#
b3e76948 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: two-line .h pattern Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
|
#
2b5dd8b8 |
|
15-Jun-2023 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
ipfw: use function return value to fetch insn argument. This is a prerequsite for splitting compile_rule() into smaller chunks. MFC after: 2 weeks
|
#
9f44a47f |
|
11-Jun-2023 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
ipfw(8): add ioctl/instruction generation tests Differential Revision: https://reviews.freebsd.org/D40488 MFC after: 2 weeks
|
#
fc727ad6 |
|
24-Apr-2023 |
Boris Lytochkin <lytboris@gmail.com> |
ipfw: add [fw]mark implementation for ipfw Packet Mark is an analogue to ipfw tags with O(1) lookup from mbuf while regular tags require a single-linked list traversal. Mark is a 32-bit number that can be looked up in a table [with 'number' table-type], matched or compared with a number with optional mask applied before comparison. Having generic nature, Mark can be used in a variety of needs. For example, it could be used as a security group: mark will hold a security group id and represent a group of packet flows that shares same access control policy. Reviewed By: pauamma_gundo.com Differential Revision: https://reviews.freebsd.org/D39555 MFC after: 1 month
|
#
81cac390 |
|
04-Jun-2022 |
Arseny Smalyuk <smalukav@gmail.com> |
ipfw: add support radix tables and table lookup for MAC addresses By analogy with IP address matching, add a way to use ipfw radix tables for MAC matching. This is implemented using new ipfw table with mac:radix type. Also there are src-mac and dst-mac lookup commands added. Usage example: ipfw table 1 create type mac ipfw table 1 add 11:22:33:44:55:66/48 ipfw add skipto tablearg src-mac 'table(1)' ipfw add deny src-mac 'table(1, 100)' ipfw add deny lookup dst-mac 1 Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw filtering on L2. Reviewed by: melifaro Obtained from: Yandex LLC MFC after: 1 month Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D35103
|
#
0b95680e |
|
25-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
ipfw: Introduce dnctl Introduce a link to the ipfw command, dnctl, for dummynet configuration. dnctl only handles dummynet configuration, and is part of the effort to support dummynet in pf. /sbin/ipfw continues to accept pipe, queue and sched commands, but these can now also be issued via the new dnctl command. Reviewed by: donner MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D30465
|
#
a08cdb6c |
|
02-Feb-2021 |
Neel Chauhan <nc@FreeBSD.org> |
Allow setting alias port ranges in libalias and ipfw. This will allow a system to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user, subnet) can have their own dedicated port aliasing ranges. Reviewed by: donner, kp Approved by: 0mp (mentor), donner, kp Differential Revision: https://reviews.freebsd.org/D23450
|
#
165236a1 |
|
13-Jul-2020 |
Mark Johnston <markj@FreeBSD.org> |
ipfw(8): Handle unaligned pointers in pr_u64. struct _ipfw_dyn_rule is defined as packed, and as a result, its uint64_t fields are misaligned on some 32-bit platforms. Since pr_u64() is explicitly supposed to handle this case, avoid using a uint64_t * for the input pointer to make sure that the compiler won't (correctly) warn about the misalignment. Reported by: jenkins MFC with: r363164
|
#
56707bee |
|
13-Jul-2020 |
Mark Johnston <markj@FreeBSD.org> |
ipfw(8): Fix most warnings with the default WARNS level. - Add missing const and static qualifiers. - Avoid shadowing the global "co" by renaming it to "g_co". - Avoid mixing signedness in loop bound checks. - Leave -Wcast-align warnings disabled for now. Reviewed by: ae, melifaro MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D25456
|
#
db1102f2 |
|
23-Mar-2020 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Use IP_FW_NAT44_DESTROY opcode for IP_FW3 socket option to destroy NAT instance. The NAT44 group of opcodes for IP_FW3 socket option is modern way to control NAT instances and this method can be used in future to switch from numeric to named NAT instances, like was done for ipfw tables. The IP_FW_NAT_DEL opcode is the last remnant of old ipfw_ctl control plane that doesn't support versioned operations. This interface will be retired soon. Reviewed by: melifaro MFC after: 10 days Sponsored by: Yandex LLC
|
#
75b89337 |
|
24-Jan-2020 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Add support for RFC 6598/Carrier Grade NAT subnets. to libalias and ipfw. In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added. This is like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware. Also, we add a new NAT option to ipfw called unreg_cgn, which is like unreg_only, but also is RFC 6598-aware. The reason for the new flags/options is to avoid breaking existing networks, especially those which rely on RFC 6598 as an external address. Submitted by: Neel Chauhan <neel AT neelc DOT org> MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D22877
|
#
978f2d17 |
|
21-Jun-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add "tcpmss" opcode to match the TCP MSS value. With this opcode it is possible to match TCP packets with specified MSS option, whose value corresponds to configured in opcode value. It is allowed to specify single value, range of values, or array of specific values or ranges. E.g. # ipfw add deny log tcp from any to any tcpmss 0-500 Reviewed by: melifaro,bcr Obtained from: Yandex LLC MFC after: 1 week Sponsored by: Yandex LLC
|
#
09899450 |
|
27-May-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Remove unused token that was added in r348235. MFC after: 2 weeks
|
#
05ab1ef6 |
|
24-May-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add `missing` and `or-flush` options to "ipfw table <NAME> create" command to simplify firewall reloading. The `missing` option suppresses EEXIST error code, but does check that existing table has the same parameters as new one. The `or-flush` option implies `missing` option and additionally does flush for table if it is already exist. Submitted by: lev MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D18339
|
#
d18c1f26 |
|
19-Mar-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Reapply r345274 with build fixes for 32-bit architectures. Update NAT64LSN implementation: o most of data structures and relations were modified to be able support large number of translation states. Now each supported protocol can use full ports range. Ports groups now are belongs to IPv4 alias addresses, not hosts. Each ports group can keep several states chunks. This is controlled with new `states_chunks` config option. States chunks allow to have several translation states for single alias address and port, but for different destination addresses. o by default all hash tables now use jenkins hash. o ConcurrencyKit and epoch(9) is used to make NAT64LSN lockless on fast path. o one NAT64LSN instance now can be used to handle several IPv6 prefixes, special prefix "::" value should be used for this purpose when instance is created. o due to modified internal data structures relations, the socket opcode that does states listing was changed. Obtained from: Yandex LLC MFC after: 1 month Sponsored by: Yandex LLC
|
#
d6369c2d |
|
18-Mar-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Revert r345274. It appears that not all 32-bit architectures have necessary CK primitives.
|
#
d7a1cf06 |
|
17-Mar-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Update NAT64LSN implementation: o most of data structures and relations were modified to be able support large number of translation states. Now each supported protocol can use full ports range. Ports groups now are belongs to IPv4 alias addresses, not hosts. Each ports group can keep several states chunks. This is controlled with new `states_chunks` config option. States chunks allow to have several translation states for single alias address and port, but for different destination addresses. o by default all hash tables now use jenkins hash. o ConcurrencyKit and epoch(9) is used to make NAT64LSN lockless on fast path. o one NAT64LSN instance now can be used to handle several IPv6 prefixes, special prefix "::" value should be used for this purpose when instance is created. o due to modified internal data structures relations, the socket opcode that does states listing was changed. Obtained from: Yandex LLC MFC after: 1 month Sponsored by: Yandex LLC
|
#
5c04f73e |
|
18-Mar-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add NAT64 CLAT implementation as defined in RFC6877. CLAT is customer-side translator that algorithmically translates 1:1 private IPv4 addresses to global IPv6 addresses, and vice versa. It is implemented as part of ipfw_nat64 kernel module. When module is loaded or compiled into the kernel, it registers "nat64clat" external action. External action named instance can be created using `create` command and then used in ipfw rules. The create command accepts two IPv6 prefixes `plat_prefix` and `clat_prefix`. If plat_prefix is ommitted, IPv6 NAT64 Well-Known prefix 64:ff9b::/96 will be used. # ipfw nat64clat CLAT create clat_prefix SRC_PFX plat_prefix DST_PFX # ipfw add nat64clat CLAT ip4 from IPv4_PFX to any out # ipfw add nat64clat CLAT ip6 from DST_PFX to SRC_PFX in Obtained from: Yandex LLC Submitted by: Boris N. Lytochkin MFC after: 1 month Relnotes: yes Sponsored by: Yandex LLC
|
#
b11efc1e |
|
18-Mar-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Modify struct nat64_config. Add second IPv6 prefix to generic config structure and rename another fields to conform to RFC6877. Now it contains two prefixes and length: PLAT is provider-side translator that translates N:1 global IPv6 addresses to global IPv4 addresses. CLAT is customer-side translator (XLAT) that algorithmically translates 1:1 IPv4 addresses to global IPv6 addresses. Use PLAT prefix in stateless (nat64stl) and stateful (nat64lsn) translators. Modify nat64_extract_ip4() and nat64_embed_ip4() functions to accept prefix length and use plat_plen to specify prefix length. Retire net.inet.ip.fw.nat64_allow_private sysctl variable. Add NAT64_ALLOW_PRIVATE flag and use "allow_private" config option to configure this ability separately for each NAT64 instance. Obtained from: Yandex LLC MFC after: 1 month Sponsored by: Yandex LLC
|
#
d66f9c86 |
|
04-Dec-2018 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add ability to request listing and deleting only for dynamic states. This can be useful, when net.inet.ip.fw.dyn_keep_states is enabled, but after rules reloading some state must be deleted. Added new flag '-D' for such purpose. Retire '-e' flag, since there can not be expired states in the meaning that this flag historically had. Also add "verbose" mode for listing of dynamic states, it can be enabled with '-v' flag and adds additional information to states list. This can be useful for debugging. Obtained from: Yandex LLC MFC after: 2 months Sponsored by: Yandex LLC
|
#
b2b56606 |
|
12-Nov-2018 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add ability to use dynamic external prefix in ipfw_nptv6 module. Now an interface name can be specified for nptv6 instance instead of ext_prefix. The module will track if_addr_ext events and when suitable IPv6 address will be added to specified interface, it will be configured as external prefix. When address disappears instance becomes unusable, i.e. it doesn't match any packets. Reviewed by: 0mp (manpages) Tested by: Dries Michiels <driesm dot michiels gmail com> MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D17765
|
#
f7c4fdee |
|
09-Jul-2018 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add "record-state", "set-limit" and "defer-action" rule options to ipfw. "record-state" is similar to "keep-state", but it doesn't produce implicit O_PROBE_STATE opcode in a rule. "set-limit" is like "limit", but it has the same feature as "record-state", it is single opcode without implicit O_PROBE_STATE opcode. "defer-action" is targeted to be used with dynamic states. When rule with this opcode is matched, the rule's action will not be executed, instead dynamic state will be created. And when this state will be matched by "check-state", then rule action will be executed. This allows create a more complicated rulesets. Submitted by: lev MFC after: 1 month Differential Revision: https://reviews.freebsd.org/D1776
|
#
782360de |
|
09-May-2018 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Bring in some last changes in NAT64 implementation: o Modify ipfw(8) to be able set any prefix6 not just Well-Known, and also show configured prefix6; o relocate some definitions and macros into proper place; o convert nat64_debug and nat64_allow_private variables to be VNET-compatible; o add struct nat64_config that keeps generic configuration needed to NAT64 code; o add nat64_check_prefix6() function to check validness of specified by user IPv6 prefix according to RFC6052; o use nat64_check_private_ip4() and nat64_embed_ip4() functions instead of nat64_get_ip4() and nat64_set_ip4() macros. This allows to use any configured IPv6 prefixes that are allowed by RFC6052; o introduce NAT64_WKPFX flag, that is set when IPv6 prefix is Well-Known IPv6 prefix. It is used to reduce overhead to check this; o modify nat64lsn_cfg and nat64stl_cfg structures to use nat64_config structure. And respectivelly modify the rest of code; o remove now unused ro argument from nat64_output() function; o remove __FreeBSD_version ifdef, NAT64 was not merged to older versions; o add commented -DIPFIREWALL_NAT64_DIRECT_OUTPUT flag to module's Makefile as example. Obtained from: Yandex LLC MFC after: 1 month Sponsored by: Yandex LLC
|
#
bd32e335 |
|
12-Apr-2018 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Remove printing of "not" keyword from print_ip6() function. After r331668 handling of F_NOT flag done in one place by print_instruction() function. Also remove unused argument from print_ip[6]() functions. MFC after: 1 week
|
#
aed02679 |
|
27-Mar-2018 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Rework ipfw rules parsing and printing code. Introduce show_state structure to keep information about printed opcodes. Split show_static_rule() function into several smaller functions. Make parsing and printing opcodes into several passes. Each printed opcode is marked in show_state structure and will be skipped in next passes. Now show_static_rule() function is simple, it just prints each part of rule separately: action, modifiers, proto, src and dst addresses, options. The main goal of this change is avoiding occurrence of wrong result of `ifpw show` command, that can not be parsed by ipfw(8). Also now it is possible to make some simple static optimizations by reordering of opcodes in the rule. PR: 222705 Discussed with: melifaro MFC after: 2 weeks Sponsored by: Yandex LLC
|
#
33d72c30 |
|
20-Dec-2017 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
Revert r327005 - SPDX tags for license similar to BSD-2-Clause. After consultation with SPDX experts and their matching guidelines[1], the licensing doesn't exactly match the BSD-2-Clause. It yet remains to be determined if they are equivalent or if there is a recognized license that matches but it is safer to just revert the tags. Let this also be a reminder that on FreeBSD, SPDX tags are only advisory and have no legal value (but IANAL). Pointyhat to: pfg Thanks to: Rodney Grimes, Gary O'Neall [1] https://spdx.org/spdx-license-list/matching-guidelines
|
#
d17aef79 |
|
19-Dec-2017 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
SPDX: These are fundamentally BSD-2-Clause. They just omit the introductory line and numbering.
|
#
665c8a2e |
|
26-Nov-2017 |
Michael Tuexen <tuexen@FreeBSD.org> |
Add to ipfw support for sending an SCTP packet containing an ABORT chunk. This is similar to the TCP case. where a TCP RST segment can be sent. There is one limitation: When sending an ABORT in response to an incoming packet, it should be tested if there is no ABORT chunk in the received packet. Currently, it is only checked if the first chunk is an ABORT chunk to avoid parsing the whole packet, which could result in a DOS attack. Thanks to Timo Voelker for helping me to test this patch. Reviewed by: bcr@ (man page part), ae@ (generic, non-SCTP part) Differential Revision: https://reviews.freebsd.org/D13239
|
#
ab1d4880 |
|
02-Oct-2017 |
Michael Tuexen <tuexen@FreeBSD.org> |
Whitespace changes: Remove leading spaces followed by a tab.
|
#
aac74aea |
|
02-Apr-2017 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add ipfw_pmod kernel module. The module is designed for modification of a packets of any protocols. For now it implements only TCP MSS modification. It adds the external action handler for "tcp-setmss" action. A rule with tcp-setmss action does additional check for protocol and TCP flags. If SYN flag is present, it parses TCP options and modifies MSS option if its value is greater than configured value in the rule. Then it adjustes TCP checksum if needed. After handling the search continues with the next rule. Obtained from: Yandex LLC MFC after: 2 weeks Relnotes: yes Sponsored by: Yandex LLC No objection from: #network Differential Revision: https://reviews.freebsd.org/D10150
|
#
6d3c367d |
|
28-Dec-2016 |
Marius Strobl <marius@FreeBSD.org> |
Fix a bug in r272840; given that the optlen parameter of setsockopt(2) is a 32-bit socklen_t, do_get3() passes the kernel to access the wrong 32-bit half on big-endian LP64 machines when simply casting the 64-bit size_t optlen to a socklen_t pointer. While at it and given that the intention of do_get3() apparently is to hide/wrap the fact that socket options are used for communication with ipfw(4), change the optlen parameter of do_set3() to be of type size_t and as such more appropriate than uintptr_t, too. MFC after: 3 days
|
#
757b5d87 |
|
15-Nov-2016 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add missing support of named lookup tables to the IPv6 code. PR: 214419 MFC after: 1 week Sponsored by: Yandex LLC
|
#
d8caf56e |
|
13-Aug-2016 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add ipfw_nat64 module that implements stateless and stateful NAT64. The module works together with ipfw(4) and implemented as its external action module. Stateless NAT64 registers external action with name nat64stl. This keyword should be used to create NAT64 instance and to address this instance in rules. Stateless NAT64 uses two lookup tables with mapped IPv4->IPv6 and IPv6->IPv4 addresses to perform translation. A configuration of instance should looks like this: 1. Create lookup tables: # ipfw table T46 create type addr valtype ipv6 # ipfw table T64 create type addr valtype ipv4 2. Fill T46 and T64 tables. 3. Add rule to allow neighbor solicitation and advertisement: # ipfw add allow icmp6 from any to any icmp6types 135,136 4. Create NAT64 instance: # ipfw nat64stl NAT create table4 T46 table6 T64 5. Add rules that matches the traffic: # ipfw add nat64stl NAT ip from any to table(T46) # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96 6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host. Stateful NAT64 registers external action with name nat64lsn. The only one option required to create nat64lsn instance - prefix4. It defines the pool of IPv4 addresses used for translation. A configuration of instance should looks like this: 1. Add rule to allow neighbor solicitation and advertisement: # ipfw add allow icmp6 from any to any icmp6types 135,136 2. Create NAT64 instance: # ipfw nat64lsn NAT create prefix4 A.B.C.D/28 3. Add rules that matches the traffic: # ipfw add nat64lsn NAT ip from any to A.B.C.D/28 # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96 4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via NAT64 host. Obtained from: Yandex LLC Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D6434
|
#
b867e84e |
|
18-Jul-2016 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6 as defined in RFC 6296. The module works together with ipfw(4) and implemented as its external action module. When it is loaded, it registers as eaction and can be used in rules. The usage pattern is similar to ipfw_nat(4). All matched by rule traffic goes to the NPT module. Reviewed by: hrs Obtained from: Yandex LLC MFC after: 1 month Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D6420
|
#
b04471d8 |
|
11-Jul-2016 |
Cy Schubert <cy@FreeBSD.org> |
r302561 broke buildworld. This patch fixes that. MFC after: 3 days X-MFC with: r302561
|
#
91336b40 |
|
26-May-2016 |
Don Lewis <truckman@FreeBSD.org> |
Import Dummynet AQM version 0.2.1 (CoDel, FQ-CoDel, PIE and FQ-PIE). Centre for Advanced Internet Architectures Implementing AQM in FreeBSD * Overview <http://caia.swin.edu.au/freebsd/aqm/index.html> * Articles, Papers and Presentations <http://caia.swin.edu.au/freebsd/aqm/papers.html> * Patches and Tools <http://caia.swin.edu.au/freebsd/aqm/downloads.html> Overview Recent years have seen a resurgence of interest in better managing the depth of bottleneck queues in routers, switches and other places that get congested. Solutions include transport protocol enhancements at the end-hosts (such as delay-based or hybrid congestion control schemes) and active queue management (AQM) schemes applied within bottleneck queues. The notion of AQM has been around since at least the late 1990s (e.g. RFC 2309). In recent years the proliferation of oversized buffers in all sorts of network devices (aka bufferbloat) has stimulated keen community interest in four new AQM schemes -- CoDel, FQ-CoDel, PIE and FQ-PIE. The IETF AQM working group is looking to document these schemes, and independent implementations are a corner-stone of the IETF's process for confirming the clarity of publicly available protocol descriptions. While significant development work on all three schemes has occured in the Linux kernel, there is very little in FreeBSD. Project Goals This project began in late 2015, and aims to design and implement functionally-correct versions of CoDel, FQ-CoDel, PIE and FQ_PIE in FreeBSD (with code BSD-licensed as much as practical). We have chosen to do this as extensions to FreeBSD's ipfw/dummynet firewall and traffic shaper. Implementation of these AQM schemes in FreeBSD will: * Demonstrate whether the publicly available documentation is sufficient to enable independent, functionally equivalent implementations * Provide a broader suite of AQM options for sections the networking community that rely on FreeBSD platforms Program Members: * Rasool Al Saadi (developer) * Grenville Armitage (project lead) Acknowledgements: This project has been made possible in part by a gift from the Comcast Innovation Fund. Submitted by: Rasool Al-Saadi <ralsaadi@swin.edu.au> X-No objection: core MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D6388
|
#
2acdf79f |
|
14-Apr-2016 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add External Actions KPI to ipfw(9). It allows implementing loadable kernel modules with new actions and without needing to modify kernel headers and ipfw(8). The module registers its action handler and keyword string, that will be used as action name. Using generic syntax user can add rules with this action. Also ipfw(8) can be easily modified to extend basic syntax for external actions, that become a part base system. Sample modules will coming soon. Obtained from: Yandex LLC Sponsored by: Yandex LLC
|
#
7b34dbe4 |
|
14-Apr-2016 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Fix output formatting of O_UNREACH6 opcode. Obtained from: Yandex LLC
|
#
5dc5a0e0 |
|
03-Nov-2015 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Implement `ipfw internal olist` command to list named objects. Reviewed by: melifaro Obtained from: Yandex LLC Sponsored by: Yandex LLC
|
#
8963c505 |
|
26-Apr-2015 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Generalize object reference handling in ipfw rules. No ABI changes.
|
#
0cba2b28 |
|
31-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Add support for multi-field values inside ipfw tables. This is the last major change in given branch. Kernel changes: * Use 64-bytes structures to hold multi-value variables. * Use shared array to hold values from all tables (assume each table algo is capable of holding 32-byte variables). * Add some placeholders to support per-table value arrays in future. * Use simple eventhandler-style API to ease the process of adding new table items. Currently table addition may required multiple UH drops/ acquires which is quite tricky due to atomic table modificatio/swap support, shared array resize, etc. Deal with it by calling special notifier capable of rolling back state before actually performing swap/resize operations. Original operation then restarts itself after acquiring UH lock. * Bump all objhash users default values to at least 64 * Fix custom hashing inside objhash. Userland changes: * Add support for dumping shared value array via "vlist" internal cmd. * Some small print/fill_flags dixes to support u32 values. * valtype is now bitmask of <skipto|pipe|fib|nat|dscp|tag|divert|netgraph|limit|ipv4|ipv6>. New values can hold distinct values for each of this types. * Provide special "legacy" type which assumes all values are the same. * More helpers/docs following.. Some examples: 3:41 [1] zfscurr0# ipfw table mimimi create valtype skipto,limit,ipv4,ipv6 3:41 [1] zfscurr0# ipfw table mimimi info +++ table(mimimi), set(0) +++ kindex: 2, type: addr references: 0, valtype: skipto,limit,ipv4,ipv6 algorithm: addr:radix items: 0, size: 296 3:42 [1] zfscurr0# ipfw table mimimi add 10.0.0.5 3000,10,10.0.0.1,2a02:978:2::1 added: 10.0.0.5/32 3000,10,10.0.0.1,2a02:978:2::1 3:42 [1] zfscurr0# ipfw table mimimi list +++ table(mimimi), set(0) +++ 10.0.0.5/32 3000,0,10.0.0.1,2a02:978:2::1
|
#
912430f6 |
|
23-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Merge buffer-printing changes from from projects/ipfw as preparation for branch merge. Requested by: luigi
|
#
4df4dada |
|
12-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Move one step further towards libipfw: convert show_static_rule() to bpprint-output style, so one can now output human-readable rule representation to preallocated buffer.
|
#
be695df9 |
|
12-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Update table_handler cmd list * Implement partial cmd matching inside table handler.
|
#
1940fa77 |
|
12-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Change tablearg value to be 0 (try #2). Most of the tablearg-supported opcodes does not accept 0 as valid value: O_TAG, O_TAGGED, O_PIPE, O_QUEUE, O_DIVERT, O_TEE, O_SKIPTO, O_CALLRET, O_NETGRAPH, O_NGTEE, O_NAT treats 0 as invalid input. The rest are O_SETDSCP and O_SETFIB. 'Fix' them by adding high-order bit (0x8000) set for non-tablearg values. Do translation in kernel for old clients (import_rule0 / export_rule0), teach current ipfw(8) binary to add/remove given bit. This change does not affect handling SETDSCP values, but limit O_SETFIB values to 32767 instead of 65k. Since currently we have either old (16) or new (2^32) max fibs, this should not be a big deal: we're definitely OK for former and have to add another opcode to deal with latter, regardless of tablearg value.
|
#
4f43138a |
|
11-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add the abilify to lock/unlock given table from changes. Example: # ipfw table si lock # ipfw table si info +++ table(si), set(0) +++ kindex: 0, type: cidr, locked valtype: number, references: 0 algorithm: cidr:radix items: 0, size: 288 # ipfw table si add 4.5.6.7 ignored: 4.5.6.7/32 0 ipfw: Adding record failed: table is locked # ipfw table si unlock # ipfw table si add 4.5.6.7 added: 4.5.6.7/32 0 # ipfw table si lock # ipfw table si delete 4.5.6.7 ignored: 4.5.6.7/32 0 ipfw: Deleting record failed: table is locked # ipfw table si unlock # ipfw table si delete 4.5.6.7 deleted: 4.5.6.7/32 0
|
#
3a845e10 |
|
11-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add support for batched add/delete for ipfw tables * Add support for atomic batches add (all or none). * Fix panic on deleting non-existing entry in radix algo. Examples: # si is empty # ipfw table si add 1.1.1.1/32 1111 2.2.2.2/32 2222 added: 1.1.1.1/32 1111 added: 2.2.2.2/32 2222 # ipfw table si add 2.2.2.2/32 2200 4.4.4.4/32 4444 exists: 2.2.2.2/32 2200 added: 4.4.4.4/32 4444 ipfw: Adding record failed: record already exists ^^^^^ Returns error but keeps inserted items # ipfw table si list +++ table(si), set(0) +++ 1.1.1.1/32 1111 2.2.2.2/32 2222 4.4.4.4/32 4444 # ipfw table si atomic add 3.3.3.3/32 3333 4.4.4.4/32 4400 5.5.5.5/32 5555 added(reverted): 3.3.3.3/32 3333 exists: 4.4.4.4/32 4400 ignored: 5.5.5.5/32 5555 ipfw: Adding record failed: record already exists ^^^^^ Returns error and reverts added records # ipfw table si list +++ table(si), set(0) +++ 1.1.1.1/32 1111 2.2.2.2/32 2222 4.4.4.4/32 4444
|
#
adf3b2b9 |
|
08-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add IP_FW_TABLE_XMODIFY opcode * Since there seems to be lack of consensus on strict value typing, remove non-default value types. Use userland-only "value format type" to print values. Kernel changes: * Add IP_FW_XMODIFY to permit table run-time modifications. Currently we support changing limit and value format type. Userland changes: * Support IP_FW_XMODIFY opcode. * Support specifying value format type (ftype) in tablble create/modify req * Fine-print value type/value format type.
|
#
46d52008 |
|
03-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Implement atomic ipfw table swap. Kernel changes: * Add opcode IP_FW_TABLE_XSWAP * Add support for swapping 2 tables with the same type/ftype/vtype. * Make skipto cache init after ipfw locks init. Userland changes: * Add "table X swap Y" command.
|
#
358b9d09 |
|
03-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Move "talist" and "iflist" cmds into newly-create "internal" ipfw(8) cmd. * Add "table X detail" cmd and show detailed algo info there instead of "info".
|
#
4c0c07a5 |
|
01-Aug-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Permit limiting number of items in table. Kernel changes: * Add TEI_FLAGS_DONTADD entry flag to indicate that insert is not possible * Support given flag in all algorithms * Add "limit" field to ipfw_xtable_info * Add actual limiting code into add_table_entry() Userland changes: * Add "limit" option as "create" table sub-option. Limit modification is currently impossible. * Print human-readable errors in table enry addition/deletion code.
|
#
914bffb6 |
|
31-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add new "flow" table type to support N=1..5-tuple lookups * Add "flow:hash" algorithm Kernel changes: * Add O_IP_FLOW_LOOKUP opcode to support "flow" lookups * Add IPFW_TABLE_FLOW table type * Add "struct tflow_entry" as strage for 6-tuple flows * Add "flow:hash" algorithm. Basically it is auto-growing chained hash table. Additionally, we store mask of fields we need to compare in each instance/ * Increase ipfw_obj_tentry size by adding struct tflow_entry * Add per-algorithm stat (ifpw_ta_tinfo) to ipfw_xtable_info * Increase algoname length: 32 -> 64 (algo options passed there as string) * Assume every table type can be customized by flags, use u8 to store "tflags" field. * Simplify ipfw_find_table_entry() by providing @tentry directly to algo callback. * Fix bug in cidr:chash resize procedure. Userland changes: * add "flow table(NAME)" syntax to support n-tuple checking tables. * make fill_flags() separate function to ease working with _s_x arrays * change "table info" output to reflect longer "type" fields Syntax: ipfw table fl2 create type flow:[src-ip][,proto][,src-port][,dst-ip][dst-port] [algo flow:hash] Examples: 0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash 0:02 [2] zfscurr0# ipfw table fl2 info +++ table(fl2), set(0) +++ kindex: 0, type: flow:src-ip,proto,dst-port valtype: number, references: 0 algorithm: flow:hash items: 0, size: 280 0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000 0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000 0:02 [2] zfscurr0# ipfw table fl2 list +++ table(fl2), set(0) +++ 2a02:6b8::333,6,443 45000 10.0.0.92,6,80 22000 0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)' 00200 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2) 0:03 [2] zfscurr0# ipfw show 00200 0 0 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2) 65535 617 59416 allow ip from any to any 0:03 [2] zfscurr0# telnet -s 10.0.0.92 78.46.89.105 80 Trying 78.46.89.105... .. 0:04 [2] zfscurr0# ipfw show 00200 5 272 count tcp from me to 78.46.89.105 dst-port 80 flow table(fl2) 65535 682 66733 allow ip from any to any
|
#
9d099b4f |
|
29-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Dump available table algorithms via "ipfw talist" cmd. Kernel changes: * Add type/refcount fields to table algo instances. * Add IP_FW_TABLES_ALIST opcode to export available algorihms to userland. Userland changes: * Fix cores on empty input inside "ipfw table" handler. * Add "ipfw talist" cmd to print availabled kernel algorithms. * Change "table info" output to reflect long algorithm config lines.
|
#
68394ec8 |
|
28-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add generic ipfw interface tracking API * Rewrite interface tables to use interface indexes Kernel changes: * Add generic interface tracking API: - ipfw_iface_ref (must call unlocked, performs lazy init if needed, allocates state & bumps ref) - ipfw_iface_add_ntfy(UH_WLOCK+WLOCK, links comsumer & runs its callback to update ifindex) - ipfw_iface_del_ntfy(UH_WLOCK+WLOCK, unlinks consumer) - ipfw_iface_unref(unlocked, drops reference) Additionally, consumer callbacks are called in interface withdrawal/departure. * Rewrite interface tables to use iface tracking API. Currently tables are implemented the following way: runtime data is stored as sorted array of {ifidx, val} for existing interfaces full data is stored inside namedobj instance (chained hashed table). * Add IP_FW_XIFLIST opcode to dump status of tracked interfaces * Pass @chain ptr to most non-locked algorithm callbacks: (prepare_add, prepare_del, flush_entry ..). This may be needed for better interaction of given algorithm an other ipfw subsystems * Add optional "change_ti" algorithm handler to permit updating of cached table_info pointer (happens in case of table_max resize) * Fix small bug in ipfw_list_tables() * Add badd (insert into sorted array) and bdel (remove from sorted array) funcs Userland changes: * Add "iflist" cmd to print status of currently tracked interface * Add stringnum_cmp for better interface/table names sorting
|
#
ac35ff17 |
|
03-Jul-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Fully switch to named tables: Kernel changes: * Introduce ipfw_obj_tentry table entry structure to force u64 alignment. * Support "update-on-existing-key" "add" bahavior (TEI_FLAGS_UPDATED). * Use "subtype" field to distingush between IPv4 and IPv6 table records instead of previous hack. * Add value type (vtype) field for kernel tables. Current types are number,ip and dscp * Fix sets mask retrieval for old binaries * Fix crash while using interface tables Userland changes: * Switch ipfw_table_handler() to use named-only tables. * Add "table NAME create [type {cidr|iface|u32} [valtype {number|ip|dscp}] ..." * Switch ipfw_table_handler to match_token()-based parser. * Switch ipfw_sets_handler to use new ipfw_get_config() for mask retrieval. * Allow ipfw set X table ... syntax to permit using per-set table namespaces.
|
#
6c2997ff |
|
29-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
* Add new IP_FW_XADD opcode which permits to a) specify table ids as names b) add multiple rules at once. Partially convert current code for atomic addition of multiple rules.
|
#
563b5ab1 |
|
28-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Suppord showing named tables in ipfw(8) rule listing. Kernel changes: * change base TLV header to be u64 (so size can be u32). * Introduce ipfw_obj_ctlv generc container TLV. * Add IP_FW_XGET opcode which is now used for atomic configuration retrieval. One can specify needed configuration pieces to retrieve via flags field. Currently supported are IPFW_CFG_GET_STATIC (static rules) and IPFW_CFG_GET_STATES (dynamic states). Other configuration pieces (tables, pipes, etc..) support is planned. Userland changes: * Switch ipfw(8) to use new IP_FW_XGET for rule listing. * Split rule listing code get and show pieces. * Make several steps forward towards libipfw: permit printing states and rules(paritally) to supplied buffer. do not die on malloc/kernel failure inside given printing functions. stop assuming cmdline_opts is global symbol.
|
#
f1220db8 |
|
14-Jun-2014 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Move further to eliminate next pieces of number-assuming code inside tables. Kernel changes: * Add IP_FW_OBJ_FLUSH opcode (flush table based on its name/set) * Add IP_FW_OBJ_DUMP opcode (dumps table data based on its names/set) * Add IP_FW_OBJ_LISTSIZE / IP_FW_OBJ_LIST opcodes (get list of kernel tables) Userland changes: * move tables code to separate tables.c file * get rid of tables_max * switch "all"/list handling to new opcodes
|
#
fc5e1956 |
|
01-Jun-2014 |
Hiren Panchasara <hiren@FreeBSD.org> |
ECN marking implenetation for dummynet. Changes include both DCTCP and RFC 3168 ECN marking methodology. DCTCP draft: http://tools.ietf.org/html/draft-bensley-tcpm-dctcp-00 Submitted by: Midori Kato (aoimidori27@gmail.com) Worked with: Lars Eggert (lars@netapp.com) Reviewed by: luigi, hiren
|
#
9968f056 |
|
12-Feb-2014 |
Gleb Smirnoff <glebius@FreeBSD.org> |
Fix world build WITHOUT_PF. Sponsored by: Nginx, Inc.
|
#
1058f177 |
|
28-Nov-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Check ipfw table numbers in both user and kernel space before rule addition. Found by: Saychik Pavel <umka@localka.net> MFC after: 2 weeks Sponsored by: Yandex LLC
|
#
ae01d73c |
|
20-Mar-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Add ipfw support for setting/matching DiffServ codepoints (DSCP). Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. Dscp can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via tablearg. Matching DSCP is done via another opcode (O_DSCP) which accepts several classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words). Many people made their variants of this patch, the ones I'm aware of are (in alphabetic order): Dmitrii Tejblum Marcelo Araujo Roman Bogorodskiy (novel) Sergey Matveichuk (sem) Sergey Ryabin PR: kern/102471, kern/121122 MFC after: 2 weeks
|
#
579ed7bd |
|
03-Mar-2013 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Implement buffer size checking in ipfw(8) add cmd. PR: bin/65961 Submitted by: Eugene Grosbein <eugen@grosbein.pp.ru> MFC after: 2 weeks
|
#
9527ec6e |
|
29-Jun-2011 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add new rule actions "call" and "return" to ipfw. They make possible to organize subroutines with rules. The "call" action saves the current rule number in the internal stack and rules processing continues from the first rule with specified number (similar to skipto action). If later a rule with "return" action is encountered, the processing returns to the first rule with number of "call" rule saved in the stack plus one or higher. Submitted by: Vadim Goncharov Discussed by: ipfw@, luigi@
|
#
1875bbfe |
|
14-Jun-2011 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Implement "global" mode for ipfw nat. It is similar to natd(8) "globalport" option for multiple NAT instances. If ipfw rule contains "global" keyword instead of nat_number, then for each outgoing packet ipfw_nat looks up translation state in all configured nat instances. If an entry is found, packet aliased according to that entry, otherwise packet is passed unchanged. User can specify "skip_global" option in NAT configuration to exclude an instance from the lookup in global mode. PR: kern/157867 Submitted by: Alexander V. Chernikov (previous version) Tested by: Eugene Grosbein
|
#
ffbeadc4 |
|
18-Apr-2011 |
Gleb Smirnoff <glebius@FreeBSD.org> |
More whitespace fixes. Checked with: md5, diff -x -w
|
#
ae99fd0e |
|
12-Nov-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
The first customer of the SO_USER_COOKIE option: the "sockarg" ipfw option matches packets associated to a local socket and with a non-zero so_user_cookie value. The value is made available as tablearg, so it can be used as a skipto target or pipe number in ipfw/dummynet rules. Code by Paul Joe, manpage by me. Submitted by: Paul Joe MFC after: 1 week
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
37133ba7 |
|
19-Apr-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
Slightly different handling of printf/snprintf for unaligned uint64_t, which should improve readability, and also to ease the port to platforms that do not support %llu MFC after: 3 days
|
#
8018e843 |
|
23-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
MFC of a large number of ipfw and dummynet fixes and enhancements done in CURRENT over the last 4 months. HEAD and RELENG_8 are almost in sync now for ipfw, dummynet the pfil hooks and related components. Among the most noticeable changes: - r200855 more efficient lookup of skipto rules, and remove O(N) blocks from critical sections in the kernel; - r204591 large restructuring of the dummynet module, with support for multiple scheduling algorithms (4 available so far) See the original commit logs for details. Changes in the kernel/userland ABI should be harmless because the kernel is able to understand previous requests from RELENG_8 and RELENG_7. For this reason, this changeset would be applicable to RELENG_7 as well, but i am not sure if it is worthwhile.
|
#
72662a75 |
|
15-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
Implement "lookup dscp N" which does a lookup of the DSCP (top 6 bits of ip->ip_tos) in a table. This can be useful to direct traffic to different pipes/queues according to the DSCP of the packet, as follows: ipfw add 100 queue tablearg lookup dscp 3 // table 3 maps dscp->queue This change is a no-op (but harmless) until the two-line kernel side is committed, which will happen shortly.
|
#
fe0506d7 |
|
09-Mar-2010 |
Marcel Moolenaar <marcel@FreeBSD.org> |
Create the altix project branch. The altix project will add support for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting is a two-module system, consisting of a base compute module and a CPU expansion module. SGI's NUMAFlex architecture can be an excellent platform to test CPU affinity and NUMA-aware features in FreeBSD.
|
#
cc4d3c30 |
|
02-Mar-2010 |
Luigi Rizzo <luigi@FreeBSD.org> |
Bring in the most recent version of ipfw and dummynet, developed and tested over the past two months in the ipfw3-head branch. This also happens to be the same code available in the Linux and Windows ports of ipfw and dummynet. The major enhancement is a completely restructured version of dummynet, with support for different packet scheduling algorithms (loadable at runtime), faster queue/pipe lookup, and a much cleaner internal architecture and kernel/userland ABI which simplifies future extensions. In addition to the existing schedulers (FIFO and WF2Q+), we include a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new, very fast version of WF2Q+ called QFQ. Some test code is also present (in sys/netinet/ipfw/test) that lets you build and test schedulers in userland. Also, we have added a compatibility layer that understands requests from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries, and replies correctly (at least, it does its best; sometimes you just cannot tell who sent the request and how to answer). The compatibility layer should make it possible to MFC this code in a relatively short time. Some minor glitches (e.g. handling of ipfw set enable/disable, and a workaround for a bug in RELENG_7's /sbin/ipfw) will be fixed with separate commits. CREDITS: This work has been partly supported by the ONELAB2 project, and mostly developed by Riccardo Panicucci and myself. The code for the qfq scheduler is mostly from Fabio Checconi, and Marta Carbone and Francesco Magno have helped with testing, debugging and some bug fixes.
|
#
472099c4 |
|
15-Dec-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
implement a new match option, lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N which searches the specified field in table N and sets tablearg accordingly. With dst-ip or src-ip the option replicates two existing options. When used with other arguments, the option can be useful to quickly dispatch traffic based on other fields. Work supported by the Onelab project. MFC after: 1 week
|
#
6882bf4d |
|
24-Jun-2009 |
Oleg Bulyzhin <oleg@FreeBSD.org> |
- fix dummynet 'fast' mode for WF2Q case. - fix printing of pipe profile data. - introduce new pipe parameter: 'burst' - how much data can be sent through pipe bypassing bandwidth limit.
|
#
4bb7ae9d |
|
08-Apr-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Add emulation of delay profiles, which lets you model various types of MAC overheads such as preambles, link level retransmissions and more. Note- this commit changes the userland/kernel ABI for pipes (but not for ordinary firewall rules) so you need to rebuild kernel and /sbin/ipfw to use dummynet features. Please check the manpage for details on the new feature. The MFC would be trivial but it breaks the ABI, so it will be postponed until after 7.2 is released. Interested users are welcome to apply the patch manually to their RELENG_7 tree. Work supported by the European Commission, Projects Onelab and Onelab2 (contract 224263).
|
#
eb2e4119 |
|
01-Apr-2009 |
Paolo Pisati <piso@FreeBSD.org> |
Implement an ipfw action to reassemble ip packets: reass.
|
#
23c608c8 |
|
01-Feb-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
put the altq-related functions into a separate file. Minor cleanup of the includes used by the various source files, including annotations of why certain headers are used.
|
#
16e3606f |
|
28-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Avoid the use of duplicated typedefs -- see the comment for details.
|
#
50a99912 |
|
27-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
fix printing of uint64_t values, so we can use WARNS=2
|
#
ead75a59 |
|
26-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Put nat and ipv6 support in their own files. Usual moving of code with no changes from ipfw2.c to the newly created files, and addition of prototypes to ipfw2.h I have added forward declarations for ipfw_insn_* in ipfw2.h to avoid a global dependency on ip_fw.h
|
#
4e9c8ae7 |
|
27-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Put dummynet-related code in a separate file. To this purpose, add prototypes for global functions in ipfw2.h and move there also the list of tokens used in various places in the code.
|
#
3c0c8717 |
|
27-Jan-2009 |
Luigi Rizzo <luigi@FreeBSD.org> |
Start splitting the monster file in smaller blocks. In this episode: - introduce a common header with a minimal set of common definitions; - bring the main() function and options parser in main.c - rename the main functions with an ipfw_ prefix No code changes except for the introduction of a global variable, resvd_set_number, which stores the RESVD_SET value from ip_fw.h and is used to remove the dependency of main.c from ip_fw.h (and the subtree of dependencies) for just a single constant.
|