From owner-freebsd-net@FreeBSD.ORG Sun May 7 20:45:12 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BDC9116A43D for ; Sun, 7 May 2006 20:45:12 +0000 (UTC) (envelope-from yamamoto436@oki.com)
Received: from iscan1.intra.oki.co.jp (okigate.oki.co.jp [202.226.91.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7EF9E43D8D for ; Sun, 7 May 2006 20:44:53 +0000 (GMT) (envelope-from yamamoto436@oki.com)
Received: from aoi.bmc.oki.co.jp (IDENT:root@localhost.localdomain [127.0.0.1]) by iscan1.intra.oki.co.jp (8.9.3/8.9.3) with SMTP id FAA27524 for ; Mon, 8 May 2006 05:44:51 +0900
Received: (qmail 12377 invoked from network); 8 May 2006 05:44:52 +0900
Received: from tulip.bmc.oki.co.jp (172.19.236.119) by aoi.bmc.oki.co.jp with SMTP; 8 May 2006 05:44:52 +0900
Received: from localhost (tulip.bmc.oki.co.jp [172.19.236.119]) by tulip.bmc.oki.co.jp (8.13.6/8.13.6) with ESMTP id k47Kipus061730; Mon, 8 May 2006 05:44:51 +0900 (JST) (envelope-from yamamoto436@oki.com)
Date: Mon, 08 May 2006 05:44:51 +0900 (JST)
Message-Id: <20060508.054451.41688849.yamamoto436@oki.com>
To: freebsd-net@freebsd.org, freebsd-pf@freebsd.org
From: Hideki Yamamoto
X-Mailer: Mew version 4.2 on Emacs 21.3 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc:
Subject: IPv6 raw socket to send original udp
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 07 May 2006 20:45:15 -0000

Hi,

I tried to use pf as a traffic shaper for a streaming server, but it does not work well. The input to pf is bursty packets within around 20 msec, but it is not bursty within around 100 msec or longer. This traffic pattern is a feature of the streaming server.

As pf does not work well, I am thinking of designing an original shaper command on a bridge-like FreeBSD box; the command will receive the server packets via libpcap, shape them and then send them constantly to another device. To send packets from the bridge-like FreeBSD box, I plan to use a RAW IPv6 socket. However, in my small experiment it does not seem good: the IP_HDRINCL option does not work. I wonder if the IPv6 raw socket can be used only for ICMPv6. I would like to use an IPv6 raw socket for original UDP packets.

Thanks in advance.

Hideki Yamamoto
--

From owner-freebsd-net@FreeBSD.ORG Mon May 8 04:04:28 2006
Message-ID: <445EC341.60406@freebsd.org>
Date: Sun, 07 May 2006 21:04:17 -0700
From: "Bruce A. Mah"
To: Ed Schouten
Cc: Interlink Beheer , FreeBSD Net
References: <20060506172742.GM15353@hoeg.nl>
In-Reply-To: <20060506172742.GM15353@hoeg.nl>
Subject: Re: nd6_lookup prints bogus messages with point to point devices

If memory serves me right, Ed Schouten wrote:
> On one of the FreeBSD machines we maintain at Dispuut Interlink[1], we
> get a lot of messages like these:
>
> | nd6_lookup: failed to add route for a neighbor(), errno=17
>
> The addresses mentioned in the messages are all addresses of endpoint
> addresses of point-to-point devices. The nd6_lookup() call in the
> function nd6_output() is responsible for it. If you look through
> nd6_output(), you see that a couple of lines below the nd6_lookup() call
> it doesn't really care when dealing with IFF_POINTOPOINT devices.
>
> It would be really useful to drop the messages when dealing with point
> to point devices, so I wrote a patch[2] for nd6_lookup() to make it
> print the message only when not dealing with IFF_POINTOPOINT devices.
>
> Should I open a PR for this patch?

I think that suz@ and ume@ are the people who have worked in this area
most recently, hopefully one of them will speak up.

You didn't give a lot of details...please give (at a minimum) the version of FreeBSD you're using and more details about the interface over which you're having this problem.

I saw this on RELENG_6 sometime after some IPv6 ND changes that were merged in late last year. I have a gif(4) tunnel to my ISP over which I do IPv6. The GIF tunnel was originally configured as a point-to-point interface and I got the same messages you mentioned. My workaround was to configure the gif(4) interface as a /127, which was obviously only possible because the two interface addresses on each end of the tunnel just happened to differ only in their least-significant bits. (I know this isn't the right solution.)

Bruce.

From owner-freebsd-net@FreeBSD.ORG Mon May 8 06:58:43 2006
Date: Mon, 8 May 2006 08:58:41 +0200
From: Ed Schouten
To: "Bruce A. Mah"
Cc: FreeBSD Net
Message-ID: <20060508065841.GN15353@hoeg.nl>
References: <20060506172742.GM15353@hoeg.nl> <445EC341.60406@freebsd.org>
In-Reply-To: <445EC341.60406@freebsd.org>
Subject: Re: nd6_lookup prints bogus messages with point to point devices

Hello Bruce,

* Bruce A. Mah wrote:
> I think that suz@ and ume@ are the people who have worked in this area
> most recently, hopefully one of them will speak up. You didn't give a
> lot of details...please give (at a minimum) the version of FreeBSD
> you're using and more details about the interface over which you're
> having this problem.
>
> I saw this on RELENG_6 sometime after some IPv6 ND changes that were
> merged in late last year. I have a gif(4) tunnel to my ISP over which I
> do IPv6. The GIF tunnel was originally configured as a point-to-point
> interface and I got the same messages you mentioned. My workaround was
> to configure the gif(4) interface as a /127, which was obviously only
> possible because the two interface addresses on each end of the tunnel
> just happened to differ only in their least-significant bits. (I know
> this isn't the right solution.)

I'm seeing the messages on the machine in Eindhoven (running RELENG_6 from a few days/weeks ago), but they also show up on my HEAD machine at home.

Below is the output of `ifconfig gif0` on my machine at home:

| gif0: flags=8051 mtu 1280
|         tunnel inet 83.181.147.170 --> 193.109.122.244
|         inet6 fe80::202:a5ff:fe58:4927%gif0 prefixlen 64 scopeid 0x7
|         inet6 2001:7b8:310::1 --> 2001:7b8:2ff:a4::1 prefixlen 128

As far as I know, the latest FreeBSD releases show an error message when assigning an address with a non-128 prefixlen.

--
Ed Schouten
WWW: http://g-rave.nl/

From owner-freebsd-net@FreeBSD.ORG Mon May 8 11:02:45 2006
Date: Mon, 8 May 2006 11:02:30 GMT
Message-Id: <200605081102.k48B2UJq048352@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-net@FreeBSD.org
Cc:
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems
S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2006/01/30]  kern/92552  net   A serious bug in most network drivers fro
f [2006/02/12]  kern/93220  net   [inet6] nd6_lookup: failed to add route f

2 problems total.

Non-critical problems
S Submitted     Tracker     Resp. Description
-------------------------------------------------------------------------------
o [2003/07/11]  kern/54383  net   [nfs] [patch] NFS root configurations wit
o [2006/04/03]  kern/95267  net   packet drops periodically appear

2 problems total.

From owner-freebsd-net@FreeBSD.ORG Mon May 8 22:01:03 2006
Date: Mon, 8 May 2006 17:01:01 -0500
From: David DeSimone
To: freebsd-net@freebsd.org
Message-ID: <20060508220101.GA15248@verio.net>
Subject: IPSEC Interop problem with Cisco using multiple SA's

I am having a problem establishing peering between my FreeBSD 6.0 gateway and a Cisco device, using IPSEC. The peering works fine if there is only one subnet behind the remote gateway, but it fails when there is more than one subnet. I believe the FreeBSD side is failing to be as strict with the Security Associations being negotiated. More details below:

========================
Basic info:

Gateway 1: Cisco 7200VXR
  IP: 1.2.3.4
  Subnets: 10.11.11.0/24
           10.22.22.0/24

Gateway 2: FreeBSD 6.0-RELEASE
  IP: 4.3.2.1
  Subnet: 10.99.99.0/24

========================
Cisco config:

interface GigabitEthernet0/1
 ip address 1.2.3.4 255.255.255.0
 crypto map IPSEC

crypto map IPSEC local-address GigabitEthernet0/1

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86000
crypto isakmp key address 4.3.2.1

crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac

crypto map IPSEC 1 ipsec-isakmp
 set peer 4.3.2.1
 set transform-set 3DES-MD5
 match address remote-lan

ip access-list extended remote-lan
 permit ip 10.11.11.0 0.0.0.255 10.99.99.0 0.0.0.255
 permit ip 10.22.22.0 0.0.0.255 10.99.99.0 0.0.0.255

========================
ipsec.conf:

spdadd 10.11.11.0/24 10.99.99.0/24 any -P in ipsec \
    esp/tunnel/1.2.3.4-4.3.2.1/require;
spdadd 10.22.22.0/24 10.99.99.0/24 any -P in ipsec \
    esp/tunnel/1.2.3.4-4.3.2.1/require;
spdadd 10.99.99.0/24 10.11.11.0/24 any -P out ipsec \
    esp/tunnel/4.3.2.1-1.2.3.4/require;
spdadd 10.99.99.0/24 10.22.22.0/24 any -P out ipsec \
    esp/tunnel/4.3.2.1-1.2.3.4/require;

========================
racoon.conf:

path pre_shared_key "/usr/local/etc/ipsec.keys";

listen {
    isakmp 4.3.2.1;
}

remote 1.2.3.4 {
    exchange_mode aggressive,main,base;
    my_identifier address 4.3.2.1;
    peers_identifier address 1.2.3.4;
    verify_identifier off;
    proposal_check claim;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 24 hours;
    }
}

sainfo address 10.11.11.0/24 any address 10.99.99.0/24 any {
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

sainfo address 10.22.22.0/24 any address 10.99.99.0/24 any {
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

sainfo address 10.99.99.0/24 any address 10.11.11.0/24 any {
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

sainfo address 10.99.99.0/24 any address 10.22.22.0/24 any {
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

========================
ipsec.keys:

1.2.3.4
========================

I believe my configuration is sound, even though it may not match some of the recipes found on the net.

First test: Inbound traffic

A remote system (10.11.11.88) pings a system (10.99.99.11) behind my gateway. The result is success. Here is the resulting SA on the Cisco side:

# show crypto ipsec sa peer 4.3.2.1

interface: GigabitEthernet0/1
    Crypto map tag: IPSEC, local addr. 1.2.3.4

   protected vrf:
   local  ident (addr/mask/prot/port): (10.11.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
   current_peer: 4.3.2.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 173, #pkts encrypt: 173, #pkts digest 173
    #pkts decaps: 839, #pkts decrypt: 839, #pkts verify 839
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 101, #recv errors 636

     local crypto endpt.: 1.2.3.4, remote crypto endpt.: 4.3.2.1
     path mtu 1500, media mtu 1500
     current outbound spi: EA6BAC9

     inbound esp sas:
      spi: 0x307C7433(813462579)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8531, flow_id: 8169, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4445960/3275)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEA6BAC9(245807817)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8532, flow_id: 8170, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4445962/3275)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

And here is the resulting SA on my side:

# setkey -D
4.3.2.1 1.2.3.4
        esp mode=tunnel spi=813462579(0x307c7433) reqid=0(0x00000000)
        E: 3des-cbc  7c5e61ce d9c097ab 77724344 51fddf8d 854a8797 d0dffbca
        A: hmac-md5  d878b88f d9a90dfd c239ca10 e6705098
        seq=0x00000001 replay=4 flags=0x00000000 state=mature
        created: May  8 12:23:29 2006   current: May  8 12:24:28 2006
        diff: 59(s)     hard: 3600(s)   soft: 2880(s)
        last: May  8 12:23:29 2006      hard: 0(s)      soft: 0(s)
        current: 136(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 1    hard: 0 soft: 0
        sadb_seq=1 pid=10602 refcnt=2
1.2.3.4 4.3.2.1
        esp mode=tunnel spi=245807817(0x0ea6bac9) reqid=0(0x00000000)
        E: 3des-cbc  963f91b6 a0e56342 ad32f99c 295e3260 a20b211b 1a8b1539
        A: hmac-md5  c8ca1452 3413049e e69f93d7 ad7f1490
        seq=0x00000001 replay=4 flags=0x00000000 state=mature
        created: May  8 12:23:29 2006   current: May  8 12:24:28 2006
        diff: 59(s)     hard: 3600(s)   soft: 2880(s)
        last: May  8 12:23:29 2006      hard: 0(s)      soft: 0(s)
        current: 84(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 1    hard: 0 soft: 0
        sadb_seq=0 pid=10602 refcnt=1

Here is a tcpdump showing the packet exchange that occurs:

12:22:44 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 1 ? ident[E]
12:23:23 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 1 I ident
12:23:23 IP 4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 1 R ident
12:23:24 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 1 I ident
12:23:24 IP 4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 1 R ident
12:23:26 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 1 I ident[E]
12:23:26 IP 4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 1 R ident[E]
12:23:28 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 2/others I oakley-quick[E]
12:23:28 IP 4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 2/others R oakley-quick[E]
12:23:29 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 2/others I oakley-quick[E]
12:23:29 IP 1.2.3.4 > 4.3.2.1: ESP(spi=0x0ea6bac9,seq=0x1), length 116
12:23:29 IP 4.3.2.1 > 1.2.3.4: ESP(spi=0x307c7433,seq=0x1), length 116

The IKE negotiation succeeded, and the SPI's match for the inbound and outbound encrypted traffic.

Second test: Inbound traffic

A remote system (10.22.22.88) located on a different remote subnet behind the same gateway as before, pings a system (10.99.99.11) behind my gateway. The result is failure. Again, here is the resulting SA set on the Cisco side:

# show crypto ipsec sa peer 4.3.2.1

interface: GigabitEthernet0/1
    Crypto map tag: IPSEC, local addr. 1.2.3.4

   protected vrf:
   local  ident (addr/mask/prot/port): (10.11.11.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
   current_peer: 4.3.2.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 173, #pkts encrypt: 173, #pkts digest 173
    #pkts decaps: 839, #pkts decrypt: 839, #pkts verify 839
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 101, #recv errors 636

     local crypto endpt.: 1.2.3.4, remote crypto endpt.: 4.3.2.1
     path mtu 1500, media mtu 1500
     current outbound spi: EA6BAC9

     inbound esp sas:
      spi: 0x307C7433(813462579)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8531, flow_id: 8169, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4445960/3275)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEA6BAC9(245807817)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8532, flow_id: 8170, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4445962/3275)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   protected vrf:
   local  ident (addr/mask/prot/port): (10.22.22.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
   current_peer: 4.3.2.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 188, #pkts encrypt: 188, #pkts digest 188
    #pkts decaps: 98, #pkts decrypt: 98, #pkts verify 98
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 3, #recv errors 47

     local crypto endpt.: 1.2.3.4, remote crypto endpt.: 4.3.2.1
     path mtu 1500, media mtu 1500
     current outbound spi: 625C4B6

     inbound esp sas:
      spi: 0xC7C085BD(3351283133)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8535, flow_id: 8173, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4554069/3414)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x625C4B6(103138486)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 8536, flow_id: 8174, crypto map: IPSEC
        sa timing: remaining key lifetime (k/sec): (4554066/3414)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

And here is the SA list on my side, showing that two pairs of SA's have been negotiated:

# setkey -D
4.3.2.1 1.2.3.4
        esp mode=tunnel spi=3351283133(0xc7c085bd) reqid=0(0x00000000)
        E: 3des-cbc  3323af44 bb35454d 452d6e45 781ff741 5ddea450 bdc4e6f8
        A: hmac-md5  f5ebb9cd 4bd9c7ef 8ecdb8fa 95dc21d1
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: May  8 12:25:48 2006   current: May  8 12:28:06 2006
        diff: 138(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=10609 refcnt=1
4.3.2.1 1.2.3.4
        esp mode=tunnel spi=813462579(0x307c7433) reqid=0(0x00000000)
        E: 3des-cbc  7c5e61ce d9c097ab 77724344 51fddf8d 854a8797 d0dffbca
        A: hmac-md5  d878b88f d9a90dfd c239ca10 e6705098
        seq=0x00000015 replay=4 flags=0x00000000 state=mature
        created: May  8 12:23:29 2006   current: May  8 12:28:06 2006
        diff: 277(s)    hard: 3600(s)   soft: 2880(s)
        last: May  8 12:27:05 2006      hard: 0(s)      soft: 0(s)
        current: 2856(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 21   hard: 0 soft: 0
        sadb_seq=2 pid=10609 refcnt=3
1.2.3.4 4.3.2.1
        esp mode=tunnel spi=103138486(0x0625c4b6) reqid=0(0x00000000)
        E: 3des-cbc  490cd807 2d8efeb2 9bc39e74 176f791b 63d1f8d1 3451442c
        A: hmac-md5  808f7344 bfc44b18 09a8a61d 97c0aa98
        seq=0x00000014 replay=4 flags=0x00000000 state=mature
        created: May  8 12:25:48 2006   current: May  8 12:28:06 2006
        diff: 138(s)    hard: 3600(s)   soft: 2880(s)
        last: May  8 12:27:05 2006      hard: 0(s)      soft: 0(s)
        current: 1680(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 20   hard: 0 soft: 0
        sadb_seq=1 pid=10609 refcnt=1
1.2.3.4 4.3.2.1
        esp mode=tunnel spi=245807817(0x0ea6bac9) reqid=0(0x00000000)
        E: 3des-cbc  963f91b6 a0e56342 ad32f99c 295e3260 a20b211b 1a8b1539
        A: hmac-md5  c8ca1452 3413049e e69f93d7 ad7f1490
        seq=0x00000001 replay=4 flags=0x00000000 state=mature
        created: May  8 12:23:29 2006   current: May  8 12:28:06 2006
        diff: 277(s)    hard: 3600(s)   soft: 2880(s)
        last: May  8 12:23:29 2006      hard: 0(s)      soft: 0(s)
        current: 84(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 1    hard: 0 soft: 0
        sadb_seq=0 pid=10609 refcnt=1

The packet trace shows part of the problem:

12:25:47 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 2/others I oakley-quick[E]
12:25:47 IP 4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 2/others R oakley-quick[E]
12:25:48 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 2/others I oakley-quick[E]
12:25:49 IP 1.2.3.4 > 4.3.2.1: ESP(spi=0x0625c4b6,seq=0x1), length 116
12:25:49 IP 4.3.2.1 > 1.2.3.4: ESP(spi=0x307c7433,seq=0x2), length 116
12:25:50 IP 1.2.3.4 > 4.3.2.1: ESP(spi=0x0625c4b6,seq=0x2), length 116
12:25:50 IP 4.3.2.1 > 1.2.3.4: ESP(spi=0x307c7433,seq=0x3), length 116
12:25:51 IP 1.2.3.4 > 4.3.2.1: ESP(spi=0x0625c4b6,seq=0x3), length 116
12:25:51 IP 4.3.2.1 > 1.2.3.4: ESP(spi=0x307c7433,seq=0x4), length 116

As you can see, the Cisco gateway is sending traffic using the newly-negotiated SPI, however the FreeBSD gateway is responding using the previously negotiated SPI for the other subnet, 10.11.11.0/24.

The Cisco gateway (correctly, in my opinion) rejects this traffic:

IPSEC(epa_des_crypt): decrypted packet failed SA identity check
IPSEC(epa_des_crypt): decrypted packet failed SA identity check

Third test: Outbound traffic

A local system (10.99.99.11) tries to ping two systems (10.11.11.88 and 10.22.22.61) behind the remote gateway. The first ping succeeds. The second fails. I will leave out the status output as shown above, as it is getting redundant.

For the first ping, the SA is established correctly as above. However, when the second ping is attempted, the FreeBSD box DOES NOT attempt to negotiate a second SA for the second subnet. Instead, it begins generating ESP traffic immediately, using the existing SPI that was negotiated for the first subnet. There is no attempt to contact the racoon daemon in order to attempt the negotiation.

Summary:

It appears to me that FreeBSD is only paying attention to one SPI per gateway, rather than one SPI per subnet as IPSEC standards would suggest. It seems that, once the FreeBSD gateway determines which destination gateway is going to be used for traffic, it does not search the list of SPI's negotiated, nor does it pay attention to which SPD was matched for the outbound traffic. It simply picks the first (or last) SPI that was negotiated, and uses that. This leads to an interoperability problem when I attempt to peer with remote systems managed by other vendors.

Is there anyone I can talk to that can help me understand how this problem comes about, and assist me in developing a fix? I am willing to bang on kernel code if necessary, but I could use some help in understanding the source and how the ipsec modules interrelate to the rest of the networking code.

Thanks for any assistance you can give.

--
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing, but I couldn't give it up because by that time I was too famous.
  -- Robert Benchley

From owner-freebsd-net@FreeBSD.ORG Mon May 8 23:11:12 2006
Message-ID: <445FCFF7.9070403@widesoft.com.br>
Date: Mon, 08 May 2006 20:10:47 -0300
From: tpeixoto@widesoft.com.br
To: tpeixoto@widesoft.com.br, .@babolo.ru, Lee Johnston , freebsd-net@freebsd.org, Julian Elischer , mihai@duras.ro
References: <1146645702.297895.80691.nullmailer@cicuta.babolo.ru> <44595B76.9010901@widesoft.com.br> <20060504015524.GV728@funkthat.com>
In-Reply-To: <20060504015524.GV728@funkthat.com>
Subject: Re: Packet loss with traffic shaper and routing

Interesting. I'll try to take a look when I have some free time and then post some comments.

Thanks.

John-Mark Gurney wrote:
> tpeixoto@widesoft.com.br wrote this message on Wed, May 03, 2006 at 22:40 -0300:
>> Anyway, I am very curious about the result of test 2. Why do the pipes
>> have influence on system performance if there is nothing passing through
>> them?
>
> It looks like each tick all the pipes are scanned... In dummynet:
>     /* Sweep pipes trying to expire idle flow_queues. */
>     for (i = 0; i < HASHSIZE; i++)
>         SLIST_FOREACH(pipe, &pipehash[i], next)
>
> That bit of code should probably be run less often...
>

From owner-freebsd-net@FreeBSD.ORG Mon May 8 23:23:30 2006
Message-ID: <445FD2E3.8000900@widesoft.com.br>
Date: Mon, 08 May 2006 20:23:15 -0300
From: tpeixoto@widesoft.com.br
To: .@babolo.ru
Cc: Lee Johnston , freebsd-net@freebsd.org, Julian Elischer , mihai@duras.ro
References: <1146762831.921056.82828.nullmailer@cicuta.babolo.ru>
In-Reply-To: <1146762831.921056.82828.nullmailer@cicuta.babolo.ru>
Subject: Re: Packet loss with traffic shaper and routing

I guess traffic stops if you have pipe rules. In test 1, I did:

${fwcmd} pipe 1 config bw 512Kbit/s
${fwcmd} pipe 2 config bw 512Kbit/s
${fwcmd} add _allow_ all from any to any MAC any 00:11:22:33:44:55 in
${fwcmd} add _allow_ all from any to any MAC 00:11:22:33:44:55 any out

x 1600 times. That caused lots of interrupts. Traffic was flowing although no shaping was done.

Then, in test 2, with the same rules above, I just flushed the pipes:

ipfw pipe flush

The traffic was there, and the result is what I said in my last post...

"."@babolo.ru wrote:
> [ Charset ISO-8859-1 unsupported, converting... ]
>> Very good. You're right!
>> I inserted a rule to match all non-layer2 packets on the top of the
>> ruleset and interrupts dropped 10~20% immediately.
>> Given that, I went to apply Julian's idea of grouping 'in' and 'out'
>> pipe rules to reduce the searching on the firewall and that gave me a
>> little bit more performance.
>> As interrupts were still hitting the 60% mark, I did some more experiments:
>>
>> Test 1: I changed all 'pipe' rules to 'allow' rules, so all packets were
>> allowed and no shaping was done. The pipes were still there, but there
>> were no rules pointing packets to them.
>> Result: No difference. Interrupts are the same as before.
>> Conclusion: It's not the shaping itself that slows the system.
>>
>> Test 2: With the same ruleset of test 1, I just removed all pipes (ipfw
>> pipe flush).
> As far as I understand, traffic stops after pipe flush,
> and this is the reason the CPU goes down
>
>> Result: Interrupts were only 20%!
>> Conclusion: Lots of pipes bother the system. I didn't figure out why,
>> but it's not a coincidence. I tested several times to make sure.
>> [...]

From owner-freebsd-net@FreeBSD.ORG Tue May 9 00:01:57 2006
Message-ID: <445FDB7B.1060704@astralblue.net>
Date: Mon, 08 May 2006 16:59:55 -0700
From: "Eugene M. Kim"
To: David DeSimone
Cc: freebsd-net@freebsd.org
Message-ID: <445FDB7B.1060704@astralblue.net>
In-Reply-To: <20060508220101.GA15248@verio.net>
Subject: Re: IPSEC Interop problem with Cisco using multiple SA's

I haven't tried this myself, but you may want to try using "unique:<id>"
instead of "require" as the policy level, with <id> set to a unique policy
identifier, which is an integer you can pick between 1 and 32767
inclusive, for each security policy. This makes the security policy
"claim" the security associations whose generation it triggers, by
marking the SAs with its integer identifier so that they are not used for
any other security policy. I guess Cisco does this automatically;
FreeBSD/KAME does not.

Cheers,
Eugene

David DeSimone wrote:
> I am having a problem establishing peering between my FreeBSD 6.0
> gateway and a Cisco device, using IPSEC. The peering works fine if
> there is only one subnet behind the remote gateway, but it fails when
> there is more than one subnet. I believe the FreeBSD side is failing
> to be as strict with the Security Associations being negotiated.
>
> More details below:
>
> ========================
>
> Basic info:
>
> Gateway 1: Cisco 7200VXR
>
> IP: 1.2.3.4
>
> Subnets: 10.11.11.0/24
> 10.22.22.0/24
>
> Gateway 2: FreeBSD 6.0-RELEASE
>
> IP: 4.3.2.1
>
> Subnet: 10.99.99.0/24
>
> ========================
>
> Cisco config:
>
> interface GigabitEthernet0/1
> ip address 1.2.3.4 255.255.255.0
> crypto map IPSEC
>
> crypto map IPSEC local-address GigabitEthernet0/1
>
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> group 2
> lifetime 86000
>
> crypto isakmp key address 4.3.2.1
>
> crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
>
> crypto map IPSEC 1 ipsec-isakmp
> set peer 4.3.2.1
> set transform-set 3DES-MD5
> match address remote-lan
>
> ip access-list extended remote-lan
> permit ip 10.11.11.0 0.0.0.255 10.99.99.0 0.0.0.255
> permit ip 10.22.22.0 0.0.0.255 10.99.99.0 0.0.0.255
>
> ========================
>
> ipsec.conf:
>
> spdadd 10.11.11.0/24 10.99.99.0/24 any -P in ipsec \
> esp/tunnel/1.2.3.4-4.3.2.1/require;
> spdadd 10.22.22.0/24 10.99.99.0/24 any -P in ipsec \
> esp/tunnel/1.2.3.4-4.3.2.1/require;
>
> spdadd 10.99.99.0/24 10.11.11.0/24 any -P out ipsec \
> esp/tunnel/4.3.2.1-1.2.3.4/require;
> spdadd 10.99.99.0/24 10.22.22.0/24 any -P out ipsec \
> esp/tunnel/4.3.2.1-1.2.3.4/require;
>
> ========================
>
> racoon.conf:
>
> path pre_shared_key "/usr/local/etc/ipsec.keys";
>
> listen
> {
> isakmp 4.3.2.1;
> }
>
> remote 1.2.3.4
> {
> exchange_mode aggressive,main,base;
> my_identifier address 4.3.2.1;
> peers_identifier address 1.2.3.4;
> verify_identifier off;
> proposal_check claim;
>
> proposal
> {
> encryption_algorithm 3des;
> hash_algorithm md5;
> authentication_method pre_shared_key;
> dh_group 2;
> lifetime time 24 hours;
> }
> }
>
> sainfo address 10.11.11.0/24 any address 10.99.99.0/24 any
> {
> lifetime time 1 hour;
> encryption_algorithm 3des;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
> }
>
> sainfo address 10.22.22.0/24 any address 10.99.99.0/24 any
> {
> lifetime time 1 hour;
> encryption_algorithm 3des;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
> }
>
> sainfo address 10.99.99.0/24 any address 10.11.11.0/24 any
> {
> lifetime time 1 hour;
> encryption_algorithm 3des;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
> }
>
> sainfo address 10.99.99.0/24 any address 10.22.22.0/24 any
> {
> lifetime time 1 hour;
> encryption_algorithm 3des;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
> }
>
> ========================
>
> ipsec.keys:
>
> 1.2.3.4
>
> ========================
>
> I believe my configuration is sound, even though it may not match some
> of the recipes found on the net.
>
>
> First test: Inbound traffic
>
> A remote system (10.11.11.88) pings a system (10.99.99.11) behind my
> gateway. The result is success. Here is the resulting SA on the Cisco
> side:
>
> # show crypto ipsec sa peer 4.3.2.1
>
> interface: GigabitEthernet0/1
> Crypto map tag: IPSEC, local addr. 1.2.3.4
>
> protected vrf:
> local ident (addr/mask/prot/port): (10.11.11.0/255.255.255.0/0/0)
> remote ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
> current_peer: 4.3.2.1:500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 173, #pkts encrypt: 173, #pkts digest 173
> #pkts decaps: 839, #pkts decrypt: 839, #pkts verify 839
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 101, #recv errors 636
>
> local crypto endpt.: 1.2.3.4, remote crypto endpt.: 4.3.2.1
> path mtu 1500, media mtu 1500
> current outbound spi: EA6BAC9
>
> inbound esp sas:
> spi: 0x307C7433(813462579)
> transform: esp-3des esp-md5-hmac ,
> in use settings ={Tunnel, }
> slot: 0, conn id: 8531, flow_id: 8169, crypto map: IPSEC
> sa timing: remaining key lifetime (k/sec): (4445960/3275)
> IV size: 8 bytes
> replay detection support: Y
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
> spi: 0xEA6BAC9(245807817)
> transform: esp-3des esp-md5-hmac ,
> in use settings ={Tunnel, }
> slot: 0, conn id: 8532, flow_id: 8170, crypto map: IPSEC
> sa timing: remaining key lifetime (k/sec): (4445962/3275)
> IV size: 8 bytes
> replay detection support: Y
>
> outbound ah sas:
>
> outbound pcp sas:
>
> And here is the resulting SA on my side:
>
> # setkey -D
>
> 4.3.2.1 1.2.3.4
> esp mode=tunnel spi=813462579(0x307c7433) reqid=0(0x00000000)
> E: 3des-cbc 7c5e61ce d9c097ab 77724344 51fddf8d 854a8797 d0dffbca
> A: hmac-md5 d878b88f d9a90dfd c239ca10 e6705098
> seq=0x00000001 replay=4 flags=0x00000000 state=mature
> created: May 8 12:23:29 2006 current: May 8 12:24:28 2006
> diff: 59(s) hard: 3600(s) soft: 2880(s)
> last: May 8 12:23:29 2006 hard: 0(s) soft: 0(s)
> current: 136(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 1 hard: 0 soft: 0
> sadb_seq=1 pid=10602 refcnt=2
> 1.2.3.4 4.3.2.1
> esp mode=tunnel spi=245807817(0x0ea6bac9) reqid=0(0x00000000)
> E: 3des-cbc 963f91b6 a0e56342 ad32f99c 295e3260 a20b211b 1a8b1539
> A: hmac-md5 c8ca1452 3413049e e69f93d7 ad7f1490
> seq=0x00000001 replay=4 flags=0x00000000 state=mature
> created: May 8 12:23:29 2006 current: May 8 12:24:28 2006
> diff: 59(s) hard: 3600(s) soft: 2880(s)
> last: May 8 12:23:29 2006 hard: 0(s) soft: 0(s)
> current: 84(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 1 hard: 0 soft: 0
> sadb_seq=0 pid=10602 refcnt=1
>
> Here is a tcpdump showing the packet exchange that occurs:
>
> 12:22:44 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 1 ? ident[E]
> 12:23:23 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 1 I ident
> 12:23:23 IP 4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 1 R ident
> 12:23:24 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 1 I ident
> 12:23:24 IP 4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 1 R ident
> 12:23:26 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 1 I ident[E]
> 12:23:26 IP 4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 1 R ident[E]
> 12:23:28 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 2/others I oakley-quick[E]
> 12:23:28 IP 4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 2/others R oakley-quick[E]
> 12:23:29 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 2/others I oakley-quick[E]
>
> 12:23:29 IP 1.2.3.4 > 4.3.2.1: ESP(spi=0x0ea6bac9,seq=0x1), length 116
> 12:23:29 IP 4.3.2.1 > 1.2.3.4: ESP(spi=0x307c7433,seq=0x1), length 116
>
> The IKE negotiation succeeded, and the SPI's match for the inbound and
> outbound encrypted traffic.
>
>
> Second test: Inbound traffic
>
> A remote system (10.22.22.88) located on a different remote subnet
> behind the same gateway as before, pings a system (10.99.99.11) behind
> my gateway. The result is failure.
>
> Again, here is the resulting SA set on the Cisco side:
>
>
> # show crypto ipsec sa peer 4.3.2.1
>
> interface: GigabitEthernet0/1
> Crypto map tag: IPSEC, local addr. 1.2.3.4
>
> protected vrf:
> local ident (addr/mask/prot/port): (10.11.11.0/255.255.255.0/0/0)
> remote ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
> current_peer: 4.3.2.1:500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 173, #pkts encrypt: 173, #pkts digest 173
> #pkts decaps: 839, #pkts decrypt: 839, #pkts verify 839
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 101, #recv errors 636
>
> local crypto endpt.: 1.2.3.4, remote crypto endpt.: 4.3.2.1
> path mtu 1500, media mtu 1500
> current outbound spi: EA6BAC9
>
> inbound esp sas:
> spi: 0x307C7433(813462579)
> transform: esp-3des esp-md5-hmac ,
> in use settings ={Tunnel, }
> slot: 0, conn id: 8531, flow_id: 8169, crypto map: IPSEC
> sa timing: remaining key lifetime (k/sec): (4445960/3275)
> IV size: 8 bytes
> replay detection support: Y
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
> spi: 0xEA6BAC9(245807817)
> transform: esp-3des esp-md5-hmac ,
> in use settings ={Tunnel, }
> slot: 0, conn id: 8532, flow_id: 8170, crypto map: IPSEC
> sa timing: remaining key lifetime (k/sec): (4445962/3275)
> IV size: 8 bytes
> replay detection support: Y
>
> outbound ah sas:
>
> outbound pcp sas:
>
> protected vrf:
> local ident (addr/mask/prot/port): (10.22.22.0/255.255.255.0/0/0)
> remote ident (addr/mask/prot/port): (10.99.99.0/255.255.255.0/0/0)
> current_peer: 4.3.2.1:500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 188, #pkts encrypt: 188, #pkts digest 188
> #pkts decaps: 98, #pkts decrypt: 98, #pkts verify 98
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 3, #recv errors 47
>
> local crypto endpt.: 1.2.3.4, remote crypto endpt.: 4.3.2.1
> path mtu 1500, media mtu 1500
> current outbound spi: 625C4B6
>
> inbound esp sas:
> spi: 0xC7C085BD(3351283133)
> transform: esp-3des esp-md5-hmac ,
> in use settings ={Tunnel, }
> slot: 0, conn id: 8535, flow_id: 8173, crypto map: IPSEC
> sa timing: remaining key lifetime (k/sec): (4554069/3414)
> IV size: 8 bytes
> replay detection support: Y
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
> spi: 0x625C4B6(103138486)
> transform: esp-3des esp-md5-hmac ,
> in use settings ={Tunnel, }
> slot: 0, conn id: 8536, flow_id: 8174, crypto map: IPSEC
> sa timing: remaining key lifetime (k/sec): (4554066/3414)
> IV size: 8 bytes
> replay detection support: Y
>
> outbound ah sas:
>
> outbound pcp sas:
>
>
> And here is the SA list on my side, showing that two pairs of SA's have
> been negotiated:
>
> # setkey -D
> 4.3.2.1 1.2.3.4
> esp mode=tunnel spi=3351283133(0xc7c085bd) reqid=0(0x00000000)
> E: 3des-cbc 3323af44 bb35454d 452d6e45 781ff741 5ddea450 bdc4e6f8
> A: hmac-md5 f5ebb9cd 4bd9c7ef 8ecdb8fa 95dc21d1
> seq=0x00000000 replay=4 flags=0x00000000 state=mature
> created: May 8 12:25:48 2006 current: May 8 12:28:06 2006
> diff: 138(s) hard: 3600(s) soft: 2880(s)
> last: hard: 0(s) soft: 0(s)
> current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 0 hard: 0 soft: 0
> sadb_seq=3 pid=10609 refcnt=1
> 4.3.2.1 1.2.3.4
> esp mode=tunnel spi=813462579(0x307c7433) reqid=0(0x00000000)
> E: 3des-cbc 7c5e61ce d9c097ab 77724344 51fddf8d 854a8797 d0dffbca
> A: hmac-md5 d878b88f d9a90dfd c239ca10 e6705098
> seq=0x00000015 replay=4 flags=0x00000000 state=mature
> created: May 8 12:23:29 2006 current: May 8 12:28:06 2006
> diff: 277(s) hard: 3600(s) soft: 2880(s)
> last: May 8 12:27:05 2006 hard: 0(s) soft: 0(s)
> current: 2856(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 21 hard: 0 soft: 0
> sadb_seq=2 pid=10609 refcnt=3
> 1.2.3.4 4.3.2.1
> esp mode=tunnel spi=103138486(0x0625c4b6) reqid=0(0x00000000)
> E: 3des-cbc 490cd807 2d8efeb2 9bc39e74 176f791b 63d1f8d1 3451442c
> A: hmac-md5 808f7344 bfc44b18 09a8a61d 97c0aa98
> seq=0x00000014 replay=4 flags=0x00000000 state=mature
> created: May 8 12:25:48 2006 current: May 8 12:28:06 2006
> diff: 138(s) hard: 3600(s) soft: 2880(s)
> last: May 8 12:27:05 2006 hard: 0(s) soft: 0(s)
> current: 1680(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 20 hard: 0 soft: 0
> sadb_seq=1 pid=10609 refcnt=1
> 1.2.3.4 4.3.2.1
> esp mode=tunnel spi=245807817(0x0ea6bac9) reqid=0(0x00000000)
> E: 3des-cbc 963f91b6 a0e56342 ad32f99c 295e3260 a20b211b 1a8b1539
> A: hmac-md5 c8ca1452 3413049e e69f93d7 ad7f1490
> seq=0x00000001 replay=4 flags=0x00000000 state=mature
> created: May 8 12:23:29 2006 current: May 8 12:28:06 2006
> diff: 277(s) hard: 3600(s) soft: 2880(s)
> last: May 8 12:23:29 2006 hard: 0(s) soft: 0(s)
> current: 84(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 1 hard: 0 soft: 0
> sadb_seq=0 pid=10609 refcnt=1
>
> The packet trace shows part of the problem:
>
> 12:25:47 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 2/others I oakley-quick[E]
> 12:25:47 IP 4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 2/others R oakley-quick[E]
> 12:25:48 IP 1.2.3.4.500 > 4.3.2.1.500: isakmp: phase 2/others I oakley-quick[E]
>
> 12:25:49 IP 1.2.3.4 > 4.3.2.1: ESP(spi=0x0625c4b6,seq=0x1), length 116
> 12:25:49 IP 4.3.2.1 > 1.2.3.4: ESP(spi=0x307c7433,seq=0x2), length 116
> 12:25:50 IP 1.2.3.4 > 4.3.2.1: ESP(spi=0x0625c4b6,seq=0x2), length 116
> 12:25:50 IP 4.3.2.1 > 1.2.3.4: ESP(spi=0x307c7433,seq=0x3), length 116
> 12:25:51 IP 1.2.3.4 > 4.3.2.1: ESP(spi=0x0625c4b6,seq=0x3), length 116
> 12:25:51 IP 4.3.2.1 > 1.2.3.4: ESP(spi=0x307c7433,seq=0x4), length 116
>
> As you can see, the Cisco gateway is sending traffic using the newly-
> negotiated SPI, however the FreeBSD gateway is responding using the
> previously negotiated SPI for the other subnet, 10.11.11.0/24. The
> Cisco gateway (correctly, in my opinion) rejects this traffic:
>
> IPSEC(epa_des_crypt): decrypted packet failed SA identity check
> IPSEC(epa_des_crypt): decrypted packet failed SA identity check
>
>
> Third test: Outbound traffic
>
> A local system (10.99.99.11) tries to ping two systems (10.11.11.88 and
> 10.22.22.61) behind the remote gateway. The first ping succeeds. The
> second fails.
>
> I will leave out the status output as shown above, as it is getting
> redundant.
>
> For the first ping, the SA is established correctly as above. However,
> when the second ping is attempted, the FreeBSD box DOES NOT attempt to
> negotiate a second SA for the second subnet. Instead, it begins
> generating ESP traffic immediately, using the existing SPI that was
> negotiated for the first subnet. There is no attempt to contact the
> racoon daemon in order to attempt the negotiation.
>
>
> Summary: It appears to me that FreeBSD is only paying attention to one
> SPI per gateway, rather than one SPI per subnet as IPSEC standards would
> suggest. It seems that, once the FreeBSD gateway determines which
> destination gateway is going to be used for traffic, it does not search
> the list of SPI's negotiated, nor does it pay attention to which SPD was
> matched for the outbound traffic. It simply picks the first (or last)
> SPI that was negotiated, and uses that.
>
> This leads to an interoperability problem when I attempt to peer with
> remote systems managed by other vendors.
>
> Is there anyone I can talk to that can help me understand how this
> problem comes about, and assist me in developing a fix? I am willing to
> bang on kernel code if necessary, but I could use some help in
> understanding the source and how the ipsec modules interrelate to the
> rest of the networking code.
>
> Thanks for any assistance you can give.
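The following is an added model, not code from the thread, from FreeBSD or from racoon: it parses the four spdadd lines of David's ipsec.conf and replays the SA lookup that Eugene's suggestion changes. With "require" the policy carries reqid 0, so every SA between the two gateway addresses matches and the oldest is reused (the model assumes the default net.key.preferred_oldsa=1 behaviour); with "unique:<id>" the policy accepts only SAs tagged with its own reqid. The SPIs are the two FreeBSD-to-Cisco SAs from David's setkey -D output; the negotiation step and the automatic reqid allocation from IPSEC_MANUAL_REQID_MAX+1 (as Yvan describes later in the thread) are simplifications.

```python
# Added model of KAME-style SA selection for the policies in this thread.
# Illustrative only: not FreeBSD kernel code and not racoon code.
import re
from dataclasses import dataclass

IPSEC_MANUAL_REQID_MAX = 0x3FFF  # manual reqids are 1..0x3fff (Yvan's note)

# David's ipsec.conf exactly as posted: every policy at level "require".
REQUIRE_CONF = """\
spdadd 10.11.11.0/24 10.99.99.0/24 any -P in ipsec \\
    esp/tunnel/1.2.3.4-4.3.2.1/require;
spdadd 10.22.22.0/24 10.99.99.0/24 any -P in ipsec \\
    esp/tunnel/1.2.3.4-4.3.2.1/require;
spdadd 10.99.99.0/24 10.11.11.0/24 any -P out ipsec \\
    esp/tunnel/4.3.2.1-1.2.3.4/require;
spdadd 10.99.99.0/24 10.22.22.0/24 any -P out ipsec \\
    esp/tunnel/4.3.2.1-1.2.3.4/require;
"""

def with_unique_ids(conf):
    """Eugene's fix: give each policy its own 'unique:<id>' (ids 1, 2, ...)."""
    ids = iter(range(1, IPSEC_MANUAL_REQID_MAX + 1))
    return re.sub(r"\brequire\b", lambda _m: f"unique:{next(ids)}", conf)

UNIQUE_CONF = with_unique_ids(REQUIRE_CONF)

@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    direction: str   # "in" or "out"
    tun_src: str     # outer (gateway) source address of the tunnel
    tun_dst: str     # outer destination address of the tunnel
    reqid: int       # 0 for "require": the policy does not claim its SAs

@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    spi: int
    reqid: int       # copied from the policy whose traffic triggered negotiation
    created: int     # negotiation order; lower means older

_SPDADD = re.compile(r"spdadd (\S+) (\S+) any -P (in|out) ipsec "
                     r"esp/tunnel/(\S+)-(\S+)/(require|unique(?::(\d+))?);")

def parse_spdadd(text):
    """Parse setkey 'spdadd' lines, joining backslash continuations."""
    policies, next_auto = [], IPSEC_MANUAL_REQID_MAX + 1
    for raw in text.replace("\\\n", " ").splitlines():
        line = " ".join(raw.split())
        if not line:
            continue
        m = _SPDADD.fullmatch(line)
        if not m:
            raise ValueError(f"unsupported spdadd line: {line!r}")
        src, dst, direction, tsrc, tdst, level, num = m.groups()
        if level == "require":
            reqid = 0
        elif num is None:            # bare "unique": next free id above the manual range
            reqid, next_auto = next_auto, next_auto + 1
        else:
            reqid = int(num)
            if not 1 <= reqid <= IPSEC_MANUAL_REQID_MAX:
                raise ValueError(f"manual reqid out of range: {reqid}")
        policies.append(Policy(src, dst, direction, tsrc, tdst, reqid))
    return policies

def negotiate_outbound(policies, spis):
    """Model racoon installing one outbound SA per 'out' policy, in config
    order, tagged with that policy's reqid.  SPIs are supplied by the caller."""
    outs = [p for p in policies if p.direction == "out"]
    return [SA(p.tun_src, p.tun_dst, spi, p.reqid, order)
            for order, (p, spi) in enumerate(zip(outs, spis), start=1)]

def select_sa(policy, sad, preferred_oldsa=True):
    """KAME-style lookup: endpoints must match, and reqid is compared only when
    the policy has one (reqid != 0).  The oldest match wins by default, which
    models net.key.preferred_oldsa=1 (an assumption of this model)."""
    matches = [sa for sa in sad
               if (sa.src, sa.dst) == (policy.tun_src, policy.tun_dst)
               and (policy.reqid == 0 or sa.reqid == policy.reqid)]
    if not matches:
        return None
    pick = min if preferred_oldsa else max
    return pick(matches, key=lambda sa: sa.created)

def outbound_spi_for(conf, dst_subnet, spis=(0x307C7433, 0xC7C085BD)):
    """Which SPI does the FreeBSD gateway use for traffic to dst_subnet?
    Default SPIs: the two FreeBSD->Cisco SAs from David's 'setkey -D'."""
    policies = parse_spdadd(conf)
    sad = negotiate_outbound(policies, spis)
    policy = next(p for p in policies
                  if p.direction == "out" and p.dst == dst_subnet)
    sa = select_sa(policy, sad)
    return sa.spi if sa else None
```

With REQUIRE_CONF, outbound_spi_for(..., "10.22.22.0/24") returns 0x307c7433, the stale SPI the Cisco side rejected; with UNIQUE_CONF it returns 0xc7c085bd, the SA negotiated for that subnet.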
From owner-freebsd-net@FreeBSD.ORG Tue May 9 03:04:31 2006
Date: Mon, 8 May 2006 22:04:29 -0500
From: David DeSimone
To: freebsd-net@freebsd.org
Message-ID: <20060509030428.GA16965@verio.net>
In-Reply-To: <445FDB7B.1060704@astralblue.net>
Subject: Re: IPSEC Interop problem with Cisco using multiple SA's

Eugene M. Kim wrote:
>
> I haven't tried this myself, but you may want to try using
> "unique:<id>" instead of "require" as the policy level

After reading up on this behavior, I gave it a try, replacing all
"require" policies with "unique". I found that there was no need to
set a policy identifier, as the system apparently chooses a random
identifier if none is specified, and so all SPD's create unique SAD's as
a result.

The result leads to exactly the behavior that I (and Cisco) expect to
see, and my multiple tunnels are now fully operational.

Thank you for the help with this!

-- 
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for
writing, but I couldn't give it up because by that time I was too
famous." -- Robert Benchley

From owner-freebsd-net@FreeBSD.ORG Tue May 9 03:22:15 2006
Date: Mon, 8 May 2006 20:22:13 -0700
Message-ID: <5EB31780BD297F46812C8F495FA08F620438CAE3@electron.jnpr.net>
From: "Pramod Srinivasan"
Subject: vrf support in FreeBSD

Hi Folks,

I am curious to know if there are any plans to support multiple routing
tables in FreeBSD's official release?

There was some discussion on this topic last year; if there is any vrf
patch for a latest release of FreeBSD, I would love to give it a try.

Any help greatly appreciated.

Thanks,
Pramod

From owner-freebsd-net@FreeBSD.ORG Tue May 9 04:54:21 2006
Date: Mon, 08 May 2006 21:54:18 -0700
From: Julian Elischer
To: Pramod Srinivasan
Cc: freebsd-net@freebsd.org
Message-ID: <4460207A.9050505@elischer.org>
In-Reply-To: <5EB31780BD297F46812C8F495FA08F620438CAE3@electron.jnpr.net>
Subject: Re: vrf support in FreeBSD

Pramod Srinivasan wrote:
>Hi Folks,
>
>I am curious to know if there are any plans to support multiple routing
>tables in FreeBSD's official release?
>
>There was some discussion on this topic last year; if there is any vrf
>patch for a latest release of FreeBSD, I would love to give it a try.
>
>

I am doing some small bits of work on this..
how do you want to select which table should be used?
(This is more of a 'survey' as I am trying to work out what I should
support)

>Any help greatly appreciated.
>
>Thanks,
>Pramod
>_______________________________________________
>freebsd-net@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-net
>To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
>

From owner-freebsd-net@FreeBSD.ORG Tue May 9 06:00:22 2006
Date: Tue, 9 May 2006 06:00:12 +0000 (GMT)
From: "Edward B. DREGER"
To: freebsd-net@freebsd.org
In-Reply-To: <4460207A.9050505@elischer.org>
Subject: Re: vrf support in FreeBSD

JE> Date: Mon, 08 May 2006 21:54:18 -0700
JE> From: Julian Elischer
JE>
JE> how do you want to select which table should be used?

Ingress interface.

Consider: 802.3ad, ECMP, FIB, multi RIBs (e.g., OSPF vs BGP weight), VRF

I started working on all of the above late in 2003 on 4.x; the project
was shelved due to lack of interest and [other parts of] $job taking
priority. I haven't looked at 5.x or 6.x code, but 4.x certainly would
have benefited from an architectural overhaul.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita

From owner-freebsd-net@FreeBSD.ORG Tue May 9 06:25:48 2006
From: Milan Obuch
To: freebsd-net@freebsd.org
Date: Tue, 9 May 2006 08:25:27 +0200
In-Reply-To: <4460207A.9050505@elischer.org>
Message-Id: <200605090825.28337.net@dino.sk>
Subject: Re: vrf support in FreeBSD

On Tuesday 09 May 2006 06:54, Julian Elischer wrote:
> Pramod Srinivasan wrote:
> >Hi Folks,
> >
> >I am curious to know if there are any plans to support multiple routing
> >tables in FreeBSD's official release?
> >
> >There was some discussion on this topic last year; if there is any vrf
> >patch for a latest release of FreeBSD, I would love to give it a try.
>
> I am doing some small bits of work on this..
>

Do you have anything to show/test? I am really interested in this and
would like to help; however, I have no real kernel knowledge in this
area, sorry.

> how do you want to select which table should be used?
> (This is more of a 'survey' as I am trying to work out what I should
> support)
>

I saw two approaches on this issue - the older one (discovered by me
sooner - spring 2003) was some MPLS patches made by Luigi Iannone, which
use a per-socket option, somewhat similar to Cisco's method (specifying
vrf on the command line; however, I have no internal knowledge of IOS).
Somewhat later I discovered Marko Zec's vimage patch, which enhances
jails for this. This makes routing table management and understanding
simpler - at least for me. I would like to use the second one or
something similar.

Regards,
Milan

From owner-freebsd-net@FreeBSD.ORG Tue May 9 08:08:08 2006
Date: Tue, 9 May 2006 10:07:57 +0200
From: VANHULLEBUS Yvan To: freebsd-net@freebsd.org Message-ID: <20060509080757.GA20700@zen.inc> References: <20060508220101.GA15248@verio.net> <445FDB7B.1060704@astralblue.net> <20060509030428.GA16965@verio.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060509030428.GA16965@verio.net> User-Agent: All mail clients suck. This one just sucks less. Subject: Re: IPSEC Interop problem with Cisco using multiple SA's X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 May 2006 08:08:11 -0000 On Mon, May 08, 2006 at 10:04:29PM -0500, David DeSimone wrote: > Eugene M. Kim wrote: > > > > I haven't tried this myself, but you may want to try using > > "unique:" instead of "require" as the policy level > > After reading up on this behavior, I gave it a try, replacing all > "require" policies with "unique". I found that there was no need to > set a policy identifier, as the system apparently chooses a random > identifier if none is specified, and so all SPD's create unique SAD's as > a result. To be more exact, you can set up a manual reqid between 1 and IPSEC_MANUAL_REQID_MAX (0x3fff by default), or let the system take the next available value from IPSEC_MANUAL_REQID_MAX+1. Yvan. 
--
NETASQ - Secure Internet Connectivity
http://www.netasq.com

From owner-freebsd-net@FreeBSD.ORG Tue May 9 12:28:16 2006
Date: Tue, 9 May 2006 13:28:01 +0100
From: Bruce M Simpson
To: freebsd-net@freebsd.org
Cc: pavlin@icir.org, atanu@icir.org
Message-ID: <20060509122801.GA65297@spc.org>
Organization: Incunabulum
Subject: IP_MAX_MEMBERSHIPS story.

A user recently reported a problem with running into IP_MAX_MEMBERSHIPS on a system running FreeBSD with IPv4 forwarding enabled, and running the OSPF routing protocol. I have been investigating how to address this problem.

Background:

A raw socket was exceeding the permitted number of group memberships. Because the socket layer, and not the link layer, was being used for the transmission and reception of multicast IPv4 traffic, the use of multicast-promiscuous mode is not applicable (except where the underlying NIC driver would enable it to deal with running out of multicast hash filter entries). IPv6 is not affected - read on.

Analysis:

The reason for this is quite simple. struct ip_moptions contains a field after imo_memberships (the array which is statically sized by IP_MAX_MEMBERSHIPS). This limit is per-socket, *not* per-interface. This is consistent with the description of the code given in TCP/IP Illustrated Volume 2 (Wright/Stevens), section 12.7.
However, because we now have a field which is present after this array, referenced by the IGMP code and the IPv4 multicast routing code, a simple expansion (run-time or otherwise) of the array is not adequate to solve the problem. The way KAME avoided this in IPv6 was to hold IPv6 group memberships in a doubly linked list, which is probably acceptable given that these structures are traversed on multicast input/output and socket option manipulation.

Both NetBSD and OpenBSD are also affected by this issue, and potentially also Darwin and MacOS X. The way Linux has avoided this is by having the network code structured completely differently.

Resolution:

1. Rearrange struct ip_moptions in netinet/ip_var.h such that the IP_MAX_MEMBERSHIPS value, and thus the size of the imo_membership array, may be adjusted via a boot-time tunable. A relatively easy change but one that still breaks the ABI.

Or;

2. Change semantics of imo_membership to match those of netinet6, by using a linked list. A somewhat more involved change but one that still breaks the ABI.

The loadable kernel modules directly affected by the ABI breakage seem limited only to ip_mroute_mod.ko.

Comments? Suggestions?

BMS

From owner-freebsd-net@FreeBSD.ORG Tue May 9 12:39:46 2006
From: Milan Obuch
To: freebsd-net@freebsd.org
Date: Tue, 9 May 2006 14:39:25 +0200
References: <5EB31780BD297F46812C8F495FA08F620438CAE3@electron.jnpr.net> <4460207A.9050505@elischer.org>
Message-Id: <200605091439.26549.net@dino.sk>
Subject: Re: vrf support in FreeBSD

On Tuesday 09 May 2006 08:00, Edward B. DREGER wrote:
> JE> Date: Mon, 08 May 2006 21:54:18 -0700
> JE> From: Julian Elischer
>
> JE> how do you want to select which table should be used?
>
> Ingress interface.
>

Sounds reasonable; one important point is missing: packets locally originated/'destinated'. Other than that, fully acceptable.

> Consider: 802.3ad, ECMP, FIB, multi RIBs (e.g., OSPF vs BGP weight), VRF
>
> I started working on all of the above late in 2003 on 4.x; the project
> was shelved due to lack of interest and [other parts of] $job taking
> priority. I haven't looked at 5.x or 6.x code, but 4.x certainly would
> have benefited from an architectural overhaul.
>

Regards,
Milan

From owner-freebsd-net@FreeBSD.ORG Tue May 9 12:49:47 2006
Date: Tue, 9 May 2006 14:49:34 +0200 (CEST)
Message-Id: <200605091249.k49CnYOZ045251@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-net@FreeBSD.ORG
In-Reply-To: <4460207A.9050505@elischer.org>
Subject: Re: vrf support in FreeBSD

Julian Elischer wrote:
> Pramod Srinivasan wrote:
> > I am curious to know if there is any plans to support multiple routing
> > tables in FreeBSD's official release?
>
> I am doing some small bits of work on this..
>
> how do you want to select which table should be used?
> (This is more of a 'survey' as I am trying to work out what I should
> support)

It would be extremely useful if the routing table could be a per-process variable which is inherited by child processes. That way it would be possible, for example, to start Apache with its own routing table (which would be inherited by CGIs and other programs exec'ed by Apache).

Another approach would be to assign a routing table to a jail. However, for me personally, jails are currently not very useful because they can only have one IP. That limitation would have to be lifted first.

I would also like to have better control over the source IP of outgoing connections. I often have a lot of IP addresses configured on an interface which are assigned to different services (possibly belonging to different customers, i.e. they need to be accounted separately). Currently, the only generic way to force programs to use a certain source IP is to put them into a jail, but again, I often need multiple IPs for a service so it doesn't work with jails.
Same problem as above.

Just my 2 cents (since you asked for it). :-)

Best regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co. KG, Marktplatz 29, 85567 Grafing
Services with a focus on FreeBSD: http://www.secnetix.de/bsd
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"The last good thing written in C was Franz Schubert's Symphony number 9."
-- Erwin Dieterich

From owner-freebsd-net@FreeBSD.ORG Tue May 9 13:15:21 2006
Date: Tue, 9 May 2006 14:15:17 +0100
From: Bruce M Simpson
To: freebsd-net@freebsd.org, atanu@icir.org, pavlin@icir.org
Message-ID: <20060509131517.GB79277@spc.org>
References: <20060509122801.GA65297@spc.org>
In-Reply-To: <20060509122801.GA65297@spc.org>
Subject: Re: IP_MAX_MEMBERSHIPS story.

On Tue, May 09, 2006 at 01:28:01PM +0100, Bruce M Simpson wrote:
> A user recently reported a problem with running into IP_MAX_MEMBERSHIPS
> on a system running FreeBSD with IPv4 forwarding enabled, and running
> the OSPF routing protocol.

More background. People may be wondering why this is even an issue for FreeBSD as a router.

The answer: the imo_membership array contains members which exist as separate entries for each ifnet in the system, and the system where this was observed to be a problem had a number of ifnet interfaces which was larger than IP_MAX_MEMBERSHIPS (20).
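Added example (not code from Bruce's messages or from the FreeBSD sources): a user-space model of the bookkeeping described in this thread, so that the failure can be reproduced without a router that has more than twenty interfaces. It contrasts the fixed imo_membership array of IP_MAX_MEMBERSHIPS (20) entries (the current struct ip_moptions layout, and resolution 1 above with the tunable left at its default) with a linked list of the kind KAME uses for IPv6 (resolution 2), and joins 224.0.0.5 (AllSPFRouters) once per ifindex on one notional socket, which is what an OSPF daemon does on its raw socket. The struct, function and constant names other than IP_MAX_MEMBERSHIPS, and the ifindex numbering, are assumptions; ETOOMANYREFS is the errno the BSD ip_setmoptions() code returns when the array is full, as documented in TCP/IP Illustrated Volume 2.

```c
/* Added example (not from the thread or the FreeBSD sources): a model of
 * per-socket IPv4 multicast membership bookkeeping, contrasting the fixed
 * imo_membership array (IP_MAX_MEMBERSHIPS entries) with a linked list. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define IP_MAX_MEMBERSHIPS 20          /* the per-socket limit named in the thread */
#define ALL_OSPF_ROUTERS 0xe0000005u   /* 224.0.0.5, joined by OSPF on every interface */

struct membership { uint32_t group; int ifindex; };

/* Array model: what struct ip_moptions holds today. */
struct moptions_array {
    int num;
    struct membership memb[IP_MAX_MEMBERSHIPS];
};

/* Returns 0, EADDRINUSE for a duplicate (group, ifindex) pair, or
 * ETOOMANYREFS when the array is full, the errno BSD's ip_setmoptions() uses. */
static int array_add_membership(struct moptions_array *mo, uint32_t group, int ifindex) {
    for (int i = 0; i < mo->num; i++)
        if (mo->memb[i].group == group && mo->memb[i].ifindex == ifindex)
            return EADDRINUSE;
    if (mo->num == IP_MAX_MEMBERSHIPS)
        return ETOOMANYREFS;
    mo->memb[mo->num].group = group;
    mo->memb[mo->num].ifindex = ifindex;
    mo->num++;
    return 0;
}

/* List model: no static limit, as KAME does for IPv6 group memberships. */
struct mlist_entry { struct membership m; struct mlist_entry *next; };
struct moptions_list { struct mlist_entry *head; int num; };

static int list_add_membership(struct moptions_list *mo, uint32_t group, int ifindex) {
    for (struct mlist_entry *e = mo->head; e != NULL; e = e->next)
        if (e->m.group == group && e->m.ifindex == ifindex)
            return EADDRINUSE;
    struct mlist_entry *e = malloc(sizeof *e);
    if (e == NULL) return ENOBUFS;
    e->m.group = group;
    e->m.ifindex = ifindex;
    e->next = mo->head;
    mo->head = e;
    mo->num++;
    return 0;
}

static void list_free(struct moptions_list *mo) {
    while (mo->head != NULL) {
        struct mlist_entry *next = mo->head->next;
        free(mo->head);
        mo->head = next;
    }
    mo->num = 0;
}

/* Join ALL_OSPF_ROUTERS on interfaces 1..nifs through one socket, the way an
 * OSPF daemon does. Returns the errno of the first failed join, or 0. */
static int join_ospf_on_all_array(struct moptions_array *mo, int nifs) {
    memset(mo, 0, sizeof *mo);
    for (int i = 1; i <= nifs; i++) {
        int err = array_add_membership(mo, ALL_OSPF_ROUTERS, i);
        if (err) return err;
    }
    return 0;
}

static int join_ospf_on_all_list(struct moptions_list *mo, int nifs) {
    mo->head = NULL;
    mo->num = 0;
    for (int i = 1; i <= nifs; i++) {
        int err = list_add_membership(mo, ALL_OSPF_ROUTERS, i);
        if (err) return err;
    }
    return 0;
}

int main(void) {
    struct moptions_array a;
    struct moptions_list l;
    int nifs = IP_MAX_MEMBERSHIPS + 1;   /* one interface more than the array holds */
    int err = join_ospf_on_all_array(&a, nifs);
    printf("array model, %d interfaces: %s (%d joined)\n", nifs, err ? strerror(err) : "ok", a.num);
    err = join_ospf_on_all_list(&l, nifs);
    printf("list model, %d interfaces: %s (%d joined)\n", nifs, err ? strerror(err) : "ok", l.num);
    list_free(&l);
    return 0;
}
```

The operational check this suggests for a FreeBSD router is simple: count the interfaces on which the routing daemon joins a group through a single socket; once that count reaches IP_MAX_MEMBERSHIPS the next IP_ADD_MEMBERSHIP fails, and OSPF silently stops hearing neighbours on the interfaces it could not join.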
Regards,
BMS

From owner-freebsd-net@FreeBSD.ORG Tue May 9 15:39:22 2006
Date: Tue, 09 May 2006 12:38:52 -0300
From: "Kais Dridi"
Subject: Ask for help!

Hello,

I'm Kais DRIDI, an engineering student in the telecommunications field. I'm doing my training at the University of Moncton/Canada. I'm looking for some information (definitions in general) about VLAN (single and double tagging, translation) and Multicast (IGMP proxy, snooping, termination, filtering). So, I'd like to ask if you can give me, please, some information on these points, particularly on those that treat double tagging VLAN.

Your prompt reply is appreciated.

Sincerely,
Kais.

From owner-freebsd-net@FreeBSD.ORG Tue May 9 16:44:12 2006
Date: Tue, 09 May 2006 15:28:02 +0900
From: gnn@freebsd.org
To: Hideki Yamamoto
Cc: freebsd-net@freebsd.org
In-Reply-To: <20060508.054451.41688849.yamamoto436@oki.com>
References: <20060508.054451.41688849.yamamoto436@oki.com>
Subject: Re: IPv6 raw socket to send original udp

At Mon, 08 May 2006 05:44:51 +0900 (JST), Hideki Yamamoto wrote:
>
> Hi,
>
> I tried to use pf as a traffic shaper for a streaming server, but
> it does not work well. Input of pf is bursted packets within around 20
> msec, but is not bursted packets within around 100 msec or longer.
> This traffic pattern is the feature of the streaming server.
>
> As pf does not work well, I am thinking of designing an original shaper
> command on a bridge-like freebsd box, and that the command will receive
> the server packet via libpcap, shape it and then send it constantly to
> another device. To send packets from the bridge-like freebsd box, I plan
> to use a RAW IPV6 socket. However in my small experiment, it does not
> seem good, the IP_HDRINCL option does not work.
>
> I wonder if IPv6 raw socket can be used only for ICMPv6.
> I would like to use IPv6 raw socket for original udp packet.
>
> Thanks in advance.
>

Hi,

I have trimmed the cc to just -net because I am concerned mostly about the possibility of a bug in the networking code. Can you provide more information on what you're seeing on the raw IPv6 socket? If you could send a chunk of code, that might help as well.
Best,
George

From owner-freebsd-net@FreeBSD.ORG Tue May 9 17:47:16 2006
Message-ID: <4460D595.8000408@elischer.org>
Date: Tue, 09 May 2006 10:47:01 -0700
From: Julian Elischer
To: Milan Obuch
Cc: freebsd-net@freebsd.org
References: <5EB31780BD297F46812C8F495FA08F620438CAE3@electron.jnpr.net> <4460207A.9050505@elischer.org> <200605090825.28337.net@dino.sk>
In-Reply-To: <200605090825.28337.net@dino.sk>
Subject: Re: vrf support in FreeBSD

Milan Obuch wrote:
> On Tuesday 09 May 2006 06:54, Julian Elischer wrote:
> > Pramod Srinivasan wrote:
> > > Hi Folks,
> > >
> > > I am curious to know if there is any plans to support multiple routing
> > > tables in FreeBSD's official release?
> > >
> > > There was some discussion on this topic last year, if there is any vrf
> > > patch for a latest release of FreeBSD, I would love to give it a try.
> >
> > I am doing some small bits of work on this..
>
> Do you have anything to show/test? I am really interested in this and would
> like to help, however, I have no real kernel knowledge in this area, sorry.
>
> > how do you want to select which table should be used?
> > (This is more of a 'survey' as I am trying to work out what I should
> > support)
>
> I saw two approaches on this issue - older one (discovered by me sooner -
> spring 2003) was some MPLS patches made by Luigi Iannone uses per-socket
> option, somewhat similar to Cisco's method (specifying vrf on command line,
> however, I have no internal knowledge of IOS). Somewhat later I discovered
> Marco Zec's vimage patch, which enhances jails for this. This makes routing
> tables management and understanding simpler - at least for me.
> I would like to use second one or something similar.

I have a rather 'simplistic' solution..

I have altered ipfw 'table' so that you can do

  ipfw table 2 add 1.2.3.4/24 2.3.4.5

and you can then use it to do:

  ipfw add 300 fwd tablearg from myrouter to table(2) out recv fxp2

> Regards,
> Milan
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

From owner-freebsd-net@FreeBSD.ORG Tue May 9 20:25:22 2006
Message-ID: <1aa142960605091325j151df1f6j909ee9ca3ae0ed75@mail.gmail.com>
Date: Tue, 9 May 2006 13:25:13 -0700
From: "Ray Mihm"
To: "Julian Elischer"
Cc: freebsd-net@freebsd.org, Milan Obuch
In-Reply-To: <4460D595.8000408@elischer.org>
References: <5EB31780BD297F46812C8F495FA08F620438CAE3@electron.jnpr.net> <4460207A.9050505@elischer.org> <200605090825.28337.net@dino.sk> <4460D595.8000408@elischer.org>
Subject: Re: vrf support in FreeBSD

Can't you just incorporate Marko's work at http://www.tel.fer.hr/zec/BSD/vimage/index.html? The design looks pretty clean too. And, XORP which probably is multiple tables aware, would make FreeBSD a really kick-ass routing platform.

Just my $.02

Ray.

On 5/9/06, Julian Elischer wrote:
> Milan Obuch wrote:
> > On Tuesday 09 May 2006 06:54, Julian Elischer wrote:
> > > Pramod Srinivasan wrote:
> > > > Hi Folks,
> > > >
> > > > I am curious to know if there is any plans to support multiple routing
> > > > tables in FreeBSD's official release?
> > > >
> > > > There was some discussion on this topic last year, if there is any vrf
> > > > patch for a latest release of FreeBSD, I would love to give it a try.
> > >
> > > I am doing some small bits of work on this..
> >
> > Do you have anything to show/test? I am really interested in this and would
> > like to help, however, I have no real kernel knowledge in this area, sorry.
> >
> > > how do you want to select which table should be used?
> > > (This is more of a 'survey' as I am trying to work out what I should
> > > support)
> >
> > I saw two approaches on this issue - older one (discovered by me sooner -
> > spring 2003) was some MPLS patches made by Luigi Iannone uses per-socket
> > option, somewhat similar to Cisco's method (specifying vrf on command line,
> > however, I have no internal knowledge of IOS). Somewhat later I discovered
> > Marco Zec's vimage patch, which enhances jails for this. This makes routing
> > tables management and understanding simpler - at least for me. I would like
> > to use second one or something similar.
>
> I have a rather 'simplistic' solution..
>
> I have altered ipfw 'table' so that you can do
>
>   ipfw table 2 add 1.2.3.4/24 2.3.4.5
>
> and you can then use it to do:
>
>   ipfw add 300 fwd tablearg from myrouter to table(2) out recv fxp2
>
> > Regards,
> > Milan

From owner-freebsd-net@FreeBSD.ORG Tue May 9 20:40:21 2006
From: Milan Obuch
To: "Ray Mihm"
Cc: freebsd-net@freebsd.org, Julian Elischer
Date: Tue, 9 May 2006 22:39:45 +0200
References: <5EB31780BD297F46812C8F495FA08F620438CAE3@electron.jnpr.net> <4460D595.8000408@elischer.org> <1aa142960605091325j151df1f6j909ee9ca3ae0ed75@mail.gmail.com>
In-Reply-To: <1aa142960605091325j151df1f6j909ee9ca3ae0ed75@mail.gmail.com>
Message-Id: <200605092239.46594.net@dino.sk>
Subject: Re: vrf support in FreeBSD

On Tuesday 09 May 2006 22:25, Ray Mihm wrote:
> Can't you just incorporate Marko's work at
> http://www.tel.fer.hr/zec/BSD/vimage/index.html? The design looks
> pretty clean too. And, XORP which probably is multiple tables aware,
> would make FreeBSD a really kick-ass routing platform.
>

Unfortunately, this is not easily doable. There is a major architecture change after 4.x and Marko's work is 4.x based. But the base design is really clean and should be mimicked as closely as possible, imho.

I know this is not an easy task. Just shame on me I can't help here with some code :(

Regards,
Milan

Please reply to the mailing list only. I read it regularly.
From owner-freebsd-net@FreeBSD.ORG Tue May 9 20:45:14 2006
Message-ID: <4460FF4E.10305@ifi.unicamp.br>
Date: Tue, 09 May 2006 17:45:02 -0300
From: Carlos E Gaspar
To: freebsd-net@freebsd.org
Subject: ipfw divert with layer2 (if_bridge) packets

Hi.

I have the following setup:

FreeBSD abc5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #0: Wed Apr 26 14:58:22 BRT 2006 root@abc:/usr/src/sys/alpha/compile/ABC alpha

bridge0: flags=8043 mtu 1500
        ether xx:xx:xx:xx:xx:xx
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: de1 flags=3
        member: de0 flags=3

de1 is my internal interface (local) and de0 the external (internet). host1 is on de1. Bridge works fine (if_bridge).

With the following sysctl's:

net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw: 0
net.link.ether.ipfw: 1

I'm trying to divert layer2 packets using this ipfw rule, but the counters are always 0 0 as seen with 'ipfw show'.

divert 8000 log all from host1 to any layer2 in via de1

What's wrong? Is it possible to do that with if_bridge? Do I need FBSD 6.1?

Thanks in advance...
sorry about my english

Carlos Gaspar
carlosgaspar@yahoo.com

From owner-freebsd-net@FreeBSD.ORG Tue May 9 21:01:40 2006
Message-ID: <44610333.6070806@elischer.org>
Date: Tue, 09 May 2006 14:01:39 -0700
From: Julian Elischer
To: freebsd-net@freebsd.org
References: <4460FF4E.10305@ifi.unicamp.br>
In-Reply-To: <4460FF4E.10305@ifi.unicamp.br>
Subject: Re: ipfw divert with layer2 (if_bridge) packets

Carlos E Gaspar wrote:
> Hi.
>
> I have the following setup:
>
> FreeBSD abc5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #0: Wed Apr 26
> 14:58:22 BRT 2006 root@abc:/usr/src/sys/alpha/compile/ABC alpha
>
> bridge0: flags=8043 mtu 1500
>         ether xx:xx:xx:xx:xx:xx
>         priority 32768 hellotime 2 fwddelay 15 maxage 20
>         member: de1 flags=3
>         member: de0 flags=3
>
> de1 is my internal interface (local) and de0 the external (internet).
> host1 is on de1. Bridge works fine (if_bridge).
>
> With the following sysctl's:
>
> net.link.bridge.pfil_onlyip: 0
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 0
> net.link.bridge.ipfw: 0
> net.link.ether.ipfw: 1
>
> I'm trying to divert layer2 packets using this ipfw rule, but the
> counters are always 0 0 as seen with 'ipfw show'.

I don't know about if_bridge but layer2 and divert are not allowed together..

I have changes that make it work in 4.x but they will not apply to 5.x or later..

Luigi also has some changes that allow it..

>
> divert 8000 log all from host1 to any layer2 in via de1
>
> What's wrong? Is it possible to do that with if_bridge? Do I need FBSD
> 6.1?
> Thanks in advance...
> sorry about my english
>
> Carlos Gaspar
> carlosgaspar@yahoo.com
From owner-freebsd-net@FreeBSD.ORG Tue May 9 21:03:42 2006
From: Julian Elischer
To: Milan Obuch
Cc: freebsd-net@freebsd.org, Ray Mihm
Date: Tue, 09 May 2006 14:03:41 -0700
Subject: Re: vrf support in FreeBSD
Message-ID: <446103AD.5020006@elischer.org>
In-Reply-To: <200605092239.46594.net@dino.sk>

Milan Obuch wrote:
> On Tuesday 09 May 2006 22:25, Ray Mihm wrote:
>> Can't you just incorporate Marko's work at
>> http://www.tel.fer.hr/zec/BSD/vimage/index.html? The design looks
>> pretty clean too. And, XORP which probably is multiple tables aware,
>> would make FreeBSD a really kick-ass routing platform.

Marko and I have discussed this.
it is a very heavyweight solution..
using ipfw tables as ancillary routing tables is a very light weight solution..

> Unfortunately, this is not easily doable. There is major architecture change
> after 4.x and Marko's work is 4.x based. But base design is really clean and
> should be mimicked as close as possible, imho.
>
> I know this is not easy task. Just shame on me I can't help here with some
> code :(
>
> Regards,
> Milan
>
> Please reply to mailing list only. I read it regularly.
From owner-freebsd-net@FreeBSD.ORG Tue May 9 21:14:04 2006
From: Andrew Thompson
To: freebsd-net@freebsd.org
Date: Wed, 10 May 2006 09:13:57 +1200
Subject: Re: ipfw divert with layer2 (if_bridge) packets
Message-ID: <20060509211357.GA939@heff.fud.org.nz>
In-Reply-To: <4460FF4E.10305@ifi.unicamp.br>

On Tue, May 09, 2006 at 05:45:02PM -0300, Carlos E Gaspar wrote:
> Hi.
>
> I have the following setup:
>
> FreeBSD abc5.5-PRERELEASE FreeBSD 5.5-PRERELEASE #0: Wed Apr 26 14:58:22
> BRT 2006 root@abc:/usr/src/sys/alpha/compile/ABC alpha
>
> bridge0: flags=8043 mtu 1500
>         ether xx:xx:xx:xx:xx:xx
>         priority 32768 hellotime 2 fwddelay 15 maxage 20
>         member: de1 flags=3
>         member: de0 flags=3
>
> de1 is my internal interface (local) and de0 the external (internet).
> host1 is on de1. Bridge works fine (if_bridge).
>
> With the following sysctl's:
>
> net.link.bridge.pfil_onlyip: 0
> net.link.bridge.pfil_member: 1
> net.link.bridge.pfil_bridge: 0
> net.link.bridge.ipfw: 0
                        ^^^^^^^
This should be 1.

     net.link.bridge.ipfw
             Set to 1 to enable layer2 filtering with ipfirewall(4), set to
             0 to disable it.  This needs to be enabled for dummynet(4)
             support.  When ipfw is enabled, pfil_bridge and pfil_member
             will be disabled so that IPFW is not run twice; these can be
             re-enabled if desired.

Give that a try.
cheers,
Andrew
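A small checker for the knob interaction Andrew describes, added here as an example and not code from the thread: it reads `sysctl net.link.bridge` output and reports whether ipfw layer2 rules on bridge members can match at all, and whether pfil hooks would run twice. The sample sysctl text is constructed from the values quoted above, and the function names (`knob`, `bridge_filter_paths`, `layer2_rules_reachable`, `pfil_runs_twice`, `bridge_diagnose`) are chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses `sysctl net.link.bridge`
# text and reports which filtering paths bridged frames take, so a
# zero-count "layer2 in via <member>" ipfw rule can be traced to the knob.
# All function names are chosen for this example; on a live box run
#   bridge_diagnose "$(sysctl net.link.bridge)"

# knob TEXT NAME: numeric value of sysctl NAME in TEXT, or empty if absent.
knob() {
    printf '%s\n' "$1" | sed -n "s/^$2: *\([0-9]*\).*/\1/p" | head -n 1
}

# bridge_filter_paths TEXT: filtering paths enabled for bridged frames,
# space separated, or "none".
bridge_filter_paths() {
    paths=""
    [ "$(knob "$1" net.link.bridge.ipfw)" = 1 ] && paths="$paths layer2-ipfw"
    [ "$(knob "$1" net.link.bridge.pfil_member)" = 1 ] && paths="$paths pfil-member"
    [ "$(knob "$1" net.link.bridge.pfil_bridge)" = 1 ] && paths="$paths pfil-bridge"
    paths=${paths# }
    printf '%s\n' "${paths:-none}"
}

# layer2_rules_reachable TEXT: true if ipfw layer2 rules see bridged frames,
# which the manual page text quoted above ties to net.link.bridge.ipfw.
layer2_rules_reachable() {
    [ "$(knob "$1" net.link.bridge.ipfw)" = 1 ]
}

# pfil_runs_twice TEXT: true if pfil hooks fire on the member and again on
# the bridge interface, the double run the manual page warns about.
pfil_runs_twice() {
    [ "$(knob "$1" net.link.bridge.pfil_member)" = 1 ] &&
        [ "$(knob "$1" net.link.bridge.pfil_bridge)" = 1 ]
}

# bridge_diagnose TEXT: short verdict on stdout.
bridge_diagnose() {
    echo "filtering paths: $(bridge_filter_paths "$1")"
    if layer2_rules_reachable "$1"; then
        echo "ok: ipfw layer2 rules on bridge members can match"
    else
        echo "net.link.bridge.ipfw is not 1: ipfw layer2 rules never see"
        echo "bridged frames, so their counters stay at 0; set it to 1"
    fi
    if pfil_runs_twice "$1"; then
        echo "warning: pfil_member and pfil_bridge both set, rules run twice"
    fi
}

# Constructed samples, modelled on the sysctl values quoted in the thread.
SAMPLE_BROKEN='net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw: 0
net.link.ether.ipfw: 1'

SAMPLE_FIXED='net.link.bridge.pfil_onlyip: 0
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw: 1
net.link.ether.ipfw: 1'

SAMPLE_TWICE='net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 1
net.link.bridge.ipfw: 0'

echo "== as posted =="; bridge_diagnose "$SAMPLE_BROKEN"
echo "== with net.link.bridge.ipfw=1 =="; bridge_diagnose "$SAMPLE_FIXED"
```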
From owner-freebsd-net@FreeBSD.ORG Tue May 9 22:00:13 2006
From: "Ray Mihm"
To: "Julian Elischer"
Cc: freebsd-net@freebsd.org, Milan Obuch
Date: Tue, 9 May 2006 15:00:11 -0700
Subject: Re: vrf support in FreeBSD
Message-ID: <1aa142960605091500q6aca79d8l8eb2cdd0ff82ffe3@mail.gmail.com>
In-Reply-To: <446103AD.5020006@elischer.org>

Using ipfw tables is essentially a non-starter, IMHO. How would
routing protocols use ipfw based tables, for example? Marko's work
touches a lot of files, but I don't think it's heavy weight.

I also think using Marko's idea and Jails would allow creating the
notion of a logical system and multiple such logical systems may be
configured on a single FreeBSD system.

Regards,

Ray.

On 5/9/06, Julian Elischer wrote:
> Milan Obuch wrote:
>> On Tuesday 09 May 2006 22:25, Ray Mihm wrote:
>>> Can't you just incorporate Marko's work at
>>> http://www.tel.fer.hr/zec/BSD/vimage/index.html? The design looks
>>> pretty clean too. And, XORP which probably is multiple tables aware,
>>> would make FreeBSD a really kick-ass routing platform.
>
> Marko and I have discussed this.
> it is a very heavyweight solution..
> using ipfw tables as ancillary routing tables is a very light weight
> solution..
>
>> Unfortunately, this is not easily doable. There is major architecture change
>> after 4.x and Marko's work is 4.x based. But base design is really clean and
>> should be mimicked as close as possible, imho.
>>
>> I know this is not easy task.
>> Just shame on me I can't help here with some
>> code :(
>>
>> Regards,
>> Milan
>>
>> Please reply to mailing list only. I read it regularly.
From owner-freebsd-net@FreeBSD.ORG Tue May 9 23:16:32 2006
From: Julian Elischer
To: Ray Mihm
Cc: freebsd-net@freebsd.org, Milan Obuch
Date: Tue, 09 May 2006 16:16:30 -0700
Subject: Re: vrf support in FreeBSD
Message-ID: <446122CE.7010805@elischer.org>
In-Reply-To: <1aa142960605091500q6aca79d8l8eb2cdd0ff82ffe3@mail.gmail.com>

Ray Mihm wrote:
> Using ipfw tables is essentially a non-starter, IMHO. How would
> routing protocols use ipfw based tables, for example? Marko's work
> touches a lot of files, but I don't think it's heavy weight.
>
> I also think using Marko's idea and Jails would allow creating the
> notion of a logical system and multiple such logical systems may be
> configured on a single FreeBSD system.
>
> Regards,
>
> Ray.

Don't get me wrong.. I very much like vimage, and it is a great pity that it
(in the form it is in now)
is basically incompatible in concept with freeBSD 5+ (where most things
are modules)(*).

I've even done some small work on prototyping how one MIGHT be able to
make it happen, but for what I want (just be able to have some packets use
an alternative routing table), having ipfw fwd them according to a table
does just fine.

(*) The problem is that moving all globals to a structure only works if
you know what globals are linked in. If you load a module, you need to
expand the structure.
This is problematic to say the least. The same problem has been solved with
Thread-local-storage using hooks in the compiler and linker but I don't think
we can do that in the kernel. (at least not easily).
From owner-freebsd-net@FreeBSD.ORG Wed May 10 01:49:32 2006
From: "Edward B. DREGER"
To: freebsd-net@freebsd.org
Date: Wed, 10 May 2006 01:49:27 +0000 (GMT)
Subject: Re: vrf support in FreeBSD
In-Reply-To: <200605091439.26549.net@dino.sk>

MO> Date: Tue, 9 May 2006 14:39:25 +0200
MO> From: Milan Obuch
MO>
MO> > JE> how do you want to select which table should be used?
MO> > Ingress interface.
MO>
MO> Sounds reasonable, one important point missing - packets locally
MO> originated/'destinated'.
MO> Other than that, fully acceptable.

IMNSHO, I'd rather have a { default | manually-specified } table for
locally-sourced packets.

Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
From owner-freebsd-net@FreeBSD.ORG Wed May 10 04:22:58 2006
From: "Bruce A. Mah"
To: Ed Schouten
Cc: FreeBSD Net, ume@freebsd.org
Date: Tue, 09 May 2006 21:22:48 -0700
Subject: Re: nd6_lookup prints bogus messages with point to point devices
Message-ID: <44616A98.9070707@freebsd.org>
In-Reply-To: <20060508065841.GN15353@hoeg.nl>

If memory serves me right, Ed Schouten wrote:
> I'm seeing the messages on the machine in Eindhoven (running RELENG_6
> from a few days/weeks ago), but they also show up on my HEAD machine at
> home. Below is the output of `ifconfig gif0` on my machine at home:
>
> | gif0: flags=8051 mtu 1280
> |         tunnel inet 83.181.147.170 --> 193.109.122.244
> |         inet6 fe80::202:a5ff:fe58:4927%gif0 prefixlen 64 scopeid 0x7
> |         inet6 2001:7b8:310::1 --> 2001:7b8:2ff:a4::1 prefixlen 128

Hi Ed--

Fair enough...the workaround that I did won't work for you because it's
not possible to aggregate the two ends of the tunnel into a single /127.

> As far as I know, the latest FreeBSD releases show an error message when
> assigning an address with a non-128 prefixlen.

Actually I thought the problem was just point-to-point tunnel interfaces
with a prefix length of 128.
I am not sure what to do with your patch (which is what you originally asked
about) since I'm not sure what the correct behavior is in this case. In other
words, I know something's wrong but I don't know what the right solution is.

I'm copying suz@ and ume@ to see if either of them might have any opinion.
(Guys, sorry to bother you but could one of you take a look at this thread on
net@ and comment? Thanks!)

Bruce.
From owner-freebsd-net@FreeBSD.ORG Wed May 10 05:49:29 2006
From: "Ray Mihm"
To: "Julian Elischer"
Cc: freebsd-net@freebsd.org, Milan Obuch
Date: Tue, 9 May 2006 22:49:27 -0700
Subject: Re: vrf support in FreeBSD
Message-ID: <1aa142960605092249q21cededfq3cdcbd717f5f569f@mail.gmail.com>
In-Reply-To: <446122CE.7010805@elischer.org>

Point taken about the globals but layer 3 (IP) and layer 4 (TCP, UDP,
etc) aren't modules yet and that shouldn't be a problem right? I'm not
trying to trivialize or solve the problem here. But my point is, these
shouldn't be show-stoppers when you consider the benefit of having
this feature in FreeBSD.

Regards,

Ray.

On 5/9/06, Julian Elischer wrote:
> Ray Mihm wrote:
>
>> Using ipfw tables is essentially a non-starter, IMHO. How would
>> routing protocols use ipfw based tables, for example? Marko's work
>> touches a lot of files, but I don't think it's heavy weight.
>>
>> I also think using Marko's idea and Jails would allow creating the
>> notion of a logical system and multiple such logical systems may be
>> configured on a single FreeBSD system.
>>
>> Regards,
>>
>> Ray.
>
> Don't get me wrong.. I very much like vimage, and it is a great pity
> that it
> (in the form it is in now)
> is basically incompatible in concept with freeBSD 5+ (where most things
> are modules)(*).
>
> I've even done some small work on prototyping how one MIGHT be able to
> make it happen, but for what I want (just be able to have some packets use
> an alternative routing table), having ipfw fwd them according to a table
> does just fine.
>
> (*) The problem is that moving all globals to a structure only works if
> you know what globals
> are linked in. If you load a module, you need to expand the structure.
> This is problematic
> to say the least. The same problem has been solved with
> Thread-local-storage using hooks
> in the compiler and linker but I don't think we can do that in the
> kernel. (at least not easily).
From owner-freebsd-net@FreeBSD.ORG Wed May 10 06:07:21 2006
From: "Andrey V. Elsukov"
To: Julian Elischer
Cc: freebsd-net@freebsd.org
Date: Wed, 10 May 2006 10:07:10 +0400
Subject: Re: ipfw divert with layer2 (if_bridge) packets
Message-ID: <4461830E.8070207@yandex.ru>
In-Reply-To: <44610333.6070806@elischer.org>

Julian Elischer wrote:
> I have changes that make it work in 4.x but they will not apply to 5.x
> or later..
> Luigi also has some changes that allow it..

I can try porting the older patches which allow this.
Is there a chance for including this feature into base system?

--
WBR, Andrey V. Elsukov
From owner-freebsd-net@FreeBSD.ORG Wed May 10 06:15:05 2006
From: Luigi Rizzo
To: "Andrey V. Elsukov"
Cc: freebsd-net@freebsd.org, Julian Elischer
Date: Tue, 9 May 2006 23:14:57 -0700
Subject: Re: ipfw divert with layer2 (if_bridge) packets
Message-ID: <20060509231457.B67417@xorpc.icir.org>
In-Reply-To: <4461830E.8070207@yandex.ru>

On Wed, May 10, 2006 at 10:07:10AM +0400, Andrey V. Elsukov wrote:
> Julian Elischer wrote:
>> I have changes that make it work in 4.x but they will not apply to 5.x
>> or later..
>> Luigi also has some changes that allow it..
>
> I can try porting the older patches which allow this.
> Is there a chance for including this feature into base system?

sorry if i missed the earlier part of the thread...
the earlier patches i posted (for 4.x) had a race problem because
L2 packets would be processed with the wrong spl mask leading to
possible corruption in the socket buffer.
A fix for that involves sending divert packets to the ipintrq so they
could be reprocessed with the correct masks.
Probably 6.x does not have the same problem as the locking there is
different. So in that case it might just be a case of adapting the
patch to compile.
cheers
luigi
From owner-freebsd-net@FreeBSD.ORG Wed May 10 06:41:21 2006
From: Julian Elischer
To: Ray Mihm
Cc: freebsd-net@freebsd.org, Milan Obuch
Date: Tue, 09 May 2006 23:41:18 -0700
Subject: Re: vrf support in FreeBSD
Message-ID: <44618B0E.2050506@elischer.org>
In-Reply-To: <1aa142960605092249q21cededfq3cdcbd717f5f569f@mail.gmail.com>

Ray Mihm wrote:
> Point taken about the globals but layer 3 (IP) and layer 4 (TCP, UDP,
> etc) aren't modules yet and that shouldn't be a problem right? I'm not
> trying to trivialize or solve the problem here. But my point is, these
> shouldn't be show-stoppers when you consider the benefit of having
> this feature in FreeBSD.

They WILL be modules. At least we'd LIKE them to become modules.
Hopefully eventually almost everything will be a module.

>
> Regards,
>
> Ray.
>
>
> On 5/9/06, Julian Elischer wrote:
>
>> Ray Mihm wrote:
>>
>>> Using ipfw tables is essentially a non-starter, IMHO. How would
>>> routing protocols use ipfw based tables, for example? Marko's work
>>> touches a lot of files, but I don't think it's heavy weight.
>>>
>>> I also think using Marko's idea and Jails would allow creating the
>>> notion of a logical system and multiple such logical systems may be
>>> configured on a single FreeBSD system.
>>>
>>> Regards,
>>>
>>> Ray.
>>
>> Don't get me wrong.. I very much like vimage, and it is a great pity
>> that it
>> (in the form it is in now)
>> is basically incompatible in concept with freeBSD 5+ (where most things
>> are modules)(*).
>>
>> I've even done some small work on prototyping how one MIGHT be able to
>> make it happen, but for what I want (just be able to have some
>> packets use
>> an alternative routing table), having ipfw fwd them according to a table
>> does just fine.
>>
>> (*) The problem is that moving all globals to a structure only works if
>> you know what globals
>> are linked in. If you load a module, you need to expand the structure.
>> This is problematic
>> to say the least. The same problem has been solved with
>> Thread-local-storage using hooks
>> in the compiler and linker but I don't think we can do that in the
>> kernel. (at least not easily).
From owner-freebsd-net@FreeBSD.ORG Wed May 10 06:41:21 2006
From: "Andrey V. Elsukov"
To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Date: Wed, 10 May 2006 10:41:14 +0400
Subject: [patch] ipfw packet tagging
Message-ID: <44618B0A.60504@yandex.ru>

Hi, All!

I have written a small patch for packet tagging with ipfw.
The description of OpenBSD packet tagging is here:
http://www.openbsd.org/faq/pf/tagging.html
IPFW tags are not compatible with PF tags.

This feature can be usable with some netgraph modules. We can create
a netgraph node that marks packets with some tags and use this node
with other nodes. IPFW can detect and filter packets with tags.
Also we can mark packets before NAT and detect tagged packets after
translation. NAT based on divert sockets does not allow this, but i think
ng_nat can..

Patches can be found here:
http://butcher.heavennet.ru/patches/kernel/ipfw_tags/

--
WBR, Andrey V. Elsukov
From: Milan Obuch
To: freebsd-net@freebsd.org
Date: Wed, 10 May 2006 09:18:10 +0200
Message-Id: <200605100918.10875.net@dino.sk>
Subject: Re: vrf support in FreeBSD

On Wednesday 10 May 2006 03:49, Edward B. DREGER wrote:
> MO> Date: Tue, 9 May 2006 14:39:25 +0200
> MO> From: Milan Obuch
>
> MO> > JE> how do you want to select which table should be used?
> MO> > Ingress interface.
> MO>
> MO> Sounds reasonable, one important point missing - packets locally
> MO> originated/'destinated'.
> MO> Other than that, fully acceptable.
>
> IMNSHO, I'd rather have a { default | manually-specified } table for
> locally-sourced packets.
>

My point is I need two processes, say apache, running with two different routing tables (typically only the default route in there, but this does not conceptually matter). That's the whole point of why I was using Marko's vimages. (With more processes, but this does not matter here.)

Regards,
Milan
--
Please reply to mailing list only. I read it regularly.

From owner-freebsd-net@FreeBSD.ORG Wed May 10 07:26:22 2006
From: Milan Obuch
To: freebsd-net@freebsd.org
Date: Wed, 10 May 2006 09:26:15 +0200
In-Reply-To: <446122CE.7010805@elischer.org>
Message-Id: <200605100926.16146.net@dino.sk>
Subject: Re: vrf support in FreeBSD

On Wednesday 10 May 2006 01:16, Julian Elischer wrote:
> Ray Mihm wrote:
> > Using ipfw tables is essentially a non-starter, IMHO. How would
> > routing protocols use ipfw based tables, for example? Marko's work
> > touches a lot of files, but I don't think it's heavy weight.
> >
> > I also think using Marko's idea and Jails would allow creating the
> > notion of a logical system, and multiple such logical systems may be
> > configured on a single FreeBSD system.
> >
> > Regards,
> >
> > Ray.
>
> Don't get me wrong.. I very much like vimage, and it is a great pity
> that it (in the form it is in now) is basically incompatible in concept
> with FreeBSD 5+ (where most things are modules)(*).
>
> I've even done some small work on prototyping how one MIGHT be able to
> make it happen, but for what I want (just be able to have some packets use
> an alternative routing table), having ipfw fwd them according to a table
> does just fine.
>

Could we eventually add a per-process routing table tag inherited by the child? It was suggested earlier in this thread, and it looks like a temporary solution that is not that hard to do. With some simple management utility (change routing tag, show routing tag for a given process) it could serve many useful purposes. I do like the ipfw solution as well, but this one is conceptually much simpler, at least in my somewhat biased and vimage-influenced eyes.

Regards,
Milan
--
Please reply to mailing list only. I read it regularly.

From owner-freebsd-net@FreeBSD.ORG Wed May 10 07:27:49 2006
Message-ID: <446195E3.8080903@mersin.edu.tr> Date: Wed, 10 May 2006 10:27:31 +0300
From: Özkan KIRIK
To: freebsd-net@freebsd.org
In-Reply-To: <20060509231457.B67417@xorpc.icir.org>
Subject: Re: ipfw divert with layer2 (if_bridge) packets

Hi, I have a question about these similar problems with bridging.

I use if_bridge on a FreeBSD 6.1 box. ipfw doesn't support fwd rules via bridge, so I had to use pf for transparent proxying. But pf doesn't work like fwd: pf does NAT (rdr) on the packets, so the proxy software can't find the original destination address.

Once upon a time, someone wrote a patch for FreeBSD 4.x to make the fwd action work with bridge. What about if_bridge? Does that patch work on FreeBSD 6.x? If not, can it be ported to 6.x?

I think the fwd action is a bit like the divert action. If the divert action works, I think fwd could work too. What do you think about this subject?

yours sincerely
Ozkan KIRIK

Luigi Rizzo wrote:
> On Wed, May 10, 2006 at 10:07:10AM +0400, Andrey V. Elsukov wrote:
> > Julian Elischer wrote:
> > > I have changes that make it work in 4.x but they will not apply to 5.x
> > > or later..
> > > Luigi also has some changes that allow it..
> >
> > I can try porting the older patches which allow this.
> > Is there a chance for including this feature into the base system?
>
> sorry if i missed the earlier part of the thread...
>
> the earlier patches i posted (for 4.x) had a race problem because L2
> packets would be processed with the wrong spl mask leading to
> possible corruption in the socket buffer.
> A fix for that involves sending divert packets to the ipintrq
> so they could be reprocessed with the correct masks.
>
> Probably 6.x does not have the same problem as the locking there
> is different. So in that case it might just be a case of adapting
> the patch to compile.
>
> cheers
> luigi
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

From owner-freebsd-net@FreeBSD.ORG Wed May 10 12:47:52 2006
Message-ID: <20060510124748.5832.qmail@web36305.mail.mud.yahoo.com>
Date: Wed, 10 May 2006 05:47:48 -0700 (PDT)
From: Nash Nipples
To: freebsd-net@freebsd.org
Subject: How do i send mail to certain domain users over external smtp using sendmail?

Hi, I just don't see any options to make it work.

"| /usr/sbin/sendmail -Ac -t" works fine
but "| /usr/sbin/sendmail -O ConnectOnlyTo=smtp.external.co... -Ac -t" just won't work:

WARNING: RunAsUser for MSP ignored, check group ids (egid=10103, want=25)
can not chdir(/var/spool/clientmqueue/... Permission denied
Program mode requires special privileges, e.g., root or TrustedUser.
554 5.3.5 Local configuration error

I don't want to set up trusted users. Any work-around available?

thanks
From owner-freebsd-net@FreeBSD.ORG Wed May 10 15:47:05 2006
Date: Wed, 10 May 2006 12:46:16 -0300
From: Duane Whitty
To: Nash Nipples
Cc: freebsd-net@freebsd.org
In-reply-to: <20060510124748.5832.qmail@web36305.mail.mud.yahoo.com>
Message-id: <44620AC8.8040806@greenmeadow.ca>
Subject: Re: How do i send mail to certain domain users over external smtp using sendmail?

Nash Nipples wrote:
> hi, i just dont see any options to make it work
>
> "| /usr/sbin/sendmail -Ac -t" works fine
> but "| /usr/sbin/sendmail -O ConnectOnlyTo=smtp.external.co... -Ac -t" just wont work:
> WARNING: RunAsUser for MSP ignored, check group ids (egid=10103, want=25)
> can not chdir(/var/spool/clientmqueue/... Permission denied
> Program mode requires special privileges, e.g., root or TrustedUser.
> 554 5.3.5 Local configuration error
>
> I dont want to set up trusted users. Any work-around available?
>
> thanks

Hi,

To clarify for myself, are you asking: given domains abc.com, foo.com, bar.com, and anotherdomain.com, how to use your local SMTP to send mail to abc.com and foo.com but use an external SMTP to send mail to bar.com and anotherdomain.com?

If so, then you can use the SMART_HOST define and the confCW_FILE define in your /etc/mail/sendmail.mc file and put the hosts you want processed via local SMTP in the file named by the confCW_FILE define. If you just have one domain you want handled locally then you might also just put an entry like Cwfoo.com in /etc/mail/sendmail.cf. Your file names may vary depending upon your configuration.

Hope this helps.

Sincerely,

Duane Whitty
--
duane@greenmeadow.ca

From owner-freebsd-net@FreeBSD.ORG Wed May 10 17:02:18 2006
Date: Wed, 10 May 2006 17:02:17 GMT
From: Tilman Linneweh
Message-Id: <200605101702.k4AH2HT1054916@freefall.freebsd.org>
To: arved@FreeBSD.org, diffie@blazebox.homeip.net, arved@FreeBSD.org, freebsd-net@FreeBSD.org
Subject: Re: kern/93220: [inet6] nd6_lookup: failed to add route for a neighbor

Synopsis: [inet6] nd6_lookup: failed to add route for a neighbor

State-Changed-From-To: feedback->analyzed
State-Changed-By: arved
State-Changed-When: Wed May 10 17:00:57 UTC 2006
State-Changed-Why:
Ed Schouten proposed a patch, http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010540.html

http://www.freebsd.org/cgi/query-pr.cgi?pr=93220

From owner-freebsd-net@FreeBSD.ORG Thu May 11 11:27:28 2006
Message-ID: <20060511112726.90378.qmail@web36315.mail.mud.yahoo.com>
Date: Thu, 11 May 2006 04:27:26 -0700 (PDT)
From: Nash Nipples
To: Duane Whitty
Cc: freebsd-net@freebsd.org
In-Reply-To: <44620AC8.8040806@greenmeadow.ca>
Subject: Re: How do i send mail to certain domain users over external smtp using sendmail?

Duane Whitty wrote:
> Nash Nipples wrote:
> > hi, i just dont see any options to make it work
> >
> > "| /usr/sbin/sendmail -Ac -t" works fine
> > but "| /usr/sbin/sendmail -O ConnectOnlyTo=smtp.external.co... -Ac -t" just wont work:
> > WARNING: RunAsUser for MSP ignored, check group ids (egid=10103, want=25)
> > can not chdir(/var/spool/clientmqueue/... Permission denied
> > Program mode requires special privileges, e.g., root or TrustedUser.
> > 554 5.3.5 Local configuration error
> >
> > I dont want to set up trusted users. Any work-around available?
> >
> > thanks
>
> Hi,
>
> To clarify for myself, are you asking:
> given domains abc.com, foo.com, bar.com , and anotherdomain.com
> how to use your local SMTP to send mail to abc.com and foo.com but use
> an external SMTP to send mail to bar.com and anotherdomain.com?
>
> If so, then you can use the SMART_HOST define and the confCW_FILE define
> in your /etc/mail/sendmail.mc file and put hosts you want processed via
> local SMTP in the file defined in confCW_FILE define. If you just have
> one domain you want handled locally then you might also just put an entry
> like Cwfoo.com in /etc/mailsendmail.cf. Your file names may vary
> depending upon you configuration.
>
> Hope this helps.
>
> Sincerely,
>
> Duane Whitty
> --
> duane@greenmeadow.ca

Umm, yeah! Thanks. It's all about SMART_HOST.

Nash

From owner-freebsd-net@FreeBSD.ORG Thu May 11 13:03:45 2006
Date: Thu, 11 May 2006 14:03:41 +0100
From: Brian Candler
To: Nash Nipples
Cc: freebsd-net@freebsd.org
Message-ID: <20060511130341.GA9353@uk.tiscali.com>
In-Reply-To: <20060510124748.5832.qmail@web36305.mail.mud.yahoo.com>
Subject: Re: How do i send mail to certain domain users over external smtp using sendmail?

On Wed, May 10, 2006 at 05:47:48AM -0700, Nash Nipples wrote:
> hi, i just dont see any options to make it work
>
> "| /usr/sbin/sendmail -Ac -t" works fine
> but "| /usr/sbin/sendmail -O ConnectOnlyTo=smtp.external.co... -Ac -t" just wont work:
> WARNING: RunAsUser for MSP ignored, check group ids (egid=10103, want=25)
> can not chdir(/var/spool/clientmqueue/... Permission denied
> Program mode requires special privileges, e.g., root or TrustedUser.
> 554 5.3.5 Local configuration error
>
> I dont want to set up trusted users. Any work-around available?

Upgrade to exim - *any* mail routing policy you can think of can be implemented in exim.
From owner-freebsd-net@FreeBSD.ORG Thu May 11 13:25:15 2006
Message-ID: <44633B3A.8090302@crc.u-strasbg.fr>
Date: Thu, 11 May 2006 15:25:14 +0200
From: Philippe Pegon
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject: carp with IPv6 broken on 6.1-RELEASE

Hi,

I've already posted this on freebsd-stable@ but maybe freebsd-pf or freebsd-net is a more appropriate place... It seems that carp is broken on FreeBSD 6.1-RELEASE when an inet6 address is configured on a carp interface. Since I upgraded from 6.0 to 6.1 (today) I can't see IPv6 carp advertisements with tcpdump. Did someone else notice this?

thanks
--
Philippe Pegon

From owner-freebsd-net@FreeBSD.ORG Thu May 11 13:34:22 2006
Message-ID: <20060511133421.35169.qmail@web36302.mail.mud.yahoo.com>
Date: Thu, 11 May 2006 06:34:21 -0700 (PDT)
From: Nash Nipples
To: bv@wjv.com
Cc: freebsd-net@freebsd.org
In-Reply-To: <20060511131302.GB68254@wjv.com>
Subject: Re: How do i send mail to certain domain users over external smtp using sendmail?

How can I ask sendmail to give up an email to "another" SMTP agent when the destination user is considered local but not trusted to run a different submit.cf?

Basically it could turn into a possible leak attempt unless it's defined in a local "but not really local" routing table, which "implies not!" (no antonym found) the straightforward design of sendmail (along with the internet structure). Somewhat like "why can't I send email when I physically can, and why can't you read it here when you physically can"
"if I can't send it physically, helo, I need a fallback MX" but what to do with "helo, I can't read it here, can I have a replicator please?"

See? Or not?

nash
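Duane's SMART_HOST and confCW_FILE answer, together with sendmail's mailertable feature, worked through as an added shell example that is not code from any poster: the sendmail.mc lines sit in the comment, and the two functions reproduce the lookup order of the stock ruleset 0 over constructed local-host-names and mailertable files. All host names are placeholders, and the ordering (class w first, then mailertable with its dotted-suffix key search, then SMART_HOST) is my reading of cf/m4/proto.m4, so treat it as an assumption rather than sendmail's own code.

```shell
#!/bin/sh
# Added example, not code from any poster: a shell model of where sendmail
# sends a recipient domain once the routing policy lives in root-owned
# /etc/mail config. The per-invocation "-O ConnectOnlyTo" in the original
# question was refused because the MSP does not honour such overrides from
# an untrusted user; keeping the policy in config avoids making anyone a
# TrustedUser.
#
# sendmail.mc lines that set this up (real m4 names; host names are
# constructed placeholders), then "cd /etc/mail && make" to rebuild
# sendmail.cf and mailertable.db:
#   define(`SMART_HOST', `smtp.external.example')
#   define(`confCW_FILE', `/etc/mail/local-host-names')
#   FEATURE(`mailertable', `hash -o /etc/mail/mailertable')
#
# Lookup order modelled below (my reading of the stock cf/m4/proto.m4
# ruleset 0; an assumption, since sendmail itself is not run here):
#   1. domain in class w (confCW_FILE) -> local delivery, mailertable skipped
#   2. mailertable: exact key, then .sub.domain, .domain, .tld suffix keys
#   3. anything else                   -> SMART_HOST

WORK=$(mktemp -d)
LOCAL_HOST_NAMES=$WORK/local-host-names
MAILERTABLE=$WORK/mailertable
SMART_HOST=smtp.external.example        # constructed placeholder

# Constructed sample of confCW_FILE: domains sendmail treats as local.
cat >"$LOCAL_HOST_NAMES" <<'EOF'
abc.com
foo.com
EOF

# Constructed sample mailertable. A key without a leading dot matches only
# that exact name; a key with a leading dot matches its sub-domains.
# "[host]" makes sendmail connect to that host without an MX lookup.
cat >"$MAILERTABLE" <<'EOF'
bar.com            smtp:[mx.bar.example]
.bar.com           smtp:[mx.bar.example]
anotherdomain.com  relay:relay.anotherdomain.example
blocked.example    error:nohost Mail to this domain is not relayed here
EOF

# mailertable_lookup FILE DOMAIN: print the "mailer:host" value for DOMAIN
# using sendmail's key search order; return 1 when no key matches.
mailertable_lookup() {
    file=$1
    key=$2
    while :; do
        val=$(awk -v k="$key" \
            '$1 == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$file")
        if [ -n "$val" ]; then
            printf '%s\n' "$val"
            return 0
        fi
        rest=${key#.}                   # drop the leading dot, if any
        case $rest in
            *.*) key=".${rest#*.}" ;;   # strip one label, keep a leading dot
            *)   return 1 ;;            # ran out of suffixes: no match
        esac
    done
}

# route_domain DOMAIN: the decision sendmail reaches for mail to DOMAIN.
route_domain() {
    domain=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    if grep -qixF "$domain" "$LOCAL_HOST_NAMES"; then
        printf 'local:\n'               # class w wins before mailertable
        return 0
    fi
    if val=$(mailertable_lookup "$MAILERTABLE" "$domain"); then
        printf '%s\n' "$val"
        return 0
    fi
    printf 'relay:%s\n' "$SMART_HOST"   # default for every other domain
}

# Run with --demo to print the decision for a few constructed recipients.
if [ "${1:-}" = "--demo" ]; then
    for d in foo.com bar.com mail.bar.com anotherdomain.com \
             blocked.example unknown.example; do
        printf '%-18s -> %s\n' "$d" "$(route_domain "$d")"
    done
fi
```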
From owner-freebsd-net@FreeBSD.ORG Thu May 11 13:41:08 2006
Message-ID: <20060511132027.29797.qmail@web36302.mail.mud.yahoo.com>
Date: Thu, 11 May 2006 06:20:27 -0700 (PDT)
From: Nash Nipples
To: freebsd-net@freebsd.org
In-Reply-To: <20060511130341.GA9353@uk.tiscali.com>
Subject: Re: How do i send mail to certain domain users over external smtp using sendmail?

Brian Candler wrote:
> On Wed, May 10, 2006 at 05:47:48AM -0700, Nash Nipples wrote:
> > hi, i just dont see any options to make it work
> >
> > "| /usr/sbin/sendmail -Ac -t" works fine
> > but "| /usr/sbin/sendmail -O ConnectOnlyTo=smtp.external.co... -Ac -t" just wont work:
> > WARNING: RunAsUser for MSP ignored, check group ids (egid=10103, want=25)
> > can not chdir(/var/spool/clientmqueue/... Permission denied
> > Program mode requires special privileges, e.g., root or TrustedUser.
> > 554 5.3.5 Local configuration error
> >
> > I dont want to set up trusted users. Any work-around available?
>
> Upgrade to exim - *any* mail routing policy you can think of can be implemented in exim.

lol thanks! I've read about it and I think it's awesome, but yet I don't know: how do I uninstall sendmail?

Nash

From owner-freebsd-net@FreeBSD.ORG Thu May 11 13:41:36 2006
Date: Thu, 11 May 2006 09:13:02 -0400
From: Bill Vermillion To: Nash Nipples Message-ID: <20060511131302.GB68254@wjv.com> References: <44620AC8.8040806@greenmeadow.ca> <20060511112726.90378.qmail@web36315.mail.mud.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060511112726.90378.qmail@web36315.mail.mud.yahoo.com> Organization: W.J.Vermillion / Orlando - Winter Park ReplyTo: bv@wjv.com User-Agent: Mutt/1.5.11 X-Spam-Status: No, score=-2.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00, URIBL_JP_SURBL autolearn=no version=3.1.1 X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on bilver.wjv.com Cc: freebsd-net@freebsd.org, Duane Whitty Subject: Re: How do i send mail to certain domain users over external smtp using sendmail? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: bv@wjv.com List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 May 2006 13:42:09 -0000

The door open and in walked trouble - disguised as our old nemesis Nash Nipples, who uttered, at Thu, May 11, 2006 at 04:27 :

> Duane Whitty wrote: Nash Nipples wrote:
> > hi, I just don't see any options to make it work
> > "| /usr/sbin/sendmail -Ac -t" works fine
> > but "| /usr/sbin/sendmail -O ConnectOnlyTo=smtp.external.co... -Ac -t" just won't work:
> > WARNING: RunAsUser for MSP ignored, check group ids (egid=10103, want=25)
> > can not chdir(/var/spool/clientmqueue/... Permission denied
> > Program mode requires special privileges, e.g., root or TrustedUser.
> > 554 5.3.5 Local configuration error
> >
> > I don't want to set up trusted users. Any work-around available?
> >
> > thanks
>
> Hi,
>
> To clarify for myself, are you asking:
> given domains abc.com, foo.com, bar.com, and anotherdomain.com
> how to use your local SMTP to send mail to abc.com and foo.com but use
> an external SMTP to send mail to bar.com and anotherdomain.com?
>
> If so, then you can use the SMART_HOST define and the confCW_FILE define
> in your /etc/mail/sendmail.mc file and put hosts you want processed via
> local SMTP in the file defined in the confCW_FILE define. If you just have one domain
> you want handled locally then you might also just put an entry like
> Cwfoo.com in /etc/mail/sendmail.cf. Your file names may vary depending
> upon your configuration.
>
> Hope this helps.
>
> Sincerely,
>
> Duane Whitty

It's really pretty easy. Look at 'mailertable'. You can set mail to any domain you wish to go through any SMTP server you are permitted to use. Some places won't accept my mail as even though I'm on a STATIC IP and have been the same one for 3 years, they consider all DSL lines as spam sources. So depending on end destination I send some to my provider's transport, and others off to another machine I manage.

Setup is simple.

abc.com smtp:

And then just run make in /etc/mail to compile it.

Sendmail is very flexible.

Bill
--
Bill Vermillion - bv @ wjv .
com

From owner-freebsd-net@FreeBSD.ORG Thu May 11 14:23:18 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3450C16A400 for ; Thu, 11 May 2006 14:23:18 +0000 (UTC) (envelope-from trashy_bumper@yahoo.com) Received: from web36309.mail.mud.yahoo.com (web36309.mail.mud.yahoo.com [209.191.84.239]) by mx1.FreeBSD.org (Postfix) with SMTP id B192D443DE for ; Thu, 11 May 2006 14:23:17 +0000 (GMT) (envelope-from trashy_bumper@yahoo.com) Received: (qmail 58535 invoked by uid 60001); 11 May 2006 14:23:17 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=zh8m62wZYc+pli4nWNY5cBgwVoUW24YRKuG0HsVowIONaZQse3rvIi3oDoMnSKt6/hCBYW0UzzJBJjKjSLIFiIpiA9l3jG7yavNL9wp4FvvdfRpeB+P2AcVVklx2VLDOi0HFhye1yigrdcTAzfboKoG1uxbUL6l9vtn9NoFGfjw= ; Message-ID: <20060511142317.58533.qmail@web36309.mail.mud.yahoo.com> Received: from [213.227.200.244] by web36309.mail.mud.yahoo.com via HTTP; Thu, 11 May 2006 07:23:17 PDT Date: Thu, 11 May 2006 07:23:17 -0700 (PDT)
From: Nash Nipples To: bv@wjv.com In-Reply-To: <20060511131302.GB68254@wjv.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-net@freebsd.org Subject: Re: How do i send mail to certain domain users over external smtp using sendmail? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 May 2006 14:23:18 -0000

Bill!! You are my superman! lol I don't even know how to thank you. All I had to do is recompile the sendmail!!!!!! It is truly flexible and ununinstallable. :) mailertable did the thing. I would like to consider the problem to be solved, if no objections pending? Next time I will pay more time to the sendmail documentation prior to writing out the problems.

NASH!

-ty

Bill Vermillion wrote:

The door open and in walked trouble - disguised as our old nemesis Nash Nipples, who uttered, at Thu, May 11, 2006 at 04:27 :

> Duane Whitty wrote: Nash Nipples wrote:
> > hi, I just don't see any options to make it work
> > "| /usr/sbin/sendmail -Ac -t" works fine
> > but "| /usr/sbin/sendmail -O ConnectOnlyTo=smtp.external.co... -Ac -t" just won't work:
> > WARNING: RunAsUser for MSP ignored, check group ids (egid=10103, want=25)
> > can not chdir(/var/spool/clientmqueue/... Permission denied
> > Program mode requires special privileges, e.g., root or TrustedUser.
> > 554 5.3.5 Local configuration error
> >
> > I don't want to set up trusted users. Any work-around available?
> >
> > thanks
>
> Hi,
>
> To clarify for myself, are you asking:
> given domains abc.com, foo.com, bar.com, and anotherdomain.com
> how to use your local SMTP to send mail to abc.com and foo.com but use
> an external SMTP to send mail to bar.com and anotherdomain.com?
>
> If so, then you can use the SMART_HOST define and the confCW_FILE define
> in your /etc/mail/sendmail.mc file and put hosts you want processed via
> local SMTP in the file defined in the confCW_FILE define. If you just have one domain
> you want handled locally then you might also just put an entry like
> Cwfoo.com in /etc/mail/sendmail.cf. Your file names may vary depending
> upon your configuration.
>
> Hope this helps.
>
> Sincerely,
>
> Duane Whitty

It's really pretty easy. Look at 'mailertable'. You can set mail to any domain you wish to go through any SMTP server you are permitted to use. Some places won't accept my mail as even though I'm on a STATIC IP and have been the same one for 3 years, they consider all DSL lines as spam sources. So depending on end destination I send some to my provider's transport, and others off to another machine I manage.

Setup is simple.

abc.com smtp:

And then just run make in /etc/mail to compile it.

Sendmail is very flexible.

Bill
--
Bill Vermillion - bv @ wjv . com
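The mailertable approach Bill recommends in the message quoted above, written out as the file would look on a FreeBSD box. This is an added illustration, not text from the thread: the relay host name is a placeholder, and the two external domains are the ones from Duane's clarifying question. Each key is a domain (a leading dot also matches its subdomains) and each value is mailer:host; the square brackets tell sendmail to connect to that host directly instead of resolving its MX records. Because the routing decision lives in the server's configuration, the MSP no longer needs a per-invocation -O ConnectOnlyTo override, which is what tripped the TrustedUser check in the original error.

```text
# /etc/mail/mailertable (added illustration; relay name is a placeholder)
# key<TAB>mailer:host
bar.com             smtp:[smtp.external.example]
.bar.com            smtp:[smtp.external.example]
anotherdomain.com   smtp:[smtp.external.example]
```

FreeBSD's stock sendmail.mc enables FEATURE(mailertable) with a hash map (check with grep mailertable /etc/mail/*.mc), so after editing, cd /etc/mail && make rebuilds mailertable.db, and make restart makes a running sendmail pick it up. To confirm the routing without sending anything, run sendmail -bt and enter 3,0 user@bar.com: the last line of the resolution names the mailer and the host that will be used. Domains without a mailertable entry continue to route normally, so abc.com and foo.com keep going out locally.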
From owner-freebsd-net@FreeBSD.ORG Thu May 11 14:56:51 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3DF7B16A4FB for ; Thu, 11 May 2006 14:56:51 +0000 (UTC) (envelope-from bv@bilver.wjv.com) Received: from wjv.com (fl-65-40-24-38.sta.sprint-hsd.net [65.40.24.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6003C43D66 for ; Thu, 11 May 2006 14:56:50 +0000 (GMT) (envelope-from bv@bilver.wjv.com) Received: from bilver.wjv.com (localhost.wjv.com [127.0.0.1]) by wjv.com (8.13.6/8.13.1) with ESMTP id k4BEujKf069433; Thu, 11 May 2006 10:56:45 -0400 (EDT) (envelope-from bv@bilver.wjv.com) Received: (from bv@localhost) by bilver.wjv.com (8.13.6/8.13.1/Submit) id k4BEudl4069432; Thu, 11 May 2006 10:56:39 -0400 (EDT) (envelope-from bv) Date: Thu, 11 May 2006 10:56:39 -0400
From: Bill Vermillion To: Nash Nipples Message-ID: <20060511145639.GF68254@wjv.com> References: <20060511131302.GB68254@wjv.com> <20060511142317.58533.qmail@web36309.mail.mud.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060511142317.58533.qmail@web36309.mail.mud.yahoo.com> Organization: W.J.Vermillion / Orlando - Winter Park ReplyTo: bv@wjv.com User-Agent: Mutt/1.5.11 X-Spam-Status: No, score=-0.3 required=5.0 tests=ALL_TRUSTED,BAYES_00, URIBL_JP_SURBL autolearn=no version=3.1.1 X-Spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on bilver.wjv.com Cc: freebsd-net@freebsd.org Subject: Re: How do i send mail to certain domain users over external smtp using sendmail? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: bv@wjv.com List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 May 2006 14:56:51 -0000

On Thu, May 11, 2006 at 07:23 , while impersonating an expert on the internet, Nash Nipples sent this to stdout:

> Bill!! You are my superman! lol I don't even know how to thank you.

I've been running sendmail since it became more civilized in the early 1990s after running smail for a while.

> All I had to do is recompile the sendmail!!!!!! It is truly
> flexible and ununinstallable. :) mailertable did the thing.
> I would like to consider the problem to be solved, if no
> objections pending?

You really didn't have to recompile sendmail. Running make in /etc/mail would have compiled a new mailertable.db with nothing else required by you.

> Next time I will pay more time to the sendmail documentation
> prior to writing out the problems.

Reading documentation always helps. Learning to read documentation is the road to expertise.

And in another post you asked about having some user who is considered local use another SMTP agent.

Use virtusertable, also in /etc/mail. If you don't want 'joe', a local user, to get mail locally, put this in virtusertable:

joe joe@

And then re-run make.

I also use virtusertable to throw away things for users that don't exist. I just use the

@my.domain.name nouser

And in /etc/aliases I have 'nouser' aliased to /dev/null

Bill

> NASH!
>
> -ty
>
> Bill Vermillion wrote: The door open and in walked trouble - disguised as our old
> nemesis Nash Nipples, who uttered, at Thu, May 11, 2006 at 04:27 :
>
> > Duane Whitty wrote: Nash Nipples wrote:
> > > hi, I just don't see any options to make it work
> > > "| /usr/sbin/sendmail -Ac -t" works fine
> > > but "| /usr/sbin/sendmail -O ConnectOnlyTo=smtp.external.co... -Ac -t" just won't work:
> > > WARNING: RunAsUser for MSP ignored, check group ids (egid=10103, want=25)
> > > can not chdir(/var/spool/clientmqueue/... Permission denied
> > > Program mode requires special privileges, e.g., root or TrustedUser.
> > > 554 5.3.5 Local configuration error
> > >
> > > I don't want to set up trusted users. Any work-around available?
> > >
> > > thanks
> >
> > Hi,
> >
> > To clarify for myself, are you asking:
> > given domains abc.com, foo.com, bar.com, and anotherdomain.com
> > how to use your local SMTP to send mail to abc.com and foo.com but use
> > an external SMTP to send mail to bar.com and anotherdomain.com?
> >
> > If so, then you can use the SMART_HOST define and the confCW_FILE define
> > in your /etc/mail/sendmail.mc file and put hosts you want processed via
> > local SMTP in the file defined in the confCW_FILE define. If you just have one domain
> > you want handled locally then you might also just put an entry like
> > Cwfoo.com in /etc/mail/sendmail.cf. Your file names may vary depending
> > upon your configuration.
> >
> > Hope this helps.
> >
> > Sincerely,
> >
> > Duane Whitty
>
> It's really pretty easy. Look at 'mailertable'. You can set mail
> to any domain you wish to go through any SMTP server you are
> permitted to use. Some places won't accept my mail as even though
> I'm on a STATIC IP and have been the same one for 3 years, they
> consider all DSL lines as spam sources. So depending on end
> destination I send some to my provider's transport, and others off
> to another machine I manage.
>
> Setup is simple.
>
> abc.com smtp:
>
> And then just run make in /etc/mail to compile it.
>
> Sendmail is very flexible.
>
> Bill
> --
> Bill Vermillion - bv @ wjv . com

--
Bill Vermillion - bv @ wjv .
com

From owner-freebsd-net@FreeBSD.ORG Thu May 11 19:12:23 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 38C2316A553 for ; Thu, 11 May 2006 19:12:23 +0000 (UTC) (envelope-from b.candler@pobox.com) Received: from proof.pobox.com (proof.pobox.com [207.106.133.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id DE36543D68 for ; Thu, 11 May 2006 19:12:15 +0000 (GMT) (envelope-from b.candler@pobox.com) Received: from proof (localhost [127.0.0.1]) by proof.pobox.com (Postfix) with ESMTP id 101FE243AF; Thu, 11 May 2006 15:12:15 -0400 (EDT) Received: from mappit.local.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by proof.sasl.smtp.pobox.com (Postfix) with ESMTP id C8EA42C5B5; Thu, 11 May 2006 15:12:13 -0400 (EDT) Received: from brian by mappit.local.linnet.org with local (Exim 4.61 (FreeBSD)) (envelope-from ) id 1FeGa4-0002gw-De; Thu, 11 May 2006 20:12:12 +0100 Date: Thu, 11 May 2006 20:12:12 +0100
From: Brian Candler To: Nash Nipples Message-ID: <20060511191212.GA10296@uk.tiscali.com> References: <20060511130341.GA9353@uk.tiscali.com> <20060511131959.29296.qmail@web36302.mail.mud.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060511131959.29296.qmail@web36302.mail.mud.yahoo.com> User-Agent: Mutt/1.4.2.1i Cc: freebsd-net@freebsd.org Subject: Re: How do i send mail to certain domain users over external smtp using sendmail? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 May 2006 19:12:26 -0000

On Thu, May 11, 2006 at 06:19:59AM -0700, Nash Nipples wrote:
> Upgrade to exim - *any* mail routing policy you can think of can be
> implemented in exim.
>
> lol thanks! I've read about it and I think it's awesome but yet I don't
> know how do I uninstall sendmail?

It's part of the base system, so you just ignore it.

1. Install exim from ports or packages

2. Edit /etc/mail/mailer.conf so that it reads

sendmail        /usr/local/sbin/exim
send-mail       /usr/local/sbin/exim
mailq           /usr/local/sbin/exim
# optional extras
newaliases      /usr/bin/true
hoststat        /usr/local/sbin/exim_dumpdb /var/spool/exim wait-remote_smtp
purgestat       /usr/local/sbin/exim_tidydb -t 1d /var/spool/exim wait-remote_smtp

(I'm not sure if the port does that for you automatically)

3. Edit /etc/rc.conf

sendmail_enable="NONE"
exim_enable="YES"

So whilst this doesn't actually purge your system of the devil-spawn, it does neutralise it :-)

The default install works as a basic out-of-the-box sendmail: i.e. it delivers to mbox files /var/mail/foo, honours /etc/aliases and .forward files. You then read the config samples and start tweaking to add whatever features and policies you like. The entire flow-of-control, from accepting mail to delivering it, is soft-coded in the configure file (but it doesn't look like Snoopy swearing)

Regards,

Brian.

From owner-freebsd-net@FreeBSD.ORG Fri May 12 02:39:33 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD0FB16A42B for ; Fri, 12 May 2006 02:39:33 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id F095843EC9 for ; Fri, 12 May 2006 02:05:32 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 6153746D33; Thu, 11 May 2006 22:05:31 -0400 (EDT) Date: Fri, 12 May 2006 03:05:31 +0100 (BST)
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Bruce M Simpson In-Reply-To: <20060509131517.GB79277@spc.org> Message-ID: <20060512030152.X20138@fledge.watson.org> References: <20060509122801.GA65297@spc.org> <20060509131517.GB79277@spc.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-net@freebsd.org, pavlin@icir.org, atanu@icir.org Subject: Re: IP_MAX_MEMBERSHIPS story. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 02:39:38 -0000

On Tue, 9 May 2006, Bruce M Simpson wrote:

> On Tue, May 09, 2006 at 01:28:01PM +0100, Bruce M Simpson wrote:
> > A user recently reported a problem with running into IP_MAX_MEMBERSHIPS
> > on a system running FreeBSD with IPv4 forwarding enabled, and running
> > the OSPF routing protocol.
>
> More background. People may be wondering why this is even an issue for
> FreeBSD as a router.
>
> The answer: the imo_membership array contains members which exist as
> separate entries for each ifnet in the system, and the system where this was
> observed to be a problem had a number of ifnet interfaces which was larger
> than IP_MAX_MEMBERSHIPS (20).

I'm loosely of the opinion that the membership array should be variable length, and that we should default it to 20, but have a significantly larger maximum. It's not horribly efficient, but also wouldn't be so particularly terrible either.

Robert N M Watson

From owner-freebsd-net@FreeBSD.ORG Fri May 12 03:44:03 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CFBD516A56C for ; Fri, 12 May 2006 03:44:03 +0000 (UTC) (envelope-from Stephen.Clark@seclark.us) Received: from smtpout05-04.prod.mesa1.secureserver.net (smtpout05-04.prod.mesa1.secureserver.net [64.202.165.221]) by mx1.FreeBSD.org (Postfix) with SMTP id D4B3B43F26 for ; Fri, 12 May 2006 03:12:30 +0000 (GMT) (envelope-from Stephen.Clark@seclark.us) Received: (qmail 28391 invoked from network); 12 May 2006 03:12:30 -0000 Received: from unknown (24.144.77.138) by smtpout05-04.prod.mesa1.secureserver.net (64.202.165.221) with ESMTP; 12 May 2006 03:12:30 -0000 Message-ID: <4463FD1D.9010600@seclark.us> Date: Thu, 11 May 2006 23:12:29 -0400
From: Stephen Clark User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-22smp i686; en-US; m18) Gecko/20010110 Netscape6/6.5 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Robert Watson References: <20060509122801.GA65297@spc.org> <20060509131517.GB79277@spc.org> <20060512030152.X20138@fledge.watson.org> In-Reply-To: <20060512030152.X20138@fledge.watson.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: pavlin@icir.org, atanu@icir.org, freebsd-net@freebsd.org Subject: Re: IP_MAX_MEMBERSHIPS story. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Stephen.Clark@seclark.us List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 03:44:22 -0000

Robert Watson wrote:

> On Tue, 9 May 2006, Bruce M Simpson wrote:
>
> > On Tue, May 09, 2006 at 01:28:01PM +0100, Bruce M Simpson wrote:
> >
> > > A user recently reported a problem with running into IP_MAX_MEMBERSHIPS
> > > on a system running FreeBSD with IPv4 forwarding enabled, and running
> > > the OSPF routing protocol.
> >
> > More background. People may be wondering why this is even an issue for
> > FreeBSD as a router.
> >
> > The answer: the imo_membership array contains members which exist as
> > separate entries for each ifnet in the system, and the system where this was
> > observed to be a problem had a number of ifnet interfaces which was larger
> > than IP_MAX_MEMBERSHIPS (20).
>
> I'm loosely of the opinion that the membership array should be variable
> length, and that we should default it to 20, but have a significantly larger
> maximum. It's not horribly efficient, but also wouldn't be so particularly
> terrible either.
>
> Robert N M Watson

I think it should be tunable other than going in and changing the source code, which I have to do every time I do a cvsup.

My $.02

Steve
--
"They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty decreases." (Thomas Jefferson)

From owner-freebsd-net@FreeBSD.ORG Fri May 12 03:59:57 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 990CD16A425 for ; Fri, 12 May 2006 03:59:57 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 571CA43DA9 for ; Fri, 12 May 2006 03:59:56 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id E3D6946CE3; Thu, 11 May 2006 23:59:55 -0400 (EDT) Date: Fri, 12 May 2006 04:59:55 +0100 (BST)
From: Robert Watson X-X-Sender: robert@fledge.watson.org To: Stephen Clark In-Reply-To: <4463FD1D.9010600@seclark.us> Message-ID: <20060512045737.H24490@fledge.watson.org> References: <20060509122801.GA65297@spc.org> <20060509131517.GB79277@spc.org> <20060512030152.X20138@fledge.watson.org> <4463FD1D.9010600@seclark.us> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: pavlin@icir.org, atanu@icir.org, freebsd-net@freebsd.org Subject: Re: IP_MAX_MEMBERSHIPS story. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 04:00:05 -0000

On Thu, 11 May 2006, Stephen Clark wrote:

> > I'm loosely of the opinion that the membership array should be variable
> > length, and that we should default it to 20, but have a significantly
> > larger maximum. It's not horribly efficient, but also wouldn't be so
> > particularly terrible either.
>
> I think it should be tunable other than going in and changing the source code,
> which I have to do every time I do a cvsup.

I'm suggesting we have a dynamically sized array, which defaults to a limit of 20, but can be reallocated and scaled as necessary up to a larger maximum.

Robert N M Watson

From owner-freebsd-net@FreeBSD.ORG Fri May 12 13:12:32 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2753E16A400; Fri, 12 May 2006 13:12:32 +0000 (UTC) (envelope-from bms@spc.org) Received: from mindfull.spc.org (mindfull.spc.org [83.167.185.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 723B243D45; Fri, 12 May 2006 13:12:31 +0000 (GMT) (envelope-from bms@spc.org) Received: from arginine.spc.org ([83.167.185.2]) by mindfull.spc.org with esmtps (TLSv1:AES256-SHA:256) (Exim 4.52) id 1FeXRS-0004je-Hr; Fri, 12 May 2006 14:12:26 +0100 Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id BFCEB65499; Fri, 12 May 2006 14:12:28 +0100 (BST) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 95131-01-2; Fri, 12 May 2006 14:12:27 +0100 (BST) Received: by arginine.spc.org (Postfix, from userid 1078) id B287E653F9; Fri, 12 May 2006 14:12:27 +0100 (BST) Date: Fri, 12 May 2006 14:12:27 +0100
From: Bruce M Simpson To: Stephen Clark Message-ID: <20060512131227.GD79277@spc.org> Mail-Followup-To: Bruce M Simpson , Stephen Clark , Robert Watson , freebsd-net@freebsd.org, pavlin@icir.org, atanu@icir.org References: <20060509122801.GA65297@spc.org> <20060509131517.GB79277@spc.org> <20060512030152.X20138@fledge.watson.org> <4463FD1D.9010600@seclark.us> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4463FD1D.9010600@seclark.us> User-Agent: Mutt/1.4.1i Organization: Incunabulum X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - mindfull.spc.org X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - spc.org X-Source: X-Source-Args: X-Source-Dir: Cc: freebsd-net@freebsd.org, Robert Watson , pavlin@icir.org, atanu@icir.org Subject: Re: IP_MAX_MEMBERSHIPS story. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 13:12:32 -0000

On Thu, May 11, 2006 at 11:12:29PM -0400, Stephen Clark wrote:
> > I'm loosely of the opinion that the membership array should be
> > variable length, and that we should default it to 20, but have a
> > significantly larger maximum. It's not horribly efficient, but also
> > wouldn't be so particularly terrible either.
>
> I think it should be tunable other than going in and changing the source
> code, which I have to do every time I do a cvsup.

This is the express intention of such a change.

The problem the user(s) are having is because each imo_membership member's cardinality of relationship is 1:1 with respect to each multicast group membership and each ifnet interface upon which the membership is established. Therefore, joining the same group 20 times on different interfaces would exceed IP_MAX_MEMBERSHIPS.

Fixing this in any way would still break the ip_mroute_kmod ABI and as such is a HEAD change.

Based on Robert's feedback I would therefore make a change such that imo_membership is dynamically sized at runtime, rather than making IP_MAX_MEMBERSHIPS a load-time tunable. Based on reading of the code it looks like it may be best that imo_moptions becomes a pointer, not an array.

I am happier with this kind of change because it is less invasive to other parts of netinet, and also because it fits in with the lazy allocation which already exists viz ip_findmoptions(). It is also much simpler -- the complexity belongs in ip_findmoptions() and ip_freemoptions().

Further feedback hoped for. I will post patches soon.

Regards,
BMS

From owner-freebsd-net@FreeBSD.ORG Fri May 12 13:21:53 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C25A816A454; Fri, 12 May 2006 13:21:53 +0000 (UTC) (envelope-from vadim_nuclight@mail.ru) Received: from mx1.mail.ru (mx1.mail.ru [194.67.23.121]) by mx1.FreeBSD.org (Postfix) with ESMTP id 65E2B43D68; Fri, 12 May 2006 13:21:53 +0000 (GMT) (envelope-from vadim_nuclight@mail.ru) Received: from [82.211.136.13] (port=16166 helo=nuclight.avtf.net) by mx1.mail.ru with esmtp id 1FeXaM-000AGA-00; Fri, 12 May 2006 17:21:39 +0400 Date: Fri, 12 May 2006 20:20:13 +0700 To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
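An added illustration of the scheme Robert and Bruce sketch in the IP_MAX_MEMBERSHIPS thread above (it is not FreeBSD source and not Bruce's patch): a per-socket membership table that is allocated lazily, as ip_findmoptions() does, starts with IP_MAX_MEMBERSHIPS (20) slots, grows by reallocation, and refuses further joins at an assumed hard maximum so that an unprivileged process cannot make the kernel allocate without bound. The names mo_join, mo_leave, mo_membership and IP_MAX_MEMBERSHIPS_HARD and the cap of 4095 are this example's own choices; the errno values are the ones the IP_ADD_MEMBERSHIP and IP_DROP_MEMBERSHIP socket options return in FreeBSD.

```c
/*
 * Added illustration, not FreeBSD source: a per-socket multicast membership
 * table that is allocated on first use (the role ip_findmoptions() plays),
 * starts at IP_MAX_MEMBERSHIPS (20) slots, grows on demand and stops at an
 * assumed hard cap. Names (mo_*, IP_MAX_MEMBERSHIPS_HARD) are this example's.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define IP_MAX_MEMBERSHIPS      20    /* default slots, as in the thread */
#define IP_MAX_MEMBERSHIPS_HARD 4095  /* assumed upper bound, not from the page */

struct membership {
    uint32_t group;    /* IPv4 group address, host byte order */
    unsigned ifindex;  /* each (group, ifnet) pair occupies one slot */
};

struct moptions {
    struct membership *mo_membership;  /* pointer instead of a fixed array */
    size_t mo_num;                     /* slots in use */
    size_t mo_max;                     /* slots allocated */
};

/* Allocate on first use, like ip_findmoptions(); NULL on allocation failure. */
static struct moptions *mo_find(struct moptions **pp)
{
    if (*pp != NULL)
        return *pp;
    struct moptions *mo = calloc(1, sizeof *mo);
    if (mo == NULL)
        return NULL;
    mo->mo_membership = calloc(IP_MAX_MEMBERSHIPS, sizeof *mo->mo_membership);
    if (mo->mo_membership == NULL) {
        free(mo);
        return NULL;
    }
    mo->mo_max = IP_MAX_MEMBERSHIPS;
    *pp = mo;
    return mo;
}

size_t mo_count(const struct moptions *mo) { return mo ? mo->mo_num : 0; }
size_t mo_capacity(const struct moptions *mo) { return mo ? mo->mo_max : 0; }

/* IP_ADD_MEMBERSHIP analogue; returns 0 or an errno value. */
int mo_join(struct moptions **pp, uint32_t group, unsigned ifindex)
{
    struct moptions *mo = mo_find(pp);
    if (mo == NULL)
        return ENOBUFS;
    for (size_t i = 0; i < mo->mo_num; i++)
        if (mo->mo_membership[i].group == group &&
            mo->mo_membership[i].ifindex == ifindex)
            return EADDRINUSE;              /* already joined on this ifnet */
    if (mo->mo_num == mo->mo_max) {
        if (mo->mo_max >= IP_MAX_MEMBERSHIPS_HARD)
            return ETOOMANYREFS;            /* what the fixed array returns at 20 */
        size_t nmax = mo->mo_max * 2;
        if (nmax > IP_MAX_MEMBERSHIPS_HARD)
            nmax = IP_MAX_MEMBERSHIPS_HARD;
        struct membership *n = realloc(mo->mo_membership, nmax * sizeof *n);
        if (n == NULL)
            return ENOBUFS;
        mo->mo_membership = n;
        mo->mo_max = nmax;
    }
    mo->mo_membership[mo->mo_num].group = group;
    mo->mo_membership[mo->mo_num].ifindex = ifindex;
    mo->mo_num++;
    return 0;
}

/* IP_DROP_MEMBERSHIP analogue; slot order is irrelevant, so swap with the last. */
int mo_leave(struct moptions **pp, uint32_t group, unsigned ifindex)
{
    struct moptions *mo = *pp;
    if (mo == NULL)
        return EADDRNOTAVAIL;
    for (size_t i = 0; i < mo->mo_num; i++) {
        if (mo->mo_membership[i].group == group &&
            mo->mo_membership[i].ifindex == ifindex) {
            mo->mo_membership[i] = mo->mo_membership[--mo->mo_num];
            return 0;
        }
    }
    return EADDRNOTAVAIL;
}

/* ip_freemoptions() analogue: the table goes away with the socket. */
void mo_free(struct moptions **pp)
{
    if (*pp == NULL)
        return;
    free((*pp)->mo_membership);
    free(*pp);
    *pp = NULL;
}

int main(void)
{
    struct moptions *mo = NULL;
    /* 224.0.0.5 (AllSPFRouters) on 25 interfaces: more than the old array holds. */
    for (unsigned ifn = 1; ifn <= 25; ifn++)
        if (mo_join(&mo, 0xE0000005u, ifn) != 0)
            return 1;
    printf("%zu memberships in %zu slots\n", mo_count(mo), mo_capacity(mo));
    mo_free(&mo);
    return 0;
}
```

The one-slot-per-(group, ifnet) rule is exactly why a router with more than 20 interfaces running OSPF overflows the fixed array: main() joins 224.0.0.5 on 25 interfaces and ends with 25 entries in 40 slots, where the fixed array would have failed with ETOOMANYREFS on the 21st. Whatever value the cap takes, it needs to exist: growing by however much the socket asks for, with no ceiling, would turn IP_ADD_MEMBERSHIP into a way for any local user to consume kernel memory.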
From: "Vadim Goncharov" Organization: AVTF TPU Hostel Content-Type: text/plain; format=flowed; delsp=yes; charset=koi8-r MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID: User-Agent: Opera M2/7.54 (Win32, build 3865) Cc: Subject: [patch] ipfw packet tagging X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 13:21:54 -0000

Hi, All!

I've tried Andrey Elsukov's ipfw "tag/tagged" patches from:
http://butcher.heavennet.ru/patches/kernel/ipfw_tags/

Tested on 5.5-PRERELEASE production server with moderate load - rock stable [I've also looked through the code - patch is small, so there simply can't be any bugs there ;)].

Personally I very much like the idea from original Andrey's letter about the possibility to make a netgraph(4) node able to mark packets: this is a potential ability to build a fast (in-kernel) level 7 firewall / traffic filter without the need to fully duplicate the entire TCP/IP stack in this marking node - that's ipfw's work.

For example, rules can look like this:

# node marks traffic as good or bad based on first packets in the flow
node=300
good=1
bad=2

check-state                            # here most sorted traffic goes
netgraph $node all from any to any     # divert unmarked traffic to node
deny all from any to any tagged $bad
allow all from any to any tagged $good keep-state

--
WBR, Vadim Goncharov

From owner-freebsd-net@FreeBSD.ORG Fri May 12 13:32:42 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D33516A417 for ; Fri, 12 May 2006 13:32:42 +0000 (UTC) (envelope-from eksffa@freebsdbrasil.com.br) Received: from capeta.freebsdbrasil.com.br (vrrp.freebsdbrasil.com.br [200.210.70.30]) by mx1.FreeBSD.org (Postfix) with SMTP id 5751143D49 for ; Fri, 12 May 2006 13:32:41 +0000 (GMT) (envelope-from eksffa@freebsdbrasil.com.br) Received: (qmail 97662 invoked by uid 0); 12 May 2006 10:33:38 -0300 Received: from eksffa@freebsdbrasil.com.br by capeta.freebsdbrasil.com.br by uid 82 with qmail-scanner-1.22 (spamassassin: 2.64. Clear:RC:1(201.17.165.158):. Processed in 2.373098 secs); 12 May 2006 13:33:38 -0000 Received: from unknown (HELO ?10.69.69.69?) (201.17.165.158) by capeta.freebsdbrasil.com.br with SMTP; 12 May 2006 10:33:35 -0300 Message-ID: <44648E66.6010800@freebsdbrasil.com.br> Date: Fri, 12 May 2006 10:32:22 -0300
From: Patrick Tracanelli Organization: FreeBSD Brasil LTDA User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.12) Gecko/20051013 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Vadim Goncharov References: In-Reply-To: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: [patch] ipfw packet tagging X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 13:32:50 -0000

Vadim Goncharov wrote:
> Hi, All!
>
> I've tried Andrey Elsukov's ipfw "tag/tagged" patches from:
> http://butcher.heavennet.ru/patches/kernel/ipfw_tags/
>
> Tested on 5.5-PRERELEASE production server with moderate
> load - rock stable [I've also looked through the code - patch
> is small, so there simply can't be any bugs there ;)].
>
> Personally I very much like the idea from original Andrey's letter

I have tested on 6.1 and it works fine too.

Hope it gets committed. Very useful for altq/dummynet flexibility too.

--
Patrick Tracanelli

From owner-freebsd-net@FreeBSD.ORG Fri May 12 13:53:30 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C44DB16A4C1; Fri, 12 May 2006 13:53:30 +0000 (UTC) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7007C43D73; Fri, 12 May 2006 13:53:30 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.11/8.12.11) with ESMTP id k4CDrS8L016557; Fri, 12 May 2006 06:53:28 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.11/8.12.3/Submit) id k4CDrR8Z016556; Fri, 12 May 2006 06:53:27 -0700 (PDT) (envelope-from rizzo) Date: Fri, 12 May 2006 06:53:27 -0700
From: Luigi Rizzo To: Patrick Tracanelli Message-ID: <20060512065327.B16302@xorpc.icir.org> References: <44648E66.6010800@freebsdbrasil.com.br> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <44648E66.6010800@freebsdbrasil.com.br>; from eksffa@freebsdbrasil.com.br on Fri, May 12, 2006 at 10:32:22AM -0300 Cc: Vadim Goncharov , freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: [patch] ipfw packet tagging X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 13:53:31 -0000 On Fri, May 12, 2006 at 10:32:22AM -0300, Patrick Tracanelli wrote: > Vadim Goncharov wrote: > > Hi, All! > > > > I've tried Andrey Elsukov's ipfw "tag/tagged" patches from: > > http://butcher.heavennet.ru/patches/kernel/ipfw_tags/ > > > > Tested on 5.5-PRERELEASE production server with moderate > > load - rock stable [I've also looked through the code - patch > > is small, so it simply can't be any bugs there ;)]. > > > > Personally I very like the idea from original Andrey's letter > > I have tested on 6.1 and works fine too. > > Hope it gets commited. Very useful for altq/dummynet flexibility too. i would, however, like to have a bit more documentation in the patch, in particular: - a manpage patch describing how to use the thing, and also the behaviour in odd situations (e.g. what happens when we try to tag a packet multiple times ? does the tag survive between the 'input' and 'output' path of ipfw for routed packets, etc ?). I can look this up in the code, but the average user cannot, and the patch does not contain a single line of comment, plus we generally want to have some textual description of the behaviour (so we can RTFM), not just an implementation without comments. - more comments in the code, per the above. 
cheers luigi From owner-freebsd-net@FreeBSD.ORG Fri May 12 15:19:51 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2913416A71D; Fri, 12 May 2006 15:19:51 +0000 (UTC) (envelope-from vadimnuclight@tpu.ru) Received: from relay1.tpu.ru (relay1.tpu.ru [213.183.112.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 27FCD43D49; Fri, 12 May 2006 15:19:49 +0000 (GMT) (envelope-from vadimnuclight@tpu.ru) Received: by relay1.tpu.ru (Postfix, from userid 501) id 006CF10C47F; Fri, 12 May 2006 22:19:46 +0700 (NOVST) Received: from mail.main.tpu.ru (mail.main.tpu.ru [10.0.0.3]) by relay1.tpu.ru (Postfix) with ESMTP id D971410C47C; Fri, 12 May 2006 22:19:46 +0700 (NOVST) Received: from mail.tpu.ru ([213.183.112.105]) by mail.main.tpu.ru with Microsoft SMTPSVC(6.0.3790.1830); Fri, 12 May 2006 22:19:46 +0700 Received: from nuclight.avtf.net ([82.117.64.107]) by mail.tpu.ru over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830); Fri, 12 May 2006 22:19:46 +0700 To: "Luigi Rizzo" References: <44648E66.6010800@freebsdbrasil.com.br> <20060512065327.B16302@xorpc.icir.org> Message-ID: Date: Fri, 12 May 2006 22:18:43 +0700 
From: "Vadim Goncharov" Organization: AVTF TPU Hostel Content-Type: text/plain; format=flowed; delsp=yes; charset=koi8-r MIME-Version: 1.0 Content-Transfer-Encoding: 8bit In-Reply-To: <20060512065327.B16302@xorpc.icir.org> User-Agent: Opera M2/7.54 (Win32, build 3865) X-OriginalArrivalTime: 12 May 2006 15:19:46.0499 (UTC) FILETIME=[80BDF930:01C675D7] Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: [patch] ipfw packet tagging X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 15:19:52 -0000 12.05.06 at 20:53 Luigi Rizzo wrote: >> > I've tried Andrey Elsukov's ipfw "tag/tagged" patches from: >> > http://butcher.heavennet.ru/patches/kernel/ipfw_tags/ >> > >> > Tested on 5.5-PRERELEASE production server with moderate >> > load - rock stable [I've also looked through the code - patch >> > is small, so it simply can't be any bugs there ;)]. >> > >> > Personally I very like the idea from original Andrey's letter >> >> I have tested on 6.1 and works fine too. >> >> Hope it gets commited. Very useful for altq/dummynet flexibility too. > > i would, however, like to have a bit more documentation in the patch, > in particular: > > - a manpage patch describing how to use the thing, and also the > behaviour in in odd situations (e.g. what happens when we try to tag > a packet multiple times ? does the tag survive between the 'input' > and 'output' path of ipfw for routed packets, etc ?). > I can look this up in the code, but the average user cannot, I think it will always survive, but I am not sure; maybe it is better for you to review the code and correct the description. > and the patch does not contain a single line of comment, > plus we generally want to have some textual description of the > behaviour (so we can RTFM), not just an implementation > without comments. 
OK, Andrey currently comments the code and implements untag action, and here is my patch for manpage describing all this stuff: --- ipfw.8.orig Fri May 12 21:09:14 2006 +++ ipfw.8 Fri May 12 22:08:42 2006 @@ -563,6 +563,30 @@ Note: logging is done after all other packet matching conditions have been successfully verified, and before performing the final action (accept, deny, etc.) on the packet. +.It Cm tag Ar number +When a packet matches a rule with the +.Cm tag +keyword, the numeric tag for the given +.Ar number +in the range 0..65535 will be attached to the packet. +The tag acts as an internal marker (it is not sent out over +the wire) that can be used to identify these packets later on. +This can be used, for example, to provide trust between interfaces +and to start doing policy-based filtering. +A packet can have mutiple tags at the same time. +Tags are "sticky", meaning once a tag is applied to a packet by a +matching rule it exists everywhere while packet is still in kernel +until explicit removal or sending packet out to the network. +To check for previously applied tags, use the +.Cm tagged +rule option. +.It Cm untag Ar number +When a packet matches a rule with the +.Cm untag +keyword, the tag with the number +.Ar number +is searched in the set of tags attached to +this packet and, if found, removed from this set. .It Cm altq Ar queue When a packet matches a rule with the .Cm altq 
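Review bot: the new `tag` text does not settle the multiple-tagging case asked about upthread: after "A packet can have mutiple tags at the same time." state whether a second `tag N` on a packet that already carries tag N adds a duplicate entry or is a no-op, and whether a single `untag N` then removes it entirely. The "sticky" sentence should also say plainly that a routed packet keeps its tags between ipfw's incoming and outgoing passes, which is what "exists everywhere while packet is still in kernel" appears to mean, since that was the other behaviour question raised. Typos in the same hunk: "mutiple" -> "multiple", and "while packet is still in kernel" -> "while the packet is still in the kernel"; the `untag` paragraph could add whether untagging a number the packet does not carry is an error or a no-op, if the code has settled that.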
@@ -1257,6 +1281,15 @@ .It Cm src-port Ar ports Matches IP packets whose source port is one of the port(s) specified as argument. +.It Cm tagged Ar number +Match if packet has a tag with number +.Ar number . +Tags can be applied to the packet using +.Cm tag +rule action parameter or set somewhere in another part of the kernel +network subsytem using +.Xr mbuf_tags 9 +facility. .It Cm tcpack Ar ack TCP packets only. Match if the TCP header acknowledgment number field is set to -- WBR, Vadim Goncharov From owner-freebsd-net@FreeBSD.ORG Fri May 12 15:51:19 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 84FAB16A689; Fri, 12 May 2006 15:51:19 +0000 (UTC) (envelope-from vadimnuclight@tpu.ru) Received: from relay1.tpu.ru (relay1.tpu.ru [213.183.112.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id EA55B43D46; Fri, 12 May 2006 15:51:18 +0000 (GMT) (envelope-from vadimnuclight@tpu.ru) Received: by relay1.tpu.ru (Postfix, from userid 501) id 3589B10C482; Fri, 12 May 2006 22:51:15 +0700 (NOVST) Received: from mail.main.tpu.ru (mail.main.tpu.ru [10.0.0.3]) by relay1.tpu.ru (Postfix) with ESMTP id 1A85E10C47C; Fri, 12 May 2006 22:51:15 +0700 (NOVST) Received: from mail.tpu.ru ([213.183.112.105]) by mail.main.tpu.ru with Microsoft SMTPSVC(6.0.3790.1830); Fri, 12 May 2006 22:51:15 +0700 Received: from nuclight.avtf.net ([82.117.64.107]) by mail.tpu.ru over TLS secured channel with Microsoft SMTPSVC(6.0.3790.1830); Fri, 12 May 2006 22:51:14 +0700 Date: Fri, 12 May 2006 22:50:10 +0700 To: "Luigi Rizzo" , "Patrick Tracanelli" References: <44648E66.6010800@freebsdbrasil.com.br> <20060512065327.B16302@xorpc.icir.org> 
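Review bot: the `tagged` text says a tag may also have been "set somewhere in another part of the kernel network subsytem using mbuf_tags(9)", but it does not say which mbuf tag cookie and type ipfw looks up, so a reader cannot tell whether any mbuf tag whose numeric id happens to match satisfies `tagged`, or only tags created by the `tag` action (and kernel code that deliberately uses the same identifier); name the identifier the match uses so other subsystems can interoperate and so it is clear that unrelated tags cannot trigger a policy rule. Typo: "subsytem" -> "subsystem". If `tagged` is extended to the list/range syntax proposed later in this thread (`tagged 1-5,10,20`), the argument here should change from a single `Ar number` to the same list form the port options use.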
From: "Vadim Goncharov" Organization: AVTF TPU Hostel Content-Type: text/plain; format=flowed; delsp=yes; charset=koi8-r MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID: In-Reply-To: <20060512065327.B16302@xorpc.icir.org> User-Agent: Opera M2/7.54 (Win32, build 3865) X-OriginalArrivalTime: 12 May 2006 15:51:14.0666 (UTC) FILETIME=[E62D64A0:01C675DB] Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: [patch] ipfw packet tagging X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 15:51:19 -0000 12.05.06 at 20:53 Luigi Rizzo wrote in his message: >> > I've tried Andrey Elsukov's ipfw "tag/tagged" patches from: >> > http://butcher.heavennet.ru/patches/kernel/ipfw_tags/ >> > >> > Tested on 5.5-PRERELEASE production server with moderate >> > load - rock stable [I've also looked through the code - patch >> > is small, so it simply can't be any bugs there ;)]. >> > >> > Personally I very like the idea from original Andrey's letter >> >> I have tested on 6.1 and works fine too. >> >> Hope it gets commited. Very useful for altq/dummynet flexibility too. > > i would, however, like to have a bit more documentation in the patch, > in particular: > > - a manpage patch describing how to use the thing, and also the > behaviour in in odd situations (e.g. what happens when we try to tag > a packet multiple times ? does the tag survive between the 'input' > and 'output' path of ipfw for routed packets, etc ?). A question about features: is it worth adding functionality for matching a range of tags? 
For example: ipfw add pass ip from any to any tagged 1-5,10,20 -- WBR, Vadim Goncharov From owner-freebsd-net@FreeBSD.ORG Fri May 12 15:56:32 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 38B3116A486; Fri, 12 May 2006 15:56:32 +0000 (UTC) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (xorpc.icir.org [192.150.187.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id ECD8443D46; Fri, 12 May 2006 15:56:31 +0000 (GMT) (envelope-from rizzo@icir.org) Received: from xorpc.icir.org (localhost [127.0.0.1]) by xorpc.icir.org (8.12.11/8.12.11) with ESMTP id k4CFuV9U019529; Fri, 12 May 2006 08:56:31 -0700 (PDT) (envelope-from rizzo@xorpc.icir.org) Received: (from rizzo@localhost) by xorpc.icir.org (8.12.11/8.12.3/Submit) id k4CFuVQm019528; Fri, 12 May 2006 08:56:31 -0700 (PDT) (envelope-from rizzo) Date: Fri, 12 May 2006 08:56:31 -0700 
From: Luigi Rizzo To: Vadim Goncharov Message-ID: <20060512085631.A19484@xorpc.icir.org> References: <44648E66.6010800@freebsdbrasil.com.br> <20060512065327.B16302@xorpc.icir.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from vadimnuclight@tpu.ru on Fri, May 12, 2006 at 10:50:10PM +0700 Cc: Patrick Tracanelli , freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org Subject: Re: [patch] ipfw packet tagging X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 15:56:32 -0000 On Fri, May 12, 2006 at 10:50:10PM +0700, Vadim Goncharov wrote: > A question about features: is it worth adding functionality of matching > range of tags? For example: > > ipfw add pass ip from any to any tagged 1-5,10,20 i think it is a useful feature, and if you reuse the existing code for matching port ranges etc to implement it, performance should be reasonably good. 
cheers luigi From owner-freebsd-net@FreeBSD.ORG Fri May 12 16:50:04 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 44EB116AB6E for ; Fri, 12 May 2006 16:50:04 +0000 (UTC) (envelope-from yurtesen-dated-1148316597.a7141e@ispro.net) Received: from smtp.ispro.net.tr (smtp.ispro.net.tr [62.244.220.178]) by mx1.FreeBSD.org (Postfix) with SMTP id 5E62843D77 for ; Fri, 12 May 2006 16:50:01 +0000 (GMT) (envelope-from yurtesen-dated-1148316597.a7141e@ispro.net) Received: (qmail 70221 invoked by uid 89); 12 May 2006 16:49:57 -0000 Received: from [80.221.144.106] (dsl-aur-fe90dd00-106.dhcp.inet.fi [80.221.144.106]) by localhost.my.domain (tmda-ofmipd) with ESMTP; Fri, 12 May 2006 19:49:54 +0300 (EEST) Message-ID: <4464BCA0.3010500@ispro.net> Date: Fri, 12 May 2006 19:49:36 +0300 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-net@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit 
From: Evren Yurtesen X-Delivery-Agent: TMDA/1.0.3 (Seattle Slew) X-Primary-Address: yurtesen@ispro.net.tr Subject: vlan/bridge problems.. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 16:50:05 -0000 I tried to bridge vlan with ethernet but I am having troubles. net.link.ether.bridge_cfg: fxp0:2,fxp3:2,fxp2:3,vlan0:3 net.link.ether.bridge: 1 net.link.ether.bridge_ipfw: 0 net.link.ether.bridge_ipf: 0 net.link.ether.bridge_ipfw_drop: 0 net.link.ether.bridge_ipfw_collisions: 0 fxp0 - fxp3 bridge works fine vlan0 is attached to fxp3 (trunk) vlan0 - fxp2 bridge doesn't work! I can ping the IP of fxp2 but not any host connected to fxp2. Can this be because I am using fxp3 as a normal interface + a vlan trunk at the same time? Thanks, Evren From owner-freebsd-net@FreeBSD.ORG Fri May 12 18:30:56 2006 Return-Path: X-Original-To: net@freebsd.org Delivered-To: freebsd-net@FreeBSD.ORG Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C9FEC16B432 for ; Fri, 12 May 2006 18:30:56 +0000 (UTC) (envelope-from silby@silby.com) Received: from relay03.pair.com (relay03.pair.com [209.68.5.17]) by mx1.FreeBSD.org (Postfix) with SMTP id 178C043D5C for ; Fri, 12 May 2006 18:30:53 +0000 (GMT) (envelope-from silby@silby.com) Received: (qmail 51117 invoked from network); 12 May 2006 18:30:52 -0000 Received: from unknown (HELO localhost) (unknown) by unknown with SMTP; 12 May 2006 18:30:52 -0000 X-pair-Authenticated: 209.68.2.70 Date: Fri, 12 May 2006 13:30:51 -0500 (CDT) 
From: Mike Silbersack To: net@freebsd.org Message-ID: <20060512132954.X1013@odysseus.silby.com> MIME-Version: 1.0 Content-Type: MULTIPART/Mixed; BOUNDARY="0-934478144-1028056781=:3793" Content-ID: <20020730150959.O6367@patrocles.silby.com> Cc: Subject: RFC: Updated window update algorithm X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 18:30:59 -0000 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --0-934478144-1028056781=:3793 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; format=flowed Content-ID: <20020730150959.D6367@patrocles.silby.com> It's been nearly four years, I was wondering if anyone has had a thought on this change yet. :) Mike "Silby" Silbersack ---------- Forwarded message ---------- Date: Tue, 30 Jul 2002 15:15:55 -0500 (CDT) 
From: Mike Silbersack To: freebsd-net@freebsd.org Subject: RFC: Updated window update algorithm I'd appreciate it if the TCP-inclined could take a quick look over the attached patch. What it does is implement a simpler algorithm used to determine whether or not to accept window updates. Our existing algorithm (the one in RFC793/1122) has a weakness in that it will ignore window updates piggybacked on retransmitted packets. In a unidirectional transfer situation, this is not a problem. However, in the case of a bidirectional transfer, this could cause retransmission in one direction to stall transmission in the other direction. For more info on this case, see the thread at: http://tcp-impl.grc.nasa.gov/tcp-impl/list/archive/2184.html The algorithm I used in the attached patch is the one created by Alexey Kuznetsov, currently used in Linux 2.4. Any comments (on the algorithm or implementation) would be appreciated. Thanks, Mike "Silby" Silbersack --0-934478144-1028056781=:3793 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME=tcpwindowupdate3.patch Content-Transfer-Encoding: BASE64 Content-ID: <20020730141941.N3793@patrocles.silby.com> Content-Description: Content-Disposition: ATTACHMENT; FILENAME=tcpwindowupdate3.patch (base64 body decoded below)
--- /usr/src/sys.old/netinet/tcp_input.c	Tue Jul 30 00:41:38 2002
+++ tcp_input.c	Tue Jul 30 14:15:40 2002
@@ -1939,11 +1939,15 @@
 	/*
 	 * Update window information.
 	 * Don't look at window if no ACK: TAC's send garbage on first SYN.
+	 * Update window if:
+	 * - New data acked
+	 * - New data sent to us
+	 * - Data has not advanced, but larger window is reported
 	 */
 	if ((thflags & TH_ACK) &&
 	    (SEQ_LT(tp->snd_wl1, th->th_seq) ||
-	    (tp->snd_wl1 == th->th_seq && (SEQ_LT(tp->snd_wl2, th->th_ack) ||
-	     (tp->snd_wl2 == th->th_ack && tiwin > tp->snd_wnd))))) {
+	     SEQ_LT(tp->snd_una, th->th_ack) ||
+	     ((th->th_seq == tp->snd_wl1) && (tiwin > tp->snd_wnd)))) {
 		/* keep track of pure window updates */
 		if (tlen == 0 &&
 		    tp->snd_wl2 == th->th_ack && tiwin > tp->snd_wnd)
--0-934478144-1028056781=:3793-- From owner-freebsd-net@FreeBSD.ORG Fri May 12 19:18:35 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5002416B8C6 for ; Fri, 12 May 2006 19:18:35 +0000 (UTC) (envelope-from ambrisko@ambrisko.com) Received: from mail.ambrisko.com (mail.ambrisko.com [64.174.51.43]) by mx1.FreeBSD.org (Postfix) with ESMTP id 675DD43D6D for ; Fri, 12 May 2006 19:18:30 +0000 (GMT) (envelope-from ambrisko@ambrisko.com) Received: from server2.ambrisko.com (HELO www.ambrisko.com) ([192.168.1.2]) by mail.ambrisko.com with ESMTP; 12 May 2006 12:17:32 -0700 Received: from ambrisko.com (localhost [127.0.0.1]) by www.ambrisko.com (8.12.11/8.12.11) with ESMTP id k4CJITf8090719; Fri, 12 May 2006 12:18:29 -0700 (PDT) (envelope-from ambrisko@ambrisko.com) Received: (from ambrisko@localhost) by ambrisko.com (8.12.11/8.12.11/Submit) id k4CJITpR090718; Fri, 12 May 2006 12:18:29 -0700 (PDT) (envelope-from ambrisko) 
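Review bot: in the tcpwindowupdate3.patch hunk, the new `SEQ_LT(tp->snd_una, th->th_ack)` term compares against the current `tp->snd_una` at the window-update step; confirm that ACK processing for this same segment has not already advanced `snd_una` to `th->th_ack` by the time control reaches this block, because if it has, the term is false in exactly the new-data-acked case it was added for and the retransmission-with-window-update case the patch targets is still dropped (saving the pre-ACK value, or keeping the `snd_wl2` comparison of the removed lines, makes the test independent of that ordering). Second, with the `tp->snd_wl1 == th->th_seq` guard removed, a segment whose `th_seq` is older than `snd_wl1` can now be accepted; the context lines stop before the `snd_wl1`/`snd_wl2`/`snd_wnd` assignments that follow, so check that `snd_wl1` is not moved backwards to that older sequence number, since a later reordered segment with a sequence number between the two values and a stale, smaller window would then pass `SEQ_LT(tp->snd_wl1, th->th_seq)` and shrink the window. Minor: the "pure window updates" accounting in the trailing context still keys on `tp->snd_wl2 == th->th_ack`, which no longer mirrors the acceptance rule above it.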
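The two acceptance conditions from the patch, side by side, as an added example that is my code and not Mike's patch or FreeBSD's tcp_input.c: `struct tcb` and `struct seg` are simplified stand-ins for the tcpcb and tcphdr fields the two conditions touch, the sequence numbers and window sizes are constructed, and the window test is evaluated before the segment's ACK advances `snd_una`, which is the precondition for the `snd_una` comparison to mean anything. It reproduces the stall case described in the forwarded message: a retransmitted segment that also acks fresh data and announces a larger window is ignored by the RFC 793/1122 rule and accepted by the relaxed rule.

```c
/*
 * Added example, not code from the patch or from FreeBSD: the RFC 793/1122
 * window-update test beside the relaxed test from tcpwindowupdate3.patch,
 * driven by a constructed bidirectional-transfer scenario.  struct tcb and
 * struct seg are stand-ins for the tcpcb/tcphdr fields the conditions use;
 * the policy is evaluated before this segment's ACK advances snd_una.
 */
#include <stdint.h>
#include <stdio.h>

#define TH_ACK 0x10
/* Modular comparison for 32-bit sequence numbers, as the kernel does it. */
#define SEQ_LT(a, b) ((int32_t)((a) - (b)) < 0)

struct tcb {
    uint32_t snd_una;   /* oldest byte we sent that is not yet acked */
    uint32_t snd_wnd;   /* peer's advertised window as last accepted */
    uint32_t snd_wl1;   /* th_seq of the segment that last updated the window */
    uint32_t snd_wl2;   /* th_ack of that same segment */
};

struct seg {
    uint8_t  flags;
    uint32_t seq;       /* th_seq */
    uint32_t ack;       /* th_ack */
    uint32_t win;       /* advertised window, already scaled ("tiwin") */
};

enum policy { RFC793, KUZNETSOV };

/* Old rule: the update counts only if this segment is "newer" than the one
 * last used: higher seq, or same seq and higher ack, or same seq and ack
 * with a larger window.  A retransmission (older seq) never qualifies. */
static int accept_rfc793(const struct tcb *tp, const struct seg *th)
{
    return (th->flags & TH_ACK) &&
        (SEQ_LT(tp->snd_wl1, th->seq) ||
         (tp->snd_wl1 == th->seq &&
          (SEQ_LT(tp->snd_wl2, th->ack) ||
           (tp->snd_wl2 == th->ack && th->win > tp->snd_wnd))));
}

/* New rule from the patch: new data sent to us, new data acked, or a larger
 * window at the same sequence number.  The ack test no longer requires the
 * segment's seq to be at or beyond snd_wl1. */
static int accept_kuznetsov(const struct tcb *tp, const struct seg *th)
{
    return (th->flags & TH_ACK) &&
        (SEQ_LT(tp->snd_wl1, th->seq) ||
         SEQ_LT(tp->snd_una, th->ack) ||
         (th->seq == tp->snd_wl1 && th->win > tp->snd_wnd));
}

/* Apply the window update if the policy accepts it, then advance snd_una.
 * Returns 1 if the window was updated. */
static int process_segment(enum policy p, struct tcb *tp, const struct seg *th)
{
    int accepted = (p == RFC793) ? accept_rfc793(tp, th)
                                 : accept_kuznetsov(tp, th);
    if (accepted) {
        tp->snd_wnd = th->win;
        tp->snd_wl1 = th->seq;
        tp->snd_wl2 = th->ack;
    }
    if ((th->flags & TH_ACK) && SEQ_LT(tp->snd_una, th->ack))
        tp->snd_una = th->ack;
    return accepted;
}

/* Constructed scenario: both sides are sending.  The peer's last segment that
 * updated our window had seq 5000 / ack 1000 and advertised 1024 bytes.  The
 * peer then retransmits an older segment (seq 4000) that also acks our new
 * data up to 2000 and advertises 8192 bytes.  Returns the window we end up
 * using under the given policy. */
uint32_t window_after_retransmit(enum policy p)
{
    struct tcb tp = { .snd_una = 1000, .snd_wnd = 1024,
                      .snd_wl1 = 5000, .snd_wl2 = 1000 };
    struct seg retx = { .flags = TH_ACK, .seq = 4000, .ack = 2000, .win = 8192 };
    process_segment(p, &tp, &retx);
    return tp.snd_wnd;
}

/* A segment carrying new data (seq beyond snd_wl1) is accepted by both rules. */
int fresh_segment_accepted_by_both(void)
{
    struct tcb a = { 1000, 1024, 5000, 1000 }, b = a;
    struct seg fresh = { .flags = TH_ACK, .seq = 6000, .ack = 2000, .win = 4096 };
    return process_segment(RFC793, &a, &fresh) &&
           process_segment(KUZNETSOV, &b, &fresh) &&
           a.snd_wnd == 4096 && b.snd_wnd == 4096;
}

int main(void)
{
    printf("retransmit carrying a window update: RFC 793 rule keeps %u, "
           "patched rule uses %u\n",
           (unsigned)window_after_retransmit(RFC793),
           (unsigned)window_after_retransmit(KUZNETSOV));
    printf("fresh segment accepted by both rules: %s\n",
           fresh_segment_accepted_by_both() ? "yes" : "no");
    return 0;
}
```

Compile with `cc -std=c99` and run; the `SEQ_LT` macro is the same modular comparison the kernel relies on, so the constructed numbers can be shifted across the 2^32 wrap without changing either verdict.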
From: Doug Ambrisko Message-Id: <200605121918.k4CJITpR090718@ambrisko.com> In-Reply-To: <4464BCA0.3010500@ispro.net> To: Evren Yurtesen Date: Fri, 12 May 2006 12:18:29 -0700 (PDT) X-Mailer: ELM [version 2.4ME+ PL94b (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Cc: freebsd-net@freebsd.org Subject: Re: vlan/bridge problems.. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 19:18:37 -0000 Evren Yurtesen writes: | I tried to bridge vlan with ethernet but I am having troubles. | | net.link.ether.bridge_cfg: fxp0:2,fxp3:2,fxp2:3,vlan0:3 | net.link.ether.bridge: 1 | net.link.ether.bridge_ipfw: 0 | net.link.ether.bridge_ipf: 0 | net.link.ether.bridge_ipfw_drop: 0 | net.link.ether.bridge_ipfw_collisions: 0 | | fxp0 - fxp3 bridge works fine | vlan0 is attached to fxp3 (trunk) | | vlan0 - fxp2 bridge doesnt work! I can ping IP of fxp2 but not to any | host connected to fxp2. | | Can this be because I am using fxp3 as a normal interface + a vlan trunk | at the same time? It wouldn't work for me since the if_vlan device calls the device driver's output mechanism directly and the SW input path would ignore handling of VLAN packets ... or at least these used to be issues. My machines that I needed this for are patched locally to make it work. I don't know the current state of this. It gets to be a bit of a mess re-injecting the packet into the stack on output, with loops etc. The ordering of post netgraph/bridge has some issues. It probably should be tagged and use that to prevent loops. Doug A. 
From owner-freebsd-net@FreeBSD.ORG Fri May 12 23:52:22 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 48D9816A413 for ; Fri, 12 May 2006 23:52:22 +0000 (UTC) (envelope-from yurtesen-dated-1148341938.5a4c79@ispro.net) Received: from smtp.ispro.net.tr (smtp.ispro.net.tr [62.244.220.178]) by mx1.FreeBSD.org (Postfix) with SMTP id 3002043D48 for ; Fri, 12 May 2006 23:52:20 +0000 (GMT) (envelope-from yurtesen-dated-1148341938.5a4c79@ispro.net) Received: (qmail 89438 invoked by uid 89); 12 May 2006 23:52:18 -0000 Received: from [80.223.250.217] (dsl-aur-fefadf00-217.dhcp.inet.fi [80.223.250.217]) by localhost.my.domain (tmda-ofmipd) with ESMTP; Sat, 13 May 2006 02:52:14 +0300 (EEST) Message-ID: <44651F9B.9060709@ispro.net> Date: Sat, 13 May 2006 02:51:55 +0300 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Doug Ambrisko References: <200605121918.k4CJITpR090718@ambrisko.com> In-Reply-To: <200605121918.k4CJITpR090718@ambrisko.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Delivery-Agent: TMDA/1.0.3 (Seattle Slew) 
From: Evren Yurtesen X-Primary-Address: yurtesen@ispro.net.tr Cc: freebsd-net@freebsd.org Subject: Re: vlan/bridge problems.. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 May 2006 23:52:22 -0000 Doug Ambrisko wrote: > Evren Yurtesen writes: > | I tried to bridge vlan with ethernet but I am having troubles. > | > | net.link.ether.bridge_cfg: fxp0:2,fxp3:2,fxp2:3,vlan0:3 > | net.link.ether.bridge: 1 > | net.link.ether.bridge_ipfw: 0 > | net.link.ether.bridge_ipf: 0 > | net.link.ether.bridge_ipfw_drop: 0 > | net.link.ether.bridge_ipfw_collisions: 0 > | > | fxp0 - fxp3 bridge works fine > | vlan0 is attached to fxp3 (trunk) > | > | vlan0 - fxp2 bridge doesnt work! I can ping IP of fxp2 but not to any > | host connected to fxp2. > | > | Can this be because I am using fxp3 as a normal interface + a vlan trunk > | at the same time? > > It wouldn't work for me since the if_vlan device call the device driver's > output mechanism direct and the SW input path would ignore handling of VLAN > packets ... or atleast this used to be issues. My machine's that I needed > this for are patched locally to make it work. > > I don't know the current state of this. It gets to be a bit of > a mess re-injection the packet into the stack on output with loops etc. > The ordering of post netgraph/bridge has some issues. It probably > should be tagged and use that to prevent loops. > > Doug A. Well, I think vlans do not bridge on 4.x Bridging works in 5.x/6.x but not the way that I explained here I can't bridge 1 interface and its vlan interface at the same time. 
Thanks, Evren From owner-freebsd-net@FreeBSD.ORG Sat May 13 00:54:24 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D452B16A636 for ; Sat, 13 May 2006 00:54:24 +0000 (UTC) (envelope-from julian@elischer.org) Received: from a50.ironport.com (a50.ironport.com [63.251.108.112]) by mx1.FreeBSD.org (Postfix) with ESMTP id A1BA243D60 for ; Sat, 13 May 2006 00:54:21 +0000 (GMT) (envelope-from julian@elischer.org) Received: from unknown (HELO [10.251.19.131]) ([10.251.19.131]) by a50.ironport.com with ESMTP; 12 May 2006 17:54:22 -0700 Message-ID: <44652E3C.4010704@elischer.org> Date: Fri, 12 May 2006 17:54:20 -0700 
From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.13) Gecko/20060414 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Evren Yurtesen References: <200605121918.k4CJITpR090718@ambrisko.com> <44651F9B.9060709@ispro.net> In-Reply-To: <44651F9B.9060709@ispro.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-net@freebsd.org Subject: Re: vlan/bridge problems.. X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 13 May 2006 00:54:25 -0000 Evren Yurtesen wrote: > Doug Ambrisko wrote: > >> Evren Yurtesen writes: >> | I tried to bridge vlan with ethernet but I am having troubles. >> | | net.link.ether.bridge_cfg: fxp0:2,fxp3:2,fxp2:3,vlan0:3 >> | net.link.ether.bridge: 1 >> | net.link.ether.bridge_ipfw: 0 >> | net.link.ether.bridge_ipf: 0 >> | net.link.ether.bridge_ipfw_drop: 0 >> | net.link.ether.bridge_ipfw_collisions: 0 >> | | fxp0 - fxp3 bridge works fine >> | vlan0 is attached to fxp3 (trunk) >> | | vlan0 - fxp2 bridge doesnt work! I can ping IP of fxp2 but not to >> any | host connected to fxp2. >> | | Can this be because I am using fxp3 as a normal interface + a >> vlan trunk | at the same time? >> >> It wouldn't work for me since the if_vlan device call the device >> driver's output mechanism direct and the SW input path would ignore >> handling of VLAN >> packets ... or atleast this used to be issues. My machine's that I >> needed >> this for are patched locally to make it work. >> >> I don't know the current state of this. It gets to be a bit of >> a mess re-injection the packet into the stack on output with loops etc. >> The ordering of post netgraph/bridge has some issues. It probably >> should be tagged and use that to prevent loops. >> >> Doug A. 
> > > Well, I think vlans do not bridge on 4.x That may or may not be true.. I think I have seen it working.. I think netgraph bridging should work. It may depend on whether you are doing hardware VLAN tagging. > > Bridging works in 5.x/6.x but not the way that I explained here > > I cant bridge 1 interface and its vlan interface at the same time. > > Thanks, > Evren From owner-freebsd-net@FreeBSD.ORG Sat May 13 02:52:29 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 10A2416A400 for ; Sat, 13 May 2006 02:52:29 +0000 (UTC) (envelope-from ambrisko@ambrisko.com) Received: from mail.ambrisko.com (mail.ambrisko.com [64.174.51.43]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9198943D48 for ; Sat, 13 May 2006 02:52:28 +0000 (GMT) (envelope-from ambrisko@ambrisko.com) Received: from server2.ambrisko.com (HELO www.ambrisko.com) ([192.168.1.2]) by mail.ambrisko.com with ESMTP; 12 May 2006 19:51:30 -0700 Received: from ambrisko.com (localhost [127.0.0.1]) by www.ambrisko.com (8.12.11/8.12.11) with ESMTP id k4D2qReb014904; Fri, 12 May 2006 19:52:28 -0700 (PDT) (envelope-from ambrisko@ambrisko.com) Received: (from ambrisko@localhost) by ambrisko.com (8.12.11/8.12.11/Submit) id k4D2qRkl014903; Fri, 12 May 2006 19:52:27 -0700 (PDT) (envelope-from ambrisko) 
From: Doug Ambrisko
Message-Id: <200605130252.k4D2qRkl014903@ambrisko.com>
In-Reply-To: <44652E3C.4010704@elischer.org>
To: Julian Elischer
Date: Fri, 12 May 2006 19:52:27 -0700 (PDT)
Cc: Evren Yurtesen, freebsd-net@freebsd.org
Subject: Re: vlan/bridge problems..

Julian Elischer writes:
| Evren Yurtesen wrote:
| > Doug Ambrisko wrote:
| >
| >> Evren Yurtesen writes:
| >> | I tried to bridge vlan with ethernet but I am having troubles.
| >> |
| >> | net.link.ether.bridge_cfg: fxp0:2,fxp3:2,fxp2:3,vlan0:3
| >> | net.link.ether.bridge: 1
| >> | net.link.ether.bridge_ipfw: 0
| >> | net.link.ether.bridge_ipf: 0
| >> | net.link.ether.bridge_ipfw_drop: 0
| >> | net.link.ether.bridge_ipfw_collisions: 0
| >> |
| >> | fxp0 - fxp3 bridge works fine
| >> | vlan0 is attached to fxp3 (trunk)
| >> |
| >> | vlan0 - fxp2 bridge doesn't work! I can ping IP of fxp2 but not to
| >> | any host connected to fxp2.
| >> |
| >> | Can this be because I am using fxp3 as a normal interface + a
| >> | vlan trunk at the same time?
| >>
| >> It wouldn't work for me since the if_vlan device calls the device
| >> driver's output mechanism directly and the SW input path would ignore
| >> handling of VLAN packets ... or at least this used to be an issue.
| >> My machines that I needed this for are patched locally to make it work.
| >>
| >> I don't know the current state of this. It gets to be a bit of
| >> a mess re-injecting the packet into the stack on output with loops etc.
| >> The ordering of post netgraph/bridge has some issues. It probably
| >> should be tagged and use that to prevent loops.
| >
| > Well, I think vlans do not bridge on 4.x
|
| that may or may not be true.. I think I have seen it working..
| I think netgraph bridging should work.

Only if doing netgraph vlan. Not if_vlan.

| it may depend on whether you are doing hardware vlan tagging.

I disable HW vlan support.

Doug A.

From owner-freebsd-net@FreeBSD.ORG Sat May 13 09:32:35 2006
From: "Vadim Goncharov"
Organization: AVTF TPU Hostel
To: "Luigi Rizzo"
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Date: Sat, 13 May 2006 16:31:27 +0700
References: <44648E66.6010800@freebsdbrasil.com.br> <20060512065327.B16302@xorpc.icir.org> <20060512085631.A19484@xorpc.icir.org>
In-Reply-To: <20060512085631.A19484@xorpc.icir.org>
Subject: Re: [patch] ipfw packet tagging

12.05.06 22:56 Luigi Rizzo wrote:

>> A question about features: is it worth adding functionality of matching
>> range of tags? For example:
>>
>> ipfw add pass ip from any to any tagged 1-5,10,20
>
> i think it is a useful feature, and if you reuse the existing code
> for matching port ranges etc to implement it, performance should
> be reasonably good.

OK, Andrey made a new version of the patches available:
http://butcher.heavennet.ru/patches/kernel/ipfw_tags/

The manpage patch is integrated, as well as the new untag/tagged range
functionality, based on the existing port range matching code. A short
test showed that it works.

-- 
WBR, Vadim Goncharov

From owner-freebsd-net@FreeBSD.ORG Sat May 13 09:38:01 2006
From: Julian Elischer
Message-ID: <4465A8F8.2020601@elischer.org>
Date: Sat, 13 May 2006 02:38:00 -0700
To: Vadim Goncharov
Cc: Luigi Rizzo, freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
References: <44648E66.6010800@freebsdbrasil.com.br> <20060512065327.B16302@xorpc.icir.org> <20060512085631.A19484@xorpc.icir.org>
Subject: Re: [patch] ipfw packet tagging

Vadim Goncharov wrote:
> 12.05.06 22:56 Luigi Rizzo wrote:
>
>>> A question about features: is it worth adding functionality of matching
>>> range of tags? For example:
>>>
>>> ipfw add pass ip from any to any tagged 1-5,10,20
>>
>>
>> i think it is a useful feature, and if you reuse the existing code
>> for matching port ranges etc to implement it, performance should
>> be reasonably good.
>
>
> OK, Andrey made a new version of the patches available:
> http://butcher.heavennet.ru/patches/kernel/ipfw_tags/
>
> The manpage patch is integrated, as well as the new untag/tagged range
> functionality, based on the existing port range matching code. A short
> test showed that it works.

I might suggest that the new 'tablearg' keyword be usable in a tag
command, allowing a table to contain entries that give different tags.
(I don't think it is in 5 but it may be in 6.. (not sure))

would be cool however.
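To make the semantics under discussion concrete, here is an added Python model (not the ipfw_tags patch or any FreeBSD code) of how `tagged 1-5,10,20` and `untag` would match a list parsed the way ipfw parses port lists, plus the hypothetical `tag tablearg` lookup Julian suggests, where a table value becomes the tag. The table contents and packet addresses are constructed for the example.

```python
import ipaddress


def parse_range_list(spec):
    """Parse an ipfw-style list such as "1-5,10,20" into (lo, hi) pairs.

    Mirrors the shape of ipfw's port-list syntax, which the thread
    proposes reusing for tag matching."""
    ranges = []
    for item in spec.split(","):
        lo_s, _, hi_s = item.partition("-")
        lo = int(lo_s)
        hi = int(hi_s) if hi_s else lo
        if lo > hi:
            raise ValueError(f"reversed range {item!r}")
        ranges.append((lo, hi))
    return ranges


def tagged_matches(tags, spec):
    """'tagged SPEC' matches when any tag on the packet is in the list."""
    ranges = parse_range_list(spec)
    return any(lo <= t <= hi for t in tags for lo, hi in ranges)


def untag(tags, spec):
    """'untag SPEC' strips every tag that falls into the list."""
    ranges = parse_range_list(spec)
    return {t for t in tags if not any(lo <= t <= hi for lo, hi in ranges)}


def tablearg_tag(table, addr):
    """Hypothetical 'tag tablearg': the value of the longest prefix in the
    table containing addr becomes the tag; None when nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, value in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return None if best is None else best[1]


# Constructed sample table: prefix -> tag value (not from the thread).
TABLE = [("10.0.0.0/8", 1), ("10.1.0.0/16", 10), ("192.168.0.0/16", 7)]


def classify(src, spec="1-5,10,20", table=TABLE):
    """Tag a packet from src via the table, then evaluate 'tagged SPEC'."""
    tag = tablearg_tag(table, src)
    tags = set() if tag is None else {tag}
    return tagged_matches(tags, spec)


if __name__ == "__main__":
    for src in ("10.1.2.3", "10.9.9.9", "192.168.1.1", "172.16.0.1"):
        print(src, "-> tag", tablearg_tag(TABLE, src), "match", classify(src))
```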
From owner-freebsd-net@FreeBSD.ORG Sat May 13 10:09:12 2006
From: "Vadim Goncharov"
Organization: AVTF TPU Hostel
To: "Julian Elischer"
Cc: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Date: Sat, 13 May 2006 17:08:03 +0700
References: <44648E66.6010800@freebsdbrasil.com.br> <20060512065327.B16302@xorpc.icir.org> <20060512085631.A19484@xorpc.icir.org> <4465A8F8.2020601@elischer.org>
In-Reply-To: <4465A8F8.2020601@elischer.org>
Subject: Re: [patch] ipfw packet tagging

13.05.06 @ 16:38 Julian Elischer wrote:

>>>> A question about features: is it worth adding functionality of
>>>> matching
>>>> range of tags? For example:
>>>>
>>>> ipfw add pass ip from any to any tagged 1-5,10,20
>>>
>>>
>>> i think it is a useful feature, and if you reuse the existing code
>>> for matching port ranges etc to implement it, performance should
>>> be reasonably good.
>>
>>
>> OK, Andrey made a new version of the patches available:
>> http://butcher.heavennet.ru/patches/kernel/ipfw_tags/
>>
>> The manpage patch is integrated, as well as the new untag/tagged range
>> functionality, based on the existing port range matching code. A short
>> test showed that it works.
>
>
> I might suggest that the new 'tablearg' keyword be usable in a tag
> command, allowing a table to contain entries that give different tags.
> (I don't think it is in 5 but it may be in 6.. (not sure))
>
> would be cool however.

Maybe, but I can't imagine a real situation where it can be useful, as
tables already contain IP addresses. Can you give a real-life example
where it helps?

-- 
WBR, Vadim Goncharov

From owner-freebsd-net@FreeBSD.ORG Sat May 13 12:42:54 2006
From: Evren Yurtesen
Message-ID: <4465D438.30506@ispro.net>
Date: Sat, 13 May 2006 15:42:32 +0300
To: Doug Ambrisko
Cc: freebsd-net@freebsd.org, Julian Elischer
References: <200605130252.k4D2qRkl014903@ambrisko.com>
In-Reply-To: <200605130252.k4D2qRkl014903@ambrisko.com>
Subject: Re: vlan/bridge problems..

Doug Ambrisko wrote:
> Julian Elischer writes:
> | Evren Yurtesen wrote:
> | > Doug Ambrisko wrote:
> | >
> | >> Evren Yurtesen writes:
> | >> | I tried to bridge vlan with ethernet but I am having troubles.
> | >> |
> | >> | net.link.ether.bridge_cfg: fxp0:2,fxp3:2,fxp2:3,vlan0:3
> | >> | net.link.ether.bridge: 1
> | >> | net.link.ether.bridge_ipfw: 0
> | >> | net.link.ether.bridge_ipf: 0
> | >> | net.link.ether.bridge_ipfw_drop: 0
> | >> | net.link.ether.bridge_ipfw_collisions: 0
> | >> |
> | >> | fxp0 - fxp3 bridge works fine
> | >> | vlan0 is attached to fxp3 (trunk)
> | >> |
> | >> | vlan0 - fxp2 bridge doesn't work! I can ping IP of fxp2 but not to
> | >> | any host connected to fxp2.
> | >> |
> | >> | Can this be because I am using fxp3 as a normal interface + a
> | >> | vlan trunk at the same time?
> | >>
> | >> It wouldn't work for me since the if_vlan device calls the device
> | >> driver's output mechanism directly and the SW input path would ignore
> | >> handling of VLAN packets ... or at least this used to be an issue.
> | >> My machines that I needed this for are patched locally to make it work.
> | >>
> | >> I don't know the current state of this. It gets to be a bit of
> | >> a mess re-injecting the packet into the stack on output with loops etc.
> | >> The ordering of post netgraph/bridge has some issues. It probably
> | >> should be tagged and use that to prevent loops.
> | >
> | > Well, I think vlans do not bridge on 4.x
> |
> | that may or may not be true.. I think I have seen it working..
> | I think netgraph bridging should work.
>
> Only if doing netgraph vlan. Not if_vlan.
>
> | it may depend on whether you are doing hardware vlan tagging.
>
> I disable HW vlan support.
>
> Doug A.

I have to admit, ng_vlan seems much more difficult to use somehow. I have
been going through the manual pages of netgraph but it somehow doesn't
make sense to read bits and pieces. Not that I am blaming anybody for bad
documentation, I need to sit down and read slowly :)

I would prefer to use 5.x or 6.x instead. The fact is that my needs are
so simple that it is not worth messing with netgraph (I think).

Thanks anyway,
Evren

From owner-freebsd-net@FreeBSD.ORG Sat May 13 23:03:28 2006
From: Bruce M Simpson
To: Stephen Clark, Robert Watson, freebsd-net@freebsd.org, pavlin@icir.org, atanu@icir.org
Message-ID: <20060513230315.GE79277@spc.org>
Date: Sun, 14 May 2006 00:03:15 +0100
References: <20060509122801.GA65297@spc.org> <20060509131517.GB79277@spc.org> <20060512030152.X20138@fledge.watson.org> <4463FD1D.9010600@seclark.us> <20060512131227.GD79277@spc.org>
In-Reply-To: <20060512131227.GD79277@spc.org>
Organization: Incunabulum
Subject: [PATCH] Re: IP_MAX_MEMBERSHIPS story.

Hello,

On Fri, May 12, 2006 at 02:12:27PM +0100, Bruce M Simpson wrote:
> Therefore, joining the same group 20 times on different interfaces
> would exceed IP_MAX_MEMBERSHIPS.
> Fixing this in any way would still break the ip_mroute_kmod ABI and
> as such is a HEAD change.

A patch for this issue, against FreeBSD 6.1-RELEASE, is now available at
this location:
http://people.freebsd.org/~bms/ipmaxgroups.diff

The general logic of the patch should also be applicable to other
4.4BSD-derived operating systems; the patch will probably also apply to
HEAD with little or no fuzz.

I have performed some initial testing (using mtest driven via jot to join
a set of ephemeral multicast groups) on a 2-cpu system and it looks good
from here. I would greatly appreciate further testing, particularly in a
production routing environment such as yours, if at all possible. When I
receive more feedback I will be happy to commit the patch.

Because of the nature of this patch, it will break the ABI with regards to
the ip_mroute kernel module (IPv4 multicast routing), therefore the patch
can only be committed to HEAD for the time being.

Regards,
BMS