PERFORCE change 146644 for review
Gleb Kurtsou
gk at FreeBSD.org
Mon Aug 4 18:47:31 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=146644
Change 146644 by gk at gk_h1 on 2008/08/04 18:46:31
Document arp-op, {src,dst}-arp. Sort options in alphabetical order.
Update ipfw usage.
Affected files ...
.. //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw.8#5 edit
.. //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw2.c#9 edit
Differences ...
==== //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw.8#5 (text+ko) ====
@@ -390,7 +390,7 @@
.Cm ip6_input() .
Note that as a rule only incoming packets are tagged, but
.Cm bridge
-appends tag to outgoing packets.
+appends tag to outgoing packets too.
Therefore dynamic rules (like rules created by
.Cm keep-state
option) do not check specified MAC header options if there is no
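Review bot: the replacement line "appends tag to outgoing packets too." is still missing its article; use "appends the tag to outgoing packets as well." The sentence is the premise for the "Therefore dynamic rules ... do not check specified MAC header options" conclusion that follows, so it should also say plainly that outgoing packets carry the tag only on the bridge path, which is what makes the conclusion hold for every other path.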
@@ -1146,6 +1146,19 @@
You can have comment-only rules, which are listed as having a
.Cm count
action followed by the comment.
+.It Cm arp-op Ar arp-op
+Matches Address Resolution Protocol (ARP) packets whose
+.Em Operation
+field corresponds to one of those specified as argument.
+.Ar arp-op
+is specified in the same way as port numbers (i.e., one or more
+comma-separated single values or ranges). You can use symbolic names
+for known values such as
+.Em request , reply , rev_request , rev_reply , inv_request , inv_reply .
+Values can be entered as decimal or hexadecimal (if prefixed by 0x), and
+they are always printed as hexadecimal (unless the
+.Cm -N
+option is used, in which case symbolic resolution will be attempted).
.It Cm bridged
Alias for
.Cm layer2 .
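Review bot: the arp-op entry says what the Operation field is compared against but not what the option implies for non-ARP traffic: does arp-op by itself restrict the rule to ARP frames (and therefore to layer2 / bridged processing), or must the rule also carry "ether-type arp"? One sentence after "field corresponds to one of those specified as argument." settles it, e.g. "Packets that are not ARP never match." The symbolic-name list is fine, but the values behind request, reply, rev_request, rev_reply, inv_request and inv_reply are never given; since the option is also "specified in the same way as port numbers" with numeric ranges, state the numeric opcode for each name (or point to the header they come from) so a reader can write a range that covers them.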
@@ -1157,6 +1170,16 @@
.It Cm diverted-output
Matches only packets going from a divert socket back outward to the IP
stack output for delivery.
+.It Cm dst-arp Ar dst-arp
+Matches Address Resolution Protocol (ARP) packets whose
+.Em Target protocol address (TPA)
+and optionally
+.Em Target hardware address (THA)
+fields correspond to entry in the lookup table
+.Ar dst-arp .
+See the
+.Sx LOOKUP TABLES
+section below for more information on lookup tables.
.It Cm dst-ether Ar dst-ether
Match packets with a given destination MAC address
.Ar dst-ether Ns ,
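Review bot: "fields correspond to entry in the lookup table" needs an article ("to an entry"), but the larger gap is the "optionally Target hardware address (THA)" clause: the text never says how the optional THA match is enabled. The usage string in ipfw2.c spells the argument as "table(t[,v])", so presumably the table value selects or supplies the hardware address; document that syntax here (table number, optional value, and what the value is compared against), because the LOOKUP TABLES section this entry points to describes IP-address lookups only as far as the visible text goes.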
@@ -1177,6 +1200,19 @@
specified as argument.
.It Cm established
Matches TCP packets that have the RST or ACK bits set.
+.It Cm ether-type Ar ether-type
+Matches packets whose Ethernet Type field
+corresponds to one of those specified as argument.
+.Ar ether-type
+is specified in the same way as
+.Cm port numbers
+(i.e., one or more comma-separated single values or ranges).
+You can use symbolic names for known values such as
+.Em vlan , ipv4, ipv6 .
+Values can be entered as decimal or hexadecimal (if prefixed by 0x),
+and they are always printed as hexadecimal (unless the
+.Cm -N
+option is used, in which case symbolic resolution will be attempted).
.It Cm ext6hdr Ar header
Matches IPv6 packets containing the extended header given by
.Ar header .
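Review bot: this block is the ether-type text moved verbatim from its old position, so two markup nits moved with it. ".Cm port numbers" marks plain prose as a command keyword; "port numbers" should be plain text (or ".Ar port numbers" if you want it set off). In ".Em vlan , ipv4, ipv6" the comma after vlan is a separate trailing-punctuation argument but "ipv4," is one word, so the comma after ipv4 gets emphasized; write ".Em vlan , ipv4 , ipv6" as the arp-op entry above does. Also, with arp-op, src-arp and dst-arp now documented, an "arp" symbolic name is the obvious companion in this list if the ether-type parser accepts one.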
@@ -1381,19 +1417,6 @@
specified.
Currently,
only IPv4 flows are supported.
-.It Cm ether-type Ar ether-type
-Matches packets whose Ethernet Type field
-corresponds to one of those specified as argument.
-.Ar ether-type
-is specified in the same way as
-.Cm port numbers
-(i.e., one or more comma-separated single values or ranges).
-You can use symbolic names for known values such as
-.Em vlan , ipv4, ipv6 .
-Values can be entered as decimal or hexadecimal (if prefixed by 0x),
-and they are always printed as hexadecimal (unless the
-.Cm -N
-option is used, in which case symbolic resolution will be attempted).
.It Cm proto Ar protocol
Matches packets with the corresponding IP protocol.
.It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar ipno | Ar any
@@ -1442,6 +1465,16 @@
Matches TCP packets that have the SYN bit set but no ACK bit.
This is the short form of
.Dq Li tcpflags\ syn,!ack .
+.It Cm src-arp Ar src-arp
+Matches Address Resolution Protocol (ARP) packets whose
+.Em Sender protocol address (SPA)
+and optionally
+.Em Sender hardware address (SHA)
+fields correspond to entry in the lookup table
+.Ar src-arp .
+See the
+.Sx LOOKUP TABLES
+section below for more information on lookup tables.
.It Cm src-ether Ar src-ether
Match packets with a given source MAC address
.Ar src-ether Ns ,
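Review bot: src-arp mirrors dst-arp word for word, including "correspond to entry in the lookup table" (missing "an") and the undocumented "optionally Sender hardware address (SHA)" match. Fix both entries the same way, or describe the table argument and the optional hardware-address match once under dst-arp and have src-arp say "like dst-arp, but on the Sender protocol address (SPA) and Sender hardware address (SHA) fields" so the two descriptions cannot drift apart.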
@@ -1742,16 +1775,13 @@
.Em dst
are used here only to denote the initial match addresses, but they
are completely equivalent afterwards).
-If rule specifies
-.Em src-ether
-and/or
-.Em dst-ether
-address they are also used to match packets.
+If rule specifies ethernet source or destination address it is also used
+by dynamic rule to match packets.
But note that packets without
.Cm l2tag
appended to them match against such dynamic rules, because
.Cm l2tag
-presents only in incoming or outgoing packets, but not in both.
+usually presents only in incoming or outgoing packets, but not in both.
Dynamic rules will be checked at the first
.Cm check-state, keep-state
or
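Review bot: both added lines have grammar problems. "If rule specifies ethernet source or destination address it is also used by dynamic rule to match packets." should read "If the rule specifies an Ethernet source or destination address, it is also used by the dynamic rule to match packets." and "usually presents only in incoming or outgoing packets" should be "is usually present only in incoming or outgoing packets". More importantly, "packets without l2tag appended to them match against such dynamic rules" is ambiguous between "are matched against" and "do match"; given the earlier statement that dynamic rules do not check MAC header options when there is no tag, say explicitly that untagged packets are matched by the dynamic rule without the MAC addresses being checked.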
==== //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw2.c#9 (text+ko) ====
@@ -2793,7 +2793,8 @@
"IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]\n"
"ETHERADDR: { any | multicast | ether }\n"
"OPTION_LIST: OPTION [OPTION_LIST]\n"
-"OPTION: bridged | diverted | diverted-loopback | diverted-output |\n"
+"OPTION: arp-op LIST | bridged | diverted | diverted-loopback |\n"
+" {dst-arp|src-arp} table(t[,v]) | diverted-output |\n"
" {dst-ip|src-ip} IPADDR | {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |\n"
" {dst-port|src-port} LIST |\n"
" estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |\n"
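Review bot: the commit message says the options were sorted alphabetically, but the usage string now reads "... | diverted-loopback |\n {dst-arp|src-arp} table(t[,v]) | diverted-output |", putting diverted-output after dst-arp. Keep "diverted | diverted-loopback | diverted-output |" together on the first line and start the second with "{dst-arp|src-arp} table(t[,v]) |". Also, "table(t[,v])" introduces a token that, unlike LIST, IPADDR or IP6ADDR, is not defined anywhere in the visible usage grammar; either add a "TABLE: table(number[,value])" line alongside IPLIST and ETHERADDR or spell it as "table(N[,V])" so the placeholders are recognizably parameters.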