NetBSD-Bugs archive
Re: kern/53962: npf: weird 'stateful' behavior
The following reply was made to PR kern/53962; it has been noted by GNATS.
From: David Holland <dholland-bugs%netbsd.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: kern/53962: npf: weird 'stateful' behavior
Date: Mon, 18 Feb 2019 05:50:33 +0000
not sent to gnats
(you usually need to change To: explicitly to gnats-bugs if replying
to your own posting)
------
From: fstd.lkml%gmail.com@localhost
To: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/53962: npf: weird 'stateful' behavior
Date: Sat, 9 Feb 2019 12:54:01 +0100
I have discovered that this 5th example does what I need:
npf.conf:
| procedure "log" {
|     log: npflog0
| }
|
| group "net1" on wm1 {
|     pass in final proto tcp flags S/SARF from 192.168.1.0/24 to 192.168.2.0/24 port 22 apply "log"
|     block all apply "log"
| }
|
| group "net2" on wm2 {
|     pass stateful-ends out final proto tcp flags S/SARF from 192.168.1.0/24 to 192.168.2.13 port 22 apply "log"
|     block all apply "log"
| }
|
| group default {
|     pass final on lo0 all
|     block all apply "log"
| }
Since the packet will first ingress on wm1, originally I thought 'stateful-ends' on the wm1 rule would be what to go for, but the state kept by it would not make it egress on wm2. Having both rules 'stateful-ends' doesn't do the trick either.
But if I, as shown above, stateLESSly let the SYN ingress and then keep state(ful-ends) on the wm2 egress rule -- THEN state is kept that, in fact, also applies to future related packets in- or egressing on wm1.
I'd love to understand what's going on here.