bin/51622: npf startup failure when using dhcpcd inet4 and inet6

To: gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: bin/51622: npf startup failure when using dhcpcd inet4 and inet6
From: timshel%fluentdevelopment.com.au@localhost
Date: Fri, 11 Nov 2016 13:10:00 +0000 (UTC)

>Number:         51622
>Category:       bin
>Synopsis:       NPF startup fails when using dhcpcd for inet4 and inet6
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 11 13:10:00 +0000 2016
>Originator:     Timshel Knoll-Miller
>Release:        NetBSD 7.0.2
>Organization:
Fluent Development
>Environment:
System: NetBSD hopkins.fluentdevelopment.com.au 7.0.2 NetBSD 7.0.2 (GENERIC.201610210724Z) amd64
Architecture: x86_64
Machine: amd64 
>Description:
Enabling of NPF at startup has been failing my VPS systems with the
following error:
/etc/npf.conf:1:25: no addresses matched for interface 'vioif0' near ')'

Running `npfctl show` after startup gives:
# filtering:	inactive
# config:	loaded

Doing a /etc/rc.d/npf restart after startup is successful.

I've finally managed to track this down to a timing issue between dhcpcd and
npf when used with both inet4 and inet6 addresses.

dhcpcd forks to the background after assigning one protocol's address.
When npf is enabled, it fails because the interface doesn't have an address
of the alternate protocol. Depending on which address dhcpcd received a
lease or RA from first, this could be either of the inet4() or inet6()
functions.

I've tried specifying both `--waitip 4' and `--waitip 6' to dhcpcd but it
doesn't seem to wait for both types of address to be assigned before
forking to the background.
The dhcpcd.conf(5) manpage says: "It is possible to wait for more than one
address protocol and dhcpcd.conf will only fork to the background when all
waiting conditions are satisfied." but my observations suggests that this
seems to be incorrect.

>How-To-Repeat:
 * Setup an interface on a network with a DHCP server for both IPv4 and
   IPv6 address assignments.
 * Ensure dhcpcd is enabled on the interface (e.g. `dhcpcd=YES' and
   `dhcpcd_args=-qM <interface_name>'). No other addresses should be assigned.
 * Setup a basic npf.conf which includes references to both
   inet4(<interface>) and inet6(<interface>)

--- begin example /etc/npf.conf ---
$ext_if = { inet4(vioif0), inet6(vioif0) }
$ext_if4 = inet4(vioif0)
$ext_if6 = inet6(vioif0)

$services_tcp = { ssh }

group "external" on $ext_if {
        # outbound traffic, generate state per packet
        pass stateful out final family inet6 from $ext_if6 
        pass stateful out final family inet4 from $ext_if4 

        # not being picky about our own address here
        pass in  final family inet6 proto ipv6-icmp all
        pass in  final family inet4 proto icmp      all

        # management services
        pass stateful in final family inet6 proto tcp to $ext_if6 port $services_tcp   
        pass stateful in final family inet4 proto tcp to $ext_if4 port $services_tcp
}

group default {
        pass final on lo0 all
}
--- end example  /etc/npf.conf ---

>Fix:

Unknown.

As mentioned above, I've tried (unsuccessfully) passing --waitip 4 and
--waitip 6 to dhcpcd, but this doesn't seem to wait for both IPv4 and IPv6
addresses to be assigned before continuing as suggested by the manpage.

Prev by Date: Fwd: Re: kern/51621: PT_ATTACH from a parent is unreliable
Next by Date: Re: bin/51622: npf startup failure when using dhcpcd inet4 and inet6
Previous by Thread: PR/51621 CVS commit: src/tests/kernel
Next by Thread: Re: bin/51622: npf startup failure when using dhcpcd inet4 and inet6
Indexes:

Home | Main Index | Thread Index | Old Index