The NetBSD Project

CVS log for src/usr.sbin/npf/npfctl/npfctl.8






Revision 1.25, Sat May 30 14:16:56 2020 UTC by rmind
Branch: MAIN
CVS Tags: triaxx-drm, netbsd-10-base, netbsd-10-0-RC6, netbsd-10-0-RC5, netbsd-10-0-RC4, netbsd-10-0-RC3, netbsd-10-0-RC2, netbsd-10-0-RC1, netbsd-10, cjep_sun2x-base1, cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x, HEAD
Changes since 1.24: +27 -11 lines

Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
  settings.  Users can now choose whether the connection state should be
  strictly per-interface or global at the configuration level.  Keep NAT
  logic always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
  more parameters.  Remove npf_nvlist_{copyin,copyout}() functions and
  refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
  a single entry point for operations.  Introduce npf_flow_t and clean up
  some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
  more informative; misc usability improvements and more user-friendly
  error messages.

- Amend and improve the manual pages.

Revision 1.24, Mon Sep 30 21:06:16 2019 UTC by uwe
Branch: MAIN
CVS Tags: phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, phil-wifi-20191119, is-mlppp-base, is-mlppp
Changes since 1.23: +2 -2 lines

Use -width Pa for FILES.

Revision 1.23, Mon Sep 30 20:53:12 2019 UTC by uwe
Branch: MAIN
Changes since 1.22: +2 -2 lines

Fix pasto in table replace -t type

Revision 1.22, Sun Sep 29 16:58:35 2019 UTC by rmind
Branch: MAIN
Changes since 1.21: +39 -10 lines

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.

Revision 1.21, Sat Jan 19 21:19:32 2019 UTC by rmind
Branch: MAIN
CVS Tags: phil-wifi-20190609, pgoyette-compat-20190127, netbsd-9-base
Branch point for: netbsd-9
Changes since 1.20: +6 -6 lines

Major NPF improvements:
- Convert NPF connection table to thmap.  State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address.  Translation addresses can now be
  selected from a pool of addresses.  There are two selection algorithms,
  "ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
  to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
  translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).

Revision 1.20, Sun Dec 10 22:04:41 2017 UTC by rmind
Branch: MAIN
CVS Tags: phil-wifi-base, pgoyette-compat-base, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315
Branch point for: phil-wifi, pgoyette-compat
Changes since 1.19: +4 -3 lines

npfctl: add support for the 'no-ports' flag in the 'map' statements.
This allows us to create a NAT policy without the port translation.

Revision 1.19, Tue Dec 27 20:55:11 2016 UTC by christos
Branch: MAIN
CVS Tags: prg-localcount2-base3, prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, prg-localcount2, pgoyette-localcount-20170426, pgoyette-localcount-20170320, pgoyette-localcount-20170107, perseant-stdc-iso10646-base, perseant-stdc-iso10646, netbsd-8-base, netbsd-8-2-RELEASE, netbsd-8-1-RELEASE, netbsd-8-1-RC1, netbsd-8-0-RELEASE, netbsd-8-0-RC2, netbsd-8-0-RC1, netbsd-8, matt-nb8-mediatek-base, matt-nb8-mediatek, bouyer-socketcan-base1, bouyer-socketcan-base, bouyer-socketcan
Changes since 1.18: +20 -2 lines

Document list

Revision 1.18, Tue May 24 05:46:57 2016 UTC by wiz
Branch: MAIN
CVS Tags: pgoyette-localcount-base, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, localcount-20160914
Branch point for: pgoyette-localcount
Changes since 1.17: +2 -2 lines

Fix typo. From Michael Scherer in PR 51162.

Revision 1.17, Sun Aug 3 00:02:56 2014 UTC by rmind
Branch: MAIN
CVS Tags: tls-maxphys-base, tls-earlyentropy-base, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7
Changes since 1.16: +4 -3 lines

Cross-link npf(7).

Revision 1.16, Wed Jul 23 01:25:34 2014 UTC by rmind
Branch: MAIN
Changes since 1.15: +16 -20 lines

NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together
  with a full configuration.  Support a reverse load operation.  Eliminate
  the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs
  load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.

Revision 1.15, Fri Sep 20 21:30:49 2013 UTC by wiz
Branch: MAIN
CVS Tags: yamt-pagecache-base9, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3
Branch point for: tls-earlyentropy
Changes since 1.14: +2 -2 lines

Remove trailing whitespace.

Revision 1.14, Thu Sep 19 12:05:11 2013 UTC by rmind
Branch: MAIN
Changes since 1.13: +5 -5 lines

npfctl: remove some n-code leftovers, fix the build, update the man pages.

Revision 1.13, Sat Feb 16 21:11:15 2013 UTC by rmind
Branch: MAIN
CVS Tags: riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2, agc-symver-base, agc-symver
Changes since 1.12: +9 -2 lines

- Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs.  Also, update the man page.

Revision 1.12, Sat Feb 9 03:35:33 2013 UTC by rmind
Branch: MAIN
Changes since 1.11: +26 -3 lines

NPF:
- Implement dynamic NPF rules.  Controlled through the npf(3) library or via
  the npfctl rule command.  A rule can be removed using a unique identifier,
  returned on addition, or using a key which is the SHA1 hash of the rule.
  Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.

Revision 1.11, Mon Dec 10 02:26:04 2012 UTC by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base8, yamt-pagecache-base7
Changes since 1.10: +12 -2 lines

npfctl: add 'validate' command to check the config, but not load it.  Update
the man page.  Also add a small note about 'debug' command, PR/47298.
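
The validate, reload, table replace, map no-ports and dynamic-rule features that the log entries above (revisions 1.11, 1.12, 1.16, 1.20 and 1.22) document, tied together as an added example: this is not code from the NetBSD tree or from the npfctl(8) manual. The interface, network, table, ruleset and procedure names, the sample blocklist addresses, the NPFCTL override and the guarded main are this example's own assumptions, and the placement of no-ports after dynamic in the map statement should be checked against npf.conf(5) on the target release. The point of the ordering is that a configuration which fails to parse never reaches the kernel.

```shell
#!/bin/sh
# Added example, not code from the NetBSD tree: a validate-then-reload
# procedure around npfctl(8), a table refresh via 'table replace' and a
# run-time block through a dynamic ruleset. NPFCTL is overridable so the
# sequence can be exercised against a stub on a host without NPF.
NPFCTL="${NPFCTL:-npfctl}"

# Write a small npf.conf to $1. Interface, network, table, ruleset and
# procedure names are this example's own choices (assumptions); the
# statement forms follow npf.conf(5).
write_example_conf() {
	cat > "$1" <<'EOF'
$ext_if = { inet4(wm0) }
$localnet = { 10.1.1.0/24 }

# Address set refreshed from a file with 'npfctl table blocklist replace'.
table <blocklist> type ipset

# Dynamic NAT for the inside network; 'no-ports' disables port translation.
map $ext_if dynamic no-ports $localnet -> $ext_if

procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
	block in final from <blocklist> apply "log"
	# Rules added at run time with 'npfctl rule dynblock add ...' land here.
	ruleset "dynblock"
	pass stateful out final all
	pass stateful in final proto tcp to $ext_if port ssh
}

group default {
	pass final on lo0 all
	block all
}
EOF
}

# Parse-check the configuration first; only a clean parse reaches the
# kernel, so a typo in npf.conf cannot leave the host half-configured.
# 'reload' replaces the rules without touching the tracked connections.
npf_safe_reload() {
	cfg="$1"
	if ! "$NPFCTL" validate "$cfg"; then
		echo "npf: $cfg failed validation, kernel ruleset left untouched" >&2
		return 1
	fi
	"$NPFCTL" reload "$cfg"
}

# Swap a table's contents for the addresses in a file (one address or
# CIDR per line). The -t type must match the type declared in npf.conf.
npf_table_replace() {
	"$NPFCTL" table "$1" replace -t ipset "$2"
}

# Block a source address at run time through the dynamic ruleset; npfctl
# reports the new rule's ID, which 'npfctl rule dynblock rem-id' accepts.
npf_dynblock() {
	"$NPFCTL" rule dynblock add block in final from "$1"
}

# Demonstration flow with a constructed blocklist (run as root on NetBSD).
main() {
	dir=$(mktemp -d)
	write_example_conf "$dir/npf.conf"
	printf '192.0.2.0/24\n198.51.100.7\n' > "$dir/blocklist"
	npf_safe_reload "$dir/npf.conf" || exit 1
	npf_table_replace blocklist "$dir/blocklist"
	npf_dynblock 203.0.113.9
	"$NPFCTL" table blocklist list
}

# Run the flow only when asked for, so the functions can also be sourced.
if [ "${NPF_RUN:-0}" = 1 ]; then
	main "$@"
fi
```

Run as `NPF_RUN=1 sh npf-reload.sh` on the firewall, or source the file and call npf_safe_reload against /etc/npf.conf from a deploy script; the validate step is what keeps a bad push from reaching the kernel.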

Revision 1.10, Thu Nov 15 22:22:53 2012 UTC by rmind
Branch: MAIN
Changes since 1.9: +14 -7 lines

npfctl(8): mention table listing.

Revision 1.9, Mon Aug 13 01:18:32 2012 UTC by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base6
Branch point for: tls-maxphys
Changes since 1.8: +17 -16 lines

- npfctl show: add most of the missing cases.
- Few minor improvements to NPF man pages.

Revision 1.8, Sun Jul 1 23:21:07 2012 UTC by rmind
Branch: MAIN
Changes since 1.7: +2 -2 lines

NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix a few theoretical races in the session handling module.
- Misc fixes, simplifications and some clean up.

Revision 1.7, Wed Jun 27 23:05:28 2012 UTC by rmind
Branch: MAIN
Changes since 1.6: +9 -3 lines

Fix and update npf.conf(5), npfctl(8) and its usage message.

Revision 1.6, Thu Mar 24 05:48:54 2011 UTC by jruoho
Branch: MAIN
CVS Tags: yamt-pagecache-base5, yamt-pagecache-base4, yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, netbsd-6-base, cherry-xenmp-base, cherry-xenmp
Branch point for: yamt-pagecache, netbsd-6
Changes since 1.5: +3 -3 lines

As per request from the author, put non-standard PERFORMANCE back.

Revision 1.5, Tue Mar 22 07:40:10 2011 UTC by jruoho
Branch: MAIN
Changes since 1.4: +14 -15 lines

Use 'offset indent' for the list of commands. Emphasize valid commands.
Remove PERFORMANCE (too small paragraph to warrant a section).

Revision 1.4, Tue Jan 18 20:33:45 2011 UTC by rmind
Branch: MAIN
CVS Tags: bouyer-quota2-nbase, bouyer-quota2-base, bouyer-quota2
Changes since 1.3: +30 -7 lines

NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and
  potentially other functions from the rule structure.  Rule procedure can be
  shared amongst the rules.  Separation is both at kernel level (npf_rproc_t)
  and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic.  Use TCP FSM definitions.
- Add if_byindex(), OK by matt@.  Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.

Revision 1.3, Tue Sep 14 11:04:57 2010 UTC by kim
Branch: MAIN
CVS Tags: matt-mips64-premerge-20101231
Changes since 1.2: +3 -3 lines

Fix remaining references for npf.conf(8) to npf.conf(5)

Revision 1.2, Tue Aug 24 23:55:05 2010 UTC by rmind
Branch: MAIN
Changes since 1.1: +2 -2 lines

Move npf.conf(5-8) into the correct section, hence npf.conf(5).

Revision 1.1, Sun Aug 22 18:56:24 2010 UTC by rmind
Branch: MAIN

Import NPF - a packet filter.  Some features:

- Designed to be fully MP-safe and highly efficient.

- Tables/IP sets (hash or red-black tree) for high performance lookups.

- Stateful filtering and Network Address Port Translation (NAPT).
  Framework for application level gateways (ALGs).

- Packet inspection engine called n-code processor - inspired by BPF -
  supporting generic RISC-like and specific CISC-like instructions for
  common patterns (e.g. IPv4 address matching).  See npf_ncode(9) manual.

- Convenient userland utility npfctl(8) with npf.conf(8).

NOTE: This is not yet a fully capable alternative to PF or IPFilter.
Further work (support for binat/rdr, return-rst/return-icmp, common ALGs,
state saving/restoring, logging, etc) is in progress.

Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@




