CVS commit: src/share/examples/npf

Fri, 07 Feb 2014 17:33:40 -0800 

Module Name:    src
Committed By:   rmind
Date:           Sat Feb  8 01:32:19 UTC 2014

Modified Files:
        src/share/examples/npf: host-npf.conf soho_gw-npf.conf

Log Message:
Sync some NPF config examples with the reality.


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/share/examples/npf/host-npf.conf \
    src/share/examples/npf/soho_gw-npf.conf

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/share/examples/npf/host-npf.conf
diff -u src/share/examples/npf/host-npf.conf:1.5 src/share/examples/npf/host-npf.conf:1.6
--- src/share/examples/npf/host-npf.conf:1.5	Fri Sep 20 17:51:04 2013
+++ src/share/examples/npf/host-npf.conf	Sat Feb  8 01:32:19 2014
@@ -1,4 +1,4 @@
-# $NetBSD: host-npf.conf,v 1.5 2013/09/20 17:51:04 spz Exp $
+# $NetBSD: host-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
 #
 # this is an example of NPF rules for a host (i.e., not routing) with
 # two network interfaces, wired and wifi
@@ -36,18 +36,18 @@ group "wired" on $wired_if {
 	# not being picky about our own address here
 	pass in  final family inet6 proto ipv6-icmp all
 	pass out final family inet6 proto ipv6-icmp all
-	pass in  final family inet  proto icmp      all
+	pass in  final family inet4 proto icmp      all
 
-	pass in  final family inet proto tcp \
+	pass in  final family inet4 proto tcp \
 		from $dhcpserver port bootps to $wired_v4 port bootpc
-	pass in  final family inet proto udp \
+	pass in  final family inet4 proto udp \
 		from $dhcpserver port bootps to $wired_v4 port bootpc
 
 	pass in final family inet6 proto tcp to $wired_v6 port ssh
 
-	pass in final family inet  proto tcp flags S/SA \
+	pass in final family inet4 proto tcp flags S/SA \
 		from $backupsrv_v4 to $wired_v4 port $backup_port 
-	pass in final family inet  proto udp \
+	pass in final family inet4 proto udp \
 		from $backupsrv_v4 to $wired_v4 port $backup_port
 	pass in final family inet6 proto tcp flags S/SA \
 		from $backupsrv_v6 to $wired_v6 port $backup_port 
@@ -56,21 +56,21 @@ group "wired" on $wired_if {
 
 	pass stateful in final family inet6 proto udp to $wired_v6 \
 		port $services_udp
-	pass stateful in final family inet  proto udp to $wired_v6 \
+	pass stateful in final family inet4 proto udp to $wired_v6 \
 		port $services_udp
 
 	# only SYN packets need to generate state
 	pass stateful out final family inet6 proto tcp flags S/SA \
 		from $wired_v6
-	pass stateful out final family inet  proto tcp flags S/SA \
+	pass stateful out final family inet4 proto tcp flags S/SA \
 		from $wired_v4
 	# pass the other tcp packets without generating extra state
 	pass out final family inet6 proto tcp from $wired_v6
-	pass out final family inet  proto tcp from $wired_v4
+	pass out final family inet4 proto tcp from $wired_v4
 
 	# all other types of traffic, generate state per packet
 	pass stateful out final family inet6 from $wired_v6
-	pass stateful out final family inet  from $wired_v4
+	pass stateful out final family inet4 from $wired_v4
 
 }
 
@@ -84,36 +84,36 @@ group "wifi" on $wifi_if {
 	pass out final family inet6 proto ipv6-icmp from ff00::/10
 
 	pass in  final family inet6 proto ipv6-icmp to $wifi_v6
-	pass in  final family inet  proto icmp      to $wifi_v6
+	pass in  final family inet4 proto icmp      to $wifi_v6
 
-	pass in  final family inet proto tcp \
+	pass in  final family inet4 proto tcp \
 		from any port bootps to $wifi_v4 port bootpc
-	pass in  final family inet proto udp \
+	pass in  final family inet4 proto udp \
 		from any port bootps to $wifi_v4 port bootpc
 
         pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh 
 
         pass in final family inet6 proto udp to $wifi_v6 port $services_udp
-        pass in final family inet  proto udp to $wifi_v4 port $services_udp
+        pass in final family inet4 proto udp to $wifi_v4 port $services_udp
 
 	# IPSEC
 	pass in final family inet6 proto udp to $wifi_v6 port isakmp
-	pass in final family inet  proto udp to $wifi_v4 port isakmp
+	pass in final family inet4 proto udp to $wifi_v4 port isakmp
 	pass in family inet6 proto esp all
-	pass in family inet  proto esp all
+	pass in family inet4 proto esp all
 
 	# only SYN packets need to generate state
         pass stateful out final family inet6 proto tcp flags S/SA \
 		from $wifi_v6
-        pass stateful out final family inet  proto tcp flags S/SA \
+        pass stateful out final family inet4 proto tcp flags S/SA \
 		from $wifi_v4
 	# pass the other tcp packets without generating extra state
         pass out final family inet6 proto tcp from $wifi_v6
-        pass out final family inet  proto tcp from $wifi_v4
+        pass out final family inet4 proto tcp from $wifi_v4
 
 	# all other types of traffic, generate state per packet
         pass stateful out final family inet6 from $wifi_v6
-        pass stateful out final family inet  from $wifi_v4
+        pass stateful out final family inet4 from $wifi_v4
 }
 
 group default {
Index: src/share/examples/npf/soho_gw-npf.conf
diff -u src/share/examples/npf/soho_gw-npf.conf:1.5 src/share/examples/npf/soho_gw-npf.conf:1.6
--- src/share/examples/npf/soho_gw-npf.conf:1.5	Fri Sep 20 17:51:04 2013
+++ src/share/examples/npf/soho_gw-npf.conf	Sat Feb  8 01:32:19 2014
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.5 2013/09/20 17:51:04 spz Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
 #
 # SOHO border
 #
@@ -8,14 +8,14 @@
 
 $ext_if = "wm0"
 $ext_v4 = inet4(wm0)
-$ext_addrs = { ifnet(wm0) }
+$ext_addrs = { inet4(wm0), inet6(wm0) }
 
 $int_if = "wm1"
 
 # a table to house e.g. block candidates in
-table <1> type hash file "/usr/share/examples/npf/hashtablefile"
-# feed this using "npfctl table 2 add 198.51.100.16/29" f.e.
-table <2> type tree dynamic
+table <block> type hash file "/usr/share/examples/npf/hashtablefile"
+# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
+table <int-block> type tree dynamic
 
 $services_tcp = { http, https, smtp, domain, 6000, 9022 }
 $services_udp = { domain, ntp, 6000 }
@@ -37,8 +37,8 @@ procedure "log" {
 group "external" on $ext_if {
 	pass stateful out final all
 
-	block in final from <1>
-	pass stateful in final family inet proto tcp to $ext_v4 port ssh \
+	block in final from <block>
+	pass stateful in final family inet4 proto tcp to $ext_v4 port ssh \
 		apply "log"
 	pass stateful in final proto tcp to $ext_addrs port $services_tcp
 	pass stateful in final proto udp to $ext_addrs port $services_udp
@@ -51,7 +51,7 @@ group "external" on $ext_if {
 
 group "internal" on $int_if {
 	block in all
-	pass in final from <2>
+	pass in final from <int-block>
 	pass out final all
 }

Reply via email to