Re: kern/53962 (npf: weird 'stateful' behavior)

To: gnats-bugs%netbsd.org@localhost
Subject: Re: kern/53962 (npf: weird 'stateful' behavior)
From: Timo Buhrmester <fstd.lkml%gmail.com@localhost>
Date: Tue, 14 Apr 2020 04:07:50 +0200

> > Does the "stateful-all" keyword (in -current/netbsd-9) satisfy your use case?
> The short answer is no, or rather I don't know; something with the NAT seems broken.

After some digging it seems that npf ties packet direction (in/out) to
stream direction (forwards/backwards), which naturally fails when
multiple interfaces are involved.  Maybe I'm misunderstanding things,
but it fits the fact that the wrong address is being rewritten
(in the mentioned testcase, rewriting 5.9.82.75 > 192.168.1.200
to 192.168.1.200 > 192.168.1.200 rather than to 5.9.82.75 > 192.168.3.2.

Unrelatedly, I noticed that the order of groups in npf.conf matters.
That is, if the "default" group is the first group in the file,
the rules in the "default" group will apply to all packets regardless
of more specific groups below.  This can be trivially worked around
by putting the default group last, of course, but the documentation
doesn't read as if this was intended behavior.

Prev by Date: Re: Question about NetBSD implementation of IPv6 SLAAC and RFC4941
Next by Date: Download latest movies from elitetorrent1.com
Previous by Thread: Re: kern/53962 (npf: weird 'stateful' behavior)
Next by Thread: Re: Question about NetBSD implementation of IPv6 SLAAC and RFC4941
Indexes:

Home | Main Index | Thread Index | Old Index