In article <ad169302-0658-f1d6-f362-2d3b52fb2...@netbsd.org>, D'Arcy Cain <da...@netbsd.org> wrote:
>I tried switching from pf to npf before and it seemed to be not quite
>ready yet. I am trying again but running into problems.
>
>My first question - is anyone out there actually running npf in a
>production environment?
>
>My first issue was running npfctl without having npf installed. I was
>trying to create my first config on a GENERIC system. I wanted to use
>"npfctl validate" to check if my syntax was OK. Even with validate it
>wants to use /dev/npf so I ran it as root thinking that it wouldn't
>actually do anything with the device. So wrong. Not only did it read
>or write to the device but in doing so it completely hung the server. I
>have two issues with this - 1) don't access the device if simply
>validating the config file and 2) don't create the device if the driver
>is not installed or at least treat it as /dev/null.

Hmm, I tried 'ktrace /sbin/npfctl validate' in current and then:

$ kdump | grep NAMI| sort -u
 16532      1 ktrace   NAMI  "/libexec/ld.elf_so"
 16532      1 ktrace   NAMI  "/sbin/npfctl"
 16532      1 npfctl   NAMI  "/etc/ld.so.conf"
 16532      1 npfctl   NAMI  "/etc/malloc.conf"
 16532      1 npfctl   NAMI  "/etc/npf.conf"
 16532      1 npfctl   NAMI  "/etc/protocols"
 16532      1 npfctl   NAMI  "/lib/libc.so.12"
 16532      1 npfctl   NAMI  "/lib/libnpf.so.0"
 16532      1 npfctl   NAMI  "/lib/libpcap.so.6"
 16532      1 npfctl   NAMI  "/lib/libprop.so.1"
 16532      1 npfctl   NAMI  "/lib/libutil.so.7"
 16532      1 npfctl   NAMI  "/lib/npf/ext_log.so"
 16532      1 npfctl   NAMI  "/var/db/services.cdb"

And it does not touch /dev/npf... Perhaps -7 is broken?

>So I built a new kernel and ran it under Xen so that I could work from
>the console and inspect things more easily. I also ran a normal kernel with
>npf on a local machine. There were problems. Here is my npf.conf. It
>may seem a little weird for two reasons: it is generated from a script
>and I keep trying different things to make it work.
>
>$ext_if = xennet0
>$int_if = xennet1
># $Id: pf.conf.header 11409 2017-05-10 15:29:19Z darcy $
># Common npf.conf for Vex.Net
>
># These tables include IPs personally known to us.
>table <FRIENDS> type hash file "/etc/friends.list"
>table <ENEMIES> type hash file "/etc/enemies.list"
>
># The auto block table is built by a script examining attacks
>table <AUTOBLOCK> type hash dynamic
>
>alg "icmp"
>set bpf.jit off
>
>procedure "norm" {
>  normalize: "random-id", "min-ttl" 512, "max-mss" 1432
>}
>
>group "external" on $ext_if {
>  pass in final family inet4 proto icmp all
>  pass stateful in final family inet4 proto tcp from <FRIENDS>
>  block in final from <ENEMIES>
>  block in final from <AUTOBLOCK>
>  pass stateful in final proto tcp to any port 22
>  pass in final proto udp to any port 123
>
>  pass out final all
>  block all
>}
>
>group "internal" on $int_if {
>  pass out final on $ext_if proto tcp to 98.158.139.68 port smtp
>  block out final on $ext_if proto tcp to any port smtp
>  pass in final family inet4 proto icmp all
>  pass stateful in final proto tcp all
>  pass in final proto udp all
>  pass out final family inet4 proto tcp all
>}
>
>group "localhost" on inet4(lo0) {
>  pass stateful in final proto tcp to any port 22
>  pass in final proto udp to any port 123
>  pass stateful in final to inet4(lo0) apply "norm"
>}
>
>group default {
>  pass stateful in final proto tcp flags S/SA to any port 22
>  pass in final proto udp to any port 123
>  pass in final on lo0 all
>  pass stateful out final to any
>  block in all
>}
>
>When I start the filter and ssh in from the local network I get this:
>
>$ ssh dilbert.vex.net
>Last login: Thu May 11 16:01:13 2017 from 98.158.139.93
>NetBSD 7.1.0_PATCH (XEN3_DOMU) #0: Tue May 9 20:27:33 EDT 2017
>
>And there it hangs. The console seems to be alive but "w" hangs for a
>bit and then shows me that I am logged in. Top shows no abnormal processes.
>
>I then run "npfctl show" to see if it matches my config. The system
>hangs and needs to be hard booted. I tried <CTRL><ALT><ESC> to see
>where it is hanging but nothing happens. Perhaps it doesn't work under Xen.
>
>I am running 7.1.0_PATCH NetBSD 7.1.0_PATCH (XEN3_DOMU) recently compiled.

Can you test current? I would also try to log all dropped packets.

christos
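As an added example (not code from this thread or from NetBSD), the sh script below turns christos's ktrace check into a repeatable test: it reads kdump(1) output and fails if `npfctl validate` looked up /dev/npf, which a config-only validation should never do. It assumes NetBSD's ktrace(1)/kdump(1) and that `npfctl validate` accepts an optional config path; both are assumptions, not stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Trace `npfctl validate` and fail if the
# trace shows a name lookup (NAMI record) of /dev/npf.
# Assumptions: NetBSD ktrace(1)/kdump(1); `npfctl validate [path]`.

# Read kdump(1) text on stdin; print, sorted and deduplicated, every path
# that the npfctl process itself looked up. Records from ktrace or any
# other command are ignored, as are non-NAMI records.
npfctl_paths() {
  awk '$3 == "npfctl" && $4 == "NAMI" { gsub(/"/, "", $5); print $5 }' | sort -u
}

# Read kdump(1) text on stdin; return 0 if no /dev/npf lookup appears,
# return 1 (with a message on stderr) if one does.
validate_stays_off_device() {
  if npfctl_paths | grep -q '^/dev/npf'; then
    echo "FAIL: npfctl validate looked up /dev/npf" >&2
    return 1
  fi
  echo "OK: no /dev/npf lookup in trace"
  return 0
}

# Trace a real run of `npfctl validate` against $1 (default /etc/npf.conf).
# NetBSD only; on -7 this is the very case that hung D'Arcy's server, so run
# it in a disposable VM first.
trace_validate() {
  conf=${1:-/etc/npf.conf}
  trfile=$(mktemp) || return 1
  ktrace -f "$trfile" /sbin/npfctl validate "$conf" >/dev/null 2>&1
  if kdump -f "$trfile" | validate_stays_off_device; then rc=0; else rc=1; fi
  rm -f "$trfile"
  return $rc
}

# Only trace when asked explicitly, so sourcing this file has no side effects.
if [ "${1:-}" = "--trace" ]; then
  trace_validate "${2:-}"
fi
```

Run it as `sh npf-validate-check.sh --trace /etc/npf.conf` on the host under test; the two helper functions can also be fed a saved kdump listing on stdin.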