NetBSD-Bugs archive


kern/59615: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland



>Number:         59615
>Category:       kern
>Synopsis:       NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Aug 29 15:30:00 +0000 2025
>Originator:     Leonardo Taccari
>Release:        NetBSD 11.99.1
>Organization:
The NetBSD Foundation
>Environment:
System: NetBSD netbsd 11.99.1 NetBSD 11.99.1 (GENERIC) #0: Fri Aug 29 05:25:51 UTC 2025  mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
When booting a HEAD (11.99.1) kernel with a netbsd-10 userland and
having NPF enabled with some simple rules, all traffic seems to be blocked.
>How-To-Repeat:
- Install netbsd-10:

        # uname -a
        NetBSD netbsd 10.1_STABLE NetBSD 10.1_STABLE (GENERIC) #0: Tue Aug 26 10:37:35 UTC 2025  mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64

- Populate /etc/npf.conf as follows:

        alg "icmp"

        procedure "log" {
                log: npflog0
        }

        group default {
                pass final on lo0 all

                pass stateful out final proto icmp to any
                pass stateful out final proto tcp to any
                pass stateful out final proto udp to any

                block all apply "log"
        }

- Enable NPF:

        # echo npf=yes >> /etc/rc.conf

- (Only for completeness) Check the actual configuration:

        # npfctl show
        # filtering:    active
        # config:       loaded

        procedure "log"

        group default { # id="1"
                pass final on lo0 all # id="2"
                pass stateful out final proto icmp all # id="3"
                pass stateful out final proto tcp flags S/FSRA all # id="4"
                pass stateful out final proto udp all # id="5"
                block all apply "log" # id="6"
        }

- Test that ICMP is working, for example in QEMU:

        # ping -c 4 10.0.2.3
        PING 10.0.2.3 (10.0.2.3): 56 data bytes
        64 bytes from 10.0.2.3: icmp_seq=0 ttl=255 time=18.683200 ms
        64 bytes from 10.0.2.3: icmp_seq=1 ttl=255 time=0.118707 ms
        64 bytes from 10.0.2.3: icmp_seq=2 ttl=255 time=19.959391 ms
        64 bytes from 10.0.2.3: icmp_seq=3 ttl=255 time=0.128701 ms

- Everything works as expected and ICMP packets are sent back and forth
- Backup netbsd-10 kernel via:

        # cp /netbsd /onetbsd

- (Now let's update to HEAD...)
- Extract kern-GENERIC.tar.xz and modules.tar.xz installation sets:

        # tar xJpf /path/to/kern-GENERIC.tar.xz
        # tar xJpf /path/to/modules.tar.xz

- Reboot via `shutdown -r now`
- Double-check that we are running -current:

        # uname -a
        NetBSD netbsd 11.99.1 NetBSD 11.99.1 (GENERIC) #0: Fri Aug 29 05:25:51 UTC 2025  mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64

- Double-check NPF rules via npfctl:

        # npfctl show
        # filtering:    active
        # config:       loaded

        procedure "log"

        group default { # id="1"
                pass final on lo0 all # id="2"
                pass stateful out final proto icmp all # id="3"
                pass stateful out final proto tcp flags S/FSRA all # id="4"
                pass stateful out final proto udp all # id="5"
                block all apply "log" # id="6"
        }

- Retry the ping against the host and see that no replies are received:

        # ping -c 4 10.0.2.3
        PING 10.0.2.3 (10.0.2.3): 56 data bytes
        ping: sendto: Network is unreachable
        ping: sendto: Network is unreachable
        ping: sendto: Network is unreachable
        ping: sendto: Network is unreachable
        ^C
        ----10.0.2.3 PING Statistics----
        4 packets transmitted, 0 packets received, 100.0% packet loss

- Stop NPF:

        # service npf stop
        Disabling NPF.

- Retry the ping and see that ICMP is now working:

        # ping -c 4 10.0.2.3
        PING 10.0.2.3 (10.0.2.3): 56 data bytes
        64 bytes from 10.0.2.3: icmp_seq=0 ttl=255 time=19.665515 ms
        64 bytes from 10.0.2.3: icmp_seq=1 ttl=255 time=0.098813 ms
        64 bytes from 10.0.2.3: icmp_seq=2 ttl=255 time=0.074525 ms
        ^C
        ----10.0.2.3 PING Statistics----
        3 packets transmitted, 3 packets received, 0.0% packet loss
        round-trip min/avg/max/stddev = 0.074525/6.612951/19.665515/11.303859 ms

- Restart NPF (only to reproduce the problem again):

        # service npf start
        Enabling NPF /etc/npf.conf

- Retry the ping and see that, with NPF enabled, no packets are received even
  though outbound ICMP should be permitted:

        # ping -c 4 10.0.2.3
        PING 10.0.2.3 (10.0.2.3): 56 data bytes
        ping: sendto: Network is unreachable
        ^C
        ----10.0.2.3 PING Statistics----
        1 packets transmitted, 0 packets received, 100.0% packet loss
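An added diagnostic (not part of this PR and not NetBSD's own tooling) that encodes the symptom pattern from the steps above: given captured `npfctl show` and `ping` output (the samples below are constructed from the transcript in this report), it flags the case where NPF reports an active, loaded configuration that permits outbound ICMP while every probe already fails in sendto(). That combination points at the loaded rules not being honoured by the kernel, as with the kernel/npfctl version skew described here, rather than at a mistake in the ruleset itself. The function names and verdict words are hypothetical.

```shell
#!/bin/sh
# Added example, not from the PR: classify NPF + ping symptoms.

# Constructed sample: `npfctl show` output after booting the HEAD kernel (copied from the PR).
NPF_SHOW='# filtering:    active
# config:       loaded

procedure "log"

group default { # id="1"
        pass final on lo0 all # id="2"
        pass stateful out final proto icmp all # id="3"
        pass stateful out final proto tcp flags S/FSRA all # id="4"
        pass stateful out final proto udp all # id="5"
        block all apply "log" # id="6"
}'

# Constructed sample: ping output with NPF enabled on the HEAD kernel (from the PR).
PING_BROKEN='PING 10.0.2.3 (10.0.2.3): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
----10.0.2.3 PING Statistics----
2 packets transmitted, 0 packets received, 100.0% packet loss'

# Constructed sample: ping output with NPF stopped (from the PR).
PING_OK='PING 10.0.2.3 (10.0.2.3): 56 data bytes
64 bytes from 10.0.2.3: icmp_seq=0 ttl=255 time=19.665515 ms
64 bytes from 10.0.2.3: icmp_seq=1 ttl=255 time=0.098813 ms
----10.0.2.3 PING Statistics----
2 packets transmitted, 2 packets received, 0.0% packet loss'

# npf_state "<npfctl show output>": active-loaded | active-unloaded | inactive | unknown
npf_state() {
    if printf '%s\n' "$1" | grep -q '^# filtering:[[:space:]]*active'; then
        if printf '%s\n' "$1" | grep -q '^# config:[[:space:]]*loaded'; then
            echo active-loaded
        else
            echo active-unloaded
        fi
    elif printf '%s\n' "$1" | grep -q '^# filtering:[[:space:]]*inactive'; then
        echo inactive
    else
        echo unknown
    fi
}

# npf_passes_out_icmp "<npfctl show output>": exit 0 if a pass rule covers outbound ICMP.
npf_passes_out_icmp() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*pass[[:space:]].*[[:space:]]out[[:space:]].*proto[[:space:]]+icmp'
}

# ping_loss "<ping output>": print the packet-loss percentage from the statistics line.
ping_loss() {
    printf '%s\n' "$1" | sed -n 's/.* \([0-9.]*\)% packet loss.*/\1/p'
}

# ping_sendto_failed "<ping output>": exit 0 if sendto() itself failed, i.e. no packet left the host.
ping_sendto_failed() {
    printf '%s\n' "$1" | grep -q '^ping: sendto:'
}

# diagnose "<npfctl show output>" "<ping output>": one-word verdict.
#   ok               : replies received, nothing to do.
#   filtered         : NPF active and loaded, but no rule passes outbound ICMP -> expected block.
#   mismatch-suspect : NPF active and loaded, outbound ICMP is permitted, yet sendto() fails
#                      -> the loaded rules are not being honoured; check kernel/npfctl version skew.
#   lost             : NPF not active (or state unknown) and still losing packets -> look elsewhere.
diagnose() {
    state=$(npf_state "$1")
    loss=$(ping_loss "$2")
    if [ "${loss%.*}" = "0" ]; then
        echo ok
        return
    fi
    case "$state" in
        active-loaded)
            if npf_passes_out_icmp "$1" && ping_sendto_failed "$2"; then
                echo mismatch-suspect
            else
                echo filtered
            fi ;;
        *) echo lost ;;
    esac
}

# Run against the constructed samples.
diagnose "$NPF_SHOW" "$PING_BROKEN"
diagnose "$NPF_SHOW" "$PING_OK"
```

On a live system the two arguments would be `"$(npfctl show)"` and `"$(ping -c 4 <host> 2>&1)"`; a `mismatch-suspect` verdict right after a kernel upgrade is the cue to compare the running kernel against the installed npfctl(8) before touching the ruleset.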

>Fix:
Yes please!

At the moment, a workaround is to also update npfctl(8) from HEAD; NPF then
works as expected.


