On Sun, 7 Apr 2019, John D. Baker wrote:

> Date: Sun, 7 Apr 2019 18:25:33 -0500 (CDT)
> From: John D. Baker <[email protected]>
> To: Mindaugas Rasiukevicius <[email protected]>
> Cc: [email protected]
> Subject: Re: Removing PF
>
> On Sun, 7 Apr 2019, Mindaugas Rasiukevicius wrote:
>
> > You *can* use ifaddrs(netifN) for a NAT rule in NetBSD -current, but
> > you need to specify the address selection algorithm. Currently,
> > "ip-hash" or "round-robin". You cannot select just the first address,
> > though. That is something I can look into.
> Maybe an additional address-selection algorithm that selects any
> specified elements of the list?

Are address-selection algorithm specifications allowed in filter rules
as well? I've become accustomed to things like:

    ext_if="qe2"
    int_if="le0"
    ssh_host="X.y.Z.q"

    table <abusive_hosts> persist file "/var/db/pf/abusive_hosts"

    nat on $ext_if from $int_if:network -> ($ext_if:0)

    rdr on $ext_if from !($ext_if) to ($ext_if) port ssh \
        -> $ssh_host

    pass in on $ext_if proto tcp from !($ext_if) to $ssh_host port ssh \
        synproxy state (max-src-conn 25, max-src-conn-rate 3/25 \
        overload <abusive_hosts> flush global)

so it will be interesting to see how 'npf' features and syntax map onto
those of 'pf'.

Thanks.

--
|/"\ John D. Baker, KN5UKS                  NetBSD     Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net  OpenBSD    FreeBSD
| X  No HTML/proprietary data in email.    BSD just sits there and works!
|/ \ GPGkeyID: D703 4A7E 479F 63F8 D3F4 BD99 9572 8F23 E4AD 1645
