NPF(3) NetBSD Library Functions Manual NPF(3)
NAME
npf -- NPF packet filter library
LIBRARY
library ``libnpf''
SYNOPSIS
#include <npf.h>
nl_config_t *
npf_config_create(void);
int
npf_config_submit(nl_config_t *ncf, int fd);
void
npf_config_destroy(nl_config_t *ncf);
int
npf_config_flush(int fd);
nl_rule_t *
npf_rule_create(char *name, uint32_t attr, u_int if_idx);
int
npf_rule_setcode(nl_rule_t *rl, int type, const void *code, size_t sz);
bool
npf_rule_exists_p(nl_config_t *ncf, const char *name);
int
npf_rule_insert(nl_config_t *ncf, nl_rule_t *parent, nl_rule_t *rl,
pri_t pri);
int
npf_rule_setproc(nl_config_t *ncf, nl_rule_t *rl, const char *name);
void
npf_rule_destroy(nl_rule_t *rl);
nl_rproc_t *
npf_rproc_create(char *name);
bool
npf_rproc_exists_p(nl_config_t *ncf, const char *name);
int
npf_rproc_insert(nl_config_t *ncf, nl_rproc_t *rp);
nl_nat_t *
npf_nat_create(int type, u_int flags, u_int if_idx, npf_addr_t *addr,
int af, in_port_t port);
int
npf_nat_insert(nl_config_t *ncf, nl_nat_t *nt, pri_t pri);
nl_table_t *
npf_table_create(u_int id, int type);
int
npf_table_add_entry(nl_table_t *tl, in_addr_t addr, in_addr_t mask);
bool
npf_table_exists_p(nl_config_t *ncf, u_int tid);
int
npf_table_insert(nl_config_t *ncf, nl_table_t *tl);
void
npf_table_destroy(nl_table_t *tl);
int
npf_update_rule(int fd, const char *rname, nl_rule_t *rl);
int
npf_sessions_send(int fd, const char *fpath);
int
npf_sessions_recv(int fd, const char *fpath);
DESCRIPTION
The npf library provides an interface to create an NPF configuration having
rules, tables, procedures, or translation policies. The configuration can be
submitted to the kernel.
FUNCTIONS
Configuration
npf_config_create()
Create a configuration.
npf_config_submit(ncf, fd)
Submit configuration ncf to the kernel.
npf_config_destroy(ncf)
Destroy the configuration ncf.
npf_config_flush(fd)
Flush the current configuration.
Rule interface
npf_rule_create(name, attr, if_idx)
Create a rule with the given name, attributes and interface index. Name can
be NULL, in which case the rule has no unique identifier. Otherwise,
rules shall not have duplicate names. The following attributes,
which can be ORed, are available:
NPF_RULE_PASS
Decision of this rule is "pass". If this attribute is not
specified, then packet "block" (drop) is the default.
NPF_RULE_DEFAULT
This is the default rule in the ruleset. There can only be a
single rule having this attribute set in the ruleset.
NPF_RULE_FINAL
Indicates that on rule match, further processing of the
ruleset should be stopped and this rule applied instantly.
NPF_RULE_STATEFUL
Create a state (session) on match, track the connection and
therefore pass the backwards stream without inspection.
NPF_RULE_RETRST
Return a TCP RST packet when the packet is blocked.
NPF_RULE_RETICMP
Return an ICMP destination unreachable message when the packet
is blocked.
NPF_RULE_IN
Rule may match only incoming packets.
NPF_RULE_OUT
Rule may match only outgoing packets.
Interface is specified by if_idx, which is the numeric representation
of an interface, as returned by if_nametoindex(3). Zero indicates any
interface.
npf_rule_setcode(rl, type, code, sz)
Assign compiled code for the rule specified by rl, used for filter
criteria. Pointer to the binary code is specified by code, and
size of the memory area by sz. Type of the code is specified by
type. Currently, only n-code is supported and NPF_CODE_NCODE
should be passed.
npf_rule_insert(ncf, parent, rl, pri)
Insert the rule into the set of the parent rule specified by parent.
If the value of parent is NULL, then insert into the main ruleset.
Priority is the order of the rule in the ruleset. A lower value
means processed first, a higher value means processed last. If
multiple rules have the same priority, their order is unspecified.
A special constant NPF_PRI_NEXT may be passed to use the value of
the last used priority incremented by 1.
npf_rule_setproc(ncf, rl, name)
Set procedure for the specified rule.
npf_rule_destroy(rl)
Destroy the given rule.
Rule procedure interface
npf_rproc_create(name)
Create a rule procedure with a given name. Name must be unique for
each procedure.
npf_rproc_insert(ncf, rp)
Insert rule procedure into the specified configuration.
Translation interface
npf_nat_create(type, flags, if_idx, addr, af, port)
Create a NAT translation policy of a specified type. There are two
types:
NPF_NATIN Inbound NAT policy.
NPF_NATOUT Outbound NAT policy.
A bi-directional NAT is obtained by combining two policies. The
following flags are supported:
NPF_NAT_PORTS Indicates to perform port translation. Otherwise,
port translation is not performed and port is
ignored.
NPF_NAT_PORTMAP Effective only if the NPF_NAT_PORTS flag is set.
Indicates to create a port map and select a random
port for translation. Otherwise, the port is
translated to the value specified by port.
Translation address is specified by addr, and its family by af.
Family must be either AF_INET for an IPv4 or AF_INET6 for an IPv6
address.
npf_nat_insert(ncf, nt, pri)
Insert NAT policy, its rule, into the specified configuration.
Table interface
npf_table_create(index, type)
Create an NPF table of the specified type. The following types are
supported:
NPF_TABLE_HASH Indicates to use a hash table for storage.
NPF_TABLE_TREE Indicates to use a red-black tree for storage.
Table is identified by index, which should be in the range between 1
and NPF_MAX_TABLE_ID.
npf_table_add_entry(tl, addr, mask)
Add an entry of IPv4 address and mask, specified by addr and mask,
to the table specified by tl.
npf_table_exists_p(ncf, tid)
Determine whether a table with ID tid exists in the configuration
ncf. Return true if it exists, and false otherwise.
npf_table_insert(ncf, tl)
Insert table into set of configuration. Routine performs a check
for duplicate table ID.
npf_table_destroy(tl)
Destroy the specified table.
Session interface
npf_update_rule(fd, rname, rl)
npf_sessions_send(fd, fpath)
Read the file specified by fpath, and send sessions saved in it to
the kernel.
npf_sessions_recv(fd, fpath)
Receive currently loaded session from the kernel, and save them to
a file specified by fpath.
SEE ALSO
npfctl(8), npf_ncode(9)
HISTORY
The NPF library first appeared in NetBSD 6.0.
NetBSD 6.0 July 1, 2012 NetBSD 6.0