Re: 75 second delay using telnet/ssh (ipv6 related)
> Machine A is trying to access a filesystem on machine B via amd +
> nfs. Machine A first looks up machine B's record, this fails and
> then it looks up machine B's A record. This succeeds and the file
> accesses go through.
>
> However, when Machine B's named goes to lunch (this is the named that
> machine A is using), the query for the record times out and then
> the query for A happens some 30-45 seconds later and succeeds right
> away.
>
> At least that's my reading of the tcpdump traffic.
>
> None of these machines should be using IPv6 since we have no IPv6
> machines and don't use IPv6 address. No records are defined at
> all. And it only seems to happen sometimes. I don't know what kills
> named in the first place, just what happens when it goes partially
> brain dead.
>
> Warner

Ah, that will be the same problem as with others, and it is not a named problem but a resolver problem, I think.

Could you please try applying my patches to the 4.0 machine?

Thanks,
Yoshinobu Inoue

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: 75 second delay using telnet/ssh (ipv6 related)
> In message <38EBB04B.13877.3416842@localhost> [EMAIL PROTECTED] writes:
> : Is this problem just with current? I am having the same type of
> : problem with the sshd daemon on 4.0-STABLE
>
> We found that the records were confusing our local name server.
> Kill and restart it and it was fine again for a while. When we
> rebuilt the kernel on the machine that was slow w/o INET6 the name
> server stopped, and it stopped going out to lunch. 4.0 machine
> against a 3.4release-ish named.
>
> Warner

Are those records defined for local machines on the local name server?

Then, I would like to try the same configuration, and could you please give me those zone files?

Thanks,
Yoshinobu Inoue
Re: 75 second delay using telnet/ssh (ipv6 related)
> On 6 Apr 2000, at 12:53, Yoshinobu Inoue wrote:
> Is this problem just with current? I am having the same type of
> problem with the sshd daemon on 4.0-STABLE

The problem also happens on 4.0-STABLE, and my patch also applies to it.

I'll MFC it to 4.0-STABLE after I confirmed it on the current. But if you have trouble now, please try this patch on your 4.0-STABLE machine.

I'll also send this patch to freebsd-stable.

Yoshinobu Inoue
Re: 75 second delay using telnet/ssh (ipv6 related)
> > > > Sorry for the inconvenience and I'll try the fix.
> > >
> > > Sorry to be late, but I tried resolver fix and it seems to work.
> > > This should remove such 75 seconds delay in apps which use
> > > getaddrinfo().
> > >
> > > Please review and try this patches.
> >
> > I applied it and am running with it now, but I can't say one way or another
> > if it has fixed the problem :-). It only cropped up every couple of
> > weeks and seemingly random at that. I'll assume it works if I don't see
> > it happening again.
> >
> > Thanks,
>
> OK, anyway it is rather critical fix, so I think it needs some
> testing period.

I did a little bit cleanup, and made new patches. (with no behaviour change)

I already received several positive confirmations for the patches. I'll wait more several days and will commit this if no significant problem is found for this.

Thanks,
Yoshinobu Inoue

Index: getaddrinfo.c === RCS file: /home/ncvs/src/lib/libc/net/getaddrinfo.c,v retrieving revision 1.9 diff -u -r1.9 getaddrinfo.c --- getaddrinfo.c 2000/02/19 16:10:12 1.9 +++ getaddrinfo.c 2000/04/06 03:50:46 @@ -108,7 +108,6 @@ }; struct explore { - int e_af; int e_socktype; int e_protocol; const char *e_protostr; @@ -119,15 +118,10 @@ }; static const struct explore explore[] = { -#ifdef INET6 - { PF_INET6, SOCK_DGRAM, IPPROTO_UDP, "udp", 0x07 }, - { PF_INET6, SOCK_STREAM, IPPROTO_TCP, "tcp", 0x07 }, - { PF_INET6, SOCK_RAW, ANY, NULL, 0x05 }, -#endif - { PF_INET, SOCK_DGRAM, IPPROTO_UDP, "udp", 0x07 }, - { PF_INET, SOCK_STREAM, IPPROTO_TCP, "tcp", 0x07 }, - { PF_INET, SOCK_RAW, ANY, NULL, 0x05 }, - { -1, 0, 0, NULL, 0 }, + { SOCK_DGRAM, IPPROTO_UDP, "udp", 0x07 }, + { SOCK_STREAM, IPPROTO_TCP, "tcp", 0x07 }, + { SOCK_RAW, ANY, NULL, 0x05 }, + { 0, 0, NULL, 0 }, }; #ifdef INET6 
@@ -136,7 +130,8 @@ #definePTON_MAX4 #endif - +extern struct hostent * _getipnodebyname_multi __P((const char *name, + int af, int flags, int *errp)); static int str_isnumber __P((const char *)); static int explore_fqdn __P((const struct addrinfo *, const char *, const char *, struct addrinfo **)); @@ -307,9 +302,7 @@ if (pai->ai_socktype != ANY && pai->ai_protocol != ANY) { int matched = 0; - for (ex = explore; ex->e_af >= 0; ex++) { - if (pai->ai_family != ex->e_af) - continue; + for (ex = explore; ex->e_socktype; ex++) { if (ex->e_socktype == ANY) continue; if (ex->e_protocol == ANY) @@ -353,10 +346,12 @@ } /* NULL hostname, or numeric hostname */ - for (ex = explore; ex->e_af >= 0; ex++) { + for (afd = afdl; afd->a_af; afd++) + { + for (ex = explore; ex->e_socktype; ex++) { *pai = ai0; - if (!MATCH_FAMILY(pai->ai_family, ex->e_af, WILD_AF(ex))) + if (!MATCH_FAMILY(pai->ai_family, afd->a_af, WILD_AF(ex))) continue; if (!MATCH(pai->ai_socktype, ex->e_socktype, WILD_SOCKTYPE(ex))) continue; @@ -364,7 +359,7 @@ continue; if (pai->ai_family == PF_UNSPEC) - pai->ai_family = ex->e_af; + pai->ai_family = afd->a_af; if (pai->ai_socktype == ANY && ex->e_socktype != ANY) pai->ai_socktype = ex->e_socktype; if (pai->ai_protocol == ANY && ex->e_protocol != ANY) @@ -381,6 +376,7 @@ while (cur && cur->ai_next) cur = cur->ai_next; } + } /* * XXX @@ -394,27 +390,12 @@ ERR(EAI_NONAME); if (hostname == NULL) ERR(EAI_NONAME); - - /* -* hostname as alphabetical name. -* we would like to prefer AF_INET6 than AF_INET, so we'll make a -* outer loop by AFs. -*/ - for (afd = afdl; afd->a_af; afd++) { - *pai = ai0; - if (!MATCH_FAMILY(pai->ai_family, afd->a_af, 1)) - continue; - - for (ex = explore; ex->e_af >= 0; ex++) { + /* hostname as alphabetical name. */ + { + for (ex = explore; ex->e_socktype; ex++) {
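Review bot: the new loop bound `ex->e_socktype` in the explore[] walks (hunks at -307, -353 and -394) makes e_socktype double as the end-of-table marker, replacing the old out-of-band `e_af = -1` terminator. The loop in the -307 hunk still tests `if (ex->e_socktype == ANY) continue;` in its body, so if ANY is 0 that test can never fire, and a future wildcard-socktype row would silently cut the table short. Terminating on an explicit element count, or on a field that cannot collide with a valid value, plus a comment on the `{ 0, 0, NULL, 0 }` row, would make the intent clear.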
Re: IPSec & ppp
> Hi,

Hi,

> I've configured my laptop to use IPSec to set up a link
> back to my office network. Every encapsulated packet
> generates an error message "cksum: out of data". The link
> works fine otherwise.
>
> I'm using AH+ESP over a normal PPP dialup link to my ISP.
> Normal internet packets do not generate this message.

By the way, how about the communication itself?

I also confirmed the same error messages in my local environment, but IPsec communication itself has no problem. I suppose there is some garbage at the end of the cksum'ed area.

I'll investigate this more.

Yoshinobu Inoue
Re: 75 second delay using telnet/ssh (ipv6 related)
> > > Sorry for the inconvenience and I'll try the fix.
> >
> > Sorry to be late, but I tried resolver fix and it seems to work.
> > This should remove such 75 seconds delay in apps which use
> > getaddrinfo().
> >
> > Please review and try this patches.
>
> I applied it and am running with it now, but I can't say one way or another
> if it has fixed the problem :-). It only cropped up every couple of
> weeks and seemingly random at that. I'll assume it works if I don't see
> it happening again.
>
> Thanks,

OK, anyway it is rather critical fix, so I think it needs some testing period.

Thanks,
Yoshinobu Inoue
Re: kernel build broken without INET6
> Patch included...

Sorry for it and thanks for the patch. I'll commit the fix.

Yoshinobu Inoue
Re: 75 second delay using telnet/ssh (ipv6 related)
> Hi,
>
> > This is kind of weird, so I want to see if anyone else has noticed
> > this or has a solution to it.
> >
> > If I use telnet or ssh (there might be more programs,
> > but I have only noticed these two so far), and supply a hostname to it,
> > my machine is constantly requesting records, and finally after
> > 75 seconds it requests and receives an A record from the nameserver.
>
> Currently, using -4 option is a workaround for the problem,
> but I think this should be fixed by a resolver change as
> discussed on this list before.
>
> The change is from,
> all trial, then all A trial,
> to
> try and A for each trial.
>
> Sorry for the inconvenience and I'll try the fix.

Sorry to be late, but I tried resolver fix and it seems to work. This should remove such 75 seconds delay in apps which use getaddrinfo().

Please review and try this patches.

Thanks,
Yoshinobu Inoue

Index: getaddrinfo.c === RCS file: /home/ncvs/src/lib/libc/net/getaddrinfo.c,v retrieving revision 1.9 diff -u -r1.9 getaddrinfo.c --- getaddrinfo.c 2000/02/19 16:10:12 1.9 +++ getaddrinfo.c 2000/04/01 20:38:03 @@ -108,7 +108,6 @@ }; struct explore { - int e_af; int e_socktype; int e_protocol; const char *e_protostr; @@ -119,15 +118,10 @@ }; static const struct explore explore[] = { -#ifdef INET6 - { PF_INET6, SOCK_DGRAM, IPPROTO_UDP, "udp", 0x07 }, - { PF_INET6, SOCK_STREAM, IPPROTO_TCP, "tcp", 0x07 }, - { PF_INET6, SOCK_RAW, ANY, NULL, 0x05 }, -#endif - { PF_INET, SOCK_DGRAM, IPPROTO_UDP, "udp", 0x07 }, - { PF_INET, SOCK_STREAM, IPPROTO_TCP, "tcp", 0x07 }, - { PF_INET, SOCK_RAW, ANY, NULL, 0x05 }, - { -1, 0, 0, NULL, 0 }, + { SOCK_DGRAM, IPPROTO_UDP, "udp", 0x07 }, + { SOCK_STREAM, IPPROTO_TCP, "tcp", 0x07 }, + { SOCK_RAW, ANY, NULL, 0x05 }, + { 0, 0, NULL, 0 }, }; #ifdef INET6 
@@ -136,7 +130,8 @@ #definePTON_MAX4 #endif - +extern struct hostent * _getipnodebyname_multi __P((const char *name, + int af, int flags, int *errp)); static int str_isnumber __P((const char *)); static int explore_fqdn __P((const struct addrinfo *, const char *, const char *, struct addrinfo **)); @@ -307,9 +302,7 @@ if (pai->ai_socktype != ANY && pai->ai_protocol != ANY) { int matched = 0; - for (ex = explore; ex->e_af >= 0; ex++) { - if (pai->ai_family != ex->e_af) - continue; + for (ex = explore; ex->e_socktype; ex++) { if (ex->e_socktype == ANY) continue; if (ex->e_protocol == ANY) @@ -353,10 +346,12 @@ } /* NULL hostname, or numeric hostname */ - for (ex = explore; ex->e_af >= 0; ex++) { + for (afd = afdl; afd->a_af; afd++) + { + for (ex = explore; ex->e_socktype; ex++) { *pai = ai0; - if (!MATCH_FAMILY(pai->ai_family, ex->e_af, WILD_AF(ex))) + if (!MATCH_FAMILY(pai->ai_family, afd->a_af, WILD_AF(ex))) continue; if (!MATCH(pai->ai_socktype, ex->e_socktype, WILD_SOCKTYPE(ex))) continue; @@ -364,7 +359,7 @@ continue; if (pai->ai_family == PF_UNSPEC) - pai->ai_family = ex->e_af; + pai->ai_family = afd->a_af; if (pai->ai_socktype == ANY && ex->e_socktype != ANY) pai->ai_socktype = ex->e_socktype; if (pai->ai_protocol == ANY && ex->e_protocol != ANY) @@ -381,6 +376,7 @@ while (cur && cur->ai_next) cur = cur->ai_next; } + } /* * XXX @@ -394,27 +390,12 @@ ERR(EAI_NONAME); if (hostname == NULL) ERR(EAI_NONAME); - - /* -* hostname as alphabetical name. -* we would like to prefer AF_INET6 than AF_INET, so we'll make a -* outer loop by AFs. -*/ - for (afd = afdl; afd->a_af; afd++) { - *pai = ai0; - if (!MATCH_FAMILY(pai->ai_family, afd->a_af, 1)) - continue; - - for (ex = explore; ex->e_af >= 0; ex++) { + /* hostname as alphabetical name. */ + { + for (ex = explore; ex->e_socktype; ex++) {
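Review bot: the `extern struct hostent * _getipnodebyname_multi __P((...))` prototype added in the -136 hunk is declared locally in getaddrinfo.c, so nothing checks it against the definition if the signature later changes; it belongs in a header that both files include. As a style point, the new outer `for (afd = afdl; afd->a_af; afd++)` loop in the -353 hunk opens its brace on a separate line and leaves the inner loop body at its old indentation, with the matching close arriving as a lone `}` in the -381 hunk, which makes the nesting hard to follow.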
Re: 'machine/param.h' required for 'sys/socket.h'
> > I created the patches.
> > It became a little bit more complicated than I expected, to
> > avoid duplicated inclusion independently in each of namespace
> > polluted part and non polluted part.
>
> Now I don't like this for a quick fix :-). It is more complicated than
> a correct fix.
>
> I think it would be OK without any anti-redefinition ifdefs. Redefinition
> is only a micro-pessimization since there are only #define's (no
> typedefs, etc.) and won't occur often since should only
> be included by , and . Reinclusion
> can be optimized in the including file using e.g. #ifndef _ALIGN in
> .

I once tried more simpler patches, but then I had a build problem at sbin/ipfw/ipfw.c.

It includes before , so is once included via but namespace non-polluted part only. Then it is re-included via , but nothing actually included due to anti-redefinition ifdefs. And build failed because the file needs namespace polluted definitions in .

This seems to be difficult issue, and some consideration in seems to be inevitable.

This time I created less complicated patches, which define namespace non-polluted macros outside of anti-redefinition ifdefs for the file. But each such namespace non-polluted macros have each anti-redefinition ifdef itself.

Yoshinobu Inoue

Index: sys/socket.h === RCS file: /home/ncvs/src/sys/sys/socket.h,v retrieving revision 1.39 diff -u -r1.39 socket.h --- sys/socket.h2000/03/11 19:51:04 1.39 +++ sys/socket.h2000/04/01 20:40:30 @@ -37,6 +37,14 @@ #ifndef _SYS_SOCKET_H_ #define_SYS_SOCKET_H_ +#ifdef _NO_NAMESPACE_POLLUTION +#include +#else +#define_NO_NAMESPACE_POLLUTION +#include +#undef _NO_NAMESPACE_POLLUTION +#endif + /* * Definitions related to sockets: types, address families, options. */ 
@@ -352,20 +360,20 @@ /* given pointer to struct cmsghdr, return pointer to data */ #defineCMSG_DATA(cmsg) ((u_char *)(cmsg) + \ -ALIGN(sizeof(struct cmsghdr))) +_ALIGN(sizeof(struct cmsghdr))) /* given pointer to struct cmsghdr, return pointer to next cmsghdr */ #defineCMSG_NXTHDR(mhdr, cmsg) \ - (((caddr_t)(cmsg) + ALIGN((cmsg)->cmsg_len) + \ - ALIGN(sizeof(struct cmsghdr)) > \ + (((caddr_t)(cmsg) + _ALIGN((cmsg)->cmsg_len) + \ + _ALIGN(sizeof(struct cmsghdr)) > \ (caddr_t)(mhdr)->msg_control + (mhdr)->msg_controllen) ? \ (struct cmsghdr *)NULL : \ - (struct cmsghdr *)((caddr_t)(cmsg) + ALIGN((cmsg)->cmsg_len))) + (struct cmsghdr *)((caddr_t)(cmsg) + _ALIGN((cmsg)->cmsg_len))) #defineCMSG_FIRSTHDR(mhdr) ((struct cmsghdr *)(mhdr)->msg_control) -#defineCMSG_SPACE(l) (ALIGN(sizeof(struct cmsghdr)) + ALIGN(l)) -#defineCMSG_LEN(l) (ALIGN(sizeof(struct cmsghdr)) + (l)) +#defineCMSG_SPACE(l) (_ALIGN(sizeof(struct cmsghdr)) + _ALIGN(l)) +#defineCMSG_LEN(l) (_ALIGN(sizeof(struct cmsghdr)) + (l)) /* "Socket"-level control message types: */ #defineSCM_RIGHTS 0x01/* access rights (array of int) */ Index: i386/include/param.h === RCS file: /home/ncvs/src/sys/i386/include/param.h,v retrieving revision 1.55 diff -u -r1.55 param.h --- i386/include/param.h2000/03/29 05:39:04 1.55 +++ i386/include/param.h2000/04/01 20:40:31 @@ -37,8 +37,17 @@ * $FreeBSD: src/sys/i386/include/param.h,v 1.55 2000/03/29 05:39:04 jlemon Exp $ */ -#ifndef _MACHINE_PARAM_H_ -#define_MACHINE_PARAM_H_ +/* + * Round p (pointer or byte index) up to a correctly-aligned value + * for all data types (int, long, ...). The result is unsigned int + * and must be cast to any desired pointer type. + */ +#ifndef _ALIGNBYTES +#define _ALIGNBYTES(sizeof(int) - 1) +#endif +#ifndef _ALIGN +#define _ALIGN(p) (((unsigned)(p) + _ALIGNBYTES) & ~_ALIGNBYTES) +#endif /* * Machine dependent constants for Intel 386. 
@@ -46,12 +55,21 @@ #ifndef _MACHINE #define_MACHINEi386 #endif -#ifndef MACHINE -#define MACHINE"i386" -#endif #ifndef _MACHINE_ARCH #define_MACHINE_ARCH i386 #endif + +#ifndef _NO_NAMESPACE_POLLUTION + +#ifndef _MACHINE_PARAM_H_ +#define_MACHINE_PARAM_H_ + +/* + * Machine dependent constants for Intel 386. + */ +#ifndef MACHINE +#define MACHINE"i386" +#endif #ifndef MACHINE_ARCH #defineMACHINE_ARCH"i386" #endif @@ -70,13 +88,8 @@ #define NCPUS 1 #endif -/* - * Round p (pointer or byte index) up to a correctly-aligned value - * for all data types (int, long, ...). The result is unsigned
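Review bot: the socket.h hunk at -352 switches CMSG_DATA, CMSG_NXTHDR, CMSG_SPACE and CMSG_LEN to `_ALIGN()`, but the only definition visible in this patch is in i386/include/param.h; every other architecture's machine/param.h needs the same `_ALIGNBYTES`/`_ALIGN` block, or users of the CMSG_*() macros will fail to build there. In the param.h hunk at -37, the per-macro `#ifndef _ALIGN` guard also silently accepts a different earlier definition instead of flagging the conflict, and the "Machine dependent constants for Intel 386." comment now appears twice in the file.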
Re: 'machine/param.h' required for 'sys/socket.h'
> > sys/socket.h:
> > #ifdef _NO_NAME_SPACE_POLLUTION
> > #include
> > #else
> > #define _NO_NAME_SPACE_POLLUTION
> > #include
> > #undef _NO_NAME_SPACE_POLLUTION
> > #endif
>
> I like this for a quick fix. Only define _ALIGN() like the current
> ALIGN(). Don't define all the variants given in your previous mail.

I created the patches. It became a little bit more complicated than I expected, to avoid duplicated inclusion independently in each of namespace polluted part and non polluted part.

Please give me comments if any.

Thanks,
Yoshinobu Inoue

Index: sys/socket.h === RCS file: /home/ncvs/src/sys/sys/socket.h,v retrieving revision 1.39 diff -u -r1.39 socket.h --- sys/socket.h2000/03/11 19:51:04 1.39 +++ sys/socket.h2000/03/28 12:02:12 @@ -37,6 +37,14 @@ #ifndef _SYS_SOCKET_H_ #define_SYS_SOCKET_H_ +#ifdef _NO_NAMESPACE_POLLUTION +#include +#else +#define_NO_NAMESPACE_POLLUTION +#include +#undef _NO_NAMESPACE_POLLUTION +#endif + /* * Definitions related to sockets: types, address families, options. */ Index: i386/include/param.h === RCS file: /home/ncvs/src/sys/i386/include/param.h,v retrieving revision 1.54 diff -u -r1.54 param.h --- i386/include/param.h1999/12/11 10:54:06 1.54 +++ i386/include/param.h2000/03/28 12:02:13 @@ -37,8 +37,16 @@ * $FreeBSD: src/sys/i386/include/param.h,v 1.54 1999/12/11 10:54:06 peter Exp $ */ -#ifndef _MACHINE_PARAM_H_ -#define_MACHINE_PARAM_H_ +#ifndef _MACHINE_PARAM_H_NO_NAMESPACE_POLLUTION +#define_MACHINE_PARAM_H_NO_NAMESPACE_POLLUTION + +/* + * Round p (pointer or byte index) up to a correctly-aligned value + * for all data types (int, long, ...). The result is unsigned int + * and must be cast to any desired pointer type. + */ +#define _ALIGNBYTES(sizeof(int) - 1) +#define _ALIGN(p) (((unsigned)(p) + _ALIGNBYTES) & ~_ALIGNBYTES) /* * Machine dependent constants for Intel 386. 
@@ -46,12 +54,23 @@ #ifndef _MACHINE #define_MACHINEi386 #endif -#ifndef MACHINE -#define MACHINE"i386" -#endif #ifndef _MACHINE_ARCH #define_MACHINE_ARCH i386 #endif + +#endif /* !_MACHINE_PARAM_H_NO_NAMESPACE_POLLUTION */ + +#ifndef _NO_NAMESPACE_POLLUTION + +#ifndef _MACHINE_PARAM_H_ +#define_MACHINE_PARAM_H_ + +/* + * Machine dependent constants for Intel 386. + */ +#ifndef MACHINE +#define MACHINE"i386" +#endif #ifndef MACHINE_ARCH #defineMACHINE_ARCH"i386" #endif @@ -70,13 +89,8 @@ #define NCPUS 1 #endif -/* - * Round p (pointer or byte index) up to a correctly-aligned value - * for all data types (int, long, ...). The result is unsigned int - * and must be cast to any desired pointer type. - */ -#define ALIGNBYTES (sizeof(int) - 1) -#define ALIGN(p) (((unsigned)(p) + ALIGNBYTES) & ~ALIGNBYTES) +#define ALIGNBYTES _ALIGNBYTES +#define ALIGN(p) _ALIGN(p) #define PAGE_SHIFT 12 /* LOG2(PAGE_SIZE) */ #define PAGE_SIZE (1<
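Review bot: `_NO_NAMESPACE_POLLUTION` and the second include guard `_MACHINE_PARAM_H_NO_NAMESPACE_POLLUTION` are introduced in the socket.h and param.h hunks without any comment stating the contract, namely that everything above `#ifndef _NO_NAMESPACE_POLLUTION` in param.h may define only underscore-prefixed names because sys/socket.h now pulls that part in. A block comment at the top of param.h saying so would stop a later edit from adding a polluting name to the shared section. The `#define ALIGNBYTES _ALIGNBYTES` and `#define ALIGN(p) _ALIGN(p)` aliases in the last hunk are a good way to keep one definition.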
Re: libl.a in libipsec
> > It seems to me (and my buildworld agree with this)
> > that 'liby' is also not necessary for building of 'libipsec'.
>
> liby is used. Linking to the static version of it isn't good.
> I think it results in functions from liby.a being included in
> libipsec.so. Since liby.a isn't compiled with -fpic, it's not
> clear how this can work. I think the linker prints RRS warnings
> when it doesn't work. I haven't seen those, so maybe it does
> work.
>
> Bruce

In the build after the trial change of removing liby dependency from libipsec Makefile, mysteriously libipsec is not built as if it is just neglected, and buildworld continues. :-\

Yoshinobu Inoue
Re: libl.a in libipsec
> > Thanks, after removing libl related dependency from libipsec
> > Makefile, buildworld just passed libipsec part.
> > libl.a was not used in the first place. :-<
> >
> > I'll commit the fix.
>
> It seems to me (and my buildworld agree with this)
> that 'liby' is also not necessary for building of 'libipsec'.
>
> N.Dudorov

I'll also commit that change after one more check.

Thanks,
Yoshinobu Inoue
Re: libl.a in libipsec
> > I am checking it now, but not yet clear why it happens. In
> > old environments, libl.a seemed to be already installed at
> > that time, but now it doesn't exist at libipsec build time.
>
> libl.a isn't necessary for libipsec building at all.
> The error now is the result of adding ${LIBL} to DPADD by bde
> in the ver 1.3 of the Makefile in the src/lib/libipsec.
>
> N.Dudorov

Thanks, after removing libl related dependency from libipsec Makefile, buildworld just passed libipsec part. libl.a was not used in the first place. :-<

I'll commit the fix.

Yoshinobu Inoue
Re: buildworld failure
> I had the same build failure. There is a suggestion to fix the build
> failure in cvs messages. Is that the way to solve it?

I am trying buildworld again with no libl in libipsec Makefile, as previous Dimitar's message. If it is OK (and will be OK), I'll commit the fix.

Yoshinobu Inoue
Re: libl.a in libipsec
> These days I've cvsup-ed to current and start to 'make world' from my
> 3.4 RELEASE. Everything was ok, till making /usr/src/lib/libipsec where some
> dependencies of /usr/src/lib/libl.a was not found? Any ideas?

I am checking it now, but not yet clear why it happens. In old environments, libl.a seemed to be already installed at that time, but now it doesn't exist at libipsec build time.

Yoshinobu Inoue
Re: buildworld failure
> Any idea?
>
> -
> INET6 -I/usr/obj/usr/src/i386/usr/include -c policy_token.c -o
> policy_token.So
> cc -fpic -DPIC -O -pipe -I/usr/obj/usr/src/lib/libipsec -DIPSEC_DEBUG
> -DIPSEC -D
> INET6 -I/usr/obj/usr/src/i386/usr/include -c
> /usr/src/lib/libipsec/ipsec_dump_po
> licy.c -o ipsec_dump_policy.So
> cc -fpic -DPIC -O -pipe -I/usr/obj/usr/src/lib/libipsec -DIPSEC_DEBUG
> -DIPSEC -D
> INET6 -I/usr/obj/usr/src/i386/usr/include -c
> /usr/src/lib/libipsec/ipsec_get_pol
> icylen.c -o ipsec_get_policylen.So
> cc -fpic -DPIC -O -pipe -I/usr/obj/usr/src/lib/libipsec -DIPSEC_DEBUG
> -DIPSEC -D
> INET6 -I/usr/obj/usr/src/i386/usr/include -c
> /usr/src/lib/libipsec/../../sys/net
> key/key_debug.c -o key_debug.So
> make: don't know how to make /usr/obj/usr/src/i386/usr/lib/libl.a. Stop
> *** Error code 2

What is your src/lib/libipsec/Makefile version? It might have been fixed by recent commit from bde which adds define of DPADD.

(Sorry I can't check it by myself now, because I can't update my local source from repository from yesterday, due to several issues.)

Yoshinobu Inoue
Re: 'machine/param.h' required for 'sys/socket.h'
> > > Instead, CMSG* should use _ALIGN() and _ALIGN() should be implemented
> > > somewhere that doesn't add any namespace pollution. We currently
> > > use for things like this, but it is already too
> > > overloaded.
>
> > OK, then how about creating machine/align.h?
>
> That approach in general would give too many headers.
>
> is more wrongly loaded than overloaded. It is used
> to avoid certain namespace problems in general, not just ones in ANSI
> headers. It is mainly used to avoid namespace problems with typedefs.
> Typedefs should all be handled in , but currently
> aren't because would give namespace pollution in
> ANSI headers. I think headers like and
> should define only names in the implementation namespace, so that they
> can be used in standard headers. The standard headers then export
> precisely the names specified by the applicable standard, if any.

Then, how about defining a macro which specifies name space polluted part, for short term solution.

machine/param.h:
    #ifdef _NO_NAME_SPACE_POLLUTION
    #define _ALIGN(x) ..
    #else
    #endif

sys/socket.h:
    #ifdef _NO_NAME_SPACE_POLLUTION
    #include
    #else
    #define _NO_NAME_SPACE_POLLUTION
    #include
    #undef _NO_NAME_SPACE_POLLUTION
    #endif

The macro might be also handy for fixing each of apps which depends on current machine/param.h and machine/types.h one by one. It can be specified for each apps, each dir, or in make.conf.

When all apps are fixed, then the macro and name space polluted part in machine/param.h and machine/types.h can be removed.

Or am I still too optimistic?

Yoshinobu Inoue
Re: 'machine/param.h' required for 'sys/socket.h'
> > So I think machine/param.h should be included from
> > sys/socket.h for more portability.
>
> can't be included in any standard header
> (except in ) because it gives massive, undocumented
> namespace pollution. The macro `MACHINE' is especially likely
> to conflict with an application macro.

Thanks again for your advice (and sorry for my ignorance).

> Instead, CMSG* should use _ALIGN() and _ALIGN() should be implemented
> somewhere that doesn't add any namespace pollution. We currently
> use for things like this, but it is already too
> overloaded.
>
> Bruce

OK, then how about creating machine/align.h?

Yoshinobu Inoue
Re: 'machine/param.h' required for 'sys/socket.h'
> Arrgh. Now it seems I might need to reverse my position. I looked
> through some code fragments in UNIX Network Programming (Volume 1,
> Second Edition, pp. 362-365), and there's some precedent for needing
> with the CMSG*() macros.
>
> On the other hand, RFC 2292 and draft-ietf-ipngwg-rfc2292bis (the
> references I was originally working from) don't mention this requirement
> at all; they just say that CMSG*() are defined with . I'm
> slightly confused by now.
>
> I'm going to send off a note to the authors of
> draft-ietf-ipngwg-rfc229bis asking for some clarification. In the
> meantime, maybe we should hold off on doing any changes.
>
> Bruce.

There seems to be no message from bmah related to this, so I now add a follow-up here.

The authors' reply is that,

>The X/Open (as well as POSIX I think) man pages for sendmsg()
>only list socket.h as an include file.
>The old BSD man pages list both param.h and socket.h.

And, from `man sendmsg` on FreeBSD, only,

>SYNOPSIS
> #include
> #include

are required.

So I think machine/param.h should be included from sys/socket.h for more portability. It is my fault and sorry for bmah and possibly other ports maintainers. I'll also create an ERRATA entry for this. And I'll fix it on current and stable tree.

I checked the following patch on 5.0 and make world was OK. I'll commit this, so if param.h inclusion related problem happens for any of ports, please let me know.

Thanks,
Yoshinobu Inoue

=== RCS file: /home/ncvs/src/sys/sys/socket.h,v retrieving revision 1.39 diff -u -r1.39 socket.h --- socket.h2000/03/11 19:51:04 1.39 +++ socket.h2000/03/25 10:13:45 @@ -37,6 +37,9 @@ #ifndef _SYS_SOCKET_H_ #define_SYS_SOCKET_H_ +/* for ALIGN() */ +#include + /* * Definitions related to sockets: types, address families, options. */
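Review bot: the include added at the top of socket.h is unconditional, while its own comment says it is there only `for ALIGN()`; every file that includes sys/socket.h now also receives whatever else that header defines. Expose just the alignment macro under an implementation-reserved name instead, or at minimum extend the comment to say that the include widens the namespace seen by all socket.h users.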
Re: -current, ep and fragment problems.
> Also I tried to set mtu 1200 to my fxp, and login other
> machines with mtu 1500, and did `ls -lR /`, and also there
> seems to be no problem.

Woops, this latter check was meaningless for checking fragments. No fragments were happening due to tcp mss negotiation and path mtu discovery.

Yoshinobu Inoue
Re: -current, ep and fragment problems.
> [cc:'d shin]

:-)

I have only fxp and fe for 4.0/5.0 machines at my work place, but I have a 4.0 machine with ep at my home. I think I can test it tonight if it also happens in my environment.

As far as I confirmed it here, many pinging with -s 1600 won't make any problems between my 3.x/4.0/5.0 machines with fxp/fe.

Also I tried to set mtu 1200 to my fxp, and login other machines with mtu 1500, and did `ls -lR /`, and also there seems to be no problem.

Cheers,
Yoshinobu Inoue
Re: -current sudden panics :(
> : This problem should now be fixed, it's probably the problem I just fixed
> : a moment ago in netinet/if_ether.c based on a thread in -hackers. The
> : m_pullup() NULL check in arpintr() was broken, resulting in a NULL
> : pointer dereference.
>
> inoue-san's patch survived the night. I'll check into your patch and
> give it a try instead.

My patch is just a workaround to avoid m_pullup() when it is not necessary, and his fix seems to be the real one for the problem.

But I think my patch to if_rl.c is also better to be applied for performance reason.

Cheers,
Yoshinobu Inoue
Re: -current sudden panics :(
Hi,

> : This is driver for ed(ne2000) cards. I have realtek(rl driver). I took a
> : look at his source and didn't find such strings. There is comment there
> : about cutting off mbuf header before passing it to ether_input - what's
> : this?
>
> I applied a similar patch to the end of the rl packet handling
> routine. It didn't solve my arp crashes, however. It is almost as
> if sometimes the rl driver passes a packet to ether_input and then
> does bad things to it behind the scenes... I've not had a lot of time
> to try to track down why this does what it does.
>
> Warner

I would like to narrow down the problem more and could you please try if this patch stop the problem or not?

(The m_pullup() is recently added to if_rl.c. It should not be harmful, but I suspect that this might have invoked another hidden bug.)

Yoshinobu Inoue

Index: if_rl.c === RCS file: /home/ncvs/src/sys/pci/if_rl.c,v retrieving revision 1.38 diff -u -r1.38 if_rl.c --- if_rl.c 1999/12/28 06:04:29 1.38 +++ if_rl.c 2000/03/23 01:35:02 @@ -1130,7 +1130,8 @@ m_adj(m, RL_ETHER_ALIGN); m_copyback(m, wrap, total_len - wrap, sc->rl_cdata.rl_rx_buf); - m = m_pullup(m, sizeof(struct ether_header)); + if (m->m_len < sizeof(struct ether_header)) + m = m_pullup(m, sizeof(struct ether_header)); if (m == NULL) { printf("rl%d: m_pullup failed", sc->rl_unit);
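Review bot: the new `if (m->m_len < sizeof(struct ether_header))` guard in the -1130 hunk carries no comment, so it reads as a plain optimisation rather than the diagnostic workaround the mail describes; add a short comment saying m_pullup() is skipped when the Ethernet header is already contiguous, and why. The unchanged `printf("rl%d: m_pullup failed", sc->rl_unit);` just below it also lacks a trailing newline, which will run the message into the next console line.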
Re: -current sudden panics :(
> > -Any kernel crash dump?
> Can you tell me ddb command to make a kernel dump?

-Please confirm that your /var/crash has enough size for your machine's memory.

-Please check your swap device using "swapinfo" etc. In case of my machine,

    % swapinfo
    Device 1K-blocks UsedAvail Capacity Type
    /dev/wd0s2b26214475612 18640429%Interleaved

-Please specify it as dumpdev in your /etc/rc.conf

    dumpdev="/dev/wd0s2b"

Then at the reboot after a panic, crash dump will be written to files under /var/crash/.

Cheers,
Yoshinobu Inoue
Re: -current sudden panics :(
> > The driver for his card does not set packet header pointer, thus
> > arp stuff see NULL pointer. small patch will cure this problem
> > (at least I hope so).
> >
> > *** if_ed.c.old Tue Mar 21 19:21:40 2000 > > --- if_ed.c Tue Mar 21 19:23:27 2000 > > *** > > *** 2728,2733 > > --- 2728,2734 > > */ > > m->m_pkthdr.len = m->m_len = len - sizeof(struct ether_header); > > m->m_data += sizeof(struct ether_header); > > + m->m_pkthdr.header = (void *)eh; > > > > ether_input(&sc->arpcom.ac_if, eh, m); > > return;
> This is driver for ed(ne2000) cards. I have realtek(rl driver). I took a
> look at his source and didn't find such strings. There is comment there
> about cutting off mbuf header before passing it to ether_input - what's
> this?

I think this fix is only necessary for token-ring case (as he says in his following mail), and not related to ethernet.

Yoshinobu Inoue
Re: 'machine/param.h' required for 'sys/socket.h'
> > I feel requesting inclusion of machine/param.h for any apps > > which use socket is better. But if there are any other smarter > > solution, please let me know and I'll appreciate it much. > > should never be included by applications since > it is an implementation detail. > > Specify including in apps which use the CMSG*() macros. > doesn't depend on <*/param.h> unless these macros are used. > Since these macros are undocumented, applications that use them should > expect problems :-). > > Bruce After reading bmah's message, now I am inclined to including machine/param.h from sys/socket.h for maximum portability, if there is no spec for it, and if all other platforms doing it. Of course, I think enough testing for it is necessary. I can test make world for it. And if it is OK, then I think it should be once just committed and checked if any other ports build problem happens for it, or any other person claim another problem. Any more comments for this approach? Yoshinobu Inoue To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: -current sudden panics :(
> > -What is your LAN card? Woops, I often do a needless query. That should be using rl driver as the kernel log. > The driver for his card does not set packet header pointer, thus > arp stuff see NULL pointer. small patch will cure this problem > (at least I hope so). > > *** if_ed.c.old Tue Mar 21 19:21:40 2000 > --- if_ed.c Tue Mar 21 19:23:27 2000 > *** > *** 2728,2733 > --- 2728,2734 >*/ > m->m_pkthdr.len = m->m_len = len - sizeof(struct ether_header); > m->m_data += sizeof(struct ether_header); > + m->m_pkthdr.header = (void *)eh; > > ether_input(&sc->arpcom.ac_if, eh, m); > return; But shouldn't it be sys/pci/if_rl.c ? Yoshinobu Inoue To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: 'machine/param.h' required for 'sys/socket.h'
Hello,

> 'sys/socket.h' header file start using ALIGN macro
> defined in 'machine/param.h' header file while the man page
> for "socket" only mentioned 'sys/types.h' as the prerequisite
> for 'sys/socket.h'.
>
> As a result the 'net/pchar' port is now broken.

Yes, this problem is already found by Bruce A. Mah and some mail is exchanged between related people.

> What must be done to solve this ?
> Is it possible to '#include ' in 'sys/socket.h' OR
> the man page must be corrected to explicitly state 'param.h'
> (sys/ or machine/ ?) as the prerequisite to 'sys/socket.h' and
> all the programs using it patched accordingly ?

As itojun's experience, including machine/param.h in socket.h also causes problems in some other apps.

I feel requesting inclusion of machine/param.h for any apps which use socket is better. But if there are any other smarter solution, please let me know and I'll appreciate it much.

Thanks, Yoshinobu Inoue
Re: -current sudden panics :(
Hello,

> Fatal 12 trap: page fault while in kernel mode
> fault virtual address = 0x8
> fault code = supervisor read, page not present
> instruction pointer = 0x8:0xc01843fc
> stack pointer = 0x10:0xc026bd64
> frame pointer = 0x10:0xc026bd64
> code segment = base 0x0, limit 0xf, type 0x1b
> = DPL 0, pres 1, def32 1, gran 1
> processor eflags = interrupt enabled, resume, IOPL = 0
> current process = Idle
> interrupt mask =
> kernel: type 12 trap, code=0
> Stopped at arpintr+0x9c: movl 0x8(%ebx),%ecx
>
> trace gave this:
> arpint(c022537b,0,10,10,c0220010) at arpintr+0x9c
> swi_net_next() at awi_net_next
>
> I'm sending kernel config and dmesg in the attachment. I have INET6 there,
> but it is not configured by ifconfig.
>
> What's this and how can i avoid this panics?

Do you have any other hints for the problem?, because at least I couldn't reproduce it in my 4.0 and 5.0 machines.

-Any kernel crash dump?
-Is there any typical situation or condition where the problem happens?
-What is your LAN card?

Thanks, Yoshinobu Inoue
Re: 75 second delay using telnet/ssh (ipv6 related)
> Hi. Hi, > This is kind of weird, so I want to see if anyone else has noticed > this or has a solution to it. > > If I use telnet or ssh (there might be more programs, > but I have only noticed these two so far), and supply a hostname to it, > my machine is constantly requesting records, and finally after > 75 seconds it requests and receives an A record from the nameserver. Currently, using -4 option is a workaround for the problem, but I think this should be fixed by a resolver change as discussed on this list before. The change is from, all trial, then all A trial, to try and A for each trial. Sorry for the inconvenience and I'll try the fix. Yoshinobu Inoue To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: IPv6 setup...
> > echo 24.113.25.85 | sed -e s/"\."/" "/g | awk '{$5 = $1*256 + $2; $6 = $3*256 + $4; printf "2002:%x:%x:\n", $5, $6}'
>
> Or, without only one extra process:
>
> myaddr=24.113.25.85
> OIFS="$IFS"
> IFS=".$IFS"
> set $myaddr
> IFS="$OIFS"
> printf "2002:%x:%x:\n" $(($1 * 256 + $2)) $(($3 * 256 + $4))
>
> -GAWollman

It's fine. I'll also use it in /etc/rc.network6.

Thanks, Yoshinobu Inoue
Re: IPv6 setup...
> > echo 24.113.25.85 | sed -e s/"\."/" "/g | awk '{$5 = $1*256 + $2; $6 = $3*256 + $4; printf "2002:%x:%x:\n", $5, $6}'
> >
> >Then it will print out first 6byte for your 6to4 prefix.
>
> just checking. from code inspection on cvsweb,
> - rc.network6 is called before performing nfs mounts.

I think this needs to be done before nfs mount, because nfs might also use IPv6 in the future.

> - awk and sed are in /usr
> so the above sentence disallows NFS-mounted /usr. is it really okay
> to do?

Wmmm, on the first place, all of gifconfig, rtadvd, route6d, pim6dd, pim6sd, are already under /usr

This issue needs to be resolved, but I think it can't be done before 4.0. Maybe this becomes a known problem for 4.0?,

Yoshinobu Inoue
Re: IPv6 setup...
> > (Now I am confirming a new rc.conf entry which automate above
> > IPv6 prefix calculation, and etc, for 6to4 interface configuration.)

As I also said in my previous mail with this subject, this is committed. If anyone is interested, please try it.

If you have IPv4 1.2.3.4 for your 6to4 interface, and if you add following entry, and reboot,

stf_interface_ipv4addr="1.2.3.4"

then your stf(6to4) interface will be automatically configured.

Now 7th and 8th octet value (Site Level Aggregator) for the prefix of stf interface is set to 0 by default. To change them, please add

stf_interface_ipv6_slaid=""

and change the value between and as you like.

Also interface id of stf 6to4 IPv6 addr is set to 0:0:0:1 by default. To change them, please add

stf_interface_ipv6_ifid="0:0:0:1"

and change the value. If you want it to be automatically set to something like used for your other interface's IPv6 link local addr, then please choose AUTO, like below.

stf_interface_ipv6_ifid="AUTO"

Also, the prefixlen of stf interface can be set to longer than 16, to limit the remote site to some extent of IPv4 address scope. It can be changed by adding following entry,

stf_interface_ipv4plen="0"

and change the value between 0 to 31.

> Nice. You have been doing a great job.

You are welcome. :-) And also much part of acknowledgments should go to other KAME members, testers and patches contributor for FreeBSD project and KAME project.

Cheers, Yoshinobu Inoue
Re: IPv6 setup...
> OK,
> What is the correct one??
>
> How do I calculate the IP from IPv6, what is the formula?
> oh The IPv4 I want to use is 24.113.25.85 and 24.113.130.83

Are you trying to do multihoming? Then things might be more complicated. Let's forget the 2nd IPv4 addr for simplicity, now.

If your addr is 24.113.25.85, and you have updated your source, and your /etc dir, then I think you can setup your 6to4 interface by specifying rc.conf entry. If following entry is added to /etc/rc.conf, and system rebooted,

stf_interface_ipv4addr="24.113.25.85"

then I expect your stf interface to be correctly setup. The result and the 6to4 prefix can be checked by "ifconfig stf0".

And if you want to check 6to4 prefix for some IPv4 addr without doing 6to4 interface configuration, please try following command.

echo 24.113.25.85 | sed -e s/"\."/" "/g | awk '{$5 = $1*256 + $2; $6 = $3*256 + $4; printf "2002:%x:%x:\n", $5, $6}'

Then it will print out first 6byte for your 6to4 prefix.

And then let's talk about 2 IPv4 addr issue. Do you want to setup 2 6to4 interface on same host? Unfortunately, current implementation doesn't support it.

If you have 2 separate machine, then each host can setup 6to4 interface. But there will be another general multihoming issue.

-Which 6to4 interface should be chosen for outgoing connection, from your site to outside.
-Which source addr (source prefix) should be chosen for outgoing connection. (because there will be 2 different 6to4 prefixes.)
-Which internal routes should be announced to which interface. (because there will be 2 different 6to4 prefix routes.)
-Do packets for a connection traverse same 6to4 interface for outgoing case and incoming case?

etc.

Cheers, Yoshinobu Inoue
Re: IPv6 setup...
> > > So my IPv4 address is 24.113.130.83 that in IPv6 would be
> > > 2002:240:113:130:083 ??
> >
> > No, no, because IPv6 address is printed in hex format each
> > 2bytes separated by colon, so the 1st 6bytes will be,
> >
> > 2002:1871:8253:
>
> Shouldn't this be 2002:e071:8253: instead?

Ah, if real IPv4 addr is 240:113:130:083, then I think it will be,

2002:f071:8253:

(Now I am confirming a new rc.conf entry which automate above IPv6 prefix calculation, and etc, for 6to4 interface configuration.)

Cheers, Yoshinobu Inoue
Re: IPv6 setup...
Hi,

> So my IPv4 address is 24.113.130.83 that in IPv6 would be
> 2002:240:113:130:083 ??

No, no, because IPv6 address is printed in hex format each 2bytes separated by colon, so the 1st 6bytes will be,

2002:1871:8253:

and if printed in full 16bytes,

2002:1871:8253:-::::/64

is the prefixes you can use in your site. You can assign each prefixes,

2002:1871:8253:::, 2002:1871:8253:0001::, 2002:1871:8253:::,,,etc,

onto your site's subnets.

I just imported a man for "stf" interfaces into src/share/man/man4. So if you update it, then I think you can also refer "man 4 stf".

Cheers, Yoshinobu Inoue
Re: IPv6 setup...
> I believe I'm looking for a public IPv6 address to use for testing
> purposes. So where/what addresses can I use is my question.
> then how I integrate that into my setup.
>
> Hope that makes the question more clearer.
> Thanks

OK, then I think you should try 6to4 addr. The format is like below.

2002    your IPv4 addr    site prefix    interface ID
2byte   4byte             2byte          8byte

You need to choose one of your own IPv4 addr which is reachable from internet. Site prefix part is 2byte. This means you can have 65535 IPv6 subnets.

If your IPv4 address is 1.2.3.4, then your IPv6 address blocks will be,

2002:0102:0304:-::/64

Then you can assign each IPv6 prefix to each of your subnets, like

prefix ed0 2002:0102:0304:::
prefix ed1 2002:0102:0304:0001::
etc...

And you need to setup 6to4 outer interface on the router which is reachable from internet. That is just committed yesterday, so you need to cvs update your source, and rebuild your kernel.

The necessary procedure is below. (I suppose your IPv4 addr is 1.2.3.4)

gifconfig stf0 1.2.3.4 255.255.255.255
ifconfig stf0 inet6 2002:0102:0304::1 -prefix 16

I think you should setup ip6fw entries for "stf0" interface for security reasons.

About more details for 6to4, please check draft-ietf-ngtrans-6to4-0x.txt

Cheers, Yoshinobu Inoue
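The address layout in the message above (2002, the 4-byte IPv4 address, a 2-byte site prefix, an 8-byte interface ID) can be built and reversed in plain sh. This is an added example, not code from the thread or from FreeBSD's rc.network6; the function names are hypothetical, and the last check is an assumption derived from the requirement that the IPv4 address be reachable from the Internet.

```shell
#!/bin/sh
# Added example (not from the thread): build and take apart 6to4 addresses,
# laid out as 2002 : 4-byte IPv4 : 2-byte SLA ID : 8-byte interface ID.
# All function names are hypothetical.

# valid_ipv4 A.B.C.D -> status 0 for four decimal octets in 0..255.
# Leading zeros are refused so "083" is never read as octal.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _oifs=$IFS; IFS=.
    set -- $1
    IFS=$_oifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in 0?*|????*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
}

# sixto4_addr IPV4 [SLA_ID [IFID]] -> prints the address for the stf interface.
# Defaults follow the thread: SLA ID 0, interface ID 0:0:0:1.
sixto4_addr() {
    valid_ipv4 "$1" || return 1
    _sla=${2:-0}; _ifid=${3:-0:0:0:1}
    case "$_sla" in *[!0-9a-fA-F]*|?????*) return 1 ;; esac
    case "$_ifid" in *[!0-9a-fA-F:]*) return 1 ;; esac
    _oifs=$IFS; IFS=.
    set -- $1
    IFS=$_oifs
    printf '2002:%x:%x:%s:%s\n' \
        $(($1 * 256 + $2)) $(($3 * 256 + $4)) "$_sla" "$_ifid"
}

# sixto4_v4 ADDR -> prints the IPv4 address embedded in a 2002::/16 address
# (the bytes the patch's GET_V4 macro reads); fails for any other address.
sixto4_v4() {
    _a=$1
    case "$_a" in
        ""|*[!0-9a-fA-F:]*|*:::*|*::*::*|:[!:]*|*[!:]:) return 1 ;;
    esac
    case "$_a" in
        *::*)   # expand the "::" run into explicit zero groups
            _head=${_a%%::*}; _tail=${_a#*::}; _n=0
            _oifs=$IFS; IFS=:
            for _g in $_head $_tail; do _n=$((_n + 1)); done
            IFS=$_oifs
            [ "$_n" -lt 8 ] || return 1
            _fill=
            while [ "$_n" -lt 8 ]; do _fill="$_fill:0"; _n=$((_n + 1)); done
            _a="$_head$_fill${_tail:+:$_tail}" ;;
    esac
    _oifs=$IFS; IFS=:
    set -- $_a
    IFS=$_oifs
    [ $# -eq 8 ] && [ "$1" = 2002 ] || return 1
    for _g in "$2" "$3"; do
        case "$_g" in ""|?????*) return 1 ;; esac
    done
    _hi=$((0x$2)); _lo=$((0x$3))
    printf '%d.%d.%d.%d\n' \
        $((_hi / 256)) $((_hi % 256)) $((_lo / 256)) $((_lo % 256))
}

# sixto4_endpoint_usable ADDR -> status 0 only when the embedded IPv4 address
# could be reachable from the Internet: not unspecified, private, loopback,
# link-local, multicast or reserved. (Assumed check, see lead-in.)
sixto4_endpoint_usable() {
    _v4=$(sixto4_v4 "$1") || return 1
    _oifs=$IFS; IFS=.
    set -- $_v4
    IFS=$_oifs
    case "$1" in 0|10|127) return 1 ;; esac
    [ "$1" -lt 224 ] || return 1
    if [ "$1" -eq 169 ] && [ "$2" -eq 254 ]; then return 1; fi
    if [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then return 1; fi
    if [ "$1" -eq 192 ] && [ "$2" -eq 168 ]; then return 1; fi
    return 0
}
```

Running `sixto4_addr 24.113.130.83` prints the address with the 2002:1871:8253 prefix worked out by hand in the thread.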
Re: netstat output for inet6
> > And sorry, it is not added to netstat man yet. > > I see you've just commited a change there, but I think it needs adding to > the usage message as well: > > ben@platinum:~$ netstat -\? > netstat: illegal option -- ? > usage: netstat [-Aan] [-f address_family] [-M core] [-N system] >netstat [-abdghimnrs] [-f address_family] [-M core] [-N system] >netstat [-bdn] [-I interface] [-M core] [-N system] [-w wait] >netstat [-M core] [-N system] [-p protocol] I see. I'll try to request permission to fix it. Thanks, Yoshinobu Inoue To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: netstat output for inet6
> Is there any way to see the full IPv6 address with netstat? I just see:
>
> ben@strontium:~$ netstat -an -f inet6
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q Local Address Foreign Address (state)
> tcp6 0 0 2002:d4e4:e0d:0:.989 2002:d4e4:e0d:0:.22 ESTABLISHED
> ...

Please add "-l" flag. And sorry, it is not added to netstat man yet.

Yoshinobu Inoue
Re: IPv6: can a link-site (or global) address be configured inrc.conf?
>> And here is the patches. > >The last patches should work but I found a improvement related >to coexistence with gif, so this is the updated patches. > > I applied a variant of your patch to my NetBSD/i386 -currentish box that > also uses the KAME stack and was able to ping6 your 6to4 address. That is fine. :-) However, my patches are temporal hack for FreeBSD4.0. KAME code is changing tunnel interface implementations more generally, so I think different fixes and support for 6to4 will be introduced eventually. Cheers, Yoshinobu Inoue To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: IPv6 setup...
> How/Where is the setup for the IPv6?
>
> Shaun

If you have recent tree or FreeBSD4.0 RC3, then there will be IPv6 specific configuration examples in /etc/defaults/rc.conf. The lines which start from "ipv6_..." are them.

At least you need to set ipv6_enable to YES. You need to add the following line into /etc/rc.conf.

ipv6_enable="YES"

If you want to use your machine as IPv6 router, then you need to assign your interfaces IPv6 prefix (like IPv4 subnet). Typical configurations will be,

ipv6_gateway_enable="YES"   # Set to YES if this host will be a gateway.
ipv6_router_enable="YES"    # Set to YES to enable an IPv6 routing daemon.
ipv6_router_flags="-l"      # Flags to IPv6 routing daemon.

Also, if your router has ed0 and ep0, and you want to assign IPv6 site local prefixes fec0:::0001::/64 and fec0:::0003::/64, then following additions will be enough.

ipv6_network_interfaces="ed0 ep0"
ipv6_prefix_ed0=fec0:0000::0001
ipv6_prefix_ep0=fec0:::0003

Cheers, Yoshinobu Inoue
Re: IPv6: can a link-site (or global) address be configured inrc.conf?
> > > I tried deleting the 6to4 address from an interface on the > > > interior node and did a ping6, but I get no replies (I think > > > you have to configure the route on your end first?). > > > > Yes, I have configured it, so it should work now. > > Yes, it does. It all looks good. > > PING6(56=40+8+8 bytes) c000::2a0:c9ff:feb1:23ae --> >3ffe:501:4819:2000:210:5aff:fe86:b65a > 16 bytes from 3ffe:501:4819:2000:210:5aff:fe86:b65a, icmp_seq=0 hlim=63 time=452.312 >ms > 16 bytes from 3ffe:501:4819:2000:210:5aff:fe86:b65a, icmp_seq=1 hlim=63 time=361.945 >ms Much thanks for your help! :-) Yoshinobu Inoue To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: IPv6: can a link-site (or global) address be configured inrc.conf?
> > By the way, I'm now very much interested in next round of > > test, that non 6to4 IPv6 prefix routing via 6to4 cloud. > > > > Could you please assign some non 6to4 prefix inside your > > environment? > > Ok. c000::/64 > > > route add -inet6 3ffe:501:4819:2000:: -prefixlen 64 2002:cbb2:8dd8::1 > > Did it on the router. > > > Then I believe I can ping to some of your non 6to4 addresses > > from my non 6to4 address. > > Try: > > c000::2a0:c9ff:feb1:23ae (border router) > c000::200:c0ff:fe34:41c6 (interior box) Either seems to be OK. % ping6 c000::2a0:c9ff:feb1:23ae PING6(56=40+8+8 bytes) 3ffe:501:4819:2000:200:eff:fe2e:def6 --> c000::2a0:c9ff:feb1:23ae 16 bytes from c000::2a0:c9ff:feb1:23ae, icmp_seq=0 hlim=62 time=1136.08 ms 16 bytes from c000::2a0:c9ff:feb1:23ae, icmp_seq=2 hlim=62 time=351.348 ms 16 bytes from c000::2a0:c9ff:feb1:23ae, icmp_seq=3 hlim=62 time=352.258 ms 16 bytes from c000::2a0:c9ff:feb1:23ae, icmp_seq=4 hlim=62 time=346.276 ms 16 bytes from c000::2a0:c9ff:feb1:23ae, icmp_seq=5 hlim=62 time=342.058 ms ^C --- c000::2a0:c9ff:feb1:23ae ping6 statistics --- 6 packets transmitted, 5 packets received, 16% packet loss round-trip min/avg/max = 342.058/505.603/1136.08 ms phoenix% ping6 c000::200:c0ff:fe34:41c6 PING6(56=40+8+8 bytes) 3ffe:501:4819:2000:200:eff:fe2e:def6 --> c000::200:c0ff:fe34:41c6 16 bytes from c000::200:c0ff:fe34:41c6, icmp_seq=0 hlim=63 time=385.097 ms 16 bytes from c000::200:c0ff:fe34:41c6, icmp_seq=1 hlim=63 time=372.819 ms 16 bytes from c000::200:c0ff:fe34:41c6, icmp_seq=2 hlim=63 time=361.545 ms ^C --- c000::200:c0ff:fe34:41c6 ping6 statistics --- 4 packets transmitted, 3 packets received, 25% packet loss round-trip min/avg/max = 361.545/373.153/385.097 ms > > Also, I think you can ping to my non > > 6to4 addr, 3ffe:501:4819:2000:210:5aff:fe86:b65a, from your > > non 6to4 address. 
> > I tried deleting the 6to4 address from an interface on the > interior node and did a ping6, but I get no replies (I think > you have to configure the route on your end first?). Yes, I have configured it, so it should work now. > Is > there a simpler way to force ping6 to use the non 6to4 > address as the source? Woops, ping6 don't have "-S" option. I also tried it from internal machine, and enabled the 6to4 machine as router. > I can ping6 your non 6to4 address from my 6to4 address, see > attached. Thanks, thus, this stf interface seems to be working very well. Also I believe, your machine can setup other gif tunnel to other IPv4 addr at the same time. It seems to be OK for my machine. The gif src addr and dst addr need to be explicitly defined, but the src addr can be same with stf interface addr. Yoshinobu Inoue To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: inetd broken w/o INET6
> It appears inetd is broken if you don't have INET6 defined. This is > the case for picoBSD, for example: Woops, sorry. I'll reflect it. Thanks for the patches. Yoshinobu Inoue To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: IPv6: can a link-site (or global) address be configured inrc.conf?
> > > 6to4 support seems to be very important for initial IPv6 > > > deployment on FreeBSD4.0, so I tried small additinal patches > > > to make it available. And It seems to work. > > > > > > Could some FreeBSD4.0 user with direct internet connectivity > > > please try this patches and try to ping6 to my host's 6to4 > > > address? > > > The procedure is, > > > > For the benefit of the lists, and confirming private mail I sent, > > ping6 works using the second of the patches sent (I didn't try the > > first). Thanks very much for your confirmations! > Ok. In addition to your instructions I also configured the > box as an IPv6 router (using the rc.conf switches) and > used a prefix of 2002:cc5f:bb02::0/64 on the interior > ethernet interface de0 with 2002:cc5f:bb02::1/16 on stf0. I'm > not sure if this is quite right. Maybe it is OK. > Anyway, I can ping6 to 2002:cbb2:8dd8::1 from my interior ipv6 > box as well as from the router box. I also configured DNS > for the two boxes, assigning ipv6 addresses to test.ipv6.tar.com > and ns.ipv6.tar.com. One of my DNS secondaries does not update > immediately on notification, so you might not get the ipv6 > resolution until it updates on schedule if you happen to query > that box. However, once all the secondaries are up, i hope > you can ping6 to both ns.ipv6.tar.com (router) and > test.ipv6.tar.com (interior). Yes I could successfully ping them! 
% ping6 test.ipv6.tar.com PING6(56=40+8+8 bytes) 2002:cbb2:8dd8::1 --> 2002:cc5f:bb02:0:2a0:c9ff:feb1:23ae 16 bytes from 2002:cc5f:bb02:0:2a0:c9ff:feb1:23ae, icmp_seq=0 hlim=63 time=715.85 ms 16 bytes from 2002:cc5f:bb02:0:2a0:c9ff:feb1:23ae, icmp_seq=1 hlim=63 time=426.515 ms ^C --- test.ipv6.tar.com ping6 statistics --- 3 packets transmitted, 2 packets received, 33% packet loss round-trip min/avg/max = 426.515/571.182/715.85 ms % ping6 ns.ipv6.tar.com PING6(56=40+8+8 bytes) 2002:cbb2:8dd8::1 --> 2002:cc5f:bb02:0:200:c0ff:fe34:41c6 16 bytes from 2002:cc5f:bb02:0:200:c0ff:fe34:41c6, icmp_seq=0 hlim=64 time=396.449 ms 16 bytes from 2002:cc5f:bb02:0:200:c0ff:fe34:41c6, icmp_seq=1 hlim=64 time=363.181 ms ^C --- ns.ipv6.tar.com ping6 statistics --- 2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max = 363.181/379.815/396.449 ms > I also had to adjust my ipv4 firewall rules to allow protocol > ipv6 through. Strange that I didn't have to do that when > doing a gif tunnel to freenet6.net. Also, what do I have to > do to enable ip6fw? Wmmm, it is strange that freenet6 was OK. About ip6fw, I think you can enable ip6fw over 6to4 by specifying "via stf" for each rules for IPv6. Here are some examples. (I belive following examples will work, but not tested yet.) If you want to allow 1:2:3::/48, add 10 allow ipv6 from 1:2:3:::/48 to any via stf* in add 15 allow ipv6 from any to 1:2:3::/48 via stf* out If you want to allow only ssh from 3:4:5::/48 outside to 6:7:8:9::/64 inside, (stf0 below can be stf*. Choosed it just for variety.) add 700 allow tcp from 3:4:5::/48 to 6:7:8:9::/64 ssh via stf0 in add 800 allow tcp from 6:7:8:9::/64 ssh to 3:4:5::/48 via stf0 out By the way, I'm now very much interested in next round of test, that non 6to4 IPv6 prefix routing via 6to4 cloud. Could you please assign some non 6to4 prefix inside your environment? 
If your non 6to4 prefix is 1:2:3:4::/64 for example, then I would like to configure a route for it, like below. route add -inet6 1:2:3:4:: -prefixlen 64 2002:cc5f:bb02::1 And my non 6to4 prefix is 3ffe:501:4819:2000::/64. So please assigne following route. route add -inet6 3ffe:501:4819:2000:: -prefixlen 64 2002:cbb2:8dd8::1 Then I believe I can ping to some of your non 6to4 addresses from my non 6to4 address. Also, I think you can ping to my non 6to4 addr, 3ffe:501:4819:2000:210:5aff:fe86:b65a, from your non 6to4 address. Thanks, Yoshinobu Inoue To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: IPv6: can a link-site (or global) address be configured inrc.conf?
> And here is the patches. The last patches should work but I found a improvement related to coexistence with gif, so this is the updated patches. Thanks, Yoshinobu Inoue Index: net/if_gif.c === RCS file: /home/ncvs/src/sys/net/if_gif.c,v retrieving revision 1.3 diff -u -r1.3 if_gif.c --- net/if_gif.c2000/02/27 18:36:30 1.3 +++ net/if_gif.c2000/03/10 11:32:38 @@ -83,7 +83,7 @@ /* * gif global variable definitions */ -int ngif = NGIF; /* number of interfaces */ +int ngif = NGIF + 1; /* number of interfaces. +1 for stf. */ struct gif_softc *gif = 0; void @@ -95,7 +95,7 @@ gif = sc = malloc (ngif * sizeof(struct gif_softc), M_DEVBUF, M_WAIT); bzero(sc, ngif * sizeof(struct gif_softc)); - for (i = 0; i < ngif; sc++, i++) { + for (i = 0; i < ngif - 1; sc++, i++) { /* leave last one for stf */ sc->gif_if.if_name = "gif"; sc->gif_if.if_unit = i; sc->gif_if.if_mtu= GIF_MTU; @@ -107,6 +107,16 @@ if_attach(&sc->gif_if); bpfattach(&sc->gif_if, DLT_NULL, sizeof(u_int)); } + sc->gif_if.if_name = "stf"; + sc->gif_if.if_unit = 0; + sc->gif_if.if_mtu= GIF_MTU; + sc->gif_if.if_flags = IFF_MULTICAST; + sc->gif_if.if_ioctl = gif_ioctl; + sc->gif_if.if_output = gif_output; + sc->gif_if.if_type = IFT_GIF; + sc->gif_if.if_snd.ifq_maxlen = ifqmaxlen; + if_attach(&sc->gif_if); + bpfattach(&sc->gif_if, DLT_NULL, sizeof(u_int)); } PSEUDO_SET(gifattach, if_gif); @@ -322,6 +332,11 @@ /* only one gif can have dst = INADDR_ANY */ #definesatosaddr(sa) (((struct sockaddr_in *)(sa))->sin_addr.s_addr) + +#ifdef INET6 + if (bcmp(ifp->if_name, "stf", 3) == 0) + satosaddr(dst) = INADDR_BROADCAST; +#endif if (satosaddr(dst) == INADDR_ANY) { int i; Index: netinet/in_gif.c === RCS file: /home/ncvs/src/sys/netinet/in_gif.c,v retrieving revision 1.3 diff -u -r1.3 in_gif.c --- netinet/in_gif.c1999/12/22 19:13:18 1.3 +++ netinet/in_gif.c2000/03/10 11:32:38 
@@ -84,6 +84,9 @@ SYSCTL_INT(_net_inet_ip, IPCTL_GIF_TTL, gifttl, CTLFLAG_RW, &ip_gif_ttl,0, ""); +#define IN6_IS_ADDR_6TO4(x)(ntohs((x)->s6_addr16[0]) == 0x2002) +#define GET_V4(x) ((struct in_addr *)(&(x)->s6_addr16[1])) + int in_gif_output(ifp, family, m, rt) struct ifnet*ifp; @@ -98,6 +101,9 @@ struct ip iphdr;/* capsule IP header, host byte ordered */ int proto, error; u_int8_t tos; +#ifdef INET6 + struct ip6_hdr *ip6 = NULL; +#endif if (sin_src == NULL || sin_dst == NULL || sin_src->sin_family != AF_INET || @@ -124,7 +130,6 @@ #ifdef INET6 case AF_INET6: { - struct ip6_hdr *ip6; proto = IPPROTO_IPV6; if (m->m_len < sizeof(*ip6)) { m = m_pullup(m, sizeof(*ip6)); @@ -147,6 +152,24 @@ bzero(&iphdr, sizeof(iphdr)); iphdr.ip_src = sin_src->sin_addr; +#ifdef INET6 + /* XXX: temporal stf support hack */ + if (bcmp(ifp->if_name, "stf", 3) == 0 && ip6 != NULL) { + if (IN6_IS_ADDR_6TO4(&ip6->ip6_dst)) + iphdr.ip_dst = *GET_V4(&ip6->ip6_dst); + else if (rt && rt->rt_gateway->sa_family == AF_INET6) { + struct in6_addr *dst6; + + dst6 = &((struct sockaddr_in6 *) +(rt->rt_gateway))->sin6_addr; + if (IN6_IS_ADDR_6TO4(dst6)) + iphdr.ip_dst = *GET_V4(dst6); + } else { + m_freem(m); + return ENETUNREACH; + } + } else +#endif if (ifp->if_flags & IFF_LINK0) { /* multi-destination mode */ if (sin_dst->sin_addr.s_addr != INADDR_ANY) @@ -232,6 +255,19 @@ if ((sc->gif_if.if_flags & IFF_UP) == 0) continue; + +#ifdef INET6 + /* XXX: temporal stf support hack */ + if (proto == IPPROTO_IPV6 && + bcmp(sc->gif_if.if_name, "stf", 3) == 0 && + satosin(sc->gif_psrc)->sin_addr.s_addr == + ip->ip_dst.s_addr && + satosin(sc->gif_pdst)->sin_addr.s_addr == + INADDR_BRO
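Review bot: in the stf branch added to in_gif_output(), the `else if (rt && rt->rt_gateway->sa_family == AF_INET6)` arm sets iphdr.ip_dst only when `IN6_IS_ADDR_6TO4(dst6)` is true. When the gateway is an IPv6 address outside 2002::/16, neither that assignment nor the final `else` (m_freem() and ENETUNREACH) runs, so the packet continues with ip_dst still zero from the earlier bzero(&iphdr, sizeof(iphdr)). Give the inner test its own else that frees the mbuf and returns ENETUNREACH, or fold the 6to4 test into the else-if condition so the existing else catches this case.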
Re: IPv6: can a link-site (or global) address be configured inrc.conf?
> >Very unfortunately, 6to4 is not yet supported in FreeBSD/KAME. > >So now available options will be, > > -Use freenet6 (for one hosts). > > -Get IPv6 address block and connect to 6bone using gif tunnel. > > We hope to add 6to4 support for KAME/FreeBSD very soon (next week is a > good guess). We may need some more testing before real use, > but it should work. it is in KAME/NetBSD already, I just don't have > time to make it work on othre *BSDs yet... 6to4 support seems to be very important for initial IPv6 deployment on FreeBSD4.0, so I tried small additinal patches to make it available. And It seems to work. Could some FreeBSD4.0 user with direct internet connectivity please try this patches and try to ping6 to my host's 6to4 address? The procedure is, (1)apply this patch and rebuild your kernel (2)configure 6to4 interface I suppose that your IPv4 address is 1.2.3.4 -configure stf interface's outer addr, using gifconfig gifconfig stf0 1.2.3.4 255.255.255.255 (The destination IPv4 addr can be anything.) -encode your IPv4 address to hex format per 2 byte, for later use If it is 1.2.3.4, then it will be, 0102:0304. -encode your IPv6 address on stf interface, for later configuration The format is, like below. 2002: 4byte v4 addr : 2byte SLA ID : 8byte interface ID For simplicity, I choose 0 for SLA ID, and 1 for interface ID. Then, if your IPv4 addr is 1.2.3.4, then your IPv6 addr on stf is, 2002:0102:0304::1 -configure stf interface's IPv6 addr Please use ifconfig. ifconfig stf0 inet6 2002:0102:0304::1 prefixlen 16 (3)try pinging to my host's 6to4 address My machine's 6to4 address is 2002:cbb2:8dd8::1. Please try, ping6 2002:cbb2:8dd8::1 I hope there is reply from my machine. And here is the patches. Thanks, Yoshinobu Inoue Index: net/if_gif.c === RCS file: /home/ncvs/src/sys/net/if_gif.c,v retrieving revision 1.3 diff -u -r1.3 if_gif.c --- net/if_gif.c2000/02/27 18:36:30 1.3 +++ net/if_gif.c2000/03/10 10:09:25 
@@ -83,7 +83,7 @@ /* * gif global variable definitions */ -int ngif = NGIF; /* number of interfaces */ +int ngif = NGIF + 1; /* number of interfaces. +1 for stf. */ struct gif_softc *gif = 0; void @@ -95,7 +95,7 @@ gif = sc = malloc (ngif * sizeof(struct gif_softc), M_DEVBUF, M_WAIT); bzero(sc, ngif * sizeof(struct gif_softc)); - for (i = 0; i < ngif; sc++, i++) { + for (i = 0; i < ngif - 1; sc++, i++) { /* leave last one for stf */ sc->gif_if.if_name = "gif"; sc->gif_if.if_unit = i; sc->gif_if.if_mtu= GIF_MTU; @@ -107,6 +107,16 @@ if_attach(&sc->gif_if); bpfattach(&sc->gif_if, DLT_NULL, sizeof(u_int)); } + sc->gif_if.if_name = "stf"; + sc->gif_if.if_unit = 0; + sc->gif_if.if_mtu= GIF_MTU; + sc->gif_if.if_flags = IFF_MULTICAST; + sc->gif_if.if_ioctl = gif_ioctl; + sc->gif_if.if_output = gif_output; + sc->gif_if.if_type = IFT_GIF; + sc->gif_if.if_snd.ifq_maxlen = ifqmaxlen; + if_attach(&sc->gif_if); + bpfattach(&sc->gif_if, DLT_NULL, sizeof(u_int)); } PSEUDO_SET(gifattach, if_gif); @@ -322,6 +332,11 @@ /* only one gif can have dst = INADDR_ANY */ #definesatosaddr(sa) (((struct sockaddr_in *)(sa))->sin_addr.s_addr) + +#ifdef INET6 + if (bcmp(ifp->if_name, "stf", 3) == 0) + satosaddr(dst) = INADDR_BROADCAST; +#endif if (satosaddr(dst) == INADDR_ANY) { int i; Index: netinet/in_gif.c === RCS file: /home/ncvs/src/sys/netinet/in_gif.c,v retrieving revision 1.3 diff -u -r1.3 in_gif.c --- netinet/in_gif.c1999/12/22 19:13:18 1.3 +++ netinet/in_gif.c2000/03/10 10:09:25 @@ -84,6 +84,9 @@ SYSCTL_INT(_net_inet_ip, IPCTL_GIF_TTL, gifttl, CTLFLAG_RW, &ip_gif_ttl,0, ""); +#define IN6_IS_ADDR_6TO4(x)(ntohs((x)->s6_addr16[0]) == 0x2002) +#define GET_V4(x) ((struct in_addr *)(&(x)->s6_addr16[1])) + int in_gif_output(ifp, family, m, rt) struct ifnet*ifp; 
@@ -98,6 +101,9 @@ struct ip iphdr;/* capsule IP header, host byte ordered */ int proto, error; u_int8_t tos; +#ifdef INET6 + struct ip6_hdr *ip6 = NULL; +#endif if (sin_src == NULL || sin_dst == NULL || sin_src->sin_family != AF_INET || @@ -124,7 +130,6 @@ #ifdef INET
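Review bot: `GET_V4(x)` in the in_gif.c macro hunk casts `&(x)->s6_addr16[1]` to `struct in_addr *`. That pointer sits 2 bytes into the in6_addr, so it is only 16-bit aligned relative to the address, and dereferencing it as a 32-bit in_addr can fault on strict-alignment platforms. Copy the four bytes into a local struct in_addr with bcopy() instead of handing back a cast pointer.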
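Review bot: in the if_gif.c hunks, gifattach() attaches stf0 unconditionally and `ngif = NGIF + 1` always reserves the extra softc, but the line that gives stf its behaviour (`satosaddr(dst) = INADDR_BROADCAST;`) is under `#ifdef INET6`. A kernel built without INET6 would get an stf0 that is just another gif with a different name, so the extra slot and the attach block belong under the same #ifdef. The attach block also repeats the loop body field by field; a small helper taking the name and unit would keep the two copies from drifting apart.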
Re: ipv6 and rc.conf questions
> I think that I know just enough about IPv6 to be dangerous, at this > point. With that in mind, I think we should keep the name (because that > describes exactly what it does), and just change the default to "YES". OK, I'll choose the option, and also add some more description for "rtadvd_enable". Thanks, Yoshinobu Inoue To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: IPv6: can a link-site (or global) address be configuredinrc.conf?
> > (By the way, this is local addr here, and please not use > > exactly same prefix at another place. :-) > > Yes, I am using site-local addresses like "fec0::9ee3:6b4", where I > am coding the IPv4 address in the lower 32 bits, and I am using > a prefixlen=120. I think there have been not much experiences in using non 64 prefixlen for IPv6 on LAN, so there might be some problem hidden behind the usage, or maybe not. > Just wondering: is the "alias" necessary? I can add a site-local IPv6 > address to the same interface without the "alias" ifconfig keyword. Yes, alias is not necessary for IPv6. > If this > is valid, then something as > ifconfig_fxp0="inet 158.227.6.180 netmask 255.255.255.0 inet6 fec0::9ee3:6b4 >prefixlen 120" > should be OK. But above config does not seems work here. I think ifconfig_ifname_aliasnum is just necessary for configuring multiple addrs for one interface purpose. Cheers, Yoshinobu Inoue To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: ipv6 and rc.conf questions
> > > Wmmm, should rtadvd always be invoked when 'ipv6_gateway_enable="YES" ?

Oh, I need to conclude about this.

> (2): Yes there is. Usually it is desirable that only upstream
> router invoke rtadvd to suppress too many redirects.
> In following case, only R-backbone should invoke rtadvd.
> (But there will be no serious problem even if R-local
> also invoke rtadvd.)
>
>     backbone
>        |
>    R-backbone
>        |
>   ------------- my subnet
>        |
>     R-local
>        |
>   ------------- just one or two subnets
>
> > I have this fuzzy feeling that always invoking rtadvd on routers might
> > not be a good idea, but that perhaps making it the default might be good
> > (right now, rtadvd is turned off by default).
> >
> > Bruce.

To think about the above case, always enabling rtadvd might not be a good idea.

And now I think the problem is that the entry name, rtadvd_enable="NO", is not intuitive for users. So how about changing the name to something like

  ipv6_to_be_defaultrouter="NO"

and if it is set to YES, then rc.network6 invokes rtadvd (and possibly does other work)?

Please give me comments on whether it seems reasonable or not, and also on whether the name is good or bad.

Thanks,
Yoshinobu Inoue
Re: IPv6: can a link-site (or global) address be configured in rc.conf?
Hi,

Very unfortunately, 6to4 is not yet supported in FreeBSD/KAME.

So the options available now will be:
 - Use freenet6 (for one host).
 - Get an IPv6 address block and connect to 6bone using a gif tunnel.

Cheers,
Yoshinobu Inoue

> > Please read, then ask any questions you may have. 6to4 is currently
> > supported, and there are relay routers up and running.
>
> My apologies if I sound like I need "IPv6 for Dummies".
>
> Just to clarify. You mean that 6to4 is currently supported in FreeBSD/KAME?
> Of course, I'm not quite sure what I mean by this. I guess, if I configure
> a FreeBSD/KAME host as an IPv6 router, will the router automatically do the
> IPv6->IPv4 encapsulation when it encounters a destination prefix of 2002::/16
> and vice versa for incoming packets? Or, do I need to configure a pseudo
> interface somehow (gif doesn't look quite like the right thing?). Also, will
> FreeBSD/KAME hosts (both router and non-router hosts) somehow automatically
> do the proper address selection algorithm when they encounter multiple IPv6
> addresses, or is that an application level requirement?
>
> Also, if I have (for example) IPv4 addresses of 204.95.187/24, I assume
> I can use any of the 2002:[V4ADDR]:/48 prefixes within my allocation, but
> for external 6to4 connectivity I should probably choose the V4ADDR of the
> external interface of the 6to4 router?
>
> And, finally, do some of the 6to4 relay routers that are "up and running"
> serve small isolated sites? I assume the best case is that one's ISP
> provides IPv6 connectivity in some shape or form. But, if that's not the
> case, I assume the main options are IPv6-IPv4 tunnel to a co-operative
> IPv6 site, or 6to4 with a default route to a relay router (who I assume
> must configure a static route back?). Or, run a more sophisticated routing
> protocol (BGP), but that's a little much for me, I think.
>
> Of course, if everyone configures 6to4 (or at least everyone you want to reach)
> then am I correct that you don't really need 6to4 "relay" routers? This is
> only for reaching native IPv6 sites without 6to4 addresses?
>
> Thanks.
>
> --
> Richard Seaman, Jr. email: [EMAIL PROTECTED]
> 5182 N. Maple Lane phone: 262-367-5450
> Chenequa WI 53058 fax: 262-367-5852
Re: /usr/bin/ssh and SOCKS
> : I'd like to get this committed - I'll try and take a look at it tonight, > : time permitting. I would definitely like to allow SSH to work with dante, > : though, since that's a better (BSDL) alternative than the restricted NEC > : version. I don't know well about dante, but if it is one of socks implementation, then I think it will also need getaddrinfo wrapper support. In socks5 port case, the following patches are already added, so it should be able to support apps which use getaddrinfo(). Cheers, Yoshinobu Inoue --- lib/rld.c.orig Wed Aug 4 04:59:28 1999 +++ lib/rld.c Mon Feb 21 03:55:45 2000 @@ -197,6 +197,26 @@ lsInRLDFunctions = 0; S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(10), 0, "RLD: gethostbyname2 results: %s %s", name, hp?hp->h_name:"???"); return hp; +} +#endif + +#ifdef HAVE_GETADDRINFO +int REAL(getaddrinfo)(const char *hostname, const char *servname, + const struct addrinfo *hints, struct addrinfo **aip) { +int error; +static void *func = NULL; + +S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(10), 0, "RLD: getaddrinfo: %s", +hostname); +GetOriginalFunc(&func, "_getaddrinfo", TRY_LIBC | TRY_LIBNSL | TRY_LIBRESOLV); +if (!func || func == (void *)-1) return NULL; + +lsInRLDFunctions = 1; +error = ((int (*)P((const char *, const char *, const struct addrinfo *, + struct addrinfo **)))func)(hostname, servname, + hints, aip); +lsInRLDFunctions = 0; +S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(10), 0, "RLD: getaddrinfo results: +%s %s", hostname, (*aip&&(*aip)->ai_canonname)?(*aip)->ai_canonname:"???"); +return error; } #endif --- lib/hostname.c.orig Wed Aug 4 04:59:29 1999 +++ lib/hostname.c Tue Feb 22 09:51:48 2000 @@ -17,6 +17,10 @@ #define S5_HOSTLIST_SIZE256 #define S5_HOSTALIASES_SIZE 16 #define S5_FAKEHOSTFILE ".s5fakehost" + +#ifndef NI_WITHSCOPEID +#defineNI_WITHSCOPEID 0 +#endif struct hostEntry { char name[S5_HOSTNAME_SIZE]; 
@@ -402,6 +406,129 @@ } #endif +#if defined(HAVE_GETADDRINFO) && defined(HAVE_GETNAMEINFO) +/* wrapper around the getaddrinfo call. */ +/* similar to getaddrinfo() except for: */ +/* *** if getaddrinfo() fails, then it returns a pointer to a addrinfo */ +/* structure filled with a special value, so that SOCKSxx() will */ +/* realize that this host was unresolved and fill in the protocol*/ +/* accordingly...*/ +/* */ +/* returns an error number on failure; 0 on success */ +int LIBPREFIX(getaddrinfo)(const char *hostname, const char *servname, + const struct addrinfo *hints, + struct addrinfo **aip) { +static char numaddrbuf[MAXHOSTNAMELEN]; +static struct addrinfo *ai; +char *local, *fake; +int error = 0, i; +int addrlen, namelen, family; + +#ifdef FOR_SHARED_LIBRARY +if (lsInRLDFunctions || lsInWrapFunction || lsInWrapHostname) return +REAL(getaddrinfo)(hostname, servname, hints, aip); +#endif + +lsInWrapFunction = 1; +lsInWrapHostname = 1; +LIBPREFIX2(init)("libsocks5"); +S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(10), 0, "SOCKS getaddrinfo: looking +up %s", hostname); + +fake = getenv("SOCKS5_FAKEALLHOSTS"); +local = getenv("SOCKS5_LOCALDNSONLY"); + +if (!fake && + (error = REAL(getaddrinfo)(hostname, servname, hints, aip)) == NULL) { +getnameinfo((*aip)->ai_addr, (*aip)->ai_addrlen, numaddrbuf, + sizeof(numaddrbuf) - 1, NULL, 0, + NI_NUMERICHOST|NI_WITHSCOPEID); + S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(10), 0, "SOCKS getaddrinfo: REAL: +%s", numaddrbuf); + +lsInWrapFunction = 0; +lsInWrapHostname = 0; + return error; +} + +/* If your DNS is the same as the socks server, don't fake a correct */ +/* lookup when you know it won't work... */ +if (local) { + S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(10), 0, "SOCKS getaddrinfo: REAL: +Fake not configured"); +lsInWrapFunction = 0; +lsInWrapHostname = 0; + return (error != 0) ? 
error : EAI_FAIL; +} + +/* Fill in some UNRESOLVED values and let the daemon resolve it */ +if ((i = GetFakeHost(hostname)) <= 0) { +S5LogUpdate(S5LogDefaultHandle, S5_LOG_ERROR, 0, "SOCKS getaddrinfo: Get fake +host failed"); +lsInWrapFunction = 0; +lsInW
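Review bot: in the lib/rld.c hunk, `if (!func || func == (void *)-1) return NULL;` returns 0 from a function declared int, which a getaddrinfo() caller reads as success while `*aip` has never been set; return an EAI_ error such as EAI_FAIL instead. The "getaddrinfo results" log line after the call also dereferences `*aip` whatever `error` is, so it needs an `error == 0` guard.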
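Review bot: in the LIBPREFIX(getaddrinfo) wrapper added to lib/hostname.c, the success test `(error = REAL(getaddrinfo)(...)) == NULL` compares an int with a pointer constant; write `== 0`. The return value of getnameinfo() is ignored before `numaddrbuf` is passed to S5LogUpdate, so on failure the log call reads a buffer that was never filled, and because `numaddrbuf` and `ai` are `static` the wrapper is not safe to call from two threads; a comment should say so or the buffers should be made local.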
Re: ipv6 and rc.conf questions
Hi,

> > Wmmm, should rtadvd always be invoked when 'ipv6_gateway_enable="YES" ?
>
> Hmmm...two things come to mind. 1) What happens if there are two
> routers running rtadvd on a single subnet? 2) Are there environments in
> which a netadmin might not want to use router advertisements?

(1): It is OK. A host randomly chooses one of the routers as its default router, and the other routers are also kept as backup default routers. The host always sends its packets to the default router, and if it is not the correct router for the destination, then the packet is just redirected to the correct router.

(2): Yes there is. Usually it is desirable that only the upstream router invokes rtadvd, to suppress too many redirects. In the following case, only R-backbone should invoke rtadvd. (But there will be no serious problem even if R-local also invokes rtadvd.)

        backbone
           |
       R-backbone
           |
      ------------- my subnet
           |
        R-local
           |
      ------------- just one or two subnets

But if you have more than 2 upstream routers, it might be desirable that either upstream router invokes rtadvd, for redundancy.

      ------------------------ backbone
          |              |
      R-backbone1   R-backbone2
          |              |
      ------------------------ my subnet

Yoshinobu Inoue

> I have this fuzzy feeling that always invoking rtadvd on routers might
> not be a good idea, but that perhaps making it the default might be good
> (right now, rtadvd is turned off by default).
>
> Bruce.
Re: IPv6: can a link-site (or global) address be configured in rc.conf?
Hi,

> Hello,
>
> Now that I have several machines running FreeBSD 4.0, I started to
> play with IPv6. It's fun! I have plans to set up a v6-over-v4 tunnel
> and connect to the 6Bone.
>
> I read /usr/share/examples/IPv6/USAGE, /usr/share/doc/IPv6/IMPLEMENTATION
> and some documents at the KAME web site. However, I still have to figure out
> how to assign a not-link-local address (i.e., a site or global address) to
> the [unique] Ethernet interface of each host in an automatic manner (from
> /etc/rc.conf). After reading /etc/rc.network6 I concluded that no addresses
> apart from the link-local ones are assigned to the interfaces. I am using
> ifconfig manually to do this (BTW, I found that there is no need to specify
> "alias"). I am new to IPv6, so maybe I am asking for something with no
> sense...

There seem to be other answers already and I might be missing a point, but you might mean you want to assign an address with a simple number in its lower 8 bytes? Such as

  3ffe:501:100e:2000::1
or
  3ffe:501:100e:2000::2

not like

  3ffe:501:100e:2000:200:eff:fe74:41d2 ?

In that case, yes, you need to do ifconfig to assign the former kind of address. They are relatively easy to memorize and useful as server addrs.

But you don't necessarily need to assign it manually. You can use the existing ifconfig_ifname= and ifconfig_ifname_aliasnum= also for IPv6. (But there is no example for IPv6. I'll add examples.)

E.g. if you want to assign 3ffe:501:100e:2000::1 and 3ffe:501:100e:2000::2 to ed0, I think the following configuration works.

  ifconfig_ed0_alias0="inet6 3ffe:501:100e:2000::1 prefixlen 64"
  ifconfig_ed0_alias1="inet6 3ffe:501:100e:2000::2 prefixlen 64"

(By the way, this is a local addr here, and please do not use exactly the same prefix at another place. :-)

Cheers,
Yoshinobu Inoue
Re: ipv6 and rc.conf questions
Hi,

> Hi,
>
> I have been playing with IPv6 on a few machines and I must say that it
> is very easy to get the basic IPv6 configuration on the "endpoints" ie.
> machines with just a ethernet connection. Just a line with
> 'ipv6_enable="YES"' /etc/rc.conf and it is done.

I'm glad to know that is working. :-)

> But how do you configure an IPv6 in IPv4 tunnel in rc.conf? I can do it
> on the commandline, I'm just trying to figure out how to do it in rc.conf.
> I can get the IPv4 part configured with something like this:
>
> gif_interfaces="gif0"
> gifconfig_gif0="146.64.84.9 146.64.8.68"
>
> But how/where do you configure the IPv6 part of the tunnel? Do you have to
> put it in the network_interfaces= section where the normal IPv4
> configuration is done?

After the gif tunnel is configured by the above setup, you can just use ifconfig to assign any IPv4 and/or IPv6 addresses to the gif p2p link. Such as,

  ifconfig gif0 10.0.0.1 10.0.0.2 netmask 255.255.255.0
  ifconfig gif0 inet6 fec0:0:0:1000::1 fec0:0:0:1000::2 prefixlen 64 alias

However, an IPv6 machine already has an IPv6 link local address on each of its interfaces by default, so it is found that no additional IPv6 addr is necessary on p2p links.

When you ping6 on a gif tunnel, you will see replies from the IPv6 link local addresses of the local machine and the remote machine like below (if the tunnel is set up correctly on each side).

  hoge% ping6 ff02::1%gif0
  PING6(56=40+8+8 bytes) fe80::200:eff:fe2e:dfe1 --> ff02::1
  16 bytes from fe80::200:eff:fe2e:dfe1%lo0, icmp_seq=0 hlim=64 time=5.2 ms
  16 bytes from fe80::200:e2ff:fe0d:bd18%gif0, icmp_seq=0 hlim=64 time=22.185 ms(DUP!)
  16 bytes from fe80::200:eff:fe2e:dfe1%lo0, icmp_seq=1 hlim=64 time=8.127 ms
  16 bytes from fe80::200:e2ff:fe0d:bd18%gif0, icmp_seq=1 hlim=64 time=33.705 ms(DUP!)
  ^C
  --- ff02::1%gif0 ping6 statistics ---
  2 packets transmitted, 2 packets received, +2 duplicates, 0% packet loss
  round-trip min/avg/max = 5.2/17.304/33.705 ms

If you need to reach other addrs over the tunnel, then,
 - just assign an IPv6 route to the gif tunnel using the "route add -inet6 " command,
   or
 - enable the following lines on the machines at each end, and reboot them.
     ipv6_gateway_enable="YES"
     ipv6_router_enable="YES"

If you did an update and make world recently, please check /usr/share/examples/IPv6/USAGE. There will be more detailed info. A handbook chapter version is now under preparation.

> Another question, how do you add a default IPv6 route in rc.conf? There is
> an ipv6_default_interface= variable, but from the comments it looks like
> it is only meant for link local multicast addresses.

In IPv6, a host's default router is automatically registered by receiving Router Advertisement messages from routers.

To let routers send Router Advertisements, you need to invoke rtadvd on your router. It will be available by enabling the following config line on the router.

  rtadvd_enable="YES"

If you want to enable it after the reboot, then please invoke rtadvd as root, and give it the list of interface names over which you want Router Advertisement messages to be sent. Such as,

  rtadvd ed0 ed1 ep0 ep1

Wmmm, should rtadvd always be invoked when 'ipv6_gateway_enable="YES" ?

Cheers,
Yoshinobu Inoue
Re: IPSec in 4.0-current questions..
> >I've been messing about with IPSEC in 4.0-current, and have observed some
> >unexpected behavior. Is there someone I can swap some email with off
> >the list to determine if what I'm seeing is a bug, or I'm just confused?
> >It has to do with security policy specifications and what SAID is being
> >selected when a TCP connection is being opened.
>
> could you try sending details to [EMAIL PROTECTED] (KAME users
> mailing list, you may want to subscribe it - see www.kame.net).

There might also be a possibility of a freebsd specific problem, and also, usual freebsd users might also wish to know the issue.

How about cross posting to [EMAIL PROTECTED] and freebsd-security?

Yoshinobu Inoue
Re: IPv6 trouble
> I suspect, > > * fetchmail inquire "localhost" to resolver > * resolver returns "::1" because there is the entry in /etc/hosts > * fetchmail try to connect port 25 on "::1" > * sendmail listen on only port 25 of inet4, not of inet6 > * trial failes, and fetchmail giving up > > Then, I commented out "::1" from /etc/hosts, works fine. > > > By the way, WHO is responsible for this? > fetchmail? resolver? my setting? It seems to be fetchmail bug. It should try IPv4 if IPv6 access is failed. Could you please copy this patches as your ports/mail/fetchmail/patches/patch-ak file, and rebuild fetchmail, and try again? Sorry for your problem. Yoshinobu Inoue *** socket.c~ Tue Feb 8 08:44:01 2000 --- socket.cThu Mar 2 21:00:00 2000 *** *** 126,131 --- 126,133 #if NET_SECURITY void *request = NULL; int requestlen; + #else /* NET_SECURITY */ + struct addrinfo *ai0; #endif /* NET_SECURITY */ #ifdef HAVE_SOCKETPAIR *** *** 156,171 #ifdef HAVE_INNER_CONNECT i = inner_connect(ai, NULL, 0, NULL, NULL, "fetchmail", NULL); #else i = socket(ai->ai_family, ai->ai_socktype, 0); ! if (i < 0) { ! freeaddrinfo(ai); ! return -1; ! } if (connect(i, (struct sockaddr *) ai->ai_addr, ai->ai_addrlen) < 0) { - freeaddrinfo(ai); close(i); /* don't use SockClose, no traffic yet */ ! return -1; } #endif #endif /* NET_SECURITY */ --- 158,174 #ifdef HAVE_INNER_CONNECT i = inner_connect(ai, NULL, 0, NULL, NULL, "fetchmail", NULL); #else + for (ai0 = ai; ai != NULL; ai = ai->ai_next) + { i = socket(ai->ai_family, ai->ai_socktype, 0); ! if (i < 0) ! continue; if (connect(i, (struct sockaddr *) ai->ai_addr, ai->ai_addrlen) < 0) { close(i); /* don't use SockClose, no traffic yet */ ! continue; } + } + ai = ai0; #endif #endif /* NET_SECURITY */ To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
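Review bot: the new `for (ai0 = ai; ai != NULL; ai = ai->ai_next)` loop in socket.c has no `break` after a successful connect(), so it carries on to the next address, opens a further socket and loses the descriptor that had just connected; add `break;` after the connect block. The removed `return -1` paths are not replaced either: when every address fails, `i` is left holding a descriptor that has already been closed, so the code after the loop should test for `ai == NULL` and return -1 there, and the freeaddrinfo() that the old error paths performed has to be kept on that path.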
Re: lo0 tcp connections in TIME_WAIT/LAST_ACK/FIN_WAIT?
> After upgrading from 3.4 to RC2, i'm noticing something that I never saw
> before:
>
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
> tcp        0      0  127.0.0.1.4954     127.0.0.1.4242     SYN_SENT
> tcp        0      0  127.0.0.1.4953     127.0.0.1.4242     TIME_WAIT
> tcp        0      0  127.0.0.1.4952     127.0.0.1.4242     TIME_WAIT
> tcp        0      0  127.0.0.1.4951     127.0.0.1.4242     TIME_WAIT
> tcp        0      0  127.0.0.1.4950     127.0.0.1.4242     TIME_WAIT
> tcp        0      0  127.0.0.1.4949     127.0.0.1.4242     TIME_WAIT
> tcp        0      0  127.0.0.1.4948     127.0.0.1.4242     LAST_ACK
> tcp        0      0  127.0.0.1.4947     127.0.0.1.4242     CLOSE_WAIT
> tcp        0      0  127.0.0.1.4945     127.0.0.1.4242     TIME_WAIT
> tcp        0      0  127.0.0.1.4944     127.0.0.1.4242     TIME_WAIT
> tcp        0      0  127.0.0.1.4942     127.0.0.1.4242     TIME_WAIT
> tcp        0      0  127.0.0.1.4940     127.0.0.1.4242     FIN_WAIT_1
> tcp        0      0  127.0.0.1.4938     127.0.0.1.4242     FIN_WAIT_1
> tcp        0      0  127.0.0.1.4937     127.0.0.1.4242     TIME_WAIT
> tcp        0      0  127.0.0.1.4936     127.0.0.1.4242     TIME_WAIT
>
>
> Are tcp connections going through lo0 ever supposed to end up like this? I
> thought everything that went through lo0 was supposed to be.. well..
> instant and mostly lossless. Any ideas?
>
> Kevin

Hi, does that happen for any apps? Could you please give me info about what is the apps which use the port 4242?

Thanks,
Yoshinobu Inoue
Re: IPv6 diagnostic VMWARE 2 beta
> World of 2228 under VMWARE 2.0-468 under NT4.
>
> Is this one for VMWARE?
>
> lnc0 = bridged adapter (network cable disconnected)
> lnc1 = host adapter
>
> The following kernel diagnostics are presented during boot.
>
> lnc0: starting DAD for fe80:0001::0250:56ff:fe98:95ec
> lnc1: starting DAD for fe80:0002::0250:56ff:fee7:93ca
> lnc0: DAD detected duplicate IPv6 address fe80:0001::0250:56ff:fe98:95ec
> : 1 NS, 0 NA
> lnc0: DAD complete for fe80:0001::0250:56ff:fe98:95ec - duplicate found
> lnc0: manual intervention required
> lnc1: DAD complete for fe80:0002::0250:56ff:fee7:93ca - no duplicates
> found
> --
> Mark Knight

The above log message is from IPv6 duplicated address detection. It is defined in RFC2462, and briefly it does the following things on each of the connected interfaces.

 - Automatically create its own addr.
 - But before actually enabling it, do a link local multicast query for the addr on the associated interface, to check if the same addr is already assigned to another host.
 - Usually it succeeds if no reply is obtained in some period, and fails if a reply is obtained. (It thinks the same addr is already used by some other host.)

So this procedure will fail in the following cases.

 - Its own outstanding multicast packets are copied back from the network.
 - The interface is in PROMISCUOUS mode. (e.g. tcpdump is exec'ed on the interface.)

I have never used VMWARE, but I suppose the above lnc0 is VMWARE's virtual bridging interface and is copying back its own outstanding multicast packets?

Yoshinobu Inoue
Re: is inet6 preffered when resolving names?
> Hi!
>
> Is it right behavior to try IPv6 address first?
>
> work# telnet localhost
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Only solution for it is to comment out in /etc/hosts:
>
> ::1 localhost localhost.my.domain myname.my.domain
>
> I've tried to switch 127.0.0.1 and ::1 is /etc/hosts but there was no effect.

Now the order of the searching address family is statically defined in libc. So if the target has record, then it is tried first.

Currently, another workaround is using the '-4' option.

  telnet -4 localhost

And what is your desired behaviour? If your desire is that the IPv4 address is always tried first, then we can add some switch to change the order. (But it will be after 4.0.)

Thanks,
Yoshinobu Inoue
Re: patches for SIOCGIFCONF
> > usr.sbin/xntpd/xntpd: > > These directories don't exist anymore in -CURRENT because we now have ntp4. Woops sorry, a machine in my home which I used to produce those diffs, still mistakenly had the directory. > > --- contrib/ntp/ntpd/ntp_io.c.orig Fri Jan 28 15:44:00 2000 > > +++ contrib/ntp/ntpd/ntp_io.c Mon Feb 28 02:26:46 2000 > > @@ -444,7 +444,7 @@ > > continue; > > } > > # endif /* SYS_WINNT */ > > - ifreq = *ifr; > > + memcpy(&ifreq, ifr, sizeof(ifreq)); > > inter_list[i].flags = 0; > > /* is it broadcast capable? */ > > # ifndef SYS_WINNT > > This one should be sent to the NTP guys before ntpd 4.1.0 goes out. OK, I sent it to [EMAIL PROTECTED] And I found that my patches to contrib/bind/lib/irs/gethotent.c needs a fix. - memcpy(&ifreq, cp, sizeof *ifreqs); + memcpy(ifreqp, cp, sizeof ifreqbuf); This is updated patches. Thanks, Yoshinobu Inoue --- contrib/bind/lib/irs/gethostent.c.orig Tue Nov 30 15:38:00 1999 +++ contrib/bind/lib/irs/gethostent.c Mon Feb 28 13:55:43 2000 @@ -462,13 +462,16 @@ static int scan_interfaces(int *have_v4, int *have_v6) { struct ifconf ifc; - struct ifreq ifreq; + struct ifreq* ifreqp; struct in_addr in4; struct in6_addr in6; char *buf = NULL, *cp, *cplim; + char ifreqbuf[IFNAMSIZ + sizeof(struct sockaddr_storage)]; static int bufsiz = 4095; int s, cpsize, n; + ifreqp = (struct ifreq *)ifreqbuf; + /* Set to zero. Used as loop terminators below. */ *have_v4 = *have_v6 = 0; @@ -504,7 +507,7 @@ * buffer we will grow it just in case and * retry. */ - if (ifc.ifc_len + 2 * sizeof(ifreq) < bufsiz) + if (ifc.ifc_len + 2 * sizeof(*ifreqp) < bufsiz) break; } #endif 
@@ -523,40 +526,40 @@ for (cp = buf; (*have_v4 == 0 || *have_v6 == 0) && cp < cplim; cp += cpsize) { - memcpy(&ifreq, cp, sizeof ifreq); + memcpy(ifreqp, cp, sizeof ifreqbuf); #ifdef HAVE_SA_LEN #ifdef FIX_ZERO_SA_LEN - if (ifreq.ifr_addr.sa_len == 0) - ifreq.ifr_addr.sa_len = 16; + if (ifreqp->ifr_addr.sa_len == 0) + ifreqp->ifr_addr.sa_len = 16; #endif #ifdef HAVE_MINIMUM_IFREQ - cpsize = sizeof ifreq; - if (ifreq.ifr_addr.sa_len > sizeof (struct sockaddr)) - cpsize += (int)ifreq.ifr_addr.sa_len - + cpsize = sizeof *ifreqp; + if (ifreqp->ifr_addr.sa_len > sizeof (struct sockaddr)) + cpsize += (int)ifreqp->ifr_addr.sa_len - (int)(sizeof (struct sockaddr)); #else - cpsize = sizeof ifreq.ifr_name + ifreq.ifr_addr.sa_len; + cpsize = sizeof ifreqp->ifr_name + ifreqp->ifr_addr.sa_len; #endif /* HAVE_MINIMUM_IFREQ */ #elif defined SIOCGIFCONF_ADDR - cpsize = sizeof ifreq; + cpsize = sizeof *ifreqp; #else - cpsize = sizeof ifreq.ifr_name; + cpsize = sizeof ifreq->ifr_name; /* XXX maybe this should be a hard error? */ - if (ioctl(s, SIOCGIFADDR, (char *)&ifreq) < 0) + if (ioctl(s, SIOCGIFADDR, (char *)ifreqp) < 0) continue; #endif - switch (ifreq.ifr_addr.sa_family) { + switch (ifreqp->ifr_addr.sa_family) { case AF_INET: if (*have_v4 == 0) { memcpy(&in4, &((struct sockaddr_in *) - &ifreq.ifr_addr)->sin_addr, sizeof in4); + &ifreqp->ifr_addr)->sin_addr, sizeof in4); if (in4.s_addr == INADDR_ANY) break; - n = ioctl(s, SIOCGIFFLAGS, (char *)&ifreq); + n = ioctl(s, SIOCGIFFLAGS, (char *)ifreqp); if (n < 0) break; - if ((ifreq.ifr_flags & IFF_UP) == 0) + if ((ifreqp->ifr_flags & IFF_UP) == 0) break; *have_v4 = 1; } @@ -565,13 +568,13 @@ if (*have_v6 == 0) { memcpy(&in6,
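Review bot: in the scan loop of gethostent.c, `memcpy(ifreqp, cp, sizeof ifreqbuf);` always copies IFNAMSIZ + sizeof(struct sockaddr_storage) bytes, even when the record at `cp` is an ordinary ifreq close to `cplim`, so the last records are read beyond the data SIOCGIFCONF returned; limit the length to the smaller of `sizeof ifreqbuf` and `cplim - cp`. In the final `#else` branch, `cpsize = sizeof ifreq->ifr_name;` still names the removed `ifreq` variable and will not compile where that branch is selected; it should read `ifreqp->ifr_name`.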
patches for SIOCGIFCONF
Hi, I checked apps under /usr/src which are using SIOCGIFCONF, and might have some effect on INET6 enabled kernel, and created patches for them. (Some of the patches are not directly related to SIOCGIFCONF) These are build checked on i386, but not actually confirmed on alpha. Please review this, and if someone have time to test it on INET6 enabled alpha, it is very appreciated. usr.sbin/xntpd/xntpd: lib/libc/rpc: crypto/kerberosIV/lib/krb: contrib/ntp/ntpd: Doing structure copy ifreq obtained by SIOCGIFCONF. This might cause unaligend access trap, and thus cause some performance issue. contrib/bind/lib/irs: Copying the contents of ifreq obtained by SIOCGIFCONF into local ifreq var. And doing IPv6 related operation with it. This cause problem because IPv6 info don't fit into ifreq structure. These are not SIOCGIFCONF problem. usr.sbin/timed/timed: usr.sbin/arp: Using u_long to keep in_addr.s_addr, and doing some operation with such values. This might not be acutally problem but better to be fixed. contrib/amd/libamu: Using u_long to keep in_addr.s_addr value in many place. I'm not sure if this really cause problem on alpha, but I am afraid that ntohl() is done on some of such vars. Thanks, Yoshinobu Inoue --- usr.sbin/xntpd/xntpd/ntp_io.c.orig Mon Feb 28 01:53:00 2000 +++ usr.sbin/xntpd/xntpd/ntp_io.c Mon Feb 28 01:53:30 2000 @@ -285,7 +285,7 @@ n -= size; if (ifr->ifr_addr.sa_family != AF_INET) continue; - ifreq = *ifr; + memcpy(&ifreq, ifr, sizeof(ifreq)); #ifdef STREAMS_TLI ioc.ic_cmd = SIOCGIFFLAGS; ioc.ic_timout = 0; --- lib/libc/rpc/get_myaddress.c.orig Fri Jan 28 10:12:00 2000 +++ lib/libc/rpc/get_myaddress.cMon Feb 28 02:16:35 2000 @@ -81,7 +81,7 @@ end = (struct ifreq *) (ifc.ifc_buf + ifc.ifc_len); while (ifr < end) { - ifreq = *ifr; + memcpy(&ifreq, ifr, sizeof(ifreq)); if (ioctl(s, SIOCGIFFLAGS, (char *)&ifreq) < 0) { _close(s); return(-1); --- lib/libc/rpc/pmap_rmt.c.origMon Feb 28 02:16:13 2000 +++ lib/libc/rpc/pmap_rmt.c Mon Feb 28 02:12:33 2000 
@@ -189,7 +189,7 @@ ifr = (struct ifreq *)cp; if (ifr->ifr_addr.sa_family != AF_INET) continue; - memcpy(&ifreq, ifr, sizeof(ifreq)); + ifreq = *ifr; if (ioctl(sock, SIOCGIFFLAGS, (char *)&ifreq) < 0) { perror("broadcast: ioctl (get interface flags)"); continue; --- crypto/kerberosIV/lib/krb/getaddrs.c.orig Sun Jan 9 19:49:00 2000 +++ crypto/kerberosIV/lib/krb/getaddrs.cMon Feb 28 02:24:18 2000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan + * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Hskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -128,7 +128,7 @@ continue; (*l)[j++] = ((struct sockaddr_in *)&ifr->ifr_addr)->sin_addr; } - ifreq = *ifr; + memcpy(&ifreq, ifr, sizeof(ifreq)); } } if (j != num) { --- contrib/ntp/ntpd/ntp_io.c.orig Fri Jan 28 15:44:00 2000 +++ contrib/ntp/ntpd/ntp_io.c Mon Feb 28 02:26:46 2000 @@ -444,7 +444,7 @@ continue; } # endif /* SYS_WINNT */ - ifreq = *ifr; + memcpy(&ifreq, ifr, sizeof(ifreq)); inter_list[i].flags = 0; /* is it broadcast capable? */ # ifndef SYS_WINNT --- contrib/bind/lib/irs/gethostent.c.orig Tue Nov 30 15:38:00 1999 +++ contrib/bind/lib/irs/gethostent.c Mon Feb 28 02:43:39 2000 @@ -462,13 +462,16 @@ static int scan_interfaces(int *have_v4, int *have_v6) { struct ifconf ifc; - struct ifreq ifreq; + struct ifreq* ifreqp; struct in_addr in4; struct in6_addr in6; char *buf = NULL, *cp, *cplim; + char ifreqbuf[IFNAMSIZ + sizeof(struct sockaddr_storage)]; static int bufsiz = 4095; int s, cpsize, n; + ifreqp = (struct ifreq *)ifreqbuf; + /* Set to zero. Used as loop terminators below. */ *have_v4 = *have_v6 = 0; @@ -504,7 +507,7 @@ * buffer we will grow it just in case and * retry. */ - if (ifc.ifc_len + 2 * sizeof(ifreq) < bufsiz) + if (ifc.ifc_len + 2 * sizeof(*ifreqp) < bufsiz) break; } #endif @@ -523,40 +526,40 @@ for (cp = buf;
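Review bot: the lib/libc/rpc/pmap_rmt.c hunk goes the wrong way round: it removes `memcpy(&ifreq, ifr, sizeof(ifreq));` and adds `ifreq = *ifr;`, which is the structure copy the other hunks are replacing. The `.orig` file also carries the later timestamp, so the diff looks as if it was taken with its arguments swapped; regenerate it.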
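Review bot: the first hunk of crypto/kerberosIV/lib/krb/getaddrs.c changes the copyright line, turning "Högskolan" into "Hskolan"; that is an encoding accident in the editor or mailer rather than part of the fix, so drop that hunk and resend the file's diff with only the `memcpy(&ifreq, ifr, sizeof(ifreq));` change.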
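The two problems this message describes, as an added example that is not part of the posted patches: records returned by SIOCGIFCONF are packed back to back and sized by sa_len, so copying one fixed-size struct ifreq loses half of an IPv6 address, and each record has to be copied out with a bounded memcpy() rather than dereferenced in place. The `x_` structures, `X_` constants and the sample buffer are constructed for the example so that it runs on systems whose own headers differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed BSD-style layouts (sa_len first); the real definitions are in
 * <sys/socket.h>, <net/if.h> and <netinet/in.h>. */
#define X_IFNAMSIZ 16
#define X_AF_INET  2
#define X_AF_INET6 28                /* value assumed for this example */
struct x_sockaddr { uint8_t sa_len, sa_family, sa_data[14]; };
struct x_ifreq { char ifr_name[X_IFNAMSIZ]; struct x_sockaddr ifr_addr; };
struct x_sockaddr_in6 {              /* 28 bytes: larger than x_sockaddr */
    uint8_t sin6_len, sin6_family; uint16_t sin6_port;
    uint32_t sin6_flowinfo; uint8_t sin6_addr[16]; uint32_t sin6_scope_id;
};
struct scan_result { int n_v4, n_v6; uint8_t last_v6[16]; };

/* Walk the records; returns 0, or -1 if a record runs past the data. */
int scan_ifconf(const uint8_t *buf, size_t len, struct scan_result *out)
{
    union { struct x_ifreq req; uint8_t raw[X_IFNAMSIZ + 128]; } rec;
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        size_t left = len - off, step = sizeof(struct x_ifreq), salen;
        if (left < step)
            return -1;
        /* Records are packed, so buf + off may be misaligned for a struct
         * access: copy the fixed part out instead of dereferencing it. */
        memcpy(&rec.req, buf + off, sizeof rec.req);
        salen = rec.req.ifr_addr.sa_len;
        if (salen > sizeof(struct x_sockaddr))
            step = X_IFNAMSIZ + salen;      /* long address, longer record */
        if (step > left || step > sizeof rec.raw)
            return -1;
        memcpy(rec.raw, buf + off, step);   /* whole record, bounded */
        if (rec.req.ifr_addr.sa_family == X_AF_INET) {
            out->n_v4++;
        } else if (rec.req.ifr_addr.sa_family == X_AF_INET6 &&
                   salen >= sizeof(struct x_sockaddr_in6)) {
            memcpy(out->last_v6, rec.raw + X_IFNAMSIZ +
                   offsetof(struct x_sockaddr_in6, sin6_addr), 16);
            out->n_v6++;
        }
        off += step;
    }
    return 0;
}

/* The pre-patch pattern: copy one fixed-size ifreq and take the IPv6 address
 * from it. Returns how many of the 16 address bytes were inside the copy. */
size_t naive_v6_bytes(const uint8_t *record, uint8_t addr[16])
{
    struct x_ifreq req;
    size_t at = offsetof(struct x_sockaddr_in6, sin6_addr);
    size_t have = sizeof req.ifr_addr - at;
    memcpy(&req, record, sizeof req);
    memset(addr, 0, 16);
    memcpy(addr, (const uint8_t *)&req.ifr_addr + at, have);
    return have;
}

/* Append one constructed record; returns its length. */
static size_t put(uint8_t *p, const char *name, uint8_t family, uint8_t salen,
                  size_t addr_off, const uint8_t *addr, size_t addr_len)
{
    size_t step = X_IFNAMSIZ + (salen > 16 ? salen : 16);
    memset(p, 0, step);
    memcpy(p, name, strlen(name));
    p[X_IFNAMSIZ] = salen;
    p[X_IFNAMSIZ + 1] = family;
    memcpy(p + X_IFNAMSIZ + addr_off, addr, addr_len);
    return step;
}

/* Sample buffer: lo0 (IPv4), ed0 (IPv6 3ffe:501:100e:2000::1), ed0 (IPv4). */
size_t build_sample(uint8_t *buf)
{
    static const uint8_t lo[4] = {127, 0, 0, 1}, v4[4] = {10, 0, 0, 1};
    static const uint8_t v6[16] = {0x3f, 0xfe, 0x05, 0x01, 0x10, 0x0e, 0x20,
                                   0x00, 0, 0, 0, 0, 0, 0, 0, 0x01};
    size_t n = put(buf, "lo0", X_AF_INET, 16, 4, lo, 4);
    n += put(buf + n, "ed0", X_AF_INET6, 28, 8, v6, 16);
    n += put(buf + n, "ed0", X_AF_INET, 16, 4, v4, 4);
    return n;
}

int main(void)
{
    uint8_t raw[257], *buf = raw + 1, half[16];   /* odd start address */
    struct scan_result r;
    size_t n = build_sample(buf);
    if (scan_ifconf(buf, n, &r) != 0)
        return 1;
    printf("v4=%d v6=%d; fixed-size copy keeps %zu of 16 address bytes\n",
           r.n_v4, r.n_v6, naive_v6_bytes(buf + 32, half));
    return 0;
}
```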
Re: IPSec/VPN Config
> Hi all, > > Is there a howto/example guide for configuring IPSec for -current. Hi, I prepared one and sent the patches to freebsd-doc yesterday. I'll attach IPsec part from the document to end of this mail. Also, http://www.kame.net/newsletter/19991007/ might have better description about IPsec tunnel setup. Thanks, Yoshinobu Inoue > Needless to say I've spent fruitless hours trying to convince "setkey" > to sent an IPSec packet to my network's internet gateway w/o success. > My setup is typical: mobile/dynamic-assigned-ip-address freebsd box > trying to contact fixed address/private address network/(net 10)/ network > via an Ascend router with IPSec support. But according to "tcpdump" my > IPSec packets never leave. Help would be appreciated. > > Thanks a bunch. > > Kent --- +<<>> + +The current KAME supports both transport mode and tunnel mode. +However, tunnel mode comes with some restrictions. + +IPsec requires fairly complex configuration, so here we show transport +mode only. http://www.kame.net/newsletter/ has more comprehensive +examples. + +Let's setup security association to deploy a secure channel between +HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little +complicated example. From HOST A to HOST B, only old AH is used. +From HOST B to HOST A, new AH and new ESP are combined. + +Now we should choose algorithm to be used corresponding to "AH"/"new +AH"/"ESP"/"new ESP". Please refer to the "setkey" man page to know +algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH, +and new-DES-expIV with 8 byte IV for new ESP. + +Key length highly depends on each algorithm. For example, key +length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, +and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", +"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively. + +OK, let's assign SPI (Security Parameter Index) for each protocol. 
+Please note that we need 3 SPIs for this secure channel since three +security headers are produced (one for from HOST A to HOST B, two for +from HOST B to HOST A). Please also note that SPI MUST be greater +than or equal to 256. We choose, 1000, 2000, and 3000, respectively. + + +(1) + HOST A --> HOST B + + (1)PROTO=AH + ALG=MD5(RFC1826) + KEY=MYSECRETMYSECRET + SPI=1000 + +(2.1) + HOST A <-- HOST B + <-- +(2.2) + + (2.1) + PROTO=AH + ALG=new-HMAC-SHA1(new AH) + KEY=KAMEKAMEKAMEKAMEKAME + SPI=2000 + + (2.2) + PROTO=ESP + ALG=new-DES-expIV(new ESP) + IV length = 8 + KEY=PASSWORD + SPI=3000 + +Now, let's setup security association. Execute "setkey" on both HOST +A and B: + +# setkey -c +add 10.2.3.4 10.6.7.8 ah 1000 -m transport -A keyed-md5 "MYSECRETMYSECRET" ; +add 10.6.7.8 10.2.3.4 ah 2000 -m transport -A hmac-sha1 "KAMEKAMEKAMEKAMEKAME" ; +add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ; +^D + +Actually, IPsec communication doesn't process until security policy +entries will be defined. In this case, you must setup each host. + +At A: +# setkey -c +spdadd 10.2.3.4 10.6.7.8 any -P out ipsec + ah/transport/10.2.3.4-10.6.7.8/require ; +^D + +At B: +spdadd 10.6.7.8 10.2.3.4 any -P out ipsec + esp/transport/10.6.7.8-10.2.3.4/require ; +spdadd 10.6.7.8 10.2.3.4 any -P out ipsec + ah/transport/10.6.7.8-10.2.3.4/require ; +^D + +To utilize the security associations installed into the kernel, you +must set the socket security level by using setsockopt(). +This is per-application (or per-socket) security. For example, +the "ping" command has the -P option with parameter to enable AH and/or ESP. + +For example: +% ping -P "out ipsec \ + ah/transport/10.0.1.1-10.0.2.2/use \ + esp/tunnel/10.0.1.1-10.0.1.2/require" 10.0.2.2 + +If there are proper SAs, this policy specification causes ICMP packet +to be AH transport mode inner ESP tunnel mode like below. 
+ + HOST C ---> GATEWAY D --> HOST E + 10.0.1.110.0.1.2 10.0.2.1 10.0.2.2 + | | || + | === ESP ===| + AH == + + To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
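Review bot: In the security policy section the "At B:" listing starts directly with spdadd, while the "At A:" listing opens with "# setkey -c"; add the "# setkey -c" line at B so both listings can be typed as shown. The introduction also says only transport mode is shown, yet the ping -P example requests esp/tunnel and uses 10.0.1.x and 10.0.2.x addresses that belong to neither HOST A (10.2.3.4) nor HOST B (10.6.7.8); either keep that example to transport mode between A and B or state that it illustrates a separate gateway topology. Because the three keys are readable ASCII strings, one sentence saying they are samples to be replaced before use would help readers who copy the setkey lines.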
Re: Panic (TCP)
> > If persist timer is working, and if it happens to timeout between
> >     callout_reset(tp->tt_rexmt, tp->t_rxtcur,
> >                   tcp_timer_rexmt, tp);
> > and
> >     callout_stop(tp->tt_persist);
> > then the panic might happen at tcp_setpersist().
>
> This should never happen, since this code is supposed to be running at
> splnet(), which is supposed to block timeouts. Rather than papering
> over the problem, I'd like to understand how it's possible.

I also later thought so, but again I suspect that the part is also one
of the causes of the problem. Because as the value of tp->t_rexmt at
panic, retransmit timer also seemed to be running at the time, and I
can't find any other place which might cause this situation.

Also I think anyway the patch is better to be applied.

My assumption might be wrong but I am now trying if I can create some
patch that makes the problem very likely to happen.

Thanks,
Yoshinobu Inoue

> -GAWollman
>
> --
> Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
> [EMAIL PROTECTED]    | O Siem / The fires of freedom
> Opinions not those of| Dance in the burning flame
> MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick
Re: Panic (TCP)
> >Woops sorry I was wrong.
> >tp->tt_rexmt->c_flags is actually causing the panic, and the
> >necessary data is the contents of the tp->tt_rexmt->c_flags.
>
> (kgdb) print tp->tt_rexmt->c_flags
> $1 = 6
>
> (kgdb) print tp->tt_rexmt
> $2 = (struct callout *) 0xd5ce6c2c
>
> (kgdb) print (*tp->tt_rexmt)
> $3 = {c_links = {sle = {sle_next = 0xd5cd7c2c}, tqe = {tqe_next = 0xd5cd7c2c,
> tqe_prev = 0xd5cd83ac}}, c_time = 22275144, c_arg = 0xd5ce6b60,
> c_func = 0xc018bcdc , c_flags = 6}

Wmm, the contents of tp->tt_rexmt do not seem to be broken.

As the result of more review, I found one part which might cause the
problem in very delicate timing, tcp_output.c around line 776.

    if (!callout_active(tp->tt_rexmt) &&
        tp->snd_nxt != tp->snd_una) {
            callout_reset(tp->tt_rexmt, tp->t_rxtcur,
                          tcp_timer_rexmt, tp);
            if (callout_active(tp->tt_persist)) {
                    callout_stop(tp->tt_persist);
                    tp->t_rxtshift = 0;
            }
    }

If persist timer is working, and if it happens to timeout between
    callout_reset(tp->tt_rexmt, tp->t_rxtcur,
                  tcp_timer_rexmt, tp);
and
    callout_stop(tp->tt_persist);
then the panic might happen at tcp_setpersist().

This is same as Jan 5 version, but in more previous version, the code
was like below,

    if (tp->t_timer[TCPT_REXMT] == 0 &&
        tp->snd_nxt != tp->snd_una) {
            tp->t_timer[TCPT_REXMT] = tp->t_rxtcur;
            if (tp->t_timer[TCPT_PERSIST]) {
                    tp->t_timer[TCPT_PERSIST] = 0;
                    tp->t_rxtshift = 0;
            }
    }

Same problem might also happen in this case but the running steps were
fewer than now, so it was more difficult to happen.

I think applying following patch will be safer.
Please review this patch.
(Same kind of patch might better to be applied into stable also.)

Thanks,
Yoshinobu Inoue

Index: tcp_output.c === RCS file: /home/ncvs/src/sys/netinet/tcp_output.c,v retrieving revision 1.39 diff -u -r1.39 tcp_output.c --- tcp_output.c2000/02/09 00:34:40 1.39 +++ tcp_output.c2000/02/22 04:13:32 
@@ -775,12 +775,12 @@ */ if (!callout_active(tp->tt_rexmt) && tp->snd_nxt != tp->snd_una) { - callout_reset(tp->tt_rexmt, tp->t_rxtcur, - tcp_timer_rexmt, tp); if (callout_active(tp->tt_persist)) { callout_stop(tp->tt_persist); tp->t_rxtshift = 0; } + callout_reset(tp->tt_rexmt, tp->t_rxtcur, + tcp_timer_rexmt, tp); } } else if (SEQ_GT(tp->snd_nxt + len, tp->snd_max)) To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
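Review bot: The comment that ends just above this block is left unchanged, so nothing in the code records why callout_stop(tp->tt_persist) now has to come before callout_reset(tp->tt_rexmt, ...); a later cleanup could quietly restore the old order. Please add a line to that comment saying the persist timer is stopped first so that the retransmit and persist timers are never both pending. The commit message should also say whether this closes a window that exists even at splnet(), since the thread has not yet established how a timeout can fire there.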
Re: Panic (TCP)
> >Now I am very much interested in the value of
> >tp->tt_persist->c_flags at panic, if CALLOUT_PENDING and
> >possibly other flags are just set, or completely broken data
> >is written on it.
>
> 893
> (kgdb) print tp->tt_persist->c_flags
> $1 = 0

Woops sorry I was wrong.
tp->tt_rexmt->c_flags is actually causing the panic, and the
necessary data is the contents of the tp->tt_rexmt->c_flags.

Yoshinobu Inoue
Re: Panic (TCP)
> >Might there be incorrect memory over writing?
>
> How you mean?

I think one possibility of the problem is that some code is
incorrectly overwriting some part of the memory, and a tcpcb's
tt_persist->c_flags happens to be overwritten.

Now I am very much interested in the value of
tp->tt_persist->c_flags at panic, if CALLOUT_PENDING and
possibly other flags are just set, or completely broken data
is written on it.

And if the latter, I am also interested in other values around
tp->tt_persist->c_flags, to check what kind of value is
written around there.

> Debugging tips are welcome, since I am not the biggest bulb wrt
> debugging.

I am not also, and you might have already known these things,
but in case they are useful,

  -If DDB is specified in kernel config file, and all src/sys
   tree including sys/compile dir is saved onto another
   machine, it will be very useful at next panic, because
   remote GDB debugging is available by those data.
   (Though if the bug happens at very delicate timing, it might
   prevent the bug from happening again.)

  -Adding some printfs in tcp_output.c:tcp_setpersist() panic
   case might be useful.

Thanks,
Yoshinobu Inoue
Re: Panic (TCP)
> > Just caught panic #3 on my Diablo newstransit box running 4.0 from the
> > 7th of February.
> We have 60GB IN/OUT each day, and it runs fine:
>
> $ uptime
> 12:09PM up 46 days, 17:19, 1 user, load averages: 0.62, 0.66, 0.64
>
> 4.0-CURRENT FreeBSD 4.0-CURRENT #4: Wed Jan 5 14:36:46 CET 2000
>
> Try downgrading ?

Wmmm, there were many changes to tcp code for IPv6 support after
Jan 5.

I reviewed tcp_setpersist related code and such problem does not seem
to happen in correct state.
Might there be incorrect memory over writing?
Do you have any other data, such as *tt_persist value at panic?

And is there any other person who experienced same kind of problem
and has any hints to diagnose this?

I'll again review my changes.

Thanks,
Yoshinobu Inoue
Re: EPSV patch for review (was Re: Broken FTP)
> Please review this patch. It fix all problems I mention.

Thanks, as far as I reviewed and actually confirmed, your
patches solved every problem. :-)

Yoshinobu Inoue
IPv6 scoped addr format change
Hello,

Unfortunately, I have a notice that IPv6 scoped addr format
will change again.

It was once changed, following the recent discussion between people
who are preparing IPv6 scoped addr draft for next IETF meeting
in March, like below.

  From  addr@scope
  To    scope%addr

And I committed the change.

But, in more recent discussion, it further changed like below.

  From  scope%addr
  To    addr%scope

Because some MIB expert commented that optional data before
addr is not suitable for MIB definition.

About that change I didn't commit yet, because I'm afraid of
another change. But this time the proposal seems to be stable.

But anyway, there is no guarantee that it can get consensus at
March IETF meeting, and same format could be adopted in the RFC
to be published after the meeting, maybe around April or later.

But some scope addr format needs to be supported in 4.0.

So now I think of following things.

  -Adopt the format below now, and never change it again
   before 4.0 release.
     addr%scope

  -If future RFC will adopt another format, then support it
   also. E.g,
     Print out in new format.
     Support each format as input.

Sorry for flapping, but it is the best approach I can think of now.

Thanks,
Yoshinobu Inoue
Re: IPv6
> I ran across a few problems after I remade world. The new scoped
> address syntax breaks /etc/rc.network6. In particular, some lines that
> look like:

Sorry not to announce it yet, but scoped addr format will still
change, like below.

  addr%scope

I'll send another mail to describe it in next to this mail.
When this change happens, those problems will be resolved.

> Finally, could you say whether or not lo0 should really be the default
> value for ipv6_default_interface in /etc/defaults/rc.conf? I have this
> vague feeling it's wrong but I don't know enough to say why:
>
> > +ipv6_default_interface="lo0" # Default output interface for scoped addrs.

Maybe your concern is that packets to the default interface
should be sent out to outside of host, at least?

On the other hand, I thought there should be some default
interface by default, but I am afraid that an approach of just
choosing some interface as default interface might end up
choosing a non working interface.

But now I feel choosing lo0 approach is also somewhat strange.

So I'll try following approach.

  -"ipv6_default_interface" is empty by default
  -When all of "ipv6_network_interfaces", "gif_interfaces",
   and "ipv6_default_interface" are empty, then there will be
   no default interface
  -When "ipv6_default_interface" is empty but
   "ipv6_network_interfaces" and/or "gif_interfaces" is not
   empty, then choose one default interface from there.

Thanks,
Yoshinobu Inoue

> Thanks!
>
> Bruce.
Re: Broken FTP
> > Could you please create the patch which seems to be safely
> > committed? That will be very much help.
>
> Well, I can try but I need to know most shortest and most trivial EPSV
> check sequence from you since can't check it locally and don't know about EPSV.

EPSV is just enhanced version of PASV, and I think it needs to
check same kind of errors. Maybe same check as getreply() in
ftp/ftp.c will be necessary. About the spec, please check
RFC2428.

But the problem is that the error message is printed in
getreply() which is called from command(), because the error
message is sent from server.

So following type of check won't work because when returned
from command(), the error message is already printed out...

> Look at util.c setpeer() function lines
>
> if (command("PASSERVE %s", argv[1]) != COMPLETE) { ...
>
> and below
>
> if (command("SYST") == COMPLETE && overbose) { ...
>
> the check must be in this style...
> --
> Andrey A. Chernov
> <[EMAIL PROTECTED]>
> http://nagual.pp.ru/~ache/
Re: IP tunnel
> Hello!
>
> What about ${subj} in current?
> Or maybe someone know how to make
> ip tunnel on current using patches, tools, etc.?
>
> Thanx.

Maybe there are several ways, and one thing I know is gif
interface recently added.

It can be used by adding following entry in your kernel config.
(Any number can be specified.)

  pseudo-device gif 4

It can do,
  IPv6 over IPv4
  IPv4 over IPv6
  IPv4 over IPv4
  IPv6 over IPv6
tunnelings.

To configure outer addresses, use gifconfig, like,

  gifconfig gif0 10.1.1.1 10.1.1.2

You need to do opposite on the 10.1.1.2 machine.

And to configure inner addresses, just use ifconfig for gif
interfaces.

Also please take care not to create infinite loop tunnel, when
you do,
  IPv4 over IPv4
  IPv6 over IPv6

Please check man for gifconfig for details.

Yoshinobu Inoue
Re: Broken FTP
> > OK I'll change not to try it once it fails.
>
> It seems your last patch _not_ fix the problem. Now I got:
>
> ftp> dir
> 500 'EPSV': command not understood.
>
> on first 'dir' command issued. This is with wu-ftpd. Remember that different
> ftpd's could have slightly different format for response so you should
> not rely on it much.
>
> Could you please try EPSV automatically on _login_ and eat predictable response
> instead of trying on first user command? In that way you can reflect EPSV-able
> status in ftp's 'status' command to give user info is remote ftpd
> EPSV-compatible or not, as I already describe in previous messages.

But the change to do it seems to be not so simple as can be
done in this code freeze phase. (At least with my level of
understanding of ftp code.)
Somewhat no printing version of getreply() seems to be
necessary.

Could you please create the patch which seems to be safely
committed? That will be very much help.

Thanks,
Yoshinobu Inoue

> Andrey A. Chernov
> <[EMAIL PROTECTED]>
> http://nagual.pp.ru/~ache/
Re: IPv6
> I fixed it and other problems, and added another changes. (In
> particular, I mistakenly left my testing part in router
> case. Sorry.)
> I'll attach the new diffs.

I still made more several fixes to IPv6 configuration scripts.

  -changed the file rc.net6 to rc.network6
  -changed the func net6_pass1 to network6_pass1
  -changed several var name more unlikely to conflict
  -changed if several sentences in rc.network6 to case
   sentence like in rc.network
  -wrapped many var names by {}
  -and other fixes

I believe now it successfully configure each of router and
host case, very well.
Please try it anyone interested.

Thanks,
Yoshinobu Inoue

Index: defaults/rc.conf === RCS file: /home/ncvs/src/etc/defaults/rc.conf,v retrieving revision 1.48 diff -u -r1.48 rc.conf --- defaults/rc.conf2000/02/06 19:25:00 1.48 +++ defaults/rc.conf2000/02/18 12:53:06 
@@ -184,6 +184,32 @@ ### Miscellaneous network options: ### icmp_bmcastecho="NO" # respond to broadcast ping packets +### IPv6 options: ### +ipv6_enable="NO" # Set to YES to set up for IPv6. +ipv6_network_interfaces="auto" # List of network interfaces (or "auto"). +ipv6_gateway_enable="NO" # Set to YES if this host will be a gateway. +ipv6_router_enable="NO"# Set to YES to enable an IPv6 routing daemon. +ipv6_router="/usr/sbin/route6d"# Name of IPv6 routing daemon. +ipv6_router_flags="" # Flags to IPv6 routing daemon. +#ipv6_router_flags="-l"# Example for route6d with only IPv6 site local + # addrs. +#ipv6_network_interfaces="ed0 ep0" # Examples for router. + # Choose correct prefix value. +#ipv6_prefix_ed0="fec0:::0001 fec0:::0002" # Examples for rtr. +#ipv6_prefix_ep0="fec0:::0003 fec0:::0004" # Examples for rtr. +prefixcmd_enable="YES" # Use prefix command to assigne router prefix. +rtadvd_enable="NO" # Set to YES to enable an IPv6 router + # advertisement daemon. +mroute6d_enable="NO" # Do IPv6 multicast routing. +mroute6d_program="/usr/sbin/pim6dd"# Name of IPv6 multicast routing + # daemon. +mroute6d_flags="" # Flags to IPv6 multicast routing daemon. +gif_interfaces="NO"# List of GIF tunnels (or "NO"). +#gif_interfaces="gif0 gif1"# Examples typically for a router. + # Choose correct tunnel addrs. +#gifconfig_gif0="10.1.1.1 10.1.2.1"# Examples typically for a router. +#gifconfig_gif1="10.1.1.2 10.1.2.2"# Examples typically for a router. +ipv6_default_interface="lo0" # Default output interface for scoped addrs. ## ### System console options # Index: rc === RCS file: /home/ncvs/src/etc/rc,v retrieving revision 1.210 diff -u -r1.210 rc --- rc 2000/02/03 06:06:36 1.210 +++ rc 2000/02/18 12:53:07 
@@ -191,6 +191,15 @@ network_pass1 fi +case ${ipv6_enable} in +[Yy][Ee][Ss]) + if [ -r /etc/rc.network6 ]; then + . /etc/rc.network6 # We only need to do this once also. + network6_pass1 + fi + ;; +esac + # Mount NFS filesystems. echo -n "Mounting NFS file systems" mount -a -t nfs Index: rc.network6 === RCS file: rc.network6 diff -N rc.network6 --- /dev/null Fri Feb 18 03:29:51 2000 +++ rc.network6 Fri Feb 18 04:53:07 2000 @@ -0,0 +1,219 @@ +#! /bin/sh +# $FreeBSD$ + +# Note that almost all of the user-configurable behavior is no longer in +# this file, but rather in /etc/defaults/rc.conf. Please check that file +# first before contemplating any changes here. If you do need to change +# this file for some reason, we would like to know about it. + +# IPv6 startup + +network6_pass1() { + echo -n 'Doing IPv6 network setup:' + + case ${ipv6_gateway_enable} in + [Yy][Ee][Ss]) + # + # list of interfaces, and prefix for interfaces + # + case ${ipv6_network_interfaces} in + [Aa][Uu][Tt][Oo]) + ipv6_network_interfaces="`ifconfig -l`" + ;; + esac + ;; + *) + # + # manual configurations - in case ip6_gateway_enable=NO + # you can configure only single interface,
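Review bot: In the new rc.network6, the comment in the *) branch reads "in case ip6_gateway_enable=NO", but the variable tested by the enclosing case statement is ipv6_gateway_enable; use the real name so that someone searching rc.conf for it finds the setting. In the defaults/rc.conf hunk, "assigne" in the prefixcmd_enable comment should be "assign", and ipv6_default_interface="lo0" deserves a few words on why the loopback interface was picked as the default output interface for scoped addresses.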
Re: Broken FTP
> > But maybe it is better to print out the first error, as the fact?
>
> I have nothing against EPSV itself, I am against additional verbosity and
> performance degradation since it is tried before _each_ command.

OK I'll change not to try it once it fails.
But trying to do that I noticed that suppressing the first
error message is not easy, because it is sent by server.

Thanks,
Yoshinobu Inoue
Re: Broken FTP
Hello,

EPSV and EPRT are new ftp commands defined in RFC2428 and they are
used for IPv6 and NAT/firewall friendly IPv4 connection.

Current implementation is,

  (1)EPRT is only used if destination is IPv6 host.
  (2)EPSV is always tried first, and if server doesn't support
     it, then try PASV.

EPRT doesn't include IP address in its command, so it gives
performance benefit for NAT/firewall environment.

Above (2) might have surprised you, but if EPSV is not tried first,
then it won't be used, and there will be no performance benefit.

> I was experiencing the same thing with EPRT commands... I cvsupped,
> remade/installed ftp, and haven't seen that behavior since. Someone
> mentioned it was IPv6 related but I have no idea if that is the case.

EPRT was tried for any destination before, but now is changed
to be tried only for IPv6 host, so EPRT error won't happen now.

> -Will
>
> On Wed, 16 Feb 2000, Andrey A. Chernov wrote:
>
> > Current ftp client tries to put this unknown command on each remote
> > request:
> > 500 'EPSV': command not understood.
> > It is just too bothering.
> > Could it silently try once at the beginning and remember status during the
> > session?

Remembering the status might be reasonable. I'll try the fix.
But maybe it is better to print out the first error, as the fact?

Thanks,
Yoshinobu Inoue

> > --
> > Andrey A. Chernov
> > <[EMAIL PROTECTED]>
> > http://nagual.pp.ru/~ache/
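The "try EPSV first, fall back to PASV, remember the result for the session" behaviour discussed in this thread, as an added C example that is not the FreeBSD ftp client's code. The names ftp_session, send_fn and open_passive, the two scripted servers and their port values are constructed for illustration; only the 500 reply text comes from the thread. The EPSV parser is strict on purpose, because the reply is server-controlled input.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum epsv_state { EPSV_UNKNOWN, EPSV_OK, EPSV_UNSUPPORTED };

struct ftp_session {
    enum epsv_state epsv;   /* remembered for the whole control connection */
    int epsv_sent;          /* number of EPSV commands actually sent */
};

/* Hypothetical transport hook: send one command, return the reply line. */
typedef const char *(*send_fn)(const char *cmd);

/* RFC 2428 reply "229 <text> (<d><d><d><tcp-port><d>)". Returns port or -1. */
int parse_epsv_reply(const char *line)
{
    const char *p;
    char *end;
    char d;
    long port;

    if (strncmp(line, "229", 3) != 0 || (p = strchr(line, '(')) == NULL)
        return -1;
    d = p[1];                       /* delimiter, normally '|' */
    if (d < 33 || d > 126 || isdigit((unsigned char)d))
        return -1;                  /* digits are refused here to stay unambiguous */
    if (p[2] != d || p[3] != d || !isdigit((unsigned char)p[4]))
        return -1;                  /* protocol and address fields must be empty */
    port = strtol(p + 4, &end, 10);
    if (end[0] != d || end[1] != ')' || port < 1 || port > 65535)
        return -1;
    return (int)port;
}

/* RFC 959 reply "227 <text> (h1,h2,h3,h4,p1,p2)". Returns port or -1.
 * The host bytes are range-checked but not returned by this example. */
int parse_pasv_reply(const char *line)
{
    unsigned v[6];
    const char *p;
    int i;

    if (strncmp(line, "227", 3) != 0 || (p = strchr(line, '(')) == NULL)
        return -1;
    if (sscanf(p, "(%u,%u,%u,%u,%u,%u)",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return -1;
    for (i = 0; i < 6; i++)
        if (v[i] > 255)
            return -1;
    return (v[4] || v[5]) ? (int)(v[4] * 256 + v[5]) : -1;
}

/* Ask for a passive data port: EPSV until the server refuses it once. */
int open_passive(struct ftp_session *s, send_fn server)
{
    if (s->epsv != EPSV_UNSUPPORTED) {
        const char *reply = server("EPSV");
        int port = parse_epsv_reply(reply);

        s->epsv_sent++;
        if (port > 0) {
            s->epsv = EPSV_OK;
            return port;
        }
        if (reply[0] != '5')
            return -1;              /* malformed 229 or transient error: do not guess */
        s->epsv = EPSV_UNSUPPORTED; /* 5xx: never ask this server again */
    }
    return parse_pasv_reply(server("PASV"));
}

/* Constructed server without EPSV support, answering like the one in the thread. */
const char *legacy_server(const char *cmd)
{
    if (strcmp(cmd, "PASV") == 0)
        return "227 Entering Passive Mode (10,1,1,2,24,46)";
    return "500 'EPSV': command not understood.";
}

/* Constructed server that implements EPSV. */
const char *epsv_server(const char *cmd)
{
    if (strcmp(cmd, "EPSV") == 0)
        return "229 Entering Extended Passive Mode (|||6446|)";
    return "227 Entering Passive Mode (10,1,1,2,25,46)";
}

int main(void)
{
    struct ftp_session s = { EPSV_UNKNOWN, 0 };
    int i;

    for (i = 0; i < 3; i++)
        printf("legacy transfer %d: port %d\n", i + 1, open_passive(&s, legacy_server));
    printf("EPSV commands sent to legacy server: %d\n", s.epsv_sent);
    return 0;
}
```

Against the legacy server the 500 reply is received once, on the first transfer, and every later transfer goes straight to PASV.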
Re: IPv6
> It seems to Do The Right Thing for my single-homed endhost case > (unfortunately I still do not have a router I can test). There is one > change I would make, as a result of some feedback from Ollivier Robert > <[EMAIL PROTECTED]>: All instances of the variable $mroute6d > should probably be replaced by $mroute6d_program. (Most of the > variables defining programs in /etc/defaults/rc.conf are of the form > *_program.) I fixed it and other problems, and added another changes. (In particular, I mistakenly left my testing part in router case. Sorry.) I'll attach the new diffs. > I think it's important that we get something like this commited before > the release, if we want to say we're serious about supporting IPv6 in > FreeBSD 4.0-RELEASE. It's asking a little too much of users to figure > out the right sequence of commands to bring up an IPv6 node, so that > they can stick it into /etc/rc.local or something like that. OK, but I'll wait some more time to check if there is any problems. Yoshinobu Inoue Index: rc === RCS file: /home/ncvs/src/etc/rc,v retrieving revision 1.210 diff -u -r1.210 rc --- rc 2000/02/03 06:06:36 1.210 +++ rc 2000/02/15 18:42:06 @@ -191,6 +191,15 @@ network_pass1 fi +case ${ipv6_enable} in +[Yy][Ee][Ss]) + if [ -r /etc/rc.net6 ]; then + . /etc/rc.net6 # We only need to do this once also. + net6_pass1 + fi + ;; +esac + # Mount NFS filesystems. echo -n "Mounting NFS file systems" mount -a -t nfs Index: rc.net6 === RCS file: rc.net6 diff -N rc.net6 --- /dev/null Tue Feb 15 09:59:59 2000 +++ rc.net6 Tue Feb 15 10:42:07 2000 
@@ -0,0 +1,198 @@ +#! /bin/sh +# $FreeBSD$ + +# Note that almost all of the user-configurable behavior is no longer in +# this file, but rather in /etc/defaults/rc.conf. Please check that file +# first before contemplating any changes here. If you do need to change +# this file for some reason, we would like to know about it. + +# IPv6 startup + +net6_pass1() { + + echo -n 'Doing IPv6 network setup:' + + if [ X"${ipv6_gateway_enable}" = X"YES" ]; then + # + # list of interfaces, and prefix for interfaces + # NOTE: no trailing double colon necessary here! + # + case ${ipv6_network_interfaces} in + [Aa][Uu][Tt][Oo]) + ipv6_network_interfaces="`ifconfig -l`" + ;; + esac + else + # + # manual configurations - in case ip6router=NO + # you can configure only single interface, + # as specification assumes that + # autoconfigured host has single interface only. + # + case ${ipv6_network_interfaces} in + [Aa][Uu][Tt][Oo]) + ipv6_network_interfaces="`ifconfig -l \ + | sed -e 's/ .*//'`" + ;; + esac + fi + + # tool locations + prefixconfig=/usr/sbin/prefix + rtsol=/sbin/rtsol + gifconfig=/usr/sbin/gifconfig + route=/sbin/route + rtadvd=/usr/sbin/rtadvd + ndp=/usr/sbin/ndp + + # just to make sure + ifconfig lo0 up + + #determine the "default interface" used below + #if [ X"$defaultiface" = X"" ]; then + # use 1st interface in the list + # for i in $ipv6_network_interfaces; do + # defaultiface=$i + # break + # done + #fi + # disallow unicast packets without outgoing scope identifiers. + # if you instead want to route such packets to a "default" interface, + # comment out the 1st two lines, and enable the lines after them. 
+ if [ X"$defaultiface" != X"" ]; then + $route add -inet6 fe80:: ::1 -prefixlen 10 -interface \ + -ifp $defaultiface -cloning + $route add -inet6 fec0:: ::1 -prefixlen 10 -interface \ + -ifp $defaultiface -cloning + else + $route add -inet6 fe80:: -prefixlen 10 ::1 -reject + $route add -inet6 fec0:: -prefixlen 10 ::1 -reject + fi + + # disallow "internal" addresses to appear on the wire + $route add -inet6 :::0.0.0.0 -prefixlen 96 ::1 -reject + $route add -inet6 ::0.0.0.0 -prefixlen 96 ::1 -reject + + if [ X"${ipv6_gateway_enable}" = X"YES" ]; then + # act as a router + sysctl -w net.inet6.ip6.forwarding=1 +
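Review bot: rc.net6 tests the gateway setting with [ X"${ipv6_gateway_enable}" = X"YES" ], which matches only upper-case YES, while the rc hunk accepts any case for ipv6_enable through [Yy][Ee][Ss]. With ipv6_gateway_enable="yes" the script would silently take the host branch and skip sysctl -w net.inet6.ip6.forwarding=1; use the same case pattern in both places. The comment "in case ip6router=NO" also names a variable that does not appear anywhere in this patch.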
Re: IPv6
> I haven't really tested it very well (in particular, the router-specific > code is completely untested, because, well I don't really have the > ability at the moment). Comments welcome, or if one of the KAME team > members with commit privileges wants to fix it up and/or try to get > this code commited, that's fine too. > > Cheers, > > Bruce. Hi, sorry for delay but I tried it and added some fixes including change of some variable names to look like somewhat consistent with IPv4 variables. Please try if this works in your environment. Other people's trials are also welcome. And again, thanks for creating the template. :-) That was very helpful and I might not have tried to make this because I am lazy. Yoshinobu --- rc.orig Tue Feb 15 03:59:38 2000 +++ rc Sun Feb 13 17:27:21 2000 @@ -191,6 +191,15 @@ network_pass1 fi +case ${ipv6_enable} in +[Yy][Ee][Ss]) + if [ -r /etc/rc.net6 ]; then + . /etc/rc.net6 # We only need to do this once also. + net6_pass1 + fi + ;; +esac + # Mount NFS filesystems. echo -n "Mounting NFS file systems" mount -a -t nfs --- defaults/rc.conf.orig Tue Feb 15 03:59:29 2000 +++ defaults/rc.confTue Feb 15 03:58:15 2000 
@@ -184,6 +184,29 @@ ### Miscellaneous network options: ### icmp_bmcastecho="NO" # respond to broadcast ping packets +### IPv6 options: ### +ipv6_enable="NO" # Set to YES to set up for IPv6. +ipv6_network_interfaces="auto" # List of network interfaces (or "auto"). +ipv6_gateway_enable="NO" # Set to YES if this host will be a gateway. +ipv6_router_enable="NO"# Set to YES to enable an IPv6 routing daemon. +ipv6_router="/usr/sbin/route6d"# Name of IPv6 routing daemon. +ipv6_router_flags="" # Flags to IPv6 routing daemon. +#ipv6_router_flags="-l"# example for route6d with IPv6 site local addr +#ipv6_network_interfaces="ed0 ep0" #examples for router +#prefix_ed0="fec0:::0001 fec0:::0002" #examples for router +#prefix_ep0="fec0:::0003 fec0:::0004" #examples for router +rtadvd_enable="NO" # Set to YES to enable an IPv6 Router + # Advertisement daemon +rtadvd_flags="" +mroute6d_enable="NO" # Do IPv6 multicast routing. +mroute6d="/usr/sbin/pim6dd"# Name of IPv6 multicast routing daemon. +mroute6d_flags="" # Flags to IPv6 multicast routing daemon. +gifs="NO" # List of GIF tunnels (or "NO"). +#gifs="gif0 gif1" #examples typically for a router +#gifconfig_gif0="10.1.1.1 10.1.2.1"#examples typically for a router +#gifconfig_gif1="10.1.1.2 10.1.2.2"#examples typically for a router +defaultiface=""# Default output interface for scoped addrs + ## ### System console options # #! /bin/sh # $FreeBSD$ # Note that almost all of the user-configurable behavior is no longer in # this file, but rather in /etc/defaults/rc.conf. Please check that file # first before contemplating any changes here. If you do need to change # this file for some reason, we would like to know about it. # IPv6 startup net6_pass1() { echo -n 'Doing IPv6 network setup:' if [ X"${ipv6_gateway_enable}" = X"YES" ]; then # # list of interfaces, and prefix for interfaces # NOTE: no trailing double colon necessary here! 
# case ${ipv6_network_interfaces} in [Aa][Uu][Tt][Oo]) ipv6_network_interfaces="`ifconfig -l`" ;; esac else # # manual configurations - in case ip6router=NO # you can configure only single interface, as specification assumes that # autoconfigured host has single interface only. # case ${ipv6_network_interfaces} in [Aa][Uu][Tt][Oo]) ipv6_network_interfaces="`ifconfig -l | sed -e 's/ .*//'`" ;; esac fi # tool locations prefixconfig=/usr/sbin/prefix rtsol=/sbin/rtsol gifconfig=/usr/sbin/gifconfig route=/sbin/route rtadvd=/usr/sbin/rtadvd ndp=/usr/sbin/ndp # just to make sure ifconfig lo0 up #determine the "default interface" used below #if [ X"$defaultiface" = X"" ]; then # for i in $ipv6_network_interfaces; do # use 1st interface in the list # defaultiface=$i # break # done #fi # disallow unicast packets without outgoing scope identifiers. # if you instead want to route such packet
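Review bot: The new defaults/rc.conf variables gifs, defaultiface, prefix_ed0 and mroute6d do not follow the naming of the entries added beside them (ipv6_router, ipv6_router_flags) or the *_program form that, as noted elsewhere in this thread, most program variables in /etc/defaults/rc.conf use; short unprefixed names are more likely to clash with unrelated rc.conf settings, so consider ipv6_-prefixed names and mroute6d_program. rtadvd_flags="" is also the only added assignment without a trailing description comment.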
Re: getaddrinfo with IPv6 and unqualified hostname
> >lookup "foo" in /etc/hosts for either address type
> >lookup "foo.domain." in DNS ()
> >lookup "foo.domain." in DNS (A)
> >lookup "foo." in DNS ()
> >lookup "foo." in DNS (A)
> >
> >this seems the best to me, but I wouldn't know if it's a) easy, b) possible,
> >c) standards conforming. I'm not sure where /etc/hosts would go.
>
> As I said, the above order makes more sense. However, to do the above
> we need a MAJOR rewrite in src/lib/libc/net. BIND9 does not address
> this problem either. Let us (KAME) think what is the best solution
> in long-term, and short-term.

I think of doing at least followings soon.

  -Add "::1 localhost" into src/etc/hosts
  -Leave getaddrinfo() as is (not resolving system
   non-supporting af)
  -Add -4 options to dual stack apps, which restrict them to
   only resolve AF_INET. This is useful on INET6 enabled
   systems.
   (most of such apps already support it, but some apps not
   yet.)

Yoshinobu Inoue
Re: getaddrinfo with IPv6 and unqualified hostname
> >>I'm not sure what is meant in above (shin, if possible email me
> >>in Japanese privately).
> >Woops sorry, just replace AI_CANONNAME with AI_ADDRCONFIG.
>
> Now I see what you meant. Thanks. Then maybe getipnodebyname()
> misbehaving?

Yes it won't be spec conformant. But,,,

> NOTE: all existing getaddrinfo code (BIND8 = NRL, BIND9, KAME) has
> the same problem. To address this right I think there needs to be a
> big rewrite in src/lib/libc/net (can we meet 4.0 deadline with it?
> I'm not sure).

Big rewrite in this period will be impossible, and I think just
using AI_ADDRCONFIG inside getaddrinfo() will be realistic
choice. (And also need to fix maybe another problem which is
happening now.)

The effect is (in commit permission format :-) ),

  upside:   IPv4 apps on IPv4 only kernel don't need to wait
            resolving
  downside: getaddrinfo() on IPv4 only kernel don't do
            resolving. And it won't be spec conformant.

(But I think if AI_ADDRCONFIG become available for
getaddrinfo(), then most of apps will just specify
AI_ADDRCONFIG for getaddrinfo(), so the behaviour of each apps
will be same.)

Yoshinobu Inoue
Re: getaddrinfo with IPv6 and unqualified hostname
> >Wmmm, strangely enough, current getaddrinfo() still specifying
> >AI_CANONNAME inside. (It should be removed to conform current
> >spec, but as far as I checked, still there seems to be apps
> >which got into trouble with that change.)
>
> I'm not sure what is meant in above (shin, if possible email me
> in Japanese privately).

Woops sorry, just replace AI_CANONNAME with AI_ADDRCONFIG.

Yoshinobu Inoue
Re: getaddrinfo with IPv6 and unqualified hostname
> >> Is it just some misconfiguration of mine which causes getaddrinfo()
> >> with an unqualified hostname, IPv6 and hints->ai_family == AF_UNSPEC
> >> to block (trying a DNS lookup I guess), even when the hostname has a
> >> perfectly good IPv4 address, or is this normal behaviour? This seems
> >> rather annoying, and means something as simple as "ftp otherhost" will
> >> block unless I use the FQDN. Is there any way to avoid this behaviour?
> >It may happen with older version of getaddrinfo() at least.
> >getaddrinfo() in getaddrinfo.c before 1.5 did reverse lookup
> >when AI_CANONNAME flag is specified, so if reverse lookup
> >information was not obtained, it would block.
>
> Ben, if you run tcpdump, do you see forward lookups for ?
>
> If so, I believe this problem is same as this one, not AI_CANONNAME
> issue in old getaddrinfo code:
> http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=9413

Wmmm, strangely enough, current getaddrinfo() still specifying
AI_CANONNAME inside. (It should be removed to conform current
spec, but as far as I checked, still there seems to be apps
which got into trouble with that change.)

So same problem should not happen, though I have already
received same kind of problem report before privately.
(And not resolving it yet.)

I'll more look into this problem.

Thanks for info.
Yoshinobu Inoue
Re: INET6 changes for tcp_wrappers broke libwrap?
> On Sun, Feb 13, 2000 at 01:48:04PM +0100, Blaz Zupan wrote:
> > > Bumping libwrap's shared lib version is trivial. Lets *quickly* decided
> > > if this is necessary.
> >
> > I see that this has been done. It should also not be forgotten to add
> > libwrap to the compat3x libraries!
>
> Yes, and I've already secured JKH's ok to do this yesterday.

Please also consider libutil if it is not yet included in it.
(I just committed libutil version up, because it also depends
on libc.so.4)

Thanks,
Yoshinobu Inoue
Re: getaddrinfo with IPv6 and unqualified hostname
> Is it just some misconfiguration of mine which causes getaddrinfo()
> with an unqualified hostname, IPv6 and hints->ai_family == AF_UNSPEC
> to block (trying a DNS lookup I guess), even when the hostname has a
> perfectly good IPv4 address, or is this normal behaviour? This seems
> rather annoying, and means something as simple as "ftp otherhost" will
> block unless I use the FQDN. Is there any way to avoid this behaviour?

It may happen with older version of getaddrinfo() at least.
getaddrinfo() in getaddrinfo.c before 1.5 did reverse lookup
when AI_CANONNAME flag is specified, so if reverse lookup
information was not obtained, it would block.

If the problem happens with newest getaddrinfo.c (1.8), then
there might be another problem.

I can't repeat it on my remote current machine,
(As far as I tested as below.
  -find some IP addrs which I fail reverse lookup
  -and set it some name in my host's /etc/hosts file
  -and try with the name)
but I'll also try it with my local machine when I back to my
home today.

Yoshinobu Inoue
Re: S/Key authentication fails for ftpd
> I am not good at this, but I thought about it more and now I
> feel adding following entries for 'other' like for 'login'
> might be better?
> (I confirmed it works.)
>
> +other authsufficient pam_unix.so
> other authrequired pam_unix.so try_first_pass

Woops, there was a mistake, it should be,

+other authsufficient pam_skey.so
other authrequired pam_unix.so try_first_pass

Yoshinobu Inoue
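Review bot: the added `sufficient` line is placed under `other`, which is the fallback for any service without entries of its own, so S/Key becomes an accepted path for all of those services and not only for ftpd. If only ftpd is meant to change, put the two lines under the service name ftpd hands to PAM and leave `other` as it was; either way, a comment in pam.conf saying why the S/Key line is there would help the next reader.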
Re: S/Key authentication fails for ftpd
> > -Or, change the pam.conf entry like below.
> >
> > - other authrequiredpam_unix.so try_first_pass
> > + other authrequiredpam_skey.so try_first_pass
> >
>
> I confirm that the change in the pam.conf entry also fixes the problem
> in my environment.

I am not good at this, but I thought about it more and now I feel adding following entries for 'other' like for 'login' might be better?
(I confirmed it works.)

+other authsufficient pam_unix.so
other authrequired pam_unix.so try_first_pass

Comments from experts for this are really welcome!

Thanks,
Yoshinobu Inoue

> Thanks,
> -- JMA
> ---
> José Mª Alcaide | mailto:[EMAIL PROTECTED]
> Universidad del País Vasco | mailto:[EMAIL PROTECTED]
> Dpto. de Electricidad y Electrónica | http://www.we.lc.ehu.es/~jose
> Facultad de Ciencias - Campus de Lejona | Tel.: +34-946012479
> 48940 Lejona (Vizcaya) - SPAIN | Fax: +34-946013071
> ---
> "Beware of Programmers who carry screwdrivers" -- Leonard Brandwein
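Review bot: in the newly proposed stack, the added line `+other authsufficient pam_unix.so` names pam_unix.so, the same module as the `required` line under it, so pam_skey.so is never called by these two entries. The text says the aim is to mirror the 'login' entries, so the `sufficient` line presumably should name pam_skey.so.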
Re: S/Key authentication fails for ftpd
> The subject says all ;-). System version: 4.0-2229-CURRENT (ftpd 6.00LS).
>
> However, S/Key authentication works for telnet and login. Of course,
> the simple cleartext password authentication method does work for ftpd.
> It looks like a bug in ftpd (or PAM?).
> I log auth.info messages in /var/log/authlog, but there aren't any ftpd or
> PAM messages in that file.
>
> I also upgraded /etc/pam.conf to version 1.5.
>
> -- JMA

I'm not sure what is the correct solution, but I think I found what is happening.

In ftpd.c pass() function, pam authentication is tried before skey authentication, and if pam auth failed, then it fails without trying skey authentication.

#if !defined(NOPAM)
        rval = auth_pam(&pw, passwd);
        if (rval >= 0)
                goto skip;
#endif
#ifdef SKEY
        rval = strcmp(skey_crypt(passwd, pw->pw_passwd, pw, pwok),
                      pw->pw_passwd);
        pwok = 0;
#else
        rval = strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd);
#endif
        /* The strcmp does not catch null passwords! */
        if (*pw->pw_passwd == '\0' ||
            (pw->pw_expire && time(NULL) >= pw->pw_expire))
                rval = 1;       /* failure */
skip:
        /*
         * If rval == 1, the user failed the authentication check
         * above. If rval == 0, either PAM or local authentication
         * succeeded.
         */
        if (rval) {
                reply(530, "Login incorrect.");
                if (logging)
                        syslog(LOG_NOTICE,
                            "FTP LOGIN FAILED FROM %s, %s",
                            remotehost, curname);

And in /etc/pam.conf version 1.5, ftp seems to be matching the following entry.

other authrequiredpam_unix.so try_first_pass

Because pam_unix.so is used for skey authentication, it naturally fails.
(In my environment, my old pam.conf doesn't have the entry, so the problem didn't happen.)

As far as I confirmed, following trial fixed this situation.

  -Disabled pam authentication in ftpd.c, pass()
  -Or, change the pam.conf entry like below.

- other authrequiredpam_unix.so try_first_pass
+ other authrequiredpam_skey.so try_first_pass

But I don't think these are real solution.

Maybe,
  -Change ftpd.c user() function to use pam also?
   (I don't know how to do it.)
  -Or, if pam authentication failed in pass() function, then try skey authentication?
  -Or else?

Advice from more experts is welcome.

Thanks,
Yoshinobu Inoue
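Review bot: the pam.conf change replaces pam_unix.so with pam_skey.so on the only `other` auth line shown, so for every service that falls through to `other`, whether an ordinary Unix password is still accepted through PAM depends entirely on pam_skey.so. Adding a pam_skey.so line ahead of the existing pam_unix.so line, rather than replacing it, would keep both methods available; the message itself already says neither trial fix is a real solution.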
IPv6 scoped addr format change
Hello,

FYI, recently IPv6 scoped addr format is changed on KAME repository, so the change is also merged to 4.0. The scoped addr format is typically used for IPv6 link local addr.

  before: addr@scope
  after:  scope%addr

Before change, they were printed like this,

%netstat -r -f inet6
Routing tables

Internet6:
Destination    Gateway          Flags   Netif  Expire
localhost      localhost        UH      lo0
fe80::@xl0     link#1           UC      xl0
fe80::@lo0     fe80::1@lo0      Uc      lo0
fe80::@gif0    fe80::210:5af    Uc      gif0

After the change, they are printed like this,

Internet6:
Destination    Gateway               Flags   Netif  Expire
localhost      localhost             UH      lo0
xl0%fe80::     link#1                UC      xl0
lo0%fe80::     lo0%fe80::1           Uc      lo0
gif0%fe80::    gif0%fe80::210:5af    Uc      gif0

The change from '@' to '%' is to prevent the confusion with existing notations such as user@host.

And IPv6 addr is long and tends to be truncated at the end, just as seen above in the gif0 Gateway, so placing scope part at the top of addr will be convenient.

Cheers,
Yoshinobu Inoue
Re: ftp 10.10
> >> >also support shortened form(such as 172.16 for 172.0.0.16 above),
> >> >after some more wait, maybe today.
> >>
> >> In which case, could you also make the following change (untested) to
> >> netstat(1) to remove the ambiguity in address abbreviations:
> >Wmmm, this might be reasonable, but are not there any hidden
> >thought on this?
>
> My feeling is that both changes should be applied together, but
> it would be nice to get a broader range of views.

Yes, but about getaddrinfo(), I think it is going back to original (gethostbyname) behaviour before 1 month ago, rather than changing.

Cheers,
Yoshinobu Inoue

> Peter
Re: ftp 10.10
> >So I think I'll make small changes to getaddrinfo() for it to
> >also support shortened form(such as 172.16 for 172.0.0.16 above),
> >after some more wait, maybe today.
>
> In which case, could you also make the following change (untested) to
> netstat(1) to remove the ambiguity in address abbreviations:

Wmmm, this might be reasonable, but are not there any hidden thought on this? As I checked the cvsweb, this code seems to be there from the beginning.

I feel discussing and trying this after 4.0 will be safer, because this contradiction has been there for a long time.

Yoshinobu Inoue

> }
> if (cp)
> strncpy(line, cp, sizeof(line) - 1);
> - else if ((i & 0xff) == 0)
> - sprintf(line, "%lu", C(i >> 24));
> - else if ((i & 0x) == 0)
> - sprintf(line, "%lu.%lu", C(i >> 24) , C(i >> 16));
> - else if ((i & 0xff) == 0)
> - sprintf(line, "%lu.%lu.%lu", C(i >> 24), C(i >> 16), C(i >> 8));
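Review bot: as quoted, the three removed tests read `(i & 0xff) == 0`, `(i & 0x) == 0` and `(i & 0xff) == 0`, so the first and third are the same expression and the second has no mask digits; the hunk should be checked against the file in the tree before it is applied. The hunk also ends on removed lines with no trailing context, so it is worth confirming that the code left after `strncpy(line, cp, sizeof(line) - 1)` still prints the full four-part address when `cp` is NULL.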
Re: ftp passive modem is on by defaut?
> shin> The 1st trial seems to be rejected at,
> shin> 500 Illegal PORT range rejected.
> shin> and 2nd trial seems to be accepted at,
> shin> 200 pcmd command successful.
>
> This problem was reported at [FreeBSD-users-jp 46521]. It is
> Japanese FreeBSD mailing list.
> In my experience, EPRT didn't fail in such case. I didn't
> understand what you say. At last, I understand it. It's my
> misunderstanding of my test environment.
> I used NetBSD-current for FTP server. FreeBSD version of ftpd
> checks the validity of PORT request for security reason by default.
> EPRT request via NAT box is rejected by this check. But, NetBSD's
> ftpd need `checkportcmd' options to behave as FreeBSD does, and I
> didn't specify it. I think `ftpd -R' causes same situation.

OK, I realized it and actually confirmed that EPRT causes problem via NAT when ftpd is execed with -R option.

> shin> The connection hanged at
> shin> 229 Entering Extended Passive Mode (|||1044|)
> shin> for a while, so I aborted it.
>
> This is something strange. I still cannot understand why it
> occurs. It seems libalias does no additional thing for PASV. So, I
> think, if EPSV isn't NAT friendly, PASV would also fail.

Sorry this is my firewall setting mistake and PASV also failed. After I fixed the configuration, both EPSV and PASV were OK.

I'll just change ftp command to use PORT command for IPv4.

Thanks,
Yoshinobu Inoue
Re: ftp 10.10
> Not supporting 127.1 violates POLA. Me, I hate 127.1. But some people
> expect it to work, and they have every right to.

Now there is some discussion about it on ietf/ipng list, but it is not yet clear if future document allows it or not.

If it does not become clear in this 1 or 2 days, I'll change getaddrinfo() and related functions to use inet_aton() for IPv4. (e.g. change it to allow 127.1)

Because,
  -RFC2553 doesn't forbid it.
  -X/Open spec clearly requires it.
so it is standard conformant now.

If standard documents would be updated to disallow it in the future, then we need to think of changing getaddrinfo() behaviour at that time.

Yoshinobu Inoue
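The parser difference this thread turns on, as an added example (not code from the thread or from FreeBSD's getaddrinfo()): inet_pton() accepts only four-part dotted decimal, while inet_aton() also accepts shorthand such as 127.1 and 10.10. classify_ipv4() and same_ipv4() are hypothetical helper names and the sample inputs are constructed.

```c
#define _DEFAULT_SOURCE         /* expose inet_aton() on glibc */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

enum v4_form { V4_INVALID, V4_DOTTED_QUAD, V4_SHORTHAND };

/*
 * Hypothetical helper: say which parser accepts `text` and write the
 * canonical four-part form of the address it denotes into `out`.
 */
enum v4_form classify_ipv4(const char *text, char *out, size_t outlen)
{
    struct in_addr addr;

    if (outlen > 0)
        out[0] = '\0';
    /* inet_pton() takes only the four-part dotted-decimal form. */
    if (inet_pton(AF_INET, text, &addr) == 1) {
        inet_ntop(AF_INET, &addr, out, (socklen_t)outlen);
        return V4_DOTTED_QUAD;
    }
    /* inet_aton() follows inet_addr() rules: "a", "a.b", "a.b.c" too. */
    if (inet_aton(text, &addr) != 0) {
        inet_ntop(AF_INET, &addr, out, (socklen_t)outlen);
        return V4_SHORTHAND;
    }
    return V4_INVALID;
}

/* Compare two address strings by parsed value, never as text. */
int same_ipv4(const char *a, const char *b)
{
    struct in_addr x, y;

    return inet_aton(a, &x) != 0 && inet_aton(b, &y) != 0 &&
           x.s_addr == y.s_addr;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "192.0.2.1", "10.10", "127.1", "172.16",
                              "ftp.example.org" };
    const char *names[] = { "invalid", "dotted-quad", "shorthand" };
    char canon[INET_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        enum v4_form f = classify_ipv4(samples[i], canon, sizeof(canon));
        printf("%-16s %-12s %s\n", samples[i], names[f], canon);
    }
    return 0;
}
```

Anything that compares or logs addresses (access lists, audit trails) should work on the canonical form, since "10.10" is 10.0.0.10 and not the 10.10.0.0 a reader might assume.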
Re: IPv6
> > > The two tweaks I remember off-hand was that the paths to commands are
> > > (of course) different under a 4.0-CURRENT environment and that ndp in
> > > -CURRENT works a little different than in the KAME snapshots I was
> > > using earlier.
> > What point is different for ndp?
> At least in the snapshot I have, ndp in KAME takes -I to show/specify an
> interface for the default route. ndp in 4.0-CURRENT doesn't have
> this option. I don't know how crucial this is.

Because -I option is added to KAME repository after KAME merging to freebsd-current started. I think missing the option is not so serious.

> > In KAME environment, IPv6 related configurations are done at
> > last of rc.conf. So it is at almost end of configuration.
>
> It turns out this won't work real well, because if I do this, then
> inetd gets started before we start up the IPv6 interfaces, which is
> bad for any IPv6 services to get started from inetd.

Oh, yes you are right.

> > I don't know if still such kind of change is permitted to
> > commit or not, but if you try to make some initial patch for
> > it, I think that is anyway good start and very helpful.
>
> OK, I've attached the results of a few hours of hacking. There's a
> diff for /etc/defaults/rc.conf, a diff for /etc/rc, and a new
> /etc/rc.net6 file all attached here. The /etc/rc.net6 file is a
> modified version of /usr/local/v6/etc/rc.net6 from the KAME
> distribution. Patches are all against 4.0-CURRENT, as of the middle of
> last week.
>
> I haven't really tested it very well (in particular, the router-specific
> code is completely untested, because, well I don't really have the
> ability at the moment). Comments welcome, or if one of the KAME team
> members with commit privileges wants to fix it up and/or try to get
> this code committed, that's fine too.

Thanks! I'll try it.

Yoshinobu Inoue

> Cheers,
>
> Bruce.
Re: ftp 10.10
> > | > inet_pton(). inet_pton() is defined in RFC2553 and it does not permit
> > | > non-standard IPv4 dotted-decimal, such as 10.10
> > |
> > | Do people have troubles with this change?
>
> I think supporting non-standard IPv4 addr form in
> getaddrinfo() is possible, because RFC2553 just says
> inet_pton() doesn't support non-standard form, but it doesn't
> say getaddrinfo() must use inet_pton() nor can't use
> inet_addr().

Itojun found that X/Open Networking Services Spec defines similar to above thing for getaddrinfo().

  -inet_addr() compatible IPv4 format is valid for AF_INET or AF_UNSPEC
  -inet_pton() compatible IPv6 format is valid for AF_INET6 or AF_UNSPEC

So replacing inet_pton() to inet_addr() in getaddrinfo() IPv4 related processing part seems to be a good answer. :-)

Yoshinobu Inoue
Re: IPv6
Hello,

> The two tweaks I remember off-hand was that the paths to commands are
> (of course) different under a 4.0-CURRENT environment and that ndp in
> -CURRENT works a little different than in the KAME snapshots I was
> using earlier.

What point is different for ndp?

> It seems to me that most of the functionality of rc.net6 could be folded
> into /etc/network. I've thought of writing up patches for this, but I'm
> not sure when the IPv6 initialization should take place with respect to
> the IPv4 interface configuration, starting up of daemons, setting of
> various sysctls, etc. (Also, there's some new variables that should be
> defined in /etc/defaults/rc.conf.)

In KAME environment, IPv6 related configurations are done at last of rc.conf. So it is at almost end of configuration.

I don't know if still such kind of change is permitted to commit or not, but if you try to make some initial patch for it, I think that is anyway good start and very helpful.

Yoshinobu Inoue

> Bruce.
Re: ftp 10.10
> | > inet_pton(). inet_pton() is defined in RFC2553 and it does not permit
> | > non-standard IPv4 dotted-decimal, such as 10.10
> |
> | Do people have troubles with this change?

I think supporting non-standard IPv4 addr form in getaddrinfo() is possible, because RFC2553 just says inet_pton() doesn't support non-standard form, but it doesn't say getaddrinfo() must use inet_pton() nor can't use inet_addr().

And to think about existing many scripts which would be using non-standard forms, I gradually tend to think giving away it is not clever choice. Also I haven't yet found any grounds for abandoning the non-standard forms.

But I'll think about this a little bit more.

Yoshinobu Inoue
Re: ftp 10.10
> marc> With ping it is still functioning. I cannot find what changed this.
> marc> cvs messages for Changes to /usr/src/usr.bin/ftp/util.c of 18 and 20
> marc> Jan do not mention it. So maybe somewhere else to look?
>
> Several applications which support both IPv4 and IPv6, such as
> telnet/ftp, has used getaddrinfo() for resolving hostnames.
>
> If IPv4 dotted-decimal forms are given, getaddrinfo() calls finally
> inet_pton(). inet_pton() is defined in RFC2553 and it does not permit
> non-standard IPv4 dotted-decimal, such as 10.10

Do people have troubles with this change?

Yoshinobu Inoue
Re: ftp passive modem is on by defaut?
> shin> (About EPRT, initiating client retry PORT command next if EPRT
> shin> fails, so trying EPRT first will be OK.)
> No. In this scenario, if server knows EPRT, EPRT request will be
> accepted, and will not fail. But, existing NAT box doesn't handle
> EPRT request. So, NAT box cannot treat data connection as if it treat
> for PORT. Then, data connection request from server will not reach to
> client.
> shin> As RFC2428(FTP Extensions for IPv6 and NATs), EPSV can be used
> shin> for IPv4 and IPv6 and it has performance benefit for firewall
> shin> and NAT, because it doesn't include an IP address in its
> shin> command, so firewall and NAT doesn't need to translate them.
> No problem will occur with EPSV on even if IPv4. If server doesn't
> know EPRT, client will try PASV next.

There seems to be also some problem in the reverse case.
I actually tested in the following environment. (I should have checked it earlier in the first place.)

  My home         router                remote
  current         3.3                   current
  /usr/bin/ftp    /usr/sbin/ppp -nat    /usr/libexec/ftpd

In non passive case,

ftp> dir
500 Illegal PORT range rejected.
200 pcmd command successful.
150 Opening ASCII mode data connection for '/bin/ls'.
total 4
dr-xr-xr-x 2 root operator 512 Jan 2 14:50 bin
dr-xr-xr-x 2 root operator 512 Jan 2 14:50 etc
drwxrwxrwt 2 root operator 512 Jan 2 14:50 incoming
drwxr-xr-x 2 root operator 1024 Feb 4 12:54 pub
226 Transfer complete.

The 1st trial seems to be rejected at,
  500 Illegal PORT range rejected.
and 2nd trial seems to be accepted at,
  200 pcmd command successful.

And then I tried passive mode.

ftp> passive
Passive mode on.
ftp> dir
229 Entering Extended Passive Mode (|||1044|)
^C
receive aborted
waiting for remote to finish abort.

The connection hung at
  229 Entering Extended Passive Mode (|||1044|)
for a while, so I aborted it.

> shin> So if no other better suggestion, I think I'll get permission
> shin> to fix 4.0 ftp client to try EPSV only for IPv6.
>
> EPSV is NAT friendly. I think disabling EPRT on IPv4 is better for a
> while.

I now feel disabling either of EPSV and EPRT via IPv4 is safe for 4.0.

Yoshinobu Inoue
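Why an EPRT that crosses a NAT unchanged draws "500 Illegal PORT range rejected.", as an added example (not ftpd's own code): a server-side check of an RFC 2428 EPRT argument against the control connection, which also illustrates the PORT validity check mentioned in the reply further up. The rule modelled here (address must equal the control peer, port must not be below 1024) is an assumption about the usual form of such a check; check_eprt() and the addresses are constructed.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum eprt_verdict { EPRT_OK, EPRT_SYNTAX, EPRT_FAMILY,
                    EPRT_ADDR_MISMATCH, EPRT_RESERVED_PORT };

/*
 * Hypothetical helper. `arg` is the EPRT argument "<d>proto<d>addr<d>port<d>"
 * (IPv4, proto 1, only); `control_peer` is the address the server sees on
 * the control connection.
 */
enum eprt_verdict check_eprt(const char *arg, const char *control_peer)
{
    char buf[128], *field[3], *p, *end;
    struct in_addr want, peer;
    size_t len = strlen(arg);
    long port;
    int i;

    if (len < 7 || len >= sizeof(buf) || arg[0] < 33 || arg[0] > 126 ||
        arg[len - 1] != arg[0])
        return EPRT_SYNTAX;
    memcpy(buf, arg + 1, len - 2);      /* drop the outer delimiters */
    buf[len - 2] = '\0';
    for (p = buf, i = 0; i < 3; i++) {  /* split proto, addr, port */
        field[i] = p;
        p = strchr(p, arg[0]);
        if (i < 2) {
            if (p == NULL)
                return EPRT_SYNTAX;
            *p++ = '\0';
        } else if (p != NULL) {
            return EPRT_SYNTAX;         /* too many fields */
        }
    }
    if (strcmp(field[0], "1") != 0)
        return EPRT_FAMILY;
    if (inet_pton(AF_INET, field[1], &want) != 1 ||
        inet_pton(AF_INET, control_peer, &peer) != 1 ||
        !isdigit((unsigned char)field[2][0]))
        return EPRT_SYNTAX;
    port = strtol(field[2], &end, 10);
    if (*end != '\0' || port > 65535)
        return EPRT_SYNTAX;
    if (want.s_addr != peer.s_addr)     /* data would go to a third host */
        return EPRT_ADDR_MISMATCH;
    if (port < 1024)
        return EPRT_RESERVED_PORT;
    return EPRT_OK;
}

int main(void)
{
    /* Constructed: client 192.168.1.10 sits behind a NAT seen as 203.0.113.7. */
    printf("EPRT not rewritten by NAT: %d\n",
           check_eprt("|1|192.168.1.10|6275|", "203.0.113.7"));
    printf("EPRT rewritten by NAT:     %d\n",
           check_eprt("|1|203.0.113.7|6275|", "203.0.113.7"));
    return 0;
}
```

With the check disabled, the server would instead try to connect to the private address named in the command, which is the case the thread reports as failing through NAT.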
Re: ftp passive modem is on by defaut?
> Since KAME version of ftp/ftpd was merged, ftp speaks EPSV/EPRT as
> default not only IPv6 but also IPv4. Currently, existing natd is not
> recognize EPRT. So, NAT user may be confuse. Please examine
> bin/14305.

Wmmm, I actually enabled it, but it is causing problems, so should EPSV only be allowed for IPv6 at least for several starting 4.x releases?
(About EPRT, initiating client retry PORT command next if EPRT fails, so trying EPRT first will be OK.)

As RFC2428(FTP Extensions for IPv6 and NATs), EPSV can be used for IPv4 and IPv6 and it has performance benefit for firewall and NAT, because it doesn't include an IP address in its command, so firewall and NAT doesn't need to translate them.

And there is also a chicken and egg issue, because if usual ftp clients don't try EPSV first, then usual firewall and NAT don't notice the necessity of supporting EPSV.

But now passive is used by default, and not many firewall and NAT support it yet, so many user will be upset that they can't connect to some of ftp servers.

So if no other better suggestion, I think I'll get permission to fix 4.0 ftp client to try EPSV only for IPv6.

Yoshinobu Inoue
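The RFC 2428 point made above, as an added example (not code from ftp(1) or from the thread): a client-side parser for the two passive replies, showing that 229 carries only a port while 227 carries an address that must match the control peer or have been translated on the way. data_endpoint() is a hypothetical helper; the 229 text is the one quoted in the thread, and the 227 replies and addresses are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum pasv_kind { PASV_BAD, PASV_227_SAME_HOST, PASV_227_OTHER_HOST, EPSV_229 };

/*
 * Extract the data-connection endpoint from a 227 (PASV) or 229 (EPSV)
 * reply. `control_peer` is the address the control connection goes to.
 */
enum pasv_kind data_endpoint(const char *reply, const char *control_peer,
                             char *host, size_t hostlen, int *port)
{
    const char *open = strchr(reply, '(');
    unsigned h[4], p[2];
    char *end;
    long n;
    int i;

    if (open == NULL)
        return PASV_BAD;
    if (strncmp(reply, "229 ", 4) == 0) {
        /* "(<d><d><d>port<d>)": no address, so nothing for a NAT to edit. */
        char d = open[1];

        if (d == '\0' || open[2] != d || open[3] != d ||
            !isdigit((unsigned char)open[4]))
            return PASV_BAD;
        n = strtol(open + 4, &end, 10);
        if (end[0] != d || end[1] != ')' || n < 1 || n > 65535)
            return PASV_BAD;
        snprintf(host, hostlen, "%s", control_peer);
        *port = (int)n;
        return EPSV_229;
    }
    if (strncmp(reply, "227 ", 4) == 0) {
        /* "(h1,h2,h3,h4,p1,p2)": the address is whatever the server wrote. */
        if (sscanf(open, "(%u,%u,%u,%u,%u,%u", &h[0], &h[1], &h[2], &h[3],
                   &p[0], &p[1]) != 6 || p[0] > 255 || p[1] > 255)
            return PASV_BAD;
        for (i = 0; i < 4; i++)
            if (h[i] > 255)
                return PASV_BAD;
        snprintf(host, hostlen, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
        *port = (int)(p[0] * 256 + p[1]);
        return strcmp(host, control_peer) == 0 ? PASV_227_SAME_HOST
                                               : PASV_227_OTHER_HOST;
    }
    return PASV_BAD;
}

int main(void)
{
    char host[64];
    int port = 0;
    enum pasv_kind k = data_endpoint(
        "229 Entering Extended Passive Mode (|||1044|)", "203.0.113.7",
        host, sizeof(host), &port);

    printf("kind=%d connect to %s port %d\n", k, host, port);
    return 0;
}
```

A client that gets PASV_227_OTHER_HOST can log the mismatch and fall back to the control peer's address instead of connecting to whatever host the reply names.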