Need Netgraph Help [fixed]
Julian Elischer
julian at freebsd.org
Thu Dec 28 14:48:37 UTC 2017
On 28/12/17 9:59 pm, Julian Elischer wrote:
> On 28/12/17 1:37 am, John Lyon wrote:
>> Julian,
>>
>> Unfortunately, this issue remains unresolved. I would like to
>> think that this is just a PEBKAC issue, but I have tried every
>> permutation of escape characters in case it's an issue with my
>> syntax and I get the same set of errors. No matter what I do, I
>> can't connect the no match hook of an ETF node to the upper hook of
>> an ng_ether node. Do you have any insights into why this might be
>> occurring?
>>
>> By the way, thanks for reaching out to me! I was going to email
>> you directly after the holidays since your name and email address
>> are at the bottom of the relevant Netgraph man pages. I figured
>> that must mean if you didn't know the answer, no one does. :-)
>
> what is EAP?
> what about return EAP packets? (are there any?)
oops left out a line from the cut-n-paste...
>
> I think this is what you want:
> $ sudo ngctl list
> There are 7 total nodes:
> Name: igb0 Type: ether ID: 00000001 Num hooks: 0
> Name: igb1 Type: ether ID: 00000002 Num hooks: 0
> Name: ix0 Type: ether ID: 00000003 Num hooks: 0
> Name: ix1 Type: ether ID: 00000004 Num hooks: 0
> Name: tap0 Type: ether ID: 00000005 Num hooks: 0
> Name: bridge3 Type: ether ID: 00000006 Num hooks: 0
> Name: ngctl7372 Type: socket ID: 00000007 Num hooks: 0
> $ sudo kldload ng_etf
$ sudo ngctl mkpeer ix0: etf lower downstream
> $ sudo ngctl name ix0:lower eapfilter
> $ sudo ngctl connect eapfilter: ix0: nomatch upper
> $ sudo ngctl connect eapfilter: ix1: eapout lower
> $ sudo ngctl show eapfilter:
> Name: eapfilter Type: etf ID: 00000021 Num hooks: 3
> Local hook Peer name Peer type Peer ID Peer hook
> ---------- --------- --------- ------- ---------
> eapout ix1 ether 00000004 lower
> nomatch ix0 ether 00000003 upper
> downstream ix0 ether 00000003 lower
> $ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
> $
>
>
>>
>> Thanks.
>>
>>
>> --------------------------------
>> John L. Lyon
>> PGP Key Available At:
>> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>
>> On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer <julian at freebsd.org> wrote:
>>
>> John did you get a resolution to this issue?
>>
>>
>> On 16/12/17 2:59 am, John Lyon wrote:
>>
>> Harry and Eugene (and others),
>>
>> I appreciate all of your help. It's been really insightful. Although I
>> feel like I'm getting much closer to the solution, I don't think my problem
>> has been diagnosed. I've outlined my thought process below. Can you
>> please tell me if I am misunderstanding something? Admittedly, I am not a
>> kernel developer and my C language skills have atrophied the last few
>> years. However, I've reviewed my script and I looked in the code for
>> ng_etf.c and I don't think I am violating any of the requirements for
>> linking a hook for no match.
>>
>> As Eugene stated:
>>
>> 1) referenced "matchhook" exists and you should not use "indirect name"
>> here, only hook own name, or else you get error ENOENT (No such file or
>> directory);
>>
>> This does not seem to be a problem as the upper and lower hooks for the em1
>> already exist (I can confirm this).
>>
>> 2) referenced "matchhook" is *not* downstream hook, or else you get error
>> EINVAL (Invalid argument);
>>
>> I read the ng_etf.c file in the source tree and found this little snippet:
>>
>>     /* and is not the downstream hook */
>>     if (hook == etfp->downstream_hook.hook) {
>>         error = EINVAL;
>>         break;
>>     }
>>
>> This appears to be an error check to make sure you are not creating a cycle
>> in the graph by referencing the ETF node's own downstream hook (i.e.
>> filtering incoming traffic and circularly feeding non-matching frames back
>> into the ETF's own filter). I'm not doing this. I am feeding non-matching
>> packets into the *lower* hook of another ether node and not back into the
>> *downstream* hook of the etf node I am creating. As a result, my netgraph
>> should not be triggering this error condition.
>>
>> 3) it was not already configured, or else you get error EEXIST (File
>> exists).
>>
>> I am not getting this error, so it appears not to be an issue in my case.
>>
>> What am I missing here? The man page states that "*any other* hook" can be
>> used for the non-matching packets. So the man page says this should work,
>> and there's no explicit error condition that I see (caveat, I have not
>> written in C for at least 10 years - PEBKAC is entirely possible) that
>> would be triggered in the ng_etf code. So what is going wrong?
>>
>> Thanks for all of your help, patience, and understanding.
>>
>>
>> --------------------------------
>> John L. Lyon
>> PGP Key Available At:
>> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>
>> On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer <freebsd at omnilan.de> wrote:
>>
>> Regarding Eugene Grosbein's message of 14.12.2017 23:07 (localtime):
>>
>> 15.12.2017 4:27, John Lyon wrote:
>>
>> I'm a new Netgraph user, but am having some problems with a simple
>> Netgraph script I have written. Unfortunately, the error message is
>> cryptic and I can't tell what I am doing wrong since my script closely
>> follows the example provided in the ng_etf man page.
>>
>> For some context, I'm trying to filter EAP traffic coming in on my LAN
>> interface. Any ethernet frames that correspond to EAP traffic need to be
>> immediately forwarded from the LAN interface to my WAN interface. All
>> other ethernet frames coming in on my LAN interface need to be handled by
>> the kernel's network stack. A (horrid) ASCII art representation of my
>> desired netgraph would look like this:
>>
>> lower -> em0 -> downstream -> ETF -> no match -> upper em0
>>                                  -> match    -> lower em1
>>
>> The script I have written is this:
>>
>> #! /bin/sh
>> ngctl mkpeer em0: etf lower downstream
>> ngctl name em0:lower lan_filter
>> ngctl connect em0: lan_filter: upper nomatch
>> ngctl msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }
>>
>> Unfortunately, the last line of my script generates the following error
>> message:
>>
>> ngctl: send msg: Invalid Argument
>>
>> For "setfilter" command to work, ng_etf requires that:
>>
>> 1) referenced "matchhook" exists and you should not use "indirect name"
>> here, only hook own name, or else you get error ENOENT (No such file or
>> directory);
>> 2) referenced "matchhook" is *not* downstream hook, or else you get error
>> EINVAL (Invalid argument);
>> 3) it was not already configured, or else you get error EEXIST (File
>> exists).
>>
>> Eugene kindly looked into the code and found that the error is due to
>> wrong matchhook definition.
>> I've never had any contact with ng_etf yet, but according to the man
>> page, you need to set the (additional) filter hook by 'nghook -a
>> lan_filter: mydrain' and use 'matchhook=mydrain' for the 'msg' command.
>>
>> No idea about the intention, so for the rest you have to tweak as needed.
>>
>> -harry
>>
>>
>>
>
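The working graph from Julian's listing, as a re-runnable script. This is an added example, not code from the thread or from FreeBSD; it assumes ix0 is the LAN side and ix1 the WAN side as in the listing, that ng_etf is already loaded, and it only prints the ngctl plan unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): build the EAP-diversion netgraph.
# Assumptions: LAN=ix0, WAN=ix1, node name "eapfilter"; override via env.
LAN="${LAN:-ix0}"
WAN="${WAN:-ix1}"
FILTER_NODE="${FILTER_NODE:-eapfilter}"
EAPOL_ETHERTYPE=0x888e   # IEEE 802.1X EAPOL frames

# Emit the ngctl command sequence, one per line. Note that setfilter's
# matchhook is the etf node's OWN hook name ("eapout"), which we first
# connect to the WAN ether node's lower hook; an indirect name such as
# "ix1:lower" is what the thread shows failing. Non-matching frames go
# to nomatch -> LAN upper, so the host stack still sees everything that
# is not EAPOL, while EAPOL frames never reach the stack at all.
eap_netgraph_cmds() {
    lan="$1"; wan="$2"; node="$3"; etype="$4"
    printf '%s\n' \
      "ngctl mkpeer ${lan}: etf lower downstream" \
      "ngctl name ${lan}:lower ${node}" \
      "ngctl connect ${node}: ${lan}: nomatch upper" \
      "ngctl connect ${node}: ${wan}: eapout lower" \
      "ngctl msg ${node}: 'setfilter { matchhook=\"eapout\" ethertype=${etype} }'"
}

# Print the plan (default) or, with APPLY=1, run it and stop at the first
# failing step so a half-built graph is reported rather than ignored.
build_eap_graph() {
    eap_netgraph_cmds "$LAN" "$WAN" "$FILTER_NODE" "$EAPOL_ETHERTYPE" |
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            echo "+ $cmd" >&2
            eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
        else
            echo "$cmd"
        fi
    done
}

build_eap_graph
```

Run it once without APPLY to review the plan, then `APPLY=1 sh eapfilter.sh` as root; `ngctl show eapfilter:` afterwards should list the three hooks exactly as in Julian's output.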