tech-net archive


Re: Layer-2 filtering in NPF




> On 8 Jul 2025, at 10:32 AM, Markus Kilbinger <mk%kilbi.de@localhost> wrote:
> 
> I've played some time with npf.conf (w/ and w/o layer-2 rules) and
> couldn't manage to define rules that maintained network functioning.
> 
> A minimalistic:
> 
>  group default {
>          pass final all
>  }
> 
> yields no errors, but stops the network immediately (deactivating npf
> makes it work again).

Okay, thank you very much. Let me quickly investigate that.
> 
> Am Di., 8. Juli 2025 um 12:19 Uhr schrieb Emmanuel Nyarko
> <emmankoko519%gmail.com@localhost>:
>> 
>> 
>> 
>>> On 8 Jul 2025, at 10:13 AM, Markus Kilbinger <mk%kilbi.de@localhost> wrote:
>>> 
>>> Hi!
>>> 
>>> Thanks for your work and effort!
>>> 
>>> I'm using npf on interfaces with changed mac addresses because the
>>> initial one is set to '00:00:00:00:00:00' on a FriendlyElec NanoPC T6:
>>> 
>>> rge0 at pci1 dev 0 function 0: vendor 10ec product 8125 (rev. 0x05)
>>> rge0: interrupting at irq 272
>>> rge0: HW rev. B
>>> rge0: Ethernet address 00:00:00:00:00:00
>>> 
>>> -> ifconfig rge0 link 08:01:25:fd:bf:d5 active
>>> ifconfig rge0
>>> rge0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>>       ec_capabilities=0x3<VLAN_MTU,VLAN_HWTAGGING>
>>>       ec_enabled=0x2<VLAN_HWTAGGING>
>>>       address: 08:01:25:fd:bf:d5
>>>       media: Ethernet autoselect (1000baseT full-duplex)
>>>       status: active
>>>       link 00:00:00:00:00:00
>>> 
>>> With this setting activating any npf rule (after import of your new
>>> layer-2 functionality) breaks / stops network connectivity completely!
>>> Is there a chance to get this scenario working again with npf?
>> 
>> Any rule, you mean any rule?? Or layer 2 rules?
>>> 
>>> Regards, Markus
>>> 
>>> Am Mi., 2. Juli 2025 um 16:13 Uhr schrieb Emmanuel Nyarko
>>> <emmankoko519%gmail.com@localhost>:
>>>> 
>>>> Hi tech-net,
>>>> 
>>>> Layer 2 filtering in NPF has been merged. man updated.
>>>> 
>>>> A simple example follows:
>>>> 
>>>> group name direction interface layer-2 {
>>>>       pass_or_block ether direction interface from src_MAC to dst_MAC type Ex(4 hex for ether_type)
>>>> }
>>>> 
>>>> Groups without layer-2 labels have the layer-3 bit set in the attributes automatically (so it doesn't break existing configurations),
>>>> so there is no need to set a layer-3 label. A layer-2 default group isn't mandatory until you include a layer-2 group, so your existing configs are safe.
>>>> 
>>>> Reviewing policy-based routing (force a packet to a particular interface) next.
>>>> 
>>>> Anyone in desperate need of any feature, let me know. I can do my best to finish it quickly.
>>>> 
>>>> 
>>>> Emmanuel
>>>> 
>> 
>> Emmanuel
>> 

Emmanuel
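As an added example (not code from the page, from NPF, or from either poster), a small Python checker for rule lines written in the layer-2 template Emmanuel posted above; it parses each field, validates MAC and ether-type syntax, and flags the all-zero MAC that the rge0 NIC reports before `ifconfig link` sets a real one. The optional `0x` prefix on the ether type, the `lint_l2_rules` helper and the sample config are assumptions, not NPF's own grammar.

```python
import re

# Field layout of the layer-2 rule template from the announcement:
#   pass_or_block ether direction interface from src_MAC to dst_MAC type Ex
# Hypothetical checker, not part of NPF. Accepting an optional "0x" prefix
# on the type is an assumption (the template only says "4 hex for ether_type").
MAC_RE = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
RULE_RE = re.compile(
    r"^\s*(?P<action>pass|block)\s+ether\s+(?P<direction>in|out)\s+"
    r"interface\s+(?P<interface>\S+)\s+from\s+(?P<src>" + MAC_RE + r")\s+"
    r"to\s+(?P<dst>" + MAC_RE + r")\s+type\s+(?:0x)?(?P<ethertype>[0-9A-Fa-f]{4})\s*$"
)

ZERO_MAC = "00:00:00:00:00:00"


def parse_l2_rule(line):
    """Return the rule's fields as a dict, or raise ValueError if it does not fit the template."""
    m = RULE_RE.match(line)
    if m is None:
        raise ValueError("not a layer-2 rule: %r" % line)
    rule = m.groupdict()
    rule["src"] = rule["src"].lower()
    rule["dst"] = rule["dst"].lower()
    rule["ethertype"] = int(rule["ethertype"], 16)
    return rule


def lint_l2_rules(text):
    """Parse every rule line of a layer-2 group body and return a list of warnings."""
    warnings = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("group", "}")):
            continue  # group header / closing brace are not rule lines
        try:
            rule = parse_l2_rule(line)
        except ValueError as e:
            warnings.append("line %d: %s" % (n, e))
            continue
        if ZERO_MAC in (rule["src"], rule["dst"]):
            warnings.append("line %d: all-zero MAC; the NIC reports this until "
                            "'ifconfig <if> link' sets a real address" % n)
    return warnings


# Constructed sample config following the template (not from the page)
SAMPLE = """group "l2" in interface rge0 layer-2 {
    pass ether in interface rge0 from 08:01:25:fd:bf:d5 to ff:ff:ff:ff:ff:ff type 0806
    block ether in interface rge0 from 00:00:00:00:00:00 to 08:01:25:fd:bf:d5 type 0x0800
}
"""
```

Running `lint_l2_rules(SAMPLE)` reports only the rule that names the all-zero MAC.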