adjust to current npf.conf syntax

2012-12-04 18:48:32 +00:00 · 2012-12-04 18:48:32 +00:00 · e146303174
commit e146303174
parent f97bce71b9
2 changed files with 48 additions and 40 deletions
--- a/share/examples/npf/host-npf.conf
+++ b/share/examples/npf/host-npf.conf
@ -1,4 +1,4 @@
-# $NetBSD: host-npf.conf,v 1.2 2012/08/22 06:45:17 spz Exp $
+# $NetBSD: host-npf.conf,v 1.3 2012/12/04 18:48:32 spz Exp $
 #
 # this is an example of NPF rules for a host (i.e., not routing) with
 # two network interfaces, wired and wifi
@ -7,7 +7,12 @@
 # it also does IPSEC on the wifi
 #
 $wired_if = "wm0"
+$wired_v4 = { inet4(wm0) }
+$wired_v6 = { inet6(wm0) }
+
 $wifi_if = "iwn0"
+$wifi_v4 = { inet4(iwn0) }
+$wifi_v6 = { inet6(iwn0) }

 $dhcpserver = { 198.51.100.1 }

@ -37,38 +42,38 @@ group (name "wired", interface $wired_if) {
 	pass in  final family inet  proto icmp      all

 	pass in  final family inet proto tcp \
-		from $dhcpserver port bootps to $wired_if port bootpc
+		from $dhcpserver port bootps to $wired_v4 port bootpc
 	pass in  final family inet proto udp \
-		from $dhcpserver port bootps to $wired_if port bootpc
+		from $dhcpserver port bootps to $wired_v4 port bootpc

-	pass in final family inet6 proto tcp to $wired_if port ssh
+	pass in final family inet6 proto tcp to $wired_v6 port ssh

 	pass in final family inet  proto tcp flags S/SA \
-		from $backupsrv_v4 to $wired_if port $backup_port 
+		from $backupsrv_v4 to $wired_v4 port $backup_port 
 	pass in final family inet  proto udp \
-		from $backupsrv_v4 to $wired_if port $backup_port
+		from $backupsrv_v4 to $wired_v4 port $backup_port
 	pass in final family inet6 proto tcp flags S/SA \
-		from $backupsrv_v6 to $wired_if port $backup_port 
+		from $backupsrv_v6 to $wired_v6 port $backup_port 
 	pass in final family inet6 proto udp \
-		from $backupsrv_v6 to $wired_if port $backup_port
+		from $backupsrv_v6 to $wired_v6 port $backup_port

-	pass stateful in final family inet6 proto udp to $wired_if \
+	pass stateful in final family inet6 proto udp to $wired_v6 \
 		port $services_udp
-	pass stateful in final family inet  proto udp to $wired_if \
+	pass stateful in final family inet  proto udp to $wired_v6 \
 		port $services_udp

 	# only SYN packets need to generate state
 	pass stateful out final family inet6 proto tcp flags S/SA \
-		from $wired_if apply "rid" 
+		from $wired_v6 apply "rid" 
 	pass stateful out final family inet  proto tcp flags S/SA \
-		from $wired_if apply "rid" 
+		from $wired_v4 apply "rid" 
 	# pass the other tcp packets without generating extra state
-	pass out final family inet6 proto tcp from $wired_if apply "rid" 
-	pass out final family inet  proto tcp from $wired_if apply "rid" 
+	pass out final family inet6 proto tcp from $wired_v6 apply "rid" 
+	pass out final family inet  proto tcp from $wired_v4 apply "rid" 

 	# all other types of traffic, generate state per packet
-	pass stateful out final family inet6 from $wired_if apply "rid" 
-	pass stateful out final family inet  from $wired_if apply "rid" 
+	pass stateful out final family inet6 from $wired_v6 apply "rid" 
+	pass stateful out final family inet  from $wired_v4 apply "rid" 

 }

@ -81,37 +86,37 @@ group (name "wifi", interface $wifi_if) {
 	pass in  final family inet6 proto ipv6-icmp  to ff00::/10
 	pass out final family inet6 proto ipv6-icmp from ff00::/10

-	pass in  final family inet6 proto ipv6-icmp to $wifi_if
-	pass in  final family inet  proto icmp      to $wifi_if
+	pass in  final family inet6 proto ipv6-icmp to $wifi_v6
+	pass in  final family inet  proto icmp      to $wifi_v6

 	pass in  final family inet proto tcp \
-		from any port bootps to $wifi_if port bootpc
+		from any port bootps to $wifi_v4 port bootpc
 	pass in  final family inet proto udp \
-		from any port bootps to $wifi_if port bootpc
+		from any port bootps to $wifi_v4 port bootpc

-        pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh 
+        pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh 

-        pass in final family inet6 proto udp to $wifi_if port $services_udp
-        pass in final family inet  proto udp to $wifi_if port $services_udp
+        pass in final family inet6 proto udp to $wifi_v6 port $services_udp
+        pass in final family inet  proto udp to $wifi_v4 port $services_udp

 	# IPSEC
-	pass in final family inet6 proto udp to $wifi_if port isakmp
-	pass in final family inet  proto udp to $wifi_if port isakmp
+	pass in final family inet6 proto udp to $wifi_v6 port isakmp
+	pass in final family inet  proto udp to $wifi_v4 port isakmp
 	pass in family inet6 proto esp all
 	pass in family inet  proto esp all

 	# only SYN packets need to generate state
        pass stateful out final family inet6 proto tcp flags S/SA \
-		from $wifi_if apply "rid" 
+		from $wifi_v6 apply "rid" 
        pass stateful out final family inet  proto tcp flags S/SA \
-		from $wifi_if apply "rid" 
+		from $wifi_v4 apply "rid" 
 	# pass the other tcp packets without generating extra state
-        pass out final family inet6 proto tcp from $wifi_if apply "rid" 
-        pass out final family inet  proto tcp from $wifi_if apply "rid" 
+        pass out final family inet6 proto tcp from $wifi_v6 apply "rid" 
+        pass out final family inet  proto tcp from $wifi_v4 apply "rid" 

 	# all other types of traffic, generate state per packet
-        pass stateful out final family inet6 from $wifi_if apply "rid" 
-        pass stateful out final family inet  from $wifi_if apply "rid" 
+        pass stateful out final family inet6 from $wifi_v6 apply "rid" 
+        pass stateful out final family inet  from $wifi_v4 apply "rid" 
 }

 group (default) {
--- a/share/examples/npf/soho_gw-npf.conf
+++ b/share/examples/npf/soho_gw-npf.conf
@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.2 2012/08/21 08:25:21 spz Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.3 2012/12/04 18:48:32 spz Exp $
 #
 # SOHO border
 #
@ -6,6 +6,9 @@
 # IPv4 only
 #
 $ext_if = "wm0"
+$ext_v4 = inet4(wm0)
+$ext_addrs = { ifnet(wm0) }
+
 $int_if = "wm1"

 # a table to house e.g. block candidates in
@ -20,11 +23,11 @@ $localnet = { 198.51.100.0/24 }
 # NAT outgoing to the address of the external interface
 # Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
 # then the translation address has to be specified explicitly.
-map $ext_if dynamic 198.51.100.0/24 -> $ext_if
+map $ext_if dynamic 198.51.100.0/24 -> $ext_v4

 # NAT traffic arriving on port 9022 of the external interface address
 # to host 198.51.100.2 port 22
-map $ext_if dynamic 198.51.100.2 port 22 <- $ext_if 9022
+map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 9022

 procedure "log" {
 	log: npflog0
@ -35,18 +38,18 @@ procedure "rid" {
 }

 group (name "external", interface $ext_if) {
-	pass stateful out final from $ext_if apply "rid"
+	pass stateful out final from $ext_addrs apply "rid"

 	block in final from <1>
-	pass stateful in final family inet proto tcp to $ext_if port ssh \
+	pass stateful in final family inet proto tcp to $ext_v4 port ssh \
 		apply "log"
-	pass stateful in final proto tcp to $ext_if port $services_tcp
-	pass stateful in final proto udp to $ext_if port $services_udp
+	pass stateful in final proto tcp to $ext_addrs port $services_tcp
+	pass stateful in final proto udp to $ext_addrs port $services_udp

 	# Passive FTP
-	pass stateful in final proto tcp to $ext_if port 49151-65535
+	pass stateful in final proto tcp to $ext_addrs port 49151-65535
 	# Traceroute
-	pass stateful in final proto udp to $ext_if port 33434-33600
+	pass stateful in final proto udp to $ext_addrs port 33434-33600
 }

 group (name "internal", interface $int_if) {