npf syntax: port ranges, negation of a condition, and map rules

To: netbsd-users <netbsd-users%NetBSD.org@localhost>
Subject: npf syntax: port ranges, negation of a condition, and map rules
From: Rocky Hotas <rockyhotas%firemail.cc@localhost>
Date: Wed, 28 Oct 2020 12:16:36 +0100

Hello!
After browsing the available documentation for npf, I did not find any
hints about some issues.

1) How to represent port ranges? I tried with

beginning_port:end_port (which for example is used in OpenBSD's pf)
beginning_port,end_port
beginning_port-end_port

$port_range = { beginning_port, end_port }

but none of them seems to work in

map $myif dynamic proto tcp $myhost port XXX <- $myif port XXX

However, `http://www.netbsd.org/~rmind/pub/npf_manual_netbsd_6.pdf'
mentions in par. 3.4 that a ``TCP/UDP port or range' can be speficied in
a rule.

2) I would like to block all the IPs from a subnet, except the ones
listed in a variable $host_group. Is this possible?

block in final proto tcp from NOT $host_group to $destination port $some_port

3) In the `map' section of npf.conf(5) it is stated that

``Explicit filter criteria can be specified using pass criteria ... as an
  additional option of the mapping''.

So, assume I have: 

map $myif dynamic proto tcp $myhost port $port1 <- $myif port $port2
pass stateful in family inet4 proto tcp to $myif port $port2

How to merge them?

Checking the source code, trying to get some more information about
this, is not feasible for me.

Thank you anyway!

Rocky

Follow-Ups:
- Re: npf syntax: port ranges, negation of a condition, and map rules
  - From: Martin Husemann

Prev by Date: Re: Filesystem checks with noauto
Next by Date: Re: npf syntax: port ranges, negation of a condition, and map rules
Previous by Thread: Filesystem checks with noauto
Next by Thread: Re: npf syntax: port ranges, negation of a condition, and map rules
Indexes:

Home | Main Index | Thread Index | Old Index