NetBSD-Bugs archive


Re: kern/59615: NPF seems to block all traffic with an HEAD (11.99.x) kernel and netbsd-10 userland



The following reply was made to PR kern/59615; it has been noted by GNATS.

From: Leonardo Taccari <leot%NetBSD.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/59615: NPF seems to block all traffic with an HEAD (11.99.x) kernel and netbsd-10 userland
Date: Sun, 31 Aug 2025 15:01:53 +0200

 I have also shared that with joe@, who has recently made changes in NPF,
 and he requested npfctl stats output.
 
 Attached here is the `npfctl stats` transcript just after the boot and
 login as root, 4 pings that fail and then the transcript of `npfctl
 stats` again:
 
  # npfctl stats
  Packets passed:
          8 default pass
          0 ruleset pass
          0 state pass
  Packets blocked:
          0 default block
          9 ruleset block
  State and NAT entries:
          0 state allocations
          0 state destructions
          0 NAT entry allocations
          0 NAT entry destructions
  Network buffers:
          0 non-contiguous cases
          0 contig alloc failures
  Invalid packet state cases:
          0 cases in total
          0 TCP case I
          0 TCP case II
          0 TCP case III
  Packet race cases:
          0 NAT association race
          0 duplicate state race
  Fragmentation:
          0 fragments
          0 reassembled
          0 failed reassembly
  Other:
          0 unexpected errors
  # ping -c 4 10.0.2.3
  PING 10.0.2.3 (10.0.2.3): 56 data bytes
  ping: sendto: Network is unreachable
  ping: sendto: Network is unreachable
  ping: sendto: Network is unreachable
  ping: sendto: Network is unreachable
  ^C
  ----10.0.2.3 PING Statistics----
  4 packets transmitted, 0 packets received, 100.0% packet loss
  # npfctl stats
  Packets passed:
          8 default pass
          0 ruleset pass
          0 state pass
  Packets blocked:
          0 default block
          17 ruleset block
  State and NAT entries:
          0 state allocations
          0 state destructions
          0 NAT entry allocations
          0 NAT entry destructions
  Network buffers:
          0 non-contiguous cases
          0 contig alloc failures
  Invalid packet state cases:
          0 cases in total
          0 TCP case I
          0 TCP case II
          0 TCP case III
  Packet race cases:
          0 NAT association race
          0 duplicate state race
  Fragmentation:
          0 fragments
          0 reassembled
          0 failed reassembly
  Other:
          0 unexpected errors
 
 It seems that the "ruleset block" counter increases even though the NPF
 rules should permit egress ICMP traffic.
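
Added example, not part of the original message: a small sh/awk helper that compares two saved `npfctl stats` outputs and prints only the counters that moved, which isolates the change in "ruleset block" in the transcripts above. The function names, the file names and the abridged sample input are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: report which NPF counters moved between two saved
# `npfctl stats` outputs. Function and file names are hypothetical.

# npf_stats_delta BEFORE AFTER
npf_stats_delta() {
    awk '
        # Section header, e.g. "Packets blocked:"
        /:[ \t]*$/ {
            sub(/^[ \t]+/, ""); sub(/:[ \t]*$/, "")
            section = $0
            next
        }
        # Counter line, e.g. "        9 ruleset block"
        $1 ~ /^[0-9]+$/ {
            value = $1
            name = $0
            sub(/^[ \t]*[0-9]+[ \t]+/, "", name)
            key = section ": " name
            if (FNR == NR) { before[key] = value; next }   # first file
            if ((key in before) && value + 0 != before[key] + 0)
                printf "%s %d -> %d (%+d)\n", key, before[key], value, value - before[key]
        }
    ' "$1" "$2"
}

# Constructed input: the first transcript from the message, abridged to the
# packet counters; "after" carries the post-ping value from the second one.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
Packets passed:
        8 default pass
        0 ruleset pass
        0 state pass
Packets blocked:
        0 default block
        9 ruleset block
EOF
    sed 's/ 9 ruleset block/ 17 ruleset block/' "$dir/before" > "$dir/after"
    npf_stats_delta "$dir/before" "$dir/after"
    rm -rf "$dir"
}

demo
```

On a live system the two inputs would be `npfctl stats` redirected to a file before and after the test traffic.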
 

