| @@ -1,43 +1,43 @@ | | | @@ -1,43 +1,43 @@ |
1 | .\" $NetBSD: libnpf.3,v 1.4 2016/12/27 21:25:12 wiz Exp $ | | 1 | .\" $NetBSD: libnpf.3,v 1.5 2017/12/07 00:22:06 rmind Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Copyright (c) 2011-2015 The NetBSD Foundation, Inc. | | 3 | .\" Copyright (c) 2011-2017 The NetBSD Foundation, Inc. |
4 | .\" All rights reserved. | | 4 | .\" All rights reserved. |
5 | .\" | | 5 | .\" |
6 | .\" This material is based upon work partially supported by The | | 6 | .\" This material is based upon work partially supported by The |
7 | .\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius. | | 7 | .\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius. |
8 | .\" | | 8 | .\" |
9 | .\" Redistribution and use in source and binary forms, with or without | | 9 | .\" Redistribution and use in source and binary forms, with or without |
10 | .\" modification, are permitted provided that the following conditions | | 10 | .\" modification, are permitted provided that the following conditions |
11 | .\" are met: | | 11 | .\" are met: |
12 | .\" 1. Redistributions of source code must retain the above copyright | | 12 | .\" 1. Redistributions of source code must retain the above copyright |
13 | .\" notice, this list of conditions and the following disclaimer. | | 13 | .\" notice, this list of conditions and the following disclaimer. |
14 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 14 | .\" 2. Redistributions in binary form must reproduce the above copyright |
15 | .\" notice, this list of conditions and the following disclaimer in the | | 15 | .\" notice, this list of conditions and the following disclaimer in the |
16 | .\" documentation and/or other materials provided with the distribution. | | 16 | .\" documentation and/or other materials provided with the distribution. |
17 | .\" | | 17 | .\" |
18 | .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS | | 18 | .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
19 | .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | | 19 | .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
20 | .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 20 | .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
21 | .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 21 | .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
22 | .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 22 | .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
23 | .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 23 | .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
24 | .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 24 | .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
25 | .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 25 | .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
26 | .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 26 | .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
27 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 27 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
28 | .\" POSSIBILITY OF SUCH DAMAGE. | | 28 | .\" POSSIBILITY OF SUCH DAMAGE. |
29 | .\" | | 29 | .\" |
30 | .Dd April 19, 2015 | | 30 | .Dd December 7, 2017 |
31 | .Dt LIBNPF 3 | | 31 | .Dt LIBNPF 3 |
32 | .Os | | 32 | .Os |
33 | .Sh NAME | | 33 | .Sh NAME |
34 | .Nm libnpf | | 34 | .Nm libnpf |
35 | .Nd NPF packet filter library | | 35 | .Nd NPF packet filter library |
36 | .Sh LIBRARY | | 36 | .Sh LIBRARY |
37 | .Lb libnpf | | 37 | .Lb libnpf |
38 | .Sh SYNOPSIS | | 38 | .Sh SYNOPSIS |
39 | .In npf.h | | 39 | .In npf.h |
40 | .\" --- | | 40 | .\" --- |
41 | .Ft nl_config_t * | | 41 | .Ft nl_config_t * |
42 | .Fn npf_config_create "void" | | 42 | .Fn npf_config_create "void" |
43 | .Ft int | | 43 | .Ft int |
| @@ -100,275 +100,293 @@ | | | @@ -100,275 +100,293 @@ |
100 | .Fn npf_table_destroy "nl_table_t *tl" | | 100 | .Fn npf_table_destroy "nl_table_t *tl" |
101 | .\" ----- | | 101 | .\" ----- |
102 | .Sh DESCRIPTION | | 102 | .Sh DESCRIPTION |
103 | The | | 103 | The |
104 | .Nm | | 104 | .Nm |
105 | library provides an interface to create an NPF configuration having rules, | | 105 | library provides an interface to create an NPF configuration having rules, |
106 | tables, procedures, or translation policies. | | 106 | tables, procedures, or translation policies. |
107 | The configuration can be submitted to the kernel. | | 107 | The configuration can be submitted to the kernel. |
108 | .\" ----- | | 108 | .\" ----- |
109 | .Sh FUNCTIONS | | 109 | .Sh FUNCTIONS |
110 | .Ss Configuration | | 110 | .Ss Configuration |
111 | .Bl -tag -width 4n | | 111 | .Bl -tag -width 4n |
112 | .It Fn npf_config_create | | 112 | .It Fn npf_config_create |
113 | Create a configuration. | | 113 | Create a new configuration object. |
114 | .It Fn npf_config_submit "ncf" "fd" "errinfo" | | 114 | .It Fn npf_config_submit "ncf" "fd" "errinfo" |
115 | Submit configuration | | 115 | Submit the configuration object, specified by |
116 | .Fa ncf | | 116 | .Fa ncf , |
117 | to the kernel. | | 117 | to the kernel. |
118 | On error, the the description is written into the structure specified by | | 118 | On failure, the error information is written into the structure |
| | | 119 | specified by |
119 | .Fa errinfo . | | 120 | .Fa errinfo . |
120 | .It Fn npf_config_export "fd" "len" | | 121 | .It Fn npf_config_export "fd" "len" |
121 | Serialize the given configuration and return binary object and its | | 122 | Serialize the current configuration and return the binary object as |
122 | length in | | 123 | well as its length in |
123 | .Fa len | | 124 | .Fa len |
124 | parameter. | | 125 | parameter. |
125 | The binary object is dynamically allocated and should be destroyed using | | 126 | The binary object is dynamically allocated and should be destroyed using |
126 | .Xr free 3 . | | 127 | .Xr free 3 . |
127 | .It Fn npf_config_import "blob" "len" | | 128 | .It Fn npf_config_import "blob" "len" |
128 | Read the configuration from a binary object of the specified length, | | 129 | Read the configuration from a binary object of the specified length, |
129 | unserialize, construct and return the configuration object. | | 130 | unserialize, and return the configuration object. |
130 | .It Fn npf_config_flush "fd" | | 131 | .It Fn npf_config_flush "fd" |
131 | Flush the current configuration. | | 132 | Flush the current configuration. |
132 | .It Fn npf_config_retrieve "fd" "active" "loaded" | | 133 | .It Fn npf_config_retrieve "fd" "active" "loaded" |
133 | Retrieve and return the loaded configuration from the kernel. | | 134 | Retrieve and return the loaded configuration from the kernel. |
134 | .It Fn npf_config_active_p "ncf" | | 135 | .It Fn npf_config_active_p "ncf" |
135 | Indicate whether the retrieved configuration is active (true if yes | | 136 | Indicate whether the retrieved configuration is active (true if yes |
136 | and false otherwise). | | 137 | and false otherwise). |
137 | .It Fn npf_config_destroy "ncf" | | 138 | .It Fn npf_config_destroy "ncf" |
138 | Destroy the configuration | | 139 | Destroy the configuration object, specified by |
139 | .Fa ncf . | | 140 | .Fa ncf . |
140 | .El | | 141 | .El |
141 | .\" --- | | 142 | .\" --- |
142 | .Ss Rule interface | | 143 | .Ss Rule interface |
143 | .Bl -tag -width 4n | | 144 | .Bl -tag -width 4n |
144 | .It Fn npf_rule_create "name" "attr" "ifname" | | 145 | .It Fn npf_rule_create "name" "attr" "ifname" |
145 | Create a rule with a given name, attribute and priorty. | | 146 | Create a rule with a given name, attribute and priorty. |
146 | Name can be | | 147 | If the name is specified, then it should be unique within the |
| | | 148 | configuration object. |
| | | 149 | Otherwise, the name can be |
147 | .Dv NULL , | | 150 | .Dv NULL , |
148 | in which case rule has no unique identifier. | | 151 | in which case the rule will have no identifier. |
149 | Otherwise, rules shall not have duplicate names. | | | |
150 | The following attributes, which can be ORed, are available: | | 152 | The following attributes, which can be ORed, are available: |
151 | .Bl -tag -width indent | | 153 | .Bl -tag -width indent |
152 | .It Dv NPF_RULE_PASS | | 154 | .It Dv NPF_RULE_PASS |
153 | Decision of this rule is "pass". | | 155 | The decision of this rule shall be "pass". |
154 | If this attribute is not | | 156 | If this attribute is not |
155 | specified, then packet "block" (drop) is the default. | | 157 | specified, then "block" (drop the packet) is the default. |
156 | .It Dv NPF_RULE_IN | | 158 | .It Dv NPF_RULE_IN |
157 | Match incoming packets. | | 159 | Match the incoming packets. |
158 | .It Dv NPF_RULE_OUT | | 160 | .It Dv NPF_RULE_OUT |
159 | Match outgoing packets. | | 161 | Match the outgoing packets. |
160 | .It Dv NPF_RULE_FINAL | | 162 | .It Dv NPF_RULE_FINAL |
161 | Indicates that on rule match, further processing of the | | 163 | Indicate that on rule match, further processing of the ruleset should |
162 | ruleset should be stopped and this rule applied instantly. | | 164 | be stopped and this rule should be applied instantly. |
163 | .It Dv NPF_RULE_STATEFUL | | 165 | .It Dv NPF_RULE_STATEFUL |
164 | Create a state (session) on match, track the connection and | | 166 | Create a state (session) on match, track the connection and pass the |
165 | therefore pass the backwards stream without inspection. | | 167 | backwards stream (the returning packets) without the ruleset inspection. |
166 | The state is uniquely identified by a 5-tuple (source and destination | | 168 | The state is uniquely identified by a 5-tuple (source and destination |
167 | IP addresses, port numbers and an interface identifier). | | 169 | IP addresses, port numbers and an interface identifier). |
168 | .It Dv NPF_RULE_MULTIENDS | | 170 | .It Dv NPF_RULE_MULTIENDS |
169 | Exclude the interface from the state identifier. | | 171 | Exclude the interface identifier from the state key i.e. use a 4-tuple. |
170 | .It Dv NPF_RULE_RETRST | | 172 | .It Dv NPF_RULE_RETRST |
171 | Return TCP RST packet in a case of packet block. | | 173 | Return TCP RST packet in a case of packet block. |
172 | .It Dv NPF_RULE_RETICMP | | 174 | .It Dv NPF_RULE_RETICMP |
173 | Return ICMP destination unreachable in a case of packet block. | | 175 | Return ICMP destination unreachable in a case of packet block. |
174 | .It Dv NPF_RULE_GROUP | | 176 | .It Dv NPF_RULE_GROUP |
175 | Allow this rule to have sub-rules. | | 177 | Allow this rule to have sub-rules. |
176 | If used with | | 178 | If this flag is used with the |
177 | .Dv NPF_RULE_DYNAMIC | | 179 | .Dv NPF_RULE_DYNAMIC |
178 | flag set, the can be added dynamically. | | 180 | flag set, then it is a dynamic group. |
| | | 181 | The sub-rules can be added dynamically to a dynamic group, also meaning |
| | | 182 | that the sub-rules must have the |
| | | 183 | .Dv NPF_RULE_DYNAMIC |
| | | 184 | flag set. |
179 | Otherwise rules must be added statically i.e. created with the configuration. | | 185 | Otherwise rules must be added statically i.e. created with the configuration. |
180 | .It Dv NPF_RULE_DYNAMIC | | 186 | .It Dv NPF_RULE_DYNAMIC |
181 | Indicate that the rule is dynamic. | | 187 | Indicate that the rule is dynamic. |
| | | 188 | Such rules can only be added to the dynamic groups. |
182 | .El | | 189 | .El |
183 | .Pp | | 190 | .Pp |
184 | Interface is specified by | | 191 | The interface is specified by the |
185 | .Fa ifname , | | 192 | .Fa ifname |
186 | which is a string. | | 193 | string. |
187 | .Dv NULL | | 194 | .Dv NULL |
188 | indicates any interface. | | 195 | indicates any interface. |
189 | .\" --- | | 196 | .\" --- |
190 | .It Fn npf_rule_setcode "rl" "type" "code" "len" | | 197 | .It Fn npf_rule_setcode "rl" "type" "code" "len" |
191 | Assign compiled code for the rule specified by | | 198 | Assign the code for the rule specified by |
192 | .Fa rl , | | 199 | .Fa rl . |
193 | used for filter criteria. | | 200 | The code is used to implement the filter criteria. |
194 | Pointer to the binary code is specified by | | 201 | The pointer to the binary code is specified by |
195 | .Fa code , | | 202 | .Fa code , |
196 | and size of the memory area by | | 203 | the size of the memory area by |
197 | .Fa len . | | 204 | .Fa len , |
198 | Type of the code is specified by | | 205 | and the type of the code is specified by |
199 | .Fa type . | | 206 | .Fa type . |
200 | Currently, only BPF byte-code is supported and | | 207 | Currently, only the BPF byte-code is supported and the |
201 | .Dv NPF_CODE_BPF | | 208 | .Dv NPF_CODE_BPF |
202 | should be passed. | | 209 | constant should be passed. |
203 | .\" --- | | 210 | .\" --- |
204 | .It Fn npf_rule_setkey "rl" "type" "key" "len" | | 211 | .It Fn npf_rule_setkey "rl" "type" "key" "len" |
205 | Assign a key for the rule specified by | | 212 | Assign a key for the rule specified by |
206 | .Fa rl . | | 213 | .Fa rl . |
207 | Binary key is specified by | | 214 | The binary key is specified by |
208 | .Fa key , | | 215 | .Fa key , |
209 | and its size by | | 216 | and its size by |
210 | .Fa len . | | 217 | .Fa len . |
211 | The size shall not exceed | | 218 | The size shall not exceed |
212 | .Dv NPF_RULE_MAXKEYLEN . | | 219 | .Dv NPF_RULE_MAXKEYLEN . |
213 | The kernel does not validate the key is unique, it is the responsibility | | 220 | The kernel does not check whether key is unique, therefore it is the |
214 | of the caller. | | 221 | responsibility of the caller. |
215 | .\" --- | | 222 | .\" --- |
216 | .It Fn npf_rule_setinfo "rl" "info" "len" | | 223 | .It Fn npf_rule_setinfo "rl" "info" "len" |
217 | Associate arbitrary information blob specified by | | 224 | Associate an arbitrary information blob specified by |
218 | .Fa info , | | 225 | .Fa info , |
219 | and its size by | | 226 | and its size by |
220 | .Fa len . | | 227 | .Fa len . |
221 | This may be used for such purposes as byte-code annotation. | | 228 | This may be used for such purposes as the byte-code annotation. |
222 | .\" --- | | 229 | .\" --- |
223 | .It Fn npf_rule_setprio "rl" "pri" | | 230 | .It Fn npf_rule_setprio "rl" "pri" |
224 | Set priority to the rule. | | 231 | Set priority to the rule. |
225 | Negative priorities are invalid. | | 232 | Negative priorities are invalid. |
226 | .Pp | | 233 | .Pp |
227 | Priority is the order of the rule in the ruleset. | | 234 | The priority is the order of the rule in the ruleset. |
228 | Lower value means first to process, higher value - last to process. | | 235 | The lower value means first to process, the higher value - last to process. |
229 | If multiple rules are inserted with the same priority, | | 236 | If multiple rules are inserted with the same priority, |
230 | the order is unspecified. | | 237 | then the order is unspecified. |
231 | .Pp | | 238 | .Pp |
232 | The special constants | | 239 | The special constants |
233 | .Dv NPF_PRI_FIRST | | 240 | .Dv NPF_PRI_FIRST |
234 | and | | 241 | and |
235 | .Dv NPF_PRI_LAST | | 242 | .Dv NPF_PRI_LAST |
236 | can be passed to indicate that the rule should be inserted into the | | 243 | can be passed to indicate that the rule should be inserted into the |
237 | beginning or the end of the priority level 0 in the ruleset. | | 244 | beginning or the end of the priority level 0 in the ruleset. |
238 | All rules inserted using these constants will have the priority 0 | | 245 | All rules inserted using these constants will have the priority 0 |
239 | assigned and will share this level in the ordered way. | | 246 | assigned and will share this level in the ordered way. |
240 | .\" --- | | 247 | .\" --- |
241 | .It Fn npf_rule_setproc "ncf" "rl" "name" | | 248 | .It Fn npf_rule_setproc "ncf" "rl" "name" |
242 | Set a procedure for the specified rule. | | 249 | Set a procedure for the specified rule. |
243 | .\" --- | | 250 | .\" --- |
244 | .It Fn npf_rule_insert "ncf" "parent" "rl" | | 251 | .It Fn npf_rule_insert "ncf" "parent" "rl" |
245 | Insert the rule into the set of parent rule specified by | | 252 | Insert the rule into the set of the parent rule specified by |
246 | .Fa parent . | | 253 | .Fa parent . |
247 | If value of | | 254 | If the value of |
248 | .Fa parent | | 255 | .Fa parent |
249 | is | | 256 | is |
250 | .Dv NULL , | | 257 | .Dv NULL , |
251 | then insert into the main ruleset. | | 258 | then insert into the main ruleset. |
252 | .\" --- | | 259 | .\" --- |
253 | .It Fn npf_rule_export "rl" "length" | | 260 | .It Fn npf_rule_export "rl" "length" |
254 | Serialize the rule (including the byte-code), return a binary object | | 261 | Serialize the rule (including the byte-code), return a binary object |
255 | and set its | | 262 | and set its |
256 | .Fa length . | | 263 | .Fa length . |
257 | The binary object is dynamically allocated and should be destroyed using | | 264 | The binary object is dynamically allocated and should be destroyed using |
258 | .Xr free 3 . | | 265 | .Xr free 3 . |
259 | .\" --- | | 266 | .\" --- |
260 | .It Fn npf_rule_destroy "rl" | | 267 | .It Fn npf_rule_destroy "rl" |
261 | Destroy the given rule. | | 268 | Destroy the given rule object. |
262 | .El | | 269 | .El |
263 | .\" ----- | | 270 | .\" ----- |
264 | .Ss Rule procedure interface | | 271 | .Ss Rule procedure interface |
265 | .Bl -tag -width 4n | | 272 | .Bl -tag -width 4n |
266 | .It Fn npf_rproc_create "name" | | 273 | .It Fn npf_rproc_create "name" |
267 | Create a rule procedure with a given | | 274 | Create a rule procedure with a given |
268 | .Fa name . | | 275 | .Fa name . |
269 | Name must be unique for each procedure. | | 276 | Thr name must be unique for each procedure. |
270 | .It Fn npf_rproc_insert "ncf" "rp" | | 277 | .It Fn npf_rproc_insert "ncf" "rp" |
271 | Insert rule procedure into the specified configuration. | | 278 | Insert the rule procedure into the specified configuration object. |
272 | .El | | 279 | .El |
273 | .\" ----- | | 280 | .\" ----- |
274 | .Ss Translation interface | | 281 | .Ss Translation interface |
275 | .Bl -tag -width 4n | | 282 | .Bl -tag -width 4n |
276 | .It Fn npf_nat_create "type" "flags" "ifname" "addr" "af" "port" | | 283 | .It Fn npf_nat_create "type" "flags" "ifname" "addr" "af" "port" |
277 | Create a NAT translation policy of a specified type. | | 284 | Create a NAT policy of a specified type. |
278 | There are two types: | | 285 | There are two types: |
279 | .Bl -tag -width "NPF_NAT_PORTMAP " | | 286 | .Bl -tag -width "NPF_NAT_PORTMAP " |
280 | .It Dv NPF_NATIN | | 287 | .It Dv NPF_NATIN |
281 | Inbound NAT policy (rewrite destination). | | 288 | Inbound NAT policy (rewrite destination). |
282 | .It Dv NPF_NATOUT | | 289 | .It Dv NPF_NATOUT |
283 | Outbound NAT policy (rewrite source). | | 290 | Outbound NAT policy (rewrite source). |
284 | .El | | 291 | .El |
285 | .Pp | | 292 | .Pp |
286 | A bi-directional NAT is obtained by combining two policies. | | 293 | A bi-directional NAT is obtained by combining two policies. |
287 | The following | | 294 | The following |
288 | .Fa flags | | 295 | .Fa flags |
289 | are supported: | | 296 | are supported: |
290 | .Bl -tag -width "NPF_NAT_PORTMAP " | | 297 | .Bl -tag -width "NPF_NAT_PORTMAP " |
291 | .It Dv NPF_NAT_STATIC | | 298 | .It Dv NPF_NAT_STATIC |
292 | Perform static (stateless) NAT rather than dynamic (stateful). | | 299 | Perform static (stateless) translation rather than dynamic (stateful). |
293 | .It Dv NPF_NAT_PORTS | | 300 | .It Dv NPF_NAT_PORTS |
294 | Indicates to perform port translation. | | 301 | Perform the port translation. |
295 | Otherwise, port translation is not performed and | | 302 | If this flag is not specified, then the port translation is not performed |
| | | 303 | and the |
296 | .Fa port | | 304 | .Fa port |
297 | is ignored. | | 305 | parameter is ignored. |
298 | .It Dv NPF_NAT_PORTMAP | | 306 | .It Dv NPF_NAT_PORTMAP |
299 | Effective only if | | 307 | Create a port map and select a random port for translation. |
| | | 308 | If enabled, then the value specified by the |
| | | 309 | .Fa port |
| | | 310 | parameter is ignored. |
| | | 311 | This flag is effective only if the |
300 | .Dv NPF_NAT_PORTS | | 312 | .Dv NPF_NAT_PORTS |
301 | flag is set. | | 313 | flag is set. |
302 | Indicates to create a port map and select a random port for translation. | | | |
303 | Otherwise, port is translated to the value specified by | | | |
304 | .Fa port | | | |
305 | is used. | | | |
306 | .El | | 314 | .El |
307 | .Pp | | 315 | .Pp |
308 | Translation address is specified by | | 316 | The translation address is specified by |
309 | .Fa addr , | | 317 | .Fa addr , |
310 | and its family by | | 318 | and its family by |
311 | .Fa af . | | 319 | .Fa af . |
312 | Family must be either | | 320 | The family must be either |
313 | .Dv AF_INET | | 321 | .Dv AF_INET |
314 | for IPv4 or | | 322 | for IPv4 or |
315 | .Dv AF_INET6 | | 323 | .Dv AF_INET6 |
316 | for IPv6 address. | | 324 | for IPv6 address. |
317 | .\" --- | | 325 | .\" --- |
318 | .It Fn npf_nat_setalgo "nt" "algo" | | 326 | .It Fn npf_nat_setalgo "nt" "algo" |
319 | Set a particular NAT algorithm. | | 327 | Set a particular NAT algorithm. |
320 | Currently, only | | 328 | Currently, only |
321 | .Dv NPF_ALGO_NPT66 | | 329 | .Dv NPF_ALGO_NPT66 |
322 | algorithm is supported for NPTv6 (RFC 6296). | | 330 | algorithm is supported for NPTv6 (RFC 6296). |
323 | .\" --- | | 331 | .\" --- |
324 | .It Fn npf_nat_insert "ncf" "nt" "pri" | | 332 | .It Fn npf_nat_insert "ncf" "nt" "pri" |
325 | Insert NAT policy, its rule, into the specified configuration. | | 333 | Insert NAT policy, its rule, into the specified configuration. |
326 | .El | | 334 | .El |
327 | .\" ----- | | 335 | .\" ----- |
328 | .Ss Table interface | | 336 | .Ss Table interface |
329 | .Bl -tag -width 4n | | 337 | .Bl -tag -width 4n |
330 | .It Fn npf_table_create "name" "index" "type" | | 338 | .It Fn npf_table_create "name" "index" "type" |
331 | Create NPF table of specified type. | | 339 | Create an NPF table of a specified type. |
332 | The following types are supported: | | 340 | The table is identified by the |
333 | .Bl -tag -width "NPF_TABLE_TREE " | | | |
334 | .It Dv NPF_TABLE_HASH | | | |
335 | Indicates to use hash table for storage. | | | |
336 | .It Dv NPF_TABLE_TREE | | | |
337 | Indicates to use red-black tree for storage. | | | |
338 | Table is identified by the | | | |
339 | .Fa name | | 341 | .Fa name |
340 | and | | 342 | and |
341 | .Fa index , | | 343 | .Fa index , |
342 | which should be in the range between 1 and | | 344 | which should be in the range between 1 and |
343 | .Dv NPF_MAX_TABLE_ID . | | 345 | .Dv NPF_MAX_TABLE_ID . |
| | | 346 | .Pp |
| | | 347 | The following types are supported: |
| | | 348 | .Bl -tag -width "NPF_TABLE_HASH" |
| | | 349 | .It Dv NPF_TABLE_HASH |
| | | 350 | Indicates to use a hash table for storage. |
| | | 351 | .It Dv NPF_TABLE_TREE |
| | | 352 | Indicates to use a tree for storage, supporting the longest |
| | | 353 | prefix match. |
| | | 354 | .It Dv NPF_TABLE_CDB |
| | | 355 | Indicates to use constant database for storage, typically using |
| | | 356 | a perfect hash table. |
| | | 357 | In such case, the database produced by |
| | | 358 | .Xr cdbw 3 |
| | | 359 | should be set using the |
| | | 360 | .Fn npf_table_setdata |
| | | 361 | function. |
344 | .El | | 362 | .El |
345 | .\" --- | | 363 | .\" --- |
346 | .It Fn npf_table_add_entry "tl" "af" "addr" "mask" | | 364 | .It Fn npf_table_add_entry "tl" "af" "addr" "mask" |
347 | Add an entry of IP address and mask, specified by | | 365 | Add an entry of IP address and mask, specified by |
348 | .Fa addr | | 366 | .Fa addr |
349 | and | | 367 | and |
350 | .Fa mask , | | 368 | .Fa mask , |
351 | to the table specified by | | 369 | to the table specified by |
352 | .Fa tl . | | 370 | .Fa tl . |
353 | Family, specified by | | 371 | The family, specified by |
354 | .Fa af , | | 372 | .Fa af , |
355 | must be either | | 373 | must be either |
356 | .Dv AF_INET | | 374 | .Dv AF_INET |
357 | for IPv4 or | | 375 | for IPv4 or |
358 | .Dv AF_INET6 | | 376 | .Dv AF_INET6 |
359 | for IPv6 address. | | 377 | for IPv6 address. |
360 | .It Fn npf_table_insert "ncf" "tl" | | 378 | .It Fn npf_table_insert "ncf" "tl" |
361 | Insert table into set of configuration. | | 379 | Add the table to the configuration object. |
362 | Routine performs a check for duplicate table ID. | | 380 | This routine performs a check for duplicate table IDs. |
363 | .\" --- | | 381 | .\" --- |
364 | .It Fn npf_table_destroy "tl" | | 382 | .It Fn npf_table_destroy "tl" |
365 | Destroy the specified table. | | 383 | Destroy the specified table. |
366 | .El | | 384 | .El |
367 | .\" ----- | | 385 | .\" ----- |
368 | .Sh SEE ALSO | | 386 | .Sh SEE ALSO |
369 | .Xr bpf 4 , | | 387 | .Xr bpf 4 , |
370 | .Xr npf 7 , | | 388 | .Xr npf 7 , |
371 | .Xr npfctl 8 | | 389 | .Xr npfctl 8 |
372 | .Sh HISTORY | | 390 | .Sh HISTORY |
373 | The NPF library first appeared in | | 391 | The NPF library first appeared in |
374 | .Nx 6.0 . | | 392 | .Nx 6.0 . |