Source-Changes-HG archive
[src/trunk]: src/usr.sbin/npf/npfd add man page, lint cleanups.
details: https://anonhg.NetBSD.org/src/rev/48d02fa904f5
branches: trunk
changeset: 350201:48d02fa904f5
user: christos <christos%NetBSD.org@localhost>
date: Sat Jan 07 16:48:03 2017 +0000
description:
add man page, lint cleanups.
diffstat:
usr.sbin/npf/npfd/Makefile | 6 +-
usr.sbin/npf/npfd/npfd.8 | 244 +++++++++++++++++++++++++++++++++++++++++++
usr.sbin/npf/npfd/npfd.c | 5 +-
usr.sbin/npf/npfd/npfd_log.c | 10 +-
4 files changed, 254 insertions(+), 11 deletions(-)
diffs (truncated from 344 to 300 lines):
diff -r d5d89acad005 -r 48d02fa904f5 usr.sbin/npf/npfd/Makefile
--- a/usr.sbin/npf/npfd/Makefile Sat Jan 07 16:36:54 2017 +0000
+++ b/usr.sbin/npf/npfd/Makefile Sat Jan 07 16:48:03 2017 +0000
@@ -1,12 +1,11 @@
-# $NetBSD: Makefile,v 1.4 2017/01/06 19:20:24 christos Exp $
+# $NetBSD: Makefile,v 1.5 2017/01/07 16:48:03 christos Exp $
#
# Public Domain
#
-NOMAN=
PROG= npfd
+MAN= npfd.8
-DBG=-g
SRCS= npfd.c npfd_log.c
CPPFLAGS+= -I${.CURDIR}
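Review bot: the removal of `-DBG=-g` is not covered by the commit message ("add man page, lint cleanups"); it looks like a leftover from local debugging, but it changes the build's debug flags for everyone, so it deserves its own mention in the description. The `NOMAN=` to `MAN= npfd.8` switch is correct and matches the new file added below.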
@@ -14,6 +13,5 @@
DPADD+= ${LIBNPF} ${LIBPCAP} ${LIBUTIL}
WARNS= 5
-NOLINT= # disabled deliberately
.include <bsd.prog.mk>
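Review bot: dropping `-NOLINT= # disabled deliberately` re-enables the lint pass under `WARNS= 5`, so the build now depends on the "lint cleanups" in npfd.c and npfd_log.c being complete; the npfd_log.c part of this changeset is cut off in the truncated diff shown here (`diffs (truncated from 344 to 300 lines)`), so it cannot be checked from this page and should be verified with a full `make lint` of the directory.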
diff -r d5d89acad005 -r 48d02fa904f5 usr.sbin/npf/npfd/npfd.8
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/usr.sbin/npf/npfd/npfd.8 Sat Jan 07 16:48:03 2017 +0000
@@ -0,0 +1,244 @@
+.\" $NetBSD: npfd.8,v 1.1 2017/01/07 16:48:03 christos Exp $
+.\" $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $
+.\"
+.\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\"
+.Dd January 5, 2017
+.Dt NPFD 8
+.Os
+.Sh NAME
+.Nm npfd
+.Nd packet filter logging and state synchronization daemon
+.Sh SYNOPSIS
+.Nm npfd
+.Bk -words
+.Op Fl D
+.Op Fl d Ar delay
+.Op Fl f Ar filename
+.Op Fl i Ar interface
+.Op Fl p Ar pidfile
+.Op Fl s Ar snaplen
+.Op Ar expression
+.Ek
+.Sh DESCRIPTION
+.Nm
+is a background daemon which reads packets logged by
+.Xr npf 7
+to an
+.\" .Xr npflog 4
+npflog
+interface, normally
+.Pa npflog0 ,
+and writes the packets to a logfile (normally
+.Pa /var/log/npflog0.pcap )
+in
+.Xr pcap 3
+format, which can be read by
+.Xr tcpdump 8 .
+These logs can be reviewed later using the
+.Fl r
+option of
+.Xr tcpdump 8 ,
+hopefully offline in case there are bugs in the packet parsing code of
+.Xr tcpdump 8 .
+.Pp
+.Nm
+closes and then re-opens the log file when it receives
+.Dv SIGHUP ,
+permitting
+.Xr newsyslog 8
+to rotate logfiles automatically.
+.Dv SIGALRM
+causes
+.Nm
+to flush the current logfile buffers to the disk, thus making the most
+recent logs available.
+The buffers are also flushed every
+.Ar delay
+seconds.
+.Pp
+If the log file contains data after a restart or a
+.Dv SIGHUP ,
+new logs are appended to the existing file.
+If the existing log file was created with a different snaplen,
+.Nm
+temporarily uses the old snaplen to keep the log file consistent.
+.Pp
+.Nm
+tries to preserve the integrity of the log file against I/O errors.
+Furthermore, integrity of an existing log file is verified before
+appending.
+If there is an invalid log file or an I/O error, the log file is moved
+out of the way and a new one is created.
+If a new file cannot be created, logging is suspended until a
+.Dv SIGHUP
+or a
+.Dv SIGALRM
+is received.
+.Pp
+If
+.Dv SIGINFO
+is received, then
+.Nm
+logs capture statistics to
+.Xr syslogd 8 .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl D
+Debugging mode.
+.Nm
+does not disassociate from the controlling terminal.
+.It Fl d Ar delay
+Time in seconds to delay between automatic flushes of the file.
+This may be specified with a value between 5 and 3600 seconds.
+If not specified, the default is 60 seconds.
+.It Fl f Ar filename
+Log output filename.
+Default is
+.Pa /var/log/npflog0.pcap .
+.It Fl i Ar interface
+Specifies the
+npflog
+.\" .Xr if_npflog 4
+interface to use.
+By default,
+.Nm
+will use
+.Ar npflog0 .
+.It Fl p Ar pidfile
+Writes a file containing the process ID of the program.
+The file name has the form
+.Pa /var/run/npfd.pid .
+If the option is not given,
+.Ar pidfile
+defaults to
+.Pa npfd .
+.It Fl s Ar snaplen
+Analyze at most the first
+.Ar snaplen
+bytes of data from each packet rather than the default of 116.
+The default of 116 is adequate for IP, ICMP, TCP, and UDP headers but may
+truncate protocol information for other protocols.
+Other file parsers may desire a higher snaplen.
+.\" .It Fl x
+.\" Check the integrity of an existing log file, and return.
+.It Ar expression
+Selects which packets will be dumped, using the regular language of
+.Xr tcpdump 8 .
+.El
+.Sh FILES
+.Bl -tag -width /var/run/npflog0.pcap -compact
+.It Pa /var/run/npfd.pid
+Process ID of the currently running
+.Nm .
+.It Pa /var/log/npflog0.pcap
+Default log file.
+.El
+.Sh EXAMPLES
+Log specific tcp packets to a different log file with a large snaplen
+(useful with a log-all rule to dump complete sessions):
+.Bd -literal -offset indent
+# npfd -s 1600 -f suspicious.log port 80 and host evilhost
+.Ed
+.Pp
+Log from another
+.\" .Xr pflog 4
+npflog
+interface, excluding specific packets:
+.Bd -literal -offset indent
+# npfd -i npflog3 -f network3.log "not (tcp and port 23)"
+.Ed
+.Pp
+Display binary logs:
+.Bd -literal -offset indent
+# tcpdump -n -e -ttt -r /var/log/npflog0.pcap
+.Ed
+.Pp
+Display the logs in real time (this does not interfere with the
+operation of
+.Nm ) :
+.Bd -literal -offset indent
+# tcpdump -n -e -ttt -i npflog0.pcap
+.Ed
+.Pp
+Tcpdump has been extended to be able to filter on the
+.Ox
+pfloghdr
+structure defined in
+.Ar sys/net/npf/if_npflog.h .
+Tcpdump can restrict the output
+to packets logged on a specified interface, a rule number, a reason,
+a direction, an IP family or an action.
+.Pp
+.Bl -tag -width "ruleset rules " -compact
+.It ip
+Address family equals IPv4.
+.It ip6
+Address family equals IPv6.
+.It ifname kue0
+Interface name equals "kue0".
+.It on kue0
+Interface name equals "kue0".
+.It ruleset rules
+Ruleset name equals "rules".
+.It rulenum 10
+Rule number equals 10.
+.It reason match
+Reason equals match.
+.\" Also accepts "bad-offset", "fragment", "bad-timestamp", "short",
+.\" "normalize", "memory", "congestion", "ip-option", "proto-cksum",
+.\" "state-mismatch", "state-insert", "state-limit", "src-limit",
+.\" and "synproxy".
+.It action pass
+Action equals pass.
+Also accepts "block".
+.It inbound
+The direction was inbound.
+.It outbound
+The direction was outbound.
+.El
+.Pp
+Display the logs in real time of inbound packets that were blocked on
+the wi0 interface:
+.Bd -literal -offset indent
+# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0
+.Ed
+.Sh SEE ALSO
+.Xr pcap 3 ,
+\" .Xr if_npflog 4 ,
+.Xr npf.conf 5 ,
+.Xr newsyslog 8 ,
+.Xr npf 7 ,
+.Xr tcpdump 8
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Nx 8.0 .
+.Sh AUTHORS
+This manual page was written by
+.An Can Erkin Acar Aq Mt canacar%openbsd.org@localhost .
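Review bot: the SEE ALSO entry `\" .Xr if_npflog 4 ,` is missing its leading dot, so it is not a roff comment like the other `.\" .Xr if_npflog 4` lines in this file and will render as literal text inside the cross-reference list; it should be `.\" .Xr if_npflog 4 ,`. Two of the examples also name the wrong capture source: `# tcpdump -n -e -ttt -i npflog0.pcap` passes the log file name to `-i`, which takes an interface, so it should read `-i npflog0`, and the final example `-i pflog0 inbound and action block and on wi0` still carries the OpenBSD `pflog0` name rather than `npflog0`. Smaller points: `.Ar sys/net/npf/if_npflog.h` should be `.Pa` since it is a path, and the FILES width `-width /var/run/npflog0.pcap` mixes the pidfile directory with the log file name (the entry itself correctly lists `/var/log/npflog0.pcap`).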
diff -r d5d89acad005 -r 48d02fa904f5 usr.sbin/npf/npfd/npfd.c
--- a/usr.sbin/npf/npfd/npfd.c Sat Jan 07 16:36:54 2017 +0000
+++ b/usr.sbin/npf/npfd/npfd.c Sat Jan 07 16:48:03 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npfd.c,v 1.5 2017/01/06 19:20:24 christos Exp $ */
+/* $NetBSD: npfd.c,v 1.6 2017/01/07 16:48:03 christos Exp $ */
/*-
* Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npfd.c,v 1.5 2017/01/06 19:20:24 christos Exp $");
+__RCSID("$NetBSD: npfd.c,v 1.6 2017/01/07 16:48:03 christos Exp $");
#include <stdio.h>
#include <string.h>
@@ -98,6 +98,7 @@
continue;
syslog(LOG_ERR, "poll failed: %m");
exit(EXIT_FAILURE);
+ /*NOTREACHED*/
case 0:
npfd_log_flush(log);
continue;
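Review bot: the `/*NOTREACHED*/` placed after `exit(EXIT_FAILURE);` is the standard lint annotation to suppress the fall-through warning into `case 0:`; since `exit` is declared `__dead` on NetBSD the compiler already knows control does not continue, so this is purely for lint, which is consistent with re-enabling lint in the Makefile change above.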
diff -r d5d89acad005 -r 48d02fa904f5 usr.sbin/npf/npfd/npfd_log.c