Subject: Re: Does ipf filter a packet once or twice?
To: Jukka Marin <jmarin@pyy.jmp.fi>
From: David Maxwell <david@vex.net>
List: netbsd-users
Date: 04/10/2001 01:20:44
On Mon, Apr 09, 2001 at 11:40:38PM +0300, Jukka Marin wrote:
> A packet arrives at, say, ep0 and is passed by the ipf "in" rules of ep0.
> The packet is destined to another network behind ep1, and is blocked by
> the "out" rules of ep1.  Unless I'm doing something stupid (like I often
> am), it seems that when the packet is accepted in via ep0, it will
> automagically be passed to ep1, even though the "out" rules would block it.

I know a couple other people replied and blamed your use of 'quick', but
that doesn't match my understanding of ipf. ipf hooks into the pfil
hooks in NetBSD, and catches the packet when first in on the wire, and
last before it goes out on the wire. I expect these to be two different
times for the rules to be applied, and so I don't expect 'quick' to
bypass the 'out' rules - they're run after the packet has passed through
the stack. I've never seen where ipf would track a packet through the
stack, so I don't expect it realizes that it's a packet that was passed
with 'quick' in.

Checking the code, ipf doesn't track what happened while processing the
'in' rules - once it hits a 'quick' rule, it passes the packet to the
stack, and it's done (for now).

> I use "quick" and grouping extensively.  The "in" rules of ep0 are part
> of group 100 and they are all "quick" (if the packet is passed, the rest
> of the rules are not checked).  The "out" rules of ep1 are part of
> group 450 and they are also "quick".
> 
> Why aren't the "out" rules of ep1 checked?  Does a "quick" keyword in
> another group cause this or does ipf _always_ work this way?

Can you give some example IPs? (Disguised, if need be)

> This machine is a router between four or five different networks and what
> comes in via ep0 is NOT what should go out via ep1 (although it might be
> what should go out via ep2 etc.).

Is NAT involved? Be aware you'll need to match post-natted IPs on
inbound rules, and pre-natted IPs on outbound rules.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
All this stuff in twice the space would only look half as bad!
					      - me
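An added illustration of the two-pass model David describes, not code from the thread or from ipf itself: the "in" ruleset is evaluated at the first pfil hook on the arrival interface, the "out" ruleset is evaluated separately at the last hook on the departure interface, and "quick" only ends the walk of the ruleset currently being evaluated, so a packet passed "quick" in on ep0 is still subject to ep1's "out" rules. It also models the NAT ordering David states (inbound rules see post-NAT destinations, outbound rules see pre-NAT sources). The rule syntax is a small ipf-like subset, the default of "pass" when nothing matches and the group/head handling are simplifications, and the interface names, addresses and NAT mappings are constructed for the example.

```python
"""Toy model of ipf's two independent filter passes (added example, not ipf
code): 'in' rules on the arrival interface, 'out' rules on the departure
interface, 'quick' stopping only the ruleset currently being walked.
Rule syntax is a small ipf-like subset; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(tok: str) -> ipaddress.IPv4Network:
    return ANY if tok == "any" else ipaddress.ip_network(tok, strict=False)


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool = False
    iface: str = "any"           # interface bound with "on"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    group: int = 0               # group this rule belongs to (0 = top level)
    head: Optional[int] = None   # group this rule enters when it matches


def parse_rule(text: str) -> Rule:
    toks = text.split()
    rule = Rule(action=toks.pop(0), direction=toks.pop(0))
    while toks:
        tok = toks.pop(0)
        if tok == "quick":
            rule.quick = True
        elif tok == "all":
            pass                                   # from any to any
        elif tok == "on":
            rule.iface = toks.pop(0)
        elif tok == "from":
            rule.src = net(toks.pop(0))
        elif tok == "to":
            rule.dst = net(toks.pop(0))
        elif tok == "head":
            rule.head = int(toks.pop(0))
        elif tok == "group":
            rule.group = int(toks.pop(0))
        else:
            raise ValueError(f"unsupported token {tok!r}")
    return rule


def _walk(rules, direction, iface, src, dst, group=0):
    """Walk one group in order; last match wins unless a 'quick' rule hits.
    Returns (decision or None, quick_hit)."""
    decision = None
    for r in rules:
        if r.group != group or r.direction != direction:
            continue
        if r.iface not in ("any", iface) or src not in r.src or dst not in r.dst:
            continue
        decision = r.action
        if r.head is not None:                     # matching head enters its group
            sub, quick_hit = _walk(rules, direction, iface, src, dst, r.head)
            decision = sub if sub is not None else decision
            if quick_hit:
                return decision, True
        if r.quick:
            return decision, True
    return decision, False


def evaluate(rules, direction, iface, src, dst) -> str:
    """Decision for one pfil hook; no match is modelled as ipf's default pass."""
    decision, _ = _walk(rules, direction, iface, src, dst)
    return decision or "pass"


def route_packet(rules, in_iface, out_iface, src, dst, rdr=None, nat_map=None):
    """rdr is applied before the in-filter and map after the out-filter, so
    inbound rules see post-NAT destinations and outbound rules pre-NAT sources."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if rdr and dst == ipaddress.ip_address(rdr[0]):
        dst = ipaddress.ip_address(rdr[1])
    if evaluate(rules, "in", in_iface, src, dst) == "block":
        return f"blocked in on {in_iface}"
    if evaluate(rules, "out", out_iface, src, dst) == "block":
        return f"blocked out on {out_iface}"
    if nat_map and src in net(nat_map[0]):
        src = ipaddress.ip_address(nat_map[1])
    return f"forwarded {in_iface}->{out_iface} as {src}->{dst}"


# Constructed ruleset in the shape Jukka describes: all-quick in-rules on ep0
# in group 100, all-quick out-rules on ep1 in group 450.
RULES = [parse_rule(line) for line in """
pass in quick on ep0 all head 100
pass in quick from 192.0.2.0/24 to any group 100
block in quick all group 100
pass out quick on ep1 all head 450
block out quick from 192.0.2.0/24 to 198.51.100.0/24 group 450
pass out quick all group 450
""".strip().splitlines()]

if __name__ == "__main__":
    # Passed 'quick' in on ep0, yet still blocked by ep1's 'out' rules.
    print(route_packet(RULES, "ep0", "ep1", "192.0.2.10", "198.51.100.5"))
    # Same source routed out ep2, where no 'out' rules are bound: forwarded.
    print(route_packet(RULES, "ep0", "ep2", "192.0.2.10", "203.0.113.5"))
```

Running the two calls in the main block shows the packet being accepted on ep0 and then dropped at ep1's out hook, which is the behaviour Jukka expected; the rdr and nat_map parameters let you check which addresses each pass actually compares against.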