tech-net archive


Re: NPF and PF

On Thu, Dec 17, 2020 at 09:08:35AM -0600, Hector wrote:
> * Manuel Bouyer <> wrote, on 2020-12-17 03:13:
> > One thing I didn't mention in my previous emails is that, for the Xen
> > example, npf should accept to load rules with nonexistent interfaces
> > (the interfaces are created later).
> I have this same problem with npf and tun interfaces.
> My tun interfaces are generally not created until a particular process
> starts and creates them with an open() call on /dev/tunN.
> npf was not happy with the non-existent interfaces being referenced
> in the ruleset.
> I was able to work around the problem by creating a 'ifconfig.tun0', etc,
> in rc.conf, with only an 'up' action in it, which causes the interface
> to be created (by /etc/rc.d/network).

With Xen dom0 there's no way to work around this. The interfaces are numbered
by domain id, and this can become arbitrarily high: if you destroy/create a vm
(just rebooting the vm is enough) you get a new domain id each time.
You don't know how high it will get after months of uptime.
On one system of mine, the domain id is at 270 ...

Manuel Bouyer <>
     NetBSD: 26 years of experience will always make the difference
