FreeBSD: alle ipfw “table” Kommandos

    No Comments

    Aufrufe: 471

    ipfw [set N] table name create create-options
    ipfw [set N] table {name | all} destroy
    ipfw [set N] table name modify modify-options
    ipfw [set N] table name swap name
    ipfw [set N] table name add table-key [value]
    ipfw [set N] table name add [table-key value ...]
    ipfw [set N] table name atomic add [table-key value ...]
    ipfw [set N] table name delete [table-key ...]
    ipfw [set N] table name lookup addr
    ipfw [set N] table name lock
    ipfw [set N] table name unlock
    ipfw [set N] table {name | all} list
    ipfw [set N] table {name | all} info
    ipfw [set N] table {name | all} detail
    ipfw [set N] table {name | all} flush
    create-option: type table-type | valtype value-mask
    | algo algo-desc | limit number | locked

    type Table key type.

    valtype Table value mask.

    algo Table algorithm to use (see below).

    limit Maximum number of items that may be inserted into table.

    locked Restrict any table modifications.

    Some of these options may be modified later via modify keyword. The
    following options can be changed:


    modify-option: limit number

    limit Alter maximum number of items that may be inserted into table.

    Additionally, table can be locked or unlocked using lock or unlock

    Tables of the same type can be swapped with each other using swap name
    command. Swap may fail if tables limits are set and data exchange would
    result in limits hit. Operation is performed atomically.

    One or more entries can be added to a table at once using add command.
    Addition of all items are performed atomically. By default, error in
    addition of one entry does not influence addition of other entries.
    However, non-zero error code is returned in that case. Special atomic
    keyword may be specified before add to indicate all-or-none add request.

    One or more entries can be removed from a table at once using delete
    command. By default, error in removal of one entry does not influence
    removing of other entries. However, non-zero error code is returned in
    that case.

    It may be possible to check what entry will be found on particular
    table-key using lookup table-key command. This functionality is optional
    and may be unsupported in some algorithms.

    The following operations can be performed on one or all tables:

    list List all entries.

    flush Removes all entries.

    info Shows generic table information.

    detail Shows generic table information and algo-specific data.

    The following lookup algorithms are supported:
    algo-desc: algo-name | algo-name algo-data
    algo-name: addr:radix | addr:hash | iface:array 
    | number:array | flow:hash

    Separate Radix trees for IPv4 and IPv6, the same way as the
    routing table (see route(4)). Default choice for addr type.

    Separate auto-growing hashes for IPv4 and IPv6. Accepts entries
    with the same mask length specified initially via addr:hash
    masks=/v4,/v6 algorithm creation options. Assume /32 and /128
    masks by default. Search removes host bits (according to mask)
    from supplied address and checks resulting key in appropriate
    hash. Mostly optimized for /64 and byte-ranged IPv6 masks.

    Array storing sorted indexes for entries which are presented in
    the system. Optimized for very fast lookup.

    Array storing sorted u32 numbers.

    Auto-growing hash storing flow entries. Search calculates hash
    on required packet fields and searches for matching entries in
    selected bucket.

    The tablearg feature provides the ability to use a value, looked up in
    the table, as the argument for a rule action, action parameter or rule
    option. This can significantly reduce number of rules in some
    configurations. If two tables are used in a rule, the result of the
    second (destination) is used.

    Each record may hold one or more values according to value-mask. This
    mask is set on table creation via valtype option. The following value
    types are supported:

    value-mask: value-type[,value-mask]
    value-type: skipto | pipe | fib | nat | dscp | tag | 
    divert | netgraph | limit | ipv4 | ipv6

    skipto rule number to jump to.

    pipe Pipe number to use.

    fib fib number to match/set.

    nat nat number to jump to.

    dscp dscp value to match/set.

    tag tag number to match/set.

    divert port number to divert traffic to.

    netgraph hook number to move packet to.

    limit maximum number of connections.

    ipv4 IPv4 nexthop to fwd packets to.

    ipv6 IPv6 nexthop to fwd packets to.

    The tablearg argument can be used with the following actions: nat, pipe,
    queue, divert, tee, netgraph, ngtee, fwd, skipto, setfib, action
    parameters: tag, untag, rule options: limit, tagged.

    When used with the skipto action, the user should be aware that the code
    will walk the ruleset up to a rule equal to, or past, the given number.

    See the EXAMPLES Section for example usage of tables and the tablearg

    Each rule or table belongs to one of 32 different sets , numbered 0 to
    31. Set 31 is reserved for the default rule.

    By default, rules or tables are put in set 0, unless you use the set N
    attribute when adding a new rule or table. Sets can be individually and
    atomically enabled or disabled, so this mechanism permits an easy way to
    store multiple configurations of the firewall and quickly (and
    atomically) switch between them.

    By default, tables from set 0 are referenced when adding rule with table
    opcodes regardless of rule set. This behavior can be changed by setting
    net.inet.ip.fw.tables_sets variable to 1. Rule’s set will then be used
    for table references.

    The command to enable/disable sets is

    ipfw set [disable number …] [enable number …]

    where multiple enable or disable sections can be specified. Command
    execution is atomic on all the sets specified in the command. By
    default, all sets are enabled.

    When you disable a set, its rules behave as if they do not exist in the
    firewall configuration, with only one exception:

    dynamic rules created from a rule before it had been disabled will
    still be active until they expire. In order to delete dynamic
    rules you have to explicitly delete the parent rule which generated

    The set number of rules can be changed with the command

    ipfw set move {rule rule-number | old-set} to new-set

    Also, you can atomically swap two rulesets with the command

    ipfw set swap first-set second-set

    EXAMPLES Section on some possible uses of sets of rules.
    In the following example, we need to create several traffic bandwidth
    classes and we need different hosts/networks to fall into different
    classes. We create one pipe for each class and configure them
    accordingly. Then we create a single table and fill it with IP subnets
    and addresses. For each subnet/host we set the argument equal to the
    number of the pipe that it should use. Then we classify traffic using a
    single rule:

    ipfw pipe 1 config bw 1000Kbyte/s
    ipfw pipe 4 config bw 4000Kbyte/s

    ipfw table T1 create type addr
    ipfw table T1 add 1
    ipfw table T1 add 4
    ipfw table T1 add 1

    ipfw add pipe tablearg ip from ‘table(T1)’ to any

    Using the fwd action, the table entries may include hostnames and IP

    ipfw table T2 create type addr ftype ip
    ipfw table T2 add
    ipfw table T21 add router1.dmz

    ipfw add 100 fwd tablearg ip from any to table(1)

    In the following example per-interface firewall is created:

    ipfw table IN create type iface valtype skipto,fib
    ipfw table IN add vlan20 12000,12
    ipfw table IN add vlan30 13000,13
    ipfw table OUT create type iface valtype skipto
    ipfw table OUT add vlan20 22000
    ipfw table OUT add vlan30 23000
    ipfw add 100 setfib tablearg ip from any to any recv ‘table(IN)’ in
    ipfw add 200 skipto tablearg ip from any to any recv ‘table(IN)’ in
    ipfw add 300 skipto tablearg ip from any to any xmit ‘table(OUT)’

    The following example illustrate usage of flow tables:

    ipfw table fl create type flow:src-ip,proto,dst-ip,dst-port
    ipfw table fl add 2a02:6b8:77::88,tcp,2a02:6b8:77::99,80 11
    ipfw table fl add,udp,,53 12
    ipfw add 100 allow ip from any to any flow ‘table(fl,11)’ recv ix0

    To add a set of rules atomically, e.g. set 18:

    ipfw set disable 18
    ipfw add NN set 18 … # repeat as needed
    ipfw set enable 18

    To delete a set of rules atomically the command is simply:

    ipfw delete set 18

    To test a ruleset and disable it and regain control if something goes

    ipfw set disable 18
    ipfw add NN set 18 … # repeat as needed
    ipfw set enable 18; echo done; sleep 30 && ipfw set disable 18

    Here if everything goes well, you press control-C before the “sleep”
    terminates, and your ruleset will be left active. Otherwise, e.g. if you
    cannot access your box, the ruleset will be disabled after the sleep
    terminates thus restoring the previous situation.

    To show rules of the specific set:

    ipfw set 18 show

    To show rules of the disabled set:

    ipfw -S set 18 show

    To clear a specific rule counters of the specific set:

    ipfw set 18 zero NN

    To delete a specific rule of the specific set:

    ipfw set 18 delete NN

    Categories: News

    Schreibe einen Kommentar