Re: kern/53199 (stateful npf)

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,prlw1%cam.ac.uk@localhost
Subject: Re: kern/53199 (stateful npf)
From: Patrick Welche <prlw1%cam.ac.uk@localhost>
Date: Thu, 14 Feb 2019 15:25:01 +0000 (UTC)

The following reply was made to PR kern/53199; it has been noted by GNATS.

From: Patrick Welche <prlw1%cam.ac.uk@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: kern/53199 (stateful npf)
Date: Thu, 14 Feb 2019 15:20:23 +0000

 I am surprised that this PR is unclear given the level of detail. 
 I even submitted rump scripts for reproduction which admittedly 
 gnats munged.

 I hope this is a more simple understandable explanation:

 I have a computer with 2 network interfaces, wm0 as "internal" and
 wm1 as "external". The default route points to a router connected to
 "internal". There is a web server listening on port 80 of "external".

 The system is running ipf with the following configuration file:

 block in all
 pass in on wm1 proto tcp from any to wm1/network port = 80 \
    flags S keep state
 pass in on lo0 all
 pass out on lo0 all
 pass in on wm0 all
 pass out on wm0 all

 It works for users logged in on the box, and it successfully hands
 out webpages to anyone who cares to retrieve one.

 If it is obvious to you how to achieve this with npf, please update
 the documentation so that it is obvious to others. If it is not
 currently possible to do this with npf, please consider this a
 change request and reconsider the removal of ipf.

 It seems someone else is suffering the same pain in PR kern/53962.

Prev by Date: bin/53974: arp(8): Attempting to set many ARP entries with -f option, it can cause "socket: Too many open files" error.
Next by Date: kern/53980: INSTALL_XEN3PAE_DOMU from -current panics
Previous by Thread: Re: kern/53199 (stateful npf)
Next by Thread: Re: kern/53199 (stateful npf)
Indexes:

Home | Main Index | Thread Index | Old Index