1.\" $NetBSD: libnpf.3,v 1.12 2020/05/30 14:16:56 rmind Exp $ 2.\" 3.\" Copyright (c) 2011-2019 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This material is based upon work partially supported by The 7.\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28.\" POSSIBILITY OF SUCH DAMAGE. 29.\" 30.Dd May 30, 2020 31.Dt LIBNPF 3 32.Os 33.Sh NAME 34.Nm libnpf 35.Nd NPF packet filter library 36.Sh LIBRARY 37.Lb libnpf 38.Sh SYNOPSIS 39.In npf.h 40.\" --- 41.Ft nl_config_t * 42.Fn npf_config_create "void" 43.Ft int 44.Fn npf_config_submit "nl_config_t *ncf" "int fd" "npf_error_t *errinfo" 45.Ft nl_config_t * 46.Fn npf_config_retrieve "int fd" 47.Ft int 48.Fn npf_config_flush "int fd" 49.Ft void 50.Fn npf_config_export "nl_config_t *ncf" "size_t *len" 51.Ft nl_config_t * 52.Fn npf_config_import "const void *blob" "size_t len" 53.Ft bool 54.Fn npf_config_active_p "nl_config_t *ncf" 55.Ft bool 56.Fn npf_config_loaded_p "nl_config_t *ncf" 57.Ft void 58.Fn npf_config_destroy "nl_config_t *ncf" 59.\" --- 60.Ft nl_rule_t * 61.Fn npf_rule_create "const char *name" "uint32_t attr" "const char *ifname" 62.Ft int 63.Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t len" 64.Ft int 65.Fn npf_rule_setkey "nl_rule_t *rl" "const void *key" "size_t len" 66.Ft int 67.Fn npf_rule_setinfo "nl_rule_t *rl" "const void *info" "size_t len" 68.Ft int 69.Fn npf_rule_setprio "nl_rule_t *rl" "int pri" 70.Ft int 71.Fn npf_rule_setproc "nl_rule_t *rl" "const char *name" 72.Ft int 73.Fn npf_rule_insert "nl_config_t *ncf" "nl_rule_t *parent" "nl_rule_t *rl" 74.Ft bool 75.Fn npf_rule_exists_p "nl_config_t *ncf" "const char *name" 76.Ft void * 77.Fn npf_rule_export "nl_rule_t *rl" "size_t *length" 78.Ft void 79.Fn npf_rule_destroy "nl_rule_t *rl" 80.\" --- 81.Ft nl_rproc_t * 82.Fn npf_rproc_create "const char *name" 83.Ft int 84.Fn npf_rproc_extcall "nl_rproc_t *rp" "nl_ext_t *ext" 85.Ft bool 86.Fn npf_rproc_exists_p "nl_config_t *ncf" "const char *name" 87.Ft int 88.Fn npf_rproc_insert "nl_config_t *ncf" "nl_rproc_t *rp" 89.\" --- 90.Ft nl_nat_t * 91.Fn npf_nat_create "int type" "unsigned flags" "const char *ifname" 92.Ft int 93.Fn npf_nat_setaddr "nl_nat_t *nt" "int af" "npf_addr_t *addr" \ 94"npf_netmask_t mask" 95.Ft int 96.Fn npf_nat_setport "nl_nat_t *nt" "in_port_t port" 97.Ft int 98.Fn npf_nat_insert "nl_config_t *ncf" "nl_nat_t *nt" 99.\" --- 100.Ft nl_table_t * 101.Fn npf_table_create "const char *name" "unsigned id" "int type" 102.Ft int 103.Fn npf_table_add_entry "nl_table_t *tl" "int af" \ 104"const npf_addr_t *addr" "const npf_netmask_t mask" 105.Ft int 106.Fn npf_table_insert "nl_config_t *ncf" "nl_table_t *tl" 107.Ft int 108.Fn npf_table_replace "int fd" "nl_table_t *tl" "npf_error_t *errinfo" 109.Ft void 110.Fn npf_table_destroy "nl_table_t *tl" 111.\" --- 112.Ft int 113.Fn npf_ruleset_add "int fd" "const char *name" "nl_rule_t *rl" "uint64_t *id" 114.Ft int 115.Fn npf_ruleset_remove "int fd" "const char *name" "uint64_t id" 116.Ft int 117.Fn npf_ruleset_remkey "int fd" "const char *name" "const void *key" "size_t len" 118.Ft int 119.Fn npf_ruleset_flush "int fd" "const char *name" 120.\" ----- 121.Sh DESCRIPTION 122The 123.Nm 124library provides an interface to create an NPF configuration having rules, 125tables, procedures, or translation policies. 126The configuration can be submitted to the kernel. 127.\" ----- 128.Sh FUNCTIONS 129.Ss Configuration 130.Bl -tag -width 4n 131.It Fn npf_config_create 132Create a new configuration object. 133.It Fn npf_config_submit "ncf" "fd" "errinfo" 134Submit the configuration object, specified by 135.Fa ncf , 136to the kernel. 137On failure, the error information is written into the structure 138specified by 139.Fa errinfo . 140.It Fn npf_config_export "ncf" "len" 141Serialize the given configuration and return the binary object as 142well as its length in 143.Fa len 144parameter. 145The binary object is dynamically allocated and should be destroyed using 146.Xr free 3 . 147.It Fn npf_config_import "blob" "len" 148Read the configuration from a binary object of the specified length, 149unserialize, and return the configuration object. 150.It Fn npf_config_flush "fd" 151Flush the current configuration. 152.It Fn npf_config_retrieve "fd" 153Retrieve and return the loaded configuration from the kernel. 154.It Fn npf_config_active_p "ncf" 155Indicate whether the retrieved configuration is active i.e. packet 156filtering is enabled (true if yes and false otherwise). 157.It Fn npf_config_loaded_p "ncf" 158Indicate whether the retrieved configuration is loaded i.e. has any 159rules (true if yes and false otherwise). 160.It Fn npf_config_destroy "ncf" 161Destroy the configuration object, specified by 162.Fa ncf . 163.El 164.\" --- 165.Ss Rule interface 166.Bl -tag -width 4n 167.It Fn npf_rule_create "name" "attr" "ifname" 168Create a rule with a given name, attributes and priority. 169If the name is specified, then it should be unique within the 170configuration object. 171Otherwise, the name can be 172.Dv NULL , 173in which case the rule will have no identifier. 174The following attributes, which can be ORed, are available: 175.Bl -tag -width indent 176.It Dv NPF_RULE_PASS 177The decision of this rule shall be "pass". 178If this attribute is not 179specified, then "block" (drop the packet) is the default. 180.It Dv NPF_RULE_IN 181Match the incoming packets. 182.It Dv NPF_RULE_OUT 183Match the outgoing packets. 184.It Dv NPF_RULE_FINAL 185Indicate that on rule match, further processing of the ruleset should 186be stopped and this rule should be applied instantly. 187.It Dv NPF_RULE_STATEFUL 188Create a state (session) on match, track the connection and pass the 189backwards stream (the returning packets) without the ruleset inspection. 190The state is uniquely identified by an n-tuple key. 191.It Dv NPF_RULE_GSTATEFUL 192Exclude the interface identifier from the state key (n-tuple). 193This makes the state global with respect to the network interfaces. 194The state is also picked for packets travelling in different direction 195than originally. 196.It Dv NPF_RULE_RETRST 197Return TCP RST packet in a case of packet block. 198.It Dv NPF_RULE_RETICMP 199Return ICMP destination unreachable in a case of packet block. 200.It Dv NPF_RULE_GROUP 201Allow this rule to have sub-rules. 202If this flag is used with the 203.Dv NPF_RULE_DYNAMIC 204flag set, then it is a dynamic group. 205The sub-rules can be added dynamically to a dynamic group, also meaning 206that the sub-rules must have the 207.Dv NPF_RULE_DYNAMIC 208flag set. 209Otherwise rules must be added statically i.e. created with the configuration. 210.It Dv NPF_RULE_DYNAMIC 211Indicate that the rule is dynamic. 212Such rules can only be added to the dynamic groups. 213.El 214.Pp 215The interface is specified by the 216.Fa ifname 217string. 218.Dv NULL 219indicates any interface. 220.\" --- 221.It Fn npf_rule_setcode "rl" "type" "code" "len" 222Assign the code for the rule specified by 223.Fa rl . 224The code is used to implement the filter criteria. 225The pointer to the binary code is specified by 226.Fa code , 227the size of the memory area by 228.Fa len , 229and the type of the code is specified by 230.Fa type . 231Currently, only the BPF byte-code is supported and the 232.Dv NPF_CODE_BPF 233constant should be passed. 234.\" --- 235.It Fn npf_rule_setkey "rl" "key" "len" 236Assign a key for the rule specified by 237.Fa rl . 238The binary key is specified by 239.Fa key , 240and its size by 241.Fa len . 242The size shall not exceed 243.Dv NPF_RULE_MAXKEYLEN . 244The kernel does not check whether key is unique, therefore it is the 245responsibility of the caller. 246.\" --- 247.It Fn npf_rule_setinfo "rl" "info" "len" 248Associate an arbitrary information blob specified by 249.Fa info , 250and its size by 251.Fa len . 252This may be used for such purposes as the byte-code annotation. 253.\" --- 254.It Fn npf_rule_setprio "rl" "pri" 255Set priority to the rule. 256Negative priorities are invalid. 257.Pp 258The priority is the order of the rule in the ruleset. 259The lower value means first to process, the higher value - last to process. 260If multiple rules are inserted with the same priority, 261then the order is unspecified. 262.Pp 263The special constants 264.Dv NPF_PRI_FIRST 265and 266.Dv NPF_PRI_LAST 267can be passed to indicate that the rule should be inserted into the 268beginning or the end of the priority level 0 in the ruleset. 269All rules inserted using these constants will have the priority 0 270assigned and will share this level in the ordered way. 271.\" --- 272.It Fn npf_rule_setproc "rl" "name" 273Set a procedure for the specified rule. 274.\" --- 275.It Fn npf_rule_insert "ncf" "parent" "rl" 276Insert the rule into the set of the parent rule specified by 277.Fa parent . 278If the value of 279.Fa parent 280is 281.Dv NULL , 282then insert into the main ruleset. 283The rule will be consumed (the relevant resourced will be freed) and it 284must not be referenced after insertion. 285.\" --- 286.It Fn npf_rule_exists_p "ncf" "name" 287Check whether the rule with a given name is already in the configuration. 288.\" --- 289.It Fn npf_rule_export "rl" "length" 290Serialize the rule (including the byte-code), return a binary object 291and set its 292.Fa length . 293The binary object is dynamically allocated and should be destroyed using 294.Xr free 3 . 295.\" --- 296.It Fn npf_rule_destroy "rl" 297Destroy the given rule object. 298.El 299.\" ----- 300.Ss Rule procedure interface 301.Bl -tag -width 4n 302.It Fn npf_rproc_create "name" 303Create a rule procedure with a given 304.Fa name . 305Thr name must be unique for each procedure. 306.It Fn npf_rproc_insert "ncf" "rp" 307Insert the rule procedure into the specified configuration object. 308The rule procedure must not be referenced after insertion. 309.El 310.\" ----- 311.Ss Translation interface 312.Bl -tag -width 4n 313.It Fn npf_nat_create "type" "flags" "ifname" 314Create a NAT policy of a specified type. 315There are two types: 316.Bl -tag -width "NPF_NAT_PORTMAP " 317.It Dv NPF_NATIN 318Inbound NAT policy (rewrite destination). 319.It Dv NPF_NATOUT 320Outbound NAT policy (rewrite source). 321.El 322.Pp 323A bi-directional NAT is obtained by combining two policies. 324The following 325.Fa flags 326are supported: 327.Bl -tag -width "NPF_NAT_PORTMAP " 328.It Dv NPF_NAT_STATIC 329Perform static (stateless) translation rather than dynamic (stateful). 330.It Dv NPF_NAT_PORTS 331Perform the port translation. 332If this flag is not specified, then the port translation is not performed 333and the 334.Fa port 335parameter is ignored. 336.It Dv NPF_NAT_PORTMAP 337Create a port map and select a random port for translation. 338If enabled, then the value specified by the 339.Fa port 340parameter is ignored. 341This flag is effective only if the 342.Dv NPF_NAT_PORTS 343flag is set. 344.El 345.Pp 346The network interface on which the policy will be applicable is specified by 347.Fa ifname . 348.\" --- 349.It Fn npf_nat_setaddr "nt" "af" "addr" "mask" 350Set the translation address, as specified by 351.Fa addr , 352and its family by 353.Fa af . 354The family must be either 355.Dv AF_INET 356for IPv4 or 357.Dv AF_INET6 358for IPv6 address. 359Additionally, 360.Fa mask 361may be specified to indicate the translation network; 362otherwise, it should be set to 363.Dv NPF_NO_NETMASK . 364.Pp 365In order to use the translation network, a custom algorithm may need to 366be specified using the 367.Fn npf_nat_setalgo 368function. 369.\" --- 370.It Fn npf_nat_setport "nt" "port" 371Set the translation port, specified by 372.Fa port . 373.\" --- 374.It Fn npf_nat_setalgo "nt" "algo" 375Set a particular NAT algorithm. 376Currently, the following algorithms are supported with dynamic NAT: 377.Bl -tag -width "NPF_ALGO_IPHASH" 378.It Dv NPF_ALGO_IPHASH 379Hash of the source and destination addresses. 380.It Dv NPF_ALGO_RR 381Round-robin for the translation addresses. 382.It Dv NPF_ALGO_NETMAP 383Network-to-network map as described below, but with state tracking. 384It is used when it is necessary to translate the ports. 385.El 386.Pp 387The following are support with static NAT: 388.Bl -tag -width "NPF_ALGO_NETMAP" 389.It Dv NPF_ALGO_NETMAP 390Network-to-network map where the translation network prefix (address 391after applying the mask) is bitwise OR-ed with the host part of the 392original address (zero bits of the mask). 393.It Dv NPF_ALGO_NPT66 394IPv6-to-IPv6 Network Prefix Translation (NPTv6, defined in RFC 6296). 395.El 396.\" --- 397.It Fn npf_nat_insert "ncf" "nt" 398Insert the NAT policy, its rule, into the specified configuration. 399The NAT rule must not be referenced after insertion. 400.El 401.\" ----- 402.Ss Table interface 403.Bl -tag -width 4n 404.It Fn npf_table_create "name" "index" "type" 405Create an NPF table of a specified type. 406The table is identified by the 407.Fa name 408and 409.Fa index , 410which should be in the range between 1 and 411.Dv NPF_MAX_TABLES . 412.Pp 413The following types are supported: 414.Bl -tag -width "NPF_TABLE_IPSET" 415.It Dv NPF_TABLE_IPSET 416Indicates to use a regular associative array for storage of IP sets. 417Currently implemented as a hashmap. 418.It Dv NPF_TABLE_LPM 419Indicates to the table can contain networks (as well as hosts) and the 420longest prefix match should be performed on lookup. 421.It Dv NPF_TABLE_CONST 422Indicates that the table contents will be constant and the table can be 423considered immutable (no inserts/removes after load). 424If such constraint is acceptable, this table type will provide the best 425performance. 426It is currently implemented as a perfect hash table, generated on table 427insertion into the configuration. 428.El 429.\" --- 430.It Fn npf_table_add_entry "tl" "af" "addr" "mask" 431Add an entry of IP address and mask, specified by 432.Fa addr 433and 434.Fa mask , 435to the table specified by 436.Fa tl . 437The family, specified by 438.Fa af , 439must be either 440.Dv AF_INET 441for IPv4 or 442.Dv AF_INET6 443for IPv6 address. 444If there is no mask, then 445.Fa mask 446should be set to 447.Dv NPF_NO_NETMASK . 448.\" --- 449.It Fn npf_table_insert "ncf" "tl" 450Add the table to the configuration object. 451This routine performs a check for duplicate table IDs. 452The table must not be referenced after insertion. 453.\" --- 454.It Fn npf_table_replace "fd" "tl" "errinfo" 455Submit the table object, specified by 456.Fa tl , 457to the kernel, to replace the existing table with the 458corresponding table name and ID. 459On failure, the error information is written into the structure 460specified by 461.Fa errinfo . 462.\" --- 463.It Fn npf_table_destroy "tl" 464Destroy the specified table. 465.El 466.\" ----- 467.Ss Ruleset interface 468.Bl -tag -width 4n 469.It Fn npf_ruleset_add "fd" "name" "rl" "id" 470Add a given rule, specified by 471.Fa rl , 472into the dynamic ruleset named 473.Fa name . 474On success, return 0 and a unique rule ID in the 475.Fa id 476parameter. 477.It Fn npf_ruleset_remove "fd" "name" "id" 478Remove a rule from the dynamic ruleset, specified by 479.Fa name . 480The rule is specified by its unique ID in the 481.Fa id 482parameter. 483.It Fn npf_ruleset_remkey "fd" "name" "key" "len" 484Remove a rule from the dynamic ruleset, specified by 485.Fa name . 486The rule is specified by its key, in the 487.Fa key 488and 489.Fa len 490parameters. 491The key for the rule must have been set during its construction, using the 492.Fn npf_rule_setkey 493routine. 494.It Fn npf_ruleset_flush "fd" "name" 495Clear the dynamic ruleset, specified by 496.Fa name , 497by removing all its rules. 498.El 499.\" ----- 500.Sh SEE ALSO 501.Xr bpf 4 , 502.Xr npf 7 , 503.Xr npfctl 8 504.Sh HISTORY 505The NPF library first appeared in 506.Nx 6.0 . 507