NetBSD-Users archive
Re: npfctl - questions and a bug report
rudolf <netbsd%eq.cz@localhost> wrote:
> Hi,
>
> 1)
> I just noticed a bug in "npfctl show" output. In case of a rule with
> port numbers expressed using a variable (list), only the first of listed
> ports is displayed. Using the example from npf.conf(5) man page (only
> the significant parts):

There are known problems with "npfctl show". However, this component
is going to change significantly. There is a Google Summer of Code 2013
project for this work:

http://wiki.netbsd.org/projects/project/npf_bpf_unparser/

So, we are looking for talented students. :)

> 2)
> I was trying to use variables in a definition of a variable:
> $ext_ipv4_0 = 10.0.0.200
> $ext_ipv4_1 = 10.0.0.201
> $ext_ipv4 = { $ext_ipv4_0, $ext_ipv4_1 }
> pass stateful in final family inet proto tcp to $ext_ipv4 port ssh
>
> This is not possible, I get:
> variable 'ext_ipv4' is of type 'variable-id' not 'family-address-mask'
>
> Is this a feature or a bug?

Rather a lack of feature. This ought to be fixed.

> 3)
> Now tables are identified only as numbers, strings are converted to
> number 0. Are there plans to support strings (probably with the same
> naming rules as for the names of variables) as names of tables?
>
> 4)
> With IPF, I use the "-h" option of "ipfstat" command frequently (I
> usually do "ipfstat -hio"). It shows the number of times each rule
> scores a "hit". I can't find corresponding feature of npfctl. Are there
> plans to add it?

Yes, there are plans for both. There are some higher priority features
I plan to implement though, so do not hold your breath yet.

--
Mindaugas