NetBSD Problem Report #54122
From www@netbsd.org Sat Apr 13 15:46:22 2019
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id CEAE07A16D
for <gnats-bugs@gnats.NetBSD.org>; Sat, 13 Apr 2019 15:46:22 +0000 (UTC)
Message-Id: <20190413154621.6FEF07A1DC@mollari.NetBSD.org>
Date: Sat, 13 Apr 2019 15:46:21 +0000 (UTC)
From: venture37@geeklan.co.uk
Reply-To: venture37@geeklan.co.uk
To: gnats-bugs@NetBSD.org
Subject: npfctl validate coredumps
X-Send-Pr-Version: www-1.0
>Number: 54122
>Category: bin
>Synopsis: npfctl validate coredumps
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Apr 13 15:50:00 +0000 2019
>Closed-Date: Sat Aug 10 22:26:02 +0000 2019
>Last-Modified: Sun Aug 11 10:15:04 +0000 2019
>Originator: Sevan Janiyan
>Release: NetBSD-HEAD
>Organization:
>Environment:
NetBSD 8.99.37 i386
>Description:
npfctl validate coredumps
#0 0xb7984d47 in _lwp_kill () from /lib/libc.so.12
(gdb) bt
#0 0xb7984d47 in _lwp_kill () from /lib/libc.so.12
#1 0xb7984cd1 in raise () from /lib/libc.so.12
#2 0xb79849a7 in abort () from /lib/libc.so.12
#3 0xb7984554 in __assert13 () from /lib/libc.so.12
#4 0x009ed0b3 in scan_marks.constprop ()
#5 0x009ed108 in npfctl_print_filter.constprop ()
#6 0x009ed6aa in npfctl_config_show ()
#7 0x009fb834 in main ()
Ruleset (wip) I used
$wired_if = "fxp0"
$wifi_if = "ath0"
$hostaddrs = { ifaddrs(fxp0), ifaddrs(ath0) }
$dhcpserver = { 198.51.100.1 }

# sample udp service
$services_udp = { ntp }

# sample mixed service
$backupsrv_v4 = { 198.51.100.11 }
$backupsrv_v6 = { 2001:0DB8:404::11 }
$backup_port = { amanda }

# watching a tcpdump of npflog0, when it only logs blocks,
# can be very helpful for building the rules you actually need
procedure "log" {
    log: npflog0
}

# make a service running on a high port on 127.0.0.1 available on $wired_if
# see also the pass rules below
map $wired_if dynamic 127.0.0.1 port 8080 <- $hostaddrs port 80

group "wired" on $wired_if {
    # not being picky about our own address here
    pass in final family inet6 proto ipv6-icmp all
    pass out final family inet6 proto ipv6-icmp all
    pass in final family inet4 proto icmp all
    pass in final family inet4 proto tcp \
        from $dhcpserver port bootps to $hostaddrs port bootpc
    pass in final family inet4 proto udp \
        from $dhcpserver port bootps to $hostaddrs port bootpc
    pass in final family inet6 proto tcp to $hostaddrs port ssh

    # the port mapping
    # Note the filter sees packets before translation
    pass in final family inet4 proto tcp from any to $hostaddrs port 80
    pass out final family inet4 proto tcp from 127.0.0.1 port 8080 to any

    pass in final family inet4 proto tcp flags S/SA \
        from $backupsrv_v4 to $hostaddrs port $backup_port
    pass in final family inet4 proto udp \
        from $backupsrv_v4 to $hostaddrs port $backup_port
    pass in final family inet6 proto tcp flags S/SA \
        from $backupsrv_v6 to $hostaddrs port $backup_port
    pass in final family inet6 proto udp \
        from $backupsrv_v6 to $hostaddrs port $backup_port

    pass stateful in final family inet6 proto udp to $hostaddrs \
        port $services_udp
    pass stateful in final family inet4 proto udp to $hostaddrs \
        port $services_udp

    # only SYN packets need to generate state
    pass stateful out final family inet6 proto tcp flags S/SA \
        from $hostaddrs
    pass stateful out final family inet4 proto tcp flags S/SA \
        from $hostaddrs
    # pass the other tcp packets without generating extra state
    pass out final family inet6 proto tcp from $hostaddrs
    pass out final family inet4 proto tcp from $hostaddrs
    # all other types of traffic, generate state per packet
    pass stateful out final family inet6 from $hostaddrs
    pass stateful out final family inet4 from $hostaddrs
}

group "wifi" on $wifi_if {
    # linklocal
    pass in final family inet6 proto ipv6-icmp to fe80::/10
    pass out final family inet6 proto ipv6-icmp from fe80::/10
    # administrative multicasts
    pass in final family inet6 proto ipv6-icmp to ff00::/10
    pass out final family inet6 proto ipv6-icmp from ff00::/10
    pass in final family inet6 proto ipv6-icmp to $hostaddrs
    pass in final family inet4 proto icmp to $hostaddrs
    pass in final family inet4 proto tcp \
        from any port bootps to $hostaddrs port bootpc
    pass in final family inet4 proto udp \
        from any port bootps to $hostaddrs port bootpc
    pass in final family inet6 proto tcp flags S/SA to $hostaddrs port ssh
    pass in final family inet6 proto udp to $hostaddrs port $services_udp
    pass in final family inet4 proto udp to $hostaddrs port $services_udp

    # IPSEC
    pass in final family inet6 proto udp to $hostaddrs port isakmp
    pass in final family inet4 proto udp to $hostaddrs port isakmp
    pass in family inet6 proto esp all
    pass in family inet4 proto esp all

    # only SYN packets need to generate state
    pass stateful out final family inet6 proto tcp flags S/SA \
        from $hostaddrs
    pass stateful out final family inet4 proto tcp flags S/SA \
        from $hostaddrs
    # pass the other tcp packets without generating extra state
    pass out final family inet6 proto tcp from $hostaddrs
    pass out final family inet4 proto tcp from $hostaddrs
    # all other types of traffic, generate state per packet
    pass stateful out final family inet6 from $hostaddrs
    pass stateful out final family inet4 from $hostaddrs
}

group default {
    pass final on lo0 all
    block all apply "log"
}
>How-To-Repeat:
npfctl validate npf.conf
npf.conf contains the ruleset above.
>Fix:
>Release-Note:
>Audit-Trail:
From: Sevan Janiyan <venture37@geeklan.co.uk>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: bin/54122: npfctl validate coredumps
Date: Sat, 13 Apr 2019 16:54:31 +0100
Error is:
assertion "nvals == 1 || mk->sep != NULL" failed: file "/usr/src/usr.sbin/npf/npfctl/npf_show.c", line 331, function "scan_marks"
map fxp0 dynamic 127.0.0.1 port 8080 <- any pass family inet4 proto { tcp, udp } Abort (core dumped)
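The assertion quoted above states an invariant of npfctl's rule printer: a mark kind (proto, port, table) that is printed with more than one value must define a separator. The map rule in the reporter's ruleset expands to both tcp and udp, so the printer hit a kind with two values and no separator, and the assert turned a valid configuration into an abort during validate. The following Python model is an added illustration, not npfctl's own code; the MarkKind table, scan_marks, print_filter and the constructed MAP_RULE_MARKS are hypothetical and only mirror the shape of the assertion, with the "buggy" table lacking a separator and the "fixed" table supplying one for every kind that may repeat.

```python
"""Model of the invariant behind the npfctl assertion quoted in the PR.

Added illustration, not npfctl's code.  It assumes a printer that
collects the values attached to a rule into "marks" and joins the
values of one mark kind with that kind's separator, which is what the
assertion text "nvals == 1 || mk->sep != NULL" requires.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MarkKind:
    name: str            # hypothetical kind name, e.g. "proto", "port"
    fmt: str             # how the rendered value list is printed
    sep: Optional[str]   # separator for multiple values; None = unsupported


def scan_marks(kind: MarkKind, values: List[str]) -> str:
    """Render the values of one mark kind, enforcing the invariant.

    With more than one value the kind must supply a separator; raising
    here stands in for the abort() that npfctl's assert triggered.
    """
    nvals = len(values)
    if nvals == 0:
        return ""
    if not (nvals == 1 or kind.sep is not None):
        raise AssertionError(
            f'nvals == 1 || mk->sep != NULL failed for mark "{kind.name}"')
    if nvals == 1:
        return kind.fmt % values[0]
    return kind.fmt % ("{ " + kind.sep.join(values) + " }")


# Hypothetical buggy table: no kind was given a separator, so any rule
# that carries two values of the same kind cannot be printed.
BUGGY_TABLE: Dict[str, MarkKind] = {
    "proto": MarkKind("proto", "proto %s", None),
    "port": MarkKind("port", "port %s", None),
}

# Hypothetical fixed table: every kind that may repeat gets a separator.
FIXED_TABLE: Dict[str, MarkKind] = {
    "proto": MarkKind("proto", "proto %s", ", "),
    "port": MarkKind("port", "port %s", ", "),
}


def print_filter(table: Dict[str, MarkKind],
                 marks: List[Tuple[str, str]]) -> str:
    """Group (kind, value) pairs by kind and render each group in table order."""
    grouped: Dict[str, List[str]] = {}
    for kind_name, value in marks:
        grouped.setdefault(kind_name, []).append(value)
    parts = [scan_marks(table[k], grouped[k]) for k in table if k in grouped]
    return " ".join(parts)


# Constructed marks resembling the map rule from the report: the dynamic
# NAT rule matches both tcp and udp, so "proto" carries two values.
MAP_RULE_MARKS: List[Tuple[str, str]] = [
    ("proto", "tcp"), ("proto", "udp"), ("port", "8080"),
]


def render_with_buggy_table() -> Optional[str]:
    """Returns None where the original printer would have aborted."""
    try:
        return print_filter(BUGGY_TABLE, MAP_RULE_MARKS)
    except AssertionError:
        return None


def render_with_fixed_table() -> str:
    """Same rule through the table that defines separators."""
    return print_filter(FIXED_TABLE, MAP_RULE_MARKS)


if __name__ == "__main__":
    print("buggy table:", render_with_buggy_table())
    print("fixed table:", render_with_fixed_table())
```

The point for anyone running `npfctl validate` as a pre-deployment gate is that the failure here was in the display path, not in the ruleset: a valid configuration made the validator abort, so a crash from validate is a reason to check the tool's revision (1.29 of npf_show.c on this PR) before concluding the rules are wrong.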
From: "Mindaugas Rasiukevicius" <rmind@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/54122 CVS commit: src/usr.sbin/npf/npfctl
Date: Sat, 10 Aug 2019 22:23:55 +0000
Module Name: src
Committed By: rmind
Date: Sat Aug 10 22:23:55 UTC 2019
Modified Files:
src/usr.sbin/npf/npfctl: npf_show.c
Log Message:
npfctl show/validate: fix couple bugs in multiple table/port representation.
Fixes PR/54122.
To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.29 src/usr.sbin/npf/npfctl/npf_show.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: rmind@NetBSD.org
State-Changed-When: Sat, 10 Aug 2019 22:26:02 +0000
State-Changed-Why:
Fixed.
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/54122 CVS commit: [netbsd-9] src/usr.sbin/npf/npfctl
Date: Sun, 11 Aug 2019 10:12:18 +0000
Module Name: src
Committed By: martin
Date: Sun Aug 11 10:12:18 UTC 2019
Modified Files:
src/usr.sbin/npf/npfctl [netbsd-9]: npf_show.c
Log Message:
Pull up following revision(s) (requested by rmind in ticket #45):
usr.sbin/npf/npfctl/npf_show.c: revision 1.29
npfctl show/validate: fix couple bugs in multiple table/port representation.
Fixes PR/54122.
To generate a diff of this commit:
cvs rdiff -u -r1.28 -r1.28.2.1 src/usr.sbin/npf/npfctl/npf_show.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
>Unformatted: