FreeBSD: alle ipfw “table” Kommandos

No Comments

Aufrufe: 367

LOOKUP TABLES
ipfw [set N] table name create create-options
ipfw [set N] table {name | all} destroy
ipfw [set N] table name modify modify-options
ipfw [set N] table name swap name
ipfw [set N] table name add table-key [value]
ipfw [set N] table name add [table-key value ...]
ipfw [set N] table name atomic add [table-key value ...]
ipfw [set N] table name delete [table-key ...]
ipfw [set N] table name lookup addr
ipfw [set N] table name lock
ipfw [set N] table name unlock
ipfw [set N] table {name | all} list
ipfw [set N] table {name | all} info
ipfw [set N] table {name | all} detail
ipfw [set N] table {name | all} flush
create-option: type table-type | valtype value-mask
| algo algo-desc | limit number | locked

type Table key type.

valtype Table value mask.

algo Table algorithm to use (see below).

limit Maximum number of items that may be inserted into table.

locked Restrict any table modifications.

Some of these options may be modified later via modify keyword. The
following options can be changed:

modify-options:

modify-option: limit number

limit Alter maximum number of items that may be inserted into table.

Additionally, table can be locked or unlocked using lock or unlock
commands.

Tables of the same type can be swapped with each other using swap name
command. Swap may fail if tables limits are set and data exchange would
result in limits hit. Operation is performed atomically.

One or more entries can be added to a table at once using add command.
Addition of all items are performed atomically. By default, error in
addition of one entry does not influence addition of other entries.
However, non-zero error code is returned in that case. Special atomic
keyword may be specified before add to indicate all-or-none add request.

One or more entries can be removed from a table at once using delete
command. By default, error in removal of one entry does not influence
removing of other entries. However, non-zero error code is returned in
that case.

It may be possible to check what entry will be found on particular
table-key using lookup table-key command. This functionality is optional
and may be unsupported in some algorithms.

The following operations can be performed on one or all tables:

list List all entries.

flush Removes all entries.

info Shows generic table information.

detail Shows generic table information and algo-specific data.

The following lookup algorithms are supported:

algo-desc: algo-name | algo-name algo-data

algo-name: addr:radix | addr:hash | iface:array 
| number:array | flow:hash

addr:radix
Separate Radix trees for IPv4 and IPv6, the same way as the
routing table (see route(4)). Default choice for addr type.

addr:hash
Separate auto-growing hashes for IPv4 and IPv6. Accepts entries
with the same mask length specified initially via addr:hash
masks=/v4,/v6 algorithm creation options. Assume /32 and /128
masks by default. Search removes host bits (according to mask)
from supplied address and checks resulting key in appropriate
hash. Mostly optimized for /64 and byte-ranged IPv6 masks.

iface:array
Array storing sorted indexes for entries which are presented in
the system. Optimized for very fast lookup.

number:array
Array storing sorted u32 numbers.

flow:hash
Auto-growing hash storing flow entries. Search calculates hash
on required packet fields and searches for matching entries in
selected bucket.

The tablearg feature provides the ability to use a value, looked up in
the table, as the argument for a rule action, action parameter or rule
option. This can significantly reduce number of rules in some
configurations. If two tables are used in a rule, the result of the
second (destination) is used.

Each record may hold one or more values according to value-mask. This
mask is set on table creation via valtype option. The following value
types are supported:

value-mask: value-type[,value-mask]

value-type: skipto | pipe | fib | nat | dscp | tag | 
divert | netgraph | limit | ipv4 | ipv6

skipto rule number to jump to.

pipe Pipe number to use.

fib fib number to match/set.

nat nat number to jump to.

dscp dscp value to match/set.

tag tag number to match/set.

divert port number to divert traffic to.

netgraph hook number to move packet to.

limit maximum number of connections.

ipv4 IPv4 nexthop to fwd packets to.

ipv6 IPv6 nexthop to fwd packets to.

The tablearg argument can be used with the following actions: nat, pipe,
queue, divert, tee, netgraph, ngtee, fwd, skipto, setfib, action
parameters: tag, untag, rule options: limit, tagged.

When used with the skipto action, the user should be aware that the code
will walk the ruleset up to a rule equal to, or past, the given number.

See the EXAMPLES Section for example usage of tables and the tablearg
keyword.

SETS OF RULES
Each rule or table belongs to one of 32 different sets , numbered 0 to
31. Set 31 is reserved for the default rule.

By default, rules or tables are put in set 0, unless you use the set N
attribute when adding a new rule or table. Sets can be individually and
atomically enabled or disabled, so this mechanism permits an easy way to
store multiple configurations of the firewall and quickly (and
atomically) switch between them.

By default, tables from set 0 are referenced when adding rule with table
opcodes regardless of rule set. This behavior can be changed by setting
net.inet.ip.fw.tables_sets variable to 1. Rule’s set will then be used
for table references.

The command to enable/disable sets is

ipfw set [disable number …] [enable number …]

where multiple enable or disable sections can be specified. Command
execution is atomic on all the sets specified in the command. By
default, all sets are enabled.

When you disable a set, its rules behave as if they do not exist in the
firewall configuration, with only one exception:

dynamic rules created from a rule before it had been disabled will
still be active until they expire. In order to delete dynamic
rules you have to explicitly delete the parent rule which generated
them.

The set number of rules can be changed with the command

ipfw set move {rule rule-number | old-set} to new-set

Also, you can atomically swap two rulesets with the command

ipfw set swap first-set second-set

EXAMPLES Section on some possible uses of sets of rules.
LOOKUP TABLES
In the following example, we need to create several traffic bandwidth
classes and we need different hosts/networks to fall into different
classes. We create one pipe for each class and configure them
accordingly. Then we create a single table and fill it with IP subnets
and addresses. For each subnet/host we set the argument equal to the
number of the pipe that it should use. Then we classify traffic using a
single rule:

ipfw pipe 1 config bw 1000Kbyte/s
ipfw pipe 4 config bw 4000Kbyte/s

ipfw table T1 create type addr
ipfw table T1 add 192.168.2.0/24 1
ipfw table T1 add 192.168.0.0/27 4
ipfw table T1 add 192.168.0.2 1

ipfw add pipe tablearg ip from ‘table(T1)’ to any

Using the fwd action, the table entries may include hostnames and IP
addresses.

ipfw table T2 create type addr ftype ip
ipfw table T2 add 192.168.2.0/24 10.23.2.1
ipfw table T21 add 192.168.0.0/27 router1.dmz

ipfw add 100 fwd tablearg ip from any to table(1)

In the following example per-interface firewall is created:

ipfw table IN create type iface valtype skipto,fib
ipfw table IN add vlan20 12000,12
ipfw table IN add vlan30 13000,13
ipfw table OUT create type iface valtype skipto
ipfw table OUT add vlan20 22000
ipfw table OUT add vlan30 23000
..
ipfw add 100 setfib tablearg ip from any to any recv ‘table(IN)’ in
ipfw add 200 skipto tablearg ip from any to any recv ‘table(IN)’ in
ipfw add 300 skipto tablearg ip from any to any xmit ‘table(OUT)’
out

The following example illustrate usage of flow tables:

ipfw table fl create type flow:src-ip,proto,dst-ip,dst-port
ipfw table fl add 2a02:6b8:77::88,tcp,2a02:6b8:77::99,80 11
ipfw table fl add 10.0.0.1,udp,10.0.0.2,53 12
..
ipfw add 100 allow ip from any to any flow ‘table(fl,11)’ recv ix0

SETS OF RULES
To add a set of rules atomically, e.g. set 18:

ipfw set disable 18
ipfw add NN set 18 … # repeat as needed
ipfw set enable 18

To delete a set of rules atomically the command is simply:

ipfw delete set 18

To test a ruleset and disable it and regain control if something goes
wrong:

ipfw set disable 18
ipfw add NN set 18 … # repeat as needed
ipfw set enable 18; echo done; sleep 30 && ipfw set disable 18

Here if everything goes well, you press control-C before the “sleep”
terminates, and your ruleset will be left active. Otherwise, e.g. if you
cannot access your box, the ruleset will be disabled after the sleep
terminates thus restoring the previous situation.

To show rules of the specific set:

ipfw set 18 show

To show rules of the disabled set:

ipfw -S set 18 show

To clear a specific rule counters of the specific set:

ipfw set 18 zero NN

To delete a specific rule of the specific set:

ipfw set 18 delete NN

Categories: News

Schreibe einen Kommentar