All of the do_cmd() calls are in dummynet.c and specify the socket
option at compile time; none of these removed cases are used in ipfw
after the v3 work.
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53378
(cherry picked from commit 0e2e0fb955adf15a217949bc4cc337d53d2c7259)
(cherry picked from commit 6b1e5d4d20a94b5bebd726eb6d1df8dca2738f8e)
IP_DUMMYNET_GET is no longer used in ipfw(1).
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53348
(cherry picked from commit 28e52dea96809c7904e498759ee1f79bda929a82)
(cherry picked from commit 73c105268cc6138015241b080bc7945c6cde0fa6)
The failed allocation in the error pertains to IP_FW_XADD, not
IP_FW_ADD.
Reviewed by: ae
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53359
(cherry picked from commit 498e56142660c8dd864c878e820252358c9a15cf)
(cherry picked from commit c22437c8b574878241a3c897a095ae6939e66743)
Dummynet v3 switched to IP_DUMMYNET3 but did not update these
warnings/errors.
Fixes: cc4d3c30ea ("Bring in the most recent version of ipfw and dummynet, developed")
Sponsored by: The FreeBSD Foundation
Differential Revision: sbin/ipfw/ipfw2.c
(cherry picked from commit 1f95a517880bae5fc0a9fe4463a8f2ec36ed734a)
(cherry picked from commit a5dd21c7dd1f3c8103c2fc6a1caa5635d70671aa)
If the user specified a prefix length with either the internal or
external prefix, we'd jump to check_prefix where we'd dereference p,
which was most likely uninitialized.
Instead, store the various prefix lengths separately and check them
all after the loop.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D50597
(cherry picked from commit 64bc9ac8cd9a42259aeb1715d4e14902aa83fcac)
If a rule was added in compact form and the rule body is empty, print
the 'proto ip' opcode to be compatible with the ipfw(8) syntax parser.
Before:
$ ipfw add allow proto ip
000700 allow
After:
$ ipfw add allow proto ip
000700 allow proto ip
(cherry picked from commit 706a03f61bbb6e0cf10e6c3727966495b30d763e)
Move the descriptions of loader tunables from section 'SYSCTL VARIABLES'
to section 'LOADER TUNABLES'.
See also 49197c391b3d (ipfw: Add sysctl flag CTLFLAG_TUN to loader tunables).
MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D41981
(cherry picked from commit 12349f38898f231ca803dcf526bac88cb1b5cd2b)
Remove "goto charg" from the action parser.
This is a prerequisite for the further split of the gigantic
compile_rule().
Differential Revision: https://reviews.freebsd.org/D40490
MFC after: 2 weeks
The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.
Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix
Packet Mark is an analogue to ipfw tags with O(1) lookup from the mbuf, while
regular tags require a singly-linked list traversal.
Mark is a 32-bit number that can be looked up in a table
[with 'number' table-type], matched or compared with a number with optional
mask applied before comparison.
Having a generic nature, Mark can be used for a variety of needs.
For example, it could be used as a security group: the mark will hold a security
group id and represent a group of packet flows that share the same access
control policy.
Reviewed By: pauamma_gundo.com
Differential Revision: https://reviews.freebsd.org/D39555
MFC after: 1 month
The manual describes the "if*" form only, while the kernel uses fnmatch(3)
and allows the use of more versatile shell-like patterns.
Note that explicitly and provide an example.
MFC after: 3 days
It was renamed during review of D1776 but this entry slipped through.
PR: 243284
Reported by: pprocacci@gmail.com
Obtained from: Chad Jacob Milios <milios@ccsys.com>
Running "dnctl" vs "/sbin/dnctl" gave different results, because we
looked at the entire argv[0] string, rather than the basename.
Reviewed by: kp
Differential Revision: https://reviews.freebsd.org/D37431
By analogy with IP address matching, add a way to use ipfw radix
tables for MAC matching. This is implemented using a new ipfw table
with the mac:radix type. Also, src-mac and dst-mac lookup
commands are added.
Usage example:
ipfw table 1 create type mac
ipfw table 1 add 11:22:33:44:55:66/48
ipfw add skipto tablearg src-mac 'table(1)'
ipfw add deny src-mac 'table(1, 100)'
ipfw add deny lookup dst-mac 1
Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw
filtering on L2.
Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D35103
Extend the dnctl (dummynet config) tool to be able to read commands from
a file, just like ipfw already does.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D33627
Introduce a link to the ipfw command, dnctl, for dummynet configuration.
dnctl only handles dummynet configuration, and is part of the effort to
support dummynet in pf.
/sbin/ipfw continues to accept pipe, queue and sched commands, but these can
now also be issued via the new dnctl command.
Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30465
This allows the maximum value of 4294967295 (~4Gb/s) instead of the previous
value of 2147483647 (~2Gb/s).
Reviewed by: np, scottl
Obtained from: pfSense
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31582
Document the existing behavior, which is currently only available by
reading third party documentation or the source code itself.
PR: 254617
Submitted by: Oliver Kiddle
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D30189
Fix some erroneous lines in the example section.
PR: 248943
Submitted by: Jose Luis Duran
MFC after: 2 weeks
Reviewers: ae, manpages (gbe)
Differential Revision: https://reviews.freebsd.org/D30191
Hostnames starting with "tablearg" are considered as a functional
argument instead of a literal.
Reported by: ae
Reviewers: ae
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30208
The argument parser does not recognise the optional port for a
"tablearg" argument. The fix simplifies the code by making the internal
representation explicit for the parser.
PR: 252744
MFC: 1 week
Reported by: <bugs.freebsd.org@mx.zzux.com>
Approved by: nc
Tested by: <bugs.freebsd.org@mx.zzux.com>
Differential Revision: https://reviews.freebsd.org/D30164
ipfw -[tT] prints statistics of the last access. If the rule was never
used, the counter might not exist. This happens unconditionally on
inserting a new rule. Avoid printing statistics in this case.
PR: 255491
Reported by: Haisheng Zhouz
Reviewed by: ae
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30046
Most of the table types currently supported by ipfw have only one
algorithm implementation. When a user creates such tables, allow
the algo name to be omitted from the arguments. E.g. now it is possible:
ipfw table T1 create type number
ipfw table T2 create type iface
ipfw table T3 create type flow
PR: 233072
MFC after: 1 week
Sponsored by: Yandex LLC
to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user,
subnet) can have their own dedicated port aliasing ranges.
Reviewed by: donner, kp
Approved by: 0mp (mentor), donner, kp
Differential Revision: https://reviews.freebsd.org/D23450
Verify that the option is passed, error out if it's not.
The problem can be trivially triggered with `ipfw add allow ext6hdr`.
PR: 253169
Reviewed by: kp@
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D28447
- no blank before trailing delimiter
- missing section argument: Xr inet_pton
- skipping paragraph macro: Pp before Ss
- unusual Xr order: syslogd after sysrc
- tab in filled text
There were a few multiline NAT examples which used the .Dl macro with
tabs. I converted them to .Bd, which is a more suitable macro for that case.
MFC after: 1 week
Properly handle the case when some opcode keywords follow
the `frag` opcode without additional options.
Reported by: Evgeniy Khramtsov <evgeniy at khramtsov org>
This is a follow up change to r364321 after a discussion about the style.
All nearby places use extra blanks in format strings, and while use of the
format string to provide the extra blank may need more cycles than adding 1
to twidth, it generates shorter code and is clearer in the opinion of some
reviewers of the previous change.
Not objected to by: emaste
MFC after: 3 days
From the PR:
When I run `ipfw -t list` on release/12 or current, I get misaligned
output between lines that do and do not have a last match timestamp,
like so:
00100 Tue Aug 11 03:03:26 2020 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
(specifically, the "allow" and "deny" strings do not line up)
PR: 248608
Submitted by: Taylor Stearns
MFC after: 3 days
"df", "rf" and "offset". This allows matching on specific
bits of the ip_off field.
For compatibility reasons, the lack of a keyword means "offset".
Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D26021