npf 'bpf.jit' errors out?
Hauke Fath
2017-04-10 12:02:58 UTC
Hi,

on netbsd-7, a minimal npf(4) & blacklistd(8) setup to ward off ssh
script kiddies complains about

set bpf.jit on;

with

# /etc/rc.d/npf reload
Reloading NPF ruleset.
npfctl: error loading the bpfjit module; performance will be degraded:
Operation not permitted
npfctl: To disable this warning `set bpf.jit off' in /etc/npf.conf
#
Okay, this is a minimal installation with a monolithic kernel.
bpfjit(4) suggests

options BPFJIT
options SLJIT

(which isn't in any kernel config on either amd64 or i386 - why?), but
that doesn't seem to help:

# config -x /netbsd | grep JIT
options BPFJIT
options SLJIT
# sysctl net.bpf
net.bpf.maxbufsize = 1048576
#

Anything else I am missing?

Cheerio,
hauke
--
The ASCII Ribbon Campaign Hauke Fath
() No HTML/RTF in email Institut für Nachrichtentechnik
/\ No Word docs in email TU Darmstadt
Respect for open standards Ruf +49-6151-16-21344

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Roy Marples
2017-04-10 14:08:21 UTC
Post by Hauke Fath
> Hi,
> on netbsd-7, a minimal npf(4) & blacklistd(8) setup to ward off ssh
> script kiddies complains about
> set bpf.jit on;
> with
> # /etc/rc.d/npf reload
> Reloading NPF ruleset.
> npfctl: error loading the bpfjit module; performance will be degraded:
> Operation not permitted
> npfctl: To disable this warning `set bpf.jit off' in /etc/npf.conf
> #
> Okay, this is a minimal installation with a monolithic kernel.
> bpfjit(4) suggests
> options BPFJIT
> options SLJIT
> (which isn't in any kernel config on either amd64 or i386 - why?), but
> # config -x /netbsd | grep JIT
> options BPFJIT
> options SLJIT
> # sysctl net.bpf
> net.bpf.maxbufsize = 1048576
> #
> Anything else I am missing?
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/kern_module.c.diff?r1=1.117&r2=1.118&only_with_tag=MAIN&f=h

Unsure if it applies to -7, but basically you have probably set a
securelevel so that modules cannot be loaded and npfctl sees no permission
rather than it already exists.

Roy


Roy Marples
2017-04-10 14:31:27 UTC
Post by Hauke Fath
> Post by Roy Marples
> > http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/kern_module.c.diff?r1=1.117&r2=1.118&only_with_tag=MAIN&f=h
> > Unsure if it applies to -7, but basically you have probably set a
> > securelevel so that modules cannot be loaded and npfctl sees no permission
> > rather than it already exists.
> I don't want to load any kernel modules, and after
> options BPFJIT
> options SLJIT
> I shouldn't have to, or should I? Does the code resulting from *JIT
> require module magic?
No you shouldn't, and the above patch allows npf to work like that.
Basically, regardless of anything you set, npf tries to load a kernel
module and shows an error if not EEXIST.

My kernel change allows EEXIST to be returned even if you don't have
permission to load modules.
Post by Hauke Fath
> securelevel is 1 - I thought about upping it, but haven't, yet.
You'll either have to drop it to 0 or apply the aforementioned patch if
you want to get rid of the error message.

Roy

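The EPERM-versus-EEXIST ordering Roy describes above, as an added example in C. This is not code from the thread and not NetBSD's kern_module.c: the kernel struct, the securelevel test, and every function name here are assumptions made for illustration; only the observable outcome (whether the "already present" check runs before or after the permission check, and npfctl warning on anything but EEXIST) follows what the thread says.

```c
/* Model of the two check orders discussed in the thread. Added example,
 * not NetBSD's module loader: names and structure are assumptions, only
 * the EPERM-vs-EEXIST behaviour follows the discussion. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-kernel state: modules already present (built in via
 * 'options BPFJIT' / 'options SLJIT', or loaded earlier) and securelevel. */
struct kernel {
    const char *builtin[4];   /* constructed: names compiled into the kernel */
    int securelevel;          /* kern.securelevel */
};

static bool module_is_present(const struct kernel *k, const char *name)
{
    for (size_t i = 0; i < 4 && k->builtin[i] != NULL; i++)
        if (strcmp(k->builtin[i], name) == 0)
            return true;
    return false;
}

/* Loading is refused once securelevel is above 0 (the condition the thread
 * describes; the real kauth(9) policy is not modelled here). */
static bool may_load_modules(const struct kernel *k)
{
    return k->securelevel <= 0;
}

/* Old order: permission first, so asking for a built-in module at
 * securelevel 1 yields EPERM, which npfctl cannot tell from a real failure. */
int module_load_old(const struct kernel *k, const char *name)
{
    if (!may_load_modules(k))
        return EPERM;
    if (module_is_present(k, name))
        return EEXIST;
    return 0; /* a real loader would fetch the module from disk here */
}

/* New order: report "already there" before consulting securelevel. */
int module_load_new(const struct kernel *k, const char *name)
{
    if (module_is_present(k, name))
        return EEXIST;
    if (!may_load_modules(k))
        return EPERM;
    return 0;
}

/* Userland side, modelled on what the thread says npfctl does: try to load
 * bpfjit and warn on any error other than EEXIST. Returns true when the
 * degraded-performance warning would be printed (message text copied from
 * the npfctl output quoted in the thread). */
bool npfctl_would_warn(int (*load)(const struct kernel *, const char *),
                       const struct kernel *k)
{
    int error = load(k, "bpfjit");
    if (error != 0 && error != EEXIST) {
        fprintf(stderr,
            "npfctl: error loading the bpfjit module; performance will be "
            "degraded: %s\n", strerror(error));
        return true;
    }
    return false;
}

int main(void)
{
    /* Constructed: BPFJIT and SLJIT compiled in, securelevel already at 1,
     * i.e. the state at 'npf reload' time in the first message. */
    const struct kernel reload = { { "bpfjit", "sljit", NULL, NULL }, 1 };
    /* Constructed: same kernel while securelevel is still 0. */
    const struct kernel boot = { { "bpfjit", "sljit", NULL, NULL }, 0 };

    printf("securelevel 1, old order warns: %s\n",
           npfctl_would_warn(module_load_old, &reload) ? "yes" : "no");
    printf("securelevel 1, new order warns: %s\n",
           npfctl_would_warn(module_load_new, &reload) ? "yes" : "no");
    printf("securelevel 0, old order warns: %s\n",
           npfctl_would_warn(module_load_old, &boot) ? "yes" : "no");
    return 0;
}
```

The securelevel-0 case is the one that makes the symptom in the thread consistent: with the old order the built-in module is reported as EEXIST only while modules may still be loaded, so the same npf.conf is silent at one point and noisy after securelevel has been raised. A kernel that really lacks BPFJIT still gets EPERM from both orders, which is the case where the warning is telling the truth.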
Hauke Fath
2017-04-10 14:16:17 UTC
On Mon, 10 Apr 2017 15:08:21 +0100, Roy Marples wrote:
> http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/kern/kern_module.c.diff?r1=1.117&r2=1.118&only_with_tag=MAIN&f=h
> Unsure if it applies to -7, but basically you have probably set a
> securelevel so that modules cannot be loaded and npfctl sees no permission
> rather than it already exists.
I don't want to load any kernel modules, and after

options BPFJIT
options SLJIT

I shouldn't have to, or should I? Does the code resulting from *JIT
require module magic?

securelevel is 1 - I thought about upping it, but haven't, yet.

Cheerio,
hauke
Hauke Fath
2017-04-10 15:29:51 UTC
Post by Roy Marples
> My kernel change allows EEXIST to be returned even if you don't have
> permission to load modules.
Ahh, got you now. I'll put in your patch [applied, works. Thanks!].
Post by Roy Marples
> Post by Hauke Fath
> > securelevel is 1 - I thought about upping it, but haven't, yet.
> You'll either have to drop it to 0 or apply the aforementioned patch if
> you want to get rid of the error message.
... which would nicely explain why I only got the warning after an npf
reload, not during boot.

Cheerio,
hauke