Hello! After browsing the available documentation for npf, I did not find any hints about some issues.

1) How to represent port ranges? I tried with

    beginning_port:end_port    (which for example is used in OpenBSD's pf)
    beginning_port,end_port
    beginning_port-end_port
    $port_range = { beginning_port, end_port }

but none of them seems to work in

    map $myif dynamic proto tcp $myhost port XXX <- $myif port XXX

However, `http://www.netbsd.org/~rmind/pub/npf_manual_netbsd_6.pdf' mentions in par. 3.4 that a ``TCP/UDP port or range'' can be specified in a rule.

2) I would like to block all the IPs from a subnet, except the ones listed in a variable $host_group. Is this possible?

    block in final proto tcp from NOT $host_group to $destination port $some_port

3) In the `map' section of npf.conf(5) it is stated that ``Explicit filter criteria can be specified using pass criteria ... as an additional option of the mapping''. So, assume I have:

    map $myif dynamic proto tcp $myhost port $port1 <- $myif port $port2
    pass stateful in family inet4 proto tcp to $myif port $port2

How to merge them?

Checking the source code, trying to get some more information about this, is not feasible for me.

Thank you anyway!

Rocky