svn commit: r190026 - head/sbin/ipfw

Christian Brueffer brueffer at FreeBSD.org
Thu Mar 19 03:42:08 PDT 2009


Author: brueffer
Date: Thu Mar 19 10:42:07 2009
New Revision: 190026
URL: http://svn.freebsd.org/changeset/base/190026

Log:
  Mdoc style, spelling, grammar and wording fixes. This manpage needs more work.

Modified:
  head/sbin/ipfw/ipfw.8

Modified: head/sbin/ipfw/ipfw.8
==============================================================================
--- head/sbin/ipfw/ipfw.8	Thu Mar 19 10:32:25 2009	(r190025)
+++ head/sbin/ipfw/ipfw.8	Thu Mar 19 10:42:07 2009	(r190026)
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd September 27, 2008
+.Dd February 7, 2009
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -606,10 +606,10 @@ To delete previously applied tag, use th
 keyword.
 .Pp
 Note: since tags are kept with the packet everywhere in kernelspace,
-they can be set and unset anywhere in kernel network subsystem
-(using
+they can be set and unset anywhere in the kernel network subsystem
+(using the
 .Xr mbuf_tags 9
-facility), not only by means of
+facility), not only by means of the
 .Xr ipfw 4
 .Cm tag
 and
@@ -862,8 +862,8 @@ actions.
 .It Cm setfib Ar fibnum
 The packet is tagged so as to use the FIB (routing table)
 .Ar fibnum
-in any subsequent forwarding decisions. Initially this is
-limited to the values  0 through 15. See 
+in any subsequent forwarding decisions.
+Initially this is limited to the values 0 through 15, see
 .Xr setfib 8 .
 Processing continues at the next rule.
 .El
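Review bot: "Initially this is limited to the values 0 through 15, see" joins two clauses with a comma and leaves the cross-reference dangling at the end of the line; since the rest of this commit moves to one sentence per line, prefer "Initially this is limited to the values 0 through 15." followed by "See" and `.Xr setfib 8 .` on their own lines.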
@@ -1166,7 +1166,7 @@ Destination options
 .Pq Cm dstopt ,
 IPSec authentication headers
 .Pq Cm ah ,
-and IPSec encapsulated security payload headers
+and IPsec encapsulated security payload headers
 .Pq Cm esp .
 .It Cm fib Ar fibnum
 Matches a packet that has been tagged to use
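Review bot: The spelling fix to "IPsec" on the ESP line leaves the unchanged context line two lines above still reading "IPSec authentication headers"; change both occurrences in this paragraph so the protocol name is spelled consistently.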
@@ -1835,13 +1835,12 @@ A pipe emulates a link with given bandwi
 queue size and packet loss rate.
 Packets are queued in front of the pipe as they come out from the classifier,
 and then transferred to the pipe according to the pipe's parameters.
-.Pp
 .It Em queue
 A queue
 is an abstraction used to implement the WF2Q+
 (Worst-case Fair Weighted Fair Queueing) policy, which is
 an efficient variant of the WFQ policy.
-.br
+.Pp
 The queue associates a
 .Em weight
 and a reference pipe to each flow, and then all backlogged (i.e.,
@@ -1850,8 +1849,8 @@ bandwidth proportionally to their weight
 Note that weights are not priorities; a flow with a lower weight
 is still guaranteed to get its fraction of the bandwidth even if a
 flow with a higher weight is permanently backlogged.
-.Pp
 .El
+.Pp
 In practice,
 .Em pipes
 can be used to set hard limits to the bandwidth that a flow can use, whereas
@@ -2101,7 +2100,7 @@ If you are logged in over a network, loa
 version of
 .Nm
 is probably not as straightforward as you would think.
-I recommend the following command line:
+The following command line is recommended:
 .Bd -literal -offset indent
 kldload ipfw && \e
 ipfw add 32000 allow ip from any to any
@@ -2141,14 +2140,13 @@ The nat configuration command is the fol
 .Ek
 .Ed
 .Pp
-.
 The following parameters can be configured:
 .Bl -tag -width indent
 .It Cm ip Ar ip_address
 Define an ip address to use for aliasing.
 .It Cm if Ar nic
-Use ip addres of NIC for aliasing, dynamically changing
-it if NIC's ip address change.
+Use ip address of NIC for aliasing, dynamically changing
+it if NIC's ip address changes.
 .It Cm log
 Enable logging on this nat instance.
 .It Cm deny_in
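Review bot: Both the changed lines ("Use ip address of NIC ...", "NIC's ip address changes") and the unchanged context line "Define an ip address to use for aliasing." write "ip" in lower case; the manpage otherwise refers to "IP" addresses, so capitalize it in all three places while touching this paragraph.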
@@ -2171,27 +2169,26 @@ To let the packet continue after being (
 .Va net.inet.ip.fw.one_pass 
 to 0.
 For more information about aliasing modes, refer to
-.Xr libalias 3
-.
+.Xr libalias 3 .
 See Section
 .Sx EXAMPLES
 for some examples about nat usage.
 .Sh REDIRECT AND LSNAT SUPPORT IN IPFW
 Redirect and LSNAT support follow closely the syntax used in
-.Xr natd 8
-. 
+.Xr natd 8 . 
 See Section
 .Sx EXAMPLES
 for some examples on how to do redirect and lsnat.
 .Sh SCTP NAT SUPPORT
-Sctp nat can be configured in a simillar manner to TCP through the
-ipfw command line tool
-.Xr ipfw 8
-, the main difference is that 
+SCTP nat can be configured in a similar manner to TCP through the
+.Nm
+command line tool.
+The main difference is that 
 .Nm sctp nat 
-does not do port
-translation. Since the local and global side ports will be the same,
-there is no need to specify both. Ports are redirected as follows:
+does not do port translation.
+Since the local and global side ports will be the same,
+there is no need to specify both.
+Ports are redirected as follows:
 .Bd -ragged -offset indent
 .Bk -words
 .Cm nat 
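Review bot: Several added lines carry trailing whitespace, e.g. `+.Xr natd 8 . `, `+The main difference is that ` and the context line `.Nm sctp nat `; mdoc treats trailing spaces as harmless but they are a style nit that a later mdoc cleanup will have to redo, so strip them now. Also note that `.Nm sctp nat` is not a program name; since the same construct is kept in the next hunk, consider whether `.Cm` (command keyword) or plain text is the intended markup.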
@@ -2203,15 +2200,16 @@ there is no need to specify both. Ports 
 .Ek
 .Ed
 .Pp
-.
 Most
-.B sctp nat
+.Nm sctp nat
 configuration can be done in real-time through the
-.B sysctl(8)
-interface. All may be changed dynamically, though the hash_table size will only
-change for new 
-.Nm nat 
-instances. See 
+.Xr sysctl 8
+interface.
+All may be changed dynamically, though the hash_table size will only
+change for new
+.Nm nat
+instances.
+See
 .Sx SYSCTL VARIABLES 
 for more info.
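Review bot: The context line `.Sx SYSCTL VARIABLES ` still ends in a trailing space, and "hash_table size" is an identifier in prose without markup; consider `.Va hash_table` or wording it as "the hash table size" so it matches the `.Nm hash table` phrasing used in the sysctl section below.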
 .Sh SYSCTL VARIABLES
@@ -2238,22 +2236,23 @@ ports and vtags match but global address
 will accept and process all OOTB global AddIP messages.
 .El
 .Pp
-Option 1 should never be selected as this forms a security risk. An attacker can
+Option 1 should never be selected as this forms a security risk.
+An attacker can
 establish multiple fake associations by sending AddIP messages.
 .It Va net.inet.ip.alias.sctp.chunk_proc_limit: No 5
 Defines the maximum number of chunks in an SCTP packet that will be parsed for a
-packet that matches an existing association. This value is enforced to be greater or equal
-than 
+packet that matches an existing association.
+This value is enforced to be greater or equal than 
 .Cm net.inet.ip.alias.sctp.initialising_chunk_proc_limit . 
 A high value is
 a DoS risk yet setting too low a value may result in important control chunks in
 the packet not being located and parsed.
 .It Va net.inet.ip.alias.sctp.error_on_ootb: No 1
-Defines when the 
+Defines when the
 .Nm nat 
-responds to any Out-of-the-Blue (OOTB) packets with ErrorM
-packets. An OOTB packet is a packet that arrives with no existing association
-registered in the 
+responds to any Out-of-the-Blue (OOTB) packets with ErrorM packets.
+An OOTB packet is a packet that arrives with no existing association
+registered in the
 .Nm nat 
 and is not an INIT or ASCONF-AddIP packet:
 .Bl -tag -width indent
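Review bot: "This value is enforced to be greater or equal than" is still ungrammatical after the reflow; the correct form is "greater than or equal to". The same two added lines also end in trailing spaces (`than ` and `initialising_chunk_proc_limit . `), which should be trimmed.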
@@ -2263,8 +2262,8 @@ ErrorM is never sent in response to OOTB
 ErrorM is only sent to OOTB packets received on the local side.
 .It Cm 2
 ErrorM is sent to the local side and on the global side ONLY if there is a
-partial match (ports and vtags match but the source global IP does not). This
-value is only useful if the 
+partial match (ports and vtags match but the source global IP does not).
+This value is only useful if the 
 .Nm nat 
 is tracking global IP addresses.
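Review bot: The added line `+This value is only useful if the ` ends with a trailing space; trim it, as the diff does for the other reflowed sentences in this section.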
 .It Cm 3
@@ -2273,20 +2272,21 @@ ErrorM is sent in response to all OOTB p
 .El
 .Pp
 At the moment the default is 0, since the ErrorM packet is not yet
-supported by most SCTP stacks. When it is supported, and if not tracking
+supported by most SCTP stacks.
+When it is supported, and if not tracking
 global addresses, we recommend setting this value to 1 to allow
 multi-homed local hosts to function with the 
 .Nm nat .
 To track global addresses, we recommend setting this value to 2 to
 allow global hosts to be informed when they need to (re)send an
-ASCONF-AddIP. Value 3 should never be chosen (except for debugging) as
-the
+ASCONF-AddIP.
+Value 3 should never be chosen (except for debugging) as the
 .Nm nat 
 will respond to all OOTB global packets (a DoS risk).
 .It Va net.inet.ip.alias.sctp.hashtable_size: No 2003
 Size of hash tables used for 
 .Nm nat 
-lookups (100 < prime_number > 1000001)
+lookups (100 < prime_number > 1000001).
 This value sets the 
 .Nm hash table 
 size for any future created 
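Review bot: The range "(100 < prime_number > 1000001)" is malformed: as written it says prime_number is greater than both bounds. Since the commit touches this line anyway to add the period, fix the inequality to "(100 < prime_number < 1000001)" so it actually expresses a lower and an upper bound.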
@@ -2294,26 +2294,33 @@ size for any future created 
 instance and therefore must be set prior to creating a 
 .Nm nat 
 instance.
-The table sizes my be changed to suit specific needs. If there will be few
-concurrent associations, and memory is scarce, you may make these smaller.  If
-there will be many thousands (or millions) of concurrent associations, you
-should make these larger. A prime number is best for the table size. The sysctl
+The table sizes may be changed to suit specific needs.
+If there will be few
+concurrent associations, and memory is scarce, you may make these smaller.
+If there will be many thousands (or millions) of concurrent associations, you
+should make these larger.
+A prime number is best for the table size.
+The sysctl
 update function will adjust your input value to the next highest prime number.
 .It Va net.inet.ip.alias.sctp.holddown_time:  No 0
 Hold association in table for this many seconds after receiving a
-SHUTDOWN-COMPLETE.  This allows endpoints to correct shutdown gracefully if a
+SHUTDOWN-COMPLETE.
+This allows endpoints to correct shutdown gracefully if a
 shutdown_complete is lost and retransmissions are required.
 .It Va net.inet.ip.alias.sctp.init_timer: No 15
 Timeout value while waiting for (INIT-ACK|AddIP-ACK).
 This value cannot be 0.
 .It Va net.inet.ip.alias.sctp.initialising_chunk_proc_limit: No 2
 Defines the maximum number of chunks in an SCTP packet that will be parsed when
-no existing association exists that matches that packet. Ideally this packet
-will only be an INIT or ASCONF-AddIP packet. A higher value may become a DoS
+no existing association exists that matches that packet.
+Ideally this packet
+will only be an INIT or ASCONF-AddIP packet.
+A higher value may become a DoS
 risk as malformed packets can consume processing resources.
 .It Va net.inet.ip.alias.sctp.param_proc_limit: No 25
 Defines the maximum number of parameters within a chunk that will be parsed in a
-packet. As for other similar sysctl variables, larger values pose a DoS risk.
+packet.
+As for other similar sysctl variables, larger values pose a DoS risk.
 .It Va net.inet.ip.alias.sctp.log_level: No 0 
 Level of detail in the system log messages (0 \- minimal, 1 \- event,
 2 \- info, 3 \- detail, 4 \- debug, 5 \- max debug). May be a good
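Review bot: The sentence "May be a good ..." begins mid-line after "5 \- max debug)." in the unchanged context at the end of this hunk, which is exactly the one-sentence-per-line violation the rest of the hunk fixes; break it onto its own line for consistency. The context line `.It Va net.inet.ip.alias.sctp.holddown_time:  No 0` also has a doubled space before `No`.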
@@ -2335,7 +2342,7 @@ association is limited to this value
 .El
 .Pp
 This variable is fully dynamic, the new value will be adopted for all newly
-arriving associations, existing association are treated as they were previously.
+arriving associations, existing associations are treated as they were previously.
 Global tracking will decrease the number of collisions within the 
 .Nm nat 
 at a cost
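Review bot: The fixed line still contains a comma splice: "This variable is fully dynamic, the new value will be adopted ... , existing associations are treated as they were previously." Split it into separate sentences on separate lines ("This variable is fully dynamic." / "The new value will be adopted for all newly arriving associations." / "Existing associations are treated as they were previously."), matching the style applied elsewhere in this commit.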
@@ -2552,10 +2559,10 @@ by adding the following to the top of a 
 This rule drops all incoming packets that appear to be coming from another
 directly connected system but on the wrong interface.
 For example, a packet with a source address of
-.Li 192.168.0.0/24
-, configured on
-.Li fxp0
-, but coming in on
+.Li 192.168.0.0/24 ,
+configured on
+.Li fxp0 ,
+but coming in on
 .Li fxp1
 would be dropped.
 .Ss DYNAMIC RULES
@@ -2875,14 +2882,13 @@ Work on
 .Nm dummynet
 traffic shaper supported by Akamba Corp.
 .Pp
-Sctp
+SCTP
 .Nm nat
 support has been developed by
 .An The Centre for Advanced Internet Architectures (CAIA) Aq http://www.caia.swin.edu.au .
 The primary developers and maintainers are David Hayes and Jason But.
 For further information visit:
 .Aq http://www.caia.swin.edu.au/urp/SONATA
-.
 .Sh BUGS
 The syntax has grown over the years and sometimes it might be confusing.
 Unfortunately, backward compatibility prevents cleaning up mistakes
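Review bot: Removing the lone `.` line drops the period that closed "For further information visit: <URL>", so the sentence now ends without punctuation. Use the same fix applied earlier in this diff for `.Xr libalias 3 .` and pass the period as a trailing argument: `.Aq http://www.caia.swin.edu.au/urp/SONATA .`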
@@ -2933,8 +2939,8 @@ or quoted appropriately.
 .Pp
 Due to the architecture of 
 .Xr libalias 3 , 
-ipfw nat is not compatible with the tcp segmentation offloading
-(TSO). Thus, to reliably nat your network traffic, please disable TSO
+ipfw nat is not compatible with the TCP segmentation offloading (TSO).
+Thus, to reliably nat your network traffic, please disable TSO
 on your NICs using
 .Xr ifconfig 8 .
 .Pp