Pull up following revision(s) (requested by joe in ticket #53):

	sys/net/npf/npf.h: revision 1.68
	sys/net/npf/npf_ruleset.c: revision 1.57

PR kern/59615 introduce layer checks for 10 userland 11 kernel

Author: MartinHusemann

sys/net/npf/npf.h

@@ -355,11 +355,9 @@ typedef enum {
 	NPF_STAT_PASS_DEFAULT,
 	NPF_STAT_PASS_RULESET,
 	NPF_STAT_PASS_CONN,
-	NPF_ETHER_STAT_PASS,
 	/* Packets blocked. */
 	NPF_STAT_BLOCK_DEFAULT,
 	NPF_STAT_BLOCK_RULESET,
-	NPF_ETHER_STAT_BLOCK,
 	/* Connection and NAT entries. */
 	NPF_STAT_CONN_CREATE,
 	NPF_STAT_CONN_DESTROY,
@@ -382,6 +380,9 @@ typedef enum {
 	/* nbuf non-contiguous cases. */
 	NPF_STAT_NBUF_NONCONTIG,
 	NPF_STAT_NBUF_CONTIG_FAIL,
+	/* layer 2 statistics */
+	NPF_ETHER_STAT_PASS,
+	NPF_ETHER_STAT_BLOCK,
 	/* Count (last). */
 	NPF_STATS_COUNT
 } npf_stats_t;

sys/net/npf/npf_ruleset.c

@@ -34,7 +34,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.56 2025/07/01 18:42:37 joe Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ruleset.c,v 1.56.2.1 2025/10/13 09:24:53 martin Exp $");
 
 #include <sys/param.h>
 #include <sys/types.h>
@@ -925,7 +925,14 @@ npf_ruleset_inspect(npf_cache_t *npc, const npf_ruleset_t *rlset,
 		const unsigned skip_to = rl->r_skip_to & SKIPTO_MASK;
 		const uint32_t attr = rl->r_attr;
 
-		if ((attr & layer) == 0) {
+		/*
+		 * PR kern/59615
+		 * we are skipping rule inspection on two cases
+		 * if layer attributes are set but we are on a different layer
+		 * or if no layer attributes set (10 userland), don't inspect at layer 2
+		 */
+		if (!(((layer == NPF_RULE_LAYER_3 && ((attr & (NPF_RULE_LAYER_2 | NPF_RULE_LAYER_3)) == 0)) ||
+		    (attr & layer)))) {
 			n = skip_to;
 			continue;
 		}