NetBSD-Bugs archive


Re: kern/59615: NPF seems to block all traffic with an HEAD (11.99.x) kernel and netbsd-10 userland



> On 31 Aug 2025, at 1:05 PM, Leonardo Taccari via gnats <gnats-admin%NetBSD.org@localhost> wrote:
> 
> The following reply was made to PR kern/59615; it has been noted by GNATS.
> 
> From: Leonardo Taccari <leot%NetBSD.org@localhost>
> To: gnats-bugs%netbsd.org@localhost
> Cc: 
> Subject: Re: kern/59615: NPF seems to block all traffic with an HEAD (11.99.x) kernel and netbsd-10 userland
> Date: Sun, 31 Aug 2025 15:01:53 +0200
> 
> I have shared that also with joe@ who recently has done changes in NPF
> and he requested npfctl stats output.
> 
> Attached here is the `npfctl stats` transcript just after the boot and
> login as root, 4 pings that fail and then the transcript of `npfctl
> stats` again:
> 
>  # npfctl stats
>  Packets passed:
>          8 default pass
>          0 ruleset pass
>          0 state pass
>  Packets blocked:
>          0 default block
>          9 ruleset block
>  State and NAT entries:
>          0 state allocations
>          0 state destructions
>          0 NAT entry allocations
>          0 NAT entry destructions
>  Network buffers:
>          0 non-contiguous cases
>          0 contig alloc failures
>  Invalid packet state cases:
>          0 cases in total
>          0 TCP case I
>          0 TCP case II
>          0 TCP case III
>  Packet race cases:
>          0 NAT association race
>          0 duplicate state race
>  Fragmentation:
>          0 fragments
>          0 reassembled
>          0 failed reassembly
>  Other:
>          0 unexpected errors
>  # ping -c 4 10.0.2.3
>  PING 10.0.2.3 (10.0.2.3): 56 data bytes
>  ping: sendto: Network is unreachable
>  ping: sendto: Network is unreachable
>  ping: sendto: Network is unreachable
>  ping: sendto: Network is unreachable
>  ^C
>  ----10.0.2.3 PING Statistics----
>  4 packets transmitted, 0 packets received, 100.0% packet loss
>  # npfctl stats
>  Packets passed:
>          8 default pass
>          0 ruleset pass
>          0 state pass
>  Packets blocked:
>          0 default block
>          17 ruleset block
>  State and NAT entries:
>          0 state allocations
>          0 state destructions
>          0 NAT entry allocations
>          0 NAT entry destructions
>  Network buffers:
>          0 non-contiguous cases
>          0 contig alloc failures
>  Invalid packet state cases:
>          0 cases in total
>          0 TCP case I
>          0 TCP case II
>          0 TCP case III
>  Packet race cases:
>          0 NAT association race
>          0 duplicate state race
>  Fragmentation:
>          0 fragments
>          0 reassembled
>          0 failed reassembly
>  Other:
>          0 unexpected errors
> 
> It seems that the "ruleset block" counter increases even though the NPF
> rules should permit egress ICMP traffic.

Thanks!

So the main issue here is that, 

during packet inspection, the kernel checks the layer, whether layer 2 or 3, by masking the layer bit set in the rule.

		if ((attr & layer) == 0) {
			n = skip_to;
			continue;
		}

so since the netbsd 10 userland doesn't set the layers in the rules (setting layer bits was introduced in 11),
the kernel is ignoring all the rules and executing "block all" as in the npf config you sent.

I think I should have loudly announced this.

but there’s always a fix.

so what we can do is 

Since the attribute must contain either of the layers,

/* only check this if layer is set from userland */
if (attr & (NPF_RULE_LAYER_3 | NPF_RULE_LAYER_2)) {
	if ((attr & layer) == 0) {
		n = skip_to;
		continue;
	}
}

This still maintains the current logic and also 11 kernel - 10 userland compatibility.


Emmanuel
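The layer check and the proposed fix side by side, as an added example that is not NPF's code: a small C model using hypothetical bit values for NPF_RULE_LAYER_2/NPF_RULE_LAYER_3 and a constructed two-rule ruleset ("pass out proto icmp" then "block all"). With the original check, every rule loaded by a netbsd-10 npfctl is skipped because no layer bit is set, so the ICMP pass rule never fires; with the fix those rules are inspected again, while a rule that does carry a layer bit is still skipped when inspected at the other layer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical bit values; the real ones come from NPF's headers. */
#define NPF_RULE_LAYER_2  0x0100u
#define NPF_RULE_LAYER_3  0x0200u
#define NPF_RULE_LAYERS   (NPF_RULE_LAYER_2 | NPF_RULE_LAYER_3)

/* The check under discussion: 'attr' is the rule's attribute word, 'layer'
 * the layer the packet is inspected at. True means "n = skip_to; continue". */
static bool
layer_skip(uint32_t attr, uint32_t layer, bool compat)
{
	if (compat) {
		/* Proposed fix: a netbsd-10 npfctl sets no layer bits at all,
		 * so only enforce the layer when userland actually set one. */
		return (attr & NPF_RULE_LAYERS) != 0 && (attr & layer) == 0;
	}
	/* HEAD before the fix: a rule without a layer bit can never match. */
	return (attr & layer) == 0;
}

struct rule {
	uint32_t attr;	/* attribute word as loaded by npfctl */
	bool     match;	/* constructed: does the rule's filter match our packet? */
};

/* Stand-in for the ruleset walk: index of the first rule that survives the
 * layer check and matches, or -1. Groups/skip_to/default are not modelled. */
static int
first_match(const struct rule *rs, size_t n, uint32_t layer, bool compat)
{
	for (size_t i = 0; i < n; i++) {
		if (layer_skip(rs[i].attr, layer, compat))
			continue;
		if (rs[i].match)
			return (int)i;
	}
	return -1;
}

/* Constructed "pass out proto icmp" + "block all", as loaded by a netbsd-10
 * npfctl (no layer bits) and by an 11.x npfctl (layer 3 bit set). */
static const struct rule ruleset_10[] = { { 0x1, true }, { 0x0, true } };
static const struct rule ruleset_11[] = { { 0x1 | NPF_RULE_LAYER_3, true },
					  { NPF_RULE_LAYER_3, true } };
```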






