tech-net archive


Re: Layer-2 filtering in NPF



Hi!

Thanks for your work and effort!

I'm using npf on interfaces with changed MAC addresses because the
initial one is set to '00:00:00:00:00:00' on a FriendlyElec NanoPC T6:

  rge0 at pci1 dev 0 function 0: vendor 10ec product 8125 (rev. 0x05)
  rge0: interrupting at irq 272
  rge0: HW rev. B
  rge0: Ethernet address 00:00:00:00:00:00

-> ifconfig rge0 link 08:01:25:fd:bf:d5 active
  ifconfig rge0
  rge0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ec_capabilities=0x3<VLAN_MTU,VLAN_HWTAGGING>
        ec_enabled=0x2<VLAN_HWTAGGING>
        address: 08:01:25:fd:bf:d5
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        link 00:00:00:00:00:00

With this setting, activating any npf rule (after import of your new
layer-2 functionality) breaks / stops network connectivity completely!
Is there a chance to get this scenario working again with npf?

Regards, Markus

On Wed, 2 July 2025 at 16:13, Emmanuel Nyarko
<emmankoko519%gmail.com@localhost> wrote:
>
> Hi tech-net,
>
> Layer 2 filtering in NPF has been merged. man updated.
>
> Follows a simple
>
> group name direction interface layer-2 {
>         pass_or_block ether direction interface from src_MAC to dst_MAC type Ex(4 hex for ether_type)
> }
>
> groups without layer-2 labels have the layer 3 bit set in the attributes automatically (so it doesn’t break existing configurations)
> so no need to set layer-3 label. layer 2 default group isn’t mandatory until you include a layer 2 group. so your existing configs are safe.
>
> reviewing policy based routing(force a packet to a particular interface) next.
>
> anyone in desperate need of any feature, let me know. i can do my best to finish it quickly.
>
>
> Emmanuel
>
>
>
>
>

