Re: kern/59615: NPF seems to block all traffic with an HEAD (11.99.x) kernel and netbsd-10 userland

["Leonardo Taccari via gnats" <gnats-admin%NetBSD.org@localhost>]

The following reply was made to PR kern/59615; it has been noted by GNATS.

From: Leonardo Taccari <leot%NetBSD.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/59615: NPF seems to block all traffic with an HEAD (11.99.x) kernel and netbsd-10 userland
Date: Thu, 04 Sep 2025 12:58:39 +0200

 Hello folks,
 <joe> shared off-list the attached patch and it fixes the issue but the
 `npfctl stats` for NAT are not ok probably due npf_stats_t enum changes.
 
 Sharing here too for completeness...
 
 After applying the patch, here transcript of `npfctl stats` before and
 after ping and `npfctl list`:
 
  # npfctl stats
  Packets passed:
          9 default pass
          8 ruleset pass
          0 state pass
  Packets blocked:
          0 default block
          0 ruleset block
  State and NAT entries:
          10 state allocations
          0 state destructions
          0 NAT entry allocations
          0 NAT entry destructions
  Network buffers:
          0 non-contiguous cases
          0 contig alloc failures
  Invalid packet state cases:
          0 cases in total
          0 TCP case I
          0 TCP case II
          0 TCP case III
  Packet race cases:
          0 NAT association race
          0 duplicate state race
  Fragmentation:
          0 fragments
          0 reassembled
          0 failed reassembly
  Other:
          0 unexpected errors
  # ping -c 4 10.0.2.3
  PING 10.0.2.3 (10.0.2.3): 56 data bytes
  64 bytes from 10.0.2.3: icmp_seq=0 ttl=255 time=0.096294 ms
  64 bytes from 10.0.2.3: icmp_seq=1 ttl=255 time=0.099546 ms
  64 bytes from 10.0.2.3: icmp_seq=2 ttl=255 time=19.273100 ms
  64 bytes from 10.0.2.3: icmp_seq=3 ttl=255 time=0.098007 ms
  
  ----10.0.2.3 PING Statistics----
  4 packets transmitted, 4 packets received, 0.0% packet loss
  round-trip min/avg/max/stddev = 0.096294/4.891737/19.273100/9.587576 ms
  # npfctl stats
  Packets passed:
          21 default pass
          14 ruleset pass
          8 state pass
  Packets blocked:
          0 default block
          0 ruleset block
  State and NAT entries:
          10 state allocations
          0 state destructions
          2 NAT entry allocations
          0 NAT entry destructions
  Network buffers:
          0 non-contiguous cases
          0 contig alloc failures
  Invalid packet state cases:
          0 cases in total
          0 TCP case I
          0 TCP case II
          0 TCP case III
  Packet race cases:
          0 NAT association race
          0 duplicate state race
  Fragmentation:
          0 fragments
          0 reassembled
          0 failed reassembly
  Other:
          0 unexpected errors
  # npfctl list
  # src-addr:port       dst-addr:port         interface  nat-addr:port
  10.0.2.15:65533       10.0.2.3:53           -
  10.0.2.15:8920        10.0.2.3:8920         -
 
 Patch attached inline.
 
 
 Thanks Emmanuel!
 
 
 Index: sys/net/npf/npf_ruleset.c
 ===================================================================
 RCS file: /cvsroot/src/sys/net/npf/npf_ruleset.c,v
 retrieving revision 1.56
 diff -u -p -r1.56 npf_ruleset.c
 --- sys/net/npf/npf_ruleset.c	1 Jul 2025 18:42:37 -0000	1.56
 +++ sys/net/npf/npf_ruleset.c	31 Aug 2025 17:18:46 -0000
 @@ -925,9 +925,18 @@ npf_ruleset_inspect(npf_cache_t *npc, co
  		const unsigned skip_to = rl->r_skip_to & SKIPTO_MASK;
  		const uint32_t attr = rl->r_attr;
  
 -		if ((attr & layer) == 0) {
 -			n = skip_to;
 -			continue;
 +
 +		if (attr & (NPF_RULE_LAYER_3  | NPF_RULE_LAYER_2)) {
 +			if ((attr & layer) == 0) {
 +				n = skip_to;
 +				continue;
 +			}
 +		} else {
 +			/* if no layer attribute is set, never inspect at layer 2 */
 +			if (layer == NPF_RULE_LAYER_2) {
 +				n = skip_to;
 +				continue;
 +			}
  		}
  
  		KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET));