tech-pkg archive
Re: CVS commit: src/sys/net/npf
> On 8 Jul 2025, at 4:03 PM, Greg Troxel <gdt%lexort.com@localhost> wrote:
>
> "Emmanuel" <joe%netbsd.org@localhost> writes:
>
>> Module Name: src
>> Committed By: joe
>> Date: Tue Jul 8 15:56:23 UTC 2025
>>
>> Modified Files:
>> src/sys/net/npf: npf_handler.c
>>
>> Log Message:
>> Pass frames directly when no layer 2 rules are set
>>
>> NPF's original implementation of default pass is to block, i.e. if the packet matches absolutely
>> no rule, even the default group. We cannot use that in layer 2 as well, since all frames would be
>> blocked when no rules are set for layer 2, and that would not be good, since NPF is primarily
>> a layer 3 filter.
>
> OK, but we really should be talking in terms of having a documented
> specification and complying with it. The text surrounding the
> introduction of l2 rules was that not having l2 rules would result in
> the previous behavior.
>
> It seems there are at least two things missing, which would be good to
> fix before more features:
>
> - There should be tests that have traditional (l3) rule groups only,
> and that verify that traffic is allowed.
I agree!!!
Actually, I'm working on making the testing suite better, with more areas covered either together or separately,
so that it will help me catch bugs early. I'm now realizing some fields are actually not tested.
>
> - There don't seem to be statistics for npf in netstat -s.
Maybe I can add that.
> I'm not
> saying they have to be there, but there should be some amount of
> counters for the various things that can happen, accessible somehow.
> This became obvious when I ran into the 'all traffic blocked' bug
> and I could not find a counter for blocked output packets.
npfctl stats???
I used npfctl stats and I saw the default blocks, which helped me to solve the issue.
Emmanuel
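The layer-3-only case Greg asks to have tested above, as an added illustration that is not part of this thread or of NPF's own test suite: an npf.conf that defines only traditional layer 3 rule groups and no layer 2 rules at all, so that after the committed change frames are passed straight through at layer 2 and traffic is decided by these rules alone. The interface name wm0 is an assumed placeholder; the syntax follows npf.conf(5).

```conf
# Constructed example: traditional (layer 3) groups only, no layer 2 rules.
# wm0 is a placeholder interface name.
$ext_if = "wm0"

group "external" on $ext_if {
	# let outbound connections out and track them so replies come back
	pass stateful out final all
	# the one service we accept from outside
	pass stateful in final proto tcp to $ext_if port ssh
	# everything else arriving on the external interface is dropped
	block in all
}

group default {
	pass final on lo0 all
	# NPF's documented default: anything matching no rule is blocked
	block all
}
```

Load it with `npfctl reload /path/to/npf.conf` followed by `npfctl start`, then confirm that outbound and ssh traffic on wm0 is passed rather than dropped, which is the regression the "all traffic blocked" bug produced. `npfctl stats` afterwards shows the packet counters, including the default blocks Emmanuel mentions, so a test can compare the pass and block counts before and after sending traffic instead of relying on the absence of an error.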