Re: Introducing NPF in NetBSD 6.0

To: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
Subject: Re: Introducing NPF in NetBSD 6.0
From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Date: Sun, 4 Nov 2012 11:10:35 +0100

On Mon, Oct 29, 2012 at 12:23:03AM +0000, Mindaugas Rasiukevicius wrote:
> Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
> >
> > <...>
> > 
> > If I understood it properly, in npf a group can only be defined based on
> > incoming interface, do you plan to expand this by match of arbitrary
> > rules ?
> 
> Currently, the grouping is based on the interface.  In the kernel, NPF
> already supports nested rules.  A group is just a rule having subrules.
> The limitation is merely syntactic, as I wanted to put more thought on
> the structuring of nested rules.  It seems that you basically want the
> iptables chains equivalent. :)

Maybe, I don't know iptables at all

> 
> > 
> > Is there a way to explicitely allow, in a group, to leave this group a
> > process the remaning groups ?
> > 
> 
> No, but it would be ~trivial to add.  Can you describe your use case?

The one I'm thinking of is anti-spoof:
block in log level err quick from network_of_vlan_xxx/24 to any head 1xxx
pass in on vlanxxx from any to any group 1xxx

if the packet is from network_of_vlan_xxx/24 but not from interface vlanxxx,
it's blocked by the head rule. The pass rule allows the packet to not be
blocked here, but it will go through the remaining rules, which may pass
or block it.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--

References:
- Re: Introducing NPF in NetBSD 6.0
  - From: Manuel Bouyer
- Re: Introducing NPF in NetBSD 6.0
  - From: Mindaugas Rasiukevicius

Prev by Date: Re: Packet Filtering
Next by Date: TCP SYN Cookies for NetBSD
Previous by Thread: Re: Introducing NPF in NetBSD 6.0
Next by Thread: Packet Filtering
Indexes:

Home | Main Index | Thread Index | Old Index