Need Netgraph Help
Harry Schmalzbauer
freebsd at omnilan.de
Thu Dec 14 07:18:27 UTC 2017
Regarding John Lyon's message of 13.12.2017 21:38 (localtime):
> Hello All,
>
> I'm a new Netgraph user, but am having some problems with a simple Netgraph
> script I have written. Unfortunately, the error message is cryptic and I
> can't tell what I am doing wrong since my script closely follows the
> example provided in the ng_etf man page.
>
> For some context, I'm trying to filter EAP traffic coming in on my LAN
> interface. Any ethernet frames that correspond to EAP traffic need to be
> immediately forwarded from the LAN interface to my WAN interface. All
> other ethernet frames coming in on my LAN interface need to be handled by
> the kernel's network stack. A (horrid) ASCII art representation of my
> desired netgraph would look like this:
>
> lower -> em0 -> downstream -> ETF -> no match -> upper em0
>                                   -> match -> lower em1
>
> The script I have written is this:
>
> #! /bin/sh
> ngctl mkpeer em0: etf lower downstream
> ngctl name em0:lower lan_filter
> ngctl connect em0: lan_filter: upper nomatch
> ngctl msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }
>
> Unfortunately, the last line of my script generates the following error
> message:
>
> ngctl: send msg: Invalid Argument
I strongly guess shell interferes here. Try quoting your braces part.
I'm handling auto startup (rc(8) integration) and mitigating quoting
issues like that:
Put into /etc/start_if.em0:
#!/bin/sh
if [ -r /etc/rc.conf.d/ng_etf.em0 ]; then
    if ! /usr/sbin/ngctl show lan_filter: 2>/dev/null | grep -q lan_filter; then
        /usr/sbin/ngctl -f /etc/rc.conf.d/ng_etf.em0
    fi
fi
Your /etc/rc.conf.d/ng_etf.em0 would look like that:
# to be loaded by ngctl script
mkpeer em0: etf lower downstream
name em0:lower lan_filter
connect em0: lan_filter: upper nomatch
msg lan_filter: setfilter { matchhook="em1:lower" }
Once I had a naming race suspicion, so I always do the real control without
relying on names; those are just for later admin tasks/reading:
# to be loaded by ngctl script
mkpeer em0: etf lower downstream
name em0:lower lan_filter
connect em0: em0:lower upper nomatch
msg em0:lower setfilter { matchhook="em1:lower" }
Beware of typos, hope that helps,
-harry
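
The shell interference suspected in the reply above, as an added example that is not part of the original message: it shows the argument list a command receives when the braces part is unquoted, when it is quoted, and when it is kept in a file for `ngctl -f`. `show_args` is a hypothetical stand-in for ngctl, and the temporary file stands in for /etc/rc.conf.d/ng_etf.em0.

```shell
#!/bin/sh
# Stand-in for ngctl (assumption for this demo): returns the arguments it
# was given, one per line, so the effect of shell parsing is visible.
show_args() {
    for a in "$@"; do
        printf '%s\n' "$a"
    done
}

# Unquoted, as in the script from the question: the shell splits the
# message into separate words and removes the double quotes around
# em1:lower before the command ever runs.
unquoted() {
    show_args msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }
}

# Braces part in single quotes: it arrives as one argument with the
# inner double quotes preserved.
quoted() {
    show_args msg lan_filter: setfilter '{ matchhook="em1:lower" ethertype=0x888e }'
}

# File-based variant, as with "ngctl -f": a quoted heredoc (<<'EOF')
# writes the line verbatim, so no shell parsing touches the message.
# The temp file is a constructed sample; the function returns its path.
write_ngctl_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }
EOF
    printf '%s\n' "$f"
}

echo "unquoted:"; unquoted
echo "quoted:";   quoted
```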