Harry and Eugene (and others),
I appreciate all of your help. It's been really insightful. Although I
feel like I'm getting much closer to the solution, I don't think my problem
has been diagnosed. I've outlined my thought process below. Can you
please tell me if I am misunderstanding something? Admittedly, I am not a
kernel developer and my C language skills have atrophied the last few
years. However, I've reviewed my script and I looked in the code for
ng_etf.c and I don't think I am violating any of the requirements for
linking a hook for no match.
As Eugene stated:
>>1) referenced "matchook" exists and you should not use "indirect name"
here,
>>only hook own name, or else you get error ENOENT (No such file or
directory);
This does not seem to be a problem as the upper and lower hooks for the em1
already exist (I can confirm this).
>>2) referenced "matchook" is *not* downstream hook, or else you get error
>>EINVAL (Invalid argument);
I read the ng_etf.c file in the source tree and found this little snippet:
/* and is not the downstream hook */
if (hook == etfp->downstream_hook.hook) {
error = EINVAL;
break;
}
This appears to be an error check to make sure you are not creating a cycle
in the graph by referencing the ETF node's own downstream hook (i.e.
filtering incoming traffic and circularly feeding non-matching frames back
into the ETF's own filter). I'm not doing this. I am feeding non-matching
packets into the *lower* hook of another ether node and not back into the
*downstream* hook of the etf node I am creating. As a result, my netgraph
should not be triggering this error condition.
>>3) it was not already configured, or else you get error EEXIST (File
exists).
I am not getting this error, so it appears not to be an issue in my case.
What am I missing here? The man page states that "*any other *hook" can be
used for the non-matching packets. So the man page says this should work,
and there's no explicit error condition that I see (caveat, I have not
written in C for at least 10 years - PEBKAC is entirely possible) that
would be triggered in the ng_etf code. So what is going wrong?
Thanks for all of your help, patience, and understanding.
--------------------------------
John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer <free...@omnilan.de>
wrote:
> Bezüglich Eugene Grosbein's Nachricht vom 14.12.2017 23:07 (localtime):
> > 15.12.2017 4:27, John Lyon wrote:
> >
> >>>> I'm a new Netgraph user, but am having some problems with a simple
> >>>> Netgraph
> >>>> script I have written. Unfortunately, the error message is cryptic
> and I
> >>>> can't tell what I am doing wrong since my script closely follows the
> >>>> example provided in the ng_etf man page.
> >>>>
> >>>> For some context, I'm trying to filter EAP traffic coming in on my LAN
> >>>> interface. Any ethernet frames that correspond to EAP traffic need
> to be
> >>>> immediately forwarded from the LAN interface to my WAN interface. All
> >>>> other ethernet frames coming in on my LAN interface need to be
> handled by
> >>>> the kernel's network stack. A (horrid) ASCII art representation of my
> >>>> desired netgraph would look like this:
> >>>>
> >>>> lower -> em0 -> downstream -> ETF -> no match -> upper em0
> >>>> -> match ->
> >>>> lower em1
> >>>>
> >>>> The script I have written is this:
> >>>>
> >>>> #! /bin/sh
> >>>> ngctl mkpeer em0: etf lower downstream
> >>>> ngctl name em0:lower lan_filter
> >>>> ngctl connect em0: lan_filter: upper nomatch
> >>>> ngctl msg lan_filter: setfilter { matchhook="em1:lower"
> >>>> ethertype=0x888e }
> >>>>
> >>>> Unfortunately, the last line of my script generates the following
> error
> >>>> message:
> >>>>
> >>>> ngctl: send msg: Invalid Argument
> >
> > For "setfilter" command to work, ng_etf requires that:
> >
> > 1) referenced "matchook" exists and you should not use "indirect name"
> here,
> > only hook own name, or else you get error ENOENT (No such file or
> directory);
> > 2) referenced "matchook" is *not* downstream hook, or else you get error
> > EINVAL (Invalid argument);
> > 3) it was not already configured, or else you get error EEXIST (File
> exists).
>
> Eugene kindly looked into the code and found that the error is due to
> wrong matchhook definition.
> I've never had any contact with ng_etf yet, but according to the man
> page, you need to set the (additional) filter hook by 'nghook -a
> lan_filter: mydrain' and use 'matchhook=mydrain' for the 'msg' command.
>
> Do idea about the intention, so for the rest you have to tweak as needed.
>
> -harry
>
>
_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
