[src/trunk]: src/usr.sbin/npf/npfctl Add some content to the "Rules" section.

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/usr.sbin/npf/npfctl Add some content to the "Rules" section.
From: spz <spz%NetBSD.org@localhost>
Date: Mon, 06 Apr 2020 23:43:29 +0000

details:   https://anonhg.NetBSD.org/src/rev/397a2f133a4e
branches:  trunk
changeset: 781782:397a2f133a4e
user:      spz <spz%NetBSD.org@localhost>
date:      Sun Sep 30 12:59:31 2012 +0000

description:
Add some content to the "Rules" section.

diffstat:

 usr.sbin/npf/npfctl/npf.conf.5 |  27 ++++++++++++++++++++++++++-
 1 files changed, 26 insertions(+), 1 deletions(-)

diffs (41 lines):

diff -r b8031a5f6b79 -r 397a2f133a4e usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5    Sun Sep 30 11:49:44 2012 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5    Sun Sep 30 12:59:31 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.19 2012/09/30 07:43:03 wiz Exp $
+.\"    $NetBSD: npf.conf.5,v 1.20 2012/09/30 12:59:31 spz Exp $
 .\"
 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -106,6 +106,31 @@
 }
 .Ed
 .Ss Rules
+With a rule statement NPF is instructed to
+.Cd pass
+or
+.Cd block
+a packet depending on packet header information, transit direction and
+interface it arrives on, either immediately upon match (keyword
+.Cd final )
+or using the last match.
+The rule can also instruct NPF to create an entry in the state table
+when passing the packet, to notify the sender when blocking it, and
+to apply a procedure to the packet (e.g. "log") in either case.
+.Pp
+A "fully-featured" rule would for example be:
+.Bd -literal
+pass stateful in final family inet proto tcp flags S/SA \\
+       from $source port $sport to $dest port $dport apply "someproc"
+.Ed
+.Pp
+Any protocol in /etc/protocols can be specified. Further packet
+specification at present is limited to protocol TCP understanding flags,
+TCP and UDP understanding source and destination ports, and ICMP and
+IPv6-ICMP understanding icmp-type.
+.Pp
+Fragments are not selectable since NPF always reassembles packets
+before further processing.
 .Ss Map
 Network Address Translation (NAT) is expressed in a form of segment mapping.
 At present, only dynamic translation is supported.

Prev by Date: [src/trunk]: src/sys/dev/pci Fix debug build
Next by Date: [src/trunk]: src/sys/kern Provide consistent locking around getc() in ttread(...
Previous by Thread: [src/trunk]: src/sys/dev/pci Fix debug build
Next by Thread: [src/trunk]: src/sys/kern Provide consistent locking around getc() in ttread(...
Indexes:

Home | Main Index | Thread Index | Old Index