CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Wed Jul 14 09:15:01 UTC 2021 Modified Files: src/usr.sbin/npf/npfctl: npfctl.c Log Message: PR/56307: Konrad Schroder: npfctl's error messages don't report the failing filename. Add the filename (but in quotes for consistency with other places in the file). Also fix an err -> errx To generate a diff of this commit: cvs rdiff -u -r1.64 -r1.65 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.64 src/usr.sbin/npf/npfctl/npfctl.c:1.65 --- src/usr.sbin/npf/npfctl/npfctl.c:1.64 Sat May 30 10:16:56 2020 +++ src/usr.sbin/npf/npfctl/npfctl.c Wed Jul 14 05:15:01 2021 @@ -28,7 +28,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.64 2020/05/30 14:16:56 rmind Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.65 2021/07/14 09:15:01 christos Exp $"); #include #include @@ -301,17 +301,18 @@ npfctl_import(const char *path) * just leaving this responsibility for the caller. */ if ((fd = open(path, O_RDONLY)) == -1) { - err(EXIT_FAILURE, "could not open `%s'", path); + err(EXIT_FAILURE, "open: '%s'", path); } if (fstat(fd, ) == -1) { - err(EXIT_FAILURE, "stat"); + err(EXIT_FAILURE, "stat: '%s'", path); } if ((blen = sb.st_size) == 0) { - err(EXIT_FAILURE, "the binary configuration file is empty"); + errx(EXIT_FAILURE, + "the binary configuration file '%s' is empty", path); } blob = mmap(NULL, blen, PROT_READ, MAP_FILE | MAP_PRIVATE, fd, 0); if (blob == MAP_FAILED) { - err(EXIT_FAILURE, "mmap"); + err(EXIT_FAILURE, "mmap: '%s'", path); } ncf = npf_config_import(blob, blen); munmap(blob, blen); 
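Review bot: The new message in npfctl_import's fstat() branch still reads `stat`, while the open() and mmap() branches in the same hunk now name the call that actually failed; for consistency with the rest of this commit it should be `err(EXIT_FAILURE, "fstat: '%s'", path);`. The same mismatch survives in the npfctl_open_dev hunk later in this commit, where a failed lstat() is reported as `fstat: '%s'`. npfctl_import's body continues past the hunk, so how a NULL from npf_config_import() is handled there is not visible here.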
@@ -329,7 +330,7 @@ npfctl_load(int fd) */ ncf = npfctl_import(NPF_DB_PATH); if (ncf == NULL) { - err(EXIT_FAILURE, "npf_config_import"); + err(EXIT_FAILURE, "npf_config_import: '%s'", NPF_DB_PATH); } if ((errno = npf_config_submit(ncf, fd, )) != 0) { npfctl_print_error(); @@ -345,7 +346,7 @@ npfctl_open_dev(const char *path) int fd; if (lstat(path, ) == -1) { - err(EXIT_FAILURE, "fstat"); + err(EXIT_FAILURE, "fstat: '%s'", path); } if ((st.st_mode & S_IFMT) == S_IFSOCK) { struct sockaddr_un addr; @@ -358,11 +359,11 @@ npfctl_open_dev(const char *path) strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1); if (connect(fd, (struct sockaddr *), sizeof(addr)) == -1) { - err(EXIT_FAILURE, "connect"); + err(EXIT_FAILURE, "connect: '%s'", path); } } else { if ((fd = open(path, O_RDONLY)) == -1) { - err(EXIT_FAILURE, "cannot open '%s'", path); + err(EXIT_FAILURE, "open: '%s'", path); } } return fd; @@ -416,7 +417,8 @@ npfctl_debug(int argc, char **argv) puts("Loading the active configuration"); fd = npfctl_open_dev(NPF_DEV_PATH); if ((ncf = npf_config_retrieve(fd)) == NULL) { - err(EXIT_FAILURE, "npf_config_retrieve"); + err(EXIT_FAILURE, "npf_config_retrieve: '%s'", + NPF_DEV_PATH); } }
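Review bot: In npfctl_load the NULL return from npfctl_import() is reported with err(), which appends strerror(errno); every failure path visible in the npfctl_import hunk already exits on its own, so a NULL here presumably comes from npf_config_import(), and nothing on this page shows that function setting errno. If it does not, the appended text is stale, and errx() — which this commit already adopts for the empty-file case — would be the accurate choice: `errx(EXIT_FAILURE, "npf_config_import: '%s'", NPF_DB_PATH);`. The same question applies to the npf_config_retrieve() check in the npfctl_debug hunk at the end of this commit. npfctl_load's body continues outside the hunk.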
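Review bot: The connect() failure now reports the full `path`, but the unchanged `strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1)` two lines above silently truncates a path longer than sun_path, so the message would name a socket that was never actually addressed; a length check before the copy, `if (strlen(path) >= sizeof(addr.sun_path)) errx(EXIT_FAILURE, "path too long: '%s'", path);`, keeps the diagnostic honest. Whether addr is zeroed before the copy, so that the `- 1` guarantees NUL termination, is outside the hunk and could not be confirmed. npfctl_open_dev's body starts before this hunk.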
CVS commit: src/usr.sbin/npf
Module Name:src Committed By: taca Date: Thu Dec 17 05:33:06 UTC 2020 Modified Files: src/usr.sbin/npf: npf-params.7 Log Message: Change second gc.interval_min to gc.interval_max. Obviously, second gc.interval_min should be gc.interval_max. Should be pulled up to netbnsd-9. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/npf/npf-params.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npf-params.7 diff -u src/usr.sbin/npf/npf-params.7:1.7 src/usr.sbin/npf/npf-params.7:1.8 --- src/usr.sbin/npf/npf-params.7:1.7 Sat Jun 6 20:38:00 2020 +++ src/usr.sbin/npf/npf-params.7 Thu Dec 17 05:33:06 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf-params.7,v 1.7 2020/06/06 20:38:00 wiz Exp $ +.\" $NetBSD: npf-params.7,v 1.8 2020/12/17 05:33:06 taca Exp $ .\" .\" Copyright (c) 2019 Mindaugas Rasiukevicius .\" All rights reserved. @@ -83,7 +83,7 @@ The worker is self-tuning and will wake connections to expire; it will wake up less frequently, diverging towards the upper bound, if it does not encounter expired connections. Default: 50 (in milliseconds). -.It Li gc.interval_min +.It Li gc.interval_max The upper bound for the sleep time of the G/C worker. Default: 5000 (in milliseconds). .El
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: abs Date: Fri Oct 30 09:23:36 UTC 2020 Modified Files: src/usr.sbin/npf/npfd: npfd.8 Log Message: Fix tcpdump example from "‐i npflog0.pcap" to "‐i npflog0" To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npfd/npfd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/npfd.8 diff -u src/usr.sbin/npf/npfd/npfd.8:1.6 src/usr.sbin/npf/npfd/npfd.8:1.7 --- src/usr.sbin/npf/npfd/npfd.8:1.6 Fri Aug 31 10:38:17 2018 +++ src/usr.sbin/npf/npfd/npfd.8 Fri Oct 30 09:23:36 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: npfd.8,v 1.6 2018/08/31 10:38:17 maxv Exp $ +.\" $NetBSD: npfd.8,v 1.7 2020/10/30 09:23:36 abs Exp $ .\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $ .\" .\" Copyright (c) 2001 Can Erkin Acar. All rights reserved. @@ -171,7 +171,7 @@ Display the logs in real time (this does operation of .Nm ) : .Bd -literal -offset indent -# tcpdump -n -e -ttt -i npflog0.pcap +# tcpdump -n -e -ttt -i npflog0 .Ed .Pp Tcpdump has been extended to be able to filter on the
CVS commit: src/usr.sbin/npf/npftest/libnpftest
Module Name:src Committed By: riastradh Date: Thu Aug 27 18:51:20 UTC 2020 Modified Files: src/usr.sbin/npf/npftest/libnpftest: npf_gc_test.c Log Message: npftest: Wait at least one tick in each gc busy wait iteration. Otherwise the busy wait loop runs a little too fast for the gc about half the times I run the test. XXX We should really arrange mstohz to round up! To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/usr.sbin/npf/npftest/libnpftest/npf_gc_test.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npftest/libnpftest/npf_gc_test.c diff -u src/usr.sbin/npf/npftest/libnpftest/npf_gc_test.c:1.1 src/usr.sbin/npf/npftest/libnpftest/npf_gc_test.c:1.2 --- src/usr.sbin/npf/npftest/libnpftest/npf_gc_test.c:1.1 Sat May 30 14:16:57 2020 +++ src/usr.sbin/npf/npftest/libnpftest/npf_gc_test.c Thu Aug 27 18:51:20 2020 @@ -222,7 +222,7 @@ run_worker_tests(npf_t *npf) /* Wait for the task to be done. */ while (!atomic_load_acquire(_done) && retry--) { npf_worker_signal(test_npf); - kpause("gctest", false, mstohz(1), NULL); + kpause("gctest", false, MAX(1, mstohz(1)), NULL); } CHECK_TRUE(atomic_load_acquire(_done));
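Review bot: The `MAX(1, mstohz(1))` in the kpause() call encodes a non-obvious fact — that mstohz(1) can round down to zero ticks — which the log message explains but the code does not, so a reader of the loop cannot tell why the lower bound is there; a comment on the line before, `/* mstohz(1) may round down to 0; always sleep at least one tick. */`, keeps that reasoning in the file. Because each iteration now pauses at least one tick rather than roughly a millisecond, the overall wait bounded by `retry` is presumably longer than before; if `retry` was sized in milliseconds (its initialisation is outside the hunk) it may be worth re-checking. run_worker_tests continues past the hunk.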
CVS commit: src/usr.sbin/npf
Module Name:src Committed By: wiz Date: Sat Jun 6 20:38:00 UTC 2020 Modified Files: src/usr.sbin/npf: npf-params.7 Log Message: Use more markup. To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npf-params.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npf-params.7 diff -u src/usr.sbin/npf/npf-params.7:1.6 src/usr.sbin/npf/npf-params.7:1.7 --- src/usr.sbin/npf/npf-params.7:1.6 Sun May 31 16:32:07 2020 +++ src/usr.sbin/npf/npf-params.7 Sat Jun 6 20:38:00 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf-params.7,v 1.6 2020/05/31 16:32:07 tnn Exp $ +.\" $NetBSD: npf-params.7,v 1.7 2020/06/06 20:38:00 wiz Exp $ .\" .\" Copyright (c) 2019 Mindaugas Rasiukevicius .\" All rights reserved. @@ -34,7 +34,9 @@ NPF supports a set of dynamically tunable parameters. .Pp All parameter values are integers and should generally be between -zero and INT_MAX, unless specified otherwise. +zero and +.Dv INT_MAX , +unless specified otherwise. Some parameters values can be negative; such values would typically have a special meaning. Enable/disable switches should be represented as boolean values 0 ("off")
CVS commit: src/usr.sbin/npf
Module Name:src Committed By: tnn Date: Sun May 31 16:32:07 UTC 2020 Modified Files: src/usr.sbin/npf: npf-params.7 Log Message: npf-params.7: s/filer/filter/ To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/npf/npf-params.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npf-params.7 diff -u src/usr.sbin/npf/npf-params.7:1.5 src/usr.sbin/npf/npf-params.7:1.6 --- src/usr.sbin/npf/npf-params.7:1.5 Sun May 31 15:57:15 2020 +++ src/usr.sbin/npf/npf-params.7 Sun May 31 16:32:07 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf-params.7,v 1.5 2020/05/31 15:57:15 rmind Exp $ +.\" $NetBSD: npf-params.7,v 1.6 2020/05/31 16:32:07 tnn Exp $ .\" .\" Copyright (c) 2019 Mindaugas Rasiukevicius .\" All rights reserved. @@ -24,7 +24,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd May 30, 2020 +.Dd May 31, 2020 .Dt NPF-PARAMS 7 .Os .Sh NAME @@ -60,7 +60,7 @@ Perform IPv4 reassembly before inspectin Fragmentation is considered very harmful, so most networks are expected to prevent it; therefore, reassembly is disabled by default. However, while the packet should generally be reassembled at the receiver, -reassembly by the packet filer might be necessary in order to perform state +reassembly by the packet filter might be necessary in order to perform state tracking. Default: 0. .It Li ip6.reassembly
CVS commit: src/usr.sbin/npf
Module Name:src Committed By: rmind Date: Sun May 31 15:57:15 UTC 2020 Modified Files: src/usr.sbin/npf: npf-params.7 Log Message: npf-params(7): fix the state.key defaults. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/npf/npf-params.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npf-params.7 diff -u src/usr.sbin/npf/npf-params.7:1.4 src/usr.sbin/npf/npf-params.7:1.5 --- src/usr.sbin/npf/npf-params.7:1.4 Sat May 30 14:16:56 2020 +++ src/usr.sbin/npf/npf-params.7 Sun May 31 15:57:15 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf-params.7,v 1.4 2020/05/30 14:16:56 rmind Exp $ +.\" $NetBSD: npf-params.7,v 1.5 2020/05/31 15:57:15 rmind Exp $ .\" .\" Copyright (c) 2019 Mindaugas Rasiukevicius .\" All rights reserved. @@ -94,10 +94,10 @@ some of the information in (from) the ke .It Li interface Include interface identifier into the keys, making the connection state strictly per-interface. -Default: 0. +Default: 1. .It Li direction Include packet direction into the keys. -Default: 0. +Default: 1. .El .\" --- .It Li state.generic
CVS commit: src/usr.sbin/npf/npftest/libnpftest
Module Name:src Committed By: rmind Date: Sat May 30 21:00:31 UTC 2020 Modified Files: src/usr.sbin/npf/npftest/libnpftest: npf_test_subr.c Log Message: npftest -- npf_test_init(): add a workaround for NetBSD. To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 \ src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c diff -u src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.17 src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.18 --- src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c:1.17 Sat May 30 14:16:57 2020 +++ src/usr.sbin/npf/npftest/libnpftest/npf_test_subr.c Sat May 30 21:00:31 2020 @@ -64,6 +64,13 @@ npf_test_init(int (*pton_func)(int, cons { npf_t *npf; +#ifdef __NetBSD__ + // XXX: Workaround for npf_init() + if ((npf = npf_getkernctx()) != NULL) { + npf_worker_discharge(npf); + npf_worker_sysfini(); + } +#endif npfk_sysinit(0); npf = npfk_create(0, _mbufops, _ifops, NULL); npfk_thread_register(npf);
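Review bot: The new `#ifdef __NetBSD__` block in npf_test_init() carries only `// XXX: Workaround for npf_init()`, which says neither what state npf_init() leaves behind nor why the worker must be discharged and npf_worker_sysfini() called before npfk_sysinit(), so a reader cannot tell when the workaround may be removed. Expanding the comment to name the condition being worked around (apparently a kernel-side context already present when npf_getkernctx() returns non-NULL on NetBSD) and the condition under which the block can go would help. A `/* ... */` comment would also match the kernel-style convention of the surrounding NetBSD sources, which the rest of this hunk does not show but the file is likely to follow. The function body continues past the hunk.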
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sun May 24 15:35:40 UTC 2020 Modified Files: src/usr.sbin/npf/npfctl: npf_scan.l Log Message: PR/55288: npfctl: change parameter syntax to be more permissive. To generate a diff of this commit: cvs rdiff -u -r1.30 -r1.31 src/usr.sbin/npf/npfctl/npf_scan.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_scan.l diff -u src/usr.sbin/npf/npfctl/npf_scan.l:1.30 src/usr.sbin/npf/npfctl/npf_scan.l:1.31 --- src/usr.sbin/npf/npfctl/npf_scan.l:1.30 Mon Sep 30 00:37:11 2019 +++ src/usr.sbin/npf/npfctl/npf_scan.l Sun May 24 15:35:39 2020 @@ -91,6 +91,7 @@ npfctl_parse_string(const char *str, par ID [a-zA-Z_][a-zA-Z_0-9]* DID [a-zA-Z_][a-zA-Z_0-9-]* +SPID [a-zA-Z][a-zA-Z_0-9.]* NUMBER [0-9]+ HEXDIG [0-9a-fA-F]+ @@ -227,7 +228,7 @@ any return ANY; return VAR_ID; } -[a-z]*"."[a-z.]* { +{ID}"."{SPID}+ { yylval.str = estrndup(yytext, yyleng); return PARAM; }
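Review bot: In the new PARAM pattern `{ID}"."{SPID}+` the `+` is redundant: SPID is `[a-zA-Z][a-zA-Z_0-9.]*`, so any run of SPIDs is already matched by a single SPID, and `{ID}"."{SPID}` accepts exactly the same strings while reading more clearly. Note also that SPID permits trailing and consecutive dots (for example `gc.interval.`), so such tokens now reach the parser as PARAM; if parameter names are validated further down that is fine, but it is not visible on this page. The `DID` line appears in the first hunk only as context and is unchanged.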
CVS commit: src/usr.sbin/npf/npftest
Module Name:src Committed By: christos Date: Sat May 16 12:42:11 UTC 2020 Modified Files: src/usr.sbin/npf/npftest: Makefile Log Message: more nofifofs lossage To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/usr.sbin/npf/npftest/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npftest/Makefile diff -u src/usr.sbin/npf/npftest/Makefile:1.12 src/usr.sbin/npf/npftest/Makefile:1.13 --- src/usr.sbin/npf/npftest/Makefile:1.12 Mon May 13 13:55:09 2019 +++ src/usr.sbin/npf/npftest/Makefile Sat May 16 08:42:11 2020 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.12 2019/05/13 17:55:09 bad Exp $ +# $NetBSD: Makefile,v 1.13 2020/05/16 12:42:11 christos Exp $ # # Public Domain # @@ -17,8 +17,8 @@ LIBNPFTEST!= cd ${.CURDIR}/libnpftest && DPADD+= ${LIBNPFTEST}/libnpftest.a LDADD+= -L${LIBNPFTEST} -lnpftest -LDADD+= -lrump -lrumpvfs -lrumpuser -lrumpnet -lrumpnet_net -LDADD+= -lrumpdev_bpf +LDADD+= -lrump -lrumpvfs_nofifofs -lrumpvfs -lrumpuser +LDADD+= -lrumpnet -lrumpnet_net -lrumpdev_bpf .include
CVS commit: src/usr.sbin/npf/npftest/libnpftest
Module Name:src Committed By: joerg Date: Thu Apr 23 00:27:45 UTC 2020 Modified Files: src/usr.sbin/npf/npftest/libnpftest: npf_test.h Log Message: npftest_mbufops and npftest_ifops are owned by npf_mbuf_subr.c To generate a diff of this commit: cvs rdiff -u -r1.19 -r1.20 src/usr.sbin/npf/npftest/libnpftest/npf_test.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npftest/libnpftest/npf_test.h diff -u src/usr.sbin/npf/npftest/libnpftest/npf_test.h:1.19 src/usr.sbin/npf/npftest/libnpftest/npf_test.h:1.20 --- src/usr.sbin/npf/npftest/libnpftest/npf_test.h:1.19 Tue Jul 23 00:52:02 2019 +++ src/usr.sbin/npf/npftest/libnpftest/npf_test.h Thu Apr 23 00:27:45 2020 @@ -84,8 +84,8 @@ struct mbuf { #define CHECK_TRUE(x) \ if (!(x)) { printf("FAIL: %s line %d\n", __func__, __LINE__); return 0; } -const npf_mbufops_t npftest_mbufops; -const npf_ifops_t npftest_ifops; +extern const npf_mbufops_t npftest_mbufops; +extern const npf_ifops_t npftest_ifops; struct mbuf * npfkern_m_get(int, int); size_t npfkern_m_length(const struct mbuf *);
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: tih Date: Wed Apr 17 20:41:59 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf_bpf_comp.c npf_build.c Log Message: Summary: Ensure default TCP flags are applied to rules like 'pass stateful all' CVS: -- CVS: CVSROOT cvs.NetBSD.org:/cvsroot CVS: please use "PR category/123" to have the commitmsg appended to PR 123 CVS: CVS: Please evaluate your changes and consider the following. CVS: Abort checkin if you answer no. CVS: => For all changes: CVS: Do the changed files compile? CVS: Has the change been tested? CVS: => If you are not completely familiar with the changed components: CVS: Has the change been posted for review? CVS: Have you allowed enough time for feedback? CVS: => If the change is major: CVS: => If the change adds files to, or removes files from $DESTDIR: CVS: => If you are changing a library or kernel interface: CVS: Have you successfully run "./build.sh release"? The documented default "flags S/SAFR" for stateful rules that affect TCP packets but don't specify any flags, doesn't actually get applied to a rule like "pass stateful out all". The big problem with this is that when you then do a "block return-rst" for an incoming packet, the generated RST packet will create state for the connection attempt it's blocking, so that a second attempt from the same source will pass. This change makes the default flags actually apply to such simple rules. It also fixes a related bug in the code generation for the flag matching, where part of the action could erroneously be omitted. Reviewed by Closes PR bin/54124 Pullup to NetBSD 8 To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/usr.sbin/npf/npfctl/npf_bpf_comp.c cvs rdiff -u -r1.47 -r1.48 src/usr.sbin/npf/npfctl/npf_build.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. 
Modified files: Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.11 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.12 --- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.11 Sat Sep 29 14:41:36 2018 +++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c Wed Apr 17 20:41:58 2019 @@ -32,7 +32,7 @@ */ #include -__RCSID("$NetBSD: npf_bpf_comp.c,v 1.11 2018/09/29 14:41:36 rmind Exp $"); +__RCSID("$NetBSD: npf_bpf_comp.c,v 1.12 2019/04/17 20:41:58 tih Exp $"); #include #include @@ -565,10 +565,8 @@ npfctl_bpf_tcpfl(npf_bpf_t *ctx, uint8_t }; add_insns(ctx, insns_cmp, __arraycount(insns_cmp)); - if (!checktcp) { - uint32_t mwords[] = { BM_TCPFL, 2, tf, tf_mask}; - done_block(ctx, mwords, sizeof(mwords)); - } + uint32_t mwords[] = { BM_TCPFL, 2, tf, tf_mask}; + done_block(ctx, mwords, sizeof(mwords)); } /* Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.47 src/usr.sbin/npf/npfctl/npf_build.c:1.48 --- src/usr.sbin/npf/npfctl/npf_build.c:1.47 Sat Jan 19 21:19:32 2019 +++ src/usr.sbin/npf/npfctl/npf_build.c Wed Apr 17 20:41:58 2019 @@ -32,7 +32,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.47 2019/01/19 21:19:32 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.48 2019/04/17 20:41:58 tih Exp $"); #include #define __FAVOR_BSD @@ -363,7 +363,7 @@ static bool npfctl_build_code(nl_rule_t *rl, sa_family_t family, const opt_proto_t *op, const filt_opts_t *fopts) { - bool noproto, noaddrs, noports, need_tcpudp = false; + bool noproto, noaddrs, noports, nostate, need_tcpudp = false; const addr_port_t *apfrom = >fo_from; const addr_port_t *apto = >fo_to; const int proto = op->op_proto; 
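Review bot: With the `if (!checktcp)` guard removed in npfctl_bpf_tcpfl(), `checktcp` is no longer read anywhere in the visible part of the function; if it is not used earlier in the body (the start of the function is outside the hunk) the parameter has become unused and a warning-clean build will want it dropped or marked. Either way the reason the match words are now emitted unconditionally — so the default flags are applied even when no TCP check precedes them, per the log message — deserves a comment above `done_block`, e.g. `/* Always emit the match words: the default TCP flags apply even without a preceding protocol check. */`. The `nostate` variable declared in the npf_build.c hunk of this commit is first read in the following hunk.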
@@ -375,7 +375,8 @@ npfctl_build_code(nl_rule_t *rl, sa_fami noproto = family == AF_UNSPEC && proto == -1 && !op->op_opts; noaddrs = !apfrom->ap_netaddr && !apto->ap_netaddr; noports = !apfrom->ap_portrange && !apto->ap_portrange; - if (noproto && noaddrs && noports) { + nostate = !(npf_rule_getattr(rl) & NPF_RULE_STATEFUL); + if (noproto && noaddrs && noports && nostate) { return false; }
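Review bot: The added `nostate` term makes the early `return false` apply only to rules that are stateless as well as criteria-free, so a bare `pass stateful` rule now proceeds to code generation; that is the intent stated in the log, but nothing in the function says so and the next maintainer could easily fold the condition back. A comment on the `if`, `/* A stateful rule still needs code so the default TCP flags are applied. */`, records the reason next to the check. npfctl_build_code's body continues past the hunk.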
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: wiz Date: Mon Apr 8 07:58:45 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Improve wording. To generate a diff of this commit: cvs rdiff -u -r1.85 -r1.86 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.85 src/usr.sbin/npf/npfctl/npf.conf.5:1.86 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.85 Sun Apr 7 22:23:40 2019 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Mon Apr 8 07:58:45 2019 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.85 2019/04/07 22:23:40 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.86 2019/04/08 07:58:45 wiz Exp $ .\" .\" Copyright (c) 2009-2018 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -355,7 +355,7 @@ redirecting the public port 9022 to the .Dl map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 .Pp The translation address can also by dynamic, based on the interface. -The following would select IPv4 address currently assigned to the interface: +The following would select the IPv4 address(es) currently assigned to the interface: .Pp .Dl map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if) .Pp
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sun Apr 7 22:23:40 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: npf.conf(5): Add more info about ifaddrs(). To generate a diff of this commit: cvs rdiff -u -r1.84 -r1.85 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.84 src/usr.sbin/npf/npfctl/npf.conf.5:1.85 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.84 Sat Jan 19 21:19:32 2019 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Sun Apr 7 22:23:40 2019 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.84 2019/01/19 21:19:32 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.85 2019/04/07 22:23:40 rmind Exp $ .\" .\" Copyright (c) 2009-2018 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 14, 2019 +.Dd February 2, 2019 .Dt NPF.CONF 5 .Os .Sh NAME @@ -148,12 +148,16 @@ The .Cm family keyword of a filtering rule can be used in combination to explicitly select an IP address type. +This function can also be used with +.Cm map +to specify the translation address, see below. .El .Pp Example of configuration: .Bd -literal -offset indent $var1 = inet4(wm0) $var2 = ifaddrs(wm0) + group default { block in on wm0 all # rule 1 block in on $var1 all # rule 2 @@ -350,6 +354,11 @@ redirecting the public port 9022 to the .Pp .Dl map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 .Pp +The translation address can also by dynamic, based on the interface. +The following would select IPv4 address currently assigned to the interface: +.Pp +.Dl map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if) +.Pp If the dynamic NAT is configured with multiple translation addresses, then a custom selection algorithm can be chosen using the .Cm algo 
@@ -587,10 +596,9 @@ $localnet = { 10.1.1.0/24 } alg "icmp" -# Note: if $ext_if has multiple IP address (e.g. IPv6 as well), -# then the translation address has to be specified explicitly. -map $ext_if dynamic 10.1.1.0/24 -> $ext_if -map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 +# These NAT rules will dynamically select the interface address(es). +map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if) +map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- ifaddrs($ext_if) port 9022 procedure "log" { # The logging facility can be used together with npfd(8). @@ -635,7 +643,7 @@ group default { .Xr npfctl 8 , .Xr npfd 8 .Pp -.Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation website" +.Lk http://rmind.github.io/npf/ "NPF documentation website" .Sh HISTORY NPF first appeared in .Nx 6.0 .
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: uwe Date: Tue Jan 8 11:36:10 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Actually, according to the grammar the square brackets in the "tcp flags" are not literal, so use .Op to show that /mask is optional. To generate a diff of this commit: cvs rdiff -u -r1.82 -r1.83 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.82 src/usr.sbin/npf/npfctl/npf.conf.5:1.83 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.82 Tue Jan 8 11:28:01 2019 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Tue Jan 8 11:36:10 2019 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.82 2019/01/08 11:28:01 uwe Exp $ +.\"$NetBSD: npf.conf.5,v 1.83 2019/01/08 11:36:10 uwe Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -223,7 +223,7 @@ The keyword can be used to match the packets against specific TCP flags, according to the following syntax: .Pp -.D1 Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns Li \&] +.D1 Ic proto Cm tcp flags Ar match Ns Op Li / Ns Ar mask .Pp Where .Ar match
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: uwe Date: Tue Jan 8 11:28:01 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Restore macro with effect. Fix the real problem that prevented it to have the effect. To generate a diff of this commit: cvs rdiff -u -r1.81 -r1.82 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.81 src/usr.sbin/npf/npfctl/npf.conf.5:1.82 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.81 Tue Jan 8 10:25:26 2019 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Tue Jan 8 11:28:01 2019 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.81 2019/01/08 10:25:26 wiz Exp $ +.\"$NetBSD: npf.conf.5,v 1.82 2019/01/08 11:28:01 uwe Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -223,7 +223,7 @@ The keyword can be used to match the packets against specific TCP flags, according to the following syntax: .Pp -.Dl Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns ] +.D1 Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns Li \&] .Pp Where .Ar match
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: wiz Date: Tue Jan 8 10:25:26 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: New sentence, new line. Punctuation fixes. Remove macros without effect. To generate a diff of this commit: cvs rdiff -u -r1.80 -r1.81 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.80 src/usr.sbin/npf/npfctl/npf.conf.5:1.81 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.80 Tue Jan 8 01:19:16 2019 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Tue Jan 8 10:25:26 2019 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.80 2019/01/08 01:19:16 gutteridge Exp $ +.\"$NetBSD: npf.conf.5,v 1.81 2019/01/08 10:25:26 wiz Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -89,7 +89,7 @@ The following is an example of table def .Dl table type hash dynamic .Pp Currently, tables support three data storage types: -.Cm hash, +.Cm hash , .Cm tree , or .Cm cdb . @@ -133,11 +133,14 @@ Three functions exist, to extract addres list type and IP address type: .Bl -tag -width "Fn ifaddrs interface" -offset indent .It Fn inet4 interface -Static list. IPv4 addresses. +Static list. +IPv4 addresses. .It Fn inet6 interface -Static list. IPv6 addresses. +Static list. +IPv6 addresses. .It Fn ifaddrs interface -Dynamic list. Both IPv4 and IPv6. +Dynamic list. +Both IPv4 and IPv6. The .Cm family keyword of a filtering rule can be used in combination to explicitly select 
@@ -164,7 +167,7 @@ on wm0, and .Li $var2 is the dynamic list of all the IPv4 and IPv6 addresses configured on wm0. The first three rules are equivalent, because with the -.Li Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li > +.Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li > syntax, NPF expects a direct reference to an interface, and therefore does not consider the extraction functions. The fourth and fifth rules are equivalent, for the same reason. @@ -220,7 +223,7 @@ The keyword can be used to match the packets against specific TCP flags, according to the following syntax: .Pp -.Dl Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns Li ] +.Dl Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns ] .Pp Where .Ar match
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: gutteridge Date: Tue Jan 8 01:19:16 UTC 2019 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: npf.conf(5): add a minor clarification about table types that can't accept masks on IP addresses. Prompted by Rob Hunter in PR bin/51900. To generate a diff of this commit: cvs rdiff -u -r1.79 -r1.80 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.79 src/usr.sbin/npf/npfctl/npf.conf.5:1.80 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.79 Fri Sep 21 10:59:11 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Tue Jan 8 01:19:16 2019 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.79 2018/09/21 10:59:11 uwe Exp $ +.\"$NetBSD: npf.conf.5,v 1.80 2019/01/08 01:19:16 gutteridge Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd September 21, 2018 +.Dd January 8, 2019 .Dt NPF.CONF 5 .Os .Sh NAME @@ -102,7 +102,7 @@ Tables of type .Dq hash and .Dq cdb -can only contain IP addresses. +can only contain IP addresses, without masks. Only static data can be used with a storage type of .Dq cdb . .Pp
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: uwe Date: Fri Sep 21 10:59:11 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: According to the grammar and examples the static table is defined with "file" keyword, not "static". To generate a diff of this commit: cvs rdiff -u -r1.78 -r1.79 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.78 src/usr.sbin/npf/npfctl/npf.conf.5:1.79 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.78 Fri Sep 21 09:42:18 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Sep 21 10:59:11 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.78 2018/09/21 09:42:18 uwe Exp $ +.\"$NetBSD: npf.conf.5,v 1.79 2018/09/21 10:59:11 uwe Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -95,9 +95,9 @@ or .Cm cdb . Tables can also be set as containing .Cm dynamic -or -.Cm static -data i.e. loaded from a specified file. +data or static +.Cm file Ar filename +data loaded from a specified file. Tables of type .Dq hash and
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: uwe Date: Fri Sep 21 09:42:18 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Improve markup. To generate a diff of this commit: cvs rdiff -u -r1.77 -r1.78 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.77 src/usr.sbin/npf/npfctl/npf.conf.5:1.78 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.77 Fri Sep 21 07:22:26 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Sep 21 09:42:18 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.77 2018/09/21 07:22:26 maxv Exp $ +.\"$NetBSD: npf.conf.5,v 1.78 2018/09/21 09:42:18 uwe Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -46,7 +46,8 @@ in-depth information. There are multiple structural elements that .Nm may contain, such as: -.Bl -bullet -offset indent +.Pp +.Bl -bullet -offset indent -compact .It variables .It 
@@ -64,40 +65,52 @@ procedure definitions to call on filtere .El .Sh SYNTAX .Ss Variables -Variables are specified using the dollar ($) sign, which is used for both +Variables are specified using the dollar +.Pq Li $ +sign, which is used for both definition and referencing of a variable. Variables are defined by assigning a value to them as follows: -.Bd -literal -$var1 = 10.0.0.1 -.Ed +.Pp +.Dl $var1 = 10.0.0.1 .Pp A variable may also be defined as a set: -.Bd -literal -$var2 = { 10.0.0.1, 10.0.0.2 } -.Ed +.Pp +.Dl $var2 = { 10.0.0.1, 10.0.0.2 } .Pp Common variable definitions are for IP addresses, networks, ports, and interfaces. .Ss Tables Tables are specified using a name between angle brackets -< and >. +.Sq Li < +and +.Sq Li > . The following is an example of table definition: -.Bd -literal -table type hash dynamic .Pp -.Ed -Currently, tables support three data storage types: "hash", "tree", or "cdb". -Tables can also be set as containing "dynamic" or "static" data i.e. loaded -from a specified file. -Tables of type "hash" and "cdb" can only contain IP addresses. -Only static data can be used with a storage type of "cdb". +.Dl table type hash dynamic +.Pp +Currently, tables support three data storage types: +.Cm hash, +.Cm tree , +or +.Cm cdb . +Tables can also be set as containing +.Cm dynamic +or +.Cm static +data i.e. loaded from a specified file. +Tables of type +.Dq hash +and +.Dq cdb +can only contain IP addresses. +Only static data can be used with a storage type of +.Dq cdb . .Pp The specified file should contain a list of IP addresses and/or networks in the -form of: -.Bd -literal -10.0.0.0/24 -10.1.1.1 -.Ed +form of +.Li 10.1.1.1 +or +.Li 10.0.0.0/24 .Ss Interfaces In NPF, an interface can be referenced directly by using its name, or can be passed to an extraction function which will return a list of IP addresses 
@@ -113,26 +126,26 @@ With a static list, NPF will capture the load, whereas with a dynamic list NPF will capture the runtime list of addresses, reflecting any changes to the interface, including the attach and detach. -Note that with a dynamic list, marking the interface as ``down'' has no effect, +Note that with a dynamic list, bringing the interface down has no effect, all addresses will remain present. .Pp Three functions exist, to extract addresses from an interface with a chosen list type and IP address type: -.Bl -tag -width Xifaddrs()XX -offset indent -.It Fn inet4 -Static list, IPv4 addresses. -.It Fn inet6 -Static list, IPv6 addresses. -.It Fn ifaddrs -Dynamic list, both IPv4 and IPv6. +.Bl -tag -width "Fn ifaddrs interface" -offset indent +.It Fn inet4 interface +Static list. IPv4 addresses. +.It Fn inet6 interface +Static list. IPv6 addresses. +.It Fn ifaddrs interface +Dynamic list. Both IPv4 and IPv6. The -.Cd family -keyword can be used in combination of a filtering rule to explicitly select +.Cm family +keyword of a filtering rule can be used in combination to explicitly select an IP address type. .El .Pp Example of configuration: -.Bd -literal +.Bd -literal -offset indent $var1 = inet4(wm0) $var2 = ifaddrs(wm0) group default { @@ -144,11 +157,14 @@ group default { } .Ed .Pp -In the above example, $var1 is the static list of IPv4 addresses configured -on wm0, and $var2 is the dynamic list of all the IPv4 and IPv6 addresses -configured on wm0. +In the above example, +.Li $var1 +is the static list of IPv4 addresses configured +on wm0, and +.Li $var2 +is the dynamic list of all the IPv4 and IPv6 addresses configured on wm0. The first three rules are equivalent, because with the -.Cd block ... on +.Li Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li > syntax, NPF expects a direct reference to an interface, and therefore does not consider the extraction functions. The fourth and fifth rules are equivalent, for the same reason. @@
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: maxv Date: Fri Sep 21 07:22:26 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Wrap long lines, so that nothing overflows. To generate a diff of this commit: cvs rdiff -u -r1.76 -r1.77 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.76 src/usr.sbin/npf/npfctl/npf.conf.5:1.77 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.76 Wed Sep 19 15:36:12 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Sep 21 07:22:26 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.76 2018/09/19 15:36:12 maxv Exp $ +.\"$NetBSD: npf.conf.5,v 1.77 2018/09/21 07:22:26 maxv Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd September 19, 2018 +.Dd September 21, 2018 .Dt NPF.CONF 5 .Os .Sh NAME @@ -425,7 +425,8 @@ therefore it does not strictly represent syntax = var-def | set-param | alg | table-def | map | group | proc | comment -# Variable definition. Names can be alpha-numeric, including "_" character. +# Variable definition. Names can be alpha-numeric, including "_" +# character. var-name = "$" . string interface = interface-name | var-name @@ -439,7 +440,8 @@ set-param = "set" param-value alg = "alg" alg-name alg-name = "icmp" -# Table definition. Table ID shall be numeric. Path is in the double quotes. +# Table definition. Table ID shall be numeric. Path is in the +# double quotes. table-id = table-def = "table" table-id "type" ( "hash" | "tree" | "cdb" ) 
@@ -492,7 +494,8 @@ proto-opts = "flags" tcp-flags [ "/" tcp "icmp-type" type [ "code" icmp-code ] proto = "proto" protocol [ proto-opts ] -filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] +filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr + [ port-opts ] filt-addr = [ "!" ] [ interface | addr-mask | table-id | "any" ] port-opts = "port" ( port-num | port-from "-" port-to | var-name ) @@ -537,11 +540,16 @@ group "external" on $ext_if { pass stateful out final all block in final from - pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log" - pass stateful in final proto tcp to $ext_if port $services_tcp - pass stateful in final proto udp to $ext_if port $services_udp - pass stateful in final proto tcp to $ext_if port 49151-65535 # passive FTP - pass stateful in final proto udp to $ext_if port 33434-33600 # traceroute + pass stateful in final family inet4 proto tcp to $ext_if \e + port ssh apply "log" + pass stateful in final proto tcp to $ext_if \e + port $services_tcp + pass stateful in final proto udp to $ext_if \e + port $services_udp + pass stateful in final proto tcp to $ext_if \e + port 49151-65535 # passive FTP + pass stateful in final proto udp to $ext_if \e + port 33434-33600 # traceroute } group "internal" on $int_if {
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: maxv Date: Wed Sep 19 15:36:12 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Switch back to tabs, it was nicer this way. To generate a diff of this commit: cvs rdiff -u -r1.75 -r1.76 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.75 src/usr.sbin/npf/npfctl/npf.conf.5:1.76 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.75 Tue Sep 4 15:36:01 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Wed Sep 19 15:36:12 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.75 2018/09/04 15:36:01 maxv Exp $ +.\"$NetBSD: npf.conf.5,v 1.76 2018/09/19 15:36:12 maxv Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd September 4, 2018 +.Dd September 19, 2018 .Dt NPF.CONF 5 .Os .Sh NAME 
@@ -529,33 +529,33 @@ map $ext_if dynamic 10.1.1.0/24 -> $ext_ map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 procedure "log" { - # The logging facility can be used together with npfd(8). - log: npflog0 + # The logging facility can be used together with npfd(8). + log: npflog0 } group "external" on $ext_if { - pass stateful out final all + pass stateful out final all - block in final from - pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log" - pass stateful in final proto tcp to $ext_if port $services_tcp - pass stateful in final proto udp to $ext_if port $services_udp - pass stateful in final proto tcp to $ext_if port 49151-65535 # passive FTP - pass stateful in final proto udp to $ext_if port 33434-33600 # traceroute + block in final from + pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log" + pass stateful in final proto tcp to $ext_if port $services_tcp + pass stateful in final proto udp to $ext_if port $services_udp + pass stateful in final proto tcp to $ext_if port 49151-65535 # passive FTP + pass stateful in final proto udp to $ext_if port 33434-33600 # traceroute } group "internal" on $int_if { - block in all - block in final from + block in all + block in final from - # Ingress filtering as per BCP 38 / RFC 2827. - pass in final from $localnet - pass out final all + # Ingress filtering as per BCP 38 / RFC 2827. + pass in final from $localnet + pass out final all } group default { - pass final on lo0 all - block all + pass final on lo0 all + block all } .Ed .\" -
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: maxv Date: Tue Sep 4 15:36:02 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Fix the "Interfaces" section, I understood wrong. Talk about inference, because it was not mentioned before, and it plays an important role. Discussed with rmind. Probably not the last pass. To generate a diff of this commit: cvs rdiff -u -r1.74 -r1.75 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.74 src/usr.sbin/npf/npfctl/npf.conf.5:1.75 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.74 Sun Sep 2 18:03:23 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Tue Sep 4 15:36:01 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.74 2018/09/02 18:03:23 wiz Exp $ +.\"$NetBSD: npf.conf.5,v 1.75 2018/09/04 15:36:01 maxv Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd September 2, 2018 +.Dd September 4, 2018 .Dt NPF.CONF 5 .Os .Sh NAME 
@@ -99,16 +99,20 @@ form of: 10.1.1.1 .Ed .Ss Interfaces -In the context of NPF, an interface is seen as a list of IP addresses, -that can be IPv4 or IPv6, which are configured on the actual associated -interface. -.Pp -Such list can be either static or dynamic. -With a static list, NPF will -capture the interface addresses on configuration load, whereas with a dynamic -list NPF will capture the runtime list of addresses, reflecting any changes -to the interface, including the attach and detach. -.Pp +In NPF, an interface can be referenced directly by using its name, or can be +passed to an extraction function which will return a list of IP addresses +configured on the actual associated interface. +.Pp +It is legal to pass an extracted list from an interface in keywords where +NPF would expect instead a direct reference to said interface. +In this case, NPF infers a direct reference to the interface, and does not +consider the list. +.Pp +There are two types of IP address lists. +With a static list, NPF will capture the interface addresses on configuration +load, whereas with a dynamic list NPF will capture the runtime list of +addresses, reflecting any changes to the interface, including the attach and +detach. Note that with a dynamic list, marking the interface as ``down'' has no effect, all addresses will remain present. .Pp 
@@ -127,27 +131,27 @@ keyword can be used in combination of a an IP address type. .El .Pp -By default, when no extraction function is used, -.Fn ifaddrs -is assumed. -.Pp -Example of configuration with static interface lists: -.Bd -literal -$pub_if4 = inet4(wm0) -$pub_if46 = { inet4(wm0), inet6(wm0) } -.Ed -.Pp -In the above example, $pub_if4 is the list of IPv4 addresses configured -on wm0, and $pub_if46 is the list of IPv4 and IPv6 addresses configured -on wm0. -.Pp -Example of configuration with dynamic interface lists: +Example of configuration: .Bd -literal -$pub_if_1 = ifaddrs(wm0) -$pub_if_2 = wm0 +$var1 = inet4(wm0) +$var2 = ifaddrs(wm0) +group default { + block in on wm0 all # rule 1 + block in on $var1 all # rule 2 + block in on inet4(wm0) all# rule 3 + pass in on inet6(wm0) from $var2 # rule 4 + pass in on wm0 from ifaddrs(wm0) # rule 5 +} .Ed .Pp -In the above example, $pub_if_1 and $pub_if_2 are equal. +In the above example, $var1 is the static list of IPv4 addresses configured +on wm0, and $var2 is the dynamic list of all the IPv4 and IPv6 addresses +configured on wm0. +The first three rules are equivalent, because with the +.Cd block ... on +syntax, NPF expects a direct reference to an interface, and therefore does +not consider the extraction functions. +The fourth and fifth rules are equivalent, for the same reason. .Ss Groups NPF requires that all rules be defined within groups. Groups can be thought of as higher level rules which can contain subrules.
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: wiz Date: Sun Sep 2 18:03:23 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: New sentence, new line. Use Fn for functions. To generate a diff of this commit: cvs rdiff -u -r1.73 -r1.74 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.73 src/usr.sbin/npf/npfctl/npf.conf.5:1.74 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.73 Sun Sep 2 17:45:18 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Sun Sep 2 18:03:23 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.73 2018/09/02 17:45:18 maxv Exp $ +.\"$NetBSD: npf.conf.5,v 1.74 2018/09/02 18:03:23 wiz Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -103,7 +103,8 @@ In the context of NPF, an interface is s that can be IPv4 or IPv6, which are configured on the actual associated interface. .Pp -Such list can be either static or dynamic. With a static list, NPF will +Such list can be either static or dynamic. +With a static list, NPF will capture the interface addresses on configuration load, whereas with a dynamic list NPF will capture the runtime list of addresses, reflecting any changes to the interface, including the attach and detach. @@ -114,11 +115,11 @@ all addresses will remain present. Three functions exist, to extract addresses from an interface with a chosen list type and IP address type: .Bl -tag -width Xifaddrs()XX -offset indent -.It inet4() +.It Fn inet4 Static list, IPv4 addresses. -.It inet6() +.It Fn inet6 Static list, IPv6 addresses. -.It ifaddrs() +.It Fn ifaddrs Dynamic list, both IPv4 and IPv6. The .Cd family 
@@ -126,7 +127,9 @@ keyword can be used in combination of a an IP address type. .El .Pp -By default, when no extraction function is used, ifaddrs() is assumed. +By default, when no extraction function is used, +.Fn ifaddrs +is assumed. .Pp Example of configuration with static interface lists: .Bd -literal
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: maxv Date: Sun Sep 2 17:45:18 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Be clearer about the difference between static vs dynamic interface list, and slightly improve wording. My understanding is that when none of inet4/inet6/ifaddrs is passed, NPF assumes ifaddrs. To generate a diff of this commit: cvs rdiff -u -r1.72 -r1.73 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.72 src/usr.sbin/npf/npfctl/npf.conf.5:1.73 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.72 Sat Sep 1 19:26:46 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Sun Sep 2 17:45:18 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.72 2018/09/01 19:26:46 wiz Exp $ +.\"$NetBSD: npf.conf.5,v 1.73 2018/09/02 17:45:18 maxv Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd September 1, 2018 +.Dd September 2, 2018 .Dt NPF.CONF 5 .Os .Sh NAME 
@@ -99,38 +99,52 @@ form of: 10.1.1.1 .Ed .Ss Interfaces -Interfaces can be specified as the values of the variables: -.Bd -literal -$pub_if_list = { inet4(wm0), inet4(wm1) } -.Ed +In the context of NPF, an interface is seen as a list of IP addresses, +that can be IPv4 or IPv6, which are configured on the actual associated +interface. +.Pp +Such list can be either static or dynamic. With a static list, NPF will +capture the interface addresses on configuration load, whereas with a dynamic +list NPF will capture the runtime list of addresses, reflecting any changes +to the interface, including the attach and detach. +.Pp +Note that with a dynamic list, marking the interface as ``down'' has no effect, +all addresses will remain present. +.Pp +Three functions exist, to extract addresses from an interface with a chosen +list type and IP address type: +.Bl -tag -width Xifaddrs()XX -offset indent +.It inet4() +Static list, IPv4 addresses. +.It inet6() +Static list, IPv6 addresses. +.It ifaddrs() +Dynamic list, both IPv4 and IPv6. +The +.Cd family +keyword can be used in combination of a filtering rule to explicitly select +an IP address type. +.El +.Pp +By default, when no extraction function is used, ifaddrs() is assumed. .Pp -In the context of filtering, an interface provides a list of all its IP -addresses, both IPv4 and IPv6. -Specific addresses configured on an interface can also be selected by family, -e.g.: +Example of configuration with static interface lists: .Bd -literal $pub_if4 = inet4(wm0) $pub_if46 = { inet4(wm0), inet6(wm0) } .Ed .Pp -In the above examples, NPF will statically capture the interface -addresses on configuration load. +In the above example, $pub_if4 is the list of IPv4 addresses configured +on wm0, and $pub_if46 is the list of IPv4 and IPv6 addresses configured +on wm0. 
.Pp -The following can be used for dynamic handling of the interface addresses: +Example of configuration with dynamic interface lists: .Bd -literal -$pub_if = ifaddrs(wm0) +$pub_if_1 = ifaddrs(wm0) +$pub_if_2 = wm0 .Ed .Pp -In this case, the expression will represent the runtime list of addresses, -reflecting any changes to the interface, including the attach and detach. -Marking the interface as ``down'' has no effect, i.e. all addresses will -remain present. -.Pp -A dynamic address list represents both the IPv4 and IPv6 addresses configured on -an interface. -The -.Cd family -keyword can be used in combination of a filtering rule to be explicit. +In the above example, $pub_if_1 and $pub_if_2 are equal. .Ss Groups NPF requires that all rules be defined within groups. Groups can be thought of as higher level rules which can contain subrules. @@ -174,7 +188,9 @@ Its parameter should be a protocol numbe as specified in the .Pa /etc/protocols file. -The protocol keyword can additionally have protocol-specific options. +This keyword can additionally have protocol-specific options, such as +.Cd flags . +.Pp The .Cd flags keyword can be used to match the packets against specific TCP flags, @@ -279,7 +295,9 @@ on packets originating from the 10.1.1.0 Explicit filter criteria can be specified using "pass " as an additional option of the mapping. .Pp -The dynamic NAT implies network address and port translation (NAPT). +The +.Cd dynamic +NAT implies network address and port translation (NAPT). The port translation can be controlled explicitly. For example, the following provides "port forwarding", redirecting the public port 9022 to the port 22 of an internal host: @@ -287,7 +305,9 @@ public port 9022 to the port 22 of an in map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 .Ed .Pp -The static NAT can have
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: wiz Date: Sat Sep 1 19:26:46 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Remove superfluous Pp. To generate a diff of this commit: cvs rdiff -u -r1.71 -r1.72 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.71 src/usr.sbin/npf/npfctl/npf.conf.5:1.72 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.71 Sat Sep 1 16:28:57 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Sat Sep 1 19:26:46 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.71 2018/09/01 16:28:57 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.72 2018/09/01 19:26:46 wiz Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -298,7 +298,6 @@ IPv6-to-IPv6 network prefix translation .El .Pp Currently, the static NAT algorithms do not perform port translation. -.Pp .Ss Application Level Gateways Certain application layer protocols are not compatible with NAT and require translation outside layers 3 and 4.
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Sat Sep 1 16:28:57 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: npf.conf(5): fix some of the previous incorrect or inaccurate changes. The TCP flags option is not only for the stateful tracking. Dynamic NAT implies NAPT; algorithms, at least for now, are for static NAT mappings. Mention that ALG ICMP is also for traceroute behind NAT; also mention "MSS clamping" (some users might search for this term, so keeping the terminology is helpful). To generate a diff of this commit: cvs rdiff -u -r1.70 -r1.71 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.70 src/usr.sbin/npf/npfctl/npf.conf.5:1.71 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.70 Fri Aug 31 11:18:35 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Sat Sep 1 16:28:57 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.70 2018/08/31 11:18:35 maxv Exp $ +.\"$NetBSD: npf.conf.5,v 1.71 2018/09/01 16:28:57 rmind Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 31, 2018 +.Dd September 1, 2018 .Dt NPF.CONF 5 .Os .Sh NAME @@ -87,8 +87,8 @@ table type hash dynamic .Pp .Ed Currently, tables support three data storage types: "hash", "tree", or "cdb". -Tables can also be set as containing "dynamic" or "static" data i.e. loaded from - a specified file. +Tables can also be set as containing "dynamic" or "static" data i.e. loaded +from a specified file. Tables of type "hash" and "cdb" can only contain IP addresses. Only static data can be used with a storage type of "cdb". .Pp 
@@ -166,9 +166,31 @@ option set, this rule is considered the evaluation of subsequent rules is skipped. Otherwise, the last matching rule is used. .Pp -A rule can also instruct NPF to create an entry in the state table -when passing the packet, to notify the sender when blocking it, and -to apply a procedure to the packet (e.g. "log") in either case. +The +.Cd proto +keyword can be used to filter packets by layer 4 protocol (TCP, UDP, ICMP +or other). +Its parameter should be a protocol number or its symbolic name, +as specified in the +.Pa /etc/protocols +file. +The protocol keyword can additionally have protocol-specific options. +The +.Cd flags +keyword can be used to match the packets against specific TCP flags, +according to the following syntax: +.Bl -tag -width protoXX -offset indent +.It proto tcp flags Ar match[/mask] +.El +.Pp +Where +.Ar match +is the set of TCP flags to be matched, out of the +.Ar mask +set, both sets being represented as a string combination of: S (SYN), +A (ACK), F (FIN), R (RST). The flags that are not present in +.Ar mask +are ignored. .Pp To notify the sender of a blocking decision, three .Cd return 
@@ -187,20 +209,19 @@ Return an ICMP UNREACHABLE message, when Applies to IPv4 and IPv6. .El .Pp +Further packet specification at present is limited to TCP and UDP +understanding source and destination ports, and ICMP and IPv6-ICMP +understanding icmp-type. +.Pp +A rule can also instruct NPF to create an entry in the state table when +passing the packet or to apply a procedure to the packet (e.g. "log"). +.Pp A "fully-featured" rule would for example be: .Bd -literal pass stateful in final family inet4 proto tcp flags S/SA \\ from $source port $sport to $dest port $dport apply "someproc" .Ed .Pp -Any protocol in -.Pa /etc/protocols -can be specified. -Further packet -specification at present is limited to protocol TCP understanding flags, -TCP and UDP understanding source and destination ports, and ICMP and -IPv6-ICMP understanding icmp-type. -.Pp Alternatively, NPF supports .Xr pcap-filter 7 syntax, for example: @@ -223,25 +244,6 @@ precaution. In both cases, a full TCP state tracking is performed for TCP connections and a limited tracking for message-based protocols (UDP and ICMP). .Pp -The -.Cd flags -keyword can be used in conjunction with the -.Cd stateful -keyword to match the packets against specific TCP flags, according to -the following syntax: -.Bl -tag -width flagsXX -offset indent -.It flags Ar match[/mask] -.El -.Pp -Where -.Ar match -is the set of TCP flags to be matched, out of the -.Ar mask -set, both sets being represented as a string combination of: S (SYN), -A (ACK), F (FIN), R (RST). The flags that are not present in -.Ar mask -are ignored. -.Pp By default, a stateful rule implies SYN-only flag check ("flags S/SAFR") for the TCP packets. It is not advisable to change this behavior; however, @@ -271,21 +273,32 @@ specified by $pub_ip for the packets on map $ext_if dynamic 10.1.1.0/24 -> $pub_ip .Ed .Pp -Several NAT
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: maxv Date: Fri Aug 31 11:18:35 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: rename net-seg -> map-seg, and document it To generate a diff of this commit: cvs rdiff -u -r1.69 -r1.70 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.69 src/usr.sbin/npf/npfctl/npf.conf.5:1.70 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.69 Fri Aug 31 11:11:21 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Aug 31 11:18:35 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.69 2018/08/31 11:11:21 maxv Exp $ +.\"$NetBSD: npf.conf.5,v 1.70 2018/08/31 11:18:35 maxv Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -408,11 +408,12 @@ table-def = "table" table-id "type" ( "h map = "map" interface ( "static" [ "algo" map-algo ] | "dynamic" ) [ map-flags ] [ proto ] - net-seg ( "->" | "<-" | "<->" ) net-seg + map-seg ( "->" | "<-" | "<->" ) map-seg [ "pass" [ proto ] filt-opts ] map-algo = "npt66" map-flags = "no-ports" +map-seg = ( addr-mask | interface ) [ port-opts ] # Rule procedure definition. The name should be in the double quotes. # @@ -448,11 +449,11 @@ family-opt = "inet4" | "inet6" proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] | "icmp-type" type [ "code" icmp-code ] -addr-mask = addr [ "/" mask ] filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] filt-addr = [ "!" ] [ interface | addr-mask | table-id | "any" ] port-opts = "port" ( port-num | port-from "-" port-to | var-name ) +addr-mask = addr [ "/" mask ] .Ed .\" - .Sh FILES
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: maxv Date: Fri Aug 31 11:11:21 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: "interface" already contains "var-name", so don't mention it in "filt-addr", that's redundant To generate a diff of this commit: cvs rdiff -u -r1.68 -r1.69 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.68 src/usr.sbin/npf/npfctl/npf.conf.5:1.69 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.68 Fri Aug 31 11:01:09 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Aug 31 11:11:21 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.68 2018/08/31 11:01:09 maxv Exp $ +.\"$NetBSD: npf.conf.5,v 1.69 2018/08/31 11:11:21 maxv Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -450,8 +450,7 @@ proto-opts = "flags" tcp-flags [ "/" tcp addr-mask = addr [ "/" mask ] filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] -filt-addr = [ "!" ] [ interface | var-name | - addr-mask | table-id | "any" ] +filt-addr = [ "!" ] [ interface | addr-mask | table-id | "any" ] port-opts = "port" ( port-num | port-from "-" port-to | var-name ) .Ed
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: maxv Date: Fri Aug 31 11:01:09 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: should be port-opts To generate a diff of this commit: cvs rdiff -u -r1.67 -r1.68 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.67 src/usr.sbin/npf/npfctl/npf.conf.5:1.68 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.67 Fri Aug 31 10:52:30 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Aug 31 11:01:09 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.67 2018/08/31 10:52:30 maxv Exp $ +.\"$NetBSD: npf.conf.5,v 1.68 2018/08/31 11:01:09 maxv Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -452,7 +452,8 @@ addr-mask = addr [ "/" mask ] filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] filt-addr = [ "!" ] [ interface | var-name | addr-mask | table-id | "any" ] -filt-port = "port" ( port-num | port-from "-" port-to | var-name ) + +port-opts = "port" ( port-num | port-from "-" port-to | var-name ) .Ed .\" - .Sh FILES
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: maxv Date: Fri Aug 31 10:52:30 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Clarify the "Groups" section. To generate a diff of this commit: cvs rdiff -u -r1.66 -r1.67 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.66 src/usr.sbin/npf/npfctl/npf.conf.5:1.67 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.66 Mon Aug 27 13:20:47 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Aug 31 10:52:30 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.66 2018/08/27 13:20:47 wiz Exp $ +.\"$NetBSD: npf.conf.5,v 1.67 2018/08/31 10:52:30 maxv Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 27, 2018 +.Dd August 31, 2018 .Dt NPF.CONF 5 .Os .Sh NAME @@ -132,17 +132,25 @@ The .Cd family keyword can be used in combination of a filtering rule to be explicit. .Ss Groups +NPF requires that all rules be defined within groups. +Groups can be thought of as higher level rules which can contain subrules. Groups may have the following options: name, interface, and direction. -They are defined in the following form: +Packets matching group criteria are passed to the ruleset of that group. +If a packet does not match any group, it is passed to the +.Cd default group . +The +.Cd default group +must always be defined. +.Pp +Example of configuration: .Bd -literal group "my-name" in on wm0 { - # List of rules + # List of rules, for packets received on wm0 +} +group default { + # List of rules, for the other packets } .Ed -A minimal -.Nm -must contain a mandatory -.Cd default group . .Ss Rules With a rule statement NPF is instructed to .Cd pass
CVS commit: src/usr.sbin/npf/npfd
Module Name:src
Committed By: maxv
Date: Fri Aug 31 10:38:17 UTC 2018
Modified Files:
src/usr.sbin/npf/npfd: npfd.8
Log Message:
remove commented reference to pflog
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/npf/npfd/npfd.8
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfd/npfd.8
diff -u src/usr.sbin/npf/npfd/npfd.8:1.5 src/usr.sbin/npf/npfd/npfd.8:1.6
--- src/usr.sbin/npf/npfd/npfd.8:1.5 Tue Aug 7 22:55:47 2018
+++ src/usr.sbin/npf/npfd/npfd.8 Fri Aug 31 10:38:17 2018
@@ -1,4 +1,4 @@
-.\" $NetBSD: npfd.8,v 1.5 2018/08/07 22:55:47 sevan Exp $
+.\" $NetBSD: npfd.8,v 1.6 2018/08/31 10:38:17 maxv Exp $
 .\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $
 .\"
 .\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
@@ -156,7 +156,6 @@ Log specific tcp packets to a different
 .Ed
 .Pp
 Log from another
-.\" .Xr pflog 4
 npflog
 interface, excluding specific packets:
 .Bd -literal -offset indent
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: wiz
Date: Mon Aug 27 13:20:47 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Add missing -width; remove unnecessary .Pp.
To generate a diff of this commit:
cvs rdiff -u -r1.65 -r1.66 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.65 src/usr.sbin/npf/npfctl/npf.conf.5:1.66
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.65 Mon Aug 27 13:09:16 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Mon Aug 27 13:20:47 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.65 2018/08/27 13:09:16 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.66 2018/08/27 13:20:47 wiz Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -221,7 +221,7 @@ keyword can be used in conjunction with
 .Cd stateful
 keyword to match the packets against specific TCP flags, according to
 the following syntax:
-.Bl -tag -offset indent
+.Bl -tag -width flagsXX -offset indent
 .It flags Ar match[/mask]
 .El
 .Pp
@@ -248,7 +248,6 @@ The translation may be
 .Cd static
 (stateless).
 The following mapping types are available:
-.Pp
 .Bl -tag -width <-> -offset indent
 .It Pa ->
 outbound NAT (translation of the source)
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Mon Aug 27 13:09:16 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Improve the "Map" section.
To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.64 src/usr.sbin/npf/npfctl/npf.conf.5:1.65
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.64 Mon Aug 27 12:46:03 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Mon Aug 27 13:09:16 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.64 2018/08/27 12:46:03 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.65 2018/08/27 13:09:16 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -258,12 +258,22 @@ inbound NAT (translation of the destinat
 bi-directional NAT (combination of inbound and outbound NAT)
 .El
 .Pp
-The following would translate the source to the IP address specified
-by the $pub_ip for the packets on the interface $ext_if.
+The following would translate the source (10.1.1.0/24) to the IP address
+specified by $pub_ip for the packets on the interface $ext_if.
 .Bd -literal
 map $ext_if dynamic 10.1.1.0/24 -> $pub_ip
 .Ed
 .Pp
+Several NAT algorithms are available, and can be chosen using the
+.Cd algo
+keyword.
+By default, NPF will use the NAPT algorithm.
+The other available algorithms are:
+.Bl -tag -width Xnpt66XX -offset indent
+.It npt66
+IPv6-to-IPv6 network prefix translation (NPTv6).
+.El
+.Pp
 Translations are implicitly filtered by limiting the operation to the
 network segments specified, that is, translation would be performed only
 on packets originating from the 10.1.1.0/24 network.
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Mon Aug 27 12:46:03 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Document ALGs.
To generate a diff of this commit:
cvs rdiff -u -r1.63 -r1.64 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.63 src/usr.sbin/npf/npfctl/npf.conf.5:1.64
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.63 Fri Aug 17 12:20:49 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Mon Aug 27 12:46:03 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.63 2018/08/17 12:20:49 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.64 2018/08/27 12:46:03 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 17, 2018
+.Dd August 27, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -58,6 +58,8 @@ packet filtering rules
 .It
 map rules for address translation
 .It
+application level gateways
+.It
 procedure definitions to call on filtered packets.
 .El
 .Sh SYNTAX
@@ -267,6 +269,35 @@ network segments specified, that is, tra
 on packets originating from the 10.1.1.0/24 network.
 Explicit filter criteria can be specified using "pass " as an additional option of the mapping.
+.Ss Application Level Gateways
+Certain application layer protocols are not compatible with NAT and require
+translation outside layers 3 and 4.
+Such translation is performed by packet filter extensions called
+Application Level Gateways (ALGs).
+.Pp
+NPF supports the following ALGs:
+.Bl -tag -width XicmpXX -offset indent
+.It icmp
+ICMP ALG.
+Allows to find an active connection by looking at the ICMP payload, and to
+perform NAT translation of the ICMP payload.
+Applies to IPv4 and IPv6.
+.El
+.Pp
+The ALGs are built-in, unless NPF is used as kernel module, in which case
+they come as kernel modules too.
+In that case, the ALG kernel modules can be autoloaded through the
+configuration, using the
+.Cd alg
+keyword.
+.Pp
+For example:
+.Bd -literal
+alg "icmp"
+.Ed
+.Pp
+Alternatively, the ALG kernel modules can be loaded manually, using
+.Xr modload 8 .
 .Ss Procedures
 A rule procedure is defined as a collection of extension calls (it may have none).
@@ -344,9 +375,10 @@ var-def = var "=" ( var-value | "{" val
 # Parameter setting.
 set-param = "set" param-value
-# Application level gateway. The name should be in the double quotes.
+# Application level gateway. The name should be in double quotes.
 alg = "alg" alg-name
+alg-name = "icmp"
 # Table definition. Table ID shall be numeric. Path is in the double quotes.
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Fri Aug 17 12:20:49 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Add the values of "algo" in the grammar, and use # as comment marker for man-k.org (and others) not to highlight things in an incorrect way.
To generate a diff of this commit:
cvs rdiff -u -r1.62 -r1.63 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.62 src/usr.sbin/npf/npfctl/npf.conf.5:1.63
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.62 Fri Aug 17 12:04:20 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Aug 17 12:20:49 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.62 2018/08/17 12:04:20 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.63 2018/08/17 12:20:49 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -329,52 +329,53 @@ The following is a non-formal BNF-like d The definition is simplified and is intended to be human readable, therefore it does not strictly represent the formal grammar. .Bd -literal -; Syntax of a single line. Lines can be separated by LF (\\n) or -; a semicolon. Comments start with a hash (#) character. +# Syntax of a single line. Lines can be separated by LF (\\n) or +# a semicolon. Comments start with a hash (#) character. syntax = var-def | set-param | alg | table-def | map | group | proc | comment -; Variable definition. Names can be alpha-numeric, including "_" character. +# Variable definition. Names can be alpha-numeric, including "_" character. var-name = "$" . string interface = interface-name | var-name var-def = var "=" ( var-value | "{" value *[ "," value ] "}" ) -; Parameter setting. +# Parameter setting. set-param = "set" param-value -; Application level gateway. The name should be in the double quotes. +# Application level gateway. The name should be in the double quotes. alg = "alg" alg-name -; Table definition. Table ID shall be numeric. Path is in the double quotes. +# Table definition. Table ID shall be numeric. Path is in the double quotes. table-id = table-def = "table" table-id "type" ( "hash" | "tree" | "cdb" ) ( "dynamic" | "file" path ) -; Mapping for address translation. +# Mapping for address translation. map = "map" interface - ( "static" [ "algo" algorithm ] | "dynamic" ) + ( "static" [ "algo" map-algo ] | "dynamic" ) [ map-flags ] [ proto ] net-seg ( "->" | "<-" | "<->" ) net-seg [ "pass" [ proto ] filt-opts ] +map-algo = "npt66" map-flags = "no-ports" -; Rule procedure definition. The name should be in the double quotes. -; -; Each call can have its own options in a form of key-value pairs. -; Both key and values may be strings (either in double quotes or not) -; and numbers, depending on the extension. +# Rule procedure definition. The name should be in the double quotes. 
+# +# Each call can have its own options in a form of key-value pairs. +# Both key and values may be strings (either in double quotes or not) +# and numbers, depending on the extension. proc = "procedure" proc-name "{" *( proc-call [ new-line ] ) "}" proc-opts = key [ " " val ] [ "," proc-opts ] proc-call = call-name ":" proc-opts new-line -; Group definition and the rule list. +# Group definition and the rule list. group = "group" ( "default" | group-opts ) "{" rule-list "}" group-opts = name-string [ "in" | "out" ] [ "on" interface ]
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Fri Aug 17 12:04:20 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Add missing quote in static-rule, it causes man-k.org (and other tools) to wrongly highlight the grammar.
To generate a diff of this commit:
cvs rdiff -u -r1.61 -r1.62 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.61 src/usr.sbin/npf/npfctl/npf.conf.5:1.62
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.61 Fri Aug 17 10:24:19 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Aug 17 12:04:20 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.61 2018/08/17 10:24:19 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.62 2018/08/17 12:04:20 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -383,7 +383,7 @@ rule-list = [ rule new-line ] rule-list
 npf-filter = [ "family" family-opt ] [ proto ] ( "all" | filt-opts )
 static-rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" | "stateful-ends" ]
- [ "in" | out" ] [ "final" ] [ "on" interface ]
+ [ "in" | "out" ] [ "final" ] [ "on" interface ]
 ( npf-filter | "pcap-filter" pcap-filter-expr ) [ "apply" proc-name ]
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Fri Aug 17 10:24:19 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Replace "rproc"->"proc" in the grammar (spotted by he@), and slightly reword.
To generate a diff of this commit:
cvs rdiff -u -r1.60 -r1.61 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.60 src/usr.sbin/npf/npfctl/npf.conf.5:1.61
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.60 Fri Aug 17 10:16:24 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Aug 17 10:24:19 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.60 2018/08/17 10:16:24 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.61 2018/08/17 10:24:19 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -225,7 +225,7 @@ the following syntax:
 .Pp
 Where
 .Ar match
-is the set of TCP flags we want to match out of the
+is the set of TCP flags to be matched, out of the
 .Ar mask
 set, both sets being represented as a string combination of: S (SYN),
 A (ACK), F (FIN), R (RST). The flags that are not present in
@@ -333,7 +333,7 @@ therefore it does not strictly represent
 ; a semicolon. Comments start with a hash (#) character.
 syntax = var-def | set-param | alg | table-def |
- map | group | rproc | comment
+ map | group | proc | comment
 ; Variable definition. Names can be alpha-numeric, including "_" character.
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Fri Aug 17 10:16:24 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Replace () by [] in tcp-flags. Fix proc-opts, the value is optional, noted by he@.
To generate a diff of this commit:
cvs rdiff -u -r1.59 -r1.60 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.59 src/usr.sbin/npf/npfctl/npf.conf.5:1.60
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.59 Thu Aug 16 09:58:00 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Aug 17 10:16:24 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.59 2018/08/16 09:58:00 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.60 2018/08/17 10:16:24 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 16, 2018
+.Dd August 17, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -371,7 +371,7 @@ map-flags = "no-ports"
 ; and numbers, depending on the extension.
 proc = "procedure" proc-name "{" *( proc-call [ new-line ] ) "}"
-proc-opts = key " " val [ "," proc-opts ]
+proc-opts = key [ " " val ] [ "," proc-opts ]
 proc-call = call-name ":" proc-opts new-line
 ; Group definition and the rule list.
@@ -391,7 +391,7 @@ dynamic-ruleset = "ruleset" group-opts
 rule = static-rule | dynamic-ruleset
 tcp-flag-mask = tcp-flags
-tcp-flags = ("S")("A")("F")("R")
+tcp-flags = [ "S" ] [ "A" ] [ "F" ] [ "R" ]
 proto = "proto" protocol [ proto-opts ]
 block-opts = "return-rst" | "return-icmp" | "return"
 family-opt = "inet4" | "inet6"
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Thu Aug 16 09:58:00 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Improve wording.
To generate a diff of this commit:
cvs rdiff -u -r1.58 -r1.59 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.58 src/usr.sbin/npf/npfctl/npf.conf.5:1.59
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.58 Thu Aug 16 09:50:37 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Thu Aug 16 09:58:00 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.58 2018/08/16 09:50:37 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.59 2018/08/16 09:58:00 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -225,7 +225,7 @@ the following syntax:
 .Pp
 Where
 .Ar match
-is the set of TCP flags present in the
+is the set of TCP flags we want to match out of the
 .Ar mask
 set, both sets being represented as a string combination of: S (SYN),
 A (ACK), F (FIN), R (RST). The flags that are not present in
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Thu Aug 16 09:50:37 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Improve the "Map" section a little.
To generate a diff of this commit:
cvs rdiff -u -r1.57 -r1.58 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.57 src/usr.sbin/npf/npfctl/npf.conf.5:1.58
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.57 Thu Aug 16 09:46:18 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Thu Aug 16 09:50:37 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.57 2018/08/16 09:46:18 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.58 2018/08/16 09:50:37 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -240,10 +240,14 @@ it can be overridden with the aforementi
 keyword.
 .Ss Map
 Network Address Translation (NAT) is expressed in a form of segment mapping.
-The translation may be dynamic (stateful) or static (stateless).
+The translation may be
+.Cd dynamic
+(stateful) or
+.Cd static
+(stateless).
 The following mapping types are available:
 .Pp
-.Bl -tag -width <-> -compact
+.Bl -tag -width <-> -offset indent
 .It Pa ->
 outbound NAT (translation of the source)
 .It Pa <-
@@ -260,7 +264,7 @@ map $ext_if dynamic 10.1.1.0/24 -> $pub_
 .Pp
 Translations are implicitly filtered by limiting the operation to the
 network segments specified, that is, translation would be performed only
-on packets originating from 10.1.1.0/24 network.
+on packets originating from the 10.1.1.0/24 network.
 Explicit filter criteria can be specified using "pass " as an additional option of the mapping.
 .Ss Procedures
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Thu Aug 16 09:46:18 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Document the "flags" keyword.
To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.57 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.56 src/usr.sbin/npf/npfctl/npf.conf.5:1.57
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.56 Thu Aug 16 09:21:00 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Thu Aug 16 09:46:18 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.56 2018/08/16 09:21:00 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.57 2018/08/16 09:46:18 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -201,7 +201,7 @@ block out final pcap-filter "tcp and dst
 Fragments are not selectable since NPF always reassembles packets before further processing.
 .Ss Stateful
-Stateful packet inspection is enabled using
+Stateful packet inspection is enabled using the
 .Cd stateful
 or
 .Cd stateful-ends
@@ -213,10 +213,29 @@ precaution.
 In both cases, a full TCP state tracking is performed for TCP connections and a limited tracking for message-based protocols (UDP and ICMP).
 .Pp
+The
+.Cd flags
+keyword can be used in conjunction with the
+.Cd stateful
+keyword to match the packets against specific TCP flags, according to
+the following syntax:
+.Bl -tag -offset indent
+.It flags Ar match[/mask]
+.El
+.Pp
+Where
+.Ar match
+is the set of TCP flags present in the
+.Ar mask
+set, both sets being represented as a string combination of: S (SYN),
+A (ACK), F (FIN), R (RST). The flags that are not present in
+.Ar mask
+are ignored.
+.Pp
 By default, a stateful rule implies SYN-only flag check ("flags S/SAFR") for the TCP packets. It is not advisable to change this behavior; however,
-it can be overridden with the
+it can be overridden with the aforementioned
 .Cd flags
 keyword.
 .Ss Map
@@ -367,6 +386,8 @@ static-rule = ( "block" [ block-opts ] |
 dynamic-ruleset = "ruleset" group-opts
 rule = static-rule | dynamic-ruleset
+tcp-flag-mask = tcp-flags
+tcp-flags = ("S")("A")("F")("R")
 proto = "proto" protocol [ proto-opts ]
 block-opts = "return-rst" | "return-icmp" | "return"
 family-opt = "inet4" | "inet6"
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Thu Aug 16 09:21:00 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Improve the "Rules" section: better explain the "final" keyword (it is the same as PF's "quick", so use the same wording), and document the "return" options. While here simplify the man code, suggested by wiz.
To generate a diff of this commit:
cvs rdiff -u -r1.55 -r1.56 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.55 src/usr.sbin/npf/npfctl/npf.conf.5:1.56
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.55 Thu Aug 16 08:51:53 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Thu Aug 16 09:21:00 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.55 2018/08/16 08:51:53 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.56 2018/08/16 09:21:00 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -147,13 +147,36 @@ With a rule statement NPF is instructed
 or
 .Cd block
 a packet depending on packet header information, transit direction and
-the interface it arrived on, either immediately upon match (keyword
-.Cd final )
-or using the last match.
-The rule can also instruct NPF to create an entry in the state table
+the interface it arrived on, either immediately upon match or using the
+last match.
+.Pp
+If a packet matches a rule which has the
+.Cd final
+option set, this rule is considered the last matching rule, and
+evaluation of subsequent rules is skipped.
+Otherwise, the last matching rule is used.
+.Pp
+A rule can also instruct NPF to create an entry in the state table
 when passing the packet, to notify the sender when blocking it, and to apply a procedure to the packet (e.g. "log") in either case.
 .Pp
+To notify the sender of a blocking decision, three
+.Cd return
+options can be used in conjunction with a
+.Cd block
+rule:
+.Bl -tag -width Xreturn-icmpXX -offset indent
+.It return
+Behaves as return-rst or return-icmp, depending on whether the packet
+being blocked is TCP or UDP.
+.It return-rst
+Return a TCP RST message, when the packet being blocked is a TCP packet.
+Applies to IPv4 and IPv6.
+.It return-icmp
+Return an ICMP UNREACHABLE message, when the packet being blocked is a UDP packet.
+Applies to IPv4 and IPv6.
+.El
+.Pp
 A "fully-featured" rule would for example be:
 .Bd -literal
 pass stateful in final family inet4 proto tcp flags S/SA \\
@@ -253,13 +276,9 @@ The available normalization options are:
 .Bl -tag -width XXmin-ttlXXvalueXX -offset indent
 .It Dq random-id
 Randomize the IPv4 ID parameter.
-.It Dq min-ttl Xo
-.Ar value
-.Xc
+.It Do min-ttl Dc Ar value
 Enforce a minimum value for the IPv4 Time To Live (TTL) parameter.
-.It Dq max-mss Xo
-.Ar value
-.Xc
+.It Do max-mss Dc Ar value
 Enforce a maximum value for the MSS on TCP packets.
 .It Dq no-df
 Remove the Don't Fragment (DF) flag from IPv4 packets.
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Thu Aug 16 08:51:53 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Add quotes around the option names, to match the actual npf conf.
To generate a diff of this commit:
cvs rdiff -u -r1.54 -r1.55 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.54 src/usr.sbin/npf/npfctl/npf.conf.5:1.55
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.54 Thu Aug 16 08:37:51 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Thu Aug 16 08:51:53 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.54 2018/08/16 08:37:51 maxv Exp $
+.\"$NetBSD: npf.conf.5,v 1.55 2018/08/16 08:51:53 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -250,14 +250,18 @@ auto-loaded by NPF.
 .El
 .Pp
 The available normalization options are:
-.Bl -tag -width Xmin-ttlXvalueXX -offset indent
-.It random-id
+.Bl -tag -width XXmin-ttlXXvalueXX -offset indent
+.It Dq random-id
 Randomize the IPv4 ID parameter.
-.It min-ttl Ar value
+.It Dq min-ttl Xo
+.Ar value
+.Xc
 Enforce a minimum value for the IPv4 Time To Live (TTL) parameter.
-.It max-mss Ar value
+.It Dq max-mss Xo
+.Ar value
+.Xc
 Enforce a maximum value for the MSS on TCP packets.
-.It no-df
+.It Dq no-df
 Remove the Don't Fragment (DF) flag from IPv4 packets.
 .El
 .Pp
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: maxv
Date: Thu Aug 16 08:37:51 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Enlighten the "Procedures" section. In particular document the "no-df" option. Also replace "normalisation" -> "normalization", to match the name of the rule.
To generate a diff of this commit:
cvs rdiff -u -r1.53 -r1.54 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.53 src/usr.sbin/npf/npfctl/npf.conf.5:1.54
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.53 Mon Aug 13 06:06:13 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Thu Aug 16 08:37:51 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.53 2018/08/13 06:06:13 wiz Exp $
+.\"$NetBSD: npf.conf.5,v 1.54 2018/08/16 08:37:51 maxv Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 7, 2018
+.Dd August 16, 2018
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -228,6 +228,39 @@ Every extension call has a name and a li
 key-value pairs. Depending on the call, the key might represent the argument and the value might be optional.
+Available options:
+.Bl -tag -width Xlog:XinterfaceXX -offset indent
+.It log: Ar interface
+Log events.
+This requires the npf_ext_log kernel module, which would normally get
+auto-loaded by NPF.
+The specified npflog interface would also be auto-created once the
+configuration is loaded.
+The log packets can be written to a file using the
+.Xr npfd 8
+daemon.
+.It normalize: Xo
+.Ar option1
+.Op , Ar option2
+.Ar ...
+.Xc
+Modify packets according to the specified normalization options.
+This requires the npf_ext_normalize kernel module, which would normally get
+auto-loaded by NPF.
+.El
+.Pp
+The available normalization options are:
+.Bl -tag -width Xmin-ttlXvalueXX -offset indent
+.It random-id
+Randomize the IPv4 ID parameter.
+.It min-ttl Ar value
+Enforce a minimum value for the IPv4 Time To Live (TTL) parameter.
+.It max-mss Ar value
+Enforce a maximum value for the MSS on TCP packets.
+.It no-df
+Remove the Don't Fragment (DF) flag from IPv4 packets.
+.El
+.Pp
 For example:
 .Bd -literal
 procedure "someproc" {
@@ -236,19 +269,7 @@ procedure "someproc" {
 }
 .Ed
 .Pp
-In this case, the procedure calls the logging and normalisation modules.
-The logging facility requires the npf_ext_log kernel module which would
-normally get auto-loaded by NPF.
-The specified npflog interface would also be auto-created once the
-configuration is loaded.
-The log packets can be written to a file using the
-.Xr npfd 8
-daemon.
-.Pp
-Traffic normalisation has a set of different mechanisms.
-In the example above, the normalisation procedure has arguments which
-apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF)
-flag cleansing, minimum TTL enforcement and TCP MSS "clamping".
+In this case, the procedure calls the logging and normalization modules.
 .Ss Misc
 Text after a hash
 .Pq Sq #
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src
Committed By: wiz
Date: Mon Aug 13 06:06:13 UTC 2018
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Add missing El. Remove trailing whitespace.
To generate a diff of this commit:
cvs rdiff -u -r1.52 -r1.53 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.52 src/usr.sbin/npf/npfctl/npf.conf.5:1.53
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.52 Tue Aug 7 00:22:13 2018
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Mon Aug 13 06:06:13 2018
@@ -1,4 +1,4 @@
-.\"$NetBSD: npf.conf.5,v 1.52 2018/08/07 00:22:13 sevan Exp $
+.\"$NetBSD: npf.conf.5,v 1.53 2018/08/13 06:06:13 wiz Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -59,7 +59,7 @@ packet filtering rules
 map rules for address translation
 .It
 procedure definitions to call on filtered packets.
-
+.El
 .Sh SYNTAX
 .Ss Variables
 Variables are specified using the dollar ($) sign, which is used for both
@@ -128,7 +128,7 @@ A dynamic address list represents both t
 an interface.
 The
 .Cd family
-keyword can be used in combination of a filtering rule to be explicit.
+keyword can be used in combination of a filtering rule to be explicit.
 .Ss Groups
 Groups may have the following options: name, interface, and direction.
 They are defined in the following form:
CVS commit: src/usr.sbin/npf/npfd
Module Name:src
Committed By: sevan
Date: Tue Aug 7 22:55:47 UTC 2018
Modified Files:
src/usr.sbin/npf/npfd: npfd.8
Log Message:
Simplify the description of npfd, default npflog interface & pcap file are covered later. Move advise regarding offline analysis to the CAVEATS section.
To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/npf/npfd/npfd.8
Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfd/npfd.8
diff -u src/usr.sbin/npf/npfd/npfd.8:1.4 src/usr.sbin/npf/npfd/npfd.8:1.5
--- src/usr.sbin/npf/npfd/npfd.8:1.4 Tue Aug 7 22:02:08 2018
+++ src/usr.sbin/npf/npfd/npfd.8 Tue Aug 7 22:55:47 2018
@@ -1,4 +1,4 @@
-.\" $NetBSD: npfd.8,v 1.4 2018/08/07 22:02:08 sevan Exp $
+.\" $NetBSD: npfd.8,v 1.5 2018/08/07 22:55:47 sevan Exp $
 .\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $
 .\"
 .\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
@@ -43,24 +43,16 @@
 .Op Ar expression
 .Sh DESCRIPTION
 .Nm
-is a background daemon which reads packets logged by
+is a background daemon which writes to a file in
+.Xr pcap 3
+format logged packets read from an npflog interface.
+The npflog interface is used by
 .Xr npf 7
-to an
-.\" .Xr npflog 4
-npflog
-interface, normally
-.Pa npflog0 ,
-and writes the packets to a logfile (normally
-.Pa /var/log/npflog0.pcap )
-in
+to log packets as defined in
+.Xr npf.conf 5 .
+The generated
 .Xr pcap 3
-format, which can be read by
-.Xr tcpdump 8 .
-These logs can be reviewed later using the
-.Fl r
-option of
-.Xr tcpdump 8 ,
-hopefully offline in case there are bugs in the packet parsing code of
+files can then be analysed using tools such as
 .Xr tcpdump 8 .
 .Pp
 .Nm
@@ -260,3 +252,7 @@ command appeared in .Sh AUTHORS This manual page was written by .An Can Erkin Acar Aq Mt cana...@openbsd.org . +.Sh CAVEATS +Offline analysis of captured data is advised to alleviate issues with +malicious data intended to exploit bugs in the packet parsing code of +.Xr tcpdump 8 .
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: sevan Date: Tue Aug 7 22:02:08 UTC 2018 Modified Files: src/usr.sbin/npf/npfd: npfd.8 Log Message: Escape ellipsis to stop it being interpreted as a macro. Drop commented out manual which doesn't exist. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/usr.sbin/npf/npfd/npfd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/npfd.8 diff -u src/usr.sbin/npf/npfd/npfd.8:1.3 src/usr.sbin/npf/npfd/npfd.8:1.4 --- src/usr.sbin/npf/npfd/npfd.8:1.3 Sun Jan 8 13:59:53 2017 +++ src/usr.sbin/npf/npfd/npfd.8 Tue Aug 7 22:02:08 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: npfd.8,v 1.3 2017/01/08 13:59:53 wiz Exp $ +.\" $NetBSD: npfd.8,v 1.4 2018/08/07 22:02:08 sevan Exp $ .\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $ .\" .\" Copyright (c) 2001 Can Erkin Acar. All rights reserved. @@ -26,7 +26,7 @@ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" .\" -.Dd January 5, 2017 +.Dd August 7, 2018 .Dt NPFD 8 .Os .Sh NAME @@ -231,23 +231,22 @@ Each rule is marked with an id number, shown using: .Bd -literal -offset indent # npfctl show -... +\&... block final all apply "log" # id="45" -... +\&... .Ed .Pp This id is the rule id shown by tcpdump: .Bd -literal -offset indent # tcpdump -enr /var/log/npflog0.pcap -... +\&... 11:26:02.288199 rule 45.rules.0/0(match): block in on sk0: \e 1.2.3.4.46063 > 5.6.7.8.23231: Flags [S], seq 1, win 8192, \e options [mss 1440], length 0 -... +\&... .Ed .Sh SEE ALSO .Xr pcap 3 , -\" .Xr if_npflog 4 , .Xr npf.conf 5 , .Xr npf 7 , .Xr newsyslog 8 ,
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: sevan Date: Tue Aug 7 00:22:13 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: First pass at editing this manual. Add a link to the NPF documentation website and refer to it. Switch the multiple structural elements to a list to make it easier to read and extend. Clarify tables, re-order so all terms are before the example. Clarify obtaining addresses per family Move the minimum requirement for a default group to the group section. To generate a diff of this commit: cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.51 src/usr.sbin/npf/npfctl/npf.conf.5:1.52 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.51 Mon Dec 11 23:07:49 2017 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Tue Aug 7 00:22:13 2018 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.51 2017/12/11 23:07:49 wiz Exp $ +.\"$NetBSD: npf.conf.5,v 1.52 2018/08/07 00:22:13 sevan Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 10, 2017 +.Dd August 7, 2018 .Dt NPF.CONF 5 .Os .Sh NAME 
@@ -40,31 +40,30 @@ is the default configuration file for th .Pp This manual page serves as a reference for editing .Nm . -Please refer to the official NPF documentation for comprehensive and +Please refer to the official NPF documentation website for comprehensive and in-depth information. .Pp -There are multiple structural elements +There are multiple structural elements that .Nm -may contain: -.Cd variable -and -.Cd table -definitions (with or without content), abstraction -.Cd groups , -packet filtering -.Cd rules , -.Cd map -rules for address translation and -.Cd procedure -definitions to call on filtered packets. -The minimal -.Nm -must contain a mandatory -.Cd default group . +may contain, such as: +.Bl -bullet -offset indent +.It +variables +.It +table definitions (with or without content) +.It +abstraction groups +.It +packet filtering rules +.It +map rules for address translation +.It +procedure definitions to call on filtered packets. + .Sh SYNTAX .Ss Variables -Variables are specified using the dollar ($) sign, which is used both -in definitions and uses of a variable. +Variables are specified using the dollar ($) sign, which is used for both +definition and referencing of a variable. Variables are defined by assigning a value to them as follows: .Bd -literal $var1 = 10.0.0.1 
@@ -85,26 +84,28 @@ The following is an example of table def table type hash dynamic .Pp .Ed -Currently, tables support three storage types: "hash", "tree", or "cdb". -They can also be "dynamic" or static i.e. loaded from the specified file. +Currently, tables support three data storage types: "hash", "tree", or "cdb". +Tables can also be set as containing "dynamic" or "static" data i.e. loaded from + a specified file. +Tables of type "hash" and "cdb" can only contain IP addresses. +Only static data can be used with a storage type of "cdb". .Pp -The file should contain a list of IP addresses and/or networks in the form of: +The specified file should contain a list of IP addresses and/or networks in the +form of: .Bd -literal 10.0.0.0/24 10.1.1.1 .Ed -.Pp -Tables of type "hash" and "cdb" can only contain IP addresses. -Also, the latter can only be static. .Ss Interfaces Interfaces can be specified as the values of the variables: .Bd -literal $pub_if_list = { inet4(wm0), inet4(wm1) } .Ed .Pp -In the context of filtering, an interface provides a list of its -all IP addresses, including IPv4 and IPv6. -Specific interface addresses can be selected by the family, e.g.: +In the context of filtering, an interface provides a list of all its IP +addresses, both IPv4 and IPv6. +Specific addresses configured on an interface can also be selected by family, +e.g.: .Bd -literal $pub_if4 = inet4(wm0) $pub_if46 = { inet4(wm0), inet6(wm0) } 
@@ -123,10 +124,11 @@ reflecting any changes to the interface, Marking the interface as ``down'' has no effect, i.e. all addresses will remain present. .Pp -The dynamic address list represents both the IPv4 and IPv6 addresses, -therefore the +A dynamic address list represents both the IPv4 and IPv6 addresses configured on +an interface. +The .Cd family -keyword can be used in combination to make the filtering more narrow. +keyword can be used in combination of a filtering rule to be explicit. .Ss Groups Groups may have the following options: name, interface, and direction. They are defined in the following form: @@ -135,13 +137,17 @@ group "my-name" in on wm0 { # List of rules } .Ed +A minimal +.Nm +must contain a mandatory +.Cd
CVS commit: src/usr.sbin/npf
Module Name:src Committed By: sevan Date: Thu Aug 2 16:42:12 UTC 2018 Modified Files: src/usr.sbin/npf: npf.7 Log Message: Use Nm macro Move history details to the HISTORY section Spelling Be less meta & clarify the website should be consulted. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/npf/npf.7 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npf.7 diff -u src/usr.sbin/npf/npf.7:1.4 src/usr.sbin/npf/npf.7:1.5 --- src/usr.sbin/npf/npf.7:1.4 Sun Dec 10 22:04:41 2017 +++ src/usr.sbin/npf/npf.7 Thu Aug 2 16:42:12 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf.7,v 1.4 2017/12/10 22:04:41 rmind Exp $ +.\" $NetBSD: npf.7,v 1.5 2018/08/02 16:42:12 sevan Exp $ .\" .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 13, 2015 +.Dd August 2, 2018 .Dt NPF 7 .Os .Sh NAME @@ -35,16 +35,15 @@ .Nd NetBSD packet filter .\" - .Sh DESCRIPTION -NPF is a layer 3 packet filter, supporting IPv4 and IPv6 as well as +.Nm +is a layer 3 packet filter, supporting IPv4 and IPv6 as well as layer 4 protocols such as TCP, UDP, and ICMP. It was designed with a focus on high performance, scalability, and modularity. -.Pp -NPF was written from scratch in 2009 and is distributed under the -2-clause BSD license. .\" - .Sh FEATURES -NPF offers the traditional set of features provided by packet filters. +.Nm +offers the traditional set of features provided by packet filters. Some key features are: .Bl -bullet -offset indent .It 
@@ -60,17 +59,20 @@ Tables for efficient IP sets. .It Application Level Gateways (e.g., to support traceroute). .It -NPF uses BPF with just-in-time (JIT) compilation. +Use of BPF with just-in-time (JIT) compilation. .It -Rule procedures and a framework for NPF extensions. +Rule procedures and a framework for +.Nm +extensions. .It -Traffic normalization (extension). +Traffic normalisation (extension). .It Packet logging (extension). .El .Pp -For a full set of features and their description, see the NPF -documentation and other manual pages. +For a full set of features and their description, see the +.Nm +documentation website and other manual pages. .\" - .Sh SEE ALSO .Xr libnpf 3 , @@ -81,10 +83,12 @@ documentation and other manual pages. .Xr npfctl 8 , .Xr npfd 8 .Pp -.Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation" +.Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation website" .Sh HISTORY .Nm -first appeared in +was written from scratch in 2009 and is distributed under the +2-clause BSD license. +It first appeared in .Nx 6.0 . .Sh AUTHORS .Nm
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: maxv Date: Fri Apr 13 17:43:37 UTC 2018 Modified Files: src/usr.sbin/npf/npfctl: npfctl.c Log Message: Document "debug" in usage(). To generate a diff of this commit: cvs rdiff -u -r1.54 -r1.55 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.54 src/usr.sbin/npf/npfctl/npfctl.c:1.55 --- src/usr.sbin/npf/npfctl/npfctl.c:1.54 Mon Oct 30 04:53:43 2017 +++ src/usr.sbin/npf/npfctl/npfctl.c Fri Apr 13 17:43:37 2018 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.54 2017/10/30 04:53:43 ozaki-r Exp $ */ +/* $NetBSD: npfctl.c,v 1.55 2018/04/13 17:43:37 maxv Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.54 2017/10/30 04:53:43 ozaki-r Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.55 2018/04/13 17:43:37 maxv Exp $"); #include #include @@ -155,6 +155,9 @@ usage(void) fprintf(stderr, "\t%s list [-46hNnw] [-i ]\n", progname); + fprintf(stderr, + "\t%s debug [] []\n", + progname); exit(EXIT_FAILURE); }
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: wiz Date: Mon Dec 11 23:07:49 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Remove superfluous Pp. To generate a diff of this commit: cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.50 src/usr.sbin/npf/npfctl/npf.conf.5:1.51 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.50 Sun Dec 10 22:04:41 2017 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Mon Dec 11 23:07:49 2017 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.50 2017/12/10 22:04:41 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.51 2017/12/11 23:07:49 wiz Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -98,7 +98,6 @@ Tables of type "hash" and "cdb" can only Also, the latter can only be static. .Ss Interfaces Interfaces can be specified as the values of the variables: -.Pp .Bd -literal $pub_if_list = { inet4(wm0), inet4(wm1) } .Ed @@ -131,7 +130,6 @@ keyword can be used in combination to ma .Ss Groups Groups may have the following options: name, interface, and direction. They are defined in the following form: -.Pp .Bd -literal group "my-name" in on wm0 { # List of rules
CVS commit: src/usr.sbin/npf
Module Name:src Committed By: rmind Date: Sun Dec 10 22:04:41 UTC 2017 Modified Files: src/usr.sbin/npf: npf.7 src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_parse.y npf_scan.l npf_show.c npfctl.8 npfctl.h todo Log Message: npfctl: add support for the 'no-ports' flag in the 'map' statements. This allows us to create a NAT policy without the port translation. To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/usr.sbin/npf/npf.7 cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.44 -r1.45 src/usr.sbin/npf/npfctl/npf_build.c \ src/usr.sbin/npf/npfctl/npfctl.h cvs rdiff -u -r1.45 -r1.46 src/usr.sbin/npf/npfctl/npf_parse.y cvs rdiff -u -r1.25 -r1.26 src/usr.sbin/npf/npfctl/npf_scan.l cvs rdiff -u -r1.24 -r1.25 src/usr.sbin/npf/npfctl/npf_show.c cvs rdiff -u -r1.19 -r1.20 src/usr.sbin/npf/npfctl/npfctl.8 cvs rdiff -u -r1.14 -r1.15 src/usr.sbin/npf/npfctl/todo Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npf.7 diff -u src/usr.sbin/npf/npf.7:1.3 src/usr.sbin/npf/npf.7:1.4 --- src/usr.sbin/npf/npf.7:1.3 Sun Jul 12 23:54:43 2015 +++ src/usr.sbin/npf/npf.7 Sun Dec 10 22:04:41 2017 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf.7,v 1.3 2015/07/12 23:54:43 rmind Exp $ +.\" $NetBSD: npf.7,v 1.4 2017/12/10 22:04:41 rmind Exp $ .\" .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -78,7 +78,8 @@ documentation and other manual pages. .Xr bpfjit 4 , .Xr npf.conf 5 , .Xr pcap-filter 7 , -.Xr npfctl 8 +.Xr npfctl 8 , +.Xr npfd 8 .Pp .Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation" .Sh HISTORY Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.49 src/usr.sbin/npf/npfctl/npf.conf.5:1.50 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.49 Mon Jul 3 21:35:31 2017 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Sun Dec 10 22:04:41 2017 
@@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.49 2017/07/03 21:35:31 wiz Exp $ +.\"$NetBSD: npf.conf.5,v 1.50 2017/12/10 22:04:41 rmind Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 19, 2017 +.Dd December 10, 2017 .Dt NPF.CONF 5 .Os .Sh NAME @@ -233,6 +233,14 @@ procedure "someproc" { .Ed .Pp In this case, the procedure calls the logging and normalisation modules. +The logging facility requires the npf_ext_log kernel module which would +normally get auto-loaded by NPF. +The specified npflog interface would also be auto-created once the +configuration is loaded. +The log packets can be written to a file using the +.Xr npfd 8 +daemon. +.Pp Traffic normalisation has a set of different mechanisms. In the example above, the normalisation procedure has arguments which apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF) @@ -248,8 +256,7 @@ i.e., the next line is considered an ext .Sh GRAMMAR The following is a non-formal BNF-like definition of the grammar. The definition is simplified and is intended to be human readable, -therefore it does not strictly represent the full syntax, which -is more flexible. +therefore it does not strictly represent the formal grammar. .Bd -literal ; Syntax of a single line. Lines can be separated by LF (\\n) or ; a semicolon. Comments start with a hash (#) character. 
@@ -279,10 +286,13 @@ table-def = "table" table-id "type" ( "h ; Mapping for address translation. map = "map" interface - ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ] + ( "static" [ "algo" algorithm ] | "dynamic" ) + [ map-flags ] [ proto ] net-seg ( "->" | "<-" | "<->" ) net-seg [ "pass" [ proto ] filt-opts ] +map-flags = "no-ports" + ; Rule procedure definition. The name should be in the double quotes. ; ; Each call can have its own options in a form of key-value pairs. @@ -352,8 +362,7 @@ map $ext_if dynamic 10.1.1.0/24 -> $ext_ map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 procedure "log" { - # Note: npf_ext_log kernel module should be loaded, if not built-in. - # Also, the interface created, e.g.: ifconfig npflog0 create + # The logging facility can be used together with npfd(8). log: npflog0 } @@ -387,7 +396,8 @@ group default { .Xr bpf 4 , .Xr npf 7 , .Xr pcap-filter 7 , -.Xr npfctl 8 +.Xr npfctl 8 , +.Xr npfd 8 .Sh HISTORY NPF first appeared in .Nx 6.0 . Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.44 src/usr.sbin/npf/npfctl/npf_build.c:1.45 --- src/usr.sbin/npf/npfctl/npf_build.c:1.44 Thu Jan 19 20:18:17 2017 +++ src/usr.sbin/npf/npfctl/npf_build.c Sun Dec 10 22:04:41 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $ */ +/* $NetBSD: npf_build.c,v
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: leot Date: Sun Dec 10 20:45:26 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: todo Log Message: Fix a typo To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/npf/npfctl/todo Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/todo diff -u src/usr.sbin/npf/npfctl/todo:1.13 src/usr.sbin/npf/npfctl/todo:1.14 --- src/usr.sbin/npf/npfctl/todo:1.13 Sun Dec 10 20:30:45 2017 +++ src/usr.sbin/npf/npfctl/todo Sun Dec 10 20:45:26 2017 @@ -2,7 +2,7 @@ -- have a way to use npflog to log packets to syslog We have npfd that logs to a file -- have a way to match dropped packets to rules - We keep this information now and we pass it to nplog using the OpenBSD + We keep this information now and we pass it to npflog using the OpenBSD pflog format. -- have a way to list the active nat sessions Use "npfctl list"
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Sun Dec 10 20:30:45 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: todo Log Message: Add things implemented To generate a diff of this commit: cvs rdiff -u -r1.12 -r1.13 src/usr.sbin/npf/npfctl/todo Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/todo diff -u src/usr.sbin/npf/npfctl/todo:1.12 src/usr.sbin/npf/npfctl/todo:1.13 --- src/usr.sbin/npf/npfctl/todo:1.12 Tue Jan 10 21:13:54 2017 +++ src/usr.sbin/npf/npfctl/todo Sun Dec 10 15:30:45 2017 @@ -1,7 +1,11 @@ -- how to convert other packet filters to npf -- have a way to use npflog to log packets to syslog + We have npfd that logs to a file -- have a way to match dropped packets to rules + We keep this information now and we pass it to nplog using the OpenBSD + pflog format. -- have a way to list the active nat sessions + Use "npfctl list" -- npfctl start does not load the configuration if not loaded. It is not clear you need to reload first. Or if it loads it should print the error messages. Or it should be called enable/disable since
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: mlelstv Date: Sun Dec 3 23:48:03 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf_parse.y Log Message: allow PASS opt_proto ALL syntax in map statement. To generate a diff of this commit: cvs rdiff -u -r1.44 -r1.45 src/usr.sbin/npf/npfctl/npf_parse.y Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_parse.y diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.44 src/usr.sbin/npf/npfctl/npf_parse.y:1.45 --- src/usr.sbin/npf/npfctl/npf_parse.y:1.44 Fri Jan 20 23:00:30 2017 +++ src/usr.sbin/npf/npfctl/npf_parse.y Sun Dec 3 23:48:03 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_parse.y,v 1.44 2017/01/20 23:00:30 rmind Exp $ */ +/* $NetBSD: npf_parse.y,v 1.45 2017/12/03 23:48:03 mlelstv Exp $ */ /*- * Copyright (c) 2011-2017 The NetBSD Foundation, Inc. @@ -353,7 +353,7 @@ mapseg map : MAP ifref map_sd map_algo mapseg map_type mapseg - PASS opt_proto filt_opts + PASS opt_proto all_or_filt_opts { npfctl_build_natseg($3, $6, $2, &$5, &$7, &$9, &$10, $4); }
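Review bot: The action still passes `&$10` unchanged to npfctl_build_natseg(), so `all_or_filt_opts` has to yield the same semantic type `filt_opts` did; if its `%type` declaration (not in this hunk) differs, yacc accepts the action and the mismatch only surfaces when the generated parser is compiled, so that declaration is worth a second look. The GRAMMAR section of npf.conf.5 is not touched by this commit, and the BNF shown in a later npf.conf.5 commit on this page still reads `[ "pass" [ proto ] filt-opts ]`, so the `pass [proto] all` form this change accepts stays undocumented; the `map` production should gain an alternative along the lines of `[ "pass" [ proto ] ( "all" | filt-opts ) ]`. The `map` rule starts before this hunk.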
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: ozaki-r Date: Mon Oct 30 04:53:43 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npfctl.c Log Message: Fix showing translated port (ntohs-ed twice wrongly) To generate a diff of this commit: cvs rdiff -u -r1.53 -r1.54 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.53 src/usr.sbin/npf/npfctl/npfctl.c:1.54
--- src/usr.sbin/npf/npfctl/npfctl.c:1.53 Wed Jan 11 02:10:44 2017
+++ src/usr.sbin/npf/npfctl/npfctl.c Mon Oct 30 04:53:43 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.c,v 1.53 2017/01/11 02:10:44 christos Exp $ */
+/* $NetBSD: npfctl.c,v 1.54 2017/10/30 04:53:43 ozaki-r Exp $ */
 /*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
 */
 #include
-__RCSID("$NetBSD: npfctl.c,v 1.53 2017/01/11 02:10:44 christos Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.54 2017/10/30 04:53:43 ozaki-r Exp $");
 #include
 #include
@@ -624,7 +624,7 @@ npfctl_conn_print(unsigned alen, const n
 fputc('\n', fp);
 return 1;
 }
- fprintf(fp, " via %s:%d\n", ifname, ntohs(p[2]));
+ fprintf(fp, " via %s:%d\n", ifname, p[2]);
 return 1;
 }
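Review bot: Dropping the `ntohs()` here means `p[2]` already arrives in host byte order, but nothing in npfctl_conn_print() records that contract, so the double conversion this commit removes is easy to reintroduce by the next reader who sees a port being printed. A comment at the point where `p[]` is filled in (outside this hunk), such as `/* p[] is already in host byte order; do not ntohs() again. */`, would pin it down. If the elements are 16-bit port values, `%d` is fine after integer promotion, though `%u` would make the unsignedness explicit. The function starts before this hunk.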
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Mon Oct 16 11:18:43 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: npfd.c Log Message: Treat EOF as a condition to re-open the pcap socket. Since we've been woken up by poll(2), there must be data to read. If there is not, our socket might not be ok anymore. To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npfd/npfd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfd/npfd.c
diff -u src/usr.sbin/npf/npfd/npfd.c:1.8 src/usr.sbin/npf/npfd/npfd.c:1.9
--- src/usr.sbin/npf/npfd/npfd.c:1.8 Sun Oct 15 11:26:10 2017
+++ src/usr.sbin/npf/npfd/npfd.c Mon Oct 16 07:18:43 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npfd.c,v 1.8 2017/10/15 15:26:10 christos Exp $ */
+/* $NetBSD: npfd.c,v 1.9 2017/10/16 11:18:43 christos Exp $ */
 /*-
 * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
 */
 #include
-__RCSID("$NetBSD: npfd.c,v 1.8 2017/10/15 15:26:10 christos Exp $");
+__RCSID("$NetBSD: npfd.c,v 1.9 2017/10/16 11:18:43 christos Exp $");
 #include
 #include
@@ -110,7 +110,7 @@ npfd_event_loop(npfd_log_t *log, int del
 npfd_log_flush(log);
 count = 0;
 }
- if (npfd_log(log) < 0)
+ if (npfd_log(log) <= 0)
 npfd_log_pcap_reopen(log);
 }
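Review bot: Widening the condition to `npfd_log(log) <= 0` treats a zero return as a dead socket, but if npfd_log() passes through the pcap_dispatch() count, zero is also the ordinary result of a wakeup that delivered no complete record (pcap_dispatch() returns 0 in non-blocking mode when nothing is available), so the daemon may tear down and recreate its capture handle on idle iterations and drop whatever is buffered in the kernel each time. A more robust split is to have npfd_log() return a negative value only for a genuine pcap error or end-of-stream and keep `< 0` here, rather than widening the test at the call site. The `bool` returned by npfd_log_pcap_reopen() is still discarded on the next line, so a reopen that fails is silent; at minimum it should be logged. The enclosing loop starts and ends outside this hunk.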
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Mon Oct 16 11:17:45 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: npfd_log.c Log Message: Add a message when we are re-opening the pcap socket. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfd/npfd_log.c
diff -u src/usr.sbin/npf/npfd/npfd_log.c:1.11 src/usr.sbin/npf/npfd/npfd_log.c:1.12
--- src/usr.sbin/npf/npfd/npfd_log.c:1.11 Sun Oct 15 11:26:10 2017
+++ src/usr.sbin/npf/npfd/npfd_log.c Mon Oct 16 07:17:45 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npfd_log.c,v 1.11 2017/10/15 15:26:10 christos Exp $ */
+/* $NetBSD: npfd_log.c,v 1.12 2017/10/16 11:17:45 christos Exp $ */
 /*-
 * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
 */
 #include
-__RCSID("$NetBSD: npfd_log.c,v 1.11 2017/10/15 15:26:10 christos Exp $");
+__RCSID("$NetBSD: npfd_log.c,v 1.12 2017/10/16 11:17:45 christos Exp $");
 #include
 #include
@@ -247,6 +247,8 @@ npfd_log_pcap_reopen(npfd_log_t *ctx)
 if (ctx->pcap != NULL)
 pcap_close(ctx->pcap);
+ else
+ syslog(LOG_INFO, "reopening pcap socket");
 ctx->pcap = pcap_create(ctx->ifname, errbuf);
 if (ctx->pcap == NULL)
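Review bot: The new message sits in the `else` branch, i.e. it is logged only when `ctx->pcap` is NULL, which is the very first open performed by npfd_log_create() on a freshly calloc'd context (visible in the earlier npfd_log.c hunk on this page), whereas a genuine reopen — `ctx->pcap` non-NULL and closed first — logs nothing, the opposite of what the commit message describes. Move the message into the non-NULL branch: `if (ctx->pcap != NULL) {` / `syslog(LOG_INFO, "reopening pcap socket");` / `pcap_close(ctx->pcap); }`. Losing and re-establishing the capture feed is exactly the event an operator investigating a gap in the pcap log needs to find in syslog, so this branch is worth getting right. npfd_log_pcap_reopen() continues past this hunk.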
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Sun Oct 15 15:26:10 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: npfd.c npfd.h npfd_log.c Log Message: try to re-open the pcap connection on error. To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/npf/npfd/npfd.c cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/npf/npfd/npfd.h cvs rdiff -u -r1.10 -r1.11 src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/npfd.c diff -u src/usr.sbin/npf/npfd/npfd.c:1.7 src/usr.sbin/npf/npfd/npfd.c:1.8 --- src/usr.sbin/npf/npfd/npfd.c:1.7 Tue Jan 24 15:24:59 2017 +++ src/usr.sbin/npf/npfd/npfd.c Sun Oct 15 11:26:10 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd.c,v 1.7 2017/01/24 20:24:59 christos Exp $ */ +/* $NetBSD: npfd.c,v 1.8 2017/10/15 15:26:10 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfd.c,v 1.7 2017/01/24 20:24:59 christos Exp $"); +__RCSID("$NetBSD: npfd.c,v 1.8 2017/10/15 15:26:10 christos Exp $"); #include #include @@ -83,7 +83,7 @@ npfd_event_loop(npfd_log_t *log, int del while (!done) { if (hup) { hup = false; - npfd_log_reopen(log, false); + npfd_log_file_reopen(log, false); } if (stats) { stats = false; @@ -110,7 +110,8 @@ npfd_event_loop(npfd_log_t *log, int del npfd_log_flush(log); count = 0; } - npfd_log(log); + if (npfd_log(log) < 0) +npfd_log_pcap_reopen(log); } } Index: src/usr.sbin/npf/npfd/npfd.h diff -u src/usr.sbin/npf/npfd/npfd.h:1.4 src/usr.sbin/npf/npfd/npfd.h:1.5 --- src/usr.sbin/npf/npfd/npfd.h:1.4 Fri Jan 6 14:20:24 2017 +++ src/usr.sbin/npf/npfd/npfd.h Sun Oct 15 11:26:10 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd.h,v 1.4 2017/01/06 19:20:24 christos Exp $ */ +/* $NetBSD: npfd.h,v 1.5 2017/10/15 15:26:10 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. 
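Review bot: The `bool` result of `npfd_log_pcap_reopen()` — declared `bool` in this commit's npfd.h hunk — is dropped at the new call in the event loop, so a failed reopen is silent and the next iteration calls npfd_log() against whatever state `ctx->pcap` was left in. Check it and report the failure, e.g. `if (npfd_log(log) < 0 && !npfd_log_pcap_reopen(log))` followed by a `syslog(LOG_ERR, ...)` and ideally a back-off, so the loop cannot spin on a broken capture. The call added in npfd_log_create() in the npfd_log.c section appears to ignore the result the same way, though that hunk is cut off on this page. The loop body starts before this hunk.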
@@ -45,8 +45,9 @@ typedef struct npfd_log npfd_log_t; npfd_log_t * npfd_log_create(const char *, const char *, const char *, int); void npfd_log_destroy(npfd_log_t *); int npfd_log_getsock(npfd_log_t *); -bool npfd_log_reopen(npfd_log_t *, bool); -void npfd_log(npfd_log_t *); +bool npfd_log_file_reopen(npfd_log_t *, bool); +bool npfd_log_pcap_reopen(npfd_log_t *); +int npfd_log(npfd_log_t *); void npfd_log_stats(npfd_log_t *); void npfd_log_flush(npfd_log_t *); Index: src/usr.sbin/npf/npfd/npfd_log.c diff -u src/usr.sbin/npf/npfd/npfd_log.c:1.10 src/usr.sbin/npf/npfd/npfd_log.c:1.11 --- src/usr.sbin/npf/npfd/npfd_log.c:1.10 Sat Mar 25 07:00:27 2017 +++ src/usr.sbin/npf/npfd/npfd_log.c Sun Oct 15 11:26:10 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd_log.c,v 1.10 2017/03/25 11:00:27 christos Exp $ */ +/* $NetBSD: npfd_log.c,v 1.11 2017/10/15 15:26:10 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfd_log.c,v 1.10 2017/03/25 11:00:27 christos Exp $"); +__RCSID("$NetBSD: npfd_log.c,v 1.11 2017/10/15 15:26:10 christos Exp $"); #include #include @@ -39,6 +39,7 @@ __RCSID("$NetBSD: npfd_log.c,v 1.10 2017 #include #include +#include #include #include #include 
@@ -53,18 +54,23 @@ __RCSID("$NetBSD: npfd_log.c,v 1.10 2017 struct npfd_log { char ifname[IFNAMSIZ]; char path[MAXPATHLEN]; + char *filter; + int snaplen; pcap_t *pcap; pcap_dumper_t *dumper; }; static void -npfd_log_setfilter(npfd_log_t *ctx, const char *filter) +npfd_log_setfilter(npfd_log_t *ctx) { struct bpf_program bprog; - if (pcap_compile(ctx->pcap, , filter, 1, 0) == -1) - errx(EXIT_FAILURE, "pcap_compile failed for `%s': %s", filter, - pcap_geterr(ctx->pcap)); + if (ctx->filter == NULL) + return; + + if (pcap_compile(ctx->pcap, , ctx->filter, 1, 0) == -1) + errx(EXIT_FAILURE, "pcap_compile failed for `%s': %s", + ctx->filter, pcap_geterr(ctx->pcap)); if (pcap_setfilter(ctx->pcap, ) == -1) errx(EXIT_FAILURE, "pcap_setfilter failed: %s", pcap_geterr(ctx->pcap)); @@ -206,15 +212,42 @@ npfd_log_create(const char *filename, co int snaplen) { npfd_log_t *ctx; - char errbuf[PCAP_ERRBUF_SIZE]; if ((ctx = calloc(1, sizeof(*ctx))) == NULL) err(EXIT_FAILURE, "malloc failed"); - /* - * Open a live capture handle in non-blocking mode. - */ snprintf(ctx->ifname, sizeof(ctx->ifname), "%s", ifname); + if (filename == NULL) + snprintf(ctx->path, sizeof(ctx->path), NPFD_LOG_PATH "/%s.pcap", + ctx->ifname); + else + snprintf(ctx->path, sizeof(ctx->path), "%s", filename); + + if (filter != NULL) { + ctx->filter = strdup(filter); + if (ctx->filter == NULL) + err(EXIT_FAILURE, "malloc failed"); + } + ctx->snaplen = snaplen; + + /* Open a live capture handle in non-blocking mode. */ + npfd_log_pcap_reopen(ctx); + + /* Open the log file */ + npfd_log_file_reopen(ctx, false); + return
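Review bot: `bprog`, filled in by pcap_compile() in npfd_log_setfilter(), is never released with `pcap_freecode(&bprog)`; that was a one-off leak before, but this commit routes every reopen through npfd_log_setfilter() (via npfd_log_pcap_reopen()), so the compiled program now leaks once per reopen in a long-running daemon. Add `pcap_freecode(&bprog);` after the `pcap_setfilter()` call — the handle has its own copy by then. Note also that both failure paths in this function still `errx()`, so a reopen whose filter cannot be re-installed terminates the daemon instead of being reported through the `bool` npfd_log_pcap_reopen() now returns; it is worth deciding explicitly whether that is the intended failure mode for a logging daemon. The npfd_log_create() hunk that follows is cut off on this page and is not reviewed here.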
CVS commit: src/usr.sbin/npf/npftest
Module Name:src Committed By: christos Date: Wed May 17 18:55:13 UTC 2017 Modified Files: src/usr.sbin/npf/npftest: npftest.c Log Message: set "testing mode" for ioctl I/O To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/usr.sbin/npf/npftest/npftest.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npftest/npftest.c
diff -u src/usr.sbin/npf/npftest/npftest.c:1.20 src/usr.sbin/npf/npftest/npftest.c:1.21
--- src/usr.sbin/npf/npftest/npftest.c:1.20 Mon Dec 26 18:05:05 2016
+++ src/usr.sbin/npf/npftest/npftest.c Wed May 17 14:55:13 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npftest.c,v 1.20 2016/12/26 23:05:05 christos Exp $ */
+/* $NetBSD: npftest.c,v 1.21 2017/05/17 18:55:13 christos Exp $ */
 /*
 * NPF testing framework.
@@ -195,6 +195,8 @@ npf_kern_fini(void)
 #endif
 }
+extern int rumpns_npfctl_testing;
+
 int
 main(int argc, char **argv)
 {
@@ -276,6 +278,7 @@ main(int argc, char **argv)
 /*
 * Initialise the NPF kernel component.
 */
+ rumpns_npfctl_testing = 1;
 npf_kern_init();
 rumpns_npf_test_init(inet_pton, inet_ntop, random);
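Review bot: `extern int rumpns_npfctl_testing;` is declared ad hoc in npftest.c directly above main() rather than in a header shared with its definition, so a later change to the variable's type on the kernel side would not be diagnosed here; a shared header (or at least grouping it with the file's other externs) keeps the two sides in step. The assignment `rumpns_npfctl_testing = 1;` also says nothing about what the flag changes or why it precedes npf_kern_init(); a comment such as `/* Put the NPF kernel component into testing mode (affects ioctl I/O); presumably must precede npf_kern_init() — confirm. */` would help the next reader. The second hunk is inside main(), which starts before it.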
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Sun May 14 21:38:23 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf_show.c Log Message: don't print decimal and parse hex! To generate a diff of this commit: cvs rdiff -u -r1.23 -r1.24 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.23 src/usr.sbin/npf/npfctl/npf_show.c:1.24
--- src/usr.sbin/npf/npfctl/npf_show.c:1.23 Sat Jan 28 19:18:15 2017
+++ src/usr.sbin/npf/npfctl/npf_show.c Sun May 14 17:38:23 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_show.c,v 1.23 2017/01/29 00:18:15 christos Exp $ */
+/* $NetBSD: npf_show.c,v 1.24 2017/05/14 21:38:23 christos Exp $ */
 /*-
 * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
 */
 #include
-__RCSID("$NetBSD: npf_show.c,v 1.23 2017/01/29 00:18:15 christos Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.24 2017/05/14 21:38:23 christos Exp $");
 #include
 #define __FAVOR_BSD
@@ -341,7 +341,7 @@ static void
 npfctl_print_id(npf_conf_info_t *ctx, nl_rule_t *rl)
 {
 uint64_t id = id = npf_rule_getid(rl);
- fprintf(ctx->fp, "# id=\"%" PRIu64 "\" ", id);
+ fprintf(ctx->fp, "# id=\"%" PRIx64 "\" ", id);
 }
 static void
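Review bot: The switch from `PRIu64` to `PRIx64` makes the emitted `# id="..."` a bare hex string, but nothing at the call site says why, so the next person to touch this format has only the commit log to go on; add `/* Emit the id in hex: that is the form the parser reads back. */` above the fprintf, noting whether the parser also accepts a `0x` prefix if it does. The unchanged context line `uint64_t id = id = npf_rule_getid(rl);` still carries a redundant inner assignment that reads as a typo and could be reduced to `uint64_t id = npf_rule_getid(rl);` while here.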
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Sat Mar 25 11:00:27 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: npfd_log.c Log Message: can't call pcap_datalink before activate. To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfd/npfd_log.c
diff -u src/usr.sbin/npf/npfd/npfd_log.c:1.9 src/usr.sbin/npf/npfd/npfd_log.c:1.10
--- src/usr.sbin/npf/npfd/npfd_log.c:1.9 Tue Jan 24 15:25:08 2017
+++ src/usr.sbin/npf/npfd/npfd_log.c Sat Mar 25 07:00:27 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npfd_log.c,v 1.9 2017/01/24 20:25:08 christos Exp $ */
+/* $NetBSD: npfd_log.c,v 1.10 2017/03/25 11:00:27 christos Exp $ */
 /*-
 * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
 */
 #include
-__RCSID("$NetBSD: npfd_log.c,v 1.9 2017/01/24 20:25:08 christos Exp $");
+__RCSID("$NetBSD: npfd_log.c,v 1.10 2017/03/25 11:00:27 christos Exp $");
 #include
 #include
@@ -91,7 +91,6 @@ npfd_log_gethdr(npfd_log_t *ctx, struct
 if (hdr->magic != TCPDUMP_MAGIC ||
 hdr->version_major != PCAP_VERSION_MAJOR ||
 hdr->version_minor != PCAP_VERSION_MINOR ||
- hdr->linktype != (u_int)pcap_datalink(ctx->pcap) ||
 hdr->sigfigs != (u_int)pcap_get_tstamp_precision(ctx->pcap))
 goto out;
 break;
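Review bot: Dropping the `hdr->linktype` comparison removes the only check that an existing log file was written for the same link-layer type as the live capture; magic, version and sigfigs are still validated, but a file with a different linktype is now appended to silently and the result decodes wrongly in tcpdump. Since the stated problem is ordering (pcap_datalink() needs an activated handle), the check belongs after activation rather than nowhere: either call npfd_log_gethdr() once the handle is active, or record the datalink value at activation and compare `hdr->linktype` against that here. If neither is practical, a comment explaining why linktype is deliberately not checked would stop the next reader from assuming it is. The function continues outside this hunk.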
CVS commit: src/usr.sbin/npf/npftest/libnpftest
Module Name:src Committed By: christos Date: Sun Jan 29 04:12:52 UTC 2017 Modified Files: src/usr.sbin/npf/npftest/libnpftest: npf_rule_test.c Log Message: fix function argument. To generate a diff of this commit: cvs rdiff -u -r1.13 -r1.14 \ src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c diff -u src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.13 src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.14 --- src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c:1.13 Mon Dec 26 18:05:05 2016 +++ src/usr.sbin/npf/npftest/libnpftest/npf_rule_test.c Sat Jan 28 23:12:52 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_rule_test.c,v 1.13 2016/12/26 23:05:05 christos Exp $ */ +/* $NetBSD: npf_rule_test.c,v 1.14 2017/01/29 04:12:52 christos Exp $ */ /* * NPF ruleset test. @@ -80,7 +80,8 @@ npf_rule_raw_test(bool verbose, struct m npf_cache_t npc = { .npc_info = 0, .npc_ctx = npf }; nbuf_t nbuf; npf_rule_t *rl; - int retfl, error; + npf_match_info_t mi; + int error; nbuf_init(npf, , m, ifp); npc.npc_nbuf = @@ -90,7 +91,7 @@ npf_rule_raw_test(bool verbose, struct m rl = npf_ruleset_inspect(, npf_config_ruleset(npf), di, NPF_LAYER_3); if (rl) { - error = npf_rule_conclude(rl, ); + error = npf_rule_conclude(rl, ); } else { error = ENOENT; }
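Review bot: `npf_match_info_t mi;` is declared without an initializer and its address is passed to `npf_rule_conclude()`, and as far as the hunk shows `mi` is never read afterwards, so the match information the new API returns is simply discarded. If the test is meant to exercise that output, assert on its fields; if not, `npf_match_info_t mi = { 0 };` at least guarantees no indeterminate bytes should `npf_rule_conclude()` fill it only partially on some path. `npf_rule_raw_test` continues outside the hunk.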
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Sun Jan 29 00:18:15 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf_show.c Log Message: Always print the rule id associated with a rule. To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/usr.sbin/npf/npfctl/npf_show.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_show.c diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.22 src/usr.sbin/npf/npfctl/npf_show.c:1.23 --- src/usr.sbin/npf/npfctl/npf_show.c:1.22 Thu Dec 29 15:48:50 2016 +++ src/usr.sbin/npf/npfctl/npf_show.c Sat Jan 28 19:18:15 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_show.c,v 1.22 2016/12/29 20:48:50 rmind Exp $ */ +/* $NetBSD: npf_show.c,v 1.23 2017/01/29 00:18:15 christos Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__RCSID("$NetBSD: npf_show.c,v 1.22 2016/12/29 20:48:50 rmind Exp $"); +__RCSID("$NetBSD: npf_show.c,v 1.23 2017/01/29 00:18:15 christos Exp $"); #include #define __FAVOR_BSD @@ -338,6 +338,13 @@ scan_marks(npf_conf_info_t *ctx, const s } static void +npfctl_print_id(npf_conf_info_t *ctx, nl_rule_t *rl) +{ + uint64_t id = id = npf_rule_getid(rl); + fprintf(ctx->fp, "# id=\"%" PRIu64 "\" ", id); +} + +static void npfctl_print_filter(npf_conf_info_t *ctx, nl_rule_t *rl) { const void *marks; @@ -399,8 +406,7 @@ npfctl_print_rule(npf_conf_info_t *ctx, if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_GROUP) { /* Group; done. */ - fputs("\n", ctx->fp); - return; + goto out; } /* Print filter criteria. */ @@ -411,12 +417,8 @@ npfctl_print_rule(npf_conf_info_t *ctx, fprintf(ctx->fp, "apply \"%s\" ", rproc); } - /* If dynamic rule - print its ID. */ - if ((attr & NPF_DYNAMIC_GROUP) == NPF_RULE_DYNAMIC) { - uint64_t id = npf_rule_getid(rl); - fprintf(ctx->fp, "# id = \"%" PRIx64 "\" ", id); - } - +out: + npfctl_print_id(ctx, rl); fputs("\n", ctx->fp); } 
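Review bot: In the new `npfctl_print_id`, `uint64_t id = id = npf_rule_getid(rl);` stores to `id` twice in one full expression; the inner assignment is redundant and, read strictly, the two stores are unsequenced, so write it as `uint64_t id = npf_rule_getid(rl);`. A one-line comment would also help, e.g. `/* Trailing id comment, presumably for correlating show output with npflog records. */` — confirm the intended consumer before committing to that wording.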
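Review bot: The `npfctl_print_rule` change silently alters the id representation for dynamic rules: the removed branch printed `# id = "%PRIx64"` (hex, spaces around `=`) and the replacement prints `# id="%PRIu64"` (decimal, no spaces) for every rule, so anything parsing the old form now reads a different base and layout. Group entries also reach `out:` via the new `goto` and get an id appended, which is fine if group ids are meaningful but will print `# id="0"`-style noise if they are not — worth checking what `npf_rule_getid()` returns for groups. Whichever format is kept, document it once in npfctl(8) so scripts have something to depend on.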
@@ -465,6 +467,7 @@ npfctl_print_nat(npf_conf_info_t *ctx, n ifname, (flags & NPF_NAT_STATIC) ? "static" : "dynamic", seg1, arrow, seg2); npfctl_print_filter(ctx, rl); + npfctl_print_id(ctx, rl); fputs("\n", ctx->fp); free(seg); }
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Tue Jan 24 20:25:08 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: npfd_log.c Log Message: fix signed compare To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/npfd_log.c diff -u src/usr.sbin/npf/npfd/npfd_log.c:1.8 src/usr.sbin/npf/npfd/npfd_log.c:1.9 --- src/usr.sbin/npf/npfd/npfd_log.c:1.8 Sat Jan 7 11:48:03 2017 +++ src/usr.sbin/npf/npfd/npfd_log.c Tue Jan 24 15:25:08 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd_log.c,v 1.8 2017/01/07 16:48:03 christos Exp $ */ +/* $NetBSD: npfd_log.c,v 1.9 2017/01/24 20:25:08 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfd_log.c,v 1.8 2017/01/07 16:48:03 christos Exp $"); +__RCSID("$NetBSD: npfd_log.c,v 1.9 2017/01/24 20:25:08 christos Exp $"); #include #include @@ -90,7 +90,9 @@ npfd_log_gethdr(npfd_log_t *ctx, struct case 1: if (hdr->magic != TCPDUMP_MAGIC || hdr->version_major != PCAP_VERSION_MAJOR || - hdr->version_minor != PCAP_VERSION_MINOR) + hdr->version_minor != PCAP_VERSION_MINOR || + hdr->linktype != (u_int)pcap_datalink(ctx->pcap) || + hdr->sigfigs != (u_int)pcap_get_tstamp_precision(ctx->pcap)) goto out; break; default:
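Review bot: `hdr->sigfigs != (u_int)pcap_get_tstamp_precision(ctx->pcap)` compares two unrelated things: the pcap file header's `sigfigs` field is the (always 0, as far as I recall) timestamp-accuracy field, while nanosecond precision is signalled by a distinct magic number rather than by `sigfigs`. The clause therefore only holds because `PCAP_TSTAMP_PRECISION_MICRO` is also 0, and would be the wrong field to consult for a nanosecond file. Consider dropping it, or checking the magic against the nanosecond variant explicitly, with a comment recording which precision npfd writes. `npfd_log_gethdr` starts and ends outside the hunk.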
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Tue Jan 24 20:24:59 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: npfd.c Log Message: output every 5 seconds instead of 60 or every 100 packets To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npfd/npfd.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/npfd.c diff -u src/usr.sbin/npf/npfd/npfd.c:1.6 src/usr.sbin/npf/npfd/npfd.c:1.7 --- src/usr.sbin/npf/npfd/npfd.c:1.6 Sat Jan 7 11:48:03 2017 +++ src/usr.sbin/npf/npfd/npfd.c Tue Jan 24 15:24:59 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd.c,v 1.6 2017/01/07 16:48:03 christos Exp $ */ +/* $NetBSD: npfd.c,v 1.7 2017/01/24 20:24:59 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfd.c,v 1.6 2017/01/07 16:48:03 christos Exp $"); +__RCSID("$NetBSD: npfd.c,v 1.7 2017/01/24 20:24:59 christos Exp $"); #include #include @@ -75,6 +75,7 @@ static void npfd_event_loop(npfd_log_t *log, int delay) { struct pollfd pfd; + size_t count = 0; pfd.fd = npfd_log_getsock(log); pfd.events = POLLHUP | POLLIN; @@ -91,6 +92,7 @@ npfd_event_loop(npfd_log_t *log, int del if (flush) { flush = false; npfd_log_flush(log); + count = 0; } switch (poll(, 1, delay)) { case -1: @@ -101,8 +103,13 @@ npfd_event_loop(npfd_log_t *log, int del /*NOTREACHED*/ case 0: npfd_log_flush(log); + count = 0; continue; default: + if (count++ >= 100) { +npfd_log_flush(log); +count = 0; + } npfd_log(log); } @@ -168,7 +175,7 @@ main(int argc, char **argv) bool daemon_off = false; int ch; - int delay = 60 * 1000; + int delay = 5 * 1000; const char *iface = "npflog0"; int snaplen = 116; char *pidname = NULL;
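Review bot: `count` is bumped once per readable `poll()` wakeup, not once per packet: each wakeup calls `npfd_log()`, which wraps `pcap_dispatch(ctx->pcap, PCAP_NPACKETS, ...)` and may consume many packets per call, so the "every 100 packets" in the log message is really "every 100 dispatch rounds". If a packet bound is intended, have `npfd_log()` return the `pcap_dispatch()` count and accumulate that: `count += npfd_log(log); if (count >= 100) { npfd_log_flush(log); count = 0; }`. Otherwise a comment on `size_t count` saying it counts dispatch rounds will stop the next reader from assuming a packet count. `npfd_event_loop` ends outside the hunk.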
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Fri Jan 20 23:00:30 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf_parse.y Log Message: npfctl: fix shift/reduce conflicts, thanks to riastradh@. To generate a diff of this commit: cvs rdiff -u -r1.43 -r1.44 src/usr.sbin/npf/npfctl/npf_parse.y Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_parse.y diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.43 src/usr.sbin/npf/npfctl/npf_parse.y:1.44 --- src/usr.sbin/npf/npfctl/npf_parse.y:1.43 Fri Jan 20 03:16:40 2017 +++ src/usr.sbin/npf/npfctl/npf_parse.y Fri Jan 20 23:00:30 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_parse.y,v 1.43 2017/01/20 03:16:40 kre Exp $ */ +/* $NetBSD: npf_parse.y,v 1.44 2017/01/20 23:00:30 rmind Exp $ */ /*- * Copyright (c) 2011-2017 The NetBSD Foundation, Inc. @@ -180,7 +180,7 @@ yyerror(const char *fmt, ...) %type element, list_elems, list, value %type mapseg %type filt_opts, all_or_filt_opts -%type opt_proto +%type proto opt_proto %type group_opts %type onoff @@ -357,7 +357,11 @@ map { npfctl_build_natseg($3, $6, $2, &$5, &$7, &$9, &$10, $4); } - | MAP ifref map_sd map_algo opt_proto mapseg map_type mapseg + | MAP ifref map_sd map_algo mapseg map_type mapseg + { + npfctl_build_natseg($3, $6, $2, &$5, &$7, NULL, NULL, $4); + } + | MAP ifref map_sd map_algo proto mapseg map_type mapseg { npfctl_build_natseg($3, $7, $2, &$6, &$8, &$5, NULL, $4); } @@ -546,7 +550,7 @@ opt_family | { $$ = AF_UNSPEC; } ; -opt_proto +proto : PROTO TCP tcp_flags_and_mask { $$.op_proto = IPPROTO_TCP; @@ -572,6 +576,10 @@ opt_proto $$.op_proto = $2; $$.op_opts = NULL; } + ; + +opt_proto + : proto { $$ = $1; } | { $$.op_proto = -1;
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: wiz Date: Fri Jan 20 08:48:14 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 Log Message: Bump date for previous. To generate a diff of this commit: cvs rdiff -u -r1.47 -r1.48 src/usr.sbin/npf/npfctl/npf.conf.5 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.47 src/usr.sbin/npf/npfctl/npf.conf.5:1.48 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.47 Thu Jan 19 20:18:17 2017 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Jan 20 08:48:14 2017 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.47 2017/01/19 20:18:17 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.48 2017/01/20 08:48:14 wiz Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 3, 2017 +.Dd January 19, 2017 .Dt NPF.CONF 5 .Os .Sh NAME
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: kre Date: Fri Jan 20 03:16:40 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf_parse.y Log Message: Add missing ; - hopefully unbreak build. To generate a diff of this commit: cvs rdiff -u -r1.42 -r1.43 src/usr.sbin/npf/npfctl/npf_parse.y Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_parse.y diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.42 src/usr.sbin/npf/npfctl/npf_parse.y:1.43 --- src/usr.sbin/npf/npfctl/npf_parse.y:1.42 Thu Jan 19 20:18:17 2017 +++ src/usr.sbin/npf/npfctl/npf_parse.y Fri Jan 20 03:16:40 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_parse.y,v 1.42 2017/01/19 20:18:17 rmind Exp $ */ +/* $NetBSD: npf_parse.y,v 1.43 2017/01/20 03:16:40 kre Exp $ */ /*- * Copyright (c) 2011-2017 The NetBSD Foundation, Inc. @@ -72,7 +72,7 @@ yyerror(const char *fmt, ...) char *dst = ecalloc(1, len * 4 + 1); strvisx(dst, context, len, VIS_WHITE|VIS_CSTYLE); - context = dst + context = dst; #endif fprintf(stderr, " near '%s'", context); }
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Thu Jan 19 20:18:18 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_data.c npf_parse.y npfctl.h Log Message: npfctl: - Add protocol filter option for "map". - Print user-friendly error if table contains an entry with invalid netmask. - Add support for inline ports. To generate a diff of this commit: cvs rdiff -u -r1.46 -r1.47 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.43 -r1.44 src/usr.sbin/npf/npfctl/npf_build.c \ src/usr.sbin/npf/npfctl/npfctl.h cvs rdiff -u -r1.27 -r1.28 src/usr.sbin/npf/npfctl/npf_data.c cvs rdiff -u -r1.41 -r1.42 src/usr.sbin/npf/npfctl/npf_parse.y Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.46 src/usr.sbin/npf/npfctl/npf.conf.5:1.47 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.46 Tue Jan 3 01:29:49 2017 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Thu Jan 19 20:18:17 2017 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.46 2017/01/03 01:29:49 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.47 2017/01/19 20:18:17 rmind Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -228,11 +228,15 @@ For example: .Bd -literal procedure "someproc" { log: npflog0 - normalize: "random-id", "min-ttl" 64 + normalize: "random-id", "min-ttl" 64, "max-mss" 1432 } .Ed .Pp In this case, the procedure calls the logging and normalisation modules. +Traffic normalisation has a set of different mechanisms. +In the example above, the normalisation procedure has arguments which +apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF) +flag cleansing, minimum TTL enforcement and TCP MSS "clamping". .Ss Misc Text after a hash .Pq Sq # 
@@ -275,9 +279,9 @@ table-def = "table" table-id "type" ( "h ; Mapping for address translation. map = "map" interface - ( "static" [ "algo" algorithm ] | "dynamic" ) + ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ] net-seg ( "->" | "<-" | "<->" ) net-seg - [ "pass" filt-opts ] + [ "pass" [ proto ] filt-opts ] ; Rule procedure definition. The name should be in the double quotes. ; @@ -295,8 +299,7 @@ group = "group" ( "default" | group-opt group-opts = name-string [ "in" | "out" ] [ "on" interface ] rule-list = [ rule new-line ] rule-list -npf-filter = [ "family" family-opt ] [ "proto" protocol [ proto-opts ] ] - ( "all" | filt-opts ) +npf-filter = [ "family" family-opt ] [ proto ] ( "all" | filt-opts ) static-rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" | "stateful-ends" ] [ "in" | out" ] [ "final" ] [ "on" interface ] @@ -306,6 +309,7 @@ static-rule = ( "block" [ block-opts ] | dynamic-ruleset = "ruleset" group-opts rule = static-rule | dynamic-ruleset +proto = "proto" protocol [ proto-opts ] block-opts = "return-rst" | "return-icmp" | "return" family-opt = "inet4" | "inet6" proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] | @@ -345,7 +349,7 @@ alg "icmp" # Note: if $ext_if has multiple IP address (e.g. IPv6 as well), # then the translation address has to be specified explicitly. map $ext_if dynamic 10.1.1.0/24 -> $ext_if -map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if port 9022 +map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 procedure "log" { # Note: npf_ext_log kernel module should be loaded, if not built-in. Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.43 src/usr.sbin/npf/npfctl/npf_build.c:1.44 --- src/usr.sbin/npf/npfctl/npf_build.c:1.43 Tue Jan 3 01:29:49 2017 +++ src/usr.sbin/npf/npfctl/npf_build.c Thu Jan 19 20:18:17 2017 
@@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $ */ +/* $NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $ */ /*- * Copyright (c) 2011-2017 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $"); #include #include @@ -586,9 +586,9 @@ npfctl_build_rule(uint32_t attr, const c */ static nl_nat_t * npfctl_build_nat(int type, const char *ifname, const addr_port_t *ap, -const filt_opts_t *fopts, u_int flags) +const opt_proto_t *op, const filt_opts_t *fopts, u_int flags) { - const opt_proto_t op = { .op_proto = -1, .op_opts = NULL }; + const opt_proto_t def_op = { .op_proto = -1, .op_opts = NULL }; fam_addr_mask_t *am = npfctl_get_singlefam(ap->ap_netaddr); in_port_t port; nl_nat_t *nat; @@ -600,10 +600,13 @@ npfctl_build_nat(int type, const char *i } else { port = 0; } + if (!op) { + op = _op; + } nat = npf_nat_create(type, flags, ifname, am->fam_family, >fam_addr, am->fam_mask, port); - npfctl_build_code(nat,
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Wed Jan 11 02:13:54 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: todo Log Message: more todo To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/usr.sbin/npf/npfctl/todo Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/todo diff -u src/usr.sbin/npf/npfctl/todo:1.11 src/usr.sbin/npf/npfctl/todo:1.12 --- src/usr.sbin/npf/npfctl/todo:1.11 Thu Feb 13 21:01:12 2014 +++ src/usr.sbin/npf/npfctl/todo Tue Jan 10 21:13:54 2017 @@ -16,3 +16,4 @@ -- add algo for "with short" -- implement "port-unr" -- implement block return-icmp in log final all with ipopts +-- handle array variables in more places
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Wed Jan 11 02:11:21 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf_parse.y npf_var.c Log Message: Don't silently take the first element of multiple element variables. To generate a diff of this commit: cvs rdiff -u -r1.40 -r1.41 src/usr.sbin/npf/npfctl/npf_parse.y cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npfctl/npf_var.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_parse.y diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.40 src/usr.sbin/npf/npfctl/npf_parse.y:1.41 --- src/usr.sbin/npf/npfctl/npf_parse.y:1.40 Mon Jan 2 20:29:49 2017 +++ src/usr.sbin/npf/npfctl/npf_parse.y Tue Jan 10 21:11:21 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_parse.y,v 1.40 2017/01/03 01:29:49 rmind Exp $ */ +/* $NetBSD: npf_parse.y,v 1.41 2017/01/11 02:11:21 christos Exp $ */ /*- * Copyright (c) 2011-2017 The NetBSD Foundation, Inc. @@ -665,6 +665,8 @@ addr_or_ifaddr } | static_ifaddrs { + if (npfvar_get_count($1) != 1) + yyerror("multiple interfaces are not supported"); ifnet_addr_t *ifna = npfvar_get_data($1, NPFVAR_INTERFACE, 0); $$ = ifna->ifna_addrs; } @@ -765,6 +767,8 @@ tcp_flags_and_mask } | FLAGS tcp_flags { + if (npfvar_get_count($2) != 1) + yyerror("multiple tcpflags are not supported"); char *s = npfvar_get_data($2, NPFVAR_TCPFLAG, 0); npfvar_add_elements($2, npfctl_parse_tcpflag(s)); $$ = $2; @@ -804,6 +808,9 @@ ifname $$ = npfvar_expand_string(vp); break; case NPFVAR_INTERFACE: + if (npfvar_get_count(vp) != 1) +yyerror( +"multiple interfaces are not supported"); ifna = npfvar_get_data(vp, type, 0); $$ = ifna->ifna_name; break; 
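Review bot: The same two-line `if (npfvar_get_count(...) != 1) yyerror("multiple ... are not supported");` guard is pasted into four grammar actions with hand-typed messages that already differ ("interfaces" vs "tcpflags"), which invites drift as more places are covered (the accompanying todo even lists "handle array variables in more places"). A small helper in npf_var.c such as `npfvar_expect_single(const npfvar_t *vp, const char *what)` that does the count check and formats the error once would keep the messages uniform and the actions short. Whether the actions may continue after `yyerror()` depends on it being declared noreturn; its prototype is not in the hunk.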
@@ -838,6 +845,8 @@ ifref | dynamic_ifaddrs | static_ifaddrs { + if (npfvar_get_count($1) != 1) + yyerror("multiple interfaces are not supported"); ifnet_addr_t *ifna = npfvar_get_data($1, NPFVAR_INTERFACE, 0); npfctl_note_interface(ifna->ifna_name); $$ = ifna->ifna_name; Index: src/usr.sbin/npf/npfctl/npf_var.c diff -u src/usr.sbin/npf/npfctl/npf_var.c:1.9 src/usr.sbin/npf/npfctl/npf_var.c:1.10 --- src/usr.sbin/npf/npfctl/npf_var.c:1.9 Sun Jul 12 19:54:44 2015 +++ src/usr.sbin/npf/npfctl/npf_var.c Tue Jan 10 21:11:21 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_var.c,v 1.9 2015/07/12 23:54:44 rmind Exp $ */ +/* $NetBSD: npf_var.c,v 1.10 2017/01/11 02:11:21 christos Exp $ */ /*- * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npf_var.c,v 1.9 2015/07/12 23:54:44 rmind Exp $"); +__RCSID("$NetBSD: npf_var.c,v 1.10 2017/01/11 02:11:21 christos Exp $"); #include #include @@ -188,6 +188,10 @@ npfvar_destroy(npfvar_t *vp) char * npfvar_expand_string(const npfvar_t *vp) { + if (npfvar_get_count(vp) != 1) + yyerror("variable '%s' type '%s' has %zu elements", vp->v_key, + npfvar_type(vp->v_type), npfvar_get_count(vp)); + return npfvar_get_data(vp, NPFVAR_STRING, 0); }
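Review bot: The new guard in `npfvar_expand_string` (and its siblings in npf_parse.y) only works if `yyerror()` never returns; if it is not declared `__dead`/noreturn, control falls through to `npfvar_get_data(vp, NPFVAR_STRING, 0)` and silently takes the first element again — exactly what this commit sets out to stop. If yyerror does exit, put a noreturn attribute on its prototype so the compiler enforces the contract; if it does not, each guard needs an explicit `return NULL;` after it. `%zu` also assumes `npfvar_get_count()` returns `size_t`; worth confirming against the prototype since a mismatch there is undefined behaviour.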
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Wed Jan 11 02:10:44 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npfctl.c Log Message: fix hint. To generate a diff of this commit: cvs rdiff -u -r1.52 -r1.53 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.52 src/usr.sbin/npf/npfctl/npfctl.c:1.53 --- src/usr.sbin/npf/npfctl/npfctl.c:1.52 Thu Dec 29 15:48:50 2016 +++ src/usr.sbin/npf/npfctl/npfctl.c Tue Jan 10 21:10:44 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.52 2016/12/29 20:48:50 rmind Exp $ */ +/* $NetBSD: npfctl.c,v 1.53 2017/01/11 02:10:44 christos Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.52 2016/12/29 20:48:50 rmind Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.53 2017/01/11 02:10:44 christos Exp $"); #include #include @@ -695,7 +695,8 @@ npfctl_open_dev(const char *path) if (ver != NPF_VERSION) { errx(EXIT_FAILURE, "incompatible NPF interface version (%d, kernel %d)\n" - "Hint: update userland?", NPF_VERSION, ver); + "Hint: update %s?", NPF_VERSION, ver, + NPF_VERSION > ver ? "userland" : "kernel"); } return fd; }
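Review bot: The hint reads inverted: `NPF_VERSION` is this binary's interface version and `ver` the kernel's, so when `NPF_VERSION > ver` the userland is already newer and the kernel is the stale side, yet the message says `update userland?`. Unless I am misreading the operands, the ternary should be `NPF_VERSION > ver ? "kernel" : "userland"`. A comment such as `/* userland newer than kernel => kernel is stale, and vice versa */` above the check would prevent the same confusion next time. `npfctl_open_dev` starts outside the hunk.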
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: wiz Date: Sun Jan 8 13:59:53 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: npfd.8 Log Message: Whitespace, fix xref, remove unnecessary macro, sort SEE ALSO. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npfd/npfd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/npfd.8 diff -u src/usr.sbin/npf/npfd/npfd.8:1.2 src/usr.sbin/npf/npfd/npfd.8:1.3 --- src/usr.sbin/npf/npfd/npfd.8:1.2 Sat Jan 7 18:48:47 2017 +++ src/usr.sbin/npf/npfd/npfd.8 Sun Jan 8 13:59:53 2017 @@ -1,4 +1,4 @@ -.\" $NetBSD: npfd.8,v 1.2 2017/01/07 18:48:47 christos Exp $ +.\" $NetBSD: npfd.8,v 1.3 2017/01/08 13:59:53 wiz Exp $ .\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $ .\" .\" Copyright (c) 2001 Can Erkin Acar. All rights reserved. @@ -25,7 +25,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" +.\" .Dd January 5, 2017 .Dt NPFD 8 .Os @@ -34,7 +34,6 @@ .Nd packet filter logging and state synchronization daemon .Sh SYNOPSIS .Nm npfd -.Bk -words .Op Fl D .Op Fl d Ar delay .Op Fl f Ar filename @@ -42,7 +41,6 @@ .Op Fl p Ar pidfile .Op Fl s Ar snaplen .Op Ar expression -.Ek .Sh DESCRIPTION .Nm is a background daemon which reads packets logged by @@ -167,7 +165,7 @@ Log specific tcp packets to a different .Pp Log from another .\" .Xr pflog 4 -npflog +npflog interface, excluding specific packets: .Bd -literal -offset indent # npfd -i npflog3 -f network3.log "not (tcp and port 23)" @@ -229,12 +227,12 @@ the wi0 interface: .Ed .Pp Each -.Xr npf 4 +.Xr npf 7 rule is marked with an id number, shown using: .Bd -literal -offset indent # npfctl show ... -block final all apply "log" # id="45" +block final all apply "log" # id="45" ... .Ed .Pp 
@@ -251,8 +249,8 @@ options [mss 1440], length 0 .Xr pcap 3 , \" .Xr if_npflog 4 , .Xr npf.conf 5 , -.Xr newsyslog 8 , .Xr npf 7 , +.Xr newsyslog 8 , .Xr npfctl 8 , .Xr tcpdump 8 .Sh HISTORY
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Sat Jan 7 18:48:47 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: npfd.8 Log Message: add example. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/usr.sbin/npf/npfd/npfd.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/npfd.8 diff -u src/usr.sbin/npf/npfd/npfd.8:1.1 src/usr.sbin/npf/npfd/npfd.8:1.2 --- src/usr.sbin/npf/npfd/npfd.8:1.1 Sat Jan 7 11:48:03 2017 +++ src/usr.sbin/npf/npfd/npfd.8 Sat Jan 7 13:48:47 2017 @@ -1,4 +1,4 @@ -.\" $NetBSD: npfd.8,v 1.1 2017/01/07 16:48:03 christos Exp $ +.\" $NetBSD: npfd.8,v 1.2 2017/01/07 18:48:47 christos Exp $ .\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $ .\" .\" Copyright (c) 2001 Can Erkin Acar. All rights reserved. @@ -225,7 +225,27 @@ The direction was outbound. Display the logs in real time of inbound packets that were blocked on the wi0 interface: .Bd -literal -offset indent -# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0 +# tcpdump -n -e -ttt -i npflog0 inbound and action block and on wi0 +.Ed +.Pp +Each +.Xr npf 4 +rule is marked with an id number, shown using: +.Bd -literal -offset indent +# npfctl show +... +block final all apply "log" # id="45" +... +.Ed +.Pp +This id is the rule id shown by tcpdump: +.Bd -literal -offset indent +# tcpdump -enr /var/log/npflog0.pcap +... +11:26:02.288199 rule 45.rules.0/0(match): block in on sk0: \e +1.2.3.4.46063 > 5.6.7.8.23231: Flags [S], seq 1, win 8192, \e +options [mss 1440], length 0 +... .Ed .Sh SEE ALSO .Xr pcap 3 , @@ -233,6 +253,7 @@ the wi0 interface: .Xr npf.conf 5 , .Xr newsyslog 8 , .Xr npf 7 , +.Xr npfctl 8 , .Xr tcpdump 8 .Sh HISTORY The
CVS commit: src/usr.sbin/npf
Module Name:src Committed By: christos Date: Sat Jan 7 17:27:03 UTC 2017 Modified Files: src/usr.sbin/npf: Makefile Log Message: descend to npfd To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/npf/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/Makefile diff -u src/usr.sbin/npf/Makefile:1.5 src/usr.sbin/npf/Makefile:1.6 --- src/usr.sbin/npf/Makefile:1.5 Sat Aug 2 19:57:40 2014 +++ src/usr.sbin/npf/Makefile Sat Jan 7 12:27:02 2017 @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.5 2014/08/02 23:57:40 rmind Exp $ +# $NetBSD: Makefile,v 1.6 2017/01/07 17:27:02 christos Exp $ .include -SUBDIR= npfctl +SUBDIR= npfctl npfd .if ${MKRUMP} != "no" && ${MKPIC} != "no" SUBDIR+= npftest
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Sat Jan 7 16:48:03 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: Makefile npfd.c npfd_log.c Added Files: src/usr.sbin/npf/npfd: npfd.8 Log Message: add man page, lint cleanups. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/npf/npfd/Makefile cvs rdiff -u -r0 -r1.1 src/usr.sbin/npf/npfd/npfd.8 cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/npf/npfd/npfd.c cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/Makefile diff -u src/usr.sbin/npf/npfd/Makefile:1.4 src/usr.sbin/npf/npfd/Makefile:1.5 --- src/usr.sbin/npf/npfd/Makefile:1.4 Fri Jan 6 14:20:24 2017 +++ src/usr.sbin/npf/npfd/Makefile Sat Jan 7 11:48:03 2017 @@ -1,12 +1,11 @@ -# $NetBSD: Makefile,v 1.4 2017/01/06 19:20:24 christos Exp $ +# $NetBSD: Makefile,v 1.5 2017/01/07 16:48:03 christos Exp $ # # Public Domain # -NOMAN= PROG= npfd +MAN= npfd.8 -DBG=-g SRCS= npfd.c npfd_log.c CPPFLAGS+= -I${.CURDIR} @@ -14,6 +13,5 @@ LDADD+= -lnpf -lpcap -lutil DPADD+= ${LIBNPF} ${LIBPCAP} ${LIBUTIL} WARNS= 5 -NOLINT= # disabled deliberately .include Index: src/usr.sbin/npf/npfd/npfd.c diff -u src/usr.sbin/npf/npfd/npfd.c:1.5 src/usr.sbin/npf/npfd/npfd.c:1.6 --- src/usr.sbin/npf/npfd/npfd.c:1.5 Fri Jan 6 14:20:24 2017 +++ src/usr.sbin/npf/npfd/npfd.c Sat Jan 7 11:48:03 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd.c,v 1.5 2017/01/06 19:20:24 christos Exp $ */ +/* $NetBSD: npfd.c,v 1.6 2017/01/07 16:48:03 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfd.c,v 1.5 2017/01/06 19:20:24 christos Exp $"); +__RCSID("$NetBSD: npfd.c,v 1.6 2017/01/07 16:48:03 christos Exp $"); #include #include 
@@ -98,6 +98,7 @@ npfd_event_loop(npfd_log_t *log, int del continue; syslog(LOG_ERR, "poll failed: %m"); exit(EXIT_FAILURE); + /*NOTREACHED*/ case 0: npfd_log_flush(log); continue; Index: src/usr.sbin/npf/npfd/npfd_log.c diff -u src/usr.sbin/npf/npfd/npfd_log.c:1.7 src/usr.sbin/npf/npfd/npfd_log.c:1.8 --- src/usr.sbin/npf/npfd/npfd_log.c:1.7 Sat Jan 7 11:36:54 2017 +++ src/usr.sbin/npf/npfd/npfd_log.c Sat Jan 7 11:48:03 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd_log.c,v 1.7 2017/01/07 16:36:54 christos Exp $ */ +/* $NetBSD: npfd_log.c,v 1.8 2017/01/07 16:48:03 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfd_log.c,v 1.7 2017/01/07 16:36:54 christos Exp $"); +__RCSID("$NetBSD: npfd_log.c,v 1.8 2017/01/07 16:48:03 christos Exp $"); #include #include @@ -100,7 +100,7 @@ npfd_log_gethdr(npfd_log_t *ctx, struct return fp; out: fclose(fp); - hdr->magic = -1; + hdr->magic = (uint32_t)-1; return NULL; } @@ -170,7 +170,7 @@ fix: syslog(LOG_WARNING, "Incomplete last packet in `%s', truncating", ctx->path); - if (truncate(ctx->path, o) == -1) { + if (truncate(ctx->path, (off_t)o) == -1) { syslog(LOG_ERR, "Cannot truncate `%s': %m", ctx->path); goto rename; } @@ -324,7 +324,7 @@ npfd_log(npfd_log_t *ctx) { pcap_dumper_t *dumper = ctx->dumper; - pcap_dispatch(ctx->pcap, PCAP_NPACKETS, pcap_dump, (uint8_t *)dumper); + pcap_dispatch(ctx->pcap, PCAP_NPACKETS, pcap_dump, (void *)dumper); } void Added files: Index: src/usr.sbin/npf/npfd/npfd.8 diff -u /dev/null src/usr.sbin/npf/npfd/npfd.8:1.1 --- /dev/null Sat Jan 7 11:48:03 2017 +++ src/usr.sbin/npf/npfd/npfd.8 Sat Jan 7 11:48:03 2017 
@@ -0,0 +1,244 @@ +.\" $NetBSD: npfd.8,v 1.1 2017/01/07 16:48:03 christos Exp $ +.\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $ +.\" +.\" Copyright (c) 2001 Can Erkin Acar. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\"notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\"notice, this list of conditions and the following disclaimer in the +.\"documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote products +.\"derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Sat Jan 7 16:36:54 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: npfd_log.c Log Message: restrict permissions on log file To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/npfd_log.c diff -u src/usr.sbin/npf/npfd/npfd_log.c:1.6 src/usr.sbin/npf/npfd/npfd_log.c:1.7 --- src/usr.sbin/npf/npfd/npfd_log.c:1.6 Fri Jan 6 14:20:24 2017 +++ src/usr.sbin/npf/npfd/npfd_log.c Sat Jan 7 11:36:54 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd_log.c,v 1.6 2017/01/06 19:20:24 christos Exp $ */ +/* $NetBSD: npfd_log.c,v 1.7 2017/01/07 16:36:54 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfd_log.c,v 1.6 2017/01/06 19:20:24 christos Exp $"); +__RCSID("$NetBSD: npfd_log.c,v 1.7 2017/01/07 16:36:54 christos Exp $"); #include #include @@ -260,6 +260,8 @@ npfd_log_create(const char *filename, co bool npfd_log_reopen(npfd_log_t *ctx, bool die) { + mode_t omask = umask(077); + if (ctx->dumper) pcap_dump_close(ctx->dumper); /* @@ -277,6 +279,7 @@ npfd_log_reopen(npfd_log_t *ctx, bool di ctx->dumper = pcap_dump_open_append(ctx->pcap, ctx->path); break; } + (void)umask(omask); if (ctx->dumper == NULL) { if (die)
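Review bot: `umask(077)` only governs files that get created, so in the `pcap_dump_open_append()` branch an existing log that is already group/world readable keeps its mode and the restriction is silently not applied on reopen. If 0600 is the policy, follow the successful open with an `fchmod()` on the dumper's descriptor (`fileno(pcap_dump_file(ctx->dumper))`) rather than a path-based `chmod()`, and say so in a comment next to the umask save/restore. `umask()` is also process-wide state; fine if npfd stays single-threaded, but worth noting there. `npfd_log_reopen` ends outside the hunk.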
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Fri Jan 6 19:20:24 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: Makefile npfd.c npfd.h npfd_log.c Log Message: Add log validation To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 src/usr.sbin/npf/npfd/Makefile \ src/usr.sbin/npf/npfd/npfd.h cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/npf/npfd/npfd.c cvs rdiff -u -r1.5 -r1.6 src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/Makefile diff -u src/usr.sbin/npf/npfd/Makefile:1.3 src/usr.sbin/npf/npfd/Makefile:1.4 --- src/usr.sbin/npf/npfd/Makefile:1.3 Fri Dec 30 14:55:46 2016 +++ src/usr.sbin/npf/npfd/Makefile Fri Jan 6 14:20:24 2017 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.3 2016/12/30 19:55:46 christos Exp $ +# $NetBSD: Makefile,v 1.4 2017/01/06 19:20:24 christos Exp $ # # Public Domain # @@ -6,7 +6,7 @@ NOMAN= PROG= npfd -#DBG=-g +DBG=-g SRCS= npfd.c npfd_log.c CPPFLAGS+= -I${.CURDIR} Index: src/usr.sbin/npf/npfd/npfd.h diff -u src/usr.sbin/npf/npfd/npfd.h:1.3 src/usr.sbin/npf/npfd/npfd.h:1.4 --- src/usr.sbin/npf/npfd/npfd.h:1.3 Fri Dec 30 14:55:46 2016 +++ src/usr.sbin/npf/npfd/npfd.h Fri Jan 6 14:20:24 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd.h,v 1.3 2016/12/30 19:55:46 christos Exp $ */ +/* $NetBSD: npfd.h,v 1.4 2017/01/06 19:20:24 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. 
@@ -42,7 +42,7 @@ struct npf_log; typedef struct npfd_log npfd_log_t; -npfd_log_t * npfd_log_create(const char *, const char *, int); +npfd_log_t * npfd_log_create(const char *, const char *, const char *, int); void npfd_log_destroy(npfd_log_t *); int npfd_log_getsock(npfd_log_t *); bool npfd_log_reopen(npfd_log_t *, bool); Index: src/usr.sbin/npf/npfd/npfd.c diff -u src/usr.sbin/npf/npfd/npfd.c:1.4 src/usr.sbin/npf/npfd/npfd.c:1.5 --- src/usr.sbin/npf/npfd/npfd.c:1.4 Fri Dec 30 14:55:46 2016 +++ src/usr.sbin/npf/npfd/npfd.c Fri Jan 6 14:20:24 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd.c,v 1.4 2016/12/30 19:55:46 christos Exp $ */ +/* $NetBSD: npfd.c,v 1.5 2017/01/06 19:20:24 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfd.c,v 1.4 2016/12/30 19:55:46 christos Exp $"); +__RCSID("$NetBSD: npfd.c,v 1.5 2017/01/06 19:20:24 christos Exp $"); #include #include @@ -49,7 +49,7 @@ __RCSID("$NetBSD: npfd.c,v 1.4 2016/12/3 #include "npfd.h" -static volatile sig_atomic_t hup, stats, done; +static volatile sig_atomic_t hup, stats, done, flush; static int npfd_getctl(void) @@ -87,6 +87,9 @@ npfd_event_loop(npfd_log_t *log, int del if (stats) { stats = false; npfd_log_stats(log); + } + if (flush) { + flush = false; npfd_log_flush(log); } switch (poll(, 1, delay)) { @@ -118,9 +121,11 @@ sighandler(int sig) done = true; break; case SIGINFO: - case SIGQUIT: stats = true; break; + case SIGALRM: + flush = true; + break; default: syslog(LOG_ERR, "Unhandled signal %d", sig); break; @@ -131,7 +136,8 @@ static __dead void usage(void) { fprintf(stderr, "Usage: %s [-D] [-d ] [-i ]" - " [-p ] [-s ] expression\n", getprogname()); + " [-f ] [-p ] [-s ] expression\n", + getprogname()); exit(EXIT_FAILURE); } 
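Review bot: Dropping `case SIGQUIT:` from the stats arm of sighandler sends SIGQUIT to the `default:` branch, which calls `syslog(LOG_ERR, "Unhandled signal %d", sig)` from signal context; syslog(3) is not async-signal-safe, and if main still registers a handler for SIGQUIT (revision 1.2 on this page did) an operator's SIGQUIT now exercises that unsafe path instead of being ignored or terminating. Either keep SIGQUIT mapped to a flag, or drop its `signal()` registration together with this change, and move the unhandled-signal report out of the handler into the event loop by recording the number in another `sig_atomic_t`. The added `case SIGALRM: flush = true;` is fine as a flag store.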
@@ -165,11 +171,12 @@ main(int argc, char **argv) const char *iface = "npflog0"; int snaplen = 116; char *pidname = NULL; + char *filename = NULL; int fd = npfd_getctl(); (void)close(fd); - while ((ch = getopt(argc, argv, "Dd:i:p:s:")) != -1) { + while ((ch = getopt(argc, argv, "Dd:f:i:p:s:")) != -1) { switch (ch) { case 'D': daemon_off = true; @@ -177,6 +184,9 @@ main(int argc, char **argv) case 'd': delay = atoi(optarg) * 1000; break; + case 'f': + filename = optarg; + break; case 'i': iface = optarg; break; @@ -196,7 +206,7 @@ main(int argc, char **argv) char *filter = copyargs(argc, argv); - npfd_log_t *log = npfd_log_create(iface, filter, snaplen); + npfd_log_t *log = npfd_log_create(filename, iface, filter, snaplen); if (!daemon_off) { if (daemon(0, 0) == -1) Index: src/usr.sbin/npf/npfd/npfd_log.c diff -u src/usr.sbin/npf/npfd/npfd_log.c:1.5 src/usr.sbin/npf/npfd/npfd_log.c:1.6 --- src/usr.sbin/npf/npfd/npfd_log.c:1.5 Thu Jan 5 11:23:31 2017 +++ src/usr.sbin/npf/npfd/npfd_log.c Fri Jan 6 14:20:24 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd_log.c,v 1.5 2017/01/05 16:23:31 christos Exp $ */ +/* $NetBSD: npfd_log.c,v 1.6 2017/01/06 19:20:24 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,10 +30,12 @@ */ #include -__RCSID("$NetBSD: npfd_log.c,v 1.5 2017/01/05 16:23:31 christos Exp $"); +__RCSID("$NetBSD: npfd_log.c,v 1.6 2017/01/06 19:20:24 christos Exp $"); #include #include +#include + #include #include @@ -69,8 +71,138 @@
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Thu Jan 5 16:23:31 UTC 2017 Modified Files: src/usr.sbin/npf/npfd: npfd_log.c Log Message: set the timeout to 1 second so we can see packets flowing in real time. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files:
Index: src/usr.sbin/npf/npfd/npfd_log.c
diff -u src/usr.sbin/npf/npfd/npfd_log.c:1.4 src/usr.sbin/npf/npfd/npfd_log.c:1.5
--- src/usr.sbin/npf/npfd/npfd_log.c:1.4 Fri Dec 30 14:55:46 2016
+++ src/usr.sbin/npf/npfd/npfd_log.c Thu Jan 5 11:23:31 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: npfd_log.c,v 1.4 2016/12/30 19:55:46 christos Exp $ */
+/* $NetBSD: npfd_log.c,v 1.5 2017/01/05 16:23:31 christos Exp $ */
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 #include
-__RCSID("$NetBSD: npfd_log.c,v 1.4 2016/12/30 19:55:46 christos Exp $");
+__RCSID("$NetBSD: npfd_log.c,v 1.5 2017/01/05 16:23:31 christos Exp $");
 #include
 #include
@@ -93,6 +93,10 @@ npfd_log_create(const char *ifname, cons
 errx(EXIT_FAILURE, "pcap_set_snaplen failed: %s",
 pcap_geterr(ctx->pcap));
+ if (pcap_set_timeout(ctx->pcap, 1000) == -1)
+ errx(EXIT_FAILURE, "pcap_set_timeout failed: %s",
+ pcap_geterr(ctx->pcap));
+
 if (pcap_activate(ctx->pcap) == -1)
 errx(EXIT_FAILURE, "pcap_activate failed: %s",
 pcap_geterr(ctx->pcap));
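Review bot: `pcap_set_timeout(ctx->pcap, 1000) == -1` can never fire for the one failure that call reports, because pcap_set_timeout returns 0 or PCAP_ERROR_ACTIVATED (which is not -1) when the handle is already activated; test `!= 0` instead. The neighbouring `pcap_activate(...) == -1` context line has the same shape and misses the other negative PCAP_ERROR_* codes as well as the positive warnings, so `< 0` there would be the consistent check. npfd_log_create continues outside this hunk.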
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Tue Jan 3 01:29:49 UTC 2017 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c npf_parse.y npf_scan.l npfctl.h Log Message: npfctl: dynamic interface address handling; update npf.conf(8). To generate a diff of this commit: cvs rdiff -u -r1.45 -r1.46 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.42 -r1.43 src/usr.sbin/npf/npfctl/npf_build.c \ src/usr.sbin/npf/npfctl/npfctl.h cvs rdiff -u -r1.39 -r1.40 src/usr.sbin/npf/npfctl/npf_parse.y cvs rdiff -u -r1.24 -r1.25 src/usr.sbin/npf/npfctl/npf_scan.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.45 src/usr.sbin/npf/npfctl/npf.conf.5:1.46 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.45 Tue Dec 27 22:35:33 2016 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Tue Jan 3 01:29:49 2017 @@ -1,6 +1,6 @@ -.\"$NetBSD: npf.conf.5,v 1.45 2016/12/27 22:35:33 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.46 2017/01/03 01:29:49 rmind Exp $ .\" -.\" Copyright (c) 2009-2015 The NetBSD Foundation, Inc. +.\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This material is based upon work partially supported by The @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd December 28, 2016 +.Dd January 3, 2017 .Dt NPF.CONF 5 .Os .Sh NAME 
@@ -110,6 +110,24 @@ Specific interface addresses can be sele $pub_if4 = inet4(wm0) $pub_if46 = { inet4(wm0), inet6(wm0) } .Ed +.Pp +In the above examples, NPF will statically capture the interface +addresses on configuration load. +.Pp +The following can be used for dynamic handling of the interface addresses: +.Bd -literal +$pub_if = ifaddrs(wm0) +.Ed +.Pp +In this case, the expression will represent the runtime list of addresses, +reflecting any changes to the interface, including the attach and detach. +Marking the interface as ``down'' has no effect, i.e. all addresses will +remain present. +.Pp +The dynamic address list represents both the IPv4 and IPv6 addresses, +therefore the +.Cd family +keyword can be used in combination to make the filtering more narrow. .Ss Groups Groups may have the following options: name, interface, and direction. They are defined in the following form: Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.42 src/usr.sbin/npf/npfctl/npf_build.c:1.43 --- src/usr.sbin/npf/npfctl/npf_build.c:1.42 Tue Dec 27 22:35:33 2016 +++ src/usr.sbin/npf/npfctl/npf_build.c Tue Jan 3 01:29:49 2017 @@ -1,7 +1,7 @@ -/* $NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $ */ +/* $NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $ */ /*- - * Copyright (c) 2011-2014 The NetBSD Foundation, Inc. + * Copyright (c) 2011-2017 The NetBSD Foundation, Inc. * All rights reserved. * * This material is based upon work partially supported by The @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.43 2017/01/03 01:29:49 rmind Exp $"); #include #include @@ -65,6 +65,7 @@ static nl_rule_t * the_rule = NULL; static nl_rule_t * current_group[MAX_RULE_NESTING]; static unsigned rule_nesting_level = 0; static nl_rule_t * defgroup = NULL; +static unsigned npfctl_tid_counter = 0; static void npfctl_dump_bpf(struct bpf_program *); 
@@ -797,10 +798,9 @@ npfctl_fill_table(nl_table_t *tl, u_int void npfctl_build_table(const char *tname, u_int type, const char *fname) { - static unsigned tid = 0; nl_table_t *tl; - tl = npf_table_create(tname, tid++, type); + tl = npf_table_create(tname, npfctl_tid_counter++, type); assert(tl != NULL); if (npf_table_insert(npf_conf, tl)) { @@ -814,6 +814,24 @@ npfctl_build_table(const char *tname, u_ } } +npfvar_t * +npfctl_ifnet_table(const char *ifname) +{ + char tname[NPF_TABLE_MAXNAMELEN]; + nl_table_t *tl; + u_int tid; + + snprintf(tname, sizeof(tname), ".ifnet-%s", ifname); + + tid = npfctl_table_getid(tname); + if (tid == (unsigned)-1) { + tid = npfctl_tid_counter++; + tl = npf_table_create(tname, tid, NPF_TABLE_TREE); + (void)npf_table_insert(npf_conf, tl); + } + return npfvar_create_element(NPFVAR_TABLE, , sizeof(u_int)); +} + /* * npfctl_build_alg: create an NPF application level gateway and add it * to the configuration. Index: src/usr.sbin/npf/npfctl/npfctl.h diff -u src/usr.sbin/npf/npfctl/npfctl.h:1.42 src/usr.sbin/npf/npfctl/npfctl.h:1.43 --- src/usr.sbin/npf/npfctl/npfctl.h:1.42 Tue Dec 27 22:35:33 2016 +++ src/usr.sbin/npf/npfctl/npfctl.h Tue Jan 3 01:29:49 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.h,v 1.42 2016/12/27 22:35:33 rmind Exp $ */ +/* $NetBSD: npfctl.h,v 1.43 2017/01/03 01:29:49 rmind Exp $ */ /*- *
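Review bot: `snprintf(tname, sizeof(tname), ".ifnet-%s", ifname)` in npfctl_ifnet_table ignores its return value, so an interface name longer than NPF_TABLE_MAXNAMELEN minus the prefix is silently truncated and two such names can alias to the same table; check `(size_t)n >= sizeof(tname)` and reject the name as too long. The same function also casts away the result of `npf_table_insert` and never checks `npf_table_create` for NULL, whereas npfctl_build_table just above asserts the create and acts on a failed insert — the two should agree. `tid == (unsigned)-1` as the not-found sentinel is only right if npfctl_table_getid returns that value; a one-line comment at the call, `/* npfctl_table_getid returns (unsigned)-1 when no such table exists */`, would pin the contract.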
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Fri Dec 30 19:55:46 UTC 2016 Modified Files: src/usr.sbin/npf/npfd: Makefile npfd.c npfd.h npfd_log.c Log Message: flesh this out more. To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npfd/Makefile \ src/usr.sbin/npf/npfd/npfd.h cvs rdiff -u -r1.3 -r1.4 src/usr.sbin/npf/npfd/npfd.c \ src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/Makefile diff -u src/usr.sbin/npf/npfd/Makefile:1.2 src/usr.sbin/npf/npfd/Makefile:1.3 --- src/usr.sbin/npf/npfd/Makefile:1.2 Tue Dec 27 20:25:48 2016 +++ src/usr.sbin/npf/npfd/Makefile Fri Dec 30 14:55:46 2016 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.2 2016/12/28 01:25:48 christos Exp $ +# $NetBSD: Makefile,v 1.3 2016/12/30 19:55:46 christos Exp $ # # Public Domain # @@ -6,11 +6,12 @@ NOMAN= PROG= npfd +#DBG=-g SRCS= npfd.c npfd_log.c CPPFLAGS+= -I${.CURDIR} -LDADD+= -lnpf -lpcap -DPADD+= ${LIBNPF} ${LIBPCAP} +LDADD+= -lnpf -lpcap -lutil +DPADD+= ${LIBNPF} ${LIBPCAP} ${LIBUTIL} WARNS= 5 NOLINT= # disabled deliberately Index: src/usr.sbin/npf/npfd/npfd.h diff -u src/usr.sbin/npf/npfd/npfd.h:1.2 src/usr.sbin/npf/npfd/npfd.h:1.3 --- src/usr.sbin/npf/npfd/npfd.h:1.2 Tue Dec 27 20:25:48 2016 +++ src/usr.sbin/npf/npfd/npfd.h Fri Dec 30 14:55:46 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd.h,v 1.2 2016/12/28 01:25:48 christos Exp $ */ +/* $NetBSD: npfd.h,v 1.3 2016/12/30 19:55:46 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. 
@@ -42,12 +42,13 @@ struct npf_log; typedef struct npfd_log npfd_log_t; -npfd_log_t * npfd_log_create(unsigned); +npfd_log_t * npfd_log_create(const char *, const char *, int); void npfd_log_destroy(npfd_log_t *); int npfd_log_getsock(npfd_log_t *); -bool npfd_log_reopen(npfd_log_t *); +bool npfd_log_reopen(npfd_log_t *, bool); void npfd_log(npfd_log_t *); void npfd_log_stats(npfd_log_t *); +void npfd_log_flush(npfd_log_t *); #endif Index: src/usr.sbin/npf/npfd/npfd.c diff -u src/usr.sbin/npf/npfd/npfd.c:1.3 src/usr.sbin/npf/npfd/npfd.c:1.4 --- src/usr.sbin/npf/npfd/npfd.c:1.3 Tue Dec 27 22:02:54 2016 +++ src/usr.sbin/npf/npfd/npfd.c Fri Dec 30 14:55:46 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd.c,v 1.3 2016/12/28 03:02:54 christos Exp $ */ +/* $NetBSD: npfd.c,v 1.4 2016/12/30 19:55:46 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,9 +30,10 @@ */ #include -__RCSID("$NetBSD: npfd.c,v 1.3 2016/12/28 03:02:54 christos Exp $"); +__RCSID("$NetBSD: npfd.c,v 1.4 2016/12/30 19:55:46 christos Exp $"); #include +#include #include #include #include @@ -42,6 +43,7 @@ __RCSID("$NetBSD: npfd.c,v 1.3 2016/12/2 #include #include #include +#include #include @@ -70,33 +72,31 @@ npfd_getctl(void) } static void -npfd_event_loop(void) +npfd_event_loop(npfd_log_t *log, int delay) { struct pollfd pfd; - npfd_log_t *log; - log = npfd_log_create(0); - if (log == NULL) - exit(EXIT_FAILURE); pfd.fd = npfd_log_getsock(log); pfd.events = POLLHUP | POLLIN; while (!done) { if (hup) { hup = false; - npfd_log_reopen(log); + npfd_log_reopen(log, false); } if (stats) { stats = false; npfd_log_stats(log); + npfd_log_flush(log); } - switch (poll(, 1, 1000)) { + switch (poll(, 1, delay)) { case -1: if (errno == EINTR) continue; syslog(LOG_ERR, "poll failed: %m"); exit(EXIT_FAILURE); case 0: + npfd_log_flush(log); continue; default: npfd_log(log); 
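Review bot: The result of `npfd_log_reopen(log, false)` is discarded in npfd_event_loop, and on the next wake-up the loop calls npfd_log(log) regardless; whether npfd_log tolerates a context whose reopen failed is not visible here, and the `die` parameter suggests the non-fatal path is meant to be handled by this caller. Either report it and leave `hup` set so the reopen is retried on the next pass, e.g. `if (!npfd_log_reopen(log, false)) { syslog(LOG_ERR, "log reopen failed"); hup = true; }`, or treat a false result as fatal. The `log == NULL` check that used to live here moved out with the call to npfd_log_create; the new call site in main is in a hunk that runs past this chunk, so confirm the check went with it.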
@@ -115,7 +115,7 @@ sighandler(int sig) break; case SIGTERM: case SIGINT: - hup = true; + done = true; break; case SIGINFO: case SIGQUIT: @@ -123,38 +123,96 @@ sighandler(int sig) break; default: syslog(LOG_ERR, "Unhandled signal %d", sig); + break; } } +static __dead void +usage(void) +{ + fprintf(stderr, "Usage: %s [-D] [-d ] [-i ]" + " [-p ] [-s ] expression\n", getprogname()); + exit(EXIT_FAILURE); +} + +static char * +copyargs(int argc, char **argv) +{ + if (argc == 0) + return NULL; + + size_t len = 0, p = 0; + char *buf = NULL; + + for (int i = 0; i < argc; i++) { + size_t l = strlen(argv[i]); + if (p + l + 1 >= len) + buf = erealloc(buf, len = p + l + 1); + memcpy(buf + p, argv[i], l); + p += l; + buf[p++] = i == argc - 1 ? '\0' : ' '; + } + return buf; +} + int main(int argc, char **argv) { bool daemon_off = false; int ch; - while ((ch = getopt(argc, argv, "d")) != -1) { + int delay = 60 * 1000; + const char *iface = "npflog0"; + int snaplen = 116; + char *pidname = NULL; + + int fd = npfd_getctl(); + (void)close(fd); + + while ((ch = getopt(argc, argv, "Dd:i:p:s:")) != -1) { switch (ch) { - case 'd': + case 'D': daemon_off = true; break; + case 'd': + delay = atoi(optarg) * 1000; + break; + case 'i': + iface =
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Thu Dec 29 20:48:50 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: npf_show.c npfctl.c Log Message: Improve 'npfctl debug' a little bit. To generate a diff of this commit: cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/npf/npfctl/npf_show.c cvs rdiff -u -r1.51 -r1.52 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_show.c diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.21 src/usr.sbin/npf/npfctl/npf_show.c:1.22 --- src/usr.sbin/npf/npfctl/npf_show.c:1.21 Tue Dec 27 20:14:35 2016 +++ src/usr.sbin/npf/npfctl/npf_show.c Thu Dec 29 20:48:50 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_show.c,v 1.21 2016/12/27 20:14:35 christos Exp $ */ +/* $NetBSD: npf_show.c,v 1.22 2016/12/29 20:48:50 rmind Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__RCSID("$NetBSD: npf_show.c,v 1.21 2016/12/27 20:14:35 christos Exp $"); +__RCSID("$NetBSD: npf_show.c,v 1.22 2016/12/29 20:48:50 rmind Exp $"); #include #define __FAVOR_BSD @@ -506,8 +506,8 @@ npfctl_config_show(int fd) loaded ? "loaded" : "empty"); print_linesep(ctx); } else { - npfctl_config_send(0, NULL); ncf = npfctl_config_ref(); + (void)npf_config_build(ncf); loaded = true; } ctx->conf = ncf; Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.51 src/usr.sbin/npf/npfctl/npfctl.c:1.52 --- src/usr.sbin/npf/npfctl/npfctl.c:1.51 Tue Dec 27 20:24:32 2016 +++ src/usr.sbin/npf/npfctl/npfctl.c Thu Dec 29 20:48:50 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.51 2016/12/27 20:24:32 wiz Exp $ */ +/* $NetBSD: npfctl.c,v 1.52 2016/12/29 20:48:50 rmind Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. 
@@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.51 2016/12/27 20:24:32 wiz Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.52 2016/12/29 20:48:50 rmind Exp $"); #include #include @@ -70,6 +70,7 @@ enum { NPFCTL_STATS, NPFCTL_SAVE, NPFCTL_LOAD, + NPFCTL_DEBUG, NPFCTL_CONN_LIST, }; @@ -83,7 +84,6 @@ static const struct operations_s { { "reload", NPFCTL_RELOAD }, { "show", NPFCTL_SHOWCONF, }, { "flush", NPFCTL_FLUSH }, - { "valid", NPFCTL_VALIDATE }, /* Table */ { "table", NPFCTL_TABLE }, /* Rule */ @@ -94,6 +94,9 @@ static const struct operations_s { { "save", NPFCTL_SAVE }, { "load", NPFCTL_LOAD }, { "list", NPFCTL_CONN_LIST }, + /* Misc. */ + { "valid", NPFCTL_VALIDATE }, + { "debug", NPFCTL_DEBUG }, /* --- */ { NULL, 0 } }; @@ -247,14 +250,12 @@ npfctl_print_addrmask(int alen, const ch switch (alen) { case 4: { struct sockaddr_in *sin = (void *) - sin->sin_len = sizeof(*sin); sin->sin_family = AF_INET; memcpy(>sin_addr, addr, sizeof(sin->sin_addr)); break; } case 16: { struct sockaddr_in6 *sin6 = (void *) - sin6->sin6_len = sizeof(*sin6); sin6->sin6_family = AF_INET6; memcpy(>sin6_addr, addr, sizeof(sin6->sin6_addr)); break; @@ -593,7 +594,7 @@ struct npf_conn_filter { }; static int -npfctl_conn_print(unsigned alen, const npf_addr_t *a, const in_port_t *p, +npfctl_conn_print(unsigned alen, const npf_addr_t *a, const in_port_t *p, const char *ifname, void *v) { struct npf_conn_filter *fil = v; 
@@ -674,21 +675,19 @@ npfctl_conn_list(int fd, int argc, char if (header) fprintf(f.fp, "%*.*s %*.*s\n", w, w, "From address:port ", w, w, "To address:port "); - + npf_conn_list(fd, npfctl_conn_print, ); return 0; } -static void -npfctl(int action, int argc, char **argv) +static int +npfctl_open_dev(const char *path) { - int fd, ver, boolval, ret = 0; - nl_config_t *ncf; - const char *fun = ""; + int fd, ver; - fd = open(NPF_DEV_PATH, O_RDONLY); + fd = open(path, O_RDONLY); if (fd == -1) { - err(EXIT_FAILURE, "cannot open '%s'", NPF_DEV_PATH); + err(EXIT_FAILURE, "cannot open '%s'", path); } if (ioctl(fd, IOC_NPF_VERSION, ) == -1) { err(EXIT_FAILURE, "ioctl(IOC_NPF_VERSION)"); @@ -698,6 +697,24 @@ npfctl(int action, int argc, char **argv "incompatible NPF interface version (%d, kernel %d)\n" "Hint: update userland?", NPF_VERSION, ver); } + return fd; +} + +static void +npfctl(int action, int argc, char **argv) +{ + int fd, boolval, ret = 0; + const char *fun = ""; + nl_config_t *ncf; + + switch (action) { + case NPFCTL_VALIDATE: + case NPFCTL_DEBUG: + fd = 0; + break; + default: + fd = npfctl_open_dev(NPF_DEV_PATH); + } switch (action) { case NPFCTL_START: @@ -725,12 +742,6 @@ npfctl(int action, int argc, char **argv ret = npf_config_flush(fd); fun = "npf_config_flush"; break; - case NPFCTL_VALIDATE: - npfctl_config_init(false); - npfctl_parse_file(argc < 3 ? NPF_CONF_PATH : argv[2]); - ret = npfctl_config_show(0); - fun = "npfctl_config_show"; - break; case
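Review bot: `fd = 0` is used in npfctl as the "no device" marker for NPFCTL_VALIDATE and NPFCTL_DEBUG, but 0 is a live descriptor (stdin), so any later `ioctl(fd, ...)` or `close(fd)` reached for those actions would operate on stdin rather than fail; a negative sentinel, `fd = -1;`, is the conventional choice, with the callee checks that currently test for zero adjusted to match. Which callees test the descriptor is not visible here (the removed VALIDATE arm passed 0 to npfctl_config_show explicitly), so the change has to be made together with them. The second switch in npfctl continues past the end of this hunk.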
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Wed Dec 28 03:02:54 UTC 2016 Modified Files: src/usr.sbin/npf/npfd: npfd.c npfd_log.c Log Message: starts running To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/npf/npfd/npfd.c \ src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/npfd.c diff -u src/usr.sbin/npf/npfd/npfd.c:1.2 src/usr.sbin/npf/npfd/npfd.c:1.3 --- src/usr.sbin/npf/npfd/npfd.c:1.2 Tue Dec 27 20:25:48 2016 +++ src/usr.sbin/npf/npfd/npfd.c Tue Dec 27 22:02:54 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd.c,v 1.2 2016/12/28 01:25:48 christos Exp $ */ +/* $NetBSD: npfd.c,v 1.3 2016/12/28 03:02:54 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfd.c,v 1.2 2016/12/28 01:25:48 christos Exp $"); +__RCSID("$NetBSD: npfd.c,v 1.3 2016/12/28 03:02:54 christos Exp $"); #include #include @@ -76,6 +76,8 @@ npfd_event_loop(void) npfd_log_t *log; log = npfd_log_create(0); + if (log == NULL) + exit(EXIT_FAILURE); pfd.fd = npfd_log_getsock(log); pfd.events = POLLHUP | POLLIN; @@ -105,7 +107,6 @@ npfd_event_loop(void) } static void -/*###114 [cc] error: 'sighandler' defined but not used [-Werror=unused-function]%%%*/ sighandler(int sig) { switch (sig) { Index: src/usr.sbin/npf/npfd/npfd_log.c diff -u src/usr.sbin/npf/npfd/npfd_log.c:1.2 src/usr.sbin/npf/npfd/npfd_log.c:1.3 --- src/usr.sbin/npf/npfd/npfd_log.c:1.2 Tue Dec 27 20:25:48 2016 +++ src/usr.sbin/npf/npfd/npfd_log.c Tue Dec 27 22:02:54 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd_log.c,v 1.2 2016/12/28 01:25:48 christos Exp $ */ +/* $NetBSD: npfd_log.c,v 1.3 2016/12/28 03:02:54 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. 
@@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfd_log.c,v 1.2 2016/12/28 01:25:48 christos Exp $"); +__RCSID("$NetBSD: npfd_log.c,v 1.3 2016/12/28 03:02:54 christos Exp $"); #include #include @@ -40,6 +40,7 @@ __RCSID("$NetBSD: npfd_log.c,v 1.2 2016/ #include #include #include +#include #include #include @@ -80,6 +81,11 @@ npfd_log_create(unsigned if_idx) pcap_set_snaplen(ctx->pcap, 10240); + if (pcap_activate(ctx->pcap) == -1) { + syslog(LOG_ERR, "pcap_activate failed: %s", + pcap_geterr(ctx->pcap)); + goto err; + } snprintf(ctx->path, sizeof(ctx->path), "%s/%s%s", NPFD_LOG_PATH, ctx->ifname, ".pcap"); @@ -100,9 +106,12 @@ npfd_log_reopen(npfd_log_t *ctx) /* * Open a log file to write for a given interface and dump there. */ - ctx->dumper = pcap_dump_open_append(ctx->pcap, ctx->path); + if (access(ctx->path, F_OK) == 0) + ctx->dumper = pcap_dump_open_append(ctx->pcap, ctx->path); + else + ctx->dumper = pcap_dump_open(ctx->pcap, ctx->path); if (ctx->dumper == NULL) { - syslog(LOG_ERR, "pcap_dump_open_append failed for `%s': %s", + syslog(LOG_ERR, "pcap_dump_open failed for `%s': %s", ctx->path, pcap_geterr(ctx->pcap)); return false; }
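Review bot: The `access(ctx->path, F_OK)` probe followed by `pcap_dump_open_append` or `pcap_dump_open` is a check-then-act pair: the file can appear, disappear or be replaced between the two calls, and `access` says nothing about whether an existing file is a usable pcap log. Deciding on an opened descriptor instead — open the path once and let the header check on that stream choose append versus fresh — removes the race; if pcap_dump_open_append already handles a missing or empty file on this libpcap, the probe can go entirely. The fresh-open arm also creates the file with the process umask, so under the default umask the capture log under NPFD_LOG_PATH is world-readable (revision 1.7 at the top of this page addresses that).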
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: christos Date: Wed Dec 28 01:25:48 UTC 2016 Modified Files: src/usr.sbin/npf/npfd: Makefile npfd.c npfd.h npfd_log.c Log Message: Add some flesh. To generate a diff of this commit: cvs rdiff -u -r1.1 -r1.2 src/usr.sbin/npf/npfd/Makefile \ src/usr.sbin/npf/npfd/npfd.c src/usr.sbin/npf/npfd/npfd.h \ src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfd/Makefile diff -u src/usr.sbin/npf/npfd/Makefile:1.1 src/usr.sbin/npf/npfd/Makefile:1.2 --- src/usr.sbin/npf/npfd/Makefile:1.1 Tue Dec 27 17:20:00 2016 +++ src/usr.sbin/npf/npfd/Makefile Tue Dec 27 20:25:48 2016 @@ -1,11 +1,12 @@ -# $NetBSD: Makefile,v 1.1 2016/12/27 22:20:00 rmind Exp $ +# $NetBSD: Makefile,v 1.2 2016/12/28 01:25:48 christos Exp $ # # Public Domain # +NOMAN= PROG= npfd -SRCS= npfd.c +SRCS= npfd.c npfd_log.c CPPFLAGS+= -I${.CURDIR} LDADD+= -lnpf -lpcap Index: src/usr.sbin/npf/npfd/npfd.c diff -u src/usr.sbin/npf/npfd/npfd.c:1.1 src/usr.sbin/npf/npfd/npfd.c:1.2 --- src/usr.sbin/npf/npfd/npfd.c:1.1 Tue Dec 27 17:20:00 2016 +++ src/usr.sbin/npf/npfd/npfd.c Tue Dec 27 20:25:48 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd.c,v 1.1 2016/12/27 22:20:00 rmind Exp $ */ +/* $NetBSD: npfd.c,v 1.2 2016/12/28 01:25:48 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -30,21 +30,29 @@ */ #include -__RCSID("$NetBSD: npfd.c,v 1.1 2016/12/27 22:20:00 rmind Exp $"); +__RCSID("$NetBSD: npfd.c,v 1.2 2016/12/28 01:25:48 christos Exp $"); #include +#include +#include #include +#include #include +#include +#include +#include #include +#include + #include "npfd.h" -static volatile sig_atomic_t hup = false; +static volatile sig_atomic_t hup, stats, done; -int +static int npfd_getctl(void) { - int fd; + int fd, ver; fd = open(NPF_DEV_PATH, O_RDONLY); if (fd == -1) { 
@@ -55,7 +63,7 @@ npfd_getctl(void) } if (ver != NPF_VERSION) { errx(EXIT_FAILURE, - "incompatible NPF interface version (%d, kernel %d)\n" + "Incompatible NPF interface version (%d, kernel %d)\n" "Hint: update userland?", NPF_VERSION, ver); } return fd; @@ -64,38 +72,57 @@ npfd_getctl(void) static void npfd_event_loop(void) { - int fds[8], fd, nfds = 0, maxfd = 0; - fd_set rfds; + struct pollfd pfd; + npfd_log_t *log; - FD_ZERO(); + log = npfd_log_create(0); + pfd.fd = npfd_log_getsock(log); + pfd.events = POLLHUP | POLLIN; - fd = npfd_log_create(0) - fds[nfds++] = fd; - FD_SET(fd, ); - - for (int i = 0; i < nfds; i++) { - maxfd = MAX(maxfd, fds[i] + 1); - } - - while (!done) { - if ((ret = select(maxfd, , NULL, NULL, NULL)) == -1) { - syslog(LOG_ERR, "select failed: %m"); - err(EXIT_FAILURE, "select"); - } + while (!done) { if (hup) { hup = false; + npfd_log_reopen(log); } - - for (fd = 0; fd < maxfd; fd++) { - // TODO + if (stats) { + stats = false; + npfd_log_stats(log); } + switch (poll(, 1, 1000)) { + case -1: + if (errno == EINTR) +continue; + syslog(LOG_ERR, "poll failed: %m"); + exit(EXIT_FAILURE); + case 0: + continue; + default: + npfd_log(log); + } + } + npfd_log_destroy(log); } static void -sighup_handler(int sig) +/*###114 [cc] error: 'sighandler' defined but not used [-Werror=unused-function]%%%*/ +sighandler(int sig) { - hup = true; + switch (sig) { + case SIGHUP: + hup = true; + break; + case SIGTERM: + case SIGINT: + hup = true; + break; + case SIGINFO: + case SIGQUIT: + stats = true; + break; + default: + syslog(LOG_ERR, "Unhandled signal %d", sig); + } } int 
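Review bot: The new sighandler calls `syslog(LOG_ERR, "Unhandled signal %d", sig)` from signal context; syslog(3) is not async-signal-safe, so a signal landing while the main loop is inside syslog can deadlock or corrupt its state. Keep the handler to flag stores (the `volatile sig_atomic_t` hup/stats/done already follow that pattern) and let the event loop report an unexpected signal number it reads from another flag. Separately, `case SIGTERM: case SIGINT: hup = true;` makes termination signals reopen the log instead of stopping the loop, which looks like it should be `done = true;`.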
@@ -110,16 +137,22 @@ main(int argc, char **argv) daemon_off = true; break; default: - errx(EXIT_FAILURE, "usage:\n\t%s [ -d ]", argv[0]); + fprintf(stderr, "Usage: %s [-d]\n", getprogname()); + exit(EXIT_FAILURE); } } + int fd = npfd_getctl(); + (void)close(fd); - openlog(argv[0], LOG_PID | LOG_NDELAY | LOG_CONS, LOG_DAEMON); if (!daemon_off && daemon(0, 0) == -1) { - syslog(LOG_ERR, "daemon failed: %m"); err(EXIT_FAILURE, "daemon"); } - signal(SIGHUP, sighup_handler); + openlog(argv[0], LOG_PID | LOG_NDELAY | LOG_CONS, LOG_DAEMON); + signal(SIGHUP, sighandler); + signal(SIGINT, sighandler); + signal(SIGTERM, sighandler); + signal(SIGINFO, sighandler); + signal(SIGQUIT, sighandler); npfd_event_loop(); closelog(); Index: src/usr.sbin/npf/npfd/npfd.h diff -u src/usr.sbin/npf/npfd/npfd.h:1.1 src/usr.sbin/npf/npfd/npfd.h:1.2 --- src/usr.sbin/npf/npfd/npfd.h:1.1 Tue Dec 27 17:20:00 2016 +++ src/usr.sbin/npf/npfd/npfd.h Tue Dec 27 20:25:48 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfd.h,v 1.1 2016/12/27 22:20:00 rmind Exp $ */ +/* $NetBSD: npfd.h,v 1.2 2016/12/28 01:25:48 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -34,6 +34,7 @@ #define PCAP_NPACKETS 1024 #define NPFD_LOG_PATH "/var/log"
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: rmind Date: Tue Dec 27 22:35:33 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: npf.conf.5 npf_bpf_comp.c npf_build.c npf_data.c npf_parse.y npf_scan.l npfctl.h Log Message: npf.conf: add support for logical NOT, e.g.: pass from ! 10.0.0.1 to any To generate a diff of this commit: cvs rdiff -u -r1.44 -r1.45 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npfctl/npf_bpf_comp.c cvs rdiff -u -r1.41 -r1.42 src/usr.sbin/npf/npfctl/npf_build.c \ src/usr.sbin/npf/npfctl/npfctl.h cvs rdiff -u -r1.26 -r1.27 src/usr.sbin/npf/npfctl/npf_data.c cvs rdiff -u -r1.38 -r1.39 src/usr.sbin/npf/npfctl/npf_parse.y cvs rdiff -u -r1.23 -r1.24 src/usr.sbin/npf/npfctl/npf_scan.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.44 src/usr.sbin/npf/npfctl/npf.conf.5:1.45 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.44 Sun Feb 1 22:57:21 2015 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Tue Dec 27 22:35:33 2016 @@ -1,4 +1,4 @@ -.\"$NetBSD: npf.conf.5,v 1.44 2015/02/01 22:57:21 rmind Exp $ +.\"$NetBSD: npf.conf.5,v 1.45 2016/12/27 22:35:33 rmind Exp $ .\" .\" Copyright (c) 2009-2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd February 1, 2015 +.Dd December 28, 2016 .Dt NPF.CONF 5 .Os .Sh NAME 
@@ -295,7 +295,8 @@ proto-opts = "flags" tcp-flags [ "/" tcp addr-mask = addr [ "/" mask ] filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] -filt-addr = [ interface | var-name | addr-mask | table-id | "any" ] +filt-addr = [ "!" ] [ interface | var-name | + addr-mask | table-id | "any" ] filt-port = "port" ( port-num | port-from "-" port-to | var-name ) .Ed .\" - Index: src/usr.sbin/npf/npfctl/npf_bpf_comp.c diff -u src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.9 src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.10 --- src/usr.sbin/npf/npfctl/npf_bpf_comp.c:1.9 Mon Dec 26 23:05:05 2016 +++ src/usr.sbin/npf/npfctl/npf_bpf_comp.c Tue Dec 27 22:35:33 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_bpf_comp.c,v 1.9 2016/12/26 23:05:05 christos Exp $ */ +/* $NetBSD: npf_bpf_comp.c,v 1.10 2016/12/27 22:35:33 rmind Exp $ */ /*- * Copyright (c) 2010-2014 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_bpf_comp.c,v 1.9 2016/12/26 23:05:05 christos Exp $"); +__RCSID("$NetBSD: npf_bpf_comp.c,v 1.10 2016/12/27 22:35:33 rmind Exp $"); #include #include @@ -244,18 +244,29 @@ npfctl_bpf_group(npf_bpf_t *ctx) } void -npfctl_bpf_endgroup(npf_bpf_t *ctx) +npfctl_bpf_endgroup(npf_bpf_t *ctx, bool invert) { struct bpf_program *bp = >prog; const size_t curoff = bp->bf_len; /* If there are no blocks or only one - nothing to do. */ - if ((ctx->nblocks - ctx->gblock) <= 1) { + if (!invert && (ctx->nblocks - ctx->gblock) <= 1) { ctx->goff = ctx->gblock = 0; return; } /* + * If inverting, then prepend a jump over the statement below. + * If matching, jump will jump below and the fail will happen. + */ + if (invert) { + struct bpf_insn insns_ret[] = { + BPF_STMT(BPF_JMP+BPF_JA, 1), + }; + add_insns(ctx, insns_ret, __arraycount(insns_ret)); + } + + /* * Append a failure return as a fall-through i.e. if there is * no match within the group. */ 
@@ -309,7 +320,7 @@ fetch_l3(npf_bpf_t *ctx, sa_family_t af, */ if (ingroup) { assert(ctx->nblocks == ctx->gblock); - npfctl_bpf_endgroup(ctx); + npfctl_bpf_endgroup(ctx, false); } /* Index: src/usr.sbin/npf/npfctl/npf_build.c diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.41 src/usr.sbin/npf/npfctl/npf_build.c:1.42 --- src/usr.sbin/npf/npfctl/npf_build.c:1.41 Mon Dec 26 23:05:05 2016 +++ src/usr.sbin/npf/npfctl/npf_build.c Tue Dec 27 22:35:33 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.41 2016/12/26 23:05:05 christos Exp $ */ +/* $NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $ */ /*- * Copyright (c) 2011-2014 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.41 2016/12/26 23:05:05 christos Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.42 2016/12/27 22:35:33 rmind Exp $"); #include #include @@ -268,7 +268,7 @@ npfctl_build_vars(npf_bpf_t *ctx, sa_fam assert(false); } } - npfctl_bpf_endgroup(ctx); + npfctl_bpf_endgroup(ctx, (opts & MATCH_INVERT) != 0); } static void @@ -321,6 +321,7 @@ npfctl_build_code(nl_rule_t *rl, sa_fami const addr_port_t *apto = >fo_to; const int proto = op->op_proto; npf_bpf_t *bc; + unsigned opts; size_t len; /* If none specified, then no byte-code. */ @@ -365,8 +366,10 @@ npfctl_build_code(nl_rule_t *rl, sa_fami } /* Build IP address blocks. */
CVS commit: src/usr.sbin/npf/npfd
Module Name:src Committed By: rmind Date: Tue Dec 27 22:20:00 UTC 2016 Added Files: src/usr.sbin/npf/npfd: Makefile npfd.c npfd.h npfd_log.c Log Message: Add some very preliminary npfd(8) code. To generate a diff of this commit: cvs rdiff -u -r0 -r1.1 src/usr.sbin/npf/npfd/Makefile \ src/usr.sbin/npf/npfd/npfd.c src/usr.sbin/npf/npfd/npfd.h \ src/usr.sbin/npf/npfd/npfd_log.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Added files: Index: src/usr.sbin/npf/npfd/Makefile diff -u /dev/null src/usr.sbin/npf/npfd/Makefile:1.1 --- /dev/null Tue Dec 27 22:20:00 2016 +++ src/usr.sbin/npf/npfd/Makefile Tue Dec 27 22:20:00 2016 @@ -0,0 +1,17 @@ +# $NetBSD: Makefile,v 1.1 2016/12/27 22:20:00 rmind Exp $ +# +# Public Domain +# + +PROG= npfd + +SRCS= npfd.c +CPPFLAGS+= -I${.CURDIR} + +LDADD+= -lnpf -lpcap +DPADD+= ${LIBNPF} ${LIBPCAP} + +WARNS= 5 +NOLINT= # disabled deliberately + +.include Index: src/usr.sbin/npf/npfd/npfd.c diff -u /dev/null src/usr.sbin/npf/npfd/npfd.c:1.1 --- /dev/null Tue Dec 27 22:20:00 2016 +++ src/usr.sbin/npf/npfd/npfd.c Tue Dec 27 22:20:00 2016 
@@ -0,0 +1,127 @@ +/* $NetBSD: npfd.c,v 1.1 2016/12/27 22:20:00 rmind Exp $ */ + +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Mindaugas Rasiukevicius. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + *notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + *notice, this list of conditions and the following disclaimer in the + *documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include +__RCSID("$NetBSD: npfd.c,v 1.1 2016/12/27 22:20:00 rmind Exp $"); + +#include +#include +#include +#include + +#include "npfd.h" + +static volatile sig_atomic_t hup = false; + +int +npfd_getctl(void) +{ + int fd; + + fd = open(NPF_DEV_PATH, O_RDONLY); + if (fd == -1) { + err(EXIT_FAILURE, "cannot open '%s'", NPF_DEV_PATH); + } + if (ioctl(fd, IOC_NPF_VERSION, ) == -1) { + err(EXIT_FAILURE, "ioctl(IOC_NPF_VERSION)"); + } + if (ver != NPF_VERSION) { + errx(EXIT_FAILURE, + "incompatible NPF interface version (%d, kernel %d)\n" + "Hint: update userland?", NPF_VERSION, ver); + } + return fd; +} + +static void +npfd_event_loop(void) +{ + int fds[8], fd, nfds = 0, maxfd = 0; + fd_set rfds; + + FD_ZERO(); + + fd = npfd_log_create(0) + fds[nfds++] = fd; + FD_SET(fd, ); + + for (int i = 0; i < nfds; i++) { + maxfd = MAX(maxfd, fds[i] + 1); + } + + while (!done) { + if ((ret = select(maxfd, , NULL, NULL, NULL)) == -1) { + syslog(LOG_ERR, "select failed: %m"); + err(EXIT_FAILURE, "select"); + } + if (hup) { + hup = false; + } + + for (fd = 0; fd < maxfd; fd++) { + // TODO + } + } +} + +static void +sighup_handler(int sig) +{ + hup = true; +} + +int +main(int argc, char **argv) +{ + bool daemon_off = false; + int ch; + + while ((ch = getopt(argc, argv, "d")) != -1) { + switch (ch) { + case 'd': + daemon_off = true; + break; + default: + errx(EXIT_FAILURE, "usage:\n\t%s [ -d ]", argv[0]); + } + } + + openlog(argv[0], LOG_PID | LOG_NDELAY | LOG_CONS, LOG_DAEMON); + if (!daemon_off && daemon(0, 0) == -1) { + syslog(LOG_ERR, "daemon failed: %m"); + err(EXIT_FAILURE, "daemon"); + } + signal(SIGHUP, sighup_handler); + npfd_event_loop(); + closelog(); + + return 0; +} Index: src/usr.sbin/npf/npfd/npfd.h diff -u /dev/null src/usr.sbin/npf/npfd/npfd.h:1.1 --- /dev/null Tue Dec 27 22:20:00 2016 +++ src/usr.sbin/npf/npfd/npfd.h Tue Dec 27 22:20:00 2016 
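Review bot: In npfd_event_loop a SIGHUP delivered while the daemon is blocked in select() — the only signal main() installs a handler for — lands in the `== -1` branch and the daemon exits with "select failed: Interrupted system call", because select(2) fails with EINTR when a signal arrives and the code treats every failure as fatal; only errno values other than EINTR should reach err(), and EINTR should fall through to the `if (hup)` check rather than `continue`, which would block again before the flag is read. The loop also never re-arms `rfds`: select() rewrites the set with the ready descriptors, so after the first wakeup anything not ready at that moment is silently dropped from the watch set, and the set is unspecified after a failed call. Both are addressed below; separately, `done` and `ret` are used but not declared anywhere in the file as added and `fd = npfd_log_create(0)` lacks its semicolon, so the unit does not compile as committed (the log message does say preliminary). A bounds check on `fds[8]` before `fds[nfds++]` and on `fd < FD_SETSIZE` before FD_SET would round this out once more descriptors are added.
```c
	while (!done) {
		/*
		 * select() overwrites the set with the ready descriptors,
		 * so it has to be rebuilt before every call.
		 */
		FD_ZERO(&rfds);
		for (int i = 0; i < nfds; i++) {
			FD_SET(fds[i], &rfds);
		}
		if (select(maxfd, &rfds, NULL, NULL, NULL) == -1) {
			if (errno != EINTR) {
				syslog(LOG_ERR, "select failed: %m");
				err(EXIT_FAILURE, "select");
			}
			/* Interrupted by a signal (SIGHUP); go check the flag. */
			FD_ZERO(&rfds);
		}
		/* … unchanged: hup handling and the per-fd TODO loop … */
	}
```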
@@ -0,0 +1,49 @@ +/* $NetBSD: npfd.h,v 1.1 2016/12/27 22:20:00 rmind Exp $ */ + +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Mindaugas Rasiukevicius. + * + *
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Tue Dec 27 20:55:11 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: npfctl.8 Log Message: Document list To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 src/usr.sbin/npf/npfctl/npfctl.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npfctl.8 diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.18 src/usr.sbin/npf/npfctl/npfctl.8:1.19 --- src/usr.sbin/npf/npfctl/npfctl.8:1.18 Tue May 24 01:46:57 2016 +++ src/usr.sbin/npf/npfctl/npfctl.8 Tue Dec 27 15:55:11 2016 @@ -1,4 +1,4 @@ -.\" $NetBSD: npfctl.8,v 1.18 2016/05/24 05:46:57 wiz Exp $ +.\" $NetBSD: npfctl.8,v 1.19 2016/12/27 20:55:11 christos Exp $ .\" .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 2, 2014 +.Dd December 27, 2016 .Dt NPFCTL 8 .Os .Sh NAME @@ -153,6 +153,24 @@ Print various statistics. Process the configuration file, print the byte-code of each rule and dump the raw configuration. This is primarily for developer use. +.It Ic list Oo Fl 46hNnw Oc Op Fl i Ar ifname +Display a list of tracked connections: +.Bl -tag -width x -compact -offset 3n +.It Fl 4 +Display only IPv4 connections. +.It Fl 6 +Display only IPv6 connections. +.It Fl h +Don't display a header. +.It Fl N +Try to resolve addresses. +.It Fl n +Only show NAT connections. +.It Fl w +Don't restrict display width. +.It Fl i Ar ifname +Display only connections through the named interface. +.El .El .Sh PERFORMANCE Reloading the configuration is a relatively expensive operation.
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: wiz Date: Tue Dec 27 20:24:32 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: npfctl.c Log Message: Sort options in usage. To generate a diff of this commit: cvs rdiff -u -r1.50 -r1.51 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.50 src/usr.sbin/npf/npfctl/npfctl.c:1.51 --- src/usr.sbin/npf/npfctl/npfctl.c:1.50 Tue Dec 27 20:14:35 2016 +++ src/usr.sbin/npf/npfctl/npfctl.c Tue Dec 27 20:24:32 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.50 2016/12/27 20:14:35 christos Exp $ */ +/* $NetBSD: npfctl.c,v 1.51 2016/12/27 20:24:32 wiz Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.50 2016/12/27 20:14:35 christos Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.51 2016/12/27 20:24:32 wiz Exp $"); #include #include @@ -150,7 +150,7 @@ usage(void) "\t%s save | load\n", progname); fprintf(stderr, - "\t%s list [-46hnNw] [-i ]\n", + "\t%s list [-46hNnw] [-i ]\n", progname); exit(EXIT_FAILURE); }
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Tue Dec 27 20:14:35 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: npf_show.c npfctl.c npfctl.h Log Message: Add a list command to iterate over connection and nat endpoints. To generate a diff of this commit: cvs rdiff -u -r1.20 -r1.21 src/usr.sbin/npf/npfctl/npf_show.c cvs rdiff -u -r1.49 -r1.50 src/usr.sbin/npf/npfctl/npfctl.c cvs rdiff -u -r1.40 -r1.41 src/usr.sbin/npf/npfctl/npfctl.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_show.c diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.20 src/usr.sbin/npf/npfctl/npf_show.c:1.21 --- src/usr.sbin/npf/npfctl/npf_show.c:1.20 Mon Dec 26 18:05:05 2016 +++ src/usr.sbin/npf/npfctl/npf_show.c Tue Dec 27 15:14:35 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_show.c,v 1.20 2016/12/26 23:05:05 christos Exp $ */ +/* $NetBSD: npf_show.c,v 1.21 2016/12/27 20:14:35 christos Exp $ */ /*- * Copyright (c) 2013 The NetBSD Foundation, Inc. @@ -36,7 +36,7 @@ */ #include -__RCSID("$NetBSD: npf_show.c,v 1.20 2016/12/26 23:05:05 christos Exp $"); +__RCSID("$NetBSD: npf_show.c,v 1.21 2016/12/27 20:14:35 christos Exp $"); #include #define __FAVOR_BSD @@ -153,7 +153,7 @@ print_address(npf_conf_info_t *ctx, cons errx(EXIT_FAILURE, "invalid byte-code mark (address)"); } addr = (const npf_addr_t *)words; - return npfctl_print_addrmask(alen, addr, mask); + return npfctl_print_addrmask(alen, "%a", addr, mask); } static char * 
@@ -437,7 +437,7 @@ npfctl_print_nat(npf_conf_info_t *ctx, n /* Get the translation address (and port, if used). */ npf_nat_getmap(nt, , , ); - seg = npfctl_print_addrmask(alen, , NPF_NO_NETMASK); + seg = npfctl_print_addrmask(alen, "%a", , NPF_NO_NETMASK); if (port) { char *p; easprintf(, "%s port %u", seg, ntohs(port)); Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.49 src/usr.sbin/npf/npfctl/npfctl.c:1.50 --- src/usr.sbin/npf/npfctl/npfctl.c:1.49 Tue Dec 27 08:43:38 2016 +++ src/usr.sbin/npf/npfctl/npfctl.c Tue Dec 27 15:14:35 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.49 2016/12/27 13:43:38 christos Exp $ */ +/* $NetBSD: npfctl.c,v 1.50 2016/12/27 20:14:35 christos Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.49 2016/12/27 13:43:38 christos Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.50 2016/12/27 20:14:35 christos Exp $"); #include #include @@ -70,6 +70,7 @@ enum { NPFCTL_STATS, NPFCTL_SAVE, NPFCTL_LOAD, + NPFCTL_CONN_LIST, }; static const struct operations_s { @@ -92,6 +93,7 @@ static const struct operations_s { /* Full state save/load */ { "save", NPFCTL_SAVE }, { "load", NPFCTL_LOAD }, + { "list", NPFCTL_CONN_LIST }, /* --- */ { NULL, 0 } }; @@ -147,6 +149,9 @@ usage(void) fprintf(stderr, "\t%s save | load\n", progname); + fprintf(stderr, + "\t%s list [-46hnNw] [-i ]\n", + progname); exit(EXIT_FAILURE); } @@ -230,9 +235,10 @@ npfctl_print_error(const npf_error_t *ne } char * -npfctl_print_addrmask(int alen, const npf_addr_t *addr, npf_netmask_t mask) +npfctl_print_addrmask(int alen, const char *fmt, const npf_addr_t *addr, +npf_netmask_t mask) { - const unsigned buflen = 64; + const unsigned buflen = 256; char *buf = ecalloc(1, buflen); struct sockaddr_storage ss; 
@@ -241,12 +247,14 @@ npfctl_print_addrmask(int alen, const np switch (alen) { case 4: { struct sockaddr_in *sin = (void *) + sin->sin_len = sizeof(*sin); sin->sin_family = AF_INET; memcpy(>sin_addr, addr, sizeof(sin->sin_addr)); break; } case 16: { struct sockaddr_in6 *sin6 = (void *) + sin6->sin6_len = sizeof(*sin6); sin6->sin6_family = AF_INET6; memcpy(>sin6_addr, addr, sizeof(sin6->sin6_addr)); break; @@ -254,7 +262,7 @@ npfctl_print_addrmask(int alen, const np default: assert(false); } - inet_ntop(ss.ss_family, (const void *), buf, buflen); + sockaddr_snprintf(buf, buflen, fmt, (const void *)); if (mask && mask != NPF_NO_NETMASK) { const unsigned len = strlen(buf); snprintf([len], buflen - len, "/%u", mask); @@ -359,7 +367,7 @@ again: while (nct.nct_data.buf.len--) { if (!ent->alen) break; - buf = npfctl_print_addrmask(ent->alen, + buf = npfctl_print_addrmask(ent->alen, "%a", >addr, ent->mask); puts(buf); ent++; @@ -574,6 +582,103 @@ npfctl_load(int fd) return error; } +struct npf_conn_filter { + uint16_t alen; + const char *ifname; + bool nat; + bool wide; + bool name; + int width; + FILE *fp; +}; + +static int +npfctl_conn_print(unsigned alen, const npf_addr_t *a, const in_port_t *p, +const char *ifname, void *v) +{ + struct npf_conn_filter *fil = v; + FILE *fp = fil->fp; + char *src, *dst; + + if (fil->ifname && strcmp(ifname, fil->ifname) != 0) + return 0; + if (fil->alen
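Review bot: npfctl_print_addrmask now forwards its new `fmt` argument straight into sockaddr_snprintf(), so the rendered text is controlled by whatever string a caller passes; every call site visible here hands it the literal "%a", but nothing on the definition records that `fmt` has to be a trusted, compile-time sockaddr_snprintf(3) format and never text derived from a rule, a table entry or the command line. I would put that contract on the function, e.g. `/* fmt is a sockaddr_snprintf(3) format; callers must pass a literal, never user- or config-derived text. */`. The return value is also ignored: sockaddr_snprintf() returns -1 on failure (and, as far as I recall, the length it needed otherwise), after which the `strlen(buf)` plus "/%u" append on the following lines quietly operates on an empty or truncated buffer; checking for `< 0` or `>= buflen` and calling errx() the way print_address does for a bad byte-code mark would keep a malformed address from being printed as if it were valid. The hunk that changes the signature begins on the previous physical line.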
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Tue Dec 27 13:43:38 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: npfctl.c Log Message: We don't use openssl for NPF in NetBSD, so don't include the header, and provide a compatibility define. To generate a diff of this commit: cvs rdiff -u -r1.48 -r1.49 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.48 src/usr.sbin/npf/npfctl/npfctl.c:1.49 --- src/usr.sbin/npf/npfctl/npfctl.c:1.48 Mon Dec 26 18:05:05 2016 +++ src/usr.sbin/npf/npfctl/npfctl.c Tue Dec 27 08:43:38 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.48 2016/12/26 23:05:05 christos Exp $ */ +/* $NetBSD: npfctl.c,v 1.49 2016/12/27 13:43:38 christos Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.48 2016/12/26 23:05:05 christos Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.49 2016/12/27 13:43:38 christos Exp $"); #include #include @@ -39,6 +39,9 @@ __RCSID("$NetBSD: npfctl.c,v 1.48 2016/1 #include #include #include +#define SHA_DIGEST_LENGTH SHA1_DIGEST_LENGTH +#else +#include #endif #include @@ -50,7 +53,6 @@ __RCSID("$NetBSD: npfctl.c,v 1.48 2016/1 #include #include -#include #include "npfctl.h" @@ -389,8 +391,8 @@ npfctl_parse_rule(int argc, char **argv) } #ifdef __NetBSD__ -unsigned char * -SHA1(const unsigned char *d, unsigned long l, unsigned char *md) +static unsigned char * +SHA1(const unsigned char *d, size_t l, unsigned char *md) { SHA1_CTX c;
CVS commit: src/usr.sbin/npf/npftest
Module Name:src Committed By: kre Date: Mon Aug 8 16:31:53 UTC 2016 Modified Files: src/usr.sbin/npf/npftest: Makefile Log Message: Yet another -lrumpdev To generate a diff of this commit: cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npftest/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npftest/Makefile diff -u src/usr.sbin/npf/npftest/Makefile:1.9 src/usr.sbin/npf/npftest/Makefile:1.10 --- src/usr.sbin/npf/npftest/Makefile:1.9 Sun May 29 02:28:07 2016 +++ src/usr.sbin/npf/npftest/Makefile Mon Aug 8 16:31:53 2016 @@ -19,6 +19,7 @@ LDADD+= -L${LIBNPFTEST} -lnpftest LDADD+= -lrump -lrumpvfs -lrumpuser -lrumpnet -lrumpnet_net LDADD+= -lrumpdev_bpf +LDADD+= -lrumpdev .include
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Wed Jun 29 21:40:20 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: npfctl.c Log Message: use sha1 from libc To generate a diff of this commit: cvs rdiff -u -r1.46 -r1.47 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.46 src/usr.sbin/npf/npfctl/npfctl.c:1.47 --- src/usr.sbin/npf/npfctl/npfctl.c:1.46 Sun Jan 4 15:02:15 2015 +++ src/usr.sbin/npf/npfctl/npfctl.c Wed Jun 29 17:40:20 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.46 2015/01/04 20:02:15 christos Exp $ */ +/* $NetBSD: npfctl.c,v 1.47 2016/06/29 21:40:20 christos Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.46 2015/01/04 20:02:15 christos Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.47 2016/06/29 21:40:20 christos Exp $"); #include #include @@ -44,8 +44,7 @@ __RCSID("$NetBSD: npfctl.c,v 1.46 2015/0 #include #include #include - -#include +#include #include "npfctl.h" @@ -386,6 +385,17 @@ npfctl_parse_rule(int argc, char **argv) } static void +SHA1(const uint8_t *d, unsigned int n, uint8_t *md) +{ +SHA1_CTX c; + +SHA1Init(); +SHA1Update(, d, n); +SHA1Final(md, ); +memset(, 0, sizeof(c)); +} + +static void npfctl_generate_key(nl_rule_t *rl, void *key) { void *meta; @@ -394,9 +404,9 @@ npfctl_generate_key(nl_rule_t *rl, void if ((meta = npf_rule_export(rl, )) == NULL) { errx(EXIT_FAILURE, "error generating rule key"); } - __CTASSERT(NPF_RULE_MAXKEYLEN >= SHA_DIGEST_LENGTH); + __CTASSERT(NPF_RULE_MAXKEYLEN >= SHA1_DIGEST_LENGTH); memset(key, 0, NPF_RULE_MAXKEYLEN); - SHA1(meta, len, key); + SHA1(meta, (unsigned int)len, key); free(meta); }
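Review bot: The `memset(&c, 0, sizeof(c));` closing the new SHA1() wrapper is a store to a local that is dead on return, which is exactly the pattern a compiler is entitled to drop, so it does not reliably scrub the context; if scrubbing is the intent, use `explicit_memset(&c, 0, sizeof(c));`, which libc provides for this case. Given that the input is exported rule metadata used to derive a rule key rather than a secret, it may be cleaner to remove the memset than to keep one that only appears to clear state. Note also that the call site in npfctl_generate_key casts a size_t `len` to `unsigned int` to fit SHA1Update(); rule exports will not approach that limit, but the truncation is silent.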
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Wed Jun 29 21:40:10 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: Makefile Log Message: remove libcrypto dependency, fix other dependencies. To generate a diff of this commit: cvs rdiff -u -r1.11 -r1.12 src/usr.sbin/npf/npfctl/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/Makefile diff -u src/usr.sbin/npf/npfctl/Makefile:1.11 src/usr.sbin/npf/npfctl/Makefile:1.12 --- src/usr.sbin/npf/npfctl/Makefile:1.11 Wed Sep 18 21:04:45 2013 +++ src/usr.sbin/npf/npfctl/Makefile Wed Jun 29 17:40:10 2016 @@ -1,4 +1,6 @@ -# $NetBSD: Makefile,v 1.11 2013/09/19 01:04:45 rmind Exp $ +# $NetBSD: Makefile,v 1.12 2016/06/29 21:40:10 christos Exp $ + +.include PROG= npfctl MAN= npfctl.8 npf.conf.5 @@ -11,8 +13,8 @@ CPPFLAGS+= -I${.CURDIR} SRCS+= npf_scan.l npf_parse.y YHEADER= 1 -LDADD+= -lnpf -lprop -lcrypto -lpcap -lutil -ly -DPADD+= ${LIBNPF} ${LIBPROP} ${LIBUTIL} +LDADD+= -lnpf -lprop -lpcap -lutil -ly +DPADD+= ${LIBNPF} ${LIBPROP} ${LIBUTIL} ${LIBPCAP} ${LIBUTIL} ${LIBY} WARNS= 5 NOLINT= # disabled deliberately
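Review bot: `${LIBUTIL}` is listed twice in the new DPADD line, and its order no longer mirrors LDADD's `-lnpf -lprop -lpcap -lutil -ly`; `DPADD+= ${LIBNPF} ${LIBPROP} ${LIBPCAP} ${LIBUTIL} ${LIBY}` says the same thing once. Dropping -lcrypto here is consistent with the libc SHA1 change in npfctl.c made in the companion commit, so the dependency list is otherwise right.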
CVS commit: src/usr.sbin/npf/npftest
Module Name:src Committed By: christos Date: Sun May 29 02:28:07 UTC 2016 Modified Files: src/usr.sbin/npf/npftest: Makefile Log Message: npftest needs to disable mprotect because it uses bpfjit To generate a diff of this commit: cvs rdiff -u -r1.8 -r1.9 src/usr.sbin/npf/npftest/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npftest/Makefile diff -u src/usr.sbin/npf/npftest/Makefile:1.8 src/usr.sbin/npf/npftest/Makefile:1.9 --- src/usr.sbin/npf/npftest/Makefile:1.8 Sun Apr 24 22:01:32 2016 +++ src/usr.sbin/npf/npftest/Makefile Sat May 28 22:28:07 2016 @@ -5,6 +5,7 @@ PROG= npftest NOMAN= # no man page +PAXCTL_FLAGS.npftest += +m WARNS= 5 NOLINT= # disabled (note: deliberately)
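Review bot: `PAXCTL_FLAGS.npftest += +m` switches off PaX MPROTECT for the test binary, a W^X relaxation whose justification lives only in the commit message; the Makefile should carry it so the next reader neither removes the flag nor copies it elsewhere without cause, e.g. `# +m: npftest exercises bpfjit, which writes code and then executes it; PaX MPROTECT would kill it.` Scoping it to the npftest program rather than the whole directory is the right call and worth keeping.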
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: wiz Date: Tue May 24 05:46:57 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: npfctl.8 Log Message: Fix typo. From Michael Scherer in PR 51162. To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/usr.sbin/npf/npfctl/npfctl.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npfctl.8 diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.17 src/usr.sbin/npf/npfctl/npfctl.8:1.18 --- src/usr.sbin/npf/npfctl/npfctl.8:1.17 Sun Aug 3 00:02:56 2014 +++ src/usr.sbin/npf/npfctl/npfctl.8 Tue May 24 05:46:57 2016 @@ -1,4 +1,4 @@ -.\" $NetBSD: npfctl.8,v 1.17 2014/08/03 00:02:56 rmind Exp $ +.\" $NetBSD: npfctl.8,v 1.18 2016/05/24 05:46:57 wiz Exp $ .\" .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -138,7 +138,7 @@ List all entries in the currently loaded This operation is expensive and should be used with caution. .\" --- .It Ic save -Save the active configuration and a spanshot of the current connections. +Save the active configuration and a snapshot of the current connections. The data will be stored in the .Pa /var/db/npf.db file.
CVS commit: src/usr.sbin/npf/npftest
Module Name:src Committed By: knakahara Date: Mon Apr 25 02:01:32 UTC 2016 Modified Files: src/usr.sbin/npf/npftest: Makefile Log Message: fix ATF net/npf/t_npf failure To generate a diff of this commit: cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/npf/npftest/Makefile Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npftest/Makefile diff -u src/usr.sbin/npf/npftest/Makefile:1.7 src/usr.sbin/npf/npftest/Makefile:1.8 --- src/usr.sbin/npf/npftest/Makefile:1.7 Sat Nov 16 17:12:35 2013 +++ src/usr.sbin/npf/npftest/Makefile Mon Apr 25 02:01:32 2016 @@ -16,7 +16,7 @@ LIBNPFTEST!= cd ${.CURDIR}/libnpftest && DPADD+= ${LIBNPFTEST}/libnpftest.a LDADD+= -L${LIBNPFTEST} -lnpftest -LDADD+= -lrump -lrumpvfs -lrumpnet -lrumpnet_net +LDADD+= -lrump -lrumpvfs -lrumpuser -lrumpnet -lrumpnet_net LDADD+= -lrumpdev_bpf .include
CVS commit: src/usr.sbin/npf/npftest
Module Name:src Committed By: pooka Date: Mon Jan 25 12:24:41 UTC 2016 Modified Files: src/usr.sbin/npf/npftest: npftest.c Log Message: include proplib.h if you're going to useuseitit To generate a diff of this commit: cvs rdiff -u -r1.18 -r1.19 src/usr.sbin/npf/npftest/npftest.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npftest/npftest.c diff -u src/usr.sbin/npf/npftest/npftest.c:1.18 src/usr.sbin/npf/npftest/npftest.c:1.19 --- src/usr.sbin/npf/npftest/npftest.c:1.18 Tue Jun 16 23:04:14 2015 +++ src/usr.sbin/npf/npftest/npftest.c Mon Jan 25 12:24:41 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npftest.c,v 1.18 2015/06/16 23:04:14 christos Exp $ */ +/* $NetBSD: npftest.c,v 1.19 2016/01/25 12:24:41 pooka Exp $ */ /* * NPF testing framework. @@ -20,6 +20,8 @@ #include #include +#include + #include #include
CVS commit: src/usr.sbin/npf/npfctl
Module Name:src Committed By: christos Date: Fri Jan 22 22:03:54 UTC 2016 Modified Files: src/usr.sbin/npf/npfctl: npf_scan.l Log Message: handle v4 mapped addresses To generate a diff of this commit: cvs rdiff -u -r1.22 -r1.23 src/usr.sbin/npf/npfctl/npf_scan.l Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/usr.sbin/npf/npfctl/npf_scan.l diff -u src/usr.sbin/npf/npfctl/npf_scan.l:1.22 src/usr.sbin/npf/npfctl/npf_scan.l:1.23 --- src/usr.sbin/npf/npfctl/npf_scan.l:1.22 Fri Dec 26 17:44:54 2014 +++ src/usr.sbin/npf/npfctl/npf_scan.l Fri Jan 22 17:03:54 2016 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_scan.l,v 1.22 2014/12/26 22:44:54 christos Exp $ */ +/* $NetBSD: npf_scan.l,v 1.23 2016/01/22 22:03:54 christos Exp $ */ /*- * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. @@ -175,7 +175,7 @@ any return ANY; return IPV6ADDR; } -"::"{HEXDIG}[0-9a-fA-F:]* { +"::"{HEXDIG}[0-9a-fA-F:.]* { yylval.str = estrndup(yytext, yyleng); return IPV6ADDR; }
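Review bot: Widening the `::`-prefixed IPv6 token to `[0-9a-fA-F:.]*` admits many strings that are not addresses (`::1.2`, `::a.b.c:d`, a trailing `.`), so correctness now rests entirely on what the parser does with the IPV6ADDR text — presumably an inet_pton()-style conversion; if that path warns or falls back instead of failing, a typo in npf.conf becomes a rule matching something other than intended, so please confirm it errors out. Only the `::`-prefixed rule is changed here; whether forms that do not start with `::` (e.g. `64:ff9b::198.51.100.1`) are accepted depends on the unchanged IPV6ADDR rule ending just above this hunk, which I cannot see from here. A short comment on the rule would help, e.g. `/* also matches IPv4-mapped/compatible forms such as ::ffff:192.0.2.1; validated later */`.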