4a77657c | 03-Mar-2025 | Andrey V. Elsukov <ae@FreeBSD.org>
ipfw: migrate ipfw to 32-bit size rule numbers

This changes the ABI due to the changed opcodes and includes the following:
* rule numbers and named object indexes converted to 32 bits
* all hardcoded maximum rule numbers were replaced with the IPFW_DEFAULT_RULE macro
* now it is possible to grow the maximum number of rules at build time
* several opcodes converted to ipfw_insn_u32 to keep rulenum: O_CALL, O_SKIPTO
* call stack modified to keep u32 rulenum. The behaviour of the O_CALL opcode was changed to avoid possible packet looping. Now when the call stack is overflowed or mbuf tag allocation fails, the packet will be dropped instead of skipping to the next rule.
* 'return' action now has two modes to specify the return point: 'next-rulenum' and 'next-rule'
* new lookup key added for the O_IP_DST_LOOKUP opcode: 'lookup rulenum'
* several opcodes converted to keep u32 named object indexes in the special structure ipfw_insn_kidx
* table-related opcodes modified to use two structures: ipfw_insn_kidx and ipfw_insn_table
* added ability for table value matching for a specific value type in the 'table(name,valtype=value)' opcode
* dynamic states and eaction code converted to use u32 rulenum and named object indexes
* added insntod() and insntoc() macros to cast to a specific ipfw instruction type
* default sockopt version was changed to IP_FW3_OPVER=1
* FreeBSD 7-11 rule format support was removed
* added ability to generate special rtsock messages via the log opcode
* added IP_FW_SKIPTO_CACHE sockopt to enable/disable the skipto cache. It helps to reduce overhead when many rules are modified in a batch.
* added ability to keep NAT64LSN states during set swapping

Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D46183

Revision tags: release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4, release/14.1.0-p7, release/14.2.0-p1, release/13.4.0-p3
b6c90b90 | 06-Dec-2024 | Damjan Jovanovic <damjan.jov@gmail.com>
ipfw: Enable support for EIM NAT

Enable support for endpoint-independent mapping ("full cone NAT") via Libalias's UDP NAT.

Reviewed by: igoro, thj
Differential Revision: https://reviews.freebsd.org/D46689D

Revision tags: release/14.2.0, release/13.4.0, release/14.1.0, release/13.3.0, release/14.0.0
b3e76948 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
Remove $FreeBSD$: two-line .h pattern

Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
2b5dd8b8 | 15-Jun-2023 | Alexander V. Chernikov <melifaro@FreeBSD.org>
ipfw: use function return value to fetch insn argument.

This is a prerequisite for splitting compile_rule() into smaller chunks.

MFC after: 2 weeks
9f44a47f | 11-Jun-2023 | Alexander V. Chernikov <melifaro@FreeBSD.org>
ipfw(8): add ioctl/instruction generation tests

Differential Revision: https://reviews.freebsd.org/D40488
MFC after: 2 weeks
fc727ad6 | 25-Apr-2023 | Boris Lytochkin <lytboris@gmail.com>
ipfw: add [fw]mark implementation for ipfw

Packet Mark is an analogue to ipfw tags with O(1) lookup from the mbuf, while regular tags require a singly-linked list traversal. Mark is a 32-bit number that can be looked up in a table [with the 'number' table type], matched, or compared with a number with an optional mask applied before comparison. Being generic in nature, Mark can be used for a variety of needs. For example, it could be used as a security group: the mark would hold a security group id and represent a group of packet flows that share the same access control policy.

Reviewed By: pauamma_gundo.com
Differential Revision: https://reviews.freebsd.org/D39555
MFC after: 1 month

Revision tags: release/13.2.0, release/12.4.0
81cac390 | 04-Jun-2022 | Arseny Smalyuk <smalukav@gmail.com>
ipfw: add support for radix tables and table lookup for MAC addresses

By analogy with IP address matching, add a way to use ipfw radix tables for MAC matching. This is implemented using a new ipfw table type, mac:radix. Also, src-mac and dst-mac lookup commands are added.

Usage example:
ipfw table 1 create type mac
ipfw table 1 add 11:22:33:44:55:66/48
ipfw add skipto tablearg src-mac 'table(1)'
ipfw add deny src-mac 'table(1, 100)'
ipfw add deny lookup dst-mac 1

Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw filtering on L2.

Reviewed by: melifaro
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D35103

Revision tags: release/13.1.0, release/12.3.0
0b95680e | 25-May-2021 | Kristof Provost <kp@FreeBSD.org>
ipfw: Introduce dnctl

Introduce a link to the ipfw command, dnctl, for dummynet configuration. dnctl only handles dummynet configuration, and is part of the effort to support dummynet in pf.

/sbin/ipfw continues to accept pipe, queue and sched commands, but these can now also be issued via the new dnctl command.

Reviewed by: donner
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30465

Revision tags: release/13.0.0
a08cdb6c | 02-Feb-2021 | Neel Chauhan <nc@FreeBSD.org>
Allow setting alias port ranges in libalias and ipfw.

This will allow a system to be a true RFC 6598 NAT444 setup, where each network segment (e.g. user, subnet) can have its own dedicated port aliasing ranges.

Reviewed by: donner, kp
Approved by: 0mp (mentor), donner, kp
Differential Revision: https://reviews.freebsd.org/D23450

Revision tags: release/12.2.0
165236a1 | 13-Jul-2020 | Mark Johnston <markj@FreeBSD.org>
ipfw(8): Handle unaligned pointers in pr_u64.

struct _ipfw_dyn_rule is defined as packed, and as a result, its uint64_t fields are misaligned on some 32-bit platforms. Since pr_u64() is explicitly supposed to handle this case, avoid using a uint64_t * for the input pointer to make sure that the compiler won't (correctly) warn about the misalignment.

Reported by: jenkins
MFC with: r363164
56707bee | 13-Jul-2020 | Mark Johnston <markj@FreeBSD.org>
ipfw(8): Fix most warnings with the default WARNS level.

- Add missing const and static qualifiers.
- Avoid shadowing the global "co" by renaming it to "g_co".
- Avoid mixing signedness in loop bound checks.
- Leave -Wcast-align warnings disabled for now.

Reviewed by: ae, melifaro
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D25456

Revision tags: release/11.4.0
db1102f2 | 24-Mar-2020 | Andrey V. Elsukov <ae@FreeBSD.org>
Use IP_FW_NAT44_DESTROY opcode for IP_FW3 socket option to destroy NAT instance.

The NAT44 group of opcodes for the IP_FW3 socket option is the modern way to control NAT instances, and this method can be used in the future to switch from numeric to named NAT instances, as was done for ipfw tables. The IP_FW_NAT_DEL opcode is the last remnant of the old ipfw_ctl control plane that doesn't support versioned operations. This interface will be retired soon.

Reviewed by: melifaro
MFC after: 10 days
Sponsored by: Yandex LLC
051669e8 | 25-Jan-2020 | Dimitry Andric <dim@FreeBSD.org>
Merge ^/head r356931 through r357118.
75b89337 | 24-Jan-2020 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Add support for RFC 6598/Carrier Grade NAT subnets to libalias and ipfw.

In libalias, a new flag PKT_ALIAS_UNREGISTERED_RFC6598 is added. This is like PKT_ALIAS_UNREGISTERED_ONLY, but is also RFC 6598 aware. Also, we add a new NAT option to ipfw called unreg_cgn, which is like unreg_only, but is also RFC 6598-aware. The reason for the new flags/options is to avoid breaking existing networks, especially those which rely on RFC 6598 as an external address.

Submitted by: Neel Chauhan <neel AT neelc DOT org>
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D22877

Revision tags: release/12.1.0, release/11.3.0
7f49ce7a | 28-Jun-2019 | Alan Somers <asomers@FreeBSD.org>
MFHead @349476

Sponsored by: The FreeBSD Foundation
978f2d17 | 21-Jun-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Add "tcpmss" opcode to match the TCP MSS value.

With this opcode it is possible to match TCP packets with a specified MSS option, whose value corresponds to the value configured in the opcode. It is allowed to specify a single value, a range of values, or an array of specific values or ranges. E.g.

# ipfw add deny log tcp from any to any tcpmss 0-500

Reviewed by: melifaro, bcr
Obtained from: Yandex LLC
MFC after: 1 week
Sponsored by: Yandex LLC
0269ae4c | 06-Jun-2019 | Alan Somers <asomers@FreeBSD.org>
MFHead @348740

Sponsored by: The FreeBSD Foundation
09899450 | 27-May-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Remove unused token that was added in r348235.

MFC after: 2 weeks
05ab1ef6 | 24-May-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Add `missing` and `or-flush` options to "ipfw table <NAME> create" command to simplify firewall reloading.

The `missing` option suppresses the EEXIST error code, but does check that the existing table has the same parameters as the new one. The `or-flush` option implies the `missing` option and additionally flushes the table if it already exists.

Submitted by: lev
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D18339
f9856d08 | 21-Mar-2019 | Alan Somers <asomers@FreeBSD.org>
MFHead @345353
d18c1f26 | 19-Mar-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Reapply r345274 with build fixes for 32-bit architectures.

Update NAT64LSN implementation:
o most data structures and relations were modified to be able to support a large number of translation states. Now each supported protocol can use the full port range. Port groups now belong to IPv4 alias addresses, not hosts. Each port group can keep several states chunks. This is controlled with the new `states_chunks` config option. States chunks allow having several translation states for a single alias address and port, but for different destination addresses.
o by default all hash tables now use jenkins hash.
o ConcurrencyKit and epoch(9) are used to make NAT64LSN lockless on the fast path.
o one NAT64LSN instance can now be used to handle several IPv6 prefixes; the special prefix "::" value should be used for this purpose when the instance is created.
o due to modified internal data structure relations, the socket opcode that does states listing was changed.

Obtained from: Yandex LLC
MFC after: 1 month
Sponsored by: Yandex LLC
2aaf9152 | 18-Mar-2019 | Alan Somers <asomers@FreeBSD.org>
MFHead@r345275
d6369c2d | 18-Mar-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Revert r345274. It appears that not all 32-bit architectures have the necessary CK primitives.
d7a1cf06 | 18-Mar-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Update NAT64LSN implementation:

o most data structures and relations were modified to be able to support a large number of translation states. Now each supported protocol can use the full port range. Port groups now belong to IPv4 alias addresses, not hosts. Each port group can keep several states chunks. This is controlled with the new `states_chunks` config option. States chunks allow having several translation states for a single alias address and port, but for different destination addresses.
o by default all hash tables now use jenkins hash.
o ConcurrencyKit and epoch(9) are used to make NAT64LSN lockless on the fast path.
o one NAT64LSN instance can now be used to handle several IPv6 prefixes; the special prefix "::" value should be used for this purpose when the instance is created.
o due to modified internal data structure relations, the socket opcode that does states listing was changed.

Obtained from: Yandex LLC
MFC after: 1 month
Sponsored by: Yandex LLC
5c04f73e | 18-Mar-2019 | Andrey V. Elsukov <ae@FreeBSD.org>
Add NAT64 CLAT implementation as defined in RFC6877.

CLAT is a customer-side translator that algorithmically translates private IPv4 addresses 1:1 to global IPv6 addresses, and vice versa. It is implemented as part of the ipfw_nat64 kernel module. When the module is loaded or compiled into the kernel, it registers the "nat64clat" external action. A named instance of the external action can be created using the `create` command and then used in ipfw rules. The create command accepts two IPv6 prefixes, `plat_prefix` and `clat_prefix`. If plat_prefix is omitted, the IPv6 NAT64 Well-Known prefix 64:ff9b::/96 will be used.

# ipfw nat64clat CLAT create clat_prefix SRC_PFX plat_prefix DST_PFX
# ipfw add nat64clat CLAT ip4 from IPv4_PFX to any out
# ipfw add nat64clat CLAT ip6 from DST_PFX to SRC_PFX in

Obtained from: Yandex LLC
Submitted by: Boris N. Lytochkin
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC