NetBSD-Bugs archive
Re: kern/59615: NPF seems to block all traffic with an HEAD (11.99.x) kernel and netbsd-10 userland
The following reply was made to PR kern/59615; it has been noted by GNATS.
From: Leonardo Taccari <leot%NetBSD.org@localhost>
To: gnats-bugs%netbsd.org@localhost
Cc:
Subject: Re: kern/59615: NPF seems to block all traffic with an HEAD (11.99.x) kernel and netbsd-10 userland
Date: Sat, 06 Sep 2025 16:10:23 +0200
Hello Emmanuel,
Emmanuel Nyarko writes:
> Hi Leo,
>
> Please can you run this patch in and test the kernel.
>
> Index: sys/net/npf/npf.h
> ===================================================================
> RCS file: /cvsroot/src/sys/net/npf/npf.h,v
> retrieving revision 1.67
> diff -u -r1.67 npf.h
> --- sys/net/npf/npf.h 1 Jul 2025 18:42:37 -0000 1.67
> +++ sys/net/npf/npf.h 4 Sep 2025 11:41:15 -0000
> @@ -355,11 +355,9 @@
> NPF_STAT_PASS_DEFAULT,
> NPF_STAT_PASS_RULESET,
> NPF_STAT_PASS_CONN,
> - NPF_ETHER_STAT_PASS,
> /* Packets blocked. */
> NPF_STAT_BLOCK_DEFAULT,
> NPF_STAT_BLOCK_RULESET,
> - NPF_ETHER_STAT_BLOCK,
> /* Connection and NAT entries. */
> NPF_STAT_CONN_CREATE,
> NPF_STAT_CONN_DESTROY,
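Review bot: nothing in the enum records that enumerator positions are shared with npfctl, so the next counter added after NPF_STAT_PASS_CONN or NPF_STAT_BLOCK_RULESET would shift the later indices again. Suggest a comment at the top of npf_stats_t stating that new entries may only be added immediately before NPF_STATS_COUNT.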
> @@ -382,6 +380,9 @@
> /* nbuf non-contiguous cases. */
> NPF_STAT_NBUF_NONCONTIG,
> NPF_STAT_NBUF_CONTIG_FAIL,
> + /* layer 2 statistics */
> + NPF_ETHER_STAT_PASS,
> + NPF_ETHER_STAT_BLOCK,
> /* Count (last). */
> NPF_STATS_COUNT
> } npf_stats_t;
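Review bot: the added comment "/* layer 2 statistics */" does not follow the neighbouring comments, which are capitalised and end with a full stop ("/* Count (last). */"), and it does not say why these two entries sit at the end. Suggest "/* Layer 2 statistics (appended to keep earlier indices stable). */". NPF_STATS_COUNT still includes the two ether counters, so it is worth confirming that a reader built against a shorter enum copes with the longer array.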
>
> this patch is to ensure the macros maintain their index values across 10 and 11 so npfctl does read different values from kernel.
>
> tested on mine and works cool with both a full 11 setup and a 10 userland 11 kernel.
>
> But would like to hear from you too.
> [...]
I have tested it (both the former patch that you have shared off-list
and I attached here a couple of days ago and this one you have shared
yesterday) and I can confirm that now the stats look good:
# npfctl list
# src-addr:port dst-addr:port interface nat-addr:port
# npfctl stats
Packets passed:
8 default pass
8 ruleset pass
0 state pass
Packets blocked:
0 default block
7 ruleset block
State and NAT entries:
0 state allocations
0 state destructions
0 NAT entry allocations
0 NAT entry destructions
Network buffers:
0 non-contiguous cases
0 contig alloc failures
Invalid packet state cases:
0 cases in total
0 TCP case I
0 TCP case II
0 TCP case III
Packet race cases:
0 NAT association race
0 duplicate state race
Fragmentation:
0 fragments
0 reassembled
0 failed reassembly
Other:
0 unexpected errors
# ping -c 4 10.0.2.3
PING 10.0.2.3 (10.0.2.3): 56 data bytes
64 bytes from 10.0.2.3: icmp_seq=0 ttl=255 time=19.203814 ms
64 bytes from 10.0.2.3: icmp_seq=1 ttl=255 time=0.115402 ms
64 bytes from 10.0.2.3: icmp_seq=2 ttl=255 time=0.088149 ms
64 bytes from 10.0.2.3: icmp_seq=3 ttl=255 time=0.101776 ms
----10.0.2.3 PING Statistics----
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.088149/4.877285/19.203814/9.551026 ms
# npfctl list
# src-addr:port dst-addr:port interface nat-addr:port
10.0.2.15:65533 10.0.2.3:53 -
10.0.2.15:62358 10.0.2.3:62358 -
# npfctl stats
Packets passed:
20 default pass
14 ruleset pass
8 state pass
Packets blocked:
0 default block
8 ruleset block
State and NAT entries:
2 state allocations
0 state destructions
0 NAT entry allocations
0 NAT entry destructions
Network buffers:
0 non-contiguous cases
0 contig alloc failures
Invalid packet state cases:
0 cases in total
0 TCP case I
0 TCP case II
0 TCP case III
Packet race cases:
0 NAT association race
0 duplicate state race
Fragmentation:
0 fragments
0 reassembled
0 failed reassembly
Other:
0 unexpected errors
Thanks a lot!
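
The index-stability point from the quoted explanation, as an added example (not part of this message or of NPF's code): a reduced model of npf_stats_t showing what a reader compiled against the older layout sees when the ether counters sit mid-enum versus at the end. The OLD_/MID_/END_ names, the assumed older layout and the ether counter values are constructed for illustration; the other values come from the second npfctl stats output above.

```c
#include <stdint.h>
#include <stdio.h>

/* Reduced model: only enumerators visible in the patch; prefixes are hypothetical. */
enum old_idx { /* layout assumed for a userland built before the ether counters */
	OLD_PASS_DEFAULT, OLD_PASS_RULESET, OLD_PASS_CONN,
	OLD_BLOCK_DEFAULT, OLD_BLOCK_RULESET,
	OLD_CONN_CREATE, OLD_CONN_DESTROY, OLD_COUNT
};
enum mid_idx { /* before the patch: ether counters in the middle */
	MID_PASS_DEFAULT, MID_PASS_RULESET, MID_PASS_CONN, MID_ETHER_PASS,
	MID_BLOCK_DEFAULT, MID_BLOCK_RULESET, MID_ETHER_BLOCK,
	MID_CONN_CREATE, MID_CONN_DESTROY, MID_COUNT
};
enum end_idx { /* after the patch: ether counters appended */
	END_PASS_DEFAULT, END_PASS_RULESET, END_PASS_CONN,
	END_BLOCK_DEFAULT, END_BLOCK_RULESET,
	END_CONN_CREATE, END_CONN_DESTROY,
	END_ETHER_PASS, END_ETHER_BLOCK, END_COUNT
};

/* Build-time guard: the appended layout must keep every old index. */
_Static_assert((int)END_CONN_DESTROY == (int)OLD_CONN_DESTROY, "stats index moved");
_Static_assert((int)END_COUNT >= (int)OLD_COUNT, "stats array shrank");

/* Constructed counters: what the old reader should see, then each kernel layout. */
static const uint64_t truth[OLD_COUNT] = { 20, 14, 8, 0, 8, 2, 0 };
static const uint64_t kernel_mid[MID_COUNT] = { 20, 14, 8, 100, 0, 8, 5, 2, 0 };
static const uint64_t kernel_end[END_COUNT] = { 20, 14, 8, 0, 8, 2, 0, 100, 5 };

/* Count slots where a reader using the old indices gets the wrong counter. */
static int stale_reader_mismatches(const uint64_t *kstats)
{
	int bad = 0;
	for (int i = 0; i < OLD_COUNT; i++)
		bad += (kstats[i] != truth[i]);
	return bad;
}

int mismatches_before_patch(void) { return stale_reader_mismatches(kernel_mid); }
int mismatches_after_patch(void) { return stale_reader_mismatches(kernel_end); }

int main(void)
{
	printf("mid-enum insert: %d wrong slots\n", mismatches_before_patch());
	printf("appended:        %d wrong slots\n", mismatches_after_patch());
	return 0;
}
```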