Lines Matching +full:ports +full:- +full:block +full:- +full:group +full:- +full:count
8 in-kernel NAT.
19 .Op Ar rule | first-last ...
49 .Oo Cm set Ar N Oc Cm table Ar name Cm create Ar create-options
55 .Oo Cm set Ar N Oc Cm table Ar name Cm modify Ar modify-options
59 .Oo Cm set Ar N Oc Cm table Ar name Cm add Ar table-key Op Ar value
61 .Oo Cm set Ar N Oc Cm table Ar name Cm add Op Ar table-key Ar value ...
63 .Oo Cm set Ar N Oc Cm table Ar name Cm atomic add Op Ar table-key Ar value ...
65 .Oo Cm set Ar N Oc Cm table Ar name Cm delete Op Ar table-key ...
93 .Ar config-options
99 .Ss IN-KERNEL NAT
105 .Ar config-options
113 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options
115 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options
129 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm create Ar create-options
131 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm config Ar config-options
144 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm create Ar create-options
146 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm config Ar config-options
157 .Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION
159 .Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options
183 .Ar preproc-flags
195 in-kernel NAT services.
210 in rule-number order
233 .Cm keep-state ,
234 .Cm record-state ,
237 .Cm set-limit
243 i.e., rules that match packets with the same 5-tuple
244 (protocol, source and destination addresses and ports)
248 .Cm check-state ,
249 .Cm keep-state
252 rule, and are typically used to open the firewall on-demand to
255 .Cm keep-state
259 .Cm check-state
261 .Cm record-state
263 .Cm set-limit
265 .Cm check-state .
274 a packet count, a byte count, a log count and a timestamp
314 .Bl -tag -width indent
465 .Bd -literal -offset indent
468 +----------->-----------+
475 +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1
518 .Bd -literal -offset indent
556 Keywords are case-sensitive, whereas arguments may
557 or may not be case-sensitive depending on their nature
560 Some arguments (e.g., port or address lists) are comma-separated
567 .Bd -literal -offset indent
568 ipfw -q add deny src-ip 10.0.0.0/24,127.0.0.1/8
569 ipfw -q add deny src-ip 10.0.0.0/24, 127.0.0.1/8
570 ipfw "-q add deny src-ip 10.0.0.0/24, 127.0.0.1/8"
574 .Bd -ragged -offset indent
575 .Bk -words
593 .Bl -tag -width "Source and dest. addresses and ports" -offset XXX -compact
598 .It Source and dest. addresses and ports
610 Fragmentation, Hop-by-Hop options,
612 .It IPv6 Flow-ID
622 .It User/group ID
633 TCP/UDP ports, can be easily spoofed, so filtering on those fields
635 .Bl -tag -width indent
652 non-default rule number by the value of the sysctl variable
657 non-default value is used instead.
684 to simulate the effect of multiple paths leading to out-of-order
689 .Cm keep-state
691 .Cm check-state
707 .Bd -literal -offset indent
715 .Bd -literal -offset indent
738 Once the limit is reached, logging can be re-enabled by
755 and to start doing policy-based filtering.
797 keyword, a 32-bit numeric mark is assigned to the packet.
833 .Cm count Cm altq Ar queue
837 .Cm check-state
839 .Cm keep-state
865 .Bl -tag -width indent
869 .It Cm check-state Op Ar :flowname | Cm :any
875 .Cm Check-state
878 .Cm check-state
880 .Cm keep-state
887 .Cm keep-state
895 .It Cm count
908 Change the next-hop on matching packets to
967 Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address and
972 Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
974 .Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
1077 command-line utility currently requires every action except
1078 .Cm check-state
1087 .Bd -literal -offset indent
1092 ipfw -c list
1110 .Cm needfrag , srcfail , net-unknown , host-unknown ,
1111 .Cm isolated , net-prohib , host-prohib , tosnet ,
1112 .Cm toshost , filter-prohib , host-precedence
1114 .Cm precedence-cutoff .
1129 .Cm no-route, admin-prohib, address
1220 .It Cm tcp-setmss Ar mss
1232 .Cm tcp-setmss
1242 If the packet is a fragment in the middle of a logical group of fragments,
1258 Alternatively, direction-based (like
1262 ) and source-based (like
1267 .Bd -literal -offset indent
1284 specific source and destination addresses or ports,
1289 operators -- i.e., all must match in order for the
1298 .Pq Em or-blocks
1320 .Bd -ragged -offset indent
1331 addresses and ports) can be specified in the
1336 .Bl -tag -width indent
1338 .It Ar protocol : Oo Cm not Oc Ar protocol-name | protocol-number
1343 .Bl -tag -width indent
1366 .Em or-block )
1368 .It Ar src No and Ar dst : Bro Cm addr | Cm { Ar addr Cm or ... } Brc Op Oo Cm not Oc Ar ports
1371 .Ar ports
1375 .Em ( or-block
1381 .Ar | addr-list | addr-set
1383 .Bl -tag -width indent
1395 If an optional 32-bit unsigned
1402 .It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list
1403 .It Ar ip-addr :
1405 .Bl -tag -width indent
1406 .It Ar numeric-ip | hostname
1407 Matches a single IPv4 address, specified as dotted-quad or a hostname.
1427 This form is advised only for non-contiguous
1432 error-prone.
1434 .It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm }
1435 .It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list
1457 As an example, an address specified as 1.2.3.4/24{128,35-55,89}
1458 or 1.2.3.0/24{128,35-55,89}
1462 .It Ar addr6-list : ip6-addr Ns Op Ns , Ns Ar addr6-list
1463 .It Ar ip6-addr :
1465 .Bl -tag -width indent
1466 .It Ar numeric-ip | hostname
1493 This form is advised only for non-contiguous
1498 error-prone.
1503 .It Ar ports : Bro Ar port | port Ns \&- Ns Ar port Ns Brc Ns Op , Ns Ar ports
1505 .Cm ports
1506 may be specified as one or more ports or port ranges, separated
1512 notation specifies a range of ports (including boundaries).
1517 The length of the port list is limited to 30 ports or ranges,
1519 .Em or-block
1527 .Pq Ql -
1532 .Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
1534 Fragmented packets which have a non-zero offset (i.e., not the first
1544 Zero or more of these so-called
1549 .Em or-blocks .
1552 .Bl -tag -width indent
1556 You can have comment-only rules, which are listed as having a
1557 .Cm count
1562 .It Cm defer-immediate-action | defer-action
1566 .Cm record-state
1568 .Cm keep-state
1572 .Cm record-state
1574 .Cm defer-immediate-action
1581 .It Cm diverted-loopback
1584 .It Cm diverted-output
1587 .It Cm dst-ip Ar ip-address
1590 .It Bro Cm dst-ip6 | dst-ipv6 Brc Ar ip6-address
1593 .It Cm dst-port Ar ports
1605 Hop-to-hop options
1635 .It Cm flow-id Ar labels
1640 .It Cm dst-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1647 .It Cm src-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1668 .Pq Dv non-zero fragment offset .
1673 Empty list of options defaults to matching on non-zero fragment offset.
1677 .It Cm gid Ar group
1679 .Ar group .
1681 .Ar group
1709 time-to-live exceeded
1740 .It Cm ipid Ar id-list
1744 .Ar id-list ,
1747 .Ar ports .
1748 .It Cm iplen Ar len-list
1751 .Ar len-list ,
1754 .Ar ports .
1825 .It Cm ipttl Ar ttl-list
1827 .Ar ttl-list ,
1830 .Ar ports .
1834 .It Cm keep-state Op Ar :flowname
1844 is used to assign additional to addresses, ports and protocol parameter
1847 .Cm check-state
1859 .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname
1865 of source and destination addresses and ports can be
1867 .It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid |
1882 .It Cm { MAC | mac } Ar dst-mac src-mac
1884 .Ar dst-mac
1886 .Ar src-mac
1893 .Bl -enum -width indent
1918 .It Cm mac-type Ar mac-type
1921 .Ar mac-type
1924 (i.e., one or more comma-separated single values or ranges).
1929 .Cm -N
1933 .It Cm record-state
1935 .Cm keep-state
1938 .Cm check-state
1940 .Cm keep-state .
2000 .It Cm set-limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N
2004 .Cm check-state
2013 to a non-zero value.
2022 .It Cm src-ip Ar ip-address
2025 .It Cm src-ip6 Ar ip6-address
2028 .It Cm src-port Ar ports
2031 .It Cm tagged Ar tag-list
2033 .Ar tag-list ,
2036 .Ar ports .
2061 .It Cm tcpdatalen Ar tcpdatalen-list
2063 .Ar tcpdatalen-list ,
2066 .Ar ports .
2087 a non-zero offset.
2091 .It Cm tcpmss Ar tcpmss-list
2093 .Ar tcpmss-list ,
2096 .Ar ports .
2101 .It Cm tcpwin Ar tcpwin-list
2103 .Ar tcpwin-list ,
2106 .Ar ports .
2123 (rfc1644 t/tcp connection count).
2146 .Dl ip verify unicast reverse-path
2148 This option can be used to make anti-spoofing rules to reject all
2163 .Dl ip verify unicast source reachable-via any
2165 This option can be used to make anti-spoofing rules to reject all
2177 This option can be used to make anti-spoofing rules to reject all
2187 addresses or other search keys (e.g., ports, jail IDs, interface names).
2190 .Ar table-name .
2205 .Bl -tag -width indent
2206 .It Ar table-type : Ar addr | iface | number | flow | mac
2207 .It Ar table-key : Ar addr Ns Oo / Ns Ar masklen Oc | iface-name | number | flow-spec
2208 .It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec
2209 .It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port
2229 Matches protocol ports, uids/gids or jail IDs.
2230 Each entry is represented by 32-bit unsigned integer.
2257 .Bl -tag -width indent
2258 .It Ar create-options : Ar create-option | create-options
2259 .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc |
2260 .Cm limit Ar number | Cm locked | Cm missing | Cm or-flush
2273 .It Cm or-flush
2284 .Bl -tag -width indent
2285 .It Ar modify-options : Ar modify-option | modify-options
2286 .It Ar modify-option : Cm limit Ar number
2312 However, non-zero error code is returned in that case.
2317 to indicate all-or-none add request.
2324 However, non-zero error code is returned in that case.
2327 .Ar table-key
2330 .Ar table-key
2339 .Bl -tag -width indent
2347 Shows generic table information and algo-specific data.
2351 .Bl -tag -width indent
2352 .It Ar algo-desc : algo-name | "algo-name algo-data"
2353 .It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash | mac: r…
2361 Separate auto-growing hashes for IPv4 and IPv6.
2368 Mostly optimized for /64 and byte-ranged IPv6 masks.
2375 Auto-growing hash storing flow entries.
2391 .Ar value-mask .
2396 .Bl -tag -width indent
2397 .It Ar value-mask : Ar value-type Ns Op , Ns Ar value-mask
2398 .It Ar value-type : Ar skipto | pipe | fib | nat | dscp | tag | divert |
2465 .Bd -ragged -offset indent
2480 .Bd -ragged -offset indent
2489 .Bd -ragged -offset indent
2493 .Cm to Ar new-set
2497 .Bd -ragged -offset indent
2499 .Cm set swap Ar first-set second-set
2511 .Cm check-state , keep-state , record-state , limit
2513 .Cm set-limit
2518 .Cm keep-state ,
2519 .Cm record-state ,
2522 .Cm set-limit
2529 .Em src-ip/src-port dst-ip/dst-port
2537 .Cm keep-state
2541 This name is used in matching together with addresses, ports and protocol.
2543 .Cm check-state, keep-state
2550 and ports and :flowname are checked on dynamic rules.
2557 .Dl "ipfw add check-state :OUTBOUND"
2558 .Dl "ipfw add allow tcp from my-subnet to any setup keep-state :OUTBOUND"
2565 .Dl "ipfw add check-state :OUTBOUND"
2566 .Dl "ipfw add allow udp from my-subnet to any keep-state :OUTBOUND"
2599 .Bl -hang -offset XXXX
2618 are first grouped into flows according to a mask on the 5-tuple.
2638 .Bd -literal -offset indent
2640 +---------+ weight Wx +-------------+
2641 | |->-[flow]-->--| |-+
2642 -->--| QUEUE x | ... | | |
2643 | |->-[flow]-->--| SCHEDuler N | |
2644 +---------+ | | |
2645 ... | +--[LINK N]-->--
2646 +---------+ weight Wy | | +--[LINK N]-->--
2647 | |->-[flow]-->--| | |
2648 -->--| QUEUE y | ... | | |
2649 | |->-[flow]-->--| | |
2650 +---------+ +-------------+ |
2651 +-------------+
2661 value of the packet's 5-tuple after applying SCHED_MASK.
2662 As an example, using ``src-ip 0xffffff00'' creates one instance
2668 ``src-ip 0x000000ff''
2713 variable to a non-zero value.
2721 .Bd -ragged -offset indent
2722 .Cm pipe Ar number Cm config Ar pipe-configuration
2724 .Cm queue Ar number Cm config Ar queue-configuration
2726 .Cm sched Ar number Cm config Ar sched-configuration
2731 .Bl -tag -width indent -compact
2755 .It Cm delay Ar ms-delay
2798 .Bd -literal -offset indent
2802 L +-- loss-level x
2809 +-------*------------------->
2821 .Bl -tag -width indent
2829 .It Cm loss-level Ar L
2852 .Bd -literal -offset indent
2855 loss-level 0.86
2869 .Bl -tag -width indent -compact
2880 The following case-insensitive parameters can be configured for a
2883 .Bl -tag -width indent -compact
2886 .Bl -tag -width indent -compact
2890 FIFO has O(1) per-packet time complexity, with very low
2891 constants (estimate 60-80ns on a 2GHz desktop machine)
2899 WF2Q+ has O(log N) per-packet processing cost, where N is the number
2904 costs (roughly, 100-150ns per packet)
2910 costs (roughly, 200-250ns per packet).
2912 implements the FQ-CoDel (FlowQueue-CoDel) scheduler/AQM algorithm, which
2913 uses a modified Deficit Round Robin scheduler to manage two lists of sub-queues
2914 (old sub-queues and new sub-queues) for providing brief periods of priority to
2916 By default, the total number of sub-queues is 1024.
2917 FQ-CoDel's internal, dynamically
2918 created sub-queues are controlled by separate instances of CoDel AQM.
2920 implements the FQ-PIE (FlowQueue-PIE) scheduler/AQM algorithm, which is similar to
2922 but uses per sub-queue PIE AQM instance to control the queue delay.
2938 .Bl -tag -width indent
2956 specifies the total number of flow queues (sub-queues) that fq_*
2958 By default, 1024 sub-queues are created when an instance
2981 .Bl -tag -width XXXX -compact
2982 .It Cm buckets Ar hash-table-size
2991 .It Cm mask Ar mask-specifier
2999 ports and protocol types as specified with the
3017 .Cm dst-ip Ar mask ,
3018 .Cm dst-ip6 Ar mask ,
3019 .Cm src-ip Ar mask ,
3020 .Cm src-ip6 Ar mask ,
3021 .Cm dst-port Ar mask ,
3022 .Cm src-port Ar mask ,
3023 .Cm flow-id Ar mask ,
3041 .It Cm plr Ar packet-loss-rate
3045 .Ar packet-loss-rate
3046 is a floating-point number between 0 and 1, with 0 meaning no
3049 When invoked with four arguments, the simple Gilbert-Elliott
3051 .Bd -literal -offset indent
3053 .----------------.
3055 .------------. .------------.
3058 '------------' '------------'
3060 '----------------'
3073 K = 1 - k ; H = 1 - h
3076 quick re-use of loss probability when giving only a single argument.
3094 E.g., 50 max-sized Ethernet packets (1500 bytes) mean 600Kbit
3129 .Bl -tag -width indent
3143 Make use of the CoDel (Controlled-Delay) queue management algorithm.
3166 ECN-enabled TCP flows when queue delay becomes high.
3192 en-queue process, with the aim of achieving high throughput while keeping queue
3209 .Bl -tag -width indent
3230 enable or disable ECN marking for ECN-enabled TCP flows.
3236 enable or disable drop probability de-randomisation.
3237 De-randomisation eliminates
3239 De-randomisation is enabled by default.
3274 Information necessary to route link-local packets to an
3278 Care should be taken to ensure that link-local packets are not passed to
3283 .Bl -bullet
3294 use an auto-recovery script such as the one in
3300 .Bl -bullet
3319 reported as being dropped by rule -1.
3327 .Bd -literal -offset indent
3333 .Bd -literal -offset indent
3357 support in-kernel NAT using the kernel version of
3366 .Bd -ragged -offset indent
3367 .Bk -words
3371 .Ar nat-configuration
3376 .Bl -tag -width indent
3403 .It Cm port_range Ar lower-upper
3404 Set the aliasing ports between the ranges given.
3407 When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
3419 When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
3422 external addresses:ports is mapped to a random and unpredictable NAT
3425 by port forwarding on the NAT, or tunnelling through an in-between server.
3431 .Bl -tag -width indent
3470 Since the local and global side ports will be the same,
3472 Ports are redirected as follows:
3473 .Bd -ragged -offset indent
3474 .Bk -words
3480 .Ar ip_address [,addr_list] {[port | port-port] [,ports]}
3486 configuration can be done in real-time through the
3499 supports in-kernel IPv6/IPv4 network address and protocol translation.
3500 Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
3503 among several IPv6-only clients.
3516 Each alias entry has a number of ports group entries allocated on demand.
3517 Ports group entries contain connection state entries.
3543 .Bd -ragged -offset indent
3544 .Bk -words
3548 .Ar create-options
3553 .Bl -tag -width indent
3563 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3568 The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
3575 The number of state chunks in a single ports group.
3576 Each ports group by default can keep 64 state entries in a single chunk.
3585 The number of seconds until a ports group with unused state entries will
3607 new connections from the same addresses and ports may be rejected by server,
3637 .It Cm -log
3643 .It Cm -allow_private
3650 .Bd -ragged -offset indent
3651 .Bk -words
3662 it can be configured to pass IPv4 clients to IPv6-only servers.
3665 .Bd -ragged -offset indent
3666 .Bk -words
3670 .Ar create-options
3675 .Bl -tag -width indent
3677 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3692 .It Cm -log
3698 .It Cm -allow_private
3709 XLAT464 CLAT NAT64 translator implements client-side stateless translation as
3712 Instead of lookup tables it uses one-to-one mapping between IPv4 and IPv6
3715 that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet
3716 over IPv6-only networks with help of remote NAT64 translator.
3719 .Bd -ragged -offset indent
3720 .Bk -words
3724 .Ar create-options
3729 .Bl -tag -width indent
3731 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3734 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3741 .It Cm -log
3749 .It Cm -allow_private
3759 .Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
3761 supports in-kernel IPv6-to-IPv6 network prefix translation as described
3770 .Bd -ragged -offset indent
3771 .Bk -words
3775 .Ar create-options
3780 .Bl -tag -width indent
3818 .Bl -tag -width indent
3848 .Bl -tag -width indent
3852 responds to receipt of global OOTB ASCONF-AddIP:
3853 .Bl -tag -width indent
3855 No response (unless a partially matching association exists -
3856 ports and vtags match but global address does not)
3878 responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets.
3882 and is not an INIT or ASCONF-AddIP packet:
3883 .Bl -tag -width indent
3890 partial match (ports and vtags match but the source global IP does not).
3904 multi-homed local hosts to function with the
3908 ASCONF-AddIP.
3933 SHUTDOWN-COMPLETE.
3937 Timeout value while waiting for (INIT-ACK|AddIP-ACK).
3943 will only be an INIT or ASCONF-AddIP packet.
3952 Level of detail in the system log messages (0 \- minimal, 1 \- event,
3953 2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug).
3957 Timeout value while waiting for SHUTDOWN-COMPLETE.
3964 .Bl -tag -width indent
4005 Defines the default total number of flow queues (sub-queues) that
4046 Defines the default total number of flow queues (sub-queues) that
4091 If set to a non-zero value,
4165 Delta between rule numbers when auto-generating them.
4174 The default rule number (read-only).
4187 (read-only).
4190 .Cm keep-state
4250 .Bl -tag -width indent
4275 sub-options:
4276 .Bl -tag -width indent
4280 with their in-kernel status.
4321 of the address sets and or-blocks and write extremely
4333 going out to vlans 100-1000:
4336 .Dl "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }"
4340 option could be used to do automated anti-spoofing by adding the
4353 option could be used to do similar but more restricted anti-spoofing
4427 .Dl "ipfw add check-state"
4429 .Dl "ipfw add allow tcp from my-net to any setup keep-state"
4436 .Cm check-state ,
4437 .Cm keep-state
4442 .Cm check-state
4448 .Cm record-state
4450 .Cm defer-action
4459 .Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10"
4460 .Dl "ipfw add allow tcp from any to me setup limit src-addr 4"
4468 stateful rules can be subject to denial-of-service attacks
4469 by a SYN-flood which opens a huge number of dynamic rules.
4479 .Dl ipfw -at list
4483 .Dl ipfw -a list
4538 you want to simulate a half-duplex medium (e.g.\& AppleTalk,
4552 Procedure Calls, and where the round-trip-time of the
4561 Per-flow queueing can be useful for a variety of purposes.
4576 tries to match IP packets it will not consider ports, so we
4577 would not see connections on separate ports as different
4581 on a net with per-host limits, rather than per-network limits:
4585 .Dl "dnctl pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4586 .Dl "dnctl pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4616 In the following example per-interface firewall is created:
4631 .Dl "ipfw table fl create type flow:src-ip,proto,dst-ip,dst-port"
4653 Here if everything goes well, you press control-C before the "sleep"
4665 .Dl "ipfw -S set 18 show"
4681 same ports on both sides, clearing aliasing table on address change
4704 .Bd -literal -offset 2n
4715 .Bd -literal -offset 2n
4727 .Cm record-state
4729 .Cm defer-action
4732 after NAT actions (or vice versa) to have consistent addresses and ports.
4734 .Cm keep-state
4746 .Dl "ipfw add allow record-state defer-action"
4752 .Dl "ipfw add check-state"
4760 .Cm check-state
4762 .Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM
4892 .An Poul-Henning Kamp ,
4896 .An Rasool Al-Saadi .
4898 .An -nosplit
4903 Dummynet was introduced by Luigi Rizzo in 1997-1998.
4905 Some early work (1999-2000) on the
4915 .An -nosplit
4916 In-kernel NAT support written by
4932 CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet have been implemented by
4936 Rasool Al-Saadi.
4967 Dummynet drops all packets with IPv6 link-local addresses.