NetBSD-Users archive
Re: npf forwarding <-
On Mon, Nov 19, 2018 at 12:10:47PM +0000, Patrick Welche wrote:
> How is npf <- meant to work? This is the simplest test rig I could think of:
>
> # rpi                          laptop                    webserver
> # NetBSD-8.99.25/evbarm        NetBSD-8.99.25/amd64      NetBSD-8.99.25/amd64
> # usmsc0 10.168.204.26/24 <--> wm0 10.168.204.62/24
> #                              iwm0 10.111.65.65/24 <--> wm0 10.111.65.4/24
>
> $ext_if = "iwn0"
> $int_if = "wm0"
>
> $ext_v4 = inet4($ext_if)
> $int_v4 = inet4($int_if)
$int_net = { 10.168.204.0/24 }
[pruned a little too much]
> alg "icmp"
>
> procedure "log" {
> log: npflog0
> }
>
> map $ext_if dynamic $int_net -> $ext_v4
> map $int_if dynamic 10.111.65.4 <- 128.232.132.8
>
> group "external" on $ext_if {
> pass stateful out final all apply "log"
> pass all apply "log"
> }
>
> group "internal" on $int_if {
> pass stateful final all apply "log"
> pass all apply "log"
> }
>
> group "local" on "lo0" {
> pass all apply "log"
> }
>
> group default {
> pass all apply "log"
> }
>
>
> On the rpi, lynx http://webserver/ gets the page successfully.
> However, lynx http://128.232.132.8/ hangs. On the laptop,
> tcpdump -nvi wm0 shows:
>
> 12:05:59.236370 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
> 10.168.204.26.65517 > 128.232.132.8.80: Flags [S], cksum 0x9dbf (correct), seq 1728898885, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0
> 12:05:59.236439 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), length 56, bad cksum 0 (->e1c)!)
> 10.168.204.62 > 10.168.204.26: ICMP host 10.111.65.4 unreachable, length 36
> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
> 10.168.204.26.65517 > 10.111.65.4.8096: [|tcp]
> 12:06:05.238546 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
> 10.168.204.26.65517 > 128.232.132.8.80: Flags [S], cksum 0x9db3 (correct), seq 1728898885, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 13 ecr 0], length 0
> 12:06:05.238638 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), length 56, bad cksum 0 (->e1c)!)
> 10.168.204.62 > 10.168.204.26: ICMP host 10.111.65.4 unreachable, length 36
> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
> 10.168.204.26.65517 > 10.111.65.4.8096: [|tcp]
> 12:06:17.248729 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
> 10.168.204.26.65517 > 128.232.132.8.80: Flags [S], cksum 0x9d9b (correct), seq 1728898885, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 37 ecr 0], length 0
> 12:06:17.248802 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto ICMP (1), length 56, bad cksum 0 (->e1c)!)
> 10.168.204.62 > 10.168.204.26: ICMP host 10.111.65.4 unreachable, length 36
> IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
> 10.168.204.26.65517 > 10.111.65.4.8096: [|tcp]
>
> rpi# ping -c1 10.111.65.4
> PING warbler.flow.bpi.cam.ac.uk (10.111.65.4): 56 data bytes
> 64 bytes from 10.111.65.4: icmp_seq=0 ttl=254 time=4.833378 ms
>
> ----warbler.flow.bpi.cam.ac.uk PING Statistics----
> 1 packets transmitted, 1 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 4.833378/4.833378/4.833378/0.000000 ms
>
>
> What am I missing?
>
>
> Cheers,
>
> Patrick