Re: CVS commit: src/sys/net/npf

[Emmanuel Nyarko <emmankoko519%gmail.com@localhost>]

> On 8 Jul 2025, at 4:25 PM, Greg Troxel <gdt%lexort.com@localhost> wrote:
> 
> Emmanuel Nyarko <emmankoko519%gmail.com@localhost> writes:
> 
>>> I'm not
>>>   saying they have to be there, but there should be some amount of
>>>   counters for the various things that can happen, accessible somehow.
>>>   This became obvious when I ran into the 'all traffic blocked' bug
>>>   and I could not find a counter for blocked output packets.
>> 
>> npfctl stats???
>> 
>> i used npfctl stats and i saw the default blocks which helped me to solve the issue.
> 
> Sorry, I missed that.  I scanned the output from npfctl on the left and
> didn't realize the first line had 5 separate verbs.  I'm going to say
> that's my fault and it's ok.
> 
> It would probably be good to improve granularity, perhaps in/out to
> start with, and "ether" probably should be layer-2 to be consistent.
> 

		{ -1, "Layer 2",					},
		{ NPF_ETHER_STAT_PASS,		"frame pass"		},
		{ NPF_ETHER_STAT_BLOCK,		"frame block"		},
		{ NPF_ETHER_DEFAULT_PASS,	"default pass"		},

		{ -1, "Layer 3",					},
		{ -1, "Packets passed"					},
		{ NPF_STAT_PASS_DEFAULT,	"default pass"		},
		{ NPF_STAT_PASS_RULESET,	"ruleset pass"		},
		{ NPF_STAT_PASS_CONN,		"state pass"		},

		{ -1, "Packets blocked"					},
		{ NPF_STAT_BLOCK_DEFAULT,	"default block"		},
		{ NPF_STAT_BLOCK_RULESET,	"ruleset block"		},

what about this actually ? So we can have them separated.

Emmanuel