NetBSD-Users archive
Re: npf on a router: configuration issues
Date: Tue, 08 Apr 2025 19:51:30 -0400
From: Greg Troxel <gdt%lexort.com@localhost>
Message-ID: <rmih62yi54t.fsf%s1.lexort.com@localhost>
Just catching up on some old list e-mail I skipped earlier...
| I have a mental model where the router part of the system forwards
| packets but does not receive or transmit them.
|
|                           host
|                             |
|                    pass up  |  pass down
|                             |
| wm0 ---- pass in -------router---- pass out ------- wm1
That's fine, but it neither is, nor has ever been, the BSD model.
All BSD systems are inherently routers (and while many people don't
like this model, that is how it has always been). The routing
functionality is central to everything in the BSD (internet) stack.
(Unix domain sockets, and other protocols, are, and might be, resp,
different.)
Packets arrive, from an interface (from some other system often,
but not always) or from a socket (from an application sending a
packet, and through the protocol stack) and go to the router.
The router picks an outgoing interface to which to send the packet
(based upon what the routing table says).
If that is lo0 (or more correctly, loN for any N, even though almost
no-one ever configures more than lo0, it can actually be done),
the packet ends up being sent, via the protocol stack, to an application
(if there is one which wants it) or otherwise being processed locally
(e.g., ICMP), or dropped if nothing wants it.
If the outgoing interface is something else, the packet gets sent to
that interface. Strictly that's what happens when it is lo0 as well,
that interface just treats "outgoing" packets completely differently
than other interfaces do (magically transforming them into incoming
packets).
If there is no outgoing interface (no route in the routing table),
the packet is dropped (unreachable - probably returning an ICMP).
This is why the routing table needs a route for every addr the system
owns, with the dest interface being lo0. Even sending (IP) packets
from one application to another on the same host uses this model and
processing sequence.
To that basic model everything else added since (packet filtering,
BPF, multicast, bridges, MPLS, ALTQ, the srt interface ...) has been
bolted on - the underlying structure has never altered.
Configuring the system as a "host" in rc.conf rather than a router
doesn't change any of this, just alters some of the configuration
which is done.
kre
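As an added illustration (not part of kre's post or of NetBSD's own code), the following Python model walks a packet through the forwarding decision described above: one routing table for everything, a /32 route to lo0 for each address the box owns, and a drop when nothing matches. The interface names, addresses and the hook labels ("in wm0", "out lo0") are constructed for the example; the table deliberately has no default route so the unreachable case can be shown.

```python
# Constructed model of the BSD forwarding path from the post above.
# Whether a packet came in on an interface or from a local socket, it is
# matched against the same routing table; an owned address is reached via
# lo0, which turns the "outgoing" packet back into an incoming one.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    ifname: str


# Constructed table: a /32 host route to lo0 for each configured address
# (the kernel adds these itself), the loopback net, and two LAN prefixes.
ROUTES = [
    Route(ipaddress.ip_network("192.0.2.1/32"), "lo0"),
    Route(ipaddress.ip_network("198.51.100.1/32"), "lo0"),
    Route(ipaddress.ip_network("127.0.0.0/8"), "lo0"),
    Route(ipaddress.ip_network("192.0.2.0/24"), "wm0"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "wm1"),
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns the outgoing interface, or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.ifname if best else None


def forward(src_if, dst, routes=ROUTES):
    """Return the ordered list of points the packet passes through.

    src_if is the arrival interface, or "socket" for a locally generated
    packet (which skips the inbound hook and goes straight to the router).
    """
    path = [] if src_if == "socket" else [f"in {src_if}"]
    out = lookup(dst, routes)
    if out is None:
        return path + ["drop: no route (unreachable)"]
    path.append(f"out {out}")
    if out == "lo0":
        # lo0 hands its "outgoing" packet back to the stack as incoming.
        path += ["in lo0", "deliver: local stack/socket"]
    return path
```

Running `forward("socket", "192.0.2.1")` shows a locally generated packet to the box's own address still goes out via lo0 and comes back in, exactly as a packet arriving on wm1 for that address does.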