Request to developers of if_bridge.ko - ETHER_BPF_MTAP vs BPF_MTAP
Back in FreeBSD 6.3 and 6.4 there was a bpf bug in if_bridge.c. This bug was sometimes a nice feature though, since it normalised the traffic sent to bpf, making it easier to sniff, analyse and debug the mirrored traffic. My request is for the possibility to have packet normalisation turned on based on a sysctl flag.

Scenario: I create a bridge0 interface using one or multiple parent NICs. Then I sniff traffic on this cloned NIC (tcpdump -nli bridge0 port 80).

Benefit: Multiple NICs are bonded together and can easily be sniffed on ONE interface with ONE sniffer process.

Drawback: The problem is that if the sniffer uses a bpf filter like "port 80", and the mirrored traffic consists of a mix of untagged and vlan tagged (802.1q) packets, only the untagged packets will match. To see if there is any www traffic in the mirrored vlans, one needs to change the filter to "vlan and port 80", but then you lose the untagged lan. ...catch 22.

The bug (feature) in sys/net/if_bridge.c prior to revision 186365 (http://svn.freebsd.org/viewvc/base?view=revision&revision=186365) was that if_bridge sent a copy of a packet to bpf using BPF_MTAP instead of using ETHER_BPF_MTAP. The result was that the sniffer got a copy of packets that had their vlan header (tag) stripped off. In the patched version, the full frame is mirrored to bpf. While this is correct, I'd like the possibility to override and see stripped packets instead.

Having a function that simply strips off any vlan tags from tagged packets is wonderful when it comes to sniffing, especially since switches from all brands behave differently when it comes to SPAN and vlan tags (a SYN could be mirrored untagged while the corresponding SYN+ACK is mirrored with a vlan tag set). It is also quite common that net admins configure uplink ports with multiple vlans AND an untagged lan. When you SPAN this uplink you get both tagged and untagged traffic in a mix.
By normalising the mirrored traffic sent to bpf, a network technician can more easily perform his network debugging. Also, there is less risk of human mistakes due to the lack of insight that he needs to use the 'vlan' keyword in his tcpdump/tshark/ngrep/whatever to see the full scope of the traffic. Also, state-keeping tools like snort and argus benefit from normalised traffic since they can't build a correct state table if the SYN and SYN+ACK belong to two different vlans.

My request is that if a sysctl variable (like net.link.bridge.bpf.strip_header) equals true, then if_bridge.ko will pass stripped (BPF_MTAP) packets to bpf. By default it should naturally pass the entire frame (ETHER_BPF_MTAP).

I know that passing stripped packets to bpf could be seen as ugly and bad, but compared to some of the problems a mixed environment can cause, I think that the possibility to manually override the default would be very useful. (In fact I know it, since I relied on the bug during the FreeBSD 6.3-6.4 period.)

There are only four places in if_bridge.c that need to be updated to something like this:

    if (net.link.bridge.bpf.strip_header == 1)
        BPF_MTAP(bifp, m);
    else
        ETHER_BPF_MTAP(bifp, m);

The question is whether other people besides myself see the benefits. Could we have this feature added to FreeBSD base? What are your thoughts?

/Elof
___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
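The catch-22 above, as an added example that is not part of the original post and not FreeBSD's if_bridge.c: a user-space version of the normalisation the post asks for, written in C. It strips 802.1Q (and stacked 802.1ad) tags from a captured frame and shows, on constructed sample frames, that a fixed-offset "tcp port 80" check of the kind bpf compiles for untagged traffic misses a tagged SYN until the tag is removed. The MAC addresses, VLAN IDs and TCP header bytes are made up for the example.

```c
/* Added example; not code from the post or from FreeBSD's if_bridge.c.
 * User-space equivalent of the normalisation the post asks for: strip
 * 802.1Q/802.1ad tags from a captured Ethernet frame so that a
 * fixed-offset filter such as "tcp port 80" matches tagged and untagged
 * frames alike. Sample frames are constructed here, not captured. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERTYPE_IP    0x0800
#define ETHERTYPE_VLAN  0x8100      /* 802.1Q C-tag */
#define ETHERTYPE_QINQ  0x88a8      /* 802.1ad S-tag (stacked VLANs) */
#define ETHER_HDR_LEN   14
#define VLAN_TAG_LEN    4

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Remove every VLAN tag that follows the MAC addresses by shifting the rest
 * of the frame left. Returns the new length; runts are returned untouched. */
size_t strip_vlan_tags(uint8_t *frame, size_t len)
{
    const size_t off = 12;                      /* TPID / ethertype offset */
    if (len < ETHER_HDR_LEN)
        return len;
    while (len - off >= VLAN_TAG_LEN + 2) {     /* a tag plus the next ethertype */
        uint16_t tpid = rd16(frame + off);
        if (tpid != ETHERTYPE_VLAN && tpid != ETHERTYPE_QINQ)
            break;
        memmove(frame + off, frame + off + VLAN_TAG_LEN, len - off - VLAN_TAG_LEN);
        len -= VLAN_TAG_LEN;
    }
    return len;
}

/* A fixed-offset "tcp port 80" test, the shape of what bpf compiles for an
 * untagged frame: ethertype at 12, IPv4 header at 14, ports after the IHL.
 * With a tag present every offset is shifted by 4 and the test fails. */
int matches_tcp_port80(const uint8_t *frame, size_t len)
{
    if (len < ETHER_HDR_LEN + 20 || rd16(frame + 12) != ETHERTYPE_IP)
        return 0;
    const uint8_t *ip = frame + ETHER_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ip[9] != 6 || ihl < 20)   /* IPv4 carrying TCP */
        return 0;
    if (len < ETHER_HDR_LEN + ihl + 4)
        return 0;
    const uint8_t *tcp = ip + ihl;
    return rd16(tcp) == 80 || rd16(tcp + 2) == 80;
}

/* Constructed IPv4/TCP SYN to port 80 (no options, no payload): 40 bytes. */
static const uint8_t ip_tcp_syn[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1, 10, 0, 0, 2,                               /* src, dst */
    0xc0, 0x01, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0,         /* 49153 -> 80 */
    0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0                      /* SYN, window */
};

/* Build a frame with 0..2 tags (vids outermost first; two tags use an
 * 802.1ad outer TPID). Locally administered MACs; returns the frame length. */
size_t build_frame(uint8_t *out, const uint16_t *vids, int ntags)
{
    static const uint8_t dst[6] = {0x02, 0, 0, 0, 0, 1};
    static const uint8_t src[6] = {0x02, 0, 0, 0, 0, 2};
    size_t n = 0;
    memcpy(out + n, dst, 6); n += 6;
    memcpy(out + n, src, 6); n += 6;
    for (int i = 0; i < ntags; i++) {
        uint16_t tpid = (ntags == 2 && i == 0) ? ETHERTYPE_QINQ : ETHERTYPE_VLAN;
        out[n++] = (uint8_t)(tpid >> 8);    out[n++] = (uint8_t)tpid;
        out[n++] = (uint8_t)(vids[i] >> 8); out[n++] = (uint8_t)vids[i];  /* PCP 0 */
    }
    out[n++] = 0x08; out[n++] = 0x00;                          /* IPv4 */
    memcpy(out + n, ip_tcp_syn, sizeof ip_tcp_syn); n += sizeof ip_tcp_syn;
    return n;
}

/* 1 when a tagged frame is missed before and matched after normalisation,
 * which is the catch-22 the post describes (0 tags: already matches, so 0). */
int demo_tagged_frame(int ntags)
{
    uint8_t f[128];
    const uint16_t vids[2] = {100, 200};
    size_t len = build_frame(f, vids, ntags);
    int before = matches_tcp_port80(f, len);
    len = strip_vlan_tags(f, len);
    int after = matches_tcp_port80(f, len);
    return before == 0 && after == 1 && len == ETHER_HDR_LEN + sizeof ip_tcp_syn;
}

/* 1 when an untagged frame matches directly and stripping leaves it alone. */
int demo_untagged_frame(void)
{
    uint8_t f[128];
    size_t len = build_frame(f, NULL, 0);
    return matches_tcp_port80(f, len) == 1 && strip_vlan_tags(f, len) == len;
}

int main(void)
{
    printf("untagged matches directly: %d\n", demo_untagged_frame());
    printf("802.1Q needs strip: %d, QinQ needs strip: %d\n",
           demo_tagged_frame(1), demo_tagged_frame(2));
    return 0;
}
```

tcpdump's "vlan" keyword works by shifting every later offset by four bytes, which is why "port 80" and "vlan and port 80" each see only half of a mixed SPAN feed; stripping the tag first lets one filter cover both. Stripping discards the VLAN ID, so keep the raw capture if you later need to know which VLAN a flow came from.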
DLNA - IGMPProxy
Hi,

I've got a shiny new Sony TV with DLNA support :) My fileserver is located in a different subnet so it is not accessible by the TV. The TV itself detects my netbook which is in the same subnet (and runs Win7) as a DLNA source. I've now tried to set up igmpproxy because I thought this might solve my problem accessing my DLNA server in another subnet.

- Sony TV: 10.0.2.102 (fxp2)
- FreeBSD system running mediatomb: 10.0.0.21 (fxp0)
- Win7 system: 10.0.1.51 (fxp1)

- I did kldload ip_mroute on my router to get MROUTING
- I added "allow ip from any to any { via fxp0 or via fxp1 or via fxp2 }" as a top rule to my ipfw configuration for testing.
- I installed igmpproxy, configuration:

    quickleave
    phyint fxp2 upstream ratelimit 0 threshold 1
        altnet 10.0.2.0/24
    phyint fxp0 downstream ratelimit 0 threshold 1
    phyint fxp1 downstream ratelimit 0 threshold 1
    phyint fxp3 disabled
    phyint tun0 disabled
    phyint lo0 disabled
    phyint ipfw0 disabled

- I started igmpproxy

My TV still does not find any DLNA sources. I did a tcpdump on my FreeBSD system and saw that some information was exchanged.

IGMP-Proxy output:

    Current routing table (Insert Route):
    -
    #0: Src: 0.0.0.0, Dst: 224.0.1.60, Age:2, St: I, OutVifs: 0x0002
    #1: Src: 10.0.2.102, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x0003
    #2: Src: 0.0.0.0, Dst: 224.0.0.252, Age:2, St: I, OutVifs: 0x0002
    -
    RECV V2 member report from 10.0.0.21 to 239.255.255.250
    Should insert group 239.255.255.250 (from: 10.0.0.21) to route table. Vif Ix : 0
    Updated route entry for 239.255.255.250 on VIF #0
    Vif bits : 0x0003
    Setting TTL for Vif 0 to 1
    Setting TTL for Vif 1 to 1
    Adding MFC: 10.0.2.102 - 239.255.255.250, InpVIf: 2

TCPDUMP from my FreeBSD system running mediatomb:

    16:30:36.785232 IP gurke-fxp0.salatschuessel.net > ALL-SYSTEMS.MCAST.NET: igmp query v2
    16:30:37.341940 IP nudel.salatschuessel.net.47362 > gurke-fxp0.salatschuessel.net.domain: 59241+ PTR? 1.0.0.224.in-addr.arpa. (40)
    16:30:37.348578 IP gurke-fxp0.salatschuessel.net.domain > nudel.salatschuessel.net.47362: 59241 1/3/5 PTR[|domain]
    16:30:37.348955 IP nudel.salatschuessel.net.19714 > gurke-fxp0.salatschuessel.net.domain: 59242+ PTR? 1.0.0.10.in-addr.arpa. (39)
    16:30:37.351946 IP gurke-fxp0.salatschuessel.net.domain > nudel.salatschuessel.net.19714: 59242* 1/1/0 PTR[|domain]
    16:30:38.352099 IP nudel.salatschuessel.net.43548 > gurke-fxp0.salatschuessel.net.domain: 59243+ PTR? 21.0.0.10.in-addr.arpa. (40)
    16:30:38.357630 IP gurke-fxp0.salatschuessel.net.domain > nudel.salatschuessel.net.43548: 59243* 1/1/0 PTR[|domain]
    16:30:40.761988 IP gurke-fxp0.salatschuessel.net > ALL-ROUTERS.MCAST.NET: igmp v2 report ALL-ROUTERS.MCAST.NET
    16:30:41.357794 IP nudel.salatschuessel.net.49398 > gurke-fxp0.salatschuessel.net.domain: 59244+ PTR? 2.0.0.224.in-addr.arpa. (40)
    16:30:41.361834 IP gurke-fxp0.salatschuessel.net.domain > nudel.salatschuessel.net.49398: 59244 1/3/5 PTR[|domain]
    16:30:44.403547 IP nudel.salatschuessel.net > 239.255.255.250: igmp v2 report 239.255.255.250
    16:30:45.361817 IP nudel.salatschuessel.net.15540 > gurke-fxp0.salatschuessel.net.domain: 59245+ PTR? 250.255.255.239.in-addr.arpa. (46)
    16:30:45.364535 IP gurke-fxp0.salatschuessel.net.domain > nudel.salatschuessel.net.15540: 59245 NXDomain 0/1/0 (103)
    16:31:05.596118 ARP, Request who-has gurke-fxp0.salatschuessel.net tell nudel.salatschuessel.net, length 28
    16:31:05.596255 ARP, Reply gurke-fxp0.salatschuessel.net is-at 00:50:8b:e3:3f:60 (oui Unknown), length 46
    16:31:07.616378 ARP, Request who-has fiori.salatschuessel.net tell gurke-fxp0.salatschuessel.net, length 46
    16:31:07.616394 ARP, Reply fiori.salatschuessel.net is-at 90:e6:ba:cc:ba:76 (oui Unknown), length 28
    16:31:08.363958 IP nudel.salatschuessel.net.56335 > gurke-fxp0.salatschuessel.net.domain: 59246+ PTR? 22.0.0.10.in-addr.arpa. (40)
    16:31:08.367086 IP gurke-fxp0.salatschuessel.net.domain > nudel.salatschuessel.net.56335: 59246* 1/1/0 PTR[|domain]
    16:31:50.178559 IP gurke-fxp0.salatschuessel.net > ALL-ROUTERS.MCAST.NET: igmp leave ALL-ROUTERS.MCAST.NET
    16:31:51.002428 IP gurke-fxp0.salatschuessel.net > ALL-ROUTERS.MCAST.NET: igmp v2 report ALL-ROUTERS.MCAST.NET
    16:31:51.006396 IP gurke-fxp0.salatschuessel.net > ALL-SYSTEMS.MCAST.NET: igmp query v2
    16:31:54.964621 IP gurke-fxp0.salatschuessel.net > ALL-ROUTERS.MCAST.NET: igmp v2 report ALL-ROUTERS.MCAST.NET
    16:31:58.168975 IP nudel.salatschuessel.net > 239.255.255.250: igmp v2 report 239.255.255.250
    16:32:22.165428 IP gurke-fxp0.salatschuessel.net > ALL-SYSTEMS.MCAST.NET: igmp query v2
    16:32:26.163901 IP gurke-fxp0.salatschuessel.net > ALL-ROUTERS.MCAST.NET: igmp v2 report ALL-ROUTERS.MCAST.NET
    16:32:29.124139 IP nudel.salatschuessel.net > 239.255.255.250: igmp v2 report 239.255.255.250
    16:32:53.369482 IP gurke-fxp0.salatschuessel.net > ALL-SYSTEMS.MCAST.NET:
Re: bwi vs. bwn
On Thu, 17 Feb 2011, grarpamp wrote:
> I have a BCM94312MCG, which driver should I choose and why?
> The man pages are nearly identical.

The FreeBSD bwn and bwi modules seem to be equivalent to the Linux b43 and b43legacy drivers. This page may or may not help:
http://wireless.kernel.org/en/users/Drivers/b43
Bridging + VLANS + RSTP / MSTP
Hello,

I have a fairly straightforward network in a collocated facility. I have a FreeBSD PF bridging firewall (2 interfaces bridged, 1 interface for access). The FreeBSD 8.0-RELEASE firewall provides inbound filtering through a Dell PowerConnect 5448 switch, divided into two vlans. My network is best described by the following diagram:

    [ISP GW]
       |
    [--switch 1 [vlan1]--]
       |
    [FW1 BRIDGE]
       |
    [--switch 1 [vlan2]--]
       |
    [clients]

I have been playing around with the possibility to add another FreeBSD bridging firewall to provide access from vlan1 to vlan2 for the clients. I originally posted on the freebsd-pf list, and the only viable solution would be to employ STP on the two FreeBSD servers' bridge ports on vlan1, and turn STP off for every other port. My switch also supports the MSTP and RSTP protocols. Honestly I have little experience with this, but I was hoping to get some general insight as to how I could employ my switch and a redundant FreeBSD firewall for hardware failover. My current testing has shown little promise -- both firewalls will go up, but traffic will only go to the first firewall. If I reboot that first firewall, no traffic will flow to the second bridging firewall. Note that all IPs on my network (inside and out) are public IPs; there are no private IPs on my network.

Here is my rc.conf:

    defaultrouter="x.x.x.x"
    gateway_enable="YES"
    cloned_interfaces="bridge0"
    ifconfig_bridge0="up addm bge0 stp bge0 addm bge1 stp bge1"
    ifconfig_bge0="up"
    ifconfig_bge1="up"
    ifconfig_em0="inet y.y.y.y netmask 255.255.255.0"
    # PF Options
    pf_enable="YES"                 # Enable PF (load module if required)
    pf_rules="/etc/pf.conf"         # rules definition file for pf
    pf_flags=""                     # additional flags for pfctl startup
    pflog_enable="YES"              # start pflogd(8)
    pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
    pflog_flags=""                  # additional flags for pflogd startup

My pf.conf is really standard; I don't think there is really a point to posting it. Just a "block in all" and a series of "pass in"s, nothing fancy.
Any help or ideas or insight is GREATLY appreciated -- I have been tackling this for about a year (not actively, passively) and would LOVE to employ this properly. I see commercial firewalls like Juniper offer transparent bridging and failover hardware redundancies, so I'm pretty sure this would be possible with FreeBSD, but again my switching and networking experience is somewhat limited.

Thanks,
Kevin
Re: DLNA - IGMPProxy
Oliver Lehmann wrote this message on Fri, Feb 18, 2011 at 16:42 +0100:
> I've got a shiny new Sony TV with DLNA support :) My fileserver is located in a different subnet so it is not accessible by the TV. The TV itself detects my netbook which is in the same subnet (and runs Win7) as a DLNA source. I've now tried to set up igmpproxy because I thought this might solve my problem accessing my DLNA server in another subnet.
> - Sony TV: 10.0.2.102 (fxp2)
> - FreeBSD system running mediatomb: 10.0.0.21 (fxp0)
> - Win7 system: 10.0.1.51 (fxp1)
> [...]
> My TV still does not find any DLNA sources. I did a tcpdump on my FreeBSD system and saw that some information was exchanged.
> [...]
> 16:33:40.700010 IP 10.0.2.102.52323 > 239.255.255.250.1900: UDP, length 404
> [...]
> What am I missing to get it to work? I also tried NATing the network where the TV is attached with divert/natd but that also did not help.
> Please keep me CCed

First, UPnP is advertised over SSDP... Those port 1900 packets are the TV trying to find a media server, but no one responds to them.

I have not tried to get UPnP working across subnets (yet, but I plan to in the future), but you could look at:
http://frinring.wordpress.com/2010/07/27/first-release-of-cagibi-prototype-of-cacheproxy-daemon-for-upnp-device-listening-and-publishing/

I haven't d/l'd the source, but it says it's an SSDP proxy, and it could possibly work by running on the router that is on both networks... Somehow those SSDP discovery/announce packets need to make it across... Once the multicast SSDP packets get across, the rest happens on normal routable IP, so there shouldn't be additional issues, though as I said, I haven't tried it myself...

Also, make sure that once they do, the Sony TV has the proper routing to the necessary boxes... It's easy to set the default route wrong, or in some cases not set it (I did this once), causing the device to not know how to send the proper replies...

Good luck!
--
John-Mark Gurney    Voice: +1 415 225 5579
All that I will do, has been done, All that I have, has not.
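The exchange described in the reply above, as an added example that is not code from the thread, from igmpproxy or from mediatomb: a small C program that builds the M-SEARCH a control point such as the TV multicasts to 239.255.255.250:1900, parses the unicast HTTP/1.1 200 OK a media server sends back, and checks whether the LOCATION host in that reply lies on the client's subnet or needs a route, which is the last point John-Mark makes. The 200 OK is constructed for the example (its SERVER and USN values are placeholders), and the client address and /24 prefix are assumptions taken from the addresses in the thread.

```c
/* Added example; not code from the thread, igmpproxy or mediatomb. It
 * shows the SSDP exchange the reply describes: the TV multicasts an
 * M-SEARCH to 239.255.255.250:1900, a media server answers with a unicast
 * HTTP/1.1 200 OK, and the LOCATION in that answer is then fetched over
 * ordinary routed IP. All messages here are constructed, not captured. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define SSDP_ADDR "239.255.255.250"
#define SSDP_PORT 1900

/* The M-SEARCH a UPnP 1.0 control point sends; returns its length. */
int build_msearch(char *buf, size_t n, const char *st, int mx)
{
    return snprintf(buf, n, "M-SEARCH * HTTP/1.1\r\nHOST: %s:%d\r\n"
                    "MAN: \"ssdp:discover\"\r\nMX: %d\r\nST: %s\r\n\r\n",
                    SSDP_ADDR, SSDP_PORT, mx, st);
}

/* Copy the value of header `name` (case-insensitive, as in HTTP) into out.
 * Returns 1 if the header is present, 0 otherwise. */
int ssdp_header(const char *msg, const char *name, char *out, size_t n)
{
    size_t nl = strlen(name);
    for (const char *p = strchr(msg, '\n'); p != NULL; p = strchr(p, '\n')) {
        p++;                                   /* start of the next line */
        if (strncasecmp(p, name, nl) != 0 || p[nl] != ':')
            continue;
        const char *v = p + nl + 1;
        while (*v == ' ' || *v == '\t')
            v++;
        size_t len = strcspn(v, "\r\n");
        if (len >= n)
            len = n - 1;                       /* truncate, never overflow */
        memcpy(out, v, len);
        out[len] = '\0';
        return 1;
    }
    return 0;
}

/* Host part of an http://host[:port]/path URL; 1 on success. */
int url_host(const char *url, char *host, size_t n)
{
    const char *h = strstr(url, "://");
    if (h == NULL)
        return 0;
    h += 3;
    size_t len = strcspn(h, ":/");
    if (len == 0 || len >= n)
        return 0;
    memcpy(host, h, len);
    host[len] = '\0';
    return 1;
}

/* 1 if host shares the client's IPv4 /plen; otherwise the client needs a
 * route to it (the routing point at the end of the reply). */
int same_subnet(const char *host, const char *client, int plen)
{
    struct in_addr a, b;
    if (inet_pton(AF_INET, host, &a) != 1 || inet_pton(AF_INET, client, &b) != 1)
        return 0;
    uint32_t mask = plen <= 0 ? 0 : htonl(0xffffffffu << (32 - plen));
    return (a.s_addr & mask) == (b.s_addr & mask);
}

/* Constructed reply from the server at 10.0.0.21 to the TV at 10.0.2.102.
 * SERVER and USN are placeholders, not mediatomb's real strings. */
static const char sample_response[] =
    "HTTP/1.1 200 OK\r\n"
    "EXT:\r\n"
    "LOCATION: http://10.0.0.21:49152/description.xml\r\n"
    "SERVER: FreeBSD/8 UPnP/1.0 ExampleMediaServer/1.0\r\n"
    "ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:MediaServer:1\r\n"
    "\r\n";

/* Parse a 200 OK: 1 = LOCATION host is on the client's subnet, 0 = it is
 * reachable only through a route, -1 = no usable LOCATION header. */
int location_onlink(const char *resp, const char *client, int plen)
{
    char loc[256], host[64];
    if (!ssdp_header(resp, "LOCATION", loc, sizeof loc) || !url_host(loc, host, sizeof host))
        return -1;
    return same_subnet(host, client, plen) ? 1 : 0;
}

int main(void)
{
    char msearch[256];
    build_msearch(msearch, sizeof msearch, "urn:schemas-upnp-org:device:MediaServer:1", 3);
    fputs(msearch, stdout);           /* what 10.0.2.102 sends to 239.255.255.250:1900 */
    printf("LOCATION on the TV's subnet: %d\n", location_onlink(sample_response, "10.0.2.102", 24));
    return 0;
}
```

If the M-SEARCH never reaches 10.0.0.0/24 the server has nothing to answer, which matches the unanswered port 1900 packets in the capture; once a proxy or bridge carries it across, the TV still has to reach 10.0.0.21 for the LOCATION fetch, so its default route has to be right as well.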
Re: bwi vs. bwn
>> I have a BCM94312MCG, which driver should I choose and why?
>> The man pages are nearly identical.
> The FreeBSD bwn and bwi modules seem to be equivalent to the Linux b43 and b43legacy drivers. This page may or may not help:
> http://wireless.kernel.org/en/users/Drivers/b43

I'll see if I can find somewhere that relation between the two sets. The kernel may say something when detected/loaded. I guess only my first question about which of bwi/bwn to use applies to FreeBSD, and the other ones to the b43 guys. But I think I've got it below...

> Can the newer upstream firmware at openwrt be used with bwn-firmware-kmod?
> http://downloads.openwrt.org/sources/broadcom-wl-4.150.10.5.3.tar.bz2

I played with this, the answer is not yet. fwcutter does not yet know how to chop up the included objects. Between the two, the objects have the same version string (author possibly neglected to change) and are different sizes, hashes, etc.

    # 4.150.10.5
     879467 Jan  6  2008 broadcom-wl-4.150.10.5/driver/wl_apsta.o
    1194265 Jan  6  2008 broadcom-wl-4.150.10.5/driver/wl_apsta_mimo.o
     880539 Jan  6  2009 broadcom-wl-4.150.10.5.3/driver/wl_apsta.o
    1195329 Jan  6  2009 broadcom-wl-4.150.10.5.3/driver/wl_apsta_mimo.o
    # 4.174.64.19
    9900134 Feb 19  2009 broadcom-wl-4.178.10.4/linux/wl_apsta.o

> Where did the firmware blobs in the above file come from, here?

I now think the firmware blobs are fully proprietary (coming from the OEM), and are being cut up based on some hardware hacking. And that I'm likely missing the distinction between that firmware being needed in all cases, and then choosing which driver you want on top of that from amongst the (b43/kernel.org)/FreeBSD driver projects and broadcom-wl.
http://www.broadcom.com/support/802.11/linux_sta.php

Doesn't FreeBSD have some sort of ndiswrapper function for this?
Seems in the future I should give my money to Atheros instead :)
Re: DLNA - IGMPProxy
John-Mark Gurney j...@funkthat.com wrote:
> First, UPnP is advertised over SSDP... Those port 1900 packets are the TV trying to find a media server, but no one responds to them.
> I have not tried to get UPnP working across subnets (yet, but I plan to in the future), but you could look at:
> http://frinring.wordpress.com/2010/07/27/first-release-of-cagibi-prototype-of-cacheproxy-daemon-for-upnp-device-listening-and-publishing/

That unfortunately requires QT for whatever reason (yeah KDE - but QT for a proxy??). I do not have this on my router of course :(
b43-fwcutter port update to v13 [patch]
I diffed the source of b43-fwcutter, v12 to v13. And also between v12 + fbsd port patches and v13 native. It all looks clean, both compile, and v13 produces digest-identical output files to v12 + fbsd port when used as in the bwi and bwn kmod ports. The current fwcutter port can thus be bumped to v13.

Update Makefile, distinfo, pkg-descr, distfiles, etc. Replace the entire patch set with these new native patches. Update the requires for the bw{i,n}-firmware-kmod ports.

Can someone check and commit all this? I bcc'd the fwcutter author for inclusion of the patch in the next release.

patch_b43-fwcutter-013
Description: Binary data
Re: bwi vs. bwn
On Fri, Feb 18, 2011 at 9:54 PM, grarpamp grarp...@gmail.com wrote:
> Doesn't FreeBSD have some sort of ndiswrapper function for this?

NDISulator, ndis(4).
Re: DLNA - IGMPProxy
On Feb 18, 2011, at 1:12 PM, Oliver Lehmann wrote:
> that unfortunately requires QT for whatever reason (yeah KDE - but QT for a proxy??) I do not have this on my router of course :(

Most of this stuff uses subnet-local broadcasts to perform device discovery. It would probably be a lot easier to bridge your networks together than it would be to proxy DLNA.

Regards,
--
-Chuck
Re: bwi vs. bwn
>> Doesn't FreeBSD have some sort of ndiswrapper function for this?
>> http://www.broadcom.com/support/802.11/linux_sta.php
> NDISulator, ndis(4).

Hmm, maybe that only applies to the Windows driver bundles as distributed by the vendors (Dell, HP, Lenovo, etc). Or from Microsoft itself as part of the OS. And not to this Linux thing. Once I figure out how to extract the Microsoft (Windows/Vendor) and Linux (Broadcom) bundles, hopefully with the same underlying version, I'll know more, call it an exercise :) I'm sure bwn will work. Thanks.

    # Broadcom Linux
    1195817 Dec 22 20:59 hybrid-portsrc_x86_32-v5_100_82_38.tar.gz
    1150253 Dec 22 20:59 hybrid-portsrc_x86_64-v5_100_82_38.tar.gz
Re: b43-fwcutter port update to v13 [patch]
On Fri, 2011-02-18 at 16:34 -0500, grarpamp wrote:
> I bcc'd the fwcutter author for inclusion of the patch in the next release.

Thanks a lot. I'll commit it to git.

--
Greetings Michael.