NetBSD-Bugs archive
bin/53512: A dynamically configured interface which has not yet obtained an address can cause npf & npfd to fail
>Number: 53512
>Category: bin
>Synopsis: A dynamically configured interface which has not yet obtained an address can cause npf & npfd to fail
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Aug 11 13:55:00 +0000 2018
>Originator: Sevan Janiyan
>Release: NetBSD-8
>Organization:
>Environment:
NetBSD 8.0 macppc powerpc
>Description:
A rule which calls inet4() or inet6() to obtain the address of an interface fails if an address has not been obtained by the time npf has been started by rc.d. This is a problem on a system where the interface is wireless and associating takes a while. The follow-on from this is npfd failing to start with "npfd: pcap_dump_open failed for `/var/log/npflog0.pcap': /var/log/npflog0.pcap: not-yet-activated pcap_t passed to pcap_dump_open"
>How-To-Repeat:
On a system with a wifi interface which connects to a WPA protected network and is configured via DHCP, create the following /etc/npf.conf:
# Derived from /usr/share/examples/npf/host-npf.conf
$wifi_if = "urtwn0"
$wifi_v4 = { inet4(urtwn0) }
$wifi_v6 = { inet6(urtwn0) }
$dhcpserver = { 198.51.100.1 }

# sample udp service
$services_udp = { ntp }

# sample mixed service
$backupsrv_v4 = { 198.51.100.11 }
$backupsrv_v6 = { 2001:0DB8:404::11 }
$backup_port = { amanda }

# watching a tcpdump of npflog0, when it only logs blocks,
# can be very helpful for building the rules you actually need
procedure "log" {
	log: npflog0
}

group "wifi" on $wifi_if {
	# linklocal
	pass in final family inet6 proto ipv6-icmp to fe80::/10
	pass out final family inet6 proto ipv6-icmp from fe80::/10
	# administrative multicasts
	pass in final family inet6 proto ipv6-icmp to ff00::/10
	pass out final family inet6 proto ipv6-icmp from ff00::/10
	pass in final family inet6 proto ipv6-icmp to $wifi_v6
	pass in final family inet4 proto icmp to $wifi_v4
	pass in final family inet4 proto tcp \
		from any port bootps to $wifi_v4 port bootpc
	pass in final family inet4 proto udp \
		from any port bootps to $wifi_v4 port bootpc
	pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh
	pass in final family inet6 proto udp to $wifi_v6 port $services_udp
	pass in final family inet4 proto udp to $wifi_v4 port $services_udp
	# IPSEC
	pass in final family inet6 proto udp to $wifi_v6 port isakmp
	pass in final family inet4 proto udp to $wifi_v4 port isakmp
	pass in family inet6 proto esp all
	pass in family inet4 proto esp all
	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
		from $wifi_v6
	pass stateful out final family inet4 proto tcp flags S/SA \
		from $wifi_v4
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wifi_v6
	pass out final family inet4 proto tcp from $wifi_v4
	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wifi_v6
	pass stateful out final family inet4 from $wifi_v4
}

group default {
	pass final on lo0 all
	block all apply "log"
}
Enable npf & npfd alongside wpa_supplicant & dhcpcd in /etc/rc.conf:
wpa_supplicant=YES
wpa_supplicant_flags="-i urtwn0 -c /etc/wpa_supplicant.conf"
dhcpcd=YES
dhcpcd_flags="-b"
npf=YES
npfd=YES
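As an added example (not part of this PR and not NetBSD's own rc.d code), the following POSIX sh helper shows the readiness check that the inet4()/inet6() rules above implicitly require at load time: it parses ifconfig(8)-style output and only succeeds once the interface carries a usable address. The ifconfig output layout is assumed to be NetBSD's, the interface name urtwn0 is taken from the PR, and the sample output, the function names and the policy of ignoring link-local and tentative addresses are all constructed here.

```shell
#!/bin/sh
# Added example, not from the PR: decide whether an interface has obtained a
# usable address before loading an npf.conf whose rules call inet4()/inet6()
# on it. Assumes NetBSD ifconfig(8) output layout; all samples are constructed.

# count_addrs FAMILY TEXT
# Print the number of usable addresses of FAMILY ("inet" or "inet6") found in
# the ifconfig output TEXT. IPv6 link-local (fe80::) and tentative addresses
# are deliberately not counted: an interface that only has those is still
# mid-configuration, which is exactly the state that makes inet6() fail.
count_addrs() {
    printf '%s\n' "$2" | awk -v fam="$1" '
        $1 == fam {
            if (fam == "inet6" && $2 ~ /^fe80:/) next
            if (/tentative/) next
            n++
        }
        END { print n + 0 }'
}

# iface_ready TEXT
# Succeed (exit 0) only when TEXT shows at least one usable inet4 address.
# The PR's npf.conf needs inet4() to resolve; inet6 is treated as optional so
# a network without IPv6 does not hold npf back forever (a policy choice).
iface_ready() {
    [ "$(count_addrs inet "$1")" -gt 0 ]
}

# wait_for_addr IFACE [TIMEOUT_SECONDS]
# Poll ifconfig(8) once a second until IFACE is ready or the timeout expires.
wait_for_addr() {
    _if=$1
    _left=${2:-60}
    while [ "$_left" -gt 0 ]; do
        if iface_ready "$(ifconfig "$_if" 2>/dev/null)"; then
            return 0
        fi
        sleep 1
        _left=$((_left - 1))
    done
    echo "$_if has no usable address after ${2:-60}s; not loading npf" >&2
    return 1
}

# Constructed sample: interface still associating, only a link-local v6 address
# and a tentative global v6 address (duplicate address detection in progress).
SAMPLE_NOT_READY='urtwn0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ssid example
        address: 00:11:22:33:44:55
        status: active
        inet6 fe80::211:22ff:fe33:4455%urtwn0/64 flags 0 scopeid 0x1
        inet6 2001:db8:404::23/64 flags 0 tentative'

# Constructed sample: dhcpcd has finished and DAD completed; global addresses present.
SAMPLE_READY="$SAMPLE_NOT_READY
        inet6 2001:db8:404::24/64 flags 0
        inet 198.51.100.23/24 broadcast 198.51.100.255 flags 0"

# Demonstration on the constructed samples; on a live system the call would be
# something like: wait_for_addr urtwn0 120 && /etc/rc.d/npf start
iface_ready "$SAMPLE_NOT_READY" && echo "unexpected: not-ready sample passed"
iface_ready "$SAMPLE_READY" && echo "ready sample: usable inet4 address present"
```

The check is intentionally conservative: a link-local or tentative address is enough for the kernel to show the interface as "up", but not enough for a rule that expects a routable address, so counting only the addresses that inet4()/inet6() would actually return is what avoids the load-time failure described above.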
>Fix: