NetBSD-Users archive


NPF questions, issues and observations



I know NPF is a work in progress, and so is its documentation, but now that I 
have used it for a fairly large project, I have several questions and a 
few problems. I'm using netbsd-7 as of 3/12/15. 

1. this validates

$private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }
map vlan200 dynamic $private_addr -> $mesh_map_addr pass from <mesh_nattable> to <ngroutes>

   but this does not

map vlan200 dynamic <mesh_nattable> -> $mesh_map_addr pass from <mesh_nattable> to <ngroutes>

   This seems like an artificial constraint, but I could be missing something. 


2. Is there a way to get a listing of the NAT state table akin to ipnat -l?


3. I got the "npfctl: npfctl_config_send: File exists" error message. 
   This is not the world's most useful message. I eventually tracked it down
   to a duplicate entry in a tree type table loaded from a file. 


4. Since group names are unique ( when direction is factored in ), I don't 
   see what the advantage is to the "ruleset" syntax for dynamic rules. I suspect 
   this is because there's a lot of functionality in the "group-opt" I don't understand. 
   Would someone provide some additional explanation of dynamic rulesets?


5. With my large npf.conf file, npfctl commands and npf itself seem to hang 
   after repeated reloads and a system reboot is required to clear the problem. 
   Has anyone else experienced this? I think a PR is in order. 


6. The line count of /etc/npf.conf and all my files for tables is now 569 lines. 
   The old ipfilter based configuration was 1184 lines. The new configuration 
   has 13 different network security zones — the old one had only 7. 
   Clearly, it's possible to do pretty complicated things with npf with 
   fewer, more readable, lines of configuration and tables make it 
   a lot easier to maintain. 


7. It doesn't seem to be possible to use a variable in the definition 
   of another variable. I assume this is because the parser just makes one
   pass, but it would be really handy if one could do something like:

$lab_net = a.b.c.d/24
$alarm_net = e.f.g.h/27
$control_net = i.j.k.l/24

$protected_nets = { $lab_net, $alarm_net, $control_net }

   but not if it's going to slow things down a lot.    


Except for number 5, I'm pretty pleased with it overall. 

Thanks, 

Harry Waddell 
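Item 3 above describes npfctl rejecting a reload with "npfctl: npfctl_config_send: File exists" because a table file contained a duplicate entry. The following pre-flight check is an added example (not the poster's code and not part of NPF): it scans a one-entry-per-line table file and reports entries that repeat verbatim, plus entries that name the same network in two spellings (for example a bare host address and the same address with /32). The sample table text is constructed; the assumption that NPF keys a tree table on the parsed network rather than the literal string is mine and is marked in the code.

```python
"""Pre-flight duplicate check for NPF table files.

Added example, not part of NPF or of the original post. Run it over a table
file before `npfctl reload` so a duplicate entry is reported by line number
instead of surfacing as a bare "File exists" error.
"""
import ipaddress
import sys
from collections import defaultdict

# Constructed sample of a table file (one network per line; '#' comments and
# blank lines are assumed to be allowed, as they are in npf.conf itself).
SAMPLE_TABLE = """\
# mesh nodes allowed through the NAT
10.1.2.0/24
10.1.3.0/24
10.1.2.0/24        # exact duplicate of line 2
192.168.10.7
192.168.10.7/32    # same host written in a different form
"""


def parse_table(text):
    """Yield (line_number, entry) for every non-blank, non-comment line."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.split("#", 1)[0].strip()
        if entry:
            yield lineno, entry


def find_duplicates(text):
    """Return a list of (network, [line numbers], kind) findings.

    kind is "exact" when the repeated lines are spelled identically and
    "equivalent" when they differ in spelling but parse to the same network.
    Assumption (not verified against NPF source): a tree table keys entries
    on the parsed network, so equivalent spellings collide the same way.
    """
    groups = defaultdict(list)
    for lineno, entry in parse_table(text):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            # Malformed entry: leave it for npfctl to report on its own.
            continue
        groups[str(net)].append((lineno, entry))

    findings = []
    for net, hits in sorted(groups.items(), key=lambda kv: kv[1][0][0]):
        if len(hits) < 2:
            continue
        kind = "exact" if len({e for _, e in hits}) == 1 else "equivalent"
        findings.append((net, [ln for ln, _ in hits], kind))
    return findings


def check_file(path):
    """Print findings for one table file; return True when it is clean."""
    with open(path) as fh:
        findings = find_duplicates(fh.read())
    for net, lines, kind in findings:
        print(f"{path}: {kind} duplicate of {net} on lines {lines}")
    return not findings


if __name__ == "__main__":
    # Usage: python npf_table_check.py /etc/npf_tables/mesh_nattable ...
    # With no arguments the constructed sample is checked instead.
    if len(sys.argv) > 1:
        ok = all(check_file(p) for p in sys.argv[1:])
    else:
        ok = True
        for net, lines, kind in find_duplicates(SAMPLE_TABLE):
            print(f"sample: {kind} duplicate of {net} on lines {lines}")
            ok = False
    sys.exit(0 if ok else 1)
```

Run over the constructed sample, the script flags 10.1.2.0/24 on lines 2 and 4 as an exact duplicate and 192.168.10.7 on lines 5 and 6 as equivalent spellings; the non-zero exit status lets it sit in front of a reload in a script or Makefile.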

