NetBSD Problem Report #59615
From leot@netbsd.org Fri Aug 29 15:29:26 2025
Return-Path: <leot@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (2048 bits)
client-signature RSA-PSS (2048 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id 151D51A923A
for <gnats-bugs@gnats.NetBSD.org>; Fri, 29 Aug 2025 15:29:26 +0000 (UTC)
Message-Id: <20250829152925.6B62A855F8@mail.netbsd.org>
Date: Fri, 29 Aug 2025 15:29:25 +0000 (UTC)
From: leot@NetBSD.org
Reply-To: leot@NetBSD.org
To: gnats-bugs@NetBSD.org
Subject: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
X-Send-Pr-Version: 3.95
>Number: 59615
>Category: kern
>Synopsis: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: joe
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Aug 29 15:30:00 +0000 2025
>Closed-Date: Mon Oct 13 09:32:16 +0000 2025
>Last-Modified: Mon Oct 13 09:32:16 +0000 2025
>Originator: Leonardo Taccari
>Release: NetBSD 11.99.1
>Organization:
The NetBSD Foundation
>Environment:
System: NetBSD netbsd 11.99.1 NetBSD 11.99.1 (GENERIC) #0: Fri Aug 29 05:25:51 UTC 2025 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
Architecture: x86_64
Machine: amd64
>Description:
When booting a HEAD (11.99.1) kernel with a netbsd-10 userland and
having NPF enabled with some simple rules, all the traffic seems blocked.
>How-To-Repeat:
- Install netbsd-10:
# uname -a
NetBSD netbsd 10.1_STABLE NetBSD 10.1_STABLE (GENERIC) #0: Tue Aug 26 10:37:35 UTC 2025 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
- Populate /etc/npf.conf as follows:
alg "icmp"
procedure "log" {
log: npflog0
}
group default {
pass final on lo0 all
pass stateful out final proto icmp to any
pass stateful out final proto tcp to any
pass stateful out final proto udp to any
block all apply "log"
}
- Enable NPF:
# echo npf=yes >> /etc/rc.conf
- (Only for completeness) Check the actual configuration:
# npfctl show
# filtering: active
# config: loaded
procedure "log"
group default { # id="1"
pass final on lo0 all # id="2"
pass stateful out final proto icmp all # id="3"
pass stateful out final proto tcp flags S/FSRA all # id="4"
pass stateful out final proto udp all # id="5"
block all apply "log" # id="6"
}
- Test that ICMP is working, for example in QEMU:
# ping -c 4 10.0.2.3
PING 10.0.2.3 (10.0.2.3): 56 data bytes
64 bytes from 10.0.2.3: icmp_seq=0 ttl=255 time=18.683200 ms
64 bytes from 10.0.2.3: icmp_seq=1 ttl=255 time=0.118707 ms
64 bytes from 10.0.2.3: icmp_seq=2 ttl=255 time=19.959391 ms
64 bytes from 10.0.2.3: icmp_seq=3 ttl=255 time=0.128701 ms
- Everything works as expected and ICMP packets are sent back and forth
- Backup netbsd-10 kernel via:
# cp /netbsd /onetbsd
- (Now let's update to HEAD...)
- Extract kern-GENERIC.tar.xz and modules.tar.xz installation sets:
# tar xJpf /path/to/kern-GENERIC.tar.xz
# tar xJpf /path/to/modules.tar.xz
- Reboot via `shutdown -r now`
- Double-check that we are running -current:
# uname -a
NetBSD netbsd 11.99.1 NetBSD 11.99.1 (GENERIC) #0: Fri Aug 29 05:25:51 UTC 2025 mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
- Double-check NPF rules via npfctl:
# npfctl show
# filtering: active
# config: loaded
procedure "log"
group default { # id="1"
pass final on lo0 all # id="2"
pass stateful out final proto icmp all # id="3"
pass stateful out final proto tcp flags S/FSRA all # id="4"
pass stateful out final proto udp all # id="5"
block all apply "log" # id="6"
}
- Retry pinging the host and see that no pings are received:
# ping -c 4 10.0.2.3
PING 10.0.2.3 (10.0.2.3): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
^C
----10.0.2.3 PING Statistics----
4 packets transmitted, 0 packets received, 100.0% packet loss
- Stop NPF:
# service npf stop
Disabling NPF.
- Retry the ping and see that ICMP is now working:
# ping -c 4 10.0.2.3
PING 10.0.2.3 (10.0.2.3): 56 data bytes
64 bytes from 10.0.2.3: icmp_seq=0 ttl=255 time=19.665515 ms
64 bytes from 10.0.2.3: icmp_seq=1 ttl=255 time=0.098813 ms
64 bytes from 10.0.2.3: icmp_seq=2 ttl=255 time=0.074525 ms
^C
----10.0.2.3 PING Statistics----
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.074525/6.612951/19.665515/11.303859 ms
- Restart NPF (only to reproduce the problem again):
# service npf start
Enabling NPF /etc/npf.conf
- Retry the ping and see that with NPF enabled, although egress ICMP should
be permitted, no packets are received:
# ping -c 4 10.0.2.3
PING 10.0.2.3 (10.0.2.3): 56 data bytes
ping: sendto: Network is unreachable
^C
----10.0.2.3 PING Statistics----
1 packets transmitted, 0 packets received, 100.0% packet loss
>Fix:
Yes please!
At the moment, a workaround is to also update npfctl(8) from HEAD, and then
NPF works as expected.
>Release-Note:
>Audit-Trail:
From: Leonardo Taccari <leot@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/59615: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
Date: Sun, 31 Aug 2025 15:01:53 +0200
I have also shared that with joe@, who has recently made changes in NPF,
and he requested `npfctl stats` output.
Attached here is the `npfctl stats` transcript just after boot and
login as root, 4 pings that fail, and then the `npfctl stats` transcript
again:
# npfctl stats
Packets passed:
8 default pass
0 ruleset pass
0 state pass
Packets blocked:
0 default block
9 ruleset block
State and NAT entries:
0 state allocations
0 state destructions
0 NAT entry allocations
0 NAT entry destructions
Network buffers:
0 non-contiguous cases
0 contig alloc failures
Invalid packet state cases:
0 cases in total
0 TCP case I
0 TCP case II
0 TCP case III
Packet race cases:
0 NAT association race
0 duplicate state race
Fragmentation:
0 fragments
0 reassembled
0 failed reassembly
Other:
0 unexpected errors
# ping -c 4 10.0.2.3
PING 10.0.2.3 (10.0.2.3): 56 data bytes
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
ping: sendto: Network is unreachable
^C
----10.0.2.3 PING Statistics----
4 packets transmitted, 0 packets received, 100.0% packet loss
# npfctl stats
Packets passed:
8 default pass
0 ruleset pass
0 state pass
Packets blocked:
0 default block
17 ruleset block
State and NAT entries:
0 state allocations
0 state destructions
0 NAT entry allocations
0 NAT entry destructions
Network buffers:
0 non-contiguous cases
0 contig alloc failures
Invalid packet state cases:
0 cases in total
0 TCP case I
0 TCP case II
0 TCP case III
Packet race cases:
0 NAT association race
0 duplicate state race
Fragmentation:
0 fragments
0 reassembled
0 failed reassembly
Other:
0 unexpected errors
It seems that the "ruleset block" counter increases although the NPF
rules should permit egress ICMP traffic.
From: Emmanuel Nyarko <emmankoko519@gmail.com>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org,
gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org,
"leot@netbsd.org" <leot@NetBSD.org>
Subject: Re: kern/59615: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
Date: Sun, 31 Aug 2025 13:52:25 +0000
> On 31 Aug 2025, at 1:05 PM, Leonardo Taccari via gnats <gnats-admin@NetBSD.org> wrote:
>
> The following reply was made to PR kern/59615; it has been noted by GNATS.
>
> From: Leonardo Taccari <leot@NetBSD.org>
> To: gnats-bugs@netbsd.org
> Cc:
> Subject: Re: kern/59615: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
> Date: Sun, 31 Aug 2025 15:01:53 +0200
>
> I have also shared that with joe@, who has recently made changes in NPF,
> and he requested `npfctl stats` output.
>
> Attached here is the `npfctl stats` transcript just after boot and
> login as root, 4 pings that fail, and then the `npfctl stats` transcript
> again:
>
> # npfctl stats
> Packets passed:
> 8 default pass
> 0 ruleset pass
> 0 state pass
> Packets blocked:
> 0 default block
> 9 ruleset block
> State and NAT entries:
> 0 state allocations
> 0 state destructions
> 0 NAT entry allocations
> 0 NAT entry destructions
> Network buffers:
> 0 non-contiguous cases
> 0 contig alloc failures
> Invalid packet state cases:
> 0 cases in total
> 0 TCP case I
> 0 TCP case II
> 0 TCP case III
> Packet race cases:
> 0 NAT association race
> 0 duplicate state race
> Fragmentation:
> 0 fragments
> 0 reassembled
> 0 failed reassembly
> Other:
> 0 unexpected errors
> # ping -c 4 10.0.2.3
> PING 10.0.2.3 (10.0.2.3): 56 data bytes
> ping: sendto: Network is unreachable
> ping: sendto: Network is unreachable
> ping: sendto: Network is unreachable
> ping: sendto: Network is unreachable
> ^C
> ----10.0.2.3 PING Statistics----
> 4 packets transmitted, 0 packets received, 100.0% packet loss
> # npfctl stats
> Packets passed:
> 8 default pass
> 0 ruleset pass
> 0 state pass
> Packets blocked:
> 0 default block
> 17 ruleset block
> State and NAT entries:
> 0 state allocations
> 0 state destructions
> 0 NAT entry allocations
> 0 NAT entry destructions
> Network buffers:
> 0 non-contiguous cases
> 0 contig alloc failures
> Invalid packet state cases:
> 0 cases in total
> 0 TCP case I
> 0 TCP case II
> 0 TCP case III
> Packet race cases:
> 0 NAT association race
> 0 duplicate state race
> Fragmentation:
> 0 fragments
> 0 reassembled
> 0 failed reassembly
> Other:
> 0 unexpected errors
>
> It seems that the "ruleset block" counter increases although the NPF
> rules should permit egress ICMP traffic.
Thanks!
So the main issue here is that, during packet inspection, the kernel checks
the layer, whether layer 2 or 3, by masking the layer bit set in the rule:
	if ((attr & layer) == 0) {
		n = skip_to;
		continue;
	}
So, since the netbsd-10 userland doesn't set the layers in the rules
(setting layer bits was introduced in 11), the kernel is ignoring all the
rules and executing "block all" as in the npf config you sent.
I think I should have loudly announced this.
But there's always a fix.
So what we can do is, since the attribute must contain either of the layers:
	/* only check this if layer is set from userland */
	if (attr & (NPF_RULE_LAYER_3 | NPF_RULE_LAYER_2)) {
		if ((attr & layer) == 0) {
			n = skip_to;
			continue;
		}
	}
This still maintains the current logic and also 11 kernel - 10 userland
compatibility.
Emmanuel
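The layer check Emmanuel describes, modelled as an added example (my code, not NetBSD's; the NPF_RULE_LAYER_* bit values are assumptions, the real ones live in sys/net/npf/npf.h). skip_old is the HEAD test before the fix, skip_two_branch is the two-case form proposed above, and skip_committed is the single-condition form that was eventually committed in this PR. forms_consistent() checks exhaustively that the two fixed forms agree on every layer-bit combination and that both agree with the old test whenever a rule does carry a layer bit; rules_inspected() shows why a ruleset loaded by a netbsd-10 npfctl (no layer bits at all, constructed here) was invisible to the old test at layer 3.

```c
/*
 * Added example, not NetBSD code: the per-rule layer check in
 * npf_ruleset_inspect() before and after the fix in PR kern/59615.
 * Bit values are assumptions; the real constants are in sys/net/npf/npf.h.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NPF_RULE_PASS      0x00000001u   /* assumed value, only here for realism */
#define NPF_RULE_LAYER_2   0x01000000u   /* assumed value */
#define NPF_RULE_LAYER_3   0x02000000u   /* assumed value */
#define NPF_RULE_LAYERS    (NPF_RULE_LAYER_2 | NPF_RULE_LAYER_3)

/* HEAD before the fix: skip any rule whose r_attr lacks the packet's layer bit. */
static bool
skip_old(uint32_t attr, uint32_t layer)
{
	return (attr & layer) == 0;
}

/* Two-branch form proposed in the thread: no layer bits means "layer 3 only". */
static bool
skip_two_branch(uint32_t attr, uint32_t layer)
{
	if (attr & NPF_RULE_LAYERS)
		return (attr & layer) == 0;
	/* Rule loaded by an npfctl without layer attributes: never inspect at L2. */
	return layer == NPF_RULE_LAYER_2;
}

/* Single-condition form as committed (npf_ruleset.c r1.57), written positively. */
static bool
skip_committed(uint32_t attr, uint32_t layer)
{
	bool inspect = (layer == NPF_RULE_LAYER_3 && (attr & NPF_RULE_LAYERS) == 0) ||
	    (attr & layer) != 0;
	return !inspect;
}

/*
 * Exhaustive check over every layer-bit combination and both packet layers:
 * the two fixed forms must agree with each other, and with the old test
 * whenever the rule actually carries a layer bit (no behaviour change for
 * rules loaded by a HEAD npfctl).
 */
static bool
forms_consistent(void)
{
	static const uint32_t attrs[] = {
		NPF_RULE_PASS,
		NPF_RULE_PASS | NPF_RULE_LAYER_2,
		NPF_RULE_PASS | NPF_RULE_LAYER_3,
		NPF_RULE_PASS | NPF_RULE_LAYERS,
	};
	static const uint32_t layers[] = { NPF_RULE_LAYER_2, NPF_RULE_LAYER_3 };

	for (size_t i = 0; i < sizeof(attrs) / sizeof(attrs[0]); i++) {
		for (size_t j = 0; j < 2; j++) {
			bool a = skip_two_branch(attrs[i], layers[j]);
			bool b = skip_committed(attrs[i], layers[j]);
			if (a != b)
				return false;
			if ((attrs[i] & NPF_RULE_LAYERS) != 0 &&
			    skip_old(attrs[i], layers[j]) != b)
				return false;
		}
	}
	return true;
}

/* How many rules of a ruleset would be inspected at the given layer. */
static size_t
rules_inspected(const uint32_t *attrs, size_t n, uint32_t layer,
    bool (*skip)(uint32_t, uint32_t))
{
	size_t inspected = 0;
	for (size_t i = 0; i < n; i++)
		if (!skip(attrs[i], layer))
			inspected++;
	return inspected;
}

/* Six rules as a netbsd-10 npfctl loads them: no layer bits at all (constructed). */
#define LEGACY_RULES 6
static const uint32_t legacy_ruleset[LEGACY_RULES] = {
	NPF_RULE_PASS, NPF_RULE_PASS, NPF_RULE_PASS, NPF_RULE_PASS, NPF_RULE_PASS, 0
};

int
main(void)
{
	printf("fixed forms consistent: %s\n", forms_consistent() ? "yes" : "no");
	printf("legacy rules inspected at L3, old check:   %zu of %d\n",
	    rules_inspected(legacy_ruleset, LEGACY_RULES, NPF_RULE_LAYER_3, skip_old),
	    LEGACY_RULES);
	printf("legacy rules inspected at L3, fixed check: %zu of %d\n",
	    rules_inspected(legacy_ruleset, LEGACY_RULES, NPF_RULE_LAYER_3, skip_committed),
	    LEGACY_RULES);
	printf("legacy rules inspected at L2, fixed check: %zu of %d\n",
	    rules_inspected(legacy_ruleset, LEGACY_RULES, NPF_RULE_LAYER_2, skip_committed),
	    LEGACY_RULES);
	return 0;
}
```

The exhaustive table is the check worth keeping around: any future edit to the skip condition can be compared against it in a few lines, and it makes explicit that a rule with neither layer bit is treated as a layer-3 rule rather than as a rule that matches nowhere.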
From: Leonardo Taccari <leot@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/59615: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
Date: Thu, 04 Sep 2025 12:58:39 +0200
Hello folks,
<joe> shared the attached patch off-list and it fixes the issue, but the
`npfctl stats` for NAT are not OK, probably due to npf_stats_t enum changes.
Sharing here too for completeness...
After applying the patch, here is the transcript of `npfctl stats` before and
after the ping, and of `npfctl list`:
# npfctl stats
Packets passed:
9 default pass
8 ruleset pass
0 state pass
Packets blocked:
0 default block
0 ruleset block
State and NAT entries:
10 state allocations
0 state destructions
0 NAT entry allocations
0 NAT entry destructions
Network buffers:
0 non-contiguous cases
0 contig alloc failures
Invalid packet state cases:
0 cases in total
0 TCP case I
0 TCP case II
0 TCP case III
Packet race cases:
0 NAT association race
0 duplicate state race
Fragmentation:
0 fragments
0 reassembled
0 failed reassembly
Other:
0 unexpected errors
# ping -c 4 10.0.2.3
PING 10.0.2.3 (10.0.2.3): 56 data bytes
64 bytes from 10.0.2.3: icmp_seq=0 ttl=255 time=0.096294 ms
64 bytes from 10.0.2.3: icmp_seq=1 ttl=255 time=0.099546 ms
64 bytes from 10.0.2.3: icmp_seq=2 ttl=255 time=19.273100 ms
64 bytes from 10.0.2.3: icmp_seq=3 ttl=255 time=0.098007 ms
----10.0.2.3 PING Statistics----
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.096294/4.891737/19.273100/9.587576 ms
# npfctl stats
Packets passed:
21 default pass
14 ruleset pass
8 state pass
Packets blocked:
0 default block
0 ruleset block
State and NAT entries:
10 state allocations
0 state destructions
2 NAT entry allocations
0 NAT entry destructions
Network buffers:
0 non-contiguous cases
0 contig alloc failures
Invalid packet state cases:
0 cases in total
0 TCP case I
0 TCP case II
0 TCP case III
Packet race cases:
0 NAT association race
0 duplicate state race
Fragmentation:
0 fragments
0 reassembled
0 failed reassembly
Other:
0 unexpected errors
# npfctl list
# src-addr:port dst-addr:port interface nat-addr:port
10.0.2.15:65533 10.0.2.3:53 -
10.0.2.15:8920 10.0.2.3:8920 -
Patch attached inline.
Thanks Emmanuel!
Index: sys/net/npf/npf_ruleset.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_ruleset.c,v
retrieving revision 1.56
diff -u -p -r1.56 npf_ruleset.c
--- sys/net/npf/npf_ruleset.c 1 Jul 2025 18:42:37 -0000 1.56
+++ sys/net/npf/npf_ruleset.c 31 Aug 2025 17:18:46 -0000
@@ -925,9 +925,18 @@ npf_ruleset_inspect(npf_cache_t *npc, co
const unsigned skip_to = rl->r_skip_to & SKIPTO_MASK;
const uint32_t attr = rl->r_attr;
- if ((attr & layer) == 0) {
- n = skip_to;
- continue;
+
+ if (attr & (NPF_RULE_LAYER_3 | NPF_RULE_LAYER_2)) {
+ if ((attr & layer) == 0) {
+ n = skip_to;
+ continue;
+ }
+ } else {
+ /* if no layer attribute is set, never inspect at layer 2 */
+ if (layer == NPF_RULE_LAYER_2) {
+ n = skip_to;
+ continue;
+ }
}
KASSERT(!nbuf_flag_p(nbuf, NBUF_DATAREF_RESET));
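Review bot: the `else` arm at the end of this hunk hardcodes the assumption that `layer` is only ever NPF_RULE_LAYER_2 or NPF_RULE_LAYER_3, and the whole compatibility decision is re-evaluated for every rule on every packet in the hot path of npf_ruleset_inspect(). Cheaper and easier to reason about is to normalize once when the rule is loaded: if `r_attr` carries neither layer bit, set NPF_RULE_LAYER_3 there, so rules from a pre-layer npfctl look exactly like layer-3 rules and the original `if ((attr & layer) == 0)` test can stay untouched. If the per-packet branch is kept, the leading `+` line that adds only a blank line should go, and the comment should say why the no-bit case exists (rules loaded by an npfctl that predates layer attributes, PR kern/59615) rather than only what the branch does.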
From: Emmanuel Nyarko <emmankoko519@gmail.com>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org,
gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org,
"leot@netbsd.org" <leot@NetBSD.org>
Subject: Re: kern/59615: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
Date: Fri, 5 Sep 2025 07:06:35 +0000
Hi Leo,
Please can you run this patch in and test the kernel.
Index: sys/net/npf/npf.h
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf.h,v
retrieving revision 1.67
diff -u -r1.67 npf.h
--- sys/net/npf/npf.h 1 Jul 2025 18:42:37 -0000 1.67
+++ sys/net/npf/npf.h 4 Sep 2025 11:41:15 -0000
@@ -355,11 +355,9 @@
NPF_STAT_PASS_DEFAULT,
NPF_STAT_PASS_RULESET,
NPF_STAT_PASS_CONN,
- NPF_ETHER_STAT_PASS,
/* Packets blocked. */
NPF_STAT_BLOCK_DEFAULT,
NPF_STAT_BLOCK_RULESET,
- NPF_ETHER_STAT_BLOCK,
/* Connection and NAT entries. */
NPF_STAT_CONN_CREATE,
NPF_STAT_CONN_DESTROY,
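Review bot: moving NPF_ETHER_STAT_PASS and NPF_ETHER_STAT_BLOCK out of the middle of the enum restores the netbsd-10 index of every counter after NPF_STAT_PASS_CONN, which is the actual fix here, but nothing in the header records that the order is an ABI shared with npfctl's stats table. Add a comment at the head of npf_stats_t stating that existing enumerators must not be reordered or removed and that new counters are appended immediately before NPF_STATS_COUNT; otherwise the next counter someone adds "near its friends" reintroduces exactly this bug.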
@@ -382,6 +380,9 @@
/* nbuf non-contiguous cases. */
NPF_STAT_NBUF_NONCONTIG,
NPF_STAT_NBUF_CONTIG_FAIL,
+ /* layer 2 statistics */
+ NPF_ETHER_STAT_PASS,
+ NPF_ETHER_STAT_BLOCK,
/* Count (last). */
NPF_STATS_COUNT
} npf_stats_t;
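Review bot: after the move NPF_STATS_COUNT is still two larger than the netbsd-10 value, so the array the kernel exports is 16 bytes longer than an old npfctl expects. If the IOC_NPF_STATS copyout length is computed from the kernel's NPF_STATS_COUNT rather than from a length supplied by the caller, an npfctl built against the old header that sized its buffer from its own count gets two extra uint64_t entries written past that buffer; confirm the copyout is bounded by what the caller provides before relying on this layout for mixed-version use. Minor: `/* layer 2 statistics */` does not follow the `/* Packets blocked. */` comment style used in the rest of the enum.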
This patch is to ensure the macros maintain their index values across
10 and 11, so npfctl does not read different values from the kernel.
Tested on mine and works cool with both a full 11 setup and a 10
userland with an 11 kernel.
But I would like to hear from you too.
Emmanuel
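The index shift that the patch above corrects, as an added example (my code, not NetBSD's): the kernel fills a flat array indexed by its npf_stats_t, and npfctl reads that array with the npf_stats_t it was compiled against, so the position of every enumerator is ABI. The three layouts follow the part of npf.h visible in the hunks; that NAT_CREATE/NAT_DESTROY follow CONN_DESTROY is an assumption, and so is the simplification in copyout_overrun_bytes() that the copyout length is derived from the kernel's count (whether IOC_NPF_STATS is bounded by the caller is not established by this PR). With the pre-patch HEAD layout a netbsd-10 npfctl labels the kernel's CONN_CREATE counter as "NAT entry allocations", which is consistent with the earlier transcript showing 2 NAT entry allocations while `npfctl list` had two state entries and the npf.conf has no map rules.

```c
/*
 * Added example, not NetBSD code: enum position as ABI for the npf_stats_t
 * array shared between kernel and npfctl (PR kern/59615). Counter names are
 * used as a version-independent key; each layout is a simplified model of
 * the visible part of sys/net/npf/npf.h, and the NAT_* entries are assumed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* npf_stats_t as a netbsd-10 npfctl was built against it (model). */
static const char *const LAYOUT_10[] = {
	"PASS_DEFAULT", "PASS_RULESET", "PASS_CONN",
	"BLOCK_DEFAULT", "BLOCK_RULESET",
	"CONN_CREATE", "CONN_DESTROY", "NAT_CREATE", "NAT_DESTROY", NULL
};

/* HEAD before the patch: the two Ethernet counters inserted mid-enum. */
static const char *const LAYOUT_HEAD_BEFORE[] = {
	"PASS_DEFAULT", "PASS_RULESET", "PASS_CONN", "ETHER_PASS",
	"BLOCK_DEFAULT", "BLOCK_RULESET", "ETHER_BLOCK",
	"CONN_CREATE", "CONN_DESTROY", "NAT_CREATE", "NAT_DESTROY", NULL
};

/* HEAD after the patch: the same two counters appended before the count. */
static const char *const LAYOUT_HEAD_AFTER[] = {
	"PASS_DEFAULT", "PASS_RULESET", "PASS_CONN",
	"BLOCK_DEFAULT", "BLOCK_RULESET",
	"CONN_CREATE", "CONN_DESTROY", "NAT_CREATE", "NAT_DESTROY",
	"ETHER_PASS", "ETHER_BLOCK", NULL
};

/* Index of a counter in a layout, i.e. its enumerator value; -1 if absent. */
static int
stat_index(const char *const *layout, const char *name)
{
	for (int i = 0; layout[i] != NULL; i++)
		if (strcmp(layout[i], name) == 0)
			return i;
	return -1;
}

/* Equivalent of NPF_STATS_COUNT for a layout. */
static size_t
stat_count(const char *const *layout)
{
	size_t n = 0;
	while (layout[n] != NULL)
		n++;
	return n;
}

/*
 * Which kernel counter a userland label really displays: userland computes
 * the index from its own enum and reads that slot of the kernel's array.
 * NULL when the slot lies beyond the kernel's array.
 */
static const char *
displayed_counter(const char *const *kernel, const char *const *user,
    const char *label)
{
	int idx = stat_index(user, label);
	if (idx < 0 || (size_t)idx >= stat_count(kernel))
		return NULL;
	return kernel[idx];
}

/* True when every counter the userland knows has the same index in the kernel. */
static bool
abi_compatible(const char *const *kernel, const char *const *user)
{
	for (int i = 0; user[i] != NULL; i++)
		if (stat_index(kernel, user[i]) != i)
			return false;
	return true;
}

/*
 * Bytes a copyout of the kernel's whole array would write past a buffer the
 * userland sized from its own count (assumes the copyout length is taken
 * from the kernel side; 0 when the kernel array is not larger).
 */
static size_t
copyout_overrun_bytes(const char *const *kernel, const char *const *user)
{
	size_t k = stat_count(kernel), u = stat_count(user);
	return k > u ? (k - u) * sizeof(uint64_t) : 0;
}

int
main(void)
{
	static const char *const *const kernels[] = { LAYOUT_HEAD_BEFORE, LAYOUT_HEAD_AFTER };
	static const char *const names[] = { "HEAD before patch", "HEAD after patch" };

	for (size_t k = 0; k < 2; k++) {
		printf("%s: compatible with netbsd-10 npfctl: %s, overrun %zu bytes\n",
		    names[k], abi_compatible(kernels[k], LAYOUT_10) ? "yes" : "no",
		    copyout_overrun_bytes(kernels[k], LAYOUT_10));
		for (int i = 0; LAYOUT_10[i] != NULL; i++)
			printf("  npfctl label %-14s shows kernel %s\n", LAYOUT_10[i],
			    displayed_counter(kernels[k], LAYOUT_10, LAYOUT_10[i]));
	}
	return 0;
}
```

abi_compatible() is the assertion a build-time or ATF test could carry for this header: compare the current enumerator values against a frozen table of the values a released npfctl uses, so that a reordering fails a test instead of showing up as mislabelled counters on someone's mixed-version box.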
From: Leonardo Taccari <leot@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/59615: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
Date: Sat, 06 Sep 2025 16:10:23 +0200
Hello Emmanuel,
Emmanuel Nyarko writes:
> Hi Leo,
>
> Please can you run this patch in and test the kernel.
>
> Index: sys/net/npf/npf.h
> ===================================================================
> RCS file: /cvsroot/src/sys/net/npf/npf.h,v
> retrieving revision 1.67
> diff -u -r1.67 npf.h
> --- sys/net/npf/npf.h 1 Jul 2025 18:42:37 -0000 1.67
> +++ sys/net/npf/npf.h 4 Sep 2025 11:41:15 -0000
> @@ -355,11 +355,9 @@
> NPF_STAT_PASS_DEFAULT,
> NPF_STAT_PASS_RULESET,
> NPF_STAT_PASS_CONN,
> - NPF_ETHER_STAT_PASS,
> /* Packets blocked. */
> NPF_STAT_BLOCK_DEFAULT,
> NPF_STAT_BLOCK_RULESET,
> - NPF_ETHER_STAT_BLOCK,
> /* Connection and NAT entries. */
> NPF_STAT_CONN_CREATE,
> NPF_STAT_CONN_DESTROY,
> @@ -382,6 +380,9 @@
> /* nbuf non-contiguous cases. */
> NPF_STAT_NBUF_NONCONTIG,
> NPF_STAT_NBUF_CONTIG_FAIL,
> + /* layer 2 statistics */
> + NPF_ETHER_STAT_PASS,
> + NPF_ETHER_STAT_BLOCK,
> /* Count (last). */
> NPF_STATS_COUNT
> } npf_stats_t;
>
> This patch is to ensure the macros maintain their index values across 10 and 11, so npfctl does not read different values from the kernel.
>
> Tested on mine and works cool with both a full 11 setup and a 10 userland with an 11 kernel.
>
> But I would like to hear from you too.
> [...]
I have tested it (both the former patch that you shared off-list and I
attached here a couple of days ago, and this one you shared yesterday)
and I can confirm that now the stats look good:
# npfctl list
# src-addr:port dst-addr:port interface nat-addr:port
# npfctl stats
Packets passed:
8 default pass
8 ruleset pass
0 state pass
Packets blocked:
0 default block
7 ruleset block
State and NAT entries:
0 state allocations
0 state destructions
0 NAT entry allocations
0 NAT entry destructions
Network buffers:
0 non-contiguous cases
0 contig alloc failures
Invalid packet state cases:
0 cases in total
0 TCP case I
0 TCP case II
0 TCP case III
Packet race cases:
0 NAT association race
0 duplicate state race
Fragmentation:
0 fragments
0 reassembled
0 failed reassembly
Other:
0 unexpected errors
# ping -c 4 10.0.2.3
PING 10.0.2.3 (10.0.2.3): 56 data bytes
64 bytes from 10.0.2.3: icmp_seq=0 ttl=255 time=19.203814 ms
64 bytes from 10.0.2.3: icmp_seq=1 ttl=255 time=0.115402 ms
64 bytes from 10.0.2.3: icmp_seq=2 ttl=255 time=0.088149 ms
64 bytes from 10.0.2.3: icmp_seq=3 ttl=255 time=0.101776 ms
----10.0.2.3 PING Statistics----
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.088149/4.877285/19.203814/9.551026 ms
# npfctl list
# src-addr:port dst-addr:port interface nat-addr:port
10.0.2.15:65533 10.0.2.3:53 -
10.0.2.15:62358 10.0.2.3:62358 -
# npfctl stats
Packets passed:
20 default pass
14 ruleset pass
8 state pass
Packets blocked:
0 default block
8 ruleset block
State and NAT entries:
2 state allocations
0 state destructions
0 NAT entry allocations
0 NAT entry destructions
Network buffers:
0 non-contiguous cases
0 contig alloc failures
Invalid packet state cases:
0 cases in total
0 TCP case I
0 TCP case II
0 TCP case III
Packet race cases:
0 NAT association race
0 duplicate state race
Fragmentation:
0 fragments
0 reassembled
0 failed reassembly
Other:
0 unexpected errors
Thanks a lot!
From: Emmanuel Nyarko <emmankoko519@gmail.com>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org,
gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org,
"leot@netbsd.org" <leot@NetBSD.org>
Subject: Re: kern/59615: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
Date: Sun, 7 Sep 2025 15:51:36 +0000
> On 6 Sep 2025, at 2:15 PM, Leonardo Taccari via gnats <gnats-admin@NetBSD.org> wrote:
>
> The following reply was made to PR kern/59615; it has been noted by GNATS.
>
> From: Leonardo Taccari <leot@NetBSD.org>
> To: gnats-bugs@netbsd.org
> Cc:
> Subject: Re: kern/59615: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
> Date: Sat, 06 Sep 2025 16:10:23 +0200
>
> Hello Emmanuel,
>
> Emmanuel Nyarko writes:
>>
>
> I have tested it (both the former patch that you shared off-list and I
> attached here a couple of days ago, and this one you shared yesterday)
> and I can confirm that now the stats look good:
Committing this. @leot
Index: ./sys/net/npf/npf_ruleset.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_ruleset.c,v
retrieving revision 1.56
diff -u -r1.56 npf_ruleset.c
--- ./sys/net/npf/npf_ruleset.c 1 Jul 2025 18:42:37 -0000 1.56
+++ ./sys/net/npf/npf_ruleset.c 7 Sep 2025 15:47:06 -0000
@@ -925,7 +925,14 @@
const unsigned skip_to =3D rl->r_skip_to & SKIPTO_MASK;
const uint32_t attr =3D rl->r_attr;
=20
- if ((attr & layer) =3D=3D 0) {
+ /*
+ * PR kern/59615
+ * we are skipping rule inspection on two cases
+ * if layer attributes are set but we are on a different =
layer
+ * or if no layer attributes set (10 userland), don't =
inspect at layer 2
+ */
+ if ((((attr & (NPF_RULE_LAYER_2 | NPF_RULE_LAYER_3)) && =
(attr & layer) =3D=3D 0)) ||
+ (((attr & (NPF_RULE_LAYER_2 | NPF_RULE_LAYER_3)) =3D=3D=
0) && layer =3D=3D NPF_RULE_LAYER_2)) {
n =3D skip_to;
continue;
}
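Review bot: the condition repeats `(attr & (NPF_RULE_LAYER_2 | NPF_RULE_LAYER_3))` twice and needs four levels of parentheses to read; compute the mask once, e.g. `const uint32_t rl_layers = attr & (NPF_RULE_LAYER_2 | NPF_RULE_LAYER_3);`, then test `(rl_layers != 0 && (attr & layer) == 0) || (rl_layers == 0 && layer == NPF_RULE_LAYER_2)`, or move it into a small static inline helper so the two cases in the comment map one-to-one onto code. The comment's "(10 userland)" also undersells the scope: any npfctl built before layer attributes existed produces such rules, so describe the rule ("loaded without layer attributes") rather than naming one release.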
RCS file: /cvsroot/src/sys/net/npf/npf.h,v
retrieving revision 1.67
diff -u -r1.67 npf.h
--- sys/net/npf/npf.h 1 Jul 2025 18:42:37 -0000 1.67
+++ sys/net/npf/npf.h 4 Sep 2025 11:41:15 -0000
@@ -355,11 +355,9 @@
NPF_STAT_PASS_DEFAULT,
NPF_STAT_PASS_RULESET,
NPF_STAT_PASS_CONN,
- NPF_ETHER_STAT_PASS,
/* Packets blocked. */
NPF_STAT_BLOCK_DEFAULT,
NPF_STAT_BLOCK_RULESET,
- NPF_ETHER_STAT_BLOCK,
/* Connection and NAT entries. */
NPF_STAT_CONN_CREATE,
NPF_STAT_CONN_DESTROY,
@@ -382,6 +380,9 @@
/* nbuf non-contiguous cases. */
NPF_STAT_NBUF_NONCONTIG,
NPF_STAT_NBUF_CONTIG_FAIL,
+ /* layer 2 statistics */
+ NPF_ETHER_STAT_PASS,
+ NPF_ETHER_STAT_BLOCK,
/* Count (last). */
NPF_STATS_COUNT
} npf_stats_t;
fixes PR.
Emmanuel
From: Emmanuel Nyarko <emmankoko519@gmail.com>
To: gnats-bugs@netbsd.org
Cc: kern-bug-people@netbsd.org,
gnats-admin@netbsd.org,
netbsd-bugs@netbsd.org,
"leot@netbsd.org" <leot@NetBSD.org>
Subject: Re: kern/59615: NPF seems to block all traffic with a HEAD (11.99.x) kernel and netbsd-10 userland
Date: Mon, 6 Oct 2025 18:18:13 +0000
Hi Leot,
I'm closing this PR.
I'm committing this patch.
Index: sys/net/npf/npf.h
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf.h,v
retrieving revision 1.67
diff -u -r1.67 npf.h
--- sys/net/npf/npf.h 1 Jul 2025 18:42:37 -0000 1.67
+++ sys/net/npf/npf.h 6 Oct 2025 18:13:26 -0000
@@ -355,11 +355,9 @@
NPF_STAT_PASS_DEFAULT,
NPF_STAT_PASS_RULESET,
NPF_STAT_PASS_CONN,
- NPF_ETHER_STAT_PASS,
/* Packets blocked. */
NPF_STAT_BLOCK_DEFAULT,
NPF_STAT_BLOCK_RULESET,
- NPF_ETHER_STAT_BLOCK,
/* Connection and NAT entries. */
NPF_STAT_CONN_CREATE,
NPF_STAT_CONN_DESTROY,
@@ -382,6 +380,9 @@
/* nbuf non-contiguous cases. */
NPF_STAT_NBUF_NONCONTIG,
NPF_STAT_NBUF_CONTIG_FAIL,
+ /* layer 2 statistics */
+ NPF_ETHER_STAT_PASS,
+ NPF_ETHER_STAT_BLOCK,
/* Count (last). */
NPF_STATS_COUNT
} npf_stats_t;
Index: sys/net/npf/npf_ruleset.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_ruleset.c,v
retrieving revision 1.56
diff -u -r1.56 npf_ruleset.c
--- sys/net/npf/npf_ruleset.c 1 Jul 2025 18:42:37 -0000 1.56
+++ sys/net/npf/npf_ruleset.c 6 Oct 2025 18:13:26 -0000
@@ -925,7 +925,14 @@
const unsigned skip_to =3D rl->r_skip_to & SKIPTO_MASK;
const uint32_t attr =3D rl->r_attr;
=20
- if ((attr & layer) =3D=3D 0) {
+ /*
+ * PR kern/59615
+ * we are skipping rule inspection on two cases
+ * if layer attributes are set but we are on a different =
layer
+ * or if no layer attributes set (10 userland), don't =
inspect at layer 2
+ */
+ if (!(((layer =3D=3D NPF_RULE_LAYER_3 && ((attr & =
(NPF_RULE_LAYER_2 | NPF_RULE_LAYER_3)) =3D=3D 0)) ||
+ (attr & layer)))) {
n =3D skip_to;
continue;
}
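Review bot: the comment still lists the two cases in which a rule is skipped, while the condition is now the negation of the two cases in which a rule is inspected (it carries the packet's layer bit, or it carries no layer bit at all and the packet is at layer 3), so a reader has to apply De Morgan to the comment to check the code. Rewrite the comment in the same positive form as the condition, drop the redundant outer parentheses in `if (!(( ... )))`, and compare `attr & layer` with `!= 0` explicitly so the mixed bool-and-bitmask expression does not depend on implicit conversion. The version as written is equivalent to the earlier two-branch form for the two layers NPF has today; if a third layer value is ever added the "no layer bits means layer 3" rule should live in one place, ideally at rule load, not in this per-packet test.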
From: "Emmanuel" <joe@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59615 CVS commit: src/sys/net/npf
Date: Thu, 9 Oct 2025 15:30:18 +0000
Module Name: src
Committed By: joe
Date: Thu Oct 9 15:30:18 UTC 2025
Modified Files:
src/sys/net/npf: npf.h npf_ruleset.c
Log Message:
PR kern/59615 introduce layer checks for 10 userland 11 kernel
To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 src/sys/net/npf/npf.h
cvs rdiff -u -r1.56 -r1.57 src/sys/net/npf/npf_ruleset.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Responsible-Changed-From-To: kern-bug-people->joe
Responsible-Changed-By: martin@NetBSD.org
Responsible-Changed-When: Fri, 10 Oct 2025 12:12:56 +0000
Responsible-Changed-Why:
joe fixed it in HEAD
State-Changed-From-To: open->needs-pullups
State-Changed-By: martin@NetBSD.org
State-Changed-When: Fri, 10 Oct 2025 12:12:56 +0000
State-Changed-Why:
needs pullup to -11
From: "Martin Husemann" <martin@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/59615 CVS commit: [netbsd-11] src/sys/net/npf
Date: Mon, 13 Oct 2025 09:24:53 +0000
Module Name: src
Committed By: martin
Date: Mon Oct 13 09:24:53 UTC 2025
Modified Files:
src/sys/net/npf [netbsd-11]: npf.h npf_ruleset.c
Log Message:
Pull up following revision(s) (requested by joe in ticket #53):
sys/net/npf/npf.h: revision 1.68
sys/net/npf/npf_ruleset.c: revision 1.57
PR kern/59615 introduce layer checks for 10 userland 11 kernel
To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.67.2.1 src/sys/net/npf/npf.h
cvs rdiff -u -r1.56 -r1.56.2.1 src/sys/net/npf/npf_ruleset.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: needs-pullups->closed
State-Changed-By: martin@NetBSD.org
State-Changed-When: Mon, 13 Oct 2025 09:32:16 +0000
State-Changed-Why:
pullups done
>Unformatted:
Copyright © 1994-2025
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.