Re: Need Netgraph Help [fixed]

2018-04-25 Thread Julian Elischer

On 24/4/18 12:11 am, John Lyon wrote:

If you found that thread, you found my answer. :-)  I'm one of the posters
on that particular PFSense thread.

In short summary, I have a theory that should work but I haven't tested it
yet due to a lack of opportunity.  The netgraph code that forwards the
EAP-OL traffic works.  The problem is handling the fact that ATT tags all
traffic as VLAN ID 0, which FreeBSD's vlan interface does not support.  I
filed a bug report on the matter, but was told "use Netgraph".  Basically,
you either have to add/remove the vlan 0 tag since you can't create a
virtual interface on vlan 0 like you can in Linux.


ok so here's what you need to do
disable hw vlan so that vlan headers are visible to netgraph
pass BOTH interfaces directly into a vlan0 netgraph node, oriented so 
the tagged side faces the interface and the untagged side faces the 
(single) eap filter.
The NON eap traffic is sent to the "upper" hook of the main 
interface..  The second interface has nothing attached to its upper 
hook (as in the diagram sent).
The question is whether ALL traffic is vlan 0 or just traffic direct 
to the RG?


As I said it may be a neat feature to teach the etf node about vlans 
and even Q-in-Q.






John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Sun, Apr 22, 2018 at 12:52 AM, GPz1100a wrote:


@John

Did you ever get this fully figured out?  I'm trying to do what I think is
the same thing with my fiber internet connection - eliminate the need to use
the isp provided gateway (or at least reduce its function). I'm running
*opnsense*.   This thread
https://forum.pfsense.org/index.php?topic=111043.msg793292#msg793292 is what
led me here.

Three nics correspond to the following

em0 - ONT (WAN)
xl0 - 3com pci - isp provided residential gateway (RG)
ue0 - usb nic - LAN

Using Julian's code from Jan 06, 2018; 1:39pm,

  ngctl mkpeer em0: etf lower downstream
  ngctl name em0:lower waneapfilter
  ngctl connect waneapfilter: em0: nomatch upper

  ngctl mkpeer xl0: etf lower downstream
  ngctl name  xl0:lower laneapfilter
  ngctl connect laneapfilter:  xl0: nomatch upper

*ngctl connect waneapfilter laneapfilter eapout eapout*

  ngctl msg waneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'
  ngctl msg laneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'

When I get to the command in bold it comes back with this error:

root@OPNsense:~ #  ngctl connect waneapfilter laneapfilter eapout eapout
ngctl: send msg: No such file or directory

I'm not sure how to proceed from here.

Thanks for any help you (or others) can offer.

--J




--
Sent from: http://freebsd.1045724.x6.nabble.com/freebsd-net-f4005075.html
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"




Re: Need Netgraph Help [fixed]

2018-04-23 Thread John Lyon
That's interesting.  Why did you insert ng_vlan "backwards"?  My thought is
that you would want to do something like this (because the whole point is
you want to remove the VID=0 tag since FreeBSD won't bind to VID=0):

ONT]em0]lower---downstream[VLAN]vlan0---downstream[eapfilter:]nomatch---upper[em0...
                                                   eapout
                                                     |
                                                     |
                                                     |
RG]--em1]lower---------------------------------------/


John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Mon, Apr 23, 2018 at 5:55 AM, Julian Elischer wrote:

> On 22/4/18 12:52 pm, GPz1100a wrote:
>
>> @John
>>
>> Did you ever get this fully figured out?  I'm trying to do what I think is
>> the same thing with my fiber internet connection - eliminate the need to use
>> the isp provided gateway (or at least reduce its function). I'm running
>> *opnsense*.   This thread
>> https://forum.pfsense.org/index.php?topic=111043.msg793292#msg793292 is what
>> led me here.
>>
>> Three nics correspond to the following
>>
>> em0 - ONT (WAN)
>> xl0 - 3com pci - isp provided residential gateway (RG)
>> ue0 - usb nic - LAN
>>
>> Using Julian's code from Jan 06, 2018; 1:39pm,
>>
>>   ngctl mkpeer em0: etf lower downstream
>>   ngctl name em0:lower waneapfilter
>>   ngctl connect waneapfilter: em0: nomatch upper
>>
>>   ngctl mkpeer xl0: etf lower downstream
>>   ngctl name  xl0:lower laneapfilter
>>   ngctl connect laneapfilter:  xl0: nomatch upper
>>
>> *ngctl connect waneapfilter laneapfilter eapout eapout*
>>
>>   ngctl msg waneapfilter: 'setfilter { matchhook="eapout"
>> ethertype=0x888e }'
>>   ngctl msg laneapfilter: 'setfilter { matchhook="eapout"
>> ethertype=0x888e }'
>>
>> When I get to the command in bold it comes back with this error:
>>
>> root@OPNsense:~ #  ngctl connect waneapfilter laneapfilter eapout eapout
>> ngctl: send msg: No such file or directory
>>
>> I'm not sure how to proceed from here.
>>
>> Thanks for any help you (or others) can offer.
>>
>> --J
>>
>>
> I wish I had known the full picture before..
> then I could have added the required bits:
>
> So I think you need this:
>
> ONT]em0]lower---downstream[eapfilter:]nomatch---vlan0[VLAN]downstream---upper[em0...
>                                eapout
>                                  |
>                                  |
>                                  |
> RG]--em1]lower-------------------/
>
>   ie. use an etf node on each interface.
>
> ngctl mkpeer igb0: etf lower downstream
> ngctl name igb0:lower eapfilter
> ngctl mkpeer igb0: vlan upper downstream
> ngctl name igb0:upper vlanheader
> ngctl msg vlanheader: addfilter '{ vlan=0 hook="vlan0" }'
> ngctl connect vlanheader: eapfilter: vlan0 nomatch
> ngctl connect eapfilter: igb1: eapout lower
> ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
>
> note the vlan node is inserted "backwards"..
>
>
>
>>
>


Re: Need Netgraph Help [fixed]

2018-04-23 Thread John Lyon
If you found that thread, you found my answer. :-)  I'm one of the posters
on that particular PFSense thread.

In short summary, I have a theory that should work but I haven't tested it
yet due to a lack of opportunity.  The netgraph code that forwards the
EAP-OL traffic works.  The problem is handling the fact that ATT tags all
traffic as VLAN ID 0, which FreeBSD's vlan interface does not support.  I
filed a bug report on the matter, but was told "use Netgraph".  Basically,
you either have to add/remove the vlan 0 tag since you can't create a
virtual interface on vlan 0 like you can in Linux.




John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Sun, Apr 22, 2018 at 12:52 AM, GPz1100a wrote:

> @John
>
> Did you ever get this fully figured out?  I'm trying to do what I think is
> the same thing with my fiber internet connection - eliminate the need to use
> the isp provided gateway (or at least reduce its function). I'm running
> *opnsense*.   This thread
> https://forum.pfsense.org/index.php?topic=111043.msg793292#msg793292 is what
> led me here.
>
> Three nics correspond to the following
>
> em0 - ONT (WAN)
> xl0 - 3com pci - isp provided residential gateway (RG)
> ue0 - usb nic - LAN
>
> Using Julian's code from Jan 06, 2018; 1:39pm,
>
>  ngctl mkpeer em0: etf lower downstream
>  ngctl name em0:lower waneapfilter
>  ngctl connect waneapfilter: em0: nomatch upper
>
>  ngctl mkpeer xl0: etf lower downstream
>  ngctl name  xl0:lower laneapfilter
>  ngctl connect laneapfilter:  xl0: nomatch upper
>
> *ngctl connect waneapfilter laneapfilter eapout eapout*
>
>  ngctl msg waneapfilter: 'setfilter { matchhook="eapout"
> ethertype=0x888e }'
>  ngctl msg laneapfilter: 'setfilter { matchhook="eapout"
> ethertype=0x888e }'
>
> When I get to the command in bold it comes back with this error:
>
> root@OPNsense:~ #  ngctl connect waneapfilter laneapfilter eapout eapout
> ngctl: send msg: No such file or directory
>
> I'm not sure how to proceed from here.
>
> Thanks for any help you (or others) can offer.
>
> --J
>
>
>
>


Re: Need Netgraph Help [fixed]

2018-04-23 Thread Julian Elischer

On 23/4/18 6:11 pm, Julian Elischer wrote:

On 23/4/18 5:55 pm, Julian Elischer wrote:

On 22/4/18 12:52 pm, GPz1100a wrote:

@John

Did you ever get this fully figured out?  I'm trying to do what I think is
the same thing with my fiber internet connection - eliminate the need to use
the isp provided gateway (or at least reduce its function). I'm running
*opnsense*.   This thread
https://forum.pfsense.org/index.php?topic=111043.msg793292#msg793292 is what
led me here.

Three nics correspond to the following

em0 - ONT (WAN)
xl0 - 3com pci - isp provided residential gateway (RG)
ue0 - usb nic - LAN

Using Julian's code from Jan 06, 2018; 1:39pm,

  ngctl mkpeer em0: etf lower downstream
  ngctl name em0:lower waneapfilter
  ngctl connect waneapfilter: em0: nomatch upper

  ngctl mkpeer xl0: etf lower downstream
  ngctl name  xl0:lower laneapfilter
  ngctl connect laneapfilter:  xl0: nomatch upper

*ngctl connect waneapfilter laneapfilter eapout eapout*

  ngctl msg waneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'
  ngctl msg laneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'

When I get to the command in bold it comes back with this error:

root@OPNsense:~ #  ngctl connect waneapfilter laneapfilter eapout eapout
ngctl: send msg: No such file or directory

I'm not sure how to proceed from here.

Thanks for any help you (or others) can offer.

--J



I wish I had known the full picture before..
then I could have added the required bits:

So I think you need this:

ONT]em0]lower---downstream[eapfilter:]nomatch---vlan0[VLAN]downstream---upper[em0...
                               eapout
                                 |
                                 |
                                 |
RG]--em1]lower-------------------/


the following line is no longer true of course

  ie. use an etf node on each interface.




ngctl mkpeer igb0: etf lower downstream
ngctl name igb0:lower eapfilter
ngctl mkpeer igb0: vlan upper downstream
ngctl name igb0:upper vlanheader
ngctl msg vlanheader: addfilter '{ vlan=0 hook="vlan0" }'
ngctl connect vlanheader: eapfilter: vlan0 nomatch
ngctl connect eapfilter: igb1: eapout lower
ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'


however having sent this I realise it may not work.. because the etf 
node doesn't take into account vlan labels, because vlan labels are 
themselves in fact a special case of ethertype.. (0x8100)


so to know if this will work I need to know what a packet at the 
netgraph insertion point looks like:


to find this out, attach the nghook program to an inserted ngtee 
node (inserted somewhere in your current graph) and see what comes 
out. (with -a ).


so we can see what the packets look like.


see 
https://forum.pfsense.org/index.php?action=post;topic=111043.30;last_msg=798618









note the vlan node is inserted "backwards"..




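
Julian's point about the etf node (it keys on the 16-bit ethertype field, and an 802.1Q tag puts 0x8100 in that field, so a VID-0-tagged EAPOL frame never matches 0x888e until something strips the tag) and his 25 April remark about teaching etf about VLANs and Q-in-Q can both be checked against bytes. The block below is an added example, not code from this thread or from FreeBSD: it models only the classification rules ng_etf(4) and ng_vlan(4) document, on constructed sample frames, and goes one step beyond the thread by walking a Q-in-Q tag stack to the innermost ethertype. It assumes ng_vlan accepts an addfilter entry for VID 0 (the thread's open question); MAC addresses, payloads and the route_* wiring are constructed to match the graphs discussed above.

```python
"""Model of the ng_etf / ng_vlan classification the thread argues about.

Added example, not code from the thread or from FreeBSD.  Only the documented
decision rules are modelled: ng_etf compares the 16-bit ethertype field at
byte offset 12 of the frame with its 'setfilter' table; ng_vlan, on a tagged
frame arriving on 'downstream', strips the 4-byte 802.1Q tag and hands the
frame to the hook registered for that VID with 'addfilter'.
"""
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q customer tag
ETHERTYPE_QINQ = 0x88A8   # 802.1ad service tag (outer tag of a Q-in-Q frame)
ETHERTYPE_EAPOL = 0x888E  # the value the thread's setfilter matches on
TAG_ETHERTYPES = {ETHERTYPE_VLAN, ETHERTYPE_QINQ}

# Constructed sample addresses (locally administered), not from the thread.
ONT_MAC = bytes.fromhex("020000000001")
RG_MAC = bytes.fromhex("020000000002")
EAPOL_START = b"\x02\x01\x00\x00"  # EAPOL v2, type 1 (Start), body length 0


def build_frame(dst, src, ethertype, payload, vids=(), tag_type=ETHERTYPE_VLAN):
    """Ethernet frame with one tag per VID in `vids` (outermost first, PCP=0, DEI=0)."""
    tags = b"".join(struct.pack("!HH", tag_type, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def outer_ethertype(frame):
    """The ethertype field as ng_etf sees it: bytes 12-13, whatever follows."""
    return struct.unpack("!H", frame[12:14])[0]


def etf_hook(frame, filters):
    """ng_etf on 'downstream': `filters` maps ethertype -> hook; else 'nomatch'."""
    return filters.get(outer_ethertype(frame), "nomatch")


def vlan_strip(frame, vlan_hooks):
    """ng_vlan on 'downstream'.  Returns (hook, frame_out).  Tagged frames whose
    VID is in `vlan_hooks` lose their tag and go to that hook; untagged frames
    and unregistered VIDs are passed unchanged on 'nomatch'."""
    if outer_ethertype(frame) != ETHERTYPE_VLAN:
        return "nomatch", frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    hook = vlan_hooks.get(vid)
    if hook is None:
        return "nomatch", frame
    return hook, frame[:12] + frame[16:]   # drop the 4-byte tag


def innermost_ethertype(frame):
    """Walk past any stack of 802.1Q/802.1ad tags.  Returns (ethertype, [vids]).
    This is what a VLAN- and Q-in-Q-aware etf node would have to do."""
    off, vids = 12, []
    while off + 4 <= len(frame):
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
        if ethertype not in TAG_ETHERTYPES:
            break
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return struct.unpack("!H", frame[off:off + 2])[0], vids


# setfilter { matchhook="eapout" ethertype=0x888e }
EAPOL_FILTER = {ETHERTYPE_EAPOL: "eapout"}


def route_etf_only(frame):
    """January graph: iface lower -> etf downstream; 0x888e -> eapout, rest -> nomatch (upper)."""
    return "etf:" + etf_hook(frame, EAPOL_FILTER)


def route_vlan_then_etf(frame):
    """April graph: ng_vlan with addfilter { vlan=0 hook="vlan0" } sits between the
    interface and the etf node, so the tag is gone before the ethertype is compared."""
    hook, stripped = vlan_strip(frame, {0: "vlan0"})
    if hook != "vlan0":
        return "vlan:" + hook   # untagged / other-VID frames never reach the filter
    return "etf:" + etf_hook(stripped, EAPOL_FILTER)


def demo():
    """Where a VID-0-tagged EAPOL-Start from the ONT ends up in each graph."""
    plain = build_frame(RG_MAC, ONT_MAC, ETHERTYPE_EAPOL, EAPOL_START)
    tagged0 = build_frame(RG_MAC, ONT_MAC, ETHERTYPE_EAPOL, EAPOL_START, vids=(0,))
    return {
        "untagged, etf only": route_etf_only(plain),            # etf:eapout
        "VID 0, etf only": route_etf_only(tagged0),             # etf:nomatch, i.e. to 'upper'
        "VID 0, vlan then etf": route_vlan_then_etf(tagged0),   # etf:eapout
        "VID 0 as seen by etf": hex(outer_ethertype(tagged0)),  # 0x8100
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The `nghook -a` capture Julian asks for is the real-world version of `outer_ethertype`: if the bytes at offset 12 read 81 00, the etf filter alone cannot match 0x888e.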


Re: Need Netgraph Help [fixed]

2018-04-23 Thread Julian Elischer

On 23/4/18 5:55 pm, Julian Elischer wrote:

On 22/4/18 12:52 pm, GPz1100a wrote:

@John

Did you ever get this fully figured out?  I'm trying to do what I think is
the same thing with my fiber internet connection - eliminate the need to use
the isp provided gateway (or at least reduce its function). I'm running
*opnsense*.   This thread
https://forum.pfsense.org/index.php?topic=111043.msg793292#msg793292 is what
led me here.

Three nics correspond to the following

em0 - ONT (WAN)
xl0 - 3com pci - isp provided residential gateway (RG)
ue0 - usb nic - LAN

Using Julian's code from Jan 06, 2018; 1:39pm,

  ngctl mkpeer em0: etf lower downstream
  ngctl name em0:lower waneapfilter
  ngctl connect waneapfilter: em0: nomatch upper

  ngctl mkpeer xl0: etf lower downstream
  ngctl name  xl0:lower laneapfilter
  ngctl connect laneapfilter:  xl0: nomatch upper

*ngctl connect waneapfilter laneapfilter eapout eapout*

  ngctl msg waneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'
  ngctl msg laneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'

When I get to the command in bold it comes back with this error:

root@OPNsense:~ #  ngctl connect waneapfilter laneapfilter eapout eapout
ngctl: send msg: No such file or directory

I'm not sure how to proceed from here.

Thanks for any help you (or others) can offer.

--J



I wish I had known the full picture before..
then I could have added the required bits:

So I think you need this:

ONT]em0]lower---downstream[eapfilter:]nomatch---vlan0[VLAN]downstream---upper[em0...
                               eapout
                                 |
                                 |
                                 |
RG]--em1]lower-------------------/


the following line is no longer true of course

  ie. use an etf node on each interface.




ngctl mkpeer igb0: etf lower downstream
ngctl name igb0:lower eapfilter
ngctl mkpeer igb0: vlan upper downstream
ngctl name igb0:upper vlanheader
ngctl msg vlanheader: addfilter '{ vlan=0 hook="vlan0" }'
ngctl connect vlanheader: eapfilter: vlan0 nomatch
ngctl connect eapfilter: igb1: eapout lower
ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'


however having sent this I realise it may not work.. because the etf 
node doesn't take into account vlan labels, because vlan labels are 
themselves in fact a special case of ethertype.. (0x8100)


so to know if this will work I need to know what a packet at the 
netgraph insertion point looks like:


to find this out, attach the nghook program to an inserted ngtee node 
(inserted somewhere in your current graph) and see what comes out. 
(with -a ).


so we can see what the packets look like.






note the vlan node is inserted "backwards"..






Re: Need Netgraph Help [fixed]

2018-04-23 Thread Julian Elischer

On 22/4/18 12:52 pm, GPz1100a wrote:

@John

Did you ever get this fully figured out?  I'm trying to do what I think is
the same thing with my fiber internet connection - eliminate the need to use
the isp provided gateway (or at least reduce its function). I'm running
*opnsense*.   This thread
https://forum.pfsense.org/index.php?topic=111043.msg793292#msg793292 is what
led me here.

Three nics correspond to the following

em0 - ONT (WAN)
xl0 - 3com pci - isp provided residential gateway (RG)
ue0 - usb nic - LAN

Using Julian's code from Jan 06, 2018; 1:39pm,

  ngctl mkpeer em0: etf lower downstream
  ngctl name em0:lower waneapfilter
  ngctl connect waneapfilter: em0: nomatch upper

  ngctl mkpeer xl0: etf lower downstream
  ngctl name  xl0:lower laneapfilter
  ngctl connect laneapfilter:  xl0: nomatch upper

*ngctl connect waneapfilter laneapfilter eapout eapout*

  ngctl msg waneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'
  ngctl msg laneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'

When I get to the command in bold it comes back with this error:

root@OPNsense:~ #  ngctl connect waneapfilter laneapfilter eapout eapout
ngctl: send msg: No such file or directory

I'm not sure how to proceed from here.

Thanks for any help you (or others) can offer.

--J



I wish I had known the full picture before..
then I could have added the required bits:

So I think you need this:

ONT]em0]lower---downstream[eapfilter:]nomatch---vlan0[VLAN]downstream---upper[em0...
                               eapout
                                 |
                                 |
                                 |
RG]--em1]lower-------------------/

  ie. use an etf node on each interface.

ngctl mkpeer igb0: etf lower downstream
ngctl name igb0:lower eapfilter
ngctl mkpeer igb0: vlan upper downstream
ngctl name igb0:upper vlanheader
ngctl msg vlanheader: addfilter '{ vlan=0 hook="vlan0" }'
ngctl connect vlanheader: eapfilter: vlan0 nomatch
ngctl connect eapfilter: igb1: eapout lower
ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'


note the vlan node is inserted "backwards"..






Re: Need Netgraph Help [fixed]

2018-04-23 Thread Julian Elischer

On 22/4/18 12:52 pm, GPz1100a wrote:

@John

Did you ever get this fully figured out?  I'm trying to do what I think is
the same thing with my fiber internet connection - eliminate the need to use
the isp provided gateway (or at least reduce its function). I'm running
*opnsense*.   This thread
https://forum.pfsense.org/index.php?topic=111043.msg793292#msg793292 is what
led me here.

Three nics correspond to the following

em0 - ONT (WAN)
xl0 - 3com pci - isp provided residential gateway (RG)
ue0 - usb nic - LAN

Using Julian's code from Jan 06, 2018; 1:39pm,

  ngctl mkpeer em0: etf lower downstream
  ngctl name em0:lower waneapfilter
  ngctl connect waneapfilter: em0: nomatch upper

  ngctl mkpeer xl0: etf lower downstream
  ngctl name  xl0:lower laneapfilter
  ngctl connect laneapfilter:  xl0: nomatch upper

*ngctl connect waneapfilter laneapfilter eapout eapout*


missing colon after waneapfilter



  ngctl msg waneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'
  ngctl msg laneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'

When I get to the command in bold it comes back with this error:

root@OPNsense:~ #  ngctl connect waneapfilter laneapfilter eapout eapout
ngctl: send msg: No such file or directory

I'm not sure how to proceed from here.

Thanks for any help you (or others) can offer.

--J






Re: Need Netgraph Help [fixed]

2018-04-22 Thread GPz1100a
@John

Did you ever get this fully figured out?  I'm trying to do what I think is
the same thing with my fiber internet connection - eliminate the need to use
the isp provided gateway (or at least reduce its function). I'm running
*opnsense*.   This thread 
https://forum.pfsense.org/index.php?topic=111043.msg793292#msg793292 is what
led me here.

Three nics correspond to the following

em0 - ONT (WAN)
xl0 - 3com pci - isp provided residential gateway (RG)
ue0 - usb nic - LAN

Using Julian's code from Jan 06, 2018; 1:39pm,

 ngctl mkpeer em0: etf lower downstream
 ngctl name em0:lower waneapfilter
 ngctl connect waneapfilter: em0: nomatch upper

 ngctl mkpeer xl0: etf lower downstream
 ngctl name  xl0:lower laneapfilter
 ngctl connect laneapfilter:  xl0: nomatch upper

*ngctl connect waneapfilter laneapfilter eapout eapout*

 ngctl msg waneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'
 ngctl msg laneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'

When I get to the command in bold it comes back with this error:

root@OPNsense:~ #  ngctl connect waneapfilter laneapfilter eapout eapout
ngctl: send msg: No such file or directory

I'm not sure how to proceed from here.  

Thanks for any help you (or others) can offer.

--J






Re: Need Netgraph Help [fixed]

2018-03-22 Thread Julian Elischer

Hi John, did you ever try out my version?

Julian

On 7/1/18 4:06 am, Julian Elischer wrote:

On 7/1/18 4:02 am, John Lyon wrote:

Thanks for the clarification and all the help.

After Marko clarified that that edges/hooks are bidirectional, I 
was able to get it working WAN to LAN and LAN to WAN by using a 
pair of one2many and ETF nodes.


The commands were (from memory):

#Create Unfiltered WAN Path
ngctl mkpeer igb0: one2many lower one
ngctl name igb0:lower wanmux
ngctl mkpeer wanmux: etf many0 downstream
ngctl name wanmux:many0 wanfilter
ngctl connect wanfilter: igb0: nomatch upper

#Create Unfiltered LAN Path
ngctl mkpeer igb1: one2many lower one
ngctl name igb1:lower lanmux
ngctl mkpeer lanmux: etf many0 downstream
ngctl name lanmux:many0 lanfilter
ngctl connect lanfilter: igb1: nomatch upper

#Cross Connect Two Paths
ngctl connect wanfilter: wanmux: waneapout many1
ngctl connect lanfilter: lanmux: laneapout many1

#Filter Cross Connections
ngctl msg wanfilter: 'setfilter { matchhook="waneapout" 
ethertype=0x888e }'
ngctl msg lanfilter: 'setfilter { matchhook="laneapout" 
ethertype=0x888e }'


The graph looks like this:

igb0] <> [mux0] <---> [etf0] <> [igb0
                               \       /
                                  X
                               /      \
igb1] <> [mux1] <---> [etf1] <> [igb1


It was conceptually easier for me to wrap my head around and it 
appears to work (somewhat).  But if I can get it to work, I like 
Julian's approach better as it is simpler and uses fewer nodes.


etf includes a mux/demux..  the link is bidirectional.




Thanks again for all the help!


John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Sat, Jan 6, 2018 at 2:39 PM, Julian Elischer wrote:






Re: Need Netgraph Help [fixed]

2018-01-06 Thread Julian Elischer

On 7/1/18 4:02 am, John Lyon wrote:

Thanks for the clarification and all the help.

After Marko clarified that that edges/hooks are bidirectional, I was 
able to get it working WAN to LAN and LAN to WAN by using a pair of 
one2many and ETF nodes.


The commands were (from memory):

#Create Unfiltered WAN Path
ngctl mkpeer igb0: one2many lower one
ngctl name igb0:lower wanmux
ngctl mkpeer wanmux: etf many0 downstream
ngctl name wanmux:many0 wanfilter
ngctl connect wanfilter: igb0: nomatch upper

#Create Unfiltered LAN Path
ngctl mkpeer igb1: one2many lower one
ngctl name igb1:lower lanmux
ngctl mkpeer lanmux: etf many0 downstream
ngctl name lanmux:many0 lanfilter
ngctl connect lanfilter: igb1: nomatch upper

#Cross Connect Two Paths
ngctl connect wanfilter: wanmux: waneapout many1
ngctl connect lanfilter: lanmux: laneapout many1

#Filter Cross Connections
ngctl msg wanfilter: 'setfilter { matchhook="waneapout" 
ethertype=0x888e }'
ngctl msg lanfilter: 'setfilter { matchhook="laneapout" 
ethertype=0x888e }'


The graph looks like this:

igb0] <> [mux0] <---> [etf0] <> [igb0
                               \       /
                                  X
                               /      \
igb1] <> [mux1] <---> [etf1] <> [igb1


It was conceptually easier for me to wrap my head around and it 
appears to work (somewhat).  But if I can get it to work, I like 
Julian's approach better as it is simpler and uses fewer nodes.


etf includes a mux/demux..  the link is bidirectional.




Thanks again for all the help!


John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Sat, Jan 6, 2018 at 2:39 PM, Julian Elischer wrote:


On 6/1/18 9:22 pm, John Lyon wrote:

I just woke up with a follow-up question that may be my aha
moment.  Are Netgraph edges between nodes always bidirectional?
I have been treating all of the edges as unidirectional,
requiring me to create two separate Netgraphs.  But if they are
bidirectional, that would explain some things.


yes edges are bidirectional

see the following paragraph from the ng_etf man page:
-
     Packets traveling in the other direction (towards the downstream hook)
     are also examined and filtered.  If a packet has an ethertype that
     matches one of the values configured into the node, it must have arrived
     in on the hook for which that value was configured, otherwise it will be
     discarded.  Ethertypes of values other than those configured by the
     control messages must have arrived via the nomatch hook.
-

here is the picture of what you need,
You will see this below in the old emails:

so you need this:

em0]lower---downstream[ETF0]nomatch---upper[em0...
                        eapout
                          |
                          |
                        eapout
em1]lower---downstream[ETF1]nomatch---upper[em1...

  ie. use an etf node on each interface.

    ngctl mkpeer igb0: etf lower downstream
    ngctl name igb0:lower waneapfilter
    ngctl connect waneapfilter: igb0: nomatch upper

    ngctl mkpeer igb1: etf lower downstream
    ngctl name igb1:lower laneapfilter
    ngctl connect laneapfilter: igb1: nomatch upper

    ngctl connect waneapfilter laneapfilter eapout eapout

    ngctl msg waneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'
    ngctl msg laneapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'



Thanks.

Sent from my iPhone

On Jan 5, 2018, at 11:16 PM, John Lyon wrote:


Julian,

So this didn't work when I tried to implement it on hardware
in real life and I can't figure out why.  I am sure it's
really basic, but the error message is not very descriptive.

I use the following script to create a graph that filters the
EAP traffic and forwards directly from the first Ethernet
interface to the second.  It works perfectly.

    kldload ng_etf
    ngctl mkpeer igb0: etf lower downstream
    ngctl name igb0:lower waneapfilter
    ngctl connect waneapfilter: igb0: nomatch upper
    ngctl connect waneapfilter: igb1: waneapout lower
    ngctl msg waneapfilter: 'setfilter { matchhook="waneapout" ethertype=0x888e }'

The end result is that EAPOL frames are forwarded directly
from igb0 (WAN) to igb1 (LAN).  Graphically, it looks like
(arrows indicating flow of traffic):
igb0]lower--->>downstream[ETF0]nomatch--->>upper[igb0...
                           waneapout
                               |
                               |-->>lower[igb1
However, I also need to do the reverse and forward EAPOL frames in the 
opposite direction from igb1 (LAN) to igb0 (WAN).  

Re: Need Netgraph Help [fixed]

2018-01-06 Thread John Lyon
Thanks for the clarification and all the help.

After Marko clarified that that edges/hooks are bidirectional, I was able
to get it working WAN to LAN and LAN to WAN by using a pair of one2many and
ETF nodes.

The commands were (from memory):

#Create Unfiltered WAN Path
ngctl mkpeer igb0: one2many lower one
ngctl name igb0:lower wanmux
ngctl mkpeer wanmux: etf many0 downstream
ngctl name wanmux:many0 wanfilter
ngctl connect wanfilter: igb0: nomatch upper

#Create Unfiltered LAN Path
ngctl mkpeer igb1: one2many lower one
ngctl name igb1:lower lanmux
ngctl mkpeer lanmux: etf many0 downstream
ngctl name lanmux:many0 lanfilter
ngctl connect lanfilter: igb1: nomatch upper

#Cross Connect Two Paths
ngctl connect wanfilter: wanmux: waneapout many1
ngctl connect lanfilter: lanmux: laneapout many1

#Filter Cross Connections
ngctl msg wanfilter: 'setfilter { matchhook="waneapout" ethertype=0x888e }'
ngctl msg lanfilter: 'setfilter { matchhook="laneapout" ethertype=0x888e }'

The graph looks like this:

igb0] <> [mux0] <---> [etf0] <> [igb0
                               \       /
                                  X
                               /       \
igb1] <> [mux1] <---> [etf1] <> [igb1


It was conceptually easier for me to wrap my head around and it appears to
work (somewhat).  But if I can get it to work, I like Julian's approach
better as it is simpler and uses fewer nodes.

Thanks again for all the help!


John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Sat, Jan 6, 2018 at 2:39 PM, Julian Elischer wrote:

> On 6/1/18 9:22 pm, John Lyon wrote:
>
> I just woke up with a follow-up question that may be my aha moment.  Are
> Netgraph edges between nodes always bidirectional? I have been treating all
> of the edges as unidirectional, requiring me to create two separate
> Netgraphs.  But if they are bidirectional, that would explain some things.
>
>
> yes edges are bidirectional
>
> see the following paragraph from the ng_etf man page:
> -
>      Packets traveling in the other direction (towards the downstream hook)
>      are also examined and filtered.  If a packet has an ethertype that
>      matches one of the values configured into the node, it must have arrived
>      in on the hook for which that value was configured, otherwise it will be
>      discarded.  Ethertypes of values other than those configured by the
>      control messages must have arrived via the nomatch hook.
> -
>
> here is the picture of what you need,
> You will see this below in the old emails:
>
> so you need this:
>
> em0]lower---downstream[ETF0]nomatch---upper[em0...
>                         eapout
>                           |
>                           |
>                         eapout
> em1]lower---downstream[ETF1]nomatch---upper[em1...
>
>   ie. use an etf node on each interface.
>
> ngctl mkpeer igb0: etf lower downstream
> ngctl name igb0:lower waneapfilter
> ngctl connect waneapfilter: igb0: nomatch upper
>
> ngctl mkpeer igb1: etf lower downstream
> ngctl name igb1:lower laneapfilter
> ngctl connect laneapfilter: igb1: nomatch upper
>
> ngctl connect waneapfilter laneapfilter eapout eapout
>
> ngctl msg waneapfilter: 'setfilter { matchhook="eapout"
> ethertype=0x888e }'
> ngctl msg laneapfilter: 'setfilter { matchhook="eapout"
> ethertype=0x888e }'
>
>
> Thanks.
>
> Sent from my iPhone
>
> On Jan 5, 2018, at 11:16 PM, John Lyon  wrote:
>
> Julian,
>
> So this didn't work when I tried to implement it on hardware in real life
> and I can't figure out why.  I am sure it's really basic, but the error
> message is not very descriptive.
>
> I use the following script to create a graph that filters the EAP traffic
> and forwards directly from the first Ethernet interface to the second.  It
> works perfectly.
>
> kldload ng_etf
> ngctl mkpeer igb0: etf lower downstream
> ngctl name igb0:lower waneapfilter
> ngctl connect waneapfilter: igb0: nomatch upper
> ngctl connect waneapfilter: igb1: waneapout lower
> ngctl msg waneapfilter: 'setfilter { matchhook="waneapout" ethertype=0x888e }'
>
> The end result is that EAPOL frames are forwarded directly from igb0 (WAN)
> to igb1 (LAN).  Graphically, it looks like (arrows indicating flow of
> traffic):
>
> igb0]lower--->>downstream[ETF0]nomatch--->>upper[igb0...
>waneapout
>|
>|-->>lower[igb1
>
> However, I also need to do the reverse and forward EAPOL frames in the 
> opposite direction from igb1 (LAN) to igb0 (WAN).  Graphically, I want 
> (arrows indicating flow):
>
> igb1]lower--->>downstream[ETF1]nomatch--->>upper[igb1...
>laneapout
>|
>|-->>lower[igb0
>
> So I try a mirror image of my first script.  However, when I type 

Re: Need Netgraph Help [fixed]

2018-01-06 Thread Julian Elischer

On 6/1/18 9:22 pm, John Lyon wrote:
I just woke up with a follow-up question that may be my aha moment. 
 Are Netgraph edges between nodes always bidirectional? I have been 
treating all of the edges as unidirectional, requiring me to create 
two separate Netgraphs.  But if they are bidirectional, that would 
explain some things.


yes edges are bidirectional

see the following paragraph from the ng_etf man page:
-
     Packets traveling in the other direction (towards the downstream hook)
     are also examined and filtered.  If a packet has an ethertype that
     matches one of the values configured into the node, it must have arrived
     in on the hook for which that value was configured, otherwise it will be
     discarded.  Ethertypes of values other than those configured by the
     control messages must have arrived via the nomatch hook.
-

here is the picture of what you need,
You will see this below in the old emails:

so you need this:

em0]lower---downstream[ETF0]nomatch---upper[em0...
   eapout
   |
   |
   eapout
em1]lower---downstream[ETF1]nomatch---upper[em1...

  ie. use an etf node on each interface.

    ngctl mkpeer igb0: etf lower downstream
    ngctl name igb0:lower waneapfilter
    ngctl connect waneapfilter: igb0: nomatch upper

    ngctl mkpeer igb1: etf lower downstream
    ngctl name igb1:lower laneapfilter
    ngctl connect laneapfilter: igb1: nomatch upper

    ngctl connect waneapfilter: laneapfilter: eapout eapout

    ngctl msg waneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
    ngctl msg laneapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'




Thanks.

Sent from my iPhone

On Jan 5, 2018, at 11:16 PM, John Lyon wrote:



Julian,

So this didn't work when I tried to implement it on hardware in 
real life and I can't figure out why.  I am sure it's really basic, 
but the error message is not very descriptive.


I use the following script to create a graph that filters the EAP 
traffic and forwards directly from the first Ethernet interface to 
the second.  It works perfectly.


    kldload ng_etf
    ngctl mkpeer igb0: etf lower downstream
    ngctl name igb0:lower waneapfilter
    ngctl connect waneapfilter: igb0: nomatch upper
    ngctl connect waneapfilter: igb1: waneapout lower
    ngctl msg waneapfilter: 'setfilter { matchhook="waneapout" ethertype=0x888e }'


The end result is that EAPOL frames are forwarded directly from 
igb0 (WAN) to igb1 (LAN).  Graphically, it looks like (arrows 
indicating flow of traffic):

igb0]lower--->>downstream[ETF0]nomatch--->>upper[igb0...
   waneapout
   |
   |-->>lower[igb1

However, I also need to do the reverse and forward EAPOL frames in the opposite 
direction from igb1 (LAN) to igb0 (WAN).  Graphically, I want (arrows 
indicating flow):

igb1]lower--->>downstream[ETF1]nomatch--->>upper[igb1...
   laneapout
   |
   |-->>lower[igb0

So I try a mirror image of my first script.  However, when I type the first 
line of:

    ngctl mkpeer igb1: etf lower downstream

I get the following error message:

    ngctl: send msg: File exists.

My guess (based on an earlier email in this thread) is that because I've already 
connected my first NG_ETF node to the lower hook of igb1 (in order to forward traffic out 
that interface), I am getting the error that the "File exists" when I try to 
connect a second ETF node to igb1 lower.  If this is the case, how can I write traffic 
out the interface, while filtering incoming traffic on the same interface? I tried to 
use two different ETF nodes, as suggested, but get an error message when I try.

Thanks for any help.  I feel like I am so close.  At this point, I probably 
should have just jumped ship and tried an alternate solution, but I just can't 
allow the machine to win. :-)  I have to get this working!


John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Fri, Dec 29, 2017 at 4:06 AM, Julian Elischer wrote:


On 29/12/17 10:52 am, John Lyon wrote:

It works!!!  In virtual machine land at least, it works!  It
will be interesting to see what happens when the rubber meets
the road and I actually test it "in the field."

The issue was a missing single line that was not obvious from
the man pages:

    sudo ngctl connect eapfilter: ix1: eapout lower

your next issue will be that you can only attach em1:lower to a
single peer at a time. So return packets can not DTRT.

You will need to either put a multiplexing node in each
interface, OR if I wrote it correctly, use the fact that
packets fed into an etf match hook will feed back out the input
hook.

so you need this:
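Added example, not from the thread or from FreeBSD itself: a script form of the two-node recipe above, with the "File exists" and "the matchhook must already exist" points from later in the thread built in as comments and as a check over ngctl show output. The node names waneapfilter and laneapfilter and the hook name eapout follow Julian's recipe; the interface names, the NGCTL dry-run variable, the check_etf_hooks helper and the sample show listing are assumptions of this example.

```shell
#!/bin/sh
# Added example: bidirectional EAPOL relay between two interfaces using one
# ng_etf node per interface, cross-connected on their eapout hooks.
# NGCTL defaults to a dry run (it prints the ngctl commands instead of
# running them) so the logic can be read and tested without netgraph.
# To apply for real: kldload ng_etf, then run with NGCTL=ngctl as root.
NGCTL="${NGCTL:-echo ngctl}"
ETHERTYPE_EAPOL=0x888e         # 802.1X EAP over LAN

# eapol_relay WAN_IF LAN_IF
# An interface's "lower" hook accepts exactly one peer, which is why a
# second etf node on the same interface fails with "File exists".  Instead
# the two nodes are joined eapout<->eapout and, because hooks carry data in
# both directions, frames matched on either side leave via the other
# interface.  Non-matching frames continue to "upper", i.e. the normal
# stack and the firewall, untouched.
eapol_relay() {
    wan=$1
    lan=$2
    $NGCTL mkpeer "$wan": etf lower downstream
    $NGCTL name "$wan":lower waneapfilter
    $NGCTL connect waneapfilter: "$wan": nomatch upper

    $NGCTL mkpeer "$lan": etf lower downstream
    $NGCTL name "$lan":lower laneapfilter
    $NGCTL connect laneapfilter: "$lan": nomatch upper

    # The hook must exist before a setfilter rule can name it (otherwise
    # ngctl reports ENOENT), so connect first, then install the rules.
    $NGCTL connect waneapfilter: laneapfilter: eapout eapout
    $NGCTL msg waneapfilter: "setfilter { matchhook=\"eapout\" ethertype=$ETHERTYPE_EAPOL }"
    $NGCTL msg laneapfilter: "setfilter { matchhook=\"eapout\" ethertype=$ETHERTYPE_EAPOL }"
}

# eapol_teardown: shutting the etf nodes down releases the ether hooks.
eapol_teardown() {
    $NGCTL shutdown waneapfilter:
    $NGCTL shutdown laneapfilter:
}

# check_etf_hooks MATCHHOOK  (reads "ngctl show node:" output on stdin)
# Returns 0 when MATCHHOOK is listed on the node and is not "downstream",
# the two preconditions ng_etf enforces for setfilter.
check_etf_hooks() {
    matchhook=$1
    found=0
    while read -r lhook peer ptype pid phook; do
        case "$lhook" in
            ''|Name:|Local|--*) continue ;;   # header and separator lines
        esac
        if [ "$lhook" = "$matchhook" ]; then
            found=1
        fi
    done
    if [ "$matchhook" != downstream ] && [ "$found" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Constructed sample of "ngctl show eapfilter:" output, shaped like the
# listing in the thread, for an offline self-check of check_etf_hooks.
SAMPLE_SHOW='  Name: eapfilter   Type: etf     ID: 0021   Num hooks: 3
  Local hook  Peer name   Peer type   Peer ID   Peer hook
  ----------  ---------   ---------   -------   ---------
  eapout      ix1         ether       0004      lower
  nomatch     ix0         ether       0003      upper
  downstream  ix0         ether       0003      lower'

# Usage: WAN_IF=em0 LAN_IF=em1 sh eapol_relay.sh             (dry run)
#        NGCTL=ngctl WAN_IF=em0 LAN_IF=em1 sh eapol_relay.sh  (apply, as root)
if [ -n "${WAN_IF:-}" ] && [ -n "${LAN_IF:-}" ]; then
    eapol_relay "$WAN_IF" "$LAN_IF"
fi
```

In dry-run mode the script only prints the ngctl lines, so the ordering can be reviewed before anything touches the interfaces. The only frames that ever cross between the two ports are those whose ethertype matches 0x888e; everything else still reaches the upper hook and therefore the firewall.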


Re: Need Netgraph Help [fixed]

2018-01-06 Thread Marko Zec
On Sat, 6 Jan 2018 08:22:25 -0500
John Lyon  wrote:

> I just woke up with a follow-up question that may be my aha moment.
> Are Netgraph edges between nodes always bidirectional? I have been
> treating all of the edges as unidirectional, requiring me to create
> two separate Netgraphs.  But if they are bidirectional, that would
> explain some things.

edges -> hooks in netgraph parlance

man 4 netgraph -> /Hooks -> "Data flows bidirectionally between nodes"

A lot of people arrive at BSD / netgraph with previous experiences
with the Click modular router, which might have caused the confusion,
since in Click all datapaths are always unidirectional.  Not
(necessarily) so in netgraph.
___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"


Re: Need Netgraph Help [fixed]

2018-01-06 Thread John Lyon
I just woke up with a follow-up question that may be my aha moment.  Are 
Netgraph edges between nodes always bidirectional? I have been treating all of 
the edges as unidirectional, requiring me to create two separate Netgraphs.  
But if they are bidirectional, that would explain some things.

Thanks.

Sent from my iPhone

> On Jan 5, 2018, at 11:16 PM, John Lyon  wrote:
> 
> Julian,
> 
> So this didn't work when I tried to implement it on hardware in real life and 
> I can't figure out why.  I am sure it's really basic, but the error message 
> is not very descriptive.
> 
> I use the following script to create a graph that filters the EAP traffic and 
> forwards directly from the first Ethernet interface to the second.  It works 
> perfectly.
> 
> kldload ng_etf
> ngctl mkpeer igb0: etf lower downstream
> ngctl name igb0:lower waneapfilter
> ngctl connect waneapfilter: igb0: nomatch upper
> ngctl connect waneapfilter: igb1: waneapout lower
> ngctl msg waneapfilter: 'setfilter { matchhook="waneapout" ethertype=0x888e }'
> 
> The end result is that EAPOL frames are forwarded directly from igb0 (WAN) to 
> igb1 (LAN).  Graphically, it looks like (arrows indicating flow of traffic):
>  igb0]lower--->>downstream[ETF0]nomatch--->>upper[igb0...
>waneapout
>|
>|-->>lower[igb1
> However, I also need to do the reverse and forward EAPOL frames in the 
> opposite direction from igb1 (LAN) to igb0 (WAN).  Graphically, I want 
> (arrows indicating flow):
> igb1]lower--->>downstream[ETF1]nomatch--->>upper[igb1...
>laneapout
>|
>|-->>lower[igb0
> So I try a mirror image of my first script.  However, when I type the first 
> line of:
> ngctl mkpeer igb1: etf lower downstream
> I get the following error message:
> ngctl: send msg: File exists.
> My guess (based on an earlier email in this thread) is that because I've 
> already connected my first NG_ETF node to the lower hook of igb1 (in order to 
> forward traffic out that interface), I am getting the error that the "File 
> exists" when I try to connect a second ETF node to igb1 lower.  If this is 
> the case, how can I write traffic out the interface, while filtering incoming 
> traffic on the same interface? I tried to use two different ETF nodes, as 
> suggested, but get an error message when I try. 
> Thanks for any help.  I feel like I am so close.  At this point, I probably 
> should have just jumped ship and tried an alternate solution, but I just 
> can't allow the machine to win. :-)  I have to get this working!
> 
> 
> 
> John L. Lyon
> PGP Key Available At: 
> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
> 
>> On Fri, Dec 29, 2017 at 4:06 AM, Julian Elischer  wrote:
>>> On 29/12/17 10:52 am, John Lyon wrote:
>>> It works!!!  In virtual machine land at least, it works!  It will be 
>>> interesting to see what happens when the rubber meets the road and I 
>>> actually test it "in the field."
>>> 
>>> The issue was a missing single line that was not obvious from the man pages:
>>> 
>>> sudo ngctl connect eapfilter: ix1: eapout lower
>> your next issue will be that you can only attach em1:lower to a single peer 
>> at a time. So return packets can not DTRT.
>> 
>> You will need to either put a multiplexing node in each interface, OR if I 
>> wrote it correctly, use the fact that packets fed into an etf match hook 
>> will feed back out the input hook.
>> 
>> so you need this:
>> 
>> em0]lower---downstream[ETF0]nomatch---upper[em0...
>>eapout
>>|
>>|
>>eapout
>> em1]lower---downstream[ETF1]nomatch---upper[em1...
>> 
>>   
>> ie. use an etf node on each interface.
>> 
>> 
>>  
>> 
>>> 
>>> Apparently, I had not created an alias for the connection between the ETF 
>>> and the ether nodes.  Once this connect command was issued, the connection 
>>> to the lower hook of the ether node was ready to be connected to the ETF.
>>> 
>>> Thanks so much for your help.
>>> 
>>> 
>>> 
>>> John L. Lyon
>>> PGP Key Available At: 
>>> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>> 
 On Thu, Dec 28, 2017 at 9:48 AM, Julian Elischer  
 wrote:
> On 28/12/17 9:59 pm, Julian Elischer wrote:
>> On 28/12/17 1:37 am, John Lyon wrote:
>> Julian,
>> 
>> Unfortunately, this issue remains unresolved.  I would like to think 
>> that this is just a PEBKAC issue, but I have tried every permutation of 
>> escape characters in case it's an issue with my syntax and I get the 
>> same set of errors.  No matter what I do, I can't connect the no match 
>> hook of an ETF node to the upper hook of an ng_ether node.  Do 

Re: Need Netgraph Help [fixed]

2018-01-05 Thread John Lyon
Julian,

So this didn't work when I tried to implement it on hardware in real life
and I can't figure out why.  I am sure it's really basic, but the error
message is not very descriptive.

I use the following script to create a graph that filters the EAP traffic
and forwards directly from the first Ethernet interface to the second.  It
works perfectly.

kldload ng_etf
ngctl mkpeer igb0: etf lower downstream
ngctl name igb0:lower waneapfilter
ngctl connect waneapfilter: igb0: nomatch upper
ngctl connect waneapfilter: igb1: waneapout lower
ngctl msg waneapfilter: 'setfilter { matchhook="waneapout" ethertype=0x888e }'

The end result is that EAPOL frames are forwarded directly from igb0 (WAN)
to igb1 (LAN).  Graphically, it looks like (arrows indicating flow of
traffic):

igb0]lower--->>downstream[ETF0]nomatch--->>upper[igb0...
   waneapout
   |
   |-->>lower[igb1

However, I also need to do the reverse and forward EAPOL frames in the
opposite direction from igb1 (LAN) to igb0 (WAN).  Graphically, I want
(arrows indicating flow):

igb1]lower--->>downstream[ETF1]nomatch--->>upper[igb1...
   laneapout
   |
   |-->>lower[igb0

So I try a mirror image of my first script.  However, when I type the
first line of:

ngctl mkpeer igb1: etf lower downstream

I get the following error message:

ngctl: send msg: File exists.

My guess (based on an earlier email in this thread) is that because
I've already connected my first NG_ETF node to the lower hook of igb1
(in order to forward traffic out that interface), I am getting the
error that the "File exists" when I try to connect a second ETF node
to igb1 lower.  If this is the case, how can I write traffic out the
interface, while filtering incoming traffic on the same interface? I
tried to use two different ETF nodes, as suggested, but get an error
message when I try.

Thanks for any help.  I feel like I am so close.  At this point, I
probably should have just jumped ship and tried an alternate solution,
but I just can't allow the machine to win. :-)  I have to get this
working!




John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Fri, Dec 29, 2017 at 4:06 AM, Julian Elischer  wrote:

> On 29/12/17 10:52 am, John Lyon wrote:
>
> It works!!!  In virtual machine land at least, it works!  It will be
> interesting to see what happens when the rubber meets the road and I
> actually test it "in the field."
>
> The issue was a missing single line that was not obvious from the man
> pages:
>
> sudo ngctl connect eapfilter: ix1: eapout lower
>
> your next issue will be that you can only attach em1:lower to a single
> peer at a time. So return packets can not DTRT.
>
> You will need to either put a multiplexing node in each interface, OR if I
> wrote it correctly, use the fact that packets fed into an etf match hook
> will feed back out the input hook.
>
> so you need this:
>
> em0]lower---downstream[ETF0]nomatch---upper[em0...
>eapout
>|
>|
>eapout
> em1]lower---downstream[ETF1]nomatch---upper[em1...
>
>
> ie. use an etf node on each interface.
>
>
>
>
>
>
>
> Apparently, I had not created an alias for the connection between the ETF
> and the ether nodes.  Once this connect command was issued, the connection
> to the lower hook of the ether node was ready to be connected to the ETF.
>
> Thanks *so much* for your help.
>
>
> 
> John L. Lyon
> PGP Key Available At:
> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>
> On Thu, Dec 28, 2017 at 9:48 AM, Julian Elischer 
> wrote:
>
>> On 28/12/17 9:59 pm, Julian Elischer wrote:
>>
>>> On 28/12/17 1:37 am, John Lyon wrote:
>>>
 Julian,

 Unfortunately, this issue remains unresolved.  I would like to think
 that this is just a PEBKAC issue, but I have tried every permutation of
 escape characters in case it's an issue with my syntax and I get the same
 set of errors.  No matter what I do, I can't connect the no match hook of
 an ETF node to the upper hook of an ng_ether node.  Do you have any
 insights into why this might be occurring?

 By the way, thanks for reaching out to me!  I was going to email you
 directly after the holidays since your name and email address are at the
 bottom of the relevant Netgraph man pages.  I figured that must mean if you
 didn't know the answer, no one does. :-)

>>>
>>> what is EAP?
>>> what about return EAP packets? (are there any?)
>>>
>>
>> oops left out a line from the cut-n-paste...
>>
>>>
>>> I think this is what you want:
>>> $ sudo ngctl list
>>> There are 7 total nodes:
>>>   Name: igb0Type: ether   ID: 

Re: Need Netgraph Help [fixed]

2017-12-29 Thread Julian Elischer

On 29/12/17 10:52 am, John Lyon wrote:
It works!!!  In virtual machine land at least, it works!  It will be 
interesting to see what happens when the rubber meets the road and I 
actually test it "in the field."


The issue was a missing single line that was not obvious from the 
man pages:


    sudo ngctl connect eapfilter: ix1: eapout lower
your next issue will be that you can only attach em1:lower to a single 
peer at a time. So return packets can not DTRT.


You will need to either put a multiplexing node in each interface, OR 
if I wrote it correctly, use the fact that packets fed into an etf 
match hook will feed back out the input hook.


so you need this:

em0]lower---downstream[ETF0]nomatch---upper[em0...
   eapout
   |
   |
   eapout
em1]lower---downstream[ETF1]nomatch---upper[em1...

  
ie. use an etf node on each interface.

Apparently, I had not created an alias for the connection between 
the ETF and the ether nodes.  Once this connect command was issued, 
the connection to the lower hook of the ether node was ready to be 
connected to the ETF.


Thanks _so much_ for your help.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Thu, Dec 28, 2017 at 9:48 AM, Julian Elischer wrote:


On 28/12/17 9:59 pm, Julian Elischer wrote:

On 28/12/17 1:37 am, John Lyon wrote:

Julian,

Unfortunately, this issue remains unresolved.  I would
like to think that this is just a PEBKAC issue, but I
have tried every permutation of escape characters in
case it's an issue with my syntax and I get the same set
of errors.  No matter what I do, I can't connect the no
match hook of an ETF node to the upper hook of an
ng_ether node.  Do you have any insights into why this
might be occurring?

By the way, thanks for reaching out to me!  I was going
to email you directly after the holidays since your name
and email address are at the bottom of the relevant
Netgraph man pages.  I figured that must mean if you
didn't know the answer, no one does. :-)


what is EAP?
what about return EAP packets? (are there any?)


oops left out a line from the cut-n-paste...


I think this is what you want:
$ sudo ngctl list
There are 7 total nodes:
  Name: igb0        Type: ether   ID: 0001   Num hooks: 0
  Name: igb1        Type: ether   ID: 0002   Num hooks: 0
  Name: ix0         Type: ether   ID: 0003   Num hooks: 0
  Name: ix1         Type: ether   ID: 0004   Num hooks: 0
  Name: tap0        Type: ether   ID: 0005   Num hooks: 0
  Name: bridge3     Type: ether   ID: 0006   Num hooks: 0
  Name: ngctl7372   Type: socket  ID: 0007   Num hooks: 0
$ sudo kldload ng_etf
$ sudo ngctl mkpeer ix0: etf lower downstream
$ sudo ngctl name ix0:lower eapfilter
$ sudo ngctl connect eapfilter: ix0: nomatch upper
$ sudo ngctl connect eapfilter: ix1: eapout lower
$ sudo ngctl show eapfilter:
  Name: eapfilter   Type: etf     ID: 0021   Num hooks: 3
  Local hook  Peer name   Peer type   Peer ID   Peer hook
  ----------  ---------   ---------   -------   ---------
  eapout      ix1         ether       0004      lower
  nomatch     ix0         ether       0003      upper
  downstream  ix0         ether       0003      lower
$ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
$



Thanks.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc


On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer wrote:

    John did you get a resolution to this issue?


    On 16/12/17 2:59 am, John Lyon wrote:

    Harry and Eugene (and others),

    I appreciate all of your help.  It's been really
    insightful.  Although I
    feel like I'm getting much closer to the
solution, I don't
    think my problem
    has been diagnosed.  I've outlined my 

Re: Need Netgraph Help [fixed]

2017-12-29 Thread Julian Elischer

On 29/12/17 10:52 am, John Lyon wrote:
It works!!!  In virtual machine land at least, it works!  It will be 
interesting to see what happens when the rubber meets the road and I 
actually test it "in the field."


The issue was a missing single line that was not obvious from the 
man pages:


    sudo ngctl connect eapfilter: ix1: eapout lower

Apparently, I had not created an alias for the connection between 
the ETF and the ether nodes.  Once this connect command was issued, 
the connection to the lower hook of the ether node was ready to be 
connected to the ETF.


The shown line assigns a linkage for matching frames to use.
Until it exists, you can not use it in a rule.
Match rules can only reference existing hooks.



Thanks _so much_ for your help.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Thu, Dec 28, 2017 at 9:48 AM, Julian Elischer wrote:


On 28/12/17 9:59 pm, Julian Elischer wrote:

On 28/12/17 1:37 am, John Lyon wrote:

Julian,

Unfortunately, this issue remains unresolved.  I would
like to think that this is just a PEBKAC issue, but I
have tried every permutation of escape characters in
case it's an issue with my syntax and I get the same set
of errors.  No matter what I do, I can't connect the no
match hook of an ETF node to the upper hook of an
ng_ether node.  Do you have any insights into why this
might be occurring?

By the way, thanks for reaching out to me!  I was going
to email you directly after the holidays since your name
and email address are at the bottom of the relevant
Netgraph man pages.  I figured that must mean if you
didn't know the answer, no one does. :-)


what is EAP?
what about return EAP packets? (are there any?)


oops left out a line from the cut-n-paste...


I think this is what you want:
$ sudo ngctl list
There are 7 total nodes:
  Name: igb0        Type: ether   ID: 0001   Num hooks: 0
  Name: igb1        Type: ether   ID: 0002   Num hooks: 0
  Name: ix0         Type: ether   ID: 0003   Num hooks: 0
  Name: ix1         Type: ether   ID: 0004   Num hooks: 0
  Name: tap0        Type: ether   ID: 0005   Num hooks: 0
  Name: bridge3     Type: ether   ID: 0006   Num hooks: 0
  Name: ngctl7372   Type: socket  ID: 0007   Num hooks: 0
$ sudo kldload ng_etf
$ sudo ngctl mkpeer ix0: etf lower downstream
$ sudo ngctl name ix0:lower eapfilter
$ sudo ngctl connect eapfilter: ix0: nomatch upper
$ sudo ngctl connect eapfilter: ix1: eapout lower
$ sudo ngctl show eapfilter:
  Name: eapfilter   Type: etf     ID: 0021   Num hooks: 3
  Local hook  Peer name   Peer type   Peer ID   Peer hook
  ----------  ---------   ---------   -------   ---------
  eapout      ix1         ether       0004      lower
  nomatch     ix0         ether       0003      upper
  downstream  ix0         ether       0003      lower
$ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout" ethertype=0x888e }'
$



Thanks.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc


On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer wrote:

    John did you get a resolution to this issue?


    On 16/12/17 2:59 am, John Lyon wrote:

    Harry and Eugene (and others),

    I appreciate all of your help.  It's been really
    insightful.  Although I
    feel like I'm getting much closer to the
solution, I don't
    think my problem
    has been diagnosed.  I've outlined my thought
process
    below.  Can you
    please tell me if I am misunderstanding something?
    Admittedly, I am not a
    kernel developer and my C language skills have
atrophied the
    last few
    years.  However, I've reviewed my script and I
looked in the
    code for
    

Re: Need Netgraph Help [fixed]

2017-12-28 Thread John Lyon
It works!!!  In virtual machine land at least, it works!  It will be
interesting to see what happens when the rubber meets the road and I
actually test it "in the field."

The issue was a missing single line that was not obvious from the man pages:

sudo ngctl connect eapfilter: ix1: eapout lower

Apparently, I had not created an alias for the connection between the ETF
and the ether nodes.  Once this connect command was issued, the connection
to the lower hook of the ether node was ready to be connected to the ETF.

Thanks *so much* for your help.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Thu, Dec 28, 2017 at 9:48 AM, Julian Elischer  wrote:

> On 28/12/17 9:59 pm, Julian Elischer wrote:
>
>> On 28/12/17 1:37 am, John Lyon wrote:
>>
>>> Julian,
>>>
>>> Unfortunately, this issue remains unresolved.  I would like to think
>>> that this is just a PEBKAC issue, but I have tried every permutation of
>>> escape characters in case it's an issue with my syntax and I get the same
>>> set of errors.  No matter what I do, I can't connect the no match hook of
>>> an ETF node to the upper hook of an ng_ether node.  Do you have any
>>> insights into why this might be occurring?
>>>
>>> By the way, thanks for reaching out to me!  I was going to email you
>>> directly after the holidays since your name and email address are at the
>>> bottom of the relevant Netgraph man pages.  I figured that must mean if you
>>> didn't know the answer, no one does. :-)
>>>
>>
>> what is EAP?
>> what about return EAP packets? (are there any?)
>>
>
> oops left out a line from the cut-n-paste...
>
>>
>> I think this is what you want:
>> $ sudo ngctl list
>> There are 7 total nodes:
>>   Name: igb0Type: ether   ID: 0001   Num hooks: 0
>>   Name: igb1Type: ether   ID: 0002   Num hooks: 0
>>   Name: ix0 Type: ether   ID: 0003   Num hooks: 0
>>   Name: ix1 Type: ether   ID: 0004   Num hooks: 0
>>   Name: tap0Type: ether   ID: 0005   Num hooks: 0
>>   Name: bridge3 Type: ether   ID: 0006   Num hooks: 0
>>   Name: ngctl7372   Type: socket  ID: 0007   Num hooks: 0
>> $ sudo kldload ng_etf
>>
> $ sudo ngctl mkpeer ix0: etf lower downstream
>
>> $ sudo ngctl name ix0:lower eapfilter
>> $ sudo ngctl connect eapfilter: ix0: nomatch upper
>> $ sudo ngctl connect eapfilter: ix1: eapout lower
>> $ sudo ngctl show eapfilter:
>>   Name: eapfilter   Type: etf ID: 0021   Num hooks: 3
>>   Local hook  Peer name   Peer typePeer ID Peer hook
>>   --  -   - --- -
>>   eapout  ix1 ether 0004lower
>>   nomatch ix0 ether 0003upper
>>   downstream  ix0 ether 0003lower
>> $ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout"
>> ethertype=0x888e }'
>> $
>>
>>
>>
>>> Thanks.
>>>
>>>
>>> 
>>> John L. Lyon
>>> PGP Key Available At:
>>> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>>
>>> On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer wrote:
>>>
>>> John did you get a resolution to this issue?
>>>
>>>
>>> On 16/12/17 2:59 am, John Lyon wrote:
>>>
>>> Harry and Eugene (and others),
>>>
>>> I appreciate all of your help.  It's been really
>>> insightful.  Although I
>>> feel like I'm getting much closer to the solution, I don't
>>> think my problem
>>> has been diagnosed.  I've outlined my thought process
>>> below.  Can you
>>> please tell me if I am misunderstanding something?
>>> Admittedly, I am not a
>>> kernel developer and my C language skills have atrophied the
>>> last few
>>> years.  However, I've reviewed my script and I looked in the
>>> code for
>>> ng_etf.c and I don't think I am violating any of the
>>> requirements for
>>> linking a hook for no match.
>>>
>>> As Eugene stated:
>>>
>>> 1) referenced "matchook" exists and you should not
>>> use "indirect name"
>>>
>>> here,
>>>
>>> only hook own name, or else you get error ENOENT (No
>>> such file or
>>>
>>> directory);
>>>
>>> This does not seem to be a problem as the upper and lower
>>> hooks for the em1
>>> already exist (I can confirm this).
>>>
>>> 2) referenced "matchook" is *not* downstream hook,
>>> or else you get error
>>> EINVAL (Invalid argument);
>>>
>>> I read the ng_etf.c file in the source tree and found this
>>> little snippet:
>>>
>>> /* and is not 

Re: Need Netgraph Help

2017-12-28 Thread Julian Elischer

On 29/12/17 12:36 am, John Lyon wrote:
The netgraph bridge would probably forward the 802.1x frames, but 
the man page says that firewalling on the netgraph bridge is not 
supported.  I need to process with the firewall all of the other 
traffic that is not EAPOL frames.

ok







John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Thu, Dec 28, 2017 at 11:10 AM, Julian Elischer wrote:


On 28/12/17 11:58 pm, John Lyon wrote:

Julian,

That looks exactly like what I want!  It also looks like what I
thought I was doing.  I have no idea why it worked for you and
not for me.  :-(

I will copy and paste tonight after work (making changes for
em0 and em1 on my own test system) and see if I can get it to
work.  If it works, I will figure out what I was doing wrong
and let the world know in case anyone wants to Google it in the
future. If it doesn't work -- I'll be back. :-)

To answer your other questions:

(1) EAP (or more accurately in this case EAPOL) is the
extensible authentication protocol over LAN and is used for
802.1X port authentication.  The authentication frames are
marked with the ethertype 0x888e to distinguish them from other
Ethernet frames. They are also assigned the broadcast MAC
address of 01:80:c2:00:00:03. Because 802.1D states that a
standard compliant switch or bridge cannot forward frames with
a MAC address in the range of 01:80:c2:00:00:00 to
01:80:c2:00:00:0f, you can't just create a bridge in FreeBSD
between the two interfaces since the FreeBSD bridge code is
standard compliant.  So I have to process and forward the
frames another way and it looks like Netgraph will let me do
it.  Otherwise, I'm going to have to patch the bridge code in
the kernel to include a sysctl variable that enables or
disables this compliance.

or use the netgraph bridge. ng_bridge. it doesn't care as far as
I know. its job is to produce "bump in the wire" devices.
see /usr/share/examples/netgraph.




(2) You are correct that there are return frames (not packets
as this all occurs at layer 2).  However, the graph to handle
the return frames is going to just be a mirror of the graph
for processing the outgoing frames.  So if I can get it working
in one direction, it's trivial to create a mirror image graph
for the reverse direction.

Thanks!






John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc


On Thu, Dec 28, 2017 at 8:59 AM, Julian Elischer wrote:

On 28/12/17 1:37 am, John Lyon wrote:

Julian,

Unfortunately, this issue remains unresolved.  I would
like to think that this is just a PEBKAC issue, but I have
tried every permutation of escape characters in case it's
an issue with my syntax and I get the same set of errors. 
No matter what I do, I can't connect the no match hook of
an ETF node to the upper hook of an ng_ether node.  Do you
have any insights into why this might be occurring?

By the way, thanks for reaching out to me!  I was going to
email you directly after the holidays since your name and
email address are at the bottom of the relevant Netgraph
man pages.  I figured that must mean if you didn't know
the answer, no one does. :-)


what is EAP?
what about return EAP packets? (are there any?)

I think this is what you want:
$ sudo ngctl list
There are 7 total nodes:
  Name: igb0        Type: ether   ID: 0001   Num hooks: 0
  Name: igb1        Type: ether   ID: 0002   Num hooks: 0
  Name: ix0         Type: ether   ID: 0003   Num hooks: 0
  Name: ix1         Type: ether   ID: 0004   Num hooks: 0
  Name: tap0        Type: ether   ID: 0005   Num hooks: 0
  Name: bridge3     Type: ether   ID: 0006   Num hooks: 0
  Name: ngctl7372   Type: socket  ID: 0007   Num hooks: 0
$ sudo kldload ng_etf
$ sudo ngctl name ix0:lower eapfilter
$ sudo ngctl connect eapfilter: ix0: nomatch upper
$ sudo ngctl connect eapfilter: ix1: eapout lower
$ sudo ngctl show eapfilter:
  Name: eapfilter   Type: etf     ID: 0021   Num hooks: 3
  Local hook  Peer name   Peer type   Peer ID   Peer hook
  ----------  ---------   ---------   -------   ---------
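Added example (mine, not from the thread): a small classifier for the frame properties John describes above, taking the start of a frame as a hex string. It reports whether the ethertype is EAPOL (0x888e), whether the destination lies in the 802.1D reserved range 01:80:c2:00:00:00 to 01:80:c2:00:00:0f that a compliant bridge must not forward, and, going one step beyond the text, whether an 802.1Q tag sits in front of the real ethertype. All sample frames are constructed for this example.

```shell
#!/bin/sh
# Added example: classify the start of an Ethernet frame given as a hex
# string.  Output: "<eapol|other> dst=<mac> reserved=<yes|no> tagged=<yes|no>"
# "reserved" means the destination is one of the 802.1D reserved group
# addresses 01:80:c2:00:00:00..0f, which a standards-compliant bridge will
# not forward; "tagged" means an 802.1Q header precedes the ethertype.

# mac_fmt HEX12 -> aa:bb:cc:dd:ee:ff
mac_fmt() {
    printf '%s' "$1" | sed 's/../&:/g; s/:$//'
}

# classify_frame HEX  (hex of at least the 14-byte header, 18 if tagged)
classify_frame() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    dst=$(printf '%s' "$hex" | cut -c1-12)      # bytes 0-5: destination
    etype=$(printf '%s' "$hex" | cut -c25-28)   # bytes 12-13: type/length
    tagged=no
    if [ "$etype" = 8100 ]; then
        # 802.1Q: TPID 0x8100 + 2-byte TCI, then the real ethertype
        tagged=yes
        etype=$(printf '%s' "$hex" | cut -c33-36)
    fi
    kind=other
    if [ "$etype" = 888e ]; then
        kind=eapol                              # EAP over LAN (802.1X)
    fi
    reserved=no
    case "$dst" in
        0180c200000[0-9a-f]) reserved=yes ;;    # 01:80:c2:00:00:00-0f
    esac
    printf '%s dst=%s reserved=%s tagged=%s\n' \
        "$kind" "$(mac_fmt "$dst")" "$reserved" "$tagged"
}

# Constructed sample frames (dst, src, [tag], ethertype), not captured traffic.
FRAME_EAPOL=0180c2000003001122334455888e                 # EAPOL to the PAE group address
FRAME_EAPOL_TAGGED=0180c200000300112233445581000000888e  # same, behind an 802.1Q tag
FRAME_IPV4=00aabbccddee0011223344550800                  # ordinary unicast IPv4
FRAME_BPDU=0180c20000000011223344550026                  # STP BPDU, length field not ethertype

# Usage: sh classify_frame.sh 0180c2000003001122334455888e [more hex frames]
for f in "$@"; do
    classify_frame "$f"
done
```

The two values the relay in this thread cares about come out together: an EAPOL frame is both 0x888e and addressed to a reserved group MAC, so it is filtered by ethertype and must bypass the bridge at the same time.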
  

Re: Need Netgraph Help

2017-12-28 Thread John Lyon
The netgraph bridge would probably forward the 802.1x frames, but the man
page says that firewalling on the netgraph bridge is not supported.  I need
to process with the firewall all of the other traffic that is not EAPOL
frames.




John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Thu, Dec 28, 2017 at 11:10 AM, Julian Elischer 
wrote:

> On 28/12/17 11:58 pm, John Lyon wrote:
>
> Julian,
>
> That looks exactly like what I want!  It also looks like what I thought I
> was doing.  I have no idea why it worked for you and not for me.  :-(
>
> I will copy and paste tonight after work (making changes for em0 and em1
> on my own test system) and see if I can get it to work.  If it works, I
> will figure out what I was doing wrong and let the world know in case
> anyone wants to Google it in the future.  If it doesn't work -- I'll be
> back. :-)
>
> To answer your other questions:
>
> (1) EAP (or more accurately in this case EAPOL) is the extensible
> authentication protocol over LAN and is used for 802.1X port
> authentication.  The authentication frames are marked with the ethertype
> 0x888e to distinguish them from other Ethernet frames.  They are also
> assigned the broadcast MAC address of 01:80:c2:00:00:03.  Because 802.1D
> states that a standard compliant switch or bridge cannot forward frames
> with a MAC address in the range of 01:80:c2:00:00:00 to
> 01:80:c2:00:00:0f, you can't just create a bridge in FreeBSD between the
> two interfaces since the FreeBSD bridge code is standard compliant.  So I
> have to process and forward the frames another way and it looks like
> Netgraph will let me do it.  Otherwise, I'm going to have to patch the
> bridge code in the kernel to include a sysctl variable that enables or
> disables this compliance.
>
> or use the netgraph bridge. ng_bridge. it doesn't care as far as I know.
> its job is to produce "bump in the wire" devices.
> see /usr/share/examples/netgraph.
>
>
>
> (2) You are correct that there are return frames (not packets as this all
> occurs at layer 2).  However, the graph to handle the return frames is
> going to just be a mirror of the graph for processing the outgoing
> frames.  So if I can get it working in one direction, it's trivial to
> create a mirror image graph for the reverse direction.
>
> Thanks!
>
>
>
>
>
> 
> John L. Lyon
> PGP Key Available At:
> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>
> On Thu, Dec 28, 2017 at 8:59 AM, Julian Elischer 
> wrote:
>
>> On 28/12/17 1:37 am, John Lyon wrote:
>>
>> Julian,
>>
>> Unfortunately, this issue remains unresolved.  I would like to think that
>> this is just a PEBKAC issue, but I have tried every permutation of escape
>> characters in case it's an issue with my syntax and I get the same set of
>> errors.  No matter what I do, I can't connect the no match hook of an ETF
>> node to the upper hook of an ng_ether node.  Do you have any insights into
>> why this might be occurring?
>>
>> By the way, thanks for reaching out to me!  I was going to email you
>> directly after the holidays since your name and email address are at the
>> bottom of the relevant Netgraph man pages.  I figured that must mean if you
>> didn't know the answer, no one does. :-)
>>
>>
>> what is EAP?
>> what about return EAP packets? (are there any?)
>>
>> I think this is what you want:
>> $ sudo ngctl list
>> There are 7 total nodes:
>>   Name: igb0Type: ether   ID: 0001   Num hooks: 0
>>   Name: igb1Type: ether   ID: 0002   Num hooks: 0
>>   Name: ix0 Type: ether   ID: 0003   Num hooks: 0
>>   Name: ix1 Type: ether   ID: 0004   Num hooks: 0
>>   Name: tap0Type: ether   ID: 0005   Num hooks: 0
>>   Name: bridge3 Type: ether   ID: 0006   Num hooks: 0
>>   Name: ngctl7372   Type: socket  ID: 0007   Num hooks: 0
>> $ sudo kldload ng_etf
>> $ sudo ngctl name ix0:lower eapfilter
>> $ sudo ngctl connect eapfilter: ix0: nomatch upper
>> $ sudo ngctl connect eapfilter: ix1: eapout lower
>> $ sudo ngctl show eapfilter:
>>   Name: eapfilter   Type: etf ID: 0021   Num hooks: 3
>>   Local hook  Peer name   Peer typePeer ID Peer hook
>>   --  -   ---- -
>>   eapout  ix1 ether0004lower
>>   nomatch ix0 ether0003upper
>>   downstream  ix0 ether0003lower
>> $ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout"
>> ethertype=0x888e }'
>> $
>>
>>
>>
>>
>> Thanks.
>>
>>
>> 
>> John L. Lyon
>> PGP Key Available At:
>> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>
>> On Wed, Dec 

Re: Need Netgraph Help

2017-12-28 Thread Julian Elischer

On 28/12/17 11:58 pm, John Lyon wrote:

Julian,

That looks exactly like what I want! It also looks like what I 
thought I was doing.  I have no idea why it worked for you and not 
for me.  :-(


I will copy and paste tonight after work (making changes for em0 and 
em1 on my own test system) and see if I can get it to work.  If it 
works, I will figure out what I was doing wrong and let the world 
know in case anyone wants to Google it in the future. If it doesn't 
work -- I'll be back. :-)


To answer your other questions:

(1) EAP (or more accurately in this case EAPOL) is the extensible 
authentication protocol over LAN and is used for 802.1X port 
authentication.  The authentication frames are marked with the 
ethertype 0x888e to distinguish them from other Ethernet frames.  
They are also assigned the broadcast MAC address of 
01:80:c2:00:00:03. Because 802.1D states that a standard compliant 
switch or bridge cannot forward frames with a MAC address in the 
range of 01:80:c2:00:00:00 to 01:80:c2:00:00:0f, you can't just 
create a bridge in FreeBSD between the two interfaces since the 
FreeBSD bridge code is standard compliant.  So I have to process and 
forward the frames another way and it looks like Netgraph will let 
me do it.  Otherwise, I'm going to have to patch the bridge code in 
the kernel to include a sysctl variable that enables or disables 
this compliance.
or use the netgraph bridge. ng_bridge. it doesn't care as far as I 
know. its job is to produce "bump in the wire" devices.

see /usr/share/examples/netgraph.



(2) You are correct that there are return frames (not packets as 
this all occurs at layer 2). However, the graph to handle the return 
frames is going to just be a mirror of the graph for processing 
the outgoing frames.  So if I can get it working in one direction, 
it's trivial to create a mirror image graph for the reverse direction.


Thanks!






John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Thu, Dec 28, 2017 at 8:59 AM, Julian Elischer > wrote:


On 28/12/17 1:37 am, John Lyon wrote:

Julian,

Unfortunately, this issue remains unresolved. I would like to
think that this is just a PEBKAC issue, but I have tried every
permutation of escape characters in case it's an issue with my
syntax and I get the same set of errors.  No matter what I do,
I can't connect the no match hook of an ETF node to the upper
hook of an ng_ether node.  Do you have any insights into why
this might be occurring?

By the way, thanks for reaching out to me!  I was going to
email you directly after the holidays since your name and email
address are at the bottom of the relevant Netgraph man pages. 
I figured that must mean if you didn't know the answer, no one
does. :-)


what is EAP?
what about return EAP packets? (are there any?)

I think this is what you want:
$ sudo ngctl list
There are 7 total nodes:
  Name: igb0    Type: ether   ID: 0001   Num hooks: 0
  Name: igb1    Type: ether   ID: 0002   Num hooks: 0
  Name: ix0 Type: ether   ID: 0003   Num hooks: 0
  Name: ix1 Type: ether   ID: 0004   Num hooks: 0
  Name: tap0    Type: ether   ID: 0005   Num hooks: 0
  Name: bridge3 Type: ether   ID: 0006   Num hooks: 0
  Name: ngctl7372   Type: socket  ID: 0007   Num hooks: 0
$ sudo kldload ng_etf
$ sudo ngctl name ix0:lower eapfilter
$ sudo ngctl connect eapfilter: ix0: nomatch upper
$ sudo ngctl connect eapfilter: ix1: eapout lower
$ sudo ngctl show eapfilter:
  Name: eapfilter   Type: etf ID: 0021   Num hooks: 3
  Local hook  Peer name   Peer type Peer ID Peer hook
  --  -   - --- -
  eapout  ix1 ether 0004    lower
  nomatch ix0 ether 0003    upper
  downstream  ix0 ether 0003    lower
$ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout"
ethertype=0x888e }'
$





Thanks.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc


On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer
> wrote:

John did you get a resolution to this issue?


On 16/12/17 2:59 am, John Lyon wrote:

Harry and Eugene (and others),

I appreciate all of your help.  It's been really
insightful.  Although I
feel like I'm getting 

Re: Need Netgraph Help

2017-12-28 Thread John Lyon
Julian,

That looks exactly like what I want!  It also looks like what I thought I
was doing.  I have no idea why it worked for you and not for me.  :-(

I will copy and paste tonight after work (making changes for em0 and em1 on
my own test system) and see if I can get it to work.  If it works, I will
figure out what I was doing wrong and let the world know in case anyone
wants to Google it in the future.  If it doesn't work -- I'll be back. :-)

To answer your other questions:

(1) EAP (or more accurately in this case EAPOL) is the extensible
authentication protocol over LAN and is used for 802.1X port
authentication.  The authentication frames are marked with the ethertype
0x888e to distinguish them from other Ethernet frames.  They are also
assigned the broadcast MAC address of 01:80:c2:00:00:03.  Because 802.1D
states that a standard compliant switch or bridge cannot forward frames
with a MAC address in the range of 01:80:c2:00:00:00 to 01:80:c2:00:00:0f,
you can't just create a bridge in FreeBSD between the two interfaces since
the FreeBSD bridge code is standard compliant.  So I have to process and
forward the frames another way and it looks like Netgraph will let me do
it.  Otherwise, I'm going to have to patch the bridge code in the kernel to
include a sysctl variable that enables or disables this compliance.

(2) You are correct that there are return frames (not packets as this all
occurs at layer 2).  However, the graph to handle the return frames is
> going to just be a mirror of the graph for processing the outgoing
frames.  So if I can get it working in one direction, it's trivial to
create a mirror image graph for the reverse direction.

Thanks!






John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Thu, Dec 28, 2017 at 8:59 AM, Julian Elischer  wrote:

> On 28/12/17 1:37 am, John Lyon wrote:
>
> Julian,
>
> Unfortunately, this issue remains unresolved.  I would like to think that
> this is just a PEBKAC issue, but I have tried every permutation of escape
> characters in case it's an issue with my syntax and I get the same set of
> errors.  No matter what I do, I can't connect the no match hook of an ETF
> node to the upper hook of an ng_ether node.  Do you have any insights into
> why this might be occurring?
>
> By the way, thanks for reaching out to me!  I was going to email you
> directly after the holidays since your name and email address are at the
> bottom of the relevant Netgraph man pages.  I figured that must mean if you
> didn't know the answer, no one does. :-)
>
>
> what is EAP?
> what about return EAP packets? (are there any?)
>
> I think this is what you want:
> $ sudo ngctl list
> There are 7 total nodes:
>   Name: igb0Type: ether   ID: 0001   Num hooks: 0
>   Name: igb1Type: ether   ID: 0002   Num hooks: 0
>   Name: ix0 Type: ether   ID: 0003   Num hooks: 0
>   Name: ix1 Type: ether   ID: 0004   Num hooks: 0
>   Name: tap0Type: ether   ID: 0005   Num hooks: 0
>   Name: bridge3 Type: ether   ID: 0006   Num hooks: 0
>   Name: ngctl7372   Type: socket  ID: 0007   Num hooks: 0
> $ sudo kldload ng_etf
> $ sudo ngctl name ix0:lower eapfilter
> $ sudo ngctl connect eapfilter: ix0: nomatch upper
> $ sudo ngctl connect eapfilter: ix1: eapout lower
> $ sudo ngctl show eapfilter:
>   Name: eapfilter   Type: etf ID: 0021   Num hooks: 3
>   Local hook  Peer name   Peer typePeer ID Peer hook
>   --  -   ---- -
>   eapout  ix1 ether0004lower
>   nomatch ix0 ether0003upper
>   downstream  ix0 ether0003lower
> $ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout"
> ethertype=0x888e }'
> $
>
>
>
>
> Thanks.
>
>
> 
> John L. Lyon
> PGP Key Available At:
> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>
> On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer 
> wrote:
>
>> John did you get a resolution to this issue?
>>
>>
>> On 16/12/17 2:59 am, John Lyon wrote:
>>
>>> Harry and Eugene (and others),
>>>
>>> I appreciate all of your help.  It's been really insightful.  Although I
>>> feel like I'm getting much closer to the solution, I don't think my
>>> problem
>>> has been diagnosed.  I've outlined my thought process below.  Can you
>>> please tell me if I am misunderstanding something?  Admittedly, I am not
>>> a
>>> kernel developer and my C language skills have atrophied the last few
>>> years.  However, I've reviewed my script and I looked in the code for
>>> ng_etf.c and I don't think I am violating any of the requirements for
>>> linking a hook for no match.
>>>

Re: Need Netgraph Help [fixed]

2017-12-28 Thread Julian Elischer

On 28/12/17 9:59 pm, Julian Elischer wrote:

On 28/12/17 1:37 am, John Lyon wrote:

Julian,

Unfortunately, this issue remains unresolved.  I would like to 
think that this is just a PEBKAC issue, but I have tried every 
permutation of escape characters in case it's an issue with my 
syntax and I get the same set of errors.  No matter what I do, I 
can't connect the no match hook of an ETF node to the upper hook of 
an ng_ether node.  Do you have any insights into why this might be 
occurring?


By the way, thanks for reaching out to me!  I was going to email 
you directly after the holidays since your name and email address 
are at the bottom of the relevant Netgraph man pages.  I figured 
that must mean if you didn't know the answer, no one does. :-)


what is EAP?
what about return EAP packets? (are there any?)


oops left out a line from the cut-n-paste...


I think this is what you want:
$ sudo ngctl list
There are 7 total nodes:
  Name: igb0    Type: ether   ID: 0001   Num hooks: 0
  Name: igb1    Type: ether   ID: 0002   Num hooks: 0
  Name: ix0 Type: ether   ID: 0003   Num hooks: 0
  Name: ix1 Type: ether   ID: 0004   Num hooks: 0
  Name: tap0    Type: ether   ID: 0005   Num hooks: 0
  Name: bridge3 Type: ether   ID: 0006   Num hooks: 0
  Name: ngctl7372   Type: socket  ID: 0007   Num hooks: 0

$ sudo kldload ng_etf

$ sudo ngctl mkpeer ix0: etf lower downstream

$ sudo ngctl name ix0:lower eapfilter
$ sudo ngctl connect eapfilter: ix0: nomatch upper
$ sudo ngctl connect eapfilter: ix1: eapout lower
$ sudo ngctl show eapfilter:
  Name: eapfilter   Type: etf ID: 0021   Num hooks: 3
  Local hook  Peer name   Peer type    Peer ID Peer hook
  --  -   - --- -
  eapout  ix1 ether 0004    lower
  nomatch ix0 ether 0003    upper
  downstream  ix0 ether 0003    lower
$ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout" 
ethertype=0x888e }'

$




Thanks.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer 
> wrote:


    John did you get a resolution to this issue?


    On 16/12/17 2:59 am, John Lyon wrote:

    Harry and Eugene (and others),

    I appreciate all of your help.  It's been really
    insightful.  Although I
    feel like I'm getting much closer to the solution, I don't
    think my problem
    has been diagnosed.  I've outlined my thought process
    below.  Can you
    please tell me if I am misunderstanding something?
    Admittedly, I am not a
    kernel developer and my C language skills have atrophied the
    last few
    years.  However, I've reviewed my script and I looked in the
    code for
    ng_etf.c and I don't think I am violating any of the
    requirements for
    linking a hook for no match.

    As Eugene stated:

    1) referenced "matchhook" exists and you should not
    use "indirect name"

    here,

    only hook own name, or else you get error ENOENT (No
    such file or

    directory);

    This does not seem to be a problem as the upper and lower
    hooks for the em1
    already exist (I can confirm this).

    2) referenced "matchhook" is *not* downstream hook,
    or else you get error
    EINVAL (Invalid argument);

    I read the ng_etf.c file in the source tree and found this
    little snippet:

    /* and is not the downstream hook */
    if (hook == etfp->downstream_hook.hook) {
         error = EINVAL;
         break;
    }

    This appears to be an error check to make sure you are not
    creating a cycle
    in the graph by referencing the ETF node's own downstream
    hook (i.e.
    filtering incoming traffic and circularly feeding
    non-matching frames back
    into the ETF's own filter).  I'm not doing this.  I am
    feeding non-matching
    packets into the *lower* hook of another ether node and not
    back into the
    *downstream* hook of the etf node I am creating.  As a
    result, my netgraph
    should not be triggering this error condition.

    3) it was not already configured, or else you get
    error EEXIST (File

    exists).

    I am not getting this error, so it appears not to be an
    issue in my case.

    What am I missing here?  The man page states that "*any
    other *hook" can be

    used for the non-matching packets.  So the man page says
    this 
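The corrected sequence above, wrapped as a small script so it can be rerun, checked and undone. This is an added example, not code from the thread or from FreeBSD: it assumes a FreeBSD host with ng_ether(4) and ng_etf(4), root privileges, and the thread's interface roles (ix0 towards the ONT, ix1 towards the residential gateway); the function and variable names are the example's own. It takes the interface names as parameters, includes the mkpeer line that was missing from the first paste, uses the etf node's own hook name "eapout" as matchhook (an address such as "ix1:lower" is exactly what the setfilter discussion further down shows does not work), and parses the `ngctl show` table to confirm the three hooks are wired the way the listing above shows. Because ng_etf(4) sends whatever arrives on any hook other than downstream back out downstream, EAPOL frames received on ix1 are carried to the ix0 wire by this same node, so the reverse direction needs no second graph; note that this also forwards any non-EAPOL frame the RG sends, since only the downstream side is filtered.

```shell
#!/bin/sh
# Added example, not code from the thread: builds, checks and tears down the
# single-node ng_etf EAPOL pass-through from the corrected ngctl sequence,
# parameterised on the two interface names.
# Assumptions (not stated on the page): FreeBSD with ng_ether(4)/ng_etf(4),
# run as root; defaults of ix0 (ONT/WAN side) and ix1 (RG side) follow the
# thread.  DRY_RUN=1 prints the commands instead of executing them.

NGCTL="${NGCTL:-ngctl}"
FILTER="${FILTER:-eapfilter}"
ETHERTYPE_EAPOL=0x888e

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_eapol_passthrough WAN RG
#   WAN:lower      -> FILTER:downstream   (every frame off the WAN wire)
#   FILTER:nomatch -> WAN:upper           (non-EAPOL frames go to the host stack)
#   FILTER:eapout  -> RG:lower            (EAPOL frames go straight to the RG)
# The mkpeer line creates the etf node; without it "name WAN:lower" has
# nothing to name.  matchhook must be one of the etf node's own hook names
# ("eapout"), not a netgraph address such as "ix1:lower".
build_eapol_passthrough() {
    wan="$1"; rg="$2"
    run kldload -n ng_etf
    run "$NGCTL" mkpeer "$wan": etf lower downstream
    run "$NGCTL" name "$wan":lower "$FILTER"
    run "$NGCTL" connect "$FILTER": "$wan": nomatch upper
    run "$NGCTL" connect "$FILTER": "$rg": eapout lower
    run "$NGCTL" msg "$FILTER": "setfilter { matchhook=\"eapout\" ethertype=$ETHERTYPE_EAPOL }"
}

# verify_graph WAN RG   (reads "ngctl show FILTER:" output on stdin)
# Succeeds only when all three hooks are wired as drawn above; the header
# lines of the table never match any of the three patterns.
verify_graph() {
    wan="$1"; rg="$2"; found=0
    while read -r lhook peer ptype pid phook; do
        case "$lhook:$peer:$phook" in
            "downstream:$wan:lower") found=$((found + 1)) ;;
            "nomatch:$wan:upper")    found=$((found + 1)) ;;
            "eapout:$rg:lower")      found=$((found + 1)) ;;
        esac
    done
    [ "$found" -eq 3 ]
}

# Usage: ./eapol-graph.sh build|verify|teardown [WAN] [RG]
case "${1:-}" in
    build)    build_eapol_passthrough "${2:-ix0}" "${3:-ix1}" ;;
    verify)   "$NGCTL" show "$FILTER": | verify_graph "${2:-ix0}" "${3:-ix1}" && echo "graph OK" ;;
    teardown) run "$NGCTL" shutdown "$FILTER": ;;   # removes the etf node and all its hooks
esac
```

Run `DRY_RUN=1 ./eapol-graph.sh build` first to see the exact ngctl lines, then `build` and `verify`; `teardown` shuts the etf node down, which detaches it from both ether nodes and puts ix0 back on the normal path. If the provider tags its frames (the VLAN 0 problem raised later in this thread), hardware VLAN offload has to be switched off on both NICs before netgraph will see the tags; the ifconfig flags for that are not covered here.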

Re: Need Netgraph Help

2017-12-28 Thread Julian Elischer

On 28/12/17 1:37 am, John Lyon wrote:

Julian,

Unfortunately, this issue remains unresolved.  I would like to think 
that this is just a PEBKAC issue, but I have tried every permutation 
of escape characters in case it's an issue with my syntax and I get 
the same set of errors.  No matter what I do, I can't connect the no 
match hook of an ETF node to the upper hook of an ng_ether node.  Do 
you have any insights into why this might be occurring?


By the way, thanks for reaching out to me!  I was going to email you 
directly after the holidays since your name and email address are at 
the bottom of the relevant Netgraph man pages.  I figured that must 
mean if you didn't know the answer, no one does. :-)


what is EAP?
what about return EAP packets? (are there any?)

I think this is what you want:
$ sudo ngctl list
There are 7 total nodes:
  Name: igb0    Type: ether   ID: 0001   Num hooks: 0
  Name: igb1    Type: ether   ID: 0002   Num hooks: 0
  Name: ix0 Type: ether   ID: 0003   Num hooks: 0
  Name: ix1 Type: ether   ID: 0004   Num hooks: 0
  Name: tap0    Type: ether   ID: 0005   Num hooks: 0
  Name: bridge3 Type: ether   ID: 0006   Num hooks: 0
  Name: ngctl7372   Type: socket  ID: 0007   Num hooks: 0
$ sudo kldload ng_etf
$ sudo ngctl name ix0:lower eapfilter
$ sudo ngctl connect eapfilter: ix0: nomatch upper
$ sudo ngctl connect eapfilter: ix1: eapout lower
$ sudo ngctl show eapfilter:
  Name: eapfilter   Type: etf ID: 0021   Num hooks: 3
  Local hook  Peer name   Peer type    Peer ID Peer hook
  --  -   - --- -
  eapout  ix1 ether 0004    lower
  nomatch ix0 ether 0003    upper
  downstream  ix0 ether 0003    lower
$ sudo ngctl msg eapfilter: 'setfilter { matchhook="eapout" 
ethertype=0x888e }'

$




Thanks.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer 
> wrote:


John did you get a resolution to this issue?


On 16/12/17 2:59 am, John Lyon wrote:

Harry and Eugene (and others),

I appreciate all of your help.  It's been really
insightful.  Although I
feel like I'm getting much closer to the solution, I don't
think my problem
has been diagnosed.  I've outlined my thought process
below.  Can you
please tell me if I am misunderstanding something?
Admittedly, I am not a
kernel developer and my C language skills have atrophied the
last few
years.  However, I've reviewed my script and I looked in the
code for
ng_etf.c and I don't think I am violating any of the
requirements for
linking a hook for no match.

As Eugene stated:

1) referenced "matchhook" exists and you should not
use "indirect name"

here,

only hook own name, or else you get error ENOENT (No
such file or

directory);

This does not seem to be a problem as the upper and lower
hooks for the em1
already exist (I can confirm this).

2) referenced "matchhook" is *not* downstream hook,
or else you get error
EINVAL (Invalid argument);

I read the ng_etf.c file in the source tree and found this
little snippet:

/* and is not the downstream hook */
if (hook == etfp->downstream_hook.hook) {
     error = EINVAL;
     break;
}

This appears to be an error check to make sure you are not
creating a cycle
in the graph by referencing the ETF node's own downstream
hook (i.e.
filtering incoming traffic and circularly feeding
non-matching frames back
into the ETF's own filter).  I'm not doing this.  I am
feeding non-matching
packets into the *lower* hook of another ether node and not
back into the
*downstream* hook of the etf node I am creating.  As a
result, my netgraph
should not be triggering this error condition.

3) it was not already configured, or else you get
error EEXIST (File

exists).

I am not getting this error, so it appears not to be an
issue in my case.

What am I missing here?  The man page states that "*any
other *hook" can be

used for the non-matching packets.  So the man page says
this should work,
and there's no explicit error condition that I see (caveat,
I have not
written in C for at least 

Re: Need Netgraph Help

2017-12-27 Thread John Lyon
Julian,

Unfortunately, this issue remains unresolved.  I would like to think that
this is just a PEBKAC issue, but I have tried every permutation of escape
characters in case it's an issue with my syntax and I get the same set of
errors.  No matter what I do, I can't connect the no match hook of an ETF
node to the upper hook of an ng_ether node.  Do you have any insights into
why this might be occurring?

By the way, thanks for reaching out to me!  I was going to email you
directly after the holidays since your name and email address are at the
bottom of the relevant Netgraph man pages.  I figured that must mean if you
didn't know the answer, no one does. :-)

Thanks.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Wed, Dec 27, 2017 at 10:32 AM, Julian Elischer 
wrote:

> John did you get a resolution to this issue?
>
>
> On 16/12/17 2:59 am, John Lyon wrote:
>
>> Harry and Eugene (and others),
>>
>> I appreciate all of your help.  It's been really insightful.  Although I
>> feel like I'm getting much closer to the solution, I don't think my
>> problem
>> has been diagnosed.  I've outlined my thought process below.  Can you
>> please tell me if I am misunderstanding something?  Admittedly, I am not a
>> kernel developer and my C language skills have atrophied the last few
>> years.  However, I've reviewed my script and I looked in the code for
>> ng_etf.c and I don't think I am violating any of the requirements for
>> linking a hook for no match.
>>
>> As Eugene stated:
>>
>>> 1) referenced "matchhook" exists and you should not use "indirect name"
>>> here,
>>> only hook own name, or else you get error ENOENT (No such file or
>>> directory);
>>
>> This does not seem to be a problem as the upper and lower hooks for the
>> em1
>> already exist (I can confirm this).
>>
>>> 2) referenced "matchhook" is *not* downstream hook, or else you get error
>>> EINVAL (Invalid argument);
>>
>> I read the ng_etf.c file in the source tree and found this little
>> snippet:
>>
>> /* and is not the downstream hook */
>> if (hook == etfp->downstream_hook.hook) {
>>  error = EINVAL;
>>  break;
>> }
>>
>> This appears to be an error check to make sure you are not creating a
>> cycle
>> in the graph by referencing the ETF node's own downstream hook (i.e.
>> filtering incoming traffic and circularly feeding non-matching frames back
>> into the ETF's own filter).  I'm not doing this.  I am feeding
>> non-matching
>> packets into the *lower* hook of another ether node and not back into the
>> *downstream* hook of the etf node I am creating.  As a result, my netgraph
>> should not be triggering this error condition.
>>
>>> 3) it was not already configured, or else you get error EEXIST (File
>>> exists).
>>
>> I am not getting this error, so it appears not to be an issue in my case.
>>
>> What am I missing here?  The man page states that "*any other *hook" can
>> be
>>
>> used for the non-matching packets.  So the man page says this should work,
>> and there's no explicit error condition that I see (caveat, I have not
>> written in C for at least 10 years  - PEBKAC is entirely possible) that
>> would be triggered in the ng_etf code.  So what is going wrong?
>>
>> Thanks for all of your help, patience, and understanding.
>>
>>
>> 
>> John L. Lyon
>> PGP Key Available At:
>> https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc
>>
>> On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer 
>> wrote:
>>
>> Regarding Eugene Grosbein's message of 14.12.2017 23:07 (localtime):
>>>
>>> 15.12.2017 4:27, John Lyon wrote:
>>>
>>>> I'm a new Netgraph user, but am having some problems with a simple
>>>> Netgraph script I have written.  Unfortunately, the error message is
>>>> cryptic and I can't tell what I am doing wrong since my script closely
>>>> follows the example provided in the ng_etf man page.
>>>>
>>>> For some context, I'm trying to filter EAP traffic coming in on my LAN
>>>> interface.  Any ethernet frames that correspond to EAP traffic need to be
>>>> immediately forwarded from the LAN interface to my WAN interface.  All
>>>> other ethernet frames coming in on my LAN interface need to be handled by
>>>> the kernel's network stack.  A (horrid) ASCII art representation of my
>>>> desired netgraph would look like this:
>>>>
>>>> lower -> em0 -> downstream -> ETF -> no match -> upper em0
>>>> -> match -> lower em1
>>>>
>>>> The script I have written is this:
>>>>
>>>>  #! /bin/sh
>>>>  ngctl mkpeer em0: etf lower downstream
>>>>  ngctl name em0:lower lan_filter
>>>>  ngctl connect em0: lan_filter: upper nomatch
>>>>  ngctl msg lan_filter: 

Re: Need Netgraph Help

2017-12-27 Thread Julian Elischer

John did you get a resolution to this issue?

On 16/12/17 2:59 am, John Lyon wrote:

Harry and Eugene (and others),

I appreciate all of your help.  It's been really insightful.  Although I
feel like I'm getting much closer to the solution, I don't think my problem
has been diagnosed.  I've outlined my thought process below.  Can you
please tell me if I am misunderstanding something?  Admittedly, I am not a
kernel developer and my C language skills have atrophied the last few
years.  However, I've reviewed my script and I looked in the code for
ng_etf.c and I don't think I am violating any of the requirements for
linking a hook for no match.

As Eugene stated:


1) referenced "matchhook" exists and you should not use "indirect name"

here,

only hook own name, or else you get error ENOENT (No such file or

directory);

This does not seem to be a problem as the upper and lower hooks for the em1
already exist (I can confirm this).


2) referenced "matchhook" is *not* downstream hook, or else you get error
EINVAL (Invalid argument);

I read the ng_etf.c file in the source tree and found this little snippet:

/* and is not the downstream hook */
if (hook == etfp->downstream_hook.hook) {
 error = EINVAL;
 break;
}

This appears to be an error check to make sure you are not creating a cycle
in the graph by referencing the ETF node's own downstream hook (i.e.
filtering incoming traffic and circularly feeding non-matching frames back
into the ETF's own filter).  I'm not doing this.  I am feeding non-matching
packets into the *lower* hook of another ether node and not back into the
*downstream* hook of the etf node I am creating.  As a result, my netgraph
should not be triggering this error condition.


3) it was not already configured, or else you get error EEXIST (File

exists).

I am not getting this error, so it appears not to be an issue in my case.

What am I missing here?  The man page states that "*any other *hook" can be
used for the non-matching packets.  So the man page says this should work,
and there's no explicit error condition that I see (caveat, I have not
written in C for at least 10 years  - PEBKAC is entirely possible) that
would be triggered in the ng_etf code.  So what is going wrong?

Thanks for all of your help, patience, and understanding.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer 
wrote:


Regarding Eugene Grosbein's message of 14.12.2017 23:07 (localtime):

15.12.2017 4:27, John Lyon wrote:


I'm a new Netgraph user, but am having some problems with a simple
Netgraph
script I have written.  Unfortunately, the error message is cryptic

and I

can't tell what I am doing wrong since my script closely follows the
example provided in the ng_etf man page.

For some context, I'm trying to filter EAP traffic coming in on my LAN
interface.  Any ethernet frames that correspond to EAP traffic need

to be

immediately forwarded from the LAN interface to my WAN interface.  All
other ethernet frames coming in on my LAN interface need to be

handled by

the kernel's network stack.  A (horrid) ASCII art representation of my
desired netgraph would look like this:

lower -> em0 -> downstream -> ETF -> no match -> upper em0
-> match ->
lower em1

The script I have written is this:

 #! /bin/sh
 ngctl mkpeer em0: etf lower downstream
 ngctl name em0:lower lan_filter
 ngctl connect em0: lan_filter: upper nomatch
 ngctl msg lan_filter: setfilter { matchhook="em1:lower" ethertype=0x888e }

Unfortunately, the last line of my script generates the following

error

message:

 ngctl: send msg: Invalid Argument

For "setfilter" command to work, ng_etf requires that:

1) referenced "matchhook" exists and you should not use "indirect name"

here,

only hook own name, or else you get error ENOENT (No such file or

directory);

2) referenced "matchhook" is *not* downstream hook, or else you get error
EINVAL (Invalid argument);
3) it was not already configured, or else you get error EEXIST (File

exists).

Eugene kindly looked into the code and found that the error is due to
wrong matchhook definition.
I've never had any contact with ng_etf yet, but according to the man
page, you need to set the (additional) filter hook by 'nghook -a
lan_filter: mydrain' and use 'matchhook=mydrain' for the 'msg' command.

No idea about the intention, so for the rest you have to tweak as needed.

-harry



___
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"





Re: Need Netgraph Help

2017-12-18 Thread John Lyon
Harry,

Thanks for the help.  I haven't had the chance to sit down and tinker over
the weekend, but I hope I may get sometime in the next day or two.  I will
see what happens when I try to connect my filter as you suggested.

My intention is essentially to use NetGraph in order to add some simple
layer 2 firewalling capabilities to my PFSense router (FreeBSD + pf +
pretty GUI for other functions) on my network.  Unfortunately, pf on
FreeBSD only appears to filter at layers 3 and 4.  I need to also filter
and redirect layer 2 traffic.

I'm aware that IPFW can probably do what I want (filter and redirect based
on MAC address and ethernet frame type).  However, I prefer the pretty GUI
of PFSense for convenience and time saving (I could duplicate all of the
rules and functionality in the command line, but the GUI makes
administration a lot easier).  However, I don't want to hack together a
solution that involves two firewalls running on the same box when I was
hoping to use Netgraph to filter at layer 2 before passing other traffic up
to pf for layer 3 and 4 filtering.  However, this may be the route I have
to go (PFSense does use both PF and IPFW when the "captive portal"
functionality is enabled, so it is technically possible).

Thanks for the link to the NetBSD presentation.  I'm already aware of it,
it was one of the first things I found when I googled about netgraph trying
to sort through this whole mess. :-)


John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Sat, Dec 16, 2017 at 4:30 AM, Harry Schmalzbauer 
wrote:

> Regarding John Lyon's message of 15.12.2017 19:59 (localtime):
> > Harry and Eugene (and others),
> >
> > I appreciate all of your help.  It's been really insightful.  Although I
> > feel like I'm getting much closer to the solution, I don't think my
> problem
> > has been diagnosed.  I've outlined my thought process below.  Can you
> > please tell me if I am misunderstanding something?  Admittedly, I am not
> a
> > kernel developer and my C language skills have atrophied the last few
> > years.  However, I've reviewed my script and I looked in the code for
> > ng_etf.c and I don't think I am violating any of the requirements for
> > linking a hook for no match.
> >
> > As Eugene stated:
> >
> >>> 1) referenced "matchhook" exists and you should not use "indirect name"
> > here,
> >>> only hook own name, or else you get error ENOENT (No such file or
> > directory);
> >
> > This does not seem to be a problem as the upper and lower hooks for the
> em1
> > already exist (I can confirm this).
> >
> >>> 2) referenced "matchhook" is *not* downstream hook, or else you get
> error
> >>> EINVAL (Invalid argument);
> >
> > I read the ng_etf.c file in the source tree and found this little
> snippet:
> >
> > /* and is not the downstream hook */
> > if (hook == etfp->downstream_hook.hook) {
> > error = EINVAL;
> > break;
> > }
> >
> > This appears to be an error check to make sure you are not creating a
> cycle
> > in the graph by referencing the ETF node's own downstream hook (i.e.
> > filtering incoming traffic and circularly feeding non-matching frames
> back
> > into the ETF's own filter).  I'm not doing this.  I am feeding
> non-matching
> > packets into the *lower* hook of another ether node and not back into the
> > *downstream* hook of the etf node I am creating.  As a result, my
> netgraph
>
> Ah, sorry, I was reading your setup too quickly and missed that em0|em1
> detail.
> Since I'm no netgraph expert and also no kernel hacker due to C skills,
> and on top I don't have any ng_etf experience, I'm out at this point
> unfortunately.  I just remembered the shell quoting issue I had once
> myself and thought this would be an easy one ;-)
>
> I _think_ it's not possible to redirect the packets that way with
> ng_etf.  You'd need at least to add the third hook to ng_etf.  In the
> manpage, it's a user land hook.
> Have you tried if
> ngctl connect em1: lan_filter: lower mydrain
> works?
> If so, your "setfilter" message might also work.
> I think the missing third hook is the key to your solution – while I
> don't know your intention, but I guess you want to get specific
> type-tagged frames being transmitted on a dedicated interface.
>
> Please see
> http://www.netbsd.org/gallery/presentations/ast/2012_AsiaBSDCon/Tutorial_NETGRAPH.pdf
> on page 32+33.  That example corresponds to the man page.
>
> Hope that helps,
>
> -harry
>


Re: Need Netgraph Help

2017-12-16 Thread Harry Schmalzbauer
Regarding John Lyon's message of 15.12.2017 19:59 (localtime):
> Harry and Eugene (and others),
> 
> I appreciate all of your help.  It's been really insightful.  Although I
> feel like I'm getting much closer to the solution, I don't think my problem
> has been diagnosed.  I've outlined my thought process below.  Can you
> please tell me if I am misunderstanding something?  Admittedly, I am not a
> kernel developer and my C language skills have atrophied the last few
> years.  However, I've reviewed my script and I looked in the code for
> ng_etf.c and I don't think I am violating any of the requirements for
> linking a hook for no match.
> 
> As Eugene stated:
> 
>>> 1) referenced "matchhook" exists and you should not use "indirect name"
> here,
>>> only hook own name, or else you get error ENOENT (No such file or
> directory);
> 
> This does not seem to be a problem as the upper and lower hooks for the em1
> already exist (I can confirm this).
> 
>>> 2) referenced "matchhook" is *not* downstream hook, or else you get error
>>> EINVAL (Invalid argument);
> 
> I read the ng_etf.c file in the source tree and found this little snippet:
> 
> /* and is not the downstream hook */
> if (hook == etfp->downstream_hook.hook) {
> error = EINVAL;
> break;
> }
> 
> This appears to be an error check to make sure you are not creating a cycle
> in the graph by referencing the ETF node's own downstream hook (i.e.
> filtering incoming traffic and circularly feeding non-matching frames back
> into the ETF's own filter).  I'm not doing this.  I am feeding non-matching
> packets into the *lower* hook of another ether node and not back into the
> *downstream* hook of the etf node I am creating.  As a result, my netgraph

Ah, sorry, I was reading your setup too quickly and missed that em0|em1
detail.
Since I'm no netgraph expert and also no kernel hacker due to C skills,
and on top I don't have any ng_etf experience, I'm out at this point
unfortunately.  I just remembered the shell quoting issue I had once
myself and thought this would be an easy one ;-)

I _think_ it's not possible to redirect the packets that way with
ng_etf.  You'd need at least to add the third hook to ng_etf.  In the
manpage, it's a user land hook.
Have you tried if
ngctl connect em1: lan_filter: lower mydrain
works?
If so, your "setfilter" message might also work.
I think the missing third hook is the key to your solution – while I
don't know your intention, but I guess you want to get specific
type-tagged frames being transmitted on a dedicated interface.

Please see
http://www.netbsd.org/gallery/presentations/ast/2012_AsiaBSDCon/Tutorial_NETGRAPH.pdf
on page 32+33.  That example corresponds to the man page.

Hope that helps,

-harry
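The graph the thread converges on, put together as an added example (not code from any poster): Eugene's three setfilter rules are checked up front and Harry's "connect em1: lan_filter: lower mydrain" is issued before setfilter so the match hook can be referenced by its own name. It assumes em0 is the LAN, em1 the WAN, node name lan_filter, hook name mydrain and EAPOL ethertype 0x888e; the function names are mine, and Julian's later point about VLAN 0 tagged traffic is not handled here.

```shell
#!/bin/sh
# Added example, not code from the thread.  Builds the ng_etf graph the
# discussion converges on: EAPOL (0x888e) frames arriving on the LAN
# interface are handed to the WAN interface's lower hook, everything else
# goes up the LAN interface's normal stack via the "nomatch" hook.
# Assumed names: LAN=em0, WAN=em1, node "lan_filter", match hook "mydrain".
set -eu

LAN=${LAN:-em0}
WAN=${WAN:-em1}
NODE=${NODE:-lan_filter}
DRAIN=${DRAIN:-mydrain}
ETHERTYPE=${ETHERTYPE:-0x888e}

# Pre-flight for Eugene's first two setfilter rules: matchhook must be the
# etf node's own hook name (an indirect "em1:lower" gives ENOENT) and must
# not be the downstream hook (EINVAL).  Returns 0 when acceptable.
matchhook_ok() {
    case "$1" in
        *:*|downstream|'') return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the ngctl(8) command script.  The match hook is connected to the
# WAN interface first (Harry's "connect em1: lan_filter: lower mydrain")
# so that setfilter can reference it by its own name.
etf_script() {
    matchhook_ok "$DRAIN" || { echo "refusing matchhook '$DRAIN'" >&2; return 1; }
    cat <<EOF
mkpeer ${LAN}: etf lower downstream
name ${LAN}:lower ${NODE}
connect ${LAN}: ${NODE}: upper nomatch
connect ${WAN}: ${NODE}: lower ${DRAIN}
msg ${NODE}: setfilter { matchhook="${DRAIN}" ethertype=${ETHERTYPE} }
EOF
}

# Idempotent apply, in the spirit of Harry's /etc/start_if.em0 hook: skip
# when the node already exists, since a second setfilter returns EEXIST.
etf_apply() {
    if /usr/sbin/ngctl show "${NODE}:" 2>/dev/null | grep -q "${NODE}"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    etf_script > "$tmp"
    rc=0
    /usr/sbin/ngctl -f "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `etf_script` alone to inspect the generated commands before `etf_apply` hands them to ngctl.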


Re: Need Netgraph Help

2017-12-15 Thread John Lyon
Harry and Eugene (and others),

I appreciate all of your help.  It's been really insightful.  Although I
feel like I'm getting much closer to the solution, I don't think my problem
has been diagnosed.  I've outlined my thought process below.  Can you
please tell me if I am misunderstanding something?  Admittedly, I am not a
kernel developer and my C language skills have atrophied the last few
years.  However, I've reviewed my script and I looked in the code for
ng_etf.c and I don't think I am violating any of the requirements for
linking a hook for no match.

As Eugene stated:

>>1) referenced "matchhook" exists and you should not use "indirect name"
here,
>>only hook own name, or else you get error ENOENT (No such file or
directory);

This does not seem to be a problem as the upper and lower hooks for the em1
already exist (I can confirm this).

>>2) referenced "matchhook" is *not* downstream hook, or else you get error
>>EINVAL (Invalid argument);

I read the ng_etf.c file in the source tree and found this little snippet:

/* and is not the downstream hook */
if (hook == etfp->downstream_hook.hook) {
error = EINVAL;
break;
}

This appears to be an error check to make sure you are not creating a cycle
in the graph by referencing the ETF node's own downstream hook (i.e.
filtering incoming traffic and circularly feeding non-matching frames back
into the ETF's own filter).  I'm not doing this.  I am feeding non-matching
packets into the *lower* hook of another ether node and not back into the
*downstream* hook of the etf node I am creating.  As a result, my netgraph
should not be triggering this error condition.

>>3) it was not already configured, or else you get error EEXIST (File
exists).

I am not getting this error, so it appears not to be an issue in my case.

What am I missing here?  The man page states that "*any other *hook" can be
used for the non-matching packets.  So the man page says this should work,
and there's no explicit error condition that I see (caveat, I have not
written in C for at least 10 years  - PEBKAC is entirely possible) that
would be triggered in the ng_etf code.  So what is going wrong?

Thanks for all of your help, patience, and understanding.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Fri, Dec 15, 2017 at 3:48 AM, Harry Schmalzbauer 
wrote:

> Regarding Eugene Grosbein's message of 14.12.2017 23:07 (localtime):
> > 15.12.2017 4:27, John Lyon wrote:
> >
> >>>> I'm a new Netgraph user, but am having some problems with a simple Netgraph
> >>>> script I have written.  Unfortunately, the error message is cryptic and I
> >>>> can't tell what I am doing wrong since my script closely follows the
> >>>> example provided in the ng_etf man page.
> >>>>
> >>>> For some context, I'm trying to filter EAP traffic coming in on my LAN
> >>>> interface.  Any ethernet frames that correspond to EAP traffic need to be
> >>>> immediately forwarded from the LAN interface to my WAN interface.  All
> >>>> other ethernet frames coming in on my LAN interface need to be handled by
> >>>> the kernel's network stack.  A (horrid) ASCII art representation of my
> >>>> desired netgraph would look like this:
> >>>>
> >>>> lower -> em0 -> downstream -> ETF -> no match -> upper em0
> >>>>                                  -> match -> lower em1
> >>>>
> >>>> The script I have written is this:
> >>>>
> >>>> #! /bin/sh
> >>>> ngctl mkpeer em0: etf lower downstream
> >>>> ngctl name em0:lower lan_filter
> >>>> ngctl connect em0: lan_filter: upper nomatch
> >>>> ngctl msg lan_filter: setfilter { matchhook="em1:lower"
> >>>> ethertype=0x888e }
> >>>>
> >>>> Unfortunately, the last line of my script generates the following error
> >>>> message:
> >>>>
> >>>> ngctl: send msg: Invalid Argument
> >
> > For "setfilter" command to work, ng_etf requires that:
> >
> > 1) referenced "matchhook" exists and you should not use "indirect name"
> here,
> > only hook own name, or else you get error ENOENT (No such file or
> directory);
> > 2) referenced "matchhook" is *not* downstream hook, or else you get error
> > EINVAL (Invalid argument);
> > 3) it was not already configured, or else you get error EEXIST (File
> exists).
>
> Eugene kindly looked into the code and found that the error is due to
> wrong matchhook definition.
> I've never had any contact with ng_etf yet, but according to the man
> page, you need to set the (additional) filter hook by 'nghook -a
> lan_filter: mydrain' and use 'matchhook=mydrain' for the 'msg' command.
>
> No idea about the intention, so for the rest you have to tweak as needed.
>
> -harry
>
>


Re: Need Netgraph Help

2017-12-15 Thread Harry Schmalzbauer
Regarding Eugene Grosbein's message of 14.12.2017 23:07 (localtime):
> 15.12.2017 4:27, John Lyon wrote:
> 
>>>> I'm a new Netgraph user, but am having some problems with a simple Netgraph
>>>> script I have written.  Unfortunately, the error message is cryptic and I
>>>> can't tell what I am doing wrong since my script closely follows the
>>>> example provided in the ng_etf man page.
>>>>
>>>> For some context, I'm trying to filter EAP traffic coming in on my LAN
>>>> interface.  Any ethernet frames that correspond to EAP traffic need to be
>>>> immediately forwarded from the LAN interface to my WAN interface.  All
>>>> other ethernet frames coming in on my LAN interface need to be handled by
>>>> the kernel's network stack.  A (horrid) ASCII art representation of my
>>>> desired netgraph would look like this:
>>>>
>>>> lower -> em0 -> downstream -> ETF -> no match -> upper em0
>>>>                                  -> match -> lower em1
>>>>
>>>> The script I have written is this:
>>>>
>>>> #! /bin/sh
>>>> ngctl mkpeer em0: etf lower downstream
>>>> ngctl name em0:lower lan_filter
>>>> ngctl connect em0: lan_filter: upper nomatch
>>>> ngctl msg lan_filter: setfilter { matchhook="em1:lower"
>>>> ethertype=0x888e }
>>>>
>>>> Unfortunately, the last line of my script generates the following error
>>>> message:
>>>>
>>>> ngctl: send msg: Invalid Argument
> 
> For "setfilter" command to work, ng_etf requires that:
> 
> 1) referenced "matchhook" exists and you should not use "indirect name" here,
> only hook own name, or else you get error ENOENT (No such file or directory);
> 2) referenced "matchhook" is *not* downstream hook, or else you get error
> EINVAL (Invalid argument);
> 3) it was not already configured, or else you get error EEXIST (File exists).

Eugene kindly looked into the code and found that the error is due to
wrong matchhook definition.
I've never had any contact with ng_etf yet, but according to the man
page, you need to set the (additional) filter hook by 'nghook -a
lan_filter: mydrain' and use 'matchhook=mydrain' for the 'msg' command.

No idea about the intention, so for the rest you have to tweak as needed.

-harry



Re: Need Netgraph Help

2017-12-14 Thread Eugene Grosbein
15.12.2017 4:27, John Lyon wrote:

>>> I'm a new Netgraph user, but am having some problems with a simple
>>> Netgraph
>>> script I have written.  Unfortunately, the error message is cryptic and I
>>> can't tell what I am doing wrong since my script closely follows the
>>> example provided in the ng_etf man page.
>>>
>>> For some context, I'm trying to filter EAP traffic coming in on my LAN
>>> interface.  Any ethernet frames that correspond to EAP traffic need to be
>>> immediately forwarded from the LAN interface to my WAN interface.  All
>>> other ethernet frames coming in on my LAN interface need to be handled by
>>> the kernel's network stack.  A (horrid) ASCII art representation of my
>>> desired netgraph would look like this:
>>>
>>> lower -> em0 -> downstream -> ETF -> no match -> upper em0
>>>-> match ->
>>> lower em1
>>>
>>> The script I have written is this:
>>>
>>> #! /bin/sh
>>> ngctl mkpeer em0: etf lower downstream
>>> ngctl name em0:lower lan_filter
>>> ngctl connect em0: lan_filter: upper nomatch
>>> ngctl msg lan_filter: setfilter { matchhook="em1:lower"
>>> ethertype=0x888e }
>>>
>>> Unfortunately, the last line of my script generates the following error
>>> message:
>>>
>>> ngctl: send msg: Invalid Argument

For "setfilter" command to work, ng_etf requires that:

1) referenced "matchhook" exists and you should not use "indirect name" here,
only hook own name, or else you get error ENOENT (No such file or directory);
2) referenced "matchhook" is *not* downstream hook, or else you get error
EINVAL (Invalid argument);
3) it was not already configured, or else you get error EEXIST (File exists).



Re: Need Netgraph Help

2017-12-14 Thread John Lyon
Thanks for the advice.  The issue may be a shell issue, but without knowing
which argument is "invalid," it's hard to debug.  I took your advice and
skipped the naming to simplify debugging and also tried different
approaches to quoting the braces (or lack thereof), including:

msg em0:lower setfilter "{ matchhook=\"em1:lower\" ethertype=0x888e }"
msg em0:lower setfilter { matchhook=\"em1:lower\" ethertype=0x888e }
msg em0:lower setfilter { matchhook="em1:lower" ethertype=0x888e }
msg em0:lower setfilter { matchhook=em1:lower ethertype=0x888e }

All generate the same error message of "ngctl: send msg: Invalid argument"
without any further information to assist in debugging.

Moreover, using your example of:

msg em0:lower setfilter { matchook="em1:lower" }

Gives me the error message of:

ngctl: send msg: No such file or directory.

At this point, I am at my wit's end.  This should be a simple script to
write based on the man pages. I am apparently missing something but cannot
figure out what it is from the error messages.

Any other ideas?

Thanks.



John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Thu, Dec 14, 2017 at 2:18 AM, Harry Schmalzbauer 
wrote:

> Regarding John Lyon's message of 13.12.2017 21:38 (localtime):
> > Hello All,
> >
> > I'm a new Netgraph user, but am having some problems with a simple
> Netgraph
> > script I have written.  Unfortunately, the error message is cryptic and I
> > can't tell what I am doing wrong since my script closely follows the
> > example provided in the ng_etf man page.
> >
> > For some context, I'm trying to filter EAP traffic coming in on my LAN
> > interface.  Any ethernet frames that correspond to EAP traffic need to be
> > immediately forwarded from the LAN interface to my WAN interface.  All
> > other ethernet frames coming in on my LAN interface need to be handled by
> > the kernel's network stack.  A (horrid) ASCII art representation of my
> > desired netgraph would look like this:
> >
> > lower -> em0 -> downstream -> ETF -> no match -> upper em0
> >-> match ->
> > lower em1
> >
> > The script I have written is this:
> >
> > #! /bin/sh
> > ngctl mkpeer em0: etf lower downstream
> > ngctl name em0:lower lan_filter
> > ngctl connect em0: lan_filter: upper nomatch
> > ngctl msg lan_filter: setfilter { matchhook="em1:lower"
> > ethertype=0x888e }
> >
> > Unfortunately, the last line of my script generates the following error
> > message:
> >
> > ngctl: send msg: Invalid Argument
>
> I strongly guess shell interferes here.  Try quoting your braces part.
> I'm handling auto startup (rc(8) integration) and mitigating quoting
> issues like that:
>
> Put into /etc/start_if.em0:
>
> #!/bin/sh
> if [ -r /etc/rc.conf.d/ng_etf.em0 ]; then
>     if ! /usr/sbin/ngctl show lan_filter: 2>/dev/null | grep -q lan_filter; then
>         /usr/sbin/ngctl -f /etc/rc.conf.d/ng_etf.em0
>     fi
> fi
>
> Your /etc/rc.conf.d/ng_etf.em0 would look like that:
>
> # to be loaded by ngctl script
> mkpeer em0: etf lower downstream
> name em0:lower lan_filter
> connect em0: lan_filter: upper nomatch
> msg lan_filter: setfilter { matchhook="em1:lower" }
>
> Once I had a naming race suspicion, so I always do the real control
> without relying on names, those are just for later admin tasks/reading:
> # to be loaded by ngctl script
> mkpeer em0: etf lower downstream
> name em0:lower lan_filter
> connect em0: em0:lower upper nomatch
> msg em0:lower setfilter { matchhook="em1:lower" }
>
>
> Beware of typos, hope that helps,
>
> -harry
>
>


Re: Need Netgraph Help

2017-12-13 Thread Harry Schmalzbauer
Regarding John Lyon's message of 13.12.2017 21:38 (localtime):
> Hello All,
>
> I'm a new Netgraph user, but am having some problems with a simple Netgraph
> script I have written.  Unfortunately, the error message is cryptic and I
> can't tell what I am doing wrong since my script closely follows the
> example provided in the ng_etf man page.
>
> For some context, I'm trying to filter EAP traffic coming in on my LAN
> interface.  Any ethernet frames that correspond to EAP traffic need to be
> immediately forwarded from the LAN interface to my WAN interface.  All
> other ethernet frames coming in on my LAN interface need to be handled by
> the kernel's network stack.  A (horrid) ASCII art representation of my
> desired netgraph would look like this:
>
> lower -> em0 -> downstream -> ETF -> no match -> upper em0
>-> match ->
> lower em1
>
> The script I have written is this:
>
> #! /bin/sh
> ngctl mkpeer em0: etf lower downstream
> ngctl name em0:lower lan_filter
> ngctl connect em0: lan_filter: upper nomatch
> ngctl msg lan_filter: setfilter { matchhook="em1:lower"
> ethertype=0x888e }
>
> Unfortunately, the last line of my script generates the following error
> message:
>
> ngctl: send msg: Invalid Argument

I strongly guess shell interferes here.  Try quoting your braces part.
I'm handling auto startup (rc(8) integration) and mitigating quoting
issues like that:

Put into /etc/start_if.em0:

#!/bin/sh
if [ -r /etc/rc.conf.d/ng_etf.em0 ]; then
    if ! /usr/sbin/ngctl show lan_filter: 2>/dev/null | grep -q lan_filter; then
        /usr/sbin/ngctl -f /etc/rc.conf.d/ng_etf.em0
    fi
fi

Your /etc/rc.conf.d/ng_etf.em0 would look like that:

# to be loaded by ngctl script
mkpeer em0: etf lower downstream
name em0:lower lan_filter
connect em0: lan_filter: upper nomatch
msg lan_filter: setfilter { matchhook="em1:lower" }

Once I had a naming race suspicion, so I always do the real control without
relying on names, those are just for later admin tasks/reading:
# to be loaded by ngctl script
mkpeer em0: etf lower downstream
name em0:lower lan_filter
connect em0: em0:lower upper nomatch
msg em0:lower setfilter { matchhook="em1:lower" }


Beware of typos, hope that helps,

-harry
