mirror of
https://git.FreeBSD.org/src.git
synced 2024-11-29 08:08:37 +00:00
ipf: Fix some typos
Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
This commit is contained in:
parent
7bd6cbbf69
commit
c1f6704bf8
@ -31,7 +31,7 @@ address patterns or "all" to match any address information
|
||||
.SS Long lines
|
||||
.PP
|
||||
For rules lines that are particularly long, it is possible to split
|
||||
them over multiple lines implicity like this:
|
||||
them over multiple lines implicitly like this:
|
||||
.PP
|
||||
.nf
|
||||
pass in on bgeo proto tcp from 1.1.1.1 port > 1000
|
||||
@ -536,7 +536,7 @@ URG - this bit is set to indicate that the packet contains urgent data
|
||||
.HP
|
||||
R
|
||||
RST - this bit is set only in packets that are a reply to another
|
||||
that has been received but is not targetted at any open port
|
||||
that has been received but is not targeted at any open port
|
||||
.HP
|
||||
C
|
||||
CWN
|
||||
@ -686,7 +686,7 @@ Once a TCP connection has reached the established state, the default
|
||||
timeout allows for it to be idle for 5 days before it is removed from
|
||||
the state table. The timeouts for the other TCP connection states
|
||||
vary from 240 seconds to 30 seconds.
|
||||
Both UDP and ICMP state entries have asymetric timeouts where the timeout
|
||||
Both UDP and ICMP state entries have asymmetric timeouts where the timeout
|
||||
set upon seeing packets in the forward direction is much larger than
|
||||
for the reverse direction. For UDP the default timeouts are 120 and
|
||||
12 seconds, for ICMP 60 and 6 seconds. This is a reflection of the
|
||||
@ -890,8 +890,8 @@ construction of filter rules easier, it is possible to place them in groups.
|
||||
A rule can be both a member of a group and the head of a new group.
|
||||
.PP
|
||||
Using filter groups requires at least two rules: one to be in the group
|
||||
one one to send matchign packets to the group. If a packet matches a
|
||||
filtre rule that is a group head but does not match any of the rules
|
||||
one one to send matching packets to the group. If a packet matches a
|
||||
filter rule that is a group head but does not match any of the rules
|
||||
in that group, then the packet is considered to have matched the head
|
||||
rule.
|
||||
.PP
|
||||
@ -1037,7 +1037,7 @@ pass in on bge0 to bge1:1.1.1.1 reply-to hme1:2.1.1.2 \\
|
||||
.PP
|
||||
The design for IPv4 allows for the header to be upto 64 bytes long,
|
||||
however most traffic only uses the basic header which is 20 bytes long.
|
||||
The other 44 bytes can be uesd to store IP options. These options are
|
||||
The other 44 bytes can be used to store IP options. These options are
|
||||
generally not necessary for proper interaction and function on the
|
||||
Internet today. For most people it is sufficient to block and drop
|
||||
all packets that have any options set. This can be achieved with this
|
||||
@ -1090,7 +1090,7 @@ some of the nodes the packet must go through, with the ssrr option,
|
||||
every next hop router must be specified.
|
||||
.PP
|
||||
The complete list of IPv4 options that can be matched on is:
|
||||
addext (Address Extention),
|
||||
addext (Address Extension),
|
||||
cipso (Classical IP Security Option),
|
||||
dps (Dynamic Packet State),
|
||||
e-sec (Extended Security),
|
||||
@ -1357,7 +1357,7 @@ A list of the currently available variables inside IPFilter that may
|
||||
be tuned from ipf.conf are as follows:
|
||||
.HP
|
||||
active
|
||||
set through -s command line switch of ipf(8). See ipf(8) for detals.
|
||||
set through -s command line switch of ipf(8). See ipf(8) for details.
|
||||
.HP
|
||||
chksrc
|
||||
when set, enables reverse path verification on source addresses and
|
||||
@ -1430,7 +1430,7 @@ sets the size of the in-kernel log buffer in bytes.
|
||||
log_suppress
|
||||
when set, IPFilter will check to see if the packet it is logging is
|
||||
similar to the one it previously logged and if so, increases
|
||||
the occurance count for that packet. The previously logged packet
|
||||
the occurrence count for that packet. The previously logged packet
|
||||
must not have yet been read by ipmon(8).
|
||||
.HP
|
||||
min_ttl
|
||||
@ -1467,8 +1467,8 @@ when the fill percentage of the NAT table exceeds this mark, more
|
||||
aggressive flushing is enabled.
|
||||
.HP
|
||||
nat_table_wm_low
|
||||
this sets the percentage at which the NAT table's agressive flushing
|
||||
will turn itself off at.
|
||||
this sets the percentage at which the NAT table's aggressive flushing
|
||||
will turn itself off.
|
||||
.HP
|
||||
rdr_rules_size
|
||||
size of the hash table to store rdr rules.
|
||||
@ -1492,7 +1492,7 @@ state_size
|
||||
size of the hash table used for stateful filtering
|
||||
.HP
|
||||
state_wm_freq
|
||||
this controls how often the agressive flushing should be run once the
|
||||
this controls how often the aggressive flushing should be run once the
|
||||
state table exceeds state_wm_high in percentage full.
|
||||
.HP
|
||||
state_wm_high
|
||||
@ -1500,7 +1500,7 @@ when the fill percentage of the state table exceeds this mark, more
|
||||
aggressive flushing is enabled.
|
||||
.HP
|
||||
state_wm_low
|
||||
this sets the percentage at which the state table's agressive flushing
|
||||
this sets the percentage at which the state table's aggressive flushing
|
||||
will turn itself off at.
|
||||
.HP
|
||||
tcp_close_wait
|
||||
|
@ -123,7 +123,7 @@ file
|
||||
syslog
|
||||
.PP
|
||||
ipsend(1)
|
||||
generates arbitary IP packets for ethernet connected machines.
|
||||
generates arbitrary IP packets for ethernet connected machines.
|
||||
.PP
|
||||
ipresend(1)
|
||||
reads in a data file of saved IP packets (ie
|
||||
|
@ -323,7 +323,7 @@ int main(int argc, char *argv[])
|
||||
case 'm' :
|
||||
filter = parseipfexpr(optarg, NULL);
|
||||
if (filter == NULL) {
|
||||
fprintf(stderr, "Error parseing '%s'\n",
|
||||
fprintf(stderr, "Error parsing '%s'\n",
|
||||
optarg);
|
||||
exit(1);
|
||||
}
|
||||
|
@ -149,7 +149,7 @@ For TCP connections exiting a connection such as PPPoE where the MTU is
|
||||
slightly smaller than normal ethernet, it can be useful to reduce the
|
||||
Maximum Segment Size (MSS) offered by the internal machines to match,
|
||||
reducing the liklihood that the either end will attempt to send packets
|
||||
that are too big and result in fragmentation. This is acheived using the
|
||||
that are too big and result in fragmentation. This is achieved using the
|
||||
.B mssclamp
|
||||
option with TCP
|
||||
.B map
|
||||
@ -220,7 +220,7 @@ that requires the destination port number to be 21 if this rule is to be
|
||||
activated. The word "ftp" is the proxy identifier that the kernel will
|
||||
try and resolve internally, "tcp" the protocol that packets must match.
|
||||
.PP
|
||||
See below for a list of proxies and their relative staus.
|
||||
See below for a list of proxies and their relative status.
|
||||
.PP
|
||||
To associate NAT rules with filtering rules, it is possible to set and
|
||||
match tags during either inbound or outbound processing. At present the
|
||||
@ -355,7 +355,7 @@ rdr le0 from 1.1.0.0/16 to any -> 192.168.1.3
|
||||
rdr le0 ! from 1.1.0.0/16 to any -> 192.168.1.4
|
||||
.fi
|
||||
.PP
|
||||
If there is a consective set of addresses you wish to spread the packets
|
||||
If there is a consecutive set of addresses you wish to spread the packets
|
||||
over, then this can be done in one of two ways, the word "range" optional
|
||||
to preserve:
|
||||
.nf
|
||||
@ -382,9 +382,9 @@ rdr le0 0/0 -> 192.168.1.5,192.168.1.7 round-robin
|
||||
rdr le0 0/0 -> 192.168.1.9 round-robin
|
||||
.fi
|
||||
.PP
|
||||
If there are a large number of redirect rules and hosts being targetted
|
||||
If there are a large number of redirect rules and hosts being targeted
|
||||
then it may be desirable to have all those from a single source address
|
||||
be targetted at the same destination address. To achieve this, the
|
||||
be targeted at the same destination address. To achieve this, the
|
||||
word
|
||||
.B sticky
|
||||
is appended to the rule like this:
|
||||
@ -399,9 +399,9 @@ The
|
||||
.B sticky
|
||||
feature can only be combined with
|
||||
.B round-robin
|
||||
and the use of comma.
|
||||
and the use of a comma.
|
||||
.PP
|
||||
For TCP and UDP packets, it is possible to both match on the destiantion
|
||||
For TCP and UDP packets, it is possible to both match on the destination
|
||||
port number and to modify it. For example, to change the destination port
|
||||
from 80 to 3128, we would use a rule like this:
|
||||
.nf
|
||||
@ -572,7 +572,7 @@ On the LHS is a normal set of matching capabilities but on the RHS it is
|
||||
a requirement to specify both the source and destination addresses and
|
||||
ports.
|
||||
.PP
|
||||
As this feature is intended to be used with targetting packets at sockets
|
||||
As this feature is intended to be used with targeting packets at sockets
|
||||
and not IPFilter running on other systems, there is no rule provided to
|
||||
\fIundivert\fR packets.
|
||||
.TP
|
||||
|
@ -20,7 +20,7 @@ match-char ::= "*" | "?" | "."
|
||||
.fi
|
||||
.PP
|
||||
In this example an ip-address is a dotted-quad IPv4 address and a port-number
|
||||
is a number betwee 1 and 65535, inclusive. The match string is must be of
|
||||
is a number between 1 and 65535, inclusive. The match string is must be of
|
||||
same length as the literal string that it is matching (literal). The length
|
||||
of either string is limited to 16 bytes.
|
||||
.PP
|
||||
|
@ -144,7 +144,7 @@ static ipf_error_entry_t ipf_errors[IPF_NUM_ERRORS] = {
|
||||
{ 116, "error copying in match array" },
|
||||
{ 117, "match array type is not IPFOBJ_IPFEXPR" },
|
||||
{ 118, "bad size for match array" },
|
||||
{ 119, "cannot allocate memory for match aray" },
|
||||
{ 119, "cannot allocate memory for match array" },
|
||||
{ 120, "error copying in match array" },
|
||||
{ 121, "error verifying contents of match array" },
|
||||
{ 122, "need write permissions to set ipf lock status" },
|
||||
|
@ -75,7 +75,7 @@ parseipfexpr(char *line, char **errorptr)
|
||||
for (ops = strtok(temp, ";"); ops != NULL; ops = strtok(NULL, ";")) {
|
||||
arg = strchr(ops, '=');
|
||||
if ((arg < ops + 2) || (arg == NULL)) {
|
||||
error = "bad 'arg' vlaue";
|
||||
error = "bad 'arg' value";
|
||||
goto parseerror;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user