NetBSD-Users archive
Re: NPF questions, issues and observations
Harry Waddell <waddell%caravaninfotech.com@localhost> wrote:
>
> I know NPF is a work in progress, and so is its documentation, but now
> that I have used it for a fairly large project, I have several questions
> and a few problems. I'm using netbsd-7 as of 3/12/15.
>
> 1. this validates
>
> $private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }
> map vlan200 dynamic $private_addr -> $mesh_map_addr pass from
> <mesh_nattable> to <ngroutes>
>
> but this does not
>
> map vlan200 dynamic <mesh_nattable> -> $mesh_map_addr pass from
> <mesh_nattable> to <ngroutes>
>
> This seems like an artificial constraint, but I could be missing
> something.
Yes. In fact, when the extended map syntax is used, the value on the
left hand side (in a case of outbound NAT) is ignored because the filter
criteria is explicitly defined by the "pass ..." rule. The parser only
validates the syntax. When I was implementing this, I was considering
something like:
map wm0 dynamic any -> $nat_ip pass from <table1> to <table2>
However, I was not sure whether the keyword "any" (or perhaps "explicit")
would make it clearer or, contrary, would just confuse users. Thoughts?
> 2. Is there a way to get a listing of the NAT state table akin to ipnat
> -l?
Well, you can run npfctl save and it will dump the configuration *and*
all the connections to the /var/db/npf.db file (in PropertyList format).
However, npfctl does not have a command to print them in human readable
format yet. This functionality is planned, but my higher priority is
to replace proplib/PropertyList with a better library and format (binary,
at the very least).
> 3. I got the "npfctl: npfctl_config_send: File exists" error message.
> This is not the world's most useful message. I eventually tracked it
> down to a duplicate entry in a tree type table loaded from a file.
Fixed. There are more user-unfriendly messages lurking. I will need to
go through them in a more structured way at some point.
> 4. Since group names are unique (when direction is factored in), I
> don't see what the advantage is to the "ruleset" syntax for dynamic rules.
> I suspect this is because there's a lot of functionality in the
> "group-opt" I don't understand. Would someone provide some additional
> explanation of dynamic rulesets?
Dynamic rulesets allow you to add/remove rules on the fly, think of
iptables-style rules. In npf.conf, "ruleset" is just a syntactic sugar
for "group" which indicates that the group will have the rules managed
dynamically rather than statically. Does that answer your question?
> 5. With my large npf.conf file, npfctl commands and npf itself seem to
> hang after repeated reloads and a system reboot is required to clear the
> problem. Has anyone else experienced this? I think a PR is in order.
This is a bug. I need more details about your problem, but I have just
committed one fix in -current (and requested a pullup to netbsd-7 branch)
which is likely to be a fix for the same problem you are experiencing.
Pull-up ticket containing the fix is #630.
> 6. The line count of /etc/npf.conf and all my files for tables is now 569
> lines. The old ipfilter based configuration was 1184 lines. The new
> configuration has 13 different network security zones — the old one had
> only 7. Clearly, it's possible to do pretty complicated things with npf
> with fewer, more readable, lines of configuration and tables make it
> a lot easier to maintain.
Good to hear!
> 7. It doesn't seem to be possible to use a variable in the definition
> of another variable. I assume this is because the parser just makes one
> pass, but it would be really handy if one could do something like:
The parser has some limitations. Hopefully, it will get improved soon.
--
Mindaugas
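The following npf.conf fragment is an added illustration of the three points discussed in the thread (the extended "map ... pass from <table> to <table>" syntax, tables loaded from files, and a "ruleset" group for dynamically managed rules); it is not from the thread or from the NetBSD sources. The interface names, addresses and table file paths are assumptions.

```text
# Added illustrative npf.conf fragment (not from the thread); interface
# names, addresses and table file paths are assumed values.
$ext_if = "wm0"
$mesh_map_addr = 203.0.113.10
$private_addr = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Tables loaded from files: one address or prefix per line. A duplicate
# entry in the file is rejected at load time (the "File exists" error
# mentioned in the thread on netbsd-7), so keep the files deduplicated.
table <mesh_nattable> type tree file "/etc/npf/mesh_nattable"
table <ngroutes>      type tree file "/etc/npf/ngroutes"

# Extended map syntax: the "pass from ... to ..." part is the filter that
# decides which traffic is translated. As explained in the reply, the
# left-hand segment is only syntax-checked for outbound NAT, so the
# private range here is documentary rather than functional.
map vlan200 dynamic $private_addr -> $mesh_map_addr pass from <mesh_nattable> to <ngroutes>

group "mesh" on vlan200 {
	# "ruleset" is a group whose rules are added and removed at run time
	# with npfctl rather than being fixed in npf.conf.
	ruleset "mesh-dynamic"
	pass stateful out final from <mesh_nattable> to <ngroutes>
	block in final all
}

group default {
	pass final on lo0 all
	block all
}
```

With this configuration loaded, a rule can be added to the dynamic ruleset and listed with `npfctl rule "mesh-dynamic" add block in final from 192.0.2.7` and `npfctl rule "mesh-dynamic" list` (192.0.2.7 is a constructed example address), and the whole file can be syntax-checked before a reload with `npfctl validate /etc/npf.conf`. Note that, as the reply states, `npfctl validate` only checks syntax: it will accept a table on the left-hand side of the extended map form but does not warn that the value is ignored.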