Lines Matching +full:atomic +full:- +full:threshold +full:- +full:us
8 in-kernel NAT.\&
19 .Op Ar rule | first-last ...
49 .Oo Cm set Ar N Oc Cm table Ar name Cm create Ar create-options
55 .Oo Cm set Ar N Oc Cm table Ar name Cm modify Ar modify-options
59 .Oo Cm set Ar N Oc Cm table Ar name Cm add Ar table-key Op Ar value
61 .Oo Cm set Ar N Oc Cm table Ar name Cm add Op Ar table-key Ar value ...
63 .Oo Cm set Ar N Oc Cm table Ar name Cm atomic add Op Ar table-key Ar value ...
65 .Oo Cm set Ar N Oc Cm table Ar name Cm delete Op Ar table-key ...
93 .Ar config-options
99 .Ss IN-KERNEL NAT
105 .Ar config-options
113 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options
115 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options
129 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm create Ar create-options
131 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm config Ar config-options
144 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm create Ar create-options
146 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm config Ar config-options
157 .Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION
159 .Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options
174 .Cm internal monitor Op Ar filter-comment
185 .Ar preproc-flags
197 in-kernel NAT services.
212 in rule-number order
235 .Cm keep-state ,
236 .Cm record-state ,
239 .Cm set-limit
245 i.e., rules that match packets with the same 5-tuple
250 .Cm check-state ,
251 .Cm keep-state
254 rule, and are typically used to open the firewall on-demand to
257 .Cm keep-state
261 .Cm check-state
263 .Cm record-state
265 .Cm set-limit
267 .Cm check-state .
316 .Bl -tag -width indent
467 .Bd -literal -offset indent
470 +----------->-----------+
477 +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1
520 .Bd -literal -offset indent
558 Keywords are case-sensitive, whereas arguments may
559 or may not be case-sensitive depending on their nature
562 Some arguments (e.g., port or address lists) are comma-separated
569 .Bd -literal -offset indent
570 ipfw -q add deny src-ip 10.0.0.0/24,127.0.0.1/8
571 ipfw -q add deny src-ip 10.0.0.0/24, 127.0.0.1/8
572 ipfw "-q add deny src-ip 10.0.0.0/24, 127.0.0.1/8"
576 .Bd -ragged -offset indent
577 .Bk -words
595 .Bl -tag -width "Source and dest. addresses and ports" -offset XXX -compact
612 Fragmentation, Hop-by-Hop options,
614 .It IPv6 Flow-ID
637 .Bl -tag -width indent
654 non-default rule number by the value of the sysctl variable
659 non-default value is used instead.
665 is of fundamental importance for atomic ruleset manipulation.
686 to simulate the effect of multiple paths leading to out-of-order
691 .Cm keep-state
693 .Cm check-state
700 Unless per-rule log destination is specified by
711 .Bd -literal -offset indent
719 .Bd -literal -offset indent
742 Once the limit is reached, logging can be re-enabled by
754 is a comma-separated list of log destinations for logging
757 .Bl -tag -width indent
782 .Bd -ragged -offset indent
800 and to start doing policy-based filtering.
842 keyword, a 32-bit numeric mark is assigned to the packet.
882 .Cm check-state
884 .Cm keep-state
910 .Bl -tag -width indent
914 .It Cm check-state Op Ar :flowname | Cm :any
920 .Cm Check-state
923 .Cm check-state
925 .Cm keep-state
932 .Cm keep-state
953 Change the next-hop on matching packets to
1012 Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address
1017 Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
1019 .Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)\&
1122 command-line utility currently requires every action except
1123 .Cm check-state
1132 .Bd -literal -offset indent
1137 ipfw -c list
1155 .Cm needfrag , srcfail , net-unknown , host-unknown ,
1156 .Cm isolated , net-prohib , host-prohib , tosnet ,
1157 .Cm toshost , filter-prohib , host-precedence
1159 .Cm precedence-cutoff .
1174 .Cm no-route, admin-prohib, address
1265 .It Cm tcp-setmss Ar mss
1277 .Cm tcp-setmss
1303 Alternatively, direction-based (like
1307 ) and source-based (like
1312 .Bd -literal -offset indent
1343 .Pq Em or-blocks
1365 .Bd -ragged -offset indent
1381 .Bl -tag -width indent
1383 .It Ar protocol : Oo Cm not Oc Ar protocol-name | protocol-number
1388 .Bl -tag -width indent
1411 .Em or-block )
1420 .Em ( or-block
1426 .Ar | addr-list | addr-set
1428 .Bl -tag -width indent
1440 If an optional 32-bit unsigned
1457 .It Ar addr-list : ip-addr Ns Op , Ns Ar addr-list
1458 .It Ar ip-addr :
1460 .Bl -tag -width indent
1461 .It Ar numeric-ip | hostname
1462 Matches a single IPv4 address, specified as dotted-quad or a hostname.
1482 This form is advised only for non-contiguous
1487 error-prone.
1489 .It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm }
1490 .It Ar list : Bro Ar num | num-num Brc Ns Op , Ns Ar list
1512 As an example, an address specified as 1.2.3.4/24{128,35-55,89}
1513 or 1.2.3.0/24{128,35-55,89}
1517 .It Ar addr6-list : ip6-addr Ns Op , Ns Ar addr6-list
1518 .It Ar ip6-addr :
1520 .Bl -tag -width indent
1521 .It Ar numeric-ip | hostname
1548 This form is advised only for non-contiguous
1553 error-prone.
1574 .Em or-block
1582 .Pq Ql -
1587 .Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
1589 Fragmented packets which have a non-zero offset (i.e., not the first
1599 Zero or more of these so-called
1604 .Em or-blocks .
1607 .Bl -tag -width indent
1611 You can have comment-only rules, which are listed as having a
1617 .It Cm defer-immediate-action | defer-action
1621 .Cm record-state
1623 .Cm keep-state
1627 .Cm record-state
1629 .Cm defer-immediate-action
1636 .It Cm diverted-loopback
1639 .It Cm diverted-output
1642 .It Cm dst-ip Ar ip-address
1645 .It Bro Cm dst-ip6 | dst-ipv6 Brc Ar ip6-address
1648 .It Cm dst-port Ar ports
1660 Hop-to-hop options
1690 .It Cm flow-id Ar labels
1695 .It Cm dst-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1702 .It Cm src-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1723 .Pq Dv non-zero fragment offset .
1728 Empty list of options defaults to matching on non-zero fragment offset.
1764 time-to-live exceeded
1795 .It Cm ipid Ar id-list
1799 .Ar id-list ,
1803 .It Cm iplen Ar len-list
1806 .Ar len-list ,
1880 .It Cm ipttl Ar ttl-list
1882 .Ar ttl-list ,
1889 .It Cm keep-state Op Ar :flowname
1902 .Cm check-state
1914 .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname
1922 .It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid |
1937 .It Cm { MAC | mac } Ar dst-mac src-mac
1939 .Ar dst-mac
1941 .Ar src-mac
1948 .Bl -enum -width indent
1973 .It Cm mac-type Ar mac-type
1976 .Ar mac-type
1979 (i.e., one or more comma-separated single values or ranges).
1984 .Cm -N
1988 .It Cm record-state
1990 .Cm keep-state
1993 .Cm check-state
1995 .Cm keep-state .
2055 .It Cm set-limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N
2059 .Cm check-state
2068 to a non-zero value.
2077 .It Cm src-ip Ar ip-address
2080 .It Cm src-ip6 Ar ip6-address
2083 .It Cm src-port Ar ports
2086 .It Cm tagged Ar tag-list
2088 .Ar tag-list ,
2116 .It Cm tcpdatalen Ar tcpdatalen-list
2118 .Ar tcpdatalen-list ,
2142 a non-zero offset.
2146 .It Cm tcpmss Ar tcpmss-list
2148 .Ar tcpmss-list ,
2156 .It Cm tcpwin Ar tcpwin-list
2158 .Ar tcpwin-list ,
2201 .Dl ip verify unicast reverse-path
2203 This option can be used to make anti-spoofing rules to reject all
2218 .Dl ip verify unicast source reachable-via any
2220 This option can be used to make anti-spoofing rules to reject all
2232 This option can be used to make anti-spoofing rules to reject all
2245 .Ar table-name .
2260 .Bl -tag -width indent
2261 .It Ar table-type : Ar addr | iface | number | flow | mac
2262 .It Ar table-key : Ar addr Ns Oo / Ns Ar masklen Oc | iface-name | number | flow-spec
2263 .It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec
2264 .It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port
2285 Each entry is represented by a 32-bit unsigned integer.
2312 .Bl -tag -width indent
2313 .It Ar create-options : Ar create-option | create-options
2314 .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc |
2315 .Cm limit Ar number | Cm locked | Cm missing | Cm or-flush
2328 .It Cm or-flush
2339 .Bl -tag -width indent
2340 .It Ar modify-options : Ar modify-option | modify-options
2341 .It Ar modify-option : Cm limit Ar number
2367 However, a non-zero error code is returned in that case.
2369 .Cm atomic
2372 to indicate all-or-none add request.
2379 However, a non-zero error code is returned in that case.
2382 .Ar table-key
2385 .Ar table-key
2394 .Bl -tag -width indent
2402 Shows generic table information and algo-specific data.
2406 .Bl -tag -width indent
2407 .It Ar algo-desc : algo-name | "algo-name algo-data"
2408 .It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash | mac: r…
2416 Separate auto-growing hashes for IPv4 and IPv6.
2423 Mostly optimized for /64 and byte-ranged IPv6 masks.
2430 Auto-growing hash storing flow entries.
2446 .Ar value-mask .
2451 .Bl -tag -width indent
2452 .It Ar value-mask : Ar value-type Ns Op , Ns Ar value-mask
2453 .It Ar value-type : Ar skipto | pipe | fib | nat | dscp | tag | divert |
2520 .Bd -ragged -offset indent
2530 Command execution is atomic on all the sets specified in the command.
2535 .Bd -ragged -offset indent
2544 .Bd -ragged -offset indent
2548 .Cm to Ar new-set
2552 .Bd -ragged -offset indent
2554 .Cm set swap Ar first-set second-set
2566 .Cm check-state , keep-state , record-state , limit
2568 .Cm set-limit
2573 .Cm keep-state ,
2574 .Cm record-state ,
2577 .Cm set-limit
2584 .Em src-ip/src-port dst-ip/dst-port
2592 .Cm keep-state
2598 .Cm check-state, keep-state
2612 .Dl "ipfw add check-state :OUTBOUND"
2613 .Dl "ipfw add allow tcp from my-subnet to any setup keep-state :OUTBOUND"
2620 .Dl "ipfw add check-state :OUTBOUND"
2621 .Dl "ipfw add allow udp from my-subnet to any keep-state :OUTBOUND"
2654 .Bl -hang -offset XXXX
2673 are first grouped into flows according to a mask on the 5-tuple.
2693 .Bd -literal -offset indent
2695 +---------+ weight Wx +-------------+
2696 | |->-[flow]-->--| |-+
2697 -->--| QUEUE x | ... | | |
2698 | |->-[flow]-->--| SCHEDuler N | |
2699 +---------+ | | |
2700 ... | +--[LINK N]-->--
2701 +---------+ weight Wy | | +--[LINK N]-->--
2702 | |->-[flow]-->--| | |
2703 -->--| QUEUE y | ... | | |
2704 | |->-[flow]-->--| | |
2705 +---------+ +-------------+ |
2706 +-------------+
2716 value of the packet's 5-tuple after applying SCHED_MASK.
2717 As an example, using ``src-ip 0xffffff00'' creates one instance
2723 ``src-ip 0x000000ff''
2768 variable to a non-zero value.
2776 .Bd -ragged -offset indent
2777 .Cm pipe Ar number Cm config Ar pipe-configuration
2779 .Cm queue Ar number Cm config Ar queue-configuration
2781 .Cm sched Ar number Cm config Ar sched-configuration
2786 .Bl -tag -width indent -compact
2810 .It Cm delay Ar ms-delay
2853 .Bd -literal -offset indent
2857 L +-- loss-level x
2864 +-------*------------------->
2876 .Bl -tag -width indent
2884 .It Cm loss-level Ar L
2907 .Bd -literal -offset indent
2910 loss-level 0.86
2924 .Bl -tag -width indent -compact
2935 The following case-insensitive parameters can be configured for a
2938 .Bl -tag -width indent -compact
2941 .Bl -tag -width indent -compact
2945 FIFO has O(1) per-packet time complexity, with very low
2946 constants (estimate 60-80ns on a 2GHz desktop machine)
2954 WF2Q+ has O(log N) per-packet processing cost, where N is the number
2959 costs (roughly, 100-150ns per packet)
2965 costs (roughly, 200-250ns per packet).
2967 implements the FQ-CoDel (FlowQueue-CoDel) scheduler/AQM algorithm, which
2968 uses a modified Deficit Round Robin scheduler to manage two lists of sub-queues
2969 (old sub-queues and new sub-queues) for providing brief periods of priority to
2971 By default, the total number of sub-queues is 1024.
2972 FQ-CoDel's internal, dynamically
2973 created sub-queues are controlled by separate instances of CoDel AQM.
2975 implements the FQ-PIE (FlowQueue-PIE) scheduler/AQM algorithm, which is similar to
2977 but uses a per-sub-queue PIE AQM instance to control the queue delay.
2993 .Bl -tag -width indent
3011 specifies the total number of flow queues (sub-queues) that fq_*
3013 By default, 1024 sub-queues are created when an instance
3036 .Bl -tag -width XXXX -compact
3037 .It Cm buckets Ar hash-table-size
3046 .It Cm mask Ar mask-specifier
3072 .Cm dst-ip Ar mask ,
3073 .Cm dst-ip6 Ar mask ,
3074 .Cm src-ip Ar mask ,
3075 .Cm src-ip6 Ar mask ,
3076 .Cm dst-port Ar mask ,
3077 .Cm src-port Ar mask ,
3078 .Cm flow-id Ar mask ,
3096 .It Cm plr Ar packet-loss-rate
3100 .Ar packet-loss-rate
3101 is a floating-point number between 0 and 1, with 0 meaning no
3104 When invoked with four arguments, the simple Gilbert-Elliott
3106 .Bd -literal -offset indent
3108 .----------------.
3110 .------------. .------------.
3113 '------------' '------------'
3115 '----------------'
3128 K = 1 - k ; H = 1 - h
3131 quick re-use of loss probability when giving only a single argument.
3149 E.g., 50 max-sized Ethernet packets (1500 bytes) mean 600Kbit
3184 .Bl -tag -width indent
3198 Make use of the CoDel (Controlled-Delay) queue management algorithm.
3201 microseconds (us) can be specified instead.
3221 ECN-enabled TCP flows when queue delay becomes high.
3247 en-queue process, with the aim of achieving high throughput while keeping queue
3262 microseconds (us) can be specified instead.
3264 .Bl -tag -width indent
3281 probability becomes higher than ECN probability threshold
3285 enable or disable ECN marking for ECN-enabled TCP flows.
3291 enable or disable drop probability de-randomisation.
3292 De-randomisation eliminates
3294 De-randomisation is enabled by default.
3329 Information necessary to route link-local packets to an
3333 Care should be taken to ensure that link-local packets are not passed to
3338 .Bl -bullet
3349 use an auto-recovery script such as the one in
3355 .Bl -bullet
3374 reported as being dropped by rule -1.
3382 .Bd -literal -offset indent
3388 .Bd -literal -offset indent
3412 support in-kernel NAT using the kernel version of
3421 .Bd -ragged -offset indent
3422 .Bk -words
3426 .Ar nat-configuration
3431 .Bl -tag -width indent
3458 .It Cm port_range Ar lower-upper
3462 When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
3474 When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
3480 by port forwarding on the NAT, or tunnelling through an in-between server.
3486 .Bl -tag -width indent
3528 .Bd -ragged -offset indent
3529 .Bk -words
3535 .Ar ip_address [,addr_list] {[port | port-port] [,ports]}
3541 configuration can be done in real-time through the
3554 supports in-kernel IPv6/IPv4 network address and protocol translation.
3555 Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
3558 among several IPv6-only clients.
3598 .Bd -ragged -offset indent
3599 .Bk -words
3603 .Ar create-options
3608 .Bl -tag -width indent
3618 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3623 The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
3693 .It Cm -log
3699 .It Cm -allow_private
3706 .Bd -ragged -offset indent
3707 .Bk -words
3718 it can be configured to pass IPv4 clients to IPv6-only servers.
3721 .Bd -ragged -offset indent
3722 .Bk -words
3726 .Ar create-options
3731 .Bl -tag -width indent
3733 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3748 .It Cm -log
3754 .It Cm -allow_private
3765 XLAT464 CLAT NAT64 translator implements client-side stateless translation as
3768 Instead of lookup tables it uses a one-to-one mapping between IPv4 and IPv6
3771 that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet
3772 over IPv6-only networks with the help of a remote NAT64 translator.
3775 .Bd -ragged -offset indent
3776 .Bk -words
3780 .Ar create-options
3785 .Bl -tag -width indent
3787 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3790 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3797 .It Cm -log
3805 .It Cm -allow_private
3815 .Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
3817 supports in-kernel IPv6-to-IPv6 network prefix translation as described
3826 .Bd -ragged -offset indent
3827 .Bk -words
3831 .Ar create-options
3836 .Bl -tag -width indent
3874 .Bl -tag -width indent
3904 .Bl -tag -width indent
3908 responds to receipt of global OOTB ASCONF-AddIP:
3909 .Bl -tag -width indent
3911 No response (unless a partially matching association exists -
3934 responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets.
3938 and is not an INIT or ASCONF-AddIP packet:
3939 .Bl -tag -width indent
3960 multi-homed local hosts to function with the
3964 ASCONF-AddIP.
3989 SHUTDOWN-COMPLETE.
3993 Timeout value while waiting for (INIT-ACK|AddIP-ACK).
3999 will only be an INIT or ASCONF-AddIP packet.
4008 Level of detail in the system log messages (0 \- minimal, 1 \- event,
4009 2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug).
4013 Timeout value while waiting for SHUTDOWN-COMPLETE.
4020 .Bl -tag -width indent
4059 the pipes/queues will only be deleted when the threshold is reached.
4061 Defines the default total number of flow queues (sub-queues) that
4102 Defines the default total number of flow queues (sub-queues) that
4118 The default maximum ECN probability threshold (scaled by 1000) for
4147 If set to a non-zero value,
4167 is used to determine the threshold over which empty pipes/queues
4195 The default maximum ECN probability threshold (scaled by 1000) for
4221 Delta between rule numbers when auto-generating them.
4230 The default rule number (read-only).
4243 (read-only).
4246 .Cm keep-state
4306 .Bl -tag -width indent
4331 sub-options:
4332 .Bl -tag -width indent
4336 with their in-kernel status.
4337 .It Cm monitor Op Ar filter-comment
4343 .Ar filter-comment
4386 of the address sets and or-blocks and write extremely
4398 going out to vlans 100-1000:
4401 .Dl "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }"
4405 option could be used to do automated anti-spoofing by adding the
4418 option could be used to do similar but more restricted anti-spoofing
4492 .Dl "ipfw add check-state"
4494 .Dl "ipfw add allow tcp from my-net to any setup keep-state"
4501 .Cm check-state ,
4502 .Cm keep-state
4507 .Cm check-state
4513 .Cm record-state
4515 .Cm defer-action
4524 .Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10"
4525 .Dl "ipfw add allow tcp from any to me setup limit src-addr 4"
4533 stateful rules can be subject to denial-of-service attacks
4534 by a SYN-flood which opens a huge number of dynamic rules.
4544 .Dl ipfw -at list
4548 .Dl ipfw -a list
4603 you want to simulate a half-duplex medium (e.g.\& AppleTalk,
4617 Procedure Calls, and where the round-trip-time of the
4626 Per-flow queueing can be useful for a variety of purposes.
4646 on a net with per-host limits, rather than per-network limits:
4650 .Dl "dnctl pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4651 .Dl "dnctl pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4681 In the following example per-interface firewall is created:
4696 .Dl "ipfw table fl create type flow:src-ip,proto,dst-ip,dst-port"
4718 Here if everything goes well, you press control-C before the "sleep"
4730 .Dl "ipfw -S set 18 show"
4769 .Bd -literal -offset 2n
4780 .Bd -literal -offset 2n
4792 .Cm record-state
4794 .Cm defer-action
4799 .Cm keep-state
4811 .Dl "ipfw add allow record-state defer-action"
4817 .Dl "ipfw add check-state"
4825 .Cm check-state
4827 .Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM
4957 .An Poul-Henning Kamp ,
4961 .An Rasool Al-Saadi .
4963 .An -nosplit
4968 Dummynet was introduced by Luigi Rizzo in 1997-1998.
4970 Some early work (1999-2000) on the
4980 .An -nosplit
4981 In-kernel NAT support written by
4997 CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet have been implemented by
5001 Rasool Al-Saadi.
5032 Dummynet drops all packets with IPv6 link-local addresses.