Current-Users archive
npf configuration for blacklistd
With all the discussion going on (re removal of pf), I revisited my
attempts to implement blacklistd. But I'm still having some issues
getting npf configured.

I have two external-facing interfaces, both of which should be handled
identically by blacklistd. I tried using the npf examples, with an
interface group containing both wm0 and tun0, but npf won't deal with
it - it complains about having multiple members in the $ext_if group.
(See PR kern/51818)

So, I tried creating two groups, one for each interface, but both
having the same blacklistd ruleset. Now npf complains "some table
has a duplicate entry" and still doesn't start.

So, any suggestions on how to make this work?

(FWIW, I have no real opinion on the greater question(s) regarding the
possible demise of pf and/or ipf.)

+--------------------+--------------------------+-----------------------+
| Paul Goyette | PGP Key fingerprint: | E-mail addresses: |
| (Retired) | FA29 0E3B 35AF E8AE 6651 | paul%whooppee.com@localhost |
| Software Developer | 0786 F758 55DE 53BA 7731 | pgoyette%netbsd.org@localhost |
+--------------------+--------------------------+-----------------------+