Re: How to enable ECMP flow based forwarding ?

2017-02-14 Thread Andrey V. Elsukov
On 14.02.2017 22:52, Ermal Luçi wrote:
> I think you need to implement some code first. The fastfwd has not
> supported MPATH and tryforward also doesn't support it. For IPv4 you can
> try to add some IPsec security policy to disable ip_tryforward. In this
> case ip_forward() will be used, and it uses rtalloc_mpath_fib(), so,
> probably, it will work.
> 
> This seems to be a bug to file and which can quickly be fixed by
> presenting same behaviour that slow path does when RADIX_MPATH is active.
>
> It does not impact performance or any of the problems ip_tryforward() is
> trying to solve.
> 
> Try the attached patch it should fix your issues.

ip_tryforward() was changed to FIB4 KPI and your patch is not applicable
anymore.

-- 
WBR, Andrey V. Elsukov





Re: carp and subnets

2017-02-14 Thread Julien Cigar
On Tue, Feb 14, 2017 at 09:03:00AM -0800, Freddie Cash wrote:
> On Tue, Feb 14, 2017 at 7:41 AM, Julien Cigar  wrote:
> 
> > Hello,
> >
> > I have a redundant router/firewall with CARP and PF/PFSync with the
> > following configuration (simplified for example):
> >
> > on FW1 (MASTER):
> >
> > ifconfig_em3="inet 1.2.208.89 netmask 255.255.255.224 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
> >
> > on FW2 (BACKUP):
> >
> > ifconfig_em3="inet 1.2.208.91 netmask 255.255.255.224 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
> >
> > on both machines I have something like this in my /etc/pf.conf:
> > net_local="10.209.1.0/24"
> > net_prod="192.168.10.0/24"
> > if_wan="em3"
> > CARPvhid53="1.2.208.90"
> > nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvhid53
> >
> > it works great but I have a couple of questions:
> >
> > - is it possible to use different subnets for the "real" ips and the
> >   CARP vip ? in other words: I only have three public IPs and I'd like
> >   to reuse two of them. I wondered if something like this would work:
> >
> > on FW1 (MASTER):
> >
> > ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
> >
> > on FW2 (BACKUP):
> >
> > ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
> > ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
> >
> > (assuming that the switch is configured properly)
> >
> > - as the state table is synced between FW1 and FW2, is it possible to
> > do some load-balancing on the outgoing address?
> >
> > Thanks!
> >
>
> With FreeBSD 9.x and earlier, no, you can't.  The CARP setup uses the
> IP/subnet of the host interface for sending the CARP messages.
>
> With FreeBSD 10.x and above, yes, you can.  The CARP setup uses the
> IP/subnet of the VHID for sending CARP messages, which can be set to
> anything.  So long as all the member VHID interfaces are on the same subnet
> and connection.  It's one of the many nice things about the new CARP stuff
> on FreeBSD 10.x.

excellent, thank you!

> 
> -- 
> Freddie Cash
> fjwc...@gmail.com

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.




Re: How to enable ECMP flow based forwarding ?

2017-02-14 Thread Ermal Luçi
On Tue, Feb 14, 2017 at 6:13 AM, Andrey V. Elsukov wrote:

> On 14.02.2017 03:23, Olivier Cochard-Labbé wrote:
> > Hi,
> >
> > I'm testing FreeBSD ECMP behavior by adding "options RADIX_MPATH" to my
> > kernel configuration (11-stable).
> > Now I can configure two identical routes toward 2 different next-hop:
> > First step achieved :-)
> > But it uses only the first entry and never uses the second one.
> >
> > I've tried to shutdown the first next-hop router (then no more arp-reply
> > from this next-hop): But the ECMP FreeBSD router sticks to its first
> > route entry and never try the second entry :-(
> >
> > Is there something else to enable (like RSS?) for having a real ECMP flow
> > based router ?
>
> I think you need to implement some code first. The fastfwd has not
> supported MPATH and tryforward also doesn't support it. For IPv4 you can
> try to add some IPsec security policy to disable ip_tryforward. In this
> case ip_forward() will be used, and it uses rtalloc_mpath_fib(), so,
> probably, it will work.
>
This seems to be a bug to file and which can quickly be fixed by presenting
same behaviour that slow path does when RADIX_MPATH is active.

It does not impact performance or any of the problems ip_tryforward() is
trying to solve.

Try the attached patch it should fix your issues.


> --
> WBR, Andrey V. Elsukov

--
Ermal

diff --git a/sys/netinet/ip_fastfwd.c b/sys/netinet/ip_fastfwd.c
index ea59c10..0a50f62 100644
--- a/sys/netinet/ip_fastfwd.c
+++ b/sys/netinet/ip_fastfwd.c
@@ -108,7 +108,8 @@ __FBSDID("$FreeBSD$");
 #include 
 
 static struct sockaddr_in *
-ip_findroute(struct route *ro, struct in_addr dest, struct mbuf *m)
+ip_findroute(struct route *ro, struct ip *ip, struct in_addr dest,
+   struct mbuf *m)
 {
struct sockaddr_in *dst;
struct rtentry *rt;
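Review bot: The new `struct ip *ip` parameter of ip_findroute() is only read (for the source/destination XOR under RADIX_MPATH), so it should be declared `const struct ip *ip`, and the function needs a short comment saying that `ip` supplies the multipath hash input while `dest` remains the lookup key. Without that, the two address-bearing arguments look redundant to the next reader.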
@@ -121,7 +122,14 @@ ip_findroute(struct route *ro, struct in_addr dest, struct 
mbuf *m)
dst->sin_family = AF_INET;
dst->sin_len = sizeof(*dst);
dst->sin_addr.s_addr = dest.s_addr;
-   in_rtalloc_ign(ro, 0, M_GETFIB(m));
+#ifdef RADIX_MPATH
+rtalloc_mpath_fib(,
+ntohl(ip->ip_src.s_addr ^ ip->ip_dst.s_addr),
+M_GETFIB(m));
+#else
+in_rtalloc_ign(, 0, M_GETFIB(m));
+#endif
+
 
/*
 * Route there and interface still up?
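Review bot: In the added `#ifdef RADIX_MPATH` block both calls appear with an empty first argument (`rtalloc_mpath_fib(,` and `in_rtalloc_ign(, 0, M_GETFIB(m))`), whereas the removed line passed `ro`; `ro` is already a `struct route *` in this function, so both branches should pass it unchanged. The new lines are also not indented to match the line they replace, and the trailing blank `+` line leaves two empty lines before the "Route there and interface still up?" comment.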
@@ -305,7 +313,7 @@ passin:
/*
 * Find route to destination.
 */
-   if ((dst = ip_findroute(, dest, m)) == NULL)
+   if ((dst = ip_findroute(, ip, dest, m)) == NULL)
return NULL;/* icmp unreach already sent */
ifp = ro.ro_rt->rt_ifp;
 
@@ -366,7 +374,7 @@ forwardlocal:
m->m_flags &= ~M_IP_NEXTHOP;
}
RTFREE(ro.ro_rt);
-   if ((dst = ip_findroute(, dest, m)) == NULL)
+   if ((dst = ip_findroute(, ip, dest, m)) == NULL)
return NULL;/* icmp unreach already sent */
ifp = ro.ro_rt->rt_ifp;
}
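Review bot: At this second call, under `forwardlocal`, `M_IP_NEXTHOP` has just been cleared and the old route freed, so `dest` may no longer equal `ip->ip_dst`, yet the multipath hash inside ip_findroute() is computed from `ip->ip_src.s_addr ^ ip->ip_dst.s_addr`. If the next hop was overridden, the path choice is keyed on the original header rather than on the destination actually being looked up; consider hashing on `dest.s_addr`, or add a comment explaining why the header address is the intended key.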

___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: How to enable ECMP flow based forwarding ?

2017-02-14 Thread Scott Larson
 I'm successfully using ECMP on 11.0-RELEASE firewalls, but in my case
they're also using OSPF with a pair of upstream MX480 routers via Quagga.
BIRD would be nicer to work with but the last time I checked it wasn't
playing nice with ECMP on FreeBSD. Regardless, if OSPF is an option you can
pursue that will definitely work.


Scott Larson
Lead Systems Administrator
T 310 823 8238  |  M 310 904 8818

On Mon, Feb 13, 2017 at 4:23 PM, Olivier Cochard-Labbé wrote:

> Hi,
>
> I'm testing FreeBSD ECMP behavior by adding "options RADIX_MPATH" to my
> kernel configuration (11-stable).
> Now I can configure two identical routes toward 2 different next-hop: First
> step achieved :-)
> But it uses only the first entry and never uses the second one.
>
> I've tried to shutdown the first next-hop router (then no more arp-reply
> from this next-hop): But the ECMP FreeBSD router sticks to its first route
> entry and never try the second entry :-(
>
> Is there something else to enable (like RSS?) for having a real ECMP flow
> based router ?
>
> Thanks,

[Bug 204340] [panic] nfsd, em, msix, fatal trap 9

2017-02-14 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=204340

--- Comment #27 from commit-h...@freebsd.org ---
A commit references this bug:

Author: avg
Date: Tue Feb 14 17:49:08 UTC 2017
New revision: 313735
URL: https://svnweb.freebsd.org/changeset/base/313735

Log:
  add svcpool_close to handle killed nfsd threads

  This patch adds a new function to the server krpc called
  svcpool_close().  It is similar to svcpool_destroy(), but does not free
  the data structures, so that the pool can be used again.

  This function is then used instead of svcpool_destroy(),
  svcpool_create() when the nfsd threads are killed.

  PR:             204340
  Reported by:    Panzura
  Approved by:    rmacklem
  Obtained from:  rmacklem
  MFC after:      1 week

Changes:
  head/sys/fs/nfsserver/nfs_nfsdkrpc.c
  head/sys/rpc/svc.c
  head/sys/rpc/svc.h



Re: carp and subnets

2017-02-14 Thread Freddie Cash
On Tue, Feb 14, 2017 at 7:41 AM, Julien Cigar  wrote:

> Hello,
>
> I have a redundant router/firewall with CARP and PF/PFSync with the
> following configuration (simplified for example):
>
> on FW1 (MASTER):
>
> ifconfig_em3="inet 1.2.208.89 netmask 255.255.255.224 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
>
> on FW2 (BACKUP):
>
> ifconfig_em3="inet 1.2.208.91 netmask 255.255.255.224 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
>
> on both machines I have something like this in my /etc/pf.conf:
> net_local="10.209.1.0/24"
> net_prod="192.168.10.0/24"
> if_wan="em3"
> CARPvhid53="1.2.208.90"
> nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvhid53
>
> it works great but I have a couple of questions:
>
> - is it possible to use different subnets for the "real" ips and the
>   CARP vip ? in other words: I only have three public IPs and I'd like
>   to reuse two of them. I wondered if something like this would work:
>
> on FW1 (MASTER):
>
> ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
>
> on FW2 (BACKUP):
>
> ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
> ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
>
> (assuming that the switch is configured properly)
>
> - as the state table is synced between FW1 and FW2, is it possible to
> do some load-balancing on the outgoing address?
>
> Thanks!
>

With FreeBSD 9.x and earlier, no, you can't.  The CARP setup uses the
IP/subnet of the host interface for sending the CARP messages.

With FreeBSD 10.x and above, yes, you can.  The CARP setup uses the
IP/subnet of the VHID for sending CARP messages, which can be set to
anything.  So long as all the member VHID interfaces are on the same subnet
and connection.  It's one of the many nice things about the new CARP stuff
on FreeBSD 10.x.

-- 
Freddie Cash
fjwc...@gmail.com

carp and subnets

2017-02-14 Thread Julien Cigar
Hello,

I have a redundant router/firewall with CARP and PF/PFSync with the
following configuration (simplified for example):

on FW1 (MASTER):

ifconfig_em3="inet 1.2.208.89 netmask 255.255.255.224 -tso"
ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"

on FW2 (BACKUP):

ifconfig_em3="inet 1.2.208.91 netmask 255.255.255.224 -tso"
ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"

on both machines I have something like this in my /etc/pf.conf:
net_local="10.209.1.0/24"
net_prod="192.168.10.0/24"
if_wan="em3" 
CARPvhid53="1.2.208.90"
nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvhid53

it works great but I have a couple of questions:

- is it possible to use different subnets for the "real" ips and the
  CARP vip ? in other words: I only have three public IPs and I'd like
  to reuse two of them. I wondered if something like this would work:

on FW1 (MASTER):

ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"

on FW2 (BACKUP):

ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"

(assuming that the switch is configured properly)

- as the state table is synced between FW1 and FW2, is it possible to 
do some load-balancing on the outgoing address?

Thanks!

Julien

-- 
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11  6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.




Re: How to enable ECMP flow based forwarding ?

2017-02-14 Thread Andrey V. Elsukov
On 14.02.2017 03:23, Olivier Cochard-Labbé wrote:
> Hi,
> 
> I'm testing FreeBSD ECMP behavior by adding "options RADIX_MPATH" to my
> kernel configuration (11-stable).
> Now I can configure two identical routes toward 2 different next-hop: First
> step achieved :-)
> But it uses only the first entry and never uses the second one.
> 
> I've tried to shutdown the first next-hop router (then no more arp-reply
> from this next-hop): But the ECMP FreeBSD router sticks to its first route
> entry and never try the second entry :-(
> 
> Is there something else to enable (like RSS?) for having a real ECMP flow
> based router ?

I think you need to implement some code first. The fastfwd has not
supported MPATH and tryforward also doesn't support it. For IPv4 you can
try to add some IPsec security policy to disable ip_tryforward. In this
case ip_forward() will be used, and it uses rtalloc_mpath_fib(), so,
probably, it will work.

-- 
WBR, Andrey V. Elsukov





Re: Duplicate MAC addresses in VNET epair interfaces

2017-02-14 Thread Giulio Ferro

On 14/02/2017 13:51, Bjoern A. Zeeb wrote:

> > ifconfig epair0b ether ether 02:ff:e0:00:00:0b
> > ifconfig: can't set link-level netmask or broadcast
>
> Two “ether”s there but I assume that’s a copy and paste issue?

No, it's just me being stupid and careless... ;)

Ok, it works great both in the jail and in the host.
I've put the ether address in the /etc/start_if.epairxx files, as I
think it should be supposed to be.

Thanks a lot for your support!

Giulio.

> > I've tried manually, in the rc.conf file
> > (ifconfig_epair0b="ether..."), and in the /etc/start_if.epair0b file,
> > but neither of these three ways actually work to set the mac address
> > of the epair interface within the jail.
> >
> > On the other hand, no problem setting the mac of epair in the host...
>
> And that’s what you should do.  Despite epairs being virtual
> interfaces, think of them as hardware that you are only “loaning” to
> the vnet-jail but don’t want the jail to mess with all the hw settings.
>
> And you probably want to change the ether addresses on both ends anyway.
>
> /bz

Re: Duplicate MAC addresses in VNET epair interfaces

2017-02-14 Thread Bjoern A. Zeeb

On 14 Feb 2017, at 9:26, Giulio Ferro wrote:

> Hi Bjoern, thanks for your reply...
>
> the idea is sound, but unfortunately setting the mac address of the
> epair interface inside the jail doesn't work:
>
> ifconfig epair0b ether ether 02:ff:e0:00:00:0b
> ifconfig: can't set link-level netmask or broadcast

Two “ether”s there but I assume that’s a copy and paste issue?

> I've tried manually, in the rc.conf file
> (ifconfig_epair0b="ether..."), and in the /etc/start_if.epair0b file,
> but neither of these three ways actually work to set the mac address
> of the epair interface within the jail.
>
> On the other hand, no problem setting the mac of epair in the host...

And that’s what you should do.  Despite epairs being virtual
interfaces, think of them as hardware that you are only “loaning” to
the vnet-jail but don’t want the jail to mess with all the hw
settings.

And you probably want to change the ether addresses on both ends anyway.

/bz
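
One way to follow the advice above and give both ends of each epair a distinct address from the host side, as an added example that is not code from anyone in this thread. The seed format (host name plus interface name) and the helper names `hash_hex`, `epair_mac` and `epair_commands` are assumptions made for illustration; the first octet is fixed at 02 as in the `ifconfig ... ether 02:...` suggestion quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): stable, per-host MAC addresses for epairs.
# Assumption: "<host>/<ifname>" is unique among the hosts bridged together.

# SHA-256 of a string as hex; FreeBSD has sha256(1), Linux has sha256sum(1).
hash_hex() {
    if command -v sha256 >/dev/null 2>&1; then
        printf '%s' "$1" | sha256 -q
    else
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    fi
}

# epair_mac SEED: print 02:xx:xx:xx:xx:xx derived from SEED.
# First octet 02 = locally administered bit set, group (multicast) bit clear.
epair_mac() {
    hash_hex "$1" | cut -c1-10 | sed 's/\(..\)/:\1/g; s/^/02/'
}

# epair_commands HOST UNIT: print the host-side ifconfig lines for both ends.
epair_commands() {
    for end in a b; do
        ifn="epair${2}${end}"
        echo "ifconfig ${ifn} ether $(epair_mac "${1}/${ifn}")"
    done
}

# Constructed sample: two hosts that would otherwise both create epair0.
epair_commands hostA 0
epair_commands hostB 0
```

The printed lines are meant to be run on the host, or placed in the matching /etc/start_if.epairxx file, which is where the reporter in this thread says he put the setting.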

Re: netmap_mem_get_info

2017-02-14 Thread Slawa Olhovchenkov
On Tue, Feb 14, 2017 at 12:26:55PM +0100, Vincenzo Maffione wrote:

> Hi,
>   Have you tried to play with netmap sysctl parameters like:
> 
> dev.netmap.buf_num
> dev.netmap.ring_num
> dev.netmap.if_num
> 
> those are listed in the sysctl section of the netmap man page.

The man page hides details about the calculation rules of these parameters.


Re: netmap_mem_get_info

2017-02-14 Thread Vincenzo Maffione
Hi,
  Have you tried to play with netmap sysctl parameters like:

dev.netmap.buf_num
dev.netmap.ring_num
dev.netmap.if_num

those are listed in the sysctl section of the netmap man page.

Cheers,
  Vincenzo

2017-02-11 13:34 GMT+01:00 amir alipour:

> hi
> i am trying to assign more memory to netmap but it fails
> i trace it to "netmap_mem_get_info" function ,this function changes my
> defined memory size to 343019520 and i cant find the implementation of it
> in the source code!
>
> Thank you for any help you can provide
>



-- 
Vincenzo Maffione


Re: Duplicate MAC addresses in VNET epair interfaces

2017-02-14 Thread Giulio Ferro

On 06/02/2017 20:53, Bjoern A. Zeeb wrote:

> > This is a potentially bad behavior, because if I want to bridge say
> > epair1a on A with epair10a on B with a VPN or
> > a physical connection giving 192.168.1.1 to epair1b and 192.168.1.2
> > to epair10b, I won't be able to make them
> > talk to each other since they have the same MAC address.
> >
> > My question is: is this a bug or something I'm doing wrong? Is there
> > any workaround I can use?
>
> From the man page:
>
>      Like any other Ethernet interface, an epair needs to have a network
>      address.  Each epair will be assigned a locally administered address by
>      default, that is only guaranteed to be unique within one network stack.
>      To change the default addresses one may use the SIOCSIFADDR ioctl(2) or
>      ifconfig(8) utility.
>
> I thought someone patched it a few years ago to have a pseudo-random
> part to make collisions less likely and use the FreeBSD vendor space,
> but it seems that never happened for epair (or didn’t make it into the
> tree).
>
> ifconfig epair[ab] ether 02:xx:xx:xx:xx  is your friend for now.

Hi Bjoern, thanks for your reply...

the idea is sound, but unfortunately setting the mac address of the
epair interface inside the jail doesn't work:

ifconfig epair0b ether ether 02:ff:e0:00:00:0b
ifconfig: can't set link-level netmask or broadcast

I've tried manually, in the rc.conf file (ifconfig_epair0b="ether..."),
and in the /etc/start_if.epair0b file,
but neither of these three ways actually work to set the mac address of
the epair interface within the jail.

On the other hand, no problem setting the mac of epair in the host...

Do you know of any way to work around this?
