From owner-freebsd-net@freebsd.org Fri Dec 29 08:58:03 2017
From: Julian Elischer <julian@freebsd.org>
To: John Lyon
Cc: freebsd-net@freebsd.org, Eugene Grosbein
Subject: Re: Need Netgraph Help [fixed]
Date: Fri, 29 Dec 2017 16:57:45 +0800
Message-ID: <17173623-2aee-4259-6bd3-6ba0bfd7e404@freebsd.org>
References: <5A3225BF.6020205@omnilan.de> <5A32F63E.8010205@grosbein.net> <5A338C5A.20300@omnilan.de> <2e0525c8-2251-a5f5-45d1-fe44ebe318f7@freebsd.org> <4fee4ea6-9b35-afba-6d5d-24ecca3e28c6@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

On 29/12/17
10:52 am, John Lyon wrote:
> It works!!!  In virtual machine land at least, it works!  It will be
> interesting to see what happens when the rubber meets the road and I
> actually test it "in the field."
>
> The issue was a missing single line that was not obvious from the
> man pages:
>
>     sudo ngctl connect eapfilter: ix1: eapout lower
>
> Apparently, I had not created an alias for the connection between
> the ETF and the ether nodes.  Once this connect command was issued,
> the connection to the lower hook of the ether node was ready to be
> connected to the ETF.

The shown line assigns a linkage for matching frames to use. Until it
exists, you can not use it in a rule. Match rules can only reference
existing hooks.

> Thanks _so much_ for your help.
>
> --------------------------------
> John L. Lyon
> PGP Key Available At:
> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>
> On Thu, Dec 28, 2017 at 9:48 AM, Julian Elischer wrote:
> > On 28/12/17 9:59 pm, Julian Elischer wrote:
> > > On 28/12/17 1:37 am, John Lyon wrote:
> > > > Julian,
> > > >
> > > > Unfortunately, this issue remains unresolved.  I would like to
> > > > think that this is just a PEBKAC issue, but I have tried every
> > > > permutation of escape characters in case it's an issue with my
> > > > syntax and I get the same set of errors.  No matter what I do, I
> > > > can't connect the no match hook of an ETF node to the upper hook
> > > > of an ng_ether node.  Do you have any insights into why this
> > > > might be occurring?
> > > >
> > > > By the way, thanks for reaching out to me!  I was going to
> > > > email you directly after the holidays since your name and email
> > > > address are at the bottom of the relevant Netgraph man pages.
> > > > I figured that must mean if you didn't know the answer, no one
> > > > does. :-)
> > >
> > > what is EAP?
> > > what about return EAP packets? (are there any?)
> >
> > oops left out a line from the cut-n-paste...
> >
> > > I think this is what you want:
> > > $ sudo ngctl list
> > > There are 7 total nodes:
> > >   Name: igb0            Type: ether           ID: 00000001   Num hooks: 0
> > >   Name: igb1            Type: ether           ID: 00000002   Num hooks: 0
> > >   Name: ix0             Type: ether           ID: 00000003   Num hooks: 0
> > >   Name: ix1             Type: ether           ID: 00000004   Num hooks: 0
> > >   Name: tap0            Type: ether           ID: 00000005   Num hooks: 0
> > >   Name: bridge3         Type: ether           ID: 00000006   Num hooks: 0
> > >   Name: ngctl7372       Type: socket          ID: 00000007   Num hooks: 0
> > > $ sudo kldload ng_etf
> > >
> > > $ sudo ngctl mkpeer ix0: etf lower downstream
> > >
> > > $ sudo ngctl name ix0:lower eapfilter
> > > $ sudo ngctl connect eapfilter: ix0: nomatch upper
> > > $ sudo ngctl connect eapfilter: ix1: eapout lower
> > > $ sudo ngctl show eapfilter:
> > >   Name: eapfilter       Type: etf             ID: 00000021   Num hooks: 3
> > >   Local hook      Peer name       Peer type  Peer ID         Peer hook
> > >   ----------      ---------       ---------  -------         ---------
> > >   eapout          ix1             ether      00000004        lower
> > >   nomatch         ix0             ether      00000003        upper
> > >   downstream      ix0             ether      00000003        lower
> > > $ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
> > > $
> > > >
> > > > Thanks.
> > > >
> > > > --------------------------------
> > > > John L. Lyon
> > > > PGP Key Available At:
> > > > https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
> > > >
> > > > On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer wrote:
> > > > > John did you get a resolution to this issue?
> > > > >
> > > > > On 16/12/17 2:59 am, John Lyon wrote:
> > > > > > Harry and Eugene (and others),
> > > > > >
> > > > > > I appreciate all of your help.  It's been really insightful.
> > > > > > Although I feel like I'm getting much closer to the solution,
> > > > > > I don't think my problem has been diagnosed.  I've outlined my
> > > > > > thought process below.  Can you please tell me if I am
> > > > > > misunderstanding something?  Admittedly, I am not a kernel
> > > > > > developer and my C language skills have atrophied the last
> > > > > > few years.  However, I've reviewed my script and I looked in
> > > > > > the code for ng_etf.c and I don't think I am violating any of
> > > > > > the requirements for linking a hook for no match.
> > > > > >
> > > > > > As Eugene stated:
> > > > > >
> > > > > > > 1) referenced "matchook" exists and you should not use
> > > > > > > "indirect name" here, only hook own name, or else you get
> > > > > > > error ENOENT (No such file or directory);
> > > > > >
> > > > > > This does not seem to be a problem as the upper and lower
> > > > > > hooks for the em1 already exist (I can confirm this).
> > > > > >
> > > > > > > 2) referenced "matchook" is *not* downstream hook, or else
> > > > > > > you get error EINVAL (Invalid argument);
> > > > > >
> > > > > > I read the ng_etf.c file in the source tree and found this
> > > > > > little snippet:
> > > > > >
> > > > > > /* and is not the downstream hook */
> > > > > > if (hook == etfp->downstream_hook.hook) {
> > > > > >      error = EINVAL;
> > > > > >      break;
> > > > > > }
> > > > > >
> > > > > > This appears to be an error check to make sure you are not
> > > > > > creating a cycle in the graph by referencing the ETF node's
> > > > > > own downstream hook (i.e. filtering incoming traffic and
> > > > > > circularly feeding non-matching frames back into the ETF's
> > > > > > own filter).  I'm not doing this.  I am feeding non-matching
> > > > > > packets into the *lower* hook of another ether node and not
> > > > > > back into the *downstream* hook of the etf node I am
> > > > > > creating.  As a result, my netgraph should not be triggering
> > > > > > this error condition.
> > > > > >
> > > > > > > 3) it was not already configured, or else you get error
> > > > > > > EEXIST (File exists).
> > > > > >
> > > > > > I am not getting this error, so it appears not to be an
> > > > > > issue in my case.
> > > > > >
> > > > > > What am I missing here?  The man page states that "*any
> > > > > > other* hook" can be used for the non-matching packets.  So
> > > > > > the man page says this should work, and there's no explicit
> > > > > > error condition that I see (caveat, I have not written in C
> > > > > > for at least 10 years - PEBKAC is entirely possible) that
> > > > > > would be triggered in the ng_etf code.  So what is going
> > > > > > wrong?
> > > > > >
> > > > > > Thanks for all of your help, patience, and understanding.
> > > > > >
> > > > > > --------------------------------
> > > > > > John L. Lyon
> > > > > > PGP Key Available At:
> > > > > > https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
> > > > > >
> > > > > > On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer wrote:
> > > > > > > Regarding Eugene Grosbein's message of 14.12.2017 23:07
> > > > > > > (localtime):
> > > > > > > > 15.12.2017 4:27, John Lyon wrote:
> > > > > > > > > I'm a new Netgraph user, but am having some problems
> > > > > > > > > with a simple Netgraph script I have written.
> > > > > > > > > Unfortunately, the error message is cryptic and I
> > > > > > > > > can't tell what I am doing wrong since my script
> > > > > > > > > closely follows the example provided in the ng_etf
> > > > > > > > > man page.
> > > > > > > > >
> > > > > > > > > For some context, I'm trying to filter EAP traffic
> > > > > > > > > coming in on my LAN interface.  Any ethernet frames
> > > > > > > > > that correspond to EAP traffic need to be immediately
> > > > > > > > > forwarded from the LAN interface to my WAN interface.
> > > > > > > > > All other ethernet frames coming in on my LAN
> > > > > > > > > interface need to be handled by the kernel's network
> > > > > > > > > stack.  A (horrid) ASCII art representation of my
> > > > > > > > > desired netgraph would look like this:
> > > > > > > > >
> > > > > > > > > lower -> em0 -> downstream -> ETF -> no match -> upper em0
> > > > > > > > >                                   -> match -> lower em1
> > > > > > > > >
> > > > > > > > > The script I have written is this:
> > > > > > > > >
> > > > > > > > >      #! /bin/sh
> > > > > > > > >      ngctl mkpeer em0: etf lower downstream
> > > > > > > > >      ngctl name em0:lower lan_filter
> > > > > > > > >      ngctl connect em0: lan_filter: upper nomatch
> > > > > > > > >      ngctl msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }
> > > > > > > > >
> > > > > > > > > Unfortunately, the last line of my script generates
> > > > > > > > > the following error message:
> > > > > > > > >
> > > > > > > > >      ngctl: send msg: Invalid Argument
> > > > > > > >
> > > > > > > > For "setfilter" command to work, ng_etf requires that:
> > > > > > > >
> > > > > > > > 1) referenced "matchook" exists and you should not use
> > > > > > > > "indirect name" here, only hook own name, or else you
> > > > > > > > get error ENOENT (No such file or directory);
> > > > > > > > 2) referenced "matchook" is *not* downstream hook, or
> > > > > > > > else you get error EINVAL (Invalid argument);
> > > > > > > > 3) it was not already configured, or else you get error
> > > > > > > > EEXIST (File exists).
> > > > > > >
> > > > > > > Eugene kindly looked into the code and found that the
> > > > > > > error is due to wrong matchhook definition.
> > > > > > > I've never had any contact with ng_etf yet, but according
> > > > > > > to the man page, you need to set the (additional) filter
> > > > > > > hook by 'nghook -a lan_filter: mydrain' and use
> > > > > > > 'matchhook=mydrain' for the 'msg' command.
> > > > > > >
> > > > > > > No idea about the intention, so for the rest you have to
> > > > > > > tweak as needed.
> > > > > > >
> > > > > > > -harry
> > > > > >
> > > > > > _______________________________________________
> > > > > > freebsd-net@freebsd.org mailing list
> > > > > > https://lists.freebsd.org/mailman/listinfo/freebsd-net
> > > > > > To unsubscribe, send any mail to
> > > > > > "freebsd-net-unsubscribe@freebsd.org"
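The thread's fix, as a script: added example, not code from the thread, from John's setup, or from the FreeBSD tree. It builds the graph Julian's listing ends up with (EAPOL frames, ethertype 0x888e, entering the LAN interface's lower hook are pushed out the WAN interface's lower hook; everything else goes up the LAN interface's upper hook to the host stack) using only the ngctl(8) subcommands that appear above, and it pre-checks the first two setfilter conditions Eugene listed by parsing `ngctl show` output, so the "Invalid argument" from the first script is caught before the message is sent. The interface names ix0/ix1 and the node name eapfilter come from Julian's listing; the NGCTL variable, the return codes 2 and 3, and the sample `ngctl show` text embedded below (copied from the thread) are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD tree.  Set NGCTL=echo for a
# dry run that prints the ngctl commands instead of executing them.

NGCTL="${NGCTL:-ngctl}"
EAP_ETHERTYPE=0x888e    # IEEE 802.1X EAPOL

# eap_divert_apply LAN WAN [FILTERNAME]
# Runs the five ngctl commands in order.  The fourth is the line the first
# script lacked: the match hook has to be connected before setfilter can name
# it, because the rule is validated against the node's existing hooks.
eap_divert_apply() {
    lan=$1; wan=$2; filt=${3:-eapfilter}
    "$NGCTL" mkpeer "${lan}:" etf lower downstream &&
    "$NGCTL" name "${lan}:lower" "$filt" &&
    "$NGCTL" connect "${filt}:" "${lan}:" nomatch upper &&
    "$NGCTL" connect "${filt}:" "${wan}:" eapout lower &&
    "$NGCTL" msg "${filt}:" "setfilter { matchhook=\"eapout\" ethertype=${EAP_ETHERTYPE} }"
}

# etf_match_hook_ok HOOK   (reads the output of `ngctl show FILTERNAME:` on stdin)
# Mirrors the first two setfilter checks from the thread: returns 2 if HOOK is
# not a hook of the node (kernel: ENOENT, e.g. an indirect name like em1:lower)
# and 3 if it is the node's own downstream hook (kernel: EINVAL).  The third
# case, a filter already installed (EEXIST), is not visible in `ngctl show`
# and is left to the kernel.
etf_match_hook_ok() {
    awk -v want="$1" '
        /^ *-+ +-+/            { body = 1; next }   # dashed rule ends the header
        body && $1 == want     { found = 1 }
        END {
            if (!found)               exit 2
            if (want == "downstream") exit 3
            exit 0
        }'
}

# Constructed sample: the `ngctl show eapfilter:` listing posted in the thread.
SAMPLE_SHOW='  Name: eapfilter       Type: etf             ID: 00000021   Num hooks: 3
  Local hook      Peer name       Peer type  Peer ID         Peer hook
  ----------      ---------       ---------  -------         ---------
  eapout          ix1             ether      00000004        lower
  nomatch         ix0             ether      00000003        upper
  downstream      ix0             ether      00000003        lower'

# Dry run of the build, then the hook check against the sample listing:
# eapout -> rc 0, em1:lower -> rc 2 (ENOENT), downstream -> rc 3 (EINVAL).
( NGCTL=echo; eap_divert_apply ix0 ix1 eapfilter )
for h in eapout em1:lower downstream; do
    printf '%s\n' "$SAMPLE_SHOW" | etf_match_hook_ok "$h"
    printf 'matchhook=%s -> rc %d\n' "$h" "$?"
done
```

On a real box the check goes between the last connect and the setfilter message: `ngctl show eapfilter: | etf_match_hook_ok eapout && ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'`. Note that, as in Julian's listing, the graph only diverts frames that arrive on the LAN side; frames coming back on the WAN side are not handled, which is the question Julian raises above.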