NetBSD-Bugs archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: kern/59615: NPF seems to block all traffic with an HEAD (11.99.x) kernel and netbsd-10 userland
The following reply was made to PR kern/59615; it has been noted by GNATS.
From: Emmanuel Nyarko <emmankoko519%gmail.com@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: kern-bug-people%netbsd.org@localhost,
gnats-admin%netbsd.org@localhost,
netbsd-bugs%netbsd.org@localhost,
"leot%netbsd.org@localhost" <leot%NetBSD.org@localhost>
Subject: Re: kern/59615: NPF seems to block all traffic with an HEAD (11.99.x)
kernel and netbsd-10 userland
Date: Sun, 31 Aug 2025 13:52:25 +0000
> On 31 Aug 2025, at 1:05=E2=80=AFPM, Leonardo Taccari via gnats =
<gnats-admin%NetBSD.org@localhost> wrote:
>=20
> The following reply was made to PR kern/59615; it has been noted by =
GNATS.
>=20
> From: Leonardo Taccari <leot%NetBSD.org@localhost>
> To: gnats-bugs%netbsd.org@localhost
> Cc:=20
> Subject: Re: kern/59615: NPF seems to block all traffic with an HEAD =
(11.99.x) kernel and netbsd-10 userland
> Date: Sun, 31 Aug 2025 15:01:53 +0200
>=20
> I have shared that also with joe@ who recently has done changes in NPF
> and he requested npfctl stats output.
>=20
> Attached here the `npfctl stats` transcript just after the boot and
> login as root, 4 pings that fails and then the transcript of `npfctl
> stats` again:
>=20
> # npfctl stats
> Packets passed:
> 8 default pass
> 0 ruleset pass
> 0 state pass
> Packets blocked:
> 0 default block
> 9 ruleset block
> State and NAT entries:
> 0 state allocations
> 0 state destructions
> 0 NAT entry allocations
> 0 NAT entry destructions
> Network buffers:
> 0 non-contiguous cases
> 0 contig alloc failures
> Invalid packet state cases:
> 0 cases in total
> 0 TCP case I
> 0 TCP case II
> 0 TCP case III
> Packet race cases:
> 0 NAT association race
> 0 duplicate state race
> Fragmentation:
> 0 fragments
> 0 reassembled
> 0 failed reassembly
> Other:
> 0 unexpected errors
> # ping -c 4 10.0.2.3
> PING 10.0.2.3 (10.0.2.3): 56 data bytes
> ping: sendto: Network is unreachable
> ping: sendto: Network is unreachable
> ping: sendto: Network is unreachable
> ping: sendto: Network is unreachable
> ^C
> ----10.0.2.3 PING Statistics----
> 4 packets transmitted, 0 packets received, 100.0% packet loss
> # npfctl stats
> Packets passed:
> 8 default pass
> 0 ruleset pass
> 0 state pass
> Packets blocked:
> 0 default block
> 17 ruleset block
> State and NAT entries:
> 0 state allocations
> 0 state destructions
> 0 NAT entry allocations
> 0 NAT entry destructions
> Network buffers:
> 0 non-contiguous cases
> 0 contig alloc failures
> Invalid packet state cases:
> 0 cases in total
> 0 TCP case I
> 0 TCP case II
> 0 TCP case III
> Packet race cases:
> 0 NAT association race
> 0 duplicate state race
> Fragmentation:
> 0 fragments
> 0 reassembled
> 0 failed reassembly
> Other:
> 0 unexpected errors
>=20
> It seems that the "ruleset block" counter increases despite the NPF
> rules should permit egress ICMP traffic.
Thanks!
So the main issue here is that,=20
during packet inspection, kernel checks the layer, whether layer 2 or 3 =
by masking the layer bit set in the rule.
if ((attr & layer) =3D=3D 0) {
n =3D skip_to;
continue;
}
so since the netbsd 10 userland doesn=E2=80=99t set the layers in th =
rules(setting layer bits were introduced in 11),=20
the kernel is ignoring all the rules and executing "block all=E2=80=9D =
as in the npf config you sent.
I think I should have loudly announced this.
but there=E2=80=99s always a fix.
so what we can do is=20
Since attribute must contain either of the layers,
/* only check this if layer is set from userland */
If (attr & (NPF_RULE_LAYER_3) | NPF_RULE_LAYER_2)) {
if ((attr & layer) =3D=3D 0) {
n =3D skip_to;
continue;
}
}
This still maintain current logic and also 11 kernel - 10 userland =
compatibility.
Emmanuel
Home |
Main Index |
Thread Index |
Old Index