netctrl.config(4M) — DG/UX R4.11MU05


netctrl.config(4M)       DG/UX B2 Security R4.12MU02      netctrl.config(4M)


NAME
       netctrl.config - configuration file for Network Control, netctrl

SYNOPSIS
       /etc/netctrl.config

DESCRIPTION
       The netctrl.config file provides administrative control over TCP/IP
       features such as: NAT (Network Address Translation), proxy redirects,
       and service load distribution.  The netctrl(1M) command is
       automatically invoked to install the netctrl.config configuration
       each time the system is rebooted; however, the configuration can be
       modified and reinstalled at any time by explicitly invoking the
       netctrl command.

       The configuration file contains three types of statements: FILTER,
       POOLADDRS, and PROXYARP.  Each statement is on a single line
       beginning with one of these three keywords.

       The FILTER statements form an ordered list that is searched for each
       incoming and outgoing packet.  The actions associated with the first
       matching filter are performed on the packet; once a matching filter is
       found, no further filters are examined, so the order of FILTER lines
       in the file matters.

       Each filter is associated with a single network interface (e.g.
       dpen0), and therefore can only match packets incoming from or
       outgoing to that network interface.  Each filter may also be matched
       based upon: protocol, source address, destination address, source
       port, and/or destination port.

       Each filter may have zero or more of the following actions: deny
       (i.e. drop) the packet, proxy the packet to the local system rather
       than forwarding it to the destination system, translate the source
       address, destination address, source port, and/or destination port.

       The POOLADDRS statement is used to specify which IP addresses are
       available for use as pool addresses.  Pool addresses provide a
       mechanism whereby some number of hosts on an internal private network
       can share a presumably smaller number, a pool, of externally legal IP
       addresses.  The maximum number of hosts from the private network
       which can concurrently connect to external hosts is then limited by
       the number of pool addresses.

       The PROXYARP statement creates a permanent ARP entry, mapping IntIPAddr
       to HardwareAddr, for the interface itself.  The interface across which
       address translation is performed is known on the host side by its
       configured address; on the network side of the interface, however, the
       hosts on the internal private network may know it by another address,
       and PROXYARP lets the interface be reached by that address.  The
       PROXYARP statement performs the same operation as the arp command with
       the -s option.

   Format
       Each line of the netctrl.config file contains a single statement.  The
       only exceptions are comments, which begin with the # character and
       continue to the end of the line.  The general format of each statement
       is one of the following:

       FILTER Flags Interface SrcFilter DstFilter Actions

       POOLADDRS Interface AddrsSpec

       PROXYARP Interface IntIPAddr HardwareAddr

   Flags
       The Flags field of each filter consists of a sequence of characters
       denoting which direction and protocol(s) to match.  The characters
       are as follows and can be in any order: i matches incoming packets, o
       matches outgoing packets, T matches TCP packets, U matches UDP
       packets, and O matches any protocol other than TCP or UDP.  For
       example, iTU matches incoming TCP and UDP packets.

       Note that exactly one direction must be specified; the system will
       automatically perform any necessary reverse translation for reply
       packets.

   Interface
       The Interface field of the FILTER command contains the name of the
       network interface to which this filter belongs.  The name of the
       network interface is specified by giving its device file in the /dev
       directory.  For example, dpen0 specifies the network interface
       associated with the /dev/dpen0 device file.  Each filter matches only
       packets traversing the specified interface.

       The Interface field of the POOLADDRS command specifies which network
       interface the pool addresses are associated with.  In order for a
       pool address to be used, the matching filter must have TSA or TDA
       action with the POOL keyword; see the Actions section below for more
       information.

   SrcFilter and DstFilter
       The SrcFilter field specifies which source addresses and port numbers
       to match; the DstFilter field specifies which destination addresses
       and port numbers to match.  Both the SrcFilter and DstFilter fields
       are of the format AddrsSpec:PortRange, where address A and port P
       match the filter if A is one of the addresses specified by AddrsSpec
       and P is in range of ports specified by PortRange.

       AddrsSpec has two possible formats.  The first is IPAddr:Mask, which
       includes all addresses A for which A & Mask equals IPAddr & Mask.  The
       second is A.B.C.D, where any component of the dotted quad can be a
       single number or a range of numbers.  For example, 1.2.3.1-12 is meant
       to include addresses 1.2.3.1 through 1.2.3.12.  This format is
       converted internally to the first format, using the smallest mask whose
       block contains the whole range; 1.2.3.1-12 therefore becomes
       1.2.3.0:0xfffffff0, which includes addresses 1.2.3.0 through 1.2.3.15.
       A range that is not aligned to a power-of-two boundary thus matches
       more addresses than written, so check the widened block before relying
       on a range to exclude an address.

       The PortRange specification can be of the form, MinPort-MaxPort,
       denoting a range of ports, or a single number which means the minimum
       and maximum port numbers are equal.

       For example, if SrcFilter is 1.2.3.4:0xffffffff:0-1024, then the
       source address must equal 1.2.3.4 and the source port must be 1024 or
       less in order to match the filter.  Or, if DstFilter is 0:0:23, then
       the destination address can be anything but the destination port must
       be 23 (i.e. the telnet port).

       The wildcard character is * and may be used to match any address and
       port number.

   Actions
       Once a filter is matched, 0 or more of the following actions can be
       performed on the packet.  The order in which they appear in the
       configuration file does not matter; they are always performed in the
       following order.

              DENY   Deny or drop the packet.  This action precludes all
                     other actions.

              TSA={ NewAddrsSpec | POOL }
                     The "Translate Source Address" command.  If
                     NewAddrsSpec is specified, the source address is
                      statically translated to the new address.  The format of
                     NewAddrsSpec is the same as AddrsSpec which is
                     described in the SrcFilter and DstFilter section above.
                     The first address specified by the SrcFilter is
                     translated to the first address specified by the
                     NewAddrsSpec, the second address is translated to the
                     second, the third address is translated to the third,
                     etc.  Therefore, there should be the same number of
                     addresses specified by both address specifications.

                     If the keyword POOL is specified, the source address is
                     translated to one of the available pool addresses
                     specified by a POOLADDRS statement.

                     Reverse translation is automatically performed by the
                     system; therefore, you need only specify a filter for a
                     single direction.  Typically, you should specify the
                     translation that should take place for incoming packets
                     on an internal network interface (i.e. the network
                     interface which corresponds to the private network
                     whose addresses need translation).

              TDA={ NewAddrsSpec | POOL }
                     The "Translate Destination Address" command.  This
                     command is analogous to the TSA command above.  If
                     NewAddrsSpec is specified, the destination address is
                      statically translated to the new address.  The format of
                     NewAddrsSpec is the same as AddrsSpec which is
                     described in the SrcFilter and DstFilter section above.
                     The first address specified by the DstFilter is
                     translated to the first address specified by the
                     NewAddrsSpec, the second address is translated to the
                     second, the third address is translated to the third,
                     etc.  Therefore, there should be the same number of
                     addresses specified by both address specifications.

                     If the keyword POOL is specified, the destination
                     address is translated to one of the available pool
                     addresses specified by a POOLADDRS statement.

                     Reverse translation is automatically performed by the
                     system; therefore, you need only specify a filter for a
                     single direction.  Typically, you should specify the
                     translation that should take place for incoming packets
                     on an internal network interface (i.e. the network
                     interface which corresponds to the private network
                     whose addresses need translation).

              TSP=NewPort
                     The "Translate Source Port" command.  This command
                     changes the source port number to NewPort.  Reverse
                     translation is automatically performed by the system;
                     therefore, you need only specify a filter for a single
                     direction.  When performing reverse translation,
                     however, the NewPort value is translated to the minimum
                     port specified in the PortRange of the SrcFilter.
                     Therefore, the PortRange should specify a single port
                     value in order to correctly perform reverse translation
                     for this command.  For example,

                     FILTER iT dpen0 0:0:5000-5010 * TSP=1000

                     matches all incoming TCP packets on dpen0 whose source
                     port is between 5000 and 5010 inclusive, and translates
                     the source port to 1000.  However, for all outgoing
                     packets on dpen0 whose destination port is 1000, the
                     destination port will be translated to 5000.  A single-
                     valued source port range is therefore needed if the TSP
                     action is used.

              TDP=NewPort
                     The "Translate Destination Port" command.  This command
                     changes the destination port number to NewPort, and is
                     analogous to the TSP command above.  Reverse
                     translation is automatically performed by the system;
                     therefore, you need only specify a filter for a single
                     direction.  When performing reverse translation,
                     however, the NewPort value is translated to the minimum
                     port specified in the PortRange of the DstFilter.
                     Therefore, the PortRange should specify a single port
                     value in order to correctly perform reverse translation
                     for this command.  See the example in the TSP command
                     above.

              PROXY[=ProxyPort]
                      This action applies only to incoming packets, and
                      causes the packet to be redirected to the local host
                      even if it was not intended for the local host.  This
                      action does not cause the destination address or port
                      number to be changed, but simply redirects the packet
                      as if they had been changed.  If a ProxyPort is
                      specified, the packet is redirected to port number
                      ProxyPort on the local host; otherwise, the packet is
                      redirected to the port specified by the destination
                      port in the packet.

                     Since the destination address and port numbers are not
                     actually changed in the packet, a proxy server
                     listening on port ProxyPort can retrieve the intended
                     destination address and port number with the
                      getsockname call for TCP endpoints or with the
                      IPRECVDSTSOCKADDR option for UDP endpoints.

   AddrsSpec
       The AddrsSpec field of the POOLADDRS command is of the format:
       A.B.C.D where any component of the dotted quad can be a single number
       or a range of numbers.  Unlike a FILTER range, it is taken literally
       and not widened to a mask block.  For example,

       POOLADDRS dpen1 1.2.3.1-10

       puts addresses 1.2.3.1 through 1.2.3.10 into the pool of addresses
       associated with dpen1.

EXAMPLES
       In the following examples, assume dpen0 is the external interface
       which is attached to the internet, and assume dpen1 is the internal
       interface which is attached to the private network.

   Static address translation
       Translate the source address on packets coming from the internal
       network from a private 10.0.0.x address to 1.2.3.x.  Both ranges are
       widened to whole mask blocks (10.0.0.0-255 and 1.2.3.0-255), so the
       mapping is one-to-one: 10.0.0.7 becomes 1.2.3.7.  Note that packets
       going to the internal network are also translated.  This provides both
       private-to-internet as well as internet-to-private connectivity.

       FILTER iTUO dpen1 10.0.0.1-255 * TSA=1.2.3.1-255

   Dynamic address translation
       Translate the source address on packets coming from the internal
       network from a private 10.0.0.x address to one of the pool addresses
       1.2.3.1 through 1.2.3.15.  Note that reply packets going to the
       internal network are also translated, but since no internal host owns
       a fixed external address, this provides private-to-internet
       connectivity only.

       FILTER iTUO dpen1 10.0.0.1-255 * TSA=POOL

       POOLADDRS dpen1 1.2.3.1-15

   Proxy and address hiding configuration
       Proxy all TCP and UDP traffic to the proxy servers running on TCP and
       UDP port 1000, respectively.

       FILTER iTU dpen1 * * PROXY=1000

       Since all connections go through a proxy, the source address of the
       system hosting the proxy server appears on the internet instead of
       any internal addresses.  The internal addresses are therefore hidden.
       See the man page for the generic proxy daemon, netgpd, for more
       information.

   Load balance configuration
       Send all http requests (i.e. to port 80) from odd addresses to
       1.2.3.4 and all other http requests to 1.2.3.5.  The SrcFilter 1:1 is
       an IPAddr:Mask specification (address 1, mask 1) and so matches any
       address whose low-order bit is set; because the first matching filter
       wins, the second line only sees the requests the first did not match.

       FILTER iT dpen1 1:1 0:0:80 TDA=1.2.3.4

       FILTER iT dpen1 *   0:0:80 TDA=1.2.3.5
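
       The following is an added, runnable model of the matching rules
       described above, written for this page and not part of DG/UX or of
       netctrl.  It parses the FILTER and POOLADDRS statements described in
       the SrcFilter and DstFilter and Actions sections, widens dotted-quad
       ranges to mask blocks as noted there, and applies first-match
       evaluation to the static address translation and load balance
       examples.  Where the page is silent the code states an assumption: how
       a two-field endpoint such as 1:1 is read, how POOL picks an address,
       and how a NewAddrsSpec with fewer addresses than the filter block is
       handled.  The sample configuration and packets are constructed for
       the example.

```python
# Added example for this page, not DG/UX code: a model of netctrl.config FILTER
# parsing and first-match evaluation per the SrcFilter/DstFilter, Actions and
# EXAMPLES sections.  Where the page is silent the comments say ASSUMPTION.
from collections import namedtuple

def ip2int(s):
    """Dotted quad ('1.2.3.4') or bare number ('0', '0xffffffff') to int."""
    return int.from_bytes(bytes(int(p) for p in s.split(".")), "big") if "." in s else int(s, 0)

def int2ip(n):
    return ".".join(map(str, n.to_bytes(4, "big")))

def range_bounds(spec):
    """'1.2.3.1-12' -> (lowest, highest): the literal reading POOLADDRS uses."""
    lo = hi = 0
    for part in spec.split("."):
        a, _, b = part.partition("-")
        lo, hi = (lo << 8) | int(a), (hi << 8) | int(b or a)
    return lo, hi

def parse_addrs(spec):
    """FILTER AddrsSpec -> (base, mask); '*' matches all.  A range widens to the
    smallest mask block holding it: 1.2.3.1-12 -> 1.2.3.0:0xfffffff0 = 1.2.3.0-15."""
    if spec == "*":
        return 0, 0
    if ":" in spec:
        ip, mask = (ip2int(x) for x in spec.split(":"))
        return ip & mask, mask
    lo, hi = range_bounds(spec)
    mask = 0xffffffff
    while (lo & mask) != (hi & mask):
        mask = (mask << 1) & 0xffffffff
    return lo & mask, mask

def parse_endpoint(spec):
    """SrcFilter/DstFilter -> (base, mask, minport, maxport).  ASSUMPTION: 1 field =
    range, 2 = IPAddr:Mask (the example's '1:1'), 3 = IPAddr:Mask:PortRange; a
    missing or '*' port range matches every port."""
    f = spec.split(":")
    if len(f) == 3 and f[2] != "*":
        lo, _, hi = f[2].partition("-")
        return (*parse_addrs(f[0] + ":" + f[1]), int(lo), int(hi or lo))
    return (*parse_addrs(":".join(f[:2])), 0, 65535)

def parse_config(text):
    """-> (filters, pools): filters are (flags, iface, src, dst, actions) in file
    order, pools map iface -> free addresses.  PROXYARP only seeds ARP; skipped."""
    filters, pools = [], {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()           # '#' starts a comment
        if words and words[0] == "FILTER":
            _, flags, iface, src, dst, *acts = words
            actions = dict(a.split("=", 1) if "=" in a else (a, "") for a in acts)
            filters.append((flags, iface, parse_endpoint(src), parse_endpoint(dst), actions))
        elif words and words[0] == "POOLADDRS":
            lo, hi = range_bounds(words[2])
            pools.setdefault(words[1], []).extend(range(lo, hi + 1))
    return filters, pools

# direction is 'i' or 'o'; proto is 'T', 'U' or 'O', the same letters as Flags
Packet = namedtuple("Packet", "iface direction proto src sport dst dport")

def matches(f, p):
    flags, iface, (sb, sm, slo, shi), (db, dm, dlo, dhi), _ = f
    return (iface == p.iface and p.direction in flags and p.proto in flags
            and ip2int(p.src) & sm == sb and slo <= p.sport <= shi
            and ip2int(p.dst) & dm == db and dlo <= p.dport <= dhi)

def translate(addr, filt_base, new_spec, pools, iface):
    """TSA/TDA.  POOL pops the next free pool address (ASSUMPTION: one per packet,
    no connection tracking).  Otherwise the n-th filter address maps to the n-th
    new one (10.0.0.x -> 1.2.3.x) and a single new address takes everything, as in
    the load-balance example (ASSUMPTION: the page leaves unequal counts undefined)."""
    if new_spec == "POOL":
        return pools[iface].pop(0)                     # IndexError once the pool is empty
    nb, nm = parse_addrs(new_spec)
    return nb | ((addr - filt_base) & ~nm & 0xffffffff)

def apply(filters, pools, p):
    """First matching filter wins; its actions run in the page's fixed order DENY,
    TSA, TDA, TSP, TDP (PROXY is not modelled).  Returns the translated packet, the
    untouched packet when nothing matches, or None when DENY drops it."""
    f = next((f for f in filters if matches(f, p)), None)
    if f is None:
        return p
    _, iface, src, dst, a = f
    if "DENY" in a:
        return None                                    # DENY precludes every other action
    new = {}
    if "TSA" in a:
        new["src"] = int2ip(translate(ip2int(p.src), src[0], a["TSA"], pools, iface))
    if "TDA" in a:
        new["dst"] = int2ip(translate(ip2int(p.dst), dst[0], a["TDA"], pools, iface))
    new.update({k: int(a[v]) for k, v in (("sport", "TSP"), ("dport", "TDP")) if v in a})
    return p._replace(**new)

SAMPLE = """# constructed sample, not from the page; dpen1 is the internal interface
FILTER iT   dpen1 1:1 0:0:80 TDA=1.2.3.4          # odd clients' web requests
FILTER iT   dpen1 *   0:0:80 TDA=1.2.3.5          # everyone else's web requests
FILTER iTUO dpen1 10.0.0.1-255 * TSA=1.2.3.1-255  # static NAT for whatever is left
"""

def demo():
    filters, pools = parse_config(SAMPLE)
    return [apply(filters, pools, Packet("dpen1", "i", "T", s, sp, "203.0.113.5", dp))
            for s, sp, dp in (("10.0.0.7", 40000, 80), ("10.0.0.8", 40001, 80), ("10.0.0.7", 40002, 22))]
```

       Running demo() shows why filter order matters: the two web requests
       match a load balance filter first and stop there, so their 10.0.0.x
       source address is not rewritten, while the SSH packet falls through to
       the static NAT filter and leaves with source 1.2.3.7.  To translate the
       source address of load-balanced requests as well, put a TSA action on
       the load balance filters themselves; each filter may carry several
       actions.  parse_addrs("1.2.3.1-12") also makes the widening described
       in the SrcFilter and DstFilter section visible: it returns the block
       1.2.3.0:0xfffffff0, which matches 1.2.3.0 and 1.2.3.15 as well.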

FILES
       /etc/netctrl.config

SEE ALSO
       netctrl(1M).


Licensed material--property of copyright holder(s)
