tech-net archive


Re: npf questions/experience migrating from ipf on NetBSD8



> 1) In NetBSD 8 (probably 9?), need to modify the GENERIC
>    kernel to include(uncomment):
>      pseudo-device   npf             # NPF packet filter
>      pseudo-device   bpfilter        # Berkeley packet filter
>    Should this be listed somewhere?
>    Probably in "The Guide" update for npf?
> 2) Looks like we ought to be clear what sysctl variables need
>    to be set to what...
>    For my ipf setup, already had:
>      net.inet.ip.forwarding=1
>    Do I also need:
>      kern.securelevel=0  ?
> 3) At a minimum will want to add in rc.conf or rc.local:
>    npf=YES (disable the ipf stuff with NO for testing)
>    anything else in here? npfd or some logging daemon?
> 4) What do I need to do to enable logging in npf? I can see the
>    directives in the example config file, but no logs
>    seem to be written?
>    Would like a log like I get with ipf with action/rule/addresses
>    in human readable form.

On 4, figured out logging via what's in npfd... good enough...

Q 5) assuming I can get NAT to function...
In ipf we have an rdr directive in addition to map.
The npf examples have some directives, but not quite what I want...
I would like to redirect/map any outbound request for ntp or dns
to these services on my local server.

>
> After recompiling a GENERIC NetBSD 8_Stable kernel with npf
> pseudo-device, I could ping the internet from the console, but
> not from machines attached to my lan...
> Here are some diagnostics...
> # npfctl list -n
Is empty... no NAT taking place that I can tell?

I even tried a simple, promiscuous ruleset and that also fails to NAT?

# npfctl show
# filtering:    active
# config:       loaded

procedure "log"

map wm0 dynamic any -> 10.1.10.10 pass family inet4 from 192.168.1.0/24 # id="1"

group "external" on wm0 # id="1"
        pass stateful flags S/FSRA # id="2"

group "internal" on bge0 # id="3"
        pass stateful flags S/FSRA # id="4"

group # id="5"
        pass final on lo0 all # id="6"
        block all # id="7"


 # tcpdump -n -e -ttt -i npflog0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on npflog0, link-type PFLOG (OpenBSD pflog file), capture size 262144 bytes
 00:00:00.000000 rule 4.rules.0/0(match): pass in on bge0: 192.168.1.2.61991 > 172.217.4.46.443: Flags [S], seq 3013848542, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.000005 rule 2.rules.0/0(match): pass out on wm0: 192.168.1.2.61991 > 172.217.4.46.443: Flags [S], seq 3013848542, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.000004 rule 4.rules.0/0(match): pass out on bge0: 192.168.1.1 > 192.168.1.2: ICMP host 172.217.4.46 unreachable, length 36
 00:00:00.076195 rule 4.rules.0/0(match): pass in on bge0: 192.168.1.2.61992 > 52.85.79.57.443: Flags [S], seq 2317300665, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.000005 rule 2.rules.0/0(match): pass out on wm0: 192.168.1.2.61992 > 52.85.79.57.443: Flags [S], seq 2317300665, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.000003 rule 4.rules.0/0(match): pass out on bge0: 192.168.1.1 > 192.168.1.2: ICMP host 52.85.79.57 unreachable, length 36
 00:00:00.091642 rule 4.rules.0/0(match): pass in on bge0: 192.168.1.2.61971 > 35.201.124.9.443: Flags [S], seq 638454253, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.000004 rule 2.rules.0/0(match): pass out on wm0: 192.168.1.2.61971 > 35.201.124.9.443: Flags [S], seq 638454253, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.000004 rule 4.rules.0/0(match): pass out on bge0: 192.168.1.1 > 192.168.1.2: ICMP host 35.201.124.9 unreachable, length 36

> Comments/pointers welcome...
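As an added, illustrative /etc/npf.conf for the setup described in this message (it is not the poster's file and not copied from NetBSD's own documentation), putting the pieces of questions 3 to 5 together: outbound dynamic NAT on wm0, the inbound "<-" map form that NPF uses where ipf has rdr, so that DNS and NTP requests from LAN clients are steered to a local server, and the "log" procedure wired to npflog0. The interface names wm0 and bge0 and the 192.168.1.0/24 network come from the post; the server address 192.168.1.1 and the choice of the wm0 address as translation address are assumptions. The "<-" redirect syntax and the trailing "pass proto ... from ..." filter follow the npf.conf(5) grammar as I recall it, so run the file through npfctl validate before loading it. One thing the npflog0 capture above does show on its own: the SYNs leaving wm0 still carry the 192.168.1.2 source, so whatever the cause, the map rule is not rewriting them; a working map shows the wm0 address there instead.

```conf
# Added example npf.conf (not the poster's ruleset). Names and addresses
# marked "assumed" are placeholders to adjust for the real network.
$ext_if = { inet4(wm0) }        # uplink, from the post
$int_if = { inet4(bge0) }       # LAN side, from the post
$localnet = { 192.168.1.0/24 }  # LAN prefix, from the post
$local_srv = 192.168.1.1        # assumed: LAN address of the box running DNS/NTP

procedure "log" {
        # the log interface must exist before the rules load:
        #   ifconfig npflog0 create
        log: npflog0
}

# Outbound NAT: rewrite the LAN source to the wm0 IPv4 address.
# Using $ext_if as the translation address resolves to the interface's
# (single) IPv4 address; with several addresses give one explicitly.
map $ext_if dynamic $localnet -> $ext_if

# ipf "rdr" equivalent: "<-" translates the DESTINATION of packets coming
# in on $int_if. Queries from the LAN to any DNS or NTP server are sent
# to $local_srv instead. Service names resolve via /etc/services.
map $int_if dynamic $local_srv port domain <- any port domain pass proto udp from $localnet
map $int_if dynamic $local_srv port domain <- any port domain pass proto tcp from $localnet
map $int_if dynamic $local_srv port ntp <- any port ntp pass proto udp from $localnet

group "external" on $ext_if {
        pass stateful out final all
        block in final all
}

group "internal" on $int_if {
        # stateful pass creates the session the dynamic map rules need;
        # "apply log" sends matches to npflog0 for tcpdump -i npflog0
        pass stateful in final from $localnet apply "log"
        pass out final all
}

group default {
        pass final on lo0 all
        block all
}
```

To activate it the way the message's question 3 asks: net.inet.ip.forwarding=1 stays set as for ipf, rc.conf gets npf=YES and npfd=YES (the latter for the logging daemon), the npflog0 interface is created before the ruleset loads, and after editing the file, npfctl validate followed by npfctl reload and npfctl start (or a restart of the npf rc script) put it into effect; npfctl list then shows the active sessions, which is the quickest check that the map rule is actually creating NAT state.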