# $NetBSD: npftest.conf,v 1.14 2025/07/01 20:19:30 joe Exp $
#
# Rule set consumed by the npftest harness.  It exercises the address,
# NAT (map), rule-group, uid/gid match and layer-2 syntax.  Every address
# below is taken from a documentation or private range, so nothing here is
# routable on a real network.

# Interfaces as seen by the test harness.
$ext_if = "npftest0"
$int_if = "npftest1"

# Source-port pool that the dynamic NAT entries below draw from.
set portmap.min_port 1024
set portmap.max_port 65535

#
# RFC 5737
#
# 192.0.2.0/24 is TEST-NET-1 (documentation only); it plays the "public"
# side of the NAT rules.

$pub_ip1 = 192.0.2.1
$pub_ip2 = 192.0.2.2
$pub_ip3 = 192.0.2.3

# Internal hosts in RFC 1918 private space.
$local_ip1 = 10.1.1.1
$local_ip2 = 10.1.1.2
$local_ip3 = 10.1.1.3
$local_ip4 = 10.1.1.4
# Numeric uid and gid referenced by the user/group match rules in group "ext".
$Kojo = 1001
$wheel = 20

$local_net = { 10.1.1.0/24 }
# Inbound service ports admitted by the stateful "pass in" rule in group "ext".
$ports = { 8000, 9000 }

#
# RFC 7042
#
# 00:00:5E:00:53:00 - 00:00:5E:00:53:FF
# (EUI-48 block reserved for documentation; used by the layer-2 rules.)
$mac1 = 00:00:5E:00:53:00
$mac2 = 00:00:5E:00:53:01
$mac3 = 00:00:5E:00:53:02

# NAT on the external interface.
# Stateless 1:1 translation of a single host.
map $ext_if static $local_ip3 <-> $pub_ip3
# Bidirectional translation of a single host using dynamic (stateful) NAT.
map $ext_if dynamic $local_ip2 <-> $pub_ip2
# Outbound masquerading of the whole internal network behind $pub_ip1.
map $ext_if dynamic $local_net -> $pub_ip1
# Inbound redirect: traffic arriving at $pub_ip1 port 8000 is forwarded to
# $local_ip1 port 6000, i.e. an internal service is exposed externally.
# The matching inbound filter is the "pass stateful in ... port $ports" rule.
map $ext_if dynamic $local_ip1 port 6000 <- $pub_ip1 port 8000

# IPv6: fd01:203:405::/48 is a ULA prefix (RFC 4193); 2001:db8::/32 is the
# IPv6 documentation prefix (RFC 3849).
$net6_inner = fd01:203:405::/48
$net6_outer = 2001:db8:1::/48

# Example of multiple addresses with a common 32-bit word, taken from
# PR bin/55403: npfctl miscompiles IPv6 rules.
$net6_pr55403 = { fe80::1, fe80::1000:0:0/95, fe80::2, fe80::2000:0:0/96, fe80::3, fe80::3000:0:0/97 }

$net_a = 10.100.0.0/16
$net_b = 10.255.0.0/16

# Prefix translation: npt66 is IPv6-to-IPv6 network prefix translation
# (RFC 6296); netmap rewrites the network part of an IPv4 address 1:1.
map $ext_if static algo npt66 $net6_inner <-> $net6_outer
map $ext_if static algo netmap $net_a <-> $net_b
# Dynamic NAT ruleset that a daemon may populate at run time via npfctl.
# Its contents are not visible in this file and must be reviewed separately.
map ruleset "map:some-daemon" on $ext_if

# External interface.  "final" stops rule evaluation on a match, so the
# pass rules are consulted in order and the trailing "block all" gives
# this group a default-deny posture.
group "ext" on $ext_if {
	pass out final from $local_ip3
	pass in final to $pub_ip3
	# Match on the owning uid/gid of the local socket.
	# NOTE(review): presumably only meaningful for traffic terminating on
	# or originating from this host — confirm against npf.conf(5).
	pass in final from $local_ip4 user $Kojo group $wheel
	# Exercises the comparison (>) and range (><) operators on uid/gid.
	block out final to 127.0.0.1 user > $Kojo group 1 >< $wheel

	pass out final from $net6_inner
	pass in final to $net6_outer

	pass out final from $net_a
	pass in final to $net_b

	# Create TCP state only on an initial SYN: of the S and A flags, only
	# SYN may be set (the conventional S/SA mask).
	pass stateful out final proto tcp flags S/SA all
	pass stateful out final from $local_net
	# Inbound services; port 8000 pairs with the redirect map above.
	pass stateful in final to any port $ports
	pass stateful in final proto icmp all

	block all
}

# Internal interface.
group "int" on $int_if {
	# Dynamic ruleset filled at run time via npfctl; not visible here.
	ruleset "test-rules"
	pass stateful out final to $local_ip2
	pass out final to $local_ip3
	# No in/out keyword — presumably applies in both directions; verify.
	block final to $local_ip4

	# Regression coverage for PR bin/55403 (IPv6 address-set compilation),
	# including the negated form of the same set.
	pass in final family inet6 proto udp from $net6_pr55403
	pass in final family inet6 proto udp from ! $net6_pr55403 to $net6_pr55403
}

# Layer-2 (Ethernet) filtering on the internal interface.
# NOTE(review): "type Ex86DD" / "type Ex809B" appear to name EtherType
# 0x86DD (IPv6) and 0x809B (AppleTalk) — confirm the Ex notation in npf.conf(5).
group "ext2" on $int_if layer-2 {
	ruleset "l2-ruleset" layer-2
	pass ether in final from $mac1 to $mac2 type Ex86DD
	block ether in final from $mac2
	pass ether out final to $mac3 type Ex809B
}

# Catch-all for traffic not matched by an interface-specific group:
# default deny at layer 3 ...
group default {
	block all
}

# ... and at layer 2.
group default layer-2 {
	block ether all
}