From owner-freebsd-net@freebsd.org Thu Dec 28 14:48:37 2017
Subject: Re: Need Netgraph Help [fixed]
From: Julian Elischer
To: John Lyon
Cc: "freebsd-net@freebsd.org", Eugene Grosbein
References: <5A3225BF.6020205@omnilan.de> <5A32F63E.8010205@grosbein.net> <5A338C5A.20300@omnilan.de> <2e0525c8-2251-a5f5-45d1-fe44ebe318f7@freebsd.org>
Message-ID: <4fee4ea6-9b35-afba-6d5d-24ecca3e28c6@freebsd.org>
Date: Thu, 28 Dec 2017 22:48:22 +0800
List-Id: Networking and TCP/IP with FreeBSD

On 28/12/17 9:59 pm, Julian Elischer wrote:
> On 28/12/17 1:37 am, John Lyon wrote:
>> Julian,
>>
>> Unfortunately, this issue remains unresolved.  I would like to think that this is just a PEBKAC issue, but I have tried every permutation of escape characters in case it's an issue with my syntax and I get the same set of errors.  No matter what I do, I can't connect the no match hook of an ETF node to the upper hook of an ng_ether node.  Do you have any insights into why this might be occurring?
>>
>> By the way, thanks for reaching out to me!  I was going to email you directly after the holidays since your name and email address are at the bottom of the relevant Netgraph man pages.  I figured that must mean if you didn't know the answer, no one does. :-)
>
> what is EAP?
> what about return EAP packets? (are there any?)

oops left out a line from the cut-n-paste...

>
> I think this is what you want:
> $ sudo ngctl list
> There are 7 total nodes:
>   Name: igb0            Type: ether           ID: 00000001   Num hooks: 0
>   Name: igb1            Type: ether           ID: 00000002   Num hooks: 0
>   Name: ix0             Type: ether           ID: 00000003   Num hooks: 0
>   Name: ix1             Type: ether           ID: 00000004   Num hooks: 0
>   Name: tap0            Type: ether           ID: 00000005   Num hooks: 0
>   Name: bridge3         Type: ether           ID: 00000006   Num hooks: 0
>   Name: ngctl7372       Type: socket          ID: 00000007   Num hooks: 0
> $ sudo kldload ng_etf
$ sudo ngctl mkpeer ix0: etf lower downstream
> $ sudo ngctl name ix0:lower eapfilter
> $ sudo ngctl connect eapfilter: ix0: nomatch upper
> $ sudo ngctl connect eapfilter: ix1: eapout lower
> $ sudo ngctl show eapfilter:
>   Name: eapfilter       Type: etf             ID: 00000021   Num hooks: 3
>   Local hook      Peer name       Peer type    Peer ID         Peer hook
>   ----------      ---------       ---------    -------         ---------
>   eapout          ix1             ether        00000004        lower
>   nomatch         ix0             ether        00000003        upper
>   downstream      ix0             ether        00000003        lower
> $ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
> $
>
>
>> Thanks.
>>
>> --------------------------------
>> John L. Lyon
>> PGP Key Available At: https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>
>> On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer wrote:
>>
>>     John did you get a resolution to this issue?
>>
>>     On 16/12/17 2:59 am, John Lyon wrote:
>>
>>         Harry and Eugene (and others),
>>
>>         I appreciate all of your help.  It's been really insightful.  Although I feel like I'm getting much closer to the solution, I don't think my problem has been diagnosed.  I've outlined my thought process below.  Can you please tell me if I am misunderstanding something?  Admittedly, I am not a kernel developer and my C language skills have atrophied the last few years.  However, I've reviewed my script and I looked in the code for ng_etf.c and I don't think I am violating any of the requirements for linking a hook for no match.
>>
>>         As Eugene stated:
>>
>>             1) referenced "matchhook" exists and you should not use "indirect name" here, only hook own name, or else you get error ENOENT (No such file or directory);
>>
>>         This does not seem to be a problem as the upper and lower hooks for the em1 already exist (I can confirm this).
>>
>>             2) referenced "matchhook" is *not* downstream hook, or else you get error EINVAL (Invalid argument);
>>
>>         I read the ng_etf.c file in the source tree and found this little snippet:
>>
>>         /* and is not the downstream hook */
>>         if (hook == etfp->downstream_hook.hook) {
>>              error = EINVAL;
>>              break;
>>         }
>>
>>         This appears to be an error check to make sure you are not creating a cycle in the graph by referencing the ETF node's own downstream hook (i.e. filtering incoming traffic and circularly feeding non-matching frames back into the ETF's own filter).  I'm not doing this.  I am feeding non-matching packets into the *lower* hook of another ether node and not back into the *downstream* hook of the etf node I am creating.  As a result, my netgraph should not be triggering this error condition.
>>
>>             3) it was not already configured, or else you get error EEXIST (File exists).
>>
>>         I am not getting this error, so it appears not to be an issue in my case.
>>
>>         What am I missing here?  The man page states that "*any other* hook" can be used for the non-matching packets.  So the man page says this should work, and there's no explicit error condition that I see (caveat, I have not written in C for at least 10 years - PEBKAC is entirely possible) that would be triggered in the ng_etf code.  So what is going wrong?
>>
>>         Thanks for all of your help, patience, and understanding.
>>
>>         --------------------------------
>>         John L. Lyon
>>         PGP Key Available At: https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>
>>         On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer wrote:
>>
>>             Regarding Eugene Grosbein's message of 14.12.2017 23:07 (localtime):
>>
>>                 15.12.2017 4:27, John Lyon wrote:
>>
>>                     I'm a new Netgraph user, but am having some problems with a simple Netgraph script I have written.  Unfortunately, the error message is cryptic and I can't tell what I am doing wrong since my script closely follows the example provided in the ng_etf man page.
>>
>>                     For some context, I'm trying to filter EAP traffic coming in on my LAN interface.  Any ethernet frames that correspond to EAP traffic need to be immediately forwarded from the LAN interface to my WAN interface.  All other ethernet frames coming in on my LAN interface need to be handled by the kernel's network stack.  A (horrid) ASCII art representation of my desired netgraph would look like this:
>>
>>                     lower -> em0 -> downstream -> ETF -> no match -> upper em0
>>                                                       -> match -> lower em1
>>
>>                     The script I have written is this:
>>
>>                          #! /bin/sh
>>                          ngctl mkpeer em0: etf lower downstream
>>                          ngctl name em0:lower lan_filter
>>                          ngctl connect em0: lan_filter: upper nomatch
>>                          ngctl msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }
>>
>>                     Unfortunately, the last line of my script generates the following error message:
>>
>>                          ngctl: send msg: Invalid Argument
>>
>>                 For "setfilter" command to work, ng_etf requires that:
>>
>>                 1) referenced "matchhook" exists and you should not use "indirect name" here, only hook own name, or else you get error ENOENT (No such file or directory);
>>
>>                 2) referenced "matchhook" is *not* downstream hook, or else you get error EINVAL (Invalid argument);
>>
>>                 3) it was not already configured, or else you get error EEXIST (File exists).
>>
>>             Eugene kindly looked into the code and found that the error is due to wrong matchhook definition.
>>             I've never had any contact with ng_etf yet, but according to the man page, you need to set the (additional) filter hook by 'nghook -a lan_filter: mydrain' and use 'matchhook=mydrain' for the 'msg' command.
>>
>>             No idea about the intention, so for the rest you have to tweak as needed.
>>
>>             -harry
>>
>>
>>         _______________________________________________
>>         freebsd-net@freebsd.org mailing list
>>         https://lists.freebsd.org/mailman/listinfo/freebsd-net
>>         To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>
>>
>>
>>
>
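A small shell wrapper for the working sequence in Julian's reply, added here as an example; it is not code from the thread or from FreeBSD. The ngctl commands are the ones shown above with the left-out mkpeer line in place. The node name eapfilter, the hook name eapout and the ethertype 0x888e come from the thread; the interface names are passed in by the caller, the `kldstat -q -m` idiom and the teardown function are my additions, and check_matchhook is a local pre-check that mirrors Eugene's three setfilter rules (it cannot read the live graph, so the EEXIST case is checked against a caller-supplied list of hooks that already carry a filter). It goes slightly beyond the thread in that it rejects the failing form from John's script (an indirect name such as em1:lower) before ngctl is ever called.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeBSD): wraps the working
# ngctl sequence from Julian's reply and pre-checks the setfilter matchhook
# against the three rules Eugene listed. Node name "eapfilter", hook name
# "eapout" and the ethertype 0x888e come from the thread; interface names
# are supplied by the caller. Needs root and a FreeBSD host for build/teardown.

# check_matchhook HOOK [CONFIGURED_HOOK...]
# Prints the errno ng_etf would return for a bad matchhook and returns 1;
# returns 0 when HOOK is acceptable. Extra arguments name hooks that already
# carry a setfilter entry (the EEXIST rule), since this script cannot read
# the live node state.
check_matchhook() {
    hook="$1"
    if [ $# -gt 0 ]; then shift; fi
    case "$hook" in
        '')
            echo "setfilter: empty matchhook (ENOENT)"; return 1 ;;
        *:*)
            # "em1:lower" is an indirect name; ng_etf only looks up its own hooks
            echo "setfilter: \"$hook\" is an indirect name, use the etf node's own hook name (ENOENT)"; return 1 ;;
        downstream)
            echo "setfilter: the downstream hook cannot be the matchhook (EINVAL)"; return 1 ;;
    esac
    for configured in "$@"; do
        if [ "$configured" = "$hook" ]; then
            echo "setfilter: \"$hook\" already has a filter (EEXIST)"; return 1
        fi
    done
    return 0
}

# build_eap_filter LAN WAN
# Julian's sequence: an etf node under LAN's "lower" hook, non-matching frames
# go back up to the LAN interface's "upper" hook (the kernel stack), frames
# with ethertype 0x888e leave through WAN's "lower" hook.
build_eap_filter() {
    lan="$1"
    wan="$2"
    check_matchhook eapout || return 1
    kldstat -q -m ng_etf || kldload ng_etf || return 1
    ngctl mkpeer "$lan": etf lower downstream || return 1
    ngctl name "$lan":lower eapfilter || return 1
    ngctl connect eapfilter: "$lan": nomatch upper || return 1
    ngctl connect eapfilter: "$wan": eapout lower || return 1
    ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' || return 1
    ngctl show eapfilter:
}

# teardown_eap_filter
# Shutting the etf node down disconnects its three hooks, which puts the
# LAN interface back on the normal path.
teardown_eap_filter() {
    ngctl shutdown eapfilter:
}

# Usage: sh eapfilter.sh build em0 em1
#        sh eapfilter.sh teardown
case "${1-}" in
    build)    build_eap_filter "$2" "$3" ;;
    teardown) teardown_eap_filter ;;
esac
```

check_matchhook is deliberately conservative: it only knows the three rules from the thread, so a hook name that passes it can still fail inside ngctl for a reason the thread does not cover (for instance a hook that was never connected). The build function stops at the first failing ngctl command so a half-built graph is visible in `ngctl list` rather than silently left behind.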