
npf's People

Contributors: alexk99, dhgutteridge, m00nbsd, outscale-gle, outscale-mgo, perseant, riastradh, rmind, tih, yazshel


npf's Issues

Dropping packets with IPv4/IPv6 options

Description

It would be nice to add an option in NPF to drop packets with IPv4/IPv6 options. This is an important yet missing feature, and IPv4/IPv6 options are a significant problem in network security.

The point is that IPv4/IPv6 options are big enablers when it comes to exploitation: they are hard to parse (that is, the parser can easily be buggy), and they allow the actual payload to be pushed farther into the mbuf, in a way that makes it a lot easier to exploit buffer overflows.

Two years ago I wrote a patch for that using BPF. Unfortunately I realized it wasn't correct, because when a connection already exists NPF does a pass-through of the packet without applying BPF rules, meaning that the subsequent TCP packets in the stream could have IPv4/IPv6 options and NPF would accept them.

Patch Suggestion

Probably the correct way to proceed is using npf-params, with ip4.drop_options and ip6.drop_options, along the lines of:

 		/* Retrieve the complete header. */
 		if ((u_int)(ip->ip_hl << 2) < sizeof(struct ip)) {
 			return NPC_FMTERR;
 		}
+		if (npf->ip4_drop_options && (ip->ip_hl != 5)) {
+			return NPC_FMTERR;
+		}
 		ip = nbuf_ensure_contig(nbuf, (u_int)(ip->ip_hl << 2));
 		if (ip == NULL) {
 			return NPC_FMTERR;
 		}
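Review bot: the new test `ip->ip_hl != 5` only means "options present" because the check immediately above has already rejected `ip_hl < 5`, so it is really `ip_hl > 5`; writing it as `(ip->ip_hl << 2) > sizeof(struct ip)` makes that intent self-evident and does not depend on the ordering of the two checks. Returning NPC_FMTERR for a well-formed packet also folds a policy drop into the malformed-packet path, so an operator cannot tell "options rejected by policy" from "garbage header" in the statistics; a distinct return code or counter would be preferable. The hunk does not show where `npf->ip4_drop_options` is declared or registered as an npf-param, so the parameter plumbing still needs to be part of the same change. Finally, IGMP carries the IPv4 Router Alert option, so a default-on drop would break multicast group management on any box acting as a router; that is worth documenting alongside the parameter.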
 			case IPPROTO_HOPOPTS:
 			case IPPROTO_DSTOPTS:
 			case IPPROTO_ROUTING:
+				if (npf->ip6_drop_options) {
+					return NPC_FMTERR;
+				}
 				hlen = (ip6e->ip6e_len + 1) << 3;
 				break;
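Review bot: the check fires only in the HOPOPTS, DSTOPTS and ROUTING cases, so `ip6_drop_options` should be documented as not covering the Fragment or AH extension headers, which the hunk leaves untouched. The same NPC_FMTERR concern applies here: a packet with a Hop-by-Hop header is not malformed, and reporting it as such hides the policy drop in the format-error statistics. Note that MLD (IPv6 multicast listener discovery) is carried with a Router Alert Hop-by-Hop option, so a default of dropping extension headers will break IPv6 multicast on a router; that caveat belongs next to the suggested default. The placement itself is fine: the return happens before `hlen` is read, so no length field of a rejected header is ever consumed.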

By default I think that IPv4/IPv6 options should be dropped, like PF does.
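A standalone illustration of the check the post proposes, added here as example code (written for this page, not NPF's own code; the packet bytes are hand-assembled rather than captured, and the HDR_* result codes are this example's names, not NPF's NPC_* codes). It classifies an IPv4 header by IHL and walks the IPv6 extension-header chain with a bounds check before every read, so it can be exercised on the kinds of packets the post is worried about: options, a chain hidden behind a Fragment header, and a truncated header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum { HDR_OK = 0, HDR_MALFORMED = 1, HDR_HAS_OPTIONS = 2 };

/* IPv4 carries options exactly when IHL > 5, i.e. the header is longer than 20 bytes. */
int ipv4_options_check(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return HDR_MALFORMED;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tlen = ((size_t)pkt[2] << 8) | pkt[3];
    if (hlen < 20 || hlen > len || tlen < hlen || tlen > len)
        return HDR_MALFORMED;
    return hlen > 20 ? HDR_HAS_OPTIONS : HDR_OK;
}

/*
 * IPv6: walk the extension-header chain with a bounds check before every read.
 * Hop-by-Hop (0), Routing (43) and Destination Options (60) are the headers the
 * post wants rejected; Fragment (44) and AH (51) are only traversed, so options
 * placed behind them are still found. The final next-header value goes to *ulp.
 */
int ipv6_options_check(const uint8_t *pkt, size_t len, uint8_t *ulp)
{
    if (len < 40 || (pkt[0] >> 4) != 6)
        return HDR_MALFORMED;
    size_t plen = ((size_t)pkt[4] << 8) | pkt[5];
    if (40 + plen > len)
        return HDR_MALFORMED;
    len = 40 + plen;                          /* ignore any trailer past the payload */
    uint8_t nxt = pkt[6];
    size_t off = 40;
    int result = HDR_OK;

    for (int depth = 0; depth < 8; depth++) { /* bounded chain length: no unbounded loop on hostile input */
        if (nxt != 0 && nxt != 43 && nxt != 60 && nxt != 44 && nxt != 51) {
            if (ulp) *ulp = nxt;              /* upper-layer protocol, or 59 = no next header */
            return result;
        }
        if (off + 8 > len)                    /* every extension header is at least 8 bytes */
            return HDR_MALFORMED;
        size_t hlen;
        switch (nxt) {
        case 0:                               /* Hop-by-Hop is only valid directly after the IPv6 header */
            if (off != 40) return HDR_MALFORMED;
            /* fall through */
        case 43: case 60:
            hlen = ((size_t)pkt[off + 1] + 1) * 8;
            result = HDR_HAS_OPTIONS;
            break;
        case 44:
            hlen = 8;
            break;
        default:                              /* 51: AH length is in 4-byte words, minus 2 */
            hlen = ((size_t)pkt[off + 1] + 2) * 4;
            break;
        }
        if (off + hlen > len)
            return HDR_MALFORMED;
        nxt = pkt[off];
        off += hlen;
    }
    return HDR_MALFORMED;                     /* chain too long: treat as malformed */
}

/* Convenience: upper-layer protocol number, or -1 for a malformed packet. */
int ipv6_upper_layer(const uint8_t *pkt, size_t len)
{
    uint8_t ulp = 0;
    return ipv6_options_check(pkt, len, &ulp) == HDR_MALFORMED ? -1 : ulp;
}

/* Constructed sample packets (hand-assembled for this example, not captures). */
#define V6_SRC 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x01
#define V6_DST 0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x02
#define TCP_SYN 0x04,0xd2,0x00,0x50, 0,0,0,1, 0,0,0,0, 0x50,0x02,0x20,0x00, 0,0,0,0   /* 20-byte TCP SYN */

const uint8_t sample_v4_plain[] = {           /* IHL=5, no options */
    0x45,0x00,0x00,0x14, 0,0,0x40,0, 64,6,0,0, 10,0,0,1, 10,0,0,2 };
const uint8_t sample_v4_ra[] = {              /* IHL=6: Router Alert option (0x94), as IGMP uses */
    0x46,0x00,0x00,0x18, 0,0,0x40,0, 1,2,0,0, 10,0,0,1, 224,0,0,1, 0x94,0x04,0,0 };
const uint8_t sample_v6_plain[] = {           /* next header = TCP directly */
    0x60,0,0,0, 0x00,0x14, 6,64, V6_SRC, V6_DST, TCP_SYN };
const uint8_t sample_v6_hbh[] = {             /* Hop-by-Hop with Router Alert (as MLD uses), then TCP */
    0x60,0,0,0, 0x00,0x1c, 0,64, V6_SRC, V6_DST, 6,0, 0x05,0x02,0,0, 0x01,0, TCP_SYN };
const uint8_t sample_v6_frag_dst[] = {        /* Fragment, then Destination Options, then TCP */
    0x60,0,0,0, 0x00,0x24, 44,64, V6_SRC, V6_DST, 60,0,0,0, 0xab,0xcd,0xef,0x01,
    6,0, 0x01,0x04,0,0,0,0, TCP_SYN };

int main(void)
{
    printf("v4 plain: %d\n", ipv4_options_check(sample_v4_plain, sizeof sample_v4_plain));          /* 0 */
    printf("v4 RA: %d\n", ipv4_options_check(sample_v4_ra, sizeof sample_v4_ra));                   /* 2 */
    printf("v6 plain: %d\n", ipv6_options_check(sample_v6_plain, sizeof sample_v6_plain, NULL));    /* 0 */
    printf("v6 HBH: %d\n", ipv6_options_check(sample_v6_hbh, sizeof sample_v6_hbh, NULL));          /* 2 */
    printf("v6 frag+dst: %d (ulp %d)\n",
           ipv6_options_check(sample_v6_frag_dst, sizeof sample_v6_frag_dst, NULL),
           ipv6_upper_layer(sample_v6_frag_dst, sizeof sample_v6_frag_dst));                        /* 2, 6 */
    printf("v6 HBH truncated: %d\n", ipv6_options_check(sample_v6_hbh, 44, NULL));                  /* 1 */
    return 0;
}
```

Two practical points follow from the post. First, as it explains, a check like this is only effective if it runs on every packet, before the connection lookup; a rule-level (BPF) match is skipped for established flows. Second, both sample "options" packets above are legitimate control traffic (IGMP uses the IPv4 Router Alert option, MLD the IPv6 one), so a default-on drop on a router needs an exemption for those or multicast group management stops working.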

npfctl: fstat: No such file or directory

I don't know what's wrong, everything compiled ok...

Using Debian 10.4.

root@npf:~/npf# npfctl start
npfctl: fstat: No such file or directory

npfctl debug works

Thanks in advance.

Issue with running on CentOS 7

The software compiles quite nicely on CentOS 7 x64, and when I began to try npfctl, it complained that it was missing /dev/npf. As I've been a fan of PF for a while (and just trying out NPF on NetBSD), I thought I'd give it a shot to see if these powerful firewalls can run on Linux as well.

What I'm wondering is if there's a way to safely make the proper device nodes that NPF needs on CentOS; I've tried using the mknod command to manually make a node, but it seems that npfctl doesn't pick up on it.

Segmentation fault when running npf_dpdk_demo on CentOS 7

Hi, I am running npf on CentOS 7.
The environment:
CPU:E5-2620 v3
NIC:I350 Gigabit Network Connection 1521
Linux Kernel:4.4.15
Distribution: Centos 7.6.1810
DPDK:17.11.2
When I had compiled npf_dpdk_demo, I ran it with the command sudo ./build/npf_dpdk_demo -c1 -n1 and got the error [1] 23335 segmentation fault ./npf_dpdk_demo -c 1 -n 1, so I used gdb to debug npf_dpdk_demo with the same args. The result was:

Breakpoint 1, main (argc=<optimized out>, argv=<optimized out>)
    at /root/satoshi/npf/dpdk/npf_dpdk_demo.c:254
254		for (unsigned i = 0; i < (16 * 1024); i++) {
(gdb) n
255			process_packets(npf, ifp, PFIL_IN, c);
(gdb) n

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff68ff61c in malloc_consolidate () from /lib64/libc.so.6
(gdb) n
Single stepping until exit from function malloc_consolidate,
which has no line number information.
[Thread 0x7ffff7fd7980 (LWP 26480) exited]
No unwaited-for children left.
Couldn't get registers: No such process.

I am new to npf, and I don't know how to solve this problem. Your help will be greatly appreciated!

Exporting does not handle associated ALGs and rule procedures

Configuration exporting (npfctl save) does not capture the following:

  • ALG and its state associated with the NAT entry (see npf_nat_export()).
  • Rule procedure calls and parameters (see npf_rprocset_export()).

The former needs some refactoring: the NAT entry should probably use ALG IDs and the ALG API should be extended to support exporting/importing of the custom ALG data. The rule procedure API needs to be similarly extended.

Broken allocation failure branches

Description

npf_conn_establish (invoked from the packet-processing path in softint context) has an error branch to handle memory allocation failure in thmap_put (via npf_conndb_insert), but the error branch calls thmap_del (via npf_conndb_remove), which relies on memory allocation to succeed (rmind/thmap#11):

npf/src/kern/npf_conn.c

Lines 477 to 480 in 2efbe28

if (!npf_conndb_insert(conn_db, bk, con, NPF_FLOW_BACK)) {
npf_conn_t *ret __diagused;
ret = npf_conndb_remove(conn_db, fw);
KASSERT(ret == con);

This error branch is essentially guaranteed to crash -- see, e.g.: https://gnats.netbsd.org/57208

Environment and configuration

Environment:

  • NPF environment: NetBSD
  • Operating system version: NetBSD xxx.xxxx.net 9.2 NetBSD 9.2 (GENERIC) #0: Wed May 12 13:15:55 UTC 2021 [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC amd64
  • NPF version: NetBSD 9.2 (but the problem persists in npf master, NetBSD HEAD)

Configuration:
N/A

Any additional information

  • For userspace where allocation is never guaranteed to succeed, thmap_del callers need to be taught to handle failure and retry later.
  • For kernel where allocation can sleep, thmap_del needs to be made to sleep, and callers must defer it to thread context (with no spin locks held) where it can safely do so. npf_tableset.c needs to do this outside any spin locks.

Build fails on Ubuntu 18.04

When running make deb on Ubuntu 18.04, I get the following error. I believe the "npf_parse.h" is auto-generated by yacc.

lex -o npf_scan.c npf_scan.l
cc -g -O2 -fdebug-prefix-map=/home/student/sources/npf/pkg=. -fstack-protector-strong -Wformat -Werror=format-security -std=gnu99 -O2 -g -Wall -Wextra -Werror -D_POSIX_C_SOURCE=200809L -D_GNU_SOURCE -D_DEFAULT_SOURCE -I. -D__RCSID\(x\)= -D__dead= -D__printflike\(x,y\)= -Wno-unused-local-typedefs -Wno-unused-result -Wno-unknown-warning-option  -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Wmissing-declarations  -Wshadow -Wcast-qual -Wcast-align -Wwrite-strings -Wold-style-definition -DNDEBUG -Dgetprogname\(\)=\"npfctl\" -Wno-sign-compare -c npf_scan.c -o npf_scan.o
npf_scan.l:36:10: fatal error: npf_parse.h: No such file or directory
 #include "npf_parse.h"
          ^~~~~~~~~~~~~
compilation terminated.
Makefile:74: recipe for target 'npf_scan.o' failed
make[3]: *** [npf_scan.o] Error 1
make[3]: *** Waiting for unfinished jobs....
make[3]: Leaving directory '/home/student/sources/npf/pkg/SOURCES/npfctl'
dh_auto_build: cd SOURCES && make -j8 -C npfctl returned exit code 2
debian/rules:27: recipe for target 'override_dh_auto_install' failed
make[2]: *** [override_dh_auto_install] Error 2
make[2]: Leaving directory '/home/student/sources/npf/pkg'
debian/rules:16: recipe for target 'binary' failed
make[1]: *** [binary] Error 2
make[1]: Leaving directory '/home/student/sources/npf/pkg'
dpkg-buildpackage: error: fakeroot debian/rules binary subprocess returned exit status 2
Makefile:18: recipe for target 'deb' failed
make: *** [deb] Error 2

Some context to help with debugging, output from yacc --version.

bison (GNU Bison) 3.0.4
Written by Robert Corbett and Richard Stallman.

Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Output from flex --version:

flex 2.6.4

Build issue Ubuntu 21.10 GCC11.2

Hi
Trying to build on Ubuntu 21.10 with GCC 11.2, I get this error:

In file included from /usr/include/string.h:519,
from stand/npf_stand.h:26,
from npf.h:21,
from npf_impl.h:37,
from npf_rproc.c:25:
In function ‘stpncpy’,
inlined from ‘strlcpy’ at stand/npf_stand.h:236:8,
inlined from ‘npf_ext_register’ at npf_rproc.c:113:2:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:103:10: error: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Werror=stringop-truncation]
103 | return __builtin___stpncpy_chk (__dest, __src, __n,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
104 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from /usr/include/string.h:519,
from stand/npf_stand.h:26,
from npf.h:21,
from npf_impl.h:37,
from npf_if.c:45:
In function ‘stpncpy’,
inlined from ‘strlcpy’ at stand/npf_stand.h:236:8,
inlined from ‘npf_ifmap_copylogname’ at npf_if.c:189:3:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:103:10: error: ‘__builtin_strncpy’ output may be truncated copying between 0 and 16 bytes from a string of length 16 [-Werror=stringop-truncation]
103 | return __builtin___stpncpy_chk (__dest, __src, __n,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
104 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
In function ‘stpncpy’,
inlined from ‘strlcpy’ at stand/npf_stand.h:236:8,
inlined from ‘npf_rproc_create’ at npf_rproc.c:279:2:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:103:10: error: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Werror=stringop-truncation]
103 | return __builtin___stpncpy_chk (__dest, __src, __n,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
104 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
npf_if.c: At top level:
cc1: note: unrecognized command-line option ‘-Wno-unknown-warning-option’ may have been intended to silence earlier diagnostics
cc1: all warnings being treated as errors
In file included from /usr/include/string.h:519,
from stand/npf_stand.h:26,
from npf.h:21,
from npf_impl.h:37,
from npf_tableset.c:43:
In function ‘stpncpy’,
inlined from ‘strlcpy’ at stand/npf_stand.h:236:8,
inlined from ‘npf_table_create’ at npf_tableset.c:350:2:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:103:10: error: ‘__builtin_strncpy’ specified bound 32 equals destination size [-Werror=stringop-truncation]
103 | return __builtin___stpncpy_chk (__dest, __src, __n,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
104 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
npf_rproc.c: At top level:
cc1: note: unrecognized command-line option ‘-Wno-unknown-warning-option’ may have been intended to silence earlier diagnostics
cc1: all warnings being treated as errors
make[1]: *** [Makefile:90: build/npf_if.lo] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:90: build/npf_rproc.lo] Error 1
In file included from /usr/include/string.h:519,
from stand/npf_stand.h:26,
from npf.h:21,
from npf_impl.h:37,
from npf_ruleset.c:32:
In function ‘stpncpy’,
inlined from ‘strlcpy’ at stand/npf_stand.h:236:8,
inlined from ‘npf_rule_alloc’ at npf_ruleset.c:601:3:
/usr/include/x86_64-linux-gnu/bits/string_fortified.h:103:10: error: ‘__builtin_strncpy’ specified bound 64 equals destination size [-Werror=stringop-truncation]
103 | return __builtin___stpncpy_chk (__dest, __src, __n,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
104 | __glibc_objsize (__dest));
| ~~~~~~~~~~~~~~~~~~~~~~~~~
npf_tableset.c: At top level:
cc1: note: unrecognized command-line option ‘-Wno-unknown-warning-option’ may have been intended to silence earlier diagnostics
cc1: all warnings being treated as errors
make[1]: *** [Makefile:90: build/npf_tableset.lo] Error 1
npf_ruleset.c: At top level:
cc1: note: unrecognized command-line option ‘-Wno-unknown-warning-option’ may have been intended to silence earlier diagnostics
cc1: all warnings being treated as errors
make[1]: *** [Makefile:90: build/npf_ruleset.lo] Error 1
make[1]: Leaving directory '/build/npf/npf-master/pkg/SOURCES/kern'
make: *** [Makefile:11: all] Error 2

And second:

npf.c: In function ‘_npf_table_build_const.part.0’:
npf.c:1198:13: error: ‘cdbw_output’ reading 16 bytes from a region of size 14 [-Werror=stringop-overread]
1198 | if (cdbw_output(cdbw, fd, "npf-table-cdb", NULL) == -1) {
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
npf.c:1198:13: note: referencing argument 3 of type ‘const char *’
In file included from npf.c:53:
/usr/include/cdbw.h:53:18: note: in a call to function ‘cdbw_output’
53 | int cdbw_output(struct cdbw *, int, const char[16],
| ^~~~~~~~~~~
npf.c: At top level:
cc1: note: unrecognized command-line option ‘-Wno-unknown-warning-option’ may have been intended to silence earlier diagnostics
cc1: all warnings being treated as errors
make[1]: *** [Makefile:70: npf.lo] Error 1

And the app build has a problem with DPDK 20.11:

arp.c: In function ‘arp_input’:
arp.c:215:24: error: taking address of packed member of ‘struct rte_arp_ipv4’ may result in an unaligned pointer value [-Werror=address-of-packed-member]
215 | arp_cache(ifp, &arp->arp_sip, &arp->arp_sha, targeted);
| ^~~~~~~~~~~~~
arp.c: At top level:
cc1: note: unrecognized command-line option ‘-Wno-unknown-warning-option’ may have been intended to silence earlier diagnostics
cc1: all warnings being treated as errors
make: *** [: arp.o] Error 1

m.

npfctl multi-element parsing/support has problems

There are a few multi-element combinations which are currently not supported by npfctl.

  1. Mixing of protocols, e.g.:
    pass proto { tcp, udp } from 10.0.0.0/8

  2. Mixing of IP addresses and tables:
    pass from { 10.0.0.2, <some-table> }

  3. Static NAT rule expressed with any (e.g. bi-directional NAT entries), e.g.
    map eth0 static no-ports 10.1.1.3 <- any pass family inet4 to 192.0.2.3

Refer to range of IPs and use of wildcards

Hello!
I am not sure about the category of this issue (bug report, improvement suggestion, ...), so I chose to create a blank one.
Using npf in NetBSD 9.0 (release), I did not manage to refer to a range of IPs in the filter syntax. I tried:

block in family inet4 proto tcp from <source_host_IP> to <first_IP_of_range>-<last_IP_of_range>

but this generated a syntax error. My intention was to refer to a range like 192.168.1.10-192.168.1.20, which does not necessarily correspond to a subnet, and which therefore is completely custom.

I avoided the use of a table because I may need to refer to a huge number of IPs, for example 10.0.0.50-10.0.1.251, and writing each of them in a table seems quite inefficient.

Similarly, I tried to refer to any third-level domain in (e.g.) example.org:

block in family inet4 proto tcp from <source_host_IP> to *.example.org

but this provoked a syntax error, too.

Am I using the wrong syntax and some other wildcard characters are needed, or does npf not have these capabilities?

If it's the second case, is there a chance that they will be added in the future?
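One way to get such a range into a table without listing every address, added here as example code (written for this page, not NPF's own): expand the inclusive range into the minimal set of CIDR prefixes. NPF's lpm tables hold prefixes, so the 10.0.0.50-10.0.1.251 range from the post becomes 11 prefix entries instead of 458 individual addresses, and 192.168.1.10-192.168.1.20 becomes 4. The two ranges are the post's; the function names are this example's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct cidr { uint32_t addr; int plen; };

/* Network mask for a prefix length; plen 0 is special-cased because a shift by 32 is undefined in C. */
static uint32_t block_mask(int plen)
{
    return plen == 0 ? 0u : 0xffffffffu << (32 - plen);
}

/* Dotted-quad text to a host-order 32-bit value; returns 1 on success, 0 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d;
    return 1;
}

/*
 * Greedy split of the inclusive range [lo, hi]: at each step emit the largest
 * block that starts at lo, is aligned to its own size and does not pass hi.
 * Any IPv4 range needs at most 62 prefixes. Returns the number written.
 */
size_t range_to_cidrs(uint32_t lo, uint32_t hi, struct cidr *out, size_t max)
{
    size_t n = 0;
    if (lo > hi)
        return 0;
    for (;;) {
        int plen = 32;
        while (plen > 0 &&
               (lo & ~block_mask(plen - 1)) == 0 &&   /* lo is aligned to the next larger block */
               (lo | ~block_mask(plen - 1)) <= hi)    /* and that block ends at or before hi */
            plen--;
        if (n == max)
            return n;                                 /* caller's buffer is full */
        out[n].addr = lo;
        out[n].plen = plen;
        n++;
        uint32_t last = lo | ~block_mask(plen);       /* last address of the block just emitted */
        if (last >= hi)
            return n;
        lo = last + 1;
    }
}

/* i-th prefix of a textual range as "a.b.c.d/n"; NULL if the range is invalid or i is out of range. */
const char *nth_cidr(const char *lo_s, const char *hi_s, size_t i)
{
    static char buf[32];
    struct cidr v[64];
    uint32_t lo, hi;
    if (!parse_ipv4(lo_s, &lo) || !parse_ipv4(hi_s, &hi))
        return NULL;
    size_t n = range_to_cidrs(lo, hi, v, 64);
    if (i >= n)
        return NULL;
    snprintf(buf, sizeof buf, "%u.%u.%u.%u/%d",
             (unsigned)(v[i].addr >> 24), (unsigned)(v[i].addr >> 16) & 255,
             (unsigned)(v[i].addr >> 8) & 255, (unsigned)v[i].addr & 255, v[i].plen);
    return buf;
}

/* Number of prefixes a textual range expands to; 0 for an invalid or reversed range. */
size_t count_cidrs(const char *lo_s, const char *hi_s)
{
    struct cidr v[64];
    uint32_t lo, hi;
    if (!parse_ipv4(lo_s, &lo) || !parse_ipv4(hi_s, &hi))
        return 0;
    return range_to_cidrs(lo, hi, v, 64);
}

int main(void)
{
    const char *ranges[][2] = { { "192.168.1.10", "192.168.1.20" }, { "10.0.0.50", "10.0.1.251" } };
    for (size_t r = 0; r < 2; r++) {
        printf("# %s-%s\n", ranges[r][0], ranges[r][1]);
        for (size_t i = 0; i < count_cidrs(ranges[r][0], ranges[r][1]); i++)
            printf("%s\n", nth_cidr(ranges[r][0], ranges[r][1], i));   /* one prefix per line, ready for a table file */
    }
    return 0;
}
```

The output is one prefix per line, which is the form an lpm table takes, so the range can be loaded as a table and the rule written as `to <range>`; the number of entries grows with the number of alignment boundaries in the range, not with its size.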

Feature Request: Add `npfctl` frontend subcommand to `npf_table_replace()`

Hi again Mindaugas,

Thanks for accepting my previous PR :) As I suggested in the comments there, I was also
thinking of adding a command to npfctl to replace an active table with one rebuilt from a file.

I've actually got this pretty much working so will be submitting a PR for it shortly...

From the original comment on PR #38:

I was also thinking of adding a command to npfctl to replace an active table with one rebuilt from a file. Not only would this be handy for testing, it's also likely to have some real-world usefulness.
I wasn't 100% sure as to where to put this sub-command; keeping it with other commands under npfctl table makes the most sense from a usability perspective. But this does raise the issue of how to incorporate it within the current npfctl table subcommands: these currently all share the same ioctl(2), with a payload of npf_ioctl_table_t, and thus fit well together in the logic of the npfctl_table() command handler. However, adding a replace subcommand would involve a bit of messing up that neat subcommand logic, as the new IOC_NPF_TABLE_REPLACE ioctl is its own beast, more similar to load than anything else. So I'd need to restructure npfctl_table() a bit to accomodate this replace subcommand. Are you happy for me to give that a go, or would you prefer a different approach?

What I'm proposing would be to:

  1. Add a replace subcommand to npfctl_table() in src/npfctl/npfctl.c. A command test early in npfctl_table() would pass control to a new npfctl_table_replace() command handler function.

  2. Add a new npfctl_table_replace(int fd, int argc, char **argv) function, which will:
    a. Parse table name, type and filename from command line arguments
    b. Check that table name exists in the active config and fetch its tid
    c. Build a new nl_table_t with the passed name, type & file using a modified version of npfctl_build_table() (ie. split into 2 to decouple it from the nl_config_t npf_conf global variable, and also allow manually setting the TID)
    d. Call npf_table_replace() with the new table structure.

Does that sound like an acceptable approach?

Cheers,

Timshel

Port forwarding not done

Description

I want to enable port forwarding of ports 17106 and 22222 to a computer on LAN.
I've already asked for help, but got no answers to the problem that could solve it.

The NetBSD box runs:

# uname -a
NetBSD netpi 9.0 NetBSD 9.0 (GENERIC) #0: Fri Feb 14 00:06:28 UTC 2020  [email protected]:/usr/src/sys/arch/i386/compile/GENERIC i386

net.inet.ip.forwarding=1

From the NetBSD box I can access the LAN computer:

# curl 192.168.1.30:17106
<!DOCTYPE html>
<html lang="en" >

<head>

From outside, the Internet, I cannot access it.

In the NetBSD computer, when listening on the external interface, after some seconds:

# tcpdump -en -i ure0 | grep 17106
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ure0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:08:20.818053 00:fa:fa:fa:fa:fa > 00:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 4.4.4.4.55269 > 3.3.3.3.17106: Flags [S], seq 2134094756, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 1 ecr 0], length 0
22:08:26.820016 00:fa:fa:fa:fa:fa > 00:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 4.4.4.4.55269 > 3.3.3.3.17106: Flags [S], seq 2134094756, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 13 ecr 0], length 0
22:08:38.840625 00:fa:fa:fa:fa:fa > 00:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 4.4.4.4.55269 > 3.3.3.3.17106: Flags [S], seq 2134094756, win 32768, options [mss 1460,nop,wscale 3,sackOK,TS val 37 ecr 0], length 0

The npf.conf file:

# npfctl show
# filtering:    active
# config:       loaded

table <int-block> type lpm

procedure "log"

map ure0 dynamic any -> 3.3.3.3 pass family inet4 from 192.168.1.0/24 # id="1"
map ure0 dynamic 192.168.1.30 port 17106 <- any pass family inet4 proto { tcp, udp } to 3.3.3.3 port 17106 # id="2"
map ure0 dynamic 192.168.1.30 port 22222 <- any pass family inet4 proto { tcp, udp } to 3.3.3.3 port 22222 # id="3"

group "external" on ure0 { # id="1"
        pass stateful out final flags S/FSRA # id="2"
        pass stateful in final family inet4 proto tcp flags S/FSRA to ifaddrs(ure0) port 22 apply "log" # id="3"
        pass stateful in final proto tcp flags S/FSRA to ifaddrs(ure0) port { 80, 443, 25, 53, 6000, 9022 } # id="4"
        pass stateful in final proto udp to ifaddrs(ure0) port { 53, 123, 6000 } # id="5"
        pass stateful out final flags S/FSRA # id="6"
}

group "internal" on re0 { # id="7"
        pass in final family inet4 from 192.168.1.0/24 # id="8"
        pass out final all # id="9"
}

group default { # id="a"
        pass final on lo0 all # id="b"
}

3.3.3.3 and 4.4.4.4 are not the real IPs.

Don't know what else to do or check.

Feature Request: replace table contents in single atomic operation

As per my direct emails, I'm working on fixing & improving the NPF support for greyd(8), and am looking for a way to replace the full contents of a table in a single atomic operation.

One possible design option for implementing this functionality:

  • Add commands for IOC_NPF_TABLE ioctl(2) to create, swap and destroy tables:
    • New NPF_CMD_TABLE_SWAP command will be a front-end to npf_tableset_swap()
    • New NPF_CMD_TABLE_CREATE command will create a table (potentially reallocating the current tableset to make enough space and allocating the next available table ID?) Is there a better way to get around the initial tableset size allocation limit?
    • New NPF_CMD_TABLE_REMOVE command to remove a temporary table from the tableset and destroy it, i.e. removing/destroying the swapped-out table.

Any comments/suggestions on the above design?

Addition of npflog(4) man page downstream in NetBSD

Mentioning an item for future considerations when syncing with NetBSD sources. We had a PR (57441) about not having an npflog(4) man page, so I added one. I've placed the man page in the usual place (src/share/man/man4), which seemed to be the NetBSD consensus. (I did ask if we wanted to place it elsewhere to make it easier for you to sync to, should you want it upstream.)

Incorrect parsing near keyword "apply"

Hello,

When I create a new rule for a ruleset with apply "log" via npfctl, I get an error: syntax error near 'log'
Example:

# npfctl rule "test" add pass all apply "log"
stdin:1:18: syntax error near 'log'

npf.conf:

procedure "log" {
    log: npflog0
}

group default {
    ruleset "test"
    pass all apply "log"
}

Also, I face this problem when trying to create the same rule via the npfctl API.
How can I solve this problem?
Thank you!

Race condition with interface on config reload

maxv@netbsd reports:

panic: kernel diagnostic assertion "i <= npf->ifmap_cnt" failed: file "/usr/src/sys/net/npf/npf_if.c", line 152
cpu0: Begin traceback...
...
npf_ifmap_getid() at netbsd:npf_ifmap_getid+0x67
nbuf_init() at netbsd:nbuf_init+0x25
npf_packet_handler() at netbsd:npf_packet_handler+0x46
...

This can happen due to a race condition: there is a short window during npfctl reload when there can be some packets in-flight while the interface index numbers are being re-assigned.

Full Cone NAT

Is it possible to make NAT full cone or port-restricted cone NAT?

Treat packet according to its size

Hi, is it possible to pass/block a packet according to its size? I need to block outgoing UDP/123 (NTP) packets bigger than 128 bytes to disable DDoS amplification. There is nothing about it in the docs.
Thanks.

PPTP: several issues in the code

A few remarks on the latest PPTP additions, CC @alexk99 who may be interested:

  • npfa_pptp_gre_conns_init(): KM_SLEEP does not fail, so either the flag should be KM_NOSLEEP, or the NULL check should be removed.

  • npf_pptp_gre_cache(): there should be a NULL check on the nbuf_advance(), because it will fail if the packet is too small.

  • npfa_pptp_tcp_translate():

    1. The access to tcp may not be safe after the first call to nbuf_advance(), because this function can reorder the underlying mbuf. If this happens, then tcp will point to the previous area, which is now freed.
    2. There should be a NULL check on pptp_call_reply because nbuf_ensure_contig() could fail if the packet is too small.
    3. Now that th_off has a real meaning within NPF, we may want to add a sanity check in npf_cache_all() to make sure that th_off >= 5, and leave with NPC_FMTERR if the check fails. This is to prevent possible surprises later in the NPF stack, and such packets are invalid anyway.

cannot open /dev/npf

Hi, I have compiled all the libs and npf/src on CentOS 7, and I passed all the tests with the command npftest -c /tmp/npf.nvlist -t, but when I run npfctl start I get the error npfctl: cannot open '/dev/npf': No such file or directory.
I don't know what /dev/npf is used for. How to solve the problem?
Your help will be greatly appreciated!

ALG mechanism needs improvements

  • Race condition when unloading ALG module: npf_nat_freealg() vs lock-free readers.
  • Inspection as a loop in npf_alg_conn() is not particularly efficient. It could be optimized to be: 1) per-protocol 2) only limited to ALGs which perform inspection, rather than all.
  • npf_alg_exec() should only be performed if the NAT entry has an associated ALG; it is currently applicable only for the dynamic NAT anyway. If there will be ALGs operating with the static NAT, then npfa_funcs_t::snat could be added.
