Re: kern/53962 (npf: weird 'stateful' behavior)

To: rmind%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost, fstd.lkml%gmail.com@localhost
Subject: Re: kern/53962 (npf: weird 'stateful' behavior)
From: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
Date: Sun, 31 May 2020 17:25:01 +0000 (UTC)

The following reply was made to PR kern/53962; it has been noted by GNATS.

From: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
To: gnats-bugs%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost,
 fstd.lkml%gmail.com@localhost
Cc: 
Subject: Re: kern/53962 (npf: weird 'stateful' behavior)
Date: Sun, 31 May 2020 18:20:03 +0100

 Mindaugas Rasiukevicius <rmind%netbsd.org@localhost> wrote:
 >
 > There are more implications here.. I am going to add configuration-wide
 > parameters to give user more flexibility on connection state behaviour.
 >

 The changes are committed.

 1. You can try your original stateful rules with strictly per-interface
 state (the default).

 2. Alternative, you can try 'stateful-all' with the following parameters:

     set state.key.interface 0
     set state.key.direction 0

 Note that if you mix it with dynamic NAT, like in your last example, the
 translation will happen on the interface where the NAT policy is applied.
 The state will then use a translated address, meaning that the state (for
 the reverse flow) will not be picked up on the initial interface, so you
 would still need a rule to pass it.

 We could add an option mark the packet to bypass the ruleset if the state
 was picked on some interface and the packet is forwarded.

 -- 
 Mindaugas

Prev by Date: Re: kern/54507 (double NAT doesn't work with NPF)
Next by Date: Re: port-macppc/55326: gem(4): memory corruption by RX DMA
Previous by Thread: Re: kern/53962 (npf: weird 'stateful' behavior)
Next by Thread: PR/53984 CVS commit: src/sys/arch/x86/x86
Indexes:

Home | Main Index | Thread Index | Old Index