Lines Matching +full:cm +full:- +full:name

5 .Sh NAME
8 in-kernel NAT.
17 .Op Cm set Ar N
19 .Op Ar rule | first-last ...
22 .Op Cm set Ar N
26 .Op Cm set Ar N
31 .Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ...
34 .Op Cm rule
35 .Ar number Cm to Ar number
49 .Oo Cm set Ar N Oc Cm table Ar name Cm create Ar create-options
51 .Oo Cm set Ar N Oc Cm table
55 .Oo Cm set Ar N Oc Cm table Ar name Cm modify Ar modify-options
57 .Oo Cm set Ar N Oc Cm table Ar name Cm swap Ar name
59 .Oo Cm set Ar N Oc Cm table Ar name Cm add Ar table-key Op Ar value
61 .Oo Cm set Ar N Oc Cm table Ar name Cm add Op Ar table-key Ar value ...
63 .Oo Cm set Ar N Oc Cm table Ar name Cm atomic add Op Ar table-key Ar value ...
65 .Oo Cm set Ar N Oc Cm table Ar name Cm delete Op Ar table-key ...
67 .Oo Cm set Ar N Oc Cm table Ar name Cm lookup Ar addr
69 .Oo Cm set Ar N Oc Cm table Ar name Cm lock
71 .Oo Cm set Ar N Oc Cm table Ar name Cm unlock
73 .Oo Cm set Ar N Oc Cm table
77 .Oo Cm set Ar N Oc Cm table
81 .Oo Cm set Ar N Oc Cm table
85 .Oo Cm set Ar N Oc Cm table
93 .Ar config-options
99 .Ss IN-KERNEL NAT
105 .Ar config-options
113 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options
115 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options
117 .Oo Cm set Ar N Oc Cm nat64lsn
120 .Op Cm states
122 .Oo Cm set Ar N Oc Cm nat64lsn
126 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm stats Op Cm reset
129 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm create Ar create-options
131 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm config Ar config-options
133 .Oo Cm set Ar N Oc Cm nat64stl
137 .Oo Cm set Ar N Oc Cm nat64stl
141 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm stats Op Cm reset
144 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm create Ar create-options
146 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm config Ar config-options
148 .Oo Cm set Ar N Oc Cm nat64clat
152 .Oo Cm set Ar N Oc Cm nat64clat
156 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm stats Op Cm reset
157 .Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION
159 .Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options
161 .Oo Cm set Ar N Oc Cm nptv6
165 .Oo Cm set Ar N Oc Cm nptv6
169 .Oo Cm set Ar N Oc Cm nptv6 Ar name Cm stats Op Cm reset
183 .Ar preproc-flags
195 in-kernel NAT services.
210 in rule-number order
233 .Cm keep-state ,
234 .Cm record-state ,
237 .Cm set-limit
243 i.e., rules that match packets with the same 5-tuple
248 .Cm check-state ,
249 .Cm keep-state
252 rule, and are typically used to open the firewall on-demand to
255 .Cm keep-state
259 .Cm check-state
261 .Cm record-state
263 .Cm set-limit
265 .Cm check-state .
314 .Bl -tag -width indent
427 name search is performed.
465 .Bd -literal -offset indent
468 +----------->-----------+
475 +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1
518 .Bd -literal -offset indent
556 Keywords are case-sensitive, whereas arguments may
557 or may not be case-sensitive depending on their nature
560 Some arguments (e.g., port or address lists) are comma-separated
567 .Bd -literal -offset indent
568 ipfw -q add deny src-ip 10.0.0.0/24,127.0.0.1/8
569 ipfw -q add deny src-ip 10.0.0.0/24, 127.0.0.1/8
570 ipfw "-q add deny src-ip 10.0.0.0/24, 127.0.0.1/8"
574 .Bd -ragged -offset indent
575 .Bk -words
577 .Op Cm set Ar set_number
578 .Op Cm prob Ar match_probability
580 .Op Cm log Op Cm logamount Ar number
581 .Op Cm altq Ar queue
593 .Bl -tag -width "Source and dest. addresses and ports" -offset XXX -compact
603 By name or address
610 Fragmentation, Hop-by-Hop options,
612 .It IPv6 Flow-ID
635 .Bl -tag -width indent
652 non-default rule number by the value of the sysctl variable
657 non-default value is used instead.
658 .It Cm set Ar set_number
677 .It Cm prob Ar match_probability
684 to simulate the effect of multiple paths leading to out-of-order
689 .Cm keep-state
691 .Cm check-state
694 .It Cm log Op Cm logamount Ar number
707 .Bd -literal -offset indent
715 .Bd -literal -offset indent
738 Once the limit is reached, logging can be re-enabled by
746 .It Cm tag Ar number
755 and to start doing policy-based filtering.
786 .It Cm untag Ar number
794 .It Cm setmark Ar value | tablearg
797 keyword, a 32-bit numeric mark is assigned to the packet.
815 .It Cm altq Ar queue
833 .Cm count Cm altq Ar queue
837 .Cm check-state
839 .Cm keep-state
845 to set up the queues before IPFW will be able to look them up by name,
865 .Bl -tag -width indent
866 .It Cm allow | accept | pass | permit
869 .It Cm check-state Op Ar :flowname | Cm :any
875 .Cm Check-state
878 .Cm check-state
880 .Cm keep-state
886 is a symbolic name assigned to a dynamic rule by
887 .Cm keep-state
894 keyword is a special name used for compatibility with old rulesets.
895 .It Cm count
898 .It Cm deny | drop
901 .It Cm divert Ar port
907 .It Cm fwd | forward Ar ipaddr | tablearg Ns Op , Ns Ar port
908 Change the next-hop on matching packets to
910 which can be an IP address or a host name.
949 .It Cm nat Ar nat_nr | global | tablearg
956 .It Cm nat64lsn Ar name
961 .It Cm nat64stl Ar name
966 .It Cm nat64clat Ar name
967 Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address and
971 .It Cm nptv6 Ar name
972 Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
974 .Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
976 .It Cm pipe Ar pipe_nr
991 .It Cm queue Ar queue_nr
996 .It Cm reject
1000 .It Cm reset
1004 .It Cm reset6
1008 .It Cm skipto Ar number | tablearg
1024 .It Cm call Ar number | tablearg
1060 .It Cm return
1077 command-line utility currently requires every action except
1078 .Cm check-state
1087 .Bd -literal -offset indent
1092 ipfw -c list
1096 .It Cm tee Ar port
1102 .It Cm unreach Ar code Op mtu
1110 .Cm needfrag , srcfail , net-unknown , host-unknown ,
1111 .Cm isolated , net-prohib , host-prohib , tosnet ,
1112 .Cm toshost , filter-prohib , host-precedence
1114 .Cm precedence-cutoff .
1122 .It Cm unreach6 Ar code
1129 .Cm no-route, admin-prohib, address
1133 .It Cm netgraph Ar cookie
1141 .It Cm ngtee Ar cookie
1151 .It Cm setfib Ar fibnum | tablearg
1163 .It Cm setdscp Ar DSCP | number | tablearg
1220 .It Cm tcp-setmss Ar mss
1232 .Cm tcp-setmss
1234 .It Cm reass
1258 Alternatively, direction-based (like
1262 ) and source-based (like
1267 .Bd -literal -offset indent
1273 .It Cm abort
1277 .It Cm abort6
1289 operators -- i.e., all must match in order for the
1298 .Pq Em or-blocks
1320 .Bd -ragged -offset indent
1321 .Op Ar proto Cm from Ar src Cm to Ar dst
1336 .Bl -tag -width indent
1337 .It Ar proto : protocol | Cm { Ar protocol Cm or ... }
1338 .It Ar protocol : Oo Cm not Oc Ar protocol-name | protocol-number
1339 An IP protocol specified by number or name
1343 .Bl -tag -width indent
1344 .It Cm ip4 | ipv4
1346 .It Cm ip6 | ipv6
1348 .It Cm ip | all
1364 .Cm { Ar protocol Cm or ... }
1366 .Em or-block )
1368 .It Ar src No and Ar dst : Bro Cm addr | Cm { Ar addr Cm or ... } Brc Op Oo Cm not Oc Ar ports
1375 .Em ( or-block
1378 .It Ar addr : Oo Cm not Oc Bro
1380 .Cm table Ns Pq Ar name Ns Op , Ns Ar value
1381 .Ar | addr-list | addr-set
1383 .Bl -tag -width indent
1384 .It Cm any
1386 .It Cm me
1388 .It Cm me6
1392 .It Cm table Ns Pq Ar name Ns Op , Ns Ar value
1395 If an optional 32-bit unsigned
1412 .It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list
1413 .It Ar ip-addr :
1415 .Bl -tag -width indent
1416 .It Ar numeric-ip | hostname
1417 Matches a single IPv4 address, specified as dotted-quad or a hostname.
1437 This form is advised only for non-contiguous
1442 error-prone.
1444 .It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm }
1445 .It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list
1467 As an example, an address specified as 1.2.3.4/24{128,35-55,89}
1468 or 1.2.3.0/24{128,35-55,89}
1472 .It Ar addr6-list : ip6-addr Ns Op Ns , Ns Ar addr6-list
1473 .It Ar ip6-addr :
1475 .Bl -tag -width indent
1476 .It Ar numeric-ip | hostname
1503 This form is advised only for non-contiguous
1508 error-prone.
1529 .Em or-block
1537 .Pq Ql -
1538 character in a service name (from a shell, the backslash must be
1542 .Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
1544 Fragmented packets which have a non-zero offset (i.e., not the first
1554 Zero or more of these so-called
1559 .Em or-blocks .
1562 .Bl -tag -width indent
1563 .It Cm // this is a comment .
1566 You can have comment-only rules, which are listed as having a
1569 .It Cm bridged
1572 .It Cm defer-immediate-action | defer-action
1576 .Cm record-state
1578 .Cm keep-state
1582 .Cm record-state
1584 .Cm defer-immediate-action
1589 .It Cm diverted
1591 .It Cm diverted-loopback
1594 .It Cm diverted-output
1597 .It Cm dst-ip Ar ip-address
1600 .It Bro Cm dst-ip6 | dst-ipv6 Brc Ar ip6-address
1603 .It Cm dst-port Ar ports
1606 .It Cm established
1608 .It Cm ext6hdr Ar header
1614 .Pq Cm frag ,
1615 Hop-to-hop options
1616 .Pq Cm hopopt ,
1618 .Pq Cm route ,
1620 .Pq Cm rthdr0 ,
1622 .Pq Cm rthdr2 ,
1624 .Pq Cm dstopt ,
1626 .Pq Cm ah ,
1628 .Pq Cm esp .
1629 .It Cm fib Ar fibnum
1632 .It Cm flow Ar table Ns Pq Ar name Ns Op , Ns Ar value
1634 .Ar name .
1645 .It Cm flow-id Ar labels
1650 .It Cm dst-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1652 .Ar name .
1657 .It Cm src-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1659 .Ar name .
1664 .It Cm frag Ar spec
1678 .Pq Dv non-zero fragment offset .
1683 Empty list of options defaults to matching on non-zero fragment offset.
1687 .It Cm gid Ar group
1692 may be specified by name or number.
1693 .It Cm jail Ar jail
1695 jail whose ID or name is
1697 .It Cm icmptypes Ar types
1706 .Pq Cm 0 ,
1708 .Pq Cm 3 ,
1710 .Pq Cm 4 ,
1712 .Pq Cm 5 ,
1714 .Pq Cm 8 ,
1716 .Pq Cm 9 ,
1718 .Pq Cm 10 ,
1719 time-to-live exceeded
1720 .Pq Cm 11 ,
1722 .Pq Cm 12 ,
1724 .Pq Cm 13 ,
1726 .Pq Cm 14 ,
1728 .Pq Cm 15 ,
1730 .Pq Cm 16 ,
1732 .Pq Cm 17
1734 .Pq Cm 18 .
1735 .It Cm icmp6types Ar types
1741 .It Cm in | out
1750 .It Cm ipid Ar id-list
1754 .Ar id-list ,
1758 .It Cm iplen Ar len-list
1761 .Ar len-list ,
1765 .It Cm ipoptions Ar spec
1782 .It Cm ipprecedence Ar precedence
1785 .It Cm ipsec
1803 .It Cm iptos Ar spec
1824 .It Cm dscp spec Ns Op , Ns Ar spec
1835 .It Cm ipttl Ar ttl-list
1837 .Ar ttl-list ,
1841 .It Cm ipversion Ar ver
1844 .It Cm keep-state Op Ar :flowname
1857 .Cm check-state
1861 keyword is a special name used for compatibility with old rulesets.
1862 .It Cm layer2
1869 .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname
1877 .It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid |
1878 .Cm jail | dscp | mark | rulenum Brc Ar name
1880 .Ar name
1892 .It Cm { MAC | mac } Ar dst-mac src-mac
1894 .Ar dst-mac
1896 .Ar src-mac
1903 .Bl -enum -width indent
1928 .It Cm mac-type Ar mac-type
1931 .Ar mac-type
1934 (i.e., one or more comma-separated single values or ranges).
1939 .Cm -N
1941 .It Cm proto Ar protocol
1943 .It Cm record-state
1945 .Cm keep-state
1948 .Cm check-state
1950 .Cm keep-state .
1951 .It Cm recv | xmit | via Brq Ar ifX | Ar ifmask | Ar table Ns Po Ar name Ns Oo , Ns Ar value Oc Pc …
1953 respectively, the interface specified by exact name
1960 name may be matched against
1970 .Ar name
2010 .It Cm set-limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N
2014 .Cm check-state
2016 .It Cm setup
2020 .It Cm sockarg
2023 to a non-zero value.
2032 .It Cm src-ip Ar ip-address
2035 .It Cm src-ip6 Ar ip6-address
2038 .It Cm src-port Ar ports
2041 .It Cm tagged Ar tag-list
2043 .Ar tag-list ,
2050 .It Cm mark Ar value[:bitmask] | tablearg[:bitmask]
2067 .It Cm tcpack Ar ack
2071 .It Cm tcpdatalen Ar tcpdatalen-list
2073 .Ar tcpdatalen-list ,
2077 .It Cm tcpflags Ar spec
2097 a non-zero offset.
2101 .It Cm tcpmss Ar tcpmss-list
2103 .Ar tcpmss-list ,
2107 .It Cm tcpseq Ar seq
2111 .It Cm tcpwin Ar tcpwin-list
2113 .Ar tcpwin-list ,
2117 .It Cm tcpoptions Ar spec
2137 .It Cm uid Ar user
2142 may be matched by name or identification number.
2143 .It Cm verrevpath
2153 The name and functionality of the option is intentionally similar to
2156 .Dl ip verify unicast reverse-path
2158 This option can be used to make anti-spoofing rules to reject all
2162 .It Cm versrcreach
2170 The name and functionality of the option is intentionally similar to
2173 .Dl ip verify unicast source reachable-via any
2175 This option can be used to make anti-spoofing rules to reject all
2177 .It Cm antispoof
2187 This option can be used to make anti-spoofing rules to reject all
2199 Table name needs to match the following spec:
2200 .Ar table-name .
2201 Tables with the same name can be created in different
2215 .Bl -tag -width indent
2216 .It Ar table-type : Ar addr | iface | number | flow | mac
2217 .It Ar table-key : Ar addr Ns Oo / Ns Ar masklen Oc | iface-name | number | flow-spec
2218 .It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec
2219 .It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port
2220 .It Cm addr
2234 .It Cm iface
2236 Each entry is represented by a string treated as an interface name.
2238 .It Cm number
2240 Each entry is represented by a 32-bit unsigned integer.
2242 .It Cm flow
2246 .It Cm mac
2267 .Bl -tag -width indent
2268 .It Ar create-options : Ar create-option | create-options
2269 .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc |
2270 .Cm limit Ar number | Cm locked | Cm missing | Cm or-flush
2271 .It Cm type
2273 .It Cm valtype
2275 .It Cm algo
2277 .It Cm limit
2279 .It Cm locked
2281 .It Cm missing
2283 .It Cm or-flush
2284 Flush an existing table with the same name instead of returning an error.
2294 .Bl -tag -width indent
2295 .It Ar modify-options : Ar modify-option | modify-options
2296 .It Ar modify-option : Cm limit Ar number
2297 .It Cm limit
2310 .Cm swap Ar name
2322 However, a non-zero error code is returned in that case.
2327 to indicate all-or-none add request.
2334 However, a non-zero error code is returned in that case.
2337 .Ar table-key
2340 .Ar table-key
2349 .Bl -tag -width indent
2350 .It Cm list
2352 .It Cm flush
2354 .It Cm info
2356 .It Cm detail
2357 Shows generic table information and algo-specific data.
2361 .Bl -tag -width indent
2362 .It Ar algo-desc : algo-name | "algo-name algo-data"
2363 .It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash | mac: r…
2364 .It Cm addr: radix
2370 .It Cm addr:hash
2371 Separate auto-growing hashes for IPv4 and IPv6.
2378 Mostly optimized for /64 and byte-ranged IPv6 masks.
2379 .It Cm iface:array
2382 .It Cm number:array
2384 .It Cm flow:hash
2385 Auto-growing hash storing flow entries.
2388 .It Cm mac: radix
2401 .Ar value-mask .
2406 .Bl -tag -width indent
2407 .It Ar value-mask : Ar value-type Ns Op , Ns Ar value-mask
2408 .It Ar value-type : Ar skipto | pipe | fib | nat | dscp | tag | divert |
2410 .It Cm skipto
2412 .It Cm pipe
2414 .It Cm fib
2416 .It Cm nat
2418 .It Cm dscp
2420 .It Cm tag
2422 .It Cm divert
2424 .It Cm netgraph
2426 .It Cm limit
2428 .It Cm ipv4
2430 .It Cm ipv6
2432 .It Cm mark
2475 .Bd -ragged -offset indent
2477 .Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ...
2490 .Bd -ragged -offset indent
2499 .Bd -ragged -offset indent
2503 .Cm to Ar new-set
2507 .Bd -ragged -offset indent
2509 .Cm set swap Ar first-set second-set
2521 .Cm check-state , keep-state , record-state , limit
2523 .Cm set-limit
2528 .Cm keep-state ,
2529 .Cm record-state ,
2532 .Cm set-limit
2539 .Em src-ip/src-port dst-ip/dst-port
2547 .Cm keep-state
2551 This name is used in matching together with addresses, ports and protocol.
2553 .Cm check-state, keep-state
2567 .Dl "ipfw add check-state :OUTBOUND"
2568 .Dl "ipfw add allow tcp from my-subnet to any setup keep-state :OUTBOUND"
2575 .Dl "ipfw add check-state :OUTBOUND"
2576 .Dl "ipfw add allow udp from my-subnet to any keep-state :OUTBOUND"
2609 .Bl -hang -offset XXXX
2628 are first grouped into flows according to a mask on the 5-tuple.
2648 .Bd -literal -offset indent
2650 +---------+ weight Wx +-------------+
2651 | |->-[flow]-->--| |-+
2652 -->--| QUEUE x | ... | | |
2653 | |->-[flow]-->--| SCHEDuler N | |
2654 +---------+ | | |
2655 ... | +--[LINK N]-->--
2656 +---------+ weight Wy | | +--[LINK N]-->--
2657 | |->-[flow]-->--| | |
2658 -->--| QUEUE y | ... | | |
2659 | |->-[flow]-->--| | |
2660 +---------+ +-------------+ |
2661 +-------------+
2671 value of the packet's 5-tuple after applying SCHED_MASK.
2672 As an example, using ``src-ip 0xffffff00'' creates one instance
2678 ``src-ip 0x000000ff''
2723 variable to a non-zero value.
2731 .Bd -ragged -offset indent
2732 .Cm pipe Ar number Cm config Ar pipe-configuration
2734 .Cm queue Ar number Cm config Ar queue-configuration
2736 .Cm sched Ar number Cm config Ar sched-configuration
2741 .Bl -tag -width indent -compact
2742 .It Cm bw Ar bandwidth | device
2745 .Op Cm K | M | G
2754 If a device name is specified instead of a numeric value, as in
2765 .It Cm delay Ar ms-delay
2775 .It Cm burst Ar size
2794 .It Cm profile Ar filename
2808 .Bd -literal -offset indent
2812 L +-- loss-level x
2819 +-------*------------------->
2831 .Bl -tag -width indent
2832 .It Cm name Ar identifier
2833 optional name (listed by "dnctl pipe show")
2835 .It Cm bw Ar value
2839 .It Cm loss-level Ar L
2842 .It Cm samples Ar N
2845 .It Cm "delay prob" | "prob delay"
2862 .Bd -literal -offset indent
2863 name bla_bla_bla
2865 loss-level 0.86
2879 .Bl -tag -width indent -compact
2880 .It Cm pipe Ar pipe_nr
2885 .It Cm weight Ar weight
2890 The following case-insensitive parameters can be configured for a
2893 .Bl -tag -width indent -compact
2894 .It Cm type Ar {fifo | wf2q+ | rr | qfq | fq_codel | fq_pie}
2896 .Bl -tag -width indent -compact
2897 .It Cm fifo
2900 FIFO has O(1) per-packet time complexity, with very low
2901 constants (estimate 60-80ns on a 2GHz desktop machine)
2903 .It Cm wf2q+
2909 WF2Q+ has O(log N) per-packet processing cost, where N is the number
2912 .It Cm rr
2914 costs (roughly, 100-150ns per packet)
2917 .It Cm qfq
2920 costs (roughly, 200-250ns per packet).
2921 .It Cm fq_codel
2922 implements the FQ-CoDel (FlowQueue-CoDel) scheduler/AQM algorithm, which
2923 uses a modified Deficit Round Robin scheduler to manage two lists of sub-queues
2924 (old sub-queues and new sub-queues) for providing brief periods of priority to
2926 By default, the total number of sub-queues is 1024.
2927 FQ-CoDel's internal, dynamically
2928 created sub-queues are controlled by separate instances of CoDel AQM.
2929 .It Cm fq_pie
2930 implements the FQ-PIE (FlowQueue-PIE) scheduler/AQM algorithm, which is similar to
2932 but uses a per-sub-queue PIE AQM instance to control the queue delay.
2948 .Bl -tag -width indent
2949 .It Cm quantum
2957 .It Cm limit
2964 .It Cm flows
2966 specifies the total number of flow queues (sub-queues) that fq_*
2968 By default, 1024 sub-queues are created when an instance
2991 .Bl -tag -width XXXX -compact
2992 .It Cm buckets Ar hash-table-size
3001 .It Cm mask Ar mask-specifier
3027 .Cm dst-ip Ar mask ,
3028 .Cm dst-ip6 Ar mask ,
3029 .Cm src-ip Ar mask ,
3030 .Cm src-ip6 Ar mask ,
3031 .Cm dst-port Ar mask ,
3032 .Cm src-port Ar mask ,
3033 .Cm flow-id Ar mask ,
3040 .It Cm noerror
3051 .It Cm plr Ar packet-loss-rate
3052 .It Cm plr Ar K,p,H,r
3055 .Ar packet-loss-rate
3056 is a floating-point number between 0 and 1, with 0 meaning no
3059 When invoked with four arguments, the simple Gilbert-Elliott
3061 .Bd -literal -offset indent
3063 .----------------.
3065 .------------. .------------.
3068 '------------' '------------'
3070 '----------------'
3083 K = 1 - k ; H = 1 - h
3086 quick re-use of loss probability when giving only a single argument.
3094 .It Cm queue Brq Ar slots | size Ns Cm Kbytes
3104 E.g., 50 max-sized Ethernet packets (1500 bytes) mean 600Kbit
3117 .It Cm red | gred Ar w_q Ns / Ns Ar min_th Ns / Ns Ar max_th Ns / Ns Ar max_p
3139 .Bl -tag -width indent
3151 .It Cm codel Oo Cm target Ar time Oc Oo Cm interval Ar time Oc Oo Cm ecn |
3153 Make use of the CoDel (Controlled-Delay) queue management algorithm.
3176 ECN-enabled TCP flows when queue delay becomes high.
3194 .It Cm pie Oo Cm target Ar time Oc Oo Cm tupdate Ar time Oc Oo
3195 .Cm alpha Ar n Oc Oo Cm beta Ar n Oc Oo Cm max_burst Ar time Oc Oo
3196 .Cm max_ecnth Ar n Oc Oo Cm ecn | Cm noecn Oc Oo Cm capdrop |
3197 .Cm nocapdrop Oc Oo Cm drand | Cm nodrand Oc Oo Cm onoff
3198 .Oc Oo Cm dre | Cm ts Oc
3202 en-queue process, with the aim of achieving high throughput while keeping queue
3219 .Bl -tag -width indent
3220 .It Cm alpha Ar n
3225 .It Cm beta Ar n
3230 .It Cm max_burst Ar time
3234 .It Cm max_ecnth Ar n
3239 .It Cm ecn | noecn
3240 enable or disable ECN marking for ECN-enabled TCP flows.
3242 .It Cm capdrop | nocapdrop
3245 .It Cm drand | nodrand
3246 enable or disable drop probability de-randomisation.
3247 De-randomisation eliminates
3249 De-randomisation is enabled by default.
3250 .It Cm onoff
3256 .It Cm dre | ts
3284 Information necessary to route link-local packets to an
3288 Care should be taken to ensure that link-local packets are not passed to
3293 .Bl -bullet
3304 use an auto-recovery script such as the one in
3310 .Bl -bullet
3329 reported as being dropped by rule -1.
3337 .Bd -literal -offset indent
3343 .Bd -literal -offset indent
3367 support in-kernel NAT using the kernel version of
3376 .Bd -ragged -offset indent
3377 .Bk -words
3381 .Ar nat-configuration
3386 .Bl -tag -width indent
3387 .It Cm ip Ar ip_address
3389 .It Cm if Ar nic
3392 .It Cm log
3394 .It Cm deny_in
3396 .It Cm same_ports
3399 .It Cm unreg_only
3402 .It Cm unreg_cgn
3405 .It Cm reset
3407 .It Cm reverse
3409 .It Cm proxy_only
3411 .It Cm skip_global
3413 .It Cm port_range Ar lower-upper
3416 .It Cm udp_eim
3417 When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
3429 When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
3435 by port forwarding on the NAT, or tunnelling through an in-between server.
3441 .Bl -tag -width indent
3442 .It Cm global
3452 .It Cm tablearg
3483 .Bd -ragged -offset indent
3484 .Bk -words
3490 .Ar ip_address [,addr_list] {[port | port-port] [,ports]}
3496 configuration can be done in real-time through the
3509 supports in-kernel IPv6/IPv4 network address and protocol translation.
3510 Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
3513 among several IPv6-only clients.
3553 .Bd -ragged -offset indent
3554 .Bk -words
3556 .Ar name
3558 .Ar create-options
3563 .Bl -tag -width indent
3564 .It Cm prefix4 Ar ipv4_prefix/plen
3572 .It Cm prefix6 Ar ipv6_prefix/length
3573 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3578 The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
3584 .It Cm states_chunks Ar number
3589 .It Cm host_del_age Ar seconds
3594 .It Cm pg_del_age Ar seconds
3599 .It Cm tcp_syn_age Ar seconds
3606 .It Cm tcp_est_age Ar seconds
3611 .It Cm tcp_close_age Ar seconds
3622 .It Cm udp_age Ar seconds
3627 .It Cm icmp_age Ar seconds
3632 .It Cm log
3647 .It Cm -log
3649 .It Cm allow_private
3653 .It Cm -allow_private
3660 .Bd -ragged -offset indent
3661 .Bk -words
3663 .Ar name
3664 .Cm show Cm states
3672 it can be configured to pass IPv4 clients to IPv6-only servers.
3675 .Bd -ragged -offset indent
3676 .Bk -words
3678 .Ar name
3680 .Ar create-options
3685 .Bl -tag -width indent
3686 .It Cm prefix6 Ar ipv6_prefix/length
3687 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3690 .It Cm table4 Ar table46
3694 .It Cm table6 Ar table64
3698 .It Cm log
3702 .It Cm -log
3704 .It Cm allow_private
3708 .It Cm -allow_private
3719 XLAT464 CLAT NAT64 translator implements client-side stateless translation as
3722 Instead of lookup tables it uses one-to-one mapping between IPv4 and IPv6
3725 that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet
3726 over IPv6-only networks with help of remote NAT64 translator.
3729 .Bd -ragged -offset indent
3730 .Bk -words
3732 .Ar name
3734 .Ar create-options
3739 .Bl -tag -width indent
3740 .It Cm clat_prefix Ar ipv6_prefix/length
3741 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3743 .It Cm plat_prefix Ar ipv6_prefix/length
3744 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3747 .It Cm log
3751 .It Cm -log
3753 .It Cm allow_private
3759 .It Cm -allow_private
3769 .Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
3771 supports in-kernel IPv6-to-IPv6 network prefix translation as described
3780 .Bd -ragged -offset indent
3781 .Bk -words
3783 .Ar name
3785 .Ar create-options
3790 .Bl -tag -width indent
3791 .It Cm int_prefix Ar ipv6_prefix
3794 .It Cm ext_prefix Ar ipv6_prefix
3797 .It Cm ext_if Ar nic
3806 .It Cm prefixlen Ar length
3828 .Bl -tag -width indent
3858 .Bl -tag -width indent
3862 responds to receipt of global OOTB ASCONF-AddIP:
3863 .Bl -tag -width indent
3864 .It Cm 0
3865 No response (unless a partially matching association exists -
3867 .It Cm 1
3888 responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets.
3892 and is not an INIT or ASCONF-AddIP packet:
3893 .Bl -tag -width indent
3894 .It Cm 0
3896 .It Cm 1
3898 .It Cm 2
3904 .It Cm 3
3914 multi-homed local hosts to function with the
3918 ASCONF-AddIP.
3943 SHUTDOWN-COMPLETE.
3947 Timeout value while waiting for (INIT-ACK|AddIP-ACK).
3953 will only be an INIT or ASCONF-AddIP packet.
3962 Level of detail in the system log messages (0 \- minimal, 1 \- event,
3963 2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug).
3967 Timeout value while waiting for SHUTDOWN-COMPLETE.
3974 .Bl -tag -width indent
3975 .It Cm 0
3977 .It Cm >1
4015 Defines the default total number of flow queues (sub-queues) that
4056 Defines the default total number of flow queues (sub-queues) that
4101 If set to a non-zero value,
4175 Delta between rule numbers when auto-generating them.
4184 The default rule number (read-only).
4197 (read-only).
4200 .Cm keep-state
4260 .Bl -tag -width indent
4261 .It Cm 0
4271 .It Cm 1
4285 sub-options:
4286 .Bl -tag -width indent
4287 .It Cm iflist
4290 with their in-kernel status.
4291 .It Cm talist
4331 of the address sets and or-blocks and write extremely
4343 going out to vlans 100-1000:
4346 .Dl "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }"
4350 option could be used to do automated anti-spoofing by adding the
4363 option could be used to do similar but more restricted anti-spoofing
4437 .Dl "ipfw add check-state"
4439 .Dl "ipfw add allow tcp from my-net to any setup keep-state"
4446 .Cm check-state ,
4447 .Cm keep-state
4452 .Cm check-state
4458 .Cm record-state
4460 .Cm defer-action
4469 .Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10"
4470 .Dl "ipfw add allow tcp from any to me setup limit src-addr 4"
4478 stateful rules can be subject to denial-of-service attacks
4479 by a SYN-flood which opens a huge number of dynamic rules.
4489 .Dl ipfw -at list
4493 .Dl ipfw -a list
4548 you want to simulate a half-duplex medium (e.g.\& AppleTalk,
4562 Procedure Calls, and where the round-trip-time of the
4571 Per-flow queueing can be useful for a variety of purposes.
4591 on a net with per-host limits, rather than per-network limits:
4595 .Dl "dnctl pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4596 .Dl "dnctl pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4626 In the following example per-interface firewall is created:
4641 .Dl "ipfw table fl create type flow:src-ip,proto,dst-ip,dst-port"
4663 Here if everything goes well, you press control-C before the "sleep"
4675 .Dl "ipfw -S set 18 show"
4714 .Bd -literal -offset 2n
4725 .Bd -literal -offset 2n
4737 .Cm record-state
4739 .Cm defer-action
4744 .Cm keep-state
4756 .Dl "ipfw add allow record-state defer-action"
4762 .Dl "ipfw add check-state"
4770 .Cm check-state
4772 .Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM
4902 .An Poul-Henning Kamp ,
4906 .An Rasool Al-Saadi .
4908 .An -nosplit
4913 Dummynet has been introduced by Luigi Rizzo in 1997-1998.
4915 Some early work (1999-2000) on the
4925 .An -nosplit
4926 In-kernel NAT support written by
4942 CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet have been implemented by
4946 Rasool Al-Saadi.
4966 The packet source interface name
4977 Dummynet drops all packets with IPv6 link-local addresses.