Experiments with npf on -current

To: tech-net%netbsd.org@localhost
Subject: Experiments with npf on -current
From: David Brownlee <abs%absd.org@localhost>
Date: Sun, 20 Nov 2011 20:37:04 +0000

I've had a quick test of npf on a dual attached machine which usually ran pf.

# /etc/rc.d/pf stop
# modunload pf
# modload npf
# modstat|grep 'pf '



First tried nat, but could not get it to take effect:

int_if = "bge1"
int_net = "192.168.2.0/24"
ext_if = "bge0"
nat $ext_if from $int_net to any -> $ext_if


# npfctl stats
Packets passed:
        570636 default pass
        0 ruleset pass
        0 session pass

Packets blocked:
        0 default block
        0 ruleset block

Session and NAT entries:
        0 session allocations
        0 session destructions
        0 NAT entry allocations
        0 NAT entry destructions
[...]



Then tried a simple block rule:

group (name "internal", interface $int_if) {
    block in quick proto tcp to any port 80
}

/etc/rc.d/npf reload
Reloading NPF ruleset.
npfctl: n-code size got wrong (36 != 72)


/netbsd & /stand/amd64/5.99.56/modules/npf/npf.kmod  from the same
build last night.
Could there be anything obvious I'm missing?

Thanks

Follow-Ups:
- Re: Experiments with npf on -current
  - From: Mindaugas Rasiukevicius

Prev by Date: Re: ipsec/l2tp/ppp
Next by Date: Re: Experiments with npf on -current
Previous by Thread: ipsec/l2tp/ppp
Next by Thread: Re: Experiments with npf on -current
Indexes:

Home | Main Index | Thread Index | Old Index