NPF, bridge and IPv6

To: netbsd-users%NetBSD.org@localhost
Subject: NPF, bridge and IPv6
From: triaxx <triaxx%triaxx.org@localhost>
Date: Wed, 18 Sep 2019 19:21:01 +0200

On NetBSD 8.0 with Xen, I experienced some strange behaviors with npf,bridged interfaces and IPv6.

The following schema represents a part of my network topology for whichI encountered a problem:

|- dom0 -----------------------------------------------|
|                                 |- domU --------|    |
|-----|                 |---------|---------|     |    |
| wm0 |---- bridge0 ----| xvif1i0 | xennet0 |     |    |
|-----|                 |---------|---------|     |    |
|                                 |---------------|    |
|                                                      |
|                                 |- domU---------|    |
|    |------|           |-------- |---------|     |    |
|    | tap0 |- bridge1 -| xvif2i0 | xennet0 |     |    |
|    |------|           |---------|---------|     |    |
|                                 |---------------|    |
|------------------------------------------------------|

In my /etc/npf.conf, I have the following rules:
% group "external" on wm0 {
%   pass stateful out final all
%   pass stateful in final family inet4 proto tcp to wm0 port ssh
%   pass stateful in final family inet6 proto tcp to wm0 port ssh
%   [...]
% }

I understood that 'pass stateful out final all' allowed all outgoingconnections and established incoming connections.


The imaps (port 993) is not allowed in my 'pass in' rules.

If I comment the line 'pass stateful out final all' and I try to connectfrom my dom0 to a remote host on port 993, the connection is refused:

dom0# telnet -4 trashware.triaxx.org 993
Trying 88.180.169.84...
telnet: Unable to connect to remote host: Network is unreachable

Same behavior using IPv6:
dom0# telnet -6 trashware.triaxx.org 993
Trying 2a01:e35:8b4a:9540:7271:bcff:fe94:3759...
telnet: Unable to connect to remote host: Network is unreachable

If I try to connect from the first domU (linked to bridge0), itsurprisingly works using IPv4:

dumU# telnet -4 trashware.triaxx.org 993
Trying 88.180.169.84...
Connected to trashware.triaxx.org.
Escape character is '^]'

But it doesn't work using IPv6, even if I uncomment the line 'passstateful out final all':

domU# telnet -6 trashware.triaxx.org 993
Trying 2a01:e35:8b4a:9540:7271:bcff:fe94:3759...

It's like if stateful was broken for IPv6...

Following is the reminder on what works and what doesn't:
                              domO/IPv4  dom0/IPv6  domU/IPv4  domU/IPv6
 pass stateful out final all      X          X          X          O
#pass stateful out final all      O          0          X          O

Is there known issue related to my experience?

Follow-Ups:
- Re: NPF, bridge and IPv6
  - From: Frédéric Fauberteau

Prev by Date: Re: netbsd-9 build failed
Next by Date: Re: uefi and i915drm
Previous by Thread: uefi and i915drm
Next by Thread: Re: NPF, bridge and IPv6
Indexes:

Home | Main Index | Thread Index | Old Index