31cf66d7 | 17-Dec-2023 | Richard Scheffenegger <rscheff@FreeBSD.org>

dummynet: add simple gilbert-elliott channel model

Have a simple Gilbert-Elliott channel model in dummynet to mimic correlated loss behavior of realistic environments. This allows simpler testing of burst-loss environments.

Reviewed By: tuexen, kp, pauamma_gundo.com, #manpages
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D42980

12349f38 | 27-Sep-2023 | Zhenlei Huang <zlei@FreeBSD.org>

ipfw.8: Adjust section for loader tunables

Move the descriptions of loader tunables from section 'SYSCTL VARIABLES' to section 'LOADER TUNABLES'.

See also 49197c391b3d (ipfw: Add sysctl flag CTLFLAG_TUN to loader tunables).

MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D41981

fa9896e0 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>

Remove $FreeBSD$: two-line nroff pattern

Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/

fc727ad6 | 24-Apr-2023 | Boris Lytochkin <lytboris@gmail.com>

ipfw: add [fw]mark implementation for ipfw

Packet Mark is an analogue to ipfw tags with O(1) lookup from mbuf, while regular tags require a single-linked list traversal. Mark is a 32-bit number that can be looked up in a table [with 'number' table-type], matched or compared with a number, with an optional mask applied before comparison.

Having a generic nature, Mark can be used in a variety of needs. For example, it could be used as a security group: mark will hold a security group id and represent a group of packet flows that share the same access control policy.

Reviewed By: pauamma_gundo.com
Differential Revision: https://reviews.freebsd.org/D39555
MFC after: 1 month

9f5dc374 | 25-Apr-2023 | Eugene Grosbein <eugen@FreeBSD.org>

ipfw.8: improve description for interface matching

The manual describes the "if*" form only, while the kernel uses fnmatch(3) and allows use of more versatile shell-like patterns. Note that explicitly and provide an example.

MFC after: 3 days

da52fc46 | 25-Jan-2023 | Ceri Davies <ceri@FreeBSD.org>

ipfw.8: there never was a "skip-action" action

It was renamed during review of D1776 but this entry slipped through.

PR: 243284
Reported by: pprocacci@gmail.com
Obtained from: Chad Jacob Milios <milios@ccsys.com>

bdd60b22 | 13-Jan-2023 | Jose Luis Duran <jlduran@gmail.com>

ipfw: Add missing 'va' code point name

Per RFC 5865, add the 'va' (VOICE-ADMIT, 101100) symbolic name.

Reviewed By: melifaro, pauamma
Differential Revision: https://reviews.freebsd.org/D37508
MFC after: 2 weeks

05b9737f | 17-Aug-2022 | Gleb Smirnoff <glebius@FreeBSD.org>

ipfw: make it possible to specify MTU for "unreach needfrag" action

Reviewed by: ae, pauamma
Differential revision: https://reviews.freebsd.org/D36140

81cac390 | 04-Jun-2022 | Arseny Smalyuk <smalukav@gmail.com>

ipfw: add support for radix tables and table lookup for MAC addresses

By analogy with IP address matching, add a way to use ipfw radix tables for MAC matching. This is implemented using a new ipfw table with mac:radix type. Also there are src-mac and dst-mac lookup commands added.

Usage example:

    ipfw table 1 create type mac
    ipfw table 1 add 11:22:33:44:55:66/48
    ipfw add skipto tablearg src-mac 'table(1)'
    ipfw add deny src-mac 'table(1, 100)'
    ipfw add deny lookup dst-mac 1

Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw filtering on L2.

Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D35103

9d7cefc2 | 13-May-2022 | Eugene Grosbein <eugen@FreeBSD.org>

ipfw.8: spell "layer2" consistently throughout the manual page

MFC after: 1 week

0b95680e | 25-May-2021 | Kristof Provost <kp@FreeBSD.org>

ipfw: Introduce dnctl

Introduce a link to the ipfw command, dnctl, for dummynet configuration. dnctl only handles dummynet configuration, and is part of the effort to support dummynet in pf.

/sbin/ipfw continues to accept pipe, queue and sched commands, but these can now also be issued via the new dnctl command.

Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30465

c8250c5a | 10-May-2021 | Lutz Donnerhacke <donner@FreeBSD.org>

ipfw.8: synopsis misses nat show form

Document the existing behavior, which is currently only available by reading third party documentation or the source code itself.

PR: 254617
Submitted by: Oliver Kiddle
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D30189

802637be | 10-May-2021 | Lutz Donnerhacke <donner@FreeBSD.org>

ipfw.8: Fix table example

Fix some erroneous lines in the example section.

PR: 248943
Submitted by: Jose Luis Duran
MFC after: 2 weeks
Reviewers: ae, manpages (gbe)
Differential Revision: https://reviews.freebsd.org/D30191

066a576c | 07-Apr-2021 | Roman Bogorodskiy <novel@FreeBSD.org>

ipfw: update man page example for nat show log

In d6164b77f8b779cd7357387dcfcd3407f1457579 the ability to show ranges of nat log entries was removed.

PR: 254192
Reviewed by: allanjude

a08cdb6c | 02-Feb-2021 | Neel Chauhan <nc@FreeBSD.org>

Allow setting alias port ranges in libalias and ipfw.

This will allow a system to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user, subnet) can have their own dedicated port aliasing ranges.

Reviewed by: donner, kp
Approved by: 0mp (mentor), donner, kp
Differential Revision: https://reviews.freebsd.org/D23450

bae74ca9 | 18-Dec-2020 | Gordon Bergling <gbe@FreeBSD.org>

ipfw(8): Fix a few mandoc related issues

- no blank before trailing delimiter
- missing section argument: Xr inet_pton
- skipping paragraph macro: Pp before Ss
- unusual Xr order: syslogd after sysrc
- tab in filled text

There were a few multiline NAT examples which used the .Dl macro with tabs. I converted them to .Bd, which is a more suitable macro for that case.

MFC after: 1 week

8636dd57 | 03-Oct-2020 | Gordon Bergling <gbe@FreeBSD.org>

ipfw(8): Bugfixes for some issues reported by mandoc

- whitespace at end of input line
- new sentence, new line
- skipping paragraph macro: Pp before Pp

MFC after: 1 week

71230912 | 21-Aug-2020 | Fernando Apesteguía <fernape@FreeBSD.org>

ipfw(8): Fix typo in man page

s/exmaple/example

Approved by: manpages (gbe@)
Differential Revision: https://reviews.freebsd.org/D26147

825398f9 | 11-Aug-2020 | Gleb Smirnoff <glebius@FreeBSD.org>

ipfw: make the "frag" keyword accept additional options "mf", "df", "rf" and "offset".

This allows matching on specific bits of the ip_off field. For compatibility reasons, lack of a keyword means "offset".

Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D26021

75b89337 | 24-Jan-2020 | Alexander V. Chernikov <melifaro@FreeBSD.org>

Add support for RFC 6598/Carrier Grade NAT subnets to libalias and ipfw.

In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added. This is like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware.

Also, we add a new NAT option to ipfw called unreg_cgn, which is like unreg_only, but also is RFC 6598-aware.

The reason for the new flags/options is to avoid breaking existing networks, especially those which rely on RFC 6598 as an external address.

Submitted by: Neel Chauhan <neel AT neelc DOT org>
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D22877

978f2d17 | 21-Jun-2019 | Andrey V. Elsukov <ae@FreeBSD.org>

Add "tcpmss" opcode to match the TCP MSS value.

With this opcode it is possible to match TCP packets with a specified MSS option, whose value corresponds to the value configured in the opcode. It is allowed to specify a single value, a range of values, or an array of specific values or ranges. E.g.

    # ipfw add deny log tcp from any to any tcpmss 0-500

Reviewed by: melifaro, bcr
Obtained from: Yandex LLC
MFC after: 1 week
Sponsored by: Yandex LLC

05ab1ef6 | 24-May-2019 | Andrey V. Elsukov <ae@FreeBSD.org>

Add `missing` and `or-flush` options to "ipfw table <NAME> create" command to simplify firewall reloading.

The `missing` option suppresses the EEXIST error code, but does check that the existing table has the same parameters as the new one. The `or-flush` option implies the `missing` option and additionally flushes the table if it already exists.

Submitted by: lev
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D18339

da343996 | 21-Apr-2019 | Benedict Reuschling <bcr@FreeBSD.org>

Typo fix in ipfw.8: amd -> and

There is an (obvious) typo in the following sentence: "Please note, that keep-state amd limit imply implicit check-state for ..." Replace the "amd" with "and", bump .Dd.

PR: 237438
Submitted by: michael@galassi.us
MFC after: 3 days

d18c1f26 | 19-Mar-2019 | Andrey V. Elsukov <ae@FreeBSD.org>

Reapply r345274 with build fixes for 32-bit architectures.

Update NAT64LSN implementation:

o most of the data structures and relations were modified to be able to support a large number of translation states. Now each supported protocol can use the full ports range. Ports groups now belong to IPv4 alias addresses, not hosts. Each ports group can keep several states chunks. This is controlled with the new `states_chunks` config option. States chunks allow having several translation states for a single alias address and port, but for different destination addresses.
o by default all hash tables now use jenkins hash.
o ConcurrencyKit and epoch(9) are used to make NAT64LSN lockless on the fast path.
o one NAT64LSN instance now can be used to handle several IPv6 prefixes; the special prefix "::" value should be used for this purpose when the instance is created.
o due to modified internal data structures relations, the socket opcode that does states listing was changed.

Obtained from: Yandex LLC
MFC after: 1 month
Sponsored by: Yandex LLC

d6369c2d | 18-Mar-2019 | Andrey V. Elsukov <ae@FreeBSD.org>

Revert r345274.

It appears that not all 32-bit architectures have the necessary CK primitives.

d7a1cf06 | 17-Mar-2019 | Andrey V. Elsukov <ae@FreeBSD.org>

Update NAT64LSN implementation:

o most of the data structures and relations were modified to be able to support a large number of translation states. Now each supported protocol can use the full ports range. Ports groups now belong to IPv4 alias addresses, not hosts. Each ports group can keep several states chunks. This is controlled with the new `states_chunks` config option. States chunks allow having several translation states for a single alias address and port, but for different destination addresses.
o by default all hash tables now use jenkins hash.
o ConcurrencyKit and epoch(9) are used to make NAT64LSN lockless on the fast path.
o one NAT64LSN instance now can be used to handle several IPv6 prefixes; the special prefix "::" value should be used for this purpose when the instance is created.
o due to modified internal data structures relations, the socket opcode that does states listing was changed.

Obtained from: Yandex LLC
MFC after: 1 month
Sponsored by: Yandex LLC

5c04f73e | 18-Mar-2019 | Andrey V. Elsukov <ae@FreeBSD.org>

Add NAT64 CLAT implementation as defined in RFC6877.

CLAT is a customer-side translator that algorithmically translates 1:1 private IPv4 addresses to global IPv6 addresses, and vice versa. It is implemented as part of the ipfw_nat64 kernel module. When the module is loaded or compiled into the kernel, it registers the "nat64clat" external action. An external action named instance can be created using the `create` command and then used in ipfw rules. The create command accepts two IPv6 prefixes `plat_prefix` and `clat_prefix`. If plat_prefix is omitted, the IPv6 NAT64 Well-Known prefix 64:ff9b::/96 will be used.

    # ipfw nat64clat CLAT create clat_prefix SRC_PFX plat_prefix DST_PFX
    # ipfw add nat64clat CLAT ip4 from IPv4_PFX to any out
    # ipfw add nat64clat CLAT ip6 from DST_PFX to SRC_PFX in

Obtained from: Yandex LLC
Submitted by: Boris N. Lytochkin
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC

b11efc1e | 18-Mar-2019 | Andrey V. Elsukov <ae@FreeBSD.org>

Modify struct nat64_config.

Add a second IPv6 prefix to the generic config structure and rename other fields to conform to RFC6877. Now it contains two prefixes and lengths: PLAT is the provider-side translator that translates N:1 global IPv6 addresses to global IPv4 addresses. CLAT is the customer-side translator (XLAT) that algorithmically translates 1:1 IPv4 addresses to global IPv6 addresses.

Use the PLAT prefix in stateless (nat64stl) and stateful (nat64lsn) translators. Modify nat64_extract_ip4() and nat64_embed_ip4() functions to accept a prefix length and use plat_plen to specify the prefix length.

Retire the net.inet.ip.fw.nat64_allow_private sysctl variable. Add the NAT64_ALLOW_PRIVATE flag and use the "allow_private" config option to configure this ability separately for each NAT64 instance.

Obtained from: Yandex LLC
MFC after: 1 month
Sponsored by: Yandex LLC

65847dc9 | 01-Mar-2019 | Guangyuan Yang <ygy@FreeBSD.org>

Fix typos and caps for ipfw(8) man page.

MFC after: 3 days
PR: 236030
Submitted by: olgeni

bdf56516 | 28-Feb-2019 | Tom Rhodes <trhodes@FreeBSD.org>

Grammar tweaks in ipfw manual page.

d66f9c86 | 04-Dec-2018 | Andrey V. Elsukov <ae@FreeBSD.org>

Add ability to request listing and deleting only for dynamic states.

This can be useful when net.inet.ip.fw.dyn_keep_states is enabled, but after rules reloading some state must be deleted. Added new flag '-D' for such purpose. Retire the '-e' flag, since there can not be expired states in the meaning that this flag historically had.

Also add "verbose" mode for listing of dynamic states; it can be enabled with the '-v' flag and adds additional information to the states list. This can be useful for debugging.

Obtained from: Yandex LLC
MFC after: 2 months
Sponsored by: Yandex LLC

3b783970 | 26-Nov-2018 | Eugene Grosbein <eugen@FreeBSD.org>

Small language fix after r340978.

MFC after: 3 days

3a498c2e | 26-Nov-2018 | Eugene Grosbein <eugen@FreeBSD.org>

ipfw.8: add new section to EXAMPLES: SELECTIVE MIRRORING

If your network has a network traffic analyzer connected to your host directly via a dedicated interface or remotely via an RSPAN vlan, you can selectively mirror some ethernet layer2 frames to the analyzer. ...

e9e747ef | 22-Nov-2018 | Guangyuan Yang <ygy@FreeBSD.org>

Fix a minor typo in ipfw(8) manual page.

PR: 230747
Submitted by: f.toscan@hotmail.it
MFC after: 1 week

14b520ea | 20-Nov-2018 | Guangyuan Yang <ygy@FreeBSD.org>

Fix incorrect DSCP value range from 0..64 to 0..63.

PR: 232786
Submitted by: Sergey Akhmatov <sergey@akhmatov.ru>
Reviewed by: AllanJude
MFC after: 1 week

d95e8d64 | 13-Nov-2018 | Eugene Grosbein <eugen@FreeBSD.org>

Fix part of the SYNOPSIS documenting LIST OF RULES AND PREPROCESSING that is still referred to as the last section of the SYNOPSIS later but was erroneously situated in the section IN-KERNEL NAT.

MFC after: 1 month

b2b56606 | 12-Nov-2018 | Andrey V. Elsukov <ae@FreeBSD.org>

Add ability to use dynamic external prefix in ipfw_nptv6 module.

Now an interface name can be specified for an nptv6 instance instead of ext_prefix. The module will track if_addr_ext events and when a suitable IPv6 address is added to the specified interface, it will be configured as the external prefix. When the address disappears, the instance becomes unusable, i.e. it doesn't match any packets.

Reviewed by: 0mp (manpages)
Tested by: Dries Michiels <driesm dot michiels gmail com>
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D17765

6ff080c4 | 08-Nov-2018 | Eugene Grosbein <eugen@FreeBSD.org>

ipfw.8: fix small syntax error in an example

MFC after: 3 days

5a2b0b0d | 04-Nov-2018 | Eugene Grosbein <eugen@FreeBSD.org>

ipfw(8): clarify layer2 processing abilities

Make it clear that the ipfw action set for layer2 frames is a bit limited.

PR: 59835
Reviewed by: yuripv
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D17719

aa271561 | 21-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>

Retire IPFIREWALL_NAT64_DIRECT_OUTPUT kernel option.

And add ability to switch the output method at run-time. Also document some sysctl variables that can be changed for the NAT64 module.

NAT64 had the compile time option IPFIREWALL_NAT64_DIRECT_OUTPUT to use if_output directly from the nat64 module. By default the netisr based output method is used. Now both methods can be used, but they require different handling by rules.

Obtained from: Yandex LLC
MFC after: 3 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D16647

c049e7c4 | 27-Sep-2018 | Guangyuan Yang <ygy@FreeBSD.org>

Add description, parameters, options, sysctl and examples of using AQMs to ipfw man page.

CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet exist in FreeBSD 11 and 10.3.

Submitted by: ralsaadi@swin.edu.au
Reviewed by: AllanJude
Approved by: re (gjb)
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D12507

f4d5e7d8 | 10-Aug-2018 | Andrey V. Elsukov <ae@FreeBSD.org>

Restore the behaviour changed in r337536, when a bad `ipfw delete` command returns an error.

Now the -q option only makes it quiet. And when the -f flag is specified, the command will ignore errors and continue executing with the next batched command.

MFC after: 2 weeks

f7c4fdee | 09-Jul-2018 | Andrey V. Elsukov <ae@FreeBSD.org>

Add "record-state", "set-limit" and "defer-action" rule options to ipfw.

"record-state" is similar to "keep-state", but it doesn't produce an implicit O_PROBE_STATE opcode in a rule.

"set-limit" is like "limit", but it has the same feature as "record-state": it is a single opcode without an implicit O_PROBE_STATE opcode.

"defer-action" is targeted to be used with dynamic states. When a rule with this opcode is matched, the rule's action will not be executed; instead a dynamic state will be created. And when this state is matched by "check-state", then the rule action will be executed. This allows creating more complicated rulesets.

Submitted by: lev
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D1776

de68a320 | 03-Jul-2018 | Jamie Gritton <jamie@FreeBSD.org>

Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8), sockstat(1), ugidfw(8)

These are the last of the jail-aware userland utilities that didn't work with names.

PR: 229266
MFC after: 3 days
Differential Revision: D16047

0df37a20 | 28-Jun-2018 | Andrey V. Elsukov <ae@FreeBSD.org>

Remove extra "ipfw" from example.

MFC after: 1 week

c54e0abb | 08-May-2018 | Andrey V. Elsukov <ae@FreeBSD.org>

Update NAT64 documentation, now we support any IPv6 prefixes.

MFC after: 1 month

e5e8324f | 11-Apr-2018 | Oleg Bulyzhin <oleg@FreeBSD.org>

Fix typo.

MFC after: 1 week

b43b604b | 19-Mar-2018 | Andrey V. Elsukov <ae@FreeBSD.org>

Remove note that `fwd tablearg` is supported only by IPv4.

IPv6 is supported too.

MFC after: 1 week

12c080e6 | 12-Mar-2018 | Andrey V. Elsukov <ae@FreeBSD.org>

Do not try to reassemble IPv6 fragments in "reass" rule.

ip_reass() expects an IPv4 packet and will just corrupt any IPv6 packets that it gets. Until a proper IPv6 fragment handling function is implemented, pass IPv6 packets to the next rule.

PR: 170604
MFC after: 1 week

9ea81ab5 | 13-Feb-2018 | Nick Hibma <n_hibma@FreeBSD.org>

DSCP values passed to setdscp need to be lowercase.

See definition of f_ipdscp values. They are compared against using bcmp which is case sensitive.

MFC after: 1 week

837fe325 | 27-Dec-2017 | Eitan Adler <eadler@FreeBSD.org>

Fix a few more speelling errors

Reviewed by: bjk
Reviewed by: jilles (incl formal "accept")
Differential Revision: https://reviews.freebsd.org/D13650

665c8a2e | 26-Nov-2017 | Michael Tuexen <tuexen@FreeBSD.org>

Add to ipfw support for sending an SCTP packet containing an ABORT chunk.

This is similar to the TCP case, where a TCP RST segment can be sent.

There is one limitation: When sending an ABORT in response to an incoming packet, it should be tested if there is no ABORT chunk in the received packet. Currently, it is only checked if the first chunk is an ABORT chunk to avoid parsing the whole packet, which could result in a DOS attack.

Thanks to Timo Voelker for helping me to test this patch.

Reviewed by: bcr@ (man page part), ae@ (generic, non-SCTP part)
Differential Revision: https://reviews.freebsd.org/D13239

94590638 | 02-Oct-2017 | Michael Tuexen <tuexen@FreeBSD.org>

Fix a bug which avoided that rules for matching port numbers for SCTP packets were actually matched.

While there, make clear in the man page that SCTP port numbers are supported in rules.

MFC after: 1 month

c2dbd123 | 23-Jun-2017 | Emmanuel Vadot <manu@FreeBSD.org>

ipfw: Note that bandwidth can take G suffix in the manpage

Reported by: Jose Luis Duran (github)

b3fc23db | 01-Jun-2017 | Emmanuel Vadot <manu@FreeBSD.org>

ipfw.8: Note that the ipfw_nat kernel module must be loaded or that the IPFIREWALL_NAT options must be in the kernel config in order to use in-kernel nat.

MFC after: 3 days

421c5838 | 02-May-2017 | Andrey V. Elsukov <ae@FreeBSD.org>

Add `ipfw table all destroy` support.

PR: 212669
MFC after: 1 week

aac74aea | 02-Apr-2017 | Andrey V. Elsukov <ae@FreeBSD.org>

Add ipfw_pmod kernel module.

The module is designed for modification of packets of any protocol. For now it implements only TCP MSS modification. It adds the external action handler for the "tcp-setmss" action. A rule with the tcp-setmss action does an additional check for protocol and TCP flags. If the SYN flag is present, it parses TCP options and modifies the MSS option if its value is greater than the configured value in the rule. Then it adjusts the TCP checksum if needed. After handling, the search continues with the next rule.

Obtained from: Yandex LLC
MFC after: 2 weeks
Relnotes: yes
Sponsored by: Yandex LLC
No objection from: #network
Differential Revision: https://reviews.freebsd.org/D10150

6ed14738 | 15-Mar-2017 | Andrey V. Elsukov <ae@FreeBSD.org>

Change the syntax of ipfw's named states.

Since the state name is an optional argument, it often can conflict with other options. To avoid ambiguity, now the state name must be prefixed with a colon.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC

23b93085 | 18-Oct-2016 | Andrey V. Elsukov <ae@FreeBSD.org>

Add support for non-contiguous IPv6 masks in ipfw(8) rules.

For example fe::640:0:0/ffff::ffff:ffff:0:0 will match addresses fe:*:*:*:0:640:*:*

Submitted by: Eugene Mamchits <mamchits at yandex-team dot ru>
Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC

77ecef37 | 21-Aug-2016 | Bjoern A. Zeeb <bz@FreeBSD.org>

Remove the kernel option for IPSEC_FILTERTUNNEL, which was deprecated more than 7 years ago in favour of a sysctl in r192648.

57fb3b7a | 13-Aug-2016 | Andrey V. Elsukov <ae@FreeBSD.org>

Add `stats reset` command implementation to NPTv6 module to be able to reset statistics counters.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC

d8caf56e | 13-Aug-2016 | Andrey V. Elsukov <ae@FreeBSD.org>

Add ipfw_nat64 module that implements stateless and stateful NAT64.

The module works together with ipfw(4) and is implemented as its external action module.

Stateless NAT64 registers an external action with name nat64stl. This keyword should be used to create a NAT64 instance and to address this instance in rules. Stateless NAT64 uses two lookup tables with mapped IPv4->IPv6 and IPv6->IPv4 addresses to perform translation. A configuration of an instance should look like this:

1. Create lookup tables:
    # ipfw table T46 create type addr valtype ipv6
    # ipfw table T64 create type addr valtype ipv4
2. Fill T46 and T64 tables.
3. Add rule to allow neighbor solicitation and advertisement:
    # ipfw add allow icmp6 from any to any icmp6types 135,136
4. Create NAT64 instance:
    # ipfw nat64stl NAT create table4 T46 table6 T64
5. Add rules that match the traffic:
    # ipfw add nat64stl NAT ip from any to table(T46)
    # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
6. Configure DNS64 for IPv6 clients and add a route to 64:ff9b::/96 via the NAT64 host.

Stateful NAT64 registers an external action with name nat64lsn. The only option required to create a nat64lsn instance is prefix4. It defines the pool of IPv4 addresses used for translation. A configuration of an instance should look like this:

1. Add rule to allow neighbor solicitation and advertisement:
    # ipfw add allow icmp6 from any to any icmp6types 135,136
2. Create NAT64 instance:
    # ipfw nat64lsn NAT create prefix4 A.B.C.D/28
3. Add rules that match the traffic:
    # ipfw add nat64lsn NAT ip from any to A.B.C.D/28
    # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
4. Configure DNS64 for IPv6 clients and add a route to 64:ff9b::/96 via the NAT64 host.

Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6434

ed22e564 | 18-Jul-2016 | Andrey V. Elsukov <ae@FreeBSD.org>

Add named dynamic states support to ipfw(4).

The keep-state, limit and check-state now will have an additional argument flowname. This flowname will be assigned to the dynamic rule by the keep-state or limit opcode. And then it can be matched by the check-state opcode or the O_PROBE_STATE internal opcode.

To reduce possible breakage and to maximize compatibility with old rulesets, a default flowname is introduced. It will be assigned to the rules when the user has omitted the state name in keep-state and check-state opcodes. Also if the name is ambiguous (can be evaluated as a rule opcode) it will be replaced with the default.

Reviewed by: julian
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6674

b867e84e | 18-Jul-2016 | Andrey V. Elsukov <ae@FreeBSD.org>

Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6 as defined in RFC 6296.

The module works together with ipfw(4) and is implemented as its external action module. When it is loaded, it registers as an eaction and can be used in rules. The usage pattern is similar to ipfw_nat(4). All traffic matched by the rule goes to the NPT module.

Reviewed by: hrs
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6420

a25ffb5a | 01-Jun-2016 | Don Lewis <truckman@FreeBSD.org>

Belatedly bump .Dd date for Dummynet AQM import in r300779.

2530ed9e | 13-Mar-2015 | Andrey V. Elsukov <ae@FreeBSD.org>

Fix `ipfw fwd tablearg'.

Use the dedicated field nh4 in struct table_value to obtain the IPv4 next hop address in the tablearg case.

Add `fwd tablearg' support for IPv6. ipfw(8) uses INADDR_ANY as the next hop address in the O_FORWARD_IP opcode for specifying the tablearg case. For IPv6 we still use this opcode, but when the packet is identified as an IPv6 packet, we obtain the next hop address from the dedicated field nh6 in struct table_value.

Replace the hopstore field in struct ip_fw_args with an anonymous union and add the hopstore6 field. Use this field to copy the tablearg value for IPv6.

Replace the spare1 field in struct table_value with zoneid. Use it to keep the scope zone id for link-local IPv6 addresses. Since spare1 was used internally, replace the spare0 array with two variables spare0 and spare1.

Use getaddrinfo(3)/getnameinfo(3) functions for parsing and formatting IPv6 addresses in table_value. Use the zoneid field in struct table_value to store the sin6_scope_id value.

Since the kernel still uses the embedded scope zone id to represent link-local addresses, convert the next_hop6 address into this form before return from pfil processing. This also fixes the in6_localip() check for link-local addresses.

Differential Revision: https://reviews.freebsd.org/D2015
Obtained from: Yandex LLC
Sponsored by: Yandex LLC

f7e00d4b | 29-Dec-2014 | Joel Dahl <joel@FreeBSD.org>

mdoc: remove EOL whitespace.

d4d112e3 | 23-Nov-2014 | Joel Dahl <joel@FreeBSD.org>

Misc mdoc fixes:

- Remove superfluous paragraph macros.
- Remove/fix empty or incorrect macros.
- Sort sections into conventional order.
- Terminate quoted strings properly.
- Remove EOL whitespace.

ca807c8a | 24-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>

Fix documentation issue.

PR: 194581
Submitted by: madpilot

5371ab14 | 03-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>

Document new table values.

Sponsored by: Yandex LLC

c21034b7 | 14-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>

Replace "cidr" table type with "addr" type.

Suggested by: luigi

fd0869d5 | 14-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>

* Document internal commands.
* Do not require/set default table type if algo name is specified.
* Add TA_FLAG_READONLY option for algorithms.

75d79421 | 13-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>

Document table set-awareness in ipfw(8).

658331e5 | 12-Aug-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>

Document most of the changes that have happened.

df2d82e0 | 23-Jun-2014 | Joel Dahl <joel@FreeBSD.org>

mdoc: remove superfluous paragraph macros.

bd0891ce | 20-Jun-2014 | Baptiste Daroussin <bapt@FreeBSD.org>

use .Mt to mark up email addresses consistently (part1)

PR: 191174
Submitted by: Franco Fichtner <franco@lastsummer.de>

fc5e1956 | 01-Jun-2014 | Hiren Panchasara <hiren@FreeBSD.org>

ECN marking implementation for dummynet.

Changes include both DCTCP and RFC 3168 ECN marking methodology.

DCTCP draft: http://tools.ietf.org/html/draft-bensley-tcpm-dctcp-00

Submitted by: Midori Kato (aoimidori27@gmail.com)
Worked with: Lars Eggert (lars@netapp.com)
Reviewed by: luigi, hiren

78c161f2 | 21-Dec-2013 | Chris Rees <crees@FreeBSD.org>

Minor grammar fix

PR: docs/185057
Submitted by: Yuri (yuri@rawbw.com)
Approved by: gjb (mentor)

fb2b51fa | 18-Dec-2013 | Alexander V. Chernikov <melifaro@FreeBSD.org>

Add net.inet.ip.fw.dyn_keep_states sysctl which re-links dynamic states to default rule instead of flushing on rule deletion.

This can be useful while performing ruleset reload (think about `atomic` reload via changing sets). Currently it is turned off by default.

MFC after: 2 weeks
Sponsored by: Yandex LLC

8310a2b8 | 24-Jul-2013 | Stefan Eßer <se@FreeBSD.org>

Remove duplicated paragraph.

MFC after: 3 days

2063b2c0 | 11-Apr-2013 | Joel Dahl <joel@FreeBSD.org>

Minor spelling and grammar fixes.

b22247c2 | 21-Mar-2013 | Joel Dahl <joel@FreeBSD.org>

Remove EOL whitespace.

ae01d73c | 20-Mar-2013 | Alexander V. Chernikov <melifaro@FreeBSD.org>

Add ipfw support for setting/matching DiffServ codepoints (DSCP).

Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. Dscp can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via tablearg.

Matching DSCP is done via another opcode (O_DSCP) which accepts several classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).

Many people made their variants of this patch, the ones I'm aware of are (in alphabetic order):

Dmitrii Tejblum
Marcelo Araujo
Roman Bogorodskiy (novel)
Sergey Matveichuk (sem)
Sergey Ryabin

PR: kern/102471, kern/121122
MFC after: 2 weeks

ffdbf9da | 01-Nov-2012 | Andrey V. Elsukov <ae@FreeBSD.org>

Remove the recently added sysctl variable net.pfil.forward.

Instead, add protocol specific mbuf flags M_IP_NEXTHOP and M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup only when this flag is set.

Suggested by: andre

c1de64a4 | 25-Oct-2012 | Andrey V. Elsukov <ae@FreeBSD.org>

Remove the IPFIREWALL_FORWARD kernel option and make it possible to turn on the related functionality at runtime via the sysctl variable net.pfil.forward.

It is turned off by default.

Sponsored by: Yandex LLC
Discussed with: net@
MFC after: 2 weeks

2aecf1d1 | 18-Sep-2012 | Benjamin Kaduk <bjk@FreeBSD.org>

Fix grammar in the portion about FIBs.

Also, cross-reference setfib(2) instead of setfib(1) for the 16-FIB limit.

PR: docs/157452
Approved by: hrs (mentor)

#
3a99e819 |
|
17-Sep-2012 |
Benjamin Kaduk <bjk@FreeBSD.org> |
Whitespace cleanup for ipfw.8 -- start each sentence on a new line, and put a comma after e.g. and i.e.. While here, wrap long lines. PR: docs/157452 Approved by: hrs (mentor)
|
#
8e683241 |
|
16-Jul-2012 |
Isabell Long <issyl0@FreeBSD.org> |
In ipfw(8), make the text about dynamic rules consistent. PR: docs/120539 Approved by: gabor (mentor) MFC after: 5 days
|
#
8efbd296 |
|
09-Jul-2012 |
Hiroki Sato <hrs@FreeBSD.org> |
Make ipfw0 logging pseudo-interface clonable. It can be created automatically by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8) after a boot. Discussed on: freebsd-ipfw@
|
#
82cecbea |
|
03-Jul-2012 |
Isabell Long <issyl0@FreeBSD.org> |
- Make ipfw's sched rules case insensitive, for user-friendliness. - Add a note to the ipfw(8) man page about the rules no longer being case sensitive. - Fix some typos in the man page. PR: docs/164772 Reviewed by: bz Approved by: gabor (doc mentor, src committer) MFC after: 2 weeks
|
#
2bd61de0 |
|
09-Jun-2012 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Update maximum number of tables available in ipfw to reflect changes done in r233478. Approved by: kib(mentor) MFC after: 3 days
|
#
5da44209 |
|
12-May-2012 |
Joel Dahl <joel@FreeBSD.org> |
mdoc: use Po and Pc macros instead of parens. Also avoid starting a line with Ns.
|
#
50d675f7 |
|
28-Mar-2012 |
Eitan Adler <eadler@FreeBSD.org> |
Remove trailing whitespace per mdoc lint warning Discussed with: gavin No objection from: doc Approved by: joel MFC after: 3 days
|
#
732d27b3 |
|
25-Mar-2012 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
- Permit number of ipfw tables to be changed in runtime. net.inet.ip.fw.tables_max is now read-write. - Bump IPFW_TABLES_MAX to 65535 Default number of tables is still 128 - Remove IPFW_TABLES_MAX from ipfw(8) code. Sponsored by Yandex LLC Approved by: kib(mentor) MFC after: 2 weeks
|
#
091eeb48 |
|
25-Mar-2012 |
Joel Dahl <joel@FreeBSD.org> |
Remove superfluous paragraph macro.
|
#
f8bee51a |
|
12-Mar-2012 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
- Add ipfw eXtended tables permitting radix to be used for any kind of keys. - Add support for IPv6 and interface extended tables - Make number of tables to be loader tunable in range 0..65534. - Use IP_FW3 opcode for all new extended table cmds No ABI changes are introduced. Old userland will see valid tables for IPv4 tables and no entries otherwise. Flush works for any table. IP_FW3 socket option is used to encapsulate all new opcodes: /* IP_FW3 header/opcodes */ typedef struct _ip_fw3_opheader { uint16_t opcode; /* Operation opcode */ uint16_t reserved[3]; /* Align to 64-bit boundary */ } ip_fw3_opheader; New opcodes added: IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST ipfw(8) table argument parsing behavior is changed: 'ipfw table 999 add host' now assumes 'host' to be interface name instead of hostname. New tunable: net.inet.ip.fw.tables_max controls number of table supported by ipfw in given VNET instance. 128 is still the default value. New syntax: ipfw add skipto tablearg ip from any to any via table(42) in ipfw add skipto tablearg ip from any to any via table(4242) out This is a bit hackish, special interface name '\1' is used to signal interface table number is passed in p.glob field. Sponsored by Yandex LLC Reviewed by: ae Approved by: ae (mentor) MFC after: 4 weeks
|
#
1748d1e5 |
|
28-Feb-2012 |
Gavin Atkinson <gavin@FreeBSD.org> |
Correct capitalization of "Hz" in user-visible text (manpages, printf(), etc). MFC after: 3 days
|
#
600103fc |
|
06-Feb-2012 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Bump .Dd for r231076. Submitted by: bz
|
#
23ccd3d9 |
|
06-Feb-2012 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Make the 'tcpwin' option of ipfw(8) accept ranges and lists. Submitted by: sem
|
#
0809c540 |
|
09-Nov-2011 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Note that NAT instance argument can be tablearg. PR: misc/162265 Submitted by: Paul Procacci <pprocacci gmail.com>
|
#
8a006adb |
|
20-Aug-2011 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Add support for IPv6 to ipfw fwd: Distinguish IPv4 and IPv6 addresses and optional port numbers in user space to set the option for the correct protocol family. Add support in the kernel for carrying the new IPv6 destination address and port. Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change the address in the IP header. Add support for IPv6 forwarding to a non-local destination. Add a regression test utilizing VIMAGE to check all 20 possible combinations I could think of. Obtained from: David Dolson at Sandvine Incorporated (original version for ipfw fwd IPv6 support) Sponsored by: Sandvine Incorporated PR: bin/117214 MFC after: 4 weeks Approved by: re (kib)
|
#
9527ec6e |
|
29-Jun-2011 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add new rule actions "call" and "return" to ipfw. They make it possible to organize subroutines with rules. The "call" action saves the current rule number in the internal stack and rules processing continues from the first rule with specified number (similar to skipto action). If later a rule with "return" action is encountered, the processing returns to the first rule with number of "call" rule saved in the stack plus one or higher. Submitted by: Vadim Goncharov Discussed by: ipfw@, luigi@
|
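Added example, not code from ipfw or the man page: a small simulator of rule walking that implements the skipto, call and return semantics the entry above describes. A call pushes the calling rule's number and jumps like skipto (to the first rule numbered at or above the target); a return pops it and resumes at the first rule numbered above the saved one. The ruleset, matchers and packets are constructed; what a return does when the stack is empty is not stated in the log, and this simulator's choice (drop) is an assumption.

```python
# Added example (not ipfw code): skipto / call / return rule walking.
from collections import namedtuple

Rule = namedtuple("Rule", "number action arg match")   # match: packet dict -> bool

DEFAULT_RULE = 65535   # the stock default rule, 'deny ip from any to any'


def first_rule_at_or_after(rules, number):
    """skipto/call target: the first rule whose number is >= the given one."""
    for idx, rule in enumerate(rules):
        if rule.number >= number:
            return idx
    return None            # no such rule: run off the end of the ruleset


def process(rules, packet):
    """Walk the ruleset for one packet; return (verdict, numbers of rules that matched)."""
    stack = []             # ipfw keeps this per packet, in an mbuf tag
    trace = []
    idx = 0
    while idx is not None and idx < len(rules):
        rule = rules[idx]
        if not rule.match(packet):
            idx += 1
            continue
        trace.append(rule.number)
        if rule.action in ("allow", "deny"):
            return rule.action, trace
        if rule.action == "count":
            idx += 1
        elif rule.action == "skipto":
            idx = first_rule_at_or_after(rules, rule.arg)
        elif rule.action == "call":
            stack.append(rule.number)                   # remember where we came from
            idx = first_rule_at_or_after(rules, rule.arg)
        elif rule.action == "return":
            if not stack:
                # Assumption of this simulator: a 'return' with nothing on
                # the stack drops the packet.
                return "deny", trace
            saved = stack.pop()
            idx = first_rule_at_or_after(rules, saved + 1)   # rule after the 'call'
        else:
            raise ValueError("unknown action %r" % (rule.action,))
    trace.append(DEFAULT_RULE)
    return "deny", trace


BAD_SOURCES = {"192.0.2.7"}     # constructed sample; think 'table(1)'


def is_smtp(p):
    return p["proto"] == "tcp" and p["dport"] == 25


RULES = [
    Rule(50,   "skipto", 200,  lambda p: p["proto"] == "icmp"),
    Rule(100,  "call",   1000, is_smtp),             # subroutine for SMTP
    Rule(200,  "allow",  None, lambda p: True),
    # subroutine 1000..1020; 'return' lands on the first rule above 100
    Rule(1000, "deny",   None, lambda p: p["src"] in BAD_SOURCES),
    Rule(1010, "count",  None, lambda p: True),
    Rule(1020, "return", None, lambda p: True),
]


def decide(packet):
    return process(RULES, packet)


if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "src": "10.0.0.5", "dport": 25},
                {"proto": "tcp", "src": "192.0.2.7", "dport": 25},
                {"proto": "icmp", "src": "10.0.0.5", "dport": 0}):
        print(pkt, "->", decide(pkt))
```

The trace shows why rule numbering matters for subroutines: the return resumes at rule 200 only because 200 is the first rule numbered above the call at 100, so inserting a rule between 100 and 200 changes where the subroutine returns to.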
#
1875bbfe |
|
14-Jun-2011 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Implement "global" mode for ipfw nat. It is similar to natd(8) "globalport" option for multiple NAT instances. If ipfw rule contains "global" keyword instead of nat_number, then for each outgoing packet ipfw_nat looks up translation state in all configured nat instances. If an entry is found, the packet is aliased according to that entry, otherwise the packet is passed unchanged. User can specify "skip_global" option in NAT configuration to exclude an instance from the lookup in global mode. PR: kern/157867 Submitted by: Alexander V. Chernikov (previous version) Tested by: Eugene Grosbein
|
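Added example, not libalias or ipfw_nat code: how the global mode from the entry above behaves for an outgoing packet. A normal `nat N` rule creates translation state in instance N; a later `nat global` rule searches every instance that is not configured with skip_global for existing state, aliases the packet if it finds some, and otherwise passes it unchanged. Instance numbers, alias addresses, the port allocator and the flows are constructed.

```python
# Added example (not ipfw_nat code): 'nat global' lookup across instances.

class NatInstance:
    """One 'ipfw nat N config' instance with its own outbound state table."""

    def __init__(self, number, alias_addr, skip_global=False):
        self.number = number
        self.alias_addr = alias_addr
        self.skip_global = skip_global
        self.next_port = 40000        # constructed alias-port allocator
        self.out_states = {}          # (proto, src, sport, dst, dport) -> alias port

    def translate_out(self, pkt, create=True):
        """Alias an outgoing packet. 'create' says whether missing state may be made."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        port = self.out_states.get(key)
        if port is None:
            if not create:
                return None
            port = self.next_port
            self.next_port += 1
            self.out_states[key] = port
        return dict(pkt, src=self.alias_addr, sport=port)


def nat_global(instances, pkt):
    """'nat global' on an outgoing packet: consult every instance not marked
    skip_global for an existing state; alias if found, else pass unchanged.
    Returns (packet, instance number or None)."""
    for inst in instances:
        if inst.skip_global:
            continue
        out = inst.translate_out(pkt, create=False)
        if out is not None:
            return out, inst.number
    return pkt, None


NAT1 = NatInstance(1, "198.51.100.1")
NAT2 = NatInstance(2, "198.51.100.2")
NAT3 = NatInstance(3, "198.51.100.3", skip_global=True)
INSTANCES = [NAT1, NAT2, NAT3]

FLOW_A = {"proto": "tcp", "src": "10.0.0.5", "sport": 5555, "dst": "203.0.113.9", "dport": 80}
FLOW_B = {"proto": "tcp", "src": "10.0.0.6", "sport": 6666, "dst": "203.0.113.9", "dport": 80}
FLOW_C = {"proto": "udp", "src": "10.0.0.7", "sport": 7777, "dst": "203.0.113.9", "dport": 53}


def demo():
    """Create state through ordinary 'nat 2' / 'nat 3' rules, then run 'nat global'."""
    NAT2.translate_out(FLOW_A)      # 'nat 2' saw the first packet of flow A
    NAT3.translate_out(FLOW_C)      # 'nat 3' saw flow C, but 3 has skip_global
    return {
        "known":   nat_global(INSTANCES, FLOW_A),   # found in instance 2
        "unknown": nat_global(INSTANCES, FLOW_B),   # no state anywhere: unchanged
        "skipped": nat_global(INSTANCES, FLOW_C),   # only instance 3 knows it
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Because the global lookup only ever finds existing state, a flow that has not yet been through a numbered `nat N` rule leaves the box untranslated, which is the behaviour to keep in mind when ordering `nat global` relative to the per-interface nat rules.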
#
41b60837 |
|
29-May-2011 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add tablearg support for ipfw setfib. PR: kern/156410 MFC after: 2 weeks
|
#
3e71d7d0 |
|
16-May-2011 |
Sergey Kandaurov <pluknet@FreeBSD.org> |
mdoc: - use a proper macro for interface name ipfw0. - add missing section number for bpf cross reference.
|
#
ae99fd0e |
|
12-Nov-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
The first customer of the SO_USER_COOKIE option: the "sockarg" ipfw option matches packets associated to a local socket and with a non-zero so_user_cookie value. The value is made available as tablearg, so it can be used as a skipto target or pipe number in ipfw/dummynet rules. Code by Paul Joe, manpage by me. Submitted by: Paul Joe MFC after: 1 week
|
#
2914feeb |
|
20-Oct-2010 |
Ulrich Spörlein <uqs@FreeBSD.org> |
mdoc: make pages render with mandoc It's a bit more pedantic regarding .Bl list elements. This has an added benefit of unbreaking the ipfw(8) manpage, where groff was silently skipping one list element.
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
81ab1174 |
|
13-Oct-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
document logging through bpf
|
#
0d9deed5 |
|
07-Oct-2010 |
Ulrich Spörlein <uqs@FreeBSD.org> |
mdoc: drop redundant .Pp and .LP calls They have no effect when coming in pairs, or before .Bl/.Bd
|
#
e7f8dd75 |
|
28-Aug-2010 |
Rebecca Cran <brucec@FreeBSD.org> |
Fix incorrect usage of 'assure' and 'insure'. Approved by: rrs (mentor)
|
#
c2025a76 |
|
16-Aug-2010 |
Joel Dahl <joel@FreeBSD.org> |
Fix typos, spelling, formatting and mdoc mistakes found by Nobuyuki while translating these manual pages. Minor corrections by me. Submitted by: Nobuyuki Koganemaru <n-kogane@syd.odn.ne.jp>
|
#
fa597729 |
|
27-Jul-2010 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Document that the "ngtee" action no longer accepts packet, and thus don't depend on one_pass flag anymore. This is a POLA violation, but it is quite difficult to restore the old behavior with new code. Also, the new behavior matches behavior of the older "tee" action, and this is more intuitive.
|
#
8018e843 |
|
23-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
MFC of a large number of ipfw and dummynet fixes and enhancements done in CURRENT over the last 4 months. HEAD and RELENG_8 are almost in sync now for ipfw, dummynet the pfil hooks and related components. Among the most noticeable changes: - r200855 more efficient lookup of skipto rules, and remove O(N) blocks from critical sections in the kernel; - r204591 large restructuring of the dummynet module, with support for multiple scheduling algorithms (4 available so far) See the original commit logs for details. Changes in the kernel/userland ABI should be harmless because the kernel is able to understand previous requests from RELENG_8 and RELENG_7. For this reason, this changeset would be applicable to RELENG_7 as well, but i am not sure if it is worthwhile.
|
#
67d438cc |
|
20-Mar-2010 |
Gavin Atkinson <gavin@FreeBSD.org> |
Tweak language to make one point potentially clearer for non-native speakers PR: bin/121424 Submitted by: "Julian H. Stacey" <jhs berklix.org>
|
#
fe0506d7 |
|
09-Mar-2010 |
Marcel Moolenaar <marcel@FreeBSD.org> |
Create the altix project branch. The altix project will add support for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting is a two-module system, consisting of a base compute module and a CPU expansion module. SGI's NUMAFlex architecture can be an excellent platform to test CPU affinity and NUMA-aware features in FreeBSD.
|
#
34ae8434 |
|
05-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
more documentation on new dummynet features.
|
#
cc4d3c30 |
|
02-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
Bring in the most recent version of ipfw and dummynet, developed and tested over the past two months in the ipfw3-head branch. This also happens to be the same code available in the Linux and Windows ports of ipfw and dummynet. The major enhancement is a completely restructured version of dummynet, with support for different packet scheduling algorithms (loadable at runtime), faster queue/pipe lookup, and a much cleaner internal architecture and kernel/userland ABI which simplifies future extensions. In addition to the existing schedulers (FIFO and WF2Q+), we include a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new, very fast version of WF2Q+ called QFQ. Some test code is also present (in sys/netinet/ipfw/test) that lets you build and test schedulers in userland. Also, we have added a compatibility layer that understands requests from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries, and replies correctly (at least, it does its best; sometimes you just cannot tell who sent the request and how to answer). The compatibility layer should make it possible to MFC this code in a relatively short time. Some minor glitches (e.g. handling of ipfw set enable/disable, and a workaround for a bug in RELENG_7's /sbin/ipfw) will be fixed with separate commits. CREDITS: This work has been partly supported by the ONELAB2 project, and mostly developed by Riccardo Panicucci and myself. The code for the qfq scheduler is mostly from Fabio Checconi, and Marta Carbone and Francesco Magno have helped with testing, debugging and some bug fixes.
|
#
472099c4 |
|
15-Dec-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
implement a new match option, lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N which searches the specified field in table N and sets tablearg accordingly. With dst-ip or src-ip the option replicates two existing options. When used with other arguments, the option can be useful to quickly dispatch traffic based on other fields. Work supported by the Onelab project. MFC after: 1 week
|
#
2f12516b |
|
15-Dec-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
fix the indentation for addr: values MFC after: 3 days
|
#
225cdb4e |
|
09-Oct-2009 |
Christian Brueffer <brueffer@FreeBSD.org> |
MFC: r197312 Fix setfib(1) section number. Approved by: re (kib)
|
#
8fba046b |
|
18-Sep-2009 |
Christian Brueffer <brueffer@FreeBSD.org> |
Fix setfib(1) section number. PR: 133765 Submitted by: Konstantin Zolotukhin <erebus@gorodok.net> MFC after: 3 days
|
#
a6f14448 |
|
26-Jun-2009 |
Oleg Bulyzhin <oleg@FreeBSD.org> |
- 'burst' description rewritten. Submitted by: Ben Kaduk Approved by: re (kib)
|
#
067e91e8 |
|
25-Jun-2009 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Kill grammar nits. PR: docs/136061 Submitted by: Ben Kaduk MFC after: 1 week
|
#
6882bf4d |
|
24-Jun-2009 |
Oleg Bulyzhin <oleg@FreeBSD.org> |
- fix dummynet 'fast' mode for WF2Q case. - fix printing of pipe profile data. - introduce new pipe parameter: 'burst' - how much data can be sent through pipe bypassing bandwidth limit.
|
#
7a459517 |
|
08-Jun-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Permit the specification of bandwidth values within "profile" files (bandwidth is mandatory when using a profile, so it makes sense to have everything in one place). Update the manpage accordingly. Submitted by: Marta Carbone
|
#
81bdd4cb |
|
11-Apr-2009 |
Tom Rhodes <trhodes@FreeBSD.org> |
Kill hard sentence break added in the previous revision.
|
#
4bb7ae9d |
|
08-Apr-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Add emulation of delay profiles, which lets you model various types of MAC overheads such as preambles, link level retransmissions and more. Note- this commit changes the userland/kernel ABI for pipes (but not for ordinary firewall rules) so you need to rebuild kernel and /sbin/ipfw to use dummynet features. Please check the manpage for details on the new feature. The MFC would be trivial but it breaks the ABI, so it will be postponed until after 7.2 is released. Interested users are welcome to apply the patch manually to their RELENG_7 tree. Work supported by the European Commission, Projects Onelab and Onelab2 (contract 224263).
|
#
d8ec4cde |
|
08-Apr-2009 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Grammar.
|
#
de243032 |
|
08-Apr-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Various cleanup of text, moving a couple of paragraphs above to avoid referencing undefined terms (humans are not compilers but still care about these things). Change some .Sh to .Ss to better reflect the structure of the text. No new content.
|
#
c4abdf1c |
|
07-Apr-2009 |
Tom Rhodes <trhodes@FreeBSD.org> |
Remove contractions, reword a sentence to avoid a double negative, and bump document date for previous change. OKed by: piso
|
#
0240be03 |
|
05-Apr-2009 |
Paolo Pisati <piso@FreeBSD.org> |
Improve a bit reass documentation: -document fragment handling sysctls -mention some caveats about fragments handling (and to deal with it)
|
#
eb2e4119 |
|
01-Apr-2009 |
Paolo Pisati <piso@FreeBSD.org> |
Implement an ipfw action to reassemble ip packets: reass.
|
#
cdd14cca |
|
19-Mar-2009 |
Christian Brueffer <brueffer@FreeBSD.org> |
Mdoc style, spelling, grammar and wording fixes. This manpage needs more work.
|
#
37ce2656 |
|
07-Feb-2009 |
Paolo Pisati <piso@FreeBSD.org> |
Add SCTP NAT support. Submitted by: CAIA (http://caia.swin.edu.au)
|
#
a21e097b |
|
18-Dec-2008 |
Paolo Pisati <piso@FreeBSD.org> |
Update the ipfw man page to reflect last change (-q option with nat option). MFC after: 3 days
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
e927c2b2 |
|
27-Sep-2008 |
Roman Kurakin <rik@FreeBSD.org> |
* add all keyword for table list & flush actions. * add tables_max sysctl. * add default_rule sysctl. PR: 127058 (partially)
|
#
0d6ff382 |
|
27-Aug-2008 |
Ivan Voras <ivoras@FreeBSD.org> |
Trivial typo fix. Approved by: gnn (mentor)
|
#
2cc8ab2a |
|
01-Aug-2008 |
Julian Elischer <julian@FreeBSD.org> |
Slight wordsmithing. prompted by danger@
|
#
bc20b62b |
|
01-Aug-2008 |
Julian Elischer <julian@FreeBSD.org> |
Document the use of the tablearg keyword together with the skipto command.
|
#
c7d1bf0b |
|
24-Jul-2008 |
Julian Elischer <julian@FreeBSD.org> |
Note that setfib is not a terminal rule.
|
#
8b07e49a |
|
09-May-2008 |
Julian Elischer <julian@FreeBSD.org> |
Add code to allow the system to handle multiple routing tables. This particular implementation is designed to be fully backwards compatible and to be MFC-able to 7.x (and 6.x) Currently the only protocol that can make use of the multiple tables is IPv4 Similar functionality exists in OpenBSD and Linux. From my notes: ----- One thing where FreeBSD has been falling behind, and which by chance I have some time to work on is "policy based routing", which allows different packet streams to be routed by more than just the destination address. Constraints: ------------ I want to make some form of this available in the 6.x tree (and by extension 7.x) , but FreeBSD in general needs it so I might as well do it in -current and back port the portions I need. One of the ways that this can be done is to have the ability to instantiate multiple kernel routing tables (which I will now refer to as "Forwarding Information Bases" or "FIBs" for political correctness reasons). Which FIB a particular packet uses to make the next hop decision can be decided by a number of mechanisms. The policies these mechanisms implement are the "Policies" referred to in "Policy based routing". One of the constraints I have if I try to back port this work to 6.x is that it must be implemented as an EXTENSION to the existing ABIs in 6.x so that third party applications do not need to be recompiled in timespan of the branch. This first version will not have some of the bells and whistles that will come with later versions. It will, for example, be limited to 16 tables in the first commit. Implementation method, Compatible version. (part 1) ------------------------------- For this reason I have implemented a "sufficient subset" of a multiple routing table solution in Perforce, and back-ported it to 6.x. (also in Perforce though not always caught up with what I have done in -current/P4).
The subset allows a number of FIBs to be defined at compile time (8 is sufficient for my purposes in 6.x) and implements the changes needed to allow IPV4 to use them. I have not done the changes for ipv6 simply because I do not need it, and I do not have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it. Other protocol families are left untouched and should there be users with proprietary protocol families, they should continue to work and be oblivious to the existence of the extra FIBs. To understand how this is done, one must know that the current FIB code starts everything off with a single dimensional array of pointers to FIB head structures (One per protocol family), each of which in turn points to the trie of routes available to that family. The basic change in the ABI compatible version of the change is to extend that array to be a 2 dimensional array, so that instead of protocol family X looking at rt_tables[X] for the table it needs, it looks at rt_tables[Y][X] when for all protocol families except ipv4 Y is always 0. Code that is unaware of the change always just sees the first row of the table, which of course looks just like the one dimensional array that existed before. The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign() are all maintained, but refer only to the first row of the array, so that existing callers in proprietary protocols can continue to do the "right thing". Some new entry points are added, for the exclusive use of ipv4 code called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(), which have an extra argument which refers the code to the correct row. In addition, there are some new entry points (currently called rtalloc_fib() and friends) that check the Address family being looked up and call either rtalloc() (and friends) if the protocol is not IPv4 forcing the action to row 0 or to the appropriate row if it IS IPv4 (and that info is available).
These are for calling from code that is not specific to any particular protocol. The way these are implemented would change in the non ABI preserving code to be added later. One feature of the first version of the code is that for ipv4, the interface routes show up automatically on all the FIBs, so that no matter what FIB you select you always have the basic direct attached hosts available to you. (rtinit() does this automatically). You CAN delete an interface route from one FIB should you want to but by default it's there. ARP information is also available in each FIB. It's assumed that the same machine would have the same MAC address, regardless of which FIB you are using to get to it. This brings us as to how the correct FIB is selected for an outgoing IPV4 packet. Firstly, all packets have a FIB associated with them. if nothing has been done to change it, it will be FIB 0. The FIB is changed in the following ways. Packets fall into one of a number of classes. 1/ locally generated packets, coming from a socket/PCB. Such packets select a FIB from a number associated with the socket/PCB. This in turn is inherited from the process, but can be changed by a socket option. The process in turn inherits it on fork. I have written a utility call setfib that acts a bit like nice.. setfib -3 ping target.example.com # will use fib 3 for ping. It is an obvious extension to make it a property of a jail but I have not done so. It can be achieved by combining the setfib and jail commands. 2/ packets received on an interface for forwarding. By default these packets would use table 0, (or possibly a number settable in a sysctl(not yet)). but prior to routing the firewall can inspect them (see below). (possibly in the future you may be able to associate a FIB with packets received on an interface.. An ifconfig arg, but not yet.) 3/ packets inspected by a packet classifier, which can arbitrarily associate a fib with it on a packet by packet basis. 
A fib assigned to a packet by a packet classifier (such as ipfw) would over-ride a fib associated by a more default source. (such as cases 1 or 2). 4/ a tcp listen socket associated with a fib will generate accept sockets that are associated with that same fib. 5/ Packets generated in response to some other packet (e.g. reset or icmp packets). These should use the FIB associated with the packet being responded to. 6/ Packets generated during encapsulation. gif, tun and other tunnel interfaces will encapsulate using the FIB that was in effect with the process that set up the tunnel. thus setfib 1 ifconfig gif0 [tunnel instructions] will set the fib for the tunnel to use to be fib 1. Routing messages would be associated with their process, and thus select one FIB or another. messages from the kernel would be associated with the fib they refer to and would only be received by a routing socket associated with that fib. (not yet implemented) In addition Netstat has been edited to be able to cope with the fact that the array is now 2 dimensional. (It looks in system memory using libkvm (!)). Old versions of netstat see only the first FIB. In addition two sysctls are added to give: a) the number of FIBs compiled in (active) b) the default FIB of the calling process. Early testing experience: ------------------------- Basically our (IronPort's) appliance does this functionality already using ipfw fwd but that method has some drawbacks. For example, It can't fully simulate a routing table because it can't influence the socket's choice of local address when a connect() is done. Testing during the generating of these changes has been remarkably smooth so far. Multiple tables have co-existed with no notable side effects, and packets have been routed accordingly. ipfw has grown 2 new keywords: setfib N ip from any to any count ip from any to any fib N In pf there seems to be a requirement to be able to give symbolic names to the fibs but I do not have that capacity.
I am not sure if it is required. SCTP has interestingly enough built in support for this, called VRFs in Cisco parlance. it will be interesting to see how that handles it when it suddenly actually does something. Where to next: -------------------- After committing the ABI compatible version and MFCing it, I'd like to proceed in a forward direction in -current. this will result in some roto-tilling in the routing code. Firstly: the current code's idea of having a separate tree per protocol family, all of the same format, and pointed to by the 1 dimensional array is a bit silly. Especially when one considers that there is code that makes assumptions about every protocol having the same internal structures there. Some protocols don't WANT that sort of structure. (for example the whole idea of a netmask is foreign to appletalk). This needs to be made opaque to the external code. My suggested first change is to add routing method pointers to the 'domain' structure, along with information pointing the data. instead of having an array of pointers to uniform structures, there would be an array pointing to the 'domain' structures for each protocol address domain (protocol family), and the methods this reached would be called. The methods would have an argument that gives FIB number, but the protocol would be free to ignore it. When the ABI can be changed it raises the possibility of the addition of a fib entry into the "struct route". Currently, the structure contains the sockaddr of the destination, and the resulting fib entry. To make this work fully, one could add a fib number so that given an address and a fib, one can find the third element, the fib entry. Interaction with the ARP layer/ LL layer would need to be revisited as well. Qing Li has been working on this already. This work was sponsored by Ironport Systems/Cisco Reviewed by: several including rwatson, bz and mlair (parts each) Obtained from: Ironport systems/Cisco
|
#
2b2c3b23 |
|
27-Feb-2008 |
David Malone <dwmalone@FreeBSD.org> |
Dummynet has a limit of 100 slots queue size (or 1MB, if you give the limit in bytes) hard coded into both the kernel and userland. Make both these limits a sysctl, so it is easy to change the limit. If the userland part of ipfw finds that the sysctls don't exist, it will just fall back to the traditional limits. (100 packets is quite a small limit these days. If you want to test TCP at 100Mbps, 100 packets can only accommodate a DBP of 12ms.) Note these sysctls in the man page and warn against increasing them without thinking first. MFC after: 3 weeks
|
#
f94a7fc0 |
|
24-Feb-2008 |
Paolo Pisati <piso@FreeBSD.org> |
Add table/tablearg support to ipfw's nat. MFC After: 1 week
|
#
0943a3b7 |
|
18-Feb-2008 |
Julian Elischer <julian@FreeBSD.org> |
Instead of using a heuristic to decide whether to display table 'values' as IP addresses, use an explicit argument (-i). This is a 'POLA' issue. This is a low risk change and should be MFC'd to RELENG_6 and RELENG 7. it might be put as an errata item for 6.3. (not sure about 6.2). Fix suggested by: Eugene Grosbein PR: 120720 MFC After: 3 days
|
#
5702f0f0 |
|
07-Feb-2008 |
Yaroslav Tykhiy <ytykhiy@gmail.com> |
Add a note that ipfw states do not implicitly match ICMP error messages.
|
#
89396d25 |
|
25-Nov-2007 |
Daniel Gerzo <danger@FreeBSD.org> |
Polish this manual page a bit: - refer to the dummynet(4) man page only once, later use rather the .Nm macro. - use .Va macro when referring to the sysctl variables - grammar and markup fixes Reviewed by: keramida, trhodes, ru (roughly) MFC-after: 1 week
|
#
8d1e3aed |
|
17-Nov-2007 |
Oleg Bulyzhin <oleg@FreeBSD.org> |
- New sysctl variable: net.inet.ip.dummynet.io_fast If it is set to zero value (default) dummynet module will try to emulate real link as close as possible (bandwidth & latency): packet will not leave pipe faster than it should be on real link with given bandwidth. (This is original behaviour of dummynet which was altered in previous commit) If it is set to non-zero value only bandwidth is enforced: packet's latency can be lower comparing to real link with given bandwidth. - Document recently introduced dummynet(4) sysctl variables. Requested by: luigi, julian MFC after: 3 month
|
#
09a35a34 |
|
19-Oct-2007 |
Rui Paulo <rpaulo@FreeBSD.org> |
Change IPTOS_CE to IPTOS_ECN_CE. Approved by: njl (mentor)
|
#
47bc471a |
|
14-Oct-2007 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Fix a typo in ipfw table usage example. PR: docs/117172 Submitted by: novel MFC after: 1 week
|
#
cc977adc |
|
05-Aug-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL. Also rename the related functions in a similar way. There are no functional changes. For a packet coming in with IPsec tunnel mode, the default is to only call into the firewall with the "outer" IP header and payload. With this option turned on, in addition to the "outer" parts, the "inner" IP header and payload are passed to the firewall too when going through ip_input() the second time. The option was never only related to a gif(4) tunnel within an IPsec tunnel and thus the name was very misleading. Discussed at: BSDCan 2007 Best new name suggested by: rwatson Reviewed by: rwatson Approved by: re (bmah)
|
#
f5cbef3c |
|
04-Aug-2007 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Remove references to mpsafenet. This option no longer exists. Approved by: re@ (bmah)
|
#
d069a5d4 |
|
18-Jun-2007 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Make ipfw set more robust -- now it is possible: - to show a specific set: ipfw set 3 show - to delete rules from the set: ipfw set 9 delete 100 200 300 - to flush the set: ipfw set 4 flush - to reset rules counters in the set: ipfw set 1 zero PR: kern/113388 Submitted by: Andrey V. Elsukov Approved by: re (kensmith) MFC after: 6 weeks
|
#
7a92401a |
|
04-May-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Add support for filtering on Routing Header Type 0 and Mobile IPv6 Routing Header Type 2 in addition to filter on the non-differentiated presence of any Routing Header. MFC after: 3 weeks
|
#
8c67c5a3 |
|
15-Feb-2007 |
Paolo Pisati <piso@FreeBSD.org> |
Mention the nat command in the synopsis and in the action section. Approved by: glebius (mentor)
|
#
ff2f6fe8 |
|
29-Dec-2006 |
Paolo Pisati <piso@FreeBSD.org> |
Summer of Code 2005: improve libalias - part 2 of 2 With the second (and last) part of my previous Summer of Code work, we get: -ipfw's in kernel nat -redirect_* and LSNAT support General information about nat syntax and some examples are available in the ipfw (8) man page. The redirect and LSNAT syntax are identical to natd, so please refer to natd (8) man page. To enable in kernel nat in rc.conf, two options were added: o firewall_nat_enable: equivalent to natd_enable o firewall_nat_interface: equivalent to natd_interface Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet to continue being checked by the firewall ruleset after being (de)aliased. NOTA BENE: due to some problems with libalias architecture, in kernel nat won't work with TSO enabled nic, thus you have to disable TSO via ifconfig (ifconfig foo0 -tso). Approved by: glebius (mentor)
|
#
1cc7aa7d |
|
09-Oct-2006 |
Tom Rhodes <trhodes@FreeBSD.org> |
Add a note about rule syntax compared to the shell used so users do not get frustrated when: ipfw add 201 deny ip from any to table(2) in via xl1 returns "Badly placed ( )'s" PR: 73638
|
#
223ccb54 |
|
04-Oct-2006 |
Giorgos Keramidas <keramida@FreeBSD.org> |
When addr/mask examples are given, show both a host and network address, to avoid confusing the users that a full address is always required. Submitted by: Josh Paetzel <josh@tcbug.org> (through freebsd-doc) MFC after: 3 days
|
#
8266d476 |
|
18-Sep-2006 |
Ruslan Ermilov <ru@FreeBSD.org> |
Markup fixes.
|
#
1b97421a |
|
19-Aug-2006 |
Julian Elischer <julian@FreeBSD.org> |
Fix typo.
|
#
afad78e2 |
|
18-Aug-2006 |
Julian Elischer <julian@FreeBSD.org> |
comply with style police Submitted by: ru MFC after: 1 month
|
#
c487be96 |
|
17-Aug-2006 |
Julian Elischer <julian@FreeBSD.org> |
Allow ipfw to forward to a destination that is specified by a table. For example:
fwd tablearg ip from any to table(1)
where table 1 has entries of the form:
1.1.1.0/24 10.2.3.4
208.23.2.0/24 router2
This allows trivial implementation of a secondary routing table implemented in the firewall layer. I expect more work (under discussion with Glebius) to follow this to clean up some of the messy parts of ipfw related to tables.
Reviewed by: Glebius MFC after: 1 month
|
#
3095bda4 |
|
16-Aug-2006 |
Julian Elischer <julian@FreeBSD.org> |
Take IP_FIREWALL_EXTENDED out of the man page too. MFC after: 1 week
|
#
84fd82e8 |
|
25-Jul-2006 |
Oleg Bulyzhin <oleg@FreeBSD.org> |
Specify correct argument range for tag/untag keywords. Approved by: glebius (mentor)
|
#
254c4725 |
|
15-Jun-2006 |
Oleg Bulyzhin <oleg@FreeBSD.org> |
Add support of 'tablearg' feature for:
- 'tag' & 'untag' action parameters.
- 'tagged' & 'limit' rule options.
Rule examples:
pipe 1 tag tablearg ip from table(1) to any
allow ip from any to table(2) tagged tablearg
allow tcp from table(3) to any 25 setup limit src-addr tablearg
sbin/ipfw/ipfw2.c:
1) new macros GET_UINT_ARG - support of 'tablearg' keyword, argument range checking. PRINT_UINT_ARG - support of 'tablearg' keyword.
2) strtoport(): do not silently truncate/accept invalid port list expressions like: '1,2-abc' or '1,2-3-4' or '1,2-3x4'.
style(9) cleanup.
Approved by: glebius (mentor) MFC after: 1 month
|
#
6a7d5cb6 |
|
24-May-2006 |
Oleg Bulyzhin <oleg@FreeBSD.org> |
Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9). Since tags are kept while packet resides in kernelspace, it's possible to use other kernel facilities (like netgraph nodes) for altering those tags. Submitted by: Andrey Elsukov <bu7cher at yandex dot ru> Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru> Approved by: glebius (mentor) Idea from: OpenBSD PF MFC after: 1 month
|
#
270404f5 |
|
12-May-2006 |
Max Laier <mlaier@FreeBSD.org> |
Update manpage for net.inet6.ip6.fw.enable sysctl. Requested by: bz
|
#
c6ec0226 |
|
05-Mar-2006 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
Revert `proto ip' back to the previous behavior. The kernel side of ipfw2 doesn't allow zero as protocol number. MFC after: 3 days
|
#
21899082 |
|
13-Feb-2006 |
Julian Elischer <julian@FreeBSD.org> |
Stop ipfw from aborting when asked to delete a table entry that doesn't exist or add one that is already present, if the -q flag is set. Useful for "ipfw -q /dev/stdin" when the command above is invoked from something like python or TCL to feed commands down the throat of ipfw. MFC in: 1 week
|
#
f9395aff |
|
03-Feb-2006 |
Ruslan Ermilov <ru@FreeBSD.org> |
Fix a markup glitch.
|
#
7f3c5f6a |
|
13-Jan-2006 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Forget about ipfw1 and ipfw2. We aren't in RELENG_4 anymore.
|
#
331655f1 |
|
13-Jan-2006 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Document 'tablearg' keyword. Wording by: emaste
|
#
a5b0d905 |
|
13-Dec-2005 |
Ruslan Ermilov <ru@FreeBSD.org> |
[mdoc] add missing space before a punctuation type argument.
|
#
36c263cc |
|
29-Nov-2005 |
Hajimu UMEMOTO <ume@FreeBSD.org> |
We couldn't specify the rule for filtering tunnel traffic since IPv6 support was committed:
- Stop treating `ip' and `ipv6' as special in `proto' option as they conflict with /etc/protocols.
- Disuse `ipv4' in `proto' option as it is corresponding to `ipv6'.
- When protocol is specified as numeric, treat it as it is even if it is 41 (ipv6).
- Allow zero for protocol as it is a valid number of `ip'.
Still, we cannot specify an IPv6 over an IPv4 tunnel like before such as:
pass ipv6 from any to any
But, now, you can specify it like:
pass ip4 from any to any proto ipv6
PR: kern/89472 Reported by: Gaël Roualland <gael.roualland__at__dial.oleane.com> MFC after: 1 week
|
#
4e9e907d |
|
18-Nov-2005 |
Ruslan Ermilov <ru@FreeBSD.org> |
-mdoc sweep.
|
#
cd5f2f95 |
|
23-Oct-2005 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Restore the documentation about uid, gid or prison based rules requiring that debug.mpsafenet be set to 0. It is still possible for deadlocks to occur while these filtering options are used due to the layering violation inherent in their implementation. Discussed: -current, rwatson, glebius
|
#
13f52609 |
|
28-Sep-2005 |
Max Laier <mlaier@FreeBSD.org> |
Redirect bridge(4) to if_bridge(4) and rename sysctl accordingly. Reminded by: ru
|
#
9066356b |
|
13-Aug-2005 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
* Add dynamic sysctl for net.inet6.ip6.fw. * Correct handling of IPv6 Extension Headers. * Add unreach6 code. * Add logging for IPv6. Submitted by: sysctl handling derived from patch from ume needed for ip6fw Obtained from: is_icmp6_query and send_reject6 derived from similar functions of netinet6,ip6fw Reviewed by: ume, gnn; silence on ipfw@ Test setup provided by: CK Software GmbH MFC after: 6 days
|
#
e5610d52 |
|
01-Jul-2005 |
Colin Percival <cperciva@FreeBSD.org> |
Bump document date. Remove EOL whitespace introduced in previous commit. Start new line at sentence break in previous commit. Approved by: re (implicit, fixing a commit made 5 minutes ago)
|
#
4beacf66 |
|
01-Jul-2005 |
Colin Percival <cperciva@FreeBSD.org> |
Document some limitations of uid/gid rules. Approved by: re (rwatson) MFC after: 3 days
|
#
55c82bf0 |
|
14-Jun-2005 |
Ruslan Ermilov <ru@FreeBSD.org> |
Markup fixes. Approved by: re (blanket)
|
#
5278d40b |
|
04-Jun-2005 |
Brian Feldman <green@FreeBSD.org> |
Better explain, then actually implement the IPFW ALTQ-rule first-match policy. It may be used to provide more detailed classification of traffic without actually having to decide its fate at the time of classification. MFC after: 1 week
|
#
57cd6d26 |
|
02-Jun-2005 |
Max Laier <mlaier@FreeBSD.org> |
Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well. This is the last requirement before we can retire ip6fw. Reviewed by: dwhite, brooks(earlier version) Submitted by: dwhite (manpage) Silence from: -ipfw
|
#
0c0e9713 |
|
10-May-2005 |
Gleb Smirnoff <glebius@FreeBSD.org> |
'ngtee' also depends on net.inet.ip.fw.one_pass.
|
#
0af8180f |
|
04-May-2005 |
Gleb Smirnoff <glebius@FreeBSD.org> |
IPFW version 2 is the only option now in HEAD. Do not confuse users of future releases with instructions about building IPFW2 on RELENG_4.
|
#
8195404b |
|
18-Apr-2005 |
Brooks Davis <brooks@FreeBSD.org> |
Add IPv6 support to IPFW and Dummynet. Submitted by: Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
|
#
099dd043 |
|
22-Feb-2005 |
Andre Oppermann <andre@FreeBSD.org> |
Bring back the full packet destination manipulation for 'ipfw fwd' with the kernel compile time option:
options IPFIREWALL_FORWARD_EXTENDED
This option has to be specified in addition to IPFIREWALL_FORWARD. With this option even packets targeted for an IP address local to the host can be redirected. All restrictions to ensure proper behaviour for locally generated packets are turned off. Firewall rules have to be carefully crafted to make sure that things like PMTU discovery do not break. Document the two kernel options.
PR: kern/71910 PR: kern/73129 MFC after: 1 week
|
#
0227791b |
|
13-Feb-2005 |
Ruslan Ermilov <ru@FreeBSD.org> |
Expand *n't contractions.
|
#
dc490fa2 |
|
07-Feb-2005 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Sort SEE ALSO. Submitted by: ru
|
#
16765436 |
|
05-Feb-2005 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Document how interaction with ng_ipfw node is configured.
|
#
6087df9e |
|
18-Jan-2005 |
Ruslan Ermilov <ru@FreeBSD.org> |
Sort sections.
|
#
5b1eeb71 |
|
15-Jan-2005 |
Ruslan Ermilov <ru@FreeBSD.org> |
Markup nits.
|
#
21414470 |
|
10-Jan-2005 |
Ruslan Ermilov <ru@FreeBSD.org> |
Scheduled mdoc(7) sweep.
|
#
02a85ee0 |
|
09-Dec-2004 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Update the IPFW man page to reflect reality. mpsafenet=0 is no longer required when using ucred based rules. Pointed out by: seanc (thanks!) MFC after: 1 month
|
#
20f13585 |
|
03-Nov-2004 |
Ceri Davies <ceri@FreeBSD.org> |
Be more clear that "bridged" is a synonym for "layer2". PR: docs/44400 Submitted by: Constantin Stefanov <cstef at mail dot ru>
|
#
24fc79b0 |
|
22-Oct-2004 |
Andre Oppermann <andre@FreeBSD.org> |
Refuse to unload the ipdivert module unless the 'force' flag is given to kldunload. Reflect the fact that IPDIVERT is a loadable module in the divert(4) and ipfw(8) man pages.
|
#
93962a3a |
|
09-Oct-2004 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Add a note to the man page warning users about possible lock order reversals+system lock ups if they are using ucred based rules while running with debug.mpsafenet=1. I am working on merging a shared locking mechanism into ipfw which should take care of this problem, but it still requires a bit more testing and review.
|
#
26dc3270 |
|
07-Oct-2004 |
Brian Feldman <green@FreeBSD.org> |
Reference altq(4) instead of pf.conf(5). Tip of the hat to: mlaier
|
#
c99ee9e0 |
|
02-Oct-2004 |
Brian Feldman <green@FreeBSD.org> |
Add support to IPFW for matching by TCP data length.
|
#
391a0e33 |
|
02-Oct-2004 |
Brian Feldman <green@FreeBSD.org> |
Add the documentation for IPFW's diverted(-loopback|-output) matches.
|
#
974dfe30 |
|
02-Oct-2004 |
Brian Feldman <green@FreeBSD.org> |
Add to IPFW the ability to do ALTQ classification/tagging.
|
#
bf899c64 |
|
19-Sep-2004 |
Ruslan Ermilov <ru@FreeBSD.org> |
Prepare for 5.x soon becoming -STABLE. Pointed out by: -current users
|
#
7c0102f5 |
|
13-Sep-2004 |
Andre Oppermann <andre@FreeBSD.org> |
Make 'ipfw tee' behave as intended and designed. A tee'd packet is copied and sent to the DIVERT socket while the original packet continues with the next rule. Unlike a normally diverted packet no IP reassembly attempts are made on tee'd packets and they are passed upwards totally unmodified. Note: This will not be MFC'd to 4.x because of major infrastructure changes. PR: kern/64240 (and many others collapsed into that one)
|
#
a8247db1 |
|
12-Aug-2004 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Remove trailing whitespace and change "prisoniD" to "prisonID". Pointed out by: simon Approved by: bmilekic (mentor)
|
#
31c88a30 |
|
12-Aug-2004 |
Christian S.J. Peron <csjp@FreeBSD.org> |
Add the ability to associate ipfw rules with a specific prison ID. Since the only thing truly unique about a prison is its ID, I figured this would be the most granular way of handling this. This commit makes the following changes:
- Adds tokenizing and parsing for the ``jail'' command line option to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While I am here, add a comment informing others that if they want to add additional opcodes, they should append them to the end of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed, set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.
This change was a strong motivator behind the ucred caching mechanism in ipfw. A sample usage of this new functionality could be:
ipfw add count ip from any to any jail 2
It should be noted that because ucred based constraints are only implemented for TCP and UDP packets, the same applies for jail associations.
Conceptual head nod by: pjd Reviewed by: rwatson Approved by: bmilekic (mentor)
|
#
5f9541ec |
|
09-Aug-2004 |
Andre Oppermann <andre@FreeBSD.org> |
New ipfw option "antispoof": For incoming packets, the packet's source address is checked if it belongs to a directly connected network. If the network is directly connected, then the interface the packet came in on is compared to the interface the network is connected to. When incoming interface and directly connected interface are not the same, the packet does not match. Usage example: ipfw add deny ip from any to any not antispoof in Manpage education by: ru
|
#
55db762b |
|
21-Jul-2004 |
Andre Oppermann <andre@FreeBSD.org> |
Extend versrcreach by checking against the rt_flags for RTF_REJECT and RTF_BLACKHOLE as well. To quote the submitter: The uRPF loose-check implementation by the industry vendors, at least on Cisco and possibly Juniper, will fail the check if the route of the source address is pointed to Null0 (on Juniper, discard or reject route). What this means is, even if uRPF Loose-check finds the route, if the route is pointed to blackhole, uRPF loose-check must fail. This allows people to utilize uRPF loose-check mode as a pseudo-packet-firewall without using any manual filtering configuration -- one can simply inject an IGP or BGP prefix with next-hop set to a static route that directs to null/discard facility. This results in uRPF Loose-check failing on all packets with source addresses that are within the range of the nullroute. Submitted by: James Jun <james@towardex.com>
|
#
9806e231 |
|
02-Jul-2004 |
Ruslan Ermilov <ru@FreeBSD.org> |
Mechanically kill hard sentence breaks.
|
#
cd8b5ae0 |
|
09-Jun-2004 |
Ruslan Ermilov <ru@FreeBSD.org> |
Introduce a new feature to IPFW2: lookup tables. These are useful for handling large sparse address sets. Initial implementation by Vsevolod Lobko <seva@ip.net.ua>, refined by me. MFC after: 1 week
|
#
5cbcfccb |
|
23-May-2004 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Fix usage example. PR: docs/67065 Submitted by: David Syphers
|
#
22b5770b |
|
23-Apr-2004 |
Andre Oppermann <andre@FreeBSD.org> |
Add the option versrcreach to verify that a valid route to the source address of a packet exists in the routing table. The default route is ignored because it would match everything and render the check pointless. This option is very useful for routers with a complete view of the Internet (BGP) in the routing table to reject packets with spoofed or unrouteable source addresses. Example: ipfw add 1000 deny ip from any to any not versrcreach also known in Cisco-speak as: ip verify unicast source reachable-via any Reviewed by: luigi
|
#
a155540f |
|
27-Mar-2004 |
Ceri Davies <ceri@FreeBSD.org> |
Backout revision 1.140; it seems that the previous version is clear enough. Requested by: ru
|
#
16212808 |
|
26-Mar-2004 |
Maxim Konovalov <maxim@FreeBSD.org> |
o The length of the port list is limited to 30 entries in ipfw2 not to 15. PR: docs/64534 Submitted by: Dmitry Cherkasov MFC after: 1 week
|
#
cdfd991b |
|
22-Mar-2004 |
Ceri Davies <ceri@FreeBSD.org> |
Clarify the description of the "established" option. PR: docs/50391 Submitted by: root@edcsm.jussieu.fr MFC after: 1 week
|
#
c6609fcd |
|
22-Jan-2004 |
Mike Makonnen <mtm@FreeBSD.org> |
grammar
|
#
3abea06d |
|
14-Jan-2004 |
Maxim Konovalov <maxim@FreeBSD.org> |
o -c (compact) flag is ipfw2 feature. PR: bin/56328 MFC after: 3 days
|
#
d06b32b0 |
|
14-Jan-2004 |
Maxim Konovalov <maxim@FreeBSD.org> |
o -f (force) in conjunction with -p (preprocessor) is ipfw2 feature. MFC after: 3 days
|
#
cec4ab6a |
|
24-Dec-2003 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Legitimate -f (force) flags for -p (preprocessor) case. PR: bin/60433 Submitted: Bjoern A. Zeeb MFC after: 3 weeks
|
#
ac6cec51 |
|
12-Dec-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Add a -b flag to /sbin/ipfw to print only action and comment for each rule, thus omitting the entire body. This makes the output a lot more readable for complex rulesets (provided, of course, you have annotated your ruleset appropriately!) MFC after: 3 days
|
#
d559f5c3 |
|
01-Dec-2003 |
Sam Leffler <sam@FreeBSD.org> |
Include opt_ipsec.h so IPSEC/FAST_IPSEC is defined and the appropriate code is compiled in to support the O_IPSEC operator. Previously no support was included and ipsec rules were always matching. Note that we do not return an error when an ipsec rule is added and the kernel does not have IPsec support compiled in; this is done intentionally but we may want to revisit this (document this in the man page). PR: 58899 Submitted by: Bjoern A. Zeeb Approved by: re (rwatson)
|
#
d1f602f7 |
|
25-Sep-2003 |
Ralf S. Engelschall <rse@FreeBSD.org> |
fix typo: s/sytem/system/
|
#
94679655 |
|
10-Sep-2003 |
Peter Pentchev <roam@FreeBSD.org> |
Document the alternate way of matching MAC addresses: by a bitmask. PR: 56021 Submitted by: Glen Gibb <grg@ridley.unimelb.edu.au> MFC after: 1 month
|
#
a0e26ba0 |
|
22-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Add a note that net.inet.ip.fw.autoinc_step is ipfw2-specific
|
#
3004afca |
|
15-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Userland side of: Allow set 31 to be used for rules other than 65535. Set 31 is still special because rules belonging to it are not deleted by the "ipfw flush" command, but must be deleted explicitly with "ipfw delete set 31" or by individual rule numbers. This implements a flexible form of "persistent rules" which you might want to have available even after an "ipfw flush". Note that this change does not violate POLA, because you could not use set 31 in a ruleset before this change. Suggested by: Paul Richards
|
#
1b43a426 |
|
12-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Add a '-T' flag to print the timestamp as numeric value instead of converting it with ctime(). This is a lot more convenient for postprocessing. Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>
|
#
7d3f8357 |
|
12-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Document the existence of comments in ipfw rules, the new flags handled when reading from a file, and clarify that only numeric values are allowed for icmptypes. MFC after: 3 days
|
#
a10c9747 |
|
08-Jul-2003 |
Daniel Harris <dannyboy@FreeBSD.org> |
Correct to match reality regarding interface names. PR: 51006 Submitted by: "Dmitry Pryanishnikov" <dmitry@atlantis.dp.ua> mdoc clue by: "Simon L. Nielsen" <simon@nitro.dk> MFC after: 10 days
|
#
4d233f6b |
|
08-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
* introduce a section on SYNTAX to document the handling of spaces and comma-separated lists of arguments;
* reword the description of address specifications, to include previous and current changes for address sets and lists;
* document the new '-n' flag.
* update the section on differences between ipfw1 and ipfw2 (this is becoming boring!)
MFC after: 3 days
|
#
c3e5b9f1 |
|
04-Jul-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Implement the 'ipsec' option to match packets coming out of an ipsec tunnel. Should work with both regular and fast ipsec (mutually exclusive). See manpage for more details. Submitted by: Ari Suutari (ari.suutari@syncrontech.com) Revised by: sam MFC after: 1 week
|
#
064d54a2 |
|
23-Jun-2003 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Fix sets of rules usage example. PR: docs/53625 Submitted by: Kostyuk Oleg <cub@cub.org.ua> MFC after: 1 week
|
#
44c884e1 |
|
22-Jun-2003 |
Luigi Rizzo <luigi@FreeBSD.org> |
Add support for multiple values and ranges for the "iplen", "ipttl", "ipid" options. This feature has been requested by several users. On passing, fix some minor bugs in the parser. This change is fully backward compatible so if you have an old /sbin/ipfw and a new kernel you are not in trouble (but you need to update /sbin/ipfw if you want to use the new features). Document the changes in the manpage. Now you can write things like ipfw add skipto 1000 iplen 0-500 which some people were asking to give preferential treatment to short packets. The 'MFC after' is just set as a reminder, because I still need to merge the Alpha/Sparc64 fixes for ipfw2 (which unfortunately change the size of certain kernel structures; not that it matters a lot since ipfw2 is entirely optional and not the default...) PR: bin/48015 MFC after: 1 week
|
#
010dabb0 |
|
14-Mar-2003 |
Crist J. Clark <cjc@FreeBSD.org> |
Add a 'verrevpath' option that verifies the interface that a packet comes in on is the same interface that we would route out of to get to the packet's source address. Essentially automates an anti-spoofing check using the information in the routing table. Experimental. The usage and rule format for the feature may still be subject to change.
|
#
8b5381e0 |
|
03-Mar-2003 |
Ruslan Ermilov <ru@FreeBSD.org> |
/modules is gone long ago, use the safe equivalents.
|
#
16b3d354 |
|
03-Feb-2003 |
Christian Brueffer <brueffer@FreeBSD.org> |
Correct examples for stateful inspection PR: 47817 Submitted by: Simon L.Nielsen <simon@nitro.dk> Reviewed by: ceri, luigi
|
#
6690be9e |
|
11-Jan-2003 |
Matthew Dillon <dillon@FreeBSD.org> |
It turns out that we do not need to add a new ioctl to unbreak a default-to-deny firewall. Simply turning off IPFW via a preexisting sysctl does the job. To make it more apparent (since nobody picked up on this in a week's worth of flames), the boolean sysctls have been integrated into the /sbin/ipfw command set in an obvious and straightforward manner. For example, you can now do 'ipfw disable firewall' or 'ipfw enable firewall'. This is far easier to remember than the net.inet.ip.fw.enable sysctl. Reviewed by: imp MFC after: 3 days
|
#
c41a3921 |
|
04-Jan-2003 |
Giorgos Keramidas <keramida@FreeBSD.org> |
Fix a reference to the order of SYNOPSIS lines. Submitted by: Olivier Cherrier <Olivier.Cherrier@cediti.be> on freebsd-net MFC after: 3 days
|
#
ca6e3cb0 |
|
23-Dec-2002 |
Kelly Yancey <kbyanc@FreeBSD.org> |
Make preprocessor support more generic by passing all command-line options after -p except for the last (the ruleset file to process) to the preprocessor for interpretation. This allows command-line options besides -U and -D to be passed to cpp(1) and m4(1) as well as making it easier to use other preprocessors. Sponsored By: NTT Multimedia Communications Labs MFC after: 1 week
|
#
99652d0e |
|
26-Nov-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Update documentation to match the behaviour of ipfw with respect to net.inet.ip.fw.one_pass. Add to notes to explain the exact behaviour of "prob xxx" and "log" options. Virtually approved by: re (mentioned in rev.1.19 of ip_fw2.c)
|
#
4d5fe224 |
|
28-Oct-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Misc fixes from Chris Pepper, plus additional explanations on dummynet operation. MFC after: 3 days
|
#
927a76bb |
|
12-Oct-2002 |
Sean Chittenden <seanc@FreeBSD.org> |
Increase the max dummynet hash size from 1024 to 65536. Default is still 1024. Silence on: -net, -ipfw 4weeks+ Reviewed by: dd Approved by: knu (mentor) MFC after: 3 weeks
|
#
8bca8947 |
|
22-Sep-2002 |
Maxim Konovalov <maxim@FreeBSD.org> |
o Fix a typo. o Remove EOL spaces. Submitted by: Harold Gutch <logix@foobar.franken.de> (typo patch) Approved by: luigi MFC after: 3 days
|
#
eea54e13 |
|
08-Sep-2002 |
Marc Fonvieille <blackend@FreeBSD.org> |
Typo: s/o packet/on packet/ PR: docs/42543 Submitted by: Michael Lyngbøl <lyngbol@bifrost.lyngbol.dk>
|
#
ce66ddb7 |
|
21-Aug-2002 |
Tom Rhodes <trhodes@FreeBSD.org> |
s/filesystem/file system/g as discussed on -developers
|
#
f0ac20f7 |
|
20-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Whoops, the manpage lied... ipfw2 has always accepted addr:mask specifications.
|
#
5a155b40 |
|
18-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
One more (hopefully the last one) step in cleaning up the syntax, following Julian's good suggestion: since you can specify any match pattern as an option, rules now have the following format: [<proto> from <src> to <dst>] [options] i.e. the first part is now entirely optional (and left there just for compatibility with ipfw1 rulesets). Add a "-c" flag to show/list rules in the compact form (i.e. without the "ip from any to any" part) when possible. The default is to include it so that scripts processing ipfw's canonical output will still work. Note that as part of this cleanup (and to remove ambiguity), MAC fields now can only be specified in the options part. Update the manpage to reflect the syntax. Clarify the behaviour when a match is attempted on fields which are not present in the packet, e.g. port numbers on non TCP/UDP packets, and the "not" operator is specified. E.g. ipfw add allow not src-port 80 will match also ICMP packets because they do not have port numbers, so "src-port 80" will fail and "not src-port 80" will succeed. For such cases it is advised to insert further options to prevent undesired results (e.g. in the case above, "ipfw add allow proto tcp not src-port 80"). We definitely need to rewrite the parser using lex and yacc!
|
#
e706181b |
|
18-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Major cleanup of the parser and printing routines in an attempt to render the syntax less ambiguous. Now rules can be in one of these two forms
<action> <protocol> from <src> to <dst> [options]
<action> MAC dst-mac src-mac mac-type [options]
however you can now specify MAC and IP header fields as options e.g.
ipfw add allow all from any to any mac-type arp
ipfw add allow all from any to any { dst-ip me or src-ip me }
which makes complex expressions a lot easier to write and parse. The "all from any to any" part is there just for backward compatibility. Manpage updated accordingly.
|
#
654399a4 |
|
16-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Complete list of differences between ipfw1 and ipfw2.
|
#
99e5e645 |
|
16-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
sys/netinet/ip_fw2.c: Implement the M_SKIP_FIREWALL bit in m_flags to avoid loops for firewall-generated packets (the constant has to go in sys/mbuf.h). Better comments on keepalive generation, and enforce dyn_rst_lifetime and dyn_fin_lifetime to be less than dyn_keepalive_period. Enforce limits (up to 64k) on the number of dynamic buckets, and retry allocation with smaller sizes. Raise default number of dynamic rules to 4096. Improved handling of set of rules -- now you can atomically enable/disable multiple sets, move rules from one set to another, and swap sets.
sbin/ipfw/ipfw2.c: userland support for "noerror" pipe attribute. userland support for sets of rules. minor improvements on rule parsing and printing.
sbin/ipfw/ipfw.8: more documentation on ipfw2 extensions, differences from ipfw1 (so we can use the same manpage for both), stateful rules, and some additional examples. Feedback and more examples needed here.
|
#
ac4ed01f |
|
10-Aug-2002 |
Luigi Rizzo <luigi@FreeBSD.org> |
Major revision of the ipfw manpage, trying to make it up-to-date with ipfw2 extensions and give examples of use of the new features. This is just a preliminary commit, where I simply added the basic syntax for the extensions, and clean up the page (e.g. by listing things in alphabetical rather than random order). I would appreciate feedback and possible corrections/extensions by interested parties. Still missing are a more detailed description of stateful rules (with keepalives), interaction of stateful rules and natd (don't do that!), examples of use with the recently introduced rule sets. There is an issue related to the MFC: RELENG_4 still has ipfw as a default, and ipfw2 is optional. We have two options here: MFC this page as ipfw(8) adding a large number of "SORRY NOT IN IPFW" notes, or create a new ipfw2(8) manpage just for -stable users. I am all for the first approach, but of course am listening to your comments.
|
#
b7563355 |
|
25-Jul-2002 |
Sheldon Hearn <sheldonh@FreeBSD.org> |
Add SEE ALSO references to papers handling RED.
|
#
e1205e80 |
|
06-Jul-2002 |
Philippe Charnier <charnier@FreeBSD.org> |
The .Nm utility
|
#
0f56b10c |
|
01-May-2002 |
Crist J. Clark <cjc@FreeBSD.org> |
Enlighten those who read the FINE POINTS of the documentation a bit more on how ipfw(8) deals with tiny fragments. While we're at it, add a quick log message to even let people know we dropped a packet. (Note that the second FINE POINT is somewhat redundant given the first, but since the code is there, leave the docs for it.) MFC after: 1 day
|
#
6bfa9828 |
|
10-Jan-2002 |
Ruslan Ermilov <ru@FreeBSD.org> |
mdoc(7) police: tidy up the markup in revision 1.96.
|
#
e036a58d |
|
02-Jan-2002 |
Robert Watson <rwatson@FreeBSD.org> |
o Note that packets diverted using a 'divert' socket, and then reinserted by a userland process, will lose a number of packet attributes, including their source interface. This may affect the behavior of later rules, and while not strictly a BUG, may cause unexpected behavior if not clearly documented. A similar note for natd(8) might be desirable.
|
#
c1201321 |
|
02-Jan-2002 |
Yaroslav Tykhiy <ytykhiy@gmail.com> |
Move the discussion of how many times a packet will pass through ipfirewall(4) to the IMPLEMENTATION NOTES section because it considers kernel internals and may confuse newbies if placed at the very beginning of the manpage (where it used to be previously.) Not objected by: luigi
|
#
5b20d7fa |
|
02-Jan-2002 |
Yaroslav Tykhiy <ytykhiy@gmail.com> |
Clarify the "show" ipfw(8) command. PR: docs/31263 Permitted by: luigi
|
#
a66dbdf3 |
|
02-Jan-2002 |
Yaroslav Tykhiy <ytykhiy@gmail.com> |
Fix a typo: wierd -> weird
|
#
116f97b0 |
|
28-Dec-2001 |
Julian Elischer <julian@FreeBSD.org> |
Fix documentation to match reality
|
#
b6ee4524 |
|
21-Dec-2001 |
Yaroslav Tykhiy <ytykhiy@gmail.com> |
Implement matching IP precedence in ipfw(4). Submitted by: Igor Timkin <ivt@gamma.ru>
|
#
43ce89e1 |
|
14-Dec-2001 |
Ralf S. Engelschall <rse@FreeBSD.org> |
At least once mention the long names of WF2Q+ (Worst-case Fair Weighted Fair Queueing) and RED (Random Early Detection) to both give the reader a hint what they are and to make it easier to find out more information about them.
|
#
075908f1 |
|
14-Oct-2001 |
Dima Dorfman <dd@FreeBSD.org> |
Repair typo. PR: 31262 Submitted by: <swear@blarg.net>
|
#
4ae29521 |
|
01-Oct-2001 |
Ruslan Ermilov <ru@FreeBSD.org> |
mdoc(7) police: fix markup.
|
#
b53adbbf |
|
29-Sep-2001 |
Bill Fumerola <billf@FreeBSD.org> |
now that jlemon has added a hash table to lookup locally configured ip addresses (and the macros that ipfw(4) use to lookup data for the 'me' keyword have been converted) remove a comment about using 'me' being a "computationally expensive" operation. while I'm here, change two instances of "IP number" to "IP address"
|
#
830cc178 |
|
27-Sep-2001 |
Luigi Rizzo <luigi@FreeBSD.org> |
Two main changes here: + implement "limit" rules, which permit limiting the number of sessions between certain host pairs (according to masks). These are a special type of stateful rules, which might be of interest in some cases. See the ipfw manpage for details. + merge the list pointers and ipfw rule descriptors in the kernel, so the code is smaller, faster and more readable. This patch basically consists of replacing "foo->rule->bar" with "rule->bar" all over the place. I have been willing to do this for ages! MFC after: 1 week
|
#
c4d9468e |
|
07-Aug-2001 |
Ruslan Ermilov <ru@FreeBSD.org> |
mdoc(7) police: Avoid using parenthesis enclosure macros (.Pq and .Po/.Pc) with plain text. Not only this slows down the mdoc(7) processing significantly, but it also has an undesired (in this case) effect of disabling hyphenation within the entire enclosed block.
|
#
9fe48c6e |
|
10-Jul-2001 |
Ruslan Ermilov <ru@FreeBSD.org> |
mdoc(7) police: removed HISTORY info from the .Os call.
|
#
70d51341 |
|
09-Jul-2001 |
Dima Dorfman <dd@FreeBSD.org> |
mdoc(7) police: remove extraneous .Pp before and/or after .Sh.
|
#
fb478e5d |
|
06-Jun-2001 |
Chris Costello <chris@FreeBSD.org> |
Mention Alexandre Peixoto's share/examples/ipfw/change_rules.sh in the checklist. MFC after: 1 week
|
#
266b63f4 |
|
04-Jun-2001 |
Dag-Erling Smørgrav <des@FreeBSD.org> |
Invert the meaning of the -d option (i.e. default to *not* list dynamic rules, but list them if -d was specified). Avoid listing expired dynamic rules unless the (new) -e option was specified. If specific rule numbers were listed on the command line, and the -d flag was specified, only list dynamic rules that match the specified rule numbers. Try to partly clean up the bleeding mess this file has become. If there is any justice in this world, the responsible parties (you know who you are!) should expect to wake up one morning with a horse's head in their bed. The code still looks like spaghetti, but at least now it's *properly indented* spaghetti (hmm? did somebody say "tagliatelle"?).
|
#
78e4a314 |
|
20-May-2001 |
David Malone <dwmalone@FreeBSD.org> |
Add a flag to "ipfw show" which suppresses the display of dynamic rules. Also, don't show dynamic rules if you only asked to see a certain rule number. PR: 18550 Submitted by: Lyndon Nerenberg <lyndon@orthanc.ab.ca> Approved by: luigi MFC after: 2 weeks
|
#
7350bb3a |
|
16-Mar-2001 |
Ruslan Ermilov <ru@FreeBSD.org> |
mdoc(7) police: removed hard sentence break introduced in rev 1.82.
|
#
32de5052 |
|
15-Mar-2001 |
Dima Dorfman <dd@FreeBSD.org> |
Explain that TCP fragments with an offset of 1 are reported as being dropped by rule -1 if logging is enabled. PR: 25796 Submitted by: Crist J. Clark <cjclark@alum.mit.edu> Approved by: nik
|
#
dc60ef4a |
|
22-Feb-2001 |
Ruslan Ermilov <ru@FreeBSD.org> |
Document that the IPFW messages are logged via syslogd(8).
|
#
d4339464 |
|
15-Feb-2001 |
Ruslan Ermilov <ru@FreeBSD.org> |
mdoc(7) police: normalize the construct.
|
#
63ca8f4a |
|
14-Feb-2001 |
Sheldon Hearn <sheldonh@FreeBSD.org> |
Fix grammar nit in previous commit.
|
#
bb07ec8c |
|
13-Feb-2001 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Introduce a new feature in IPFW: Check if the source or destination address is configured on an interface. This is useful for routers with dynamic interfaces. It is now possible to say: 0100 allow tcp from any to any established 0200 skipto 1000 tcp from any to any 0300 allow ip from any to any 1000 allow tcp from 1.2.3.4 to me 22 1010 deny tcp from any to me 22 1020 allow tcp from any to any and not have to worry about the behaviour if dynamic interfaces configure new IP numbers later on. The check is semi-expensive (traverses the interface address list) so it should be protected as in the above example if high performance is a requirement.
|
#
d90d7015 |
|
27-Dec-2000 |
Ruslan Ermilov <ru@FreeBSD.org> |
Prepare for mdoc(7)NG.
|
#
1252c1bb |
|
18-Dec-2000 |
Ruslan Ermilov <ru@FreeBSD.org> |
Prepare for mdoc(7)NG.
|
#
f4d874a1 |
|
22-Nov-2000 |
Ruslan Ermilov <ru@FreeBSD.org> |
mdoc(7) police: do not split author names in the AUTHORS section.
|
#
7c7fb079 |
|
20-Nov-2000 |
Ruslan Ermilov <ru@FreeBSD.org> |
mdoc(7) police: use the new features of the Nm macro.
|
#
32e5e4cf |
|
15-Nov-2000 |
Ben Smithurst <ben@FreeBSD.org> |
more removal of trailing periods from SEE ALSO.
|
#
0ec2d7d3 |
|
30-Oct-2000 |
Ruslan Ermilov <ru@FreeBSD.org> |
IPFW does not discard *any* IP fragments with OFF=1, only TCP ones.
|
#
de2e7393 |
|
10-Oct-2000 |
Ruslan Ermilov <ru@FreeBSD.org> |
Only interpret the last command line argument as a file to be preprocessed if it is specified as an absolute pathname. PR: bin/16179
|
#
79a74459 |
|
06-Oct-2000 |
Ruslan Ermilov <ru@FreeBSD.org> |
Document the latest firewall knobs.
|
#
3ea420e3 |
|
29-Sep-2000 |
Ruslan Ermilov <ru@FreeBSD.org> |
Document that net.inet.ip.fw.one_pass only affects dummynet(4). Noticed by: Peter Jeremy<peter.jeremy@alcatel.com.au>
|
#
e439c30c |
|
12-Jun-2000 |
Ruslan Ermilov <ru@FreeBSD.org> |
Fixed style bugs of rev 1.66.
|
#
9714563d |
|
08-Jun-2000 |
Dan Moschuk <dan@FreeBSD.org> |
Add tcpoptions to ipfw. This works much in the same way as ipoptions do. It also squashes 99% of packet kiddie synflood orgies. For example, to rate syn packets without MSS, ipfw pipe 10 config 56Kbit/s queue 10Packets ipfw add pipe 10 tcp from any to any in setup tcpoptions !mss Submitted by: Richard A. Steenbergen <ras@e-gerbil.net>
|
#
afb87ed2 |
|
08-Jun-2000 |
Luigi Rizzo <luigi@FreeBSD.org> |
Document new dummynet functionality, namely WF2Q+ and RED
|
#
353fa3b6 |
|
03-May-2000 |
Sheldon Hearn <sheldonh@FreeBSD.org> |
Remove extraneous Dv macro that slipped in, in rev 1.64.
|
#
0f956897 |
|
30-Apr-2000 |
Brian Feldman <green@FreeBSD.org> |
Allow overriding of net.inet.ip.fw.verbose_limit; if you want to make a rule that logs without a log limit, use "logamount 0" in addition to "log".
|
#
ac13e0c5 |
|
28-Feb-2000 |
Ruslan Ermilov <ru@FreeBSD.org> |
A huge rewrite of the manual page (mostly -mdoc related). Reviewed by: luigi, sheldonh
|
#
d69f84c0 |
|
10-Feb-2000 |
Luigi Rizzo <luigi@FreeBSD.org> |
Support and document new stateful ipfw features. Approved-by: jordan
|
#
8c020cb7 |
|
08-Jan-2000 |
Luigi Rizzo <luigi@FreeBSD.org> |
Support per-flow queueing in dummynet. Implement masks on UDP/TCP ports. Large rewrite of the manpage. Work supported by Akamba Corp.
|
#
56345b0f |
|
05-Dec-1999 |
Archie Cobbs <archie@FreeBSD.org> |
Turn on 'ipfw tee'. Update man page. Please note (from the man page): Packets that match a tee rule should not be immediately accepted, but should continue going through the rule list. This may be fixed in a later version. I hope to fix this soon in a separate commit.
|
#
42c9b5b9 |
|
19-Oct-1999 |
Ruslan Ermilov <ru@FreeBSD.org> |
Remove one obsoleted entry from the BUGS section.
|
#
7f3dea24 |
|
27-Aug-1999 |
Peter Wemm <peter@FreeBSD.org> |
$Id$ -> $FreeBSD$
|
#
32e79246 |
|
21-Aug-1999 |
Brian Feldman <green@FreeBSD.org> |
To christen the brand new security category for syslog, we get IPFW using syslog(3) (log(9)) for its various purposes! This long-awaited change also includes such nice things as: * macros expanding into _two_ comma-delimited arguments! * snprintf! * more snprintf! * linting and criticism by more people than you can shake a stick at! * a slightly more uniform message style than before! and last but not least * no less than 5 rewrites! Reviewed by: committers
|
#
f0706ad4 |
|
11-Aug-1999 |
Luigi Rizzo <luigi@FreeBSD.org> |
Userland and manual page changes for probabilistic rule match. Because the kernel change was done in a backward-compatible way, you don't need to recompile ipfw if you don't want to use the new feature.
|
#
0b6c1a83 |
|
01-Aug-1999 |
Brian Feldman <green@FreeBSD.org> |
Make ipfw's logging more dynamic. Now, log will use the default limit _or_ you may specify "log logamount number" to set logging specifically for the rule. In addition, "ipfw resetlog" has been added, which will reset the logging counters on any/all rule(s). ipfw resetlog does not affect the packet/byte counters (as ipfw reset does), and is the only "set" command that can be run at securelevel >= 3. This should address complaints about not being able to set logging amounts, not being able to restart logging at a high securelevel, and not being able to just reset logging without resetting all of the counters in a rule.
|
#
7a2aab80 |
|
19-Jun-1999 |
Brian Feldman <green@FreeBSD.org> |
This is the much-awaited cleaned up version of IPFW [ug]id support. All relevant changes have been made (including ipfw.8).
|
#
689b0bd1 |
|
14-Jun-1999 |
Ruslan Ermilov <ru@FreeBSD.org> |
Document the usage of escape character in a service name. PR: 7101 Reminded by: jhs
|
#
39aa78dd |
|
29-May-1999 |
Kris Kennaway <kris@FreeBSD.org> |
Manpage cleanup, move $Id$ to #ifndef lint, remove unused includes, grammatical fixes. Submitted by: Philippe Charnier
|
#
dc90479c |
|
29-Apr-1999 |
Guy Helmer <ghelmer@FreeBSD.org> |
Add ICMP types to list of information about each packet.
|
#
b67579bd |
|
27-Apr-1999 |
Guy Helmer <ghelmer@FreeBSD.org> |
Explain when packets are tested by the firewall rules and what attributes of packets can be tested. PR: docs/7437
|
#
e5a49961 |
|
08-Apr-1999 |
Guy Helmer <ghelmer@FreeBSD.org> |
Convert LKM/modload to KLD/kldload. Add ref to kldload(8). Submitted by: Nathan Ahlstrom <nrahlstr@winternet.com>
|
#
6f206f2e |
|
21-Jan-1999 |
Archie Cobbs <archie@FreeBSD.org> |
Fix misleading wording in ipfw(8) man page. PR: docs/9603
|
#
b46dfa40 |
|
16-Dec-1998 |
Guy Helmer <ghelmer@FreeBSD.org> |
Mention effect of securelevel 3 and higher on attempts to change filter lists. Prompted by: PR docs/7785
|
#
b31a3861 |
|
06-Dec-1998 |
Archie Cobbs <archie@FreeBSD.org> |
Disallow ipfw "tee" rules until it is actually implemented. PR: bin/8471
|
#
aa045fa4 |
|
23-Nov-1998 |
Joerg Wunsch <joerg@FreeBSD.org> |
Preprocessor support for `ipfw [-q] ... file'. This allows for more flexible ipfw configuration files using `variables' to describe frequently used items in the file, like the local IP address(es), interface names etc. Both m4 and cpp are useful and supported; with m4 being a little more unusual to the common C programmer, things like automatic rule numbering can be achieved fairly easily. While I was at it, I've also untangled some of the ugly style inside main(), and fixed a bug or two (like not being able to use blank lines when running with -q). A typical call with preprocessor invocation looks like ipfw -p m4 -Dhostname=$(hostname) /etc/fwrules Someone should probably add support for this feature to /etc/rc.firewall.
|
#
62cf03cd |
|
04-Aug-1998 |
Peter Hawkins <thepish@FreeBSD.org> |
PR: 7475 Added support for -q (suppress output) when firewall rules are taken from a file. Solves PR 7475
|
#
f9e354df |
|
05-Jul-1998 |
Julian Elischer <julian@FreeBSD.org> |
Support for IPFW based transparent forwarding. Any packet that can be matched by an ipfw rule can be redirected transparently to another port or machine. Redirection to another port mostly makes sense with tcp, where a session can be set up between a proxy and an unsuspecting client. Redirection to another machine requires that the other machine also be expecting to receive the forwarded packets, as their headers will not have been modified. /sbin/ipfw must be recompiled!!! Reviewed by: Peter Wemm <peter@freebsd.org> Submitted by: Chrisy Luke <chrisy@flix.net>
|
#
dcf2c48f |
|
18-May-1998 |
Daniel O'Callaghan <danny@FreeBSD.org> |
Reminded by: Alex Nash Bring man page up to date with -q flag behaviour.
|
#
432a1104 |
|
18-May-1998 |
Masafumi Max NAKANE <max@FreeBSD.org> |
Typo fix.
|
#
d6b37778 |
|
07-Apr-1998 |
Martin Cracauer <cracauer@FreeBSD.org> |
(evil) hackers -> crackers
|
#
68085a0e |
|
19-Mar-1998 |
Philippe Charnier <charnier@FreeBSD.org> |
.Sh AUTHOR -> .Sh AUTHORS. Use .An/.Aq.
|
#
ce78a1f6 |
|
11-Feb-1998 |
Alexander Langer <alex@FreeBSD.org> |
Alter ipfw's behavior with respect to fragmented packets when the packet offset is non-zero: - Do not match fragmented packets if the rule specifies a port or TCP flags - Match fragmented packets if the rule does not specify a port and TCP flags Since ipfw cannot examine port numbers or TCP flags for such packets, it is now illegal to specify the 'frag' option with either ports or tcpflags. Both kernel and ipfw userland utility will reject rules containing a combination of these options. BEWARE: packets that were previously passed may now be rejected, and vice versa. Reviewed by: Archie Cobbs <archie@whistle.com>
|
#
19b7e28d |
|
06-Jan-1998 |
Alexander Langer <alex@FreeBSD.org> |
Support listing/showing specific rules supplied on the command line. Use error codes from <sysexits.h>.
|
#
c7a0bf04 |
|
04-Dec-1997 |
Julian Elischer <julian@FreeBSD.org> |
Allow ipfw to accept comments and blank lines. This makes ipfw config files a LOT more readable.
|
#
bf5cbf35 |
|
29-Sep-1997 |
Wolfram Schneider <wosch@FreeBSD.org> |
Sort cross references in section SEE ALSO.
|
#
ff486369 |
|
09-Sep-1997 |
Peter Wemm <peter@FreeBSD.org> |
Mention the IPFIREWALL_DEFAULT_TO_ACCEPT option and its effect on rule 65535
|
#
875a6115 |
|
09-Sep-1997 |
Peter Wemm <peter@FreeBSD.org> |
Fix typo (65434 -> 65534)
|
#
39f5ba2d |
|
21-Aug-1997 |
Daniel O'Callaghan <danny@FreeBSD.org> |
Bring comment on '-a' flag in line with reality.
|
#
135a88d8 |
|
23-Jun-1997 |
Julian Elischer <julian@FreeBSD.org> |
Allow ipfw to look up service names from /etc/services (or NIS if turned on) note.. this would be dangerous if your ipfw was blocking NIS access :) Submitted by: archie@whistle.com (Archie Cobbs)
|
#
e4676ba6 |
|
01-Jun-1997 |
Julian Elischer <julian@FreeBSD.org> |
Submitted by: Whistle Communications (Archie Cobbs) These are quite extensive additions to the ipfw code. They include a change to the API because the old method was broken, but the user view is kept the same. The new code allows a particular match to skip forward to a particular line number, so that blocks of rules can be used without checking all the intervening rules. There are also many more ways of rejecting connections especially TCP related, and many many more ... see the man page for a complete description.
|
#
20aaa0e7 |
|
15-May-1997 |
Masafumi Max NAKANE <max@FreeBSD.org> |
Typo. PR: 3600 Submitted by: Josh Gilliam <soil@quick.net>
|
#
c6a01512 |
|
14-May-1997 |
Alexander Langer <alex@FreeBSD.org> |
Minor rewording of the examples section.
|
#
f607e2c3 |
|
10-Feb-1997 |
Daniel O'Callaghan <danny@FreeBSD.org> |
Add '-q' quiet flag for flush/add/zero commands; add 'show' command as synonym for '-a list'; stop SEGV when specifying 'via' with no interface; change 2 instances of strcpy() to strncpy(). This is a candidate for 2.2
|
#
839cc09e |
|
16-Jan-1997 |
Adam David <adam@FreeBSD.org> |
implement "not" keyword for inverting the address logic
|
#
bc41bb3f |
|
22-Dec-1996 |
Mike Pritchard <mpp@FreeBSD.org> |
Minor mdoc/style fixes.
|
#
00f10981 |
|
05-Nov-1996 |
John Polstra <jdp@FreeBSD.org> |
Fix a spelling error. 2.2 Candidate.
|
#
7de7ab65 |
|
14-Sep-1996 |
Alexander Langer <alex@FreeBSD.org> |
Note that -N is only effective when ipfw is displaying chain entries.
|
#
1285c95c |
|
31-Aug-1996 |
Nate Williams <nate@FreeBSD.org> |
Because 'ipfw flush' is such a dangerous command (given that most firewalls are remote, and this command will kill the network connection to them), prompt the user for confirmation of this command. Also, add the '-f' flag which ignores the need for confirmation of the command, and if there is no controlling tty (isatty(STDIN_FILENO) !=0) assume '-f'. If anyone is using ipfw flush in scripts it shouldn't affect them, but you may want to change the script to use 'ipfw -f flush'. Reviewed by: alex
|
#
85cf659a |
|
22-Aug-1996 |
Mike Pritchard <mpp@FreeBSD.org> |
Use the .Fx macro where appropriate.
|
#
978eb210 |
|
13-Aug-1996 |
Paul Traina <pst@FreeBSD.org> |
Completely rewrite handling of protocol field for firewalls, things are now completely consistent across all IP protocols and should be quite a bit faster. Use getprotoname() extensively, performed minor cleanups of admin utility. The admin utility could use a good kick in the pants. Basically, these were the minimal changes I could make to the code to get it up to tolerable shape. There will be some future commits to clean up the basic architecture of the firewall code, and if I'm feeling ambitious, I may pull in changes like NAT from Linux and make the firewall hooks completely generic so that a user can either load the ipfw module or the ipfilter module (cf Darren Reed). Discussed with: fenner & alex
|
#
593f7481 |
|
04-Aug-1996 |
Alexander Langer <alex@FreeBSD.org> |
Filter by IP protocol. Submitted by: fenner (with modifications by me) Bring in the interface unit wildcard flag fix from rev 1.15.4.8.
|
#
93e0e116 |
|
10-Jul-1996 |
Julian Elischer <julian@FreeBSD.org> |
Adding changes to ipfw and the kernel to support ip packet diversion.. This stuff should not be too destructive if the IPDIVERT is not compiled in.. be aware that this changes the size of the ip_fw struct so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
|
#
f8cc1596 |
|
01-Jul-1996 |
Alexander Langer <alex@FreeBSD.org> |
Correct definition of 'established' keyword.
|
#
70006145 |
|
28-Jun-1996 |
Alexander Langer <alex@FreeBSD.org> |
Fix port specification syntax. Submitted by: nate
|
#
a85b3068 |
|
15-Jun-1996 |
Alexander Langer <alex@FreeBSD.org> |
Fix a typo in the view accounting records example.
|
#
3f21e412 |
|
14-Jun-1996 |
Alexander Langer <alex@FreeBSD.org> |
Bring the man page more into line with reality.
|
#
72ee2a8b |
|
24-Feb-1996 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Update to match kernel code.
|
#
41955e91 |
|
23-Feb-1996 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Update -current ipfw program as well. I hope it all compiles...
|
#
cfe3bbfd |
|
13-Feb-1996 |
Poul-Henning Kamp <phk@FreeBSD.org> |
Document that the firewall will no longer reorder the rules.
|
#
e71057d8 |
|
29-Jan-1996 |
Mike Pritchard <mpp@FreeBSD.org> |
Fix a bunch of spelling errors.
|
#
01fc1ee9 |
|
25-Oct-1995 |
Nate Williams <nate@FreeBSD.org> |
Convert manpage to -mandoc macros. Submitted by: Gary Palmer <gary@palmer.demon.co.uk> Minor cleanup by me in the English.
|
#
38a98b22 |
|
31-Aug-1995 |
Gary Palmer <gpalmer@FreeBSD.org> |
Correct minor nit - to filter out SYN packets, the keyword is `syn' not `tcpsyn' (which matches `tcp' which blocks all tcp packets)
|
#
009f85df |
|
02-Mar-1995 |
Ugen J.S. Antsilevich <ugen@FreeBSD.org> |
Update manpage.. BTW, if somebody with good English would go through it and fix it, it would be a really good idea.
|
#
ce83f1d6 |
|
27-Feb-1995 |
Ugen J.S. Antsilevich <ugen@FreeBSD.org> |
Fixed manpage.. ldeny, lreject and log options are there and others not.. Submitted by: torstenb@FreeBSD.ORG
|
#
ab7d7f58 |
|
24-Feb-1995 |
Ugen J.S. Antsilevich <ugen@FreeBSD.org> |
Change utility to accept interface name along with IP as "via" argument
|
#
96fd3f53 |
|
17-Feb-1995 |
Ugen J.S. Antsilevich <ugen@FreeBSD.org> |
Finally document "via" feature..
|
#
742d9f28 |
|
09-Feb-1995 |
Ugen J.S. Antsilevich <ugen@FreeBSD.org> |
Ok.. at least this man page is up to date now. To be continued..
|
#
2a7abc91 |
|
11-Dec-1994 |
Andreas Schulz <ats@FreeBSD.org> |
Changed a reboot(1) to a reboot(8).
|
#
c9a156d5 |
|
17-Nov-1994 |
Jordan K. Hubbard <jkh@FreeBSD.org> |
New man pages from Ugen. Delete my old, first attempt. I only hope that the English in Ugen's two replacement pages is not too impenetrable! :-) [Note: Poul - please pull these into the BETA branch along with the other firewall changes] Submitted by: ugen
|