Module Name: src Committed By: rmind Date: Tue Aug 24 23:55:05 UTC 2010
Modified Files: src/distrib/sets/lists/man: mi src/share/man/man9: npf_ncode.9 src/usr.sbin/npf/npfctl: Makefile npfctl.8 Added Files: src/usr.sbin/npf/npfctl: npf.conf.5 Removed Files: src/usr.sbin/npf/npfctl: npf.conf.8 Log Message: Move npf.conf(5-8) into the correct section, hence npf.conf(5). To generate a diff of this commit: cvs rdiff -u -r1.1234 -r1.1235 src/distrib/sets/lists/man/mi cvs rdiff -u -r1.2 -r1.3 src/share/man/man9/npf_ncode.9 cvs rdiff -u -r1.1 -r1.2 src/usr.sbin/npf/npfctl/Makefile \ src/usr.sbin/npf/npfctl/npfctl.8 cvs rdiff -u -r0 -r1.1 src/usr.sbin/npf/npfctl/npf.conf.5 cvs rdiff -u -r1.1 -r0 src/usr.sbin/npf/npfctl/npf.conf.8 Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/distrib/sets/lists/man/mi
diff -u src/distrib/sets/lists/man/mi:1.1234 src/distrib/sets/lists/man/mi:1.1235
--- src/distrib/sets/lists/man/mi:1.1234 Sun Aug 22 18:56:20 2010
+++ src/distrib/sets/lists/man/mi Tue Aug 24 23:55:04 2010
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.1234 2010/08/22 18:56:20 rmind Exp $
+# $NetBSD: mi,v 1.1235 2010/08/24 23:55:04 rmind Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -1863,6 +1863,7 @@
 ./usr/share/man/cat5/nicknames.0 man-nis-catman yp,.cat
 ./usr/share/man/cat5/nisplus_table.0 man-postfix-catman postfix,.cat
 ./usr/share/man/cat5/nologin.0 man-sysutil-catman .cat
+./usr/share/man/cat5/npf.conf.0 man-npf-catman .cat
 ./usr/share/man/cat5/nsswitch.conf.0 man-net-catman .cat
 ./usr/share/man/cat5/openssl.cnf.0 man-crypto-catman crypto,.cat
 ./usr/share/man/cat5/pam.conf.0 man-sys-catman .cat
@@ -2419,7 +2420,6 @@
 ./usr/share/man/cat8/nfsiod.0 man-obsolete obsolete
 ./usr/share/man/cat8/nis.0 man-nis-catman .cat
 ./usr/share/man/cat8/nologin.0 man-sysutil-catman .cat
-./usr/share/man/cat8/npf.conf.0 man-npf-catman .cat
 ./usr/share/man/cat8/npfctl.0 man-npf-catman .cat
 ./usr/share/man/cat8/nqmgr.0 man-obsolete obsolete
 ./usr/share/man/cat8/nslookup.0 man-netutil-catman .cat
@@ -4456,6 +4456,7 @@
 ./usr/share/man/html5/nicknames.html man-nis-htmlman yp,html
 ./usr/share/man/html5/nisplus_table.html man-postfix-htmlman postfix,html
 ./usr/share/man/html5/nologin.html man-sysutil-htmlman html
+./usr/share/man/html5/npf.conf.html man-npf-htmlman html
 ./usr/share/man/html5/nsswitch.conf.html man-net-htmlman html
 ./usr/share/man/html5/openssl.cnf.html man-crypto-htmlman crypto,html
 ./usr/share/man/html5/pam.conf.html man-sys-htmlman html
@@ -4878,7 +4879,6 @@
 ./usr/share/man/html8/nfsd.html man-nfsserver-htmlman html
 ./usr/share/man/html8/nis.html man-nis-htmlman html
 ./usr/share/man/html8/nologin.html man-sysutil-htmlman html
-./usr/share/man/html8/npf.conf.html man-npf-htmlman html
 ./usr/share/man/html8/npfctl.html man-npf-htmlman html
 ./usr/share/man/html8/nslookup.html man-netutil-htmlman html
 ./usr/share/man/html8/nsupdate.html man-obsolete obsolete
@@ -7003,6 +7003,7 @@
 ./usr/share/man/man5/nicknames.5 man-nis-man yp,.man
 ./usr/share/man/man5/nisplus_table.5 man-postfix-man postfix,.man
 ./usr/share/man/man5/nologin.5 man-sysutil-man .man
+./usr/share/man/man5/npf.conf.5 man-npf-man .man
 ./usr/share/man/man5/nsswitch.conf.5 man-net-man .man
 ./usr/share/man/man5/openssl.cnf.5 man-crypto-man crypto,.man
 ./usr/share/man/man5/pam.conf.5 man-sys-man .man
@@ -7559,7 +7560,6 @@
 ./usr/share/man/man8/nfsiod.8 man-obsolete obsolete
 ./usr/share/man/man8/nis.8 man-nis-man .man
 ./usr/share/man/man8/nologin.8 man-sysutil-man .man
-./usr/share/man/man8/npf.conf.8 man-npf-man .man
 ./usr/share/man/man8/npfctl.8 man-npf-man .man
 ./usr/share/man/man8/nqmgr.8 man-obsolete obsolete
 ./usr/share/man/man8/nslookup.8 man-netutil-man .man
Index: src/share/man/man9/npf_ncode.9
diff -u src/share/man/man9/npf_ncode.9:1.2 src/share/man/man9/npf_ncode.9:1.3
--- src/share/man/man9/npf_ncode.9:1.2 Sun Aug 22 20:36:09 2010
+++ src/share/man/man9/npf_ncode.9 Tue Aug 24 23:55:05 2010
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf_ncode.9,v 1.2 2010/08/22 20:36:09 wiz Exp $
+.\" $NetBSD: npf_ncode.9,v 1.3 2010/08/24 23:55:05 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -258,7 +258,7 @@
 is implemented within the file
 .Pa sys/net/npf/npf_processor.c .
 .Sh SEE ALSO
-.Xr npf.conf 8 ,
+.Xr npf.conf 5 ,
 .Xr npfctl 8
 .Sh HISTORY
 The NPF n-code processor first appeared in
Index: src/usr.sbin/npf/npfctl/Makefile
diff -u src/usr.sbin/npf/npfctl/Makefile:1.1 src/usr.sbin/npf/npfctl/Makefile:1.2
--- src/usr.sbin/npf/npfctl/Makefile:1.1 Sun Aug 22 18:56:23 2010
+++ src/usr.sbin/npf/npfctl/Makefile Tue Aug 24 23:55:04 2010
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.1 2010/08/22 18:56:23 rmind Exp $
+# $NetBSD: Makefile,v 1.2 2010/08/24 23:55:04 rmind Exp $
 PROG= npfctl
-MAN= npfctl.8 npf.conf.8
+MAN= npfctl.8 npf.conf.5
 SRCS= npfctl.c npf_parser.c npf_data.c npf_ncgen.c
Index: src/usr.sbin/npf/npfctl/npfctl.8
diff -u src/usr.sbin/npf/npfctl/npfctl.8:1.1 src/usr.sbin/npf/npfctl/npfctl.8:1.2
--- src/usr.sbin/npf/npfctl/npfctl.8:1.1 Sun Aug 22 18:56:24 2010
+++ src/usr.sbin/npf/npfctl/npfctl.8 Tue Aug 24 23:55:05 2010
@@ -1,4 +1,4 @@
-.\" $NetBSD: npfctl.8,v 1.1 2010/08/22 18:56:24 rmind Exp $
+.\" $NetBSD: npfctl.8,v 1.2 2010/08/24 23:55:05 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -116,7 +116,7 @@
 .Ed
 .\" -----
 .Sh SEE ALSO
-.Xr npf.conf 8 ,
+.Xr npf.conf 5 ,
 .Xr npf_ncode 9
 .Sh HISTORY
 NPF first appeared in
Added files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u /dev/null src/usr.sbin/npf/npfctl/npf.conf.5:1.1
--- /dev/null Tue Aug 24 23:55:05 2010
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Tue Aug 24 23:55:05 2010
@@ -0,0 +1,169 @@
+.\" $NetBSD: npf.conf.5,v 1.1 2010/08/24 23:55:05 rmind Exp $
+.\"
+.\" Copyright (c) 2009-2010 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This material is based upon work partially supported by The
+.\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd August 24, 2010
+.Dt NPF.CONF 5
+.Os
+.Sh NAME
+.Nm npf.conf
+.Nd NPF packet filter configuration file
+.\" -----
+.Sh DESCRIPTION
+.Nm
+is the default configuration file for NPF packet filter.
+It can contain definitions, grouped rules, and tables.
+.Sh DEFINITIONS
+Definitions are general purpose keywords which can be used in the
+ruleset to make it more flexible and easier to manage.
+Most commonly, definitions are used to define one of the following:
+IP addresses, networks, ports, or interfaces.
+Definitions can contain multiple elements.
+.Sh GROUPS
+Having one huge ruleset for all interfaces or directions might be
+inefficient; therefore, NPF requires that all rules be defined within groups.
+Groups can be thought of as higher level rules which have subrules.
+The main properties of a group are its interface and traffic direction.
+Packets matching group criteria are passed to the ruleset of that group.
+If a packet does not match any group, it is passed to the default group.
+The default group must always be defined.
+.Sh RULES
+Rules, which are the main part of NPF configuration, describe the criteria
+used to inspect and make decisions about packets.
+Currently, NPF supports filtering on the following criteria: interface,
+traffic direction, protocol, IPv4 address or network, and TCP/UDP port
+or range.
+Supported actions are blocking or passing the packet.
+.Pp
+Each rule has a priority, which is set according to its order in the ruleset.
+Rules defined first are accordingly inspected first.
+All rules in the group are inspected sequentially, and the last matching
+dictates the action to be taken.
+Rules, however, may be explicitly marked as final (that is, "quick").
+In such cases, processing stops after encountering the first matching rule
+marked as final.
+If there is no matching rule in the custom group, then rules in the default
+group will be inspected.
+.Pp
+Definitions (prefixed with "$") and tables (specified by an ID within
+"\*[Lt]\*[Gt]" marks) can be used in the filter options of rules.
+.Sh TABLES
+Certain configurations might use very large sets of IP addresses or change
+sets frequently.
+Storing large IP sets in the configuration file or performing frequent
+reloads can have a significant performance cost.
+.Pp
+In order to achieve high performance, NPF has tables.
+NPF tables provide separate storage designed for large IP sets and frequent
+updates without reloading the entire ruleset.
+Tables can be managed dynamically or loaded from a separate file, which
+is useful for large static tables.
+There are two types of storage: "tree" (red-black tree is used) and
+"hash".
+.Sh NAT
+Special rules for Network Address Translation (NAT) can be added.
+Translation is performed on specified interface, assigning a specified
+address of said interface.
+Minimal filtering criteria on local network and destination are provided.
+.\" -----
+.Sh GRAMMAR
+.Bd -literal
+line = ( def | table | nat | group )
+
+def = ( "{ a, b, ... }" | "text" | "$\*[Lt]interface\*[Gt]" )
+iface = ( \*[Lt]interface\*[Gt] | def )
+
+table = "table" \*[Lt]tid\*[Gt] "type" ( "hash" | "tree" )
+ ( "dynamic" | "file" \*[Lt]path\*[Gt] )
+
+nat = "nat" iface "from" \*[Lt]addr/mask\*[Gt] "to" \*[Lt]addr/mask\*[Gt] "->" \*[Lt]addr\*[Gt]
+
+group = "group" "(" ( "default" | group-opts ) "") ruleset
+group-opts = "interface" iface "," [ "in" | "out" ]
+
+ruleset = "{" rule1 \*[Lt]newline\*[Gt], rule2 \*[Lt]newline\*[Gt], ... "}"
+
+rule = ( "block" | "pass" ) [ "in" | out" ] rule-opts
+ [ "on" iface ] [ "inet" | "inet6" ] [ "proto" \*[Lt]protocol\*[Gt] ]
+ ( "all" | filt-opts )
+
+rule-opts = [ "log" ] [ "count" ] [ "quick" ]
+filt-opts = [ "from" ( iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt] ) port-opts ]
+ [ "to" ( iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt] ) port-opts ]
+port-opts = [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] ":" \*[Lt]port-to\*[Gt] | def ) ]
+.Ed
+.\" -----
+.Sh FILES
+.Bl -tag -width /dev/npf.conf -compact
+.It Pa /dev/npf
+control device
+.It Pa /etc/npf.conf
+default configuration file
+.El
+.\" -----
+.Sh EXAMPLES
+.Bd -literal
+ext_if = "wm0"
+int_if = "wm1"
+
+services_tcp = "{ http, https, smtp, domain, 6000 }"
+services_udp = "{ domain, ntp, 6000 }"
+
+table "1" type "hash" file "/etc/npf_blacklist"
+table "2" type "tree" dynamic
+
+nat $ext_if from 192.168.0.0/24 to 0.0.0.0/0 -> $ext_if
+
+group (name "external", interface $ext_if) {
+ block in quick from \*[Lt]1\*[Gt]
+ pass out quick from $ext_if keep state
+
+ pass in log quick inet proto tcp to $ext_if port ssh
+ pass in quick proto tcp to $ext_if port $services_tcp
+ pass in quick proto udp to $ext_if port $services_udp
+ pass in quick proto tcp to $ext_if port 49151:65535 # Passive FTP
+ pass in quick proto udp to $ext_if port 33434:33600 # Traceroute
+}
+
+group (name "internal", interface $int_if) {
+ block in all
+ pass in quick from \*[Lt]2\*[Gt]
+ pass out quick all
+}
+
+group (default) {
+ block all
+}
+.Ed
+.\" -----
+.Sh SEE ALSO
+.Xr npfctl 8 ,
+.Xr npf_ncode 9
+.Sh HISTORY
+NPF first appeared in
+.Nx 6.0 .