ipfw : Enable support for EIM NAT

Enable support for endpoint-independent mapping ("full cone NAT") via
Libalias's UDP NAT.

Reviewed by: igoro, thj
Differential Revision: https://reviews.freebs

ipfw : Enable support for EIM NAT

Enable support for endpoint-independent mapping ("full cone NAT") via
Libalias's UDP NAT.

Reviewed by: igoro, thj
Differential Revision: https://reviews.freebsd.org/D46689D

show more ...

dummynet: add simple gilbert-elliott channel model

Have a simple Gilbert-Elliott channel model in
dummynet to mimick correlated loss behavior of
realistic environments. This allows simpler testing
o

dummynet: add simple gilbert-elliott channel model

Have a simple Gilbert-Elliott channel model in
dummynet to mimick correlated loss behavior of
realistic environments. This allows simpler testing
of burst-loss environments.

Reviewed By: tuexen, kp, pauamma_gundo.com, #manpages
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D42980

show more ...

ipfw.8: Adjust section for loader tunables

Move the descriptions of loader tunables from section 'SYSCTL VARIABLES'
to section 'LOADER TUNABLES'.

See also 49197c391b3d (ipfw: Add sysctl flag CTLFLA

ipfw.8: Adjust section for loader tunables

Move the descriptions of loader tunables from section 'SYSCTL VARIABLES'
to section 'LOADER TUNABLES'.

See also 49197c391b3d (ipfw: Add sysctl flag CTLFLAG_TUN to loader tunables).

MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D41981

show more ...

Remove $FreeBSD$: two-line nroff pattern

Remove /^\.\\"\n\.\\"\s*\$FreeBSD\$$\n/

ipfw: add [fw]mark implementation for ipfw

Packet Mark is an analogue to ipfw tags with O(1) lookup from mbuf while
regular tags require a single-linked list traversal.
Mark is a 32-bit number that

ipfw: add [fw]mark implementation for ipfw

Packet Mark is an analogue to ipfw tags with O(1) lookup from mbuf while
regular tags require a single-linked list traversal.
Mark is a 32-bit number that can be looked up in a table
[with 'number' table-type], matched or compared with a number with optional
mask applied before comparison.
Having generic nature, Mark can be used in a variety of needs.
For example, it could be used as a security group: mark will hold a security
group id and represent a group of packet flows that shares same access
control policy.

Reviewed By: pauamma_gundo.com
Differential Revision: https://reviews.freebsd.org/D39555
MFC after: 1 month

show more ...

ipfw.8: improve description for interface matching

The manual describes "if*" form only while kernel uses fnmatch(3)
and allows use for more versatile shell-like patterns.
Note that explicitly and p

ipfw.8: improve description for interface matching

The manual describes "if*" form only while kernel uses fnmatch(3)
and allows use for more versatile shell-like patterns.
Note that explicitly and provide an example.

MFC after: 3 days

show more ...

ipfw.8: there never was a "skip-action" action

It was renamed during review of D1776 but this entry slipped through.

PR: 243284
Reported by: pprocacci@gmail.com
Obtained from: Chad Jacob Milios <m

ipfw.8: there never was a "skip-action" action

It was renamed during review of D1776 but this entry slipped through.

PR: 243284
Reported by: pprocacci@gmail.com
Obtained from: Chad Jacob Milios <milios@ccsys.com>

show more ...

ipfw: Add missing 'va' code point name

Per RFC 5865, add the 'va' (VOICE-ADMIT, 101100) symbolic name.

Reviewed By: melifaro, pauamma
Differential Revision: https://reviews.freebsd.org/D37508
MFC a

ipfw: Add missing 'va' code point name

Per RFC 5865, add the 'va' (VOICE-ADMIT, 101100) symbolic name.

Reviewed By: melifaro, pauamma
Differential Revision: https://reviews.freebsd.org/D37508
MFC after: 2 weeks

show more ...

ipfw: make it possible to specify MTU for "unreach needfrag" action

Reviewed by: ae, pauamma
Differential revision: https://reviews.freebsd.org/D36140

ipfw: add support radix tables and table lookup for MAC addresses

By analogy with IP address matching, add a way to use ipfw radix
tables for MAC matching. This is implemented using new ipfw table
w

ipfw: add support radix tables and table lookup for MAC addresses

By analogy with IP address matching, add a way to use ipfw radix
tables for MAC matching. This is implemented using new ipfw table
with mac:radix type. Also there are src-mac and dst-mac lookup
commands added.

Usage example:
ipfw table 1 create type mac
ipfw table 1 add 11:22:33:44:55:66/48
ipfw add skipto tablearg src-mac 'table(1)'
ipfw add deny src-mac 'table(1, 100)'
ipfw add deny lookup dst-mac 1

Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw
filtering on L2.

Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D35103

show more ...

ipfw.8: spell "layer2" consistently throughout the manual page

MFC after: 1 week

ipfw: Introduce dnctl

Introduce a link to the ipfw command, dnctl, for dummynet configuration.
dnctl only handles dummynet configuration, and is part of the effort to
support dummynet in pf.

/sbin/

ipfw: Introduce dnctl

Introduce a link to the ipfw command, dnctl, for dummynet configuration.
dnctl only handles dummynet configuration, and is part of the effort to
support dummynet in pf.

/sbin/ipfw continues to accept pipe, queue and sched commands, but these can
now also be issued via the new dnctl command.

Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30465

show more ...

ipfw.8: synopsis misses nat show form

Document the existing behavior, which is currently only available by
reading third party documentation or the source code itself.

PR: 254617
Submitted by: Oli

ipfw.8: synopsis misses nat show form

Document the existing behavior, which is currently only available by
reading third party documentation or the source code itself.

PR: 254617
Submitted by: Oliver Kiddle
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D30189

show more ...

ipfw.8: Fix table example

Fix some erronous lines in the example section.

PR: 248943
Submitted by: Jose Luis Duran
MFC after: 2 weeks
Reviewers: ae, manpages (gbe)
Differential Revision: https://r

ipfw.8: Fix table example

Fix some erronous lines in the example section.

PR: 248943
Submitted by: Jose Luis Duran
MFC after: 2 weeks
Reviewers: ae, manpages (gbe)
Differential Revision: https://reviews.freebsd.org/D30191

show more ...

ipfw: update man page example for nat show log

In d6164b77f8b779cd7357387dcfcd3407f1457579 the ability to show
ranges of nat log entries was removed.

PR: 254192
Reviewed by: allanjude

Allow setting alias port ranges in libalias and ipfw. This will allow a system
to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user,
subnet) can have their own dedicated port ali

Allow setting alias port ranges in libalias and ipfw. This will allow a system
to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user,
subnet) can have their own dedicated port aliasing ranges.

Reviewed by: donner, kp
Approved by: 0mp (mentor), donner, kp
Differential Revision: https://reviews.freebsd.org/D23450

show more ...

ipfw(8): Fix a few mandoc related issues

- no blank before trailing delimiter
- missing section argument: Xr inet_pton
- skipping paragraph macro: Pp before Ss
- unusual Xr order: syslogd after sysr

ipfw(8): Fix a few mandoc related issues

- no blank before trailing delimiter
- missing section argument: Xr inet_pton
- skipping paragraph macro: Pp before Ss
- unusual Xr order: syslogd after sysrc
- tab in filled text

There were a few multiline NAT examples which used the .Dl macro with
tabs. I converted them to .Bd, which is a more suitable macro for that case.

MFC after: 1 week

show more ...

ipfw(8): Bugfixes for some issues reported by mandoc

- whitespace at end of input line
- new sentence, new line
- skipping paragraph macro: Pp before Pp

MFC after: 1 week

MFH

Sponsored by: Rubicon Communications, LLC (netgate.com)

ipfw(8): Fix typo in man page

s/exmaple/example

Approved by: manpages (gbe@)
Differential Revision: https://reviews.freebsd.org/D26147

Merge ^/head r364082 through r364250.

MFH

Sponsored by: Rubicon Communications, LLC (netgate.com)

ipfw: make the "frag" keyword accept additional options "mf",
"df", "rf" and "offset". This allows to match on specific
bits of ip_off field.

For compatibility reasons lack of keyword means "offset

ipfw: make the "frag" keyword accept additional options "mf",
"df", "rf" and "offset". This allows to match on specific
bits of ip_off field.

For compatibility reasons lack of keyword means "offset".

Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D26021

show more ...

Merge ^/head r356931 through r357118.

Add support for RFC 6598/Carrier Grade NAT subnets. to libalias and ipfw.

In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added.
This is like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC

Add support for RFC 6598/Carrier Grade NAT subnets. to libalias and ipfw.

In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added.
This is like PKT_ALIAS_UNREGISTERED_ONLY, but also is RFC 6598 aware.
Also, we add a new NAT option to ipfw called unreg_cgn, which is like
unreg_only, but also is RFC 6598-aware. The reason for the new
flags/options is to avoid breaking existing networks, especially those
which rely on RFC 6598 as an external address.

Submitted by: Neel Chauhan <neel AT neelc DOT org>
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D22877

show more ...