Setting up NetBSD Packet Filter (NPF)

Requirements

NPF should be built into the kernel (it is by default, including for XEN/PV guests, since NetBSD 9). Check that NPF and the BPF JIT are present:

    modstat | egrep "npf|jit"

NAT

    sysctl net.inet.ip.forwarding
    sysctl -w net.inet.ip.forwarding=1

    cp -pi /etc/sysctl.conf /etc/sysctl.conf.dist
    echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
    cat /etc/sysctl.conf

    ifconfig -a
    ls -lF /usr/share/examples/npf/
    vi /etc/npf.conf

    # placeholders: the NAT rule below needs the public interface and address defined
    $ext_if = "EXT-IF"
    $pub_ip = PUBLIC-IP

    set bpf.jit off
    #set bpf.jit on

    group default {
            pass in all
            pass out all
    }

    # outbound NAT: the internal network leaves through the public address
    map $ext_if dynamic INTERNAL/24 -> $pub_ip

    chmod 400 /etc/npf.conf

If you need port forwarding, add an inbound (redirect) map as well:

    map $ext_if dynamic proto tcp INTERNAL-IP port XXXX <- PUBLIC-IP port XXXX
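A complete npf.conf that puts the two map rules above together with a default-deny filter, as an added example (not part of the original page): interface names, addresses and the forwarded port are assumed placeholders, and the log procedure relies on the npflog0 interface created in the logging section further down.

```npf
# Added example: full /etc/npf.conf for a NAT gateway with one port forward.
# All names and addresses below are assumed placeholders; substitute your own.
$ext_if = "xennet0"             # public-facing interface (assumed)
$int_if = "xennet1"             # internal interface (assumed)
$pub_ip = 203.0.113.10          # placeholder public address (documentation range)
$localnet = { 192.168.1.0/24 }  # placeholder internal network

set bpf.jit off

# Outbound NAT: the internal network leaves through the public address
map $ext_if dynamic $localnet -> $pub_ip
# Inbound redirect: public port 2222 -> internal host port 22 (placeholder host)
map $ext_if dynamic proto tcp 192.168.1.10 port 22 <- $pub_ip port 2222

# Logging to npflog0 needs the npf_ext_log module (or a kernel that has it
# built in) and the npflog0 interface created beforehand
procedure "log" {
	log: npflog0
}

group "external" on $ext_if {
	pass stateful out final all
	# inbound filtering sees the pre-translation destination, so match the
	# public address and port; only the forwarded port is reachable, and it is logged
	pass stateful in final proto tcp to $pub_ip port 2222 apply "log"
}

group "internal" on $int_if {
	block in all
	pass in final from $localnet
	pass out final all
}

# everything not matched above is dropped, except loopback
group default {
	pass final on lo0 all
	block all
}
```

Unlike the permissive `pass in all` / `pass out all` default group above, this version blocks everything that is not explicitly passed, so check the rules with `npfctl show` after reloading.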

Ready to go

    echo npf=yes >> /etc/rc.conf
    cat /etc/rc.conf

    tail -F /var/log/messages

    /etc/rc.d/npf reload
    #/etc/rc.d/npf restart

    shutdown -r now

Tuning & Blacklistd

Optionally raise the securelevel, if it is not already set in the kernel config.

    sysctl kern.securelevel
    sysctl -w kern.securelevel=1

    echo securelevel=1 >> /etc/rc.conf
    echo kern.securelevel=1 >> /etc/sysctl.conf
    cat /etc/sysctl.conf

Enable blacklistd and load the kernel modules it needs before raising the securelevel, since modules cannot be loaded at securelevel 1.

Operations

edit

    cp -pi /etc/npf.conf /etc/npf.conf.`date +%s`
    vi /etc/npf.conf

reload

    /etc/rc.d/npf reload

status

    npfctl show

TODO logging

    ifconfig npflog0 create
    echo create > /etc/ifconfig.npflog0

Resources

npf.conf – NPF packet filter configuration file https://netbsd.gw.com/cgi-bin/man-cgi?npf.conf https://netbsd.gw.com/cgi-bin/man-cgi?npf.conf++NetBSD-current

npf-params – tunable NPF parameters (NetBSD-current only) https://netbsd.gw.com/cgi-bin/man-cgi?npf-params+7+NetBSD-current

rmind/npf https://github.com/rmind/npf/

overall

NPF tasklist https://www.netbsd.org/~rmind/npf/__tasklist.html

kernel

troubleshooting

Trash

Update: since NetBSD 9 there is no need to recompile your XEN kernel anymore.

For a XEN guest, the XEN howto says:

In standard kernels, npf is a module, and thus cannot be loaded in a DOMU kernel.

Therefore, compile your own NetBSD/XEN domU kernel with NPF built in and PF disabled; otherwise the build stops with the following error:

    ../../../../net/npf/npf_if.c:53:2: error: #error "NPF and PF are mutually exclusive; please select one"
