Up to [cvs.NetBSD.org] / src / usr.sbin / npf / npfctl
Default branch: MAIN
Current tag: MAIN
Revision 1.25, Sat May 30 14:16:56 2020 UTC (3 years, 9 months ago) by rmind
Branch: MAIN
CVS Tags: triaxx-drm, netbsd-10-base, netbsd-10-0-RC6, netbsd-10-0-RC5, netbsd-10-0-RC4, netbsd-10-0-RC3, netbsd-10-0-RC2, netbsd-10-0-RC1, netbsd-10, cjep_sun2x-base1, cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x, HEAD
Changes since 1.24: +27 -11 lines
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction' settings. Users can now choose whether the connection state should be strictly per-interface or global at the configuration level. Keep NAT logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce more parameters. Remove npf_nvlist_{copyin,copyout}() functions and refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have a single entry point for operations. Introduce npf_flow_t and clean up some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list' more informative; misc usability improvements and more user-friendly error messages.
- Amend and improve the manual pages.
Revision 1.24, Mon Sep 30 21:06:16 2019 UTC (4 years, 5 months ago) by uwe
Branch: MAIN
CVS Tags: phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, phil-wifi-20191119, is-mlppp-base, is-mlppp
Changes since 1.23: +2 -2 lines
Use -width Pa for FILES.
Revision 1.23, Mon Sep 30 20:53:12 2019 UTC (4 years, 5 months ago) by uwe
Branch: MAIN
Changes since 1.22: +2 -2 lines
Fix pasto in table replace -t type
Revision 1.22, Sun Sep 29 16:58:35 2019 UTC (4 years, 5 months ago) by rmind
Branch: MAIN
Changes since 1.21: +39 -10 lines
npfctl: implement table replace subcommand. Contributed by Timshel Knoll-Miller.
Revision 1.21, Sat Jan 19 21:19:32 2019 UTC (5 years, 1 month ago) by rmind
Branch: MAIN
CVS Tags: phil-wifi-20190609, pgoyette-compat-20190127, netbsd-9-base
Branch point for: netbsd-9
Changes since 1.20: +6 -6 lines
Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be selected from a pool of addresses. There are two selection algorithms, "ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
Revision 1.20, Sun Dec 10 22:04:41 2017 UTC (6 years, 3 months ago) by rmind
Branch: MAIN
CVS Tags: phil-wifi-base, pgoyette-compat-base, pgoyette-compat-20190118, pgoyette-compat-1226, pgoyette-compat-1126, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625, pgoyette-compat-0521, pgoyette-compat-0502, pgoyette-compat-0422, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315
Branch point for: phil-wifi, pgoyette-compat
Changes since 1.19: +4 -3 lines
npfctl: add support for the 'no-ports' flag in the 'map' statements. This allows us to create a NAT policy without the port translation.
Revision 1.19, Tue Dec 27 20:55:11 2016 UTC (7 years, 2 months ago) by christos
Branch: MAIN
CVS Tags: prg-localcount2-base3, prg-localcount2-base2, prg-localcount2-base1, prg-localcount2-base, prg-localcount2, pgoyette-localcount-20170426, pgoyette-localcount-20170320, pgoyette-localcount-20170107, perseant-stdc-iso10646-base, perseant-stdc-iso10646, netbsd-8-base, netbsd-8-2-RELEASE, netbsd-8-1-RELEASE, netbsd-8-1-RC1, netbsd-8-0-RELEASE, netbsd-8-0-RC2, netbsd-8-0-RC1, netbsd-8, matt-nb8-mediatek-base, matt-nb8-mediatek, bouyer-socketcan-base1, bouyer-socketcan-base, bouyer-socketcan
Changes since 1.18: +20 -2 lines
Document list
Revision 1.18, Tue May 24 05:46:57 2016 UTC (7 years, 9 months ago) by wiz
Branch: MAIN
CVS Tags: pgoyette-localcount-base, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, localcount-20160914
Branch point for: pgoyette-localcount
Changes since 1.17: +2 -2 lines
Fix typo. From Michael Scherer in PR 51162.
Revision 1.17, Sun Aug 3 00:02:56 2014 UTC (9 years, 7 months ago) by rmind
Branch: MAIN
CVS Tags: tls-maxphys-base, tls-earlyentropy-base, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-2-RELEASE, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-1, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE, netbsd-7-0, netbsd-7
Changes since 1.16: +4 -3 lines
Cross-link npf(7).
Revision 1.16, Wed Jul 23 01:25:34 2014 UTC (9 years, 7 months ago) by rmind
Branch: MAIN
Changes since 1.15: +16 -20 lines
NPF: rework of the connection saving and restoring:
- Add support for saving a snapshot of the current connections together with a full configuration. Support a reverse load operation. Eliminate the old 'sess-save' and 'sess-load' in favour of the new mechanism.
- Share code between load and reload operations: the latter performs load from npf.conf without affecting the connections.
- Simplify and fix races with connection loading.
- Bump NPF_VERSION.
Revision 1.15, Fri Sep 20 21:30:49 2013 UTC (10 years, 5 months ago) by wiz
Branch: MAIN
CVS Tags: yamt-pagecache-base9, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3
Branch point for: tls-earlyentropy
Changes since 1.14: +2 -2 lines
Remove trailing whitespace.
Revision 1.14, Thu Sep 19 12:05:11 2013 UTC (10 years, 6 months ago) by rmind
Branch: MAIN
Changes since 1.13: +5 -5 lines
npfctl: remove some n-code leftovers, fix the build, update the man pages.
Revision 1.13, Sat Feb 16 21:11:15 2013 UTC (11 years, 1 month ago) by rmind
Branch: MAIN
CVS Tags: riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2, agc-symver-base, agc-symver
Changes since 1.12: +9 -2 lines
- Convert NPF dynamic rule ID to just incremented 64-bit counter.
- Fix multiple bugs. Also, update the man page.
Revision 1.12, Sat Feb 9 03:35:33 2013 UTC (11 years, 1 month ago) by rmind
Branch: MAIN
Changes since 1.11: +26 -3 lines
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library or via npfctl rule command. A rule can be removed using a unique identifier, returned on addition, or using a key which is SHA1 hash of the rule. Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Revision 1.11, Mon Dec 10 02:26:04 2012 UTC (11 years, 3 months ago) by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base8, yamt-pagecache-base7
Changes since 1.10: +12 -2 lines
npfctl: add 'validate' command to check the config, but not load it. Update the man page. Also add a small note about 'debug' command, PR/47298.
Revision 1.10, Thu Nov 15 22:22:53 2012 UTC (11 years, 4 months ago) by rmind
Branch: MAIN
Changes since 1.9: +14 -7 lines
npfctl(8): mention table listing.
Revision 1.9, Mon Aug 13 01:18:32 2012 UTC (11 years, 7 months ago) by rmind
Branch: MAIN
CVS Tags: yamt-pagecache-base6
Branch point for: tls-maxphys
Changes since 1.8: +17 -16 lines
- npfctl show: add most of the missing cases.
- Few minor improvements to NPF man pages.
Revision 1.8, Sun Jul 1 23:21:07 2012 UTC (11 years, 8 months ago) by rmind
Branch: MAIN
Changes since 1.7: +2 -2 lines
NPF improvements:
- Add NPF_OPCODE_PROTO to match the address and/or protocol only.
- Update parser to support arbitrary "pass proto <name/number>".
- Fix IPv6 address and protocol handling (add a regression test).
- Fix few theoretical races in session handling module.
- Misc fixes, simplifications and some clean up.
Revision 1.7, Wed Jun 27 23:05:28 2012 UTC (11 years, 8 months ago) by rmind
Branch: MAIN
Changes since 1.6: +9 -3 lines
Fix and update npf.conf(5), npfctl(8) and its usage message.
Revision 1.6, Thu Mar 24 05:48:54 2011 UTC (12 years, 11 months ago) by jruoho
Branch: MAIN
CVS Tags: yamt-pagecache-base5, yamt-pagecache-base4, yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, netbsd-6-base, cherry-xenmp-base, cherry-xenmp
Branch point for: yamt-pagecache, netbsd-6
Changes since 1.5: +3 -3 lines
As per request from the author, put non-standard PERFORMANCE back.
Revision 1.5, Tue Mar 22 07:40:10 2011 UTC (13 years ago) by jruoho
Branch: MAIN
Changes since 1.4: +14 -15 lines
Use 'offset indent' for the list of commands. Emphasize valid commands. Remove PERFORMANCE (too small paragraph to warrant a section).
Revision 1.4, Tue Jan 18 20:33:45 2011 UTC (13 years, 2 months ago) by rmind
Branch: MAIN
CVS Tags: bouyer-quota2-nbase, bouyer-quota2-base, bouyer-quota2
Changes since 1.3: +30 -7 lines
NPF checkpoint:
- Add the concept of rule procedure: separate normalization, logging and potentially other functions from the rule structure. Rule procedure can be shared amongst the rules. Separation is both at kernel level (npf_rproc_t) and configuration ("procedure" + "apply").
- Fix portmap sharing for NAT policy.
- Update TCP state tracking logic. Use TCP FSM definitions.
- Add if_byindex(), OK by matt@. Use in logging for the lookup.
- Fix traceroute ALG and many other bugs; misc clean-up.
Revision 1.3, Tue Sep 14 11:04:57 2010 UTC (13 years, 6 months ago) by kim
Branch: MAIN
CVS Tags: matt-mips64-premerge-20101231
Changes since 1.2: +3 -3 lines
Fix remaining references for npf.conf(8) to npf.conf(5)
Revision 1.2, Tue Aug 24 23:55:05 2010 UTC (13 years, 6 months ago) by rmind
Branch: MAIN
Changes since 1.1: +2 -2 lines
Move npf.conf(5-8) into the correct section, hence npf.conf(5).
Revision 1.1, Sun Aug 22 18:56:24 2010 UTC (13 years, 6 months ago) by rmind
Branch: MAIN
Import NPF - a packet filter. Some features:
- Designed to be fully MP-safe and highly efficient.
- Tables/IP sets (hash or red-black tree) for high performance lookups.
- Stateful filtering and Network Address Port Translation (NAPT). Framework for application level gateways (ALGs).
- Packet inspection engine called n-code processor - inspired by BPF - supporting generic RISC-like and specific CISC-like instructions for common patterns (e.g. IPv4 address matching). See npf_ncode(9) manual.
- Convenient userland utility npfctl(8) with npf.conf(8).
NOTE: This is not yet a fully capable alternative to PF or IPFilter. Further work (support for binat/rdr, return-rst/return-icmp, common ALGs, state saving/restoring, logging, etc) is in progress.
Thanks a lot to Matt Thomas for various useful comments and code review.
Aye by: board@