logs/traces
Hi, Could someone please guide me on how to turn on tracing/log? I would like to follow/track how packets go in/out of TCP code block... Please let me know what knobs are available to achieve this. Thanks for any pointers. ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: DHCPv6 client in base
Roy Marples wrote in : ro> On 13/10/2019 20:32, Hiroki Sato wrote: ro> > Ben Woods wrote ro> >in ro> >: ro> > wo> On Fri, 11 Oct 2019 at 08:32, Ben Woods ro> > wrote: ro> > wo> As promised, I have completed my initial work to import dhcpcd ro> > into FreeBSD ro> > wo> base, and it is ready for review, testing and comment at the link ro> > below. ro> > wo> https://reviews.freebsd.org/D22012 ro> > wo> ro> > wo> As per the comment from brooks@, I have opted to have it installed ro> > in ro> > wo> parallel with dhclient (which remains the default). ro> > How do you want to proceed the discussion? I sent my view and made ro> > myself clear that importing dhcpcd into the base system as-is is not ro> > a good idea. What is your answer to my concerns? I also agree with ro> > Brooks about a need for sandboxing before the import if it will ro> > happen. Do you have any plan to add changes to the imported dhcpcd? ro> ro> Sorry if it was not clear. The discussion involves what is the ro> required acceptance for Priviledge Seperation because this is quite ro> new to me. ro> ro> My current idea is to open DHCP, IPv6RA and DHCP6 ports, chroot, drop ro> privs and fork. This concept is pretty standard thus far. These are ro> listening ports only and will dry-run any received message through ro> dhcpcd's two commons paths: ro> 1) extract address and routing information without applying it ro> 2) environment option generation from the whole message A typical separation is three process model which contains processes for 1) sending/accepting packets (and parsing them), 2) state machine for each protocol handling, and 3) global namespace access (file, routing socket, network interface state, etc). The superuser privilege can be dropped in 1) and 2) completely. 1) and 3) communicate with 2) on demand or event-driven basis. 1) do not communicate directly with 3). Protocol-specific routines are in 1) and 2)---the former handles its wire-format, and the latter deals with protocol-specific state machines. However, this is often an overkill for a small, single-protocol network daemon. A two process model which contains one for 1)+2) and another for 3) above is used in sbin/dhclient, for example. I think this separation is the minimum level. 3) performs privileged tasks such as ioctls for network interfaces. I believe the three process model is appropriate for dhcpcd because of the nature of multi-protocol support. Parsing is one of the attack surfaces. For instances, a dhcp6_findoption() loop in dhcp6_recv() should be in process 1 and changes of D6_STATE(ifp) should be managed in process 2. The current dhcp6_bind() directly uses dhcp6_findmoption() to extract options from a DHCP message on demand and also directly accesses the global namespace by using dhcp6_writelease(ifp). These packet inspection and file access can be replaced with IPC requests to process 1 or 3 in the model, and it can be realized without a big structural change to the original logic in dhcp6.c (though it requires a certain amount of changes to the current code). In the ideal world everything should work fine and this kind of separation just sounds to make the program complex unnecessary, but an incomplete separation between the possible attack surfaces and access to the global namespace does not provide a good security even if the superuser privilege dropped. Note that these are just my own view, not a requirement for something nor feature request. I think lack of privsep must be considered if dhclient is replaced, but I also think replacing dhclient is beyond the discussion of DHCPv6. Anyway, You might want to create a new email thread for sandboxing of dhcpcd on FreeBSD if you want to continue to discuss it. Probably developers with more expertise in security can make a comment. -- Hiroki pgpwyQgQP7bHt.pgp Description: PGP signature
[Bug 241162] Panic in closefp() triggered by nginx
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241162 --- Comment #4 from Dmitry Marakasov --- I've built 12.0-RELEASE kernel with the patch from 239893, but this didn't help. However, I've discovered what has triggered the panic - I have uwsgi behing nginx setup on that box, and the panic appears every ~1-3 hours if sendfile is enabled in uwsgi (sendfile is disabled in nginx). I'll try updating to 12.1-RC now -- You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug. ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
[Bug 241162] Panic in closefp() triggered by nginx
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241162 mark.marti...@ijs.si changed: What|Removed |Added CC||mark.marti...@ijs.si --- Comment #5 from mark.marti...@ijs.si --- Similar to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=59 (also nginx+uwsgi+sendfile), although that was fixed in 2017. -- You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug. ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
[Bug 240320] ixgbe: EEE state change causes core dump on X552
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240320 Eric Joyner changed: What|Removed |Added CC||e...@freebsd.org Assignee|n...@freebsd.org |e...@freebsd.org -- You are receiving this mail because: You are the assignee for the bug. ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
[Bug 241162] Panic in closefp() triggered by nginx (uwsgi with sendfile(2) enabled)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241162 Kubilay Kocak changed: What|Removed |Added CC||gleb...@freebsd.org, ||kbowl...@freebsd.org See Also||https://bugs.freebsd.org/bu ||gzilla/show_bug.cgi?id=2398 ||93, ||https://bugs.freebsd.org/bu ||gzilla/show_bug.cgi?id= ||59 Summary|Panic in closefp() |Panic in closefp() |triggered by nginx |triggered by nginx (uwsgi ||with sendfile(2) enabled) Severity|Affects Only Me |Affects Some People -- You are receiving this mail because: You are on the CC list for the bug. You are the assignee for the bug. ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
[Bug 241162] Panic in closefp() triggered by nginx (uwsgi with sendfile(2) enabled)
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=241162 --- Comment #6 from Kubilay Kocak --- (In reply to Dmitry Marakasov from comment #4) @Dmitry Could you attach the nginx / uwsgi configurations, as an attachment, sanitized if necessary, that reproduce the issue -- You are receiving this mail because: You are the assignee for the bug. You are on the CC list for the bug. ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: logs/traces
Use tcpdump(1) and/or net/wireshark(5). See man tcpdump and pcap-filter for usage details. wireshark can analyze files collected by tcpdump and dissect the packets. It can also do packet capture, itself. -- Kevin Oberman, Part time kid herder and retired Network Engineer E-mail: rkober...@gmail.com PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 On Tue, Oct 15, 2019 at 3:17 AM vm finance wrote: > Hi, > > Could someone please guide me on how to turn on tracing/log? > > I would like to follow/track how packets go in/out of TCP code block... > Please let me know what knobs are available to achieve this. > > Thanks for any pointers. > ___ > freebsd-net@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org" > ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: logs/traces
Hi Kevin, I am looking to enable traces/log messages (like syslog or /var/log/messages) inside the codebase... any pointers for tcp/ip. tcpdump shows what is going on wire - but I would like to trace code internals...printk.. Thanks a lot! On Tue, Oct 15, 2019 at 6:11 PM Kevin Oberman wrote: > Use tcpdump(1) and/or net/wireshark(5). See man tcpdump and pcap-filter > for usage details. wireshark can analyze files collected by tcpdump and > dissect the packets. It can also do packet capture, itself. > -- > Kevin Oberman, Part time kid herder and retired Network Engineer > E-mail: rkober...@gmail.com > PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 > > > On Tue, Oct 15, 2019 at 3:17 AM vm finance wrote: > >> Hi, >> >> Could someone please guide me on how to turn on tracing/log? >> >> I would like to follow/track how packets go in/out of TCP code block... >> Please let me know what knobs are available to achieve this. >> >> Thanks for any pointers. >> ___ >> freebsd-net@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/freebsd-net >> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org" >> > ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
Re: logs/traces
Have you looked at siftr(4) or dtrace_tcp(4)? Regards, Navdeep On Tue, Oct 15, 2019 at 07:15:27PM -0700, vm finance wrote: > Hi Kevin, > > I am looking to enable traces/log messages (like syslog or > /var/log/messages) inside the codebase... any pointers for tcp/ip. > tcpdump shows what is going on wire - but I would like to trace code > internals...printk.. > > Thanks a lot! > > On Tue, Oct 15, 2019 at 6:11 PM Kevin Oberman wrote: > > > Use tcpdump(1) and/or net/wireshark(5). See man tcpdump and pcap-filter > > for usage details. wireshark can analyze files collected by tcpdump and > > dissect the packets. It can also do packet capture, itself. > > -- > > Kevin Oberman, Part time kid herder and retired Network Engineer > > E-mail: rkober...@gmail.com > > PGP Fingerprint: D03FB98AFA78E3B78C1694B318AB39EF1B055683 > > > > > > On Tue, Oct 15, 2019 at 3:17 AM vm finance wrote: > > > >> Hi, > >> > >> Could someone please guide me on how to turn on tracing/log? > >> > >> I would like to follow/track how packets go in/out of TCP code block... > >> Please let me know what knobs are available to achieve this. > >> > >> Thanks for any pointers. > >> ___ > >> freebsd-net@freebsd.org mailing list > >> https://lists.freebsd.org/mailman/listinfo/freebsd-net > >> To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org" > >> > > > ___ > freebsd-net@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org" ___ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
