tech-net archive


Re: Layer-2 filtering in NPF




> On 8 Jul 2025, at 10:13 AM, Markus Kilbinger <mk%kilbi.de@localhost> wrote:
> 
> Hi!
> 
> Thanks for your work and effort!
> 
> I'm using npf on interfaces with changed mac addresses because the
> initial one is set to '00:00:00:00:00:00' on a FriendlyElec NanoPC T6:
> 
>  rge0 at pci1 dev 0 function 0: vendor 10ec product 8125 (rev. 0x05)
>  rge0: interrupting at irq 272
>  rge0: HW rev. B
>  rge0: Ethernet address 00:00:00:00:00:00
> 
> -> ifconfig rge0 link 08:01:25:fd:bf:d5 active
>  ifconfig rge0
>  rge0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>        ec_capabilities=0x3<VLAN_MTU,VLAN_HWTAGGING>
>        ec_enabled=0x2<VLAN_HWTAGGING>
>        address: 08:01:25:fd:bf:d5
>        media: Ethernet autoselect (1000baseT full-duplex)
>        status: active
>        link 00:00:00:00:00:00
> 
> With this setting activating any npf rule (after import of your new
> layer-2 functionality) breaks / stops network connectivity completely!
> Is there a chance to get this scenario working again with npf?

Hi Markus, it should work now. NPF was default-blocking frames when no layer 2 rules were set for them
because it was responding to layer 3’s default pass (which is a block), and that is not good.

Greg, I think you can also update it and let me know.

It is well tested on my machine (I think I didn’t catch it because I have been using layer 2 filtering since and I have a "pass ether all" in default,
so my packets were reaching layer 3).


Emmanuel






