Module Name:    src
Committed By:   rmind
Date:           Wed Jun 27 23:05:28 UTC 2012

Modified Files:
        src/usr.sbin/npf/npfctl: npf.conf.5 npfctl.8 npfctl.c

Log Message:
Fix and update npf.conf(5), npfctl(8) and its usage message.


To generate a diff of this commit:
cvs rdiff -u -r1.12 -r1.13 src/usr.sbin/npf/npfctl/npf.conf.5 \
    src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npfctl/npfctl.8

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.12 src/usr.sbin/npf/npfctl/npf.conf.5:1.13
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.12	Fri Jun 15 23:24:08 2012
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Wed Jun 27 23:05:28 2012
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.12 2012/06/15 23:24:08 rmind Exp $
+.\"    $NetBSD: npf.conf.5,v 1.13 2012/06/27 23:05:28 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 14, 2012
+.Dd June 27, 2012
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -103,7 +103,7 @@ ifconfig npflog0 create
 Rules for address translation can be added.
 Translation is performed on the specified interface, assigning the specified
 address of said interface.
-There are three types of translation:
+Currently, three types of translation are supported:
 Network Address Port Translation (NAPT) - a regular NAT,
 also known as "outbound NAT";
 Port forwarding (redirection) - also known as "inbound NAT";
@@ -134,15 +134,16 @@ There are two types of storage: "tree" (
 .Bd -literal
 line		= ( def | table | map | group | rproc )
 
-def		= ( \*[Lt]name\*[Gt] "=" "{ a, b, ... }" | "\*[Lt]text\*[Gt]" | "$\*[Lt]interface\*[Gt]" )
-iface		= ( \*[Lt]interface\*[Gt] | def )
+var		= $\*[Lt]name\*[Gt]
+iface		= ( \*[Lt]interface\*[Gt] | var )
+def		= ( var "=" "{ "\*[Lt]value_1\*[Gt]", "\*[Lt]value_2\*[Gt]", ... }" | "\*[Lt]value\*[Gt]" )
 
 table		= "table" \*[Lt]tid\*[Gt] "type" ( "hash" | "tree" )
 		  ( "dynamic" | "file" \*[Lt]path\*[Gt] )
 
 map-di		= ( "->" | "<-" | "<->" )
 map-type	= ( "static" | "dynamic" )
-map		= "map" iface maptype \*[Lt]seg1\*[Gt] mapdi \*[Lt]seg2\*[Gt] [ "pass" filt-opts ]
+map		= "map" iface map-type \*[Lt]seg1\*[Gt] map-di \*[Lt]seg2\*[Gt] [ "pass" filt-opts ]
 
 rproc		= "procedure" \*[Lt]name\*[Gt] procs
 procs		= "{" op1 \*[Lt]newline\*[Gt], op2 \*[Lt]newline\*[Gt], ... "}"
@@ -150,18 +151,18 @@ op		= ( "log" iface | "normalise" "(" no
 norm-opt	= [ "random-id" | "min-ttl" \*[Lt]num\*[Gt] | "max-mss" \*[Lt]num\*[Gt] | "no-df" ]
 
 group		= "group" "(" ( "default" | group-opts ) ")" ruleset
-group-opts	= "interface" iface "," [ "in" | "out" ]
+group-opts	= [ name \*[Lt]name\*[Gt] "," ] "interface" iface [ "," ( "in" | "out" ) ]
 
 ruleset		= "{" rule1 \*[Lt]newline\*[Gt], rule2 \*[Lt]newline\*[Gt], ... "}"
 
 rule		= ( "block" block-opts | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ]
-		  [ "on" iface ] [ "family" fam-opt ] [ "proto" \*[Lt]protocol\*[Gt] ]
+		  [ "on" iface ] [ "family" fam-opt ] [ "proto" \*[Lt]protocol\*[Gt] [ proto-opts ] ]
 		  ( "all" | filt-opts ) [ "apply" rproc ] }
 
 fam-opt		= [ "inet" | "inet6" ]
 block-opts	= [ "return-rst" | "return-icmp" | "return" ]
-filt-addr	= iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt]
-port-opts	= [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] "-" \*[Lt]port-to\*[Gt] | def ) ]
+filt-addr	= iface | var | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt]
+port-opts	= [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] "-" \*[Lt]port-to\*[Gt] | var ) ]
 filt-opts	= [ "from" filt-addr [ port-opts ] ] [ "to" filt-addr [ port-opts ] ]
 proto-opts	= [ "flags" \*[Lt]tcp_flags\*[Gt] | "icmp-type" \*[Lt]type\*[Gt] "code" \*[Lt]code\*[Gt] ]
 .Ed
@@ -186,6 +187,8 @@ $services_tcp = { http, https, smtp, dom
 $services_udp = { domain, ntp, 6000 }
 $localnet = { 10.1.1.0/24 }
 
+# Note: if $ext_if has multiple IP address (e.g. IPv6 as well),
+# then the translation address has to be specified explicitly.
 map $ext_if dynamic 10.1.1.0/24 -> $ext_if
 map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if 9022
 
@@ -201,11 +204,11 @@ group (name "external", interface $ext_i
 	pass stateful out final from $ext_if apply "rid"
 
 	block in final from \*[Lt]1\*[Gt]
-	pass in final family inet proto tcp to $ext_if port ssh apply "log"
-	pass in final proto tcp to $ext_if port $services_tcp
-	pass in final proto udp to $ext_if port $services_udp
-	pass in final proto tcp to $ext_if port 49151-65535	# Passive FTP
-	pass in final proto udp to $ext_if port 33434-33600	# Traceroute
+	pass stateful in final family inet proto tcp to $ext_if port ssh apply "log"
+	pass stateful in final proto tcp to $ext_if port $services_tcp
+	pass stateful in final proto udp to $ext_if port $services_udp
+	pass stateful in final proto tcp to $ext_if port 49151-65535	# Passive FTP
+	pass stateful in final proto udp to $ext_if port 33434-33600	# Traceroute
 }
 
 group (name "internal", interface $int_if) {
Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.12 src/usr.sbin/npf/npfctl/npfctl.c:1.13
--- src/usr.sbin/npf/npfctl/npfctl.c:1.12	Fri Jun 15 23:24:08 2012
+++ src/usr.sbin/npf/npfctl/npfctl.c	Wed Jun 27 23:05:28 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.c,v 1.12 2012/06/15 23:24:08 rmind Exp $	*/
+/*	$NetBSD: npfctl.c,v 1.13 2012/06/27 23:05:28 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.12 2012/06/15 23:24:08 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.13 2012/06/27 23:05:28 rmind Exp $");
 
 #include <sys/ioctl.h>
 #include <sys/stat.h>
@@ -135,7 +135,7 @@ usage(void)
 	const char *progname = getprogname();
 
 	fprintf(stderr,
-	    "usage:\t%s [ start | stop | reload | flush | stats ]\n",
+	    "usage:\t%s [ start | stop | reload | flush | show | stats ]\n",
 	    progname);
 	fprintf(stderr,
 	    "usage:\t%s [ sess-save | sess-load ]\n",
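Review bot: The usage string on the changed line now advertises `show`, yet no hunk in this commit touches the command dispatch in npfctl.c, so it is worth confirming that the parser already accepts a `show` sub-command at this revision (presumably it does, since the log message calls this a fix of the usage message rather than a new feature). The npfctl.8 hunk in the same commit documents `show` with the same meaning, so the two files stay consistent with each other. The enclosing `usage()` starts and ends outside this hunk, and the remaining usage lines are not visible here; they should enumerate the same set of commands that npfctl.8 lists (the `table tid` form, for example, is documented there but does not appear in the visible usage lines).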

Index: src/usr.sbin/npf/npfctl/npfctl.8
diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.6 src/usr.sbin/npf/npfctl/npfctl.8:1.7
--- src/usr.sbin/npf/npfctl/npfctl.8:1.6	Thu Mar 24 05:48:54 2011
+++ src/usr.sbin/npf/npfctl/npfctl.8	Wed Jun 27 23:05:28 2012
@@ -1,6 +1,6 @@
-.\"	$NetBSD: npfctl.8,v 1.6 2011/03/24 05:48:54 jruoho Exp $
+.\"	$NetBSD: npfctl.8,v 1.7 2012/06/27 23:05:28 rmind Exp $
 .\"
-.\" Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd March 24, 2011
+.Dd June 27, 2012
 .Dt NPFCTL 8
 .Os
 .Sh NAME
@@ -74,6 +74,11 @@ is atomic.
 Flush configuration.
 That is, remove all rules, tables and expire all sessions.
 This command does not disable packet inspection.
+.It Ic show
+Show the current state and configuration.
+Syntax of printed configuration is for the user and may not match the
+.Xr npf.conf 5
+syntax.
 .It Ic table Ar tid
 List all entries in the currently loaded table specified by
 .Ar tid .
@@ -129,6 +134,7 @@ Starting the NPF packet filter:
 .Bd -literal -offset indent
 # npfctl reload
 # npfctl start
+# npfctl show
 .Ed
 .Pp
 Addition and removal of entries in the table whose ID is 2:
