CARP Active-Active

2012-03-21 Thread Mike Barnard
Hi,

I hope this is the right place to ask about this (didn't think PF list
would be ideal for this question).

I have been reading on CARP in active-active mode and was wondering whether
this is possible in FreeBSD. It is possible to get it done on OpenBSD (
www.kernel-panic.it/openbsd/carp/carp4.html#carp-4.2.2)?

Does FreeBSD yet have IP load balancing on CARP? Are there plans to do this
on FreeBSD?


-- 
Mike

Of course, you might discount this possibility, but remember that one in a
million chances happen 99% of the time.

___
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"


Re: Cloning VLAN interfaces

2012-03-21 Thread Matt Burke
On 03/20/12 14:54, Gustau Perez Querol wrote:
>  VBoxManage modifyvm "FreeBSD virtual machine" --nic1 bridge --nictype
> bridge virtio --bridgeadapter vlan10

On my machines running virtualbox-ose-4.0.14, VBoxManage won't accept vlan
interfaces either - I need to kill the GUI then edit the config files to
change the physical interface to vlanN.

Also, when altering any other setting by the GUI, the process needs repeating.





Re: netstat: memstat_sysctl_all: Too many CPUs

2012-03-21 Thread Tom Evans
On Wed, Mar 21, 2012 at 5:57 AM, Ihsan Junaidi Ibrahim wrote:
> Sergey,
>
> It was upgraded from 8.2-RELEASE via freebsd-update so I'd assume the kernel 
> and world are in sync.
>

Confirm this, e.g. by running "ident /usr/bin/netstat"

You could also try the IDS feature of freebsd-update to check the
status of world - "freebsd-update IDS"

I'm not sure of the best way of restoring a particular release, but
you could always download {base,doc,games,kernel,ports,src}.txz from
9.0 release and install them over what you already have there.

Cheers

Tom


Re: Cloning VLAN interfaces

2012-03-21 Thread Gustau Perez Querol

On Wed, 21 Mar 2012 11:02:24 +, Matt Burke wrote:
> On 03/20/12 14:54, Gustau Perez Querol wrote:
>>  VBoxManage modifyvm "FreeBSD virtual machine" --nic1 bridge --nictype
>> bridge virtio --bridgeadapter vlan10
>
> On my machines running virtualbox-ose-4.0.14, VBoxManage won't accept vlan
> interfaces either - I need to kill the GUI then edit the config files to
> change the physical interface to vlanN.

  Mmm, I first tried the 4.1.51r40008 (the devel one). Now I'm running 
4.1.X (from redports) and the VBoxManage accepts a vlan interface as a 
bridged interface.

> Also, when altering any other setting by the GUI, the process needs
> repeating.

  That is correct, I have just checked that behavior and it also 
happens to me. I also noticed that the vbox GUI gets confused only if 
you go to the properties of the machine using a bridged vlan interface. If 
you don't go to the properties of the virtual machine, you will see in 
the panel on the right side that the virtual interfaces remain bridged 
to your real vlan interfaces.


  It would appear I've been lucky, as I'm running vbox in a headless 
machine so I have always used the TUI (which doesn't get confused about 
using vlan interfaces).


  If you succeed with ng, please let us know, I'm interested in 
netgraph. If you don't, at least you know you can do it by using the 
VBoxManage tool...


  Gustau


Re: bin/165413: [netgraph]: ngctl(8) does not work as advertised

2012-03-21 Thread glebius
Synopsis: [netgraph]: ngctl(8) does not work as advertised

State-Changed-From-To: open->closed
State-Changed-By: glebius
State-Changed-When: Wed Mar 21 13:40:46 UTC 2012
State-Changed-Why: 
Not a bug.

The code:

# ngctl mkpeer em0: netflow lower iface0

expects presence of em0: node. And you don't have this node unless
you have loaded ng_ether(4).

See ng_ether(4) for details.

http://www.freebsd.org/cgi/query-pr.cgi?pr=165413


RE: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

2012-03-21 Thread Seyit Özgür
Hello chris,

Here I get tcpdump with X param.. 

First look input errors.. it's about 60 mbit/sec and much more packets can't
process

   packets  errs idrops    bytes  packets  errs    bytes colls
     36356 42777      0  7747642      243     0   263462     0
     36732 41709      0  7681242      240     0   359432     0
     36422 41975      0  7677434      197     0   258142     0
     34042 42339      0  7487618      222     0   227152     0
     35987 44405      0  7863192      304     0   377624     0
     36454 41799      0  7665082      120     0   276008     0
     36870 41471      0  7671950      249     0   402546     0
     35951 42431      0  7674562      328     0   258136     0
     36398 41853      0  7667556       28     0    78640     0
     36098 42070      0  7660804        2     0      256     0
18446744073709551273  8555      0   836906        3     0      642     0
         2     0      0      144        2     0      272     0
         4     0      0      276        4     0      708     0
         2     0      0      148        2     0      260     0
         4     0      0      270        3     0      642     0
         2     0      0      148        2     0      256     0


Then tcpdump with X param, also I attach txt file in mail..

mailto:cswi...@mac.com]
Sent: Thursday, March 15, 2012 10:12 PM
To: Seyit Özgür
Cc: freebsd-net@freebsd.org
Subject: Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0
release

On Mar 15, 2012, at 12:49 PM, Seyit Özgür wrote:
> Today we tried to see what happens Malformed syn packets on FreeBSD 9.0 release..
> 
> Those packets rise to CPU %100 and stucks..
> 
> listening on ix0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 18:33:30.010215 IP vgn44-1-88-123-89-40.fbx.proxad.net > 85.xxx.xxx.90: tcp
> 18:33:30.010242 IP 225.74.196.88.sta.estpak.ee > 85.xxx.xxx.90: tcp
> 18:33:30.010269 IP Nnov-Prospekt.71.quantum.rn > 85.xxx.xxx.90: tcp
> 18:33:30.010296 IP host52-108-static.49-88-b.business.telecomitalia.it > 85.xxx.xxx.90: tcp
> 18:33:30.010325 IP 125.Red-88-1-75.dynamicIP.rima-tde.net > 85.xxx.xxx.90: tcp
> 
> I don't know which tool generate those packets.. but as we see I don't see
> seq, flag, length etc.. just this output on tcpdump...
> 
> Is there any kernel feature for do NOT process malformed syn packets ??

A firewall can block them before the system will see and try to process them
as incoming traffic.

Also, running tcpdump with -X will give both hex and ASCII rendition of the
packets, which would be helpful to identify what you mean by "malformed".

Regards,
-- 
-Chuck


Re: Cloning VLAN interfaces

2012-03-21 Thread jammin2night

On 21.03.2012 09:21, Gustau Perez Querol wrote:
> On Wed, 21 Mar 2012 11:02:24 +, Matt Burke wrote:
>> On 03/20/12 14:54, Gustau Perez Querol wrote:
>>>  VBoxManage modifyvm "FreeBSD virtual machine" --nic1 bridge --nictype
>>> bridge virtio --bridgeadapter vlan10
>>
>> On my machines running virtualbox-ose-4.0.14, VBoxManage won't accept vlan
>> interfaces either - I need to kill the GUI then edit the config files to
>> change the physical interface to vlanN.
>
>   Mmm, I first tried the 4.1.51r40008 (the devel one). Now I'm
> running 4.1.X (from redports) and the VBoxManage accepts a vlan
> interface as a bridged interface.
>
>> Also, when altering any other setting by the GUI, the process needs
>> repeating.
>
>   That is correct, I have just checked that behavior and it also
> happens to me. I also noticed that the vbox GUI gets confused only if
> you go to the properties of the machine using a bridged vlan interface.
> If you don't go to the properties of the virtual machine, you will see
> in the panel on the right side that the virtual interfaces remain
> bridged to your real vlan interfaces.
>
>   It would appear I've been lucky, as I'm running vbox in a headless
> machine so I have always used the TUI (which doesn't get confused
> about using vlan interfaces).
>
>   If you succeed with ng, please let us know, I'm interested in
> netgraph. If you don't, at least you know you can do it by using the
> VBoxManage tool...
>
>   Gustau

I was successful in creating the netgraph interface with the help of 
rozhuk...@gmail.com like:


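#!/usr/local/bin/bash

# Remove any nodes still attached to re0's hooks from an earlier run
ngctl shutdown re0:lower
ngctl shutdown re0:upper

# Insert an ng_hub between re0's lower and upper hooks
ngctl mkpeer re0: hub lower lower
ngctl name re0:lower re0-hub
ngctl connect re0: re0-hub: upper upper

# Attach an ng_vlan node to the hub and an ng_eiface (ngeth0) for VLAN 10
ngctl mkpeer re0-hub: vlan downstream downstream
ngctl name re0-hub:downstream re0-vlan
ngctl mkpeer re0-vlan: eiface vlan10 ether
ngctl msg re0-vlan: addfilter '{ vlan=10 hook="vlan10" }'
ifconfig ngeth0 up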

Using tcpdump on ngeth0 I could see traffic that mirrored the traffic 
of VLAN 10, but when traffic was generated in a VM, specifically I 
looked at DHCP traffic I could see the DHCP requests in the VM and on 
ngeth0, and I could see the DHCP offers back to the VM's MAC address on 
ngeth0, but I DID NOT see the traffic on the VM's ethernet port.  In my 
case I tested with FreeBSD-9.0-RELEASE AMD64 in the VM.


I hope to test the VBoxManage command line soon.

--mikej






Re: Malformed syn packet cause %100 cpu and interrupts FreeBSD 9.0 release

2012-03-21 Thread Chuck Swiger
On Mar 21, 2012, at 7:15 AM, Seyit Özgür wrote:
> Hello chris,

I'm Chuck, but no matter.

> Here I get tcpdump with X param.. 
> 
> First look input errors.. it's about 60 mbit/sec and much more packets can't
> process
> 
>    packets  errs idrops    bytes  packets  errs    bytes colls
>      36356 42777      0  7747642      243     0   263462     0
>      36732 41709      0  7681242      240     0   359432     0
[ ... ]

60 mbit/s of SYNs is a pretty significant DoS attack.  You should be involving 
your ISP to filter the source IPs before they hit your pipe, and probably pull 
in the police and/or national CERT organization.

> Then tcpdump with X param, also I attach txt file in mail..
> 
> 16:02:53.954863 IP 88.133.15.78 > x.x.x.x: tcp
>    0x0000:  4500 0050 10ba 07d0 6b06 7382 5885 0f4e  E..Pk.s.X..N
>    0x0010:  556f 065a f386 0050 45c4 8c77 9592 0241  Uo.Z...PE..w...A
>    0x0020:  00a3 3c4c b5a3  8807 a83a f215 b40d  ..
>    0x0030:  0006 acb5 0038 8f76 afd7 3d00    .8.v..=.
>    0x0040:


From inspection, that looks to be a normal TCP over IPv4 SYN packet from client 
port 62342 to your port 80...I didn't validate the checksums, though.  (No real 
point in obscuring the destination IP address, as it's in the packets you're 
showing.)

Regards,
-- 
-Chuck
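
Added example, not part of the original thread: the reply above leaves the checksums unvalidated, so this Python sketch decodes the 20-byte IPv4 header of the first quoted packet and verifies its header checksum per RFC 1071. The function names are illustrative; the header bytes are copied from rows 0x0000 and 0x0010 of the quoted dump.

```python
import struct

# First 20 bytes of the first packet in the quoted tcpdump -X output.
HEADER_HEX = "4500 0050 10ba 07d0 6b06 7382 5885 0f4e 556f 065a"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the fixed IPv4 header fields and verify the header checksum."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a complete IPv4 header")
    return {
        "total_len": total_len,
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset_bytes": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        # Summing a header whose checksum field is correct yields zero.
        "checksum_ok": internet_checksum(raw[:ihl]) == 0,
    }


def triage(hdr: dict) -> list:
    notes = []
    if not hdr["checksum_ok"]:
        notes.append("bad IPv4 header checksum")
    if hdr["frag_offset_bytes"] or hdr["more_fragments"]:
        notes.append("IP fragment")
    return notes


if __name__ == "__main__":
    print(triage(parse_ipv4_header(bytes.fromhex(HEADER_HEX))))
```

For these bytes the header checksum verifies, and the flags/fragment-offset word 0x07d0 decodes to a fragment offset of 16000 bytes with the more-fragments bit clear.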
