Module Name: src
Committed By: rmind
Date: Mon Mar 18 02:17:50 UTC 2013
Modified Files:
src/usr.sbin/npf/npfctl: npf_build.c npf_parse.y npf_scan.l npfctl.c
npfctl.h
Log Message:
- Extend npf.conf syntax to support dynamic NAT policies.
- Imply dynamic group when using "ruleset" keyword.
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 src/usr.sbin/npf/npfctl/npf_build.c
cvs rdiff -u -r1.20 -r1.21 src/usr.sbin/npf/npfctl/npf_parse.y
cvs rdiff -u -r1.10 -r1.11 src/usr.sbin/npf/npfctl/npf_scan.l
cvs rdiff -u -r1.35 -r1.36 src/usr.sbin/npf/npfctl/npfctl.c
cvs rdiff -u -r1.27 -r1.28 src/usr.sbin/npf/npfctl/npfctl.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/npf/npfctl/npf_build.c
diff -u src/usr.sbin/npf/npfctl/npf_build.c:1.21 src/usr.sbin/npf/npfctl/npf_build.c:1.22
--- src/usr.sbin/npf/npfctl/npf_build.c:1.21 Sat Feb 16 21:11:14 2013
+++ src/usr.sbin/npf/npfctl/npf_build.c Mon Mar 18 02:17:49 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_build.c,v 1.21 2013/02/16 21:11:14 rmind Exp $ */
+/* $NetBSD: npf_build.c,v 1.22 2013/03/18 02:17:49 rmind Exp $ */
/*-
* Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.21 2013/02/16 21:11:14 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.22 2013/03/18 02:17:49 rmind Exp $");
#include <sys/types.h>
#include <sys/ioctl.h>
@@ -453,6 +453,22 @@ npfctl_build_rproc(const char *name, npf
}
}
+void
+npfctl_build_maprset(const char *name, int attr, u_int if_idx)
+{
+ const int attr_di = (NPF_RULE_IN | NPF_RULE_OUT);
+ nl_rule_t *rl;
+
+ /* If no direction is not specified, then both. */
+ if ((attr & attr_di) == 0) {
+ attr |= attr_di;
+ }
+ /* Allow only "in/out" attributes. */
+ attr = NPF_RULE_GROUP | NPF_RULE_GROUP | (attr & attr_di);
+ rl = npf_rule_create(name, attr, if_idx);
+ npf_nat_insert(npf_conf, rl, NPF_PRI_LAST);
+}
+
/*
* npfctl_build_group: create a group, insert into the global ruleset,
* update the current group pointer and increase the nesting level.
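Review bot: The attribute mask on the `attr = NPF_RULE_GROUP | NPF_RULE_GROUP | (attr & attr_di);` line ORs the same flag twice, so the second operand is a no-op; given that the commit message says a ruleset implies a dynamic group and the parser's `ruleset` rule in npf_parse.y ORs in `NPF_RULE_DYNAMIC`, the second flag was presumably meant to be `NPF_RULE_DYNAMIC`, i.e. `attr = NPF_RULE_GROUP | NPF_RULE_DYNAMIC | (attr & attr_di);` — without it the NAT ruleset created here would not be marked dynamic, which is worth confirming against how the kernel treats the group. The comment above the direction check reads as a double negative; `/* If no direction is specified, then both. */` says what the code does. The return value of `npf_rule_create()` is handed straight to `npf_nat_insert()`; if that constructor can fail and return NULL on allocation error (its contract is not visible here), the result should be checked before insertion.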
Index: src/usr.sbin/npf/npfctl/npf_parse.y
diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.20 src/usr.sbin/npf/npfctl/npf_parse.y:1.21
--- src/usr.sbin/npf/npfctl/npf_parse.y:1.20 Mon Mar 11 00:09:07 2013
+++ src/usr.sbin/npf/npfctl/npf_parse.y Mon Mar 18 02:17:49 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_parse.y,v 1.20 2013/03/11 00:09:07 christos Exp $ */
+/* $NetBSD: npf_parse.y,v 1.21 2013/03/18 02:17:49 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -131,6 +131,7 @@ yyerror(const char *fmt, ...)
%token RETURN
%token RETURNICMP
%token RETURNRST
+%token RULESET
%token SEPLINE
%token SLASH
%token STATEFUL
@@ -310,6 +311,10 @@ map
{
npfctl_build_natseg($3, $5, $2, &$4, &$6, NULL);
}
+ | MAP RULESET PAR_OPEN group_attr PAR_CLOSE
+ {
+ npfctl_build_maprset($4.rg_name, $4.rg_attr, $4.rg_ifnum);
+ }
;
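Review bot: The new `MAP RULESET PAR_OPEN group_attr PAR_CLOSE` alternative forwards only `rg_name`, `rg_attr` and `rg_ifnum` to `npfctl_build_maprset()`, while `group_attr` evidently also carries `rg_default` (the `ruleset` rule later in this file passes `$3.rg_default` to `npfctl_build_group()`). If a `default` option is accepted by `group_attr`, a map ruleset written with it would parse cleanly and the option would be silently dropped, which is the kind of misconfiguration an administrator will not notice until traffic behaves unexpectedly. Either reject it in this action with a `yyerror()` naming the unsupported option, or document in a comment above the alternative that only name, direction and interface are meaningful for a map ruleset.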
rproc
@@ -383,6 +388,15 @@ group
}
;
+ruleset
+ : RULESET PAR_OPEN group_attr PAR_CLOSE
+ {
+ /* Ruleset is a dynamic group. */
+ npfctl_build_group($3.rg_name, $3.rg_attr | NPF_RULE_DYNAMIC,
+ $3.rg_ifnum, $3.rg_default);
+ npfctl_build_group_end();
+ }
+
group_attr
: group_opt COMMA group_attr
{
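Review bot: The new `ruleset` nonterminal is the only rule in this hunk (and on the page) that is not terminated with `;` — `map`, `rproc`, `group`, `ruleset_block` and `ruleset_def` all close with one. Most yacc implementations accept adjacent rules without the terminator, but newer bison versions warn about it and the omission is easy to misread as the `group_attr` rule being part of `ruleset`; add the `;` after the closing `}` of the action for consistency with the rest of the grammar. A short comment such as `/* ruleset: a dynamic group with no static rule body. */` above the rule would also make clear why `npfctl_build_group_end()` is called immediately after `npfctl_build_group()`.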
@@ -443,18 +457,18 @@ group_opt
;
ruleset_block
- : CURLY_OPEN ruleset CURLY_CLOSE
- | /* Empty (for a dynamic ruleset). */
+ : CURLY_OPEN ruleset_def CURLY_CLOSE
;
-ruleset
- : rule_group SEPLINE ruleset
+ruleset_def
+ : rule_group SEPLINE ruleset_def
| rule_group
;
rule_group
: rule
| group
+ | ruleset
|
rule
Index: src/usr.sbin/npf/npfctl/npf_scan.l
diff -u src/usr.sbin/npf/npfctl/npf_scan.l:1.10 src/usr.sbin/npf/npfctl/npf_scan.l:1.11
--- src/usr.sbin/npf/npfctl/npf_scan.l:1.10 Sat Feb 9 03:35:33 2013
+++ src/usr.sbin/npf/npfctl/npf_scan.l Mon Mar 18 02:17:49 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_scan.l,v 1.10 2013/02/09 03:35:33 rmind Exp $ */
+/* $NetBSD: npf_scan.l,v 1.11 2013/03/18 02:17:49 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -130,7 +130,7 @@ ipv6-icmp { yylval.num = IPPROTO_ICMPV6
return-rst return RETURNRST;
return-icmp return RETURNICMP;
return return RETURN;
-ruleset return GROUP;
+ruleset return RULESET;
from return FROM;
to return TO;
port return PORT;
Index: src/usr.sbin/npf/npfctl/npfctl.c
diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.35 src/usr.sbin/npf/npfctl/npfctl.c:1.36
--- src/usr.sbin/npf/npfctl/npfctl.c:1.35 Mon Mar 11 00:39:32 2013
+++ src/usr.sbin/npf/npfctl/npfctl.c Mon Mar 18 02:17:49 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.c,v 1.35 2013/03/11 00:39:32 christos Exp $ */
+/* $NetBSD: npfctl.c,v 1.36 2013/03/18 02:17:49 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.35 2013/03/11 00:39:32 christos Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.36 2013/03/18 02:17:49 rmind Exp $");
#include <sys/ioctl.h>
#include <sys/stat.h>
@@ -404,35 +404,37 @@ npfctl_rule(int fd, int argc, char **arg
static const struct ruleops_s {
const char * cmd;
int action;
+ bool extra_arg;
} ruleops[] = {
- { "add", NPF_CMD_RULE_ADD },
- { "rem", NPF_CMD_RULE_REMKEY },
- { "del", NPF_CMD_RULE_REMKEY },
- { "rem-id", NPF_CMD_RULE_REMOVE },
- { "list", NPF_CMD_RULE_LIST },
- { "flush", NPF_CMD_RULE_FLUSH },
- { NULL, 0 }
+ { "add", NPF_CMD_RULE_ADD, true },
+ { "rem", NPF_CMD_RULE_REMKEY, true },
+ { "del", NPF_CMD_RULE_REMKEY, true },
+ { "rem-id", NPF_CMD_RULE_REMOVE, true },
+ { "list", NPF_CMD_RULE_LIST, false },
+ { "flush", NPF_CMD_RULE_FLUSH, false },
+ { NULL, 0, 0 }
};
uint8_t key[NPF_RULE_MAXKEYLEN];
const char *ruleset_name = argv[0];
const char *cmd = argv[1];
int error, action = 0;
uint64_t rule_id;
+ bool extra_arg;
nl_rule_t *rl;
for (int n = 0; ruleops[n].cmd != NULL; n++) {
if (strcmp(cmd, ruleops[n].cmd) == 0) {
action = ruleops[n].action;
+ extra_arg = ruleops[n].extra_arg;
break;
}
}
+ argc -= 2;
+ argv += 2;
- bool narg = action == NPF_CMD_RULE_LIST || action == NPF_CMD_RULE_FLUSH;
- if (!action || (argc < 3 && !narg)) {
+ if (!action || (extra_arg && argc == 0)) {
usage();
}
- argc -= 2;
- argv += 2;
switch (action) {
case NPF_CMD_RULE_ADD:
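Review bot: `bool extra_arg;` is declared without an initializer and assigned only inside the matching branch of the `ruleops` loop, so its definedness rests on the short-circuit order of `if (!action || (extra_arg && argc == 0))` — correct today, but fragile and a likely `-Wmaybe-uninitialized` warning; write `bool extra_arg = false;` so the check does not depend on evaluation order. The sentinel entry `{ NULL, 0, 0 }` initializes the new `bool` member with `0` while every other row uses `true`/`false`; `{ NULL, 0, false }` keeps the table uniform. `argv[0]` and `argv[1]` are dereferenced before any check on `argc`, and the `argc -= 2` now precedes the usage check; the head of `npfctl_rule()` is outside this hunk, so whether the caller guarantees at least two arguments cannot be confirmed here and deserves a look.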
Index: src/usr.sbin/npf/npfctl/npfctl.h
diff -u src/usr.sbin/npf/npfctl/npfctl.h:1.27 src/usr.sbin/npf/npfctl/npfctl.h:1.28
--- src/usr.sbin/npf/npfctl/npfctl.h:1.27 Sat Feb 16 21:11:15 2013
+++ src/usr.sbin/npf/npfctl/npfctl.h Mon Mar 18 02:17:49 2013
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.h,v 1.27 2013/02/16 21:11:15 rmind Exp $ */
+/* $NetBSD: npfctl.h,v 1.28 2013/03/18 02:17:49 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -199,6 +199,7 @@ void npfctl_build_rule(uint32_t, u_int,
const opt_proto_t *, const filt_opts_t *, const char *);
void npfctl_build_natseg(int, int, u_int, const addr_port_t *,
const addr_port_t *, const filt_opts_t *);
+void npfctl_build_maprset(const char *, int, u_int);
void npfctl_build_table(const char *, u_int, const char *);
#endif