authordgregor <dgregor@cvs.openbsd.org>1998-01-26 04:13:50 +0000
committerdgregor <dgregor@cvs.openbsd.org>1998-01-26 04:13:50 +0000
commita344d388d075c3e901494684772107ed51830e00 (patch)
treef856bf3ae910c03eeb019cb4f5d773c1b81d353d /sbin/ipf/ipf.5
parentde55b0f9ccc745f64ffcc677525707475931a043 (diff)
IPF 3.2.3
Diffstat (limited to 'sbin/ipf/ipf.5')
-rw-r--r--sbin/ipf/ipf.5131
1 files changed, 91 insertions, 40 deletions
diff --git a/sbin/ipf/ipf.5 b/sbin/ipf/ipf.5
index 6bb78204762..f036affb88b 100644
--- a/sbin/ipf/ipf.5
+++ b/sbin/ipf/ipf.5
@@ -1,11 +1,11 @@
-.\" $OpenBSD: ipf.5,v 1.9 1997/07/14 01:21:41 angelos Exp $
+.\" $OpenBSD: ipf.5,v 1.10 1998/01/26 04:13:34 dgregor Exp $
.TH IPF 5
.SH NAME
ipf \- IP packet filter rule syntax
.SH DESCRIPTION
.PP
A rule file for \fBipf\fP may have any name or even be stdin. As
-\fBipfstat\fP produces parsable rules as output when displaying the internal
+\fBipfstat\fP produces parseable rules as output when displaying the internal
kernel filter lists, it is quite plausible to use its output to feed back
into \fBipf\fP. Thus, to remove all filters on input packets, the following
could be done:
@@ -19,27 +19,26 @@ The format used by \fBipf\fP for construction of filtering rules can be
described using the following grammar in BNF:
\fC
.nf
-filter-rule = [ insert ] action in-out [ options ] [ match ] [ keep ]
+filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
+ [ proto ] [ ip ] [ group ].
insert = "@" decnumber .
-action = block | "pass" | log | "count" | call .
+action = block | "pass" | log | "count" | skip | auth | call .
in-out = "in" | "out" .
options = [ log ] [ "quick" ] [ "on" interface-name [ dup ] [ froute ] ] .
-match = [ tos ] [ ttl ] [ proto ] [ ip ] .
-keep = "keep state" | "keep frags" .
+tos = "tos" decnumber | "tos" hexnumber .
+ttl = "ttl" decnumber .
+proto = "proto" protocol .
+ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
+group = [ "head" decnumber ] [ "group" decnumber ] .
block = "block" [ "return-icmp"[return-code] | "return-rst" ] .
-log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
-call = "call" [ "now" ] function-name .
-
-dup = "dup-to" interface-name[":"ipaddr] .
+auth = "auth" | "preauth" .
+log = "log" [ "body" ] [ "first" ] [ "or-block" ] .
+call = "call" [ "now" ] function-name .
+skip = "skip" decnumber .
+dup = "dup-to" interface-name[":"ipaddr] .
froute = "fastroute" | "to" interface-name .
-
-tos = "tos" decnumber | "tos" hexnumber .
-ttl = "ttl" decnumber .
-proto = "proto" protocol .
-ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
-
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
srcdst = "all" | fromto .
fromto = "from" object "to" object .
@@ -48,11 +47,11 @@ object = addr [ port-comp | port-range ] .
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
port-comp = "port" compare port-num .
port-range = "port" port-num range port-num .
-
flags = "flags" flag { flag } [ "/" flag { flag } ] .
with = "with" | "and" .
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
return-code = "("icmp-code")" .
+keep = "keep" "state" | "keep" "frags" .
nummask = host-name [ "/" decnumber ] .
host-name = ipaddr | hostname | "any" .
@@ -70,19 +69,19 @@ seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
"timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
"inforep" | "maskreq" | "maskrep" | decnumber .
-icmp-code = decnumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
+icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" .
-optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
- "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
- "visa" | "imitd" | "eip" | "finn" .
+optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" |
+ "tr" | "sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" |
+ "addext" | "visa" | "imitd" | "eip" | "finn" .
hexnumber = "0" "x" hexstring .
hexstring = hexdigit [ hexstring ] .
decnumber = digit [ decnumber ] .
-compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
- "le" | "ge" .
+compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" |
+ "gt" | "le" | "ge" .
range = "<>" | "><" .
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
@@ -96,18 +95,9 @@ not make sense (such as tcp \fBflags\fP for non-TCP packets).
.PP
The "briefest" valid rules are (currently) no-ops and are of the form:
.nf
- block in
- pass in
- log in
- count in
-.fi
-.PP
-These are supposed to be the same as, but currently differ from:
-.\" XXX How, why do they differ??
-.nf
block in all
- pass in from any to any
- log in all
+ pass in all
+ log out all
count in all
.fi
.PP
@@ -154,6 +144,12 @@ must conform to a specific calling interface. Customized actions and
semantics can thus be implemented to supplement those available. This
feature is for use by knowledgeable hackers, and is not currently
documented.
+.TP
+.B "skip <n>"
+.TP
+.B auth
+.TP
+.B preauth
.PP
The next word must be either \fBin\fP or \fBout\fP. Each packet
moving through the kernel is either inbound (just been received on an
@@ -222,7 +218,6 @@ packets with different Type-Of-Service values can be filtered.
Individual service levels or combinations can be filtered upon. The
value for the TOS mask can either be represented as a hex number or a
decimal integer value.
-.\" XXX TOS mask?? not in grammar!
.TP
.B ttl
packets may also be selected by their Time-To-Live value. The value given in
@@ -278,7 +273,10 @@ packets from both protocols are compared. This is equivalent to "proto
tcp/udp". When composing \fBport\fP comparisons, either the service
name or an integer port number may be used. Port comparisons may be
done in a number of forms, with a number of comparison operators, or
-port ranges may be specified. See the examples for more information.
+port ranges may be specified. When the port appears as part of the
+\fBfrom\fP object, it matches the source port number, when it appears
+as part of the \fBto\fP object, it matches the destination port number.
+See the examples for more information.
.PP
The \fBall\fP keyword is essentially a synonym for "from any to any"
with no other match parameters.
@@ -354,8 +352,9 @@ with which they are associated can be used. The most important from
a security point of view is the ICMP redirect.
.SH KEEP HISTORY
.PP
-The last parameter which can be set for a filter rule is whether on not to
-record historical information for that packet, and what sort to keep. The following information can be kept:
+The second last parameter which can be set for a filter rule is whether on not
+to record historical information for that packet, and what sort to keep. The
+following information can be kept:
.TP
.B state
keeps information about the flow of a communication session. State can
@@ -367,6 +366,23 @@ fragments.
.PP
allowing packets which match these to flow straight through, rather
than going through the access control list.
+.SH GROUPS
+The last pair of parameters control filter rule "grouping". By default, all
+filter rules are placed in group 0 if no other group is specified. To add a
+rule to a non-default group, the group must first be started by creating a
+group \fIhead\fP. If a packet matches a rule which is the \fIhead\fP of a
+group, the filter processing then switches to the group, using that rule as
+the default for the group. If \fBquick\fP is used with a \fBhead\fP rule, rule
+processing isn't stopped until it has returned from processing the group.
+.PP
+A rule may be both the head for a new group and a member of a non-default
+group (\fBhead\fP and \fBgroup\fP may be used together in a rule).
+.TP
+.B "head <n>"
+indicates that a new group (number n) should be created.
+.TP
+.B "group <n>"
+indicates that the rule should be put in group (number n) rather than group 0.
.SH LOGGING
.PP
When a packet is logged, with either the \fBlog\fP action or option,
@@ -425,7 +441,42 @@ rule such as:
pass in quick from any to any port < 1024
.fi
.PP
-would be needed before the first block.
+would be needed before the first block. To create a new group for
+processing all inbould packets on le0/le1/lo0, with the default being to block
+all inbound packets, we would do something like:
+.LP
+.nf
+ block in all
+ block in on le0 quick all head 100
+ block in on le1 quick all head 200
+ block in on lo0 quick all head 300
+.fi
+.PP
+
+and to then allow ICMP packets in on le0, only, we would do:
+.LP
+.nf
+ pass in proto icmp all group 100
+.fi
+.PP
+Note that because only inbound packets on le0 are used processed by group 100,
+there is no need to respecify the interface name. Likewise, we could further
+breakup processing of TCP, etc, as follows:
+.LP
+.nf
+ block in proto tcp all head 110 group 100
+ pass in from any to any port = 23 group 110
+.fi
+.PP
+and so on. The last line, if written without the groups would be:
+.LP
+.nf
+ pass in on le0 proto tcp from any to any port = telnet
+.fi
+.PP
+Note, that if we wanted to say "port = telnet", "proto tcp" would
+need to be specified as the parser interprets each rule on its own and
+qualifies all service/port names with the protocol specified.
.SH FILES
\fI/etc/services\fP -- port names
.br
@@ -433,4 +484,4 @@ would be needed before the first block.
.br
\fI/usr/share/ipf\fP -- sample configuration files
.SH SEE ALSO
-ipf(1), ipftest(1), ipf(4), hosts(5), services(5)
+ipf(1), ipftest(1), mkfilters(1), ipmon(8), ipf(4), hosts(5), services(5)