Re: kern/53962 (npf: weird 'stateful' behavior)
Mindaugas Rasiukevicius <rmind%netbsd.org@localhost> wrote:
> There are more implications here.. I am going to add configuration-wide
> parameters to give user more flexibility on connection state behaviour.
The changes are committed.
1. You can try your original stateful rules with strictly per-interface
state (the default).
2. Alternatively, you can try 'stateful-all' with the following parameters:
    set state.key.interface 0
    set state.key.direction 0
Note that if you mix it with dynamic NAT, like in your last example, the
translation will happen on the interface where the NAT policy is applied.
The state will then use a translated address, meaning that the state (for
the reverse flow) will not be picked up on the initial interface, so you
would still need a rule to pass it.
We could add an option to mark the packet to bypass the ruleset if the state
was picked on some interface and the packet is forwarded.
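An added illustration of the second option described above (not part of the reply or of the NetBSD sources): an npf.conf fragment using 'stateful-all' with the two parameters, dynamic NAT on the external interface, and the extra pass rule the reverse flow needs on the initial interface. Interface names, the internal network and the inet4()/map forms are assumptions.

```conf
# Added example; interface names and the internal network are assumed.
$ext_if = "wm0"
$int_if = "wm1"
$localnet = { 192.168.1.0/24 }
$ext_v4 = inet4($ext_if)

# Connection state keyed without interface or direction (the
# 'stateful-all' variant discussed above).
set state.key.interface 0
set state.key.direction 0

# Dynamic NAT on the external interface: state created here carries
# the translated address.
map $ext_if dynamic $localnet -> $ext_v4

group "external" on $ext_if {
    pass stateful-all out final from $localnet
}

group "internal" on $int_if {
    pass stateful-all in final from $localnet
    # Replies to NAT'd connections are not matched by state on this
    # interface (the state holds the translated address), so they need
    # an explicit pass rule.
    pass out final to $localnet
}

group default {
    pass final on lo0 all
    block all
}
```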