From: Harry Schmalzbauer
Date: Thu, 14 Dec 2017 08:18:23 +0100
To: John Lyon
CC: freebsd-net@freebsd.org
Subject: Re: Need Netgraph Help
Message-ID: <5A3225BF.6020205@omnilan.de>

Regarding John Lyon's message of 13.12.2017 21:38 (localtime):
> Hello All,
>
> I'm a new Netgraph user, but am having some problems with a simple Netgraph
> script I have written. Unfortunately, the error message is cryptic and I
> can't tell what I am doing wrong since my script closely follows the
> example provided in the ng_etf man page.
>
> For some context, I'm trying to filter EAP traffic coming in on my LAN
> interface. Any ethernet frames that correspond to EAP traffic need to be
> immediately forwarded from the LAN interface to my WAN interface. All
> other ethernet frames coming in on my LAN interface need to be handled by
> the kernel's network stack. A (horrid) ASCII art representation of my
> desired netgraph would look like this:
>
> lower -> em0 -> downstream -> ETF -> no match -> upper em0
>                                   -> match -> lower em1
>
> The script I have written is this:
>
> #! /bin/sh
> ngctl mkpeer em0: etf lower downstream
> ngctl name em0:lower lan_filter
> ngctl connect em0: lan_filter: upper nomatch
> ngctl msg lan_filter: setfilter { matchhook="em1:lower"
> ethertype=0x888e }
>
> Unfortunately, the last line of my script generates the following error
> message:
>
> ngctl: send msg: Invalid Argument

I strongly guess shell interferes here.
Try quoting your braces part.

I'm handling auto startup (rc(8) integration) and mitigating quoting
issues like that:

Put into /etc/start_if.em0:

#!/bin/sh
if [ -r /etc/rc.conf.d/ng_etf.em0 ]; then
    if ! /usr/sbin/ngctl show lan_filter: 2>/dev/null | grep -q lan_filter; then
        /usr/sbin/ngctl -f /etc/rc.conf.d/ng_etf.em0
    fi
fi

Your /etc/rc.conf.d/ng_etf.em0 would look like that:

# to be loaded by ngctl script
mkpeer em0: etf lower downstream
name em0:lower lan_filter
connect em0: lan_filter: upper nomatch
msg lan_filter: setfilter { matchhook="em1:lower" }

Once I had a naming race suspicion, so I always do the real control
without relying on names, those are just for later admin tasks/reading:

# to be loaded by ngctl script
mkpeer em0: etf lower downstream
name em0:lower lan_filter
connect em0: em0:lower upper nomatch
msg em0:lower setfilter { matchhook="em1:lower" }

Beware of typos, hope that helps,

-harry
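
The quoting effect suggested in the reply above, as an added example that is not part of the original mail: it shows which text reaches ngctl when the braces part is typed bare versus single-quoted. The helpers `seen_by_ngctl`, `matchhook_is_quoted` and `build_setfilter_arg` are hypothetical, and the way ngctl joins its arguments is an assumption stated in the comments.

```sh
#!/bin/sh
# Added illustration, not from the original mail.
# Assumption: ngctl joins the words after "msg <path> <command>" with single
# spaces and passes that text to the netgraph ASCII message parser, which
# expects string values such as matchhook in double quotes.

# Join all arguments with single spaces, as assumed above.
seen_by_ngctl() {
    out=""
    for word in "$@"; do
        out="${out:+$out }$word"
    done
    printf '%s\n' "$out"
}

# Succeed only if the matchhook value still carries its double quotes.
matchhook_is_quoted() {
    case "$1" in
        *'matchhook="'*'"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the braces part as one word. $1 = hook string, $2 = ethertype.
# Rejects an empty hook, a hook containing '"', and a non-16-bit-hex ethertype.
build_setfilter_arg() {
    printf '%s' "$2" | grep -Eq '^0x[0-9a-fA-F]{1,4}$' || return 1
    case "$1" in ''|*'"'*) return 1 ;; esac
    printf '{ matchhook="%s" ethertype=%s }\n' "$1" "$2"
}

# Constructed inputs: the command from the post as typed, then with the
# braces part in single quotes.
unquoted=$(seen_by_ngctl setfilter { matchhook="em1:lower" ethertype=0x888e })
quoted=$(seen_by_ngctl setfilter '{ matchhook="em1:lower" ethertype=0x888e }')

printf 'as typed:      %s\n' "$unquoted"
printf 'single-quoted: %s\n' "$quoted"
matchhook_is_quoted "$unquoted" || echo "as typed: the shell removed the quotes"
matchhook_is_quoted "$quoted" && echo "single-quoted: quotes reach ngctl intact"

# Usage on a real system (not run here):
#   ngctl msg lan_filter: setfilter "$(build_setfilter_arg em1:lower 0x888e)"
```

This covers only the quoting step; whether the filter values themselves are accepted is up to ng_etf.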