|
Lines 234-240
|
| 234 |
When listing a table (see the |
234 |
When listing a table (see the |
| 235 |
.Sx LOOKUP TABLES |
235 |
.Sx LOOKUP TABLES |
| 236 |
section below for more information on lookup tables), format values |
236 |
section below for more information on lookup tables), format values |
| 237 |
as IP addresses. By default, values are shown as integers. |
237 |
as IP addresses. |
|
|
238 |
By default, values are shown as integers. |
| 238 |
.It Fl n |
239 |
.It Fl n |
| 239 |
Only check syntax of the command strings, without actually passing |
240 |
Only check syntax of the command strings, without actually passing |
| 240 |
them to the kernel. |
241 |
them to the kernel. |
|
Lines 566-572
|
| 566 |
.Xr bpf 4 |
567 |
.Xr bpf 4 |
| 567 |
attached to the |
568 |
attached to the |
| 568 |
.Li ipfw0 |
569 |
.Li ipfw0 |
| 569 |
pseudo interface. There is no overhead if no |
570 |
pseudo interface. |
|
|
571 |
There is no overhead if no |
| 570 |
.Xr bpf 4 |
572 |
.Xr bpf 4 |
| 571 |
is attached to the pseudo interface. |
573 |
is attached to the pseudo interface. |
| 572 |
.Pp |
574 |
.Pp |
|
Lines 880-902
|
| 880 |
Processing continues at the next rule. |
882 |
Processing continues at the next rule. |
| 881 |
It is possible to use the |
883 |
It is possible to use the |
| 882 |
.Cm tablearg |
884 |
.Cm tablearg |
| 883 |
keyword with a setfib. If tablearg value is not within compiled FIB range packet fib is set to 0. |
885 |
keyword with a setfib. |
|
|
886 |
If tablearg value is not within compiled FIB range packet fib is set to 0. |
| 884 |
.It Cm reass |
887 |
.It Cm reass |
| 885 |
Queue and reassemble ip fragments. |
888 |
Queue and reassemble ip fragments. |
| 886 |
If the packet is not fragmented, counters are updated and processing continues with the next rule. |
889 |
If the packet is not fragmented, counters are |
|
|
890 |
updated and processing continues with the next rule. |
| 887 |
If the packet is the last logical fragment, the packet is reassembled and, if |
891 |
If the packet is the last logical fragment, the packet is reassembled and, if |
| 888 |
.Va net.inet.ip.fw.one_pass |
892 |
.Va net.inet.ip.fw.one_pass |
| 889 |
is set to 0, processing continues with the next rule, else packet is allowed to pass and search terminates. |
893 |
is set to 0, processing continues with the next rule, |
| 890 |
If the packet is a fragment in the middle, it is consumed and processing stops immediately. |
894 |
else packet is allowed to pass and search terminates. |
|
|
895 |
If the packet is a fragment in the middle, it is |
| 896 |
consumed and processing stops immediately. |
| 891 |
.Pp |
897 |
.Pp |
| 892 |
Fragments handling can be tuned via |
898 |
Fragments handling can be tuned via |
| 893 |
.Va net.inet.ip.maxfragpackets |
899 |
.Va net.inet.ip.maxfragpackets |
| 894 |
and |
900 |
and |
| 895 |
.Va net.inet.ip.maxfragsperpacket |
901 |
.Va net.inet.ip.maxfragsperpacket |
| 896 |
which limit, respectively, the maximum number of processable fragments (default: 800) and |
902 |
which limit, respectively, the maximum number of |
|
|
903 |
processable fragments (default: 800) and |
| 897 |
the maximum number of fragments per packet (default: 16). |
904 |
the maximum number of fragments per packet (default: 16). |
| 898 |
.Pp |
905 |
.Pp |
| 899 |
NOTA BENE: since fragments do not contain port numbers, they should be avoided with the |
906 |
NOTA BENE: since fragments do not contain port numbers, |
|
|
907 |
they should be avoided with the |
| 900 |
.Nm reass |
908 |
.Nm reass |
| 901 |
rule. |
909 |
rule. |
| 902 |
Alternatively, direction-based (like |
910 |
Alternatively, direction-based (like |
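Review bot: the sentence moved onto new line 886, "If tablearg value is not within compiled FIB range packet fib is set to 0.", keeps its grammar problems through the reflow; since the line is being rewritten anyway, make it "If the tablearg value is not within the compiled FIB range, the packet's FIB is set to 0." Likewise "Fragments handling" at line 898 should read "Fragment handling".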
|
Lines 1516-1522
|
| 1516 |
.It Cm sockarg |
1524 |
.It Cm sockarg |
| 1517 |
Matches packets that are associated to a local socket and |
1525 |
Matches packets that are associated to a local socket and |
| 1518 |
for which the SO_USER_COOKIE socket option has been set |
1526 |
for which the SO_USER_COOKIE socket option has been set |
| 1519 |
to a non-zero value. As a side effect, the value of the |
1527 |
to a non-zero value. |
|
|
1528 |
As a side effect, the value of the |
| 1520 |
option is made available as |
1529 |
option is made available as |
| 1521 |
.Cm tablearg |
1530 |
.Cm tablearg |
| 1522 |
value, which in turn can be used as |
1531 |
value, which in turn can be used as |
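Review bot: "associated to a local socket" at line 1525 should be "associated with a local socket", and SO_USER_COOKIE at line 1526 is a defined constant, so the mdoc idiom is to mark it with ".Dv SO_USER_COOKIE" rather than leave it in plain text. Both lines are already inside this hunk, so the fix fits in the same change.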
|
Lines 1731-1737
|
| 1731 |
When used with the |
1740 |
When used with the |
| 1732 |
.Cm skipto |
1741 |
.Cm skipto |
| 1733 |
action, the user should be aware that the code will walk the ruleset |
1742 |
action, the user should be aware that the code will walk the ruleset |
| 1734 |
up to a rule equal to, or past, the given number, and should therefore try keep the |
1743 |
up to a rule equal to, or past, the given number, |
|
|
1744 |
and should therefore try keep the |
| 1735 |
ruleset compact between the skipto and the target rules. |
1745 |
ruleset compact between the skipto and the target rules. |
| 1736 |
.Sh SETS OF RULES |
1746 |
.Sh SETS OF RULES |
| 1737 |
Each rule belongs to one of 32 different |
1747 |
Each rule belongs to one of 32 different |
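Review bot: "and should therefore try keep the" at new line 1744 is missing "to" ("try to keep"); the line is being rewrapped here, so correct the wording in the same commit.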
|
Lines 1939-1948
|
| 1939 |
for each /24 destination subnet. |
1949 |
for each /24 destination subnet. |
| 1940 |
.Pp |
1950 |
.Pp |
| 1941 |
The FLOW_MASK, together with the SCHED_MASK, is used to split |
1951 |
The FLOW_MASK, together with the SCHED_MASK, is used to split |
| 1942 |
packets into flows. As an example, using |
1952 |
packets into flows. |
|
|
1953 |
As an example, using |
| 1943 |
``src-ip 0x000000ff'' |
1954 |
``src-ip 0x000000ff'' |
| 1944 |
together with the previous SCHED_MASK makes a flow for |
1955 |
together with the previous SCHED_MASK makes a flow for |
| 1945 |
each individual source address. In turn, flows for each /24 |
1956 |
each individual source address. |
|
|
1957 |
In turn, flows for each /24 |
| 1946 |
subnet will be sent to the same scheduler instance. |
1958 |
subnet will be sent to the same scheduler instance. |
| 1947 |
.Pp |
1959 |
.Pp |
| 1948 |
The above diagram holds even for the |
1960 |
The above diagram holds even for the |
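Review bot: the ``src-ip 0x000000ff'' at line 1954 relies on literal backtick and apostrophe quoting; the mdoc way to quote a literal is ".Dq Li src-ip 0x000000ff", which renders correct quotes on every output device. Not required for a reflow, but the line is in the hunk already.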
|
Lines 2065-2071
|
| 2065 |
the use of the channel, MAC level retransmissions and so on. |
2077 |
the use of the channel, MAC level retransmissions and so on. |
| 2066 |
From our point of view, the channel is effectively unavailable |
2078 |
From our point of view, the channel is effectively unavailable |
| 2067 |
for this extra time, which is constant or variable depending |
2079 |
for this extra time, which is constant or variable depending |
| 2068 |
on the link type. Additionally, packets may be dropped after this |
2080 |
on the link type. |
|
|
2081 |
Additionally, packets may be dropped after this |
| 2069 |
time (e.g. on a wireless link after too many retransmissions). |
2082 |
time (e.g. on a wireless link after too many retransmissions). |
| 2070 |
We can model the additional delay with an empirical curve |
2083 |
We can model the additional delay with an empirical curve |
| 2071 |
that represents its distribution. |
2084 |
that represents its distribution. |
|
Lines 2166-2172
|
| 2166 |
.It Cm wf2qp |
2179 |
.It Cm wf2qp |
| 2167 |
implements the WF2Q+ algorithm, which is a Weighted Fair Queueing |
2180 |
implements the WF2Q+ algorithm, which is a Weighted Fair Queueing |
| 2168 |
algorithm which permits flows to share bandwidth according to |
2181 |
algorithm which permits flows to share bandwidth according to |
| 2169 |
their weights. Note that weights are not priorities; even a flow |
2182 |
their weights. |
|
|
2183 |
Note that weights are not priorities; even a flow |
| 2170 |
with a minuscule weight will never starve. |
2184 |
with a minuscule weight will never starve. |
| 2171 |
WF2Q+ has O(log N) per-packet processing cost, where N is the number |
2185 |
WF2Q+ has O(log N) per-packet processing cost, where N is the number |
| 2172 |
of flows, and is the default algorithm used by previous versions |
2186 |
of flows, and is the default algorithm used by previous versions |
|
Lines 2515-2521
|
| 2515 |
Defines the maximum number of chunks in an SCTP packet that will be parsed for a |
2529 |
Defines the maximum number of chunks in an SCTP packet that will be parsed for a |
| 2516 |
packet that matches an existing association. |
2530 |
packet that matches an existing association. |
| 2517 |
This value is enforced to be greater or equal than |
2531 |
This value is enforced to be greater or equal than |
| 2518 |
.Cm net.inet.ip.alias.sctp.initialising_chunk_proc_limit . |
2532 |
.Cm net.inet.ip.alias.sctp.initialising_chunk_proc_limit . |
| 2519 |
A high value is |
2533 |
A high value is |
| 2520 |
a DoS risk yet setting too low a value may result in important control chunks in |
2534 |
a DoS risk yet setting too low a value may result in important control chunks in |
| 2521 |
the packet not being located and parsed. |
2535 |
the packet not being located and parsed. |
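Review bot: "greater or equal than" at line 2531 should be "greater than or equal to". The hunk shows no textual difference on these lines, so if only whitespace or renumbering is involved here, this wording fix is a cheap addition.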
|
Lines 2595-2601
|
| 2595 |
As for other similar sysctl variables, larger values pose a DoS risk. |
2609 |
As for other similar sysctl variables, larger values pose a DoS risk. |
| 2596 |
.It Va net.inet.ip.alias.sctp.log_level: No 0 |
2610 |
.It Va net.inet.ip.alias.sctp.log_level: No 0 |
| 2597 |
Level of detail in the system log messages (0 \- minimal, 1 \- event, |
2611 |
Level of detail in the system log messages (0 \- minimal, 1 \- event, |
| 2598 |
2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug). May be a good |
2612 |
2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug). |
|
|
2613 |
May be a good |
| 2599 |
option in high loss environments. |
2614 |
option in high loss environments. |
| 2600 |
.It Va net.inet.ip.alias.sctp.shutdown_time: No 15 |
2615 |
.It Va net.inet.ip.alias.sctp.shutdown_time: No 15 |
| 2601 |
Timeout value while waiting for SHUTDOWN-COMPLETE. |
2616 |
Timeout value while waiting for SHUTDOWN-COMPLETE. |
|
Lines 2614-2620
|
| 2614 |
.El |
2629 |
.El |
| 2615 |
.Pp |
2630 |
.Pp |
| 2616 |
This variable is fully dynamic, the new value will be adopted for all newly |
2631 |
This variable is fully dynamic, the new value will be adopted for all newly |
| 2617 |
arriving associations, existing associations are treated as they were previously. |
2632 |
arriving associations, existing associations |
|
|
2633 |
are treated as they were previously. |
| 2618 |
Global tracking will decrease the number of collisions within the |
2634 |
Global tracking will decrease the number of collisions within the |
| 2619 |
.Nm nat |
2635 |
.Nm nat |
| 2620 |
at a cost |
2636 |
at a cost |
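Review bot: new lines 2631-2633 spread one comma-spliced sentence over three lines, but the value of one-sentence-per-line is that each line ends at a sentence boundary. "This variable is fully dynamic, the new value will be adopted for all newly arriving associations, existing associations are treated as they were previously." is really three sentences; split it as "This variable is fully dynamic." / "The new value will be adopted for all newly arriving associations." / "Existing associations are treated as they were previously."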
|
Lines 2622-2628
|
| 2622 |
.Nm nat |
2638 |
.Nm nat |
| 2623 |
state |
2639 |
state |
| 2624 |
problems in complex networks with multiple |
2640 |
problems in complex networks with multiple |
| 2625 |
.Nm nats . |
2641 |
.Nm nats . |
| 2626 |
We recommend not tracking |
2642 |
We recommend not tracking |
| 2627 |
global IP addresses, this will still result in a fully functional |
2643 |
global IP addresses, this will still result in a fully functional |
| 2628 |
.Nm nat . |
2644 |
.Nm nat . |
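Review bot: "We recommend not tracking global IP addresses, this will still result in a fully functional nat." (lines 2642-2644) is a comma splice; end the first sentence after "addresses" so that each sentence terminates a line, consistent with the rest of this reflow.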
|
Lines 3152-3159
|
| 3152 |
traffic shaper supported by Akamba Corp. |
3168 |
traffic shaper supported by Akamba Corp. |
| 3153 |
.Pp |
3169 |
.Pp |
| 3154 |
The ipfw core (ipfw2) has been completely redesigned and |
3170 |
The ipfw core (ipfw2) has been completely redesigned and |
| 3155 |
reimplemented by Luigi Rizzo in summer 2002. Further |
3171 |
reimplemented by Luigi Rizzo in summer 2002. |
| 3156 |
actions and |
3172 |
Further actions and |
| 3157 |
options have been added by various developer over the years. |
3173 |
options have been added by various developer over the years. |
| 3158 |
.Pp |
3174 |
.Pp |
| 3159 |
.An -nosplit |
3175 |
.An -nosplit |
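Review bot: "various developer" at line 3173 should be "various developers"; the neighbouring line 3172 is already modified by this hunk, so include the fix here.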