NetBSD-Bugs archive


misc/56990: npf: `ruleset` line in npf.conf does not behave as expected following a `block all` line
>Number:         56990
>Category:       misc
>Synopsis:       npf: `ruleset` line in npf.conf does not behave as expected following a `block all` line
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Sep 02 02:10:00 +0000 2022
>Originator:     Zach Hopkins
>Release:        9.3
>Organization:
n/a
>Environment:
NetBSD netbsdvm 9.3 NetBSD 9.3 (GENERIC) #0: Thu Aug 4 15:30:37 UTC 2022 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
Discovered when trying to add blacklistd support into my /etc/npf.conf.
Adding the line `ruleset "blacklistd"` in the middle of a configuration block (group "xxx" {...}) in /etc/npf.conf caused everything to be blocked.
Putting that line at the very beginning or end of the block seemed to work as expected (after MUCH frustration of course!).

This actually does not have anything to do with blacklistd, because that npf ruleset was empty (no hosts blocked yet).
The cause was narrowed down to using the `ruleset "blacklistd"` line after `block all` -- with any ruleset name.

For further context, the bug was first discovered on an amd64 VPS running NetBSD 9.3 when trying to use blacklistd with sshd.
The results were further tested and verified using an amd64 NetBSD 9.3 VM in qemu.
>How-To-Repeat:
# echo '
alg "icmp"
group "filtered" on lo0 {
    block all
    ruleset "test"
    pass all
}
group default {
    pass all
}
' >/etc/npf.conf
# service npf reload
# ping 127.0.0.1
<network unreachable>

The rest of the rule content does not matter; there can be any number of `pass all` and `block all`s in any order.
The ping will not work if there is a `block all` immediately followed by `ruleset "test"` in the config.
The ping will work if there is a `pass all` immediately followed by `ruleset "test"` in the config.
>Fix:
The `ruleset` line can be moved to the top of the configuration block.
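The following is an added check, not part of this report or of NetBSD's own tooling: it scans an npf.conf for the ordering described above (a `ruleset` statement directly after `block all` inside a group) so the pattern can be caught before the config is loaded. The function names and the sample config are constructed; it assumes one statement per line, as in the report.

```sh
#!/bin/sh
# Added example (not from PR 56990): flag a `ruleset` statement that
# directly follows `block all`, the ordering the report says blocks all
# traffic on NetBSD 9.3. Comment-only and blank lines in between are
# ignored, since they do not change the rule order npf sees.

# Usage: npf_check_ruleset_after_block /path/to/npf.conf
# Prints "LINE: ruleset ..." for each hit; exit status 1 if any were found.
npf_check_ruleset_after_block() {
    awk '
        # drop trailing comments and surrounding whitespace
        { line = $0; sub(/#.*/, "", line); gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == "" { next }
        # previous statement was `block all` and this one is a ruleset
        prev_block && line ~ /^ruleset[ \t]+"/ { printf "%d: %s\n", NR, line; bad = 1 }
        { prev_block = (line ~ /^block[ \t]+all$/) }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample reproducing the group from the How-To-Repeat section.
# Returns 1 (the offending `ruleset "test"` line is reported).
npf_demo() {
    tmp=$(mktemp) || return 2
    cat >"$tmp" <<'EOF'
alg "icmp"
group "filtered" on lo0 {
    block all
    ruleset "test"
    pass all
}
group default {
    pass all
}
EOF
    npf_check_ruleset_after_block "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Moving the `ruleset` line ahead of `block all`, as the Fix above suggests, makes the check pass.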
