tech-net archive


Re: Layer-2 filtering in NPF




> On 5 Jul 2025, at 1:01 AM, Greg Troxel <gdt%lexort.com@localhost> wrote:
> 
> Apparently I'm having a different upgrade problem.
> 
> I had a rule in npf.conf that was accepted by my previous -current
> (early May?), and now it isn't.  That led to the default rules in
> npf_conf operating, and those did not allow dhcpcd to succeed.
> 
> The rule that is now objected to looks like
> 
>    pass in proto udp to any port 11000-11002
> 
> (but not those numbers).  Reading the man page, port-opts is
> 
>    port-opts       = "port" ( port-num | port-from "-" port-to | var-name )
> 
> which indeed my line did not match, so I changed to
> 
>    pass in proto udp to any port 11000 - 11002
> 
> but I didn't see this in the announced changes.

Okay, I have seen the issue.

I included a rule for colon-separated MAC addresses in lex, so the parser is choosing that ahead of the port range and striking a syntax error.

I might as well remove that.

Even though the port range rule is
port_range
	: port		/* just port */
	{
		$$ = npfctl_parse_port_range($1, $1);
	}
	| port MINUS port	/* port from-to */
	{
		$$ = npfctl_parse_port_range($1, $3);
	}
	| VAR_ID

And I expect 1000-2000

Emmanuel
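As an added illustration of the lexer conflict described above (example code, not part of the thread and not npfctl's own scanner): a toy tokenizer with flex-style longest-match semantics, a NUMBER rule, a MINUS rule, and a hypothetical MAC-address rule that accepts hex-digit groups joined by ':' or '-'. The real lex pattern in npfctl is not shown in the thread, so that pattern is an assumption chosen to show the class of problem: because decimal digits are also hex digits, a loose address pattern can swallow "11000-11002" as a single token, and the port_range productions quoted in the mail then see a syntax error, while "11000 - 11002" still tokenizes as NUMBER MINUS NUMBER. With the MAC rule removed, both spellings parse.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Token kinds for the toy scanner. */
enum tok { T_EOF, T_NUMBER, T_MINUS, T_MAC, T_ERROR };

/* Hypothetical MAC-address pattern (an assumption, not npfctl's real lex
 * rule): two or more groups of hex digits joined by ':' or '-'.  Returns
 * the length of the longest matching prefix of s, or 0 for no match. */
static size_t match_mac(const char *s)
{
	size_t i = 0, groups = 0;

	for (;;) {
		size_t start = i;
		while (isxdigit((unsigned char)s[i]))
			i++;
		if (i == start)
			return 0;		/* every group needs a digit */
		groups++;
		if ((s[i] == ':' || s[i] == '-') &&
		    isxdigit((unsigned char)s[i + 1])) {
			i++;			/* separator, then next group */
			continue;
		}
		break;
	}
	return groups >= 2 ? i : 0;
}

/* Decimal number, as a port is written. */
static size_t match_number(const char *s)
{
	size_t i = 0;
	while (isdigit((unsigned char)s[i]))
		i++;
	return i;
}

static size_t match_minus(const char *s)
{
	return s[0] == '-' ? 1 : 0;
}

struct rule {
	enum tok kind;
	size_t (*match)(const char *);
};

/* flex semantics: the longest match wins; ties go to the earlier rule. */
static size_t next_token(const char *s, const struct rule *rules, size_t n,
    enum tok *kind)
{
	size_t best = 0;
	*kind = T_ERROR;
	for (size_t r = 0; r < n; r++) {
		size_t len = rules[r].match(s);
		if (len > best) { best = len; *kind = rules[r].kind; }
	}
	return best;
}

/* Tokenize s, skipping blanks; returns the token count, stopping at T_ERROR. */
static size_t scan(const char *s, int with_mac_rule, enum tok *out, size_t max)
{
	const struct rule all[] = {
		{ T_MAC, match_mac }, { T_NUMBER, match_number }, { T_MINUS, match_minus },
	};
	const struct rule *rules = with_mac_rule ? all : all + 1;	/* drop MAC rule */
	size_t nrules = with_mac_rule ? 3 : 2, n = 0;

	while (n < max) {
		while (*s == ' ' || *s == '\t')
			s++;
		if (*s == '\0') {
			out[n++] = T_EOF;
			return n;
		}
		enum tok k;
		size_t len = next_token(s, rules, nrules, &k);
		out[n++] = k;
		if (k == T_ERROR)
			return n;
		s += len;
	}
	return n;
}

/* The port_range productions from the thread: port | port MINUS port.
 * Returns 1 if the token stream is accepted, 0 on a syntax error. */
static int parse_port_range(const char *s, int with_mac_rule)
{
	enum tok t[8];
	size_t n = scan(s, with_mac_rule, t, 8);

	if (n >= 2 && t[0] == T_NUMBER && t[1] == T_EOF)
		return 1;
	if (n >= 4 && t[0] == T_NUMBER && t[1] == T_MINUS &&
	    t[2] == T_NUMBER && t[3] == T_EOF)
		return 1;
	return 0;
}

int main(void)
{
	const char *inputs[] = { "11000-11002", "11000 - 11002", "11000" };
	for (size_t i = 0; i < 3; i++)
		printf("%-14s with MAC rule: %-12s without: %s\n", inputs[i],
		    parse_port_range(inputs[i], 1) ? "ok" : "syntax error",
		    parse_port_range(inputs[i], 0) ? "ok" : "syntax error");
	return 0;
}
```

Build with `cc -o lexdemo lexdemo.c && ./lexdemo`. The point is that rule order alone does not save the port range: the address rule wins on length, so the fix is either to drop the rule, as proposed above, or to make it strict enough (colon separators only, fixed two-digit groups) that a decimal range can never match it.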
