Module Name:    src
Committed By:   rmind
Date:           Sat Feb  8 01:20:09 UTC 2014

Modified Files:
        src/usr.sbin/npf/npfctl: npf.conf.5 npf_parse.y npf_scan.l npf_show.c

Log Message:
NPF:
- Adjust the syntax - remove "inet" keyword in favour of more explicit
  "inet4" for the address family.  Consistent with "inet6" for IPv6.
- Adjust and improve the man page a little bit.


To generate a diff of this commit:
cvs rdiff -u -r1.37 -r1.38 src/usr.sbin/npf/npfctl/npf.conf.5
cvs rdiff -u -r1.30 -r1.31 src/usr.sbin/npf/npfctl/npf_parse.y
cvs rdiff -u -r1.17 -r1.18 src/usr.sbin/npf/npfctl/npf_scan.l
cvs rdiff -u -r1.9 -r1.10 src/usr.sbin/npf/npfctl/npf_show.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/npf/npfctl/npf.conf.5
diff -u src/usr.sbin/npf/npfctl/npf.conf.5:1.37 src/usr.sbin/npf/npfctl/npf.conf.5:1.38
--- src/usr.sbin/npf/npfctl/npf.conf.5:1.37	Thu Feb  6 07:36:36 2014
+++ src/usr.sbin/npf/npfctl/npf.conf.5	Sat Feb  8 01:20:09 2014
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.37 2014/02/06 07:36:36 wiz Exp $
+.\"    $NetBSD: npf.conf.5,v 1.38 2014/02/08 01:20:09 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd February 6, 2014
+.Dd February 8, 2014
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -134,7 +134,7 @@ to apply a procedure to the packet (e.g.
 .Pp
 A "fully-featured" rule would for example be:
 .Bd -literal
-pass stateful in final family inet proto tcp flags S/SA \\
+pass stateful in final family inet4 proto tcp flags S/SA \\
 	from $source port $sport to $dest port $dport apply "someproc"
 .Ed
 .Pp
@@ -157,7 +157,7 @@ Fragments are not selectable since NPF a
 before further processing.
 .Ss Map
 Network Address Translation (NAT) is expressed in a form of segment mapping.
-At present, only dynamic translation is supported.
+The translation may be dynamic (stateful) or static (stateless).
 The following mapping types are available:
 .Pp
 .Bl -tag -width <-> -compact
@@ -260,7 +260,7 @@ dynamic-ruleset	= "ruleset" group-opts
 rule		= static-rule | dynamic-ruleset
 
 block-opts	= "return-rst" | "return-icmp" | "return"
-family-opt	= "inet" | "inet6"
+family-opt	= "inet4" | "inet6"
 proto-opts	= "flags" tcp-flags [ "/" tcp-flag-mask ] |
 		  "icmp-type" type [ "code" icmp-code ]
 
@@ -285,7 +285,7 @@ directory containing further examples
 $ext_if = { inet4(wm0), inet6(wm0) }
 $int_if = { inet4(wm1), inet6(wm1) }
 
-table <black> type hash file "/etc/npf_blacklist"
+table <blacklist> type hash file "/etc/npf_blacklist"
 table <limited> type tree dynamic
 
 $services_tcp = { http, https, smtp, domain, 6000, 9022 }
@@ -306,8 +306,8 @@ procedure "log" {
 group "external" on $ext_if {
 	pass stateful out final all
 
-	block in final from \*[Lt]black\*[Gt]
-	pass stateful in final family inet proto tcp to $ext_if port ssh apply "log"
+	block in final from \*[Lt]blacklist\*[Gt]
+	pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log"
 	pass stateful in final proto tcp to $ext_if port $services_tcp
 	pass stateful in final proto udp to $ext_if port $services_udp
 	pass stateful in final proto tcp to $ext_if port 49151-65535	# Passive FTP
@@ -318,7 +318,7 @@ group "internal" on $int_if {
 	block in all
 	block in final from \*[Lt]limited\*[Gt]
 
-	# Ingress filtering as per RFC 2827.
+	# Ingress filtering as per BCP 38 / RFC 2827.
 	pass in final from $localnet
 	pass out final all
 }

Index: src/usr.sbin/npf/npfctl/npf_parse.y
diff -u src/usr.sbin/npf/npfctl/npf_parse.y:1.30 src/usr.sbin/npf/npfctl/npf_parse.y:1.31
--- src/usr.sbin/npf/npfctl/npf_parse.y:1.30	Thu Feb  6 02:51:28 2014
+++ src/usr.sbin/npf/npfctl/npf_parse.y	Sat Feb  8 01:20:09 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_parse.y,v 1.30 2014/02/06 02:51:28 rmind Exp $	*/
+/*	$NetBSD: npf_parse.y,v 1.31 2014/02/08 01:20:09 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -108,7 +108,6 @@ yyerror(const char *fmt, ...)
 %token			HASH
 %token			ICMPTYPE
 %token			ID
-%token			IFNET
 %token			IN
 %token			INET4
 %token			INET6

Index: src/usr.sbin/npf/npfctl/npf_scan.l
diff -u src/usr.sbin/npf/npfctl/npf_scan.l:1.17 src/usr.sbin/npf/npfctl/npf_scan.l:1.18
--- src/usr.sbin/npf/npfctl/npf_scan.l:1.17	Thu Feb  6 02:51:28 2014
+++ src/usr.sbin/npf/npfctl/npf_scan.l	Sat Feb  8 01:20:09 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_scan.l,v 1.17 2014/02/06 02:51:28 rmind Exp $	*/
+/*	$NetBSD: npf_scan.l,v 1.18 2014/02/08 01:20:09 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -122,7 +122,6 @@ quick			return FINAL;
 on			return ON;
 inet6			return INET6;
 inet4			return INET4;
-inet			return INET4;
 proto			return PROTO;
 family			return FAMILY;
 tcp			return TCP;

Index: src/usr.sbin/npf/npfctl/npf_show.c
diff -u src/usr.sbin/npf/npfctl/npf_show.c:1.9 src/usr.sbin/npf/npfctl/npf_show.c:1.10
--- src/usr.sbin/npf/npfctl/npf_show.c:1.9	Fri Feb  7 23:45:22 2014
+++ src/usr.sbin/npf/npfctl/npf_show.c	Sat Feb  8 01:20:09 2014
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.9 2014/02/07 23:45:22 rmind Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.10 2014/02/08 01:20:09 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.9 2014/02/07 23:45:22 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.10 2014/02/08 01:20:09 rmind Exp $");
 
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -111,7 +111,7 @@ print_family(npf_conf_info_t *ctx, const
 
 	switch (af) {
 	case AF_INET:
-		return estrdup("inet");
+		return estrdup("inet4");
 	case AF_INET6:
 		return estrdup("inet6");
 	default:
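Review bot: The literal returned for AF_INET now has to stay in lock-step with the keyword accepted in npf_scan.l, since this same commit drops the `inet` alias from the scanner, but nothing in print_family records that coupling. A one-line comment above the switch would save the next person from silently breaking round-tripping, e.g. `/* Keep these strings identical to the family keywords in npf_scan.l; */` `/* presumably the printed configuration is meant to be re-parsable. */`. print_family starts before the hunk and its default branch continues past it, so how an unknown family is reported is not visible here.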
