From a2ad263b26e1744b41ed9cd9b8af91ab637fb289 Mon Sep 17 00:00:00 2001 From: Stephan Date: Thu, 12 May 2022 11:16:49 +0200 Subject: [PATCH] Troubleshooting / Network: restructure old sections and provide netmap bridge guide --- source/troubleshooting/gateways.rst | 19 +---------- source/troubleshooting/network.rst | 50 +++++++++++++++++++++++++++-- 2 files changed, 48 insertions(+), 21 deletions(-) diff --git a/source/troubleshooting/gateways.rst b/source/troubleshooting/gateways.rst index db6d15da..b923564f 100644 --- a/source/troubleshooting/gateways.rst +++ b/source/troubleshooting/gateways.rst 
@@ -12,24 +12,7 @@ dpinger:.. sendto error: XXX Usually found in :menuselection:`System --> Log Files --> General`, every code has a meaning, usually explained in `errno.h `__ (:code:`man errno`) -Some common ones are explained below: - -====== ==================== ================================================================================= -XX Name Description -====== ==================== ================================================================================= -55 ENOBUFS No buffer space available. An operation on a socket or pipe was not performed - because the system lacked sufficient buffer space or because a queue was full. - **Check connectivity from the machine itself using** :code:`ping`, most common - mistakes are misconfigured routes, interface issues (disconnected) and - policy based routing issues forcing traffic to the wrong target - (using :code:`reply-to`) -64 EHOSTDOWN Host is down. A socket operation failed because the destination host was down. - **Expecting an (layer 2) ARP response but none was returned, often misconfigured - subnets or hosts are actually not accessible over L2** -65 EHOSTUNREACH No route to host. A socket operation was attempted to an unreachable host - **The routing table is a good place to look** - (:menuselection:`System --> Routes --> Status`) -====== ==================== ================================================================================= +Some common ones are explained in the :ref:`errno` section. ------------------------------------------ arpresolve: can't allocate llinfo for.. diff --git a/source/troubleshooting/network.rst b/source/troubleshooting/network.rst index 2ef39d90..70d2a380 100644 --- a/source/troubleshooting/network.rst +++ b/source/troubleshooting/network.rst 
@@ -4,10 +4,12 @@ Network --------------------------------- -netmap (IPS, Sensei, ...) +Netmap (IPS, Sensei, ...) --------------------------------- -Netmap is a technology which enables fast packet processing while minimizing overhead, there are however some pittfals +**General** + +Netmap is a technology which enables fast packet processing while minimizing overhead, there are however some pitfalls which may turn your network interface unreachable. Before using this technology, always make sure you have access via another interface (or console) to your firewall 
@@ -26,5 +28,47 @@ Tunable Description =========================================== ================================================================================= hw.ixl.enable_head_writeback Intel :code:`ixl(4)` tunable for increased tx performance, OPNsense standard value is disabled. - +dev.ax..sph_enable AMD tunable to split header and payload into a separate buffer respectively, + Netmap requires a uniform view of a packet. Disabled by default + on OPNsense. =========================================== ================================================================================= + +**Decoupling Netmap from an application** + +It can be useful to split the functionality of Netmap and the application using it in order to determine whether it's +Netmap or the application at fault for connectivity issues. To aid in this, Netmap's :code:`bridge` utility has been +added to our pkg repository for easy installation and use. To avoid ambiguity, it has been renamed to :code:`netmap-bridge`. + +You can install it by running :code:`pkg install netmap-bridge` (:code:`man netmap-bridge`). + +:code:`netmap-bridge` provides a L2 software bridge between two interfaces, but can also be used to bridge an interface +and the host network stack like Suricata does. To replicate the behaviour of Suricata without actually running Suricata, run +:code:`netmap-bridge -i netmap:igb1`. Replace the interface as appropriate. While it is running, pass traffic as normal to +determine if an original issue persists. + +.. _errno: + +--------------------------------- +Common error codes +--------------------------------- + +Any piece of software that uses system calls to communicate over sockets use the standard interface +`errno.h `__ (:code:`man errno`). If an error +is logged, a return code is associated to a specific reason of failure. 
Some common ones are explained below: + +====== ==================== ================================================================================= +XX Name Description +====== ==================== ================================================================================= +55 ENOBUFS No buffer space available. An operation on a socket or pipe was not performed + because the system lacked sufficient buffer space or because a queue was full. + **Check connectivity from the machine itself using** :code:`ping`, most common + mistakes are misconfigured routes, interface issues (disconnected) and + policy based routing issues forcing traffic to the wrong target + (using :code:`reply-to`) +64 EHOSTDOWN Host is down. A socket operation failed because the destination host was down. + **Expecting an (layer 2) ARP response but none was returned, often misconfigured + subnets or hosts are actually not accessible over L2** +65 EHOSTUNREACH No route to host. A socket operation was attempted to an unreachable host + **The routing table is a good place to look** + (:menuselection:`System --> Routes --> Status`) +====== ==================== =================================================================================
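Review bot: In the gateways.rst hunk, the new cross-reference `:ref:`errno`` relies on a global Sphinx label named `errno`, which is generic enough to collide with a label added elsewhere in the docs later (Sphinx then warns about a duplicate label and the link resolves to whichever wins). Consider a namespaced label such as `troubleshooting-errno` in both the `.. _errno:` target and this reference. Also, the link to the FreeBSD errno.h source is kept inline here while the same link is repeated in the new section; pointing readers only at the new section would avoid maintaining the URL twice.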
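Review bot: In the first network.rst hunk, `**General**` is bold body text standing in for a subsection title, so it will not appear in the sidebar or table of contents and cannot be linked to; the same applies to the later `**Decoupling Netmap from an application**`. Since the page already uses overlined/underlined section titles, a proper subsection adornment (for example a `~~~` underline) would be consistent with the rest of the troubleshooting pages. While touching this paragraph, "may turn your network interface unreachable" reads better as "may render your network interface unreachable".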
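Review bot: In the second network.rst hunk, the new table row names the tunable as `dev.ax..sph_enable`; if the double dot stands for the device unit number the text should say so (for example "where `..` is the unit number"), otherwise readers will copy the literal name into `loader.conf` and the setting will silently not apply. In the "Common error codes" paragraph, "Any piece of software that uses system calls ... use the standard interface" should be "uses", and "a return code is associated to a specific reason of failure" should be "associated with a specific failure reason". For the `netmap-bridge -i netmap:igb1` instructions it would help to state explicitly that the IPS should be stopped before running the bridge, since the text says it replicates Suricata's behaviour "without actually running Suricata" but never tells the reader to stop the service first.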