NPF: issue with port redirection

To: tech-net%netbsd.org@localhost
Subject: NPF: issue with port redirection
From: Hugo Silva <hugo%barafranca.com@localhost>
Date: Wed, 21 Nov 2012 11:45:33 +0000

I'm giving NPF a go and running into a few problems.


Right now I'm trying to get port redirection to work but so far there's
something preventing it to work.

I'm running NetBSD 6.0 release on a Xen domU.

Here's the situation:


map $ext_if dynamic 127.0.0.1 port 8080 <- $nat_addr port 8080

group (default) {

    # lo0 skip
    pass final on lo0 all

    # default logging
    block all apply "default_log"
}

...

group (name "internet_inbound", interface $ext_if, in) {

    # map-port-rdr test
    pass stateful in final family inet proto tcp flags S/SA from
$home_addr to $nat_addr port 8080
}





Now first things first, I can confirm that 127.0.0.1:8080 works:

% telnet localhost 8080
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.9 NetBSD_Secure_Shell-20110907-hpn13v11-lpk



With the above rules in place, I can establish a TCP connection to
$nat_addr, but never get to see the SSH banner:

$ telnet $nat_addr 8080
Trying $nat_addr...
Escape character is '^]'.
(few seconds pass)
Connection closed by foreign host.


netstat says the connection is established:

Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0     63  127.0.0.1.8080         $home_ip.60121   ESTABLISHED


Now if I comment the map rule, I get, on the next try,

telnet: connect to address $nat_addr: Connection refused

Which is expected because the rule in group internet_in is still there.
Commenting that one out predictably results in a timeout.

And by the way, the packet will NOT be logged if the group happens to be
declared but without any rules, which seems to go against what the
manpage says (if no rules match, go to default group). So, to get the
logged packet, I actually have to comment out the group definition
entirely or add a random rule. Small gotcha.


Note that I'm only using localhost in the tests because for a host
available on the other interface ($int_if), the connection wasn't
establishing either and I would see no packet ever leaving $int_if to
connect to the internal host.

Tried mapping to the address of $int_if too, with the same result.


I'm out of ideas, what am I missing?

Prev by Date: Re: How to use two WAN connections at once?
Next by Date: Re: Using multiple interfaces (3+) causes intermittent system freezes on NetBSD 5.1_STABLE and later... [was: NetBSD 5 partly freezing, may be related to 802.1Q]
Previous by Thread: pptp between NetBSD and Windows VPN server?
Next by Thread: [PATCH] if_ppp.c
Indexes:

Home | Main Index | Thread Index | Old Index