npfctl: add support for the 'no-ports' flag in the 'map' statements.

This allows us to create a NAT policy without the port translation.
2017-12-10 22:04:41 +00:00 · 2017-12-10 22:04:41 +00:00 · bd05c4c470
parent ee91b1e521
commit bd05c4c470
9 changed files with 64 additions and 38 deletions
--- a/usr.sbin/npf/npf.7
+++ b/usr.sbin/npf/npf.7
@ -1,4 +1,4 @@
-.\"	$NetBSD: npf.7,v 1.3 2015/07/12 23:54:43 rmind Exp $
+.\"	$NetBSD: npf.7,v 1.4 2017/12/10 22:04:41 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@ -78,7 +78,8 @@ documentation and other manual pages.
 .Xr bpfjit 4 ,
 .Xr npf.conf 5 ,
 .Xr pcap-filter 7 ,
-.Xr npfctl 8
+.Xr npfctl 8 ,
+.Xr npfd 8
 .Pp
 .Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation"
 .Sh HISTORY
--- a/usr.sbin/npf/npfctl/npf.conf.5
+++ b/usr.sbin/npf/npfctl/npf.conf.5
@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.49 2017/07/03 21:35:31 wiz Exp $
+.\"    $NetBSD: npf.conf.5,v 1.50 2017/12/10 22:04:41 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 19, 2017
+.Dd December 10, 2017
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@ -233,6 +233,14 @@ procedure "someproc" {
 .Ed
 .Pp
 In this case, the procedure calls the logging and normalisation modules.
+The logging facility requires the npf_ext_log kernel module which would
+normally get auto-loaded by NPF.
+The specified npflog interface would also be auto-created once the
+configuration is loaded.
+The log packets can be written to a file using the
+.Xr npfd 8
+daemon.
+.Pp
 Traffic normalisation has a set of different mechanisms.
 In the example above, the normalisation procedure has arguments which
 apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF)
@ -248,8 +256,7 @@ i.e., the next line is considered an extension of the present line.
 .Sh GRAMMAR
 The following is a non-formal BNF-like definition of the grammar.
 The definition is simplified and is intended to be human readable,
-therefore it does not strictly represent the full syntax, which
-is more flexible.
+therefore it does not strictly represent the formal grammar.
 .Bd -literal
 ; Syntax of a single line.  Lines can be separated by LF (\\n) or
 ; a semicolon.  Comments start with a hash (#) character.
@ -279,10 +286,13 @@ table-def	= "table" table-id "type" ( "hash" | "tree" | "cdb" )
 ; Mapping for address translation.

 map		= "map" interface
-		  ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ]
+		  ( "static" [ "algo" algorithm ] | "dynamic" )
+		  [ map-flags ] [ proto ]
 		  net-seg ( "->" | "<-" | "<->" ) net-seg
 		  [ "pass" [ proto ] filt-opts ]

+map-flags	= "no-ports"
+
 ; Rule procedure definition.  The name should be in the double quotes.
 ;
 ; Each call can have its own options in a form of key-value pairs.
@ -352,8 +362,7 @@ map $ext_if dynamic 10.1.1.0/24 -> $ext_if
 map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022

 procedure "log" {
-	# Note: npf_ext_log kernel module should be loaded, if not built-in.
-	# Also, the interface created, e.g.: ifconfig npflog0 create
+	# The logging facility can be used together with npfd(8).
 	log: npflog0
 }

@ -387,7 +396,8 @@ group default {
 .Xr bpf 4 ,
 .Xr npf 7 ,
 .Xr pcap-filter 7 ,
-.Xr npfctl 8
+.Xr npfctl 8 ,
+.Xr npfd 8
 .Sh HISTORY
 NPF first appeared in
 .Nx 6.0 .
--- a/usr.sbin/npf/npfctl/npf_build.c
+++ b/usr.sbin/npf/npfctl/npf_build.c
@ -1,4 +1,4 @@
-/*	$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $	*/
+/*	$NetBSD: npf_build.c,v 1.45 2017/12/10 22:04:41 rmind Exp $	*/

 /*-
 * Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
@ -34,7 +34,7 @@
 */

 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.45 2017/12/10 22:04:41 rmind Exp $");

 #include <sys/types.h>
 #include <sys/mman.h>
@ -493,7 +493,7 @@ npfctl_build_maprset(const char *name, int attr, const char *ifname)
 		attr |= attr_di;
 	}
 	/* Allow only "in/out" attributes. */
-	attr = NPF_RULE_GROUP | NPF_RULE_GROUP | (attr & attr_di);
+	attr = NPF_RULE_GROUP | NPF_RULE_DYNAMIC | (attr & attr_di);
 	rl = npf_rule_create(name, attr, ifname);
 	npf_nat_insert(npf_conf, rl, NPF_PRI_LAST);
 }
@ -594,6 +594,11 @@ npfctl_build_nat(int type, const char *ifname, const addr_port_t *ap,
 	nl_nat_t *nat;

 	if (ap->ap_portrange) {
+		/*
+		 * The port forwarding case.  In such case, there has to
+		 * be a single port used for translation; we keep the port
+		 * translation on, but disable the port map.
+		 */
 		port = npfctl_get_singleport(ap->ap_portrange);
 		flags &= ~NPF_NAT_PORTMAP;
 		flags |= NPF_NAT_PORTS;
@ -615,7 +620,7 @@ npfctl_build_nat(int type, const char *ifname, const addr_port_t *ap,
 * npfctl_build_natseg: validate and create NAT policies.
 */
 void
-npfctl_build_natseg(int sd, int type, const char *ifname,
+npfctl_build_natseg(int sd, int type, unsigned mflags, const char *ifname,
    const addr_port_t *ap1, const addr_port_t *ap2, const opt_proto_t *op,
    const filt_opts_t *fopts, u_int algo)
 {
@ -650,6 +655,13 @@ npfctl_build_natseg(int sd, int type, const char *ifname,
 		abort();
 	}

+	/*
+	 * Apply the flag modifications.
+	 */
+	if (mflags & NPF_NAT_PORTS) {
+		flags &= ~(NPF_NAT_PORTS | NPF_NAT_PORTMAP);
+	}
+
 	/*
 	 * Validate the mappings and their configuration.
 	 */
--- a/usr.sbin/npf/npfctl/npf_parse.y
+++ b/usr.sbin/npf/npfctl/npf_parse.y
@ -1,4 +1,4 @@
-/*	$NetBSD: npf_parse.y,v 1.45 2017/12/03 23:48:03 mlelstv Exp $	*/
+/*	$NetBSD: npf_parse.y,v 1.46 2017/12/10 22:04:41 rmind Exp $	*/

 /*-
 * Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
@ -124,6 +124,7 @@ yyerror(const char *fmt, ...)
 %token			IFADDRS
 %token			INTERFACE
 %token			MAP
+%token			NO_PORTS
 %token			MINUS
 %token			NAME
 %token			NPT66
@ -172,7 +173,7 @@ yyerror(const char *fmt, ...)
 %type	<num>		port, opt_final, number, afamily, opt_family
 %type	<num>		block_or_pass, rule_dir, group_dir, block_opts
 %type	<num>		maybe_not, opt_stateful, icmp_type, table_type
-%type	<num>		map_sd, map_algo, map_type
+%type	<num>		map_sd, map_algo, map_flags, map_type
 %type	<var>		static_ifaddrs, addr_or_ifaddr
 %type	<var>		port_range, icmp_type_and_code
 %type	<var>		filt_addr, addr_and_mask, tcp_flags, tcp_flags_and_mask
@ -337,6 +338,11 @@ map_algo
 	|		{ $$ = 0; }
 	;

+map_flags
+	: NO_PORTS	{ $$ = NPF_NAT_PORTS; }
+	|		{ $$ = 0; }
+	;
+
 map_type
 	: ARROWBOTH	{ $$ = NPF_NATIN | NPF_NATOUT; }
 	| ARROWLEFT	{ $$ = NPF_NATIN; }
@ -352,18 +358,18 @@ mapseg
 	;

 map
-	: MAP ifref map_sd map_algo mapseg map_type mapseg
+	: MAP ifref map_sd map_algo map_flags mapseg map_type mapseg
 	  PASS opt_proto all_or_filt_opts
 	{
-		npfctl_build_natseg($3, $6, $2, &$5, &$7, &$9, &$10, $4);
+		npfctl_build_natseg($3, $7, $5, $2, &$6, &$8, &$10, &$11, $4);
 	}
-	| MAP ifref map_sd map_algo mapseg map_type mapseg
+	| MAP ifref map_sd map_algo map_flags mapseg map_type mapseg
 	{
-		npfctl_build_natseg($3, $6, $2, &$5, &$7, NULL, NULL, $4);
+		npfctl_build_natseg($3, $7, $5, $2, &$6, &$8, NULL, NULL, $4);
 	}
-	| MAP ifref map_sd map_algo proto mapseg map_type mapseg
+	| MAP ifref map_sd map_algo map_flags proto mapseg map_type mapseg
 	{
-		npfctl_build_natseg($3, $7, $2, &$6, &$8, &$5, NULL, $4);
+		npfctl_build_natseg($3, $8, $5, $2, &$7, &$9, &$6, NULL, $4);
 	}
 	| MAP RULESET group_opts
 	{
--- a/usr.sbin/npf/npfctl/npf_scan.l
+++ b/usr.sbin/npf/npfctl/npf_scan.l
@ -1,4 +1,4 @@
-/*	$NetBSD: npf_scan.l,v 1.25 2017/01/03 01:29:49 rmind Exp $	*/
+/*	$NetBSD: npf_scan.l,v 1.26 2017/12/10 22:04:41 rmind Exp $	*/

 /*-
 * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@ -97,6 +97,7 @@ static			return TSTATIC;
 dynamic			return TDYNAMIC;
 file			return TFILE;
 map			return MAP;
+no-ports		return NO_PORTS;
 set			return SET;
 "<->"			return ARROWBOTH;
 "<-"			return ARROWLEFT;
--- a/usr.sbin/npf/npfctl/npf_show.c
+++ b/usr.sbin/npf/npfctl/npf_show.c
@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.24 2017/05/14 21:38:23 christos Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.25 2017/12/10 22:04:41 rmind Exp $	*/

 /*-
 * Copyright (c) 2013 The NetBSD Foundation, Inc.
@ -36,7 +36,7 @@
 */

 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.24 2017/05/14 21:38:23 christos Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.25 2017/12/10 22:04:41 rmind Exp $");

 #include <sys/socket.h>
 #define	__FAVOR_BSD
@ -463,8 +463,10 @@ npfctl_print_nat(npf_conf_info_t *ctx, nl_nat_t *nt)
 	flags = npf_nat_getflags(nt);

 	/* Print out the NAT policy with the filter criteria. */
-	fprintf(ctx->fp, "map %s %s %s %s %s pass ",
+	fprintf(ctx->fp, "map %s %s %s%s%s %s %s pass ",
 	    ifname, (flags & NPF_NAT_STATIC) ? "static" : "dynamic",
+	    "" /* XXX algo, */,
+	    (flags & NPF_NAT_PORTS) ? "" : "no-ports ",
 	    seg1, arrow, seg2);
 	npfctl_print_filter(ctx, rl);
 	npfctl_print_id(ctx, rl);
--- a/usr.sbin/npf/npfctl/npfctl.8
+++ b/usr.sbin/npf/npfctl/npfctl.8
@ -1,4 +1,4 @@
-.\"	$NetBSD: npfctl.8,v 1.19 2016/12/27 20:55:11 christos Exp $
+.\"	$NetBSD: npfctl.8,v 1.20 2017/12/10 22:04:41 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 27, 2016
+.Dd December 10, 2017
 .Dt NPFCTL 8
 .Os
 .Sh NAME
@ -205,7 +205,8 @@ Addition and removal of entries in the table whose ID is 2:
 .Sh SEE ALSO
 .Xr bpf 4 ,
 .Xr npf.conf 5 ,
-.Xr npf 7
+.Xr npf 7 ,
+.Xr npfd 8
 .Sh HISTORY
 NPF first appeared in
 .Nx 6.0 .
--- a/usr.sbin/npf/npfctl/npfctl.h
+++ b/usr.sbin/npf/npfctl/npfctl.h
@ -1,4 +1,4 @@
-/*	$NetBSD: npfctl.h,v 1.44 2017/01/19 20:18:17 rmind Exp $	*/
+/*	$NetBSD: npfctl.h,v 1.45 2017/12/10 22:04:41 rmind Exp $	*/

 /*-
 * Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
@ -202,7 +202,7 @@ void		npfctl_build_group_end(void);
 void		npfctl_build_rule(uint32_t, const char *, sa_family_t,
 		    const opt_proto_t *, const filt_opts_t *,
 		    const char *, const char *);
-void		npfctl_build_natseg(int, int, const char *,
+void		npfctl_build_natseg(int, int, unsigned, const char *,
 		    const addr_port_t *, const addr_port_t *,
 		    const opt_proto_t *, const filt_opts_t *, unsigned);
 void		npfctl_build_maprset(const char *, int, const char *);
--- a/usr.sbin/npf/npfctl/todo
+++ b/usr.sbin/npf/npfctl/todo
@ -1,11 +1,4 @@
 -- how to convert other packet filters to npf
-- have a way to use npflog to log packets to syslog
-   We have npfd that logs to a file
-- have a way to match dropped packets to rules
-   We keep this information now and we pass it to npflog using the OpenBSD
-   pflog format.
-- have a way to list the active nat sessions
-   Use "npfctl list"
 -- npfctl start does not load the configuration if not loaded.
   It is not clear you need to reload first. Or if it loads it should
   print the error messages. Or it should be called enable/disable since