[src/trunk]: src/usr.sbin/npf/npfctl npfctl(8): add show-config command. Als...
details: https://anonhg.NetBSD.org/src/rev/08961be4d05d
branches: trunk
changeset: 779488:08961be4d05d
user: rmind <rmind%NetBSD.org@localhost>
date: Wed May 30 21:30:07 2012 +0000
description:
npfctl(8): add show-config command. Also, update syntax.
diffstat:
usr.sbin/npf/npfctl/Makefile | 3 +-
usr.sbin/npf/npfctl/npf.conf.5 | 30 +-
usr.sbin/npf/npfctl/npf_data.c | 25 +-
usr.sbin/npf/npfctl/npf_disassemble.c | 284 ++++++++++++++++++++++++++++++---
usr.sbin/npf/npfctl/npf_ncgen.c | 15 +-
usr.sbin/npf/npfctl/npf_parse.y | 29 +-
usr.sbin/npf/npfctl/npf_scan.l | 8 +-
usr.sbin/npf/npfctl/npf_var.c | 7 +-
usr.sbin/npf/npfctl/npfctl.c | 27 ++-
usr.sbin/npf/npfctl/npfctl.h | 14 +-
10 files changed, 335 insertions(+), 107 deletions(-)
diffs (truncated from 915 to 300 lines):
diff -r d4fb4b794b5e -r 08961be4d05d usr.sbin/npf/npfctl/Makefile
--- a/usr.sbin/npf/npfctl/Makefile Wed May 30 20:15:56 2012 +0000
+++ b/usr.sbin/npf/npfctl/Makefile Wed May 30 21:30:07 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.6 2012/03/10 22:21:50 christos Exp $
+# $NetBSD: Makefile,v 1.7 2012/05/30 21:30:07 rmind Exp $
PROG= npfctl
MAN= npfctl.8 npf.conf.5
@@ -9,7 +9,6 @@
CPPFLAGS+= -I${.CURDIR}
SRCS+= npf_scan.l npf_parse.y
YHEADER= 1
-YFLAGS+= -v
LDADD+= -lnpf -lprop -lutil -ly
DPADD+= ${LIBNPF} ${LIBPROP} ${LIBUTIL}
diff -r d4fb4b794b5e -r 08961be4d05d usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5 Wed May 30 20:15:56 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5 Wed May 30 21:30:07 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: npf.conf.5,v 1.9 2012/02/06 00:41:36 rmind Exp $
+.\" $NetBSD: npf.conf.5,v 1.10 2012/05/30 21:30:07 rmind Exp $
.\"
.\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd February 5, 2012
+.Dd May 27, 2012
.Dt NPF.CONF 5
.Os
.Sh NAME
@@ -64,13 +64,13 @@
Rules defined first are accordingly inspected first.
All rules in the group are inspected sequentially, and the last matching
dictates the action to be taken.
-Rules, however, may be explicitly marked as final (that is, "quick").
+Rules, however, may be explicitly marked as final.
In such cases, processing stops after encountering the first matching rule
marked as final.
If there is no matching rule in the custom group, then rules in the default
group will be inspected.
.Pp
-Stateful filtering is supported using the "keep state" keyword.
+Stateful filtering is supported using the "stateful" keyword.
In such cases, state (a session) is created and any further packets
of the connection are tracked.
Packets in backwards stream, after having been confirmed to belong to
@@ -155,9 +155,9 @@
ruleset = "{" rule1 \*[Lt]newline\*[Gt], rule2 \*[Lt]newline\*[Gt], ... "}"
-rule = ( "block" block-opts | "pass" ) [ "in" | out" ] [ "quick" ]
+rule = ( "block" block-opts | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ]
[ "on" iface ] [ "family" fam-opt ] [ "proto" \*[Lt]protocol\*[Gt] ]
- ( "all" | filt-opts ) [ "keep state" ] [ "apply" rproc ] }
+ ( "all" | filt-opts ) [ "apply" rproc ] }
fam-opt = [ "inet" | "inet6" ]
block-opts = [ "return-rst" | "return-icmp" | "return" ]
@@ -197,20 +197,20 @@
}
group (name "external", interface $ext_if) {
- block in quick from \*[Lt]1\*[Gt]
- pass out quick from $ext_if keep state apply "rid"
+ block in final from \*[Lt]1\*[Gt]
+ pass stateful out final from $ext_if apply "rid"
- pass in quick family inet proto tcp to $ext_if port ssh apply "log"
- pass in quick proto tcp to $ext_if port $services_tcp
- pass in quick proto udp to $ext_if port $services_udp
- pass in quick proto tcp to $ext_if port 49151-65535 # Passive FTP
- pass in quick proto udp to $ext_if port 33434-33600 # Traceroute
+ pass in final family inet proto tcp to $ext_if port ssh apply "log"
+ pass in final proto tcp to $ext_if port $services_tcp
+ pass in final proto udp to $ext_if port $services_udp
+ pass in final proto tcp to $ext_if port 49151-65535 # Passive FTP
+ pass in final proto udp to $ext_if port 33434-33600 # Traceroute
}
group (name "internal", interface $int_if) {
block in all
- pass in quick from \*[Lt]2\*[Gt]
- pass out quick all
+ pass in final from \*[Lt]2\*[Gt]
+ pass out final all
}
group (default) {
diff -r d4fb4b794b5e -r 08961be4d05d usr.sbin/npf/npfctl/npf_data.c
--- a/usr.sbin/npf/npfctl/npf_data.c Wed May 30 20:15:56 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf_data.c Wed May 30 21:30:07 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_data.c,v 1.11 2012/02/26 21:50:05 christos Exp $ */
+/* $NetBSD: npf_data.c,v 1.12 2012/05/30 21:30:07 rmind Exp $ */
/*-
* Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_data.c,v 1.11 2012/02/26 21:50:05 christos Exp $");
+__RCSID("$NetBSD: npf_data.c,v 1.12 2012/05/30 21:30:07 rmind Exp $");
#include <sys/types.h>
#include <sys/null.h>
@@ -211,7 +211,7 @@
/*
* npfctl_parse_port_range: create a port-range variable. Note that the
- * passed port numbers are in network byte order.
+ * passed port numbers should be in host byte order.
*/
npfvar_t *
npfctl_parse_port_range(in_port_t s, in_port_t e)
@@ -219,8 +219,8 @@
npfvar_t *vp = npfvar_create(".port_range");
port_range_t pr;
- pr.pr_start = s;
- pr.pr_end = e;
+ pr.pr_start = htons(s);
+ pr.pr_end = htons(e);
if (!npfvar_add_element(vp, NPFVAR_PORT_RANGE, &pr, sizeof(pr)))
goto out;
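Review bot: The range is stored without checking that s <= e, so a reversed range (65535-1, a constructed example) is accepted here unless the parser rejects it before the call. Now that this function owns the host-to-network conversion it is the natural place for that check, and it must be done on the host-order values, i.e. before the two `htons` assignments: `if (s > e) goto out;` mirroring the existing error path, assuming `out:` frees vp and returns NULL as the surrounding code suggests. The body of npfctl_parse_port_range starts outside the hunk.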
@@ -235,14 +235,15 @@
npfctl_parse_port_range_variable(const char *v)
{
npfvar_t *vp = npfvar_lookup(v);
- in_port_t p;
- port_range_t *pr;
size_t count = npfvar_get_count(vp);
npfvar_t *pvp = npfvar_create(".port_range");
+ port_range_t *pr;
+ in_port_t p;
for (size_t i = 0; i < count; i++) {
int type = npfvar_get_type(vp, i);
void *data = npfvar_get_data(vp, type, i);
+
switch (type) {
case NPFVAR_IDENTIFIER:
case NPFVAR_STRING:
@@ -261,13 +262,11 @@
default:
yyerror("wrong variable '%s' type '%s' for port range",
v, npfvar_type(type));
- goto out;
+ npfvar_destroy(pvp);
+ return NULL;
}
}
return pvp;
-out:
- npfvar_destroy(pvp);
- return NULL;
}
npfvar_t *
@@ -350,7 +349,7 @@
/*
* npfctl_portno: convert port identifier (string) to a number.
*
- * => Returns port number in network byte order.
+ * => Returns port number in host byte order.
*/
in_port_t
npfctl_portno(const char *port)
@@ -383,7 +382,7 @@
}
out:
freeaddrinfo(rai);
- return p;
+ return ntohs(p);
}
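Review bot: `return ntohs(p);` at the shared `out:` label changes the return contract of npfctl_portno for every caller, not only npfctl_parse_port_range, which this diff adjusts to convert back with htons. Any other caller that stored the result directly into a network-order field (a `sin_port`, for instance) would now be silently wrong; the truncated diff does not show the remaining callers, so they should be audited as part of this change. The conversion also runs on the error path that jumps to `out:`, which is harmless only if p is 0 there — that assignment is outside the hunk. The function body starts outside the hunk.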
npfvar_t *
diff -r d4fb4b794b5e -r 08961be4d05d usr.sbin/npf/npfctl/npf_disassemble.c
--- a/usr.sbin/npf/npfctl/npf_disassemble.c Wed May 30 20:15:56 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf_disassemble.c Wed May 30 21:30:07 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_disassemble.c,v 1.3 2012/03/12 15:32:02 christos Exp $ */
+/* $NetBSD: npf_disassemble.c,v 1.4 2012/05/30 21:30:07 rmind Exp $ */
/*-
* Copyright (c) 2012 The NetBSD Foundation, Inc.
@@ -30,15 +30,17 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_disassemble.c,v 1.3 2012/03/12 15:32:02 christos Exp $");
+__RCSID("$NetBSD: npf_disassemble.c,v 1.4 2012/05/30 21:30:07 rmind Exp $");
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <errno.h>
#include <err.h>
#include <sys/socket.h>
#include <netinet/in.h>
+#include <net/if.h>
#include <util.h>
@@ -47,6 +49,21 @@
#include "npfctl.h"
+enum {
+ NPF_SHOW_SRCADDR,
+ NPF_SHOW_DSTADDR,
+ NPF_SHOW_SRCPORT,
+ NPF_SHOW_DSTPORT,
+ NPF_SHOW_ICMP,
+ NPF_SHOW_TCPF,
+ NPF_SHOW_COUNT,
+};
+
+struct nc_inf {
+ npfvar_t * nci_vlist[NPF_SHOW_COUNT];
+ bool nci_srcdst;
+};
+
#define ADVANCE(n, rv) \
do { \
if (len < sizeof(*pc) * (n)) { \
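Review bot: The new enum and struct nc_inf are undocumented: nothing says what the NPF_SHOW_* indices select or that nci_vlist holds one list per criterion, and the `nc_inf_t` name the new helpers use is not declared in this hunk (presumably a typedef in npfctl.h, which the diffstat lists). A short comment above the struct would help, e.g. `/* Filter criteria collected from n-code, one list per NPF_SHOW_* index; nci_srcdst records the last SRC/DST operand seen. */` — the second half is what the NPF_OPERAND_SD case later in this file stores into it. `npfvar_t * nci_vlist[NPF_SHOW_COUNT];` also detaches the pointer declarator from the name, unlike the rest of the file (`npfvar_t *vl`); write it `npfvar_t *nci_vlist[NPF_SHOW_COUNT];`.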
@@ -84,10 +101,24 @@
return q;
}
+static void
+npfctl_ncode_add_vp(char *buf, nc_inf_t *nci, unsigned idx)
+{
+ npfvar_t *vl = nci->nci_vlist[idx];
+
+ if (vl == NULL) {
+ vl = npfvar_create(".list");
+ nci->nci_vlist[idx] = vl;
+ }
+ npfvar_t *vp = npfvar_create(".string");
+ npfvar_add_element(vp, NPFVAR_STRING, buf, strlen(buf) + 1);
+ npfvar_add_elements(vl, vp);
+}
+
static const char *
npfctl_ncode_operand(char *buf, size_t bufsiz, uint8_t op, const uint32_t *st,
const uint32_t *ipc, const uint32_t **pcv, size_t *lenv,
- const uint32_t ***t, size_t *l, size_t *m)
+ const uint32_t ***t, size_t *l, size_t *m, nc_inf_t *nci)
{
const uint32_t *pc = *pcv;
size_t len = *lenv;
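Review bot: npfctl_ncode_add_vp ignores the result of `npfvar_add_element`, which npf_data.c in this same diff treats as fallible (`if (!npfvar_add_element(...)) goto out;`), and, if `npfvar_create` can return NULL, neither create result is checked before use either. Because the helper returns void the failure has nowhere to go, so on an allocation failure a criterion is silently dropped from the listing. Making it return bool, with `if (!npfvar_add_element(vp, NPFVAR_STRING, buf, strlen(buf) + 1)) { npfvar_destroy(vp); return false; }` and a check at the call sites (which are not in the visible part of the diff), would surface that. Separately, buf is only read here, so `const char *buf` states the contract.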
@@ -99,14 +130,14 @@
case NPF_OPERAND_REGISTER:
if (*pc & ~0x3) {
- warnx("Bad register operand 0x%x at offset %td",
+ warnx("invalid register operand 0x%x at offset %td",
*pc, pc - st);
return NULL;
}
snprintf(buf, bufsiz, "R%d", *pc);
ADVANCE(1, NULL);
break;
-
+
case NPF_OPERAND_KEY:
snprintf(buf, bufsiz, "key=<0x%x>", *pc);
ADVANCE(1, NULL);
@@ -119,12 +150,15 @@
case NPF_OPERAND_SD:
if (*pc & ~0x1) {
- warnx("Bad src/dst operand 0x%x at offset %td",
+ warnx("invalid src/dst operand 0x%x at offset %td",
*pc, pc - st);
return NULL;
}
- snprintf(buf, bufsiz, "%s", *pc == NPF_OPERAND_SD_SRC ?
- "SRC" : "DST");
+ bool srcdst = (*pc == NPF_OPERAND_SD_SRC);
+ if (nci) {
+ nci->nci_srcdst = srcdst;
+ }
+ snprintf(buf, bufsiz, "%s", srcdst ? "SRC" : "DST");
ADVANCE(1, NULL);
break;
@@ -140,8 +174,11 @@
sin->sin_family = AF_INET;
sin->sin_port = 0;
memcpy(&sin->sin_addr, pc, sizeof(sin->sin_addr));
- sockaddr_snprintf(buf, bufsiz, "%a", (struct sockaddr *)(void *)