NPF newbie questions

[Egerváry Gergely <gergely%egervary.hu@localhost>]

Hi,

Let me ask some NPF newbie questions. I'm running on 7_STABLE.

#1:

I have several tunnel interfaces where I need normalisation, mostly MSS
clamping. In IPFilter and PF normalisation was separated from filter
rules, so I have had a single normalisation rule (okay - two rules for
two address families) for all packets going out on an interface like
this:

# IPFilter example - ipnat.conf
map pppoe0 inet 0/0 -> 0/0 msclamp 1452 tcp
map pppoe0 inet6 0/0 -> ::0/0 msclamp 1432 tcp
map gre0 inet 0/0 -> 0/0 mssclamp 1428 tcp
map gre0 inet6 0/0 -> ::0/0 mssclamp 1408 tcp
...

# PF example - pf.conf
scrub on pppoe0 inet max-mss 1452
scrub on pppoe0 inet6 max-mss 1432
scrub on gre0 inet max-mss 1428
scrub on gre0 inet6 max-mss 1408
...

NPF documentation says I have to apply the normalisation on filter
rules. Does this really mean I have to apply the normalisation on all
rules that can ever pass a packet on a specific interface? Or, is it
possible to create a normalisation rule, and then go on and process
other filter rules?

#2:

Do you have plans on inline sets (lists)? Now this is supported:

$web_services = { 80, 443 }
pass in proto tcp to 1.2.3.4 port $web_services

... but this is not supported:

pass in proto tcp to 1.2.3.4 port { 80, 443 }

or - different syntax, like `npfctl show' output:

pass in proto tcp to 1.2.3.4 { port 80, port 443 }

#3:

man 5 npf.conf has an example:

$pub_if46 = { inet4(wm0), inet6(wm0) }

... but I can't create any filter rule on it:

group default {
        pass in to $pub_if46
}

# npfctl validate npf.conf
npfctl: address family mismatch

Looks like it's not supported on multiple address families.
Please remove this example, or - better - implement it.

#4:

Do you have plans on implementing sets (lists) for protocols?
I mean:

$tcpudp = { tcp, udp }
pass in proto $tcpudp to 1.2.3.4 port 53

Thanks - and keep up the good work!

--
Gergely EGERVARY