CVS commit: src/usr.sbin/npf/npfctl

2023-09-14 Thread Roland Illig
Module Name:src
Committed By:   rillig
Date:   Thu Sep 14 20:03:56 UTC 2023

Modified Files:
src/usr.sbin/npf/npfctl: Makefile

Log Message:
npfctl: remove no-op NOLINT definition

Setting NOLINT must be done before the first .include directive at the top of
the Makefile to have an effect (the included file's name was lost in this
archive's angle-bracket stripping).


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/usr.sbin/npf/npfctl/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/Makefile
diff -u src/usr.sbin/npf/npfctl/Makefile:1.15 src/usr.sbin/npf/npfctl/Makefile:1.16
--- src/usr.sbin/npf/npfctl/Makefile:1.15	Sat May 30 14:16:56 2020
+++ src/usr.sbin/npf/npfctl/Makefile	Thu Sep 14 20:03:56 2023
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.15 2020/05/30 14:16:56 rmind Exp $
+# $NetBSD: Makefile,v 1.16 2023/09/14 20:03:56 rillig Exp $
 
 .include 
 
@@ -17,6 +17,5 @@ LDADD+=		-lnpf -lpcap -lutil -ly
 DPADD+=		${LIBNPF} ${LIBUTIL} ${LIBPCAP} ${LIBUTIL} ${LIBY}
 
 WARNS=		5
-NOLINT=		# disabled deliberately
 
 .include 



CVS commit: src/usr.sbin/npf/npfctl

2023-09-14 Thread Roland Illig
Module Name:src
Committed By:   rillig
Date:   Thu Sep 14 20:03:56 UTC 2023

Modified Files:
src/usr.sbin/npf/npfctl: Makefile

Log Message:
npfctl: remove no-op NOLINT definition

Setting NOLINT must be done before the first .include directive at the top of
the Makefile to have an effect (the included file's name was lost in this
archive's angle-bracket stripping).


To generate a diff of this commit:
cvs rdiff -u -r1.15 -r1.16 src/usr.sbin/npf/npfctl/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2023-08-18 Thread Tobias Nygren
Module Name:src
Committed By:   tnn
Date:   Fri Aug 18 14:26:50 UTC 2023

Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c

Log Message:
npfctl: adapt to new libpcap API


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.56 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2023-08-18 Thread Tobias Nygren
Module Name:src
Committed By:   tnn
Date:   Fri Aug 18 14:26:50 UTC 2023

Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c

Log Message:
npfctl: adapt to new libpcap API


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.56 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.55 src/usr.sbin/npf/npfctl/npf_build.c:1.56
--- src/usr.sbin/npf/npfctl/npf_build.c:1.55	Sat May 30 14:16:56 2020
+++ src/usr.sbin/npf/npfctl/npf_build.c	Fri Aug 18 14:26:50 2023
@@ -32,7 +32,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_build.c,v 1.55 2020/05/30 14:16:56 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.56 2023/08/18 14:26:50 tnn Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -530,8 +530,14 @@ npfctl_build_pcap(nl_rule_t *rl, const c
 	const size_t maxsnaplen = 64 * 1024;
 	struct bpf_program bf;
 	size_t len;
+	pcap_t *pd;
 
-	if (pcap_compile_nopcap(maxsnaplen, DLT_RAW, ,
+	pd = pcap_open_dead(DLT_RAW, maxsnaplen);
+	if (pd == NULL) {
+		err(EXIT_FAILURE, "pcap_open_dead");
+	}
+
+	if (pcap_compile(pd, ,
 	filter, 1, PCAP_NETMASK_UNKNOWN) == -1) {
 		yyerror("invalid pcap-filter(7) syntax");
 	}
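Review bot: The error branch at `yyerror("invalid pcap-filter(7) syntax")` discards the reason libpcap gives for rejecting the expression, even though the new `pd` handle makes it available; with `pcap_compile_nopcap()` there was no handle to query, so this is the natural moment to add it: `yyerror("invalid pcap-filter(7) syntax: %s", pcap_geterr(pd));`. The libpcap text names the offending token, which matters when the filter string comes from an operator's npf.conf. The `pcap_close(pd)` added further down is not reached on that branch, which is fine only if yyerror does not return — the existing code already relied on that, since `bf` would otherwise be used uninitialised, but it is worth confirming. npfctl_build_pcap continues outside this hunk.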
@@ -542,6 +548,7 @@ npfctl_build_pcap(nl_rule_t *rl, const c
 	}
 	npfctl_dump_bpf();
 	pcap_freecode();
+	pcap_close(pd);
 }
 
 static void



CVS commit: src/usr.sbin/npf/npfctl

2021-07-14 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Jul 14 09:15:01 UTC 2021

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.c

Log Message:
PR/56307: Konrad Schroder: npfctl's error messages don't report the failing
filename.
Add the filename (but in quotes for consistency with other places in the file).
Also fix an err -> errx


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 src/usr.sbin/npf/npfctl/npfctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2021-07-14 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Wed Jul 14 09:15:01 UTC 2021

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.c

Log Message:
PR/56307: Konrad Schroder: npfctl's error messages don't report the failing
filename.
Add the filename (but in quotes for consistency with other places in the file).
Also fix an err -> errx


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 src/usr.sbin/npf/npfctl/npfctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.64 src/usr.sbin/npf/npfctl/npfctl.c:1.65
--- src/usr.sbin/npf/npfctl/npfctl.c:1.64	Sat May 30 10:16:56 2020
+++ src/usr.sbin/npf/npfctl/npfctl.c	Wed Jul 14 05:15:01 2021
@@ -28,7 +28,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npfctl.c,v 1.64 2020/05/30 14:16:56 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.65 2021/07/14 09:15:01 christos Exp $");
 
 #include 
 #include 
@@ -301,17 +301,18 @@ npfctl_import(const char *path)
 	 * just leaving this responsibility for the caller.
 	 */
 	if ((fd = open(path, O_RDONLY)) == -1) {
-		err(EXIT_FAILURE, "could not open `%s'", path);
+		err(EXIT_FAILURE, "open: '%s'", path);
 	}
 	if (fstat(fd, ) == -1) {
-		err(EXIT_FAILURE, "stat");
+		err(EXIT_FAILURE, "stat: '%s'", path);
 	}
 	if ((blen = sb.st_size) == 0) {
-		err(EXIT_FAILURE, "the binary configuration file is empty");
+		errx(EXIT_FAILURE,
+		"the binary configuration file '%s' is empty", path);
 	}
 	blob = mmap(NULL, blen, PROT_READ, MAP_FILE | MAP_PRIVATE, fd, 0);
 	if (blob == MAP_FAILED) {
-		err(EXIT_FAILURE, "mmap");
+		err(EXIT_FAILURE, "mmap: '%s'", path);
 	}
 	ncf = npf_config_import(blob, blen);
 	munmap(blob, blen);
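Review bot: The new message `"stat: '%s'"` names a different call than the one that failed, which is `fstat()`, and the same hunk aligns the neighbouring messages with their calls, so `err(EXIT_FAILURE, "fstat: '%s'", path);` would be consistent. Separately, `blen = sb.st_size` is only meaningful for a regular file: for a FIFO or device node `st_size` is 0 and the operator is told the configuration is "empty" rather than that the path is the wrong kind of file; `if (!S_ISREG(sb.st_mode)) errx(EXIT_FAILURE, "'%s' is not a regular file", path);` before the size check gives the right diagnosis and avoids handing a non-file to mmap. The rest of npfctl_import, including what happens to fd, is outside this hunk.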
@@ -329,7 +330,7 @@ npfctl_load(int fd)
 	 */
 	ncf = npfctl_import(NPF_DB_PATH);
 	if (ncf == NULL) {
-		err(EXIT_FAILURE, "npf_config_import");
+		err(EXIT_FAILURE, "npf_config_import: '%s'", NPF_DB_PATH);
 	}
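Review bot: `err()` after `npfctl_import()` returns NULL appends `strerror(errno)`, but the only NULL-returning path visible in npfctl_import is `npf_config_import()` rejecting the blob, and nothing in the hunk shows that call setting errno; if it does not, the appended text describes whatever earlier call last touched errno, which misleads during diagnosis. This commit fixes the same class of problem one hunk earlier (`err` → `errx` for the empty-file case); unless npf_config_import is documented to set errno, the same treatment fits here: `errx(EXIT_FAILURE, "npf_config_import: '%s'", NPF_DB_PATH);`. npfctl_load continues outside this hunk.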
 	if ((errno = npf_config_submit(ncf, fd, )) != 0) {
 		npfctl_print_error();
@@ -345,7 +346,7 @@ npfctl_open_dev(const char *path)
 	int fd;
 
 	if (lstat(path, ) == -1) {
-		err(EXIT_FAILURE, "fstat");
+		err(EXIT_FAILURE, "fstat: '%s'", path);
 	}
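Review bot: The message on the new line says `fstat` but the call two lines above is `lstat()`; since the commit rewrites this exact line it should read `err(EXIT_FAILURE, "lstat: '%s'", path);`. An operator seeing "fstat: '/dev/npf'" will look for a descriptor problem when the failure is about the path itself. npfctl_open_dev continues outside this hunk.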
 	if ((st.st_mode & S_IFMT) == S_IFSOCK) {
 		struct sockaddr_un addr;
@@ -358,11 +359,11 @@ npfctl_open_dev(const char *path)
 		strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
 
 		if (connect(fd, (struct sockaddr *), sizeof(addr)) == -1) {
-			err(EXIT_FAILURE, "connect");
+			err(EXIT_FAILURE, "connect: '%s'", path);
 		}
 	} else {
 		if ((fd = open(path, O_RDONLY)) == -1) {
-			err(EXIT_FAILURE, "cannot open '%s'", path);
+			err(EXIT_FAILURE, "open: '%s'", path);
 		}
 	}
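Review bot: The new `connect` error reports `path`, but the `strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1)` just above silently truncates a path longer than `sun_path`, so the socket actually connected to (or reported as failing) is not the one the operator named. A length check before the copy avoids both the misleading message and connecting to an unintended endpoint: `if (strlen(path) >= sizeof(addr.sun_path)) errx(EXIT_FAILURE, "socket path too long: '%s'", path);`. Whether `addr` is zeroed before the copy (needed for the terminator the `- 1` leaves room for) is decided above the hunk and cannot be confirmed here.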
 	return fd;
@@ -416,7 +417,8 @@ npfctl_debug(int argc, char **argv)
 		puts("Loading the active configuration");
 		fd = npfctl_open_dev(NPF_DEV_PATH);
 		if ((ncf = npf_config_retrieve(fd)) == NULL) {
-			err(EXIT_FAILURE, "npf_config_retrieve");
+			err(EXIT_FAILURE, "npf_config_retrieve: '%s'",
+			NPF_DEV_PATH);
 		}
 	}
 



CVS commit: src/usr.sbin/npf/npfctl

2020-05-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun May 24 15:35:40 UTC 2020

Modified Files:
src/usr.sbin/npf/npfctl: npf_scan.l

Log Message:
PR/55288: npfctl: change parameter syntax to be more permissive.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 src/usr.sbin/npf/npfctl/npf_scan.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_scan.l
diff -u src/usr.sbin/npf/npfctl/npf_scan.l:1.30 src/usr.sbin/npf/npfctl/npf_scan.l:1.31
--- src/usr.sbin/npf/npfctl/npf_scan.l:1.30	Mon Sep 30 00:37:11 2019
+++ src/usr.sbin/npf/npfctl/npf_scan.l	Sun May 24 15:35:39 2020
@@ -91,6 +91,7 @@ npfctl_parse_string(const char *str, par
 
 ID	[a-zA-Z_][a-zA-Z_0-9]*
 DID	[a-zA-Z_][a-zA-Z_0-9-]*
+SPID	[a-zA-Z][a-zA-Z_0-9.]*
 NUMBER	[0-9]+
 HEXDIG	[0-9a-fA-F]+
 
@@ -227,7 +228,7 @@ any			return ANY;
 			return VAR_ID;
 		}
 
-[a-z]*"."[a-z.]* {
+{ID}"."{SPID}+	{
 			yylval.str = estrndup(yytext, yyleng);
 			return PARAM;
 		}
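Review bot: The `+` in `{ID}"."{SPID}+` is redundant: SPID already ends in `[a-zA-Z_0-9.]*`, so a single SPID absorbs any further dotted segments and the quantifier only adds a second way to match the same text. The pattern now also accepts trailing and doubled dots (`foo.bar.`, `foo..bar`) — if later parameter lookup rejects those it is harmless, but if the intent of PR/55288 is simply "several dotted segments", `{ID}("."{SPID})+` with SPID narrowed to `[a-zA-Z][a-zA-Z_0-9]*` is both tighter and easier to read. Whether the downstream PARAM handling validates the name is outside this hunk.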



CVS commit: src/usr.sbin/npf/npfctl

2020-05-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun May 24 15:35:40 UTC 2020

Modified Files:
src/usr.sbin/npf/npfctl: npf_scan.l

Log Message:
PR/55288: npfctl: change parameter syntax to be more permissive.


To generate a diff of this commit:
cvs rdiff -u -r1.30 -r1.31 src/usr.sbin/npf/npfctl/npf_scan.l

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-11-01 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Nov  1 13:58:32 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c

Log Message:
PR/54670: Azuma OKAMOTO: Consistently use 'W' for TH_CWN, and bump buffer
size.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-11-01 Thread Christos Zoulas
Module Name:src
Committed By:   christos
Date:   Fri Nov  1 13:58:32 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c

Log Message:
PR/54670: Azuma OKAMOTO: Consistently use 'W' for TH_CWN, and bump buffer
size.


To generate a diff of this commit:
cvs rdiff -u -r1.29 -r1.30 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.29 src/usr.sbin/npf/npfctl/npf_show.c:1.30
--- src/usr.sbin/npf/npfctl/npf_show.c:1.29	Sat Aug 10 18:23:55 2019
+++ src/usr.sbin/npf/npfctl/npf_show.c	Fri Nov  1 09:58:32 2019
@@ -34,7 +34,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_show.c,v 1.29 2019/08/10 22:23:55 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.30 2019/11/01 13:58:32 christos Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -125,7 +125,7 @@ tcpflags2string(char *buf, u_int tfl)
 	if (tfl & TH_ACK)	buf[i++] = 'A';
 	if (tfl & TH_URG)	buf[i++] = 'U';
 	if (tfl & TH_ECE)	buf[i++] = 'E';
-	if (tfl & TH_CWR)	buf[i++] = 'C';
+	if (tfl & TH_CWR)	buf[i++] = 'W';
 	buf[i] = '\0';
 	return i;
 }
@@ -209,7 +209,7 @@ static char *
 print_tcpflags(npf_conf_info_t *ctx __unused, const uint32_t *words)
 {
 	const u_int tf = words[0], tf_mask = words[1];
-	char buf[16];
+	char buf[20];
 
 	size_t n = tcpflags2string(buf, tf);
 	if (tf != tf_mask) {
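Review bot: `buf[20]` is sized by hand against the worst case of tcpflags2string (one letter per flag bit plus NUL, presumably written twice with a separator for the `tf != tf_mask` case below the hunk), and nothing ties the two together — tcpflags2string takes no length parameter, and the previous `buf[16]` was exactly the overrun this commit repairs. Making the bound explicit guards the next flag addition: either give tcpflags2string a `size_t buflen` parameter and have it stop at `buflen - 1`, or at least document the relationship at the declaration, e.g. `char buf[20]; /* two tcpflags2string() results, separator, NUL */`. The remainder of print_tcpflags, and the first four flag tests in tcpflags2string, are outside these hunks.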



CVS commit: src/usr.sbin/npf/npfctl

2019-09-30 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Mon Sep 30 21:06:16 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.8

Log Message:
Use -width Pa for FILES.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/usr.sbin/npf/npfctl/npfctl.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npfctl.8
diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.23 src/usr.sbin/npf/npfctl/npfctl.8:1.24
--- src/usr.sbin/npf/npfctl/npfctl.8:1.23	Mon Sep 30 20:53:12 2019
+++ src/usr.sbin/npf/npfctl/npfctl.8	Mon Sep 30 21:06:16 2019
@@ -1,4 +1,4 @@
-.\"	$NetBSD: npfctl.8,v 1.23 2019/09/30 20:53:12 uwe Exp $
+.\"	$NetBSD: npfctl.8,v 1.24 2019/09/30 21:06:16 uwe Exp $
 .\"
 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -203,7 +203,7 @@ See
 for details.
 .\" -
 .Sh FILES
-.Bl -tag -width /etc/npf.conf -compact
+.Bl -tag -width Pa -compact
 .It Pa /dev/npf
 control device
 .It Pa /etc/npf.conf



CVS commit: src/usr.sbin/npf/npfctl

2019-09-30 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Mon Sep 30 21:06:16 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.8

Log Message:
Use -width Pa for FILES.


To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/usr.sbin/npf/npfctl/npfctl.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-09-30 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Mon Sep 30 20:53:12 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.8

Log Message:
Fix pasto in table replace -t type


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/usr.sbin/npf/npfctl/npfctl.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npfctl.8
diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.22 src/usr.sbin/npf/npfctl/npfctl.8:1.23
--- src/usr.sbin/npf/npfctl/npfctl.8:1.22	Sun Sep 29 16:58:35 2019
+++ src/usr.sbin/npf/npfctl/npfctl.8	Mon Sep 30 20:53:12 2019
@@ -1,4 +1,4 @@
-.\"	$NetBSD: npfctl.8,v 1.22 2019/09/29 16:58:35 rmind Exp $
+.\"	$NetBSD: npfctl.8,v 1.23 2019/09/30 20:53:12 uwe Exp $
 .\"
 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -148,7 +148,7 @@ be named
 .Ar newname ,
 effectively renaming the table.
 If not specified, the name of the table being replaced will be used.
-.It Fl n Ar type
+.It Fl t Ar type
 be of type
 .Ar type ;
 currently supported types are



CVS commit: src/usr.sbin/npf/npfctl

2019-09-30 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Mon Sep 30 20:53:12 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.8

Log Message:
Fix pasto in table replace -t type


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/usr.sbin/npf/npfctl/npfctl.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-09-30 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Mon Sep 30 20:44:52 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Use -width Pa for FILES.


To generate a diff of this commit:
cvs rdiff -u -r1.89 -r1.90 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.89 src/usr.sbin/npf/npfctl/npf.conf.5:1.90
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.89	Mon Sep 30 00:37:11 2019
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Mon Sep 30 20:44:51 2019
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.89 2019/09/30 00:37:11 rmind Exp $
+.\"$NetBSD: npf.conf.5,v 1.90 2019/09/30 20:44:51 uwe Exp $
 .\"
 .\" Copyright (c) 2009-2019 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -589,7 +589,7 @@ addr-mask	= addr [ "/" mask ]
 .Ed
 .\" -
 .Sh FILES
-.Bl -tag -width /usr/share/examples/npf -compact
+.Bl -tag -width Pa -compact
 .It Pa /dev/npf
 control device
 .It Pa /etc/npf.conf



CVS commit: src/usr.sbin/npf/npfctl

2019-09-30 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Mon Sep 30 20:44:52 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Use -width Pa for FILES.


To generate a diff of this commit:
cvs rdiff -u -r1.89 -r1.90 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-09-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Sep 29 18:51:08 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c

Log Message:
npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.

(missed a file in previous commit; cvs is so helpful..)


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-09-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Sep 29 18:51:08 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c

Log Message:
npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.

(missed a file in previous commit; cvs is so helpful..)


To generate a diff of this commit:
cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.51 src/usr.sbin/npf/npfctl/npf_build.c:1.52
--- src/usr.sbin/npf/npfctl/npf_build.c:1.51	Thu Aug  8 21:29:15 2019
+++ src/usr.sbin/npf/npfctl/npf_build.c	Sun Sep 29 18:51:08 2019
@@ -32,7 +32,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_build.c,v 1.51 2019/08/08 21:29:15 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.52 2019/09/29 18:51:08 rmind Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -151,25 +151,32 @@ npfctl_debug_addif(const char *ifname)
 	return 0;
 }
 
-unsigned
-npfctl_table_getid(const char *name)
+nl_table_t *
+npfctl_table_getbyname(nl_config_t *ncf, const char *name)
 {
-	unsigned tid = (unsigned)-1;
 	nl_iter_t i = NPF_ITER_BEGIN;
 	nl_table_t *tl;
 
 	/* XXX dynamic ruleset */
-	if (!npf_conf) {
-		return (unsigned)-1;
+	if (!ncf) {
+		return NULL;
 	}
-	while ((tl = npf_table_iterate(npf_conf, )) != NULL) {
+	while ((tl = npf_table_iterate(ncf, )) != NULL) {
 		const char *tname = npf_table_getname(tl);
 		if (strcmp(tname, name) == 0) {
-			tid = npf_table_getid(tl);
 			break;
 		}
 	}
-	return tid;
+	return tl;
+}
+
+unsigned
+npfctl_table_getid(const char *name)
+{
+	nl_table_t *tl;
+
+	tl = npfctl_table_getbyname(npf_conf, name);
+	return tl ? npf_table_getid(tl) : (unsigned)-1;
 }
 
 const char *
@@ -873,15 +880,13 @@ npfctl_build_natseg(int sd, int type, un
  * npfctl_fill_table: fill NPF table with entries from a specified file.
  */
 static void
-npfctl_fill_table(nl_table_t *tl, u_int type, const char *fname)
+npfctl_fill_table(nl_table_t *tl, u_int type, const char *fname, FILE *fp)
 {
 	char *buf = NULL;
 	int l = 0;
-	FILE *fp;
 	size_t n;
 
-	fp = fopen(fname, "r");
-	if (fp == NULL) {
+	if (fp == NULL && (fp = fopen(fname, "r")) == NULL) {
 		err(EXIT_FAILURE, "open '%s'", fname);
 	}
 	while (l++, getline(, , fp) != -1) {
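Review bot: The new `FILE *fp` parameter changes who owns the stream, and the hunk does not say which way: if the `fclose()` below the hunk still runs unconditionally, a caller that passes `stdin` for the replace subcommand loses its standard input, and if it does not, a caller-opened stream leaks unless the caller remembers to close it. A one-line contract in the function comment, e.g. `fp, if non-NULL, is read instead of opening fname and is closed by this function` (or the opposite, whichever the body implements), plus a local `bool opened_here` so the function closes only what it opened, would settle it. `fname` is still required for the error message even when `fp` is supplied, which is worth stating too.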
@@ -908,6 +913,23 @@ npfctl_fill_table(nl_table_t *tl, u_int 
 }
 
 /*
+ * npfctl_load_table: create an NPF table and fill with contents from a file.
+ */
+nl_table_t *
+npfctl_load_table(const char *tname, int tid, u_int type,
+const char *fname, FILE *fp)
+{
+	nl_table_t *tl;
+
+	tl = npf_table_create(tname, tid, type);
+	if (tl && fname) {
+		npfctl_fill_table(tl, type, fname, fp);
+	}
+
+	return tl;
+}
+
+/*
  * npfctl_build_table: create an NPF table, add to the configuration and,
  * if required, fill with contents from a file.
  */
@@ -916,15 +938,13 @@ npfctl_build_table(const char *tname, u_
 {
 	nl_table_t *tl;
 
-	tl = npf_table_create(tname, npfctl_tid_counter++, type);
-	assert(tl != NULL);
-
-	if (fname) {
-		npfctl_fill_table(tl, type, fname);
-	} else if (type == NPF_TABLE_CONST) {
+	if (type == NPF_TABLE_CONST && !fname) {
 		yyerror("table type 'const' must be loaded from a file");
 	}
 
+	tl = npfctl_load_table(tname, npfctl_tid_counter++, type, fname, NULL);
+	assert(tl != NULL);
+
 	if (npf_table_insert(npf_conf, tl)) {
 		yyerror("table '%s' is already defined", tname);
 	}
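Review bot: `npfctl_load_table` takes `int tid` while table ids are unsigned everywhere else in this file — `npfctl_table_getid` returns `unsigned` with `(unsigned)-1` as its not-found sentinel and `npfctl_tid_counter++` is passed straight in — so a caller forwarding a lookup result through `int` gets a sign conversion that turns the sentinel into -1 instead of an error; `unsigned tid` matches the neighbours. The function also returns NULL when `npf_table_create` fails, and the only check at this call site is `assert(tl != NULL)`, which disappears under NDEBUG and then lets `npf_table_insert(npf_conf, NULL)` run; any new caller in npfctl.c (not visible here) should check the return explicitly rather than inherit that assumption.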



CVS commit: src/usr.sbin/npf/npfctl

2019-09-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Sep 29 16:58:35 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.8 npfctl.c npfctl.h

Log Message:
npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/npf/npfctl/npfctl.8
cvs rdiff -u -r1.61 -r1.62 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npfctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npfctl.8
diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.21 src/usr.sbin/npf/npfctl/npfctl.8:1.22
--- src/usr.sbin/npf/npfctl/npfctl.8:1.21	Sat Jan 19 21:19:32 2019
+++ src/usr.sbin/npf/npfctl/npfctl.8	Sun Sep 29 16:58:35 2019
@@ -1,4 +1,4 @@
-.\"	$NetBSD: npfctl.8,v 1.21 2019/01/19 21:19:32 rmind Exp $
+.\"	$NetBSD: npfctl.8,v 1.22 2019/09/29 16:58:35 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 10, 2017
+.Dd August 26, 2019
 .Dt NPFCTL 8
 .Os
 .Sh NAME
@@ -114,28 +114,50 @@ List all rules in the dynamic ruleset sp
 Remove all rules from the dynamic ruleset specified by
 .Ar name .
 .\" ---
-.It Ic table Ar tid Ic add Aq Ar addr/mask
+.It Ic table Ar name Ic add Aq Ar addr/mask
 In table
-.Ar tid ,
+.Ar name ,
 add the IP address and optionally netmask, specified by
 .Aq Ar addr/mask .
 Only the tables of type "lpm" support masks.
-.It Ic table Ar tid Ic rem Aq Ar addr/mask
+.It Ic table Ar name Ic rem Aq Ar addr/mask
 In table
-.Ar tid ,
+.Ar name ,
 remove the IP address and optionally netmask, specified by
 .Aq Ar addr/mask .
 Only the tables of type "lpm" support masks.
-.It Ic table Ar tid Ic test Aq Ar addr
+.It Ic table Ar name Ic test Aq Ar addr
 Query the table
-.Ar tid
+.Ar name
 for a specific IP address, specified by
 .Ar addr .
 If no mask is specified, a single host is assumed.
-.It Ic table Ar tid Ic list
+.It Ic table Ar name Ic list
 List all entries in the currently loaded table specified by
-.Ar tid .
+.Ar name .
 This operation is expensive and should be used with caution.
+.It Ic table Ar name Ic replace Oo Fl n Ar newname Oc Oo Fl t Ar type Oc Aq Ar path
+Replace the existing table specified by
+.Ar name
+with a new table built from the file specified by
+.Ar path .
+Optionally, the new table will:
+.Bl -tag -width xx -compact -offset 3n
+.It Fl n Ar newname
+be named
+.Ar newname ,
+effectively renaming the table.
+If not specified, the name of the table being replaced will be used.
+.It Fl n Ar type
+be of type
+.Ar type ;
+currently supported types are
+.Cm ipset ,
+.Cm lpm ,
+or
+.Cm const .
+If not specified, the type of the table being replaced will be used.
+.El
 .\" ---
 .It Ic save
 Save the active configuration and a snapshot of the current connections.
@@ -201,6 +223,13 @@ Addition and removal of entries in the t
 # npfctl table "vip" add 10.0.0.1
 # npfctl table "vip" rem 182.168.0.0/24
 .Ed
+.Pp
+Replacing the existing table which has ID "svr"
+with a new const table populated from file "/tmp/npf_vps_new",
+and renamed to "vps":
+.Bd -literal -offset indent
+# npfctl table "svr" replace -n "vps" -t const "/tmp/npf_vps_new"
+.Ed
 .\" -
 .Sh SEE ALSO
 .Xr bpf 4 ,

Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.61 src/usr.sbin/npf/npfctl/npfctl.c:1.62
--- src/usr.sbin/npf/npfctl/npfctl.c:1.61	Wed Aug 21 21:41:53 2019
+++ src/usr.sbin/npf/npfctl/npfctl.c	Sun Sep 29 16:58:35 2019
@@ -28,7 +28,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npfctl.c,v 1.61 2019/08/21 21:41:53 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.62 2019/09/29 16:58:35 rmind Exp $");
 
 #include 
 #include 
@@ -142,10 +142,14 @@ usage(void)
 	"\t%s rule \"rule-name\" { list | flush }\n",
 	progname);
 	fprintf(stderr,
-	"\t%s table  { add | rem | test } \n",
+	"\t%s table \"table-name\" { add | rem | test } \n",
 	progname);
 	fprintf(stderr,
-	"\t%s table  { list | flush }\n",
+	"\t%s table \"table-name\" { list | flush }\n",
+	progname);
+	fprintf(stderr,
+	"\t%s table \"table-name\" replace [-n \"name\"]"
+	" [-t ] \n",
 	progname);
 	fprintf(stderr,
 	"\t%s save | load\n",
@@ -275,7 +279,101 @@ npfctl_print_addrmask(int alen, const ch
 	return buf;
 }
 
-__dead static void
+static int
+npfctl_table_type(const char *typename)
+{
+	int i;
+
+	static const struct tbltype_s {
+		const char *name;
+		u_int type;
+	} tbltypes[] = {
+		{ "ipset",	NPF_TABLE_IPSET	},
+		{ "lpm",	NPF_TABLE_LPM	},
+		{ "const",	NPF_TABLE_CONST	},
+		{ NULL,		0		}
+	};
+
+	for (i = 0; tbltypes[i].name != NULL; i++) {
+		if (strcmp(typename, tbltypes[i].name) == 0) {
+			return tbltypes[i].type;
+		}
+	}
+
+	return 

CVS commit: src/usr.sbin/npf/npfctl

2019-09-29 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Sep 29 16:58:35 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npfctl.8 npfctl.c npfctl.h

Log Message:
npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/npf/npfctl/npfctl.8
cvs rdiff -u -r1.61 -r1.62 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npfctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-08-10 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Aug 10 22:23:55 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c

Log Message:
npfctl show/validate: fix couple bugs in multiple table/port representation.
Fixes PR/54122.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.28 src/usr.sbin/npf/npfctl/npf_show.c:1.29
--- src/usr.sbin/npf/npfctl/npf_show.c:1.28	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npf_show.c	Sat Aug 10 22:23:55 2019
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2013 The NetBSD Foundation, Inc.
+ * Copyright (c) 2013-2019 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This code is derived from software contributed to The NetBSD Foundation
@@ -34,7 +34,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_show.c,v 1.28 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.29 2019/08/10 22:23:55 rmind Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -220,21 +220,29 @@ print_tcpflags(npf_conf_info_t *ctx __un
 }
 
 static char *
-print_portrange(npf_conf_info_t *ctx, const uint32_t *words)
+print_pbarrier(npf_conf_info_t *ctx, const uint32_t *words __unused)
+{
+	if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0) {
+		ctx->flags |= SEEN_SRC;
+		return estrdup("from any");
+	}
+	if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0) {
+		ctx->flags |= SEEN_DST;
+		return estrdup("to any");
+	}
+	return NULL;
+}
+
+static char *
+print_portrange(npf_conf_info_t *ctx __unused, const uint32_t *words)
 {
 	u_int fport = words[0], tport = words[1];
-	const char *any_str = "";
 	char *p;
 
-	if (ctx->curmark == BM_SRC_PORTS && (ctx->flags & SEEN_SRC) == 0)
-		any_str = "from any ";
-	if (ctx->curmark == BM_DST_PORTS && (ctx->flags & SEEN_DST) == 0)
-		any_str = "to any ";
-
 	if (fport != tport) {
-		easprintf(, "%sport %u:%u", any_str, fport, tport);
+		easprintf(, "%u-%u", fport, tport);
 	} else {
-		easprintf(, "%sport %u", any_str, fport);
+		easprintf(, "%u", fport);
 	}
 	return p;
 }
@@ -283,12 +291,14 @@ static const struct mark_keyword_mapent 
 	{ BM_ICMP_CODE,	"code %s",	NULL, 0,	print_number,	1 },
 
 	{ BM_SRC_CIDR,	"from %s",	", ", SEEN_SRC,	print_address,	6 },
-	{ BM_SRC_TABLE,	"from %s",	NULL, SEEN_SRC,	print_table,	1 },
-	{ BM_SRC_PORTS,	"%s",		", ", 0,	print_portrange,2 },
+	{ BM_SRC_TABLE,	"from %s",	", ", SEEN_SRC,	print_table,	1 },
+	{ BM_SRC_PORTS,	"%s",		NULL, 0,	print_pbarrier,	2 },
+	{ BM_SRC_PORTS,	"port %s",	", ", 0,	print_portrange,2 },
 
 	{ BM_DST_CIDR,	"to %s",	", ", SEEN_DST,	print_address,	6 },
-	{ BM_DST_TABLE,	"to %s",	NULL, SEEN_DST,	print_table,	1 },
-	{ BM_DST_PORTS,	"%s",		", ", 0,	print_portrange,2 },
+	{ BM_DST_TABLE,	"to %s",	", ", SEEN_DST,	print_table,	1 },
+	{ BM_DST_PORTS,	"%s",		NULL, 0,	print_pbarrier,	2 },
+	{ BM_DST_PORTS,	"port %s",	", ", 0,	print_portrange,2 },
 };
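Review bot: The table now lists BM_SRC_PORTS and BM_DST_PORTS twice, once for print_pbarrier and once for print_portrange, so correct output depends on scan_marks visiting every mapent for a mark rather than stopping at the first match — a future "break after match" tidy-up would silently drop the port text. A comment on the duplicated rows would record that dependency, e.g. `/* Two rows per port mark: scan_marks runs every matching printfn in order; the barrier emits "from/to any" at most once, the second row the port value. */`. The loop in scan_marks that this relies on is in a separate hunk.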
 
 static const char * __attribute__((format_arg(2)))
@@ -314,13 +324,17 @@ scan_marks(npf_conf_info_t *ctx, const s
 			errx(EXIT_FAILURE, "byte-code marking inconsistency");
 		}
 		if (m == mk->mark) {
+			char *val;
+
 			/* Set the current mark and the flags. */
 			ctx->flags |= mk->set_flags;
 			ctx->curmark = m;
 
 			/* Value is processed by the print function. */
 			assert(mk->fwords == nwords);
-			vals[nvals++] = mk->printfn(ctx, marks);
+			if ((val = mk->printfn(ctx, marks)) != NULL) {
+vals[nvals++] = val;
+			}
 		}
 		marks += nwords;
 		mlen -= nwords;



CVS commit: src/usr.sbin/npf/npfctl

2019-08-10 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Aug 10 22:23:55 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c

Log Message:
npfctl show/validate: fix couple bugs in multiple table/port representation.
Fixes PR/54122.


To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-08-08 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Aug  8 21:29:16 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_bpf_comp.c npf_build.c npfctl.h

Log Message:
NPF: fix BPF byte-code generation for a port-range used in a group.
Resolved PR/52609 and PR/54169.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.48 -r1.49 src/usr.sbin/npf/npfctl/npfctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c
diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.14
--- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.13	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c	Thu Aug  8 21:29:15 2019
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc.
+ * Copyright (c) 2010-2019 The NetBSD Foundation, Inc.
  * All rights reserved.
  *
  * This material is based upon work partially supported by The
@@ -29,10 +29,60 @@
 
 /*
  * BPF byte-code generation for NPF rules.
+ *
+ * Overview
+ *
+ *	Each NPF rule is compiled into BPF micro-program.  There is a
+ *	BPF byte-code fragment for each higher-level filtering logic,
+ *	e.g. to match L4 protocol, IP/mask, etc.  The generation process
+ *	combines multiple BPF-byte code fragments into one program.
+ *
+ * Basic case
+ *
+ *	Consider a basic case, where all filters should match.  They
+ *	are expressed as logical conjunction, e.g.:
+ *
+ *		A and B and C and D
+ *
+ *	Each test (filter) criterion can be evaluated to true (match) or
+ *	false (no match) and the logic is as follows:
+ *
+ *	- If the value is true, then jump to the "next" test (offset 0).
+ *
+ *	- If the value is false, then jump to the JUMP_MAGIC value (0xff).
+ *	This "magic" value is used to indicate that it will have to be
+ *	patched at a later stage.
+ *
+ *	Once all byte-code fragments are combined into one, then there
+ *	are two additional steps:
+ *
+ *	- Two instructions are appended at the end of the program: return
+ *	"success" followed by return "failure".
+ *
+ *	- All jumps with the JUMP_MAGIC value are patched to point to the
+ *	"return failure" instruction.
+ *
+ *	Therefore, if all filter criteria will match, then the first
+ *	instruction will be reached, indicating a successful match of the
+ *	rule.  Otherwise, if any of the criteria will not match, it will
+ *	take the failure path and the rule will not matching.
+ *
+ * Grouping
+ *
+ *	Filters can have groups, which are have a meaning of logical
+ *	disjunction, e.g.:
+ *
+ *		A and B and (C or D)
+ *
+ *	In such case, the logic inside the group has to be inverted i.e.
+ *	the jump values swapped.  If the test value is true, then jump
+ *	out of the group; if false, then jump "next".  At the end of the
+ *	group, an addition failure path is appended and the JUMP_MAGIC
+ *	uses within the group are patched to jump past the said path.
  */
 
 #include 
-__RCSID("$NetBSD: npf_bpf_comp.c,v 1.13 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npf_bpf_comp.c,v 1.14 2019/08/08 21:29:15 rmind Exp $");
 
 #include 
 #include 
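Review bot: The new header comment has three wording slips worth fixing before it becomes the reference description of the generator: `the rule will not matching` should read `the rule will not match`, `which are have a meaning of logical disjunction` should read `which have the meaning of logical disjunction`, and `an addition failure path` should read `an additional failure path`. The comment also quotes JUMP_MAGIC as 0xff without saying where the constant lives; since the definition is not visible in this hunk, a short pointer such as `(see JUMP_MAGIC below)` would keep the two from drifting apart.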
@@ -75,7 +125,10 @@ struct npf_bpf {
 	sa_family_t		af;
 	uint32_t		flags;
 
-	/* The current group offset and block number. */
+	/*
+	 * The current group offset (counted in BPF instructions)
+	 * and block number at the start of the group.
+	 */
 	bool			ingroup;
 	u_int			goff;
 	u_int			gblock;
@@ -120,6 +173,7 @@ fixup_jumps(npf_bpf_t *ctx, u_int start,
 	for (u_int i = start; i < end; i++) {
 		struct bpf_insn *insn = >bf_insns[i];
 		const u_int fail_off = end - i;
+		bool seen_magic = false;
 
 		if (fail_off >= JUMP_MAGIC) {
 			errx(EXIT_FAILURE, "BPF generation error: "
@@ -128,15 +182,37 @@ fixup_jumps(npf_bpf_t *ctx, u_int start,
 		if (BPF_CLASS(insn->code) != BPF_JMP) {
 			continue;
 		}
-		if (swap) {
+		if (BPF_OP(insn->code) == BPF_JA) {
+			/*
+			 * BPF_JA can be used to jump to the failure path.
+			 * If we are swapping i.e. inside the group, then
+			 * jump "next"; groups have a failure path appended
+			 * at their end.
+			 */
+			if (insn->k == JUMP_MAGIC) {
+insn->k = swap ? 0 : fail_off;
+			}
+			continue;
+		}
+
+		/*
+		 * Fixup the "magic" value.  Swap only the "magic" jumps.
+		 */
+
+		if (insn->jt == JUMP_MAGIC) {
+			insn->jt = fail_off;
+			seen_magic = true;
+		}
+		if (insn->jf == JUMP_MAGIC) {
+			insn->jf = fail_off;
+			seen_magic = true;
+		}
+
+		if (seen_magic && swap) {
 			uint8_t jt = insn->jt;
 			insn->jt = insn->jf;
 			insn->jf = jt;
 		}
-		if (insn->jt == JUMP_MAGIC)
-			insn->jt = fail_off;
-		if (insn->jf == JUMP_MAGIC)
-			insn->jf = fail_off;
 	}
 }
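Review bot: The comment above the `if (insn->jt == JUMP_MAGIC)` block says to swap only the "magic" jumps but not why, and that reason is the substance of this fix; suggest extending it to something like `/* Non-magic jt/jf are jumps internal to a fragment (e.g. a port-range check) and must keep their sense inside a group; only the exits to the failure path are inverted. */` — the port-range part is taken from the commit message rather than from the hunk, so confirm before committing to it. The `seen_magic` flag added in the preceding hunk is declared at the top of the loop body, before two early `continue`s; declaring it directly above the jt/jf checks would narrow its scope to the code that uses it. The `fail_off >= JUMP_MAGIC` limit now also governs the new BPF_JA branch even though `k` is 32-bit; that looks intentional (the sentinel must stay unambiguous), but a clause in the BPF_JA comment saying so would stop a later reader from "fixing" it.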
 
@@ -225,11 +301,11 @@ npfctl_bpf_destroy(npf_bpf_t *ctx)
 }
 
 /*
- * npfctl_bpf_group: begin a logical group.  It merely uses logical
+ * 

CVS commit: src/usr.sbin/npf/npfctl

2019-08-08 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Aug  8 21:29:16 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_bpf_comp.c npf_build.c npfctl.h

Log Message:
NPF: fix BPF byte-code generation for a port-range used in a group.
Resolved PR/52609 and PR/54169.


To generate a diff of this commit:
cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.48 -r1.49 src/usr.sbin/npf/npfctl/npfctl.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-07-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Jul 25 00:48:55 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c npfctl.c

Log Message:
npfctl: fix the bpf.jit parameter handling.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.59 -r1.60 src/usr.sbin/npf/npfctl/npfctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-07-24 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Thu Jul 25 00:48:55 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c npfctl.c

Log Message:
npfctl: fix the bpf.jit parameter handling.


To generate a diff of this commit:
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.59 -r1.60 src/usr.sbin/npf/npfctl/npfctl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.49 src/usr.sbin/npf/npfctl/npf_build.c:1.50
--- src/usr.sbin/npf/npfctl/npf_build.c:1.49	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npf_build.c	Thu Jul 25 00:48:55 2019
@@ -32,7 +32,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_build.c,v 1.49 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.50 2019/07/25 00:48:55 rmind Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -969,6 +969,7 @@ npfctl_setparam(const char *name, int va
 {
 	if (strcmp(name, "bpf.jit") == 0) {
 		npfctl_bpfjit(val != 0);
+		return;
 	}
 	if (npf_param_set(npf_conf, name, val) != 0) {
 		yyerror("invalid parameter `%s` or its value", name);
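Review bot: With the added `return`, `bpf.jit` bypasses the validation every other parameter receives from `npf_param_set()` on the following line, so any non-zero value is accepted as "enable" without a diagnostic. If only 0 and 1 are meaningful, reject other values before calling `npfctl_bpfjit()` with the same `yyerror()` call used on the lines below, e.g. `if (val != 0 && val != 1)` guarding it. A comment on the special case would also help, e.g. `/* bpf.jit is handled by npfctl itself and is not a kernel parameter. */` — presumably what npfctl_bpfjit() does, but the hunk does not show it, so confirm. The signature of npfctl_setparam is outside the hunk.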

Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.59 src/usr.sbin/npf/npfctl/npfctl.c:1.60
--- src/usr.sbin/npf/npfctl/npfctl.c:1.59	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npfctl.c	Thu Jul 25 00:48:55 2019
@@ -28,7 +28,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npfctl.c,v 1.59 2019/07/23 00:52:02 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.60 2019/07/25 00:48:55 rmind Exp $");
 
 #include 
 #include 
@@ -231,7 +231,7 @@ npfctl_print_error(const npf_error_t *ne
 	const char *srcfile = ne->source_file;
 
 	if (ne->error_msg) {
-		warnx("%s", ne->error_msg);
+		errx(EXIT_FAILURE, "%s", ne->error_msg);
 	}
 	if (srcfile) {
 		warnx("source %s line %d", srcfile, ne->source_line);
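Review bot: Replacing `warnx()` with `errx(EXIT_FAILURE, ...)` exits before the `if (srcfile)` block below it runs, so when both `error_msg` and `source_file` are set the `source %s line %d` context is never printed — the most useful part of a configuration error. If the intent is to make the error fatal, keep `warnx("%s", ne->error_msg);` here and exit once the location has been reported, e.g. after the srcfile block or at the end of the function. The rest of npfctl_print_error is outside the hunk, so where the exit belongs cannot be confirmed here.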



CVS commit: src/usr.sbin/npf/npfctl

2019-07-23 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Tue Jul 23 14:20:22 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
New sentence, new line. Avoid formatting punctuation. Remove superfluous Pp.


To generate a diff of this commit:
cvs rdiff -u -r1.87 -r1.88 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.87 src/usr.sbin/npf/npfctl/npf.conf.5:1.88
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.87	Tue Jul 23 00:52:02 2019
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Tue Jul 23 14:20:22 2019
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.87 2019/07/23 00:52:02 rmind Exp $
+.\"$NetBSD: npf.conf.5,v 1.88 2019/07/23 14:20:22 wiz Exp $
 .\"
 .\" Copyright (c) 2009-2019 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -304,7 +304,7 @@ keywords.
 The former creates a state which is uniquely identified by a 5-tuple (source
 and destination IP addresses, port numbers and an interface identifier).
 The latter excludes the interface identifier, i.e. making the state global,
-and must be used with precaution.
+and must be used with caution.
 In both cases, a full TCP state tracking is performed for TCP connections
 and a limited tracking for message-based protocols (UDP and ICMP).
 .Pp
@@ -374,7 +374,6 @@ hash of the original source and destinat
 This algorithms attempts to keep all connections of particular client
 associated with the same translation address.
 This is the default algorithm.
-.Pp
 .It Cm round-robin
 The translation address for each new connection is selected on a
 round-robin basis.
@@ -440,7 +439,7 @@ Depending on the call, the key might rep
 might be optional.
 Available options:
 .Bl -tag -width "Cm log: Ar interface" -offset indent
-.It Cm log: Ar interface
+.It Cm log : Ar interface
 Log events.
 This requires the
 .Pa npf_ext_log
@@ -451,7 +450,7 @@ configuration is loaded.
 The log packets can be written to a file using the
 .Xr npfd 8
 daemon.
-.It Cm normalize: Ar option1 Ns Op Li \&, Ar option2 ...
+.It Cm normalize : Ar option1 Ns Op Li \&, Ar option2 ...
 Modify packets according to the specified normalization options.
 This requires the
 .Pa npf_ext_normalize kernel
@@ -482,7 +481,8 @@ procedure "someproc" {
 .Pp
 In this case, the procedure calls the logging and normalization modules.
 .Ss Parameter settings
-NPF supports a set of dynamically tunable parameters. See
+NPF supports a set of dynamically tunable parameters.
+See
 .Xr npf-params 7
 for specific details.
 .Ss Misc



CVS commit: src/usr.sbin/npf/npfctl

2019-07-23 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Tue Jul 23 14:20:22 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
New sentence, new line. Avoid formatting punctuation. Remove superfluous Pp.


To generate a diff of this commit:
cvs rdiff -u -r1.87 -r1.88 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-04-17 Thread Tom Ivar Helbekkmo
Module Name:src
Committed By:   tih
Date:   Wed Apr 17 20:41:59 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_bpf_comp.c npf_build.c

Log Message:
Summary: Ensure default TCP flags are applied to rules like 'pass stateful all'

CVS: --
CVS: CVSROOT  cvs.NetBSD.org:/cvsroot
CVS: please use "PR category/123" to have the commitmsg appended to PR 123
CVS:
CVS: Please evaluate your changes and consider the following.
CVS: Abort checkin if you answer no.
CVS: => For all changes:
CVS: Do the changed files compile?
CVS: Has the change been tested?
CVS: => If you are not completely familiar with the changed components:
CVS: Has the change been posted for review?
CVS: Have you allowed enough time for feedback?
CVS: => If the change is major:
CVS: => If the change adds files to, or removes files from $DESTDIR:
CVS: => If you are changing a library or kernel interface:
CVS: Have you successfully run "./build.sh release"?

The documented default "flags S/SAFR" for stateful rules that affect
TCP packets but don't specify any flags, doesn't actually get applied
to a rule like "pass stateful out all". The big problem with this is
that when you then do a "block return-rst" for an incoming packet, the
generated RST packet will create state for the connection attempt it's
blocking, so that a second attempt from the same source will pass.

This change makes the default flags actually apply to such simple
rules.  It also fixes a related bug in the code generation for the
flag matching, where part of the action could erroneously be omitted.

Reviewed by 
Closes PR bin/54124
Pullup to NetBSD 8


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.47 -r1.48 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c
diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.11 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.12
--- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.11	Sat Sep 29 14:41:36 2018
+++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c	Wed Apr 17 20:41:58 2019
@@ -32,7 +32,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_bpf_comp.c,v 1.11 2018/09/29 14:41:36 rmind Exp $");
+__RCSID("$NetBSD: npf_bpf_comp.c,v 1.12 2019/04/17 20:41:58 tih Exp $");
 
 #include 
 #include 
@@ -565,10 +565,8 @@ npfctl_bpf_tcpfl(npf_bpf_t *ctx, uint8_t
 	};
 	add_insns(ctx, insns_cmp, __arraycount(insns_cmp));
 
-	if (!checktcp) {
-		uint32_t mwords[] = { BM_TCPFL, 2, tf, tf_mask};
-		done_block(ctx, mwords, sizeof(mwords));
-	}
+	uint32_t mwords[] = { BM_TCPFL, 2, tf, tf_mask};
+	done_block(ctx, mwords, sizeof(mwords));
 }
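Review bot: After dropping the `if (!checktcp)` guard, `done_block()` is called unconditionally, so if that guard was the last use of `checktcp` the parameter is now dead weight in the signature; the start of npfctl_bpf_tcpfl and any earlier use are outside the hunk, so this cannot be confirmed here. Either way the new unconditional call deserves a why-comment, since the old guard looked deliberate, e.g. `/* Always record the BM_TCPFL mark words: skipping them when the TCP check was already emitted left the flag match out of the rule. */` — the second half is inferred from the commit message, so adjust it to what done_block() actually feeds.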
 
 /*

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.47 src/usr.sbin/npf/npfctl/npf_build.c:1.48
--- src/usr.sbin/npf/npfctl/npf_build.c:1.47	Sat Jan 19 21:19:32 2019
+++ src/usr.sbin/npf/npfctl/npf_build.c	Wed Apr 17 20:41:58 2019
@@ -32,7 +32,7 @@
  */
 
 #include 
-__RCSID("$NetBSD: npf_build.c,v 1.47 2019/01/19 21:19:32 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.48 2019/04/17 20:41:58 tih Exp $");
 
 #include 
 #define	__FAVOR_BSD
@@ -363,7 +363,7 @@ static bool
 npfctl_build_code(nl_rule_t *rl, sa_family_t family, const opt_proto_t *op,
 const filt_opts_t *fopts)
 {
-	bool noproto, noaddrs, noports, need_tcpudp = false;
+	bool noproto, noaddrs, noports, nostate, need_tcpudp = false;
 	const addr_port_t *apfrom = >fo_from;
 	const addr_port_t *apto = >fo_to;
 	const int proto = op->op_proto;
@@ -375,7 +375,8 @@ npfctl_build_code(nl_rule_t *rl, sa_fami
 	noproto = family == AF_UNSPEC && proto == -1 && !op->op_opts;
 	noaddrs = !apfrom->ap_netaddr && !apto->ap_netaddr;
 	noports = !apfrom->ap_portrange && !apto->ap_portrange;
-	if (noproto && noaddrs && noports) {
+	nostate = !(npf_rule_getattr(rl) & NPF_RULE_STATEFUL);
+	if (noproto && noaddrs && noports && nostate) {
 		return false;
 	}
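Review bot: The condition `if (noproto && noaddrs && noports && nostate)` now carries the whole point of the commit but has no comment explaining it; suggest `/* A stateful rule needs code even with no filters, so that the default TCP flags get applied. */` above it, taken from the commit message. In the preceding hunk the declaration `bool noproto, noaddrs, noports, nostate, need_tcpudp = false;` mixes four uninitialised flags with one initialised one; `nostate` could instead be declared where it is computed, `const bool nostate = !(npf_rule_getattr(rl) & NPF_RULE_STATEFUL);`, which the npf_bpf_comp.c hunk in this same commit already does for `mwords`.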
 



CVS commit: src/usr.sbin/npf/npfctl

2019-04-17 Thread Tom Ivar Helbekkmo
Module Name:src
Committed By:   tih
Date:   Wed Apr 17 20:41:59 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf_bpf_comp.c npf_build.c

Log Message:
Summary: Ensure default TCP flags are applied to rules like 'pass stateful all'

CVS: --
CVS: CVSROOT  cvs.NetBSD.org:/cvsroot
CVS: please use "PR category/123" to have the commitmsg appended to PR 123
CVS:
CVS: Please evaluate your changes and consider the following.
CVS: Abort checkin if you answer no.
CVS: => For all changes:
CVS: Do the changed files compile?
CVS: Has the change been tested?
CVS: => If you are not completely familiar with the changed components:
CVS: Has the change been posted for review?
CVS: Have you allowed enough time for feedback?
CVS: => If the change is major:
CVS: => If the change adds files to, or removes files from $DESTDIR:
CVS: => If you are changing a library or kernel interface:
CVS: Have you successfully run "./build.sh release"?

The documented default "flags S/SAFR" for stateful rules that affect
TCP packets but don't specify any flags, doesn't actually get applied
to a rule like "pass stateful out all". The big problem with this is
that when you then do a "block return-rst" for an incoming packet, the
generated RST packet will create state for the connection attempt it's
blocking, so that a second attempt from the same source will pass.

This change makes the default flags actually apply to such simple
rules.  It also fixes a related bug in the code generation for the
flag matching, where part of the action could erroneously be omitted.

Reviewed by 
Closes PR bin/54124
Pullup to NetBSD 8


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.12 src/usr.sbin/npf/npfctl/npf_bpf_comp.c
cvs rdiff -u -r1.47 -r1.48 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-04-08 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Mon Apr  8 07:58:45 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve wording.


To generate a diff of this commit:
cvs rdiff -u -r1.85 -r1.86 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-04-08 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Mon Apr  8 07:58:45 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve wording.


To generate a diff of this commit:
cvs rdiff -u -r1.85 -r1.86 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.85 src/usr.sbin/npf/npfctl/npf.conf.5:1.86
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.85	Sun Apr  7 22:23:40 2019
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Mon Apr  8 07:58:45 2019
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.85 2019/04/07 22:23:40 rmind Exp $
+.\"$NetBSD: npf.conf.5,v 1.86 2019/04/08 07:58:45 wiz Exp $
 .\"
 .\" Copyright (c) 2009-2018 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -355,7 +355,7 @@ redirecting the public port 9022 to the 
 .Dl map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
 .Pp
 The translation address can also by dynamic, based on the interface.
-The following would select IPv4 address currently assigned to the interface:
+The following would select the IPv4 address(es) currently assigned to the interface:
 .Pp
 .Dl map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if)
 .Pp



CVS commit: src/usr.sbin/npf/npfctl

2019-04-07 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Apr  7 22:23:40 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
npf.conf(5): Add more info about ifaddrs().


To generate a diff of this commit:
cvs rdiff -u -r1.84 -r1.85 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.84 src/usr.sbin/npf/npfctl/npf.conf.5:1.85
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.84	Sat Jan 19 21:19:32 2019
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sun Apr  7 22:23:40 2019
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.84 2019/01/19 21:19:32 rmind Exp $
+.\"$NetBSD: npf.conf.5,v 1.85 2019/04/07 22:23:40 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2018 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 14, 2019
+.Dd February 2, 2019
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -148,12 +148,16 @@ The
 .Cm family
 keyword of a filtering rule can be used in combination to explicitly select
 an IP address type.
+This function can also be used with
+.Cm map
+to specify the translation address, see below.
 .El
 .Pp
 Example of configuration:
 .Bd -literal -offset indent
 $var1 = inet4(wm0)
 $var2 = ifaddrs(wm0)
+
 group default {
 	block in on wm0 all   # rule 1
 	block in on $var1 all # rule 2
@@ -350,6 +354,11 @@ redirecting the public port 9022 to the 
 .Pp
 .Dl map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
 .Pp
+The translation address can also by dynamic, based on the interface.
+The following would select IPv4 address currently assigned to the interface:
+.Pp
+.Dl map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if)
+.Pp
 If the dynamic NAT is configured with multiple translation addresses,
 then a custom selection algorithm can be chosen using the
 .Cm algo
@@ -587,10 +596,9 @@ $localnet = { 10.1.1.0/24 }
 
 alg "icmp"
 
-# Note: if $ext_if has multiple IP address (e.g. IPv6 as well),
-# then the translation address has to be specified explicitly.
-map $ext_if dynamic 10.1.1.0/24 -> $ext_if
-map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
+# These NAT rules will dynamically select the interface address(es).
+map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if)
+map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- ifaddrs($ext_if) port 9022
 
 procedure "log" {
 	# The logging facility can be used together with npfd(8).
@@ -635,7 +643,7 @@ group default {
 .Xr npfctl 8 ,
 .Xr npfd 8
 .Pp
-.Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation website"
+.Lk http://rmind.github.io/npf/ "NPF documentation website"
 .Sh HISTORY
 NPF first appeared in
 .Nx 6.0 .



CVS commit: src/usr.sbin/npf/npfctl

2019-04-07 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sun Apr  7 22:23:40 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
npf.conf(5): Add more info about ifaddrs().


To generate a diff of this commit:
cvs rdiff -u -r1.84 -r1.85 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-01-08 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Tue Jan  8 11:36:10 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Actually, according to the grammar the square brackets in the "tcp
flags" are not literal, so use .Op to show that /mask is optional.


To generate a diff of this commit:
cvs rdiff -u -r1.82 -r1.83 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.82 src/usr.sbin/npf/npfctl/npf.conf.5:1.83
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.82	Tue Jan  8 11:28:01 2019
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Tue Jan  8 11:36:10 2019
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.82 2019/01/08 11:28:01 uwe Exp $
+.\"$NetBSD: npf.conf.5,v 1.83 2019/01/08 11:36:10 uwe Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -223,7 +223,7 @@ The
 keyword can be used to match the packets against specific TCP flags,
 according to the following syntax:
 .Pp
-.D1 Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns Li \&]
+.D1 Ic proto Cm tcp flags Ar match Ns Op Li / Ns Ar mask
 .Pp
 Where
 .Ar match



CVS commit: src/usr.sbin/npf/npfctl

2019-01-08 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Tue Jan  8 11:36:10 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Actually, according to the grammar the square brackets in the "tcp
flags" are not literal, so use .Op to show that /mask is optional.


To generate a diff of this commit:
cvs rdiff -u -r1.82 -r1.83 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-01-08 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Tue Jan  8 11:28:01 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Restore macro with effect.  Fix the real problem that prevented it from
having the effect.


To generate a diff of this commit:
cvs rdiff -u -r1.81 -r1.82 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-01-08 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Tue Jan  8 11:28:01 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Restore macro with effect.  Fix the real problem that prevented it from
having the effect.


To generate a diff of this commit:
cvs rdiff -u -r1.81 -r1.82 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.81 src/usr.sbin/npf/npfctl/npf.conf.5:1.82
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.81	Tue Jan  8 10:25:26 2019
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Tue Jan  8 11:28:01 2019
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.81 2019/01/08 10:25:26 wiz Exp $
+.\"$NetBSD: npf.conf.5,v 1.82 2019/01/08 11:28:01 uwe Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -223,7 +223,7 @@ The
 keyword can be used to match the packets against specific TCP flags,
 according to the following syntax:
 .Pp
-.Dl Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns ]
+.D1 Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns Li \&]
 .Pp
 Where
 .Ar match



CVS commit: src/usr.sbin/npf/npfctl

2019-01-08 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Tue Jan  8 10:25:26 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
New sentence, new line. Punctuation fixes. Remove macros without effect.


To generate a diff of this commit:
cvs rdiff -u -r1.80 -r1.81 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.80 src/usr.sbin/npf/npfctl/npf.conf.5:1.81
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.80	Tue Jan  8 01:19:16 2019
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Tue Jan  8 10:25:26 2019
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.80 2019/01/08 01:19:16 gutteridge Exp $
+.\"$NetBSD: npf.conf.5,v 1.81 2019/01/08 10:25:26 wiz Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -89,7 +89,7 @@ The following is an example of table def
 .Dl table  type hash dynamic
 .Pp
 Currently, tables support three data storage types:
-.Cm hash,
+.Cm hash ,
 .Cm tree ,
 or
 .Cm cdb .
@@ -133,11 +133,14 @@ Three functions exist, to extract addres
 list type and IP address type:
 .Bl -tag -width "Fn ifaddrs interface" -offset indent
 .It Fn inet4 interface
-Static list.  IPv4 addresses.
+Static list.
+IPv4 addresses.
 .It Fn inet6 interface
-Static list.  IPv6 addresses.
+Static list.
+IPv6 addresses.
 .It Fn ifaddrs interface
-Dynamic list.  Both IPv4 and IPv6.
+Dynamic list.
+Both IPv4 and IPv6.
 The
 .Cm family
 keyword of a filtering rule can be used in combination to explicitly select
@@ -164,7 +167,7 @@ on wm0, and
 .Li $var2
 is the dynamic list of all the IPv4 and IPv6 addresses configured on wm0.
 The first three rules are equivalent, because with the
-.Li Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li >
+.Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li >
 syntax, NPF expects a direct reference to an interface, and therefore does
 not consider the extraction functions.
 The fourth and fifth rules are equivalent, for the same reason.
@@ -220,7 +223,7 @@ The
 keyword can be used to match the packets against specific TCP flags,
 according to the following syntax:
 .Pp
-.Dl Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns Li ]
+.Dl Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns ]
 .Pp
 Where
 .Ar match



CVS commit: src/usr.sbin/npf/npfctl

2019-01-08 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Tue Jan  8 10:25:26 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
New sentence, new line. Punctuation fixes. Remove macros without effect.


To generate a diff of this commit:
cvs rdiff -u -r1.80 -r1.81 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2019-01-07 Thread David H. Gutteridge
Module Name:src
Committed By:   gutteridge
Date:   Tue Jan  8 01:19:16 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
npf.conf(5): add a minor clarification about table types that can't
accept masks on IP addresses. Prompted by Rob Hunter in PR bin/51900.


To generate a diff of this commit:
cvs rdiff -u -r1.79 -r1.80 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.79 src/usr.sbin/npf/npfctl/npf.conf.5:1.80
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.79	Fri Sep 21 10:59:11 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Tue Jan  8 01:19:16 2019
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.79 2018/09/21 10:59:11 uwe Exp $
+.\"$NetBSD: npf.conf.5,v 1.80 2019/01/08 01:19:16 gutteridge Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 21, 2018
+.Dd January 8, 2019
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -102,7 +102,7 @@ Tables of type
 .Dq hash
 and
 .Dq cdb
-can only contain IP addresses.
+can only contain IP addresses, without masks.
 Only static data can be used with a storage type of
 .Dq cdb .
 .Pp



CVS commit: src/usr.sbin/npf/npfctl

2019-01-07 Thread David H. Gutteridge
Module Name:src
Committed By:   gutteridge
Date:   Tue Jan  8 01:19:16 UTC 2019

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
npf.conf(5): add a minor clarification about table types that can't
accept masks on IP addresses. Prompted by Rob Hunter in PR bin/51900.


To generate a diff of this commit:
cvs rdiff -u -r1.79 -r1.80 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



re: CVS commit: src/usr.sbin/npf/npfctl

2018-09-21 Thread matthew green
> >> Modified Files:
> >>src/usr.sbin/npf/npfctl: npf.conf.5
> >>
> >> Log Message:
> >> Switch back to tabs, it was nicer this way.
> >
> > now these examples *really* overflow 80 lines, vs only just.
> >
> > can you try fix this?  thanks.
> 
> Even with whitespaces there were overflows.
> 
> I've fixed it, not by replacing random tabs by whitespaces, but by cutting
> long lines.

thanks.   i can read it on a normal sized tty, and
better than the old too.


.mrg.


CVS commit: src/usr.sbin/npf/npfctl

2018-09-21 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Fri Sep 21 10:59:11 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
According to the grammar and examples the static table is defined with
"file" keyword, not "static".


To generate a diff of this commit:
cvs rdiff -u -r1.78 -r1.79 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.78 src/usr.sbin/npf/npfctl/npf.conf.5:1.79
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.78	Fri Sep 21 09:42:18 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Fri Sep 21 10:59:11 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.78 2018/09/21 09:42:18 uwe Exp $
+.\"$NetBSD: npf.conf.5,v 1.79 2018/09/21 10:59:11 uwe Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -95,9 +95,9 @@ or
 .Cm cdb .
 Tables can also be set as containing
 .Cm dynamic
-or
-.Cm static
-data i.e. loaded from a specified file.
+data or static
+.Cm file Ar filename
+data loaded from a specified file.
 Tables of type
 .Dq hash
 and



CVS commit: src/usr.sbin/npf/npfctl

2018-09-21 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Fri Sep 21 10:59:11 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
According to the grammar and examples the static table is defined with
"file" keyword, not "static".


To generate a diff of this commit:
cvs rdiff -u -r1.78 -r1.79 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-09-21 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Fri Sep 21 09:42:18 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve markup.


To generate a diff of this commit:
cvs rdiff -u -r1.77 -r1.78 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-09-21 Thread Valeriy E. Ushakov
Module Name:src
Committed By:   uwe
Date:   Fri Sep 21 09:42:18 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve markup.


To generate a diff of this commit:
cvs rdiff -u -r1.77 -r1.78 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.77 src/usr.sbin/npf/npfctl/npf.conf.5:1.78
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.77	Fri Sep 21 07:22:26 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Fri Sep 21 09:42:18 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.77 2018/09/21 07:22:26 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.78 2018/09/21 09:42:18 uwe Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -46,7 +46,8 @@ in-depth information.
 There are multiple structural elements that
 .Nm
 may contain, such as:
-.Bl -bullet -offset indent
+.Pp
+.Bl -bullet -offset indent -compact
 .It
 variables
 .It
@@ -64,40 +65,52 @@ procedure definitions to call on filtere
 .El
 .Sh SYNTAX
 .Ss Variables
-Variables are specified using the dollar ($) sign, which is used for both
+Variables are specified using the dollar
+.Pq Li $
+sign, which is used for both
 definition and referencing of a variable.
 Variables are defined by assigning a value to them as follows:
-.Bd -literal
-$var1 = 10.0.0.1
-.Ed
+.Pp
+.Dl $var1 = 10.0.0.1
 .Pp
 A variable may also be defined as a set:
-.Bd -literal
-$var2 = { 10.0.0.1, 10.0.0.2 }
-.Ed
+.Pp
+.Dl $var2 = { 10.0.0.1, 10.0.0.2 }
 .Pp
 Common variable definitions are for IP addresses, networks, ports,
 and interfaces.
 .Ss Tables
 Tables are specified using a name between angle brackets
-< and >.
+.Sq Li <
+and
+.Sq Li > .
 The following is an example of table definition:
-.Bd -literal
-table  type hash dynamic
 .Pp
-.Ed
-Currently, tables support three data storage types: "hash", "tree", or "cdb".
-Tables can also be set as containing "dynamic" or "static" data i.e. loaded
-from a specified file.
-Tables of type "hash" and "cdb" can only contain IP addresses.
-Only static data can be used with a storage type of "cdb".
+.Dl table  type hash dynamic
+.Pp
+Currently, tables support three data storage types:
+.Cm hash,
+.Cm tree ,
+or
+.Cm cdb .
+Tables can also be set as containing
+.Cm dynamic
+or
+.Cm static
+data i.e. loaded from a specified file.
+Tables of type
+.Dq hash
+and
+.Dq cdb
+can only contain IP addresses.
+Only static data can be used with a storage type of
+.Dq cdb .
 .Pp
 The specified file should contain a list of IP addresses and/or networks in the
-form of:
-.Bd -literal
-10.0.0.0/24
-10.1.1.1
-.Ed
+form of
+.Li 10.1.1.1
+or
+.Li 10.0.0.0/24
 .Ss Interfaces
 In NPF, an interface can be referenced directly by using its name, or can be
 passed to an extraction function which will return a list of IP addresses
@@ -113,26 +126,26 @@ With a static list, NPF will capture the
 load, whereas with a dynamic list NPF will capture the runtime list of
 addresses, reflecting any changes to the interface, including the attach and
 detach.
-Note that with a dynamic list, marking the interface as ``down'' has no effect,
+Note that with a dynamic list, bringing the interface down has no effect,
 all addresses will remain present.
 .Pp
 Three functions exist, to extract addresses from an interface with a chosen
 list type and IP address type:
-.Bl -tag -width Xifaddrs()XX -offset indent
-.It Fn inet4
-Static list, IPv4 addresses.
-.It Fn inet6
-Static list, IPv6 addresses.
-.It Fn ifaddrs
-Dynamic list, both IPv4 and IPv6.
+.Bl -tag -width "Fn ifaddrs interface" -offset indent
+.It Fn inet4 interface
+Static list.  IPv4 addresses.
+.It Fn inet6 interface
+Static list.  IPv6 addresses.
+.It Fn ifaddrs interface
+Dynamic list.  Both IPv4 and IPv6.
 The
-.Cd family
-keyword can be used in combination of a filtering rule to explicitly select
+.Cm family
+keyword of a filtering rule can be used in combination to explicitly select
 an IP address type.
 .El
 .Pp
 Example of configuration:
-.Bd -literal
+.Bd -literal -offset indent
 $var1 = inet4(wm0)
 $var2 = ifaddrs(wm0)
 group default {
@@ -144,11 +157,14 @@ group default {
 }
 .Ed
 .Pp
-In the above example, $var1 is the static list of IPv4 addresses configured
-on wm0, and $var2 is the dynamic list of all the IPv4 and IPv6 addresses
-configured on wm0.
+In the above example,
+.Li $var1
+is the static list of IPv4 addresses configured
+on wm0, and
+.Li $var2
+is the dynamic list of all the IPv4 and IPv6 addresses configured on wm0.
 The first three rules are equivalent, because with the
-.Cd block ... on 
+.Li Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li >
 syntax, NPF expects a direct reference to an interface, and therefore does
 not consider the extraction functions.
 The fourth and fifth rules are equivalent, for the same reason.
@@ 

Re: CVS commit: src/usr.sbin/npf/npfctl

2018-09-21 Thread Maxime Villard

Le 19/09/2018 à 20:44, matthew green a écrit :

"Maxime Villard" writes:

Module Name:src
Committed By:   maxv
Date:   Wed Sep 19 15:36:12 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Switch back to tabs, it was nicer this way.


now these examples *really* overflow 80 lines, vs only just.

can you try fix this?  thanks.


Even with spaces instead of tabs there were overflows.

I've fixed it, not by replacing random tabs with spaces, but by wrapping the
long lines.


CVS commit: src/usr.sbin/npf/npfctl

2018-09-21 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Sep 21 07:22:26 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Wrap long lines, so that nothing overflows.


To generate a diff of this commit:
cvs rdiff -u -r1.76 -r1.77 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.76 src/usr.sbin/npf/npfctl/npf.conf.5:1.77
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.76	Wed Sep 19 15:36:12 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Fri Sep 21 07:22:26 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.76 2018/09/19 15:36:12 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.77 2018/09/21 07:22:26 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 19, 2018
+.Dd September 21, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -425,7 +425,8 @@ therefore it does not strictly represent
 syntax		= var-def | set-param | alg | table-def |
 		  map | group | proc | comment
 
-# Variable definition.  Names can be alpha-numeric, including "_" character.
+# Variable definition.  Names can be alpha-numeric, including "_"
+# character.
 
 var-name	= "$" . string
 interface	= interface-name | var-name
@@ -439,7 +440,8 @@ set-param	= "set" param-value
 alg		= "alg" alg-name
 alg-name	= "icmp"
 
-# Table definition.  Table ID shall be numeric.  Path is in the double quotes.
+# Table definition.  Table ID shall be numeric.  Path is in the
+# double quotes.
 
 table-id	= 
 table-def	= "table" table-id "type" ( "hash" | "tree" | "cdb" )
@@ -492,7 +494,8 @@ proto-opts	= "flags" tcp-flags [ "/" tcp
 		  "icmp-type" type [ "code" icmp-code ]
 proto		= "proto" protocol [ proto-opts ]
 
-filt-opts	= "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ]
+filt-opts	= "from" filt-addr [ port-opts ] "to" filt-addr
+		  [ port-opts ]
 filt-addr	= [ "!" ] [ interface | addr-mask | table-id | "any" ]
 
 port-opts	= "port" ( port-num | port-from "-" port-to | var-name )
@@ -537,11 +540,16 @@ group "external" on $ext_if {
 	pass stateful out final all
 
 	block in final from 
-	pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log"
-	pass stateful in final proto tcp to $ext_if port $services_tcp
-	pass stateful in final proto udp to $ext_if port $services_udp
-	pass stateful in final proto tcp to $ext_if port 49151-65535  # passive FTP
-	pass stateful in final proto udp to $ext_if port 33434-33600  # traceroute
+	pass stateful in final family inet4 proto tcp to $ext_if \e
+		port ssh apply "log"
+	pass stateful in final proto tcp to $ext_if \e
+		port $services_tcp
+	pass stateful in final proto udp to $ext_if \e
+		port $services_udp
+	pass stateful in final proto tcp to $ext_if \e
+		port 49151-65535  # passive FTP
+	pass stateful in final proto udp to $ext_if \e
+		port 33434-33600  # traceroute
 }
 
 group "internal" on $int_if {



CVS commit: src/usr.sbin/npf/npfctl

2018-09-21 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Sep 21 07:22:26 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Wrap long lines, so that nothing overflows.


To generate a diff of this commit:
cvs rdiff -u -r1.76 -r1.77 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



re: CVS commit: src/usr.sbin/npf/npfctl

2018-09-19 Thread matthew green
"Maxime Villard" writes:
> Module Name:  src
> Committed By: maxv
> Date: Wed Sep 19 15:36:12 UTC 2018
> 
> Modified Files:
>   src/usr.sbin/npf/npfctl: npf.conf.5
> 
> Log Message:
> Switch back to tabs, it was nicer this way.

now these examples *really* overflow 80 columns, whereas before they only just did.

can you try fix this?  thanks.


.mrg.


CVS commit: src/usr.sbin/npf/npfctl

2018-09-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Wed Sep 19 15:36:12 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Switch back to tabs, it was nicer this way.


To generate a diff of this commit:
cvs rdiff -u -r1.75 -r1.76 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.75 src/usr.sbin/npf/npfctl/npf.conf.5:1.76
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.75	Tue Sep  4 15:36:01 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Wed Sep 19 15:36:12 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.75 2018/09/04 15:36:01 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.76 2018/09/19 15:36:12 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 4, 2018
+.Dd September 19, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -529,33 +529,33 @@ map $ext_if dynamic 10.1.1.0/24 -> $ext_
 map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
 
 procedure "log" {
-  # The logging facility can be used together with npfd(8).
-  log: npflog0
+	# The logging facility can be used together with npfd(8).
+	log: npflog0
 }
 
 group "external" on $ext_if {
-  pass stateful out final all
+	pass stateful out final all
 
-  block in final from 
-  pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log"
-  pass stateful in final proto tcp to $ext_if port $services_tcp
-  pass stateful in final proto udp to $ext_if port $services_udp
-  pass stateful in final proto tcp to $ext_if port 49151-65535  # passive FTP
-  pass stateful in final proto udp to $ext_if port 33434-33600  # traceroute
+	block in final from 
+	pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log"
+	pass stateful in final proto tcp to $ext_if port $services_tcp
+	pass stateful in final proto udp to $ext_if port $services_udp
+	pass stateful in final proto tcp to $ext_if port 49151-65535  # passive FTP
+	pass stateful in final proto udp to $ext_if port 33434-33600  # traceroute
 }
 
 group "internal" on $int_if {
-  block in all
-  block in final from 
+	block in all
+	block in final from 
 
-  # Ingress filtering as per BCP 38 / RFC 2827.
-  pass in final from $localnet
-  pass out final all
+	# Ingress filtering as per BCP 38 / RFC 2827.
+	pass in final from $localnet
+	pass out final all
 }
 
 group default {
-  pass final on lo0 all
-  block all
+	pass final on lo0 all
+	block all
 }
 .Ed
 .\" -



CVS commit: src/usr.sbin/npf/npfctl

2018-09-19 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Wed Sep 19 15:36:12 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Switch back to tabs, it was nicer this way.


To generate a diff of this commit:
cvs rdiff -u -r1.75 -r1.76 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-09-04 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Sep  4 15:36:02 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Fix the "Interfaces" section; I had misunderstood it. Talk about inference,
because it was not mentioned before, and it plays an important role.
Discussed with rmind. Probably not the last pass.


To generate a diff of this commit:
cvs rdiff -u -r1.74 -r1.75 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.74 src/usr.sbin/npf/npfctl/npf.conf.5:1.75
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.74	Sun Sep  2 18:03:23 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Tue Sep  4 15:36:01 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.74 2018/09/02 18:03:23 wiz Exp $
+.\"$NetBSD: npf.conf.5,v 1.75 2018/09/04 15:36:01 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 2, 2018
+.Dd September 4, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -99,16 +99,20 @@ form of:
 10.1.1.1
 .Ed
 .Ss Interfaces
-In the context of NPF, an interface is seen as a list of IP addresses,
-that can be IPv4 or IPv6, which are configured on the actual associated
-interface.
-.Pp
-Such list can be either static or dynamic.
-With a static list, NPF will
-capture the interface addresses on configuration load, whereas with a dynamic
-list NPF will capture the runtime list of addresses, reflecting any changes
-to the interface, including the attach and detach.
-.Pp
+In NPF, an interface can be referenced directly by using its name, or can be
+passed to an extraction function which will return a list of IP addresses
+configured on the actual associated interface.
+.Pp
+It is legal to pass an extracted list from an interface in keywords where
+NPF would expect instead a direct reference to said interface.
+In this case, NPF infers a direct reference to the interface, and does not
+consider the list.
+.Pp
+There are two types of IP address lists.
+With a static list, NPF will capture the interface addresses on configuration
+load, whereas with a dynamic list NPF will capture the runtime list of
+addresses, reflecting any changes to the interface, including the attach and
+detach.
 Note that with a dynamic list, marking the interface as ``down'' has no effect,
 all addresses will remain present.
 .Pp
@@ -127,27 +131,27 @@ keyword can be used in combination of a 
 an IP address type.
 .El
 .Pp
-By default, when no extraction function is used,
-.Fn ifaddrs
-is assumed.
-.Pp
-Example of configuration with static interface lists:
-.Bd -literal
-$pub_if4 = inet4(wm0)
-$pub_if46 = { inet4(wm0), inet6(wm0) }
-.Ed
-.Pp
-In the above example, $pub_if4 is the list of IPv4 addresses configured
-on wm0, and $pub_if46 is the list of IPv4 and IPv6 addresses configured
-on wm0.
-.Pp
-Example of configuration with dynamic interface lists:
+Example of configuration:
 .Bd -literal
-$pub_if_1 = ifaddrs(wm0)
-$pub_if_2 = wm0
+$var1 = inet4(wm0)
+$var2 = ifaddrs(wm0)
+group default {
+	block in on wm0 all   # rule 1
+	block in on $var1 all # rule 2
+	block in on inet4(wm0) all# rule 3
+	pass in on inet6(wm0) from $var2  # rule 4
+	pass in on wm0 from ifaddrs(wm0)  # rule 5
+}
 .Ed
 .Pp
-In the above example, $pub_if_1 and $pub_if_2 are equal.
+In the above example, $var1 is the static list of IPv4 addresses configured
+on wm0, and $var2 is the dynamic list of all the IPv4 and IPv6 addresses
+configured on wm0.
+The first three rules are equivalent, because with the
+.Cd block ... on 
+syntax, NPF expects a direct reference to an interface, and therefore does
+not consider the extraction functions.
+The fourth and fifth rules are equivalent, for the same reason.
 .Ss Groups
 NPF requires that all rules be defined within groups.
 Groups can be thought of as higher level rules which can contain subrules.



CVS commit: src/usr.sbin/npf/npfctl

2018-09-04 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Tue Sep  4 15:36:02 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Fix the "Interfaces" section; I had misunderstood it. Talk about inference,
because it was not mentioned before, and it plays an important role.
Discussed with rmind. Probably not the last pass.


To generate a diff of this commit:
cvs rdiff -u -r1.74 -r1.75 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-09-02 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Sun Sep  2 18:03:23 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
New sentence, new line. Use Fn for functions.


To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.74 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.73 src/usr.sbin/npf/npfctl/npf.conf.5:1.74
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.73	Sun Sep  2 17:45:18 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sun Sep  2 18:03:23 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.73 2018/09/02 17:45:18 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.74 2018/09/02 18:03:23 wiz Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -103,7 +103,8 @@ In the context of NPF, an interface is s
 that can be IPv4 or IPv6, which are configured on the actual associated
 interface.
 .Pp
-Such list can be either static or dynamic. With a static list, NPF will
+Such list can be either static or dynamic.
+With a static list, NPF will
 capture the interface addresses on configuration load, whereas with a dynamic
 list NPF will capture the runtime list of addresses, reflecting any changes
 to the interface, including the attach and detach.
@@ -114,11 +115,11 @@ all addresses will remain present.
 Three functions exist, to extract addresses from an interface with a chosen
 list type and IP address type:
 .Bl -tag -width Xifaddrs()XX -offset indent
-.It inet4()
+.It Fn inet4
 Static list, IPv4 addresses.
-.It inet6()
+.It Fn inet6
 Static list, IPv6 addresses.
-.It ifaddrs()
+.It Fn ifaddrs
 Dynamic list, both IPv4 and IPv6.
 The
 .Cd family
@@ -126,7 +127,9 @@ keyword can be used in combination of a 
 an IP address type.
 .El
 .Pp
-By default, when no extraction function is used, ifaddrs() is assumed.
+By default, when no extraction function is used,
+.Fn ifaddrs
+is assumed.
 .Pp
 Example of configuration with static interface lists:
 .Bd -literal



CVS commit: src/usr.sbin/npf/npfctl

2018-09-02 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Sun Sep  2 18:03:23 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
New sentence, new line. Use Fn for functions.


To generate a diff of this commit:
cvs rdiff -u -r1.73 -r1.74 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-09-02 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun Sep  2 17:45:18 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Be clearer about the difference between static vs dynamic interface list,
and slightly improve wording.

My understanding is that when none of inet4/inet6/ifaddrs is passed, NPF
assumes ifaddrs.


To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.72 src/usr.sbin/npf/npfctl/npf.conf.5:1.73
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.72	Sat Sep  1 19:26:46 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sun Sep  2 17:45:18 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.72 2018/09/01 19:26:46 wiz Exp $
+.\"$NetBSD: npf.conf.5,v 1.73 2018/09/02 17:45:18 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 1, 2018
+.Dd September 2, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -99,38 +99,52 @@ form of:
 10.1.1.1
 .Ed
 .Ss Interfaces
-Interfaces can be specified as the values of the variables:
-.Bd -literal
-$pub_if_list = { inet4(wm0), inet4(wm1) }
-.Ed
+In the context of NPF, an interface is seen as a list of IP addresses,
+that can be IPv4 or IPv6, which are configured on the actual associated
+interface.
+.Pp
+Such list can be either static or dynamic. With a static list, NPF will
+capture the interface addresses on configuration load, whereas with a dynamic
+list NPF will capture the runtime list of addresses, reflecting any changes
+to the interface, including the attach and detach.
+.Pp
+Note that with a dynamic list, marking the interface as ``down'' has no effect,
+all addresses will remain present.
+.Pp
+Three functions exist, to extract addresses from an interface with a chosen
+list type and IP address type:
+.Bl -tag -width Xifaddrs()XX -offset indent
+.It inet4()
+Static list, IPv4 addresses.
+.It inet6()
+Static list, IPv6 addresses.
+.It ifaddrs()
+Dynamic list, both IPv4 and IPv6.
+The
+.Cd family
+keyword can be used in combination of a filtering rule to explicitly select
+an IP address type.
+.El
+.Pp
+By default, when no extraction function is used, ifaddrs() is assumed.
 .Pp
-In the context of filtering, an interface provides a list of all its IP
-addresses, both IPv4 and IPv6.
-Specific addresses configured on an interface can also be selected by family,
-e.g.:
+Example of configuration with static interface lists:
 .Bd -literal
 $pub_if4 = inet4(wm0)
 $pub_if46 = { inet4(wm0), inet6(wm0) }
 .Ed
 .Pp
-In the above examples, NPF will statically capture the interface
-addresses on configuration load.
+In the above example, $pub_if4 is the list of IPv4 addresses configured
+on wm0, and $pub_if46 is the list of IPv4 and IPv6 addresses configured
+on wm0.
 .Pp
-The following can be used for dynamic handling of the interface addresses:
+Example of configuration with dynamic interface lists:
 .Bd -literal
-$pub_if = ifaddrs(wm0)
+$pub_if_1 = ifaddrs(wm0)
+$pub_if_2 = wm0
 .Ed
 .Pp
-In this case, the expression will represent the runtime list of addresses,
-reflecting any changes to the interface, including the attach and detach.
-Marking the interface as ``down'' has no effect, i.e. all addresses will
-remain present.
-.Pp
-A dynamic address list represents both the IPv4 and IPv6 addresses configured on
-an interface.
-The
-.Cd family
-keyword can be used in combination of a filtering rule to be explicit.
+In the above example, $pub_if_1 and $pub_if_2 are equal.
 .Ss Groups
 NPF requires that all rules be defined within groups.
 Groups can be thought of as higher level rules which can contain subrules.
@@ -174,7 +188,9 @@ Its parameter should be a protocol numbe
 as specified in the
 .Pa /etc/protocols
 file.
-The protocol keyword can additionally have protocol-specific options.
+This keyword can additionally have protocol-specific options, such as
+.Cd flags .
+.Pp
 The
 .Cd flags
 keyword can be used to match the packets against specific TCP flags,
@@ -279,7 +295,9 @@ on packets originating from the 10.1.1.0
 Explicit filter criteria can be specified using "pass " as
 an additional option of the mapping.
 .Pp
-The dynamic NAT implies network address and port translation (NAPT).
+The
+.Cd dynamic
+NAT implies network address and port translation (NAPT).
 The port translation can be controlled explicitly.
 For example, the following provides "port forwarding", redirecting the
 public port 9022 to the port 22 of an internal host:
@@ -287,7 +305,9 @@ public port 9022 to the port 22 of an in
 map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
 .Ed
 .Pp
-The static NAT can have 

CVS commit: src/usr.sbin/npf/npfctl

2018-09-02 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Sun Sep  2 17:45:18 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Be clearer about the difference between static vs dynamic interface list,
and slightly improve wording.

My understanding is that when none of inet4/inet6/ifaddrs is passed, NPF
assumes ifaddrs.


To generate a diff of this commit:
cvs rdiff -u -r1.72 -r1.73 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-09-01 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Sat Sep  1 19:26:46 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Remove superfluous Pp.


To generate a diff of this commit:
cvs rdiff -u -r1.71 -r1.72 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.71 src/usr.sbin/npf/npfctl/npf.conf.5:1.72
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.71	Sat Sep  1 16:28:57 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sat Sep  1 19:26:46 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.71 2018/09/01 16:28:57 rmind Exp $
+.\"$NetBSD: npf.conf.5,v 1.72 2018/09/01 19:26:46 wiz Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -298,7 +298,6 @@ IPv6-to-IPv6 network prefix translation 
 .El
 .Pp
 Currently, the static NAT algorithms do not perform port translation.
-.Pp
 .Ss Application Level Gateways
 Certain application layer protocols are not compatible with NAT and require
 translation outside layers 3 and 4.



CVS commit: src/usr.sbin/npf/npfctl

2018-09-01 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Sat Sep  1 19:26:46 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Remove superfluous Pp.


To generate a diff of this commit:
cvs rdiff -u -r1.71 -r1.72 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



Re: CVS commit: src/usr.sbin/npf/npfctl

2018-09-01 Thread Maxime Villard

Le 01/09/2018 à 18:28, Mindaugas Rasiukevicius a écrit :

Module Name:src
Committed By:   rmind
Date:   Sat Sep  1 16:28:57 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
npf.conf(5): fix some of the previous incorrect or inaccurate changes.
The TCP flags option is not only for the stateful tracking.  Dynamic NAT
implies NAPT; algorithms, at least for now, are for static NAT mappings.
Mention that ALG ICMP is also for traceroute behind NAT; also mention
"MSS clamping" (some users might search for this term, so keeping the
terminology is helpful).


To generate a diff of this commit:
cvs rdiff -u -r1.70 -r1.71 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Indeed, the 'flags' option was not documented in the right section; thanks
for moving it to the correct one.

I believe it would be better to change

-   The protocol keyword can additionally have ...
+   The
+   .Cd proto
+   keyword can additionally have ...

To keep things consistent. Or even "This keyword" to avoid repeating.

And the end of the sentence should maybe be "protocol-specific options such
as 'flags'", to make it clearer that you just want to talk about 'flags' in
what follows.


CVS commit: src/usr.sbin/npf/npfctl

2018-09-01 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Sep  1 16:28:57 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
npf.conf(5): fix some of the previous incorrect or inaccurate changes.
The TCP flags option is not only for the stateful tracking.  Dynamic NAT
implies NAPT; algorithms, at least for now, are for static NAT mappings.
Mention that ALG ICMP is also for traceroute behind NAT; also mention
"MSS clamping" (some users might search for this term, so keeping the
terminology is helpful).


To generate a diff of this commit:
cvs rdiff -u -r1.70 -r1.71 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-09-01 Thread Mindaugas Rasiukevicius
Module Name:src
Committed By:   rmind
Date:   Sat Sep  1 16:28:57 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
npf.conf(5): fix some of the previous incorrect or inaccurate changes.
The TCP flags option is not only for the stateful tracking.  Dynamic NAT
implies NAPT; algorithms, at least for now, are for static NAT mappings.
Mention that ALG ICMP is also for traceroute behind NAT; also mention
"MSS clamping" (some users might search for this term, so keeping the
terminology is helpful).


To generate a diff of this commit:
cvs rdiff -u -r1.70 -r1.71 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.70 src/usr.sbin/npf/npfctl/npf.conf.5:1.71
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.70	Fri Aug 31 11:18:35 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sat Sep  1 16:28:57 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.70 2018/08/31 11:18:35 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.71 2018/09/01 16:28:57 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 31, 2018
+.Dd September 1, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -87,8 +87,8 @@ table  type hash dynamic
 .Pp
 .Ed
 Currently, tables support three data storage types: "hash", "tree", or "cdb".
-Tables can also be set as containing "dynamic" or "static" data i.e. loaded from
- a specified file.
+Tables can also be set as containing "dynamic" or "static" data i.e. loaded
+from a specified file.
 Tables of type "hash" and "cdb" can only contain IP addresses.
 Only static data can be used with a storage type of "cdb".
 .Pp
@@ -166,9 +166,31 @@ option set, this rule is considered the 
 evaluation of subsequent rules is skipped.
 Otherwise, the last matching rule is used.
 .Pp
-A rule can also instruct NPF to create an entry in the state table
-when passing the packet, to notify the sender when blocking it, and
-to apply a procedure to the packet (e.g. "log") in either case.
+The
+.Cd proto
+keyword can be used to filter packets by layer 4 protocol (TCP, UDP, ICMP
+or other).
+Its parameter should be a protocol number or its symbolic name,
+as specified in the
+.Pa /etc/protocols
+file.
+The protocol keyword can additionally have protocol-specific options.
+The
+.Cd flags
+keyword can be used to match the packets against specific TCP flags,
+according to the following syntax:
+.Bl -tag -width protoXX -offset indent
+.It proto tcp flags Ar match[/mask]
+.El
+.Pp
+Where
+.Ar match
+is the set of TCP flags to be matched, out of the
+.Ar mask
+set, both sets being represented as a string combination of: S (SYN),
+A (ACK), F (FIN), R (RST). The flags that are not present in
+.Ar mask
+are ignored.
 .Pp
 To notify the sender of a blocking decision, three
 .Cd return
@@ -187,20 +209,19 @@ Return an ICMP UNREACHABLE message, when
 Applies to IPv4 and IPv6.
 .El
 .Pp
+Further packet specification at present is limited to TCP and UDP
+understanding source and destination ports, and ICMP and IPv6-ICMP
+understanding icmp-type.
+.Pp
+A rule can also instruct NPF to create an entry in the state table when
+passing the packet or to apply a procedure to the packet (e.g. "log").
+.Pp
 A "fully-featured" rule would for example be:
 .Bd -literal
 pass stateful in final family inet4 proto tcp flags S/SA \\
 	from $source port $sport to $dest port $dport apply "someproc"
 .Ed
 .Pp
-Any protocol in
-.Pa /etc/protocols
-can be specified.
-Further packet
-specification at present is limited to protocol TCP understanding flags,
-TCP and UDP understanding source and destination ports, and ICMP and
-IPv6-ICMP understanding icmp-type.
-.Pp
 Alternatively, NPF supports
 .Xr pcap-filter 7
 syntax, for example:
@@ -223,25 +244,6 @@ precaution.
 In both cases, a full TCP state tracking is performed for TCP connections
 and a limited tracking for message-based protocols (UDP and ICMP).
 .Pp
-The
-.Cd flags
-keyword can be used in conjunction with the
-.Cd stateful
-keyword to match the packets against specific TCP flags, according to
-the following syntax:
-.Bl -tag -width flagsXX -offset indent
-.It flags Ar match[/mask]
-.El
-.Pp
-Where
-.Ar match
-is the set of TCP flags to be matched, out of the
-.Ar mask
-set, both sets being represented as a string combination of: S (SYN),
-A (ACK), F (FIN), R (RST). The flags that are not present in
-.Ar mask
-are ignored.
-.Pp
 By default, a stateful rule implies SYN-only flag check ("flags S/SAFR")
 for the TCP packets.
 It is not advisable to change this behavior; however,
@@ -271,21 +273,32 @@ specified by $pub_ip for the packets on 
 map $ext_if dynamic 10.1.1.0/24 -> $pub_ip
 .Ed
 .Pp
-Several NAT 

CVS commit: src/usr.sbin/npf/npfctl

2018-08-31 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 31 11:18:35 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
rename net-seg -> map-seg, and document it


To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.70 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.69 src/usr.sbin/npf/npfctl/npf.conf.5:1.70
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.69	Fri Aug 31 11:11:21 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Fri Aug 31 11:18:35 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.69 2018/08/31 11:11:21 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.70 2018/08/31 11:18:35 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -408,11 +408,12 @@ table-def	= "table" table-id "type" ( "h
 map		= "map" interface
 		  ( "static" [ "algo" map-algo ] | "dynamic" )
 		  [ map-flags ] [ proto ]
-		  net-seg ( "->" | "<-" | "<->" ) net-seg
+		  map-seg ( "->" | "<-" | "<->" ) map-seg
 		  [ "pass" [ proto ] filt-opts ]
 
 map-algo	= "npt66"
 map-flags	= "no-ports"
+map-seg		= ( addr-mask | interface ) [ port-opts ]
 
 # Rule procedure definition.  The name should be in the double quotes.
 #
@@ -448,11 +449,11 @@ family-opt	= "inet4" | "inet6"
 proto-opts	= "flags" tcp-flags [ "/" tcp-flag-mask ] |
 		  "icmp-type" type [ "code" icmp-code ]
 
-addr-mask	= addr [ "/" mask ]
 filt-opts	= "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ]
 filt-addr	= [ "!" ] [ interface | addr-mask | table-id | "any" ]
 
 port-opts	= "port" ( port-num | port-from "-" port-to | var-name )
+addr-mask	= addr [ "/" mask ]
 .Ed
 .\" -
 .Sh FILES



CVS commit: src/usr.sbin/npf/npfctl

2018-08-31 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 31 11:18:35 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
rename net-seg -> map-seg, and document it


To generate a diff of this commit:
cvs rdiff -u -r1.69 -r1.70 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-31 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 31 11:11:21 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
"interface" already contains "var-name", so don't mention it in "filt-addr";
that's redundant.


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.69 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-31 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 31 11:11:21 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
"interface" already contains "var-name", so don't mention it in "filt-addr";
that's redundant.


To generate a diff of this commit:
cvs rdiff -u -r1.68 -r1.69 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.68 src/usr.sbin/npf/npfctl/npf.conf.5:1.69
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.68	Fri Aug 31 11:01:09 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Fri Aug 31 11:11:21 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.68 2018/08/31 11:01:09 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.69 2018/08/31 11:11:21 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -450,8 +450,7 @@ proto-opts	= "flags" tcp-flags [ "/" tcp
 
 addr-mask	= addr [ "/" mask ]
 filt-opts	= "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ]
-filt-addr	= [ "!" ] [ interface | var-name |
-  addr-mask | table-id | "any" ]
+filt-addr	= [ "!" ] [ interface | addr-mask | table-id | "any" ]
 
 port-opts	= "port" ( port-num | port-from "-" port-to | var-name )
 .Ed



CVS commit: src/usr.sbin/npf/npfctl

2018-08-31 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 31 11:01:09 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
should be port-opts


To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.67 src/usr.sbin/npf/npfctl/npf.conf.5:1.68
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.67	Fri Aug 31 10:52:30 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Fri Aug 31 11:01:09 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.67 2018/08/31 10:52:30 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.68 2018/08/31 11:01:09 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -452,7 +452,8 @@ addr-mask	= addr [ "/" mask ]
 filt-opts	= "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ]
 filt-addr	= [ "!" ] [ interface | var-name |
   addr-mask | table-id | "any" ]
-filt-port	= "port" ( port-num | port-from "-" port-to | var-name )
+
+port-opts	= "port" ( port-num | port-from "-" port-to | var-name )
 .Ed
 .\" -
 .Sh FILES



CVS commit: src/usr.sbin/npf/npfctl

2018-08-31 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 31 11:01:09 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
should be port-opts


To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-31 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 31 10:52:30 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Clarify the "Groups" section.


To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.66 src/usr.sbin/npf/npfctl/npf.conf.5:1.67
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.66	Mon Aug 27 13:20:47 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Fri Aug 31 10:52:30 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.66 2018/08/27 13:20:47 wiz Exp $
+.\"$NetBSD: npf.conf.5,v 1.67 2018/08/31 10:52:30 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 27, 2018
+.Dd August 31, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -132,17 +132,25 @@ The
 .Cd family
 keyword can be used in combination of a filtering rule to be explicit.
 .Ss Groups
+NPF requires that all rules be defined within groups.
+Groups can be thought of as higher level rules which can contain subrules.
 Groups may have the following options: name, interface, and direction.
-They are defined in the following form:
+Packets matching group criteria are passed to the ruleset of that group.
+If a packet does not match any group, it is passed to the
+.Cd default group .
+The
+.Cd default group
+must always be defined.
+.Pp
+Example of configuration:
 .Bd -literal
 group "my-name" in on wm0 {
-	# List of rules
+	# List of rules, for packets received on wm0
+}
+group default {
+	# List of rules, for the other packets
 }
 .Ed
-A minimal
-.Nm
-must contain a mandatory
-.Cd default group .
 .Ss Rules
 With a rule statement NPF is instructed to
 .Cd pass



CVS commit: src/usr.sbin/npf/npfctl

2018-08-31 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 31 10:52:30 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Clarify the "Groups" section.


To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-27 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Mon Aug 27 13:20:47 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Add missing -width; remove unnecessary .Pp.


To generate a diff of this commit:
cvs rdiff -u -r1.65 -r1.66 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-27 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Mon Aug 27 13:20:47 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Add missing -width; remove unnecessary .Pp.


To generate a diff of this commit:
cvs rdiff -u -r1.65 -r1.66 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.65 src/usr.sbin/npf/npfctl/npf.conf.5:1.66
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.65	Mon Aug 27 13:09:16 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Mon Aug 27 13:20:47 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.65 2018/08/27 13:09:16 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.66 2018/08/27 13:20:47 wiz Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -221,7 +221,7 @@ keyword can be used in conjunction with 
 .Cd stateful
 keyword to match the packets against specific TCP flags, according to
 the following syntax:
-.Bl -tag -offset indent
+.Bl -tag -width flagsXX -offset indent
 .It flags Ar match[/mask]
 .El
 .Pp
@@ -248,7 +248,6 @@ The translation may be
 .Cd static
 (stateless).
 The following mapping types are available:
-.Pp
 .Bl -tag -width <-> -offset indent
 .It Pa ->
 outbound NAT (translation of the source)



CVS commit: src/usr.sbin/npf/npfctl

2018-08-27 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Mon Aug 27 13:09:16 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve the "Map" section.


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.64 src/usr.sbin/npf/npfctl/npf.conf.5:1.65
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.64	Mon Aug 27 12:46:03 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Mon Aug 27 13:09:16 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.64 2018/08/27 12:46:03 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.65 2018/08/27 13:09:16 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -258,12 +258,22 @@ inbound NAT (translation of the destinat
 bi-directional NAT (combination of inbound and outbound NAT)
 .El
 .Pp
-The following would translate the source to the IP address specified
-by the $pub_ip for the packets on the interface $ext_if.
+The following would translate the source (10.1.1.0/24) to the IP address
+specified by $pub_ip for the packets on the interface $ext_if.
 .Bd -literal
 map $ext_if dynamic 10.1.1.0/24 -> $pub_ip
 .Ed
 .Pp
+Several NAT algorithms are available, and can be chosen using the
+.Cd algo
+keyword.
+By default, NPF will use the NAPT algorithm.
+The other available algorithms are:
+.Bl -tag -width Xnpt66XX -offset indent
+.It npt66
+IPv6-to-IPv6 network prefix translation (NPTv6).
+.El
+.Pp
 Translations are implicitly filtered by limiting the operation to the
 network segments specified, that is, translation would be performed only
 on packets originating from the 10.1.1.0/24 network.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-27 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Mon Aug 27 13:09:16 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve the "Map" section.


To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-27 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Mon Aug 27 12:46:03 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Document ALGs.


To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.64 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.63 src/usr.sbin/npf/npfctl/npf.conf.5:1.64
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.63	Fri Aug 17 12:20:49 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Mon Aug 27 12:46:03 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.63 2018/08/17 12:20:49 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.64 2018/08/27 12:46:03 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 17, 2018
+.Dd August 27, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -58,6 +58,8 @@ packet filtering rules
 .It
 map rules for address translation
 .It
+application level gateways
+.It
 procedure definitions to call on filtered packets.
 .El
 .Sh SYNTAX
@@ -267,6 +269,35 @@ network segments specified, that is, tra
 on packets originating from the 10.1.1.0/24 network.
 Explicit filter criteria can be specified using "pass " as
 an additional option of the mapping.
+.Ss Application Level Gateways
+Certain application layer protocols are not compatible with NAT and require
+translation outside layers 3 and 4.
+Such translation is performed by packet filter extensions called
+Application Level Gateways (ALGs).
+.Pp
+NPF supports the following ALGs:
+.Bl -tag -width XicmpXX -offset indent
+.It icmp
+ICMP ALG.
+Allows to find an active connection by looking at the ICMP payload, and to
+perform NAT translation of the ICMP payload.
+Applies to IPv4 and IPv6.
+.El
+.Pp
+The ALGs are built-in, unless NPF is used as kernel module, in which case
+they come as kernel modules too.
+In that case, the ALG kernel modules can be autoloaded through the
+configuration, using the
+.Cd alg
+keyword.
+.Pp
+For example:
+.Bd -literal
+alg "icmp"
+.Ed
+.Pp
+Alternatively, the ALG kernel modules can be loaded manually, using
+.Xr modload 8 .
 .Ss Procedures
 A rule procedure is defined as a collection of extension calls (it
 may have none).
@@ -344,9 +375,10 @@ var-def		= var "=" ( var-value | "{" val
 # Parameter setting.
 set-param	= "set" param-value
 
-# Application level gateway.  The name should be in the double quotes.
+# Application level gateway.  The name should be in double quotes.
 
 alg		= "alg" alg-name
+alg-name	= "icmp"
 
 # Table definition.  Table ID shall be numeric.  Path is in the double quotes.
 



CVS commit: src/usr.sbin/npf/npfctl

2018-08-27 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Mon Aug 27 12:46:03 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Document ALGs.


To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.64 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-17 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 17 12:20:49 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Add the values of "algo" to the grammar, and use # as the comment marker so that
man-k.org (and other tools) do not highlight things incorrectly.


To generate a diff of this commit:
cvs rdiff -u -r1.62 -r1.63 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-17 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 17 12:20:49 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Add the values of "algo" to the grammar, and use # as the comment marker so that
man-k.org (and other tools) do not highlight things incorrectly.


To generate a diff of this commit:
cvs rdiff -u -r1.62 -r1.63 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.62 src/usr.sbin/npf/npfctl/npf.conf.5:1.63
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.62	Fri Aug 17 12:04:20 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Fri Aug 17 12:20:49 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.62 2018/08/17 12:04:20 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.63 2018/08/17 12:20:49 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -329,52 +329,53 @@ The following is a non-formal BNF-like d
 The definition is simplified and is intended to be human readable,
 therefore it does not strictly represent the formal grammar.
 .Bd -literal
-; Syntax of a single line.  Lines can be separated by LF (\\n) or
-; a semicolon.  Comments start with a hash (#) character.
+# Syntax of a single line.  Lines can be separated by LF (\\n) or
+# a semicolon.  Comments start with a hash (#) character.
 
 syntax		= var-def | set-param | alg | table-def |
 		  map | group | proc | comment
 
-; Variable definition.  Names can be alpha-numeric, including "_" character.
+# Variable definition.  Names can be alpha-numeric, including "_" character.
 
 var-name	= "$" . string
 interface	= interface-name | var-name
 var-def		= var "=" ( var-value | "{" value *[ "," value ] "}" )
 
-; Parameter setting.
+# Parameter setting.
 set-param	= "set" param-value
 
-; Application level gateway.  The name should be in the double quotes.
+# Application level gateway.  The name should be in the double quotes.
 
 alg		= "alg" alg-name
 
-; Table definition.  Table ID shall be numeric.  Path is in the double quotes.
+# Table definition.  Table ID shall be numeric.  Path is in the double quotes.
 
 table-id	= 
 table-def	= "table" table-id "type" ( "hash" | "tree" | "cdb" )
 		  ( "dynamic" | "file" path )
 
-; Mapping for address translation.
+# Mapping for address translation.
 
 map		= "map" interface
-		  ( "static" [ "algo" algorithm ] | "dynamic" )
+		  ( "static" [ "algo" map-algo ] | "dynamic" )
 		  [ map-flags ] [ proto ]
 		  net-seg ( "->" | "<-" | "<->" ) net-seg
 		  [ "pass" [ proto ] filt-opts ]
 
+map-algo	= "npt66"
 map-flags	= "no-ports"
 
-; Rule procedure definition.  The name should be in the double quotes.
-;
-; Each call can have its own options in a form of key-value pairs.
-; Both key and values may be strings (either in double quotes or not)
-; and numbers, depending on the extension.
+# Rule procedure definition.  The name should be in the double quotes.
+#
+# Each call can have its own options in a form of key-value pairs.
+# Both key and values may be strings (either in double quotes or not)
+# and numbers, depending on the extension.
 
 proc		= "procedure" proc-name "{" *( proc-call [ new-line ] ) "}"
 proc-opts	= key [ " " val ] [ "," proc-opts ]
 proc-call	= call-name ":" proc-opts new-line
 
-; Group definition and the rule list.
+# Group definition and the rule list.
 
 group		= "group" ( "default" | group-opts ) "{" rule-list "}"
 group-opts	= name-string [ "in" | "out" ] [ "on" interface ]



CVS commit: src/usr.sbin/npf/npfctl

2018-08-17 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 17 12:04:20 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Add missing quote in static-rule; its absence causes man-k.org (and other tools)
to wrongly highlight the grammar.


To generate a diff of this commit:
cvs rdiff -u -r1.61 -r1.62 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-17 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 17 12:04:20 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Add missing quote in static-rule; its absence causes man-k.org (and other tools)
to wrongly highlight the grammar.


To generate a diff of this commit:
cvs rdiff -u -r1.61 -r1.62 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.61 src/usr.sbin/npf/npfctl/npf.conf.5:1.62
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.61	Fri Aug 17 10:24:19 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Fri Aug 17 12:04:20 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.61 2018/08/17 10:24:19 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.62 2018/08/17 12:04:20 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -383,7 +383,7 @@ rule-list	= [ rule new-line ] rule-list
 npf-filter	= [ "family" family-opt ] [ proto ] ( "all" | filt-opts )
 static-rule	= ( "block" [ block-opts ] | "pass" )
 		  [ "stateful" | "stateful-ends" ]
-		  [ "in" | out" ] [ "final" ] [ "on" interface ]
+		  [ "in" | "out" ] [ "final" ] [ "on" interface ]
 		  ( npf-filter | "pcap-filter" pcap-filter-expr )
 		  [ "apply" proc-name ]
 



CVS commit: src/usr.sbin/npf/npfctl

2018-08-17 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 17 10:24:19 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Replace "rproc"->"proc" in the grammar (spotted by he@), and slightly
reword.


To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.60 src/usr.sbin/npf/npfctl/npf.conf.5:1.61
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.60	Fri Aug 17 10:16:24 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Fri Aug 17 10:24:19 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.60 2018/08/17 10:16:24 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.61 2018/08/17 10:24:19 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -225,7 +225,7 @@ the following syntax:
 .Pp
 Where
 .Ar match
-is the set of TCP flags we want to match out of the
+is the set of TCP flags to be matched, out of the
 .Ar mask
 set, both sets being represented as a string combination of: S (SYN),
 A (ACK), F (FIN), R (RST). The flags that are not present in
@@ -333,7 +333,7 @@ therefore it does not strictly represent
 ; a semicolon.  Comments start with a hash (#) character.
 
 syntax		= var-def | set-param | alg | table-def |
-		  map | group | rproc | comment
+		  map | group | proc | comment
 
 ; Variable definition.  Names can be alpha-numeric, including "_" character.
 



CVS commit: src/usr.sbin/npf/npfctl

2018-08-17 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 17 10:24:19 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Replace "rproc"->"proc" in the grammar (spotted by he@), and slightly
reword.


To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-17 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 17 10:16:24 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Replace () by [] in tcp-flags.

Fix proc-opts, the value is optional, noted by he@.


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.60 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.59 src/usr.sbin/npf/npfctl/npf.conf.5:1.60
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.59	Thu Aug 16 09:58:00 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Fri Aug 17 10:16:24 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.59 2018/08/16 09:58:00 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.60 2018/08/17 10:16:24 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 16, 2018
+.Dd August 17, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -371,7 +371,7 @@ map-flags	= "no-ports"
 ; and numbers, depending on the extension.
 
 proc		= "procedure" proc-name "{" *( proc-call [ new-line ] ) "}"
-proc-opts	= key " " val [ "," proc-opts ]
+proc-opts	= key [ " " val ] [ "," proc-opts ]
 proc-call	= call-name ":" proc-opts new-line
 
 ; Group definition and the rule list.
@@ -391,7 +391,7 @@ dynamic-ruleset	= "ruleset" group-opts
 rule		= static-rule | dynamic-ruleset
 
 tcp-flag-mask	= tcp-flags
-tcp-flags	= ("S")("A")("F")("R")
+tcp-flags	= [ "S" ] [ "A" ] [ "F" ] [ "R" ]
 proto		= "proto" protocol [ proto-opts ]
 block-opts	= "return-rst" | "return-icmp" | "return"
 family-opt	= "inet4" | "inet6"



CVS commit: src/usr.sbin/npf/npfctl

2018-08-17 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Fri Aug 17 10:16:24 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Replace () by [] in tcp-flags.

Fix proc-opts, the value is optional, noted by he@.


To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.60 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 09:58:00 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve wording.


To generate a diff of this commit:
cvs rdiff -u -r1.58 -r1.59 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 09:58:00 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve wording.


To generate a diff of this commit:
cvs rdiff -u -r1.58 -r1.59 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.58 src/usr.sbin/npf/npfctl/npf.conf.5:1.59
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.58	Thu Aug 16 09:50:37 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Thu Aug 16 09:58:00 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.58 2018/08/16 09:50:37 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.59 2018/08/16 09:58:00 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -225,7 +225,7 @@ the following syntax:
 .Pp
 Where
 .Ar match
-is the set of TCP flags present in the
+is the set of TCP flags we want to match out of the
 .Ar mask
 set, both sets being represented as a string combination of: S (SYN),
 A (ACK), F (FIN), R (RST). The flags that are not present in



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 09:50:37 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve the "Map" section a little.


To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.58 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.57 src/usr.sbin/npf/npfctl/npf.conf.5:1.58
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.57	Thu Aug 16 09:46:18 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Thu Aug 16 09:50:37 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.57 2018/08/16 09:46:18 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.58 2018/08/16 09:50:37 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -240,10 +240,14 @@ it can be overridden with the aforementi
 keyword.
 .Ss Map
 Network Address Translation (NAT) is expressed in a form of segment mapping.
-The translation may be dynamic (stateful) or static (stateless).
+The translation may be
+.Cd dynamic
+(stateful) or
+.Cd static
+(stateless).
 The following mapping types are available:
 .Pp
-.Bl -tag -width <-> -compact
+.Bl -tag -width <-> -offset indent
 .It Pa ->
 outbound NAT (translation of the source)
 .It Pa <-
@@ -260,7 +264,7 @@ map $ext_if dynamic 10.1.1.0/24 -> $pub_
 .Pp
 Translations are implicitly filtered by limiting the operation to the
 network segments specified, that is, translation would be performed only
-on packets originating from 10.1.1.0/24 network.
+on packets originating from the 10.1.1.0/24 network.
 Explicit filter criteria can be specified using "pass " as
 an additional option of the mapping.
 .Ss Procedures



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 09:50:37 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve the "Map" section a little.


To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.58 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 09:46:18 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Document the "flags" keyword.


To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.57 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 09:46:18 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Document the "flags" keyword.


To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.57 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.56 src/usr.sbin/npf/npfctl/npf.conf.5:1.57
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.56	Thu Aug 16 09:21:00 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Thu Aug 16 09:46:18 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.56 2018/08/16 09:21:00 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.57 2018/08/16 09:46:18 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -201,7 +201,7 @@ block out final pcap-filter "tcp and dst
 Fragments are not selectable since NPF always reassembles packets
 before further processing.
 .Ss Stateful
-Stateful packet inspection is enabled using
+Stateful packet inspection is enabled using the
 .Cd stateful
 or
 .Cd stateful-ends
@@ -213,10 +213,29 @@ precaution.
 In both cases, a full TCP state tracking is performed for TCP connections
 and a limited tracking for message-based protocols (UDP and ICMP).
 .Pp
+The
+.Cd flags
+keyword can be used in conjunction with the
+.Cd stateful
+keyword to match the packets against specific TCP flags, according to
+the following syntax:
+.Bl -tag -offset indent
+.It flags Ar match[/mask]
+.El
+.Pp
+Where
+.Ar match
+is the set of TCP flags present in the
+.Ar mask
+set, both sets being represented as a string combination of: S (SYN),
+A (ACK), F (FIN), R (RST). The flags that are not present in
+.Ar mask
+are ignored.
+.Pp
 By default, a stateful rule implies SYN-only flag check ("flags S/SAFR")
 for the TCP packets.
 It is not advisable to change this behavior; however,
-it can be overridden with the
+it can be overridden with the aforementioned
 .Cd flags
 keyword.
 .Ss Map
@@ -367,6 +386,8 @@ static-rule	= ( "block" [ block-opts ] |
 dynamic-ruleset	= "ruleset" group-opts
 rule		= static-rule | dynamic-ruleset
 
+tcp-flag-mask	= tcp-flags
+tcp-flags	= ("S")("A")("F")("R")
 proto		= "proto" protocol [ proto-opts ]
 block-opts	= "return-rst" | "return-icmp" | "return"
 family-opt	= "inet4" | "inet6"



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 09:21:00 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve the "Rules" section: better explain the "final" keyword (it is
the same as PF's "quick", so use the same wording), and document the
"return" options.

While here simplify the man code, suggested by wiz.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.56 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.55 src/usr.sbin/npf/npfctl/npf.conf.5:1.56
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.55	Thu Aug 16 08:51:53 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Thu Aug 16 09:21:00 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.55 2018/08/16 08:51:53 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.56 2018/08/16 09:21:00 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -147,13 +147,36 @@ With a rule statement NPF is instructed 
 or
 .Cd block
 a packet depending on packet header information, transit direction and
-the interface it arrived on, either immediately upon match (keyword
-.Cd final )
-or using the last match.
-The rule can also instruct NPF to create an entry in the state table
+the interface it arrived on, either immediately upon match or using the
+last match.
+.Pp
+If a packet matches a rule which has the
+.Cd final
+option set, this rule is considered the last matching rule, and
+evaluation of subsequent rules is skipped.
+Otherwise, the last matching rule is used.
+.Pp
+A rule can also instruct NPF to create an entry in the state table
 when passing the packet, to notify the sender when blocking it, and
 to apply a procedure to the packet (e.g. "log") in either case.
 .Pp
+To notify the sender of a blocking decision, three
+.Cd return
+options can be used in conjunction with a
+.Cd block
+rule:
+.Bl -tag -width Xreturn-icmpXX -offset indent
+.It return
+Behaves as return-rst or return-icmp, depending on whether the packet
+being blocked is TCP or UDP.
+.It return-rst
+Return a TCP RST message, when the packet being blocked is a TCP packet.
+Applies to IPv4 and IPv6.
+.It return-icmp
+Return an ICMP UNREACHABLE message, when the packet being blocked is a UDP packet.
+Applies to IPv4 and IPv6.
+.El
+.Pp
 A "fully-featured" rule would for example be:
 .Bd -literal
 pass stateful in final family inet4 proto tcp flags S/SA \\
@@ -253,13 +276,9 @@ The available normalization options are:
 .Bl -tag -width XXmin-ttlXXvalueXX -offset indent
 .It Dq random-id
 Randomize the IPv4 ID parameter.
-.It Dq min-ttl Xo
-.Ar value
-.Xc
+.It Do min-ttl Dc Ar value
 Enforce a minimum value for the IPv4 Time To Live (TTL) parameter.
-.It Dq max-mss Xo
-.Ar value
-.Xc
+.It Do max-mss Dc Ar value
 Enforce a maximum value for the MSS on TCP packets.
 .It Dq no-df
 Remove the Don't Fragment (DF) flag from IPv4 packets.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 09:21:00 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Improve the "Rules" section: better explain the "final" keyword (it is
the same as PF's "quick", so use the same wording), and document the
"return" options.

While here simplify the man code, suggested by wiz.


To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.56 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 08:51:53 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Add quotes around the option names, to match the actual npf conf.


To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 08:51:53 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Add quotes around the option names, to match the actual npf conf.


To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.54 src/usr.sbin/npf/npfctl/npf.conf.5:1.55
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.54	Thu Aug 16 08:37:51 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Thu Aug 16 08:51:53 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.54 2018/08/16 08:37:51 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.55 2018/08/16 08:51:53 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -250,14 +250,18 @@ auto-loaded by NPF.
 .El
 .Pp
 The available normalization options are:
-.Bl -tag -width Xmin-ttlXvalueXX -offset indent
-.It random-id
+.Bl -tag -width XXmin-ttlXXvalueXX -offset indent
+.It Dq random-id
 Randomize the IPv4 ID parameter.
-.It min-ttl Ar value
+.It Dq min-ttl Xo
+.Ar value
+.Xc
 Enforce a minimum value for the IPv4 Time To Live (TTL) parameter.
-.It max-mss Ar value
+.It Dq max-mss Xo
+.Ar value
+.Xc
 Enforce a maximum value for the MSS on TCP packets.
-.It no-df
+.It Dq no-df
 Remove the Don't Fragment (DF) flag from IPv4 packets.
 .El
 .Pp



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 08:37:51 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Enlighten the "Procedures" section. In particular document the "no-df"
option. Also replace "normalisation" -> "normalization", to match the
name of the rule.


To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.53 src/usr.sbin/npf/npfctl/npf.conf.5:1.54
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.53	Mon Aug 13 06:06:13 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Thu Aug 16 08:37:51 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.53 2018/08/13 06:06:13 wiz Exp $
+.\"$NetBSD: npf.conf.5,v 1.54 2018/08/16 08:37:51 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 7, 2018
+.Dd August 16, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -228,6 +228,39 @@ Every extension call has a name and a li
 key-value pairs.
 Depending on the call, the key might represent the argument and the value
 might be optional.
+Available options:
+.Bl -tag -width Xlog:XinterfaceXX -offset indent
+.It log: Ar interface
+Log events.
+This requires the npf_ext_log kernel module, which would normally get
+auto-loaded by NPF.
+The specified npflog interface would also be auto-created once the
+configuration is loaded.
+The log packets can be written to a file using the
+.Xr npfd 8
+daemon.
+.It normalize: Xo
+.Ar option1
+.Op , Ar option2
+.Ar ...
+.Xc
+Modify packets according to the specified normalization options.
+This requires the npf_ext_normalize kernel module, which would normally get
+auto-loaded by NPF.
+.El
+.Pp
+The available normalization options are:
+.Bl -tag -width Xmin-ttlXvalueXX -offset indent
+.It random-id
+Randomize the IPv4 ID parameter.
+.It min-ttl Ar value
+Enforce a minimum value for the IPv4 Time To Live (TTL) parameter.
+.It max-mss Ar value
+Enforce a maximum value for the MSS on TCP packets.
+.It no-df
+Remove the Don't Fragment (DF) flag from IPv4 packets.
+.El
+.Pp
 For example:
 .Bd -literal
 procedure "someproc" {
@@ -236,19 +269,7 @@ procedure "someproc" {
 }
 .Ed
 .Pp
-In this case, the procedure calls the logging and normalisation modules.
-The logging facility requires the npf_ext_log kernel module which would
-normally get auto-loaded by NPF.
-The specified npflog interface would also be auto-created once the
-configuration is loaded.
-The log packets can be written to a file using the
-.Xr npfd 8
-daemon.
-.Pp
-Traffic normalisation has a set of different mechanisms.
-In the example above, the normalisation procedure has arguments which
-apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF)
-flag cleansing, minimum TTL enforcement and TCP MSS "clamping".
+In this case, the procedure calls the logging and normalization modules.
 .Ss Misc
 Text after a hash
 .Pq Sq #



CVS commit: src/usr.sbin/npf/npfctl

2018-08-16 Thread Maxime Villard
Module Name:src
Committed By:   maxv
Date:   Thu Aug 16 08:37:51 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Enlighten the "Procedures" section. In particular document the "no-df"
option. Also replace "normalisation" -> "normalization", to match the
name of the rule.


To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-13 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Mon Aug 13 06:06:13 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Add missing El. Remove trailing whitespace.


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



CVS commit: src/usr.sbin/npf/npfctl

2018-08-13 Thread Thomas Klausner
Module Name:src
Committed By:   wiz
Date:   Mon Aug 13 06:06:13 UTC 2018

Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Add missing El. Remove trailing whitespace.


To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.52 src/usr.sbin/npf/npfctl/npf.conf.5:1.53
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.52	Tue Aug  7 00:22:13 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Mon Aug 13 06:06:13 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.52 2018/08/07 00:22:13 sevan Exp $
+.\"$NetBSD: npf.conf.5,v 1.53 2018/08/13 06:06:13 wiz Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -59,7 +59,7 @@ packet filtering rules
 map rules for address translation
 .It
 procedure definitions to call on filtered packets.
-
+.El
 .Sh SYNTAX
 .Ss Variables
 Variables are specified using the dollar ($) sign, which is used for both
@@ -128,7 +128,7 @@ A dynamic address list represents both t
 an interface.
 The
 .Cd family
-keyword can be used in combination of a filtering rule to be explicit. 
+keyword can be used in combination of a filtering rule to be explicit.
 .Ss Groups
 Groups may have the following options: name, interface, and direction.
 They are defined in the following form:


