1
0
mirror of https://git.FreeBSD.org/src.git synced 2025-01-11 14:10:34 +00:00
Commit Graph

179 Commits

Author SHA1 Message Date
Alexander V. Chernikov
2d6fcc3912 Remove unused variable. 2013-03-20 10:36:38 +00:00
Alexander V. Chernikov
ae01d73c04 Add ipfw support for setting/matching DiffServ codepoints (DSCP).
Setting DSCP support is done via O_SETDSCP which works for both
IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4.
Dscp can be specified by name (AFXY, CSX, BE, EF), by value
(0..63) or via tablearg.

Matching DSCP is done via another opcode (O_DSCP) which accepts several
classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).

Many people made their variants of this patch, the ones I'm aware of are
(in alphabetic order):

Dmitrii Tejblum
Marcelo Araujo
Roman Bogorodskiy (novel)
Sergey Matveichuk (sem)
Sergey Ryabin

PR:		kern/102471, kern/121122
MFC after:	2 weeks
2013-03-20 10:35:33 +00:00
Alexander V. Chernikov
f71133f64f Do not suddenly fail on some rulesets if -n (syntax check only) is specified
and ipfw(4) module is not loaded.

MFC after:	2 weeks
2013-03-04 19:01:38 +00:00
Alexander V. Chernikov
579ed7bd05 Implement buffer size checking in ipfw(8) add cmd.
PR:		bin/65961
Submitted by:	Eugene Grosbein <eugen@grosbein.pp.ru>
MFC after:	2 weeks
2013-03-03 14:05:03 +00:00
Alexander V. Chernikov
136b1ada11 Fix ipfw table argument parsing/printing.
Fix style.

PR:		kern/175909
Submitted by:	Daniel Hagerty <hag@linnaean.org>
MFC after:	2 weeks
2013-03-02 18:51:26 +00:00
Luigi Rizzo
a4a16855c3 remove the last __unused instance in sbin/ipfw.
This particular function (show_prerequisites() ) we should actually
remove the argument from the callers as well, but i'll do it at a
later time.
2012-07-30 11:02:22 +00:00
Luigi Rizzo
6a7bb02d77 Fix some compile errors at high WARNS, including one
for an uninitialized variable.

unused parameters and variables are annotated with
	(void)foo;	/* UNUSED */
instead of __unused, because this code needs to build
also on linux and windows.
2012-07-30 10:55:23 +00:00
Alexander V. Chernikov
732d27b32d - Permit number of ipfw tables to be changed in runtime.
net.inet.ip.fw.tables_max is now read-write.

- Bump IPFW_TABLES_MAX to 65535
Default number of tables is still 128

- Remove IPFW_TABLES_MAX from ipfw(8) code.

Sponsored by Yandex LLC

Approved by:    kib(mentor)

MFC after:      2 weeks
2012-03-25 20:37:59 +00:00
Alexander V. Chernikov
f8bee51a69 - Add ipfw eXtended tables permitting radix to be used for any kind of keys.
- Add support for IPv6 and interface extended tables
- Make number of tables to be loader tunable in range 0..65534.
- Use IP_FW3 opcode for all new extended table cmds

No ABI changes are introduced. Old userland will see valid tables for
IPv4 tables and no entries otherwise. Flush works for any table.

IP_FW3 socket option is used to encapsulate all new opcodes:
 /* IP_FW3 header/opcodes */
 typedef struct _ip_fw3_opheader {
        uint16_t opcode;        /* Operation opcode */
        uint16_t reserved[3];   /* Align to 64-bit boundary */
 } ip_fw3_opheader;

New opcodes added:
 IP_FW_TABLE_XADD, IP_FW_TABLE_XDEL, IP_FW_TABLE_XGETSIZE, IP_FW_TABLE_XLIST

ipfw(8) table argument parsing behavior is changed:
 'ipfw table 999 add host' now assumes 'host' to be interface name instead of
 hostname.

New tunable:
 net.inet.ip.fw.tables_max controls number of table supported by ipfw in given
 VNET instance. 128 is still the default value.

New syntax:
ipfw add skipto tablearg ip from any to any via table(42) in
ipfw add skipto tablearg ip from any to any via table(4242) out

This is a bit hackish, special interface name '\1' is used to signal interface
table number is passed in p.glob field.

Sponsored by Yandex LLC

Reviewed by:    ae
Approved by:    ae (mentor)

MFC after:      4 weeks
2012-03-12 14:07:57 +00:00
Gleb Smirnoff
23ccd3d976 Make the 'tcpwin' option of ipfw(8) accept ranges and lists.
Submitted by:	sem
2012-02-06 11:35:29 +00:00
Ulrich Spörlein
4b85a12f71 Spelling fixes for sbin/ 2012-01-07 16:09:33 +00:00
Bjoern A. Zeeb
8a006adb24 Add support for IPv6 to ipfw fwd:
Distinguish IPv4 and IPv6 addresses and optional port numbers in
user space to set the option for the correct protocol family.
Add support in the kernel for carrying the new IPv6 destination
address and port.
Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change
the address in the IP header.
Add support for IPv6 forwarding to a non-local destination.
Add a regession test uitilizing VIMAGE to check all 20 possible
combinations I could think of.

Obtained from:	David Dolson at Sandvine Incorporated
		(original version for ipfw fwd IPv6 support)
Sponsored by:	Sandvine Incorporated
PR:		bin/117214
MFC after:	4 weeks
Approved by:	re (kib)
2011-08-20 17:05:11 +00:00
John Baldwin
e89359c21e Fix a regression where a rule containing a source port option after a
destination IP would incorrectly display the source port as a destination
port.

Reviewed by:	luigi
Approved by:	re (kib)
MFC after:	1 week
2011-08-17 14:39:45 +00:00
Andrey V. Elsukov
9527ec6e52 Add new rule actions "call" and "return" to ipfw. They make
possible to organize subroutines with rules.

The "call" action saves the current rule number in the internal
stack and rules processing continues from the first rule with
specified number (similar to skipto action). If later a rule with
"return" action is encountered, the processing returns to the first
rule with number of "call" rule saved in the stack plus one or higher.

Submitted by:	Vadim Goncharov
Discussed by:	ipfw@, luigi@
2011-06-29 10:06:58 +00:00
Ben Laurie
5f301949ef Fix clang warnings.
Approved by:	philip (mentor)
2011-06-18 13:56:33 +00:00
Andrey V. Elsukov
1875bbfe54 Implement "global" mode for ipfw nat. It is similar to natd(8)
"globalport" option for multiple NAT instances.

If ipfw rule contains "global" keyword instead of nat_number, then
for each outgoing packet ipfw_nat looks up translation state in all
configured nat instances. If an entry is found, packet aliased
according to that entry, otherwise packet is passed unchanged.

User can specify "skip_global" option in NAT configuration to exclude
an instance from the lookup in global mode.

PR:		kern/157867
Submitted by:	Alexander V. Chernikov (previous version)
Tested by:	Eugene Grosbein
2011-06-14 13:35:24 +00:00
Andrey V. Elsukov
41b6083752 Add tablearg support for ipfw setfib.
PR:		kern/156410
MFC after:	2 weeks
2011-05-30 05:37:26 +00:00
Gleb Smirnoff
ffbeadc45a More whitespace fixes.
Checked with:	md5, diff -x -w
2011-04-18 22:09:03 +00:00
Gleb Smirnoff
5221106c04 Whitespace fixes.
Checked with:	md5, diff -w
2011-04-18 21:18:22 +00:00
Luigi Rizzo
ae99fd0e07 The first customer of the SO_USER_COOKIE option:
the "sockarg" ipfw option matches packets associated to
a local socket and with a non-zero so_user_cookie value.
The value is made available as tablearg, so it can be used
as a skipto target or pipe number in ipfw/dummynet rules.

Code by Paul Joe, manpage by me.

Submitted by:	Paul Joe
MFC after:	1 week
2010-11-12 13:05:17 +00:00
Luigi Rizzo
d55ebfbd4e fix 64-bit build
Reported by:	Robert Noland
2010-04-19 16:35:47 +00:00
Luigi Rizzo
37133ba702 Slightly different handling of printf/snprintf for unaligned uint64_t,
which should improve readability, and also to ease the port to
platforms that do not support %llu

MFC after:	3 days
2010-04-19 15:11:45 +00:00
Hajimu UMEMOTO
c323a5fa93 Set net.inet6.ip6.fw.enable as well. 2010-04-06 12:28:08 +00:00
Luigi Rizzo
c72c2330d0 fix another bug in "ipfw set N ..."
Submitted by:	Marcin Wisnicki
2010-03-24 23:06:16 +00:00
Luigi Rizzo
f68f58e5eb print correctly commands of the form
ipfw add 100 allow ip from { 1.2.3.4 or 5.6.7.8 }

(note that the above example could be better written as

	ipfw add 100 allow dst-ip 1.2.3.4,5.6.7.8

Submitted by:	Riccardo Panicucci
2010-03-15 18:20:51 +00:00
Luigi Rizzo
72662a7566 Implement "lookup dscp N" which does a lookup of the DSCP (top 6 bits
of ip->ip_tos) in a table. This can be useful to direct traffic to
different pipes/queues according to the DSCP of the packet, as follows:

    ipfw add 100 queue tablearg lookup dscp 3 // table 3 maps dscp->queue

This change is a no-op (but harmless) until the two-line kernel
side is committed, which will happen shortly.
2010-03-15 15:43:35 +00:00
Luigi Rizzo
c751221af4 fix handling of sets 2010-03-04 16:55:32 +00:00
Luigi Rizzo
cc4d3c30ea Bring in the most recent version of ipfw and dummynet, developed
and tested over the past two months in the ipfw3-head branch.  This
also happens to be the same code available in the Linux and Windows
ports of ipfw and dummynet.

The major enhancement is a completely restructured version of
dummynet, with support for different packet scheduling algorithms
(loadable at runtime), faster queue/pipe lookup, and a much cleaner
internal architecture and kernel/userland ABI which simplifies
future extensions.

In addition to the existing schedulers (FIFO and WF2Q+), we include
a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new,
very fast version of WF2Q+ called QFQ.

Some test code is also present (in sys/netinet/ipfw/test) that
lets you build and test schedulers in userland.

Also, we have added a compatibility layer that understands requests
from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries,
and replies correctly (at least, it does its best; sometimes you
just cannot tell who sent the request and how to answer).
The compatibility layer should make it possible to MFC this code in a
relatively short time.

Some minor glitches (e.g. handling of ipfw set enable/disable,
and a workaround for a bug in RELENG_7's /sbin/ipfw) will be
fixed with separate commits.

CREDITS:
This work has been partly supported by the ONELAB2 project, and
mostly developed by Riccardo Panicucci and myself.
The code for the qfq scheduler is mostly from Fabio Checconi,
and Marta Carbone and Francesco Magno have helped with testing,
debugging and some bug fixes.
2010-03-02 17:40:48 +00:00
Luigi Rizzo
472099c4b0 implement a new match option,
lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N

which searches the specified field in table N and sets tablearg
accordingly.
With dst-ip or src-ip the option replicates two existing options.
When used with other arguments, the option can be useful to
quickly dispatch traffic based on other fields.

Work supported by the Onelab project.

MFC after:	1 week
2009-12-15 09:46:27 +00:00
Luigi Rizzo
6e47ca1bc5 restore setting of sin_len (was removed in 1.146 last february) as
it seems that now it is necessary for 'forward' to work outside lo0.
The bug (and fix) was reported on 8.0. This patch probably applies
to RELENG_7 as well.
It seems that 'pf' has a similar bug.

Submitted by:	Lytochkin Boris
MFC after:	3 days
2009-12-06 18:04:26 +00:00
Luigi Rizzo
91dbeea7b6 add a missing format in a printf
Detected building with gcc 4.3.3

MFC after:	3 days
2009-06-08 10:53:18 +00:00
Luigi Rizzo
b87ce5545b Several ipfw options and actions use a 16-bit argument to indicate
pipes, queues, tags, rule numbers and so on.
These are all different namespaces, and the only thing they have in
common is the fact they use a 16-bit slot to represent the argument.

There is some confusion in the code, mostly for historical reasons,
on how the values 0 and 65535 should be used. At the moment, 0 is
forbidden almost everywhere, while 65535 is used to represent a
'tablearg' argument, i.e. the result of the most recent table() lookup.

For now, try to use explicit constants for the min and max allowed
values, and do not overload the default rule number for that.

Also, make the MTAG_IPFW declaration only visible to the kernel.

NOTE: I think the issue needs to be revisited before 8.0 is out:
the 2^16 namespace limit for rule numbers and pipe/queue is
annoying, and we can easily bump the limit to 2^32 which gives
a lot more flexibility in partitioning the namespace.

MFC after:	5 days
2009-06-05 16:16:07 +00:00
Paolo Pisati
eb2e411915 Implement an ipfw action to reassemble ip packets: reass. 2009-04-01 20:23:47 +00:00
Luigi Rizzo
a52e28c7dd Explain that we assume AF_INET and only use the addr and port field
from a struct sockaddr_in, so there is no need to initialize sin_len
2009-02-02 11:02:19 +00:00
Luigi Rizzo
23c608c8f6 put the altq-related functions into a separate file.
Minor cleanup of the includes used by the various source files,
including annotations of why certain headers are used.
2009-02-01 16:00:49 +00:00
Luigi Rizzo
50a99912c1 fix printing of uint64_t values, so we can use WARNS=2 2009-01-27 20:26:45 +00:00
Luigi Rizzo
ead75a59f1 Put nat and ipv6 support in their own files.
Usual moving of code with no changes from ipfw2.c to the
newly created files, and addition of prototypes to ipfw2.h

I have added forward declarations for ipfw_insn_* in ipfw2.h
to avoid a global dependency on ip_fw.h
2009-01-27 12:01:30 +00:00
Luigi Rizzo
4e9c8ae7b5 Put dummynet-related code in a separate file.
To this purpose, add prototypes for global functions in ipfw2.h
and move there also the list of tokens used in various places in the code.
2009-01-27 11:06:59 +00:00
Luigi Rizzo
3c0c871777 Start splitting the monster file in smaller blocks.
In this episode:
- introduce a common header with a minimal set of common definitions;
- bring the main() function and options parser in main.c
- rename the main functions with an ipfw_ prefix

No code changes except for the introduction of a global variable,
resvd_set_number, which stores the RESVD_SET value from ip_fw.h
and is used to remove the dependency of main.c from ip_fw.h
(and the subtree of dependencies) for just a single constant.
2009-01-27 10:18:55 +00:00
Luigi Rizzo
0e22daad2d put the usage() function inline, it was only 1 line and used once;
slightly reformat the help() text;
slightly correct the text for the 'extraneous filename' error message;
2009-01-27 09:27:13 +00:00
Luigi Rizzo
db7c522411 put all options in a single struct, and document them.
This will allow us to easily restore the original values when processing
commands from a file (where each individual line can have its own options).
2009-01-27 09:06:25 +00:00
Luigi Rizzo
be39e0b2b1 remove a couple of rarely used #define;
change PRINT_UINT from a macro to a function (renaming is
postponed to reduce clutter)
2009-01-27 07:40:16 +00:00
Luigi Rizzo
5f356082eb wrap all malloc/calloc/realloc calls so they exit on failure
without having to check in each place.

Remove an wrong strdup from previous commit.
2009-01-26 14:26:35 +00:00
Luigi Rizzo
c562063980 Some implementations of getopt() expect that argv[0] is always the
program name, and ignore that entry.  ipfw2.c code instead skips
this entry and starts with options at offset 0, relying on a more
tolerant implementation of the library.

This change fixes the issue by always passing a program name
in the first entry to getopt. The motivation for this change
is to remove a potential compatibility issue should we use
a different getopt() implementation in the future.

No functional changes.

Submitted by:	Marta Carbone (parts)
MFC after:	4 weeks
2009-01-26 14:03:39 +00:00
Luigi Rizzo
e5dbf7366f remove some useless #include,
document why timeconv.h is needed

MFC after:	3 days
2009-01-22 23:25:28 +00:00
Luigi Rizzo
daa9733afd Fix a number of (innocuous) warnings, and remove a useless test.
There are still several signed/unsigned warnings left, which
require a bit more study for a proper fix.

This file has grown beyond reasonable limits.

We really need to split it into separate components (ipv4, ipv6,
dummynet, nat, table, userland-kernel communication ...) so we can
make mainteinance easier.

MFC after:	1 weeks
2009-01-20 18:16:31 +00:00
Paolo Pisati
3fc7bd58bc Honor the quiet (-q) option while adding a nat rule.
Submitted by:	Andrey V. Elsukov<bu7cher@yandex.ru>
MFC after:	3 days
2008-12-18 21:37:31 +00:00
Maxim Konovalov
20e58023f4 o Remove a debug code and restore an accidentally deleted code
in a previous commit.
2008-10-14 17:59:39 +00:00
Maxim Konovalov
92531c02e6 o Do nothing in show_nat() for a test mode (-n). This prevents
show_nat() from endless loop and makes work ipfw -n nat <...>.

PR:		bin/128064
Submitted by:	sem
MFC after:	1 month
2008-10-14 17:53:26 +00:00
Roman Kurakin
e7ef3e9494 Fix the build.
Noted by: ganbold@
2008-09-27 15:58:54 +00:00