tech-net archive


Re: Introducing NPF in NetBSD 6.0

Manuel Bouyer <> wrote:
> <...>
> If I understood it properly, in npf a group can only be defined based on
> incoming interface, do you plan to expand this by match of arbitrary
> rules ?

Currently, the grouping is based on the interface.  In the kernel, NPF
already supports nested rules.  A group is just a rule having subrules.
The limitation is merely syntactic, as I wanted to put more thought on
the structuring of nested rules.  It seems that you basically want the
iptables chains equivalent. :)

> Is there a way to explicitly allow, in a group, to leave this group and
> process the remaining groups?

No, but it would be ~trivial to add.  Can you describe your use case?
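The per-interface grouping discussed above, as an added illustration that is not part of the thread and not NPF's own example: each group is bound to one interface and holds its sub-rules, with a default group for interfaces that match no group. The rule syntax follows the NetBSD 6.0 npf.conf(5) form as the editor recalls it; the interface names, the network and the rules themselves are constructed placeholders.

```conf
# Constructed example (not from the thread): one group per interface.
# Interface names and the local network are assumed placeholders.
$ext_if = "wm0"
$int_if = "wm1"
$localnet = { 10.0.0.0/24 }

# Group bound to the external interface: its sub-rules are only
# evaluated for traffic seen on $ext_if.
group (name "external", interface $ext_if) {
	pass stateful out final from $localnet
	block in all
}

# Group bound to the internal interface.
group (name "internal", interface $int_if) {
	pass final all
}

# Default group: traffic on interfaces that have no group of their own.
group (default) {
	pass final on lo0 all
	block all
}
```

Read against the message, a group here is just the rule "interface matches" with the block's contents as its sub-rules; the syntax only lets the outer match be an interface, which is the limitation the reply describes.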
