NPF:
- Adjust the syntax: remove the "inet" keyword in favour of the more explicit "inet4" for the IPv4 address family, consistent with "inet6" for IPv6.
- Adjust and improve the man page a little.
parent
8274d601f9
commit
8b83480d27
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: npf.conf.5,v 1.37 2014/02/06 07:36:36 wiz Exp $
|
||||
.\" $NetBSD: npf.conf.5,v 1.38 2014/02/08 01:20:09 rmind Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
|
||||
.\" All rights reserved.
|
||||
|
@ -27,7 +27,7 @@
|
|||
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd February 6, 2014
|
||||
.Dd February 8, 2014
|
||||
.Dt NPF.CONF 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -134,7 +134,7 @@ to apply a procedure to the packet (e.g. "log") in either case.
|
|||
.Pp
|
||||
A "fully-featured" rule would for example be:
|
||||
.Bd -literal
|
||||
pass stateful in final family inet proto tcp flags S/SA \\
|
||||
pass stateful in final family inet4 proto tcp flags S/SA \\
|
||||
from $source port $sport to $dest port $dport apply "someproc"
|
||||
.Ed
|
||||
.Pp
|
||||
|
@ -157,7 +157,7 @@ Fragments are not selectable since NPF always reassembles packets
|
|||
before further processing.
|
||||
.Ss Map
|
||||
Network Address Translation (NAT) is expressed in a form of segment mapping.
|
||||
At present, only dynamic translation is supported.
|
||||
The translation may be dynamic (stateful) or static (stateless).
|
||||
The following mapping types are available:
|
||||
.Pp
|
||||
.Bl -tag -width <-> -compact
|
||||
|
@ -260,7 +260,7 @@ dynamic-ruleset = "ruleset" group-opts
|
|||
rule = static-rule | dynamic-ruleset
|
||||
|
||||
block-opts = "return-rst" | "return-icmp" | "return"
|
||||
family-opt = "inet" | "inet6"
|
||||
family-opt = "inet4" | "inet6"
|
||||
proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] |
|
||||
"icmp-type" type [ "code" icmp-code ]
|
||||
|
||||
|
@ -285,7 +285,7 @@ directory containing further examples
|
|||
$ext_if = { inet4(wm0), inet6(wm0) }
|
||||
$int_if = { inet4(wm1), inet6(wm1) }
|
||||
|
||||
table <black> type hash file "/etc/npf_blacklist"
|
||||
table <blacklist> type hash file "/etc/npf_blacklist"
|
||||
table <limited> type tree dynamic
|
||||
|
||||
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
|
||||
|
@ -306,8 +306,8 @@ procedure "log" {
|
|||
group "external" on $ext_if {
|
||||
pass stateful out final all
|
||||
|
||||
block in final from \*[Lt]black\*[Gt]
|
||||
pass stateful in final family inet proto tcp to $ext_if port ssh apply "log"
|
||||
block in final from \*[Lt]blacklist\*[Gt]
|
||||
pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log"
|
||||
pass stateful in final proto tcp to $ext_if port $services_tcp
|
||||
pass stateful in final proto udp to $ext_if port $services_udp
|
||||
pass stateful in final proto tcp to $ext_if port 49151-65535 # Passive FTP
|
||||
|
@ -318,7 +318,7 @@ group "internal" on $int_if {
|
|||
block in all
|
||||
block in final from \*[Lt]limited\*[Gt]
|
||||
|
||||
# Ingress filtering as per RFC 2827.
|
||||
# Ingress filtering as per BCP 38 / RFC 2827.
|
||||
pass in final from $localnet
|
||||
pass out final all
|
||||
}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: npf_parse.y,v 1.30 2014/02/06 02:51:28 rmind Exp $ */
|
||||
/* $NetBSD: npf_parse.y,v 1.31 2014/02/08 01:20:09 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
|
||||
|
@ -108,7 +108,6 @@ yyerror(const char *fmt, ...)
|
|||
%token HASH
|
||||
%token ICMPTYPE
|
||||
%token ID
|
||||
%token IFNET
|
||||
%token IN
|
||||
%token INET4
|
||||
%token INET6
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: npf_scan.l,v 1.17 2014/02/06 02:51:28 rmind Exp $ */
|
||||
/* $NetBSD: npf_scan.l,v 1.18 2014/02/08 01:20:09 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
|
||||
|
@ -122,7 +122,6 @@ quick return FINAL;
|
|||
on return ON;
|
||||
inet6 return INET6;
|
||||
inet4 return INET4;
|
||||
inet return INET4;
|
||||
proto return PROTO;
|
||||
family return FAMILY;
|
||||
tcp return TCP;
|
||||
|
|
|
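Review bot: Dropping `inet return INET4;` from the keyword table makes the scanner reject `family inet` outright, so any deployed npf.conf written against the previous syntax will fail to parse after an upgrade, and nothing in the man page hunk of this commit tells an administrator that the old spelling is gone. For a packet filter that is an operational security concern: whether a ruleset that fails to load at boot leaves the host unfiltered or locks the administrator out depends on how the rc scripts treat an npfctl error, which is not visible here. Unless a hard break is intended, keep the old spelling as a deprecated alias for one release, `inet return INET4; /* deprecated spelling, remove after next release */`, and emit a deprecation diagnostic through whatever warning path the scanner already has, or at least document the removal in the man page and release notes so the breakage is discovered before a reload rather than by it.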
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: npf_show.c,v 1.9 2014/02/07 23:45:22 rmind Exp $ */
|
||||
/* $NetBSD: npf_show.c,v 1.10 2014/02/08 01:20:09 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2013 The NetBSD Foundation, Inc.
|
||||
|
@ -36,7 +36,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__RCSID("$NetBSD: npf_show.c,v 1.9 2014/02/07 23:45:22 rmind Exp $");
|
||||
__RCSID("$NetBSD: npf_show.c,v 1.10 2014/02/08 01:20:09 rmind Exp $");
|
||||
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
|
@ -111,7 +111,7 @@ print_family(npf_conf_info_t *ctx, const uint32_t *words)
|
|||
|
||||
switch (af) {
|
||||
case AF_INET:
|
||||
return estrdup("inet");
|
||||
return estrdup("inet4");
|
||||
case AF_INET6:
|
||||
return estrdup("inet6");
|
||||
default:
|
||||
|
|