NetBSD-Bugs archive


Re: kern/53962: npf: weird 'stateful' behavior



The following reply was made to PR kern/53962; it has been noted by GNATS.

From: Timo Buhrmester <fstd.lkml%gmail.com@localhost>
To: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
Cc: gnats-bugs%netbsd.org@localhost, tech-net%netbsd.org@localhost
Subject: Re: kern/53962: npf: weird 'stateful' behavior
Date: Sun, 17 Feb 2019 19:36:40 +0100

 > - NPF connection state is generally per-interface, but see below.  Bypassing
 > the ruleset on other interfaces can have security implications, e.g. a packet
 > with a spoofed IP address might bypass ingress filtering.  Hence the design
 > decision to default to such behaviour (so you control what's happening on
 > other interfaces with a ruleset there).
 I actually like the per-interface state for various reasons including the one
 you mentioned.  However it does come with the downside of rule multiplication.
 
 Since with my last patch (including ifid in connkey) I have something that
 works the way I intend and it's "in production" now, here's a bit of syntactic
 inspiration as to how the rule multiplication could be countered:
 
 Basically when writing my npf.conf I pretend 'egress <interface list>' is a
 valid construct so my rules look like this:
 
 | pass stateful in on wm1 egress pppoe0,wm2 final proto tcp from $foo to $bar
 
 and a perl script will generate from that:
 
 | pass stateful in on wm1 final proto tcp from $foo to $bar
 | pass stateful out on pppoe0 final proto tcp from $foo to $bar
 | pass stateful out on wm2 final proto tcp from $foo to $bar
 
 (and sort it in the right groups).  
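The rewrite the perl script performs, as an added Python example that is not the author's script: it assumes the invented `egress` token always directly follows `in on <ifname>` and that everything after the interface list is copied into each generated rule unchanged.

```python
import re
from typing import Dict, List

# Matches the pretend syntax:  pass [stateful] in on <ifname> egress <if1,if2,...> <rest>
# (assumed shape of the author's notation; everything after the list is kept verbatim)
_EGRESS_RE = re.compile(
    r"^(pass|block)(\s+stateful)?\s+in\s+on\s+(\S+)\s+egress\s+(\S+)\s*(.*)$"
)


def expand_egress(rule: str) -> List[str]:
    """Turn one 'egress' rule into the real npf rules: one 'in' rule on the
    ingress interface plus one 'out' rule per listed egress interface."""
    m = _EGRESS_RE.match(rule.strip())
    if not m:
        return [rule.strip()]  # plain npf rule: pass through untouched
    action, stateful, ingress_if, egress_list, rest = m.groups()
    stateful = stateful or ""
    rules = [f"{action}{stateful} in on {ingress_if} {rest}".rstrip()]
    for iface in egress_list.split(","):
        rules.append(f"{action}{stateful} out on {iface} {rest}".rstrip())
    return rules


def group_by_interface(rules: List[str]) -> Dict[str, List[str]]:
    """Bucket generated rules by the interface named after 'on', so each one
    can be emitted into that interface's group in npf.conf."""
    groups: Dict[str, List[str]] = {}
    for r in rules:
        m = re.search(r"\bon\s+(\S+)", r)
        groups.setdefault(m.group(1) if m else "default", []).append(r)
    return groups


if __name__ == "__main__":
    # constructed input, the same rule as in the message above
    src = "pass stateful in on wm1 egress pppoe0,wm2 final proto tcp from $foo to $bar"
    for iface, rs in group_by_interface(expand_egress(src)).items():
        print(f"# group for {iface}")
        for r in rs:
            print("  " + r)
```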
 