Date: Mon, 4 Aug 2008 18:47:25 GMT From: Gleb Kurtsou <gk@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 146644 for review Message-ID: <200808041847.m74IlPL6029076@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=146644 Change 146644 by gk@gk_h1 on 2008/08/04 18:46:31 document arp-op, {src,dst}-arp. sort options in alphabetical order update ipfw usage Affected files ... .. //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw.8#5 edit .. //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw2.c#9 edit Differences ... ==== //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw.8#5 (text+ko) ==== @@ -390,7 +390,7 @@ .Cm ip6_input() . Note that as a rule only incoming packets are tagged, but .Cm bridge -appends tag to outgoing packets. +appends tag to outgoing packets too. Therefore dynamic rules (like rules created by .Cm keep-state option) do not check specified MAC header options if there is no @@ -1146,6 +1146,19 @@ You can have comment-only rules, which are listed as having a .Cm count action followed by the comment. +.It Cm arp-op Ar arp-op +Matches Address Resolution Protocol (ARP) packets whose +.Em Operation +field corresponds to one of those specified as argument. +.Ar arp-op +is specified in the same way as port numbers (i.e., one or more +comma-separated single values or ranges). You can use symbolic names +for known values such as +.Em request , reply , rev_request , rev_reply , inv_request , inv_reply . +Values can be entered as decimal or hexadecimal (if prefixed by 0x), and +they are always printed as hexadecimal (unless the +.Cm -N +option is used, in which case symbolic resolution will be attempted). .It Cm bridged Alias for .Cm layer2 . 
@@ -1157,6 +1170,16 @@ .It Cm diverted-output Matches only packets going from a divert socket back outward to the IP stack output for delivery. +.It Cm dst-arp Ar dst-arp +Matches Address Resolution Protocol (ARP) packets whose +.Em Target protocol address (TPA) +and optionally +.Em Target hardware address (THA) +fields correspond to entry in the lookup table +.Ar dst-arp . +See the +.Sx LOOKUP TABLES +section below for more information on lookup tables. .It Cm dst-ether Ar dst-ether Match packets with a given destination MAC address .Ar dst-ether Ns , @@ -1177,6 +1200,19 @@ specified as argument. .It Cm established Matches TCP packets that have the RST or ACK bits set. +.It Cm ether-type Ar ether-type +Matches packets whose Ethernet Type field +corresponds to one of those specified as argument. +.Ar ether-type +is specified in the same way as +.Cm port numbers +(i.e., one or more comma-separated single values or ranges). +You can use symbolic names for known values such as +.Em vlan , ipv4, ipv6 . +Values can be entered as decimal or hexadecimal (if prefixed by 0x), +and they are always printed as hexadecimal (unless the +.Cm -N +option is used, in which case symbolic resolution will be attempted). .It Cm ext6hdr Ar header Matches IPv6 packets containing the extended header given by .Ar header . 
@@ -1381,19 +1417,6 @@ specified. Currently, only IPv4 flows are supported. -.It Cm ether-type Ar ether-type -Matches packets whose Ethernet Type field -corresponds to one of those specified as argument. -.Ar ether-type -is specified in the same way as -.Cm port numbers -(i.e., one or more comma-separated single values or ranges). -You can use symbolic names for known values such as -.Em vlan , ipv4, ipv6 . -Values can be entered as decimal or hexadecimal (if prefixed by 0x), -and they are always printed as hexadecimal (unless the -.Cm -N -option is used, in which case symbolic resolution will be attempted). .It Cm proto Ar protocol Matches packets with the corresponding IP protocol. .It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar ipno | Ar any @@ -1442,6 +1465,16 @@ Matches TCP packets that have the SYN bit set but no ACK bit. This is the short form of .Dq Li tcpflags\ syn,!ack . +.It Cm src-arp Ar src-arp +Matches Address Resolution Protocol (ARP) packets whose +.Em Sender protocol address (SPA) +and optionally +.Em Sender hardware address (SHA) +fields correspond to entry in the lookup table +.Ar src-arp . +See the +.Sx LOOKUP TABLES +section below for more information on lookup tables. .It Cm src-ether Ar src-ether Match packets with a given source MAC address .Ar src-ether Ns , 
@@ -1742,16 +1775,13 @@ .Em dst are used here only to denote the initial match addresses, but they are completely equivalent afterwards). -If rule specifies -.Em src-ether -and/or -.Em dst-ether -address they are also used to match packets. +If rule specifies ethernet source or destination address it is also used +by dynamic rule to match packets. But note that packets without .Cm l2tag appended to them match against such dynamic rules, because .Cm l2tag -presents only in incoming or outgoing packets, but not in both. +usually presents only in incoming or outgoing packets, but not in both. Dynamic rules will be checked at the first .Cm check-state, keep-state or ==== //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw2.c#9 (text+ko) ==== @@ -2793,7 +2793,8 @@ "IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]\n" "ETHERADDR: { any | multicast | ether }\n" "OPTION_LIST: OPTION [OPTION_LIST]\n" -"OPTION: bridged | diverted | diverted-loopback | diverted-output |\n" +"OPTION: arp-op LIST | bridged | diverted | diverted-loopback |\n" +" {dst-arp|src-arp} table(t[,v]) | diverted-output |\n" " {dst-ip|src-ip} IPADDR | {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |\n" " {dst-port|src-port} LIST |\n" " estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |\n"
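Review bot: `appends tag to outgoing packets too.` in ipfw.8 hunk @@ -390 is still missing an article; `appends a tag to outgoing packets too.` reads correctly.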
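Review bot: the new arp-op entry (ipfw.8 hunk @@ -1146) documents the value syntax but not how the option treats packets that carry no ARP header; a sentence saying whether such packets simply never match would spare users from reading it as a negation on IP traffic. The entry also says `is specified in the same way as port numbers` in plain text while the ether-type entry added in the same change writes `.Cm port numbers`; use the same markup in both.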
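Review bot: the dst-arp and src-arp entries (ipfw.8 hunks @@ -1157 and @@ -1442) say the hardware address field is matched `optionally` but never say how that is requested; the ipfw2.c usage line in this same change spells the syntax as `{dst-arp|src-arp} table(t[,v])`, so the manual should state what the optional `v` is and whether it is what enables the THA/SHA comparison. Grammar in both entries: `correspond to entry in the lookup table` should be `correspond to an entry in the lookup table`.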
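Review bot: in the ether-type entry moved in by ipfw.8 hunk @@ -1177, the line `.Em vlan , ipv4, ipv6 .` attaches the comma to `ipv4`, so that comma is rendered emphasized while the one after `vlan` is not; write `.Em vlan , ipv4 , ipv6 .` so mdoc treats all three commas as punctuation, as the new arp-op entry already does. `.Cm port numbers` marks ordinary prose as a command keyword; drop the macro there.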
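Review bot: the replacement sentence in ipfw.8 hunk @@ -1742 drops its articles: `If rule specifies ethernet source or destination address it is also used by dynamic rule to match packets.` Suggest `If the rule specifies an Ethernet source or destination address, the dynamic rule also uses it to match packets.` Likewise `usually presents only in incoming or outgoing packets` should read `is usually present only in incoming or outgoing packets`. The removed text named the exact options, `.Em src-ether` and `.Em dst-ether`; keeping those names (ideally as `.Cm`) tells the reader precisely which options carry over into the dynamic rule.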
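Review bot: the change description says the options were sorted alphabetically, but the new usage text in ipfw2.c hunk @@ -2793 inserts `{dst-arp|src-arp} table(t[,v])` between `diverted-loopback |` and `diverted-output |`, which splits the diverted-* group and places dst-arp ahead of diverted-output. Keep `diverted-output` next to `diverted-loopback` and put `{dst-arp|src-arp} table(t[,v])` immediately before `{dst-ip|src-ip} IPADDR`. The usage gains `arp-op LIST` but shows no `ether-type LIST`, although the manual in this change documents ether-type with the same LIST syntax; if it is not already on a later usage line, add it here.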