History log of /freebsd-head/sbin/ipfw/ipfw2.c
Revision Date Author Comments
13992a66bcfbb04385ba4267b07fb69326b27620 11-Sep-2020 ae <ae@FreeBSD.org> Fix compatibility regression after r364117.

Properly handle the case when some opcode keywords follow after
the `frag` opcode without additional options.

Reported by: Evgeniy Khramtsov <evgeniy at khramtsov org>
36f059d4272588520a665ec17ed2c7abc6cdff83 01-Sep-2020 se <se@FreeBSD.org> Change printf format string to include the extra blank

This is a follow up change to r364321 after a discussion about the style.
All nearby places use extra blanks in format strings, and while use of the
format string to provide the extra blank may need more cycles than adding 1
to twidth, it generates shorter code and is clearer in the opinion of some
reviewers of the previous change.

Not objected to by: emaste
MFC after: 3 days
77d1c9962834364f9afdc6bdb8bfcf82c9a1f0ea 17-Aug-2020 emaste <emaste@FreeBSD.org> ipfw: line up `ipfw -t list` with and without timestamp

From the PR:
When I run `ipfw -t list` on release/12 or current, I get misaligned
output between lines that do and do not have a last match timestamp,
like so:

00100 Tue Aug 11 03:03:26 2020 allow ip from any to any via lo0
00200 deny ip from any to

(specifically, the "allow" and "deny" strings do not line up)

PR: 248608
Submitted by: Taylor Stearns
MFC after: 3 days
a90e178610c2d071c512b3512715f721d275929c 11-Aug-2020 glebius <glebius@FreeBSD.org> ipfw: make the "frag" keyword accept additional options "mf",
"df", "rf" and "offset". This allows matching on specific
bits of the ip_off field.

For compatibility reasons, lack of a keyword means "offset".

Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D26021
bc246ae5e0caa21b376733ec4b32c6e7da72b08b 14-Jul-2020 adrian <adrian@FreeBSD.org> [ipfw] quieten maybe-uninitialized errors in ipfw when compiled under mips-gcc-6.3.0.

This is mostly an exercise to set variables to NULL/0 when declared, but
one was ensuring a string variable was set before printing it.
We should never see "<unknown>" in a printed rule; if we do then this code
definitely has some bugs that need addressing.
d766bb0d2894d24e8c7dfdad8e3c19c46a55208f 13-Jul-2020 markj <markj@FreeBSD.org> ipfw(8): Handle unaligned pointers in pr_u64.

struct _ipfw_dyn_rule is defined as packed, and as a result, its
uint64_t fields are misaligned on some 32-bit platforms. Since
pr_u64() is explicitly supposed to handle this case, avoid using a
uint64_t * for the input pointer to make sure that the compiler won't
(correctly) warn about the misalignment.

Reported by: jenkins
MFC with: r363164
e76b8ebd8269c525517a903b8f704eac553af89a 13-Jul-2020 markj <markj@FreeBSD.org> ipfw(8): Fix most warnings with the default WARNS level.

- Add missing const and static qualifiers.
- Avoid shadowing the global "co" by renaming it to "g_co".
- Avoid mixing signedness in loop bound checks.
- Leave -Wcast-align warnings disabled for now.

Reviewed by: ae, melifaro
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D25456
8c5f78e7a059ea6074759af9102f31aa9612a7a4 25-Jun-2020 markj <markj@FreeBSD.org> ipfw: Support the literal IPv6 address syntax in the fwd command.

Discussed with: rgrimes, Lutz Donnerhacke
Submitted by: Neel Chauhan <neel AT neelc DOT org>
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D24011
6e9131e1da4c998d823ca3299c97a00aadd8485c 24-Mar-2020 ae <ae@FreeBSD.org> Use IP_FW_NAT44_DESTROY opcode for IP_FW3 socket option to destroy
NAT instance.

The NAT44 group of opcodes for the IP_FW3 socket option is the modern way
to control NAT instances, and this method can be used in future to
switch from numeric to named NAT instances, like was done for ipfw
The IP_FW_NAT_DEL opcode is the last remnant of the old ipfw_ctl control
plane that doesn't support versioned operations. This interface will
be retired soon.

Reviewed by: melifaro
MFC after: 10 days
Sponsored by: Yandex LLC
2b3a33612a73e47fb8649c711b73d6746e1cb174 11-Mar-2020 melifaro <melifaro@FreeBSD.org> Revert r358858 as it breaks some ipfw(8) setups.

Reported by: O. Hartmann <o.hartmann@walstatt.org>
c2d0d7c3d08302498a7a85fc059772b0533b63f9 10-Mar-2020 melifaro <melifaro@FreeBSD.org> Don't assume !IPv6 is IPv4 in ipfw(8) add_src() and add_dst().

Submitted by: Neel Chauhan <neel AT neelc DOT org>
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D21812
a67e053e2bda7829203775e7e28a5d99332583de 05-Aug-2019 kevans <kevans@FreeBSD.org> ipfw: fix jail option after r348215

r348215 changed jail_getid(3) to validate passed-in jids as active jails
(as the function is documented to return -1 if the jail does not exist).
This broke the jail option (in some cases?) as the jail historically hasn't
needed to exist at the time of rule parsing; jids will get stored and later

Fix this caller to attempt to parse *av as a number first and just use it
as-is to match historical behavior. jail_getid(3) must still be used in
order for name arguments to work, but it's strictly a fallback in case we
weren't given a number.

Reported and tested by: Ari Suutari <ari stonepile fi>
Reviewed by: ae
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D21128
664615ae29ad6e28c25c4d88a0d651928871a3c7 25-Jun-2019 ae <ae@FreeBSD.org> Restore ipfw(8)'s compact output support broken after r331668.

Also modify it a bit. Now -c option omits only 'from any to any' part
and works for different protocols (not just for ip).

Reported by: Dmitry Selivanov <dseliv at gmail>
MFC after: 1 week
c6d750cdc7006255ce3702dea338d6c47d9e5c39 21-Jun-2019 ae <ae@FreeBSD.org> Add "tcpmss" opcode to match the TCP MSS value.

With this opcode it is possible to match TCP packets with a specified
MSS option, whose value corresponds to the value configured in the opcode.
It is allowed to specify a single value, a range of values, or an array of
specific values or ranges. E.g.

# ipfw add deny log tcp from any to any tcpmss 0-500

Reviewed by: melifaro,bcr
Obtained from: Yandex LLC
MFC after: 1 week
Sponsored by: Yandex LLC
50b3d8bf81088f77cb3a48d9d9f7f368ecfb42b5 29-Apr-2019 ae <ae@FreeBSD.org> Handle the HAVE_PROTO flag and print the "proto" keyword for O_IP4 and O_IP6
opcodes when it is needed.
This should fix the problem where a rule printed by `ipfw show` could not
be added due to a missing "proto" keyword.

MFC after: 2 weeks
93a7173b744f01de6f104418db8654872cb618da 18-Mar-2019 ae <ae@FreeBSD.org> Add NAT64 CLAT implementation as defined in RFC6877.

CLAT is a customer-side translator that algorithmically translates 1:1
private IPv4 addresses to global IPv6 addresses, and vice versa.
It is implemented as part of the ipfw_nat64 kernel module. When the module
is loaded or compiled into the kernel, it registers the "nat64clat" external
action. A named external action instance can be created using the `create`
command and then used in ipfw rules. The create command accepts two
IPv6 prefixes, `plat_prefix` and `clat_prefix`. If plat_prefix is omitted,
the IPv6 NAT64 Well-Known prefix 64:ff9b::/96 will be used.

# ipfw nat64clat CLAT create clat_prefix SRC_PFX plat_prefix DST_PFX
# ipfw add nat64clat CLAT ip4 from IPv4_PFX to any out
# ipfw add nat64clat CLAT ip6 from DST_PFX to SRC_PFX in

Obtained from: Yandex LLC
Submitted by: Boris N. Lytochkin
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
f78efc9763165bbc1f0974fa6d12d8abdf37e969 21-Dec-2018 ae <ae@FreeBSD.org> Allow the use of underscores and dots in service names without escaping.

PR: 234237
MFC after: 1 week
2243bfe43c7a35b2614ab1126a4f73d907c15c1b 10-Dec-2018 ae <ae@FreeBSD.org> Rework how protocol number is tracked in rule. Save it when O_PROTO
opcode will be printed. This should solve the problem, when protocol
name is not printed in `ipfw -N show`.

Reported by: Claudio Eichenberger <cei at yourshop.com>
MFC after: 1 week
4e62948ad41ca234be1990920f347a7e668cf13f 10-Dec-2018 ae <ae@FreeBSD.org> Use correct size for IPv4 address in gethostbyaddr().

When u_long is 8 bytes, it returns EINVAL and 'ipfw -N show' doesn't work.

Reported by: Claudio Eichenberger <cei at yourshop.com>
MFC after: 1 week
0d01acf0acd643b125e8ba28615826e06a4ab6de 04-Dec-2018 ae <ae@FreeBSD.org> Add ability to request listing and deleting only for dynamic states.

This can be useful when net.inet.ip.fw.dyn_keep_states is enabled, but
after rules reloading some state must be deleted. Added a new flag '-D'
for this purpose.

Retire '-e' flag, since there can not be expired states in the meaning
that this flag historically had.

Also add a "verbose" mode for listing dynamic states; it can be enabled
with the '-v' flag and adds additional information to the states list. This can
be useful for debugging.

Obtained from: Yandex LLC
MFC after: 2 months
Sponsored by: Yandex LLC
d4dca1e7d7914cbcfe7f3e5a4cdd716030515d88 25-Oct-2018 ae <ae@FreeBSD.org> Use the correct format specifier to print the setdscp action.

PR: 232642
MFC after: 3 days
32b03c3d5c5f983ea18aafe9a0f333ce9e0c89cc 21-Oct-2018 ae <ae@FreeBSD.org> Add the IPFW_RULE_JUSTOPTS flag, which is used by ipfw(8) to mark a rule
that was added using the "new rule format". Then, when the kernel
returns a rule with this flag, ipfw(8) can correctly show it.

Reported by: lev
MFC after: 3 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D17373
07abcaa5746727a0f55b37a06b7b21b2458d092b 26-Sep-2018 ae <ae@FreeBSD.org> Add "src-ip" or "dst-ip" keyword to the output, when we are printing the
rest of rule options.

Reported by: lev
Approved by: re (gjb)
MFC after: 1 week
9ceb9bc9afa53aa74b3c818f6c23b02ced45e9ea 10-Aug-2018 ae <ae@FreeBSD.org> Restore the behaviour changed in r337536, where a bad `ipfw delete` command
returns an error.

Now the -q option only makes it quiet. And when the -f flag is specified, the
command will ignore errors and continue executing with next batched

MFC after: 2 weeks
b8314a3b24c501dc5c6cce17123c7321510baaf7 09-Aug-2018 ae <ae@FreeBSD.org> If the -q flag is specified, do not complain when we are trying to delete a
nonexistent NAT instance or nonexistent rule.

This allows executing batched `delete` commands without failing when a
nonexistent rule is found.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
544b51e5e3da428c64a8567f1af47bec104e1de7 09-Jul-2018 ae <ae@FreeBSD.org> Add "record-state", "set-limit" and "defer-action" rule options to ipfw.

"record-state" is similar to "keep-state", but it doesn't produce an implicit
O_PROBE_STATE opcode in a rule. "set-limit" is like "limit", but it has the
same feature as "record-state": it is a single opcode without an implicit
O_PROBE_STATE opcode. "defer-action" is targeted to be used with dynamic
states. When a rule with this opcode is matched, the rule's action will
not be executed; instead a dynamic state will be created. And when this
state is matched by "check-state", the rule action will be executed.
This allows creating more complicated rulesets.

Submitted by: lev
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D1776
95deb222cf0a213bba4a16ee24d9bd2247716b95 03-Jul-2018 jamie <jamie@FreeBSD.org> Allow jail names (not just IDs) to be specified for: cpuset(1), ipfw(8),
sockstat(1), ugidfw(8)
These are the last of the jail-aware userland utilities that didn't work
with names.

PR: 229266
MFC after: 3 days
Differential Revision: D16047
c7db69c6d868fdb666d49b9aab921f6e42834587 10-May-2018 ae <ae@FreeBSD.org> Fix the printing of rule comments.

Change the uint8_t type of the opcode argument to int in the print_opcode()
function. Use a negative value to print the rest of the opcodes, because
the zero value is O_NOP, and it can't be used for this purpose.

Reported by: lev
MFC after: 1 week
117bdbcf950d9584cba5774e27bf11e8130bea44 12-Apr-2018 ae <ae@FreeBSD.org> Remove printing of "not" keyword from print_ip6() function.

After r331668 handling of the F_NOT flag is done in one place by the
print_instruction() function. Also remove an unused argument from the
print_ip[6]() functions.

MFC after: 1 week
4b88bf822d97d33375599834e829b5868253ff8c 12-Apr-2018 ae <ae@FreeBSD.org> Remove printing of "not" keyword from print_ip() function.

After r331668 handling of the F_NOT flag is done in one place by the
print_instruction() function.

MFC after: 1 week
a619ff04485019c541872350b78568a22362b88c 28-Mar-2018 ae <ae@FreeBSD.org> Rework ipfw rules parsing and printing code.

Introduce a show_state structure to keep information about printed opcodes.
Split the show_static_rule() function into several smaller functions. Make
parsing and printing opcodes into several passes. Each printed opcode
is marked in the show_state structure and will be skipped in the next passes.
Now the show_static_rule() function is simple, it just prints each part
of the rule separately: action, modifiers, proto, src and dst addresses,
options. The main goal of this change is to avoid wrong output of the
`ipfw show` command that cannot be parsed by ipfw(8).
Also now it is possible to make some simple static optimizations
by reordering opcodes in the rule.

PR: 222705
Discussed with: melifaro
MFC after: 2 weeks
Sponsored by: Yandex LLC
ad460b0f5eb0dadc8e3c21b64f9a1bd8e15d9d49 24-Dec-2017 ae <ae@FreeBSD.org> Fix rule number truncation, use uint16_t type to specify rulenum.

PR: 224555
MFC after: 1 week
d61fecb27316443e127799eaab6b95fb620fedb9 20-Dec-2017 pfg <pfg@FreeBSD.org> Revert r327005 - SPDX tags for license similar to BSD-2-Clause.

After consultation with SPDX experts and their matching guidelines[1],
the licensing doesn't exactly match the BSD-2-Clause. It yet remains to be
determined if they are equivalent or if there is a recognized license that
matches but it is safer to just revert the tags.

Let this also be a reminder that on FreeBSD, SPDX tags are only advisory
and have no legal value (but IANAL).

Pointyhat to: pfg
Thanks to: Rodney Grimes, Gary O'Neall

[1] https://spdx.org/spdx-license-list/matching-guidelines
95df0f2b7ef1fb28b1e77056188b52f4c1459058 19-Dec-2017 pfg <pfg@FreeBSD.org> SPDX: These are fundamentally BSD-2-Clause.

They just omit the introductory line and numbering.
6fd4821b437f085e0ca7fcdaca411217b55a3c48 26-Nov-2017 tuexen <tuexen@FreeBSD.org> Add to ipfw support for sending an SCTP packet containing an ABORT chunk.
This is similar to the TCP case, where a TCP RST segment can be sent.

There is one limitation: when sending an ABORT in response to an incoming
packet, it should be tested whether there is no ABORT chunk in the received
packet. Currently, it is only checked whether the first chunk is an ABORT
chunk, to avoid parsing the whole packet, which could result in a DoS attack.

Thanks to Timo Voelker for helping me to test this patch.
Reviewed by: bcr@ (man page part), ae@ (generic, non-SCTP part)
Differential Revision: https://reviews.freebsd.org/D13239
11e7e3951be810ff00b7d0346cb1e6a1c693d3d0 02-May-2017 ae <ae@FreeBSD.org> Properly initialize the ipfw_range_tlv variable to fix a possible EINVAL
in the case when an ipfw delete/zero/resetlog command is issued for several rules
in a loop. Also reorder some variables by size.

PR: 218993
MFC after: 1 week
fccd5b2db9e6f98900ddcec90456873f109e656b 03-Apr-2017 ae <ae@FreeBSD.org> Add ipfw_pmod kernel module.

The module is designed for modification of packets of any protocol.
For now it implements only TCP MSS modification. It adds the external
action handler for the "tcp-setmss" action.

A rule with the tcp-setmss action does an additional check for protocol and
TCP flags. If the SYN flag is present, it parses TCP options and modifies the
MSS option if its value is greater than the value configured in the rule.
Then it adjusts the TCP checksum if needed. After handling, the search
continues with the next rule.

Obtained from: Yandex LLC
MFC after: 2 weeks
Relnotes: yes
Sponsored by: Yandex LLC
No objection from: #network
Differential Revision: https://reviews.freebsd.org/D10150
5b90a3f01fa042266e3cf9565597985ee2386c67 03-Apr-2017 ae <ae@FreeBSD.org> Add O_EXTERNAL_DATA opcode support.

This opcode can be used to attach some data to an external action opcode.
Unlike the O_EXTERNAL_INSTANCE opcode, this opcode does not require
creating a named instance to pass configuration arguments to the external
action handler. The data comes just next to the O_EXTERNAL_ACTION opcode.

The userlevel part currently supports formatting for an opcode with ipfw_insn
size; by default it expects a u16 numeric value in arg1.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
452baa814de19956a62760ec8d9ab22286c52815 15-Mar-2017 ae <ae@FreeBSD.org> Change the syntax of ipfw's named states.

Since the state name is an optional argument, it often can conflict
with other options. To avoid ambiguity, the state name must now be
prefixed with a colon.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
35fedb74e59f8cb691d5e21bc9de73d5cd4a325f 28-Dec-2016 marius <marius@FreeBSD.org> Fix a bug in r272840; given that the optlen parameter of setsockopt(2)
is a 32-bit socklen_t, do_get3() passes the kernel to access the wrong
32-bit half on big-endian LP64 machines when simply casting the 64-bit
size_t optlen to a socklen_t pointer.
While at it and given that the intention of do_get3() apparently is to
hide/wrap the fact that socket options are used for communication with
ipfw(4), change the optlen parameter of do_set3() to be of type size_t
and as such more appropriate than uintptr_t, too.

MFC after: 3 days
2f47929e75e0261cdce1269693caab0d270a9658 29-Nov-2016 oleg <oleg@FreeBSD.org> Fix 'ipfw delete set N':
do not emit a meaningless 'rule 0 not found' warning if the set was already empty.

MFC after: 1 week
eaf81b99c6efd42bf03f6943c13187bd6b94c71b 15-Nov-2016 ae <ae@FreeBSD.org> Add missing support of named lookup tables to the IPv6 code.

PR: 214419
MFC after: 1 week
Sponsored by: Yandex LLC
fe7e60ec8aa25e10bcc779a94afda99782cd4146 14-Aug-2016 ae <ae@FreeBSD.org> Add the ability to attach a comment to check-state rules.

MFC after: 1 week
de0a5f6a7694bdac1491dfe0f10656c5ab403b9c 14-Aug-2016 ae <ae@FreeBSD.org> Do not warn about ambiguous state name when we inspect a comment token.

Reported by: lev
8c03d2551f387791d7a7b4ab8bbac67d07374829 13-Aug-2016 ae <ae@FreeBSD.org> Add ipfw_nat64 module that implements stateless and stateful NAT64.

The module works together with ipfw(4) and is implemented as its external
action module.

Stateless NAT64 registers an external action with the name nat64stl. This
keyword should be used to create a NAT64 instance and to address this
instance in rules. Stateless NAT64 uses two lookup tables with mapped
IPv4->IPv6 and IPv6->IPv4 addresses to perform translation.

A configuration of an instance should look like this:
1. Create lookup tables:
# ipfw table T46 create type addr valtype ipv6
# ipfw table T64 create type addr valtype ipv4
2. Fill T46 and T64 tables.
3. Add a rule to allow neighbor solicitation and advertisement:
# ipfw add allow icmp6 from any to any icmp6types 135,136
4. Create the NAT64 instance:
# ipfw nat64stl NAT create table4 T46 table6 T64
5. Add rules that match the traffic:
# ipfw add nat64stl NAT ip from any to table(T46)
# ipfw add nat64stl NAT ip from table(T64) to 64:ff9b::/96
6. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
via NAT64 host.

Stateful NAT64 registers an external action with the name nat64lsn. The only
option required to create a nat64lsn instance is prefix4. It defines
the pool of IPv4 addresses used for translation.

A configuration of an instance should look like this:
1. Add a rule to allow neighbor solicitation and advertisement:
# ipfw add allow icmp6 from any to any icmp6types 135,136
2. Create the NAT64 instance:
# ipfw nat64lsn NAT create prefix4 A.B.C.D/28
3. Add rules that match the traffic:
# ipfw add nat64lsn NAT ip from any to A.B.C.D/28
# ipfw add nat64lsn NAT ip6 from any to 64:ff9b::/96
4. Configure DNS64 for IPv6 clients and add route to 64:ff9b::/96
via NAT64 host.

Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6434
4500e11f0ab853367b969173406366111fedd257 11-Aug-2016 ae <ae@FreeBSD.org> Restore "nat global" support.

Now a zero value of arg1 is used to specify "tablearg"; use the old "tablearg"
value for "nat global". Introduce a new macro IP_FW_NAT44_GLOBAL to replace the
hardcoded magic number that specifies "nat global". Also replace the 65535 magic
number with the corresponding macro. Fix a typo in comments.

PR: 211256
Tested by: Victor Chernov
MFC after: 3 days
c6aaca92fce21a628dd3740273b404a4d3058cb6 08-Aug-2016 ae <ae@FreeBSD.org> Fix formatting of setfib opcode.

Zero fib is a correct value and it conflicts with IP_FW_TARG.
Use bprint_uint_arg() only when the opcode contains IP_FW_TARG,
otherwise just print the numeric value with the high-order bit cleared.

MFC after: 3 days
357073584e7e700ff7a5a27d07da44855643e1af 08-Aug-2016 ae <ae@FreeBSD.org> Fix constructing of setdscp opcode with tablearg keyword.

setdscp's argument can have a zero value that conflicts with the IP_FW_TARG value.
Always set the high-order bit if the parser doesn't find the tablearg keyword.

MFC after: 3 days
e679279326d9c15acc3c4b11f8f58161869354c1 19-Jul-2016 ae <ae@FreeBSD.org> Add named dynamic states support to ipfw(4).

The keep-state, limit and check-state opcodes now have an additional argument,
flowname. This flowname will be assigned to the dynamic rule by the keep-state
or limit opcode. It can then be matched by the check-state opcode or the
O_PROBE_STATE internal opcode. To reduce possible breakage and to maximize
compatibility with old rulesets, a default flowname is introduced.
It will be assigned to the rules when the user has omitted the state name in
keep-state and check-state opcodes. Also, if a name is ambiguous (can be
evaluated as a rule opcode) it will be replaced with the default.

Reviewed by: julian
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6674
2c47439b3f3763ea3fc9c1ee71abf72c60868ec1 18-Jul-2016 ae <ae@FreeBSD.org> Add ipfw_nptv6 module that implements Network Prefix Translation for IPv6
as defined in RFC 6296. The module works together with ipfw(4) and is
implemented as its external action module. When it is loaded, it registers
as an eaction and can be used in rules. The usage pattern is similar to
ipfw_nat(4). All traffic matched by a rule goes to the NPT module.

Reviewed by: hrs
Obtained from: Yandex LLC
MFC after: 1 month
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D6420
00d578928eca75be320b36d37543a7e2a4f9fbdb 27-May-2016 grehan <grehan@FreeBSD.org> Create branch for bhyve graphics import.
ee940751c30a0127c0a5dc187754fddaae8ca982 17-May-2016 ae <ae@FreeBSD.org> Make `ipfw internal olist` output more user friendly.
Print object type as string for known types.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC
f79f8e9de833c40831a97da242c164c934e5545f 17-May-2016 ae <ae@FreeBSD.org> Make named objects set-aware. Now it is possible to create named
objects with the same name in different sets.

Add an optional manage_sets() callback to the objects rewriting framework.
It is intended to implement a handler for moving and swapping named
objects' sets. Add the ipfw_obj_manage_sets() function that implements a
generic sets handler. Use the new callback to implement sets support for
lookup tables.
External action objects are global and they don't support sets.
Modify eaction_findbyname() to reflect this.
ipfw(8) now may fail to move rules or sets, because some named objects
in the target set may have conflicting names.
Note that the ipfw_obj_ntlv type was changed, but since lookup tables
actually didn't support sets, this change is harmless.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC
9308a287b414d87065bd0b502f6e994d5e254f56 30-Apr-2016 pfg <pfg@FreeBSD.org> sbin: minor spelling fixes.

No functional change.
4d9b1f8309d402ff30a915a7e44f5a9a185b2ef2 14-Apr-2016 ae <ae@FreeBSD.org> Add External Actions KPI to ipfw(9).

It allows implementing loadable kernel modules with new actions
without needing to modify kernel headers and ipfw(8). The module
registers its action handler and a keyword string that will be used
as the action name. Using the generic syntax, a user can add rules with this
action. Also ipfw(8) can be easily modified to extend the basic syntax
for external actions that become part of the base system.
Sample modules will be coming soon.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC
c3dfe54d824933b6bf801646313bf6eb06e0888f 14-Apr-2016 ae <ae@FreeBSD.org> Fix output formatting of O_UNREACH6 opcode.

Obtained from: Yandex LLC
0abb9ca63476a6154ea806f6b2d9d2b1608ac3ec 09-Mar-2016 ae <ae@FreeBSD.org> Set buffer to empty string to prevent duplicated output in some cases.

PR: 193888
3b4b162df0228ed74a1e63eccc7315071254344f 02-Mar-2016 ae <ae@FreeBSD.org> MFC r295969:
Fix bug in filling and handling ipfw's O_DSCP opcode.
Due to integer overflow CS4 token was handled as BE.

PR: 207459
Approved by: re (gjb)
fbff7925a133d45c4511f61818c53393501ce9dc 24-Feb-2016 ae <ae@FreeBSD.org> Fix bug in filling and handling ipfw's O_DSCP opcode.
Due to integer overflow CS4 token was handled as BE.

PR: 207459
MFC after: 1 week
750b62ddbe83065a7addaeebf7b25c178265dc35 03-Nov-2015 ae <ae@FreeBSD.org> Implement `ipfw internal olist` command to list named objects.

Reviewed by: melifaro
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
687e72445cf6071a6282fdbf71d856ae2ae580ff 12-Oct-2015 ae <ae@FreeBSD.org> MFC r288528:
Fix possible segmentation fault.

PR: 203494
8472d6f85dc76a4dbc89975877d989351400d9d7 03-Oct-2015 ae <ae@FreeBSD.org> Fix possible segmentation fault.

PR: 203494
MFC after: 1 week
d61f0d555c91cafefd45aa3af4f5dde90e0d2da3 22-Sep-2015 dim <dim@FreeBSD.org> MFC r286702:

In ipfw2, avoid left-shifting negative integers, which is undefined.
While here, make some other arguments to htonl(3) unsigned too.
5496fd3096bf187ed2221f8f0290f9f119b06208 18-Sep-2015 melifaro <melifaro@FreeBSD.org> MFC r266310

Fix wrong formatting of table records in ipfw(8).

Add a `flags` u16 field to the hole in the ipfw_table_xentry structure.
The kernel has been guessing the address family for a supplied record based
on the xent length size.
Userland, however, has been getting fixed-size ipfw_table_xentry structures,
guessing the address family by checking the address with IN6_IS_ADDR_V4COMPAT().

Fix this behavior by providing a specific IPFW_TCF_INET flag for IPv4 records.

PR: bin/189471,kern/200169
9ff051aa1cc08152eef35ef635d5a4403a86cc95 25-Aug-2015 araujo <araujo@FreeBSD.org> Code cleanup unused-but-set-variable spotted by gcc.

Reviewed by: melifaro
Approved by: bapt (mentor)
Differential Revision: D3473
06a3ccc4849881b77d332f022c58c3ac0df7e669 12-Aug-2015 dim <dim@FreeBSD.org> In ipfw2, avoid left-shifting negative integers, which is undefined.
While here, make some other arguments to htonl(3) unsigned too.

MFC after: 3 days
bcaee5870c1df015d2e70304e0d0fc043a66cfa3 03-Aug-2015 melifaro <melifaro@FreeBSD.org> Fix ipfw range deletion.

Spotted by: ian,julian
bf6ce87002c3a5f1c9946e1c513ca3b06fe3e1eb 26-Apr-2015 melifaro <melifaro@FreeBSD.org> Generalize object reference handling in ipfw rules.
No ABI changes.
14e86687711fe0ff15cfbfaa6fbfcae8aecb13a3 13-Mar-2015 ae <ae@FreeBSD.org> Properly initialize the scope zone id when the next hop address is stored
directly in the O_FORWARD_IP6 opcode. Use getnameinfo(3) to format
the IPv6 addresses of such opcodes.

Obtained from: Yandex LLC
Sponsored by: Yandex LLC
be47553309d1c25b349c4ca6256e5a0231688a4b 05-Feb-2015 melifaro <melifaro@FreeBSD.org> Retrieve counters from kernel if rule timestamping is requested.

PR: kern/197271
Submitted by: lev
Sponsored by: Yandex LLC
c9090358025e1fc68662c5fad7a839a1b71b35c0 24-Oct-2014 melifaro <melifaro@FreeBSD.org> Fix displaying non-contiguous netmasks.

Found by: ae
Sponsored by: Yandex LLC
d7ea66893ffd70df675df8ebd11c04d63611a773 18-Oct-2014 melifaro <melifaro@FreeBSD.org> * Zero rule buffer.
* Rename 'read' variable.

Pointed by: luigi
48fe6db658f408de27d0a3f48acd21a172154f34 17-Oct-2014 melifaro <melifaro@FreeBSD.org> * Fix table sets handling.
* Simplify formatting.

Suggested by: luigi
76e89c35002f91c3847a4d3c09550051a97cb6e4 13-Oct-2014 melifaro <melifaro@FreeBSD.org> Show error when deleting non-existing rule number.

Found by: Oleg Ginzburg
14eb15740e8e9c54c73db41489a10ca25bf55cb2 13-Oct-2014 melifaro <melifaro@FreeBSD.org> * Fix zeroing individual entries via ipfw(8).
* Report error and return non-zero exit code if zeroing non-matched entries

Found by: Oleg Ginzburg
4b5577b783ff0935c6ea74c6a76b5f554d898e9a 10-Oct-2014 melifaro <melifaro@FreeBSD.org> Partially fix build on !amd64

Pointed by: bz
de047d9894ae20c81e9cc23c1144edd637150167 06-Oct-2014 melifaro <melifaro@FreeBSD.org> Improve "reserved keywords" hack:

we can't easily predict (in the current parsing model)
if the keyword is an ipfw(8) reserved keyword or a port name.
Checking the proto database via getprotobyname() consumes a lot of
CPU and leads to tens of seconds for parsing a large ruleset.
Use a list of reserved keywords and check them as a pre-requisite
before doing getprotobyname().

Obtained from: Yandex LLC
6d4e1e4f7b52f1c8a619c0543a842d2c32fc4b08 05-Oct-2014 melifaro <melifaro@FreeBSD.org> Fix tracked interface list retrieval.
94289f5d3934e2c58e0829ac8c967da579783e2b 04-Oct-2014 melifaro <melifaro@FreeBSD.org> Fix GCC warnings.
6cdcf30fda817762f864513fff7727b9ae7eba7a 05-Sep-2014 melifaro <melifaro@FreeBSD.org> Return setsockopt() directly.

Suggested by: Steven Hartland at killing@multiplay.co.uk.
81481843c89b5698f398e75d85bb91e8b251c059 05-Sep-2014 melifaro <melifaro@FreeBSD.org> Use per-function errno handling instead of global one.

Requested by: luigi
a1eca3cc0cdd195bc172867295820b7b183f96ba 31-Aug-2014 melifaro <melifaro@FreeBSD.org> Add support for multi-field values inside ipfw tables.
This is the last major change in given branch.

Kernel changes:
* Use 64-byte structures to hold multi-value variables.
* Use a shared array to hold values from all tables (assume
each table algo is capable of holding 32-byte variables).
* Add some placeholders to support per-table value arrays in future.
* Use a simple eventhandler-style API to ease the process of adding new
table items. Currently table addition may require multiple UH drops/
acquires which is quite tricky due to atomic table modification/swap
support, shared array resize, etc. Deal with it by calling a special
notifier capable of rolling back state before actually performing
swap/resize operations. The original operation then restarts itself after
acquiring the UH lock.
* Bump all objhash users' default values to at least 64
* Fix custom hashing inside objhash.

Userland changes:
* Add support for dumping the shared value array via the "vlist" internal cmd.
* Some small print/fill_flags fixes to support u32 values.
* valtype is now bitmask of
New values can hold distinct values for each of these types.
* Provide a special "legacy" type which assumes all values are the same.
* More helpers/docs following..

Some examples:

3:41 [1] zfscurr0# ipfw table mimimi create valtype skipto,limit,ipv4,ipv6
3:41 [1] zfscurr0# ipfw table mimimi info
+++ table(mimimi), set(0) +++
kindex: 2, type: addr
references: 0, valtype: skipto,limit,ipv4,ipv6
algorithm: addr:radix
items: 0, size: 296
3:42 [1] zfscurr0# ipfw table mimimi add 3000,10,,2a02:978:2::1
added: 3000,10,,2a02:978:2::1
3:42 [1] zfscurr0# ipfw table mimimi list
+++ table(mimimi), set(0) +++ 3000,0,,2a02:978:2::1
06eb65b2486cbb226f54027c3e796e7af67bea20 23-Aug-2014 melifaro <melifaro@FreeBSD.org> Whitespace/style changes merged from projects/ipfw.
f99eb0fb2fab9f81d8f9b18956916ea731e2b10b 23-Aug-2014 melifaro <melifaro@FreeBSD.org> Merge buffer-printing changes from projects/ipfw as preparation
for branch merge.

Requested by: luigi
21ceaa3a9fee4ff9b5d6a289bd62fc9733c50419 13-Aug-2014 melifaro <melifaro@FreeBSD.org> * Pass proper table set numbers from userland side.
* Ignore them, but honor V_fw_tables_sets value on kernel side.
cb5593124f9c98d6a52de009f7c611954f79ec51 13-Aug-2014 melifaro <melifaro@FreeBSD.org> Update op3 cmds.
4db6b3801cde1307c593e1f162f67103a2df26db 12-Aug-2014 melifaro <melifaro@FreeBSD.org> Move one step further towards libipfw: convert show_static_rule() to
bpprint-output style, so one can now output human-readable rule
representation to preallocated buffer.
72d98439fa7a3f3a7b9754f2c7349fd011e97bf0 12-Aug-2014 melifaro <melifaro@FreeBSD.org> * Update table_handler cmd list
* Implement partial cmd matching inside table handler.
20eb17aed6d26d7d3c707c19a003ded76903f2dd 12-Aug-2014 melifaro <melifaro@FreeBSD.org> Change tablearg value to be 0 (try #2).
Most of the tablearg-supported opcodes do not accept 0 as a valid value:
O_NETGRAPH, O_NGTEE, O_NAT treat 0 as invalid input.

The rest are O_SETDSCP and O_SETFIB.
'Fix' them by adding high-order bit (0x8000) set for non-tablearg values.
Do translation in kernel for old clients (import_rule0 / export_rule0),
teach current ipfw(8) binary to add/remove given bit.

This change does not affect handling SETDSCP values, but limits
O_SETFIB values to 32767 instead of 65k. Since currently we have either
old (16) or new (2^32) max fibs, this should not be a big deal:
we're definitely OK for former and have to add another opcode to deal
with latter, regardless of tablearg value.
57d917cb999b3ca0620d53795938338b40ab5904 08-Aug-2014 melifaro <melifaro@FreeBSD.org> Kernel changes:
* Fix buffer calculation for table dumps
* Fix IPv6 radix entries addition broken in r269371.

Userland changes:
* Fix bug in retrieving static ruleset
* Fix several bugs in retrieving table list
deeb40d882b2cea0871cad31896ee9feda938ebb 08-Aug-2014 melifaro <melifaro@FreeBSD.org> Partially revert previous commit:
"0" value is perfectly valid for O_SETFIB and O_SETDSCP,
so tablearg remains 65535 for now.
bc102dcade457b5c55b2db567fb4f2aad6fe3f80 08-Aug-2014 melifaro <melifaro@FreeBSD.org> * Switch tablearg value from 65535 to 0.
* Use u16 table kidx instead of integer on for iface opcode.
* Provide compatibility layer for old clients.
61bb76b81376b5a5ada7bef245e71f67bd406af7 07-Aug-2014 melifaro <melifaro@FreeBSD.org> Kernel changes:
* Implement proper checks for switching between global and set-aware tables
* Split IP_FW_DEL mess into the following opcodes:
* IP_FW_XDEL (del rules matching pattern)
* IP_FW_XMOVE (move rules matching pattern to another set)
* IP_FW_SET_SWAP (swap between 2 sets)
* IP_FW_SET_MOVE (move one set to another one)
* IP_FW_SET_ENABLE (enable/disable sets)
* Add IP_FW_XZERO / IP_FW_XRESETLOG to finish IP_FW3 migration.
* Use unified ipfw_range_tlv as range description for all of the above.
* Check dynamic states IFF there was non-zero number of deleted dyn rules,
* Del relevant dynamic states with single traversal instead of per-rule one.

Userland changes:
* Switch ipfw(8) to use new opcodes.
becbec7be8fc96c65142c29024e62335a3e0a95c 03-Aug-2014 melifaro <melifaro@FreeBSD.org> * Move "talist" and "iflist" cmds into newly-created "internal" ipfw(8) cmd.
* Add "table X detail" cmd and show detailed algo info there instead
of "info".
178311d9d4c0a512292c01d751831b7155819d27 01-Aug-2014 melifaro <melifaro@FreeBSD.org> * Permit limiting number of items in table.

Kernel changes:
* Add TEI_FLAGS_DONTADD entry flag to indicate that insert is not possible
* Support given flag in all algorithms
* Add "limit" field to ipfw_xtable_info
* Add actual limiting code into add_table_entry()

Userland changes:
* Add "limit" option as "create" table sub-option. Limit modification
is currently impossible.
* Print human-readable errors in table entry addition/deletion code.
58e70e361d08201a6ba2a735dead93dadb3842d3 31-Jul-2014 melifaro <melifaro@FreeBSD.org> * Add new "flow" table type to support N=1..5-tuple lookups
* Add "flow:hash" algorithm

Kernel changes:
* Add O_IP_FLOW_LOOKUP opcode to support "flow" lookups
* Add IPFW_TABLE_FLOW table type
* Add "struct tflow_entry" as storage for 6-tuple flows
* Add "flow:hash" algorithm. Basically it is auto-growing chained hash table.
Additionally, we store mask of fields we need to compare in each instance.

* Increase ipfw_obj_tentry size by adding struct tflow_entry
* Add per-algorithm stat (ifpw_ta_tinfo) to ipfw_xtable_info
* Increase algoname length: 32 -> 64 (algo options passed there as string)
* Assume every table type can be customized by flags, use u8 to store "tflags" field.
* Simplify ipfw_find_table_entry() by providing @tentry directly to algo callback.
* Fix bug in cidr:chash resize procedure.

Userland changes:
* add "flow table(NAME)" syntax to support n-tuple checking tables.
* make fill_flags() separate function to ease working with _s_x arrays
* change "table info" output to reflect longer "type" fields

ipfw table fl2 create type flow:[src-ip][,proto][,src-port][,dst-ip][dst-port] [algo flow:hash]


0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash
0:02 [2] zfscurr0# ipfw table fl2 info
+++ table(fl2), set(0) +++
kindex: 0, type: flow:src-ip,proto,dst-port
valtype: number, references: 0
algorithm: flow:hash
items: 0, size: 280
0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000
0:02 [2] zfscurr0# ipfw table fl2 add,tcp,80 22000
0:02 [2] zfscurr0# ipfw table fl2 list
+++ table(fl2), set(0) +++
2a02:6b8::333,6,443 45000,6,80 22000
0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 80 flow 'table(fl2)'
00200 count tcp from me to dst-port 80 flow table(fl2)
0:03 [2] zfscurr0# ipfw show
00200 0 0 count tcp from me to dst-port 80 flow table(fl2)
65535 617 59416 allow ip from any to any
0:03 [2] zfscurr0# telnet -s 80
0:04 [2] zfscurr0# ipfw show
00200 5 272 count tcp from me to dst-port 80 flow table(fl2)
65535 682 66733 allow ip from any to any
4419c812fe0038036e569006b6f17f4558ec53dc 30-Jul-2014 melifaro <melifaro@FreeBSD.org> * Add number:array algorithm lookup method.

Kernel changes:
* Force "lookup <port|uid|gid|jid>" to be IPFW_TABLE_NUMBER
* Support "lookup" method for number tables
* Add number:array algorithm (i32 as key, auto-growing).

Userland changes:
* Support named tables in "lookup <tag> Table"
* Fix handling of "table(NAME,val)" case
* Support printing "number" table data.
fa3f38a6a0f5431577dbb7d336d2468cd60edab8 28-Jul-2014 melifaro <melifaro@FreeBSD.org> * Add generic ipfw interface tracking API
* Rewrite interface tables to use interface indexes

Kernel changes:
* Add generic interface tracking API:
- ipfw_iface_ref (must call unlocked, performs lazy init if needed, allocates
state & bumps ref)
- ipfw_iface_add_ntfy(UH_WLOCK+WLOCK, links consumer & runs its callback to
update ifindex)
- ipfw_iface_del_ntfy(UH_WLOCK+WLOCK, unlinks consumer)
- ipfw_iface_unref(unlocked, drops reference)
Additionally, consumer callbacks are called in interface withdrawal/departure.

* Rewrite interface tables to use iface tracking API. Currently tables are
implemented the following way:
runtime data is stored as sorted array of {ifidx, val} for existing interfaces
full data is stored inside namedobj instance (chained hashed table).

* Add IP_FW_XIFLIST opcode to dump status of tracked interfaces

* Pass @chain ptr to most non-locked algorithm callbacks:
(prepare_add, prepare_del, flush_entry ..). This may be needed for better
interaction of given algorithm and other ipfw subsystems

* Add optional "change_ti" algorithm handler to permit updating of
cached table_info pointer (happens in case of table_max resize)

* Fix small bug in ipfw_list_tables()
* Add badd (insert into sorted array) and bdel (remove from sorted array) funcs

Userland changes:
* Add "iflist" cmd to print status of currently tracked interfaces
* Add stringnum_cmp for better interface/table names sorting
3f7d90b38540b269777223f0d936ca2415f262ac 08-Jul-2014 melifaro <melifaro@FreeBSD.org> * Use different rule structures in kernel/userland.
* Switch kernel to use per-cpu counters for rules.
* Keep ABI/API.

Kernel changes:
* Each rule is now exported as TLV with optional extensible
counter block (ip_fW_bcounter for base one) and
ip_fw_rule for rule&cmd data.
* Counters need to be explicitly requested by IPFW_CFG_GET_COUNTERS flag.
* Separate counters from rules in kernel and clean up ip_fw a bit.
* Pack each rule in IPFW_TLV_RULE_ENT tlv to ease parsing.
* Introduce versioning in container TLV (may be needed in future).
* Fix ipfw_cfg_lheader broken u64 alignment.

Userland changes:
* Use set_mask from cfg header when requesting config
* Fix incorrect read accounting in ipfw_show_config()
* Use IPFW_RULE_NOOPT flag instead of playing with _pad
* Fix "ipfw -d list": do not print counters for dynamic states
* Some small fixes
7189aec01e6afdff30c5da27f7d8465d6be09ce7 06-Jul-2014 melifaro <melifaro@FreeBSD.org> * Prepare to pass other dynamic states via ipfw_dump_config()

Kernel changes:
* Change dump format for dynamic states:
each state is now stored inside ipfw_obj_dyntlv
last dynamic state is indicated by IPFW_DF_LAST flag
* Do not perform sooptcopyout() for !SOPT_GET requests.

Userland changes:
* Introduce foreach_state() function handler to ease work
with different states passed by ipfw_dump_config().
99023231d3e6ab3f80cecab0626d12352069bedf 03-Jul-2014 melifaro <melifaro@FreeBSD.org> Fully switch to named tables:

Kernel changes:
* Introduce ipfw_obj_tentry table entry structure to force u64 alignment.
* Support "update-on-existing-key" "add" behavior (TEI_FLAGS_UPDATED).
* Use "subtype" field to distinguish between IPv4 and IPv6 table records
instead of previous hack.
* Add value type (vtype) field for kernel tables. Current types are
number,ip and dscp
* Fix sets mask retrieval for old binaries
* Fix crash while using interface tables

Userland changes:
* Switch ipfw_table_handler() to use named-only tables.
* Add "table NAME create [type {cidr|iface|u32} [valtype {number|ip|dscp}] ..."
* Switch ipfw_table_handler to match_token()-based parser.
* Switch ipfw_sets_handler to use new ipfw_get_config() for mask retrieval.
* Allow ipfw set X table ... syntax to permit using per-set table namespaces.
75913dd997a81341ee4e07a64ff5f6d7ccec1d2b 29-Jun-2014 melifaro <melifaro@FreeBSD.org> * Add new IP_FW_XADD opcode which permits to
a) specify table ids as names
b) add multiple rules at once.
Partially convert current code for atomic addition of multiple rules.
145faf7cb6c219cd3a072b2514084c24d477b9e8 29-Jun-2014 melifaro <melifaro@FreeBSD.org> Enable kernel-side rule filtering based on user request.
Make do_get3() function return real error.
5d627fdb8b30e877afe6caaa8ca68a5e9e191bc4 28-Jun-2014 melifaro <melifaro@FreeBSD.org> Support showing named tables in ipfw(8) rule listing.

Kernel changes:
* change base TLV header to be u64 (so size can be u32).
* Introduce ipfw_obj_ctlv generic container TLV.
* Add IP_FW_XGET opcode which is now used for atomic configuration
retrieval. One can specify needed configuration pieces to retrieve
via flags field. Currently supported are
IPFW_CFG_GET_STATIC (static rules) and
IPFW_CFG_GET_STATES (dynamic states).
Other configuration pieces (tables, pipes, etc..) support is planned.

Userland changes:
* Switch ipfw(8) to use new IP_FW_XGET for rule listing.
* Split rule listing code get and show pieces.
* Make several steps forward towards libipfw:
permit printing states and rules (partially) to supplied buffer.
do not die on malloc/kernel failure inside given printing functions.
stop assuming cmdline_opts is global symbol.
fe9646e6ff1b3a57a7e6178adbd24217fe42d8a1 14-Jun-2014 melifaro <melifaro@FreeBSD.org> Move further to eliminate next pieces of number-assuming code inside tables.

Kernel changes:
* Add IP_FW_OBJ_FLUSH opcode (flush table based on its name/set)
* Add IP_FW_OBJ_DUMP opcode (dumps table data based on its names/set)
* Add IP_FW_OBJ_LISTSIZE / IP_FW_OBJ_LIST opcodes (get list of kernel tables)

Userland changes:
* move tables code to separate tables.c file
* get rid of tables_max
* switch "all"/list handling to new opcodes
f9fb63fe8c86b065753da183636bf586e6e03258 14-Jun-2014 melifaro <melifaro@FreeBSD.org> Add API to ease adding new algorithms/new tabletypes to ipfw.

Kernel-side changelog:
* Split general tables code and algorithm-specific table data.
Current algorithms (IPv4/IPv6 radix and interface tables radix) moved to
new ip_fw_table_algo.c file.
Tables code now supports any algorithm implementing the following callbacks:
+struct table_algo {
+ char name[64];
+ int idx;
+ ta_init *init;
+ ta_destroy *destroy;
+ table_lookup_t *lookup;
+ ta_prepare_add *prepare_add;
+ ta_prepare_del *prepare_del;
+ ta_add *add;
+ ta_del *del;
+ ta_flush_entry *flush_entry;
+ ta_foreach *foreach;
+ ta_dump_entry *dump_entry;
+ ta_dump_xentry *dump_xentry;

* Change ->state, ->xstate, ->tabletype fields of ip_fw_chain to
->tablestate pointer (array of 32 bytes structures necessary for
runtime lookups (can probably be shrunk to 16 bytes later):

+struct table_info {
+ table_lookup_t *lookup; /* Lookup function */
+ void *state; /* Lookup radix/other structure */
+ void *xstate; /* eXtended state */
+ u_long data; /* Hints for given func */

* Add count method for namedobj instance to ease size calculations
* Bump ip_fw3 buffer in ipfw_clt 128->256 bytes.
* Improve bitmask resizing on tables_max change.
* Remove table numbers checking from most places.
* Fix wrong nesting in ipfw_rewrite_table_uidx().

* Add IP_FW_OBJ_LIST opcode (list all objects of given type, currently
implemented for IPFW_OBJTYPE_TABLE).
* Add IP_FW_OBJ_LISTSIZE (get buffer size to hold IP_FW_OBJ_LIST data,
currently implemented for IPFW_OBJTYPE_TABLE).
* Add IP_FW_OBJ_INFO (requests info for one object of given type).

Some name changes:
s/ipfw_xtable_tlv/ipfw_obj_tlv/ (no table specifics)
s/ipfw_xtable_ntlv/ipfw_obj_ntlv/ (no table specifics)

Userland changes:
* Add do_set3() cmd to ipfw2 to ease dealing with op3-embedded opcodes.
* Add/improve support for destroy/info cmds.
01ec53e019425da60623197883cf086045df2974 12-Jun-2014 melifaro <melifaro@FreeBSD.org> Make ipfw tables use names as user-level identifier internally:

* Add namedobject set-aware api capable of searching/allocation objects by their name/idx.
* Switch tables code to use string ids for configuration tasks.
* Change locking model: most configuration changes are protected with UH lock, runtime-visible are protected with both locks.
* Reduce number of arguments passed to ipfw_table_add/del by using separate structure.
* Add internal V_fw_tables_sets tunable (set to 0) to prepare for set-aware tables (requires opcodes/client support)
* Implement typed table referencing (and tables are implicitly allocated with all state like radix ptrs on reference)
* Add "destroy" ipfw(8) using new IP_FW_DELOBJ opcode

Namedobj more detailed:
* Blackbox api providing methods to add/del/search/enumerate objects
* Statically-sized hashes for names/indexes
* Per-set bitmask to indicate free indexes
* Separate methods for index alloc/delete/resize

Basically, there should not be any user-visible changes except the following:
* reducing table_max is not supported
* flush & add change table type won't work if table is referenced

Sponsored by: Yandex LLC
f4783a05e9466a8805fae966e8fd9d592f053eeb 17-May-2014 melifaro <melifaro@FreeBSD.org> Fix wrong formatting of table records in ipfw(8).

Add `flags` u16 field to the hole in ipfw_table_xentry structure.
Kernel has been guessing address family for supplied record based
on xent length size.
Userland, however, has been getting fixed-size ipfw_table_xentry structures
guessing address family by checking address by IN6_IS_ADDR_V4COMPAT().

Fix this behavior by providing specific IPFW_TCF_INET flag for IPv4 records.

PR: bin/189471
Submitted by: Dennis Yusupoff <dyr@smartspb.net>
MFC after: 2 weeks
89bf7e80ea7ce88fd4bbd25c5f6576c40dea5acd 08-May-2014 melifaro <melifaro@FreeBSD.org> Merge r258708, r258711, r260247, r261117.

Check ipfw table numbers in both user and kernel space before rule addition.
Found by: Saychik Pavel <umka@localka.net>

Simplify O_NAT opcode handling.

Use rnh_matchaddr instead of rnh_lookup for longest-prefix match.
rnh_lookup is effectively the same as rnh_matchaddr if called with
empty network mask.

Reorder struct ip_fw_chain:
* move rarely-used fields down
* move uh_lock to different cacheline
* remove some unused fields
e9871feb649f1b35fccefcbbf29b7c093f4510d9 08-May-2014 melifaro <melifaro@FreeBSD.org> Merge r258677.

Fix key lookup in ipfw(8) broken since r232865.
Print warning for IPv4 address strings which are valid in
inet_aton() but not valid in inet_pton(). (1)

Found by: Özkan KIRIK <ozkan.kirik@gmail.com>
Submitted by: Ian Smith <smithi@nimnet.asn.au> (1)
eb1a5f8de9f7ea602c373a710f531abbf81141c4 21-Feb-2014 gjb <gjb@FreeBSD.org> Move ^/user/gjb/hacking/release-embedded up one directory, and remove
^/user/gjb/hacking since this is likely to be merged to head/ soon.

Sponsored by: The FreeBSD Foundation
6b01bbf146ab195243a8e7d43bb11f8835c76af8 27-Dec-2013 gjb <gjb@FreeBSD.org> Copy head@r259933 -> user/gjb/hacking/release-embedded for initial
inclusion of (at least) arm builds with the release.

Sponsored by: The FreeBSD Foundation
c9cfc8e3226ba615d3221cb9c74e66d69b9c70c5 28-Nov-2013 melifaro <melifaro@FreeBSD.org> Check ipfw table numbers in both user and kernel space before rule addition.

Found by: Saychik Pavel <umka@localka.net>
MFC after: 2 weeks
Sponsored by: Yandex LLC
fd228112092db02fbde2bcbe9cddfb98e487da00 27-Nov-2013 melifaro <melifaro@FreeBSD.org> Fix key lookup in ipfw(8) broken since r232865.
Print warning for IPv4 address strings which are valid in
inet_aton() but not valid in inet_pton(). (1)

Found by: Özkan KIRIK <ozkan.kirik@gmail.com>
Submitted by: Ian Smith <smithi@nimnet.asn.au> (1)
MFC after: 2 weeks
Sponsored by: Yandex LLC
960402d8a4c86e0690805d08a9234d62a335662e 18-May-2013 melifaro <melifaro@FreeBSD.org> Fix ipfw(8) sets of ipv6 addresses handling.
Conditionally use stack buffer instead of calling strdup().

PR: bin/104921
MFC after: 2 weeks
d50a0fe376234526284497deaba11cfcca6c3c35 20-Mar-2013 melifaro <melifaro@FreeBSD.org> Remove unused variable.
31a6358fffd6950960c98280182bba118f5ac9f9 20-Mar-2013 melifaro <melifaro@FreeBSD.org> Add ipfw support for setting/matching DiffServ codepoints (DSCP).

Setting DSCP support is done via O_SETDSCP which works for both
IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4.
Dscp can be specified by name (AFXY, CSX, BE, EF), by value
(0..63) or via tablearg.

Matching DSCP is done via another opcode (O_DSCP) which accepts several
classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words).

Many people made their variants of this patch, the ones I'm aware of are
(in alphabetic order):

Dmitrii Tejblum
Marcelo Araujo
Roman Bogorodskiy (novel)
Sergey Matveichuk (sem)
Sergey Ryabin

PR: kern/102471, kern/121122
MFC after: 2 weeks
68eaa885cacec0b2c6ff1d1345f422b741060bca 04-Mar-2013 melifaro <melifaro@FreeBSD.org> Do not suddenly fail on some rulesets if -n (syntax check only) is specified
and ipfw(4) module is not loaded.

MFC after: 2 weeks
12a0d12e98a778065f432a14c07437bcc8c34871 03-Mar-2013 melifaro <melifaro@FreeBSD.org> Implement buffer size checking in ipfw(8) add cmd.

PR: bin/65961
Submitted by: Eugene Grosbein <eugen@grosbein.pp.ru>
MFC after: 2 weeks
5026b7b931be858ac65f951dc40069f970064606 02-Mar-2013 melifaro <melifaro@FreeBSD.org> Fix ipfw table argument parsing/printing.
Fix style.

PR: kern/175909
Submitted by: Daniel Hagerty <hag@linnaean.org>
MFC after: 2 weeks
c90cd26f1610fbff118edf8a8a1a97b6d25f0f42 30-Jul-2012 luigi <luigi@FreeBSD.org> remove the last __unused instance in sbin/ipfw.
For this particular function (show_prerequisites()) we should actually
remove the argument from the callers as well, but I'll do it at a
later time.
d8e2c218a2f038ccc70ed8fe056b40c23f743930 30-Jul-2012 luigi <luigi@FreeBSD.org> Fix some compile errors at high WARNS, including one
for an uninitialized variable.

unused parameters and variables are annotated with
(void)foo; /* UNUSED */
instead of __unused, because this code needs to build
also on linux and windows.
97c3a90503d7ac77bc3c91a3910e5112ea4f1bb2 25-Mar-2012 melifaro <melifaro@FreeBSD.org> - Permit number of ipfw tables to be changed in runtime.

net.inet.ip.fw.tables_max is now read-write.

- Bump IPFW_TABLES_MAX to 65535
Default number of tables is still 128

- Remove IPFW_TABLES_MAX from ipfw(8) code.

Sponsored by Yandex LLC

Approved by: kib(mentor)

MFC after: 2 weeks
c614ff641f951a75a93d083b1980b4bd3480b949 12-Mar-2012 melifaro <melifaro@FreeBSD.org> - Add ipfw eXtended tables permitting radix to be used for any kind of keys.
- Add support for IPv6 and interface extended tables
- Make number of tables to be loader tunable in range 0..65534.
- Use IP_FW3 opcode for all new extended table cmds

No ABI changes are introduced. Old userland will see valid tables for
IPv4 tables and no entries otherwise. Flush works for any table.

IP_FW3 socket option is used to encapsulate all new opcodes:
/* IP_FW3 header/opcodes */
typedef struct _ip_fw3_opheader {
uint16_t opcode; /* Operation opcode */
uint16_t reserved[3]; /* Align to 64-bit boundary */
} ip_fw3_opheader;

New opcodes added:

ipfw(8) table argument parsing behavior is changed:
'ipfw table 999 add host' now assumes 'host' to be interface name instead of

New tunable:
net.inet.ip.fw.tables_max controls number of tables supported by ipfw in given
VNET instance. 128 is still the default value.

New syntax:
ipfw add skipto tablearg ip from any to any via table(42) in
ipfw add skipto tablearg ip from any to any via table(4242) out

This is a bit hackish, special interface name '\1' is used to signal interface
table number is passed in p.glob field.

Sponsored by Yandex LLC

Reviewed by: ae
Approved by: ae (mentor)

MFC after: 4 weeks
d050a38ab423c57cd15f6818d1d27faf9a35b352 06-Feb-2012 glebius <glebius@FreeBSD.org> Make the 'tcpwin' option of ipfw(8) accept ranges and lists.

Submitted by: sem
5f1ca9b98226dc2417a50af15b77d5a5cfd6837a 07-Jan-2012 uqs <uqs@FreeBSD.org> Spelling fixes for sbin/
eccbdd061bd53b771dcd87b1708dfbc43cfb72a7 20-Aug-2011 bz <bz@FreeBSD.org> Add support for IPv6 to ipfw fwd:
Distinguish IPv4 and IPv6 addresses and optional port numbers in
user space to set the option for the correct protocol family.
Add support in the kernel for carrying the new IPv6 destination
address and port.
Add support to TCP and UDP for IPv6 and fix UDP IPv4 to not change
the address in the IP header.
Add support for IPv6 forwarding to a non-local destination.
Add a regression test utilizing VIMAGE to check all 20 possible
combinations I could think of.

Obtained from: David Dolson at Sandvine Incorporated
(original version for ipfw fwd IPv6 support)
Sponsored by: Sandvine Incorporated
PR: bin/117214
MFC after: 4 weeks
Approved by: re (kib)
5181cb930bcc5093a0e2be0d0e535fc945a2f7a0 17-Aug-2011 jhb <jhb@FreeBSD.org> Fix a regression where a rule containing a source port option after a
destination IP would incorrectly display the source port as a destination

Reviewed by: luigi
Approved by: re (kib)
MFC after: 1 week
6b5f802b89475290bd6d581f19f00d0326038be1 29-Jun-2011 ae <ae@FreeBSD.org> Add new rule actions "call" and "return" to ipfw. They make it
possible to organize subroutines with rules.

The "call" action saves the current rule number in the internal
stack and rules processing continues from the first rule with
specified number (similar to skipto action). If later a rule with
"return" action is encountered, the processing returns to the first
rule with number of "call" rule saved in the stack plus one or higher.

Submitted by: Vadim Goncharov
Discussed by: ipfw@, luigi@
2071e3510abcb0d23655e9ec6f21ded8a0d7fa8a 18-Jun-2011 benl <benl@FreeBSD.org> Fix clang warnings.

Approved by: philip (mentor)
a060389e5b178c7324442c0723886c8fda798998 14-Jun-2011 ae <ae@FreeBSD.org> Implement "global" mode for ipfw nat. It is similar to natd(8)
"globalport" option for multiple NAT instances.

If ipfw rule contains "global" keyword instead of nat_number, then
for each outgoing packet ipfw_nat looks up translation state in all
configured nat instances. If an entry is found, the packet is aliased
according to that entry, otherwise the packet is passed unchanged.

User can specify "skip_global" option in NAT configuration to exclude
an instance from the lookup in global mode.

PR: kern/157867
Submitted by: Alexander V. Chernikov (previous version)
Tested by: Eugene Grosbein
5251d374e6bf12e432d3d911ba9be1ba950711bd 30-May-2011 ae <ae@FreeBSD.org> Add tablearg support for ipfw setfib.

PR: kern/156410
MFC after: 2 weeks
54ea1a10a5370fdc4fe35392a981779de4c01e5e 18-Apr-2011 glebius <glebius@FreeBSD.org> More whitespace fixes.

Checked with: md5, diff -x -w
57baf3da41e06e14fc231a6361a34932b3de1c2a 18-Apr-2011 glebius <glebius@FreeBSD.org> Whitespace fixes.

Checked with: md5, diff -w
e7ccc85b8fa77badd0aebc86e7657d29f3710e08 12-Nov-2010 luigi <luigi@FreeBSD.org> The first customer of the SO_USER_COOKIE option:
the "sockarg" ipfw option matches packets associated to
a local socket and with a non-zero so_user_cookie value.
The value is made available as tablearg, so it can be used
as a skipto target or pipe number in ipfw/dummynet rules.

Code by Paul Joe, manpage by me.

Submitted by: Paul Joe
MFC after: 1 week
09f9c897d33c41618ada06fbbcf1a9b3812dee53 19-Oct-2010 jamie <jamie@FreeBSD.org> A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.
bb534382180913f176ec65d85f59265953baed39 19-Apr-2010 luigi <luigi@FreeBSD.org> fix 64-bit build

Reported by: Robert Noland
063c00f467c27760c023e7f170a99f4597aa1530 19-Apr-2010 luigi <luigi@FreeBSD.org> Slightly different handling of printf/snprintf for unaligned uint64_t,
which should improve readability, and also to ease the port to
platforms that do not support %llu

MFC after: 3 days
09ed433bcc40a0d0bac22ffaa81136dd8af34e10 11-Apr-2010 ume <ume@FreeBSD.org> MFC r206266: Set net.inet6.ip6.fw.enable as well.
69c698c97448731698194f305ab33a4c7be2b4a5 06-Apr-2010 ume <ume@FreeBSD.org> Set net.inet6.ip6.fw.enable as well.
c041d56cdf53775a30c5c413775aeef58662fab8 24-Mar-2010 luigi <luigi@FreeBSD.org> fix handling of "ipfw set N ..."

Submitted by: Marcin Wisnicki
45fd7e506671b45f3ecbb47dd123cf1900c3143d 24-Mar-2010 luigi <luigi@FreeBSD.org> fix another bug in "ipfw set N ..."

Submitted by: Marcin Wisnicki
153fa4f49e7ae4d39851638cfb970d383c0f8b91 23-Mar-2010 luigi <luigi@FreeBSD.org> MFC of a large number of ipfw and dummynet fixes and enhancements
done in CURRENT over the last 4 months.
HEAD and RELENG_8 are almost in sync now for ipfw, dummynet
the pfil hooks and related components.

Among the most noticeable changes:
- r200855 more efficient lookup of skipto rules, and remove O(N)
blocks from critical sections in the kernel;
- r204591 large restructuring of the dummynet module, with support
for multiple scheduling algorithms (4 available so far)
See the original commit logs for details.

Changes in the kernel/userland ABI should be harmless because the
kernel is able to understand previous requests from RELENG_8 and
RELENG_7. For this reason, this changeset would be applicable
to RELENG_7 as well, but I am not sure if it is worthwhile.
332c6d6542481962db514e61cdf291fb1232a610 22-Mar-2010 luigi <luigi@FreeBSD.org> mfc r205179: print correctly addresses with an OR block
f65342081dee75b9f14fe694115caf0b6379f2e3 22-Mar-2010 glebius <glebius@FreeBSD.org> MFC r200183 by luigi:

restore setting of sin_len (was removed in 1.146 last february) as
it seems that now it is necessary for 'forward' to work outside lo0.

Approved by: luigi
f1216d1f0ade038907195fc114b7e630623b402c 19-Mar-2010 delphij <delphij@FreeBSD.org> Create a custom branch where I will be able to do the merge.
b958ac2aee0c02d048840ba1a096b9d1a8e4a2d2 15-Mar-2010 luigi <luigi@FreeBSD.org> print correctly commands of the form

ipfw add 100 allow ip from { or }

(note that the above example could be better written as

ipfw add 100 allow dst-ip,

Submitted by: Riccardo Panicucci
3a68724891acc310ddc8fbf436121e9727dcee70 15-Mar-2010 luigi <luigi@FreeBSD.org> Implement "lookup dscp N" which does a lookup of the DSCP (top 6 bits
of ip->ip_tos) in a table. This can be useful to direct traffic to
different pipes/queues according to the DSCP of the packet, as follows:

ipfw add 100 queue tablearg lookup dscp 3 // table 3 maps dscp->queue

This change is a no-op (but harmless) until the two-line kernel
side is committed, which will happen shortly.
3860a058155dbee2de632be4f7d91488b158b560 04-Mar-2010 imp <imp@FreeBSD.org> Merge through 204723 plus changes to usr.sbin to move to the Makefile.arch setup
b486493f31704510ea9ba1a97eb1f59f7b828fd1 04-Mar-2010 luigi <luigi@FreeBSD.org> fix handling of sets
5ceeac4aa882074e2b1e42fbc20c79ebbd24f4c5 02-Mar-2010 luigi <luigi@FreeBSD.org> Bring in the most recent version of ipfw and dummynet, developed
and tested over the past two months in the ipfw3-head branch. This
also happens to be the same code available in the Linux and Windows
ports of ipfw and dummynet.

The major enhancement is a completely restructured version of
dummynet, with support for different packet scheduling algorithms
(loadable at runtime), faster queue/pipe lookup, and a much cleaner
internal architecture and kernel/userland ABI which simplifies
future extensions.

In addition to the existing schedulers (FIFO and WF2Q+), we include
a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new,
very fast version of WF2Q+ called QFQ.

Some test code is also present (in sys/netinet/ipfw/test) that
lets you build and test schedulers in userland.

Also, we have added a compatibility layer that understands requests
from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries,
and replies correctly (at least, it does its best; sometimes you
just cannot tell who sent the request and how to answer).
The compatibility layer should make it possible to MFC this code in a
relatively short time.

Some minor glitches (e.g. handling of ipfw set enable/disable,
and a workaround for a bug in RELENG_7's /sbin/ipfw) will be
fixed with separate commits.

This work has been partly supported by the ONELAB2 project, and
mostly developed by Riccardo Panicucci and myself.
The code for the qfq scheduler is mostly from Fabio Checconi,
and Marta Carbone and Francesco Magno have helped with testing,
debugging and some bug fixes.
84d17b9dde0bca3ba11491efd293d666259c204f 15-Dec-2009 luigi <luigi@FreeBSD.org> implement a new match option,

lookup {dst-ip|src-ip|dst-port|src-port|uid|jail} N

which searches the specified field in table N and sets tablearg
With dst-ip or src-ip the option replicates two existing options.
When used with other arguments, the option can be useful to
quickly dispatch traffic based on other fields.

Work supported by the Onelab project.

MFC after: 1 week
d0b8e66dba0af5ad71faace968e40cfdac06caa0 06-Dec-2009 luigi <luigi@FreeBSD.org> restore setting of sin_len (was removed in 1.146 last february) as
it seems that now it is necessary for 'forward' to work outside lo0.
The bug (and fix) was reported on 8.0. This patch probably applies
to RELENG_7 as well.
It seems that 'pf' has a similar bug.

Submitted by: Lytochkin Boris
MFC after: 3 days
d90175e4d60b3b4fe9477b8d462b71b3bccf43c0 08-Jun-2009 luigi <luigi@FreeBSD.org> add a missing format in a printf
Detected building with gcc 4.3.3

MFC after: 3 days
78a4bbf2875db443e6d62f814cfa0932be524a77 05-Jun-2009 luigi <luigi@FreeBSD.org> Several ipfw options and actions use a 16-bit argument to indicate
pipes, queues, tags, rule numbers and so on.
These are all different namespaces, and the only thing they have in
common is the fact they use a 16-bit slot to represent the argument.

There is some confusion in the code, mostly for historical reasons,
on how the values 0 and 65535 should be used. At the moment, 0 is
forbidden almost everywhere, while 65535 is used to represent a
'tablearg' argument, i.e. the result of the most recent table() lookup.

For now, try to use explicit constants for the min and max allowed
values, and do not overload the default rule number for that.

Also, make the MTAG_IPFW declaration only visible to the kernel.

NOTE: I think the issue needs to be revisited before 8.0 is out:
the 2^16 namespace limit for rule numbers and pipe/queue is
annoying, and we can easily bump the limit to 2^32 which gives
a lot more flexibility in partitioning the namespace.

MFC after: 5 days
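The explicit min/max constants and the 65535 "tablearg" sentinel this commit describes, as an added C example that is not the ipfw source: a stand-alone validator for one 16-bit argument token (pipe, queue, tag or rule number) that rejects 0, rejects the reserved sentinel as an ordinary value, and accepts the keyword only where the caller allows it. The constants ARG_MIN, ARG_MAX and ARG_TABLEARG and the function names are assumptions made for illustration; the real values and macros live in the kernel's ip_fw.h and in ipfw2.c.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed constants standing in for the explicit min/max values the
 * commit message asks for; the kernel's own definitions are not copied here. */
#define ARG_MIN      1u      /* 0 is forbidden in these 16-bit slots */
#define ARG_MAX      65534u  /* highest ordinary value that fits the slot */
#define ARG_TABLEARG 65535u  /* sentinel: "use the result of the last table() lookup" */

/* Parse one 16-bit argument token for a given namespace. `lo`/`hi` give that
 * namespace's allowed range, `allow_tablearg` says whether the keyword is
 * legal in this position. Returns 0 and stores the value on success, -1 on a
 * malformed token, an out-of-range number, or a sentinel collision. */
int parse_u16_arg(const char *tok, unsigned lo, unsigned hi,
                  int allow_tablearg, uint16_t *out)
{
    char *end;
    unsigned long v;

    if (tok == NULL || *tok == '\0')
        return -1;

    /* the keyword is only a valid spelling of the sentinel, never a number */
    if (strcmp(tok, "tablearg") == 0) {
        if (!allow_tablearg)
            return -1;
        *out = (uint16_t)ARG_TABLEARG;
        return 0;
    }

    /* digits only: strtoul alone would accept leading blanks, '+' and '-' */
    if (!isdigit((unsigned char)tok[0]))
        return -1;
    errno = 0;
    v = strtoul(tok, &end, 10);
    if (errno != 0 || end == tok || *end != '\0')
        return -1;

    /* range check against the namespace and against the slot itself, so the
     * sentinel value can never be smuggled in as a plain number */
    if (v < lo || v > hi || v > ARG_MAX)
        return -1;

    *out = (uint16_t)v;
    return 0;
}

/* Wrapper with the default range: returns the parsed value (1..65535) or -1
 * when the token is rejected, which keeps the result easy to check. */
int parsed_arg(const char *tok, int allow_tablearg)
{
    uint16_t v;

    if (parse_u16_arg(tok, ARG_MIN, ARG_MAX, allow_tablearg, &v) != 0)
        return -1;
    return (int)v;
}
```

The point of the separate `lo`/`hi` pair is that each namespace (pipes, queues, tags, rule numbers) can carry its own limits without touching the slot-wide checks, which is what the commit's "explicit constants for the min and max allowed values" buys over reusing the default rule number.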
c9b4c109954a4dd9052f62f379febea366d11a07 01-Apr-2009 piso <piso@FreeBSD.org> Implement an ipfw action to reassemble ip packets: reass.
af5756126ea4abebdc1e1fedff024352d7afc9f1 02-Feb-2009 luigi <luigi@FreeBSD.org> Explain that we assume AF_INET and only use the addr and port field
from a struct sockaddr_in, so there is no need to initialize sin_len
23001c70f6bbdc9d9fdf1e5004247a1ca399bca0 01-Feb-2009 luigi <luigi@FreeBSD.org> put the altq-related functions into a separate file.
Minor cleanup of the includes used by the various source files,
including annotations of why certain headers are used.
5f74942998479b79250f585067f2adf70b583c5b 27-Jan-2009 luigi <luigi@FreeBSD.org> fix printing of uint64_t values, so we can use WARNS=2
8a3b5c8587eefdf155a589610647bbc582948ce7 27-Jan-2009 luigi <luigi@FreeBSD.org> Put nat and ipv6 support in their own files.

Usual moving of code with no changes from ipfw2.c to the
newly created files, and addition of prototypes to ipfw2.h

I have added forward declarations for ipfw_insn_* in ipfw2.h
to avoid a global dependency on ip_fw.h
5153c1f1c42195d9130f83a12b751e798054a287 27-Jan-2009 luigi <luigi@FreeBSD.org> Put dummynet-related code in a separate file.
To this purpose, add prototypes for global functions in ipfw2.h
and move there also the list of tokens used in various places in the code.
80a7476516826d36a4d351787cfe847b666aa55a 27-Jan-2009 luigi <luigi@FreeBSD.org> Start splitting the monster file in smaller blocks.

In this episode:
- introduce a common header with a minimal set of common definitions;
- bring the main() function and options parser in main.c
- rename the main functions with an ipfw_ prefix

No code changes except for the introduction of a global variable,
resvd_set_number, which stores the RESVD_SET value from ip_fw.h
and is used to remove the dependency of main.c from ip_fw.h
(and the subtree of dependencies) for just a single constant.
4e134bba317d2d01b583b91d430c2be800a478c8 27-Jan-2009 luigi <luigi@FreeBSD.org> put the usage() function inline, it was only 1 line and used once;
slightly reformat the help() text;
slightly correct the text for the 'extraneous filename' error message;
a1283d80864875ab3971699c3524c52725a2ec9e 27-Jan-2009 luigi <luigi@FreeBSD.org> put all options in a single struct, and document them.

This will allow us to easily restore the original values when processing
commands from a file (where each individual line can have its own options).
3b18b2924ea6e30ef99df6e1b7ceea64aab6a611 27-Jan-2009 luigi <luigi@FreeBSD.org> remove a couple of rarely used #define;

change PRINT_UINT from a macro to a function (renaming is
postponed to reduce clutter)
b193317a46c06dbf600581ded1f5953d417062a0 26-Jan-2009 luigi <luigi@FreeBSD.org> wrap all malloc/calloc/realloc calls so they exit on failure
without having to check in each place.

Remove a wrong strdup from previous commit.
a9074e77b8d04e6644c56537bd7e2dabad938e40 26-Jan-2009 luigi <luigi@FreeBSD.org> Some implementations of getopt() expect that argv[0] is always the
program name, and ignore that entry. ipfw2.c code instead skips
this entry and starts with options at offset 0, relying on a more
tolerant implementation of the library.

This change fixes the issue by always passing a program name
in the first entry to getopt. The motivation for this change
is to remove a potential compatibility issue should we use
a different getopt() implementation in the future.

No functional changes.

Submitted by: Marta Carbone (parts)
MFC after: 4 weeks
6cbadf07649b075298e84b71f3be9d4e6fda3fec 22-Jan-2009 luigi <luigi@FreeBSD.org> remove some useless #include,
document why timeconv.h is needed

MFC after: 3 days
cee4a08b628a7b35f5901643bb8d336eff5a637b 20-Jan-2009 luigi <luigi@FreeBSD.org> Fix a number of (innocuous) warnings, and remove a useless test.
There are still several signed/unsigned warnings left, which
require a bit more study for a proper fix.

This file has grown beyond reasonable limits.

We really need to split it into separate components (ipv4, ipv6,
dummynet, nat, table, userland-kernel communication ...) so we can
make maintenance easier.

MFC after: 1 week
8af3d78dd29ac07a9612994c5bdf8ea196ee5599 28-Dec-2008 piso <piso@FreeBSD.org> Import sctp nat support in ipfw obtained from CAIA - http://caia.swin.edu.au.
9102cbe344a04848798c70cd2257812a15a4512e 18-Dec-2008 piso <piso@FreeBSD.org> Honor the quiet (-q) option while adding a nat rule.

Submitted by: Andrey V. Elsukov<bu7cher@yandex.ru>
MFC after: 3 days
19b6af98ec71398e77874582eb84ec5310c7156f 22-Nov-2008 dfr <dfr@FreeBSD.org> Clone Kip's Xen on stable/6 tree so that I can work on improving FreeBSD/amd64
performance in Xen's HVM mode.
cf5320822f93810742e3d4a1ac8202db8482e633 19-Oct-2008 lulf <lulf@FreeBSD.org> - Import the HEAD csup code which is the basis for the cvsmode work.
be9cccafc21186d9180b1c71790a858f2ef3d398 14-Oct-2008 maxim <maxim@FreeBSD.org> o Remove debug code and restore code accidentally deleted
in a previous commit.
c9e34ff82a33ac0c781d195d15c5c1ab6bf8e56c 14-Oct-2008 maxim <maxim@FreeBSD.org> o Do nothing in show_nat() for a test mode (-n). This prevents
show_nat() from an endless loop and makes ipfw -n nat <...> work.

PR: bin/128064
Submitted by: sem
MFC after: 1 month
192de0a030310be59eed4c3d4ff26f1162ac0b74 27-Sep-2008 rik <rik@FreeBSD.org> Fix the build.

Noted by: ganbold@
187806f48e9ef16ebb43f36c20efc1751ab9146f 27-Sep-2008 rik <rik@FreeBSD.org> Add keyword all in addition to the table number for the 'list' and the
'flush' actions on tables. Part of PR: 127058.

PR: 127058 (based on)
MFC after: 1 month
28c58e7c96e364527d589ea10eb7787431aca46d 23-Sep-2008 rik <rik@FreeBSD.org> MFH: 182818, 182823, 182825, 183012 - IPFW_DEFAULT_RULE related fixes.

New Revision: 182818
URL: http://svn.freebsd.org/changeset/base/182818

Export the IPFW_DEFAULT_RULE outside ip_fw2.c. This number is not only
the default rule number but also the maximum rule number. User space
software such as ipfw and natd should be aware of its value. The
software that already includes ip_fw.h should use the defined value. All
others are expected to use sysctl (as discussed on net@).

MFC after: 5 days.
Discussed on: net@


New Revision: 182823
URL: http://svn.freebsd.org/changeset/base/182823

Use IPFW_DEFAULT_RULE instead of hardcoded value since now it is

MFC after: 5 days.


New Revision: 182825
URL: http://svn.freebsd.org/changeset/base/182825

Check rule numbers against maximum value to avoid rules cleanup due
to overflow.

MFC after: 5 days.


New Revision: 183012
URL: http://svn.freebsd.org/changeset/base/183012

Make the comment for the default rule number more clear.

Submitted by: yar@


Approved by: re (kensmith)
24cc0f58d69f12c5c7dd9b02bb5e259f91824aef 22-Sep-2008 keramida <keramida@FreeBSD.org> Unbreak the build.
89ba9c24eeac9215b911c9d51e34a31bac0315de 21-Sep-2008 rik <rik@FreeBSD.org> Add the check of the table number.
9e1d29763a8d23ecc0e438118e6b153e2af6f6d8 21-Sep-2008 rik <rik@FreeBSD.org> Move table list to a separate function.
a76a4a93e98f6735706ff6661856943fa9f1fe20 20-Sep-2008 rik <rik@FreeBSD.org> Free allocated memory.
87be3efbcd3d507eb8b5073e5b30286f109f64a2 20-Sep-2008 rik <rik@FreeBSD.org> Remove some unused variables.
2600b8bb7d56e3fd70e3137ace9e035499ba158e 20-Sep-2008 rik <rik@FreeBSD.org> Style(9) the show_nat() function.
a32f707733c85820ecb4ee9dec2f248c602b2e34 20-Sep-2008 rik <rik@FreeBSD.org> Do not do the useless job for an empty table.

MFC after: 1 month
65828aa4c7f5c98c28dd5864555de7a10a0acb62 06-Sep-2008 rik <rik@FreeBSD.org> Use IPFW_DEFAULT_RULE instead of hardcoded value since now it is

MFC after: 5 days.
f5059fcf481f84d6749a0072e558df9dcb2e8806 24-Jul-2008 julian <julian@FreeBSD.org> Commit ancillary parts of the MFC that I couldn't do last night because
the SVN server went strange (repoman. crashed I believe).

Obtained from: Cisco IronPort
dc8d54c205784683ec1aae7ecf1f24fe1f6cb2c0 24-Jul-2008 julian <julian@FreeBSD.org> MFC an ABI compatible implementation of Multiple routing tables.
See the commit message for
version 1.129 (svn change # 178888) for more info.

Obtained from: Ironport (Cisco Systems)
bdf655b82ee9d6fa13af4d9cfa8d72ed3e2c438b 20-May-2008 dwmalone <dwmalone@FreeBSD.org> MFC:
Dummynet has a limit of 100 slots queue size (or 1MB, if you give
the limit in bytes) hard coded into both the kernel and userland.
Make both these limits a sysctl, so it is easy to change the limit.
c0cbd36f8490846661afb2ab7220c12bd6c6391d 20-May-2008 dwmalone <dwmalone@FreeBSD.org> MFC:
Dummynet has a limit of 100 slots queue size (or 1MB, if you give
the limit in bytes) hard coded into both the kernel and userland.
Make both these limits a sysctl, so it is easy to change the limit.
816e721312fb4cb2c38886f5f52b0d24668ef539 10-May-2008 julian <julian@FreeBSD.org> Change two variables to size_t to improve portability.
Submitted by: Xin Li
1dfc5c98a4f7c32163dfdc61e390ccf805385108 09-May-2008 julian <julian@FreeBSD.org> Add code to allow the system to handle multiple routing tables.
This particular implementation is designed to be fully backwards compatible
and to be MFC-able to 7.x (and 6.x)

Currently the only protocol that can make use of the multiple tables is IPv4
Similar functionality exists in OpenBSD and Linux.

From my notes:


One thing where FreeBSD has been falling behind, and which by chance I
have some time to work on is "policy based routing", which allows
packet streams to be routed by more than just the destination address.


I want to make some form of this available in the 6.x tree
(and by extension 7.x), but FreeBSD in general needs it so I might as
well do it in -current and back port the portions I need.

One of the ways that this can be done is to have the ability to
instantiate multiple kernel routing tables (which I will now
refer to as "Forwarding Information Bases" or "FIBs" for political
correctness reasons). Which FIB a particular packet uses to make
the next hop decision can be decided by a number of mechanisms.
The policies these mechanisms implement are the "Policies" referred
to in "Policy based routing".

One of the constraints I have if I try to back port this work to
6.x is that it must be implemented as a EXTENSION to the existing
ABIs in 6.x so that third party applications do not need to be
recompiled in timespan of the branch.

This first version will not have some of the bells and whistles that
will come with later versions. It will, for example, be limited to 16
tables in the first commit.
Implementation method, Compatible version. (part 1)
For this reason I have implemented a "sufficient subset" of a
multiple routing table solution in Perforce, and back-ported it
to 6.x. (also in Perforce though not always caught up with what I
have done in -current/P4). The subset allows a number of FIBs
to be defined at compile time (8 is sufficient for my purposes in 6.x)
and implements the changes needed to allow IPV4 to use them. I have not
done the changes for ipv6 simply because I do not need it, and I do not
have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.

Other protocol families are left untouched and should there be
users with proprietary protocol families, they should continue to work
and be oblivious to the existence of the extra FIBs.

To understand how this is done, one must know that the current FIB
code starts everything off with a single dimensional array of
pointers to FIB head structures (One per protocol family), each of
which in turn points to the trie of routes available to that family.

The basic change in the ABI compatible version of the change is to
extend that array to be a 2 dimensional array, so that
instead of protocol family X looking at rt_tables[X] for the
table it needs, it looks at rt_tables[Y][X] where for all
protocol families except ipv4 Y is always 0.
Code that is unaware of the change always just sees the first row
of the table, which of course looks just like the one dimensional
array that existed before.

The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign()
are all maintained, but refer only to the first row of the array,
so that existing callers in proprietary protocols can continue to
do the "right thing".
Some new entry points are added, for the exclusive use of ipv4 code
called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(),
which have an extra argument which refers the code to the correct row.

In addition, there are some new entry points (currently called
rtalloc_fib() and friends) that check the Address family being
looked up and call either rtalloc() (and friends) if the protocol
is not IPv4 forcing the action to row 0 or to the appropriate row
if it IS IPv4 (and that info is available). These are for calling
from code that is not specific to any particular protocol. The way
these are implemented would change in the non ABI preserving code
to be added later.

One feature of the first version of the code is that for ipv4,
the interface routes show up automatically on all the FIBs, so
that no matter what FIB you select you always have the basic
direct attached hosts available to you. (rtinit() does this

You CAN delete an interface route from one FIB should you want
to but by default it's there. ARP information is also available
in each FIB. It's assumed that the same machine would have the
same MAC address, regardless of which FIB you are using to get
to it.

This brings us as to how the correct FIB is selected for an outgoing
IPV4 packet.

Firstly, all packets have a FIB associated with them. if nothing
has been done to change it, it will be FIB 0. The FIB is changed
in the following ways.

Packets fall into one of a number of classes.

1/ locally generated packets, coming from a socket/PCB.
Such packets select a FIB from a number associated with the
socket/PCB. This in turn is inherited from the process,
but can be changed by a socket option. The process in turn
inherits it on fork. I have written a utility called setfib
that acts a bit like nice..

setfib -3 ping target.example.com # will use fib 3 for ping.

It is an obvious extension to make it a property of a jail
but I have not done so. It can be achieved by combining the setfib and
jail commands.

2/ packets received on an interface for forwarding.
By default these packets would use table 0,
(or possibly a number settable in a sysctl(not yet)).
but prior to routing the firewall can inspect them (see below).
(possibly in the future you may be able to associate a FIB
with packets received on an interface.. An ifconfig arg, but not yet.)

3/ packets inspected by a packet classifier, which can arbitrarily
associate a fib with it on a packet by packet basis.
A fib assigned to a packet by a packet classifier
(such as ipfw) would over-ride a fib associated by
a more default source. (such as cases 1 or 2).

4/ a tcp listen socket associated with a fib will generate
accept sockets that are associated with that same fib.

5/ Packets generated in response to some other packet (e.g. reset
or icmp packets). These should use the FIB associated with the
packet being responded to.

6/ Packets generated during encapsulation.
gif, tun and other tunnel interfaces will encapsulate using the FIB
that was in effect with the process that set up the tunnel.
thus setfib 1 ifconfig gif0 [tunnel instructions]
will set the fib for the tunnel to use to be fib 1.

Routing messages would be associated with their
process, and thus select one FIB or another.
messages from the kernel would be associated with the fib they
refer to and would only be received by a routing socket associated
with that fib. (not yet implemented)

In addition Netstat has been edited to be able to cope with the
fact that the array is now 2 dimensional. (It looks in system
memory using libkvm (!)). Old versions of netstat see only the first FIB.

In addition two sysctls are added to give:
a) the number of FIBs compiled in (active)
b) the default FIB of the calling process.

Early testing experience:

Basically our (IronPort's) appliance does this functionality already
using ipfw fwd but that method has some drawbacks.

For example,
It can't fully simulate a routing table because it can't influence the
socket's choice of local address when a connect() is done.

Testing during the generating of these changes has been
remarkably smooth so far. Multiple tables have co-existed
with no notable side effects, and packets have been routes

ipfw has grown 2 new keywords:

setfib N ip from any to any
count ip from any to any fib N

In pf there seems to be a requirement to be able to give symbolic names to the
fibs but I do not have that capacity. I am not sure if it is required.

SCTP has interestingly enough built in support for this, called VRFs
in Cisco parlance. it will be interesting to see how that handles it
when it suddenly actually does something.

Where to next:

After committing the ABI compatible version and MFCing it, I'd
like to proceed in a forward direction in -current. this will
result in some roto-tilling in the routing code.

Firstly: the current code's idea of having a separate tree per
protocol family, all of the same format, and pointed to by the
1 dimensional array is a bit silly. Especially when one considers that
there is code that makes assumptions about every protocol having the
same internal structures there. Some protocols don't WANT that
sort of structure. (for example the whole idea of a netmask is foreign
to appletalk). This needs to be made opaque to the external code.

My suggested first change is to add routing method pointers to the
'domain' structure, along with information pointing the data.
instead of having an array of pointers to uniform structures,
there would be an array pointing to the 'domain' structures
for each protocol address domain (protocol family),
and the methods this reached would be called. The methods would have
an argument that gives FIB number, but the protocol would be free
to ignore it.

When the ABI can be changed it raises the possibility of the
addition of a fib entry into the "struct route". Currently,
the structure contains the sockaddr of the destination, and the resulting
fib entry. To make this work fully, one could add a fib number
so that given an address and a fib, one can find the third element, the
fib entry.

Interaction with the ARP layer/ LL layer would need to be
revisited as well. Qing Li has been working on this already.

This work was sponsored by Ironport Systems/Cisco

Reviewed by: several including rwatson, bz and mlair (parts each)
Obtained from: Ironport systems/Cisco
d09731caba5d2da56a93ba9f5c0c5aadec96e7ad 25-Apr-2008 oleg <oleg@FreeBSD.org> MFC: 1.111

Calculate p.fs.lookup_step correctly. This should prevent zeroing of
w_q_lookup table (used in RED algorithm for (1 - w_q)^t computation).
27a9c9bec6ce3b4496db62cc39cbcd88a8eec99b 25-Apr-2008 oleg <oleg@FreeBSD.org> MFC: 1.111

Calculate p.fs.lookup_step correctly. This should prevent zeroing of
w_q_lookup table (used in RED algorithm for (1 - w_q)^t computation).
91515fa1c76c054b73705150f91a632fd5f65062 04-Apr-2008 julian <julian@FreeBSD.org> MFC: ipfw2.c 1.114
ipfw.8 1.209

Use an explicit argument to format table args as IP addresses.
4b5191a4295728801ef65c3e961e86fa6015951c 04-Apr-2008 julian <julian@FreeBSD.org> MFC: ipfw2.c 1.114 ipfw.8 1.209

Use an explicit argument to display table args a IP addresses.
db9f05b4fb9bf50518ab6fe9d46935e83656eb7c 14-Mar-2008 piso <piso@FreeBSD.org> Fix showing nat rules.

Bug spotted by: Gael Roualland <gael.roualland@dial.oleane.com>
PR: bin/121683
bb843a8a0193fa6488ede2608f8690733e0e7cd7 04-Mar-2008 piso <piso@FreeBSD.org> MFC:

Add table/tablearg support to ipfw's nat.
Fix display of nat range.
Fix display of multiple nat rules.
Whitespace elimination.

sbin/ipfw/ipfw2.c: rev. 1.115, 1.116 and 1.117
sbin/ipfw/ipfw.8: rev. 1.210
sys/netinet/ip_fw2.c: rev. 1.181
f8898784849d458af8c05d246a4f5d131ae9fa45 27-Feb-2008 dwmalone <dwmalone@FreeBSD.org> Dummynet has a limit of 100 slots queue size (or 1MB, if you give
the limit in bytes) hard coded into both the kernel and userland.
Make both these limits a sysctl, so it is easy to change the limit.
If the userland part of ipfw finds that the sysctls don't exist,
it will just fall back to the traditional limits.

(100 packets is quite a small limit these days. If you want to test
TCP at 100Mbps, 100 packets can only accommodate a DBP of 12ms.)

Note these sysctls in the man page and warn against increasing them
without thinking first.

MFC after: 3 weeks
f960df766fa7a334f981b56173d7f55147e234a5 26-Feb-2008 maxim <maxim@FreeBSD.org> MFC rev. 1.112: fix command line parser bug: "ipfw nat 1 config if"
requires an argument.
a4b4ccad078cd04c874f35be2814b7314a45552b 24-Feb-2008 piso <piso@FreeBSD.org> Add table/tablearg support to ipfw's nat.

MFC After: 1 week
47b2af9c1cb1409bf9100c13eba277a47a02c22d 21-Feb-2008 piso <piso@FreeBSD.org> -Fix display of nat range.
-Whitespace elimination.

Bug spotted by: Luiz Otavio O Souza
MFC After: 3 days
6733058442037a1dbef4e6638c1305b7745013dd 18-Feb-2008 piso <piso@FreeBSD.org> Fix display of multiple nat rules.

Bug spotted by: Luiz Otavio O Souza
PR: 120734
MFC After: 3 days
be6b4b9b616cc7d00e7671e3563ab0907db86fec 18-Feb-2008 julian <julian@FreeBSD.org> Instead of using a heuristic to decide whether to display
table 'values' as IP addresses, use an explicit argument (-i).
This is a 'POLA' issue. This is a low risk change and should be MFC'd
to RELENG_6 and RELENG_7. It might be put as an errata item for 6.3.
(not sure about 6.2).

Fix suggested by: Eugene Grosbein
PR: 120720
MFC After: 3 days
dd4aad889a0e6aa17ad92aad95d752e4ba9bec7e 28-Jan-2008 rwatson <rwatson@FreeBSD.org> Merge ipfw2.c:1.113, ip_fw.h:1.111, ip_fw2.c:1.180 from HEAD to RELENG_7:

Hide ipfw internal data structures behind IPFW_INTERNAL rather than
exposing them to all consumers of ip_fw.h. These structures are
used in both ipfw(8) and ipfw(4), but not part of the user<->kernel
interface for other applications to use, rather, shared

Reported by: Paul Vixie <paul at vix dot com>
1dcfe4a494542fa0fbcbea2ab0bb74b602d2ee23 25-Jan-2008 rwatson <rwatson@FreeBSD.org> Hide ipfw internal data structures behind IPFW_INTERNAL rather than
exposing them to all consumers of ip_fw.h. These structures are
used in both ipfw(8) and ipfw(4), but not part of the user<->kernel
interface for other applications to use, rather, shared

MFC after: 3 days
Reported by: Paul Vixie <paul at vix dot com>
3646748d3a5e87a887add01aa8e8876397b298c1 20-Jan-2008 maxim <maxim@FreeBSD.org> o Fix ipfw(8) command line parser bug: "ipfw nat 1 config if" requires an argument.

PR: bin/119815
Submitted by: Dierk Sacher
MFC after: 1 week
3ced3975d99146a0d4f69805de38b8502f0ad386 17-Dec-2007 oleg <oleg@FreeBSD.org> Calculate p.fs.lookup_step correctly. This should prevent zeroing of
w_q_lookup table (used in RED algorithm for (1 - w_q)^t computation).

MFC after: 1 month
e0b9f6a2b2bad01ea9271181c944da1d4ca22e3f 27-Oct-2007 maxim <maxim@FreeBSD.org> o Fix indentation. No functional changes.
04560c1155f6af5753b978d2bef7c1b07f5ea656 19-Oct-2007 rpaulo <rpaulo@FreeBSD.org> Comply with the removal of IPTOS_CE and IPTOS_ECT.
Discussed on freebsd-net with no objections.

Approved by: njl (mentor), rwatson
08383c0d27c888d1fa8ed9c1d6269503896131ce 14-Oct-2007 maxim <maxim@FreeBSD.org> MFC rev.1.108: fix the issue when "ipfw(8) show" produces "not" twice.
9f9cc8d8af1e3d0faf3aa8f6c33dcba894d564c6 23-Sep-2007 maxim <maxim@FreeBSD.org> o Cosmetic: fix the issue when "ipfw(8) show" produces "not" twice:

$ ipfw -n add 1 allow layer2 not mac-type ip
00001 allow ip from any to any layer2 not not mac-type 0x0800

PR: bin/115372
Submitted by: Andrey V. Elsukov
Approved by: re (hrs)
MFC after: 3 weeks
3eb0fa1342d0b24e14ff06361e7b8a71c4441b06 26-Aug-2007 maxim <maxim@FreeBSD.org> o Fix bug I introduced in the previous commit (ipfw set extension):
pack a set number correctly.

Submitted by: oleg

o Plug a memory leak.

Submitted by: oleg and Andrey V. Elsukov
Approved by: re (kensmith)
MFC after: 1 week
2139af42ea6ab3e2d8b8c7f9cdd85f4fd28ca79e 18-Jun-2007 maxim <maxim@FreeBSD.org> o Make ipfw set more robust -- now it is possible:
- to show a specific set: ipfw set 3 show
- to delete rules from the set: ipfw set 9 delete 100 200 300
- to flush the set: ipfw set 4 flush
- to reset rules counters in the set: ipfw set 1 zero

PR: kern/113388
Submitted by: Andrey V. Elsukov
Approved by: re (kensmith)
MFC after: 6 weeks
2903a43579ca0db11f4f349714b16e68e36cdfcb 10-Jun-2007 maxim <maxim@FreeBSD.org> MFC rev. 1.103: make ipfw(8) show rules with mac/mac-type options
MFC rev. 1.105: teach get_mac_addr_mask() to not silently accept
incorrect MAC addresses.
4ad973ddfb08fb4040a555739b1eff07815dc7cb 07-Jun-2007 bz <bz@FreeBSD.org> MFC:
1.200 sbin/ipfw/ipfw.8, 1.104 sbin/ipfw/ipfw2.c
1.110 sys/netinet/ip_fw.h, 1.164 sys/netinet/ip_fw2.c

Add support for filtering on Routing Header Type 0 and
Mobile IPv6 Routing Header Type 2 in addition to filter
on the non-differentiated presence of any Routing Header.
4941ee4a2accc1d1a5d38148ec1378487b9e1cf0 09-May-2007 maxim <maxim@FreeBSD.org> o Teach get_mac_addr_mask() to not silently accept incorrect MAC
o Swap a couple of magic 6s by ETHER_ADDR_LEN.

PR: bin/80913
Submitted by: Andrey V. Elsukov
MFC after: 1 month
049302cd6a135212b6e99c436b77bf00a7b16574 08-May-2007 julian <julian@FreeBSD.org> MFC 1.93 1.94.
allow table entries to store/return an IP address as a value.
ab603b3a9cf7b2e1e960a1f240075673e7e10f6a 04-May-2007 bz <bz@FreeBSD.org> Add support for filtering on Routing Header Type 0 and
Mobile IPv6 Routing Header Type 2 in addition to filter
on the non-differentiated presence of any Routing Header.

MFC after: 3 weeks
185e6bdacbf602696d724b2a2ec619e9d1b70a39 30-Apr-2007 maxim <maxim@FreeBSD.org> o Make ipfw(8) show rules with mac/mac-type options correctly.


$ ipfw -n add 100 count icmp from any to any mac-type 0x01
00100 count icmp 0x0001
$ ipfw -n add 100 count icmp from any to any mac any any
00100 count icmp MAC any any any


$ ipfw -n add 100 count icmp from any to any mac-type 0x01
00100 count icmp from any to any mac-type 0x0001
$ ipfw -n add 100 count icmp from any to any mac any any
00100 count icmp from any to any MAC any any

PR: bin/112244
Submitted by: Andrey V. Elsukov
MFC after: 1 month
b55cf0b91d6e16d90b15e614ee7d23bed176ab22 28-Apr-2007 maxim <maxim@FreeBSD.org> MFC rev. 1.102: add missed w/space in the error message.
708ec25681ba4539b2161e56169de23fbc01d262 17-Apr-2007 maxim <maxim@FreeBSD.org> o Add missed w/space in the error message.

Spotted by: Ivan Voras
MFC after: 1 week
642ce217a4ee8e0b9bb7307965cdfea84d3e2d6b 10-Jan-2007 mlaier <mlaier@FreeBSD.org> MFC: ipfw2.c, 1.101:
Fix a parsing bug when specifying more than one address with dotted
decimal netmask.

Reported by: Igor Anishchuk
PR: kern/107565
56fe8a82e89bc0f48e59d0db6f93bf22076186f3 07-Jan-2007 mlaier <mlaier@FreeBSD.org> Fix a parsing bug when specifying more than one address with dotted decimal

Reported by: Igor Anishchuk
PR: kern/107565
MFC after: 3 days
0db606a3b135b207a944e841f0142c30f4f43ceb 29-Dec-2006 piso <piso@FreeBSD.org> Summer of Code 2005: improve libalias - part 2 of 2

With the second (and last) part of my previous Summer of Code work, we get:

-ipfw's in kernel nat

-redirect_* and LSNAT support

General information about nat syntax and some examples are available
in the ipfw (8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to natd (8) man page.

To enable in kernel nat in rc.conf, two options were added:

o firewall_nat_enable: equivalent to natd_enable

o firewall_nat_interface: equivalent to natd_interface

Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being

NOTA BENE: due to some problems with libalias architecture, in kernel
nat won't work with TSO enabled nic, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).

Approved by: glebius (mentor)
312d1a5eea498f9dd56869968a553d9ff8c0afc8 21-Oct-2006 maxim <maxim@FreeBSD.org> MFC rev. 1.99: check for a required "pathname" argument presence.

Approved by: re (bmah)
54f179c406f0a468fe6fc0c181d1b80a8a6ab536 29-Sep-2006 maxim <maxim@FreeBSD.org> o Check for a required "pathname" argument presence.

PR: bin/95146
Submitted by: candy-sendpr@kgc.co.jp
MFC after: 3 weeks
841f0777f79e5255f80e36de4464c8f5e2900aee 20-Sep-2006 jhay <jhay@FreeBSD.org> MFC: 1.98
Check the length of the ipv4 and ipv6 address lists. It must be less
than F_LEN_MASK.

Approved by: re (hrs)
7fb24b60834961e1ed9560adfcba93ac4a61a077 20-Sep-2006 jhay <jhay@FreeBSD.org> MFC: 1.97
Use bzero() to clear the whole ipfw_insn_icmp6 structure in fill_icmp6types(),
otherwise this command

ipfw add allow ipv6-icmp from any to 2002::1 icmp6types 1,2,128,129

turns into icmp6types 1,2,32,33,34,...94,95,128,129

PR: 102422 (part 1)
Submitted by: Andrey V. Elsukov <bu7cher at yandex.ru>
Approved by: re (hrs)
9e8a4daa6bfb66b9c9565e9f7ed6639f28b4ba38 16-Sep-2006 jhay <jhay@FreeBSD.org> Check the length of the ipv4 and ipv6 address lists. It must be less
than F_LEN_MASK.

MFC after: 5 days
3f597283a3bb3f57f6625859d29936c349ec32fe 16-Sep-2006 jhay <jhay@FreeBSD.org> Use bzero() to clear the whole ipfw_insn_icmp6 structure in fill_icmp6types(),
otherwise this command

ipfw add allow ipv6-icmp from any to 2002::1 icmp6types 1,2,128,129

turns into icmp6types 1,2,32,33,34,...94,95,128,129

PR: 102422 (part 1)
Submitted by: Andrey V. Elsukov <bu7cher at yandex.ru>
MFC after: 5 days
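The failure mode in this commit (stale bits surviving in a structure that was never cleared, so that "icmp6types 1,2,128,129" silently grew into a much wider match) reproduced as an added C example; this is not the ipfw source. The bitmap type, the fill functions and the stale pattern are assumptions made for illustration: the struct mirrors only the idea of one bit per ICMPv6 type, not the real ipfw_insn_icmp6 layout, and the leftover contents are constructed to match the 32..95 range the commit message reports.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the kernel's ICMPv6 type bitmap: one bit per
 * type, 256 types in eight 32-bit words. The real ipfw_insn_icmp6 lives in
 * netinet/ip_fw.h and is not copied here. */
#define ICMP6_WORDS 8
typedef struct {
    uint32_t d[ICMP6_WORDS];
} icmp6_types_bitmap;

/* Set the bit for one ICMPv6 type (0..255). */
static void icmp6_set_type(icmp6_types_bitmap *bm, unsigned type)
{
    bm->d[type / 32] |= (uint32_t)1 << (type % 32);
}

/* Is a given type present in the bitmap? */
int icmp6_has_type(const icmp6_types_bitmap *bm, unsigned type)
{
    return (bm->d[type / 32] >> (type % 32)) & 1u;
}

/* Number of types the bitmap would match. */
int icmp6_count_types(const icmp6_types_bitmap *bm)
{
    int n = 0;

    for (size_t w = 0; w < ICMP6_WORDS; w++)
        for (unsigned b = 0; b < 32; b++)
            if (bm->d[w] & ((uint32_t)1 << b))
                n++;
    return n;
}

/* Pre-fix shape: only the requested bits are OR-ed in, so whatever the
 * memory held before (stack leftovers in the real bug) stays set. */
void fill_icmp6types_unzeroed(icmp6_types_bitmap *bm,
                              const unsigned *types, size_t n)
{
    for (size_t i = 0; i < n; i++)
        icmp6_set_type(bm, types[i]);
}

/* Fixed shape: clear the whole structure first (the commit uses bzero();
 * memset() is the portable equivalent), so only the listed types survive. */
void fill_icmp6types_zeroed(icmp6_types_bitmap *bm,
                            const unsigned *types, size_t n)
{
    memset(bm, 0, sizeof(*bm));
    fill_icmp6types_unzeroed(bm, types, n);
}

/* Constructed stale contents: types 32..95 already set, which is the range
 * the commit message reports leaking into the rule. */
static void seed_stale_contents(icmp6_types_bitmap *bm)
{
    memset(bm, 0, sizeof(*bm));
    bm->d[1] = 0xffffffffu;   /* types 32..63 */
    bm->d[2] = 0xffffffffu;   /* types 64..95 */
}

/* Reproduce "icmp6types 1,2,128,129" on a bitmap with stale contents using
 * the unzeroed filler; returns how many types the rule would really match. */
int stale_count_for_example(void)
{
    icmp6_types_bitmap bm;
    const unsigned types[] = {1, 2, 128, 129};

    seed_stale_contents(&bm);
    fill_icmp6types_unzeroed(&bm, types, 4);
    return icmp6_count_types(&bm);
}

/* Same input, same stale contents, but through the zeroing filler. */
int zeroed_count_for_example(void)
{
    icmp6_types_bitmap bm;
    const unsigned types[] = {1, 2, 128, 129};

    seed_stale_contents(&bm);
    fill_icmp6types_zeroed(&bm, types, 4);
    return icmp6_count_types(&bm);
}
```

With the unzeroed filler the four requested types become 68 matched types, which is exactly the "1,2,32,33,...,94,95,128,129" rule the commit message shows; the zeroed filler yields four. The general lesson for any filter structure built up with OR operations is that the clearing step is part of the parser's contract, not an optimisation.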
0f1fb984cdee02593305f597e5984b764726aa44 31-Aug-2006 dwmalone <dwmalone@FreeBSD.org> MFC 1.96: Treat "Bits" as bits not bytes.
MFC 1.95: Fix me6 keyword by getting parens in the right place.
e0dfe3d7df89c3c52e58a630308eaf7fac6c3377 23-Aug-2006 dwmalone <dwmalone@FreeBSD.org> A pipe bandwidth of 10MBits/s should probably
be understood as 10Mbits/s not 10MBytes/s.

Submitted by: Gavin McCullagh <gavin.mccullagh@nuim.ie>
MFC after: 1 week
b6bc6170e95bbe29f1ab91fe7bd5334eb1ef60e8 20-Aug-2006 dwmalone <dwmalone@FreeBSD.org> Rejiggle parens to try and get the intended effect. This should fix people
having trouble with the "me6" keyword. Also, we were using inet_pton on
the wrong variable in one place.

Reviewed by: mlaier (previous version of patch)
Obtained from: Sascha Blank (inet_pton change)
MFC after: 1 week
2e81f075ec517d298bfed516e8bc69c999f21c11 18-Aug-2006 julian <julian@FreeBSD.org> comply with style police

Submitted by: ru
MFC after: 1 month
ff9e3178175b11cd7809c6ada10182a3554f2397 17-Aug-2006 julian <julian@FreeBSD.org> Allow ipfw to forward to a destination that is specified by a table.
for example:
fwd tablearg ip from any to table(1)
where table 1 has entries of the form: router2

This allows trivial implementation of a secondary routing table implemented
in the firewall layer.

I expect more work (under discussion with Glebius) to follow this to clean
up some of the messy parts of ipfw related to tables.

Reviewed by: Glebius
MFC after: 1 month
ce539f49751033b1904735e45c097119e88f2444 07-Aug-2006 mlaier <mlaier@FreeBSD.org> Belatedly MFC ipfw2.c, 1.88:
For src/dest parsing take off the netmask before checking for AF with
inet_pton. This fixes cases like "fe02::/16".

PR: bin/91245
Reported by: Fredrik Lindberge

Reminded by: oleg
e39de9bd5c5f4f79e4ce5382bba0b9e1a1262b79 05-Aug-2006 stefanf <stefanf@FreeBSD.org> Use the SLIST_NEXT macro instead of sle_next.

Checked with: cmp(1)
2c4011996d9fd06cc7da7682714c8978aaf348ae 29-Jul-2006 oleg <oleg@FreeBSD.org> MFC:
src/sys/netinet/ip_dummynet.c rev. 1.101
- Fix following rules: pipe X (tag|altq) Y ...

src/sys/netinet/ip_fw.h rev. 1.106
src/sys/netinet/ip_fw2.c rev. 1.132 1.134 1.135
src/sbin/ipfw/ipfw2.c rev. 1.89 1.91
src/sbin/ipfw/ipfw.8 rev. 1.188 1.189 1.190
- Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
Since tags are kept while the packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.

Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru>

- install_state(): style(9) cleanup

- Add support of 'tablearg' feature for:
a) 'tag' & 'untag' action parameters.
b) 'tagged' & 'limit' rule options.

- Minor improvements to ipfw parser:
a) new macros:
GET_UINT_ARG - support of 'tablearg' keyword, argument range checking.
PRINT_UINT_ARG - support of 'tablearg' keyword.
b) strtoport(): do not silently truncate/accept invalid port list expressions
like: '1,2-abc' or '1,2-3-4' or '1,2-3x4', style(9) cleanup.
64961250b28b2ad75f5a2ed9bfb80842abe10b92 29-Jun-2006 julian <julian@FreeBSD.org> MFC: 1.84. (and fixes)
If in silent mode, do not return an error response if asked
to delete a table entry that is not present, or add one that exists.
f361b24e4beb1033be1c618424055d43e3cc18d5 24-Jun-2006 oleg <oleg@FreeBSD.org> MFC src/sys/netinet/ip_fw2.c rev.1.133:

install_state() should properly initialize 'addr_type' field of newly created
flows for O_LIMIT rules.

MFC src/sbin/ipfw/ipfw2.c rev.1.90 (mlaier):

Print dynamic rules for IPv6 as well.

PR: bin/98349
7a65db868d2dd50e0b00551e66f65f991130d187 15-Jun-2006 oleg <oleg@FreeBSD.org> Add support of 'tablearg' feature for:
- 'tag' & 'untag' action parameters.
- 'tagged' & 'limit' rule options.
Rule examples:
pipe 1 tag tablearg ip from table(1) to any
allow ip from any to table(2) tagged tablearg
allow tcp from table(3) to any 25 setup limit src-addr tablearg

1) new macros
GET_UINT_ARG - support of 'tablearg' keyword, argument range checking.
PRINT_UINT_ARG - support of 'tablearg' keyword.
2) strtoport(): do not silently truncate/accept invalid port list expressions
like: '1,2-abc' or '1,2-3-4' or '1,2-3x4'. style(9) cleanup.

Approved by: glebius (mentor)
MFC after: 1 month
5b7662dfe9883a7e44fa22ced316b437cc59aaeb 02-Jun-2006 mlaier <mlaier@FreeBSD.org> Print dynamic rules for IPv6 as well.

PR: bin/98349
Submitted by: Mark Andrews
MFC after: 2 weeks
499297c74cc00692bc00ddab18c1e67dcbfaf0a9 24-May-2006 oleg <oleg@FreeBSD.org> Implement internal (i.e. inside kernel) packet tagging using mbuf_tags(9).
Since tags are kept while the packet resides in kernelspace, it's possible to
use other kernel facilities (like netgraph nodes) for altering those tags.

Submitted by: Andrey Elsukov <bu7cher at yandex dot ru>
Submitted by: Vadim Goncharov <vadimnuclight at tpu dot ru>
Approved by: glebius (mentor)
Idea from: OpenBSD PF
MFC after: 1 month
efe765e26504465495306de73fb16f6c5c6b4dd2 14-May-2006 mlaier <mlaier@FreeBSD.org> For src/dest parsing take off the netmask before checking for AF with
inet_pton. This fixes cases like "fe02::/16".

PR: bin/91245
Reported by: Fredrik Lindberge
44c376893968817ddb19d4a2ef12f8bf0970fbe0 31-Mar-2006 julian <julian@FreeBSD.org> Amazing.. two screwups in one commit.
I'm piling these pointy hats on top of each other.
At least they nest..
bce212e4e5ce65f246a90972498cc75a379adefe 31-Mar-2006 julian <julian@FreeBSD.org> I can't believe that no-one noticed that I broke ipfw table del
for over a month!
put {} around if clause with multiple statements
b50d2d1850198875f8d41266e4f0afa0af0e5c32 09-Mar-2006 ume <ume@FreeBSD.org> MFC: Revert `proto ip' back to the previous behavior. The kernel side of
ipfw2 doesn't allow zero as a protocol number.

sbin/ipfw/ipfw.8: 1.186
sbin/ipfw/ipfw2.c: 1.85

Approved by: re (mux)
a9ea2a9a097f07173b47dd0bdcc0e6b06c975001 05-Mar-2006 ume <ume@FreeBSD.org> Revert `proto ip' back to the previous behavior. The kernel side of
ipfw2 doesn't allow zero as a protocol number.

MFC after: 3 days
82537e7f969a1ad40f12e1d524aacbf81f39750f 14-Feb-2006 julian <julian@FreeBSD.org> oops, mismerge from working sources.. not only add new code,
but remove old code!
9c8fd45ad2de41502d1f15f35426dc7967a0f245 14-Feb-2006 julian <julian@FreeBSD.org> Stop ipfw from aborting when asked to delete a table entry that
doesn't exist or add one that is already present, if the -q flag
is set. Useful for "ipfw -q /dev/stdin" when the command above is
invoked from something like python or TCL to feed commands
down the throat of ipfw.
MFC in: 1 week
470df2fb1961fbace4a2a896001a7dfbe502bf28 15-Jan-2006 glebius <glebius@FreeBSD.org> MFC:
Add a new feature for optimizing ipfw rulesets - substitution of the
action argument with the value obtained from table lookup. The feature
is now applicable only to "pipe", "queue", "divert", "tee", "netgraph"
and "ngtee" rules.
bf3ba15d9be6715c3f6ffca4703e044b3efc0d75 15-Jan-2006 glebius <glebius@FreeBSD.org> Cleanup _FreeBSD_version.
63168c1b169a20c53b3b2b8d86b7833f5c2424f7 15-Jan-2006 glebius <glebius@FreeBSD.org> MFC:
Catch up with ip_dummynet.h rev. 1.38.
d5ab5191cf5df5bcf63257124ddb49c77c2d7137 13-Dec-2005 glebius <glebius@FreeBSD.org> Add a new feature for optimizing ipfw rulesets - substitution of the
action argument with the value obtained from table lookup. The feature
is now applicable only to "pipe", "queue", "divert", "tee", "netgraph"
and "ngtee" rules.

An example usage:

ipfw pipe 1000 config bw 1000Kbyte/s
ipfw pipe 4000 config bw 4000Kbyte/s
ipfw table 1 add x.x.x.x 1000
ipfw table 1 add x.x.x.y 4000
ipfw pipe tablearg ip from table(1) to any

In the example above the rule will throw different packets to different pipes.

- Support "skipto" action, but without searching all rules.
- Improve parser, so that it warns about bad rules. These are:
- "tablearg" argument to action, but no "table" in the rule. All
traffic will be blocked.
- "tablearg" argument to action, but "table" searches for entry with
a specific value. All traffic will be blocked.
- "tablearg" argument to action, and two "table" lookups - for src and
for dst. The last lookup will match.
5d0fbfa49f349b8c89639345f0f631d1e44596b4 09-Dec-2005 glebius <glebius@FreeBSD.org> Cleanup _FreeBSD_version.
fb6187e212659221153d49791c1352187bdde507 06-Dec-2005 ume <ume@FreeBSD.org> MFC: We couldn't specify the rule for filtering tunnel traffic since an
IPv6 support was committed:

- Stop treating `ip' and `ipv6' as special in `proto' option as they
conflict with /etc/protocols.

- Disuse `ipv4' in `proto' option as it corresponds to `ipv6'.

- When protocol is specified as numeric, treat it as it is even if it is
41 (ipv6).

- Allow zero for protocol as it is the valid number for `ip'.

sbin/ipfw/ipfw.8: 1.180
src/sbin/ipfw/ipfw2.c: 1.80
b9221a7b293183d332361bb1560482565e606177 29-Nov-2005 ume <ume@FreeBSD.org> We couldn't specify the rule for filtering tunnel traffic since an
IPv6 support was committed:

- Stop treating `ip' and `ipv6' as special in `proto' option as they
conflict with /etc/protocols.

- Disuse `ipv4' in `proto' option as it corresponds to `ipv6'.

- When protocol is specified as numeric, treat it as it is even if it is
41 (ipv6).

- Allow zero for protocol as it is the valid number for `ip'.

Still, we cannot specify an IPv6 over an IPv4 tunnel like before, such as

pass ipv6 from any to any

But now you can specify it like:

pass ip4 from any to any proto ipv6

PR: kern/89472
Reported by: Gaël Roualland <gael.roualland__at__dial.oleane.com>
MFC after: 1 week
9cc098a3bd2c8b2b9ba834027a93f61317ac4f92 29-Nov-2005 glebius <glebius@FreeBSD.org> Catch up with ip_dummynet.h rev. 1.38 and fix build.
7abe9e6ffe612f8a9e1d7ea439c090185b48e4c4 29-Nov-2005 glebius <glebius@FreeBSD.org> Garbage-collect now unused struct _ipfw_insn_pipe and flush_pipe_ptrs(),
thus removing a few XXXes.
Document the ABI breakage in UPDATING.
bf3595b8d834ffd34536d2e5826cc9ff5986c6c8 20-Aug-2005 bz <bz@FreeBSD.org> MFC:
rev. 1.108, 1.109 src/sys/netinet/ip_fw2.c
rev. 1.101 src/sys/netinet/ip_fw.h
rev. 1.77 src/sbin/ipfw/ipfw2.c
rev. 1.176 src/sbin/ipfw/ipfw.8

* Add dynamic sysctl for net.inet6.ip6.fw.
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.
* Fix build without INET6 and IPFIREWALL compiled into kernel.[1]

Submitted by: sysctl handling derived from patch from ume needed for ip6fw
Obtained from: is_icmp6_query and send_reject6 derived from similar
functions of netinet6,ip6fw
Reviewed by: ume, gnn; silence on ipfw@
Spotted and tested by: Michal Mertl <mime at traveller.cz>[1]
Approved by: re (kensmith)
5434a588080f496f3f78c9b62fcc9bc2993449cb 13-Aug-2005 bz <bz@FreeBSD.org> * Add dynamic sysctl for net.inet6.ip6.fw.
* Correct handling of IPv6 Extension Headers.
* Add unreach6 code.
* Add logging for IPv6.

Submitted by: sysctl handling derived from patch from ume needed for ip6fw
Obtained from: is_icmp6_query and send_reject6 derived from similar
functions of netinet6,ip6fw
Reviewed by: ume, gnn; silence on ipfw@
Test setup provided by: CK Software GmbH
MFC after: 6 days
163c101c2cf347c70a3fe18f9acab4779cd2484b 07-Jun-2005 mlaier <mlaier@FreeBSD.org> add_proto() now fills proto for us so stop 'guessing' the protocol from the
command and rather trust the value add_proto filled in. While here, fix an
oversight in the pretty printing of ip6/4 options.
f2254cf7022e4e6909272699c8e1f774b7e4e3f1 03-Jun-2005 mlaier <mlaier@FreeBSD.org> Add support for IPv4 only rules to IPFW2 now that it supports IPv6 as well.
This is the last requirement before we can retire ip6fw.

Reviewed by: dwhite, brooks(earlier version)
Submitted by: dwhite (manpage)
Silence from: -ipfw
ce2b072e9f6924afc8e43de7ce661b3f1642c441 21-May-2005 mlaier <mlaier@FreeBSD.org> Unbreak handling of "ip[v]6" protocol and option flag. No more segfaults
and not every protocol is IPv6.
3f77e18f9b94a43481ad88f443208b20edbfbdc8 26-Apr-2005 brooks <brooks@FreeBSD.org> Fix the previous commit. I wanted to remove the if and always run the
body, not remove both.

Reported by: ceri
Pointy hat: brooks
347035a2c95e2e10e9d70cf894f67d74ae119484 26-Apr-2005 brooks <brooks@FreeBSD.org> Don't force IPv6 proto to be printed numerically.

Noticed by: ceri
f3ecaa630b5d676d2b43b5da90f46c294bd63836 18-Apr-2005 brooks <brooks@FreeBSD.org> Add IPv6 support to IPFW and Dummynet.

Submitted by: Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
151bf3aeda01f38eac0a40377e1ef6bba0c8831f 05-Apr-2005 brooks <brooks@FreeBSD.org> Be more specific when complaining about bit masks.
67c8ae0802e5b708541ca404efd85c35330e6640 05-Feb-2005 glebius <glebius@FreeBSD.org> Add a ng_ipfw node, implementing a quick and simple interface between
ipfw(4) and netgraph(4) facilities.

Reviewed by: andre, brooks, julian
038ca13cb7f5445f7485c8c5bef12d58c0a7b92a 18-Jan-2005 glebius <glebius@FreeBSD.org> Don't print extra " via ", if we have already printed one. While here,
slightly style brackets.

PR: misc/75297
MFC after: 1 week
a7b7255dba8fc4dbb902a3e1c18effdb1c509a49 15-Jan-2005 brooks <brooks@FreeBSD.org> Deprecate unmaintainable uses of strncmp to implement abbreviations.
This commit replaces those with two new functions that simplify the code
and produce warnings that the syntax is deprecated. A small number of
sensible abbreviations may be explicitly added based on user feedback.

There were previously three types of strncmp use in ipfw:
- Most commonly, strncmp(av, "string", sizeof(av)) was used to allow av
to match string or any shortened form of it. I have replaced this
with a new function _substrcmp(av, "string") which returns 0 if av
is a substring of "string", but emits a warning if av is not exactly

- The next type was two instances of strncmp(av, "by", 2) which allowed
the abbreviation of bytes to "by", "byt", etc. Unfortunately, it
also supported "bykHUygh&*g&*7*ui". I added a second new function
_substrcmp2(av, "by", "bytes") which acts like the strncmp did, but
complains if the user doesn't spell out the word "bytes".

- There is also one correct use of strncmp to match "table(" which might
have another token after it without a space.

Since I changed all the lines anyway, I also fixed the treatment of
strncmp's return as a boolean in many cases. I also modified a few
strcmp cases as well to be fully consistent.
182c46b20dedd864b7066a7d50338bd691247880 07-Jan-2005 brooks <brooks@FreeBSD.org> Write some bit mask limits in hex rather than decimal so they look less
e25eb8fca3b0abca815f96fe603ca6b7324712b9 25-Nov-2004 brooks <brooks@FreeBSD.org> Remove a duplicate line from an apparent merge error in rev 1.63.
a5dc9b92684ac12031e6fc8524048c7f76a9cd32 08-Oct-2004 green <green@FreeBSD.org> Commit forgotten documentation for "diverted" rules.
cb606898b9f83045c54ca6796b13313487916ac0 03-Oct-2004 green <green@FreeBSD.org> Add support to IPFW for matching by TCP data length.
4f70622005bf8214002abf3a3dcd4f7614f2dd59 03-Oct-2004 green <green@FreeBSD.org> Add support to IPFW for classification based on "diverted" status
(that is, input via a divert socket).
4454a09917934bccea925f619fa53ec38b25a5d7 03-Oct-2004 green <green@FreeBSD.org> Remove accidentally-added O_DIVERTED section.
a1ab5f0c7dae91ac2b8d9c2be9463083757f5fe6 03-Oct-2004 green <green@FreeBSD.org> Add to IPFW the ability to do ALTQ classification/tagging.
88c0121fcb364467ed1cf5c2205b7d004f057ceb 21-Sep-2004 csjp <csjp@FreeBSD.org> Since "d" is an array of 32 bit values, it is more
correct to change the cast from unsigned int to uint32_t.

Pointed out by: luigi
b1981485f76169c84d5d3e162d766c201f05fd08 11-Sep-2004 csjp <csjp@FreeBSD.org> Currently when ipfw(8) generates the micro-instructions for rules which
contain O_UID, O_GID and O_JAIL opcodes, the F_NOT or F_OR logical
operator bits get clobbered, making it impossible to use the ``NOT'' or
``OR'' operators with uid, gid and jail based constraints.

The ipfw_insn instruction template contains a ``len'' element which
stores two pieces of information, the size of the instruction
(in 32-bit words) in the low 6 bits of "len" with the 2 remaining
bits to implement OR and NOT.

The current code clobbers the OR and NOT bits by initializing the
``len'' element to the size, rather than OR'ing the bits. This change
fixes this by changing the initialization of cmd->len to an OR operation
for the O_UID, O_GID and O_JAIL opcodes.

This may be a MFC candidate for RELENG_5.

Reviewed by: andre
Approved by: luigi
PR: kern/63961 (partially)
e510005b1a940dd73ddd385cce471aaeea507ab2 10-Sep-2004 maxim <maxim@FreeBSD.org> o Initialize a local variable and make gcc happy.

PR: bin/71485
Submitted by: Jukka A. Ukkonen
d003e4e10fd36cc26502515efcbc35bf3a02d2e9 29-Aug-2004 maxim <maxim@FreeBSD.org> o Restore a historical ipfw1 logamount behaviour: rules with 'log'
keyword but without 'logamount' limit the amount of their log messages
by net.inet.ip.fw.verbose_limit sysctl value.

RELENG_5 candidate.

PR: kern/46080
Submitted by: Dan Pelleg
MFC after: 1 week
aa05ee70bcf2fc0e6538044e9a4de14d587d761d 23-Aug-2004 pjd <pjd@FreeBSD.org> Fix 'show' command for pipes and queues.

PR: bin/70311
Submitted by: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
MFC after: 3 days
6661aed38d315a94d79f9f5311239dbfeceb4083 12-Aug-2004 csjp <csjp@FreeBSD.org> Add the ability to associate ipfw rules with a specific prison ID.
Since the only thing truly unique about a prison is its ID, I figured
this would be the most granular way of handling this.

This commit makes the following changes:

- Adds tokenizing and parsing for the ``jail'' command line option
to the ipfw(8) userspace utility.
- Append the ipfw opcode list with O_JAIL.
- While I am here, add a comment informing others that if they
want to add additional opcodes, they should append them to the end
of the list to avoid ABI breakage.
- Add ``fw_prid'' to the ipfw ucred cache structure.
- When initializing ucred cache, if the process is jailed,
set fw_prid to the prison ID, otherwise set it to -1.
- Update man page to reflect these changes.

This change was a strong motivator behind the ucred caching
mechanism in ipfw.

A sample usage of this new functionality could be:

ipfw add count ip from any to any jail 2

It should be noted that because ucred based constraints
are only implemented for TCP and UDP packets, the same
applies for jail associations.

Conceptual head nod by: pjd
Reviewed by: rwatson
Approved by: bmilekic (mentor)
649b4336f4c3f3c74176cbaa17d1a54288018ba7 09-Aug-2004 andre <andre@FreeBSD.org> New ipfw option "antispoof":

For incoming packets, the packet's source address is checked to see whether it
belongs to a directly connected network. If the network is directly
connected, then the interface the packet came in on is compared to
the interface the network is connected to. When the incoming interface
and the directly connected interface are not the same, the packet does
not match.

Usage example:

ipfw add deny ip from any to any not antispoof in

Manpage education by: ru
08b51f32419c42e6d2e7990051bfdea845362f75 10-Jun-2004 ru <ru@FreeBSD.org> Fixed a bug spotted by compiling with -Wall.
27bed143c8c7c9b562797f2484f88fdaa8bc1e39 09-Jun-2004 ru <ru@FreeBSD.org> Introduce a new feature to IPFW2: lookup tables. These are useful
for handling large sparse address sets. Initial implementation by
Vsevolod Lobko <seva@ip.net.ua>, refined by me.

MFC after: 1 week
77c46c25ea46aa8cdd333c9104a8d61cebca86b3 02-Jun-2004 csjp <csjp@FreeBSD.org> o Move NEED1 macro to the top of the source file.

o Add sanity checking to the firewall delete operation
which tells the user that a firewall rule
specification is required.

The previous behaviour was to exit without reporting any
errors to the user.

Approved by: bmilekic (mentor)
5aa19203106329a7c3f60c08cf85231099311a57 18-May-2004 stefanf <stefanf@FreeBSD.org> Remove spurious semicolons.

Approved by: das (mentor)
Reviewed by: ipfw@
02de288baa42c7ed6df99d0272fe1e2c776cf55a 09-May-2004 csjp <csjp@FreeBSD.org> Remove redundant sanity check before add_mac() when adding
mac ipfw rules. The exact same sanity check is performed as
the first operation of add_mac(), so there is no sense
in doing it twice.

Approved by: bmilekic (mentor)
PR: bin/55981
d4f49f008f33c4f8764a222f33a2c7469a2bed19 23-Apr-2004 andre <andre@FreeBSD.org> Add the option versrcreach to verify that a valid route to the
source address of a packet exists in the routing table. The
default route is ignored because it would match everything and
render the check pointless.

This option is very useful for routers with a complete view of
the Internet (BGP) in the routing table to reject packets with
spoofed or unrouteable source addresses.


ipfw add 1000 deny ip from any to any not versrcreach

also known in Cisco-speak as:

ip verify unicast source reachable-via any

Reviewed by: luigi
7c2d4936459c16f1ab5823b44c18fbd81474fa28 09-Apr-2004 maxim <maxim@FreeBSD.org> o Fix incorrect parsing of an expression.

PR: kern/64778
MFC after: 6 weeks
ed6eaf7bd911166c7e8d63e44674b0518add9787 24-Jan-2004 maxim <maxim@FreeBSD.org> o Pass a correct argument to errx(3).

PR: bin/61846
Submitted by: Eugene Grosbein
MFC after: 1 week
912d84fa39ca176c72b4a298434a9608a5b24a36 24-Dec-2003 maxim <maxim@FreeBSD.org> o Legitimize the -f (force) flag for the -p (preprocessor) case.

PR: bin/60433
Submitted by: Bjoern A. Zeeb
MFC after: 3 weeks
d2a6451a37922152b78305f66308dedace8bb5ba 12-Dec-2003 luigi <luigi@FreeBSD.org> Add a -b flag to /sbin/ipfw to print only action and comment for each
rule, thus omitting the entire body.
This makes the output a lot more readable for complex rulesets
(provided, of course, you have annotated your ruleset appropriately!)

MFC after: 3 days
f1e94c6f29b079e4ad9d9305ef3e90a719bcbbda 31-Oct-2003 brooks <brooks@FreeBSD.org> Replace the if_name and if_unit members of struct ifnet with new members
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.

This change paves the way for interface renaming and enhanced pseudo
device creation and configuration semantics.

Approved By: re (in principle)
Reviewed By: njl, imp
Tested On: i386, amd64, sparc64
Obtained From: NetBSD (if_xname)
7e54937ddb022f672576cb288d412974c0534239 03-Oct-2003 sam <sam@FreeBSD.org> remove include of route.h now that ip_dummynet.h no longer exposes
data structures that have an embedded struct route

Sponsored by: FreeBSD Foundation
c8c49c9053cf93bca10de6b9c511e6405c9e181b 04-Sep-2003 tmm <tmm@FreeBSD.org> Apply a bandaid to get this working on sparc64 again; the introduction
of do_cmd() broke things, because this function assumes that a socklen_t
is large enough to hold a pointer.
A real solution to this problem would be a rewrite of do_cmd() to
treat the optlen parameter consistently and not use it to carry
a pointer or integer dependent on the context.
c789fb5e2063c3015f4ed9c429611ba4e1fd6fc4 02-Sep-2003 maxim <maxim@FreeBSD.org> Check the argument count before proceeding in sysctl_handler().

PR: bin/56298
Submitted by: Kang Liu <liukang@bjpu.edu.cn>
MFC after: 2 weeks

# We need a regression test suite for ipfw(2)/ipfw(8) badly.
5d0d1d89afae69b866c9eddb6de40960d75a14bd 21-Jul-2003 maxim <maxim@FreeBSD.org> o Initialize do_pipe before command parsing.

PR: bin/54649
Submitted by: Andy Gilligan <andy@evo6.org>
MFC after: 3 days
d9b36adf9db6e55ce3c1c5daac171320822b286b 15-Jul-2003 luigi <luigi@FreeBSD.org> Userland side of:
Allow set 31 to be used for rules other than 65535.
Set 31 is still special because rules belonging to it are not deleted
by the "ipfw flush" command, but must be deleted explicitly with
"ipfw delete set 31" or by individual rule numbers.

This implements a flexible form of "persistent rules" which you might
want to have available even after an "ipfw flush".
Note that this change does not violate POLA, because you could not
use set 31 in a ruleset before this change.

Suggested by: Paul Richards
ce0c00f511371de4e08ccd40a89f1d4d6b8f7912 15-Jul-2003 luigi <luigi@FreeBSD.org> Make sure that comments are printed at the end of a rule.

Reported by: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
a122d1d4616c9f6dd793fb803d7b6125bc6858f4 14-Jul-2003 luigi <luigi@FreeBSD.org> Fix one typo in help() string, remove whitespace at end of line and
other minor whitespace changes.

Replace u_char with uint8_t in a few places.
be37c541ae6482e2829990c12ee3bc5c7dd71e1e 14-Jul-2003 luigi <luigi@FreeBSD.org> Accept empty lines when reading from a file (this fixes a bug
introduced in the latest commits).


* update the 'ipfw -h' output;

* allow rules of the form "100 add allow ..." i.e. with the index first.
(requested by Paul Richards). This was an undocumented ipfw1 behaviour,
and it is left undocumented.

and minor code cleanups.
043fe49d632271f6d3cdc39b84baa093dc4cbd60 12-Jul-2003 luigi <luigi@FreeBSD.org> Add a '-T' flag to print the timestamp as numeric value instead
of converting it with ctime(). This is a lot more convenient for

Submitted by: "Jacob S. Barrett" <jbarrett@amduat.net>
1282338878b6d294cf795d294e7bb6aa5a5186e2 12-Jul-2003 luigi <luigi@FreeBSD.org> In random order:

* make the code compile with WARNS=5 (at least on i386), mostly
by adding 'const' specifier and replacing "void *" with "char *"
in places where pointer arithmetic was used.
This also spotted a few places where invalid tests (e.g. uint < 0)
were used.

* support ranges in "list" and "show" commands. Now you can say

ipfw show 100-1000 4000-8000

which is very convenient when you have large rulesets.

* implement comments in ipfw commands. These are implemented in the
kernel as O_NOP commands (which always match) whose body contains
the comment string. In userland, a comment is a C++-style comment:

ipfw add allow ip from me to any // i can talk to everybody

The choice of '//' versus '#' is somewhat arbitrary, but because
the preprocessor/readfile part of ipfw used to strip away '#',
I did not want to change this behaviour.

If a rule only contains a comment

ipfw add 1000 // this rule is just a comment

then it is stored as a 'count' rule (this is also to remind
the user that scanning through a rule is expensive).

* improve handling of flags (still to be completed).
ipfw_main() was written thinking of 'one rule per ipfw invocation',
and so flags are set and never cleared. With readfile/preprocessor
support, this changes and certain flags should be reset on each
line. For the time being, only fix handling of '-a' which
differentiates the "list" and "show" commands.

* rework the preprocessor support -- ipfw_main() already had most
of the parsing code, so I have moved in there the only missing
bit (stripping away '#' and comments) and removed the parsing
from ipfw_readfile().
Also, add some more options (such as -c, -N, -S) to the readfile

MFC after: 3 days
45a53225d8111c69d12992255593f256a55f55ea 08-Jul-2003 luigi <luigi@FreeBSD.org> A bunch of changes (mostly syntactic sugar, all backward compatible):

* Make the addr-set size optional (defaults to /24)
You can now write{56-80} or{56-80}
Also make the parser more strict.

* Support a new format for the list of addresses:,,,, ...
which exploits the new capabilities of O_IP_SRC_MASK/O_IP_DST_MASK

* Allow spaces after commas to make lists of addresses more readable.,,,, ...

* ipfw will now accept full commands as a single argument and strip
extra leading/trailing whitespace as below:
ipfw "-q add allow ip from to, "
This should help in moving the body of ipfw into a library
that user programs can invoke.

* Cleanup some comments and data structures.

* Do not print rule counters for dynamic rules with ipfw -d list
(PR 51182)

* Improve 'ipfw -h' output (PR 46785)

* Add a '-n' flag to test the syntax of commands without actually
calling [gs]etsockopt() (PR 44238)

* Support the '-n' flag also with the preprocessors;

Manpage commit to follow.

MFC after: 3 days
c530f5973f70002f8d4f101d8be867a7b2cd031c 04-Jul-2003 luigi <luigi@FreeBSD.org> Implement the 'ipsec' option to match packets coming out of an ipsec tunnel.
Should work with both regular and fast ipsec (mutually exclusive).
See manpage for more details.

Submitted by: Ari Suutari (ari.suutari@syncrontech.com)
Revised by: sam
MFC after: 1 week
131318184e9eceae71726ef73aef6d437338ac47 27-Jun-2003 luigi <luigi@FreeBSD.org> remove extra whitespace and blank lines
f71f9df706a36ec25fdbde2e8451b6109e64ea0d 23-Jun-2003 luigi <luigi@FreeBSD.org> Split some long lines to fit 80 columns (the code in RELENG_4
was already correct).
7d1080fe33a6ce1eb16aa602b1d5bb9918f0c09f 23-Jun-2003 luigi <luigi@FreeBSD.org> syntactic sugar: support range notation such as{5,6,7,10-20,60-90}
for set of ip addresses.
Previously you needed to specify every address in the range, which
was inconvenient and led to very long lines.
Internally the set is still stored in the same way, just the
input and output routines are modified.

Manpage update still missing.

Perhaps a similar preprocessing step would be useful for port ranges.

MFC after: 3 days
a2349d529836463f5ee1d4f893837c60d23b15d2 22-Jun-2003 luigi <luigi@FreeBSD.org> Add support for multiple values and ranges for the "iplen", "ipttl",
"ipid" options. This feature has been requested by several users.
In passing, fix some minor bugs in the parser. This change is fully
backward compatible so if you have an old /sbin/ipfw and a new
kernel you are not in trouble (but you need to update /sbin/ipfw
if you want to use the new features).

Document the changes in the manpage.

Now you can write things like

ipfw add skipto 1000 iplen 0-500

which some people were asking to give preferential treatment to
short packets.

The 'MFC after' is just set as a reminder, because I still need
to merge the Alpha/Sparc64 fixes for ipfw2 (which unfortunately
change the size of certain kernel structures; not that it matters
a lot since ipfw2 is entirely optional and not the default...)

PR: bin/48015

MFC after: 1 week
5a341ceea0cbdc652b00645a7c1937a34fe936bf 16-Jun-2003 maxim <maxim@FreeBSD.org> o Pass a correct argument to printf(3).

PR: bin/51750
Submitted by: Vasil Dimov <vd@datamax.bg>
MFC after: 2 weeks
bb00c59c79a3aceacb0bb3712668d1a80352481f 04-Jun-2003 ticso <ticso@FreeBSD.org> Change handling to support strong alignment architectures such as alpha and

PR: alpha/50658
Submitted by: rizzo
Tested on: alpha
94a234c212a5c9dd2d1959aeac7d473f32edc469 15-Mar-2003 cjc <cjc@FreeBSD.org> Add a 'verrevpath' option that verifies the interface that a packet
comes in on is the same interface that we would route out of to get to
the packet's source address. Essentially automates an anti-spoofing
check using the information in the routing table.

Experimental. The usage and rule format for the feature may still be
subject to change.
943ba45ae5ca2f2d117bcb4d8a03441351d87c0f 13-Mar-2003 maxim <maxim@FreeBSD.org> o Partially revert rev. 1.103, fix 'ipfw show': dynamically adjust the
width of fields for packets and bytes counters.

PR: bin/47196
Reviewed by: -audit
Not objected by: luigi, des

o Use %llu instead of deprecated %qu conversion specification for ipfw
packets and bytes counters.

Noted by: des
MFC after: 1 month
d780a8e4ec7278df96a51bf2a94de46d27ab9177 12-Jan-2003 dillon <dillon@FreeBSD.org> It turns out that we do not need to add a new ioctl to unbreak a
default-to-deny firewall. Simply turning off IPFW via a preexisting
sysctl does the job. To make it more apparent (since nobody picked up
on this in a week's worth of flames), the boolean sysctls have been
integrated into the /sbin/ipfw command set in an obvious and straightforward
manner. For example, you can now do 'ipfw disable firewall' or
'ipfw enable firewall'. This is far easier to remember than the
net.inet.ip.fw.enable sysctl.

Reviewed by: imp
MFC after: 3 days
d3367c5f5d3ddcc6824d8f41c4cf179f9a5588f8 01-Jan-2003 schweikh <schweikh@FreeBSD.org> Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup,
especially in troff files.
9ac9c4ac0c352bd7527c4e2d11ce5b069ea22436 23-Dec-2002 kbyanc <kbyanc@FreeBSD.org> Make preprocessor support more generic by passing all command-line options
after -p except for the last (the ruleset file to process) to the
preprocessor for interpretation. This allows command-line options besides
-U and -D to be passed to cpp(1) and m4(1) as well as making it easier to
use other preprocessors.

Sponsored By: NTT Multimedia Communications Labs
MFC after: 1 week
2dcf3f40e1f30f9d91ee9967b3826786db73333b 26-Nov-2002 keramida <keramida@FreeBSD.org> Align timestamps when -t is used in ipfw and ipfw2.

PR: kern/44843
Approved by: re (jhb)
e7e1590ec6bd185936901503ca73cd07cd2740e8 26-Nov-2002 luigi <luigi@FreeBSD.org> Fix a kernel panic with rules of the type

prob 0.5 pipe NN ....

due to the generation of an invalid ipfw instruction sequence.
No ABI change, but you need to upgrade /sbin/ipfw to generate the
correct code.

Approved by: re
9e1dcedc4a371029357f988d57dce49db9ad0def 06-Nov-2002 maxim <maxim@FreeBSD.org> Kill EOL whitespaces, style(9) fix.
d32e27266d0d5becd2df83aa74ae8224d3fba9ee 06-Nov-2002 maxim <maxim@FreeBSD.org> Fix UID/GID options parsing.

PR: bin/42579
Submitted by: Belousov Oleg <oleg@belousov.com>
Approved by: luigi
MFC after: 2 weeks
6b68b7717efa3ba892f3ff4dee85e1c5b8b8166a 24-Oct-2002 mux <mux@FreeBSD.org> Fix ipfw2 panics on 64-bit platforms.

Quoting luigi:

In order to make the userland code fully 64-bit clean it may
be necessary to commit other changes that may or may not cause
a minor change in the ABI.

Reviewed by: luigi
4eb7324870821ed43689fe000ead5b3815f6e051 12-Sep-2002 luigi <luigi@FreeBSD.org> Store the port number in "fwd" rules in host format, same as ipfw1
has always done.

Technically, this is the wrong format, but it reduces the diffs in
-stable. Someday, when we get rid of ipfw1, I will put the port number
in the proper format both in kernel and userland.

MFC after: 3 days
(with re@ permission)
be3fb716390064e92134d98e272ab35537b33ce9 19-Aug-2002 luigi <luigi@FreeBSD.org> One more (hopefully the last one) step in cleaning up the syntax,
following Julian's good suggestion: since you can specify any match
pattern as an option, rules now have the following format:

[<proto> from <src> to <dst>] [options]

i.e. the first part is now entirely optional (and left there just
for compatibility with ipfw1 rulesets).

Add a "-c" flag to show/list rules in the compact form
(i.e. without the "ip from any to any" part) when possible.
The default is to include it so that scripts processing ipfw's
canonical output will still work.
Note that as part of this cleanup (and to remove ambiguity), MAC
fields now can only be specified in the options part.

Update the manpage to reflect the syntax.

Clarify the behaviour when a match is attempted on fields which
are not present in the packet, e.g. port numbers on non TCP/UDP
packets, and the "not" operator is specified. E.g.

ipfw add allow not src-port 80

will also match ICMP packets because they do not have port numbers, so
"src-port 80" will fail and "not src-port 80" will succeed. For such
cases it is advised to insert further options to prevent undesired results
(e.g. in the case above, "ipfw add allow proto tcp not src-port 80").

We definitely need to rewrite the parser using lex and yacc!
7a01faeb986e02cda904c1b3b06dd18b9a262bb4 19-Aug-2002 luigi <luigi@FreeBSD.org> Major cleanup of the parser and printing routines in an attempt to
render the syntax less ambiguous.

Now rules can be in one of these two forms

<action> <protocol> from <src> to <dst> [options]
<action> MAC dst-mac src-mac mac-type [options]

however you can now specify MAC and IP header fields as options e.g.

ipfw add allow all from any to any mac-type arp
ipfw add allow all from any to any { dst-ip me or src-ip me }

which makes complex expressions a lot easier to write and parse.
The "all from any to any" part is there just for backward compatibility.

Manpage updated accordingly.
6d2f675ff72aea0c0a68127f92aa569bd522eba8 16-Aug-2002 luigi <luigi@FreeBSD.org> sys/netinet/ip_fw2.c:

Implement the M_SKIP_FIREWALL bit in m_flags to avoid loops
for firewall-generated packets (the constant has to go in sys/mbuf.h).

Better comments on keepalive generation, and enforce dyn_rst_lifetime
and dyn_fin_lifetime to be less than dyn_keepalive_period.

Enforce limits (up to 64k) on the number of dynamic buckets, and
retry allocation with smaller sizes.

Raise default number of dynamic rules to 4096.

Improved handling of sets of rules -- now you can atomically
enable/disable multiple sets, move rules from one set to another,
and swap sets.

userland support for "noerror" pipe attribute.

userland support for sets of rules.

minor improvements on rule parsing and printing.

more documentation on ipfw2 extensions, differences from ipfw1
(so we can use the same manpage for both), stateful rules,
and some additional examples.
Feedback and more examples needed here.
d7e57fda87ab250ce74541d103d7974d202516f0 10-Aug-2002 luigi <luigi@FreeBSD.org> Fix one parsing bug introduced by last commit, and correct parsing
and printing of or-blocks in address, ports and options lists.
e3c4c6c9daa5f8657f056c8088ad060282c15bbe 10-Aug-2002 luigi <luigi@FreeBSD.org> One bugfix and one new feature.

The bugfix (ipfw2.c) makes the handling of port numbers with
a dash in the name, e.g. ftp-data, consistent with old ipfw:
use \\ before the - to consider it as part of the name and not
a range separator.

The new feature (all this description will go in the manpage):

each rule now belongs to one of 32 different sets, which can
be optionally specified in the following form:

ipfw add 100 set 23 allow ip from any to any

If "set N" is not specified, the rule belongs to set 0.

Individual sets can be disabled, enabled, and deleted with the commands:

ipfw disable set N
ipfw enable set N
ipfw delete set N

Enabling/disabling of a set is atomic. Rules belonging to a disabled
set are skipped during packet matching, and they are not listed
unless you use the '-S' flag in the show/list commands.
Note that dynamic rules, once created, are always active until
they expire or their parent rule is deleted.
Set 31 is reserved for the default rule and cannot be disabled.

All sets are enabled by default. The enable/disable status of the sets
can be shown with the command

ipfw show sets

Hopefully, this feature will make life easier for those who want to
have atomic ruleset addition/deletion/tests. Examples:

To add a set of rules atomically:

ipfw disable set 18
ipfw add ... set 18 ... # repeat as needed
ipfw enable set 18

To delete a set of rules atomically

ipfw disable set 18
ipfw delete set 18
ipfw enable set 18

To test a ruleset and disable it and regain control if something
goes wrong:

ipfw disable set 18
ipfw add ... set 18 ... # repeat as needed
ipfw enable set 18 ; echo "done "; sleep 30 && ipfw disable set 18

Here, if everything goes well, you press control-C before
the "sleep" terminates, and your ruleset will be left
active. Otherwise, e.g. if you cannot access your box,
the ruleset will be disabled after the sleep terminates.

I think there is only one more thing that one might want, namely
a command to assign all rules in set X to set Y, so one can
test a ruleset using the above mechanisms, and once it is
considered acceptable, make it part of an existing ruleset.
41b5da4c2049fbfc54b3f97d64a948c223195e3e 04-Aug-2002 luigi <luigi@FreeBSD.org> Fix generation of check-state rules, which I broke in last commit.
5f890d455e3e8952439397a5870c1d275724d4a0 31-Jul-2002 luigi <luigi@FreeBSD.org> Forgot this one: properly initialize an address set when the set
size is less than 32 bits (/28 mask or more).
Also remove a debugging fprintf().
9503b6d5cd749af5f4a168d9c598429dac429c60 31-Jul-2002 luigi <luigi@FreeBSD.org> Two bugfixes:
+ the header file contains two different opcodes (O_IPOPTS and O_IPOPT)
for what is the same thing, and sure enough I used one in the kernel
and the other one in userland. Be consistent!

+ "keep-state" and "limit" must be the last match pattern in a rule,
so no matter how you enter them move them to the end of the rule.
8c163527e8dfce287de82c8ec9b25c288edc5577 13-Jul-2002 luigi <luigi@FreeBSD.org> A bunch of minor fixes:

* accept "icmptype" as an alias for "icmptypes";
* remove an extra whitespace after "log" rules;
* print correctly the "limit" masks;
* correct a typo in parsing dummynet arguments (this caused a coredump);
* do not allow specifying both "check-state" and "limit", they are
(and have always been) mutually exclusive;
* remove an extra print of the rule before installing it;
* make stdout buffered -- otherwise, if you log its output with syslog,
you will see one entry for each printf(). Rather unpleasant.
91dbf8726eef25725068916e2c1729b8f3476caa 08-Jul-2002 bde <bde@FreeBSD.org> Fixed some world breakage caused by not updating clients when <timeconv.h>
was split off from <time.h>. This became fatal here when -Werror was
95e13a442bbbd5c27bc85499b778f90a47530072 05-Jul-2002 luigi <luigi@FreeBSD.org> Implement the last 2-3 missing instructions for ipfw,
now it should support all the instructions of the old ipfw.

Fix some bugs in the user interface, /sbin/ipfw.

Please check this code against your rulesets, so I can fix the
remaining bugs (if any; I think they will be mostly in /sbin/ipfw).

Once we have done a bit of testing, this code is ready to be MFC'ed,
together with a bunch of other changes (glue to ipfw, and also the
removal of some global variables) which have been in -current for
a couple of weeks now.

MFC after: 7 days
a9ab854862b9e8f268eb8bbbac00742895dbb2c3 27-Jun-2002 luigi <luigi@FreeBSD.org> The new ipfw code.

This code makes use of variable-size kernel representation of rules
(exactly the same concept of BPF instructions, as used in the BSDI's
firewall), which makes firewall operation a lot faster, and the
code more readable and easier to extend and debug.

The interface with the rest of the system is unchanged, as witnessed
by this commit. The only extra kernel files that I am touching
are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In
userland I only had to touch those programs which manipulate the
internal representation of firewall rules.

The code is almost entirely new (and I believe I have written the
vast majority of those sections which were taken from the former
ip_fw.c), so rather than modifying the old ip_fw.c I decided to
create a new file, sys/netinet/ip_fw2.c . Same for the user
interface, which is in sbin/ipfw/ipfw2.c (it still compiles to
/sbin/ipfw). The old files are still there, and will be removed
in due time.

I have not renamed the header file because it would have required
touching a one-line change to a number of kernel files.

In terms of user interface, the new "ipfw" is supposed to accept
the old syntax for ipfw rules (and produce the same output with
"ipfw show"). Only a couple of the old options (out of some 30 of
them) have not been implemented, but they will be soon.

On the other hand, the new code has some very powerful extensions.
First, you can put "or" connectives between match fields (and soon
also between options), and write things like

ipfw add allow ip from { or } 10-23,25,1024-3000 to any

This should make rulesets slightly more compact (and lines longer!),
by condensing 2 or more of the old rules into single ones.

Also, as an example of how easy the rules can be extended, I have
implemented an 'address set' match pattern, where you can specify
an IP address in a format like this: {18,44,33,22,9}

which will match the set of hosts listed in braces belonging to the
subnet . The match is done using a bitmap, so it is
essentially a constant time operation requiring a handful of CPU
instructions (and a very small amount of memory -- for a full /24
subnet, the instruction only consumes 40 bytes).

Again, in this commit I have focused on functionality and tried
to minimize changes to the other parts of the system. Some performance
improvement can be achieved with minor changes to the interface of
ip_fw_chk_t. This will be done later when this code is settled.

The code is meant to compile unmodified on RELENG_4 (once the
PACKET_TAG_* changes have been merged), for this reason
you will see #ifdef __FreeBSD_version in a couple of places.
This should minimize errors when (hopefully soon) it will be time
to do the MFC.