When an internal or other error occurs during the listing of a pool,
return an error code when extiting ippool(8). Printing an error to
stderr without returning an error code is useless in shell scripts.
(cherry picked from commit 5568c8b2c5)
Add an ippool(8) option to dump a copy of the inm-memory ippool tables
in an ippool(5) format so that it can be reloaded using ippool -f.
(cherry picked from commit 7531c434a5)
Jails without VNET have complete access to the ipfilter rules, NAT,
pools and logs. This is insecure. Only allow jails to manipulate
ipfilter rules, NAT tables and ippools if the jail has its own VNET.
Otherwise a jail can affect the global system.
This patch brings ipfilter in line with ipfw's support of VNET jails and
non-support of non-VNET jails.
(cherry picked from commit c47db49ba4)
When printing the interface name from the ipstate_t struct the interface
name in is_ifp may not always be avaiable when reading it from kmem
(tested on FreeBSD and NetBSD). However the is_ifname (the interface
name character string) is almost always available -- it is not available
when the source of the packet is a process running on the firewall
itself. Rather than print both interface name strings, print only the
one.
(cherry picked from commit 93c1048a13)
Rather than use a kmem read to determine the interface name used by a
nat_t structure through a pointer, nat_ipfs->netif->if_xname, obtain it
directly from nat_ifnames in the nat_t structure itself using the new
FORMAT_IF macro.
(cherry picked from commit ec793543fe)
Interface names stored in the ipstate_t and ipnat_t structures can be
NULL. This occurs when an application, such as named, is running on the
firewall machine itself. For example an application, i.e. named, running
on the firewall itself will cause a state table display and NAT mapping
display to show a null ingress interface and its egress interface. This
is perfectly valid but confusing to human eyes. Rather than print
nothing, print "(null)".
(cherry picked from commit 915395a280)
NAT table mappings list only the source and destination IP, the source
and destinaion port numbers, and their mappings. But the protocol is not
listed. Now that Facebook and Google use QUIC, seeing port 443 in in a
list of active NAT sessions could mean 443/tcp or 443/udp. This patch
adds the protocol to the listing to aid in determining whether HTTPS is
TCP or QUIC in a NAT mapping listing. This also helps differentiatinete
between other protocols such as ICMP, ESP, and AH in ipnat list of active
sessions.
(cherry picked from commit 9291d079d5)
ipfsync is a WIP sync daemon designed to be used in a failover scenario.
It was removed by 5ee61c7daa. This commit
restores its three files. ipfsync is in my work queue.
(cherry picked from commit 08ab34a06a)
The work to ANSIfy and adjust returns to style(9) resulted in a mismerge
of a stash when ipfilter was moved from contrib to sbin. An older file
replaced WIP at the time, resulting in a regression.
The majority of this work was done in 2018 saved as git stashes within
a git-svn tree and migrated to the git tree. The regression occurred
when the various stashes were sequentially merged to create individual
commits, following the ipfilter move to netpfil and sbin.
Reported by: jrtc27
Fixes: 2582ae5740
Pointy hat to: cy
(cherry picked from commit a3522837b0)
Replace the INLINE macro with inline. Some ancient compilers supported
__inline__ instead of inline. The INLINE hack compensated for it.
Ancient compilers are history.
Reported by: glebius
(cherry picked from commit 9be9c1c084)
Convert ipfilter userland function declarations from K&R to ANSI. This
syncs our function declarations with NetBSD hg commit 75edcd7552a0
(apply our changes). Though not copied from NetBSD, this change was
partially inspired by NetBSD's work and inspired by style(9).
Reviewed by: glebius (for #network)
Differential Revision: https://reviews.freebsd.org/D33595
(cherry picked from commit efeb8bffe3)
Since the move of ipfilter from contrib to sbin adjusting the source path
is no longer required.
Fixes: 41edb306f0
(cherry picked from commit 7cb2d7c413)
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sbin/ipf. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to sbin.
This is the second of three commits of the ipfilter move.
Suggested by glebius on two occaions.
Suggested by and discussed with: glebius
Reviewed by: glebius, kp (for #network)
Differential Revision: https://reviews.freebsd.org/D33510
(cherry picked from commit 41edb306f0)
Through fixes and improvements our ipfilter sources have diverged
enough to warrant move from contrib into sys/netpil. Now that I'm
planning on implementing MSS clamping as in iptables it makes more
sense to move ipfilter to netpfil.
This is the first of three commits the ipfilter move.
Suggested by glebius on two occaions.
Suggested by and discussed with: glebius
Reviewed by: glebius, kp (for #network)
Differential Revision: https://reviews.freebsd.org/D33510
(cherry picked from commit 3b9b51fe46)
PR/238816 initially addressed updates to usage() however the PR has
morphed into a shopping list of updates to usage() and man pages.
PR: 238816 (I added to the list during discussion)
MFC after: 1 week
that they still work. These utilities have become out of sync with the
code in the kernel and need work to bring them back into shape.
Most people test on real systems or VMs on real networks.
Suggested by: glebius
that they still work. These utilities have become out of sync with the
code in the kernel and need work to bring them back into shape.
Most people test on real systems or VMs on real networks.
Sugested by: glebius
These are no longer needed after the recent 'beforebuild: depend' changes
and hooking DIRDEPS_BUILD into a subset of FAST_DEPEND which supports
skipping 'make depend'.
Sponsored by: EMC / Isilon Storage Division
the real build file.
This lessens the need to define DPADD_<lib> and LDADD_<lib> to just very
special cases.
Sponsored by: EMC / Isilon Storage Division
This had no real impact since libipf is a static INTERNALLIB. It does conflict
with an assertion I am adding for LIBADD though.
Sponsored by: EMC / Isilon Storage Division
Unfortunately filemon/meta mode tracks all indirect dependencies here
since ld(1) is reading libelf when linking in libkvm. Churn would be
reduced if this was able to be limited to direct dependencies.
Sponsored by: EMC / Isilon Storage Division
files. Split up all of the targets to be more clear on how they are generated
to fix the problem.
MFC after: 2 weeks
Sponsored by: EMC / Isilon Storage Division
