NetBSD Problem Report #51818

From paul@whooppee.com  Wed Jan 11 00:34:24 2017
Return-Path: <paul@whooppee.com>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 6713B7A1AF
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 11 Jan 2017 00:34:24 +0000 (UTC)
Message-Id: <20170111003421.64B6816E62@speedy.whooppee.com>
Date: Wed, 11 Jan 2017 08:34:21 +0800 (PHT)
From: paul@whooppee.com
Reply-To: paul@whooppee.com
To: gnats-bugs@NetBSD.org
Subject: npfctl doesn't handle multiple i/f names in group statements
X-Send-Pr-Version: 3.95

>Number:         51818
>Category:       kern
>Synopsis:       npfctl doesn't handle multiple i/f names in group statements
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          analyzed
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Wed Jan 11 00:35:00 +0000 2017
>Closed-Date:    
>Last-Modified:  Fri Aug 31 14:36:36 +0000 2018
>Originator:     Paul Goyette
>Release:        NetBSD 7.99.53
>Organization:
+------------------+--------------------------+------------------------+
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:      |
| (Retired)        | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com   |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd.org |
+------------------+--------------------------+------------------------+
>Environment:


System: NetBSD speedy.whooppee.com 7.99.53 NetBSD 7.99.53 (SPEEDY 2016-12-31 23:00:24) #1: Sun Jan 1 01:39:34 UTC 2017 paul@speedy.whooppee.com:/build/netbsd-local/obj/amd64/sys/arch/amd64/compile/SPEEDY amd64
Architecture: x86_64
Machine: amd64
>Description:
Following the example /usr/share/examples/blacklistd/npf.conf, I created the
following:

        # Transparent firewall example for blacklistd

        $ext_if = { wm0, tun0 }

        set bpf.jit on;
        alg "icmp"

        group "external" on $ext_if {
                ruleset "blacklistd"
                pass final all
        }

        group default {
                pass final all
        }

After enabling npf, I see filter rules only on wm0, nothing for the tunnel:

        {150} /etc/rc.d/npf restart
        Disabling NPF.
        Enabling NPF.
        {151}  npfctl show
        # filtering:    active
        # config:       loaded

        group "external" on wm0
                ruleset "blacklistd" all
                pass final all

        group
                pass final all

        {152}


>How-To-Repeat:
See above

>Fix:


>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->analyzed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Fri, 31 Aug 2018 14:36:36 +0000
State-Changed-Why:
I changed this PR to "change-request", because NPF doesn't support
multiple interfaces per group.

Contrary to what this PR indicates, npfctl does generate an error when
loading a conf with an interface list on a group.
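
As an added example (not part of this PR and not NetBSD's npfctl code), a small Python checker for the pattern reported above: it parses a subset of npf.conf, flags any group placed on a variable that holds more than one interface (which, as the analysis notes, NPF does not support per group), and rewrites such a group into one group per interface so that no interface is left without its ruleset. The npf.conf subset it understands and the `<group>_<ifname>` naming of the split groups are assumptions of this example.

```python
import re

# Constructed sample, reduced from the PR's npf.conf: a group bound to a two-interface variable.
SAMPLE_CONF = """\
$ext_if = { wm0, tun0 }
group "external" on $ext_if {
        ruleset "blacklistd"
        pass final all
}
group default {
        pass final all
}
"""

VAR_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?)\s*$')
GROUP_RE = re.compile(r'^\s*group\s+"([^"]+)"\s+on\s+\$(\w+)(\s*\{.*)$')

def parse_vars(conf):
    """Map each $variable to the list of names it holds ({ a, b } or a bare name)."""
    vars_ = {}
    for line in conf.splitlines():
        m = VAR_RE.match(line)
        if m:
            vars_[m.group(1)] = [v.strip() for v in m.group(2).strip('{} ').split(',') if v.strip()]
    return vars_

def multi_interface_groups(conf):
    """Return (group name, interfaces) for every group placed on a multi-name variable."""
    vars_ = parse_vars(conf)
    return [(m.group(1), vars_[m.group(2)]) for m in map(GROUP_RE.match, conf.splitlines())
            if m and len(vars_.get(m.group(2), [])) > 1]

def expand_groups(conf):
    """Rewrite each flagged group into one copy per interface (named <group>_<ifname>)."""
    vars_ = parse_vars(conf)
    out, hdr, body = [], None, []
    for line in conf.splitlines():
        m = GROUP_RE.match(line)
        if m and len(vars_.get(m.group(2), [])) > 1:
            hdr, body = m, []                  # start buffering the offending group
        elif hdr is None:
            out.append(line)                   # unaffected line: copy through
        elif line.strip() == '}':              # group closed: emit one copy per interface
            for ifn in vars_[hdr.group(2)]:
                out.append(f'group "{hdr.group(1)}_{ifn}" on {ifn}{hdr.group(3)}')
                out.extend(body + [line])
            hdr = None
        else:
            body.append(line)
    return '\n'.join(out) + '\n'
```

Running `multi_interface_groups(SAMPLE_CONF)` reports the "external" group on wm0 and tun0; `expand_groups(SAMPLE_CONF)` returns a config in which "external_wm0" and "external_tun0" each carry the blacklistd ruleset, while the default group is untouched.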


>Unformatted:
