Re: Connection closed when npf restarting with rules in non-default group

[triaxx%NetBSD.org@localhost]

Le 28/06/2024 à 17:37, Frédéric Fauberteau a écrit :
> Frédéric Fauberteau writes:
> >     group default {
> >       # [...]
> >       # SSH
> >       pass stateful in final family inet4 proto tcp to $ext_ip4 port ssh
> >       pass stateful in final family inet6 proto tcp to $ext_ip6 port ssh
> >       # [...]
> >     }
>
> Actually, 'service npf restart' closes connection if "on" interface is 
> added to the rule:
>
>        pass stateful in final on $ext_if family inet4 proto tcp to 
> $ext_ip4 port ssh
>        pass stateful in final on $ext_if family inet6 proto tcp to 
> $ext_ip6 port ssh
>
> Is it a bug or a feature?

The scenario below can be reproduced.

| uzqew% ssh -4 kyroz.triaxx.org

npf rule on kyroz:
----------
pass stateful in final on $ext_if family inet4 proto tcp to $ext_ip4 
port ssh
----------

Running the commands below (equivalent to 'service npf restart') on 
kyroz closes the SSH connection:

| kyroz# /sbin/npfctl stop
| kyroz# /sbin/npfctl flush
| kyroz# /sbin/npfctl reload /etc/npf.conf
| kyroz# /sbin/npfctl start

I assume that '/sbin/npfctl start' resets connections on $ext_if or 
something like that...

Now, changing the npf rule (by removing 'on $ext_if') to:
----------
pass stateful in final family inet4 proto tcp to $ext_ip4 port ssh
----------
and running the 4 npfctl's commands above still closes the SSH 
connection. But after reconnecting to kyroy, running the 4 npfctl's 
commands to restart npf doesn't close the SSH connection.

When developing npf rules, is it sufficent to run'/sbin/npfctl reload' 
to apply changes or some changes could require a 'service npf restart'? 
If running 'service npf restart' is required to be sure that any changes 
in npf rules are applied, I would tend not to use '"on" interface'.