From: John Lyon
Date: Wed, 27 Dec 2017 12:37:27 -0500
Subject: Re: Need Netgraph Help
To: Julian Elischer
Cc: Harry Schmalzbauer, freebsd-net@freebsd.org, Eugene Grosbein

Julian,

Unfortunately, this issue remains unresolved. I would like to think that this is just a PEBKAC issue, but I have tried every permutation of escape characters in case it's an issue with my syntax and I get the same set of errors. No matter what I do, I can't connect the no match hook of an ETF node to the upper hook of an ng_ether node.

Do you have any insights into why this might be occurring?

By the way, thanks for reaching out to me! I was going to email you directly after the holidays since your name and email address are at the bottom of the relevant Netgraph man pages. I figured that must mean if you didn't know the answer, no one does. :-)

Thanks.

--------------------------------
John L. Lyon
PGP Key Available At: https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer wrote:

> John did you get a resolution to this issue?
>
> On 16/12/17 2:59 am, John Lyon wrote:
>
>> Harry and Eugene (and others),
>>
>> I appreciate all of your help. It's been really insightful. Although I
>> feel like I'm getting much closer to the solution, I don't think my
>> problem has been diagnosed. I've outlined my thought process below. Can
>> you please tell me if I am misunderstanding something? Admittedly, I am
>> not a kernel developer and my C language skills have atrophied the last
>> few years. However, I've reviewed my script and I looked in the code for
>> ng_etf.c and I don't think I am violating any of the requirements for
>> linking a hook for no match.
>>
>> As Eugene stated:
>>
>>>> 1) referenced "matchhook" exists and you should not use "indirect name"
>>>> here, only hook own name, or else you get error ENOENT (No such file or
>>>> directory);
>>
>> This does not seem to be a problem as the upper and lower hooks for the
>> em1 already exist (I can confirm this).
>>
>>>> 2) referenced "matchhook" is *not* downstream hook, or else you get error
>>>> EINVAL (Invalid argument);
>>
>> I read the ng_etf.c file in the source tree and found this little
>> snippet:
>>
>>     /* and is not the downstream hook */
>>     if (hook == etfp->downstream_hook.hook) {
>>             error = EINVAL;
>>             break;
>>     }
>>
>> This appears to be an error check to make sure you are not creating a
>> cycle in the graph by referencing the ETF node's own downstream hook
>> (i.e. filtering incoming traffic and circularly feeding non-matching
>> frames back into the ETF's own filter). I'm not doing this. I am feeding
>> non-matching packets into the *lower* hook of another ether node and not
>> back into the *downstream* hook of the etf node I am creating. As a
>> result, my netgraph should not be triggering this error condition.
>>
>>>> 3) it was not already configured, or else you get error EEXIST (File
>>>> exists).
>>
>> I am not getting this error, so it appears not to be an issue in my case.
>>
>> What am I missing here? The man page states that "*any other* hook" can
>> be used for the non-matching packets. So the man page says this should
>> work, and there's no explicit error condition that I see (caveat, I have
>> not written in C for at least 10 years - PEBKAC is entirely possible)
>> that would be triggered in the ng_etf code. So what is going wrong?
>>
>> Thanks for all of your help, patience, and understanding.
>>
>> --------------------------------
>> John L. Lyon
>> PGP Key Available At:
>> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>
>> On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer wrote:
>>
>>> Regarding Eugene Grosbein's message of 14.12.2017 23:07 (localtime):
>>>
>>>> 15.12.2017 4:27, John Lyon wrote:
>>>>
>>>>>>> I'm a new Netgraph user, but am having some problems with a simple
>>>>>>> Netgraph script I have written. Unfortunately, the error message is
>>>>>>> cryptic and I can't tell what I am doing wrong since my script
>>>>>>> closely follows the example provided in the ng_etf man page.
>>>>>>>
>>>>>>> For some context, I'm trying to filter EAP traffic coming in on my
>>>>>>> LAN interface. Any ethernet frames that correspond to EAP traffic
>>>>>>> need to be immediately forwarded from the LAN interface to my WAN
>>>>>>> interface. All other ethernet frames coming in on my LAN interface
>>>>>>> need to be handled by the kernel's network stack. A (horrid) ASCII
>>>>>>> art representation of my desired netgraph would look like this:
>>>>>>>
>>>>>>> lower -> em0 -> downstream -> ETF -> no match -> upper em0
>>>>>>>                                   -> match -> lower em1
>>>>>>>
>>>>>>> The script I have written is this:
>>>>>>>
>>>>>>> #! /bin/sh
>>>>>>> ngctl mkpeer em0: etf lower downstream
>>>>>>> ngctl name em0:lower lan_filter
>>>>>>> ngctl connect em0: lan_filter: upper nomatch
>>>>>>> ngctl msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }
>>>>>>>
>>>>>>> Unfortunately, the last line of my script generates the following
>>>>>>> error message:
>>>>>>>
>>>>>>> ngctl: send msg: Invalid Argument
>>>>
>>>> For "setfilter" command to work, ng_etf requires that:
>>>>
>>>> 1) referenced "matchhook" exists and you should not use "indirect name"
>>>> here, only hook own name, or else you get error ENOENT (No such file or
>>>> directory);
>>>> 2) referenced "matchhook" is *not* downstream hook, or else you get error
>>>> EINVAL (Invalid argument);
>>>> 3) it was not already configured, or else you get error EEXIST (File
>>>> exists).
>>>
>>> Eugene kindly looked into the code and found that the error is due to
>>> wrong matchhook definition.
>>> I've never had any contact with ng_etf yet, but according to the man
>>> page, you need to set the (additional) filter hook by 'nghook -a
>>> lan_filter: mydrain' and use 'matchhook=mydrain' for the 'msg' command.
>>>
>>> No idea about the intention, so for the rest you have to tweak as needed.
>>>
>>> -harry
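
The three setfilter conditions listed in the quoted replies, as a userland model. This is an added example that is not part of any message in the thread and is not the ng_etf.c source; `struct etf_model`, `model_setfilter` and `sample_node` are hypothetical names, the node contents are constructed, and the third check is assumed to be keyed on the ethertype.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an ETF node: hook names, downstream, filters. */
struct etf_model {
    const char *hooks[8];
    int         nhooks;
    int         downstream;          /* index into hooks[] */
    uint16_t    filters[8];
    int         nfilters;
};

/* Match a hook by its own name on this node only; "node:hook" is not resolved. */
static int find_hook(const struct etf_model *n, const char *name)
{
    for (int i = 0; i < n->nhooks; i++)
        if (strcmp(n->hooks[i], name) == 0)
            return i;
    return -1;
}

/* Returns 0, or the errno the thread gives for the first failed check. */
int model_setfilter(struct etf_model *n, const char *matchhook, uint16_t ethertype)
{
    int h = find_hook(n, matchhook);
    if (h < 0) return ENOENT;                    /* 1) no such hook here */
    if (h == n->downstream) return EINVAL;       /* 2) downstream hook   */
    for (int i = 0; i < n->nfilters; i++)        /* 3) assumed: keyed on */
        if (n->filters[i] == ethertype) return EEXIST; /* the ethertype  */
    if (n->nfilters == 8) return ENOSPC;         /* model table is full  */
    n->filters[n->nfilters++] = ethertype;
    return 0;
}

/* Constructed node: downstream, nomatch, and the extra hook "mydrain". */
struct etf_model sample_node(void)
{
    struct etf_model n = { { "downstream", "nomatch", "mydrain" }, 3, 0, { 0 }, 0 };
    return n;
}

int main(void)
{
    struct etf_model n = sample_node();
    const char *tries[] = { "em1:lower", "downstream", "mydrain", "mydrain" };
    for (int i = 0; i < 4; i++)
        printf("%-10s -> %d\n", tries[i], model_setfilter(&n, tries[i], 0x888e));
    return 0;
}
```

In this model a path-style name such as `em1:lower` fails the own-name lookup with ENOENT, and only the literal downstream hook produces EINVAL.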