kern/53199: stateful npf

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/53199: stateful npf
From: prlw1%cam.ac.uk@localhost
Date: Fri, 20 Apr 2018 08:45:00 +0000 (UTC)

>Number:         53199
>Category:       kern
>Synopsis:       stateful npf
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Apr 20 08:45:00 +0000 2018
>Originator:     Patrick Welche
>Release:        NetBSD-8.99.14/amd64
>Organization:
>Environment:
NetBSD-8.99.14/amd64
>Description:
First suspicion that stateful npf doesn't work as expected (if not sw-bug, then doc-bug):

http://mail-index.netbsd.org/netbsd-users/2018/03/28/msg020565.html

The more specific subsequent test (also related in the thread) is:
>How-To-Repeat:
ext iwn0: 10.168.5.65
int wm0:  192.168.2.62

Toy ipf setup works as expected: 

# cat /etc/ipnat.conf
map iwn0 192.168.2.0/24 -> 10.168.5.65 portmap tcp/udp 40000:6000 
map iwn0 192.168.2.0/24 -> 10.168.5.65
# cat /etc/ipf.conf
block in on wm0 all
pass in proto tcp from any to 10.168.5.4 port = 80 flags S/SA keep state


I hope this is the equivalent in npf:

# cat /etc/npf.conf
map iwn0 dynamic 192.168.2.0/24 -> 10.168.5.65

group "ext" on wm0 {
  block in all
  pass stateful in proto tcp flags S/SA from any to 10.168.5.4 port 80
}

group default {
  pass all 
}


test: plug NetBSD-running rpi into wm0 as 192.168.2.26 and grab web page
from another NetBSD/amd64 webserver, 10.168.5.4. Webpage arrives with ipf,
but not with npf.

>Fix:

Prev by Date: Re: kern/53179 (KASSERT panic in ata_read_log_ext_ncq())
Next by Date: Re: kern/53096 (netbsd-8 crash on heavy disk I/O)
Previous by Thread: Re: kern/53179 (KASSERT panic in ata_read_log_ext_ncq())
Next by Thread: Re: kern/53199: stateful npf
Indexes:

Home | Main Index | Thread Index | Old Index