NetBSD-Users archive


Re: npf forwarding <-



On Mon, 19 Nov 2018, Patrick Welche wrote:
How is npf <- meant to work? This is the simplest test rig I could think of:

# rpi                          laptop                    webserver
# NetBSD-8.99.25/evbarm        NetBSD-8.99.25/amd64      NetBSD-8.99.25/amd64
# usmsc0 10.168.204.26/24 <--> wm0 10.168.204.62/24
#                              iwm0 10.111.65.65/24 <--> wm0 10.111.65.4/24

$ext_if = "iwn0"
$int_if = "wm0"

$ext_v4 = inet4($ext_if)
$int_v4 = inet4($int_if)

alg "icmp"

procedure "log" {
       log: npflog0
}

map $ext_if dynamic $int_net -> $ext_v4
map $int_if dynamic 10.111.65.4 <- 128.232.132.8

group "external" on $ext_if {
       pass stateful out final all apply "log"
       pass all apply "log"
}

group "internal" on $int_if {
       pass stateful final all apply "log"
       pass all apply "log"
}

group "local" on "lo0" {
       pass all apply "log"
}

group default {
       pass all apply "log"
}


On the rpi, lynx http://webserver/ gets the page successfully.
However, lynx http://128.232.132.8/ hangs. On the laptop,
tcpdump -nvi wm0 shows:

12:05:59.236370 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
   10.168.204.26.65517 > 128.232.132.8.80: Flags [S], cksum 0x9dbf (correct), seq 1728898885, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0
12:05:59.236439 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), length 56, bad cksum 0 (->e1c)!)
   10.168.204.62 > 10.168.204.26: ICMP host 10.111.65.4 unreachable, length 36
       IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
   10.168.204.26.65517 > 10.111.65.4.8096: [|tcp]
12:06:05.238546 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
   10.168.204.26.65517 > 128.232.132.8.80: Flags [S], cksum 0x9db3 (correct), seq 1728898885, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 13 ecr 0], length 0
12:06:05.238638 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), length 56, bad cksum 0 (->e1c)!)
   10.168.204.62 > 10.168.204.26: ICMP host 10.111.65.4 unreachable, length 36
       IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
   10.168.204.26.65517 > 10.111.65.4.8096: [|tcp]
12:06:17.248729 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
   10.168.204.26.65517 > 128.232.132.8.80: Flags [S], cksum 0x9d9b (correct), seq 1728898885, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 37 ecr 0], length 0
12:06:17.248802 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), length 56, bad cksum 0 (->e1c)!)
   10.168.204.62 > 10.168.204.26: ICMP host 10.111.65.4 unreachable, length 36
       IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
   10.168.204.26.65517 > 10.111.65.4.8096: [|tcp]

Note, your ruleset does not work for me until I alter:
group "internal" on $int_if {
        pass stateful final all apply "log"
        pass all apply "log"
}

to:
group "internal" on $int_if {
        pass in final from $int_net to any
        pass stateful out final all
}

If I don't do that, I get ICMP unreachable like you.

rpi# ping -c1 10.111.65.4
PING warbler.flow.bpi.cam.ac.uk (10.111.65.4): 56 data bytes
64 bytes from 10.111.65.4: icmp_seq=0 ttl=254 time=4.833378 ms

----warbler.flow.bpi.cam.ac.uk PING Statistics----
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 4.833378/4.833378/4.833378/0.000000 ms


What am I missing?

Here's what I tried (xennet0 = internal network):

map xennet0 127.0.0.1 port 880 <- 192.168.1.0/24 port 80

I based this on the ipf equivalent (npf didn't like 0/0):
rdr xennet0 0/0 port 80 -> 127.0.0.1 port 3200 tcp

When loaded, npfctl show gave this line as:
map xennet0 dynamic 127.0.0.1 port 880 <- any pass family inet4 proto { tcp, udp } to 192.168.1.0/24 port 80

However, it will refuse to load such a rule:
/etc/npf.conf:23:45: syntax error near 'any'

It seems crazy that npf cannot load its own generated rules.

Also, as just 192.168.1.0/24 implies this is the src, not the dest, the rule I really want is probably:
map xennet0 dynamic 127.0.0.1 port 880 <- 192.168.1.0/24 proto tcp to any port 80

This is also rejected.

--
Stephen
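The tcpdump capture quoted from Patrick's message above, worked through as an added example (this is not code from the thread or from npf): a small Python script that pairs each ICMP host-unreachable with the client SYN it quotes and reports how the inner header looked after translation. The embedded capture text is constructed from the lines quoted in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the first SYN / ICMP pair from the capture quoted in the thread.
SAMPLE_CAPTURE = """\
12:05:59.236370 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
   10.168.204.26.65517 > 128.232.132.8.80: Flags [S], cksum 0x9dbf (correct), seq 1728898885, win 32768, length 0
12:05:59.236439 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), length 56, bad cksum 0 (->e1c)!)
   10.168.204.62 > 10.168.204.26: ICMP host 10.111.65.4 unreachable, length 36
       IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
   10.168.204.26.65517 > 10.111.65.4.8096: [|tcp]
"""

# "src.sport > dst.dport:" as tcpdump -n prints a TCP or UDP flow.
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
# The ICMP line names the host the gateway reported as unreachable.
UNREACH_RE = re.compile(r"ICMP host (\d+\.\d+\.\d+\.\d+) unreachable")


def correlate_unreachables(capture: str) -> List[Dict[str, str]]:
    """Pair each ICMP host-unreachable with the client segment it refers to.
    tcpdump prints the IP header quoted inside the ICMP error on the following
    lines; that header is the packet as it looked when the error was raised,
    i.e. after any NAT rewrite, so comparing it with what the client sent
    for the same (src, sport) shows what the translation did."""
    outbound: Dict[Tuple[str, str], Tuple[str, str]] = {}
    findings: List[Dict[str, str]] = []
    pending_host = None  # set while the quoted inner packet of an ICMP error is awaited
    for line in capture.splitlines():
        u = UNREACH_RE.search(line)
        if u:
            pending_host = u.group(1)
            continue
        f = FLOW_RE.search(line)
        if not f:
            continue
        src, sport, dst, dport = f.groups()
        if pending_host is None:
            outbound[(src, sport)] = (dst, dport)  # destination as the client sent it
            continue
        sent_to = outbound.get((src, sport), ("?", "?"))
        findings.append({
            "client": f"{src}:{sport}",
            "sent_to": f"{sent_to[0]}:{sent_to[1]}",
            "seen_as": f"{dst}:{dport}",  # inner header quoted by the ICMP error
            "unreachable": pending_host,
            "rewritten": "yes" if (dst, dport) != sent_to else "no",
        })
        pending_host = None
    return findings
```

Run against the thread's capture it reports the SYN sent to 128.232.132.8:80 being quoted back by the laptop as 10.111.65.4:8096, so the rewrite did happen and the error concerns the translated destination.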

