[src/trunk]: src/usr.sbin/npf/npfd add man page, lint cleanups.

[christos <christos%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/6dd70e919b0e
branches:  trunk
changeset: 820343:6dd70e919b0e
user:      christos <christos%NetBSD.org@localhost>
date:      Sat Jan 07 16:48:03 2017 +0000

description:
add man page, lint cleanups.

diffstat:

 usr.sbin/npf/npfd/Makefile   |    6 +-
 usr.sbin/npf/npfd/npfd.8     |  244 +++++++++++++++++++++++++++++++++++++++++++
 usr.sbin/npf/npfd/npfd.c     |    5 +-
 usr.sbin/npf/npfd/npfd_log.c |   10 +-
 4 files changed, 254 insertions(+), 11 deletions(-)

diffs (truncated from 344 to 300 lines):

diff -r bd2abbf55c6d -r 6dd70e919b0e usr.sbin/npf/npfd/Makefile
--- a/usr.sbin/npf/npfd/Makefile        Sat Jan 07 16:36:54 2017 +0000
+++ b/usr.sbin/npf/npfd/Makefile        Sat Jan 07 16:48:03 2017 +0000
@@ -1,12 +1,11 @@
-# $NetBSD: Makefile,v 1.4 2017/01/06 19:20:24 christos Exp $
+# $NetBSD: Makefile,v 1.5 2017/01/07 16:48:03 christos Exp $
 #
 # Public Domain
 #
 
-NOMAN=
 PROG=          npfd
+MAN=           npfd.8
 
-DBG=-g
 SRCS=          npfd.c npfd_log.c
 CPPFLAGS+=     -I${.CURDIR}
 
@@ -14,6 +13,5 @@
 DPADD+=                ${LIBNPF} ${LIBPCAP} ${LIBUTIL}
 
 WARNS=         5
-NOLINT=                # disabled deliberately
 
 .include <bsd.prog.mk>
diff -r bd2abbf55c6d -r 6dd70e919b0e usr.sbin/npf/npfd/npfd.8
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/usr.sbin/npf/npfd/npfd.8  Sat Jan 07 16:48:03 2017 +0000
@@ -0,0 +1,244 @@
+.\"    $NetBSD: npfd.8,v 1.1 2017/01/07 16:48:03 christos Exp $
+.\"    $OpenBSD: pflogd.8,v 1.35 2007/05/31 19:19:47 jmc Exp $
+.\"
+.\" Copyright (c) 2001 Can Erkin Acar.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" 
+.Dd January 5, 2017
+.Dt NPFD 8
+.Os
+.Sh NAME
+.Nm npfd
+.Nd packet filter logging and state synchronization daemon
+.Sh SYNOPSIS
+.Nm npfd
+.Bk -words
+.Op Fl D
+.Op Fl d Ar delay
+.Op Fl f Ar filename
+.Op Fl i Ar interface
+.Op Fl p Ar pidfile
+.Op Fl s Ar snaplen
+.Op Ar expression
+.Ek
+.Sh DESCRIPTION
+.Nm
+is a background daemon which reads packets logged by
+.Xr npf 7
+to an
+.\" .Xr npflog 4
+npflog
+interface, normally
+.Pa npflog0 ,
+and writes the packets to a logfile (normally
+.Pa /var/log/npflog0.pcap )
+in
+.Xr pcap 3
+format, which can be read by
+.Xr tcpdump 8 .
+These logs can be reviewed later using the
+.Fl r
+option of
+.Xr tcpdump 8 ,
+hopefully offline in case there are bugs in the packet parsing code of
+.Xr tcpdump 8 .
+.Pp
+.Nm
+closes and then re-opens the log file when it receives
+.Dv SIGHUP ,
+permitting
+.Xr newsyslog 8
+to rotate logfiles automatically.
+.Dv SIGALRM
+causes
+.Nm
+to flush the current logfile buffers to the disk, thus making the most
+recent logs available.
+The buffers are also flushed every
+.Ar delay
+seconds.
+.Pp
+If the log file contains data after a restart or a
+.Dv SIGHUP ,
+new logs are appended to the existing file.
+If the existing log file was created with a different snaplen,
+.Nm
+temporarily uses the old snaplen to keep the log file consistent.
+.Pp
+.Nm
+tries to preserve the integrity of the log file against I/O errors.
+Furthermore, integrity of an existing log file is verified before
+appending.
+If there is an invalid log file or an I/O error, the log file is moved
+out of the way and a new one is created.
+If a new file cannot be created, logging is suspended until a
+.Dv SIGHUP
+or a
+.Dv SIGALRM
+is received.
+.Pp
+If
+.Dv SIGINFO
+is received, then
+.Nm
+logs capture statistics to
+.Xr syslogd 8 .
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl D
+Debugging mode.
+.Nm
+does not disassociate from the controlling terminal.
+.It Fl d Ar delay
+Time in seconds to delay between automatic flushes of the file.
+This may be specified with a value between 5 and 3600 seconds.
+If not specified, the default is 60 seconds.
+.It Fl f Ar filename
+Log output filename.
+Default is
+.Pa /var/log/npflog0.pcap .
+.It Fl i Ar interface
+Specifies the
+npflog
+.\" .Xr if_npflog 4
+interface to use.
+By default,
+.Nm
+will use
+.Ar npflog0 .
+.It Fl p Ar pidfile
+Writes a file containing the process ID of the program.
+The file name has the form
+.Pa /var/run/npfd.pid .
+If the option is not given,
+.Ar pidfile
+defaults to
+.Pa npfd .
+.It Fl s Ar snaplen
+Analyze at most the first
+.Ar snaplen
+bytes of data from each packet rather than the default of 116.
+The default of 116 is adequate for IP, ICMP, TCP, and UDP headers but may
+truncate protocol information for other protocols.
+Other file parsers may desire a higher snaplen.
+.\" .It Fl x
+.\" Check the integrity of an existing log file, and return.
+.It Ar expression
+Selects which packets will be dumped, using the regular language of
+.Xr tcpdump 8 .
+.El
+.Sh FILES
+.Bl -tag -width /var/run/npflog0.pcap -compact
+.It Pa /var/run/npfd.pid
+Process ID of the currently running
+.Nm .
+.It Pa /var/log/npflog0.pcap
+Default log file.
+.El
+.Sh EXAMPLES
+Log specific tcp packets to a different log file with a large snaplen
+(useful with a log-all rule to dump complete sessions):
+.Bd -literal -offset indent
+# npfd -s 1600 -f suspicious.log port 80 and host evilhost
+.Ed
+.Pp
+Log from another
+.\" .Xr pflog 4
+npflog 
+interface, excluding specific packets:
+.Bd -literal -offset indent
+# npfd -i npflog3 -f network3.log "not (tcp and port 23)"
+.Ed
+.Pp
+Display binary logs:
+.Bd -literal -offset indent
+# tcpdump -n -e -ttt -r /var/log/npflog0.pcap
+.Ed
+.Pp
+Display the logs in real time (this does not interfere with the
+operation of
+.Nm ) :
+.Bd -literal -offset indent
+# tcpdump -n -e -ttt -i npflog0.pcap
+.Ed
+.Pp
+Tcpdump has been extended to be able to filter on the
+.Ox
+pfloghdr
+structure defined in
+.Ar sys/net/npf/if_npflog.h .
+Tcpdump can restrict the output
+to packets logged on a specified interface, a rule number, a reason,
+a direction, an IP family or an action.
+.Pp
+.Bl -tag -width "ruleset rules " -compact
+.It ip
+Address family equals IPv4.
+.It ip6
+Address family equals IPv6.
+.It ifname kue0
+Interface name equals "kue0".
+.It on kue0
+Interface name equals "kue0".
+.It ruleset rules
+Ruleset name equals "rules".
+.It rulenum 10
+Rule number equals 10.
+.It reason match
+Reason equals match.
+.\" Also accepts "bad-offset", "fragment", "bad-timestamp", "short",
+.\" "normalize", "memory", "congestion", "ip-option", "proto-cksum",
+.\" "state-mismatch", "state-insert", "state-limit", "src-limit",
+.\" and "synproxy".
+.It action pass
+Action equals pass.
+Also accepts "block".
+.It inbound
+The direction was inbound.
+.It outbound
+The direction was outbound.
+.El
+.Pp
+Display the logs in real time of inbound packets that were blocked on
+the wi0 interface:
+.Bd -literal -offset indent
+# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0
+.Ed
+.Sh SEE ALSO
+.Xr pcap 3 ,
+\" .Xr if_npflog 4 ,
+.Xr npf.conf 5 ,
+.Xr newsyslog 8 ,
+.Xr npf 7 ,
+.Xr tcpdump 8
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Nx 8.0 .
+.Sh AUTHORS
+This manual page was written by
+.An Can Erkin Acar Aq Mt canacar%openbsd.org@localhost .
diff -r bd2abbf55c6d -r 6dd70e919b0e usr.sbin/npf/npfd/npfd.c
--- a/usr.sbin/npf/npfd/npfd.c  Sat Jan 07 16:36:54 2017 +0000
+++ b/usr.sbin/npf/npfd/npfd.c  Sat Jan 07 16:48:03 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npfd.c,v 1.5 2017/01/06 19:20:24 christos Exp $        */
+/*     $NetBSD: npfd.c,v 1.6 2017/01/07 16:48:03 christos Exp $        */
 
 /*-
  * Copyright (c) 2015 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: npfd.c,v 1.5 2017/01/06 19:20:24 christos Exp $");
+__RCSID("$NetBSD: npfd.c,v 1.6 2017/01/07 16:48:03 christos Exp $");
 
 #include <stdio.h>
 #include <string.h>
@@ -98,6 +98,7 @@
                                continue;
                        syslog(LOG_ERR, "poll failed: %m");
                        exit(EXIT_FAILURE);
+                       /*NOTREACHED*/
                case 0:
                        npfd_log_flush(log);
                        continue;
diff -r bd2abbf55c6d -r 6dd70e919b0e usr.sbin/npf/npfd/npfd_log.c