

[src/trunk]: src/usr.sbin/npf/npfctl Fix and update npf.conf(5), npfctl(8) an...



details:   https://anonhg.NetBSD.org/src/rev/11075d63ccd6
branches:  trunk
changeset: 779925:11075d63ccd6
user:      rmind <rmind%NetBSD.org@localhost>
date:      Wed Jun 27 23:05:28 2012 +0000

description:
Fix and update npf.conf(5), npfctl(8) and its usage message.

diffstat:

 usr.sbin/npf/npfctl/npf.conf.5 |  33 ++++++++++++++++++---------------
 usr.sbin/npf/npfctl/npfctl.8   |  12 +++++++++---
 usr.sbin/npf/npfctl/npfctl.c   |   6 +++---
 3 files changed, 30 insertions(+), 21 deletions(-)

diffs (164 lines):

diff -r a14749fa9ef4 -r 11075d63ccd6 usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5    Wed Jun 27 22:57:27 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5    Wed Jun 27 23:05:28 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.12 2012/06/15 23:24:08 rmind Exp $
+.\"    $NetBSD: npf.conf.5,v 1.13 2012/06/27 23:05:28 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd June 14, 2012
+.Dd June 27, 2012
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
@@ -103,7 +103,7 @@
 Rules for address translation can be added.
 Translation is performed on the specified interface, assigning the specified
 address of said interface.
-There are three types of translation:
+Currently, three types of translation are supported:
 Network Address Port Translation (NAPT) - a regular NAT,
 also known as "outbound NAT";
 Port forwarding (redirection) - also known as "inbound NAT";
@@ -134,15 +134,16 @@
 .Bd -literal
 line           = ( def | table | map | group | rproc )
 
-def            = ( \*[Lt]name\*[Gt] "=" "{ a, b, ... }" | "\*[Lt]text\*[Gt]" | "$\*[Lt]interface\*[Gt]" )
-iface          = ( \*[Lt]interface\*[Gt] | def )
+var            = $\*[Lt]name\*[Gt]
+iface          = ( \*[Lt]interface\*[Gt] | var )
+def            = ( var "=" "{ "\*[Lt]value_1\*[Gt]", "\*[Lt]value_2\*[Gt]", ... }" | "\*[Lt]value\*[Gt]" )
 
 table          = "table" \*[Lt]tid\*[Gt] "type" ( "hash" | "tree" )
                  ( "dynamic" | "file" \*[Lt]path\*[Gt] )
 
 map-di         = ( "->" | "<-" | "<->" )
 map-type       = ( "static" | "dynamic" )
-map            = "map" iface maptype \*[Lt]seg1\*[Gt] mapdi \*[Lt]seg2\*[Gt] [ "pass" filt-opts ]
+map            = "map" iface map-type \*[Lt]seg1\*[Gt] map-di \*[Lt]seg2\*[Gt] [ "pass" filt-opts ]
 
 rproc          = "procedure" \*[Lt]name\*[Gt] procs
 procs          = "{" op1 \*[Lt]newline\*[Gt], op2 \*[Lt]newline\*[Gt], ... "}"
@@ -150,18 +151,18 @@
 norm-opt       = [ "random-id" | "min-ttl" \*[Lt]num\*[Gt] | "max-mss" \*[Lt]num\*[Gt] | "no-df" ]
 
 group          = "group" "(" ( "default" | group-opts ) ")" ruleset
-group-opts     = "interface" iface "," [ "in" | "out" ]
+group-opts     = [ name \*[Lt]name\*[Gt] "," ] "interface" iface [ "," ( "in" | "out" ) ]
 
 ruleset                = "{" rule1 \*[Lt]newline\*[Gt], rule2 \*[Lt]newline\*[Gt], ... "}"
 
 rule           = ( "block" block-opts | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ]
-                 [ "on" iface ] [ "family" fam-opt ] [ "proto" \*[Lt]protocol\*[Gt] ]
+                 [ "on" iface ] [ "family" fam-opt ] [ "proto" \*[Lt]protocol\*[Gt] [ proto-opts ] ]
                  ( "all" | filt-opts ) [ "apply" rproc ] }
 
 fam-opt                = [ "inet" | "inet6" ]
 block-opts     = [ "return-rst" | "return-icmp" | "return" ]
-filt-addr      = iface | def | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt]
-port-opts      = [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] "-" \*[Lt]port-to\*[Gt] | def ) ]
+filt-addr      = iface | var | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt]
+port-opts      = [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] "-" \*[Lt]port-to\*[Gt] | var ) ]
 filt-opts      = [ "from" filt-addr [ port-opts ] ] [ "to" filt-addr [ port-opts ] ]
 proto-opts     = [ "flags" \*[Lt]tcp_flags\*[Gt] | "icmp-type" \*[Lt]type\*[Gt] "code" \*[Lt]code\*[Gt] ]
 .Ed
@@ -186,6 +187,8 @@
 $services_udp = { domain, ntp, 6000 }
 $localnet = { 10.1.1.0/24 }
 
+# Note: if $ext_if has multiple IP address (e.g. IPv6 as well),
+# then the translation address has to be specified explicitly.
 map $ext_if dynamic 10.1.1.0/24 -> $ext_if
 map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if 9022
 
@@ -201,11 +204,11 @@
        pass stateful out final from $ext_if apply "rid"
 
        block in final from \*[Lt]1\*[Gt]
-       pass in final family inet proto tcp to $ext_if port ssh apply "log"
-       pass in final proto tcp to $ext_if port $services_tcp
-       pass in final proto udp to $ext_if port $services_udp
-       pass in final proto tcp to $ext_if port 49151-65535     # Passive FTP
-       pass in final proto udp to $ext_if port 33434-33600     # Traceroute
+       pass stateful in final family inet proto tcp to $ext_if port ssh apply "log"
+       pass stateful in final proto tcp to $ext_if port $services_tcp
+       pass stateful in final proto udp to $ext_if port $services_udp
+       pass stateful in final proto tcp to $ext_if port 49151-65535    # Passive FTP
+       pass stateful in final proto udp to $ext_if port 33434-33600    # Traceroute
 }
 
 group (name "internal", interface $int_if) {
diff -r a14749fa9ef4 -r 11075d63ccd6 usr.sbin/npf/npfctl/npfctl.8
--- a/usr.sbin/npf/npfctl/npfctl.8      Wed Jun 27 22:57:27 2012 +0000
+++ b/usr.sbin/npf/npfctl/npfctl.8      Wed Jun 27 23:05:28 2012 +0000
@@ -1,6 +1,6 @@
-.\"    $NetBSD: npfctl.8,v 1.6 2011/03/24 05:48:54 jruoho Exp $
+.\"    $NetBSD: npfctl.8,v 1.7 2012/06/27 23:05:28 rmind Exp $
 .\"
-.\" Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
+.\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
@@ -27,7 +27,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd March 24, 2011
+.Dd June 27, 2012
 .Dt NPFCTL 8
 .Os
 .Sh NAME
@@ -74,6 +74,11 @@
 Flush configuration.
 That is, remove all rules, tables and expire all sessions.
 This command does not disable packet inspection.
+.It Ic show
+Show the current state and configuration.
+Syntax of printed configuration is for the user and may not match the
+.Xr npf.conf 5
+syntax.
 .It Ic table Ar tid
 List all entries in the currently loaded table specified by
 .Ar tid .
@@ -129,6 +134,7 @@
 .Bd -literal -offset indent
 # npfctl reload
 # npfctl start
+# npfctl show
 .Ed
 .Pp
 Addition and removal of entries in the table whose ID is 2:
diff -r a14749fa9ef4 -r 11075d63ccd6 usr.sbin/npf/npfctl/npfctl.c
--- a/usr.sbin/npf/npfctl/npfctl.c      Wed Jun 27 22:57:27 2012 +0000
+++ b/usr.sbin/npf/npfctl/npfctl.c      Wed Jun 27 23:05:28 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npfctl.c,v 1.12 2012/06/15 23:24:08 rmind Exp $        */
+/*     $NetBSD: npfctl.c,v 1.13 2012/06/27 23:05:28 rmind Exp $        */
 
 /*-
  * Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.12 2012/06/15 23:24:08 rmind Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.13 2012/06/27 23:05:28 rmind Exp $");
 
 #include <sys/ioctl.h>
 #include <sys/stat.h>
@@ -135,7 +135,7 @@
        const char *progname = getprogname();
 
        fprintf(stderr,
-           "usage:\t%s [ start | stop | reload | flush | stats ]\n",
+           "usage:\t%s [ start | stop | reload | flush | show | stats ]\n",
            progname);
        fprintf(stderr,
            "usage:\t%s [ sess-save | sess-load ]\n",
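Review bot: The updated usage string still wraps the subcommand list in square brackets, `"usage:\t%s [ start | stop | reload | flush | show | stats ]\n"`, which in conventional usage syntax marks the whole group as optional even though exactly one command is required; `"usage:\t%s { start | stop | reload | flush | show | stats }\n"` (and likewise `{ sess-save | sess-load }` on the following line) would state the contract precisely. It is also worth confirming that the remaining usage lines printed later in this function and the SYNOPSIS of npfctl.8, which this commit does not touch, list `show` as well, since the man page body now documents it. The usage function begins before this hunk and continues past its last line.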


