NetBSD Problem Report #51818
From paul@whooppee.com Wed Jan 11 00:34:24 2017
Return-Path: <paul@whooppee.com>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 6713B7A1AF
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 11 Jan 2017 00:34:24 +0000 (UTC)
Message-Id: <20170111003421.64B6816E62@speedy.whooppee.com>
Date: Wed, 11 Jan 2017 08:34:21 +0800 (PHT)
From: paul@whooppee.com
Reply-To: paul@whooppee.com
To: gnats-bugs@NetBSD.org
Subject: npfctl doesn't handle multiple i/f names in group statements
X-Send-Pr-Version: 3.95
>Number: 51818
>Category: kern
>Synopsis: npfctl doesn't handle multiple i/f names in group statements
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: analyzed
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Wed Jan 11 00:35:00 +0000 2017
>Closed-Date:
>Last-Modified: Fri Aug 31 14:36:36 +0000 2018
>Originator: Paul Goyette
>Release: NetBSD 7.99.53
>Organization:
+------------------+--------------------------+------------------------+
| Paul Goyette | PGP Key fingerprint: | E-mail addresses: |
| (Retired) | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com |
| Kernel Developer | 0786 F758 55DE 53BA 7731 | pgoyette at netbsd.org |
+------------------+--------------------------+------------------------+
>Environment:
System: NetBSD speedy.whooppee.com 7.99.53 NetBSD 7.99.53 (SPEEDY 2016-12-31 23:00:24) #1: Sun Jan 1 01:39:34 UTC 2017 paul@speedy.whooppee.com:/build/netbsd-local/obj/amd64/sys/arch/amd64/compile/SPEEDY amd64
Architecture: x86_64
Machine: amd64
>Description:
Following the example /usr/share/examples/blacklistd/npf.conf I created the
following:
# Transparent firewall example for blacklistd
$ext_if = { wm0, tun0 }
set bpf.jit on;
alg "icmp"
group "external" on $ext_if {
	ruleset "blacklistd"
	pass final all
}
group default {
	pass final all
}
After enabling npf, I see filter rules only on wm0, nothing for the tunnel:
{150} /etc/rc.d/npf restart
Disabling NPF.
Enabling NPF.
{151} npfctl show
# filtering: active
# config: loaded
group "external" on wm0
	ruleset "blacklistd" all
	pass final all
group
	pass final all
{152}
>How-To-Repeat:
See above
>Fix:
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Fri, 31 Aug 2018 14:36:36 +0000
State-Changed-Why:
I changed this PR to "change-request", because NPF doesn't support
multiple interfaces per group.
Contrary to what this PR indicates, npfctl does generate an error when
loading a conf with an interface list on a group.
>Unformatted:
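The report shows the failure mode a practitioner cares about: the configuration loaded, `npfctl show` reported the filter as active, and yet tun0 ended up with no group at all. The following POSIX sh script is an added example, not part of this PR or of NPF itself: it parses the `group ... on <ifname>` lines that `npfctl show` prints and flags every expected interface that has no group. The sample output is the `npfctl show` transcript from the PR above, embedded as constructed input so the script runs offline; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the PR or the NPF project): verify that every
# interface that is supposed to be filtered actually has an NPF group in
# the loaded configuration, by parsing the output of `npfctl show`.

# Print the interface named on each "group ... on <ifname>" line read from
# stdin, one per line. The default group prints as a bare "group" and is
# skipped. The quoted group name is optional in the pattern.
npf_group_ifaces() {
    sed -n 's/^[[:space:]]*group[[:space:]]\("[^"]*"[[:space:]]\)\{0,1\}on[[:space:]]\([A-Za-z0-9_.-]*\).*/\2/p'
}

# $1: the full `npfctl show` output; remaining args: interfaces expected to
# carry a group. Prints one line per missing interface and returns 1 if any
# is missing, 0 otherwise.
npf_check_ifaces() {
    show="$1"; shift
    have=$(printf '%s\n' "$show" | npf_group_ifaces)
    rc=0
    for ifn in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$ifn"; then
            echo "no NPF group on $ifn"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the `npfctl show` output from the PR. Only wm0 got a
# group; tun0 from the $ext_if list is absent.
SAMPLE_SHOW='# filtering: active
# config: loaded
group "external" on wm0
	ruleset "blacklistd" all
	pass final all
group
	pass final all'

# Usage (on a live system replace "$SAMPLE_SHOW" with "$(npfctl show)"):
#   npf_check_ifaces "$SAMPLE_SHOW" wm0 tun0
# prints "no NPF group on tun0" and returns 1.
```

Because a group accepts a single interface (the reason maxv reclassified this PR), the configuration side needs one group per interface rather than an interface list; whatever layout is chosen, running a check like this after `npfctl reload` catches an interface that was silently left unfiltered, which `npfctl show` alone only reveals to a careful reader.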