Module Name:    src
Committed By:   maxv
Date:           Thu Aug 16 09:46:18 UTC 2018

Modified Files:
        src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Document the "flags" keyword.


To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.57 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.56 src/usr.sbin/npf/npfctl/npf.conf.5:1.57
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.56	Thu Aug 16 09:21:00 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Thu Aug 16 09:46:18 2018
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.56 2018/08/16 09:21:00 maxv Exp $
+.\"    $NetBSD: npf.conf.5,v 1.57 2018/08/16 09:46:18 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -201,7 +201,7 @@ block out final pcap-filter "tcp and dst
 Fragments are not selectable since NPF always reassembles packets
 before further processing.
 .Ss Stateful
-Stateful packet inspection is enabled using
+Stateful packet inspection is enabled using the
 .Cd stateful
 or
 .Cd stateful-ends
@@ -213,10 +213,29 @@ precaution.
 In both cases, a full TCP state tracking is performed for TCP connections
 and a limited tracking for message-based protocols (UDP and ICMP).
 .Pp
+The
+.Cd flags
+keyword can be used in conjunction with the
+.Cd stateful
+keyword to match the packets against specific TCP flags, according to
+the following syntax:
+.Bl -tag -offset indent
+.It flags Ar match[/mask]
+.El
+.Pp
+Where
+.Ar match
+is the set of TCP flags present in the
+.Ar mask
+set, both sets being represented as a string combination of: S (SYN),
+A (ACK), F (FIN), R (RST). The flags that are not present in
+.Ar mask
+are ignored.
+.Pp
 By default, a stateful rule implies SYN-only flag check ("flags S/SAFR")
 for the TCP packets.
 It is not advisable to change this behavior; however,
-it can be overridden with the
+it can be overridden with the aforementioned
 .Cd flags
 keyword.
 .Ss Map
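Review bot: the new paragraph defines what `match` means but never states what happens to flags that are in `mask` but absent from `match`; given the default "flags S/SAFR" quoted just below (SYN set, ACK/FIN/RST clear), those flags must be unset for the packet to match, so a sentence such as "flags present in mask but not in match must be clear" would make the semantics unambiguous. Two mdoc points in the same hunk: `.It flags Ar match[/mask]` puts literal brackets inside an `.Ar` argument, where `.Op` is the usual way to mark the optional part (e.g. `.It Cd flags Ar match Op / Ar mask`), and the sentence "The flags that are not present in" begins mid-line after "R (RST)." while the rest of the file starts each sentence on its own line; the paragraph opening with "Where" after `.Pp` is also a sentence fragment.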
@@ -367,6 +386,8 @@ static-rule	= ( "block" [ block-opts ] |
 dynamic-ruleset	= "ruleset" group-opts
 rule		= static-rule | dynamic-ruleset
 
+tcp-flag-mask	= tcp-flags
+tcp-flags	= ("S")("A")("F")("R")
 proto		= "proto" protocol [ proto-opts ]
 block-opts	= "return-rst" | "return-icmp" | "return"
 family-opt	= "inet4" | "inet6"
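Review bot: the two new productions are unreachable from the rest of the grammar: nothing in this hunk or its visible context references `tcp-flag-mask` or `tcp-flags`, so the `flags match[/mask]` syntax documented in the Stateful section still has no place in the grammar summary; a production along the lines of `"flags" tcp-flags [ "/" tcp-flag-mask ]` attached to the rule options would close that gap. Also, `tcp-flags = ("S")("A")("F")("R")` reads as requiring all four letters in that order, whereas the summary marks optional items with `[ ... ]` elsewhere (e.g. `[ block-opts ]`), so `[ "S" ] [ "A" ] [ "F" ] [ "R" ]` would agree with the prose "a string combination of".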