[src/trunk]: src/usr.sbin/npf/npfctl NPF:
details: https://anonhg.NetBSD.org/src/rev/7069983563b8
branches: trunk
changeset: 326628:7069983563b8
user: rmind <rmind%NetBSD.org@localhost>
date: Sat Feb 08 01:20:09 2014 +0000
description:
NPF:
- Adjust the syntax: remove the "inet" keyword in favour of the more explicit
"inet4" for the address family. Consistent with "inet6" for IPv6.
- Adjust and improve the man page a little bit.
diffstat:
usr.sbin/npf/npfctl/npf.conf.5 | 18 +++++++++---------
usr.sbin/npf/npfctl/npf_parse.y | 3 +--
usr.sbin/npf/npfctl/npf_scan.l | 3 +--
usr.sbin/npf/npfctl/npf_show.c | 6 +++---
4 files changed, 14 insertions(+), 16 deletions(-)
diffs (135 lines):
diff -r 0ac8d0b3dc89 -r 7069983563b8 usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5 Fri Feb 07 23:45:22 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5 Sat Feb 08 01:20:09 2014 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.conf.5,v 1.37 2014/02/06 07:36:36 wiz Exp $
+.\" $NetBSD: npf.conf.5,v 1.38 2014/02/08 01:20:09 rmind Exp $
.\"
.\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd February 6, 2014
+.Dd February 8, 2014
.Dt NPF.CONF 5
.Os
.Sh NAME
@@ -134,7 +134,7 @@
.Pp
A "fully-featured" rule would for example be:
.Bd -literal
-pass stateful in final family inet proto tcp flags S/SA \\
+pass stateful in final family inet4 proto tcp flags S/SA \\
from $source port $sport to $dest port $dport apply "someproc"
.Ed
.Pp
@@ -157,7 +157,7 @@
before further processing.
.Ss Map
Network Address Translation (NAT) is expressed in a form of segment mapping.
-At present, only dynamic translation is supported.
+The translation may be dynamic (stateful) or static (stateless).
The following mapping types are available:
.Pp
.Bl -tag -width <-> -compact
@@ -260,7 +260,7 @@
rule = static-rule | dynamic-ruleset
block-opts = "return-rst" | "return-icmp" | "return"
-family-opt = "inet" | "inet6"
+family-opt = "inet4" | "inet6"
proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] |
"icmp-type" type [ "code" icmp-code ]
@@ -285,7 +285,7 @@
$ext_if = { inet4(wm0), inet6(wm0) }
$int_if = { inet4(wm1), inet6(wm1) }
-table <black> type hash file "/etc/npf_blacklist"
+table <blacklist> type hash file "/etc/npf_blacklist"
table <limited> type tree dynamic
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
@@ -306,8 +306,8 @@
group "external" on $ext_if {
pass stateful out final all
- block in final from \*[Lt]black\*[Gt]
- pass stateful in final family inet proto tcp to $ext_if port ssh apply "log"
+ block in final from \*[Lt]blacklist\*[Gt]
+ pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log"
pass stateful in final proto tcp to $ext_if port $services_tcp
pass stateful in final proto udp to $ext_if port $services_udp
pass stateful in final proto tcp to $ext_if port 49151-65535 # Passive FTP
@@ -318,7 +318,7 @@
block in all
block in final from \*[Lt]limited\*[Gt]
- # Ingress filtering as per RFC 2827.
+ # Ingress filtering as per BCP 38 / RFC 2827.
pass in final from $localnet
pass out final all
}
diff -r 0ac8d0b3dc89 -r 7069983563b8 usr.sbin/npf/npfctl/npf_parse.y
--- a/usr.sbin/npf/npfctl/npf_parse.y Fri Feb 07 23:45:22 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_parse.y Sat Feb 08 01:20:09 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_parse.y,v 1.30 2014/02/06 02:51:28 rmind Exp $ */
+/* $NetBSD: npf_parse.y,v 1.31 2014/02/08 01:20:09 rmind Exp $ */
/*-
* Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -108,7 +108,6 @@
%token HASH
%token ICMPTYPE
%token ID
-%token IFNET
%token IN
%token INET4
%token INET6
diff -r 0ac8d0b3dc89 -r 7069983563b8 usr.sbin/npf/npfctl/npf_scan.l
--- a/usr.sbin/npf/npfctl/npf_scan.l Fri Feb 07 23:45:22 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_scan.l Sat Feb 08 01:20:09 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_scan.l,v 1.17 2014/02/06 02:51:28 rmind Exp $ */
+/* $NetBSD: npf_scan.l,v 1.18 2014/02/08 01:20:09 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -122,7 +122,6 @@
on return ON;
inet6 return INET6;
inet4 return INET4;
-inet return INET4;
proto return PROTO;
family return FAMILY;
tcp return TCP;
diff -r 0ac8d0b3dc89 -r 7069983563b8 usr.sbin/npf/npfctl/npf_show.c
--- a/usr.sbin/npf/npfctl/npf_show.c Fri Feb 07 23:45:22 2014 +0000
+++ b/usr.sbin/npf/npfctl/npf_show.c Sat Feb 08 01:20:09 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_show.c,v 1.9 2014/02/07 23:45:22 rmind Exp $ */
+/* $NetBSD: npf_show.c,v 1.10 2014/02/08 01:20:09 rmind Exp $ */
/*-
* Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.9 2014/02/07 23:45:22 rmind Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.10 2014/02/08 01:20:09 rmind Exp $");
#include <sys/socket.h>
#include <netinet/in.h>
@@ -111,7 +111,7 @@
switch (af) {
case AF_INET:
- return estrdup("inet");
+ return estrdup("inet4");
case AF_INET6:
return estrdup("inet6");
default:
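Review bot: The new `return estrdup("inet4");` hard-codes the same keyword that npf_scan.l has to accept, and nothing in either file records that the two must agree; if the printed form and the lexer's keyword table drift apart, the configuration that this function helps print would presumably no longer parse when fed back in. Since this commit changes both sides at once, now is the moment to pin that down: I would add `/* Keep in sync with the address-family keywords in npf_scan.l. */` above the `switch (af)`. The `default:` branch is cut off at the end of the hunk, so whatever it does for an unexpected family cannot be reviewed here. The enclosing function both starts before and ends after this hunk.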