Lines Matching +full:t1 +full:- +full:framing
8 in-kernel NAT.
19 .Op Ar rule | first-last ...
49 .Oo Cm set Ar N Oc Cm table Ar name Cm create Ar create-options
55 .Oo Cm set Ar N Oc Cm table Ar name Cm modify Ar modify-options
59 .Oo Cm set Ar N Oc Cm table Ar name Cm add Ar table-key Op Ar value
61 .Oo Cm set Ar N Oc Cm table Ar name Cm add Op Ar table-key Ar value ...
63 .Oo Cm set Ar N Oc Cm table Ar name Cm atomic add Op Ar table-key Ar value ...
65 .Oo Cm set Ar N Oc Cm table Ar name Cm delete Op Ar table-key ...
93 .Ar config-options
99 .Ss IN-KERNEL NAT
105 .Ar config-options
113 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options
115 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options
129 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm create Ar create-options
131 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm config Ar config-options
144 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm create Ar create-options
146 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm config Ar config-options
157 .Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION
159 .Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options
183 .Ar preproc-flags
195 in-kernel NAT services.
210 in rule-number order
233 .Cm keep-state ,
234 .Cm record-state ,
237 .Cm set-limit
243 i.e., rules that match packets with the same 5-tuple
248 .Cm check-state ,
249 .Cm keep-state
252 rule, and are typically used to open the firewall on-demand to
255 .Cm keep-state
259 .Cm check-state
261 .Cm record-state
263 .Cm set-limit
265 .Cm check-state .
314 .Bl -tag -width indent
465 .Bd -literal -offset indent
468 +----------->-----------+
475 +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1
518 .Bd -literal -offset indent
556 Keywords are case-sensitive, whereas arguments may
557 or may not be case-sensitive depending on their nature
560 Some arguments (e.g., port or address lists) are comma-separated
567 .Bd -literal -offset indent
568 ipfw -q add deny src-ip 10.0.0.0/24,127.0.0.1/8
569 ipfw -q add deny src-ip 10.0.0.0/24, 127.0.0.1/8
570 ipfw "-q add deny src-ip 10.0.0.0/24, 127.0.0.1/8"
574 .Bd -ragged -offset indent
575 .Bk -words
593 .Bl -tag -width "Source and dest. addresses and ports" -offset XXX -compact
610 Fragmentation, Hop-by-Hop options,
612 .It IPv6 Flow-ID
635 .Bl -tag -width indent
652 non-default rule number by the value of the sysctl variable
657 non-default value is used instead.
684 to simulate the effect of multiple paths leading to out-of-order
689 .Cm keep-state
691 .Cm check-state
707 .Bd -literal -offset indent
715 .Bd -literal -offset indent
738 Once the limit is reached, logging can be re-enabled by
755 and to start doing policy-based filtering.
797 keyword, a 32-bit numeric mark is assigned to the packet.
837 .Cm check-state
839 .Cm keep-state
865 .Bl -tag -width indent
869 .It Cm check-state Op Ar :flowname | Cm :any
875 .Cm Check-state
878 .Cm check-state
880 .Cm keep-state
887 .Cm keep-state
908 Change the next-hop on matching packets to
967 Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address and
972 Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
974 .Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
1077 command-line utility currently requires every action except
1078 .Cm check-state
1087 .Bd -literal -offset indent
1092 ipfw -c list
1110 .Cm needfrag , srcfail , net-unknown , host-unknown ,
1111 .Cm isolated , net-prohib , host-prohib , tosnet ,
1112 .Cm toshost , filter-prohib , host-precedence
1114 .Cm precedence-cutoff .
1129 .Cm no-route, admin-prohib, address
1220 .It Cm tcp-setmss Ar mss
1232 .Cm tcp-setmss
1258 Alternatively, direction-based (like
1262 ) and source-based (like
1267 .Bd -literal -offset indent
1289 operators -- i.e., all must match in order for the
1298 .Pq Em or-blocks
1320 .Bd -ragged -offset indent
1336 .Bl -tag -width indent
1338 .It Ar protocol : Oo Cm not Oc Ar protocol-name | protocol-number
1343 .Bl -tag -width indent
1366 .Em or-block )
1375 .Em ( or-block
1381 .Ar | addr-list | addr-set
1383 .Bl -tag -width indent
1395 If an optional 32-bit unsigned
1412 .It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list
1413 .It Ar ip-addr :
1415 .Bl -tag -width indent
1416 .It Ar numeric-ip | hostname
1417 Matches a single IPv4 address, specified as dotted-quad or a hostname.
1437 This form is advised only for non-contiguous
1442 error-prone.
1444 .It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm }
1445 .It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list
1467 As an example, an address specified as 1.2.3.4/24{128,35-55,89}
1468 or 1.2.3.0/24{128,35-55,89}
1472 .It Ar addr6-list : ip6-addr Ns Op Ns , Ns Ar addr6-list
1473 .It Ar ip6-addr :
1475 .Bl -tag -width indent
1476 .It Ar numeric-ip | hostname
1503 This form is advised only for non-contiguous
1508 error-prone.
1529 .Em or-block
1537 .Pq Ql -
1542 .Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
1544 Fragmented packets which have a non-zero offset (i.e., not the first
1554 Zero or more of these so-called
1559 .Em or-blocks .
1562 .Bl -tag -width indent
1566 You can have comment-only rules, which are listed as having a
1572 .It Cm defer-immediate-action | defer-action
1576 .Cm record-state
1578 .Cm keep-state
1582 .Cm record-state
1584 .Cm defer-immediate-action
1591 .It Cm diverted-loopback
1594 .It Cm diverted-output
1597 .It Cm dst-ip Ar ip-address
1600 .It Bro Cm dst-ip6 | dst-ipv6 Brc Ar ip6-address
1603 .It Cm dst-port Ar ports
1615 Hop-to-hop options
1645 .It Cm flow-id Ar labels
1650 .It Cm dst-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1657 .It Cm src-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1678 .Pq Dv non-zero fragment offset .
1683 Empty list of options defaults to matching on non-zero fragment offset.
1719 time-to-live exceeded
1750 .It Cm ipid Ar id-list
1754 .Ar id-list ,
1758 .It Cm iplen Ar len-list
1761 .Ar len-list ,
1835 .It Cm ipttl Ar ttl-list
1837 .Ar ttl-list ,
1844 .It Cm keep-state Op Ar :flowname
1857 .Cm check-state
1869 .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname
1877 .It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid |
1892 .It Cm { MAC | mac } Ar dst-mac src-mac
1894 .Ar dst-mac
1896 .Ar src-mac
1903 .Bl -enum -width indent
1928 .It Cm mac-type Ar mac-type
1931 .Ar mac-type
1934 (i.e., one or more comma-separated single values or ranges).
1939 .Cm -N
1943 .It Cm record-state
1945 .Cm keep-state
1948 .Cm check-state
1950 .Cm keep-state .
2010 .It Cm set-limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N
2014 .Cm check-state
2023 to a non-zero value.
2032 .It Cm src-ip Ar ip-address
2035 .It Cm src-ip6 Ar ip6-address
2038 .It Cm src-port Ar ports
2041 .It Cm tagged Ar tag-list
2043 .Ar tag-list ,
2071 .It Cm tcpdatalen Ar tcpdatalen-list
2073 .Ar tcpdatalen-list ,
2097 a non-zero offset.
2101 .It Cm tcpmss Ar tcpmss-list
2103 .Ar tcpmss-list ,
2111 .It Cm tcpwin Ar tcpwin-list
2113 .Ar tcpwin-list ,
2156 .Dl ip verify unicast reverse-path
2158 This option can be used to make anti-spoofing rules to reject all
2173 .Dl ip verify unicast source reachable-via any
2175 This option can be used to make anti-spoofing rules to reject all
2187 This option can be used to make anti-spoofing rules to reject all
2200 .Ar table-name .
2215 .Bl -tag -width indent
2216 .It Ar table-type : Ar addr | iface | number | flow | mac
2217 .It Ar table-key : Ar addr Ns Oo / Ns Ar masklen Oc | iface-name | number | flow-spec
2218 .It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec
2219 .It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port
2240 Each entry is represented by 32-bit unsigned integer.
2267 .Bl -tag -width indent
2268 .It Ar create-options : Ar create-option | create-options
2269 .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc |
2270 .Cm limit Ar number | Cm locked | Cm missing | Cm or-flush
2283 .It Cm or-flush
2294 .Bl -tag -width indent
2295 .It Ar modify-options : Ar modify-option | modify-options
2296 .It Ar modify-option : Cm limit Ar number
2322 However, non-zero error code is returned in that case.
2327 to indicate all-or-none add request.
2334 However, non-zero error code is returned in that case.
2337 .Ar table-key
2340 .Ar table-key
2349 .Bl -tag -width indent
2357 Shows generic table information and algo-specific data.
2361 .Bl -tag -width indent
2362 .It Ar algo-desc : algo-name | "algo-name algo-data"
2363 .It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash | mac: r…
2371 Separate auto-growing hashes for IPv4 and IPv6.
2378 Mostly optimized for /64 and byte-ranged IPv6 masks.
2385 Auto-growing hash storing flow entries.
2401 .Ar value-mask .
2406 .Bl -tag -width indent
2407 .It Ar value-mask : Ar value-type Ns Op , Ns Ar value-mask
2408 .It Ar value-type : Ar skipto | pipe | fib | nat | dscp | tag | divert |
2475 .Bd -ragged -offset indent
2490 .Bd -ragged -offset indent
2499 .Bd -ragged -offset indent
2503 .Cm to Ar new-set
2507 .Bd -ragged -offset indent
2509 .Cm set swap Ar first-set second-set
2521 .Cm check-state , keep-state , record-state , limit
2523 .Cm set-limit
2528 .Cm keep-state ,
2529 .Cm record-state ,
2532 .Cm set-limit
2539 .Em src-ip/src-port dst-ip/dst-port
2547 .Cm keep-state
2553 .Cm check-state, keep-state
2567 .Dl "ipfw add check-state :OUTBOUND"
2568 .Dl "ipfw add allow tcp from my-subnet to any setup keep-state :OUTBOUND"
2575 .Dl "ipfw add check-state :OUTBOUND"
2576 .Dl "ipfw add allow udp from my-subnet to any keep-state :OUTBOUND"
2609 .Bl -hang -offset XXXX
2628 are first grouped into flows according to a mask on the 5-tuple.
2648 .Bd -literal -offset indent
2650 +---------+ weight Wx +-------------+
2651 | |->-[flow]-->--| |-+
2652 -->--| QUEUE x | ... | | |
2653 | |->-[flow]-->--| SCHEDuler N | |
2654 +---------+ | | |
2655 ... | +--[LINK N]-->--
2656 +---------+ weight Wy | | +--[LINK N]-->--
2657 | |->-[flow]-->--| | |
2658 -->--| QUEUE y | ... | | |
2659 | |->-[flow]-->--| | |
2660 +---------+ +-------------+ |
2661 +-------------+
2671 value of the packet's 5-tuple after applying SCHED_MASK.
2672 As an example, using ``src-ip 0xffffff00'' creates one instance
2678 ``src-ip 0x000000ff''
2723 variable to a non-zero value.
2731 .Bd -ragged -offset indent
2732 .Cm pipe Ar number Cm config Ar pipe-configuration
2734 .Cm queue Ar number Cm config Ar queue-configuration
2736 .Cm sched Ar number Cm config Ar sched-configuration
2741 .Bl -tag -width indent -compact
2765 .It Cm delay Ar ms-delay
2799 of a packet, e.g., because of MAC level framing, contention on
2808 .Bd -literal -offset indent
2812 L +-- loss-level x
2819 +-------*------------------->
2831 .Bl -tag -width indent
2839 .It Cm loss-level Ar L
2862 .Bd -literal -offset indent
2865 loss-level 0.86
2879 .Bl -tag -width indent -compact
2890 The following case-insensitive parameters can be configured for a
2893 .Bl -tag -width indent -compact
2896 .Bl -tag -width indent -compact
2900 FIFO has O(1) per-packet time complexity, with very low
2901 constants (estimate 60-80ns on a 2GHz desktop machine)
2909 WF2Q+ has O(log N) per-packet processing cost, where N is the number
2914 costs (roughly, 100-150ns per packet)
2920 costs (roughly, 200-250ns per packet).
2922 implements the FQ-CoDel (FlowQueue-CoDel) scheduler/AQM algorithm, which
2923 uses a modified Deficit Round Robin scheduler to manage two lists of sub-queues
2924 (old sub-queues and new sub-queues) for providing brief periods of priority to
2926 By default, the total number of sub-queues is 1024.
2927 FQ-CoDel's internal, dynamically
2928 created sub-queues are controlled by separate instances of CoDel AQM.
2930 implements the FQ-PIE (FlowQueue-PIE) scheduler/AQM algorithm, which similar to
2932 but uses per sub-queue PIE AQM instance to control the queue delay.
2948 .Bl -tag -width indent
2966 specifies the total number of flow queues (sub-queues) that fq_*
2968 By default, 1024 sub-queues are created when an instance
2991 .Bl -tag -width XXXX -compact
2992 .It Cm buckets Ar hash-table-size
3001 .It Cm mask Ar mask-specifier
3027 .Cm dst-ip Ar mask ,
3028 .Cm dst-ip6 Ar mask ,
3029 .Cm src-ip Ar mask ,
3030 .Cm src-ip6 Ar mask ,
3031 .Cm dst-port Ar mask ,
3032 .Cm src-port Ar mask ,
3033 .Cm flow-id Ar mask ,
3051 .It Cm plr Ar packet-loss-rate
3055 .Ar packet-loss-rate
3056 is a floating-point number between 0 and 1, with 0 meaning no
3059 When invoked with four arguments, the simple Gilbert-Elliott
3061 .Bd -literal -offset indent
3063 .----------------.
3065 .------------. .------------.
3068 '------------' '------------'
3070 '----------------'
3083 K = 1 - k ; H = 1 - h
3086 quick re-use of loss probability when giving only a single argument.
3104 E.g., 50 max-sized Ethernet packets (1500 bytes) mean 600Kbit
3139 .Bl -tag -width indent
3153 Make use of the CoDel (Controlled-Delay) queue management algorithm.
3176 ECN-enabled TCP flows when queue delay becomes high.
3202 en-queue process, with the aim of achieving high throughput while keeping queue
3219 .Bl -tag -width indent
3240 enable or disable ECN marking for ECN-enabled TCP flows.
3246 enable or disable drop probability de-randomisation.
3247 De-randomisation eliminates
3249 De-randomisation is enabled by default.
3284 Information necessary to route link-local packets to an
3288 Care should be taken to ensure that link-local packets are not passed to
3293 .Bl -bullet
3304 use an auto-recovery script such as the one in
3310 .Bl -bullet
3329 reported as being dropped by rule -1.
3337 .Bd -literal -offset indent
3343 .Bd -literal -offset indent
3367 support in-kernel NAT using the kernel version of
3376 .Bd -ragged -offset indent
3377 .Bk -words
3381 .Ar nat-configuration
3386 .Bl -tag -width indent
3413 .It Cm port_range Ar lower-upper
3417 When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
3429 When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
3435 by port forwarding on the NAT, or tunnelling through an in-between server.
3441 .Bl -tag -width indent
3483 .Bd -ragged -offset indent
3484 .Bk -words
3490 .Ar ip_address [,addr_list] {[port | port-port] [,ports]}
3496 configuration can be done in real-time through the
3509 supports in-kernel IPv6/IPv4 network address and protocol translation.
3510 Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
3513 among several IPv6-only clients.
3553 .Bd -ragged -offset indent
3554 .Bk -words
3558 .Ar create-options
3563 .Bl -tag -width indent
3573 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3578 The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
3647 .It Cm -log
3653 .It Cm -allow_private
3660 .Bd -ragged -offset indent
3661 .Bk -words
3672 it can be configured to pass IPv4 clients to IPv6-only servers.
3675 .Bd -ragged -offset indent
3676 .Bk -words
3680 .Ar create-options
3685 .Bl -tag -width indent
3687 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3702 .It Cm -log
3708 .It Cm -allow_private
3719 XLAT464 CLAT NAT64 translator implements client-side stateless translation as
3722 Instead of lookup tables it uses one-to-one mapping between IPv4 and IPv6
3725 that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet
3726 over IPv6-only networks with help of remote NAT64 translator.
3729 .Bd -ragged -offset indent
3730 .Bk -words
3734 .Ar create-options
3739 .Bl -tag -width indent
3741 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3744 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3751 .It Cm -log
3759 .It Cm -allow_private
3769 .Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
3771 supports in-kernel IPv6-to-IPv6 network prefix translation as described
3780 .Bd -ragged -offset indent
3781 .Bk -words
3785 .Ar create-options
3790 .Bl -tag -width indent
3828 .Bl -tag -width indent
3858 .Bl -tag -width indent
3862 responds to receipt of global OOTB ASCONF-AddIP:
3863 .Bl -tag -width indent
3865 No response (unless a partially matching association exists -
3888 responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets.
3892 and is not an INIT or ASCONF-AddIP packet:
3893 .Bl -tag -width indent
3914 multi-homed local hosts to function with the
3918 ASCONF-AddIP.
3943 SHUTDOWN-COMPLETE.
3947 Timeout value while waiting for (INIT-ACK|AddIP-ACK).
3953 will only be an INIT or ASCONF-AddIP packet.
3962 Level of detail in the system log messages (0 \- minimal, 1 \- event,
3963 2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug).
3967 Timeout value while waiting for SHUTDOWN-COMPLETE.
3974 .Bl -tag -width indent
4015 Defines the default total number of flow queues (sub-queues) that
4056 Defines the default total number of flow queues (sub-queues) that
4101 If set to a non-zero value,
4175 Delta between rule numbers when auto-generating them.
4184 The default rule number (read-only).
4197 (read-only).
4200 .Cm keep-state
4260 .Bl -tag -width indent
4285 sub-options:
4286 .Bl -tag -width indent
4290 with their in-kernel status.
4331 of the address sets and or-blocks and write extremely
4343 going out to vlans 100-1000:
4346 .Dl "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }"
4350 option could be used to do automated anti-spoofing by adding the
4363 option could be used to do similar but more restricted anti-spoofing
4437 .Dl "ipfw add check-state"
4439 .Dl "ipfw add allow tcp from my-net to any setup keep-state"
4446 .Cm check-state ,
4447 .Cm keep-state
4452 .Cm check-state
4458 .Cm record-state
4460 .Cm defer-action
4469 .Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10"
4470 .Dl "ipfw add allow tcp from any to me setup limit src-addr 4"
4478 stateful rules can be subject to denial-of-service attacks
4479 by a SYN-flood which opens a huge number of dynamic rules.
4489 .Dl ipfw -at list
4493 .Dl ipfw -a list
4548 you want to simulate a half-duplex medium (e.g.\& AppleTalk,
4562 Procedure Calls, and where the round-trip-time of the
4571 Per-flow queueing can be useful for a variety of purposes.
4591 on a net with per-host limits, rather than per-network limits:
4595 .Dl "dnctl pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4596 .Dl "dnctl pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4609 .Dl "ipfw table T1 create type addr"
4610 .Dl "ipfw table T1 add 192.168.2.0/24 1"
4611 .Dl "ipfw table T1 add 192.168.0.0/27 4"
4612 .Dl "ipfw table T1 add 192.168.0.2 1"
4614 .Dl "ipfw add pipe tablearg ip from 'table(T1)' to any"
4626 In the following example per-interface firewall is created:
4641 .Dl "ipfw table fl create type flow:src-ip,proto,dst-ip,dst-port"
4663 Here if everything goes well, you press control-C before the "sleep"
4675 .Dl "ipfw -S set 18 show"
4714 .Bd -literal -offset 2n
4725 .Bd -literal -offset 2n
4737 .Cm record-state
4739 .Cm defer-action
4744 .Cm keep-state
4756 .Dl "ipfw add allow record-state defer-action"
4762 .Dl "ipfw add check-state"
4770 .Cm check-state
4772 .Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM
4902 .An Poul-Henning Kamp ,
4906 .An Rasool Al-Saadi .
4908 .An -nosplit
4913 Dummynet has been introduced by Luigi Rizzo in 1997-1998.
4915 Some early work (1999-2000) on the
4925 .An -nosplit
4926 In-kernel NAT support written by
4942 CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet have been implemented by
4946 Rasool Al-Saadi.
4977 Dummynet drops all packets with IPv6 link-local addresses.