Current-Users archive
Re: How do people use npf with dhcpcd?
On Sat, 27 Dec 2025 at 21:48, Michael van Elst <mlelstv%serpens.de@localhost> wrote:
>
> lloyd%must-have-coffee.gen.nz@localhost (Lloyd Parkes) writes:
>
> >ifwatchd(8) looks for IP addresses being added and removed from
> >interfaces and then runs scripts that you specify. I probably should be
> >using it for my pppoe0 and you could use it for your rge0.
>
> That's what ifwatchd is doing here. Changes in the uplink regenerate
> some configuration files and reload services as necessary.
>
> For npf you would probably write a table or modify a ruleset on
> the fly.

I think there are two (related) aspects here:

1) Detect when to trigger a reload of npf

I'm doing this with a dhcpcd exit hook, though ifwatchd's "-u" option
is probably the more general case.

2) Have npf handle the case where inet4() on an interface would return
an empty value, breaking the rules loading

This is the more awkward part - as mentioned I currently have the
below in rc.conf:

    if ifconfig rge0 | grep -q 'inet ' ; then
        npf_rules=/etc/npf.conf
    else
        npf_rules=/etc/npf.boot
    fi

though I've just tried switching it to a dynamic list via ifaddrs()
rather than inet4() which seems to avoid the error with empty lists (I
seem to recall issues with ifaddrs() with older npf versions), but as
long as I'm willing to allow IPv6 to slide into the chat then that
could avoid the issue for me...

Thanks
David
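
The two points in the message above combined into one hook script, as an added example that is not part of the original post: it picks the ruleset with the same test as the rc.conf snippet and reloads npf whenever the interface changes. It assumes the script is installed as /etc/dhcpcd.exit-hook (dhcpcd sets $interface) or passed to ifwatchd with -u and -d (the interface name is $1); the function names and the logger tag are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Runs as a dhcpcd exit hook ($interface) or an ifwatchd -u/-d script ($1).

WAN_IF=rge0                 # interface named in the post
RULES_FULL=/etc/npf.conf    # ruleset paths from the post's rc.conf snippet
RULES_BOOT=/etc/npf.boot

# Read ifconfig output on stdin and print the ruleset that can be loaded.
# A ruleset using inet4() fails to load when the interface has no IPv4
# address, so in that case fall back to the restrictive boot ruleset.
# The trailing space in the pattern keeps "inet6" lines from matching.
choose_npf_rules() {
    if grep -q '^[[:space:]]*inet '; then
        echo "$RULES_FULL"
    else
        echo "$RULES_BOOT"
    fi
}

# Pick the ruleset for the interface's current state and load it.
reload_npf() {
    rules=$(ifconfig "$1" | choose_npf_rules)
    # Check the file first and log a failure instead of failing silently;
    # the ruleset that is already active is left in place.
    if npfctl validate "$rules"; then
        npfctl reload "$rules"
    else
        logger -t npf-hook "validate failed for $rules, keeping active rules"
        return 1
    fi
}

# Only act on events for the uplink interface.
ifname=${interface:-${1:-}}
if [ "$ifname" = "$WAN_IF" ]; then
    reload_npf "$ifname"
fi
```

Because the same script handles both address-added and address-removed events, losing the lease switches npf back to the boot ruleset rather than leaving the old rules in place.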