Re: kern/53962 (npf: weird 'stateful' behavior)

To: rmind%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost, fstd.lkml%gmail.com@localhost
Subject: Re: kern/53962 (npf: weird 'stateful' behavior)
From: Timo Buhrmester <fstd.lkml%gmail.com@localhost>
Date: Tue, 14 Apr 2020 02:10:02 +0000 (UTC)

The following reply was made to PR kern/53962; it has been noted by GNATS.

From: Timo Buhrmester <fstd.lkml%gmail.com@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: tech-net%netbsd.org@localhost, rmind%netbsd.org@localhost
Subject: Re: kern/53962 (npf: weird 'stateful' behavior)
Date: Tue, 14 Apr 2020 04:07:50 +0200

 > > Does the "stateful-all" keyword (in -current/netbsd-9) satisfy your use case?
 > The short answer is no, or rather I don't know; something with the NAT seems broken.

 After some digging it seems that npf ties packet direction (in/out) to
 stream direction (forwards/backwards), which naturally fails when
 multiple interfaces are involved.  Maybe I'm misunderstanding things,
 but it fits the fact that the wrong address is being rewritten
 (in the mentioned testcase, rewriting 5.9.82.75 > 192.168.1.200
 to 192.168.1.200 > 192.168.1.200 rather than to 5.9.82.75 > 192.168.3.2.

 Unrelatedly, I noticed that the order of groups in npf.conf matters.
 That is, if the "default" group is the first group in the file,
 the rules in the "default" group will apply to all packets regardless
 of more specific groups below.  This can be trivially worked around
 by putting the default group last, of course, but the documentation
 doesn't read as if this was intended behavior.

Prev by Date: port-sparc64/55173: NetBSD-9.0/sparc64 blackscreens on bootup from CDROM on Sun Ultra 5
Next by Date: toolchain/55174: build.sh has trouble with CFLAGS on /etc/mk.conf if it was used "+=" instead of "="
Previous by Thread: Re: kern/53962 (npf: weird 'stateful' behavior)
Next by Thread: Re: kern/53962 (npf: weird 'stateful' behavior)
Indexes:

Home | Main Index | Thread Index | Old Index