From: "Alexander V. Chernikov" Date: Fri, 3 Oct 2014 15:36:59 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r272477 - projects/ipfw/sbin/ipfw X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Oct 2014 15:36:59 -0000 Author: melifaro Date: Fri Oct 3 15:36:58 2014 New Revision: 272477 URL: https://svnweb.freebsd.org/changeset/base/272477 Log: Document new table values. Sponsored by: Yandex LLC Modified: projects/ipfw/sbin/ipfw/ipfw.8 Modified: projects/ipfw/sbin/ipfw/ipfw.8 ============================================================================== --- projects/ipfw/sbin/ipfw/ipfw.8 Fri Oct 3 15:07:43 2014 (r272476) +++ projects/ipfw/sbin/ipfw/ipfw.8 Fri Oct 3 15:36:58 2014 (r272477) @@ -118,6 +118,8 @@ in-kernel NAT. .Cm internal iflist .Nm .Cm internal talist +.Nm +.Cm internal vlist .Sh DESCRIPTION The .Nm @@ -1918,18 +1920,6 @@ Matches packet fields specified by type suboptions with table entries. .El .Pp -The following value format types are supported: -.Bl -tag -width indent -.It Ar value-ftype : Ar number | ip -.It Cm number -Default for -.Ar number -value type. -Shows values as unsigned integer. -.It Cm ip -Show values as IPv4 addresses. -.El -.Pp Tables require explicit creation via .Cm create before use. 
@@ -1937,13 +1927,12 @@ before use. The following creation options are supported: .Bl -tag -width indent .It Ar create-options : Ar create-option | create-options -.It Ar create-option : Cm type Ar table-type | Cm ftype Ar value-ftype | Cm algo Ar algo-desc | +.It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc | .Cm limit Ar number | Cm locked .It Cm type Table key type. -.It Cm ftype -Table value format type. -Affects userland formatting only. +.It Cm valtype +Table value mask. .It Cm algo Table algorithm to use (see below). .It Cm limit @@ -1958,10 +1947,7 @@ keyword. The following options can be changed: .Bl -tag -width indent .It Ar modify-options : Ar modify-option | modify-options -.It Ar modify-option : Cm ftype Ar value-ftype | Cm limit Ar number -.It Cm ftype -Set table value format type. -Affects userland formatting only. +.It Ar modify-option : Cm limit Ar number .It Cm limit Alter maximum number of items that may be inserted into table. .El @@ -1974,8 +1960,6 @@ commands. .Pp Tables of the same .Ar type -and -.Ar valtype can be swapped with each other using .Cm swap Ar name command. @@ -2035,8 +2019,7 @@ The following lookup algorithms are supp Separate Radix trees for IPv4 and IPv6, the same way as the routing table (see .Xr route 4 ) . Default choice for -.Ar -addr +.Ar addr type. .It Cm addr:hash Separate auto-growing hashes for IPv4 and IPv6. 
@@ -2066,12 +2049,36 @@ This can significantly reduce number of If two tables are used in a rule, the result of the second (destination) is used. .Pp +Each record may hold one or more values according to +.Ar value-mask . +This mask is set on table creation via +.Cm valtype +option. The following value types are supported: .Bl -tag -width indent -.It Ar value-type : Ar number -.It Cm number -Default value type. -If value is not specified, defaults to 0. +.It Ar value-mask : Ar value-type Ns Op , Ns Ar value-mask +.It Ar value-type : Ar skipto | pipe | fib | nat | dscp | tag | divert | +.Ar netgraph | limit | ipv4 +.It Cm skipto +rule number to jump to. +.It Cm pipe +Pipe number to use. +.It Cm fib +fib number to match/set. +.It Cm nat +nat number to jump to. +.It Cm dscp +dscp value to match/set. +.It Cm tag +tag number to match/set. +.It Cm divert +port number to divert traffic to. +.It Cm netgraph +hook number to move packet to. +.It Cm limit +maximum number of connections. +.It Cm ipv4 +IPv4 nexthop to fwd packets to. .El .Pp The @@ -2083,20 +2090,14 @@ action parameters: rule options: .Cm limit, tagged. .Pp -When used with -.Cm fwd -it is possible to supply table entries with values -that are in the form of IP addresses or hostnames. -See the -.Sx EXAMPLES -Section for example usage of tables and the tablearg keyword. -.Pp When used with the .Cm skipto action, the user should be aware that the code will walk the ruleset -up to a rule equal to, or past, the given number, -and should therefore try keep the -ruleset compact between the skipto and the target rules. +up to a rule equal to, or past, the given number. +.Pp +See the +.Sx EXAMPLES +Section for example usage of tables and the tablearg keyword. .Sh SETS OF RULES Each rule or table belongs to one of 32 different .Em sets 
@@ -3473,15 +3474,16 @@ action, the table entries may include ho .Pp In the following example per-interface firewall is created: .Pp -.Dl "ipfw table IN create type iface" -.Dl "ipfw table IN add vlan20 12000" -.Dl "ipfw table IN add vlan30 13000" -.Dl "ipfw table OUT create type iface" +.Dl "ipfw table IN create type iface valtype skipto,fib" +.Dl "ipfw table IN add vlan20 12000,12" +.Dl "ipfw table IN add vlan30 13000,13" +.Dl "ipfw table OUT create type iface valtype skipto" .Dl "ipfw table OUT add vlan20 22000" .Dl "ipfw table OUT add vlan30 23000" .Dl ".." -.Dl "ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(IN)' in" -.Dl "ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(OUT)' out" +.Dl "ipfw add 100 ipfw setfib tablearg ip from any to any recv 'table(IN)' in" +.Dl "ipfw add 200 ipfw skipto tablearg ip from any to any recv 'table(IN)' in" +.Dl "ipfw add 300 ipfw skipto tablearg ip from any to any xmit 'table(OUT)' out" .Pp The following example illustrate usage of flow tables: .Pp
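Review bot: In the @@ -118,6 +118,8 @@ synopsis hunk, `.Cm internal vlist` is added after `internal talist`, but no hunk in this patch says what the subcommand prints. Add a sentence describing it, for instance next to the new value-mask text, so the subcommand is not documented by its synopsis line alone.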
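Review bot: In the @@ -1937,13 +1927,12 @@ hunk, the new `.It Cm valtype` entry says only "Table value mask." and does not state which mask a table gets when `valtype` is left out of `create`. Please give the default here and refer the reader to the `value-mask` / `value-type` list added later in this patch, since that list is where the accepted keywords are defined.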
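Review bot: In the @@ -1974,8 +1960,6 @@ hunk, the `swap` text loses "and .Ar valtype" in the same commit that makes `valtype` a real creation option. If tables with different value masks can now be swapped, say what happens to rules that read the table through `tablearg` after the swap (a number stored as `skipto` would be read under another mask); if matching masks are still required, keep the two removed lines.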
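Review bot: In the @@ -2066,12 +2049,36 @@ hunk, the new value-mask text never says how the values given to `table ... add` map onto the mask, and the removed sentence "If value is not specified, defaults to 0." has no replacement. The example later in the patch (`valtype skipto,fib` with `12000,12`) implies positional order; state that explicitly and say what an omitted value becomes. The `.It` descriptions also mix capitalisation ("rule number to jump to." next to "Pipe number to use."), and the keywords in the `value-type` line are marked `.Ar` while the items below use `.Cm`.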
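Review bot: In the @@ -2083,20 +2090,14 @@ hunk, the removed `fwd` paragraph was the only place stating that table values may be IP addresses or hostnames, while the new `ipv4` type is described as an IPv4 nexthop and the EXAMPLES context in the last hunk header still begins "the table entries may include ho". Reconcile the two so it is clear whether hostnames are still accepted. The `skipto` paragraph also drops the advice to keep the ruleset compact between the skipto and its target; the remaining sentence describes the walk but no longer tells the reader what to do about it.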
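Review bot: In the @@ -3473,15 +3474,16 @@ example hunk, the three added rule lines carry a stray `ipfw` after the rule number (`ipfw add 100 ipfw setfib tablearg ...`), inherited from the lines they replace; the token after the number should be the action, so these should read `ipfw add 100 setfib tablearg ...` and likewise for rules 200 and 300. Since rules 100 and 200 both match `recv 'table(IN)' in` against a table created with `valtype skipto,fib`, a sentence noting that each action picks its own value from the record would make the example self-explanatory.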