From owner-freebsd-net@freebsd.org Sat Jan 6 13:22:29 2018
From: John Lyon
To: Julian Elischer
Cc: "freebsd-net@freebsd.org", Eugene Grosbein
Date: Sat, 6 Jan 2018 08:22:25 -0500
Subject: Re: Need Netgraph Help [fixed]
Message-Id: <47C0E33A-E815-4860-A25C-F29BBB8D6787@gmail.com>
References: <5A3225BF.6020205@omnilan.de> <5A32F63E.8010205@grosbein.net> <5A338C5A.20300@omnilan.de> <2e0525c8-2251-a5f5-45d1-fe44ebe318f7@freebsd.org> <4fee4ea6-9b35-afba-6d5d-24ecca3e28c6@freebsd.org> <3b8d46da-75e3-79f2-379c-b27a88e80733@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

I just woke up with a follow-up question that may be my aha moment. Are Netgraph edges between nodes always bidirectional? I have been treating all of the edges as unidirectional, requiring me to create two separate Netgraphs. But if they are bidirectional, that would explain some things. Thanks.
Sent from my iPhone

> On Jan 5, 2018, at 11:16 PM, John Lyon wrote:
>
> Julian,
>
> So this didn't work when I tried to implement it on hardware in real life and I can't figure out why. I am sure it's really basic, but the error message is not very descriptive.
>
> I use the following script to create a graph that filters the EAP traffic and forwards directly from the first Ethernet interface to the second. It works perfectly.
>
> kldload ng_etf
> ngctl mkpeer igb0: etf lower downstream
> ngctl name igb0:lower waneapfilter
> ngctl connect waneapfilter: igb0: nomatch upper
> ngctl connect waneapfilter: igb1: waneapout lower
> ngctl msg waneapfilter: 'setfilter { matchhook="waneapout" ethertype=0x888e }'
>
> The end result is that EAPOL frames are forwarded directly from igb0 (WAN) to igb1 (LAN). Graphically, it looks like (arrows indicating flow of traffic):
>
> igb0]lower--->>downstream[ETF0]nomatch--->>upper[igb0...
>                                waneapout
>                                    |
>                                    |------>>lower[igb1....
>
> However, I also need to do the reverse and forward EAPOL frames in the opposite direction from igb1 (LAN) to igb0 (WAN). Graphically, I want (arrows indicating flow):
>
> igb1]lower--->>downstream[ETF1]nomatch--->>upper[igb1...
>                                laneapout
>                                    |
>                                    |------>>lower[igb0....
>
> So I try a mirror image of my first script. However, when I type the first line of:
>
> ngctl mkpeer igb1: etf lower downstream
>
> I get the following error message:
>
> ngctl: send msg: File exists.
>
> My guess (based on an earlier email in this thread) is that because I've already connected my first NG_ETF node to the lower hook of igb1 (in order to forward traffic out that interface), I am getting the error that the "File exists" when I try to connect a second ETF node to igb1 lower. If this is the case, how can I write traffic out the interface, while filtering incoming traffic on the same interface? I tried to use two different ETF nodes, as suggested, but get an error message when I try.
>
> Thanks for any help. I feel like I am so close. At this point, I probably should have just jumped ship and tried an alternate solution, but I just can't allow the machine to win. :-) I have to get this working!
>
> --------------------------------
> John L. Lyon
> PGP Key Available At:
> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>
>> On Fri, Dec 29, 2017 at 4:06 AM, Julian Elischer wrote:
>>> On 29/12/17 10:52 am, John Lyon wrote:
>>> It works!!! In virtual machine land at least, it works! It will be interesting to see what happens when the rubber meets the road and I actually test it "in the field."
>>>
>>> The issue was a missing single line that was not obvious from the man pages:
>>>
>>> sudo ngctl connect eapfilter: ix1: eapout lower
>>
>> Your next issue will be that you can only attach em1:lower to a single peer at a time. So return packets can not DTRT.
>>
>> You will need to either put a multiplexing node in each interface, OR if I wrote it correctly, use the fact that packets fed into an etf match hook will feed back out the input hook.
>>
>> So you need this:
>>
>> em0]lower---downstream[ETF0]nomatch---upper[em0...
>>                            eapout
>>                              |
>>                              |
>>                            eapout
>> em1]lower---downstream[ETF1]nomatch---upper[em1...
>>
>> i.e. use an etf node on each interface.
>>
>>> Apparently, I had not created an alias for the connection between the ETF and the ether nodes. Once this connect command was issued, the connection to the lower hook of the ether node was ready to be connected to the ETF.
>>>
>>> Thanks so much for your help.
>>>
>>> --------------------------------
>>> John L. Lyon
>>> PGP Key Available At:
>>> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>>
>>>> On Thu, Dec 28, 2017 at 9:48 AM, Julian Elischer wrote:
>>>>> On 28/12/17 9:59 pm, Julian Elischer wrote:
>>>>>> On 28/12/17 1:37 am, John Lyon wrote:
>>>>>> Julian,
>>>>>>
>>>>>> Unfortunately, this issue remains unresolved. I would like to think that this is just a PEBKAC issue, but I have tried every permutation of escape characters in case it's an issue with my syntax and I get the same set of errors. No matter what I do, I can't connect the no match hook of an ETF node to the upper hook of an ng_ether node. Do you have any insights into why this might be occurring?
>>>>>>
>>>>>> By the way, thanks for reaching out to me! I was going to email you directly after the holidays since your name and email address are at the bottom of the relevant Netgraph man pages. I figured that must mean if you didn't know the answer, no one does. :-)
>>>>>
>>>>> What is EAP?
>>>>> What about return EAP packets? (are there any?)
>>>>
>>>> Oops, left out a line from the cut-n-paste...
>>>>>
>>>>> I think this is what you want:
>>>>>
>>>>> $ sudo ngctl list
>>>>> There are 7 total nodes:
>>>>>   Name: igb0            Type: ether           ID: 00000001   Num hooks: 0
>>>>>   Name: igb1            Type: ether           ID: 00000002   Num hooks: 0
>>>>>   Name: ix0             Type: ether           ID: 00000003   Num hooks: 0
>>>>>   Name: ix1             Type: ether           ID: 00000004   Num hooks: 0
>>>>>   Name: tap0            Type: ether           ID: 00000005   Num hooks: 0
>>>>>   Name: bridge3         Type: ether           ID: 00000006   Num hooks: 0
>>>>>   Name: ngctl7372       Type: socket          ID: 00000007   Num hooks: 0
>>>>> $ sudo kldload ng_etf
>>>> $ sudo ngctl mkpeer ix0: etf lower downstream
>>>>> $ sudo ngctl name ix0:lower eapfilter
>>>>> $ sudo ngctl connect eapfilter: ix0: nomatch upper
>>>>> $ sudo ngctl connect eapfilter: ix1: eapout lower
>>>>> $ sudo ngctl show eapfilter:
>>>>>   Name: eapfilter       Type: etf             ID: 00000021   Num hooks: 3
>>>>>   Local hook      Peer name       Peer type    Peer ID         Peer hook
>>>>>   ----------      ---------       ---------    -------         ---------
>>>>>   eapout          ix1             ether        00000004        lower
>>>>>   nomatch         ix0             ether        00000003        upper
>>>>>   downstream      ix0             ether        00000003        lower
>>>>> $ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
>>>>> $
>>>>>
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> --------------------------------
>>>>>> John L. Lyon
>>>>>> PGP Key Available At:
>>>>>> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>>>>>
>>>>>> On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer wrote:
>>>>>> > John, did you get a resolution to this issue?
>>>>>> >
>>>>>> > On 16/12/17 2:59 am, John Lyon wrote:
>>>>>> >> Harry and Eugene (and others),
>>>>>> >>
>>>>>> >> I appreciate all of your help. It's been really insightful. Although I feel like I'm getting much closer to the solution, I don't think my problem has been diagnosed. I've outlined my thought process below. Can you please tell me if I am misunderstanding something? Admittedly, I am not a kernel developer and my C language skills have atrophied the last few years. However, I've reviewed my script and I looked in the code for ng_etf.c and I don't think I am violating any of the requirements for linking a hook for no match.
>>>>>> >>
>>>>>> >> As Eugene stated:
>>>>>> >>
>>>>>> >>     1) referenced "matchhook" exists and you should not use "indirect name" here, only hook own name, or else you get error ENOENT (No such file or directory);
>>>>>> >>
>>>>>> >> This does not seem to be a problem as the upper and lower hooks for the em1 already exist (I can confirm this).
>>>>>> >>
>>>>>> >>     2) referenced "matchhook" is *not* downstream hook, or else you get error EINVAL (Invalid argument);
>>>>>> >>
>>>>>> >> I read the ng_etf.c file in the source tree and found this little snippet:
>>>>>> >>
>>>>>> >>     /* and is not the downstream hook */
>>>>>> >>     if (hook == etfp->downstream_hook.hook) {
>>>>>> >>             error = EINVAL;
>>>>>> >>             break;
>>>>>> >>     }
>>>>>> >>
>>>>>> >> This appears to be an error check to make sure you are not creating a cycle in the graph by referencing the ETF node's own downstream hook (i.e. filtering incoming traffic and circularly feeding non-matching frames back into the ETF's own filter). I'm not doing this. I am feeding non-matching packets into the *lower* hook of another ether node and not back into the *downstream* hook of the etf node I am creating. As a result, my netgraph should not be triggering this error condition.
>>>>>> >>
>>>>>> >>     3) it was not already configured, or else you get error EEXIST (File exists).
>>>>>> >>
>>>>>> >> I am not getting this error, so it appears not to be an issue in my case.
>>>>>> >>
>>>>>> >> What am I missing here? The man page states that "*any other* hook" can be used for the non-matching packets. So the man page says this should work, and there's no explicit error condition that I see (caveat, I have not written in C for at least 10 years - PEBKAC is entirely possible) that would be triggered in the ng_etf code. So what is going wrong?
>>>>>> >>
>>>>>> >> Thanks for all of your help, patience, and understanding.
>>>>>> >>
>>>>>> >> --------------------------------
>>>>>> >> John L. Lyon
>>>>>> >> PGP Key Available At:
>>>>>> >> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>>>>> >>
>>>>>> >> On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer wrote:
>>>>>> >>> Regarding Eugene Grosbein's message of 14.12.2017 23:07 (localtime):
>>>>>> >>>> 15.12.2017 4:27, John Lyon wrote:
>>>>>> >>>>> I'm a new Netgraph user, but am having some problems with a simple Netgraph script I have written. Unfortunately, the error message is cryptic and I can't tell what I am doing wrong since my script closely follows the example provided in the ng_etf man page.
>>>>>> >>>>>
>>>>>> >>>>> For some context, I'm trying to filter EAP traffic coming in on my LAN interface. Any ethernet frames that correspond to EAP traffic need to be immediately forwarded from the LAN interface to my WAN interface. All other ethernet frames coming in on my LAN interface need to be handled by the kernel's network stack. A (horrid) ASCII art representation of my desired netgraph would look like this:
>>>>>> >>>>>
>>>>>> >>>>> lower -> em0 -> downstream -> ETF -> no match -> upper em0
>>>>>> >>>>>                                   -> match -> lower em1
>>>>>> >>>>>
>>>>>> >>>>> The script I have written is this:
>>>>>> >>>>>
>>>>>> >>>>> #! /bin/sh
>>>>>> >>>>> ngctl mkpeer em0: etf lower downstream
>>>>>> >>>>> ngctl name em0:lower lan_filter
>>>>>> >>>>> ngctl connect em0: lan_filter: upper nomatch
>>>>>> >>>>> ngctl msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }
>>>>>> >>>>>
>>>>>> >>>>> Unfortunately, the last line of my script generates the following error message:
>>>>>> >>>>>
>>>>>> >>>>> ngctl: send msg: Invalid Argument
>>>>>> >>>>
>>>>>> >>>> For "setfilter" command to work, ng_etf requires that:
>>>>>> >>>>
>>>>>> >>>> 1) referenced "matchhook" exists and you should not use "indirect name" here, only hook own name, or else you get error ENOENT (No such file or directory);
>>>>>> >>>> 2) referenced "matchhook" is *not* downstream hook, or else you get error EINVAL (Invalid argument);
>>>>>> >>>> 3) it was not already configured, or else you get error EEXIST (File exists).
>>>>>> >>>
>>>>>> >>> Eugene kindly looked into the code and found that the error is due to wrong matchhook definition.
>>>>>> >>> I've never had any contact with ng_etf yet, but according to the man page, you need to set the (additional) filter hook by 'nghook -a lan_filter: mydrain' and use 'matchhook=mydrain' for the 'msg' command.
>>>>>> >>>
>>>>>> >>> No idea about the intention, so for the rest you have to tweak as needed.
>>>>>> >>>
>>>>>> >>> -harry
>>>>>> >>>
>>>>>> >>> _______________________________________________
>>>>>> >>> freebsd-net@freebsd.org mailing list
>>>>>> >>> https://lists.freebsd.org/mailman/listinfo/freebsd-net
>>>>>> >>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
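Putting the thread's conclusions together (an etf node per interface, the two match hooks joined to each other so one edge carries EAPOL both ways, and the match hook named by its own hook name rather than an indirect `em1:lower` path), here is an added shell example; it is not code from the thread. Interface names igb0/igb1, node names wan_etf/lan_etf and the DRY_RUN switch are assumptions, and the `ngctl show` listing at the end is constructed in the format Julian's reply shows.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the graph Julian sketched:
# one ng_etf node per interface, nomatch back to that interface's upper hook,
# and the two "eapout" match hooks joined. Netgraph edges carry frames both
# ways, so that one edge forwards EAPOL LAN->WAN and WAN->LAN.
# Assumed (not from the thread): interfaces igb0/igb1, node names wan_etf/lan_etf.
set -eu
DRY_RUN=${DRY_RUN:-1}   # 1 = print the ngctl commands; 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Hang an etf node off $1's lower hook, name it $2, send non-matching frames to upper.
attach_etf() {
    run ngctl mkpeer "$1:" etf lower downstream
    run ngctl name "$1:lower" "$2"
    run ngctl connect "$2:" "$1:" nomatch upper
}

# $1 = WAN interface, $2 = LAN interface. Emits/executes exactly 10 commands.
eapol_graph() {
    run kldload -n ng_etf                  # -n: not an error if already loaded
    attach_etf "$1" wan_etf
    attach_etf "$2" lan_etf
    run ngctl connect wan_etf: lan_etf: eapout eapout
    for n in wan_etf lan_etf; do           # matchhook is the hook's own name
        run ngctl msg "$n:" 'setfilter { matchhook="eapout" ethertype=0x888e }'
    done
}

# Read an 'ngctl show <node>:' listing on stdin; fail unless the three hooks
# an EAPOL etf node needs are all connected (the first 3 lines are headers).
etf_hooks_ok() {
    hooks=$(awk 'NR > 3 && NF == 5 { printf " %s ", $1 }')
    rc=0
    for h in downstream nomatch eapout; do
        case "$hooks" in *" $h "*) ;; *) echo "missing hook: $h" >&2; rc=1 ;; esac
    done
    return $rc
}

eapol_graph igb0 igb1
# Constructed listing in the format 'ngctl show wan_etf:' prints after setup.
SAMPLE_SHOW='  Name: wan_etf Type: etf ID: 00000021 Num hooks: 3
  Local hook Peer name Peer type Peer ID Peer hook
  ---------- --------- --------- ------- ---------
  eapout lan_etf etf 00000022 eapout
  nomatch igb0 ether 00000001 upper
  downstream igb0 ether 00000001 lower'
printf '%s\n' "$SAMPLE_SHOW" | etf_hooks_ok && echo "wan_etf: all hooks connected"
```

Run it as-is to review the command list, then with `DRY_RUN=0` as root to apply it; pipe a real `ngctl show wan_etf:` into `etf_hooks_ok` to confirm all three hooks came up.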