At Fri, 11 Apr 2025 17:13:42 -0400, Greg Troxel wrote:
Subject: Re: npf on a router: configuration issues
>
> It is still sensible to want to be able to write a firewall rule that
> will only be matched for a packet that is being input to the host
> portion (delivered to a socket,
Robert Elz writes:
> All BSD systems are inherently routers (and while many people don't
> like this model, that is how it has always been). The routing
> functionality is central to everything in the BSD (internet) stack.
> (Unix domain sockets, and other protocols, are, and might be, resp,
>
Date: Tue, 08 Apr 2025 19:51:30 -0400
From: Greg Troxel
Message-ID:
Just catching up on some old list e-mail I skipped earlier...
| I have a mental model where the router part of the system forwards
| packets but does not receive or transmit them.
|
|
On Tue, Apr 01, 2025 at 08:57:38AM -0400, Greg Troxel wrote:
> I am trying to configure npf in a router/nat context and unclear on some
> things, with the documentation not being clear enough to unconfuse me.
> This is intended today as a series of questions I'd like answers for,
> although I see i
On Wed, Apr 09, 2025 at 06:02:09AM -, Michael van Elst wrote:
> And then we have a "fast forward" logic in the ethernet
> and ppp code when the kernel is compiled with the GATEWAY
> option and net.inet.ip.maxflows > 0. If I understand the
> code correctly, this will bypass the IP layer and IP f
On Tue, Apr 08, 2025 at 07:51:30PM -0400, Greg Troxel wrote:
> Christoph Badura writes:
> > On Tue, Apr 01, 2025 at 08:57:38AM -0400, Greg Troxel wrote:
> >>b) Is it really meant that "if a packet does not match any defined
> >> group, then -- and only then -- will it be processed by the
b...@bsd.de (Christoph Badura) writes:
>I see only https://rmind.github.io/npf/intro.html#processing discussing
>this a bit. That seems to be a different concept. I.e. packets are
>processed "on each interface a packet is traversing, either as incoming or
>outgoing."
Actually, packets are not
Christoph Badura writes:
> On Tue, Apr 01, 2025 at 08:57:38AM -0400, Greg Troxel wrote:
> Since I need to write my observations down sometime I might as well start
> now. :-)
Thanks; this is very helpful.
>>b) Is it really meant that "if a packet does not match any defined
>> group,
I am trying to configure npf in a router/nat context and unclear on some
things, with the documentation not being clear enough to unconfuse me.
This is intended today as a series of questions I'd like answers for,
although I see it as also serving as a documentation bug report.
1) There are groups