Re: NPF and multiple group entrance

To: Christos Zoulas <christos%astron.com@localhost>
Subject: Re: NPF and multiple group entrance
From: Dima Veselov <kab00m%lich.phys.spbu.ru@localhost>
Date: Tue, 23 Feb 2016 02:57:07 +0300

On Sun, Feb 21, 2016 at 11:42:32PM +0000, Christos Zoulas wrote:

> >I migrate from ipfilter to npf due to ipf issues in 7.0, but have
> >a question:
> >
> >Is there a possibility to make two entrance for one group?
> >
> >for example if I have:
> >
> >$ext_if = {inet4(vlan112), inet4(vlan113)};
> >group "external" on $ext_if {
> >	<rules here>
> >}
> >
> >the result will be:
> >
> ># npfctl show
> >group "external" on vlan112 
> >	pass stateful out final all 
> >	...
> >
> >As you can see - I can't find a way to make a group working for few interfaces
> >at once, but I don't want to repeat group every time, having two
> >external interfaces and several internal.
> >
> >Thanks in advance!
> 
> Sure we can add some syntax to help with this... Any ideas?
> 
> 	use group "name"

The easiest syntax will be just this:

$ext_if = {inet4(vlan112), inet4(vlan113)};
group "external" on $ext_if {}

which result in

group "external" on [vlan112, vlan113]


But if this is change too much - something like this will be enough:

group "external" on vlan112 { -rule-set- }
group "external2" on vlan113 { use group "external" }

which will call "external" ruleset without calling group rules.

-- 
Sincerely yours

Follow-Ups:
- Re: NPF and multiple group entrance
  - From: Christos Zoulas

References:
- NPF and multiple group entrance
  - From: Dima Veselov
- Re: NPF and multiple group entrance
  - From: Christos Zoulas

Prev by Date: Re: Exist operating systems that ship without blobs?
Next by Date: Re: NPF and multiple group entrance
Previous by Thread: Re: NPF and multiple group entrance
Next by Thread: Re: NPF and multiple group entrance
Indexes:

Home | Main Index | Thread Index | Old Index