Module Name:    src
Committed By:   maxv
Date:           Thu Aug 16 08:37:51 UTC 2018

Modified Files:
        src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Enlighten the "Procedures" section. In particular document the "no-df"
option.

Also replace "normalisation" -> "normalization", to match the name of the
rule.

To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.53 src/usr.sbin/npf/npfctl/npf.conf.5:1.54 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.53 Mon Aug 13 06:06:13 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Thu Aug 16 08:37:51 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf.conf.5,v 1.53 2018/08/13 06:06:13 wiz Exp $ +.\" $NetBSD: npf.conf.5,v 1.54 2018/08/16 08:37:51 maxv Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 7, 2018 +.Dd August 16, 2018 .Dt NPF.CONF 5 .Os .Sh NAME @@ -228,6 +228,39 @@ Every extension call has a name and a li key-value pairs. Depending on the call, the key might represent the argument and the value might be optional. +Available options: +.Bl -tag -width Xlog:XinterfaceXX -offset indent +.It log: Ar interface +Log events. +This requires the npf_ext_log kernel module, which would normally get +auto-loaded by NPF. +The specified npflog interface would also be auto-created once the +configuration is loaded. +The log packets can be written to a file using the +.Xr npfd 8 +daemon. +.It normalize: Xo +.Ar option1 +.Op , Ar option2 +.Ar ... +.Xc +Modify packets according to the specified normalization options. +This requires the npf_ext_normalize kernel module, which would normally get +auto-loaded by NPF. +.El +.Pp +The available normalization options are: +.Bl -tag -width Xmin-ttlXvalueXX -offset indent +.It random-id +Randomize the IPv4 ID parameter. +.It min-ttl Ar value +Enforce a minimum value for the IPv4 Time To Live (TTL) parameter. +.It max-mss Ar value +Enforce a maximum value for the MSS on TCP packets. +.It no-df +Remove the Don't Fragment (DF) flag from IPv4 packets. +.El +.Pp For example: .Bd -literal procedure "someproc" { 
@@ -236,19 +269,7 @@ procedure "someproc" { } .Ed .Pp -In this case, the procedure calls the logging and normalisation modules. -The logging facility requires the npf_ext_log kernel module which would -normally get auto-loaded by NPF. -The specified npflog interface would also be auto-created once the -configuration is loaded. -The log packets can be written to a file using the -.Xr npfd 8 -daemon. -.Pp -Traffic normalisation has a set of different mechanisms. -In the example above, the normalisation procedure has arguments which -apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF) -flag cleansing, minimum TTL enforcement and TCP MSS "clamping". +In this case, the procedure calls the logging and normalization modules. .Ss Misc Text after a hash .Pq Sq #
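
Review bot: the no-df entry in the hunk at @@ -228,6 +228,39 @@ is a single sentence ("Remove the Don't Fragment (DF) flag from IPv4 packets."), which is thin given that the log message singles this option out as the one being documented. It would help to add a sentence on the consequence for the packet (once DF is cleared it may be fragmented further along the path) and on when an administrator would want that. In the same list, min-ttl and max-mss each take a value argument, but neither entry states the accepted range or unit, or what is done to a packet that falls outside the limit (rewritten to the limit, or dropped); one clause per entry would cover it.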
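
Review bot: the sentence kept after the example in the hunk at @@ -236,19 +269,7 @@ ("In this case, the procedure calls the logging and normalization modules.") is now the only explanation of the example, because the removed paragraph was what mapped the example's arguments to their mechanisms. Either extend the sentence to point the reader to the option list that now sits above "For example:", or name the options the example actually passes, so the example can still be read without cross-referencing. The removed text also used the terms DF "cleansing" and TCP MSS "clamping", which do not appear in the new option descriptions; if those are the terms users search for, consider keeping them in the no-df and max-mss entries.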