--- /var/current/mysrc/sbin/ipfw/ipfw.8.orig 2008-12-21 15:28:57.000000000 +0800 +++ /var/current/mysrc/sbin/ipfw/ipfw.8 2009-01-03 23:08:02.000000000 +0800 @@ -56,6 +56,15 @@ .Cm table .Brq Ar number | all .Cm list +.Nm +.Cm port_table Ar number Cm add Ar low_port Ns Oo "{-| }" Ns high_port Oc +.Op Ar value +.Nm +.Cm port_table Ar number Cm delete Ar low_port +.Nm +.Cm port_table Ar number Cm flush +.Nm +.Cm port_table Ar number Cm list .Pp .Nm .Brq Cm pipe | queue @@ -1069,7 +1078,9 @@ .Pp No support for sets of IPv6 addresses is provided because IPv6 addresses are typically random past the initial prefix. -.It Ar ports : Bro Ar port | port Ns \&- Ns Ar port Ns Brc Ns Op , Ns Ar ports +.It Ar ports : Bro Ar port | port Ns \&- Ns Ar port | +.Cm port_table Ns Pq Ar number Ns Op , Ns Ar value Ns +.Ns Brc Ns Op , Ns Ar ports For protocols which support port numbers (such as TCP and UDP), optional .Cm ports may be specified as one or more ports or port ranges, separated @@ -1106,6 +1117,16 @@ See the .Cm frag option for details on matching fragmented packets. +.It Cm port_table Ns Pq Ar number Ns Op , Ns Ar value +Matches any port for which an entry exists (there can be port +ranges) in the port lookup table +.Ar number . +If an optional 32-bit unsigned +.Ar value +is also specified, an entry will match only if it has this value. +See the +.Sx PORT LOOKUP TABLES +section below for more information on port lookup tables. .El .Ss RULE OPTIONS (MATCH PATTERNS) Additional match patterns can be used within 
@@ -1657,6 +1678,36 @@ action, the user should be aware that the code will walk the ruleset up to a rule equal to, or past, the given number, and should therefore try keep the ruleset compact between the skipto and the target rules. +.Sh PORT LOOKUP TABLES +Port lookup tables are useful to handle many ports. +There may be up to 128 different port lookup tables, numbered 0 to 127 +and each port table can have up to 128 different ports or ranges of ports. +.Pp +Each entry is represented by an +.Ar low_port , Ar high_port +and will match all ports within the +.Ar low_port , Ar high_port +ranges. +When looking up a port in a port table, the most specific +entry will match. +Associated with each entry is a 32-bit unsigned +.Ar value , +which can optionally be checked by a rule matching code. +When adding an entry, if +.Ar value +is not specified, it defaults to 0. +.Pp +An entry can be added to a port table +.Pq Cm add , +removed from a port table +.Pq Cm delete , +a port table can be examined +.Pq Cm list +or flushed +.Pq Cm flush . +.Pp +Internally, each port table is stored in an array. +.Pp .Sh SETS OF RULES Each rule belongs to one of 32 different .Em sets @@ -2582,6 +2633,19 @@ .Dl "ipfw table 1 add 192.168.0.0/27 router1.dmz" .Dl "..." .Dl "ipfw add 100 fwd tablearg ip from any to table(1)" +.Ss PORT LOOKUP TABLES +In the following example, we create a single port table and fill it with +ports we want to deny (or allow) access to. Then we add some rules: +.Pp +.Dl "ipfw port_table 1 add 135-138 1" +.Dl "ipfw port_table 1 add 445 445 1" +.Dl "ipfw port_table 1 add 6000 6010 2" +.Dl "ipfw port_table 1 add 25" +.Dl "ipfw port_table 1 add 80" +.Dl "..." +.Dl "ipfw add deny all from any to any port_table(1,1)" +.Dl "ipfw add deny all from any to 192.168.2.0/24 port_table(1,2)" +.Dl "ipfw add pass all from any to any port_table(1,0)" .Ss SETS OF RULES To add a set of rules atomically, e.g.\& set 18: .Pp
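Review bot: in the synopsis hunk, `high_port` in `.Cm port_table Ar number Cm add Ar low_port Ns Oo "{-| }" Ns high_port Oc` is not wrapped in `Ar`, so it renders as literal text while `low_port` is italicised; mark it `Ar high_port`. The quoted `"{-| }"` is pseudo-syntax mdoc cannot render as a choice; spell out the accepted forms instead, e.g. `Ar low_port Ns Op Cm - Ns Ar high_port`, and say in the text that a space may separate the two ports, as the `445 445` example does. The `delete` line takes only `Ar low_port`: the PORT LOOKUP TABLES section should state how that identifies an entry when two ranges in the same table start at the same port.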
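Review bot: the rewritten `ports` grammar doubles the no-space macro: the second line ends in `Ns` and the third begins with `.Ns Brc`, so one of them is redundant. Drop the trailing `Ns` from `.Cm port_table Ns Pq Ar number Ns Op , Ns Ar value Ns` and keep `.Ns Brc Ns Op , Ns Ar ports`, or merge the two lines. The grammar as written also allows a `port_table(...)` term mixed with literal ports in one comma-separated list (`80,port_table(1)`); if the parser does not accept that, the new `.It Cm port_table` description should say so.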
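Review bot: the new `.It Cm port_table` description leaves the interaction between `value` and overlapping ranges undefined. PORT LOOKUP TABLES says the most specific entry wins, but `an entry will match only if it has this value` reads as if any entry containing the port with that value would do. State whether the value is compared against the most specific matching entry only (so a narrower range with a different value hides a wider one), since a ruleset that relies on `port_table(1,0)` to pass and `port_table(1,1)` to deny behaves differently under the two readings. The parenthetical `(there can be port ranges)` is awkward; `an entry (a single port or a range of ports)` says the same thing.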
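Review bot: in the PORT LOOKUP TABLES section, `checked by a rule matching code` should read `checked by the rule-matching code`, and the opening sentence `Port lookup tables are useful to handle many ports.` says little; state the purpose (a single rule matches any of many ports or ranges instead of one rule per port, with the per-entry value selecting among rules). The entry description repeats `.Ar low_port , Ar high_port` twice; `Each entry is a range .Ar low_port Ns - Ns Ar high_port and matches every port in that range, inclusive` is clearer, and it should add that a single-port `add` (as in `add 25`) is a range with both ends equal. Two limits are given (128 tables, 128 entries per table) but not what `add` does when a table is full or when the new entry duplicates or overlaps an existing one; document the resulting error. `Internally, each port table is stored in an array.` should say what that means for lookup, e.g. whether the array is kept sorted or scanned linearly, since a table may hold 128 entries and is consulted per packet.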
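Review bot: the EXAMPLES hunk would be easier to follow if the lead sentence stated what each value means: entries with value 1 (135-138, 445) are denied everywhere, value 2 (6000-6010) is denied only towards 192.168.2.0/24, and the entries added without a value (25, 80) default to 0 and are passed by the last rule; `ports we want to deny (or allow) access to` does not convey that. It is also worth noting there that `port_table(1,0)` and `port_table(1)` differ: the former matches only the default-value entries, the latter every entry in the table. One `add` line uses the dash form (`135-138`) and two use the space form (`445 445`, `6000 6010`); either pick one form for the example or say both are accepted.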