NetBSD-Bugs archive


bin/57084: When configuring a NAT subnet address for a dynamic map in npf.conf, npf does not report misconfigurations and filtering silently fails



>Number:         57084
>Category:       bin
>Synopsis:       When configuring a NAT subnet address for a dynamic map in npf.conf, npf does not report misconfigurations and filtering silently fails
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Nov 17 04:25:00 +0000 2022
>Originator:     theo
>Release:        9.2
>Organization:
>Environment:
NetBSD localhost 9.2 NetBSD 9.2 (GENERIC) #0: Wed May 12 13:15:55 UTC 2021 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
When configuring npf for NAT dynamic map filtering, using an address that isn't the network address for the corresponding subnet causes the map to fail, while no error is reported.
For example, configuring the filter with the following map: `map $ext_if dynamic $localnet -> $ext_v4` (from soho_gw-npf.conf) works when `$localnet = { X.Y.Z.0/24 }` is defined, but does not work when `$localnet = { X.Y.Z.1/24 }` is defined.
It would seem that the filter is considering the address X.Y.Z.1 for all packets, and comparing it with the packet's address (with the subnet mask applied) to see if the traffic should be forwarded.
Of course, since no address of the form X.Y.Z.* with the CIDR netmask /24 applied ever matches X.Y.Z.1, no packet is forwarded. However, npf should report an error, or report a warning and use the network address instead of the host address when given this configuration.
>How-To-Repeat:
Configure npf for a NAT using the soho_gw-npf.conf template in a functioning way (e.g. with $localnet defined as { X.Y.Z.0/24 }) and change the localnet to { X.Y.Z.1/24 }. Then restart npf. No traffic will be forwarded back to any machine behind the NAT.
>Fix:
To correct the problem, Riastradh on irc.libera.chat has suggested having npf use the network address instead of the host address for the $localnet definition when parsing the configuration (e.g. npfctl_bpf_cidr should [...] do `word &= wordmask` in the `if (wordmask)` branch) and, additionally or alternatively, asserting that the configured value is correct (e.g. `assert(word == (word & wordmask))`) and having npf report a user-visible warning (if it also does the former processing) or an error (if it does not) when the assertion fails.
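As an added example that is not part of this bug report or of the NetBSD npf sources, the following C program models in plain C the comparison the Description section describes and the two remedies the Fix section proposes. A rule is the pair (word, wordmask) and a packet address matches when (addr & wordmask) == word. compile_cidr_buggy stores the configured address verbatim, so a $localnet of 192.0.2.1/24 (a constructed documentation-range address standing in for X.Y.Z.1/24) matches nothing, not even 192.0.2.1 itself; compile_cidr_fixed applies `word &= wordmask`, checks `word == (word & wordmask)` before doing so, and emits the user-visible warning. All struct and function names here are hypothetical; the real npfctl_bpf_cidr emits a BPF program rather than a C comparison, but the arithmetic is the same.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a compiled CIDR rule (not npf's own structures):
 * a packet address matches when (addr & wordmask) == word. */
struct cidr_rule {
    uint32_t word;      /* address to compare against, host byte order */
    uint32_t wordmask;  /* netmask derived from the prefix length */
};

/* Build a host-order IPv4 address from dotted octets. */
static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Netmask for a prefix length; lengths above 32 are clamped to /32. */
static uint32_t prefix_mask(unsigned plen)
{
    if (plen == 0)
        return 0;
    if (plen > 32)
        plen = 32;
    return (uint32_t)(0xffffffffu << (32 - plen));
}

/* The check the report suggests asserting: word == (word & wordmask). */
static bool cidr_has_host_bits(uint32_t addr, uint32_t mask)
{
    return (addr & mask) != addr;
}

/* Matching as the report describes it: mask the packet address, compare to word. */
static bool cidr_match(const struct cidr_rule *r, uint32_t addr)
{
    return (addr & r->wordmask) == r->word;
}

/* Models the reported behaviour: the configured address is stored verbatim,
 * so any host bits in it make the comparison unsatisfiable for every packet. */
static void compile_cidr_buggy(struct cidr_rule *r, uint32_t addr, unsigned plen)
{
    r->word = addr;
    r->wordmask = prefix_mask(plen);
}

/* Models the suggested fix: canonicalize to the network address and warn when
 * the configuration carried host bits. Returns true if a warning was issued. */
static bool compile_cidr_fixed(struct cidr_rule *r, uint32_t addr, unsigned plen)
{
    uint32_t mask = prefix_mask(plen);
    uint32_t net = addr & mask;
    bool warn = cidr_has_host_bits(addr, mask);

    if (warn) {
        fprintf(stderr,
            "warning: configured address has host bits set, using network address %u.%u.%u.%u/%u\n",
            (unsigned)(net >> 24), (unsigned)((net >> 16) & 0xff),
            (unsigned)((net >> 8) & 0xff), (unsigned)(net & 0xff), plen);
    }
    r->word = net;          /* word &= wordmask */
    r->wordmask = mask;
    assert(r->word == (r->word & r->wordmask));  /* invariant from the Fix section */
    return warn;
}

/* Compile one rule either way and test a single packet address against it. */
static bool rule_matches(bool use_fix, uint32_t cfg, unsigned plen, uint32_t pkt)
{
    struct cidr_rule r;

    if (use_fix)
        compile_cidr_fixed(&r, cfg, plen);
    else
        compile_cidr_buggy(&r, cfg, plen);
    return cidr_match(&r, pkt);
}

int main(void)
{
    /* Constructed addresses: 192.0.2.0/24 stands in for X.Y.Z.0/24. */
    uint32_t good_cfg = ip4(192, 0, 2, 0), bad_cfg = ip4(192, 0, 2, 1);
    uint32_t lan_host = ip4(192, 0, 2, 42), other = ip4(198, 51, 100, 7);

    printf("X.Y.Z.0/24, buggy: lan host %d, outside host %d\n",
        rule_matches(false, good_cfg, 24, lan_host), rule_matches(false, good_cfg, 24, other));
    printf("X.Y.Z.1/24, buggy: lan host %d, X.Y.Z.1 itself %d\n",
        rule_matches(false, bad_cfg, 24, lan_host), rule_matches(false, bad_cfg, 24, bad_cfg));
    printf("X.Y.Z.1/24, fixed: lan host %d, outside host %d\n",
        rule_matches(true, bad_cfg, 24, lan_host), rule_matches(true, bad_cfg, 24, other));
    return 0;
}
```

The buggy path is the silent failure: the rule is syntactically valid and loads without complaint, yet the masked packet address can never equal a word that still carries host bits. Of the two remedies, masking at parse time alone would hide a typo in npf.conf, so warning as well (or rejecting the configuration outright) is what makes the misconfiguration visible to the operator.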


