Lines Matching +full:scaled +full:- +full:sync
8 in-kernel NAT.
19 .Op Ar rule | first-last ...
49 .Oo Cm set Ar N Oc Cm table Ar name Cm create Ar create-options
55 .Oo Cm set Ar N Oc Cm table Ar name Cm modify Ar modify-options
59 .Oo Cm set Ar N Oc Cm table Ar name Cm add Ar table-key Op Ar value
61 .Oo Cm set Ar N Oc Cm table Ar name Cm add Op Ar table-key Ar value ...
63 .Oo Cm set Ar N Oc Cm table Ar name Cm atomic add Op Ar table-key Ar value ...
65 .Oo Cm set Ar N Oc Cm table Ar name Cm delete Op Ar table-key ...
93 .Ar config-options
99 .Ss IN-KERNEL NAT
105 .Ar config-options
113 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options
115 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options
129 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm create Ar create-options
131 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm config Ar config-options
144 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm create Ar create-options
146 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm config Ar config-options
157 .Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION
159 .Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options
183 .Ar preproc-flags
195 in-kernel NAT services.
210 in rule-number order
233 .Cm keep-state ,
234 .Cm record-state ,
237 .Cm set-limit
243 i.e., rules that match packets with the same 5-tuple
248 .Cm check-state ,
249 .Cm keep-state
252 rule, and are typically used to open the firewall on-demand to
255 .Cm keep-state
259 .Cm check-state
261 .Cm record-state
263 .Cm set-limit
265 .Cm check-state .
314 .Bl -tag -width indent
450 If the world and the kernel get out of sync the
465 .Bd -literal -offset indent
468 +----------->-----------+
475 +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1
518 .Bd -literal -offset indent
556 Keywords are case-sensitive, whereas arguments may
557 or may not be case-sensitive depending on their nature
560 Some arguments (e.g., port or address lists) are comma-separated
567 .Bd -literal -offset indent
568 ipfw -q add deny src-ip 10.0.0.0/24,127.0.0.1/8
569 ipfw -q add deny src-ip 10.0.0.0/24, 127.0.0.1/8
570 ipfw "-q add deny src-ip 10.0.0.0/24, 127.0.0.1/8"
574 .Bd -ragged -offset indent
575 .Bk -words
593 .Bl -tag -width "Source and dest. addresses and ports" -offset XXX -compact
610 Fragmentation, Hop-by-Hop options,
612 .It IPv6 Flow-ID
635 .Bl -tag -width indent
652 non-default rule number by the value of the sysctl variable
657 non-default value is used instead.
684 to simulate the effect of multiple paths leading to out-of-order
689 .Cm keep-state
691 .Cm check-state
707 .Bd -literal -offset indent
715 .Bd -literal -offset indent
738 Once the limit is reached, logging can be re-enabled by
755 and to start doing policy-based filtering.
797 keyword, a 32-bit numeric mark is assigned to the packet.
837 .Cm check-state
839 .Cm keep-state
865 .Bl -tag -width indent
869 .It Cm check-state Op Ar :flowname | Cm :any
875 .Cm Check-state
878 .Cm check-state
880 .Cm keep-state
887 .Cm keep-state
908 Change the next-hop on matching packets to
967 Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address and
972 Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
974 .Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
1077 command-line utility currently requires every action except
1078 .Cm check-state
1087 .Bd -literal -offset indent
1092 ipfw -c list
1110 .Cm needfrag , srcfail , net-unknown , host-unknown ,
1111 .Cm isolated , net-prohib , host-prohib , tosnet ,
1112 .Cm toshost , filter-prohib , host-precedence
1114 .Cm precedence-cutoff .
1129 .Cm no-route, admin-prohib, address
1220 .It Cm tcp-setmss Ar mss
1232 .Cm tcp-setmss
1258 Alternatively, direction-based (like
1262 ) and source-based (like
1267 .Bd -literal -offset indent
1289 operators -- i.e., all must match in order for the
1298 .Pq Em or-blocks
1320 .Bd -ragged -offset indent
1336 .Bl -tag -width indent
1338 .It Ar protocol : Oo Cm not Oc Ar protocol-name | protocol-number
1343 .Bl -tag -width indent
1366 .Em or-block )
1375 .Em ( or-block
1381 .Ar | addr-list | addr-set
1383 .Bl -tag -width indent
1395 If an optional 32-bit unsigned
1402 .It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list
1403 .It Ar ip-addr :
1405 .Bl -tag -width indent
1406 .It Ar numeric-ip | hostname
1407 Matches a single IPv4 address, specified as dotted-quad or a hostname.
1427 This form is advised only for non-contiguous
1432 error-prone.
1434 .It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm }
1435 .It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list
1457 As an example, an address specified as 1.2.3.4/24{128,35-55,89}
1458 or 1.2.3.0/24{128,35-55,89}
1462 .It Ar addr6-list : ip6-addr Ns Op Ns , Ns Ar addr6-list
1463 .It Ar ip6-addr :
1465 .Bl -tag -width indent
1466 .It Ar numeric-ip | hostname
1493 This form is advised only for non-contiguous
1498 error-prone.
1519 .Em or-block
1527 .Pq Ql -
1532 .Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
1534 Fragmented packets which have a non-zero offset (i.e., not the first
1544 Zero or more of these so-called
1549 .Em or-blocks .
1552 .Bl -tag -width indent
1556 You can have comment-only rules, which are listed as having a
1562 .It Cm defer-immediate-action | defer-action
1566 .Cm record-state
1568 .Cm keep-state
1572 .Cm record-state
1574 .Cm defer-immediate-action
1581 .It Cm diverted-loopback
1584 .It Cm diverted-output
1587 .It Cm dst-ip Ar ip-address
1590 .It Bro Cm dst-ip6 | dst-ipv6 Brc Ar ip6-address
1593 .It Cm dst-port Ar ports
1605 Hop-to-hop options
1635 .It Cm flow-id Ar labels
1640 .It Cm dst-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1647 .It Cm src-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1668 .Pq Dv non-zero fragment offset .
1673 Empty list of options defaults to matching on non-zero fragment offset.
1709 time-to-live exceeded
1740 .It Cm ipid Ar id-list
1744 .Ar id-list ,
1748 .It Cm iplen Ar len-list
1751 .Ar len-list ,
1825 .It Cm ipttl Ar ttl-list
1827 .Ar ttl-list ,
1834 .It Cm keep-state Op Ar :flowname
1847 .Cm check-state
1859 .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname
1867 .It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid |
1882 .It Cm { MAC | mac } Ar dst-mac src-mac
1884 .Ar dst-mac
1886 .Ar src-mac
1893 .Bl -enum -width indent
1918 .It Cm mac-type Ar mac-type
1921 .Ar mac-type
1924 (i.e., one or more comma-separated single values or ranges).
1929 .Cm -N
1933 .It Cm record-state
1935 .Cm keep-state
1938 .Cm check-state
1940 .Cm keep-state .
2000 .It Cm set-limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N
2004 .Cm check-state
2013 to a non-zero value.
2022 .It Cm src-ip Ar ip-address
2025 .It Cm src-ip6 Ar ip6-address
2028 .It Cm src-port Ar ports
2031 .It Cm tagged Ar tag-list
2033 .Ar tag-list ,
2061 .It Cm tcpdatalen Ar tcpdatalen-list
2063 .Ar tcpdatalen-list ,
2087 a non-zero offset.
2091 .It Cm tcpmss Ar tcpmss-list
2093 .Ar tcpmss-list ,
2101 .It Cm tcpwin Ar tcpwin-list
2103 .Ar tcpwin-list ,
2146 .Dl ip verify unicast reverse-path
2148 This option can be used to make anti-spoofing rules to reject all
2163 .Dl ip verify unicast source reachable-via any
2165 This option can be used to make anti-spoofing rules to reject all
2177 This option can be used to make anti-spoofing rules to reject all
2190 .Ar table-name .
2205 .Bl -tag -width indent
2206 .It Ar table-type : Ar addr | iface | number | flow | mac
2207 .It Ar table-key : Ar addr Ns Oo / Ns Ar masklen Oc | iface-name | number | flow-spec
2208 .It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec
2209 .It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port
2230 Each entry is represented by 32-bit unsigned integer.
2257 .Bl -tag -width indent
2258 .It Ar create-options : Ar create-option | create-options
2259 .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc |
2260 .Cm limit Ar number | Cm locked | Cm missing | Cm or-flush
2273 .It Cm or-flush
2284 .Bl -tag -width indent
2285 .It Ar modify-options : Ar modify-option | modify-options
2286 .It Ar modify-option : Cm limit Ar number
2312 However, non-zero error code is returned in that case.
2317 to indicate all-or-none add request.
2324 However, non-zero error code is returned in that case.
2327 .Ar table-key
2330 .Ar table-key
2339 .Bl -tag -width indent
2347 Shows generic table information and algo-specific data.
2351 .Bl -tag -width indent
2352 .It Ar algo-desc : algo-name | "algo-name algo-data"
2353 .It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash | mac: r…
2361 Separate auto-growing hashes for IPv4 and IPv6.
2368 Mostly optimized for /64 and byte-ranged IPv6 masks.
2375 Auto-growing hash storing flow entries.
2391 .Ar value-mask .
2396 .Bl -tag -width indent
2397 .It Ar value-mask : Ar value-type Ns Op , Ns Ar value-mask
2398 .It Ar value-type : Ar skipto | pipe | fib | nat | dscp | tag | divert |
2465 .Bd -ragged -offset indent
2480 .Bd -ragged -offset indent
2489 .Bd -ragged -offset indent
2493 .Cm to Ar new-set
2497 .Bd -ragged -offset indent
2499 .Cm set swap Ar first-set second-set
2511 .Cm check-state , keep-state , record-state , limit
2513 .Cm set-limit
2518 .Cm keep-state ,
2519 .Cm record-state ,
2522 .Cm set-limit
2529 .Em src-ip/src-port dst-ip/dst-port
2537 .Cm keep-state
2543 .Cm check-state, keep-state
2557 .Dl "ipfw add check-state :OUTBOUND"
2558 .Dl "ipfw add allow tcp from my-subnet to any setup keep-state :OUTBOUND"
2565 .Dl "ipfw add check-state :OUTBOUND"
2566 .Dl "ipfw add allow udp from my-subnet to any keep-state :OUTBOUND"
2599 .Bl -hang -offset XXXX
2618 are first grouped into flows according to a mask on the 5-tuple.
2638 .Bd -literal -offset indent
2640 +---------+ weight Wx +-------------+
2641 | |->-[flow]-->--| |-+
2642 -->--| QUEUE x | ... | | |
2643 | |->-[flow]-->--| SCHEDuler N | |
2644 +---------+ | | |
2645 ... | +--[LINK N]-->--
2646 +---------+ weight Wy | | +--[LINK N]-->--
2647 | |->-[flow]-->--| | |
2648 -->--| QUEUE y | ... | | |
2649 | |->-[flow]-->--| | |
2650 +---------+ +-------------+ |
2651 +-------------+
2661 value of the packet's 5-tuple after applying SCHED_MASK.
2662 As an example, using ``src-ip 0xffffff00'' creates one instance
2668 ``src-ip 0x000000ff''
2713 variable to a non-zero value.
2721 .Bd -ragged -offset indent
2722 .Cm pipe Ar number Cm config Ar pipe-configuration
2724 .Cm queue Ar number Cm config Ar queue-configuration
2726 .Cm sched Ar number Cm config Ar sched-configuration
2731 .Bl -tag -width indent -compact
2755 .It Cm delay Ar ms-delay
2798 .Bd -literal -offset indent
2802 L +-- loss-level x
2809 +-------*------------------->
2821 .Bl -tag -width indent
2829 .It Cm loss-level Ar L
2852 .Bd -literal -offset indent
2855 loss-level 0.86
2869 .Bl -tag -width indent -compact
2880 The following case-insensitive parameters can be configured for a
2883 .Bl -tag -width indent -compact
2886 .Bl -tag -width indent -compact
2890 FIFO has O(1) per-packet time complexity, with very low
2891 constants (estimate 60-80ns on a 2GHz desktop machine)
2899 WF2Q+ has O(log N) per-packet processing cost, where N is the number
2904 costs (roughly, 100-150ns per packet)
2910 costs (roughly, 200-250ns per packet).
2912 implements the FQ-CoDel (FlowQueue-CoDel) scheduler/AQM algorithm, which
2913 uses a modified Deficit Round Robin scheduler to manage two lists of sub-queues
2914 (old sub-queues and new sub-queues) for providing brief periods of priority to
2916 By default, the total number of sub-queues is 1024.
2917 FQ-CoDel's internal, dynamically
2918 created sub-queues are controlled by separate instances of CoDel AQM.
2920 implements the FQ-PIE (FlowQueue-PIE) scheduler/AQM algorithm, which similar to
2922 but uses per sub-queue PIE AQM instance to control the queue delay.
2938 .Bl -tag -width indent
2956 specifies the total number of flow queues (sub-queues) that fq_*
2958 By default, 1024 sub-queues are created when an instance
2981 .Bl -tag -width XXXX -compact
2982 .It Cm buckets Ar hash-table-size
2991 .It Cm mask Ar mask-specifier
3017 .Cm dst-ip Ar mask ,
3018 .Cm dst-ip6 Ar mask ,
3019 .Cm src-ip Ar mask ,
3020 .Cm src-ip6 Ar mask ,
3021 .Cm dst-port Ar mask ,
3022 .Cm src-port Ar mask ,
3023 .Cm flow-id Ar mask ,
3041 .It Cm plr Ar packet-loss-rate
3045 .Ar packet-loss-rate
3046 is a floating-point number between 0 and 1, with 0 meaning no
3049 When invoked with four arguments, the simple Gilbert-Elliott
3051 .Bd -literal -offset indent
3053 .----------------.
3055 .------------. .------------.
3058 '------------' '------------'
3060 '----------------'
3073 K = 1 - k ; H = 1 - h
3076 quick re-use of loss probability when giving only a single argument.
3094 E.g., 50 max-sized Ethernet packets (1500 bytes) mean 600Kbit
3129 .Bl -tag -width indent
3143 Make use of the CoDel (Controlled-Delay) queue management algorithm.
3166 ECN-enabled TCP flows when queue delay becomes high.
3192 en-queue process, with the aim of achieving high throughput while keeping queue
3209 .Bl -tag -width indent
3230 enable or disable ECN marking for ECN-enabled TCP flows.
3236 enable or disable drop probability de-randomisation.
3237 De-randomisation eliminates
3239 De-randomisation is enabled by default.
3274 Information necessary to route link-local packets to an
3278 Care should be taken to ensure that link-local packets are not passed to
3283 .Bl -bullet
3294 use an auto-recovery script such as the one in
3300 .Bl -bullet
3319 reported as being dropped by rule -1.
3327 .Bd -literal -offset indent
3333 .Bd -literal -offset indent
3357 support in-kernel NAT using the kernel version of
3366 .Bd -ragged -offset indent
3367 .Bk -words
3371 .Ar nat-configuration
3376 .Bl -tag -width indent
3403 .It Cm port_range Ar lower-upper
3411 .Bl -tag -width indent
3453 .Bd -ragged -offset indent
3454 .Bk -words
3460 .Ar ip_address [,addr_list] {[port | port-port] [,ports]}
3466 configuration can be done in real-time through the
3479 supports in-kernel IPv6/IPv4 network address and protocol translation.
3480 Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
3483 among several IPv6-only clients.
3523 .Bd -ragged -offset indent
3524 .Bk -words
3528 .Ar create-options
3533 .Bl -tag -width indent
3543 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3548 The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
3617 .It Cm -log
3623 .It Cm -allow_private
3630 .Bd -ragged -offset indent
3631 .Bk -words
3642 it can be configured to pass IPv4 clients to IPv6-only servers.
3645 .Bd -ragged -offset indent
3646 .Bk -words
3650 .Ar create-options
3655 .Bl -tag -width indent
3657 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3672 .It Cm -log
3678 .It Cm -allow_private
3689 XLAT464 CLAT NAT64 translator implements client-side stateless translation as
3692 Instead of lookup tables it uses one-to-one mapping between IPv4 and IPv6
3695 that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet
3696 over IPv6-only networks with help of remote NAT64 translator.
3699 .Bd -ragged -offset indent
3700 .Bk -words
3704 .Ar create-options
3709 .Bl -tag -width indent
3711 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3714 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3721 .It Cm -log
3729 .It Cm -allow_private
3739 .Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
3741 supports in-kernel IPv6-to-IPv6 network prefix translation as described
3750 .Bd -ragged -offset indent
3751 .Bk -words
3755 .Ar create-options
3760 .Bl -tag -width indent
3798 .Bl -tag -width indent
3828 .Bl -tag -width indent
3832 responds to receipt of global OOTB ASCONF-AddIP:
3833 .Bl -tag -width indent
3835 No response (unless a partially matching association exists -
3858 responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets.
3862 and is not an INIT or ASCONF-AddIP packet:
3863 .Bl -tag -width indent
3884 multi-homed local hosts to function with the
3888 ASCONF-AddIP.
3913 SHUTDOWN-COMPLETE.
3917 Timeout value while waiting for (INIT-ACK|AddIP-ACK).
3923 will only be an INIT or ASCONF-AddIP packet.
3932 Level of detail in the system log messages (0 \- minimal, 1 \- event,
3933 2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug).
3937 Timeout value while waiting for SHUTDOWN-COMPLETE.
3944 .Bl -tag -width indent
3985 Defines the default total number of flow queues (sub-queues) that
4014 parameter (scaled by 1000) for
4021 parameter (scaled by 1000) for
4026 Defines the default total number of flow queues (sub-queues) that
4042 The default maximum ECN probability threshold (scaled by 1000) for
4071 If set to a non-zero value,
4102 parameter (scaled by 1000) for
4109 parameter (scaled by 1000) for
4119 The default maximum ECN probability threshold (scaled by 1000) for
4145 Delta between rule numbers when auto-generating them.
4154 The default rule number (read-only).
4167 (read-only).
4170 .Cm keep-state
4230 .Bl -tag -width indent
4255 sub-options:
4256 .Bl -tag -width indent
4260 with their in-kernel status.
4301 of the address sets and or-blocks and write extremely
4313 going out to vlans 100-1000:
4316 .Dl "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }"
4320 option could be used to do automated anti-spoofing by adding the
4333 option could be used to do similar but more restricted anti-spoofing
4407 .Dl "ipfw add check-state"
4409 .Dl "ipfw add allow tcp from my-net to any setup keep-state"
4416 .Cm check-state ,
4417 .Cm keep-state
4422 .Cm check-state
4428 .Cm record-state
4430 .Cm defer-action
4439 .Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10"
4440 .Dl "ipfw add allow tcp from any to me setup limit src-addr 4"
4448 stateful rules can be subject to denial-of-service attacks
4449 by a SYN-flood which opens a huge number of dynamic rules.
4459 .Dl ipfw -at list
4463 .Dl ipfw -a list
4518 you want to simulate a half-duplex medium (e.g.\& AppleTalk,
4532 Procedure Calls, and where the round-trip-time of the
4541 Per-flow queueing can be useful for a variety of purposes.
4561 on a net with per-host limits, rather than per-network limits:
4565 .Dl "dnctl pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4566 .Dl "dnctl pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4596 In the following example per-interface firewall is created:
4611 .Dl "ipfw table fl create type flow:src-ip,proto,dst-ip,dst-port"
4633 Here if everything goes well, you press control-C before the "sleep"
4645 .Dl "ipfw -S set 18 show"
4684 .Bd -literal -offset 2n
4695 .Bd -literal -offset 2n
4707 .Cm record-state
4709 .Cm defer-action
4714 .Cm keep-state
4726 .Dl "ipfw add allow record-state defer-action"
4732 .Dl "ipfw add check-state"
4740 .Cm check-state
4742 .Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM
4872 .An Poul-Henning Kamp ,
4876 .An Rasool Al-Saadi .
4878 .An -nosplit
4883 Dummynet has been introduced by Luigi Rizzo in 1997-1998.
4885 Some early work (1999-2000) on the
4895 .An -nosplit
4896 In-kernel NAT support written by
4912 CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet have been implemented by
4916 Rasool Al-Saadi.
4947 Dummynet drops all packets with IPv6 link-local addresses.