Subject: Re: stopping PF NAT state from "floating" ?
To: None <tech-net@netbsd.org>
From: Daniel Carosone <dan@geek.com.au>
List: tech-net
Date: 05/07/2007 16:40:40

On Mon, May 07, 2007 at 01:01:47AM -0500, David Young wrote:
> I am using PF for NAT.  I would like to stop NAT states from floating
> between interfaces.  I have searched all day for a solution, but I have
> not found one.  Does anyone know how?

First question, if this is a "flow" where changing the IP addressing
within the "flow" when the routing changes doesn't break the
application, is whether you need a persistent NAT state at all.

I.e., if they're udp packets that should be hidden behind the relevant
exit interface address, and each packet is essentially independent
from those that precede and follow it, why do you need to keep much
state at all?  You could play with really short timeouts for these NAT
states.  Are there replies to these packets that must come back?
Maybe you want to kill the state immediately on that reply, and let
the next request create a new one-time state?

Alternately, could you try tagging these flows, and when the route
changes, flush all states with the tag.  I don't know pf enough to say
whether there's a way to do that.

> I can see why that might
> be desirable in some cases, but it is bad for my application.

Sure, for anything like a tcp connection, for example. As above, it
seems to me that you don't want/need to be keeping state for these
packets.

> I thought that 'set state-policy if-bound' would help, but I have found
> out in other experiments that it will not.  I believe I understand why not
> after reading the PF sources, especially sys/dist/pf/sbin/pfctl/parse.y
> and sys/dist/pf/net/pf.c.

Hm, I'd have expected the same. Does it make any difference if you
specify it on the rule rather than as a global pref?

--
Dan.
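A pf.conf fragment that puts the suggestions in the reply above into configuration form: per-rule `if-bound` state (rather than the global `set state-policy`), short UDP state timeouts so a stranded state ages out quickly, and a tag on the translated flow. This is an added example, not configuration from the thread, from David Young's setup, or from NetBSD; the interface name `wm0`, the `192.168.1.0/24` network and the tag name `NATFLOW` are made up, and the syntax follows the pf.conf(5) of the OpenBSD 3.x-derived pf shipped in NetBSD at the time, which should be checked against the installed version before use.

```pf
# Added example (not from the thread). Interface, network and tag name are
# constructed; check the state-option syntax against the local pf.conf(5).
ext_if  = "wm0"
int_net = "192.168.1.0/24"

# Global default stays floating; the rules below bind their own states.
set state-policy floating

# Hide the internal net behind whatever address the exit interface has now.
# The tag is carried by the translated packets and the state they create.
nat on $ext_if from $int_net to any tag NATFLOW -> ($ext_if)

# Independent UDP datagrams: bind the state to this interface (a state
# created on wm0 is then not matched on another interface) and age it out
# fast, so a route change only strands a state for a few seconds.
pass out on $ext_if proto udp from $int_net to any \
    keep state (if-bound, udp.first 10, udp.single 5, udp.multiple 20)

# TCP needs its state for the connection's lifetime; keep it interface-bound
# too, so a reroute fails the connection outright rather than translating
# it through the wrong address mid-stream.
pass out on $ext_if proto tcp from $int_net to any flags S/SA \
    keep state (if-bound)
```

Whether `if-bound` on the rule behaves differently from the global policy on this pf version is exactly the open question at the end of the reply, so the UDP rule is the one to test first. The pf of that era has no state kill by tag as far as this example assumes; `pfctl -F states` flushes the whole state table and `pfctl -k <address>` kills states by source host, either of which can serve as the coarse form of the "flush on route change" idea when run from whatever notices the route change.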