Re: Introducing NPF in NetBSD 6.0

To: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Subject: Re: Introducing NPF in NetBSD 6.0
From: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
Date: Mon, 29 Oct 2012 00:23:03 +0000

Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
>
> <...>
> 
> If I understood it properly, in npf a group can only be defined based on
> incoming interface, do you plan to expand this by match of arbitrary
> rules ?

Currently, the grouping is based on the interface.  In the kernel, NPF
already supports nested rules.  A group is just a rule having subrules.
The limitation is merely syntactic, as I wanted to put more thought on
the structuring of nested rules.  It seems that you basically want the
iptables chains equivalent. :)

> 
> Is there a way to explicitely allow, in a group, to leave this group a
> process the remaning groups ?
> 

No, but it would be ~trivial to add.  Can you describe your use case?

-- 
Mindaugas

Follow-Ups:
- Re: Introducing NPF in NetBSD 6.0
  - From: Manuel Bouyer

References:
- Re: Introducing NPF in NetBSD 6.0
  - From: Manuel Bouyer

Prev by Date: Re: Packet Filtering
Next by Date: Re: Packet Filtering
Previous by Thread: Re: Introducing NPF in NetBSD 6.0
Next by Thread: Re: Introducing NPF in NetBSD 6.0
Indexes:

Home | Main Index | Thread Index | Old Index