Module Name: src
Committed By: spz
Date: Sun Sep 30 12:59:31 UTC 2012
Modified Files:
src/usr.sbin/npf/npfctl: npf.conf.5
Log Message:
Add some content to the "Rules" section.
To generate a diff of this commit:
cvs rdiff -u -r1.19 -r1.20 src/usr.sbin/npf/npfctl/npf.conf.5
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.19 src/usr.sbin/npf/npfctl/npf.conf.5:1.20
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.19 Sun Sep 30 07:43:03 2012
+++ src/usr.sbin/npf/npfctl/npf.conf.5 Sun Sep 30 12:59:31 2012
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.conf.5,v 1.19 2012/09/30 07:43:03 wiz Exp $
+.\" $NetBSD: npf.conf.5,v 1.20 2012/09/30 12:59:31 spz Exp $
.\"
.\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -106,6 +106,31 @@ group (name "my_group", interface wm0, i
}
.Ed
.Ss Rules
+With a rule statement NPF is instructed to
+.Cd pass
+or
+.Cd block
+a packet depending on packet header information, transit direction and
+interface it arrives on, either immediately upon match (keyword
+.Cd final )
+or using the last match.
+The rule can also instruct NPF to create an entry in the state table
+when passing the packet, to notify the sender when blocking it, and
+to apply a procedure to the packet (e.g. "log") in either case.
+.Pp
+A "fully-featured" rule would for example be:
+.Bd -literal
+pass stateful in final family inet proto tcp flags S/SA \\
+ from $source port $sport to $dest port $dport apply "someproc"
+.Ed
+.Pp
+Any protocol in /etc/protocols can be specified. Further packet
+specification at present is limited to protocol TCP understanding flags,
+TCP and UDP understanding source and destination ports, and ICMP and
+IPv6-ICMP understanding icmp-type.
+.Pp
+Fragments are not selectable since NPF always reassembles packets
+before further processing.
.Ss Map
Network Address Translation (NAT) is expressed in a form of segment mapping.
At present, only dynamic translation is supported.
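Review bot: the new opening sentence says a rule matches on the "interface it arrives on", but the same sentence lists "transit direction" as a criterion, and for the out direction the interface is the one the packet leaves on; suggest "the interface it arrives on or departs from" (or simply "the interface"). Two smaller points in the same paragraph: the state-table and notify-the-sender behaviours are described without naming their keywords, while pass, block and final are given as .Cd keywords and stateful appears only in the example, so naming the corresponding keywords in the prose would make the paragraph consistent; and "protocol TCP understanding flags, TCP and UDP understanding source and destination ports" reads awkwardly, e.g. "flags for TCP, source and destination ports for TCP and UDP, and icmp-type for ICMP and IPv6-ICMP". Style-wise, .Cd is the config-declaration macro; .Cm or .Ic is the usual mdoc choice for command keywords such as pass and block.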