Setting up NetBSD Packet Filter (NPF)

Requirements

You should have the npf and bpfilter drivers built-in. They are by default incl. for XEN/PV, since v9. Otherwise build a custom kernel. Also enable blacklistd and the required kernel modules first – as you cannot load those in securelevel 1. Ehm, this is why we use securelevel 0 instead, for magic happens and it goes to 1 by itself afterwards.

    pseudo-device   npf                     # NPF packet filter
    pseudo-device   bpfilter                # Berkeley packet filter

check

    modstat | grep npf
    modstat | grep bpf
    modstat | grep jit

IP forwarding

dynamically

    sysctl net.inet.ip.forwarding
    sysctl kern.securelevel
    sysctl -w net.inet.ip.forwarding=1
    sysctl -w kern.securelevel=0

statically

    mv -i /etc/sysctl.conf /etc/sysctl.conf.dist
grep -vE '^(#|$)' /etc/sysctl.conf.dist > /etc/sysctl.conf
    chmod 600 /etc/npf.conf

    echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
    echo kern.securelevel=0 >> /etc/sysctl.conf
    cat /etc/sysctl.conf

    echo securelevel=0 >> /etc/rc.conf
    cat /etc/rc.conf

NAT

port forwarding is commented out

    vi /etc/npf.conf

    set bpf.jit on;

    group default {
            pass in all
            pass out all
    }

    map FACING-NIC dynamic INTERNAL/24 -> FACING-IP
    #map FACING-NIC dynamic proto tcp INTERNAL-IP port XXXX <- FACING-IP port XXXX

Ready to go

start & enable

    echo npf=yes >> /etc/rc.conf
    cat /etc/rc.conf

    tail -F /var/log/messages &
    /etc/rc.d/npf start

status

    npfctl show

edit & reload

    cp -pi /etc/npf.conf /etc/npf.conf.`date +%s`
    vi /etc/npf.conf
    /etc/rc.d/npf reload

Acceptance

check that your gateway settings survive a reboot

    shutdown -r now

Troubles

    npfctl: error loading the bpfjit module; performance will be degraded: Operation not permitted
    npfctl: To disable this warning `set bpf.jit off' in /etc/npf.conf

TODO logging

    ifconfig npflog0 create
    echo create > /etc/ifconfig.npflog0

Resources

https://wiki.netbsd.org/tutorials/kernel_secure_levels/

/usr/share/examples/npf/

npf.conf – NPF packet filter configuration file https://netbsd.gw.com/cgi-bin/man-cgi?npf.conf https://netbsd.gw.com/cgi-bin/man-cgi?npf.conf++NetBSD-current

current-only // npf-params – tunable NPF parameters https://netbsd.gw.com/cgi-bin/man-cgi?npf-params+7+NetBSD-current

rmind/npf https://github.com/rmind/npf/

overall

NPF tasklist https://www.netbsd.org/~rmind/npf/__tasklist.html

kernel

troubleshooting

Trash

Update: since netbsd v9 - no need to recompile your xen kernel anymore!

As for a XEN guest, quoting the XEN howto

In standard kernels, npf is a module, and thus cannot be loaded in a DOMU kernel.

therefore compile your own NetBSD/XEN domU kernel and disable PF for that unless you wanna watch the following error

    ../../../../net/npf/npf_if.c:53:2: error: #error "NPF and PF are mutually exclusive; please select one"

Nethence | Pub | Lab | Pbraun | SNE Russia