diff --git a/usr.sbin/npf/npfctl/npf_build.c b/usr.sbin/npf/npfctl/npf_build.c index 57da3b56e306..279c134179de 100644 --- a/usr.sbin/npf/npfctl/npf_build.c +++ b/usr.sbin/npf/npfctl/npf_build.c @@ -1,4 +1,4 @@ -/* $NetBSD: npf_build.c,v 1.21 2013/02/16 21:11:14 rmind Exp $ */ +/* $NetBSD: npf_build.c,v 1.22 2013/03/18 02:17:49 rmind Exp $ */ /*- * Copyright (c) 2011-2013 The NetBSD Foundation, Inc. @@ -34,7 +34,7 @@ */ #include -__RCSID("$NetBSD: npf_build.c,v 1.21 2013/02/16 21:11:14 rmind Exp $"); +__RCSID("$NetBSD: npf_build.c,v 1.22 2013/03/18 02:17:49 rmind Exp $"); #include #include @@ -453,6 +453,22 @@ npfctl_build_rproc(const char *name, npfvar_t *procs) } } +void +npfctl_build_maprset(const char *name, int attr, u_int if_idx) +{ + const int attr_di = (NPF_RULE_IN | NPF_RULE_OUT); + nl_rule_t *rl; + + /* If no direction is not specified, then both. */ + if ((attr & attr_di) == 0) { + attr |= attr_di; + } + /* Allow only "in/out" attributes. */ + attr = NPF_RULE_GROUP | NPF_RULE_GROUP | (attr & attr_di); + rl = npf_rule_create(name, attr, if_idx); + npf_nat_insert(npf_conf, rl, NPF_PRI_LAST); +} + /* * npfctl_build_group: create a group, insert into the global ruleset, * update the current group pointer and increase the nesting level. diff --git a/usr.sbin/npf/npfctl/npf_parse.y b/usr.sbin/npf/npfctl/npf_parse.y index c657c02f2137..d5b46b1c1732 100644 --- a/usr.sbin/npf/npfctl/npf_parse.y +++ b/usr.sbin/npf/npfctl/npf_parse.y @@ -1,4 +1,4 @@ -/* $NetBSD: npf_parse.y,v 1.20 2013/03/11 00:09:07 christos Exp $ */ +/* $NetBSD: npf_parse.y,v 1.21 2013/03/18 02:17:49 rmind Exp $ */ /*- * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. @@ -131,6 +131,7 @@ yyerror(const char *fmt, ...) %token RETURN %token RETURNICMP %token RETURNRST +%token RULESET %token SEPLINE %token SLASH %token STATEFUL 
@@ -310,6 +311,10 @@ map { npfctl_build_natseg($3, $5, $2, &$4, &$6, NULL); } + | MAP RULESET PAR_OPEN group_attr PAR_CLOSE + { + npfctl_build_maprset($4.rg_name, $4.rg_attr, $4.rg_ifnum); + } ; rproc @@ -383,6 +388,15 @@ group } ; +ruleset + : RULESET PAR_OPEN group_attr PAR_CLOSE + { + /* Ruleset is a dynamic group. */ + npfctl_build_group($3.rg_name, $3.rg_attr | NPF_RULE_DYNAMIC, + $3.rg_ifnum, $3.rg_default); + npfctl_build_group_end(); + } + group_attr : group_opt COMMA group_attr { @@ -443,18 +457,18 @@ group_opt ; ruleset_block - : CURLY_OPEN ruleset CURLY_CLOSE - | /* Empty (for a dynamic ruleset). */ + : CURLY_OPEN ruleset_def CURLY_CLOSE ; -ruleset - : rule_group SEPLINE ruleset +ruleset_def + : rule_group SEPLINE ruleset_def | rule_group ; rule_group : rule | group + | ruleset | rule diff --git a/usr.sbin/npf/npfctl/npf_scan.l b/usr.sbin/npf/npfctl/npf_scan.l index 383cb2d705b4..678f124d6f70 100644 --- a/usr.sbin/npf/npfctl/npf_scan.l +++ b/usr.sbin/npf/npfctl/npf_scan.l @@ -1,4 +1,4 @@ -/* $NetBSD: npf_scan.l,v 1.10 2013/02/09 03:35:33 rmind Exp $ */ +/* $NetBSD: npf_scan.l,v 1.11 2013/03/18 02:17:49 rmind Exp $ */ /*- * Copyright (c) 2011-2012 The NetBSD Foundation, Inc. @@ -130,7 +130,7 @@ ipv6-icmp { yylval.num = IPPROTO_ICMPV6; return ICMP6; } return-rst return RETURNRST; return-icmp return RETURNICMP; return return RETURN; -ruleset return GROUP; +ruleset return RULESET; from return FROM; to return TO; port return PORT; diff --git a/usr.sbin/npf/npfctl/npfctl.c b/usr.sbin/npf/npfctl/npfctl.c index 53215012f0a6..f48a96a99c7e 100644 --- a/usr.sbin/npf/npfctl/npfctl.c +++ b/usr.sbin/npf/npfctl/npfctl.c @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.35 2013/03/11 00:39:32 christos Exp $ */ +/* $NetBSD: npfctl.c,v 1.36 2013/03/18 02:17:49 rmind Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. 
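Review bot: The `MAP RULESET PAR_OPEN group_attr PAR_CLOSE` action passes only `$4.rg_name`, `$4.rg_attr` and `$4.rg_ifnum` to npfctl_build_maprset, while `group_attr` also carries `rg_default` (the sibling `ruleset` production forwards it to npfctl_build_group); a `default` attribute written on a `map ruleset` would therefore be accepted by the grammar and silently ignored. Either reject it in the action, e.g. `if ($4.rg_default) yyerror("default is not valid for a map ruleset");`, or document in a comment that the attribute has no meaning here. The `map` production starts before this hunk.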
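Review bot: The new `ruleset` production is not terminated with `;` before `group_attr` begins, unlike the neighbouring `group` and `group_attr` productions which each end with `;`; whether yacc accepts the omission or not, it is inconsistent with the rest of the grammar and makes the boundary between the two productions easy to misread. Add the terminator after the action block, `npfctl_build_group_end(); } ;`, to match the sibling productions. The semantic point of the action — that a ruleset is a group with `NPF_RULE_DYNAMIC` set — is already stated in its comment.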
@@ -30,7 +30,7 @@ */ #include -__RCSID("$NetBSD: npfctl.c,v 1.35 2013/03/11 00:39:32 christos Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.36 2013/03/18 02:17:49 rmind Exp $"); #include #include @@ -404,36 +404,38 @@ npfctl_rule(int fd, int argc, char **argv) static const struct ruleops_s { const char * cmd; int action; + bool extra_arg; } ruleops[] = { - { "add", NPF_CMD_RULE_ADD }, - { "rem", NPF_CMD_RULE_REMKEY }, - { "del", NPF_CMD_RULE_REMKEY }, - { "rem-id", NPF_CMD_RULE_REMOVE }, - { "list", NPF_CMD_RULE_LIST }, - { "flush", NPF_CMD_RULE_FLUSH }, - { NULL, 0 } + { "add", NPF_CMD_RULE_ADD, true }, + { "rem", NPF_CMD_RULE_REMKEY, true }, + { "del", NPF_CMD_RULE_REMKEY, true }, + { "rem-id", NPF_CMD_RULE_REMOVE, true }, + { "list", NPF_CMD_RULE_LIST, false }, + { "flush", NPF_CMD_RULE_FLUSH, false }, + { NULL, 0, 0 } }; uint8_t key[NPF_RULE_MAXKEYLEN]; const char *ruleset_name = argv[0]; const char *cmd = argv[1]; int error, action = 0; uint64_t rule_id; + bool extra_arg; nl_rule_t *rl; for (int n = 0; ruleops[n].cmd != NULL; n++) { if (strcmp(cmd, ruleops[n].cmd) == 0) { action = ruleops[n].action; + extra_arg = ruleops[n].extra_arg; break; } } - - bool narg = action == NPF_CMD_RULE_LIST || action == NPF_CMD_RULE_FLUSH; - if (!action || (argc < 3 && !narg)) { - usage(); - } argc -= 2; argv += 2; + if (!action || (extra_arg && argc == 0)) { + usage(); + } + switch (action) { case NPF_CMD_RULE_ADD: rl = npfctl_parse_rule(argc, argv); diff --git a/usr.sbin/npf/npfctl/npfctl.h b/usr.sbin/npf/npfctl/npfctl.h index 03354c563729..dc39c385c03c 100644 --- a/usr.sbin/npf/npfctl/npfctl.h +++ b/usr.sbin/npf/npfctl/npfctl.h @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.h,v 1.27 2013/02/16 21:11:15 rmind Exp $ */ +/* $NetBSD: npfctl.h,v 1.28 2013/03/18 02:17:49 rmind Exp $ */ /*- * Copyright (c) 2009-2013 The NetBSD Foundation, Inc. 
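Review bot: `bool extra_arg;` in npfctl_rule is declared uninitialised and only assigned when `cmd` matches a row of `ruleops`; the later test `if (!action || (extra_arg && argc == 0))` is correct only because `!action` short-circuits on a miss, which is fragile and likely to draw a maybe-uninitialised warning — initialise it, `bool extra_arg = false;`. The table sentinel `{ NULL, 0, 0 }` writes a bare `0` into the new `bool extra_arg` field where every other row uses `true`/`false`; `{ NULL, 0, false }` keeps the rows uniform. npfctl_rule starts before and continues after this hunk, and `argc -= 2` relies on the caller having already guaranteed at least two arguments, which is not visible here.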
@@ -199,6 +199,7 @@ void npfctl_build_rule(uint32_t, u_int, sa_family_t, const opt_proto_t *, const filt_opts_t *, const char *); void npfctl_build_natseg(int, int, u_int, const addr_port_t *, const addr_port_t *, const filt_opts_t *); +void npfctl_build_maprset(const char *, int, u_int); void npfctl_build_table(const char *, u_int, const char *); #endif