Home | History | Annotate | Download | only in npftest
History log of /src/usr.sbin/npf/npftest/npftest.conf
RevisionDateAuthorComments
 1.18  20-Aug-2025  joe PR bin/59511

when extracting variables for filtering in NPF, allow the handler to
recursively extract all variables that might be present in the parent variable
to fully get all the filter elements present in them. this issue poses a security risk
as intruders can find their way into your machine if you intend to block them
but have their IPs in a nested variable with other IPs as well.

so this needs to be pulled up to 9, 10, 11


this fix has been reviewed by christos@ and martin@ and tests have been included.
 1.17  10-Aug-2025  mlelstv Include local_ip3 in tests.
 1.16  10-Jul-2025  joe Add more test to layer2 filtering for variables as a set

simplify the BPF code for multiword
we have tests to cover all possible cases in layer2 filtering
 1.15  05-Jul-2025  joe Temporarily remove dash and dot separated MAC address rule in scanner.

this avoids breaking existing configurations where spaceless port ranges are used
as the parser tries to resolve the MAC address rules instead.

Also, add a simple test for port ranges in the NPF rump test suite

@Greg Troxel
 1.14  01-Jul-2025  joe Rump testing for layer 2 filtering in NPF

reviewed by christos@
 1.13  01-Jun-2025  joe testing for NPF user/group filtering: reviewed by christos@
 1.12  30-Oct-2024  riastradh npftest: Expand test cases to cover more compiler paths.

Cover masked ranges with full- and partial-word sizes.

PR bin/55403: npfctl miscompiles IPv6 rules
 1.11  30-Oct-2024  riastradh npftest: Fix newly added test.

- Adapt new test to actually exercise new rules.
- Mark the right test xfail.

PR bin/55403: npfctl miscompiles IPv6 rules
 1.10  29-Oct-2024  riastradh npftest: Add a test to match groups of IPv6 addresses.

The npf_rule test group is now an xfail. (npftest doesn't have a way
to mark individual cases in a test group as xfail, so this will have
to do for now.)

PR bin/55403: npfctl miscompiles IPv6 rules
 1.9  30-May-2020  rmind branches: 1.9.6; 1.9.8;
Major NPF improvements (merge from upstream):

- Switch to the C11-style atomic primitives using atomic_loadstore(9).

- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.

- npfkern: rewrite the G/C worker logic and make it self-tuning.

- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.

- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.

- Amend and improve the manual pages.
 1.8  30-Sep-2019  rmind libnpf/npfctl: support dynamic NAT rulesets using a name prefix.
 1.7  23-Jul-2019  rmind branches: 1.7.2;
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more
userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
 1.6  19-Jan-2019  rmind Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be
selected from a pool of addresses. There are two selection algorithms,
"ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
 1.5  13-Feb-2014  rmind branches: 1.5.24; 1.5.26;
NPF: add support for IPv6-to-IPv6 Network Prefix Translation (NPTv6),
as per RFC 6296. Add a unit test. Also, bump NPF_VERSION.

Thanks to S.P.Zeidler for the help with NPTv6 work!
 1.4  07-Feb-2014  rmind NPF: add support for static (stateless) NAT.
 1.3  23-Sep-2013  rmind Update npftest.conf for the recent syntax adjustments.
 1.2  09-Feb-2013  rmind NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
 1.1  12-Aug-2012  rmind branches: 1.1.2; 1.1.4; 1.1.6;
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.1.6.3  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.1.6.2  30-Oct-2012  yamt sync with head
 1.1.6.1  12-Aug-2012  yamt file npftest.conf was added on branch yamt-pagecache on 2012-10-30 19:00:46 +0000
 1.1.4.2  20-Aug-2014  tls Rebase to HEAD as of a few days ago.
 1.1.4.1  25-Feb-2013  tls resync with head
 1.1.2.3  11-Feb-2013  riz Pull up following revision(s) (requested by rmind in ticket #817):
usr.sbin/npf/npfctl/npfctl.8: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.27
usr.sbin/npf/npfctl/npf_parse.y: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.28
lib/libnpf/npf.c: revision 1.16
usr.sbin/npf/npfctl/npfctl.c: revision 1.29
lib/libnpf/npf.c: revision 1.17
sys/modules/npf/Makefile: revision 1.12
sys/net/npf/npf_rproc.c: revision 1.6
usr.sbin/npf/npftest/README: revision 1.4
sys/net/npf/npf_tableset.c: revision 1.17
sys/net/npf/npf_ctl.c: revision 1.21
sys/net/npf/npf_ctl.c: revision 1.22
usr.sbin/npf/npfctl/npfctl.h: revision 1.25
lib/libnpf/npf.h: revision 1.13
usr.sbin/npf/npftest/npftest.conf: revision 1.2
usr.sbin/npf/npfctl/npfctl.h: revision 1.26
sys/net/npf/npf_ruleset.c: revision 1.17
lib/libnpf/npf.h: revision 1.14
sys/net/npf/npf_ruleset.c: revision 1.18
sys/net/npf/npf_conf.c: revision 1.1
usr.sbin/npf/npfctl/npf_scan.l: revision 1.10
sys/net/npf/npf_conf.c: revision 1.2
sys/net/npf/npf_instr.c: revision 1.16
sys/net/npf/npf_handler.c: revision 1.26
sys/net/npf/npf_impl.h: revision 1.26
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.14
sys/net/npf/npf_processor.c: revision 1.15
sys/net/npf/npf_impl.h: revision 1.27
sys/net/npf/npf_alg_icmp.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.15
usr.sbin/npf/npfctl/npf_disassemble.c: revision 1.16
sys/net/npf/npf_ncode.h: revision 1.11
sys/net/npf/files.npf: revision 1.10
usr.sbin/npf/npftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.c: revision 1.30
lib/libnpf/npf.3: revision 1.8
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.4
sys/net/npf/npf_session.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.5
usr.sbin/npf/npfctl/npf_build.c: revision 1.18
usr.sbin/npf/npfctl/npf_build.c: revision 1.19
sys/net/npf/npf_alg.c: revision 1.7
usr.sbin/npf/npfctl/Makefile: revision 1.10
sys/net/npf/npf_inet.c: revision 1.21
sys/net/npf/npf.h: revision 1.26
sys/net/npf/npf.h: revision 1.27
usr.sbin/pf/ftp-proxy/Makefile: revision 1.8
sys/net/npf/npf_nat.c: revision 1.19
sys/net/npf/npf.c: revision 1.15
sys/net/npf/npf_state.c: revision 1.14
sys/net/npf/npf_sendpkt.c: revision 1.14
sys/rump/net/lib/libnpf/Makefile: revision 1.4
IPv6 linklocal address printing cosmetics
NPF:
- Implement dynamic NPF rules. Controlled through npf(3) library of via
npfctl rule command. A rule can be removed using a unique identifier,
returned on addition, or using a key which is SHA1 hash of the rule.
Adjust npftest and add a regression test.
- Improvements to rule inspection mechanism.
- Initial BPF support as an alternative to n-code.
- Minor fixes; bump the version.
Disable -DWITH_NPF for now; will be converted to BPF mechanism.
- Fix NPF config reload with dynamic rules present.
- Implement list and flush commands on a dynamic ruleset.
Allow filtering on IP addresses even if the L4 protocol is unknown.
Patch from spz@.
npftest: adjust for recent change.
 1.1.2.2  13-Aug-2012  riz Pull up following revision(s) (requested by rmind in ticket #485):
lib/libnpf/npf.c: revision 1.11
sys/net/npf/npf_session.c: revision 1.17
sys/modules/npf/Makefile: revision 1.10
usr.sbin/npf/npftest/npftest.c: revision 1.4
usr.sbin/npf/npftest/README: revision 1.1
sys/net/npf/npf_tableset.c: revision 1.14
usr.sbin/npf/npftest/npftest.h: revision 1.4
lib/libnpf/npf.h: revision 1.10
sys/net/npf/npf_ruleset.c: revision 1.14
usr.sbin/npf/npfctl/npf_data.c: revision 1.18
usr.sbin/npf/npftest/npftest.conf: revision 1.1
sys/net/npf/npf_handler.c: revision 1.21
sys/net/npf/npf_impl.h: revision 1.21
usr.sbin/npf/npfctl/npfctl.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_build.c: revision 1.13
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.1
usr.sbin/npf/npftest/npfstream.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.4
usr.sbin/npf/npfctl/npfctl.h: revision 1.19
sys/net/npf/npf_nat.c: revision 1.16
sys/net/npf/npf_state.c: revision 1.11
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.3
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.5
usr.sbin/npf/npfctl/npf_parse.y: revision 1.12
- Extend npftest: add ruleset inspection testing from the config generated
by npfctl debug functionality. Auto-create npftest interfaces for this.
- NPF sessions: combine protocol and interface into a separate substructure,
share between the entries and thus fix the handling of them. Constify.
- npftest: add regression tests for NAT policies.
- npf_build_nat: simplify and fix bi-NAT regression.
- Bump yacc stack size for npfctl.
 1.1.2.1  12-Aug-2012  riz file npftest.conf was added on branch netbsd-6 on 2012-08-13 17:49:52 +0000
 1.5.26.2  13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.5.26.1  10-Jun-2019  christos Sync with HEAD
 1.5.24.1  26-Jan-2019  pgoyette Sync with HEAD
 1.7.2.3  17-Nov-2024  martin Pull up following revision(s) (requested by riastradh in ticket #1918):

usr.sbin/npf/npftest/npftest.conf: revision 1.10
usr.sbin/npf/npftest/npftest.conf: revision 1.11
usr.sbin/npf/npftest/npftest.conf: revision 1.12
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.23
tests/net/npf/t_npf.sh: revision 1.5
tests/net/npf/t_npf.sh: revision 1.6
tests/net/npf/t_npf.sh: revision 1.7

npftest: Add AF_* parameter to test cases.
No functional change intended.
Preparation to add test cases for:
PR bin/55403: npfctl miscompiles IPv6 rules


npftest: Add a test to match groups of IPv6 addresses.
The npf_rule test group is now an xfail. (npftest doesn't have a way
to mark individual cases in a test group as xfail, so this will have
to do for now.)
PR bin/55403: npfctl miscompiles IPv6 rules


npftest: Fix newly added test.
- Adapt new test to actually exercise new rules.
- Mark the right test xfail.
PR bin/55403: npfctl miscompiles IPv6 rules


npftest: Expand test cases to cover more compiler paths.
Cover masked ranges with full- and partial-word sizes.
PR bin/55403: npfctl miscompiles IPv6 rules


npfctl(8): Fix compiling multiword comparisons, i.e., IPv6 addrs.
PR bin/55403: npfctl miscompiles IPv6 rules
 1.7.2.2  20-Jun-2020  martin Pull up following revision(s) (requested by rmind in ticket #956):

usr.sbin/npf/npf-params.7: revision 1.4
sys/net/npf/npf_worker.c: revision 1.9
usr.sbin/npf/npftest/npftest.h: revision 1.17
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.16
usr.sbin/npf/npf-params.7: revision 1.5
sys/net/npf/npf_state_tcp.c: revision 1.21
usr.sbin/npf/npfctl/npf_build.c: revision 1.55
usr.sbin/npf/npf-params.7: revision 1.6
sys/net/npf/npfkern.h: revision 1.5
lib/libnpf/npf.c: revision 1.49
usr.sbin/npf/npf-params.7: revision 1.7
sys/net/npf/npf_impl.h: revision 1.81
sys/net/npf/npf_ext_log.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.h: revision 1.53
usr.sbin/npf/npftest/libnpftest/npf_mbuf_subr.c: revision 1.11
sys/net/npf/npf_nat.c: revision 1.50
sys/net/npf/npf_mbuf.c: revision 1.24
sys/net/npf/npf_alg.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_nat_test.c: revision 1.14
usr.sbin/npf/npftest/libnpftest/npf_conn_test.c: file removal
usr.sbin/npf/npftest/libnpftest/npf_state_test.c: revision 1.10
sys/net/npf/npf.h: revision 1.63
usr.sbin/npf/npftest/libnpftest/npf_test.h: revision 1.21
usr.sbin/npf/npfctl/npf_var.c: revision 1.13
sys/net/npf/files.npf: revision 1.23
usr.sbin/npf/npfctl/npf_show.c: revision 1.32
usr.sbin/npf/npfctl/npf.conf.5: revision 1.91
sys/net/npf/npf_os.c: revision 1.18
sys/net/npf/npf_connkey.c: revision 1.2
sys/net/npf/npf_conf.c: revision 1.17
lib/libnpf/libnpf.3: revision 1.12
usr.sbin/npf/npftest/npftest.c: revision 1.25
usr.sbin/npf/npftest/libnpftest/npf_gc_test.c: revision 1.1
usr.sbin/npf/npfctl/npf_parse.y: revision 1.51
sys/net/npf/npf_tableset.c: revision 1.35
usr.sbin/npf/npftest/npftest.conf: revision 1.9
sys/net/npf/npf_sendpkt.c: revision 1.22
usr.sbin/npf/npfctl/npf_var.h: revision 1.10
sys/net/npf/npf_state.c: revision 1.23
sys/net/npf/npf_conn.h: revision 1.20
usr.sbin/npf/npfctl/npfctl.c: revision 1.64
usr.sbin/npf/npfctl/npf_cmd.c: revision 1.1
sys/net/npf/npf_portmap.c: revision 1.5
sys/net/npf/npf_params.c: revision 1.3
usr.sbin/npf/npfctl/npf_scan.l: revision 1.32
tests/net/npf/t_npf.sh: revision 1.4
sys/net/npf/npf_ext_rndblock.c: revision 1.9
lib/libnpf/npf.h: revision 1.39
sys/net/npf/npf_ruleset.c: revision 1.51
sys/net/npf/npf_alg_icmp.c: revision 1.33
sys/net/npf/npf.c: revision 1.43
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.17
usr.sbin/npf/npfctl/npfctl.8: revision 1.25
sys/net/npf/npf_ctl.c: revision 1.60
usr.sbin/npf/npftest/libnpftest/npf_test_subr.c: revision 1.18
usr.sbin/npf/npftest/libnpftest/Makefile: revision 1.11
sys/net/npf/npf_handler.c: revision 1.49
sys/net/npf/npf_inet.c: revision 1.57
sys/net/npf/npf_ifaddr.c: revision 1.7
sys/net/npf/npf_conndb.c: revision 1.9
sys/net/npf/npf_if.c: revision 1.13
usr.sbin/npf/npfctl/Makefile: revision 1.15
sys/net/npf/npf_conn.c: revision 1.32
sys/net/npf/npf_ext_normalize.c: revision 1.10
sys/net/npf/npf_rproc.c: revision 1.20
sys/net/npf/npf_worker.c: revision 1.8

Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction'
settings. Users can now choose whether the connection state should be
strictly per-interface or global at the configuration level. Keep NAT
logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce
more parameters. Remove npf_nvlist_{copyin,copyout}() functions and
refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have
a single entry point for operations. Introduce npf_flow_t and clean up
some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list'
more informative; misc usability improvements and more user-friendly
error messages.
- Amend and improve the manual pages.

npf_worker_sys{init,fini}: initialize/destroy the exit_cv condvar.

npftest -- npf_test_init(): add a workaround for NetBSD.

npf-params(7): fix the state.key defaults.

npf-params.7: s/filer/filter/

Adjust to "npfctl debug" command line changes, from rmind@.

Use more markup.
 1.7.2.1  04-Oct-2019  martin Pull up following revision(s) (requested by rmind in ticket #282):

usr.sbin/npf/npfctl/npf_build.c: revision 1.53
lib/libnpf/npf.c: revision 1.48
usr.sbin/npf/npfctl/npfctl.h: revision 1.50
sys/net/npf/npf_impl.h: revision 1.80
usr.sbin/npf/npfctl/npfctl.h: revision 1.51
sys/net/npf/npf_ruleset.c: revision 1.49
usr.sbin/npf/npfctl/npf.conf.5: revision 1.90
sys/net/npf/npf_ctl.c: revision 1.59
lib/libnpf/libnpf.3: revision 1.11
usr.sbin/npf/npfctl/npf_parse.y: revision 1.50
usr.sbin/npf/npftest/npftest.conf: revision 1.8
usr.sbin/npf/npfctl/npfctl.c: revision 1.62
usr.sbin/npf/npfctl/npfctl.c: revision 1.63
usr.sbin/npf/npfctl/npf_scan.l: revision 1.30
usr.sbin/npf/npfctl/npfctl.8: revision 1.22
lib/libnpf/npf.h: revision 1.38
usr.sbin/npf/npfctl/npfctl.8: revision 1.23
usr.sbin/npf/npfctl/npfctl.8: revision 1.24
sys/net/npf/npf_if.c: revision 1.11
sys/net/npf/npf_if.c: revision 1.12
usr.sbin/npf/npfctl/npf.conf.5: revision 1.89
sys/net/npf/npf_conn.c: revision 1.30
usr.sbin/npf/npfctl/npf_build.c: revision 1.52

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.

NPF ifmap: rework and fix a few small bugs.

npfctl: implement table replace subcommand.
Contributed by Timshel Knoll-Miller.
(missed a file in previous commit; cvs is so helpful..)

libnpf/npfctl: support dynamic NAT rulesets using a name prefix.

Use -width Pa for FILES.

Fix pasto in table replace -t type

Use -width Pa for FILES.

npf_ifmap_copylogname: be more defensive.
 1.9.8.1  02-Aug-2025  perseant Sync with HEAD
 1.9.6.1  17-Nov-2024  martin Pull up following revision(s) (requested by riastradh in ticket #1002):

usr.sbin/npf/npftest/npftest.conf: revision 1.10
usr.sbin/npf/npftest/npftest.conf: revision 1.11
usr.sbin/npf/npftest/npftest.conf: revision 1.12
usr.sbin/npf/npfctl/npf_bpf_comp.c: revision 1.17
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.20
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.21
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.22
usr.sbin/npf/npftest/libnpftest/npf_rule_test.c: revision 1.23
tests/net/npf/t_npf.sh: revision 1.5
tests/net/npf/t_npf.sh: revision 1.6
tests/net/npf/t_npf.sh: revision 1.7

npftest: Add AF_* parameter to test cases.
No functional change intended.
Preparation to add test cases for:
PR bin/55403: npfctl miscompiles IPv6 rules

npftest: Add a test to match groups of IPv6 addresses.
The npf_rule test group is now an xfail. (npftest doesn't have a way
to mark individual cases in a test group as xfail, so this will have
to do for now.)
PR bin/55403: npfctl miscompiles IPv6 rules

npftest: Fix newly added test.
- Adapt new test to actually exercise new rules.
- Mark the right test xfail.
PR bin/55403: npfctl miscompiles IPv6 rules

npftest: Expand test cases to cover more compiler paths.
Cover masked ranges with full- and partial-word sizes.
PR bin/55403: npfctl miscompiles IPv6 rules

npfctl(8): Fix compiling multiword comparisons, i.e., IPv6 addrs.
PR bin/55403: npfctl miscompiles IPv6 rules

RSS XML Feed