Source-Changes-HG archive
[src/trunk]: src/usr.sbin/npf/npfctl Document the "flags" keyword.
details: https://anonhg.NetBSD.org/src/rev/0af43b930106
branches: trunk
changeset: 365462:0af43b930106
user: maxv <maxv%NetBSD.org@localhost>
date: Thu Aug 16 09:46:18 2018 +0000
description:
Document the "flags" keyword.
diffstat:
usr.sbin/npf/npfctl/npf.conf.5 | 27 ++++++++++++++++++++++++---
1 files changed, 24 insertions(+), 3 deletions(-)
diffs (58 lines):
diff -r abdd8ef0767e -r 0af43b930106 usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5 Thu Aug 16 09:21:00 2018 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5 Thu Aug 16 09:46:18 2018 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.conf.5,v 1.56 2018/08/16 09:21:00 maxv Exp $
+.\" $NetBSD: npf.conf.5,v 1.57 2018/08/16 09:46:18 maxv Exp $
.\"
.\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -201,7 +201,7 @@
Fragments are not selectable since NPF always reassembles packets
before further processing.
.Ss Stateful
-Stateful packet inspection is enabled using
+Stateful packet inspection is enabled using the
.Cd stateful
or
.Cd stateful-ends
@@ -213,10 +213,29 @@
In both cases, a full TCP state tracking is performed for TCP connections
and a limited tracking for message-based protocols (UDP and ICMP).
.Pp
+The
+.Cd flags
+keyword can be used in conjunction with the
+.Cd stateful
+keyword to match the packets against specific TCP flags, according to
+the following syntax:
+.Bl -tag -offset indent
+.It flags Ar match[/mask]
+.El
+.Pp
+Where
+.Ar match
+is the set of TCP flags present in the
+.Ar mask
+set, both sets being represented as a string combination of: S (SYN),
+A (ACK), F (FIN), R (RST). The flags that are not present in
+.Ar mask
+are ignored.
+.Pp
By default, a stateful rule implies SYN-only flag check ("flags S/SAFR")
for the TCP packets.
It is not advisable to change this behavior; however,
-it can be overridden with the
+it can be overridden with the aforementioned
.Cd flags
keyword.
.Ss Map
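Review bot: the new paragraph (lines after "The .Cd flags keyword can be used") never states the matching rule, so a reader cannot tell what "flags S/SA" does to the ACK bit; "match" is described only as "the set of TCP flags present in the mask set", which makes it a subset of "mask" but does not say that every flag in mask that is absent from match must be clear (a packet matches when its TCP flags, restricted to mask, equal match). Suggest replacing "is the set of TCP flags present in the mask set" with wording such as "is the set of flags that must be set; any other flag listed in mask must be clear". The syntax line also makes the mask optional ("flags match[/mask]") but the text never says what mask defaults to when it is omitted; add a sentence for that case. Minor mdoc points: ".It flags Ar match[/mask]" passes the brackets and slash as literal text inside the Ar argument, where the usual idiom is to mark the optional part with .Op (and the keyword with .Cm), and "Where" after ".Pp" starts a sentence fragment; attach it to the preceding sentence or begin with "Here,".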
@@ -367,6 +386,8 @@
dynamic-ruleset = "ruleset" group-opts
rule = static-rule | dynamic-ruleset
+tcp-flag-mask = tcp-flags
+tcp-flags = ("S")("A")("F")("R")
proto = "proto" protocol [ proto-opts ]
block-opts = "return-rst" | "return-icmp" | "return"
family-opt = "inet4" | "inet6"
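Review bot: the two new productions are defined but never used; nothing in the grammar shown (the "rule", "proto" or "block-opts" lines) references tcp-flags or tcp-flag-mask, so the "flags match[/mask]" syntax documented in the previous hunk is still absent from the formal grammar. Add a production such as flags-opt = "flags" tcp-flags [ "/" tcp-flag-mask ] and reference it from the rule options. Also ("S")("A")("F")("R") is not the notation the rest of this grammar uses for optional items: "[ proto-opts ]" on the proto line shows the convention is square brackets, so write tcp-flags = [ "S" ] [ "A" ] [ "F" ] [ "R" ]. With that, tcp-flag-mask = tcp-flags is a pure alias; either drop it or keep it only as a readability name.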