tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Introducing NPF in NetBSD 6.0

On Mon, Oct 29, 2012 at 12:23:03AM +0000, Mindaugas Rasiukevicius wrote:
> Manuel Bouyer <> wrote:
> >
> > <...>
> > 
> > If I understood it properly, in npf a group can only be defined based on
> > incoming interface, do you plan to expand this by match of arbitrary
> > rules ?
> Currently, the grouping is based on the interface.  In the kernel, NPF
> already supports nested rules.  A group is just a rule having subrules.
> The limitation is merely syntactic, as I wanted to put more thought on
> the structuring of nested rules.  It seems that you basically want the
> iptables chains equivalent. :)

Maybe, I don't know iptables at all

> > 
> > Is there a way to explicitely allow, in a group, to leave this group a
> > process the remaning groups ?
> > 
> No, but it would be ~trivial to add.  Can you describe your use case?

The one I'm thinking of is anti-spoof:
block in log level err quick from network_of_vlan_xxx/24 to any head 1xxx
pass in on vlanxxx from any to any group 1xxx

if the packet is from network_of_vlan_xxx/24 but not from interface vlanxxx,
it's blocked by the head rule. The pass rule allows the packet to not be
blocked here, but it will go through the remaining rules, which may pass
or block it.

Manuel Bouyer <>
     NetBSD: 26 ans d'experience feront toujours la difference

Home | Main Index | Thread Index | Old Index