tech-net archive


Experiments with npf on -current



I've had a quick test of npf on a dual-attached machine which usually ran pf.

# /etc/rc.d/pf stop
# modunload pf
# modload npf
# modstat|grep 'pf '



First tried nat, but could not get it to take effect:

int_if = "bge1"
int_net = "192.168.2.0/24"
ext_if = "bge0"
nat $ext_if from $int_net to any -> $ext_if


# npfctl stats
Packets passed:
        570636 default pass
        0 ruleset pass
        0 session pass

Packets blocked:
        0 default block
        0 ruleset block

Session and NAT entries:
        0 session allocations
        0 session destructions
        0 NAT entry allocations
        0 NAT entry destructions
[...]



Then tried a simple block rule:

group (name "internal", interface $int_if) {
    block in quick proto tcp to any port 80
}

/etc/rc.d/npf reload
Reloading NPF ruleset.
npfctl: n-code size got wrong (36 != 72)


/netbsd & /stand/amd64/5.99.56/modules/npf/npf.kmod  from the same
build last night.
Could there be anything obvious I'm missing?

Thanks
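The `npfctl stats` output quoted above is itself a useful diagnostic: when every passed packet is a "default pass" and no session or NAT entry was ever allocated, traffic is not reaching the loaded ruleset at all. The following check is an added example, not part of the original post or of NPF; it assumes the line formats are exactly as quoted in the post and uses a constructed copy of that output as sample input.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): read `npfctl stats`
# text on stdin and decide whether the loaded ruleset is being consulted.
# Assumption: counter lines look like "<count> <name>" as quoted above.

# Constructed sample mirroring the counters shown in the post.
SAMPLE_STATS='Packets passed:
        570636 default pass
        0 ruleset pass
        0 session pass

Packets blocked:
        0 default block
        0 ruleset block

Session and NAT entries:
        0 session allocations
        0 session destructions
        0 NAT entry allocations
        0 NAT entry destructions'

# Prints one of EFFECTIVE, NOT_CONSULTED or NO_TRAFFIC.
# Exit status 0 only when the ruleset is actually doing work.
npf_ruleset_status() {
    awk '
        /default pass/          { dpass  = $1 }
        /ruleset pass/          { rpass  = $1 }
        /ruleset block/         { rblock = $1 }
        /session allocations/   { sess   = $1 }
        /NAT entry allocations/ { nat    = $1 }
        END {
            # No packets seen at all: nothing to conclude yet.
            if (dpass + rpass + rblock == 0) { print "NO_TRAFFIC"; exit 1 }
            # Packets flowed, but only via the default verdict and with
            # no sessions or NAT entries: rules never matched anything.
            if (rpass + rblock + sess + nat == 0) { print "NOT_CONSULTED"; exit 1 }
            print "EFFECTIVE"; exit 0
        }'
}

# Example run on the constructed sample (reports NOT_CONSULTED).
printf '%s\n' "$SAMPLE_STATS" | npf_ruleset_status || :
```

On a live system run it as `npfctl stats | npf_ruleset_status` after a reload, and re-check once some traffic has crossed the interface.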

