tech-net archive
Re: Layer-2 filtering in NPF
Emmanuel Nyarko <emmankoko519%gmail.com@localhost> writes:
>> On 2 Jul 2025, at 4:21 PM, Manuel Bouyer <bouyer%antioche.eu.org@localhost> wrote:
>>
>> On Wed, Jul 02, 2025 at 02:12:35PM +0000, Emmanuel Nyarko wrote:
>>> Hi tech-net,
>>>
>>> Layer 2 filtering in NPF has been merged. man updated.
>>>
>>> Follows a simple
>>>
>>> group name direction interface layer-2 {
>>> pass_or_block ether direction interface from src_MAC to dst_MAC type Ex(4 hex for ether_type)
>>> }
>>>
>>> groups without layer-2 labels have the layer 3 bit set in the attributes automatically (so it doesn't break existing configurations)
>>> so no need to set layer-3 label. layer 2 default group isn't mandatory until you include a layer 2 group. so your existing configs are safe.
>>>
>>
>> If a packet passes a layer-2 filter, will it go through layer-3 rules,
>> or is it a final pass?
>
> Not a final pass, it still gets inspected at layer 3 if rules are configured.
This upgrade broke one of my systems. It basically has one group, which
looks like
block in all
pass in to this port
and that port
which used to work fine. Obviously there are no layer-2 flags.
Given the group semantics, and the statement about layer-2/layer-3, I
expect that group to have an implicit layer-3 and thus the previous
behavior.
I also expect that if in a group, any rule hits, then processing stops
at the end of that group.
I am pretty sure that the new behavior broke my system by blocking
dhcpcd. The system is a xen domU, with a xvif bridged by the dom0 to
Ethernet, and the DHCP server is on the same switch. Nothing fancy
really.
It's hard to believe nobody else is having trouble.
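The two statements in the thread (an unlabeled group is implicitly layer-3; a layer-2 pass is not final, and adding any layer-2 group makes a layer-2 default group mandatory) combine into the following npf.conf sketch. This is an added illustration written for this archive page, not configuration from the announcement or from NetBSD; the rule grammar follows the template quoted above, and the interface name xennet0, the MAC addresses (IANA documentation range) and the 0x-prefixed reading of "4 hex for ether_type" are assumptions. Whether "any" is accepted in place of a MAC is not stated in the thread, so explicit addresses are used.

```conf
# Layer-2 stage: frames are checked here first. A pass here is NOT final,
# the same packet is still evaluated by the layer-3 groups below.
# Interface and MACs are assumed values for illustration only.

# Host's own MAC (assumed)            : 00:00:5e:00:53:01
# Upstream DHCP server / gateway MAC  : 00:00:5e:00:53:fe (assumed)

group "l2-in" in on xennet0 layer-2 {
	# ARP replies from the gateway to this host (ether_type 0x0806).
	pass ether in on xennet0 from 00:00:5e:00:53:fe to 00:00:5e:00:53:01 type 0x0806
	# IPv4 frames from the gateway, which is where DHCP offers/acks arrive
	# (ether_type 0x0800). Without such a rule the layer-2 default group
	# below drops the frame before dhcpcd ever sees it.
	pass ether in on xennet0 from 00:00:5e:00:53:fe to 00:00:5e:00:53:01 type 0x0800
}

# Once any layer-2 group exists, a layer-2 default group is required.
# Everything not passed above is dropped at layer 2.
group default layer-2 {
	block ether in on xennet0 from 00:00:5e:00:53:fe to 00:00:5e:00:53:01 type 0x0000
}

# Layer-3 stage: no layer-2 label, so the layer-3 attribute is set
# implicitly and this group keeps its pre-upgrade meaning.
group default {
	block in all
	# DHCP client traffic: server port 67 -> client port 68.
	pass in final proto udp from any port 67 to any port 68
	# Other services this host exposes would follow here.
}
```

The layer-2 default group's block rule is written in the same explicit from/to form as the template because the thread does not say whether a bare "block ether in all" is accepted; if the parser allows a wildcard form, that is the one to use.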