NetBSD-Users archive


Re: npf forwarding <-



On Mon, Nov 19, 2018 at 08:37:51PM +0300, Dima Veselov wrote:
> On Mon, Nov 19, 2018 at 03:14:33PM +0000, Patrick Welche wrote:
> > > 
> > procedure "log"
> > 
> > map iwn0 dynamic any -> 10.111.65.65 pass family inet4 from 10.168.204.0/24 # id="1" 
> > map wm0 dynamic 10.111.65.4 <- any pass family inet4 to 128.232.132.8 # id="2" 
> 
> I got your setup working and now have to explain something:
> a typical pub->priv redirect always works together with a priv->pub mapping,
> because NAT has to allocate an outgoing port when the inside server
> replies. In your setup there is no rule for mapping the replies.
> 
> You have to NAT replied packet and it will work with that:
> map $int_if static 172.20.27.7 -> 128.232.132.8
> map $int_if static 172.20.27.7 <- 128.232.132.8
> map $ext_if dynamic $int_net -> $ext_v4
> 
> (172.20.27.7 is the outside webserver you are trying to reach).

Interesting: this gets me 172.20.27.7 if I aim for 128.232.132.8 as
requested, but given the other rule, if I aim for 172.20.27.7 I don't
get 172.20.27.7...

> I also converted "dynamic" to "static" and have no idea why it works,
> maybe the npf architect can tell us.
> 
> As for the previous note about stateful - recently I got the same problem.
> It seems NAT will never work if the inside->outside connection is stateful.

According to http://rmind.github.io/npf/nat.html

   It should be
   remembered that dynamic NAT, as a concept, relies on stateful
   filtering, therefore it is performing it implicitly.

I expected the return rule not to be necessary, as I expected the reply
packet to match the connection state. How is this meant to work?

Cheers,

Patrick
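For readers following the thread, a complete npf.conf that assembles the three map rules Dima posted into one file, as an added example (it is not the configuration of either poster). The addresses, the 128.232.132.8 -> 172.20.27.7 redirect and the interface names are taken from the messages above; the variable names, the interface roles and the group layout (modelled on the npf.conf(5) examples) are assumptions for illustration. The file shows the arrangement Dima reported as working; whether the return static map is strictly required next to the state that dynamic NAT keeps implicitly is exactly the question Patrick leaves open, and this example does not settle it.

```conf
# Added example, not from the thread. Assumed roles: $int_if faces the
# 10.168.204.0/24 clients, $ext_if faces the upstream network.
$ext_if = "wm0"
$int_if = "iwn0"

$ext_v4   = 10.111.65.65          # address clients are masqueraded behind (from the thread)
$int_net  = { 10.168.204.0/24 }   # inside clients (from the thread)
$web_pub  = 128.232.132.8         # address the clients address their requests to
$web_priv = 172.20.27.7           # outside web server actually reached

# Inbound on $int_if (client -> web server): rewrite destination
# $web_pub to $web_priv.
map $int_if static $web_priv <- $web_pub

# Outbound on $int_if (web server -> client): rewrite source $web_priv
# back to $web_pub so the reply matches what the client sent to. This is
# the "return rule" discussed in the thread.
map $int_if static $web_priv -> $web_pub

# Ordinary outbound dynamic NAT for the inside network. Dynamic NAT keeps
# its own state (see rmind.github.io/npf/nat.html), so replies to these
# flows are matched without a return map.
map $ext_if dynamic $int_net -> $ext_v4

group "external" on $ext_if {
	pass stateful out final all
	block in all
}

group "internal" on $int_if {
	pass stateful in final from $int_net
	pass out final all
}

group default {
	pass final on lo0 all
	block all
}
```

Before loading it, `npfctl validate /etc/npf.conf` checks the syntax, and `npfctl show` after `npfctl reload` prints the rules and maps as the kernel has them, which is the quickest way to confirm which of the two static maps a given packet is actually hitting.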

