[src/trunk]: src/usr.sbin/npf/npfctl - Extend npf.conf syntax to support dyna...
details: https://anonhg.NetBSD.org/src/rev/c9862ab5e4cb
branches: trunk
changeset: 785530:c9862ab5e4cb
user: rmind <rmind%NetBSD.org@localhost>
date: Mon Mar 18 02:17:49 2013 +0000
description:
- Extend npf.conf syntax to support dynamic NAT policies.
- Imply dynamic group when using "ruleset" keyword.
diffstat:
usr.sbin/npf/npfctl/npf_build.c | 20 ++++++++++++++++++--
usr.sbin/npf/npfctl/npf_parse.y | 24 +++++++++++++++++++-----
usr.sbin/npf/npfctl/npf_scan.l | 4 ++--
usr.sbin/npf/npfctl/npfctl.c | 28 +++++++++++++++-------------
usr.sbin/npf/npfctl/npfctl.h | 3 ++-
5 files changed, 56 insertions(+), 23 deletions(-)
diffs (210 lines):
diff -r fa92a05e25a5 -r c9862ab5e4cb usr.sbin/npf/npfctl/npf_build.c
--- a/usr.sbin/npf/npfctl/npf_build.c Mon Mar 18 00:17:20 2013 +0000
+++ b/usr.sbin/npf/npfctl/npf_build.c Mon Mar 18 02:17:49 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_build.c,v 1.21 2013/02/16 21:11:14 rmind Exp $ */
+/* $NetBSD: npf_build.c,v 1.22 2013/03/18 02:17:49 rmind Exp $ */
/*-
* Copyright (c) 2011-2013 The NetBSD Foundation, Inc.
@@ -34,7 +34,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npf_build.c,v 1.21 2013/02/16 21:11:14 rmind Exp $");
+__RCSID("$NetBSD: npf_build.c,v 1.22 2013/03/18 02:17:49 rmind Exp $");
#include <sys/types.h>
#include <sys/ioctl.h>
@@ -453,6 +453,22 @@
}
}
+void
+npfctl_build_maprset(const char *name, int attr, u_int if_idx)
+{
+ const int attr_di = (NPF_RULE_IN | NPF_RULE_OUT);
+ nl_rule_t *rl;
+
+ /* If no direction is not specified, then both. */
+ if ((attr & attr_di) == 0) {
+ attr |= attr_di;
+ }
+ /* Allow only "in/out" attributes. */
+ attr = NPF_RULE_GROUP | NPF_RULE_GROUP | (attr & attr_di);
+ rl = npf_rule_create(name, attr, if_idx);
+ npf_nat_insert(npf_conf, rl, NPF_PRI_LAST);
+}
+
/*
* npfctl_build_group: create a group, insert into the global ruleset,
* update the current group pointer and increase the nesting level.
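Review bot: `attr = NPF_RULE_GROUP | NPF_RULE_GROUP | (attr & attr_di);` in npfctl_build_maprset ORs the same flag twice, so the second operand is a no-op; since the commit's purpose is dynamic NAT policies and the parser's new ruleset production marks its group with NPF_RULE_DYNAMIC, the second term was presumably meant to be `NPF_RULE_DYNAMIC` — please confirm, because as written the inserted NAT rule set carries no dynamic flag. The comment above it is a double negative; suggest `/* If no direction is specified, then both. */`. The function also lacks the leading block comment its neighbour npfctl_build_group has; suggest `/* npfctl_build_maprset: create a NAT rule set (group) restricted to the in/out attributes and insert it last into the global NAT list. */`. Whether npf_rule_create can return NULL (the result is passed straight to npf_nat_insert) is not visible in this hunk.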
diff -r fa92a05e25a5 -r c9862ab5e4cb usr.sbin/npf/npfctl/npf_parse.y
--- a/usr.sbin/npf/npfctl/npf_parse.y Mon Mar 18 00:17:20 2013 +0000
+++ b/usr.sbin/npf/npfctl/npf_parse.y Mon Mar 18 02:17:49 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_parse.y,v 1.20 2013/03/11 00:09:07 christos Exp $ */
+/* $NetBSD: npf_parse.y,v 1.21 2013/03/18 02:17:49 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -131,6 +131,7 @@
%token RETURN
%token RETURNICMP
%token RETURNRST
+%token RULESET
%token SEPLINE
%token SLASH
%token STATEFUL
@@ -310,6 +311,10 @@
{
npfctl_build_natseg($3, $5, $2, &$4, &$6, NULL);
}
+ | MAP RULESET PAR_OPEN group_attr PAR_CLOSE
+ {
+ npfctl_build_maprset($4.rg_name, $4.rg_attr, $4.rg_ifnum);
+ }
;
rproc
@@ -383,6 +388,15 @@
}
;
+ruleset
+ : RULESET PAR_OPEN group_attr PAR_CLOSE
+ {
+ /* Ruleset is a dynamic group. */
+ npfctl_build_group($3.rg_name, $3.rg_attr | NPF_RULE_DYNAMIC,
+ $3.rg_ifnum, $3.rg_default);
+ npfctl_build_group_end();
+ }
+
group_attr
: group_opt COMMA group_attr
{
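Review bot: The new `ruleset` production ends at its closing `}` without the terminating `;` that every neighbouring production in this grammar carries (for example the `;` closing `rproc` just above it); yacc accepts the omission, but the inconsistency makes the rule boundary harder to see, so add `;` on its own line after the action's `}`. The action builds the group and immediately ends it, which matches the "dynamic group" intent stated in the comment, so only the terminator is at issue.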
@@ -443,18 +457,18 @@
;
ruleset_block
- : CURLY_OPEN ruleset CURLY_CLOSE
- | /* Empty (for a dynamic ruleset). */
+ : CURLY_OPEN ruleset_def CURLY_CLOSE
;
-ruleset
- : rule_group SEPLINE ruleset
+ruleset_def
+ : rule_group SEPLINE ruleset_def
| rule_group
;
rule_group
: rule
| group
+ | ruleset
|
rule
diff -r fa92a05e25a5 -r c9862ab5e4cb usr.sbin/npf/npfctl/npf_scan.l
--- a/usr.sbin/npf/npfctl/npf_scan.l Mon Mar 18 00:17:20 2013 +0000
+++ b/usr.sbin/npf/npfctl/npf_scan.l Mon Mar 18 02:17:49 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npf_scan.l,v 1.10 2013/02/09 03:35:33 rmind Exp $ */
+/* $NetBSD: npf_scan.l,v 1.11 2013/03/18 02:17:49 rmind Exp $ */
/*-
* Copyright (c) 2011-2012 The NetBSD Foundation, Inc.
@@ -130,7 +130,7 @@
return-rst return RETURNRST;
return-icmp return RETURNICMP;
return return RETURN;
-ruleset return GROUP;
+ruleset return RULESET;
from return FROM;
to return TO;
port return PORT;
diff -r fa92a05e25a5 -r c9862ab5e4cb usr.sbin/npf/npfctl/npfctl.c
--- a/usr.sbin/npf/npfctl/npfctl.c Mon Mar 18 00:17:20 2013 +0000
+++ b/usr.sbin/npf/npfctl/npfctl.c Mon Mar 18 02:17:49 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.c,v 1.35 2013/03/11 00:39:32 christos Exp $ */
+/* $NetBSD: npfctl.c,v 1.36 2013/03/18 02:17:49 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: npfctl.c,v 1.35 2013/03/11 00:39:32 christos Exp $");
+__RCSID("$NetBSD: npfctl.c,v 1.36 2013/03/18 02:17:49 rmind Exp $");
#include <sys/ioctl.h>
#include <sys/stat.h>
@@ -404,35 +404,37 @@
static const struct ruleops_s {
const char * cmd;
int action;
+ bool extra_arg;
} ruleops[] = {
- { "add", NPF_CMD_RULE_ADD },
- { "rem", NPF_CMD_RULE_REMKEY },
- { "del", NPF_CMD_RULE_REMKEY },
- { "rem-id", NPF_CMD_RULE_REMOVE },
- { "list", NPF_CMD_RULE_LIST },
- { "flush", NPF_CMD_RULE_FLUSH },
- { NULL, 0 }
+ { "add", NPF_CMD_RULE_ADD, true },
+ { "rem", NPF_CMD_RULE_REMKEY, true },
+ { "del", NPF_CMD_RULE_REMKEY, true },
+ { "rem-id", NPF_CMD_RULE_REMOVE, true },
+ { "list", NPF_CMD_RULE_LIST, false },
+ { "flush", NPF_CMD_RULE_FLUSH, false },
+ { NULL, 0, 0 }
};
uint8_t key[NPF_RULE_MAXKEYLEN];
const char *ruleset_name = argv[0];
const char *cmd = argv[1];
int error, action = 0;
uint64_t rule_id;
+ bool extra_arg;
nl_rule_t *rl;
for (int n = 0; ruleops[n].cmd != NULL; n++) {
if (strcmp(cmd, ruleops[n].cmd) == 0) {
action = ruleops[n].action;
+ extra_arg = ruleops[n].extra_arg;
break;
}
}
+ argc -= 2;
+ argv += 2;
- bool narg = action == NPF_CMD_RULE_LIST || action == NPF_CMD_RULE_FLUSH;
- if (!action || (argc < 3 && !narg)) {
+ if (!action || (extra_arg && argc == 0)) {
usage();
}
- argc -= 2;
- argv += 2;
switch (action) {
case NPF_CMD_RULE_ADD:
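Review bot: `bool extra_arg;` is declared uninitialized and assigned only inside the matching branch of the ruleops loop; the `!action ||` short-circuit keeps the later read well-defined, but that coupling is fragile and draws -Wmaybe-uninitialized, so initialise it: `bool extra_arg = false;`. The replacement condition `argc == 0` is narrower than the removed `argc < 3`: after `argc -= 2` a caller passing fewer than two arguments yields a negative argc that slips through, whereas the old test rejected it — `argc < 1` keeps the old coverage (whether the caller already guarantees argc >= 2 is not visible here). The new sentinel row `{ NULL, 0, 0 }` initialises the bool member with `0`; `false` would match the other rows. The enclosing function starts before and continues past this hunk.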
diff -r fa92a05e25a5 -r c9862ab5e4cb usr.sbin/npf/npfctl/npfctl.h
--- a/usr.sbin/npf/npfctl/npfctl.h Mon Mar 18 00:17:20 2013 +0000
+++ b/usr.sbin/npf/npfctl/npfctl.h Mon Mar 18 02:17:49 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: npfctl.h,v 1.27 2013/02/16 21:11:15 rmind Exp $ */
+/* $NetBSD: npfctl.h,v 1.28 2013/03/18 02:17:49 rmind Exp $ */
/*-
* Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
@@ -199,6 +199,7 @@
const opt_proto_t *, const filt_opts_t *, const char *);
void npfctl_build_natseg(int, int, u_int, const addr_port_t *,
const addr_port_t *, const filt_opts_t *);
+void npfctl_build_maprset(const char *, int, u_int);
void npfctl_build_table(const char *, u_int, const char *);
#endif