Re: Layer-2 filtering in NPF

To: tech-net%netbsd.org@localhost
Subject: Re: Layer-2 filtering in NPF
From: Christoph Badura <bad%bsd.de@localhost>
Date: Wed, 9 Jul 2025 16:11:44 +0200

On Fri, Jul 04, 2025 at 09:01:56PM -0400, Greg Troxel wrote:
> The rule that is now objected to looks like
> 
>     pass in proto udp to any port 11000-11002
> 
> (but not those numbers).  Reading the man page, port-opts is
> 
>     port-opts       = "port" ( port-num | port-from "-" port-to | var-name )
> 
> which indeed my line did not match, so I changed to

The man page clearly states that it is a "non-formal BNF-like definition of
the grammar".  Looks to me like the non-formal part is ment to say that it
doesn't have to explicitly state where whitespace is necessary.  Obviously
whitespace is necessary where tokens could otherwise not be separated.

But a port range like 123-456 is easily tokenizable.  Especially because
negative port numbers don't exist. :-)

I was expecting that bit of "non-formal BNF-like grammar" to mean that no
whitespace is needed.  Any other interpretation violates common sense and
common usage.

Fortunately, this has been fixed already.  Altough I haven't seen a test
case when I looked at the npftest.conf file an hour or so ago.

--chris

References:
- Layer-2 filtering in NPF
  - From: Emmanuel Nyarko
- Re: Layer-2 filtering in NPF
  - From: Manuel Bouyer
- Re: Layer-2 filtering in NPF
  - From: Emmanuel Nyarko
- Re: Layer-2 filtering in NPF
  - From: Greg Troxel
- Re: Layer-2 filtering in NPF
  - From: Greg Troxel

Prev by Date: npf stats (was: Re: CVS commit: src/sys/net/npf)
Next by Date: MVP for a DHCP server (was Re: ISC's EoL dhcp suite, including dhcpd)
Previous by Thread: Re: Layer-2 filtering in NPF
Next by Thread: Re: Layer-2 filtering in NPF
Indexes:

Home | Main Index | Thread Index | Old Index