tech-net archive
Re: Proposed Improvements to NPF
gdt%lexort.com@localhost (Greg Troxel) writes:
>> Obvious choices are: (1) drop the rule [this is my favorite] loudly,
>> (2) provide syntax for fallback addresses (hard to get right for
>> the admin, but easy to implement), (3) fail the whole config
>> loading (IMHO worst option).
> I think of those, only option 1 is reasonable, with a warning. I guess
> right now we might not have warnings, just silent success and errors.
Right now we don't have a failing DNS resolver, no warnings, no errors.
Dropping an allow rule might be an option for an initial configuration.
Dropping a forbid rule on the other hand is probably always bad, and that
includes permit rules with a negation ("allow all but ...").
For me the only safe way is 3), either load a working configuration
or keep the existing configuration.
N.B. a much better approach to handle varying IP addresses is to use a
table that gets refreshed externally.
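As an added illustration of the "externally refreshed table" approach and of the load-it-all-or-keep-the-old-one policy argued above (example code, not part of this thread and not NPF's own tooling): the script below resolves a list of hostnames and hands the result to npfctl only if every name resolved, so a DNS failure leaves the existing table contents in place instead of silently shrinking a block list. The table name <blocked-hosts>, the npf.conf fragment in the comment, the hostfile format and the resolver hook are assumptions for the example; npfctl(8) in recent NetBSD releases provides the `npfctl table <tid> replace <file>` form used here.

```shell
#!/bin/sh
# Added example (not from the thread or from NPF itself): refresh an NPF
# table from a list of hostnames with all-or-nothing semantics.
# Assumed npf.conf:
#
#   table <blocked-hosts> type ipset
#   block in final from <blocked-hosts>
#
# If a single name fails to resolve, the table is left as it is rather
# than loading a smaller (and therefore weaker) block list.

# Resolver hook: getent(1) by default; tests can point RESOLVE at a
# function serving constructed data.
RESOLVE=${RESOLVE:-resolve_getent}

# Print the first address (IPv4 or IPv6) for $1, nothing on failure.
resolve_getent() {
    getent hosts "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# Read hostnames from file $1 (one per line, '#' starts a comment) and
# print one address per line.  Returns 1 if any name did not resolve,
# so a partial list is never handed to npfctl.
build_addr_list() {
    status=0
    while IFS= read -r host || [ -n "$host" ]; do
        host=${host%%#*}
        host=$(printf '%s' "$host" | tr -d '[:space:]')
        [ -z "$host" ] && continue
        addr=$("$RESOLVE" "$host")
        if [ -z "$addr" ]; then
            echo "refresh: cannot resolve $host" >&2
            status=1
            continue
        fi
        printf '%s\n' "$addr"
    done < "$1"
    return "$status"
}

# Replace table $1 with the addresses resolved from hostfile $2.  On any
# resolution failure the existing table contents are left untouched.
refresh_table() {
    tid=$1
    hostfile=$2
    tmp=$(mktemp) || return 1
    if build_addr_list "$hostfile" > "$tmp"; then
        npfctl table "$tid" replace "$tmp"
        rc=$?
    else
        echo "refresh: keeping existing contents of table $tid" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage from cron: refresh-table.sh blocked-hosts /etc/npf/blocked-hosts.txt
case $# in
    2) refresh_table "$1" "$2" ;;
esac
```

Run it from cron(8) as often as the DNS TTLs warrant; because the table is swapped in one npfctl call, the rules that reference it never see a half-built list, and a resolver outage only delays the next refresh rather than opening a hole.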