Re: kern/53962: npf: weird 'stateful' behavior

To: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/53962: npf: weird 'stateful' behavior
From: fstd.lkml%gmail.com@localhost
Date: Sat, 9 Feb 2019 12:54:01 +0100

I have discovered that this 5th example does what I need:

npf.conf:
| procedure "log" {
| 	log: npflog0
| }
| 
| group "net1" on wm1 {
| 	pass in final proto tcp flags S/SARF from 192.168.1.0/24 to 192.168.2.0/24 port 22 apply "log"
| 	block all apply "log"
| }
| 
| group "net2" on wm2 {
| 	pass stateful-ends out final proto tcp flags S/SARF from 192.168.1.0/24 to 192.168.2.13 port 22 apply "log"
| 	block all apply "log"
| }
| 
| group default {
| 	pass final on lo0 all
| 	block all apply "log"
| }


Since the packet will first ingress on wm1, originally I thought 'stateful-ends' on the wm1 rule would be what to go for, but the state kept by it would not make it egress on wm2.  Having both rules 'stateful-ends' doesn't do the trick either.

But if I, as shown above, stateLESSly let the SYN ingress and then keep state(ful-ends) on the wm2 egress rule -- THEN state is kept that, in fact, also applies to future related packages in- or egressing on wm1.

I'd love to understand what's going on here.

References:
- kern/53962: npf: weird 'stateful' behavior
  - From: fstd . lkml

Prev by Date: Re: toolchain/53947 (NetBSD 8.0 VAX - bash shell build failure)
Next by Date: Re: port-xen/35050
Previous by Thread: kern/53962: npf: weird 'stateful' behavior
Next by Thread: Re: kern/53962: npf: weird 'stateful' behavior
Indexes:

Home | Main Index | Thread Index | Old Index