PERFORCE change 16110 for review
Robert Watson
rwatson at freebsd.org
Fri Aug 16 13:51:48 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=16110
Change 16110 by rwatson at rwatson_tislabs on 2002/08/16 06:51:26
Integ changes from trustedbsd base tree: include fo_stat/fo_poll
credential changes, also libutil SETLABEL->SETMAC rename.
Further tweaks will be needed to get all compiling again.
Affected files ...
.. //depot/projects/trustedbsd/mac/bin/cp/cp.1#4 integrate
.. //depot/projects/trustedbsd/mac/include/stdbool.h#3 integrate
.. //depot/projects/trustedbsd/mac/lib/libc/net/inet_ntop.c#5 integrate
.. //depot/projects/trustedbsd/mac/lib/libkvm/kvm_proc.c#6 integrate
.. //depot/projects/trustedbsd/mac/lib/libutil/login_cap.h#5 integrate
.. //depot/projects/trustedbsd/mac/libexec/comsat/comsat.8#4 integrate
.. //depot/projects/trustedbsd/mac/sbin/fsck_ffs/setup.c#10 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipfw/ipfw.8#9 integrate
.. //depot/projects/trustedbsd/mac/sbin/ipfw/ipfw2.c#6 integrate
.. //depot/projects/trustedbsd/mac/sbin/nfsiod/nfsiod.c#6 integrate
.. //depot/projects/trustedbsd/mac/share/man/man4/uhid.4#3 integrate
.. //depot/projects/trustedbsd/mac/share/misc/iso3166#4 integrate
.. //depot/projects/trustedbsd/mac/sys/alpha/osf1/osf1_misc.c#10 integrate
.. //depot/projects/trustedbsd/mac/sys/compat/linux/linux_stats.c#11 edit
.. //depot/projects/trustedbsd/mac/sys/dev/usb/ohci.c#14 integrate
.. //depot/projects/trustedbsd/mac/sys/dev/usb/ulpt.c#9 integrate
.. //depot/projects/trustedbsd/mac/sys/fs/fdescfs/fdesc_vnops.c#8 integrate
.. //depot/projects/trustedbsd/mac/sys/fs/fifofs/fifo_vnops.c#12 integrate
.. //depot/projects/trustedbsd/mac/sys/fs/msdosfs/msdosfs_denode.c#8 integrate
.. //depot/projects/trustedbsd/mac/sys/ia64/ia64/vm_machdep.c#13 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/kern_descrip.c#28 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/kern_event.c#11 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/sys_generic.c#14 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/sys_pipe.c#23 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/sys_socket.c#12 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/uipc_socket.c#36 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/uipc_socket2.c#24 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_syscalls.c#78 integrate
.. //depot/projects/trustedbsd/mac/sys/kern/vfs_vnops.c#51 integrate
.. //depot/projects/trustedbsd/mac/sys/modules/cam/Makefile#3 integrate
.. //depot/projects/trustedbsd/mac/sys/netinet/ip_fw2.c#4 integrate
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_debug.h#2 integrate
.. //depot/projects/trustedbsd/mac/sys/netinet/tcp_timer.h#4 integrate
.. //depot/projects/trustedbsd/mac/sys/netinet/udp_usrreq.c#19 integrate
.. //depot/projects/trustedbsd/mac/sys/nfsclient/nfs_lock.c#11 integrate
.. //depot/projects/trustedbsd/mac/sys/nfsclient/nfs_lock.h#4 integrate
.. //depot/projects/trustedbsd/mac/sys/pci/uhci_pci.c#4 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/include/pcb.h#4 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/include/pmap.h#12 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/include/tlb.h#9 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/sparc64/genassym.c#14 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/sparc64/pmap.c#20 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/sparc64/support.S#2 integrate
.. //depot/projects/trustedbsd/mac/sys/sparc64/sparc64/trap.c#13 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/disklabel.h#9 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/file.h#12 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/msg.h#3 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/protosw.h#4 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/socketvar.h#24 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/ucred.h#17 integrate
.. //depot/projects/trustedbsd/mac/sys/sys/vnode.h#44 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/biff/biff.1#6 integrate
.. //depot/projects/trustedbsd/mac/usr.bin/calendar/calendars/calendar.freebsd#12 integrate
.. //depot/projects/trustedbsd/mac/usr.sbin/rpc.lockd/kern.c#3 integrate
Differences ...
==== //depot/projects/trustedbsd/mac/bin/cp/cp.1#4 (text+ko) ====
@@ -33,9 +33,9 @@
.\" SUCH DAMAGE.
.\"
.\" @(#)cp.1 8.3 (Berkeley) 4/18/94
-.\" $FreeBSD: src/bin/cp/cp.1,v 1.24 2002/08/09 10:38:34 ru Exp $
+.\" $FreeBSD: src/bin/cp/cp.1,v 1.25 2002/08/16 03:13:59 johan Exp $
.\"
-.Dd April 18, 1994
+.Dd July 23, 2002
.Dt CP 1
.Os
.Sh NAME
==== //depot/projects/trustedbsd/mac/include/stdbool.h#3 (text+ko) ====
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/include/stdbool.h,v 1.5 2002/06/19 06:04:37 obrien Exp $
+ * $FreeBSD: src/include/stdbool.h,v 1.6 2002/08/16 07:33:14 alfred Exp $
*/
#ifndef _STDBOOL_H_
@@ -37,7 +37,7 @@
#define true 1
#define bool _Bool
-#if __STDC_VERSION__ < 199901L
+#if __STDC_VERSION__ < 199901L && __GNUC__ < 3
typedef int _Bool;
#endif
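Review bot: The new condition `#if __STDC_VERSION__ < 199901L && __GNUC__ < 3` relies on an undefined `__GNUC__` evaluating to 0 under `#if` for non-GNU compilers, which works but reads as if only GCC were considered. A one-line comment above it would make the intent explicit, e.g. `/* GCC 3+ supplies _Bool itself even outside C99 mode; everything else gets the int fallback */`, since the reason for the GCC version cut-off is otherwise invisible to the next reader.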
==== //depot/projects/trustedbsd/mac/lib/libc/net/inet_ntop.c#5 (text+ko) ====
@@ -18,7 +18,7 @@
static char rcsid[] = "$Id: inet_ntop.c,v 8.7 1996/08/05 08:41:18 vixie Exp $";
#endif /* LIBC_SCCS and not lint */
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/lib/libc/net/inet_ntop.c,v 1.10 2002/08/14 20:40:35 robert Exp $");
+__FBSDID("$FreeBSD: src/lib/libc/net/inet_ntop.c,v 1.11 2002/08/15 21:19:31 robert Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -30,8 +30,6 @@
#include <stdio.h>
#include <string.h>
-#define SPRINTF(x) ((socklen_t)sprintf x)
-
/*
* WARNING: Don't even consider trying to compile this on a system where
* sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX.
@@ -79,13 +77,12 @@
inet_ntop4(const u_char *src, char *dst, socklen_t size)
{
static const char fmt[] = "%u.%u.%u.%u";
- char tmp[sizeof "255.255.255.255"];
- if (SPRINTF((tmp, fmt, src[0], src[1], src[2], src[3])) > size) {
+ if ((socklen_t)snprintf(dst, size, fmt, src[0], src[1], src[2], src[3])
+ >= size) {
errno = ENOSPC;
return (NULL);
}
- strcpy(dst, tmp);
return (dst);
}
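Review bot: The rewritten inet_ntop4 now formats straight into `dst`, so on overflow the caller's buffer holds a truncated, NUL-terminated string when NULL is returned, whereas the removed `tmp`-based version left `dst` untouched on the ENOSPC path. Callers that inspect `dst` after a NULL return will observe the difference. If that is acceptable, record it in the function's header comment, e.g. `/* On ENOSPC, dst may hold a truncated (NUL-terminated) prefix of the result. */`; otherwise keep formatting into a local buffer and copy only on success. The `(socklen_t)` cast also maps a negative snprintf return onto the ENOSPC branch, which is fine but worth a short comment.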
@@ -164,7 +161,7 @@
tp += strlen(tp);
break;
}
- tp += SPRINTF((tp, "%x", words[i]));
+ tp += sprintf(tp, "%x", words[i]);
}
/* Was it a trailing run of 0x00's? */
if (best.base != -1 && (best.base + best.len) ==
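Review bot: `tp += sprintf(tp, "%x", words[i]);` keeps an unbounded write into the output buffer; that buffer is declared outside this hunk, so its capacity cannot be confirmed here and the bound now rests entirely on that declaration being sized for the longest representation. Since the SPRINTF wrapper was replaced with snprintf in inet_ntop4, the same treatment would make the bound explicit here too, along the lines of `tp += snprintf(tp, sizeof(BUF) - (size_t)(tp - BUF), "%x", words[i]);` where BUF stands for the local array `tp` walks. inet_ntop6 begins and ends outside the hunk.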
==== //depot/projects/trustedbsd/mac/lib/libkvm/kvm_proc.c#6 (text+ko) ====
@@ -34,11 +34,11 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.50 2002/06/30 20:13:53 julian Exp $
+ * $FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.51 2002/08/16 07:01:42 alfred Exp $
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.50 2002/06/30 20:13:53 julian Exp $");
+__FBSDID("$FreeBSD: src/lib/libkvm/kvm_proc.c,v 1.51 2002/08/16 07:01:42 alfred Exp $");
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)kvm_proc.c 8.3 (Berkeley) 9/23/93";
@@ -52,6 +52,9 @@
*/
#include <sys/param.h>
+#define _KERNEL
+#include <sys/ucred.h>
+#undef _KERNEL
#include <sys/user.h>
#include <sys/proc.h>
#include <sys/exec.h>
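Review bot: The `#define _KERNEL` / `#undef _KERNEL` bracket around `<sys/ucred.h>` carries no explanation, and exposing kernel-only definitions to userland ties libkvm to the kernel's `struct ucred` layout, which is exactly what the credential changes in this integration are altering. A comment is warranted, e.g. `/* Expose the kernel-side struct ucred layout; _KERNEL is dropped again right after. */`. Presumably the kinfo structures consumed by this file embed the kernel credential structure — confirm against sys/ucred.h before relying on that reading.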
==== //depot/projects/trustedbsd/mac/lib/libutil/login_cap.h#5 (text+ko) ====
@@ -22,7 +22,7 @@
* Low-level routines relating to the user capabilities database
*
* Was login_cap.h,v 1.9 1997/05/07 20:00:01 eivind Exp
- * $FreeBSD: src/lib/libutil/login_cap.h,v 1.7 2002/08/11 01:48:43 rwatson Exp $
+ * $FreeBSD: src/lib/libutil/login_cap.h,v 1.8 2002/08/16 02:14:21 rwatson Exp $
*/
#ifndef _LOGIN_CAP_H_
@@ -47,7 +47,7 @@
#define LOGIN_SETUMASK 0x0020 /* set umask, obviously */
#define LOGIN_SETUSER 0x0040 /* set user (via setuid) */
#define LOGIN_SETENV 0x0080 /* set user environment */
-#define LOGIN_SETLABEL 0x0100 /* set user MAC label */
+#define LOGIN_SETMAC 0x0100 /* set user default MAC label */
#define LOGIN_SETALL 0x01ff /* set everything */
#define BI_AUTH "authorize" /* accepted authentication */
==== //depot/projects/trustedbsd/mac/libexec/comsat/comsat.8#4 (text+ko) ====
@@ -30,9 +30,9 @@
.\" SUCH DAMAGE.
.\"
.\" @(#)comsat.8 8.1 (Berkeley) 6/4/93
-.\" $FreeBSD: src/libexec/comsat/comsat.8,v 1.11 2002/08/13 11:05:04 ru Exp $
+.\" $FreeBSD: src/libexec/comsat/comsat.8,v 1.12 2002/08/16 03:08:25 johan Exp $
.\"
-.Dd June 4, 1993
+.Dd July 9, 2002
.Dt COMSAT 8
.Os
.Sh NAME
==== //depot/projects/trustedbsd/mac/sbin/fsck_ffs/setup.c#10 (text+ko) ====
@@ -36,10 +36,9 @@
static const char sccsid[] = "@(#)setup.c 8.10 (Berkeley) 5/9/95";
#endif
static const char rcsid[] =
- "$FreeBSD: src/sbin/fsck_ffs/setup.c,v 1.35 2002/07/31 12:01:14 mux Exp $";
+ "$FreeBSD: src/sbin/fsck_ffs/setup.c,v 1.36 2002/08/16 07:34:19 alfred Exp $";
#endif /* not lint */
-#define DKTYPENAMES
#include <sys/param.h>
#include <sys/stat.h>
#include <sys/disklabel.h>
==== //depot/projects/trustedbsd/mac/sbin/ipfw/ipfw.8#9 (text+ko) ====
@@ -1,7 +1,12 @@
.\"
-.\" $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.105 2002/08/10 15:04:40 luigi Exp $
+.\" $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.106 2002/08/16 10:31:47 luigi Exp $
.\"
-.Dd May 31, 2001
+.de NOIPFW
+.br
+(\\$1 NOT IN IPFW)
+.br
+..
+.Dd August 13, 2002
.Dt IPFW 8
.Os
.Sh NAME
@@ -13,11 +18,6 @@
.Cm add
.Ar rule
.Nm
-.Op Fl q
-.Cm delete
-.Op Cm set
-.Op Ar number ...
-.Nm
.Op Fl adeftNS
.Brq Cm list | show
.Op Ar number ...
@@ -26,16 +26,20 @@
.Cm flush
.Nm
.Op Fl q
-.Brq Cm zero | resetlog
+.Brq Cm delete | zero | resetlog
.Op Cm set
.Op Ar number ...
+.Pp
+.Nm
+.Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ...
+.Nm
+.Cm set move
+.Op Cm rule
+.Ar number Cm to Ar number
.Nm
-.Op Fl q
-.Brq Cm disable | enable
-.Cm set
-.Op Ar number ...
+.Cm set swap Ar number number
.Nm
-.Cm show sets
+.Cm set show
.Pp
.Nm
.Brq Cm pipe | queue
@@ -68,6 +72,22 @@
traffic shaper in
.Fx .
.Pp
+.Em NOTE:
+this manual page refers to the newer version of
+.Nm
+introduced in July 2002, also known as
+.Nm ipfw2 .
+The commands listed here are a superset of the old
+firewall, which we will call
+.Nm ipfw1
+when it is necessary to distinguish between the two.
+See the
+.Sx IPFW2 ENHANCEMENTS
+Section for a list of features which are not present in
+.Nm ipfw1 .
+This list can also be useful to revise your ruleset and
+write them more efficiently.
+.Pp
An
.Nm
configuration, or
@@ -126,10 +146,10 @@
rule, and are typically used to open the firewall on-demand to
legitimate traffic only.
See the
-.Sx RULE FORMAT
+.Sx STATEFUL FIREWALL
and
.Sx EXAMPLES
-sections below for more information on the stateful behaviour of
+Sections below for more information on the stateful behaviour of
.Nm .
.Pp
All rules (including dynamic ones) have a few associated counters:
@@ -157,6 +177,19 @@
.Cm resetlog
commands.
.Pp
+Also, each rule belongs to one of 32 different
+.Em sets
+, and there are
+.Nm
+commands to atomically manipulate sets, such as enable,
+disable, swap sets, move all rules in a set to another
+one, delete all rules in a set. These can be useful to
+install temporary configurations, or to test them.
+See Section
+.Sx SETS OF RULES
+for more information on
+.Em sets .
+.Pp
The following options are available:
.Bl -tag -width indent
.It Fl a
@@ -174,8 +207,7 @@
Don't ask for confirmation for commands that can cause problems
if misused,
.No i.e. Cm flush .
-.Em Note ,
-if there is no tty associated with the process, this is implied.
+If there is no tty associated with the process, this is implied.
.It Fl N
Try to resolve addresses and service names in output.
.It Fl q
@@ -206,7 +238,9 @@
and the remainder of the ruleset is not processed.
Access to the console would then be required to recover.
.It Fl S
-While listing rules, show the set each rule belongs to.
+While listing rules, show the
+.Em set
+each rule belongs to.
If this flag is not specified, disabled rules will not be
listed.
.It Fl s Op Ar field
@@ -265,7 +299,7 @@
.Cm queue
commands are used to configure the traffic shaper, as shown in the
.Sx TRAFFIC SHAPER CONFIGURATION
-section below.
+Section below.
.Sh PACKET FLOW
.Nm
can be invoked from multiple places in the protocol stack,
@@ -404,7 +438,7 @@
If this is not possible (e.g. because we would go beyond the
maximum allowed rule number), the same number of the last
non-default value is used instead.
-.It Ar set_number
+.It Cm set Ar set_number
Each rule is associated to a
.Ar set_number
in the range 0..31, with the latter reserved for the
@@ -535,7 +569,7 @@
(for bandwidth limitation, delay, etc.).
See the
.Sx TRAFFIC SHAPER CONFIGURATION
-section for further information.
+Section for further information.
The search terminates; however, on exit from the pipe and if
the
.Xr sysctl 8
@@ -568,7 +602,7 @@
socket bound to port
.Ar port .
The search terminates and the original packet is accepted
-(but see section
+(but see Section
.Sx BUGS
below).
.It Cm unreach Ar code
@@ -630,13 +664,17 @@
.Op Ar options
.br
.Cm MAC Ar dst-mac src-mac mac-type
+.Op Cm from Ar src Cm to Ar dst
.Op Ar options
.Ed
.Pp
-where fields have the following meaning:
+where the second format allows you to specify MAC header fields
+instead (or in addition) of the IPv4 header fields.
+.Pp
+Rule fields have the following meaning:
.Bl -tag -width indent
.It Ar proto
-An IP protocol specified by number or name (for a complete
+An IPv4 protocol specified by number or name (for a complete
list see
.Pa /etc/protocols ) .
The
@@ -652,7 +690,6 @@
containing one or more of them,
optionally followed by
.Em port numbers.
-followed by a set of port numbers.
.It Ar ip address :
An address (or set of addresses) specified in one of the following
ways, optionally preceded by a
@@ -699,7 +736,7 @@
bitmask, it takes constant time and dramatically reduces
the complexity of rulesets.
.El
-.It Cm port numbers
+.It port numbers
With protocols which support port numbers (such as TCP and UDP), optional
.Cm ports
may be specified as one or more ports or port ranges, separated
@@ -741,6 +778,28 @@
See the
.Cm frag
option for details on matching fragmented packets.
+.It dst-mac, src-mac
+Destination and source MAC addresses, specified as
+groups of hex digits separated by commas, and optionally
+followed by a mask indicating how many bits are significant:
+.Pp
+.Dl "ipfw add allow MAC 10:20:30:40:50:60/30 any any
+.Pp
+Note that the order of MAC addresses (destination first,
+source second) is
+the same as on the wire, but the opposite of the one used for
+IP addresses.
+.It mac-type
+The value of the Ethernet Type field, specified in the same way as
+.Cm port numbers
+(i.e. one or more comma-separated single values or ranges).
+You can use symbolic names for known values such as
+.Em vlan , ipv4, ipv6 .
+The values can be enter as decimal or hexadecimal, but they
+are always printed as hexadecimal (unless the
+.Cm -N
+option is used, in which case symbolic resolution will be
+attempted).
.El
.Ss RULE OPTIONS
Additional match patterns can be used within
@@ -1016,12 +1075,127 @@
.Ar user
may be matched by name or identification number.
.El
+.Sh SETS OF RULES
+Each rule belongs to one of 32 different
+.Em sets
+, numbered 0 to 31.
+Set 31 is reserved for the default rule.
+.Pp
+By default, rules are put in set 0, unless you use the
+.Cm set N
+attribute when entering a new rule.
+Sets can be individually and atomically enabled or disabled,
+so this mechanism permits an easy way to store multiple configurations
+of the firewall and quickly (and atomically) switch between them.
+The command to enable/disable sets is
+.Pp
+.Nm
+.Cm set disable Ar number ... Op Cm enable Ar number ...
+.Pp
+where multiple
+.Cm enable
+or
+.Cm disable
+sections can be specified.
+Command execution is atomic on all the sets specified in the command.
+By default, all sets are enabled.
+.Pp
+When you disable a set, its rules behave as if they were not existing
+in the firewall configuration, with only one exception:
+.Bl -bullet
+.It
+dynamic rules created from a rule before it had been disabled
+will still be active until they expire. In order to delete
+dynamic rules you have to explicitly delete the parent rule
+which generated them;
+.El
+The set number of rules can be changed with the command
+.Pp
+.Nm
+.Cm set move
+.Brq Cm rule Ar rule-number | old-set
+.Cm to Ar new-set
+.Pp
+Also, you can atomically swap two rulesets with the command
+.Pp
+.Nm
+.Cm set swap Ar first-set second-set
+.Pp
+See the
+.Sx EXAMPLES
+Section on some possible uses of sets of rules.
.Sh STATEFUL FIREWALL
-To be completed.
+Stateful operation is a way for the firewall to dynamically
+create rules for specific flows when packets that
+match a given pattern are detected. Support for stateful
+operation comes through the
+.Cm check-state , keep-state
+and
+.Cm limit
+options of
+.Nm rules.
+.Pp
+Dynamic rules are created when a packet matches a
+.Cm keep-state
+or
+.Cm limit
+rule, causing the creation of a
+.Em dynamic
+rule which will match all and only packets with
+a given
+.Em protocol
+between a
+.Em src-ip/src-port dst-ip/dst-port
+pair of addresses (
+.Em src
+and
+.Em dst
+are used here only to denote the initial match addresses, but they
+are completely equivalent afterwards).
+Dynamic rules will be checked at the first
+.Cm check-state, keep-state
+or
+.Cm limit
+occurrence, and the action performed upon a match will be the same
+as in the parent rule.
+.Pp
+Note that no additional attributes other than protocol and IP addresses
+and ports are checked on dynamic rules.
+.Pp
+The typical use of dynamic rules is to keep a closed firewall configuration,
+but let the first TCP SYN packet from the inside network install a
+dynamic rule for the flow so that packets belonging to that session
+will be allowed through the firewall:
+.Pp
+.Dl "ipfw add check-state"
+.Dl "ipfw add allow tcp from my-subnet to any setup"
+.Dl "ipfw add deny tcp from any to any"
+.Pp
+A similar approach can be used for UDP, where an UDP packet coming
+from the inside will install a dynamic rule to let the response through
+the firewall:
+.Pp
+.Dl "ipfw add check-state"
+.Dl "ipfw add allow udp from my-subnet to any"
+.Dl "ipfw add deny udp from any to any"
+.Pp
+Dynamic rules expire after some time, which depends on the status
+of the flow and the setting of some
+.Cm sysctl
+variables.
+See Section
+.Sx SYSCTL VARIABLES
+for more details.
+For TCP sessions, dynamic rules can be instructed to periodically
+send keepalive packets to refresh the state of the rule when it is
+about to expire.
+.Pp
+See Section
+.Sx EXAMPLES
+for more examples on how to use dynamic rules.
.Sh TRAFFIC SHAPER CONFIGURATION
-The
.Nm
-utility is also the user interface for the
+is also the user interface for the
.Xr dummynet 4
traffic shaper.
The shaper operates by dividing packets into
@@ -1124,22 +1298,6 @@
.Em net.inet.ip.dummynet.hash_size ,
allowed range is 16 to 1024.
.Pp
-.It Cm queue Brq Ar slots | size Ns Cm Kbytes
-Queue size, in
-.Ar slots
-or
-.Cm KBytes .
-Default value is 50 slots, which
-is the typical queue size for Ethernet devices.
-Note that for slow speed links you should keep the queue
-size short or your traffic might be affected by a significant
-queueing delay.
-E.g., 50 max-sized ethernet packets (1500 bytes) mean 600Kbit
-or 20s of queue on a 30Kbit/s pipe.
-Even worse effect can result if you get packets from an
-interface with a much larger MTU, e.g. the loopback interface
-with its 16KB packets.
-.Pp
.It Cm mask Ar mask-specifier
The
.Xr dummynet 4
@@ -1167,6 +1325,14 @@
weight of the queue, and all flows insisting on the same pipe
share bandwidth proportionally to their weight.
.Pp
+.It Cm noerror
+When a packet is dropped by a dummynet queue or pipe, the error
+is normally reported to the caller routine in the kernel, in the
+same way as it happens when a device queue fills up. Setting this
+option reports the packet as successfully delivered, which can be
+needed for some experimental setups where you want to simulate
+loss or congestion at a remote router.
+.Pp
.It Cm plr Ar packet-loss-rate
Packet loss rate.
Argument
@@ -1175,6 +1341,22 @@
loss, 1 meaning 100% loss.
The loss rate is internally represented on 31 bits.
.Pp
+.It Cm queue Brq Ar slots | size Ns Cm Kbytes
+Queue size, in
+.Ar slots
+or
+.Cm KBytes .
+Default value is 50 slots, which
+is the typical queue size for Ethernet devices.
+Note that for slow speed links you should keep the queue
+size short or your traffic might be affected by a significant
+queueing delay.
+E.g., 50 max-sized ethernet packets (1500 bytes) mean 600Kbit
+or 20s of queue on a 30Kbit/s pipe.
+Even worse effect can result if you get packets from an
+interface with a much larger MTU, e.g. the loopback interface
+with its 16KB packets.
+.Pp
.It Cm red | gred Ar w_q Ns / Ns Ar min_th Ns / Ns Ar max_th Ns / Ns Ar max_p
Make use of the RED (Random Early Detection) queue management algorithm.
.Ar w_q
@@ -1290,36 +1472,32 @@
.Xr sysctl 8
command what value is actually in use) and meaning:
.Bl -tag -width indent
+.It Em net.inet.ip.fw.autoinc_step : No 100
+Delta beween rule numbers when auto-generating them.
+The value must be in the range 1..1000.
+.It Em net.inet.ip.fw.curr_dyn_buckets : Em net.inet.ip.fw.dyn_buckets
+The current number of buckets in the hash table for dynamic rules
+(readonly).
.It Em net.inet.ip.fw.debug : No 1
Controls debugging messages produced by
.Nm .
-.It Em net.inet.ip.fw.one_pass : No 1
-When set, the packet exiting from the
-.Xr dummynet 4
-pipe is not passed though the firewall again.
-Otherwise, after a pipe action, the packet is
-reinjected into the firewall at the next rule.
-.It Em net.inet.ip.fw.verbose : No 1
-Enables verbose messages.
-.It Em net.inet.ip.fw.enable : No 1
-Enables the firewall.
-Setting this variable to 0 lets you run your machine without
-firewall even if compiled in.
-.It Em net.inet.ip.fw.verbose_limit : No 0
-Limits the number of messages produced by a verbose firewall.
.It Em net.inet.ip.fw.dyn_buckets : No 256
-.It Em net.inet.ip.fw.curr_dyn_buckets : No 256
-The configured and current size of the hash table used to
-hold dynamic rules.
-This must be a power of 2.
-The table can only be resized when empty, so in order to
-resize it on the fly you will probably have to
+The number of buckets in the hash table for dynamic rules.
+Must be a power of 2, up to 1^^20.
+It only takes effect when all dynamic rules have expired, so you
+are advised to use a
.Cm flush
-and reload the ruleset.
+command to make sure that the hash table is resized.
.It Em net.inet.ip.fw.dyn_count : No 3
Current number of dynamic rules
(read-only).
-.It Em net.inet.ip.fw.dyn_max : No 1000
+.It Em net.inet.ip.fw.dyn_keepalive : No 1
+Enables generation of keepalive packets for
+.Cm keep-state
+rules on TCP sessions. A keepalive is generated to both
+sides of the connection every 5 seconds for the last 20
+seconds of the lifetime of the rule.
+.It Em net.inet.ip.fw.dyn_max : No 8192
Maximum number of dynamic rules.
When you hit this limit, no more dynamic rules can be
installed until old ones expire.
@@ -1333,7 +1511,31 @@
rules.
Upon the initial SYN exchange the lifetime is kept short,
then increased after both SYN have been seen, then decreased
-again during the final FIN exchange or when a RST
+again during the final FIN exchange or when a RST is received.
+Both
+.Em dyn_fin_lifetime
+and
+.Em dyn_rst_lifetime
+must be strictly lower than 5 seconds, the period of
+repetition of keepalives. The firewall enforces that.
+.It Em net.inet.ip.fw.enable : No 1
+Enables the firewall.
+Setting this variable to 0 lets you run your machine without
+firewall even if compiled in.
+.It Em net.inet.ip.fw.one_pass : No 1
+When set, the packet exiting from the
+.Xr dummynet 4
+pipe is not passed though the firewall again.
+Otherwise, after a pipe action, the packet is
+reinjected into the firewall at the next rule.
+.Pp
+Note: bridged and layer 2 packets coming out of a pipe
+are never reinjected in the firewall irrespective of the
+value of this variable.
+.It Em net.inet.ip.fw.verbose : No 1
+Enables verbose messages.
+.It Em net.inet.ip.fw.verbose_limit : No 0
+Limits the number of messages produced by a verbose firewall.
.It Em net.link.ether.ipfw : No 0
Controls whether layer-2 packets are passed to
.Nm .
@@ -1343,7 +1545,68 @@
.Nm .
Default is no.
.El
+.Sh IPFW2 ENHANCEMENTS
+This Section lists the features that have been introduced in
+.Nm ipfw2
+and were not present in
+.Nm ipfw1 .
+We list them in order of the potential impact that they can
+have in writing your rulesets.
+You might want to consider using these features in order to
+write your rulesets in a more efficient way.
+.Bl -tag -width indent
+.It Address sets
+.Nm ipfw1
+does not supports address sets (those in the form
+.Ar addr/masklen{num,num,...}
+)
+.It Port specifications
+.Nm ipfw1
+only allows one port range when specifying TCP and UDP ports, and
+is limited to 10 entries instead of the 15 allowed by
+.Nm ipfw2 .
+Also, in
+.Nm ipfw1
+you can only specify ports when the rule is requesting
+.Cm tcp
+or
+.Cm udp
+packets. With
+.Nm ipfw2
+you can put port specifications in rules matching all packets,
+and the match will be attempted only on those packets carrying
+protocols which include port identifiers.
+.It Or-blocks
+.Nm ipfw1
+does not support Or-blocks. All match operators are implicitly
+connected by
+.Cm and
+operators.
+.It keepalives
+.Nm ipfw1
+does not generate keepalives for stateful sessions.
+As a consequence, it might cause idle sessions to drop because
+the lifetime of the dynamic rules expires.
+.It Sets of rules
+.Nm ipfw1
+does not implement sets of rules.
+.It MAC header filtering and Layer-2 firewalling.
+.Nm ipfw1
+does not implement filtering on MAC header fields, nor it is
+invoked on packets from
+.Cm ether_demux()
+and
+.Cm ether_output_frame().
+The sysctl variable
+.Em net.link.ether.ipfw
+has no effect there.
+.El
.Sh EXAMPLES
+There are far too many possible uses of
+.Nm
+so this Section will only give a small set of examples.
+.Pp
+.Ss BASIC PACKET FILTERING
This command adds an entry which denies all tcp packets from
.Em cracker.evil.org
to the telnet port of
@@ -1375,6 +1638,24 @@
.Cm deny
rule.
.Pp
+If you administer one or more subnets, you can take advantage of the
+.Nm ipfw2
+syntax to specify address sets and or-blocks and write extremely
+compact rulesets which selectively enable services to blocks
+of clients, as below:
+.Pp
+.Dl "goodguys=\*q{ 10.1.2.0/24{20,35,66,18} or 10.2.3.0/28{6,3,11} }\*q"
+.Dl "badguys=\*q10.1.2.0/24{8,38,60}\*q"
+.Dl ""
+.Dl "ipfw add allow ip from ${goodguys} to any"
+.Dl "ipfw add deny ip from ${badguys} to any"
+.Dl "... normal policies ..."
+.Pp
+The
+.Nm ipfw1
+syntax would require a separate rule for each IP in the above
+example.
+.Ss DYNAMIC RULES
In order to protect a site from flood attacks involving fake
TCP packets, it is safer to use dynamic rules:
.Pp
@@ -1434,6 +1715,7 @@
.Pp
.Dl ipfw divert 5000 ip from 192.168.2.0/24 to any in
.Pp
+.Ss TRAFFIC SHAPING
The following rules show some of the applications of
.Nm
and
@@ -1525,6 +1807,27 @@
.Dl "ipfw add pipe 2 ip from any to 192.168.2.0/24 in"
.Dl "ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
.Dl "ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
+.Ss SETS OF RULES
+To add a set of rules atomically, e.g. set 18:
+.Pp
+.Dl "ipfw disable set 18"
+.Dl "ipfw add NN set 18 ... # repeat as needed"
+.Dl "ipfw enable set 18"
+.Pp
+To delete a set of rules atomically the command is simply:
+.Pp
+.Dl "ipfw delete set 18"
+.Pp
+To test a ruleset and disable it and regain control if something goes wrong:
+.Pp
+.Dl "ipfw disable set 18"
+.Dl "ipfw add NN set 18 ... # repeat as needed"
+.Dl "ipfw enable set 18 ; echo done; sleep 30 && ipfw disable set 18"
+.Pp
+Here if everything goes well, you press control-C before the "sleep"
+terminates, and your ruleset will be left active. Otherwise, e.g. if
+you cannot access your box, the ruleset will be disabled after
+the sleep terminates thus restoring the previous situation.
.Sh SEE ALSO
.Xr cpp 1 ,
.Xr m4 1 ,
==== //depot/projects/trustedbsd/mac/sbin/ipfw/ipfw2.c#6 (text+ko) ====
@@ -17,7 +17,7 @@
*
* NEW command line interface for IP firewall facility
*
- * $FreeBSD: src/sbin/ipfw/ipfw2.c,v 1.9 2002/08/10 15:10:15 luigi Exp $
+ * $FreeBSD: src/sbin/ipfw/ipfw2.c,v 1.10 2002/08/16 10:31:47 luigi Exp $
*/
#include <sys/param.h>
@@ -223,6 +223,7 @@
TOK_ICMPTYPES,
TOK_PLR,
+ TOK_NOERROR,
TOK_BUCKETS,
TOK_DSTIP,
TOK_SRCIP,
@@ -241,6 +242,7 @@
struct _s_x dummynet_params[] = {
{ "plr", TOK_PLR },
+ { "noerror", TOK_NOERROR },
{ "buckets", TOK_BUCKETS },
{ "dst-ip", TOK_DSTIP },
{ "src-ip", TOK_SRCIP },
@@ -502,8 +504,10 @@
p[1] = b;
} else if (*s == ',' || *s == '\0' ) {
p[0] = p[1] = a;
- } else /* invalid separator */
- break;
+ } else { /* invalid separator */
+ errx(EX_DATAERR, "invalid separator <%c> in <%s>\n",
+ *s, av);
+ }
av = s+1;
}
if (i > 0) {
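Review bot: `errx` terminates its message with a newline itself, so the trailing `\n` in the added format string produces a stray blank line on every invalid-separator error; the line should read `errx(EX_DATAERR, "invalid separator <%c> in <%s>",` with the arguments unchanged. Turning the former silent `break` into a fatal error is a reasonable hardening of port-list parsing, but `%c` will print whatever byte `*s` holds, so a non-printable separator produces an unreadable message; `%#x` would be unambiguous if that matters. The enclosing function starts and ends outside the hunk.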
@@ -737,17 +741,29 @@
* show_ipfw() prints the body of an ipfw rule.
* Because the standard rule has at least proto src_ip dst_ip, we use
* a helper function to produce these entries if not provided explicitly.
+ *
+ * Special case: if we have provided a MAC header, and no IP specs,
+ * just leave it alone.
+ * Also, if we have providea a MAC header and no IP protocol, print it
+ * as "all" instead of "ip".
*/
-#define HAVE_PROTO 1
-#define HAVE_SRCIP 2
-#define HAVE_DSTIP 4
-#define HAVE_MAC 8
+#define HAVE_PROTO 0x0001
+#define HAVE_SRCIP 0x0002
+#define HAVE_DSTIP 0x0004
+#define HAVE_MAC 0x0008
+#define HAVE_MACTYPE 0x0010
+#define HAVE_IP (HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP)
static void
show_prerequisites(int *flags, int want)
{
+ if ( (*flags & (HAVE_MAC | HAVE_MACTYPE)) == HAVE_MAC) {
+ printf(" any"); /* MAC type */
+ *flags |= HAVE_MACTYPE;
+ }
+
if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO))
- printf(" ip");
+ printf( (*flags & HAVE_MAC) ? " all" : " ip");
if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP))
printf(" from any");
if ( !(*flags & HAVE_DSTIP) && (want & HAVE_DSTIP))
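Review bot: The new comment line `* Also, if we have providea a MAC header and no IP protocol, print it` has a typo and should read `* Also, if we have provided a MAC header and no IP protocol, print it`. The added `HAVE_MACTYPE` block in show_prerequisites prints ` any` regardless of the `want` argument, which looks intentional (a MAC header always has a type column once started) but deserves a one-line comment, e.g. `/* MAC header always carries a type field; emit "any" if none was printed */`. show_prerequisites ends outside the hunk.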
@@ -907,6 +923,9 @@
break;
case O_MAC_TYPE:
+ if ( (flags & HAVE_MAC) == 0)
+ printf(" MAC");
+ flags |= (HAVE_MAC | HAVE_MACTYPE);
print_newports((ipfw_insn_u16 *)cmd, IPPROTO_ETHERTYPE);
break;
@@ -1340,7 +1359,116 @@
}
}
+/*
+ * This one handles all set-related commands
+ * ipfw set { show | enable | disable }
+ * ipfw set swap X Y
+ * ipfw set move X to Y
+ * ipfw set move rule X to Y
+ */
static void
+sets_handler(int ac, char *av[])
+{
+ u_int32_t set_disable, masks[2];
+ int i, nbytes;
+ u_int16_t rulenum;
+ u_int8_t cmd, new_set;
+
+ ac--;
+ av++;
+
+ if (!ac)
+ errx(EX_USAGE, "set needs command");
+ if (!strncmp(*av, "show", strlen(*av)) ) {
+ void *data;
+ char *msg;
+
+ nbytes = sizeof(struct ip_fw);
+ if ((data = malloc(nbytes)) == NULL)
+ err(EX_OSERR, "malloc");
+ if (getsockopt(s, IPPROTO_IP, IP_FW_GET, data, &nbytes) < 0)
+ err(EX_OSERR, "getsockopt(IP_FW_GET)");
+ set_disable = (u_int32_t)(((struct ip_fw *)data)->next_rule);
+
+ for (i = 0, msg = "disable" ; i < 31; i++)
+ if ( (set_disable & (1<<i))) {
+ printf("%s %d", msg, i);
+ msg = "";
+ }
+ msg = (set_disable) ? " enable" : "enable";
+ for (i = 0; i < 31; i++)
+ if ( !(set_disable & (1<<i))) {
+ printf("%s %d", msg, i);
>>> TRUNCATED FOR MAIL (1000 lines) <<<