Re: kern/179901: [netinet] [patch] Multicast SO_REUSEADDR handled incorrectly

2013-06-30 Thread Mikolaj Golub 
The following reply was made to PR kern/179901; it has been noted by GNATS.

From: Mikolaj Golub troc...@freebsd.org
To: bug-follo...@freebsd.org
Cc: Michael Gmelin free...@grem.de
Subject: Re: kern/179901: [netinet] [patch] Multicast SO_REUSEADDR handled
 incorrectly
Date: Sun, 30 Jun 2013 10:17:05 +0300

 --EeQfGwPcQSOJBaQU
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 On Thu, Jun 27, 2013 at 11:00:16PM +0300, Mikolaj Golub wrote:
 
  I don't insist on maintaining the old behaviour. But as actually we
  have 2 issues here (regression introduced by me in FreeBSD9 and
  historical behavior that looks wrong), with different priority, I
  would like to fix the issues separately. This way it will be easier to
  track the changes, e.g. when after a year it turns out that the second
  change has broken some other case.
 
 Here is a patch for the second issue.
 
 -- 
 Mikolaj Golub
 
 --EeQfGwPcQSOJBaQU
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename=pr179901.2.1.patch
 
 commit 7cf3a6a95d74ae91c80350fc1ae8e96fe59c3c65
 Author: Mikolaj Golub troc...@freebsd.org
 Date:   Sun Jun 30 00:09:20 2013 +0300
 
 A complete duplication of binding should be allowed if on both new and
 duplicated sockets a multicast address is bound and either
 SO_REUSEPORT or SO_REUSEADDR is set.
 
 But actually it works for the following combinations:
 
  * SO_REUSEPORT is set for the fist socket and SO_REUSEPORT for the new;
  * SO_REUSEADDR is set for the fist socket and SO_REUSEADDR for the new;
  * SO_REUSEPORT is set for the fist socket and SO_REUSEADDR for the new;
 
 and fails for this:
 
  * SO_REUSEADDR is set for the fist socket and SO_REUSEPORT for the new.
 
 Fix the last case.
 
 PR:179901
 
 diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
 index 3506b74..eb15a38 100644
 --- a/sys/netinet/in_pcb.c
 +++ b/sys/netinet/in_pcb.c
 @@ -554,7 +554,7 @@ in_pcbbind_setup(struct inpcb *inp, struct sockaddr *nam, 
in_addr_t *laddrp,
 * and a multicast address is bound on both
 * new and duplicated sockets.
 */
 -  if (so-so_options  SO_REUSEADDR)
 +  if ((so-so_options  (SO_REUSEADDR|SO_REUSEPORT)) != 0)
reuseport = SO_REUSEADDR|SO_REUSEPORT;
} else if (sin-sin_addr.s_addr != INADDR_ANY) {
sin-sin_port = 0;  /* yech... */
 diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c
 index a0a6874..fb84279 100644
 --- a/sys/netinet6/in6_pcb.c
 +++ b/sys/netinet6/in6_pcb.c
 @@ -156,7 +156,7 @@ in6_pcbbind(register struct inpcb *inp, struct sockaddr 
*nam,
 * and a multicast address is bound on both
 * new and duplicated sockets.
 */
 -  if (so-so_options  SO_REUSEADDR)
 +  if ((so-so_options  (SO_REUSEADDR|SO_REUSEPORT)) != 0)
reuseport = SO_REUSEADDR|SO_REUSEPORT;
} else if (!IN6_IS_ADDR_UNSPECIFIED(sin6-sin6_addr)) {
struct ifaddr *ifa;
 
 --EeQfGwPcQSOJBaQU--
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: DNAT in freebsd

2013-06-30 Thread Paul A. Procacci 

On Sat, Jun 29, 2013 at 09:50:15AM +0300, Sami Halabi wrote:
 I think I was misunderstood...
 Here is the situation i want to handle:
 My box is a router that handles several /24 behind.
 One of my links (em0) is connected to a private network 192.168.0.1 is me,
 my neighbour is 192.168.0.2.
 I want to make that any connection comes to 192.168.0.1  to go to ip
 193.xxx.yyy.2 using specific public ip 84.xx.yy.1
 And packets comming to my public 84.xx.yy.1 ip to be trsnslated as came
 from 192.168.0.1 and sent to 192.168.0.2/or ant other ips
 behind(192.168.1.xx/24).

 Hope that makes it clearer, and I appreciate any help.

 Sami
  29  2013 03:30, ?? Paul A. Procacci 
 pproca...@datapipe.com:

The answer I provided you does exactly what you want it to do.  Not to mention
the man page goes over other things as well if the answer I provided you
wasn't accurate.  Here is my config that I use for my home setup.

The config:

- binds a nat instance on the primary interface
- denies all inbound syn's among other things
- Forward packets originating on the internal network interface through nat
- and returns packets (ack's) back to the original sender.

!!
#!/bin/sh
## Start of IPFW Configuration 
# Set rules command prefix :: Rule numbering cannot exceed 900

cmd=/sbin/ipfw -q
pif=de0   # Public NIC
iif=bridge0   # Internal NIC

##
# Flush current rules and do config.
$cmd -f flush
$cmd enable one_pass
##

${cmd} add 1 allow all from any to any via lo0
${cmd} add 2 deny all from any to 127.0.0.0/8
${cmd} add 3 deny ip from 127.0.0.0/8 to any

${cmd} nat 1 config if ${pif} log deny_in reset unreg_only same_ports
${cmd} add 00020 nat 1 all from any to any via ${pif}

${cmd} add 00050 allow all from any to any via ${iif}

${cmd} add 65534 deny log all from any to any
!!

Again, this information is found in `man ipfw(8)` and does what you are
asking.

~Paul



This message may contain confidential or privileged information. If you are not 
the intended recipient, please advise us immediately and delete this message. 
See http://www.datapipe.com/legal/email_disclaimer/ for further information on 
confidentiality and the risks of non-secure electronic communication. If you 
cannot access these links, please notify us by reply message and we will send 
the contents to you.
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: DNAT in freebsd

2013-06-30 Thread Eugene Grosbein 
On 29.06.2013 13:50, Sami Halabi wrote:
 I think I was misunderstood...
 Here is the situation i want to handle:
 My box is a router that handles several /24 behind.
 One of my links (em0) is connected to a private network 192.168.0.1 is me,
 my neighbour is 192.168.0.2.
 I want to make that any connection comes to 192.168.0.1  to go to ip
 193.xxx.yyy.2 using specific public ip 84.xx.yy.1
 And packets comming to my public 84.xx.yy.1 ip to be trsnslated as came
 from 192.168.0.1 and sent to 192.168.0.2/or ant other ips
 behind(192.168.1.xx/24).
 
 Hope that makes it clearer, and I appreciate any help.

You need to setup 2 ipfw nat instanses, one to translate source IPs,
another to translate destination IPs (this one needs reverse mode).


___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: DNAT in freebsd

2013-06-30 Thread Sami Halabi 
Hi,

Thanks for your time.

What this configuration does is normal NAT configuration (SNAT).
what I'm seeking is combination of SNAT  DNAT to act as a transparent
proxy as:
192.168.0.2 connects to me (192.168.0.1) it'll talk actually with
193.xx.yy.1 whithout knowing it using my special public ip 194.xx.yy.1, and
when 193.xx.yy.1 wants to open connection with 192.168.0.2 it will connect
to 194.xx.yy.1 and 192.168.0.2 will think 192.168.0.1 is talking with it...

Any ideas???

Sami


On Sun, Jun 30, 2013 at 12:15 PM, Paul A. Procacci
pproca...@datapipe.comwrote:


 On Sat, Jun 29, 2013 at 09:50:15AM +0300, Sami Halabi wrote:
  I think I was misunderstood...
  Here is the situation i want to handle:
  My box is a router that handles several /24 behind.
  One of my links (em0) is connected to a private network 192.168.0.1 is
 me,
  my neighbour is 192.168.0.2.
  I want to make that any connection comes to 192.168.0.1  to go to ip
  193.xxx.yyy.2 using specific public ip 84.xx.yy.1
  And packets comming to my public 84.xx.yy.1 ip to be trsnslated as came
  from 192.168.0.1 and sent to 192.168.0.2/or ant other ips
  behind(192.168.1.xx/24).
 
  Hope that makes it clearer, and I appreciate any help.
 
  Sami
   29  2013 03:30, ?? Paul A. Procacci 
 pproca...@datapipe.com:

 The answer I provided you does exactly what you want it to do.  Not to
 mention
 the man page goes over other things as well if the answer I provided you
 wasn't accurate.  Here is my config that I use for my home setup.

 The config:

 - binds a nat instance on the primary interface
 - denies all inbound syn's among other things
 - Forward packets originating on the internal network interface through nat
 - and returns packets (ack's) back to the original sender.

 !!
 #!/bin/sh
 ## Start of IPFW Configuration 
 # Set rules command prefix :: Rule numbering cannot exceed 900

 cmd=/sbin/ipfw -q
 pif=de0   # Public NIC
 iif=bridge0   # Internal NIC

 ##
 # Flush current rules and do config.
 $cmd -f flush
 $cmd enable one_pass
 ##

 ${cmd} add 1 allow all from any to any via lo0
 ${cmd} add 2 deny all from any to 127.0.0.0/8
 ${cmd} add 3 deny ip from 127.0.0.0/8 to any

 ${cmd} nat 1 config if ${pif} log deny_in reset unreg_only same_ports
 ${cmd} add 00020 nat 1 all from any to any via ${pif}

 ${cmd} add 00050 allow all from any to any via ${iif}

 ${cmd} add 65534 deny log all from any to any
 !!

 Again, this information is found in `man ipfw(8)` and does what you are
 asking.

 ~Paul

 

 This message may contain confidential or privileged information. If you
 are not the intended recipient, please advise us immediately and delete
 this message. See http://www.datapipe.com/legal/email_disclaimer/ for
 further information on confidentiality and the risks of non-secure
 electronic communication. If you cannot access these links, please notify
 us by reply message and we will send the contents to you.




-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: DNAT in freebsd

2013-06-30 Thread Sami Halabi 
Hi,
I don't understand how reverse mode works exactly, and didn't find a good
example.


can you try and help on the configuration?

Thanks in advance,
Sami


On Sun, Jun 30, 2013 at 1:22 PM, Eugene Grosbein eu...@grosbein.net wrote:

 On 29.06.2013 13:50, Sami Halabi wrote:
  I think I was misunderstood...
  Here is the situation i want to handle:
  My box is a router that handles several /24 behind.
  One of my links (em0) is connected to a private network 192.168.0.1 is
 me,
  my neighbour is 192.168.0.2.
  I want to make that any connection comes to 192.168.0.1  to go to ip
  193.xxx.yyy.2 using specific public ip 84.xx.yy.1
  And packets comming to my public 84.xx.yy.1 ip to be trsnslated as came
  from 192.168.0.1 and sent to 192.168.0.2/or ant other ips
  behind(192.168.1.xx/24).
 
  Hope that makes it clearer, and I appreciate any help.

 You need to setup 2 ipfw nat instanses, one to translate source IPs,
 another to translate destination IPs (this one needs reverse mode).





-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

cxgbetool hw filtering issues

2013-06-30 Thread Alexander V. Chernikov 

Hello list!

While experimenting with Chelsio T440-CR (cxgbe) internal firewall, I'm 
getting some kind of unexpected results:


filtering 'type ipv4 action drop' permits IPv4 TCP traffic with bad 
checksum.
filtering 'type IPv6 action drop' permits IPv6 traffic to multicast 
addresses (MLDv2, etc..)
filtering 'ethtype 34525 action drop' (drop all IPv6) results in 
'CHELSIO_T4_SET_FILTER: Argument list too long' despite to what is said 
in budget table from cxgbetool.8
filtering 'matchtype 4 action drop' or similar (4,5,4:0,4:4, 5:0, 5:5) 
does not match anything despite some traffic definitely falls into that 
conditions.

filtering 'action drop' and 'iport X action drop' filters IPv4 traffic only.
filter 'type ipv6 ...' can be set on (0,4,8,12,...) filter numbers 
yelling 'CHELSIO_T4_SET_FILTER: Invalid argument' on other numbers.


What can I do to debug further/fix this behavior?

Some more questions:
Does anybody known how I can get/set total number of HW firewall 
records? There is such tunable in Linux version.
Is there any way to retrieve _host_ interface statistic (e.g. how much 
traffic in packets/bytes are thrown to NIC driver)?




Setup description:

[packet generator replaying small PCAP with 280kpps rate] - cxgbe3 
[[FreeBSD 10-CURRENT r248721]].


PCAP is captured on my host machine so
1) Outgoing TCP checksums are almost all wrong
2) DST macs are not modified (so they are all unknown to NIC).

cxgbe3: 
flags=28943UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST,PPROMISC 
metric 0 mtu 1500

options=6c00bbRXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6
ether 00:07:43:11:88:d8
inet6 fe80::207:43ff:fe11:88d8%cxgbe3 prefixlen 64 scopeid 0x9
inet6 2a02:6b8:0:401:207:43ff:fe11:88d8 prefixlen 64 detached 
deprecated autoconf

nd6 options=23PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL
media: Ethernet 10Gbase-Twinax full-duplex
status: active

dev.t4nex.0.%desc: Chelsio T440-CR NIC (rev 2), S/N:PT42110574, 
E/C:01234567890123

dev.t4nex.0.%driver: t4nex
dev.t4nex.0.%location: slot=0 function=4
dev.t4nex.0.%pnpinfo: vendor=0x1425 device=0x4403 subvendor=0x1425 
subdevice=0x class=0x02

dev.t4nex.0.%parent: pci8
dev.t4nex.0.nports: 4
dev.t4nex.0.hw_revision: 2
dev.t4nex.0.firmware_version: 1.8.4.0
dev.t4nex.0.cf: default
dev.t4nex.0.cfcsum: 4260083439
dev.t4nex.0.linkcaps: 0
dev.t4nex.0.niccaps: 1NIC
dev.t4nex.0.toecaps: 0
dev.t4nex.0.rdmacaps: 0
dev.t4nex.0.iscsicaps: 0
dev.t4nex.0.fcoecaps: 0
dev.t4nex.0.core_clock: 228125
dev.t4nex.0.holdoff_timers: 1 5 10 50 100 200
dev.t4nex.0.holdoff_pkt_counts: 1 8 16 32
dev.t4nex.0.fwq.abs_id: 0
dev.t4nex.0.fwq.cntxt_id: 0
dev.t4nex.0.fwq.cidx: 121
dev.t4nex.0.mgmtq.cntxt_id: 0
dev.t4nex.0.mgmtq.cidx: 95
dev.t4nex.0.mgmtq.pidx: 111
dev.t4nex.0.mgmtq.tx_wrs: 119
dev.t4nex.0.mgmtq.no_desc: 0
dev.t4nex.0.mgmtq.unstalled: 0

# kenv | grep cxgbe
hw.cxgbe.fcoecaps_allowed=0
hw.cxgbe.iscsicaps_allowed=0
hw.cxgbe.nrxq10g=4
hw.cxgbe.ntxq10g=4
hw.cxgbe.qsize_rxq=4096
hw.cxgbe.qsize_txq=4096
hw.cxgbe.rdmacaps_allowed=0
hw.cxgbe.toecaps_allowed=0


TRAFFIC PART:
input   (cxgbe3)   output
   packets  errs idrops  bytespackets  errs  bytes colls
284368 0 0   85436494  0 0  0 0
284340 0 0   85442168  0 0  0 0
284205 0 0   85464055  0 0  0 0
...
(not changing, nearly constant rate, is not affected by filters)

# ipfw show 200
00200  16860  2685762 deny ip from any to any via cxgbe3

# Running counter to see how much is actually dropped/passed
# while true; do sleep 1; ipfw show 200 ; ipfw -q zero 200 ;done
[[ empty filters ]]
00200 281769 80351685 deny ip from any to any via cxgbe3
..
[[ ### (1) IPv4 EXPERIMENT ]]
[[ # ./cxgbetool t4nex0 filter 0 type ipv4 action drop ]]
00200 115263 15431259 deny ip from any to any via cxgbe3
00200 116523 15584332 deny ip from any to any via cxgbe3

[[# time tcpdump -i cxgbe3 -lnps0 -c 100 ip
18:18:42.621728 IP 95.108.170.36.39215  93.158.158.93.80: Flags [.], 
ack 4252241156, win 995, options [nop,nop,TS val 538195932 ecr 
1194270183], length 0

..
tcpdump -i cxgbe3 -lnps0 -c 100 ip  0,00s user 0,01s system 15% cpu 
0,059 total

#]]

[[ ### (2) IPv6 EXPERIMENT ]]
[[ # ./cxgbetool t4nex0 filter 4 type ipv6 action drop ]]
00200  64962 10332022 deny ip from any to any via cxgbe3
00200  64878 10327694 deny ip from any to any via cxgbe3
...
[[# time tcpdump -i cxgbe3 -lnps0 -c 100 ip6
18:21:34.553596 IP6 fe80::884:a1e8:86ae:57f7  ff02::16: HBH ICMP6, 
multicast listener report v2, 3 group record(s), length 68

..
tcpdump -i cxgbe3 -lnps0 -c 100 ip6  0,00s user 0,00s system 0% cpu 
0,483 total

#]]


Address in (1) is my host machine address, viewing resulting .pcap file 
in wireshark shows incorrect TCP checksums for IPv4 packets.
Other pcaps not

Re: DNAT in freebsd

2013-06-30 Thread Eugene Grosbein 
On 30.06.2013 18:48, Sami Halabi wrote:
 Hi,
 I don't understand how reverse mode works exactly, and didn't find a good 
 example.
 
 
 can you try and help on the configuration?

Well, that's pretty simple. Generally, NAT translates source IP address of the 
packet
keeping destination IP intact. You need both of source and
destination addresses get translated. Reverse NAT translates does,
well, reverse thing: it translates destination IP keeping source IP intact.
So, you just need setup two ipfw nat instances, one general and one reverse
and pass your packets through both instances.

Eugene Grosbein


___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Inconsistent NIC behavior

2013-06-30 Thread Barney Cordoba 
One particular annoyance with Freebsd is that different NICs have different 
dormant behavior.

For example em and igb both will show the link being active or not on boot 
whether the interface
has been UPed or not, while ixgbe and bce do not. 

I think it's a worthy goal to have NICs work the same in this manner. It's very 
valuable to know that
a nic is connected without having to UP it. And an annoyance when  you fire up 
a new box with a
new nic that shows No Carrier when the link light is on. 

It's really too much of a project for one person to have enough knowledge of 
multiple drivers to make the 
changes, so it would be best if the maintainers would do it.

BC
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: cxgbetool hw filtering issues

2013-06-30 Thread Navdeep Parhar 
On 06/30/13 07:25, Alexander V. Chernikov wrote:
 Hello list!
 
 While experimenting with Chelsio T440-CR (cxgbe) internal firewall, I'm
 getting some kind of unexpected results:

One bit of general advice to begin with: add hitcnts 1 to all your
filter rules and then you can see how many incoming packets hit that
filter in the output of cxgbetool t4nex0 filter list.  I really should
make hitcnts=1 the default in the driver.

 filtering 'type ipv4 action drop' permits IPv4 TCP traffic with bad
 checksum.

It may be that a bad checksum makes it an invalid IPv4 packet to the
chip and so it doesn't hit the type ipv4 rule.  There is an entirely
separate knob available to have the chip drop bad packets if you don't
want to see them.  The default is to let them through so that users can
examine them with tcpdump etc.

 filtering 'type IPv6 action drop' permits IPv6 traffic to multicast
 addresses (MLDv2, etc..)

The DMAC is an L2 multicast address?  Try proto 58 hitcnts 1 action
drop to get these ICMP6 packets.

 filtering 'ethtype 34525 action drop' (drop all IPv6) results in
 'CHELSIO_T4_SET_FILTER: Argument list too long' despite to what is said
 in budget table from cxgbetool.8

This _would_ have gotten everything with ethertype ipv6 but the default
filter mode doesn't have ethtype enabled, which is why it's complaining:
# cxgbetool t4nex0 filter mode
ipv4 ipv6 sip dip sport dport matchtype proto ivlan iport fcoe

 filtering 'matchtype 4 action drop' or similar (4,5,4:0,4:4, 5:0, 5:5)
 does not match anything despite some traffic definitely falls into that
 conditions.
 filtering 'action drop' and 'iport X action drop' filters IPv4 traffic
 only.

Strange.  I use iport X action drop hitcnts 1 as a packet black hole
all the time.  Were these the only filters when you tried them?  Are you
sure your packets didn't hit some other rule and were delivered as a
result of that?  Check the order in cxgbetool t4nex0 filter list

Also, are you going by the ifnet rx stats as displayed by netstat etc.?
 Right now the driver fills the ifnet stats directly from hardware
registers rather than counting the packets that it actually received
from the chip.  The hardware registers include packets that would have
been delivered to the driver if no filters were present but are dropped
due to a filter.

 filter 'type ipv6 ...' can be set on (0,4,8,12,...) filter numbers
 yelling 'CHELSIO_T4_SET_FILTER: Invalid argument' on other numbers.

Yes, IPv6 filters take 4 tid's (non-IPv6 take 1) and these tid's have to
start at a naturally aligned boundary.  No way around this.

 What can I do to debug further/fix this behavior?
 
 Some more questions:
 Does anybody known how I can get/set total number of HW firewall
 records? There is such tunable in Linux version.

I will add a simple sysctl for this.  For now you can indirectly figure
this out from the output of sysctl -n dev.t4nex.0.misc.tids -- the
FTIDs are the filter tids.  For example I see 1456 filters on this card:
trantor:~# sysctl -n dev.t4nex.0.misc.tids
ATID range: 0-8191, in use: 0
TID range: 2048-18431, in use: 0
STID range: 0-511, in use: 0
FTID range: 512-1967
HW TID usage: 0 IP users, 0 IPv6 users
trantor:~# echo $((1967 - 512 + 1))
1456

 Is there any way to retrieve _host_ interface statistic (e.g. how much
 traffic in packets/bytes are thrown to NIC driver)?

cxgbe(4) doesn't count this stuff itself.  Currently it just reads the
hardware registers once per second and it's done.  Software stats would
have to be per queue (and then aggregated from time to time).  I'll wait
to see where the PCPU counter work in the kernel goes before reworking
this part of the driver.

Regards,
Navdeep
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: DNAT in freebsd

2013-06-30 Thread Sami Halabi 
Hi Eugene,

It simply doesn't work for me, the reverse option doesn't work properly for
me it keeps translating the source instead of the destination...


On Sun, Jun 30, 2013 at 6:32 PM, Eugene Grosbein eu...@grosbein.net wrote:

 On 30.06.2013 18:48, Sami Halabi wrote:
  Hi,
  I don't understand how reverse mode works exactly, and didn't find a
 good example.
 
 
  can you try and help on the configuration?

 Well, that's pretty simple. Generally, NAT translates source IP address of
 the packet
 keeping destination IP intact. You need both of source and
 destination addresses get translated. Reverse NAT translates does,
 well, reverse thing: it translates destination IP keeping source IP intact.
 So, you just need setup two ipfw nat instances, one general and one
 reverse
 and pass your packets through both instances.

 Eugene Grosbein





-- 
Sami Halabi
Information Systems Engineer
NMS Projects Expert
FreeBSD SysAdmin Expert
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Duplicate Address Detection misfire?

2013-06-30 Thread Zaphod Beeblebrox 
I have a FreeBSD 9.1-RELEASE vmware guest running. It is using the
bridged type of networking with VMWare.  It gets it's IPv4 address from
DHCP (successfully) and then fails to initialize IPv6.  The relevant
rc.conf is:

ipv6_activate_all_interfaces=YES
ifconfig_em0_ipv6=inet6 accept_rtadv
ip6addrctl_verbose=YES

The console output says:

em0: DAD detected duplicate IPv6 address fe80:2::20c:29ff:fe0a:3989: NS
in/out=2/1, NA in=0
em0: DAD complete for fe80:2::20c:29ff:fe0a:3989 - duplicate found
em0: manual intervention required
em0: possible hardware address duplication deteted, disable IPv6

And subsequently, em0's nd6 has IFDISABLED in it.

With wireshark, I see two ICMPv6 neighbor solicitations that are identical
--- is this the problem?

How do I fix this?
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: Duplicate Address Detection misfire?

2013-06-30 Thread Hiroki Sato 
Zaphod Beeblebrox zbee...@gmail.com wrote
  in CACpH0McSM7HDeJcQ1pLcXuEZ96n=15ymcap4yhezghbbyeg...@mail.gmail.com:

zb I have a FreeBSD 9.1-RELEASE vmware guest running. It is using the
zb bridged type of networking with VMWare.  It gets it's IPv4 address from
zb DHCP (successfully) and then fails to initialize IPv6.  The relevant
zb rc.conf is:
zb
zb ipv6_activate_all_interfaces=YES
zb ifconfig_em0_ipv6=inet6 accept_rtadv
zb ip6addrctl_verbose=YES
zb
zb The console output says:
zb
zb em0: DAD detected duplicate IPv6 address fe80:2::20c:29ff:fe0a:3989: NS
zb in/out=2/1, NA in=0
zb em0: DAD complete for fe80:2::20c:29ff:fe0a:3989 - duplicate found
zb em0: manual intervention required
zb em0: possible hardware address duplication deteted, disable IPv6
zb
zb And subsequently, em0's nd6 has IFDISABLED in it.
zb
zb With wireshark, I see two ICMPv6 neighbor solicitations that are identical
zb --- is this the problem?
zb
zb How do I fix this?

 Does your host environment have the same address on the bridged
 interface?

-- Hiroki


pgpZ6CRgYpGOd.pgp
Description: PGP signature

Re: Duplicate Address Detection misfire?

2013-06-30 Thread Kevin Day 

On Jun 30, 2013, at 6:48 PM, Zaphod Beeblebrox zbee...@gmail.com wrote:

 I have a FreeBSD 9.1-RELEASE vmware guest running. It is using the
 bridged type of networking with VMWare.  It gets it's IPv4 address from
 DHCP (successfully) and then fails to initialize IPv6.  The relevant
 rc.conf is:
 
 ipv6_activate_all_interfaces=YES
 ifconfig_em0_ipv6=inet6 accept_rtadv
 ip6addrctl_verbose=YES
 
 The console output says:
 
 em0: DAD detected duplicate IPv6 address fe80:2::20c:29ff:fe0a:3989: NS
 in/out=2/1, NA in=0
 em0: DAD complete for fe80:2::20c:29ff:fe0a:3989 - duplicate found
 em0: manual intervention required
 em0: possible hardware address duplication deteted, disable IPv6
 
 And subsequently, em0's nd6 has IFDISABLED in it.
 
 With wireshark, I see two ICMPv6 neighbor solicitations that are identical
 --- is this the problem?
 
 How do I fix this?

Did you copy this VM and have both copies running at once? If so, it assigned 
the same MAC address to each VM. 

VMware is suppose to detect this and ask if you copied or moved the VM, and 
if you say copied it will randomly assign a new MAC to the VM. If this didn't 
happen or if you said moved when you actually copied it, just go in and 
delete/re-create the network interface in the VM's settings to create a new MAC 
for it.

If that's not the issue, we'd probably need more details about your 
configuration.




smime.p7s
Description: S/MIME cryptographic signature