npfctl: add support for the 'no-ports' flag in the 'map' statements.
This allows us to create a NAT policy without the port translation.
This commit is contained in:
parent
ee91b1e521
commit
bd05c4c470
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: npf.7,v 1.3 2015/07/12 23:54:43 rmind Exp $
|
||||
.\" $NetBSD: npf.7,v 1.4 2017/12/10 22:04:41 rmind Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
|
||||
.\" All rights reserved.
|
||||
@ -78,7 +78,8 @@ documentation and other manual pages.
|
||||
.Xr bpfjit 4 ,
|
||||
.Xr npf.conf 5 ,
|
||||
.Xr pcap-filter 7 ,
|
||||
.Xr npfctl 8
|
||||
.Xr npfctl 8 ,
|
||||
.Xr npfd 8
|
||||
.Pp
|
||||
.Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation"
|
||||
.Sh HISTORY
|
||||
|
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: npf.conf.5,v 1.49 2017/07/03 21:35:31 wiz Exp $
|
||||
.\" $NetBSD: npf.conf.5,v 1.50 2017/12/10 22:04:41 rmind Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
|
||||
.\" All rights reserved.
|
||||
@ -27,7 +27,7 @@
|
||||
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd January 19, 2017
|
||||
.Dd December 10, 2017
|
||||
.Dt NPF.CONF 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -233,6 +233,14 @@ procedure "someproc" {
|
||||
.Ed
|
||||
.Pp
|
||||
In this case, the procedure calls the logging and normalisation modules.
|
||||
The logging facility requires the npf_ext_log kernel module which would
|
||||
normally get auto-loaded by NPF.
|
||||
The specified npflog interface would also be auto-created once the
|
||||
configuration is loaded.
|
||||
The log packets can be written to a file using the
|
||||
.Xr npfd 8
|
||||
daemon.
|
||||
.Pp
|
||||
Traffic normalisation has a set of different mechanisms.
|
||||
In the example above, the normalisation procedure has arguments which
|
||||
apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF)
|
||||
@ -248,8 +256,7 @@ i.e., the next line is considered an extension of the present line.
|
||||
.Sh GRAMMAR
|
||||
The following is a non-formal BNF-like definition of the grammar.
|
||||
The definition is simplified and is intended to be human readable,
|
||||
therefore it does not strictly represent the full syntax, which
|
||||
is more flexible.
|
||||
therefore it does not strictly represent the formal grammar.
|
||||
.Bd -literal
|
||||
; Syntax of a single line. Lines can be separated by LF (\\n) or
|
||||
; a semicolon. Comments start with a hash (#) character.
|
||||
@ -279,10 +286,13 @@ table-def = "table" table-id "type" ( "hash" | "tree" | "cdb" )
|
||||
; Mapping for address translation.
|
||||
|
||||
map = "map" interface
|
||||
( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ]
|
||||
( "static" [ "algo" algorithm ] | "dynamic" )
|
||||
[ map-flags ] [ proto ]
|
||||
net-seg ( "->" | "<-" | "<->" ) net-seg
|
||||
[ "pass" [ proto ] filt-opts ]
|
||||
|
||||
map-flags = "no-ports"
|
||||
|
||||
; Rule procedure definition. The name should be in the double quotes.
|
||||
;
|
||||
; Each call can have its own options in a form of key-value pairs.
|
||||
@ -352,8 +362,7 @@ map $ext_if dynamic 10.1.1.0/24 -> $ext_if
|
||||
map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
|
||||
|
||||
procedure "log" {
|
||||
# Note: npf_ext_log kernel module should be loaded, if not built-in.
|
||||
# Also, the interface created, e.g.: ifconfig npflog0 create
|
||||
# The logging facility can be used together with npfd(8).
|
||||
log: npflog0
|
||||
}
|
||||
|
||||
@ -387,7 +396,8 @@ group default {
|
||||
.Xr bpf 4 ,
|
||||
.Xr npf 7 ,
|
||||
.Xr pcap-filter 7 ,
|
||||
.Xr npfctl 8
|
||||
.Xr npfctl 8 ,
|
||||
.Xr npfd 8
|
||||
.Sh HISTORY
|
||||
NPF first appeared in
|
||||
.Nx 6.0 .
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $ */
|
||||
/* $NetBSD: npf_build.c,v 1.45 2017/12/10 22:04:41 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
|
||||
@ -34,7 +34,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__RCSID("$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $");
|
||||
__RCSID("$NetBSD: npf_build.c,v 1.45 2017/12/10 22:04:41 rmind Exp $");
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/mman.h>
|
||||
@ -493,7 +493,7 @@ npfctl_build_maprset(const char *name, int attr, const char *ifname)
|
||||
attr |= attr_di;
|
||||
}
|
||||
/* Allow only "in/out" attributes. */
|
||||
attr = NPF_RULE_GROUP | NPF_RULE_GROUP | (attr & attr_di);
|
||||
attr = NPF_RULE_GROUP | NPF_RULE_DYNAMIC | (attr & attr_di);
|
||||
rl = npf_rule_create(name, attr, ifname);
|
||||
npf_nat_insert(npf_conf, rl, NPF_PRI_LAST);
|
||||
}
|
||||
@ -594,6 +594,11 @@ npfctl_build_nat(int type, const char *ifname, const addr_port_t *ap,
|
||||
nl_nat_t *nat;
|
||||
|
||||
if (ap->ap_portrange) {
|
||||
/*
|
||||
* The port forwarding case. In such case, there has to
|
||||
* be a single port used for translation; we keep the port
|
||||
* translation on, but disable the port map.
|
||||
*/
|
||||
port = npfctl_get_singleport(ap->ap_portrange);
|
||||
flags &= ~NPF_NAT_PORTMAP;
|
||||
flags |= NPF_NAT_PORTS;
|
||||
@ -615,7 +620,7 @@ npfctl_build_nat(int type, const char *ifname, const addr_port_t *ap,
|
||||
* npfctl_build_natseg: validate and create NAT policies.
|
||||
*/
|
||||
void
|
||||
npfctl_build_natseg(int sd, int type, const char *ifname,
|
||||
npfctl_build_natseg(int sd, int type, unsigned mflags, const char *ifname,
|
||||
const addr_port_t *ap1, const addr_port_t *ap2, const opt_proto_t *op,
|
||||
const filt_opts_t *fopts, u_int algo)
|
||||
{
|
||||
@ -650,6 +655,13 @@ npfctl_build_natseg(int sd, int type, const char *ifname,
|
||||
abort();
|
||||
}
|
||||
|
||||
/*
|
||||
* Apply the flag modifications.
|
||||
*/
|
||||
if (mflags & NPF_NAT_PORTS) {
|
||||
flags &= ~(NPF_NAT_PORTS | NPF_NAT_PORTMAP);
|
||||
}
|
||||
|
||||
/*
|
||||
* Validate the mappings and their configuration.
|
||||
*/
|
||||
|
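Review bot: The new block in npfctl_build_natseg clears NPF_NAT_PORTS and NPF_NAT_PORTMAP when `no-ports` was given, but nothing rejects `no-ports` combined with an explicit port on either segment, and the port-forwarding branch added to npfctl_build_nat unconditionally does `flags |= NPF_NAT_PORTS` whenever `ap->ap_portrange` is set; if that function is reached with the cleared flags (its call site is outside the hunk), a `no-ports` map that also names a port would silently get port translation back. I would fail early in the flag-modification block, e.g. `if ((mflags & NPF_NAT_PORTS) && (ap1->ap_portrange || ap2->ap_portrange)) yyerror("no-ports cannot be combined with a port specification");`, using whatever error reporting this file already uses if yyerror is not it. The sense of the parameter also deserves a line, since mflags carries the bit to turn off rather than a flag to set: `/* mflags: NPF_NAT_* bits the user asked to disable (e.g. "no-ports"). */` above the block. The bodies of npfctl_build_nat and npfctl_build_natseg both continue outside the hunk.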
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npf_parse.y,v 1.45 2017/12/03 23:48:03 mlelstv Exp $ */
|
||||
/* $NetBSD: npf_parse.y,v 1.46 2017/12/10 22:04:41 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
|
||||
@ -124,6 +124,7 @@ yyerror(const char *fmt, ...)
|
||||
%token IFADDRS
|
||||
%token INTERFACE
|
||||
%token MAP
|
||||
%token NO_PORTS
|
||||
%token MINUS
|
||||
%token NAME
|
||||
%token NPT66
|
||||
@ -172,7 +173,7 @@ yyerror(const char *fmt, ...)
|
||||
%type <num> port, opt_final, number, afamily, opt_family
|
||||
%type <num> block_or_pass, rule_dir, group_dir, block_opts
|
||||
%type <num> maybe_not, opt_stateful, icmp_type, table_type
|
||||
%type <num> map_sd, map_algo, map_type
|
||||
%type <num> map_sd, map_algo, map_flags, map_type
|
||||
%type <var> static_ifaddrs, addr_or_ifaddr
|
||||
%type <var> port_range, icmp_type_and_code
|
||||
%type <var> filt_addr, addr_and_mask, tcp_flags, tcp_flags_and_mask
|
||||
@ -337,6 +338,11 @@ map_algo
|
||||
| { $$ = 0; }
|
||||
;
|
||||
|
||||
map_flags
|
||||
: NO_PORTS { $$ = NPF_NAT_PORTS; }
|
||||
| { $$ = 0; }
|
||||
;
|
||||
|
||||
map_type
|
||||
: ARROWBOTH { $$ = NPF_NATIN | NPF_NATOUT; }
|
||||
| ARROWLEFT { $$ = NPF_NATIN; }
|
||||
@ -352,18 +358,18 @@ mapseg
|
||||
;
|
||||
|
||||
map
|
||||
: MAP ifref map_sd map_algo mapseg map_type mapseg
|
||||
: MAP ifref map_sd map_algo map_flags mapseg map_type mapseg
|
||||
PASS opt_proto all_or_filt_opts
|
||||
{
|
||||
npfctl_build_natseg($3, $6, $2, &$5, &$7, &$9, &$10, $4);
|
||||
npfctl_build_natseg($3, $7, $5, $2, &$6, &$8, &$10, &$11, $4);
|
||||
}
|
||||
| MAP ifref map_sd map_algo mapseg map_type mapseg
|
||||
| MAP ifref map_sd map_algo map_flags mapseg map_type mapseg
|
||||
{
|
||||
npfctl_build_natseg($3, $6, $2, &$5, &$7, NULL, NULL, $4);
|
||||
npfctl_build_natseg($3, $7, $5, $2, &$6, &$8, NULL, NULL, $4);
|
||||
}
|
||||
| MAP ifref map_sd map_algo proto mapseg map_type mapseg
|
||||
| MAP ifref map_sd map_algo map_flags proto mapseg map_type mapseg
|
||||
{
|
||||
npfctl_build_natseg($3, $7, $2, &$6, &$8, &$5, NULL, $4);
|
||||
npfctl_build_natseg($3, $8, $5, $2, &$7, &$9, &$6, NULL, $4);
|
||||
}
|
||||
| MAP RULESET group_opts
|
||||
{
|
||||
|
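Review bot: The map_flags production yields NPF_NAT_PORTS for the NO_PORTS keyword, i.e. the bit the option disables rather than a bit it sets, and npfctl_build_natseg then masks that value out of the policy flags; read on its own the grammar looks inverted. A one-line comment on the production would prevent that misreading: `/* map_flags yields the NPF_NAT_* bits the keyword turns OFF; npfctl_build_natseg() masks them out. */`. Note also that map_flags is a single optional alternative, so a second map flag would require turning it into a list that ORs its values. The renumbering of the positional arguments in the three map alternatives ($5 for map_flags, segments and proto shifted by one) is consistent with the new npfctl_build_natseg signature.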
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npf_scan.l,v 1.25 2017/01/03 01:29:49 rmind Exp $ */
|
||||
/* $NetBSD: npf_scan.l,v 1.26 2017/12/10 22:04:41 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
|
||||
@ -97,6 +97,7 @@ static return TSTATIC;
|
||||
dynamic return TDYNAMIC;
|
||||
file return TFILE;
|
||||
map return MAP;
|
||||
no-ports return NO_PORTS;
|
||||
set return SET;
|
||||
"<->" return ARROWBOTH;
|
||||
"<-" return ARROWLEFT;
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npf_show.c,v 1.24 2017/05/14 21:38:23 christos Exp $ */
|
||||
/* $NetBSD: npf_show.c,v 1.25 2017/12/10 22:04:41 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2013 The NetBSD Foundation, Inc.
|
||||
@ -36,7 +36,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__RCSID("$NetBSD: npf_show.c,v 1.24 2017/05/14 21:38:23 christos Exp $");
|
||||
__RCSID("$NetBSD: npf_show.c,v 1.25 2017/12/10 22:04:41 rmind Exp $");
|
||||
|
||||
#include <sys/socket.h>
|
||||
#define __FAVOR_BSD
|
||||
@ -463,8 +463,10 @@ npfctl_print_nat(npf_conf_info_t *ctx, nl_nat_t *nt)
|
||||
flags = npf_nat_getflags(nt);
|
||||
|
||||
/* Print out the NAT policy with the filter criteria. */
|
||||
fprintf(ctx->fp, "map %s %s %s %s %s pass ",
|
||||
fprintf(ctx->fp, "map %s %s %s%s%s %s %s pass ",
|
||||
ifname, (flags & NPF_NAT_STATIC) ? "static" : "dynamic",
|
||||
"" /* XXX algo, */,
|
||||
(flags & NPF_NAT_PORTS) ? "" : "no-ports ",
|
||||
seg1, arrow, seg2);
|
||||
npfctl_print_filter(ctx, rl);
|
||||
npfctl_print_id(ctx, rl);
|
||||
|
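Review bot: The new `(flags & NPF_NAT_PORTS) ? "" : "no-ports "` in npfctl_print_nat emits `no-ports` whenever the bit is clear, including for static policies; if static mappings never carry NPF_NAT_PORTS (where their flags are set is not visible here), every `static` rule will be printed with a `no-ports` the user did not write, which is noise for a show-then-reload round trip even though the parser accepts it. Restricting the marker to dynamic policies keeps the output faithful: `(flags & (NPF_NAT_STATIC | NPF_NAT_PORTS)) ? "" : "no-ports ",`. The adjacent `"" /* XXX algo, */` slot still prints nothing, so a static policy's algorithm is dropped from the output; that is pre-existing, but worth a TODO comment since the printed line is meant to be reloadable.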
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: npfctl.8,v 1.19 2016/12/27 20:55:11 christos Exp $
|
||||
.\" $NetBSD: npfctl.8,v 1.20 2017/12/10 22:04:41 rmind Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
|
||||
.\" All rights reserved.
|
||||
@ -27,7 +27,7 @@
|
||||
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd December 27, 2016
|
||||
.Dd December 10, 2017
|
||||
.Dt NPFCTL 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -205,7 +205,8 @@ Addition and removal of entries in the table whose ID is 2:
|
||||
.Sh SEE ALSO
|
||||
.Xr bpf 4 ,
|
||||
.Xr npf.conf 5 ,
|
||||
.Xr npf 7
|
||||
.Xr npf 7 ,
|
||||
.Xr npfd 8
|
||||
.Sh HISTORY
|
||||
NPF first appeared in
|
||||
.Nx 6.0 .
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: npfctl.h,v 1.44 2017/01/19 20:18:17 rmind Exp $ */
|
||||
/* $NetBSD: npfctl.h,v 1.45 2017/12/10 22:04:41 rmind Exp $ */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
|
||||
@ -202,7 +202,7 @@ void npfctl_build_group_end(void);
|
||||
void npfctl_build_rule(uint32_t, const char *, sa_family_t,
|
||||
const opt_proto_t *, const filt_opts_t *,
|
||||
const char *, const char *);
|
||||
void npfctl_build_natseg(int, int, const char *,
|
||||
void npfctl_build_natseg(int, int, unsigned, const char *,
|
||||
const addr_port_t *, const addr_port_t *,
|
||||
const opt_proto_t *, const filt_opts_t *, unsigned);
|
||||
void npfctl_build_maprset(const char *, int, const char *);
|
||||
|
@ -1,11 +1,4 @@
|
||||
-- how to convert other packet filters to npf
|
||||
-- have a way to use npflog to log packets to syslog
|
||||
We have npfd that logs to a file
|
||||
-- have a way to match dropped packets to rules
|
||||
We keep this information now and we pass it to npflog using the OpenBSD
|
||||
pflog format.
|
||||
-- have a way to list the active nat sessions
|
||||
Use "npfctl list"
|
||||
-- npfctl start does not load the configuration if not loaded.
|
||||
It is not clear you need to reload first. Or if it loads it should
|
||||
print the error messages. Or it should be called enable/disable since
|
||||
|