At date and time Fri, 26 Dec 2014 20:10:35 +0000 (UTC), Christos Zoulas wrote:

> In article <20141226020448.EE93.280FC639%netmail.ie@localhost>,
> Gerard Lally <lists+netbsd.users%netmail.ie@localhost> wrote:
> >I have been struggling to get NPF up and running on a NetBSD VPS,
> >specifically a Xen domU. I really think for security reasons NPF should
> >be nearly ready to go, so that we don't have to spend hours researching
> >and pulling our hair out trying to fix what should be a straightforward
> >issue, which leaves a machine vulnerable when it probably needs
> >protection most. It appears this problem came up some years ago, but
> >Googling provides me with no fix.
> >
> >I understand that NetBSD as a Xen domU does not support kernel modules.
> >So the recommendation in the NPF documentation to "modload" npf_ext_log
> >does not apply here. Fine, I took a wild guess and compiled a new Xen
> >domU kernel with the following two lines added to make sure NPF logging
> >and normalisation functionality was compiled into the kernel instead:
> >
> >options NPF_EXT_LOG
> >options NPF_EXT_NORMALISE
> >
> >Needless to say I also made sure pseudo-device npf was enabled as well.
> >
> >I also made sure /dev/npf existed, and I created /etc/ifconfig.npflog0
> >with just the word "create".
> >
> >I kept the contents of npf.conf to a minimum for troubleshooting, but
> >NPF just refuses to load. This is the error I get at boot:
> >
> >npfctl: cannot open '/dev/npf': Device not configured
> >npfctl: cannot open '/dev/npf': Device not configured
> >/etc/rc.d/npf exited with code 1
>
> See if the device driver for npf is registered with the kernel correctly:
>
> $ sysctl kern.drivers | tr , '\n' | grep npf
> [198 -1 npf]

Thank you Christos.

[root]# sysctl kern.drivers | tr , '\n' | grep npf
[198 -1 npf]

> Make sure that the device numbers are correct:
>
> $ ls -l /dev/npf
> crw------- 1 root wheel 198, 0 Oct 13 2013 /dev/npf

[root]# ls -la /dev/npf
crw------- 1 root wheel 198, 0 Dec 26 00:38 /dev/npf

> Look at the ktrace output and see what operation fails:
>
> $ ktrace /sbin/npfctl start
> $ kdump | less

[root]# ktrace /sbin/npfctl start
npfctl: cannot open '/dev/npf': Device not configured
[root]# kdump | less

kdump.txt attached.

I should have added extra information in my last post as well. Better late than never:

NetBSD xxxxxx.xen.prgmr.com 7.0_BETA NetBSD 7.0_BETA (XEN3_DOMU.201412251110Z) amd64

System installed using ftp, from nyftp.netbsd.org, with all sets.

I used the following config to compile the kernel with npf built-in, using syssrc.tgz from NetBSD 7.0_BETA 201412251110Z:

/usr/src/sys/arch/amd64/conf/XEN3_DOMU

Perhaps I caused myself a problem by extracting syssrc.tgz and compiling the kernel as a normal user instead of root? I've just noticed the owner and group on /usr/src/sys/arch/amd64/compile/custom-20141226/ are gerard:wsrc. Should that be root:wsrc instead? (I am in the wsrc group.) I seem to remember reading it's permissible to compile a kernel as a normal user once you're in the wsrc group.

--
Gerard Lally
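An added example, not code from this thread or from NetBSD: a POSIX sh check that automates the first two steps Christos suggested, comparing the character-device major the kernel registered for npf (from kern.drivers) with the major of the /dev/npf node, so a mismatch between the two is reported before reaching for ktrace. It assumes the kern.drivers entry layout "[cmajor bmajor name]", which the thread's own output ([198 -1 npf] next to a /dev/npf of major 198) bears out; the sample inputs in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare the character major that the
# kernel registered for npf (sysctl kern.drivers) with the major number of
# the /dev/npf node. Both inputs are passed as strings so the logic can be
# exercised offline with constructed samples; on a NetBSD host run:
#   check_npf_node "$(sysctl -n kern.drivers)" "$(ls -l /dev/npf)"

# kern.drivers prints comma-separated "[cmajor bmajor name]" entries, with
# -1 meaning "no major of that kind" (assumed layout; the thread's
# [198 -1 npf] beside a major-198 /dev/npf supports it). A leading
# "kern.drivers = " prefix is stripped in case -n was not used.
# Prints the npf character major, or nothing if npf is not registered.
npf_major_from_drivers() {
    printf '%s\n' "$1" | sed 's/^[^=]*= *//' | tr , '\n' |
        awk '{ gsub(/[][]/, ""); if ($3 == "npf") print $1 }'
}

# From an "ls -l /dev/npf" line such as
#   crw------- 1 root wheel 198, 0 Dec 26 00:38 /dev/npf
# print the major number, but only if the node is a character device.
node_major_from_ls() {
    printf '%s\n' "$1" | awk '$1 ~ /^c/ { sub(/,$/, "", $5); print $5 }'
}

# Return 0 when the node's major matches the registered driver, 1 otherwise,
# saying which side of the comparison is wrong.
check_npf_node() {
    drv_major=$(npf_major_from_drivers "$1")
    node_major=$(node_major_from_ls "$2")
    if [ -z "$drv_major" ]; then
        echo "npf is not listed in kern.drivers: the driver is not registered" >&2
        return 1
    fi
    if [ -z "$node_major" ]; then
        echo "/dev/npf is missing or is not a character device node" >&2
        return 1
    fi
    if [ "$drv_major" != "$node_major" ]; then
        echo "major mismatch: kernel has npf at $drv_major, node uses $node_major" >&2
        return 1
    fi
    echo "/dev/npf major $node_major matches the registered npf driver"
    return 0
}
```

If the majors match and open() still fails with ENXIO, the kdump output Christos asked for is the next place to look, since the node is then pointing at the right driver.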