NetBSD-Users archive
NPF questions, issues and observations
I know NPF is a work in progress, and so is its documentation, but now that I
have used it for a fairly large project, I have several questions and a
few problems. I'm using netbsd-7 as of 3/12/15.
1. this validates
$private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }
map vlan200 dynamic $private_addr -> $mesh_map_addr pass from <mesh_nattable> to <ngroutes>
but this does not
map vlan200 dynamic <mesh_nattable> -> $mesh_map_addr pass from <mesh_nattable> to <ngroutes>
This seems like an artificial constraint, but I could be missing something.
2. Is there a way to get a listing of the NAT state table akin to ipnat -l?
3. I got the "npfctl: npfctl_config_send: File exists" error message.
This is not the world's most useful message. I eventually tracked it down
to a duplicate entry in a tree type table loaded from a file.
4. Since group names are unique (when direction is factored in), I don't
see what the advantage is to the "ruleset" syntax for dynamic rules. I suspect
this is because there's a lot of functionality in the "group-opt" I don't understand.
Would someone provide some additional explanation of dynamic rulesets?
5. With my large npf.conf file, npfctl commands and npf itself seem to hang
after repeated reloads and a system reboot is required to clear the problem.
Has anyone else experienced this? I think a PR is in order.
6. The line count of /etc/npf.conf and all my files for tables is now 569 lines.
The old ipfilter based configuration was 1184 lines. The new configuration
has 13 different network security zones — the old one had only 7.
Clearly, it's possible to do pretty complicated things with npf with
fewer, more readable, lines of configuration and tables make it
a lot easier to maintain.
7. It doesn't seem to be possible to use a variable in the definition
of another variable. I assume this is because the parser just makes one
pass, but it would be really handy if one could do something like:
$lab_net = a.b.c.d/24
$alarm_net = e.f.g.h/27
$control_net = i.j.k.l/24
$protected_nets = { $lab_net, $alarm_net, $control_net }
but not if it's going to slow things down a lot.
Except for number 5, I'm pretty pleased with it overall.
Thanks,
Harry Waddell
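Editor's added example, not code from the post above and not part of NetBSD or NPF: a pre-flight check for table files that catches the condition item 3 traced the "npfctl_config_send: File exists" (EEXIST) message to, a duplicate entry in a table loaded from a file. It assumes (this is not taken from the page) that a table file holds one address or CIDR prefix per line with "#" starting a comment, and treats two lines as duplicates when they name the same network after normalisation, so "203.0.113.7" and "203.0.113.7/32" count as one entry. The sample table embedded in the script is constructed for the demonstration.

```python
"""Pre-flight check for NPF table files.

Added example for this thread; it is not code from the original post and
not part of NetBSD or NPF. It looks for the condition the post traced the
"npfctl_config_send: File exists" error to: a duplicate entry in a table
loaded from a file. Assumptions (not taken from the page): a table file
holds one address or CIDR prefix per line, '#' starts a comment, blank
lines are ignored, and two lines count as duplicates when they denote the
same network once normalised (so "203.0.113.7" equals "203.0.113.7/32").
"""
import ipaddress
import sys
from collections import defaultdict


def parse_table(text):
    """Return [(line_number, raw_text, network)] for every non-comment line.

    strict=False masks host bits instead of raising, so an entry such as
    192.168.1.7/24 normalises to 192.168.1.0/24 (assumption: that is what
    the operator meant; the raw text is kept for the report).
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        entries.append((lineno, token, ipaddress.ip_network(token, strict=False)))
    return entries


def find_duplicates(entries):
    """Map normalised prefix -> [line numbers] for prefixes listed more than once."""
    seen = defaultdict(list)
    for lineno, _token, net in entries:
        seen[str(net)].append(lineno)
    return {net: lines for net, lines in seen.items() if len(lines) > 1}


def find_overlaps(entries):
    """Pairs (outer, inner) of distinct prefixes where inner lies inside outer.

    Overlap is legitimate in a tree table (longest-prefix match), so this is
    reported for review only; exact duplicates are the loading failure.
    """
    nets = sorted({net for _, _, net in entries},
                  key=lambda n: (n.version, n.prefixlen, int(n.network_address)))
    overlaps = []
    for i, outer in enumerate(nets):
        for inner in nets[i + 1:]:
            # sorted by prefix length, so only "inner inside outer" is possible
            if inner.version == outer.version and inner != outer and inner.subnet_of(outer):
                overlaps.append((str(outer), str(inner)))
    return overlaps


def check_table(text):
    """Return (duplicates, overlaps); non-empty duplicates means the load would fail."""
    entries = parse_table(text)
    return find_duplicates(entries), find_overlaps(entries)


def table_is_loadable(text):
    """True when the table has no duplicate entries."""
    return not find_duplicates(parse_table(text))


# Constructed sample table file (not the poster's real data).
SAMPLE_TABLE = """\
# mesh_nattable, constructed sample
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
192.168.10.0/24     # more specific than the /16 above: overlap, not a duplicate
10.0.0.0/8          # exact repeat of line 2: this is what makes npfctl fail
203.0.113.7
203.0.113.7/32      # same host written two ways: also a duplicate
"""


def main(argv):
    """Check each file named on the command line, or the sample when none given."""
    sources = [(path, open(path).read()) for path in argv[1:]] or [("sample", SAMPLE_TABLE)]
    ok = True
    for name, text in sources:
        dups, overlaps = check_table(text)
        for net, lines in sorted(dups.items()):
            print(f"{name}: duplicate {net} on lines {', '.join(map(str, lines))}")
            ok = False
        for outer, inner in overlaps:
            print(f"{name}: note: {inner} lies inside {outer} (allowed in a tree table)")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it over the table files before an npfctl reload; a non-zero exit means a duplicate that would otherwise surface only as the EEXIST message. Overlapping prefixes are listed separately because a tree table resolves them by longest match, so they are worth a look but are not the reload failure.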