NPF: trunk
authorrmind <rmind@NetBSD.org>
Sat, 08 Feb 2014 01:20:09 +0000
branchtrunk
changeset 224473 bd37be841fb5
parent 224472 b463d4c6d43d
child 224474 e30490b8ccf7
NPF: - Adjust the syntax: remove the "inet" keyword in favour of the more explicit "inet4" for the address family, consistent with "inet6" for IPv6. - Adjust and improve the man page a little bit.
usr.sbin/npf/npfctl/npf.conf.5
usr.sbin/npf/npfctl/npf_parse.y
usr.sbin/npf/npfctl/npf_scan.l
usr.sbin/npf/npfctl/npf_show.c
--- a/usr.sbin/npf/npfctl/npf.conf.5	Fri Feb 07 23:45:22 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5	Sat Feb 08 01:20:09 2014 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.37 2014/02/06 07:36:36 wiz Exp $
+.\"    $NetBSD: npf.conf.5,v 1.38 2014/02/08 01:20:09 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd February 6, 2014
+.Dd February 8, 2014
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -134,7 +134,7 @@
 .Pp
 A "fully-featured" rule would for example be:
 .Bd -literal
-pass stateful in final family inet proto tcp flags S/SA \\
+pass stateful in final family inet4 proto tcp flags S/SA \\
 	from $source port $sport to $dest port $dport apply "someproc"
 .Ed
 .Pp
@@ -157,7 +157,7 @@
 before further processing.
 .Ss Map
 Network Address Translation (NAT) is expressed in a form of segment mapping.
-At present, only dynamic translation is supported.
+The translation may be dynamic (stateful) or static (stateless).
 The following mapping types are available:
 .Pp
 .Bl -tag -width <-> -compact
@@ -260,7 +260,7 @@
 rule		= static-rule | dynamic-ruleset
 
 block-opts	= "return-rst" | "return-icmp" | "return"
-family-opt	= "inet" | "inet6"
+family-opt	= "inet4" | "inet6"
 proto-opts	= "flags" tcp-flags [ "/" tcp-flag-mask ] |
 		  "icmp-type" type [ "code" icmp-code ]
 
@@ -285,7 +285,7 @@
 $ext_if = { inet4(wm0), inet6(wm0) }
 $int_if = { inet4(wm1), inet6(wm1) }
 
-table <black> type hash file "/etc/npf_blacklist"
+table <blacklist> type hash file "/etc/npf_blacklist"
 table <limited> type tree dynamic
 
 $services_tcp = { http, https, smtp, domain, 6000, 9022 }
@@ -306,8 +306,8 @@
 group "external" on $ext_if {
 	pass stateful out final all
 
-	block in final from \*[Lt]black\*[Gt]
-	pass stateful in final family inet proto tcp to $ext_if port ssh apply "log"
+	block in final from \*[Lt]blacklist\*[Gt]
+	pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log"
 	pass stateful in final proto tcp to $ext_if port $services_tcp
 	pass stateful in final proto udp to $ext_if port $services_udp
 	pass stateful in final proto tcp to $ext_if port 49151-65535	# Passive FTP
@@ -318,7 +318,7 @@
 	block in all
 	block in final from \*[Lt]limited\*[Gt]
 
-	# Ingress filtering as per RFC 2827.
+	# Ingress filtering as per BCP 38 / RFC 2827.
 	pass in final from $localnet
 	pass out final all
 }
--- a/usr.sbin/npf/npfctl/npf_parse.y	Fri Feb 07 23:45:22 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_parse.y	Sat Feb 08 01:20:09 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_parse.y,v 1.30 2014/02/06 02:51:28 rmind Exp $	*/
+/*	$NetBSD: npf_parse.y,v 1.31 2014/02/08 01:20:09 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -108,7 +108,6 @@
 %token			HASH
 %token			ICMPTYPE
 %token			ID
-%token			IFNET
 %token			IN
 %token			INET4
 %token			INET6
--- a/usr.sbin/npf/npfctl/npf_scan.l	Fri Feb 07 23:45:22 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_scan.l	Sat Feb 08 01:20:09 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_scan.l,v 1.17 2014/02/06 02:51:28 rmind Exp $	*/
+/*	$NetBSD: npf_scan.l,v 1.18 2014/02/08 01:20:09 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -122,7 +122,6 @@
 on			return ON;
 inet6			return INET6;
 inet4			return INET4;
-inet			return INET4;
 proto			return PROTO;
 family			return FAMILY;
 tcp			return TCP;
--- a/usr.sbin/npf/npfctl/npf_show.c	Fri Feb 07 23:45:22 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_show.c	Sat Feb 08 01:20:09 2014 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: npf_show.c,v 1.9 2014/02/07 23:45:22 rmind Exp $	*/
+/*	$NetBSD: npf_show.c,v 1.10 2014/02/08 01:20:09 rmind Exp $	*/
 
 /*-
  * Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.9 2014/02/07 23:45:22 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.10 2014/02/08 01:20:09 rmind Exp $");
 
 #include <sys/socket.h>
 #include <netinet/in.h>
@@ -111,7 +111,7 @@
 
 	switch (af) {
 	case AF_INET:
-		return estrdup("inet");
+		return estrdup("inet4");
 	case AF_INET6:
 		return estrdup("inet6");
 	default:
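Review bot: The family name returned on the changed line is a bare string literal that must stay in lock-step with the keywords the scanner accepts in npf_scan.l (`inet4`, `inet6`), and nothing at this switch says so; this commit is itself a case of the two being kept in sync by hand, since the printer emitted `inet` while the scanner now only recognises `inet4`. A comment above the `switch (af)` would make the contract visible, e.g. `/* Names must match the family keywords in npf_scan.l so printed rules re-parse. */`. Longer term, a single shared table of address-family names consumed by both the scanner and this printer would remove the duplication, though that is beyond this change. The enclosing function starts before the hunk and its `default:` branch continues past it.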