From: John Lyon
Date: Fri, 15 Dec 2017 13:59:48 -0500
Subject: Re: Need Netgraph Help
To: Harry Schmalzbauer
Cc: Eugene Grosbein, freebsd-net@freebsd.org

Harry and Eugene (and others),

I appreciate all of your help. It's been really insightful. Although I
feel like I'm getting much closer to the solution, I don't think my
problem has been diagnosed. I've outlined my thought process below. Can
you please tell me if I am misunderstanding something?

Admittedly, I am not a kernel developer and my C language skills have
atrophied the last few years. However, I've reviewed my script and I
looked in the code for ng_etf.c and I don't think I am violating any of
the requirements for linking a hook for no match.

As Eugene stated:

>>1) referenced "matchhook" exists and you should not use "indirect name" here,
>>only hook own name, or else you get error ENOENT (No such file or directory);

This does not seem to be a problem as the upper and lower hooks for the
em1 already exist (I can confirm this).

>>2) referenced "matchhook" is *not* downstream hook, or else you get error
>>EINVAL (Invalid argument);

I read the ng_etf.c file in the source tree and found this little
snippet:

    /* and is not the downstream hook */
    if (hook == etfp->downstream_hook.hook) {
            error = EINVAL;
            break;
    }

This appears to be an error check to make sure you are not creating a
cycle in the graph by referencing the ETF node's own downstream hook
(i.e. filtering incoming traffic and circularly feeding non-matching
frames back into the ETF's own filter).

I'm not doing this. I am feeding non-matching packets into the *lower*
hook of another ether node and not back into the *downstream* hook of
the etf node I am creating. As a result, my netgraph should not be
triggering this error condition.

>>3) it was not already configured, or else you get error EEXIST (File exists).

I am not getting this error, so it appears not to be an issue in my
case.

What am I missing here? The man page states that "*any other* hook" can
be used for the non-matching packets. So the man page says this should
work, and there's no explicit error condition that I see (caveat, I have
not written in C for at least 10 years - PEBKAC is entirely possible)
that would be triggered in the ng_etf code. So what is going wrong?

Thanks for all of your help, patience, and understanding.

--------------------------------
John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer wrote:

> Regarding Eugene Grosbein's message of 14.12.2017 23:07 (localtime):
> > 15.12.2017 4:27, John Lyon wrote:
> >
> >>>> I'm a new Netgraph user, but am having some problems with a simple
> >>>> Netgraph script I have written. Unfortunately, the error message is
> >>>> cryptic and I can't tell what I am doing wrong since my script closely
> >>>> follows the example provided in the ng_etf man page.
> >>>>
> >>>> For some context, I'm trying to filter EAP traffic coming in on my LAN
> >>>> interface. Any ethernet frames that correspond to EAP traffic need to be
> >>>> immediately forwarded from the LAN interface to my WAN interface. All
> >>>> other ethernet frames coming in on my LAN interface need to be handled by
> >>>> the kernel's network stack. A (horrid) ASCII art representation of my
> >>>> desired netgraph would look like this:
> >>>>
> >>>> lower -> em0 -> downstream -> ETF -> no match -> upper em0
> >>>>                                   -> match    -> lower em1
> >>>>
> >>>> The script I have written is this:
> >>>>
> >>>> #! /bin/sh
> >>>> ngctl mkpeer em0: etf lower downstream
> >>>> ngctl name em0:lower lan_filter
> >>>> ngctl connect em0: lan_filter: upper nomatch
> >>>> ngctl msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }
> >>>>
> >>>> Unfortunately, the last line of my script generates the following error
> >>>> message:
> >>>>
> >>>> ngctl: send msg: Invalid Argument
> >
> > For "setfilter" command to work, ng_etf requires that:
> >
> > 1) referenced "matchhook" exists and you should not use "indirect name" here,
> > only hook own name, or else you get error ENOENT (No such file or directory);
> > 2) referenced "matchhook" is *not* downstream hook, or else you get error
> > EINVAL (Invalid argument);
> > 3) it was not already configured, or else you get error EEXIST (File exists).
>
> Eugene kindly looked into the code and found that the error is due to
> wrong matchhook definition.
> I've never had any contact with ng_etf yet, but according to the man
> page, you need to set the (additional) filter hook by 'nghook -a
> lan_filter: mydrain' and use 'matchhook=mydrain' for the 'msg' command.
>
> No idea about the intention, so for the rest you have to tweak as needed.
>
> -harry
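
The three "setfilter" checks Eugene lists, as an added example that is not part of the original messages and is not the ng_etf.c source: a simplified userspace C model that applies them in the listed order. The struct, the function names and sample_node() are hypothetical, and check 3 is read here as "this ethertype already has a filter".

```c
/* Added illustration: simplified userspace model, not the real ng_etf.c. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 8
struct etf_model {                    /* hypothetical stand-in for an etf node */
    const char *hooks[MAX_ENTRIES];   /* hooks that exist on THIS node */
    int nhooks;
    const char *downstream;           /* name of the downstream hook */
    uint16_t ethertypes[MAX_ENTRIES]; /* ethertypes that already have a filter */
    int nfilt;
};

/* Node state after the first three ngctl lines of the script in the thread. */
struct etf_model sample_node(void)
{
    struct etf_model n = { .hooks = { "downstream", "nomatch" }, .nhooks = 2,
                           .downstream = "downstream" };
    return n;
}

/* Returns 0 or an errno value, applying the three checks in the listed order. */
int etf_setfilter(struct etf_model *n, const char *matchhook, uint16_t ethertype)
{
    const char *hook = NULL;
    for (int i = 0; i < n->nhooks; i++)   /* lookup by the hook's own name */
        if (strcmp(n->hooks[i], matchhook) == 0)
            hook = n->hooks[i];
    if (hook == NULL)
        return ENOENT;                    /* 1) no hook of that name here */
    if (strcmp(hook, n->downstream) == 0)
        return EINVAL;                    /* 2) it is the downstream hook */
    for (int i = 0; i < n->nfilt; i++)
        if (n->ethertypes[i] == ethertype)
            return EEXIST;                /* 3) read as: ethertype already set */
    if (n->nfilt == MAX_ENTRIES)
        return ENOSPC;                    /* model limit, not from the thread */
    n->ethertypes[n->nfilt++] = ethertype;
    return 0;
}

int main(void)
{
    struct etf_model n = sample_node();
    printf("em1:lower: %s\n", strerror(etf_setfilter(&n, "em1:lower", 0x888e)));
    return 0;
}
```

In this model "em1:lower" fails check 1 because it is not the name of a hook on the etf node itself, while a hook attached to the node first (such as 'mydrain' in Harry's reply) passes all three checks.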