Lines Matching +full:speed +full:- +full:grade
8 in-kernel NAT.
19 .Op Ar rule | first-last ...
49 .Oo Cm set Ar N Oc Cm table Ar name Cm create Ar create-options
55 .Oo Cm set Ar N Oc Cm table Ar name Cm modify Ar modify-options
59 .Oo Cm set Ar N Oc Cm table Ar name Cm add Ar table-key Op Ar value
61 .Oo Cm set Ar N Oc Cm table Ar name Cm add Op Ar table-key Ar value ...
63 .Oo Cm set Ar N Oc Cm table Ar name Cm atomic add Op Ar table-key Ar value ...
65 .Oo Cm set Ar N Oc Cm table Ar name Cm delete Op Ar table-key ...
93 .Ar config-options
99 .Ss IN-KERNEL NAT
105 .Ar config-options
113 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm create Ar create-options
115 .Oo Cm set Ar N Oc Cm nat64lsn Ar name Cm config Ar config-options
129 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm create Ar create-options
131 .Oo Cm set Ar N Oc Cm nat64stl Ar name Cm config Ar config-options
144 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm create Ar create-options
146 .Oo Cm set Ar N Oc Cm nat64clat Ar name Cm config Ar config-options
157 .Ss IPv6-to-IPv6 NETWORK PREFIX TRANSLATION
159 .Oo Cm set Ar N Oc Cm nptv6 Ar name Cm create Ar create-options
183 .Ar preproc-flags
195 in-kernel NAT services.
210 in rule-number order
233 .Cm keep-state ,
234 .Cm record-state ,
237 .Cm set-limit
243 i.e., rules that match packets with the same 5-tuple
248 .Cm check-state ,
249 .Cm keep-state
252 rule, and are typically used to open the firewall on-demand to
255 .Cm keep-state
259 .Cm check-state
261 .Cm record-state
263 .Cm set-limit
265 .Cm check-state .
314 .Bl -tag -width indent
465 .Bd -literal -offset indent
468 +----------->-----------+
475 +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1
518 .Bd -literal -offset indent
556 Keywords are case-sensitive, whereas arguments may
557 or may not be case-sensitive depending on their nature
560 Some arguments (e.g., port or address lists) are comma-separated
567 .Bd -literal -offset indent
568 ipfw -q add deny src-ip 10.0.0.0/24,127.0.0.1/8
569 ipfw -q add deny src-ip 10.0.0.0/24, 127.0.0.1/8
570 ipfw "-q add deny src-ip 10.0.0.0/24, 127.0.0.1/8"
574 .Bd -ragged -offset indent
575 .Bk -words
593 .Bl -tag -width "Source and dest. addresses and ports" -offset XXX -compact
610 Fragmentation, Hop-by-Hop options,
612 .It IPv6 Flow-ID
635 .Bl -tag -width indent
652 non-default rule number by the value of the sysctl variable
657 non-default value is used instead.
684 to simulate the effect of multiple paths leading to out-of-order
689 .Cm keep-state
691 .Cm check-state
707 .Bd -literal -offset indent
715 .Bd -literal -offset indent
738 Once the limit is reached, logging can be re-enabled by
755 and to start doing policy-based filtering.
797 keyword, a 32-bit numeric mark is assigned to the packet.
837 .Cm check-state
839 .Cm keep-state
865 .Bl -tag -width indent
869 .It Cm check-state Op Ar :flowname | Cm :any
875 .Cm Check-state
878 .Cm check-state
880 .Cm keep-state
887 .Cm keep-state
908 Change the next-hop on matching packets to
967 Pass packet to a CLAT NAT64 instance (for client-side IPv6/IPv4 network address and
972 Pass packet to a NPTv6 instance (for IPv6-to-IPv6 network prefix translation):
974 .Sx IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
1077 command-line utility currently requires every action except
1078 .Cm check-state
1087 .Bd -literal -offset indent
1092 ipfw -c list
1110 .Cm needfrag , srcfail , net-unknown , host-unknown ,
1111 .Cm isolated , net-prohib , host-prohib , tosnet ,
1112 .Cm toshost , filter-prohib , host-precedence
1114 .Cm precedence-cutoff .
1129 .Cm no-route, admin-prohib, address
1220 .It Cm tcp-setmss Ar mss
1232 .Cm tcp-setmss
1258 Alternatively, direction-based (like
1262 ) and source-based (like
1267 .Bd -literal -offset indent
1289 operators -- i.e., all must match in order for the
1298 .Pq Em or-blocks
1320 .Bd -ragged -offset indent
1336 .Bl -tag -width indent
1338 .It Ar protocol : Oo Cm not Oc Ar protocol-name | protocol-number
1343 .Bl -tag -width indent
1366 .Em or-block )
1375 .Em ( or-block
1381 .Ar | addr-list | addr-set
1383 .Bl -tag -width indent
1395 If an optional 32-bit unsigned
1402 .It Ar addr-list : ip-addr Ns Op Ns , Ns Ar addr-list
1403 .It Ar ip-addr :
1405 .Bl -tag -width indent
1406 .It Ar numeric-ip | hostname
1407 Matches a single IPv4 address, specified as dotted-quad or a hostname.
1427 This form is advised only for non-contiguous
1432 error-prone.
1434 .It Ar addr-set : addr Ns Oo Ns / Ns Ar masklen Oc Ns Cm { Ns Ar list Ns Cm }
1435 .It Ar list : Bro Ar num | num-num Brc Ns Op Ns , Ns Ar list
1457 As an example, an address specified as 1.2.3.4/24{128,35-55,89}
1458 or 1.2.3.0/24{128,35-55,89}
1462 .It Ar addr6-list : ip6-addr Ns Op Ns , Ns Ar addr6-list
1463 .It Ar ip6-addr :
1465 .Bl -tag -width indent
1466 .It Ar numeric-ip | hostname
1493 This form is advised only for non-contiguous
1498 error-prone.
1519 .Em or-block
1527 .Pq Ql -
1532 .Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
1534 Fragmented packets which have a non-zero offset (i.e., not the first
1544 Zero or more of these so-called
1549 .Em or-blocks .
1552 .Bl -tag -width indent
1556 You can have comment-only rules, which are listed as having a
1562 .It Cm defer-immediate-action | defer-action
1566 .Cm record-state
1568 .Cm keep-state
1572 .Cm record-state
1574 .Cm defer-immediate-action
1581 .It Cm diverted-loopback
1584 .It Cm diverted-output
1587 .It Cm dst-ip Ar ip-address
1590 .It Bro Cm dst-ip6 | dst-ipv6 Brc Ar ip6-address
1593 .It Cm dst-port Ar ports
1605 Hop-to-hop options
1635 .It Cm flow-id Ar labels
1640 .It Cm dst-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1647 .It Cm src-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value
1668 .Pq Dv non-zero fragment offset .
1673 Empty list of options defaults to matching on non-zero fragment offset.
1709 time-to-live exceeded
1740 .It Cm ipid Ar id-list
1744 .Ar id-list ,
1748 .It Cm iplen Ar len-list
1751 .Ar len-list ,
1825 .It Cm ipttl Ar ttl-list
1827 .Ar ttl-list ,
1834 .It Cm keep-state Op Ar :flowname
1847 .Cm check-state
1859 .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname
1867 .It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid |
1882 .It Cm { MAC | mac } Ar dst-mac src-mac
1884 .Ar dst-mac
1886 .Ar src-mac
1893 .Bl -enum -width indent
1918 .It Cm mac-type Ar mac-type
1921 .Ar mac-type
1924 (i.e., one or more comma-separated single values or ranges).
1929 .Cm -N
1933 .It Cm record-state
1935 .Cm keep-state
1938 .Cm check-state
1940 .Cm keep-state .
2000 .It Cm set-limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N
2004 .Cm check-state
2013 to a non-zero value.
2022 .It Cm src-ip Ar ip-address
2025 .It Cm src-ip6 Ar ip6-address
2028 .It Cm src-port Ar ports
2031 .It Cm tagged Ar tag-list
2033 .Ar tag-list ,
2061 .It Cm tcpdatalen Ar tcpdatalen-list
2063 .Ar tcpdatalen-list ,
2087 a non-zero offset.
2091 .It Cm tcpmss Ar tcpmss-list
2093 .Ar tcpmss-list ,
2101 .It Cm tcpwin Ar tcpwin-list
2103 .Ar tcpwin-list ,
2146 .Dl ip verify unicast reverse-path
2148 This option can be used to make anti-spoofing rules to reject all
2163 .Dl ip verify unicast source reachable-via any
2165 This option can be used to make anti-spoofing rules to reject all
2177 This option can be used to make anti-spoofing rules to reject all
2190 .Ar table-name .
2205 .Bl -tag -width indent
2206 .It Ar table-type : Ar addr | iface | number | flow | mac
2207 .It Ar table-key : Ar addr Ns Oo / Ns Ar masklen Oc | iface-name | number | flow-spec
2208 .It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec
2209 .It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port
2230 Each entry is represented by 32-bit unsigned integer.
2257 .Bl -tag -width indent
2258 .It Ar create-options : Ar create-option | create-options
2259 .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc |
2260 .Cm limit Ar number | Cm locked | Cm missing | Cm or-flush
2273 .It Cm or-flush
2284 .Bl -tag -width indent
2285 .It Ar modify-options : Ar modify-option | modify-options
2286 .It Ar modify-option : Cm limit Ar number
2312 However, non-zero error code is returned in that case.
2317 to indicate all-or-none add request.
2324 However, non-zero error code is returned in that case.
2327 .Ar table-key
2330 .Ar table-key
2339 .Bl -tag -width indent
2347 Shows generic table information and algo-specific data.
2351 .Bl -tag -width indent
2352 .It Ar algo-desc : algo-name | "algo-name algo-data"
2353 .It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash | mac: r…
2361 Separate auto-growing hashes for IPv4 and IPv6.
2368 Mostly optimized for /64 and byte-ranged IPv6 masks.
2375 Auto-growing hash storing flow entries.
2391 .Ar value-mask .
2396 .Bl -tag -width indent
2397 .It Ar value-mask : Ar value-type Ns Op , Ns Ar value-mask
2398 .It Ar value-type : Ar skipto | pipe | fib | nat | dscp | tag | divert |
2465 .Bd -ragged -offset indent
2480 .Bd -ragged -offset indent
2489 .Bd -ragged -offset indent
2493 .Cm to Ar new-set
2497 .Bd -ragged -offset indent
2499 .Cm set swap Ar first-set second-set
2511 .Cm check-state , keep-state , record-state , limit
2513 .Cm set-limit
2518 .Cm keep-state ,
2519 .Cm record-state ,
2522 .Cm set-limit
2529 .Em src-ip/src-port dst-ip/dst-port
2537 .Cm keep-state
2543 .Cm check-state, keep-state
2557 .Dl "ipfw add check-state :OUTBOUND"
2558 .Dl "ipfw add allow tcp from my-subnet to any setup keep-state :OUTBOUND"
2565 .Dl "ipfw add check-state :OUTBOUND"
2566 .Dl "ipfw add allow udp from my-subnet to any keep-state :OUTBOUND"
2599 .Bl -hang -offset XXXX
2618 are first grouped into flows according to a mask on the 5-tuple.
2638 .Bd -literal -offset indent
2640 +---------+ weight Wx +-------------+
2641 | |->-[flow]-->--| |-+
2642 -->--| QUEUE x | ... | | |
2643 | |->-[flow]-->--| SCHEDuler N | |
2644 +---------+ | | |
2645 ... | +--[LINK N]-->--
2646 +---------+ weight Wy | | +--[LINK N]-->--
2647 | |->-[flow]-->--| | |
2648 -->--| QUEUE y | ... | | |
2649 | |->-[flow]-->--| | |
2650 +---------+ +-------------+ |
2651 +-------------+
2661 value of the packet's 5-tuple after applying SCHED_MASK.
2662 As an example, using ``src-ip 0xffffff00'' creates one instance
2668 ``src-ip 0x000000ff''
2713 variable to a non-zero value.
2721 .Bd -ragged -offset indent
2722 .Cm pipe Ar number Cm config Ar pipe-configuration
2724 .Cm queue Ar number Cm config Ar queue-configuration
2726 .Cm sched Ar number Cm config Ar sched-configuration
2731 .Bl -tag -width indent -compact
2755 .It Cm delay Ar ms-delay
2798 .Bd -literal -offset indent
2802 L +-- loss-level x
2809 +-------*------------------->
2821 .Bl -tag -width indent
2829 .It Cm loss-level Ar L
2852 .Bd -literal -offset indent
2855 loss-level 0.86
2869 .Bl -tag -width indent -compact
2880 The following case-insensitive parameters can be configured for a
2883 .Bl -tag -width indent -compact
2886 .Bl -tag -width indent -compact
2890 FIFO has O(1) per-packet time complexity, with very low
2891 constants (estimate 60-80ns on a 2GHz desktop machine)
2899 WF2Q+ has O(log N) per-packet processing cost, where N is the number
2904 costs (roughly, 100-150ns per packet)
2910 costs (roughly, 200-250ns per packet).
2912 implements the FQ-CoDel (FlowQueue-CoDel) scheduler/AQM algorithm, which
2913 uses a modified Deficit Round Robin scheduler to manage two lists of sub-queues
2914 (old sub-queues and new sub-queues) for providing brief periods of priority to
2916 By default, the total number of sub-queues is 1024.
2917 FQ-CoDel's internal, dynamically
2918 created sub-queues are controlled by separate instances of CoDel AQM.
2920 implements the FQ-PIE (FlowQueue-PIE) scheduler/AQM algorithm, which similar to
2922 but uses per sub-queue PIE AQM instance to control the queue delay.
2938 .Bl -tag -width indent
2956 specifies the total number of flow queues (sub-queues) that fq_*
2958 By default, 1024 sub-queues are created when an instance
2981 .Bl -tag -width XXXX -compact
2982 .It Cm buckets Ar hash-table-size
2991 .It Cm mask Ar mask-specifier
3017 .Cm dst-ip Ar mask ,
3018 .Cm dst-ip6 Ar mask ,
3019 .Cm src-ip Ar mask ,
3020 .Cm src-ip6 Ar mask ,
3021 .Cm dst-port Ar mask ,
3022 .Cm src-port Ar mask ,
3023 .Cm flow-id Ar mask ,
3041 .It Cm plr Ar packet-loss-rate
3045 .Ar packet-loss-rate
3046 is a floating-point number between 0 and 1, with 0 meaning no
3049 When invoked with four arguments, the simple Gilbert-Elliott
3051 .Bd -literal -offset indent
3053 .----------------.
3055 .------------. .------------.
3058 '------------' '------------'
3060 '----------------'
3073 K = 1 - k ; H = 1 - h
3076 quick re-use of loss probability when giving only a single argument.
3091 Note that for slow speed links you should keep the queue
3094 E.g., 50 max-sized Ethernet packets (1500 bytes) mean 600Kbit
3129 .Bl -tag -width indent
3143 Make use of the CoDel (Controlled-Delay) queue management algorithm.
3166 ECN-enabled TCP flows when queue delay becomes high.
3192 en-queue process, with the aim of achieving high throughput while keeping queue
3209 .Bl -tag -width indent
3230 enable or disable ECN marking for ECN-enabled TCP flows.
3236 enable or disable drop probability de-randomisation.
3237 De-randomisation eliminates
3239 De-randomisation is enabled by default.
3274 Information necessary to route link-local packets to an
3278 Care should be taken to ensure that link-local packets are not passed to
3283 .Bl -bullet
3294 use an auto-recovery script such as the one in
3300 .Bl -bullet
3319 reported as being dropped by rule -1.
3327 .Bd -literal -offset indent
3333 .Bd -literal -offset indent
3357 support in-kernel NAT using the kernel version of
3366 .Bd -ragged -offset indent
3367 .Bk -words
3371 .Ar nat-configuration
3376 .Bl -tag -width indent
3393 Like unreg_only, but includes the RFC 6598 (Carrier Grade NAT)
3403 .It Cm port_range Ar lower-upper
3407 When enabled, UDP packets use endpoint-independent mapping (EIM) from RFC 4787
3419 When disabled, UDP packets use endpoint-dependent mapping (EDM) ("symmetric"
3425 by port forwarding on the NAT, or tunnelling through an in-between server.
3431 .Bl -tag -width indent
3473 .Bd -ragged -offset indent
3474 .Bk -words
3480 .Ar ip_address [,addr_list] {[port | port-port] [,ports]}
3486 configuration can be done in real-time through the
3499 supports in-kernel IPv6/IPv4 network address and protocol translation.
3500 Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
3503 among several IPv6-only clients.
3543 .Bd -ragged -offset indent
3544 .Bk -words
3548 .Ar create-options
3553 .Bl -tag -width indent
3563 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3568 The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
3637 .It Cm -log
3643 .It Cm -allow_private
3650 .Bd -ragged -offset indent
3651 .Bk -words
3662 it can be configured to pass IPv4 clients to IPv6-only servers.
3665 .Bd -ragged -offset indent
3666 .Bk -words
3670 .Ar create-options
3675 .Bl -tag -width indent
3677 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3692 .It Cm -log
3698 .It Cm -allow_private
3709 XLAT464 CLAT NAT64 translator implements client-side stateless translation as
3712 Instead of lookup tables it uses one-to-one mapping between IPv4 and IPv6
3715 that are not using it (e.g. VoIP) allowing them to access IPv4-only Internet
3716 over IPv6-only networks with help of remote NAT64 translator.
3719 .Bd -ragged -offset indent
3720 .Bk -words
3724 .Ar create-options
3729 .Bl -tag -width indent
3731 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3734 The IPv6 prefix defines IPv4-embedded IPv6 addresses used by translator
3741 .It Cm -log
3749 .It Cm -allow_private
3759 .Sh IPv6-to-IPv6 NETWORK PREFIX TRANSLATION (NPTv6)
3761 supports in-kernel IPv6-to-IPv6 network prefix translation as described
3770 .Bd -ragged -offset indent
3771 .Bk -words
3775 .Ar create-options
3780 .Bl -tag -width indent
3818 .Bl -tag -width indent
3848 .Bl -tag -width indent
3852 responds to receipt of global OOTB ASCONF-AddIP:
3853 .Bl -tag -width indent
3855 No response (unless a partially matching association exists -
3878 responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets.
3882 and is not an INIT or ASCONF-AddIP packet:
3883 .Bl -tag -width indent
3904 multi-homed local hosts to function with the
3908 ASCONF-AddIP.
3933 SHUTDOWN-COMPLETE.
3937 Timeout value while waiting for (INIT-ACK|AddIP-ACK).
3943 will only be an INIT or ASCONF-AddIP packet.
3952 Level of detail in the system log messages (0 \- minimal, 1 \- event,
3953 2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug).
3957 Timeout value while waiting for SHUTDOWN-COMPLETE.
3964 .Bl -tag -width indent
4005 Defines the default total number of flow queues (sub-queues) that
4046 Defines the default total number of flow queues (sub-queues) that
4091 If set to a non-zero value,
4165 Delta between rule numbers when auto-generating them.
4174 The default rule number (read-only).
4187 (read-only).
4190 .Cm keep-state
4250 .Bl -tag -width indent
4275 sub-options:
4276 .Bl -tag -width indent
4280 with their in-kernel status.
4321 of the address sets and or-blocks and write extremely
4333 going out to vlans 100-1000:
4336 .Dl "{ xmit vlan1000 or xmit \*qvlan[1-9]??\*q }"
4340 option could be used to do automated anti-spoofing by adding the
4353 option could be used to do similar but more restricted anti-spoofing
4427 .Dl "ipfw add check-state"
4429 .Dl "ipfw add allow tcp from my-net to any setup keep-state"
4436 .Cm check-state ,
4437 .Cm keep-state
4442 .Cm check-state
4448 .Cm record-state
4450 .Cm defer-action
4459 .Dl "ipfw add allow tcp from my-net/24 to any setup limit src-addr 10"
4460 .Dl "ipfw add allow tcp from any to me setup limit src-addr 4"
4468 stateful rules can be subject to denial-of-service attacks
4469 by a SYN-flood which opens a huge number of dynamic rules.
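The `limit src-addr N` lines above bound how many dynamic entries one source may hold, which is the defence the SYN-flood remark calls for. As an added example (not part of ipfw(8) or of the listing above), the following POSIX sh script assembles such a ruleset, checks that `check-state` precedes every state-creating rule before anything is installed, and only calls `ipfw` when it is present. The names `build_rules`, `check_order`, `apply_rules`, the variables `LAN_NET`, `PER_HOST_LIMIT`, `PER_PEER_LIMIT` and the 192.0.2.0/24 subnet are assumptions made for the example; the rule syntax and the `ipfw -q pathname` invocation are those of ipfw(8).

```shell
#!/bin/sh
# Added example (not from ipfw(8)): build a stateful ruleset whose dynamic
# state is bounded per source with "limit", so a SYN flood cannot fill the
# dynamic rule table, and verify the rule order before installing it.
# Assumptions: LAN_NET is the protected subnet (a documentation range here),
# "me" is the firewall itself, and the per-source counts are illustrative.

LAN_NET="${LAN_NET:-192.0.2.0/24}"
PER_HOST_LIMIT="${PER_HOST_LIMIT:-10}"   # dynamic entries allowed per internal host
PER_PEER_LIMIT="${PER_PEER_LIMIT:-4}"    # dynamic entries allowed per remote source

# build_rules prints the ruleset in installation order. check-state must come
# before any rule that creates state: a packet matching an existing dynamic
# entry is accepted there and never reaches the limit rules again.
build_rules() {
    cat <<EOF
add 100 check-state
add 200 allow tcp from ${LAN_NET} to any setup limit src-addr ${PER_HOST_LIMIT}
add 300 allow tcp from any to me setup limit src-addr ${PER_PEER_LIMIT}
add 400 deny log ip from any to any
EOF
}

# check_order returns 0 when no state-creating rule (keep-state, record-state,
# limit) appears before the first check-state, and 1 otherwise.
check_order() {
    printf '%s\n' "$1" | (
        seen_check=0
        while IFS= read -r line; do
            case "$line" in
                *check-state*) seen_check=1 ;;
                *keep-state*|*record-state*|*"limit src-"*|*"limit dst-"*)
                    [ "$seen_check" -eq 1 ] || exit 1 ;;
            esac
        done
        exit 0
    )
}

# apply_rules installs the ruleset on a FreeBSD host (run as root). It refuses
# to run when the ordering check fails, and does nothing where ipfw is absent.
apply_rules() {
    rules="$(build_rules)"
    check_order "$rules" || {
        echo "refusing: a state-creating rule precedes check-state" >&2
        return 1
    }
    command -v ipfw >/dev/null 2>&1 || {
        echo "ipfw not found; nothing applied" >&2
        return 2
    }
    printf '%s\n' "$rules" | ipfw -q /dev/stdin
}

# With no argument the script only prints the ruleset; "apply" installs it.
case "${1:-}" in
    apply) apply_rules ;;
    *) build_rules ;;
esac
```

The deny-all at rule 400 is what makes the limits meaningful: without it, a SYN that finds no free slot under its source's limit would fall through to later rules instead of being dropped. Raising `net.inet.ip.fw.dyn_max` only enlarges the table; per-source limits are what keep one attacker from consuming it.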
4479 .Dl ipfw -at list
4483 .Dl ipfw -a list
4538 you want to simulate a half-duplex medium (e.g.\& AppleTalk,
4552 Procedure Calls, and where the round-trip-time of the
4561 Per-flow queueing can be useful for a variety of purposes.
4581 on a net with per-host limits, rather than per-network limits:
4585 .Dl "dnctl pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4586 .Dl "dnctl pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes"
4616 In the following example per-interface firewall is created:
4631 .Dl "ipfw table fl create type flow:src-ip,proto,dst-ip,dst-port"
4653 Here if everything goes well, you press control-C before the "sleep"
4665 .Dl "ipfw -S set 18 show"
4704 .Bd -literal -offset 2n
4715 .Bd -literal -offset 2n
4727 .Cm record-state
4729 .Cm defer-action
4734 .Cm keep-state
4746 .Dl "ipfw add allow record-state defer-action"
4752 .Dl "ipfw add check-state"
4760 .Cm check-state
4762 .Ss CONFIGURING CODEL, PIE, FQ-CODEL and FQ-PIE AQM
4892 .An Poul-Henning Kamp ,
4896 .An Rasool Al-Saadi .
4898 .An -nosplit
4903 Dummynet has been introduced by Luigi Rizzo in 1997-1998.
4905 Some early work (1999-2000) on the
4915 .An -nosplit
4916 In-kernel NAT support written by
4932 CoDel, PIE, FQ-CoDel and FQ-PIE AQM for Dummynet have been implemented by
4936 Rasool Al-Saadi.
4967 Dummynet drops all packets with IPv6 link-local addresses.