head	1.25;
access;
symbols
	RELENG_8_4:1.25.0.2
	RELENG_9_1_0_RELEASE:1.24.2.1.4.2
	RELENG_9_1:1.24.2.1.0.4
	RELENG_9_1_BP:1.24.2.1
	RELENG_8_3_0_RELEASE:1.21.2.2.6.1
	RELENG_8_3:1.21.2.2.0.6
	RELENG_8_3_BP:1.21.2.2
	RELENG_9_0_0_RELEASE:1.24.2.1.2.1
	RELENG_9_0:1.24.2.1.0.2
	RELENG_9_0_BP:1.24.2.1
	RELENG_9:1.24.0.2
	RELENG_9_BP:1.24
	RELENG_7_4_0_RELEASE:1.14.10.1.6.1
	RELENG_8_2_0_RELEASE:1.21.2.2.4.1
	RELENG_7_4:1.14.10.1.0.6
	RELENG_7_4_BP:1.14.10.1
	RELENG_8_2:1.21.2.2.0.4
	RELENG_8_2_BP:1.21.2.2
	RELENG_8_1_0_RELEASE:1.21.2.2.2.1
	RELENG_8_1:1.21.2.2.0.2
	RELENG_8_1_BP:1.21.2.2
	RELENG_7_3_0_RELEASE:1.14.10.1.4.1
	RELENG_7_3:1.14.10.1.0.4
	RELENG_7_3_BP:1.14.10.1
	RELENG_8_0_0_RELEASE:1.21.2.1.2.1
	RELENG_8_0:1.21.2.1.0.2
	RELENG_8_0_BP:1.21.2.1
	RELENG_8:1.21.0.2
	RELENG_8_BP:1.21
	RELENG_7_2_0_RELEASE:1.14.10.1.2.1
	RELENG_7_2:1.14.10.1.0.2
	RELENG_7_2_BP:1.14.10.1
	RELENG_7_1_0_RELEASE:1.14.18.1
	RELENG_6_4_0_RELEASE:1.14.16.1
	RELENG_7_1:1.14.0.18
	RELENG_7_1_BP:1.14
	RELENG_6_4:1.14.0.16
	RELENG_6_4_BP:1.14
	RELENG_7_0_0_RELEASE:1.14
	RELENG_6_3_0_RELEASE:1.14
	RELENG_7_0:1.14.0.14
	RELENG_7_0_BP:1.14
	RELENG_6_3:1.14.0.12
	RELENG_6_3_BP:1.14
	RELENG_7:1.14.0.10
	RELENG_7_BP:1.14
	RELENG_6_2_0_RELEASE:1.14
	RELENG_6_2:1.14.0.8
	RELENG_6_2_BP:1.14
	RELENG_5_5_0_RELEASE:1.12
	RELENG_5_5:1.12.0.14
	RELENG_5_5_BP:1.12
	RELENG_6_1_0_RELEASE:1.14
	RELENG_6_1:1.14.0.6
	RELENG_6_1_BP:1.14
	RELENG_6_0_0_RELEASE:1.14
	RELENG_6_0:1.14.0.4
	RELENG_6_0_BP:1.14
	RELENG_6:1.14.0.2
	RELENG_6_BP:1.14
	RELENG_5_4_0_RELEASE:1.12
	RELENG_5_4:1.12.0.12
	RELENG_5_4_BP:1.12
	RELENG_4_11_0_RELEASE:1.6.6.3
	RELENG_4_11:1.6.6.3.0.10
	RELENG_4_11_BP:1.6.6.3
	RELENG_5_3_0_RELEASE:1.12
	RELENG_5_3:1.12.0.10
	RELENG_5_3_BP:1.12
	RELENG_5:1.12.0.8
	RELENG_5_BP:1.12
	RELENG_4_10_0_RELEASE:1.6.6.3
	RELENG_4_10:1.6.6.3.0.8
	RELENG_4_10_BP:1.6.6.3
	RELENG_5_2_1_RELEASE:1.12
	RELENG_5_2_0_RELEASE:1.12
	RELENG_5_2:1.12.0.6
	RELENG_5_2_BP:1.12
	RELENG_4_9_0_RELEASE:1.6.6.3
	RELENG_4_9:1.6.6.3.0.6
	RELENG_4_9_BP:1.6.6.3
	RELENG_5_1_0_RELEASE:1.12
	RELENG_5_1:1.12.0.4
	RELENG_5_1_BP:1.12
	RELENG_4_8_0_RELEASE:1.6.6.3
	RELENG_4_8:1.6.6.3.0.4
	RELENG_4_8_BP:1.6.6.3
	RELENG_5_0_0_RELEASE:1.12
	RELENG_5_0:1.12.0.2
	RELENG_5_0_BP:1.12
	RELENG_4_7_0_RELEASE:1.6.6.3
	RELENG_4_7:1.6.6.3.0.2
	RELENG_4_7_BP:1.6.6.3
	RELENG_4_6_2_RELEASE:1.6.6.2
	RELENG_4_6_1_RELEASE:1.6.6.2
	RELENG_4_6_0_RELEASE:1.6.6.2
	RELENG_4_6:1.6.6.2.0.6
	RELENG_4_6_BP:1.6.6.2
	RELENG_4_5_0_RELEASE:1.6.6.2
	RELENG_4_5:1.6.6.2.0.4
	RELENG_4_5_BP:1.6.6.2
	RELENG_4_4_0_RELEASE:1.6.6.2
	RELENG_4_4:1.6.6.2.0.2
	RELENG_4_4_BP:1.6.6.2
	RELENG_4_3_0_RELEASE:1.6.6.1
	RELENG_4_3:1.6.6.1.0.2
	RELENG_4_3_BP:1.6.6.1
	RELENG_4_2_0_RELEASE:1.6.6.1
	RELENG_4_1_1_RELEASE:1.6
	PRE_SMPNG:1.6
	RELENG_4_1_0_RELEASE:1.6
	RELENG_3_5_0_RELEASE:1.6
	RELENG_4_0_0_RELEASE:1.6
	RELENG_4:1.6.0.6
	RELENG_4_BP:1.6
	RELENG_3_4_0_RELEASE:1.6
	RELENG_3_3_0_RELEASE:1.6
	RELENG_3_2_PAO:1.6.0.4
	RELENG_3_2_PAO_BP:1.6
	RELENG_3_2_0_RELEASE:1.6
	RELENG_3_1_0_RELEASE:1.6
	RELENG_3:1.6.0.2
	RELENG_3_BP:1.6
	RELENG_2_2_8_RELEASE:1.5.2.1
	RELENG_3_0_0_RELEASE:1.6
	RELENG_2_2_7_RELEASE:1.5.2.1
	RELENG_2_2_6_RELEASE:1.5.2.1
	RELENG_2_2_5_RELEASE:1.5.2.1
	RELENG_2_2_2_RELEASE:1.5
	RELENG_2_2_1_RELEASE:1.5
	RELENG_2_2_0_RELEASE:1.5
	RELENG_2_1_7_RELEASE:1.3
	RELENG_2_1_6_1_RELEASE:1.3
	RELENG_2_1_6_RELEASE:1.3
	RELENG_2_2:1.5.0.2
	RELENG_2_2_BP:1.5
	RELENG_2_1_5_RELEASE:1.3
	RELENG_2_1_0_RELEASE:1.3
	RELENG_2_1_0:1.3.0.4
	RELENG_2_1_0_BP:1.3
	RELENG_2_0_5_RELEASE:1.3
	RELENG_2_0_5:1.3.0.2
	RELENG_2_0_5_BP:1.3
	RELENG_2_0_5_ALPHA:1.3
	RELEASE_2_0:1.2
	BETA_2_0:1.2
	ALPHA_2_0:1.1.1.1.0.2
	ipfw:1.1.1.1;
locks; strict;
comment	@# @;


1.25
date	2012.11.17.01.50.22;	author svnexp;	state Exp;
branches
	1.25.2.1;
next	1.24;

1.24
date	2010.03.08.14.43.55;	author luigi;	state Exp;
branches
	1.24.2.1;
next	1.23;

1.23
date	2010.03.02.17.40.48;	author luigi;	state Exp;
branches;
next	1.22;

1.22
date	2010.02.25.20.24.19;	author ru;	state Exp;
branches;
next	1.21;

1.21
date	2009.06.24.22.57.07;	author oleg;	state Exp;
branches
	1.21.2.1;
next	1.20;

1.20
date	2009.02.01.16.00.49;	author luigi;	state Exp;
branches;
next	1.19;

1.19
date	2009.01.27.20.26.45;	author luigi;	state Exp;
branches;
next	1.18;

1.18
date	2009.01.27.12.01.30;	author luigi;	state Exp;
branches;
next	1.17;

1.17
date	2009.01.27.11.03.47;	author luigi;	state Exp;
branches;
next	1.16;

1.16
date	2009.01.27.10.18.55;	author luigi;	state Exp;
branches;
next	1.15;

1.15
date	2009.01.27.09.04.29;	author luigi;	state Exp;
branches;
next	1.14;

1.14
date	2004.10.03.06.32.37;	author green;	state Exp;
branches
	1.14.2.1
	1.14.10.1
	1.14.16.1
	1.14.18.1;
next	1.13;

1.13
date	2004.10.03.00.17.46;	author green;	state Exp;
branches;
next	1.12;

1.12
date	2002.07.11.17.33.37;	author bde;	state Exp;
branches;
next	1.11;

1.11
date	2002.06.27.23.02.16;	author luigi;	state Exp;
branches;
next	1.10;

1.10
date	2001.12.04.02.19.48;	author obrien;	state Exp;
branches;
next	1.9;

1.9
date	2001.03.26.14.33.06;	author ru;	state Exp;
branches;
next	1.8;

1.8
date	2001.03.20.18.13.14;	author ru;	state Exp;
branches;
next	1.7;

1.7
date	2000.10.06.11.18.11;	author ru;	state Exp;
branches;
next	1.6;

1.6
date	97.06.02.05.02.31;	author julian;	state Exp;
branches
	1.6.6.1;
next	1.5;

1.5
date	96.02.24.13.39.44;	author phk;	state Exp;
branches
	1.5.2.1;
next	1.4;

1.4
date	96.02.24.00.20.56;	author phk;	state Exp;
branches;
next	1.3;

1.3
date	95.02.18.16.36.23;	author jkh;	state Exp;
branches;
next	1.2;

1.2
date	94.11.17.09.50.27;	author jkh;	state Exp;
branches;
next	1.1;

1.1
date	94.10.28.15.06.52;	author jkh;	state Exp;
branches
	1.1.1.1;
next	;

1.25.2.1
date	2012.11.17.01.50.22;	author svnexp;	state dead;
branches;
next	1.25.2.2;

1.25.2.2
date	2013.03.28.13.03.34;	author svnexp;	state Exp;
branches;
next	;

1.24.2.1
date	2011.09.23.00.51.37;	author kensmith;	state Exp;
branches
	1.24.2.1.2.1
	1.24.2.1.4.1;
next	1.24.2.2;

1.24.2.2
date	2012.11.17.11.36.32;	author svnexp;	state Exp;
branches;
next	;

1.24.2.1.2.1
date	2011.11.11.04.20.22;	author kensmith;	state Exp;
branches;
next	1.24.2.1.2.2;

1.24.2.1.2.2
date	2012.11.17.08.36.31;	author svnexp;	state Exp;
branches;
next	;

1.24.2.1.4.1
date	2012.08.05.23.54.33;	author kensmith;	state Exp;
branches;
next	1.24.2.1.4.2;

1.24.2.1.4.2
date	2012.11.17.08.47.21;	author svnexp;	state Exp;
branches;
next	;

1.21.2.1
date	2009.08.03.08.13.06;	author kensmith;	state Exp;
branches
	1.21.2.1.2.1;
next	1.21.2.2;

1.21.2.2
date	2010.03.23.09.58.59;	author luigi;	state Exp;
branches
	1.21.2.2.2.1
	1.21.2.2.4.1
	1.21.2.2.6.1;
next	1.21.2.3;

1.21.2.3
date	2012.11.17.10.36.16;	author svnexp;	state Exp;
branches;
next	;

1.21.2.1.2.1
date	2009.10.25.01.10.29;	author kensmith;	state Exp;
branches;
next	;

1.21.2.2.2.1
date	2010.06.14.02.09.06;	author kensmith;	state Exp;
branches;
next	;

1.21.2.2.4.1
date	2010.12.21.17.09.25;	author kensmith;	state Exp;
branches;
next	;

1.21.2.2.6.1
date	2012.03.03.06.15.13;	author kensmith;	state Exp;
branches;
next	1.21.2.2.6.2;

1.21.2.2.6.2
date	2012.11.17.08.24.56;	author svnexp;	state Exp;
branches;
next	;

1.14.2.1
date	2012.11.17.07.41.19;	author svnexp;	state Exp;
branches;
next	;

1.14.10.1
date	2009.02.20.00.39.39;	author luigi;	state Exp;
branches
	1.14.10.1.2.1
	1.14.10.1.4.1
	1.14.10.1.6.1;
next	1.14.10.2;

1.14.10.2
date	2012.11.17.08.03.37;	author svnexp;	state Exp;
branches;
next	;

1.14.10.1.2.1
date	2009.04.15.03.14.26;	author kensmith;	state Exp;
branches;
next	;

1.14.10.1.4.1
date	2010.02.10.00.26.20;	author kensmith;	state Exp;
branches;
next	;

1.14.10.1.6.1
date	2010.12.21.17.10.29;	author kensmith;	state Exp;
branches;
next	1.14.10.1.6.2;

1.14.10.1.6.2
date	2012.11.17.08.16.54;	author svnexp;	state Exp;
branches;
next	;

1.14.16.1
date	2008.10.02.02.57.24;	author kensmith;	state Exp;
branches;
next	;

1.14.18.1
date	2008.11.25.02.59.29;	author kensmith;	state Exp;
branches;
next	;

1.6.6.1
date	2000.10.17.13.10.21;	author ru;	state Exp;
branches;
next	1.6.6.2;

1.6.6.2
date	2001.04.25.10.58.26;	author ru;	state Exp;
branches;
next	1.6.6.3;

1.6.6.3
date	2002.07.24.03.21.23;	author luigi;	state Exp;
branches;
next	1.6.6.4;

1.6.6.4
date	2012.11.17.07.24.30;	author svnexp;	state Exp;
branches;
next	;

1.5.2.1
date	97.06.21.00.10.25;	author julian;	state Exp;
branches;
next	;

1.1.1.1
date	94.10.28.15.06.53;	author jkh;	state Exp;
branches;
next	;


desc
@@


1.25
log
@Switching exporter and resync
@
text
@# $FreeBSD: head/sbin/ipfw/Makefile 204869 2010-03-08 14:43:55Z luigi $

PROG=	ipfw
SRCS=	ipfw2.c dummynet.c ipv6.c main.c nat.c altq.c
WARNS?=	2
DPADD=	${LIBUTIL}
LDADD=	-lutil
MAN=	ipfw.8

.include <bsd.prog.mk>
@


1.25.2.1
log
@file Makefile was added on branch RELENG_8_4 on 2013-03-28 13:03:34 +0000
@
text
@d1 10
@


1.25.2.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 10
# $FreeBSD: releng/8.4/sbin/ipfw/Makefile 205511 2010-03-23 09:58:59Z luigi $

PROG=	ipfw
SRCS=	ipfw2.c dummynet.c ipv6.c main.c nat.c altq.c
WARNS?=	2
DPADD=	${LIBUTIL}
LDADD=	-lutil
MAN=	ipfw.8

.include <bsd.prog.mk>
@


1.24
log
@SVN rev 204869 on 2010-03-08 14:43:55Z by luigi

add back DPADD (removed by mistake in a previous commit)
@
text
@d1 1
a1 1
# $FreeBSD$
@


1.24.2.1
log
@SVN rev 225736 on 2011-09-23 00:51:37Z by kensmith

Copy head to stable/9 as part of 9.0-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.24.2.2
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242902
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242902 | dteske | 2012-11-11 23:29:45 +0000 (Sun, 11 Nov 2012) | 10 lines
## SVN ##
## SVN ## Fix a regression introduced by SVN r211417 that saw the breakage of a feature
## SVN ## documented in usr.sbin/sysinstall/help/shortcuts.hlp (reproduced below):
## SVN ##
## SVN ## If /usr/sbin/sysinstall is linked to another filename, say
## SVN ## `/usr/local/bin/configPackages', then the basename will be used
## SVN ## as an implicit command name.
## SVN ##
## SVN ## Reviewed by:	adrian (co-mentor)
## SVN ## Approved by:	adrian (co-mentor)
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d1 1
a1 1
# $FreeBSD: stable/9/sbin/ipfw/Makefile 204869 2010-03-08 14:43:55Z luigi $
@


1.24.2.1.4.1
log
@SVN rev 239080 on 2012-08-05 23:54:33Z by kensmith

Copy stable/9 to releng/9.1 as part of the 9.1-RELEASE release process.

Approved by:	re (implicit)
@
text
@@


1.24.2.1.4.2
log
@Switch importer
@
text
@d1 1
a1 1
# $FreeBSD: releng/9.1/sbin/ipfw/Makefile 204869 2010-03-08 14:43:55Z luigi $
@


1.24.2.1.2.1
log
@SVN rev 227445 on 2011-11-11 04:20:22Z by kensmith

Copy stable/9 to releng/9.0 as part of the FreeBSD 9.0-RELEASE release
cycle.

Approved by:	re (implicit)
@
text
@@


1.24.2.1.2.2
log
@Switch importer
@
text
@d1 1
a1 1
# $FreeBSD: releng/9.0/sbin/ipfw/Makefile 204869 2010-03-08 14:43:55Z luigi $
@


1.23
log
@SVN rev 204591 on 2010-03-02 17:40:48Z by luigi

Bring in the most recent version of ipfw and dummynet, developed
and tested over the past two months in the ipfw3-head branch.  This
also happens to be the same code available in the Linux and Windows
ports of ipfw and dummynet.

The major enhancement is a completely restructured version of
dummynet, with support for different packet scheduling algorithms
(loadable at runtime), faster queue/pipe lookup, and a much cleaner
internal architecture and kernel/userland ABI which simplifies
future extensions.

In addition to the existing schedulers (FIFO and WF2Q+), we include
a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new,
very fast version of WF2Q+ called QFQ.

Some test code is also present (in sys/netinet/ipfw/test) that
lets you build and test schedulers in userland.

Also, we have added a compatibility layer that understands requests
from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries,
and replies correctly (at least, it does its best; sometimes you
just cannot tell who sent the request and how to answer).
The compatibility layer should make it possible to MFC this code in a
relatively short time.

Some minor glitches (e.g. handling of ipfw set enable/disable,
and a workaround for a bug in RELENG_7's /sbin/ipfw) will be
fixed with separate commits.

CREDITS:
This work has been partly supported by the ONELAB2 project, and
mostly developed by Riccardo Panicucci and myself.
The code for the qfq scheduler is mostly from Fabio Checconi,
and Marta Carbone and Francesco Magno have helped with testing,
debugging and some bug fixes.
@
text
@d6 1
@


1.22
log
@SVN rev 204329 on 2010-02-25 20:24:19Z by ru

Fixed dependencies (make checkdpadd).
@
text
@a5 1
DPADD=	${LIBUTIL}
@


1.21
log
@SVN rev 194930 on 2009-06-24 22:57:07Z by oleg

- fix dummynet 'fast' mode for WF2Q case.
- fix printing of pipe profile data.
- introduce new pipe parameter: 'burst' - how much data can be sent through
  pipe bypassing bandwidth limit.
@
text
@d6 1
@


1.21.2.1
log
@SVN rev 196045 on 2009-08-03 08:13:06Z by kensmith

Copy head to stable/8 as part of 8.0 Release cycle.

Approved by:	re (Implicit)
@
text
@@


1.21.2.2
log
@SVN rev 205511 on 2010-03-23 09:58:59Z by luigi

MFC of a large number of ipfw and dummynet fixes and enhancements
done in CURRENT over the last 4 months.
HEAD and RELENG_8 are almost in sync now for ipfw, dummynet
the pfil hooks and related components.

Among the most noticeable changes:
- r200855 more efficient lookup of skipto rules, and remove O(N)
  blocks from critical sections in the kernel;
- r204591 large restructuring of the dummynet module, with support
  for multiple scheduling algorithms (4 available so far)
See the original commit logs for details.

Changes in the kernel/userland ABI should be harmless because the
kernel is able to understand previous requests from RELENG_8 and
RELENG_7. For this reason, this changeset would be applicable
to RELENG_7 as well, but i am not sure if it is worthwhile.
@
text
@a5 1
DPADD=	${LIBUTIL}
@


1.21.2.3
log
@## SVN ##
## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/ 242909
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r242909 | dim | 2012-11-12 07:47:19 +0000 (Mon, 12 Nov 2012) | 20 lines
## SVN ##
## SVN ## MFC r242625:
## SVN ##
## SVN ## Remove duplicate const specifiers in many drivers (I hope I got all of
## SVN ## them, please let me know if not).  Most of these are of the form:
## SVN ##
## SVN ## static const struct bzzt_type {
## SVN ##       [...list of members...]
## SVN ## } const bzzt_devs[] = {
## SVN ##       [...list of initializers...]
## SVN ## };
## SVN ##
## SVN ## The second const is unnecessary, as arrays cannot be modified anyway,
## SVN ## and if the elements are const, the whole thing is const automatically
## SVN ## (e.g. it is placed in .rodata).
## SVN ##
## SVN ## I have verified this does not change the binary output of a full kernel
## SVN ## build (except for build timestamps embedded in the object files).
## SVN ##
## SVN ## Reviewed by:	yongari, marius
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d1 1
a1 1
# $FreeBSD: stable/8/sbin/ipfw/Makefile 205511 2010-03-23 09:58:59Z luigi $
@


1.21.2.2.6.1
log
@SVN rev 232438 on 2012-03-03 06:15:13Z by kensmith

Copy stable/8 to releng/8.3 as part of 8.3-RELEASE release cycle.

Approved by:	re (implicit)
@
text
@@


1.21.2.2.6.2
log
@Switch importer
@
text
@d1 1
a1 1
# $FreeBSD: releng/8.3/sbin/ipfw/Makefile 205511 2010-03-23 09:58:59Z luigi $
@


1.21.2.2.4.1
log
@SVN rev 216617 on 2010-12-21 17:09:25Z by kensmith

Copy stable/8 to releng/8.2 in preparation for FreeBSD-8.2 release.

Approved by:	re (implicit)
@
text
@@


1.21.2.2.2.1
log
@SVN rev 209145 on 2010-06-14 02:09:06Z by kensmith

Copy stable/8 to releng/8.1 in preparation for 8.1-RC1.

Approved by:	re (implicit)
@
text
@@


1.21.2.1.2.1
log
@SVN rev 198460 on 2009-10-25 01:10:29Z by kensmith

Copy stable/8 to releng/8.0 as part of 8.0-RELEASE release procedure.

Approved by:	re (implicit)
@
text
@@


1.20
log
@SVN rev 187983 on 2009-02-01 16:00:49Z by luigi

put the altq-related functions into a separate file.
Minor cleanup of the includes used by the various source files,
including annotations of why certain headers are used.
@
text
@d6 1
@


1.19
log
@SVN rev 187787 on 2009-01-27 20:26:45Z by luigi

fix printing of uint64_t values, so we can use WARNS=2
@
text
@d4 1
a4 1
SRCS=	ipfw2.c dummynet.c ipv6.c main.c nat.c
@


1.18
log
@SVN rev 187770 on 2009-01-27 12:01:30Z by luigi

Put nat and ipv6 support in their own files.

Usual moving of code with no changes from ipfw2.c to the
newly created files, and addition of prototypes to ipfw2.h

I have added forward declarations for ipfw_insn_* in ipfw2.h
to avoid a global dependency on ip_fw.h
@
text
@d5 1
a5 1
WARNS?=	0
@


1.17
log
@SVN rev 187768 on 2009-01-27 11:03:47Z by luigi

never mind, for the time being let's stick with WARNS=0 until
we sort out all proper printf formats.
@
text
@d4 1
a4 1
SRCS=	ipfw2.c dummynet.c main.c
@


1.16
log
@SVN rev 187767 on 2009-01-27 10:18:55Z by luigi

Start splitting the monster file in smaller blocks.

In this episode:
- introduce a common header with a minimal set of common definitions;
- bring the main() function and options parser in main.c
- rename the main functions with an ipfw_ prefix

No code changes except for the introduction of a global variable,
resvd_set_number, which stores the RESVD_SET value from ip_fw.h
and is used to remove the dependency of main.c from ip_fw.h
(and the subtree of dependencies) for just a single constant.
@
text
@d4 2
a5 2
SRCS=	ipfw2.c main.c
WARNS?=	2
@


1.15
log
@SVN rev 187763 on 2009-01-27 09:04:29Z by luigi

I believe this is safe to build with WARNS=2 now
@
text
@d4 1
a4 1
SRCS=	ipfw2.c
@


1.14
log
@Remove blindly-copied extra include path.
@
text
@d5 1
a5 1
WARNS?=	0
@


1.14.2.1
log
@Switch importer
@
text
@d1 1
a1 1
# $FreeBSD: stable/6/sbin/ipfw/Makefile 136079 2004-10-03 06:32:37Z green $
@


1.14.10.1
log
@SVN rev 188836 on 2009-02-20 00:39:39Z by luigi

MFC: sync the ipfw code with the version in HEAD.

The only new feature is that now one can write
"table all {flush | list}" to act on all tables.

Just for the records, there is one difference which probably
has no practical importance; two "tos" flags are represented
differently now:

@@@@ -182,8 +182,8 @@@@ static struct _s_x f_iptos[] = {
 	{ "throughput",	IPTOS_THROUGHPUT},
 	{ "reliability", IPTOS_RELIABILITY},
 	{ "mincost",	IPTOS_MINCOST},
-	{ "congestion",	IPTOS_CE},
-	{ "ecntransport", IPTOS_ECT},
+	{ "congestion",	IPTOS_ECN_CE},
+	{ "ecntransport", IPTOS_ECN_ECT0},
 	{ "ip tos option", 0},
 	{ NULL,	0 }
 };

IPTOS_ECT = IPTOS_ECN_ECT0 = 2 so 'ecntransport' is the same.

IPTOS_CE = 1, IPTOS_ECN_CE = 3 so 'congestion' is represented by a
different codepoint, but this also reflects a different specification
(RFC3168 obsoletes RFC2481) so the change is just adopting the new
spec.
@
text
@d4 2
a5 2
SRCS=	ipfw2.c dummynet.c ipv6.c main.c nat.c altq.c
WARNS?=	2
@


1.14.10.2
log
@Switch importer
@
text
@d1 1
a1 1
# $FreeBSD: stable/7/sbin/ipfw/Makefile 188836 2009-02-20 00:39:39Z luigi $
@


1.14.10.1.6.1
log
@SVN rev 216618 on 2010-12-21 17:10:29Z by kensmith

Copy stable/7 to releng/7.4 in preparation for FreeBSD-7.4 release.

Approved by:	re (implicit)
@
text
@@


1.14.10.1.6.2
log
@Switch importer
@
text
@d1 1
a1 1
# $FreeBSD: releng/7.4/sbin/ipfw/Makefile 188836 2009-02-20 00:39:39Z luigi $
@


1.14.10.1.4.1
log
@SVN rev 203736 on 2010-02-10 00:26:20Z by kensmith

Copy stable/7 to releng/7.3 as part of the 7.3-RELEASE process.

Approved by:	re (implicit)
@
text
@@


1.14.10.1.2.1
log
@SVN rev 191087 on 2009-04-15 03:14:26Z by kensmith

Create releng/7.2 from stable/7 in preparation for 7.2-RELEASE.

Approved by:	re (implicit)
@
text
@@


1.14.18.1
log
@SVN rev 185281 on 2008-11-25 02:59:29Z by kensmith

Create releng/7.1 in preparation for moving into RC phase of 7.1 release
cycle.

Approved by:	re (implicit)
@
text
@@


1.14.16.1
log
@SVN rev 183531 on 2008-10-02 02:57:24Z by kensmith

Create releng/6.4 from stable/6 in preparation for 6.4-RC1.

Approved by:	re (implicit)
@
text
@@


1.13
log
@Add to IPFW the ability to do ALTQ classification/tagging.
@
text
@a6 1
CFLAGS+= -I${.CURDIR}/../../sys/contrib/pf
@


1.12
log
@Uncommented WARNS=0.  ipfw2.c is full of printf format errors that are
fatal on alphas.

Fixed setting of WARNS.  WARNS should never be set unconditionally, since
this breaks testing of different WARNS values by setting it at a higher
level (e.g., on the command line).
@
text
@d7 1
@


1.11
log
@The new ipfw code.

This code makes use of variable-size kernel representation of rules
(exactly the same concept of BPF instructions, as used in the BSDI's
firewall), which makes firewall operation a lot faster, and the
code more readable and easier to extend and debug.

The interface with the rest of the system is unchanged, as witnessed
by this commit. The only extra kernel files that I am touching
are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In
userland I only had to touch those programs which manipulate the
internal representation of firewall rules).

The code is almost entirely new (and I believe I have written the
vast majority of those sections which were taken from the former
ip_fw.c), so rather than modifying the old ip_fw.c I decided to
create a new file, sys/netinet/ip_fw2.c .  Same for the user
interface, which is in sbin/ipfw/ipfw2.c (it still compiles to
/sbin/ipfw).  The old files are still there, and will be removed
in due time.

I have not renamed the header file because it would have required
touching a one-line change to a number of kernel files.

In terms of user interface, the new "ipfw" is supposed to accepts
the old syntax for ipfw rules (and produce the same output with
"ipfw show". Only a couple of the old options (out of some 30 of
them) has not been implemented, but they will be soon.

On the other hand, the new code has some very powerful extensions.
First, you can put "or" connectives between match fields (and soon
also between options), and write things like

ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any

This should make rulesets slightly more compact (and lines longer!),
by condensing 2 or more of the old rules into single ones.

Also, as an example of how easy the rules can be extended, I have
implemented an 'address set' match pattern, where you can specify
an IP address in a format like this:

        10.20.30.0/26{18,44,33,22,9}

which will match the set of hosts listed in braces belonging to the
subnet 10.20.30.0/26 . The match is done using a bitmap, so it is
essentially a constant time operation requiring a handful of CPU
instructions (and a very small amount of memmory -- for a full /24
subnet, the instruction only consumes 40 bytes).

Again, in this commit I have focused on functionality and tried
to minimize changes to the other parts of the system. Some performance
improvement can be achieved with minor changes to the interface of
ip_fw_chk_t. This will be done later when this code is settled.

The code is meant to compile unmodified on RELENG_4 (once the
PACKET_TAG_* changes have been merged), for this reason
you will see #ifdef __FreeBSD_version in a couple of places.
This should minimize errors when (hopefully soon) it will be time
to do the MFC.
@
text
@d5 1
a5 1
#WARNS=	0
@


1.10
log
@Default to WARNS=2.
Binary builds that cannot handle this must explicitly set WARNS=0.

Reviewed by:	mike
@
text
@d4 2
a5 1
WARNS=	0
@


1.9
log
@- Backout botched attempt to introduce MANSECT feature.
- MAN[1-9] -> MAN.
@
text
@d1 1
a1 1
# $FreeBSD: src/sbin/ipfw/Makefile,v 1.8 2001/03/20 18:13:14 ru Exp $
d4 1
a5 1
CFLAGS+=-Wall
@


1.8
log
@Set the default manual section for sbin/ to 8.
@
text
@d1 1
a1 1
# $FreeBSD: src/sbin/ipfw/Makefile,v 1.7 2000/10/06 11:18:11 ru Exp $
d4 1
@


1.7
log
@Convert this Makefile to the usual style.
@
text
@d1 1
a1 1
# $FreeBSD$
a3 1
MAN8=	ipfw.8
@


1.6
log
@Submitted by:	Whistle Communications (archie Cobbs)

these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.

The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...

see the man page for a complete description.
@
text
@d1 1
a1 3
PROG=   ipfw

COPTS+=	-Wall
d3 1
d5 1
@


1.6.6.1
log
@MFC: Style conversion.
@
text
@d1 3
a3 1
# $FreeBSD$
a4 1
PROG=	ipfw
a5 1
CFLAGS+=-Wall
@


1.6.6.2
log
@MFC: MAN[1-9] -> MAN.
@
text
@d1 1
a1 1
# $FreeBSD: src/sbin/ipfw/Makefile,v 1.6.6.1 2000/10/17 13:10:21 ru Exp $
d4 1
a4 1
MAN=	ipfw.8
@


1.6.6.3
log
@Bring ipfw2 into the -stable tree. This will give more people a
chance to test it, and hopefully accelerate the transition from the
old to the new ipfw code.

NOTE: THIS COMMIT WILL NOT CHANGE THE FIREWALL YOU USE,
NOR A SINGLE BIT IN YOUR KERNEL AND BINARIES.
YOU WILL KEEP USING YOUR OLD "ipfw" UNLESS YOU:

  + add "options IPFW2" (undocumented) to your kernel config file;

  + compile and install sbin/ipfw and lib/libalias with
        make -DIPFW2

in other words, you must really want it.

On the other hand, i believe you do really want to use this new
code. In addition to being twice as fast in processing individual
rules, you can use more powerful match patterns such as

        ... ip from 1.2.3.0/24{50,6,27,158} to ...
        ... ip from { 1.2.3.4/26 or 5.6.7.8/22 } to ...
        ... ip from any 5-7,9-66,1020-3000,4000-5000 to ...

i.e. match sparse sets of IP addresses in constant time; use "or"
connectives between match patterns; have multiple port ranges; etc.
which I believe will dramatically reduce your ruleset size.

As an additional bonus, "keep-state" rules will now send keepalives
when the rule is about to expire, so you will not have your remote
login sessions die while you are idle.

The syntax is backward compatible with the old ipfw.
A manual page documenting the extensions has yet to be completed.
@
text
@d1 1
a1 1
# $FreeBSD$
a5 4
.if defined(IPFW2)
SRCS=	ipfw2.c
CFLAGS+= -DIPFW2
.endif
@


1.6.6.4
log
@Switch importer
@
text
@d1 1
a1 1
# $FreeBSD: stable/4/sbin/ipfw/Makefile 100592 2002-07-24 03:21:24Z luigi $
@


1.5
log
@Update to match kernel code.
@
text
@d3 2
@


1.5.2.1
log
@YAMFC

Upgrade the user utility to the upgraded firewall code

Submitted by:	whistle communications
@
text
@a2 2
COPTS+=	-Wall

@


1.4
log
@A new ipfw program that can set and control the new features.
An almost correct usage is printed.
@
text
@a1 2
DPADD=  ${LIBKVM}
LDADD=  -lkvm
a3 9

test:	ipfw
	./ipfw add reject tcp from any to any
	./ipfw add 11 reject tcp from 1.2.3.4 to 5.6.7.8 established
	./ipfw add 11 reject tcp from 1.2.3.4 to 5.6.7.8/24 in
	./ipfw add 11 reject tcp from 1.2.3.4 to 5.6.7.8 in out
	./ipfw add 11 reject tcp from 1.2.3.4 to 5.6.7.8 frag out
	./ipfw add 11 reject tcp from 1.2.3.4 to 5.6.7.8 tcpf p,f,!a ipopt !ts
	./ipfw add 12 count log udp from 1.2.3.4 to 5.6.7.8 123-125,234,245
@


1.3
log
@ipfirewall.4 is obviously not here anymore!  Adjust the Makefile.
@
text
@d7 9
@


1.2
log
@New man pages from Ugen.  Delete my old, first attempt.  I only hope
that the english in Ugen's two replacement pages is not too impenetrable! :-)
[Note:  Poul - please pull these into the BETA branch along with the
other firewall changes]

Submitted by:	ugen
@
text
@a4 2
MAN4=	ipfirewall.4
MLINKS=	ipfirewall.4 ipacct.4 ipfirewall.4 ipfw.4 ipfirewall.4 ipaccounting.4
@


1.1
log
@Initial revision
@
text
@d5 4
@


1.1.1.1
log
@Add the ipfw command, for IP firewall construction.
Submitted by:	danny ugen
@
text
@@
