Date:      Thu, 28 Dec 2017 21:59:40 +0800
From:      Julian Elischer <julian@freebsd.org>
To:        John Lyon <johnllyon@gmail.com>
Cc:        "freebsd-net@freebsd.org" <freebsd-net@FreeBSD.ORG>, Eugene Grosbein <eugen@grosbein.net>
Subject:   Re: Need Netgraph Help
Message-ID:  <ac0e236e-f27c-d4ed-8527-010dd025efff@freebsd.org>
In-Reply-To: <CAKfTJoXe%2BZjDEMbF12-JcwBAs0uQoAFYAC3g1A_d0yM8by-z6g@mail.gmail.com>
References:  <CAKfTJoUMxo7gsio7JJD8Vj_xPgFx5YEBH3_XViFhR0dt59==Dw@mail.gmail.com> <5A3225BF.6020205@omnilan.de> <CAKfTJoX78JhqsvB669Gxsr5UtZkbwuZrnVhOdU2UMacF7FmP1g@mail.gmail.com> <5A32F63E.8010205@grosbein.net> <5A338C5A.20300@omnilan.de> <CAKfTJoW5H82VLyBZ_5_sa9HU7Xbot7imeiP-ogVCNkHGe0_30Q@mail.gmail.com> <2e0525c8-2251-a5f5-45d1-fe44ebe318f7@freebsd.org> <CAKfTJoXe%2BZjDEMbF12-JcwBAs0uQoAFYAC3g1A_d0yM8by-z6g@mail.gmail.com>

On 28/12/17 1:37 am, John Lyon wrote:
> Julian,
>
> Unfortunately, this issue remains unresolved.  I would like to think 
> that this is just a PEBKAC issue, but I have tried every permutation 
> of escape characters in case it's an issue with my syntax and I get 
> the same set of errors.  No matter what I do, I can't connect the no 
> match hook of an ETF node to the upper hook of an ng_ether node.  Do 
> you have any insights into why this might be occurring?
>
> By the way, thanks for reaching out to me!  I was going to email you 
> directly after the holidays since your name and email address are at 
> the bottom of the relevant Netgraph man pages.  I figured that must 
> mean if you didn't know the answer, no one does. :-)

What is EAP?
What about return EAP packets? (Are there any?)

I think this is what you want:
$ sudo ngctl list
There are 7 total nodes:
   Name: igb0            Type: ether           ID: 00000001   Num hooks: 0
   Name: igb1            Type: ether           ID: 00000002   Num hooks: 0
   Name: ix0             Type: ether           ID: 00000003   Num hooks: 0
   Name: ix1             Type: ether           ID: 00000004   Num hooks: 0
   Name: tap0            Type: ether           ID: 00000005   Num hooks: 0
   Name: bridge3         Type: ether           ID: 00000006   Num hooks: 0
   Name: ngctl7372       Type: socket          ID: 00000007   Num hooks: 0
$ sudo kldload ng_etf
$ sudo ngctl name ix0:lower eapfilter
$ sudo ngctl connect eapfilter: ix0: nomatch upper
$ sudo ngctl connect eapfilter: ix1: eapout lower
$ sudo ngctl show eapfilter:
   Name: eapfilter       Type: etf             ID: 00000021   Num hooks: 3
   Local hook      Peer name       Peer type    Peer ID         Peer hook
   ----------      ---------       ---------    -------         ---------
   eapout          ix1             ether        00000004        lower
   nomatch         ix0             ether        00000003        upper
   downstream      ix0             ether        00000003        lower
$ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
$


>
> Thanks.
>
>
> --------------------------------
> John L. Lyon
> PGP Key Available At:
> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>
> On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer <julian@freebsd.org> wrote:
>
>     John did you get a resolution to this issue?
>
>
>     On 16/12/17 2:59 am, John Lyon wrote:
>
>         Harry and Eugene (and others),
>
>         I appreciate all of your help.  It's been really insightful.
>         Although I feel like I'm getting much closer to the solution, I
>         don't think my problem has been diagnosed.  I've outlined my
>         thought process below.  Can you please tell me if I am
>         misunderstanding something?  Admittedly, I am not a kernel
>         developer and my C language skills have atrophied the last few
>         years.  However, I've reviewed my script and I looked in the code
>         for ng_etf.c and I don't think I am violating any of the
>         requirements for linking a hook for no match.
>
>         As Eugene stated:
>
>                 1) referenced "matchhook" exists and you should not use
>                 "indirect name" here, only hook own name, or else you get
>                 error ENOENT (No such file or directory);
>
>         This does not seem to be a problem as the upper and lower hooks
>         for the em1 already exist (I can confirm this).
>
>                 2) referenced "matchhook" is *not* downstream hook, or else
>                 you get error EINVAL (Invalid argument);
>
>         I read the ng_etf.c file in the source tree and found this little
>         snippet:
>
>         /* and is not the downstream hook */
>         if (hook == etfp->downstream_hook.hook) {
>              error = EINVAL;
>              break;
>         }
>
>         This appears to be an error check to make sure you are not
>         creating a cycle in the graph by referencing the ETF node's own
>         downstream hook (i.e. filtering incoming traffic and circularly
>         feeding non-matching frames back into the ETF's own filter).  I'm
>         not doing this.  I am feeding non-matching packets into the
>         *lower* hook of another ether node and not back into the
>         *downstream* hook of the etf node I am creating.  As a result, my
>         netgraph should not be triggering this error condition.
>
>                 3) it was not already configured, or else you get error
>                 EEXIST (File exists).
>
>         I am not getting this error, so it appears not to be an issue in
>         my case.
>
>         What am I missing here?  The man page states that "*any other*
>         hook" can be used for the non-matching packets.  So the man page
>         says this should work, and there's no explicit error condition
>         that I see (caveat, I have not written in C for at least 10 years
>         - PEBKAC is entirely possible) that would be triggered in the
>         ng_etf code.  So what is going wrong?
>
>         Thanks for all of your help, patience, and understanding.
>
>
>         --------------------------------
>         John L. Lyon
>         PGP Key Available At:
>         https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>
>         On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer <freebsd@omnilan.de> wrote:
>
>             Regarding Eugene Grosbein's message of 14.12.2017 23:07 (localtime):
>
>                 15.12.2017 4:27, John Lyon wrote:
>
>                             I'm a new Netgraph user, but am having some
>                             problems with a simple Netgraph script I have
>                             written.  Unfortunately, the error message is
>                             cryptic and I can't tell what I am doing wrong
>                             since my script closely follows the example
>                             provided in the ng_etf man page.
>
>                             For some context, I'm trying to filter EAP
>                             traffic coming in on my LAN interface.  Any
>                             ethernet frames that correspond to EAP traffic
>                             need to be immediately forwarded from the LAN
>                             interface to my WAN interface.  All other
>                             ethernet frames coming in on my LAN interface
>                             need to be handled by the kernel's network
>                             stack.  A (horrid) ASCII art representation of
>                             my desired netgraph would look like this:
>
>                             lower -> em0 -> downstream -> ETF -> no match -> upper em0
>                                                               -> match -> lower em1
>
>                             The script I have written is this:
>
>                                  #! /bin/sh
>                                  ngctl mkpeer em0: etf lower downstream
>                                  ngctl name em0:lower lan_filter
>                                  ngctl connect em0: lan_filter: upper nomatch
>                                  ngctl msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }
>
>                             Unfortunately, the last line of my script
>                             generates the following error message:
>
>                                  ngctl: send msg: Invalid Argument
>
>                 For "setfilter" command to work, ng_etf requires that:
>
>                 1) referenced "matchhook" exists and you should not use
>                 "indirect name" here, only hook own name, or else you get
>                 error ENOENT (No such file or directory);
>
>                 2) referenced "matchhook" is *not* downstream hook, or else
>                 you get error EINVAL (Invalid argument);
>
>                 3) it was not already configured, or else you get error
>                 EEXIST (File exists).
>
>             Eugene kindly looked into the code and found that the error is
>             due to wrong matchhook definition.
>             I've never had any contact with ng_etf yet, but according to
>             the man page, you need to set the (additional) filter hook by
>             'nghook -a lan_filter: mydrain' and use 'matchhook=mydrain' for
>             the 'msg' command.
>
>             No idea about the intention, so for the rest you have to tweak
>             as needed.
>
>             -harry
>
>
>
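
Added example (not part of the thread and not the ng_etf kernel source): a simplified user-space C model of the three setfilter checks Eugene lists, run against a constructed node with the same hooks as the eapfilter node in the reply above. The struct, the function names, the table size and the reading of rule 3 as "this ethertype already has a filter" are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define NSLOTS 8                         /* table size of this model, arbitrary */

/* Hypothetical stand-in for an ng_etf node (not the kernel structure). */
struct etf_model {
    const char    *hooks[NSLOTS];        /* hook names local to this node */
    const char    *downstream;           /* name of the downstream hook */
    unsigned short ethertypes[NSLOTS];   /* ethertypes that already have a filter */
    int            nfilters;
};

/* Hooks are found by their own name only; a "node:hook" path never matches. */
static int has_hook(const struct etf_model *n, const char *name)
{
    for (int i = 0; i < NSLOTS && n->hooks[i]; i++)
        if (strcmp(n->hooks[i], name) == 0)
            return 1;
    return 0;
}

/* Apply the three rules from the thread in order; 0 means the filter is set. */
int model_setfilter(struct etf_model *n, const char *matchhook, unsigned short ethertype)
{
    if (!has_hook(n, matchhook))
        return ENOENT;                   /* rule 1: not a hook of this node */
    if (strcmp(matchhook, n->downstream) == 0)
        return EINVAL;                   /* rule 2: is the downstream hook */
    for (int i = 0; i < n->nfilters; i++)
        if (n->ethertypes[i] == ethertype)
            return EEXIST;               /* rule 3 (assumed: per ethertype) */
    if (n->nfilters == NSLOTS) return ENOMEM;  /* limit of this model only */
    n->ethertypes[n->nfilters++] = ethertype;
    return 0;
}

/* Constructed node with the three hooks listed by "ngctl show eapfilter:". */
struct etf_model make_eapfilter(void)
{
    return (struct etf_model){ .hooks = { "eapout", "nomatch", "downstream" }, .downstream = "downstream" };
}

int main(void)
{
    struct etf_model n = make_eapfilter();
    const char *tries[] = { "em1:lower", "downstream", "eapout", "eapout" };
    for (int i = 0; i < 4; i++)
        printf("%-10s -> %s\n", tries[i], strerror(model_setfilter(&n, tries[i], 0x888e)));
}
```
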



