path: root/sbin/ipfw/ipfw.8
Commit message | Author | Age | Files | Lines
* ipfw(8): Fix a few mandoc related issues
  Gordon Bergling | 2020-12-19 | 1 file | -48/+50 lines

  - no blank before trailing delimiter
  - missing section argument: Xr inet_pton
  - skipping paragraph macro: Pp before Ss
  - unusual Xr order: syslogd after sysrc
  - tab in filled text

  There were a few multiline NAT examples which used the .Dl macro with tabs.
  I converted them to .Bd, which is a more suitable macro for that case.

  MFC after: 1 week
  Notes: svn path=/head/; revision=368804
* ipfw(8): Bugfixes for some issues reported by mandoc
  Gordon Bergling | 2020-10-03 | 1 file | -48/+61 lines

  - whitespace at end of input line
  - new sentence, new line
  - skipping paragraph macro: Pp before Pp

  MFC after: 1 week
  Notes: svn path=/head/; revision=366402
* ipfw(8): Fix typo in man page
  Fernando Apesteguía | 2020-08-21 | 1 file | -2/+2 lines

  s/exmaple/example

  Approved by: manpages (gbe@)
  Differential Revision: https://reviews.freebsd.org/D26147
  Notes: svn path=/head/; revision=364459
* ipfw: make the "frag" keyword accept additional options "mf", "df", "rf" and "offset".
  Gleb Smirnoff | 2020-08-11 | 1 file | -8/+25 lines

  This allows matching on specific bits of the ip_off field. For
  compatibility reasons, lack of a keyword means "offset".

  Reviewed by: ae
  Differential Revision: https://reviews.freebsd.org/D26021
  Notes: svn path=/head/; revision=364117
* Add support for RFC 6598/Carrier Grade NAT subnets to libalias and ipfw.
  Alexander V. Chernikov | 2020-01-24 | 1 file | -1/+4 lines

  In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added. This is
  like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware.

  Also, we add a new NAT option to ipfw called unreg_cgn, which is like
  unreg_only, but also is RFC 6598-aware.

  The reason for the new flags/options is to avoid breaking existing
  networks, especially those which rely on RFC 6598 as an external address.

  Submitted by: Neel Chauhan <neel AT neelc DOT org>
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D22877
  Notes: svn path=/head/; revision=357092
* Add "tcpmss" opcode to match the TCP MSS value.
  Andrey V. Elsukov | 2019-06-21 | 1 file | -1/+7 lines

  With this opcode it is possible to match TCP packets with a specified MSS
  option, whose value corresponds to the value configured in the opcode.
  It is allowed to specify a single value, a range of values, or an array
  of specific values or ranges. E.g.

    # ipfw add deny log tcp from any to any tcpmss 0-500

  Reviewed by: melifaro, bcr
  Obtained from: Yandex LLC
  MFC after: 1 week
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=349267
* Add `missing` and `or-flush` options to "ipfw table <NAME> create" command to simplify firewall reloading.
  Andrey V. Elsukov | 2019-05-24 | 1 file | -2/+9 lines

  The `missing` option suppresses the EEXIST error code, but does check
  that the existing table has the same parameters as the new one.
  The `or-flush` option implies the `missing` option and additionally
  flushes the table if it already exists.

  Submitted by: lev
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D18339
  Notes: svn path=/head/; revision=348235
* Typo fix in ipfw.8: amd -> and
  Benedict Reuschling | 2019-04-21 | 1 file | -2/+2 lines

  There is an (obvious) typo in the following sentence:

    "Please note, that keep-state amd limit imply implicit check-state for ..."

  Replace the "amd" with "and", bump .Dd.

  PR: 237438
  Submitted by: michael@galassi.us
  MFC after: 3 days
  Notes: svn path=/head/; revision=346490
* Reapply r345274 with build fixes for 32-bit architectures.
  Andrey V. Elsukov | 2019-03-19 | 1 file | -11/+19 lines

  Update NAT64LSN implementation:

  o most data structures and relations were modified to be able to
    support a large number of translation states. Now each supported
    protocol can use the full ports range. Port groups now belong to
    IPv4 alias addresses, not hosts. Each port group can keep several
    states chunks. This is controlled with the new `states_chunks`
    config option. States chunks allow having several translation
    states for a single alias address and port, but for different
    destination addresses.
  o by default all hash tables now use Jenkins hash.
  o ConcurrencyKit and epoch(9) are used to make NAT64LSN lockless on
    the fast path.
  o one NAT64LSN instance can now be used to handle several IPv6
    prefixes; the special prefix "::" value should be used for this
    purpose when the instance is created.
  o due to modified internal data structure relations, the socket
    opcode that does states listing was changed.

  Obtained from: Yandex LLC
  MFC after: 1 month
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=345293
* Revert r345274. It appears that not all 32-bit architectures have necessary CK primitives.
  Andrey V. Elsukov | 2019-03-18 | 1 file | -18/+10 lines

  Notes: svn path=/head/; revision=345275
* Update NAT64LSN implementation:
  Andrey V. Elsukov | 2019-03-18 | 1 file | -10/+18 lines

  o most data structures and relations were modified to be able to
    support a large number of translation states. Now each supported
    protocol can use the full ports range. Port groups now belong to
    IPv4 alias addresses, not hosts. Each port group can keep several
    states chunks. This is controlled with the new `states_chunks`
    config option. States chunks allow having several translation
    states for a single alias address and port, but for different
    destination addresses.
  o by default all hash tables now use Jenkins hash.
  o ConcurrencyKit and epoch(9) are used to make NAT64LSN lockless on
    the fast path.
  o one NAT64LSN instance can now be used to handle several IPv6
    prefixes; the special prefix "::" value should be used for this
    purpose when the instance is created.
  o due to modified internal data structure relations, the socket
    opcode that does states listing was changed.

  Obtained from: Yandex LLC
  MFC after: 1 month
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=345274
* Add NAT64 CLAT implementation as defined in RFC6877.
  Andrey V. Elsukov | 2019-03-18 | 1 file | -0/+71 lines

  CLAT is a customer-side translator that algorithmically translates 1:1
  private IPv4 addresses to global IPv6 addresses, and vice versa.
  It is implemented as part of the ipfw_nat64 kernel module. When the
  module is loaded or compiled into the kernel, it registers the
  "nat64clat" external action. An external action named instance can be
  created using the `create` command and then used in ipfw rules.
  The create command accepts two IPv6 prefixes `plat_prefix` and
  `clat_prefix`. If plat_prefix is omitted, the IPv6 NAT64 Well-Known
  prefix 64:ff9b::/96 will be used.

    # ipfw nat64clat CLAT create clat_prefix SRC_PFX plat_prefix DST_PFX
    # ipfw add nat64clat CLAT ip4 from IPv4_PFX to any out
    # ipfw add nat64clat CLAT ip6 from DST_PFX to SRC_PFX in

  Obtained from: Yandex LLC
  Submitted by: Boris N. Lytochkin
  MFC after: 1 month
  Relnotes: yes
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=345264
* Modify struct nat64_config.
  Andrey V. Elsukov | 2019-03-18 | 1 file | -11/+17 lines

  Add a second IPv6 prefix to the generic config structure and rename
  other fields to conform to RFC6877. Now it contains two prefixes and
  lengths:

  PLAT is a provider-side translator that translates N:1 global IPv6
  addresses to global IPv4 addresses.

  CLAT is a customer-side translator (XLAT) that algorithmically
  translates 1:1 IPv4 addresses to global IPv6 addresses.

  Use the PLAT prefix in stateless (nat64stl) and stateful (nat64lsn)
  translators. Modify the nat64_extract_ip4() and nat64_embed_ip4()
  functions to accept a prefix length and use plat_plen to specify the
  prefix length.

  Retire the net.inet.ip.fw.nat64_allow_private sysctl variable. Add the
  NAT64_ALLOW_PRIVATE flag and use the "allow_private" config option to
  configure this ability separately for each NAT64 instance.

  Obtained from: Yandex LLC
  MFC after: 1 month
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=345262
* Fix typos and caps for ipfw(8) man page.
  Guangyuan Yang | 2019-03-01 | 1 file | -16/+16 lines

  MFC after: 3 days
  PR: 236030
  Submitted by: olgeni
  Notes: svn path=/head/; revision=344709
* Grammar tweaks in ipfw manual page.
  Tom Rhodes | 2019-02-28 | 1 file | -4/+4 lines

  Notes: svn path=/head/; revision=344665
* Add ability to request listing and deleting only for dynamic states.
  Andrey V. Elsukov | 2018-12-04 | 1 file | -5/+4 lines

  This can be useful when net.inet.ip.fw.dyn_keep_states is enabled, but
  after rules reloading some state must be deleted. Added the new flag
  '-D' for such purpose. Retire the '-e' flag, since there can not be
  expired states in the meaning that this flag historically had.

  Also add a "verbose" mode for listing of dynamic states; it can be
  enabled with the '-v' flag and adds additional information to the
  states list. This can be useful for debugging.

  Obtained from: Yandex LLC
  MFC after: 2 months
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=341472
* Small language fix after r340978.
  Eugene Grosbein | 2018-11-26 | 1 file | -1/+1 lines

  MFC after: 3 days
  Notes: svn path=/head/; revision=340979
* ipfw.8: add new section to EXAMPLES:
  Eugene Grosbein | 2018-11-26 | 1 file | -0/+51 lines

  SELECTIVE MIRRORING

  If your network has a network traffic analyzer connected to your host
  directly via a dedicated interface or remotely via RSPAN vlan, you can
  selectively mirror some ethernet layer2 frames to the analyzer.

  ...

  Notes: svn path=/head/; revision=340978
* Fix a minor typo in ipfw(8) manual page.
  Guangyuan Yang | 2018-11-23 | 1 file | -1/+1 lines

  PR: 230747
  Submitted by: f.toscan@hotmail.it
  MFC after: 1 week
  Notes: svn path=/head/; revision=340792
* Fix incorrect DSCP value range from 0..64 to 0..63.
  Guangyuan Yang | 2018-11-21 | 1 file | -2/+2 lines

  PR: 232786
  Submitted by: Sergey Akhmatov <sergey@akhmatov.ru>
  Reviewed by: AllanJude
  MFC after: 1 week
  Notes: svn path=/head/; revision=340717
* Fix part of the SYNOPSIS documenting LIST OF RULES AND PREPROCESSING that is still referred to as the last section of the SYNOPSIS later but was erroneously situated in the section IN-KERNEL NAT.
  Eugene Grosbein | 2018-11-13 | 1 file | -11/+11 lines

  MFC after: 1 month
  Notes: svn path=/head/; revision=340394
* Add ability to use dynamic external prefix in ipfw_nptv6 module.
  Andrey V. Elsukov | 2018-11-12 | 1 file | -1/+10 lines

  Now an interface name can be specified for an nptv6 instance instead of
  ext_prefix. The module will track if_addr_ext events and when a
  suitable IPv6 address is added to the specified interface, it will be
  configured as the external prefix. When the address disappears the
  instance becomes unusable, i.e. it doesn't match any packets.

  Reviewed by: 0mp (manpages)
  Tested by: Dries Michiels <driesm dot michiels gmail com>
  MFC after: 1 month
  Differential Revision: https://reviews.freebsd.org/D17765
  Notes: svn path=/head/; revision=340360
* ipfw.8: fix small syntax error in an example
  Eugene Grosbein | 2018-11-08 | 1 file | -1/+1 lines

  MFC after: 3 days
  Notes: svn path=/head/; revision=340249
* ipfw(8): clarify layer2 processing abilities
  Eugene Grosbein | 2018-11-04 | 1 file | -0/+21 lines

  Make it clear that the ipfw action set for layer2 frames is a bit limited.

  PR: 59835
  Reviewed by: yuripv
  MFC after: 1 month
  Differential Revision: https://reviews.freebsd.org/D17719
  Notes: svn path=/head/; revision=340110
* Retire IPFIREWALL_NAT64_DIRECT_OUTPUT kernel option. And add ability to switch the output method in run-time.
  Andrey V. Elsukov | 2018-10-21 | 1 file | -3/+43 lines

  Also document some sysctl variables that can be changed for the NAT64
  module.

  NAT64 had the compile time option IPFIREWALL_NAT64_DIRECT_OUTPUT to use
  if_output directly from the nat64 module. By default the netisr-based
  output method is used. Now both methods can be used, but they require
  different handling by rules.

  Obtained from: Yandex LLC
  MFC after: 3 weeks
  Sponsored by: Yandex LLC
  Differential Revision: https://reviews.freebsd.org/D16647
  Notes: svn path=/head/; revision=339542
* Add description, parameters, options, sysctl and examples of using AQMs to ipfw man page.
  Guangyuan Yang | 2018-09-27 | 1 file | -3/+426 lines

  CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet exist in FreeBSD 11 and 10.3.

  Submitted by: ralsaadi@swin.edu.au
  Reviewed by: AllanJude
  Approved by: re (gjb)
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D12507
  Notes: svn path=/head/; revision=338977
* Restore the behaviour changed in r337536, when a bad `ipfw delete` command returns an error.
  Andrey V. Elsukov | 2018-08-10 | 1 file | -3/+8 lines

  Now the -q option only makes it quiet. And when the -f flag is
  specified, the command will ignore errors and continue executing with
  the next batched command.

  MFC after: 2 weeks
  Notes: svn path=/head/; revision=337574
* Add "record-state", "set-limit" and "defer-action" rule options to ipfw.
  Andrey V. Elsukov | 2018-07-09 | 1 file | -8/+101 lines

  "record-state" is similar to "keep-state", but it doesn't produce an
  implicit O_PROBE_STATE opcode in a rule.

  "set-limit" is like "limit", but it has the same feature as
  "record-state": it is a single opcode without an implicit
  O_PROBE_STATE opcode.

  "defer-action" is targeted to be used with dynamic states. When a rule
  with this opcode is matched, the rule's action will not be executed;
  instead a dynamic state will be created. And when this state is matched
  by "check-state", then the rule action will be executed. This allows
  creating more complicated rulesets.

  Submitted by: lev
  MFC after: 1 month
  Differential Revision: https://reviews.freebsd.org/D1776
  Notes: svn path=/head/; revision=336132
* Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8), sockstat(1), ugidfw(8)
  Jamie Gritton | 2018-07-03 | 1 file | -4/+4 lines

  These are the last of the jail-aware userland utilities that didn't work
  with names.

  PR: 229266
  MFC after: 3 days
  Differential Revision: D16047
  Notes: svn path=/head/; revision=335921
* Remove extra "ipfw" from example.
  Andrey V. Elsukov | 2018-06-28 | 1 file | -4/+4 lines

  MFC after: 1 week
  Notes: svn path=/head/; revision=335759
* Update NAT64 documentation, now we support any IPv6 prefixes.
  Andrey V. Elsukov | 2018-05-09 | 1 file | -9/+11 lines

  MFC after: 1 month
  Notes: svn path=/head/; revision=333406
* Fix typo.
  Oleg Bulyzhin | 2018-04-11 | 1 file | -1/+1 lines

  MFC after: 1 week
  Notes: svn path=/head/; revision=332403
* Remove note that `fwd tablearg` is supported only by IPv4. IPv6 is supported too.
  Andrey V. Elsukov | 2018-03-19 | 1 file | -2/+2 lines

  MFC after: 1 week
  Notes: svn path=/head/; revision=331203
* Do not try to reassemble IPv6 fragments in "reass" rule.
  Andrey V. Elsukov | 2018-03-12 | 1 file | -2/+2 lines

  ip_reass() expects an IPv4 packet and will just corrupt any IPv6
  packets that it gets. Until a proper IPv6 fragment handling function is
  implemented, pass IPv6 packets to the next rule.

  PR: 170604
  MFC after: 1 week
  Notes: svn path=/head/; revision=330792
* DSCP values passed to setdscp need to be lowercase.
  Nick Hibma | 2018-02-13 | 1 file | -22/+22 lines

  See the definition of f_ipdscp values. They are compared against using
  bcmp, which is case sensitive.

  MFC after: 1 week
  Notes: svn path=/head/; revision=329197
* Fix a few more speelling errors
  Eitan Adler | 2017-12-28 | 1 file | -1/+1 lines

  Reviewed by: bjk
  Reviewed by: jilles (incl formal "accept")
  Differential Revision: https://reviews.freebsd.org/D13650
  Notes: svn path=/head/; revision=327259
* Add to ipfw support for sending an SCTP packet containing an ABORT chunk.
  Michael Tuexen | 2017-11-26 | 1 file | -1/+9 lines

  This is similar to the TCP case, where a TCP RST segment can be sent.

  There is one limitation: When sending an ABORT in response to an
  incoming packet, it should be tested if there is no ABORT chunk in the
  received packet. Currently, it is only checked if the first chunk is an
  ABORT chunk to avoid parsing the whole packet, which could result in a
  DOS attack.

  Thanks to Timo Voelker for helping me to test this patch.

  Reviewed by: bcr@ (man page part), ae@ (generic, non-SCTP part)
  Differential Revision: https://reviews.freebsd.org/D13239
  Notes: svn path=/head/; revision=326233
* Fix a bug which avoided that rules for matching port numbers for SCTP packets were actually matched.
  Michael Tuexen | 2017-10-02 | 1 file | -3/+3 lines

  While there, make clear in the man-page that SCTP port numbers are
  supported in rules.

  MFC after: 1 month
  Notes: svn path=/head/; revision=324216
* ipfw: Note that bandwidth can take G suffix in the manpage
  Emmanuel Vadot | 2017-06-23 | 1 file | -1/+1 lines

  Reported by: Jose Luis Duran (github)
  Notes: svn path=/head/; revision=320276
* ipfw.8: Note that the ipfw_nat kernel module must be loaded or that the IPFIREWALL_NAT options must be in the kernel config in order to use in-kernel nat.
  Emmanuel Vadot | 2017-06-01 | 1 file | -0/+5 lines

  MFC after: 3 days
  Notes: svn path=/head/; revision=319406
* Add `ipfw table all destroy` support.
  Andrey V. Elsukov | 2017-05-02 | 1 file | -1/+3 lines

  PR: 212669
  MFC after: 1 week
  Notes: svn path=/head/; revision=317682
* Add ipfw_pmod kernel module.
  Andrey V. Elsukov | 2017-04-03 | 1 file | -1/+15 lines

  The module is designed for modification of packets of any protocols.
  For now it implements only TCP MSS modification. It adds the external
  action handler for the "tcp-setmss" action. A rule with the tcp-setmss
  action does an additional check for protocol and TCP flags. If the SYN
  flag is present, it parses TCP options and modifies the MSS option if
  its value is greater than the value configured in the rule. Then it
  adjusts the TCP checksum if needed. After handling, the search
  continues with the next rule.

  Obtained from: Yandex LLC
  MFC after: 2 weeks
  Relnotes: yes
  Sponsored by: Yandex LLC
  No objection from: #network
  Differential Revision: https://reviews.freebsd.org/D10150
  Notes: svn path=/head/; revision=316435
* Change the syntax of ipfw's named states.
  Andrey V. Elsukov | 2017-03-15 | 1 file | -15/+15 lines

  Since the state name is an optional argument, it often can conflict
  with other options. To avoid ambiguity, now the state name must be
  prefixed with a colon.

  Obtained from: Yandex LLC
  MFC after: 2 weeks
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=315305
* Add support for non-contiguous IPv6 masks in ipfw(8) rules.
  Andrey V. Elsukov | 2016-10-18 | 1 file | -1/+19 lines

  For example fe::640:0:0/ffff::ffff:ffff:0:0 will match addresses
  fe:*:*:*:0:640:*:*

  Submitted by: Eugene Mamchits <mamchits at yandex-team dot ru>
  Obtained from: Yandex LLC
  MFC after: 2 weeks
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=307570
* Remove the kernel option for IPSEC_FILTERTUNNEL, which was deprecated more than 7 years ago in favour of a sysctl in r192648.
  Bjoern A. Zeeb | 2016-08-21 | 1 file | -3/+2 lines

  Notes: svn path=/head/; revision=304572
* Add `stats reset` command implementation to NPTv6 module to be able to reset statistics counters.
  Andrey V. Elsukov | 2016-08-13 | 1 file | -1/+1 lines

  Obtained from: Yandex LLC
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=304049
* Add ipfw_nat64 module that implements stateless and stateful NAT64.
  Andrey V. Elsukov | 2016-08-13 | 1 file | -2/+223 lines

  The module works together with ipfw(4) and is implemented as its
  external action module.

  Stateless NAT64 registers an external action with the name nat64stl.
  This keyword should be used to create a NAT64 instance and to address
  this instance in rules. Stateless NAT64 uses two lookup tables with
  mapped IPv4->IPv6 and IPv6->IPv4 addresses to perform translation.
  A configuration of an instance should look like this:

  1. Create lookup tables:
     # ipfw table T46 create type addr valtype ipv6
     # ipfw table T64 create type addr valtype ipv4
  2. Fill T46 and T64 tables.
  3. Add rule to allow neighbor solicitation and advertisement:
     # ipfw add allow icmp6 from any to any icmp6types 135,136
  4. Create NAT64 instance:
     # ipfw nat64stl NAT create table4 T46 table6 T64
  5. Add rules that match the traffic:
     # ipfw add nat64stl NAT ip from any to table(T46)
     # ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
  6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via
     NAT64 host.

  Stateful NAT64 registers an external action with the name nat64lsn.
  The only option required to create a nat64lsn instance is prefix4.
  It defines the pool of IPv4 addresses used for translation.
  A configuration of an instance should look like this:

  1. Add rule to allow neighbor solicitation and advertisement:
     # ipfw add allow icmp6 from any to any icmp6types 135,136
  2. Create NAT64 instance:
     # ipfw nat64lsn NAT create prefix4 A.B.C.D/28
  3. Add rules that match the traffic:
     # ipfw add nat64lsn NAT ip from any to A.B.C.D/28
     # ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
  4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96 via
     NAT64 host.

  Obtained from: Yandex LLC
  Relnotes: yes
  Sponsored by: Yandex LLC
  Differential Revision: https://reviews.freebsd.org/D6434
  Notes: svn path=/head/; revision=304046
* Add named dynamic states support to ipfw(4).
  Andrey V. Elsukov | 2016-07-19 | 1 file | -11/+35 lines

  The keep-state, limit and check-state opcodes now have an additional
  argument, flowname. This flowname will be assigned to a dynamic rule by
  the keep-state or limit opcode, and then can be matched by the
  check-state opcode or the O_PROBE_STATE internal opcode.

  To reduce possible breakage and to maximize compatibility with old
  rulesets, a default flowname is introduced. It will be assigned to the
  rules when the user has omitted the state name in keep-state and
  check-state opcodes. Also, if the name is ambiguous (can be evaluated as
  a rule opcode) it will be replaced with the default.

  Reviewed by: julian
  Obtained from: Yandex LLC
  MFC after: 1 month
  Relnotes: yes
  Sponsored by: Yandex LLC
  Differential Revision: https://reviews.freebsd.org/D6674
  Notes: svn path=/head/; revision=303018
* Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6 as defined in RFC 6296.
  Andrey V. Elsukov | 2016-07-18 | 1 file | -1/+60 lines

  The module works together with ipfw(4) and is implemented as its
  external action module. When it is loaded, it registers as an eaction
  and can be used in rules. The usage pattern is similar to ipfw_nat(4).
  All traffic matched by the rule goes to the NPT module.

  Reviewed by: hrs
  Obtained from: Yandex LLC
  MFC after: 1 month
  Relnotes: yes
  Sponsored by: Yandex LLC
  Differential Revision: https://reviews.freebsd.org/D6420
  Notes: svn path=/head/; revision=303012
* Belatedly bump .Dd date for Dummynet AQM import in r300779.
  Don Lewis | 2016-06-02 | 1 file | -1/+1 lines

  Notes: svn path=/head/; revision=301180