From owner-freebsd-net@FreeBSD.ORG Sun Apr 6 02:00:09 2008
From: "Bruce M. Simpson" <bms@FreeBSD.org>
Date: Sun, 06 Apr 2008 03:00:07 +0100
To: frenchy@driven-monkey.com
Cc: freebsd-net@freebsd.org
Subject: Re: Initialising networking protocol
List-Id: Networking and TCP/IP with FreeBSD

frenchy@driven-monkey.com wrote:
> Hi All,
>
> I am working on implementing MPLS in FreeBSD at the moment.
> I was wondering if anyone had some links to any references I could use, or
> recommend any books I can use to help me in that. Failing that, I am
> struggling with trying to work out how to initialise my MPLS protocol in
> the netisr stack, so the mpls_input function I am writing is called when
> an MPLS packet is received.
>

Seen ayame? http://www.ayame.org/

From owner-freebsd-net@FreeBSD.ORG Sun Apr 6 02:29:17 2008
From: Julian Elischer <julian@elischer.org>
Date: Sat, 05 Apr 2008 19:29:17 -0700
To: "Bruce M. Simpson"
Cc: freebsd-net@freebsd.org, frenchy@driven-monkey.com
Subject: Re: Initialising networking protocol

Bruce M. Simpson wrote:
> frenchy@driven-monkey.com wrote:
>> Hi All,
>>
>> I am working on implementing MPLS in FreeBSD at the moment. I was
>> wondering if anyone had some links to any references I could use, or
>> recommend any books I can use to help me in that. Failing that, I am
>> struggling with trying to work out how to initialise my MPLS protocol
>> in the netisr stack, so the mpls_input function I am writing is called
>> when an MPLS packet is received.
>>
>
> Seen ayame? http://www.ayame.org/

looks like a stalled effort.. things stop in 2002

From owner-freebsd-net@FreeBSD.ORG Sun Apr 6 03:20:29 2008
From: "Bruce M. Simpson" <bms@FreeBSD.org>
Date: Sun, 06 Apr 2008 04:20:26 +0100
To: Julian Elischer
Cc: freebsd-net@freebsd.org, frenchy@driven-monkey.com
Subject: Re: Initialising networking protocol

Julian Elischer wrote:
>>
>> Seen ayame? http://www.ayame.org/
>
> looks like a stalled effort.. things stop in 2002

From what I've read of the code, it seems close to KAME and BSD style, and
could actually get merged. With a little bit more work, the userland could
slot into XORP's BGP implementation. Of course, all this takes time and
effort, however I believe Ayame was a working example of MPLS in NetBSD, so
it's as good a place to start as any.

cheers
BMS

From owner-freebsd-net@FreeBSD.ORG Sun Apr 6 03:50:58 2008
From: Ingo Flaschberger <if@xip.at>
Date: Sun, 6 Apr 2008 05:50:55 +0200 (CEST)
To: "Bruce M. Simpson"
Cc: freebsd-net@freebsd.org, Julian Elischer, frenchy@driven-monkey.com
Subject: Re: Initialising networking protocol

Dear Bruce,

>>> Seen ayame? http://www.ayame.org/

http://lists.freebsd.org/pipermail/freebsd-net/2008-February/016815.html

I think Ryan already knows this...

bye,
Ingo

From owner-freebsd-net@FreeBSD.ORG Sun Apr 6 12:11:56 2008
From: martinko <gamato@users.sf.net>
Date: Sun, 06 Apr 2008 13:45:14 +0200
To: freebsd-net@freebsd.org
Newsgroups: gmane.os.freebsd.devel.mobile
Subject: Wi-Fi connection via iwi(4) dies regularly

Hallo,

I'm trying to use my Intel 2200bg WiFi card to access the internet (via
D-Link DIR-655 gateway) but it is very unreliable. Usually within 1-3 hours
the connection dies and I have to restart it (I do it with the
/etc/rc.d/netif script). Then it works for some time and dies again, and
thus the cycle repeats. :-/

Is there something I can do to help someone debug and fix this issue please?

Thanks!

With regards,

Martin

I've got this in my /etc/rc.conf.local:

ifconfig_iwi0="WPA DHCP"

$ pciconf -lv
[...]
iwi0@pci2:3:0: class=0x028000 card=0x27018086 chip=0x42208086 rev=0x05 hdr=0x00
    vendor   = 'Intel Corporation'
    device   = 'MPCI3B driverIntel PRO/Wireless 2200BG'
    class    = network

$ ifconfig iwi0
iwi0: flags=8843 mtu 1500
        inet 192.168.11.3 netmask 0xffffff00 broadcast 192.168.11.255
        ether 00:0e:35:90:b1:7a
        media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
        status: associated
        ssid gamato channel 1 bssid 00:1c:f0:f4:ab:a4
        authmode WPA privacy ON deftxkey UNDEF TKIP 2:128-bit TKIP 3:128-bit
        txpowmax 100 bmiss 10 protmode CTS roaming MANUAL bintval 100

$ uname -a
FreeBSD mb-aw1n-bsd 6.3-STABLE FreeBSD 6.3-STABLE #0: Fri Mar 28 22:29:49 CET 2008     root@mb-aw1n-bsd:/usr/obj/usr/src/sys/MB-AW1N  i386

PS: Please note that I'm not subscribed to freebsd-net@

From owner-freebsd-net@FreeBSD.ORG Sun Apr 6 17:18:32 2008
From: Andriy Gapon <avg@icyb.net.ua>
Date: Sun, 06 Apr 2008 19:10:17 +0300
To: freebsd-net@freebsd.org
Subject: arplookup 10.0.0.68 failed: host is not on local network
My message log is spammed with thousands of messages like those quoted
below, to the extent that this could be considered some form of an attack.

kernel: arplookup 10.0.0.68 failed: host is not on local network
kernel: arplookup 10.0.0.6 failed: host is not on local network
kernel: arplookup 10.0.0.68 failed: host is not on local network
kernel: arplookup 10.0.0.6 failed: host is not on local network

I wasn't there to see how this started, but I was able to monitor a little
bit of the process and here are my uneducated guesses. Uneducated because I
didn't examine the sources yet.

There should not be any hosts with 10.0.0.0/24 addresses on this network.
There are no special routes for it on my machine; outgoing packets should go
to 'default'.

I suspect that this was triggered when an offending machine sent an arp
response packet (that was unasked for) to my machine saying that 10.0.0.X
has MAC address 00:04:61:01:23:45 (note 12345). Or maybe it broadcast an arp
request asking to tell my MAC address to that machine. And I suspect that it
tricked the OS into (almost endlessly) trying to do an arp lookup for that
10.0.0.X address. But updating the arp table failed for the obvious reason.
I saw with tcpdump that my machine indeed sent arp requests for the 10.0.0.X
address.

I see two issues here:
1. we should not send arp requests for addresses that are not supposed to
   be on the local network(s)
2. there is no way to disable or throttle the log messages

--
Andriy Gapon

From owner-freebsd-net@FreeBSD.ORG Mon Apr 7 08:42:09 2008
From: Yar Tikhiy <yar.tikhiy@gmail.com>
Date: Mon, 7 Apr 2008 12:14:00 +0400
To: freebsd-net@freebsd.org
Cc: luigi@freebsd.org, oleg@freebsd.org
Subject: ipfw uid/gid to match listening TCP sockets?

Hi there,

Our ipfw currently doesn't seem to match this host's traffic by uid/gid if
the traffic goes to a listening TCP socket. E.g., if one tries to allow
passive data connections to a local anonymous FTP server as follows, it
won't work:

ipfw add 10000 allow tcp from any to me dst-port 49152-65535 uid ftp in keep-state

This behaviour is obvious from ip_fw2.c:

2009 		if (proto == IPPROTO_TCP) {
2010 			wildcard = 0;
2011 			pi = &tcbinfo;
2012 		} else if (proto == IPPROTO_UDP) {
2013 			wildcard = INPLOOKUP_WILDCARD;
2014 			pi = &udbinfo;
2015 		} else
2016 			return 0;

I.e., it is OK for UDP to match PCBs (essentially sockets) with a wildcard
foreign (remote) address, but not for TCP. I wonder if there will be any
security or whatever issues if the wildcard flag is set for TCP, too. The
only peculiarity I can see now is that listening sockets shouldn't generate
outbound traffic; as soon as a 3-way handshake starts, a separate PCB is
created. Thus a listening socket can match inbound packets only. Are there
any other points I missed?

Thanks!
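The lookup Yar describes, as an added example for this digest (not ipfw's or in_pcb's code): a small C model of the PCB lookup behind ipfw's uid/gid options, with the proposed TCP wildcard flag as a parameter and Yar's observation that a listening socket can only match inbound packets encoded as a rule. The PCB table, addresses, ports and uid values are constructed, and all function and macro names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names: this models the PCB lookup behind ipfw's uid/gid
 * options; it is not ip_fw2.c or in_pcb.c. Addresses are in host order. */
#define ADDR_ANY  0u          /* wildcard address, like INADDR_ANY */
#define PORT_ANY  0u          /* wildcard port of an unconnected socket */
#define WILDCARD  1           /* like INPLOOKUP_WILDCARD */

enum proto { P_TCP, P_UDP };

struct pcb {
    enum proto proto;
    uint32_t laddr, faddr;    /* local and foreign address */
    uint16_t lport, fport;    /* local and foreign port */
    uint32_t uid;             /* owner of the socket */
};

/* Constructed PCB table: an anonymous-FTP passive-mode listener on port
 * 50000 (uid 14 here), one established data connection, and a UDP tftpd. */
static const struct pcb pcbs[] = {
    { P_TCP, 0x0A000001u, ADDR_ANY,    50000, PORT_ANY, 14 }, /* LISTEN */
    { P_TCP, 0x0A000001u, 0xC0A80005u, 50001, 40000,    14 }, /* ESTABLISHED */
    { P_UDP, ADDR_ANY,    ADDR_ANY,    69,    PORT_ANY,  0 }, /* tftpd */
};

/* Two-pass lookup in the spirit of a hashed PCB lookup: an exact 4-tuple
 * match first, and only if 'wildcard' is set a fallback to a PCB bound to
 * the local port with an unspecified foreign address and port. */
static const struct pcb *
pcb_lookup(enum proto proto, uint32_t faddr, uint16_t fport,
           uint32_t laddr, uint16_t lport, int wildcard)
{
    size_t i, n = sizeof pcbs / sizeof pcbs[0];

    for (i = 0; i < n; i++) {
        const struct pcb *p = &pcbs[i];
        if (p->proto == proto && p->faddr == faddr && p->fport == fport &&
            p->laddr == laddr && p->lport == lport)
            return p;
    }
    if (!wildcard)
        return NULL;
    for (i = 0; i < n; i++) {
        const struct pcb *p = &pcbs[i];
        if (p->proto == proto && p->lport == lport &&
            p->faddr == ADDR_ANY && p->fport == PORT_ANY &&
            (p->laddr == laddr || p->laddr == ADDR_ANY))
            return p;
    }
    return NULL;
}

/* The uid check ipfw performs: the local side of the packet is the
 * destination for inbound traffic and the source for outbound traffic.
 * 'tcp_wildcard' is the knob the mail asks about: 0 is the current
 * behaviour, 1 the proposed one. Because a listening socket can only ever
 * match inbound packets, the TCP wildcard fallback is applied to inbound
 * packets only; UDP keeps its wildcard lookup in both directions. */
static bool
match_uid(enum proto proto, bool inbound, uint32_t src, uint16_t sport,
          uint32_t dst, uint16_t dport, uint32_t uid, int tcp_wildcard)
{
    int wildcard = (proto == P_UDP) ? WILDCARD : (inbound ? tcp_wildcard : 0);
    const struct pcb *p = inbound
        ? pcb_lookup(proto, src, sport, dst, dport, wildcard)
        : pcb_lookup(proto, dst, dport, src, sport, wildcard);

    return p != NULL && p->uid == uid;
}

int
main(void)
{
    /* A SYN for the passive data port, checked against "uid ftp" (14). */
    printf("SYN to listener, wildcard off: %s\n",
           match_uid(P_TCP, true, 0xC0A80009u, 51000, 0x0A000001u, 50000, 14, 0)
           ? "match" : "no match");
    printf("SYN to listener, wildcard on:  %s\n",
           match_uid(P_TCP, true, 0xC0A80009u, 51000, 0x0A000001u, 50000, 14, 1)
           ? "match" : "no match");
    return 0;
}
```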
--
Yar

From owner-freebsd-net@FreeBSD.ORG Mon Apr 7 10:37:14 2008
From: Rui Paulo <rpaulo@gmail.com>
Date: Mon, 7 Apr 2008 11:36:54 +0100
To: "Bruce M. Simpson"
Cc: freebsd-net@freebsd.org, Julian Elischer, frenchy@driven-monkey.com
Subject: Re: Initialising networking protocol

On Sun, Apr 06, 2008 at 04:20:26AM +0100, Bruce M. Simpson wrote:
> Julian Elischer wrote:
>>>
>>> Seen ayame? http://www.ayame.org/
>>
>> looks like a stalled effort.. things stop in 2002
>
> From what I've read of the code, it seems close to KAME and BSD style, and
> could actually get merged. With a little bit more work, the userland could
> slot into XORP's BGP implementation. Of course, all this takes time and
> effort, however I believe Ayame was a working example of MPLS in NetBSD,
> so it's as good a place to start as any.
Yes, I started working on it a couple years ago:
http://ftp.netbsd.org/pub/NetBSD/misc/rpaulo/ayame/

Kefren's version is more up to date and fixes some bugs, IIRC:
http://ftp.netbsd.org/pub/NetBSD/misc/kefren/mpls/

HTH,
--
Rui Paulo

From owner-freebsd-net@FreeBSD.ORG Mon Apr 7 11:07:04 2008
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
Date: Mon, 7 Apr 2008 11:07:03 GMT
To: freebsd-net@FreeBSD.org
Subject: Current problem reports assigned to freebsd-net@FreeBSD.org

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/35442   net        [sis] [patch] Problem transmitting runts in if_sis dri
a kern/38554   net        changing interface ipaddress doesn't seem to work
s kern/39937   net        ipstealth issue
s kern/81147   net        [net] [patch] em0 reinitialization while adding aliase
s kern/86920   net        [ndis] ifconfig: SIOCS80211: Invalid argument (regress
o kern/92090   net        [bge] bge0: watchdog timeout -- resetting
f kern/92552   net        A serious bug in most network drivers from 5.X to 6.X
o kern/95288   net        [pppd] [tty] [panic] if_ppp panic in sys/kern/tty_subr
s kern/105943  net        Network stack may modify read-only mbuf chain copies
o kern/106316  net        [dummynet] dummynet with multipass ipfw drops packets
o kern/108542  net        [bce]: Huge network latencies with 6.2-RELEASE / STABL
o kern/112528  net        [nfs] NFS over TCP under load hangs with "impossible p
o kern/112686  net        [patm] patm driver freezes System (FreeBSD 6.2-p4) i38
o kern/112722  net        [udp] IP v4 udp fragmented packet reject
o kern/113842  net        [ipv6] PF_INET6 proto domain state can't be cleared wi
o kern/114714  net        [gre][patch] gre(4) is not MPSAFE and does not support
o kern/114839  net        [fxp] fxp looses ability to speak with traffic
o kern/115239  net        [ipnat] panic with 'kmem_map too small' using ipnat
o kern/116077  net        [ip] [patch] 6.2-STABLE panic during use of multi-cast
f kern/116172  net        [tun] [panic] Network / ipv6 recursive mutex panic
o kern/116185  net        [iwi] if_iwi driver leads system to reboot
o kern/116328  net        [bge]: Solid hang with bge interface
o kern/116747  net        [ndis] FreeBSD 7.0-CURRENT crash with Dell TrueMobile
o kern/116837  net        [tun] [panic] [patch] ifconfig tunX destroy: panic
o kern/117043  net        [em] Intel PWLA8492MT Dual-Port Network adapter EEPROM
o kern/117271  net        [tap] OpenVPN TAP uses 99% CPU on releng_6 when if_tap
o kern/117423  net        [vlan] Duplicate IP on different interfaces
o kern/117448  net        [carp] 6.2 kernel crash (regression)
o kern/118880  net        [ipv6] IP_RECVDSTADDR & IP_SENDSRCADDR not implemented
o kern/119225  net        [wi] 7.0-RC1 no carrier with Prism 2.5 wifi card (regr
o kern/119345  net        [ath] Unsuported Atheros 5424/2424 and CPU speedstep n
o kern/119361  net        [bge] bge(4) transmit performance problem
o kern/119945  net        [rum] [panic] rum device in hostap mode, cause kernel
o kern/120130  net        [carp] [panic] carp causes kernel panics in any conste
o kern/120266  net        [panic] gnugk causes kernel panic when closing UDP soc
o kern/120304  net        [netgraph] [patch] netgraph source assumes 32-bit time
f kern/120725  net        [bce] On board second lan port 'bce1' with Broadcom Ne
f kern/120966  net        [rum]: kernel panic with if_rum and WPA encryption
o kern/121181  net        [panic] Fatal trap 3: breakpoint instruction fault whi
o kern/121437  net        [vlan] Routing to layer-2 address does not work on VLA
o kern/121555  net        Fatal trap 12: current process = 12 (swi1: net)
o kern/121624  net        [em] [regression] Intel em WOL fails after upgrade to
o kern/121872  net        [wpi] driver fails to attach on a fujitsu-siemens s711
o kern/121983  net        [fxp] fxp0 MBUF and PAE
o kern/122033  net        [ral] Lock order reversal in ral0 at bootup (regressio
o kern/122058  net        [em] [panic] Panic on em1: taskq
o kern/122082  net        [in_pcb] NULL pointer dereference in in_pcbdrop
o kern/122290  net        [netgraph] [panic] Netgraph related "kmem_map too smal
o kern/122427  net        [apm] [panic] apm and mDNSResponder cause panic during

49 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o conf/23063   net        [PATCH] for static ARP tables in rc.network
s bin/41647    net        ifconfig(8) doesn't accept lladdr along with inet addr
o kern/54383   net        [nfs] [patch] NFS root configurations without dynamic
s kern/60293   net        FreeBSD arp poison patch
o kern/64556   net        [sis] if_sis short cable fix problems with NetGear FA3
o kern/77913   net        [wi] [patch] Add the APDL-325 WLAN pccard to wi(4)
o bin/79228    net        [patch] extend /sbin/arp to be able to create blackhol
o kern/93378   net        [tcp] Slow data transfer in Postfix and Cyrus IMAP (wo
o kern/95267   net        packet drops periodically appear
o kern/95277   net        [netinet] [patch] IP Encapsulation mask_match() return
o kern/100519  net        [netisr] suggestion to fix suboptimal network polling
o kern/102035  net        [plip] plip networking disables parallel port printing
o conf/102502  net        [patch] ifconfig name does't rename netgraph node in n
o conf/107035  net        [patch] bridge interface given in rc.conf not taking a
o kern/109470  net        [wi] Orinoco Classic Gold PC Card Can't Channel Hop
o kern/112179  net        [sis] [patch] sis driver for natsemi DP83815D autonego
o bin/112557   net        [patch] ppp(8) lock file should not use symlink name
o kern/114915  net        [patch] [pcn] pcn (sys/pci/if_pcn.c) ethernet driver f
o bin/116643   net        [patch] [request] fstat(1): add INET/INET6 socket deta
o bin/117339   net        [patch] route(8): loading routing management commands
o kern/118727  net        [ng] [patch] [request] add new ng_pf module
a kern/118879  net        [bge] [patch] bge has checksum problems on the 5703 ch
o kern/118975  net        [bge] [patch] Broadcom 5906 not handled by FreeBSD
o bin/118987   net        ifconfig(8): ifconfig -l (address_family) does not wor
o kern/119432  net        [arp] route add -host -iface causes arp e
o kern/119617  net        [nfs] nfs error on wpa network when reseting/shutdown
o kern/119791  net        [nfs] UDP NFS mount of aliased IP addresses from a Sol
o kern/120232  net        [nfe] [patch] Bring in nfe(4) to RELENG_6
o kern/120566  net        [request]: ifconfig(8) make order of arguments more fr
o kern/120958  net        no response to ICMP traffic on interface configured wi
o kern/121242  net        [ate] [patch] Promiscuous mode of if_ate (arm) doesn't
o kern/121257  net        [tcp] TSO + natd -> slow outgoing tcp traffic
o kern/121443  net        [gif] LOR icmp6_input/nd6_lookup
o kern/121706  net        [netinet] [patch] "rtfree: 0xc4383870 has 1 refs" emit
s kern/121774  net        [swi] [panic] 6.3 kernel panic in swi1: net
o kern/122068  net        [ppp] ppp can not set the correct interface with pptpd
o kern/122145  net        error while compiling with device ath_rate_amrr
o kern/122295  net        [bge] bge Ierr rate increase (since 6.0R) (regression)
o kern/122319  net        [wi] imposible to enable ad-hoc demo mode with Orinoco

39 problems total.

From owner-freebsd-net@FreeBSD.ORG Mon Apr 7 13:09:42 2008
From: Bill Moran <wmoran@collaborativefusion.com>
Date: Mon, 7 Apr 2008 08:59:23 -0400
To: Andriy Gapon
Organization: Collaborative Fusion
Cc: freebsd-net@freebsd.org
Subject: Re: arplookup 10.0.0.68 failed: host is not on local network

In response to Andriy Gapon:

> My message log is spammed with thousands of messages like those quoted
> below, to the extent that this could be considered some form of an attack.
> kernel: arplookup 10.0.0.68 failed: host is not on local network
> kernel: arplookup 10.0.0.6 failed: host is not on local network
> kernel: arplookup 10.0.0.68 failed: host is not on local network
> kernel: arplookup 10.0.0.6 failed: host is not on local network
>
> I wasn't there to see how this started, but I was able to monitor a
> little bit of the process and here are my uneducated guesses. Uneducated
> because I didn't examine the sources yet.
>
> There should not be any hosts with 10.0.0.0/24 addresses on this
> network. There are no special routes for it on my machine; outgoing
> packets should go to 'default'.
>
> I suspect that this was triggered when an offending machine sent an arp
> response packet (that was unasked for) to my machine saying that
> 10.0.0.X has MAC address 00:04:61:01:23:45 (note 12345). Or maybe it

That prefix belongs to Epox Computers. Any Epox motherboards on your
network?

> broadcast an arp request asking to tell my MAC address to that machine.
> And I suspect that it tricked the OS into (almost endlessly) trying to
> do an arp lookup for that 10.0.0.X address. But updating the arp table
> failed for the obvious reason. I saw with tcpdump that my machine indeed
> sent arp requests for the 10.0.0.X address.
>
> I see two issues here:
> 1. we should not send arp requests for addresses that are not supposed
>    to be on the local network(s)
> 2. there is no way to disable or throttle the log messages

I suspect this is operator error. You mention no details about your local
network, but I would guess that you have two separate IP ranges on a single
segment.

Has the "attack" ended? If not, grab some tcpdumps and see who's actually
sending those packets.

What IP address does this machine have? What's the network like that it's
connected to?

--
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/
wmoran@collaborativefusion.com
Phone: 412-422-3463x4023

From owner-freebsd-net@FreeBSD.ORG Mon Apr 7 19:30:17 2008
From: Andriy Gapon <avg@icyb.net.ua>
Date: Mon, 07 Apr 2008 22:30:06 +0300
To: Bill Moran
Cc: freebsd-net@freebsd.org
Subject: Re: arplookup 10.0.0.68 failed: host is not on local network
19:30:17 -0000 on 07/04/2008 15:59 Bill Moran said the following: > In response to Andriy Gapon : > >> My message log is spammed with thousands of the messages like quoted >> below to the extent that this could be considered some form of an attack. >> kernel: arplookup 10.0.0.68 failed: host is not on local network >> kernel: arplookup 10.0.0.6 failed: host is not on local network >> kernel: arplookup 10.0.0.68 failed: host is not on local network >> kernel: arplookup 10.0.0.6 failed: host is not on local network >> >> I wasn't there to see how this started, but I was able to monitor a >> little bit of the process and here are my uneducated guesses. Uneducated >> because I didn't examine sources yet. >> >> There should not be any hosts with 10.0.0.0/24 addresses on this >> network. There are no special routes for it on my machine, outgoing >> packets should go to 'default'. >> >> I suspect that this was triggered when an offending machine sent an arp >> response packet (that was unasked for) to my machine saying that >> 10.0.0.X has MAC address 00:04:61:01:23:45 (note 12345). Or maybe it > > That prefix belongs to Epox Computers. Any Epox motherboards on your > network? This is something that I should have started with. This is not an intra-organization LAN, this is so called "home network", where an ISP provides service via ethernet. >> broadcast an arp request asking to tell my MAC address to that machine. >> And I suspect that it tricked the OS into (almost endlessly) trying to >> do an arp lookup for that 10.0.0.X address. But updating arp table >> failed for the obvious reason. I saw with tcpdump that my machine indeed >> sent arp request for 10.0.0.X address. >> >> I see two issues here: >> 1. we should not send arp requests for the addresses that are not >> supposed to be on the local network(s) >> 2. there is no way to disable or throttle the log messages > > I suspect this is operator error. 
You mention no details about your > local network, but I would guess that you have two separate IP ranges > on a single segment. Has the "attack" ended? If not, grab some tcpdumps > and see who's actually sending those packets. > > What IP address does this machine have? What's the network like that > it's connected to? The ISP controls which addresses are on this network. And it might be very well be that this is an operator error indeed. I.e. incorrectly configured network mask for some special service machine. It is not the fact itself that I am concerned about, but how the FreeBSD machine (RELENG_7, btw) responded to it. It seems that everything in norm now, I did some tcpdump-ing just in case and here are some results: 12. 076469 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.19 tell 10.0.0.68 0x0000: 0001 0800 0604 0001 0004 6101 2345 0a00 ..........a.#E.. 0x0010: 0044 0000 0000 0000 0a00 0013 0000 0000 .D.............. 0x0020: 0000 0000 0000 0000 0000 0000 0000 .............. 8. 942133 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.19 tell 10.0.0.68 0x0000: 0001 0800 0604 0001 0004 6101 2345 0a00 ..........a.#E.. 0x0010: 0044 0000 0000 0000 0a00 0013 0000 0000 .D.............. 0x0020: 0000 0000 0000 0000 0000 0000 0000 .............. 12. 124816 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: arp who-has 10.0.0.20 tell 10.0.0.68 0x0000: 0001 0800 0604 0001 0004 6101 2345 0a00 ..........a.#E.. 0x0010: 0044 0000 0000 0000 0a00 0014 0000 0000 .D.............. 0x0020: 0000 0000 0000 0000 0000 0000 0000 .............. In general it seems that 10.0.0.68 does some sort of consecutive scanning of the network, but now it is limited to 10.0.0.0/24 range. No other addresses are queried. I searched through some Russian-language forums and it seems that some MS(r) Virus might be doing that. 
In addition to ARP traffic I've also just sniffed some quite strange packets from the same host: 226632 00:04:61:01:23:45 (oui Unknown) > Broadcast, ethertype Unknown (0x1702), length 293: I guess I should report this to my ISP. -- Andriy Gapon From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 03:56:44 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C5739106566C for ; Tue, 8 Apr 2008 03:56:44 +0000 (UTC) (envelope-from Susan.Lan@zyxel.com.tw) Received: from zyfb01-66.zyxel.com.tw (zyfb01-66.zyxel.com.tw [59.124.183.66]) by mx1.freebsd.org (Postfix) with ESMTP id 678C08FC19 for ; Tue, 8 Apr 2008 03:56:44 +0000 (UTC) (envelope-from Susan.Lan@zyxel.com.tw) Received: from ZyTWBE03.ZyXEL.com ([172.23.5.49]) by zyfb01-66.zyxel.com.tw with Microsoft SMTPSVC(6.0.3790.1830); Tue, 8 Apr 2008 11:56:42 +0800 Received: from zytwfe01.zyxel.com ([172.23.5.5]) by ZyTWBE03.ZyXEL.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 8 Apr 2008 11:56:42 +0800 Received: from [172.23.18.25] ([172.23.18.25]) by zytwfe01.zyxel.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 8 Apr 2008 11:56:42 +0800 Message-ID: <47FAECE5.1070008@zyxel.com.tw> Date: Tue, 08 Apr 2008 11:56:21 +0800 From: blue User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-net@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 08 Apr 2008 03:56:42.0158 (UTC) FILETIME=[8E1794E0:01C8992C] Subject: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0 X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Apr 2008 03:56:44 -0000 Dear all: About the KEY_FREESAV() in key_checkrequest() in key.c: line 806: if (isr->sav 
!= NULL) { KEY_FREESAV(&isr->sav); isr->sav = NULL; } The codes are only going to free the sav used LAST TIME. For outgoing SA entries, the reference count will be always 2, instead of 1 like incoming SA. I thought the proper place to call KEY_FREESAV() should be ipsec6_output_trans() and ipsec6_output_tunnel() after invoking each transform's output function. Then the SA will be freed after its usage rather than being freed if there's next IPsec packet. If the above condition is accpeted, then key_delsp() in key.c should not call KEY_FREESAV() in case SA reference count underflow! BR, blue From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 06:50:56 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C2E9B1065671 for ; Tue, 8 Apr 2008 06:50:56 +0000 (UTC) (envelope-from Susan.Lan@zyxel.com.tw) Received: from zyfb01-66.zyxel.com.tw (zyfb01-66.zyxel.com.tw [59.124.183.66]) by mx1.freebsd.org (Postfix) with ESMTP id 3A3F58FC19 for ; Tue, 8 Apr 2008 06:50:53 +0000 (UTC) (envelope-from Susan.Lan@zyxel.com.tw) Received: from ZyTWBE03.ZyXEL.com ([172.23.5.49]) by zyfb01-66.zyxel.com.tw with Microsoft SMTPSVC(6.0.3790.1830); Tue, 8 Apr 2008 14:50:51 +0800 Received: from zytwfe01.zyxel.com ([172.23.5.5]) by ZyTWBE03.ZyXEL.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 8 Apr 2008 14:50:51 +0800 Received: from [172.23.18.25] ([172.23.18.25]) by zytwfe01.zyxel.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 8 Apr 2008 14:50:51 +0800 Message-ID: <47FB15B7.8080202@zyxel.com.tw> Date: Tue, 08 Apr 2008 14:50:31 +0800 From: blue User-Agent: Mozilla Thunderbird 0.9 (Windows/20041103) X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-net@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 08 Apr 2008 06:50:51.0063 (UTC) FILETIME=[E21FF470:01C89944] Subject: [ipsec] bug report: possible 
memory overwrite for IPv6 IPsec X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Apr 2008 06:50:56 -0000 Dear all: struct secashead defined in keydb.h line 89: /* Security Association Data Base */ struct secashead { LIST_ENTRY(secashead) chain; struct secasindex saidx; struct secident *idents; /* source identity */ struct secident *identd; /* destination identity */ /* XXX I don't know how to use them. */ u_int8_t state; /* MATURE or DEAD. */ LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1]; /* SA chain */ /* The first of this list is newer SA */ struct route sa_route; /* route cache */ }; The last field "sa_route" is "struct route", whose space is not enough for IPv6 address. However, in ipsec6_output_tunnel() in ipsec_output.c, the field could possibly be assigned with an IPv6 address. My suggestion is to enlarge the field as struct route_in6, which could accommodate both IPv4 and IPv6 address. 
BR,
blue

From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 07:40:08 2008
Date: Tue, 8 Apr 2008 07:38:51 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: blue
Cc: freebsd-net@freebsd.org
Subject: Re: [ipsec] KEY_FREESAV() in FreeBSD-Release7.0
Message-ID: <20080408073822.Q66744@maildrop.int.zabbadoz.net>
In-Reply-To: <47FAECE5.1070008@zyxel.com.tw>

On Tue, 8 Apr 2008, blue wrote:

Hi,

> Dear all:
>
> About the KEY_FREESAV() in key_checkrequest() in key.c:
>
> line 806:
> 	if (isr->sav != NULL) {
> 		KEY_FREESAV(&isr->sav);
> 		isr->sav = NULL;
> 	}
>
> The codes are only going to free the sav used LAST TIME. For outgoing SA
> entries, the reference count will always be 2, instead of 1 like incoming SA.
> I thought the proper place to call KEY_FREESAV() should be
> ipsec6_output_trans() and ipsec6_output_tunnel() after invoking each
> transform's output function. Then the SA will be freed after its usage rather
> than being freed if there's a next IPsec packet.
>
> If the above condition is accepted, then key_delsp() in key.c should not call
> KEY_FREESAV() in case of SA reference count underflow!

Can you please file a PR for this as well?

Thanks
--
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 07:40:08 2008
Date: Tue, 8 Apr 2008 07:38:17 +0000 (UTC)
From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
To: blue
Cc: freebsd-net@freebsd.org
Subject: Re: [ipsec] bug report: possible memory overwrite for IPv6 IPsec
Message-ID: <20080408073749.D66744@maildrop.int.zabbadoz.net>
In-Reply-To: <47FB15B7.8080202@zyxel.com.tw>

On Tue, 8 Apr 2008, blue wrote:

> Dear all:
>
> struct secashead defined in keydb.h line 89:
>
> /* Security Association Data Base */
> struct secashead {
> 	LIST_ENTRY(secashead) chain;
>
> 	struct secasindex saidx;
>
> 	struct secident *idents;	/* source identity */
> 	struct secident *identd;	/* destination identity */
> 					/* XXX I don't know how to use them. */
>
> 	u_int8_t state;			/* MATURE or DEAD. */
> 	LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
> 					/* SA chain */
> 					/* The first of this list is newer SA */
>
> 	struct route sa_route;		/* route cache */
> };
>
> The last field "sa_route" is "struct route", whose space is not enough for
> an IPv6 address. However, in ipsec6_output_tunnel() in ipsec_output.c, the
> field could possibly be assigned an IPv6 address.
>
> My suggestion is to enlarge the field to struct route_in6, which could
> accommodate both IPv4 and IPv6 addresses.

Can you please file a PR for this.

Thanks.
--
Bjoern A. Zeeb                          bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
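The size mismatch blue reports (a 28-byte sockaddr_in6 stored in a `struct route` whose `ro_dst` is a 16-byte `struct sockaddr`) can be shown in userland. The following is an added example, not code from the report or from FreeBSD: it uses minimal stand-ins for `struct route` and `struct route_in6` under the hypothetical names `route_v4_cache` and `route_in6_cache`, puts a canary where the next field would sit, and contrasts the unchecked store with a copy that checks the destination length against the field, which is what a `struct route_in6` field makes unnecessary for IPv6.

```c
/*
 * Added example, not FreeBSD code. Shows why an IPv6 destination cached in
 * a route structure whose destination field is a plain struct sockaddr (16
 * bytes) overruns that field, and how a length-checked copy refuses it.
 * Both structs are hypothetical stand-ins for struct route / struct route_in6.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct route_v4_cache {              /* stand-in for struct route */
	void            *ro_rt;      /* would be struct rtentry * */
	struct sockaddr  ro_dst;     /* 16 bytes: sockaddr_in fits, sockaddr_in6 does not */
	unsigned int     canary;     /* whatever field follows in memory */
};

struct route_in6_cache {             /* stand-in for struct route_in6 */
	void                *ro_rt;
	struct sockaddr_in6  ro_dst; /* 28 bytes: holds sockaddr_in or sockaddr_in6 */
	unsigned int         canary;
};

#define CANARY 0xCAFEBABEu

/* Copy dst into a fixed-size field only if it fits: 0 on success, -1 if not. */
static int set_route_dst(void *field, size_t field_len,
    const struct sockaddr *dst, size_t dst_len)
{
	if (dst_len > field_len)
		return (-1);
	memcpy(field, dst, dst_len);
	return (0);
}

/* Constructed test destination (documentation prefix), not from the report. */
static struct sockaddr_in6 make_dst6(void)
{
	struct sockaddr_in6 sin6;
	memset(&sin6, 0, sizeof(sin6));
	sin6.sin6_family = AF_INET6;
	(void)inet_pton(AF_INET6, "2001:db8::1", &sin6.sin6_addr);
	return (sin6);
}

/*
 * The unchecked store the report warns about: 28 bytes land in a 16-byte
 * field and spill into the neighbour. Done through a byte buffer rather than
 * a direct memcpy into ro.ro_dst so the example itself stays defined
 * behaviour while showing which bytes the overrun reaches. Returns 1 when
 * the canary behind the field was overwritten.
 */
int v6_into_route_clobbers_neighbour(void)
{
	struct route_v4_cache ro;
	struct sockaddr_in6 dst6 = make_dst6();
	unsigned char buf[sizeof(ro) + sizeof(dst6)];
	memset(&ro, 0, sizeof(ro));
	ro.canary = CANARY;
	memcpy(buf, &ro, sizeof(ro));
	memcpy(buf + offsetof(struct route_v4_cache, ro_dst), &dst6, sizeof(dst6));
	memcpy(&ro, buf, sizeof(ro));
	return (ro.canary != CANARY);
}

/* Checked copy into the struct route stand-in: the IPv6 destination is refused. */
int v6_into_route_is_refused(void)
{
	struct route_v4_cache ro;
	struct sockaddr_in6 dst6 = make_dst6();
	memset(&ro, 0, sizeof(ro));
	ro.canary = CANARY;
	if (set_route_dst(&ro.ro_dst, sizeof(ro.ro_dst),
	    (const struct sockaddr *)&dst6, sizeof(dst6)) != 0)
		return (ro.canary == CANARY);  /* refused and neighbour intact */
	return (0);
}

/* Checked copy into the struct route_in6 stand-in: the same destination fits. */
int v6_into_route_in6_fits(void)
{
	struct route_in6_cache ro6;
	struct sockaddr_in6 dst6 = make_dst6();
	memset(&ro6, 0, sizeof(ro6));
	ro6.canary = CANARY;
	if (set_route_dst(&ro6.ro_dst, sizeof(ro6.ro_dst),
	    (const struct sockaddr *)&dst6, sizeof(dst6)) != 0)
		return (0);
	return (ro6.canary == CANARY &&
	    memcmp(&ro6.ro_dst, &dst6, sizeof(dst6)) == 0);
}

int main(void)
{
	printf("sizeof(struct sockaddr)=%zu sizeof(struct sockaddr_in6)=%zu\n",
	    sizeof(struct sockaddr), sizeof(struct sockaddr_in6));
	printf("unchecked v6 into route clobbers neighbour: %d\n",
	    v6_into_route_clobbers_neighbour());
	printf("checked v6 into route refused: %d\n", v6_into_route_is_refused());
	printf("checked v6 into route_in6 fits: %d\n", v6_into_route_in6_fits());
	return (0);
}
```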
From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 11:19:08 2008
Date: Tue, 8 Apr 2008 12:19:07 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Yar Tikhiy
Cc: freebsd-net@freebsd.org, luigi@freebsd.org, oleg@freebsd.org
Subject: Re: ipfw uid/gid to match listening TCP sockets?
Message-ID: <20080408121535.D10870@fledge.watson.org>
In-Reply-To: <20080407081400.GA78448@dg.local>

On Mon, 7 Apr 2008, Yar Tikhiy wrote:

> Our ipfw currently doesn't seem to match this host's traffic by uid/gid if
> the traffic goes to a listening TCP socket. E.g., if one tries to allow
> passive data connections to a local anonymous FTP server as follows, it
> won't work:
>
> ipfw add 10000 allow tcp from any to me dst-port 49152-65535 uid ftp in keep-state
>
> This behaviour is obvious from ip_fw2.c:
>
> 2009 		if (proto == IPPROTO_TCP) {
> 2010 			wildcard = 0;
> 2011 			pi = &tcbinfo;
> 2012 		} else if (proto == IPPROTO_UDP) {
> 2013 			wildcard = INPLOOKUP_WILDCARD;
> 2014 			pi = &udbinfo;
> 2015 		} else
> 2016 			return 0;
>
> I.e., it is OK for UDP to match PCBs (essentially sockets) with a wildcard
> foreign (remote) address, but not for TCP.
>
> I wonder if there will be any security or whatever issues if the wildcard
> flag is set for TCP, too. The only peculiarity I can see now is that
> listening sockets shouldn't generate outbound traffic; as soon as a 3-way
> handshake starts, a separate PCB is created. Thus a listening socket can
> match inbound packets only.
>
> Are there any other points I missed? Thanks!

None of this code really makes very much sense anyway, and is vulnerable to
a number of races and semantic inconsistencies, not to mention application
behavior that confuses it (such as sshd's opening forwarded sockets using a
privileged credential). I'm not sure I agree with your analysis that listen
sockets don't generate packets, btw: the syncache generates packets that are
not yet from a specific socket, so arguably they are from the listen socket.
All that said, I don't see any reason not to match listen sockets in the pcb
lookup here.

Be aware that uid/gid/jail rules may become less maintainable as our TCP
locking becomes more mature. We already jump through some uncomfortable
hoops to keep it working, but I'm not sure how long that can go on.
Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 12:43:35 2008
Date: Tue, 8 Apr 2008 16:43:31 +0400
From: "Yar Tikhiy" <yar.tikhiy@gmail.com>
To: "Robert Watson"
Cc: freebsd-net@freebsd.org, luigi@freebsd.org, oleg@freebsd.org
Subject: Re: ipfw uid/gid to match listening TCP sockets?
In-Reply-To: <20080408121535.D10870@fledge.watson.org>
References: <20080407081400.GA78448@dg.local> <20080408121535.D10870@fledge.watson.org>

On Tue, Apr 8, 2008 at 3:19 PM, Robert Watson wrote:
>
> On Mon, 7 Apr 2008, Yar Tikhiy wrote:
>
>> Our ipfw currently doesn't seem to match this host's traffic by uid/gid if
>> the traffic goes to a listening TCP socket. E.g., if one tries to allow
>> passive data connections to a local anonymous FTP server as follows, it
>> won't work:
>>
>> ipfw add 10000 allow tcp from any to me dst-port 49152-65535 uid ftp in keep-state
>>
>> This behaviour is obvious from ip_fw2.c:
>>
>> 2009 		if (proto == IPPROTO_TCP) {
>> 2010 			wildcard = 0;
>> 2011 			pi = &tcbinfo;
>> 2012 		} else if (proto == IPPROTO_UDP) {
>> 2013 			wildcard = INPLOOKUP_WILDCARD;
>> 2014 			pi = &udbinfo;
>> 2015 		} else
>> 2016 			return 0;
>>
>> I.e., it is OK for UDP to match PCBs (essentially sockets) with a wildcard
>> foreign (remote) address, but not for TCP.
>>
>> I wonder if there will be any security or whatever issues if the wildcard
>> flag is set for TCP, too. The only peculiarity I can see now is that
>> listening sockets shouldn't generate outbound traffic; as soon as a 3-way
>> handshake starts, a separate PCB is created. Thus a listening socket can
>> match inbound packets only.
>>
>> Are there any other points I missed? Thanks!
>
> None of this code really makes very much sense anyway, and is vulnerable to
> a number of races and semantic inconsistencies, not to mention application
> behavior that confuses it (such as sshd's opening forwarded sockets using a
> privileged credential). I'm not sure I agree with your analysis that listen
> sockets don't generate packets, btw: the syncache generates packets that are
> not yet from a specific socket, so arguably they are from the listen socket.
> All that said, I don't see any reason not to match listen sockets in the pcb
> lookup here.

Thank you for these points! Matching packets from listen sockets makes
the case even simpler; then it's the matter of changing the "wildcard = 0;"
to "wildcard = INPLOOKUP_WILDCARD;". At least matching listen sockets
doesn't seem to break things not already broken.

> Be aware that uid/gid/jail rules may become less maintainable as our TCP
> locking becomes more mature. We already jump through some uncomfortable
> hoops to keep it working, but I'm not sure how long that can go on.

I've always viewed uid/gid rules as a hack that works for now. In the long
run we may want to consider an API allowing privileged apps to punch holes
in the firewall in a controllable manner. Of course, the API should be
agnostic of the particular firewall type. Then, e.g., ftpd(8) would be able
to open its current passive data port only and to a single remote IP, and
the whole port range wouldn't need to be exposed. Such holes could be
handled as dynamic rules/states so that they don't stay there forever if
the app crashes.
--
Yar

From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 14:06:57 2008
Date: Tue, 8 Apr 2008 15:06:56 +0100 (BST)
From: Robert Watson <rwatson@FreeBSD.org>
To: Yar Tikhiy
Cc: freebsd-net@freebsd.org, luigi@freebsd.org, oleg@freebsd.org
Subject: Re: ipfw uid/gid to match listening TCP sockets?
Message-ID: <20080408150533.Y10870@fledge.watson.org>
References: <20080407081400.GA78448@dg.local> <20080408121535.D10870@fledge.watson.org>

On Tue, 8 Apr 2008, Yar Tikhiy wrote:

>> Be aware that uid/gid/jail rules may become less maintainable as our TCP
>> locking becomes more mature. We already jump through some uncomfortable
>> hoops to keep it working, but I'm not sure how long that can go on.
>
> I've always viewed uid/gid rules as a hack that works for now. In the long
> run we may want to consider an API allowing privileged apps to punch holes
> in the firewall in a controllable manner. Of course, the API should be
> agnostic of the particular firewall type. Then, e.g., ftpd(8) would be able
> to open its current passive data port only and to a single remote IP, and
> the whole port range wouldn't need to be exposed. Such holes could be
> handled as dynamic rules/states so that they don't stay there forever if the
> app crashes.

Once open sourced, we may want to take a look at Apple's new application
level firewall parts, which as I understand it are based (at least in part)
on our MAC Framework. It allows you to bind network rights to specific
applications, although I'm not sure how they accomplish the binding -- be it
via labels on executables, or pattern matching on binary names, or what
exactly.

Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 17:29:05 2008
Date: Tue, 08 Apr 2008 10:29:05 -0700
From: Julian Elischer <julian@elischer.org>
To: Yar Tikhiy
Cc: freebsd-net@freebsd.org, luigi@freebsd.org, oleg@freebsd.org, Robert Watson
Subject: Re: ipfw uid/gid to match listening TCP sockets?
Message-ID: <47FBAB61.2050604@elischer.org>
References: <20080407081400.GA78448@dg.local> <20080408121535.D10870@fledge.watson.org>

Yar Tikhiy wrote:
> On Tue, Apr 8, 2008 at 3:19 PM, Robert Watson wrote:
>>
>> On Mon, 7 Apr 2008, Yar Tikhiy wrote:
>>
>>> Our ipfw currently doesn't seem to match this host's traffic by uid/gid if
>>> the traffic goes to a listening TCP socket. E.g., if one tries to allow
>>> passive data connections to a local anonymous FTP server as follows, it
>>> won't work:
>>>
>>> ipfw add 10000 allow tcp from any to me dst-port 49152-65535 uid ftp in keep-state
>>>
>>> This behaviour is obvious from ip_fw2.c:
>>>
>>> 2009 		if (proto == IPPROTO_TCP) {
>>> 2010 			wildcard = 0;
>>> 2011 			pi = &tcbinfo;
>>> 2012 		} else if (proto == IPPROTO_UDP) {
>>> 2013 			wildcard = INPLOOKUP_WILDCARD;
>>> 2014 			pi = &udbinfo;
>>> 2015 		} else
>>> 2016 			return 0;
>>>
>>> I.e., it is OK for UDP to match PCBs (essentially sockets) with a wildcard
>>> foreign (remote) address, but not for TCP.
>>>
>>> I wonder if there will be any security or whatever issues if the wildcard
>>> flag is set for TCP, too. The only peculiarity I can see now is that
>>> listening sockets shouldn't generate outbound traffic; as soon as a 3-way
>>> handshake starts, a separate PCB is created. Thus a listening socket can
>>> match inbound packets only.
>>>
>>> Are there any other points I missed? Thanks!
>>
>> None of this code really makes very much sense anyway, and is vulnerable to
>> a number of races and semantic inconsistencies, not to mention application
>> behavior that confuses it (such as sshd's opening forwarded sockets using a
>> privileged credential). I'm not sure I agree with your analysis that listen
>> sockets don't generate packets, btw: the syncache generates packets that are
>> not yet from a specific socket, so arguably they are from the listen socket.
>> All that said, I don't see any reason not to match listen sockets in the pcb
>> lookup here.
>
> Thank you for these points! Matching packets from listen sockets makes
> the case even simpler; then it's the matter of changing the "wildcard = 0;"
> to "wildcard = INPLOOKUP_WILDCARD;". At least matching listen sockets
> doesn't seem to break things not already broken.
>
>> Be aware that uid/gid/jail rules may become less maintainable as our TCP
>> locking becomes more mature. We already jump through some uncomfortable
>> hoops to keep it working, but I'm not sure how long that can go on.
>
> I've always viewed uid/gid rules as a hack that works for now. In the long run
> we may want to consider an API allowing privileged apps to punch holes
> in the firewall in a controllable manner. Of course, the API should be agnostic
> of the particular firewall type. Then, e.g., ftpd(8) would be able to
> open its current passive data port only and to a single remote IP, and the
> whole port range wouldn't need to be exposed. Such holes could be handled as
> dynamic rules/states so that they don't stay there forever if the app crashes.

We use these rules in a totally different manner... i.e. so one
'replacement' may not suit all users.. only people that use it in that
manner.

How we use it: transparent redirection for a proxy, where the proxy is
pretending to be the client....

	fwd 127.0.0.1:80 tcp from any 80 to any in recv ${outside_iface} uid ${proxy_uid}

If the proxy has a socket that matches the packet it gets captured, even
if there is no other reason to think it would be local..
From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 18:26:15 2008
From: Martes G Wigglesworth
Organization: M.G.Wigglesworth,LLC
To: "freebsd-net@freebsd.org"
Date: Tue, 08 Apr 2008 14:10:58 -0400
Message-Id: <1207678258.93249.11.camel@localhost>
Subject: Can routed cause interference with hostap and stability of Wireless Connectivity?

I have inquired about this on local lists, however, no one ever seems to
even comprehend what I am asking, so I will inquire here.
When fielding a newer, less resource-rich system as access point/router, I
noticed that after about five minutes of a client securing a good
connection, the ip address of the ath0 device disappeared from the routing
table, and routed began spitting out errors indicating that it could not
find the route, etc...

When this behavior starts/started the connectivity also becomes unstable;
meaning that any client connected to the AP sees the connection fail, and
restore, in a sinusoidal manner. I am using WPA-PSK on hostap, with no
other authentication facilities.

When I killed routed and restored the system to functional levels, there
was no new appearance of the issues with connectivity, or loss of ath0's
ip from the routing table.

Have any other BSD router installs shown such issues? And when should
routed even be used? I was just experimenting with it to see if it would
be useful for any more complex routing environments, however, I never
actually got a chance to research accurate uses of the daemon process,
prior to the issues being seen.

Thanks.
SPECS:
Pentium III 850Mhz
128MB SDRAM
Freebsd-6.3-Stable
Netgear W311 Wireless-G PCI

--
Martes G Wigglesworth
M.G.Wigglesworth,LLC

From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 18:48:51 2008
From: Chuck Swiger
To: martes@mgwigglesworth.com
Cc: "freebsd-net@freebsd.org"
Date: Tue, 8 Apr 2008 11:32:49 -0700
In-Reply-To: <1207678258.93249.11.camel@localhost>
References: <1207678258.93249.11.camel@localhost>
Subject: Re: Can routed cause interference with hostap and stability of Wireless Connectivity?
On Apr 8, 2008, at 11:10 AM, Martes G Wigglesworth wrote:
> When fielding a newer, less resource rich system as access point/
> router, I noticed that after about five minutes of a client securing
> a good connection, the ip address of the ath0 device disappeared from
> the routing table, and routed began spitting out errors indicating
> that it could not find the route, etc...

That sounds like this:

"When started (or when a network interface is later turned on), routed
uses an AF_ROUTE address family facility to find those directly
connected interfaces configured into the system and marked "up". It
adds necessary routes for the interfaces to the kernel routing table.
Soon after being first started, and provided there is at least one
interface on which RIP has not been disabled, routed deletes all
pre-existing non-static routes in kernel table. Static routes in the
kernel table are preserved and included in RIP responses if they have a
valid RIP metric (see route(8))."

> And when should routed even be used?

Do you have a need to perform dynamic routing? Most people don't...a
static route to a default gateway works fine.
--
-Chuck

From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 19:02:30 2008
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-net@FreeBSD.org
Date: Tue, 8 Apr 2008 19:02:30 GMT
Message-Id: <200804081902.m38J2UWI028845@freefall.freebsd.org>
Subject: Re: kern/122582: [re] Realtek RTL8111/8168B nic not supported (no carrier)

Old Synopsis: Realtek RTL8111/8168B nic not supported (no carrier)
New Synopsis: [re] Realtek RTL8111/8168B nic not supported (no carrier)

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Apr 8 19:02:09 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=122582

From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 20:06:08 2008
From: remko@FreeBSD.org
To: Jochen@herr-schmitt.de, remko@FreeBSD.org, freebsd-net@FreeBSD.org
Date: Tue, 8 Apr 2008 20:06:08 GMT
Message-Id: <200804082006.m38K68S0033665@freefall.freebsd.org>
Subject: Re: kern/122582: [re] Realtek RTL8111/8168B nic not supported (no carrier)

Synopsis: [re] Realtek RTL8111/8168B nic not supported (no carrier)

State-Changed-From-To: open->closed
State-Changed-By: remko
State-Changed-When: Tue Apr 8 20:06:08 UTC 2008
State-Changed-Why:
Hello,

I don't feel this is a PR but a general question. When you have an
if_re(4) device (re0 in your ifconfig) that shows that at least the
machine recognized the device. Perhaps you can test this with a cross
cable directly to another machine or something like that.
No carrier mostly means that it didn't detect the link, or that you
didn't plug anything in.

Could you please discuss this on the mailing list (net@FreeBSD.org)
first and get back to me in case this is worth a PR?
(http://lists.freebsd.org/mailman/listinfo/freebsd-net for more
information about the mailing list).

Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=122582

From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 20:47:54 2008
From: vwe@FreeBSD.org
To: vwe@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-net@FreeBSD.org
Date: Tue, 8 Apr 2008 20:47:54 GMT
Message-Id: <200804082047.m38KlsE5038518@freefall.freebsd.org>
Subject: Re: kern/122551: [bge] Broadcom 5715S no carrier on HP BL460c blade using 6.3-RELEASE

Synopsis: [bge] Broadcom 5715S no carrier on HP BL460c blade using 6.3-RELEASE

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: vwe
Responsible-Changed-When: Tue Apr 8 20:47:21 UTC 2008
Responsible-Changed-Why:
Looking like a phy problem.
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=122551

From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 22:12:27 2008
From: vwe@FreeBSD.org
To: vwe@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-net@FreeBSD.org
Date: Tue, 8 Apr 2008 22:12:26 GMT
Message-Id: <200804082212.m38MCQIc044468@freefall.freebsd.org>
Subject: Re: kern/122252: [ipmi] [bge] IPMI problem with BCM5704 (does not work after driver loaded)

Synopsis: [ipmi] [bge] IPMI problem with BCM5704 (does not work after driver loaded)

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: vwe
Responsible-Changed-When: Tue Apr 8 22:12:13 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=122252

From owner-freebsd-net@FreeBSD.ORG Tue Apr 8 22:16:19 2008
From: vwe@FreeBSD.org
To: vwe@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-net@FreeBSD.org
Date: Tue, 8 Apr 2008 22:16:18 GMT
Message-Id: <200804082216.m38MGIfL045775@freefall.freebsd.org>
Subject: Re: kern/121298: [panic] Fatal trap 12: page fault while in kernel mode (em0 taskq)

Synopsis: [panic] Fatal trap 12: page fault while in kernel mode (em0 taskq)

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: vwe
Responsible-Changed-When: Tue Apr 8 22:15:44 UTC 2008
Responsible-Changed-Why:
Sounds network related (if_em).
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=121298

From owner-freebsd-net@FreeBSD.ORG Wed Apr 9 05:52:08 2008
From: blue
To: freebsd-net@freebsd.org
Date: Wed, 09 Apr 2008 13:50:03 +0800
Message-ID: <47FC590B.9010608@zyxel.com.tw>
Subject: [ipsec] Packet Too Big message handling in esp6_ctlinput()

Dear all:

In line 814 to line 843 in esp6_ctlinput(),

	if (cmd == PRC_MSGSIZE) {
		struct secasvar *sav;
		u_int32_t spi;
		int valid;

		/* check header length before using m_copydata */
		if (m->m_pkthdr.len < off + sizeof (struct esp))
			return;
		m_copydata(m, off + offsetof(struct esp, esp_spi),
		    sizeof(u_int32_t), (caddr_t) &spi);

		/*
		 * Check to see if we have a valid SA corresponding to
		 * the address in the ICMP message payload.
		 */
		sav = KEY_ALLOCSA((union sockaddr_union *)sa,
		    IPPROTO_ESP, spi);
		valid = (sav != NULL);
		if (sav)
			KEY_FREESAV(&sav);

		/* XXX Further validation? */

		/*
		 * Depending on whether the SA is "valid" and
		 * routing table size (mtudisc_{hi,lo}wat), we will:
		 * - recalcurate the new MTU and create the
		 *   corresponding routing entry, or
		 * - ignore the MTU change notification.
		 */
		icmp6_mtudisc_update(ip6cp, valid);
	}

I don't know why ESP needs to take care of ICMP Packet Too Big message
specially since icmp6_mtudisc_update() will be called in
icmp6_notify_error(), which will already update the PMTU of the host. I
think the codes here could be removed.

BR,
Yi-Wen

From owner-freebsd-net@FreeBSD.ORG Wed Apr 9 07:35:09 2008
From: "Bjoern A. Zeeb"
To: blue
Cc: freebsd-net@freebsd.org
Date: Wed, 9 Apr 2008 07:31:43 +0000 (UTC)
Message-ID: <20080409072517.Y66744@maildrop.int.zabbadoz.net>
In-Reply-To: <47FC590B.9010608@zyxel.com.tw>
References: <47FC590B.9010608@zyxel.com.tw>
Subject: Re: [ipsec] Packet Too Big message handling in esp6_ctlinput()

On Wed, 9 Apr 2008, blue wrote:

Hi,

> In line 814 to line 843 in esp6_ctlinput(),
> ...
> I don't know why ESP needs to take care of ICMP Packet Too Big message
> specially since icmp6_mtudisc_update() will be called in
> icmp6_notify_error(), which will already update the PMTU of the host. I
> think the codes here could be removed.

I am wondering if the correct solution would be to limit the
ICMP6_PACKET_TOO_BIG handling in icmp6_notify_error() to the non-esp
cases as I think that we would actually only want to update the hc if
there is an SA and it is valid.

Looking at the original KAME repo you can see that the code in
icmp6_notify_error() was done before esp6_ctlinput():

http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/icmp6.c#rev1.43
and
http://www.kame.net/dev/cvsweb2.cgi/kame/kame/sys/netinet6/esp_input.c#rev1.35

What has been there since that time seems bogus for ESP, indeed.

What do you think?

/bz

--
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.
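What the `valid` flag in the quoted esp6_ctlinput() fragment buys, as an added example in C that is neither FreeBSD's code nor the KAME code Bjoern links to: an unauthenticated ICMPv6 Packet Too Big quoting an ESP packet is only allowed to shrink the path-MTU host cache freely when the SPI it carries belongs to a real SA for that destination; otherwise it is honoured only while the cache is below a low-water mark, which is the policy the quoted comment describes. Everything prefixed toy_ is constructed: the SADB stands in for KEY_ALLOCSA(), the hc array and TOY_MTUDISC_LOWAT for the host cache and mtudisc_lowat. The "only lower, never below IPV6_MMTU" checks are this example's own rules, not a claim about what icmp6_mtudisc_update() does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_MMTU          1280u  /* IPv6 minimum link MTU; a path MTU cannot go below it */
#define TOY_MTUDISC_LOWAT  2      /* constructed stand-in for mtudisc_lowat */
#define TOY_HC_SIZE        8

struct toy_sa { const char *dst; uint32_t spi; };   /* outbound ESP SA, constructed */
struct toy_hc { const char *dst; unsigned mtu; };   /* path-MTU host cache entry */

/* Constructed SADB: two SAs to one peer. Any other SPI is "unknown". */
static const struct toy_sa sadb[] = {
    { "2001:db8::10", 0x00001000u },
    { "2001:db8::10", 0x00001001u },
};

static struct toy_hc hc[TOY_HC_SIZE];   /* the "hc" of the discussion, constructed */
static size_t hc_count;

/* Stand-in for KEY_ALLOCSA(sa, IPPROTO_ESP, spi) != NULL. */
int toy_sa_valid(const char *dst, uint32_t spi)
{
    size_t i;
    for (i = 0; i < sizeof sadb / sizeof sadb[0]; i++)
        if (sadb[i].spi == spi && strcmp(sadb[i].dst, dst) == 0)
            return 1;
    return 0;
}

unsigned toy_hc_mtu(const char *dst)    /* cached MTU for dst, 0 if no entry */
{
    size_t i;
    for (i = 0; i < hc_count; i++)
        if (strcmp(hc[i].dst, dst) == 0)
            return hc[i].mtu;
    return 0;
}

void toy_hc_reset(void) { hc_count = 0; }

/* Stand-in for icmp6_mtudisc_update(ip6cp, valid), following the quoted comment:
 * a validated report is always honoured; an unvalidated one only while the
 * cache is below the low-water mark, so unsolicited reports cannot fill it.
 * Example-specific extras: a report may only lower the MTU, never below
 * IPV6_MMTU. Returns 1 if the cache changed. */
int toy_mtudisc_update(const char *dst, unsigned mtu, int valid)
{
    size_t i;

    if (mtu < IPV6_MMTU)
        return 0;
    if (!valid && hc_count >= TOY_MTUDISC_LOWAT)
        return 0;

    for (i = 0; i < hc_count; i++)
        if (strcmp(hc[i].dst, dst) == 0) {
            if (mtu >= hc[i].mtu)
                return 0;
            hc[i].mtu = mtu;
            return 1;
        }
    if (hc_count == TOY_HC_SIZE)
        return 0;
    hc[hc_count].dst = dst;
    hc[hc_count].mtu = mtu;
    hc_count++;
    return 1;
}

/* The PRC_MSGSIZE path of the quoted esp6_ctlinput(): take the SPI the ICMP
 * payload carries, look it up, and let the result gate the cache update. */
int toy_esp6_ptb(const char *dst, uint32_t spi_in_icmp_payload, unsigned mtu)
{
    return toy_mtudisc_update(dst, mtu, toy_sa_valid(dst, spi_in_icmp_payload));
}

int main(void)
{
    toy_hc_reset();
    printf("known SPI 0x1000 to ::10, mtu 1400: %s\n",
           toy_esp6_ptb("2001:db8::10", 0x1000u, 1400) ? "updated" : "ignored");
    printf("unknown SPI to ::20, cache below lowat: %s\n",
           toy_esp6_ptb("2001:db8::20", 0xdeadu, 1400) ? "updated" : "ignored");
    printf("unknown SPI to ::30, cache at lowat:    %s\n",
           toy_esp6_ptb("2001:db8::30", 0xdeadu, 1400) ? "updated" : "ignored");
    return 0;
}
```

Dropping the ESP-specific block, as Yi-Wen proposes, would hand every such report to the generic path with no SA check at all; Bjoern's alternative keeps the check and instead stops icmp6_notify_error() from processing the same report a second time without it.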
From owner-freebsd-net@FreeBSD.ORG Wed Apr 9 08:13:57 2008
From: Anders Nordby
To: s3raphi
Cc: freebsd-net@freebsd.org
Date: Wed, 9 Apr 2008 09:55:52 +0200
Message-ID: <20080409075552.GA19027@fupp.net>
In-Reply-To: <16497816.post@talk.nabble.com>
References: <47D860AC.6030707@freebsd.org> <16497816.post@talk.nabble.com>
Subject: Re: TCP options order changed in FreeBSD 7, incompatible with some routers

Hi,

I had the same problem, and temporarily worked around it by disabling
SACK:

sysctl net.inet.tcp.sack.enable=0

Which solved my problems. It would be interesting to see if this helps
you also?
If so, it seems this issue is related to SACK and TCP order maybe? Hmm.

On Fri, Apr 04, 2008 at 01:14:19PM -0700, s3raphi wrote:
> I upgraded many web servers to FreeBSD 7.0-Release several weeks ago. These
> servers serve hundreds of thousands of users. Since then, we have had many
> users complain that they cannot connect to these servers any more. This was
> a very tricky problem to diagnose, but using packet captures on both the
> servers and the clients who have the problem I ended up with the same
> results as the original poster. The user can ping the server with ICMP. The
> user cannot complete a TCP connection.
> Client sends SYN to server
> Server responds SYN/ACK
> Client packet capture does not show the SYN/ACK arrive.
> Connection fails.
>
> The windows client was running wireshark.
>
> This problem is specific to windows, but also the network it is on or
> devices it goes through. The same user experiencing the problem tried to
> connect using a mac, and the problem does not manifest itself. Both the mac
> and the windows pc were on the same network, behind the same SOHO router,
> same ISP, and talking to the same FreeBSD7.0-RELEASE server.
>
> Baffled by what the problem could have been, I stood up one of the old
> FreeBSD 6.1 servers which had not yet been replaced with FreeBSD7. The user
> has no trouble at all accessing the FreeBSD 6.1 server.
>
> More interesting info:
> -This makes it look like windows:
> Fails: WindowsXPpro PC -> SOHO -> ISP -> Internet -> MyDataCenter -> FreeBSD7
> Works: MacBook -> SOHO -> ISP -> Internet -> MyDataCenter -> FreeBSD7
>
> -This makes it look like the network(router/firewall/etc..):
> If the WindowsPC connects to our office VPN, the connection to the FreeBSD7
> server will work without issue.
>
> The problem is specific to some combination of Windows and networks or
> network devices. I have seen users on many different ISPs, and with many
> different flavors of routers/firewalls.
>
> -The problem only affects a small percentage of our users. Most of our
> Windows users have no issue.
>
> This is a very serious problem for anyone using FreeBSD7 in production as an
> internet facing server as a huge percentage of clients will be windows, and
> a percentage of those users will no longer be able to use your web services.
>
> Can the patch be made available to freebsd-update?
>
> -Seraphi
>
>
> Matt Reimer wrote:
>>
>> On Thu, Mar 20, 2008 at 7:09 PM, d.s. al coda wrote:
>>> On 3/12/08, Andre Oppermann wrote:
>>>
>>>> I'd be very interested to know the exact models and their firmware
>>>> version of the affected routers. If available locally I'd like to
>>>> obtain a similar model myself for future regression tests.
>>>
>>> Here are the models we managed to hear about via email:
>>> D-Link WBR-1310
>>> Linksys WCG200 (with firewall enabled)
>>> Encore Broadband Router
>>> Linksys WAG354G
>>> Ambit U10C019
>>> Netgear CG814GCMR
>>
>> I've seen this on a Netgear CG814WG.
>>
>> Matt
>> _______________________________________________
>> freebsd-net@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-net
>> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>>
>
> --
> View this message in context: http://www.nabble.com/TCP-options-order-changed-in-FreeBSD-7%2C-incompatible-with-some-routers-tp15996110p16497816.html
> Sent from the freebsd-net mailing list archive at Nabble.com.

--
Anders.
From owner-freebsd-net@FreeBSD.ORG Wed Apr 9 08:25:09 2008
From: "Bjoern A. Zeeb"
To: Anders Nordby
Cc: freebsd-net@freebsd.org, s3raphi
Date: Wed, 9 Apr 2008 08:21:38 +0000 (UTC)
Message-ID: <20080409081957.G66744@maildrop.int.zabbadoz.net>
In-Reply-To: <20080409075552.GA19027@fupp.net>
References: <47D860AC.6030707@freebsd.org> <16497816.post@talk.nabble.com> <20080409075552.GA19027@fupp.net>
Subject: Re: TCP options order changed in FreeBSD 7, incompatible with some routers

On Wed, 9 Apr 2008, Anders Nordby wrote:

Hi,

> I had the same problem, and temporarily worked around it by disabling
> SACK:
>
> sysctl net.inet.tcp.sack.enable=0
>
> Which solved my problems. It would be interesting to see if this helps
> you also?

This will hide any of the real problems in most cases, not fix them.

> If so, it seems this issue is related to SACK and TCP order maybe? Hmm.

So you hadn't been following the threads here the last 6 weeks?
7-STABLE already has patches. See my other mails in here....

--
Bjoern A. Zeeb                                 bzeeb at Zabbadoz dot NeT
Software is harder than hardware  so better get it right the first time.
From owner-freebsd-net@FreeBSD.ORG Wed Apr 9 13:31:32 2008
From: Guido van Rooij
To: freebsd-net@freebsd.org
Date: Wed, 9 Apr 2008 15:05:31 +0200
Message-ID: <20080409130531.GA73375@gvr.gvr.org>
Subject: 802.1x for wired networks

What is the best way to be able to have a FreeBSD system connect via
802.1x to a wired network? wpa_supplicant seems to insist on calling
80211 ioctl's and thus fails.

I found the open1x project, but did not find it in the ports tree.
This suggests that perhaps there is a native solution after all, yet
I can't seem to find it.

Any suggestions?
-Guido

From owner-freebsd-net@FreeBSD.ORG Wed Apr 9 14:33:45 2008
Date: Wed, 9 Apr 2008 09:13:24 -0500
From: Brooks Davis
To: Guido van Rooij
Cc: freebsd-net@freebsd.org
Message-ID: <20080409141324.GA43689@lor.one-eyed-alien.net>
In-Reply-To: <20080409130531.GA73375@gvr.gvr.org>
Subject: Re: 802.1x for wired networks

On Wed, Apr 09, 2008 at 03:05:31PM +0200, Guido van Rooij wrote:
> What is the best way to be able to have a FreeBSD system connect
> via 802.1x to a wired network? wpa_supplicant seems to insist on
> calling 802.11 ioctls and thus fails.
>
> I found the open1x project, but did not find it in the ports tree.
> This suggests that perhaps there is a native solution after all, yet
> I can't seem to find it.
>
> Any suggestions?

Sam just committed support to /etc/rc.d/wpa_supplicant in head to set the driver to bsd or wired based on the device media type.

-- Brooks

From owner-freebsd-net@FreeBSD.ORG Wed Apr 9 16:11:05 2008
Date: Wed, 09 Apr 2008 09:11:05 -0700
From: Sam Leffler
Organization: FreeBSD Project
To: Brooks Davis
Cc: freebsd-net@freebsd.org
Message-ID: <47FCEA99.4050000@freebsd.org>
In-Reply-To: <20080409141324.GA43689@lor.one-eyed-alien.net>
Subject: Re: 802.1x for wired networks

Brooks Davis wrote:
> On Wed, Apr 09, 2008 at 03:05:31PM +0200, Guido van Rooij wrote:
>> What is the best way to be able to have a FreeBSD system connect
>> via 802.1x to a wired network? wpa_supplicant seems to insist on
>> calling 802.11 ioctls and thus fails.
>>
>> I found the open1x project, but did not find it in the ports tree.
>> This suggests that perhaps there is a native solution after all, yet
>> I can't seem to find it.
>>
>> Any suggestions?
>
> Sam just committed support to /etc/rc.d/wpa_supplicant in head to set the
> driver to bsd or wired based on the device media type.
>
> -- Brooks

Right; you need to specify -Dwired to get the "wired driver". Note I have no way of testing wired supplicant operation so if it works I'd like to hear about it.
Sam

From owner-freebsd-net@FreeBSD.ORG Wed Apr 9 17:10:03 2008
Date: Wed, 9 Apr 2008 17:10:03 GMT
Message-Id: <200804091710.m39HA3Tj055511@freefall.freebsd.org>
To: freebsd-net@FreeBSD.org
From: Szymon Roczniak
Subject: Re: kern/121298: [em] [panic] Fatal trap 12: page fault while in kernel mode (em0 taskq)

The following reply was made to PR kern/121298; it has been noted by GNATS.

From: Szymon Roczniak
To: bug-followup@FreeBSD.org
Subject: Re: kern/121298: [em] [panic] Fatal trap 12: page fault while in kernel mode (em0 taskq)
Date: Wed, 9 Apr 2008 17:49:00 +0100

A similar problem here (well, at least two out of three kernel dumps look a bit similar). The hardware is a Dell PE2850, running GENERIC (only the file name is different) FreeBSD 7-STABLE as of yesterday (8.04.2008). It's a web/mail server and it's not under heavy load.
server# kgdb /boot/kernel/kernel vm
vmcore.0 vmcore.1 vmcore.2
server# kgdb /boot/kernel/kernel vmcore.0
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
There is no member named pathname.
Reading symbols from /boot/kernel/acpi.ko...Reading symbols from /boot/kernel/acpi.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/acpi.ko
Reading symbols from /boot/kernel/fdescfs.ko...Reading symbols from /boot/kernel/fdescfs.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/fdescfs.ko
Reading symbols from /boot/kernel/pflog.ko...Reading symbols from /boot/kernel/pflog.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/pflog.ko
Reading symbols from /boot/kernel/pf.ko...Reading symbols from /boot/kernel/pf.ko.symbols...done.
done.
Loaded symbols for /boot/kernel/pf.ko
Unread portion of the kernel message buffer:
<6>pid 49337 (megarc), uid 0: exited on signal 11
TPTE at 0xbfc20120  IS ZERO @ VA 08048000
panic: bad pte
cpuid = 1
Uptime: 7h21m35s
Physical memory: 2035 MB
Dumping 275 MB: 260 244 228 212 196 180 164 148 132 116 100 84 68 52 36 20 4

#0  doadump () at pcpu.h:195
195     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xc075b1a7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0xc075b469 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:572
#3  0xc0a509e6 in pmap_remove_pages (pmap=0xc6579a84) at /usr/src/sys/i386/i386/pmap.c:3093
#4  0xc097e07c in vmspace_exit (td=0xc63dc000) at /usr/src/sys/vm/vm_map.c:404
#5  0xc0739c3a in exit1 (td=0xc63dc000, rv=11) at /usr/src/sys/kern/kern_exit.c:294
#6  0xc075d633 in sigexit (td=Variable "td" is not available.
) at /usr/src/sys/kern/kern_sig.c:2877
#7  0xc075e8be in postsig (sig=11) at /usr/src/sys/kern/kern_sig.c:2749
#8  0xc078cd28 in ast (framep=0xe7d82d38) at /usr/src/sys/kern/subr_trap.c:250
#9  0xc0a3c3fd in doreti_ast () at /usr/src/sys/i386/i386/exception.s:290
#10 0xe7d82d38 in ?? ()
#11 0x0000003b in ?? ()
#12 0x0000003b in ?? ()
#13 0x0000003b in ?? ()
#14 0xbfbfe834 in ?? ()
#15 0xbfbfe850 in ?? ()
#16 0xbfbfe2e8 in ?? ()
#17 0xe7d82d64 in ?? ()
#18 0x00000006 in ?? ()
#19 0x00000006 in ?? ()
#20 0x00000000 in ?? ()
#21 0x00000000 in ?? ()
#22 0x0000000c in ?? ()
#23 0x00000004 in ?? ()
#24 0x00000000 in ?? ()
#25 0x00000033 in ?? ()
#26 0x00010292 in ?? ()
#27 0xbfbfe280 in ?? ()
#28 0x0000003b in ?? ()
#29 0x00000000 in ?? ()
#30 0x00000004 in ?? ()
#31 0xbfbfedc8 in ?? ()
#32 0x282d6618 in ?? ()
#33 0x49700000 in ?? ()
#34 0xc0bf09c0 in tdq_cpu ()
#35 0xc63dc1e4 in ?? ()
#36 0xe7d8273c in ?? ()
#37 0xe7d82700 in ?? ()
#38 0x01944ce9 in ?? ()
#39 0xc07786bb in sched_switch (td=Cannot access memory at address 0xbfbfe2f0
) at /usr/src/sys/kern/sched_ule.c:1898
Previous frame inner to this frame (corrupt stack?)
(kgdb)

server# kgdb /boot/kernel/kernel vmcore.1
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
[...]
Loaded symbols for /boot/kernel/pf.ko
Unread portion of the kernel message buffer:
<6>pid 8628 (megarc), uid 0: exited on signal 11


Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 06
fault virtual address   = 0xbfc00000
fault code              = supervisor read, page not present
instruction pointer     = 0x20:0xc0a5096f
stack pointer           = 0x28:0xe7c74a74
frame pointer           = 0x28:0xe7c74ab4
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, def32 1, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 8628 (megarc)
trap number             = 12
panic: page fault
cpuid = 1
Uptime: 2h14m34s
Physical memory: 2035 MB
Dumping 253 MB: 238 222 206 190 174 158 142 126 110 94 78 62 46 30 14

#0  doadump () at pcpu.h:195
195     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xc075b1a7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0xc075b469 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:572
#3  0xc0a54cdc in trap_fatal (frame=0xe7c74a34, eva=3217031168) at /usr/src/sys/i386/i386/trap.c:899
#4  0xc0a54f60 in trap_pfault (frame=0xe7c74a34, usermode=0, eva=3217031168) at /usr/src/sys/i386/i386/trap.c:812
#5  0xc0a5590c in trap (frame=0xe7c74a34) at /usr/src/sys/i386/i386/trap.c:490
#6  0xc0a3badb in calltrap () at /usr/src/sys/i386/i386/exception.s:139
#7  0xc0a5096f in pmap_remove_pages (pmap=0xc569db6c) at /usr/src/sys/i386/i386/pmap.c:3086
#8  0xc097e07c in vmspace_exit (td=0xc62b6660) at /usr/src/sys/vm/vm_map.c:404
#9  0xc0739c3a in exit1 (td=0xc62b6660, rv=11) at /usr/src/sys/kern/kern_exit.c:294
#10 0xc075d633 in sigexit (td=Variable "td" is not available.
) at /usr/src/sys/kern/kern_sig.c:2877
#11 0xc075e8be in postsig (sig=11) at /usr/src/sys/kern/kern_sig.c:2749
#12 0xc078cd28 in ast (framep=0xe7c74d38) at /usr/src/sys/kern/subr_trap.c:250
#13 0xc0a3c3fd in doreti_ast () at /usr/src/sys/i386/i386/exception.s:290
#14 0xe7c74d38 in ?? ()
#15 0x0000003b in ?? ()
#16 0x0000003b in ?? ()
#17 0x0000003b in ?? ()
#18 0xbfbfee90 in ?? ()
#19 0x00000000 in ?? ()
#20 0xbfbfed58 in ?? ()
#21 0xe7c74d64 in ?? ()
#22 0x00000006 in ?? ()
#23 0x00000000 in ?? ()
#24 0x00000000 in ?? ()
#25 0x0809d094 in ?? ()
#26 0x0000000c in ?? ()
#27 0x00000004 in ?? ()
#28 0x0807b261 in ?? ()
#29 0x00000033 in ?? ()
#30 0x00010246 in ?? ()
#31 0xbfbfeb40 in ?? ()
#32 0x0000003b in ?? ()
#33 0x78617270 in ?? ()
#34 0x24007369 in ?? ()
#35 0x78502431 in ?? ()
#36 0x706d4959 in ?? ()
#37 0x17ed4000 in ?? ()
#38 0xc0bf09c0 in tdq_cpu ()
#39 0xc62b6844 in ?? ()
#40 0xe7c746a8 in ?? ()
#41 0xe7c7466c in ?? ()
#42 0x007b355a in ?? ()
#43 0xc07786bb in sched_switch (td=Cannot access memory at address 0xbfbfed60
) at /usr/src/sys/kern/sched_ule.c:1898
Previous frame inner to this frame (corrupt stack?)
(kgdb)

server# kgdb /boot/kernel/kernel vmcore.2
[GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: Undefined symbol "ps_pglobal_lookup"]
GNU gdb 6.1.1 [FreeBSD]
[...]
Loaded symbols for /boot/kernel/pf.ko
Unread portion of the kernel message buffer:
TPTE at 0xbfefeffc  IS ZERO @ VA bfbff000
panic: bad pte
cpuid = 1
Uptime: 7h43m42s
Physical memory: 2035 MB
Dumping 270 MB: 255 239 223 207 191 175 159 143 127 111 95 79 63 47 31 15

#0  doadump () at pcpu.h:195
195     pcpu.h: No such file or directory.
        in pcpu.h
(kgdb) bt
#0  doadump () at pcpu.h:195
#1  0xc075b1a7 in boot (howto=260) at /usr/src/sys/kern/kern_shutdown.c:418
#2  0xc075b469 in panic (fmt=Variable "fmt" is not available.
) at /usr/src/sys/kern/kern_shutdown.c:572
#3  0xc0a509e6 in pmap_remove_pages (pmap=0xc62c3d3c) at /usr/src/sys/i386/i386/pmap.c:3093
#4  0xc097e07c in vmspace_exit (td=0xc608e660) at /usr/src/sys/vm/vm_map.c:404
#5  0xc0739c3a in exit1 (td=0xc608e660, rv=0) at /usr/src/sys/kern/kern_exit.c:294
#6  0xc073af8d in sys_exit (td=Could not find the frame base for "sys_exit".
) at /usr/src/sys/kern/kern_exit.c:98
#7  0xc0a552b5 in syscall (frame=0xe7c65d38) at /usr/src/sys/i386/i386/trap.c:1035
#8  0xc0a3bb40 in Xint0x80_syscall () at /usr/src/sys/i386/i386/exception.s:196
#9  0x00000033 in ?? ()
Previous frame inner to this frame (corrupt stack?)
--
szymon roczniak
simon(a)dischaos.com

From owner-freebsd-net@FreeBSD.ORG Wed Apr 9 19:58:33 2008
Date: Wed, 9 Apr 2008 21:58:31 +0200
From: Guido van Rooij
To: Sam Leffler
Cc: freebsd-net@freebsd.org, Brooks Davis
Message-ID: <20080409195831.GA79835@gvr.gvr.org>
In-Reply-To: <47FCEA99.4050000@freebsd.org>
Subject: Re: 802.1x for wired networks

On Wed, Apr 09, 2008 at 09:11:05AM -0700, Sam Leffler wrote:
> Brooks Davis wrote:
>> On Wed, Apr 09, 2008 at 03:05:31PM +0200, Guido van Rooij wrote:
>>> What is the best way to be able to have a FreeBSD system connect
>>> via 802.1x to a wired network? wpa_supplicant seems to insist on
>>> calling 802.11 ioctls and thus fails.
>>>
>>> I found the open1x project, but did not find it in the ports tree.
>>> This suggests that perhaps there is a native solution after all, yet
>>> I can't seem to find it.
>>>
>>> Any suggestions?
>> Sam just committed support to /etc/rc.d/wpa_supplicant in head to set the
>> driver to bsd or wired based on the device media type.
>> -- Brooks
>
> Right; you need to specify -Dwired to get the "wired driver". Note I have
> no way of testing wired supplicant operation so if it works I'd like to
> hear about it.

I backported the latest wpa_supplicant to FreeBSD 6 but with no luck on an HP ProCurve 2610. What I see is that there seems to be some kind of protocol mismatch. I have no clue if this is due to wpa_supplicant or the ProCurve being non-compliant.

Here's what happens, packet wise:

wpa_supplicant sends an EAPOL start (version 1, type start)
ProCurve sends EAP failure (version 1, type: eap packet (code failure, id: 2))
ProCurve sends EAP request identity (version 1, type: eap packet (code: request, type: identity))

And that's it. wpa_supplicant does not respond. After a timeout, the start EAPOL packet is sent again.

Here's wpa_supplicant output with -dd:

beck# obj/wpa_supplicant -D wired -dd -c /etc/wpa_supplicant.conf -i bge0
Initializing interface 'bge0' conf '/etc/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant.conf' -> '/etc/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group='wheel' (DEPRECATED)
ap_scan=0
eapol_version=1
fast_reauth=1
Line: 14 - start of a new network block
key_mgmt: 0x1
identity - hexdump_ascii(len=4):
     6f 70 65 72                                       oper
password - hexdump_ascii(len=6): [REMOVED]
eapol_flags=0 (0x0)
Priority group 0
   id=0 ssid=''
Initializing interface (2) 'bge0'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
wpa_driver_wired_init: Added multicast membership with SIOCADDMULTI
Own MAC address: 00:19:b9:58:51:22
Setting scan request: 0 sec 100000 usec
ctrl_interface_group=0 (from group name 'wheel')
Added interface bge0
EAPOL: External notification - portControl=Auto
Already associated with a configured network - generating associated event
Association info event
State: DISCONNECTED -> ASSOCIATED
Associated to a new BSS: BSSID=01:80:c2:00:00:03
No keys have been configured - skip key clearing
Network configuration found for the current AP
WPA: No WPA/RSN IE available from association info
WPA: Set cipher suites based on configuration
WPA: Selected cipher suites: group 30 pairwise 24 key_mgmt 1 proto 2
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: using GTK CCMP
WPA: using PTK CCMP
WPA: using KEY_MGMT 802.1X
WPA: Set own WPA IE default - hexdump(len=22): 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 01 00 00
EAPOL: External notification - portControl=Auto
Associated with 01:80:c2:00:00:03
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL - hexdump(len=4): 01 01 00 00
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL - hexdump(len=4): 01 01 00 00
etc.

wpa_supplicant.conf:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
eapol_version=1
fast_reauth=1
network={
        #key_mgmt=IEEE8021X
        key_mgmt=WPA-EAP
        identity="oper"
        password="xxx"
        eapol_flags=0
}

Note that the key_mgmt value seems of no importance to the observed behaviour. It seems to me like the ProCurve is somehow not reacting to the EAPOL start request but immediately enters the EAP phase. I am not sure how to make wpa_supplicant do the same (if at all possible).
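The three-frame exchange described in this message, replayed as an added example (not wpa_supplicant code and not something Guido posted): it decodes EAPOL and EAP headers the way the packet list above reads them, builds the EAPOL-Start whose header is the 01 01 00 00 in the TX hexdump, and produces the Response/Identity a supplicant owes the switch after a Request/Identity. The receive filter accepts frames sent to the PAE group address 01:80:c2:00:00:03 (the BSSID in the log); the switch MAC and the Request/Identity identifier are constructed values, the supplicant MAC and the identity "oper" come from the log and config.

```python
# EAPOL/EAP frame decoder and 802.1X supplicant step. Added example, not
# wpa_supplicant code; the switch MAC and EAP identifier are constructed.
import struct

PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPES = {0: "EAP-Packet", 1: "Start", 2: "Logoff", 3: "Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

def mac(text):
    """'00:19:b9:58:51:22' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def parse(frame):
    """Parse Ethernet + EAPOL header and, for an EAP-Packet, the EAP header."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not EAPOL (ethertype 0x%04x)" % ethertype)
    version, eapol_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) < length:
        raise ValueError("EAPOL body truncated")
    info = {"dst": dst, "src": src, "version": version,
            "eapol_type": eapol_type, "eap": None}
    if eapol_type == 0:  # EAP-Packet: code(1) id(1) length(2) [type(1) data]
        if length < 4:
            raise ValueError("EAP header truncated")
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        if eap_len > length:
            raise ValueError("EAP length exceeds EAPOL body")
        eap = {"code": code, "id": ident, "type": None, "data": b""}
        if code in (1, 2) and eap_len >= 5:  # Request/Response carry a type
            eap["type"] = body[4]
            eap["data"] = body[5:eap_len]
        info["eap"] = eap
    return info

def describe(frame):
    """One-line summary in the style of the packet list above."""
    p = parse(frame)
    text = "EAPOL v%d %s" % (p["version"], EAPOL_TYPES.get(p["eapol_type"], "?"))
    if p["eap"] is not None:
        e = p["eap"]
        text += ": EAP %s id=%d" % (EAP_CODES.get(e["code"], "?"), e["id"])
        if e["type"] == EAP_TYPE_IDENTITY:
            text += " type=Identity"
    return text

def eapol_frame(dst, src, eapol_type, body=b"", version=1):
    """Ethernet header + EAPOL header (version, type, length) + body."""
    hdr = struct.pack("!HBBH", ETHERTYPE_EAPOL, version, eapol_type, len(body))
    return dst + src + hdr + body

def build_eapol_start(src):
    """EAPOL-Start to the PAE group address; its 4-byte EAPOL header is the
    01 01 00 00 seen in the TX EAPOL hexdump."""
    return eapol_frame(PAE_GROUP_MAC, src, 1)

def build_eap(dst, src, code, ident, eap_type=None, data=b""):
    """EAP-Packet (EAPOL type 0) carrying one EAP message."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    eap = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return eapol_frame(dst, src, 0, eap)

def accept_for_pae(frame, own_mac):
    """Receive filter a wired supplicant needs: EAPOL ethertype, addressed
    either to us or to the PAE group address the switch sends to."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return False
    return frame[:6] in (own_mac, PAE_GROUP_MAC)

def supplicant_step(frame, own_mac, identity):
    """Answer an EAP Request/Identity with Response/Identity (same id,
    unicast back to the sender); every other frame gets no reply."""
    if not accept_for_pae(frame, own_mac):
        return None
    p = parse(frame)
    e = p["eap"]
    if e is None or e["code"] != 1 or e["type"] != EAP_TYPE_IDENTITY:
        return None
    return build_eap(p["src"], own_mac, 2, e["id"], EAP_TYPE_IDENTITY, identity)

# Constructed replay of the three frames described above: the switch MAC and
# the Request/Identity id (3) are made up, the supplicant MAC is from the log.
SUPPLICANT_MAC = mac("00:19:b9:58:51:22")
SWITCH_MAC = mac("00:00:00:00:00:01")
EXCHANGE = [
    build_eapol_start(SUPPLICANT_MAC),
    build_eap(PAE_GROUP_MAC, SWITCH_MAC, 4, 2),                     # EAP Failure, id 2
    build_eap(PAE_GROUP_MAC, SWITCH_MAC, 1, 3, EAP_TYPE_IDENTITY),  # Request/Identity
]
if __name__ == "__main__":
    for f in EXCHANGE:
        reply = supplicant_step(f, SUPPLICANT_MAC, b"oper")
        print(describe(f), "->", describe(reply) if reply else "(no reply)")
```

Running it shows the supplicant stays silent on the Failure and answers only the Request/Identity; a frame that fails accept_for_pae (wrong ethertype or a unicast destination that is not ours) is dropped before parsing, which is the symptom Guido sees when the PAE group frames never reach the supplicant.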
-Guido

From owner-freebsd-net@FreeBSD.ORG Wed Apr 9 20:38:41 2008
Date: Wed, 9 Apr 2008 22:38:40 +0200
From: Guido van Rooij
To: Sam Leffler
Cc: freebsd-net@freebsd.org, Brooks Davis
Message-ID: <20080409203840.GA80481@gvr.gvr.org>
In-Reply-To: <20080409195831.GA79835@gvr.gvr.org>
Subject: Re: 802.1x for wired networks

On Wed, Apr 09, 2008 at 09:58:31PM +0200, Guido van Rooij wrote:
>
> wpa_supplicant sends an EAPOL start (version 1, type start)
> ProCurve sends EAP failure (version 1, type: eap packet (code failure, id: 2))
> ProCurve sends EAP request identity (version 1, type: eap packet (code: request,
> type: identity))
>
> And that's it. wpa_supplicant does not respond. After a timeout, the
> start EAPOL packet is sent again.

After some research, it seems that wpa_supplicant is supposed to indeed react to the request identity with a response identity. It does not, however.
I verified that the multicast address as used by the switch is the correct one. On the other hand, it seems that the request identity is not received. I tried debugging and it seems that indeed nothing is received (I assume that reception of packets is handled in eloop.c:eloop_run(), and I see no calling of eloop_sock_table_dispatch() there).

Right now, I can't find the place where a socket is created from which to read the multicast frames.

-Guido

From owner-freebsd-net@FreeBSD.ORG Wed Apr 9 20:43:08 2008
Date: Wed, 09 Apr 2008 13:43:07 -0700
From: Sam Leffler
Organization: FreeBSD Project
To: Guido van Rooij
Cc: freebsd-net@freebsd.org, Brooks Davis
Message-ID: <47FD2A5B.6070706@freebsd.org>
In-Reply-To: <20080409203840.GA80481@gvr.gvr.org>
Subject: Re: 802.1x for wired networks
Guido van Rooij wrote:
> On Wed, Apr 09, 2008 at 09:58:31PM +0200, Guido van Rooij wrote:
>
>> wpa_supplicant sends an EAPOL start (version 1, type start)
>> ProCurve sends EAP failure (version 1, type: eap packet (code failure, id: 2))
>> ProCurve sends EAP request identity (version 1, type: eap packet (code: request,
>> type: identity))
>>
>> And that's it. wpa_supplicant does not respond. After a timeout, the
>> start EAPOL packet is sent again.
>>
>
> After some research, it seems that wpa_supplicant is supposed to indeed
> react to the request identity with a response identity. It does not,
> however. I verified that the multicast address as used by the switch
> is the correct one. On the other hand, it seems that the request identity
> is not received.
> I tried debugging and it seems that indeed nothing is received (I assume
> that reception of packets is handled in eloop.c:eloop_run(),
> and I see no calling of eloop_sock_table_dispatch() there).
>
> Right now, I can't find the place where a socket is created from which
> to read the multicast frames.

I believe it's done w/ bpf and the important change for wired support was to accept mcast frames from the PAE mcast address. Like I said to you privately, you might try this on releng7 where it was tested by someone.
Sam

From owner-freebsd-net@FreeBSD.ORG Thu Apr 10 02:50:43 2008
Date: Wed, 9 Apr 2008 22:50:42 -0400
From: Gary Palmer
To: Pyun YongHyeon
Cc: freebsd-net@freebsd.org
Message-ID: <20080410025042.GA97739@in-addr.com>
Subject: if_vr MFC?

Hi,

Just wondering if if_vr is going to be merged back to RELENG_7 at any point? It's been in CURRENT for about a month at this point, so it should be OK, I think? I've been using your patch against RELENG_7 on a Soekris NET-5501 in testing for a few weeks now, no real traffic but no problems either.
Thanks, Gary From owner-freebsd-net@FreeBSD.ORG Thu Apr 10 07:07:32 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 46F41106566B for ; Thu, 10 Apr 2008 07:07:32 +0000 (UTC) (envelope-from pyunyh@gmail.com) Received: from wf-out-1314.google.com (wf-out-1314.google.com [209.85.200.170]) by mx1.freebsd.org (Postfix) with ESMTP id 1501C8FC1C for ; Thu, 10 Apr 2008 07:07:31 +0000 (UTC) (envelope-from pyunyh@gmail.com) Received: by wf-out-1314.google.com with SMTP id 25so2884789wfa.7 for ; Thu, 10 Apr 2008 00:07:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:received:received:date:from:to:cc:subject:message-id:reply-to:references:mime-version:content-type:content-disposition:in-reply-to:user-agent; bh=WfYzhUj34zv8MlpHEBsTyOAm5d+wJvWOLr/DqkP7pEQ=; b=Ym9BMvoNBpr7iUUK8n+YeSWlFoaabQQp4IwWzwXV5BAS0Y5fQQX2b4OZWY9LScPPTKPF8sg2tPGypLs3oG+MLjL8VjNfty9I94C6HLf8otWX19LXGOjmjHfF/5d782iyRkdsMfFKD+CqkQaq0IRxzXOGqopIiPiZrQ26bcSyU+w= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:reply-to:references:mime-version:content-type:content-disposition:in-reply-to:user-agent; b=vOxyiBayRg4WCX1x1EO9lhBDr4MrSq29qsWgQiLQQkINUR6WuWR6sTaI3vQ4ZrOAHzwXmTkWqWYNuQvhhtGgZ2VdYGLzThTnxphk0Nfn+tyexj89T5cSYuObNmJunLwn6aqadM7DCNurfmfeup84wOXnwM7UVwMuH3zK+eBDuds= Received: by 10.142.82.8 with SMTP id f8mr330768wfb.303.1207811251670; Thu, 10 Apr 2008 00:07:31 -0700 (PDT) Received: from michelle.cdnetworks.co.kr ( [211.53.35.84]) by mx.google.com with ESMTPS id 30sm2201720wfc.6.2008.04.10.00.07.28 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 10 Apr 2008 00:07:30 -0700 (PDT) Received: from michelle.cdnetworks.co.kr (localhost.cdnetworks.co.kr [127.0.0.1]) by michelle.cdnetworks.co.kr (8.13.5/8.13.5) with ESMTP id m3A763m8000926 (version=TLSv1/SSLv3 
cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 10 Apr 2008 16:06:03 +0900 (KST) (envelope-from pyunyh@gmail.com) Received: (from yongari@localhost) by michelle.cdnetworks.co.kr (8.13.5/8.13.5/Submit) id m3A7632G000925; Thu, 10 Apr 2008 16:06:03 +0900 (KST) (envelope-from pyunyh@gmail.com) Date: Thu, 10 Apr 2008 16:06:03 +0900 From: Pyun YongHyeon To: Gary Palmer Message-ID: <20080410070603.GB870@cdnetworks.co.kr> References: <20080410025042.GA97739@in-addr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080410025042.GA97739@in-addr.com> User-Agent: Mutt/1.4.2.1i Cc: freebsd-net@freebsd.org, Pyun YongHyeon Subject: Re: if_vr MFC? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: pyunyh@gmail.com List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Apr 2008 07:07:32 -0000

On Wed, Apr 09, 2008 at 10:50:42PM -0400, Gary Palmer wrote:
> Hi,
>
> Just wondering if if_vr is going to be merged back to RELENG_7 at any
> point? It's been in CURRENT for about a month at this point so it
> should be OK I think? I've been using your patch against RELENG_7
> on a Soekris NET-5501 in testing for a few weeks now, no real traffic
> but no problems either.
>

I'm somewhat busy with other pending work. But I may be able to MFC vr(4) to RELENG_7 in a week. Thanks for reminding me of this.
:-)

> Thanks,
>
> Gary

-- Regards, Pyun YongHyeon From owner-freebsd-net@FreeBSD.ORG Thu Apr 10 10:03:15 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DBD231065681; Thu, 10 Apr 2008 10:03:15 +0000 (UTC) (envelope-from guido@gvr.org) Received: from gvr.gvr.org (gvr-gw.gvr.org [82.95.154.195]) by mx1.freebsd.org (Postfix) with ESMTP id 9F0528FC2B; Thu, 10 Apr 2008 10:03:15 +0000 (UTC) (envelope-from guido@gvr.org) Received: by gvr.gvr.org (Postfix, from userid 657) id F212D42D819; Thu, 10 Apr 2008 12:03:14 +0200 (CEST) Date: Thu, 10 Apr 2008 12:03:14 +0200 From: Guido van Rooij To: Sam Leffler Message-ID: <20080410100314.GA92733@gvr.gvr.org> References: <20080409130531.GA73375@gvr.gvr.org> <20080409141324.GA43689@lor.one-eyed-alien.net> <47FCEA99.4050000@freebsd.org> <20080409195831.GA79835@gvr.gvr.org> <20080409203840.GA80481@gvr.gvr.org> <47FD2A5B.6070706@freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <47FD2A5B.6070706@freebsd.org> Cc: freebsd-net@freebsd.org, Brooks Davis Subject: Re: 802.1x for wired networks X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 10 Apr 2008 10:03:16 -0000

On Wed, Apr 09, 2008 at 01:43:07PM -0700, Sam Leffler wrote:
>
> I believe it's done w/ bpf and the important change for wired support was
> to accept mcast frames from the PAE mcast address. Like I said to you
> privately; you might try this on releng7 where it was tested by someone.

I debugged further and it turns out that my backporting did not include the updated l2_packet.c in the usr.sbin/wpa directory. After updating that file, everything works as expected.
-Guido From owner-freebsd-net@FreeBSD.ORG Fri Apr 11 09:03:39 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 126481065673 for ; Fri, 11 Apr 2008 09:03:39 +0000 (UTC) (envelope-from mjl@luckie.org.nz) Received: from mailfilter5.ihug.co.nz (mailfilter5.ihug.co.nz [203.109.136.5]) by mx1.freebsd.org (Postfix) with ESMTP id B17AA8FC0C for ; Fri, 11 Apr 2008 09:03:38 +0000 (UTC) (envelope-from mjl@luckie.org.nz) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AgoFAGe//kd2XAcy/2dsb2JhbACBXao/ X-IronPort-AV: E=Sophos;i="4.25,640,1199617200"; d="scan'208";a="88958481" Ironport-Content-Filter: send-to-smtp Ironport-OCF: send-to-smtp Received: from 118-92-7-50.dsl.dyn.ihug.co.nz (HELO spandex.luckie.org.nz) ([118.92.7.50]) by smtp.mailfilter5.ihug.co.nz with ESMTP/TLS/DHE-RSA-AES256-SHA; 11 Apr 2008 20:33:42 +1200 Received: from rayon.luckie.org.nz ([192.168.1.25]) by spandex.luckie.org.nz with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from ) id 1JkEhZ-0007U7-Dp for freebsd-net@freebsd.org; Fri, 11 Apr 2008 20:33:41 +1200 Message-ID: <47FF2265.2050308@luckie.org.nz> Date: Fri, 11 Apr 2008 20:33:41 +1200 From: Matthew Luckie User-Agent: Thunderbird 2.0.0.9 (X11/20080129) MIME-Version: 1.0 To: freebsd-net@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: BPF JIT compiler X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Apr 2008 09:03:39 -0000 The existing intel BPF JIT compiler has one flaw. sys/net/bpf_filter.c initialises the A and X registers to zero when called. The just in time compiler does not. 
This means the JIT compiler will behave differently to the interpreter on any filter that does not set the A or X registers before using them.

One approach is to put two additional ops in the procedure header of all compiled filters to zero these registers. This is the easiest thing to do, though it does mean a slower JIT compiler. Another approach is to reject any filter that might use A or X before setting it. This approach is really no different to having code check the filter and conditionally include zero operations if necessary.

Below is a recursive function to check if A or X need to be set in the procedure header. This function would go in bpf_jitter.c and set two additional struct members in bpf_jit_filter to allow the machdep code to do the right thing. To my way of thinking, the bpf_insn_seta, bpf_insn_usea, bpf_insn_setx, bpf_insn_usex functions could perhaps be macros. Of greater concern to me is any policy that may exist on recursion in the kernel.

Comments, please. jkim@ is busy with other things, so if you're interested, please speak up.
static int
bpf_insn_seta(const struct bpf_insn *ins)
{
    /* every load writes A, as does txa */
    if(BPF_CLASS(ins->code) == BPF_LD || ins->code == (BPF_MISC|BPF_TXA))
    {
        return 1;
    }
    return 0;
}

static int
bpf_insn_usea(const struct bpf_insn *ins)
{
    /* all ALU ops, all conditional jumps, ret #A, st and tax read A */
    if(BPF_CLASS(ins->code) == BPF_ALU ||
       (BPF_CLASS(ins->code) == BPF_JMP && BPF_OP(ins->code) != BPF_JA) ||
       ins->code == (BPF_RET|BPF_A) ||
       ins->code == (BPF_ST) ||
       ins->code == (BPF_MISC|BPF_TAX))
    {
        return 1;
    }
    return 0;
}

static int
bpf_insn_setx(const struct bpf_insn *ins)
{
    /* every ldx (including the msh form) writes X, as does tax */
    if(BPF_CLASS(ins->code) == BPF_LDX || ins->code == (BPF_MISC|BPF_TAX))
    {
        return 1;
    }
    return 0;
}

static int
bpf_insn_usex(const struct bpf_insn *ins)
{
    /* ALU/jump with the X source, ld [x+k], stx and txa read X */
    if((BPF_CLASS(ins->code) == BPF_ALU && BPF_SRC(ins->code) == BPF_X) ||
       (BPF_CLASS(ins->code) == BPF_LD && BPF_MODE(ins->code) == BPF_IND) ||
       (BPF_CLASS(ins->code) == BPF_JMP && BPF_SRC(ins->code) == BPF_X) ||
       ins->code == (BPF_STX) ||
       ins->code == (BPF_MISC|BPF_TXA))
    {
        return 1;
    }
    return 0;
}

/*
 * bpf_ax
 *
 * determine if we need to initialise the accumulator and index
 * registers.  *a and *x are 0 while undecided, 1 once the register
 * has been read before being written on some path (it must then be
 * zeroed in the prologue) and 2 once it has been written first.
 */
static void
bpf_ax(const struct bpf_insn *fp, int i, int nins, int *a, int *x)
{
    const struct bpf_insn *ins;
    int a1, a2, x1, x2;

    while(i < nins)
    {
        /* NB: the loop body in the archived copy is garbled; this part is
         * reconstructed from the helpers above and the 0/1/2 convention. */
        ins = &fp[i];

        if(*a == 0)
        {
            if(bpf_insn_usea(ins)) *a = 1;
            else if(bpf_insn_seta(ins)) *a = 2;
        }
        if(*x == 0)
        {
            if(bpf_insn_usex(ins)) *x = 1;
            else if(bpf_insn_setx(ins)) *x = 2;
        }

        if(BPF_CLASS(ins->code) == BPF_RET)
            break;

        if(BPF_CLASS(ins->code) == BPF_JMP)
        {
            if(BPF_OP(ins->code) == BPF_JA)
            {
                bpf_ax(fp, i+1+ins->k, nins, a, x);
            }
            else
            {
                /* a register needs initialising if either arm needs it */
                a1 = a2 = *a; x1 = x2 = *x;
                bpf_ax(fp, i+1+ins->jt, nins, &a1, &x1);
                bpf_ax(fp, i+1+ins->jf, nins, &a2, &x2);
                if(a1 == 1 || a2 == 1) *a = 1; else *a = 0;
                if(x1 == 1 || x2 == 1) *x = 1; else *x = 0;
            }
            break;
        }

        i++;
    }

    if(*a != 1) *a = 0;
    if(*x != 1) *x = 0;
    return;
}

From owner-freebsd-net@FreeBSD.ORG Fri Apr 11 12:24:47 2008 Return-Path: Delivered-To: freebsd-net@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2F2AA106564A for ; Fri, 11 Apr 2008 12:24:47 +0000 (UTC) (envelope-from anders@FreeBSD.org) Received: from fupp.net (totem.fix.no [80.91.36.20]) by mx1.freebsd.org (Postfix) with ESMTP id C6CDE8FC13 for ; Fri, 11 Apr 2008 12:24:46 +0000 (UTC) (envelope-from anders@FreeBSD.org) Received: from localhost (totem.fix.no [80.91.36.20]) by fupp.net (Postfix) with ESMTP id 2453D8DAA4F; Fri, 11 Apr 2008 14:24:45 +0200 (CEST) Received: from fupp.net ([80.91.36.20]) by localhost (totem.fix.no [80.91.36.20]) (amavisd-new, port 10024) with LMTP id bIx6XSC3BMY2; Fri, 11 Apr 2008 14:24:44 +0200 (CEST) Received: by fupp.net (Postfix, from userid 1000) id B21328DAA47; Fri, 11 Apr 2008 14:24:44 +0200 (CEST) Date: Fri, 11 Apr 2008 14:24:44 +0200 From: Anders Nordby To: "Bjoern A.
Zeeb" , freebsd-net@FreeBSD.org Message-ID: <20080411122444.GA24519@fupp.net> References: <47D860AC.6030707@freebsd.org> <16497816.post@talk.nabble.com> <20080409075552.GA19027@fupp.net> <20080409082153.W66744@maildrop.int.zabbadoz.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20080409082153.W66744@maildrop.int.zabbadoz.net> X-PGP-Key: http://anders.fix.no/pgp/ X-PGP-Key-FingerPrint: 1E0F C53C D8DF 6A8F EAAD 19C5 D12A BC9F 0083 5956 User-Agent: Mutt/1.5.17 (2007-11-01) Cc: Subject: Re: TCP options order changed in FreeBSD 7, incompatible with some routers X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Apr 2008 12:24:47 -0000 Hi, On Wed, Apr 09, 2008 at 08:23:13AM +0000, Bjoern A. Zeeb wrote: >> I had the same problem, and temporarily worked around it by disabling >> SACK: > ok, here we go... > > as I had explained on freebsd-net@ lately there had been 2 changes to > possibly fix this issue. > > I am currently in the process to find out which of the two is actually > needed and which of the two prior versions caused the problems. > > I have a testbed setup and will have it running for another day or so. > > So could you try to reproduce your problems with the following three > servers (if you could ask your affected customers to test and > report back to you that would be highly appreciated as well). I just got access to a remote PC which has the problem, finally. It runs Windows 2000, service pack 4. > Simply open the following URLs in a browser is enough. If you can > see the pages, fine. If you cannot, tell me which worked, which > didn't. > > http://tcptest1.sbone.de/ This URL does not work, I get "siden kan ikke vises" (page can not be displayed in Norwegian). 
> http://tcptest2.sbone.de/

This URL works fine, I get the FreeBSD 7.0 TCP options test page.

> http://tcptest3.sbone.de/

This URL does not work, I get "siden kan ikke vises" (page can not be displayed in Norwegian).

> I have a tcpdump running on my side so all connections will be fully
> logged.

Good. Your patch on http://sources.zabbadoz.net/freebsd/patchset/20080309-01-tcp-options-padding.diff fixes the problem for me, with SACK still being on as it is by default. I would be very happy if this fix could find its way to RELENG_7_0 and errata. Thanks a lot!

Cheers, -- Anders. From owner-freebsd-net@FreeBSD.ORG Fri Apr 11 12:35:15 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6E8DB1065670 for ; Fri, 11 Apr 2008 12:35:15 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from mail.cksoft.de (mail.cksoft.de [62.111.66.27]) by mx1.freebsd.org (Postfix) with ESMTP id 1DFA88FC15 for ; Fri, 11 Apr 2008 12:35:15 +0000 (UTC) (envelope-from bzeeb-lists@lists.zabbadoz.net) Received: from localhost (amavis.str.cksoft.de [192.168.74.71]) by mail.cksoft.de (Postfix) with ESMTP id 76B6E41C7A9 for ; Fri, 11 Apr 2008 14:35:13 +0200 (CEST) X-Virus-Scanned: amavisd-new at cksoft.de Received: from mail.cksoft.de ([62.111.66.27]) by localhost (amavis.str.cksoft.de [192.168.74.71]) (amavisd-new, port 10024) with ESMTP id HdPILNyAM03o for ; Fri, 11 Apr 2008 14:35:13 +0200 (CEST) Received: by mail.cksoft.de (Postfix, from userid 66) id 0B72741C7A6; Fri, 11 Apr 2008 14:35:13 +0200 (CEST) Received: from maildrop.int.zabbadoz.net (maildrop.int.zabbadoz.net [10.111.66.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.int.zabbadoz.net (Postfix) with ESMTP id 151F64448FA for ; Fri, 11 Apr 2008 12:35:08 +0000 (UTC) Date: Fri, 11 Apr 2008 12:35:08 +0000 (UTC) From: "Bjoern A.
Zeeb" X-X-Sender: bz@maildrop.int.zabbadoz.net To: freebsd-net@FreeBSD.org In-Reply-To: <20080411122444.GA24519@fupp.net> Message-ID: <20080411123206.B66744@maildrop.int.zabbadoz.net> References: <47D860AC.6030707@freebsd.org> <16497816.post@talk.nabble.com> <20080409075552.GA19027@fupp.net> <20080409082153.W66744@maildrop.int.zabbadoz.net> <20080411122444.GA24519@fupp.net> X-OpenPGP-Key: 0x14003F198FEFA3E77207EE8D2B58B8F83CCF1842 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: Subject: Re: TCP options order changed in FreeBSD 7, incompatible with some routers X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Apr 2008 12:35:15 -0000 On Fri, 11 Apr 2008, Anders Nordby wrote: Hi, in case you did not receive a private mail from me please do not go to any of the mentioned urls or you will make a one week data collection worthless. Thank you. PS: the webservers will go away within a few hours anyway... >> Simply open the following URLs in a browser is enough. If you can >> see the pages, fine. If you cannot, tell me which worked, which >> didn't. >> >> http://tcptest1.sbone.../ >> http://tcptest2.sbone.../ >> http://tcptest3.sbone.../ -- Bjoern A. Zeeb bzeeb at Zabbadoz dot NeT Software is harder than hardware so better get it right the first time. 
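Picking up Matthew Luckie's "BPF JIT compiler" message earlier in this digest: what follows is an added example, not Matthew's code and not FreeBSD's bpf_jitter.c. It answers the same question (can the filter read A or X before writing it on some path?) with a backward liveness pass iterated to a fixed point instead of recursion, which sidesteps the kernel-recursion concern he raised, and it rejects jumps that leave the program the way bpf_validate() does. The opcode values are the classic BPF encoding from net/bpf.h; REG_A, REG_X, bpf_uninit_regs() and the three sample filters are this example's own.

```c
/* Added example, not FreeBSD's bpf_jitter.c and not Matthew's code: the
 * "is A or X read before it is written?" check done as an iterative backward
 * liveness pass, so the kernel needs no recursion. Opcode values follow the
 * classic BPF encoding of net/bpf.h; the rest is invented for this example. */
#include <stdint.h>

struct bpf_insn { uint16_t code; uint8_t jt; uint8_t jf; uint32_t k; };

enum {  /* classic BPF opcode fields, values as in net/bpf.h */
    BPF_LD = 0, BPF_LDX = 1, BPF_ST = 2, BPF_STX = 3, BPF_ALU = 4, BPF_JMP = 5,
    BPF_RET = 6, BPF_MISC = 7, BPF_W = 0x00, BPF_H = 0x08, BPF_IMM = 0x00,
    BPF_ABS = 0x20, BPF_IND = 0x40, BPF_JA = 0x00, BPF_JEQ = 0x10, BPF_K = 0x00,
    BPF_X = 0x08, BPF_A = 0x10, BPF_TAX = 0x00, BPF_TXA = 0x80 };
#define BPF_CLASS(c)  ((c) & 0x07)
#define BPF_MODE(c)   ((c) & 0xe0)
#define BPF_OP(c)     ((c) & 0xf0)
#define BPF_SRC(c)    ((c) & 0x08)
#define BPF_RVAL(c)   ((c) & 0x18)
#define BPF_MISCOP(c) ((c) & 0xf8)
#define REG_A 1
#define REG_X 2
#define MAX_INSNS 512           /* BPF_MAXINSNS in FreeBSD's net/bpf.h */

static int insn_uses(const struct bpf_insn *p)  /* registers read */
{
    int c = p->code, x = (BPF_SRC(c) == BPF_X) ? REG_X : 0;
    switch (BPF_CLASS(c)) {
    case BPF_ALU:  return REG_A | x;                          /* A op= k/x */
    case BPF_JMP:  return BPF_OP(c) == BPF_JA ? 0 : (REG_A | x);
    case BPF_RET:  return BPF_RVAL(c) == BPF_A ? REG_A : 0;
    case BPF_ST:   return REG_A;
    case BPF_STX:  return REG_X;
    case BPF_LD:   return BPF_MODE(c) == BPF_IND ? REG_X : 0;  /* ld [x+k] */
    case BPF_MISC: return BPF_MISCOP(c) == BPF_TAX ? REG_A : REG_X;
    default:       return 0;
    }
}

static int insn_defs(const struct bpf_insn *p)  /* registers written */
{
    switch (BPF_CLASS(p->code)) {
    case BPF_LD: case BPF_ALU: return REG_A;
    case BPF_LDX:              return REG_X;
    case BPF_MISC: return BPF_MISCOP(p->code) == BPF_TAX ? REG_X : REG_A;
    default:       return 0;
    }
}

/* Successors of insn i (-1 = none). Returns -1 if a target leaves the program. */
static int successors(const struct bpf_insn *fp, int i, int n, int *s1, int *s2)
{
    int c = fp[i].code;
    *s1 = *s2 = -1;
    if (BPF_CLASS(c) == BPF_RET) return 0;
    if (BPF_CLASS(c) != BPF_JMP) *s1 = i + 1;
    else if (BPF_OP(c) == BPF_JA) *s1 = i + 1 + (int)fp[i].k;
    else { *s1 = i + 1 + fp[i].jt; *s2 = i + 1 + fp[i].jf; }
    return ((unsigned)*s1 >= (unsigned)n || *s2 >= n) ? -1 : 0;
}

/* live[i] = registers some path from insn i reads before writing, solved
 * backwards to a fixed point. live[0] is what a JIT prologue must zero to
 * agree with bpf_filter(). Returns a REG_A|REG_X mask, or -1 if malformed. */
int bpf_uninit_regs(const struct bpf_insn *fp, int n)
{
    int use[MAX_INSNS], def[MAX_INSNS], live[MAX_INSNS], i, s1, s2, changed;
    if (n <= 0 || n > MAX_INSNS) return -1;
    for (i = 0; i < n; i++) {
        if (successors(fp, i, n, &s1, &s2) < 0) return -1;
        use[i] = insn_uses(&fp[i]);
        def[i] = insn_defs(&fp[i]);
        live[i] = 0;
    }
    do {
        changed = 0;
        for (i = n - 1; i >= 0; i--) {
            int out = 0, in;
            successors(fp, i, n, &s1, &s2);   /* out = union of successors' in */
            if (s1 >= 0) out |= live[s1];
            if (s2 >= 0) out |= live[s2];
            in = use[i] | (out & ~def[i]);
            if (in != live[i]) { live[i] = in; changed = 1; }
        }
    } while (changed);                        /* sets only grow, so this ends */
    return live[0];
}

/* Constructed sample filters, with the mask bpf_uninit_regs() yields. */
const struct bpf_insn demo_ret_a[] = { { BPF_RET|BPF_A, 0, 0, 0 } };  /* REG_A */
const struct bpf_insn demo_ip[] = {     /* tcpdump's "ip": 0, both set first */
    { BPF_LD|BPF_H|BPF_ABS, 0, 0, 12 }, { BPF_JMP|BPF_JEQ|BPF_K, 0, 1, 0x0800 },
    { BPF_RET|BPF_K, 0, 0, 65535 },     { BPF_RET|BPF_K, 0, 0, 0 } };
const struct bpf_insn demo_join[] = {   /* X set on the taken branch only: REG_X */
    { BPF_LD|BPF_H|BPF_ABS, 0, 0, 12 }, { BPF_JMP|BPF_JEQ|BPF_K, 0, 1, 0x0800 },
    { BPF_LDX|BPF_W|BPF_IMM, 0, 0, 4 }, { BPF_MISC|BPF_TXA, 0, 0, 0 },
    { BPF_RET|BPF_A, 0, 0, 0 } };
#define NINSN(f) ((int)(sizeof(f) / sizeof((f)[0])))
```

Calling bpf_uninit_regs(demo_ret_a, NINSN(demo_ret_a)) gives REG_A, the "ip" filter gives 0, and demo_join gives REG_X because the jf arm reaches txa without ever writing X. The machdep prologue then only needs a zeroing op for the registers named in the mask, which keeps the common case (A loaded before the first compare) as fast as the current JIT output while making it agree with bpf_filter() on the odd filter.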
From owner-freebsd-net@FreeBSD.ORG Sat Apr 12 06:22:56 2008 Return-Path: Delivered-To: net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3CFA6106567B for ; Sat, 12 Apr 2008 06:22:56 +0000 (UTC) (envelope-from eugen@kuzbass.ru) Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.freebsd.org (Postfix) with ESMTP id AECE08FC15 for ; Sat, 12 Apr 2008 06:22:54 +0000 (UTC) (envelope-from eugen@kuzbass.ru) Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1]) by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id m3C6MpAV002846 for ; Sat, 12 Apr 2008 14:22:51 +0800 (KRAST) (envelope-from eugen@www.svzserv.kemerovo.su) Received: (from eugen@localhost) by www.svzserv.kemerovo.su (8.13.8/8.13.8/Submit) id m3C6MpYL002845 for net@freebsd.org; Sat, 12 Apr 2008 14:22:51 +0800 (KRAST) (envelope-from eugen) Date: Sat, 12 Apr 2008 14:22:51 +0800 From: Eugene Grosbein To: net@freebsd.org Message-ID: <20080412062251.GA2199@svzserv.kemerovo.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.2.3i Cc: Subject: bpf does not see packets forwarded with ipfw fwd X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Apr 2008 06:22:56 -0000

Hi!

One of the 7.0 users has reported in some Cyrillic newsgroup a problem that I have reproduced in my 7.0-STABLE system. That is: tcpdump does not show locally originated outgoing IP packets that were processed by an 'ipfw fwd' rule. The same configuration presents no problems with 6.3-STABLE.

Consider a simple scheme: two FreeBSD boxes (A and B) directly connected with Ethernet interfaces.
The box A has another Ethernet interface and uses "ipfw fwd" as its very first ipfw rule to forward some packets to B, while these packets would normally go out through the other interface mentioned. Now, tcpdump does NOT show outgoing packets but host B also runs tcpdump on its incoming interface and does see them.

I double-checked all parameters for tcpdump, all routing tables. I even connected A and B with a cross-over Ethernet cable, without a switch. Still, B sees incoming packets coming over the cable and A does not see them leaving. This bothers me a bit :-)

Eugene Grosbein From owner-freebsd-net@FreeBSD.ORG Sat Apr 12 11:18:00 2008 Return-Path: Delivered-To: net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 61E84106566B for ; Sat, 12 Apr 2008 11:18:00 +0000 (UTC) (envelope-from alireza.torabi@gmail.com) Received: from wa-out-1112.google.com (wa-out-1112.google.com [209.85.146.182]) by mx1.freebsd.org (Postfix) with ESMTP id 452038FC0A for ; Sat, 12 Apr 2008 11:18:00 +0000 (UTC) (envelope-from alireza.torabi@gmail.com) Received: by wa-out-1112.google.com with SMTP id k17so839459waf.3 for ; Sat, 12 Apr 2008 04:18:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=1tx0wGVN/VJ+E11dmM+MuBXosspfFF7nwj7Zt4t+slo=; b=mMF03jVk3ubHfy6PejxMog9NQ/OIWAURIj4GRksrJvRdaMInM0ELgs7tOnsaZ8dUUjr1RETtSZRLT6aGfsfwGdTh9zHG63QFf0Y/cY7tIuO+2ZwzVcrblbwru4FVU4OBDsXFPK/hGUo0zdfXs3sBriTfjvOe2PLMxCflTQfXvJY= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
b=hMS5QrMpYr0X61OCTdncVOZCNR1+BrlX9FIEuorB8yoVkGhxFH9K8XtByOygYYOV4jBoOrTPFO5Hv6WcHLbUrdO/59R9clO92cywKcuzJuw6CVxIrC3Jc++O8JL0f7/9+prp7WmSOMR+rMcytzs9ZrrGlvF/c093nfnOzn3oSoQ= Received: by 10.114.194.1 with SMTP id r1mr4686248waf.40.1207997580786; Sat, 12 Apr 2008 03:53:00 -0700 (PDT) Received: by 10.115.17.16 with HTTP; Sat, 12 Apr 2008 03:53:00 -0700 (PDT) Message-ID: Date: Sat, 12 Apr 2008 11:53:00 +0100 From: "Alireza Torabi" To: "Eugene Grosbein" In-Reply-To: <20080412062251.GA2199@svzserv.kemerovo.su> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <20080412062251.GA2199@svzserv.kemerovo.su> Cc: net@freebsd.org Subject: Re: bpf does not see packets forwarded with ipfw fwd X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Apr 2008 11:18:00 -0000

Is BIOCFEEDBACK set?

On Sat, Apr 12, 2008 at 7:22 AM, Eugene Grosbein wrote:
> Hi!
>
> One of the 7.0 users has reported in some Cyrillic newsgroup
> a problem that I have reproduced in my 7.0-STABLE system.
> That is: tcpdump does not show locally originated outgoing IP packets
> that were processed by an 'ipfw fwd' rule. The same configuration presents
> no problems with 6.3-STABLE.
>
> Consider a simple scheme: two FreeBSD boxes (A and B) directly connected
> with Ethernet interfaces. The box A has another Ethernet interface and uses
> "ipfw fwd" as its very first ipfw rule to forward some packets to B,
> while these packets would normally go out through the other
> interface mentioned. Now, tcpdump does NOT show outgoing packets but host B also
> runs tcpdump on its incoming interface and does see them.
>
> I double-checked all parameters for tcpdump, all routing tables.
> I even connected A and B with a cross-over Ethernet cable, without a switch.
> Still, B sees incoming packets coming over the cable and A does not see > them leaving. This bothers me a bit :-) > > Eugene Grosbein > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" > From owner-freebsd-net@FreeBSD.ORG Sat Apr 12 12:43:14 2008 Return-Path: Delivered-To: net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DB04E106564A for ; Sat, 12 Apr 2008 12:43:14 +0000 (UTC) (envelope-from eugen@kuzbass.ru) Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.freebsd.org (Postfix) with ESMTP id 368D88FC1F for ; Sat, 12 Apr 2008 12:43:13 +0000 (UTC) (envelope-from eugen@kuzbass.ru) Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1]) by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id m3CChA5i035170; Sat, 12 Apr 2008 20:43:10 +0800 (KRAST) (envelope-from eugen@www.svzserv.kemerovo.su) Received: (from eugen@localhost) by www.svzserv.kemerovo.su (8.13.8/8.13.8/Submit) id m3CChAQG035168; Sat, 12 Apr 2008 20:43:10 +0800 (KRAST) (envelope-from eugen) Date: Sat, 12 Apr 2008 20:43:10 +0800 From: Eugene Grosbein To: Alireza Torabi Message-ID: <20080412124310.GA35111@svzserv.kemerovo.su> References: <20080412062251.GA2199@svzserv.kemerovo.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i Cc: net@freebsd.org Subject: Re: bpf does not see packets forwarded with ipfw fwd X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Apr 2008 12:43:14 -0000 On Sat, Apr 12, 2008 at 11:53:00AM +0100, Alireza Torabi wrote: > Is 
BIOCFEEDBACK set? What's that and how to check it? Eugene Grosbein From owner-freebsd-net@FreeBSD.ORG Sat Apr 12 12:50:17 2008 Return-Path: Delivered-To: net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B10201065670 for ; Sat, 12 Apr 2008 12:50:17 +0000 (UTC) (envelope-from alireza.torabi@gmail.com) Received: from wa-out-1112.google.com (wa-out-1112.google.com [209.85.146.180]) by mx1.freebsd.org (Postfix) with ESMTP id 91D238FC0C for ; Sat, 12 Apr 2008 12:50:17 +0000 (UTC) (envelope-from alireza.torabi@gmail.com) Received: by wa-out-1112.google.com with SMTP id k17so874790waf.3 for ; Sat, 12 Apr 2008 05:50:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; bh=Ulo57gqxVN07tcDMpcXsAyX2UR9hz2UmE20OEsGvkhg=; b=F2cohtBzd3GxVWogyaztKxE7B1AT2CaU8AfY+TdWUJU5iAMn2yQrdulF7REubAHndVgQ4+6VoXAjszQtFesNztqvvbTdQncmbCuOJXvdxU8OebbXoHVm5PBkyfAFh2KHLTcxo0OzZpNfM3ALoReXhS34DNtEz4x6//askjyZx5E= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=HpNPHR/WhLfEcqey8lpvZFwkNwpCS0zEZdXRutx3p/JbstgjdU8U6ZTVaoQ5xJ6ZS/JhSYeb+SSbrH25MV37eXcS5kEbZ5CsHU+W4IK0nBZUCKCeMQHhUuMYu7G5NWDIg6L0hTEVHQ+t0FPYbcibdb2j2ESeJlnbC6s3R1uAxjA= Received: by 10.114.81.1 with SMTP id e1mr4771566wab.11.1208004617052; Sat, 12 Apr 2008 05:50:17 -0700 (PDT) Received: by 10.115.17.16 with HTTP; Sat, 12 Apr 2008 05:50:17 -0700 (PDT) Message-ID: Date: Sat, 12 Apr 2008 13:50:17 +0100 From: "Alireza Torabi" To: "Eugene Grosbein" In-Reply-To: <20080412124310.GA35111@svzserv.kemerovo.su> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit 
Content-Disposition: inline References: <20080412062251.GA2199@svzserv.kemerovo.su> <20080412124310.GA35111@svzserv.kemerovo.su> Cc: net@freebsd.org Subject: Re: bpf does not see packets forwarded with ipfw fwd X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Apr 2008 12:50:17 -0000 It'll be in tcpdump code where it sets up BPF. It's a new IOCTL in 7 BPF. Is your tcpdump source up to date? On Sat, Apr 12, 2008 at 1:43 PM, Eugene Grosbein wrote: > On Sat, Apr 12, 2008 at 11:53:00AM +0100, Alireza Torabi wrote: > > > Is BIOCFEEDBACK set? > > What's that and how to check it? > > Eugene Grosbein > From owner-freebsd-net@FreeBSD.ORG Sat Apr 12 12:59:33 2008 Return-Path: Delivered-To: net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 097E6106564A for ; Sat, 12 Apr 2008 12:59:33 +0000 (UTC) (envelope-from eugen@kuzbass.ru) Received: from www.svzserv.kemerovo.su (www.svzserv.kemerovo.su [213.184.65.80]) by mx1.freebsd.org (Postfix) with ESMTP id 582D18FC18 for ; Sat, 12 Apr 2008 12:59:32 +0000 (UTC) (envelope-from eugen@kuzbass.ru) Received: from www.svzserv.kemerovo.su (eugen@localhost [127.0.0.1]) by www.svzserv.kemerovo.su (8.13.8/8.13.8) with ESMTP id m3CCxUIo036803; Sat, 12 Apr 2008 20:59:30 +0800 (KRAST) (envelope-from eugen@www.svzserv.kemerovo.su) Received: (from eugen@localhost) by www.svzserv.kemerovo.su (8.13.8/8.13.8/Submit) id m3CCxToo036802; Sat, 12 Apr 2008 20:59:29 +0800 (KRAST) (envelope-from eugen) Date: Sat, 12 Apr 2008 20:59:29 +0800 From: Eugene Grosbein To: Alireza Torabi Message-ID: <20080412125929.GA36759@svzserv.kemerovo.su> References: <20080412062251.GA2199@svzserv.kemerovo.su> <20080412124310.GA35111@svzserv.kemerovo.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii 
Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i Cc: net@freebsd.org Subject: Re: bpf does not see packets forwarded with ipfw fwd X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Apr 2008 12:59:33 -0000 On Sat, Apr 12, 2008 at 01:50:17PM +0100, Alireza Torabi wrote: > It'll be in tcpdump code where it sets up BPF. It's a new IOCTL in 7 BPF. How to check? > Is your tcpdump source up to date? I use stock tcpdump that comes with 7.0-STABLE. Eugene Grosbein From owner-freebsd-net@FreeBSD.ORG Sat Apr 12 16:42:44 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0B2A3106564A for ; Sat, 12 Apr 2008 16:42:44 +0000 (UTC) (envelope-from tmm@fastmail.fm) Received: from out1.smtp.messagingengine.com (out1.smtp.messagingengine.com [66.111.4.25]) by mx1.freebsd.org (Postfix) with ESMTP id CE1018FC16 for ; Sat, 12 Apr 2008 16:42:43 +0000 (UTC) (envelope-from tmm@fastmail.fm) Received: from compute2.internal (compute2.internal [10.202.2.42]) by out1.messagingengine.com (Postfix) with ESMTP id 62FEBECC07 for ; Sat, 12 Apr 2008 12:27:10 -0400 (EDT) Received: from heartbeat1.messagingengine.com ([10.202.2.160]) by compute2.internal (MEProxy); Sat, 12 Apr 2008 12:27:10 -0400 X-Sasl-enc: w/v+prkZYslqAj91EbjM0oOHwtd8xYpje7ONjACb1+oo 1208017630 Received: from [192.168.11.4] (bas4-toronto46-1279334009.dsl.bell.ca [76.65.22.121]) by mail.messagingengine.com (Postfix) with ESMTPSA id F2331D5E2 for ; Sat, 12 Apr 2008 12:27:09 -0400 (EDT) Message-ID: <4800E2D5.20107@fastmail.fm> Date: Sat, 12 Apr 2008 12:27:01 -0400 From: tmm User-Agent: Thunderbird 2.0.0.12 (Windows/20080213) MIME-Version: 1.0 To: freebsd-net@freebsd.org Content-Type: text/plain; charset=windows-1252; 
format=flowed Content-Transfer-Encoding: 8bit Subject: Howto send a limited broadcast? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Apr 2008 16:42:44 -0000

Hi.

I'm using the FreeBSD network stack (on top of the eCos embedded OS), and I want to send a limited broadcast (a broadcast with destination IP of 255.255.255.255). Normally (I believe) the stack will only send a broadcast like this if there is no subnet mask set on the interface, or an all zeros mask (this is how bootp/dhcp work). Once I set a normal subnet mask, the stack will change my broadcasts into subnet broadcasts, e.g. 192.168.0.255. In my situation the interface is active, so I can't just remove the netmask - I must find another way to send the limited broadcast.

When the interface gets set up with IP and netmask it creates a default broadcast address. If I override this and set it to 255.255.255.255 (using SIOCSIFBRDADDR), then it will try to send my limited broadcast as is, rather than changing it into a subnet broadcast. Unfortunately this fails, because there is no route available that matches this destination. Okay, so just add a route? But when I try to add a route that would match 255.255.255.255 it gets rejected – it is not valid for the interface as currently configured.

The next step – which I would rather avoid - is to modify the ip code. If the SO_DONTROUTE/IP_ROUTETOIF flag is set then you only need a route in order to pick an interface, not for any actual routing. So, I could add some code to manually pick an interface (even though none really match my destination address). But I’d rather avoid changing the code.

So, can anyone suggest how I can send a limited broadcast (on an interface that has been initialized with an IP and a subnet)?

Thanks for any suggestions.

Tom.
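For Tom's question, an added example (not his code, and not part of the eCos or FreeBSD stack): the FreeBSD stack's own answer to this is the IP_ONESBCAST socket option documented in ip(4). With SO_BROADCAST set on the socket, a datagram sent to the interface's directed broadcast address (say 192.168.0.255) is emitted with destination 255.255.255.255; the directed address is what selects the interface, so no route for 255.255.255.255 is needed and the netmask stays in place. Whether the eCos import of the stack includes IP_ONESBCAST is not verified here, so the code compiles either way and shows the fallback. directed_bcast(), open_limited_bcast_socket(), send_limited_bcast() and the addresses and port are this example's own.

```c
/* Added example, not Tom's code and not part of the eCos or FreeBSD stack.
 * FreeBSD's answer to the limited-broadcast problem is IP_ONESBCAST (ip(4)):
 * with SO_BROADCAST set, a datagram sent to an interface's *directed*
 * broadcast goes out with destination 255.255.255.255. The directed address
 * selects the interface, so no route for 255.255.255.255 is required.
 * Assumption: the eCos import may predate IP_ONESBCAST; the #else branches
 * show what is left without it. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Directed (subnet) broadcast for addr/mask, both in host byte order. */
uint32_t directed_bcast(uint32_t addr, uint32_t mask)
{
    return (addr & mask) | ~mask;
}

/* UDP socket prepared for limited broadcast; -1 on error. */
int open_limited_bcast_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), on = 1;

    if (fd < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &on, sizeof on) < 0)
        goto fail;
#ifdef IP_ONESBCAST
    /* FreeBSD: directed-broadcast destinations leave as 255.255.255.255 */
    if (setsockopt(fd, IPPROTO_IP, IP_ONESBCAST, &on, sizeof on) < 0)
        goto fail;
#endif
    return fd;
fail:
    close(fd);
    return -1;
}

/* Send buf as a limited broadcast out of the interface holding ifaddr/mask. */
int send_limited_bcast(int fd, uint32_t ifaddr, uint32_t mask, uint16_t port,
                       const void *buf, size_t len)
{
    struct sockaddr_in dst;

    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
#ifdef IP_ONESBCAST
    /* e.g. 192.168.0.255 here; the kernel rewrites it to 255.255.255.255 */
    dst.sin_addr.s_addr = htonl(directed_bcast(ifaddr, mask));
#else
    /* Without IP_ONESBCAST the stack needs a route covering 255.255.255.255,
     * which is exactly the problem described above. */
    (void)ifaddr; (void)mask;
    dst.sin_addr.s_addr = htonl(INADDR_BROADCAST);
#endif
    return sendto(fd, buf, len, 0, (struct sockaddr *)&dst, sizeof dst) < 0 ? -1 : 0;
}

int main(void)
{
    static const char probe[] = "hello";   /* constructed payload */
    int fd = open_limited_bcast_socket();  /* 192.168.0.4/24, port 9999: made up */

    if (fd < 0 || send_limited_bcast(fd, 0xc0a80004u, 0xffffff00u, 9999,
                                     probe, sizeof probe) < 0)
        perror("limited broadcast");
    if (fd >= 0)
        close(fd);
    return 0;
}
```

On FreeBSD, a tcpdump on the chosen interface shows the datagram leaving with destination 255.255.255.255 while ifconfig still reports the normal netmask and broadcast address, which is the combination Tom was after; the SIOCSIFBRDADDR and route tricks are not needed. The #else path is the pre-IP_ONESBCAST behaviour and will fail with ENETUNREACH on a stack that insists on a matching route.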
From owner-freebsd-net@FreeBSD.ORG Sat Apr 12 17:50:43 2008
From: david robertson
Date: Sat, 12 Apr 2008 13:23:33 -0400
To: freebsd-net@freebsd.org
Subject: bridge interface down, yet still bridging?

I've got an issue that only crops up every so often (every few months), and it's theoretically impossible.

I've got two FreeBSD 6.2 firewalls in a failover state, using bridging (I don't control .1, and don't have a choice). I use ifstated and carp to monitor which one is master, and which is slave. The slave has the bridge0 interface down, and the master has it up.

On to the issue: Last night the problem came back, the network looped via the bridges, even though the bridge interface on the backup failover was in a 'down' state. The loop was verified by our hosting company: the two uplink ports that the firewalls are in were doing the exact same amount of traffic inbound and outbound - definitely a loop. As soon as they disabled one of the firewall ports, everything went back to normal. At this point, I verified the bridge interface was in fact down on the failover firewall. Hosting company turned the port back on, and blam - loop.

Has anyone ever come across this specific issue before?

From owner-freebsd-net@FreeBSD.ORG Sat Apr 12 18:10:39 2008
From: Robert Watson
Date: Sat, 12 Apr 2008 19:10:38 +0100 (BST)
To: Eugene Grosbein
Cc: net@freebsd.org
Message-ID: <20080412190939.O7693@fledge.watson.org>
In-Reply-To: <20080412062251.GA2199@svzserv.kemerovo.su>
References: <20080412062251.GA2199@svzserv.kemerovo.su>
Subject: Re: bpf does not see packets forwarded with ipfw fwd

On Sat, 12 Apr 2008, Eugene Grosbein wrote:

> One of 7.0 users has reported in some cyrillic newsgroup a problem that I
> have reproduced in my 7.0-STABLE system. That is: tcpdump does not show
> locally originated outgoing IP packets that were processed by 'ipfw fwd'
> rule. The same configuration presents no problems with 6.3-STABLE.
>
> Consider simple schema: two FreeBSD boxes (A and B) directly connected with
> ethernet interfaces. The box A has another ethernet interface and uses "ipfw
> fwd" as its very first ipfw rule to forward some packets to B, while these
> packets would normally go out through mentioned another interface. Now,
> tcpdump does NOT show outgoing packets but host B also runs tcpdump on its
> incoming interface and does see them.
>
> I double-checked all parameters for tcpdump, all routing tables. I even
> connected A and B with cross-over ethernet cable, without a switch. Still, B
> sees incoming packets coming over the cable and A does not see them leaving.
> This bothers me a bit :-)

If you ping from host A to host B, does tcpdump see both the ICMP echo request and reply on both boxes? In principle, ipfw fwd uses the same output paths as the rest of the IP stack, so it would be useful to know whether it sees other outbound traffic properly or not.
Robert N M Watson
Computer Laboratory
University of Cambridge

From owner-freebsd-net@FreeBSD.ORG Sat Apr 12 18:25:32 2008
From: Eugene Grosbein
Date: Sun, 13 Apr 2008 02:25:28 +0800
To: Robert Watson
Cc: net@FreeBSD.org
Message-ID: <20080412182528.GA77159@svzserv.kemerovo.su>
In-Reply-To: <20080412190939.O7693@fledge.watson.org>
References: <20080412062251.GA2199@svzserv.kemerovo.su> <20080412190939.O7693@fledge.watson.org>
Subject: Re: bpf does not see packets forwarded with ipfw fwd

On Sat, Apr 12, 2008 at 07:10:38PM +0100, Robert Watson wrote:

> If you ping from host A to host B, does tcpdump see both the ICMP echo
> request and reply on both boxes? In principle, ipfw fwd uses the same
> output paths as the rest of the IP stack, so it would be useful to know
> whether it sees other outbound traffic properly or not.

Yes, it does. It sees outbound traffic that is not processed with 'ipfw fwd'.
That's so funny:

1) A has IP 10.58.0.2/24 and B has 10.58.0.1/24. From A, I start to ping
   10.58.0.1; tcpdump shows requests and replies.

2) I add a rule: "ipfw add 5 fwd 10.58.0.1 from any to 10.58.0.1"
   ping continues to run OK, ipfw shows that the rule matches packets
   (counters increase) but now tcpdump shows only replies. No requests.

Very funny.

Eugene Grosbein

From owner-freebsd-net@FreeBSD.ORG Sat Apr 12 22:53:39 2008
From: Christopher Cowart
Date: Sat, 12 Apr 2008 15:36:45 -0700
To: net@freebsd.org
Message-ID: <20080412223645.GN81568@hal.rescomp.berkeley.edu>
Organization: RSSP-IT, UC Berkeley
Subject: Redirect functionality in ng_nat
Hello,

I'm running a 7.0-RELEASE machine. I've backported the 7-STABLE for ng_nat, because I'm really interested in the static NAT features from libalias.

ng_nat(4) says:

| NGM_NAT_REDIRECT_ADDR (redirectaddr)
|     Redirect traffic for public IP address to a machine on the local
|     network. This function is known as static NAT. The following
|     struct ng_nat_redirect_addr must be supplied as argument.
|
|     struct ng_nat_redirect_addr {
|         struct in_addr local_addr;
|         struct in_addr alias_addr;
|         char description[NG_NAT_DESC_LENGTH];
|     };
|
|     Unique ID for this redirection is returned as response to this
|     message.

I'm a little confused on exactly how to pass a struct as a message to a netgraph node via ngctl. What am I missing here?

Thanks,

-- 
Chris Cowart
Network Technical Lead
Network & Infrastructure Services, RSSP-IT
UC Berkeley

From owner-freebsd-net@FreeBSD.ORG Sat Apr 12 23:37:46 2008
From: "Bruce M. Simpson"
Date: Sun, 13 Apr 2008 00:37:43 +0100
To: tmm
Cc: freebsd-net@freebsd.org
Message-ID: <480147C7.6090107@FreeBSD.org>
In-Reply-To: <4800E2D5.20107@fastmail.fm>
References: <4800E2D5.20107@fastmail.fm>
Subject: Re: Howto send a limited broadcast?

tmm wrote:

> So, can anyone suggest how I can send a limited broadcast (on an
> interface that has been initialized with an IP and a subnet)?

Use the IP_ONESBCAST option and send to the network broadcast address for that subnet. The stack will change it into 255.255.255.255 on output. See the man page ip(4) for details.

It's a hack, but it's largely due to how the stack has worked historically.

BMS
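The following is an added example putting BMS's answer to Tom's question into code; it is not code from the thread, from eCos or from FreeBSD's own sources. The application computes the subnet-directed broadcast for the interface it wants to use (that address picks the interface and route), sends to it with SO_BROADCAST and IP_ONESBCAST set, and the FreeBSD stack rewrites the wire destination to 255.255.255.255. The interface address 192.168.0.10/24 and UDP port 9 are assumed sample values. IP_ONESBCAST exists only on FreeBSD and its derivatives, so the block guards it with #ifdef; elsewhere the socket is still built, have_onesbcast() reports 0, and the packet would go out as an ordinary directed broadcast.

```c
/*
 * Added example: limited broadcast via IP_ONESBCAST, as described in
 * BMS's reply. Not code from the thread or from FreeBSD.
 * Interface address/mask and port below are assumed sample values.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Directed broadcast address for addr/mask; all values in network byte order. */
uint32_t directed_broadcast(uint32_t addr, uint32_t mask)
{
    return addr | ~mask;
}

/* Same on dotted-quad strings; returns 1 on success, 0 on bad input. */
int directed_broadcast_str(const char *addr, const char *mask,
                           char *out, size_t outlen)
{
    struct in_addr a, m, b;
    if (inet_pton(AF_INET, addr, &a) != 1 || inet_pton(AF_INET, mask, &m) != 1)
        return 0;
    b.s_addr = directed_broadcast(a.s_addr, m.s_addr);
    return inet_ntop(AF_INET, &b, out, outlen) != NULL;
}

/* 1 if this system defines IP_ONESBCAST (FreeBSD), else 0. */
int have_onesbcast(void)
{
#ifdef IP_ONESBCAST
    return 1;
#else
    return 0;
#endif
}

/*
 * UDP socket prepared for a limited broadcast. SO_BROADCAST is required to
 * send to any broadcast address at all; IP_ONESBCAST tells the stack to
 * rewrite the directed-broadcast destination to 255.255.255.255 on output.
 * Returns the descriptor, or -1 with errno set.
 */
int open_limited_broadcast_socket(void)
{
    int on = 1;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, &on, sizeof on) < 0) {
        close(fd);
        return -1;
    }
#ifdef IP_ONESBCAST
    if (setsockopt(fd, IPPROTO_IP, IP_ONESBCAST, &on, sizeof on) < 0) {
        close(fd);
        return -1;
    }
#endif
    return fd;
}

/*
 * Send buf out of the interface configured as ifaddr/mask. The address
 * passed to sendto() is that subnet's directed broadcast, which is what
 * selects the interface; with IP_ONESBCAST the packet leaves with
 * destination 255.255.255.255. Returns bytes sent or -1.
 */
ssize_t send_limited_broadcast(int fd, const char *ifaddr, const char *mask,
                               unsigned short port, const void *buf, size_t len)
{
    struct in_addr a, m;
    struct sockaddr_in dst;
    if (inet_pton(AF_INET, ifaddr, &a) != 1 || inet_pton(AF_INET, mask, &m) != 1) {
        errno = EINVAL;
        return -1;
    }
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
    dst.sin_addr.s_addr = directed_broadcast(a.s_addr, m.s_addr);
    return sendto(fd, buf, len, 0, (struct sockaddr *)&dst, sizeof dst);
}

int main(void)
{
    /* Assumed sample interface configuration; adjust for the real host. */
    const char *ifaddr = "192.168.0.10", *mask = "255.255.255.0";
    const char msg[] = "limited-broadcast probe";
    char bcast[INET_ADDRSTRLEN];
    int fd = open_limited_broadcast_socket();
    if (fd < 0) { perror("socket"); return 1; }
    directed_broadcast_str(ifaddr, mask, bcast, sizeof bcast);
    printf("sending via %s (%s IP_ONESBCAST)\n", bcast,
           have_onesbcast() ? "with" : "without");
    if (send_limited_broadcast(fd, ifaddr, mask, 9, msg, sizeof msg) < 0)
        perror("sendto");
    close(fd);
    return 0;
}
```

Note that the option only rewrites the destination; the interface choice still comes from the directed-broadcast address matching a connected route, which is exactly the route lookup Tom's 255.255.255.255 destination could not satisfy. Verify the result with tcpdump on the receiving side rather than trusting the sender, since a missing SO_BROADCAST fails at sendto() but a missing IP_ONESBCAST silently sends a directed broadcast instead.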