NetBSD-Users archive


Re: npf and multiple maps based on destination address



On Mon, 16 Mar 2015 00:47:43 +0000
Mindaugas Rasiukevicius <rmind%netbsd.org@localhost> wrote:

> Harry Waddell <waddell%caravaninfotech.com@localhost> wrote:
> > 
> > I'm trying to have npf ( on the latest netbsd 7 beta ) 
> > map address onto either an internal dmz network based on the
> > destination address being in a fairly large table ( several hundred
> > entries ) or map to the WAN address otherwise, e.g. as 
> > 
> > map vlan200 dynamic $mesh_nattable -> 10.8.200.1 pass from $mesh_nattable to <ngroutes>
> > map $wan_if dynamic $wan_nattable -> $wan_if
> > 
> > Since there's nothing in the syntax to indicate one can do a "map final",
> > would something like this work and if so, which rule would get used, the
> > first, the last, the most specific? Since this isn't in a group, I'm not
> > sure how or if this will work at all. 
> 
> Yes, that would work.  Currently, map rules behave as "final" by default,
> so you have a first-match.  It is debatable what should be the default and
> it could be made configurable via the extended "pass" syntax.
> 
> In any case, I should document this.
> 
> -- 
> Mindaugas
> 

An implicit first match? OK, I can work with that. I have it working fairly well now, 
except that I have one case where some subnets are at the other end of an openvpn tunnel 
and then trying to map those packets into the MESH VPN isn't working as it does for 
local subnets, or as it used to work with ipfilter. 

I don't want to hijack my own thread, so I'll send some mail, or perhaps 
a PR, about some of the issues I have seen. 

My npf rules are 1/6 the size of my ipf rules, and my new network is 
_much_ more complicated. Overall, I am very impressed. 


HW

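The point Mindaugas confirms above (map rules are "final" by default, so the first matching map rule wins) is easy to get backwards in a config. Below is an added npf.conf fragment written for this archive page; it is not code from the thread and not NetBSD's own sample configuration. It generalises the setup discussed: both map rules are put on one interface so that a packet can satisfy either, which is exactly when ordering decides. Interface names (wm0), the 10.8.0.0/16 source ranges, the 10.8.200.1 translation address and the /etc/npf_ngroutes table file are all assumptions.

```conf
# Added example (not from the thread). Interface, addresses and the
# table file are assumptions chosen to illustrate map-rule ordering.

$wan_if = "wm0"                      # assumed upstream interface
$wan_nattable  = { 10.8.0.0/16 }     # assumed: everything we source-NAT
$mesh_nattable = { 10.8.200.0/24 }   # assumed: hosts that may reach <ngroutes>

# Destination prefixes that must leave with the mesh/DMZ address.
# "tree" tables do longest-prefix matching, which suits a file of
# several hundred CIDR entries (one address or prefix per line).
table <ngroutes> type tree file "/etc/npf_ngroutes"

# Map rules are first-match. The narrower rule (restricted by the
# "pass from ... to <table>" filter) must therefore come first:
# traffic from the mesh hosts to any <ngroutes> prefix is translated
# to 10.8.200.1 ...
map $wan_if dynamic $mesh_nattable -> 10.8.200.1 pass from $mesh_nattable to <ngroutes>

# ... and everything else from the NAT range is translated to the
# interface address.
map $wan_if dynamic $wan_nattable -> $wan_if

# Swapping the two map lines is a silent misconfiguration, not a syntax
# error: the catch-all rule would match first and packets destined for
# <ngroutes> would leave with the WAN address instead of 10.8.200.1.

group "wan" on $wan_if {
	pass stateful out final all
	pass stateful in final proto tcp to $wan_if port ssh
}

group default {
	pass final all
}
```

After editing, load the ruleset with `npfctl reload` and confirm the translation with a test flow from a $mesh_nattable host to an <ngroutes> address, checking the source address seen on the far side; a rule that never matches because it sits below a broader one produces no error message, so the check has to be done on traffic.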
