Source-Changes-HG archive
[src/trunk]: src/usr.sbin/npf npfctl: add support for the 'no-ports' flag in ...
details: https://anonhg.NetBSD.org/src/rev/c071d8cee50b
branches: trunk
changeset: 358093:c071d8cee50b
user: rmind <rmind%NetBSD.org@localhost>
date: Sun Dec 10 22:04:41 2017 +0000
description:
npfctl: add support for the 'no-ports' flag in the 'map' statements.
This allows us to create a NAT policy without the port translation.
diffstat:
usr.sbin/npf/npf.7 | 5 +++--
usr.sbin/npf/npfctl/npf.conf.5 | 26 ++++++++++++++++++--------
usr.sbin/npf/npfctl/npf_build.c | 20 ++++++++++++++++----
usr.sbin/npf/npfctl/npf_parse.y | 22 ++++++++++++++--------
usr.sbin/npf/npfctl/npf_scan.l | 3 ++-
usr.sbin/npf/npfctl/npf_show.c | 8 +++++---
usr.sbin/npf/npfctl/npfctl.8 | 7 ++++---
usr.sbin/npf/npfctl/npfctl.h | 4 ++--
usr.sbin/npf/npfctl/todo | 7 -------
9 files changed, 64 insertions(+), 38 deletions(-)
diffs (truncated from 330 to 300 lines):
diff -r 1728c8f9a8f6 -r c071d8cee50b usr.sbin/npf/npf.7
--- a/usr.sbin/npf/npf.7 Sun Dec 10 21:38:26 2017 +0000
+++ b/usr.sbin/npf/npf.7 Sun Dec 10 22:04:41 2017 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.7,v 1.3 2015/07/12 23:54:43 rmind Exp $
+.\" $NetBSD: npf.7,v 1.4 2017/12/10 22:04:41 rmind Exp $
.\"
.\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -78,7 +78,8 @@
.Xr bpfjit 4 ,
.Xr npf.conf 5 ,
.Xr pcap-filter 7 ,
-.Xr npfctl 8
+.Xr npfctl 8 ,
+.Xr npfd 8
.Pp
.Lk http://www.netbsd.org/~rmind/npf/ "NPF documentation"
.Sh HISTORY
diff -r 1728c8f9a8f6 -r c071d8cee50b usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5 Sun Dec 10 21:38:26 2017 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5 Sun Dec 10 22:04:41 2017 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.conf.5,v 1.49 2017/07/03 21:35:31 wiz Exp $
+.\" $NetBSD: npf.conf.5,v 1.50 2017/12/10 22:04:41 rmind Exp $
.\"
.\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 19, 2017
+.Dd December 10, 2017
.Dt NPF.CONF 5
.Os
.Sh NAME
@@ -233,6 +233,14 @@
.Ed
.Pp
In this case, the procedure calls the logging and normalisation modules.
+The logging facility requires the npf_ext_log kernel module which would
+normally get auto-loaded by NPF.
+The specified npflog interface would also be auto-created once the
+configuration is loaded.
+The log packets can be written to a file using the
+.Xr npfd 8
+daemon.
+.Pp
Traffic normalisation has a set of different mechanisms.
In the example above, the normalisation procedure has arguments which
apply the following mechanisms: IPv4 ID randomisation, Don't Fragment (DF)
@@ -248,8 +256,7 @@
.Sh GRAMMAR
The following is a non-formal BNF-like definition of the grammar.
The definition is simplified and is intended to be human readable,
-therefore it does not strictly represent the full syntax, which
-is more flexible.
+therefore it does not strictly represent the formal grammar.
.Bd -literal
; Syntax of a single line. Lines can be separated by LF (\\n) or
; a semicolon. Comments start with a hash (#) character.
@@ -279,10 +286,13 @@
; Mapping for address translation.
map = "map" interface
- ( "static" [ "algo" algorithm ] | "dynamic" ) [ proto ]
+ ( "static" [ "algo" algorithm ] | "dynamic" )
+ [ map-flags ] [ proto ]
net-seg ( "->" | "<-" | "<->" ) net-seg
[ "pass" [ proto ] filt-opts ]
+map-flags = "no-ports"
+
; Rule procedure definition. The name should be in the double quotes.
;
; Each call can have its own options in a form of key-value pairs.
@@ -352,8 +362,7 @@
map $ext_if dynamic proto tcp 10.1.1.2 port 22 <- $ext_if port 9022
procedure "log" {
- # Note: npf_ext_log kernel module should be loaded, if not built-in.
- # Also, the interface created, e.g.: ifconfig npflog0 create
+ # The logging facility can be used together with npfd(8).
log: npflog0
}
@@ -387,7 +396,8 @@
.Xr bpf 4 ,
.Xr npf 7 ,
.Xr pcap-filter 7 ,
-.Xr npfctl 8
+.Xr npfctl 8 ,
+.Xr npfd 8
.Sh HISTORY
NPF first appeared in
.Nx 6.0 .
diff -r 1728c8f9a8f6 -r c071d8cee50b usr.sbin/npf/npfctl/npf_build.c
--- a/usr.sbin/npf/npfctl/npf_build.c Sun Dec 10 21:38:26 2017 +0000
+++ b/usr.sbin/npf/npfctl/npf_build.c Sun Dec 10 22:04:41 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $ */
+/* $NetBSD: npf_build.c,v 1.45 2017/12/10 22:04:41 rmind Exp $ */
/*-
* Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.44 2017/01/19 20:18:17 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.45 2017/12/10 22:04:41 rmind Exp $");
#include <sys/types.h>
#include <sys/mman.h>
@@ -493,7 +493,7 @@
attr |= attr_di;
}
/* Allow only "in/out" attributes. */
- attr = NPF_RULE_GROUP | NPF_RULE_GROUP | (attr & attr_di);
+ attr = NPF_RULE_GROUP | NPF_RULE_DYNAMIC | (attr & attr_di);
rl = npf_rule_create(name, attr, ifname);
npf_nat_insert(npf_conf, rl, NPF_PRI_LAST);
}
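Review bot: Replacing the duplicated `NPF_RULE_GROUP` with `NPF_RULE_DYNAMIC` on the `attr =` line changes the attributes given to the NAT rule group, which is a behaviour change unrelated to the `no-ports` flag and not mentioned in the commit description; it deserves a sentence there so the change can be found from the log. The comment above the line now describes only part of the statement; if NPF_RULE_DYNAMIC marks the group as modifiable at run time, something like `/* NAT rules go into a dynamic group; allow only "in/out" attributes. */` would explain it. The enclosing function starts outside the hunk, so whether anything relied on the group previously lacking that attribute cannot be judged from here.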
@@ -594,6 +594,11 @@
nl_nat_t *nat;
if (ap->ap_portrange) {
+ /*
+ * The port forwarding case. In such case, there has to
+ * be a single port used for translation; we keep the port
+ * translation on, but disable the port map.
+ */
port = npfctl_get_singleport(ap->ap_portrange);
flags &= ~NPF_NAT_PORTMAP;
flags |= NPF_NAT_PORTS;
@@ -615,7 +620,7 @@
* npfctl_build_natseg: validate and create NAT policies.
*/
void
-npfctl_build_natseg(int sd, int type, const char *ifname,
+npfctl_build_natseg(int sd, int type, unsigned mflags, const char *ifname,
const addr_port_t *ap1, const addr_port_t *ap2, const opt_proto_t *op,
const filt_opts_t *fopts, u_int algo)
{
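Review bot: The new `mflags` parameter is not described in the function's header comment, and its meaning is easy to misread: the parser's `map_flags` rule yields `NPF_NAT_PORTS` for the `no-ports` keyword, and the following hunk uses that bit to clear `NPF_NAT_PORTS | NPF_NAT_PORTMAP`, so `mflags` is a mask of NAT flags to turn off rather than flags to set. Extend the header comment with a line such as ` * mflags: NAT flags to clear, as produced by the map-flags grammar rule ("no-ports" => NPF_NAT_PORTS).` Only that one bit is honoured and any other bit is silently ignored, which should either be stated there or rejected. npfctl_build_natseg's body continues outside the hunk.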
@@ -651,6 +656,13 @@
}
/*
+ * Apply the flag modifications.
+ */
+ if (mflags & NPF_NAT_PORTS) {
+ flags &= ~(NPF_NAT_PORTS | NPF_NAT_PORTMAP);
+ }
+
+ /*
* Validate the mappings and their configuration.
*/
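Review bot: The `no-ports` handling clears `NPF_NAT_PORTS` and `NPF_NAT_PORTMAP` from `flags`, but the earlier hunk in this file (around line 594) sets `flags |= NPF_NAT_PORTS` whenever a segment carries a port range; if, as the file layout suggests, that helper is reached from npfctl_build_natseg after this block, a rule combining `no-ports` with a port specification silently re-enables the port translation the administrator asked to disable. The two are contradictory and the safer behaviour is to reject the combination up front, e.g. `if ((mflags & NPF_NAT_PORTS) && (ap1->ap_portrange || ap2->ap_portrange)) yyerror("no-ports cannot be combined with a port specification");`, or at least to document in npf.conf.5 which one wins. The function's body continues outside the hunk.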
diff -r 1728c8f9a8f6 -r c071d8cee50b usr.sbin/npf/npfctl/npf_parse.y
--- a/usr.sbin/npf/npfctl/npf_parse.y Sun Dec 10 21:38:26 2017 +0000
+++ b/usr.sbin/npf/npfctl/npf_parse.y Sun Dec 10 22:04:41 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_parse.y,v 1.45 2017/12/03 23:48:03 mlelstv Exp $ */
+/* $NetBSD: npf_parse.y,v 1.46 2017/12/10 22:04:41 rmind Exp $ */
/*-
* Copyright (c) 2011-2017 The NetBSD Foundation, Inc.
@@ -124,6 +124,7 @@
%token IFADDRS
%token INTERFACE
%token MAP
+%token NO_PORTS
%token MINUS
%token NAME
%token NPT66
@@ -172,7 +173,7 @@
%type <num> port, opt_final, number, afamily, opt_family
%type <num> block_or_pass, rule_dir, group_dir, block_opts
%type <num> maybe_not, opt_stateful, icmp_type, table_type
-%type <num> map_sd, map_algo, map_type
+%type <num> map_sd, map_algo, map_flags, map_type
%type <var> static_ifaddrs, addr_or_ifaddr
%type <var> port_range, icmp_type_and_code
%type <var> filt_addr, addr_and_mask, tcp_flags, tcp_flags_and_mask
@@ -337,6 +338,11 @@
| { $$ = 0; }
;
+map_flags
+ : NO_PORTS { $$ = NPF_NAT_PORTS; }
+ | { $$ = 0; }
+ ;
+
map_type
: ARROWBOTH { $$ = NPF_NATIN | NPF_NATOUT; }
| ARROWLEFT { $$ = NPF_NATIN; }
@@ -352,18 +358,18 @@
;
map
- : MAP ifref map_sd map_algo mapseg map_type mapseg
+ : MAP ifref map_sd map_algo map_flags mapseg map_type mapseg
PASS opt_proto all_or_filt_opts
{
- npfctl_build_natseg($3, $6, $2, &$5, &$7, &$9, &$10, $4);
+ npfctl_build_natseg($3, $7, $5, $2, &$6, &$8, &$10, &$11, $4);
}
- | MAP ifref map_sd map_algo mapseg map_type mapseg
+ | MAP ifref map_sd map_algo map_flags mapseg map_type mapseg
{
- npfctl_build_natseg($3, $6, $2, &$5, &$7, NULL, NULL, $4);
+ npfctl_build_natseg($3, $7, $5, $2, &$6, &$8, NULL, NULL, $4);
}
- | MAP ifref map_sd map_algo proto mapseg map_type mapseg
+ | MAP ifref map_sd map_algo map_flags proto mapseg map_type mapseg
{
- npfctl_build_natseg($3, $7, $2, &$6, &$8, &$5, NULL, $4);
+ npfctl_build_natseg($3, $8, $5, $2, &$7, &$9, &$6, NULL, $4);
}
| MAP RULESET group_opts
{
diff -r 1728c8f9a8f6 -r c071d8cee50b usr.sbin/npf/npfctl/npf_scan.l
--- a/usr.sbin/npf/npfctl/npf_scan.l Sun Dec 10 21:38:26 2017 +0000
+++ b/usr.sbin/npf/npfctl/npf_scan.l Sun Dec 10 22:04:41 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_scan.l,v 1.25 2017/01/03 01:29:49 rmind Exp $ */
+/* $NetBSD: npf_scan.l,v 1.26 2017/12/10 22:04:41 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -97,6 +97,7 @@
dynamic return TDYNAMIC;
file return TFILE;
map return MAP;
+no-ports return NO_PORTS;
set return SET;
"<->" return ARROWBOTH;
"<-" return ARROWLEFT;
diff -r 1728c8f9a8f6 -r c071d8cee50b usr.sbin/npf/npfctl/npf_show.c
--- a/usr.sbin/npf/npfctl/npf_show.c Sun Dec 10 21:38:26 2017 +0000
+++ b/usr.sbin/npf/npfctl/npf_show.c Sun Dec 10 22:04:41 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_show.c,v 1.24 2017/05/14 21:38:23 christos Exp $ */
+/* $NetBSD: npf_show.c,v 1.25 2017/12/10 22:04:41 rmind Exp $ */
/*-
* Copyright (c) 2013 The NetBSD Foundation, Inc.
@@ -36,7 +36,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_show.c,v 1.24 2017/05/14 21:38:23 christos Exp $");
+__RCSID("$NetBSD: npf_show.c,v 1.25 2017/12/10 22:04:41 rmind Exp $");
#include <sys/socket.h>
#define __FAVOR_BSD
@@ -463,8 +463,10 @@
flags = npf_nat_getflags(nt);
/* Print out the NAT policy with the filter criteria. */
- fprintf(ctx->fp, "map %s %s %s %s %s pass ",
+ fprintf(ctx->fp, "map %s %s %s%s%s %s %s pass ",
ifname, (flags & NPF_NAT_STATIC) ? "static" : "dynamic",
+ "" /* XXX algo, */,
+ (flags & NPF_NAT_PORTS) ? "" : "no-ports ",
seg1, arrow, seg2);
npfctl_print_filter(ctx, rl);
npfctl_print_id(ctx, rl);
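Review bot: The rewritten format string leaves stray spaces in the printed rule: both the algorithm placeholder and the `no-ports` argument sit between two literal spaces, so a policy without `no-ports` prints as `map ifname dynamic  seg1 ...` (two spaces) and one with it prints `no-ports  seg1` (the argument's trailing space plus the literal one). Moving the separator into the optional argument avoids that: `fprintf(ctx->fp, "map %s %s%s%s %s %s %s pass ",` with `(flags & NPF_NAT_PORTS) ? "" : " no-ports",` and the same leading-space convention for the algo placeholder once it is filled in. Since this output is what an operator reads back from `npfctl show` to check the active NAT policy, the `/* XXX algo */` gap also means a static map's algorithm is silently dropped from the displayed rule, which is worth a tracked TODO rather than an inline XXX. The enclosing function starts outside the hunk.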
diff -r 1728c8f9a8f6 -r c071d8cee50b usr.sbin/npf/npfctl/npfctl.8
--- a/usr.sbin/npf/npfctl/npfctl.8 Sun Dec 10 21:38:26 2017 +0000
+++ b/usr.sbin/npf/npfctl/npfctl.8 Sun Dec 10 22:04:41 2017 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: npfctl.8,v 1.19 2016/12/27 20:55:11 christos Exp $
+.\" $NetBSD: npfctl.8,v 1.20 2017/12/10 22:04:41 rmind Exp $
.\"
.\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd December 27, 2016
+.Dd December 10, 2017
.Dt NPFCTL 8
.Os
.Sh NAME
@@ -205,7 +205,8 @@
.Sh SEE ALSO
.Xr bpf 4 ,
.Xr npf.conf 5 ,
-.Xr npf 7
+.Xr npf 7 ,
+.Xr npfd 8
.Sh HISTORY
NPF first appeared in
.Nx 6.0 .
diff -r 1728c8f9a8f6 -r c071d8cee50b usr.sbin/npf/npfctl/npfctl.h
--- a/usr.sbin/npf/npfctl/npfctl.h Sun Dec 10 21:38:26 2017 +0000
+++ b/usr.sbin/npf/npfctl/npfctl.h Sun Dec 10 22:04:41 2017 +0000