
[src/trunk]: src/usr.sbin/npf/npfctl - Handle NPF rule procedures in the pars...



details:   https://anonhg.NetBSD.org/src/rev/f56304e298c6
branches:  trunk
changeset: 773556:f56304e298c6
user:      rmind <rmind%NetBSD.org@localhost>
date:      Mon Feb 06 00:37:52 2012 +0000

description:
- Handle NPF rule procedures in the parser and thus re-enable them.
- A few small updates to the man page.

diffstat:

 usr.sbin/npf/npfctl/npf.conf.5  |  26 +++++++++-----
 usr.sbin/npf/npfctl/npf_build.c |  72 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 85 insertions(+), 13 deletions(-)

diffs (169 lines):

diff -r 86ad67f231cd -r f56304e298c6 usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5    Sun Feb 05 21:46:37 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5    Mon Feb 06 00:37:52 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.7 2012/01/08 22:14:55 christos Exp $
+.\"    $NetBSD: npf.conf.5,v 1.8 2012/02/06 00:37:52 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 6, 2012
+.Dd February 5, 2012
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -80,20 +80,26 @@
 .Pp
 Definitions (prefixed with "$") and tables (specified by an ID within
 "\*[Lt]\*[Gt]" marks) can be used in the filter options of rules.
-.Ss Rule procedures and normalization
+.Ss Rule procedures and normalisation
 Rule procedures are provided to perform packet transformations and various
 additional procedures on the packets.
 It should be noted that rule procedures are applied for the connections,
 that is, both for packets which match the rule and for further packets
 of the connection, which are passed without ruleset inspection.
 Currently, two facilities are supported:
-traffic normalization and packet logging.
-Packet normalization has the following functionality:
-IP ID randomization, IP_DF flag cleansing, TCP minimum TTL enforcement,
+traffic normalisation and packet logging.
+Packet normalisation has the following functionality:
+IP ID randomisation, IP_DF flag cleansing, TCP minimum TTL enforcement,
 and maximum MSS enforcement ("MSS clamping").
-If a matching rule is going to drop the packet, normalization functions
+If a matching rule is going to drop the packet, normalisation functions
 are not performed.
 Packet logging is performed both in packet passing and blocking cases.
+Note that the logging interface has to be created manually, using
+.Xr ifconfig 8
+routine, for example:
+.Pp
+ifconfig npflog0 create
+.Pp
 .Ss Network address translation
 Rules for address translation can be added.
 Translation is performed on the specified interface, assigning the specified
@@ -150,10 +156,10 @@
 ruleset                = "{" rule1 \*[Lt]newline\*[Gt], rule2 \*[Lt]newline\*[Gt], ... "}"
 
 rule           = ( "block" block-opts | "pass" ) [ "in" | out" ] [ "quick" ]
-                 [ "on" iface ] [ "inet" | "inet6" ] [ "proto" \*[Lt]protocol\*[Gt] ]
-                 ( "all" | filt-opts [ "flags" \*[Lt]tcp_flags> \*[Gt] )
-                 [ "keep state" ] [ "apply" rproc }
+                 [ "on" iface ] [ family "fam-opt" ] [ "proto" \*[Lt]protocol\*[Gt] ]
+                 ( "all" | filt-opts ) [ "keep state" ] [ "apply" rproc ] }
 
+fam-opt                = [ "inet" | "inet6" ]
 block-opts     = [ "return-rst" | "return-icmp" | "return" ]
 filt-addr      = iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt]
 port-opts      = [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] "-" \*[Lt]port-to\*[Gt] | def ) ]
diff -r 86ad67f231cd -r f56304e298c6 usr.sbin/npf/npfctl/npf_build.c
--- a/usr.sbin/npf/npfctl/npf_build.c   Sun Feb 05 21:46:37 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf_build.c   Mon Feb 06 00:37:52 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_build.c,v 1.3 2012/02/05 00:37:13 rmind Exp $      */
+/*     $NetBSD: npf_build.c,v 1.4 2012/02/06 00:37:52 rmind Exp $      */
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.3 2012/02/05 00:37:13 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.4 2012/02/06 00:37:52 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -299,19 +299,85 @@
        return true;
 }
 
+static void
+npfctl_build_rpcall(nl_rproc_t *rp, const char *name, npfvar_t *args)
+{
+       /*
+        * XXX/TODO: Hardcoded for the first release.  However,
+        * rule procedures will become fully dynamic modules.
+        */
+
+       bool log = false, norm = false;
+       bool rnd = false, no_df = false;
+       int minttl = 0, maxmss = 0;
+
+       if (strcmp(name, "log") == 0) {
+               log = true;
+       } else if (strcmp(name, "normalise") == 0) {
+               norm = true;
+       } else {
+               yyerror("unknown rule procedure '%s'", name);
+       }
+
+       for (size_t i = 0; i < npfvar_get_count(args); i++) {
+               module_arg_t *arg;
+               const char *aval;
+
+               arg = npfvar_get_data(args, NPFVAR_MODULE_ARG, i);
+               aval = arg->ma_name;
+
+               if (log) {
+                       u_int if_idx = npfctl_find_ifindex(aval);
+                       if (!if_idx) {
+                               yyerror("unknown interface '%s'", aval);
+                       }
+                       _npf_rproc_setlog(rp, if_idx);
+                       return;
+               }
+
+               const int type = npfvar_get_type(arg->ma_opts);
+               if (type != -1 && type != NPFVAR_NUM) {
+                       yyerror("option '%s' is not numeric", aval);
+               }
+               unsigned long *opt;
+
+               if (strcmp(aval, "random-id") == 0) {
+                       rnd = true;
+               } else if (strcmp(aval, "min-ttl") == 0) {
+                       opt = npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0);
+                       minttl = *opt;
+               } else if (strcmp(aval, "max-mss") == 0) {
+                       opt = npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0);
+                       maxmss = *opt;
+               } else if (strcmp(aval, "no-df") == 0) {
+                       no_df = true;
+               } else {
+                       yyerror("unknown argument '%s'", aval);
+               }
+       }
+       assert(norm == true);
+       _npf_rproc_setnorm(rp, rnd, no_df, minttl, maxmss);
+}
+
 /*
  * npfctl_build_rproc: create and insert a rule procedure.
  */
 void
-npfctl_build_rproc(const char *name, npfvar_t *var)
+npfctl_build_rproc(const char *name, npfvar_t *procs)
 {
        nl_rproc_t *rp;
+       size_t i;
 
        rp = npf_rproc_create(name);
        if (rp == NULL) {
                errx(EXIT_FAILURE, "npf_rproc_create failed");
        }
        npf_rproc_insert(npf_conf, rp);
+
+       for (i = 0; i < npfvar_get_count(procs); i++) {
+               proc_op_t *po = npfvar_get_data(procs, NPFVAR_PROC_OP, i);
+               npfctl_build_rpcall(rp, po->po_name, po->po_opts);
+       }
 }
 
 /*
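Review bot: A `log` procedure written with no arguments never enters the loop body in npfctl_build_rpcall, so it skips the early return and ends at `assert(norm == true)` — a configuration mistake becomes an abort (or, with NDEBUG, a `_npf_rproc_setnorm` call on a log procedure) instead of a yyerror diagnostic, and the same fall-through happens after `yyerror("unknown rule procedure '%s'", name)` if yyerror returns (whether it does is not visible in this hunk). In the normalise branch, `min-ttl` and `max-mss` accept an argument whose option type is -1, then dereference the result of `npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0)` without checking it, and store the `unsigned long` into an `int` with no range check even though a TTL is an 8-bit field and an MSS a 16-bit one. I would pull the log case out of the loop, require exactly one interface argument there, return after each yyerror, and range-check the numeric options before assigning them; the rewrite below drops the `log`/`norm` flags and the assert, which the restructured control flow makes unnecessary.
```c
static void
npfctl_build_rpcall(nl_rproc_t *rp, const char *name, npfvar_t *args)
{
	/* … unchanged: XXX/TODO comment, rnd/no_df/minttl/maxmss declarations … */

	if (strcmp(name, "log") == 0) {
		/* "log" takes exactly one argument: the npflog interface. */
		if (npfvar_get_count(args) != 1) {
			yyerror("rule procedure 'log' expects one interface");
			return;
		}
		module_arg_t *arg = npfvar_get_data(args, NPFVAR_MODULE_ARG, 0);
		u_int if_idx = npfctl_find_ifindex(arg->ma_name);
		if (!if_idx) {
			yyerror("unknown interface '%s'", arg->ma_name);
			return;
		}
		_npf_rproc_setlog(rp, if_idx);
		return;
	}
	if (strcmp(name, "normalise") != 0) {
		yyerror("unknown rule procedure '%s'", name);
		return;
	}

	for (size_t i = 0; i < npfvar_get_count(args); i++) {
		module_arg_t *arg = npfvar_get_data(args, NPFVAR_MODULE_ARG, i);
		const char *aval = arg->ma_name;
		const int type = npfvar_get_type(arg->ma_opts);
		unsigned long *opt = NULL;

		/* Only fetch a value when the option list is actually numeric. */
		if (type == NPFVAR_NUM) {
			opt = npfvar_get_data(arg->ma_opts, NPFVAR_NUM, 0);
		} else if (type != -1) {
			yyerror("option '%s' is not numeric", aval);
			return;
		}
		if (strcmp(aval, "random-id") == 0) {
			rnd = true;
		} else if (strcmp(aval, "min-ttl") == 0) {
			/* TTL is an 8-bit IP header field. */
			if (opt == NULL || *opt > 255) {
				yyerror("'%s' requires a value in 0..255", aval);
				return;
			}
			minttl = (int)*opt;
		} else if (strcmp(aval, "max-mss") == 0) {
			/* MSS is a 16-bit TCP option value. */
			if (opt == NULL || *opt > 65535) {
				yyerror("'%s' requires a value in 0..65535", aval);
				return;
			}
			maxmss = (int)*opt;
		} else if (strcmp(aval, "no-df") == 0) {
			no_df = true;
		} else {
			yyerror("unknown argument '%s'", aval);
			return;
		}
	}
	_npf_rproc_setnorm(rp, rnd, no_df, minttl, maxmss);
}
```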


