Re: misc/56990: npf: `ruleset` line in npf.conf does not behave as expected following a `block all` line

[Frank Kardel <kardel%netbsd.org@localhost>]

The following reply was made to PR misc/56990; it has been noted by GNATS.

From: Frank Kardel <kardel%netbsd.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: misc/56990: npf: `ruleset` line in npf.conf does not behave as
 expected following a `block all` line
Date: Fri, 25 Aug 2023 13:14:19 +0200

 Hi,
 
 This is a strange behavior.
 
 Given that change to the default group change the behavior I suspect 
 that the
 
 packets from are not matched by the group definitions for wm0 and wm1.
 
 There are some things to help the analysis.
 
      1) add 'apply "log"' to the block rules and
 
        do "tcpdump -v -e -i npflog0"
 
        This should list which rule (presumably the default group) is the 
 blocking cause and the related interface.
 
        The rule numbers can be found by running "npfctl show"
 
      2) bridge0 is a non-trivial interface especially when packets 
 arrive on an interface without
 
        ip addresses but matching a local ip address it may be that NPF 
 sees bridge0 as incoming
 
        interface that is why 1) is important. If it sees bridge0 as 
 incoming interface it is no wonder
 
        why packets will be blocked by the unmodifies default rule.
 
      3) "brconfig bridge0 ipf" enables the packet filter - this may 
 enable NPF to react correctly
 
        to packets passing bridge0
 
      4) You could revert the patch to npf_ruleset.c to see whether that 
 makes a difference.
 
         I currently have yet to understand why the fix in npf_ruleset.c 
 changes the rule set matching.
 
 Frank