From owner-p4-projects Fri Aug 16 6:39:46 2002
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id AE58737B401; Fri, 16 Aug 2002 06:38:33 -0700 (PDT)
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4D42737B400 for ; Fri, 16 Aug 2002 06:38:33 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6FA7E43E81 for ; Fri, 16 Aug 2002 06:38:32 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: from freefall.freebsd.org (perforce@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g7GDcWJU097823 for ; Fri, 16 Aug 2002 06:38:32 -0700 (PDT) (envelope-from bb+lists.freebsd.perforce@cyrus.watson.org)
Received: (from perforce@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g7GDcV3l097820 for perforce@freebsd.org; Fri, 16 Aug 2002 06:38:31 -0700 (PDT)
Date: Fri, 16 Aug 2002 06:38:31 -0700 (PDT)
Message-Id: <200208161338.g7GDcV3l097820@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: perforce set sender to bb+lists.freebsd.perforce@cyrus.watson.org using -f
From: Robert Watson
Subject: PERFORCE change 16109 for review
To: Perforce Change Reviews
Sender: owner-p4-projects@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

http://people.freebsd.org/~peter/p4db/chv.cgi?CH=16109

Change 16109 by rwatson@rwatson_tislabs on 2002/08/16 06:37:53

	IFC from the FreeBSD main tree to TrustedBSD base: in particular,
	merge the fo_stat()/fo_poll() changes back to our branches.

Affected files ...

.. //depot/projects/trustedbsd/base/bin/cp/cp.1#4 integrate
.. //depot/projects/trustedbsd/base/include/stdbool.h#3 integrate
.. //depot/projects/trustedbsd/base/lib/libc/net/inet_ntop.c#5 integrate
.. //depot/projects/trustedbsd/base/lib/libkvm/kvm_proc.c#7 integrate
.. //depot/projects/trustedbsd/base/lib/libutil/login_cap.h#4 integrate
.. //depot/projects/trustedbsd/base/libexec/comsat/comsat.8#4 integrate
.. //depot/projects/trustedbsd/base/sbin/fsck_ffs/setup.c#10 integrate
.. //depot/projects/trustedbsd/base/sbin/ipfw/ipfw.8#10 integrate
.. //depot/projects/trustedbsd/base/sbin/ipfw/ipfw2.c#6 integrate
.. //depot/projects/trustedbsd/base/sbin/nfsiod/nfsiod.c#6 integrate
.. //depot/projects/trustedbsd/base/share/man/man4/uhid.4#3 integrate
.. //depot/projects/trustedbsd/base/share/misc/iso3166#4 integrate
.. //depot/projects/trustedbsd/base/sys/alpha/osf1/osf1_misc.c#9 integrate
.. //depot/projects/trustedbsd/base/sys/compat/linux/linux_stats.c#6 integrate
.. //depot/projects/trustedbsd/base/sys/dev/usb/ohci.c#15 integrate
.. //depot/projects/trustedbsd/base/sys/dev/usb/ulpt.c#9 integrate
.. //depot/projects/trustedbsd/base/sys/fs/fdescfs/fdesc_vnops.c#5 integrate
.. //depot/projects/trustedbsd/base/sys/fs/fifofs/fifo_vnops.c#12 integrate
.. //depot/projects/trustedbsd/base/sys/fs/msdosfs/msdosfs_denode.c#6 integrate
.. //depot/projects/trustedbsd/base/sys/ia64/ia64/vm_machdep.c#12 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_descrip.c#21 integrate
.. //depot/projects/trustedbsd/base/sys/kern/kern_event.c#10 integrate
.. //depot/projects/trustedbsd/base/sys/kern/sys_generic.c#14 integrate
.. //depot/projects/trustedbsd/base/sys/kern/sys_pipe.c#16 integrate
.. //depot/projects/trustedbsd/base/sys/kern/sys_socket.c#8 integrate
.. //depot/projects/trustedbsd/base/sys/kern/uipc_socket.c#19 integrate
.. //depot/projects/trustedbsd/base/sys/kern/uipc_socket2.c#18 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_syscalls.c#26 integrate
.. //depot/projects/trustedbsd/base/sys/kern/vfs_vnops.c#24 integrate
.. //depot/projects/trustedbsd/base/sys/modules/cam/Makefile#3 integrate
.. //depot/projects/trustedbsd/base/sys/netinet/ip_fw2.c#4 integrate
.. //depot/projects/trustedbsd/base/sys/netinet/tcp_debug.h#2 integrate
.. //depot/projects/trustedbsd/base/sys/netinet/tcp_timer.h#4 integrate
.. //depot/projects/trustedbsd/base/sys/netinet/udp_usrreq.c#14 integrate
.. //depot/projects/trustedbsd/base/sys/nfsclient/nfs_lock.c#9 integrate
.. //depot/projects/trustedbsd/base/sys/nfsclient/nfs_lock.h#4 integrate
.. //depot/projects/trustedbsd/base/sys/pci/uhci_pci.c#4 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/include/pcb.h#4 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/include/pmap.h#12 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/include/tlb.h#10 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/sparc64/genassym.c#16 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/sparc64/pmap.c#22 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/sparc64/support.S#2 integrate
.. //depot/projects/trustedbsd/base/sys/sparc64/sparc64/trap.c#14 integrate
.. //depot/projects/trustedbsd/base/sys/sys/disklabel.h#9 integrate
.. //depot/projects/trustedbsd/base/sys/sys/file.h#10 integrate
.. //depot/projects/trustedbsd/base/sys/sys/msg.h#3 integrate
..
//depot/projects/trustedbsd/base/sys/sys/protosw.h#4 integrate .. //depot/projects/trustedbsd/base/sys/sys/socketvar.h#19 integrate .. //depot/projects/trustedbsd/base/sys/sys/ucred.h#10 integrate .. //depot/projects/trustedbsd/base/sys/sys/vnode.h#23 integrate .. //depot/projects/trustedbsd/base/usr.bin/biff/biff.1#6 integrate .. //depot/projects/trustedbsd/base/usr.bin/calendar/calendars/calendar.freebsd#13 integrate .. //depot/projects/trustedbsd/base/usr.sbin/rpc.lockd/kern.c#5 integrate Differences ... ==== //depot/projects/trustedbsd/base/bin/cp/cp.1#4 (text+ko) ==== @@ -33,9 +33,9 @@ .\" SUCH DAMAGE. .\" .\" @(#)cp.1 8.3 (Berkeley) 4/18/94 -.\" $FreeBSD: src/bin/cp/cp.1,v 1.24 2002/08/09 10:38:34 ru Exp $ +.\" $FreeBSD: src/bin/cp/cp.1,v 1.25 2002/08/16 03:13:59 johan Exp $ .\" -.Dd April 18, 1994 +.Dd July 23, 2002 .Dt CP 1 .Os .Sh NAME ==== //depot/projects/trustedbsd/base/include/stdbool.h#3 (text+ko) ==== @@ -23,7 +23,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/include/stdbool.h,v 1.5 2002/06/19 06:04:37 obrien Exp $ + * $FreeBSD: src/include/stdbool.h,v 1.6 2002/08/16 07:33:14 alfred Exp $ */ #ifndef _STDBOOL_H_ @@ -37,7 +37,7 @@ #define true 1 #define bool _Bool -#if __STDC_VERSION__ < 199901L +#if __STDC_VERSION__ < 199901L && __GNUC__ < 3 typedef int _Bool; #endif ==== //depot/projects/trustedbsd/base/lib/libc/net/inet_ntop.c#5 (text+ko) ==== @@ -18,7 +18,7 @@ static char rcsid[] = "$Id: inet_ntop.c,v 8.7 1996/08/05 08:41:18 vixie Exp $"; #endif /* LIBC_SCCS and not lint */ #include -__FBSDID("$FreeBSD: src/lib/libc/net/inet_ntop.c,v 1.10 2002/08/14 20:40:35 robert Exp $"); +__FBSDID("$FreeBSD: src/lib/libc/net/inet_ntop.c,v 1.11 2002/08/15 21:19:31 robert Exp $"); #include #include 
@@ -30,8 +30,6 @@ #include #include -#define SPRINTF(x) ((socklen_t)sprintf x) - /* * WARNING: Don't even consider trying to compile this on a system where * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX. @@ -79,13 +77,12 @@ inet_ntop4(const u_char *src, char *dst, socklen_t size) { static const char fmt[] = "%u.%u.%u.%u"; - char tmp[sizeof "255.255.255.255"]; - if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) > size) { + if ((socklen_t)snprintf(dst, size, fmt, src[0], src[1], src[2], src[3]) + >= size) { errno = ENOSPC; return (NULL); } - strcpy(dst, tmp); return (dst); } @@ -164,7 +161,7 @@ tp += strlen(tp); break; } - tp += SPRINTF((tp, "%x", words[i])); + tp += sprintf(tp, "%x", words[i]); } /* Was it a trailing run of 0x00's? */ if (best.base != -1 && (best.base + best.len) == ==== //depot/projects/trustedbsd/base/lib/libkvm/kvm_proc.c#7 (text+ko) ==== @@ -34,11 +34,11 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.50 2002/06/30 20:13:53 julian Exp $ + * $FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.51 2002/08/16 07:01:42 alfred Exp $ */ #include -__FBSDID("$FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.50 2002/06/30 20:13:53 julian Exp $"); +__FBSDID("$FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.51 2002/08/16 07:01:42 alfred Exp $"); #if defined(LIBC_SCCS) && !defined(lint) static char sccsid[] = "@(#)kvm_proc.c 8.3 (Berkeley) 9/23/93"; @@ -52,6 +52,9 @@ */ #include +#define _KERNEL +#include +#undef _KERNEL #include #include #include ==== //depot/projects/trustedbsd/base/lib/libutil/login_cap.h#4 (text+ko) ==== @@ -22,7 +22,7 @@ * Low-level routines relating to the user capabilities database * * Was login_cap.h,v 1.9 1997/05/07 20:00:01 eivind Exp - * $FreeBSD: src/lib/libutil/login_cap.h,v 1.7 2002/08/11 01:48:43 rwatson Exp $ + * $FreeBSD: src/lib/libutil/login_cap.h,v 1.8 2002/08/16 02:14:21 rwatson Exp $ */ #ifndef _LOGIN_CAP_H_ 
@@ -47,7 +47,8 @@ #define LOGIN_SETUMASK 0x0020 /* set umask, obviously */ #define LOGIN_SETUSER 0x0040 /* set user (via setuid) */ #define LOGIN_SETENV 0x0080 /* set user environment */ -#define LOGIN_SETALL 0x00ff /* set everything */ +#define LOGIN_SETMAC 0x0100 /* set user default MAC label */ +#define LOGIN_SETALL 0x01ff /* set everything */ #define BI_AUTH "authorize" /* accepted authentication */ #define BI_REJECT "reject" /* rejected authentication */ ==== //depot/projects/trustedbsd/base/libexec/comsat/comsat.8#4 (text+ko) ==== @@ -30,9 +30,9 @@ .\" SUCH DAMAGE. .\" .\" @(#)comsat.8 8.1 (Berkeley) 6/4/93 -.\" $FreeBSD: src/libexec/comsat/comsat.8,v 1.11 2002/08/13 11:05:04 ru Exp $ +.\" $FreeBSD: src/libexec/comsat/comsat.8,v 1.12 2002/08/16 03:08:25 johan Exp $ .\" -.Dd June 4, 1993 +.Dd July 9, 2002 .Dt COMSAT 8 .Os .Sh NAME ==== //depot/projects/trustedbsd/base/sbin/fsck_ffs/setup.c#10 (text+ko) ==== @@ -36,10 +36,9 @@ static const char sccsid[] = "@(#)setup.c 8.10 (Berkeley) 5/9/95"; #endif static const char rcsid[] = - "$FreeBSD: src/sbin/fsck_ffs/setup.c,v 1.35 2002/07/31 12:01:14 mux Exp $"; + "$FreeBSD: src/sbin/fsck_ffs/setup.c,v 1.36 2002/08/16 07:34:19 alfred Exp $"; #endif /* not lint */ -#define DKTYPENAMES #include #include #include ==== //depot/projects/trustedbsd/base/sbin/ipfw/ipfw.8#10 (text+ko) ==== @@ -1,7 +1,12 @@ .\" -.\" $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.105 2002/08/10 15:04:40 luigi Exp $ +.\" $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.106 2002/08/16 10:31:47 luigi Exp $ .\" -.Dd May 31, 2001 +.de NOIPFW +.br +(\\$1 NOT IN IPFW) +.br +.. +.Dd August 13, 2002 .Dt IPFW 8 .Os .Sh NAME @@ -13,11 +18,6 @@ .Cm add .Ar rule .Nm -.Op Fl q -.Cm delete -.Op Cm set -.Op Ar number ... -.Nm .Op Fl adeftNS .Brq Cm list | show .Op Ar number ... 
@@ -26,16 +26,20 @@ .Cm flush .Nm .Op Fl q -.Brq Cm zero | resetlog +.Brq Cm delete | zero | resetlog .Op Cm set .Op Ar number ... +.Pp +.Nm +.Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ... +.Nm +.Cm set move +.Op Cm rule +.Ar number Cm to Ar number .Nm -.Op Fl q -.Brq Cm disable | enable -.Cm set -.Op Ar number ... +.Cm set swap Ar number number .Nm -.Cm show sets +.Cm set show .Pp .Nm .Brq Cm pipe | queue @@ -68,6 +72,22 @@ traffic shaper in .Fx . .Pp +.Em NOTE: +this manual page refers to the newer version of +.Nm +introduced in July 2002, also known as +.Nm ipfw2 . +The commands listed here are a superset of the old +firewall, which we will call +.Nm ipfw1 +when it is necessary to distinguish between the two. +See the +.Sx IPFW2 ENHANCEMENTS +Section for a list of features which are not present in +.Nm ipfw1 . +This list can also be useful to revise your ruleset and +write them more efficiently. +.Pp An .Nm configuration, or @@ -126,10 +146,10 @@ rule, and are typically used to open the firewall on-demand to legitimate traffic only. See the -.Sx RULE FORMAT +.Sx STATEFUL FIREWALL and .Sx EXAMPLES -sections below for more information on the stateful behaviour of +Sections below for more information on the stateful behaviour of .Nm . .Pp All rules (including dynamic ones) have a few associated counters: @@ -157,6 +177,19 @@ .Cm resetlog commands. .Pp +Also, each rule belongs to one of 32 different +.Em sets +, and there are +.Nm +commands to atomically manipulate sets, such as enable, +disable, swap sets, move all rules in a set to another +one, delete all rules in a set. These can be useful to +install temporary configurations, or to test them. +See Section +.Sx SETS OF RULES +for more information on +.Em sets . +.Pp The following options are available: .Bl -tag -width indent .It Fl a 
@@ -174,8 +207,7 @@ Don't ask for confirmation for commands that can cause problems if misused, .No i.e. Cm flush . -.Em Note , -if there is no tty associated with the process, this is implied. +If there is no tty associated with the process, this is implied. .It Fl N Try to resolve addresses and service names in output. .It Fl q @@ -206,7 +238,9 @@ and the remainder of the ruleset is not processed. Access to the console would then be required to recover. .It Fl S -While listing rules, show the set each rule belongs to. +While listing rules, show the +.Em set +each rule belongs to. If this flag is not specified, disabled rules will not be listed. .It Fl s Op Ar field @@ -265,7 +299,7 @@ .Cm queue commands are used to configure the traffic shaper, as shown in the .Sx TRAFFIC SHAPER CONFIGURATION -section below. +Section below. .Sh PACKET FLOW .Nm can be invoked from multiple places in the protocol stack, @@ -404,7 +438,7 @@ If this is not possible (e.g. because we would go beyond the maximum allowed rule number), the same number of the last non-default value is used instead. -.It Ar set_number +.It Cm set Ar set_number Each rule is associated to a .Ar set_number in the range 0..31, with the latter reserved for the @@ -535,7 +569,7 @@ (for bandwidth limitation, delay, etc.). See the .Sx TRAFFIC SHAPER CONFIGURATION -section for further information. +Section for further information. The search terminates; however, on exit from the pipe and if the .Xr sysctl 8 @@ -568,7 +602,7 @@ socket bound to port .Ar port . The search terminates and the original packet is accepted -(but see section +(but see Section .Sx BUGS below). .It Cm unreach Ar code 
@@ -630,13 +664,17 @@ .Op Ar options .br .Cm MAC Ar dst-mac src-mac mac-type +.Op Cm from Ar src Cm to Ar dst .Op Ar options .Ed .Pp -where fields have the following meaning: +where the second format allows you to specify MAC header fields +instead (or in addition) of the IPv4 header fields. +.Pp +Rule fields have the following meaning: .Bl -tag -width indent .It Ar proto -An IP protocol specified by number or name (for a complete +An IPv4 protocol specified by number or name (for a complete list see .Pa /etc/protocols ) . The @@ -652,7 +690,6 @@ containing one or more of them, optionally followed by .Em port numbers. -followed by a set of port numbers. .It Ar ip address : An address (or set of addresses) specified in one of the following ways, optionally preceded by a @@ -699,7 +736,7 @@ bitmask, it takes constant time and dramatically reduces the complexity of rulesets. .El -.It Cm port numbers +.It port numbers With protocols which support port numbers (such as TCP and UDP), optional .Cm ports may be specified as one or more ports or port ranges, separated 
@@ -741,6 +778,28 @@ See the .Cm frag option for details on matching fragmented packets. +.It dst-mac, src-mac +Destination and source MAC addresses, specified as +groups of hex digits separated by commas, and optionally +followed by a mask indicating how many bits are significant: +.Pp +.Dl "ipfw add allow MAC 10:20:30:40:50:60/30 any any +.Pp +Note that the order of MAC addresses (destination first, +source second) is +the same as on the wire, but the opposite of the one used for +IP addresses. +.It mac-type +The value of the Ethernet Type field, specified in the same way as +.Cm port numbers +(i.e. one or more comma-separated single values or ranges). +You can use symbolic names for known values such as +.Em vlan , ipv4, ipv6 . +The values can be enter as decimal or hexadecimal, but they +are always printed as hexadecimal (unless the +.Cm -N +option is used, in which case symbolic resolution will be +attempted). .El .Ss RULE OPTIONS Additional match patterns can be used within 
@@ -1016,12 +1075,127 @@ .Ar user may be matched by name or identification number. .El +.Sh SETS OF RULES +Each rule belongs to one of 32 different +.Em sets +, numbered 0 to 31. +Set 31 is reserved for the default rule. +.Pp +By default, rules are put in set 0, unless you use the +.Cm set N +attribute when entering a new rule. +Sets can be individually and atomically enabled or disabled, +so this mechanism permits an easy way to store multiple configurations +of the firewall and quickly (and atomically) switch between them. +The command to enable/disable sets is +.Pp +.Nm +.Cm set disable Ar number ... Op Cm enable Ar number ... +.Pp +where multiple +.Cm enable +or +.Cm disable +sections can be specified. +Command execution is atomic on all the sets specified in the command. +By default, all sets are enabled. +.Pp +When you disable a set, its rules behave as if they were not existing +in the firewall configuration, with only one exception: +.Bl -bullet +.It +dynamic rules created from a rule before it had been disabled +will still be active until they expire. In order to delete +dynamic rules you have to explicitly delete the parent rule +which generated them; +.El +The set number of rules can be changed with the command +.Pp +.Nm +.Cm set move +.Brq Cm rule Ar rule-number | old-set +.Cm to Ar new-set +.Pp +Also, you can atomically swap two rulesets with the command +.Pp +.Nm +.Cm set swap Ar first-set second-set +.Pp +See the +.Sx EXAMPLES +Section on some possible uses of sets of rules. .Sh STATEFUL FIREWALL -To be completed. +Stateful operation is a way for the firewall to dynamically +create rules for specific flows when packets that +match a given pattern are detected. Support for stateful +operation comes through the +.Cm check-state , keep-state +and +.Cm limit +options of +.Nm rules. 
+.Pp +Dynamic rules are created when a packet matches a +.Cm keep-state +or +.Cm limit +rule, causing the creation of a +.Em dynamic +rule which will match all and only packets with +a given +.Em protocol +between a +.Em src-ip/src-port dst-ip/dst-port +pair of addresses ( +.Em src +and +.Em dst +are used here only to denote the initial match addresses, but they +are completely equivalent afterwards). +Dynamic rules will be checked at the first +.Cm check-state, keep-state +or +.Cm limit +occurrence, and the action performed upon a match will be the same +as in the parent rule. +.Pp +Note that no additional attributes other than protocol and IP addresses +and ports are checked on dynamic rules. +.Pp +The typical use of dynamic rules is to keep a closed firewall configuration, +but let the first TCP SYN packet from the inside network install a +dynamic rule for the flow so that packets belonging to that session +will be allowed through the firewall: +.Pp +.Dl "ipfw add check-state" +.Dl "ipfw add allow tcp from my-subnet to any setup" +.Dl "ipfw add deny tcp from any to any" +.Pp +A similar approach can be used for UDP, where an UDP packet coming +from the inside will install a dynamic rule to let the response through +the firewall: +.Pp +.Dl "ipfw add check-state" +.Dl "ipfw add allow udp from my-subnet to any" +.Dl "ipfw add deny udp from any to any" +.Pp +Dynamic rules expire after some time, which depends on the status +of the flow and the setting of some +.Cm sysctl +variables. +See Section +.Sx SYSCTL VARIABLES +for more details. +For TCP sessions, dynamic rules can be instructed to periodically +send keepalive packets to refresh the state of the rule when it is +about to expire. +.Pp +See Section +.Sx EXAMPLES +for more examples on how to use dynamic rules. .Sh TRAFFIC SHAPER CONFIGURATION -The .Nm -utility is also the user interface for the +is also the user interface for the .Xr dummynet 4 traffic shaper. The shaper operates by dividing packets into 
@@ -1124,22 +1298,6 @@ .Em net.inet.ip.dummynet.hash_size , allowed range is 16 to 1024. .Pp -.It Cm queue Brq Ar slots | size Ns Cm Kbytes -Queue size, in -.Ar slots -or -.Cm KBytes . -Default value is 50 slots, which -is the typical queue size for Ethernet devices. -Note that for slow speed links you should keep the queue -size short or your traffic might be affected by a significant -queueing delay. -E.g., 50 max-sized ethernet packets (1500 bytes) mean 600Kbit -or 20s of queue on a 30Kbit/s pipe. -Even worse effect can result if you get packets from an -interface with a much larger MTU, e.g. the loopback interface -with its 16KB packets. -.Pp .It Cm mask Ar mask-specifier The .Xr dummynet 4 @@ -1167,6 +1325,14 @@ weight of the queue, and all flows insisting on the same pipe share bandwidth proportionally to their weight. .Pp +.It Cm noerror +When a packet is dropped by a dummynet queue or pipe, the error +is normally reported to the caller routine in the kernel, in the +same way as it happens when a device queue fills up. Setting this +option reports the packet as successfully delivered, which can be +needed for some experimental setups where you want to simulate +loss or congestion at a remote router. +.Pp .It Cm plr Ar packet-loss-rate Packet loss rate. Argument 
@@ -1175,6 +1341,22 @@ loss, 1 meaning 100% loss. The loss rate is internally represented on 31 bits. .Pp +.It Cm queue Brq Ar slots | size Ns Cm Kbytes +Queue size, in +.Ar slots +or +.Cm KBytes . +Default value is 50 slots, which +is the typical queue size for Ethernet devices. +Note that for slow speed links you should keep the queue +size short or your traffic might be affected by a significant +queueing delay. +E.g., 50 max-sized ethernet packets (1500 bytes) mean 600Kbit +or 20s of queue on a 30Kbit/s pipe. +Even worse effect can result if you get packets from an +interface with a much larger MTU, e.g. the loopback interface +with its 16KB packets. +.Pp .It Cm red | gred Ar w_q Ns / Ns Ar min_th Ns / Ns Ar max_th Ns / Ns Ar max_p Make use of the RED (Random Early Detection) queue management algorithm. .Ar w_q 
@@ -1290,36 +1472,32 @@ .Xr sysctl 8 command what value is actually in use) and meaning: .Bl -tag -width indent +.It Em net.inet.ip.fw.autoinc_step : No 100 +Delta beween rule numbers when auto-generating them. +The value must be in the range 1..1000. +.It Em net.inet.ip.fw.curr_dyn_buckets : Em net.inet.ip.fw.dyn_buckets +The current number of buckets in the hash table for dynamic rules +(readonly). .It Em net.inet.ip.fw.debug : No 1 Controls debugging messages produced by .Nm . -.It Em net.inet.ip.fw.one_pass : No 1 -When set, the packet exiting from the -.Xr dummynet 4 -pipe is not passed though the firewall again. -Otherwise, after a pipe action, the packet is -reinjected into the firewall at the next rule. -.It Em net.inet.ip.fw.verbose : No 1 -Enables verbose messages. -.It Em net.inet.ip.fw.enable : No 1 -Enables the firewall. -Setting this variable to 0 lets you run your machine without -firewall even if compiled in. -.It Em net.inet.ip.fw.verbose_limit : No 0 -Limits the number of messages produced by a verbose firewall. .It Em net.inet.ip.fw.dyn_buckets : No 256 -.It Em net.inet.ip.fw.curr_dyn_buckets : No 256 -The configured and current size of the hash table used to -hold dynamic rules. -This must be a power of 2. -The table can only be resized when empty, so in order to -resize it on the fly you will probably have to +The number of buckets in the hash table for dynamic rules. +Must be a power of 2, up to 1^^20. +It only takes effect when all dynamic rules have expired, so you +are advised to use a .Cm flush -and reload the ruleset. +command to make sure that the hash table is resized. .It Em net.inet.ip.fw.dyn_count : No 3 Current number of dynamic rules (read-only). -.It Em net.inet.ip.fw.dyn_max : No 1000 +.It Em net.inet.ip.fw.dyn_keepalive : No 1 +Enables generation of keepalive packets for +.Cm keep-state +rules on TCP sessions. 
A keepalive is generated to both +sides of the connection every 5 seconds for the last 20 +seconds of the lifetime of the rule. +.It Em net.inet.ip.fw.dyn_max : No 8192 Maximum number of dynamic rules. When you hit this limit, no more dynamic rules can be installed until old ones expire. @@ -1333,7 +1511,31 @@ rules. Upon the initial SYN exchange the lifetime is kept short, then increased after both SYN have been seen, then decreased -again during the final FIN exchange or when a RST +again during the final FIN exchange or when a RST is received. +Both +.Em dyn_fin_lifetime +and +.Em dyn_rst_lifetime +must be strictly lower than 5 seconds, the period of +repetition of keepalives. The firewall enforces that. +.It Em net.inet.ip.fw.enable : No 1 +Enables the firewall. +Setting this variable to 0 lets you run your machine without +firewall even if compiled in. +.It Em net.inet.ip.fw.one_pass : No 1 +When set, the packet exiting from the +.Xr dummynet 4 +pipe is not passed though the firewall again. +Otherwise, after a pipe action, the packet is +reinjected into the firewall at the next rule. +.Pp +Note: bridged and layer 2 packets coming out of a pipe +are never reinjected in the firewall irrespective of the +value of this variable. +.It Em net.inet.ip.fw.verbose : No 1 +Enables verbose messages. +.It Em net.inet.ip.fw.verbose_limit : No 0 +Limits the number of messages produced by a verbose firewall. .It Em net.link.ether.ipfw : No 0 Controls whether layer-2 packets are passed to .Nm . 
@@ -1343,7 +1545,68 @@ .Nm . Default is no. .El +.Sh IPFW2 ENHANCEMENTS +This Section lists the features that have been introduced in +.Nm ipfw2 +and were not present in +.Nm ipfw1 . +We list them in order of the potential impact that they can +have in writing your rulesets. +You might want to consider using these features in order to +write your rulesets in a more efficient way. +.Bl -tag -width indent +.It Address sets +.Nm ipfw1 +does not supports address sets (those in the form +.Ar addr/masklen{num,num,...} +) +.It Port specifications +.Nm ipfw1 +only allows one port range when specifying TCP and UDP ports, and +is limited to 10 entries instead of the 15 allowed by +.Nm ipfw2 . +Also, in +.Nm ipfw1 +you can only specify ports when the rule is requesting +.Cm tcp +or +.Cm udp +packets. With +.Nm ipfw2 +you can put port specifications in rules matching all packets, +and the match will be attempted only on those packets carrying +protocols which include port identifiers. +.It Or-blocks +.Nm ipfw1 +does not support Or-blocks. All match operators are implicitly +connected by +.Cm and +operators. +.It keepalives +.Nm ipfw1 +does not generate keepalives for stateful sessions. +As a consequence, it might cause idle sessions to drop because +the lifetime of the dynamic rules expires. +.It Sets of rules +.Nm ipfw1 +does not implement sets of rules. +.It MAC header filtering and Layer-2 firewalling. +.Nm ipfw1 +does not implement filtering on MAC header fields, nor it is +invoked on packets from +.Cm ether_demux() +and +.Cm ether_output_frame(). +The sysctl variable +.Em net.link.ether.ipfw +has no effect there. +.El .Sh EXAMPLES +There are far too many possible uses of +.Nm +so this Section will only give a small set of examples. +.Pp +.Ss BASIC PACKET FILTERING This command adds an entry which denies all tcp packets from .Em cracker.evil.org to the telnet port of 
@@ -1375,6 +1638,24 @@ .Cm deny rule. .Pp +If you administer one or more subnets, you can take advantage of the +.Nm ipfw2 +syntax to specify address sets and or-blocks and write extremely +compact rulesets which selectively enable services to blocks +of clients, as below: +.Pp +.Dl "goodguys=\*q{ 10.1.2.0/24{20,35,66,18} or 10.2.3.0/28{6,3,11} }\*q" +.Dl "badguys=\*q10.1.2.0/24{8,38,60}\*q" +.Dl "" +.Dl "ipfw add allow ip from ${goodguys} to any" +.Dl "ipfw add deny ip from ${badguys} to any" +.Dl "... normal policies ..." +.Pp +The +.Nm ipfw1 +syntax would require a separate rule for each IP in the above +example. +.Ss DYNAMIC RULES In order to protect a site from flood attacks involving fake TCP packets, it is safer to use dynamic rules: .Pp @@ -1434,6 +1715,7 @@ .Pp .Dl ipfw divert 5000 ip from 192.168.2.0/24 to any in .Pp +.Ss TRAFFIC SHAPING The following rules show some of the applications of .Nm and 
@@ -1525,6 +1807,27 @@ .Dl "ipfw add pipe 2 ip from any to 192.168.2.0/24 in" .Dl "ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes" .Dl "ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes" +.Ss SETS OF RULES +To add a set of rules atomically, e.g. set 18: +.Pp +.Dl "ipfw disable set 18" +.Dl "ipfw add NN set 18 ... # repeat as needed" +.Dl "ipfw enable set 18" +.Pp +To delete a set of rules atomically the command is simply: +.Pp +.Dl "ipfw delete set 18" +.Pp +To test a ruleset and disable it and regain control if something goes wrong: +.Pp +.Dl "ipfw disable set 18" +.Dl "ipfw add NN set 18 ... # repeat as needed" +.Dl "ipfw enable set 18 ; echo done; sleep 30 && ipfw disable set 18" +.Pp +Here if everything goes well, you press control-C before the "sleep" +terminates, and your ruleset will be left active. Otherwise, e.g. if +you cannot access your box, the ruleset will be disabled after +the sleep terminates thus restoring the previous situation. .Sh SEE ALSO .Xr cpp 1 , .Xr m4 1 , ==== //depot/projects/trustedbsd/base/sbin/ipfw/ipfw2.c#6 (text+ko) ==== @@ -17,7 +17,7 @@ * * NEW command line interface for IP firewall facility * - * $FreeBSD: src/sbin/ipfw/ipfw2.c,v 1.9 2002/08/10 15:10:15 luigi Exp $ + * $FreeBSD: src/sbin/ipfw/ipfw2.c,v 1.10 2002/08/16 10:31:47 luigi Exp $ */ #include @@ -223,6 +223,7 @@ TOK_ICMPTYPES, TOK_PLR, + TOK_NOERROR, TOK_BUCKETS, TOK_DSTIP, TOK_SRCIP, @@ -241,6 +242,7 @@ struct _s_x dummynet_params[] = { { "plr", TOK_PLR }, + { "noerror", TOK_NOERROR }, { "buckets", TOK_BUCKETS }, { "dst-ip", TOK_DSTIP }, { "src-ip", TOK_SRCIP }, @@ -502,8 +504,10 @@ p[1] = b; } else if (*s == ',' || *s == '\0' ) { p[0] = p[1] = a; - } else /* invalid separator */ - break; + } else { /* invalid separator */ + errx(EX_DATAERR, "invalid separator <%c> in <%s>\n", + *s, av); + } av = s+1; } if (i > 0) { 
@@ -737,17 +741,29 @@ * show_ipfw() prints the body of an ipfw rule. * Because the standard rule has at least proto src_ip dst_ip, we use * a helper function to produce these entries if not provided explicitly. + * + * Special case: if we have provided a MAC header, and no IP specs, + * just leave it alone. + * Also, if we have providea a MAC header and no IP protocol, print it + * as "all" instead of "ip". */ -#define HAVE_PROTO 1 -#define HAVE_SRCIP 2 -#define HAVE_DSTIP 4 -#define HAVE_MAC 8 +#define HAVE_PROTO 0x0001 +#define HAVE_SRCIP 0x0002 +#define HAVE_DSTIP 0x0004 +#define HAVE_MAC 0x0008 +#define HAVE_MACTYPE 0x0010 +#define HAVE_IP (HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP) static void show_prerequisites(int *flags, int want) { + if ( (*flags & (HAVE_MAC | HAVE_MACTYPE)) == HAVE_MAC) { + printf(" any"); /* MAC type */ + *flags |= HAVE_MACTYPE; + } + if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO)) - printf(" ip"); + printf( (*flags & HAVE_MAC) ? " all" : " ip"); if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP)) printf(" from any"); if ( !(*flags & HAVE_DSTIP) && (want & HAVE_DSTIP)) @@ -907,6 +923,9 @@ break; case O_MAC_TYPE: + if ( (flags & HAVE_MAC) == 0) + printf(" MAC"); + flags |= (HAVE_MAC | HAVE_MACTYPE); print_newports((ipfw_insn_u16 *)cmd, IPPROTO_ETHERTYPE); break; 
@@ -1340,7 +1359,116 @@ } } +/* + * This one handles all set-related commands + * ipfw set { show | enable | disable } + * ipfw set swap X Y + * ipfw set move X to Y + * ipfw set move rule X to Y + */ static void +sets_handler(int ac, char *av[]) +{ + u_int32_t set_disable, masks[2]; + int i, nbytes; + u_int16_t rulenum; + u_int8_t cmd, new_set; + + ac--; + av++; + + if (!ac) + errx(EX_USAGE, "set needs command"); + if (!strncmp(*av, "show", strlen(*av)) ) { + void *data; + char *msg; + + nbytes = sizeof(struct ip_fw); + if ((data = malloc(nbytes)) == NULL) + err(EX_OSERR, "malloc"); + if (getsockopt(s, IPPROTO_IP, IP_FW_GET, data, &nbytes) < 0) + err(EX_OSERR, "getsockopt(IP_FW_GET)"); + set_disable = (u_int32_t)(((struct ip_fw *)data)->next_rule); + + for (i = 0, msg = "disable" ; i < 31; i++) + if ( (set_disable & (1<>> TRUNCATED FOR MAIL (1000 lines) <<< To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe p4-projects" in the body of the message
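Review bot: in the include/stdbool.h hunk, `#if __STDC_VERSION__ < 199901L && __GNUC__ < 3` only keeps the `typedef int _Bool` fallback for non-GCC compilers because an undefined `__GNUC__` evaluates to 0 in a preprocessor expression. That is correct, but it is the kind of condition the next reader "simplifies"; add a one-line comment that GCC 3 provides `_Bool` natively even outside C99 mode and that the `__GNUC__ < 3` test is deliberately true when `__GNUC__` is not defined at all.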
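Review bot: the `>= size` test in the new inet_ntop4() also fixes an off-by-one present in the code it replaces: the old `SPRINTF(...) > size` accepted a formatted length exactly equal to `size`, and the following `strcpy(dst, tmp)` then wrote `size + 1` bytes including the terminating NUL. Since snprintf() returns the length it would have produced, `>= size` is the right rejection condition, and the cast to socklen_t turns a negative return into a large unsigned value that also lands in the ENOSPC branch. One behaviour change deserves a comment: on the ENOSPC path snprintf() has already stored a truncated, NUL-terminated string in `dst`, whereas the old code left `dst` untouched on failure, so callers must not read `dst` after a NULL return. The remaining `sprintf(tp, "%x", words[i])` in the IPv6 path writes into a buffer not shown in this hunk; confirm it is sized for the longest textual IPv6 address plus NUL, since that call is now the only unbounded formatter left in the file.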
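Review bot: the `#define _KERNEL` / `#include` / `#undef _KERNEL` block added to lib/libkvm/kvm_proc.c (the header name is cut from the hunk as shown) pulls kernel-only declarations into a userland library, which silently changes the struct layouts and prototypes of everything declared in that header. Add a comment naming the kernel-private definition libkvm needs from it, so that when the header later grows more `#ifdef _KERNEL` sections the reason for this idiom is still visible.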
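Review bot: growing LOGIN_SETALL from 0x00ff to 0x01ff in lib/libutil/login_cap.h means every existing caller that passes LOGIN_SETALL to setusercontext(3) will now also try to apply the new LOGIN_SETMAC default MAC label. That is the intended TrustedBSD behaviour, but two things should accompany it: the login_cap(3) and login.conf(5) text for the new flag and the capability it reads is not part of this hunk and should follow, and setusercontext() must treat an absent label capability as a no-op rather than a failure, or hosts without MAC configured will stop logging users in.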
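Review bot: removing `#define DKTYPENAMES` before the include in sbin/fsck_ffs/setup.c stops this translation unit from instantiating the static name tables that macro enables; sys/sys/disklabel.h is also touched by this change (hunk not shown here), so confirm no reference to those tables remains in setup.c, otherwise the failure will only appear at link time.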
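Review bot: the `.de NOIPFW` macro defined at the top of sbin/ipfw/ipfw.8 (hunk `@@ -1,7 +1,12 @@`) is not used anywhere in the visible hunks, including the new IPFW2 ENHANCEMENTS section it was presumably written for; either mark the ipfw1-only items with it or drop the definition.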
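Review bot: in the ipfw.8 hunk `@@ -630,13 +664,17 @@`, "specify MAC header fields instead (or in addition) of the IPv4 header fields" should read "instead of (or in addition to) the IPv4 header fields".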
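Review bot: the dst-mac/src-mac text in ipfw.8 hunk `@@ -741,6 +778,28 @@` says the address is "groups of hex digits separated by commas", but the example on the next lines, `ipfw add allow MAC 10:20:30:40:50:60/30 any any`, uses colons; make the prose match the example (and the parser). In the same hunk, "The values can be enter as decimal or hexadecimal" should read "entered".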
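Review bot: the STATEFUL FIREWALL examples in ipfw.8 hunk `@@ -1016,12 +1075,127 @@` do not do what the surrounding text says. The text states that dynamic rules are created only when a packet matches a `keep-state` or `limit` rule, yet both examples, `ipfw add allow tcp from my-subnet to any setup` and `ipfw add allow udp from my-subnet to any`, carry no `keep-state`, so the `check-state` rule in front of them never has anything to match and the following `deny` drops every reply. Append `keep-state` to both allow rules. Also in this hunk: "behave as if they were not existing" should read "behave as if they did not exist", and "an UDP packet" should read "a UDP packet".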
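Review bot: in the SYSCTL VARIABLES hunk of ipfw.8 (`@@ -1290,36 +1472,32 @@`), "Must be a power of 2, up to 1^^20" for net.inet.ip.fw.dyn_buckets is a mis-typed limit; it should read 2^20 (1048576), which is the largest power of two the text can mean. Same hunk: "Delta beween rule numbers" should read "between". In the following hunk (`@@ -1333,7 +1511,31 @@`) the moved one_pass text still says "not passed though the firewall again"; fix to "through" while it is being relocated.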
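Review bot: two grammar slips in the new IPFW2 ENHANCEMENTS section (ipfw.8 hunk `@@ -1343,7 +1545,68 @@`): "does not supports address sets" should read "does not support", and "nor it is invoked on packets from ether_demux()" should read "nor is it invoked".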
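Review bot: the SETS OF RULES examples in ipfw.8 hunk `@@ -1525,6 +1807,27 @@` use `ipfw disable set 18` and `ipfw enable set 18`, which is exactly the `disable | enable set` syntax the SYNOPSIS hunk removes; the new synopsis and the SETS OF RULES section both document `ipfw set disable 18` / `ipfw set enable 18`, and the `sets_handler()` comment in ipfw2.c confirms the `set` keyword comes first. Rewrite all four example lines, including `ipfw enable set 18 ; echo done; sleep 30 && ipfw disable set 18`, to the new form. `ipfw delete set 18` is fine as written, since `delete` still takes an optional `set` per the `.Brq Cm delete | zero | resetlog` line.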
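Review bot: in the ipfw2.c hunk `@@ -502,8 +504,10 @@`, `errx(EX_DATAERR, "invalid separator <%c> in <%s>\n", *s, av)` double-terminates the line because errx() already appends a newline; drop the `\n`. Note also that `av` has been advanced by `av = s+1` for each element already parsed, so the message shows only the remainder of the argument, not the full string the user typed; keep a copy of the original pointer if the full argument is wanted in the diagnostic. Replacing the silent `break` with a hard error is the right call, since a typo used to truncate the port list without warning.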
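Review bot: in the show_prerequisites() hunk of ipfw2.c (`@@ -737,17 +741,29 @@`), the new comment line "if we have providea a MAC header" should read "provided", and the new `HAVE_IP` macro is not referenced anywhere in the visible hunks; either use it in the callers or leave it out.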
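Review bot: sets_handler() in the last ipfw2.c hunk recovers the set-disable mask with `set_disable = (u_int32_t)(((struct ip_fw *)data)->next_rule);`, that is, by reading a pointer field of the first rule returned by IP_FW_GET and truncating it to 32 bits. That is a hidden ABI contract with the kernel that should be stated in a comment here and next to the kernel side that fills it, and on the 64-bit targets in this same change (alpha, ia64, sparc64) the pointer-to-u_int32_t cast is a truncating conversion that compilers warn about; reading the value through a union or an explicit uintptr_t cast would make the intent clear. Two smaller points: `nbytes` is declared `int` but getsockopt() takes a `socklen_t *`, and `data` is malloc()ed without a visible free() (the function is cut off in this mail, so confirm it is released on every path). The `i < 31` bound is consistent with set 31 being reserved for the default rule per the manual page.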