Re: kern/53962: npf: weird 'stateful' behavior

To: tech-net%netbsd.org@localhost
Subject: Re: kern/53962: npf: weird 'stateful' behavior
From: Edgar Fuß <ef%math.uni-bonn.de@localhost>
Date: Sun, 17 Feb 2019 12:54:15 +0100

A Timo knows, I'm running NetBSD in production.

I run a "one VLAN per IP range" (minus external, of course) policy.

I'm using packet filtering (currently ipf on 6.1) both on individual servers 
(anti-spoofing, access restriction to certain deamon ports) and on the gateway 
(the only machine with IP forwarding enabled) to restrict inter-network 
traffic. From the ipf bugs I run into, I conclude I'm the only person on 
the planet doing this.

I can think of two filter options that would make my life easier on the GW:
1. On an ingress rule, "if you see this packet on the outbound side, let it 
egress and remember the state there" (possibly limited to a set of interfaces 
(Timo has a Perl script to sort of simulate that)
2. On the egress side, make it possible to match "this packet passed on the 
inbound side", possibly limited to a set of interfaces.

Follow-Ups:
- Re: kern/53962: npf: weird 'stateful' behavior
  - From: Manuel Bouyer

References:
- Re: kern/53962: npf: weird 'stateful' behavior
  - From: fstd . lkml
- Re: kern/53962: npf: weird 'stateful' behavior
  - From: Mindaugas Rasiukevicius

Prev by Date: Re: kern/53962: npf: weird 'stateful' behavior
Next by Date: Re: kern/53962: npf: weird 'stateful' behavior
Previous by Thread: Re: kern/53962: npf: weird 'stateful' behavior
Next by Thread: Re: kern/53962: npf: weird 'stateful' behavior
Indexes:

Home | Main Index | Thread Index | Old Index