Re: Layer-2 filtering in NPF: breaking config parsing

[Emmanuel Nyarko <emmankoko519%gmail.com@localhost>]

> On 8 Jul 2025, at 1:34 PM, Greg Troxel <gdt%lexort.com@localhost> wrote:
> 
> I have taken out all the stuff about the tun0 interface (that isn't
> there) from the config.   I'm left with a pretty normal config
> 
>  alg icmp
>  procedure log
> 
>  group default {
>    pass stateful out final all 
>    block all apply "log" 
>    block in final from <blocklist> apply "log" 
>    a bunch of individual pass rules
> 
> after starting, even outbound ping fails, and I see in messages:
> 
>  Jul  8 09:29:21 n11 dhcpcd[826]: ps_root_recvmsg: Network is unreachable
> 
> I then did
> 
>  telnet 1.2.3.4 30
> 
> where 1.2.3.4 is another host.  tcpdumping there showed no SYN arriving.
> 
> after
> 
>  /etc/rc.d/npf onestop
> 
> doing telnet again showed the packet arriving at the other host.

Alright. thank you for the report. I’ll look into it quickly as possible.

Emmanuel