Re: Allow PING(8) in jails without raw socket access permissions

2020-10-23 Thread Dewayne Geraghty
On 15/10/2020 9:00 am, carlos antonio neira bustos wrote:
> Hello,
> 
> I have currently a patch in review with jamie which is the current jail
> maintainer and kyle evans, if anyone else could comment/review this patch :
> https://reviews.freebsd.org/D26782
> 
> What has been done is the following :
> 
> Raw socket access is allowed for ICMP protocol as is required by
> PING(8) but option IP_HDRINCL is not allowed. To accomplish this
> a new privilege PRIV_NETINET_ICMP_ACCESS has been added by default for
> jails.
> 
> 
> Bests
> ___
> freebsd-net@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
> 
Thanks for the heads-up Carlos.  I have a use for allowing only icmp
traffic, so it's beneficial.

However I do agree with BZ that it should not be enabled by default, as
it weakens the security model, enabling a broken jail to more easily
enumerate the wider network environment.



[Bug 125845] [tcp] [patch] tcp_lro_rx() should make use of hardware IP cksum assistance when available

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=125845

Navdeep Parhar  changed:

What       | Removed | Added
Status     | Open    | Closed
Resolution | ---     | Overcome By Events

--- Comment #5 from Navdeep Parhar  ---
The LRO code has been modified extensively since this bug was filed.  The
latest code does take CSUM_IP_CHECKED and CSUM_IP_VALID into account.

-- 
You are receiving this mail because:
You are the assignee for the bug.


[Bug 248652] iflib: netmap pkt-gen large TX performance difference between 11-STABLE and 12-STABLE/CURRENT on ix & ixl NIC

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248652

--- Comment #34 from Vincenzo Maffione  ---
(In reply to Sylvain Galliano from comment #33)
Ok, thanks. At this point it's clear that there are two independent issues that
slow down netmap-iflib on ix/ixl. The first is the lack of a per-tx-queue
netmap timer (or taskqueue). The second is the lack of descriptor writeback
moderation in ixl.
We can start by merging the timer patch, and then work on the separate ixl
issue.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


[Bug 125845] [tcp] [patch] tcp_lro_rx() should make use of hardware IP cksum assistance when available

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=125845

--- Comment #4 from Hans Petter Selasky  ---
Change looks good to me.



[Bug 125845] [tcp] [patch] tcp_lro_rx() should make use of hardware IP cksum assistance when available

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=125845

Michael Tuexen  changed:

What    | Removed | Added
Summary | [netinet] [patch] tcp_lro_rx() should make use of hardware IP cksum assistance when available | [tcp] [patch] tcp_lro_rx() should make use of hardware IP cksum assistance when available
CC      | | tue...@freebsd.org



[Bug 237720] [tcp] tcpip network stack seized for six hours after large high-throughput file transfer

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237720

Michael Tuexen  changed:

What    | Removed | Added
Summary | tcpip network stack seized for six hours after large high-throughput file transfer | [tcp] tcpip network stack seized for six hours after large high-throughput file transfer



[Bug 61744] [tcp] [patch] TCP hangs onto mbufs with no tcp data unnecessily under certain error conditions

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=61744

Michael Tuexen  changed:

What    | Removed | Added
Summary | [netinet] [patch] TCP hangs onto mbufs with no tcp data unnecessily under certain error conditions | [tcp] [patch] TCP hangs onto mbufs with no tcp data unnecessily under certain error conditions
CC      | | tue...@freebsd.org



[Bug 219991] [tcp][PATCH] TCP process bogus packets with too large ACK

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219991

Michael Tuexen  changed:

What    | Removed | Added
Summary | [PATCH] TCP process bogus packets with too large ACK | [tcp][PATCH] TCP process bogus packets with too large ACK



[Bug 250552] [net] [fib] dangling route table entry after destroying interface

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250552

Mark Linimon  changed:

What     | Removed          | Added
Assignee | b...@freebsd.org | n...@freebsd.org



[Bug 240946] [tcp] Check for ipv6_zoneid in tcp_hc_lookup() alongside inc6_faddr

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240946

Michael Tuexen  changed:

What    | Removed | Added
CC      | | tue...@freebsd.org
Summary | netinet: Check for ipv6_zoneid in tcp_hc_lookup() alongside inc6_faddr | [tcp] Check for ipv6_zoneid in tcp_hc_lookup() alongside inc6_faddr



[Bug 240416] [tcp] Windows scaling (net.inet.tcp.rfc1323=1) does not start the TCP connection to some systems

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240416

Michael Tuexen  changed:

What    | Removed | Added
Summary | Windows scaling (net.inet.tcp.rfc1323=1) does not start the TCP connection to some systems | [tcp] Windows scaling (net.inet.tcp.rfc1323=1) does not start the TCP connection to some systems
CC      | | tue...@freebsd.org



[Bug 238741] [tcp] RACK stack causes connections to hang

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238741

Michael Tuexen  changed:

What    | Removed | Added
Summary | RACK tcpip stack causes connections to hang | [tcp] RACK stack causes connections to hang
CC      | | tue...@freebsd.org



[Bug 242492] [tcp] TCP fast open observability

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=242492

Michael Tuexen  changed:

What    | Removed | Added
Summary | TCP fast open observability | [tcp] TCP fast open observability



[Bug 217214] [tcp] frequent panics in tcp_output/sbsndptr

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=217214

Michael Tuexen  changed:

What    | Removed | Added
Summary | frequent panics in tcp_output/sbsndptr | [tcp] frequent panics in tcp_output/sbsndptr
CC      | | tue...@freebsd.org



[Bug 234444] [tcp] cc_htcp + TCP_RFC7413 panic

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=23

Michael Tuexen  changed:

What    | Removed | Added
Summary | cc_htcp + TCP_RFC7413 panic | [tcp] cc_htcp + TCP_RFC7413 panic



[Bug 214558] [tcp] Improve descriptions for sysctl net.inet.tcp.keepinit

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214558

Michael Tuexen  changed:

What    | Removed | Added
Summary | Improve descriptions for sysctl net.inet.tcp.keepinit | [tcp] Improve descriptions for sysctl net.inet.tcp.keepinit
CC      | | tue...@freebsd.org



[Bug 250499] [tcp] Should we reject the packet with timestamp if no timestamp in SYN and SYN_ACK?

2020-10-23 Thread bugzilla-noreply
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=250499

Michael Tuexen  changed:

What   | Removed | Added
Status | New     | In Progress



Getting netgraph stats

2020-10-23 Thread Paul Thornton

I am having a problem monitoring network stats on jails on a host.

Scenario:
One host, FreeBSD 12.1, with a small number of vnet jails.

I'm using netgraph to bridge two or more VLANs from physical NICs into 
each jail - so each jail has at least 2 ngether interfaces which are the 
only NICs in the jail.


All of this works well.

And then I wanted to see what each of my ngethX interface statistics 
were doing - from my host.  snmpd only sees the physical NICs (of 
course, because the ngeth ones don't appear any more since the jails are 
started - they all moved to the jails).


As another approach, is there any way for me to get the network stats 
(in/out packets and in/out bytes) from my ngeth netgraph nodes directly?


Or have I missed some other way?  I really need to monitor the jails 
from the outside as I cannot guarantee I can reach snmpd running inside 
the jail (think of the jail as being a private environment where I 
cannot route my SNMP requests to).


Thanks

Paul.