Re: Layer-2 filtering in NPF

To: Emmanuel Nyarko <emmankoko519%gmail.com@localhost>
Subject: Re: Layer-2 filtering in NPF
From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
Date: Wed, 2 Jul 2025 18:21:36 +0200

On Wed, Jul 02, 2025 at 02:12:35PM +0000, Emmanuel Nyarko wrote:
> Hi tech-net,
> 
> Layer 2 filtering in NPF has been merged. man updated.
> 
> Follows a simple 
> 
> group name direction interface layer-2 {
> 	pass_or_block ether direction interface from src_MAC to dst_MAC type Ex(4 hex for ether_type) 
> }
> 
> groups without layer-2 labels have the layer 3 bit set in the attribues automatically (so it doesn?t break existing configurations)
> so no need to set layer-3 label. layer 2 default group isn?t mandatory until you include a layer 2 group. so your existing configs are safe.
> 
> reviewing policy based routing(force a packet to a particular interface) next.

If a packet pass a layer-2 filter, will it go through layer-3 rules,
or is it a final pass ?

> 
> anyone in desperate need of any feature, let me know. i can do my best to finish it quickly. 

A way to have a packet processed by several groups, so that I can
filter on source address, and if it passes filter on destination address.

Like the example in
https://mail-index.netbsd.org/tech-net/2020/12/17/msg007977.html
(but I have setups much more complex than that with ipf, I have one ipf.conf
with more than 2000 lines)

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 ans d'experience feront toujours la difference
--

Follow-Ups:
- Re: Layer-2 filtering in NPF
  - From: Emmanuel Nyarko

References:
- Layer-2 filtering in NPF
  - From: Emmanuel Nyarko

Prev by Date: Layer-2 filtering in NPF
Next by Date: Re: Layer-2 filtering in NPF
Previous by Thread: Layer-2 filtering in NPF
Next by Thread: Re: Layer-2 filtering in NPF
Indexes:

Home | Main Index | Thread Index | Old Index