[src/trunk]: src/usr.sbin/npf/npfctl Improve markup.

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/usr.sbin/npf/npfctl Improve markup.
From: uwe <uwe%NetBSD.org@localhost>
Date: Tue, 07 Apr 2020 10:55:01 +0000
details:   https://anonhg.NetBSD.org/src/rev/7b2fd8441de9
branches:  trunk
changeset: 836003:7b2fd8441de9
user:      uwe <uwe%NetBSD.org@localhost>
date:      Fri Sep 21 09:42:18 2018 +0000

description:
Improve markup.

diffstat:

 usr.sbin/npf/npfctl/npf.conf.5 |  278 ++++++++++++++++++++++------------------
 1 files changed, 154 insertions(+), 124 deletions(-)

diffs (truncated from 483 to 300 lines):

diff -r 61f5d2301729 -r 7b2fd8441de9 usr.sbin/npf/npfctl/npf.conf.5
--- a/usr.sbin/npf/npfctl/npf.conf.5    Fri Sep 21 08:43:18 2018 +0000
+++ b/usr.sbin/npf/npfctl/npf.conf.5    Fri Sep 21 09:42:18 2018 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: npf.conf.5,v 1.77 2018/09/21 07:22:26 maxv Exp $
+.\"    $NetBSD: npf.conf.5,v 1.78 2018/09/21 09:42:18 uwe Exp $
 .\"
 .\" Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -46,7 +46,8 @@
 There are multiple structural elements that
 .Nm
 may contain, such as:
-.Bl -bullet -offset indent
+.Pp
+.Bl -bullet -offset indent -compact
 .It
 variables
 .It
@@ -64,40 +65,52 @@
 .El
 .Sh SYNTAX
 .Ss Variables
-Variables are specified using the dollar ($) sign, which is used for both
+Variables are specified using the dollar
+.Pq Li $
+sign, which is used for both
 definition and referencing of a variable.
 Variables are defined by assigning a value to them as follows:
-.Bd -literal
-$var1 = 10.0.0.1
-.Ed
+.Pp
+.Dl $var1 = 10.0.0.1
 .Pp
 A variable may also be defined as a set:
-.Bd -literal
-$var2 = { 10.0.0.1, 10.0.0.2 }
-.Ed
+.Pp
+.Dl $var2 = { 10.0.0.1, 10.0.0.2 }
 .Pp
 Common variable definitions are for IP addresses, networks, ports,
 and interfaces.
 .Ss Tables
 Tables are specified using a name between angle brackets
-< and >.
+.Sq Li <
+and
+.Sq Li > .
 The following is an example of table definition:
-.Bd -literal
-table <black> type hash dynamic
+.Pp
+.Dl table <black> type hash dynamic
 .Pp
-.Ed
-Currently, tables support three data storage types: "hash", "tree", or "cdb".
-Tables can also be set as containing "dynamic" or "static" data i.e. loaded
-from a specified file.
-Tables of type "hash" and "cdb" can only contain IP addresses.
-Only static data can be used with a storage type of "cdb".
+Currently, tables support three data storage types:
+.Cm hash,
+.Cm tree ,
+or
+.Cm cdb .
+Tables can also be set as containing
+.Cm dynamic
+or
+.Cm static
+data i.e. loaded from a specified file.
+Tables of type
+.Dq hash
+and
+.Dq cdb
+can only contain IP addresses.
+Only static data can be used with a storage type of
+.Dq cdb .
 .Pp
 The specified file should contain a list of IP addresses and/or networks in the
-form of:
-.Bd -literal
-10.0.0.0/24
-10.1.1.1
-.Ed
+form of
+.Li 10.1.1.1
+or
+.Li 10.0.0.0/24
 .Ss Interfaces
 In NPF, an interface can be referenced directly by using its name, or can be
 passed to an extraction function which will return a list of IP addresses
@@ -113,26 +126,26 @@
 load, whereas with a dynamic list NPF will capture the runtime list of
 addresses, reflecting any changes to the interface, including the attach and
 detach.
-Note that with a dynamic list, marking the interface as ``down'' has no effect,
+Note that with a dynamic list, bringing the interface down has no effect,
 all addresses will remain present.
 .Pp
 Three functions exist, to extract addresses from an interface with a chosen
 list type and IP address type:
-.Bl -tag -width Xifaddrs()XX -offset indent
-.It Fn inet4
-Static list, IPv4 addresses.
-.It Fn inet6
-Static list, IPv6 addresses.
-.It Fn ifaddrs
-Dynamic list, both IPv4 and IPv6.
+.Bl -tag -width "Fn ifaddrs interface" -offset indent
+.It Fn inet4 interface
+Static list.  IPv4 addresses.
+.It Fn inet6 interface
+Static list.  IPv6 addresses.
+.It Fn ifaddrs interface
+Dynamic list.  Both IPv4 and IPv6.
 The
-.Cd family
-keyword can be used in combination of a filtering rule to explicitly select
+.Cm family
+keyword of a filtering rule can be used in combination to explicitly select
 an IP address type.
 .El
 .Pp
 Example of configuration:
-.Bd -literal
+.Bd -literal -offset indent
 $var1 = inet4(wm0)
 $var2 = ifaddrs(wm0)
 group default {
@@ -144,11 +157,14 @@
 }
 .Ed
 .Pp
-In the above example, $var1 is the static list of IPv4 addresses configured
-on wm0, and $var2 is the dynamic list of all the IPv4 and IPv6 addresses
-configured on wm0.
+In the above example,
+.Li $var1
+is the static list of IPv4 addresses configured
+on wm0, and
+.Li $var2
+is the dynamic list of all the IPv4 and IPv6 addresses configured on wm0.
 The first three rules are equivalent, because with the
-.Cd block ... on <interface>
+.Li Ic block Ar "..." Cm on Li < Ns Ar interface Ns Li >
 syntax, NPF expects a direct reference to an interface, and therefore does
 not consider the extraction functions.
 The fourth and fifth rules are equivalent, for the same reason.
@@ -158,13 +174,14 @@
 Groups may have the following options: name, interface, and direction.
 Packets matching group criteria are passed to the ruleset of that group.
 If a packet does not match any group, it is passed to the
-.Cd default group .
+.Dv default
+group.
 The
-.Cd default group
-must always be defined.
+.Dv default
+group must always be defined.
 .Pp
 Example of configuration:
-.Bd -literal
+.Bd -literal -offset indent
 group "my-name" in on wm0 {
        # List of rules, for packets received on wm0
 }
@@ -174,21 +191,21 @@
 .Ed
 .Ss Rules
 With a rule statement NPF is instructed to
-.Cd pass
+.Ic pass
 or
-.Cd block
+.Ic block
 a packet depending on packet header information, transit direction and
 the interface it arrived on, either immediately upon match or using the
 last match.
 .Pp
 If a packet matches a rule which has the
-.Cd final
+.Cm final
 option set, this rule is considered the last matching rule, and
 evaluation of subsequent rules is skipped.
 Otherwise, the last matching rule is used.
 .Pp
 The
-.Cd proto
+.Cm proto
 keyword can be used to filter packets by layer 4 protocol (TCP, UDP, ICMP
 or other).
 Its parameter should be a protocol number or its symbolic name,
@@ -196,38 +213,48 @@
 .Pa /etc/protocols
 file.
 This keyword can additionally have protocol-specific options, such as
-.Cd flags .
+.Cm flags .
 .Pp
 The
 .Cd flags
 keyword can be used to match the packets against specific TCP flags,
 according to the following syntax:
-.Bl -tag -width protoXX -offset indent
-.It proto tcp flags Ar match[/mask]
-.El
+.Pp
+.Dl Ic proto Cm tcp flags Ar match Ns Li [/ Ns Ar mask Ns Li ]
 .Pp
 Where
 .Ar match
 is the set of TCP flags to be matched, out of the
 .Ar mask
-set, both sets being represented as a string combination of: S (SYN),
-A (ACK), F (FIN), R (RST). The flags that are not present in
+set, both sets being represented as a string combination of:
+.Sq Cm S
+(SYN),
+.Sq Cm A
+(ACK),
+.Sq Cm F
+(FIN), and
+.Sq Cm R
+(RST).
+The flags that are not present in
 .Ar mask
 are ignored.
 .Pp
 To notify the sender of a blocking decision, three
-.Cd return
+.Cm return
 options can be used in conjunction with a
-.Cd block
+.Ic block
 rule:
-.Bl -tag -width Xreturn-icmpXX -offset indent
-.It return
-Behaves as return-rst or return-icmp, depending on whether the packet
-being blocked is TCP or UDP.
-.It return-rst
+.Bl -tag -width "Cm return-icmp" -offset indent
+.It Cm return
+Behaves as
+.Cm return-rst
+or
+.Cm return-icmp ,
+depending on whether the packet being blocked is TCP or UDP.
+.It Cm return-rst
 Return a TCP RST message, when the packet being blocked is a TCP packet.
 Applies to IPv4 and IPv6.
-.It return-icmp
+.It Cm return-icmp
 Return an ICMP UNREACHABLE message, when the packet being blocked is a UDP packet.
 Applies to IPv4 and IPv6.
 .El
@@ -239,26 +266,28 @@
 A rule can also instruct NPF to create an entry in the state table when
 passing the packet or to apply a procedure to the packet (e.g. "log").
 .Pp
-A "fully-featured" rule would for example be:
-.Bd -literal
-pass stateful in final family inet4 proto tcp flags S/SA \\
-       from $source port $sport to $dest port $dport apply "someproc"
+A
+.Dq fully-featured
+rule would for example be:
+.Bd -literal -offset indent
+pass stateful in final family inet4 proto tcp flags S/SA \e
+        from $source port $sport to $dest port $dport    \e
+        apply \*qsomeproc\*q
 .Ed
 .Pp
 Alternatively, NPF supports
 .Xr pcap-filter 7
 syntax, for example:
-.Bd -literal
-block out final pcap-filter "tcp and dst 10.1.1.252"
-.Ed
+.Pp
+.Dl block out final pcap-filter \*qtcp and dst 10.1.1.252\*q
 .Pp
 Fragments are not selectable since NPF always reassembles packets
 before further processing.
 .Ss Stateful
 Stateful packet inspection is enabled using the
-.Cd stateful
+.Cm stateful
 or
-.Cd stateful-ends
+.Cm stateful-ends
 keywords.
 The former creates a state which is uniquely identified by a 5-tuple (source
 and destination IP addresses, port numbers and an interface identifier).
@@ -267,60 +296,61 @@
 In both cases, a full TCP state tracking is performed for TCP connections
 and a limited tracking for message-based protocols (UDP and ICMP).
 .Pp
Prev by Date: [src/trunk]: src/usr.sbin/npf/npfctl According to the grammar and examples th...
Next by Date: [src/trunk]: src/sys/external/bsd/drm2/radeon Appease GCC with a kernel sanit...
Previous by Thread: [src/trunk]: src/usr.sbin/npf/npfctl According to the grammar and examples th...
Next by Thread: [src/trunk]: src/sys/external/bsd/drm2/radeon Appease GCC with a kernel sanit...
Indexes:
Home | Main Index | Thread Index | Old Index