Trying npf again

[D'Arcy Cain <darcy%NetBSD.org@localhost>]

I tried switching from pf to npf before and it seemed to be not quite 
ready yet.  I am trying again but running into problems.

My first question - is anyone out there actually running npf in a 
production environment?

My first issue was running npfctl without having npf installed.  I was 
trying to create my first config on a GENERIC system.  I wanted to use 
"npfctl validate" to check if my syntax was OK.  Even with validate it 
wants to use /dev/npf so I ran it as root thinking that it wouldn't 
actually do anything with the device.  So wrong.  Not only did it read 
or write to the device but in doing so it completely hung the server.  I 
have two issues with this - 1) don't access the device if simply 
validating the config file and 2) don't create the device if the driver 
is not installed or at least treat it as /dev/null.

So I built a new kernel and ran it under Xen so that I could work from 
the console and inspect things easier.  I also ran a normal kernel with 
npf on a local machine.  There were problems.  Here is my npf.conf.  It 
may seem a little weird for two reasons, it is generated from a script 
and I keep trying different things to make it work.

$ext_if = xennet0
$int_if = xennet1
# $Id: pf.conf.header 11409 2017-05-10 15:29:19Z darcy $
# Common npf.conf for Vex.Net

# These tables include IPs personally known to us.
table <FRIENDS> type hash file "/etc/friends.list"
table <ENEMIES> type hash file "/etc/enemies.list"

# The auto block table is built by a script examining attacks
table <AUTOBLOCK> type hash dynamic

alg "icmp"
set bpf.jit off

procedure "norm" {
    normalize: "random-id", "min-ttl" 512, "max-mss" 1432
}

group "external" on $ext_if {
    pass in final family inet4 proto icmp all
    pass stateful in final family inet4 proto tcp from <FRIENDS>
    block in final from <ENEMIES>
    block in final from <AUTOBLOCK>
    pass stateful in final proto tcp to any port 22
    pass in final proto udp to any port 123

    pass out final all
    block all
}

group "internal" on $int_if {
    pass out final on $ext_if proto tcp to 98.158.139.68 port smtp
    block out final on $ext_if proto tcp to any port smtp
    pass in final family inet4 proto icmp all
    pass stateful in final proto tcp all
    pass in final proto udp all
    pass out final family inet4 proto tcp all
}

group "localhost" on inet4(lo0) {
    pass stateful in final proto tcp to any port 22
    pass in final proto udp to any port 123
    pass stateful in final to inet4(lo0) apply "norm"
}

group default {
    pass stateful in final proto tcp flags S/SA to any port 22
    pass in final proto udp to any port 123
    pass in final on lo0 all
    pass stateful out final to any
    block in all
}

When I start the filter and ssh in from the local network I get this:

$ ssh dilbert.vex.net
Last login: Thu May 11 16:01:13 2017 from 98.158.139.93
NetBSD 7.1.0_PATCH (XEN3_DOMU) #0: Tue May 9 20:27:33 EDT 2017

And there it hangs.  The console seems to be alive but "w" hangs for a 
bit and then shows me that I am logged in.  Top shows no abnormal processes.

I then run "npfctl show" to see if it matches my config.  The system 
hangs and needs to be hard booted.  I tried <CTRL><ALT><ESC> to see 
where it is hanging but nothing happens.  Perhaps it doesn't work under Xen.

I am running 7.1.0_PATCH NetBSD 7.1.0_PATCH (XEN3_DOMU) recently compiled.

--
D'Arcy J.M. Cain <darcy%NetBSD.org@localhost>
http://www.NetBSD.org/ IM:darcy%Vex.Net@localhost