I have this as /etc/dhcpcd.exit-hook

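#!/bin/sh
# Skip loopback and tunnel interfaces; their events do not affect NAT.
case "$interface" in
    lo[0-9]* | tun[0-9]*) exit;;
esac
# Any other interface event: reload NPF so it picks up the current address.
/etc/rc.d/npf reload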

On Mon, 16 Jan 2023, 19:01 Jeremy C. Reed, <[email protected]> wrote:

> Last week, my NetBSD NPF router got a new IP address via DHCP.
>
> npfctl list showed many entries with the nat-addr:port with the old
> address.
>
> I did a npfctl reload and my NAT started working again.
>
> Today it happened again.
>
> "npfctl show" shows the current IP address in the map.
>
> Part of my /etc/npf.conf follows:
>
> $ext_if = "re1"
> $int_if = "re0"
> $ext_addrs = { ifaddrs($ext_if) }
> $localnet = { 172.16.1.0/24 }
>
> # Allow pings
> alg "icmp"
>
> # Perform IPv4 NAT
> map inet4($ext_if) dynamic $localnet -> inet4($ext_if)
>
> group "external" on $ext_if {
>     # Allow all outbound traffic
>     pass stateful out all
>
>     # Block all incoming traffic
>     block in all
> }
>
> group "internal" on $int_if {
>     # Pass everything to internal networks,
>     # should be ok, because we are nat'ed.
>     pass final all
> }
>
> # default group is mandatory
> group default {
>     # Loopback interface should allow packets to traverse it.
>     pass final on lo0 all
>     # Block everything by default.
>     block all
> }
>
>
> When the problem began my logs had:
>
> Jan 16 18:28:24 t1 unbound: [210:0] error: event_add failed. in cpsl.
> Jan 16 18:28:25 t1 syslogd[189]: last message repeated 2 times
> Jan 16 18:28:25 t1 unbound: [210:0] error: could not event_del on close
> Jan 16 18:28:25 t1 unbound: [210:0] error: event_add failed. in cpsl.
> ...
> Jan 16 18:28:49 t1 unbound: [210:0] error: could not event_del on close
> Jan 16 18:28:49 t1 unbound: [210:0] error: event_add failed. in cpsl.
>
> Jan 16 18:28:50 t1 dhcpcd[152]: re1: probing for an IPv4LL address
> Jan 16 18:28:50 t1 dhcpcd[152]: re1: using IPv4LL address 169.254.77.128
> Jan 16 18:28:50 t1 dhcpcd[152]: re1: DHCP lease expired
>
> Then it was offered a new IP, added route, changed default route.
>
> I did a "sudo npfctl reload" to get NAT to work again.
>
> How can I get it to automatically reload on external interface changes?
>
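
A narrower variant of the exit-hook above, as an added example that is not part of the thread: it reloads NPF only when the external interface is given an address different from its previous one, so same-address renewals and events on other interfaces do not touch the firewall. It assumes EXT_IF matches $ext_if in npf.conf ("re1" in the quoted config) and relies on the $interface, $reason, $old_ip_address and $new_ip_address variables that dhcpcd passes to its hooks; the function name and the logger tag are made up for this example.

```shell
#!/bin/sh
# Added example for /etc/dhcpcd.exit-hook (not from the thread).
# Assumption: EXT_IF is the NAT-facing interface, $ext_if in npf.conf.
EXT_IF="${EXT_IF:-re1}"

# npf_reload_needed IFACE REASON OLD_ADDR NEW_ADDR
# Returns 0 when the external interface has been given a new IPv4
# address, which is when the NAT map must be rebuilt from ifaddrs().
npf_reload_needed() {
    # Only the external interface carries the NAT map.
    [ "$1" = "$EXT_IF" ] || return 1

    # Only events that configure an address are of interest.
    case "$2" in
        BOUND|RENEW|REBIND|REBOOT|STATIC) ;;
        *) return 1 ;;
    esac

    # No address yet (for example after EXPIRE): nothing to map to.
    [ -n "$4" ] || return 1

    # A renewal that keeps the same address leaves NAT state valid.
    [ "$3" != "$4" ]
}

# Hook body. dhcpcd sets these variables before running the hook;
# the :- defaults keep the script a no-op when run by hand.
if npf_reload_needed "${interface:-}" "${reason:-}" \
        "${old_ip_address:-}" "${new_ip_address:-}"; then
    logger -t npf-hook \
        "$interface: ${old_ip_address:-none} -> $new_ip_address, reloading NPF"
    /etc/rc.d/npf reload
fi
```

The logger line leaves a syslog record next to the dhcpcd messages, so each reload can be matched to the lease change that caused it.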
