Re: Proposed Improvements to NPF

To: Josh Moyer <JMoyer%nodomain.net@localhost>
Subject: Re: Proposed Improvements to NPF
From: Emmanuel Nyarko <emmankoko519%gmail.com@localhost>
Date: Sun, 8 Jun 2025 10:09:52 +0000

> On 7 Jun 2025, at 6:48 AM, Josh Moyer <JMoyer%nodomain.net@localhost> wrote:
> 
> Dear tech-net,
> My npf.conf is complex and unwieldy at 720 lines.  I'm in need of
> syntactical improvements to help me manage it.  Necessity is the mother
> of invention and, so, I am proposing these prioritized improvements to
> npfctl's parser:
> 
> 1: Allow for multiple interfaces per group.
> 
Hi Josh, since you are connected on multiple interfaces, 

can you please try this simple rule for me and let me know the observed behavior.
1. don’t set any interface on your group decl.
2. Pass different interfaces to different rules in the same group.

would be happy to get the feedback on that.

group “external” { /* no dir, no interface */
        pass final on $interface1 from blabla
	block final on $interface2 to blabla
} 

and maybe a default that passes all.
group default {
	pass all
}

let me know if the rules in the non-interface group stretch accross separate interfaces.

Emmanuel

References:
- Proposed Improvements to NPF
  - From: Josh Moyer

Prev by Date: Re: Proposed Improvements to NPF
Next by Date: Proposal to automatically make the owner/user of an accepted socket the current process
Previous by Thread: Re: Proposed Improvements to NPF
Next by Thread: Proposal to automatically make the owner/user of an accepted socket the current process
Indexes:

Home | Main Index | Thread Index | Old Index