Date:      Sat, 16 Dec 2017 10:30:55 +0100
From:      Harry Schmalzbauer <freebsd@omnilan.de>
To:        John Lyon <johnllyon@gmail.com>
Cc:        freebsd-net@freebsd.org, Eugene Grosbein <eugen@grosbein.net>
Subject:   Re: Need Netgraph Help
Message-ID:  <5A34E7CF.2000104@omnilan.de>
In-Reply-To: <CAKfTJoW5H82VLyBZ_5_sa9HU7Xbot7imeiP-ogVCNkHGe0_30Q@mail.gmail.com>
References:  <CAKfTJoUMxo7gsio7JJD8Vj_xPgFx5YEBH3_XViFhR0dt59==Dw@mail.gmail.com> <5A3225BF.6020205@omnilan.de> <CAKfTJoX78JhqsvB669Gxsr5UtZkbwuZrnVhOdU2UMacF7FmP1g@mail.gmail.com> <5A32F63E.8010205@grosbein.net> <5A338C5A.20300@omnilan.de> <CAKfTJoW5H82VLyBZ_5_sa9HU7Xbot7imeiP-ogVCNkHGe0_30Q@mail.gmail.com>

Regarding John Lyon's message of 15.12.2017 19:59 (localtime):
> Harry and Eugene (and others),
> 
> I appreciate all of your help.  It's been really insightful.  Although I
> feel like I'm getting much closer to the solution, I don't think my problem
> has been diagnosed.  I've outlined my thought process below.  Can you
> please tell me if I am misunderstanding something?  Admittedly, I am not a
> kernel developer and my C language skills have atrophied the last few
> years.  However, I've reviewed my script and I looked in the code for
> ng_etf.c and I don't think I am violating any of the requirements for
> linking a hook for no match.
> 
> As Eugene stated:
> 
>>> 1) referenced "matchook" exists and you should not use "indirect name" here,
>>> only hook own name, or else you get error ENOENT (No such file or directory);
> 
> This does not seem to be a problem as the upper and lower hooks for the em1
> already exist (I can confirm this).
> 
>>> 2) referenced "matchook" is *not* downstream hook, or else you get error
>>> EINVAL (Invalid argument);
> 
> I read the ng_etf.c file in the source tree and found this little snippet:
> 
> /* and is not the downstream hook */
> if (hook == etfp->downstream_hook.hook) {
>     error = EINVAL;
>     break;
> }
> 
> This appears to be an error check to make sure you are not creating a cycle
> in the graph by referencing the ETF node's own downstream hook (i.e.
> filtering incoming traffic and circularly feeding non-matching frames back
> into the ETF's own filter).  I'm not doing this.  I am feeding non-matching
> packets into the *lower* hook of another ether node and not back into the
> *downstream* hook of the etf node I am creating.  As a result, my netgraph

Ah, sorry, I was reading your setup too quickly and missed that em0|em1
detail.
Since I'm no netgraph expert and also no kernel hacker due to C skills,
and on top I don't have any ng_etf experience, I'm out at this point
unfortunately.  I just remembered the shell quoting issue I had once
myself and thought this would be an easy one ;-)

I _think_ it's not possible to redirect the packets that way with
ng_etf.  You'd need at least to add the third hook to ng_etf.  In the
manpage, it's a user land hook.
Have you tried if
ngctl connect em1: lan_filter: lower mydrain
works?
If so, your "setfilter" message might also work.
I think the missing third hook is the key to your solution – while I
don't know your intention, but I guess you want to get specific
type-tagged frames being transmitted on a dedicated interface.

Please see
http://www.netbsd.org/gallery/presentations/ast/2012_AsiaBSDCon/Tutorial_NETGRAPH.pdf
on page 32+33.  That example corresponds to the man page.

Hope that helps,

-harry


