Refer to range of IPs and use of wildcards

[rockyhotas]

Hello!
I am not sure about the category of this issue (bug report, improvement suggestion, ...), so I chose to create a blank one.
Using npf in NetBSD 9.0 (release), I did not manage to refer to a range of IPs in the filter syntax. I tried:

block in family inet4 proto tcp from <source_host_IP> to <first_IP_of_range>-<last_IP_of_range>

but this generated a syntax error. My intention was to refer to a range like 192.168.1.10-192.168.1.20, which does not necessarily correspond to a subnet, and which therefore is completely custom.

I avoided the use of a table because I may need to refer to a huge number of IPs, for example 10.0.0.50-10.0.1.251, and writing each of them in a table seems quite inefficient.

Similarly, I tried to refer to any third-level domain in (e.g.) example.org:

block in family inet4 proto tcp from <source_host_IP> to *.example.org

but this provoked a syntax error, too.

Am I using the wrong syntax and some other wildcard characters are needed, or does npf not have these capabilities?

If it's the second case, is there a chance that they will be added in a future?

[rmind]

Comments:

• Supporting the IP range is not difficult, just requires some changes to the npfctl utility. There is no ETA, but I will have a look next time I touch npfctl; feel free to beat me and propose a patch, though.
• Filtering by domain is not supported, but I don't think it should be supported like in the example given. Instead, one should use a dynamic table and populate when DNS records change.

Conceptually, it's just something like this ran in a cronjob or on TTL expirations:

host -t a example.com | awk '{print $4}' | npfctl table "my-domain" replace -

It could be integrated into npfd(8).

[rockyhotas]

* Supporting the IP range is not difficult, just requires some changes to the npfctl utility. There is no ETA, but I will have a look next time I touch npfctl; feel free to beat me and propose a patch, though.

Thank you so much for considering this.
Unfortunately, I don't think I'm enough confident with the code to make a patch.

* Filtering by domain is not supported, but I don't think it should be supported like in the example given. Instead, one should use a dynamic table and populate when DNS records change.

Ok! This seems reasonable, npf does not know (and maybe should not now) anything about namespaces.

Conceptually, it's just something like this ran in a cronjob or on TTL expirations:

host -t a example.com | awk '{print $4}' | npfctl table "my-domain" replace -

However, IIUC, host -t a example.com | awk '{print $4}' only prints the IP of one host, example.com. We don't know if there are third-levels host1.example.com, host2.example.com, and how many of them. What I was trying to do is to include any third-level, without actually knowing them. (Buy this may be off-topic, given the above considerations).

[georgalis]

I wanted to use ranges too. This script calculates the network blocks delegated per country.

https://github.com/georgalis/pub/blob/master/sub/cc2netblock.sh

It is mostly CIDR net/mask blocks, but there are many non-CIDR ranges too. I've not seen a range that is not just a bunch of adjacent /16 and those would be easy to script into CIDR. I don't have an idea to convert arbitrary ranges to CIDR blocks, is their a program or recipe for that somewhere?

[georgalis]

It turns out, ipcalc handily deaggregates ip ranges into CIDR blocks. I've incorporated the tool into the cc script and no longer have a need to ingest ranges with nfp, thanks!