[src/netbsd-6]: src/usr.sbin/npf/npfctl Pull up following revision(s) (reques...
details: https://anonhg.NetBSD.org/src/rev/b48e8cc804ce
branches: netbsd-6
changeset: 774433:b48e8cc804ce
user: riz <riz%NetBSD.org@localhost>
date: Mon Aug 13 19:43:44 2012 +0000
description:
Pull up following revision(s) (requested by rmind in ticket #489):
usr.sbin/npf/npfctl/npfctl.8: revision 1.9
usr.sbin/npf/npfctl/npf.conf.5: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.9
- npfctl show: add most of the missing cases.
- Few minor improvements to NPF man pages.
diffstat:
usr.sbin/npf/npfctl/npf.conf.5 | 12 +-
usr.sbin/npf/npfctl/npf_disassemble.c | 208 +++++++++++++++++++++++++++++----
usr.sbin/npf/npfctl/npfctl.8 | 33 ++--
3 files changed, 206 insertions(+), 47 deletions(-)
diffs (truncated from 448 to 300 lines):
diff -r 58497c581b5f -r b48e8cc804ce usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5 Mon Aug 13 19:41:29 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5 Mon Aug 13 19:43:44 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.conf.5,v 1.9.2.2 2012/07/05 17:48:44 riz Exp $
+.\" $NetBSD: npf.conf.5,v 1.9.2.3 2012/08/13 19:43:44 riz Exp $
.\"
.\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd June 29, 2012
+.Dd August 12, 2012
.Dt NPF.CONF 5
.Os
.Sh NAME
@@ -37,7 +37,8 @@
.Sh DESCRIPTION
.Nm
is the default configuration file for NPF packet filter.
-It can contain definitions, grouped rules, rule procedures, and tables.
+It can contain definitions, grouped rules, rule procedures,
+translation policies, and tables.
.Ss Definitions
Definitions are general purpose keywords which can be used in the
ruleset to make it more flexible and easier to manage.
@@ -56,7 +57,7 @@
Rules, which are the main part of NPF configuration, describe the criteria
used to inspect and make decisions about packets.
Currently, NPF supports filtering on the following criteria: interface,
-traffic direction, protocol, IPv4 address or network, TCP/UDP port
+traffic direction, protocol, IP address or network, TCP/UDP port
or range, TCP flags, and ICMP type/code.
Supported actions are blocking or passing the packet.
.Pp
@@ -229,3 +230,6 @@
.Sh HISTORY
NPF first appeared in
.Nx 6.0 .
+.Sh AUTHORS
+NPF was designed and implemented by
+.An Mindaugas Rasiukevicius .
diff -r 58497c581b5f -r b48e8cc804ce usr.sbin/npf/npfctl/npf_disassemble.c
--- a/usr.sbin/npf/npfctl/npf_disassemble.c Mon Aug 13 19:41:29 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf_disassemble.c Mon Aug 13 19:43:44 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_disassemble.c,v 1.3.2.6 2012/07/25 20:45:23 jdc Exp $ */
+/* $NetBSD: npf_disassemble.c,v 1.3.2.7 2012/08/13 19:43:44 riz Exp $ */
/*-
* Copyright (c) 2012 The NetBSD Foundation, Inc.
@@ -29,8 +29,13 @@
* POSSIBILITY OF SUCH DAMAGE.
*/
+/*
+ * NPF n-code disassembler.
+ *
+ * FIXME: config generation should be redesigned..
+ */
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_disassemble.c,v 1.3.2.6 2012/07/25 20:45:23 jdc Exp $");
+__RCSID("$NetBSD: npf_disassemble.c,v 1.3.2.7 2012/08/13 19:43:44 riz Exp $");
#include <stdio.h>
#include <stdlib.h>
@@ -40,6 +45,7 @@
#include <err.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#include <netinet/tcp.h>
#include <net/if.h>
#include <util.h>
@@ -54,6 +60,8 @@
NPF_SHOW_DSTADDR,
NPF_SHOW_SRCPORT,
NPF_SHOW_DSTPORT,
+ NPF_SHOW_PROTO,
+ NPF_SHOW_FAMILY,
NPF_SHOW_ICMP,
NPF_SHOW_TCPF,
NPF_SHOW_COUNT,
@@ -123,6 +131,22 @@
npfvar_add_elements(vl, vp);
}
+static void
+npf_tcpflags2str(char *buf, unsigned tfl)
+{
+ int i = 0;
+
+ if (tfl & TH_FIN) buf[i++] = 'F';
+ if (tfl & TH_SYN) buf[i++] = 'S';
+ if (tfl & TH_RST) buf[i++] = 'R';
+ if (tfl & TH_PUSH) buf[i++] = 'P';
+ if (tfl & TH_ACK) buf[i++] = 'A';
+ if (tfl & TH_URG) buf[i++] = 'U';
+ if (tfl & TH_ECE) buf[i++] = 'E';
+ if (tfl & TH_CWR) buf[i++] = 'C';
+ buf[i] = '\0';
+}
+
static const char *
npfctl_ncode_operand(nc_inf_t *ni, char *buf, size_t bufsiz, uint8_t operand)
{
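Review bot: npf_tcpflags2str writes up to eight flag letters plus the terminator into buf but takes no length, so the requirement that buf hold at least 9 bytes lives only in the callers' `char tf_buf[16], tfm_buf[16];` declarations in the TCP-flags operand hunk further down. A comment on the helper, `/* buf must hold at least 9 bytes: up to 8 flag letters plus NUL. */`, or a size parameter checked before each store, would make that contract visible where it is enforced. The letter order F S R P A U E C is the order the output will always use; if npf.conf parsing is order-sensitive that is worth stating in the same comment, though I cannot confirm that from this hunk.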
@@ -209,11 +233,40 @@
uint8_t proto = op & 0xff;
snprintf(buf, bufsiz, "addrlen=%u, proto=%u", addrlen, proto);
+ if (!ni) {
+ break;
+ }
+ switch (proto) {
+ case 0xff:
+ /* None. */
+ break;
+ case IPPROTO_TCP:
+ ni->ni_proto |= NC_MATCH_TCP;
+ break;
+ case IPPROTO_UDP:
+ ni->ni_proto |= NC_MATCH_UDP;
+ break;
+ case IPPROTO_ICMP:
+ ni->ni_proto |= NC_MATCH_ICMP;
+ /* FALLTHROUGH */
+ default:
+ snprintf(buf, bufsiz, "proto %d", proto);
+ npfctl_ncode_add_vp(ni, buf, NPF_SHOW_PROTO);
+ break;
+ }
+ switch (addrlen) {
+ case 4:
+ case 16:
+ snprintf(buf, bufsiz, "family inet%s",
+ addrlen == 16 ? "6" : "");
+ npfctl_ncode_add_vp(ni, buf, NPF_SHOW_FAMILY);
+ break;
+ }
break;
}
case NPF_OPERAND_SUBNET: {
snprintf(buf, bufsiz, "/%d", op);
- if (ni) {
+ if (ni && op != NPF_NO_NETMASK) {
npfctl_ncode_add_vp(ni, buf, ni->ni_srcdst ?
NPF_SHOW_SRCADDR : NPF_SHOW_DSTADDR);
}
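Review bot: In the proto switch the IPPROTO_ICMP case falls through into the default branch, so an IPv4 ICMP rule is recorded as the numeric string `proto 1` under NPF_SHOW_PROTO, whereas TCP and UDP add nothing here and are later printed by name as `proto tcp` / `proto udp`. If the numeric form is intended for ICMP, a comment on the `/* FALLTHROUGH */` saying why would help; if not, `break;` after the NC_MATCH_ICMP assignment keeps the three protocols symmetric and lets the later name-printing path handle it (the ICMP operand hunk below also sets NC_MATCH_ICMP, so the protocol would still be identified). The `switch (addrlen)` has no `default`, so any other length is silently ignored; `default: break; /* unknown address length: nothing to show */` documents that. The enclosing operand function starts and ends outside this hunk.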
@@ -242,13 +295,18 @@
return NULL;
}
snprintf(buf, bufsiz, "type=%d, code=%d", type, code);
- if (ni) {
- ni->ni_proto |= NC_MATCH_ICMP;
- if (type || code) {
- snprintf(buf, bufsiz,
- "icmp-type %d code %d", type, code);
- npfctl_ncode_add_vp(ni, buf, NPF_SHOW_ICMP);
- }
+ if (!ni) {
+ break;
+ }
+ ni->ni_proto |= NC_MATCH_ICMP;
+ if (*ni->ni_ipc == NPF_OPCODE_ICMP6) {
+ snprintf(buf, bufsiz, "proto \"ipv6-icmp\"");
+ npfctl_ncode_add_vp(ni, buf, NPF_SHOW_PROTO);
+ }
+ if (type || code) {
+ snprintf(buf, bufsiz,
+ "icmp-type %d code %d", type, code);
+ npfctl_ncode_add_vp(ni, buf, NPF_SHOW_ICMP);
}
break;
}
@@ -259,7 +317,10 @@
op, ni->ni_pc - ni->ni_buf);
return NULL;
}
- snprintf(buf, bufsiz, "flags=0x%x, mask=%0xx", tf, tf_mask);
+ char tf_buf[16], tfm_buf[16];
+ npf_tcpflags2str(tf_buf, tf);
+ npf_tcpflags2str(tfm_buf, tf_mask);
+ snprintf(buf, bufsiz, "flags %s/%s", tf_buf, tfm_buf);
if (ni) {
ni->ni_proto |= NC_MATCH_TCP;
npfctl_ncode_add_vp(ni, buf, NPF_SHOW_TCPF);
@@ -274,10 +335,23 @@
} else {
snprintf(buf, bufsiz, "%d-%d", p1, p2);
}
- if (ni) {
- npfctl_ncode_add_vp(ni, buf, ni->ni_srcdst ?
- NPF_SHOW_SRCPORT : NPF_SHOW_DSTPORT);
+
+ if (!ni) {
+ break;
}
+ switch (*ni->ni_ipc) {
+ case NPF_OPCODE_TCP_PORTS:
+ ni->ni_proto |= NC_MATCH_TCP;
+ break;
+ case NPF_OPCODE_UDP_PORTS:
+ ni->ni_proto |= NC_MATCH_UDP;
+ break;
+ }
+ int sd = ni->ni_srcdst ? NPF_SHOW_SRCPORT : NPF_SHOW_DSTPORT;
+ if (ni->ni_vlist[sd]) {
+ break;
+ }
+ npfctl_ncode_add_vp(ni, buf, sd);
break;
}
default:
@@ -351,7 +425,6 @@
}
ni->ni_left -= sizeof(opcode);
ni->ni_pc++;
-
for (size_t i = 0; i < __arraycount(insn->op); i++) {
const uint8_t o = insn->op[i];
const char *op;
@@ -381,21 +454,26 @@
static void
npfctl_show_fromto(const char *name, npfvar_t *vl, bool showany)
{
- size_t count = npfvar_get_count(vl), last = count - 1;
- bool one = (count == 1);
+ size_t count = npfvar_get_count(vl);
+ char *s;
- if (count == 0) {
+ switch (count) {
+ case 0:
if (showany) {
printf("%s any ", name);
}
return;
+ case 1:
+ s = npfvar_get_data(vl, NPFVAR_STRING, 0);
+ printf("%s %s ", name, s);
+ return;
}
- printf("%s%s ", name, one ? "" : " {");
-
+ printf("%s%s", name, " { ");
for (size_t i = 0; i < count; i++) {
- char *s = npfvar_get_data(vl, NPFVAR_STRING, i);
- printf("%s%s ", s, i == last ? (one ? "" : " }") : ",");
+ s = npfvar_get_data(vl, NPFVAR_STRING, i);
+ printf("%s%s", (i && s[0] != '/') ? ", " : "", s);
}
+ printf(" } ");
npfvar_destroy(vl);
}
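Review bot: The new `case 1:` path returns before the `npfvar_destroy(vl)` at the end of npfctl_show_fromto, whereas the old single-element path (`one`) fell through to it, so every single-element from/to list is now leaked; the case should read `s = npfvar_get_data(vl, NPFVAR_STRING, 0); printf("%s %s ", name, s); npfvar_destroy(vl); return;`. The separator test `(i && s[0] != '/') ? ", " : ""` glues a netmask element onto the preceding address, which relies on the subnet element always being added immediately after its address; a one-line comment at the loop stating that assumption would help the next reader. `printf("%s%s", name, " { ")` can simply be `printf("%s { ", name)`.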
@@ -403,25 +481,49 @@
npfctl_show_ncode(const void *nc, size_t len)
{
nc_inf_t *ni = npfctl_ncode_disinf(NULL);
+ bool any, protoshown = false;
npfvar_t *vl;
- bool any;
if (npfctl_ncode_disassemble(ni, nc, len) != 0) {
printf("<< ncode >> ");
return true;
}
+ if ((vl = ni->ni_vlist[NPF_SHOW_FAMILY]) != NULL) {
+ printf("%s ", npfvar_expand_string(vl));
+ npfvar_destroy(vl);
+ }
+
+ if ((vl = ni->ni_vlist[NPF_SHOW_PROTO]) != NULL) {
+ printf("%s ", npfvar_expand_string(vl));
+ npfvar_destroy(vl);
+ protoshown = true;
+ }
+
switch (ni->ni_proto) {
case NC_MATCH_TCP:
- printf("proto tcp ");
+ if (!protoshown) {
+ printf("proto tcp ");
+ }
+ if ((vl = ni->ni_vlist[NPF_SHOW_TCPF]) != NULL) {
+ printf("%s ", npfvar_expand_string(vl));
+ npfvar_destroy(vl);
+ }
break;
case NC_MATCH_ICMP:
- printf("proto icmp ");
+ if (!protoshown) {
+ printf("proto icmp ");
+ }
if ((vl = ni->ni_vlist[NPF_SHOW_ICMP]) != NULL) {
printf("%s ", npfvar_expand_string(vl));
npfvar_destroy(vl);