tech-kern archive


Re: Removing PF



On Sun, 7 Apr 2019, John D. Baker wrote:

> Date: Sun, 7 Apr 2019 18:25:33 -0500 (CDT)
> From: John D. Baker <jdbaker%spike.technoskunk.fur@localhost>
> To: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
> Cc: tech-kern%NetBSD.org@localhost
> Subject: Re: Removing PF
> 
> On Sun, 7 Apr 2019, Mindaugas Rasiukevicius wrote:
> 
> > You *can* use ifaddrs(netifN) for a NAT rule in NetBSD -current, but
> > you need to specify the address selection algorithm.  Currently,
> > "ip-hash" or "round-robin".  You cannot select just the first address,
> > though.  That is something I can look into.

> Maybe an additional address-selection algorithm that selects any
> specified elements of the list?

Are address-selection algorithm specifications allowed in filter rules
as well?  I've become accustomed to things like:


ext_if="qe2"
int_if="le0"

ssh_host="X.y.Z.q"

table <abusive_hosts> persist file "/var/db/pf/abusive_hosts"

nat on $ext_if from $int_if:network -> ($ext_if:0)
rdr on $ext_if from !($ext_if) to ($ext_if) port ssh \
  -> $ssh_host

pass in on $ext_if proto tcp from !($ext_if) to $ssh_host port ssh \
  synproxy state (max-src-conn 25, max-src-conn-rate 3/25 \
  overload <abusive_hosts> flush global)


so it will be interesting to see how 'npf' features and syntax map
onto those of 'pf'.

Thanks.

-- 
|/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net  OpenBSD            FreeBSD
| X  No HTML/proprietary data in email.   BSD just sits there and works!
|/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645
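The thread contrasts pf's fixed index selection (`($ext_if:0)`) with the "ip-hash" and "round-robin" selection that npf -current offers for `ifaddrs()`. The following is an added model of those three policies (not code from the thread, from pf, or from npf) to show why a filter rule that must match the translated address needs a deterministic choice; the hash function, the address list and the `parse_iface_ref()` helper for pf-style tokens are constructed for illustration and are not npf's implementation.

```python
import hashlib
import re

# Constructed example: addresses an external NAT interface might carry.
EXT_ADDRS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]

# Parses pf-style interface references such as "($ext_if:0)", "($ext_if)"
# or "$int_if:network" into (variable name, selector). Selector is an int
# index, the string "network", or None when no qualifier is given.
_REF = re.compile(r"^\(?\$(\w+)(?::(\d+|network))?\)?$")


def parse_iface_ref(token):
    m = _REF.match(token.strip())
    if not m:
        raise ValueError("not an interface reference: %r" % token)
    name, qual = m.group(1), m.group(2)
    if qual is None or qual == "network":
        return name, qual
    return name, int(qual)


class AddressSelector:
    """Model of address selection over an interface's address list.

    'index'       : fixed element, like pf's ($ext_if:0); deterministic.
    'round-robin' : cycles through the list per translated flow; stateful.
    'ip-hash'     : hashes the source address so a given source always maps
                    to the same element; deterministic per source.
    The SHA-256 based hash is illustrative only, not npf's algorithm.
    """

    def __init__(self, addrs, algo="index", index=0):
        if not addrs:
            raise ValueError("address list must not be empty")
        if algo == "index" and not 0 <= index < len(addrs):
            raise IndexError("index %d outside address list" % index)
        self.addrs = list(addrs)
        self.algo = algo
        self.index = index
        self._rr = 0

    def select(self, src_ip):
        if self.algo == "index":
            return self.addrs[self.index]
        if self.algo == "round-robin":
            addr = self.addrs[self._rr % len(self.addrs)]
            self._rr += 1
            return addr
        if self.algo == "ip-hash":
            digest = hashlib.sha256(src_ip.encode("ascii")).digest()
            return self.addrs[int.from_bytes(digest[:4], "big") % len(self.addrs)]
        raise ValueError("unknown algorithm: %r" % self.algo)

    def is_deterministic(self):
        # A filter rule ("pass ... to <addr>") can only be written against
        # the translation address when the choice does not depend on call
        # order; round-robin is the policy that fails this property.
        return self.algo in ("index", "ip-hash")


def translate_flows(selector, src_ips):
    """Return {source -> translation address} for a list of flows."""
    return {src: selector.select(src) for src in src_ips}


def stable_for_source(selector, src_ip, rounds=5):
    """True if repeated selection for one source always yields one address."""
    return len({selector.select(src_ip) for _ in range(rounds)}) == 1


if __name__ == "__main__":
    srcs = ["198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.7"]
    for algo in ("index", "round-robin", "ip-hash"):
        sel = AddressSelector(EXT_ADDRS, algo)
        print(algo, [sel.select(s) for s in srcs],
              "deterministic" if sel.is_deterministic() else "call-order dependent")
```

Run stand-alone, it prints the translation each policy picks for a few constructed flows; the repeated source at the end of the list shows that "index" and "ip-hash" give that source the same address twice while "round-robin" does not, which is the property a `pass ... to $ssh_host` style rule relies on.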

