Subject: ipf feature mask
To: None <current-users@netbsd.org>
From: Patrick Welche <prlw1@newn.cam.ac.uk>
List: current-users
Date: 07/07/2005 21:01:20
What is the Feature mask as output by ipf?

Essentially I am trying to track down a problem and ended up with the
following simple setup:

rtk0 is the external interface
xi0  is the internal interface
192.168.. is the internal client machine which makes a connection to
an external web server.

tape# ipfstat -io
block out all
block in all
pass in on xi0 proto tcp from any to any port = www flags S/FSRPAU keep state keep frags
tape# ipnat -l
List of active MAP/Redirect filters:
map rtk0 192.168.204.234/32 -> 131.111.204.234/32

List of active sessions:
MAP 192.168.204.234 1288  <- -> 131.111.204.234 1288  [131.111.204.180 80]
tape# ipf -V
ipf: IP Filter: v4.1.8 (396)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10a
tape# 

That works fine. When I run the same rules on another computer, the SA packet
returning from the webserver does not make it back through the firewall.
They are both running today's -current/i386, and both have options IPFILTER_LOG
and IPFILTER_DEFAULT_BLOCK.

The only difference that I can spot is that the working computer has
Feature mask: 0x10a, whereas the broken setup has 0xa (and bge0/ex0
instead of rtk0/xi0). What does this mean, and could it make a difference?

Cheers,

Patrick
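The two `ipf -V` outputs compared in the message above, decoded and diffed by a small Python script. This is an added example, not part of the original post: the `IPF_FEAT_*` bit-to-kernel-option table is my reading of IPFilter 4.1's `ip_fil.h` and should be checked against the `ip_fil.h` in your own source tree; the two `ipf -V` transcripts are constructed from the values quoted in the post.

```python
import re

# Bit names for the "Feature mask" printed by `ipf -V`. ASSUMPTION: taken
# from the IPF_FEAT_* defines in IPFilter 4.1's ip_fil.h, where each bit is
# set in ipf_features when the corresponding kernel option is compiled in.
# Verify against the ip_fil.h in your tree before relying on the decode.
IPF_FEATURES = {
    0x001: "IPFILTER_LKM (IPF_FEAT_LKM)",
    0x002: "IPFILTER_LOG (IPF_FEAT_LOG)",
    0x004: "IPFILTER_LOOKUP (IPF_FEAT_LOOKUP)",
    0x008: "IPFILTER_BPF (IPF_FEAT_BPF)",
    0x010: "IPFILTER_COMPILED (IPF_FEAT_COMPILED)",
    0x020: "IPFILTER_CKSUM (IPF_FEAT_CKSUM)",
    0x040: "IPFILTER_SYNC (IPF_FEAT_SYNC)",
    0x080: "IPFILTER_SCAN (IPF_FEAT_SCAN)",
    0x100: "USE_INET6 (IPF_FEAT_IPV6)",
}

# Matches the "Feature mask: 0x10a" line of `ipf -V`; accepts hex or decimal.
FEATURE_RE = re.compile(r"^Feature mask:\s*(0x[0-9a-fA-F]+|\d+)\s*$", re.M)

# Constructed transcripts reproducing the values quoted in the post.
WORKING_HOST = """\
ipf: IP Filter: v4.1.8 (396)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0x10a
"""

BROKEN_HOST = """\
ipf: IP Filter: v4.1.8 (396)
Kernel: IP Filter: v4.1.8
Running: yes
Log Flags: 0 = none set
Default: pass all, Logging: available
Active list: 0
Feature mask: 0xa
"""


def parse_feature_mask(ipf_v_output: str) -> int:
    """Extract the feature mask integer from `ipf -V` output."""
    m = FEATURE_RE.search(ipf_v_output)
    if m is None:
        raise ValueError("no 'Feature mask:' line in ipf -V output")
    return int(m.group(1), 0)


def decode_feature_mask(mask: int) -> list[str]:
    """Return the names of the kernel options whose bits are set in mask.

    Bits not in the table are reported rather than silently dropped, so a
    newer ipf with extra feature bits does not produce a misleading decode.
    """
    names = [name for bit, name in sorted(IPF_FEATURES.items()) if mask & bit]
    unknown = mask & ~sum(IPF_FEATURES)
    if unknown:
        names.append(f"unknown bits {unknown:#x}")
    return names


def diff_feature_masks(a: int, b: int) -> dict[str, list[str]]:
    """Report which compiled-in options differ between two hosts' masks."""
    return {
        "only_in_a": decode_feature_mask(a & ~b),
        "only_in_b": decode_feature_mask(b & ~a),
    }


if __name__ == "__main__":
    working = parse_feature_mask(WORKING_HOST)
    broken = parse_feature_mask(BROKEN_HOST)
    print(f"working host {working:#x}: {decode_feature_mask(working)}")
    print(f"broken host  {broken:#x}: {decode_feature_mask(broken)}")
    print("difference:", diff_feature_masks(working, broken))
```

Run against live hosts with `ipf -V | python3 decode_ipf_features.py` style plumbing (reading stdin instead of the constructed strings); the point of the diff is to turn the two opaque hex values into the list of kernel config options that differ between the boxes, which is the first thing to check when identical rules behave differently.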