Module Name:    src
Committed By:   riz
Date:           Mon Oct  1 20:15:36 UTC 2012

Modified Files:
        src/distrib/sets/lists/base [netbsd-6]: mi
        src/etc/mtree [netbsd-6]: NetBSD.dist.base
        src/share/examples [netbsd-6]: Makefile
Added Files:
        src/share/examples/npf [netbsd-6]: Makefile hashtablefile host-npf.conf
            soho_gw-npf.conf treetablefile

Log Message:
Pull up following revision(s) (requested by rmind in ticket #584):
        share/examples/npf/treetablefile: revision 1.1
        share/examples/npf/Makefile: revision 1.1
        distrib/sets/lists/base/mi: revision 1.1003
        share/examples/npf/host-npf.conf: revision 1.2
        share/examples/Makefile: revision 1.21
        share/examples/npf/soho_gw-npf.conf: revision 1.1
        etc/mtree/NetBSD.dist.base: revision 1.104
        share/examples/npf/soho_gw-npf.conf: revision 1.2
        share/examples/npf/hashtablefile: revision 1.1
the example from the man page, with a few extra comments
add id string, fix comments
actually install the new npf examples
add examples for a hash table file and a tree table file
add an ID string to host-npf.conf


To generate a diff of this commit:
cvs rdiff -u -r1.984.2.9 -r1.984.2.10 src/distrib/sets/lists/base/mi
cvs rdiff -u -r1.97.2.3 -r1.97.2.4 src/etc/mtree/NetBSD.dist.base
cvs rdiff -u -r1.20 -r1.20.2.1 src/share/examples/Makefile
cvs rdiff -u -r0 -r1.1.4.2 src/share/examples/npf/Makefile \
    src/share/examples/npf/hashtablefile src/share/examples/npf/treetablefile
cvs rdiff -u -r0 -r1.2.4.2 src/share/examples/npf/host-npf.conf \
    src/share/examples/npf/soho_gw-npf.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/distrib/sets/lists/base/mi
diff -u src/distrib/sets/lists/base/mi:1.984.2.9 src/distrib/sets/lists/base/mi:1.984.2.10
--- src/distrib/sets/lists/base/mi:1.984.2.9	Sun Aug 19 17:43:20 2012
+++ src/distrib/sets/lists/base/mi	Mon Oct  1 20:15:34 2012
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.984.2.9 2012/08/19 17:43:20 riz Exp $
+# $NetBSD: mi,v 1.984.2.10 2012/10/01 20:15:34 riz Exp $
 #
 # Note:	Don't delete entries from here - mark them as "obsolete" instead,
 #	unless otherwise stated below.
@@ -1659,6 +1659,11 @@
 ./usr/share/examples/lua/sqlite.lua		base-sys-examples	share
 ./usr/share/examples/mount_portal		base-miscfs-examples
 ./usr/share/examples/named			base-obsolete	obsolete
+./usr/share/examples/npf			base-netutil-examples
+./usr/share/examples/npf/host-npf.conf		base-netutil-examples
+./usr/share/examples/npf/soho_gw-npf.conf	base-netutil-examples
+./usr/share/examples/npf/hashtablefile		base-netutil-examples
+./usr/share/examples/npf/treetablefile		base-netutil-examples
 ./usr/share/examples/openssl			base-crypto-examples
 ./usr/share/examples/pf				base-netutil-examples
 ./usr/share/examples/postfix			base-postfix-examples

Index: src/etc/mtree/NetBSD.dist.base
diff -u src/etc/mtree/NetBSD.dist.base:1.97.2.3 src/etc/mtree/NetBSD.dist.base:1.97.2.4
--- src/etc/mtree/NetBSD.dist.base:1.97.2.3	Mon Aug 13 23:18:23 2012
+++ src/etc/mtree/NetBSD.dist.base	Mon Oct  1 20:15:36 2012
@@ -1,4 +1,4 @@
-#	$NetBSD: NetBSD.dist.base,v 1.97.2.3 2012/08/13 23:18:23 riz Exp $
+#	$NetBSD: NetBSD.dist.base,v 1.97.2.4 2012/10/01 20:15:36 riz Exp $
 #	@(#)4.4BSD.dist	8.1 (Berkeley) 6/13/93
 
 # Do not customize this file as it may be overwritten on upgrades.
@@ -342,6 +342,7 @@
 ./usr/share/examples/libsaslc/mech
 ./usr/share/examples/lua
 ./usr/share/examples/mount_portal
+./usr/share/examples/npf
 ./usr/share/examples/openssl
 ./usr/share/examples/pf
 ./usr/share/examples/pppd

Index: src/share/examples/Makefile
diff -u src/share/examples/Makefile:1.20 src/share/examples/Makefile:1.20.2.1
--- src/share/examples/Makefile:1.20	Sat Nov 12 01:18:40 2011
+++ src/share/examples/Makefile	Mon Oct  1 20:15:36 2012
@@ -1,6 +1,6 @@
-#	$NetBSD: Makefile,v 1.20 2011/11/12 01:18:40 jmmv Exp $
+#	$NetBSD: Makefile,v 1.20.2.1 2012/10/01 20:15:36 riz Exp $
 
-SUBDIR= amd apm asm disktab emul fstab ftpd getdate hostapd isdn lua pppd \
-	racoon supfiles syslogd wsmoused
+SUBDIR= amd apm asm disktab emul fstab ftpd getdate hostapd \
+        isdn lua npf pppd racoon supfiles syslogd wsmoused
 
 .include <bsd.subdir.mk>

Added files:

Index: src/share/examples/npf/Makefile
diff -u /dev/null src/share/examples/npf/Makefile:1.1.4.2
--- /dev/null	Mon Oct  1 20:15:36 2012
+++ src/share/examples/npf/Makefile	Mon Oct  1 20:15:34 2012
@@ -0,0 +1,12 @@
+#	$NetBSD: Makefile,v 1.1.4.2 2012/10/01 20:15:34 riz Exp $
+
+NOOBJ=	# defined
+
+.include <bsd.own.mk>
+
+.if ${MKSHARE} != "no"
+FILES=		host-npf.conf soho_gw-npf.conf hashtablefile treetablefile
+FILESDIR=	/usr/share/examples/npf
+.endif
+
+.include <bsd.prog.mk>
Index: src/share/examples/npf/hashtablefile
diff -u /dev/null src/share/examples/npf/hashtablefile:1.1.4.2
--- /dev/null	Mon Oct  1 20:15:36 2012
+++ src/share/examples/npf/hashtablefile	Mon Oct  1 20:15:34 2012
@@ -0,0 +1,8 @@
+# $NetBSD: hashtablefile,v 1.1.4.2 2012/10/01 20:15:34 riz Exp $
+#
+# hash tables can only have single IP addresses
+#
+# entry comment 1 (optional)
+192.0.2.7
+# entry comment 2 (optional)
+198.51.100.48
Index: src/share/examples/npf/treetablefile
diff -u /dev/null src/share/examples/npf/treetablefile:1.1.4.2
--- /dev/null	Mon Oct  1 20:15:36 2012
+++ src/share/examples/npf/treetablefile	Mon Oct  1 20:15:33 2012
@@ -0,0 +1,8 @@
+# $NetBSD: treetablefile,v 1.1.4.2 2012/10/01 20:15:33 riz Exp $
+#
+# tree tables can have address blocks
+#
+# entry comment 1 (optional)
+198.51.100.40/30
+# entry comment 2 (optional)
+192.0.2.7

Index: src/share/examples/npf/host-npf.conf
diff -u /dev/null src/share/examples/npf/host-npf.conf:1.2.4.2
--- /dev/null	Mon Oct  1 20:15:36 2012
+++ src/share/examples/npf/host-npf.conf	Mon Oct  1 20:15:34 2012
@@ -0,0 +1,120 @@
+# $NetBSD: host-npf.conf,v 1.2.4.2 2012/10/01 20:15:34 riz Exp $
+#
+# this is an example of NPF rules for a host (i.e., not routing) with
+# two network interfaces, wired and wifi
+#
+# it does both IPv4 and IPv6 and allows for DHCP in v4 and SLAAC in v6
+# it also does IPSEC on the wifi
+#
+$wired_if = "wm0"
+$wifi_if = "iwn0"
+
+$dhcpserver = { 198.51.100.1 }
+
+# sample udp service
+$services_udp = { ntp }
+
+# sample mixed service
+$backupsrv_v4 = { 198.51.100.11 }
+$backupsrv_v6 = { 2001:0DB8:404::11 }
+$backup_port = { amanda }
+
+# watching a tcpdump of npflog0, when it only logs blocks,
+# can be very helpful for building the rules you actually need
+procedure "log" {
+     log: npflog0
+}
+
+procedure "rid" {
+     normalise: "random-id"
+}
+
+group (name "wired", interface $wired_if) {
+
+	# not being picky about our own address here
+	pass in  final family inet6 proto ipv6-icmp all
+	pass out final family inet6 proto ipv6-icmp all
+	pass in  final family inet  proto icmp      all
+
+	pass in  final family inet proto tcp \
+		from $dhcpserver port bootps to $wired_if port bootpc
+	pass in  final family inet proto udp \
+		from $dhcpserver port bootps to $wired_if port bootpc
+
+	pass in final family inet6 proto tcp to $wired_if port ssh
+
+	pass in final family inet  proto tcp flags S/SA \
+		from $backupsrv_v4 to $wired_if port $backup_port 
+	pass in final family inet  proto udp \
+		from $backupsrv_v4 to $wired_if port $backup_port
+	pass in final family inet6 proto tcp flags S/SA \
+		from $backupsrv_v6 to $wired_if port $backup_port 
+	pass in final family inet6 proto udp \
+		from $backupsrv_v6 to $wired_if port $backup_port
+
+	pass stateful in final family inet6 proto udp to $wired_if \
+		port $services_udp
+	pass stateful in final family inet  proto udp to $wired_if \
+		port $services_udp
+
+	# only SYN packets need to generate state
+	pass stateful out final family inet6 proto tcp flags S/SA \
+		from $wired_if apply "rid" 
+	pass stateful out final family inet  proto tcp flags S/SA \
+		from $wired_if apply "rid" 
+	# pass the other tcp packets without generating extra state
+	pass out final family inet6 proto tcp from $wired_if apply "rid" 
+	pass out final family inet  proto tcp from $wired_if apply "rid" 
+
+	# all other types of traffic, generate state per packet
+	pass stateful out final family inet6 from $wired_if apply "rid" 
+	pass stateful out final family inet  from $wired_if apply "rid" 
+
+}
+
+group (name "wifi", interface $wifi_if) {
+	# linklocal
+	pass in  final family inet6 proto ipv6-icmp  to fe80::/10
+	pass out final family inet6 proto ipv6-icmp from fe80::/10
+
+	# administrative multicasts
+	pass in  final family inet6 proto ipv6-icmp  to ff00::/10
+	pass out final family inet6 proto ipv6-icmp from ff00::/10
+
+	pass in  final family inet6 proto ipv6-icmp to $wifi_if
+	pass in  final family inet  proto icmp      to $wifi_if
+
+	pass in  final family inet proto tcp \
+		from any port bootps to $wifi_if port bootpc
+	pass in  final family inet proto udp \
+		from any port bootps to $wifi_if port bootpc
+
+        pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh 
+
+        pass in final family inet6 proto udp to $wifi_if port $services_udp
+        pass in final family inet  proto udp to $wifi_if port $services_udp
+
+	# IPSEC
+	pass in final family inet6 proto udp to $wifi_if port isakmp
+	pass in final family inet  proto udp to $wifi_if port isakmp
+	pass in family inet6 proto esp all
+	pass in family inet  proto esp all
+
+	# only SYN packets need to generate state
+        pass stateful out final family inet6 proto tcp flags S/SA \
+		from $wifi_if apply "rid" 
+        pass stateful out final family inet  proto tcp flags S/SA \
+		from $wifi_if apply "rid" 
+	# pass the other tcp packets without generating extra state
+        pass out final family inet6 proto tcp from $wifi_if apply "rid" 
+        pass out final family inet  proto tcp from $wifi_if apply "rid" 
+
+	# all other types of traffic, generate state per packet
+        pass stateful out final family inet6 from $wifi_if apply "rid" 
+        pass stateful out final family inet  from $wifi_if apply "rid" 
+}
+
+group (default) {
+	pass final on lo0 all
+	block all apply "log"
+}
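Review bot: The TCP variants of the DHCP rules, `pass in final family inet proto tcp from $dhcpserver port bootps to $wired_if port bootpc` in the wired group and the matching `from any port bootps` line in the wifi group, admit traffic DHCP never generates, since DHCP runs over UDP only; on the wifi interface that rule lets any peer using source port 67 reach TCP port 68 on the host. Dropping the two tcp rules and keeping only the udp ones narrows the inbound surface without changing what works. Separately, the two `pass in family inet proto esp all` rules are the only pass rules in the file without `final`, which looks like an oversight given that every neighbouring rule carries it; if it is intentional, a comment saying so would help. The wifi group also mixes tabs and eight-space indentation, and several rule lines carry trailing whitespace.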
Index: src/share/examples/npf/soho_gw-npf.conf
diff -u /dev/null src/share/examples/npf/soho_gw-npf.conf:1.2.4.2
--- /dev/null	Mon Oct  1 20:15:36 2012
+++ src/share/examples/npf/soho_gw-npf.conf	Mon Oct  1 20:15:34 2012
@@ -0,0 +1,62 @@
+# $NetBSD$
+#
+# SOHO border
+#
+# This is a natting border gateway/webserver/mailserver/nameserver
+# IPv4 only
+#
+$ext_if = "wm0"
+$int_if = "wm1"
+
+# a table to house e.g. block candidates in
+table <1> type hash file "/usr/share/examples/npf/hashtablefile"
+# feed this using "npfctl table 2 add 198.51.100.16/29" f.e.
+table <2> type tree dynamic
+
+$services_tcp = { http, https, smtp, domain, 6000, 9022 }
+$services_udp = { domain, ntp, 6000 }
+$localnet = { 198.51.100.0/24 }
+
+# NAT outgoing to the address of the external interface
+# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
+# then the translation address has to be specified explicitly.
+map $ext_if dynamic 198.51.100.0/24 -> $ext_if
+
+# NAT traffic arriving on port 9022 of the external interface address
+# to host 198.51.100.2 port 22
+map $ext_if dynamic 198.51.100.2 port 22 <- $ext_if 9022
+
+procedure "log" {
+	log: npflog0
+}
+
+procedure "rid" {
+	normalise: "random-id"
+}
+
+group (name "external", interface $ext_if) {
+	pass stateful out final from $ext_if apply "rid"
+
+	block in final from <1>
+	pass stateful in final family inet proto tcp to $ext_if port ssh \
+		apply "log"
+	pass stateful in final proto tcp to $ext_if port $services_tcp
+	pass stateful in final proto udp to $ext_if port $services_udp
+
+	# Passive FTP
+	pass stateful in final proto tcp to $ext_if port 49151-65535
+	# Traceroute
+	pass stateful in final proto udp to $ext_if port 33434-33600
+}
+
+group (name "internal", interface $int_if) {
+	block in all
+	pass in final from <2>
+	pass out final all
+}
+
+group (default) {
+	pass final on lo0 all
+	block all
+}
+
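Review bot: `$localnet` is defined as `{ 198.51.100.0/24 }` but never referenced, and the NAT rule a few lines below repeats the literal, so the two can drift apart; `map $ext_if dynamic $localnet -> $ext_if` keeps one source of truth, assuming the map grammar accepts a variable there as the pass rules do. The passive-FTP rule `pass stateful in final proto tcp to $ext_if port 49151-65535` deserves a comment that it opens the whole high port range on the gateway itself to any listener, not only an FTP daemon; something like `# any service listening on 49151-65535 on $ext_if is reachable; match this to the FTP server's passive range`. The ssh rule on the external interface accepts connections from any source and only logs them, relying on the preceding `block in final from <1>` to exclude known-bad addresses, which is worth stating in the comment above the table definition.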
