path: root/sbin
Commit message (Author, Age, Files, Lines)
...
* One more (hopefully the last one) step in cleaning up the syntax, (Luigi Rizzo, 2002-08-19, 2 files, -61/+102)
  following Julian's good suggestion: since you can specify any match pattern as an option, rules now have the following format:

      [<proto> from <src> to <dst>] [options]

  i.e. the first part is now entirely optional (and left there just for compatibility with ipfw1 rulesets).

  Add a "-c" flag to show/list rules in the compact form (i.e. without the "ip from any to any" part) when possible. The default is to include it so that scripts processing ipfw's canonical output will still work.

  Note that as part of this cleanup (and to remove ambiguity), MAC fields now can only be specified in the options part.

  Update the manpage to reflect the syntax. Clarify the behaviour when a match is attempted on fields which are not present in the packet, e.g. port numbers on non TCP/UDP packets, and the "not" operator is specified. E.g.

      ipfw add allow not src-port 80

  will match also ICMP packets because they do not have port numbers, so "src-port 80" will fail and "not src-port 80" will succeed. For such cases it is advised to insert further options to prevent undesired results (e.g. in the case above, "ipfw add allow proto tcp not src-port 80").

  We definitely need to rewrite the parser using lex and yacc!

  Notes: svn path=/head/; revision=102098
* Fix last-minute typo which breaks the world. (Maxim Sobolev, 2002-08-19, 1 file, -1/+1)
  Submitted by: many

  Notes: svn path=/head/; revision=102095
* Major cleanup of the parser and printing routines in an attempt to (Luigi Rizzo, 2002-08-19, 2 files, -209/+375)
  render the syntax less ambiguous. Now rules can be in one of these two forms

      <action> <protocol> from <src> to <dst> [options]
      <action> MAC dst-mac src-mac mac-type [options]

  however you can now specify MAC and IP header fields as options e.g.

      ipfw add allow all from any to any mac-type arp
      ipfw add allow all from any to any { dst-ip me or src-ip me }

  which makes complex expressions a lot easier to write and parse. The "all from any to any" part is there just for backward compatibility.

  Manpage updated accordingly.

  Notes: svn path=/head/; revision=102087
* Remove unused variable. camcontrol is now WARNS=2 clean on i386. (Johan Karlsson, 2002-08-18, 1 file, -1/+0)
  Approved by: ken, sheldonh (mentor)

  Notes: svn path=/head/; revision=102076
* Clarify the explanation of the behavior for setuid programs by (John Polstra, 2002-08-18, 1 file, -2/+2)
  noting that the restrictions do not apply if the user invoking the program is also the owner of the program. Also, capitalize a section header properly.

  PR: misc/41180

  Notes: svn path=/head/; revision=102070
* Include <nlist.h> for nlist interfaces instead of depending on namespace (Bruce Evans, 2002-08-18, 1 file, -0/+1)
  pollution in <kvm.h>.

  Notes: svn path=/head/; revision=102069
* Increase size of ifnet.if_flags from 16 bits (short) to 32 bits (int). To avoid (Maxim Sobolev, 2002-08-18, 1 file, -2/+3)
  breaking application ABI use unused ifreq.ifru_flags[1] for upper 16 bits in SIOCSIFFLAGS and SIOCGIFFLAGS ioctl's.

  Reviewed by: -hackers, -net

  Notes: svn path=/head/; revision=102052
* Fix more breakage due to FSTYPENAMES/DKTYPENAMES split. (Bosko Milekic, 2002-08-16, 3 files, -0/+3)
  Also submitted by: David Wolfskill <david@catwhisker.org>

  Notes: svn path=/head/; revision=101994
* Complete list of differences between ipfw1 and ipfw2. (Luigi Rizzo, 2002-08-16, 1 file, -10/+93)
  Notes: svn path=/head/; revision=101989
* sys/netinet/ip_fw2.c: (Luigi Rizzo, 2002-08-16, 2 files, -116/+526)
  Implement the M_SKIP_FIREWALL bit in m_flags to avoid loops for firewall-generated packets (the constant has to go in sys/mbuf.h).
  Better comments on keepalive generation, and enforce dyn_rst_lifetime and dyn_fin_lifetime to be less than dyn_keepalive_period.
  Enforce limits (up to 64k) on the number of dynamic buckets, and retry allocation with smaller sizes.
  Raise default number of dynamic rules to 4096.
  Improved handling of set of rules -- now you can atomically enable/disable multiple sets, move rules from one set to another, and swap sets.

  sbin/ipfw/ipfw2.c:
  userland support for "noerror" pipe attribute.
  userland support for sets of rules.
  minor improvements on rule parsing and printing.

  sbin/ipfw/ipfw.8:
  more documentation on ipfw2 extensions, differences from ipfw1 (so we can use the same manpage for both), stateful rules, and some additional examples. Feedback and more examples needed here.

  Notes: svn path=/head/; revision=101978
* No need to include sys/time.h, this unbreaks a c89 warning about long long (Alfred Perlstein, 2002-08-16, 1 file, -1/+0)
  constants as well.

  Notes: svn path=/head/; revision=101973
* Don't '#define DKTYPENAMES', we don't use the variable it exposes from (Alfred Perlstein, 2002-08-16, 1 file, -1/+0)
  the header file.

  Notes: svn path=/head/; revision=101970
* Don't depend on namespace pollution in sys/mount.h and (Maxime Henrion, 2002-08-13, 4 files, -0/+4)
  include sys/uio.h.

  Notes: svn path=/head/; revision=101829
* mdoc(7) police: Removed redundant .Ns calls. (Ruslan Ermilov, 2002-08-13, 1 file, -1/+1)
  Notes: svn path=/head/; revision=101828
* can not -> cannot. (Ruslan Ermilov, 2002-08-13, 3 files, -4/+4)
  Notes: svn path=/head/; revision=101810
* mdoc(7) police: laundry. (Ruslan Ermilov, 2002-08-13, 1 file, -17/+16)
  Notes: svn path=/head/; revision=101802
* mdoc(7) police: Consistently name options' arguments in the SYNOPSIS and DESCRIPTION sections. (Ruslan Ermilov, 2002-08-13, 1 file, -16/+23)
  Notes: svn path=/head/; revision=101800
* mdoc(7) police: canonize FreeBSD in e-mail address. (Ruslan Ermilov, 2002-08-13, 1 file, -1/+1)
  Notes: svn path=/head/; revision=101796
* mdoc(7) police: missing markup bits. (Ruslan Ermilov, 2002-08-13, 1 file, -6/+12)
  Notes: svn path=/head/; revision=101795
* mdoc(7) police: KAMEism in rev. 1.56, nits in rev. 1.58. (Ruslan Ermilov, 2002-08-13, 1 file, -3/+4)
  Notes: svn path=/head/; revision=101792
* mdoc(7) police: Use the .Ud macro. (Ruslan Ermilov, 2002-08-13, 1 file, -1/+2)
  Notes: svn path=/head/; revision=101791
* Improve wording even more. (Ruslan Ermilov, 2002-08-13, 1 file, -4/+5)
  Notes: svn path=/head/; revision=101790
* mdoc(7) police: kill hard sentence break. (Ruslan Ermilov, 2002-08-13, 1 file, -1/+2)
  Notes: svn path=/head/; revision=101788
* Warn that hex keys are the most portable. (Warner Losh, 2002-08-12, 1 file, -0/+3)
  Submitted by: Gregory Bond <gnb@itga.com.au>
  PR: 40872

  Notes: svn path=/head/; revision=101714
* Simplify some things to use libufs-provided functionality here, such as the (Juli Mallett, 2002-08-11, 1 file, -21/+28)
  version of UFS on a disk, and bread() instead of other types of idiocy.

  Obtained from: jmallett_libufs Perforce branch.

  Notes: svn path=/head/; revision=101688
* Update manpage to match the code, we don't use (Maxime Henrion, 2002-08-11, 1 file, -5/+0)
  vfsload() here anymore.

  Notes: svn path=/head/; revision=101684
* Update the manpage to match the code. The mount utilities (Maxime Henrion, 2002-08-11, 1 file, -24/+2)
  now don't try to load the filesystem module, the kernel takes care of this.

  Notes: svn path=/head/; revision=101683
* The kldload() system call doesn't return 0 when it succeeded, (Maxime Henrion, 2002-08-11, 1 file, -1/+1)
  so compare the return value against -1 to see if it failed instead of simply doing if (kldload("nfs")).

  Notes: svn path=/head/; revision=101676
* - Introduce a new struct xvfsconf, the userland version of struct vfsconf. (Maxime Henrion, 2002-08-10, 4 files, -10/+9)
  - Make getvfsbyname() take a struct xvfsconf *.
  - Convert several consumers of getvfsbyname() to use struct xvfsconf.
  - Correct the getvfsbyname.3 manpage.
  - Create a new vfs.conflist sysctl to dump all the struct xvfsconf in the kernel, and rewrite getvfsbyname() to use this instead of the weird existing API.
  - Convert some {set,get,end}vfsent() consumers to use the new vfs.conflist sysctl.
  - Convert a vfsload() call in nfsiod.c to kldload() and remove the useless vfsisloadable() and endvfsent() calls.
  - Add a warning printf() in vfs_sysctl() to tell people they are using an old userland.

  After these changes, it's possible to modify struct vfsconf without breaking the binary compatibility. Please note that these changes don't break this compatibility either.

  When bp will have updated mount_smbfs(8) with the patch I sent him, there will be no more consumers of the {set,get,end}vfsent(), vfsisloadable() and vfsload() API, and I will promptly delete it.

  Notes: svn path=/head/; revision=101651
* Fix one parsing bug introduced by last commit, and correct parsing (Luigi Rizzo, 2002-08-10, 1 file, -18/+63)
  and printing of or-blocks in address, ports and options lists.

  Notes: svn path=/head/; revision=101641
* Major revision of the ipfw manpage, trying to make it up-to-date (Luigi Rizzo, 2002-08-10, 1 file, -518/+682)
  with ipfw2 extensions and give examples of use of the new features.

  This is just a preliminary commit, where I simply added the basic syntax for the extensions, and clean up the page (e.g. by listing things in alphabetical rather than random order). I would appreciate feedback and possible corrections/extensions by interested parties.

  Still missing are a more detailed description of stateful rules (with keepalives), interaction of stateful rules with natd (don't do that!), examples of use with the recently introduced rule sets.

  There is an issue related to the MFC: RELENG_4 still has ipfw as a default, and ipfw2 is optional. We have two options here: MFC this page as ipfw(8) adding a large number of "SORRY NOT IN IPFW" notes, or create a new ipfw2(8) manpage just for -stable users. I am all for the first approach, but of course am listening to your comments.

  Notes: svn path=/head/; revision=101640
* One bugfix and one new feature. (Luigi Rizzo, 2002-08-10, 1 file, -22/+85)
  The bugfix (ipfw2.c) makes the handling of port numbers with a dash in the name, e.g. ftp-data, consistent with old ipfw: use \\ before the - to consider it as part of the name and not a range separator.

  The new feature (all this description will go in the manpage): each rule now belongs to one of 32 different sets, which can be optionally specified in the following form:

      ipfw add 100 set 23 allow ip from any to any

  If "set N" is not specified, the rule belongs to set 0.

  Individual sets can be disabled, enabled, and deleted with the commands:

      ipfw disable set N
      ipfw enable set N
      ipfw delete set N

  Enabling/disabling of a set is atomic. Rules belonging to a disabled set are skipped during packet matching, and they are not listed unless you use the '-S' flag in the show/list commands. Note that dynamic rules, once created, are always active until they expire or their parent rule is deleted.

  Set 31 is reserved for the default rule and cannot be disabled. All sets are enabled by default. The enable/disable status of the sets can be shown with the command

      ipfw show sets

  Hopefully, this feature will make life easier for those who want to have atomic ruleset addition/deletion/tests. Examples:

  To add a set of rules atomically:

      ipfw disable set 18
      ipfw add ... set 18 ...   # repeat as needed
      ipfw enable set 18

  To delete a set of rules atomically

      ipfw disable set 18
      ipfw delete set 18
      ipfw enable set 18

  To test a ruleset and disable it and regain control if something goes wrong:

      ipfw disable set 18
      ipfw add ... set 18 ...   # repeat as needed
      ipfw enable set 18 ; echo "done "; sleep 30 && ipfw disable set 18

  here if everything goes well, you press control-C before the "sleep" terminates, and your ruleset will be left active. Otherwise, e.g. if you cannot access your box, the ruleset will be disabled after the sleep terminates.

  I think there is only one more thing that one might want, namely a command to assign all rules in set X to set Y, so one can test a ruleset using the above mechanisms, and once it is considered acceptable, make it part of an existing ruleset.

  Notes: svn path=/head/; revision=101628
* Fix the broken "avoid unaligned data" fix. The problem is that the builtin (Peter Wemm, 2002-08-10, 1 file, -2/+2)
  gcc memcpy "knows" about types that are supposed to be actually already aligned and triggers alignment errors doing the memcpy itself. "Fix" this by changing it to a bcopy().

  In this case, we had:

      struct timeval *tp;
      struct timeval tv1;
      memcpy(&tv1,tp,sizeof(tv1));

  .. and since gcc *knows* that a pointer to a timeval is longword aligned and that tv1 is longword aligned, then it can use an inline that assumes alignment.

  The following works too:

      cp = (char *)tp;
      memcpy(&tv1,cp,sizeof(tv1));

  Simply casting (char *)tp for the memcpy doesn't work. :-(

  This affected different 64 bit platforms in different ways and depends a lot on gcc as well. I've seen this on alpha and ia64 at least, although alpha isn't doing it right now.

  Notes: svn path=/head/; revision=101623
* Fixup preen.c to match its new residence. (Poul-Henning Kamp, 2002-08-09, 1 file, -1/+5)
  The blockcheck() function is still pulled from fsck_ffs, it probably should live in libufs.

  Notes: svn path=/head/; revision=101592
* preen.c was a straggler after the fsck/fsck_ffs divorce. (Poul-Henning Kamp, 2002-08-09, 1 file, -282/+0)
  fsck_ffs did not need it, but quotacheck did include it from fsck_ffs.

  A repocopy has now moved the fsck_ffs/preen.c file to quotacheck/preen.c

  quotacheck and fsck should probably use the same checkfstab() function and it should possibly live in libufs. Trouble is: they have diverged in the meantime. At least now fsck_ffs is not in the equation anymore.

  Sponsored by: DARPA & NAI Labs.

  Notes: svn path=/head/; revision=101585
* Fix -o ac(reg|dir)(min|max) options. The appropriate flags weren't (Semen Ustimenko, 2002-08-06, 1 file, -0/+4)
  translated from ALTF_* to NFSMNT_* thus these options weren't accepted by kernel.

  PR: bin/30334
  MFC after: 1 week

  Notes: svn path=/head/; revision=101440
* Fix generation of check-state rules, which I broke in last commit. (Luigi Rizzo, 2002-08-04, 1 file, -1/+1)
  Notes: svn path=/head/; revision=101295
* Small diffs that p4 didn't catch when I extracted (Maxime Henrion, 2002-08-03, 1 file, -2/+1)
  the diffs from my branch.

  Notes: svn path=/head/; revision=101275
* This should have been committed too, I have no idea (Maxime Henrion, 2002-08-03, 1 file, -1/+1)
  why p4 didn't give me this diff too.

  Notes: svn path=/head/; revision=101274
* I should have committed this ages ago... (Maxime Henrion, 2002-08-03, 1 file, -3/+15)
  Convert init(8) to use nmount() instead of mount() when it has to mount devfs. This doesn't happen normally, since the kernel is supposed to mount devfs itself.

  Notes: svn path=/head/; revision=101271
* Now that the kernel is able to load modules itself, (Maxime Henrion, 2002-08-03, 14 files, -231/+25)
  remove all the code which was trying to do so. This code was nasty in several ways, it was hiding the kernel bug where the kernel was unable to properly load a module, and it was quitting if it wasn't able to load the module. The consequence is that an ABI breakage of the vfsconf API would have broken *every* mount utility.

  Notes: svn path=/head/; revision=101270
* Introduce support for Mandatory Access Control and extensible (Robert Watson, 2002-08-02, 2 files, -1/+5)
  kernel access control.

  Teach mount(8) to understand the MNT_MULTILABEL flag, which is used to determine whether a file system operates with individual per-vnode labels, or treats the entire file system as a single object with a single (mount) label. The behavior here will probably evolve some now that nmount(2) is available and can more flexibly support mount options.

  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, NAI Labs

  Notes: svn path=/head/; revision=101205
* Forgot this one: properly initialize an address set when the set (Luigi Rizzo, 2002-07-31, 1 file, -3/+1)
  size is less than 32 bits (/28 mask or more). Also remove a debugging fprintf().

  Notes: svn path=/head/; revision=101117
* Two bugfixes: (Luigi Rizzo, 2002-07-31, 1 file, -15/+26)
  + the header file contains two different opcodes (O_IPOPTS and O_IPOPT) for what is the same thing, and sure enough I used one in the kernel and the other one in userland. Be consistent!
  + "keep-state" and "limit" must be the last match pattern in a rule, so no matter how you enter them move them to the end of the rule.

  Notes: svn path=/head/; revision=101116
* Also print the serial # on atacontrol cap .... (Søren Schmidt, 2002-07-31, 1 file, -0/+1)
  Notes: svn path=/head/; revision=101104
* Fix a bunch of format string warnings which broke (Maxime Henrion, 2002-07-31, 6 files, -35/+43)
  the sparc64 build.

  Tested on: sparc64, i386

  Notes: svn path=/head/; revision=101037
* Remove some additional paranoia which Kirk forgot to remove from his (Poul-Henning Kamp, 2002-07-30, 2 files, -4/+2)
  UFS2 commit.

  These bits in essence made any instance of "softupdates expected corruption" (ie blocks marked allocated but not referenced by an inode etc) result in an exit value for fsck_ffs of 2.

  2 is part of the magic and apparently undocumented protocol between fsck_FOO and fsck and means "dump into single user mode ASAP".

  Sponsored by: DARPA & NAI Labs.

  Notes: svn path=/head/; revision=100973
* Warning cleanup. (Poul-Henning Kamp, 2002-07-30, 12 files, -74/+74)
  Format changes by peter

  Notes: svn path=/head/; revision=100935
* Don't depend on pollution in <machine/limits.h> (by way of (Mike Barcroft, 2002-07-29, 1 file, -0/+1)
  <sys/param.h>) for definition of <stdint.h> macros.

  Notes: svn path=/head/; revision=100881
* Drop support for COPY, -c has been the default mode of install(1) (Ruslan Ermilov, 2002-07-29, 1 file, -1/+1)
  for a long time now.

  Approved by: bde

  Notes: svn path=/head/; revision=100872