Re: npf bug(?)
On Sun, 2 Apr 2017, Christos Zoulas wrote:

> I am trying to understand the use case here:
>
> 1. you want to have V4 DNS and 6to4 service that can generate V4 fragments
> 2. you want V4 fragments dropped.
> 3. you can't put V4 rules in your firewall to restrict traffic to only
>    those services.
>
> Is that correct?

That is not completely right. I want to filter IPv6 with npf. IPv4 should not be filtered. After the activation of npf the statistics show:

Fragmentation:
        1296 fragments
        1104 reassembled
        7160 failed reassembly

Since IPv6 is no longer reassembling, it must be IPv4 packets. I want to make sure that the reassembly errors do not lead to packet losses, especially at 6to4.

Regards
Uwe
daily CVS update output
Updating src tree:
P src/distrib/sets/lists/debug/mi
P src/distrib/sets/lists/tests/mi
P src/doc/3RDPARTY
P src/doc/CHANGES
P src/external/bsd/dhcpcd/Makefile
P src/external/bsd/dhcpcd/dist/Makefile
P src/external/bsd/dhcpcd/dist/configure
P src/external/bsd/dhcpcd/dist/src/bpf.c
P src/external/bsd/dhcpcd/dist/src/defs.h
P src/external/bsd/dhcpcd/dist/src/dhcp.c
P src/external/bsd/dhcpcd/dist/src/dhcp6.c
P src/external/bsd/dhcpcd/dist/src/dhcpcd.8.in
P src/external/bsd/dhcpcd/dist/src/dhcpcd.conf.5.in
P src/external/bsd/dhcpcd/dist/src/ipv4ll.h
U src/external/bsd/dhcpcd/examples/Makefile
U src/external/bsd/dhcpcd/examples/hooks/Makefile
P src/external/bsd/dhcpcd/libexec/dhcpcd-hooks/Makefile
P src/external/bsd/dhcpcd/sbin/dhcpcd/Makefile
P src/lib/libc/sys/kqueue.2
P src/share/man/man9/knote.9
P src/sys/arch/hppa/hppa/machdep.c
P src/sys/arch/zaurus/conf/GENERIC
P src/tests/lib/libc/sys/Makefile
U src/tests/lib/libc/sys/msg.h
U src/tests/lib/libc/sys/t_ptrace.c
U src/tests/lib/libc/sys/t_ptrace_amd64_wait.h
U src/tests/lib/libc/sys/t_ptrace_i386_wait.h
U src/tests/lib/libc/sys/t_ptrace_wait.c
U src/tests/lib/libc/sys/t_ptrace_wait.h
U src/tests/lib/libc/sys/t_ptrace_wait3.c
U src/tests/lib/libc/sys/t_ptrace_wait4.c
U src/tests/lib/libc/sys/t_ptrace_wait6.c
U src/tests/lib/libc/sys/t_ptrace_waitid.c
U src/tests/lib/libc/sys/t_ptrace_waitpid.c
U src/tests/lib/libc/sys/t_ptrace_x86_wait.h

Updating xsrc tree:

Killing core files:

Running the SUP scanner:
SUP Scan for current starting at Mon Apr 3 03:01:49 2017
SUP Scan for current completed at Mon Apr 3 03:02:11 2017
SUP Scan for mirror starting at Mon Apr 3 03:02:11 2017
SUP Scan for mirror completed at Mon Apr 3 03:04:49 2017

Updating release-6 src tree (netbsd-6):

Updating release-6 xsrc tree (netbsd-6):

Running the SUP scanner:
SUP Scan for release-6 starting at Mon Apr 3 03:07:25 2017
SUP Scan for release-6 completed at Mon Apr 3 03:07:34 2017

Updating release-7 src tree (netbsd-7):

Updating release-7 xsrc tree (netbsd-7):

Running the SUP scanner:
SUP Scan for release-7 starting at Mon Apr 3 03:09:55 2017
SUP Scan for release-7 completed at Mon Apr 3 03:10:01 2017

Updating file list:
-rw-rw-r-- 1 srcmastr netbsd 55233265 Apr 3 03:12 ls-lRA.gz
Automated report: NetBSD-current/i386 build success
The NetBSD-current/i386 build is working again.

The following commits were made between the last failed build and the successful build:

    2017.04.03.00.11.45 sevan src/sys/arch/zaurus/conf/GENERIC,v 1.73
    2017.04.03.00.42.20 kamil src/external/bsd/dhcpcd/dist/src/bpf.c,v 1.2

Log files can be found at:

    http://releng.NetBSD.org/b5reports/i386/commits-2017.04.html#2017.04.03.00.42.20
Re: npf bug(?)
On Apr 2, 11:16am, 6b...@6bone.informatik.uni-leipzig.de (6b...@6bone.informatik.uni-leipzig.de) wrote:
-- Subject: Re: npf bug(?)

| On Fri, 31 Mar 2017, Christos Zoulas wrote:
|
| > I would add some rules to block the ipv4 traffic, except when it comes from
| > your 'known hosts' to your 'known interfaces and ports'.
| >
|
| The DNS and the 6to4 service are offered for free usage. There are no
| restrictions on certain IP networks. I guess the reassembling in such
| cases is problematic. That's why I would like to switch it off. There are
| also no firewall rules for IPv4.

I am trying to understand the use case here:

1. you want to have V4 DNS and 6to4 service that can generate V4 fragments
2. you want V4 fragments dropped.
3. you can't put V4 rules in your firewall to restrict traffic to only
   those services.

Is that correct?

christos
Re: npf bug(?)
On Fri, 31 Mar 2017, Christos Zoulas wrote:

> I would add some rules to block the ipv4 traffic, except when it comes from
> your 'known hosts' to your 'known interfaces and ports'.

The DNS and the 6to4 service are offered for free usage. There are no restrictions on certain IP networks. I guess the reassembling in such cases is problematic. That's why I would like to switch it off. There are also no firewall rules for IPv4.

Regards
Uwe
Re: Automated report: NetBSD-current/i386 build failure
On March 31, the NetBSD Test Fixture wrote:

> /tmp/bracket/build/2017.03.31.21.07.02-i386/src/external/bsd/dhcpcd/dist/src/bpf.c: In function 'bpf_arp':
> /tmp/bracket/build/2017.03.31.21.07.02-i386/src/external/bsd/dhcpcd/dist/src/bpf.c:425:1: error: stack protector not protecting local variables: variable length buffer [-Werror=stack-protector]

The build is still failing, but now with a different error

--- install-bsd ---
i486--netbsdelf-install: /tmp/bracket/build/2017.04.02.01.49.52-i386/obj/external/bsd/dhcpcd/libexec/dhcpcd-hooks/50-ypbind: stat: No such file or directory

--
Andreas Gustafsson, g...@gson.org