Module Name:    src
Committed By:   maxv
Date:           Fri Aug 31 10:52:30 UTC 2018

Modified Files:
        src/usr.sbin/npf/npfctl: npf.conf.5

Log Message:
Clarify the "Groups" section.

To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 src/usr.sbin/npf/npfctl/npf.conf.5

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files: Index: src/usr.sbin/npf/npfctl/npf.conf.5 diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.66 src/usr.sbin/npf/npfctl/npf.conf.5:1.67 --- src/usr.sbin/npf/npfctl/npf.conf.5:1.66 Mon Aug 27 13:20:47 2018 +++ src/usr.sbin/npf/npfctl/npf.conf.5 Fri Aug 31 10:52:30 2018 @@ -1,4 +1,4 @@ -.\" $NetBSD: npf.conf.5,v 1.66 2018/08/27 13:20:47 wiz Exp $ +.\" $NetBSD: npf.conf.5,v 1.67 2018/08/31 10:52:30 maxv Exp $ .\" .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd August 27, 2018 +.Dd August 31, 2018 .Dt NPF.CONF 5 .Os .Sh NAME @@ -132,17 +132,25 @@ The .Cd family keyword can be used in combination of a filtering rule to be explicit. .Ss Groups +NPF requires that all rules be defined within groups. +Groups can be thought of as higher level rules which can contain subrules. Groups may have the following options: name, interface, and direction. -They are defined in the following form: +Packets matching group criteria are passed to the ruleset of that group. +If a packet does not match any group, it is passed to the +.Cd default group . +The +.Cd default group +must always be defined. +.Pp +Example of configuration: .Bd -literal group "my-name" in on wm0 { - # List of rules + # List of rules, for packets received on wm0 +} +group default { + # List of rules, for the other packets } .Ed -A minimal -.Nm -must contain a mandatory -.Cd default group . .Ss Rules With a rule statement NPF is instructed to .Cd pass
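
Review bot: In the ".Ss Groups" hunk, the added sentence "Packets matching group criteria are passed to the ruleset of that group." leaves two cases undocumented: what happens to a packet that matches a group's criteria but none of the rules inside that group (does it continue to the default group or not), and which group is chosen when a packet matches the criteria of more than one group. For a packet filter's man page these are the cases an administrator needs spelled out to avoid an unintended pass or block, so a sentence covering each, placed right after the "must always be defined." paragraph, would complete the section. Two wording points in the same hunk: "higher level rules" should be hyphenated as "higher-level rules", and "Example of configuration:" reads more naturally as "Example configuration:".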