Date: Fri, 28 Apr 2023 05:52:39 GMT
From: Eugene Grosbein <eugen@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject: git: f1c5c9353c0e - stable/13 - ipfw.8: MFC: improve description for interface matching
Message-ID: <202304280552.33S5qdB9019483@gitrepo.freebsd.org>
The branch stable/13 has been updated by eugen: URL: https://cgit.FreeBSD.org/src/commit/?id=f1c5c9353c0ea70fcf058666fbbfa648ad3637c6 commit f1c5c9353c0ea70fcf058666fbbfa648ad3637c6 Author: Eugene Grosbein <eugen@FreeBSD.org> AuthorDate: 2023-04-25 11:12:11 +0000 Commit: Eugene Grosbein <eugen@FreeBSD.org> CommitDate: 2023-04-28 05:52:15 +0000 ipfw.8: MFC: improve description for interface matching The manual describes "if*" form only while kernel uses fnmatch(3) and allows use for more versatile shell-like patterns. Note that explicitly and provide an example. (cherry picked from commit 9f5dc374d0dadb6947a9bd9ff8ff44931e1b6422) --- sbin/ipfw/ipfw.8 | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 3c5308b29821..40299e70ed27 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 4, 2022 +.Dd April 25, 2023 .Dt IPFW 8 .Os .Sh NAME @@ -1912,13 +1912,24 @@ However, this option doesn't imply an implicit .Cm check-state in contrast to .Cm keep-state . -.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar table Ns Po Ar name Ns Oo , Ns Ar value Oc Pc | Ar ipno | Ar any +.It Cm recv | xmit | via Brq Ar ifX | Ar ifmask | Ar table Ns Po Ar name Ns Oo , Ns Ar value Oc Pc | Ar ipno | Ar any Matches packets received, transmitted or going through, respectively, the interface specified by exact name .Po Ar ifX Pc , -by device name -.Po Ar if* Pc , +by device mask +.Po Ar ifmask Pc , by IP address, or through some interface. +.Pp +Interface +name may be matched against +.Ar ifmask +with +.Xr fnmatch 3 +according to the rules used by the shell (f.e. tun*). +See also the +.Sx EXAMPLES +section. +.Pp Table .Ar name may be used to match interface by its kernel ifindex. 
@@ -4217,6 +4228,12 @@ of clients, as below: .Dl "ipfw add deny ip from ${badguys} to any" .Dl "... normal policies ..." .Pp +Allow any transit packets coming from single vlan 10 and +going out to vlans 100-1000: +.Pp +.Dl "ipfw add 10 allow out recv vlan10 \e" +.Dl "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }" +.Pp The .Cm verrevpath option could be used to do automated anti-spoofing by adding the @@ -4740,6 +4757,7 @@ can be changed in a similar way as for .Sh SEE ALSO .Xr cpp 1 , .Xr m4 1 , +.Xr fnmatch 3 , .Xr altq 4 , .Xr divert 4 , .Xr dummynet 4 ,
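Review bot: In the hunk at -1912,13 +1912,24, the new paragraph never says that an ifmask containing *, ? or [ ] must be quoted or escaped on the command line so that the shell passes it to ipfw unexpanded. The EXAMPLES hunk does quote its pattern, but a reader who stops at "(f.e. tun*)" will type the mask bare. Suggest adding one sentence on quoting here. In the same parenthesis, "f.e." is not a usual abbreviation in manual pages; "e.g.," reads better, and the tun* pattern should get the same markup as the other literals in this item. The sentence is also split after "Interface", leaving "name may be matched against" on its own source line; joining the two keeps the roff source readable.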
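Review bot: In the hunk at -4217,6 +4228,12, the mask in "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }" is looser than the stated range "vlans 100-1000". Under the fnmatch(3) rules the description now refers to, each ? matches any single character, not only a digit, so this allow rule also covers any interface whose name is vlan followed by a digit 1-9 and two arbitrary characters. Suggest vlan[1-9][0-9][0-9], which limits the match to vlan100 through vlan999 next to the explicit xmit vlan1000 and makes the example do exactly what its introductory sentence says.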