RE: Proposed Improvements to NPF

To: Greg Troxel <gdt%lexort.com@localhost>, Rhialto <rhialto%falu.nl@localhost>
Subject: RE: Proposed Improvements to NPF
From: Josh Moyer <JMoyer%nodomain.net@localhost>
Date: Sat, 7 Jun 2025 20:52:56 +0000

Thank you all for the early input and support.  I heartily agree with Greg's
suggestion to take it one feature/improvement at a time, starting with
multi-interface groups, nested variables and then hostname lookups, an order
which reflects my needs at the moment, with host lookups coming in at a
relatively distant third.

There was some confusion around my careless use of the word "group".  For
groups, as per npf.conf(5), yes I do mean supporting this syntax of Greg's:

    group "my-name" in on { wm0, wm1, vlan3 } {
        # List of rules, for packets received on wm0
    }

My use case also involves the dynamic tun(4) interfaces, which aren't always
present at startup (think OpenVPN), so will try to accommodate that somehow
too.

I was also talking about groups of variables, but perhaps should have said
"nested variables", such as:

    $host1=x.x.x.x
    $host2={x.x.x.x,x.x.x.x}
    $trustedhostgroup=$host1,$host2

I've had lots of problems there, frankly, including the mentioned crashes.
I will look at my core file as part of work on this feature.

As for "DNS lookups", I was thinking of using gethostbyname(3), Olaf, so I'm
sure that nsswitch.conf would be honored.  Greg's use case reasonably
matched my own, so I think we're all on the same page here.

I have started keeping notes with the other suggestions and requirements and
will try to keep them all in mind as work progresses.  That seems to mean
that the next step is for a design sketch.  I'm not yet familiar enough with
the code to propose anything at this time, but I will soon.  Suggestions as
what a sketch should include and look like are appreciated.  Thanks again
and stay tuned!

--
Thanks and kind regards,
    _____    
   | * * |   Josh Moyer (he/him) <JMoyer%NODOMAIN.NET@localhost>
   |*(*)*|   http://jmoyer.nodomain.net/
    \ - /    http://www.nodomain.net/
     \//     
             Love, Responsibility, Justice
             Liebe, Verantwortung, Gerechtigkeit
             
             Please don't eat the animals.
             Thanks.

Follow-Ups:
- Re: Proposed Improvements to NPF
  - From: Edgar Fuß
- Re: Proposed Improvements to NPF
  - From: Martin Husemann

References:
- Proposed Improvements to NPF
  - From: Josh Moyer
- Re: Proposed Improvements to NPF
  - From: Greg Troxel
- Re: Proposed Improvements to NPF
  - From: Rhialto
- Re: Proposed Improvements to NPF
  - From: Greg Troxel

Prev by Date: Re: Proposed Improvements to NPF
Next by Date: Re: Proposed Improvements to NPF
Previous by Thread: Re: Proposed Improvements to NPF
Next by Thread: Re: Proposed Improvements to NPF
Indexes:

Home | Main Index | Thread Index | Old Index