Date: Sun, 3 Jan 2021 13:35:10 GMT
Message-Id: <202101031335.103DZA9U045456@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Gordon Bergling Subject: git: 2b29cc2621be - stable/12 - MFC r366402: ipfw(8): Bugfixes for some issues reported by mandoc MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: gbe X-Git-Repository: src X-Git-Refname: refs/heads/stable/12 X-Git-Reftype: branch X-Git-Commit: 2b29cc2621be4781298262cb3c0264932e99f459 Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for all branches of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2021 13:35:10 -0000 The branch stable/12 has been updated by gbe (doc committer): URL: https://cgit.FreeBSD.org/src/commit/?id=2b29cc2621be4781298262cb3c0264932e99f459 commit 2b29cc2621be4781298262cb3c0264932e99f459 Author: Gordon Bergling AuthorDate: 2020-10-03 18:30:01 +0000 Commit: Gordon Bergling CommitDate: 2021-01-03 13:34:02 +0000 MFC r366402: ipfw(8): Bugfixes for some issues reported by mandoc - whitespace at end of input line - new sentence, new line - skipping paragraph macro: Pp before Pp (cherry picked from commit 8636dd5703dbacff4e8f88385f98c9251526b751) --- sbin/ipfw/ipfw.8 | 109 +++++++++++++++++++++++++++++++------------------------ 1 file changed, 61 insertions(+), 48 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 4a0853274af3..c99a9252c693 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -527,9 +527,9 @@ ipfw add 10 skipto 4000 all from any to any layer2 out ether_demux and bdg_forward). .Pp Also note that only actions -.Cm allow, -.Cm deny, -.Cm netgraph, +.Cm allow , +.Cm deny , +.Cm netgraph , .Cm ngtee and related to .Cm dummynet 
@@ -682,7 +682,7 @@ to simulate the effect of multiple paths leading to out-of-order packet delivery. .Pp Note: this condition is checked before any other condition, including -ones such as +ones such as .Cm keep-state or .Cm check-state @@ -991,7 +991,8 @@ It is possible to use the .Cm tablearg keyword with a skipto for a .Em computed -skipto. Skipto may work either in O(log(N)) or in O(1) depending +skipto. +Skipto may work either in O(log(N)) or in O(1) depending on amount of memory and/or sysctl variables. See the .Sx SYSCTL VARIABLES @@ -1454,7 +1455,7 @@ or a hostname) and the mask of .Ar mask , specified as allowed by -.Xr inet_pton. +.Xr inet_pton . As an example, fe::640:0:0/ffff::ffff:ffff:0:0 will match fe:*:*:*:0:640:*:*. This form is advised only for non-contiguous @@ -1528,7 +1529,8 @@ Alias for .Cm layer2 . .It Cm defer-immediate-action | defer-action A rule with this option will not perform normal action -upon a match. This option is intended to be used with +upon a match. +This option is intended to be used with .Cm record-state or .Cm keep-state @@ -1539,8 +1541,9 @@ Rules with both and .Cm defer-immediate-action create a dynamic rule and continue with the next rule without actually -performing the action part of this rule. When the rule is later activated -via the state table, the action is performed as usual. +performing the action part of this rule. +When the rule is later activated via the state table, the action is +performed as usual. .It Cm diverted Matches only packets generated by a divert socket. .It Cm diverted-loopback @@ -1604,7 +1607,7 @@ Matches IPv6 packets containing any of the flow labels given in is a comma separated list of numeric flow labels. .It Cm frag Ar spec Matches IPv4 packets whose -.Cm ip_off +.Cm ip_off field contains the comma separated list of IPv4 fragmentation options specified in .Ar spec . 
@@ -1793,7 +1796,8 @@ packet is found. The .Ar :flowname is used to assign additional to addresses, ports and protocol parameter -to dynamic rule. It can be used for more accurate matching by +to dynamic rule. +It can be used for more accurate matching by .Cm check-state rule. The @@ -2212,8 +2216,8 @@ One or more entries can be added to a table at once using command. Addition of all items are performed atomically. By default, error in addition of one entry does not influence -addition of other entries. However, non-zero error code is returned -in that case. +addition of other entries. +However, non-zero error code is returned in that case. Special .Cm atomic keyword may be specified before @@ -2224,8 +2228,8 @@ One or more entries can be removed from a table at once using .Cm delete command. By default, error in removal of one entry does not influence -removing of other entries. However, non-zero error code is returned -in that case. +removing of other entries. +However, non-zero error code is returned in that case. .Pp It may be possible to check what entry will be found on particular .Ar table-key @@ -2983,10 +2987,12 @@ and are integer numbers specifying thresholds for queue management (thresholds are computed in bytes if the queue has been defined in bytes, in slots otherwise). -The two parameters can also be of the same value if needed. The +The two parameters can also be of the same value if needed. +The .Nm dummynet also supports the gentle RED variant (gred) and ECN (Explicit Congestion -Notification) as optional. Three +Notification) as optional. +Three .Xr sysctl 8 variables can be used to control the RED behaviour: .Bl -tag -width indent @@ -3266,7 +3272,7 @@ Skip instance in case of global state lookup (see below). .El .Pp Some specials value can be supplied instead of -.Va nat_number: +.Va nat_number : .Bl -tag -width indent .It Cm global Looks up translation state in all configured nat instances. 
@@ -3370,7 +3376,7 @@ Thus translator host should be configured as IPv4 and IPv6 router. Also this means, that a packet is handled by firewall twice. First time an original packet is handled and consumed by translator, and then it is handled again as translated packet. -This behavior can be changed by sysctl variable +This behavior can be changed by sysctl variable .Va net.inet.ip.fw.nat64_direct_output . Also translated packet can be tagged using .Cm tag @@ -3400,7 +3406,8 @@ in the states table will be dropped by translator. Make sure that translation rules handle packets, destined to configured prefix. .It Cm prefix6 Ar ipv6_prefix/length The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator -to represent IPv4 addresses. This IPv6 prefix should be configured in DNS64. +to represent IPv4 addresses. +This IPv6 prefix should be configured in DNS64. The translator implementation follows RFC6052, that restricts the length of prefixes to one of following: 32, 40, 48, 56, 64, or 96. The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long. @@ -3475,9 +3482,9 @@ you are able to see each handled packet before and after translation. .It Cm -log Turn off logging of all handled packets via BPF. .It Cm allow_private -Turn on processing private IPv4 addresses. By default IPv6 packets with -destinations mapped to private address ranges defined by RFC1918 are not -processed. +Turn on processing private IPv4 addresses. +By default IPv6 packets with destinations mapped to private address ranges +defined by RFC1918 are not processed. .It Cm -allow_private Turn off private address handling in .Nm nat64 @@ -3493,7 +3500,6 @@ To inspect a states table of stateful NAT64 the following command can be used: .Ek .Ed .Pp -.Pp Stateless NAT64 translator doesn't use a states table for translation and converts IPv4 addresses to IPv6 and vice versa solely based on the mappings taken from configured lookup tables. 
@@ -3514,7 +3520,8 @@ The following parameters can be configured: .Bl -tag -width indent .It Cm prefix6 Ar ipv6_prefix/length The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator -to represent IPv4 addresses. This IPv6 prefix should be configured in DNS64. +to represent IPv4 addresses. +This IPv6 prefix should be configured in DNS64. .It Cm table4 Ar table46 The lookup table .Ar table46 @@ -3530,9 +3537,9 @@ interface. .It Cm -log Turn off logging of all handled packets via BPF. .It Cm allow_private -Turn on processing private IPv4 addresses. By default IPv6 packets with -destinations mapped to private address ranges defined by RFC1918 are not -processed. +Turn on processing private IPv4 addresses. +By default IPv6 packets with destinations mapped to private address ranges +defined by RFC1918 are not processed. .It Cm -allow_private Turn off private address handling in .Nm nat64 @@ -3544,12 +3551,12 @@ packets differs from stateful translator. If corresponding addresses was not found in the lookup tables, the packet will not be dropped and the search continues. .Pp -.Pp .Ss XLAT464 CLAT translation XLAT464 CLAT NAT64 translator implements client-side stateless translation as defined in RFC6877 and is very similar to statless NAT64 translator -explained above. Instead of lookup tables it uses one-to-one mapping -between IPv4 and IPv6 addresses using configured prefixes. +explained above. +Instead of lookup tables it uses one-to-one mapping between IPv4 and IPv6 +addresses using configured prefixes. This mode can be used as a replacement of DNS64 service for applications that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet over IPv6-only networks with help of remote NAT64 translator. 
@@ -3571,8 +3578,8 @@ The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator to represent source IPv4 addresses. .It Cm plat_prefix Ar ipv6_prefix/length The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator -to represent destination IPv4 addresses. This IPv6 prefix should be configured -on a remote NAT64 translator. +to represent destination IPv4 addresses. +This IPv6 prefix should be configured on a remote NAT64 translator. .It Cm log Turn on logging of all handled packets via BPF through .Ar ipfwlog0 @@ -3580,7 +3587,8 @@ interface. .It Cm -log Turn off logging of all handled packets via BPF. .It Cm allow_private -Turn on processing private IPv4 addresses. By default +Turn on processing private IPv4 addresses. +By default .Nm nat64clat instance will not process IPv4 packets with destination address from private ranges as defined in RFC1918. @@ -3632,7 +3640,8 @@ and .Cm ext_if options are mutually exclusive. .It Cm prefixlen Ar length -The length of specified IPv6 prefixes. It must be in range from 8 to 64. +The length of specified IPv6 prefixes. +It must be in range from 8 to 64. .El .Pp Note that the prefix translation rules are silently ignored when IPv6 packet @@ -4086,7 +4095,7 @@ Controls the output method used by module: .Bl -tag -width indent .It Cm 0 -A packet is handled by +A packet is handled by .Nm ipfw twice. First time an original packet is handled by @@ -4277,11 +4286,11 @@ ruleset to minimize the amount of work scanning the ruleset. Your mileage may vary. .Pp For more complex scenarios with dynamic rules -.Cm record-state +.Cm record-state and .Cm defer-action can be used to precisely control creation and checking of dynamic rules. -Example of usage of these options are provided in +Example of usage of these options are provided in .Sx NETWORK ADDRESS TRANSLATION (NAT) Section. .Pp 
@@ -4552,21 +4561,24 @@ or it could be split in: .Dl "ipfw nat 5 config redirect_port tcp" .Dl " 192.168.0.1:80,192.168.0.10:22,192.168.0.20:25 500" .Pp -Sometimes you may want to mix NAT and dynamic rules. It could be achieved with +Sometimes you may want to mix NAT and dynamic rules. +It could be achieved with .Cm record-state and .Cm defer-action -options. Problem is, you need to create dynamic rule before NAT and check it +options. +Problem is, you need to create dynamic rule before NAT and check it after NAT actions (or vice versa) to have consistent addresses and ports. Rule with .Cm keep-state option will trigger activation of existing dynamic state, and action of such -rule will be performed as soon as rule is matched. In case of NAT and +rule will be performed as soon as rule is matched. +In case of NAT and .Cm allow rule packet need to be passed to NAT, not allowed as soon is possible. .Pp -There is example of set of rules to achieve this. Bear in mind that this -is example only and it is not very useful by itself. +There is example of set of rules to achieve this. +Bear in mind that this is example only and it is not very useful by itself. .Pp On way out, after all checks place this rules: .Pp @@ -4579,10 +4591,11 @@ And on way in there should be something like this: .Dl "ipfw add check-state" .Pp Please note, that first rule on way out doesn't allow packet and doesn't -execute existing dynamic rules. All it does, create new dynamic rule with +execute existing dynamic rules. +All it does, create new dynamic rule with .Cm allow -action, if it is not created yet. Later, this dynamic rule is used on way -in by +action, if it is not created yet. +Later, this dynamic rule is used on way in by .Cm check-state rule. .Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM @@ -4593,7 +4606,7 @@ AQM can be configured for .Nm dummynet .Cm pipe or -.Cm queue. +.Cm queue . .Pp To configure a .Cm pipe 
@@ -4665,7 +4678,7 @@ to 10ms, we do: .Dl "ipfw sched 1 config pipe 1 type fq_codel target 10ms noecn" .Pp Similar to -.Cm fq_codel, +.Cm fq_codel , to configure .Cm fq_pie scheduler using different configurations parameters for traffic from
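Review bot: in the @@ -1454 hunk, `.Xr inet_pton .` fixes the trailing punctuation but still omits the manual section argument that `.Xr` expects, which mandoc reports separately (missing section argument); since the line is being touched anyway, write it as `.Xr inet_pton 3 .` so the cross-reference renders and links as inet_pton(3).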
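Review bot: in the @@ -2212 hunk, the unchanged context line "Addition of all items are performed atomically." contradicts the rewritten lines right after it, which say that an error in one entry does not influence the others and only a non-zero error code is returned unless the `atomic` keyword is given; while these sentences are being reflowed, reword the context line to what is actually meant (for example "All items are added in a single request.") so the default non-atomic behaviour is not misdescribed, and the same applies to the parallel wording in the @@ -2224 hunk.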
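Review bot: in the @@ -3544 hunk, removing only one of the two `.Pp` lines leaves a `.Pp` immediately before `.Ss XLAT464 CLAT translation`, which mandoc flags the same way (skipping paragraph macro: Pp before Ss) because a subsection header already starts a new paragraph; drop both lines there. The @@ -3493 hunk needs no such change, since its remaining `.Pp` is followed by text rather than a section macro.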
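Review bot: in the @@ -4277 hunk, the line "Example of usage of these options are provided in" has a subject/verb mismatch that the whitespace-only change leaves in place; since the line is already in the hunk, make it "Examples of usage of these options are provided in" (or "An example ... is provided in", whichever matches the NAT section).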
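Review bot: in the @@ -4552 hunk, the rewritten sentences keep the non-native phrasing while splitting them: "Problem is, you need to create dynamic rule before NAT" and "There is example of set of rules to achieve this. / Bear in mind that this is example only". Since these lines are being rewritten for the new-sentence-new-line rule, fix the articles at the same time, e.g. "The problem is that you need to create the dynamic rule before NAT and check it after NAT actions (or vice versa)" and "The following is an example set of rules that achieves this. / Bear in mind that it is an example only and is not very useful by itself."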
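Review bot: in the @@ -4579 hunk, "All it does, create new dynamic rule with" is ungrammatical and the hunk rewrites that exact line; suggest "All it does is create a new dynamic rule with / .Cm allow / action, if one does not exist yet." so the sentence reads correctly after the split.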