PERFORCE change 16110 for review

Robert Watson rwatson at freebsd.org
Fri Aug 16 13:51:48 GMT 2002


http://people.freebsd.org/~peter/p4db/chv.cgi?CH=16110

Change 16110 by rwatson at rwatson_tislabs on 2002/08/16 06:51:26

	Integ changes from the trustedbsd base tree: includes the fo_stat/fo_poll
	credential changes and the libutil SETLABEL->SETMAC rename.
	Further tweaks will be needed to get everything compiling again.

Affected files ...

.. //depot/projects/trustedbsd/mac/bin/cp/cp.1#4 integrate
.. //depot/projects/trustedbsd/mac/include/stdbool.h#3 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/inet_ntop.c#5 integrate
.. //depot/projects/trustedbsd/mac/lib/libkvm/kvm_proc.c#6 integrate
.. //depot/projects/trustedbsd/mac/lib/libutil/login_cap.h#5 integrate
.. //depot/projects/trustedbsd/mac/libexec/comsat/comsat.8#4 integrate
.. //depot/projects/trustedbsd/mac/sbin/fsck_ffs/setup.c#10 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipfw/ipfw.8#9 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipfw/ipfw2.c#6 integrate
.. //depot/projects/trustedbsd/mac/sbin/nfsiod/nfsiod.c#6 integrate
.. //depot/projects/trustedbsd/mac/share/man/man4/uhid.4#3 integrate
.. //depot/projects/trustedbsd/mac/share/misc/iso3166#4 integrate
.. //depot/projects/trustedbsd/mac/sys/alpha/osf1/osf1_misc.c#10 integrate
.. //depot/projects/trustedbsd/mac/sys/compat/linux/linux_stats.c#11 edit
.. //depot/projects/trustedbsd/mac/sys/dev/usb/ohci.c#14 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/usb/ulpt.c#9 integrate
.. //depot/projects/trustedbsd/mac/sys/fs/fdescfs/fdesc_vnops.c#8 integrate
.. //depot/projects/trustedbsd/mac/sys/fs/fifofs/fifo_vnops.c#12 integrate
.. //depot/projects/trustedbsd/mac/sys/fs/msdosfs/msdosfs_denode.c#8 integrate
.. //depot/projects/trustedbsd/mac/sys/ia64/ia64/vm_machdep.c#13 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/kern_descrip.c#28 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/kern_event.c#11 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/sys_generic.c#14 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/sys_pipe.c#23 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/sys_socket.c#12 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/uipc_socket.c#36 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/uipc_socket2.c#24 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#78 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_vnops.c#51 integrate
.. //depot/projects/trustedbsd/mac/sys/modules/cam/Makefile#3 integrate
.. //depot/projects/trustedbsd/mac/sys/netinet/ip_fw2.c#4 integrate
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_debug.h#2 integrate
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_timer.h#4 integrate
.. //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#19 integrate
.. //depot/projects/trustedbsd/mac/sys/nfsclient/nfs_lock.c#11 integrate
.. //depot/projects/trustedbsd/mac/sys/nfsclient/nfs_lock.h#4 integrate
.. //depot/projects/trustedbsd/mac/sys/pci/uhci_pci.c#4 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/include/pcb.h#4 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/include/pmap.h#12 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/include/tlb.h#9 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/sparc64/genassym.c#14 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/sparc64/pmap.c#20 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/sparc64/support.S#2 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/sparc64/trap.c#13 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/disklabel.h#9 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/file.h#12 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/msg.h#3 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/protosw.h#4 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/socketvar.h#24 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/ucred.h#17 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/vnode.h#44 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/biff/biff.1#6 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/calendar/calendars/calendar.freebsd#12 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/rpc.lockd/kern.c#3 integrate

Differences ...

==== //depot/projects/trustedbsd/mac/bin/cp/cp.1#4 (text+ko) ====

@@ -33,9 +33,9 @@
 .\" SUCH DAMAGE.
 .\"
 .\"	@(#)cp.1	8.3 (Berkeley) 4/18/94
-.\" $FreeBSD: src/bin/cp/cp.1,v 1.24 2002/08/09 10:38:34 ru Exp $
+.\" $FreeBSD: src/bin/cp/cp.1,v 1.25 2002/08/16 03:13:59 johan Exp $
 .\"
-.Dd April 18, 1994
+.Dd July 23, 2002
 .Dt CP 1
 .Os
 .Sh NAME

==== //depot/projects/trustedbsd/mac/include/stdbool.h#3 (text+ko) ====

@@ -23,7 +23,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/include/stdbool.h,v 1.5 2002/06/19 06:04:37 obrien Exp $
+ * $FreeBSD: src/include/stdbool.h,v 1.6 2002/08/16 07:33:14 alfred Exp $
  */
 
 #ifndef _STDBOOL_H_
@@ -37,7 +37,7 @@
 #define	true	1
 
 #define	bool	_Bool
-#if __STDC_VERSION__ < 199901L
+#if __STDC_VERSION__ < 199901L && __GNUC__ < 3
 typedef	int	_Bool;
 #endif
 

==== //depot/projects/trustedbsd/mac/lib/libc/net/inet_ntop.c#5 (text+ko) ====

@@ -18,7 +18,7 @@
 static char rcsid[] = "$Id: inet_ntop.c,v 8.7 1996/08/05 08:41:18 vixie Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/lib/libc/net/inet_ntop.c,v 1.10 2002/08/14 20:40:35 robert Exp $");
+__FBSDID("$FreeBSD: src/lib/libc/net/inet_ntop.c,v 1.11 2002/08/15 21:19:31 robert Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -30,8 +30,6 @@
 #include <stdio.h>
 #include <string.h>
 
-#define SPRINTF(x) ((socklen_t)sprintf x)
-
 /*
  * WARNING: Don't even consider trying to compile this on a system where
  * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
@@ -79,13 +77,12 @@
 inet_ntop4(const u_char *src, char *dst, socklen_t size)
 {
 	static const char fmt[] = "%u.%u.%u.%u";
-	char tmp[sizeof "255.255.255.255"];
 
-	if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) > size) {
+	if ((socklen_t)snprintf(dst, size, fmt, src[0], src[1], src[2], src[3])
+	    >= size) {
 		errno = ENOSPC;
 		return (NULL);
 	}
-	strcpy(dst, tmp);
 	return (dst);
 }
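Review bot: The cast in `(socklen_t)snprintf(...) >= size` maps a negative snprintf return (an output error) onto a large unsigned value, so a failure inside snprintf is reported as ENOSPC rather than as its own error; with the fixed `"%u.%u.%u.%u"` format that is unlikely, but a comment saying it is accepted deliberately would stop the next reader from treating it as a bug, e.g. `/* a negative (error) return wraps to a large socklen_t and is reported as ENOSPC */` above the `if`. Note also that `size == 0` now goes straight to ENOSPC because any return value is `>= 0`, which is the right outcome but not obvious from the expression.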
 
@@ -164,7 +161,7 @@
 			tp += strlen(tp);
 			break;
 		}
-		tp += SPRINTF((tp, "%x", words[i]));
+		tp += sprintf(tp, "%x", words[i]);
 	}
 	/* Was it a trailing run of 0x00's? */
 	if (best.base != -1 && (best.base + best.len) ==
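Review bot: `tp += sprintf(tp, "%x", words[i]);` keeps the unbounded sprintf that the removed SPRINTF macro wrapped, while the IPv4 path in the same commit moved to snprintf; the write is bounded only by the sizing of the destination buffer, which is declared in inet_ntop6 outside this hunk and cannot be checked here. If that buffer is sized for the longest textual IPv6 form, a comment at its declaration stating that invariant (e.g. `/* sized for the longest possible text form; the sprintf calls below rely on it */`) would make the dependency explicit; otherwise the same bounded-write pattern as inet_ntop4 would be the consistent fix. The enclosing function starts and ends outside the hunk.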

==== //depot/projects/trustedbsd/mac/lib/libkvm/kvm_proc.c#6 (text+ko) ====

@@ -34,11 +34,11 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.50 2002/06/30 20:13:53 julian Exp $
+ * $FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.51 2002/08/16 07:01:42 alfred Exp $
  */
 
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.50 2002/06/30 20:13:53 julian Exp $");
+__FBSDID("$FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.51 2002/08/16 07:01:42 alfred Exp $");
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)kvm_proc.c	8.3 (Berkeley) 9/23/93";
@@ -52,6 +52,9 @@
  */
 
 #include <sys/param.h>
+#define _KERNEL
+#include <sys/ucred.h>
+#undef _KERNEL
 #include <sys/user.h>
 #include <sys/proc.h>
 #include <sys/exec.h>
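Review bot: The `#define _KERNEL` / `#include <sys/ucred.h>` / `#undef _KERNEL` sequence has no comment explaining why userland code needs the kernel-only view of the header, and the unconditional `#undef` would also remove a `_KERNEL` that was already defined before this point (unlikely for libkvm, but the construct does not guard against it). A comment such as `/* libkvm reads struct ucred out of the kernel image, so it needs the _KERNEL layout of sys/ucred.h -- confirm this is the reason the macro is toggled here */` would document the intent. Headers included after this line that transitively include sys/ucred.h will get whatever the first include produced, which is worth confirming against the non-kernel view they expect.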

==== //depot/projects/trustedbsd/mac/lib/libutil/login_cap.h#5 (text+ko) ====

@@ -22,7 +22,7 @@
  * Low-level routines relating to the user capabilities database
  *
  *	Was login_cap.h,v 1.9 1997/05/07 20:00:01 eivind Exp
- * $FreeBSD: src/lib/libutil/login_cap.h,v 1.7 2002/08/11 01:48:43 rwatson Exp $
+ * $FreeBSD: src/lib/libutil/login_cap.h,v 1.8 2002/08/16 02:14:21 rwatson Exp $
  */
 
 #ifndef _LOGIN_CAP_H_
@@ -47,7 +47,7 @@
 #define LOGIN_SETUMASK		0x0020		/* set umask, obviously */
 #define LOGIN_SETUSER		0x0040		/* set user (via setuid) */
 #define LOGIN_SETENV		0x0080		/* set user environment */
-#define LOGIN_SETLABEL		0x0100		/* set user MAC label */
+#define LOGIN_SETMAC		0x0100		/* set user default MAC label */
 #define LOGIN_SETALL		0x01ff		/* set everything */
 
 #define BI_AUTH		"authorize"		/* accepted authentication */

==== //depot/projects/trustedbsd/mac/libexec/comsat/comsat.8#4 (text+ko) ====

@@ -30,9 +30,9 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)comsat.8	8.1 (Berkeley) 6/4/93
-.\" $FreeBSD: src/libexec/comsat/comsat.8,v 1.11 2002/08/13 11:05:04 ru Exp $
+.\" $FreeBSD: src/libexec/comsat/comsat.8,v 1.12 2002/08/16 03:08:25 johan Exp $
 .\"
-.Dd June 4, 1993
+.Dd July 9, 2002
 .Dt COMSAT 8
 .Os
 .Sh NAME

==== //depot/projects/trustedbsd/mac/sbin/fsck_ffs/setup.c#10 (text+ko) ====

@@ -36,10 +36,9 @@
 static const char sccsid[] = "@(#)setup.c	8.10 (Berkeley) 5/9/95";
 #endif
 static const char rcsid[] =
-  "$FreeBSD: src/sbin/fsck_ffs/setup.c,v 1.35 2002/07/31 12:01:14 mux Exp $";
+  "$FreeBSD: src/sbin/fsck_ffs/setup.c,v 1.36 2002/08/16 07:34:19 alfred Exp $";
 #endif /* not lint */
 
-#define DKTYPENAMES
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <sys/disklabel.h>
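Review bot: Removing `#define DKTYPENAMES` ahead of `<sys/disklabel.h>` changes which definitions that header emits for this translation unit; whether setup.c still refers to the type-name table cannot be seen from this hunk, so it should be confirmed against the `sys/sys/disklabel.h#9` change listed in this same integration. A brief comment, or a line in the commit text naming the disklabel.h change it pairs with, would make the dependency traceable.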

==== //depot/projects/trustedbsd/mac/sbin/ipfw/ipfw.8#9 (text+ko) ====

@@ -1,7 +1,12 @@
 .\"
-.\" $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.105 2002/08/10 15:04:40 luigi Exp $
+.\" $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.106 2002/08/16 10:31:47 luigi Exp $
 .\"
-.Dd May 31, 2001
+.de NOIPFW
+.br
+(\\$1 NOT IN IPFW)
+.br
+..
+.Dd August 13, 2002
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -13,11 +18,6 @@
 .Cm add
 .Ar rule
 .Nm
-.Op Fl q
-.Cm delete
-.Op Cm set
-.Op Ar number ...
-.Nm
 .Op Fl adeftNS
 .Brq Cm list | show
 .Op Ar number ...
@@ -26,16 +26,20 @@
 .Cm flush
 .Nm
 .Op Fl q
-.Brq Cm zero | resetlog
+.Brq Cm delete | zero | resetlog
 .Op Cm set
 .Op Ar number ...
+.Pp
+.Nm
+.Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ...
+.Nm
+.Cm set move
+.Op Cm rule
+.Ar number Cm to Ar number
 .Nm
-.Op Fl q
-.Brq Cm disable | enable
-.Cm set
-.Op Ar number ...
+.Cm set swap Ar number number
 .Nm
-.Cm show sets
+.Cm set show
 .Pp
 .Nm
 .Brq Cm pipe | queue
@@ -68,6 +72,22 @@
 traffic shaper in
 .Fx .
 .Pp
+.Em NOTE:
+this manual page refers to the newer version of
+.Nm
+introduced in July 2002, also known as
+.Nm ipfw2 .
+The commands listed here are a superset of the old
+firewall, which we will call
+.Nm ipfw1
+when it is necessary to distinguish between the two.
+See the
+.Sx IPFW2 ENHANCEMENTS
+Section for a list of features which are not present in
+.Nm ipfw1 .
+This list can also be useful to revise your ruleset and
+write them more efficiently.
+.Pp
 An
 .Nm
 configuration, or
@@ -126,10 +146,10 @@
 rule, and are typically used to open the firewall on-demand to
 legitimate traffic only.
 See the
-.Sx RULE FORMAT
+.Sx STATEFUL FIREWALL
 and
 .Sx EXAMPLES
-sections below for more information on the stateful behaviour of
+Sections below for more information on the stateful behaviour of
 .Nm .
 .Pp
 All rules (including dynamic ones) have a few associated counters:
@@ -157,6 +177,19 @@
 .Cm resetlog
 commands.
 .Pp
+Also, each rule belongs to one of 32 different
+.Em sets
+, and there are
+.Nm
+commands to atomically manipulate sets, such as enable,
+disable, swap sets, move all rules in a set to another
+one, delete all rules in a set. These can be useful to
+install temporary configurations, or to test them.
+See Section
+.Sx SETS OF RULES
+for more information on
+.Em sets .
+.Pp
 The following options are available:
 .Bl -tag -width indent
 .It Fl a
@@ -174,8 +207,7 @@
 Don't ask for confirmation for commands that can cause problems
 if misused,
 .No i.e. Cm flush .
-.Em Note ,
-if there is no tty associated with the process, this is implied.
+If there is no tty associated with the process, this is implied.
 .It Fl N
 Try to resolve addresses and service names in output.
 .It Fl q
@@ -206,7 +238,9 @@
 and the remainder of the ruleset is not processed.
 Access to the console would then be required to recover.
 .It Fl S
-While listing rules, show the set each rule belongs to.
+While listing rules, show the
+.Em set
+each rule belongs to.
 If this flag is not specified, disabled rules will not be
 listed.
 .It Fl s Op Ar field
@@ -265,7 +299,7 @@
 .Cm queue
 commands are used to configure the traffic shaper, as shown in the
 .Sx TRAFFIC SHAPER CONFIGURATION
-section below.
+Section below.
 .Sh PACKET FLOW
 .Nm
 can be invoked from multiple places in the protocol stack,
@@ -404,7 +438,7 @@
 If this is not possible (e.g. because we would go beyond the
 maximum allowed rule number), the same number of the last
 non-default value is used instead.
-.It Ar set_number
+.It Cm set Ar set_number
 Each rule is associated to a
 .Ar set_number
 in the range 0..31, with the latter reserved for the
@@ -535,7 +569,7 @@
 (for bandwidth limitation, delay, etc.).
 See the
 .Sx TRAFFIC SHAPER CONFIGURATION
-section for further information.
+Section for further information.
 The search terminates; however, on exit from the pipe and if
 the
 .Xr sysctl 8
@@ -568,7 +602,7 @@
 socket bound to port
 .Ar port .
 The search terminates and the original packet is accepted
-(but see section
+(but see Section
 .Sx BUGS
 below).
 .It Cm unreach Ar code
@@ -630,13 +664,17 @@
 .Op Ar options
 .br
 .Cm MAC Ar dst-mac src-mac mac-type
+.Op Cm from Ar src Cm to Ar dst
 .Op Ar options
 .Ed
 .Pp
-where fields have the following meaning:
+where the second format allows you to specify MAC header fields
+instead (or in addition) of the IPv4 header fields.
+.Pp
+Rule fields have the following meaning:
 .Bl -tag -width indent
 .It Ar proto
-An IP protocol specified by number or name (for a complete
+An IPv4 protocol specified by number or name (for a complete
 list see
 .Pa /etc/protocols ) .
 The
@@ -652,7 +690,6 @@
 containing one or more of them,
 optionally followed by
 .Em port numbers.
-followed by a set of port numbers.
 .It Ar ip address :
 An address (or set of addresses) specified in one of the following
 ways, optionally preceded by a
@@ -699,7 +736,7 @@
 bitmask, it takes constant time and dramatically reduces
 the complexity of rulesets.
 .El
-.It Cm port numbers
+.It port numbers
 With protocols which support port numbers (such as TCP and UDP), optional
 .Cm ports
 may be specified as one or more ports or port ranges, separated
@@ -741,6 +778,28 @@
 See the
 .Cm frag
 option for details on matching fragmented packets.
+.It dst-mac, src-mac
+Destination and source MAC addresses, specified as
+groups of hex digits separated by commas, and optionally
+followed by a mask indicating how many bits are significant:
+.Pp
+.Dl "ipfw add allow MAC 10:20:30:40:50:60/30 any any
+.Pp
+Note that the order of MAC addresses (destination first,
+source second) is
+the same as on the wire, but the opposite of the one used for
+IP addresses.
+.It mac-type
+The value of the Ethernet Type field, specified in the same way as
+.Cm port numbers
+(i.e. one or more comma-separated single values or ranges).
+You can use symbolic names for known values such as
+.Em vlan , ipv4, ipv6 .
+The values can be enter as decimal or hexadecimal, but they
+are always printed as hexadecimal (unless the
+.Cm -N
+option is used, in which case symbolic resolution will be
+attempted).
 .El
 .Ss RULE OPTIONS
 Additional match patterns can be used within
@@ -1016,12 +1075,127 @@
 .Ar user
 may be matched by name or identification number.
 .El
+.Sh SETS OF RULES
+Each rule belongs to one of 32 different
+.Em sets
+, numbered 0 to 31.
+Set 31 is reserved for the default rule.
+.Pp
+By default, rules are put in set 0, unless you use the
+.Cm set N
+attribute when entering a new rule.
+Sets can be individually and atomically enabled or disabled,
+so this mechanism permits an easy way to store multiple configurations
+of the firewall and quickly (and atomically) switch between them.
+The command to enable/disable sets is
+.Pp
+.Nm
+.Cm set disable Ar number ... Op Cm enable Ar number ...
+.Pp
+where multiple
+.Cm enable
+or
+.Cm disable
+sections can be specified.
+Command execution is atomic on all the sets specified in the command.
+By default, all sets are enabled.
+.Pp
+When you disable a set, its rules behave as if they were not existing
+in the firewall configuration, with only one exception:
+.Bl -bullet
+.It
+dynamic rules created from a rule before it had been disabled
+will still be active until they expire. In order to delete
+dynamic rules you have to explicitly delete the parent rule
+which generated them;
+.El
+The set number of rules can be changed with the command
+.Pp
+.Nm   
+.Cm set move
+.Brq Cm rule Ar rule-number | old-set
+.Cm to Ar new-set
+.Pp
+Also, you can atomically swap two rulesets with the command
+.Pp
+.Nm
+.Cm set swap Ar first-set second-set
+.Pp
+See the
+.Sx EXAMPLES
+Section on some possible uses of sets of rules.
 .Sh STATEFUL FIREWALL
-To be completed.
+Stateful operation is a way for the firewall to dynamically
+create rules for specific flows when packets that
+match a given pattern are detected. Support for stateful
+operation comes through the
+.Cm check-state , keep-state
+and
+.Cm limit
+options of
+.Nm rules.
+.Pp
+Dynamic rules are created when a packet matches a
+.Cm keep-state
+or
+.Cm limit
+rule, causing the creation of a
+.Em dynamic
+rule which will match all and only packets with
+a given
+.Em protocol
+between a
+.Em src-ip/src-port dst-ip/dst-port
+pair of addresses (
+.Em src
+and
+.Em dst
+are used here only to denote the initial match addresses, but they
+are completely equivalent afterwards).
+Dynamic rules will be checked at the first
+.Cm check-state, keep-state
+or
+.Cm limit
+occurrence, and the action performed upon a match will be the same
+as in the parent rule.
+.Pp
+Note that no additional attributes other than protocol and IP addresses
+and ports are checked on dynamic rules.
+.Pp
+The typical use of dynamic rules is to keep a closed firewall configuration,
+but let the first TCP SYN packet from the inside network install a
+dynamic rule for the flow so that packets belonging to that session
+will be allowed through the firewall:
+.Pp
+.Dl "ipfw add check-state"
+.Dl "ipfw add allow tcp from my-subnet to any setup"
+.Dl "ipfw add deny tcp from any to any"
+.Pp
+A similar approach can be used for UDP, where an UDP packet coming
+from the inside will install a dynamic rule to let the response through
+the firewall:
+.Pp
+.Dl "ipfw add check-state"
+.Dl "ipfw add allow udp from my-subnet to any"
+.Dl "ipfw add deny udp from any to any"
+.Pp
+Dynamic rules expire after some time, which depends on the status
+of the flow and the setting of some
+.Cm sysctl
+variables.
+See Section
+.Sx SYSCTL VARIABLES
+for more details.
+For TCP sessions, dynamic rules can be instructed to periodically
+send keepalive packets to refresh the state of the rule when it is
+about to expire.
+.Pp
+See Section
+.Sx EXAMPLES
+for more examples on how to use dynamic rules.
 .Sh TRAFFIC SHAPER CONFIGURATION
-The
 .Nm
-utility is also the user interface for the
+is also the user interface for the
 .Xr dummynet 4
 traffic shaper.
 The shaper operates by dividing packets into
@@ -1124,22 +1298,6 @@
 .Em net.inet.ip.dummynet.hash_size ,
 allowed range is 16 to 1024.
 .Pp
-.It Cm queue Brq Ar slots | size Ns Cm Kbytes
-Queue size, in
-.Ar slots
-or
-.Cm KBytes .
-Default value is 50 slots, which
-is the typical queue size for Ethernet devices.
-Note that for slow speed links you should keep the queue
-size short or your traffic might be affected by a significant
-queueing delay.
-E.g., 50 max-sized ethernet packets (1500 bytes) mean 600Kbit
-or 20s of queue on a 30Kbit/s pipe.
-Even worse effect can result if you get packets from an
-interface with a much larger MTU, e.g. the loopback interface
-with its 16KB packets.
-.Pp
 .It Cm mask Ar mask-specifier
 The
 .Xr dummynet 4
@@ -1167,6 +1325,14 @@
 weight of the queue, and all flows insisting on the same pipe
 share bandwidth proportionally to their weight.
 .Pp
+.It Cm noerror
+When a packet is dropped by a dummynet queue or pipe, the error
+is normally reported to the caller routine in the kernel, in the
+same way as it happens when a device queue fills up. Setting this
+option reports the packet as successfully delivered, which can be
+needed for some experimental setups where you want to simulate
+loss or congestion at a remote router.
+.Pp
 .It Cm plr Ar packet-loss-rate
 Packet loss rate.
 Argument
@@ -1175,6 +1341,22 @@
 loss, 1 meaning 100% loss.
 The loss rate is internally represented on 31 bits.
 .Pp
+.It Cm queue Brq Ar slots | size Ns Cm Kbytes
+Queue size, in
+.Ar slots
+or
+.Cm KBytes .
+Default value is 50 slots, which
+is the typical queue size for Ethernet devices.
+Note that for slow speed links you should keep the queue
+size short or your traffic might be affected by a significant
+queueing delay.
+E.g., 50 max-sized ethernet packets (1500 bytes) mean 600Kbit
+or 20s of queue on a 30Kbit/s pipe.
+Even worse effect can result if you get packets from an
+interface with a much larger MTU, e.g. the loopback interface
+with its 16KB packets.
+.Pp
 .It Cm red | gred Ar w_q Ns / Ns Ar min_th Ns / Ns Ar max_th Ns / Ns Ar max_p
 Make use of the RED (Random Early Detection) queue management algorithm.
 .Ar w_q
@@ -1290,36 +1472,32 @@
 .Xr sysctl 8
 command what value is actually in use) and meaning:
 .Bl -tag -width indent
+.It Em net.inet.ip.fw.autoinc_step : No 100
+Delta beween rule numbers when auto-generating them.
+The value must be in the range 1..1000.
+.It Em net.inet.ip.fw.curr_dyn_buckets : Em net.inet.ip.fw.dyn_buckets
+The current number of buckets in the hash table for dynamic rules
+(readonly).
 .It Em net.inet.ip.fw.debug : No 1
 Controls debugging messages produced by
 .Nm .
-.It Em net.inet.ip.fw.one_pass : No 1
-When set, the packet exiting from the
-.Xr dummynet 4
-pipe is not passed though the firewall again.
-Otherwise, after a pipe action, the packet is
-reinjected into the firewall at the next rule.
-.It Em net.inet.ip.fw.verbose : No 1
-Enables verbose messages.
-.It Em net.inet.ip.fw.enable : No 1
-Enables the firewall.
-Setting this variable to 0 lets you run your machine without
-firewall even if compiled in.
-.It Em net.inet.ip.fw.verbose_limit : No 0
-Limits the number of messages produced by a verbose firewall.
 .It Em net.inet.ip.fw.dyn_buckets : No 256
-.It Em net.inet.ip.fw.curr_dyn_buckets : No 256
-The configured and current size of the hash table used to
-hold dynamic rules.
-This must be a power of 2.
-The table can only be resized when empty, so in order to
-resize it on the fly you will probably have to
+The number of buckets in the hash table for dynamic rules.
+Must be a power of 2, up to 1^^20.
+It only takes effect when all dynamic rules have expired, so you
+are advised to use a
 .Cm flush
-and reload the ruleset.
+command to make sure that the hash table is resized.
 .It Em net.inet.ip.fw.dyn_count : No 3
 Current number of dynamic rules
 (read-only).
-.It Em net.inet.ip.fw.dyn_max : No 1000
+.It Em net.inet.ip.fw.dyn_keepalive : No 1
+Enables generation of keepalive packets for
+.Cm keep-state
+rules on TCP sessions. A keepalive is generated to both
+sides of the connection every 5 seconds for the last 20
+seconds of the lifetime of the rule.
+.It Em net.inet.ip.fw.dyn_max : No 8192
 Maximum number of dynamic rules.
 When you hit this limit, no more dynamic rules can be
 installed until old ones expire.
@@ -1333,7 +1511,31 @@
 rules.
 Upon the initial SYN exchange the lifetime is kept short,
 then increased after both SYN have been seen, then decreased
-again during the final FIN exchange or when a RST
+again during the final FIN exchange or when a RST is received.
+Both
+.Em dyn_fin_lifetime
+and
+.Em dyn_rst_lifetime
+must be strictly lower than 5 seconds, the period of
+repetition of keepalives. The firewall enforces that.
+.It Em net.inet.ip.fw.enable : No 1
+Enables the firewall.
+Setting this variable to 0 lets you run your machine without
+firewall even if compiled in.
+.It Em net.inet.ip.fw.one_pass : No 1
+When set, the packet exiting from the
+.Xr dummynet 4
+pipe is not passed though the firewall again.
+Otherwise, after a pipe action, the packet is
+reinjected into the firewall at the next rule.
+.Pp
+Note: bridged and layer 2 packets coming out of a pipe
+are never reinjected in the firewall irrespective of the
+value of this variable.
+.It Em net.inet.ip.fw.verbose : No 1
+Enables verbose messages.
+.It Em net.inet.ip.fw.verbose_limit : No 0
+Limits the number of messages produced by a verbose firewall.
 .It Em net.link.ether.ipfw : No 0
 Controls whether layer-2 packets are passed to
 .Nm .
@@ -1343,7 +1545,68 @@
 .Nm .
 Default is no.
 .El
+.Sh IPFW2 ENHANCEMENTS
+This Section lists the features that have been introduced in
+.Nm ipfw2
+and were not present in
+.Nm ipfw1 .
+We list them in order of the potential impact that they can
+have in writing your rulesets.
+You might want to consider using these features in order to
+write your rulesets in a more efficient way.
+.Bl -tag -width indent
+.It Address sets
+.Nm ipfw1
+does not supports address sets (those in the form
+.Ar addr/masklen{num,num,...}
+)
+.It Port specifications
+.Nm ipfw1
+only allows one port range when specifying TCP and UDP ports, and
+is limited to 10 entries instead of the 15 allowed by
+.Nm ipfw2 .
+Also, in
+.Nm ipfw1
+you can only specify ports when the rule is requesting
+.Cm tcp
+or
+.Cm udp
+packets. With
+.Nm ipfw2
+you can put port specifications in rules matching all packets,
+and the match will be attempted only on those packets carrying
+protocols which include port identifiers.
+.It Or-blocks
+.Nm ipfw1
+does not support Or-blocks. All match operators are implicitly
+connected by
+.Cm and
+operators.
+.It keepalives
+.Nm ipfw1
+does not generate keepalives for stateful sessions.
+As a consequence, it might cause idle sessions to drop because
+the lifetime of the dynamic rules expires.
+.It Sets of rules
+.Nm ipfw1
+does not implement sets of rules.
+.It MAC header filtering and Layer-2 firewalling.
+.Nm ipfw1
+does not implement filtering on MAC header fields, nor it is
+invoked on packets from
+.Cm ether_demux()
+and
+.Cm ether_output_frame().
+The sysctl variable
+.Em net.link.ether.ipfw
+has no effect there.
+.El
 .Sh EXAMPLES
+There are far too many possible uses of
+.Nm
+so this Section will only give a small set of examples.
+.Pp
+.Ss BASIC PACKET FILTERING
 This command adds an entry which denies all tcp packets from
 .Em cracker.evil.org
 to the telnet port of
@@ -1375,6 +1638,24 @@
 .Cm deny
 rule.
 .Pp
+If you administer one or more subnets, you can take advantage of the
+.Nm ipfw2
+syntax to specify address sets and or-blocks and write extremely
+compact rulesets which selectively enable services to blocks
+of clients, as below:
+.Pp
+.Dl "goodguys=\*q{ 10.1.2.0/24{20,35,66,18} or 10.2.3.0/28{6,3,11} }\*q"
+.Dl "badguys=\*q10.1.2.0/24{8,38,60}\*q"
+.Dl ""
+.Dl "ipfw add allow ip from ${goodguys} to any"
+.Dl "ipfw add deny ip from ${badguys} to any"
+.Dl "... normal policies ..."
+.Pp
+The
+.Nm ipfw1
+syntax would require a separate rule for each IP in the above
+example.
+.Ss DYNAMIC RULES
 In order to protect a site from flood attacks involving fake
 TCP packets, it is safer to use dynamic rules:
 .Pp
@@ -1434,6 +1715,7 @@
 .Pp
 .Dl ipfw divert 5000 ip from 192.168.2.0/24 to any in
 .Pp
+.Ss TRAFFIC SHAPING
 The following rules show some of the applications of
 .Nm
 and
@@ -1525,6 +1807,27 @@
 .Dl "ipfw add pipe 2 ip from any to 192.168.2.0/24 in"
 .Dl "ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
 .Dl "ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
+.Ss SETS OF RULES
+To add a set of rules atomically, e.g. set 18:
+.Pp
+.Dl "ipfw disable set 18"
+.Dl "ipfw add NN set 18 ...         # repeat as needed"
+.Dl "ipfw enable set 18"
+.Pp
+To delete a set of rules atomically the command is simply:
+.Pp
+.Dl "ipfw delete set 18"
+.Pp
+To test a ruleset and disable it and regain control if something goes wrong:
+.Pp
+.Dl "ipfw disable set 18"
+.Dl "ipfw add NN set 18 ...         # repeat as needed"
+.Dl "ipfw enable set 18 ; echo done; sleep 30 && ipfw disable set 18"
+.Pp
+Here if everything goes well, you press control-C before the "sleep"
+terminates, and your ruleset will be left active. Otherwise, e.g. if
+you cannot access your box, the ruleset will be disabled after
+the sleep terminates thus restoring the previous situation.
 .Sh SEE ALSO
 .Xr cpp 1 ,
 .Xr m4 1 ,

==== //depot/projects/trustedbsd/mac/sbin/ipfw/ipfw2.c#6 (text+ko) ====

@@ -17,7 +17,7 @@
  *
  * NEW command line interface for IP firewall facility
  *
- * $FreeBSD: src/sbin/ipfw/ipfw2.c,v 1.9 2002/08/10 15:10:15 luigi Exp $
+ * $FreeBSD: src/sbin/ipfw/ipfw2.c,v 1.10 2002/08/16 10:31:47 luigi Exp $
  */
 
 #include <sys/param.h>
@@ -223,6 +223,7 @@
 	TOK_ICMPTYPES,
 
 	TOK_PLR,
+	TOK_NOERROR,
 	TOK_BUCKETS,
 	TOK_DSTIP,
 	TOK_SRCIP,
@@ -241,6 +242,7 @@
 
 struct _s_x dummynet_params[] = {
 	{ "plr",		TOK_PLR },
+	{ "noerror",		TOK_NOERROR },
 	{ "buckets",		TOK_BUCKETS },
 	{ "dst-ip",		TOK_DSTIP },
 	{ "src-ip",		TOK_SRCIP },
@@ -502,8 +504,10 @@
 			p[1] = b;
 		} else if (*s == ',' || *s == '\0' ) {
 			p[0] = p[1] = a;
-		} else	/* invalid separator */
-			break;
+		} else {	/* invalid separator */
+			errx(EX_DATAERR, "invalid separator <%c> in <%s>\n",
+				*s, av);
+		}
 		av = s+1;
 	}
 	if (i > 0) {
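Review bot: The new `errx(EX_DATAERR, "invalid separator <%c> in <%s>\n", *s, av);` ends its format string with `\n`, but errx() already appends a newline, so the message is printed followed by a blank line; drop it: `errx(EX_DATAERR, "invalid separator <%c> in <%s>", *s, av);`. This also turns what was a silent `break` out of the parse loop into a hard exit, which looks like the intended hardening of user-supplied rule text, but a one-line comment above the errx saying that partial parses are rejected on purpose would help. The enclosing function starts and ends outside the hunk.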
@@ -737,17 +741,29 @@
  * show_ipfw() prints the body of an ipfw rule.
  * Because the standard rule has at least proto src_ip dst_ip, we use
  * a helper function to produce these entries if not provided explicitly.
+ *
+ * Special case: if we have provided a MAC header, and no IP specs,
+ * just leave it alone.
+ * Also, if we have providea a MAC header and no IP protocol, print it
+ * as "all" instead of "ip".
  */
-#define	HAVE_PROTO	1
-#define	HAVE_SRCIP	2
-#define	HAVE_DSTIP	4
-#define	HAVE_MAC	8
+#define	HAVE_PROTO	0x0001
+#define	HAVE_SRCIP	0x0002
+#define	HAVE_DSTIP	0x0004
+#define	HAVE_MAC	0x0008
+#define	HAVE_MACTYPE	0x0010
 
+#define	HAVE_IP		(HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP)
 static void
 show_prerequisites(int *flags, int want)
 {
+	if ( (*flags & (HAVE_MAC | HAVE_MACTYPE))  == HAVE_MAC) {
+	     printf(" any");	/* MAC type */
+	     *flags |= HAVE_MACTYPE;
+	}
+		
 	if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO))
-		printf(" ip");
+		printf( (*flags & HAVE_MAC) ? " all" : " ip");
 	if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP))
 		printf(" from any");
 	if ( !(*flags & HAVE_DSTIP) && (want & HAVE_DSTIP))
@@ -907,6 +923,9 @@
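Review bot: The new block at the top of show_prerequisites is indented with five spaces (`     printf(" any");` and the line after it) where the rest of the file uses tabs, and the line after its closing brace is whitespace-only; both should be normalised before this goes in. The trailing `/* MAC type */` would read better as a sentence giving the rule the code implements, e.g. `/* a MAC header was printed without an explicit type: emit the implicit "any" so the printed rule stays parseable */` — the parseability rationale is inferred from the surrounding output code, so confirm it. `HAVE_IP` is defined here but not used within the hunk; if it is used later in the file, a blank line between it and the function keeps the macro group together. The function continues past the hunk.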
 			break;
 
 		case O_MAC_TYPE:
+			if ( (flags & HAVE_MAC) == 0)
+				printf(" MAC");
+			flags |= (HAVE_MAC | HAVE_MACTYPE);
 			print_newports((ipfw_insn_u16 *)cmd, IPPROTO_ETHERTYPE);
 			break;
 
@@ -1340,7 +1359,116 @@
 	}
 }
 
+/*
+ * This one handles all set-related commands
+ * 	ipfw set { show | enable | disable }
+ * 	ipfw set swap X Y
+ * 	ipfw set move X to Y
+ * 	ipfw set move rule X to Y
+ */
 static void
+sets_handler(int ac, char *av[])
+{
+	u_int32_t set_disable, masks[2];
+	int i, nbytes;
+	u_int16_t rulenum;
+	u_int8_t cmd, new_set;
+
+	ac--;
+	av++;
+
+	if (!ac)
+		errx(EX_USAGE, "set needs command");
+	if (!strncmp(*av, "show", strlen(*av)) ) {
+		void *data;
+		char *msg;
+
+		nbytes = sizeof(struct ip_fw);
+		if ((data = malloc(nbytes)) == NULL)
+			err(EX_OSERR, "malloc");
+		if (getsockopt(s, IPPROTO_IP, IP_FW_GET, data, &nbytes) < 0)
+			err(EX_OSERR, "getsockopt(IP_FW_GET)");
+		set_disable = (u_int32_t)(((struct ip_fw *)data)->next_rule);
+
+		for (i = 0, msg = "disable" ; i < 31; i++)
+			if (  (set_disable & (1<<i))) {
+				printf("%s %d", msg, i);
+				msg = "";
+			}
+		msg = (set_disable) ? " enable" : "enable";
+		for (i = 0; i < 31; i++)
+			if ( !(set_disable & (1<<i))) {
+				printf("%s %d", msg, i);

>>> TRUNCATED FOR MAIL (1000 lines) <<<