From: Harry Schmalzbauer
Organization: OmniLAN
Date: Fri, 15 Dec 2017 09:48:26 +0100
To: Eugene Grosbein
CC: John Lyon, freebsd-net@freebsd.org
Subject: Re: Need Netgraph Help
Message-ID: <5A338C5A.20300@omnilan.de>
In-Reply-To: <5A32F63E.8010205@grosbein.net>

Regarding Eugene Grosbein's message of 14.12.2017 23:07 (localtime):
> 15.12.2017 4:27, John Lyon wrote:
>
>>>> I'm a new Netgraph user, but am having some problems with a simple
>>>> Netgraph script I have written.  Unfortunately, the error message is
>>>> cryptic and I can't tell what I am doing wrong since my script closely
>>>> follows the example provided in the ng_etf man page.
>>>>
>>>> For some context, I'm trying to filter EAP traffic coming in on my LAN
>>>> interface.  Any ethernet frames that correspond to EAP traffic need to be
>>>> immediately forwarded from the LAN interface to my WAN interface.  All
>>>> other ethernet frames coming in on my LAN interface need to be handled by
>>>> the kernel's network stack.  A (horrid) ASCII art representation of my
>>>> desired netgraph would look like this:
>>>>
>>>> lower -> em0 -> downstream -> ETF -> no match -> upper em0
>>>>                                   -> match -> lower em1
>>>>
>>>> The script I have written is this:
>>>>
>>>> #! /bin/sh
>>>> ngctl mkpeer em0: etf lower downstream
>>>> ngctl name em0:lower lan_filter
>>>> ngctl connect em0: lan_filter: upper nomatch
>>>> ngctl msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }
>>>>
>>>> Unfortunately, the last line of my script generates the following error
>>>> message:
>>>>
>>>> ngctl: send msg: Invalid Argument
>
> For "setfilter" command to work, ng_etf requires that:
>
> 1) referenced "matchhook" exists and you should not use "indirect name" here,
> only hook own name, or else you get error ENOENT (No such file or directory);
> 2) referenced "matchhook" is *not* downstream hook, or else you get error
> EINVAL (Invalid argument);
> 3) it was not already configured, or else you get error EEXIST (File exists).

Eugene kindly looked into the code and found that the error is due to wrong
matchhook definition.

I've never had any contact with ng_etf yet, but according to the man page,
you need to set the (additional) filter hook by
'nghook -a lan_filter: mydrain'
and use 'matchhook=mydrain' for the 'msg' command.

No idea about the intention, so for the rest you have to tweak as needed.

-harry
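
A pre-flight check for the first two conditions in the quoted reply, followed by the setup sequence with the match hook created before `setfilter` is sent; this is an added example, not part of the original message or of the ng_etf man page. The hook name `eap_out`, the `RUN` switch and the helper names are assumptions, as is connecting the match hook to `em1:`'s `lower` hook to get the forwarding described in the original question.

```shell
#!/bin/sh
# Added example. Dry run by default: prints a trace of the ngctl calls
# (arguments shown after shell quoting is removed, so it is not a script to
# paste). Set RUN=1 on a FreeBSD host to execute the commands.

# Conditions 1 and 2 from the quoted reply, checked before a message is sent.
# Treating ':' or '.' as the mark of an indirect name is an assumption.
# Condition 3 (EEXIST) depends on node state and is not checked here.
check_matchhook() {
    case "$1" in
        "")         echo "empty hook name"; return 1 ;;
        *:*|*.*)    echo "indirect name, not a hook on the etf node (ENOENT)"; return 1 ;;
        downstream) echo "downstream hook cannot be a match hook (EINVAL)"; return 1 ;;
    esac
    echo "ok"
}

run() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# etf_setup LAN_IF WAN_IF HOOK ETHERTYPE
etf_setup() {
    lan=$1 wan=$2 hook=$3 etype=$4
    reason=$(check_matchhook "$hook") || {
        echo "refusing matchhook '$hook': $reason" >&2
        return 1
    }
    # Same first three steps as the script in the original question.
    run ngctl mkpeer "${lan}:" etf lower downstream
    run ngctl name "${lan}:lower" lan_filter
    run ngctl connect "${lan}:" lan_filter: upper nomatch
    # The match hook has to exist on the etf node before setfilter names it,
    # so connect it first (here to the WAN interface's lower hook).
    run ngctl connect "${wan}:" lan_filter: lower "$hook"
    # Passed as one argument so the inner double quotes reach ngctl intact.
    run ngctl msg lan_filter: setfilter "{ matchhook=\"$hook\" ethertype=$etype }"
}

etf_setup em0 em1 eap_out 0x888e
```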