NetBSD-Bugs archive


bin/54122: npfctl validate coredumps



>Number:         54122
>Category:       bin
>Synopsis:       npfctl validate coredumps
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Apr 13 15:50:00 +0000 2019
>Originator:     Sevan Janiyan
>Release:        NetBSD-HEAD
>Organization:
>Environment:
NetBSD 8.99.37 i386
>Description:
npfctl validate coredumps

#0  0xb7984d47 in _lwp_kill () from /lib/libc.so.12
(gdb) bt
#0  0xb7984d47 in _lwp_kill () from /lib/libc.so.12
#1  0xb7984cd1 in raise () from /lib/libc.so.12
#2  0xb79849a7 in abort () from /lib/libc.so.12
#3  0xb7984554 in __assert13 () from /lib/libc.so.12
#4  0x009ed0b3 in scan_marks.constprop ()
#5  0x009ed108 in npfctl_print_filter.constprop ()
#6  0x009ed6aa in npfctl_config_show ()
#7  0x009fb834 in main ()


Ruleset (wip) I used

$wired_if = "fxp0"
$wifi_if = "ath0"
$hostaddrs = { ifaddrs(fxp0), ifaddrs(ath0) }

$dhcpserver = { 198.51.100.1 }

# sample udp service
$services_udp = { ntp }

# sample mixed service
$backupsrv_v4 = { 198.51.100.11 }
$backupsrv_v6 = { 2001:0DB8:404::11 }
$backup_port = { amanda }

# watching a tcpdump of npflog0, when it only logs blocks,
# can be very helpful for building the rules you actually need
procedure "log" {
     log: npflog0
}

# make a service running on a high port on 127.0.0.1 available on $wired_if
# see also the pass rules below
map $wired_if dynamic 127.0.0.1 port 8080 <- $hostaddrs port 80

group "wired" on $wired_if {

        # not being picky about our own address here
        pass in  final family inet6 proto ipv6-icmp all
        pass out final family inet6 proto ipv6-icmp all
        pass in  final family inet4 proto icmp      all

        pass in  final family inet4 proto tcp \
                from $dhcpserver port bootps to $hostaddrs port bootpc
        pass in  final family inet4 proto udp \
                from $dhcpserver port bootps to $hostaddrs port bootpc

        pass in final family inet6 proto tcp to $hostaddrs port ssh

        # the port mapping
        # Note the filter sees packets before translation
        pass in  final family inet4 proto tcp from any to $hostaddrs port 80
        pass out final family inet4 proto tcp from 127.0.0.1 port 8080 to any

        pass in final family inet4 proto tcp flags S/SA \
                from $backupsrv_v4 to $hostaddrs port $backup_port 
        pass in final family inet4 proto udp \
                from $backupsrv_v4 to $hostaddrs port $backup_port
        pass in final family inet6 proto tcp flags S/SA \
                from $backupsrv_v6 to $hostaddrs port $backup_port 
        pass in final family inet6 proto udp \
                from $backupsrv_v6 to $hostaddrs port $backup_port

        pass stateful in final family inet6 proto udp to $hostaddrs \
                port $services_udp
        pass stateful in final family inet4 proto udp to $hostaddrs \
                port $services_udp

        # only SYN packets need to generate state
        pass stateful out final family inet6 proto tcp flags S/SA \
                from $hostaddrs
        pass stateful out final family inet4 proto tcp flags S/SA \
                from $hostaddrs
        # pass the other tcp packets without generating extra state
        pass out final family inet6 proto tcp from $hostaddrs
        pass out final family inet4 proto tcp from $hostaddrs

        # all other types of traffic, generate state per packet
        pass stateful out final family inet6 from $hostaddrs
        pass stateful out final family inet4 from $hostaddrs

}

group "wifi" on $wifi_if {
        # linklocal
        pass in  final family inet6 proto ipv6-icmp  to fe80::/10
        pass out final family inet6 proto ipv6-icmp from fe80::/10

        # administrative multicasts
        pass in  final family inet6 proto ipv6-icmp  to ff00::/10
        pass out final family inet6 proto ipv6-icmp from ff00::/10

        pass in  final family inet6 proto ipv6-icmp to $hostaddrs
        pass in  final family inet4 proto icmp      to $hostaddrs

        pass in  final family inet4 proto tcp \
                from any port bootps to $hostaddrs port bootpc
        pass in  final family inet4 proto udp \
                from any port bootps to $hostaddrs port bootpc

        pass in final family inet6 proto tcp flags S/SA to $hostaddrs port ssh 

        pass in final family inet6 proto udp to $hostaddrs port $services_udp
        pass in final family inet4 proto udp to $hostaddrs port $services_udp

        # IPSEC
        pass in final family inet6 proto udp to $hostaddrs port isakmp
        pass in final family inet4 proto udp to $hostaddrs port isakmp
        pass in family inet6 proto esp all
        pass in family inet4 proto esp all

        # only SYN packets need to generate state
        pass stateful out final family inet6 proto tcp flags S/SA \
                from $hostaddrs
        pass stateful out final family inet4 proto tcp flags S/SA \
                from $hostaddrs
        # pass the other tcp packets without generating extra state
        pass out final family inet6 proto tcp from $hostaddrs
        pass out final family inet4 proto tcp from $hostaddrs

        # all other types of traffic, generate state per packet
        pass stateful out final family inet6 from $hostaddrs
        pass stateful out final family inet4 from $hostaddrs
}

group default {
        pass final on lo0 all
        block all apply "log"
}
>How-To-Repeat:
npfctl validate npf.conf
npf.conf contains the ruleset above.
>Fix:


