Lines Matching +full:lookup +full:- +full:table
8 in-kernel NAT.
19 .Op Ar rule | first-last ...
47 .Ss LOOKUP TABLES
49 .Oo Cm set Ar N Oc Cm table Ar name Cm create Ar create-options
51 .Oo Cm set Ar N Oc Cm table
55 .Oo Cm set Ar N Oc Cm table Ar name Cm modify Ar modify-options
57 .Oo Cm set Ar N Oc Cm table Ar name Cm swap Ar name
59 .Oo Cm set Ar N Oc Cm table Ar name Cm add Ar table-key Op Ar value
61 .Oo Cm set Ar N Oc Cm table Ar name Cm add Op Ar table-key Ar value ...
63 .Oo Cm set Ar N Oc Cm table Ar name Cm atomic add Op Ar table-key Ar value ...
65 .Oo Cm set Ar N Oc Cm table Ar name Cm delete Op Ar table-key ...
67 .Oo Cm set Ar N Oc Cm table Ar name Cm lookup Ar addr
69 .Oo Cm set Ar N Oc Cm table Ar name Cm lock
71 .Oo Cm set Ar N Oc Cm table Ar name Cm unlock
73 .Oo Cm set Ar N Oc Cm table
77 .Oo Cm set Ar N Oc Cm table
81 .Oo Cm set Ar N Oc Cm table
85 .Oo Cm set Ar N Oc Cm table
93 .Ar config-options
99 .Ss IN-KERNEL NAT
105 .Ar config-options
113 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options
115 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options
129 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm create Ar create-options
131 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm config Ar config-options
144 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm create Ar create-options
146 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm config Ar config-options
157 .Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION
159 .Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options
183 .Ar preproc-flags
195 in-kernel NAT services.
210 in rule-number order
233 .Cm keep-state ,
234 .Cm record-state ,
237 .Cm set-limit
243 i.e., rules that match packets with the same 5-tuple
248 .Cm check-state ,
249 .Cm keep-state
252 rule, and are typically used to open the firewall on-demand to
255 .Cm keep-state
259 .Cm check-state
261 .Cm record-state
263 .Cm set-limit
265 .Cm check-state .
314 .Bl -tag -width indent
344 When listing a table (see the
345 .Sx LOOKUP TABLES
346 section below for more information on lookup tables), format values
373 It also stops a table add or delete
465 .Bd -literal -offset indent
468 +----------->-----------+
475 +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1
518 .Bd -literal -offset indent
556 Keywords are case-sensitive, whereas arguments may
557 or may not be case-sensitive depending on their nature
560 Some arguments (e.g., port or address lists) are comma-separated
567 .Bd -literal -offset indent
568 ipfw -q add deny src-ip 10.0.0.0/24,127.0.0.1/8
569 ipfw -q add deny src-ip 10.0.0.0/24, 127.0.0.1/8
570 ipfw "-q add deny src-ip 10.0.0.0/24, 127.0.0.1/8"
574 .Bd -ragged -offset indent
575 .Bk -words
593 .Bl -tag -width "Source and dest. addresses and ports" -offset XXX -compact
610 Fragmentation, Hop-by-Hop options,
612 .It IPv6 Flow-ID
628 Whether a packet has been tagged for using a specific FIB (routing table)
635 .Bl -tag -width indent
652 non-default rule number by the value of the sysctl variable
657 non-default value is used instead.
684 to simulate the effect of multiple paths leading to out-of-order
689 .Cm keep-state
691 .Cm check-state
707 .Bd -literal -offset indent
715 .Bd -literal -offset indent
738 Once the limit is reached, logging can be re-enabled by
755 and to start doing policy-based filtering.
797 keyword, a 32-bit numeric mark is assigned to the packet.
801 Unlike tags, mark can be matched as a lookup table key or compared with bitwise
837 .Cm check-state
839 .Cm keep-state
865 .Bl -tag -width indent
869 .It Cm check-state Op Ar :flowname | Cm :any
875 .Cm Check-state
878 .Cm check-state
880 .Cm keep-state
887 .Cm keep-state
908 Change the next-hop on matching packets to
911 The next hop can also be supplied by the last table
929 the local routing table for that IP.
967 Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address and
972 Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
974 .Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
1077 command-line utility currently requires every action except
1078 .Cm check-state
1087 .Bd -literal -offset indent
1092 ipfw -c list
1110 .Cm needfrag , srcfail , net-unknown , host-unknown ,
1111 .Cm isolated , net-prohib , host-prohib , tosnet ,
1112 .Cm toshost , filter-prohib , host-precedence
1114 .Cm precedence-cutoff .
1129 .Cm no-route, admin-prohib, address
1152 The packet is tagged so as to use the FIB (routing table)
1220 .It Cm tcp-setmss Ar mss
1232 .Cm tcp-setmss
1258 Alternatively, direction-based (like
1262 ) and source-based (like
1267 .Bd -literal -offset indent
1289 operators -- i.e., all must match in order for the
1298 .Pq Em or-blocks
1320 .Bd -ragged -offset indent
1336 .Bl -tag -width indent
1338 .It Ar protocol : Oo Cm not Oc Ar protocol-name | protocol-number
1343 .Bl -tag -width indent
1366 .Em or-block )
1375 .Em ( or-block
1380 .Cm table Ns Pq Ar name Ns Op , Ns Ar value
1381 .Ar | addr-list | addr-set
1383 .Bl -tag -width indent
1392 .It Cm table Ns Pq Ar name Ns Op , Ns Ar value
1393 Matches any IPv4 or IPv6 address for which an entry exists in the lookup table
1395 If an optional 32-bit unsigned
1399 .Sx LOOKUP TABLES
1400 section below for more information on lookup tables.
1402 .It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list
1403 .It Ar ip-addr :
1405 .Bl -tag -width indent
1406 .It Ar numeric-ip | hostname
1407 Matches a single IPv4 address, specified as dotted-quad or a hostname.
1427 This form is advised only for non-contiguous
1432 error-prone.
1434 .It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm }
1435 .It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list
1457 As an example, an address specified as 1.2.3.4/24{128,35-55,89}
1458 or 1.2.3.0/24{128,35-55,89}
1462 .It Ar addr6-list : ip6-addr Ns Op Ns , Ns Ar addr6-list
1463 .It Ar ip6-addr :
1465 .Bl -tag -width indent
1466 .It Ar numeric-ip | hostname
1493 This form is advised only for non-contiguous
1498 error-prone.
1519 .Em or-block
1527 .Pq Ql -
1532 .Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
1534 Fragmented packets which have a non-zero offset (i.e., not the first
1544 Zero or more of these so-called
1549 .Em or-blocks .
1552 .Bl -tag -width indent
1556 You can have comment-only rules, which are listed as having a
1562 .It Cm defer-immediate-action | defer-action
1566 .Cm record-state
1568 .Cm keep-state
1572 .Cm record-state
1574 .Cm defer-immediate-action
1577 When the rule is later activated via the state table, the action is
1581 .It Cm diverted-loopback
1584 .It Cm diverted-output
1587 .It Cm dst-ip Ar ip-address
1590 .It Bro Cm dst-ip6 | dst-ipv6 Brc Ar ip6-address
1593 .It Cm dst-port Ar ports
1605 Hop-to-hop options
1621 the given FIB (routing table) number.
1622 .It Cm flow Ar table Ns Pq Ar name Ns Op , Ns Ar value
1623 Search for the flow entry in lookup table
1628 is set to the value extracted from the table.
1633 .Sx LOOKUP TABLES
1634 section below for more information on lookup tables.
1635 .It Cm flow-id Ar labels
1640 .It Cm dst-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1641 Search for the destination MAC address entry in lookup table
1646 is set to the value extracted from the table.
1647 .It Cm src-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1648 Search for the source MAC address entry in lookup table
1653 is set to the value extracted from the table.
1668 .Pq Dv non-zero fragment offset .
1673 Empty list of options defaults to matching on non-zero fragment offset.
1709 time-to-live exceeded
1740 .It Cm ipid Ar id-list
1744 .Ar id-list ,
1748 .It Cm iplen Ar len-list
1751 .Ar len-list ,
1825 .It Cm ipttl Ar ttl-list
1827 .Ar ttl-list ,
1834 .It Cm keep-state Op Ar :flowname
1847 .Cm check-state
1859 .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname
1867 .It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid |
1869 Search an entry in lookup table
1875 is set to the value extracted from the table.
1880 .Sx LOOKUP TABLES
1881 section below for more information on lookup tables.
1882 .It Cm { MAC | mac } Ar dst-mac src-mac
1884 .Ar dst-mac
1886 .Ar src-mac
1893 .Bl -enum -width indent
1918 .It Cm mac-type Ar mac-type
1921 .Ar mac-type
1924 (i.e., one or more comma-separated single values or ranges).
1929 .Cm -N
1933 .It Cm record-state
1935 .Cm keep-state
1938 .Cm check-state
1940 .Cm keep-state .
1941 .It Cm recv | xmit | via Brq Ar ifX | Ar ifmask | Ar table Ns Po Ar name Ns Oo , Ns Ar value Oc Pc …
1959 Table
1963 .Sx LOOKUP TABLES
1964 section below for more information on lookup tables.
2000 .It Cm set-limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N
2004 .Cm check-state
2013 to a non-zero value.
2022 .It Cm src-ip Ar ip-address
2025 .It Cm src-ip6 Ar ip6-address
2028 .It Cm src-port Ar ports
2031 .It Cm tagged Ar tag-list
2033 .Ar tag-list ,
2049 to match a value supplied by the last table lookup.
2061 .It Cm tcpdatalen Ar tcpdatalen-list
2063 .Ar tcpdatalen-list ,
2087 a non-zero offset.
2091 .It Cm tcpmss Ar tcpmss-list
2093 .Ar tcpmss-list ,
2101 .It Cm tcpwin Ar tcpwin-list
2103 .Ar tcpwin-list ,
2135 a routing table lookup is done on the packet's source address.
2146 .Dl ip verify unicast reverse-path
2148 This option can be used to make anti-spoofing rules to reject all
2154 a routing table lookup is done on the packet's source address.
2163 .Dl ip verify unicast source reachable-via any
2165 This option can be used to make anti-spoofing rules to reject all
2177 This option can be used to make anti-spoofing rules to reject all
2185 .Sh LOOKUP TABLES
2186 Lookup tables are useful to handle large sparse sets of
2189 The table name must match the following spec:
2190 .Ar table-name .
2202 There may be up to 65535 different lookup tables.
2204 The following table types are supported:
2205 .Bl -tag -width indent
2206 .It Ar table-type : Ar addr | iface | number | flow | mac
2207 .It Ar table-key : Ar addr Ns Oo / Ns Ar masklen Oc | iface-name | number | flow-spec
2208 .It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec
2209 .It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port
2222 When looking up an IP address in a table, the most specific
2230 Each entry is represented by a 32-bit unsigned integer.
2235 type suboptions with table entries.
2248 When looking up a MAC address in a table, the most specific
2257 .Bl -tag -width indent
2258 .It Ar create-options : Ar create-option | create-options
2259 .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc |
2260 .Cm limit Ar number | Cm locked | Cm missing | Cm or-flush
2262 Table key type.
2264 Table value mask.
2266 Table algorithm to use (see below).
2268 Maximum number of items that may be inserted into the table.
2270 Restrict any table modifications.
2272 Do not fail if the table already exists and has exactly the same options as the new one.
2273 .It Cm or-flush
2274 Flush the existing table with the same name instead of returning an error.
2277 so the existing table must be compatible with the new one.
2284 .Bl -tag -width indent
2285 .It Ar modify-options : Ar modify-option | modify-options
2286 .It Ar modify-option : Cm limit Ar number
2288 Alter the maximum number of items that may be inserted into the table.
2291 Additionally, a table can be locked or unlocked using
2306 One or more entries can be added to a table at once using
2312 However, a non-zero error code is returned in that case.
2317 to indicate all-or-none add request.
2319 One or more entries can be removed from a table at once using
2324 However, a non-zero error code is returned in that case.
2327 .Ar table-key
2329 .Cm lookup
2330 .Ar table-key
2339 .Bl -tag -width indent
2345 Shows generic table information.
2347 Shows generic table information and algo-specific data.
2350 The following lookup algorithms are supported:
2351 .Bl -tag -width indent
2352 .It Ar algo-desc : algo-name | "algo-name algo-data"
2353 .It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash | mac: r…
2355 Separate Radix trees for IPv4 and IPv6, the same way as the routing table (see
2361 Separate auto-growing hashes for IPv4 and IPv6.
2368 Mostly optimized for /64 and byte-ranged IPv6 masks.
2371 Optimized for very fast lookup.
2375 Auto-growing hash storing flow entries.
2384 feature provides the ability to use a value, looked up in the table, as
2391 .Ar value-mask .
2392 This mask is set on table creation via
2396 .Bl -tag -width indent
2397 .It Ar value-mask : Ar value-type Ns Op , Ns Ar value-mask
2398 .It Ar value-type : Ar skipto | pipe | fib | nat | dscp | tag | divert |
2445 Each rule or table belongs to one of 32 different
2452 attribute when adding a new rule or table.
2458 table opcodes regardless of rule set.
2462 Rule's set will then be used for table references.
2465 .Bd -ragged -offset indent
2480 .Bd -ragged -offset indent
2489 .Bd -ragged -offset indent
2493 .Cm to Ar new-set
2497 .Bd -ragged -offset indent
2499 .Cm set swap Ar first-set second-set
2511 .Cm check-state , keep-state , record-state , limit
2513 .Cm set-limit
2518 .Cm keep-state ,
2519 .Cm record-state ,
2522 .Cm set-limit
2529 .Em src-ip/src-port dst-ip/dst-port
2537 .Cm keep-state
2543 .Cm check-state, keep-state
2557 .Dl "ipfw add check-state :OUTBOUND"
2558 .Dl "ipfw add allow tcp from my-subnet to any setup keep-state :OUTBOUND"
2565 .Dl "ipfw add check-state :OUTBOUND"
2566 .Dl "ipfw add allow udp from my-subnet to any keep-state :OUTBOUND"
2599 .Bl -hang -offset XXXX
2618 are first grouped into flows according to a mask on the 5-tuple.
2638 .Bd -literal -offset indent
2640 +---------+ weight Wx +-------------+
2641 | |->-[flow]-->--| |-+
2642 -->--| QUEUE x | ... | | |
2643 | |->-[flow]-->--| SCHEDuler N | |
2644 +---------+ | | |
2645 ... | +--[LINK N]-->--
2646 +---------+ weight Wy | | +--[LINK N]-->--
2647 | |->-[flow]-->--| | |
2648 -->--| QUEUE y | ... | | |
2649 | |->-[flow]-->--| | |
2650 +---------+ +-------------+ |
2651 +-------------+
2661 value of the packet's 5-tuple after applying SCHED_MASK.
2662 As an example, using ``src-ip 0xffffff00'' creates one instance
2668 ``src-ip 0x000000ff''
2713 variable to a non-zero value.
2721 .Bd -ragged -offset indent
2722 .Cm pipe Ar number Cm config Ar pipe-configuration
2724 .Cm queue Ar number Cm config Ar queue-configuration
2726 .Cm sched Ar number Cm config Ar sched-configuration
2731 .Bl -tag -width indent -compact
2755 .It Cm delay Ar ms-delay
2798 .Bd -literal -offset indent
2802 L +-- loss-level x
2809 +-------*------------------->
2821 .Bl -tag -width indent
2829 .It Cm loss-level Ar L
2852 .Bd -literal -offset indent
2855 loss-level 0.86
2869 .Bl -tag -width indent -compact
2880 The following case-insensitive parameters can be configured for a
2883 .Bl -tag -width indent -compact
2886 .Bl -tag -width indent -compact
2890 FIFO has O(1) per-packet time complexity, with very low
2891 constants (estimate 60-80ns on a 2GHz desktop machine)
2899 WF2Q+ has O(log N) per-packet processing cost, where N is the number
2904 costs (roughly, 100-150ns per packet)
2910 costs (roughly, 200-250ns per packet).
2912 implements the FQ-CoDel (FlowQueue-CoDel) scheduler/AQM algorithm, which
2913 uses a modified Deficit Round Robin scheduler to manage two lists of sub-queues
2914 (old sub-queues and new sub-queues) for providing brief periods of priority to
2916 By default, the total number of sub-queues is 1024.
2917 FQ-CoDel's internal, dynamically
2918 created sub-queues are controlled by separate instances of CoDel AQM.
2920 implements the FQ-PIE (FlowQueue-PIE) scheduler/AQM algorithm, which is similar to
2922 but uses a per-sub-queue PIE AQM instance to control the queue delay.
2938 .Bl -tag -width indent
2956 specifies the total number of flow queues (sub-queues) that fq_*
2958 By default, 1024 sub-queues are created when an instance
2981 .Bl -tag -width XXXX -compact
2982 .It Cm buckets Ar hash-table-size
2983 Specifies the size of the hash table used for storing the
2991 .It Cm mask Ar mask-specifier
3017 .Cm dst-ip Ar mask ,
3018 .Cm dst-ip6 Ar mask ,
3019 .Cm src-ip Ar mask ,
3020 .Cm src-ip6 Ar mask ,
3021 .Cm dst-port Ar mask ,
3022 .Cm src-port Ar mask ,
3023 .Cm flow-id Ar mask ,
3041 .It Cm plr Ar packet-loss-rate
3045 .Ar packet-loss-rate
3046 is a floating-point number between 0 and 1, with 0 meaning no
3049 When invoked with four arguments, the simple Gilbert-Elliott
3051 .Bd -literal -offset indent
3053 .----------------.
3055 .------------. .------------.
3058 '------------' '------------'
3060 '----------------'
3073 K = 1 - k ; H = 1 - h
3076 quick re-use of loss probability when giving only a single argument.
3094 E.g., 50 max-sized Ethernet packets (1500 bytes) mean 600Kbit
3129 .Bl -tag -width indent
3143 Make use of the CoDel (Controlled-Delay) queue management algorithm.
3166 ECN-enabled TCP flows when queue delay becomes high.
3192 en-queue process, with the aim of achieving high throughput while keeping queue
3209 .Bl -tag -width indent
3230 enable or disable ECN marking for ECN-enabled TCP flows.
3236 enable or disable drop probability de-randomisation.
3237 De-randomisation eliminates
3239 De-randomisation is enabled by default.
3274 Information necessary to route link-local packets to an
3278 Care should be taken to ensure that link-local packets are not passed to
3283 .Bl -bullet
3294 use an auto-recovery script such as the one in
3300 .Bl -bullet
3319 reported as being dropped by rule -1.
3327 .Bd -literal -offset indent
3333 .Bd -literal -offset indent
3357 support in-kernel NAT using the kernel version of
3366 .Bd -ragged -offset indent
3367 .Bk -words
3371 .Ar nat-configuration
3376 .Bl -tag -width indent
3396 Reset the table of the packet aliasing engine on address change.
3402 Skip instance in case of global state lookup (see below).
3403 .It Cm port_range Ar lower-upper
3407 When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
3419 When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
3425 by port forwarding on the NAT, or tunnelling through an in-between server.
3431 .Bl -tag -width indent
3443 Uses the argument supplied in the lookup table.
3445 .Sx LOOKUP TABLES
3446 section below for more information on lookup tables.
3473 .Bd -ragged -offset indent
3474 .Bk -words
3480 .Ar ip_address [,addr_list] {[port | port-port] [,ports]}
3486 configuration can be done in real-time through the
3499 supports in-kernel IPv6/IPv4 network address and protocol translation.
3500 Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
3503 among several IPv6-only clients.
3514 in the states table.
3543 .Bd -ragged -offset indent
3544 .Bk -words
3548 .Ar create-options
3553 .Bl -tag -width indent
3560 in the states table will be dropped by the translator.
3563 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3568 The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
3609 Keeping them in the translator's state table protects against such rejects.
3637 .It Cm -log
3643 .It Cm -allow_private
3649 To inspect a states table of stateful NAT64 the following command can be used:
3650 .Bd -ragged -offset indent
3651 .Bk -words
3658 The stateless NAT64 translator doesn't use a states table for translation
3660 mappings taken from configured lookup tables.
3661 Since a states table isn't used by the stateless translator,
3662 it can be configured to pass IPv4 clients to IPv6-only servers.
3665 .Bd -ragged -offset indent
3666 .Bk -words
3670 .Ar create-options
3675 .Bl -tag -width indent
3677 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3681 The lookup table
3685 The lookup table
3692 .It Cm -log
3698 .It Cm -allow_private
3706 If corresponding addresses were not found in the lookup tables, the packet
3709 XLAT464 CLAT NAT64 translator implements client-side stateless translation as
3712 Instead of lookup tables it uses one-to-one mapping between IPv4 and IPv6
3715 that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet
3716 over IPv6-only networks with help of remote NAT64 translator.
3719 .Bd -ragged -offset indent
3720 .Bk -words
3724 .Ar create-options
3729 .Bl -tag -width indent
3731 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3734 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3741 .It Cm -log
3749 .It Cm -allow_private
3759 .Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
3761 supports in-kernel IPv6-to-IPv6 network prefix translation as described
3770 .Bd -ragged -offset indent
3771 .Bk -words
3775 .Ar create-options
3780 .Bl -tag -width indent
3818 .Bl -tag -width indent
3848 .Bl -tag -width indent
3852 responds to receipt of global OOTB ASCONF-AddIP:
3853 .Bl -tag -width indent
3855 No response (unless a partially matching association exists -
3878 responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets.
3882 and is not an INIT or ASCONF-AddIP packet:
3883 .Bl -tag -width indent
3904 multi-homed local hosts to function with the
3908 ASCONF-AddIP.
3917 .Nm hash table
3923 The table sizes may be changed to suit specific needs.
3928 A prime number is best for the table size.
3932 Hold association in table for this many seconds after receiving a
3933 SHUTDOWN-COMPLETE.
3937 Timeout value while waiting for (INIT-ACK|AddIP-ACK).
3943 will only be an INIT or ASCONF-AddIP packet.
3952 Level of detail in the system log messages (0 \- minimal, 1 \- event,
3953 2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug).
3957 Timeout value while waiting for SHUTDOWN-COMPLETE.
3964 .Bl -tag -width indent
4005 Defines the default total number of flow queues (sub-queues) that
4046 Defines the default total number of flow queues (sub-queues) that
4086 Default size of the hash table used for dynamic pipes/queues.
4091 If set to a non-zero value,
4165 Delta between rule numbers when auto-generating them.
4168 The current number of buckets in the hash table for dynamic rules
4174 The default rule number (read-only).
4179 The number of buckets in the hash table for dynamic rules.
4184 command to make sure that the hash table is resized.
4187 (read-only).
4190 .Cm keep-state
4250 .Bl -tag -width indent
4275 sub-options:
4276 .Bl -tag -width indent
4280 with their in-kernel status.
4282 List all table lookup algorithms currently available.
4321 of the address sets and or-blocks and write extremely
4333 going out to vlans 100-1000:
4336 .Dl "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }"
4340 option could be used to do automated anti-spoofing by adding the
4353 option could be used to do similar but more restricted anti-spoofing
4427 .Dl "ipfw add check-state"
4429 .Dl "ipfw add allow tcp from my-net to any setup keep-state"
4436 .Cm check-state ,
4437 .Cm keep-state
4442 .Cm check-state
4448 .Cm record-state
4450 .Cm defer-action
4459 .Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10"
4460 .Dl "ipfw add allow tcp from any to me setup limit src-addr 4"
4468 stateful rules can be subject to denial-of-service attacks
4469 by a SYN-flood which opens a huge number of dynamic rules.
4479 .Dl ipfw -at list
4483 .Dl ipfw -a list
4538 you want to simulate a half-duplex medium (e.g.\& AppleTalk,
4552 Procedure Calls, and where the round-trip-time of the
4561 Per-flow queueing can be useful for a variety of purposes.
4581 on a net with per-host limits, rather than per-network limits:
4585 .Dl "dnctl pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4586 .Dl "dnctl pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4587 .Ss LOOKUP TABLES
4591 Then we create a single table and fill it with IP subnets and addresses.
4599 .Dl "ipfw table T1 create type addr"
4600 .Dl "ipfw table T1 add 192.168.2.0/24 1"
4601 .Dl "ipfw table T1 add 192.168.0.0/27 4"
4602 .Dl "ipfw table T1 add 192.168.0.2 1"
4604 .Dl "ipfw add pipe tablearg ip from 'table(T1)' to any"
4608 action, the table entries may include hostnames and IP addresses.
4610 .Dl "ipfw table T2 create type addr valtype ipv4"
4611 .Dl "ipfw table T2 add 192.168.2.0/24 10.23.2.1"
4612 .Dl "ipfw table T2 add 192.168.0.0/27 router1.dmz"
4614 .Dl "ipfw add 100 fwd tablearg ip from any to 'table(T2)'"
4616 In the following example a per-interface firewall is created:
4618 .Dl "ipfw table IN create type iface valtype skipto,fib"
4619 .Dl "ipfw table IN add vlan20 12000,12"
4620 .Dl "ipfw table IN add vlan30 13000,13"
4621 .Dl "ipfw table OUT create type iface valtype skipto"
4622 .Dl "ipfw table OUT add vlan20 22000"
4623 .Dl "ipfw table OUT add vlan30 23000"
4625 .Dl "ipfw add 100 setfib tablearg ip from any to any recv 'table(IN)' in"
4626 .Dl "ipfw add 200 skipto tablearg ip from any to any recv 'table(IN)' in"
4627 .Dl "ipfw add 300 skipto tablearg ip from any to any xmit 'table(OUT)' out"
4631 .Dl "ipfw table fl create type flow:src-ip,proto,dst-ip,dst-port"
4632 .Dl "ipfw table fl add 2a02:6b8:77::88,tcp,2a02:6b8:77::99,80 11"
4633 .Dl "ipfw table fl add 10.0.0.1,udp,10.0.0.2,53 12"
4635 .Dl "ipfw add 100 allow ip from any to any flow 'table(fl,11)' recv ix0"
4653 Here, if everything goes well, you press control-C before the "sleep"
4665 .Dl "ipfw -S set 18 show"
4681 same ports on both sides, clearing the aliasing table on address change
4686 Or to change the address of instance 123, the aliasing table will be cleared (see
4704 .Bd -literal -offset 2n
4715 .Bd -literal -offset 2n
4727 .Cm record-state
4729 .Cm defer-action
4734 .Cm keep-state
4746 .Dl "ipfw add allow record-state defer-action"
4752 .Dl "ipfw add check-state"
4760 .Cm check-state
4762 .Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM
4892 .An Poul-Henning Kamp ,
4896 .An Rasool Al-Saadi .
4898 .An -nosplit
4903 Dummynet has been introduced by Luigi Rizzo in 1997-1998.
4905 Some early work (1999-2000) on the
4915 .An -nosplit
4916 In-kernel NAT support written by
4932 CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet have been implemented by
4936 Rasool Al-Saadi.
4967 Dummynet drops all packets with IPv6 link-local addresses.