Source-Changes-HG archive
[src/netbsd-6]: src Pull up following revision(s) (requested by rmind in tick...
details: https://anonhg.NetBSD.org/src/rev/5b2895a92bfe
branches: netbsd-6
changeset: 775564:5b2895a92bfe
user: riz <riz%NetBSD.org@localhost>
date: Tue Dec 11 04:31:52 2012 +0000
description:
Pull up following revision(s) (requested by rmind in ticket #736):
usr.sbin/npf/npfctl/npf_parse.y: revision 1.17
sys/net/npf/npf_tableset.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.h: revision 1.23
usr.sbin/npf/npfctl/npf_data.c: revision 1.19
usr.sbin/npf/npfctl/npf_build.c: revision 1.15
share/examples/npf/host-npf.conf: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.9
share/examples/npf/soho_gw-npf.conf: revision 1.3
usr.sbin/npf/npfctl/npf_var.h: revision 1.6
usr.sbin/npf/npfctl/npf.conf.5: revision 1.24
npfctl: extend syntax for extracting interface IP address(es) by the family.
adjust to current npf.conf syntax
npf_table_list: avoid triggering assert on diagnostic.
diffstat:
share/examples/npf/host-npf.conf | 67 +++++++++++++++-------------
share/examples/npf/soho_gw-npf.conf | 21 +++++---
sys/net/npf/npf_tableset.c | 7 +-
usr.sbin/npf/npfctl/npf.conf.5 | 22 +++++++--
usr.sbin/npf/npfctl/npf_build.c | 6 +-
usr.sbin/npf/npfctl/npf_data.c | 49 +++++++++-----------
usr.sbin/npf/npfctl/npf_parse.y | 86 +++++++++++++++++++++++++-----------
usr.sbin/npf/npfctl/npf_scan.l | 3 +-
usr.sbin/npf/npfctl/npf_var.h | 6 +-
usr.sbin/npf/npfctl/npfctl.h | 13 ++++-
10 files changed, 169 insertions(+), 111 deletions(-)
diffs (truncated from 706 to 300 lines):
diff -r 9beaafa25b17 -r 5b2895a92bfe share/examples/npf/host-npf.conf
--- a/share/examples/npf/host-npf.conf Tue Dec 11 04:26:26 2012 +0000
+++ b/share/examples/npf/host-npf.conf Tue Dec 11 04:31:52 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: host-npf.conf,v 1.2.4.2 2012/10/01 20:15:34 riz Exp $
+# $NetBSD: host-npf.conf,v 1.2.4.3 2012/12/11 04:31:53 riz Exp $
#
# this is an example of NPF rules for a host (i.e., not routing) with
# two network interfaces, wired and wifi
@@ -7,7 +7,12 @@
# it also does IPSEC on the wifi
#
$wired_if = "wm0"
+$wired_v4 = { inet4(wm0) }
+$wired_v6 = { inet6(wm0) }
+
$wifi_if = "iwn0"
+$wifi_v4 = { inet4(iwn0) }
+$wifi_v6 = { inet6(iwn0) }
$dhcpserver = { 198.51.100.1 }
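Review bot: `$wired_v4 = { inet4(wm0) }` and `$wired_v6 = { inet6(wm0) }` repeat the literal interface name instead of reusing `$wired_if`, so renaming the interface in this example now means editing three places per interface (the same applies to `iwn0` below). If the grammar cannot take a variable inside `inet4()`/`inet6()`, a one-line comment saying so next to these definitions would prevent the two from drifting apart.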
@@ -37,38 +42,38 @@
pass in final family inet proto icmp all
pass in final family inet proto tcp \
- from $dhcpserver port bootps to $wired_if port bootpc
+ from $dhcpserver port bootps to $wired_v4 port bootpc
pass in final family inet proto udp \
- from $dhcpserver port bootps to $wired_if port bootpc
+ from $dhcpserver port bootps to $wired_v4 port bootpc
- pass in final family inet6 proto tcp to $wired_if port ssh
+ pass in final family inet6 proto tcp to $wired_v6 port ssh
pass in final family inet proto tcp flags S/SA \
- from $backupsrv_v4 to $wired_if port $backup_port
+ from $backupsrv_v4 to $wired_v4 port $backup_port
pass in final family inet proto udp \
- from $backupsrv_v4 to $wired_if port $backup_port
+ from $backupsrv_v4 to $wired_v4 port $backup_port
pass in final family inet6 proto tcp flags S/SA \
- from $backupsrv_v6 to $wired_if port $backup_port
+ from $backupsrv_v6 to $wired_v6 port $backup_port
pass in final family inet6 proto udp \
- from $backupsrv_v6 to $wired_if port $backup_port
+ from $backupsrv_v6 to $wired_v6 port $backup_port
- pass stateful in final family inet6 proto udp to $wired_if \
+ pass stateful in final family inet6 proto udp to $wired_v6 \
port $services_udp
- pass stateful in final family inet proto udp to $wired_if \
+ pass stateful in final family inet proto udp to $wired_v6 \
port $services_udp
# only SYN packets need to generate state
pass stateful out final family inet6 proto tcp flags S/SA \
- from $wired_if apply "rid"
+ from $wired_v6 apply "rid"
pass stateful out final family inet proto tcp flags S/SA \
- from $wired_if apply "rid"
+ from $wired_v4 apply "rid"
# pass the other tcp packets without generating extra state
- pass out final family inet6 proto tcp from $wired_if apply "rid"
- pass out final family inet proto tcp from $wired_if apply "rid"
+ pass out final family inet6 proto tcp from $wired_v6 apply "rid"
+ pass out final family inet proto tcp from $wired_v4 apply "rid"
# all other types of traffic, generate state per packet
- pass stateful out final family inet6 from $wired_if apply "rid"
- pass stateful out final family inet from $wired_if apply "rid"
+ pass stateful out final family inet6 from $wired_v6 apply "rid"
+ pass stateful out final family inet from $wired_v4 apply "rid"
}
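Review bot: the replacement at `pass stateful in final family inet proto udp to $wired_v6 \` is wrong: the rule is `family inet`, but `$wired_v6` only holds the interface's IPv6 addresses, so the inbound IPv4 UDP services rule can no longer match anything. It should read `to $wired_v4`, as every other `family inet` rule in this hunk does.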
@@ -81,37 +86,37 @@
pass in final family inet6 proto ipv6-icmp to ff00::/10
pass out final family inet6 proto ipv6-icmp from ff00::/10
- pass in final family inet6 proto ipv6-icmp to $wifi_if
- pass in final family inet proto icmp to $wifi_if
+ pass in final family inet6 proto ipv6-icmp to $wifi_v6
+ pass in final family inet proto icmp to $wifi_v6
pass in final family inet proto tcp \
- from any port bootps to $wifi_if port bootpc
+ from any port bootps to $wifi_v4 port bootpc
pass in final family inet proto udp \
- from any port bootps to $wifi_if port bootpc
+ from any port bootps to $wifi_v4 port bootpc
- pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh
+ pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh
- pass in final family inet6 proto udp to $wifi_if port $services_udp
- pass in final family inet proto udp to $wifi_if port $services_udp
+ pass in final family inet6 proto udp to $wifi_v6 port $services_udp
+ pass in final family inet proto udp to $wifi_v4 port $services_udp
# IPSEC
- pass in final family inet6 proto udp to $wifi_if port isakmp
- pass in final family inet proto udp to $wifi_if port isakmp
+ pass in final family inet6 proto udp to $wifi_v6 port isakmp
+ pass in final family inet proto udp to $wifi_v4 port isakmp
pass in family inet6 proto esp all
pass in family inet proto esp all
# only SYN packets need to generate state
pass stateful out final family inet6 proto tcp flags S/SA \
- from $wifi_if apply "rid"
+ from $wifi_v6 apply "rid"
pass stateful out final family inet proto tcp flags S/SA \
- from $wifi_if apply "rid"
+ from $wifi_v4 apply "rid"
# pass the other tcp packets without generating extra state
- pass out final family inet6 proto tcp from $wifi_if apply "rid"
- pass out final family inet proto tcp from $wifi_if apply "rid"
+ pass out final family inet6 proto tcp from $wifi_v6 apply "rid"
+ pass out final family inet proto tcp from $wifi_v4 apply "rid"
# all other types of traffic, generate state per packet
- pass stateful out final family inet6 from $wifi_if apply "rid"
- pass stateful out final family inet from $wifi_if apply "rid"
+ pass stateful out final family inet6 from $wifi_v6 apply "rid"
+ pass stateful out final family inet from $wifi_v4 apply "rid"
}
group (default) {
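Review bot: the same family mismatch appears here: `pass in final family inet proto icmp to $wifi_v6` pairs `family inet` with the IPv6-only `$wifi_v6`, so inbound IPv4 ICMP to the wifi interface is no longer passed by this rule (the old line used `$wifi_if`, which covered both families). It should be `to $wifi_v4`.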
diff -r 9beaafa25b17 -r 5b2895a92bfe share/examples/npf/soho_gw-npf.conf
--- a/share/examples/npf/soho_gw-npf.conf Tue Dec 11 04:26:26 2012 +0000
+++ b/share/examples/npf/soho_gw-npf.conf Tue Dec 11 04:31:52 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.2.4.2 2012/10/01 20:15:34 riz Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.2.4.3 2012/12/11 04:31:53 riz Exp $
#
# SOHO border
#
@@ -6,6 +6,9 @@
# IPv4 only
#
$ext_if = "wm0"
+$ext_v4 = inet4(wm0)
+$ext_addrs = { ifnet(wm0) }
+
$int_if = "wm1"
# a table to house e.g. block candidates in
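Review bot: the header comment `# IPv4 only` no longer matches the added `$ext_addrs = { ifnet(wm0) }`, which expands to every address on the interface regardless of family. For an IPv4-only example `$ext_v4` alone would do; otherwise the header should say that the address-based rules now cover any family the interface has.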
@@ -20,11 +23,11 @@
# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
-map $ext_if dynamic 198.51.100.0/24 -> $ext_if
+map $ext_if dynamic 198.51.100.0/24 -> $ext_v4
# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
-map $ext_if dynamic 198.51.100.2 port 22 <- $ext_if 9022
+map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 9022
procedure "log" {
log: npflog0
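Review bot: the comment above `map $ext_if dynamic 198.51.100.0/24 -> $ext_v4` still warns about `$ext_if` having IPv6 addresses as well, but the translation address is now `inet4(wm0)`, which already excludes IPv6. The comment should be updated so the remaining case it describes is an interface with more than one IPv4 address.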
@@ -35,18 +38,18 @@
}
group (name "external", interface $ext_if) {
- pass stateful out final from $ext_if apply "rid"
+ pass stateful out final from $ext_addrs apply "rid"
block in final from <1>
- pass stateful in final family inet proto tcp to $ext_if port ssh \
+ pass stateful in final family inet proto tcp to $ext_v4 port ssh \
apply "log"
- pass stateful in final proto tcp to $ext_if port $services_tcp
- pass stateful in final proto udp to $ext_if port $services_udp
+ pass stateful in final proto tcp to $ext_addrs port $services_tcp
+ pass stateful in final proto udp to $ext_addrs port $services_udp
# Passive FTP
- pass stateful in final proto tcp to $ext_if port 49151-65535
+ pass stateful in final proto tcp to $ext_addrs port 49151-65535
# Traceroute
- pass stateful in final proto udp to $ext_if port 33434-33600
+ pass stateful in final proto udp to $ext_addrs port 33434-33600
}
group (name "internal", interface $int_if) {
diff -r 9beaafa25b17 -r 5b2895a92bfe sys/net/npf/npf_tableset.c
--- a/sys/net/npf/npf_tableset.c Tue Dec 11 04:26:26 2012 +0000
+++ b/sys/net/npf/npf_tableset.c Tue Dec 11 04:31:52 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_tableset.c,v 1.9.2.6 2012/11/24 04:34:41 riz Exp $ */
+/* $NetBSD: npf_tableset.c,v 1.9.2.7 2012/12/11 04:31:53 riz Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -41,7 +41,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.9.2.6 2012/11/24 04:34:41 riz Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_tableset.c,v 1.9.2.7 2012/12/11 04:31:53 riz Exp $");
#include <sys/param.h>
#include <sys/types.h>
@@ -575,8 +575,7 @@
if (error)
break;
error = table_tree_list(&t->t_tree[1], 128, ubuf, len, &off);
- if (error)
- break;
+ break;
default:
KASSERT(false);
}
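Review bot: dropping the `if (error)` guard is the actual fix: with it in place, a successful second `table_tree_list()` call fell through into `default: KASSERT(false);`, which is the DIAGNOSTIC assert the commit message refers to. Because the now-unconditional `break;` looks asymmetric next to the `if (error) break;` that remains a few lines above, a short comment such as `/* both trees listed; leave the switch */` would stop someone from "restoring" the guard later.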
diff -r 9beaafa25b17 -r 5b2895a92bfe usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5 Tue Dec 11 04:26:26 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5 Tue Dec 11 04:31:52 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.conf.5,v 1.9.2.4 2012/10/01 20:05:56 riz Exp $
+.\" $NetBSD: npf.conf.5,v 1.9.2.5 2012/12/11 04:31:53 riz Exp $
.\"
.\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd September 30, 2012
+.Dd November 26, 2012
.Dt NPF.CONF 5
.Os
.Sh NAME
@@ -96,6 +96,18 @@
.Ed
.Pp
Tables of type "hash" can only contain IP addresses.
+.Ss Interfaces
+Interfaces can be specified as the values of the variables:
+.Bd -literal
+$pub_if_list = { ifnet(wm0), ifnet(wm1) }
+.Ed
+In the context of filtering, an interface provides a list of its
+all IP addresses, including IPv4 and IPv6.
+Specific interface addresses can be selected by the family, e.g.:
+.Bd -literal
+$pub_if4 = inet4(wm0)
+$pub_if6 = { inet6(wm0) }
+.Ed
.Ss Groups
Groups may have the following options: name, interface, and direction.
They are defined in the following form:
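Review bot: grammar in the added paragraph: `a list of its` followed by `all IP addresses, including IPv4 and IPv6.` should read "a list of all its IP addresses". The two family examples also use different forms, bare `$pub_if4 = inet4(wm0)` versus braced `$pub_if6 = { inet6(wm0) }`, without saying both are accepted; either pick one form or state explicitly that `inet4()`/`inet6()` may appear on their own or inside a set.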
@@ -151,7 +163,7 @@
The following would translate the source to the IP address specified
by the $pub_ip for the packets on the interface $ext_if.
.Bd -literal
-map $ext_if dynamic 10.1.1.0/24 -> $pub_if
+map $ext_if dynamic 10.1.1.0/24 -> $pub_ip
.Ed
.Pp
Translations are implicitly filtered by limiting the operation to the
@@ -256,8 +268,8 @@
.\" -----
.Sh EXAMPLES
.Bd -literal
-$ext_if = "wm0"
-$int_if = "wm1"
+$ext_if = ifnet(wm0)
+$int_if = ifnet(wm1)
table <1> type hash file "/etc/npf_blacklist"
table <2> type tree dynamic
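Review bot: these EXAMPLES now define `$ext_if = ifnet(wm0)`, while the shipped examples changed in this same commit keep `$ext_if = "wm0"` for the places that need an interface name (`group (name "external", interface $ext_if)`, `map $ext_if ...`) and introduce separate `$ext_v4`/`$ext_addrs` variables for the addresses. Unless an `ifnet()` value is accepted everywhere a name string is, the manual example should follow the same split so readers do not conflate the interface-name and interface-address forms.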
diff -r 9beaafa25b17 -r 5b2895a92bfe usr.sbin/npf/npfctl/npf_build.c
--- a/usr.sbin/npf/npfctl/npf_build.c Tue Dec 11 04:26:26 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf_build.c Tue Dec 11 04:31:52 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_build.c,v 1.4.2.7 2012/11/18 22:38:28 riz Exp $ */
+/* $NetBSD: npf_build.c,v 1.4.2.8 2012/12/11 04:31:52 riz Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.4.2.7 2012/11/18 22:38:28 riz Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.4.2.8 2012/12/11 04:31:52 riz Exp $");
#include <sys/types.h>
#include <sys/ioctl.h>
@@ -145,7 +145,7 @@
* Otherwise, address of invalid family was passed manually.
*/
if (family != AF_UNSPEC && family != fam->fam_family) {
- if (!fam->fam_interface) {
+ if (!fam->fam_ifindex) {
yyerror("specified address is not of the required "
"family %d", family);
}
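Review bot: this branch turns a family mismatch into a hard error only when the address was given manually (`!fam->fam_ifindex`); for an interface-derived address of the wrong family no error is raised. That is what lets the `family inet ... to $wired_v6` and `family inet proto icmp to $wifi_v6` rules in the updated host-npf.conf pass through npfctl with no diagnostic, so at least a warning in that case would be worthwhile. The `fam_ifindex` member comes from the npfctl.h revision listed in the commit message but is not part of this excerpt.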
diff -r 9beaafa25b17 -r 5b2895a92bfe usr.sbin/npf/npfctl/npf_data.c