1.\" $NetBSD: libnpf.3,v 1.5 2017/12/07 00:22:06 rmind Exp $ 2.\" 3.\" Copyright (c) 2011-2017 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This material is based upon work partially supported by The 7.\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28.\" POSSIBILITY OF SUCH DAMAGE. 29.\" 30.Dd December 7, 2017 31.Dt LIBNPF 3 32.Os 33.Sh NAME 34.Nm libnpf 35.Nd NPF packet filter library 36.Sh LIBRARY 37.Lb libnpf 38.Sh SYNOPSIS 39.In npf.h 40.\" --- 41.Ft nl_config_t * 42.Fn npf_config_create "void" 43.Ft int 44.Fn npf_config_submit "nl_config_t *ncf" "int fd" "nl_error_t *errinfo" 45.Ft nl_config_t * 46.Fn npf_config_retrieve "int fd" "bool *active" "bool *loaded" 47.Ft int 48.Fn npf_config_flush "int fd" 49.Ft void 50.Fn npf_config_export "const nl_config_t *ncf" "size_t *len" 51.Ft nl_config_t * 52.Fn npf_config_import "const void *blob" "size_t len" 53.Ft bool 54.Fn npf_config_active_p "nl_config_t *ncf" 55.Ft void 56.Fn npf_config_destroy "nl_config_t *ncf" 57.\" --- 58.Ft nl_rule_t * 59.Fn npf_rule_create "char *name" "uint32_t attr" "const char *ifname" 60.Ft int 61.Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t len" 62.Ft int 63.Fn npf_rule_setkey "nl_rule_t *rl" "int type" "const void *code" "size_t len" 64.Ft int 65.Fn npf_rule_setinfo "nl_rule_t *rl" "const void *info" "size_t len" 66.Ft bool 67.Fn npf_rule_exists_p "nl_config_t *ncf" "const char *name" 68.Ft int 69.Fn npf_rule_setprio "nl_rule_t *rl" "int pri" 70.Ft int 71.Fn npf_rule_setproc "nl_config_t *ncf" "nl_rule_t *rl" "const char *name" 72.Ft int 73.Fn npf_rule_insert "nl_config_t *ncf" "nl_rule_t *parent" "nl_rule_t *rl" 74.Ft void * 75.Fn npf_rule_export "nl_rule_t *rl" "size_t *length" 76.Ft void 77.Fn npf_rule_destroy "nl_rule_t *rl" 78.\" --- 79.Ft nl_rproc_t * 80.Fn npf_rproc_create "char *name" 81.Ft bool 82.Fn npf_rproc_exists_p "nl_config_t *ncf" "const char *name" 83.Ft int 84.Fn npf_rproc_insert "nl_config_t *ncf" "nl_rproc_t *rp" 85.\" --- 86.Ft nl_nat_t * 87.Fn npf_nat_create "int type" "u_int flags" "const char *ifname" \ 88"npf_addr_t *addr" "int af" "in_port_t port" 89.Ft int 90.Fn npf_nat_insert "nl_config_t *ncf" "nl_nat_t *nt" "pri_t pri" 91.\" --- 92.Ft nl_table_t * 93.Fn npf_table_create "const char *name" "u_int id" "int type" 94.Ft int 95.Fn npf_table_add_entry "nl_table_t *tl" "int af" \ 96"in_addr_t addr" "in_addr_t mask" 97.Ft int 98.Fn npf_table_insert "nl_config_t *ncf" "nl_table_t *tl" 99.Ft void 100.Fn npf_table_destroy "nl_table_t *tl" 101.\" ----- 102.Sh DESCRIPTION 103The 104.Nm 105library provides an interface to create an NPF configuration having rules, 106tables, procedures, or translation policies. 107The configuration can be submitted to the kernel. 108.\" ----- 109.Sh FUNCTIONS 110.Ss Configuration 111.Bl -tag -width 4n 112.It Fn npf_config_create 113Create a new configuration object. 114.It Fn npf_config_submit "ncf" "fd" "errinfo" 115Submit the configuration object, specified by 116.Fa ncf , 117to the kernel. 118On failure, the error information is written into the structure 119specified by 120.Fa errinfo . 121.It Fn npf_config_export "fd" "len" 122Serialize the current configuration and return the binary object as 123well as its length in 124.Fa len 125parameter. 126The binary object is dynamically allocated and should be destroyed using 127.Xr free 3 . 128.It Fn npf_config_import "blob" "len" 129Read the configuration from a binary object of the specified length, 130unserialize, and return the configuration object. 131.It Fn npf_config_flush "fd" 132Flush the current configuration. 133.It Fn npf_config_retrieve "fd" "active" "loaded" 134Retrieve and return the loaded configuration from the kernel. 135.It Fn npf_config_active_p "ncf" 136Indicate whether the retrieved configuration is active (true if yes 137and false otherwise). 138.It Fn npf_config_destroy "ncf" 139Destroy the configuration object, specified by 140.Fa ncf . 141.El 142.\" --- 143.Ss Rule interface 144.Bl -tag -width 4n 145.It Fn npf_rule_create "name" "attr" "ifname" 146Create a rule with a given name, attribute and priorty. 147If the name is specified, then it should be unique within the 148configuration object. 149Otherwise, the name can be 150.Dv NULL , 151in which case the rule will have no identifier. 152The following attributes, which can be ORed, are available: 153.Bl -tag -width indent 154.It Dv NPF_RULE_PASS 155The decision of this rule shall be "pass". 156If this attribute is not 157specified, then "block" (drop the packet) is the default. 158.It Dv NPF_RULE_IN 159Match the incoming packets. 160.It Dv NPF_RULE_OUT 161Match the outgoing packets. 162.It Dv NPF_RULE_FINAL 163Indicate that on rule match, further processing of the ruleset should 164be stopped and this rule should be applied instantly. 165.It Dv NPF_RULE_STATEFUL 166Create a state (session) on match, track the connection and pass the 167backwards stream (the returning packets) without the ruleset inspection. 168The state is uniquely identified by a 5-tuple (source and destination 169IP addresses, port numbers and an interface identifier). 170.It Dv NPF_RULE_MULTIENDS 171Exclude the interface identifier from the state key i.e. use a 4-tuple. 172.It Dv NPF_RULE_RETRST 173Return TCP RST packet in a case of packet block. 174.It Dv NPF_RULE_RETICMP 175Return ICMP destination unreachable in a case of packet block. 176.It Dv NPF_RULE_GROUP 177Allow this rule to have sub-rules. 178If this flag is used with the 179.Dv NPF_RULE_DYNAMIC 180flag set, then it is a dynamic group. 181The sub-rules can be added dynamically to a dynamic group, also meaning 182that the sub-rules must have the 183.Dv NPF_RULE_DYNAMIC 184flag set. 185Otherwise rules must be added statically i.e. created with the configuration. 186.It Dv NPF_RULE_DYNAMIC 187Indicate that the rule is dynamic. 188Such rules can only be added to the dynamic groups. 189.El 190.Pp 191The interface is specified by the 192.Fa ifname 193string. 194.Dv NULL 195indicates any interface. 196.\" --- 197.It Fn npf_rule_setcode "rl" "type" "code" "len" 198Assign the code for the rule specified by 199.Fa rl . 200The code is used to implement the filter criteria. 201The pointer to the binary code is specified by 202.Fa code , 203the size of the memory area by 204.Fa len , 205and the type of the code is specified by 206.Fa type . 207Currently, only the BPF byte-code is supported and the 208.Dv NPF_CODE_BPF 209constant should be passed. 210.\" --- 211.It Fn npf_rule_setkey "rl" "type" "key" "len" 212Assign a key for the rule specified by 213.Fa rl . 214The binary key is specified by 215.Fa key , 216and its size by 217.Fa len . 218The size shall not exceed 219.Dv NPF_RULE_MAXKEYLEN . 220The kernel does not check whether key is unique, therefore it is the 221responsibility of the caller. 222.\" --- 223.It Fn npf_rule_setinfo "rl" "info" "len" 224Associate an arbitrary information blob specified by 225.Fa info , 226and its size by 227.Fa len . 228This may be used for such purposes as the byte-code annotation. 229.\" --- 230.It Fn npf_rule_setprio "rl" "pri" 231Set priority to the rule. 232Negative priorities are invalid. 233.Pp 234The priority is the order of the rule in the ruleset. 235The lower value means first to process, the higher value - last to process. 236If multiple rules are inserted with the same priority, 237then the order is unspecified. 238.Pp 239The special constants 240.Dv NPF_PRI_FIRST 241and 242.Dv NPF_PRI_LAST 243can be passed to indicate that the rule should be inserted into the 244beginning or the end of the priority level 0 in the ruleset. 245All rules inserted using these constants will have the priority 0 246assigned and will share this level in the ordered way. 247.\" --- 248.It Fn npf_rule_setproc "ncf" "rl" "name" 249Set a procedure for the specified rule. 250.\" --- 251.It Fn npf_rule_insert "ncf" "parent" "rl" 252Insert the rule into the set of the parent rule specified by 253.Fa parent . 254If the value of 255.Fa parent 256is 257.Dv NULL , 258then insert into the main ruleset. 259.\" --- 260.It Fn npf_rule_export "rl" "length" 261Serialize the rule (including the byte-code), return a binary object 262and set its 263.Fa length . 264The binary object is dynamically allocated and should be destroyed using 265.Xr free 3 . 266.\" --- 267.It Fn npf_rule_destroy "rl" 268Destroy the given rule object. 269.El 270.\" ----- 271.Ss Rule procedure interface 272.Bl -tag -width 4n 273.It Fn npf_rproc_create "name" 274Create a rule procedure with a given 275.Fa name . 276Thr name must be unique for each procedure. 277.It Fn npf_rproc_insert "ncf" "rp" 278Insert the rule procedure into the specified configuration object. 279.El 280.\" ----- 281.Ss Translation interface 282.Bl -tag -width 4n 283.It Fn npf_nat_create "type" "flags" "ifname" "addr" "af" "port" 284Create a NAT policy of a specified type. 285There are two types: 286.Bl -tag -width "NPF_NAT_PORTMAP " 287.It Dv NPF_NATIN 288Inbound NAT policy (rewrite destination). 289.It Dv NPF_NATOUT 290Outbound NAT policy (rewrite source). 291.El 292.Pp 293A bi-directional NAT is obtained by combining two policies. 294The following 295.Fa flags 296are supported: 297.Bl -tag -width "NPF_NAT_PORTMAP " 298.It Dv NPF_NAT_STATIC 299Perform static (stateless) translation rather than dynamic (stateful). 300.It Dv NPF_NAT_PORTS 301Perform the port translation. 302If this flag is not specified, then the port translation is not performed 303and the 304.Fa port 305parameter is ignored. 306.It Dv NPF_NAT_PORTMAP 307Create a port map and select a random port for translation. 308If enabled, then the value specified by the 309.Fa port 310parameter is ignored. 311This flag is effective only if the 312.Dv NPF_NAT_PORTS 313flag is set. 314.El 315.Pp 316The translation address is specified by 317.Fa addr , 318and its family by 319.Fa af . 320The family must be either 321.Dv AF_INET 322for IPv4 or 323.Dv AF_INET6 324for IPv6 address. 325.\" --- 326.It Fn npf_nat_setalgo "nt" "algo" 327Set a particular NAT algorithm. 328Currently, only 329.Dv NPF_ALGO_NPT66 330algorithm is supported for NPTv6 (RFC 6296). 331.\" --- 332.It Fn npf_nat_insert "ncf" "nt" "pri" 333Insert NAT policy, its rule, into the specified configuration. 334.El 335.\" ----- 336.Ss Table interface 337.Bl -tag -width 4n 338.It Fn npf_table_create "name" "index" "type" 339Create an NPF table of a specified type. 340The table is identified by the 341.Fa name 342and 343.Fa index , 344which should be in the range between 1 and 345.Dv NPF_MAX_TABLE_ID . 346.Pp 347The following types are supported: 348.Bl -tag -width "NPF_TABLE_HASH" 349.It Dv NPF_TABLE_HASH 350Indicates to use a hash table for storage. 351.It Dv NPF_TABLE_TREE 352Indicates to use a tree for storage, supporting the longest 353prefix match. 354.It Dv NPF_TABLE_CDB 355Indicates to use constant database for storage, typically using 356a perfect hash table. 357In such case, the database produced by 358.Xr cdbw 3 359should be set using the 360.Fn npf_table_setdata 361function. 362.El 363.\" --- 364.It Fn npf_table_add_entry "tl" "af" "addr" "mask" 365Add an entry of IP address and mask, specified by 366.Fa addr 367and 368.Fa mask , 369to the table specified by 370.Fa tl . 371The family, specified by 372.Fa af , 373must be either 374.Dv AF_INET 375for IPv4 or 376.Dv AF_INET6 377for IPv6 address. 378.It Fn npf_table_insert "ncf" "tl" 379Add the table to the configuration object. 380This routine performs a check for duplicate table IDs. 381.\" --- 382.It Fn npf_table_destroy "tl" 383Destroy the specified table. 384.El 385.\" ----- 386.Sh SEE ALSO 387.Xr bpf 4 , 388.Xr npf 7 , 389.Xr npfctl 8 390.Sh HISTORY 391The NPF library first appeared in 392.Nx 6.0 . 393