tech-net archive


Re: Layer-2 filtering in NPF




> On 2 Jul 2025, at 4:21 PM, Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
> 
> On Wed, Jul 02, 2025 at 02:12:35PM +0000, Emmanuel Nyarko wrote:
>> Hi tech-net,
>> 
>> Layer 2 filtering in NPF has been merged. man updated.
>> 
>> Follows a simple 
>> 
>> group name direction interface layer-2 {
>> pass_or_block ether direction interface from src_MAC to dst_MAC type Ex(4 hex for ether_type) 
>> }
>> 
>> Groups without layer-2 labels have the layer-3 bit set in the attributes automatically (so it doesn't break existing configurations),
>> so there is no need to set a layer-3 label. A layer-2 default group isn't mandatory until you include a layer-2 group, so your existing configs are safe.
>> 
>> Reviewing policy-based routing (forcing a packet to a particular interface) next.
> 
> If a packet pass a layer-2 filter, will it go through layer-3 rules,
> or is it a final pass ?

Not a final pass; it still gets inspected at layer 3 if rules are configured.

>> 
>> If anyone is in desperate need of any feature, let me know. I can do my best to finish it quickly.
> 
> A way to have a packet processed by several groups,

That's an interesting one.

> so that I can
> filter on source address, and if it passes filter on destination address.

So you want a packet to be inspected partly by one rule in a group and then continue the inspection with another rule in another group.


> 
> Like the example in
> https://mail-index.netbsd.org/tech-net/2020/12/17/msg007977.html
> (but I have setups much more complex than that with ipf, I have one ipf.conf
> with more than 2000 lines)
> 
> -- 
> Manuel Bouyer <bouyer%antioche.eu.org@localhost>
>     NetBSD: 26 years of experience will always make the difference
> --


Emmanuel
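As an added illustration, not taken from the post above nor from NPF's own documentation, of how the layer-2 template and the "not a final pass" answer fit together: a fragment in the shape of npf.conf that admits ARP and IPv4 frames from one known MAC at layer 2 and then relies on an ordinary, unlabelled (hence layer-3) group to still filter the admitted packets by IP address. The interface name wm0, the MAC and IP literals, the 4-hex-digit ether_type spelling (0806, 0800), the use of `any` in an ether rule and the form of the layer-2 default group are all assumptions following the template quoted in the post; check npf.conf(5) on a system with this change merged before relying on any of it.

```npf
# Added example modelled on the template in the post; literal forms are assumptions.
# Layer-2 group: on wm0 only frames from one known NIC are admitted.
group "l2-lan" in on wm0 layer-2 {
    # ARP (ether_type 0806) from the known host to the broadcast address
    pass ether in on wm0 from 00:11:22:33:44:55 to ff:ff:ff:ff:ff:ff type 0806
    # IPv4 (ether_type 0800) from the known host to this machine's NIC
    pass ether in on wm0 from 00:11:22:33:44:55 to 00:aa:bb:cc:dd:ee type 0800
    # everything else carrying IPv4 is dropped at layer 2 ('any' is an assumption)
    block ether in on wm0 from any to any type 0800
}

# Assumed form of the layer-2 default group, which the post says becomes
# mandatory once any layer-2 group is present.
group default layer-2 {
    block all
}

# No layer-2 label: this group gets the layer-3 bit automatically. A frame passed
# by "l2-lan" above is still inspected here, so the MAC check does not replace
# the IP check; a spoofed source MAC with the wrong IP is still blocked.
group "l3-lan" in on wm0 {
    pass in final on wm0 proto tcp from 192.0.2.10 to 192.0.2.1 port ssh
    block all
}

group default {
    block all
}
```

The security point is the ordering: a layer-2 `pass` only means the frame is allowed to reach the layer-3 rules, so the layer-3 group must carry its own `block all`, as it would without any layer-2 filtering at all.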