Re: Bridging between rdomains
2010/1/5 Claudio Jeker:
> On Mon, Jan 04, 2010 at 09:04:49PM +0100, Csaba Szip wrote:
>> Hello!
>>
>> I am trying to bridge two rdomains with vether devices, but it doesn't work
>> for me. Is it a bug, or did I misunderstand something?
>>
>
> The bridge(4) code is not smart enough to support bridging between
> rdomains. I started looking into it.
> Actually it is impossible to pass traffic between two local interfaces.
> It is on my list to look at during n2k10
>
> --
> :wq Claudio
>

Oh, thank you, so this was the problem.
Bridging between rdomains
Hello!

I am trying to bridge two rdomains with vether devices, but it doesn't work for me. Is it a bug, or did I misunderstand something?

I use a snapshot from 2009.12.21.

Configuration:

Interfaces:

vether0: flags=8943 rdomain 1 mtu 1500
        lladdr 00:bd:2d:cb:d9:01
        priority: 0
        groups: vether
        media: Ethernet autoselect
        status: active
        inet 192.0.2.1 netmask 0xff00 broadcast 192.0.2.255
vether1: flags=8943 rdomain 2 mtu 1500
        lladdr 00:bd:80:0b:20:02
        priority: 0
        groups: vether
        media: Ethernet autoselect
        status: active
        inet 192.0.2.2 netmask 0xff00 broadcast 192.0.2.255
bridge0: flags=41
        groups: bridge
        priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
        vether1 flags=3
                port 7 ifpriority 0 ifcost 0
        vether0 flags=3
                port 6 ifpriority 0 ifcost 0

I ping vether1's IP from vether0:

# ping -V1 192.0.2.2
PING 192.0.2.2 (192.0.2.2): 56 data bytes

--- 192.0.2.2 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

Or vice versa:

# ping -V2 192.0.2.1
PING 192.0.2.1 (192.0.2.1): 56 data bytes

--- 192.0.2.1 ping statistics ---
2 packets transmitted, 0 packets received, 100.0% packet loss

ARP tables:

# arp -V1 -an
? (192.0.2.1) at 00:bd:2d:cb:d9:01 on vether0 static
? (192.0.2.2) at (incomplete) on vether0
# arp -V2 -an
? (192.0.2.1) at (incomplete) on vether1
? (192.0.2.2) at 00:bd:80:0b:20:02 on vether1 static

Routing tables:

# route -T1 -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
192.0.2/24         link#6             UC         2        0     -     4 vether0
192.0.2.1          00:bd:2d:cb:d9:01  UHLc       0        4     -     4 lo0
192.0.2.2          link#6             UHLc       0        2     -     4 vether0

# route -T2 -n show
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
192.0.2/24         link#7             UC         2        0     -     4 vether1
192.0.2.1          link#7             UHLc       0        2     -     4 vether1
192.0.2.2          00:bd:80:0b:20:02  UHLc       0        6     -     4 lo0

I am sniffing on the bridge0 interface and I only see ARP request packets.

# tcpdump -ni bridge0
tcpdump: listening on bridge0, link-type EN10MB
21:56:17.503668 arp who-has 192.0.2.2 tell 192.0.2.1
21:56:18.510956 arp who-has 192.0.2.2 tell 192.0.2.1
21:56:19.519647 arp who-has 192.0.2.2 tell 192.0.2.1
21:56:20.530857 arp who-has 192.0.2.2 tell 192.0.2.1
21:56:21.542214 arp who-has 192.0.2.2 tell 192.0.2.1

So what is the problem? Any help would be greatly appreciated.

Thx
Csszep
Re: Virtual pseudo-device 'vwire()' anyone?
Ok, I understand, but if I know right, rdomains are not only separated in L3 but in L2 too. See this paper: http://www.openbsd.org/papers/f2k9-vrf/

It is possible to use overlapping IP networks, and each rdomain has an independent ARP table. In the pf or route documentation I can't find (for the present) any section about routing packets between rdomains. But in my opinion your idea is useful, among other things, to interconnect two rdomains in L2.

Some imaginary example commands (inspired by FreeBSD's epair):

ifconfig vwire create

It creates two sub-interfaces, vwire0a and vwire0b (creating a virtual crossover cable), and after that

ifconfig vwire0a rdomain 1
ifconfig vwire0b rdomain 2
ifconfig vwire0a 1.1.1.1/24 up
ifconfig vwire0b 1.1.1.2/24 up

and

ping -V1 1.1.1.2

works.

Sorry for the noise
thx
Csszep

2009/12/25 Rolf Sommerhalder:
> On Fri, Dec 25, 2009 at 2:37 PM, Csaba Szip wrote:
>> OpenBSD has some network virtualization (not yet fully ready?) stuff
>> in the tree called rdomain. I am reading the current documentation, but I
>> don't find any solution to interconnect two rdomains. I created two
>> vether interfaces in different rdomains and switched them, but it doesn't
>> work. So it would be nice if this vwire (or similar) device were
>> provided and coexisted with rdomain.
>
> Hello Csszep, what you need to "glue" rdomains together is _routing_
> (combined eventually with some firewalling by pf) which operates at
> network layer-3 level, based on IP addresses etc. in IP packet
> headers.
>
> The purpose of vwire however is to establish a connection between two
> bridges which may have ether(4), other pseudo-devices such as tunX, and
> real physical interfaces as members. Thus vwire "glues" together two
> bridges which become like a large virtual switch with the member
> interfaces being switch ports. Note that the bridge and the
> interconnecting vwire operate at link layer-2 exclusively, e.g. we
> consider _switching_ which looks only at MAC addresses of Ethernet
> frames.
>
> Thus, vwire will not even (need to) be aware of the protocols used by
> the payload which these switched Ethernet frames encapsulate. vwire
> will essentially just be bi-directional pipes which transport bits
> between two bridges. In order to make things interesting, these pipes
> might introduce some distortion into those bit streams, like losing
> occasionally some bits, delaying them, etc.
>
> vwire will be a link layer-2 device, much like a UTP cable with some
> "bumps" in it. It will not know anything about IP nor routing at network
> layer-3.
>
> Regards,
> Rolf
Re: Virtual pseudo-device 'vwire()' anyone?
OpenBSD has some network virtualization (not yet fully ready?) stuff in the tree called rdomain. I am reading the current documentation, but I don't find any solution to interconnect two rdomains. I created two vether interfaces in different rdomains and switched them, but it doesn't work. So it would be nice if this vwire (or similar) device were provided and coexisted with rdomain.

Ps: FreeBSD has an epair(4) device for its vimage virtualization solution; something similar for rdomain would be great.

Ps 2: Sorry for my bad English

Thx
Csszep

2009/12/24 Rolf Sommerhalder:
> Recently, developers added the pseudo-device vether(4). Such virtual
> switch ports can be members of bridges. An additional pseudo-device
> 'vwire' would come in handy to interconnect two or more switches in a
> virtualized environment, without necessarily bridging to a physical
> switch port as well.
> In addition to providing a simple virtual wire, such a 'vwire'
> pseudo-device offers certain properties, such as delay, loss, jitter,
> MTU size, etc. Over time, 'vwire' could evolve to a digital "channel
> simulator" or even a "link emulator", similar to 'dummynet' for
> example which was/is used by m0n0wall and pfSense (primarily to
> implement traffic shaping/policing though).
>
> The description
> http://open-mesh.net/wiki/Emulation
> comes very close to what I am trying to set up on my OpenBSD laptop as
> a physical OpenBSD host, in order to emulate a network with several
> virtual OpenBSD machines as guests using qemu (e.g. a bunch of P, PE
> and CE routers of an MPLS network that uses lossy wireless links).
>
> Are you aware of anyone who may already work on an equivalent of
> 'wire_filter' and/or 'dummynet' in OpenBSD which connect bridges over
> virtual wires? Or do you have recommendations which existing
> pseudo-device(s) I should study first to get me started in the right
> direction with 'vwire'?
>
> Thank you,
> Rolf
pf logging session init and close with match action
Hi!

I would like to log a SYN packet at the beginning of sessions and the FIN and/or RST packet at the end with the new match action.

cat pf.conf

set skip on lo
block in log
pass out
match in log flags S/S
match in log flags F/F
match in log flags R/R
pass in proto tcp from any to (vic0) port 22

If I initiate a new ssh connection to the firewall, the match condition seems ok.

Jun 22 13:04:17.797771 rule 2/(match) match in on vic0: 192.168.229.1.3711 > 192.168.229.128.22: S 326636544:326636544(0) win 65535 (DF)

But if I terminate the ssh session I don't see any further logs.

So my question is: Is it possible to use the match action for this scenario (or something else), or did I totally misunderstand something?

Thx
Godot

PS: Sorry if my English is terrible
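As an added example (not part of the thread and not pf's own documentation) that shows why only the SYN is logged above and how to also get the closing packets into pflog: the `pass in` rule creates a state, and every later packet of the session is matched against the state table and never walks the ruleset, so the `flags F/F` and `flags R/R` match rules are only ever evaluated for a packet that has no state yet. Putting `log (all)` on the stateful rule makes pf log every packet that matches that state, including the FIN/RST at session end. The interface name `vic0` and port 22 are taken from the post; the rest of the ruleset is assumed.

```pf
# Added example, not the original poster's pf.conf: log the whole ssh
# session, including its FIN/RST, with log (all) on the stateful rule.
set skip on lo
block in log
pass out

# Only the first packet of a connection is evaluated against the ruleset;
# later packets hit the state table and skip it, so match rules keyed on
# F/F or R/R never see the end of the session. This one still logs the SYN.
match in log flags S/S

# log (all) on the rule that creates the state logs every packet matching
# that state, so the FIN/RST at session end appears in pflog alongside the SYN.
pass in log (all) proto tcp from any to (vic0) port 22
```

With `log (all)` every data packet of the session is logged too, so to see only the session boundaries, filter when reading the log, e.g. `tcpdump -n -e -ttt -r /var/log/pflog 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'`. On a busy ssh port this also grows pflog quickly, so keep the rule narrow (one interface, one port) as in the post.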