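--- a/npf.conf.5
+++ b/npf.conf.5
@@ -1,14 +1,14 @@
-.\" $NetBSD: npf.conf.5,v 1.15 2012/08/13 01:18:31 rmind Exp $
+.\" $NetBSD: npf.conf.5,v 1.16 2012/09/26 21:58:27 rmind Exp $
 .\"
 .\" Copyright (c) 2009-2012 The NetBSD Foundation, Inc.
 .\" All rights reserved.
 .\"
 .\" This material is based upon work partially supported by The
 .\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\" notice, this list of conditions and the following disclaimer.
 .\" 2. Redistributions in binary form must reproduce the above copyright
@@ -17,27 +17,27 @@
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd August 12, 2012
+.Dd September 26, 2012
 .Dt NPF.CONF 5
 .Os
 .Sh NAME
 .Nm npf.conf
 .Nd NPF packet filter configuration file
 .\" -----
 .Sh DESCRIPTION
 .Nm
 is the default configuration file for NPF packet filter.
 It can contain definitions, grouped rules, rule procedures,
 translation policies, and tables.
 .Ss Definitions
 Definitions are general purpose keywords which can be used in the
@@ -122,60 +122,84 @@ Certain configurations might use very la
 sets frequently.
 Storing large IP sets in the configuration file or performing frequent
 reloads can have a significant performance cost.
 .Pp
 In order to achieve high performance, NPF has tables.
 NPF tables provide separate storage designed for large IP sets and frequent
 updates without reloading the entire ruleset.
 Tables can be managed dynamically or loaded from a separate file, which
 is useful for large static tables.
 There are two types of storage: "tree" (red-black tree is used) and
 "hash".
 .\" -----
 .Sh GRAMMAR
+The following is a non-formal BNF-like definition of the grammar.
+The definition is simplified and is intended to be human readable,
+therefore it does not strictly represent the full syntax, which
+is more flexible.
 .Bd -literal
-line = ( def | table | map | group | rproc )
+; Syntax of a single line. Lines can be separated by LF (\n) or
+; a semicolon. Comments start with a hash (#) character.
 
-var = $\*[Lt]name\*[Gt]
-iface = ( \*[Lt]interface\*[Gt] | var )
-def = ( var "=" "{ "\*[Lt]value_1\*[Gt]", "\*[Lt]value_2\*[Gt]", ... }" | "\*[Lt]value\*[Gt]" )
+syntax = var-def | table-def | map | group | rproc | comment
+
+; Variable definition. Names can be alpha-numeric, including "_" character.
 
-table = "table" \*[Lt]tid\*[Gt] "type" ( "hash" | "tree" )
-( "dynamic" | "file" \*[Lt]path\*[Gt] )
-
-map-di = ( "->" | "<-" | "<->" )
-map-type = ( "static" | "dynamic" )
-map = "map" iface map-type \*[Lt]seg1\*[Gt] map-di \*[Lt]seg2\*[Gt] [ "pass" filt-opts ]
-
-rproc = "procedure" \*[Lt]name\*[Gt] procs
-procs = "{" op1 \*[Lt]newline\*[Gt], op2 \*[Lt]newline\*[Gt], ... "}"
-op = ( "log" iface | "normalise" "(" norm-opt1 "," norm-opt2 ... ")" )
-norm-opt = [ "random-id" | "min-ttl" \*[Lt]num\*[Gt] | "max-mss" \*[Lt]num\*[Gt] | "no-df" ]
+var-name = "$" . string
+interface = interface-name | var-name
+var-def = var "=" ( var-value | "{" value *[ "," value ] "}" )
+
+; Table definition. Table ID shall be numeric. Path is in the double quotes.
+
+table-id = \*[Lt]tid\*[Gt]
+table-def = "table" table-id "type" ( "hash" | "tree" )
+( "dynamic" | "file" path )
+
+; Mapping for address translation.
 
-group = "group" "(" ( "default" | group-opts ) ")" ruleset
-group-opts = [ name \*[Lt]name\*[Gt] "," ] "interface" iface [ "," ( "in" | "out" ) ]
-
-ruleset = "{" rule1 \*[Lt]newline\*[Gt], rule2 \*[Lt]newline\*[Gt], ... "}"
-
-rule = ( "block" block-opts | "pass" ) [ "stateful" ] [ "in" | out" ] [ "final" ]
-[ "on" iface ] [ "family" fam-opt ] [ "proto" \*[Lt]protocol\*[Gt] [ proto-opts ] ]
-( "all" | filt-opts ) [ "apply" rproc ] }
-
-fam-opt = [ "inet" | "inet6" ]
-block-opts = [ "return-rst" | "return-icmp" | "return" ]
-filt-addr = iface | var | \*[Lt]addr/mask\*[Gt] | \*[Lt]tid\*[Gt]
-port-opts = [ "port" ( \*[Lt]port-num\*[Gt] | \*[Lt]port-from\*[Gt] "-" \*[Lt]port-to\*[Gt] | var ) ]
-filt-opts = [ "from" filt-addr [ port-opts ] ] [ "to" filt-addr [ port-opts ] ]
-proto-opts = [ "flags" \*[Lt]tcp_flags\*[Gt] | "icmp-type" \*[Lt]type\*[Gt] "code" \*[Lt]code\*[Gt] ]
+map = "map" interface ( "static" | "dynamic" )
+net-seg ( "->" | "<-" | "<->" ) net-seg
+[ "pass" filt-opts ]
+
+; Rule procedure definition. The name should be in the double quotes.
+;
+; Each call can have its own options in a form of key-value pairs.
+; Both key and values may be strings (either in double quotes or not)
+; and numbers, depending on the extension.
+
+proc = "procedure" proc-name "{" *( proc-call [ new-line ] ) "}"
+proc-opts = key " " val [ "," proc-opts ]
+proc-call = call-name ":" proc-opts new-line
+
+; Group definition and the ruleset.
+
+group = "group" "(" ( "default" | group-opts ) ")" "{" ruleset "}"
+group-opts = [ "name" string ] [ "interface" interface ] [ "in" | "out" ]
+ruleset = [ rule new-line ] [ ruleset ]
+
+rule = ( "block" [ block-opts ] | "pass" ) [ "stateful" ]
+[ "in" | out" ] [ "final" ] [ "on" iface ]
+[ "family" fam-opt ] [ "proto" protocol [ proto-opts ] ]
+( "all" | filt-opts ) [ "apply" proc-name ]
+
+block-opts = "return-rst" | "return-icmp" | "return"
+fam-opt = "inet" | "inet6"
+proto-opts = "flags" tcp-flags [ "/" tcp-flag-mask ] |
+"icmp-type" type [ "code" icmp-code ]
+
+addr-mask = addr [ "/" mask ]
+filt-opts = "from" filt-addr [ port-opts ] "to" filt-addr [ port-opts ]
+filt-addr = [ interface | var-name | addr-mask | table-id | "any" ]
+filt-port = "port" ( port-num | port-from "-" port-to | var-name )
 .Ed
 .\" -----
 .Sh FILES
 .Bl -tag -width /dev/npf.conf -compact
 .It Pa /dev/npf
 control device
 .It Pa /etc/npf.conf
 default configuration file
 .El
 .\" -----
 .Sh EXAMPLES
 .Bd -literal
 $ext_if = "wm0"
@@ -187,32 +211,28 @@ table <2> type tree dynamic
 $services_tcp = { http, https, smtp, domain, 6000, 9022 }
 $services_udp = { domain, ntp, 6000 }
 $localnet = { 10.1.1.0/24 }
 
 # Note: if $ext_if has multiple IP address (e.g. IPv6 as well),
 # then the translation address has to be specified explicitly.
 map $ext_if dynamic 10.1.1.0/24 -> $ext_if
 map $ext_if dynamic 10.1.1.2 port 22 <- $ext_if 9022
 
 procedure "log" {
 log: npflog0
 }
 
-procedure "rid" {
-normalise: "random-id"
-}
-
 group (name "external", interface $ext_if) {
-pass stateful out final from $ext_if apply "rid"
+pass stateful out final from $ext_if
 
 block in final from \*[Lt]1\*[Gt]
 pass stateful in final family inet proto tcp to $ext_if port ssh apply "log"
 pass stateful in final proto tcp to $ext_if port $services_tcp
 pass stateful in final proto udp to $ext_if port $services_udp
 pass stateful in final proto tcp to $ext_if port 49151-65535 # Passive FTP
 pass stateful in final proto udp to $ext_if port 33434-33600 # Traceroute
 }
 
 group (name "internal", interface $int_if) {
 block in all
 pass in final from \*[Lt]2\*[Gt]
 pass out final all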