From owner-freebsd-net@FreeBSD.ORG Fri Nov 7 13:02:14 2014 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 28347714 for ; Fri, 7 Nov 2014 13:02:14 +0000 (UTC) Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 9DF6AF9E for ; Fri, 7 Nov 2014 13:02:13 +0000 (UTC) Received: by mail-wg0-f50.google.com with SMTP id z12so3606087wgg.9 for ; Fri, 07 Nov 2014 05:02:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=wI0P48+4N9HvYnu6pTrAnI/jP4mIX7dtlXtqtaXO8+U=; b=VBaCsPrn+Dpd+catIbc0jcOJUbfmWuh8yv3RqvLpDqF045xEBJJ+UZarKsJf5BvD2r ZF+3FMSUo+VhZT+Rr2iD0Z54vxauyNx+HhIzEEZ7bHFU9ZOfV/IXx5exydjaoda2nMvl iO/KwpwsqFi4Fv4U6ItYy6PKheKZiQDfpaAIu6Bh8nzFInZGJgGcVmOV4k85i0QAWydw Do1UP+Jhvl5nt1MIV6yuZwvlDwIINc1y3tp4ELTsDZkqqK0cxpvVxfxnCpCGIKbWlq7v ntOKxwDExiYo3Wl8lVFZdNa8RJPNwiqdLZfG4t28NcMvceQXO4hpRBFZ9wkpN5/bBl6o WjFA== MIME-Version: 1.0 X-Received: by 10.181.8.72 with SMTP id di8mr14246637wid.1.1415365328798; Fri, 07 Nov 2014 05:02:08 -0800 (PST) Received: by 10.217.92.7 with HTTP; Fri, 7 Nov 2014 05:02:08 -0800 (PST) In-Reply-To: References: <20141104221216.GA17502@onelab2.iet.unipi.it> <9547E931-AF82-4F5C-AA22-865E93831A27@freebsdbrasil.com.br> Date: Fri, 7 Nov 2014 11:02:08 -0200 Message-ID: Subject: Re: netmap-ipfw on em0 em1 From: Evandro Nunes To: Luigi Rizzo Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 Cc: "freebsd-net@freebsd.org" X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 Nov 2014 13:02:14 -0000 On Thu, Nov 6, 2014 at 9:24 PM, Luigi Rizzo wrote: > The code on code.google.com/p/netmap-ipfw/ works well for me > on physical interfaces. > > For using the nics many of your examples show that you are not using the > various programs correctly. There is clearly a > mismatch between what this code does and your expectations, > and there isn't much i can do to fix that. > > I acknowledge that the code might have rough edges and poor error > reporting, but it is what it is. > > cheers > luigi > dear Luigi, do you run with em(4) driver? do you mind point out where I could read additional info on how to netmap-ipfw filter a traffic flow between 2 real boxes? I would love to read further details on netmap filtering on real NICs, because the default info is about vale: ports and not netmap: ports and yes, for vale ports it works very nice > > > On Thu, Nov 6, 2014 at 2:27 PM, Evandro Nunes > wrote: > >> On Wed, Nov 5, 2014 at 10:40 PM, Evandro Nunes >> wrote: >> >>> On Wed, Nov 5, 2014 at 8:44 PM, Patrick Tracanelli < >>> eksffa@freebsdbrasil.com.br> wrote: >>> >>>> Hey, what you are doing wrong is much more simple than you expect. >>>> >>>> > # ./kipfw em1 em2 > & /tmp/kipfw.log & >>>> > [1] 66583 >>>> >>>> Just run ./kipfw netmap:em1 netmap:em2 and this will probably work. >>>> >>>> Please remember to redirect kipfw output to somewhere you are not >>>> reading only *after* you are sure the output is showing errors. If you >>>> could read the output you would probably get something like =E2=80=9Ce= rror opening >>>> em0=E2=80=9D or something like that coming netmap. >>>> >>> >>> hello dear patrick >>> thank you, yes it did work now >>> at least it is counting packets >>> >>> but things are still weird, even though I have only count and allow >>> rules, and yes they are counting packets, when I run kipfw, every packe= t on >>> em1 and em2 gets dropped immediately. no matter they are allow rules >>> counting packets, packets get dropped and machine-A gets completely >>> isolated from machine-C >>> >>> any further help is appreciated >>> >> >> >> hello everybody, >> >> one clear and simple question: is anyone actually using netmap-ipfw on >> real NICs out there? or has anyone ever used? >> >> because every documentation I read, or video I watch, is based on vale >> NICs, not real ones; documentation is also not clear about or in fact >> existant regarding real NICs (this is not a complaint, I know netmap-ipf= w >> is experimental and I dont expect it to be rich yet, but I am talking ab= out >> any sort of doc, readme files, commit messages, mailing list excerpts...= ), >> not even the syntax netmap:NIC was clearly mentioned before I was told t= o >> do that >> >> I read the guy from BSDRP Project mentioning he got down on traffic afte= r >> enabling netmap-ipfw, I have read the same thing from a guy mr Meyer, an= d >> from a couple others in different dates (but mostly in this list here) a= nd >> everyone seem to gave given up. >> >> I started looking at the source code for extras/ and stuff but I am no >> hacker, and I could not figure out what I could be doing wrong. This is = why >> I ask if anyone actually runs netmap-ipfw on real NICs. Im not asking fo= r a >> recipe, Im just trying to figure out if I am focusing on testing somethi= ng >> that will never work because it lacks a usable piece of code to make it = run >> on real NICs (and I am not capable of coding it myself), or if I still >> doing something wrong... >> >> using netmap-ipfw with VALE ports is shows a very different behavior and >> works as expected and documented, not on real NICs has a complete differ= ent >> behavior, dropping everything even though it counts packets on an "allow= " >> rule... >> >> >> >> >> > > > -- > -----------------------------------------+------------------------------- > Prof. Luigi RIZZO, rizzo@iet.unipi.it . Dip. di Ing. dell'Informazione > http://www.iet.unipi.it/~luigi/ . Universita` di Pisa > TEL +39-050-2211611 . via Diotisalvi 2 > Mobile +39-338-6809875 . 56122 PISA (Italy) > -----------------------------------------+------------------------------- >