On Sun, Feb 21, 2016 at 11:42:32PM +0000, Christos Zoulas wrote:
> >I migrated from ipfilter to npf due to ipf issues in 7.0, but have
> >a question:
> >
> >Is there a possibility to make two entrances for one group?
> >
> >for example if I have:
> >
> >$ext_if = {inet4(vlan112), inet4(vlan113)};
> >group "external" on $ext_if {
> >  <rules here>
> >}
> >
> >the result will be:
> >
> ># npfctl show
> >group "external" on vlan112
> >  pass stateful out final all
> >  ...
> >
> >As you can see - I can't find a way to make a group work for a few
> >interfaces at once, but I don't want to repeat the group every time,
> >having two external interfaces and several internal.
> >
> >Thanks in advance!
>
> Sure we can add some syntax to help with this... Any ideas?
>
> use group "name"

The easiest syntax will be just this:

$ext_if = {inet4(vlan112), inet4(vlan113)};
group "external" on $ext_if {}

which results in

group "external" on [vlan112, vlan113]

But if this is too much of a change, something like this will be enough:

group "external" on vlan112 {
  -rule-set-
}

group "external2" on vlan113 {
  use group "external"
}

which will call the "external" ruleset without calling group rules.

-- 
Sincerely yours