NetBSD-Users archive
Re: NPF and multiple group entrance
On Feb 23, 2:57am, kab00m%lich.phys.spbu.ru@localhost (Dima Veselov) wrote:
-- Subject: Re: NPF and multiple group entrance
| On Sun, Feb 21, 2016 at 11:42:32PM +0000, Christos Zoulas wrote:
|
| > >I migrate from ipfilter to npf due to ipf issues in 7.0, but have
| > >a question:
| > >
| > >Is there a possibility to make two entrances for one group?
| > >
| > >for example if I have:
| > >
| > >$ext_if = {inet4(vlan112), inet4(vlan113)};
| > >group "external" on $ext_if {
| > > <rules here>
| > >}
| > >
| > >the result will be:
| > >
| > ># npfctl show
| > >group "external" on vlan112
| > > pass stateful out final all
| > > ...
| > >
| > >As you can see - I can't find a way to make a group work for a few interfaces
| > >at once, but I don't want to repeat the group every time, having two
| > >external interfaces and several internal.
| > >
| > >Thanks in advance!
| >
| > Sure we can add some syntax to help with this... Any ideas?
| >
| > use group "name"
|
| The easiest syntax will be just this:
|
| $ext_if = {inet4(vlan112), inet4(vlan113)};
| group "external" on $ext_if {}
|
| which results in
|
| group "external" on [vlan112, vlan113]
|
|
| But if this is too much of a change - something like this will be enough:
|
| group "external" on vlan112 { -rule-set- }
| group "external2" on vlan113 { use group "external" }
|
| which will call "external" ruleset without calling group rules.

Sounds good, I'll check with rmind and see which one is best.

Thanks,

christos