head 1.91; access; symbols netbsd-8-3-RELEASE:1.48.4.2 netbsd-9-4-RELEASE:1.88.2.2 netbsd-10-0-RELEASE:1.91 netbsd-10-0-RC6:1.91 netbsd-10-0-RC5:1.91 netbsd-10-0-RC4:1.91 netbsd-10-0-RC3:1.91 netbsd-10-0-RC2:1.91 netbsd-10-0-RC1:1.91 netbsd-10:1.91.0.6 netbsd-10-base:1.91 netbsd-9-3-RELEASE:1.88.2.2 cjep_sun2x-base1:1.91 cjep_sun2x:1.91.0.4 cjep_sun2x-base:1.91 cjep_staticlib_x-base1:1.91 netbsd-9-2-RELEASE:1.88.2.2 cjep_staticlib_x:1.91.0.2 cjep_staticlib_x-base:1.91 netbsd-9-1-RELEASE:1.88.2.2 phil-wifi-20200421:1.90 phil-wifi-20200411:1.90 is-mlppp:1.90.0.2 is-mlppp-base:1.90 phil-wifi-20200406:1.90 netbsd-8-2-RELEASE:1.48.4.2 netbsd-9-0-RELEASE:1.88.2.1 netbsd-9-0-RC2:1.88.2.1 netbsd-9-0-RC1:1.88.2.1 phil-wifi-20191119:1.90 netbsd-9:1.88.0.2 netbsd-9-base:1.88 phil-wifi-20190609:1.86 netbsd-8-1-RELEASE:1.48.4.2 netbsd-8-1-RC1:1.48.4.2 pgoyette-compat-merge-20190127:1.51.2.4 pgoyette-compat-20190127:1.84 pgoyette-compat-20190118:1.83 pgoyette-compat-1226:1.79 pgoyette-compat-1126:1.79 pgoyette-compat-1020:1.79 pgoyette-compat-0930:1.79 pgoyette-compat-0906:1.75 netbsd-7-2-RELEASE:1.42.2.2 pgoyette-compat-0728:1.51 netbsd-8-0-RELEASE:1.48 phil-wifi:1.51.0.4 phil-wifi-base:1.51 pgoyette-compat-0625:1.51 netbsd-8-0-RC2:1.48 pgoyette-compat-0521:1.51 pgoyette-compat-0502:1.51 pgoyette-compat-0422:1.51 netbsd-8-0-RC1:1.48 pgoyette-compat-0415:1.51 pgoyette-compat-0407:1.51 pgoyette-compat-0330:1.51 pgoyette-compat-0322:1.51 pgoyette-compat-0315:1.51 netbsd-7-1-2-RELEASE:1.42.2.2 pgoyette-compat:1.51.0.2 pgoyette-compat-base:1.51 netbsd-7-1-1-RELEASE:1.42.2.2 matt-nb8-mediatek:1.48.0.6 matt-nb8-mediatek-base:1.48 perseant-stdc-iso10646:1.49.0.2 perseant-stdc-iso10646-base:1.49 netbsd-8:1.48.0.4 netbsd-8-base:1.48 prg-localcount2-base3:1.48 prg-localcount2-base2:1.48 prg-localcount2-base1:1.48 prg-localcount2:1.48.0.2 prg-localcount2-base:1.48 pgoyette-localcount-20170426:1.48 bouyer-socketcan-base1:1.48 pgoyette-localcount-20170320:1.48 netbsd-7-1:1.42.2.2.0.6 netbsd-7-1-RELEASE:1.42.2.2 netbsd-7-1-RC2:1.42.2.2 netbsd-7-nhusb-base-20170116:1.42.2.2 bouyer-socketcan:1.46.0.2 bouyer-socketcan-base:1.46 pgoyette-localcount-20170107:1.46 netbsd-7-1-RC1:1.42.2.2 pgoyette-localcount-20161104:1.44 netbsd-7-0-2-RELEASE:1.42.2.2 localcount-20160914:1.44 netbsd-7-nhusb:1.42.2.2.0.4 netbsd-7-nhusb-base:1.42.2.2 pgoyette-localcount-20160806:1.44 pgoyette-localcount-20160726:1.44 pgoyette-localcount:1.44.0.2 pgoyette-localcount-base:1.44 netbsd-7-0-1-RELEASE:1.42.2.2 netbsd-7-0:1.42.2.2.0.2 netbsd-7-0-RELEASE:1.42.2.2 netbsd-7-0-RC3:1.42.2.2 netbsd-7-0-RC2:1.42.2.2 netbsd-7-0-RC1:1.42.2.2 netbsd-6-0-6-RELEASE:1.9.2.4.2.1 netbsd-6-1-5-RELEASE:1.9.2.9 netbsd-7:1.42.0.2 netbsd-7-base:1.42 yamt-pagecache-base9:1.39 yamt-pagecache-tag8:1.5.4.4 netbsd-6-1-4-RELEASE:1.9.2.9 netbsd-6-0-5-RELEASE:1.9.2.4.2.1 tls-earlyentropy:1.39.0.2 tls-earlyentropy-base:1.42 riastradh-xf86-video-intel-2-7-1-pre-2-21-15:1.39 riastradh-drm2-base3:1.39 netbsd-6-1-3-RELEASE:1.9.2.9 netbsd-6-0-4-RELEASE:1.9.2.4.2.1 netbsd-6-1-2-RELEASE:1.9.2.9 netbsd-6-0-3-RELEASE:1.9.2.4.2.1 netbsd-6-1-1-RELEASE:1.9.2.9 riastradh-drm2-base2:1.29 riastradh-drm2-base1:1.29 riastradh-drm2:1.29.0.4 riastradh-drm2-base:1.29 netbsd-6-1:1.9.2.9.0.2 netbsd-6-0-2-RELEASE:1.9.2.4.2.1 netbsd-6-1-RELEASE:1.9.2.9 netbsd-6-1-RC4:1.9.2.9 netbsd-6-1-RC3:1.9.2.9 agc-symver:1.29.0.2 agc-symver-base:1.29 netbsd-6-1-RC2:1.9.2.8 netbsd-6-1-RC1:1.9.2.8 yamt-pagecache-base8:1.26 netbsd-6-0-1-RELEASE:1.9.2.4.2.1 yamt-pagecache-base7:1.25 matt-nb6-plus-nbase:1.9.2.4 yamt-pagecache-base6:1.23 netbsd-6-0:1.9.2.4.0.2 netbsd-6-0-RELEASE:1.9.2.4 netbsd-6-0-RC2:1.9.2.3 tls-maxphys:1.15.0.2 tls-maxphys-base:1.42 matt-nb6-plus:1.9.2.3.0.2 matt-nb6-plus-base:1.9.2.4 netbsd-6-0-RC1:1.9.2.3 yamt-pagecache-base5:1.9 yamt-pagecache-base4:1.9 netbsd-6:1.9.0.2 netbsd-6-base:1.9 yamt-pagecache-base3:1.5 yamt-pagecache-base2:1.5 yamt-pagecache:1.5.0.4 yamt-pagecache-base:1.5 cherry-xenmp:1.5.0.2 cherry-xenmp-base:1.5 bouyer-quota2-nbase:1.4 bouyer-quota2:1.3.0.2 bouyer-quota2-base:1.4 matt-mips64-premerge-20101231:1.2; locks; strict; comment @.\" @; 1.91 date 2020.05.30.14.16.56; author rmind; state Exp; branches; next 1.90; commitid fZlE4LRokUrgTgaC; 1.90 date 2019.09.30.20.44.51; author uwe; state Exp; branches; next 1.89; commitid aoFzHCl4lg74S4FB; 1.89 date 2019.09.30.00.37.11; author rmind; state Exp; branches; next 1.88; commitid SSYU7pia4hYlaYEB; 1.88 date 2019.07.23.14.20.22; author wiz; state Exp; branches 1.88.2.1; next 1.87; commitid tg7cWn75aHqFXawB; 1.87 date 2019.07.23.00.52.02; author rmind; state Exp; branches; next 1.86; commitid wZghwo6mmoF6u6wB; 1.86 date 2019.04.08.07.58.45; author wiz; state Exp; branches; next 1.85; commitid qpGNTLUJSYYZfwiB; 1.85 date 2019.04.07.22.23.40; author rmind; state Exp; branches; next 1.84; commitid mdrkZRA9KLeI4tiB; 1.84 date 2019.01.19.21.19.32; author rmind; state Exp; branches; next 1.83; commitid zfYSEXSEdJmsdr8B; 1.83 date 2019.01.08.11.36.10; author uwe; state Exp; branches; next 1.82; commitid KJ89EDPyY6AWlY6B; 1.82 date 2019.01.08.11.28.01; author uwe; state Exp; branches; next 1.81; commitid Hs92LUebtJy9jY6B; 1.81 date 2019.01.08.10.25.26; author wiz; state Exp; branches; next 1.80; commitid JvVyhHKZJn7CXX6B; 1.80 date 2019.01.08.01.19.16; author gutteridge; state Exp; branches; next 1.79; commitid yLmOH7WMRMNfVU6B; 1.79 date 2018.09.21.10.59.11; author uwe; state Exp; branches; next 1.78; commitid sx0Afkpb1Y2uEXSA; 1.78 date 2018.09.21.09.42.18; author uwe; state Exp; branches; next 1.77; commitid GQutVQez7u07eXSA; 1.77 date 2018.09.21.07.22.26; author maxv; state Exp; branches; next 1.76; commitid JsrZ1VrFKwW6sWSA; 1.76 date 2018.09.19.15.36.12; author maxv; state Exp; branches; next 1.75; commitid mJ1neUbcKLhtfJSA; 1.75 date 2018.09.04.15.36.01; author maxv; state Exp; branches; next 1.74; commitid ipfkNYvc20dhJNQA; 1.74 date 2018.09.02.18.03.23; author wiz; state Exp; branches; next 1.73; commitid GRhBU3eT3MwQByQA; 1.73 date 2018.09.02.17.45.18; author maxv; state Exp; branches; next 1.72; commitid PMnxNwuvfaHBvyQA; 1.72 date 2018.09.01.19.26.46; author wiz; state Exp; branches; next 1.71; commitid R63U4ZkPY75t6rQA; 1.71 date 2018.09.01.16.28.57; author rmind; state Exp; branches; next 1.70; commitid jPSjB9ufHLlh7qQA; 1.70 date 2018.08.31.11.18.35; author maxv; state Exp; branches; next 1.69; commitid tkEuMsOGgKDYqgQA; 1.69 date 2018.08.31.11.11.21; author maxv; state Exp; branches; next 1.68; commitid GNN82lksmcttogQA; 1.68 date 2018.08.31.11.01.09; author maxv; state Exp; branches; next 1.67; commitid QPD0cYztSDWXkgQA; 1.67 date 2018.08.31.10.52.30; author maxv; state Exp; branches; next 1.66; commitid iz436IhpS9X0igQA; 1.66 date 2018.08.27.13.20.47; author wiz; state Exp; branches; next 1.65; commitid ZhwhYfABrI0OeLPA; 1.65 date 2018.08.27.13.09.16; author maxv; state Exp; branches; next 1.64; commitid jd0cETk5vOvUaLPA; 1.64 date 2018.08.27.12.46.03; author maxv; state Exp; branches; next 1.63; commitid 8r1T2XK36tpX2LPA; 1.63 date 2018.08.17.12.20.49; author maxv; state Exp; branches; next 1.62; commitid bcmWywy9TrJaetOA; 1.62 date 2018.08.17.12.04.20; author maxv; state Exp; branches; next 1.61; commitid gpHepcWFLU6s8tOA; 1.61 date 2018.08.17.10.24.19; author maxv; state Exp; branches; next 1.60; commitid P8XoHWWhyPSeAsOA; 1.60 date 2018.08.17.10.16.24; author maxv; state Exp; branches; next 1.59; commitid xcWAEBV6uZ1lxsOA; 1.59 date 2018.08.16.09.58.00; author maxv; state Exp; branches; next 1.58; commitid peueqqbuxe7dtkOA; 1.58 date 2018.08.16.09.50.37; author maxv; state Exp; branches; next 1.57; commitid S4FC1gbAaVkHqkOA; 1.57 date 2018.08.16.09.46.18; author maxv; state Exp; branches; next 1.56; commitid aB9Sm1kYYePbpkOA; 1.56 date 2018.08.16.09.21.00; author maxv; state Exp; branches; next 1.55; commitid EdCN0sW7OJZwgkOA; 1.55 date 2018.08.16.08.51.53; author maxv; state Exp; branches; next 1.54; commitid 7tGtQFkOK00t6kOA; 1.54 date 2018.08.16.08.37.51; author maxv; state Exp; branches; next 1.53; commitid UYt2e3rAA2fG1kOA; 1.53 date 2018.08.13.06.06.13; author wiz; state Exp; branches; next 1.52; commitid CYfVuuguPy7GhVNA; 1.52 date 2018.08.07.00.22.13; author sevan; state Exp; branches; next 1.51; commitid s7V3Js5uIAyTy7NA; 1.51 date 2017.12.11.23.07.49; author wiz; state Exp; branches 1.51.2.1 1.51.4.1; next 1.50; commitid BBKWvpSdsNjqOwiA; 1.50 date 2017.12.10.22.04.41; author rmind; state Exp; branches; next 1.49; commitid lbkMQZtTZ3QIuoiA; 1.49 date 2017.07.03.21.35.31; author wiz; state Exp; branches; next 1.48; commitid GDcvPnLuEcjBtPXz; 1.48 date 2017.01.20.08.48.14; author wiz; state Exp; branches 1.48.4.1; next 1.47; commitid oPLspHZBj0LevGCz; 1.47 date 2017.01.19.20.18.17; author rmind; state Exp; branches; next 1.46; commitid kswhtu4ekC7elCCz; 1.46 date 2017.01.03.01.29.49; author rmind; state Exp; branches 1.46.2.1; next 1.45; commitid xZabrtOST8yzCsAz; 1.45 date 2016.12.27.22.35.33; author rmind; state Exp; branches; next 1.44; commitid HvOEu45RT65TQFzz; 1.44 date 2015.02.01.22.57.21; author rmind; state Exp; branches 1.44.2.1; next 1.43; commitid UfyZ9hmJBoFnjm8y; 1.43 date 2014.12.26.22.44.54; author christos; state Exp; branches; next 1.42; commitid jz0ptFLn2ZqwqB3y; 1.42 date 2014.08.03.00.02.56; author rmind; state Exp; branches 1.42.2.1; next 1.41; commitid zBWSeRsgqnjyyQKx; 1.41 date 2014.05.15.23.52.32; author wiz; state Exp; branches; next 1.40; commitid 9lQrKBRSa8su2HAx; 1.40 date 2014.05.15.02.34.29; author rmind; state Exp; branches; next 1.39; commitid 8BgKbsHLe0ELXzAx; 1.39 date 2014.02.14.01.52.58; author rmind; state Exp; branches 1.39.2.1; next 1.38; commitid P3hIJzv1eN4JC0px; 1.38 date 2014.02.08.01.20.09; author rmind; state Exp; branches; next 1.37; commitid BRiJpYwapYfJDeox; 1.37 date 2014.02.06.07.36.36; author wiz; state Exp; branches; next 1.36; commitid em0CvwLWVW3YM0ox; 1.36 date 2014.02.06.02.51.28; author rmind; state Exp; branches; next 1.35; commitid hfrPRSRxRso9dZnx; 1.35 date 2013.11.19.00.28.41; author rmind; state Exp; branches; next 1.34; commitid 2BwEtvqFu9yBXOdx; 1.34 date 2013.11.12.06.07.30; author wiz; state Exp; branches; next 1.33; commitid fRhQVcafcZKO3Xcx; 1.33 date 2013.11.12.00.46.34; author rmind; state Exp; branches; next 1.32; commitid qkAzbFl6v9gvhVcx; 1.32 date 2013.11.05.13.09.12; author kefren; state Exp; branches; next 1.31; commitid ucP3IYrR3DTiC5cx; 1.31 date 2013.09.20.03.03.52; author rmind; state Exp; branches; next 1.30; commitid Fw9MycO59ZOTJ76x; 1.30 date 2013.09.19.12.05.11; author rmind; state Exp; branches; next 1.29; commitid EO7Jo0AYrveUL26x; 1.29 date 2013.03.10.21.55.40; author christos; state Exp; branches; next 1.28; 1.28 date 2013.03.10.21.17.30; author rmind; state Exp; branches; next 1.27; 1.27 date 2013.02.09.03.35.32; author rmind; state Exp; branches; next 1.26; 1.26 date 2012.12.23.21.01.04; author rmind; state Exp; branches; next 1.25; 1.25 date 2012.12.06.22.36.51; author rmind; state Exp; branches; next 1.24; 1.24 date 2012.11.26.20.34.28; author rmind; state Exp; branches; next 1.23; 1.23 date 2012.09.30.21.15.08; author wiz; state Exp; branches; next 1.22; 1.22 date 2012.09.30.21.09.30; author rmind; state Exp; branches; next 1.21; 1.21 date 2012.09.30.13.15.03; author wiz; state Exp; branches; next 1.20; 1.20 date 2012.09.30.12.59.31; author spz; state Exp; branches; next 1.19; 1.19 date 2012.09.30.07.43.03; author wiz; state Exp; branches; next 1.18; 1.18 date 2012.09.29.19.50.03; author rmind; state Exp; branches; next 1.17; 1.17 date 2012.09.28.18.36.02; author spz; state Exp; branches; next 1.16; 1.16 date 2012.09.26.21.58.27; author rmind; state Exp; branches; next 1.15; 1.15 date 2012.08.13.01.18.31; author rmind; state Exp; branches 1.15.2.1; next 1.14; 1.14 date 2012.07.01.23.21.06; author rmind; state Exp; branches; next 1.13; 1.13 date 2012.06.27.23.05.28; author rmind; state Exp; branches; next 1.12; 1.12 date 2012.06.15.23.24.08; author rmind; state Exp; branches; next 1.11; 1.11 date 2012.05.30.22.00.44; author wiz; state Exp; branches; next 1.10; 1.10 date 2012.05.30.21.30.07; author rmind; state Exp; branches; next 1.9; 1.9 date 2012.02.06.00.41.36; author rmind; state Exp; branches 1.9.2.1; next 1.8; 1.8 date 2012.02.06.00.37.52; author rmind; state Exp; branches; next 1.7; 1.7 date 2012.01.08.22.14.55; author christos; state Exp; branches; next 1.6; 1.6 date 2011.11.29.01.12.09; author riz; state Exp; branches; next 1.5; 1.5 date 2011.03.22.07.31.42; author jruoho; state Exp; branches 1.5.4.1; next 1.4; 1.4 date 2011.02.02.02.20.25; author rmind; state Exp; branches; next 1.3; 1.3 date 2011.01.18.20.33.45; author rmind; state Exp; branches 1.3.2.1; next 1.2; 1.2 date 2010.09.16.04.53.27; author rmind; state Exp; branches; next 1.1; 1.1 date 2010.08.24.23.55.05; author rmind; state Exp; branches; next ; 1.88.2.1 date 2019.10.04.08.06.34; author martin; state Exp; branches; next 1.88.2.2; commitid 2eMCFfoFoyZWxwFB; 1.88.2.2 date 2020.06.20.15.46.48; author martin; state Exp; branches; next ; commitid 1R3KrEVYbMGFJYcC; 1.51.2.1 date 2018.09.06.06.56.51; author pgoyette; state Exp; branches; next 1.51.2.2; commitid HCi1bXD317XIK0RA; 1.51.2.2 date 2018.09.30.01.46.01; author pgoyette; state Exp; branches; next 1.51.2.3; commitid SQ44grEPCeKPh4UA; 1.51.2.3 date 2019.01.18.08.51.02; author pgoyette; state Exp; branches; next 1.51.2.4; commitid Lmlzg3OVT2cd6f8B; 1.51.2.4 date 2019.01.26.22.00.39; author pgoyette; state Exp; branches; next ; commitid JKpcmvSjdT25dl9B; 1.51.4.1 date 2019.06.10.22.10.34; author christos; state Exp; branches; next 1.51.4.2; commitid jtc8rnCzWiEEHGqB; 1.51.4.2 date 2020.04.13.08.05.55; author martin; state Exp; branches; next ; commitid X01YhRUPVUDaec4C; 1.48.4.1 date 2018.09.01.06.19.12; author martin; state Exp; branches; next 1.48.4.2; commitid VkFQT2qthn29KmQA; 1.48.4.2 date 2018.09.27.14.33.30; author martin; state Exp; branches; next ; commitid zWuUG5KGeNbkCKTA; 1.46.2.1 date 2017.04.21.16.54.18; author bouyer; state Exp; branches; next ; commitid dUG7nkTKALCadqOz; 1.44.2.1 date 2017.01.07.08.57.00; author pgoyette; state Exp; branches; next 1.44.2.2; commitid uEL0C1YuiJrlV0Bz; 1.44.2.2 date 2017.03.20.06.58.08; author pgoyette; state Exp; branches; next ; commitid jjw7cAwgyKq7RfKz; 1.42.2.1 date 2014.12.29.17.31.47; author martin; state Exp; branches; next 1.42.2.2; commitid 26xr1AlVVgYuBX3y; 1.42.2.2 date 2015.02.04.07.13.04; author snj; state Exp; branches; next ; commitid DpDYn4n81VdsZE8y; 1.39.2.1 date 2014.08.10.07.00.01; author tls; state Exp; branches; next ; commitid 57d1MwBvOsJLDMLx; 1.15.2.1 date 2012.11.20.03.03.03; author tls; state Exp; branches; next 1.15.2.2; 1.15.2.2 date 2013.02.25.00.30.46; author tls; state Exp; branches; next 1.15.2.3; 1.15.2.3 date 2013.06.23.06.29.05; author tls; state Exp; branches; next 1.15.2.4; commitid OnlO1cBgtQRcIHUw; 1.15.2.4 date 2014.08.20.00.05.11; author tls; state Exp; branches; next ; commitid jTnpym9Qu0o4R1Nx; 1.9.2.1 date 2012.06.26.00.07.20; author riz; state Exp; branches; next 1.9.2.2; 1.9.2.2 date 2012.07.05.17.48.44; author riz; state Exp; branches; next 1.9.2.3; 1.9.2.3 date 2012.08.13.19.43.44; author riz; state Exp; branches 1.9.2.3.2.1; next 1.9.2.4; 1.9.2.4 date 2012.10.01.20.05.56; author riz; state Exp; branches 1.9.2.4.2.1; next 1.9.2.5; 1.9.2.5 date 2012.12.11.04.31.53; author riz; state Exp; branches; next 1.9.2.6; 1.9.2.6 date 2012.12.15.23.31.07; author riz; state Exp; branches; next 1.9.2.7; 1.9.2.7 date 2013.01.07.16.51.07; author riz; state Exp; branches; next 1.9.2.8; 1.9.2.8 date 2013.02.11.21.49.47; author riz; state Exp; branches; next 1.9.2.9; 1.9.2.9 date 2013.03.31.17.43.16; author riz; state Exp; branches; next ; 1.9.2.3.2.1 date 2012.11.01.16.45.07; author matt; state Exp; branches; next ; 1.9.2.4.2.1 date 2012.12.15.23.34.31; author riz; state Exp; branches; next ; 1.5.4.1 date 2012.04.17.00.09.50; author yamt; state Exp; branches; next 1.5.4.2; 1.5.4.2 date 2012.10.30.19.00.43; author yamt; state Exp; branches; next 1.5.4.3; 1.5.4.3 date 2013.01.16.05.34.10; author yamt; state Exp; branches; next 1.5.4.4; 1.5.4.4 date 2013.01.23.00.06.43; author yamt; state Exp; branches; next 1.5.4.5; 1.5.4.5 date 2014.05.22.11.43.07; author yamt; state Exp; branches; next ; commitid wmvImESqVQCgMwBx; 1.3.2.1 date 2011.02.08.16.20.15; author bouyer; state Exp; branches; next ; desc @@ 1.91 log @Major NPF improvements (merge from upstream): - Switch to the C11-style atomic primitives using atomic_loadstore(9). - npfkern: introduce the 'state.key.interface' and 'state.key.direction' settings. Users can now choose whether the connection state should be strictly per-interface or global at the configuration level. Keep NAT logic to be always per-interface, though. - npfkern: rewrite the G/C worker logic and make it self-tuning. - npfkern and libnpf: multiple bug fixes; add param exporting; introduce more parameters. Remove npf_nvlist_{copyin,copyout}() functions and refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have a single entry point for operations. Introduce npf_flow_t and clean up some code. - npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list' more informative; misc usability improvements and more user-friendly error messages. - Amend and improve the manual pages. @ text @.\" $NetBSD$ .\" .\" Copyright (c) 2009-2020 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This material is based upon work partially supported by The .\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" .Dd May 19, 2020 .Dt NPF.CONF 5 .Os .Sh NAME .Nm npf.conf .Nd NPF packet filter configuration file .\" ----- .Sh DESCRIPTION .Nm is the default configuration file for the NPF packet filter. .Pp This manual page serves as a reference for editing .Nm . Please refer to the official NPF documentation website for comprehensive and in-depth information. .Pp There are multiple structural elements that .Nm may contain, such as: .Pp .Bl -bullet -offset indent -compact .It variables .It table definitions (with or without content) .It abstraction groups .It packet filtering rules .It map rules for address translation .It application level gateways .It procedure definitions to call on filtered packets .It parameter settings. .El .Sh SYNTAX .Ss Variables Variables are specified using the dollar .Pq Li $ sign, which is used for both definition and referencing of a variable. Variables are defined by assigning a value to them as follows: .Pp .Dl $var1 = 10.0.0.1 .Pp A variable may also be defined as a set: .Pp .Dl $var2 = { 10.0.0.1, 10.0.0.2 } .Pp Common variable definitions are for IP addresses, networks, ports, and interfaces. .Ss Tables Tables are specified using a name between angle brackets .Sq Li < and .Sq Li > . The following is an example of table definition: .Pp .Dl table type ipset .Pp Currently, tables support three data storage types: .Cm ipset , .Cm lpm , or .Cm const . The contents of the table may be pre-loaded from the specified file. The .Cm const tables are immutable (no insertions or deletions after loading) and therefore must always be loaded from a file. .Pp The specified file should contain a list of IP addresses and/or networks in the form of .Li 10.1.1.1 or .Li 10.0.0.0/24 . .Pp Tables of type .Cm ipset and .Cm const can only contain IP addresses (without masks). The .Cm lpm tables can contain networks and they will perform the longest prefix match on lookup. .Ss Interfaces In NPF, an interface can be referenced directly by using its name, or can be passed to an extraction function which will return a list of IP addresses configured on the actual associated interface. .Pp It is legal to pass an extracted list from an interface in keywords where NPF would expect instead a direct reference to said interface. In this case, NPF infers a direct reference to the interface, and does not consider the list. .Pp There are two types of IP address lists. With a static list, NPF will capture the interface addresses on configuration load, whereas with a dynamic list NPF will capture the runtime list of addresses, reflecting any changes to the interface, including the attach and detach. Note that with a dynamic list, bringing the interface down has no effect, all addresses will remain present. .Pp Three functions exist, to extract addresses from an interface with a chosen list type and IP address type: .Bl -tag -width "Fn ifaddrs interface" -offset indent .It Fn inet4 interface Static list. IPv4 addresses. .It Fn inet6 interface Static list. IPv6 addresses. .It Fn ifaddrs interface Dynamic list. Both IPv4 and IPv6. The .Cm family keyword of a filtering rule can be used in combination to explicitly select an IP address type. This function can also be used with .Cm map to specify the translation address, see below. .El .Pp Example of configuration: .Bd -literal -offset indent $var1 = inet4(wm0) $var2 = ifaddrs(wm0) group default { block in on wm0 all # rule 1 block in on $var1 all # rule 2 block in on inet4(wm0) all # rule 3 pass in on inet6(wm0) from $var2 # rule 4 pass in on wm0 from ifaddrs(wm0) # rule 5 } .Ed .Pp In the above example, .Li $var1 is the static list of IPv4 addresses configured on wm0, and .Li $var2 is the dynamic list of all the IPv4 and IPv6 addresses configured on wm0. The first three rules are equivalent, because with the .Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li > syntax, NPF expects a direct reference to an interface, and therefore does not consider the extraction functions. The fourth and fifth rules are equivalent, for the same reason. .Ss Groups NPF requires that all rules be defined within groups. Groups can be thought of as higher level rules which can contain subrules. Groups may have the following options: name, interface, and direction. Packets matching group criteria are passed to the ruleset of that group. If a packet does not match any group, it is passed to the .Dv default group. The .Dv default group must always be defined. .Pp Example of configuration: .Bd -literal -offset indent group "my-name" in on wm0 { # List of rules, for packets received on wm0 } group default { # List of rules, for the other packets } .Ed .Ss Rules With a rule statement NPF is instructed to .Ic pass or .Ic block a packet depending on packet header information, transit direction and the interface it arrived on, either immediately upon match or using the last match. .Pp If a packet matches a rule which has the .Cm final option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped. Otherwise, the last matching rule is used. .Pp The .Cm proto keyword can be used to filter packets by layer 4 protocol (TCP, UDP, ICMP or other). Its parameter should be a protocol number or its symbolic name, as specified in the .Pa /etc/protocols file. This keyword can additionally have protocol-specific options, such as .Cm flags . .Pp The .Cd flags keyword can be used to match the packets against specific TCP flags, according to the following syntax: .Pp .D1 Ic proto Cm tcp flags Ar match Ns Op Li / Ns Ar mask .Pp Where .Ar match is the set of TCP flags to be matched, out of the .Ar mask set, both sets being represented as a string combination of: .Sq Cm S (SYN), .Sq Cm A (ACK), .Sq Cm F (FIN), and .Sq Cm R (RST). The flags that are not present in .Ar mask are ignored. .Pp To notify the sender of a blocking decision, three .Cm return options can be used in conjunction with a .Ic block rule: .Bl -tag -width "Cm return-icmp" -offset indent .It Cm return Behaves as .Cm return-rst or .Cm return-icmp , depending on whether the packet being blocked is TCP or UDP. .It Cm return-rst Return a TCP RST message, when the packet being blocked is a TCP packet. Applies to IPv4 and IPv6. .It Cm return-icmp Return an ICMP UNREACHABLE message, when the packet being blocked is a UDP packet. Applies to IPv4 and IPv6. .El .Pp The .Cm from and .Cm to keywords are provided to filter by source or destination IP addresses. They can be used in conjunction with the .Cm port keyword. Negation (the exclamation mark) can be used in front of the address filter criteria. .Pp Further packet specification at present is limited to TCP and UDP understanding source and destination ports, and ICMP and IPv6-ICMP understanding icmp-type. .Pp A rule can also instruct NPF to create an entry in the state table when passing the packet or to apply a procedure to the packet (e.g. "log"). .Pp A .Dq fully-featured rule would for example be: .Bd -literal -offset indent pass stateful in final family inet4 proto tcp flags S/SA \e from $source port $sport to $dest port $dport \e apply \*qsomeproc\*q .Ed .Pp Alternatively, NPF supports .Xr pcap-filter 7 syntax, for example: .Pp .Dl block out final pcap-filter \*qtcp and dst 10.1.1.252\*q .Pp Fragments are not selectable since NPF always reassembles packets before further processing. .Ss Stateful NPF supports stateful packet inspection which can be used to bypass unnecessary rule processing as well as to complement NAT. The connection state is uniquely identified by an n-tuple: IP version, layer 4 protocol, source and destination IP addresses and port numbers. Each state is represented by two keys: one for the original flow and one for the reverse flow, so that the reverse lookup on the returning packets would succeed. The packets are matched against the connection direction respectively. .Pp Depending on the settings (see the section on .Li state.key in the .Xr npf-params 7 manual), the connection identifier (keys) may also include the interface ID, making the states per-interface. .Pp Stateful packet inspection is enabled using the .Cm stateful or .Cm stateful-all keywords. The former matches the interface after the state lookup, while the latter avoids matching the interface (assuming the .Li state.key.interface parameter is disabled), i.e. making the state global, and must be used with caution. In both cases, a full TCP state tracking is performed for TCP connections and a limited tracking for message-based protocols (UDP and ICMP). .Pp By default, a stateful rule implies SYN-only flag check .Pq Dq Li flags S/SAFR for the TCP packets. It is not advisable to change this behavior; however, it can be overridden with the aforementioned .Cm flags keyword. .Ss Map Network Address Translation (NAT) is expressed in a form of segment mapping. The translation may be .Cm dynamic (stateful) or .Cm static (stateless). The following mapping types are available: .Pp .Bl -tag -width "Cm \&<->" -offset indent -compact .It Cm \&-> outbound NAT (translation of the source) .It Cm \&<- inbound NAT (translation of the destination) .It Cm \&<-> bi-directional NAT (combination of inbound and outbound NAT) .El .Pp The following would translate the source (10.1.1.0/24) to the IP address specified by .Li $pub_ip for the packets on the interface .Li $ext_if . .Pp .Dl map $ext_if dynamic 10.1.1.0/24 -> $pub_ip .Pp Translations are implicitly filtered by limiting the operation to the network segments specified, that is, translation would be performed only on packets originating from the 10.1.1.0/24 network. Explicit filter criteria can be specified using .Cm pass Ar criteria ... as an additional option of the mapping. .Pp The dynamic NAT implies network address and port translation (NAPT). The port translation can be controlled explicitly. For example, the following provides .Dq port forwarding , redirecting the public port 9022 to the port 22 of an internal host: .Pp .Dl map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 .Pp In the regular dynamic NAT case, it is also possible to disable port translation using the .Cm no-ports flag. .Pp The translation address can also be dynamic, based on the interface. The following would select the IPv4 address(es) currently assigned to the interface: .Pp .Dl map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if) .Pp If the dynamic NAT is configured with multiple translation addresses, then a custom selection algorithm can be chosen using the .Cm algo keyword. The currently available algorithms for the dynamic translation are: .Bl -tag -width "Cm round-robin" -offset indent .It Cm ip-hash The translation address for a new connection is selected based on a hash of the original source and destination addresses. This algorithms attempts to keep all connections of particular client associated with the same translation address. This is the default algorithm. .It Cm round-robin The translation address for each new connection is selected on a round-robin basis. .It Cm netmap See the description below. .El .Pp The static NAT can also have different address translation algorithms, chosen using the .Cm algo keyword. The currently available algorithms are: .Bl -tag -width "Cm netmap" -offset indent .It Cm netmap Network address mapping from one segment to another, leaving the host part as-is. The new address is computed as following: .Pp .Dl addr = net-addr | (orig-addr & ~mask) .It Cm npt66 IPv6-to-IPv6 network prefix translation (NPTv6). .El .Pp If no algorithm is specified, then 1:1 address mapping is assumed. Currently, the static NAT algorithms do not perform port translation. .Ss Application Level Gateways Certain application layer protocols are not compatible with NAT and require translation outside layers 3 and 4. Such translation is performed by packet filter extensions called Application Level Gateways (ALGs). .Pp NPF supports the following ALGs: .Bl -tag -width "Cm icmp" -offset indent .It Cm icmp ICMP ALG. Applies to IPv4 and IPv6. Allows to find an active connection by looking at the ICMP payload, and to perform NAT translation of the ICMP payload. Generally, this ALG is necessary to support .Xr traceroute 8 behind the NAT, when using the UDP or TCP probes. .El .Pp The ALGs are built-in. If NPF is used as kernel module, then they come as kernel modules too. In such case, the ALG kernel modules can be autoloaded through the configuration, using the .Cm alg keyword. .Pp For example: .Pp .Dl alg \*qicmp\*q .Pp Alternatively, the ALG kernel modules can be loaded manually, using .Xr modload 8 . .Ss Procedures A rule procedure is defined as a collection of extension calls (it may have none). Every extension call has a name and a list of options in the form of key-value pairs. Depending on the call, the key might represent the argument and the value might be optional. Available options: .Bl -tag -width "Cm log: Ar interface" -offset indent .It Cm log : Ar interface Log events. This requires the .Pa npf_ext_log kernel module, which would normally get auto-loaded by NPF. The specified npflog interface would also be auto-created once the configuration is loaded. The log packets can be written to a file using the .Xr npfd 8 daemon. .It Cm normalize : Ar option1 Ns Op Li \&, Ar option2 ... Modify packets according to the specified normalization options. This requires the .Pa npf_ext_normalize kernel module, which would normally get auto-loaded by NPF. .El .Pp The available normalization options are: .Bl -tag -width "Cm \*qmin-mss\*q Ar value" -offset indent .It Cm \*qmax-mss\*q Ar value Enforce a maximum value for the Maximum Segment Size (MSS) TCP option. Typically, for .Dq MSS clamping . .It Cm \*qmin-ttl\*q Ar value Enforce a minimum value for the IPv4 Time To Live (TTL) parameter. .It Cm \*qno-df\*q Remove the Don't Fragment (DF) flag from IPv4 packets. .It Cm \*qrandom-id\*q Randomize the IPv4 ID parameter. .El .Pp For example: .Bd -literal -offset indent procedure "someproc" { log: npflog0 normalize: "random-id", "min-ttl" 64, "max-mss" 1432 } .Ed .Pp In this case, the procedure calls the logging and normalization modules. .Ss Parameter settings NPF supports a set of dynamically tunable configuration-wide parameters. For example: .Bd -literal -offset indent set state.tcp.timeout.time_wait 0 # destroy the state immediately .Ed .Pp See .Xr npf-params 7 for the list of parameters and their details. .Ss Misc Text after a hash .Pq Sq # character is considered a comment. The backslash .Pq Sq \e character at the end of a line marks a continuation line, i.e., the next line is considered an extension of the present line. .Sh GRAMMAR The following is a non-formal BNF-like definition of the grammar. The definition is simplified and is intended to be human readable, therefore it does not strictly represent the formal grammar. .Bd -literal # Syntax of a single line. Lines can be separated by LF (\\n) or # a semicolon. Comments start with a hash (#) character. syntax = var-def | set-param | alg | table-def | map | group | proc | comment # Variable definition. Names can be alpha-numeric, including "_" # character. var-name = "$" . string interface = interface-name | var-name var-def = var "=" ( var-value | "{" value *[ "," value ] "}" ) # Parameter setting. set-param = "set" param-value # Application level gateway. The name should be in double quotes. alg = "alg" alg-name alg-name = "icmp" # Table definition. Table ID shall be numeric. Path is in the # double quotes. table-id = table-def = "table" table-id "type" ( "ipset" | "lpm" | "const" ) [ "file" path ] # Mapping for address translation. map = map-common | map-ruleset map-common = "map" interface ( "static" [ "algo" map-algo ] | "dynamic" ) [ map-flags ] [ proto ] map-seg ( "->" | "<-" | "<->" ) map-seg [ "pass" [ proto ] filt-opts ] map-ruleset = "map" "ruleset" group-opts map-algo = "ip-hash" | "round-robin" | "netmap" | "npt66" map-flags = "no-ports" map-seg = ( addr-mask | interface ) [ port-opts ] # Rule procedure definition. The name should be in the double quotes. # # Each call can have its own options in a form of key-value pairs. # Both key and values may be strings (either in double quotes or not) # and numbers, depending on the extension. proc = "procedure" proc-name "{" *( proc-call [ new-line ] ) "}" proc-opts = key [ " " val ] [ "," proc-opts ] proc-call = call-name ":" proc-opts new-line # Group definition and the rule list. group = "group" ( "default" | group-opts ) "{" rule-list "}" group-opts = name-string [ "in" | "out" ] [ "on" interface ] rule-list = [ rule new-line ] rule-list npf-filter = [ "family" family-opt ] [ proto ] ( "all" | filt-opts ) static-rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" | "stateful-all" ] [ "in" | "out" ] [ "final" ] [ "on" interface ] ( npf-filter | "pcap-filter" pcap-filter-expr ) [ "apply" proc-name ] dynamic-ruleset = "ruleset" group-opts rule = static-rule | dynamic-ruleset tcp-flag-mask = tcp-flags tcp-flags = [ "S" ] [ "A" ] [ "F" ] [ "R" ] block-opts = "return-rst" | "return-icmp" | "return" family-opt = "inet4" | "inet6" proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] | "icmp-type" type [ "code" icmp-code ] proto = "proto" protocol [ proto-opts ] filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] filt-addr = [ "!" ] [ interface | addr-mask | table-id | "any" ] port-opts = "port" ( port-num | port-from "-" port-to | var-name ) addr-mask = addr [ "/" mask ] .Ed .\" ----- .Sh FILES .Bl -tag -width Pa -compact .It Pa /dev/npf control device .It Pa /etc/npf.conf default configuration file .It Pa /usr/share/examples/npf directory containing further examples .El .\" ----- .Sh EXAMPLES .Bd -literal $ext_if = { inet4(wm0) } $int_if = { inet4(wm1) } table type ipset file "/etc/npf_blocklist" table type lpm $services_tcp = { http, https, smtp, domain, 6000, 9022 } $services_udp = { domain, ntp, 6000 } $localnet = { 10.1.1.0/24 } alg "icmp" # These NAT rules will dynamically select the interface address(es). map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if) map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- ifaddrs($ext_if) port 9022 procedure "log" { # The logging facility can be used together with npfd(8). log: npflog0 } group "external" on $ext_if { pass stateful out final all block in final from pass stateful in final family inet4 proto tcp to $ext_if \e port ssh apply "log" pass stateful in final proto tcp to $ext_if \e port $services_tcp pass stateful in final proto udp to $ext_if \e port $services_udp pass stateful in final proto tcp to $ext_if \e port 49151-65535 # passive FTP pass stateful in final proto udp to $ext_if \e port 33434-33600 # traceroute } group "internal" on $int_if { block in all block in final from # Ingress filtering as per BCP 38 / RFC 2827. pass in final from $localnet pass out final all } group default { pass final on lo0 all block all } .Ed .\" ----- .Sh SEE ALSO .Xr bpf 4 , .Xr npf 7 , .Xr npf-params 7 , .Xr pcap-filter 7 , .Xr npfctl 8 , .Xr npfd 8 .Pp .Lk http://rmind.github.io/npf/ "NPF documentation website" .Sh HISTORY NPF first appeared in .Nx 6.0 . .Sh AUTHORS NPF was designed and implemented by .An Mindaugas Rasiukevicius . @ 1.90 log @Use -width Pa for FILES. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.89 2019/09/30 00:37:11 rmind Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2019 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd August 25, 2019 d274 11 d310 16 d331 5 a335 4 The former creates a state which is uniquely identified by a 5-tuple (source and destination IP addresses, port numbers and an interface identifier). The latter excludes the interface identifier, i.e. making the state global, and must be used with caution. d517 6 a522 1 NPF supports a set of dynamically tunable parameters. d525 1 a525 1 for specific details. d616 1 a616 2 filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] @ 1.89 log @libnpf/npfctl: support dynamic NAT rulesets using a name prefix. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.88 2019/07/23 14:20:22 wiz Exp $ d592 1 a592 1 .Bl -tag -width /usr/share/examples/npf -compact @ 1.88 log @New sentence, new line. Avoid formatting punctuation. Remove superfluous Pp. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.87 2019/07/23 00:52:02 rmind Exp $ d30 1 a30 1 .Dd May 19, 2019 d359 5 d536 2 a537 1 map = "map" interface d542 1 d544 1 a544 1 map-algo = "npt66" @ 1.88.2.1 log @Pull up following revision(s) (requested by rmind in ticket #282): usr.sbin/npf/npfctl/npf_build.c: revision 1.53 lib/libnpf/npf.c: revision 1.48 usr.sbin/npf/npfctl/npfctl.h: revision 1.50 sys/net/npf/npf_impl.h: revision 1.80 usr.sbin/npf/npfctl/npfctl.h: revision 1.51 sys/net/npf/npf_ruleset.c: revision 1.49 usr.sbin/npf/npfctl/npf.conf.5: revision 1.90 sys/net/npf/npf_ctl.c: revision 1.59 lib/libnpf/libnpf.3: revision 1.11 usr.sbin/npf/npfctl/npf_parse.y: revision 1.50 usr.sbin/npf/npftest/npftest.conf: revision 1.8 usr.sbin/npf/npfctl/npfctl.c: revision 1.62 usr.sbin/npf/npfctl/npfctl.c: revision 1.63 usr.sbin/npf/npfctl/npf_scan.l: revision 1.30 usr.sbin/npf/npfctl/npfctl.8: revision 1.22 lib/libnpf/npf.h: revision 1.38 usr.sbin/npf/npfctl/npfctl.8: revision 1.23 usr.sbin/npf/npfctl/npfctl.8: revision 1.24 sys/net/npf/npf_if.c: revision 1.11 sys/net/npf/npf_if.c: revision 1.12 usr.sbin/npf/npfctl/npf.conf.5: revision 1.89 sys/net/npf/npf_conn.c: revision 1.30 usr.sbin/npf/npfctl/npf_build.c: revision 1.52 npfctl: implement table replace subcommand. Contributed by Timshel Knoll-Miller. NPF ifmap: rework and fix a few small bugs. npfctl: implement table replace subcommand. Contributed by Timshel Knoll-Miller. (missed a file in previous commit; cvs is so helpful..) libnpf/npfctl: support dynamic NAT rulesets using a name prefix. Use -width Pa for FILES. Fix pasto in table replace -t type Use -width Pa for FILES. npf_ifmap_copylogname: be more defensive. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.88 2019/07/23 14:20:22 wiz Exp $ d30 1 a30 1 .Dd August 25, 2019 a358 5 In the regular dynamic NAT case, it is also possible to disable port translation using the .Cm no-ports flag. .Pp d531 1 a531 2 map = map-common | map-ruleset map-common = "map" interface a535 1 map-ruleset = "map" "ruleset" group-opts d537 1 a537 1 map-algo = "ip-hash" | "round-robin" | "netmap" | "npt66" d585 1 a585 1 .Bl -tag -width Pa -compact @ 1.88.2.2 log @Pull up following revision(s) (requested by rmind in ticket #956): usr.sbin/npf/npf-params.7: revision 1.4 sys/net/npf/npf_worker.c: revision 1.9 usr.sbin/npf/npftest/npftest.h: revision 1.17 usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16 usr.sbin/npf/npf-params.7: revision 1.5 sys/net/npf/npf_state_tcp.c: revision 1.21 usr.sbin/npf/npfctl/npf_build.c: revision 1.55 usr.sbin/npf/npf-params.7: revision 1.6 sys/net/npf/npfkern.h: revision 1.5 lib/libnpf/npf.c: revision 1.49 usr.sbin/npf/npf-params.7: revision 1.7 sys/net/npf/npf_impl.h: revision 1.81 sys/net/npf/npf_ext_log.c: revision 1.17 usr.sbin/npf/npfctl/npfctl.h: revision 1.53 usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11 sys/net/npf/npf_nat.c: revision 1.50 sys/net/npf/npf_mbuf.c: revision 1.24 sys/net/npf/npf_alg.c: revision 1.22 usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14 usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10 sys/net/npf/npf.h: revision 1.63 usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21 usr.sbin/npf/npfctl/npf_var.c: revision 1.13 sys/net/npf/files.npf: revision 1.23 usr.sbin/npf/npfctl/npf_show.c: revision 1.32 usr.sbin/npf/npfctl/npf.conf.5: revision 1.91 sys/net/npf/npf_os.c: revision 1.18 sys/net/npf/npf_connkey.c: revision 1.2 sys/net/npf/npf_conf.c: revision 1.17 lib/libnpf/libnpf.3: revision 1.12 usr.sbin/npf/npftest/npftest.c: revision 1.25 usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1 usr.sbin/npf/npfctl/npf_parse.y: revision 1.51 sys/net/npf/npf_tableset.c: revision 1.35 usr.sbin/npf/npftest/npftest.conf: revision 1.9 sys/net/npf/npf_sendpkt.c: revision 1.22 usr.sbin/npf/npfctl/npf_var.h: revision 1.10 sys/net/npf/npf_state.c: revision 1.23 sys/net/npf/npf_conn.h: revision 1.20 usr.sbin/npf/npfctl/npfctl.c: revision 1.64 usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1 sys/net/npf/npf_portmap.c: revision 1.5 sys/net/npf/npf_params.c: revision 1.3 usr.sbin/npf/npfctl/npf_scan.l: revision 1.32 tests/net/npf/t_npf.sh: revision 1.4 sys/net/npf/npf_ext_rndblock.c: revision 1.9 lib/libnpf/npf.h: revision 1.39 sys/net/npf/npf_ruleset.c: revision 1.51 sys/net/npf/npf_alg_icmp.c: revision 1.33 sys/net/npf/npf.c: revision 1.43 usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17 usr.sbin/npf/npfctl/npfctl.8: revision 1.25 sys/net/npf/npf_ctl.c: revision 1.60 usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18 usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11 sys/net/npf/npf_handler.c: revision 1.49 sys/net/npf/npf_inet.c: revision 1.57 sys/net/npf/npf_ifaddr.c: revision 1.7 sys/net/npf/npf_conndb.c: revision 1.9 sys/net/npf/npf_if.c: revision 1.13 usr.sbin/npf/npfctl/Makefile: revision 1.15 sys/net/npf/npf_conn.c: revision 1.32 sys/net/npf/npf_ext_normalize.c: revision 1.10 sys/net/npf/npf_rproc.c: revision 1.20 sys/net/npf/npf_worker.c: revision 1.8 Major NPF improvements (merge from upstream): - Switch to the C11-style atomic primitives using atomic_loadstore(9). - npfkern: introduce the 'state.key.interface' and 'state.key.direction' settings. Users can now choose whether the connection state should be strictly per-interface or global at the configuration level. Keep NAT logic to be always per-interface, though. - npfkern: rewrite the G/C worker logic and make it self-tuning. - npfkern and libnpf: multiple bug fixes; add param exporting; introduce more parameters. Remove npf_nvlist_{copyin,copyout}() functions and refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have a single entry point for operations. Introduce npf_flow_t and clean up some code. - npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list' more informative; misc usability improvements and more user-friendly error messages. - Amend and improve the manual pages. npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar. npftest -- npf_test_init(): add a workaround for NetBSD. npf-params(7): fix the state.key defaults. npf-params.7: s/filer/filter/ Adjust to "npfctl debug" command line changes, from rmind@@. Use more markup. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.88.2.1 2019/10/04 08:06:34 martin Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2020 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd May 19, 2020 a273 11 The .Cm from and .Cm to keywords are provided to filter by source or destination IP addresses. They can be used in conjunction with the .Cm port keyword. Negation (the exclamation mark) can be used in front of the address filter criteria. .Pp a298 16 NPF supports stateful packet inspection which can be used to bypass unnecessary rule processing as well as to complement NAT. The connection state is uniquely identified by an n-tuple: IP version, layer 4 protocol, source and destination IP addresses and port numbers. Each state is represented by two keys: one for the original flow and one for the reverse flow, so that the reverse lookup on the returning packets would succeed. The packets are matched against the connection direction respectively. .Pp Depending on the settings (see the section on .Li state.key in the .Xr npf-params 7 manual), the connection identifier (keys) may also include the interface ID, making the states per-interface. .Pp d304 4 a307 5 The former matches the interface after the state lookup, while the latter avoids matching the interface (assuming the .Li state.key.interface parameter is disabled), i.e. making the state global, and must be used with caution. d489 1 a489 6 NPF supports a set of dynamically tunable configuration-wide parameters. For example: .Bd -literal -offset indent set state.tcp.timeout.time_wait 0 # destroy the state immediately .Ed .Pp d492 1 a492 1 for the list of parameters and their details. d583 2 a584 1 filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] @ 1.87 log @NPF improvements: - Add support for dynamic NETMAP algorithm (stateful net-to-net). - Add most of the support for the dynamic NAT rules; a little bit more userland work is needed to finish this up and enable. - Replace 'stateful-ends' with more permissive 'stateful-all'. - Add various tunable parameters and document them, see npf-params(7). - Reduce the memory usage of the connection state table (conndb). - Portmap rewrite: use memory more efficiently, handle addresses dynamically. - Bug fix: add splsoftnet()/splx() around the thmap writers and comment. - npftest: clean up and simplify; fix some memleaks to make ASAN happy. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.86 2019/04/08 07:58:45 wiz Exp $ d307 1 a307 1 and must be used with precaution. a376 1 .Pp d442 1 a442 1 .It Cm log: Ar interface d453 1 a453 1 .It Cm normalize: Ar option1 Ns Op Li \&, Ar option2 ... d484 2 a485 1 NPF supports a set of dynamically tunable parameters. See @ 1.86 log @Improve wording. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.85 2019/04/07 22:23:40 rmind Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2018 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd February 2, 2019 d64 3 a66 1 procedure definitions to call on filtered packets. d302 1 a302 1 .Cm stateful-ends d306 2 a307 2 The latter excludes the interface identifier and must be used with precaution. d359 3 a361 2 The translation address can also by dynamic, based on the interface. The following would select the IPv4 address(es) currently assigned to the interface: d369 1 a369 1 The currently available algorithms are: d381 2 d484 4 d559 1 a559 1 [ "stateful" | "stateful-ends" ] d651 1 @ 1.85 log @npf.conf(5): Add more info about ifaddrs(). @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.84 2019/01/19 21:19:32 rmind Exp $ d358 1 a358 1 The following would select IPv4 address currently assigned to the interface: @ 1.84 log @Major NPF improvements: - Convert NPF connection table to thmap. State lookup is now lock-free. - Improve connection state G/C: it is now incremental and tunable. - Add support for dynamic NAT address. Translation addresses can now be selected from a pool of addresses. There are two selection algorithms, "ip-hash" and "round-robin" (see the man page). - Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf to dynamically choose an IP from the interface address(es). - Add support for the NETMAP algorithm with static NAT for net-to-net translation (it is equivalent to iptables NETMAP logic). - Convert 'ipset' tables to use thmap; the table lookup is now lock-free. - Misc improvements, bug fixes and more unit tests. - Bump NPF_VERSION (will also bump libnpf). @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.83 2019/01/08 11:36:10 uwe Exp $ d30 1 a30 1 .Dd January 14, 2019 d151 3 d160 1 d357 5 d599 3 a601 4 # Note: if $ext_if has multiple IP address (e.g. IPv6 as well), # then the translation address has to be specified explicitly. map $ext_if dynamic 10.1.1.0/24 -> $ext_if map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 d646 1 a646 1 .Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation website" @ 1.83 log @Actually, according to the grammar the square brackets in the "tcp flags" are not literal, so use .Op to show that /mask is optional. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.82 2019/01/08 11:28:01 uwe Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd January 8, 2019 d89 1 a89 1 .Dl table type hash dynamic d92 2 a93 2 .Cm hash , .Cm tree , d95 6 a100 13 .Cm cdb . Tables can also be set as containing .Cm dynamic data or static .Cm file Ar filename data loaded from a specified file. Tables of type .Dq hash and .Dq cdb can only contain IP addresses, without masks. Only static data can be used with a storage type of .Dq cdb . d102 2 a103 2 The specified file should contain a list of IP addresses and/or networks in the form of d106 11 a116 1 .Li 10.0.0.0/24 d353 2 a354 2 The static NAT can have different address translation algorithms, which can be chosen using the d358 25 a382 1 .Bl -tag -width "Cm npt66" -offset indent d387 1 d508 2 a509 2 table-def = "table" table-id "type" ( "hash" | "tree" | "cdb" ) ( "dynamic" | "file" path ) d581 2 a582 2 table type hash file "/etc/npf_blacklist" table type tree dynamic d603 1 a603 1 block in final from @ 1.82 log @Restore macro with effect. Fix the real problem that prevented it to have the effect. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.81 2019/01/08 10:25:26 wiz Exp $ d226 1 a226 1 .D1 Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns Li \&] @ 1.81 log @New sentence, new line. Punctuation fixes. Remove macros without effect. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.80 2019/01/08 01:19:16 gutteridge Exp $ d226 1 a226 1 .Dl Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns ] @ 1.80 log @npf.conf(5): add a minor clarification about table types that can't accept masks on IP addresses. Prompted by Rob Hunter in PR bin/51900. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.79 2018/09/21 10:59:11 uwe Exp $ d92 1 a92 1 .Cm hash, d136 2 a137 1 Static list. IPv4 addresses. d139 2 a140 1 Static list. IPv6 addresses. d142 2 a143 1 Dynamic list. Both IPv4 and IPv6. d170 1 a170 1 .Li Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li > d226 1 a226 1 .Dl Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns Li ] @ 1.79 log @According to the grammar and examples the static table is defined with "file" keyword, not "static". @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.78 2018/09/21 09:42:18 uwe Exp $ d30 1 a30 1 .Dd September 21, 2018 d105 1 a105 1 can only contain IP addresses. @ 1.78 log @Improve markup. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.77 2018/09/21 07:22:26 maxv Exp $ d98 3 a100 3 or .Cm static data i.e. loaded from a specified file. @ 1.77 log @Wrap long lines, so that nothing overflows. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.76 2018/09/19 15:36:12 maxv Exp $ d49 2 a50 1 .Bl -bullet -offset indent d68 3 a70 1 Variables are specified using the dollar ($) sign, which is used for both d73 2 a74 3 .Bd -literal $var1 = 10.0.0.1 .Ed d77 2 a78 3 .Bd -literal $var2 = { 10.0.0.1, 10.0.0.2 } .Ed d84 3 a86 1 < and >. a87 2 .Bd -literal table type hash dynamic d89 19 a107 6 .Ed Currently, tables support three data storage types: "hash", "tree", or "cdb". Tables can also be set as containing "dynamic" or "static" data i.e. loaded from a specified file. Tables of type "hash" and "cdb" can only contain IP addresses. Only static data can be used with a storage type of "cdb". d110 4 a113 5 form of: .Bd -literal 10.0.0.0/24 10.1.1.1 .Ed d129 1 a129 1 Note that with a dynamic list, marking the interface as ``down'' has no effect, d134 7 a140 7 .Bl -tag -width Xifaddrs()XX -offset indent .It Fn inet4 Static list, IPv4 addresses. .It Fn inet6 Static list, IPv6 addresses. .It Fn ifaddrs Dynamic list, both IPv4 and IPv6. d142 2 a143 2 .Cd family keyword can be used in combination of a filtering rule to explicitly select d148 1 a148 1 .Bd -literal d160 6 a165 3 In the above example, $var1 is the static list of IPv4 addresses configured on wm0, and $var2 is the dynamic list of all the IPv4 and IPv6 addresses configured on wm0. d167 1 a167 1 .Cd block ... on d177 2 a178 1 .Cd default group . d180 2 a181 2 .Cd default group must always be defined. d184 1 a184 1 .Bd -literal d194 1 a194 1 .Cd pass d196 1 a196 1 .Cd block d202 1 a202 1 .Cd final d208 1 a208 1 .Cd proto d216 1 a216 1 .Cd flags . d222 2 a223 3 .Bl -tag -width protoXX -offset indent .It proto tcp flags Ar match[/mask] .El d229 10 a238 2 set, both sets being represented as a string combination of: S (SYN), A (ACK), F (FIN), R (RST). The flags that are not present in d243 1 a243 1 .Cd return d245 1 a245 1 .Cd block d247 8 a254 5 .Bl -tag -width Xreturn-icmpXX -offset indent .It return Behaves as return-rst or return-icmp, depending on whether the packet being blocked is TCP or UDP. .It return-rst d257 1 a257 1 .It return-icmp d269 7 a275 4 A "fully-featured" rule would for example be: .Bd -literal pass stateful in final family inet4 proto tcp flags S/SA \\ from $source port $sport to $dest port $dport apply "someproc" d281 2 a282 3 .Bd -literal block out final pcap-filter "tcp and dst 10.1.1.252" .Ed d288 1 a288 1 .Cd stateful d290 1 a290 1 .Cd stateful-ends d299 2 a300 1 By default, a stateful rule implies SYN-only flag check ("flags S/SAFR") d304 1 a304 1 .Cd flags d309 1 a309 1 .Cd dynamic d311 1 a311 1 .Cd static d314 3 a316 2 .Bl -tag -width <-> -offset indent .It Pa -> d318 1 a318 1 .It Pa <- d320 1 a320 1 .It Pa <-> d325 6 a330 4 specified by $pub_ip for the packets on the interface $ext_if. .Bd -literal map $ext_if dynamic 10.1.1.0/24 -> $pub_ip .Ed d335 3 a337 2 Explicit filter criteria can be specified using "pass " as an additional option of the mapping. d339 1 a339 3 The .Cd dynamic NAT implies network address and port translation (NAPT). d341 5 a345 5 For example, the following provides "port forwarding", redirecting the public port 9022 to the port 22 of an internal host: .Bd -literal map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 .Ed d347 1 a347 3 The .Cd static NAT can have different address translation algorithms, which d349 1 a349 1 .Cd algo d352 2 a353 2 .Bl -tag -width Xnpt66XX -offset indent .It npt66 d365 2 a366 2 .Bl -tag -width XicmpXX -offset indent .It icmp d371 3 a373 2 Generally, this ALG is necessary to support "traceroute" behind the NAT, when using the UDP or TCP probes. d380 1 a380 1 .Cd alg d384 2 a385 3 .Bd -literal alg "icmp" .Ed d397 2 a398 2 .Bl -tag -width Xlog:XinterfaceXX -offset indent .It log: Ar interface d400 3 a402 1 This requires the npf_ext_log kernel module, which would normally get d409 1 a409 5 .It normalize: Xo .Ar option1 .Op , Ar option2 .Ar ... .Xc d411 3 a413 2 This requires the npf_ext_normalize kernel module, which would normally get auto-loaded by NPF. d417 6 a422 4 .Bl -tag -width XXmin-ttlXXvalueXX -offset indent .It Dq random-id Randomize the IPv4 ID parameter. .It Do min-ttl Dc Ar value d424 1 a424 4 .It Do max-mss Dc Ar value Enforce a maximum value for the MSS on TCP packets. Typically, for "MSS clamping". .It Dq no-df d426 2 d431 1 a431 1 .Bd -literal @ 1.76 log @Switch back to tabs, it was nicer this way. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.75 2018/09/04 15:36:01 maxv Exp $ d30 1 a30 1 .Dd September 19, 2018 d428 2 a429 1 # Variable definition. Names can be alpha-numeric, including "_" character. d443 2 a444 1 # Table definition. Table ID shall be numeric. Path is in the double quotes. d497 2 a498 1 filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] d543 10 a552 5 pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log" pass stateful in final proto tcp to $ext_if port $services_tcp pass stateful in final proto udp to $ext_if port $services_udp pass stateful in final proto tcp to $ext_if port 49151-65535 # passive FTP pass stateful in final proto udp to $ext_if port 33434-33600 # traceroute @ 1.75 log @Fix the "Interfaces" section, I understood wrong. Talk about inference, because it was not mentioned before, and it plays an important role. Discussed with rmind. Probably not the last pass. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.74 2018/09/02 18:03:23 wiz Exp $ d30 1 a30 1 .Dd September 4, 2018 d532 2 a533 2 # The logging facility can be used together with npfd(8). log: npflog0 d537 1 a537 1 pass stateful out final all d539 6 a544 6 block in final from pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log" pass stateful in final proto tcp to $ext_if port $services_tcp pass stateful in final proto udp to $ext_if port $services_udp pass stateful in final proto tcp to $ext_if port 49151-65535 # passive FTP pass stateful in final proto udp to $ext_if port 33434-33600 # traceroute d548 2 a549 2 block in all block in final from d551 3 a553 3 # Ingress filtering as per BCP 38 / RFC 2827. pass in final from $localnet pass out final all d557 2 a558 2 pass final on lo0 all block all @ 1.74 log @New sentence, new line. Use Fn for functions. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.73 2018/09/02 17:45:18 maxv Exp $ d30 1 a30 1 .Dd September 2, 2018 d102 14 a115 10 In the context of NPF, an interface is seen as a list of IP addresses, that can be IPv4 or IPv6, which are configured on the actual associated interface. .Pp Such list can be either static or dynamic. With a static list, NPF will capture the interface addresses on configuration load, whereas with a dynamic list NPF will capture the runtime list of addresses, reflecting any changes to the interface, including the attach and detach. .Pp d134 1 a134 5 By default, when no extraction function is used, .Fn ifaddrs is assumed. .Pp Example of configuration with static interface lists: d136 9 a144 12 $pub_if4 = inet4(wm0) $pub_if46 = { inet4(wm0), inet6(wm0) } .Ed .Pp In the above example, $pub_if4 is the list of IPv4 addresses configured on wm0, and $pub_if46 is the list of IPv4 and IPv6 addresses configured on wm0. .Pp Example of configuration with dynamic interface lists: .Bd -literal $pub_if_1 = ifaddrs(wm0) $pub_if_2 = wm0 d147 8 a154 1 In the above example, $pub_if_1 and $pub_if_2 are equal. @ 1.73 log @Be clearer about the difference between static vs dynamic interface list, and slightly improve wording. My understanding is that when none of inet4/inet6/ifaddrs is passed, NPF assumes ifaddrs. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.72 2018/09/01 19:26:46 wiz Exp $ d106 2 a107 1 Such list can be either static or dynamic. With a static list, NPF will d118 1 a118 1 .It inet4() d120 1 a120 1 .It inet6() d122 1 a122 1 .It ifaddrs() d130 3 a132 1 By default, when no extraction function is used, ifaddrs() is assumed. @ 1.72 log @Remove superfluous Pp. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.71 2018/09/01 16:28:57 rmind Exp $ d30 1 a30 1 .Dd September 1, 2018 d102 28 a129 4 Interfaces can be specified as the values of the variables: .Bd -literal $pub_if_list = { inet4(wm0), inet4(wm1) } .Ed d131 1 a131 4 In the context of filtering, an interface provides a list of all its IP addresses, both IPv4 and IPv6. Specific addresses configured on an interface can also be selected by family, e.g.: d137 3 a139 2 In the above examples, NPF will statically capture the interface addresses on configuration load. d141 1 a141 1 The following can be used for dynamic handling of the interface addresses: d143 2 a144 1 $pub_if = ifaddrs(wm0) d147 1 a147 10 In this case, the expression will represent the runtime list of addresses, reflecting any changes to the interface, including the attach and detach. Marking the interface as ``down'' has no effect, i.e. all addresses will remain present. .Pp A dynamic address list represents both the IPv4 and IPv6 addresses configured on an interface. The .Cd family keyword can be used in combination of a filtering rule to be explicit. d191 3 a193 1 The protocol keyword can additionally have protocol-specific options. d298 3 a300 1 The dynamic NAT implies network address and port translation (NAPT). d308 3 a310 1 The static NAT can have different address translation algorithms, which @ 1.71 log @npf.conf(5): fix some of the previous incorrect or inaccurate changes. The TCP flags option is not only for the stateful tracking. Dynamic NAT implies NAPT; algorithms, at least for now, are for static NAT mappings. Mention that ALG ICMP is also for traceroute behind NAT; also mention "MSS clamping" (some users might search for this term, so keeping the terminology is helpful). @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.70 2018/08/31 11:18:35 maxv Exp $ a300 1 .Pp @ 1.70 log @rename net-seg -> map-seg, and document it @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.68 2018/08/31 11:01:09 maxv Exp $ d30 1 a30 1 .Dd August 31, 2018 d90 2 a91 2 Tables can also be set as containing "dynamic" or "static" data i.e. loaded from a specified file. d169 25 a193 3 A rule can also instruct NPF to create an entry in the state table when passing the packet, to notify the sender when blocking it, and to apply a procedure to the packet (e.g. "log") in either case. d212 7 a224 8 Any protocol in .Pa /etc/protocols can be specified. Further packet specification at present is limited to protocol TCP understanding flags, TCP and UDP understanding source and destination ports, and ICMP and IPv6-ICMP understanding icmp-type. .Pp a246 19 The .Cd flags keyword can be used in conjunction with the .Cd stateful keyword to match the packets against specific TCP flags, according to the following syntax: .Bl -tag -width flagsXX -offset indent .It flags Ar match[/mask] .El .Pp Where .Ar match is the set of TCP flags to be matched, out of the .Ar mask set, both sets being represented as a string combination of: S (SYN), A (ACK), F (FIN), R (RST). The flags that are not present in .Ar mask are ignored. .Pp d276 16 a291 1 Several NAT algorithms are available, and can be chosen using the d294 1 a294 2 By default, NPF will use the NAPT algorithm. The other available algorithms are: d300 2 a301 5 Translations are implicitly filtered by limiting the operation to the network segments specified, that is, translation would be performed only on packets originating from the 10.1.1.0/24 network. Explicit filter criteria can be specified using "pass " as an additional option of the mapping. d312 1 d315 2 a316 1 Applies to IPv4 and IPv6. d319 3 a321 3 The ALGs are built-in, unless NPF is used as kernel module, in which case they come as kernel modules too. In that case, the ALG kernel modules can be autoloaded through the d369 1 a461 1 proto = "proto" protocol [ proto-opts ] d463 1 d467 1 d506 2 a507 2 # The logging facility can be used together with npfd(8). log: npflog0 d511 1 a511 1 pass stateful out final all d513 6 a518 6 block in final from pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log" pass stateful in final proto tcp to $ext_if port $services_tcp pass stateful in final proto udp to $ext_if port $services_udp pass stateful in final proto tcp to $ext_if port 49151-65535 # Passive FTP pass stateful in final proto udp to $ext_if port 33434-33600 # Traceroute d522 2 a523 2 block in all block in final from d525 3 a527 3 # Ingress filtering as per BCP 38 / RFC 2827. pass in final from $localnet pass out final all d531 2 a532 2 pass final on lo0 all block all @ 1.69 log @"interface" already contains "var-name", so don't mention it in "filt-addr", that's redundant @ text @d411 1 a411 1 net-seg ( "->" | "<-" | "<->" ) net-seg d416 1 a451 1 addr-mask = addr [ "/" mask ] d456 1 @ 1.68 log @should be port-opts @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.67 2018/08/31 10:52:30 maxv Exp $ d453 1 a453 2 filt-addr = [ "!" ] [ interface | var-name | addr-mask | table-id | "any" ] @ 1.67 log @Clarify the "Groups" section. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.66 2018/08/27 13:20:47 wiz Exp $ d455 2 a456 1 filt-port = "port" ( port-num | port-from "-" port-to | var-name ) @ 1.66 log @Add missing -width; remove unnecessary .Pp. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.65 2018/08/27 13:09:16 maxv Exp $ d30 1 a30 1 .Dd August 27, 2018 d135 2 d138 8 a145 1 They are defined in the following form: d148 4 a151 1 # List of rules a153 4 A minimal .Nm must contain a mandatory .Cd default group . @ 1.65 log @Improve the "Map" section. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.64 2018/08/27 12:46:03 maxv Exp $ d224 1 a224 1 .Bl -tag -offset indent a250 1 .Pp @ 1.64 log @Document ALGs. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.63 2018/08/17 12:20:49 maxv Exp $ d261 2 a262 2 The following would translate the source to the IP address specified by the $pub_ip for the packets on the interface $ext_if. d267 10 @ 1.63 log @Add the values of "algo" in the grammar, and use # as comment marker for man-k.org (and others) not to highlight things in an incorrect way. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.62 2018/08/17 12:04:20 maxv Exp $ d30 1 a30 1 .Dd August 17, 2018 d61 2 d272 29 d378 1 a378 1 # Application level gateway. The name should be in the double quotes. d381 1 @ 1.62 log @Add missing quote in static-rule, it causes man-k.org (and other tools) to wrongly highlight the grammar. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.61 2018/08/17 10:24:19 maxv Exp $ d332 2 a333 2 ; Syntax of a single line. Lines can be separated by LF (\\n) or ; a semicolon. Comments start with a hash (#) character. d338 1 a338 1 ; Variable definition. Names can be alpha-numeric, including "_" character. d344 1 a344 1 ; Parameter setting. d347 1 a347 1 ; Application level gateway. The name should be in the double quotes. d351 1 a351 1 ; Table definition. Table ID shall be numeric. Path is in the double quotes. d357 1 a357 1 ; Mapping for address translation. d360 1 a360 1 ( "static" [ "algo" algorithm ] | "dynamic" ) d365 1 d368 5 a372 5 ; Rule procedure definition. The name should be in the double quotes. ; ; Each call can have its own options in a form of key-value pairs. ; Both key and values may be strings (either in double quotes or not) ; and numbers, depending on the extension. d378 1 a378 1 ; Group definition and the rule list. @ 1.61 log @Replace "rproc"->"proc" in the grammar (spotted by he@@), and slightly reword. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.60 2018/08/17 10:16:24 maxv Exp $ d386 1 a386 1 [ "in" | out" ] [ "final" ] [ "on" interface ] @ 1.60 log @Replace () by [] in tcp-flags. Fix proc-opts, the value is optional, noted by he@@. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.59 2018/08/16 09:58:00 maxv Exp $ d228 1 a228 1 is the set of TCP flags we want to match out of the d336 1 a336 1 map | group | rproc | comment @ 1.59 log @Improve wording. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.58 2018/08/16 09:50:37 maxv Exp $ d30 1 a30 1 .Dd August 16, 2018 d374 1 a374 1 proc-opts = key " " val [ "," proc-opts ] d394 1 a394 1 tcp-flags = ("S")("A")("F")("R") @ 1.58 log @Improve the "Map" section a little. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.57 2018/08/16 09:46:18 maxv Exp $ d228 1 a228 1 is the set of TCP flags present in the @ 1.57 log @Document the "flags" keyword. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.56 2018/08/16 09:21:00 maxv Exp $ d243 5 a247 1 The translation may be dynamic (stateful) or static (stateless). d250 1 a250 1 .Bl -tag -width <-> -compact d267 1 a267 1 on packets originating from 10.1.1.0/24 network. @ 1.56 log @Improve the "Rules" section: better explain the "final" keyword (it is the same as PF's "quick", so use the same wording), and document the "return" options. While here simplify the man code, suggested by wiz. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.55 2018/08/16 08:51:53 maxv Exp $ d204 1 a204 1 Stateful packet inspection is enabled using d216 19 d238 1 a238 1 it can be overridden with the d389 2 @ 1.55 log @Add quotes around the option names, to match the actual npf conf. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.54 2018/08/16 08:37:51 maxv Exp $ d150 10 a159 4 the interface it arrived on, either immediately upon match (keyword .Cd final ) or using the last match. The rule can also instruct NPF to create an entry in the state table d163 17 d279 1 a279 3 .It Dq min-ttl Xo .Ar value .Xc d281 1 a281 3 .It Dq max-mss Xo .Ar value .Xc @ 1.54 log @Enlighten the "Procedures" section. In particular document the "no-df" option. Also replace "normalisation" -> "normalization", to match the name of the rule. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.53 2018/08/13 06:06:13 wiz Exp $ d253 2 a254 2 .Bl -tag -width Xmin-ttlXvalueXX -offset indent .It random-id d256 3 a258 1 .It min-ttl Ar value d260 3 a262 1 .It max-mss Ar value d264 1 a264 1 .It no-df @ 1.53 log @Add missing El. Remove trailing whitespace. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.52 2018/08/07 00:22:13 sevan Exp $ d30 1 a30 1 .Dd August 7, 2018 d231 33 d272 1 a272 13 In this case, the procedure calls the logging and normalisation modules. The logging facility requires the npf_ext_log kernel module which would normally get auto-loaded by NPF. The specified npflog interface would also be auto-created once the configuration is loaded. The log packets can be written to a file using the .Xr npfd 8 daemon. .Pp Traffic normalisation has a set of different mechanisms. In the example above, the normalisation procedure has arguments which apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF) flag cleansing, minimum TTL enforcement and TCP MSS "clamping". @ 1.52 log @First pass at editing this manual. Add a link to the NPF documentation website and refer to it. Switch the multiple structural elements to a list to make it easier to read and extend. Clarify tables, re-order so all terms are before the example. Clarify obtaining addresses per family Move the minimum requirement for a default group to the group section. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.51 2017/12/11 23:07:49 wiz Exp $ d62 1 a62 1 d131 1 a131 1 keyword can be used in combination of a filtering rule to be explicit. @ 1.51 log @Remove superfluous Pp. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.50 2017/12/10 22:04:41 rmind Exp $ d30 1 a30 1 .Dd December 10, 2017 d43 1 a43 1 Please refer to the official NPF documentation for comprehensive and d46 1 a46 1 There are multiple structural elements d48 15 a62 16 may contain: .Cd variable and .Cd table definitions (with or without content), abstraction .Cd groups , packet filtering .Cd rules , .Cd map rules for address translation and .Cd procedure definitions to call on filtered packets. The minimal .Nm must contain a mandatory .Cd default group . d65 2 a66 2 Variables are specified using the dollar ($) sign, which is used both in definitions and uses of a variable. d87 5 a91 2 Currently, tables support three storage types: "hash", "tree", or "cdb". They can also be "dynamic" or static i.e. loaded from the specified file. d93 2 a94 1 The file should contain a list of IP addresses and/or networks in the form of: a98 3 .Pp Tables of type "hash" and "cdb" can only contain IP addresses. Also, the latter can only be static. d105 4 a108 3 In the context of filtering, an interface provides a list of its all IP addresses, including IPv4 and IPv6. Specific interface addresses can be selected by the family, e.g.: d127 3 a129 2 The dynamic address list represents both the IPv4 and IPv6 addresses, therefore the d131 1 a131 1 keyword can be used in combination to make the filtering more narrow. d140 4 d150 1 a150 1 interface it arrives on, either immediately upon match (keyword d405 2 @ 1.51.4.1 log @Sync with HEAD @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.86 2019/04/08 07:58:45 wiz Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2018 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd February 2, 2019 d43 1 a43 1 Please refer to the official NPF documentation website for comprehensive and d46 1 a46 1 There are multiple structural elements that d48 16 a63 18 may contain, such as: .Pp .Bl -bullet -offset indent -compact .It variables .It table definitions (with or without content) .It abstraction groups .It packet filtering rules .It map rules for address translation .It application level gateways .It procedure definitions to call on filtered packets. .El d66 2 a67 4 Variables are specified using the dollar .Pq Li $ sign, which is used for both definition and referencing of a variable. d69 3 a71 2 .Pp .Dl $var1 = 10.0.0.1 d74 3 a76 2 .Pp .Dl $var2 = { 10.0.0.1, 10.0.0.2 } d82 1 a82 3 .Sq Li < and .Sq Li > . d84 2 d87 3 a89 1 .Dl table type ipset d91 5 a95 16 Currently, tables support three data storage types: .Cm ipset , .Cm lpm , or .Cm const . The contents of the table may be pre-loaded from the specified file. The .Cm const tables are immutable (no insertions or deletions after loading) and therefore must always be loaded from a file. .Pp The specified file should contain a list of IP addresses and/or networks in the form of .Li 10.1.1.1 or .Li 10.0.0.0/24 . d97 2 a98 9 Tables of type .Cm ipset and .Cm const can only contain IP addresses (without masks). The .Cm lpm tables can contain networks and they will perform the longest prefix match on lookup. d100 15 a114 37 In NPF, an interface can be referenced directly by using its name, or can be passed to an extraction function which will return a list of IP addresses configured on the actual associated interface. .Pp It is legal to pass an extracted list from an interface in keywords where NPF would expect instead a direct reference to said interface. In this case, NPF infers a direct reference to the interface, and does not consider the list. .Pp There are two types of IP address lists. With a static list, NPF will capture the interface addresses on configuration load, whereas with a dynamic list NPF will capture the runtime list of addresses, reflecting any changes to the interface, including the attach and detach. Note that with a dynamic list, bringing the interface down has no effect, all addresses will remain present. .Pp Three functions exist, to extract addresses from an interface with a chosen list type and IP address type: .Bl -tag -width "Fn ifaddrs interface" -offset indent .It Fn inet4 interface Static list. IPv4 addresses. .It Fn inet6 interface Static list. IPv6 addresses. .It Fn ifaddrs interface Dynamic list. Both IPv4 and IPv6. The .Cm family keyword of a filtering rule can be used in combination to explicitly select an IP address type. This function can also be used with .Cm map to specify the translation address, see below. .El d116 3 a118 12 Example of configuration: .Bd -literal -offset indent $var1 = inet4(wm0) $var2 = ifaddrs(wm0) group default { block in on wm0 all # rule 1 block in on $var1 all # rule 2 block in on inet4(wm0) all # rule 3 pass in on inet6(wm0) from $var2 # rule 4 pass in on wm0 from ifaddrs(wm0) # rule 5 } d121 9 a129 11 In the above example, .Li $var1 is the static list of IPv4 addresses configured on wm0, and .Li $var2 is the dynamic list of all the IPv4 and IPv6 addresses configured on wm0. The first three rules are equivalent, because with the .Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li > syntax, NPF expects a direct reference to an interface, and therefore does not consider the extraction functions. The fourth and fifth rules are equivalent, for the same reason. a130 2 NPF requires that all rules be defined within groups. Groups can be thought of as higher level rules which can contain subrules. d132 2 a133 10 Packets matching group criteria are passed to the ruleset of that group. If a packet does not match any group, it is passed to the .Dv default group. The .Dv default group must always be defined. .Pp Example of configuration: .Bd -literal -offset indent d135 1 a135 4 # List of rules, for packets received on wm0 } group default { # List of rules, for the other packets d140 1 a140 1 .Ic pass d142 1 a142 1 .Ic block d144 6 a149 2 the interface it arrived on, either immediately upon match or using the last match. d151 7 a157 12 If a packet matches a rule which has the .Cm final option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped. Otherwise, the last matching rule is used. .Pp The .Cm proto keyword can be used to filter packets by layer 4 protocol (TCP, UDP, ICMP or other). Its parameter should be a protocol number or its symbolic name, as specified in the d159 5 a163 63 file. This keyword can additionally have protocol-specific options, such as .Cm flags . .Pp The .Cd flags keyword can be used to match the packets against specific TCP flags, according to the following syntax: .Pp .D1 Ic proto Cm tcp flags Ar match Ns Op Li / Ns Ar mask .Pp Where .Ar match is the set of TCP flags to be matched, out of the .Ar mask set, both sets being represented as a string combination of: .Sq Cm S (SYN), .Sq Cm A (ACK), .Sq Cm F (FIN), and .Sq Cm R (RST). The flags that are not present in .Ar mask are ignored. .Pp To notify the sender of a blocking decision, three .Cm return options can be used in conjunction with a .Ic block rule: .Bl -tag -width "Cm return-icmp" -offset indent .It Cm return Behaves as .Cm return-rst or .Cm return-icmp , depending on whether the packet being blocked is TCP or UDP. .It Cm return-rst Return a TCP RST message, when the packet being blocked is a TCP packet. Applies to IPv4 and IPv6. .It Cm return-icmp Return an ICMP UNREACHABLE message, when the packet being blocked is a UDP packet. Applies to IPv4 and IPv6. .El .Pp Further packet specification at present is limited to TCP and UDP understanding source and destination ports, and ICMP and IPv6-ICMP understanding icmp-type. .Pp A rule can also instruct NPF to create an entry in the state table when passing the packet or to apply a procedure to the packet (e.g. "log"). .Pp A .Dq fully-featured rule would for example be: .Bd -literal -offset indent pass stateful in final family inet4 proto tcp flags S/SA \e from $source port $sport to $dest port $dport \e apply \*qsomeproc\*q .Ed d168 3 a170 2 .Pp .Dl block out final pcap-filter \*qtcp and dst 10.1.1.252\*q d175 2 a176 2 Stateful packet inspection is enabled using the .Cm stateful d178 1 a178 1 .Cm stateful-ends d187 1 a187 2 By default, a stateful rule implies SYN-only flag check .Pq Dq Li flags S/SAFR d190 2 a191 2 it can be overridden with the aforementioned .Cm flags d195 1 a195 5 The translation may be .Cm dynamic (stateful) or .Cm static (stateless). d198 2 a199 2 .Bl -tag -width "Cm \&<->" -offset indent -compact .It Cm \&-> d201 1 a201 1 .It Cm \&<- d203 1 a203 1 .It Cm \&<-> d207 5 a211 7 The following would translate the source (10.1.1.0/24) to the IP address specified by .Li $pub_ip for the packets on the interface .Li $ext_if . .Pp .Dl map $ext_if dynamic 10.1.1.0/24 -> $pub_ip d215 3 a217 85 on packets originating from the 10.1.1.0/24 network. Explicit filter criteria can be specified using .Cm pass Ar criteria ... as an additional option of the mapping. .Pp The dynamic NAT implies network address and port translation (NAPT). The port translation can be controlled explicitly. For example, the following provides .Dq port forwarding , redirecting the public port 9022 to the port 22 of an internal host: .Pp .Dl map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 .Pp The translation address can also by dynamic, based on the interface. The following would select the IPv4 address(es) currently assigned to the interface: .Pp .Dl map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if) .Pp If the dynamic NAT is configured with multiple translation addresses, then a custom selection algorithm can be chosen using the .Cm algo keyword. The currently available algorithms are: .Bl -tag -width "Cm round-robin" -offset indent .It Cm ip-hash The translation address for a new connection is selected based on a hash of the original source and destination addresses. This algorithms attempts to keep all connections of particular client associated with the same translation address. This is the default algorithm. .Pp .It Cm round-robin The translation address for each new connection is selected on a round-robin basis. .El .Pp The static NAT can also have different address translation algorithms, chosen using the .Cm algo keyword. The currently available algorithms are: .Bl -tag -width "Cm netmap" -offset indent .It Cm netmap Network address mapping from one segment to another, leaving the host part as-is. The new address is computed as following: .Pp .Dl addr = net-addr | (orig-addr & ~mask) .It Cm npt66 IPv6-to-IPv6 network prefix translation (NPTv6). .El .Pp If no algorithm is specified, then 1:1 address mapping is assumed. Currently, the static NAT algorithms do not perform port translation. .Ss Application Level Gateways Certain application layer protocols are not compatible with NAT and require translation outside layers 3 and 4. Such translation is performed by packet filter extensions called Application Level Gateways (ALGs). .Pp NPF supports the following ALGs: .Bl -tag -width "Cm icmp" -offset indent .It Cm icmp ICMP ALG. Applies to IPv4 and IPv6. Allows to find an active connection by looking at the ICMP payload, and to perform NAT translation of the ICMP payload. Generally, this ALG is necessary to support .Xr traceroute 8 behind the NAT, when using the UDP or TCP probes. .El .Pp The ALGs are built-in. If NPF is used as kernel module, then they come as kernel modules too. In such case, the ALG kernel modules can be autoloaded through the configuration, using the .Cm alg keyword. .Pp For example: .Pp .Dl alg \*qicmp\*q .Pp Alternatively, the ALG kernel modules can be loaded manually, using .Xr modload 8 . a224 34 Available options: .Bl -tag -width "Cm log: Ar interface" -offset indent .It Cm log: Ar interface Log events. This requires the .Pa npf_ext_log kernel module, which would normally get auto-loaded by NPF. The specified npflog interface would also be auto-created once the configuration is loaded. The log packets can be written to a file using the .Xr npfd 8 daemon. .It Cm normalize: Ar option1 Ns Op Li \&, Ar option2 ... Modify packets according to the specified normalization options. This requires the .Pa npf_ext_normalize kernel module, which would normally get auto-loaded by NPF. .El .Pp The available normalization options are: .Bl -tag -width "Cm \*qmin-mss\*q Ar value" -offset indent .It Cm \*qmax-mss\*q Ar value Enforce a maximum value for the Maximum Segment Size (MSS) TCP option. Typically, for .Dq MSS clamping . .It Cm \*qmin-ttl\*q Ar value Enforce a minimum value for the IPv4 Time To Live (TTL) parameter. .It Cm \*qno-df\*q Remove the Don't Fragment (DF) flag from IPv4 packets. .It Cm \*qrandom-id\*q Randomize the IPv4 ID parameter. .El .Pp d226 1 a226 1 .Bd -literal -offset indent d233 13 a245 1 In this case, the procedure calls the logging and normalization modules. d259 2 a260 2 # Syntax of a single line. Lines can be separated by LF (\\n) or # a semicolon. Comments start with a hash (#) character. d263 1 a263 1 map | group | proc | comment d265 1 a265 2 # Variable definition. Names can be alpha-numeric, including "_" # character. d271 1 a271 1 # Parameter setting. d274 1 a274 1 # Application level gateway. The name should be in double quotes. a276 1 alg-name = "icmp" d278 1 a278 2 # Table definition. Table ID shall be numeric. Path is in the # double quotes. d281 2 a282 2 table-def = "table" table-id "type" ( "ipset" | "lpm" | "const" ) [ "file" path ] d284 1 a284 1 # Mapping for address translation. d287 1 a287 1 ( "static" [ "algo" map-algo ] | "dynamic" ) d289 1 a289 1 map-seg ( "->" | "<-" | "<->" ) map-seg a291 1 map-algo = "npt66" a292 1 map-seg = ( addr-mask | interface ) [ port-opts ] d294 5 a298 5 # Rule procedure definition. The name should be in the double quotes. # # Each call can have its own options in a form of key-value pairs. # Both key and values may be strings (either in double quotes or not) # and numbers, depending on the extension. d301 1 a301 1 proc-opts = key [ " " val ] [ "," proc-opts ] d304 1 a304 1 # Group definition and the rule list. d313 1 a313 1 [ "in" | "out" ] [ "final" ] [ "on" interface ] d320 1 a320 2 tcp-flag-mask = tcp-flags tcp-flags = [ "S" ] [ "A" ] [ "F" ] [ "R" ] a321 1 a324 1 proto = "proto" protocol [ proto-opts ] a325 5 filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] filt-addr = [ "!" ] [ interface | addr-mask | table-id | "any" ] port-opts = "port" ( port-num | port-from "-" port-to | var-name ) d327 4 d348 2 a349 2 table type ipset file "/etc/npf_blocklist" table type lpm d357 4 a360 3 # These NAT rules will dynamically select the interface address(es). map $ext_if dynamic 10.1.1.0/24 -> ifaddrs($ext_if) map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- ifaddrs($ext_if) port 9022 d370 6 a375 11 block in final from pass stateful in final family inet4 proto tcp to $ext_if \e port ssh apply "log" pass stateful in final proto tcp to $ext_if \e port $services_tcp pass stateful in final proto udp to $ext_if \e port $services_udp pass stateful in final proto tcp to $ext_if \e port 49151-65535 # passive FTP pass stateful in final proto udp to $ext_if \e port 33434-33600 # traceroute a398 2 .Pp .Lk http://rmind.github.io/npf/ "NPF documentation website" @ 1.51.4.2 log @Mostly merge changes from HEAD upto 20200411 @ text @d1 1 a1 1 .\" $NetBSD$ d3 1 a3 1 .\" Copyright (c) 2009-2019 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd August 25, 2019 d64 1 a64 3 procedure definitions to call on filtered packets .It parameter settings. d300 1 a300 1 .Cm stateful-all d304 2 a305 2 The latter excludes the interface identifier, i.e. making the state global, and must be used with caution. d357 2 a358 8 In the regular dynamic NAT case, it is also possible to disable port translation using the .Cm no-ports flag. .Pp The translation address can also be dynamic, based on the interface. The following would select the IPv4 address(es) currently assigned to the interface: d366 1 a366 1 The currently available algorithms for the dynamic translation are: d374 1 a377 2 .It Cm netmap See the description below. d438 1 a438 1 .It Cm log : Ar interface d449 1 a449 1 .It Cm normalize : Ar option1 Ns Op Li \&, Ar option2 ... a478 5 .Ss Parameter settings NPF supports a set of dynamically tunable parameters. See .Xr npf-params 7 for specific details. d522 1 a522 2 map = map-common | map-ruleset map-common = "map" interface a526 1 map-ruleset = "map" "ruleset" group-opts d528 1 a528 1 map-algo = "ip-hash" | "round-robin" | "netmap" | "npt66" d550 1 a550 1 [ "stateful" | "stateful-all" ] d576 1 a576 1 .Bl -tag -width Pa -compact a641 1 .Xr npf-params 7 , @ 1.51.2.1 log @Sync with HEAD Resolve a couple of conflicts (result of the uimin/uimax changes) @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.75 2018/09/04 15:36:01 maxv Exp $ d30 1 a30 1 .Dd September 4, 2018 d43 1 a43 1 Please refer to the official NPF documentation website for comprehensive and d46 1 a46 1 There are multiple structural elements that d48 16 a63 17 may contain, such as: .Bl -bullet -offset indent .It variables .It table definitions (with or without content) .It abstraction groups .It packet filtering rules .It map rules for address translation .It application level gateways .It procedure definitions to call on filtered packets. .El d66 2 a67 2 Variables are specified using the dollar ($) sign, which is used for both definition and referencing of a variable. d88 2 a89 5 Currently, tables support three data storage types: "hash", "tree", or "cdb". Tables can also be set as containing "dynamic" or "static" data i.e. loaded from a specified file. Tables of type "hash" and "cdb" can only contain IP addresses. Only static data can be used with a storage type of "cdb". d91 1 a91 2 The specified file should contain a list of IP addresses and/or networks in the form of: d96 3 d100 15 a114 31 In NPF, an interface can be referenced directly by using its name, or can be passed to an extraction function which will return a list of IP addresses configured on the actual associated interface. .Pp It is legal to pass an extracted list from an interface in keywords where NPF would expect instead a direct reference to said interface. In this case, NPF infers a direct reference to the interface, and does not consider the list. .Pp There are two types of IP address lists. With a static list, NPF will capture the interface addresses on configuration load, whereas with a dynamic list NPF will capture the runtime list of addresses, reflecting any changes to the interface, including the attach and detach. Note that with a dynamic list, marking the interface as ``down'' has no effect, all addresses will remain present. .Pp Three functions exist, to extract addresses from an interface with a chosen list type and IP address type: .Bl -tag -width Xifaddrs()XX -offset indent .It Fn inet4 Static list, IPv4 addresses. .It Fn inet6 Static list, IPv6 addresses. .It Fn ifaddrs Dynamic list, both IPv4 and IPv6. The .Cd family keyword can be used in combination of a filtering rule to explicitly select an IP address type. .El d116 1 a116 1 Example of configuration: d118 1 a118 9 $var1 = inet4(wm0) $var2 = ifaddrs(wm0) group default { block in on wm0 all # rule 1 block in on $var1 all # rule 2 block in on inet4(wm0) all # rule 3 pass in on inet6(wm0) from $var2 # rule 4 pass in on wm0 from ifaddrs(wm0) # rule 5 } d121 9 a129 8 In the above example, $var1 is the static list of IPv4 addresses configured on wm0, and $var2 is the dynamic list of all the IPv4 and IPv6 addresses configured on wm0. The first three rules are equivalent, because with the .Cd block ... on syntax, NPF expects a direct reference to an interface, and therefore does not consider the extraction functions. The fourth and fifth rules are equivalent, for the same reason. a130 2 NPF requires that all rules be defined within groups. Groups can be thought of as higher level rules which can contain subrules. d132 1 a132 8 Packets matching group criteria are passed to the ruleset of that group. If a packet does not match any group, it is passed to the .Cd default group . The .Cd default group must always be defined. .Pp Example of configuration: d135 1 a135 4 # List of rules, for packets received on wm0 } group default { # List of rules, for the other packets d144 6 a149 60 the interface it arrived on, either immediately upon match or using the last match. .Pp If a packet matches a rule which has the .Cd final option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped. Otherwise, the last matching rule is used. .Pp The .Cd proto keyword can be used to filter packets by layer 4 protocol (TCP, UDP, ICMP or other). Its parameter should be a protocol number or its symbolic name, as specified in the .Pa /etc/protocols file. This keyword can additionally have protocol-specific options, such as .Cd flags . .Pp The .Cd flags keyword can be used to match the packets against specific TCP flags, according to the following syntax: .Bl -tag -width protoXX -offset indent .It proto tcp flags Ar match[/mask] .El .Pp Where .Ar match is the set of TCP flags to be matched, out of the .Ar mask set, both sets being represented as a string combination of: S (SYN), A (ACK), F (FIN), R (RST). The flags that are not present in .Ar mask are ignored. .Pp To notify the sender of a blocking decision, three .Cd return options can be used in conjunction with a .Cd block rule: .Bl -tag -width Xreturn-icmpXX -offset indent .It return Behaves as return-rst or return-icmp, depending on whether the packet being blocked is TCP or UDP. .It return-rst Return a TCP RST message, when the packet being blocked is a TCP packet. Applies to IPv4 and IPv6. .It return-icmp Return an ICMP UNREACHABLE message, when the packet being blocked is a UDP packet. Applies to IPv4 and IPv6. .El .Pp Further packet specification at present is limited to TCP and UDP understanding source and destination ports, and ICMP and IPv6-ICMP understanding icmp-type. .Pp A rule can also instruct NPF to create an entry in the state table when passing the packet or to apply a procedure to the packet (e.g. "log"). d157 8 d175 1 a175 1 Stateful packet inspection is enabled using the d190 1 a190 1 it can be overridden with the aforementioned d195 1 a195 5 The translation may be .Cd dynamic (stateful) or .Cd static (stateless). d197 2 a198 1 .Bl -tag -width <-> -offset indent d207 2 a208 2 The following would translate the source (10.1.1.0/24) to the IP address specified by $pub_ip for the packets on the interface $ext_if. d215 1 a215 1 on packets originating from the 10.1.1.0/24 network. a217 55 .Pp The .Cd dynamic NAT implies network address and port translation (NAPT). The port translation can be controlled explicitly. For example, the following provides "port forwarding", redirecting the public port 9022 to the port 22 of an internal host: .Bd -literal map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 .Ed .Pp The .Cd static NAT can have different address translation algorithms, which can be chosen using the .Cd algo keyword. The currently available algorithms are: .Bl -tag -width Xnpt66XX -offset indent .It npt66 IPv6-to-IPv6 network prefix translation (NPTv6). .El .Pp Currently, the static NAT algorithms do not perform port translation. .Ss Application Level Gateways Certain application layer protocols are not compatible with NAT and require translation outside layers 3 and 4. Such translation is performed by packet filter extensions called Application Level Gateways (ALGs). .Pp NPF supports the following ALGs: .Bl -tag -width XicmpXX -offset indent .It icmp ICMP ALG. Applies to IPv4 and IPv6. Allows to find an active connection by looking at the ICMP payload, and to perform NAT translation of the ICMP payload. Generally, this ALG is necessary to support "traceroute" behind the NAT, when using the UDP or TCP probes. .El .Pp The ALGs are built-in. If NPF is used as kernel module, then they come as kernel modules too. In such case, the ALG kernel modules can be autoloaded through the configuration, using the .Cd alg keyword. .Pp For example: .Bd -literal alg "icmp" .Ed .Pp Alternatively, the ALG kernel modules can be loaded manually, using .Xr modload 8 . a224 34 Available options: .Bl -tag -width Xlog:XinterfaceXX -offset indent .It log: Ar interface Log events. This requires the npf_ext_log kernel module, which would normally get auto-loaded by NPF. The specified npflog interface would also be auto-created once the configuration is loaded. The log packets can be written to a file using the .Xr npfd 8 daemon. .It normalize: Xo .Ar option1 .Op , Ar option2 .Ar ... .Xc Modify packets according to the specified normalization options. This requires the npf_ext_normalize kernel module, which would normally get auto-loaded by NPF. .El .Pp The available normalization options are: .Bl -tag -width XXmin-ttlXXvalueXX -offset indent .It Dq random-id Randomize the IPv4 ID parameter. .It Do min-ttl Dc Ar value Enforce a minimum value for the IPv4 Time To Live (TTL) parameter. .It Do max-mss Dc Ar value Enforce a maximum value for the MSS on TCP packets. Typically, for "MSS clamping". .It Dq no-df Remove the Don't Fragment (DF) flag from IPv4 packets. .El .Pp d233 13 a245 1 In this case, the procedure calls the logging and normalization modules. d259 2 a260 2 # Syntax of a single line. Lines can be separated by LF (\\n) or # a semicolon. Comments start with a hash (#) character. d263 1 a263 1 map | group | proc | comment d265 1 a265 1 # Variable definition. Names can be alpha-numeric, including "_" character. d271 1 a271 1 # Parameter setting. d274 1 a274 1 # Application level gateway. The name should be in double quotes. a276 1 alg-name = "icmp" d278 1 a278 1 # Table definition. Table ID shall be numeric. Path is in the double quotes. d284 1 a284 1 # Mapping for address translation. d287 1 a287 1 ( "static" [ "algo" map-algo ] | "dynamic" ) d289 1 a289 1 map-seg ( "->" | "<-" | "<->" ) map-seg a291 1 map-algo = "npt66" a292 1 map-seg = ( addr-mask | interface ) [ port-opts ] d294 5 a298 5 # Rule procedure definition. The name should be in the double quotes. # # Each call can have its own options in a form of key-value pairs. # Both key and values may be strings (either in double quotes or not) # and numbers, depending on the extension. d301 1 a301 1 proc-opts = key [ " " val ] [ "," proc-opts ] d304 1 a304 1 # Group definition and the rule list. d313 1 a313 1 [ "in" | "out" ] [ "final" ] [ "on" interface ] d320 1 a320 2 tcp-flag-mask = tcp-flags tcp-flags = [ "S" ] [ "A" ] [ "F" ] [ "R" ] a321 1 a324 1 proto = "proto" protocol [ proto-opts ] d326 1 d328 3 a330 4 filt-addr = [ "!" ] [ interface | addr-mask | table-id | "any" ] port-opts = "port" ( port-num | port-from "-" port-to | var-name ) addr-mask = addr [ "/" mask ] d363 2 a364 2 # The logging facility can be used together with npfd(8). log: npflog0 d368 1 a368 1 pass stateful out final all d370 6 a375 6 block in final from pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log" pass stateful in final proto tcp to $ext_if port $services_tcp pass stateful in final proto udp to $ext_if port $services_udp pass stateful in final proto tcp to $ext_if port 49151-65535 # passive FTP pass stateful in final proto udp to $ext_if port 33434-33600 # traceroute d379 2 a380 2 block in all block in final from d382 3 a384 3 # Ingress filtering as per BCP 38 / RFC 2827. pass in final from $localnet pass out final all d388 2 a389 2 pass final on lo0 all block all a398 2 .Pp .Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation website" @ 1.51.2.2 log @Ssync with HEAD @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.79 2018/09/21 10:59:11 uwe Exp $ d30 1 a30 1 .Dd September 21, 2018 d49 1 a49 2 .Pp .Bl -bullet -offset indent -compact d67 1 a67 3 Variables are specified using the dollar .Pq Li $ sign, which is used for both d70 3 a72 2 .Pp .Dl $var1 = 10.0.0.1 d75 3 a77 2 .Pp .Dl $var2 = { 10.0.0.1, 10.0.0.2 } d83 1 a83 3 .Sq Li < and .Sq Li > . d85 2 d88 6 a93 19 .Dl table type hash dynamic .Pp Currently, tables support three data storage types: .Cm hash, .Cm tree , or .Cm cdb . Tables can also be set as containing .Cm dynamic data or static .Cm file Ar filename data loaded from a specified file. Tables of type .Dq hash and .Dq cdb can only contain IP addresses. Only static data can be used with a storage type of .Dq cdb . d96 5 a100 4 form of .Li 10.1.1.1 or .Li 10.0.0.0/24 d116 1 a116 1 Note that with a dynamic list, bringing the interface down has no effect, d121 7 a127 7 .Bl -tag -width "Fn ifaddrs interface" -offset indent .It Fn inet4 interface Static list. IPv4 addresses. .It Fn inet6 interface Static list. IPv6 addresses. .It Fn ifaddrs interface Dynamic list. Both IPv4 and IPv6. d129 2 a130 2 .Cm family keyword of a filtering rule can be used in combination to explicitly select d135 1 a135 1 .Bd -literal -offset indent d147 3 a149 6 In the above example, .Li $var1 is the static list of IPv4 addresses configured on wm0, and .Li $var2 is the dynamic list of all the IPv4 and IPv6 addresses configured on wm0. d151 1 a151 1 .Li Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li > d161 1 a161 2 .Dv default group. d163 2 a164 2 .Dv default group must always be defined. d167 1 a167 1 .Bd -literal -offset indent d177 1 a177 1 .Ic pass d179 1 a179 1 .Ic block d185 1 a185 1 .Cm final d191 1 a191 1 .Cm proto d199 1 a199 1 .Cm flags . d205 3 a207 2 .Pp .Dl Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns Li ] d213 2 a214 10 set, both sets being represented as a string combination of: .Sq Cm S (SYN), .Sq Cm A (ACK), .Sq Cm F (FIN), and .Sq Cm R (RST). The flags that are not present in d219 1 a219 1 .Cm return d221 1 a221 1 .Ic block d223 5 a227 8 .Bl -tag -width "Cm return-icmp" -offset indent .It Cm return Behaves as .Cm return-rst or .Cm return-icmp , depending on whether the packet being blocked is TCP or UDP. .It Cm return-rst d230 1 a230 1 .It Cm return-icmp d242 4 a245 7 A .Dq fully-featured rule would for example be: .Bd -literal -offset indent pass stateful in final family inet4 proto tcp flags S/SA \e from $source port $sport to $dest port $dport \e apply \*qsomeproc\*q d251 3 a253 2 .Pp .Dl block out final pcap-filter \*qtcp and dst 10.1.1.252\*q d259 1 a259 1 .Cm stateful d261 1 a261 1 .Cm stateful-ends d270 1 a270 2 By default, a stateful rule implies SYN-only flag check .Pq Dq Li flags S/SAFR d274 1 a274 1 .Cm flags d279 1 a279 1 .Cm dynamic d281 1 a281 1 .Cm static d284 2 a285 3 .Pp .Bl -tag -width "Cm \&<->" -offset indent -compact .It Cm \&-> d287 1 a287 1 .It Cm \&<- d289 1 a289 1 .It Cm \&<-> d294 4 a297 6 specified by .Li $pub_ip for the packets on the interface .Li $ext_if . .Pp .Dl map $ext_if dynamic 10.1.1.0/24 -> $pub_ip d302 2 a303 3 Explicit filter criteria can be specified using .Cm pass Ar criteria ... as an additional option of the mapping. d305 3 a307 1 The dynamic NAT implies network address and port translation (NAPT). d309 5 a313 3 For example, the following provides .Dq port forwarding , redirecting the public port 9022 to the port 22 of an internal host: d315 3 a317 3 .Dl map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 .Pp The static NAT can have different address translation algorithms, which d319 1 a319 1 .Cm algo d322 2 a323 2 .Bl -tag -width "Cm npt66" -offset indent .It Cm npt66 d335 2 a336 2 .Bl -tag -width "Cm icmp" -offset indent .It Cm icmp d341 2 a342 3 Generally, this ALG is necessary to support .Xr traceroute 8 behind the NAT, when using the UDP or TCP probes. d349 1 a349 1 .Cm alg d353 3 a355 2 .Pp .Dl alg \*qicmp\*q d367 2 a368 2 .Bl -tag -width "Cm log: Ar interface" -offset indent .It Cm log: Ar interface d370 1 a370 3 This requires the .Pa npf_ext_log kernel module, which would normally get d377 5 a381 1 .It Cm normalize: Ar option1 Ns Op Li \&, Ar option2 ... d383 2 a384 3 This requires the .Pa npf_ext_normalize kernel module, which would normally get auto-loaded by NPF. d388 4 a391 6 .Bl -tag -width "Cm \*qmin-mss\*q Ar value" -offset indent .It Cm \*qmax-mss\*q Ar value Enforce a maximum value for the Maximum Segment Size (MSS) TCP option. Typically, for .Dq MSS clamping . .It Cm \*qmin-ttl\*q Ar value d393 4 a396 1 .It Cm \*qno-df\*q a397 2 .It Cm \*qrandom-id\*q Randomize the IPv4 ID parameter. d401 1 a401 1 .Bd -literal -offset indent d428 1 a428 2 # Variable definition. Names can be alpha-numeric, including "_" # character. d442 1 a442 2 # Table definition. Table ID shall be numeric. Path is in the # double quotes. d495 1 a495 2 filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] d532 2 a533 2 # The logging facility can be used together with npfd(8). log: npflog0 d537 1 a537 1 pass stateful out final all d539 6 a544 11 block in final from pass stateful in final family inet4 proto tcp to $ext_if \e port ssh apply "log" pass stateful in final proto tcp to $ext_if \e port $services_tcp pass stateful in final proto udp to $ext_if \e port $services_udp pass stateful in final proto tcp to $ext_if \e port 49151-65535 # passive FTP pass stateful in final proto udp to $ext_if \e port 33434-33600 # traceroute d548 2 a549 2 block in all block in final from d551 3 a553 3 # Ingress filtering as per BCP 38 / RFC 2827. pass in final from $localnet pass out final all d557 2 a558 2 pass final on lo0 all block all @ 1.51.2.3 log @Synch with HEAD @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.51.2.2 2018/09/30 01:46:01 pgoyette Exp $ d30 1 a30 1 .Dd January 8, 2019 d92 1 a92 1 .Cm hash , d105 1 a105 1 can only contain IP addresses, without masks. d136 1 a136 2 Static list. IPv4 addresses. d138 1 a138 2 Static list. IPv6 addresses. d140 1 a140 2 Dynamic list. Both IPv4 and IPv6. d167 1 a167 1 .Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li > d223 1 a223 1 .D1 Ic proto Cm tcp flags Ar match Ns Op Li / Ns Ar mask @ 1.51.2.4 log @Sync with HEAD @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.51.2.3 2019/01/18 08:51:02 pgoyette Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2018 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd January 14, 2019 d89 1 a89 1 .Dl table type ipset d92 2 a93 2 .Cm ipset , .Cm lpm , d95 13 a107 6 .Cm const . The contents of the table may be pre-loaded from the specified file. The .Cm const tables are immutable (no insertions or deletions after loading) and therefore must always be loaded from a file. d109 2 a110 2 The specified file should contain a list of IP addresses and/or networks in the form of d113 1 a113 11 .Li 10.0.0.0/24 . .Pp Tables of type .Cm ipset and .Cm const can only contain IP addresses (without masks). The .Cm lpm tables can contain networks and they will perform the longest prefix match on lookup. d350 2 a351 2 If the dynamic NAT is configured with multiple translation addresses, then a custom selection algorithm can be chosen using the d355 1 a355 25 .Bl -tag -width "Cm round-robin" -offset indent .It Cm ip-hash The translation address for a new connection is selected based on a hash of the original source and destination addresses. This algorithms attempts to keep all connections of particular client associated with the same translation address. This is the default algorithm. .Pp .It Cm round-robin The translation address for each new connection is selected on a round-robin basis. .El .Pp The static NAT can also have different address translation algorithms, chosen using the .Cm algo keyword. The currently available algorithms are: .Bl -tag -width "Cm netmap" -offset indent .It Cm netmap Network address mapping from one segment to another, leaving the host part as-is. The new address is computed as following: .Pp .Dl addr = net-addr | (orig-addr & ~mask) a359 1 If no algorithm is specified, then 1:1 address mapping is assumed. d480 2 a481 2 table-def = "table" table-id "type" ( "ipset" | "lpm" | "const" ) [ "file" path ] d553 2 a554 2 table type ipset file "/etc/npf_blocklist" table type lpm d575 1 a575 1 block in final from @ 1.50 log @npfctl: add support for the 'no-ports' flag in the 'map' statements. This allows us to create a NAT policy without the port translation. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.49 2017/07/03 21:35:31 wiz Exp $ a100 1 .Pp a132 1 .Pp @ 1.49 log @Remove workaround for ancient HTML generation code. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.48 2017/01/20 08:48:14 wiz Exp $ d30 1 a30 1 .Dd January 19, 2017 d236 8 d259 1 a259 2 therefore it does not strictly represent the full syntax, which is more flexible. d289 2 a290 1 ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ] d294 2 d365 1 a365 2 # Note: npf_ext_log kernel module should be loaded, if not built-in. # Also, the interface created, e.g.: ifconfig npflog0 create d399 2 a400 1 .Xr npfctl 8 @ 1.48 log @Bump date for previous. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.47 2017/01/19 20:18:17 rmind Exp $ d82 1 a82 1 \*[Lt] and \*[Gt]. d275 1 a275 1 table-id = \*[Lt]table-name\*[Gt] d363 1 a363 1 block in final from \*[Lt]blacklist\*[Gt] d373 1 a373 1 block in final from \*[Lt]limited\*[Gt] @ 1.48.4.1 log @Sync the following with -current, with minor modifications as the "[ map-flags ]" feature is not available in netbsd-8, requested by maxv in ticket #1001: usr.sbin/npf/npfctl/npf.conf.5 1.49,1.50(partly),1.51-1.70 (via patch) Remove workaround for ancient HTML generation code. - npfctl: add support for the 'no-ports' flag in the 'map' statements. This allows us to create a NAT policy without the port translation. - Remove superfluous Pp. - First pass at editing this manual. Add a link to the NPF documentation website and refer to it. Switch the multiple structural elements to a list to make it easier to read and extend. Clarify tables, re-order so all terms are before the example. Clarify obtaining addresses per family Move the minimum requirement for a default group to the group section. - Add missing El. Remove trailing whitespace. - Enlighten the "Procedures" section. In particular document the "no-df" option. Also replace "normalisation" -> "normalization", to match the name of the rule. - Add quotes around the option names, to match the actual npf conf. - Improve the "Rules" section: better explain the "final" keyword (it is the same as PF's "quick", so use the same wording), and document the "return" options. While here simplify the man code, suggested by wiz. - Document the "flags" keyword. - Improve the "Map" section a little. - Improve wording. - Replace () by [] in tcp-flags. Fix proc-opts, the value is optional, noted by he@@. - Replace "rproc"->"proc" in the grammar (spotted by he@@), and slightly reword. - Add missing quote in static-rule, it causes man-k.org (and other tools) to wrongly highlight the grammar. - Add the values of "algo" in the grammar, and use # as comment marker for man-k.org (and others) not to highlight things in an incorrect way. - Document ALGs. - Improve the "Map" section. - Add missing -width; remove unnecessary .Pp. - Clarify the "Groups" section. - should be port-opts - "interface" already contains "var-name", so don't mention it in "filt-addr", that's redundant - rename net-seg -> map-seg, and document it @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.70 2018/08/31 11:18:35 maxv Exp $ d30 1 a30 1 .Dd August 31, 2018 d43 1 a43 1 Please refer to the official NPF documentation website for comprehensive and d46 1 a46 1 There are multiple structural elements that d48 16 a63 17 may contain, such as: .Bl -bullet -offset indent .It variables .It table definitions (with or without content) .It abstraction groups .It packet filtering rules .It map rules for address translation .It application level gateways .It procedure definitions to call on filtered packets. .El d66 2 a67 2 Variables are specified using the dollar ($) sign, which is used for both definition and referencing of a variable. d82 1 a82 1 < and >. d88 2 a89 5 Currently, tables support three data storage types: "hash", "tree", or "cdb". Tables can also be set as containing "dynamic" or "static" data i.e. loaded from a specified file. Tables of type "hash" and "cdb" can only contain IP addresses. Only static data can be used with a storage type of "cdb". d91 1 a91 2 The specified file should contain a list of IP addresses and/or networks in the form of: d96 3 d101 1 d106 3 a108 4 In the context of filtering, an interface provides a list of all its IP addresses, both IPv4 and IPv6. Specific addresses configured on an interface can also be selected by family, e.g.: d127 2 a128 3 A dynamic address list represents both the IPv4 and IPv6 addresses configured on an interface. The d130 1 a130 1 keyword can be used in combination of a filtering rule to be explicit. a131 2 NPF requires that all rules be defined within groups. Groups can be thought of as higher level rules which can contain subrules. d133 1 a133 6 Packets matching group criteria are passed to the ruleset of that group. If a packet does not match any group, it is passed to the .Cd default group . The .Cd default group must always be defined. a134 1 Example of configuration: d137 1 a137 4 # List of rules, for packets received on wm0 } group default { # List of rules, for the other packets d146 4 a149 10 the interface it arrived on, either immediately upon match or using the last match. .Pp If a packet matches a rule which has the .Cd final option set, this rule is considered the last matching rule, and evaluation of subsequent rules is skipped. Otherwise, the last matching rule is used. .Pp A rule can also instruct NPF to create an entry in the state table a152 17 To notify the sender of a blocking decision, three .Cd return options can be used in conjunction with a .Cd block rule: .Bl -tag -width Xreturn-icmpXX -offset indent .It return Behaves as return-rst or return-icmp, depending on whether the packet being blocked is TCP or UDP. .It return-rst Return a TCP RST message, when the packet being blocked is a TCP packet. Applies to IPv4 and IPv6. .It return-icmp Return an ICMP UNREACHABLE message, when the packet being blocked is a UDP packet. Applies to IPv4 and IPv6. .El .Pp d177 1 a177 1 Stateful packet inspection is enabled using the a188 19 The .Cd flags keyword can be used in conjunction with the .Cd stateful keyword to match the packets against specific TCP flags, according to the following syntax: .Bl -tag -width flagsXX -offset indent .It flags Ar match[/mask] .El .Pp Where .Ar match is the set of TCP flags to be matched, out of the .Ar mask set, both sets being represented as a string combination of: S (SYN), A (ACK), F (FIN), R (RST). The flags that are not present in .Ar mask are ignored. .Pp d192 1 a192 1 it can be overridden with the aforementioned d197 1 a197 5 The translation may be .Cd dynamic (stateful) or .Cd static (stateless). d199 2 a200 1 .Bl -tag -width <-> -offset indent d209 2 a210 2 The following would translate the source (10.1.1.0/24) to the IP address specified by $pub_ip for the packets on the interface $ext_if. a214 10 Several NAT algorithms are available, and can be chosen using the .Cd algo keyword. By default, NPF will use the NAPT algorithm. The other available algorithms are: .Bl -tag -width Xnpt66XX -offset indent .It npt66 IPv6-to-IPv6 network prefix translation (NPTv6). .El .Pp d217 1 a217 1 on packets originating from the 10.1.1.0/24 network. a219 29 .Ss Application Level Gateways Certain application layer protocols are not compatible with NAT and require translation outside layers 3 and 4. Such translation is performed by packet filter extensions called Application Level Gateways (ALGs). .Pp NPF supports the following ALGs: .Bl -tag -width XicmpXX -offset indent .It icmp ICMP ALG. Allows to find an active connection by looking at the ICMP payload, and to perform NAT translation of the ICMP payload. Applies to IPv4 and IPv6. .El .Pp The ALGs are built-in, unless NPF is used as kernel module, in which case they come as kernel modules too. In that case, the ALG kernel modules can be autoloaded through the configuration, using the .Cd alg keyword. .Pp For example: .Bd -literal alg "icmp" .Ed .Pp Alternatively, the ALG kernel modules can be loaded manually, using .Xr modload 8 . a226 33 Available options: .Bl -tag -width Xlog:XinterfaceXX -offset indent .It log: Ar interface Log events. This requires the npf_ext_log kernel module, which would normally get auto-loaded by NPF. The specified npflog interface would also be auto-created once the configuration is loaded. The log packets can be written to a file using the .Xr npfd 8 daemon. .It normalize: Xo .Ar option1 .Op , Ar option2 .Ar ... .Xc Modify packets according to the specified normalization options. This requires the npf_ext_normalize kernel module, which would normally get auto-loaded by NPF. .El .Pp The available normalization options are: .Bl -tag -width XXmin-ttlXXvalueXX -offset indent .It Dq random-id Randomize the IPv4 ID parameter. .It Do min-ttl Dc Ar value Enforce a minimum value for the IPv4 Time To Live (TTL) parameter. .It Do max-mss Dc Ar value Enforce a maximum value for the MSS on TCP packets. .It Dq no-df Remove the Don't Fragment (DF) flag from IPv4 packets. .El .Pp d235 5 a239 1 In this case, the procedure calls the logging and normalization modules. d251 2 a252 1 therefore it does not strictly represent the formal grammar. d254 2 a255 2 # Syntax of a single line. Lines can be separated by LF (\\n) or # a semicolon. Comments start with a hash (#) character. d258 1 a258 1 map | group | proc | comment d260 1 a260 1 # Variable definition. Names can be alpha-numeric, including "_" character. d266 1 a266 1 # Parameter setting. d269 1 a269 1 # Application level gateway. The name should be in double quotes. a271 1 alg-name = "icmp" d273 1 a273 1 # Table definition. Table ID shall be numeric. Path is in the double quotes. d275 1 a275 1 table-id = d279 1 a279 1 # Mapping for address translation. d282 2 a283 2 ( "static" [ "algo" map-algo ] | "dynamic" ) [ proto ] map-seg ( "->" | "<-" | "<->" ) map-seg d286 5 a290 8 map-algo = "npt66" map-seg = ( addr-mask | interface ) [ port-opts ] # Rule procedure definition. The name should be in the double quotes. # # Each call can have its own options in a form of key-value pairs. # Both key and values may be strings (either in double quotes or not) # and numbers, depending on the extension. d293 1 a293 1 proc-opts = key [ " " val ] [ "," proc-opts ] d296 1 a296 1 # Group definition and the rule list. d305 1 a305 1 [ "in" | "out" ] [ "final" ] [ "on" interface ] a311 2 tcp-flag-mask = tcp-flags tcp-flags = [ "S" ] [ "A" ] [ "F" ] [ "R" ] d318 1 d320 3 a322 4 filt-addr = [ "!" ] [ interface | addr-mask | table-id | "any" ] port-opts = "port" ( port-num | port-from "-" port-to | var-name ) addr-mask = addr [ "/" mask ] d355 2 a356 1 # The logging facility can be used together with npfd(8). d363 1 a363 1 block in final from d373 1 a373 1 block in final from d390 1 a390 4 .Xr npfctl 8 , .Xr npfd 8 .Pp .Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation website" @ 1.48.4.2 log @Pull up the following, requested by maxv in ticket #1030: usr.sbin/npf/npfctl/npf.conf.5 1.71-1.79 (patch) npf.conf(5): fix some of the previous incorrect or inaccurate changes. The TCP flags option is not only for the stateful tracking. Dynamic NAT implies NAPT; algorithms, at least for now, are for static NAT mappings. Mention that ALG ICMP is also for traceroute behind NAT; also mention "MSS clamping" (some users might search for this term, so keeping the terminology is helpful). -------------------------------------------------------------------------------- Remove superfluous Pp. -------------------------------------------------------------------------------- Be clearer about the difference between static vs dynamic interface list, and slightly improve wording. My understanding is that when none of inet4/inet6/ifaddrs is passed, NPF assumes ifaddrs. -------------------------------------------------------------------------------- New sentence, new line. Use Fn for functions. -------------------------------------------------------------------------------- Fix the "Interfaces" section, I understood wrong. Talk about inference, because it was not mentioned before, and it plays an important role. Discussed with rmind. Probably not the last pass. -------------------------------------------------------------------------------- Switch back to tabs, it was nicer this way. -------------------------------------------------------------------------------- Wrap long lines, so that nothing overflows. -------------------------------------------------------------------------------- Improve markup. -------------------------------------------------------------------------------- According to the grammar and examples the static table is defined with "file" keyword, not "static". @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.79 2018/09/21 10:59:11 uwe Exp $ d30 1 a30 1 .Dd September 21, 2018 d49 1 a49 2 .Pp .Bl -bullet -offset indent -compact d67 1 a67 3 Variables are specified using the dollar .Pq Li $ sign, which is used for both d70 3 a72 2 .Pp .Dl $var1 = 10.0.0.1 d75 3 a77 2 .Pp .Dl $var2 = { 10.0.0.1, 10.0.0.2 } d83 1 a83 3 .Sq Li < and .Sq Li > . d85 2 d88 6 a93 19 .Dl table type hash dynamic .Pp Currently, tables support three data storage types: .Cm hash, .Cm tree , or .Cm cdb . Tables can also be set as containing .Cm dynamic data or static .Cm file Ar filename data loaded from a specified file. Tables of type .Dq hash and .Dq cdb can only contain IP addresses. Only static data can be used with a storage type of .Dq cdb . d96 5 a100 4 form of .Li 10.1.1.1 or .Li 10.0.0.0/24 d102 16 a117 31 In NPF, an interface can be referenced directly by using its name, or can be passed to an extraction function which will return a list of IP addresses configured on the actual associated interface. .Pp It is legal to pass an extracted list from an interface in keywords where NPF would expect instead a direct reference to said interface. In this case, NPF infers a direct reference to the interface, and does not consider the list. .Pp There are two types of IP address lists. With a static list, NPF will capture the interface addresses on configuration load, whereas with a dynamic list NPF will capture the runtime list of addresses, reflecting any changes to the interface, including the attach and detach. Note that with a dynamic list, bringing the interface down has no effect, all addresses will remain present. .Pp Three functions exist, to extract addresses from an interface with a chosen list type and IP address type: .Bl -tag -width "Fn ifaddrs interface" -offset indent .It Fn inet4 interface Static list. IPv4 addresses. .It Fn inet6 interface Static list. IPv6 addresses. .It Fn ifaddrs interface Dynamic list. Both IPv4 and IPv6. The .Cm family keyword of a filtering rule can be used in combination to explicitly select an IP address type. .El d119 3 a121 11 Example of configuration: .Bd -literal -offset indent $var1 = inet4(wm0) $var2 = ifaddrs(wm0) group default { block in on wm0 all # rule 1 block in on $var1 all # rule 2 block in on inet4(wm0) all # rule 3 pass in on inet6(wm0) from $var2 # rule 4 pass in on wm0 from ifaddrs(wm0) # rule 5 } d124 10 a133 11 In the above example, .Li $var1 is the static list of IPv4 addresses configured on wm0, and .Li $var2 is the dynamic list of all the IPv4 and IPv6 addresses configured on wm0. The first three rules are equivalent, because with the .Li Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li > syntax, NPF expects a direct reference to an interface, and therefore does not consider the extraction functions. The fourth and fifth rules are equivalent, for the same reason. d140 1 a140 2 .Dv default group. d142 2 a143 2 .Dv default group must always be defined. d146 1 a146 1 .Bd -literal -offset indent d156 1 a156 1 .Ic pass d158 1 a158 1 .Ic block d164 1 a164 1 .Cm final d169 3 a171 34 The .Cm proto keyword can be used to filter packets by layer 4 protocol (TCP, UDP, ICMP or other). Its parameter should be a protocol number or its symbolic name, as specified in the .Pa /etc/protocols file. This keyword can additionally have protocol-specific options, such as .Cm flags . .Pp The .Cd flags keyword can be used to match the packets against specific TCP flags, according to the following syntax: .Pp .Dl Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns Li ] .Pp Where .Ar match is the set of TCP flags to be matched, out of the .Ar mask set, both sets being represented as a string combination of: .Sq Cm S (SYN), .Sq Cm A (ACK), .Sq Cm F (FIN), and .Sq Cm R (RST). The flags that are not present in .Ar mask are ignored. d174 1 a174 1 .Cm return d176 1 a176 1 .Ic block d178 5 a182 8 .Bl -tag -width "Cm return-icmp" -offset indent .It Cm return Behaves as .Cm return-rst or .Cm return-icmp , depending on whether the packet being blocked is TCP or UDP. .It Cm return-rst d185 1 a185 1 .It Cm return-icmp d190 4 a193 14 Further packet specification at present is limited to TCP and UDP understanding source and destination ports, and ICMP and IPv6-ICMP understanding icmp-type. .Pp A rule can also instruct NPF to create an entry in the state table when passing the packet or to apply a procedure to the packet (e.g. "log"). .Pp A .Dq fully-featured rule would for example be: .Bd -literal -offset indent pass stateful in final family inet4 proto tcp flags S/SA \e from $source port $sport to $dest port $dport \e apply \*qsomeproc\*q d196 8 d207 3 a209 2 .Pp .Dl block out final pcap-filter \*qtcp and dst 10.1.1.252\*q d215 1 a215 1 .Cm stateful d217 1 a217 1 .Cm stateful-ends d226 20 a245 2 By default, a stateful rule implies SYN-only flag check .Pq Dq Li flags S/SAFR d249 1 a249 1 .Cm flags d254 1 a254 1 .Cm dynamic d256 1 a256 1 .Cm static d259 2 a260 3 .Pp .Bl -tag -width "Cm \&<->" -offset indent -compact .It Cm \&-> d262 1 a262 1 .It Cm \&<- d264 1 a264 1 .It Cm \&<-> d269 4 a272 4 specified by .Li $pub_ip for the packets on the interface .Li $ext_if . d274 9 a282 1 .Dl map $ext_if dynamic 10.1.1.0/24 -> $pub_ip d287 2 a288 23 Explicit filter criteria can be specified using .Cm pass Ar criteria ... as an additional option of the mapping. .Pp The dynamic NAT implies network address and port translation (NAPT). The port translation can be controlled explicitly. For example, the following provides .Dq port forwarding , redirecting the public port 9022 to the port 22 of an internal host: .Pp .Dl map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 .Pp The static NAT can have different address translation algorithms, which can be chosen using the .Cm algo keyword. The currently available algorithms are: .Bl -tag -width "Cm npt66" -offset indent .It Cm npt66 IPv6-to-IPv6 network prefix translation (NPTv6). .El .Pp Currently, the static NAT algorithms do not perform port translation. d296 2 a297 2 .Bl -tag -width "Cm icmp" -offset indent .It Cm icmp a298 1 Applies to IPv4 and IPv6. d301 1 a301 3 Generally, this ALG is necessary to support .Xr traceroute 8 behind the NAT, when using the UDP or TCP probes. d304 3 a306 3 The ALGs are built-in. If NPF is used as kernel module, then they come as kernel modules too. In such case, the ALG kernel modules can be autoloaded through the d308 1 a308 1 .Cm alg d312 3 a314 2 .Pp .Dl alg \*qicmp\*q d326 2 a327 2 .Bl -tag -width "Cm log: Ar interface" -offset indent .It Cm log: Ar interface d329 1 a329 3 This requires the .Pa npf_ext_log kernel module, which would normally get d336 5 a340 1 .It Cm normalize: Ar option1 Ns Op Li \&, Ar option2 ... d342 2 a343 3 This requires the .Pa npf_ext_normalize kernel module, which would normally get auto-loaded by NPF. d347 4 a350 6 .Bl -tag -width "Cm \*qmin-mss\*q Ar value" -offset indent .It Cm \*qmax-mss\*q Ar value Enforce a maximum value for the Maximum Segment Size (MSS) TCP option. Typically, for .Dq MSS clamping . .It Cm \*qmin-ttl\*q Ar value d352 3 a354 1 .It Cm \*qno-df\*q a355 2 .It Cm \*qrandom-id\*q Randomize the IPv4 ID parameter. d359 1 a359 1 .Bd -literal -offset indent d386 1 a386 2 # Variable definition. Names can be alpha-numeric, including "_" # character. d400 1 a400 2 # Table definition. Table ID shall be numeric. Path is in the # double quotes. d409 1 a409 2 ( "static" [ "algo" map-algo ] | "dynamic" ) [ proto ] d444 1 a445 1 a448 1 proto = "proto" protocol [ proto-opts ] d450 1 a450 2 filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] d495 5 a499 10 pass stateful in final family inet4 proto tcp to $ext_if \e port ssh apply "log" pass stateful in final proto tcp to $ext_if \e port $services_tcp pass stateful in final proto udp to $ext_if \e port $services_udp pass stateful in final proto tcp to $ext_if \e port 49151-65535 # passive FTP pass stateful in final proto udp to $ext_if \e port 33434-33600 # traceroute @ 1.47 log @npfctl: - Add protocol filter option for "map". - Print user-friendly error if table contains an entry with invalid netmask. - Add support for inline ports. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.46 2017/01/03 01:29:49 rmind Exp $ d30 1 a30 1 .Dd January 3, 2017 @ 1.46 log @npfctl: dynamic interface address handling; update npf.conf(8). @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.45 2016/12/27 22:35:33 rmind Exp $ d231 1 a231 1 normalize: "random-id", "min-ttl" 64 d236 4 d282 1 a282 1 ( "static" [ "algo" algorithm ] | "dynamic" ) d284 1 a284 1 [ "pass" filt-opts ] d302 1 a302 2 npf-filter = [ "family" family-opt ] [ "proto" protocol [ proto-opts ] ] ( "all" | filt-opts ) d312 1 d352 1 a352 1 map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if port 9022 @ 1.46.2.1 log @Sync with HEAD @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.48 2017/01/20 08:48:14 wiz Exp $ d30 1 a30 1 .Dd January 19, 2017 d231 1 a231 1 normalize: "random-id", "min-ttl" 64, "max-mss" 1432 a235 4 Traffic normalisation has a set of different mechanisms. In the example above, the normalisation procedure has arguments which apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF) flag cleansing, minimum TTL enforcement and TCP MSS "clamping". d278 1 a278 1 ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ] d280 1 a280 1 [ "pass" [ proto ] filt-opts ] d298 2 a299 1 npf-filter = [ "family" family-opt ] [ proto ] ( "all" | filt-opts ) a308 1 proto = "proto" protocol [ proto-opts ] d348 1 a348 1 map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 @ 1.45 log @npf.conf: add support for logical NOT, e.g.: pass from ! 10.0.0.1 to any @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.44 2015/02/01 22:57:21 rmind Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2015 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd December 28, 2016 d113 18 @ 1.44 log @npf.conf(5): mention alg, include in the example, minor fix. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.43 2014/12/26 22:44:54 christos Exp $ d30 1 a30 1 .Dd February 1, 2015 d298 2 a299 1 filt-addr = [ interface | var-name | addr-mask | table-id | "any" ] @ 1.44.2.1 log @Sync with HEAD. (Note that most of these changes are simply $NetBSD$ tag issues.) @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.46 2017/01/03 01:29:49 rmind Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd January 3, 2017 a112 18 .Pp In the above examples, NPF will statically capture the interface addresses on configuration load. .Pp The following can be used for dynamic handling of the interface addresses: .Bd -literal $pub_if = ifaddrs(wm0) .Ed .Pp In this case, the expression will represent the runtime list of addresses, reflecting any changes to the interface, including the attach and detach. Marking the interface as ``down'' has no effect, i.e. all addresses will remain present. .Pp The dynamic address list represents both the IPv4 and IPv6 addresses, therefore the .Cd family keyword can be used in combination to make the filtering more narrow. d298 1 a298 2 filt-addr = [ "!" ] [ interface | var-name | addr-mask | table-id | "any" ] @ 1.44.2.2 log @Sync with HEAD @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.48 2017/01/20 08:48:14 wiz Exp $ d30 1 a30 1 .Dd January 19, 2017 d231 1 a231 1 normalize: "random-id", "min-ttl" 64, "max-mss" 1432 a235 4 Traffic normalisation has a set of different mechanisms. In the example above, the normalisation procedure has arguments which apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF) flag cleansing, minimum TTL enforcement and TCP MSS "clamping". d278 1 a278 1 ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ] d280 1 a280 1 [ "pass" [ proto ] filt-opts ] d298 2 a299 1 npf-filter = [ "family" family-opt ] [ proto ] ( "all" | filt-opts ) a308 1 proto = "proto" protocol [ proto-opts ] d348 1 a348 1 map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022 @ 1.43 log @allow turning off the bpf jit loading. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.42 2014/08/03 00:02:56 rmind Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd December 26, 2014 d235 2 a236 1 syntax = var-def | table-def | map | group | rproc | comment d244 6 a249 2 ; Parameter setting set-statement = "set" parameter value d314 2 a315 2 $ext_if = { inet4(wm0), inet6(wm0) } $int_if = { inet4(wm1), inet6(wm1) } d324 2 @ 1.42 log @Cross-link npf(7). @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.41 2014/05/15 23:52:32 wiz Exp $ d30 1 a30 1 .Dd August 2, 2014 d243 3 @ 1.42.2.1 log @Pull up following revision(s) (requested by rmind in ticket #359): usr.sbin/npf/npfctl/npf_scan.l: revision 1.22 usr.sbin/npf/npfctl/npf.conf.5: revision 1.43 usr.sbin/npf/npfctl/npfctl.c: revision 1.44 usr.sbin/npf/npfctl/npf_parse.y: revision 1.36 usr.sbin/npf/npfctl/npfctl.c: revision 1.45 usr.sbin/npf/npfctl/npfctl.h: revision 1.39 npfctl(8): attempt to preload bpfjit kernel module and print the warning on failure. allow turning off the bpf jit loading. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.42 2014/08/03 00:02:56 rmind Exp $ d30 1 a30 1 .Dd December 26, 2014 a242 3 ; Parameter setting set-statement = "set" parameter value @ 1.42.2.2 log @Pull up following revision(s) (requested by rmind in ticket #479): lib/libnpf/npf.c: revision 1.35 lib/libnpf/npf.h: revision 1.28 sys/net/npf/npf_conn.c: revision 1.15 sys/net/npf/npf_impl.h: revision 1.61 sys/net/npf/npf_ruleset.c: revision 1.41 usr.sbin/npf/npfctl/npf.conf.5: revision 1.44 usr.sbin/npf/npfctl/npf_parse.y: revision 1.37 usr.sbin/npf/npfctl/npf_show.c: revisions 1.16, 1.17 usr.sbin/npf/npfctl/npfctl.c: revision 1.46 load the config file before bpfjit so that we can disable the warning. -- Don't depend on yacc to include stdlib.h or string.h. -- - npf_conn_establish: remove a rare race condition when we might destroy a connection when it is still referenced by another thread. - npf_conn_destroy: remove the backwards entry using the saved key, PR/49488. - Sprinkle some asserts. -- npf.conf(5): mention alg, include in the example, minor fix. -- npfctl(8): report dynamic rule ID in a comment, print the case when libpcap is used correctly. Also, add npf_ruleset_dump() helper in the kernel. -- libnpf: add npf_rule_getid() and npf_rule_getcode(). Missed in the previous commit. -- npfctl_print_rule: print the ID in hex, not decimal. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.42.2.1 2014/12/29 17:31:47 martin Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2015 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd February 1, 2015 d235 1 a235 2 syntax = var-def | set-param | alg | table-def | map | group | rproc | comment d243 2 a244 6 ; Parameter setting. set-param = "set" param-value ; Application level gateway. The name should be in the double quotes. alg = "alg" alg-name d309 2 a310 2 $ext_if = { inet4(wm0) } $int_if = { inet4(wm1) } a318 2 alg "icmp" @ 1.41 log @Wording, typo fixes. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.40 2014/05/15 02:34:29 rmind Exp $ d30 1 a30 1 .Dd May 15, 2014 d355 1 @ 1.40 log @NPF: imply SYN-only check for the stateful rules by default (when inspecting TCP packets). Many users trip here. This behaviour can be overriden with the explicit "flags" keyword, but other configuration does not really make sense. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.39 2014/02/14 01:52:58 rmind Exp $ d171 1 a171 1 By default, stateful rule implies SYN-only flag check ("flags S/SAFR") d173 2 a174 2 It is not advisable to change this behavior, however, it can be overriden with @ 1.39 log @Document NAT algorithm option in the grammar of "map". @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.38 2014/02/08 01:20:09 rmind Exp $ d30 1 a30 1 .Dd February 14, 2014 d158 19 d274 2 a275 1 static-rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" ] @ 1.39.2.1 log @Rebase. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.42 2014/08/03 00:02:56 rmind Exp $ d30 1 a30 1 .Dd August 2, 2014 a157 19 .Ss Stateful Stateful packet inspection is enabled using .Cd stateful or .Cd stateful-ends keywords. The former creates a state which is uniquely identified by a 5-tuple (source and destination IP addresses, port numbers and an interface identifier). The latter excludes the interface identifier and must be used with precaution. In both cases, a full TCP state tracking is performed for TCP connections and a limited tracking for message-based protocols (UDP and ICMP). .Pp By default, a stateful rule implies SYN-only flag check ("flags S/SAFR") for the TCP packets. It is not advisable to change this behavior; however, it can be overridden with the .Cd flags keyword. d255 1 a255 2 static-rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" | "stateful-ends" ] a334 1 .Xr npf 7 , @ 1.38 log @NPF: - Adjust the syntax - remove "inet" keyword in favour of more explicit "inet4" for the address family. Consistent with "inet6" for IPv6. - Adjust and improve the man page a little bit. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.37 2014/02/06 07:36:36 wiz Exp $ d30 1 a30 1 .Dd February 8, 2014 d232 2 a233 1 map = "map" interface ( "static" | "dynamic" ) @ 1.37 log @Update count. Add serial comma. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.36 2014/02/06 02:51:28 rmind Exp $ d30 1 a30 1 .Dd February 6, 2014 d137 1 a137 1 pass stateful in final family inet proto tcp flags S/SA \\ d160 1 a160 1 At present, only dynamic translation is supported. d263 1 a263 1 family-opt = "inet" | "inet6" d288 1 a288 1 table type hash file "/etc/npf_blacklist" d309 2 a310 2 block in final from \*[Lt]black\*[Gt] pass stateful in final family inet proto tcp to $ext_if port ssh apply "log" d321 1 a321 1 # Ingress filtering as per RFC 2827. @ 1.36 log @Add support for CDB based NPF tables. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.35 2013/11/19 00:28:41 rmind Exp $ d88 1 a88 1 Currently, tables support two storage types: "hash", "tree" or "cdb". @ 1.35 log @Simplify parsing of npf.conf elements, create the npfvar_t when a value is parsed (to be used as a general structured for variables and inlined values), few misc improvements. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.34 2013/11/12 06:07:30 wiz Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2013 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd November 18, 2013 d88 1 a88 1 Currently, tables support two storage types: "hash" or "tree". d97 2 a98 1 Tables of type "hash" can only contain IP addresses. d227 1 a227 1 table-def = "table" table-id "type" ( "hash" | "tree" ) @ 1.34 log @Remove trailing whitespace. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.33 2013/11/12 00:46:34 rmind Exp $ d30 1 a30 1 .Dd November 10, 2013 d102 1 a102 1 $pub_if_list = { ifnet(wm0), ifnet(wm1) } d110 1 a110 1 $pub_if6 = { inet6(wm0) } d284 2 a285 2 $ext_if = ifnet(wm0) $int_if = ifnet(wm1) @ 1.33 log @NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128). Few misc fixes. Bump NPF_VERSION. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.32 2013/11/05 13:09:12 kefren Exp $ d252 1 a252 1 ( "all" | filt-opts ) @ 1.32 log @sync an example with the latest group syntax change @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.31 2013/09/20 03:03:52 rmind Exp $ d30 1 a30 1 .Dd November 5, 2013 d81 1 a81 1 Tables are specified using a number between angle brackets a82 1 The number used to specify a table should be between 0 and 15. d85 1 a85 1 table <1> type hash dynamic d117 1 a117 1 group "my_group_name" in on wm0 { d148 7 d225 1 a225 1 table-id = \*[Lt]tid\*[Gt] d251 2 d255 3 a257 2 [ "family" family-opt ] [ "proto" protocol [ proto-opts ] ] ( "all" | filt-opts ) [ "apply" proc-name ] d287 2 a288 2 table <1> type hash file "/etc/npf_blacklist" table <2> type tree dynamic d308 1 a308 1 block in final from \*[Lt]1\*[Gt] d318 1 a318 1 block in final from \*[Lt]2\*[Gt] d333 1 @ 1.31 log @- NPF: change the group/ruleset syntax - simplify. Update npf.conf(5) manual. - Add support for the inline pcap-filter(7) syntax in the rule, e.g.: block out final pcap-filter "tcp and dst 10.1.1.252" @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.30 2013/09/19 12:05:11 rmind Exp $ d30 1 a30 1 .Dd September 20, 2013 d118 1 a118 1 group (name "my_group", interface wm0, in) { @ 1.30 log @npfctl: remove some n-code leftovers, fix the build, update the man pages. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.29 2013/03/10 21:55:40 christos Exp $ d30 1 a30 1 .Dd September 19, 2013 d239 1 a239 1 ; Group definition and the ruleset. d241 7 a247 7 group = "group" "(" ( "default" | group-opts ) ")" "{" ruleset "}" group-opts = [ "name" string ] [ "interface" interface ] [ "in" | "out" ] ruleset = [ rule new-line ] [ ruleset ] rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ] [ "on" iface ] [ "family" fam-opt ] [ "proto" protocol [ proto-opts ] ] d249 2 d253 1 a253 1 fam-opt = "inet" | "inet6" d296 1 a296 1 group (name "external", interface $ext_if) { d307 1 a307 1 group (name "internal", interface $int_if) { d309 4 a312 1 pass in final from \*[Lt]2\*[Gt] d316 1 a316 1 group (default) { @ 1.29 log @normalise -> normalize @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.28 2013/03/10 21:17:30 rmind Exp $ d30 1 a30 1 .Dd March 10, 2013 d318 2 a319 2 .Xr npfctl 8 , .Xr npf_ncode 9 @ 1.28 log @Fix the example (deja vu?). @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.27 2013/02/09 03:35:32 rmind Exp $ d30 1 a30 1 .Dd January 11, 2013 d187 1 a187 1 normalise: "random-id", "min-ttl" 64 @ 1.27 log @NPF: - Implement dynamic NPF rules. Controlled through npf(3) library of via npfctl rule command. A rule can be removed using a unique identifier, returned on addition, or using a key which is SHA1 hash of the rule. Adjust npftest and add a regression test. - Improvements to rule inspection mechanism. - Initial BPF support as an alternative to n-code. - Minor fixes; bump the version. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.26 2012/12/23 21:01:04 rmind Exp $ d286 1 a286 1 map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if 9022 @ 1.26 log @- Add NPF version check in proplist as well, not only ioctl. Bump the version. - Fix a bug in table entry lookup. - Updates/fixes to the man pages. Misc. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.25 2012/12/06 22:36:51 rmind Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd December 23, 2012 d206 1 a206 1 ; Syntax of a single line. Lines can be separated by LF (\n) or @ 1.25 log @- npf.conf(5): fix of the example config. - Mention npf_ext_log in a comment. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.24 2012/11/26 20:34:28 rmind Exp $ d30 1 a30 1 .Dd December 6, 2012 d101 1 d105 1 d290 1 @ 1.24 log @npfctl: extend syntax for extracting interface IP address(es) by the family. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.23 2012/09/30 21:15:08 wiz Exp $ d30 1 a30 1 .Dd November 26, 2012 d287 1 d292 1 a292 1 pass stateful out final from $ext_if @ 1.23 log @Wording, more macros. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.22 2012/09/30 21:09:30 rmind Exp $ d30 1 a30 1 .Dd September 30, 2012 d99 12 d166 1 a166 1 map $ext_if dynamic 10.1.1.0/24 -> $pub_if d271 2 a272 2 $ext_if = "wm0" $int_if = "wm1" @ 1.22 log @Add some content to the Procedures section. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.21 2012/09/30 13:15:03 wiz Exp $ d163 3 a165 3 Rule procedure is defined as a collection of extension calls (it may have none). Every extension call has a name and a list of options in a form of d167 1 a167 1 Depending on the call, key might represent the argument and the value d177 1 a177 1 In this case, procedure has a call to logging and normalisation modules. d179 7 a185 3 Text after a hash (#) character is considered a comment. The \\ character at the end of a line marks a continuation line, i.e. the next line is considered an extension of the present line. @ 1.21 log @Use more markup. New sentence, new line. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.20 2012/09/30 12:59:31 spz Exp $ d30 1 a30 1 .Dd September 29, 2012 d163 15 @ 1.20 log @Add some content to the "Rules" section. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.19 2012/09/30 07:43:03 wiz Exp $ d127 4 a130 1 Any protocol in /etc/protocols can be specified. Further packet @ 1.19 log @Whitespace fixes, remove unnecessary Pp XXX: Subsections Rules and Procedures seem empty? @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.18 2012/09/29 19:50:03 rmind Exp $ d109 25 @ 1.18 log @npf.conf(5): add syntax section and a first cut describing the structural elements. Some improvements and fixes from spz@@. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.17 2012/09/28 18:36:02 spz Exp $ d63 1 a63 1 .Cd default group. a98 1 .Pp a107 1 .Pp a108 1 .Pp a134 1 .Pp d169 1 a169 1 ; @ 1.17 log @re-work the description part of the man page, as discussed with rmind@@ @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.16 2012/09/26 21:58:27 rmind Exp $ d30 1 a30 1 .Dd September 26, 2012 d41 4 a44 4 The minimal .Nm consists of the mandatory .Cd default group. d46 1 d48 3 a50 1 may also contain variable and d52 4 a55 3 definitions (with or without content), packet filtering .Cd rule and address translation d57 1 a57 1 instructions and d59 79 a137 1 definitions to call with select packets. d139 4 a142 3 This man page is supposed to serve as a reference for editing npf.conf. For in-depth information about the behaviour of NPF please consult the documentation in /usr/share/doc/npf. d205 1 a205 1 .Bl -tag -width /dev/npf.conf -compact @ 1.16 log @npf.conf(5): improve and explain grammar definition. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.15 2012/08/13 01:18:31 rmind Exp $ d39 1 a39 24 is the default configuration file for NPF packet filter. It can contain definitions, grouped rules, rule procedures, translation policies, and tables. .Ss Definitions Definitions are general purpose keywords which can be used in the ruleset to make it more flexible and easier to manage. Most commonly, definitions are used to define one of the following: IP addresses, networks, ports, or interfaces. Definitions can contain multiple elements. .Ss Groups Having one huge ruleset for all interfaces or directions might be inefficient; therefore, NPF requires that all rules be defined within groups. Groups can be thought of as higher level rules which have subrules. The main properties of a group are its interface and traffic direction. Packets matching group criteria are passed to the ruleset of that group. If a packet does not match any group, it is passed to the default group. The default group must always be defined. .Ss Rules Rules, which are the main part of NPF configuration, describe the criteria used to inspect and make decisions about packets. Currently, NPF supports filtering on the following criteria: interface, traffic direction, protocol, IP address or network, TCP/UDP port or range, TCP flags, and ICMP type/code. Supported actions are blocking or passing the packet. d41 4 a44 9 Each rule has a priority, which is set according to its order in the ruleset. Rules defined first are accordingly inspected first. All rules in the group are inspected sequentially, and the last matching dictates the action to be taken. Rules, however, may be explicitly marked as final. In such cases, processing stops after encountering the first matching rule marked as final. If there is no matching rule in the custom group, then rules in the default group will be inspected. d46 14 a59 60 Stateful filtering is supported using the "stateful" keyword. In such cases, state (a session) is created and any further packets of the connection are tracked. Packets in backwards stream, after having been confirmed to belong to the same connection, are passed without ruleset inspection. Rules may have associated rule procedures (described in a later section), which are applied for all packets of a connection. .Pp Definitions (prefixed with "$") and tables (specified by an ID within "\*[Lt]\*[Gt]" marks) can be used in the filter options of rules. .Ss Rule procedures and normalisation Rule procedures are provided to perform packet transformations and various additional procedures on the packets. It should be noted that rule procedures are applied for the connections, that is, both for packets which match the rule and for further packets of the connection, which are passed without ruleset inspection. Currently, two facilities are supported: traffic normalisation and packet logging. Packet normalisation has the following functionality: IP ID randomisation, IP_DF flag cleansing, TCP minimum TTL enforcement, and maximum MSS enforcement ("MSS clamping"). If a matching rule is going to drop the packet, normalisation functions are not performed. Packet logging is performed both in packet passing and blocking cases. Note that the logging interface has to be created manually, using .Xr ifconfig 8 routine, for example: .Pp ifconfig npflog0 create .Ss Network address translation Rules for address translation can be added. Translation is performed on the specified interface, assigning the specified address of said interface. Currently, three types of translation are supported: Network Address Port Translation (NAPT) - a regular NAT, also known as "outbound NAT"; Port forwarding (redirection) - also known as "inbound NAT"; Bi-directional NAT - a combination of inbound and outbound NAT. .Pp Minimal filtering criteria on local network and destination are provided. Note that address translation implies routing, therefore IP forwarding is required to be enabled: net.inet.ip.forwarding = 1. See .Xr sysctl 7 for more details. .Ss Tables Certain configurations might use very large sets of IP addresses or change sets frequently. Storing large IP sets in the configuration file or performing frequent reloads can have a significant performance cost. .Pp In order to achieve high performance, NPF has tables. NPF tables provide separate storage designed for large IP sets and frequent updates without reloading the entire ruleset. Tables can be managed dynamically or loaded from a separate file, which is useful for large static tables. There are two types of storage: "tree" (red-black tree is used) and "hash". .\" ----- d127 2 @ 1.15 log @- npfctl show: add most of the missing cases. - Few minor improvements to NPF man pages. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.14 2012/07/01 23:21:06 rmind Exp $ d30 1 a30 1 .Dd August 12, 2012 d135 4 d140 2 a141 1 line = ( def | table | map | group | rproc ) d143 50 a192 31 var = $\*[Lt]name\*[Gt] iface = ( \*[Lt]interface\*[Gt] | var ) def = ( var "=" "{ "\*[Lt]value_1\*[Gt]", "\*[Lt]value_2\*[Gt]", ... }" | "\*[Lt]value\*[Gt]" ) table = "table" \*[Lt]tid\*[Gt] "type" ( "hash" | "tree" ) ( "dynamic" | "file" \*[Lt]path\*[Gt] ) map-di = ( "->" | "<-" | "<->" ) map-type = ( "static" | "dynamic" ) map = "map" iface map-type \*[Lt]seg1\*[Gt] map-di \*[Lt]seg2\*[Gt] [ "pass" filt-opts ] rproc = "procedure" \*[Lt]name\*[Gt] procs procs = "{" op1 \*[Lt]newline\*[Gt], op2 \*[Lt]newline\*[Gt], ... "}" op = ( "log" iface | "normalise" "(" norm-opt1 "," norm-opt2 ... ")" ) norm-opt = [ "random-id" | "min-ttl" \*[Lt]num\*[Gt] | "max-mss" \*[Lt]num\*[Gt] | "no-df" ] group = "group" "(" ( "default" | group-opts ) ")" ruleset group-opts = [ name \*[Lt]name\*[Gt] "," ] "interface" iface [ "," ( "in" | "out" ) ] ruleset = "{" rule1 \*[Lt]newline\*[Gt], rule2 \*[Lt]newline\*[Gt], ... "}" rule = ( "block" block-opts | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ] [ "on" iface ] [ "family" fam-opt ] [ "proto" \*[Lt]protocol\*[Gt] [ proto-opts ] ] ( "all" | filt-opts ) [ "apply" rproc ] } fam-opt = [ "inet" | "inet6" ] block-opts = [ "return-rst" | "return-icmp" | "return" ] filt-addr = iface | var | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt] port-opts = [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] "-" \*[Lt]port-to\*[Gt] | var ) ] filt-opts = [ "from" filt-addr [ port-opts ] ] [ "to" filt-addr [ port-opts ] ] proto-opts = [ "flags" \*[Lt]tcp_flags\*[Gt] | "icmp-type" \*[Lt]type\*[Gt] "code" \*[Lt]code\*[Gt] ] a223 4 procedure "rid" { normalise: "random-id" } d225 1 a225 1 pass stateful out final from $ext_if apply "rid" @ 1.15.2.1 log @Resync to 2012-11-19 00:00:00 UTC @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.23 2012/09/30 21:15:08 wiz Exp $ d30 1 a30 1 .Dd September 30, 2012 d39 9 a47 60 is the default configuration file for the NPF packet filter. .Pp This manual page serves as a reference for editing .Nm . Please refer to the official NPF documentation for comprehensive and in-depth information. .Pp There are multiple structural elements .Nm may contain: .Cd variable and .Cd table definitions (with or without content), abstraction .Cd groups , packet filtering .Cd rules , .Cd map rules for address translation and .Cd procedure definitions to call on filtered packets. The minimal .Nm must contain a mandatory .Cd default group . .Sh SYNTAX .Ss Variables Variables are specified using the dollar ($) sign, which is used both in definitions and uses of a variable. Variables are defined by assigning a value to them as follows: .Bd -literal $var1 = 10.0.0.1 .Ed .Pp A variable may also be defined as a set: .Bd -literal $var2 = { 10.0.0.1, 10.0.0.2 } .Ed .Pp Common variable definitions are for IP addresses, networks, ports, and interfaces. .Ss Tables Tables are specified using a number between angle brackets \*[Lt] and \*[Gt]. The number used to specify a table should be between 0 and 15. The following is an example of table definition: .Bd -literal table <1> type hash dynamic .Pp .Ed Currently, tables support two storage types: "hash" or "tree". They can also be "dynamic" or static i.e. loaded from the specified file. .Pp The file should contain a list of IP addresses and/or networks in the form of: .Bd -literal 10.0.0.0/24 10.1.1.1 .Ed .Pp Tables of type "hash" can only contain IP addresses. d49 7 a55 8 Groups may have the following options: name, interface, and direction. They are defined in the following form: .Pp .Bd -literal group (name "my_group", interface wm0, in) { # List of rules } .Ed d57 77 a133 77 With a rule statement NPF is instructed to .Cd pass or .Cd block a packet depending on packet header information, transit direction and interface it arrives on, either immediately upon match (keyword .Cd final ) or using the last match. The rule can also instruct NPF to create an entry in the state table when passing the packet, to notify the sender when blocking it, and to apply a procedure to the packet (e.g. "log") in either case. .Pp A "fully-featured" rule would for example be: .Bd -literal pass stateful in final family inet proto tcp flags S/SA \\ from $source port $sport to $dest port $dport apply "someproc" .Ed .Pp Any protocol in .Pa /etc/protocols can be specified. Further packet specification at present is limited to protocol TCP understanding flags, TCP and UDP understanding source and destination ports, and ICMP and IPv6-ICMP understanding icmp-type. .Pp Fragments are not selectable since NPF always reassembles packets before further processing. .Ss Map Network Address Translation (NAT) is expressed in a form of segment mapping. At present, only dynamic translation is supported. The following mapping types are available: .Pp .Bl -tag -width <-> -compact .It Pa -> outbound NAT (translation of the source) .It Pa <- inbound NAT (translation of the destination) .It Pa <-> bi-directional NAT (combination of inbound and outbound NAT) .El .Pp The following would translate the source to the IP address specified by the $pub_ip for the packets on the interface $ext_if. .Bd -literal map $ext_if dynamic 10.1.1.0/24 -> $pub_if .Ed .Pp Translations are implicitly filtered by limiting the operation to the network segments specified, that is, translation would be performed only on packets originating from 10.1.1.0/24 network. Explicit filter criteria can be specified using "pass " as an additional option of the mapping. .Ss Procedures A rule procedure is defined as a collection of extension calls (it may have none). Every extension call has a name and a list of options in the form of key-value pairs. Depending on the call, the key might represent the argument and the value might be optional. For example: .Bd -literal procedure "someproc" { log: npflog0 normalise: "random-id", "min-ttl" 64 } .Ed .Pp In this case, the procedure calls the logging and normalisation modules. .Ss Misc Text after a hash .Pq Sq # character is considered a comment. The backslash .Pq Sq \e character at the end of a line marks a continuation line, i.e., the next line is considered an extension of the present line. a134 4 The following is a non-formal BNF-like definition of the grammar. The definition is simplified and is intended to be human readable, therefore it does not strictly represent the full syntax, which is more flexible. d136 1 a136 6 ; Syntax of a single line. Lines can be separated by LF (\n) or ; a semicolon. Comments start with a hash (#) character. syntax = var-def | table-def | map | group | rproc | comment ; Variable definition. Names can be alpha-numeric, including "_" character. d138 31 a168 46 var-name = "$" . string interface = interface-name | var-name var-def = var "=" ( var-value | "{" value *[ "," value ] "}" ) ; Table definition. Table ID shall be numeric. Path is in the double quotes. table-id = \*[Lt]tid\*[Gt] table-def = "table" table-id "type" ( "hash" | "tree" ) ( "dynamic" | "file" path ) ; Mapping for address translation. map = "map" interface ( "static" | "dynamic" ) net-seg ( "->" | "<-" | "<->" ) net-seg [ "pass" filt-opts ] ; Rule procedure definition. The name should be in the double quotes. ; ; Each call can have its own options in a form of key-value pairs. ; Both key and values may be strings (either in double quotes or not) ; and numbers, depending on the extension. proc = "procedure" proc-name "{" *( proc-call [ new-line ] ) "}" proc-opts = key " " val [ "," proc-opts ] proc-call = call-name ":" proc-opts new-line ; Group definition and the ruleset. group = "group" "(" ( "default" | group-opts ) ")" "{" ruleset "}" group-opts = [ "name" string ] [ "interface" interface ] [ "in" | "out" ] ruleset = [ rule new-line ] [ ruleset ] rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ] [ "on" iface ] [ "family" fam-opt ] [ "proto" protocol [ proto-opts ] ] ( "all" | filt-opts ) [ "apply" proc-name ] block-opts = "return-rst" | "return-icmp" | "return" fam-opt = "inet" | "inet6" proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] | "icmp-type" type [ "code" icmp-code ] addr-mask = addr [ "/" mask ] filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] filt-addr = [ interface | var-name | addr-mask | table-id | "any" ] filt-port = "port" ( port-num | port-from "-" port-to | var-name ) d172 1 a172 1 .Bl -tag -width /usr/share/examples/npf -compact a176 2 .It Pa /usr/share/examples/npf directory containing further examples d200 4 d205 1 a205 1 pass stateful out final from $ext_if @ 1.15.2.2 log @resync with head @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.15.2.1 2012/11/20 03:03:03 tls Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2013 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd January 11, 2013 a98 14 .Ss Interfaces Interfaces can be specified as the values of the variables: .Pp .Bd -literal $pub_if_list = { ifnet(wm0), ifnet(wm1) } .Ed .Pp In the context of filtering, an interface provides a list of its all IP addresses, including IPv4 and IPv6. Specific interface addresses can be selected by the family, e.g.: .Bd -literal $pub_if4 = inet4(wm0) $pub_if6 = { inet6(wm0) } .Ed d154 1 a154 1 map $ext_if dynamic 10.1.1.0/24 -> $pub_ip d192 1 a192 1 ; Syntax of a single line. Lines can be separated by LF (\\n) or d259 2 a260 2 $ext_if = ifnet(wm0) $int_if = ifnet(wm1) a274 2 # Note: npf_ext_log kernel module should be loaded, if not built-in. # Also, the interface created, e.g.: ifconfig npflog0 create d279 1 a279 1 pass stateful out final all @ 1.15.2.3 log @resync from head @ text @d1 1 a1 1 .\" $NetBSD$ d30 1 a30 1 .Dd March 10, 2013 d187 1 a187 1 normalize: "random-id", "min-ttl" 64 d286 1 a286 1 map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if port 9022 @ 1.15.2.4 log @Rebase to HEAD as of a few days ago. @ text @d3 1 a3 1 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd August 2, 2014 d81 1 a81 1 Tables are specified using a name between angle brackets d83 1 d86 1 a86 1 table type hash dynamic d89 1 a89 1 Currently, tables support three storage types: "hash", "tree", or "cdb". d98 1 a98 2 Tables of type "hash" and "cdb" can only contain IP addresses. Also, the latter can only be static. d103 1 a103 1 $pub_if_list = { inet4(wm0), inet4(wm1) } d111 1 a111 1 $pub_if46 = { inet4(wm0), inet6(wm0) } d118 1 a118 1 group "my-name" in on wm0 { d137 1 a137 1 pass stateful in final family inet4 proto tcp flags S/SA \\ a148 7 Alternatively, NPF supports .Xr pcap-filter 7 syntax, for example: .Bd -literal block out final pcap-filter "tcp and dst 10.1.1.252" .Ed .Pp a150 19 .Ss Stateful Stateful packet inspection is enabled using .Cd stateful or .Cd stateful-ends keywords. The former creates a state which is uniquely identified by a 5-tuple (source and destination IP addresses, port numbers and an interface identifier). The latter excludes the interface identifier and must be used with precaution. In both cases, a full TCP state tracking is performed for TCP connections and a limited tracking for message-based protocols (UDP and ICMP). .Pp By default, a stateful rule implies SYN-only flag check ("flags S/SAFR") for the TCP packets. It is not advisable to change this behavior; however, it can be overridden with the .Cd flags keyword. d153 1 a153 1 The translation may be dynamic (stateful) or static (stateless). d219 2 a220 2 table-id = \*[Lt]table-name\*[Gt] table-def = "table" table-id "type" ( "hash" | "tree" | "cdb" ) d225 1 a225 2 map = "map" interface ( "static" [ "algo" algorithm ] | "dynamic" ) d239 1 a239 13 ; Group definition and the rule list. group = "group" ( "default" | group-opts ) "{" rule-list "}" group-opts = name-string [ "in" | "out" ] [ "on" interface ] rule-list = [ rule new-line ] rule-list npf-filter = [ "family" family-opt ] [ "proto" protocol [ proto-opts ] ] ( "all" | filt-opts ) static-rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" | "stateful-ends" ] [ "in" | out" ] [ "final" ] [ "on" interface ] ( npf-filter | "pcap-filter" pcap-filter-expr ) [ "apply" proc-name ] d241 8 a248 2 dynamic-ruleset = "ruleset" group-opts rule = static-rule | dynamic-ruleset d251 1 a251 1 family-opt = "inet4" | "inet6" d273 2 a274 2 $ext_if = { inet4(wm0), inet6(wm0) } $int_if = { inet4(wm1), inet6(wm1) } d276 2 a277 2 table type hash file "/etc/npf_blacklist" table type tree dynamic d294 1 a294 1 group "external" on $ext_if { d297 2 a298 2 block in final from \*[Lt]blacklist\*[Gt] pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log" d305 1 a305 1 group "internal" on $int_if { d307 1 a307 4 block in final from \*[Lt]limited\*[Gt] # Ingress filtering as per BCP 38 / RFC 2827. pass in final from $localnet d311 1 a311 1 group default { d318 2 a319 4 .Xr bpf 4 , .Xr npf 7 , .Xr pcap-filter 7 , .Xr npfctl 8 @ 1.14 log @NPF improvements: - Add NPF_OPCODE_PROTO to match the address and/or protocol only. - Update parser to support arbitrary "pass proto ". - Fix IPv6 address and protocol handling (add a regression test). - Fix few theorethical races in session handling module. - Misc fixes, simplifications and some clean up. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.13 2012/06/27 23:05:28 rmind Exp $ d30 1 a30 1 .Dd June 29, 2012 d40 2 a41 1 It can contain definitions, grouped rules, rule procedures, and tables. d60 1 a60 1 traffic direction, protocol, IPv4 address or network, TCP/UDP port d233 3 @ 1.13 log @Fix and update npf.conf(5), npfctl(8) and its usage message. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.12 2012/06/15 23:24:08 rmind Exp $ d30 1 a30 1 .Dd June 27, 2012 d221 1 @ 1.12 log @- Rework NPF NAT syntax to be more structured and support future additions of different types and configurations of NAT. - npfctl: improve disassemble and show-config command functionality. - Fix custom ICMP code and type filtering. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.11 2012/05/30 22:00:44 wiz Exp $ d30 1 a30 1 .Dd June 14, 2012 d106 1 a106 1 There are three types of translation: d137 3 a139 2 def = ( \*[Lt]name\*[Gt] "=" "{ a, b, ... }" | "\*[Lt]text\*[Gt]" | "$\*[Lt]interface\*[Gt]" ) iface = ( \*[Lt]interface\*[Gt] | def ) d146 1 a146 1 map = "map" iface maptype \*[Lt]seg1\*[Gt] mapdi \*[Lt]seg2\*[Gt] [ "pass" filt-opts ] d154 1 a154 1 group-opts = "interface" iface "," [ "in" | "out" ] d159 1 a159 1 [ "on" iface ] [ "family" fam-opt ] [ "proto" \*[Lt]protocol\*[Gt] ] d164 2 a165 2 filt-addr = iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt] port-opts = [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] "-" \*[Lt]port-to\*[Gt] | def ) ] d190 2 d207 5 a211 5 pass in final family inet proto tcp to $ext_if port ssh apply "log" pass in final proto tcp to $ext_if port $services_tcp pass in final proto udp to $ext_if port $services_udp pass in final proto tcp to $ext_if port 49151-65535 # Passive FTP pass in final proto udp to $ext_if port 33434-33600 # Traceroute @ 1.11 log @Remove superfluous Pp @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.10 2012/05/30 21:30:07 rmind Exp $ d30 1 a30 1 .Dd May 27, 2012 d135 1 a135 1 line = ( def | table | nat | group | rproc ) d143 3 a145 3 nat = "nat" iface filt-opts "->" \*[Lt]addr\*[Gt] binat = "binat" iface filt-opts "->" \*[Lt]addr\*[Gt] rdr = "rdr" iface filt-opts "->" \*[Lt]addr\*[Gt] port-opts a181 3 $services_tcp = { http, https, smtp, domain, 6000 } $services_udp = { domain, ntp, 6000 } d185 6 a190 1 nat $ext_if from 192.168.0.0/24 to any -> $ext_if a200 1 block in final from \*[Lt]1\*[Gt] d203 1 @ 1.10 log @npfctl(8): add show-config command. Also, update syntax. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9 2012/02/06 00:41:36 rmind Exp $ a101 1 .Pp @ 1.9 log @Fix the family option in the grammar and example. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.8 2012/02/06 00:37:52 rmind Exp $ d30 1 a30 1 .Dd February 5, 2012 d67 1 a67 1 Rules, however, may be explicitly marked as final (that is, "quick"). d73 1 a73 1 Stateful filtering is supported using the "keep state" keyword. d158 1 a158 1 rule = ( "block" block-opts | "pass" ) [ "in" | out" ] [ "quick" ] d160 1 a160 1 ( "all" | filt-opts ) [ "keep state" ] [ "apply" rproc ] } d200 2 a201 2 block in quick from \*[Lt]1\*[Gt] pass out quick from $ext_if keep state apply "rid" d203 5 a207 5 pass in quick family inet proto tcp to $ext_if port ssh apply "log" pass in quick proto tcp to $ext_if port $services_tcp pass in quick proto udp to $ext_if port $services_udp pass in quick proto tcp to $ext_if port 49151-65535 # Passive FTP pass in quick proto udp to $ext_if port 33434-33600 # Traceroute d212 2 a213 2 pass in quick from \*[Lt]2\*[Gt] pass out quick all @ 1.9.2.1 log @Pull up following revision(s) (requested by rmind in ticket #354): sys/net/npf/npf_state_tcp.c: revision 1.4 sys/net/npf/npf_state_tcp.c: revision 1.5 sys/net/npf/npf_state_tcp.c: revision 1.6 usr.sbin/npf/npftest/npftest.c: revision 1.1 usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.1 usr.sbin/npf/npftest/npftest.c: revision 1.2 usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.2 usr.sbin/npf/npfctl/npf_data.c: revision 1.11 usr.sbin/npf/npftest/npftest.c: revision 1.3 usr.sbin/npf/npfctl/npf_data.c: revision 1.12 usr.sbin/npf/npftest/npftest.h: revision 1.1 usr.sbin/npf/npfctl/npf_parse.y: revision 1.5 usr.sbin/npf/npfctl/npf_data.c: revision 1.13 sys/net/npf/npf.h: revision 1.16 usr.sbin/npf/npftest/npftest.h: revision 1.2 usr.sbin/npf/npfctl/npf_parse.y: revision 1.6 usr.sbin/npf/npftest/npftest.h: revision 1.3 usr.sbin/npf/npfctl/npf_parse.y: revision 1.7 usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.10 usr.sbin/npf/npfctl/npf_build.c: revision 1.6 usr.sbin/npf/npfctl/npf_parse.y: revision 1.8 usr.sbin/npf/npfctl/npf_build.c: revision 1.7 usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.1 usr.sbin/npf/npftest/libnpftest/npf_nbuf_test.c: revision 1.1 usr.sbin/npf/npfctl/npf_build.c: revision 1.8 usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.1 usr.sbin/npf/npfctl/npf_build.c: revision 1.9 usr.sbin/npf/npfctl/npf.conf.5: revision 1.10 usr.sbin/npf/npfctl/npf.conf.5: revision 1.11 usr.sbin/npf/npfctl/npf.conf.5: revision 1.12 sys/net/npf/npf_state.c: revision 1.7 usr.sbin/npf/npfctl/npfctl.c: revision 1.11 usr.sbin/npf/npfctl/npfctl.c: revision 1.12 usr.sbin/npf/npfctl/Makefile: revision 1.7 sys/rump/net/lib/libnet/Makefile: revision 1.14 sys/net/npf/npf_mbuf.c: revision 1.7 usr.sbin/npf/npftest/Makefile: revision 1.1 usr.sbin/npf/npftest/Makefile: revision 1.2 usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.1 usr.sbin/npf/npfctl/npf_scan.l: revision 1.2 usr.sbin/npf/npftest/npfstream.c: revision 1.1 usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.2 usr.sbin/npf/npfctl/npf_scan.l: revision 1.3 usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.3 usr.sbin/npf/npfctl/npfctl.h: revision 1.12 sys/rump/dev/lib/libnpf/Makefile: revision 1.2 usr.sbin/npf/npfctl/npfctl.h: revision 1.14 sys/rump/dev/lib/libnpf/Makefile: revision 1.3 usr.sbin/npf/npfctl/npfctl.h: revision 1.15 usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.9 sys/net/npf/npf_ctl.c: revision 1.15 usr.sbin/npf/npfctl/npf_var.c: revision 1.4 usr.sbin/npf/npfctl/npf_var.h: revision 1.2 usr.sbin/npf/npfctl/npf_var.c: revision 1.5 sys/net/npf/npf_impl.h: revision 1.13 sys/net/npf/npf_sendpkt.c: revision 1.10 sys/net/npf/npf_impl.h: revision 1.14 usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.4 sys/net/npf/npf_impl.h: revision 1.15 sys/net/npf/npf_handler.c: revision 1.16 usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.1 usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.1 usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.5 sys/net/npf/npf_handler.c: revision 1.17 usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.2 sys/net/npf/npf_ncode.h: revision 1.7 usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.1 usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.3 sys/net/npf/npf_ncode.h: revision 1.8 npf_tcp_inwindow: in a case of negative skew, bump the maximum seen value of SEQ+LEN in the receiver's side correctly (using ACK from the sender's side). PR/46265 from Changli Gao. rumpnet_net: add pfil.c Update rumpdev_npf; use WARNS=4. Add initial NPF regression tests integrated with RUMP framework (running the kernel part of NPF in userland). Other tests will be added once converted to RUMP framework. All tests are in the public domain. Some Makefile fixes from christos@@. - Fix double-free case on ICMP return case. - npf_pfil_register: handle kernels without INET6 option correctly. - Reduce some #ifdefs. npfctl(8): add show-config command. Also, update syntax. npftest: add a stream processor, which prints out the TCP state information. A tool for debugging connection tracking from tcpdump -w captured data. npftest: add a module for TCP state tracking and add few test cases. npf_state_tcp: add an assert; fix some comments while here. - Rework NPF NAT syntax to be more structured and support future additions of different types and configurations of NAT. - npfctl: improve disassemble and show-config command functionality. - Fix custom ICMP code and type filtering. make this compile again. remove error(1) output Remove superfluous Pp - make each element of a variable hold a type - change get_type to take an index, so we can get the individual types of each element (since primitive elements can be in lists) - make port_range primitive - add a routine to convert a variable of primitives to a variable containing - only port ranges. remove extra rule that got merged... @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9 2012/02/06 00:41:36 rmind Exp $ d30 1 a30 1 .Dd June 14, 2012 d67 1 a67 1 Rules, however, may be explicitly marked as final. d73 1 a73 1 Stateful filtering is supported using the "stateful" keyword. d102 1 d136 1 a136 1 line = ( def | table | map | group | rproc ) d144 3 a146 3 map-di = ( "->" | "<-" | "<->" ) map-type = ( "static" | "dynamic" ) map = "map" iface maptype \*[Lt]seg1\*[Gt] mapdi \*[Lt]seg2\*[Gt] [ "pass" filt-opts ] d158 1 a158 1 rule = ( "block" block-opts | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ] d160 1 a160 1 ( "all" | filt-opts ) [ "apply" rproc ] } d183 3 d189 1 a189 6 $services_tcp = { http, https, smtp, domain, 6000, 9022 } $services_udp = { domain, ntp, 6000 } $localnet = { 10.1.1.0/24 } map $ext_if dynamic 10.1.1.0/24 -> $ext_if map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if 9022 d200 2 a201 1 pass stateful out final from $ext_if apply "rid" d203 5 a207 6 block in final from \*[Lt]1\*[Gt] pass in final family inet proto tcp to $ext_if port ssh apply "log" pass in final proto tcp to $ext_if port $services_tcp pass in final proto udp to $ext_if port $services_udp pass in final proto tcp to $ext_if port 49151-65535 # Passive FTP pass in final proto udp to $ext_if port 33434-33600 # Traceroute d212 2 a213 2 pass in final from \*[Lt]2\*[Gt] pass out final all @ 1.9.2.2 log @Pull up following revision(s) (requested by rmind in ticket #399): sys/net/npf/npf_session.c: revision 1.14 sys/net/npf/npf_tableset.c: revision 1.12 sys/net/npf/npf_state_tcp.c: revision 1.8 usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.3 usr.sbin/npf/npfctl/npf_data.c: revision 1.14 sys/net/npf/npf_inet.c: revision 1.13 sys/net/npf/npf_ruleset.c: revision 1.12 sys/net/npf/npf.h: revision 1.18 usr.sbin/npf/npfctl/npf_ncgen.c: revision 1.11 usr.sbin/npf/npfctl/npfctl.8: revision 1.7 usr.sbin/npf/npfctl/npf_parse.y: revision 1.9 usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.2 usr.sbin/npf/npfctl/npfctl.8: revision 1.8 sys/net/npf/npf_instr.c: revision 1.12 usr.sbin/npf/npftest/libnpftest/npf_table_test.c: revision 1.3 usr.sbin/npf/npfctl/npf.conf.5: revision 1.13 usr.sbin/npf/npfctl/npf.conf.5: revision 1.14 sys/net/npf/npf_state.c: revision 1.9 sys/net/npf/npf_processor.c: revision 1.11 usr.sbin/npf/npfctl/npfctl.c: revision 1.13 usr.sbin/npf/npfctl/npfctl.c: revision 1.14 usr.sbin/npf/npfctl/npf_build.c: revision 1.10 lib/libnpf/npf.3: revision 1.5 lib/libnpf/npf.h: revision 1.8 share/man/man9/npf_ncode.9: revision 1.9 usr.sbin/npf/npfctl/npf_scan.l: revision 1.4 lib/libnpf/npf.c: revision 1.9 usr.sbin/npf/npfctl/npfctl.h: revision 1.16 sys/net/npf/npf_nat.c: revision 1.14 usr.sbin/npf/npftest/libnpftest/npf_processor_test.c: revision 1.2 usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.6 sys/net/npf/npf_impl.h: revision 1.17 sys/net/npf/npf_handler.c: revision 1.18 sys/net/npf/npf_handler.c: revision 1.19 usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.4 sys/net/npf/npf_ncode.h: revision 1.9 Fix and update npf.conf(5), npfctl(8) and its usage message. npf_state_tcp: fix for FIN retransmission and out-of-order ACK case. NPF improvements: - Add NPF_OPCODE_PROTO to match the address and/or protocol only. - Update parser to support arbitrary "pass proto <name/number>". - Fix IPv6 address and protocol handling (add a regression test). - Fix few theorethical races in session handling module. - Misc fixes, simplifications and some clean up. npf_packet_handler: fix gcc unused warning. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9.2.1 2012/06/26 00:07:20 riz Exp $ d30 1 a30 1 .Dd June 29, 2012 d106 1 a106 1 Currently, three types of translation are supported: d137 2 a138 3 var = $\*[Lt]name\*[Gt] iface = ( \*[Lt]interface\*[Gt] | var ) def = ( var "=" "{ "\*[Lt]value_1\*[Gt]", "\*[Lt]value_2\*[Gt]", ... }" | "\*[Lt]value\*[Gt]" ) d145 1 a145 1 map = "map" iface map-type \*[Lt]seg1\*[Gt] map-di \*[Lt]seg2\*[Gt] [ "pass" filt-opts ] d153 1 a153 1 group-opts = [ name \*[Lt]name\*[Gt] "," ] "interface" iface [ "," ( "in" | "out" ) ] d158 1 a158 1 [ "on" iface ] [ "family" fam-opt ] [ "proto" \*[Lt]protocol\*[Gt] [ proto-opts ] ] d163 2 a164 2 filt-addr = iface | var | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt] port-opts = [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] "-" \*[Lt]port-to\*[Gt] | var ) ] a188 2 # Note: if $ext_if has multiple IP address (e.g. IPv6 as well), # then the translation address has to be specified explicitly. d204 5 a208 5 pass stateful in final family inet proto tcp to $ext_if port ssh apply "log" pass stateful in final proto tcp to $ext_if port $services_tcp pass stateful in final proto udp to $ext_if port $services_udp pass stateful in final proto tcp to $ext_if port 49151-65535 # Passive FTP pass stateful in final proto udp to $ext_if port 33434-33600 # Traceroute a217 1 pass final on lo0 all @ 1.9.2.3 log @Pull up following revision(s) (requested by rmind in ticket #489): usr.sbin/npf/npfctl/npfctl.8: revision 1.9 usr.sbin/npf/npfctl/npf.conf.5: revision 1.15 usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.9 - npfctl show: add most of the missing cases. - Few minor improvements to NPF man pages. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9.2.2 2012/07/05 17:48:44 riz Exp $ d30 1 a30 1 .Dd August 12, 2012 d40 1 a40 2 It can contain definitions, grouped rules, rule procedures, translation policies, and tables. d59 1 a59 1 traffic direction, protocol, IP address or network, TCP/UDP port a231 3 .Sh AUTHORS NPF was designed and implemented by .An Mindaugas Rasiukevicius . @ 1.9.2.3.2.1 log @sync with netbsd-6-0-RELEASE. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9.2.4 2012/10/01 20:05:56 riz Exp $ d30 1 a30 1 .Dd September 30, 2012 d39 9 a47 60 is the default configuration file for the NPF packet filter. .Pp This manual page serves as a reference for editing .Nm . Please refer to the official NPF documentation for comprehensive and in-depth information. .Pp There are multiple structural elements .Nm may contain: .Cd variable and .Cd table definitions (with or without content), abstraction .Cd groups , packet filtering .Cd rules , .Cd map rules for address translation and .Cd procedure definitions to call on filtered packets. The minimal .Nm must contain a mandatory .Cd default group . .Sh SYNTAX .Ss Variables Variables are specified using the dollar ($) sign, which is used both in definitions and uses of a variable. Variables are defined by assigning a value to them as follows: .Bd -literal $var1 = 10.0.0.1 .Ed .Pp A variable may also be defined as a set: .Bd -literal $var2 = { 10.0.0.1, 10.0.0.2 } .Ed .Pp Common variable definitions are for IP addresses, networks, ports, and interfaces. .Ss Tables Tables are specified using a number between angle brackets \*[Lt] and \*[Gt]. The number used to specify a table should be between 0 and 15. The following is an example of table definition: .Bd -literal table <1> type hash dynamic .Pp .Ed Currently, tables support two storage types: "hash" or "tree". They can also be "dynamic" or static i.e. loaded from the specified file. .Pp The file should contain a list of IP addresses and/or networks in the form of: .Bd -literal 10.0.0.0/24 10.1.1.1 .Ed .Pp Tables of type "hash" can only contain IP addresses. d49 7 a55 8 Groups may have the following options: name, interface, and direction. They are defined in the following form: .Pp .Bd -literal group (name "my_group", interface wm0, in) { # List of rules } .Ed d57 77 a133 77 With a rule statement NPF is instructed to .Cd pass or .Cd block a packet depending on packet header information, transit direction and interface it arrives on, either immediately upon match (keyword .Cd final ) or using the last match. The rule can also instruct NPF to create an entry in the state table when passing the packet, to notify the sender when blocking it, and to apply a procedure to the packet (e.g. "log") in either case. .Pp A "fully-featured" rule would for example be: .Bd -literal pass stateful in final family inet proto tcp flags S/SA \\ from $source port $sport to $dest port $dport apply "someproc" .Ed .Pp Any protocol in .Pa /etc/protocols can be specified. Further packet specification at present is limited to protocol TCP understanding flags, TCP and UDP understanding source and destination ports, and ICMP and IPv6-ICMP understanding icmp-type. .Pp Fragments are not selectable since NPF always reassembles packets before further processing. .Ss Map Network Address Translation (NAT) is expressed in a form of segment mapping. At present, only dynamic translation is supported. The following mapping types are available: .Pp .Bl -tag -width <-> -compact .It Pa -> outbound NAT (translation of the source) .It Pa <- inbound NAT (translation of the destination) .It Pa <-> bi-directional NAT (combination of inbound and outbound NAT) .El .Pp The following would translate the source to the IP address specified by the $pub_ip for the packets on the interface $ext_if. .Bd -literal map $ext_if dynamic 10.1.1.0/24 -> $pub_if .Ed .Pp Translations are implicitly filtered by limiting the operation to the network segments specified, that is, translation would be performed only on packets originating from 10.1.1.0/24 network. Explicit filter criteria can be specified using "pass " as an additional option of the mapping. .Ss Procedures A rule procedure is defined as a collection of extension calls (it may have none). Every extension call has a name and a list of options in the form of key-value pairs. Depending on the call, the key might represent the argument and the value might be optional. For example: .Bd -literal procedure "someproc" { log: npflog0 normalise: "random-id", "min-ttl" 64 } .Ed .Pp In this case, the procedure calls the logging and normalisation modules. .Ss Misc Text after a hash .Pq Sq # character is considered a comment. The backslash .Pq Sq \e character at the end of a line marks a continuation line, i.e., the next line is considered an extension of the present line. a134 4 The following is a non-formal BNF-like definition of the grammar. The definition is simplified and is intended to be human readable, therefore it does not strictly represent the full syntax, which is more flexible. d136 1 a136 6 ; Syntax of a single line. Lines can be separated by LF (\n) or ; a semicolon. Comments start with a hash (#) character. syntax = var-def | table-def | map | group | rproc | comment ; Variable definition. Names can be alpha-numeric, including "_" character. d138 31 a168 46 var-name = "$" . string interface = interface-name | var-name var-def = var "=" ( var-value | "{" value *[ "," value ] "}" ) ; Table definition. Table ID shall be numeric. Path is in the double quotes. table-id = \*[Lt]tid\*[Gt] table-def = "table" table-id "type" ( "hash" | "tree" ) ( "dynamic" | "file" path ) ; Mapping for address translation. map = "map" interface ( "static" | "dynamic" ) net-seg ( "->" | "<-" | "<->" ) net-seg [ "pass" filt-opts ] ; Rule procedure definition. The name should be in the double quotes. ; ; Each call can have its own options in a form of key-value pairs. ; Both key and values may be strings (either in double quotes or not) ; and numbers, depending on the extension. proc = "procedure" proc-name "{" *( proc-call [ new-line ] ) "}" proc-opts = key " " val [ "," proc-opts ] proc-call = call-name ":" proc-opts new-line ; Group definition and the ruleset. group = "group" "(" ( "default" | group-opts ) ")" "{" ruleset "}" group-opts = [ "name" string ] [ "interface" interface ] [ "in" | "out" ] ruleset = [ rule new-line ] [ ruleset ] rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ] [ "on" iface ] [ "family" fam-opt ] [ "proto" protocol [ proto-opts ] ] ( "all" | filt-opts ) [ "apply" proc-name ] block-opts = "return-rst" | "return-icmp" | "return" fam-opt = "inet" | "inet6" proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] | "icmp-type" type [ "code" icmp-code ] addr-mask = addr [ "/" mask ] filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] filt-addr = [ interface | var-name | addr-mask | table-id | "any" ] filt-port = "port" ( port-num | port-from "-" port-to | var-name ) d172 1 a172 1 .Bl -tag -width /usr/share/examples/npf -compact a176 2 .It Pa /usr/share/examples/npf directory containing further examples d200 4 d205 1 a205 1 pass stateful out final from $ext_if @ 1.9.2.4 log @Pull up following revision(s) (requested by rmind in ticket #582): usr.sbin/npf/npfctl/npf.conf.5: revision 1.16 usr.sbin/npf/npfctl/npf.conf.5: revision 1.17 usr.sbin/npf/npfctl/npf.conf.5: revision 1.18 usr.sbin/npf/npfctl/npf.conf.5: revision 1.19 usr.sbin/npf/npfctl/npfctl.c: revision 1.19 usr.sbin/npf/npfctl/npf.conf.5: revision 1.20 usr.sbin/npf/npfctl/npf.conf.5: revision 1.21 usr.sbin/npf/npfctl/npf.conf.5: revision 1.22 usr.sbin/npf/npfctl/npf.conf.5: revision 1.23 npfctl usage: minor formatting fix. npf.conf(5): improve and explain grammar definition. re-work the description part of the man page, as discussed with rmind@@ npf.conf(5): add syntax section and a first cut describing the structural elements. Some improvements and fixes from spz@@. Whitespace fixes, remove unnecessary Pp XXX: Subsections Rules and Procedures seem empty? Add some content to the "Rules" section. Use more markup. New sentence, new line. Add some content to the Procedures section. Wording, more macros. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9.2.3 2012/08/13 19:43:44 riz Exp $ d30 1 a30 1 .Dd September 30, 2012 d39 9 a47 60 is the default configuration file for the NPF packet filter. .Pp This manual page serves as a reference for editing .Nm . Please refer to the official NPF documentation for comprehensive and in-depth information. .Pp There are multiple structural elements .Nm may contain: .Cd variable and .Cd table definitions (with or without content), abstraction .Cd groups , packet filtering .Cd rules , .Cd map rules for address translation and .Cd procedure definitions to call on filtered packets. The minimal .Nm must contain a mandatory .Cd default group . .Sh SYNTAX .Ss Variables Variables are specified using the dollar ($) sign, which is used both in definitions and uses of a variable. Variables are defined by assigning a value to them as follows: .Bd -literal $var1 = 10.0.0.1 .Ed .Pp A variable may also be defined as a set: .Bd -literal $var2 = { 10.0.0.1, 10.0.0.2 } .Ed .Pp Common variable definitions are for IP addresses, networks, ports, and interfaces. .Ss Tables Tables are specified using a number between angle brackets \*[Lt] and \*[Gt]. The number used to specify a table should be between 0 and 15. The following is an example of table definition: .Bd -literal table <1> type hash dynamic .Pp .Ed Currently, tables support two storage types: "hash" or "tree". They can also be "dynamic" or static i.e. loaded from the specified file. .Pp The file should contain a list of IP addresses and/or networks in the form of: .Bd -literal 10.0.0.0/24 10.1.1.1 .Ed .Pp Tables of type "hash" can only contain IP addresses. d49 7 a55 8 Groups may have the following options: name, interface, and direction. They are defined in the following form: .Pp .Bd -literal group (name "my_group", interface wm0, in) { # List of rules } .Ed d57 77 a133 77 With a rule statement NPF is instructed to .Cd pass or .Cd block a packet depending on packet header information, transit direction and interface it arrives on, either immediately upon match (keyword .Cd final ) or using the last match. The rule can also instruct NPF to create an entry in the state table when passing the packet, to notify the sender when blocking it, and to apply a procedure to the packet (e.g. "log") in either case. .Pp A "fully-featured" rule would for example be: .Bd -literal pass stateful in final family inet proto tcp flags S/SA \\ from $source port $sport to $dest port $dport apply "someproc" .Ed .Pp Any protocol in .Pa /etc/protocols can be specified. Further packet specification at present is limited to protocol TCP understanding flags, TCP and UDP understanding source and destination ports, and ICMP and IPv6-ICMP understanding icmp-type. .Pp Fragments are not selectable since NPF always reassembles packets before further processing. .Ss Map Network Address Translation (NAT) is expressed in a form of segment mapping. At present, only dynamic translation is supported. The following mapping types are available: .Pp .Bl -tag -width <-> -compact .It Pa -> outbound NAT (translation of the source) .It Pa <- inbound NAT (translation of the destination) .It Pa <-> bi-directional NAT (combination of inbound and outbound NAT) .El .Pp The following would translate the source to the IP address specified by the $pub_ip for the packets on the interface $ext_if. .Bd -literal map $ext_if dynamic 10.1.1.0/24 -> $pub_if .Ed .Pp Translations are implicitly filtered by limiting the operation to the network segments specified, that is, translation would be performed only on packets originating from 10.1.1.0/24 network. Explicit filter criteria can be specified using "pass " as an additional option of the mapping. .Ss Procedures A rule procedure is defined as a collection of extension calls (it may have none). Every extension call has a name and a list of options in the form of key-value pairs. Depending on the call, the key might represent the argument and the value might be optional. For example: .Bd -literal procedure "someproc" { log: npflog0 normalise: "random-id", "min-ttl" 64 } .Ed .Pp In this case, the procedure calls the logging and normalisation modules. .Ss Misc Text after a hash .Pq Sq # character is considered a comment. The backslash .Pq Sq \e character at the end of a line marks a continuation line, i.e., the next line is considered an extension of the present line. a134 4 The following is a non-formal BNF-like definition of the grammar. The definition is simplified and is intended to be human readable, therefore it does not strictly represent the full syntax, which is more flexible. d136 1 a136 6 ; Syntax of a single line. Lines can be separated by LF (\n) or ; a semicolon. Comments start with a hash (#) character. syntax = var-def | table-def | map | group | rproc | comment ; Variable definition. Names can be alpha-numeric, including "_" character. d138 31 a168 46 var-name = "$" . string interface = interface-name | var-name var-def = var "=" ( var-value | "{" value *[ "," value ] "}" ) ; Table definition. Table ID shall be numeric. Path is in the double quotes. table-id = \*[Lt]tid\*[Gt] table-def = "table" table-id "type" ( "hash" | "tree" ) ( "dynamic" | "file" path ) ; Mapping for address translation. map = "map" interface ( "static" | "dynamic" ) net-seg ( "->" | "<-" | "<->" ) net-seg [ "pass" filt-opts ] ; Rule procedure definition. The name should be in the double quotes. ; ; Each call can have its own options in a form of key-value pairs. ; Both key and values may be strings (either in double quotes or not) ; and numbers, depending on the extension. proc = "procedure" proc-name "{" *( proc-call [ new-line ] ) "}" proc-opts = key " " val [ "," proc-opts ] proc-call = call-name ":" proc-opts new-line ; Group definition and the ruleset. group = "group" "(" ( "default" | group-opts ) ")" "{" ruleset "}" group-opts = [ "name" string ] [ "interface" interface ] [ "in" | "out" ] ruleset = [ rule new-line ] [ ruleset ] rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ] [ "on" iface ] [ "family" fam-opt ] [ "proto" protocol [ proto-opts ] ] ( "all" | filt-opts ) [ "apply" proc-name ] block-opts = "return-rst" | "return-icmp" | "return" fam-opt = "inet" | "inet6" proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] | "icmp-type" type [ "code" icmp-code ] addr-mask = addr [ "/" mask ] filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] filt-addr = [ interface | var-name | addr-mask | table-id | "any" ] filt-port = "port" ( port-num | port-from "-" port-to | var-name ) d172 1 a172 1 .Bl -tag -width /usr/share/examples/npf -compact a176 2 .It Pa /usr/share/examples/npf directory containing further examples d200 4 d205 1 a205 1 pass stateful out final from $ext_if @ 1.9.2.4.2.1 log @Pull up following revision(s) (requested by rmind in ticket #744): usr.sbin/npf/npfctl/npf.conf.5: revision 1.25 - npf.conf(5): fix of the example config. - Mention npf_ext_log in a comment. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9.2.4 2012/10/01 20:05:56 riz Exp $ d30 1 a30 1 .Dd December 6, 2012 a274 1 # Note: npf_ext_log kernel module should be loaded, if not built-in. d279 1 a279 1 pass stateful out final all @ 1.9.2.5 log @Pull up following revision(s) (requested by rmind in ticket #736): usr.sbin/npf/npfctl/npf_parse.y: revision 1.17 sys/net/npf/npf_tableset.c: revision 1.16 usr.sbin/npf/npfctl/npfctl.h: revision 1.23 usr.sbin/npf/npfctl/npf_data.c: revision 1.19 usr.sbin/npf/npfctl/npf_build.c: revision 1.15 share/examples/npf/host-npf.conf: revision 1.3 usr.sbin/npf/npfctl/npf_scan.l: revision 1.9 share/examples/npf/soho_gw-npf.conf: revision 1.3 usr.sbin/npf/npfctl/npf_var.h: revision 1.6 usr.sbin/npf/npfctl/npf.conf.5: revision 1.24 npfctl: extend syntax for extracting interface IP address(es) by the family. adjust to current npf.conf syntax npf_table_list: avoid triggering assert on diagnostic. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9.2.4 2012/10/01 20:05:56 riz Exp $ d30 1 a30 1 .Dd November 26, 2012 a98 12 .Ss Interfaces Interfaces can be specified as the values of the variables: .Bd -literal $pub_if_list = { ifnet(wm0), ifnet(wm1) } .Ed In the context of filtering, an interface provides a list of its all IP addresses, including IPv4 and IPv6. Specific interface addresses can be selected by the family, e.g.: .Bd -literal $pub_if4 = inet4(wm0) $pub_if6 = { inet6(wm0) } .Ed d154 1 a154 1 map $ext_if dynamic 10.1.1.0/24 -> $pub_ip d259 2 a260 2 $ext_if = ifnet(wm0) $int_if = ifnet(wm1) @ 1.9.2.6 log @Pull up following revision(s) (requested by rmind in ticket #744): usr.sbin/npf/npfctl/npf.conf.5: revision 1.25 share/examples/npf/host-npf.conf: revision 1.4 share/examples/npf/soho_gw-npf.conf: revision 1.4 Fix syntax error in the example, fix one rule and G/C "rid" procedure. - npf.conf(5): fix of the example config. - Mention npf_ext_log in a comment. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9.2.5 2012/12/11 04:31:53 riz Exp $ d30 1 a30 1 .Dd December 6, 2012 a286 1 # Note: npf_ext_log kernel module should be loaded, if not built-in. d291 1 a291 1 pass stateful out final all @ 1.9.2.7 log @Pull up following revision(s) (requested by rmind in ticket #776): usr.sbin/npf/npfctl/npf.conf.5: revision 1.26 usr.sbin/npf/npfctl/npfctl.c: revision 1.26 dist/pf/usr.sbin/ftp-proxy/npf.c: revision 1.2 lib/libnpf/npf.c: revision 1.15 sys/net/npf/npf_ctl.c: revision 1.20 lib/libnpf/npf.h: revision 1.12 lib/libnpf/npf.3: revision 1.6 lib/libnpf/npf.3: revision 1.7 usr.sbin/npf/npfctl/npf_build.c: revision 1.17 sys/net/npf/npf.h: revision 1.24 - Add NPF version check in proplist as well, not only ioctl. Bump the version. - Fix a bug in table entry lookup. - Updates/fixes to the man pages. Misc. Remove a superfluous quote and fix a recurring typo. ftp-proxy: disable NPF bits for now; it will be re-done. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9.2.6 2012/12/15 23:31:07 riz Exp $ d30 1 a30 1 .Dd December 23, 2012 a100 1 .Pp a103 1 .Pp a287 1 # Also, the interface created, e.g.: ifconfig npflog0 create @ 1.9.2.8 log @Pull up following revision(s) (requested by rmind in ticket #817): usr.sbin/npf/npfctl/npfctl.8: revision 1.12 usr.sbin/npf/npfctl/npf.conf.5: revision 1.27 usr.sbin/npf/npfctl/npf_parse.y: revision 1.18 usr.sbin/npf/npfctl/npf_build.c: revision 1.20 usr.sbin/npf/npfctl/npfctl.c: revision 1.28 lib/libnpf/npf.c: revision 1.16 usr.sbin/npf/npfctl/npfctl.c: revision 1.29 lib/libnpf/npf.c: revision 1.17 sys/modules/npf/Makefile: revision 1.12 sys/net/npf/npf_rproc.c: revision 1.6 usr.sbin/npf/npftest/README: revision 1.4 sys/net/npf/npf_tableset.c: revision 1.17 sys/net/npf/npf_ctl.c: revision 1.21 sys/net/npf/npf_ctl.c: revision 1.22 usr.sbin/npf/npfctl/npfctl.h: revision 1.25 lib/libnpf/npf.h: revision 1.13 usr.sbin/npf/npftest/npftest.conf: revision 1.2 usr.sbin/npf/npfctl/npfctl.h: revision 1.26 sys/net/npf/npf_ruleset.c: revision 1.17 lib/libnpf/npf.h: revision 1.14 sys/net/npf/npf_ruleset.c: revision 1.18 sys/net/npf/npf_conf.c: revision 1.1 usr.sbin/npf/npfctl/npf_scan.l: revision 1.10 sys/net/npf/npf_conf.c: revision 1.2 sys/net/npf/npf_instr.c: revision 1.16 sys/net/npf/npf_handler.c: revision 1.26 sys/net/npf/npf_impl.h: revision 1.26 usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14 sys/net/npf/npf_processor.c: revision 1.15 sys/net/npf/npf_impl.h: revision 1.27 sys/net/npf/npf_alg_icmp.c: revision 1.15 usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15 usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16 sys/net/npf/npf_ncode.h: revision 1.11 sys/net/npf/files.npf: revision 1.10 usr.sbin/npf/npftest/Makefile: revision 1.4 usr.sbin/npf/npfctl/npfctl.c: revision 1.30 lib/libnpf/npf.3: revision 1.8 usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4 sys/net/npf/npf_session.c: revision 1.21 usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5 usr.sbin/npf/npfctl/npf_build.c: revision 1.18 usr.sbin/npf/npfctl/npf_build.c: revision 1.19 sys/net/npf/npf_alg.c: revision 1.7 usr.sbin/npf/npfctl/Makefile: revision 1.10 sys/net/npf/npf_inet.c: revision 1.21 sys/net/npf/npf.h: revision 1.26 sys/net/npf/npf.h: revision 1.27 usr.sbin/pf/ftp-proxy/Makefile: revision 1.8 sys/net/npf/npf_nat.c: revision 1.19 sys/net/npf/npf.c: revision 1.15 sys/net/npf/npf_state.c: revision 1.14 sys/net/npf/npf_sendpkt.c: revision 1.14 sys/rump/net/lib/libnpf/Makefile: revision 1.4 IPv6 linklocal address printing cosmetics NPF: - Implement dynamic NPF rules. Controlled through npf(3) library of via npfctl rule command. A rule can be removed using a unique identifier, returned on addition, or using a key which is SHA1 hash of the rule. Adjust npftest and add a regression test. - Improvements to rule inspection mechanism. - Initial BPF support as an alternative to n-code. - Minor fixes; bump the version. Disable -DWITH_NPF for now; will be converted to BPF mechanism. - Fix NPF config reload with dynamic rules present. - Implement list and flush commands on a dynamic ruleset. Allow filtering on IP addresses even if the L4 protocol is unknown. Patch from spz@@. npftest: adjust for recent change. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9.2.7 2013/01/07 16:51:07 riz Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2013 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd January 11, 2013 d206 1 a206 1 ; Syntax of a single line. Lines can be separated by LF (\\n) or @ 1.9.2.9 log @Pull up following revision(s) (requested by rmind in ticket #852): usr.sbin/npf/npfctl/npf.conf.5: revision 1.28 usr.sbin/npf/npfctl/npf_parse.y: revision 1.19 usr.sbin/npf/npfctl/npf_parse.y: revision 1.20 usr.sbin/npf/npfctl/npfctl.c: revision 1.32 Fix the example (deja vu?). deal with strings as interfaces centralize error handling and print what went wrong instead of "ioctl" handle port "ftp-data" @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.9.2.8 2013/02/11 21:49:47 riz Exp $ d286 1 a286 1 map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if port 9022 @ 1.8 log @- Handle NPF rule procedures in the parser and thus re-enable them. - Few small updates to the man page. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.7 2012/01/08 22:14:55 christos Exp $ d159 1 a159 1 [ "on" iface ] [ family "fam-opt" ] [ "proto" \*[Lt]protocol\*[Gt] ] d203 1 a203 1 pass in quick inet proto tcp to $ext_if port ssh apply "log" @ 1.7 log @update. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.6 2011/11/29 01:12:09 riz Exp $ d30 1 a30 1 .Dd January 6, 2012 d83 1 a83 1 .Ss Rule procedures and normalization d90 3 a92 3 traffic normalization and packet logging. Packet normalization has the following functionality: IP ID randomization, IP_DF flag cleansing, TCP minimum TTL enforcement, d94 1 a94 1 If a matching rule is going to drop the packet, normalization functions d97 6 d159 2 a160 3 [ "on" iface ] [ "inet" | "inet6" ] [ "proto" \*[Lt]protocol\*[Gt] ] ( "all" | filt-opts [ "flags" \*[Lt]tcp_flags> \*[Gt] ) [ "keep state" ] [ "apply" rproc } d162 1 @ 1.6 log @Remove quotes from "hash" and "tree" in the table examples so the example stands a chance of actually working as written. There appear to be other problems, too. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.5 2011/03/22 07:31:42 jruoho Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2011 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd March 22, 2011 d144 1 a144 1 op = ( "log" iface | "normalize" "(" norm-opt1 "," norm-opt2 ... ")" ) d158 3 a160 3 filt-opts = [ "from" ( iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt] ) port-opts ] [ "to" ( iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt] ) port-opts ] port-opts = [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] ":" \*[Lt]port-to\*[Gt] | def ) ] d174 2 a175 2 ext_if = "wm0" int_if = "wm1" d177 2 a178 2 services_tcp = "{ http, https, smtp, domain, 6000 }" services_udp = "{ domain, ntp, 6000 }" d180 2 a181 2 table "1" type hash file "/etc/npf_blacklist" table "2" type tree dynamic d186 1 a186 1 log npflog0 d190 1 a190 1 normalize (random-id) d200 2 a201 2 pass in quick proto tcp to $ext_if port 49151:65535 # Passive FTP pass in quick proto udp to $ext_if port 33434:33600 # Traceroute @ 1.5 log @Use .Ss for non-standard subtitles in the DESCRIPTION. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.4 2011/02/02 02:20:25 rmind Exp $ d180 2 a181 2 table "1" type "hash" file "/etc/npf_blacklist" table "2" type "tree" dynamic @ 1.5.4.1 log @sync with head @ text @d1 1 a1 1 .\" $NetBSD$ d3 1 a3 1 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd February 5, 2012 d83 1 a83 1 .Ss Rule procedures and normalisation d90 3 a92 3 traffic normalisation and packet logging. Packet normalisation has the following functionality: IP ID randomisation, IP_DF flag cleansing, TCP minimum TTL enforcement, d94 1 a94 1 If a matching rule is going to drop the packet, normalisation functions a96 6 Note that the logging interface has to be created manually, using .Xr ifconfig 8 routine, for example: .Pp ifconfig npflog0 create .Pp d144 1 a144 1 op = ( "log" iface | "normalise" "(" norm-opt1 "," norm-opt2 ... ")" ) d153 3 a155 2 [ "on" iface ] [ "family" fam-opt ] [ "proto" \*[Lt]protocol\*[Gt] ] ( "all" | filt-opts ) [ "keep state" ] [ "apply" rproc ] } a156 1 fam-opt = [ "inet" | "inet6" ] d158 3 a160 3 filt-addr = iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt] port-opts = [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] "-" \*[Lt]port-to\*[Gt] | def ) ] filt-opts = [ "from" filt-addr [ port-opts ] ] [ "to" filt-addr [ port-opts ] ] d174 2 a175 2 $ext_if = "wm0" $int_if = "wm1" d177 2 a178 2 $services_tcp = { http, https, smtp, domain, 6000 } $services_udp = { domain, ntp, 6000 } d180 2 a181 2 table <1> type hash file "/etc/npf_blacklist" table <2> type tree dynamic d186 1 a186 1 log: npflog0 d190 1 a190 1 normalise: "random-id" d197 1 a197 1 pass in quick family inet proto tcp to $ext_if port ssh apply "log" d200 2 a201 2 pass in quick proto tcp to $ext_if port 49151-65535 # Passive FTP pass in quick proto udp to $ext_if port 33434-33600 # Traceroute @ 1.5.4.2 log @sync with head @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.5.4.1 2012/04/17 00:09:50 yamt Exp $ d30 1 a30 1 .Dd September 30, 2012 d39 8 a46 60 is the default configuration file for the NPF packet filter. .Pp This manual page serves as a reference for editing .Nm . Please refer to the official NPF documentation for comprehensive and in-depth information. .Pp There are multiple structural elements .Nm may contain: .Cd variable and .Cd table definitions (with or without content), abstraction .Cd groups , packet filtering .Cd rules , .Cd map rules for address translation and .Cd procedure definitions to call on filtered packets. The minimal .Nm must contain a mandatory .Cd default group . .Sh SYNTAX .Ss Variables Variables are specified using the dollar ($) sign, which is used both in definitions and uses of a variable. Variables are defined by assigning a value to them as follows: .Bd -literal $var1 = 10.0.0.1 .Ed .Pp A variable may also be defined as a set: .Bd -literal $var2 = { 10.0.0.1, 10.0.0.2 } .Ed .Pp Common variable definitions are for IP addresses, networks, ports, and interfaces. .Ss Tables Tables are specified using a number between angle brackets \*[Lt] and \*[Gt]. The number used to specify a table should be between 0 and 15. The following is an example of table definition: .Bd -literal table <1> type hash dynamic .Pp .Ed Currently, tables support two storage types: "hash" or "tree". They can also be "dynamic" or static i.e. loaded from the specified file. .Pp The file should contain a list of IP addresses and/or networks in the form of: .Bd -literal 10.0.0.0/24 10.1.1.1 .Ed .Pp Tables of type "hash" can only contain IP addresses. d48 7 a54 8 Groups may have the following options: name, interface, and direction. They are defined in the following form: .Pp .Bd -literal group (name "my_group", interface wm0, in) { # List of rules } .Ed d56 78 a133 77 With a rule statement NPF is instructed to .Cd pass or .Cd block a packet depending on packet header information, transit direction and interface it arrives on, either immediately upon match (keyword .Cd final ) or using the last match. The rule can also instruct NPF to create an entry in the state table when passing the packet, to notify the sender when blocking it, and to apply a procedure to the packet (e.g. "log") in either case. .Pp A "fully-featured" rule would for example be: .Bd -literal pass stateful in final family inet proto tcp flags S/SA \\ from $source port $sport to $dest port $dport apply "someproc" .Ed .Pp Any protocol in .Pa /etc/protocols can be specified. Further packet specification at present is limited to protocol TCP understanding flags, TCP and UDP understanding source and destination ports, and ICMP and IPv6-ICMP understanding icmp-type. .Pp Fragments are not selectable since NPF always reassembles packets before further processing. .Ss Map Network Address Translation (NAT) is expressed in a form of segment mapping. At present, only dynamic translation is supported. The following mapping types are available: .Pp .Bl -tag -width <-> -compact .It Pa -> outbound NAT (translation of the source) .It Pa <- inbound NAT (translation of the destination) .It Pa <-> bi-directional NAT (combination of inbound and outbound NAT) .El .Pp The following would translate the source to the IP address specified by the $pub_ip for the packets on the interface $ext_if. .Bd -literal map $ext_if dynamic 10.1.1.0/24 -> $pub_if .Ed .Pp Translations are implicitly filtered by limiting the operation to the network segments specified, that is, translation would be performed only on packets originating from 10.1.1.0/24 network. Explicit filter criteria can be specified using "pass " as an additional option of the mapping. .Ss Procedures A rule procedure is defined as a collection of extension calls (it may have none). Every extension call has a name and a list of options in the form of key-value pairs. Depending on the call, the key might represent the argument and the value might be optional. For example: .Bd -literal procedure "someproc" { log: npflog0 normalise: "random-id", "min-ttl" 64 } .Ed .Pp In this case, the procedure calls the logging and normalisation modules. .Ss Misc Text after a hash .Pq Sq # character is considered a comment. The backslash .Pq Sq \e character at the end of a line marks a continuation line, i.e., the next line is considered an extension of the present line. a134 4 The following is a non-formal BNF-like definition of the grammar. The definition is simplified and is intended to be human readable, therefore it does not strictly represent the full syntax, which is more flexible. d136 1 a136 10 ; Syntax of a single line. Lines can be separated by LF (\n) or ; a semicolon. Comments start with a hash (#) character. syntax = var-def | table-def | map | group | rproc | comment ; Variable definition. Names can be alpha-numeric, including "_" character. var-name = "$" . string interface = interface-name | var-name var-def = var "=" ( var-value | "{" value *[ "," value ] "}" ) d138 2 a139 1 ; Table definition. Table ID shall be numeric. Path is in the double quotes. d141 2 a142 3 table-id = \*[Lt]tid\*[Gt] table-def = "table" table-id "type" ( "hash" | "tree" ) ( "dynamic" | "file" path ) d144 24 a167 36 ; Mapping for address translation. map = "map" interface ( "static" | "dynamic" ) net-seg ( "->" | "<-" | "<->" ) net-seg [ "pass" filt-opts ] ; Rule procedure definition. The name should be in the double quotes. ; ; Each call can have its own options in a form of key-value pairs. ; Both key and values may be strings (either in double quotes or not) ; and numbers, depending on the extension. proc = "procedure" proc-name "{" *( proc-call [ new-line ] ) "}" proc-opts = key " " val [ "," proc-opts ] proc-call = call-name ":" proc-opts new-line ; Group definition and the ruleset. group = "group" "(" ( "default" | group-opts ) ")" "{" ruleset "}" group-opts = [ "name" string ] [ "interface" interface ] [ "in" | "out" ] ruleset = [ rule new-line ] [ ruleset ] rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ] [ "on" iface ] [ "family" fam-opt ] [ "proto" protocol [ proto-opts ] ] ( "all" | filt-opts ) [ "apply" proc-name ] block-opts = "return-rst" | "return-icmp" | "return" fam-opt = "inet" | "inet6" proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] | "icmp-type" type [ "code" icmp-code ] addr-mask = addr [ "/" mask ] filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ] filt-addr = [ interface | var-name | addr-mask | table-id | "any" ] filt-port = "port" ( port-num | port-from "-" port-to | var-name ) d171 1 a171 1 .Bl -tag -width /usr/share/examples/npf -compact a175 2 .It Pa /usr/share/examples/npf directory containing further examples d183 3 d189 1 a189 8 $services_tcp = { http, https, smtp, domain, 6000, 9022 } $services_udp = { domain, ntp, 6000 } $localnet = { 10.1.1.0/24 } # Note: if $ext_if has multiple IP address (e.g. IPv6 as well), # then the translation address has to be specified explicitly. map $ext_if dynamic 10.1.1.0/24 -> $ext_if map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if 9022 d195 4 d200 2 a201 1 pass stateful out final from $ext_if d203 5 a207 6 block in final from \*[Lt]1\*[Gt] pass stateful in final family inet proto tcp to $ext_if port ssh apply "log" pass stateful in final proto tcp to $ext_if port $services_tcp pass stateful in final proto udp to $ext_if port $services_udp pass stateful in final proto tcp to $ext_if port 49151-65535 # Passive FTP pass stateful in final proto udp to $ext_if port 33434-33600 # Traceroute d212 2 a213 2 pass in final from \*[Lt]2\*[Gt] pass out final all a216 1 pass final on lo0 all a226 3 .Sh AUTHORS NPF was designed and implemented by .An Mindaugas Rasiukevicius . @ 1.5.4.3 log @sync with (a bit old) head @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.5.4.2 2012/10/30 19:00:43 yamt Exp $ d30 1 a30 1 .Dd December 6, 2012 a98 12 .Ss Interfaces Interfaces can be specified as the values of the variables: .Bd -literal $pub_if_list = { ifnet(wm0), ifnet(wm1) } .Ed In the context of filtering, an interface provides a list of its all IP addresses, including IPv4 and IPv6. Specific interface addresses can be selected by the family, e.g.: .Bd -literal $pub_if4 = inet4(wm0) $pub_if6 = { inet6(wm0) } .Ed d154 1 a154 1 map $ext_if dynamic 10.1.1.0/24 -> $pub_ip d259 2 a260 2 $ext_if = ifnet(wm0) $int_if = ifnet(wm1) a274 1 # Note: npf_ext_log kernel module should be loaded, if not built-in. d279 1 a279 1 pass stateful out final all @ 1.5.4.4 log @sync with head @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.5.4.3 2013/01/16 05:34:10 yamt Exp $ d30 1 a30 1 .Dd December 23, 2012 a100 1 .Pp a103 1 .Pp a287 1 # Also, the interface created, e.g.: ifconfig npflog0 create @ 1.5.4.5 log @sync with head. for a reference, the tree before this commit was tagged as yamt-pagecache-tag8. this commit was splitted into small chunks to avoid a limitation of cvs. ("Protocol error: too many arguments") @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.5.4.4 2013/01/23 00:06:43 yamt Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd February 14, 2014 d81 1 a81 1 Tables are specified using a name between angle brackets d83 1 d86 1 a86 1 table type hash dynamic d89 1 a89 1 Currently, tables support three storage types: "hash", "tree", or "cdb". d98 1 a98 2 Tables of type "hash" and "cdb" can only contain IP addresses. Also, the latter can only be static. d103 1 a103 1 $pub_if_list = { inet4(wm0), inet4(wm1) } d111 1 a111 1 $pub_if46 = { inet4(wm0), inet6(wm0) } d118 1 a118 1 group "my-name" in on wm0 { d137 1 a137 1 pass stateful in final family inet4 proto tcp flags S/SA \\ a148 7 Alternatively, NPF supports .Xr pcap-filter 7 syntax, for example: .Bd -literal block out final pcap-filter "tcp and dst 10.1.1.252" .Ed .Pp d153 1 a153 1 The translation may be dynamic (stateful) or static (stateless). d187 1 a187 1 normalize: "random-id", "min-ttl" 64 d206 1 a206 1 ; Syntax of a single line. Lines can be separated by LF (\\n) or d219 2 a220 2 table-id = \*[Lt]table-name\*[Gt] table-def = "table" table-id "type" ( "hash" | "tree" | "cdb" ) d225 1 a225 2 map = "map" interface ( "static" [ "algo" algorithm ] | "dynamic" ) d239 1 a239 1 ; Group definition and the rule list. d241 8 a248 13 group = "group" ( "default" | group-opts ) "{" rule-list "}" group-opts = name-string [ "in" | "out" ] [ "on" interface ] rule-list = [ rule new-line ] rule-list npf-filter = [ "family" family-opt ] [ "proto" protocol [ proto-opts ] ] ( "all" | filt-opts ) static-rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ] [ "on" interface ] ( npf-filter | "pcap-filter" pcap-filter-expr ) [ "apply" proc-name ] dynamic-ruleset = "ruleset" group-opts rule = static-rule | dynamic-ruleset d251 1 a251 1 family-opt = "inet4" | "inet6" d273 2 a274 2 $ext_if = { inet4(wm0), inet6(wm0) } $int_if = { inet4(wm1), inet6(wm1) } d276 2 a277 2 table type hash file "/etc/npf_blacklist" table type tree dynamic d286 1 a286 1 map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if port 9022 d294 1 a294 1 group "external" on $ext_if { d297 2 a298 2 block in final from \*[Lt]blacklist\*[Gt] pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log" d305 1 a305 1 group "internal" on $int_if { d307 1 a307 4 block in final from \*[Lt]limited\*[Gt] # Ingress filtering as per BCP 38 / RFC 2827. pass in final from $localnet d311 1 a311 1 group default { d318 2 a319 3 .Xr bpf 4 , .Xr pcap-filter 7 , .Xr npfctl 8 @ 1.4 log @NPF checkpoint: - Add libnpf(3) - a library to control NPF (configuration, ruleset, etc). - Add NPF support for ftp-proxy(8). - Add rc.d script for NPF. - Convert npfctl(8) to use libnpf(3) and thus make it less depressive. Note: next clean-up step should be a parser, once dholland@@ will finish it. - Add more documentation. - Various fixes. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.3 2011/01/18 20:33:45 rmind Exp $ d30 1 a30 1 .Dd February 2, 2011 d41 1 a41 1 .Sh DEFINITIONS d47 1 a47 1 .Sh GROUPS d55 1 a55 1 .Sh RULES d83 1 a83 1 .Sh RULE PROCEDURES AND NORMALIZATION d97 1 a97 1 .Sh NAT d114 1 a114 1 .Sh TABLES @ 1.3 log @NPF checkpoint: - Add the concept of rule procedure: separate normalization, logging and potentially other functions from the rule structure. Rule procedure can be shared amongst the rules. Separation is both at kernel level (npf_rproc_t) and configuration ("procedure" + "apply"). - Fix portmap sharing for NAT policy. - Update TCP state tracking logic. Use TCP FSM definitions. - Add if_byindex(), OK by matt@@. Use in logging for the lookup. - Fix traceroute ALG and many other bugs; misc clean-up. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.2 2010/09/16 04:53:27 rmind Exp $ d30 1 a30 1 .Dd January 18, 2011 d59 2 a60 2 traffic direction, protocol, IPv4 address or network, and TCP/UDP port or range. d73 8 d83 31 a126 5 .Sh NAT Special rules for Network Address Translation (NAT) can be added. Translation is performed on specified interface, assigning a specified address of said interface. Minimal filtering criteria on local network and destination are provided. @ 1.3.2.1 log @Sync with HEAD @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.4 2011/02/02 02:20:25 rmind Exp $ d30 1 a30 1 .Dd February 2, 2011 d59 2 a60 2 traffic direction, protocol, IPv4 address or network, TCP/UDP port or range, TCP flags, and ICMP type/code. a72 8 Stateful filtering is supported using the "keep state" keyword. In such cases, state (a session) is created and any further packets of the connection are tracked. Packets in backwards stream, after having been confirmed to belong to the same connection, are passed without ruleset inspection. Rules may have associated rule procedures (described in a later section), which are applied for all packets of a connection. .Pp a74 31 .Sh RULE PROCEDURES AND NORMALIZATION Rule procedures are provided to perform packet transformations and various additional procedures on the packets. It should be noted that rule procedures are applied for the connections, that is, both for packets which match the rule and for further packets of the connection, which are passed without ruleset inspection. Currently, two facilities are supported: traffic normalization and packet logging. Packet normalization has the following functionality: IP ID randomization, IP_DF flag cleansing, TCP minimum TTL enforcement, and maximum MSS enforcement ("MSS clamping"). If a matching rule is going to drop the packet, normalization functions are not performed. Packet logging is performed both in packet passing and blocking cases. .Sh NAT Rules for address translation can be added. Translation is performed on the specified interface, assigning the specified address of said interface. There are three types of translation: Network Address Port Translation (NAPT) - a regular NAT, also known as "outbound NAT"; Port forwarding (redirection) - also known as "inbound NAT"; Bi-directional NAT - a combination of inbound and outbound NAT. .Pp Minimal filtering criteria on local network and destination are provided. Note that address translation implies routing, therefore IP forwarding is required to be enabled: net.inet.ip.forwarding = 1. See .Xr sysctl 7 for more details. d88 5 @ 1.2 log @NPF checkpoint: - Add support for bi-directional NAT and redirection / port forwarding. - Finish filtering on ICMP type/code and add filtering on TCP flags. - Add support for TCP reset (RST) or ICMP destination unreachable on block. - Fix a bunch of bugs; misc cleanup. @ text @d1 1 a1 1 .\" $NetBSD: npf.conf.5,v 1.1 2010/08/24 23:55:05 rmind Exp $ d3 1 a3 1 .\" Copyright (c) 2009-2010 The NetBSD Foundation, Inc. d30 1 a30 1 .Dd September 16, 2010 d40 1 a40 1 It can contain definitions, grouped rules, and tables. d96 1 a96 1 line = ( def | table | nat | group ) d98 1 a98 1 def = ( \*[Lt]name\*[Gt] "=" "{ a, b, ... }" | "text" | "$\*[Lt]interface\*[Gt]" ) d108 6 a113 1 group = "group" "(" ( "default" | group-opts ) "") ruleset d118 1 a118 1 rule = ( "block" block-opts | "pass" ) [ "in" | out" ] rule-opts d121 1 a123 1 rule-opts = [ "log" ] [ "count" ] [ "quick" ] d149 9 a157 1 nat $ext_if from 192.168.0.0/24 to 0.0.0.0/0 -> $ext_if d161 1 a161 1 pass out quick from $ext_if keep state d163 1 a163 1 pass in log quick inet proto tcp to $ext_if port ssh d177 1 a177 1 block all @ 1.1 log @Move npf.conf(5-8) into the correct section, hence npf.conf(5). @ text @d1 1 a1 1 .\" $NetBSD$ d30 1 a30 1 .Dd August 24, 2010 d98 1 a98 1 def = ( "{ a, b, ... }" | "text" | "$\*[Lt]interface\*[Gt]" ) d104 3 a106 1 nat = "nat" iface "from" \*[Lt]addr/mask\*[Gt] "to" \*[Lt]addr/mask\*[Gt] "->" \*[Lt]addr\*[Gt] d113 1 a113 1 rule = ( "block" | "pass" ) [ "in" | out" ] rule-opts d115 1 a115 1 ( "all" | filt-opts ) d117 1 d122 1 @