NetBSD-Bugs archive


Re: kern/53199: stateful npf



The following reply was made to PR kern/53199; it has been noted by GNATS.

From: Patrick Welche <prlw1%cam.ac.uk@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/53199: stateful npf
Date: Fri, 4 May 2018 16:32:07 +0100

 # npfctl show
 # filtering:    active
 # config:       loaded
 
 procedure "log"
 
 group "ext" on wm0 # id="1" 
         block in all apply "log" # id="2" 
         pass stateful in family inet4 proto tcp flags S/SA to 192.168.0.1 port 80 apply "log" # id="3" 
 
 group # id="4" 
         pass all apply "log" # id="5" 
 
 
 Experiment with
 
 NetBSD-8.99.14/evbarm rpi, usmsc0: 192.168.0.2 as ftp client
 
 NetBSD-8.99.15/amd64          wm0: 192.168.0.1 as webserver
                              iwn0: external interface
 
 as per rump script. This works, and the first few packets are:
 
 16:15:34.581155 rule 3.rules.0/0(match): pass in on ???: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
     192.168.0.2.65534 > 192.168.0.1.80: Flags [S], cksum 0x2ef0 (correct), seq 196676535, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0
 16:15:34.581176 rule 3.rules.0/0(match): pass out on ???: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->b968)!)
     192.168.0.1.80 > 192.168.0.2.65534: Flags [S.], cksum 0x50c6 (correct), seq 38525900, ack 196676536, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 1 ecr 1], length 0
 16:15:34.581952 rule 3.rules.0/0(match): pass in on ???: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
     192.168.0.2.65534 > 192.168.0.1.80: Flags [.], cksum 0xef29 (correct), ack 1, win 4197, options [nop,nop,TS val 1 ecr 1], length 0
 
 
 # filtering:    active
 # config:       loaded
 
 procedure "log"
 
 group "ext" on wm1 # id="1" 
         block in all apply "log" # id="2" 
         pass stateful in family inet4 proto tcp flags S/SA to 131.111.65.65 port 80 apply "log" # id="3" 
 
 group # id="4" 
         pass all apply "log" # id="5" 
 
 Experiment with
 
 linux box as lynx client
 NetBSD-8.99.15/amd64  wm0: internal interface
                       wm1: 131.111.65.65
 
 fails, first few packets are
 
 15:43:20.478154 rule 3.rules.0/0(match): pass in on ???: (tos 0x0, ttl 62, id 17986, offset 0, flags [DF], proto TCP (6), length 60)
     131.111.62.210.60810 > 131.111.65.65.80: Flags [S], cksum 0x6b3f (correct), seq 198627856, win 29200, options [mss 1460,sackOK,TS val 2208994386 ecr 0,nop,wscale 7], length 0
 15:43:20.478166 rule 5.rules.0/0(match): pass out on ???: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60, bad cksum 0 (->b3ca)!)
     131.111.65.65.80 > 131.111.62.210.60810: Flags [S.], cksum 0x1bee (correct), seq 1414262023, ack 198627857, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 1 ecr 2208994386], length 0
 15:43:20.479687 rule 2.rules.0/0(match): block in on ???: (tos 0x0, ttl 62, id 17987, offset 0, flags [DF], proto TCP (6), length 52)
     131.111.62.210.60810 > 131.111.65.65.80: Flags [.], cksum 0xc9d0 (correct), ack 1, win 229, options [nop,nop,TS val 2208994387 ecr 1], length 0
 
 
 Note that now the 2nd packet goes out via the "pass all" rule, rather than the
 stateful rule.
 
 Why the difference in behaviour?
 
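Added diagnostic, not part of the PR or of NPF itself: a small Python parser for the tcpdump-style log lines quoted above. It pairs each logged packet with the SYN that opened its flow and reports every packet of a stateful flow that was decided by a rule other than the one that passed the SYN, which is exactly what the second trace shows (SYN-ACK out via rule 5, ACK blocked by rule 2). The header/packet line layout and rule numbering come from the quoted traces; the sample is constructed by abridging the failing trace.

```python
import re

# Constructed sample, abridged from the second (failing) trace in the PR:
# the SYN hits stateful rule 3, but the SYN-ACK leaves via rule 5 and the
# client's ACK is then blocked by rule 2.
FAILING = """\
15:43:20.478154 rule 3.rules.0/0(match): pass in on ???: (tos 0x0)
    131.111.62.210.60810 > 131.111.65.65.80: Flags [S], seq 198627856
15:43:20.478166 rule 5.rules.0/0(match): pass out on ???: (tos 0x0)
    131.111.65.65.80 > 131.111.62.210.60810: Flags [S.], seq 1414262023
15:43:20.479687 rule 2.rules.0/0(match): block in on ???: (tos 0x0)
    131.111.62.210.60810 > 131.111.65.65.80: Flags [.], ack 1
"""

HDR = re.compile(r'^(\S+) rule (\d+)\.rules\.\d+/\d+\(\w+\): (pass|block) (in|out) on (\S+):')
PKT = re.compile(r'^\s+(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]')

def parse_npf_log(text):
    """Pair each 'rule N ... pass/block in/out' header with the packet line
    that follows it and return one dict per logged packet."""
    lines, events, i = text.splitlines(), [], 0
    while i + 1 < len(lines):
        h, p = HDR.match(lines[i]), PKT.match(lines[i + 1])
        if h and p:
            events.append({'ts': h[1], 'rule': int(h[2]), 'action': h[3],
                           'dir': h[4], 'src': p[1], 'sport': int(p[2]),
                           'dst': p[3], 'dport': int(p[4]), 'flags': p[5]})
            i += 2
        else:
            i += 1
    return events

def flow_key(ev):
    """Direction-independent key so the reply maps onto the opening SYN."""
    a, b = (ev['src'], ev['sport']), (ev['dst'], ev['dport'])
    return (a, b) if a <= b else (b, a)

def state_misses(events):
    """Return (flow, rule, action, dir, flags) for every packet of a flow whose
    SYN was passed by rule R but which was decided by a different rule."""
    opener, misses = {}, []
    for ev in events:
        key = flow_key(ev)
        if ev['flags'] == 'S' and ev['action'] == 'pass':
            opener[key] = ev['rule']
        elif key in opener and ev['rule'] != opener[key]:
            misses.append((key, ev['rule'], ev['action'], ev['dir'], ev['flags']))
    return misses
```

Run against the first (working) trace the same function returns an empty list, since every packet there matched rule 3.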