tech-net archive


Re: kern/53962: npf: weird 'stateful' behavior



> - NPF connection state is generally per-interface, but see below.  Bypassing
> the ruleset on other interfaces can have security implications, e.g. a packet
> with a spoofed IP address might bypass ingress filtering.  Hence the design
> decision to default to such behaviour (so you control what's happening on
> other interfaces with a ruleset there).
I actually like the per-interface state for various reasons including the one
you mentioned.  However it does come with the downside of rule multiplication.

Since with my last patch (including ifid in connkey) I have something that
works the way I intend and it's "in production" now, here's a bit of syntactic
inspiration as to how the rule multiplication could be countered:

Basically when writing my npf.conf I pretend 'egress <interface list>' is a
valid construct so my rules look like this:

| pass stateful in on wm1 egress pppoe0,wm2 final proto tcp from $foo to $bar

and a perl script will generate from that:

| pass stateful in on wm1 final proto tcp from $foo to $bar
| pass stateful out on pppoe0 final proto tcp from $foo to $bar
| pass stateful out on wm2 final proto tcp from $foo to $bar

(and sort it in the right groups).  
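As an added illustration of the pre-processing the post describes (this is not the poster's Perl script, and it is not part of NPF): the script below rewrites the pseudo-construct `egress <interface list>` into one `in on` rule plus one `out on` rule per egress interface, then buckets the results by interface. Everything here is an assumption made for the example: it is written in Python rather than Perl, the sample pseudo-config is constructed, the interface-name pattern is a guess, and the `group "<if>" on <if> { ... }` layout it emits is one plausible way of "sorting it in the right groups", not the poster's actual output. `egress` is not valid npf.conf syntax; only the expanded rules may reach the real npf.conf.

```python
import re

# Constructed sample in the poster's pseudo-syntax (not from the original
# post).  'egress' is NOT an npf.conf keyword; it exists only in this
# pre-processed file and must never reach npf.conf unexpanded.
SAMPLE_PSEUDO_CONF = """\
pass stateful in on wm1 egress pppoe0,wm2 final proto tcp from $foo to $bar
pass stateful in on wm2 egress pppoe0 final proto udp from $lan to any port 53
block in on pppoe0 final from $bogons
"""

# Assumed shape of a pseudo-rule: '... in on <if> egress <if1>,<if2> ...'.
# The interface-name character class is an assumption, not npf's grammar.
_EGRESS_RE = re.compile(r"\s+egress\s+([A-Za-z0-9_.,]+)(?=\s|$)")
_IN_ON_RE = re.compile(r"\bin\s+on\s+([A-Za-z0-9_.]+)\b")
_ON_RE = re.compile(r"\b(?:in|out)\s+on\s+([A-Za-z0-9_.]+)\b")


def expand_egress(rule):
    """Return the list of real npf rules one pseudo-rule stands for.

    A rule without 'egress' is returned unchanged.  A rule with 'egress'
    must be an 'in on <iface>' rule: the ingress rule is kept as-is and,
    for every listed egress interface, a copy with 'out on <that iface>'
    is added so that per-interface state gets created there as well.
    """
    m = _EGRESS_RE.search(rule)
    if m is None:
        return [rule]
    if not _IN_ON_RE.search(rule):
        raise ValueError("'egress' is only defined for 'in on <iface>' rules: %r" % rule)
    ifaces = [i for i in m.group(1).split(",") if i]
    if not ifaces:
        raise ValueError("empty egress interface list: %r" % rule)
    base = rule[:m.start()] + rule[m.end():]       # drop ' egress a,b'
    expanded = [base]
    for iface in ifaces:
        expanded.append(_IN_ON_RE.sub("out on " + iface, base, count=1))
    return expanded


def expand_config(text):
    """Expand every non-empty, non-comment line of a pseudo-config."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        rules.extend(expand_egress(stripped))
    return rules


def group_by_interface(rules):
    """Bucket rules by the interface named in their 'in on'/'out on'."""
    groups = {}
    for r in rules:
        m = _ON_RE.search(r)
        if m is None:
            raise ValueError("rule names no interface, cannot place it: %r" % r)
        groups.setdefault(m.group(1), []).append(r)
    return groups


def render_groups(groups):
    """Emit one 'group "<if>" on <if> { ... }' block per interface (assumed layout)."""
    lines = []
    for iface in sorted(groups):
        lines.append('group "%s" on %s {' % (iface, iface))
        for r in groups[iface]:
            lines.append("\t" + r)
        lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_groups(group_by_interface(expand_config(SAMPLE_PSEUDO_CONF))))
```

One thing worth keeping in mind when using an expansion like this: each generated `out on pppoe0 ... from $foo to $bar` rule is an independent rule, not something tied to the `in on wm1` rule it was derived from. Any packet leaving pppoe0 that matches `from $foo to $bar` will pass and create state, whichever interface it entered on, so the ingress rules on the other interfaces (the anti-spoofing point raised in the quoted reply) still have to do their job.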

