Module Name:    src
Committed By:   spz
Date:           Tue Dec  4 18:48:33 UTC 2012

Modified Files:
        src/share/examples/npf: host-npf.conf soho_gw-npf.conf

Log Message:
adjust to current npf.conf syntax


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/share/examples/npf/host-npf.conf \
    src/share/examples/npf/soho_gw-npf.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/share/examples/npf/host-npf.conf
diff -u src/share/examples/npf/host-npf.conf:1.2 src/share/examples/npf/host-npf.conf:1.3
--- src/share/examples/npf/host-npf.conf:1.2	Wed Aug 22 06:45:17 2012
+++ src/share/examples/npf/host-npf.conf	Tue Dec  4 18:48:32 2012
@@ -1,4 +1,4 @@
-# $NetBSD: host-npf.conf,v 1.2 2012/08/22 06:45:17 spz Exp $
+# $NetBSD: host-npf.conf,v 1.3 2012/12/04 18:48:32 spz Exp $
 #
 # this is an example of NPF rules for a host (i.e., not routing) with
 # two network interfaces, wired and wifi
@@ -7,7 +7,12 @@
 # it also does IPSEC on the wifi
 #
 $wired_if = "wm0"
+$wired_v4 = { inet4(wm0) }
+$wired_v6 = { inet6(wm0) }
+
 $wifi_if = "iwn0"
+$wifi_v4 = { inet4(iwn0) }
+$wifi_v6 = { inet6(iwn0) }
 
 $dhcpserver = { 198.51.100.1 }
 
@@ -37,38 +42,38 @@ group (name "wired", interface $wired_if
 	pass in  final family inet  proto icmp      all
 
 	pass in  final family inet proto tcp \
-		from $dhcpserver port bootps to $wired_if port bootpc
+		from $dhcpserver port bootps to $wired_v4 port bootpc
 	pass in  final family inet proto udp \
-		from $dhcpserver port bootps to $wired_if port bootpc
+		from $dhcpserver port bootps to $wired_v4 port bootpc
 
-	pass in final family inet6 proto tcp to $wired_if port ssh
+	pass in final family inet6 proto tcp to $wired_v6 port ssh
 
 	pass in final family inet  proto tcp flags S/SA \
-		from $backupsrv_v4 to $wired_if port $backup_port 
+		from $backupsrv_v4 to $wired_v4 port $backup_port 
 	pass in final family inet  proto udp \
-		from $backupsrv_v4 to $wired_if port $backup_port
+		from $backupsrv_v4 to $wired_v4 port $backup_port
 	pass in final family inet6 proto tcp flags S/SA \
-		from $backupsrv_v6 to $wired_if port $backup_port 
+		from $backupsrv_v6 to $wired_v6 port $backup_port 
 	pass in final family inet6 proto udp \
-		from $backupsrv_v6 to $wired_if port $backup_port
+		from $backupsrv_v6 to $wired_v6 port $backup_port
 
-	pass stateful in final family inet6 proto udp to $wired_if \
+	pass stateful in final family inet6 proto udp to $wired_v6 \
 		port $services_udp
-	pass stateful in final family inet  proto udp to $wired_if \
+	pass stateful in final family inet  proto udp to $wired_v6 \
 		port $services_udp
 
 	# only SYN packets need to generate state
 	pass stateful out final family inet6 proto tcp flags S/SA \
-		from $wired_if apply "rid" 
+		from $wired_v6 apply "rid" 
 	pass stateful out final family inet  proto tcp flags S/SA \
-		from $wired_if apply "rid" 
+		from $wired_v4 apply "rid" 
 	# pass the other tcp packets without generating extra state
-	pass out final family inet6 proto tcp from $wired_if apply "rid" 
-	pass out final family inet  proto tcp from $wired_if apply "rid" 
+	pass out final family inet6 proto tcp from $wired_v6 apply "rid" 
+	pass out final family inet  proto tcp from $wired_v4 apply "rid" 
 
 	# all other types of traffic, generate state per packet
-	pass stateful out final family inet6 from $wired_if apply "rid" 
-	pass stateful out final family inet  from $wired_if apply "rid" 
+	pass stateful out final family inet6 from $wired_v6 apply "rid" 
+	pass stateful out final family inet  from $wired_v4 apply "rid" 
 
 }
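Review bot: The IPv4 services rule `pass stateful in final family inet  proto udp to $wired_v6 port $services_udp` pairs `family inet` with the IPv6 address set, so it can never match and inbound IPv4 UDP to $services_udp on the wired interface is silently no longer passed (its inet6 twin two lines above is correct). It should read `pass stateful in final family inet  proto udp to $wired_v4 port $services_udp`, as every other `family inet` rule in this group now does. The group "wired" opens at the hunk header, so its start lies outside the hunk.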
 
@@ -81,37 +86,37 @@ group (name "wifi", interface $wifi_if) 
 	pass in  final family inet6 proto ipv6-icmp  to ff00::/10
 	pass out final family inet6 proto ipv6-icmp from ff00::/10
 
-	pass in  final family inet6 proto ipv6-icmp to $wifi_if
-	pass in  final family inet  proto icmp      to $wifi_if
+	pass in  final family inet6 proto ipv6-icmp to $wifi_v6
+	pass in  final family inet  proto icmp      to $wifi_v6
 
 	pass in  final family inet proto tcp \
-		from any port bootps to $wifi_if port bootpc
+		from any port bootps to $wifi_v4 port bootpc
 	pass in  final family inet proto udp \
-		from any port bootps to $wifi_if port bootpc
+		from any port bootps to $wifi_v4 port bootpc
 
-        pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh 
+        pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh 
 
-        pass in final family inet6 proto udp to $wifi_if port $services_udp
-        pass in final family inet  proto udp to $wifi_if port $services_udp
+        pass in final family inet6 proto udp to $wifi_v6 port $services_udp
+        pass in final family inet  proto udp to $wifi_v4 port $services_udp
 
 	# IPSEC
-	pass in final family inet6 proto udp to $wifi_if port isakmp
-	pass in final family inet  proto udp to $wifi_if port isakmp
+	pass in final family inet6 proto udp to $wifi_v6 port isakmp
+	pass in final family inet  proto udp to $wifi_v4 port isakmp
 	pass in family inet6 proto esp all
 	pass in family inet  proto esp all
 
 	# only SYN packets need to generate state
         pass stateful out final family inet6 proto tcp flags S/SA \
-		from $wifi_if apply "rid" 
+		from $wifi_v6 apply "rid" 
         pass stateful out final family inet  proto tcp flags S/SA \
-		from $wifi_if apply "rid" 
+		from $wifi_v4 apply "rid" 
 	# pass the other tcp packets without generating extra state
-        pass out final family inet6 proto tcp from $wifi_if apply "rid" 
-        pass out final family inet  proto tcp from $wifi_if apply "rid" 
+        pass out final family inet6 proto tcp from $wifi_v6 apply "rid" 
+        pass out final family inet  proto tcp from $wifi_v4 apply "rid" 
 
 	# all other types of traffic, generate state per packet
-        pass stateful out final family inet6 from $wifi_if apply "rid" 
-        pass stateful out final family inet  from $wifi_if apply "rid" 
+        pass stateful out final family inet6 from $wifi_v6 apply "rid" 
+        pass stateful out final family inet  from $wifi_v4 apply "rid" 
 }
 
 group (default) {
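Review bot: `pass in  final family inet  proto icmp      to $wifi_v6` combines `family inet` with the IPv6 address set, so inbound IPv4 ICMP to the wifi interface stops matching and only the IPv6 rule above it is effective. Change it to `pass in  final family inet  proto icmp      to $wifi_v4`; the bootp, services and isakmp rules in the same group already use the matching `$wifi_v4`. The group "wifi" starts at the hunk header and `group (default) {` on the last line continues past the hunk.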
Index: src/share/examples/npf/soho_gw-npf.conf
diff -u src/share/examples/npf/soho_gw-npf.conf:1.2 src/share/examples/npf/soho_gw-npf.conf:1.3
--- src/share/examples/npf/soho_gw-npf.conf:1.2	Tue Aug 21 08:25:21 2012
+++ src/share/examples/npf/soho_gw-npf.conf	Tue Dec  4 18:48:32 2012
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.2 2012/08/21 08:25:21 spz Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.3 2012/12/04 18:48:32 spz Exp $
 #
 # SOHO border
 #
@@ -6,6 +6,9 @@
 # IPv4 only
 #
 $ext_if = "wm0"
+$ext_v4 = inet4(wm0)
+$ext_addrs = { ifnet(wm0) }
+
 $int_if = "wm1"
 
 # a table to house e.g. block candidates in
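Review bot: The interface name is now spelled out literally in `inet4(wm0)` and `ifnet(wm0)` directly under `$ext_if = "wm0"`, so anyone adapting this example has to edit three places, and a missed one fails silently because the rules would just select another interface's addresses. If the grammar accepts a variable argument here, `inet4($ext_if)` and `{ ifnet($ext_if) }` would remove the duplication; otherwise add a comment such as `# keep the interface name in sync with $ext_if above`. host-npf.conf repeats the same pattern for wm0 and iwn0.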
@@ -20,11 +23,11 @@ $localnet = { 198.51.100.0/24 }
 # NAT outgoing to the address of the external interface
 # Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
 # then the translation address has to be specified explicitly.
-map $ext_if dynamic 198.51.100.0/24 -> $ext_if
+map $ext_if dynamic 198.51.100.0/24 -> $ext_v4
 
 # NAT traffic arriving on port 9022 of the external interface address
 # to host 198.51.100.2 port 22
-map $ext_if dynamic 198.51.100.2 port 22 <- $ext_if 9022
+map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 9022
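Review bot: The comment above the outbound NAT rule is now partly stale: it still says the translation address must be given explicitly when `$ext_if` also carries IPv6 addresses, but the rule now translates to `$ext_v4`, which by construction selects only the IPv4 addresses of wm0. The remaining caveat is several IPv4 addresses on the same interface, so rewrite the note as `# inet4(wm0) selects the IPv4 address of the external interface; if it has more than one, give the translation address explicitly.` Whether NPF picks the first address or rejects an ambiguous set cannot be told from this diff, so the comment should not promise either.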
 
 procedure "log" {
 	log: npflog0
@@ -35,18 +38,18 @@ procedure "rid" {
 }
 
 group (name "external", interface $ext_if) {
-	pass stateful out final from $ext_if apply "rid"
+	pass stateful out final from $ext_addrs apply "rid"
 
 	block in final from <1>
-	pass stateful in final family inet proto tcp to $ext_if port ssh \
+	pass stateful in final family inet proto tcp to $ext_v4 port ssh \
 		apply "log"
-	pass stateful in final proto tcp to $ext_if port $services_tcp
-	pass stateful in final proto udp to $ext_if port $services_udp
+	pass stateful in final proto tcp to $ext_addrs port $services_tcp
+	pass stateful in final proto udp to $ext_addrs port $services_udp
 
 	# Passive FTP
-	pass stateful in final proto tcp to $ext_if port 49151-65535
+	pass stateful in final proto tcp to $ext_addrs port 49151-65535
 	# Traceroute
-	pass stateful in final proto udp to $ext_if port 33434-33600
+	pass stateful in final proto udp to $ext_addrs port 33434-33600
 }
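Review bot: The passive-FTP rule `pass stateful in final proto tcp to $ext_addrs port 49151-65535` passes any inbound TCP to ports 49151-65535 on every external address with no `from` restriction and no `flags S/SA` qualifier, so any stray packet to a high port creates state and every service listening in that range on the gateway is reachable from outside, not just an FTP data channel. The commit only swaps `$ext_if` for `$ext_addrs` here, but as a shipped example it is worth tightening: add `flags S/SA` to this rule and to the ssh and `$services_tcp` rules above it, matching the "only SYN packets need to generate state" convention used in host-npf.conf, and precede it with a comment such as `# only needed if an FTP server runs on this gateway; otherwise keep it commented out`. The same applies, with a narrower range, to the traceroute UDP rule that follows it.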
 
 group (name "internal", interface $int_if) {
