Module Name:    src
Committed By:   rmind
Date:           Mon Feb  6 00:37:52 UTC 2012

Modified Files:
        src/usr.sbin/npf/npfctl: npf.conf.5 npf_build.c

Log Message:
- Handle NPF rule procedures in the parser and thus re-enable them.
- A few small updates to the man page.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.3 -r1.4 src/usr.sbin/npf/npfctl/npf_build.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.7 src/usr.sbin/npf/npfctl/npf.conf.5:1.8
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.7	Sun Jan  8 22:14:55 2012
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Mon Feb  6 00:37:52 2012
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.7 2012/01/08 22:14:55 christos Exp $
+.\"    $NetBSD: npf.conf.5,v 1.8 2012/02/06 00:37:52 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 6, 2012
+.Dd February 5, 2012
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -80,20 +80,26 @@ which are applied for all packets of a c
 .Pp
 Definitions (prefixed with "$") and tables (specified by an ID within
 "\*[Lt]\*[Gt]" marks) can be used in the filter options of rules.
-.Ss Rule procedures and normalization
+.Ss Rule procedures and normalisation
 Rule procedures are provided to perform packet transformations and various
 additional procedures on the packets.
 It should be noted that rule procedures are applied for the connections,
 that is, both for packets which match the rule and for further packets
 of the connection, which are passed without ruleset inspection.
 Currently, two facilities are supported:
-traffic normalization and packet logging.
-Packet normalization has the following functionality:
-IP ID randomization, IP_DF flag cleansing, TCP minimum TTL enforcement,
+traffic normalisation and packet logging.
+Packet normalisation has the following functionality:
+IP ID randomisation, IP_DF flag cleansing, TCP minimum TTL enforcement,
 and maximum MSS enforcement ("MSS clamping").
-If a matching rule is going to drop the packet, normalization functions
+If a matching rule is going to drop the packet, normalisation functions
 are not performed.
 Packet logging is performed both in packet passing and blocking cases.
+Note that the logging interface has to be created manually, using
+.Xr ifconfig 8
+routine, for example:
+.Pp
+ifconfig npflog0 create
+.Pp
 .Ss Network address translation
 Rules for address translation can be added.
 Translation is performed on the specified interface, assigning the specified
@@ -150,10 +156,10 @@ group-opts	= "interface" iface "," [ "in
 ruleset		= "{" rule1 \*[Lt]newline\*[Gt], rule2 \*[Lt]newline\*[Gt], ... "}"
 
 rule		= ( "block" block-opts | "pass" ) [ "in" | out" ] [ "quick" ]
-		  [ "on" iface ] [ "inet" | "inet6" ] [ "proto" \*[Lt]protocol\*[Gt] ]
-		  ( "all" | filt-opts [ "flags" \*[Lt]tcp_flags> \*[Gt] )
-		  [ "keep state" ] [ "apply" rproc }
+		  [ "on" iface ] [ family "fam-opt" ] [ "proto" \*[Lt]protocol\*[Gt] ]
+		  ( "all" | filt-opts ) [ "keep state" ] [ "apply" rproc ] }
 
+fam-opt		= [ "inet" | "inet6" ]
 block-opts	= [ "return-rst" | "return-icmp" | "return" ]
 filt-addr	= iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt]
 port-opts	= [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] "-" \*[Lt]port-to\*[Gt] | def ) ]

Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.3 src/usr.sbin/npf/npfctl/npf_build.c:1.4
--- src/usr.sbin/npf/npfctl/npf_build.c:1.3	Sun Feb  5 00:37:13 2012
+++ src/usr.sbin/npf/npfctl/npf_build.c	Mon Feb  6 00:37:52 2012
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.3 2012/02/05 00:37:13 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.4 2012/02/06 00:37:52 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.3 2012/02/05 00:37:13 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.4 2012/02/06 00:37:52 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -299,19 +299,85 @@ npfctl_build_ncode(nl_rule_t *rl, sa_fam
 	return true;
 }
 
+static void
+npfctl_build_rpcall(nl_rproc_t *rp, const char *name, npfvar_t *args)
+{
+	/*
+	 * XXX/TODO: Hardcoded for the first release.  However,
+	 * rule procedures will become fully dynamic modules.
+	 */
+
+	bool log = false, norm = false;
+	bool rnd = false, no_df = false;
+	int minttl = 0, maxmss = 0;
+
+	if (strcmp(name, "log") == 0) {
+		log = true;
+	} else if (strcmp(name, "normalise") == 0) {
+		norm = true;
+	} else {
+		yyerror("unknown rule procedure '%s'", name);
+	}
+
+	for (size_t i = 0; i < npfvar_get_count(args); i++) {
+		module_arg_t *arg;
+		const char *aval;
+
+		arg = npfvar_get_data(args, NPFVAR_MODULE_ARG, i);
+		aval = arg->ma_name;
+
+		if (log) {
+			u_int if_idx = npfctl_find_ifindex(aval);
+			if (!if_idx) {
+				yyerror("unknown interface '%s'", aval);
+			}
+			_npf_rproc_setlog(rp, if_idx);
+			return;
+		}
+
+		const int type = npfvar_get_type(arg->ma_opts);
+		if (type != -1 && type != NPFVAR_NUM) {
+			yyerror("option '%s' is not numeric", aval);
+		}
+		unsigned long *opt;
+
+		if (strcmp(aval, "random-id") == 0) {
+			rnd = true;
+		} else if (strcmp(aval, "min-ttl") == 0) {
+			opt = npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0);
+			minttl = *opt;
+		} else if (strcmp(aval, "max-mss") == 0) {
+			opt = npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0);
+			maxmss = *opt;
+		} else if (strcmp(aval, "no-df") == 0) {
+			no_df = true;
+		} else {
+			yyerror("unknown argument '%s'", aval);
+		}
+	}
+	assert(norm == true);
+	_npf_rproc_setnorm(rp, rnd, no_df, minttl, maxmss);
+}
+
 /*
  * npfctl_build_rproc: create and insert a rule procedure.
  */
 void
-npfctl_build_rproc(const char *name, npfvar_t *var)
+npfctl_build_rproc(const char *name, npfvar_t *procs)
 {
 	nl_rproc_t *rp;
+	size_t i;
 
 	rp = npf_rproc_create(name);
 	if (rp == NULL) {
 		errx(EXIT_FAILURE, "npf_rproc_create failed");
 	}
 	npf_rproc_insert(npf_conf, rp);
+
+	for (i = 0; i < npfvar_get_count(procs); i++) {
+		proc_op_t *po = npfvar_get_data(procs, NPFVAR_PROC_OP, i);
+		npfctl_build_rpcall(rp, po->po_name, po->po_opts);
+	}
 }
 
 /*
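Review bot: The `min-ttl` and `max-mss` branches of npfctl_build_rpcall copy an `unsigned long` into `int` with no range check, so a TTL above 255 or an MSS above 65535 reaches `_npf_rproc_setnorm` silently truncated, and when the option is written without a value the check above lets `type == -1` through and `*opt` dereferences whatever `npfvar_get_data` returns for an empty option list, presumably NULL. Both branches should validate the pointer and the range before the assignment, as sketched below; this assumes `yyerror` does not return, which the existing unknown-argument branch already relies on. The `log` procedure given with zero arguments never reaches the `return` inside the loop and falls through to `assert(norm == true)`, which aborts instead of reporting a configuration error and is compiled out under NDEBUG; an explicit `if (log) { yyerror("rule procedure 'log' requires an interface"); }` before the assert would report it properly. Extra arguments after the interface name on `log` are silently dropped by the early `return`, which is probably worth a diagnostic as well.
```c
		} else if (strcmp(aval, "min-ttl") == 0) {
			opt = npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0);
			if (opt == NULL || *opt > 255) {
				yyerror("'%s' requires a value in range 0-255", aval);
			}
			minttl = (int)*opt;
		} else if (strcmp(aval, "max-mss") == 0) {
			opt = npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0);
			if (opt == NULL || *opt > 65535) {
				yyerror("'%s' requires a value in range 0-65535", aval);
			}
			maxmss = (int)*opt;
		/* … unchanged: "random-id", "no-df" and unknown-argument branches … */
```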
