From nobody Tue Apr 25 11:16:29 2023 X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Q5KFV1h2kz473hc; Tue, 25 Apr 2023 11:16:30 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Q5KFV1BvJz48jJ; Tue, 25 Apr 2023 11:16:30 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1682421390; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2s8JgHYRFafGGW5zMmOuQ45oH7CFNWVzxjiBWAnKtN0=; b=eDxbTj63R7W5+Gh6NOu4J/FX8mUxr5FOu9BhZ8GfADuJzURUHN965Tzc75ygpriE58zXKg 1g6UUQhK06UhJgtIdBFR4rZgZPXRWDh689aReyL9zRcOsdcrQ4htR3yJKCgqVYQxQHP6P+ LEmnoornAjcqC0OfBFNjes3wZ7kv77EAsv0RRsdqvisgLKPb5rSyFeHdGD/f/l84N81I1/ TdDbyqZw4P4wPQRVXwlDZgN3a4KMehAN7FgFtpJOTLx9Gp0CKO/eSgzx0B8AH6M1/T9oWo kKFNS/efHN+7SgOGrRwUx3QAidIomn9sHt1kqv24sRZIZ3S7uolDZ2AwWrPy7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1682421390; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=2s8JgHYRFafGGW5zMmOuQ45oH7CFNWVzxjiBWAnKtN0=; b=i4nAo8LSAXoIX5CSCtt2ZZPX5yqDI2QV3MFCvCKQHXtz9kOi0Xr2hnxvvpKkQg/WZ84XMc cWGnGOb8B7RsueGOk+xkn5fdwi1N70fe5V+9C1eYfHmVj7YSlOc3RF28kmYerrvaSK/27N IO2J12qVCofWvj3w/08LQQDG0UOMv0ARpWjKoxQ5AynLuvjnd6nN7rb7L+ZhkLz9+5QTzK KbmH9cmdE2QVsypIynUIs4n4PL87xAVH/t0jimSbEDdbXNZiW/U65BZ7i6xnE0oJsf6qZc fZyzY+eR282qn+fuB1SgRkiszAjZM45MCHggXFb97MufPrbG7OPQ1vU/GDmnpw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1682421390; a=rsa-sha256; cv=none; b=SXLxJQovcvY4I9KfgEnf5CZ50wy61NH1xtgS5tKq+eFdG1Dlk4Y9553dSVsRCBjeRMCOey 4PIZDFP6DVBLhA3bzeecmNp9ghr2qhGNYE4LLR4iRhm2etJOtEZwBegXKqNrjRgIFIGmI1 +Lk6rTCo9udEH7il6a6qEb5j45CFUhJoFRVafEsaDn3vPHAKA+JI5w9bTbNrVnhig2gPEp VQGWRcRNa0pcIFUrXdChPJOdPp/EcDJlW3/mTiX7/pBinvDHmrUtaW1TOujUMdEtmgBsH0 hZm3vRT+UaF0Is6TZ5b29Wb4YAnCTXrifLlKaMOaVqGrYiQ5FRym7dP8WjDHzQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Q5KFV0FhWz15BG; Tue, 25 Apr 2023 11:16:30 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 33PBGTwW013181; Tue, 25 Apr 2023 11:16:29 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 33PBGTBu013180; Tue, 25 Apr 2023 11:16:29 GMT (envelope-from git) Date: Tue, 25 Apr 2023 11:16:29 GMT Message-Id: <202304251116.33PBGTBu013180@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Eugene Grosbein Subject: git: 9f5dc374d0da - main - ipfw.8: improve description for interface matching List-Id: Commit messages for the main branch of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-main@freebsd.org X-BeenThere: dev-commits-src-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: eugen X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 9f5dc374d0dadb6947a9bd9ff8ff44931e1b6422 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by eugen: URL: https://cgit.FreeBSD.org/src/commit/?id=9f5dc374d0dadb6947a9bd9ff8ff44931e1b6422 commit 9f5dc374d0dadb6947a9bd9ff8ff44931e1b6422 Author: Eugene Grosbein AuthorDate: 2023-04-25 11:12:11 +0000 Commit: Eugene Grosbein CommitDate: 2023-04-25 11:16:22 +0000 ipfw.8: improve description for interface matching The manual describes "if*" form only while kernel uses fnmatch(3) and allows use for more versatile shell-like patterns. Note that explicitly and provide an example. MFC after: 3 days --- sbin/ipfw/ipfw.8 | 26 ++++++++++++++++++++++---- 1 file changed, 22 insertions(+), 4 deletions(-) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index ef66f89a4d89..884797304b78 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd January 25, 2023 +.Dd April 25, 2023 .Dt IPFW 8 .Os .Sh NAME @@ -1918,13 +1918,24 @@ However, this option doesn't imply an implicit .Cm check-state in contrast to .Cm keep-state . -.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar table Ns Po Ar name Ns Oo , Ns Ar value Oc Pc | Ar ipno | Ar any +.It Cm recv | xmit | via Brq Ar ifX | Ar ifmask | Ar table Ns Po Ar name Ns Oo , Ns Ar value Oc Pc | Ar ipno | Ar any Matches packets received, transmitted or going through, respectively, the interface specified by exact name .Po Ar ifX Pc , -by device name -.Po Ar if* Pc , +by device mask +.Po Ar ifmask Pc , by IP address, or through some interface. +.Pp +Interface +name may be matched against +.Ar ifmask +with +.Xr fnmatch 3 +according to the rules used by the shell (f.e. tun*). +See also the +.Sx EXAMPLES +section. +.Pp Table .Ar name may be used to match interface by its kernel ifindex. @@ -4223,6 +4234,12 @@ of clients, as below: .Dl "ipfw add deny ip from ${badguys} to any" .Dl "... normal policies ..." .Pp +Allow any transit packets coming from single vlan 10 and +going out to vlans 100-1000: +.Pp +.Dl "ipfw add 10 allow out recv vlan10 \e" +.Dl "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }" +.Pp The .Cm verrevpath option could be used to do automated anti-spoofing by adding the @@ -4746,6 +4763,7 @@ can be changed in a similar way as for .Sh SEE ALSO .Xr cpp 1 , .Xr m4 1 , +.Xr fnmatch 3 , .Xr altq 4 , .Xr divert 4 , .Xr dummynet 4 ,