1.\" $NetBSD: libnpf.3,v 1.4 2016/12/27 21:25:12 wiz Exp $ 2.\" 3.\" Copyright (c) 2011-2015 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This material is based upon work partially supported by The 7.\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28.\" POSSIBILITY OF SUCH DAMAGE. 29.\" 30.Dd April 19, 2015 31.Dt LIBNPF 3 32.Os 33.Sh NAME 34.Nm libnpf 35.Nd NPF packet filter library 36.Sh LIBRARY 37.Lb libnpf 38.Sh SYNOPSIS 39.In npf.h 40.\" --- 41.Ft nl_config_t * 42.Fn npf_config_create "void" 43.Ft int 44.Fn npf_config_submit "nl_config_t *ncf" "int fd" "nl_error_t *errinfo" 45.Ft nl_config_t * 46.Fn npf_config_retrieve "int fd" "bool *active" "bool *loaded" 47.Ft int 48.Fn npf_config_flush "int fd" 49.Ft void 50.Fn npf_config_export "const nl_config_t *ncf" "size_t *len" 51.Ft nl_config_t * 52.Fn npf_config_import "const void *blob" "size_t len" 53.Ft bool 54.Fn npf_config_active_p "nl_config_t *ncf" 55.Ft void 56.Fn npf_config_destroy "nl_config_t *ncf" 57.\" --- 58.Ft nl_rule_t * 59.Fn npf_rule_create "char *name" "uint32_t attr" "const char *ifname" 60.Ft int 61.Fn npf_rule_setcode "nl_rule_t *rl" "int type" "const void *code" "size_t len" 62.Ft int 63.Fn npf_rule_setkey "nl_rule_t *rl" "int type" "const void *code" "size_t len" 64.Ft int 65.Fn npf_rule_setinfo "nl_rule_t *rl" "const void *info" "size_t len" 66.Ft bool 67.Fn npf_rule_exists_p "nl_config_t *ncf" "const char *name" 68.Ft int 69.Fn npf_rule_setprio "nl_rule_t *rl" "int pri" 70.Ft int 71.Fn npf_rule_setproc "nl_config_t *ncf" "nl_rule_t *rl" "const char *name" 72.Ft int 73.Fn npf_rule_insert "nl_config_t *ncf" "nl_rule_t *parent" "nl_rule_t *rl" 74.Ft void * 75.Fn npf_rule_export "nl_rule_t *rl" "size_t *length" 76.Ft void 77.Fn npf_rule_destroy "nl_rule_t *rl" 78.\" --- 79.Ft nl_rproc_t * 80.Fn npf_rproc_create "char *name" 81.Ft bool 82.Fn npf_rproc_exists_p "nl_config_t *ncf" "const char *name" 83.Ft int 84.Fn npf_rproc_insert "nl_config_t *ncf" "nl_rproc_t *rp" 85.\" --- 86.Ft nl_nat_t * 87.Fn npf_nat_create "int type" "u_int flags" "const char *ifname" \ 88"npf_addr_t *addr" "int af" "in_port_t port" 89.Ft int 90.Fn npf_nat_insert "nl_config_t *ncf" "nl_nat_t *nt" "pri_t pri" 91.\" --- 92.Ft nl_table_t * 93.Fn npf_table_create "const char *name" "u_int id" "int type" 94.Ft int 95.Fn npf_table_add_entry "nl_table_t *tl" "int af" \ 96"in_addr_t addr" "in_addr_t mask" 97.Ft int 98.Fn npf_table_insert "nl_config_t *ncf" "nl_table_t *tl" 99.Ft void 100.Fn npf_table_destroy "nl_table_t *tl" 101.\" ----- 102.Sh DESCRIPTION 103The 104.Nm 105library provides an interface to create an NPF configuration having rules, 106tables, procedures, or translation policies. 107The configuration can be submitted to the kernel. 108.\" ----- 109.Sh FUNCTIONS 110.Ss Configuration 111.Bl -tag -width 4n 112.It Fn npf_config_create 113Create a configuration. 114.It Fn npf_config_submit "ncf" "fd" "errinfo" 115Submit configuration 116.Fa ncf 117to the kernel. 118On error, the the description is written into the structure specified by 119.Fa errinfo . 120.It Fn npf_config_export "fd" "len" 121Serialize the given configuration and return binary object and its 122length in 123.Fa len 124parameter. 125The binary object is dynamically allocated and should be destroyed using 126.Xr free 3 . 127.It Fn npf_config_import "blob" "len" 128Read the configuration from a binary object of the specified length, 129unserialize, construct and return the configuration object. 130.It Fn npf_config_flush "fd" 131Flush the current configuration. 132.It Fn npf_config_retrieve "fd" "active" "loaded" 133Retrieve and return the loaded configuration from the kernel. 134.It Fn npf_config_active_p "ncf" 135Indicate whether the retrieved configuration is active (true if yes 136and false otherwise). 137.It Fn npf_config_destroy "ncf" 138Destroy the configuration 139.Fa ncf . 140.El 141.\" --- 142.Ss Rule interface 143.Bl -tag -width 4n 144.It Fn npf_rule_create "name" "attr" "ifname" 145Create a rule with a given name, attribute and priorty. 146Name can be 147.Dv NULL , 148in which case rule has no unique identifier. 149Otherwise, rules shall not have duplicate names. 150The following attributes, which can be ORed, are available: 151.Bl -tag -width indent 152.It Dv NPF_RULE_PASS 153Decision of this rule is "pass". 154If this attribute is not 155specified, then packet "block" (drop) is the default. 156.It Dv NPF_RULE_IN 157Match incoming packets. 158.It Dv NPF_RULE_OUT 159Match outgoing packets. 160.It Dv NPF_RULE_FINAL 161Indicates that on rule match, further processing of the 162ruleset should be stopped and this rule applied instantly. 163.It Dv NPF_RULE_STATEFUL 164Create a state (session) on match, track the connection and 165therefore pass the backwards stream without inspection. 166The state is uniquely identified by a 5-tuple (source and destination 167IP addresses, port numbers and an interface identifier). 168.It Dv NPF_RULE_MULTIENDS 169Exclude the interface from the state identifier. 170.It Dv NPF_RULE_RETRST 171Return TCP RST packet in a case of packet block. 172.It Dv NPF_RULE_RETICMP 173Return ICMP destination unreachable in a case of packet block. 174.It Dv NPF_RULE_GROUP 175Allow this rule to have sub-rules. 176If used with 177.Dv NPF_RULE_DYNAMIC 178flag set, the can be added dynamically. 179Otherwise rules must be added statically i.e. created with the configuration. 180.It Dv NPF_RULE_DYNAMIC 181Indicate that the rule is dynamic. 182.El 183.Pp 184Interface is specified by 185.Fa ifname , 186which is a string. 187.Dv NULL 188indicates any interface. 189.\" --- 190.It Fn npf_rule_setcode "rl" "type" "code" "len" 191Assign compiled code for the rule specified by 192.Fa rl , 193used for filter criteria. 194Pointer to the binary code is specified by 195.Fa code , 196and size of the memory area by 197.Fa len . 198Type of the code is specified by 199.Fa type . 200Currently, only BPF byte-code is supported and 201.Dv NPF_CODE_BPF 202should be passed. 203.\" --- 204.It Fn npf_rule_setkey "rl" "type" "key" "len" 205Assign a key for the rule specified by 206.Fa rl . 207Binary key is specified by 208.Fa key , 209and its size by 210.Fa len . 211The size shall not exceed 212.Dv NPF_RULE_MAXKEYLEN . 213The kernel does not validate the key is unique, it is the responsibility 214of the caller. 215.\" --- 216.It Fn npf_rule_setinfo "rl" "info" "len" 217Associate arbitrary information blob specified by 218.Fa info , 219and its size by 220.Fa len . 221This may be used for such purposes as byte-code annotation. 222.\" --- 223.It Fn npf_rule_setprio "rl" "pri" 224Set priority to the rule. 225Negative priorities are invalid. 226.Pp 227Priority is the order of the rule in the ruleset. 228Lower value means first to process, higher value - last to process. 229If multiple rules are inserted with the same priority, 230the order is unspecified. 231.Pp 232The special constants 233.Dv NPF_PRI_FIRST 234and 235.Dv NPF_PRI_LAST 236can be passed to indicate that the rule should be inserted into the 237beginning or the end of the priority level 0 in the ruleset. 238All rules inserted using these constants will have the priority 0 239assigned and will share this level in the ordered way. 240.\" --- 241.It Fn npf_rule_setproc "ncf" "rl" "name" 242Set a procedure for the specified rule. 243.\" --- 244.It Fn npf_rule_insert "ncf" "parent" "rl" 245Insert the rule into the set of parent rule specified by 246.Fa parent . 247If value of 248.Fa parent 249is 250.Dv NULL , 251then insert into the main ruleset. 252.\" --- 253.It Fn npf_rule_export "rl" "length" 254Serialize the rule (including the byte-code), return a binary object 255and set its 256.Fa length . 257The binary object is dynamically allocated and should be destroyed using 258.Xr free 3 . 259.\" --- 260.It Fn npf_rule_destroy "rl" 261Destroy the given rule. 262.El 263.\" ----- 264.Ss Rule procedure interface 265.Bl -tag -width 4n 266.It Fn npf_rproc_create "name" 267Create a rule procedure with a given 268.Fa name . 269Name must be unique for each procedure. 270.It Fn npf_rproc_insert "ncf" "rp" 271Insert rule procedure into the specified configuration. 272.El 273.\" ----- 274.Ss Translation interface 275.Bl -tag -width 4n 276.It Fn npf_nat_create "type" "flags" "ifname" "addr" "af" "port" 277Create a NAT translation policy of a specified type. 278There are two types: 279.Bl -tag -width "NPF_NAT_PORTMAP " 280.It Dv NPF_NATIN 281Inbound NAT policy (rewrite destination). 282.It Dv NPF_NATOUT 283Outbound NAT policy (rewrite source). 284.El 285.Pp 286A bi-directional NAT is obtained by combining two policies. 287The following 288.Fa flags 289are supported: 290.Bl -tag -width "NPF_NAT_PORTMAP " 291.It Dv NPF_NAT_STATIC 292Perform static (stateless) NAT rather than dynamic (stateful). 293.It Dv NPF_NAT_PORTS 294Indicates to perform port translation. 295Otherwise, port translation is not performed and 296.Fa port 297is ignored. 298.It Dv NPF_NAT_PORTMAP 299Effective only if 300.Dv NPF_NAT_PORTS 301flag is set. 302Indicates to create a port map and select a random port for translation. 303Otherwise, port is translated to the value specified by 304.Fa port 305is used. 306.El 307.Pp 308Translation address is specified by 309.Fa addr , 310and its family by 311.Fa af . 312Family must be either 313.Dv AF_INET 314for IPv4 or 315.Dv AF_INET6 316for IPv6 address. 317.\" --- 318.It Fn npf_nat_setalgo "nt" "algo" 319Set a particular NAT algorithm. 320Currently, only 321.Dv NPF_ALGO_NPT66 322algorithm is supported for NPTv6 (RFC 6296). 323.\" --- 324.It Fn npf_nat_insert "ncf" "nt" "pri" 325Insert NAT policy, its rule, into the specified configuration. 326.El 327.\" ----- 328.Ss Table interface 329.Bl -tag -width 4n 330.It Fn npf_table_create "name" "index" "type" 331Create NPF table of specified type. 332The following types are supported: 333.Bl -tag -width "NPF_TABLE_TREE " 334.It Dv NPF_TABLE_HASH 335Indicates to use hash table for storage. 336.It Dv NPF_TABLE_TREE 337Indicates to use red-black tree for storage. 338Table is identified by the 339.Fa name 340and 341.Fa index , 342which should be in the range between 1 and 343.Dv NPF_MAX_TABLE_ID . 344.El 345.\" --- 346.It Fn npf_table_add_entry "tl" "af" "addr" "mask" 347Add an entry of IP address and mask, specified by 348.Fa addr 349and 350.Fa mask , 351to the table specified by 352.Fa tl . 353Family, specified by 354.Fa af , 355must be either 356.Dv AF_INET 357for IPv4 or 358.Dv AF_INET6 359for IPv6 address. 360.It Fn npf_table_insert "ncf" "tl" 361Insert table into set of configuration. 362Routine performs a check for duplicate table ID. 363.\" --- 364.It Fn npf_table_destroy "tl" 365Destroy the specified table. 366.El 367.\" ----- 368.Sh SEE ALSO 369.Xr bpf 4 , 370.Xr npf 7 , 371.Xr npfctl 8 372.Sh HISTORY 373The NPF library first appeared in 374.Nx 6.0 . 375