Re: User-space PPP source code
On Mon, 7 Jan 2008, Krishnan Nair wrote:

> Hi,
> I am looking for user-space PPP source code, but couldn't find it.
> Could you please let me know the path from where I can download it?

it lives in usr.sbin/ppp :
http://www.freebsd.org/cgi/cvsweb.cgi/src/usr.sbin/ppp/

How you can get it is described in this chapter:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html

--
Bjoern A. Zeeb    bzeeb at Zabbadoz dot NeT
Software is harder than hardware so better get it right the first time.
___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Current problem reports assigned to freebsd-net@FreeBSD.org
Current FreeBSD problem reports

Critical problems

S  Tracker      Resp.  Description
f  kern/115360  net    [ipv6] IPv6 address and if_bridge don't play well toge

1 problem total.

Serious problems

S  Tracker      Resp.  Description
a  kern/38554   net    changing interface ipaddress doesn't seem to work
s  kern/39937   net    ipstealth issue
f  kern/62374   net    panic: free: multiple frees
s  kern/81147   net    [net] [patch] em0 reinitialization while adding aliase
o  kern/92552   net    A serious bug in most network drivers from 5.X to 6.X
s  kern/95665   net    [if_tun] "ping: sendto: No buffer space available" wit
s  kern/105943  net    Network stack may modify read-only mbuf chain copies
o  kern/106316  net    [dummynet] dummynet with multipass ipfw drops packets
o  kern/108542  net    [bce]: Huge network latencies with 6.2-RELEASE / STABL
o  kern/112528  net    [nfs] NFS over TCP under load hangs with "impossible p
o  kern/112686  net    [patm] patm driver freezes System (FreeBSD 6.2-p4) i38
o  kern/112722  net    IP v4 udp fragmented packet reject
o  kern/113457  net    [ipv6] deadlock occurs if a tunnel goes down while the
o  kern/113842  net    [ipv6] PF_INET6 proto domain state can't be cleared wi
o  kern/114714  net    [gre][patch] gre(4) is not MPSAFE and does not support
o  kern/114839  net    [fxp] fxp looses ability to speak with traffic
o  kern/115239  net    [ipnat] panic with 'kmem_map too small' using ipnat
o  kern/116077  net    6.2-STABLE panic during use of multi-cast networking c
o  kern/116172  net    Network / ipv6 recursive mutex panic
o  kern/116185  net    if_iwi driver leads system to reboot
o  kern/116328  net    [bge]: Solid hang with bge interface
o  kern/116747  net    [ndis] FreeBSD 7.0-CURRENT crash with Dell TrueMobile
o  kern/116837  net    ifconfig tunX destroy: panic
o  kern/117271  net    [tap] OpenVPN TAP uses 99% CPU on releng_6 when if_tap
o  kern/117423  net    Duplicate IP on different interfaces
o  bin/117448   net    [carp] 6.2 kernel crash
o  kern/118880  net    [ipv6] IP_RECVDSTADDR & IP_SENDSRCADDR not implemented
o  kern/119225  net    7.0-RC1 no carrier with Prism 2.5 wifi card

28 problems total.
Non-critical problems

S  Tracker      Resp.  Description
o  conf/23063   net    [PATCH] for static ARP tables in rc.network
s  bin/41647    net    ifconfig(8) doesn't accept lladdr along with inet addr
o  kern/54383   net    [nfs] [patch] NFS root configurations without dynamic
s  kern/60293   net    FreeBSD arp poison patch
o  kern/95267   net    packet drops periodically appear
f  kern/95277   net    [netinet] [patch] IP Encapsulation mask_match() return
o  kern/100519  net    [netisr] suggestion to fix suboptimal network polling
o  kern/102035  net    [plip] plip networking disables parallel port printing
o  conf/102502  net    [patch] ifconfig name does't rename netgraph node in n
o  conf/107035  net    [patch] bridge interface given in rc.conf not taking a
o  kern/112654  net    [pcn] Kernel panic upon if_pcn module load on a Netfin
o  kern/114915  net    [patch] [pcn] pcn (sys/pci/if_pcn.c) ethernet driver f
o  bin/116643   net    [patch] fstat(1): add INET/INET6 socket details as in
o  bin/117339   net    [patch] route(8): loading routing management commands
o  kern/118722  net    [tcp] Many old TCP connections in SYN_RCVD state
o  kern/118727  net    [ng] [patch] add new ng_pf module
a  kern/118879  net    [bge] [patch] bge has checksum problems on the 5703 ch
o  kern/118975  net    [bge] [patch] Broadcom 5906 not handled by FreeBSD
o  bin/118987   net    ifconfig -l [address_family] does not work correct on

19 problems total.
Re: ipsec_tools will not compile after IPSEC_NAT_T patch
On Sat, Jan 05, 2008 at 04:55:21PM -0500, Lyle Scott III wrote:
> I applied the IPSEC_NAT_T patch from
> http://vanhu.free.fr/FreeBSD/patch-natt-freebsd6-2007-05-31.diff to FreeBSD
> 6.2-release-p9
> yesterday to include IPSEC_NAT_T support.
> i did a make buildworld buildkernel && make installworld installkernel &&
> shutdown -r now

Hi.

To answer your previous mail, you'll need to add IPSEC_NAT_T option to your configuration file, or kernel will be compiled without NAT-T support.

> Now when i recompile /usr/ports/security/ipsec-tools it passes the test for
> checking if the nat_t patch is installed but the port fails in make. I did
> some research and noticed the same function it errors at is in the patch.

Do you have the configure's output for this test ?

> Did i mess something up or what? I'm not sure where to go from here.
> Should i just delete /usr/src/* and extract a new src and start over?
>
> cc -DHAVE_CONFIG_H -I. -I../.. -I./../libipsec
> -I./../../src/racoon/missing -D_GNU_SOURCE
> -DSYSCONFDIR=\"/usr/local/etc/racoon\" -DADMINPORTDIR=\"/var/db/racoon\"
> -pipe -g -Wall -Werror -Wno-unused -MT isakmp.o -MD -MP -MF
> .deps/isakmp.Tpo -c -o isakmp.o isakmp.c
> isakmp.c: In function `isakmp_open':
> isakmp.c:1750: error: `UDP_ENCAP_ESPINUDP' undeclared (first use in this
> function)
> isakmp.c:1750: error: (Each undeclared identifier is reported only once
> isakmp.c:1750: error: for each function it appears in.)
> isakmp.c:1753: error: `UDP_ENCAP_ESPINUDP_NON_IKE' undeclared (first use in
> this function)
> isakmp.c:1757: error: `UDP_ENCAP' undeclared (first use in this function)
> *** Error code 1

Those defines are in netinet/udp.h

Please check if they are in your /usr/include/netinet/udp.h

If you find them there, that means your problem comes from your shell's environment (check SYSDIR, etc...).

If you don't find those defines in /usr/include/netinet/udp.h, check in /usr/src/sys/netinet/udp.h

If you find them, that means you had a problem while installing world, if you didn't find them, that means you had a problem while applying the patch.

Yvan.

--
NETASQ
http://www.netasq.com
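The header check described in the reply above, as an added shell example (not part of the original thread, the patch, or ipsec-tools). The function names `has_natt_macros` and `natt_diagnose` are hypothetical; the macro names and the two default header paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: walks the decision tree from the reply above.
# Macro names are taken from the compiler errors quoted in the thread.
NATT_MACROS="UDP_ENCAP UDP_ENCAP_ESPINUDP UDP_ENCAP_ESPINUDP_NON_IKE"

# has_natt_macros FILE
# Exit status 0 only if FILE is readable and #defines every NAT-T macro.
has_natt_macros() {
    [ -r "$1" ] || return 1
    for m in $NATT_MACROS; do
        # Match the whole macro name, so that UDP_ENCAP_ESPINUDP alone
        # does not count as a definition of UDP_ENCAP.
        grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+${m}([[:space:]]|\$)" "$1" \
            || return 1
    done
    return 0
}

# natt_diagnose [INSTALLED_HDR] [SOURCE_HDR]
# Prints where the build went wrong, following the reply's reasoning:
#   environment  - installed header has the defines; check SYSDIR etc.
#   installworld - only the source tree has them; installworld failed
#   patch        - neither has them; the patch was not applied
natt_diagnose() {
    installed=${1:-/usr/include/netinet/udp.h}
    source_hdr=${2:-/usr/src/sys/netinet/udp.h}
    if has_natt_macros "$installed"; then
        echo environment
    elif has_natt_macros "$source_hdr"; then
        echo installworld
    else
        echo patch
    fi
}
```

Source the file and run `natt_diagnose` with no arguments to check the two paths named in the reply, or pass two header paths to check another tree.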
Re: Implementation of Sampling for BPF
07.01.08 @ 04:01 Peter Wood wrote:

> > I don't think that modifying bpf.c is good solution, as userland is not the only consumer of BPF, think, for example, about ng_bpf. Moreover, what is the purpose of sampling, after all? BPF was never intended to be reliable every-packet solution.
>
> Certainly other things do use BPF, however in my case I'm not using them, and in the 1 in X solution I have developed so far it can be turned on and off and if it's of huge concern could be put between defines and a kernel config option be required to include it.

It's the question of doing things correctly(tm) so they are appropriate for inclusion into the main src tree of the FreeBSD Project - this must be universal enough to meet other people needs and to be supported. You of course are free to do any patches at your local site for your individual needs - many people do that customization on their own.

> I'm not looking to transform BPF into a solution to reliably sample every packet, I am looking at attempting to define which packets it discards so that there is an equal chance of sampling something that happens, rather than an unknown/unpredictable chance.

So what if a malicious packet will be skipped due to sampling, packet which is by other means undistinguishable from others before detailed analysis?

> I wanted to stop the packet being sent to BPF as high up the kernel chain as possible as to save as much CPU time as possible. There's no point in capturing everything we can and then having the user land program selectively chuck stuff when it could be done before all the various copying/switching/etc.

Low in chain instead of high, you mean? That's of course no point to sort out things in userland, but that's properties of given BPF program to filter - how much the userland program wants to receive before detailed analysis.

> > If you are monitoring in userland, Snort of course will not have enough time to process all of your data, so why not simply put at least two machines in parallel, one for each mirrored line?
>
> 1) This doesn't scale, in the next six to twelve months I'm going to be presented with a 10Gb uplink to our regional network. Now I know I'm going to have issues when that link reaches ~40% capacity anyway, but one thing at a time.
>
> 2) We don't have the machine room heat or power capacity spare to run more servers, and there are other projects that require capacity that are in the waiting list way ahead of mine. I'd love to buy a commercial hardware solution, unfortunately my budget is short by about $750k. So here I am with my favourite OS instead. God knows I've benefited from using FreeBSD, as has the institute I work for, at least if I do it properly I can say "guys, it's yours if you want it".

Putting as many servers as needed does scale well if you need only sampled data - just put an appropriate sampler/load balancer before them. And using FreeBSD on those servers will be cheaper than commercial hardware solution, too.

> 3) Because of our constraints we are satisfied with sampled data, we don't need full streams, but we would like controlled sampled data.

Why sample is enough to you? What exactly do you need? Maybe you'd rather write some simpler expressions for in-kernel filtering instead of heavy-weighted Snort?

--
WBR, Vadim Goncharov
Re: Implementation of Sampling for BPF
Good Afternoon,

> It's the question of doing things correctly(tm) so they are appropriate for inclusion into the main src tree of the FreeBSD Project - this must be universal enough to meet other people needs and to be supported. You of course are free to do any patches at your local site for your individual needs - many people do that customization on their own.

Indeed, and the latter part of your statement is what my primary goal is, however I'm unfamiliar with this part of the kernel and could do with a few pointers about what the correct way would be from a programmatic point of view.

> So what if a malicious packet will be skipped due to sampling, packet which is by other means undistinguishable from others before detailed analysis?

If this case happens it is unfortunate and it slips through the net, however malicious problems that I look for are more often flows rather than individual packets. We drop most protocols at the border that would give us an issue with one packet. There is a greater chance of managing to sample at least one packet of a malicious flow.

> Low in chain instead of high, you mean? That's of course no point to sort out things in userland, but that's properties of given BPF program to filter - how much the userland program wants to receive before detailed analysis.

Please forgive my use of low and high, it seems to depend on which end of the stack you're looking from :). I meant as close to it coming into the kernel as possible, yes.

> Putting as many servers as needed does scale well if you need only sampled data - just put an appropriate sampler/load balancer before them. And using FreeBSD on those servers will be cheaper than commercial hardware solution, too.

Again, no ability to buy a sampler/load balancer, nor any space/heat/power to run one in. My available equipment consists of two core networking devices, some fibre, two Intel gig optical cards and one powerful(ish) Dell server currently running FreeBSD 6.X, which needs bumping to 7.0 when it's released. The kit at the other end of these optical links is either busy or incapable of sampling.

> Why sample is enough to you? What exactly do you need? Maybe you'd rather write some simpler expressions for in-kernel filtering instead of heavy-weighted Snort?

I'm afraid I will not discuss our exact requirements in an open forum, this seems unwise from a security point of view. I would be happy to implement this as a BPF filter, but I'm unaware of how to sample in the filter language and count with variables, rather than look at fields in a packet.

More additional uses I could possibly foresee:

* NetFlow Generation - For which sampling is perfectly acceptable, although we currently do this in hardware.
* Statistics Generation - What are our users using our network for, etc. Now of course a lot of this data can be obtained from NetFlow (as we do at current) but there are aspects that can't, like average packet sizes per protocol, etc, things like that.
* Research - I'm regularly asked for sampled data from our network from researchers (which currently I turn down) but I'm assuming that they think sampled data is quite suitable.

I can understand your hesitation about including something like this in the project as a whole, but as I've said this is primarily for our purposes. If others would find it useful that's great and I'll maintain a patch on a webserver, if the project as a whole would find it useful that's great too. It would be nice at least from an academic point of view for FreeBSD to support other research too, for example the work being done to separate the congestion control to permit easier testing of different methods.

P.

--
Peter Wood <[EMAIL PROTECTED]>
Re: kern/109470: [wi] Orinoco Classic Gold PC Card Can't Channel Hop
Synopsis: [wi] Orinoco Classic Gold PC Card Can't Channel Hop

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: remko
Responsible-Changed-When: Mon Jan 7 17:29:15 UTC 2008
Responsible-Changed-Why:
Over to maintainer.

http://www.freebsd.org/cgi/query-pr.cgi?pr=109470
Re: kern/117043: [em] Intel PWLA8492MT Dual-Port Network adapter EEPROM Checksum is Not Valid
Synopsis: [em] Intel PWLA8492MT Dual-Port Network adapter EEPROM Checksum is Not Valid

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: remko
Responsible-Changed-When: Mon Jan 7 17:29:23 UTC 2008
Responsible-Changed-Why:
Over to maintainer.

http://www.freebsd.org/cgi/query-pr.cgi?pr=117043
Re: kern/119345: [ath] Unsuported Atheros 5424/2424 and CPU speedstep not recognized
Synopsis: [ath] Unsuported Atheros 5424/2424 and CPU speedstep not recognized

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: remko
Responsible-Changed-When: Mon Jan 7 17:33:18 UTC 2008
Responsible-Changed-Why:
For the if_ath part move over to -net

http://www.freebsd.org/cgi/query-pr.cgi?pr=119345
Re: kern/119361: [bge] bge(4) transmit performance problem
Synopsis: [bge] bge(4) transmit performance problem

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: remko
Responsible-Changed-When: Mon Jan 7 17:28:37 UTC 2008
Responsible-Changed-Why:
reassign to -net team

http://www.freebsd.org/cgi/query-pr.cgi?pr=119361
OT: ifconfig bridge0 span foo0 (under linux)
Hi,

real quick OT question: I have to move a setup to Linux :-\ and can't figure out how to do span ports with linux' brctl (or otherwise). If any of you happen to know, please let me know. This experiment made me - once again - appreciate the central documentation of FreeBSD. With Linux I just don't know where to look :-\

Thanks and sorry for the noise, but I'm desperate by now.

--
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
Re: kern/119432: route add -host -iface causes arp entry with nic's arp address (regression)
Synopsis: route add -host -iface causes arp entry with nic's arp address (regression)

Responsible-Changed-From-To: freebsd-bugs->freebsd-net
Responsible-Changed-By: linimon
Responsible-Changed-When: Mon Jan 7 20:13:12 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).

http://www.freebsd.org/cgi/query-pr.cgi?pr=119432