NetBSD-Users archive
Re: NPF - npfctl_config_send: Invalid argument
On Fri, Apr 15, 2016 at 10:39:19AM -0400, D'Arcy J.M. Cain wrote:
> On Thu, 14 Apr 2016 20:13:57 +0000
> coypu%SDF.ORG@localhost wrote:
> > > npfctl: source /usr/src/sys/net/npf/npf_ctl.c line 174
> > > npfctl: npfctl_config_send: Invalid argument
> > >
> > > That source reference doesn't seem to sync to anything in the actual
> > > source. Anyone know what this message indicates?
> >
> > Looks like npf_mk_table_entries(t, ents) returned EINVAL.
>
> Thanks. It still doesn't tell me what I did wrong in the config. I
> have to assume that npf doesn't fail for everyone. Here's my config in
> case it offers clues. Also, since I am just switching from pf any
> critique of the way I am doing things is welcome.
>
> # $Id$
> # Common npf.conf for Vex.Net
>
> $ext_if = inet4(bge0)
> $int_if = inet4(bge1)
>
> # These tables include IPs personally known to us.
> table <FRIENDS> type tree file "/VEX/general/npf/friends.list"
> table <ENEMIES> type tree file "/VEX/general/npf/enemies.list"
>
> # The auto block table is built by a script examining attacks
> table <AUTOBLOCK> type tree dynamic
>
> group "eth0" on $ext_if {
> pass in final family inet4 proto icmp all
> pass stateful in final from <FRIENDS>
> pass stateful out final from <FRIENDS>
> pass in final proto udp from any port ntp
> block in final from any port auth
> block in final from <ENEMIES>
> block in final from <AUTOBLOCK>
> }
>
> group default {
> pass final on lo0 all
> pass final on bge1 all
> block all
> }
>
>
> --
> D'Arcy J.M. Cain <darcy%NetBSD.org@localhost>
> http://www.NetBSD.org/ IM:darcy%Vex.Net@localhost
Sorry - I'm unable to reproduce this issue with your config file.
I don't use a packet filter normally, so I had to make minimal changes
and insert mock entries to the lists. Perhaps the problem is in the list
files.
There are example files in /usr/share/examples/npf, maybe a comparison
against them will help.
I wonder about the use of eth0 (in 'group "eth0" on $ext_if') when your
network interfaces are named bge0, bge1.
The examples use group "external" instead, as well.
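A quick sanity check for the table list files the reply points at, added here as an example (not code from the thread or from npfctl). It assumes the files hold one IP address or CIDR prefix per line, that blank lines and text after `#` are ignorable, and that a prefix with host bits set or a non-address token is what npfctl would reject; the sample file contents are constructed.

```python
import ipaddress
import sys

# Constructed sample of a "type tree file" list such as friends.list.
SAMPLE = """\
# constructed friends.list for demonstration
203.0.113.5
198.51.100.0/24      # office
203.0.113.5          # duplicate of line 2
192.0.2.17/24        # host bits set in a prefix
friend.example       # hostnames are not addresses
2001:db8::/32
"""


def check_table_file(text):
    """Return (entries, problems) for a table list file given as text.

    entries  -> list of ip_network objects that parsed cleanly
    problems -> list of (line number, offending text, reason)
    Assumption: one address or CIDR per line, '#' starts a comment.
    """
    entries, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue  # blank or comment-only line
        try:
            # strict=True rejects prefixes with host bits set,
            # which is the usual cause of a "looks fine" list failing.
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            problems.append((lineno, line, str(exc)))
            continue
        if net in seen:
            problems.append((lineno, line, "duplicate entry"))
            continue
        seen.add(net)
        entries.append(net)
    return entries, problems


def check_table_path(path):
    """Same check for a file on disk, e.g. /VEX/general/npf/friends.list."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return check_table_file(fh.read())


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    ok, bad = check_table_file(text)
    print(f"{len(ok)} valid entries, {len(bad)} problem lines")
    for lineno, line, reason in bad:
        print(f"  line {lineno}: {line!r}: {reason}")
```

Run it against each file named in a `table ... file` line before `npfctl reload`; any reported line is a candidate for the EINVAL seen above.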