path: root/sbin/ipfw

Commit log (each entry: commit message, author, date; files changed, lines removed/added):
* ipfw: make 'ipfw show' output compatible with 'ipfw add' command (Andrey V. Elsukov, 2025-02-21; 1 file, -0/+7)
  If a rule was added in compact form and the rule body is empty, print the 'proto ip' opcode to be compatible with the ipfw(8) syntax parser.
  Before:
  $ ipfw add allow proto ip
  000700 allow
  After:
  $ ipfw add allow proto ip
  000700 allow proto ip
  (cherry picked from commit 706a03f61bbb6e0cf10e6c3727966495b30d763e)
* ipfw.8: Adjust section for loader tunables (Zhenlei Huang, 2023-10-02; 1 file, -11/+11)
  Move the descriptions of loader tunables from section 'SYSCTL VARIABLES' to section 'LOADER TUNABLES'.
  See also 49197c391b3d (ipfw: Add sysctl flag CTLFLAG_TUN to loader tunables).
  MFC after: 2 days
  Differential Revision: https://reviews.freebsd.org/D41981
  (cherry picked from commit 12349f38898f231ca803dcf526bac88cb1b5cd2b)
* Remove $FreeBSD$: two-line nroff pattern (Warner Losh, 2023-08-16; 1 file, -2/+0)
  Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/
* Remove $FreeBSD$: one-line sh pattern (Warner Losh, 2023-08-16; 2 files, -2/+0)
  Remove /^\s*#[#!]?\s*\$FreeBSD\$.*$\n/
* Remove $FreeBSD$: one-line .c pattern (Warner Losh, 2023-08-16; 4 files, -8/+0)
  Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
* Remove $FreeBSD$: two-line .h pattern (Warner Losh, 2023-08-16; 8 files, -16/+0)
  Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
* ipfw: Remove set but unused variables. (John Baldwin, 2023-06-27; 6 files, -14/+7)
  Reported by: GCC
  Differential Revision: https://reviews.freebsd.org/D40654
* ipfw: add state/comment tests (Alexander V. Chernikov, 2023-06-16; 1 file, -2/+61)
* ipfw: use function return value to fetch insn argument. (Alexander V. Chernikov, 2023-06-15; 3 files, -22/+17)
  This is a prerequisite for splitting compile_rule() into smaller chunks.
  MFC after: 2 weeks
* ipfw: add eaction tests (Alexander V. Chernikov, 2023-06-15; 1 file, -0/+33)
  MFC after: 2 weeks
* ipfw: simplify action case parser (Alexander V. Chernikov, 2023-06-13; 1 file, -32/+74)
  Remove "goto charg" from the action parser. This is a prerequisite for the further split of the gigantic compile_rule().
  Differential Revision: https://reviews.freebsd.org/D40490
  MFC after: 2 weeks
* ipfw(8): add ioctl/instruction generation tests (Alexander V. Chernikov, 2023-06-13; 5 files, -5/+454)
  Differential Revision: https://reviews.freebsd.org/D40488
  MFC after: 2 weeks
* ipfw/ipfw2: Fix typos (Elyes Haouas, 2023-06-02; 1 file, -1/+1)
  Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
  Reviewed by: imp
  Pull Request: https://github.com/freebsd/freebsd-src/pull/653
* spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD (Warner Losh, 2023-05-12; 3 files, -3/+3)
  The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.
  Discussed with: pfg
  MFC After: 3 days
  Sponsored by: Netflix
* ipfw: add [fw]mark implementation for ipfw (Boris Lytochkin, 2023-04-25; 4 files, -37/+156)
  Packet Mark is an analogue to ipfw tags with O(1) lookup from mbuf, while regular tags require a single-linked list traversal. Mark is a 32-bit number that can be looked up in a table [with 'number' table-type], matched or compared with a number, with an optional mask applied before comparison.
  Having a generic nature, Mark can be used for a variety of needs. For example, it could be used as a security group: the mark will hold a security group id and represent a group of packet flows that share the same access control policy.
  Reviewed By: pauamma_gundo.com
  Differential Revision: https://reviews.freebsd.org/D39555
  MFC after: 1 month
* ipfw.8: improve description for interface matching (Eugene Grosbein, 2023-04-25; 1 file, -4/+22)
  The manual describes the "if*" form only, while the kernel uses fnmatch(3) and allows use of more versatile shell-like patterns. Note that explicitly and provide an example.
  MFC after: 3 days
* Update/fix Makefile.depend for userland (Simon J. Gerraty, 2023-04-19; 1 file, -1/+1)
* ipfw.8: there never was a "skip-action" action (Ceri Davies, 2023-01-25; 1 file, -2/+2)
  It was renamed during review of D1776 but this entry slipped through.
  PR: 243284
  Reported by: pprocacci@gmail.com
  Obtained from: Chad Jacob Milios <milios@ccsys.com>
* ipfw: Add missing 'va' code point name (Jose Luis Duran, 2023-01-13; 2 files, -1/+4)
  Per RFC 5865, add the 'va' (VOICE-ADMIT, 101100) symbolic name.
  Reviewed By: melifaro, pauamma
  Differential Revision: https://reviews.freebsd.org/D37508
  MFC after: 2 weeks
* ipfw: Fix ipfw/dnctl detection (Goran Mekic, 2022-11-22; 1 file, -1/+2)
  Running "dnctl" vs "/sbin/dnctl" gave different results, because we looked at the entire argv[0] string, rather than the basename.
  Reviewed by: kp
  Differential Revision: https://reviews.freebsd.org/D37431
* ipfw: make it possible to specify MTU for "unreach needfrag" action (Gleb Smirnoff, 2022-08-17; 2 files, -2/+23)
  Reviewed by: ae, pauamma
  Differential revision: https://reviews.freebsd.org/D36140
* ipfw: add support for radix tables and table lookup for MAC addresses (Arseny Smalyuk, 2022-06-04; 4 files, -39/+162)
  By analogy with IP address matching, add a way to use ipfw radix tables for MAC matching. This is implemented using a new ipfw table with mac:radix type. Also there are src-mac and dst-mac lookup commands added.
  Usage example:
  ipfw table 1 create type mac
  ipfw table 1 add 11:22:33:44:55:66/48
  ipfw add skipto tablearg src-mac 'table(1)'
  ipfw add deny src-mac 'table(1, 100)'
  ipfw add deny lookup dst-mac 1
  Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw filtering on L2.
  Reviewed by: melifaro
  Obtained from: Yandex LLC
  MFC after: 1 month
  Relnotes: yes
  Sponsored by: Yandex LLC
  Differential Revision: https://reviews.freebsd.org/D35103
* ipfw.8: spell "layer2" consistently throughout the manual page (Eugene Grosbein, 2022-05-13; 1 file, -3/+3)
  MFC after: 1 week
* dnctl: Support reading config from file like ipfw(8) (Kristof Provost, 2022-01-03; 1 file, -51/+64)
  Extend the dnctl (dummynet config) tool to be able to read commands from a file, just like ipfw already does.
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D33627
* ipfw: Introduce dnctl (Kristof Provost, 2021-09-08; 5 files, -116/+189)
  Introduce a link to the ipfw command, dnctl, for dummynet configuration. dnctl only handles dummynet configuration, and is part of the effort to support dummynet in pf.
  /sbin/ipfw continues to accept pipe, queue and sched commands, but these can now also be issued via the new dnctl command.
  Reviewed by: donner
  MFC after: 2 weeks
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D30465
* ipfw: use unsigned int for dummynet bandwidth (Luiz Otavio O Souza, 2021-08-19; 1 file, -6/+7)
  This allows the maximum value of 4294967295 (~4Gb/s) instead of the previous value of 2147483647 (~2Gb/s).
  Reviewed by: np, scottl
  Obtained from: pfSense
  MFC after: 1 week
  Sponsored by: Rubicon Communications, LLC ("Netgate")
  Differential Revision: https://reviews.freebsd.org/D31582
* ipfw(8): Fix a typo in an error message (Gordon Bergling, 2021-08-11; 1 file, -1/+1)
  - s/suport/support/
  MFC after: 5 days
* ipfw.8: synopsis misses nat show form (Lutz Donnerhacke, 2021-06-04; 1 file, -5/+11)
  Document the existing behavior, which is currently only available by reading third party documentation or the source code itself.
  PR: 254617
  Submitted by: Oliver Kiddle
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D30189
* ipfw.8: Fix table example (Lutz Donnerhacke, 2021-05-11; 1 file, -4/+4)
  Fix some erroneous lines in the example section.
  PR: 248943
  Submitted by: Jose Luis Duran
  MFC after: 2 weeks
  Reviewers: ae, manpages (gbe)
  Differential Revision: https://reviews.freebsd.org/D30191
* sbin/ipfw: Allow tablearg as hostname (Lutz Donnerhacke, 2021-05-11; 1 file, -1/+2)
  Hostnames starting with "tablearg" are considered as a functional argument instead of a literal.
  Reported by: ae
  Reviewers: ae
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D30208
* sbin/ipfw: Fix parsing error in table based forward (Lutz Donnerhacke, 2021-05-08; 1 file, -45/+42)
  The argument parser does not recognise the optional port for a "tablearg" argument. The fix simplifies the code by making the internal representation explicit for the parser.
  PR: 252744
  MFC: 1 week
  Reported by: <bugs.freebsd.org@mx.zzux.com>
  Approved by: nc
  Tested by: <bugs.freebsd.org@mx.zzux.com>
  Differential Revision: https://reviews.freebsd.org/D30164
* sbin/ipfw: Fix null pointer dereference when printing counters (Lutz Donnerhacke, 2021-05-02; 1 file, -23/+26)
  ipfw -[tT] prints statistics of the last access. If the rule was never used, the counter might not exist. This happens unconditionally on inserting a new rule. Avoid printing statistics in this case.
  PR: 255491
  Reported by: Haisheng Zhouz
  Reviewed by: ae
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D30046
* ipfw: update man page example for nat show log (Roman Bogorodskiy, 2021-04-07; 1 file, -3/+3)
  In d6164b77f8b779cd7357387dcfcd3407f1457579 the ability to show ranges of nat log entries was removed.
  PR: 254192
  Reviewed by: allanjude
* ipfw: make algo name argument optional for some table types (Andrey V. Elsukov, 2021-02-25; 1 file, -2/+18)
  Most of the table types currently supported by ipfw have only one algorithm implementation. When a user creates such tables, allow omitting the algo name in the arguments. E.g. now it is possible:
  ipfw table T1 create type number
  ipfw table T2 create type iface
  ipfw table T3 create type flow
  PR: 233072
  MFC after: 1 week
  Sponsored by: Yandex LLC
* Allow setting alias port ranges in libalias and ipfw. This will allow a system to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user, subnet) can have their own dedicated port aliasing ranges. (Neel Chauhan, 2021-02-02; 4 files, -1/+47)
  Reviewed by: donner, kp
  Approved by: 0mp (mentor), donner, kp
  Differential Revision: https://reviews.freebsd.org/D23450
* ipfw(8) crashes when ext6hdr option is omitted (Evgeniy Khramtsov, 2021-02-01; 1 file, -0/+1)
  Verify that the option is passed, error out if it's not. The problem can be trivially triggered with `ipfw add allow ext6hdr`.
  PR: 253169
  Reviewed by: kp@
  MFC after: 3 days
  Differential Revision: https://reviews.freebsd.org/D28447
* ipfw(8): Fix a few mandoc related issues (Gordon Bergling, 2020-12-19; 1 file, -48/+50)
  - no blank before trailing delimiter
  - missing section argument: Xr inet_pton
  - skipping paragraph macro: Pp before Ss
  - unusual Xr order: syslogd after sysrc
  - tab in filled text
  There were a few multiline NAT examples which used the .Dl macro with tabs. I converted them to .Bd, which is a more suitable macro for that case.
  MFC after: 1 week
  Notes: svn path=/head/; revision=368804
* ipfw(8): Bugfixes for some issues reported by mandoc (Gordon Bergling, 2020-10-03; 1 file, -48/+61)
  - whitespace at end of input line
  - new sentence, new line
  - skipping paragraph macro: Pp before Pp
  MFC after: 1 week
  Notes: svn path=/head/; revision=366402
* Fix compatibility regression after r364117. (Andrey V. Elsukov, 2020-09-11; 1 file, -9/+16)
  Properly handle the case when some opcode keywords follow after the `frag` opcode without additional options.
  Reported by: Evgeniy Khramtsov <evgeniy at khramtsov org>
  Notes: svn path=/head/; revision=365628
* Change printf format string to include the extra blank (Stefan Eßer, 2020-09-01; 1 file, -1/+1)
  This is a follow up change to r364321 after a discussion about the style. All nearby places use extra blanks in format strings, and while use of the format string to provide the extra blank may need more cycles than adding 1 to twidth, it generates shorter code and is clearer in the opinion of some reviewers of the previous change.
  Not objected to by: emaste
  MFC after: 3 days
  Notes: svn path=/head/; revision=365030
* ipfw(8): Fix typo in man page (Fernando Apesteguía, 2020-08-21; 1 file, -2/+2)
  s/exmaple/example
  Approved by: manpages (gbe@)
  Differential Revision: https://reviews.freebsd.org/D26147
  Notes: svn path=/head/; revision=364459
* ipfw: line up `ipfw -t list` with and without timestamp (Ed Maste, 2020-08-17; 1 file, -1/+1)
  From the PR:
  When I run `ipfw -t list` on release/12 or current, I get misaligned output between lines that do and do not have a last match timestamp, like so:
  00100 Tue Aug 11 03:03:26 2020 allow ip from any to any via lo0
  00200 deny ip from any to 127.0.0.0/8
  (specifically, the "allow" and "deny" strings do not line up)
  PR: 248608
  Submitted by: Taylor Stearns
  MFC after: 3 days
  Notes: svn path=/head/; revision=364321
* ipfw: make the "frag" keyword accept additional options "mf", "df", "rf" and "offset". (Gleb Smirnoff, 2020-08-11; 2 files, -10/+43)
  This allows matching on specific bits of the ip_off field. For compatibility reasons, lack of a keyword means "offset".
  Reviewed by: ae
  Differential Revision: https://reviews.freebsd.org/D26021
  Notes: svn path=/head/; revision=364117
* Fix SIGSEGV in ipfw(8) when NAT64 prefix length is omitted. (Andrey V. Elsukov, 2020-08-05; 2 files, -0/+6)
  Submitted by: Evgeniy Khramtsov <evgeniy at khramtsov org>
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D25734
  Notes: svn path=/head/; revision=363904
* [ipfw] quieten maybe-uninitialized errors in ipfw when compiled under mips-gcc-6.3.0. (Adrian Chadd, 2020-07-14; 4 files, -11/+10)
  This is mostly an exercise to set variables to NULL/0 when declared, but one was ensuring a string variable was set before printing it. We should never see "<unknown>" in a printed rule; if we do then this code definitely has some bugs that need addressing.
  Notes: svn path=/head/; revision=363173
* ipfw(8): Handle unaligned pointers in pr_u64. (Mark Johnston, 2020-07-13; 2 files, -2/+2)
  struct _ipfw_dyn_rule is defined as packed, and as a result, its uint64_t fields are misaligned on some 32-bit platforms. Since pr_u64() is explicitly supposed to handle this case, avoid using a uint64_t * for the input pointer to make sure that the compiler won't (correctly) warn about the misalignment.
  Reported by: jenkins
  MFC with: r363164
  Notes: svn path=/head/; revision=363166
* ipfw(8): Fix most warnings with the default WARNS level. (Mark Johnston, 2020-07-13; 13 files, -282/+308)
  - Add missing const and static qualifiers.
  - Avoid shadowing the global "co" by renaming it to "g_co".
  - Avoid mixing signedness in loop bound checks.
  - Leave -Wcast-align warnings disabled for now.
  Reviewed by: ae, melifaro
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D25456
  Notes: svn path=/head/; revision=363164
* ipfw: Support the literal IPv6 address syntax in the fwd command. (Mark Johnston, 2020-06-25; 1 file, -24/+35)
  Discussed with: rgrimes, Lutz Donnerhacke
  Submitted by: Neel Chauhan <neel AT neelc DOT org>
  MFC after: 2 weeks
  Differential Revision: https://reviews.freebsd.org/D24011
  Notes: svn path=/head/; revision=362619
* ipfw(8): In fill_ip6(), use a single statement for both "me" and "me6". (Mark Johnston, 2020-06-24; 1 file, -7/+2)
  Submitted by: Neel Chauhan <neel AT neelc DOT org>
  Reviewed by: rgrimes, Lutz Donnerhacke
  MFC after: 1 week
  Differential Revision: https://reviews.freebsd.org/D24403
  Notes: svn path=/head/; revision=362582
* Use IP_FW_NAT44_DESTROY opcode for IP_FW3 socket option to destroy NAT instance. (Andrey V. Elsukov, 2020-03-24; 3 files, -7/+30)
  The NAT44 group of opcodes for the IP_FW3 socket option is the modern way to control NAT instances, and this method can be used in future to switch from numeric to named NAT instances, like was done for ipfw tables.
  The IP_FW_NAT_DEL opcode is the last remnant of the old ipfw_ctl control plane that doesn't support versioned operations. This interface will be retired soon.
  Reviewed by: melifaro
  MFC after: 10 days
  Sponsored by: Yandex LLC
  Notes: svn path=/head/; revision=359271