- Extend npf.conf syntax to support dynamic NAT policies.

- Imply dynamic group when using "ruleset" keyword.

usr.sbin/npf/npfctl/npf_build.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.21 2013/02/16 21:11:14 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.22 2013/03/18 02:17:49 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.21 2013/02/16 21:11:14 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.22 2013/03/18 02:17:49 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -453,6 +453,22 @@ npfctl_build_rproc(const char *name, npfvar_t *procs)
 	}
 }
 
+void
+npfctl_build_maprset(const char *name, int attr, u_int if_idx)
+{
+	const int attr_di = (NPF_RULE_IN | NPF_RULE_OUT);
+	nl_rule_t *rl;
+
+	/* If no direction is not specified, then both. */
+	if ((attr & attr_di) == 0) {
+		attr |= attr_di;
+	}
+	/* Allow only "in/out" attributes. */
+	attr = NPF_RULE_GROUP | NPF_RULE_GROUP | (attr & attr_di);
+	rl = npf_rule_create(name, attr, if_idx);
+	npf_nat_insert(npf_conf, rl, NPF_PRI_LAST);
+}
+
 /*
  * npfctl_build_group: create a group, insert into the global ruleset,
  * update the current group pointer and increase the nesting level.

usr.sbin/npf/npfctl/npf_parse.y

@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_parse.y,v 1.20 2013/03/11 00:09:07 christos Exp $	*/
+/*	$NetBSD: npf_parse.y,v 1.21 2013/03/18 02:17:49 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -131,6 +131,7 @@ yyerror(const char *fmt, ...)
 %token			RETURN
 %token			RETURNICMP
 %token			RETURNRST
+%token			RULESET
 %token			SEPLINE
 %token			SLASH
 %token			STATEFUL
@@ -310,6 +311,10 @@ map
 	{
 		npfctl_build_natseg($3, $5, $2, &$4, &$6, NULL);
 	}
+	| MAP RULESET PAR_OPEN group_attr PAR_CLOSE
+	{
+		npfctl_build_maprset($4.rg_name, $4.rg_attr, $4.rg_ifnum);
+	}
 	;
 
 rproc
@@ -383,6 +388,15 @@ group
 	}
 	;
 
+ruleset
+	: RULESET PAR_OPEN group_attr PAR_CLOSE
+	{
+		/* Ruleset is a dynamic group. */
+		npfctl_build_group($3.rg_name, $3.rg_attr | NPF_RULE_DYNAMIC,
+		    $3.rg_ifnum, $3.rg_default);
+		npfctl_build_group_end();
+	}
+
 group_attr
 	: group_opt COMMA group_attr
 	{
@@ -443,18 +457,18 @@ group_opt
 	;
 
 ruleset_block
-	: CURLY_OPEN ruleset CURLY_CLOSE
-	| /* Empty (for a dynamic ruleset). */
+	: CURLY_OPEN ruleset_def CURLY_CLOSE
 	;
 
-ruleset
-	: rule_group SEPLINE ruleset
+ruleset_def
+	: rule_group SEPLINE ruleset_def
 	| rule_group
 	;
 
 rule_group
 	: rule
 	| group
+	| ruleset
 	|
 
 rule

usr.sbin/npf/npfctl/npf_scan.l

@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_scan.l,v 1.10 2013/02/09 03:35:33 rmind Exp $	*/
+/*	$NetBSD: npf_scan.l,v 1.11 2013/03/18 02:17:49 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -130,7 +130,7 @@ ipv6-icmp		{ yylval.num = IPPROTO_ICMPV6; return ICMP6; }
 return-rst		return RETURNRST;
 return-icmp		return RETURNICMP;
 return			return RETURN;
-ruleset			return GROUP;
+ruleset			return RULESET;
 from			return FROM;
 to			return TO;
 port			return PORT;

usr.sbin/npf/npfctl/npfctl.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.c,v 1.35 2013/03/11 00:39:32 christos Exp $	*/
+/*	$NetBSD: npfctl.c,v 1.36 2013/03/18 02:17:49 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.35 2013/03/11 00:39:32 christos Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.36 2013/03/18 02:17:49 rmind Exp $");
 
 #include <sys/ioctl.h>
 #include <sys/stat.h>
@@ -404,36 +404,38 @@ npfctl_rule(int fd, int argc, char **argv)
 	static const struct ruleops_s {
 		const char *	cmd;
 		int		action;
+		bool		extra_arg;
 	} ruleops[] = {
-		{ "add",	NPF_CMD_RULE_ADD		},
-		{ "rem",	NPF_CMD_RULE_REMKEY		},
-		{ "del",	NPF_CMD_RULE_REMKEY		},
-		{ "rem-id",	NPF_CMD_RULE_REMOVE		},
-		{ "list",	NPF_CMD_RULE_LIST		},
-		{ "flush",	NPF_CMD_RULE_FLUSH		},
-		{ NULL,		0				}
+		{ "add",	NPF_CMD_RULE_ADD,	true	},
+		{ "rem",	NPF_CMD_RULE_REMKEY,	true	},
+		{ "del",	NPF_CMD_RULE_REMKEY,	true	},
+		{ "rem-id",	NPF_CMD_RULE_REMOVE,	true	},
+		{ "list",	NPF_CMD_RULE_LIST,	false	},
+		{ "flush",	NPF_CMD_RULE_FLUSH,	false	},
+		{ NULL,		0,			0	}
 	};
 	uint8_t key[NPF_RULE_MAXKEYLEN];
 	const char *ruleset_name = argv[0];
 	const char *cmd = argv[1];
 	int error, action = 0;
 	uint64_t rule_id;
+	bool extra_arg;
 	nl_rule_t *rl;
 
 	for (int n = 0; ruleops[n].cmd != NULL; n++) {
 		if (strcmp(cmd, ruleops[n].cmd) == 0) {
 			action = ruleops[n].action;
+			extra_arg = ruleops[n].extra_arg;
 			break;
 		}
 	}
-
-	bool narg = action == NPF_CMD_RULE_LIST || action == NPF_CMD_RULE_FLUSH;
-	if (!action || (argc < 3 && !narg)) {
-		usage();
-	}
 	argc -= 2;
 	argv += 2;
 
+	if (!action || (extra_arg && argc == 0)) {
+		usage();
+	}
+
 	switch (action) {
 	case NPF_CMD_RULE_ADD:
 		rl = npfctl_parse_rule(argc, argv);

usr.sbin/npf/npfctl/npfctl.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.h,v 1.27 2013/02/16 21:11:15 rmind Exp $	*/
+/*	$NetBSD: npfctl.h,v 1.28 2013/03/18 02:17:49 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -199,6 +199,7 @@ void		npfctl_build_rule(uint32_t, u_int, sa_family_t,
 		    const opt_proto_t *, const filt_opts_t *, const char *);
 void		npfctl_build_natseg(int, int, u_int, const addr_port_t *,
 		    const addr_port_t *, const filt_opts_t *);
+void		npfctl_build_maprset(const char *, int, u_int);
 void		npfctl_build_table(const char *, u_int, const char *);
 
 #endif