#
09025a71 |
| 10-May-2024 |
Ben Wilber <ben@desync.com> |
ipfw: correctly report table manipulation errors
Let ipfw(8) report the actual error instead of the error that may have come from calling printf().
Reviewed by: imp Pull Request: https://github.com/freebsd/freebsd-src/pull/1221
|
Revision tags: release/13.3.0, release/14.0.0 |
|
#
b3e76948 |
| 16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
Remove $FreeBSD$: two-line .h pattern
Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/
|
#
f5e73306 |
| 27-Jun-2023 |
John Baldwin <jhb@FreeBSD.org> |
ipfw: Remove set but unused variables.
Reported by: GCC Differential Revision: https://reviews.freebsd.org/D40654
|
#
fc727ad6 |
| 25-Apr-2023 |
Boris Lytochkin <lytboris@gmail.com> |
ipfw: add [fw]mark implementation for ipfw
Packet Mark is an analogue to ipfw tags with O(1) lookup from mbuf while regular tags require a single-linked list traversal. Mark is a 32-bit number that can be looked up in a table [with 'number' table-type], matched or compared with a number with optional mask applied before comparison. Having generic nature, Mark can be used in a variety of needs. For example, it could be used as a security group: mark will hold a security group id and represent a group of packet flows that shares same access control policy.
Reviewed By: pauamma_gundo.com Differential Revision: https://reviews.freebsd.org/D39555 MFC after: 1 month
|
Revision tags: release/13.2.0, release/12.4.0 |
|
#
81cac390 |
| 04-Jun-2022 |
Arseny Smalyuk <smalukav@gmail.com> |
ipfw: add support radix tables and table lookup for MAC addresses
By analogy with IP address matching, add a way to use ipfw radix tables for MAC matching. This is implemented using new ipfw table with mac:radix type. Also there are src-mac and dst-mac lookup commands added.
Usage example:
    ipfw table 1 create type mac
    ipfw table 1 add 11:22:33:44:55:66/48
    ipfw add skipto tablearg src-mac 'table(1)'
    ipfw add deny src-mac 'table(1, 100)'
    ipfw add deny lookup dst-mac 1
Note: sysctl net.link.ether.ipfw=1 should be set to enable ipfw filtering on L2.
Reviewed by: melifaro Obtained from: Yandex LLC MFC after: 1 month Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D35103
|
Revision tags: release/13.1.0, release/12.3.0, release/13.0.0 |
|
#
13ad237a |
| 25-Feb-2021 |
Andrey V. Elsukov <ae@FreeBSD.org> |
ipfw: make algo name argument optional for some table types
Most of table types currently supported by ipfw have only one algorithm implementation. When user creates such tables, allow to omit algo name in arguments. E.g. now it is possible:
    ipfw table T1 create type number
    ipfw table T2 create type iface
    ipfw table T3 create type flow
PR: 233072 MFC after: 1 week Sponsored by: Yandex LLC
|
Revision tags: release/12.2.0 |
|
#
268a20a0 |
| 14-Jul-2020 |
Adrian Chadd <adrian@FreeBSD.org> |
[ipfw] quieten maybe-uninitialized errors in ipfw when compiled under mips-gcc-6.3.0.
This is mostly an exercise to set variables to NULL/0 when declared, but one was ensuring a string variable was set before printing it. We should never see "<unknown>" in a printed rule; if we do then this code definitely has some bugs that need addressing.
|
#
56707bee |
| 13-Jul-2020 |
Mark Johnston <markj@FreeBSD.org> |
ipfw(8): Fix most warnings with the default WARNS level.
- Add missing const and static qualifiers.
- Avoid shadowing the global "co" by renaming it to "g_co".
- Avoid mixing signedness in loop bound checks.
- Leave -Wcast-align warnings disabled for now.
Reviewed by: ae, melifaro MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D25456
|
Revision tags: release/11.4.0, release/12.1.0, release/11.3.0 |
|
#
0269ae4c |
| 06-Jun-2019 |
Alan Somers <asomers@FreeBSD.org> |
MFHead @348740
Sponsored by: The FreeBSD Foundation
|
#
05ab1ef6 |
| 24-May-2019 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add `missing` and `or-flush` options to "ipfw table <NAME> create" command to simplify firewall reloading.
The `missing` option suppresses EEXIST error code, but does check that existing table has the same parameters as new one. The `or-flush` option implies `missing` option and additionally does flush for table if it already exists.
Submitted by: lev MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D18339
|
#
9e43c218 |
| 10-Feb-2019 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r343807 through r343955.
|
#
10e3bebf |
| 07-Feb-2019 |
Bryan Drewery <bdrewery@FreeBSD.org> |
Fix build of r343877
MFC after: 2 weeks X-MFC-with: r343877 Pointyhat to: bdrewery
|
#
2b3d6647 |
| 07-Feb-2019 |
Bryan Drewery <bdrewery@FreeBSD.org> |
ipfw table list: Fix showing header outside of 'all'.
Properly pass down is_all to table_show_list(). This restores the behavior before r272840 so that only 'ipfw table all list' shows the headers.
MFC after: 2 weeks Relnotes: yes
|
Revision tags: release/12.0.0, release/11.2.0 |
|
#
4e0a8b61 |
| 08-Mar-2018 |
Conrad Meyer <cem@FreeBSD.org> |
ipfw(8): Fix endianness for Legacy and Ipv4 table hostname values
The lookup_host() helper subroutine emits a struct in_addr value in network byte order via caller passed pointer. However, the table value is expected to be stored in host byte order. On little-endian machines, this produced a reversed endian table value for Legacy or IPv4 table types when the value was a hostname (instead of a plain IP address).
Fix by using ntohl() on the output 32-bit address.
While here, avoid some aliasing violations by storing the lookup_host() output in an intermediate object of the correct type.
PR: 226429 Reported by: bugs.freebsd.org AT mx.zzux.com (also: Tested by) Security: ipfw hostname table rules could potentially not act as admin intended Sponsored by: Dell EMC Isilon
|
#
6ef82c0a |
| 27-Feb-2018 |
Alan Somers <asomers@FreeBSD.org> |
fix typo in ipfw(8). No functional change.
Submitted by: zxzharmlesszxz Pull Request: https://github.com/freebsd/freebsd/pull/132
|
#
c2c014f2 |
| 07-Nov-2017 |
Hans Petter Selasky <hselasky@FreeBSD.org> |
Merge ^/head r323559 through r325504.
|
#
0a8f81bc |
| 22-Oct-2017 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead@r324837
While here, diff reduce some of the changes in sys/boot by moving MK_COVERAGE=no to sys/boot/Makefile.inc .
|
#
092f8ba3 |
| 13-Oct-2017 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Return 'errno' value from the table_do_modify_record(), it is expected by table_modify_record().
This makes quiet operations with tables really quiet.
PR: 222953 MFC after: 1 week
|
Revision tags: release/10.4.0, release/11.1.0 |
|
#
ea1e967c |
| 19-May-2017 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r318380 through r318559.
|
#
52772a85 |
| 17-May-2017 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Allow zero port specification in table entries with type flow.
PR: 217620 MFC after: 1 week
|
#
be27b311 |
| 04-May-2017 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r317503 through r317807.
|
#
421c5838 |
| 02-May-2017 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add `ipfw table all destroy` support.
PR: 212669 MFC after: 1 week
|
#
e028ccda |
| 02-May-2017 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add sets support for ipfw table info/list/flush commands.
PR: 212668 MFC after: 1 week
|
Revision tags: release/11.0.1, release/11.0.0 |
|
#
27067774 |
| 16-Aug-2016 |
Dimitry Andric <dim@FreeBSD.org> |
Merge ^/head r303250 through r304235.
|
#
f76e5f20 |
| 14-Aug-2016 |
Enji Cooper <ngie@FreeBSD.org> |
MFhead @ r304061
|