#
4a77657c |
| 03-Mar-2025 |
Andrey V. Elsukov <ae@FreeBSD.org> |
ipfw: migrate ipfw to 32-bit size rule numbers
This changes ABI due to the changed opcodes and includes the following:
* rule numbers and named object indexes converted to 32-bits
* all hardcoded maximum rule number was replaced with IPFW_DEFAULT_RULE macro
* now it is possible to grow maximum numbers or rules in build time
* several opcodes converted to ipfw_insn_u32 to keep rulenum: O_CALL, O_SKIPTO
* call stack modified to keep u32 rulenum. The behaviour of O_CALL opcode was changed to avoid possible packets looping. Now when call stack is overflowed or mbuf tag allocation failed, a packet will be dropped instead of skipping to next rule.
* 'return' action now has two modes to specify return point: 'next-rulenum' and 'next-rule'
* new lookup key added for O_IP_DST_LOOKUP opcode 'lookup rulenum'
* several opcodes converted to keep u32 named object indexes in special structure ipfw_insn_kidx
* tables related opcodes modified to use two structures: ipfw_insn_kidx and ipfw_insn_table
* added ability for table value matching for specific value type in 'table(name,valtype=value)' opcode
* dynamic states and eaction code converted to use u32 rulenum and named objects indexes
* added insntod() and insntoc() macros to cast to specific ipfw instruction type
* default sockopt version was changed to IP_FW3_OPVER=1
* FreeBSD 7-11 rule format support was removed
* added ability to generate special rtsock messages via log opcode
* added IP_FW_SKIPTO_CACHE sockopt to enable/disable skipto cache. It helps to reduce overhead when many rules are modified in batch.
* added ability to keep NAT64LSN states during sets swapping
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D46183
|
Revision tags: release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4 |
|
#
706a03f6 |
| 11-Feb-2025 |
Andrey V. Elsukov <ae@FreeBSD.org> |
ipfw: make 'ipfw show' output compatible with 'ipfw add' command
If rule was added in compact form and rule body is empty, print 'proto ip' opcode to be compatible with ipfw(8) syntax parser.
Before:
$ ipfw add allow proto ip
000700 allow
After:
$ ipfw add allow proto ip
000700 allow proto ip
MFC after: 1 week
|
Revision tags: release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3, release/14.2.0, release/13.4.0, release/14.1.0, release/13.3.0, release/14.0.0 |
|
#
c3c81617 |
| 07-Nov-2023 |
Elyes Haouas <ehaouas@noos.fr> |
ipfw: Use nitems(foo) instead of sizeof(foo)/sizeof(foo[0])
Pull Request: https://github.com/freebsd/freebsd-src/pull/888
Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
|
#
d600ad81 |
| 11-Apr-2024 |
Elyes Haouas <ehaouas@noos.fr> |
ipfw: Remove repeated words
Remove repeated words in error message.
Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/887
|
#
b3e76948 |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: two-line .h pattern
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
|
#
2b5dd8b8 |
| 15-Jun-2023 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
ipfw: use function return value to fetch insn argument.
This is a prerequisite for splitting compile_rule() into smaller chunks.
MFC after: 2 weeks
|
#
6a9cfeba |
| 07-Jun-2023 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
ipfw: simplify action case parser
Remove "goto charg" from the action parser. This is a prerequisite for the further split of the gigantic compile_rule().
Differential Revision: https://reviews.freebsd.org/D40490
MFC after: 2 weeks
|
#
9f44a47f |
| 11-Jun-2023 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
ipfw(8): add ioctl/instruction generation tests
Differential Revision: https://reviews.freebsd.org/D40488
MFC after: 2 weeks
|
#
e4861dc8 |
| 02-Jun-2023 |
Elyes Haouas <ehaouas@noos.fr> |
ipfw/ipfw2: Fix typos
Signed-off-by: Elyes Haouas <ehaouas@noos.fr>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/653
|
#
fc727ad6 |
| 25-Apr-2023 |
Boris Lytochkin <lytboris@gmail.com> |
ipfw: add [fw]mark implementation for ipfw
Packet Mark is an analogue to ipfw tags with O(1) lookup from mbuf while regular tags require a single-linked list traversal. Mark is a 32-bit number that can be looked up in a table [with 'number' table-type], matched or compared with a number with optional mask applied before comparison. Having generic nature, Mark can be used in a variety of needs. For example, it could be used as a security group: mark will hold a security group id and represent a group of packet flows that shares same access control policy.
Reviewed By: pauamma_gundo.com
Differential Revision: https://reviews.freebsd.org/D39555
MFC after: 1 month
|
Revision tags: release/13.2.0 |
|
#
bdd60b22 |
| 13-Jan-2023 |
Jose Luis Duran <jlduran@gmail.com> |
ipfw: Add missing 'va' code point name
Per RFC 5865, add the 'va' (VOICE-ADMIT, 101100) symbolic name.
Reviewed By: melifaro, pauamma
Differential Revision: https://reviews.freebsd.org/D37508
MFC after: 2 weeks
|
Revision tags: release/12.4.0 |
|
#
05b9737f |
| 17-Aug-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
ipfw: make it possible to specify MTU for "unreach needfrag" action
Reviewed by: ae, pauamma
Differential revision: https://reviews.freebsd.org/D36140
|
#
81cac390 |
| 04-Jun-2022 |
Arseny Smalyuk <smalukav@gmail.com> |
ipfw: add support radix tables and table lookup for MAC addresses
By analogy with IP address matching, add a way to use ipfw radix tables for MAC matching. This is implemented using new ipfw table with mac:radix type. Also there are src-mac and dst-mac lookup commands added.
Usage example:
ipfw table 1 create type mac
ipfw table 1 add 11:22:33:44:55:66/48
ipfw add skipto tablearg src-mac 'table(1)'
ipfw add deny src-mac 'table(1, 100)'
ipfw add deny lookup dst-mac 1
Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw filtering on L2.
Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D35103
|
Revision tags: release/13.1.0, release/12.3.0 |
|
#
0b95680e |
| 25-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
ipfw: Introduce dnctl
Introduce a link to the ipfw command, dnctl, for dummynet configuration. dnctl only handles dummynet configuration, and is part of the effort to support dummynet in pf.
/sbin/ipfw continues to accept pipe, queue and sched commands, but these can now also be issued via the new dnctl command.
Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30465
|
#
809ad817 |
| 11-Aug-2021 |
Gordon Bergling <gbe@FreeBSD.org> |
ipfw(8): Fix a typo in an error message
- s/suport/support/
MFC after: 5 days
|
#
f6f29787 |
| 11-May-2021 |
Lutz Donnerhacke <donner@FreeBSD.org> |
sbin/ipfw: Allow tablearg as hostname
Hostnames starting with "tablearg" are considered as a functional argument instead of a literal.
Reported by: ae
Reviewers: ae
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30208
|
#
6cb13813 |
| 07-May-2021 |
Lutz Donnerhacke <donner@FreeBSD.org> |
sbin/ipfw: Fix parsing error in table based forward
The argument parser does not recognise the optional port for a "tablearg" argument. Fix simplifies the code by making the internal representation explicit for the parser.
PR: 252744
MFC: 1 week
Reported by: <bugs.freebsd.org@mx.zzux.com>
Approved by: nc
Tested by: <bugs.freebsd.org@mx.zzux.com>
Differential Revision: https://reviews.freebsd.org/D30164
|
#
bf7cc0f9 |
| 30-Apr-2021 |
Lutz Donnerhacke <donner@FreeBSD.org> |
sbin/ipfw: Fix null pointer dereference when printing counters
ipfw -[tT] prints statistics of the last access. If the rule was never used, the counter might not exist. This happens unconditionally on inserting a new rule. Avoid printing statistics in this case.
PR: 255491
Reported by: Haisheng Zhouz
Reviewed by: ae
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D30046
|
Revision tags: release/13.0.0 |
|
#
682c31db |
| 01-Feb-2021 |
Evgeniy Khramtsov <2khramtsov@gmail.com> |
ipfw(8) crashes when ext6hdr option is omitted
Verify that the option is passed, error out if it's not. The problem can be trivially triggered with `ipfw add allow ext6hdr`.
PR: 253169
Reviewed by: kp@
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D28447
|
Revision tags: release/12.2.0 |
|
#
b876085f |
| 11-Sep-2020 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Fix compatibility regression after r364117.
Properly handle the case, when some opcode keywords follow after the `frag` opcode without additional options.
Reported by: Evgeniy Khramtsov <evgeniy at khramtsov org>
|
#
0fa427fe |
| 01-Sep-2020 |
Stefan Eßer <se@FreeBSD.org> |
Change printf format string to include the extra blank
This is a follow up change to r364321 after a discussion about the style. All nearby places use extra blanks in format strings, and while use of the format string to provide the extra blank may need more cycles than adding 1 to twidth, it generates shorter code and is clearer in the opinion of some reviewers of the previous change.
Not objected to by: emaste
MFC after: 3 days
|
#
e2515283 |
| 27-Aug-2020 |
Glen Barber <gjb@FreeBSD.org> |
MFH
Sponsored by: Rubicon Communications, LLC (netgate.com)
|
#
c1b355d3 |
| 17-Aug-2020 |
Ed Maste <emaste@FreeBSD.org> |
ipfw: line up `ipfw -t list` with and without timestamp
From the PR: When I run `ipfw -t list` on release/12 or current, I get misaligned output between lines that do and do not have a last match timestamp, like so:
00100 Tue Aug 11 03:03:26 2020 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
(specifically, the "allow" and "deny" strings do not line up)
PR: 248608
Submitted by: Taylor Stearns
MFC after: 3 days
|
#
de6fc2e3 |
| 15-Aug-2020 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r364082 through r364250.
|
#
440cec3f |
| 12-Aug-2020 |
Glen Barber <gjb@FreeBSD.org> |
MFH
Sponsored by: Rubicon Communications, LLC (netgate.com)
|