On Feb 23, 2:57am, kab...@lich.phys.spbu.ru (Dima Veselov) wrote:
-- Subject: Re: NPF and multiple group entrance

| On Sun, Feb 21, 2016 at 11:42:32PM +0000, Christos Zoulas wrote:
|
| > >I migrated from ipfilter to npf due to ipf issues in 7.0, but have
| > >a question:
| > >
| > >Is there a possibility to make two entrances for one group?
| > >
| > >for example if I have:
| > >
| > >$ext_if = {inet4(vlan112), inet4(vlan113)};
| > >group "external" on $ext_if {
| > >    <rules here>
| > >}
| > >
| > >the result will be:
| > >
| > ># npfctl show
| > >group "external" on vlan112
| > >    pass stateful out final all
| > >    ...
| > >
| > >As you can see - I can't find a way to make a group work for a few interfaces
| > >at once, but I don't want to repeat the group every time, having two
| > >external interfaces and several internal.
| > >
| > >Thanks in advance!
| >
| > Sure we can add some syntax to help with this... Any ideas?
| >
| > use group "name"
|
| The easiest syntax will be just this:
|
| $ext_if = {inet4(vlan112), inet4(vlan113)};
| group "external" on $ext_if {}
|
| which results in
|
| group "external" on [vlan112, vlan113]
|
|
| But if this is too much of a change - something like this will be enough:
|
| group "external" on vlan112 { -rule-set- }
| group "external2" on vlan113 { use group "external" }
|
| which will call "external" ruleset without calling group rules.

Sounds good, I'll check with rmind and see which one is best.

Thanks,

christos
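
Until such syntax exists, the repetition can be generated and the loaded result checked, so that an interface like vlan113 is not silently left without the "external" rules. The following is an added example, not code from this thread or from NPF; the `<name>-<ifname>` group naming, the helper names and the sample `npfctl show` text are assumptions constructed from the output quoted above.

```python
import re

IFS = ["vlan112", "vlan113"]
RULES = ["pass stateful out final all"]  # the only rule shown in the thread

# Constructed sample, modelled on the `npfctl show` output quoted in the thread.
SHOW_SAMPLE = 'group "external" on vlan112\n\tpass stateful out final all\n'

GROUP_RE = re.compile(r'^group\s+"([^"]+)"\s+on\s+(\S+)')

def render_groups(name, interfaces, rules):
    """Emit one npf.conf group per interface, all sharing the same rules."""
    body = "\n".join(f"\t{r}" for r in rules)
    # Assumption: groups are named "<name>-<ifname>" to keep them distinct.
    blocks = [f'group "{name}-{i}" on {i} {{\n{body}\n}}' for i in interfaces]
    return "\n\n".join(blocks) + "\n"

def parse_show(text):
    """Map interface name -> rule lines found under its group header(s)."""
    groups, current = {}, None
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(2), [])
        elif line[:1].isspace() and line.strip() and current is not None:
            current.append(line.strip())   # indented line: a rule of the group
        elif line.strip():
            current = None                 # other top-level text ends the group
    return groups

def uncovered(show_text, interfaces, rules):
    """Interfaces with no group, or whose rules differ from the intended set."""
    groups = parse_show(show_text)
    return [i for i in interfaces if groups.get(i) != list(rules)]

if __name__ == "__main__":
    print("missing in quoted output:", uncovered(SHOW_SAMPLE, IFS, RULES))
    conf = render_groups("external", IFS, RULES)
    print(conf)
    print("missing after expansion:", uncovered(conf, IFS, RULES))
```
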