Re: misc/56990: npf: `ruleset` line in npf.conf does not behave as expected following a `block all` line

To: misc-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,hopkinsza%gmail.com@localhost
Subject: Re: misc/56990: npf: `ruleset` line in npf.conf does not behave as expected following a `block all` line
From: BERTRAND Joël <joel.bertrand%systella.fr@localhost>
Date: Fri, 25 Aug 2023 10:35:01 +0000 (UTC)

The following reply was made to PR misc/56990; it has been noted by GNATS.

From: =?UTF-8?Q?BERTRAND_Jo=c3=abl?= <joel.bertrand%systella.fr@localhost>
To: "gnats-bugs%netbsd.org@localhost" <gnats-bugs%NetBSD.org@localhost>
Cc: 
Subject: Re: misc/56990: npf: `ruleset` line in npf.conf does not behave as
 expected following a `block all` line
Date: Fri, 25 Aug 2023 12:34:03 +0200

 	Hello,
 
 	PR/56990 seems to broke a running configuration on -10_beta.
 
 Network configuration:
 - wm0 and wm1 : bridge0 (192.168.12.1/24) connected to two NAS (iSCSI)
 - wm2 : WAN (public address)
 - wm3 and wm4 : lagg0 (192.168.10.128/24) connected to LAN
 - re0 : DMZ (192.168.1.1/24)
 
 wm0 and wm1 are two Ethernet connectors on the same I350 adapter (one
 connector for a NAS, connected without switch).
 
 	Until last patches, my server runs with the following npf.conf. I use
 video_if and bacula_if as npf doesn't understand bridge0.
 
 $lan_if = "lagg0"
 $wan_if = "wm2"
 $bacula_if = "wm1"
 $video_if = "wm0"
 $ext_v4 = inet4($wan_if)
 $dmz_if = "re0"
 
 set bpf.jit on;
 alg "icmp"
 
 # Outgoing NAT
 map inet4($wan_if) dynamic 192.168.10.0/24 -> $ext_v4
 map inet4($wan_if) dynamic 192.168.12.0/24 -> $ext_v4
 
 procedure "log" {
     log: npflog0
 }
 
 group "wan" on $wan_if {
     ruleset "blocklistd"
 
     # ICMP
     pass in final family inet4 proto icmp all
     pass out final family inet4 proto icmp all
 
 ...
 
     # Default
     block final all
 }
 
 group "lan" on $lan_if {
     pass final all
 }
 
 group "dmz" on $dmz_if {
     pass in final family inet4 proto icmp all
     pass out final family inet4 proto icmp all
 
     # ssh
     pass stateful out final family inet4 proto tcp from any \
             to any port ssh
     pass stateful in final family inet4 proto tcp from any \
             to any port ssh
 
 ...
     block final all
 }
 
 group "bacula" on $bacula_if {
     pass final all
 }
 
 
 group "video" on $video_if {
     pass final all
 }
 
 group default {
     pass final on lo0 all
     block all
 }
 
 	Now, I have to replace group default by :
 
 group default {
     pass final on lo0 all
     pass all
 }
 
 if I want to access to both NAS. With "block all", only the first NAS
 can be connected to server with iSCSI but both answer to ping.
 
 	Best regards,
 
 	JKB

Prev by Date: Re: kern/57580: evbarm/earmv7hf RPI2 scheduler/cpu stall
Next by Date: Re: misc/56990: npf: `ruleset` line in npf.conf does not behave as expected following a `block all` line
Previous by Thread: Re: misc/56990: npf: `ruleset` line in npf.conf does not behave as expected following a `block all` line
Next by Thread: Re: misc/56990: npf: `ruleset` line in npf.conf does not behave as expected following a `block all` line
Indexes:

Home | Main Index | Thread Index | Old Index