Discussion:
"npfctl validate" error non-message
Hauke Fath
2017-01-14 13:13:39 UTC
After a context-free

# npfctl validate /etc/npf.conf
npfctl: address family mismatch
#

from
<https://github.com/rmind/npf/blob/master/src/npfctl/npf_bpf_comp.c>#347,
where in the ruleset would I start looking?

Cheerio,
hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Hauke Fath
2017-01-14 14:02:58 UTC
Post by Hauke Fath
> # npfctl validate /etc/npf.conf
> npfctl: address family mismatch
> #

FTR, instead of

pass in proto udp from any port bootpc to $if port bootps

I needed to declare

pass in proto udp from any port bootpc to inet4($if) port bootps

Sigh.
hauke
Mindaugas Rasiukevicius
2017-01-15 19:22:31 UTC
Post by Hauke Fath
> Post by Hauke Fath
>> # npfctl validate /etc/npf.conf
>> npfctl: address family mismatch
>> #
> FTR, instead of
>     pass in proto udp from any port bootpc to $if port bootps
> I needed to declare
>     pass in proto udp from any port bootpc to inet4($if) port bootps

It is because of the IPv4 and IPv6 address mixing. The byte-code generator
could be a bit more clever and actually handle this.. I just have not had
time to improve it yet.
--
Mindaugas
Hauke Fath
2017-01-15 20:44:41 UTC
Post by Mindaugas Rasiukevicius
> Post by Hauke Fath
>> # npfctl validate /etc/npf.conf
>> npfctl: address family mismatch
>> #
> It is because of the IPv4 and IPv6 address mixing.

That's what I figured out in the end, by commenting out any lines that
looked remotely related.

I guess my point is that the error message was useless in the face of a
300 line rule set. Any line that the parser objects to it should point
out with (at least) the line number.

In the end, I gave up on npf when I ran into an

Enabling NPF.
npfctl: npfctl_config_send: Invalid argument

which I was not able to debug.

Cheerio,
Hauke
Mindaugas Rasiukevicius
2017-01-15 21:13:38 UTC
Post by Hauke Fath
> Post by Mindaugas Rasiukevicius
>> Post by Hauke Fath
>>> # npfctl validate /etc/npf.conf
>>> npfctl: address family mismatch
>>> #
>> It is because of the IPv4 and IPv6 address mixing.
> That's what I figured out in the end, by commenting out any lines that
> looked remotely related.
> I guess my point is that the error message was useless in the face of a
> 300 line rule set. Any line that the parser objects to it should point
> out with (at least) the line number.

I agree and it generally does. There are a few cases where these checks
happen post-parsing and at that point it does not know the line number.
Unfortunately, there are many wish-lists and very few volunteers who
have free time to work on these little problems.

Post by Hauke Fath
> In the end, I gave up on npf when I ran into an
>     Enabling NPF.
>     npfctl: npfctl_config_send: Invalid argument
> which I was not able to debug.

Seems like you might have run into the proplib limitation mentioned in
the other thread. ioctl() returned EINVAL before reaching the NPF code
so it did not report anything meaningful. It is now fixed in -current.
--
Mindaugas
Hauke Fath
2017-01-15 21:43:01 UTC
Post by Mindaugas Rasiukevicius
> Unfortunately, there are many wish-lists and very few volunteers who
> have free time to work on these little problems.

I see that well, and I am far from blaming you. Rather, it is the
NetBSD project ("us") who is failing to support, and run with, projects
like yours.

When I look at what's available for pf(4), it is obvious that it has
broad support from developers to volunteers writing technical
documentation to sysadmins with serious installations on their hands
providing feedback.

Cheerio,
Hauke
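One way to narrow down candidate lines when "npfctl validate" reports the address family mismatch without a line number, as an added example that is not part of this thread or of NPF itself: it lists, with line numbers, the rules whose from/to address is a bare interface variable rather than one wrapped as in inet4($if). The sample ruleset, the function names and the interface-name heuristic are assumptions made for illustration.

```python
import re
import sys

# Constructed sample ruleset (not from the thread); "$if" mirrors the
# variable name used in the posts above.
SAMPLE_CONF = '''\
$if = "wm0"
$lan = { 192.0.2.0/24 }

group "external" on $if {
    pass stateful out final all
    pass in proto udp from any port bootpc to $if port bootps   # bare interface
    pass in proto udp from any port bootpc to inet4($if) port bootps
    pass in final proto tcp from $lan to any port ssh   # not: to $if
}
'''

VAR_DEF = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?)\s*$')
# Heuristic (assumption): a value that is only an interface name, such as
# "wm0" or bge1, may stand for both IPv4 and IPv6 addresses.
IFACE_VALUE = re.compile(r'^"?[a-z]+\d+"?$')
RULE = re.compile(r'^\s*(pass|block)\b')
# "from $var" / "to $var"; "to inet4($var)" does not match this pattern.
BARE_ADDR = re.compile(r'\b(from|to)\s+\$(\w+)')

def find_bare_interface_addrs(conf_text):
    """Return (line_no, variable, rule) for each rule that uses an
    interface variable directly as a from/to address."""
    iface_vars = set()
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split('#', 1)[0]          # drop trailing comment
        definition = VAR_DEF.match(line)
        if definition:
            if IFACE_VALUE.match(definition.group(2)):
                iface_vars.add(definition.group(1))
            continue
        if not RULE.match(line):
            continue
        for _, var in BARE_ADDR.findall(line):
            if var in iface_vars:
                findings.append((line_no, var, line.strip()))
    return findings

if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for line_no, var, rule in find_bare_interface_addrs(text):
        print(f"line {line_no}: ${var} used as address: {rule}")
```

The scan is a text heuristic and only points at lines to check; "npfctl validate" remains the authority on whether the ruleset is accepted.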