NetBSD-Bugs archive


kern/55288: Kernel panics on "npfctl reload" if setting incorrect variables.



>Number:         55288
>Category:       kern
>Synopsis:       Kernel panics on "npfctl reload" if setting portmap parameters.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat May 23 11:35:00 +0000 2020
>Originator:     Lars-Johan Liman
>Release:        NetBSD 9.0
>Organization:
	Cafax AB
>Environment:
System: NetBSD vpn.cafax.se 9.0 NetBSD 9.0 (XEN3_DOMU) #0: Fri Feb 14 00:06:28 UTC 2020 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/xen/compile/XEN3_DOMU amd64
Architecture: x86_64
Machine: amd64
>Description:
	If you try to set a parameter with a somewhat incorrect name and
        do an "npfctl reload", the kernel will immediately panic and the
        machine will reboot.
>How-To-Repeat:
        # cat >/etc/npf.conf <<EOT
	set portmap.somthingweird 40010
	group default {
	    pass in all
	    pass out all
	}
        EOT

	# npfctl reload
	<crash!>
>Fix:
	None known.

The traceback on the console looks like this:

[  96.9801348] uvm_fault(0xffffd40004af02f0, 0x0, 1) -> e
[  96.9801348] fatal page fault in supervisor mode
[  96.9801348] trap type 6 code 0 rip 0xffffffff802fe1d4 cs 0xe030 rflags 0x10282 cr2 0 ilevel 0 rsp 0xffffd4007a62bbb0
[  96.9801348] curlwp 0xffffd40004ad56a0 pid 955.1 lowest kstack 0xffffd4007a6282c0
[  96.9801348] panic: trap
[  96.9901034] cpu0: Begin traceback...
[  96.9901034] vpanic() at netbsd:vpanic+0x143
[  96.9901034] snprintf() at netbsd:snprintf
[  96.9901034] startlwp() at netbsd:startlwp
[  96.9901034] alltraps() at netbsd:alltraps+0xae
[  96.9901034] npf_config_destroy() at netbsd:npf_config_destroy+0x26
[  96.9901034] npfctl_load() at netbsd:npfctl_load+0x75
[  96.9901034] VOP_IOCTL() at netbsd:VOP_IOCTL+0x3b
[  96.9901034] vn_ioctl() at netbsd:vn_ioctl+0xa5
[  96.9901034] sys_ioctl() at netbsd:sys_ioctl+0x547
[  96.9901034] syscall() at netbsd:syscall+0x9c
[  96.9901034] --- syscall (number 54) ---
[  96.9901034] 7b3c5f7681ba:
[  96.9901034] cpu0: End traceback...

[  96.9901034] dumping to dev 168,1 (offset=8388607, size=0): not possible
[  96.9901034] rebooting...


Sorry, I have no idea where to start looking. :-(

The background is that I wanted to set the port range for NAT.
npf-params(7) says "portmap.min_port" (and "...max_port") but they yield
syntax errors with "npfctl validate". I thought it might be a
documentation error and tried "portmap.min-port" (hyphen instead of
underscore), but still syntax error, so I then tried with
"portmap.minport" (neither hyphen nor underscore). That passed
validation, so I did a "reload", with the result above.

Since then I've been testing other combinations, and I believe the syntax
check will say OK to anything that begins with a proper "xxx.", but it
can be followed by any ".yyy" that is a valid combination of characters,
so "portmap.somethingsweird" will pass, but "somethingweird.max_port"
will not.

So there are essentially two problems here:

1. The syntax checker needs a once-over to make sure it kicks out
   unknown variables.

2. The kernel should deal gracefully with unknown variables.

... and I still haven't found the right words to use for setting the
port interval ... ;-)

Your kind assistance would be appreciated. :-)

				Best regards,
				  /Lars-Johan Liman
-- 
#-------------------------------------------------------------------------
# Lars-Johan Liman, M.Sc.		 ! E-mail: liman%cafax.se@localhost
# Cafax AB				 ! HTTP  : //www.cafax.se/
# Computer Consultants, Sweden		 ! Voice : +46 8 - 564 702 30
#-------------------------------------------------------------------------
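
[Added example, not part of the original report and not NPF source code.] The sketch below contrasts the prefix-only acceptance the reporter describes with an exact-name lookup, and checks all parameters before anything is applied so that an unknown name comes back as an error code. The table bounds and the function names are assumptions; the two parameter names are the ones the report quotes from npf-params(7).

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed table. The two names are the ones the report quotes from
 * npf-params(7); the bounds are assumptions for this sketch. */
struct param_def { const char *name; long min, max; };
static const struct param_def known_params[] = {
    { "portmap.min_port", 1024, 65535 },
    { "portmap.max_port", 1024, 65535 },
};
#define NPARAMS (sizeof(known_params) / sizeof(known_params[0]))

/* Models the behaviour the report describes: only the "xxx." group is
 * compared, so any suffix after a known group is accepted. */
static int prefix_only_accepts(const char *name)
{
    const char *dot = strchr(name, '.');
    if (dot == NULL || dot[1] == '\0')
        return 0;
    size_t glen = (size_t)(dot - name) + 1;   /* group plus the dot */
    for (size_t i = 0; i < NPARAMS; i++)
        if (strncmp(known_params[i].name, name, glen) == 0)
            return 1;
    return 0;
}

/* Strict lookup: the whole name must match a table entry. */
static const struct param_def *param_lookup(const char *name)
{
    for (size_t i = 0; i < NPARAMS; i++)
        if (strcmp(known_params[i].name, name) == 0)
            return &known_params[i];
    return NULL;
}

/* Check every (name, value) pair before anything is applied, so a bad
 * entry is reported as an error code and no partial state is built.
 * On failure *bad is the index of the offending entry. */
static int params_check(const char *const names[], const long vals[],
    size_t n, size_t *bad)
{
    for (size_t i = 0; i < n; i++) {
        const struct param_def *p = param_lookup(names[i]);
        *bad = i;
        if (p == NULL)
            return ENOENT;
        if (vals[i] < p->min || vals[i] > p->max)
            return ERANGE;
    }
    return 0;
}
```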


