[src/trunk]: src/share/examples/npf Sync some NPF config examples with the re...
details: https://anonhg.NetBSD.org/src/rev/89351bb565e8
branches: trunk
changeset: 326629:89351bb565e8
user: rmind <rmind%NetBSD.org@localhost>
date: Sat Feb 08 01:32:19 2014 +0000
description:
Sync some NPF config examples with reality.
diffstat:
share/examples/npf/host-npf.conf | 38 ++++++++++++++++++------------------
share/examples/npf/soho_gw-npf.conf | 16 +++++++-------
2 files changed, 27 insertions(+), 27 deletions(-)
diffs (153 lines):
diff -r 7069983563b8 -r 89351bb565e8 share/examples/npf/host-npf.conf
--- a/share/examples/npf/host-npf.conf Sat Feb 08 01:20:09 2014 +0000
+++ b/share/examples/npf/host-npf.conf Sat Feb 08 01:32:19 2014 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: host-npf.conf,v 1.5 2013/09/20 17:51:04 spz Exp $
+# $NetBSD: host-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
#
# this is an example of NPF rules for a host (i.e., not routing) with
# two network interfaces, wired and wifi
@@ -36,18 +36,18 @@
# not being picky about our own address here
pass in final family inet6 proto ipv6-icmp all
pass out final family inet6 proto ipv6-icmp all
- pass in final family inet proto icmp all
+ pass in final family inet4 proto icmp all
- pass in final family inet proto tcp \
+ pass in final family inet4 proto tcp \
from $dhcpserver port bootps to $wired_v4 port bootpc
- pass in final family inet proto udp \
+ pass in final family inet4 proto udp \
from $dhcpserver port bootps to $wired_v4 port bootpc
pass in final family inet6 proto tcp to $wired_v6 port ssh
- pass in final family inet proto tcp flags S/SA \
+ pass in final family inet4 proto tcp flags S/SA \
from $backupsrv_v4 to $wired_v4 port $backup_port
- pass in final family inet proto udp \
+ pass in final family inet4 proto udp \
from $backupsrv_v4 to $wired_v4 port $backup_port
pass in final family inet6 proto tcp flags S/SA \
from $backupsrv_v6 to $wired_v6 port $backup_port
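Review bot: The DHCP rules in this hunk pass the bootps→bootpc flow over both tcp and udp, but DHCP only runs over UDP, so the tcp variant never matches legitimate traffic and merely leaves tcp/bootpc on $wired_v4 open to anything sourced from port bootps; the example would be tighter without `pass in final family inet4 proto tcp from $dhcpserver port bootps to $wired_v4 port bootpc`. The wifi group repeats the same pair with `from any`, where the tcp rule is wider still. The enclosing group starts before this hunk.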
@@ -56,21 +56,21 @@
pass stateful in final family inet6 proto udp to $wired_v6 \
port $services_udp
- pass stateful in final family inet proto udp to $wired_v6 \
+ pass stateful in final family inet4 proto udp to $wired_v6 \
port $services_udp
# only SYN packets need to generate state
pass stateful out final family inet6 proto tcp flags S/SA \
from $wired_v6
- pass stateful out final family inet proto tcp flags S/SA \
+ pass stateful out final family inet4 proto tcp flags S/SA \
from $wired_v4
# pass the other tcp packets without generating extra state
pass out final family inet6 proto tcp from $wired_v6
- pass out final family inet proto tcp from $wired_v4
+ pass out final family inet4 proto tcp from $wired_v4
# all other types of traffic, generate state per packet
pass stateful out final family inet6 from $wired_v6
- pass stateful out final family inet from $wired_v4
+ pass stateful out final family inet4 from $wired_v4
}
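Review bot: `pass stateful in final family inet4 proto udp to $wired_v6 port $services_udp` combines an inet4 family with the IPv6 address variable, so at best it never matches and IPv4 UDP services on the wired interface are silently not passed; the destination should be `$wired_v4`, mirroring the inet6 line just above it. The wifi group carries the same mismatch in `pass in final family inet4 proto icmp to $wifi_v6`, which should read `to $wifi_v4`. The enclosing group starts before this hunk.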
@@ -84,36 +84,36 @@
pass out final family inet6 proto ipv6-icmp from ff00::/10
pass in final family inet6 proto ipv6-icmp to $wifi_v6
- pass in final family inet proto icmp to $wifi_v6
+ pass in final family inet4 proto icmp to $wifi_v6
- pass in final family inet proto tcp \
+ pass in final family inet4 proto tcp \
from any port bootps to $wifi_v4 port bootpc
- pass in final family inet proto udp \
+ pass in final family inet4 proto udp \
from any port bootps to $wifi_v4 port bootpc
pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh
pass in final family inet6 proto udp to $wifi_v6 port $services_udp
- pass in final family inet proto udp to $wifi_v4 port $services_udp
+ pass in final family inet4 proto udp to $wifi_v4 port $services_udp
# IPSEC
pass in final family inet6 proto udp to $wifi_v6 port isakmp
- pass in final family inet proto udp to $wifi_v4 port isakmp
+ pass in final family inet4 proto udp to $wifi_v4 port isakmp
pass in family inet6 proto esp all
- pass in family inet proto esp all
+ pass in family inet4 proto esp all
# only SYN packets need to generate state
pass stateful out final family inet6 proto tcp flags S/SA \
from $wifi_v6
- pass stateful out final family inet proto tcp flags S/SA \
+ pass stateful out final family inet4 proto tcp flags S/SA \
from $wifi_v4
# pass the other tcp packets without generating extra state
pass out final family inet6 proto tcp from $wifi_v6
- pass out final family inet proto tcp from $wifi_v4
+ pass out final family inet4 proto tcp from $wifi_v4
# all other types of traffic, generate state per packet
pass stateful out final family inet6 from $wifi_v6
- pass stateful out final family inet from $wifi_v4
+ pass stateful out final family inet4 from $wifi_v4
}
group default {
diff -r 7069983563b8 -r 89351bb565e8 share/examples/npf/soho_gw-npf.conf
--- a/share/examples/npf/soho_gw-npf.conf Sat Feb 08 01:20:09 2014 +0000
+++ b/share/examples/npf/soho_gw-npf.conf Sat Feb 08 01:32:19 2014 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.5 2013/09/20 17:51:04 spz Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
#
# SOHO border
#
@@ -8,14 +8,14 @@
$ext_if = "wm0"
$ext_v4 = inet4(wm0)
-$ext_addrs = { ifnet(wm0) }
+$ext_addrs = { inet4(wm0), inet6(wm0) }
$int_if = "wm1"
# a table to house e.g. block candidates in
-table <1> type hash file "/usr/share/examples/npf/hashtablefile"
-# feed this using "npfctl table 2 add 198.51.100.16/29" f.e.
-table <2> type tree dynamic
+table <block> type hash file "/usr/share/examples/npf/hashtablefile"
+# feed this using e.g.: npfctl table "int-block" add 198.51.100.16/29
+table <int-block> type tree dynamic
$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
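Review bot: The table renamed to `<int-block>` is referenced only by `pass in final from <int-block>` in the internal group (last hunk of this file), so it is an allow-list of internal hosts, yet the new name and the feed comment read as though entries in it are blocked. Either rename it consistently, e.g. `table <int-allow> type tree dynamic` with the matching `npfctl table "int-allow" add ...` comment and the reference in the internal group, or reword the comment to say it lists the hosts admitted from $int_if. Only `<block>` on the line above is actually consumed by a block rule.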
@@ -37,8 +37,8 @@
group "external" on $ext_if {
pass stateful out final all
- block in final from <1>
- pass stateful in final family inet proto tcp to $ext_v4 port ssh \
+ block in final from <block>
+ pass stateful in final family inet4 proto tcp to $ext_v4 port ssh \
apply "log"
pass stateful in final proto tcp to $ext_addrs port $services_tcp
pass stateful in final proto udp to $ext_addrs port $services_udp
@@ -51,7 +51,7 @@
group "internal" on $int_if {
block in all
- pass in final from <2>
+ pass in final from <int-block>
pass out final all
}