[src/trunk]: src/share/examples/npf adjust to current npf.conf syntax
details: https://anonhg.NetBSD.org/src/rev/b5ca4f9a1907
branches: trunk
changeset: 783086:b5ca4f9a1907
user: spz <spz%NetBSD.org@localhost>
date: Tue Dec 04 18:48:32 2012 +0000
description:
adjust to current npf.conf syntax
diffstat:
share/examples/npf/host-npf.conf | 67 +++++++++++++++++++-----------------
share/examples/npf/soho_gw-npf.conf | 21 ++++++----
2 files changed, 48 insertions(+), 40 deletions(-)
diffs (187 lines):
diff -r 9b0be2c11faf -r b5ca4f9a1907 share/examples/npf/host-npf.conf
--- a/share/examples/npf/host-npf.conf Tue Dec 04 18:10:25 2012 +0000
+++ b/share/examples/npf/host-npf.conf Tue Dec 04 18:48:32 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: host-npf.conf,v 1.2 2012/08/22 06:45:17 spz Exp $
+# $NetBSD: host-npf.conf,v 1.3 2012/12/04 18:48:32 spz Exp $
#
# this is an example of NPF rules for a host (i.e., not routing) with
# two network interfaces, wired and wifi
@@ -7,7 +7,12 @@
# it also does IPSEC on the wifi
#
$wired_if = "wm0"
+$wired_v4 = { inet4(wm0) }
+$wired_v6 = { inet6(wm0) }
+
$wifi_if = "iwn0"
+$wifi_v4 = { inet4(iwn0) }
+$wifi_v6 = { inet6(iwn0) }
$dhcpserver = { 198.51.100.1 }
@@ -37,38 +42,38 @@
pass in final family inet proto icmp all
pass in final family inet proto tcp \
- from $dhcpserver port bootps to $wired_if port bootpc
+ from $dhcpserver port bootps to $wired_v4 port bootpc
pass in final family inet proto udp \
- from $dhcpserver port bootps to $wired_if port bootpc
+ from $dhcpserver port bootps to $wired_v4 port bootpc
- pass in final family inet6 proto tcp to $wired_if port ssh
+ pass in final family inet6 proto tcp to $wired_v6 port ssh
pass in final family inet proto tcp flags S/SA \
- from $backupsrv_v4 to $wired_if port $backup_port
+ from $backupsrv_v4 to $wired_v4 port $backup_port
pass in final family inet proto udp \
- from $backupsrv_v4 to $wired_if port $backup_port
+ from $backupsrv_v4 to $wired_v4 port $backup_port
pass in final family inet6 proto tcp flags S/SA \
- from $backupsrv_v6 to $wired_if port $backup_port
+ from $backupsrv_v6 to $wired_v6 port $backup_port
pass in final family inet6 proto udp \
- from $backupsrv_v6 to $wired_if port $backup_port
+ from $backupsrv_v6 to $wired_v6 port $backup_port
- pass stateful in final family inet6 proto udp to $wired_if \
+ pass stateful in final family inet6 proto udp to $wired_v6 \
port $services_udp
- pass stateful in final family inet proto udp to $wired_if \
+ pass stateful in final family inet proto udp to $wired_v6 \
port $services_udp
# only SYN packets need to generate state
pass stateful out final family inet6 proto tcp flags S/SA \
- from $wired_if apply "rid"
+ from $wired_v6 apply "rid"
pass stateful out final family inet proto tcp flags S/SA \
- from $wired_if apply "rid"
+ from $wired_v4 apply "rid"
# pass the other tcp packets without generating extra state
- pass out final family inet6 proto tcp from $wired_if apply "rid"
- pass out final family inet proto tcp from $wired_if apply "rid"
+ pass out final family inet6 proto tcp from $wired_v6 apply "rid"
+ pass out final family inet proto tcp from $wired_v4 apply "rid"
# all other types of traffic, generate state per packet
- pass stateful out final family inet6 from $wired_if apply "rid"
- pass stateful out final family inet from $wired_if apply "rid"
+ pass stateful out final family inet6 from $wired_v6 apply "rid"
+ pass stateful out final family inet from $wired_v4 apply "rid"
}
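Review bot: The line `pass stateful in final family inet proto udp to $wired_v6 \` pairs the IPv4 family with the IPv6 address set, so no IPv4 UDP packet to `$services_udp` can ever match it and that traffic falls through to whatever rule follows; the intended line is `pass stateful in final family inet proto udp to $wired_v4 \`. The wifi group's hunk below has the same slip in `pass in final family inet proto icmp to $wifi_v6`, which should read `pass in final family inet proto icmp to $wifi_v4`. Every other rewritten rule in both hunks pairs `inet` with `_v4` and `inet6` with `_v6`, which is what makes these two look like typos rather than intent. A mismatch of this kind is not a syntax error, so it would only surface as the affected service silently being unreachable over IPv4.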
@@ -81,37 +86,37 @@
pass in final family inet6 proto ipv6-icmp to ff00::/10
pass out final family inet6 proto ipv6-icmp from ff00::/10
- pass in final family inet6 proto ipv6-icmp to $wifi_if
- pass in final family inet proto icmp to $wifi_if
+ pass in final family inet6 proto ipv6-icmp to $wifi_v6
+ pass in final family inet proto icmp to $wifi_v6
pass in final family inet proto tcp \
- from any port bootps to $wifi_if port bootpc
+ from any port bootps to $wifi_v4 port bootpc
pass in final family inet proto udp \
- from any port bootps to $wifi_if port bootpc
+ from any port bootps to $wifi_v4 port bootpc
- pass in final family inet6 proto tcp flags S/SA to $wifi_if port ssh
+ pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh
- pass in final family inet6 proto udp to $wifi_if port $services_udp
- pass in final family inet proto udp to $wifi_if port $services_udp
+ pass in final family inet6 proto udp to $wifi_v6 port $services_udp
+ pass in final family inet proto udp to $wifi_v4 port $services_udp
# IPSEC
- pass in final family inet6 proto udp to $wifi_if port isakmp
- pass in final family inet proto udp to $wifi_if port isakmp
+ pass in final family inet6 proto udp to $wifi_v6 port isakmp
+ pass in final family inet proto udp to $wifi_v4 port isakmp
pass in family inet6 proto esp all
pass in family inet proto esp all
# only SYN packets need to generate state
pass stateful out final family inet6 proto tcp flags S/SA \
- from $wifi_if apply "rid"
+ from $wifi_v6 apply "rid"
pass stateful out final family inet proto tcp flags S/SA \
- from $wifi_if apply "rid"
+ from $wifi_v4 apply "rid"
# pass the other tcp packets without generating extra state
- pass out final family inet6 proto tcp from $wifi_if apply "rid"
- pass out final family inet proto tcp from $wifi_if apply "rid"
+ pass out final family inet6 proto tcp from $wifi_v6 apply "rid"
+ pass out final family inet proto tcp from $wifi_v4 apply "rid"
# all other types of traffic, generate state per packet
- pass stateful out final family inet6 from $wifi_if apply "rid"
- pass stateful out final family inet from $wifi_if apply "rid"
+ pass stateful out final family inet6 from $wifi_v6 apply "rid"
+ pass stateful out final family inet from $wifi_v4 apply "rid"
}
group (default) {
diff -r 9b0be2c11faf -r b5ca4f9a1907 share/examples/npf/soho_gw-npf.conf
--- a/share/examples/npf/soho_gw-npf.conf Tue Dec 04 18:10:25 2012 +0000
+++ b/share/examples/npf/soho_gw-npf.conf Tue Dec 04 18:48:32 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: soho_gw-npf.conf,v 1.2 2012/08/21 08:25:21 spz Exp $
+# $NetBSD: soho_gw-npf.conf,v 1.3 2012/12/04 18:48:32 spz Exp $
#
# SOHO border
#
@@ -6,6 +6,9 @@
# IPv4 only
#
$ext_if = "wm0"
+$ext_v4 = inet4(wm0)
+$ext_addrs = { ifnet(wm0) }
+
$int_if = "wm1"
# a table to house e.g. block candidates in
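Review bot: `$ext_v4 = inet4(wm0)` is written without braces while `$ext_addrs = { ifnet(wm0) }` two lines below and the new variables in host-npf.conf all use the `{ ... }` set form; if the bare form is deliberate because `$ext_v4` serves as the single translation address in the `map` rules further down, a comment should say so, e.g. `# single address (no braces): used as the NAT translation address in the map rules below`. This file's header still says "IPv4 only", yet `ifnet(wm0)` would presumably also collect any IPv6 address later configured on wm0; either `inet4(wm0)` matches the stated scope more closely, or a short comment could note that `$ext_addrs` intentionally covers every address family on the interface.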
@@ -20,11 +23,11 @@
# NAT outgoing to the address of the external interface
# Note: if $ext_if has multiple IP addresses (e.g. IPv6 as well),
# then the translation address has to be specified explicitly.
-map $ext_if dynamic 198.51.100.0/24 -> $ext_if
+map $ext_if dynamic 198.51.100.0/24 -> $ext_v4
# NAT traffic arriving on port 9022 of the external interface address
# to host 198.51.100.2 port 22
-map $ext_if dynamic 198.51.100.2 port 22 <- $ext_if 9022
+map $ext_if dynamic 198.51.100.2 port 22 <- $ext_v4 9022
procedure "log" {
log: npflog0
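Review bot: The comment above `map $ext_if dynamic 198.51.100.0/24 -> $ext_v4` still describes the old rule: it warns that the translation address "has to be specified explicitly" when `$ext_if` has several addresses, but the rule now does exactly that, so a reader cannot tell whether the advice has been applied or is still pending. Rewording it to match the new code would help, e.g. `# Note: the translation address is $ext_v4 (the IPv4 address of wm0); if wm0 carries more than one IPv4 address, name the translation address explicitly.` The same applies to the `<- $ext_v4 9022` inbound rule, which the comment does not mention at all.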
@@ -35,18 +38,18 @@
}
group (name "external", interface $ext_if) {
- pass stateful out final from $ext_if apply "rid"
+ pass stateful out final from $ext_addrs apply "rid"
block in final from <1>
- pass stateful in final family inet proto tcp to $ext_if port ssh \
+ pass stateful in final family inet proto tcp to $ext_v4 port ssh \
apply "log"
- pass stateful in final proto tcp to $ext_if port $services_tcp
- pass stateful in final proto udp to $ext_if port $services_udp
+ pass stateful in final proto tcp to $ext_addrs port $services_tcp
+ pass stateful in final proto udp to $ext_addrs port $services_udp
# Passive FTP
- pass stateful in final proto tcp to $ext_if port 49151-65535
+ pass stateful in final proto tcp to $ext_addrs port 49151-65535
# Traceroute
- pass stateful in final proto udp to $ext_if port 33434-33600
+ pass stateful in final proto udp to $ext_addrs port 33434-33600
}
group (name "internal", interface $int_if) {
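Review bot: Within the "external" group the inbound ssh rule is restricted to `$ext_v4` while the neighbouring `$services_tcp`, `$services_udp`, passive-FTP and traceroute rules use `$ext_addrs`; in an IPv4-only configuration the two sets are presumably equivalent, but the split reads as accidental, and it means ssh would stop matching on any IPv6 address added to wm0 while the other services would not. Either use one variable consistently, or add a one-line comment on the ssh rule such as `# ssh deliberately limited to the IPv4 address; other services accept any address on wm0`. The "internal" group opened on the last line continues outside the hunk.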