NetBSD-Users archive


Re: NPF and multiple group entrance



On Feb 23,  2:57am, kab00m%lich.phys.spbu.ru@localhost (Dima Veselov) wrote:
-- Subject: Re: NPF and multiple group entrance

| On Sun, Feb 21, 2016 at 11:42:32PM +0000, Christos Zoulas wrote:
| 
| > >I am migrating from ipfilter to npf due to ipf issues in 7.0, but have
| > >a question:
| > >
| > >Is there a possibility to make two entrances for one group?
| > >
| > >For example, if I have:
| > >
| > >$ext_if = {inet4(vlan112), inet4(vlan113)};
| > >group "external" on $ext_if {
| > >	<rules here>
| > >}
| > >
| > >the result will be:
| > >
| > ># npfctl show
| > >group "external" on vlan112 
| > >	pass stateful out final all 
| > >	...
| > >
| > >As you can see, I can't find a way to make a group work for several interfaces
| > >at once, but I don't want to repeat the group every time, having two
| > >external interfaces and several internal ones.
| > >
| > >Thanks in advance!
| > 
| > Sure we can add some syntax to help with this... Any ideas?
| > 
| > 	use group "name"
| 
| The easiest syntax will be just this:
| 
| $ext_if = {inet4(vlan112), inet4(vlan113)};
| group "external" on $ext_if {}
| 
| which results in
| 
| group "external" on [vlan112, vlan113]
| 
| 
| But if this is too much of a change, something like this will be enough:
| 
| group "external" on vlan112 { -rule-set- }
| group "external2" on vlan113 { use group "external" }
| 
| which will call the "external" ruleset without calling the group rules.

Sounds good, I'll check with rmind and see which one is best.

Thanks,

christos

