Current-Users archive


Re: NPF questions, issues and observations



On Sat, 21 Mar 2015 01:09:39 +0000
Mindaugas Rasiukevicius <rmind%netbsd.org@localhost> wrote:

> Harry Waddell <waddell%caravaninfotech.com@localhost> wrote:
> > 
> > I know NPF is a work in progress, and so is its documentation, but now
> > that I have used it for a fairly large project, I have several questions
> > and a few problems. I'm using netbsd-7 as of 3/12/15. 
> > 
> > 1. this validates
> > 
> > $private_addr = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }
> > map vlan200 dynamic $private_addr -> $mesh_map_addr pass from <mesh_nattable> to <ngroutes>
> > 
> >    but this does not
> > 
> > map vlan200 dynamic <mesh_nattable> -> $mesh_map_addr pass from <mesh_nattable> to <ngroutes>
> > 
> >    This seems like an artificial constraint, but I could be missing
> > something. 
> 
> Yes.  In fact, when the extended map syntax is used, the value on the
> left hand side (in a case of outbound NAT) is ignored because the filter
> criteria are explicitly defined by the "pass ..." rule.  The parser only
> validates the syntax.  When I was implementing this, I was considering
> something like:
> 
>     map wm0 dynamic any -> $nat_ip pass from <table1> to <table2>
> 
> However, I was not sure whether the keyword "any" (or perhaps
> "explicit") would make it clearer or, on the contrary, would just
> confuse users.  Thoughts?
> 
...
> > 4. Since group names are unique (when direction is factored in), I
> > don't see what the advantage is to the "ruleset" syntax for dynamic
> > rules. I suspect this is because there's a lot of functionality in
> > the "group-opt" I don't understand. Would someone provide some
> > additional explanation of dynamic rulesets?
> 
> Dynamic rulesets allow you to add/remove rules on the fly, think of
> iptables-style rules.  In npf.conf, "ruleset" is just a syntactic
> sugar for "group" which indicates that the group will have the rules
> managed dynamically rather than statically.  Does that answer your
> question?
> 
> > 5. With my large npf.conf file, npfctl commands and npf itself seem
> > to hang after repeated reloads and a system reboot is required to
> > clear the problem. Has anyone else experienced this? I think a PR
> > is in order. 
> 
> This is a bug.  I need more details about your problem, but I have
> just committed one fix in -current (and requested a pullup to
> netbsd-7 branch) which is likely to be a fix for the same problem you
> are experiencing.
> 
> Pull-up ticket containing the fix is #630.
> 
...
> 
> -- 
> Mindaugas
> 

Concerning the map syntax

map wm0 dynamic any -> $nat_ip pass from <table1> to <table2>

I don't think that "any" adds much value. Given that "all" is a keyword
already, I suspect it may lead to more confusion on the part of users. 
The current syntax is fine, but the documentation could use some 
additional clarification.

As for dynamic rulesets, it seems that if all the definition does is set 
an attribute of the group, it might be better to make "dynamic" an optional
keyword in the group declaration. I don't think it's worth making an
incompatible syntax change given that NPF is no longer a "new" feature
and netbsd-7 is already in beta.

The fix and pullup to netbsd-7 this weekend fixed the npfctl lockup issues
I was experiencing. Thank you very much!

Harry Waddell
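
The dynamic ruleset discussed under item 4, as an added example that is not part of the original thread or of the NPF sources: an npf.conf fragment that declares a ruleset inside a group, with the npfctl(8) `rule` subcommands that manage it at run time shown as comments. The interface name wm0 is borrowed from the map example above; the group name "external", the ruleset name "blocklist" and the address 192.0.2.10 (documentation range) are assumptions.

```conf
# npf.conf fragment (constructed example).
# "external" and "blocklist" are assumed names; wm0 is an assumed interface.

group "external" on wm0 {
	# Declares a named, dynamically managed ruleset at this position
	# in the group. Its rules are added and removed with npfctl,
	# not by editing this file.
	ruleset "blocklist"

	# Static rule: defined here and loaded with the configuration.
	pass stateful out final all
}

group default {
	pass final on lo0 all
	block all
}

# Run-time management of the ruleset (typed as root, not part of npf.conf):
#
#   npfctl rule "blocklist" add block from 192.0.2.10
#   npfctl rule "blocklist" list
#   npfctl rule "blocklist" rem block from 192.0.2.10
#   npfctl rule "blocklist" flush
#
# "add" prints an identifier for the new rule; "rem-id" removes a rule
# by that identifier instead of by repeating its text.
```

Checking the file with `npfctl validate` before `npfctl reload` catches syntax errors without touching the active configuration.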


