- Add NPF version check in proplist as well, not only ioctl. Bump the version.
- Fix a bug in table entry lookup. - Updates/fixes to the man pages. Misc.
This commit is contained in:
parent
67d7dad798
commit
57ff5416fd
@ -1,4 +1,4 @@
.\" $NetBSD: npf.3,v 1.5 2012/07/01 23:21:07 rmind Exp $
.\" $NetBSD: npf.3,v 1.6 2012/12/23 21:01:05 rmind Exp $
.\"
.\" Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd July 1, 2012
.Dd December 23, 2012
.Dt NPF 3
.Os
.Sh NAME
@ -77,20 +77,14 @@
.Ft nl_table_t *
.Fn npf_table_create "u_int id" "int type"
.Ft int
.Fn npf_table_add_entry "nl_table_t *tl" "in_addr_t addr" "in_addr_t mask"
.Fn npf_table_add_entry "nl_table_t *tl" "int "af" \
"in_addr_t addr" "in_addr_t mask"
.Ft bool
.Fn npf_table_exists_p "nl_config_t *ncf" "u_int tid"
.Ft int
.Fn npf_table_insert "nl_config_t *ncf" "nl_table_t *tl"
.Ft void
.Fn npf_table_destroy "nl_table_t *tl"
.\" ---
.Ft int
.Fn npf_update_rule "int fd" "const char *rname" "nl_rule_t *rl"
.Ft int
.Fn npf_sessions_send "int fd" "const char *fpath"
.Ft int
.Fn npf_sessions_recv "int fd" "const char *fpath"
.\" -----
.Sh DESCRIPTION
The
@ -261,13 +255,20 @@ Table is identified by
which should be in the range between 1 and
.Dv NPF_MAX_TABLE_ID .
.El
.It Fn npf_table_add_entry "tl" "addr" "mask"
Add an entry of IPv4 address and mask, specified by
.It Fn npf_table_add_entry "tl" "af" "addr" "mask"
Add an entry of IP address and mask, specified by
.Fa addr
and
.Fa mask ,
to the table specified by
.Fa tl .
Family, specified by
.Fa fa ,
must be either
.Dv AF_INET
for IPv4 or
.Dv AF_INET6
for IPv6 address.
.It Fn npf_table_exists_p "ncf" "name"
Determine whether table with ID
.Fa tid
@ -285,19 +286,6 @@ Routine performs a check for duplicate table ID.
Destroy the specified table.
.El
.\" -----
.Ss Session interface
.Bl -tag -width 4n
.It Fn npf_update_rule "fd" "rname" "rl"
.It Fn npf_sessions_send "fd" "fpath"
Read the file specified by
.Fa fpath ,
and send sessions saved in it to the kernel.
.It Fn npf_sessions_recv "fd" "fpath"
Receive currently loaded session from the kernel, and save them to a file
specified by
.Fa fpath .
.El
.\" -----
.Sh SEE ALSO
.Xr npfctl 8 ,
.Xr npf_ncode 9
@ -1,4 +1,4 @@
/* $NetBSD: npf.c,v 1.14 2012/10/28 16:27:20 rmind Exp $ */
/* $NetBSD: npf.c,v 1.15 2012/12/23 21:01:05 rmind Exp $ */
/*-
* Copyright (c) 2010-2012 The NetBSD Foundation, Inc.
@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.14 2012/10/28 16:27:20 rmind Exp $");
__KERNEL_RCSID(0, "$NetBSD: npf.c,v 1.15 2012/12/23 21:01:05 rmind Exp $");
#include <sys/types.h>
#include <netinet/in_systm.h>
@ -121,14 +121,15 @@ npf_config_submit(nl_config_t *ncf, int fd)
if (npf_dict == NULL) {
return ENOMEM;
}
if (ncf->ncf_debug) {
prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
}
prop_dictionary_set_uint32(npf_dict, "version", NPF_VERSION);
prop_dictionary_set(npf_dict, "rules", ncf->ncf_rules_list);
prop_dictionary_set(npf_dict, "rprocs", ncf->ncf_rproc_list);
prop_dictionary_set(npf_dict, "tables", ncf->ncf_table_list);
prop_dictionary_set(npf_dict, "translation", ncf->ncf_nat_list);
prop_dictionary_set_bool(npf_dict, "flush", ncf->ncf_flush);
if (ncf->ncf_debug) {
prop_dictionary_set(npf_dict, "debug", ncf->ncf_debug);
}
if (plist) {
if (!prop_dictionary_externalize_to_file(npf_dict, plist)) {
@ -664,24 +665,36 @@ npf_table_create(u_int id, int type)
}
int
npf_table_add_entry(nl_table_t *tl, const int alen,
const npf_addr_t *addr, const npf_netmask_t mask)
npf_table_add_entry(nl_table_t *tl, int af, const npf_addr_t *addr,
const npf_netmask_t mask)
{
prop_dictionary_t tldict = tl->ntl_dict, entdict;
prop_array_t tblents;
prop_data_t addrdata;
unsigned alen;
/* Create the table entry. */
entdict = prop_dictionary_create();
if (entdict == NULL) {
return ENOMEM;
}
switch (af) {
case AF_INET:
alen = sizeof(struct in_addr);
break;
case AF_INET6:
alen = sizeof(struct in6_addr);
break;
default:
return EINVAL;
}
addrdata = prop_data_create_data(addr, alen);
prop_dictionary_set(entdict, "addr", addrdata);
prop_dictionary_set_uint8(entdict, "mask", mask);
prop_object_release(addrdata);
/* Insert the entry. */
tblents = prop_dictionary_get(tldict, "entries");
prop_array_add(tblents, entdict);
prop_object_release(entdict);
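Review bot: In npf_table_add_entry, the `default:` arm of the new `switch (af)` returns EINVAL after `entdict` has already been obtained from prop_dictionary_create(), so an unsupported family leaks that dictionary on every call. Either move the family check above the allocation or release it on the way out: `default: prop_object_release(entdict); return EINVAL;`. On the following lines the result of `prop_data_create_data(addr, alen)` is stored without the NULL check that `entdict` gets, so an allocation failure there would add an entry with no address. The function's return statement lies outside the hunk.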
@ -1,4 +1,4 @@
/* $NetBSD: npf.h,v 1.11 2012/09/16 13:47:42 rmind Exp $ */
/* $NetBSD: npf.h,v 1.12 2012/12/23 21:01:05 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@ -103,20 +103,20 @@ nl_nat_t * npf_nat_create(int, u_int, u_int, npf_addr_t *, int, in_port_t);
int npf_nat_insert(nl_config_t *, nl_nat_t *, pri_t);
nl_table_t * npf_table_create(u_int, int);
int npf_table_add_entry(nl_table_t *, const int,
int npf_table_add_entry(nl_table_t *, int,
const npf_addr_t *, const npf_netmask_t);
bool npf_table_exists_p(nl_config_t *, u_int);
int npf_table_insert(nl_config_t *, nl_table_t *);
void npf_table_destroy(nl_table_t *);
int npf_update_rule(int, const char *, nl_rule_t *);
int npf_sessions_send(int, const char *);
int npf_sessions_recv(int, const char *);
#ifdef _NPF_PRIVATE
#include <ifaddrs.h>
int npf_update_rule(int, const char *, nl_rule_t *);
int npf_sessions_send(int, const char *);
int npf_sessions_recv(int, const char *);
void _npf_config_error(nl_config_t *, nl_error_t *);
void _npf_config_setsubmit(nl_config_t *, const char *);
int _npf_rule_foreach(nl_config_t *, nl_rule_callback_t);
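Review bot: The new `int` family parameter of npf_table_add_entry is declared with no hint of which values it accepts, so a reader of this header has to find the switch in npf.c to learn that only AF_INET and AF_INET6 are taken and anything else fails with EINVAL. A one-line comment on the prototype would carry that contract with the declaration: `/* af: AF_INET or AF_INET6; any other value fails with EINVAL */`. The npf_update_rule/npf_sessions_* prototypes seem to move out of the `_NPF_PRIVATE` block in this section, which is presumably why the man page now lists them; the rendering does not make the direction certain.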
@ -1,4 +1,4 @@
/* $NetBSD: npf.h,v 1.23 2012/12/10 01:11:13 rmind Exp $ */
/* $NetBSD: npf.h,v 1.24 2012/12/23 21:01:03 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@ -45,7 +45,7 @@
#include <netinet/in_systm.h>
#include <netinet/in.h>
#define NPF_VERSION 7
#define NPF_VERSION 8
/*
* Public declarations and definitions.
@ -1,4 +1,4 @@
/* $NetBSD: npf_ctl.c,v 1.19 2012/10/29 02:27:12 rmind Exp $ */
/* $NetBSD: npf_ctl.c,v 1.20 2012/12/23 21:01:03 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@ -37,7 +37,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.19 2012/10/29 02:27:12 rmind Exp $");
__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.20 2012/12/23 21:01:03 rmind Exp $");
#include <sys/param.h>
#include <sys/conf.h>
@ -458,6 +458,7 @@ npfctl_reload(u_long cmd, void *data)
npf_tableset_t *tblset = NULL;
npf_ruleset_t *rlset = NULL;
npf_ruleset_t *nset = NULL;
uint32_t ver = 0;
bool flush;
int error;
@ -470,8 +471,13 @@ npfctl_reload(u_long cmd, void *data)
npf_dict = (prop_dictionary_t)pref;
#endif
/* Dictionary for error reporting. */
/* Dictionary for error reporting and version check. */
errdict = prop_dictionary_create();
prop_dictionary_get_uint32(npf_dict, "version", &ver);
if (ver != NPF_VERSION) {
error = EPROGMISMATCH;
goto fail;
}
/* NAT policies. */
nset = npf_ruleset_create();
@ -720,6 +726,7 @@ npfctl_table(void *data)
case NPF_IOCTL_TBLENT_LOOKUP:
error = npf_table_lookup(tblset, nct->nct_tid,
nct->nct_data.ent.alen, &nct->nct_data.ent.addr);
break;
case NPF_IOCTL_TBLENT_ADD:
error = npf_table_insert(tblset, nct->nct_tid,
nct->nct_data.ent.alen, &nct->nct_data.ent.addr,
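Review bot: The version check in npfctl_reload discards the boolean returned by `prop_dictionary_get_uint32`, so a plist with no "version" key, or one of the wrong type, is rejected only because `ver` happens to start at 0 and NPF_VERSION is not 0; stating the intent directly removes that dependency: `if (!prop_dictionary_get_uint32(npf_dict, "version", &ver) || ver != NPF_VERSION) {`. The `goto fail` taken here runs before nset, rlset and tblset are allocated, which is safe only because the earlier hunk initialises all three to NULL, and the fail label itself is outside this view. In the npfctl_table hunk further down, `nct->nct_data.ent.alen` now reaches npf_table_lookup straight from the ioctl argument; if npf_table_lookup does not bound it against sizeof(npf_addr_t), that check belongs before the call. Both npfctl_reload and npfctl_table extend beyond the hunks shown.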
@ -1,4 +1,4 @@
.\" $NetBSD: npf.conf.5,v 1.25 2012/12/06 22:36:51 rmind Exp $
.\" $NetBSD: npf.conf.5,v 1.26 2012/12/23 21:01:04 rmind Exp $
.\"
.\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd December 6, 2012
.Dd December 23, 2012
.Dt NPF.CONF 5
.Os
.Sh NAME
@ -98,9 +98,11 @@ The file should contain a list of IP addresses and/or networks in the form of:
Tables of type "hash" can only contain IP addresses.
.Ss Interfaces
Interfaces can be specified as the values of the variables:
.Pp
.Bd -literal
$pub_if_list = { ifnet(wm0), ifnet(wm1) }
.Ed
.Pp
In the context of filtering, an interface provides a list of its
all IP addresses, including IPv4 and IPv6.
Specific interface addresses can be selected by the family, e.g.:
@ -285,6 +287,7 @@ map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if 9022
procedure "log" {
# Note: npf_ext_log kernel module should be loaded, if not built-in.
# Also, the interface created, e.g.: ifconfig npflog0 create
log: npflog0
}
@ -1,4 +1,4 @@
/* $NetBSD: npf_build.c,v 1.16 2012/12/10 02:26:04 rmind Exp $ */
/* $NetBSD: npf_build.c,v 1.17 2012/12/23 21:01:04 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: npf_build.c,v 1.16 2012/12/10 02:26:04 rmind Exp $");
__RCSID("$NetBSD: npf_build.c,v 1.17 2012/12/23 21:01:04 rmind Exp $");
#include <sys/types.h>
#include <sys/ioctl.h>
@ -617,7 +617,8 @@ npfctl_fill_table(nl_table_t *tl, u_int type, const char *fname)
}
/* Create and add a table entry. */
npf_table_add_entry(tl, alen, &fam.fam_addr, fam.fam_mask);
npf_table_add_entry(tl, fam.fam_family,
&fam.fam_addr, fam.fam_mask);
}
if (buf != NULL) {
free(buf);
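Review bot: The return value of `npf_table_add_entry(tl, fam.fam_family, &fam.fam_addr, fam.fam_mask)` is still discarded, and after this change the call can fail with EINVAL for a family other than AF_INET/AF_INET6 as well as with ENOMEM, so an entry that the library rejects silently vanishes from the table npfctl is about to load. Capture it and report it with the same idiom npfctl_fill_table uses for the preceding parse failure, e.g. `if (npf_table_add_entry(tl, fam.fam_family, &fam.fam_addr, fam.fam_mask) != 0) errx(EXIT_FAILURE, "cannot add table entry from '%s'", fname);`, adjusting the message to the file's convention. The enclosing function continues on both sides of the hunk.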
@ -1,4 +1,4 @@
/* $NetBSD: npfctl.c,v 1.25 2012/12/10 02:26:04 rmind Exp $ */
/* $NetBSD: npfctl.c,v 1.26 2012/12/23 21:01:04 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
__RCSID("$NetBSD: npfctl.c,v 1.25 2012/12/10 02:26:04 rmind Exp $");
__RCSID("$NetBSD: npfctl.c,v 1.26 2012/12/23 21:01:04 rmind Exp $");
#include <sys/ioctl.h>
#include <sys/stat.h>
@ -294,7 +294,7 @@ again:
errx(EXIT_FAILURE, "invalid CIDR '%s'", arg);
}
nct.nct_data.ent.alen = alen;
memcpy(&nct.nct_data.ent.addr, &fam.fam_addr, sizeof(npf_addr_t));
memcpy(&nct.nct_data.ent.addr, &fam.fam_addr, alen);
nct.nct_data.ent.mask = fam.fam_mask;
}
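Review bot: Copying only `alen` bytes into `nct.nct_data.ent.addr` leaves the remainder of that npf_addr_t untouched, so unless `nct` is zeroed before this point (its initialisation is outside the hunk) the ioctl now passes the kernel whatever bytes previously occupied the tail of the field for an IPv4 entry. The full-size memcpy it replaces did not have that problem; if the shorter copy is intended, clear the field first: `memset(&nct.nct_data.ent.addr, 0, sizeof(npf_addr_t));` immediately before the memcpy. The enclosing function continues outside the hunk.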