

[src/trunk]: src/usr.sbin/npf/npfctl npfctl: extend syntax for extracting int...



details:   https://anonhg.NetBSD.org/src/rev/ea0a9641e9cd
branches:  trunk
changeset: 782929:ea0a9641e9cd
user:      rmind <rmind%NetBSD.org@localhost>
date:      Mon Nov 26 20:34:28 2012 +0000

description:
npfctl: extend syntax for extracting interface IP address(es) by the family.

diffstat:

 usr.sbin/npf/npfctl/npf.conf.5  |  22 ++++++++--
 usr.sbin/npf/npfctl/npf_build.c |   6 +-
 usr.sbin/npf/npfctl/npf_data.c  |  49 ++++++++++------------
 usr.sbin/npf/npfctl/npf_parse.y |  86 ++++++++++++++++++++++++++++------------
 usr.sbin/npf/npfctl/npf_scan.l  |   3 +-
 usr.sbin/npf/npfctl/npf_var.h   |   6 +-
 usr.sbin/npf/npfctl/npfctl.h    |  13 ++++-
 7 files changed, 118 insertions(+), 67 deletions(-)

diffs (truncated from 491 to 300 lines):

diff -r bc5bf6289374 -r ea0a9641e9cd usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5    Mon Nov 26 20:13:54 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5    Mon Nov 26 20:34:28 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.23 2012/09/30 21:15:08 wiz Exp $
+.\"    $NetBSD: npf.conf.5,v 1.24 2012/11/26 20:34:28 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd September 30, 2012
+.Dd November 26, 2012
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -96,6 +96,18 @@
 .Ed
 .Pp
 Tables of type "hash" can only contain IP addresses.
+.Ss Interfaces
+Interfaces can be specified as the values of the variables:
+.Bd -literal
+$pub_if_list = { ifnet(wm0), ifnet(wm1) }
+.Ed
+In the context of filtering, an interface provides a list of its
+all IP addresses, including IPv4 and IPv6.
+Specific interface addresses can be selected by the family, e.g.:
+.Bd -literal
+$pub_if4 = inet4(wm0)
+$pub_if6 = { inet6(wm0) }
+.Ed
 .Ss Groups
 Groups may have the following options: name, interface, and direction.
 They are defined in the following form:
@@ -151,7 +163,7 @@
 The following would translate the source to the IP address specified
 by the $pub_ip for the packets on the interface $ext_if.
 .Bd -literal
-map $ext_if dynamic 10.1.1.0/24 -> $pub_if
+map $ext_if dynamic 10.1.1.0/24 -> $pub_ip
 .Ed
 .Pp
 Translations are implicitly filtered by limiting the operation to the
@@ -256,8 +268,8 @@
 .\" -----
 .Sh EXAMPLES
 .Bd -literal
-$ext_if = "wm0"
-$int_if = "wm1"
+$ext_if = ifnet(wm0)
+$int_if = ifnet(wm1)
 
 table <1> type hash file "/etc/npf_blacklist"
 table <2> type tree dynamic
diff -r bc5bf6289374 -r ea0a9641e9cd usr.sbin/npf/npfctl/npf_build.c
--- a/usr.sbin/npf/npfctl/npf_build.c   Mon Nov 26 20:13:54 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf_build.c   Mon Nov 26 20:34:28 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_build.c,v 1.14 2012/09/16 13:47:41 rmind Exp $     */
+/*     $NetBSD: npf_build.c,v 1.15 2012/11/26 20:34:28 rmind Exp $     */
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.14 2012/09/16 13:47:41 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.15 2012/11/26 20:34:28 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/ioctl.h>
@@ -145,7 +145,7 @@
         * Otherwise, address of invalid family was passed manually.
         */
        if (family != AF_UNSPEC && family != fam->fam_family) {
-               if (!fam->fam_interface) {
+               if (!fam->fam_ifindex) {
                        yyerror("specified address is not of the required "
                            "family %d", family);
                }
diff -r bc5bf6289374 -r ea0a9641e9cd usr.sbin/npf/npfctl/npf_data.c
--- a/usr.sbin/npf/npfctl/npf_data.c    Mon Nov 26 20:13:54 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf_data.c    Mon Nov 26 20:34:28 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_data.c,v 1.18 2012/08/12 03:35:13 rmind Exp $      */
+/*     $NetBSD: npf_data.c,v 1.19 2012/11/26 20:34:28 rmind Exp $      */
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_data.c,v 1.18 2012/08/12 03:35:13 rmind Exp $");
+__RCSID("$NetBSD: npf_data.c,v 1.19 2012/11/26 20:34:28 rmind Exp $");
 
 #include <sys/types.h>
 #include <sys/null.h>
@@ -273,63 +273,60 @@
 }
 
 npfvar_t *
-npfctl_parse_iface(const char *ifname)
+npfctl_parse_ifnet(const char *ifname, const int family)
 {
-       npfvar_t *vp = npfvar_create(".iface");
+       npfvar_t *vpa, *vp;
        struct ifaddrs *ifa;
-       fam_addr_mask_t fam;
-       bool gotif = false;
+       ifnet_addr_t ifna;
 
        if (ifs_list == NULL && getifaddrs(&ifs_list) == -1) {
                err(EXIT_FAILURE, "getifaddrs");
        }
-       memset(&fam, 0, sizeof(fam));
 
-       npfvar_t *ip = npfvar_create(".ifname");
-       if (!npfvar_add_element(ip, NPFVAR_STRING, ifname, strlen(ifname) + 1))
-               goto out;
+       vpa = npfvar_create(".ifaddrs");
+       ifna.ifna_addrs = vpa;
+       ifna.ifna_index = npfctl_find_ifindex(ifname);
+       assert(ifna.ifna_index != 0);
 
        for (ifa = ifs_list; ifa != NULL; ifa = ifa->ifa_next) {
+               fam_addr_mask_t fam;
                struct sockaddr *sa;
-               sa_family_t family;
 
                if (strcmp(ifa->ifa_name, ifname) != 0)
                        continue;
 
-               gotif = true;
                if ((ifa->ifa_flags & IFF_UP) == 0)
                        warnx("interface '%s' is down", ifname);
 
                sa = ifa->ifa_addr;
-               family = sa->sa_family;
-               if (family != AF_INET && family != AF_INET6)
+               if (sa->sa_family != AF_INET && sa->sa_family != AF_INET6)
+                       continue;
+               if (family != AF_UNSPEC && sa->sa_family != family)
                        continue;
 
-               fam.fam_family = family;
-               fam.fam_interface = ip;
+               memset(&fam, 0, sizeof(fam));
+               fam.fam_family = sa->sa_family;
+               fam.fam_ifindex = ifna.ifna_index;
 
-               if (!npfctl_copy_address(family, &fam.fam_addr, sa))
+               if (!npfctl_copy_address(sa->sa_family, &fam.fam_addr, sa))
                        goto out;
 
                if (!npfctl_parse_mask(NULL, fam.fam_family, &fam.fam_mask))
                        goto out;
 
-               if (!npfvar_add_element(vp, NPFVAR_FAM, &fam, sizeof(fam)))
+               if (!npfvar_add_element(vpa, NPFVAR_FAM, &fam, sizeof(fam)))
                        goto out;
-
        }
-       if (!gotif) {
-               yyerror("interface '%s' not found", ifname);
-               goto out;
-       }
-       if (npfvar_get_count(vp) == 0) {
+       if (npfvar_get_count(vpa) == 0) {
                yyerror("no addresses matched for interface '%s'", ifname);
                goto out;
        }
+
+       vp = npfvar_create(".interface");
+       npfvar_add_element(vp, NPFVAR_INTERFACE, &ifna, sizeof(ifna));
        return vp;
 out:
-       npfvar_destroy(vp);
-       npfvar_destroy(ip);
+       npfvar_destroy(ifna.ifna_addrs);
        return NULL;
 }
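Review bot: The new `assert(ifna.ifna_index != 0)` turns an interface name that does not exist in npf.conf into an abort, or, with assertions compiled out, into an ifindex of 0 that npf_build.c then treats as "not an interface address" and the loop reports as the misleading "no addresses matched"; the removed `gotif` check used to report this as a proper parse error. Unless npfctl_find_ifindex() already calls yyerror() itself (it is not in this diff), the lookup result should be validated with the same yyerror/goto out pattern the rest of the function uses, since configuration input is not a programming invariant. The final `npfvar_add_element(vp, NPFVAR_INTERFACE, ...)` is also the only add in the function whose return value is not checked, so a failure leaks `vp` and hands the parser a half-built variable. A pre-existing issue in the unchanged context is that `sa->sa_family` is read without checking `ifa->ifa_addr` for NULL, which getifaddrs(3) allows for some interfaces.
```c
	vpa = npfvar_create(".ifaddrs");
	ifna.ifna_addrs = vpa;
	ifna.ifna_index = npfctl_find_ifindex(ifname);
	if (ifna.ifna_index == 0) {
		yyerror("interface '%s' not found", ifname);
		goto out;
	}
	/* … unchanged: address enumeration loop and count check … */
	vp = npfvar_create(".interface");
	if (!npfvar_add_element(vp, NPFVAR_INTERFACE, &ifna, sizeof(ifna))) {
		npfvar_destroy(vp);
		goto out;
	}
	return vp;
```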
 
diff -r bc5bf6289374 -r ea0a9641e9cd usr.sbin/npf/npfctl/npf_parse.y
--- a/usr.sbin/npf/npfctl/npf_parse.y   Mon Nov 26 20:13:54 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf_parse.y   Mon Nov 26 20:34:28 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_parse.y,v 1.16 2012/11/15 22:20:27 rmind Exp $     */
+/*     $NetBSD: npf_parse.y,v 1.17 2012/11/26 20:34:28 rmind Exp $     */
 
 /*-
  * Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -100,6 +100,7 @@
 %token                 HASH
 %token                 ICMPTYPE
 %token                 ID
+%token                 IFNET
 %token                 IN
 %token                 INET
 %token                 INET6
@@ -143,10 +144,11 @@
 
 %type  <str>           addr, some_name, list_elem, table_store
 %type  <str>           proc_param_val, opt_apply
-%type  <num>           ifindex, port, opt_final, on_iface
-%type  <num>           block_or_pass, rule_dir, block_opts, opt_family
+%type  <num>           ifindex, port, opt_final, on_ifindex
+%type  <num>           afamily, opt_family
+%type  <num>           block_or_pass, rule_dir, block_opts
 %type  <num>           opt_stateful, icmp_type, table_type, map_sd, map_type
-%type  <var>           addr_or_iface, port_range, icmp_type_and_code
+%type  <var>           ifnet, addr_or_ifnet, port_range, icmp_type_and_code
 %type  <var>           filt_addr, addr_and_mask, tcp_flags, tcp_flags_and_mask
 %type  <var>           procs, proc_call, proc_param_list, proc_param
 %type  <addrport>      mapseg
@@ -158,9 +160,9 @@
        char *          str;
        unsigned long   num;
        double          fpnum;
+       npfvar_t *      var;
        addr_port_t     addrport;
        filt_opts_t     filtopts;
-       npfvar_t *      var;
        opt_proto_t     optproto;
        rule_group_t    rulegroup;
 }
@@ -241,6 +243,10 @@
                npfvar_add_element(vp, NPFVAR_VAR_ID, $1, strlen($1) + 1);
                npfvar_add_elements(cvar, vp);
        }
+       | ifnet
+       {
+               npfvar_add_elements(cvar, $1);
+       }
        | addr_and_mask
        {
                npfvar_add_elements(cvar, $1);
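Review bot: The new `| ifnet { npfvar_add_elements(cvar, $1); }` alternative passes `$1` straight through, but npfctl_parse_ifnet() returns NULL on its failure paths, so if the `ifnet` rule (defined outside this diff) forwards that value and yyerror() does not terminate the parse, npfvar_add_elements() is handed a NULL list. If yyerror() is fatal in npfctl this is harmless, and a one-line comment such as `/* ifnet is never NULL here: npfctl_parse_ifnet() fails via yyerror() */` would record that assumption; otherwise the alternative needs a `if ($1 != NULL)` guard. The enclosing list_elem rule starts before this hunk.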
@@ -277,7 +283,7 @@
        ;
 
 mapseg
-       : addr_or_iface port_range
+       : addr_or_ifnet port_range
        {
                $$.ap_netaddr = $1;
                $$.ap_portrange = $2;
@@ -420,8 +426,8 @@
        ;
 
 rule
-       : block_or_pass opt_stateful rule_dir opt_final on_iface opt_family
-         opt_proto all_or_filt_opts opt_apply
+       : block_or_pass opt_stateful rule_dir opt_final on_ifindex
+         opt_family opt_proto all_or_filt_opts opt_apply
        {
                /*
                 * Arguments: attributes, interface index, address
@@ -449,14 +455,18 @@
        |                       { $$ = 0; }
        ;
 
-on_iface
+on_ifindex
        : ON ifindex            { $$ = $2; }
        |                       { $$ = 0; }
        ;
 
+afamily
+       : INET                  { $$ = AF_INET; }
+       | INET6                 { $$ = AF_INET6; }
+       ;
+
 opt_family
-       : FAMILY INET           { $$ = AF_INET; }
-       | FAMILY INET6          { $$ = AF_INET6; }
+       : FAMILY afamily        { $$ = $2; }
        |                       { $$ = AF_UNSPEC; }
        ;
 
@@ -546,7 +556,7 @@
        ;
 
 filt_addr
-       : addr_or_iface         { $$ = $1; }
+       : addr_or_ifnet         { $$ = $1; }
        | TABLE_ID              { $$ = npfctl_parse_table_id($1); }
        | ANY                   { $$ = NULL; }
        ;
@@ -570,36 +580,37 @@
        }
        ;
 
-addr_or_iface
+addr_or_ifnet
        : addr_and_mask
        {


