NetBSD-Users archive


Re: npf on a router: configuration issues



bad%bsd.de@localhost (Christoph Badura) writes:

>I see only https://rmind.github.io/npf/intro.html#processing discussing
>this a bit.  That seems to be a different concept.  I.e. packets are
>processed "on each interface a packet is traversing, either as incoming or
>outgoing."


Actually, packets are not processed "on an interface".

npf is an instance of bpf. Most people know bpf as being
attached to an interface and processing incoming and
outgoing packets in the interface driver (using bpf_mtap()).
That's how e.g. tcpdump uses it.

But bpf can also be attached to the IP layer, and that's
what npf is using and why it cannot filter non-IP packets.

ip_input() and ip_output() call pfil_run_hooks which calls
the installed npf filters. ip_forward() is just calling
ip_output() internally, so you get a forwarded packet
filtered on ingress and egress.

Some pseudo interfaces (like carp) call ip_output() or
inject data into the ip packet queue. Then the filters
may run again (usually on an encapsulated/decapsulated
packet).

And then we have a "fast forward" logic in the ethernet
and ppp code when the kernel is compiled with the GATEWAY
option and net.inet.ip.maxflows > 0. If I understand the
code correctly, this will bypass the IP layer and IP filters
for packets forwarded on a known IP flow.
