tech-net archive


Dynamic & static address grouping in NPF



In an attempt to fix this PR reported by Josh Mayor: https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=59507

the crash (from the PR) was here: "$clientgroup = { $self, $otherip }"
$self = dynamic, $otherip = raw IP

and this is because he was listing a dynamic address first and a raw IP second on the same rule.
 
The basic issue I found: if you have a rule like

pass from { ifaddrs(wm0), 192.164.64.7 }

(both in the same group), you get an assertion failure.

		/*
		 * L3 block cannot be inserted in the middle of a group.
		 * In fact, it never is.  Check and start the group after.
		 */
		if (ingroup) {
			assert(ctx->nblocks == ctx->gblock);
			npfctl_bpf_group_exit(ctx);
		}


This is a comment rmind@ left in a function that fetches the address family.

Group here means a group of addresses (not the group keyword):
{ 192.168.65.7, 192.168.64.8, 192.168.64.9 } => a group

What he means: always load the address family first.

When you list a static address, NPF extracts the address family and uses it first when evaluating a group:

(000) ld   M[0]      // 4 bytes offset into the packet header to get the version
(001) jeq  #0x04     // the address family fetched on the rule (version 4 here)

// ... before you load and compare the addresses.


But NPF doesn't extract and check the version to use in filtering when you enter a dynamic address.
When you put { ifaddrs(wm0), 192.168.64.7 } in the same group, you get:

(000) ld    #0x0     // the index of the dynamic address table
(001) unimp 0x27     // runs the table functions and returns a value based on match or not
(002) ...            // compares and continues

// now, when it is about to evaluate the static IP in the rule,

NPF doesn't allow fetching the address family here because it thinks that should be the first thing checked.
So it tries to exit the group, but before that the dynamic check has already increased nblocks by 1,
so the nblocks == gblock assertion fails.

With this behaviour, NPF tries to tie each rule to one address family.
From your experience with firewall configuration, is this expected behaviour?


Based on this comment by rmind,

	/*
	 * L3 block cannot be inserted in the middle of a group.
	 * In fact, it never is.  Check and start the group after.
	 */

if this is a statement we agree with, then I will make it a compile-time error when you try to insert a raw IP in the middle of a group that begins with a dynamic address.

PS:
You are free to list only dynamic addresses in one group (that doesn't segfault because there is no address family check).
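The following is an added example, not NPF's code and not from the post above: a toy model of the nblocks / gblock bookkeeping the post describes, written to show why the element order inside a group decides whether the L3 (address family) check can still be placed. The names ctx, group_enter, group_exit, done_block, fetch_l3, compile_group and the ELEM_* / COMPILE_* enums are hypothetical; it also assumes that the address family is loaded at most once per rule (the fetched_l3 flag) and that the L3 instructions themselves are not counted as a group block. Where real npfctl hits the assert(), this model returns ERR_L3_MID_GROUP, i.e. the compile-time error the post proposes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* What an element of an address group is in the rule (model, not NPF). */
enum elem {
	ELEM_STATIC,	/* raw IP, e.g. 192.168.64.7 */
	ELEM_DYNAMIC	/* table lookup, e.g. ifaddrs(wm0) */
};

/* Outcome of compiling one group. */
enum result {
	COMPILE_OK = 0,
	ERR_L3_MID_GROUP	/* where real npfctl would trip the assert() */
};

/* Hypothetical compiler context: only the fields the post talks about. */
struct ctx {
	unsigned nblocks;	/* logical blocks emitted so far */
	unsigned gblock;	/* value of nblocks when the current group was entered */
	bool ingroup;
	bool fetched_l3;	/* assumption: address family is loaded at most once */
};

static void
group_enter(struct ctx *c)
{
	c->gblock = c->nblocks;
	c->ingroup = true;
}

static void
group_exit(struct ctx *c)
{
	c->gblock = 0;
	c->ingroup = false;
}

/* Emit one logical block (address compare or table lookup). */
static void
done_block(struct ctx *c)
{
	c->nblocks++;
}

/*
 * Emit the "ld M[0]; jeq #0x04" address-family check.  Inside a group it
 * is only allowed before the group's first block: the group is closed,
 * the L3 check emitted, and the group reopened.  Anywhere later it is an
 * L3 block in the middle of a group, which is the failing case.
 */
static enum result
fetch_l3(struct ctx *c)
{
	if (c->fetched_l3)
		return COMPILE_OK;
	if (c->ingroup) {
		if (c->nblocks != c->gblock)
			return ERR_L3_MID_GROUP;	/* nblocks == gblock no longer holds */
		group_exit(c);
		c->fetched_l3 = true;
		group_enter(c);
		return COMPILE_OK;
	}
	c->fetched_l3 = true;
	return COMPILE_OK;
}

/* Compile one address group { e0, e1, ... } in rule order. */
enum result
compile_group(const enum elem *elems, size_t n)
{
	struct ctx c = { 0, 0, false, false };
	size_t i;

	group_enter(&c);
	for (i = 0; i < n; i++) {
		if (elems[i] == ELEM_STATIC) {
			enum result r = fetch_l3(&c);
			if (r != COMPILE_OK)
				return r;
		}
		done_block(&c);	/* table lookup or cidr compare: one block either way */
	}
	group_exit(&c);
	return COMPILE_OK;
}

int
main(void)
{
	/* Constructed orderings matching the cases discussed in the post. */
	const enum elem static_first[] = { ELEM_STATIC, ELEM_DYNAMIC };	/* { 192.168.64.7, ifaddrs(wm0) } */
	const enum elem dynamic_first[] = { ELEM_DYNAMIC, ELEM_STATIC };	/* { ifaddrs(wm0), 192.168.64.7 } */
	const enum elem dynamic_only[] = { ELEM_DYNAMIC, ELEM_DYNAMIC };	/* { ifaddrs(wm0), ifaddrs(wm1) } */
	const char *msg[] = { "ok", "error: raw IP after a dynamic address in the same group" };

	printf("static first:  %s\n", msg[compile_group(static_first, 2)]);
	printf("dynamic first: %s\n", msg[compile_group(dynamic_first, 2)]);
	printf("dynamic only:  %s\n", msg[compile_group(dynamic_only, 2)]);
	return 0;
}
```

Running it reports the static-first and dynamic-only groups as ok and the dynamic-first group as the error case, which is the ordering in the PR's "$clientgroup = { $self, $otherip }".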
