Re: Howto: ipsec tunnel routing both IPv4 and IPv6? Possible?

2024-01-15 Thread Andrey V. Elsukov
xff00 reqid: 104 pf firewall entries are set to allow esp over that tunnel. Now, I do want to route local IPv6 in addition, *if* that is possible, at all. Hi, try something like this: ifconfig_ipsec0_ipv6="inet6 fd00:b:b:b::250 fd00:a:a:a::254 prefixlen 128" -- WBR, Andrey V. Elsukov

Re: Restarting IPv6

2023-10-04 Thread Andrey V. Elsukov
missing? Hi, probably you need to use rtsold(8). -- WBR, Andrey V. Elsukov

Re: em0: No buffer space available for IPv6 traffic but IPv4 is OK

2023-08-21 Thread Andrey V. Elsukov
IPv6. Make sure your firewall doesn't block ICMPv6 types needed for IPv6 to work. Check that multicast functions correctly. # ifconfig # ndp -an # netstat -s # ifmcstat -- WBR, Andrey V. Elsukov

Re: Is there a FreeBSD equivalent of 'tcpdump -i any' from Linux?

2023-08-03 Thread Andrey V. Elsukov
ETHER_BPF_MTAP() macro, probably make some tweaks for tcpdump and you will get what you need. It seems not so hard. -- WBR, Andrey V. Elsukov

Re: IPFW: IPv6 and NPTv6 issues: multiple IPv6 addresses confuses IPFW

2023-02-19 Thread Andrey V. Elsukov
rance of new IPv6 address. 2. Then, even if you delete old IPv6 address by hand, NPTv6 won't try to pick another one until there won't appear new address. 3. There should be some logic that takes into account presence of temporary and deprecated addresses on the interface. -- WBR, Andrey V

Re: NPTv6: prefix doesn't change in IPFW when prefix changes on dynamic interface

2022-11-24 Thread Andrey V. Elsukov
deprecated addresses from an interface. Then NPTv6 module will use first global prefix on the interface. -- WBR, Andrey V. Elsukov OpenPGP_signature Description: OpenPGP digital signature

Re: ICMPv6 over lo0

2022-11-15 Thread Andrey V. Elsukov
, sizeof(optval)) == -1) err(1, "setsockopt(IPV6_USE_MIN_MTU)"); } ``` -- WBR, Andrey V. Elsukov

Re: Poor performance with stable/13 and Mellanox ConnectX-6 (mlx5)

2022-06-14 Thread Andrey V. Elsukov
=ffed07bb     ether b8:ce:f6:81:df:6a     inet 192.168.10.31 netmask 0xff00 broadcast 192.168.10.255     media: Ethernet 25GBase-CR     status: active     nd6 options=29 Hi, Do you have the same MTU size on linux machine? -- WBR, Andrey V. Elsukov

Re: if_enc(4) and net.inet.ipcomp.ipcomp_enable

2022-03-01 Thread Andrey V. Elsukov
IPsec stack. -- WBR, Andrey V. Elsukov

Re: Porting OpenBSD MPLS to FreeBSD

2021-12-10 Thread Andrey V. Elsukov
MPLS implementation independent from netgraph. At least until it become lockless. -- WBR, Andrey V. Elsukov

Re: dtrace to trace incoming connection not suceeding ?

2021-11-14 Thread Andrey V. Elsukov
has not TCP-MD5 signature, but listen socket expects it. Such SYN segment will be dropped by syncache code. Probably your BGP daemon configured to use TCP-MD5 for connection, but remote side does not. -- WBR, Andrey V. Elsukov

Re: IPSEC problems with pf

2021-09-25 Thread Andrey V. Elsukov
l family, > as it may affect, too. If you do not use enc(4) pseudo-interface, make sure > you changed defaults to: > > net.enc.in.ipsec_filter_mask=0 > net.enc.out.ipsec_filter_mask=0 Another important variable that needs an attention is net.inet.ipsec.filtertunnel -- WBR, Andrey V. Elsukov

Re: TCP6 regression for MTU path on stable/13

2021-09-13 Thread Andrey V. Elsukov
t point. Hi, Take a look at: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255749 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=248005 does the problem described in these PRs is the same as yours? -- WBR, Andrey V. Elsukov

Re: Wired Memory Increasing about 500MBytes per day

2021-08-03 Thread Andrey V. Elsukov
nd only these zones are grow. > > How are you measuring this? USED or USED+FREE? AFAIK, monitoring uses sysctl variables: vm.stats.vm.v_page_size vm.stats.vm.v_free_count vm.stats.vm.v_wire_count -- WBR, Andrey V. Elsukov

Re: Wired Memory Increasing about 500MBytes per day

2021-08-03 Thread Andrey V. Elsukov
pgcache:4096, 0, 4249924, 706,224519238, 562, 0, 0 % bc >>> 5336+3126129+49771+4249924 7431160 >>> 7431160*4096/1024/1024/1024 28 >>> Look at the graph: https://imgur.com/yhqK1p8.png -- WBR, Andrey V. Elsukov

Re: Wired Memory Increasing about 500MBytes per day

2021-08-03 Thread Andrey V. Elsukov
or USED bytes? Yes, USED is the number of entries with SIZE bytes each. -- WBR, Andrey V. Elsukov

Re: Wired Memory Increasing about 500MBytes per day

2021-08-03 Thread Andrey V. Elsukov
Hi, We noticed the same problem, I'm not sure the exact version, but you can check the output: # vmstat -z | egrep "ITEM|pgcache" The page cache grows until lowmem is not reached. Then it automatically cleans and begins to grow again. -- WBR, Andrey V. Elsukov

Re: IPsec performace - netisr hits %100

2021-05-02 Thread Andrey V. Elsukov
> source IPs using multiple iperf to scale across multiple queues) > My hardware is Xeon D-2146NT (8 core + SoC Qat), cc0 and cc1 is Chelsio > T62100-LP-CR. I suspect you are using 9k MTU on cc(4) interfaces. If you set bigger MTU on the if_ipsec(4) interfaces, this can increase thr

Re: IPsec performace - netisr hits %100

2021-05-02 Thread Andrey V. Elsukov
sing. In your example there is only one IPsec transform is configured, but it is possible to configure several in the bundle, AFAIR, it is limited to 4 transforms. E.g. if you configure ESP+AH - it is bundle of two transforms and this will grow kernel stack requirements. -- WBR, Andrey V. Elsukov

Re: Src IP 0.0.0.0 for outgoing off-net ping & SSH packets

2021-04-23 Thread Andrey V. Elsukov
t someone will try debug the problem in the such outdated code. -- WBR, Andrey V. Elsukov

BFD failures with bird on FreeBSD (was: LACP BPDU packets priority?)

2021-02-09 Thread Andrey V. Elsukov
ul for the mail archives :) -- WBR, Andrey V. Elsukov ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"

Re: FreeBSD does not reply to IPv6 Neighbor Solicitations

2021-01-13 Thread Andrey V. Elsukov
6 code. In the PR 233535 the problem was reproducible with MLDv1, so if you disable MLDv2 will it work (to reduce possible scope of problematic code)? net.inet6.mld.v2enable=0 -- WBR, Andrey V. Elsukov

Re: FreeBSD does not reply to IPv6 Neighbor Solicitations

2021-01-12 Thread Andrey V. Elsukov
t packets don't hit IP stack. Probably some multicast related problem. In this case it could be useful to obtain output of ifmcstat(8). -- WBR, Andrey V. Elsukov #!/usr/sbin/dtrace -s fbt::nd6_ns_input:entry { ip = (struct ip6_hdr *)args[0]->m_data; nd = (struct nd_neighbor_solicit *)

[Differential] D26757: Fix to join AllHost mcast group again when adding an existing IP address

2020-10-13 Thread ae (Andrey V. Elsukov)
ae accepted this revision. ae added a comment. This revision is now accepted and ready to land. Looks correct to me. REPOSITORY rS FreeBSD src repository CHANGES SINCE LAST ACTION https://reviews.freebsd.org/D26757/new/ REVISION DETAIL https://reviews.freebsd.org/D26757 EMAIL

Re: IP reassembly

2020-09-22 Thread Andrey V. Elsukov
fragment comes first. > > In fact, I see this results in broken reassembly. Hi, IP reassembly is done in ip_input(), it doesn't matter what UL protocol is inside. Do you have some traces? You can use dtrace fbt probes to track your datagrams. -- WBR, Andrey V. Elsukov

Re: Ipv6 neighbor limit

2020-09-03 Thread Andrey V. Elsukov
he, for example, > to support more ipv6 neighbors. Hi, there is no such limit. When your system will approach to memory limits, new ND entries creating will fail. -- WBR, Andrey V. Elsukov signature.asc Description: OpenPGP digital signature

[Differential] D24989: netinet: Generate a random RSS key on boot.

2020-06-01 Thread ae (Andrey V. Elsukov)
ae added a comment. In D24989#552576 , @avg wrote: > I have a vague memory, maybe wrong, that commonly used fixed RSS keys were selected because they had some property (-ies). > So, maybe just being random is not good enough? > I think that

Re: RUNNING flag remains unset upon reinserting a gre into VNET jail

2020-05-07 Thread Andrey V. Elsukov
On 06.05.2020 10:00, Andrey V. Elsukov wrote: >> # create a gre outside the jail, configure its tunnel endpoints >> >> ifconfig gre0 create tunnel 10.1.1.1 10.2.2.2 >> ifconfig gre0 # not RUNNING (OK) >> >> # place the gre into the jail, it should be runni

[Differential] D24061: Hyper-V socket implementation for FreeBSD guest

2020-04-23 Thread ae (Andrey V. Elsukov)
ae added a comment. Do you have performance test results for already existing linux implementation? From a quick look it seems to me there will be bottleneck regarding locking that seems can be reduced using CK and epoch. But this task can be done in future, if you plan support this code.

[Differential] D23737: nat64: Get the IPv4 address from a NAT64 address when comparing addresses in a ICMP translate

2020-02-19 Thread ae (Andrey V. Elsukov)
ae added a comment. Also, how did test your changes? :) NAT64 currently is not widely used, thus changes here can break something and you will know about breakage when it will be not so easy to fix, e.g. after release. REPOSITORY rS FreeBSD src repository CHANGES SINCE LAST ACTION

[Differential] D23737: nat64: Get the IPv4 address from a NAT64 address when comparing addresses in a ICMP translate

2020-02-19 Thread ae (Andrey V. Elsukov)
ae added a comment. In D23737#521593 , @neel_neelc.org wrote: > Here, I also compare the destination addresses. Is this what you want? No, take a look at RFC 6052 p2.2. . REPOSITORY rS

[Differential] D23737: nat64: Get the IPv4 address from a NAT64 address when comparing addresses in a ICMP translate

2020-02-18 Thread ae (Andrey V. Elsukov)
ae requested changes to this revision. ae added a comment. This revision now requires changes to proceed. The patch is not correct. IPv4 address can be embedded in different places depending from configuration. REPOSITORY rS FreeBSD src repository CHANGES SINCE LAST ACTION

Re: Issue with BGP router / high interrupt / Chelsio / FreeBSD 12.1

2020-02-14 Thread Andrey V. Elsukov
u use some firewall? Also, can you show the snapshot from the `top -HPSIzts1` output. -- WBR, Andrey V. Elsukov

Re: IPSec transport mode, mtu, fragmentation...

2020-01-17 Thread Andrey V. Elsukov
On 16.01.2020 19:36, Andrey V. Elsukov wrote: > For transport mode inner and outer headers will be the same. > I guess the problem can be reproduced in the lab using the following config: > > [Host A] <--> [Router] <--> [Host B] > > IPsec should be configured b

Re: IPSec transport mode, mtu, fragmentation...

2020-01-17 Thread Andrey V. Elsukov
s way. -- WBR, Andrey V. Elsukov

Re: IPSec transport mode, mtu, fragmentation...

2020-01-16 Thread Andrey V. Elsukov
[Host A] <--> [Router] <--> [Host B] IPsec should be configured between hosts A and B. Then you need to reduce MTU on the router. This should lead to ICMP NEEDFRAG messages from the router, and then host should correctly handle them. -- WBR, Andrey V. Elsukov

Re: IPSec transport mode, mtu, fragmentation...

2020-01-16 Thread Andrey V. Elsukov
On 16.01.2020 17:24, Eugene Grosbein wrote: > 16.01.2020 20:39, Andrey V. Elsukov wrote: > >> I prepared the PoC patch that should fix the problem with TCP and >> transport mode IPsec. But I have not free time currently to properly >> test and debug it. It is only compile

Re: IPSec transport mode, mtu, fragmentation...

2020-01-16 Thread Andrey V. Elsukov
On 23.12.2019 15:00, Andrey V. Elsukov wrote: > On 20.12.2019 18:23, Victor Sudakov wrote: >> Dear Colleagues, >> >> I've set up IPSec in transport mode between two regular FreeBSD hosts, >> for testing. Now TCP sessions between those hosts don't work normally &g

Re: IPSec transport mode, mtu, fragmentation...

2019-12-23 Thread Andrey V. Elsukov
On 23.12.2019 15:12, Eugene Grosbein wrote: > 23.12.2019 19:00, Andrey V. Elsukov wrote: > >> I think the silence from ping is due to IPsec works asynchronously. >> I.e. when application sends data to the stack, it receives good feedback >> and thinks that data was send

Re: IPSec transport mode, mtu, fragmentation...

2019-12-23 Thread Andrey V. Elsukov
milar problem is with TCP. Probably we can try to send PRC_MSGSIZE notify when EMSGSIZE is returned from ip_output(). At least for TCP. -- WBR, Andrey V. Elsukov

Re: IPSec transport mode, mtu, fragmentation...

2019-12-23 Thread Andrey V. Elsukov
en route, and such fragments MUST be reassembled prior to IPsec processing at a receiver." If fragmentation was allowed at previous step, the receiver will have several fragments that will be reassembled into single ESP packet, and then it will be decrypted and passed to IP stack. I.e. IPsec will not

Re: IPSec transport mode, mtu, fragmentation...

2019-12-23 Thread Andrey V. Elsukov
't we? As I said I didn't find that other OSes do this. Linux has enabled by PMTUD by default, strongswan doesn't set SADB_SAFLAGS_NOPMTUDISC flag, OpenBSD hasn't such quirk. Why should we add this instead of try to fix PMTUD? -- WBR, Andrey V. Elsukov

Re: IPSec transport mode, mtu, fragmentation...

2019-12-23 Thread Andrey V. Elsukov
bl ip_no_pmtu_disc and flag SADB_SAFLAGS_NOPMTUDISC for SA that can disable PMTUD for IPv4 and IP_DF flag will not be set. We can add some similar quirks, but it would be better to fix PMTUD. We already have hundreds sysctl in our system and remembering all them is a problem too. -- WBR, Andrey V. El

Re: IPSec transport mode, mtu, fragmentation...

2019-12-23 Thread Andrey V. Elsukov
On 23.12.2019 12:39, Andrey V. Elsukov wrote: > On 20.12.2019 19:22, Victor Sudakov wrote: >>> What's the root of the problem? ESP packets cannot get fragmented or >>> what? >> >> Wireshark has shown that the "Don't Fragment" flag is set on all ESP &

Re: IPSec transport mode, mtu, fragmentation...

2019-12-23 Thread Andrey V. Elsukov
t off > globally? Hi, I think this DF flag is originally from TCP packet. ESP xform for transport mode just replaces protocol in IP header and adds some info to the end of a packet. -- WBR, Andrey V. Elsukov

Re: NAT64 return traffic vanishes after successful de-alias

2019-12-15 Thread Andrey V. Elsukov
stat -s" for clues, and even now that I know what > to look for, I'm not sure I know what I'm seeing. Is it "ip6: output > packets discarded due to no route"? I think you can see such drops in the `netstat -isp ip6` output for each specific interface in the `input datagram

Re: NAT64 return traffic vanishes after successful de-alias

2019-12-15 Thread Andrey V. Elsukov
nterface, but from another address family, so if you have disabled IPv6, a packet will be just dropped by ip6_input. You can enable IPv6 by the following command: # ifconfig igb0 inet6 -ifdisabled -- WBR, Andrey V. Elsukov

Re: icmp v4 redirect timeout

2019-10-25 Thread Andrey V. Elsukov
eeBSD 11.2-STABLE #0 r339734 > and I think this sysctl set timeout for routes installed via > ICMP-redirects (route deletes after this timeout?). > > Is it possible to get such sysctl for ipv4 ? I think expiring doesn't work for IPv6 too. At least, I didn't find related code from a qu

Re: How to disable tryforward ?

2019-10-25 Thread Andrey V. Elsukov
later. You need to disable icmpredirects to enable tryforward. So, if you don't need tryforward, just enable ICMP redirects. -- WBR, Andrey V. Elsukov

Re: FRR on FreeBSD 12 - problems with OSPFv3

2019-10-11 Thread Andrey V. Elsukov
cess killed, signal = 4 > SIGILL usually means that a binary/library was built for specific CPU and you need to rebuild it on the local host. If it was installed from the official packages, this means that the port should be fixed to not have such specific optimization flags. -- WBR, Andrey V. Elsukov

Re: dummynet: bandwidth is limited to 2 Gbit/s ?

2019-09-25 Thread Andrey V. Elsukov
t pipes (traffic shaping) configured > meantime. Is it big deal? Note, that if you have ipfw rule with pipe, that does not exist, all matched traffic will be dropped. :-) -- WBR, Andrey V. Elsukov

Re: dummynet: bandwidth is limited to 2 Gbit/s ?

2019-09-25 Thread Andrey V. Elsukov
, then such jails will stop work. -- WBR, Andrey V. Elsukov

Re: finding optimal ipfw strategy

2019-08-27 Thread Andrey V. Elsukov
_nh_basic:0.6 As you can see, when ipfw produces high load, interrupt column is more than system. -- WBR, Andrey V. Elsukov

Re: finding optimal ipfw strategy

2019-08-26 Thread Andrey V. Elsukov
icient. A bit. I have not any performance measurements, but this code is for compatibility and it has more checks to implement this compatibility. So, I doubt it is more efficient :) Internally all symbolic names are mapped into indexes and there should not be any performance impact on packets process

Re: finding optimal ipfw strategy

2019-08-25 Thread Andrey V. Elsukov
ay use symbolic names still at source level: There isn't any old tables, all tables have symbolic names. Even when you are creating "table(1)", its name is converted into symbolic name. -- WBR, Andrey V. Elsukov

Re: pf (rules and nat) + (ipfw + dummynet)

2019-08-19 Thread Andrey V. Elsukov
ive mutex and this kills performance on modern hardware. If you don't have some patches that are ready for committing, I think after several months this code will be significantly rewritten by me and your WIP patches will become stale. -- WBR, Andrey V. Elsukov

Re: igb netstat input counters 2x?

2019-08-15 Thread Andrey V. Elsukov
o I'd check L2/L3 addresses to be sure that they by accident are not broadcast/multicast. -- WBR, Andrey V. Elsukov

Re: Preferring internal IPv6 source address over gif tunnel IP?

2019-07-31 Thread Andrey V. Elsukov
addrctl_policy="AUTO" Yes, in general this should help. "no_prefer_iface" will lead to ignoring of "Rule 5: Prefer outgoing interface", and then address with "prefer_source" flag will be chosen in "Rule 10: prefer address with `prefer_source' flag" bef

Re: How to set up ipfw(8) NAT between an alias and the main IP address, when the alias is in another network?

2019-07-08 Thread Andrey V. Elsukov
ep-state' creates state for TCP connection that is not yet translated, thus it won't handle the reply packet, that has translated address/port. -- WBR, Andrey V. Elsukov

Re: IPFW NAT64 changed 11.2 --> 11.3?

2019-06-26 Thread Andrey V. Elsukov
On 26.06.2019 14:23, Patrick M. Hausen wrote: > Hi all, > >> Am 26.06.2019 um 12:28 schrieb Andrey V. Elsukov : >> >> On 26.06.2019 13:10, Patrick M. Hausen wrote: >>> tcpdump will take some more time, currently we do not have /dev/bpf in >>> these j

Re: IPFW NAT64 changed 11.2 --> 11.3?

2019-06-26 Thread Andrey V. Elsukov
On 26.06.2019 13:10, Patrick M. Hausen wrote: > tcpdump will take some more time, currently we do not have /dev/bpf in these > jails. So, nat64_direct_output didn't help? Does `ipfw nat64lsn NAT64 list states` shows correct addresses? -- WBR, Andrey V. Elsukov

Re: IPFW NAT64 changed 11.2 --> 11.3?

2019-06-26 Thread Andrey V. Elsukov
ut is preferable for you (try to set net.inet.ip.fw.nat64_direct_output=1). -- WBR, Andrey V. Elsukov

Re: ng_snd_item: Panic?

2019-06-25 Thread Andrey V. Elsukov
On 25.06.2019 15:59, Larry Rosenman wrote: > On 06/25/2019 4:18 am, Andrey V. Elsukov wrote: >> On 24.06.2019 23:10, Larry Rosenman wrote: >>>>> #5  0x828ee5b7 in ng_snd_item (item=0xf8021e3b4d80, >>>>> flags=0) >>>>>     at /usr/s

Re: ng_snd_item: Panic?

2019-06-25 Thread Andrey V. Elsukov
ssumption is correct :) Can you show the output of the following commands from the kgdb for this core? (kgdb) f 7 (kgdb) p *m (kgdb) p *m->m_next -- WBR, Andrey V. Elsukov

Re: ng_snd_item: Panic?

2019-06-24 Thread Andrey V. Elsukov
/usr/src/sys/kern/kern_intr.c:1148 > #25 ithread_execute_handlers (p=, ie=) > at /usr/src/sys/kern/kern_intr.c:1161 > #26 ithread_loop (arg=) at /usr/src/sys/kern/kern_intr.c:1241 > #27 0x8047ac74 in fork_exit ( > callout=0x8047df60 , arg=0xf8012c883100, > frame=0xfe012628dc00) at /usr/src/sys/kern/kern_fork.c:1056 > #28 > (kgdb) > -- WBR, Andrey V. Elsukov

Re: IPSec with if_ipsec strongswan and dynamic roadwarriors

2019-04-28 Thread Andrey V. Elsukov
re it, i.e. set tunnel addresses and some internal if needed. Note, you need to use the same reqid for if_ipsec(4) and for "conn" option. -- WBR, Andrey V. Elsukov

Re: unicast vxlan - unable to tcp connect to ipv6 ip's on endpoint host

2019-04-19 Thread Andrey V. Elsukov
not work correctly. You can try to disable checksum offloading on your interfaces and then try. Also you can use tcpdump to try determine what the problem you have with TCP. -- WBR, Andrey V. Elsukov

Re: bnxt(4) and VLANs - supposed to work?

2019-03-20 Thread Andrey V. Elsukov
vlan1 or bnxt0 - simply zero. > There must be some broadcast frames flying past even if the switch on the > other end should be misconfigured which I doubt ;-) -- WBR, Andrey V. Elsukov

Re: UDP broadcast

2019-03-06 Thread Andrey V. Elsukov
me result as nc. Do > I need to use raw sockets, perhaps? Take a look at ip(4) manual page, read about SO_BROADCAST and IP_ONESBCAST. -- WBR, Andrey V. Elsukov

Re: UDP broadcast

2019-03-06 Thread Andrey V. Elsukov
pture size I think it is because netcat does not send real broadcast, you can add -e flag to tcpdump and compare ethernet destination addresses. -- WBR, Andrey V. Elsukov

Re: RFC 5549?

2018-12-18 Thread Andrey V. Elsukov
, link-type EN10MB (Ethernet), capture size 262144 bytes > 11:41:59.559457 IP 0.0.0.0 > 192.168.230.1: ICMP echo request, id > 2119, seq 27, length 64 For now I think source address specifying should help to use ping(8). -- WBR, Andrey V. Elsukov

Re: RFC 5549?

2018-12-17 Thread Andrey V. Elsukov
bsd.org/base/head/sys/netinet/ip_output.c?annotate=339219#l452 it uses some zero filled word as source address. Probably, we can just drop the packet, when gw->af_family == AF_INET6 and ip_src == INADDR_ANY. Also we can do some sort of source address selection, but this variant needs more code :) I think generic forwarding should work, when you use router only as transit point. -- WBR, Andrey V. Elsukov

Re: RFC 5549?

2018-12-17 Thread Andrey V. Elsukov
On 11.12.2018 15:07, Andrey V. Elsukov wrote: >> The FRRouting project has some basic support for rfc 5549 and I've >> been asked to see if it is possible to get this bit of code working >> with the FRRouting freebsd kernel interface. What is RFC 5549 you >> ask? The tl;d

Re: RFC 5549?

2018-12-11 Thread Andrey V. Elsukov
s that can be used as IPv4 source, and how existing programs will handle such routes when they will appear in a routing socket. -- WBR, Andrey V. Elsukov

Re: IPsec: is it possible to encrypt transit traffic in transport mode?

2018-11-30 Thread Andrey V. Elsukov
e, that can take packets and do IPsec processing. Then this module can be attached to Ethernet pfil hook and together with first idea, I think this can give a measurable improvement of PPS rate. -- WBR, Andrey V. Elsukov

Re: IPsec: is it possible to encrypt transit traffic in transport mode?

2018-11-30 Thread Andrey V. Elsukov
, that are not destined to your IP address. Inbound packets are handled based on the destination address, protocol and SPI value, so if ip_input() doesn't decide that ESP packet is for your host, it will not invoke IPSEC_INPUT() and encrypted packet will be routed as is. -- WBR, Andrey V. Elsukov

Re: ASUS PCE-AC88 AC3100 Supported?

2018-10-31 Thread Andrey V. Elsukov
k > > Nothing appears in ifconfig. OpenBSD/NetBSD has bwfm driver, that seems supports this card. -- WBR, Andrey V. Elsukov

Re: Configuring IPv6 on jails

2018-10-30 Thread Andrey V. Elsukov
only in head/ yet. > > Would be nice! I’m on 12-STABLE. Hi, I published the patch: https://reviews.freebsd.org/D17765 For stable/12 you need to apply patch from r339537: https://reviews.freebsd.org/D17100 -- WBR, Andrey V. Elsukov

Re: Configuring IPv6 on jails

2018-10-29 Thread Andrey V. Elsukov
t; the external IPv4 address) Hi, I think I can add this feature to ipfw_nptv6 module, but I need some spare time to implement it. If you are interested, I'll send the patch to you later. What version do you use? I suspect the patch will use some features, that are present only in head/

Re: get rid of the eui64 address

2018-10-19 Thread Andrey V. Elsukov
On 19.10.2018 15:41, Victor Sudakov wrote: > Andrey V. Elsukov wrote: >>> >>> BTW do you know the difference between the "accept_rtadv" and >>> "autoconf" flags in ifconfig? >> >> The accept_rtadv is interface's attribute and it is sho

Re: get rid of the eui64 address

2018-10-19 Thread Andrey V. Elsukov
On 19.10.2018 12:35, Victor Sudakov wrote: > Andrey V. Elsukov wrote: >> On 18.10.2018 18:56, Victor Sudakov wrote: >>> Thank you Andrey, you made my day! I'm beginning to love IPv6 more and >>> more. >>> >>> How would the prefer_source flag look li

Re: get rid of the eui64 address

2018-10-19 Thread Andrey V. Elsukov
; > ifconfig_fxp0_alias0="inet6 2001:19f0:8001:1219::10 prefer_source" Hi, I think you can just use all these options in one line: ifconfig_fxp0_ipv6="2001:19f0:8001:1219::10/64 prefer_source accept_rtadv" -- WBR, Andrey V. Elsukov

Re: get rid of the eui64 address

2018-10-18 Thread Andrey V. Elsukov
flag for your static address, and for most cases it will be chosen by IPv6 SAS algorithm (if it is from the same prefix as autoconfigured one). -- WBR, Andrey V. Elsukov

Re: Patching ng_iface to allow setting the MTU via netgraph API

2018-10-11 Thread Andrey V. Elsukov
tribution section in the handbook. > > If someone could point me in the right direction, it would be > appreciated. I'll attach the patch to this mail as well since it is a > quite small one. Hi, take a look at this review https://reviews.freebsd.org/D17180 You can

Re: IPv6 fragment reassembly regression following FreeBSD-SA-18:10.ip

2018-09-24 Thread Andrey V. Elsukov
/base/337828 > [2] https://svnweb.freebsd.org/changeset/base/337776 > [3] https://lists.freebsd.org/pipermail/svn-src-head/2018-August/117514.html > [4] https://bugs.freebsd.org/231045 Your analysis looks correct to me. r338406 was not merged to releng/11.2. -- WBR, Andrey V. Elsukov

Re: NFS poor performance in ipfw_nat

2018-09-18 Thread Andrey V. Elsukov
; 192.168.1.243:22 22243 > > Is there any suggestions ? > Hi, try to disable TSO on your NICs. -- WBR, Andrey V. Elsukov

Re: Is if_ipsec/ipsec - AESNI accelerated ?

2018-08-09 Thread Andrey V. Elsukov
172.30.1.4/30 any -P in  ipsec > esp/tunnel/10.245.0.203-10.245.0.201/unique:4; You don't need to create security policies for if_ipsec interfaces. They are created by interface automatically. -- WBR, Andrey V. Elsukov

Re: Is if_ipsec/ipsec - AESNI accelerated ?

2018-08-09 Thread Andrey V. Elsukov
- [ 3] local 192.168.0.15 port 37641 connected with 192.168.0.25 port 5001 [ ID] Interval Transfer Bandwidth [ 3] 0.0- 8.0 sec 5.64 GBytes 6.06 Gbits/sec [ 3] 8.0-16.0 sec 5.76 GBytes 6.19 Gbits/sec [ 3] 0.0-16.0 sec 11.4 GBytes 6.12 Gbits/sec -- WBR, Andrey V. Elsukov

Re: Is if_ipsec/ipsec - AESNI accelerated ?

2018-08-08 Thread Andrey V. Elsukov
u need to recreate security associations after module loading to take effect. -- WBR, Andrey V. Elsukov

Re: IPv6 scope handling, was Re: svn commit: r335806 - projects/pnfs-planb-server/usr.sbin/nfsd

2018-07-01 Thread Andrey V. Elsukov
v6 header, i.e. embed scope zone >> identifier. Otherwise the kernel will fail to send such packets. > How would HostA know what HostC should use? > (I don't think it can know?) > [stuff snipped] The possible solution can be: * for the sending host use scope zone id to determin

Re: IPv6 scope handling, was Re: svn commit: r335806 - projects/pnfs-planb-server/usr.sbin/nfsd

2018-06-30 Thread Andrey V. Elsukov
nt to use > to connect > to a data server (DS). I'm not sure if the "%..." stuff is useful in this > case and, > when it gets to the client, it will be translated to an address via the kernel > version of inet_pton(), which does not parse "%..." as far as I

Re: [PATCH]: The 6to4 stf0 interface flapping in/out of tentative in FreeBSD 11

2018-06-22 Thread Andrey V. Elsukov
alti * it is rather harmful to have one. */ ND_IFINFO(ifp)->flags &= ~ND6_IFF_AUTO_LINKLOCAL; + ND_IFINFO(ifp)->flags |= ND6_IFF_NO_DAD; break; default: break; -- WBR, Andrey V. Elsukov
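
Review bot: the added `ND_IFINFO(ifp)->flags |= ND6_IFF_NO_DAD;` line has no comment of its own. The existing comment ending "it is rather harmful to have one" sits above the ND6_IFF_AUTO_LINKLOCAL clear and does not say why DAD is turned off in this case. Suggest a one-line comment on the new statement giving the reason, so the two flag changes are not read as a single decision.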

Re: [PATCH]: The 6to4 stf0 interface flapping in/out of tentative in FreeBSD 11

2018-06-22 Thread Andrey V. Elsukov
IFF_DRV_RUNNING flag. But actually it seems the right solution should be disabling DAD for if_stf(4) interface. IPv6 DAD requires that given interface should be multicast capable, but for if_stf(4) it is not true. Will it help if you use `ifconfig stf0 inet6 no_dad` before assigning IPv6 address? -- WBR, Andrey V. Elsukov

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Andrey V. Elsukov
(len <= MJUM9BYTES) mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM9BYTES); else if (len <= MJUM16BYTES) mcl = m_getjcl(M_NOWAIT, MT_DATA, M_PKTHDR, MJUM16BYTES); else goto bad; -- WBR, Andrey V. Elsukov

Re: In-kernel NAT [ipfw] dropping large UDP return packets

2018-06-13 Thread Andrey V. Elsukov
reater than 4k, ipfw_nat() function will drop this packet. -- WBR, Andrey V. Elsukov

Re: 11.2-RC1 setkey invalid spi ?

2018-06-13 Thread Andrey V. Elsukov
ed values. Two years ago I have sent the patch to bird developers, but have not received any answers. -- WBR, Andrey V. Elsukov

Re: GRE/gif/netgraph tunnel speed on 10Gbit channel

2018-05-29 Thread Andrey V. Elsukov
On 29.05.2018 13:58, Vitalij Satanivskij wrote: > Thank you Andrey. > > I'm test with value of 62 without any success ^( So, is there no difference at all? The same bit rate with and without loaded module? Can you share your configs and parameters used for testing? -- WBR, Andrey V

Re: GRE/gif/netgraph tunnel speed on 10Gbit channel

2018-05-29 Thread Andrey V. Elsukov
can increase throughput a bit, since this can reduce the > AVE> need to allocate extra mbuf when new IP header is encapsulated. Hm, yes it is readonly. Probably I thought about my local patches... You can try this kernel module to change this value in run time. -- WBR, Andrey V. Elsuk

Re: GRE/gif/netgraph tunnel speed on 10Gbit channel

2018-05-29 Thread Andrey V. Elsukov
-80 bytes. I think this can increase throughput a bit, since this can reduce the need to allocate extra mbuf when new IP header is encapsulated. -- WBR, Andrey V. Elsukov

Re: multiple if_ipsec

2018-05-13 Thread Andrey V. Elsukov
On 08.05.2018 16:51, Andrey V. Elsukov wrote: > I think for proper support of several if_ipsec interfaces racoon needs > some patches. But I have not spare time to do this job. > I recommend to use strongswan, it has active developers that are > responsive and may give some help a
