Re: NPF and PF

To: tech-net%NetBSD.org@localhost
Subject: Re: NPF and PF
From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Date: Thu, 17 Dec 2020 16:46:47 +0100

On Thu, Dec 17, 2020 at 09:08:35AM -0600, Hector wrote:
> * Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote, on 2020-12-17 03:13:
> > One thing I didn't mention in my previous emails is that, for the Xen
> > example, npf should accept to load rules with nonexistent interfaces
> > (the interfaces are created later).
> 
> I have this same problem with npf and tun interfaces.
> 
> My tun interfaces are generally not created until a particular process
> starts and creates them with an open() call on /dev/tunN.
> 
> npf was not happy with the non-existent interfaces being referenced
> in the ruleset.
> 
> I was able to work around the problem by creating a 'ifconfig.tun0', etc,
> in rc.conf, with only an 'up' action in it, which causes the interface
> to be created (by /etc/rc.d/network).

With Xen dom0 there's no way to work around this. The interfaces are numbered
by domain id, and this can becore arbitrary high: if you destroy/create a vm
(just rebooting the vm is enough) you get a new domain id each time.
You don't know how high it will get after months of uptime.
On one system of mine, the domain id is at 270 ...

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--

References:
- Re: NPF and PF
  - From: Manuel Bouyer
- Re: NPF and PF
  - From: Robert Swindells
- Re: NPF and PF
  - From: Manuel Bouyer
- Re: NPF and PF
  - From: Hector

Prev by Date: Re: NPF and PF
Next by Date: Re: NPF and PF
Previous by Thread: Re: NPF and PF
Next by Thread: Re: NPF and PF
Indexes:

Home | Main Index | Thread Index | Old Index