IPFW tablearg questions
Hello, I started to test some more features of IPFW, namely skipto and fwd, both in conjunction with tablearg. The question: Why can't you add a skipto to the default rule (65535)? I also consider using tablearg with divert, but manpage is contradicting itself in regards to divert with tablearg: divert port Divert packets that match this rule to the divert(4) socket bound to port port. The search terminates. vs The tablearg argument can be used with the following actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto, setfib, action parameters: tag, untag, rule options: limit, tagged. Also, in the EXAMPLES section one can find: In the following example per-interface firewall is created: ipfw table 10 add vlan20 12000 ipfw table 10 add vlan30 13000 ipfw table 20 add vlan20 22000 ipfw table 20 add vlan30 23000 .. ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(10)' in ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(10)' out where ipfw add 100 ipfw skipto seems wrong... Best regards Andreas Nilsson ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
RE: Create pkey on FreeBSD 9.1
Hi John. I did it, but there is no ping between the vlans. Ping without VLANs on that ports pass. Host1: [root@qa-h-vrt-030-006 ~]# ifconfig ib0.100 create [root@qa-h-vrt-030-006 ~]# ifconfig ib0.100 11.195.30.1/16 up [root@qa-h-vrt-030-006 ~]# ifconfig em0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500 options=209bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC ether 00:50:56:23:1e:06 inet6 fe80::250:56ff:fe23:1e06%em0 prefixlen 64 scopeid 0x2 inet 10.195.30.6 netmask 0x broadcast 10.195.255.255 nd6 options=23PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL media: Ethernet autoselect (1000baseT full-duplex) status: active lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST metric 0 mtu 16384 options=63RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet 127.0.0.1 netmask 0xff00 nd6 options=23PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL ib0: flags=8043UP,BROADCAST,RUNNING,MULTICAST metric 0 mtu 65520 options=80018VLAN_MTU,VLAN_HWTAGGING,LINKSTATE lladdr 80.0.0.48.fe.80.0.0.0.0.0.0.0.2.c9.0.1.0.d0.51 inet6 fe80::250:56ff:fe23:1e06%ib0 prefixlen 64 scopeid 0x4 nd6 options=23PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL ib1: flags=8002BROADCAST,MULTICAST metric 0 mtu 65520 options=80018VLAN_MTU,VLAN_HWTAGGING,LINKSTATE lladdr 80.0.0.49.fe.80.0.0.0.0.0.0.0.2.c9.0.1.0.d0.52 nd6 options=23PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL ib0.100: flags=8003UP,BROADCAST,MULTICAST metric 0 mtu 65520 options=80018VLAN_MTU,VLAN_HWTAGGING,LINKSTATE lladdr 80.0.0.4a.fe.80.0.0.0.0.0.0.0.2.c9.0.1.0.d0.51 inet6 fe80::8200:4a:fe80:0%ib0.100 prefixlen 64 scopeid 0x6 inet 11.195.30.1 netmask 0x broadcast 11.195.255.255 nd6 options=23PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL vlan: 100 parent interface: ib0 Host2: [root@qa-h-vrt-031-005 ~]# ifconfig ib0.100 create [root@qa-h-vrt-031-005 ~]# ifconfig ib0.100 11.195.31.1/16 up [root@qa-h-vrt-031-005 ~]# ifconfig em0: flags=8843UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST metric 0 mtu 1500 options=209bRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC ether 00:50:56:23:1f:05 inet6 fe80::250:56ff:fe23:1f05%em0 prefixlen 64 scopeid 0x2 inet 10.195.31.5 netmask 0x broadcast 10.195.255.255 nd6 options=23PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL media: Ethernet autoselect (1000baseT full-duplex) status: active lo0: flags=8049UP,LOOPBACK,RUNNING,MULTICAST metric 0 mtu 16384 options=63RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3 inet 127.0.0.1 netmask 0xff00 nd6 options=23PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL ib0: flags=8043UP,BROADCAST,RUNNING,MULTICAST metric 0 mtu 65520 options=80018VLAN_MTU,VLAN_HWTAGGING,LINKSTATE lladdr 80.0.0.48.fe.80.0.0.0.0.0.0.0.2.c9.3.0.a0.65.91 inet6 fe80::250:56ff:fe23:1f05%ib0 prefixlen 64 scopeid 0x4 nd6 options=23PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL ib1: flags=8002BROADCAST,MULTICAST metric 0 mtu 65520 options=80018VLAN_MTU,VLAN_HWTAGGING,LINKSTATE lladdr 80.0.0.49.fe.80.0.0.0.0.0.0.0.2.c9.3.0.a0.65.92 nd6 options=23PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL ib0.100: flags=8003UP,BROADCAST,MULTICAST metric 0 mtu 65520 options=80018VLAN_MTU,VLAN_HWTAGGING,LINKSTATE lladdr 80.0.0.4a.fe.80.0.0.0.0.0.0.0.2.c9.3.0.a0.65.91 inet6 fe80::8200:4a:fe80:0%ib0.100 prefixlen 64 scopeid 0x6 inet 11.195.31.1 netmask 0x broadcast 11.195.255.255 nd6 options=23PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL vlan: 100 parent interface: ib0 [root@qa-h-vrt-031-005 ~]# ping 11.195.30.1 PING 11.195.30.1 (11.195.30.1): 56 data bytes ping: sendto: Network is down ping: sendto: Network is down ping: sendto: Network is down Regards, Alex Liptsin Software Quality Assurance Engineer | Mellanox Technologies Ltd. Office: +972 (74) 7236141 Mobile: +972(54) 7833986 Fax: +972(74) 7236161 Email: al...@mellanox.com Mellanox, Tel-Hai Industrial Park. Building 7, M.P. Upper Galilee 12100 Israel -Original Message- From: John Baldwin [mailto:j...@freebsd.org] Sent: Wednesday, May 29, 2013 9:17 PM To: freebsd-net@freebsd.org Cc: Ryan Stone; Alex Liptsin Subject: Re: Create pkey on FreeBSD 9.1 On Thursday, May 23, 2013 2:36:25 pm Ryan Stone wrote: On Thu, May 23, 2013 at 4:32 AM, Alex Liptsin al...@mellanox.com wrote: Hello. I have FreeBSD 9.1 installed. There is mellanox adapter inside. OFED support is already installed. I try to add pkeys on ib0 port. Usually in Linux I did: echo 0x800c /sys/class/net/ib0/create_child ifconfig -a To Make sure you see a new interface: ib0.800c How can I do it on
Re: kern/179083: [netmap] [patch] Invalid index calucation in netmap macro expansion
Old Synopsis: Invalid index calucation in netmap macro expansion New Synopsis: [netmap] [patch] Invalid index calucation in netmap macro expansion Responsible-Changed-From-To: freebsd-bugs-freebsd-net Responsible-Changed-By: linimon Responsible-Changed-When: Thu May 30 07:43:27 UTC 2013 Responsible-Changed-Why: Over to maintainer(s). http://www.freebsd.org/cgi/query-pr.cgi?pr=179083 ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
Re: kern/179083: [netmap] [patch] Invalid index calucation in netmap macro expansion
On Thu, May 30, 2013 at 07:43:47AM +, lini...@freebsd.org wrote: Old Synopsis: Invalid index calucation in netmap macro expansion New Synopsis: [netmap] [patch] Invalid index calucation in netmap macro expansion Responsible-Changed-From-To: freebsd-bugs-freebsd-net Responsible-Changed-By: linimon Responsible-Changed-When: Thu May 30 07:43:27 UTC 2013 Responsible-Changed-Why: Over to maintainer(s). Thanks for the report. The macro is correct as implemented. The problem, in case, is in the description in netmap_user.h which is confusing and should be improved as follows: -* char *buf = NETMAP_BUF(ring, index) returns a pointer to -* the i-th buffer +* char *buf = NETMAP_BUF(ring, x) returns a pointer to +* the buffer numbered 'x' This will be committed soon, so please close the PR cheers luigi http://www.freebsd.org/cgi/query-pr.cgi?pr=179083 ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
Re: kern/179083: [netmap] [patch] Invalid index calucation in netmap macro expansion
Synopsis: [netmap] [patch] Invalid index calucation in netmap macro expansion State-Changed-From-To: open-closed State-Changed-By: linimon State-Changed-When: Thu May 30 07:58:15 UTC 2013 State-Changed-Why: apparently the code is correct and the comments are wrong. The comments will be fixed soon. http://www.freebsd.org/cgi/query-pr.cgi?pr=179083 ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
Re: kern/179083: [netmap] [patch] Invalid index calucation in netmap macro expansion
The following reply was made to PR kern/179083; it has been noted by GNATS. From: Mark Linimon lini...@lonesome.com To: bug-follo...@freebsd.org Cc: Subject: Re: kern/179083: [netmap] [patch] Invalid index calucation in netmap macro expansion Date: Thu, 30 May 2013 02:58:04 -0500 - Forwarded message from Luigi Rizzo ri...@iet.unipi.it - Date: Thu, 30 May 2013 09:57:15 +0200 From: Luigi Rizzo ri...@iet.unipi.it To: freebsd-b...@freebsd.org, freebsd-net@freebsd.org Subject: Re: kern/179083: [netmap] [patch] Invalid index calucation in netmap macro expansion User-Agent: Mutt/1.5.20 (2009-06-14) Thanks for the report. The macro is correct as implemented. The problem, in case, is in the description in netmap_user.h which is confusing and should be improved as follows: -* char *buf = NETMAP_BUF(ring, index) returns a pointer to -* the i-th buffer +* char *buf = NETMAP_BUF(ring, x) returns a pointer to +* the buffer numbered 'x' This will be committed soon, so please close the PR cheers luigi - End forwarded message - ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
Re: IPFW tablearg questions
The question: Why can't you add a skipto to the default rule (65535)? http://lists.freebsd.org/pipermail/freebsd-ipfw/2007-June/003067.html I also consider using tablearg with divert, but manpage is contradicting itself in regards to divert with tablearg: divert port Divert packets that match this rule to the divert(4) socket bound to port port. The search terminates. vs The tablearg argument can be used with the following actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd, skipto, setfib, action parameters: tag, untag, rule options: limit, tagged. Also, in the EXAMPLES section one can find: In the following example per-interface firewall is created: ipfw table 10 add vlan20 12000 ipfw table 10 add vlan30 13000 ipfw table 20 add vlan20 22000 ipfw table 20 add vlan30 23000 .. ipfw add 100 ipfw skipto tablearg ip from any to any recv 'table(10)' in ipfw add 200 ipfw skipto tablearg ip from any to any xmit 'table(10)' out where ipfw add 100 ipfw skipto seems wrong... I'm not sure where the contradiction is. Have you tried something like the following as an example? I'm not sure the below works, but in my mind it does. ;) # ipfw table 10 add 129.168.0.0/24 1234 ipfw table 10 add 10.5.21.0/24 5678 ipfw add 100 divert tablearg ip from table(10) to any # Perhaps knowing what it is you are trying to accomplish would lead to a more concrete answer. ~Paul This message may contain confidential or privileged information. If you are not the intended recipient, please advise us immediately and delete this message. See http://www.datapipe.com/legal/email_disclaimer/ for further information on confidentiality and the risks of non-secure electronic communication. If you cannot access these links, please notify us by reply message and we will send the contents to you. ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
Re: IPFW tablearg questions
On Thu, May 30, 2013 at 1:01 PM, Paul A. Procacci pproca...@datapipe.comwrote:
The question:
Why can't you add a skipto to the default rule (65535)?
http://lists.freebsd.org/pipermail/freebsd-ipfw/2007-June/003067.html
I also consider using tablearg with divert, but manpage is contradicting
itself in regards to divert with tablearg:
divert port
Divert packets that match this rule to the divert(4) socket
bound
to port port. The search terminates.
vs
The tablearg argument can be used with the following
actions: nat, pipe, queue, divert, tee, netgraph, ngtee, fwd,
skipto,
setfib, action parameters: tag, untag, rule options: limit, tagged.
Also, in the EXAMPLES section one can find:
In the following example per-interface firewall is created:
ipfw table 10 add vlan20 12000
ipfw table 10 add vlan30 13000
ipfw table 20 add vlan20 22000
ipfw table 20 add vlan30 23000
..
ipfw add 100 ipfw skipto tablearg ip from any to any recv
'table(10)' in
ipfw add 200 ipfw skipto tablearg ip from any to any xmit
'table(10)' out
where ipfw add 100 ipfw skipto seems wrong...
I'm not sure where the contradiction is. Have you tried something like
the following as an example? I'm not sure the below works, but in my
mind it does. ;)
#
ipfw table 10 add 129.168.0.0/24 1234
ipfw table 10 add 10.5.21.0/24 5678
ipfw add 100 divert tablearg ip from table(10) to any
#
Perhaps knowing what it is you are trying to accomplish would lead
to a more concrete answer.
~Paul
This message may contain confidential or privileged information. If you
are not the intended recipient, please advise us immediately and delete
this message. See http://www.datapipe.com/legal/email_disclaimer/ for
further information on confidentiality and the risks of non-secure
electronic communication. If you cannot access these links, please notify
us by reply message and we will send the contents to you.
Whoops, reply to all is good...
The contradiction is that for most of the other directives in man-page,
when it is possible to use tablearg it is listed, like
fwd | forward ipaddr | tablearg[,port]
or
nat nat_nr | tablearg
but not so for divert which just reads:
divert port
The pipe and queue directives as well are missing the | tablearg and
corresponding description.
Yes, your example is how I also imagine it to work.
I'm pondering how something like:
ipfw skipto tablearg all from any to any in { recv table(10) }
ipfw add $rulenr divert tablearg tcp from table(11) to any
ipfw add $rulenr fwd tablearg all from table(12) to any divert-output
would work out.
Best regards
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
how to bind ppp to definite tun device?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 hi, may somebody help with the subject, please? is there way to bind tun device which ppp creates/uses to the definite one, let's say tun0 ? to avoid interface appointment change (in case I need binding WAN on tunN) for example OpenVPN allows to set tunN to open link only on N-th device I didn't find the way :( - -- Zeus V. Panchenko jid:z...@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) -BEGIN PGP SIGNATURE- Version: GnuPG v2.0.19 (FreeBSD) iEYEARECAAYFAlGnPKQACgkQr3jpPg/3oyr27ACgkfs7Fx1qLMkG+S2e+0fy+3Ic 14sAoLMBHR1gwHDJWI+fL2FT3jN7hwlJ =h9Im -END PGP SIGNATURE- ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
Re: how to bind ppp to definite tun device?
El día Thursday, May 30, 2013 a las 02:48:52PM +0300, Zeus Panchenko escribió: hi, may somebody help with the subject, please? is there way to bind tun device which ppp creates/uses to the definite one, let's say tun0 ? to avoid interface appointment change (in case I need binding WAN on tunN) for example OpenVPN allows to set tunN to open link only on N-th device I didn't find the way :( $ man ppp | col -b | fgrep unit -- Matthias Apitz | /\ ASCII Ribbon Campaign: www.asciiribbon.org E-mail: g...@unixarea.de | \ / - No HTML/RTF in E-mail WWW: http://www.unixarea.de/ | X - No proprietary attachments phone: +49-170-4527211 | / \ - Respect for open standards ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
Re: Create pkey on FreeBSD 9.1
On Thursday, May 30, 2013 3:29:46 am Alex Liptsin wrote: Hi John. I did it, but there is no ping between the vlans. Ping without VLANs on that ports pass. Unfortunately I do not have an IB setup to test this. I also don't know how IB treats vlans (e.g. does it use an 802.1(q) type header?). Can you tcpdump on the ib0 interface and see if your pings on ib0.100 show up and if they have the appropriate headers? -- John Baldwin ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
Re: misc/179033: [dc] dc ethernet driver seems to have issues with some multiport card and mother board combinations
On Thursday, May 30, 2013 1:12:14 am YongHyeon PYUN wrote: On Wed, May 29, 2013 at 08:58:10PM -0700, Mr. Clif wrote: Sorry for the confusion Pyun, I started looking at it in the context of pfsense, but they rejected my bug report which was understandable because it's an upstream issue. They suggested I resubmit it to you guys if I could reproduce it. So I booted FreeBSD and lo and behold the same two ports failed in exactly the same Ok, I'd like to fix that. Hmmm, the dc(4) driver is using the I/O port BARs rather than the memory BARs for its registers and this bug seems to be that the dc(4) device can't properly access its registers on dc0 and dc1 on the Atom box. The one thing I see is that the BIOS on the Atom box assigns addresses in the 0x1100-0x11ff range for dc0 and dc1. Those addresses conflict with ISA I/O aliases for the 0x100-0x1ff range. The Dell BIOS is more careful to avoid these ranges. I think the fix is that I need to fix the PCI-PCI bridge to reject these resource ranges if the ISA enable bit is set in the bridge's control register. However, for the time being you can change dc(4) to use the memory BAR instead of the I/O port BAR as a workaround: Index: if_dc.c === --- if_dc.c (revision 251132) +++ if_dc.c (working copy) @@ -128,7 +128,7 @@ __FBSDID($FreeBSD$); #include dev/pci/pcireg.h #include dev/pci/pcivar.h -#defineDC_USEIOSPACE +//#define DC_USEIOSPACE #include dev/dc/if_dcreg.h If this fixes it then I can take this PR as a test case for handling the ISA enable bit in the PCI-PCI bridge code. -- John Baldwin ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
Basic NAT server setup
I'm building a server to handle outbound NAT to the internet using FreeBSD 9.1 and its built-in distribution of pf. What I want to be able to do is NAT three unique internal (private) VLANs to three unique public IPs. Our current setup utilizes a single external IP address for all three internal networks and seems to work well when our internal hosts use the BSD box as their gateway. pf.conf is as follows: ext_if = vlan11 ext_addr = a.b.c.2 int_network1 = 10.0.1.0/24 int_network2 = 172.16.1.0/24 int_network3 = 192.168.1.0/24 nat on $ext_if from $int_network1 to any - $ext_addr nat on $ext_if from $int_network2 to any - $ext_addr nat on $ext_if from $int_network3 to any - $ext_addr However, when we introduce two additional external IPs the system fails to establish external connections. pf.conf again: ext_if = vlan11 ext_addr1 = a.b.c.3 ext_addr2 = a.b.c.4 ext_addr3 = a.b.c.5 int_network1 = 10.0.1.0/24 int_network2 = 172.16.1.0/24 int_network3 = 192.168.1.0/24 nat on $ext_if from $int_network1 to any - $ext_addr1 nat on $ext_if from $int_network2 to any - $ext_addr2 nat on $ext_if from $int_network3 to any - $ext_addr3 On our border router we have a route to send all traffic belonging to the a.b.c.0/24 network to the public side of the NAT host, and as mentioned before, single-IP NAT works fine. pfctl -s nat indicates that the host knows how to translate the connections, but the connections somehow do not succeed. We are not leveraging the packet filtering capabilities of pf at this time -- all we need the host to do right now is NAT. I might also note that on the host we have a dot1q trunk carrying our three internal VLANs to the host, and we are routing all private traffic through another dedicated private VLAN. Default gateway on the NAT host is the router address for its public-facing IP. I realize some of this may be more specific to pf, but since there are (obviously) many moving parts here I thought it best to start with the freebsd-net list and see if I can get some direction. Thank you Joe ___ freebsd-net@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org
