Re: npf vs. pf

To: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
Subject: Re: npf vs. pf
From: "D'Arcy J.M. Cain" <darcy%NetBSD.org@localhost>
Date: Wed, 10 Dec 2014 19:24:59 -0500

On Wed, 10 Dec 2014 22:52:44 +0000
Mindaugas Rasiukevicius <rmind%netbsd.org@localhost> wrote:
> > In any case I think I will have to stick with pf a bit longer, at
> > least until npf grows a -D option.  I use rc.conf to specify
> > $int_if and $ext_if but npf doesn't support that.  I checked the
> > source and it isn't just a lack of documentation.
> 
> What is the benefit here?

I have a standard pf.conf for all my servers.  In my rc.conf I have
versions of this:

pf="YES" pf_flags="-Dext_if=wm0 -Dint_if=wm1"

I change the interface based on the individual server.  Without the -D
option I would have to make a different npf.conf.

> > Also, I don't see anything to
> > suggest that I can put comments into the table files.  That would
> > be a "nice to have."
> 
> All lines which start with # are ignored.  So you can put the
> comments, it is just not mentioned in the documentation.

How about this?

# List of enemies
254.502.128.312 # TV idea of an IP address

In practice I add a comment with the date added and why.  If the
comment needs to be on a separate line then the file is three times as
long linewise.  One for the comment, one for the IP and a blank line to
separate the comment/IP from the next one.

-- 
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost>
http://www.NetBSD.org/ IM:darcy%Vex.Net@localhost

References:
- npf vs. pf
  - From: D'Arcy J.M. Cain
- Re: npf vs. pf
  - From: Jean-Yves Migeon
- Re: npf vs. pf
  - From: D'Arcy J.M. Cain
- Re: npf vs. pf
  - From: Mindaugas Rasiukevicius

Prev by Date: Re: npf vs. pf
Next by Date: RTM_NEWNEIGH
Previous by Thread: Re: npf vs. pf
Next by Thread: RTM_NEWNEIGH
Indexes:

Home | Main Index | Thread Index | Old Index