- fix printing of pipe profile data.
- introduce new pipe parameter: 'burst' - how much data can be sent through
  pipe bypassing bandwidth limit.
2009-06-24 22:57:07 +00:00
luigi
bf5db0adae Permit the specification of bandwidth values within
"profile" files (bandwidth is mandatory when using a
profile, so it makes sense to have everything in one place).

Update the manpage accordingly.

Submitted by:	Marta Carbone
2009-06-08 14:32:29 +00:00
luigi
d90175e4d6 add a missing format in a printf
Detected building with gcc 4.3.3

MFC after:	3 days
2009-06-08 10:53:18 +00:00
luigi
78a4bbf287 Several ipfw options and actions use a 16-bit argument to indicate
pipes, queues, tags, rule numbers and so on.
These are all different namespaces, and the only thing they have in
common is the fact they use a 16-bit slot to represent the argument.

There is some confusion in the code, mostly for historical reasons,
on how the values 0 and 65535 should be used. At the moment, 0 is
forbidden almost everywhere, while 65535 is used to represent a
'tablearg' argument, i.e. the result of the most recent table() lookup.

For now, try to use explicit constants for the min and max allowed
values, and do not overload the default rule number for that.

Also, make the MTAG_IPFW declaration only visible to the kernel.

NOTE: I think the issue needs to be revisited before 8.0 is out:
the 2^16 namespace limit for rule numbers and pipe/queue is
annoying, and we can easily bump the limit to 2^32 which gives
a lot more flexibility in partitioning the namespace.

MFC after:	5 days
2009-06-05 16:16:07 +00:00
luigi
2e85daee53 remove a printf that was only useful for debugging.
MFC after:	3 days
2009-06-05 13:11:34 +00:00
trhodes
c9f2c65c9f Kill hard sentence break added in the previous revision. 2009-04-11 08:52:02 +00:00
luigi
5c7675fccb Add emulation of delay profiles, which lets you model various
types of MAC overheads such as preambles, link level retransmissions
and more.

Note- this commit changes the userland/kernel ABI for pipes
(but not for ordinary firewall rules) so you need to rebuild
kernel and /sbin/ipfw to use dummynet features.

Please check the manpage for details on the new feature.

The MFC would be trivial but it breaks the ABI, so it will
be postponed until after 7.2 is released.

Interested users are welcome to apply the patch manually
to their RELENG_7 tree.

Work supported by the European Commission, Projects Onelab and
Onelab2 (contract 224263).
2009-04-09 12:46:00 +00:00
maxim
d45acb8459 o Grammar. 2009-04-08 17:46:45 +00:00
luigi
7543af0746 Various cleanup of text, moving a couple of paragraphs
above to avoid referencing undefined terms (humans are not compilers
but still care about these things).

Change some .Sh to .Ss to better reflect the structure of the text.

No new content.
2009-04-08 15:18:21 +00:00
trhodes
263a066905 Remove contractions, reword a sentence to avoid a double negative,
and bump document date for previous change.

OKed by:	piso
2009-04-07 13:51:41 +00:00
piso
30d15f06f1 Improve reass documentation a bit:
-document fragment handling sysctls
-mention some caveats about fragments handling (and how to deal with it)
2009-04-05 15:24:27 +00:00
piso
c9b4c10995 Implement an ipfw action to reassemble ip packets: reass. 2009-04-01 20:23:47 +00:00
brueffer
4bb1b51862 Mdoc style, spelling, grammar and wording fixes. This manpage needs more work. 2009-03-19 10:42:07 +00:00
luigi
359ccc0fed move a variable declaration to the beginning of the block
(unfortunately, it is far away; we need to pack this code in
a better way).
2009-03-05 08:08:09 +00:00
luigi
b29749721a remove some signed/unsigned and one const/!const warning 2009-03-05 08:01:58 +00:00
luigi
d5c4f3cf08 mark a function static, as it is 2009-03-05 08:01:19 +00:00
piso
d34fad2923 Add SCTP NAT support.
Submitted by: CAIA (http://caia.swin.edu.au)
2009-02-07 18:49:42 +00:00
luigi
af5756126e Explain that we assume AF_INET and only use the addr and port field
from a struct sockaddr_in, so there is no need to initialize sin_len
2009-02-02 11:02:19 +00:00
luigi
bec0413580 remove duplicate #include 2009-02-02 10:58:05 +00:00
luigi
23001c70f6 put the altq-related functions into a separate file.
Minor cleanup of the includes used by the various source files,
including annotations of why certain headers are used.
2009-02-01 16:00:49 +00:00
luigi
427f135f75 Avoid the use of duplicated typedefs -- see the comment for details. 2009-01-28 11:43:12 +00:00
luigi
5f74942998 fix printing of uint64_t values, so we can use WARNS=2 2009-01-27 20:26:45 +00:00
luigi
66a879082d fix wrong variable usage... 2009-01-27 12:24:53 +00:00
luigi
8a3b5c8587 Put nat and ipv6 support in their own files.
Usual moving of code with no changes from ipfw2.c to the
newly created files, and addition of prototypes to ipfw2.h

I have added forward declarations for ipfw_insn_* in ipfw2.h
to avoid a global dependency on ip_fw.h
2009-01-27 12:01:30 +00:00
luigi
5153c1f1c4 Put dummynet-related code in a separate file.
To this purpose, add prototypes for global functions in ipfw2.h
and move there also the list of tokens used in various places in the code.
2009-01-27 11:06:59 +00:00
luigi
836697aeba never mind, for the time being let's stick with WARNS=0 until
we sort out all proper printf formats.
2009-01-27 11:03:47 +00:00
luigi
80a7476516 Start splitting the monster file in smaller blocks.
In this episode:
- introduce a common header with a minimal set of common definitions;
- bring the main() function and options parser in main.c
- rename the main functions with an ipfw_ prefix

No code changes except for the introduction of a global variable,
resvd_set_number, which stores the RESVD_SET value from ip_fw.h
and is used to remove the dependency of main.c from ip_fw.h
(and the subtree of dependencies) for just a single constant.
2009-01-27 10:18:55 +00:00
luigi
4e134bba31 put the usage() function inline, it was only 1 line and used once;
slightly reformat the help() text;
slightly correct the text for the 'extraneous filename' error message;
2009-01-27 09:27:13 +00:00
luigi
a1283d8086 put all options in a single struct, and document them.
This will allow us to easily restore the original values when processing
commands from a file (where each individual line can have its own options).
2009-01-27 09:06:25 +00:00
luigi
f4b57841c3 I believe this is safe to build with WARNS=2 now 2009-01-27 09:04:29 +00:00
luigi
3b18b2924e remove a couple of rarely used #define;
change PRINT_UINT from a macro to a function (renaming is
postponed to reduce clutter)
2009-01-27 07:40:16 +00:00
luigi
b193317a46 wrap all malloc/calloc/realloc calls so they exit on failure
without having to check in each place.

Remove a wrong strdup from previous commit.
2009-01-26 14:26:35 +00:00
luigi
a9074e77b8 Some implementations of getopt() expect that argv[0] is always the
program name, and ignore that entry.  ipfw2.c code instead skips
this entry and starts with options at offset 0, relying on a more
tolerant implementation of the library.

This change fixes the issue by always passing a program name
in the first entry to getopt. The motivation for this change
is to remove a potential compatibility issue should we use
a different getopt() implementation in the future.

No functional changes.

Submitted by:	Marta Carbone (parts)
MFC after:	4 weeks
2009-01-26 14:03:39 +00:00
luigi
6cbadf0764 remove some useless #include,
document why timeconv.h is needed

MFC after:	3 days
2009-01-22 23:25:28 +00:00
luigi
cee4a08b62 Fix a number of (innocuous) warnings, and remove a useless test.
There are still several signed/unsigned warnings left, which
require a bit more study for a proper fix.

This file has grown beyond reasonable limits.

We really need to split it into separate components (ipv4, ipv6,
dummynet, nat, table, userland-kernel communication ...) so we can
make maintenance easier.

MFC after:	1 week
2009-01-20 18:16:31 +00:00
piso
8af3d78dd2 Import sctp nat support in ipfw obtained from CAIA - http://caia.swin.edu.au. 2008-12-28 17:16:32 +00:00
piso
982a9ea01c Update the ipfw man page to reflect last change (-q option with nat option).
MFC after:	3 days
2008-12-18 21:46:18 +00:00
piso
9102cbe344 Honor the quiet (-q) option while adding a nat rule.
Submitted by:	Andrey V. Elsukov<bu7cher@yandex.ru>
MFC after:	3 days
2008-12-18 21:37:31 +00:00
maxim
be9cccafc2 o Remove a debug code and restore an accidentally deleted code
in a previous commit.
2008-10-14 17:59:39 +00:00
maxim
c9e34ff82a o Do nothing in show_nat() for a test mode (-n). This prevents
show_nat() from an endless loop and makes ipfw -n nat <...> work.

PR:		bin/128064
Submitted by:	sem
MFC after:	1 month
2008-10-14 17:53:26 +00:00
rik
192de0a030 Fix the build.
Noted by: ganbold@
2008-09-27 15:58:54 +00:00
rik
4d3e47c771 * add all keyword for table list & flush actions.
* add tables_max sysctl.
* add default_rule sysctl.

PR:		127058 (partially)
2008-09-27 15:09:00 +00:00
rik
187806f48e Add keyword all in addition to the table number for the 'list' and the
'flush' actions on tables.  Part of PR: 127058.

PR:		127058 (based on)
MFC after:	1 month
2008-09-27 14:30:34 +00:00
keramida
24cc0f58d6 Unbreak the build. 2008-09-22 04:12:27 +00:00
rik
89ba9c24ee Add the check of the table number. 2008-09-21 21:46:56 +00:00
rik
9e1d29763a Move table list to a separate function. 2008-09-21 12:54:09 +00:00
rik
a76a4a93e9 Free allocated memory. 2008-09-20 19:25:02 +00:00
rik
87be3efbcd Remove some unused variables. 2008-09-20 16:46:19 +00:00
rik
2600b8bb7d Style(9) the show_nat() function. 2008-09-20 16:17:49 +00:00
rik
a32f707733 Do not do the useless job for an empty table.
MFC after:	1 month
2008-09-20 15:54:22 +00:00
rik
65828aa4c7 Use IPFW_DEFAULT_RULE instead of hardcoded value since now it is
available.

MFC after:	5 days.
2008-09-06 17:23:37 +00:00
ivoras
fff9c7a248 Trivial typo fix.
Approved by:	gnn (mentor)
2008-08-27 15:30:09 +00:00
julian
2c8efa0a9d Slight wordsmithing. prompted by danger@ 2008-08-01 23:31:28 +00:00
julian
4bfc008c7a Document the use of the tablearg keyword together with the skipto command. 2008-08-01 22:34:01 +00:00
julian
1a38a92356 Note that setfib is not a terminal rule. 2008-07-24 18:39:36 +00:00
julian
816e721312 Change two variables to size_t to improve portability.
Submitted by:	Xin Li
2008-05-10 15:02:56 +00:00
julian
1dfc5c98a4 Add code to allow the system to handle multiple routing tables.
This particular implementation is designed to be fully backwards compatible
and to be MFC-able to 7.x (and 6.x)

Currently the only protocol that can make use of the multiple tables is IPv4
Similar functionality exists in OpenBSD and Linux.

From my notes:

-----

  One thing where FreeBSD has been falling behind, and which by chance I
  have some time to work on is "policy based routing", which allows
  different packet streams to be routed by more than just the destination address.

  Constraints:
  ------------

  I want to make some form of this available in the 6.x tree
  (and by extension 7.x) , but FreeBSD in general needs it so I might as
  well do it in -current and back port the portions I need.

  One of the ways that this can be done is to have the ability to
  instantiate multiple kernel routing tables (which I will now
  refer to as "Forwarding Information Bases" or "FIBs" for political
  correctness reasons). Which FIB a particular packet uses to make
  the next hop decision can be decided by a number of mechanisms.
  The policies these mechanisms implement are the "Policies" referred
  to in "Policy based routing".

  One of the constraints I have if I try to back port this work to
  6.x is that it must be implemented as a EXTENSION to the existing
  ABIs in 6.x so that third party applications do not need to be
  recompiled in timespan of the branch.

  This first version will not have some of the bells and whistles that
  will come with later versions. It will, for example, be limited to 16
  tables in the first commit.
  Implementation method, Compatible version. (part 1)
  -------------------------------
  For this reason I have implemented a "sufficient subset" of a
  multiple routing table solution in Perforce, and back-ported it
  to 6.x. (also in Perforce though not  always caught up with what I
  have done in -current/P4). The subset allows a number of FIBs
  to be defined at compile time (8 is sufficient for my purposes in 6.x)
  and implements the changes needed to allow IPV4 to use them. I have not
  done the changes for ipv6 simply because I do not need it, and I do not
  have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.

  Other protocol families are left untouched and should there be
  users with proprietary protocol families, they should continue to work
  and be oblivious to the existence of the extra FIBs.

  To understand how this is done, one must know that the current FIB
  code starts everything off with a single dimensional array of
  pointers to FIB head structures (One per protocol family), each of
  which in turn points to the trie of routes available to that family.

  The basic change in the ABI compatible version of the change is to
  extend that array to be a 2 dimensional array, so that
  instead of protocol family X looking at rt_tables[X] for the
  table it needs, it looks at rt_tables[Y][X] when for all
  protocol families except ipv4 Y is always 0.
  Code that is unaware of the change always just sees the first row
  of the table, which of course looks just like the one dimensional
  array that existed before.

  The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign()
  are all maintained, but refer only to the first row of the array,
  so that existing callers in proprietary protocols can continue to
  do the "right thing".
  Some new entry points are added, for the exclusive use of ipv4 code
  called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(),
  which have an extra argument which refers the code to the correct row.

  In addition, there are some new entry points (currently called
  rtalloc_fib() and friends) that check the Address family being
  looked up and call either rtalloc() (and friends) if the protocol
  is not IPv4 forcing the action to row 0 or to the appropriate row
  if it IS IPv4 (and that info is available). These are for calling
  from code that is not specific to any particular protocol. The way
  these are implemented would change in the non ABI preserving code
  to be added later.

  One feature of the first version of the code is that for ipv4,
  the interface routes show up automatically on all the FIBs, so
  that no matter what FIB you select you always have the basic
  direct attached hosts available to you. (rtinit() does this
  automatically).

  You CAN delete an interface route from one FIB should you want
  to but by default it's there. ARP information is also available
  in each FIB. It's assumed that the same machine would have the
  same MAC address, regardless of which FIB you are using to get
  to it.

  This brings us as to how the correct FIB is selected for an outgoing
  IPV4 packet.

  Firstly, all packets have a FIB associated with them. if nothing
  has been done to change it, it will be FIB 0. The FIB is changed
  in the following ways.

  Packets fall into one of a number of classes.

  1/ locally generated packets, coming from a socket/PCB.
     Such packets select a FIB from a number associated with the
     socket/PCB. This in turn is inherited from the process,
     but can be changed by a socket option. The process in turn
     inherits it on fork. I have written a utility called setfib
     that acts a bit like nice..

         setfib -3 ping target.example.com # will use fib 3 for ping.

     It is an obvious extension to make it a property of a jail
     but I have not done so. It can be achieved by combining the setfib and
     jail commands.

  2/ packets received on an interface for forwarding.
     By default these packets would use table 0,
     (or possibly a number settable in a sysctl (not yet)).
     but prior to routing the firewall can inspect them (see below).
     (possibly in the future you may be able to associate a FIB
     with packets received on an interface..  An ifconfig arg, but not yet.)

  3/ packets inspected by a packet classifier, which can arbitrarily
     associate a fib with it on a packet by packet basis.
     A fib assigned to a packet by a packet classifier
     (such as ipfw) would over-ride a fib associated by
     a more default source. (such as cases 1 or 2).

  4/ a tcp listen socket associated with a fib will generate
     accept sockets that are associated with that same fib.

  5/ Packets generated in response to some other packet (e.g. reset
     or icmp packets). These should use the FIB associated with the
     packet being responded to.

  6/ Packets generated during encapsulation.
     gif, tun and other tunnel interfaces will encapsulate using the FIB
     that was in effect with the process that set up the tunnel.
     thus setfib 1 ifconfig gif0 [tunnel instructions]
     will set the fib for the tunnel to use to be fib 1.

  Routing messages would be associated with their
  process, and thus select one FIB or another.
  messages from the kernel would be associated with the fib they
  refer to and would only be received by a routing socket associated
  with that fib. (not yet implemented)

  In addition Netstat has been edited to be able to cope with the
  fact that the array is now 2 dimensional. (It looks in system
  memory using libkvm (!)). Old versions of netstat see only the first FIB.

  In addition two sysctls are added to give:
  a) the number of FIBs compiled in (active)
  b) the default FIB of the calling process.

  Early testing experience:
  -------------------------

  Basically our (IronPort's) appliance does this functionality already
  using ipfw fwd but that method has some drawbacks.

  For example,
  It can't fully simulate a routing table because it can't influence the
  socket's choice of local address when a connect() is done.

  Testing during the generating of these changes has been
  remarkably smooth so far. Multiple tables have co-existed
  with no notable side effects, and packets have been routed
  accordingly.

  ipfw has grown 2 new keywords:

  setfib N ip from any to any
  count ip from any to any fib N

  In pf there seems to be a requirement to be able to give symbolic names to the
  fibs but I do not have that capacity. I am not sure if it is required.

  SCTP has, interestingly enough, built-in support for this, called VRFs
  in Cisco parlance. It will be interesting to see how that handles it
  when it suddenly actually does something.

  Where to next:
  --------------------

  After committing the ABI compatible version and MFCing it, I'd
  like to proceed in a forward direction in -current. This will
  result in some roto-tilling in the routing code.

  Firstly: the current code's idea of having a separate tree per
  protocol family, all of the same format, and pointed to by the
  1 dimensional array is a bit silly. Especially when one considers that
  there is code that makes assumptions about every protocol having the
  same internal structures there. Some protocols don't WANT that
  sort of structure. (for example the whole idea of a netmask is foreign
  to appletalk). This needs to be made opaque to the external code.

  My suggested first change is to add routing method pointers to the
  'domain' structure, along with information pointing to the data.
  instead of having an array of pointers to uniform structures,
  there would be an array pointing to the 'domain' structures
  for each protocol address domain (protocol family),
  and the methods this reached would be called. The methods would have
  an argument that gives FIB number, but the protocol would be free
  to ignore it.

  When the ABI can be changed it raises the possibility of the
  addition of a fib entry into the "struct route". Currently,
  the structure contains the sockaddr of the destination, and the resulting
  fib entry. To make this work fully, one could add a fib number
  so that given an address and a fib, one can find the third element, the
  fib entry.

  Interaction with the ARP layer/ LL layer would need to be
  revisited as well. Qing Li has been working on this already.

  This work was sponsored by Ironport Systems/Cisco

Reviewed by:    several including rwatson, bz and mlair (parts each)
Obtained from:  Ironport systems/Cisco
2008-05-09 23:03:00 +00:00
dwmalone
f889878484 Dummynet has a queue size limit of 100 slots (or 1MB, if you give
the limit in bytes) hard coded into both the kernel and userland.
Make both these limits a sysctl, so it is easy to change the limit.
If the userland part of ipfw finds that the sysctls don't exist,
it will just fall back to the traditional limits.

(100 packets is quite a small limit these days. If you want to test
TCP at 100Mbps, 100 packets can only accommodate a DBP of 12ms.)

Note these sysctls in the man page and warn against increasing them
without thinking first.

MFC after:      3 weeks
2008-02-27 13:52:33 +00:00
piso
a4b4ccad07 Add table/tablearg support to ipfw's nat.
MFC After: 1 week
2008-02-24 15:37:45 +00:00
piso
47b2af9c1c -Fix display of nat range.
-Whitespace elimination.

Bug spotted by: Luiz Otavio O Souza
MFC After: 3 days
2008-02-21 22:55:54 +00:00
piso
6733058442 Fix display of multiple nat rules.
Bug spotted by: Luiz Otavio O Souza
PR:	120734
MFC After: 3 days
2008-02-18 20:26:34 +00:00
julian
be6b4b9b61 Instead of using a heuristic to decide whether to display
table 'values' as IP addresses, use an explicit argument (-i).
This is a 'POLA' issue. This is a low risk change and should be MFC'd
to RELENG_6 and RELENG 7. it might be put as an errata item for 6.3.
(not sure about 6.2).

Fix suggested by: Eugene Grosbein
PR: 	120720
MFC After: 3 days
2008-02-18 19:56:09 +00:00
yar
7d4cb18f11 Add a note that ipfw states do not implicitly match ICMP error messages. 2008-02-07 11:00:42 +00:00
rwatson
1dcfe4a494 Hide ipfw internal data structures behind IPFW_INTERNAL rather than
exposing them to all consumers of ip_fw.h.  These structures are
used in both ipfw(8) and ipfw(4), but not part of the user<->kernel
interface for other applications to use, rather, shared
implementation.

MFC after:	3 days
Reported by:	Paul Vixie <paul at vix dot com>
2008-01-25 14:38:27 +00:00
maxim
3646748d3a o Fix ipfw(8) command line parser bug: "ipfw nat 1 config if" requires an argument.
PR:		bin/119815
Submitted by:	Dierk Sacher
MFC after:	1 week
2008-01-20 08:31:35 +00:00
oleg
3ced3975d9 Calculate p.fs.lookup_step correctly. This should prevent zeroing of
w_q_lookup table (used in RED algorithm for (1 - w_q)^t computation).

MFC after:	1 month
2007-12-17 10:25:56 +00:00
danger
bae95962d0 Polish this manual page a bit:
- refer to the dummynet(4) man page only once, later use rather
  the .Nm macro.
- use .Va macro when referring to the sysctl variables
- grammar and markup fixes

Reviewed by:	keramida, trhodes, ru (roughly)
MFC after:	1 week
2007-11-26 00:36:40 +00:00
oleg
4e6e975846 - New sysctl variable: net.inet.ip.dummynet.io_fast
  If it is set to zero (the default), the dummynet module will try to emulate
  a real link as closely as possible (bandwidth & latency): a packet will not
  leave the pipe faster than it would on a real link with the given bandwidth.
  (This is the original behaviour of dummynet, which was altered in the
  previous commit.)
  If it is set to a non-zero value only bandwidth is enforced: a packet's
  latency can be lower compared to a real link with the given bandwidth.

- Document recently introduced dummynet(4) sysctl variables.

Requested by:	luigi, julian
MFC after:	3 months
2007-11-17 21:54:57 +00:00
maxim
e0b9f6a2b2 o Fix indentation. No functional changes. 2007-10-27 22:04:19 +00:00
rpaulo
0b7a220b01 Change IPTOS_CE to IPTOS_ECN_CE.
Approved by:	njl (mentor)
2007-10-19 18:24:19 +00:00
rpaulo
04560c1155 Comply with the removal of IPTOS_CE and IPTOS_ECT.
Discussed on freebsd-net with no objections.

Approved by:	njl (mentor), rwatson
2007-10-19 12:48:02 +00:00
maxim
23403e167c o Fix a typo in ipfw table usage example.
PR:		docs/117172
Submitted by:	novel
MFC after:	1 week
2007-10-14 09:12:46 +00:00
maxim
9f9cc8d8af o Cosmetic: fix the issue when "ipfw(8) show" produces "not" twice:
$ ipfw -n add 1 allow layer2 not mac-type ip
00001 allow ip from any to any layer2 not not mac-type 0x0800

PR:		bin/115372
Submitted by:	Andrey V. Elsukov
Approved by:	re (hrs)
MFC after:	3 weeks
2007-09-23 16:29:22 +00:00
maxim
3eb0fa1342 o Fix bug I introduced in the previous commit (ipfw set extension):
pack a set number correctly.

Submitted by:	oleg

o Plug a memory leak.

Submitted by:	oleg and Andrey V. Elsukov
Approved by:	re (kensmith)
MFC after:	1 week
2007-08-26 18:38:31 +00:00
bz
3793d89229 Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL.
Also rename the related functions in a similar way.
There are no functional changes.

For a packet coming in with IPsec tunnel mode, the default is
to only call into the firewall with the "outer" IP header and
payload.

With this option turned on, in addition to the "outer" parts,
the "inner" IP header and payload are passed to the
firewall too when going through ip_input() the second time.

The option was never only related to a gif(4) tunnel within
an IPsec tunnel and thus the name was very misleading.

Discussed at:			BSDCan 2007
Best new name suggested by:	rwatson
Reviewed by:			rwatson
Approved by:			re (bmah)
2007-08-05 16:16:15 +00:00
csjp
7f5da49f3d Remove references to mpsafenet. This option no longer exists.
Approved by:	re@ (bmah)
2007-08-04 20:35:42 +00:00
maxim
2139af42ea o Make ipfw set more robust -- now it is possible:
- to show a specific set: ipfw set 3 show
    - to delete rules from the set: ipfw set 9 delete 100 200 300
    - to flush the set: ipfw set 4 flush
    - to reset rules counters in the set: ipfw set 1 zero

PR:		kern/113388
Submitted by:	Andrey V. Elsukov
Approved by:	re (kensmith)
MFC after:	6 weeks
2007-06-18 17:52:37 +00:00
maxim
4941ee4a2a o Teach get_mac_addr_mask() to not silently accept incorrect MAC
addresses.
o Replace a couple of magic 6s with ETHER_ADDR_LEN.

PR:		bin/80913
Submitted by:	Andrey V. Elsukov
MFC after:	1 month
2007-05-09 18:31:49 +00:00
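The commit above is about get_mac_addr_mask() no longer accepting malformed MAC addresses silently. The following is an added example, not ipfw's own code, of what a strict parser for an ipfw-style "addr[/bits]" or "addr&mask" MAC argument looks like. The function names, the exact grammar accepted, and the test strings are assumptions made for illustration; the security-relevant behaviour is that too few octets, a seventh octet, non-hex digits, three-digit octets and an out-of-range prefix length are all rejected rather than producing a rule that does not match what the administrator typed.

```c
/*
 * Added example (not ipfw's code): a strict parser for an ipfw-style
 * MAC address with an optional mask, "aa:bb:cc:dd:ee:ff[/bits]" or
 * "aa:bb:cc:dd:ee:ff&mask".  Function names and the exact grammar are
 * assumptions; the point is to reject malformed input instead of
 * silently accepting it.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETHER_ADDR_LEN 6

/* Parse exactly six colon-separated hex octets into addr.  Returns a
 * pointer to the first unconsumed character, or NULL on error. */
static const char *parse_mac(const char *s, uint8_t addr[ETHER_ADDR_LEN])
{
    for (int i = 0; i < ETHER_ADDR_LEN; i++) {
        char *end;
        if (!isxdigit((unsigned char)*s))
            return NULL;              /* strtoul alone would accept "+", " " */
        unsigned long v = strtoul(s, &end, 16);
        if (end - s > 2 || v > 0xff)
            return NULL;              /* too many digits / out of range */
        addr[i] = (uint8_t)v;
        s = end;
        if (i < ETHER_ADDR_LEN - 1) {
            if (*s != ':')
                return NULL;          /* too few octets */
            s++;
        }
    }
    return s;
}

/* Parse "addr", "addr/bits" or "addr&mask".  Returns 0 on success and
 * -1 on any malformed input.  A bare address gets an all-ones mask. */
int parse_mac_addr_mask(const char *s, uint8_t addr[ETHER_ADDR_LEN],
                        uint8_t mask[ETHER_ADDR_LEN])
{
    const char *p = parse_mac(s, addr);
    if (p == NULL)
        return -1;
    memset(mask, 0xff, ETHER_ADDR_LEN);
    if (*p == '\0')
        return 0;
    if (*p == '/') {
        char *end;
        unsigned long bits = strtoul(p + 1, &end, 10);
        if (end == p + 1 || *end != '\0' || bits > 8 * ETHER_ADDR_LEN)
            return -1;                /* missing, junk-terminated or >48 */
        for (int i = 0; i < ETHER_ADDR_LEN; i++) {
            unsigned long b = bits > 8 ? 8 : bits;
            mask[i] = (uint8_t)(b == 0 ? 0 : 0xff << (8 - b));
            bits -= b;
        }
        return 0;
    }
    if (*p == '&') {
        p = parse_mac(p + 1, mask);
        return (p != NULL && *p == '\0') ? 0 : -1;
    }
    return -1;                        /* trailing junk, e.g. a 7th octet */
}

/* Convenience accessors: byte i of the parsed address or mask, or -1
 * if the string is rejected. */
int mac_addr_byte(const char *s, int i)
{
    uint8_t a[ETHER_ADDR_LEN], m[ETHER_ADDR_LEN];
    return parse_mac_addr_mask(s, a, m) == 0 ? a[i] : -1;
}

int mac_mask_byte(const char *s, int i)
{
    uint8_t a[ETHER_ADDR_LEN], m[ETHER_ADDR_LEN];
    return parse_mac_addr_mask(s, a, m) == 0 ? m[i] : -1;
}

int main(void)
{
    /* Constructed inputs: one valid prefix form, then malformed variants. */
    const char *inputs[] = { "00:11:22:33:44:55/20", "00:11:22:33:44",
                             "00:11:22:33:44:55:66", "00:11:22:33:44:zz" };
    for (size_t k = 0; k < sizeof(inputs) / sizeof(inputs[0]); k++)
        printf("%-22s -> %s\n", inputs[k],
               mac_addr_byte(inputs[k], 0) < 0 ? "rejected" : "accepted");
    return 0;
}
```

The two checks that the original heuristic-free version would most easily miss are the octet digit count (`end - s > 2`) and the leading-character check before strtoul(), which otherwise quietly skips whitespace and accepts a sign.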
bz
ab603b3a9c Add support for filtering on Routing Header Type 0 and
Mobile IPv6 Routing Header Type 2 in addition to filter
on the non-differentiated presence of any Routing Header.

MFC after:	3 weeks
2007-05-04 11:15:41 +00:00
maxim
185e6bdacb o Make ipfw(8) show rules with mac/mac-type options correctly.
Before:

$ ipfw -n add 100 count icmp from any to any mac-type 0x01
00100 count icmp 0x0001
$ ipfw -n add 100 count icmp from any to any mac any any
00100 count icmp MAC any any any

After:

$ ipfw -n add 100 count icmp from any to any mac-type 0x01
00100 count icmp from any to any mac-type 0x0001
$ ipfw -n add 100 count icmp from any to any mac any any
00100 count icmp from any to any MAC any any

PR:		bin/112244
Submitted by:	Andrey V. Elsukov
MFC after:	1 month
2007-04-30 17:39:30 +00:00
maxim
708ec25681 o Add missed w/space in the error message.
Spotted by:	Ivan Voras
MFC after:	1 week
2007-04-17 16:36:24 +00:00
piso
39ed0e3e6d Mention the nat command in the synopsis and in the action section.
Approved by: glebius (mentor)
2007-02-15 14:32:26 +00:00
mlaier
56fe8a82e8 Fix a parsing bug when specifying more than one address with dotted decimal
netmask.

Reported by:	Igor Anishchuk
PR:		kern/107565
MFC after:	3 days
2007-01-07 03:02:02 +00:00
piso
0db606a3b1 Summer of Code 2005: improve libalias - part 2 of 2
With the second (and last) part of my previous Summer of Code work, we get:

- ipfw's in-kernel nat

- redirect_* and LSNAT support

General information about nat syntax and some examples are available
in the ipfw(8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to the natd(8) man page.

To enable in kernel nat in rc.conf, two options were added:

o firewall_nat_enable: equivalent to natd_enable

o firewall_nat_interface: equivalent to natd_interface

Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being
(de)aliased.

NOTA BENE: due to some problems with libalias architecture, in-kernel
nat won't work with a TSO-enabled NIC, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).

Approved by: glebius (mentor)
2006-12-29 21:59:17 +00:00
trhodes
0142d3db4c Add a note about rule syntax compared to the shell used so users do not get
frustrated when:
ipfw add 201 deny ip from any to table(2) in via xl1
returns "Badly placed ( )'s"

PR:	73638
2006-10-09 22:12:08 +00:00
keramida
58ae44274d When addr/mask examples are given, show both a host and network
address, to avoid confusing the users that a full address is
always required.

Submitted by:   Josh Paetzel <josh@tcbug.org> (through freebsd-doc)
MFC after:	3 days
2006-10-04 19:29:05 +00:00
maxim
54f179c406 o Check for a required "pathname" argument presence.
PR:		bin/95146
Submitted by:	candy-sendpr@kgc.co.jp
MFC after:	3 weeks
2006-09-29 08:00:40 +00:00
ru
731fda35ce Markup fixes. 2006-09-18 11:55:10 +00:00
jhay
9e8a4daa6b Check the length of the ipv4 and ipv6 address lists. It must be less
than F_LEN_MASK.

MFC after:	5 days
2006-09-16 19:27:40 +00:00
jhay
3f597283a3 Use bzero() to clear the whole ipfw_insn_icmp6 structure in fill_icmp6types(),
otherwise this command

ipfw add allow ipv6-icmp from any to 2002::1 icmp6types 1,2,128,129

turns into icmp6types 1,2,32,33,34,...94,95,128,129

PR:		102422 (part 1)
Submitted by:	Andrey V. Elsukov <bu7cher at yandex.ru>
MFC after:	5 days
2006-09-16 06:34:30 +00:00
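The commit above describes a classic stale-memory bug: the icmp6types bitmap was filled into an instruction buffer that had not been cleared first, so whatever bits were left over from earlier use became part of the rule. The following is an added example, not ipfw's own code, reproducing the mechanism with a 256-bit type bitmap. The struct layout, function names and the 0x55 stale pattern are constructed for illustration; the page's example shows a different set of leaked types, but the cause is the same.

```c
/*
 * Added example (not ipfw's code): why fill_icmp6types() must clear the
 * whole instruction before setting bits.  ICMPv6 type numbers are 0..255,
 * so a 256-bit bitmap (eight 32-bit words) records the selected types.
 * The struct layout and names below are assumptions for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct icmp6_types {
    uint32_t d[8];      /* 256-bit bitmap, one bit per ICMPv6 type */
};

/* Set the bit for ICMPv6 type t. */
static void type_set(struct icmp6_types *m, unsigned t)
{
    m->d[t / 32] |= 1u << (t % 32);
}

static int type_isset(const struct icmp6_types *m, unsigned t)
{
    return (m->d[t / 32] >> (t % 32)) & 1u;
}

/*
 * Parse a comma-separated list like "1,2,128,129" into m.  Returns 0 on
 * success, -1 on a malformed or out-of-range entry.  If clear is nonzero
 * the bitmap is zeroed first (the fix); otherwise stale bits in m survive
 * (the bug the commit describes).
 */
int fill_icmp6types_example(struct icmp6_types *m, const char *list, int clear)
{
    if (clear)
        memset(m, 0, sizeof(*m));   /* bzero() in the original */
    const char *p = list;
    while (*p != '\0') {
        char *end;
        unsigned long t = strtoul(p, &end, 10);
        if (end == p || t > 255)
            return -1;              /* not a number, or not an ICMPv6 type */
        if (*end != ',' && *end != '\0')
            return -1;              /* junk after the number */
        type_set(m, (unsigned)t);
        p = (*end == ',') ? end + 1 : end;
    }
    return 0;
}

/* Count how many types are selected in m. */
int icmp6_types_count(const struct icmp6_types *m)
{
    int n = 0;
    for (unsigned t = 0; t < 256; t++)
        n += type_isset(m, t);
    return n;
}

/* Parse into a fresh, cleared bitmap; -1 on parse error, else the count. */
int icmp6types_count_for(const char *list)
{
    struct icmp6_types m;
    if (fill_icmp6types_example(&m, list, 1) != 0)
        return -1;
    return icmp6_types_count(&m);
}

/*
 * Simulate reusing a command buffer that still holds data from an earlier
 * opcode: a constructed 0x55 pattern leaves every even bit set.  Returns
 * the number of types the parsed rule ends up matching.
 */
int reused_buffer_count(int clear)
{
    struct icmp6_types m;
    memset(&m, 0x55, sizeof(m));    /* constructed stale contents */
    if (fill_icmp6types_example(&m, "1,2,128,129", clear) != 0)
        return -1;
    return icmp6_types_count(&m);
}

int main(void)
{
    printf("without clearing: %d types match\n", reused_buffer_count(0));
    printf("with clearing:    %d types match\n", reused_buffer_count(1));
    return 0;
}
```

Without the clear, the rule matches 130 types instead of the 4 that were typed, and the extra types silently widen what the rule allows. Zeroing the whole struct, not just the words the parser happens to touch, is the cheap fix because the bitmap is sparse and the loop only ever ORs bits in.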
dwmalone
e0dfe3d7df A pipe bandwidth of 10MBits/s should probably
be understood as 10Mbits/s not 10MBytes/s.

Submitted by:	Gavin McCullagh <gavin.mccullagh@nuim.ie>
MFC after:	1 week
2006-08-23 14:29:18 +00:00
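The commit above is a unit-parsing fix: a capital B in "10MBits/s" must not be taken as "bytes", because that silently makes the pipe eight times wider than configured. The following is an added example, not ipfw's own code, of a bandwidth parser that keys on the whole unit word ("bit" versus "byte", compared case-insensitively) rather than on one letter. The function name, the accepted grammar (optional K/M prefix with decimal multipliers, optional plural "s", optional "/s") and the sample strings are assumptions made for illustration.

```c
/*
 * Added example (not ipfw's code): parse a dummynet-style bandwidth
 * such as "10Mbit/s", "10MBits/s" or "1MByte/s" into bits per second.
 * Function name and exact grammar are assumptions for illustration.
 * The distinction that matters is the unit word, "bit" vs "byte",
 * compared case-insensitively, so that a capital B in "MBits" does not
 * silently turn bits into bytes (a factor of 8).
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Returns bits per second, or 0 if the string is malformed. */
unsigned long long parse_bandwidth(const char *s)
{
    char *end;
    unsigned long long v = strtoull(s, &end, 10);
    if (end == s)
        return 0;                        /* no number at all */
    const char *p = end;
    while (isspace((unsigned char)*p))
        p++;
    if (*p == '\0')
        return v;                        /* bare number: bits per second */

    /* Optional decimal multiplier (assumed 1000-based, as for link rates). */
    unsigned long long mult = 1;
    if (*p == 'k' || *p == 'K') { mult = 1000ULL; p++; }
    else if (*p == 'm' || *p == 'M') { mult = 1000000ULL; p++; }

    /* The unit word decides bits vs bytes; case is irrelevant here. */
    unsigned long long per_unit;
    if (strncasecmp(p, "byte", 4) == 0) { per_unit = 8; p += 4; }
    else if (strncasecmp(p, "bit", 3) == 0) { per_unit = 1; p += 3; }
    else return 0;                       /* unknown unit word */

    if (*p == 's' || *p == 'S')
        p++;                             /* optional plural */
    if (strcmp(p, "/s") == 0)
        p += 2;                          /* optional "/s" */
    if (*p != '\0')
        return 0;                        /* trailing junk */
    return v * mult * per_unit;
}

int main(void)
{
    /* Constructed inputs showing that case does not change the unit. */
    const char *inputs[] = { "10Mbit/s", "10MBits/s", "10MByte/s",
                             "64Kbit/s", "1500", "10Mfoo/s" };
    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++)
        printf("%-10s -> %llu bit/s\n", inputs[i], parse_bandwidth(inputs[i]));
    return 0;
}
```

Rejecting unknown unit words (returning 0 rather than guessing) matters as much as the case handling: a shaping rule that silently falls back to some default rate is not enforcing the policy the administrator wrote.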
dwmalone
b6bc6170e9 Rejiggle parens to try and get the intended effect. This should fix people
having trouble with the "me6" keyword. Also, we were using inet_pton on
the wrong variable in one place.

Reviewed by:	mlaier (previous version of patch)
Obtained from:	Sascha Blank (inet_pton change)
MFC after:	1 week
2006-08-20 20:10:36 +00:00