PERFORCE change 143890 for review
Gleb Kurtsou
gk at FreeBSD.org
Sat Jun 21 18:27:18 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=143890
Change 143890 by gk at gk_h1 on 2008/06/21 18:27:01
update man pages and ipfw usage
Affected files ...
.. //depot/projects/soc2008/gk_l2filter/sbin-ifconfig/ifconfig.8#2 edit
.. //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw.8#2 edit
.. //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw2.c#6 edit
.. //depot/projects/soc2008/gk_l2filter/share-man4/if_bridge.4#2 edit
Differences ...
==== //depot/projects/soc2008/gk_l2filter/sbin-ifconfig/ifconfig.8#2 (text+ko) ====
@@ -240,6 +240,27 @@
If the Address Resolution Protocol is enabled,
the host will perform normally,
sending out requests and listening for replies.
+.It Cm l2tag
+Special tag containing source and destination layer 2 addresses will be
+attached to every packet passing through interface.
+Note that only incoming or outgoing packets may be tagged (but not both), it is
+interface dependant.
+.It Fl l2tag
+Disable special packet tagging with layer 2 addresses.
+.It Cm l2filter
+Perform layer 2 filtering of packets passing through interface.
+This option doesn't imply
+.Cm l2tag
+option.
+With
+.Cm l2filter
+specified packets are passed to firewall as they were received from wire.
+But
+.Cm l2tag
+just tags packet and usual layer 3 filtering is performed.
+.It Fl l2filter
+Disable layer 2 filtering.
+Higher level filtering will perform normally.
.It Cm broadcast
(Inet only.)
Specify the address to use to represent broadcasts to the
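Review bot: the new l2tag/l2filter paragraphs need wording fixes before commit: "dependant" should be "dependent", and "Special tag containing source and destination layer 2 addresses will be attached to every packet passing through interface" needs articles ("A special tag ... is attached to every packet passing through the interface"). In the l2filter text, "passed to firewall as they were received from wire" should read "passed to the firewall as if they had been received from the wire", and "usual layer 3 filtering" should be "the usual layer 3 filtering". More importantly, "only incoming or outgoing packets may be tagged (but not both), it is interface dependant" gives the administrator no way to know which direction a given interface tags, yet the ipfw.8 text in this same change relies on that to explain when MAC options in dynamic rules are enforced; state the rule here (the ipfw.8 hunk says incoming as a rule, outgoing for bridge) or cross-reference ipfw(8).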
==== //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw.8#2 (text+ko) ====
@@ -45,7 +45,7 @@
.Cm set show
.Pp
.Nm
-.Cm table Ar number Cm add Ar addr Ns Oo / Ns Ar masklen Oc Op Ar value
+.Cm table Ar number Cm add Ar addr Ns Oo / Ns Ar masklen Oc Oo Cm ether Ar etheraddr Oc Op Ar value
.Nm
.Cm table Ar number Cm delete Ar addr Ns Op / Ns Ar masklen
.Nm
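Review bot: the synopsis adds `Oo Cm ether Ar etheraddr Oc` to `table N add` but leaves `table N delete` as `addr[/masklen]` only. If a table may hold several entries for the same prefix that differ only by MAC, delete cannot address one of them; if it may not, say that delete removes the entry regardless of its MAC. Either way the delete form, the usage string in ipfw2.c and the later table description should agree with the add form.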
@@ -332,9 +332,9 @@
to temporarily disable the firewall to regain access to the network,
allowing you to fix the problem.
.Sh PACKET FLOW
-A packet is checked against the active ruleset in multiple places
-in the protocol stack, under control of several sysctl variables.
-These places and variables are shown below, and it is important to
+A packet is checked against the active ruleset in multiple places in the
+protocol stack, under control of several sysctl variables and interface flags.
+These places and variables and flags are shown below, and it is important to
have this picture in mind in order to design a correct ruleset.
.Bd -literal -offset indent
^ to upper layers V
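Review bot: "These places and variables and flags are shown below" reads awkwardly; suggest "These places, variables and flags are shown below".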
@@ -342,11 +342,12 @@
+----------->-----------+
^ V
[ip(6)_input] [ip(6)_output] net.inet(6).ip(6).fw.enable=1
+ | | (l2tag interface flag)
| |
^ V
- [ether_demux] [ether_output_frame] net.link.ether.ipfw=1
+ [ether_demux] [ether_output_frame] l2filter interface flag
| |
- +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1
+ +-->----[bridge]----->--+ l2filter interface flag
^ V
| to devices |
.Ed
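Review bot: the right-hand column now labels both the ether_demux/ether_output_frame path and the bridge path with "l2filter interface flag" but does not say whose flag. For a bridged frame both the member interface and the bridge interface exist, and the reader cannot tell which interface's l2filter setting enables the check on the `+-->----[bridge]----->--+` line. A parenthetical like the one added for l2tag on the ip(6)_input line would settle it.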
@@ -370,13 +371,39 @@
or
.Cm ip6_input() .
.Pp
+Note that packets do
+.Em not
+contain IP header when invoked from
+.Cm ether_demux() , ether_output_frame()
+or
+.Cm bridge .
+.Pp
+In order to filter by both MAC and IP headers interface flag
+.Cm l2tag
+should be used.
+When enabled a special tag containing MAC header is appended to incoming
+packets. Tag is used when
+.Nm
+invoked from
+.Cm ip_input()
+or
+.Cm ip6_input() .
+Note that as a rule only incoming packets are tagged, but
+.Cm bridge
+appends tag to outgoing packets.
+Therefore dynamic rules (like rules created by
+.Cm keep-state
+option) do not check specified MAC header options if there is no
+.Cm l2tag
+tag appended to packet.
+.Pp
Also note that each packet is always checked against the complete ruleset,
irrespective of the place where the check occurs, or the source of the packet.
If a rule contains some match patterns or actions which are not valid
for the place of invocation (e.g.\& trying to match a MAC header within
.Cm ip_input
or
-.Cm ip6_input ),
+.Cm ip6_input ) Ns ,
the match pattern will not match, but a
.Cm not
operator in front of such patterns
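Review bot: the added paragraphs have several wording problems. "Note that packets do not contain IP header when invoked from ether_demux()" makes packets the subject of "invoked"; say "when the firewall is invoked from". "In order to filter by both MAC and IP headers interface flag l2tag should be used" needs a comma after "headers" and "the l2tag interface flag". "Tag is used when invoked from ip_input()" should be "The tag is consulted when the firewall is invoked from". Substantively, the "Therefore dynamic rules ... do not check specified MAC header options if there is no l2tag tag appended to packet" sentence does not follow from the preceding one about bridge tagging outgoing packets; it is an independent and important statement (MAC options in a dynamic rule are silently skipped for untagged packets), so give it its own sentence and state it plainly, since an administrator may otherwise assume a keep-state rule with src-ether enforces the MAC in both directions.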
@@ -390,7 +417,7 @@
.Cm skipto
rules can be useful here, as an example:
.Bd -literal -offset indent
-# packets from ether_demux or bdg_forward
+# packets from ether_demux or bridge
ipfw add 10 skipto 1000 all from any to any layer2 in
# packets from ip_input
ipfw add 10 skipto 2000 all from any to any not layer2 in
@@ -401,7 +428,7 @@
.Ed
.Pp
(yes, at the moment there is no way to differentiate between
-ether_demux and bdg_forward).
+ether_demux and bridge).
.Sh SYNTAX
In general, each keyword or argument must be provided as
a separate command line argument, with no leading or trailing
@@ -1121,6 +1148,15 @@
.It Cm diverted-output
Matches only packets going from a divert socket back outward to the IP
stack output for delivery.
+.It Cm dst-ether Ar dst-ether
+Match packets with a given destination MAC address
+.Ar dst-ether Ns ,
+specified as the
+.Cm any
+keyword (matching any MAC address),
+.Cm muticast
+keyword (matching multicast MAC addresses), or six groups of hex digits
+separated by colons.
.It Cm dst-ip Ar ip-address
Matches IPv4 packets whose destination IP is one of the address(es)
specified as argument.
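Review bot: `.Cm muticast` is a typo for "multicast" (the ipfw2.c usage string in this change spells it "multicast"). The MAC option this replaces documented `/bits` and `&mask` forms for partial-address matching; dst-ether lists only any, multicast and a full six-group address. Either masks are no longer accepted and that should be called out as a behaviour change, or they still work and should be documented here.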
@@ -1336,48 +1372,10 @@
specified.
Currently,
only IPv4 flows are supported.
-.It Cm { MAC | mac } Ar dst-mac src-mac
-Match packets with a given
-.Ar dst-mac
-and
-.Ar src-mac
-addresses, specified as the
-.Cm any
-keyword (matching any MAC address), or six groups of hex digits
-separated by colons,
-and optionally followed by a mask indicating the significant bits.
-The mask may be specified using either of the following methods:
-.Bl -enum -width indent
-.It
-A slash
-.Pq /
-followed by the number of significant bits.
-For example, an address with 33 significant bits could be specified as:
-.Pp
-.Dl "MAC 10:20:30:40:50:60/33 any"
-.Pp
-.It
-An ampersand
-.Pq &
-followed by a bitmask specified as six groups of hex digits separated
-by colons.
-For example, an address in which the last 16 bits are significant could
-be specified as:
-.Pp
-.Dl "MAC 10:20:30:40:50:60&00:00:00:00:ff:ff any"
-.Pp
-Note that the ampersand character has a special meaning in many shells
-and should generally be escaped.
-.Pp
-.El
-Note that the order of MAC addresses (destination first,
-source second) is
-the same as on the wire, but the opposite of the one used for
-IP addresses.
-.It Cm mac-type Ar mac-type
+.It Cm ether-type Ar ether-type
Matches packets whose Ethernet Type field
corresponds to one of those specified as argument.
-.Ar mac-type
+.Ar ether-type
is specified in the same way as
.Cm port numbers
(i.e., one or more comma-separated single values or ranges).
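Review bot: removing the `MAC`/`mac` and `mac-type` keywords outright breaks every existing ruleset that uses them. Consider keeping them as accepted aliases for src-ether/dst-ether and ether-type with a deprecation note, or at least add a compatibility paragraph mapping the old syntax to the new. The mask syntax and the "destination first, source second" ordering note disappear with the paragraph; if masks are still accepted by the new options, that text should move rather than be dropped.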
@@ -1435,6 +1433,15 @@
Matches TCP packets that have the SYN bit set but no ACK bit.
This is the short form of
.Dq Li tcpflags\ syn,!ack .
+.It Cm src-ether Ar src-ether
+Match packets with a given source MAC address
+.Ar src-ether Ns ,
+specified as the
+.Cm any
+keyword (matching any MAC address),
+.Cm muticast
+keyword (matching multicast MAC addresses), or six groups of hex digits
+separated by colons.
.It Cm src-ip Ar ip-address
Matches IPv4 packets whose source IP is one of the address(es)
specified as an argument.
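Review bot: same typo as in dst-ether: `.Cm muticast` should be `.Cm multicast`. Since src-ether and dst-ether share one address syntax, describe it once and cross-reference from both entries so the two descriptions cannot drift apart.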
@@ -1591,6 +1598,8 @@
is not specified, it defaults to 32.
When looking up an IP address in a table, the most specific
entry will match.
+Optionally each entry specifies MAC address
+.Pq Cm ether Ar etheraddr Ns .
Associated with each entry is a 32-bit unsigned
.Ar value ,
which can optionally be checked by a rule matching code.
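Review bot: "Optionally each entry specifies MAC address (ether etheraddr)." says the field exists but not how lookup uses it: whether an entry carrying a MAC matches only when both the prefix and the MAC match, what happens for a packet that carries no l2tag (the PACKET FLOW text in this change says MAC options are skipped for untagged packets), and whether the most-specific-entry rule still decides when two entries for one prefix differ only by MAC. One or two sentences here would answer that. Grammar: "Optionally, each entry may specify a MAC address".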
@@ -1716,6 +1725,16 @@
.Em dst
are used here only to denote the initial match addresses, but they
are completely equivalent afterwards).
+If rule specifies
+.Em src-ether
+and/or
+.Em dst-ether
+address they are also used to match packets.
+But note that packets without
+.Cm l2tag
+appended to them match against such dynamic rules, because
+.Cm l2tag
+presents only in incoming or outgoing packets, but not in both.
Dynamic rules will be checked at the first
.Cm check-state, keep-state
or
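Review bot: "l2tag presents only in incoming or outgoing packets" should read "is present only in incoming or outgoing packets", and "If rule specifies" should be "If the rule specifies". The caveat itself is the key security consequence of this change and is buried: a dynamic rule carrying src-ether/dst-ether accepts any untagged packet of the flow, so the MAC constraint is enforced in one direction only. Say that directly, and state which direction for the common cases (the PACKET FLOW text says incoming as a rule, outgoing for bridge) so an administrator can judge the exposure.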
==== //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw2.c#6 (text+ko) ====
@@ -2728,7 +2728,7 @@
" redirect_port linkspec|redirect_proto linkspec}\n"
"set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n"
"set N {show|list|zero|resetlog|delete} [N{,N}] | flush\n"
-"table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}\n"
+"table N {add ip[/bits] [ether ETHERADDR] [value] | delete ip[/bits] | flush | list}\n"
"\n"
"RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n"
"ACTION: check-state | allow | count | deny | unreach{,6} CODE |\n"
@@ -2742,6 +2742,7 @@
"IP6ADDR: [not] { any | me | me6 | ip6/bits | IP6LIST }\n"
"IP6LIST: { ip6 | ip6/bits }[,IP6LIST]\n"
"IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]\n"
+"ETHERADDR: { any | multicast | ether }\n"
"OPTION_LIST: OPTION [OPTION_LIST]\n"
"OPTION: bridged | diverted | diverted-loopback | diverted-output |\n"
" {dst-ip|src-ip} IPADDR | {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |\n"
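Review bot: `"ETHERADDR: { any | multicast | ether }\n"` uses the bare word "ether" for a literal address where the neighbouring grammar lines spell out the concrete form (ip/bits, ip:mask); something like `xx:xx:xx:xx:xx:xx` would be clearer. IPADDR and IP6ADDR show `[not]`; if src-ether/dst-ether accept the generic not prefix, show it here too so the usage text stays consistent.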
@@ -2750,9 +2751,10 @@
" iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |\n"
" ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n"
" icmp6types LIST | ext6hdr LIST | flow-id N[,N] | fib FIB |\n"
-" mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n"
-" setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n"
-" tcpdatalen LIST | verrevpath | versrcreach | antispoof\n"
+" {src-ether|dst-ether} ETHERADDR | ether-type LIST | proto LIST |\n"
+" {recv|xmit|via} {IF|IPADDR} | setup | {tcpack|tcpseq|tcpwin} NN |\n"
+" tcpflags SPEC | tcpoptions SPEC | tcpdatalen LIST |\n"
+" verrevpath | versrcreach | antispoof\n"
);
exit(0);
}
==== //depot/projects/soc2008/gk_l2filter/share-man4/if_bridge.4#2 (text+ko) ====
@@ -171,6 +171,14 @@
to only allow IP packets to pass (subject to firewall rules), set to
.Li 0
to unconditionally pass all non-IP Ethernet frames.
+.It Va net.link.bridge.pfil_layer2_arp
+Set to
+.Li 1
+to enable layer2 ARP filtering with
+.Xr pfil 9 ,
+set to
+.Li 0
+to disable it.
.It Va net.link.bridge.pfil_member
Set to
.Li 1
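Review bot: the removed net.link.bridge.ipfw_arp entry stated its dependency ("Requires ipfw to be enabled"); the new net.link.bridge.pfil_layer2_arp entry should do the same for its pfil(9) counterpart, i.e. say whether it has any effect unless pfil_bridge or pfil_member is also set, and whether it is on or off by default.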
@@ -192,36 +200,6 @@
Set to
.Li 0
to disable this feature.
-.It Va net.link.bridge.ipfw
-Set to
-.Li 1
-to enable layer2 filtering with
-.Xr ipfirewall 4 ,
-set to
-.Li 0
-to disable it.
-This needs to be enabled for
-.Xr dummynet 4
-support.
-When
-.Va ipfw
-is enabled,
-.Va pfil_bridge
-and
-.Va pfil_member
-will be disabled so that IPFW
-is not run twice; these can be re-enabled if desired.
-.It Va net.link.bridge.ipfw_arp
-Set to
-.Li 1
-to enable layer2 ARP filtering with
-.Xr ipfirewall 4 ,
-set to
-.Li 0
-to disable it.
-Requires
-.Va ipfw
-to be enabled.
.El
.Pp
ARP and REVARP packets are forwarded without being filtered and others
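Review bot: removing net.link.bridge.ipfw also removes the two facts its description carried: that layer-2 ipfw was needed for dummynet(4) on a bridge, and that enabling it disabled pfil_bridge and pfil_member so IPFW would not run twice. The replacement text should say how dummynet is now reached on a bridge (presumably via the l2filter interface flag documented in ifconfig.8 in this change) and whether setting l2filter on a bridge together with pfil_bridge/pfil_member causes a frame to be filtered twice. As it stands, if_bridge.4 no longer mentions l2filter at all.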