From nobody Thu Nov 14 21:00:00 2024
Date: Thu, 14 Nov 2024 21:00:00 GMT
Message-Id: <202411142100.4AEL00Qk075307@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mitchell Horne
Subject: git: e413da135819 - main - manuals: fix "PP after SS | SH" warnings
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: mhorne
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: e413da1358194fe2e3c75a914b9192ffbc67dfdd

The branch main has been updated by mhorne:

URL: https://cgit.FreeBSD.org/src/commit/?id=e413da1358194fe2e3c75a914b9192ffbc67dfdd

commit e413da1358194fe2e3c75a914b9192ffbc67dfdd
Author:     Graham Percival
AuthorDate: 2024-11-13 01:17:24 +0000
Commit:     Mitchell Horne
CommitDate: 2024-11-14 20:59:43 +0000

    manuals: fix "PP after SS | SH" warnings

    The full mandoc warnings were:
        skipping paragraph macro: PP after SS
        skipping paragraph macro: PP after SH

    The rendered output (in ascii and html) is not affected by this commit.

    Fixes made by script in https://github.com/Tarsnap/freebsd-doc-scripts
Signed-off-by: Graham Percival Reviewed by: jlduran, mhorne MFC after: 1 week Sponsored by: Tarsnap Backup Inc. Pull Request: https://github.com/freebsd/freebsd-src/pull/1524 --- sbin/ipf/ipf/ipf.4 | 1 - sbin/ipf/ipf/ipf.5 | 37 ------------------------------------- sbin/ipf/ipf/ipf.8 | 3 --- sbin/ipf/ipf/ipfilter.5 | 1 - sbin/ipf/ipfs/ipfs.8 | 3 --- sbin/ipf/ipftest/ipftest.1 | 1 - sbin/ipf/ipmon/ipmon.5 | 3 --- sbin/ipf/ipmon/ipmon.8 | 2 -- sbin/ipf/ipnat/ipnat.1 | 1 - sbin/ipf/ipnat/ipnat.4 | 1 - sbin/ipf/ipnat/ipnat.5 | 9 --------- sbin/ipf/ipnat/ipnat.8 | 1 - sbin/ipf/ippool/ippool.5 | 6 ------ sbin/ipf/ippool/ippool.8 | 1 - sbin/ipf/ipscan/ipscan.5 | 1 - sbin/ipf/ipscan/ipscan.8 | 1 - sbin/ipf/ipsend/ipresend.1 | 3 --- sbin/ipf/ipsend/ipsend.1 | 3 --- sbin/ipf/ipsend/ipsend.5 | 2 -- sbin/ipf/ipsend/iptest.1 | 2 -- 20 files changed, 82 deletions(-) diff --git a/sbin/ipf/ipf/ipf.4 b/sbin/ipf/ipf/ipf.4 index c474d5d895de..c5b3bac34947 100644 --- a/sbin/ipf/ipf/ipf.4 +++ b/sbin/ipf/ipf/ipf.4 @@ -6,7 +6,6 @@ ipf \- packet filtering kernel interface .br #include .SH IOCTLS -.PP To add and delete rules to the filter list, three 'basic' ioctls are provided for use. The ioctl's are called as: .LP diff --git a/sbin/ipf/ipf/ipf.5 b/sbin/ipf/ipf/ipf.5 index 423e0de1b34e..32e9913353a0 100644 --- a/sbin/ipf/ipf/ipf.5 +++ b/sbin/ipf/ipf/ipf.5 @@ -2,7 +2,6 @@ .SH NAME ipf, ipf.conf \- IPFilter firewall rules file format .SH DESCRIPTION -.PP The ipf.conf file is used to specify rules for the firewall, packet authentication and packet accounting components of IPFilter. To load rules specified in the ipf.conf file, the ipf(8) program is used. @@ -29,7 +28,6 @@ the direction of the packet (in or out) address patterns or "all" to match any address information .RE .SS Long lines -.PP For rules lines that are particularly long, it is possible to split them over multiple lines implicitly like this: .PP 
@@ -45,7 +43,6 @@ pass in on bgeo proto tcp from 1.1.1.1 port > 1000 \\ to 2.2.2.2 port < 5000 flags S keep state .fi .SS Comments -.PP Comments in the ipf.conf file are indicated by the use of the '#' character. This can either be at the start of the line, like this: .PP @@ -60,7 +57,6 @@ Or at the end of a like, like this: pass in proto icmp from any to any # Allow all ICMP packets in .fi .SH Firewall rules -.PP This section goes into detail on how to construct firewall rules that are placed in the ipf.conf file. .PP @@ -69,7 +65,6 @@ firewall rule set or which packets should be blocked or allowed in. Some suggestions will be provided but further reading is expected to fully understand what is safe and unsafe to allow in/out. .SS Filter rule keywords -.PP The first word found in any filter rule describes what the eventual outcome of a packet that matches it will be. Descriptions of the many and various sections that can be used to match on the contents of packet headers will @@ -131,7 +126,6 @@ rule to match a packet is a pass, if there is a later matching rule that is a block and no further rules match the packet, then it will be blocked. .SS Matching Network Interfaces -.PP On systems with more than one network interface, it is necessary to be able to specify different filter rules for each of them. In the first instance, this is because different networks will send us @@ -158,7 +152,6 @@ block in on bge0 all pass out on bge0 all .fi .SS Address matching (basic) -.PP The first and most basic part of matching for filtering rules is to specify IP addresses and TCP/UDP port numbers. The source address information is matched by the "from" information in a filter rule 
@@ -197,7 +190,6 @@ is processing that part of the configuration file, leading to long delays, if not errors, in loading the filter rules. .RE .SS Protocol Matching -.PP To match packets based on TCP/UDP port information, it is first necessary to indicate which protocol the packet must be. This is done using the "proto" keyword, followed by either the protocol number or a name which @@ -209,7 +201,6 @@ block out proto udp from any to 10.1.1.1 pass in proto icmp from any to 192.168.0.0/16 .fi .SS Sending back error packets -.PP When a packet is just discarded using a block rule, there is no feedback given to the host that sent the packet. This is both good and bad. If this is the desired behaviour and it is not desirable to send any feedback about packets @@ -317,7 +308,6 @@ block return-icmp-as-dest(port-unr) in proto udp \\ from any to 192.168.1.0/24 .fi .SS TCP/UDP Port Matching -.PP Having specified which protocol is being matched, it is then possible to indicate which port numbers a packet must have in order to match the rule. Due to port numbers being used differently to addresses, it is therefore @@ -361,7 +351,6 @@ If there is no desire to mention any specific source or destintion information in a filter rule then the word "all" can be used to indicate that all addresses are considered to match the rule. .SS IPv4 or IPv6 -.PP If a filter rule is constructed without any addresses then IPFilter will attempt to match both IPv4 and IPv6 packets with it. In the next list of rules, each one can be applied to either network protocol 
@@ -399,13 +388,11 @@ protocol family qualifier: pass in family inet6 proto udp from any to any port = 53 .fi .SS First match vs last match -.PP To change the default behaviour from being the last matched rule decides the outcome to being the first matched rule, the word "quick" is inserted to the rule. .SH Extended Packet Matching .SS Beyond using plain addresses -.PP On firewalls that are working with large numbers of hosts and networks or simply trying to filter discretely against various hosts, it can be an easier administration task to define a pool of addresses and have @@ -475,7 +462,6 @@ with. pass in proto icmp from any to (bge0)/32 .fi .SS Using address pools -.PP Rather than list out multiple rules that either allow or deny specific addresses, it is possible to create a single object, call an address pool, that contains all of those addresses and reference that in the @@ -505,7 +491,6 @@ There are different operational characteristics with each, so there may be some situations where a pool works better than hash and vice versa. .SS Matching TCP flags -.PP The TCP header contains a field of flags that is used to decide if the packet is a connection request, connection termination, data, etc. By matching on the flags in conjunction with port numbers, it is @@ -562,7 +547,6 @@ pass out quick proto tcp from any port = 22 to any flags SA By itself, filtering based on the TCP flags becomes more work but when combined with stateful filtering (see below), the situation changes. .SS Matching on ICMP header information -.PP The TCP and UDP are not the only protocols for which filtering beyond just the IP header is possible, extended matching on ICMP packets is also available. The list of valid ICMP types is different for IPv4 
@@ -627,7 +611,6 @@ unreach (unreachable, whoreq (WRU request), whorep (WRU reply). .SH Stateful Packet Filtering -.PP Stateful packet filtering is where IPFilter remembers some information from one or more packets that it has seen and is able to apply it to future packets that it receives from the network. @@ -694,7 +677,6 @@ use of these protocols being more for query-response than for ongoing connections. For all other protocols the timeout is 60 seconds in both directions. .SS Stateful filtering options -.PP The following options can be used with stateful filtering: .HP limit @@ -812,7 +794,6 @@ If there is no IP protocol implied by addresses or other features of the rule, IPFilter will assume that no netmask is an all ones netmask for both IPv4 and IPv6. .SS Tieing down a connection -.PP For any connection that transits a firewall, each packet will be seen twice: once going in and once going out. Thus a connection has 4 flows of packets: @@ -851,7 +832,6 @@ pass in on bge0,bge1 out-via bge1,bge0 proto tcp \\ from any to any port = 22 flags S keep state .fi .SS Working with packet fragments -.PP Fragmented packets result in 1 packet containing all of the layer 3 and 4 header information whilst the data is split across a number of other packets. .PP @@ -883,7 +863,6 @@ An example of how this is done is as follows: pass in proto udp from any port = 2049 to any with frags keep frags .fi .SH Building a tree of rules -.PP Writing your filter rules as one long list of rules can be both inefficient in terms of processing the rules and difficult to understand. To make the construction of filter rules easier, it is possible to place them in groups. 
@@ -947,7 +926,6 @@ to deliver spam, I could load the following rule to complement the above: block in quick from 10.1.1.1 to any group spammers .fi .SS Decapsulation -.PP Rule groups also form a different but vital role for decapsulation rules. With the following simple rule, if IPFilter receives an IP packet that has an AH header as its layer 4 payload, IPFilter would adjust its view of the @@ -982,7 +960,6 @@ It is possible to construct a decapsulate rule without the group head at the end that ipf(8) will accept but such rules will not result in anything happening. .SS Policy Based Routing -.PP With firewalls being in the position they often are, at the boundary of different networks connecting together and multiple connections that have different properties, it is often desirable to have packets flow @@ -1034,7 +1011,6 @@ pass in on bge0 to bge1:1.1.1.1 reply-to hme1:2.1.1.2 \\ to any port = 80 flags S keep state .fi .SS Matching IPv4 options -.PP The design for IPv4 allows for the header to be upto 64 bytes long, however most traffic only uses the basic header which is 20 bytes long. The other 44 bytes can be used to store IP options. These options are @@ -1115,7 +1091,6 @@ ump (Upstream Multicast Packet), visa (Experimental Access Control) and zsu (Experimental Measurement). .SS Security with CIPSO and IPSO -.PP IPFilter supports filtering on IPv4 packets using security attributes embedded in the IP options part of the packet. These options are usually only used on networks and systems that are using lablled security. Unless you know that @@ -1139,7 +1114,6 @@ block in quick all with opt sec-class unclass pass in all with opt sec-class secret .fi .SS Matching IPv6 extension headers -.PP Just as it is possible to filter on the various IPv4 header options, so too it is possible to filter on the IPv6 extension headers that are placed between the IPv6 header and the transport protocol header. 
@@ -1153,7 +1127,6 @@ mobility (IP mobility), none, routing. .SS Logging -.PP There are two ways in which packets can be logged with IPFilter. The first is with a rule that specifically says log these types of packets and the second is a qualifier to one of the other keywords. Thus it is @@ -1211,7 +1184,6 @@ pass in log level local1.info proto tcp \\ ipfstat(8) reports how many packets have been successfully logged and how many failed attempts to log a packet there were. .SS Filter rule comments -.PP If there is a desire to associate a text string, be it an administrative comment or otherwise, with an IPFilter rule, this can be achieved by giving the filter rule a comment. The comment is loaded with the rule into the @@ -1224,7 +1196,6 @@ pass out quick proto tcp from any port = 80 \\ to any comment "all web server traffic is ok" .fi .SS Tags -.PP To enable filtering and NAT to correctly match up packets with rules, tags can be added at with NAT (for inbound packets) and filtering (for outbound packets.) This allows a filter to be correctly mated with its @@ -1249,7 +1220,6 @@ such as grep, extracting log records of interest is simplified. block in quick log ... set-tag(log=33) .fi .SH Filter Rule Expiration -.PP IPFilter allows rules to be added into the kernel that it will remove after a specific period of time by specifying rule-ttl at the end of a rule. When listing rules in the kernel using ipfstat(8), rules that are going @@ -1264,7 +1234,6 @@ pass in on fxp0 proto tcp from any \\ to port = 22 flags S keep state rule-ttl 30 .fi .SH Internal packet attributes -.PP In addition to being able to filter on very specific network and transport header fields, it is possible to filter on other attributes that IPFilter attaches to a packet. These attributes are placed in a rule after the 
@@ -1332,7 +1301,6 @@ block in all pass in all with not bad .fi .SH Tuning IPFilter -.PP The ipf.conf file can also be used to tune the behaviour of IPFilter, allowing, for example, timeouts for the NAT/state table(s) to be set along with their sizes. The presence and names of tunables may change @@ -1543,7 +1511,6 @@ update_ipid when set, turns on changing the IP id field in NAT'd packets to a random number. .SS Table of visible variables -.PP A list of all of the tunables, their minimum, maximum and current values is as follows. .PP @@ -1602,7 +1569,6 @@ udp_timeout 1 MAXINT 240 update_ipid 0 1 0 .fi .SH Calling out to internal functions -.PP IPFilter provides a pair of functions that can be called from a rule that allow for a single rule to jump out to a group rather than walk through a list of rules to find the group. If you've got multiple @@ -1637,7 +1603,6 @@ group-map in role=ipf number=1010 { 1.1.1.1 group = 1020, 3.3.0.0/16 group = 1030; }; .fi .SS IPFilter matching expressions -.PP An experimental feature that has been added to filter rules is to use the same expression matching that is available with various commands to flush and list state/NAT table entries. The use of such an expression @@ -1647,7 +1612,6 @@ precludes the filter rule from using the normal IP header matching. pass in exp { "tcp.sport 23 or tcp.sport 50" } keep state .fi .SS Filter rules with BPF -.PP On platforms that have the BPF built into the kernel, IPFilter can be built to allow BPF expressions in filter rules. This allows for packet matching to be on arbitrary data in the packt. The use of a BPF expression @@ -1665,7 +1629,6 @@ accurately reconstruct the original text filter. The end result is that while ipf.conf() can be easy to read, understanding the output from ipfstat might not be. .SH VARIABLES -.PP This configuration file, like all others used with IPFilter, supports the use of variable substitution throughout the text. .PP 
diff --git a/sbin/ipf/ipf/ipf.8 b/sbin/ipf/ipf/ipf.8 index 38cac51435d1..fba145b0c785 100644 --- a/sbin/ipf/ipf/ipf.8 +++ b/sbin/ipf/ipf/ipf.8 @@ -22,7 +22,6 @@ ipf \- alters packet filtering lists for IP packet input and output <\fIfilename\fP> [...]] .SH DESCRIPTION -.PP \fBipf\fP opens the filenames listed (treating "\-" as stdin) and parses the file for a set of rules which are to be added or removed from the packet filter rule set. @@ -176,9 +175,7 @@ IPF_PREDEFINED='my_server="10.1.1.1"; my_client="10.1.1.2";' .SH SEE ALSO ipftest(1), mkfilters(1), ipf(4), ipl(4), ipf(5), ipfstat(8), ipmon(8), ipnat(8) .SH DIAGNOSTICS -.PP Needs to be run as root for the packet filtering lists to actually be affected inside the kernel. .SH BUGS -.PP If you find any, please send email to me at darrenr@pobox.com diff --git a/sbin/ipf/ipf/ipfilter.5 b/sbin/ipf/ipf/ipfilter.5 index 0bba0f4bad02..0a1da67d70cd 100644 --- a/sbin/ipf/ipf/ipfilter.5 +++ b/sbin/ipf/ipf/ipfilter.5 @@ -2,7 +2,6 @@ .SH NAME IP Filter .SH DESCRIPTION -.PP IP Filter is a package providing packet filtering capabilities for a variety of operating systems. On a properly setup system, it can be used to build a firewall. diff --git a/sbin/ipf/ipfs/ipfs.8 b/sbin/ipf/ipfs/ipfs.8 index a58d02db078a..cf668cc09400 100644 --- a/sbin/ipf/ipfs/ipfs.8 +++ b/sbin/ipf/ipfs/ipfs.8 @@ -40,7 +40,6 @@ ipfs \- saves and restores information for NAT and state tables. .B \-i , .SH DESCRIPTION -.PP \fBipfs\fP allows state information created for NAT entries and rules using \fIkeep state\fP to be locked (modification prevented) and then saved to disk, allowing for the system to experience a reboot, followed by the restoration 
@@ -117,10 +116,8 @@ operation and unlocked once complete. .SH SEE ALSO ipf(8), ipl(4), ipmon(8), ipnat(8) .SH DIAGNOSTICS -.PP Perhaps the -W and -R operations should set the locking but rather than undo it, restore it to what it was previously. Fragment table information is currently not saved. .SH BUGS -.PP If you find any, please send email to me at darrenr@pobox.com diff --git a/sbin/ipf/ipftest/ipftest.1 b/sbin/ipf/ipftest/ipftest.1 index 11b64e288600..5c5fe60901a0 100644 --- a/sbin/ipf/ipftest/ipftest.1 +++ b/sbin/ipf/ipftest/ipftest.1 @@ -34,7 +34,6 @@ interface ] .SH DESCRIPTION -.PP \fBipftest\fP is provided for the purpose of being able to test a set of filter rules without having to put them in place, in operation and proceed to test their effectiveness. The hope is that this minimises disruptions diff --git a/sbin/ipf/ipmon/ipmon.5 b/sbin/ipf/ipmon/ipmon.5 index ccca214b26a6..c6a4b6c12a42 100644 --- a/sbin/ipf/ipmon/ipmon.5 +++ b/sbin/ipf/ipmon/ipmon.5 @@ -52,7 +52,6 @@ The lines above would save all ipf log entries to /var/log/ipf-log, send all of the entries for NAT (ipnat related) to syslog and generate an email to root for each log entry from the state tables. .SH SYNTAX - MATCHING -.PP In the above example, the matching segment was confined to matching on the type of log entry generated. The full list of fields that can be used here is: @@ -189,7 +188,6 @@ it can then be used in any .I do statement. .SH EXAMPLES -.PP Some further examples are: .nf @@ -208,7 +206,6 @@ match { dstip 127.0.0.1; } do { local("local options"); }; # .fi .SH MATCHING -.PP All entries of the rules present in the file are compared for matches - there is no first or last rule match. .SH FILES diff --git a/sbin/ipf/ipmon/ipmon.8 b/sbin/ipf/ipmon/ipmon.8 index cb6567e316b0..901d1a2a804e 100644 --- a/sbin/ipf/ipmon/ipmon.8 +++ b/sbin/ipf/ipmon/ipmon.8 
@@ -27,7 +27,6 @@ ipmon \- monitors /dev/ipl for logged packets .B ] .SH DESCRIPTION -.LP \fBipmon\fP opens \fB/dev/ipl\fP for reading and awaits data to be saved from the packet filter. The binary data read from the device is reprinted in human readable form, however, IP#'s are not mapped back to hostnames, nor are @@ -191,5 +190,4 @@ recorded data. .SH SEE ALSO ipl(4), ipmon(5), ipf(8), ipfstat(8), ipnat(8) .SH BUGS -.PP If you find any, please send email to me at darrenr@pobox.com diff --git a/sbin/ipf/ipnat/ipnat.1 b/sbin/ipf/ipnat/ipnat.1 index f24141546171..0e41ccc42b2a 100644 --- a/sbin/ipf/ipnat/ipnat.1 +++ b/sbin/ipf/ipnat/ipnat.1 @@ -8,7 +8,6 @@ ipnat \- user interface to the NAT ] .B \-f <\fIfilename\fP> .SH DESCRIPTION -.PP \fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the file for a set of rules which are to be added or removed from the IP NAT. .PP diff --git a/sbin/ipf/ipnat/ipnat.4 b/sbin/ipf/ipnat/ipnat.4 index 2a866d4a8f19..d848378d8e98 100644 --- a/sbin/ipf/ipnat/ipnat.4 +++ b/sbin/ipf/ipnat/ipnat.4 @@ -10,7 +10,6 @@ ipnat \- Network Address Translation kernel interface .br #include .SH IOCTLS -.PP To add and delete rules to the NAT list, two 'basic' ioctls are provided for use. The ioctl's are called as: .LP diff --git a/sbin/ipf/ipnat/ipnat.5 b/sbin/ipf/ipnat/ipnat.5 index b01892f9749d..2b391f119450 100644 --- a/sbin/ipf/ipnat/ipnat.5 +++ b/sbin/ipf/ipnat/ipnat.5 @@ -3,7 +3,6 @@ .SH NAME ipnat, ipnat.conf \- IPFilter NAT file format .SH DESCRIPTION -.PP The .B ipnat.conf file is used to specify rules for the Network Address Translation (NAT) @@ -30,7 +29,6 @@ to text that appears before the "->" and the "right hand side" (RHS) for text that appears after it. In essence, the LHS is the packet matching and the RHS is the new data to be used. .SH VARIABLES -.PP This configuration file, like all others used with IPFilter, supports the use of variable substitution throughout the text. .nf 
@@ -280,7 +278,6 @@ of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next IP address with the \fBmap\fP command. .SS Extended matching -.PP If it is desirable to match on both the source and destination of a packet before applying an address translation to it, this can be achieved by using the same from-to syntax as is used in \fBipf.conf\fP(5). What follows @@ -322,7 +319,6 @@ the defined pool only has /24's or /32's. Pools may also be used .I wherever the from-to syntax in \fBipnat.conf\fR(5) is allowed. .SH INBOUND DESTINATION TRANSLATION (redirection) -.PP Redirection of packets is used to change the destination fields in a packet and is supported for packets that are moving \fIin\fP on a network interface. While the same general syntax for @@ -465,7 +461,6 @@ rdr le0,ppp0 9.8.7.6/32 port 80 -> 1.1.1.1,1.1.1.2 port 80 tcp round-robin frag age 40/40 sticky mssclamp 1000 tag tagged .fi .SH REWRITING SOURCE AND DESTINATION -.PP Whilst the above two commands provide a lot of flexibility in changing addressing fields in packets, often it can be of benefit to translate \fIboth\fP source \fBand\fR destination at the same time or to change @@ -549,7 +544,6 @@ rewrite from any to any port = 80 -> src 1.1.2.3 - 1.1.2.6 dst 2.2.3.4 - 2.2.3.6; .fi .SH DIVERTING PACKETS -.PP If you'd like to send packets to a UDP socket rather than just another computer to be decapsulated, this can be achieved using a .B divert @@ -598,7 +592,6 @@ are flushed out, it is expected that the operator will similarly flush the NAT table and thus NAT sessions are not removed when the NAT rules are flushed out. .SH RULE ORDERING -.PP .B NOTE: Rules in .B ipnat.conf 
@@ -655,7 +648,6 @@ rdr le0 from 1.1.1.0/24 to 192.2.2.1 port 80 -> 127.0.0.1 3128 tcp .PP Then no packets will match the 2nd rule, they'll all match the first. .SH IPv6 -.PP In all of the examples above, where an IPv4 address is present, an IPv6 address can also be used. All rules must use either IPv4 addresses with both halves of the NAT rule or IPv6 addresses for both halves. Mixing @@ -667,7 +659,6 @@ For shorthand notations such as "0/32", the equivalent for IPv6 is implicit direction that the address should be IPv6, not IPv4. To be unambiguous with 0/0, for IPv6 use ::0/0. .SH KERNEL PROXIES -.PP IP Filter comes with a few, simple, proxies built into the code that is loaded into the kernel to allow secondary channels to be opened without forcing the packets through a user program. The current state of the proxies is listed diff --git a/sbin/ipf/ipnat/ipnat.8 b/sbin/ipf/ipnat/ipnat.8 index 2ef14a971831..b3893f117709 100644 --- a/sbin/ipf/ipnat/ipnat.8 +++ b/sbin/ipf/ipnat/ipnat.8 @@ -15,7 +15,6 @@ ipnat \- user interface to the NAT subsystem ] .B \-f <\fIfilename\fP> .SH DESCRIPTION -.PP \fBipnat\fP opens the filename given (treating "\-" as stdin) and parses the file for a set of rules which are to be added or removed from the IP NAT. .PP diff --git a/sbin/ipf/ippool/ippool.5 b/sbin/ipf/ippool/ippool.5 index 3b5c4d0f2bf6..d631de355a0e 100644 --- a/sbin/ipf/ippool/ippool.5 +++ b/sbin/ipf/ippool/ippool.5 @@ -38,7 +38,6 @@ heirarchical matching, so it is possible to define a subnet as matching but then exclude specific addresses from it. .SS Evolving Configuration -.PP Over time the configuration syntax used by ippool.conf(5) has evolved. Originally the syntax used was more verbose about what a particular value was being used for, for example: 
@@ -65,7 +64,6 @@ configuration syntax and all output using "ippool -l" will also be in the new configuration syntax. .SS IPFilter devices and pools -.PP To cater to different administration styles, ipool.conf(5) allows you to tie a pool to a specific role in IPFilter. The recognised role names are: .HP @@ -89,7 +87,6 @@ all pools that are defined for the "all" role are available to all types of rules, be they NAT rules in ipnat.conf(5) or firewall rules in ipf.conf(5). .SH Address Pools -.PP An address pool can be used in ipf.conf(5) and ipnat.conf(5) for matching the source or destination address of packets. They can be referred to either by name or number and can hold an arbitrary number of address patterns to @@ -163,7 +160,6 @@ block in from pool/microsoft to any Note that there are limitations on the output returned by whois servers so be aware that their output may not be 100% perfect for your goal. .SH Destination Lists -.PP Destination lists are provided for use primarily with NAT redirect rules (rdr). Their purpose is to allow more sophisticated methods of selecting which host to send traffic to next than the simple round-robin technique @@ -242,7 +238,6 @@ pool all/dstlist (name servers; policy weighted connection;) { bge0:1.1.1.2; bge0:1.1.1.4; bge1:1.1.1.5; bge1:1.1.1.9; }; .fi .SH Group maps -.PP Group maps are provided to allow more efficient processing of packets where there are a larger number of subnets and groups of rules for those subnets. Group maps are used with "call" rules in ipf.conf(5) that @@ -282,7 +277,6 @@ The limitation with group maps is that only the source address or the destination address can be used to map the packet to the starting group, not both, in your ipf.conf(5) file. .SH Hash Tables -.PP The hash table is operationally similar to the address pool. It is used as a store for a collection of address to match on, saving the need to write a lengthy list of rules. As with address pools, searching 
diff --git a/sbin/ipf/ippool/ippool.8 b/sbin/ipf/ippool/ippool.8 index 1ff9911a87d8..c879c97b01dd 100644 --- a/sbin/ipf/ippool/ippool.8 +++ b/sbin/ipf/ippool/ippool.8 @@ -28,7 +28,6 @@ ippool \- user interface to the IPFilter pools .B ippool -s [-dtv] .SH DESCRIPTION -.PP .B Ippool is used to manage information stored in the IP pools subsystem of IPFilter. Configuration file information may be parsed and loaded into the kernel, diff --git a/sbin/ipf/ipscan/ipscan.5 b/sbin/ipf/ipscan/ipscan.5 index 72b3f92a25a0..76738b607080 100644 --- a/sbin/ipf/ipscan/ipscan.5 +++ b/sbin/ipf/ipscan/ipscan.5 @@ -3,7 +3,6 @@ .SH NAME ipscan, ipscan.conf \- ipscan file format .SH DESCRIPTION -.PP WARNING: This feature is to be considered experimental and may change significantly until a final implementation is drawn up. .PP diff --git a/sbin/ipf/ipscan/ipscan.8 b/sbin/ipf/ipscan/ipscan.8 index 292d5764519a..da4068a1e8f2 100644 --- a/sbin/ipf/ipscan/ipscan.8 +++ b/sbin/ipf/ipscan/ipscan.8 @@ -10,7 +10,6 @@ ipscan \- user interface to the IPFilter content scanning ] .B \-f <\fIfilename\fP> .SH DESCRIPTION -.PP \fBipscan\fP opens the filename given (treating "\-" as stdin) and parses the file to build up a content scanning configuration to load into the kernel. Currently only the first 16 bytes of a connection can be compared. diff --git a/sbin/ipf/ipsend/ipresend.1 b/sbin/ipf/ipsend/ipresend.1 index 529c1649b756..e7714349e6af 100644 --- a/sbin/ipf/ipsend/ipresend.1 +++ b/sbin/ipf/ipsend/ipresend.1 @@ -20,7 +20,6 @@ ipresend \- resend IP packets out to network <\fIfilename\fP> ] .SH DESCRIPTION -.PP \fBipresend\fP was designed to allow packets to be resent, once captured, back out onto the network for use in testing. \fIipresend\fP supports a number of different file formats as input, including saved snoop/tcpdump 
@@ -97,10 +96,8 @@ The input file is composed of text descriptions of IP packets. .SH SEE ALSO snoop(1m), tcpdump(8), etherfind(8c), ipftest(1), ipresend(1), iptest(1), bpf(4), dlpi(7p) .SH DIAGNOSTICS -.PP Needs to be run as root. .SH BUGS -.PP Not all of the input formats are sufficiently capable of introducing a wide enough variety of packets for them to be all useful in testing. If you find any, please send email to me at darrenr@pobox.com diff --git a/sbin/ipf/ipsend/ipsend.1 b/sbin/ipf/ipsend/ipsend.1 index d0770c41775e..57d29ba8569a 100644 --- a/sbin/ipf/ipsend/ipsend.1 +++ b/sbin/ipf/ipsend/ipsend.1 @@ -35,7 +35,6 @@ ipsend \- sends IP packets <\fIwindow\fP> ] [TCP-flags] .SH DESCRIPTION -.PP \fBipsend\fP can be compiled in two ways. The first is used to send one-off packets to a destination host, using command line options to specify various attributes present in the headers. The \fIdestination\fP must be given as @@ -103,8 +102,6 @@ enable verbose mode. .SH SEE ALSO ipsend(1), ipresend(1), iptest(1), protocols(4), bpf(4), dlpi(7p) .SH DIAGNOSTICS -.PP Needs to be run as root. .SH BUGS -.PP If you find any, please send email to me at darrenr@pobox.com diff --git a/sbin/ipf/ipsend/ipsend.5 b/sbin/ipf/ipsend/ipsend.5 index 998957a030c9..440cb0a5f23b 100644 --- a/sbin/ipf/ipsend/ipsend.5 +++ b/sbin/ipf/ipsend/ipsend.5 @@ -7,7 +7,6 @@ text file which fits the grammar described below. The purpose of this grammar is to allow IP packets to be described in an arbitary way which also allows encapsulation to be so done to an arbitary level. .SH GRAMMAR -.LP .nf line ::= iface | arp | send | defrouter | ipv4line . @@ -80,7 +79,6 @@ databodyopts ::= "len" number | "value" string | "file" filename . icmpechoopts ::= "icmpseq" number | "icmpid" number . .fi .SH COMMANDS -.PP Before sending any packets or defining any packets, it is necessary to describe the interface(s) which will be used to send packets out. .TP 
diff --git a/sbin/ipf/ipsend/iptest.1 b/sbin/ipf/ipsend/iptest.1 index afc907042a83..5ccebc681cbc 100644 --- a/sbin/ipf/ipsend/iptest.1 +++ b/sbin/ipf/ipsend/iptest.1 @@ -23,7 +23,6 @@ iptest \- automatically generate a packets to test IP functionality <\fIsource\fP> ] .SH DESCRIPTION -.PP \fBiptest\fP ... .SH OPTIONS .TP @@ -98,5 +97,4 @@ Only one of the numeric test options may be given when \fIiptest\fP is run. .PP Needs to be run as root. .SH BUGS -.PP If you find any, please send email to me at darrenr@pobox.com
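Review bot: the ipmon.8 hunk at "@@ -27,7 +27,6 @@" (DESCRIPTION) removes a ".LP" line, not a ".PP", and the ipsend.5 hunk at "@@ -7,7 +7,6 @@" (GRAMMAR) does the same; the commit message only quotes the "PP after SS / PP after SH" warnings. Since .LP is a man(7) synonym for .PP the removal is correct, but the message should say that LP (and the matching "LP after SH" warning) is covered too, so a reader grepping the log for the LP case finds this commit.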
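Review bot: in the iptest.1 hunk at "@@ -23,7 +23,6 @@", the DESCRIPTION body that now sits directly under ".SH DESCRIPTION" is the literal placeholder "\fBiptest\fP ...", and the NAME line in the hunk header reads "automatically generate a packets". Neither is introduced by this change and the script cannot fix them, but they are worth a follow-up: a one-paragraph description of what iptest sends, and "generate packets" in NAME.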
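Review bot: the iptest.1 hunk at "@@ -98,5 +97,4 @@" shows "Needs to be run as root." under a plain ".PP" with no DIAGNOSTICS heading, whereas the sibling ipsend.1 ("@@ -103,8 +102,6 @@") and ipresend.1 ("@@ -97,10 +96,8 @@") hunks place the same sentence under ".SH DIAGNOSTICS". Out of scope for a script-generated cleanup, but a follow-up giving iptest.1 the same DIAGNOSTICS section would make the three pages consistent.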
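Review bot: the ipfilter.5 hunk at "@@ -2,7 +2,6 @@" shows the NAME section as just "IP Filter" with no "name \- description" form, so the page still will not index for apropos(1) and mandoc will keep reporting on it even with the ".PP" gone. Not something this commit should change, since it only removes paragraph macros, but worth noting as the next warning a lint pass over these files will surface.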
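Review bot: context in the ipf.5 hunk at "@@ -1665,7 +1629,6 @@" reads "while ipf.conf() can be easy to read", which looks like a cross reference that lost its section number; elsewhere in the same file the page writes "ipf(8)" and "ipf.conf" without parentheses. Outside the scope of this change, but "ipf.conf(5)" (or plain "ipf.conf") would be the fix in a follow-up.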