Current-Users archive


Re: ipf/ipnat behavior



Paul, you made this comment:

> I'm still trying to track down some anomalous behavior
> I'm seeing on my -current (as of about 12 hours ago) nat
> box. I've noticed that even when I have an empty
> /etc/ipf.conf file (no filter rules at all), ipfstat
> still claims that packets are being dropped/blocked!
> Is this normal?

But in the statistics here:

> bad packets: in 0 out 0
> IPv6 packets: in 0 out 0
> input packets: blocked 0 passed 3154 nomatch 1623 counted 0 short 0
> output packets: blocked 0 passed 3149 nomatch 1616 counted 0 short 0
> input packets logged: blocked 0 passed 0
> output packets logged: blocked 0 passed 0
> packets logged: input 0 output 0
> log failures: input 0 output 0
> fragment state(in): kept 0 lost 0 not fragmented 0
> fragment state(out): kept 0 lost 0 not fragmented 0
> packet state(in): kept 0 lost 0
> packet state(out): kept 0 lost 0
> ICMP replies: 0
> TCP RSTs sent: 0
> Invalid source(in): 0
> Result cache hits(in): 1531 (out): 1533
> IN Pullups succeeded: 0 failed: 0
> OUT Pullups succeeded: 0 failed: 0
> Fastroute successes: 0 failures: 0
> TCP cksum fails(in): 0 (out): 0
> IPF Ticks: 947
> Packet log flags set: (0)

I see nothing to indicate that any packets are blocked.

That said, IPFilter will automatically drop a packet if:
- it matched a NAT rule but it could not create a new NAT session
- ipfilter tried to get the entire packet in one mbuf but could not do so
- it matched a "keep state" rule but ipf could not add the state

Darren
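The ipfstat counters quoted above can be checked mechanically against the three drop causes Darren lists. The script below is an added example for this archive page, not code from the thread or from IPFilter itself. It parses the quoted output (embedded here as constructed sample input), reports the explicit "blocked" counters, and flags the counters that correspond to the silent drops (state could not be added, pullup into one mbuf failed). The mapping from counter names to drop causes is this example's own assumption; NAT-session failures are reported by ipnat rather than by this ipfstat output, so they are not checked here.

```python
import re

# Constructed sample input: the ipfstat counters quoted in the thread above.
SAMPLE_IPFSTAT = """\
bad packets: in 0 out 0
IPv6 packets: in 0 out 0
input packets: blocked 0 passed 3154 nomatch 1623 counted 0 short 0
output packets: blocked 0 passed 3149 nomatch 1616 counted 0 short 0
input packets logged: blocked 0 passed 0
output packets logged: blocked 0 passed 0
packets logged: input 0 output 0
log failures: input 0 output 0
fragment state(in): kept 0 lost 0 not fragmented 0
fragment state(out): kept 0 lost 0 not fragmented 0
packet state(in): kept 0 lost 0
packet state(out): kept 0 lost 0
ICMP replies: 0
TCP RSTs sent: 0
Invalid source(in): 0
Result cache hits(in): 1531 (out): 1533
IN Pullups succeeded: 0 failed: 0
OUT Pullups succeeded: 0 failed: 0
Fastroute successes: 0 failures: 0
TCP cksum fails(in): 0 (out): 0
IPF Ticks: 947
Packet log flags set: (0)
"""

# A counter token is a bare integer, optionally wrapped in parentheses ("(0)").
_NUM = re.compile(r"^\(?(\d+)\)?$")


def parse_ipfstat(text):
    """Turn 'label: name N name N ...' lines into {'label/name': N}.

    A line carrying a single bare number ('ICMP replies: 0') is keyed by
    its label alone; later 'name N' pairs on the same line get 'label/name'.
    """
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, rest = line.partition(":")
        label = label.strip()
        words = []  # non-numeric tokens seen since the last number
        for tok in rest.split():
            m = _NUM.match(tok)
            if m:
                key = label if not words else label + "/" + " ".join(words)
                counters[key] = int(m.group(1))
                words = []
            else:
                words.append(tok.rstrip(":"))
    return counters


# Counters that, when non-zero, point at the silent drops listed in the reply.
# This mapping is an assumption of the example, not something ipfstat documents.
SILENT_DROP_KEYS = {
    "packet state(in)/lost": "keep state failed (inbound)",
    "packet state(out)/lost": "keep state failed (outbound)",
    "fragment state(in)/lost": "fragment state failed (inbound)",
    "fragment state(out)/lost": "fragment state failed (outbound)",
    "IN Pullups succeeded/failed": "pullup into one mbuf failed (inbound)",
    "OUT Pullups succeeded/failed": "pullup into one mbuf failed (outbound)",
}


def drop_report(counters):
    """Summarise explicit rule blocks, no-match counts and silent-drop indicators."""
    explicit = {
        "blocked_in": counters.get("input packets/blocked", 0),
        "blocked_out": counters.get("output packets/blocked", 0),
    }
    nomatch = {
        "nomatch_in": counters.get("input packets/nomatch", 0),
        "nomatch_out": counters.get("output packets/nomatch", 0),
    }
    silent = {desc: counters[key] for key, desc in SILENT_DROP_KEYS.items()
              if counters.get(key, 0)}
    return {"explicit": explicit, "nomatch": nomatch, "silent": silent}


if __name__ == "__main__":
    report = drop_report(parse_ipfstat(SAMPLE_IPFSTAT))
    for section, values in report.items():
        print(section, values or "none")
```

Run against the quoted output, the report shows zero explicit blocks and no silent-drop indicators, which is the conclusion drawn in the reply; "nomatch" packets are listed separately because the counter only says no rule matched them, not what happened to them.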
