NetBSD Problem Report #57084
From www@netbsd.org Thu Nov 17 04:20:15 2022
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 3EE9C1A921F
for <gnats-bugs@gnats.NetBSD.org>; Thu, 17 Nov 2022 04:20:15 +0000 (UTC)
Message-Id: <20221117042013.D1A741A9239@mollari.NetBSD.org>
Date: Thu, 17 Nov 2022 04:20:13 +0000 (UTC)
From: th@sdf.org
Reply-To: th@sdf.org
To: gnats-bugs@NetBSD.org
Subject: When configuring a NAT subnet address for a dynamic map in npf.conf, npf does not report misconfigurations and filtering silently fails
X-Send-Pr-Version: www-1.0
>Number: 57084
>Category: bin
>Synopsis: When configuring a NAT subnet address for a dynamic map in npf.conf, npf does not report misconfigurations and filtering silently fails
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Nov 17 04:25:00 +0000 2022
>Last-Modified: Thu Nov 17 22:44:23 +0000 2022
>Originator: theo
>Release: 9.2
>Organization:
>Environment:
NetBSD localhost 9.2 NetBSD 9.2 (GENERIC) #0: Wed May 12 13:15:55 UTC 2021 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
When configuring npf for NAT dynamic map filtering, using an address for the "localnet" that isn't the network address for the corresponding subnet causes the map filter to fail, while no error is reported.
For example, configuring the filter with the following map: `map $ext_if dynamic $localnet -> $ext_v4` (from soho_gw-npf.conf) works when `$localnet = { X.Y.Z.0/24 }` is defined, but does not work when `$localnet = { X.Y.Z.1/24 }` is defined.
It would seem that in the latter case, the filter is considering the host address X.Y.Z.1 when matching packets, and comparing that host address with a packet's network address (i.e. any address - host or other - from this network, with the subnet mask applied) to see if said packet should be forwarded.
Of course, since no address of the form X.Y.Z.* masked with the CIDR netmask /24 ever matches the host address X.Y.Z.1, no packet is ever forwarded. However, when such a configuration is used, npf's configuration parsing should either fail immediately and report an error, or report a warning and implicitly use the network address instead of the specified host address when matching incoming packets.
>How-To-Repeat:
Configure npf for a NAT using the soho_gw-npf.conf template in a functioning way (e.g. with $localnet defined as { X.Y.Z.0/24 }) and change the localnet to { X.Y.Z.1/24 }. Then restart npf. No traffic will be forwarded back to any machine behind the NAT.
>Fix:
To correct the problem, Riastradh on irc.libera.chat has suggested having npf use the network address instead of the host address for the $localnet definition when parsing the configuration (e.g. npfctl_bpf_cidr should [...] do `word &= wordmask` in the `if (wordmask)` branch) and, additionally or alternatively, to assert that the configured value is correct (e.g. `assert(word == (word & wordmask))`) and have npf report a user-visible warning (if it also does the former processing) or an error (if it does not) when the assertion fails.
>Release-Note:
>Audit-Trail:
>Unformatted: