netctrl.config(4M) DG/UX B2 Security R4.12MU02 netctrl.config(4M)
NAME
netctrl.config - configuration file for Network Control, netctrl
SYNOPSIS
/etc/netctrl.config
DESCRIPTION
The netctrl.config file provides administrative control over TCP/IP
features such as: NAT (Network Address Translation), proxy redirects,
and service load distribution. The netctrl(1M) command is
automatically invoked to install the netctrl.config configuration
each time the system is rebooted; however, the configuration can be
modified and reinstalled at any time by explicitly invoking the
netctrl command.
The configuration file contains three types of statements: FILTER,
POOLADDRS, and PROXYARP. Each statement is on a single line
beginning with one of these three keywords.
The FILTER statements form an ordered list which is searched for
each incoming and outgoing packet. The actions associated with the
first matching filter are performed on the packet; once a matching
filter is found for a packet, no other filters are searched.
Each filter is associated with a single network interface (e.g.
dpen0), and therefore can only match packets incoming from or
outgoing to that network interface. Each filter may also be matched
based upon: protocol, source address, destination address, source
port, and/or destination port.
Each filter may have zero or more of the following actions: deny
(i.e. drop) the packet, proxy the packet to the local system rather
than forwarding it to the destination system, translate the source
address, destination address, source port, and/or destination port.
The POOLADDRS statement is used to specify which IP addresses are
available for use as pool addresses. Pool addresses provide a
mechanism whereby some number of hosts on an internal private network
can share a presumably smaller number, a pool, of externally legal IP
addresses. The maximum number of hosts from the private network
which can concurrently connect to external hosts is then limited by
the number of pool addresses.
The PROXYARP statement is used to create an ARP entry for the
interface itself. The interface across which address translation is
performed is known on the host side by its configured address;
however, the hosts on the internal private network may know it by
another address on the network side of the interface. The PROXYARP
statement performs the same operation as the arp command with the -s
option.
Format
Each line of the netctrl.config file contains a single statement.
The only exception is comments, which begin with the # character and
continue to the end of the line. The general format of each
statement is one of the following:
FILTER Flags Interface SrcFilter DstFilter Actions
POOLADDRS Interface AddrsSpec
PROXYARP Interface IntIPAddr HardwareAddr
Flags
The Flags field of each filter consists of a sequence of characters
denoting which direction and protocol(s) to match. The characters
are as follows and can be in any order: i matches incoming packets, o
matches outgoing packets, T matches TCP packets, U matches UDP
packets, and O matches any protocol other than TCP or UDP. For
example, iTU matches incoming TCP and UDP packets.
Note that exactly one direction must be specified; the system will
automatically perform any necessary reverse translation for reply
packets.
Interface
The Interface field of the FILTER command contains the name of the
network interface to which this filter belongs. The name of the
network interface is specified by giving its device file in the /dev
directory. For example, dpen0 specifies the network interface
associated with the /dev/dpen0 device file. Each filter matches only
packets traversing the specified interface.
The Interface field of the POOLADDRS command specifies which network
interface the pool addresses are associated with. In order for a
pool address to be used, the matching filter must have TSA or TDA
action with the POOL keyword; see the Actions section below for more
information.
SrcFilter and DstFilter
The SrcFilter field specifies which source addresses and port numbers
to match; the DstFilter field specifies which destination addresses
and port numbers to match. Both the SrcFilter and DstFilter fields
are of the format AddrsSpec:PortRange, where address A and port P
match the filter if A is one of the addresses specified by AddrsSpec
and P is in range of ports specified by PortRange.
AddrsSpec has two possible formats. The first possible format is:
IPAddr:Mask. This specification includes all addresses A for which A
& Mask equals IPAddr & Mask. The second possible format of AddrsSpec
is: A.B.C.D where any component of the dotted quad can be a single
number or a range of numbers (N-M). For example, 1.2.3.1-12 includes
addresses 1.2.3.1 through 1.2.3.12. This format is actually
converted internally to the first format, which is then equivalent to
1.2.3.0:0xfffffff0. Note therefore that 1.2.3.1-12 actually includes
addresses 1.2.3.0 through 1.2.3.15.
The PortRange specification can be of the form, MinPort-MaxPort,
denoting a range of ports, or a single number which means the minimum
and maximum port numbers are equal.
For example, if SrcFilter is 1.2.3.4:0xffffffff:0-1024, then the
source address must equal 1.2.3.4 and the source port must be
1024 or less in order to match the filter. Or, if DstFilter is
0:0:23, then the destination address can be anything but the
destination port must be 23 (i.e. the telnet port).
The wildcard character is * and may be used to match any address and
port number.
Actions
Once a filter is matched, 0 or more of the following actions can be
performed on the packet. The order in which they appear in the
configuration file does not matter; they are always performed in the
following order.
DENY Deny or drop the packet. This action precludes all
other actions.
TSA={ NewAddrsSpec | POOL }
The "Translate Source Address" command. If
NewAddrsSpec is specified, the source address is
statically translated to the new address. The format of
NewAddrsSpec is the same as AddrsSpec which is
described in the SrcFilter and DstFilter section above.
The first address specified by the SrcFilter is
translated to the first address specified by the
NewAddrsSpec, the second address is translated to the
second, the third address is translated to the third,
etc. Therefore, there should be the same number of
addresses specified by both address specifications.
If the keyword POOL is specified, the source address is
translated to one of the available pool addresses
specified by a POOLADDRS statement.
Reverse translation is automatically performed by the
system; therefore, you need only specify a filter for a
single direction. Typically, you should specify the
translation that should take place for incoming packets
on an internal network interface (i.e. the network
interface which corresponds to the private network
whose addresses need translation).
TDA={ NewAddrsSpec | POOL }
The "Translate Destination Address" command. This
command is analogous to the TSA command above. If
NewAddrsSpec is specified, the destination address is
statically translated to the new address. The format of
NewAddrsSpec is the same as AddrsSpec which is
described in the SrcFilter and DstFilter section above.
The first address specified by the DstFilter is
translated to the first address specified by the
NewAddrsSpec, the second address is translated to the
second, the third address is translated to the third,
etc. Therefore, there should be the same number of
addresses specified by both address specifications.
If the keyword POOL is specified, the destination
address is translated to one of the available pool
addresses specified by a POOLADDRS statement.
Reverse translation is automatically performed by the
system; therefore, you need only specify a filter for a
single direction. Typically, you should specify the
translation that should take place for incoming packets
on an internal network interface (i.e. the network
interface which corresponds to the private network
whose addresses need translation).
TSP=NewPort
The "Translate Source Port" command. This command
changes the source port number to NewPort. Reverse
translation is automatically performed by the system;
therefore, you need only specify a filter for a single
direction. When performing reverse translation,
however, the NewPort value is translated to the minimum
port specified in the PortRange of the SrcFilter.
Therefore, the PortRange should specify a single port
value in order to correctly perform reverse translation
for this command. For example,
FILTER iT dpen0 0:0:5000-5010 * TSP=1000
matches all incoming TCP packets on dpen0 whose source
port is between 5000 and 5010 inclusive, and translates
the source port to 1000. However, for all outgoing
packets on dpen0 whose destination port is 1000, the
destination port will be translated to 5000. A single-
valued source port range is therefore needed if the TSP
action is used.
TDP=NewPort
The "Translate Destination Port" command. This command
changes the destination port number to NewPort, and is
analogous to the TSP command above. Reverse
translation is automatically performed by the system;
therefore, you need only specify a filter for a single
direction. When performing reverse translation,
however, the NewPort value is translated to the minimum
port specified in the PortRange of the DstFilter.
Therefore, the PortRange should specify a single port
value in order to correctly perform reverse translation
for this command. See the example in the TSP command
above.
PROXY[=ProxyPort]
This action applies only to incoming packets, and
causes the packet to be redirected to the local
host even if it was not intended for the local host.
This action does not cause the destination address or
port number to be changed, but simply redirects the
packet as if those fields had been changed. If a ProxyPort is
specified, the packet is redirected to port number
ProxyPort on the local host; otherwise, the packet is
redirected to the port specified by the destination
port in the packet.
Since the destination address and port number are not
actually changed in the packet, a proxy server
listening on port ProxyPort can retrieve the intended
destination address and port number with the
getsockname call for TCP endpoints or with the
IPRECVDSTSOCKADDR option for UDP endpoints.
AddrsSpec
The AddrsSpec field of the POOLADDRS command is of the format:
A.B.C.D where any component of the dotted quad can be a single number
or a range of numbers (N-M). For example,
POOLADDRS dpen1 1.2.3.1-10
puts addresses 1.2.3.1 through 1.2.3.10 into the pool of addresses
associated with dpen1.
EXAMPLES
In the following examples, assume dpen0 is the external interface
which is attached to the internet, and assume dpen1 is the internal
interface which is attached to the private network.
Static address translation
Translate the source address on packets coming from the internal
network from a private 10.0.0.x address to 128.222.11.x. Note that
packets going to the internal network are also translated. This
provides both private-to-internet as well as internet-to-private
connectivity.
FILTER iTUO dpen1 10.0.0.1-255 * TSA=1.2.3.1-255
Dynamic address translation
Translate the source address on packets coming from the internal
network from a private 10.0.0.x address to one of the pool addresses:
128.222.11.1 to 128.222.11.15. Note that packets going to the
internal network are also translated. This provides private-to-
internet connectivity only.
FILTER iTUO dpen1 10.0.0.1-255 * TSA=POOL
POOLADDRS dpen1 1.2.3.1-15
Proxy and address hiding configuration
Proxy all TCP and UDP traffic to the proxy servers running on TCP and
UDP port 1000, respectively.
FILTER iTU dpen1 * * PROXY=1000
Since all connections go through a proxy, the source address of the
system hosting the proxy server appears on the internet instead of
any internal addresses. The internal addresses are therefore hidden.
See the man page for the generic proxy daemon, netgpd, for more
information.
Load balance configuration
Send all http requests (i.e. to port 80) from odd addresses to
1.2.3.4 and all other http requests to 1.2.3.5.
FILTER iT dpen1 1:1 0:0:80 TDA=1.2.3.4
FILTER iT dpen1 * 0:0:80 TDA=1.2.3.5
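The FILTER lines above, together with the AddrsSpec widening rule and the single-valued port range required by TSP and TDP from the earlier sections, checked by an added Python script that is not part of DG/UX or of this manual. It assumes that every dotted component of a range is widened independently to the smallest aligned power-of-two block; the manual shows this only for the last octet.

```python
# Added example, not DG/UX code: what a netctrl.config AddrsSpec really matches
# after the dotted-range to IPAddr:Mask conversion (1.2.3.1-12 -> 1.2.3.0:0xfffffff0),
# plus a lint of FILTER lines. Assumption: each dotted component is widened on its
# own to the smallest aligned power-of-two block containing its range.

def range_to_mask(spec):
    """A.B.C.D with optional N-M components -> (ipaddr, mask) as 32-bit ints."""
    ip = mask = 0
    for comp in spec.split("."):
        lo, _, hi = comp.partition("-")
        lo, hi = int(lo), int(hi or lo)
        k = next(k for k in range(9) if lo >> k == hi >> k)   # smallest 2^k block holding lo..hi
        ip, mask = (ip << 8) | (lo & (0xFF << k)), (mask << 8) | ((0xFF << k) & 0xFF)
    return ip, mask

def parse_addrs(spec):
    """AddrsSpec ('*', IPAddr:Mask, or dotted ranges) -> (ipaddr, mask)."""
    if ":" in spec:                              # IPAddr:Mask, mask may be hex
        ipaddr, m = spec.split(":")
        return (range_to_mask(ipaddr)[0] if "." in ipaddr else int(ipaddr, 0)), int(m, 0)
    return (0, 0) if spec == "*" else range_to_mask(spec)

def effective_range(spec):
    """Lowest and highest address the spec matches, as dotted quads."""
    ip, mask = parse_addrs(spec)
    dq = lambda n: ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))
    return dq(ip & mask), dq((ip & mask) | (~mask & 0xFFFFFFFF))

def split_filter(field):
    """SrcFilter/DstFilter -> (AddrsSpec, (minport, maxport)); '*' means any port."""
    parts = field.split(":")
    if len(parts) == 3 or (len(parts) == 2 and ("." in parts[0] or parts[0] == "*")):
        addrs, ports = ":".join(parts[:-1]), parts[-1]
    else:                                        # e.g. 1:1 (odd addresses), any port
        addrs, ports = field, "*"
    lo, _, hi = ("0-65535" if ports == "*" else ports).partition("-")
    return addrs, (int(lo), int(hi or lo))

def check_filter(line):
    """Problems in one FILTER statement per the rules above (empty list if none)."""
    flags, _iface, src, dst, *actions = line.split()[1:]
    (_, sp), (_, dp), problems = split_filter(src), split_filter(dst), []
    if sum(c in "io" for c in flags) != 1:
        problems.append("exactly one direction flag (i or o) is required")
    for name in (a.partition("=")[0] for a in actions):
        ports = sp if name == "TSP" else dp
        if name in ("TSP", "TDP") and ports[0] != ports[1]:
            problems.append(name + " needs a single-valued port range for reverse translation")
    return problems
```

Running effective_range over each TSA/TDA argument before installing a configuration shows the hosts a range actually covers after widening, which is the check that catches a translation or proxy filter quietly matching more of the private network than intended.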
FILES
/etc/netctrl.config
SEE ALSO
netctrl(1M).
Licensed material--property of copyright holder(s)