Date: Thu, 28 Dec 2017 21:59:40 +0800 From: Julian Elischer <julian@freebsd.org> To: John Lyon <johnllyon@gmail.com> Cc: "freebsd-net@freebsd.org" <freebsd-net@FreeBSD.ORG>, Eugene Grosbein <eugen@grosbein.net> Subject: Re: Need Netgraph Help Message-ID: <ac0e236e-f27c-d4ed-8527-010dd025efff@freebsd.org> In-Reply-To: <CAKfTJoXe%2BZjDEMbF12-JcwBAs0uQoAFYAC3g1A_d0yM8by-z6g@mail.gmail.com> References: <CAKfTJoUMxo7gsio7JJD8Vj_xPgFx5YEBH3_XViFhR0dt59==Dw@mail.gmail.com> <5A3225BF.6020205@omnilan.de> <CAKfTJoX78JhqsvB669Gxsr5UtZkbwuZrnVhOdU2UMacF7FmP1g@mail.gmail.com> <5A32F63E.8010205@grosbein.net> <5A338C5A.20300@omnilan.de> <CAKfTJoW5H82VLyBZ_5_sa9HU7Xbot7imeiP-ogVCNkHGe0_30Q@mail.gmail.com> <2e0525c8-2251-a5f5-45d1-fe44ebe318f7@freebsd.org> <CAKfTJoXe%2BZjDEMbF12-JcwBAs0uQoAFYAC3g1A_d0yM8by-z6g@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 28/12/17 1:37 am, John Lyon wrote: > Julian, > > Unfortunately, this issue remains unresolved. I would like to think > that this is just a PEBKAC issue, but I have tried every permutation > of escape characters in case it's an issue with my syntax and I get > the same set of errors. No matter what I do, I can't connect the no > match hook of an ETF node to the upper hook of an ng_ether node. Do > you have any insights into why this might be occurring? > > By the way, thanks for reaching out to me! I was going to email you > directly after the holidays since your name and email address are at > the bottom of the relevant Netgraph man pages. I figured that must > mean if you didn't know the answer, no one does. :-) what is EAP? what about return EAP packets? (are there any?) I think this is what you want: $ sudo ngctl list There are 7 total nodes: Name: igb0 Type: ether ID: 00000001 Num hooks: 0 Name: igb1 Type: ether ID: 00000002 Num hooks: 0 Name: ix0 Type: ether ID: 00000003 Num hooks: 0 Name: ix1 Type: ether ID: 00000004 Num hooks: 0 Name: tap0 Type: ether ID: 00000005 Num hooks: 0 Name: bridge3 Type: ether ID: 00000006 Num hooks: 0 Name: ngctl7372 Type: socket ID: 00000007 Num hooks: 0 $ sudo kldload ng_etf $ sudo ngctl name ix0:lower eapfilter $ sudo ngctl connect eapfilter: ix0: nomatch upper $ sudo ngctl connect eapfilter: ix1: eapout lower $ sudo ngctl show eapfilter: Name: eapfilter Type: etf ID: 00000021 Num hooks: 3 Local hook Peer name Peer type Peer ID Peer hook ---------- --------- --------- ------- --------- eapout ix1 ether 00000004 lower nomatch ix0 ether 00000003 upper downstream ix0 ether 00000003 lower $ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }' $ > > Thanks. > > > -------------------------------- > John L. Lyon > PGP Key Available At: > https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc > > On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer > <julian@freebsd.org <mailto:julian@freebsd.org>> wrote: > > John did you get a resolution to this issue? > > > On 16/12/17 2:59 am, John Lyon wrote: > > Harry and Eugene (and others), > > I appreciate all of your help. It's been really > insightful. Although I > feel like I'm getting much closer to the solution, I don't > think my problem > has been diagnosed. I've outlined my thought process > below. Can you > please tell me if I am misunderstanding something? > Admittedly, I am not a > kernel developer and my C language skills have atrophied the > last few > years. However, I've reviewed my script and I looked in the > code for > ng_etf.c and I don't think I am violating any of the > requirements for > linking a hook for no match. > > As Eugene stated: > > 1) referenced "matchook" exists and you should not > use "indirect name" > > here, > > only hook own name, or else you get error ENOENT (No > such file or > > directory); > > This does not seem to be a problem as the upper and lower > hooks for the em1 > already exist (I can confirm this). > > 2) referenced "matchook" is *not* downstream hook, > or else you get error > EINVAL (Invalid argument); > > I read the ng_etf.c file in the source tree and found this > little snippet: > > /* and is not the downstream hook */ > if (hook == etfp->downstream_hook.hook) { > error = EINVAL; > break; > } > > This appears to be an error check to make sure you are not > creating a cycle > in the graph by referencing the ETF node's own downstream > hook (i.e. > filtering incoming traffic and circularly feeding > non-matching frames back > into the ETF's own filter). I'm not doing this. I am > feeding non-matching > packets into the *lower* hook of another ether node and not > back into the > *downstream* hook of the etf node I am creating. As a > result, my netgraph > should not be triggering this error condition. > > 3) it was not already configured, or else you get > error EEXIST (File > > exists). > > I am not getting this error, so it appears not to be an > issue in my case. > > What am I missing here? The man page states that "*any > other *hook" can be > > used for the non-matching packets. So the man page says > this should work, > and there's no explicit error condition that I see (caveat, > I have not > written in C for at least 10 years - PEBKAC is entirely > possible) that > would be triggered in the ng_etf code. So what is going wrong? > > Thanks for all of your help, patience, and understanding. > > > -------------------------------- > John L. Lyon > PGP Key Available At: > https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc > <https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc> > > On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer > <freebsd@omnilan.de <mailto:freebsd@omnilan.de>> > wrote: > > Bezüglich Eugene Grosbein's Nachricht vom 14.12.2017 > 23:07 (localtime): > > 15.12.2017 4:27, John Lyon wrote: > > I'm a new Netgraph user, but am having > some problems with a simple > Netgraph > script I have written. Unfortunately, > the error message is cryptic > > and I > > can't tell what I am doing wrong since > my script closely follows the > example provided in the ng_etf man page. > > For some context, I'm trying to filter > EAP traffic coming in on my LAN > interface. Any ethernet frames that > correspond to EAP traffic need > > to be > > immediately forwarded from the LAN > interface to my WAN interface. All > other ethernet frames coming in on my > LAN interface need to be > > handled by > > the kernel's network stack. A (horrid) > ASCII art representation of my > desired netgraph would look like this: > > lower -> em0 -> downstream -> ETF -> no > match -> upper em0 > -> match -> > lower em1 > > The script I have written is this: > > #! /bin/sh > ngctl mkpeer em0: etf lower downstream > ngctl name em0:lower lan_filter > ngctl connect em0: lan_filter: > upper nomatch > ngctl msg lan_filter: setfilter { > matchhook="em1:lower" > ethertype=0x888e } > > Unfortunately, the last line of my > script generates the following > > error > > message: > > ngctl: send msg: Invalid Argument > > For "setfilter" command to work, ng_etf requires that: > > 1) referenced "matchook" exists and you should not > use "indirect name" > > here, > > only hook own name, or else you get error ENOENT (No > such file or > > directory); > > 2) referenced "matchook" is *not* downstream hook, > or else you get error > EINVAL (Invalid argument); > 3) it was not already configured, or else you get > error EEXIST (File > > exists). > > Eugene kindly looked into the code and found that the > error is due to > wrong matchhook definition. > I've never had any contact with ng_etf yet, but > according to the man > page, you need to set the (additional) filter hook by > 'nghook -a > lan_filter: mydrain' and use 'matchhook=mydrain' for the > 'msg' command. > > Do idea about the intention, so for the rest you have to > tweak as needed. > > -harry > > > _______________________________________________ > freebsd-net@freebsd.org <mailto:freebsd-net@freebsd.org> > mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-net > <https://lists.freebsd.org/mailman/listinfo/freebsd-net> > To unsubscribe, send any mail to > "freebsd-net-unsubscribe@freebsd.org > <mailto:freebsd-net-unsubscribe@freebsd.org>" > > > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ac0e236e-f27c-d4ed-8527-010dd025efff>