tech-userlevel archive


Re: Trying npf again



In article <ad169302-0658-f1d6-f362-2d3b52fb2ba3%NetBSD.org@localhost>,
D'Arcy Cain  <darcy%NetBSD.org@localhost> wrote:
>I tried switching from pf to npf before and it seemed to be not quite 
>ready yet.  I am trying again but running into problems.
>
>My first question - is anyone out there actually running npf in a 
>production environment?
>
>My first issue was running npfctl without having npf installed.  I was 
>trying to create my first config on a GENERIC system.  I wanted to use 
>"npfctl validate" to check if my syntax was OK.  Even with validate it 
>wants to use /dev/npf so I ran it as root thinking that it wouldn't 
>actually do anything with the device.  So wrong.  Not only did it read 
>or write to the device but in doing so it completely hung the server.  I 
>have two issues with this - 1) don't access the device if simply 
>validating the config file and 2) don't create the device if the driver 
>is not installed or at least treat it as /dev/null.

Hmm, I tried 'ktrace /sbin/npfctl validate' in current and then:
$ kdump | grep NAMI| sort -u
 16532      1 ktrace   NAMI  "/libexec/ld.elf_so"
 16532      1 ktrace   NAMI  "/sbin/npfctl"
 16532      1 npfctl   NAMI  "/etc/ld.so.conf"
 16532      1 npfctl   NAMI  "/etc/malloc.conf"
 16532      1 npfctl   NAMI  "/etc/npf.conf"
 16532      1 npfctl   NAMI  "/etc/protocols"
 16532      1 npfctl   NAMI  "/lib/libc.so.12"
 16532      1 npfctl   NAMI  "/lib/libnpf.so.0"
 16532      1 npfctl   NAMI  "/lib/libpcap.so.6"
 16532      1 npfctl   NAMI  "/lib/libprop.so.1"
 16532      1 npfctl   NAMI  "/lib/libutil.so.7"
 16532      1 npfctl   NAMI  "/lib/npf/ext_log.so"
 16532      1 npfctl   NAMI  "/var/db/services.cdb"

And it does not touch /dev/npf... Perhaps -7 is broken?

>So I built a new kernel and ran it under Xen so that I could work from 
>the console and inspect things more easily.  I also ran a normal kernel with 
>npf on a local machine.  There were problems.  Here is my npf.conf.  It 
>may seem a little weird for two reasons: it is generated from a script, 
>and I keep trying different things to make it work.
>
>$ext_if = xennet0
>$int_if = xennet1
># $Id: pf.conf.header 11409 2017-05-10 15:29:19Z darcy $
># Common npf.conf for Vex.Net
>
># These tables include IPs personally known to us.
>table <FRIENDS> type hash file "/etc/friends.list"
>table <ENEMIES> type hash file "/etc/enemies.list"
>
># The auto block table is built by a script examining attacks
>table <AUTOBLOCK> type hash dynamic
>
>alg "icmp"
>set bpf.jit off
>
>procedure "norm" {
>     normalize: "random-id", "min-ttl" 512, "max-mss" 1432
>}
>
>group "external" on $ext_if {
>     pass in final family inet4 proto icmp all
>     pass stateful in final family inet4 proto tcp from <FRIENDS>
>     block in final from <ENEMIES>
>     block in final from <AUTOBLOCK>
>     pass stateful in final proto tcp to any port 22
>     pass in final proto udp to any port 123
>
>     pass out final all
>     block all
>}
>
>group "internal" on $int_if {
>     pass out final on $ext_if proto tcp to 98.158.139.68 port smtp
>     block out final on $ext_if proto tcp to any port smtp
>     pass in final family inet4 proto icmp all
>     pass stateful in final proto tcp all
>     pass in final proto udp all
>     pass out final family inet4 proto tcp all
>}
>
>group "localhost" on inet4(lo0) {
>     pass stateful in final proto tcp to any port 22
>     pass in final proto udp to any port 123
>     pass stateful in final to inet4(lo0) apply "norm"
>}
>
>group default {
>     pass stateful in final proto tcp flags S/SA to any port 22
>     pass in final proto udp to any port 123
>     pass in final on lo0 all
>     pass stateful out final to any
>     block in all
>}
>
>When I start the filter and ssh in from the local network I get this:
>
>$ ssh dilbert.vex.net
>Last login: Thu May 11 16:01:13 2017 from 98.158.139.93
>NetBSD 7.1.0_PATCH (XEN3_DOMU) #0: Tue May 9 20:27:33 EDT 2017
>
>And there it hangs.  The console seems to be alive but "w" hangs for a 
>bit and then shows me that I am logged in.  Top shows no abnormal processes.
>
>I then run "npfctl show" to see if it matches my config.  The system 
>hangs and needs to be hard booted.  I tried <CTRL><ALT><ESC> to see 
>where it is hanging but nothing happens.  Perhaps it doesn't work under Xen.
>
>I am running NetBSD 7.1.0_PATCH (XEN3_DOMU), recently compiled.

Can you test current? I would also try to log all dropped packets.

christos
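As an added example (this is not code from the thread above, nor NetBSD's own code), here is a small sh script covering the two things discussed: it runs "npfctl validate" under ktrace(1) and counts NAMI lookups of /dev/npf, so you can check on your own kernel whether validate really leaves the device alone, and it writes a minimal npf.conf whose block rules apply a "log" procedure, which is the simplest way to act on the "log all dropped packets" suggestion. The interface name xennet0, the file paths and the kdump lines used in the self-check are assumptions or constructed; after "npfctl reload /tmp/npf-log.conf" and "npfctl start" (and "ifconfig npflog0 create" if the interface does not exist yet), "tcpdump -n -i npflog0" shows every packet the block rules drop.

```sh
#!/bin/sh
# Added example, not code from this thread or from NetBSD.  Two helpers:
#  1. dev_npf_lookups / validate_without_device: confirm on your own kernel
#     that "npfctl validate" never opens /dev/npf (the ktrace check above).
#  2. write_logging_conf: a minimal npf.conf whose block rules apply a "log"
#     procedure, so every dropped packet is copied to npflog0.
# Interface names and paths are assumptions; adjust them for your system.

# Read kdump(1) output on stdin and print how many NAMI records name /dev/npf.
dev_npf_lookups() {
    awk '/NAMI/ && /"\/dev\/npf"/ { n++ } END { print n + 0 }'
}

# Run "npfctl validate" on CONF under ktrace and fail if /dev/npf was looked
# up.  Run it as an unprivileged user first, as was done in the thread.
validate_without_device() {
    conf=${1:-/etc/npf.conf}
    trace=$(mktemp /tmp/npf.ktrace.XXXXXX)
    ktrace -f "$trace" /sbin/npfctl validate "$conf"
    n=$(kdump -f "$trace" | dev_npf_lookups)
    rm -f "$trace"
    echo "NAMI lookups of /dev/npf during validate: $n"
    [ "$n" -eq 0 ]
}

# Write a minimal npf.conf (assumed external interface xennet0) that logs
# what it blocks.  Load it with "npfctl reload FILE" and "npfctl start";
# "tcpdump -n -i npflog0" then shows each dropped packet.
write_logging_conf() {
    out=${1:-/tmp/npf-log.conf}
    cat > "$out" <<'EOF'
$ext_if = xennet0

# Rules that end in: apply "log" copy matching packets to npflog0.
procedure "log" {
    log: npflog0
}

group "external" on $ext_if {
    pass stateful in final proto tcp to any port 22
    pass out final all
    block in final all apply "log"
}

group default {
    pass final on lo0 all
    block all apply "log"
}
EOF
    echo "$out"
}
```

validate_without_device prints the count and returns non-zero when the device was touched, so it can sit in a script that refuses to install a config on a GENERIC kernel if validate is not as side-effect-free as expected.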


