[solved]: family inet and parameter stateful | npf.conff

[Darrel <levitch%iglou.com@localhost>]

> Darrel <levitch%iglou.com@localhost> wrote:
> > Hey, Mindaugas.
> >
> > The  rdesktop application or msft seems to be a unique case.
> >
> > This is what I am using and works for now:
> >
> > <...>
> >
> > If I remove 'pass in family inet from <6> to $if_ext' or
> > *put stateful* on 'pass out final family inet from $if_ext to <6>'
> > then I can not login through rdesktop

Hello Mindaugas,

I noticed more changes to IPv6 and NPF, but they are not in the
netbsd-6 sources tonight.

Having recently returned to NetBSD, the installation which I am
using is netbsd-6 beta2 and whatever X server and pkgsrc versions
were with that install cd-rom became installed as well.

I noticed eventually that nothing was happening whenever 'cvs update
-dP' was run in /usr/pkgsrc, so today I ran 'cvs update -dPA'.
Which led to this change after 'pkg_chk -sa' was run:

net/rdesktop - rdesktop-1.7.0 < rdesktop-1.7.1

I have no clue what is different about rdesktop-1.7.1, but now NPF
runs with success using the rule 'pass stateful out final family
inet proto tcp flags S/SA from $if_ext to <6> port $msft_wbt_server'
where table <6> is the msft 2008r2 machine and $msft_wbt_server is
"3389".

It seems like pkg_chk must have solved it, no other changes where
make to netbsd-6 and no changes occurred to the msft system.

I did notice this, netbsd-6 sources are from July 17

% cat /var/run/rc.log
[running /etc/rc.d/ldpd]
[running /etc/rc.d/npf]
Enabling NPF.
eval: /usr/sbin/npfctl: not found
eval: /usr/sbin/npfctl: not found
/etc/rc.d/npf exited with code 1
[running /etc/rc.d/pf]
[running /etc/rc.d/route6d]
[running /etc/rc.d/routed]

NPF is compiled into my kernel and included in /etc/rc.conf

and so with '#npfctl start' and '#npfctl reload' things were running
alright.

> > I have a small collection of tcpdumps, but if you are interested in
> > anything specific then please let me know.
>
> Could you tcpdump -w a single successful rdesktop session, then add
> "stateful" and capture the the problematic session, so that we could
> compare how do they differ?  You can send me the pcap files off-list.
>
> > If it important for us to know at this point about the 'tcp cases'?
> >
> > Invalid packet state cases:
> >          2665 cases in total
> >          2620 TCP case I
> >          44 TCP case II
> >          1 TCP case III
>
> Yes, under normal circumstances these should not happen.  It likely
> reflects the problem you are experiencing.

I am still seeing this:

Invalid packet state cases:
        10148 cases in total
        4727 TCP case I
        5421 TCP case II
        0 TCP case III

I will run for a while with rdesktop and run cases without rdesktop, try 
to determine if rdesktop might still be a culprit and then send out the 
pcap files to you off of the list.

Thank you,
Darrel

p.s.

(37) @ 2:10:43> ll /usr/sbin/npfctl
-r-xr-xr-x  1 root  wheel   62K Jul 17 12:42 /usr/sbin/npfctl*