Date: Sat, 21 Jun 2008 18:27:18 GMT
From: Gleb Kurtsou <gk@FreeBSD.org>
To: Perforce Change Reviews <perforce@FreeBSD.org>
Subject: PERFORCE change 143890 for review
Message-ID: <200806211827.m5LIRIHb083260@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=143890 Change 143890 by gk@gk_h1 on 2008/06/21 18:27:01 update man pages and ipfw usage Affected files ... .. //depot/projects/soc2008/gk_l2filter/sbin-ifconfig/ifconfig.8#2 edit .. //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw.8#2 edit .. //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw2.c#6 edit .. //depot/projects/soc2008/gk_l2filter/share-man4/if_bridge.4#2 edit Differences ... ==== //depot/projects/soc2008/gk_l2filter/sbin-ifconfig/ifconfig.8#2 (text+ko) ==== @@ -240,6 +240,27 @@ If the Address Resolution Protocol is enabled, the host will perform normally, sending out requests and listening for replies. +.It Cm l2tag +Special tag containing source and destination layer 2 addresses will be +attached to every packet passing through interface. +Note that only incoming or outgoing packets may be tagged (but not both), it is +interface dependant. +.It Fl l2tag +Disable special packet tagging with layer 2 addresses. +.It Cm l2filter +Perform layer 2 filtering of packets passing through interface. +This option doesn't imply +.Cm l2tag +option. +With +.Cm l2filter +specified packets are passed to firewall as they were received from wire. +But +.Cm l2tag +just tags packet and usual layer 3 filtering is performed. +.It Fl l2filter +Disable layer 2 filtering. +Higher level filtering will perform normally. .It Cm broadcast (Inet only.) Specify the address to use to represent broadcasts to the ==== //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw.8#2 (text+ko) ==== @@ -45,7 +45,7 @@ .Cm set show .Pp .Nm -.Cm table Ar number Cm add Ar addr Ns Oo / Ns Ar masklen Oc Op Ar value +.Cm table Ar number Cm add Ar addr Ns Oo / Ns Ar masklen Oc Oo Cm ether Ar etheraddr Oc Op Ar value .Nm .Cm table Ar number Cm delete Ar addr Ns Op / Ns Ar masklen .Nm 
@@ -332,9 +332,9 @@ to temporarily disable the firewall to regain access to the network, allowing you to fix the problem. .Sh PACKET FLOW -A packet is checked against the active ruleset in multiple places -in the protocol stack, under control of several sysctl variables. -These places and variables are shown below, and it is important to +A packet is checked against the active ruleset in multiple places in the +protocol stack, under control of several sysctl variables and interface flags. +These places and variables and flags are shown below, and it is important to have this picture in mind in order to design a correct ruleset. .Bd -literal -offset indent ^ to upper layers V @@ -342,11 +342,12 @@ +----------->-----------+ ^ V [ip(6)_input] [ip(6)_output] net.inet(6).ip(6).fw.enable=1 + | | (l2tag interface flag) | | ^ V - [ether_demux] [ether_output_frame] net.link.ether.ipfw=1 + [ether_demux] [ether_output_frame] l2filter interface flag | | - +-->--[bdg_forward]-->--+ net.link.bridge.ipfw=1 + +-->----[bridge]----->--+ l2filter interface flag ^ V | to devices | .Ed 
@@ -370,13 +371,39 @@ or .Cm ip6_input() . .Pp +Note that packets do +.Em not +contain IP header when invoked from +.Cm ether_demux() , ether_output_frame() +or +.Cm bridge . +.Pp +In order to filter by both MAC and IP headers interface flag +.Cm l2tag +should be used. +When enabled a special tag containing MAC header is appended to incoming +packets. Tag is used when +.Nm +invoked from +.Cm ip_input() +or +.Cm ip6_input() . +Note that as a rule only incoming packets are tagged, but +.Cm bridge +appends tag to outgoing packets. +Therefore dynamic rules (like rules created by +.Cm keep-state +option) do not check specified MAC header options if there is no +.Cm l2tag +tag appended to packet. +.Pp Also note that each packet is always checked against the complete ruleset, irrespective of the place where the check occurs, or the source of the packet. If a rule contains some match patterns or actions which are not valid for the place of invocation (e.g.\& trying to match a MAC header within .Cm ip_input or -.Cm ip6_input ), +.Cm ip6_input ) Ns , the match pattern will not match, but a .Cm not operator in front of such patterns @@ -390,7 +417,7 @@ .Cm skipto rules can be useful here, as an example: .Bd -literal -offset indent -# packets from ether_demux or bdg_forward +# packets from ether_demux or bridge ipfw add 10 skipto 1000 all from any to any layer2 in # packets from ip_input ipfw add 10 skipto 2000 all from any to any not layer2 in @@ -401,7 +428,7 @@ .Ed .Pp (yes, at the moment there is no way to differentiate between -ether_demux and bdg_forward). +ether_demux and bridge). .Sh SYNTAX In general, each keyword or argument must be provided as a separate command line argument, with no leading or trailing 
@@ -1121,6 +1148,15 @@ .It Cm diverted-output Matches only packets going from a divert socket back outward to the IP stack output for delivery. +.It Cm dst-ether Ar dst-ether +Match packets with a given destination MAC address +.Ar dst-ether Ns , +specified as the +.Cm any +keyword (matching any MAC address), +.Cm muticast +keyword (matching multicast MAC addresses), or six groups of hex digits +separated by colons. .It Cm dst-ip Ar ip-address Matches IPv4 packets whose destination IP is one of the address(es) specified as argument. 
@@ -1336,48 +1372,10 @@ specified. Currently, only IPv4 flows are supported. -.It Cm { MAC | mac } Ar dst-mac src-mac -Match packets with a given -.Ar dst-mac -and -.Ar src-mac -addresses, specified as the -.Cm any -keyword (matching any MAC address), or six groups of hex digits -separated by colons, -and optionally followed by a mask indicating the significant bits. -The mask may be specified using either of the following methods: -.Bl -enum -width indent -.It -A slash -.Pq / -followed by the number of significant bits. -For example, an address with 33 significant bits could be specified as: -.Pp -.Dl "MAC 10:20:30:40:50:60/33 any" -.Pp -.It -An ampersand -.Pq & -followed by a bitmask specified as six groups of hex digits separated -by colons. -For example, an address in which the last 16 bits are significant could -be specified as: -.Pp -.Dl "MAC 10:20:30:40:50:60&00:00:00:00:ff:ff any" -.Pp -Note that the ampersand character has a special meaning in many shells -and should generally be escaped. -.Pp -.El -Note that the order of MAC addresses (destination first, -source second) is -the same as on the wire, but the opposite of the one used for -IP addresses. -.It Cm mac-type Ar mac-type +.It Cm ether-type Ar ether-type Matches packets whose Ethernet Type field corresponds to one of those specified as argument. -.Ar mac-type +.Ar ether-type is specified in the same way as .Cm port numbers (i.e., one or more comma-separated single values or ranges). @@ -1435,6 +1433,15 @@ Matches TCP packets that have the SYN bit set but no ACK bit. This is the short form of .Dq Li tcpflags\ syn,!ack . +.It Cm src-ether Ar src-ether +Match packets with a given source MAC address +.Ar src-ether Ns , +specified as the +.Cm any +keyword (matching any MAC address), +.Cm muticast +keyword (matching multicast MAC addresses), or six groups of hex digits +separated by colons. .It Cm src-ip Ar ip-address Matches IPv4 packets whose source IP is one of the address(es) specified as an argument. 
@@ -1591,6 +1598,8 @@ is not specified, it defaults to 32. When looking up an IP address in a table, the most specific entry will match. +Optionally each entry specifies MAC address +.Pq Cm ether Ar etheraddr Ns . Associated with each entry is a 32-bit unsigned .Ar value , which can optionally be checked by a rule matching code. @@ -1716,6 +1725,16 @@ .Em dst are used here only to denote the initial match addresses, but they are completely equivalent afterwards). +If rule specifies +.Em src-ether +and/or +.Em dst-ether +address they are also used to match packets. +But note that packets without +.Cm l2tag +appended to them match against such dynamic rules, because +.Cm l2tag +presents only in incoming or outgoing packets, but not in both. Dynamic rules will be checked at the first .Cm check-state, keep-state or ==== //depot/projects/soc2008/gk_l2filter/sbin-ipfw/ipfw2.c#6 (text+ko) ==== @@ -2728,7 +2728,7 @@ " redirect_port linkspec|redirect_proto linkspec}\n" "set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n" "set N {show|list|zero|resetlog|delete} [N{,N}] | flush\n" -"table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}\n" +"table N {add ip[/bits] [ether ETHERADDR] [value] | delete ip[/bits] | flush | list}\n" "\n" "RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n" "ACTION: check-state | allow | count | deny | unreach{,6} CODE |\n" @@ -2742,6 +2742,7 @@ "IP6ADDR: [not] { any | me | me6 | ip6/bits | IP6LIST }\n" "IP6LIST: { ip6 | ip6/bits }[,IP6LIST]\n" "IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]\n" +"ETHERADDR: { any | multicast | ether }\n" "OPTION_LIST: OPTION [OPTION_LIST]\n" "OPTION: bridged | diverted | diverted-loopback | diverted-output |\n" " {dst-ip|src-ip} IPADDR | {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |\n" 
@@ -2750,9 +2751,10 @@ " iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |\n" " ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n" " icmp6types LIST | ext6hdr LIST | flow-id N[,N] | fib FIB |\n" -" mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n" -" setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n" -" tcpdatalen LIST | verrevpath | versrcreach | antispoof\n" +" {src-ether|dst-ether} ETHERADDR | ether-type LIST | proto LIST |\n" +" {recv|xmit|via} {IF|IPADDR} | setup | {tcpack|tcpseq|tcpwin} NN |\n" +" tcpflags SPEC | tcpoptions SPEC | tcpdatalen LIST |\n" +" verrevpath | versrcreach | antispoof\n" ); exit(0); } ==== //depot/projects/soc2008/gk_l2filter/share-man4/if_bridge.4#2 (text+ko) ==== @@ -171,6 +171,14 @@ to only allow IP packets to pass (subject to firewall rules), set to .Li 0 to unconditionally pass all non-IP Ethernet frames. +.It Va net.link.bridge.pfil_layer2_arp +Set to +.Li 1 +to enable layer2 ARP filtering with +.Xr pfil 9 , +set to +.Li 0 +to disable it. .It Va net.link.bridge.pfil_member Set to .Li 1 @@ -192,36 +200,6 @@ Set to .Li 0 to disable this feature. -.It Va net.link.bridge.ipfw -Set to -.Li 1 -to enable layer2 filtering with -.Xr ipfirewall 4 , -set to -.Li 0 -to disable it. -This needs to be enabled for -.Xr dummynet 4 -support. -When -.Va ipfw -is enabled, -.Va pfil_bridge -and -.Va pfil_member -will be disabled so that IPFW -is not run twice; these can be re-enabled if desired. -.It Va net.link.bridge.ipfw_arp -Set to -.Li 1 -to enable layer2 ARP filtering with -.Xr ipfirewall 4 , -set to -.Li 0 -to disable it. -Requires -.Va ipfw -to be enabled. .El .Pp ARP and REVARP packets are forwarded without being filtered and others
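Review bot: In the ifconfig.8 hunk, the l2tag entry says the tagging direction "is interface dependant" but never tells the reader which direction applies to which interface; the ipfw.8 hunk in this same change states that only bridge tags outgoing packets, so say that here too (and spell it "dependent"). In the l2filter entry, "passed to firewall as they were received from wire" should read "passed to the firewall as if they were received from the wire".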
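Review bot: The ipfw.8 synopsis hunk adds an optional `ether etheraddr` to `table N add`, but the `table N delete` form on the next line still takes only `addr[/masklen]`. If two entries may share an address and differ in MAC address, delete needs the same qualifier; otherwise the tables section should say explicitly that the MAC address is not part of the entry key and is overwritten on re-add.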
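Review bot: In the PACKET FLOW hunk (ipfw.8 @@ -370), "contain IP header" should be "contain an IP header" and "Tag is used when .Nm invoked" should be "The tag is used when .Nm is invoked". More importantly, the sentence "dynamic rules ... do not check specified MAC header options if there is no l2tag tag appended to packet" should state plainly that such a rule still matches the untagged packet, as the later dynamic-rules hunk does: a keep-state rule restricted by src-ether or dst-ether is simply not enforced in the untagged direction, and an administrator reading only this section would not learn that.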
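Review bot: The new dst-ether entry (ipfw.8 @@ -1121) and the identical src-ether entry (@@ -1435) both spell the keyword "muticast"; the ipfw2.c usage text in this change spells it "multicast", so fix both. Neither entry says whether a mask is accepted, while the `MAC` option being removed documented both `/bits` and `&mask` forms; either document the mask syntax for src-ether/dst-ether or state that only exact addresses match.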
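Review bot: The hunk at ipfw.8 @@ -1336 drops the `MAC`/`mac` option and renames `mac-type` to `ether-type` without any compatibility note, so existing rulesets using those keywords will stop loading. Either keep the old keywords as accepted aliases in ipfw2.c, or add a sentence under ether-type saying that `mac-type` and `MAC dst src` are no longer accepted and how to rewrite them with `dst-ether`/`src-ether`.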
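Review bot: In the tables hunk (ipfw.8 @@ -1591), "Optionally each entry specifies MAC address" should read "Optionally, each entry may also specify a MAC address", and it should say what the MAC entry is used for during lookup (whether a lookup with an l2tag must match both the address and the MAC, or the MAC is only a stored attribute).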
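Review bot: In the dynamic-rules hunk (ipfw.8 @@ -1716), "If rule specifies" should be "If a rule specifies", and "l2tag presents only in incoming or outgoing packets" should be "l2tag is present only on incoming or outgoing packets". Since this paragraph admits that untagged packets match dynamic rules regardless of their src-ether/dst-ether, it should also tell the reader that MAC enforcement must not be delegated to keep-state rules and that a static src-ether/dst-ether rule is needed for the untagged direction.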
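Review bot: In the ipfw2.c usage hunk, `"ETHERADDR: { any | multicast | ether }\n"` uses the bare word "ether" for the literal-address form, which is not self-explanatory; use a placeholder in the style of the surrounding lines, e.g. `xx:xx:xx:xx:xx:xx`. The new `"table N {add ip[/bits] [ether ETHERADDR] [value] | delete ip[/bits] | flush | list}\n"` line is also longer than 80 columns both in the source and on the terminal; wrap it the way the OPTION lines are wrapped in the following hunk.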
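Review bot: The if_bridge.4 hunk removes the net.link.bridge.ipfw and ipfw_arp entries, and with them two pieces of guidance the reader still needs: that dummynet(4) support depended on ipfw being enabled, and that pfil_bridge and pfil_member were disabled so IPFW would not run twice. With l2filter now a per-interface flag, document how double filtering between the member interface and the bridge is avoided and what the dummynet story is. The new pfil_layer2_arp entry should also say whether it requires pfil_member or pfil_bridge, as the removed ipfw_arp entry stated its own dependency.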