Module Name:    src
Committed By:   rmind
Date:           Sun Dec 10 22:04:41 UTC 2017

Modified Files:
        src/usr.sbin/npf: npf.7
        src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_parse.y npf_scan.l
            npf_show.c npfctl.8 npfctl.h todo

Log Message:
npfctl: add support for the 'no-ports' flag in the 'map' statements.
This allows us to create a NAT policy without the port translation.


To generate a diff of this commit:
cvs rdiff -u -r1.3 -r1.4 src/usr.sbin/npf/npf.7
cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.44 -r1.45 src/usr.sbin/npf/npfctl/npf_build.c \
    src/usr.sbin/npf/npfctl/npfctl.h
cvs rdiff -u -r1.45 -r1.46 src/usr.sbin/npf/npfctl/npf_parse.y
cvs rdiff -u -r1.25 -r1.26 src/usr.sbin/npf/npfctl/npf_scan.l
cvs rdiff -u -r1.24 -r1.25 src/usr.sbin/npf/npfctl/npf_show.c
cvs rdiff -u -r1.19 -r1.20 src/usr.sbin/npf/npfctl/npfctl.8
cvs rdiff -u -r1.14 -r1.15 src/usr.sbin/npf/npfctl/todo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npf.7
diff -u src/usr.sbin/npf/npf.7:1.3 src/usr.sbin/npf/npf.7:1.4
--- src/usr.sbin/npf/npf.7:1.3	Sun Jul 12 23:54:43 2015
+++ src/usr.sbin/npf/npf.7	Sun Dec 10 22:04:41 2017
@@ -1,4 +1,4 @@
-.\"	$NetBSD: npf.7,v 1.3 2015/07/12 23:54:43 rmind Exp $
+.\"	$NetBSD: npf.7,v 1.4 2017/12/10 22:04:41 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -78,7 +78,8 @@ documentation and other manual pages.
 .Xr bpfjit 4 ,
 .Xr npf.conf 5 ,
 .Xr pcap-filter 7 ,
-.Xr npfctl 8
+.Xr npfctl 8 ,
+.Xr npfd 8
 .Pp
 .Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation"
 .Sh HISTORY

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.49 src/usr.sbin/npf/npfctl/npf.conf.5:1.50
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.49	Mon Jul  3 21:35:31 2017
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sun Dec 10 22:04:41 2017
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.49 2017/07/03 21:35:31 wiz Exp $
+.\"    $NetBSD: npf.conf.5,v 1.50 2017/12/10 22:04:41 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 19, 2017
+.Dd December 10, 2017
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -233,6 +233,14 @@ procedure "someproc" {
 .Ed
 .Pp
 In this case, the procedure calls the logging and normalisation modules.
+The logging facility requires the npf_ext_log kernel module which would
+normally get auto-loaded by NPF.
+The specified npflog interface would also be auto-created once the
+configuration is loaded.
+The log packets can be written to a file using the
+.Xr npfd 8
+daemon.
+.Pp
 Traffic normalisation has a set of different mechanisms.
 In the example above, the normalisation procedure has arguments which
 apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF)
@@ -248,8 +256,7 @@ i.e., the next line is considered an ext
 .Sh GRAMMAR
 The following is a non-formal BNF-like definition of the grammar.
 The definition is simplified and is intended to be human readable,
-therefore it does not strictly represent the full syntax, which
-is more flexible.
+therefore it does not strictly represent the formal grammar.
 .Bd -literal
 ; Syntax of a single line.  Lines can be separated by LF (\\n) or
 ; a semicolon.  Comments start with a hash (#) character.
@@ -279,10 +286,13 @@ table-def	= "table" table-id "type" ( "h
 ; Mapping for address translation.
 
 map		= "map" interface
-		  ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ]
+		  ( "static" [ "algo" algorithm ] | "dynamic" )
+		  [ map-flags ] [ proto ]
 		  net-seg ( "->" | "<-" | "<->" ) net-seg
 		  [ "pass" [ proto ] filt-opts ]
 
+map-flags	= "no-ports"
+
 ; Rule procedure definition.  The name should be in the double quotes.
 ;
 ; Each call can have its own options in a form of key-value pairs.
@@ -352,8 +362,7 @@ map $ext_if dynamic 10.1.1.0/24 -> $ext_
 map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
 
 procedure "log" {
-	# Note: npf_ext_log kernel module should be loaded, if not built-in.
-	# Also, the interface created, e.g.: ifconfig npflog0 create
+	# The logging facility can be used together with npfd(8).
 	log: npflog0
 }
 
@@ -387,7 +396,8 @@ group default {
 .Xr bpf 4 ,
 .Xr npf 7 ,
 .Xr pcap-filter 7 ,
-.Xr npfctl 8
+.Xr npfctl 8 ,
+.Xr npfd 8
 .Sh HISTORY
 NPF first appeared in
 .Nx 6.0 .

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.44 src/usr.sbin/npf/npfctl/npf_build.c:1.45
--- src/usr.sbin/npf/npfctl/npf_build.c:1.44	Thu Jan 19 20:18:17 2017
+++ src/usr.sbin/npf/npfctl/npf_build.c	Sun Dec 10 22:04:41 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.45 2017/12/10 22:04:41 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.45 2017/12/10 22:04:41 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/mman.h>
@@ -493,7 +493,7 @@ npfctl_build_maprset(const char *name, i
 		attr |= attr_di;
 	}
 	/* Allow only "in/out" attributes. */
-	attr = NPF_RULE_GROUP | NPF_RULE_GROUP | (attr & attr_di);
+	attr = NPF_RULE_GROUP | NPF_RULE_DYNAMIC | (attr & attr_di);
 	rl = npf_rule_create(name, attr, ifname);
 	npf_nat_insert(npf_conf, rl, NPF_PRI_LAST);
 }
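Review bot: The comment above the corrected assignment still reads `/* Allow only "in/out" attributes. */`, but the new value also adds NPF_RULE_DYNAMIC, and the commit message does not mention that the duplicated NPF_RULE_GROUP was a bug. Suggest `/* Dynamic ruleset group: keep only the "in/out" attributes from the caller. */` so the added bit is explained where it is set. npfctl_build_maprset starts before this hunk, so I cannot see how attr_di is derived.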
@@ -594,6 +594,11 @@ npfctl_build_nat(int type, const char *i
 	nl_nat_t *nat;
 
 	if (ap->ap_portrange) {
+		/*
+		 * The port forwarding case.  In such case, there has to
+		 * be a single port used for translation; we keep the port
+		 * translation on, but disable the port map.
+		 */
 		port = npfctl_get_singleport(ap->ap_portrange);
 		flags &= ~NPF_NAT_PORTMAP;
 		flags |= NPF_NAT_PORTS;
@@ -615,7 +620,7 @@ npfctl_build_nat(int type, const char *i
  * npfctl_build_natseg: validate and create NAT policies.
  */
 void
-npfctl_build_natseg(int sd, int type, const char *ifname,
+npfctl_build_natseg(int sd, int type, unsigned mflags, const char *ifname,
     const addr_port_t *ap1, const addr_port_t *ap2, const opt_proto_t *op,
     const filt_opts_t *fopts, u_int algo)
 {
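Review bot: The new `mflags` parameter is not described in the function header comment directly above (`npfctl_build_natseg: validate and create NAT policies.`), and its name does not say which direction the bits work in. Suggest extending the header with ` * mflags: NPF_NAT_* bits naming translation features to disable; NPF_NAT_PORTS here means "no-ports" was given.` The body of npfctl_build_natseg continues past the hunk.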
@@ -651,6 +656,13 @@ npfctl_build_natseg(int sd, int type, co
 	}
 
 	/*
+	 * Apply the flag modifications.
+	 */
+	if (mflags & NPF_NAT_PORTS) {
+		flags &= ~(NPF_NAT_PORTS | NPF_NAT_PORTMAP);
+	}
+
+	/*
 	 * Validate the mappings and their configuration.
 	 */
 
Index: src/usr.sbin/npf/npfctl/npfctl.h
diff -u src/usr.sbin/npf/npfctl/npfctl.h:1.44 src/usr.sbin/npf/npfctl/npfctl.h:1.45
--- src/usr.sbin/npf/npfctl/npfctl.h:1.44	Thu Jan 19 20:18:17 2017
+++ src/usr.sbin/npf/npfctl/npfctl.h	Sun Dec 10 22:04:41 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.h,v 1.44 2017/01/19 20:18:17 rmind Exp $	*/
+/*	$NetBSD: npfctl.h,v 1.45 2017/12/10 22:04:41 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
@@ -202,7 +202,7 @@ void		npfctl_build_group_end(void);
 void		npfctl_build_rule(uint32_t, const char *, sa_family_t,
 		    const opt_proto_t *, const filt_opts_t *,
 		    const char *, const char *);
-void		npfctl_build_natseg(int, int, const char *,
+void		npfctl_build_natseg(int, int, unsigned, const char *,
 		    const addr_port_t *, const addr_port_t *,
 		    const opt_proto_t *, const filt_opts_t *, unsigned);
 void		npfctl_build_maprset(const char *, int, const char *);

Index: src/usr.sbin/npf/npfctl/npf_parse.y
diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.45 src/usr.sbin/npf/npfctl/npf_parse.y:1.46
--- src/usr.sbin/npf/npfctl/npf_parse.y:1.45	Sun Dec  3 23:48:03 2017
+++ src/usr.sbin/npf/npfctl/npf_parse.y	Sun Dec 10 22:04:41 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_parse.y,v 1.45 2017/12/03 23:48:03 mlelstv Exp $	*/
+/*	$NetBSD: npf_parse.y,v 1.46 2017/12/10 22:04:41 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
@@ -124,6 +124,7 @@ yyerror(const char *fmt, ...)
 %token			IFADDRS
 %token			INTERFACE
 %token			MAP
+%token			NO_PORTS
 %token			MINUS
 %token			NAME
 %token			NPT66
@@ -172,7 +173,7 @@ yyerror(const char *fmt, ...)
 %type	<num>		port, opt_final, number, afamily, opt_family
 %type	<num>		block_or_pass, rule_dir, group_dir, block_opts
 %type	<num>		maybe_not, opt_stateful, icmp_type, table_type
-%type	<num>		map_sd, map_algo, map_type
+%type	<num>		map_sd, map_algo, map_flags, map_type
 %type	<var>		static_ifaddrs, addr_or_ifaddr
 %type	<var>		port_range, icmp_type_and_code
 %type	<var>		filt_addr, addr_and_mask, tcp_flags, tcp_flags_and_mask
@@ -337,6 +338,11 @@ map_algo
 	|		{ $$ = 0; }
 	;
 
+map_flags
+	: NO_PORTS	{ $$ = NPF_NAT_PORTS; }
+	|		{ $$ = 0; }
+	;
+
 map_type
 	: ARROWBOTH	{ $$ = NPF_NATIN | NPF_NATOUT; }
 	| ARROWLEFT	{ $$ = NPF_NATIN; }
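Review bot: The `map_flags` rule yields NPF_NAT_PORTS for the `no-ports` keyword, so its semantic value is a bit to clear, whereas the neighbouring map_algo and map_type rules yield bits that are set; a reader is likely to misread the polarity. Suggest a comment on the rule: `/* Flags to clear on the NAT policy: "no-ports" disables port translation (NPF_NAT_PORTS). */`. The three `map` productions in the next hunk renumber the positional `$N` arguments consistently with the inserted map_flags symbol.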
@@ -352,18 +358,18 @@ mapseg
 	;
 
 map
-	: MAP ifref map_sd map_algo mapseg map_type mapseg
+	: MAP ifref map_sd map_algo map_flags mapseg map_type mapseg
 	  PASS opt_proto all_or_filt_opts
 	{
-		npfctl_build_natseg($3, $6, $2, &$5, &$7, &$9, &$10, $4);
+		npfctl_build_natseg($3, $7, $5, $2, &$6, &$8, &$10, &$11, $4);
 	}
-	| MAP ifref map_sd map_algo mapseg map_type mapseg
+	| MAP ifref map_sd map_algo map_flags mapseg map_type mapseg
 	{
-		npfctl_build_natseg($3, $6, $2, &$5, &$7, NULL, NULL, $4);
+		npfctl_build_natseg($3, $7, $5, $2, &$6, &$8, NULL, NULL, $4);
 	}
-	| MAP ifref map_sd map_algo proto mapseg map_type mapseg
+	| MAP ifref map_sd map_algo map_flags proto mapseg map_type mapseg
 	{
-		npfctl_build_natseg($3, $7, $2, &$6, &$8, &$5, NULL, $4);
+		npfctl_build_natseg($3, $8, $5, $2, &$7, &$9, &$6, NULL, $4);
 	}
 	| MAP RULESET group_opts
 	{

Index: src/usr.sbin/npf/npfctl/npf_scan.l
diff -u src/usr.sbin/npf/npfctl/npf_scan.l:1.25 src/usr.sbin/npf/npfctl/npf_scan.l:1.26
--- src/usr.sbin/npf/npfctl/npf_scan.l:1.25	Tue Jan  3 01:29:49 2017
+++ src/usr.sbin/npf/npfctl/npf_scan.l	Sun Dec 10 22:04:41 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_scan.l,v 1.25 2017/01/03 01:29:49 rmind Exp $	*/
+/*	$NetBSD: npf_scan.l,v 1.26 2017/12/10 22:04:41 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -97,6 +97,7 @@ static			return TSTATIC;
 dynamic			return TDYNAMIC;
 file			return TFILE;
 map			return MAP;
+no-ports		return NO_PORTS;
 set			return SET;
 "<->"			return ARROWBOTH;
 "<-"			return ARROWLEFT;

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.24 src/usr.sbin/npf/npfctl/npf_show.c:1.25
--- src/usr.sbin/npf/npfctl/npf_show.c:1.24	Sun May 14 21:38:23 2017
+++ src/usr.sbin/npf/npfctl/npf_show.c	Sun Dec 10 22:04:41 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.24 2017/05/14 21:38:23 christos Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.25 2017/12/10 22:04:41 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.24 2017/05/14 21:38:23 christos Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.25 2017/12/10 22:04:41 rmind Exp $");
 
 #include <sys/socket.h>
 #define	__FAVOR_BSD
@@ -463,8 +463,10 @@ npfctl_print_nat(npf_conf_info_t *ctx, n
 	flags = npf_nat_getflags(nt);
 
 	/* Print out the NAT policy with the filter criteria. */
-	fprintf(ctx->fp, "map %s %s %s %s %s pass ",
+	fprintf(ctx->fp, "map %s %s %s%s%s %s %s pass ",
 	    ifname, (flags & NPF_NAT_STATIC) ? "static" : "dynamic",
+	    "" /* XXX algo, */,
+	    (flags & NPF_NAT_PORTS) ? "" : "no-ports ",
 	    seg1, arrow, seg2);
 	npfctl_print_filter(ctx, rl);
 	npfctl_print_id(ctx, rl);
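Review bot: The third `%s` in the new format string is fed the empty placeholder `"" /* XXX algo, */`, so a `map ... static algo ...` policy is printed without its algorithm, while `no-ports` is now printed whenever NPF_NAT_PORTS is clear; if static or algorithm-based policies leave that bit unset (not visible here), the shown text would not round-trip through the parser. Until the algorithm is printed, drop the placeholder argument and its conversion: `fprintf(ctx->fp, "map %s %s %s%s %s %s pass ",` with the `"" /* XXX algo, */,` line removed, which keeps six conversions for six arguments. npfctl_print_nat starts before the hunk.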

Index: src/usr.sbin/npf/npfctl/npfctl.8
diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.19 src/usr.sbin/npf/npfctl/npfctl.8:1.20
--- src/usr.sbin/npf/npfctl/npfctl.8:1.19	Tue Dec 27 20:55:11 2016
+++ src/usr.sbin/npf/npfctl/npfctl.8	Sun Dec 10 22:04:41 2017
@@ -1,4 +1,4 @@
-.\"	$NetBSD: npfctl.8,v 1.19 2016/12/27 20:55:11 christos Exp $
+.\"	$NetBSD: npfctl.8,v 1.20 2017/12/10 22:04:41 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 27, 2016
+.Dd December 10, 2017
 .Dt NPFCTL 8
 .Os
 .Sh NAME
@@ -205,7 +205,8 @@ Addition and removal of entries in the t
 .Sh SEE ALSO
 .Xr bpf 4 ,
 .Xr npf.conf 5 ,
-.Xr npf 7
+.Xr npf 7 ,
+.Xr npfd 8
 .Sh HISTORY
 NPF first appeared in
 .Nx 6.0 .

Index: src/usr.sbin/npf/npfctl/todo
diff -u src/usr.sbin/npf/npfctl/todo:1.14 src/usr.sbin/npf/npfctl/todo:1.15
--- src/usr.sbin/npf/npfctl/todo:1.14	Sun Dec 10 20:45:26 2017
+++ src/usr.sbin/npf/npfctl/todo	Sun Dec 10 22:04:41 2017
@@ -1,11 +1,4 @@
 -- how to convert other packet filters to npf
--- have a way to use npflog to log packets to syslog
-   We have npfd that logs to a file
--- have a way to match dropped packets to rules
-   We keep this information now and we pass it to npflog using the OpenBSD
-   pflog format.
--- have a way to list the active nat sessions
-   Use "npfctl list"
 -- npfctl start does not load the configuration if not loaded.
    It is not clear you need to reload first. Or if it loads it should
    print the error messages. Or it should be called enable/disable since
