NetBSD-Bugs archive


Re: kern/60191: npf: map dynamic to localhost works for v4 but not for v6



The following reply was made to PR kern/60191; it has been noted by GNATS.

From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
To: gnats-bugs%NetBSD.org@localhost, netbsd-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: kern/60191: npf: map dynamic to localhost works for v4 but not for v6
Date: Wed, 29 Apr 2026 00:16:24 +0000

 Traffic _from the local host_ to its own public addresses is also
 troublesome.
 
 With the rules above, _remote hosts_ can do, e.g.,
 
 	ftp -4 http://example.com/robots.txt
 
 and it works fine, while
 
 	ftp -6 http://example.com/robots.txt
 
 does not (packets arrive at $primary_if but go nowhere), where
 example.com has those npf rules -- that's the original issue.
 
 I can work around this by changing the v6 rule to
 
 	map $primary_if dynamic proto tcp $primary_addrs port 8000 \
 	    <- $primary_v6 port 80
 
 at the cost of inadvertently exposing public access via port 8000 too
 (not a big deal but kind of sloppy).
 
 On the _local host_ (i.e., on example.com),
 
 	ftp -4 http://example.com/robots.txt
 
 gives connection refused, via TCP RST that shows up on lo0 with
 tcpdump, and leads to no output in `npfctl list -n'.  I can make this
 work by adding:
 
 	map lo0 dynamic proto tcp 127.0.0.1 port 8000 \
 	    <- $primary_v4 port 80
 
 If the v4 address is 192.0.2.123, then with this additional map rule,
 `npfctl list -n' shows (after running ftp -4):
 
 # src-addr:port       dst-addr:port         interface  nat-addr:port
 192.0.2.123:65519     192.0.2.123:80        lo0        127.0.0.1:8000
 
 But I can't find how to make
 
 	ftp -6 http://example.com/robots.txt
 
 work _on the local host_ (i.e., on example.com).
 
 I tried various combinations of map lo0 and map $primary_if with
 sources and destinations of $primary_v6, $primary_addrs, and
 hard-coded explicit addresses -- couldn't find anything that worked;
 everything I tried went nowhere with zero output from tcpdump on
 either lo0 or $primary_if.
 
 If the v6 addresses are 2001:db8::123 and fe80::123, and $primary_if
 is xennet0, I've gotten `npfctl list -n' to show alternately
 
 # src-addr:port       dst-addr:port         interface  nat-addr:port
 [2001:db8::123]:65478 [2001:db8::123]:80    xennet0    [fe80::123]:8000
 
 or
 
 # src-addr:port       dst-addr:port         interface  nat-addr:port
 [2001:db8::123]:65478 [2001:db8::123]:80    xennet0    [2001:db8::123]:8000
 
 (but I was flailing around a lot and don't remember exactly which set
 of options led to which output).  Note that in all my attempts, it
 showed xennet0 ($primary_if), never lo0!  Perhaps that is a clue that
 will lead to the source of the problem: v4 is getting mapped through
 lo0, but v6 is getting mapped through $primary_if instead.
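
The observation at the end of the report (v4 self-connections are translated on lo0 with a loopback NAT address, while every v6 attempt lands on xennet0) can be checked mechanically against `npfctl list -n` output. The following is an added example, not code from the PR or from NetBSD's npf tools; it assumes only the four-column layout quoted above (src-addr:port, dst-addr:port, interface, nat-addr:port, IPv6 addresses in square brackets), and the sample lines are constructed from the addresses given in the report.

```python
"""Parse `npfctl list -n` output and flag self-connections (local host
talking to its own public address) that are not being translated on the
loopback interface.  Added example; assumes the four-column layout shown
in the PR, not any other npfctl format."""
import ipaddress
import re
from collections import defaultdict

# One column of the table: "addr:port" for IPv4, "[addr]:port" for IPv6.
_ENDPOINT = re.compile(
    r"^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<v4>[0-9.]+)):(?P<port>\d+)$"
)

# Constructed sample, built from the values quoted in the PR.
SAMPLE_OUTPUT = """\
# src-addr:port       dst-addr:port         interface  nat-addr:port
192.0.2.123:65519     192.0.2.123:80        lo0        127.0.0.1:8000
[2001:db8::123]:65478 [2001:db8::123]:80    xennet0    [fe80::123]:8000
[2001:db8::123]:65478 [2001:db8::123]:80    xennet0    [2001:db8::123]:8000
"""


def parse_endpoint(text):
    """Return (ipaddress object, port) for one addr:port column."""
    m = _ENDPOINT.match(text)
    if m is None:
        raise ValueError(f"unrecognised endpoint: {text!r}")
    return ipaddress.ip_address(m.group("v6") or m.group("v4")), int(m.group("port"))


def parse_npfctl_list(output):
    """Parse the table into dicts; '#' comment lines and blanks are skipped."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"expected 4 columns, got {len(fields)}: {line!r}")
        src, dst, ifname, nat = fields
        src_addr, src_port = parse_endpoint(src)
        dst_addr, dst_port = parse_endpoint(dst)
        nat_addr, nat_port = parse_endpoint(nat)
        if not (src_addr.version == dst_addr.version == nat_addr.version):
            raise ValueError(f"mixed address families in entry: {line!r}")
        entries.append({
            "family": src_addr.version,
            "src": (src_addr, src_port),
            "dst": (dst_addr, dst_port),
            "interface": ifname,
            "nat": (nat_addr, nat_port),
        })
    return entries


def interfaces_by_family(entries):
    """Map address family (4 or 6) to the sorted interfaces it was seen on."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["family"]].add(e["interface"])
    return {fam: sorted(ifs) for fam, ifs in seen.items()}


def self_connections(entries):
    """Entries whose source and destination address are the same host."""
    return [e for e in entries if e["src"][0] == e["dst"][0]]


def misrouted_self_connections(entries, loopback_if="lo0"):
    """Self-connections that are not translated on the loopback interface
    to a loopback NAT address (the v6 symptom described in the PR)."""
    return [
        e for e in self_connections(entries)
        if e["interface"] != loopback_if or not e["nat"][0].is_loopback
    ]


if __name__ == "__main__":
    parsed = parse_npfctl_list(SAMPLE_OUTPUT)
    print("interfaces by family:", interfaces_by_family(parsed))
    for e in misrouted_self_connections(parsed):
        print(f"v{e['family']} self-connection translated on {e['interface']} "
              f"to {e['nat'][0]}:{e['nat'][1]}, not on lo0")
```

Run against real output (`npfctl list -n | python3 thisfile.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`), it reports exactly which entries take the non-loopback path, which is the clue the report points at.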
 


