Harry Waddell <wadd...@caravaninfotech.com> wrote:
>
> I know NPF is a work in progress, and so is its documentation, but now
> that I have used it for a fairly large project, I have several questions
> and a few problems. I'm using netbsd-7 as of 3/12/15.
>
> 1. this validates
>
> $private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }
> map vlan200 dynamic $private_addr -> $mesh_map_addr pass from
> <mesh_nattable> to <ngroutes>
>
> but this does not
>
> map vlan200 dynamic <mesh_nattable> -> $mesh_map_addr pass from
> <mesh_nattable> to <ngroutes>
>
> This seems like an artificial constraint, but I could be missing
> something.

Yes. In fact, when the extended map syntax is used, the value on the left
hand side (in a case of outbound NAT) is ignored because the filter
criteria are explicitly defined by the "pass ..." rule. The parser only
validates the syntax. When I was implementing this, I was considering
something like:

map wm0 dynamic any -> $nat_ip pass from <table1> to <table2>

However, I was not sure whether the keyword "any" (or perhaps "explicit")
would make it clearer or, on the contrary, would just confuse users.
Thoughts?

> 2. Is there a way to get a listing of the NAT state table akin to ipnat
> -l?

Well, you can run npfctl save and it will dump the configuration *and*
all the connections to the /var/db/npf.db file (in PropertyList format).
However, npfctl does not have a command to print them in human readable
format yet. This functionality is planned, but my higher priority is to
replace proplib/PropertyList with a better library and format (binary,
at the very least).

> 3. I got the "npfctl: npfctl_config_send: File exists" error message.
> This is not the world's most useful message. I eventually tracked it
> down to a duplicate entry in a tree type table loaded from a file.

Fixed. There are more user-unfriendly messages lurking... I will need to
go through them in a more structured way at some point.

> 4. Since group names are unique (when direction is factored in), I
> don't see what the advantage is to the "ruleset" syntax for dynamic rules.
> I suspect this is because there's a lot of functionality in the
> "group-opt" I don't understand. Would someone provide some additional
> explanation of dynamic rulesets?

Dynamic rulesets allow you to add/remove rules on the fly, think of
iptables-style rules. In npf.conf, "ruleset" is just syntactic sugar for
"group" which indicates that the group will have the rules managed
dynamically rather than statically. Does that answer your question?

> 5. With my large npf.conf file, npfctl commands and npf itself seem to
> hang after repeated reloads and a system reboot is required to clear the
> problem. Has anyone else experienced this? I think a PR is in order.

This is a bug. I need more details about your problem, but I have just
committed one fix in -current (and requested a pullup to netbsd-7 branch)
which is likely to be a fix for the same problem you are experiencing.
Pull-up ticket containing the fix is #630.

> 6. The line count of /etc/npf.conf and all my files for tables is now 569
> lines. The old ipfilter based configuration was 1184 lines. The new
> configuration has 13 different network security zones — the old one had
> only 7. Clearly, it's possible to do pretty complicated things with npf
> with fewer, more readable, lines of configuration and tables make it
> a lot easier to maintain.

Good to hear!

> 7. It doesn't seem to be possible to use a variable in the definition
> of another variable. I assume this is because the parser just makes one
> pass, but it would be really handy if one could do something like:

The parser has some limitations. Hopefully, it will get improved soon.

-- 
Mindaugas
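An added example, not part of the thread above and not NPF's own code: a small Python lint for the table files that npf.conf loads with "file", so that the duplicate entry behind the "npfctl_config_send: File exists" error in question 3 is reported with a line number before npfctl ever sees the file. It assumes the table-file format of one IPv4/IPv6 address or CIDR prefix per line with "#" comments (the sample file embedded below is constructed), and it assumes that two lines naming the same prefix after normalization (192.0.2.7 and 192.0.2.7/32) are what NPF rejects as a duplicate; the thread only says "a duplicate entry".

```python
"""Pre-check NPF table files for duplicate entries.

Added example for this thread; it is not NPF's own code. Assumed table-file
format: one IPv4/IPv6 address or CIDR prefix per line, '#' starts a
comment, blank lines are ignored.
"""
import sys
import ipaddress

# Constructed sample file with two duplicates (not taken from the thread).
SAMPLE_TABLE = """\
# mesh hosts (constructed sample)
10.10.0.0/16
192.0.2.7
2001:db8::/32
10.10.0.0/16          # exact repeat of line 2
192.0.2.7/32          # same host as line 3, written with an explicit prefix
"""


def parse_table_file(text):
    """Return [(lineno, ip_network)] for every entry in the file text.

    Raises ValueError naming the offending line when a line is not an
    address or prefix, so a typo is reported before npfctl produces a
    vaguer error.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        try:
            # strict=False accepts a bare host address ("192.0.2.7") and
            # normalizes it to a /32 (or /128) network for comparison.
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: not an address or prefix: {line!r}") from exc
        entries.append((lineno, net))
    return entries


def find_duplicates(entries):
    """Return [(first_lineno, duplicate_lineno, prefix)] for repeated prefixes.

    Assumption: NPF treats two entries as the same when they denote the same
    network after normalization. A more specific prefix inside a broader one
    is a distinct entry in a tree (LPM) table and is not reported.
    """
    first_seen = {}
    duplicates = []
    for lineno, net in entries:
        key = (net.version, int(net.network_address), net.prefixlen)
        if key in first_seen:
            duplicates.append((first_seen[key], lineno, str(net)))
        else:
            first_seen[key] = lineno
    return duplicates


def lint_table_text(text):
    """Parse file text and return its duplicate list (empty when clean)."""
    return find_duplicates(parse_table_file(text))


def main(paths):
    """Lint each file path; return 0 when all are clean, 1 otherwise."""
    status = 0
    for path in paths:
        with open(path) as fh:
            text = fh.read()
        try:
            dups = lint_table_text(text)
        except ValueError as exc:
            print(f"{path}: {exc}", file=sys.stderr)
            status = 1
            continue
        for first, dup, prefix in dups:
            print(f"{path}:{dup}: {prefix} already listed on line {first}", file=sys.stderr)
            status = 1
    return status


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    # No paths given: run against the constructed sample.
    for first, dup, prefix in lint_table_text(SAMPLE_TABLE):
        print(f"sample:{dup}: {prefix} already listed on line {first}")
```

Run it over the table files named in npf.conf (for example `python3 npf_table_lint.py /etc/npf_mesh.table`, a hypothetical path) before `npfctl reload`; a non-zero exit means the file would have tripped the duplicate check, and the message points at both lines involved.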