Re: Proposed Improvements to NPF

To: Christoph Badura <bad%bsd.de@localhost>
Subject: Re: Proposed Improvements to NPF
From: Vadim Goncharov <vadimnuclight%gmail.com@localhost>
Date: Tue, 8 Jul 2025 22:11:36 +0300

On Tue, 8 Jul 2025 20:17:50 +0200
Christoph Badura <bad%bsd.de@localhost> wrote:

> 
> Not sure what the actual syntax would/should look like.  I have the
> iptables/nftables JUMP/GOTO actions in mind.

These are better called "CALL".

> > My use case also involves the dynamic tun(4) interfaces, which aren't
> > always present at startup (think OpenVPN), so will try to accommodate that
> > somehow too.  
> 
> This would be welcome.  E.g. the ppp interface on my Linux router comes and
> goes as the PPPoE connection sometimes terminates and gets restarted.
> 
> nftables distinguishes matching on a specific interface ([io]if "name", which
> translates to the if_index of the interface) and matching on the name
> ([io]ifname "foo*", which translates to actual pattern matching on the
> if_xname).

FreeBSD's ipfw allows this, too, and even a full fnmatch(3) i.e. shell
patterns like vlan[0-2]?*
Of course, such match is done in kernel on every packet.


-- 
WBR, @nuclight

References:
- Proposed Improvements to NPF
  - From: Josh Moyer
- Re: Proposed Improvements to NPF
  - From: Greg Troxel
- Re: Proposed Improvements to NPF
  - From: Rhialto
- Re: Proposed Improvements to NPF
  - From: Greg Troxel
- RE: Proposed Improvements to NPF
  - From: Josh Moyer
- Re: Proposed Improvements to NPF
  - From: Christoph Badura

Prev by Date: Re: Proposed Improvements to NPF
Next by Date: Re: Layer-2 filtering in NPF: breaking config parsing
Previous by Thread: Re: Proposed Improvements to NPF
Next by Thread: Re: Proposed Improvements to NPF
Indexes:

Home | Main Index | Thread Index | Old Index