Module Name: src Committed By: riz Date: Sat Dec 15 23:31:07 UTC 2012
Modified Files: src/share/examples/npf [netbsd-6]: host-npf.conf soho_gw-npf.conf src/usr.sbin/npf/npfctl [netbsd-6]: npf.conf.5 Log Message: Pull up following revision(s) (requested by rmind in ticket #744): usr.sbin/npf/npfctl/npf.conf.5: revision 1.25 share/examples/npf/host-npf.conf: revision 1.4 share/examples/npf/soho_gw-npf.conf: revision 1.4 Fix syntax error in the example, fix one rule and G/C "rid" procedure. - npf.conf(5): fix of the example config. - Mention npf_ext_log in a comment. To generate a diff of this commit: cvs rdiff -u -r1.2.4.3 -r1.2.4.4 src/share/examples/npf/host-npf.conf \ src/share/examples/npf/soho_gw-npf.conf cvs rdiff -u -r1.9.2.5 -r1.9.2.6 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/share/examples/npf/host-npf.conf
diff -u src/share/examples/npf/host-npf.conf:1.2.4.3 src/share/examples/npf/host-npf.conf:1.2.4.4
--- src/share/examples/npf/host-npf.conf:1.2.4.3 Tue Dec 11 04:31:53 2012
+++ src/share/examples/npf/host-npf.conf Sat Dec 15 23:31:07 2012
@@ -1,4 +1,4 @@
-# $NetBSD: host-npf.conf,v 1.2.4.3 2012/12/11 04:31:53 riz Exp $
+# $NetBSD: host-npf.conf,v 1.2.4.4 2012/12/15 23:31:07 riz Exp $
 #
 # this is an example of NPF rules for a host (i.e., not routing) with
 # two network interfaces, wired and wifi
@@ -6,6 +6,7 @@
 # it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
 # it also does IPSEC on the wifi
 #
+
 $wired_if = "wm0"
 $wired_v4 = { inet4(wm0) }
 $wired_v6 = { inet6(wm0) }
@@ -30,10 +31,6 @@ procedure "log" {
 	log: npflog0
 }
-procedure "rid" {
-	normalise: "random-id"
-}
-
 group (name "wired", interface $wired_if) {
 	# not being picky about our own address here
@@ -64,16 +61,16 @@ group (name "wired", interface $wired_if
 	# only SYN packets need to generate state
 	pass stateful out final family inet6 proto tcp flags S/SA \
-	    from $wired_v6 apply "rid"
+	    from $wired_v6
 	pass stateful out final family inet proto tcp flags S/SA \
-	    from $wired_v4 apply "rid"
+	    from $wired_v4
 	# pass the other tcp packets without generating extra state
-	pass out final family inet6 proto tcp from $wired_v6 apply "rid"
-	pass out final family inet proto tcp from $wired_v4 apply "rid"
+	pass out final family inet6 proto tcp from $wired_v6
+	pass out final family inet proto tcp from $wired_v4
 	# all other types of traffic, generate state per packet
-	pass stateful out final family inet6 from $wired_v6 apply "rid"
-	pass stateful out final family inet from $wired_v4 apply "rid"
+	pass stateful out final family inet6 from $wired_v6
+	pass stateful out final family inet from $wired_v4
 }
@@ -107,16 +104,16 @@ group (name "wifi", interface $wifi_if)
 	# only SYN packets need to generate state
 	pass stateful out final family inet6 proto tcp flags S/SA \
-	    from $wifi_v6 apply "rid"
+	    from $wifi_v6
 	pass stateful out final family inet proto tcp flags S/SA \
-	    from $wifi_v4 apply "rid"
+	    from $wifi_v4
 	# pass the other tcp packets without generating extra state
-	pass out final family inet6 proto tcp from $wifi_v6 apply "rid"
-	pass out final family inet proto tcp from $wifi_v4 apply "rid"
+	pass out final family inet6 proto tcp from $wifi_v6
+	pass out final family inet proto tcp from $wifi_v4
 	# all other types of traffic, generate state per packet
-	pass stateful out final family inet6 from $wifi_v6 apply "rid"
-	pass stateful out final family inet from $wifi_v4 apply "rid"
+	pass stateful out final family inet6 from $wifi_v6
+	pass stateful out final family inet from $wifi_v4
 }
 group (default) {
Index: src/share/examples/npf/soho_gw-npf.conf
diff -u src/share/examples/npf/soho_gw-npf.conf:1.2.4.3 src/share/examples/npf/soho_gw-npf.conf:1.2.4.4
--- src/share/examples/npf/soho_gw-npf.conf:1.2.4.3 Tue Dec 11 04:31:53 2012
+++ src/share/examples/npf/soho_gw-npf.conf Sat Dec 15 23:31:07 2012
@@ -1,10 +1,11 @@
-# $NetBSD: soho_gw-npf.conf,v 1.2.4.3 2012/12/11 04:31:53 riz Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.2.4.4 2012/12/15 23:31:07 riz Exp $
 #
 # SOHO border
 #
 # This is a natting border gateway/webserver/mailserver/nameserver
 # IPv4 only
 #
+
 $ext_if = "wm0"
 $ext_v4 = inet4(wm0)
 $ext_addrs = { ifnet(wm0) }
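Review bot: The continuation lines `+	    from $wifi_v6` and `+	    from $wifi_v4` are left over from the removed `apply "rid"` clause; with only the source spec remaining, each rule fits on one line, e.g. `pass stateful out final family inet6 proto tcp flags S/SA from $wifi_v6` and `pass stateful out final family inet proto tcp flags S/SA from $wifi_v4`, provided that stays within the file's line width. The same applies to the $wired_v6/$wired_v4 rules in the preceding host-npf.conf hunk (@@ -64,16 +61,16 @@). The wifi group's header and its earlier rules start outside this hunk.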
@@ -27,18 +28,14 @@ map $ext_if dynamic 198.51.100.0/24 -> $
 # NAT traffic arriving on port 9022 of the external interface address
 # to host 198.51.100.2 port 22
-map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 9022
+map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 port 9022
 procedure "log" {
 	log: npflog0
 }
-procedure "rid" {
-	normalise: "random-id"
-}
-
 group (name "external", interface $ext_if) {
-	pass stateful out final from $ext_addrs apply "rid"
+	pass stateful out final all
 	block in final from <1>
 	pass stateful in final family inet proto tcp to $ext_v4 port ssh \
@@ -62,4 +59,3 @@ group (default) {
 	pass final on lo0 all
 	block all
 }
-
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.9.2.5 src/usr.sbin/npf/npfctl/npf.conf.5:1.9.2.6
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.9.2.5 Tue Dec 11 04:31:53 2012
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Sat Dec 15 23:31:07 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.conf.5,v 1.9.2.5 2012/12/11 04:31:53 riz Exp $
+.\" $NetBSD: npf.conf.5,v 1.9.2.6 2012/12/15 23:31:07 riz Exp $
 .\"
 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd November 26, 2012
+.Dd December 6, 2012
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -284,11 +284,12 @@ map $ext_if dynamic 10.1.1.0/24 -> $ext_
 map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if 9022
 procedure "log" {
+	# Note: npf_ext_log kernel module should be loaded, if not built-in.
 	log: npflog0
 }
 group (name "external", interface $ext_if) {
-	pass stateful out final from $ext_if
+	pass stateful out final all
 	block in final from \*[Lt]1\*[Gt]
 	pass stateful in final family inet proto tcp to $ext_if port ssh apply "log"
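Review bot: `pass stateful out final all` in the "external" group now matches every packet leaving $ext_if, where the previous rule was bound to `from $ext_addrs`; the widening is presumably deliberate for a NAT gateway so that forwarded traffic from the internal network is covered too — confirm — but nothing in the example says so. A one-line comment above the rule would make the intent clear, e.g. `# everything leaving via the external interface, keeping state for the replies`. The same rule change appears in the npf.conf.5 example (hunk @@ -284,11 +284,12 @@) and could carry the same explanation. Dropping procedure "rid" also removes the "random-id" normalisation from the example, which the header comment describing what the config does could mention.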
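Review bot: The context line `map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if 9022` in the manual's example still lacks the `port` keyword that this same commit adds to the equivalent rule in soho_gw-npf.conf (`<- $ext_v4 port 9022`); if the grammar requires it there, the man page example keeps the syntax error the log message says it fixes. Suggest `map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if port 9022`. The example block continues outside this hunk.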