NetBSD-Users archive
Re: stateful npf
On Wed, Mar 28, 2018 at 12:43:59PM +0100, Patrick Welche wrote:
> On a toy -current/amd64 system with internal wm0 and external wm1:
>
> # npfctl show
> # filtering: active
> # config: loaded
>
> procedure "log"
>
> group "ext" on wm1 # id="1"
> pass in final family inet6 proto ipv6-icmp # id="2"
> pass out final family inet6 proto ipv6-icmp # id="3"
> pass in final family inet4 proto icmp # id="4"
> pass stateful in final family inet4 proto tcp flags S/SA to 192.168.25.65 port 80 apply "log" # id="5"
> block all # id="6"
>
> group "int" on wm0 # id="7"
> pass all # id="8"
>
> group # id="9"
> pass final on lo0 all # id="a"
> block all # id="b"
>
>
> If I
>
> telnet 192.168.25.65 80
>
> I see the connection into ext_if with flag S, but nothing is returned.
> Shouldn't the "stateful"ness allow a reply? (Connecting via int_if
> works, so the httpd is happy.)
Logging on ext's block all shows packets subsequent to the S/SA with
Flags [.] or Flags [P.] being blocked.
i.e., logging rules 5 and 6, we see on npflog0:
1st packet: rule 5.rules.0/0(match): pass in on wm1 ..>..65.80 Flags [S]
2nd packet: rule 6.rules.0/0(match): block in on wm1 ..>..65.80 Flags [.]
so what happened to the state?
Cheers,
Patrick
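One way to do the correlation Patrick did by hand over the npflog0 output mechanically, as an added example that is not part of the post: group inbound packets by 4-tuple and report flows whose SYN matched a pass rule but whose later packets were hit by a block rule, which is exactly the "state went missing" symptom. The log line layout, rule ids and addresses below are constructed assumptions modelled on the quoted lines, not real output from that system.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump output on npflog0. The field layout is an
# assumption modelled on the lines quoted in the post, with full addresses
# filled in so the 4-tuple can be extracted.
SAMPLE_LOG = """\
rule 5.rules.0/0(match): pass in on wm1: 203.0.113.7.51000 > 192.168.25.65.80: Flags [S]
rule 6.rules.0/0(match): block in on wm1: 203.0.113.7.51000 > 192.168.25.65.80: Flags [.]
rule 6.rules.0/0(match): block in on wm1: 203.0.113.7.51000 > 192.168.25.65.80: Flags [P.]
rule 5.rules.0/0(match): pass in on wm1: 203.0.113.9.52000 > 192.168.25.65.80: Flags [S]
rule 6.rules.0/0(match): block in on wm1: 198.51.100.4.4444 > 192.168.25.65.22: Flags [S]
"""

LINE_RE = re.compile(
    r"rule (?P<rule>\d+)\S*\(match\): (?P<action>pass|block) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Parse one assumed-format npflog line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    return rec


def find_lost_state(log_text):
    """Return {(src, sport, dst, dport): [blocking rule ids]} for inbound flows
    whose SYN was passed but whose later packets were blocked. With working
    state tracking, those later packets should have been matched by the
    connection state before ever reaching the final 'block all' rule."""
    passed_syn = set()
    lost = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dir"] != "in":
            continue
        flow = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        if rec["action"] == "pass" and rec["flags"] == "S":
            passed_syn.add(flow)
        elif rec["action"] == "block" and flow in passed_syn:
            lost[flow].append(rec["rule"])
    return dict(lost)


if __name__ == "__main__":
    for flow, rules in find_lost_state(SAMPLE_LOG).items():
        print("SYN passed but later packets blocked by rules", rules, "for", flow)
```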