NetBSD-Users archive
Re: NPF on domU - more clarity required
In article <20141226020448.EE93.280FC639%netmail.ie@localhost>,
Gerard Lally <lists+netbsd.users%netmail.ie@localhost> wrote:
>I have been struggling to get NPF up and running on a NetBSD VPS,
>specifically a Xen domU. I really think for security reasons NPF should
>be nearly ready to go, so that we don't have to spend hours researching
>and pulling our hair out trying to fix what should be a straightforward
>issue, which leaves a machine vulnerable when it probably needs
>protection most. It appears this problem came up some years ago, but
>Googling provides me with no fix.
>
>I understand that NetBSD as a Xen domU does not support kernel modules.
>So the recommendation in the NPF documentation to "modload" npf_ext_log
>does not apply here. Fine, I took a wild guess and compiled a new Xen
>domU kernel with the following two lines added to make sure NPF logging
>and normalisation functionality was compiled into the kernel instead:
>
>options NPF_EXT_LOG
>options NPF_EXT_NORMALISE
>
>Needless to say I also made sure pseudo-device npf was enabled as well.
>
>I also made sure /dev/npf existed, and I created /etc/ifconfig.npflog0
>with just the word "create".
>
>I kept the contents of npf.conf to a minimum for troubleshooting, but
>NPF just refuses to load. This is the error I get at boot:
>
>npfctl: cannot open '/dev/npf': Device not configured
>npfctl: cannot open '/dev/npf': Device not configured
>/etc/rc.d/npf exited with code 1

See if the device driver for npf is registered with the kernel correctly:

$ sysctl kern.drivers | tr , '\n' | grep npf
[198 -1 npf]

Make sure that the device numbers are correct:

$ ls -l /dev/npf
crw------- 1 root wheel 198, 0 Oct 13 2013 /dev/npf

Look at the ktrace output and see what operation fails:

$ ktrace /sbin/npfctl start
$ kdump | less

christos
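
The first two checks from the reply above, combined into one script. This is an added example, not part of the original message. It assumes the first number in each kern.drivers entry is the character major (as the sample output suggests); the function names and sample strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the major number the kernel registered for npf
# with the major number on the /dev/npf node.

# driver_major NAME: read `sysctl kern.drivers` text on stdin and print the
# first number of the "[major -1 NAME]" entry (assumed: the character major).
# Prints nothing when NAME is not listed.
driver_major() {
    tr ',' '\n' | tr -d '[]' |
        awk -v n="$1" 'NF >= 3 && $NF == n { print $(NF-2); exit }'
}

# node_major: read one `ls -l` line for a device node on stdin and print its
# major number, i.e. the numeric field that ends with a comma ("198,").
node_major() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^[0-9]+,$/) { sub(/,/, "", $i); print $i; exit } }'
}

# check_npf DRIVERS LSLINE: print a verdict.
# Returns 0 = match, 1 = majors differ, 2 = driver not registered,
# 3 = no major number found in the ls -l line.
check_npf() {
    kmaj=$(printf '%s\n' "$1" | driver_major npf)
    nmaj=$(printf '%s\n' "$2" | node_major)
    if [ -z "$kmaj" ]; then
        echo "npf is not in kern.drivers: driver not registered in this kernel"
        return 2
    fi
    if [ -z "$nmaj" ]; then
        echo "could not read a major number from the ls -l line"
        return 3
    fi
    if [ "$kmaj" != "$nmaj" ]; then
        echo "mismatch: kernel has npf at major $kmaj, /dev/npf is major $nmaj"
        return 1
    fi
    echo "ok: npf registered at major $kmaj and /dev/npf matches"
}

# Constructed sample input; the npf entry and the ls line are the values
# shown in the reply, the other driver entries are made up.
SAMPLE_DRIVERS='kern.drivers = [0 -1 cons], [1 -1 ctty], [198 -1 npf]'
SAMPLE_NODE='crw------- 1 root wheel 198, 0 Oct 13 2013 /dev/npf'
check_npf "$SAMPLE_DRIVERS" "$SAMPLE_NODE"

# On the affected machine, feed it the live values instead:
#   check_npf "$(sysctl kern.drivers)" "$(ls -l /dev/npf)"
```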