tech-pkg archive


Re: CVS commit: src/sys/net/npf



"Emmanuel" <joe%netbsd.org@localhost> writes:

> Module Name:	src
> Committed By:	joe
> Date:		Tue Jul  8 15:56:23 UTC 2025
>
> Modified Files:
> 	src/sys/net/npf: npf_handler.c
>
> Log Message:
> Pass frames directly when no layer 2 rules are set
>
> NPF's original implementation of default pass is to block, i.e. if the packet matches absolutely
> no rule, even the default group. We cannot use that in layer 2 as well, since all frames will be
> blocked when no rules are set for layer 2, and that would not be good, since NPF is primarily
> a layer 3 filter.

OK, but we really should be talking in terms of having a documented
specification and complying with it. The text surrounding the
introduction of l2 rules was that not having l2 rules would result in
the previous behavior.

It seems there are at least two things missing, which would be good to
fix before more features:

  - There should be tests that have traditional (l3) rule groups only,
    and that verify that traffic is allowed.

  - There don't seem to be statistics for npf in netstat -s.  I'm not
    saying they have to be there, but there should be some amount of
    counters for the various things that can happen, accessible somehow.
    This became obvious when I ran into the 'all traffic blocked' bug
    and I could not find a counter for blocked output packets.
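For readers unfamiliar with what a "traditional (l3) rule groups only" test would load, below is a constructed npf.conf ruleset that contains no layer 2 (ether) group at all. It is an added illustration, not a configuration from the thread, the commit, or the NPF test suite; the interface name wm0 and the service ports are assumptions. The expected behaviour under the committed change is that, because no layer 2 rules exist, frames are passed to the layer 3 path, where the "external" group admits the listed traffic and the default group blocks the rest.

```conf
# Constructed example: layer-3-only NPF ruleset, no "group ... ether" section.
# Interface and ports are assumed values for illustration.
$ext_if = "wm0"
$services_tcp = { ssh, http, https }

# Layer 3 group bound to the external interface.
group "external" on $ext_if {
	# Allow all outbound traffic and track its state so replies come back.
	pass stateful out final all
	# Allow inbound connections only to the listed TCP services.
	pass stateful in final proto tcp to $ext_if port $services_tcp
}

# Default group: anything not matched above is dropped.
group default {
	pass final on lo0 all
	block all
}
```

A test along the lines the reply asks for would load this ruleset (npfctl validate can be used to syntax-check the file first), send a TCP connection to one of the listed ports and a UDP datagram to an unlisted port on $ext_if, and assert that the first is passed and the second is blocked; if every frame were dropped instead, the layer 2 default-block behaviour described in the log message would be the first thing to suspect.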

