Changeset View
Changeset View
Standalone View
Standalone View
sbin/ipfw/ipfw.8
| .\" | .\" | ||||
| .\" $FreeBSD$ | .\" $FreeBSD$ | ||||
| .\" | .\" | ||||
| .Dd June 14, 2021 | .Dd June 4, 2022 | ||||
| .Dt IPFW 8 | .Dt IPFW 8 | ||||
| .Os | .Os | ||||
| .Sh NAME | .Sh NAME | ||||
| .Nm ipfw , dnctl | .Nm ipfw , dnctl | ||||
| .Nd User interface for firewall, traffic shaper, packet scheduler, | .Nd User interface for firewall, traffic shaper, packet scheduler, | ||||
| in-kernel NAT. | in-kernel NAT. | ||||
| .Sh SYNOPSIS | .Sh SYNOPSIS | ||||
| .Ss FIREWALL CONFIGURATION | .Ss FIREWALL CONFIGURATION | ||||
| ▲ Show 20 Lines • Show All 1,592 Lines • ▼ Show 20 Lines | |||||
| See the | See the | ||||
| .Sx LOOKUP TABLES | .Sx LOOKUP TABLES | ||||
| section below for more information on lookup tables. | section below for more information on lookup tables. | ||||
| .It Cm flow-id Ar labels | .It Cm flow-id Ar labels | ||||
| Matches IPv6 packets containing any of the flow labels given in | Matches IPv6 packets containing any of the flow labels given in | ||||
| .Ar labels . | .Ar labels . | ||||
| .Ar labels | .Ar labels | ||||
| is a comma separated list of numeric flow labels. | is a comma separated list of numeric flow labels. | ||||
| .It Cm dst-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value | |||||
| Search for the destination MAC address entry in lookup table | |||||
| .Ar name . | |||||
| If not found, the match fails. | |||||
| Otherwise, the match succeeds and | |||||
| .Cm tablearg | |||||
| is set to the value extracted from the table. | |||||
| .It Cm src-mac Ar table Ns Pq Ar name Ns Op , Ns Ar value | |||||
| Search for the source MAC address entry in lookup table | |||||
| .Ar name . | |||||
| If not found, the match fails. | |||||
| Otherwise, the match succeeds and | |||||
| .Cm tablearg | |||||
| is set to the value extracted from the table. | |||||
| .It Cm frag Ar spec | .It Cm frag Ar spec | ||||
| Matches IPv4 packets whose | Matches IPv4 packets whose | ||||
| .Cm ip_off | .Cm ip_off | ||||
| field contains the comma separated list of IPv4 fragmentation | field contains the comma separated list of IPv4 fragmentation | ||||
| options specified in | options specified in | ||||
| .Ar spec . | .Ar spec . | ||||
| The recognized options are: | The recognized options are: | ||||
| .Cm df | .Cm df | ||||
| ▲ Show 20 Lines • Show All 197 Lines • ▼ Show 20 Lines | |||||
| .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname | .It Cm limit Bro Cm src-addr | src-port | dst-addr | dst-port Brc Ar N Op Ar :flowname | ||||
| The firewall will only allow | The firewall will only allow | ||||
| .Ar N | .Ar N | ||||
| connections with the same | connections with the same | ||||
| set of parameters as specified in the rule. | set of parameters as specified in the rule. | ||||
| One or more | One or more | ||||
| of source and destination addresses and ports can be | of source and destination addresses and ports can be | ||||
| specified. | specified. | ||||
| .It Cm lookup Bro Cm dst-ip | dst-port | src-ip | src-port | uid | jail Brc Ar name | .It Cm lookup Bro Cm dst-ip | dst-port | dst-mac | src-ip | src-port | src-mac | uid | jail Brc Ar name | ||||
| Search an entry in lookup table | Search an entry in lookup table | ||||
| .Ar name | .Ar name | ||||
| that matches the field specified as argument. | that matches the field specified as argument. | ||||
| If not found, the match fails. | If not found, the match fails. | ||||
| Otherwise, the match succeeds and | Otherwise, the match succeeds and | ||||
| .Cm tablearg | .Cm tablearg | ||||
| is set to the value extracted from the table. | is set to the value extracted from the table. | ||||
| .Pp | .Pp | ||||
| ▲ Show 20 Lines • Show All 293 Lines • ▼ Show 20 Lines | |||||
| variable. | variable. | ||||
| See the | See the | ||||
| .Sx SETS OF RULES | .Sx SETS OF RULES | ||||
| section for more information. | section for more information. | ||||
| There may be up to 65535 different lookup tables. | There may be up to 65535 different lookup tables. | ||||
| .Pp | .Pp | ||||
| The following table types are supported: | The following table types are supported: | ||||
| .Bl -tag -width indent | .Bl -tag -width indent | ||||
| .It Ar table-type : Ar addr | iface | number | flow | .It Ar table-type : Ar addr | iface | number | flow | mac | ||||
| .It Ar table-key : Ar addr Ns Oo / Ns Ar masklen Oc | iface-name | number | flow-spec | .It Ar table-key : Ar addr Ns Oo / Ns Ar masklen Oc | iface-name | number | flow-spec | ||||
| .It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec | .It Ar flow-spec : Ar flow-field Ns Op , Ns Ar flow-spec | ||||
| .It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port | .It Ar flow-field : src-ip | proto | src-port | dst-ip | dst-port | ||||
| .It Cm addr | .It Cm addr | ||||
| Matches IPv4 or IPv6 address. | Matches IPv4 or IPv6 address. | ||||
| Each entry is represented by an | Each entry is represented by an | ||||
| .Ar addr Ns Op / Ns Ar masklen | .Ar addr Ns Op / Ns Ar masklen | ||||
| and will match all addresses with base | and will match all addresses with base | ||||
| Show All 13 Lines | |||||
| .It Cm number | .It Cm number | ||||
| Matches protocol ports, uids/gids or jail IDs. | Matches protocol ports, uids/gids or jail IDs. | ||||
| Each entry is represented by 32-bit unsigned integer. | Each entry is represented by 32-bit unsigned integer. | ||||
| Ranges are not supported. | Ranges are not supported. | ||||
| .It Cm flow | .It Cm flow | ||||
| Matches packet fields specified by | Matches packet fields specified by | ||||
| .Ar flow | .Ar flow | ||||
| type suboptions with table entries. | type suboptions with table entries. | ||||
| .It Cm mac | |||||
| Matches MAC address. | |||||
| Each entry is represented by an | |||||
| .Ar addr Ns Op / Ns Ar masklen | |||||
| and will match all addresses with base | |||||
| .Ar addr | |||||
| and mask width of | |||||
| .Ar masklen | |||||
| bits. | |||||
| If | |||||
| .Ar masklen | |||||
| is not specified, it defaults to 48. | |||||
| When looking up an MAC address in a table, the most specific | |||||
| entry will match. | |||||
| .El | .El | ||||
| .Pp | .Pp | ||||
| Tables require explicit creation via | Tables require explicit creation via | ||||
| .Cm create | .Cm create | ||||
| before use. | before use. | ||||
| .Pp | .Pp | ||||
| The following creation options are supported: | The following creation options are supported: | ||||
| .Bl -tag -width indent | .Bl -tag -width indent | ||||
| ▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Lines | |||||
| Shows generic table information. | Shows generic table information. | ||||
| .It Cm detail | .It Cm detail | ||||
| Shows generic table information and algo-specific data. | Shows generic table information and algo-specific data. | ||||
| .El | .El | ||||
| .Pp | .Pp | ||||
| The following lookup algorithms are supported: | The following lookup algorithms are supported: | ||||
| .Bl -tag -width indent | .Bl -tag -width indent | ||||
| .It Ar algo-desc : algo-name | "algo-name algo-data" | .It Ar algo-desc : algo-name | "algo-name algo-data" | ||||
| .It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash | .It Ar algo-name : Ar addr: radix | addr: hash | iface: array | number: array | flow: hash | mac: radix | ||||
| .It Cm addr: radix | .It Cm addr: radix | ||||
| Separate Radix trees for IPv4 and IPv6, the same way as the routing table (see | Separate Radix trees for IPv4 and IPv6, the same way as the routing table (see | ||||
| .Xr route 4 ) . | .Xr route 4 ) . | ||||
| Default choice for | Default choice for | ||||
| .Ar addr | .Ar addr | ||||
| type. | type. | ||||
| .It Cm addr:hash | .It Cm addr:hash | ||||
| Separate auto-growing hashes for IPv4 and IPv6. | Separate auto-growing hashes for IPv4 and IPv6. | ||||
| Accepts entries with the same mask length specified initially via | Accepts entries with the same mask length specified initially via | ||||
| .Cm "addr:hash masks=/v4,/v6" | .Cm "addr:hash masks=/v4,/v6" | ||||
| algorithm creation options. | algorithm creation options. | ||||
| Assume /32 and /128 masks by default. | Assume /32 and /128 masks by default. | ||||
| Search removes host bits (according to mask) from supplied address and checks | Search removes host bits (according to mask) from supplied address and checks | ||||
| resulting key in appropriate hash. | resulting key in appropriate hash. | ||||
| Mostly optimized for /64 and byte-ranged IPv6 masks. | Mostly optimized for /64 and byte-ranged IPv6 masks. | ||||
| .It Cm iface:array | .It Cm iface:array | ||||
| Array storing sorted indexes for entries which are presented in the system. | Array storing sorted indexes for entries which are presented in the system. | ||||
| Optimized for very fast lookup. | Optimized for very fast lookup. | ||||
| .It Cm number:array | .It Cm number:array | ||||
| Array storing sorted u32 numbers. | Array storing sorted u32 numbers. | ||||
| .It Cm flow:hash | .It Cm flow:hash | ||||
| Auto-growing hash storing flow entries. | Auto-growing hash storing flow entries. | ||||
| Search calculates hash on required packet fields and searches for matching | Search calculates hash on required packet fields and searches for matching | ||||
| entries in selected bucket. | entries in selected bucket. | ||||
| .It Cm mac: radix | |||||
| Radix tree for MAC address | |||||
| .El | .El | ||||
| .Pp | .Pp | ||||
| The | The | ||||
| .Cm tablearg | .Cm tablearg | ||||
| feature provides the ability to use a value, looked up in the table, as | feature provides the ability to use a value, looked up in the table, as | ||||
| the argument for a rule action, action parameter or rule option. | the argument for a rule action, action parameter or rule option. | ||||
| This can significantly reduce number of rules in some configurations. | This can significantly reduce number of rules in some configurations. | ||||
| If two tables are used in a rule, the result of the second (destination) | If two tables are used in a rule, the result of the second (destination) | ||||
| ▲ Show 20 Lines • Show All 2,559 Lines • Show Last 20 Lines | |||||