tech-net archive


Re: Layer-2 filtering in NPF



On Fri, Jul 04, 2025 at 12:36:55PM +0000, Emmanuel Nyarko wrote:
> 
> 
> > On 2 Jul 2025, at 4:21 PM, Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
> > 
> > On Wed, Jul 02, 2025 at 02:12:35PM +0000, Emmanuel Nyarko wrote:
> >> Hi tech-net,
> >> 
> >> Layer 2 filtering in NPF has been merged. man updated.
> >> 
> >> Follows a simple 
> >> 
> >> group name direction interface layer-2 {
> >> pass_or_block ether direction interface from src_MAC to dst_MAC type Ex(4 hex for ether_type) 
> >> }
> >> 
> >> groups without layer-2 labels have the layer 3 bit set in the attributes automatically (so it doesn't break existing configurations)
> >> so no need to set layer-3 label. layer 2 default group isn't mandatory until you include a layer 2 group. so your existing configs are safe.
> >> 
> >> reviewing policy based routing(force a packet to a particular interface) next.
> > 
> > If a packet passes a layer-2 filter, will it go through layer-3 rules,
> > or is it a final pass?
> 
> Not a final pass, it still gets inspected at layer 3 if rules are configured.
> 
> >> 
> >> anyone in desperate need of any feature, let me know. i can do my best to finish it quickly. 
> > 
> > A way to have a packet processed by several groups,
> 
> that's an interesting one.
> 
> > so that I can
> > filter on source address, and if it passes filter on destination address.
> 
> so you want a packet to be inspected partly on one rule in a group and continue the inspection on another rule in another group.

Yes, that's it. The first group can return pass, block, or continue.
This is what the quick keyword in ipf can do when combined with groups.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
--
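An npf.conf fragment illustrating the layer-2 group form sketched in the announcement above, added here as an example and not taken from the thread or the NPF sources; the keyword placement (`on`, the `layer-2` label, the layer-2 `default` group), the interface name and the MAC addresses are assumptions, and the behaviour shown (a layer-2 pass is not final, untagged groups stay layer 3) is the one the thread describes:

```conf
# Example only: syntax follows the grammar quoted in the announcement,
# exact tokens accepted by npf.conf(5) after the merge are assumed.
$ext_if = "wm0"                     # assumed interface name
$gw_mac = "00:11:22:33:44:55"       # constructed sample: upstream gateway
$host_mac = "66:77:88:99:aa:bb"     # constructed sample: this host

# Layer-2 group on $ext_if: only frames between the gateway and this host
# carrying IPv4 (ether_type 0800) or ARP (ether_type 0806) are admitted.
group "l2-external" in on $ext_if layer-2 {
    pass ether in on $ext_if from $gw_mac to $host_mac type 0800
    pass ether in on $ext_if from $gw_mac to $host_mac type 0806
}

# A layer-2 default group becomes necessary once any layer-2 group exists
# (per the announcement); everything not passed above is dropped here.
group default layer-2 {
    block all
}

# No layer-2 label here, so the layer-3 attribute is set automatically and
# an existing layer-3 group keeps working unchanged. A frame that passed
# "l2-external" still reaches these rules: IPv4 from the gateway is admitted
# at layer 2, but only SSH survives at layer 3, so the layer-2 pass is not
# a final decision.
group "l3-external" in on $ext_if {
    pass stateful in final proto tcp to $ext_if port ssh
    block in final proto tcp to $ext_if port telnet
}

group default {
    pass final on lo0 all
    block all
}
```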

