Re: svn commit: r226536 - head/sys/contrib/pf/net
On Wed, Oct 19, 2011 at 1:04 PM, Bjoern A. Zeeb wrote: > Author: bz > Date: Wed Oct 19 11:04:49 2011 > New Revision: 226536 > URL: http://svn.freebsd.org/changeset/base/226536 > > Log: > De-virtualize the pf_task_mtx lock. At the current state of pf locking > and virtualization it is not helpful but complicates things. I would disagree with this since its a step backwards and different direction with pf(4) code in general. The patch to actually fix it for vimage enabled kernels was simpler! > > Current state of art is to not virtualize these kinds of locks - > inp_group/hash/info/.. are all not virtualized either. > > MFC after: 3 days > > Modified: > head/sys/contrib/pf/net/pf_ioctl.c > head/sys/contrib/pf/net/pfvar.h > > Modified: head/sys/contrib/pf/net/pf_ioctl.c > == > --- head/sys/contrib/pf/net/pf_ioctl.c Wed Oct 19 10:16:42 2011 > (r226535) > +++ head/sys/contrib/pf/net/pf_ioctl.c Wed Oct 19 11:04:49 2011 > (r226536) > @@ -266,7 +266,7 @@ static struct cdevsw pf_cdevsw = { > static volatile VNET_DEFINE(int, pf_pfil_hooked); > #define V_pf_pfil_hooked VNET(pf_pfil_hooked) > VNET_DEFINE(int, pf_end_threads); > -VNET_DEFINE(struct mtx, pf_task_mtx); > +struct mtx pf_task_mtx; > > /* pfsync */ > pfsync_state_import_t *pfsync_state_import_ptr = NULL; > @@ -287,18 +287,18 @@ SYSCTL_VNET_INT(_debug, OID_AUTO, pfugid > &VNET_NAME(debug_pfugidhack), 0, > "Enable/disable pf user/group rules mpsafe hack"); > > -void > +static void > init_pf_mutex(void) > { > > - mtx_init(&V_pf_task_mtx, "pf task mtx", NULL, MTX_DEF); > + mtx_init(&pf_task_mtx, "pf task mtx", NULL, MTX_DEF); > } > > -void > +static void > destroy_pf_mutex(void) > { > > - mtx_destroy(&V_pf_task_mtx); > + mtx_destroy(&pf_task_mtx); > } > void > init_zone_var(void) 
> @@ -4381,11 +4381,8 @@ pf_load(void) > > init_zone_var(); > sx_init(&V_pf_consistency_lock, "pf_statetbl_lock"); > - init_pf_mutex(); > - if (pfattach() < 0) { > - destroy_pf_mutex(); > + if (pfattach() < 0) > return (ENOMEM); > - } > > return (0); > } > @@ -4413,14 +4410,13 @@ pf_unload(void) > V_pf_end_threads = 1; > while (V_pf_end_threads < 2) { > wakeup_one(pf_purge_thread); > - msleep(pf_purge_thread, &V_pf_task_mtx, 0, "pftmo", hz); > + msleep(pf_purge_thread, &pf_task_mtx, 0, "pftmo", hz); > } > pfi_cleanup(); > pf_osfp_flush(); > pf_osfp_cleanup(); > cleanup_pf_zone(); > PF_UNLOCK(); > - destroy_pf_mutex(); > sx_destroy(&V_pf_consistency_lock); > return error; > } > @@ -4432,10 +4428,12 @@ pf_modevent(module_t mod, int type, void > > switch(type) { > case MOD_LOAD: > + init_pf_mutex(); > pf_dev = make_dev(&pf_cdevsw, 0, 0, 0, 0600, PF_NAME); > break; > case MOD_UNLOAD: > destroy_dev(pf_dev); > + destroy_pf_mutex(); > break; > default: > error = EINVAL; > > Modified: head/sys/contrib/pf/net/pfvar.h > == > --- head/sys/contrib/pf/net/pfvar.h Wed Oct 19 10:16:42 2011 > (r226535) > +++ head/sys/contrib/pf/net/pfvar.h Wed Oct 19 11:04:49 2011 > (r226536) > @@ -237,19 +237,18 @@ struct pfi_dynaddr { > uma_zdestroy(var) > > #ifdef __FreeBSD__ > -VNET_DECLARE(struct mtx, pf_task_mtx); > -#define V_pf_task_mtx VNET(pf_task_mtx) > +extern struct mtx pf_task_mtx; > > -#define PF_LOCK_ASSERT() mtx_assert(&V_pf_task_mtx, MA_OWNED) > -#define PF_UNLOCK_ASSERT() mtx_assert(&V_pf_task_mtx, > MA_NOTOWNED) > +#define PF_LOCK_ASSERT() mtx_assert(&pf_task_mtx, MA_OWNED) > +#define PF_UNLOCK_ASSERT() mtx_assert(&pf_task_mtx, MA_NOTOWNED) > > #define PF_LOCK() do { \ > PF_UNLOCK_ASSERT(); \ > - mtx_lock(&V_pf_task_mtx); \ > + mtx_lock(&pf_task_mtx); \ > } while(0) > #define PF_UNLOCK() do { \ > PF_LOCK_ASSERT(); \ > - mtx_unlock(&V_pf_task_mtx); \ > + mtx_unlock(&pf_task_mtx); \ > } while(0) > #else > #define PF_LOCK_ASSERT() 
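Review bot: The failure return in pf_load() leaves V_pf_consistency_lock initialised: sx_init() runs just above, and `if (pfattach() < 0) return (ENOMEM);` exits without a matching sx_destroy(). Now that the mutex teardown has moved out of this path, the branch could become `if (pfattach() < 0) { sx_destroy(&V_pf_consistency_lock); return (ENOMEM); }`, assuming pfattach() leaves nothing else behind on failure. A comment at the MOD_LOAD case in pf_modevent() would also help, saying that pf_task_mtx is now global and must be initialised before any pf_load() takes PF_LOCK(); that ordering cannot be confirmed from these hunks. pf_load() begins before the hunk.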
> @@ -270,9 +269,6 @@ VNET_DECLARE(struct mtx, pf_task_mtx); > PF_LOCK(); \ > } while(0) > > -extern void init_pf_mutex(void); > -extern void destroy_pf_mutex(void); > - > #define PF_MODVER 1 > #define PFL
Re: svn commit: r262196 - head/sys/netpfil/pf
On Wed, Feb 19, 2014 at 4:32 PM, Gleb Smirnoff wrote: > Martin, > > M> > On Tue, Feb 18, 2014 at 10:17:12PM +, Martin Matuska wrote: > M> > M> Author: mm > M> > M> Date: Tue Feb 18 22:17:12 2014 > M> > M> New Revision: 262196 > M> > M> URL: http://svnweb.freebsd.org/changeset/base/262196 > M> > M> > M> > M> Log: > M> > M> De-virtualize pf_mtag_z [1] > M> > M> Process V_pf_overloadqueue in vnet context [2] > M> > M> > M> > M> This fixes two VIMAGE kernel panics and allows to simultaneously > M> > run host-pf > M> > M> and vnet jails. pf inside jails remains broken. > M> > M> > M> > M> PR:kern/182964 > M> > M> Submitted by:gleb...@freebsd.org [2], myself [1] > M> > M> Tested by:rodr...@freebsd.org, myself > M> > M> MFC after:2 weeks > M> > > M> > I've sent your patch to Nikos, who is working on pf+vimage. He > M> > also accumulates his work on pf+vimage in projects/pf branch, > M> > planning to do it properly and then merge to head in one go. > M> > I was waiting for his review. Yes, he is slow with reviews, > M> > but that's not a reason to commit w/o review. > > On Wed, Feb 19, 2014 at 02:01:23PM +0100, Martin Matuska wrote: > M> I understand your point - if anything is broken (or more broken than > M> before) I can revert this patch anytime. > M> > M> FreeNAS and other folks may fork separate branches and we can wait until > M> about FreeBSD 12.0 for the patch being reviewed so we can commit it > around > M> 14.0 - maybe we have switched to a completely different firewall at that > M> time and this issue becomes obsolete anyway. > > No need for sarcasm and top quoting. Since you already got sharp in > your reply, let me too. > > First of all. I did not submitted you [2], right now I just checked > my sent mail to ensure that. I submitted you other patch, that later > was rejected by zec@, and that patch was very unlike [2]. So > statement in commit message is not true. > > Second, these two changes are absolutely unrelated. 
They shouldn't > been committed as one patch. > > Third. As you already know, there is projects/pf branch, where Nicos > is getting things right wrt pf+VIMAGE. The patches should first go > to this branch and tested in it. Committing to head (even a good > code), you are creating conflicts for Nicos. You are fixing two > particular problems that hurt you, while Nicos tries to get things > right in general, for everyones sake. My approach on taskqueue > context (that was rejected by Marko), was also an attempt to > create a good and generic way of dealing with the problem. Unfortunately, > Marko didn't suggest good alternatives. > > Anyway this is not a reason to plumb problems in place. > > As you may notice yourself the code you added: > > if (IS_DEFAULT_VNET(curvnet)) > pf_mtag_z = uma_zcreate("pf mtags", sizeof(struct m_tag) + > sizeof(struct pf_mtag), NULL, NULL, pf_mtag_init, NULL, > UMA_ALIGN_PTR, 0); > > Is quite not like the rest of the code of the function. That is because > in head/ the per-VNET initialization in pf isn't separated from global > initialization. This is a generic problem, that Nikos is solving in > projects/pf. Making pf mtag zone in projects/pf would be more clean > than in head. And of course after your change merge of head to > projects/pf would fail. You could join Nikos efforts, but instead > you are just putting obstacles on his way. And mine too, since I > would do next merge. > > Well go do some work instead of runting around. You did not listen to me as well when you started doing work on pf. > -- > Totus tuus, Glebius. > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r229850 - in head: etc/rc.d sys/contrib/pf/net sys/netinet
You ARE testing this right? Since you removed code that you do not actually mention at all in the commit message!!! On Mon, Jan 9, 2012 at 9:50 AM, Gleb Smirnoff wrote: > Author: glebius > Date: Mon Jan 9 08:50:22 2012 > New Revision: 229850 > URL: http://svn.freebsd.org/changeset/base/229850 > > Log: > Bunch of fixes to pfsync(4) module load/unload: > > o Make the pfsync.ko actually usable. Before this change loading it >didn't register protosw, so was a nop. However, a module /boot/kernel >did confused users. > o Rewrite the way we are joining multicast group: >- Move multicast initialization/destruction to separate functions. >- Don't allocate memory if we aren't going to join a multicast group. >- Use modern API for joining/leaving multicast group. >- Now the utterly wrong pfsync_ifdetach() isn't needed. > o Move module initialization from SYSINIT(9) to moduledata_t method. > o Refuse to unload module, unless asked forcibly. > o Improve a bit some FreeBSD porting code: >- Use separate malloc type. >- Simplify swi sheduling. > > This change is probably wrong from VIMAGE viewpoint, however pfsync > wasn't VIMAGE-correct before this change, too. > > Glanced at by:bz > > Modified: > head/etc/rc.d/pfsync > head/sys/contrib/pf/net/if_pfsync.c > head/sys/netinet/in_proto.c > > Modified: head/etc/rc.d/pfsync > > == > --- head/etc/rc.d/pfsyncMon Jan 9 08:36:12 2012(r229849) > +++ head/etc/rc.d/pfsyncMon Jan 9 08:50:22 2012(r229850) 
> @@ -18,13 +18,6 @@ required_modules="pf" > > pfsync_prestart() > { > - # XXX Currently pfsync cannot be a module as it must register > - # a network protocol in a static kernel table. > - if ! kldstat -q -m pfsync; then > - warn "pfsync(4) must be statically compiled in the kernel." > - return 1 > - fi > - >case "$pfsync_syncdev" in >'') >warn "pfsync_syncdev is not set." > > Modified: head/sys/contrib/pf/net/if_pfsync.c > > == > --- head/sys/contrib/pf/net/if_pfsync.c Mon Jan 9 08:36:12 2012 > (r229849) > +++ head/sys/contrib/pf/net/if_pfsync.c Mon Jan 9 08:50:22 2012 > (r229850) > @@ -87,6 +87,7 @@ __FBSDID("$FreeBSD$"); > #include > #include > #include > +#include > #else > #include > #include > @@ -295,21 +296,25 @@ struct pfsync_softc { > #else >struct timeout sc_tmo; > #endif > -#ifdef __FreeBSD__ > - eventhandler_tag sc_detachtag; > -#endif > - > }; > > #ifdef __FreeBSD__ > +static MALLOC_DEFINE(M_PFSYNC, "pfsync", "pfsync data"); > static VNET_DEFINE(struct pfsync_softc *, pfsyncif) = NULL; > #defineV_pfsyncif VNET(pfsyncif) > - > +static VNET_DEFINE(void *, pfsync_swi_cookie) = NULL; > +#defineV_pfsync_swi_cookie VNET(pfsync_swi_cookie) > static VNET_DEFINE(struct pfsyncstats, pfsyncstats); > #defineV_pfsyncstats VNET(pfsyncstats) > static VNET_DEFINE(int, pfsync_carp_adj) = CARP_MAXSKEW; > #defineV_pfsync_carp_adj VNET(pfsync_carp_adj) > > +static voidpfsyncintr(void *); > +static int pfsync_multicast_setup(struct pfsync_softc *); > +static voidpfsync_multicast_cleanup(struct pfsync_softc *); > +static int pfsync_init(void); > +static voidpfsync_uninit(void); > + > SYSCTL_NODE(_net, OID_AUTO, pfsync, CTLFLAG_RW, 0, "PFSYNC"); > SYSCTL_VNET_STRUCT(_net_pfsync, OID_AUTO, stats, CTLFLAG_RW, > &VNET_NAME(pfsyncstats), pfsyncstats, 
> @@ -322,16 +327,6 @@ struct pfsyncstats pfsyncstats; > #defineV_pfsyncstatspfsyncstats > #endif > > -#ifdef __FreeBSD__ > -static voidpfsyncintr(void *); > -struct pfsync_swi { > - void * pfsync_swi_cookie; > -}; > -static struct pfsync_swipfsync_swi; > -#defineschednetisr(p) swi_sched(pfsync_swi.pfsync_swi_cookie, 0) > -#defineNETISR_PFSYNC > -#endif > - > void pfsyncattach(int); > #ifdef __FreeBSD__ > intpfsync_clone_create(struct if_clone *, int, caddr_t); > @@ -377,8 +372,6 @@ voidpfsync_bulk_update(void *); > void pfsync_bulk_fail(void *); > > #ifdef __FreeBSD__ > -void pfsync_ifdetach(void *, struct ifnet *); > - > /* XXX: ugly */ > #definebetoh64 (unsigned long long)be64toh > #definetimeout_del callout_stop > @@ -390,6 +383,10 @@ intpfsync_sync_ok; > #endif > > #ifdef __FreeBSD__ > +VNET_DEFINE(struct ifc_simple_data, pfsync_cloner_data); > +VNET_DEFINE(struct if_clone, pfsync_cloner); > +#defineV_pfsync_cloner_dataVNET(pfsync_cloner_data) > +#defineV_pfsync_cloner VNET(pfsync_cloner) > IFC_SIMPLE_DECLARE(pfsync, 1); > #else > struct if_clonepfsync_cloner = > @@ -415,25 +412,20 @@ pfsync_clone_create(struct if_clone *ifc
Re: svn commit: r230265 - head/sys/contrib/pf/net
Maybe it does not hurt in general to keep the V_ Some work was done to add it, no?! On Tue, Jan 17, 2012 at 1:14 PM, Gleb Smirnoff wrote: > Author: glebius > Date: Tue Jan 17 12:14:26 2012 > New Revision: 230265 > URL: http://svn.freebsd.org/changeset/base/230265 > > Log: > Allocate our mbuf with m_get2(). > > Modified: > head/sys/contrib/pf/net/if_pfsync.c > > Modified: head/sys/contrib/pf/net/if_pfsync.c > > == > --- head/sys/contrib/pf/net/if_pfsync.c Tue Jan 17 12:13:36 2012 > (r230264) > +++ head/sys/contrib/pf/net/if_pfsync.c Tue Jan 17 12:14:26 2012 > (r230265) > @@ -2121,9 +2121,6 @@ pfsync_sendout(void) > #ifdef notyet >struct tdb *t; > #endif > -#ifdef __FreeBSD__ > - size_t pktlen; > -#endif >int offset; >int q, count = 0; 
> > @@ -2145,44 +2142,33 @@ pfsync_sendout(void) >return; >} > > - MGETHDR(m, M_DONTWAIT, MT_DATA); > - if (m == NULL) { > #ifdef __FreeBSD__ > + m = m_get2(M_NOWAIT, MT_DATA, M_PKTHDR, max_linkhdr + sc->sc_len); > + if (m == NULL) { >sc->sc_ifp->if_oerrors++; > + V_pfsyncstats.pfsyncs_onomem++; > + return; > + } > #else > + MGETHDR(m, M_DONTWAIT, MT_DATA); > + if (m == NULL) { >sc->sc_if.if_oerrors++; > -#endif > - V_pfsyncstats.pfsyncs_onomem++; > + pfsyncstats.pfsyncs_onomem++; >pfsync_drop(sc); >return; >} > > -#ifdef __FreeBSD__ > - pktlen = max_linkhdr + sc->sc_len; > - if (pktlen > MHLEN) { > - /* Find the right pool to allocate from. */ > - /* XXX: This is ugly. */ > - m_cljget(m, M_DONTWAIT, pktlen <= MCLBYTES ? MCLBYTES : > -#if MJUMPAGESIZE != MCLBYTES > - pktlen <= MJUMPAGESIZE ? MJUMPAGESIZE : > -#endif > - pktlen <= MJUM9BYTES ? MJUM9BYTES : MJUM16BYTES); > -#else >if (max_linkhdr + sc->sc_len > MHLEN) { >MCLGETI(m, M_DONTWAIT, NULL, max_linkhdr + sc->sc_len); > -#endif >if (!ISSET(m->m_flags, M_EXT)) { >m_free(m); > -#ifdef __FreeBSD__ > - sc->sc_ifp->if_oerrors++; > -#else >sc->sc_if.if_oerrors++; > -#endif > - V_pfsyncstats.pfsyncs_onomem++; > + pfsyncstats.pfsyncs_onomem++; >pfsync_drop(sc); >return; >} >} > +#endif >m->m_data += max_linkhdr; >m->m_len = m->m_pkthdr.len = sc->sc_len; > > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
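Review bot: The new __FreeBSD__ allocation-failure branch returns without calling pfsync_drop(sc), which the old common path and the remaining #else branch both do after bumping the counters. The log message only mentions the switch to m_get2(), so this reads as an unannounced behaviour change on the out-of-memory path. If keeping the queued items is intended, say so in a comment next to the `return;`; otherwise restore `pfsync_drop(sc);` before it. pfsync_sendout() begins and ends outside this hunk, so what later happens to the queued entries cannot be checked here.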
Re: svn commit: r230265 - head/sys/contrib/pf/net
2012/1/17 Gleb Smirnoff > On Tue, Jan 17, 2012 at 05:48:10PM +0100, Ermal Lu?i wrote: > E> Maybe it does not hurt in general to keep the V_ > E> Some work was done to add it, no?! > > The V_ has been left under __FreeBSD__. > > E> On Tue, Jan 17, 2012 at 1:14 PM, Gleb Smirnoff > wrote: > E> > E> > Author: glebius > E> > Date: Tue Jan 17 12:14:26 2012 > E> > New Revision: 230265 > E> > URL: http://svn.freebsd.org/changeset/base/230265 > E> > > E> > Log: > E> > Allocate our mbuf with m_get2(). > E> > > E> > Modified: > E> > head/sys/contrib/pf/net/if_pfsync.c > E> > > E> > Modified: head/sys/contrib/pf/net/if_pfsync.c > E> > > E> > > == > E> > --- head/sys/contrib/pf/net/if_pfsync.c Tue Jan 17 12:13:36 2012 > E> > (r230264) > E> > +++ head/sys/contrib/pf/net/if_pfsync.c Tue Jan 17 12:14:26 2012 > E> > (r230265) > E> > @@ -2121,9 +2121,6 @@ pfsync_sendout(void) > E> > #ifdef notyet > E> >struct tdb *t; > E> > #endif > E> > -#ifdef __FreeBSD__ > E> > - size_t pktlen; > E> > -#endif > E> >int offset; > E> >int q, count = 0; > E> > > E> 
> @@ -2145,44 +2142,33 @@ pfsync_sendout(void) > E> >return; > E> >} > E> > > E> > - MGETHDR(m, M_DONTWAIT, MT_DATA); > E> > - if (m == NULL) { > E> > #ifdef __FreeBSD__ > E> > + m = m_get2(M_NOWAIT, MT_DATA, M_PKTHDR, max_linkhdr + > sc->sc_len); > E> > + if (m == NULL) { > E> >sc->sc_ifp->if_oerrors++; > E> > + V_pfsyncstats.pfsyncs_onomem++; > E> > + return; > E> > + } > E> > #else > E> > + MGETHDR(m, M_DONTWAIT, MT_DATA); > E> > + if (m == NULL) { > E> >sc->sc_if.if_oerrors++; > E> > -#endif > E> > - V_pfsyncstats.pfsyncs_onomem++; > E> > + pfsyncstats.pfsyncs_onomem++; > ^^ What about this? > E> >pfsync_drop(sc); > E> >return; > E> >} > E> > > E> > -#ifdef __FreeBSD__ > E> > - pktlen = max_linkhdr + sc->sc_len; > E> > - if (pktlen > MHLEN) { > E> > - /* Find the right pool to allocate from. */ > E> > - /* XXX: This is ugly. */ > E> > - m_cljget(m, M_DONTWAIT, pktlen <= MCLBYTES ? MCLBYTES > : > E> > -#if MJUMPAGESIZE != MCLBYTES > E> > - pktlen <= MJUMPAGESIZE ? MJUMPAGESIZE : > E> > -#endif > E> > - pktlen <= MJUM9BYTES ? MJUM9BYTES : > MJUM16BYTES); > E> > -#else > E> >if (max_linkhdr + sc->sc_len > MHLEN) { > E> >MCLGETI(m, M_DONTWAIT, NULL, max_linkhdr + sc->sc_len); > E> > -#endif > E> >if (!ISSET(m->m_flags, M_EXT)) { > E> >m_free(m); > E> > -#ifdef __FreeBSD__ > E> > - sc->sc_ifp->if_oerrors++; > E> > -#else > E> >sc->sc_if.if_oerrors++; > E> > -#endif > E> > - V_pfsyncstats.pfsyncs_onomem++; > E> > + pfsyncstats.pfsyncs_onomem++; > ^^^ What about this? > E> >pfsync_drop(sc); > E> >return; > E> >} > E> >} > E> > +#endif > E> >m->m_data += max_linkhdr; > E> >m->m_len = m->m_pkthdr.len = sc->sc_len; > E> > > E> > > E> > E> > E> -- > E> Ermal > > -- > Totus tuus, Glebius. > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r238600 - stable/9/sys/contrib/pf/net
I would prefer to be in CC for this or at least asked! On Wed, Jul 18, 2012 at 6:13 PM, Gleb Smirnoff wrote: > Author: glebius > Date: Wed Jul 18 16:13:03 2012 > New Revision: 238600 > URL: http://svn.freebsd.org/changeset/base/238600 > > Log: > Merge r230119, r238498 from head: > > > r230119 | csjp | 2012-01-15 02:51:34 +0400 (вс, 15 янв 2012) | 9 lines > > Revert to the old behavior of allocating table/table entries using > M_NOWAIT. Currently, the code allows for sleeping in the ioctl path > to guarantee allocation. However code also handles ENOMEM gracefully, so > propagate this error back to user-space, rather than sleeping while > holding the global pf mutex. > > Reviewed by:glebius > Discussed with: bz > > > r238498 | glebius | 2012-07-15 23:10:00 +0400 (вс, 15 июл 2012) | 2 lines > > Use M_NOWAIT while holding the pf giant lock. > > Approved by: re (kib) > > Modified: > stable/9/sys/contrib/pf/net/pf_if.c > stable/9/sys/contrib/pf/net/pf_table.c > Directory Properties: > stable/9/sys/ (props changed) > stable/9/sys/contrib/pf/ (props changed) > > Modified: stable/9/sys/contrib/pf/net/pf_if.c > == > --- stable/9/sys/contrib/pf/net/pf_if.c Wed Jul 18 15:52:09 2012 > (r238599) > +++ stable/9/sys/contrib/pf/net/pf_if.c Wed Jul 18 16:13:03 2012 > (r238600) > @@ -506,8 +506,7 @@ pfi_dynaddr_setup(struct pf_addr_wrap *a > if (aw->type != PF_ADDR_DYNIFTL) > return (0); > #ifdef __FreeBSD__ > - /* XXX: revisit! */ > - if ((dyn = pool_get(&V_pfi_addr_pl, PR_WAITOK | PR_ZERO)) > + if ((dyn = pool_get(&V_pfi_addr_pl, PR_NOWAIT | PR_ZERO)) > #else > if ((dyn = pool_get(&pfi_addr_pl, PR_WAITOK | PR_LIMITFAIL | PR_ZERO)) > #endif > > Modified: stable/9/sys/contrib/pf/net/pf_table.c > == > --- stable/9/sys/contrib/pf/net/pf_table.c Wed Jul 18 15:52:09 2012 > (r238599) > +++ stable/9/sys/contrib/pf/net/pf_table.c Wed Jul 18 16:13:03 2012 > (r238600) 
> @@ -926,16 +926,12 @@ pfr_create_kentry(struct pfr_addr *ad, i > { > struct pfr_kentry *ke; > > - if (intr) > #ifdef __FreeBSD__ > - ke = pool_get(&V_pfr_kentry_pl, PR_NOWAIT | PR_ZERO); > + ke = pool_get(&V_pfr_kentry_pl, PR_NOWAIT | PR_ZERO); > #else > + if (intr) > ke = pool_get(&pfr_kentry_pl, PR_NOWAIT | PR_ZERO); > -#endif > else > -#ifdef __FreeBSD__ > - ke = pool_get(&V_pfr_kentry_pl, PR_WAITOK|PR_ZERO); > -#else > ke = pool_get(&pfr_kentry_pl, PR_WAITOK|PR_ZERO|PR_LIMITFAIL); > #endif > if (ke == NULL) > @@ -2080,16 +2076,12 @@ pfr_create_ktable(struct pfr_table *tbl, > struct pfr_ktable *kt; > struct pf_ruleset *rs; > > - if (intr) > #ifdef __FreeBSD__ > - kt = pool_get(&V_pfr_ktable_pl, PR_NOWAIT|PR_ZERO); > + kt = pool_get(&V_pfr_ktable_pl, PR_NOWAIT|PR_ZERO); > #else > + if (intr) > kt = pool_get(&pfr_ktable_pl, PR_NOWAIT|PR_ZERO|PR_LIMITFAIL); > -#endif > else > -#ifdef __FreeBSD__ > - kt = pool_get(&V_pfr_ktable_pl, PR_WAITOK|PR_ZERO); > -#else > kt = pool_get(&pfr_ktable_pl, PR_WAITOK|PR_ZERO|PR_LIMITFAIL); > #endif > if (kt == NULL) -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
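Review bot: Under __FreeBSD__ the `intr` argument of pfr_create_kentry() and pfr_create_ktable() no longer influences the allocation, because both now always pass PR_NOWAIT, but nothing in the code says so. A short comment above each call, for example `/* pf lock is held: never sleep here; callers must handle NULL */`, would keep a later reader from reintroducing PR_WAITOK. The same applies to the pool_get() call in pfi_dynaddr_setup() in the pf_if.c hunk. Since these allocations can now fail on the ioctl path, it is worth confirming that every caller reports ENOMEM to user space rather than treating a partially loaded table as success; the callers are outside these hunks.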
Re: svn commit: r233846 - head/sys/contrib/pf/net
You are sure that the defer feature is linked only to active-active? 2012/4/3 Gleb Smirnoff : > On Tue, Apr 03, 2012 at 06:09:21PM +, Gleb Smirnoff wrote: > T> Author: glebius > T> Date: Tue Apr 3 18:09:20 2012 > T> New Revision: 233846 > T> URL: http://svn.freebsd.org/changeset/base/233846 > T> > T> Log: > T> Since pf 4.5 import pf(4) has a mechanism to defer > T> forwarding a packet, that creates state, until > T> pfsync(4) peer acks state addition (or 10 msec > T> timeout passes). > T> > T> This is needed for active-active CARP configurations, > T> which are poorly supported in FreeBSD and arguably > T> a good idea at all. > T> > T> Unfortunately by the time of import this feature in > T> OpenBSD was turned on, and did not have a switch to > T> turn it off. This leaked to FreeBSD. > T> > T> This change make it possible to turn this feature > T> off via ioctl() and turns it off by default. > > Fortunately, we got an unused field in struct pfsyncreq, > so this commit doesn't break ioctl() ABI, and this is > mergeable. > > -- > Totus tuus, Glebius. -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r234711 - in head/usr.sbin/wpa: . hostapd
Thanks, i actually forgot to submit this. On Thu, Apr 26, 2012 at 7:35 PM, Bernhard Schmidt wrote: > Author: bschmidt > Date: Thu Apr 26 17:35:11 2012 > New Revision: 234711 > URL: http://svn.freebsd.org/changeset/base/234711 > > Log: > fix EAP server support after the 0.7.3 import: > - eap_xxx.c files have been renamed to eap_server_xxx.c > - additional crypto files are required for some options > - EAP_MD5 and EAP_GTC is now enabled by default to match vendor config > - move each file on its own line to hopefully make further diffs easier > to read > > EAP_SERVER is now enabled by default. Fiddling with HOSTAPD_CFLAGS in > src.conf is no longer required to get a basic WPA-EAP/radius setup > running. > > Tested by: Johann Hugo > MFC after: 2 weeks > > Modified: > head/usr.sbin/wpa/Makefile.inc > head/usr.sbin/wpa/hostapd/Makefile > > Modified: head/usr.sbin/wpa/Makefile.inc > == > --- head/usr.sbin/wpa/Makefile.inc Thu Apr 26 14:51:12 2012 > (r234710) > +++ head/usr.sbin/wpa/Makefile.inc Thu Apr 26 17:35:11 2012 > (r234711) > @@ -7,17 +7,23 @@ WPA_SUPPLICANT_DISTDIR?=${WPA_DISTDIR}/w > HOSTAPD_DISTDIR?= ${WPA_DISTDIR}/hostapd > > .PATH.c:${.CURDIR}/.. \ > + ${WPA_DISTDIR}/src/ap \ > ${WPA_DISTDIR}/src/common \ > ${WPA_DISTDIR}/src/crypto \ > + ${WPA_DISTDIR}/src/eapol_auth \ > ${WPA_DISTDIR}/src/eap_common \ > + ${WPA_DISTDIR}/src/eap_server \ > ${WPA_DISTDIR}/src/eapol_supp \ > ${WPA_DISTDIR}/src/l2_packet \ > + ${WPA_DISTDIR}/src/radius \ > ${WPA_DISTDIR}/src/utils > > CFLAGS+=-I${.CURDIR} > +CFLAGS+=-I${HOSTAPD_DISTDIR} > CFLAGS+=-I${WPA_DISTDIR}/src > CFLAGS+=-I${WPA_DISTDIR}/src/common > CFLAGS+=-I${WPA_DISTDIR}/src/crypto > +CFLAGS+=-I${WPA_DISTDIR}/src/drivers > CFLAGS+=-I${WPA_DISTDIR}/src/l2_packet > CFLAGS+=-I${WPA_DISTDIR}/src/utils > > > Modified: head/usr.sbin/wpa/hostapd/Makefile > == > --- head/usr.sbin/wpa/hostapd/Makefile Thu Apr 26 14:51:12 2012 > (r234710) > +++ head/usr.sbin/wpa/hostapd/Makefile Thu Apr 26 17:35:11 2012 > (r234711) 
> @@ -2,33 +2,59 @@ > > .include "${.CURDIR}/../Makefile.inc" > > -.PATH.c:${HOSTAPD_DISTDIR} \ > - ${WPA_DISTDIR}/src/ap \ > - ${WPA_DISTDIR}/src/eap_server \ > - ${WPA_DISTDIR}/src/eap_common \ > - ${WPA_DISTDIR}/src/eapol_auth \ > - ${WPA_DISTDIR}/src/drivers \ > - ${WPA_DISTDIR}/src/radius \ > - ${WPA_DISTDIR} > +.PATH.c:${WPA_DISTDIR}/src/drivers > > PROG= hostapd > -SRCS= accounting.c aes-wrap.c ap_config.c \ > - ap_drv_ops.c ap_mlme.c authsrv.c \ > - chap.c common.c config_file.c ctrl_iface.c crypto_openssl.c \ > - ctrl_iface_ap.c drivers.c drv_callbacks.c dump_state.c \ > - eap_common.c eap_peap_common.c eap_register.c eap_server.c \ > - eap_server_gtc.c eap_server_identity.c eap_server_md5.c \ > - eap_server_methods.c eap_server_mschapv2.c eap_server_peap.c \ > - eap_server_tls.c eap_server_tls_common.c eap_server_ttls.c \ > - eapol_auth_dump.c eapol_auth_sm.c eloop.c hostapd.c ieee802_11_auth.c > \ > - ieee802_11_common.c ieee802_11_ht.c ieee802_1x.c ip_addr.c \ > - md5.c main.c ms_funcs.c peerkey_auth.c pmksa_cache_auth.c \ > - preauth_auth.c radius.c radius_client.c sta_info.c \ > - sha1-pbkdf2.c sha1-tlsprf.c sha1-tprf.c sha1.c \ > - tkip_countermeasures.c utils.c \ > - vlan_init.c wpa_auth.c wpa_auth_glue.c wpa_auth_ie.c wpa_common.c \ > - wpa_debug.c wpabuf.c > -SRCS+= l2_packet_freebsd.c driver_freebsd.c os_unix.c > +SRCS= accounting.c \ > + aes-wrap.c \ > + ap_config.c \ > + ap_drv_ops.c \ > + ap_mlme.c \ > + authsrv.c \ > + chap.c \ > + common.c \ > + config_file.c \ > + crypto_openssl.c \ > + ctrl_iface.c \ > + ctrl_iface_ap.c \ > + drivers.c \ > + drv_callbacks.c \ > + eap_common.c \ > + eap_peap_common.c \ > + eap_register.c \ > + eapol_auth_dump.c \ > + eapol_auth_sm.c \ > + eap_server.c \ > + eap_server_methods.c \ > + eloop.c \ > + hostapd.c \ > + ieee802_11_auth.c \ > + ieee802_11_common.c \ > + ieee802_1x.c \ > + ip_addr.c \ > + main.c \ > + md5.c \ > + ms_funcs.c \ > + os_unix.c \ > + peerkey_auth.c \ > + pmksa_cache_auth.c \ > + 
preauth_auth.c \ > + radius.c \ > + radius_client.c \ > + sha1-pbkdf2.c \ > + sha1-tlsprf.c \ > + sha1.c \ > + sta_info.c \ > + tkip_countermeasures.c \ > + utils.c \ > + vlan_init.c \ > + wpa_auth.c \ > + wpa_auth_glue.c \ > + wpa_auth_ie.c \ > + wpa_common.c \ > + wpa_debug.c \ > + wpabuf.c >
Re: svn commit: r200183 - head/sbin/ipfw
On Mon, Dec 7, 2009 at 5:31 AM, Max Laier wrote: > On Sunday 06 December 2009 19:04:27 Luigi Rizzo wrote: > > Author: luigi > > Date: Sun Dec 6 18:04:26 2009 > > New Revision: 200183 > > URL: http://svn.freebsd.org/changeset/base/200183 > > > > Log: > > restore setting of sin_len (was removed in 1.146 last february) as > > it seems that now it is necessary for 'forward' to work outside lo0. > > The bug (and fix) was reported on 8.0. This patch probably applies > > to RELENG_7 as well. > > It seems that 'pf' has a similar bug. > > > > Submitted by: Lytochkin Boris > > Do you have a reference for me? > I followed the thread but route-to sets the sin_len see this: http://fxr.watson.org/fxr/source/contrib/pf/net/pf.c?v=FREEBSD8#L6179 > > > MFC after: 3 days > > > > Modified: > > head/sbin/ipfw/ipfw2.c > > > > Modified: head/sbin/ipfw/ipfw2.c > > > === > > === --- head/sbin/ipfw/ipfw2.cSun Dec 6 17:26:43 2009 > (r200182) > > +++ head/sbin/ipfw/ipfw2.cSun Dec 6 18:04:26 2009(r200183) > > @@ -2740,9 +2740,11 @@ chkarg: > > > > /* > >* In the kernel we assume AF_INET and use only > > - * sin_port and sin_addr. > > + * sin_port and sin_addr. Remember to set sin_len as > > + * the routing code seems to use it too. > >*/ > > p->sa.sin_family = AF_INET; > > + p->sa.sin_len = sizeof(struct sockaddr_in); > > p->sa.sin_port = 0; > > /* > >* locate the address-port separator (':' or ',') > > > > > > !DSPAM:4b1bf5b9894172410716004! > > > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r200183 - head/sbin/ipfw
On Mon, Dec 7, 2009 at 8:45 PM, Lytochkin Boris wrote: > Hi! > > On Mon, Dec 7, 2009 at 10:29 PM, Max Laier wrote: > [cut] > > I just tested an install of r197983 (9.0-CURRENT) that I had on a > test-box and > > route-to works as it is supposed to - AFAICT. FWIW, pf sets sin_len for > every > > use. > > > > Might be a problem/mis-understanding in the OPs configuration that is the > > issue here? > > > > I'll follow up to the thread on -net@ is a second. > > I posted my pf config in original message to -net@: > = > scrub in all fragment reassemble > pass in all flags S/SA keep state > pass out quick route-to (em0 10.60.128.254) inet from 10.60.128.0/24 > to any flags S/SA keep state > = > > Pretty simple. Even when forward is disabled packets that are matched > by route-to rule are forwarded to default gateway instead of specified > in route-to. And I checked rtalloc_ign_fib() arguments when using pf - > seems that pf does not use this function to lookup route-to route. > > +sem@ > > My crystal ball is broken. Explain your freebsd config, your network topology, some debug output and then it can be considered useful. There are many people using route-to on FreeBSD 8 so it would have come up before. > -- > Regards, > Boris Lytochkin > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r208766 - stable/8/sys/netinet
On Thu, Jun 3, 2010 at 10:55 AM, Robert Watson wrote: > Author: rwatson > Date: Thu Jun 3 08:55:45 2010 > New Revision: 208766 > URL: http://svn.freebsd.org/changeset/base/208766 > > Log: > Merge r204810 from head to stable/8: > > Remove unnecessary locking of divcbinfo lock from div_output(): this has > not been required since FreeBSD 7.0 when the so_pcb pointer leading to inp > was guaranteed to be stable when a valid socket reference is held (as it > is in the output path). > > Reviewed by: bz > Sponsored by: Juniper Networks > > Approved by: re (kib) > > Modified: > stable/8/sys/netinet/ip_divert.c > Directory Properties: > stable/8/sys/ (props changed) > stable/8/sys/amd64/include/xen/ (props changed) > stable/8/sys/cddl/contrib/opensolaris/ (props changed) > stable/8/sys/contrib/dev/acpica/ (props changed) > stable/8/sys/contrib/pf/ (props changed) > stable/8/sys/dev/xen/xenpci/ (props changed) > stable/8/sys/geom/sched/ (props changed) > > Modified: stable/8/sys/netinet/ip_divert.c > == > --- stable/8/sys/netinet/ip_divert.c Thu Jun 3 03:55:22 2010 > (r208765) > +++ stable/8/sys/netinet/ip_divert.c Thu Jun 3 08:55:45 2010 > (r208766) > @@ -392,7 +392,6 @@ div_output(struct socket *so, struct mbu > struct inpcb *inp; > > dt->info |= IPFW_IS_DIVERT | IPFW_INFO_OUT; > - INP_INFO_WLOCK(&V_divcbinfo); > inp = sotoinpcb(so); > INP_RLOCK(inp); > /* > @@ -403,7 +402,6 @@ div_output(struct socket *so, struct mbu > ((u_short)ntohs(ip->ip_len) > m->m_pkthdr.len)) { > error = EINVAL; > INP_RUNLOCK(inp); > - INP_INFO_WUNLOCK(&V_divcbinfo); > m_freem(m); > } else { > /* Convert fields to host order for ip_output() */ 
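Review bot: After this change div_output() depends on an invariant that is stated only in the commit log: the inpcb reached through `sotoinpcb(so)` stays valid while the caller holds a socket reference, so the global divcbinfo lock is not taken. That reasoning belongs next to the code, for example `/* so_pcb is stable while a socket reference is held; no divcbinfo lock needed. */` above `inp = sotoinpcb(so);`. The function body continues beyond the hunk.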
> @@ -444,7 +442,6 @@ div_output(struct socket *so, struct mbu > error = ENOBUFS; > } > INP_RUNLOCK(inp); > - INP_INFO_WUNLOCK(&V_divcbinfo); > if (error == ENOBUFS) { > m_freem(m); > return (error); > Would it make sense to remove even passing the interface name up and actually send the interface index? That is what we are doing at pfSense and it works quite ok. -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r208766 - stable/8/sys/netinet
On Fri, Jun 4, 2010 at 11:11 AM, Robert N. M. Watson wrote: > > On 3 Jun 2010, at 14:09, Ermal Luçi wrote: > >> Would it make sense to remove even passing the interface name up and >> actually send the >> interface index? >> >> That is what we are doing at pfSense and it works quite ok. > > I see one important argument for doing this: > > - Looking up an interface by number instead of by name has a number of > advantages. > - User programs that already reason about network interfaces by ifindex don't > have to take an indirection. > > However, it has two important downsides: > > - It changes an existing API that a moderate number of applications depend on. > - Applications that reason about ifnet names now have to take an indirection, > which might well mean monitoring routing sockets for interface > renames/additions/removals, additional sysctls, etc. > > As such, I'm not sure the benefits of replacing the current behavior with the > proposed new behavior is worth the cost. An alternative approach might be to > add a socket option to set the disposition of the divert socket, defaulting > to current behavior but optionally switching to a different interpretation of > the sockaddr passed in (i.e., use the ifindex instead when the option is > set). Could you say a bit more about why you found this change advantageous > in your environment, and whether the socket option approach would be > problematic there? Well the main motivation about it was the limitation on interface name length that can be stored in sin_zero. Furthermore speed processing is faster since the interface name does not have to be reconstructed when diverting a packet. The patch is here http://tinyurl.com/3a9h5gs Interface event are not an issue for pfSense architecture since it controls all the underlying data and i think most of the divert applications do not care much about interface events apart renaming. Keeping both options sounds reasonable too. 
-- Ermal
svn commit: r274709 - head/sys/netpfil/pf
Author: eri Date: Wed Nov 19 13:31:08 2014 New Revision: 274709 URL: https://svnweb.freebsd.org/changeset/base/274709 Log: pf(4) needs to have a correct checksum during its processing. Calculate checksums for the IPv6 path when needed before delving into pf(4) code as required. PR: 172648, 179392 Reviewed by:glebius@ Approved by:gnn@ Obtained from: pfSense MFC after: 1 week Sponsored by: Netgate Modified: head/sys/netpfil/pf/pf_ioctl.c Modified: head/sys/netpfil/pf/pf_ioctl.c == --- head/sys/netpfil/pf/pf_ioctl.c Wed Nov 19 13:04:25 2014 (r274708) +++ head/sys/netpfil/pf/pf_ioctl.c Wed Nov 19 13:31:08 2014 (r274709) @@ -76,6 +76,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #ifdef INET6 @@ -3619,12 +3620,11 @@ pf_check6_out(void *arg, struct mbuf **m int chk; /* We need a proper CSUM before we start (s. OpenBSD ip_output) */ - if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { -#ifdef INET - /* XXX-BZ copy&paste error from r126261? */ - in_delayed_cksum(*m); -#endif - (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; + if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) { + in6_delayed_cksum(*m, + (*m)->m_pkthdr.len - sizeof(struct ip6_hdr), + sizeof(struct ip6_hdr)); + (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; } CURVNET_SET(ifp->if_vnet); chk = pf_test6(PF_OUT, ifp, m, inp); ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
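Review bot: The offset passed to `in6_delayed_cksum()` in pf_check6_out is hard-coded to `sizeof(struct ip6_hdr)`, which is only right when the transport header directly follows the fixed IPv6 header. If a locally generated packet can reach this hook with extension headers in front of the TCP/UDP header, the checksum would be computed over the wrong span and stored at the wrong place, so the real upper-layer offset should be derived, or the assumption stated in the comment above the test. The length argument `(*m)->m_pkthdr.len - sizeof(struct ip6_hdr)` has the same dependency. pf_check6_out's body continues outside the hunk.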
Re: svn commit: r274709 - head/sys/netpfil/pf
Hello Dag, if its working for you i have no issues. For me these changes are taken into consideration during policy routing on pf(4). If you check the pf_route() call it does the same checks as outgoing processing of the modules. If they need to be considered after pf(4) does it internal processing probably should be after the call to pf_test6. There is no reason to have different behaviour for ipv6 from ipv4 internally in pf(4). Also this only affects the traffic sourced by the host itself and not forwarded traffic and i think this patch will provide a regression for the issues that the committed patch does. On Tue, Nov 25, 2014 at 12:38 PM, Dag-Erling Smørgrav wrote: > Here's a patch that doesn't crash and tries not to break TSO. > > Index: sys/netpfil/pf/pf_ioctl.c > === > --- sys/netpfil/pf/pf_ioctl.c (revision 274791) > +++ sys/netpfil/pf/pf_ioctl.c (working copy) > @@ -3576,9 +3576,10 @@ > int chk; > > /* We need a proper CSUM befor we start (s. OpenBSD ip_output) */ > - if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { > + if ((*m)->m_pkthdr.csum_flags & > + ((CSUM_DELAY_IP|CSUM_DELAY_DATA) & ~ifp->if_hwassist)) { > in_delayed_cksum(*m); > - (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; > + (*m)->m_pkthdr.csum_flags &= > ~(CSUM_DELAY_IP|CSUM_DELAY_DATA); > } > > chk = pf_test(PF_OUT, ifp, m, inp); 
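Review bot: In the proposed pf_check_out change the condition fires when either `CSUM_DELAY_IP` or `CSUM_DELAY_DATA` is pending and not offloaded, but the only work done is `in_delayed_cksum(*m)`, after which both flags are cleared. If `in_delayed_cksum()` fills in only the transport checksum, which is how the replaced line used it, a packet with just `CSUM_DELAY_IP` set would get a transport checksum written that was never requested and would lose its request for the IP header checksum. Testing the two flags separately, each against `ifp->if_hwassist` and each clearing only its own bit, would avoid that. The function starts and ends outside the hunk, so what happens to the flags afterwards is not visible.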
> @@ -3620,12 +3621,14 @@ > int chk; > > /* We need a proper CSUM before we start (s. OpenBSD ip_output) */ > - if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) { > + if ((*m)->m_pkthdr.csum_flags & > + (CSUM_DELAY_DATA_IPV6 & ~ifp->if_hwassist)) { > in6_delayed_cksum(*m, > (*m)->m_pkthdr.len - sizeof(struct ip6_hdr), > sizeof(struct ip6_hdr)); > (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; > } > + > CURVNET_SET(ifp->if_vnet); > chk = pf_test6(PF_OUT, ifp, m, inp); > CURVNET_RESTORE(); > > DES > -- > Dag-Erling Smørgrav - d...@des.no > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r274709 - head/sys/netpfil/pf
On Tue, Nov 25, 2014 at 3:14 PM, Dag-Erling Smørgrav wrote: > Ermal Luçi writes: > > Also this only affects the traffic sourced by the host itself and not > > forwarded traffic and I think this patch will provide a regression for > > the issues that the committed patch does. > > How? > The code as it stands (after your commit) is incorrect and will trigger > an assertion in vtnet(4). You could argue that it is less incorrect > than the original, but the cure is worse than the disease. > > Let me come back to you in the following days with a better analysis. With the existing state of the world, I think there will be checksum issues again, especially in policy routing situations. I will come back with another patch to solve this, but I am busy with some ${WORK} tasks. > My patch fixes the panic as well as two preexisting bugs (not taking the > IP checksum into account in the IPv4 path, and ignoring hardware > offloading). See https://bugs.freebsd.org/192013#c10 for an explanation > of what it does and why. > > DES > -- > Dag-Erling Smørgrav - d...@des.no > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r276747 - head/sys/netpfil/pf
On Thu, Jan 8, 2015 at 1:21 AM, Bjoern A. Zeeb < bzeeb-li...@lists.zabbadoz.net> wrote: > > > On 07 Jan 2015, at 20:46 , Gleb Smirnoff wrote: > > > > On Tue, Jan 06, 2015 at 09:03:04AM +, Craig Rodrigues wrote: > > C> Author: rodrigc > > C> Date: Tue Jan 6 09:03:03 2015 > > C> New Revision: 276747 > > C> URL: https://svnweb.freebsd.org/changeset/base/276747 > > C> > > C> Log: > > C> Instead of creating a purge thread for every vnet, create > > C> a single purge thread and clean up all vnets from this thread. > > C> > > C> PR: 194515 > > C> Differential Revision: D1315 > > C> Submitted by: Nikos Vassiliadis > > > > I am not sure that this is a good idea. The core idea of VNETs > > is that they are isolated from each other. If we serialize purging, > > then vnets are strongly affecting each other. > > > > AFAIU, from the PR there is some panic fixed. What is the actual bug > > and why couldn't it be fixed with having per-vnet thread? > > You don’t 3 whatever pf purging threads on a system all running, > possibly competing for some resources, e.g., locks? > You can tune your system to your load! I do not agree with this change as well but just saw it! I would have agreed with this if a thread per CPU is created and some improvements in the locking strategy is performed! This is a potential issue since on busy system this thread gets very resource consuming! > > — > Bjoern A. Zeeb Charles Haddon Spurgeon: > "Friendship is one of the sweetest joys of life. Many might have failed > beneath the bitterness of their trial had they not found a friend." > > > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r282132 - head/sys/netipsec
Hello Andrey, do you plan to MFC this one? On Tue, Apr 28, 2015 at 11:29 AM, Andrey V. Elsukov wrote: > Author: ae > Date: Tue Apr 28 09:29:28 2015 > New Revision: 282132 > URL: https://svnweb.freebsd.org/changeset/base/282132 > > Log: > Since PFIL can change mbuf pointer, we should update pointers after > calling ipsec_filter(). > > Sponsored by: Yandex LLC > > Modified: > head/sys/netipsec/ipsec_input.c > head/sys/netipsec/ipsec_output.c > > Modified: head/sys/netipsec/ipsec_input.c > > == > --- head/sys/netipsec/ipsec_input.c Tue Apr 28 09:19:40 2015 > (r282131) > +++ head/sys/netipsec/ipsec_input.c Tue Apr 28 09:29:28 2015 > (r282132) > @@ -391,6 +391,7 @@ ipsec4_common_input_cb(struct mbuf *m, s > ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE); > if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0) > return (error); > + ip = mtod(m, struct ip *); > #endif /* DEV_ENC */ > > /* IP-in-IP encapsulation */ > > Modified: head/sys/netipsec/ipsec_output.c > > == > --- head/sys/netipsec/ipsec_output.cTue Apr 28 09:19:40 2015 > (r282131) > +++ head/sys/netipsec/ipsec_output.cTue Apr 28 09:29:28 2015 > (r282132) > @@ -578,6 +578,7 @@ ipsec4_process_packet(struct mbuf *m, st > /* pass the mbuf to enc0 for packet filtering */ > if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0) > goto bad; > + ip = mtod(m, struct ip *); > #endif > /* Do the appropriate encapsulation, if necessary */ > if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ > @@ -699,6 +700,7 @@ ipsec6_process_packet(struct mbuf *m, st > /* pass the mbuf to enc0 for packet filtering */ > if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0) > goto bad; > + ip6 = mtod(m, struct ip6_hdr *); > #endif /* DEV_ENC */ > > /* Do the appropriate encapsulation, if necessary */ > > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
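Review bot: The added `ip = mtod(m, struct ip *)` and `ip6 = mtod(m, struct ip6_hdr *)` lines assume that the mbuf handed back by `ipsec_filter()` still has the whole IP header contiguous in its first mbuf. Since the log says PFIL can replace the mbuf, a length check before the cast, for example `if (m->m_len < sizeof(struct ip) && (m = m_pullup(m, sizeof(struct ip))) == NULL)` followed by the error exit the function already uses, would make that explicit; whether the filter guarantees it is not visible here. The hunks cover ipsec4_common_input_cb, ipsec4_process_packet and ipsec6_process_packet only, so any IPv6 input callback that calls `ipsec_filter()` and keeps using a cached header pointer would need the same refresh. All three functions continue outside their hunks.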
Re: svn commit: r285050 - in head: lib/libutil usr.sbin/pwd_mkdb
On Thu, Jul 2, 2015 at 7:31 PM, Renato Botelho wrote: > Author: garga (ports committer) > Date: Thu Jul 2 17:30:59 2015 > New Revision: 285050 > URL: https://svnweb.freebsd.org/changeset/base/285050 > > Log: > When passwd or group information is changed (by pw, vipw, chpass, ...) > temporary file is created and then a rename() call move it to official > file. > This operation didn't have any check to make sure data was written to > disk > and if a power cycle happens system could end up with a 0 length passwd > or group database. > > There is a pfSense bug with more infor about it: > > https://redmine.pfsense.org/issues/4523 > > The following changes were made to protect passwd and group operations: > > * lib/libutil/gr_util.c: >- Replace mkstemp() by mkostemp() with O_SYNC flag to create temp file >- After rename(), fsync() call on directory for faster result > > * lib/libutil/pw_util.c >- Replace mkstemp() by mkostemp() with O_SYNC flag to create temp file > > * usr.sbin/pwd_mkdb/pwd_mkdb.c >- Added O_SYNC flag on dbopen() calls >- After rename(), fsync() call on directory for faster result > > * lib/libutil/pw_util.3 >- pw_lock() returns a file descriptor to master password file on success > > Differential Revision:https://reviews.freebsd.org/D2978 > Approved by: bapt > Sponsored by: Netgate > > Modified: > head/lib/libutil/gr_util.c > head/lib/libutil/pw_util.3 > head/lib/libutil/pw_util.c > head/usr.sbin/pwd_mkdb/pwd_mkdb.c > > Modified: head/lib/libutil/gr_util.c > > == > --- head/lib/libutil/gr_util.c Thu Jul 2 16:17:05 2015(r285049) > +++ head/lib/libutil/gr_util.c Thu Jul 2 17:30:59 2015(r285050) > @@ -141,7 +141,7 @@ gr_tmp(int mfd) > errno = ENAMETOOLONG; > return (-1); > } > - if ((tfd = mkstemp(tempname)) == -1) > + if ((tfd = mkostemp(tempname, O_SYNC)) == -1) > return (-1); > if (mfd != -1) { > while ((nr = read(mfd, buf, sizeof(buf))) > 0) 
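Review bot: Opening the temporary file with `O_SYNC` in gr_tmp makes every `write()` of the copy loop wait for the disk, where one flush at the end would do. A single `fsync(tfd)` after the last write and before the `rename()` puts the new group file on stable storage with one synchronous operation instead of one per buffer; the same applies to the identical change in pw_tmp in lib/libutil/pw_util.c. With either approach the result of the final write or flush has to be checked before the old file is replaced, otherwise a failed write can still end in a truncated database. gr_tmp's body continues outside the hunk.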
> @@ -318,10 +318,28 @@ gr_copy(int ffd, int tfd, const struct g > int > gr_mkdb(void) > { > + int fd; > + > if (chmod(tempname, 0644) != 0) > return (-1); > > - return (rename(tempname, group_file)); > + if (rename(tempname, group_file) != 0) > + return (-1); > + > + /* > +* Make sure new group file is safe on disk. To improve > performance we > +* will call fsync() to the directory where file lies > +*/ > + if ((fd = open(group_dir, O_RDONLY|O_DIRECTORY)) == -1) > + return (-1); > + > This really is not a real failure! Not sure how you would report this but it really is not a failure since the rename has completed and you are giving false information back. > + if (fsync(fd) != 0) { > + close(fd); > + return (-1); > + } > + > + close(fd); > + return(0); > } > > /* > > Modified: head/lib/libutil/pw_util.3 > > == > --- head/lib/libutil/pw_util.3 Thu Jul 2 16:17:05 2015(r285049) > +++ head/lib/libutil/pw_util.3 Thu Jul 2 17:30:59 2015(r285050) > @@ -233,7 +233,8 @@ function returns 0 in case of success an > The > .Fn pw_lock > function locks the master password file. > -It returns 0 in case of success and -1 in case of failure. > +It returns a file descriptor to master password file in case of success > +and -1 in case of failure. > .Pp > The > .Fn pw_scan > > Modified: head/lib/libutil/pw_util.c > > == > --- head/lib/libutil/pw_util.c Thu Jul 2 16:17:05 2015(r285049) > +++ head/lib/libutil/pw_util.c Thu Jul 2 17:30:59 2015(r285050) > @@ -226,7 +226,7 @@ pw_tmp(int mfd) > errno = ENAMETOOLONG; > return (-1); > } > - if ((tfd = mkstemp(tempname)) == -1) > + if ((tfd = mkostemp(tempname, O_SYNC)) == -1) > return (-1); > if (mfd != -1) { > while ((nr = read(mfd, buf, sizeof(buf))) > 0) > > Modified: head/usr.sbin/pwd_mkdb/pwd_mkdb.c > > == > --- head/usr.sbin/pwd_mkdb/pwd_mkdb.c Thu Jul 2 16:17:05 2015 > (r285049) > +++ head/usr.sbin/pwd_mkdb/pwd_mkdb.c Thu Jul 2 17:30:59 2015 > (r285050) 
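Review bot: The comment added in gr_mkdb says the directory `fsync()` is there "to improve performance", but its purpose is durability: without it the directory entry created by `rename()` may not survive a crash even though the file data was written. I would word it as `/* fsync() the directory so the rename() itself reaches stable storage. */`. The new `return(0);` should also be `return (0);` to match the other returns in the function.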
> @@ -51,6 +51,7 @@ __FBSDID("$FreeBSD$"); > #include > #include > #include > +#include > #include > #include > #include > @@ -227,14 +228,14 @@ main(int argc, char *argv[]) > clean = FILE_INSECURE; > cp(buf2, buf, PERM_INSECURE); > dp = dbopen(buf, > - O_RDWR|O_EXCL, PERM_INSECURE, DB_HASH, &openinfo); > +
svn commit: r285051 - head/sys/netinet
Author: eri Date: Thu Jul 2 18:10:41 2015 New Revision: 285051 URL: https://svnweb.freebsd.org/changeset/base/285051 Log: Avoid doing multiple route lookups for the same destination IP during forwarding ip_forward() does a route lookup for testing this packet can be sent to a known destination, it also can do another route lookup if it detects that an ICMP redirect is needed, it forgets all of this and handovers to ip_output() to do the same lookup yet again. This optimisation just does one route lookup during the forwarding path and handovers that to be considered by ip_output(). Differential Revision:https://reviews.freebsd.org/D2964 Approved by: ae, gnn(mentor) MFC after:1 week Modified: head/sys/netinet/ip_input.c Modified: head/sys/netinet/ip_input.c == --- head/sys/netinet/ip_input.c Thu Jul 2 17:30:59 2015(r285050) +++ head/sys/netinet/ip_input.c Thu Jul 2 18:10:41 2015(r285051) @@ -897,6 +897,7 @@ ip_forward(struct mbuf *m, int srcrt) struct ip *ip = mtod(m, struct ip *); struct in_ifaddr *ia; struct mbuf *mcopy; + struct sockaddr_in *sin; struct in_addr dest; struct route ro; int error, type = 0, code = 0, mtu = 0; @@ -925,7 +926,22 @@ ip_forward(struct mbuf *m, int srcrt) } #endif - ia = ip_rtaddr(ip->ip_dst, M_GETFIB(m)); + bzero(&ro, sizeof(ro)); + sin = (struct sockaddr_in *)&ro.ro_dst; + sin->sin_family = AF_INET; + sin->sin_len = sizeof(*sin); + sin->sin_addr = ip->ip_dst; +#ifdef RADIX_MPATH + rtalloc_mpath_fib(&ro, + ntohl(ip->ip_src.s_addr ^ ip->ip_dst.s_addr), + M_GETFIB(m)); +#else + in_rtalloc_ign(&ro, 0, M_GETFIB(m)); +#endif + if (ro.ro_rt != NULL) { + ia = ifatoia(ro.ro_rt->rt_ifa); + ifa_ref(&ia->ia_ifa); + } #ifndef IPSEC /* * 'ia' may be NULL if there is no route for this destination. @@ -934,6 +950,7 @@ ip_forward(struct mbuf *m, int srcrt) */ if (!srcrt && ia == NULL) { icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0); + RO_RTFREE(&ro); return; } #endif 
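Review bot: `ia` is declared without an initializer and the new lookup code assigns it only inside `if (ro.ro_rt != NULL)`, yet the next statement tests `ia == NULL` and the redirect code further down tests `ia != NULL`. When no route is found, `ia` is read uninitialized, so the host-unreachable check and the redirect logic act on whatever was on the stack; add `else ia = NULL;` after the block or set it before the lookup. The stable/10 merge of this change (r286025) carries the same lines. ip_forward's body continues outside the hunk.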
@@ -990,16 +1007,8 @@ ip_forward(struct mbuf *m, int srcrt) dest.s_addr = 0; if (!srcrt && V_ipsendredirects && ia != NULL && ia->ia_ifp == m->m_pkthdr.rcvif) { - struct sockaddr_in *sin; struct rtentry *rt; - bzero(&ro, sizeof(ro)); - sin = (struct sockaddr_in *)&ro.ro_dst; - sin->sin_family = AF_INET; - sin->sin_len = sizeof(*sin); - sin->sin_addr = ip->ip_dst; - in_rtalloc_ign(&ro, 0, M_GETFIB(m)); - rt = ro.ro_rt; if (rt && (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 && @@ -1018,16 +1027,8 @@ ip_forward(struct mbuf *m, int srcrt) code = ICMP_REDIRECT_HOST; } } - if (rt) - RTFREE(rt); } - /* -* Try to cache the route MTU from ip_output so we can consider it for -* the ICMP_UNREACH_NEEDFRAG "Next-Hop MTU" field described in RFC1191. -*/ - bzero(&ro, sizeof(ro)); - error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL); if (error == EMSGSIZE && ro.ro_rt) ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
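Review bot: The last hunk removes the comment about caching the route MTU together with the `bzero(&ro, sizeof(ro))`, but the following `if (error == EMSGSIZE && ro.ro_rt)` still depends on `ro` holding a route once `ip_output()` returns. A replacement comment such as `/* ro was filled by the lookup above; ip_output() reuses it and its MTU is read below for ICMP_UNREACH_NEEDFRAG. */` keeps that dependency visible. Where `ro` is released after this point lies outside the hunk; with the route now allocated near the top of ip_forward, every exit after the lookup needs `RO_RTFREE(&ro)`, not only the one this commit adds.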
svn commit: r285096 - head/sys/netipsec
Author: eri Date: Fri Jul 3 15:31:56 2015 New Revision: 285096 URL: https://svnweb.freebsd.org/changeset/base/285096 Log: Reduce overhead of IPSEC for traffic generated from host When IPSEC is enabled on the kernel the forwarding path has an optimization to not enter the code paths for checking security policies but first checks if there is any security policy active at all. The patch introduces the same optimization but for traffic generated from the host itself. This reduces the overhead by 50% on my tests for generated host traffic without and SP active. Differential Revision:https://reviews.freebsd.org/D2980 Reviewed by: ae, gnn Approved by: gnn(mentor) Modified: head/sys/netipsec/ipsec.c Modified: head/sys/netipsec/ipsec.c == --- head/sys/netipsec/ipsec.c Fri Jul 3 14:46:57 2015(r285095) +++ head/sys/netipsec/ipsec.c Fri Jul 3 15:31:56 2015(r285096) @@ -334,6 +334,12 @@ ipsec_getpolicybysock(struct mbuf *m, u_ IPSEC_ASSERT(dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND, ("invalid direction %u", dir)); + if (!key_havesp(dir)) { + /* No SP found, use system default. */ + sp = KEY_ALLOCSP_DEFAULT(); + return (sp); + } + /* Set spidx in pcb. */ *error = ipsec_setspidx_inpcb(m, inp); if (*error) ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
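Review bot: The new early return in ipsec_getpolicybysock leaves `*error` untouched, while the path right below it always stores a value with `*error = ipsec_setspidx_inpcb(m, inp)`. A caller that reads the error after this path, in particular if `KEY_ALLOCSP_DEFAULT()` can return NULL, would see an uninitialized or stale value, so `*error = 0;` belongs before `return (sp);`. The shortcut also skips everything the function does with `inp`; if the rest of the body, which is outside the hunk, consults a policy attached to the socket, that policy is ignored whenever `key_havesp(dir)` is false, and this should be confirmed before relying on the fast path.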
svn commit: r285325 - head/sys/netinet
Author: eri Date: Thu Jul 9 16:28:36 2015 New Revision: 285325 URL: https://svnweb.freebsd.org/changeset/base/285325 Log: Correct issue presented in r285051, apparently neither clang nor gcc complain about this. But clang intis the var to NULL correctly while gcc on at least mips does not. Correct the undefined behavior by initializing the variable properly. PR: 201371 Differential Revision: https://reviews.freebsd.org/D3036 Reviewed by: gnn Approved by: gnn(mentor) Modified: head/sys/netinet/ip_input.c Modified: head/sys/netinet/ip_input.c == --- head/sys/netinet/ip_input.c Thu Jul 9 16:13:05 2015(r285324) +++ head/sys/netinet/ip_input.c Thu Jul 9 16:28:36 2015(r285325) @@ -941,7 +941,8 @@ ip_forward(struct mbuf *m, int srcrt) if (ro.ro_rt != NULL) { ia = ifatoia(ro.ro_rt->rt_ifa); ifa_ref(&ia->ia_ifa); - } + } else + ia = NULL; #ifndef IPSEC /* * 'ia' may be NULL if there is no route for this destination. ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
svn commit: r285770 - in head/sys: netinet netipsec
Author: eri Date: Tue Jul 21 21:46:24 2015 New Revision: 285770 URL: https://svnweb.freebsd.org/changeset/base/285770 Log: IPSEC, remove variable argument function its already due. Differential Revision:https://reviews.freebsd.org/D3080 Reviewed by: gnn, ae Approved by: gnn(mentor) Modified: head/sys/netinet/udp_usrreq.c head/sys/netipsec/ipsec.h head/sys/netipsec/ipsec_input.c Modified: head/sys/netinet/udp_usrreq.c == --- head/sys/netinet/udp_usrreq.c Tue Jul 21 21:12:28 2015 (r285769) +++ head/sys/netinet/udp_usrreq.c Tue Jul 21 21:46:24 2015 (r285770) @@ -1666,7 +1666,8 @@ udp4_espdecap(struct inpcb *inp, struct if (m->m_pkthdr.csum_flags & CSUM_DATA_VALID) m->m_pkthdr.csum_flags &= ~(CSUM_DATA_VALID|CSUM_PSEUDO_HDR); - (void) ipsec4_common_input(m, iphlen, ip->ip_p); + (void) ipsec_common_input(m, iphlen, offsetof(struct ip, ip_p), + AF_INET, ip->ip_p); return (NULL); /* NB: consumed, bypass processing. */ } #endif /* defined(IPSEC) && defined(IPSEC_NAT_T) */ Modified: head/sys/netipsec/ipsec.h == --- head/sys/netipsec/ipsec.h Tue Jul 21 21:12:28 2015(r285769) +++ head/sys/netipsec/ipsec.h Tue Jul 21 21:46:24 2015(r285770) @@ -337,7 +337,7 @@ extern void ah4_ctlinput(int cmd, struct extern int esp4_input(struct mbuf **mp, int *offp, int proto); extern void esp4_ctlinput(int cmd, struct sockaddr *sa, void *); extern int ipcomp4_input(struct mbuf **mp, int *offp, int proto); -extern int ipsec4_common_input(struct mbuf *m, ...); +extern int ipsec_common_input(struct mbuf *m, int, int, int, int); extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff); extern int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *); Modified: head/sys/netipsec/ipsec_input.c == --- head/sys/netipsec/ipsec_input.c Tue Jul 21 21:12:28 2015 (r285769) +++ head/sys/netipsec/ipsec_input.c Tue Jul 21 21:46:24 2015 (r285770) 
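Review bot: The new prototype in ipsec.h, `ipsec_common_input(struct mbuf *m, int, int, int, int)`, drops the parameter names, and with four `int`s in a row the compiler cannot catch a call that passes them in the wrong order. Writing it as `extern int ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto);`, matching the definition in ipsec_input.c, documents the order where callers look it up. Now that the function is public, a one-line comment stating what `skip` and `protoff` mean would help too; the udp4_espdecap call passes `iphlen` and `offsetof(struct ip, ip_p)` for them.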
@@ -118,7 +118,7 @@ static void ipsec4_common_ctlinput(int, * and call the appropriate transform. The transform callback * takes care of further processing (like ingress filtering). */ -static int +int ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) { char buf[INET6_ADDRSTRLEN]; @@ -243,24 +243,6 @@ ipsec_common_input(struct mbuf *m, int s } #ifdef INET -/* - * Common input handler for IPv4 AH, ESP, and IPCOMP. - */ -int -ipsec4_common_input(struct mbuf *m, ...) -{ - va_list ap; - int off, nxt; - - va_start(ap, m); - off = va_arg(ap, int); - nxt = va_arg(ap, int); - va_end(ap); - - return ipsec_common_input(m, off, offsetof(struct ip, ip_p), - AF_INET, nxt); -} - int ah4_input(struct mbuf **mp, int *offp, int proto) { @@ -271,7 +253,8 @@ ah4_input(struct mbuf **mp, int *offp, i off = *offp; *mp = NULL; - ipsec4_common_input(m, off, IPPROTO_AH); + ipsec_common_input(m, off, offsetof(struct ip, ip_p), + AF_INET, IPPROTO_AH); return (IPPROTO_DONE); } void @@ -292,7 +275,8 @@ esp4_input(struct mbuf **mp, int *offp, off = *offp; mp = NULL; - ipsec4_common_input(m, off, IPPROTO_ESP); + ipsec_common_input(m, off, offsetof(struct ip, ip_p), + AF_INET, IPPROTO_ESP); return (IPPROTO_DONE); } @@ -314,7 +298,8 @@ ipcomp4_input(struct mbuf **mp, int *off off = *offp; mp = NULL; - ipsec4_common_input(m, off, IPPROTO_IPCOMP); + ipsec_common_input(m, off, offsetof(struct ip, ip_p), + AF_INET, IPPROTO_IPCOMP); return (IPPROTO_DONE); } ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
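Review bot: In esp4_input and ipcomp4_input the context line reads `mp = NULL;`, which only clears the local parameter, whereas ah4_input in the same file does `*mp = NULL;`. The mbuf is handed to `ipsec_common_input()` and the function returns `IPPROTO_DONE`, so the caller's pointer still refers to an mbuf it no longer owns; changing both lines to `*mp = NULL;` makes the three handlers agree. The commit already edits the adjacent call in each function, so the fix fits here. All three functions start outside their hunks.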
Re: svn commit: r286000 - head/sys/netipsec
Hello John-Mark, this was forgotten part on my patches merge from gnn@. Can it be fixed by correcting the patches rather than re-introducing this? Most probably the constant definition is wrong on the transforms and also some part of code removal was missed. On Wed, Jul 29, 2015 at 9:15 AM, John-Mark Gurney wrote: > Author: jmg > Date: Wed Jul 29 07:15:16 2015 > New Revision: 286000 > URL: https://svnweb.freebsd.org/changeset/base/286000 > > Log: > RFC4868 section 2.3 requires that the output be half... This fixes > problems that was introduced in r285336... I have verified that > HMAC-SHA2-256 both ah only and w/ AES-CBC interoperate w/ a NetBSD > 6.1.5 vm... > > Reviewed by: gnn > > Modified: > head/sys/netipsec/xform.h > head/sys/netipsec/xform_ah.c > head/sys/netipsec/xform_esp.c > > Modified: head/sys/netipsec/xform.h > > == > --- head/sys/netipsec/xform.h Wed Jul 29 06:35:36 2015(r285999) > +++ head/sys/netipsec/xform.h Wed Jul 29 07:15:16 2015(r286000) > @@ -105,6 +105,7 @@ struct xformsw { > #ifdef _KERNEL > extern void xform_register(struct xformsw*); > extern int xform_init(struct secasvar *sav, int xftype); > +extern int xform_ah_authsize(struct auth_hash *esph); > > struct cryptoini; > > > Modified: head/sys/netipsec/xform_ah.c > > == > --- head/sys/netipsec/xform_ah.cWed Jul 29 06:35:36 2015 > (r285999) > +++ head/sys/netipsec/xform_ah.cWed Jul 29 07:15:16 2015 > (r286000) > @@ -85,8 +85,8 @@ > * Return authenticator size in bytes, based on a field in the > * algorithm descriptor. > */ > -#defineAUTHSIZE(sav) \ > - ((sav->flags & SADB_X_EXT_OLD) ? 16 : > (sav)->tdb_authalgxform->hashsize) > +#defineAUTHSIZE(sav) ((sav->flags & SADB_X_EXT_OLD) ? 16 : \ > +xform_ah_authsize((sav)->tdb_authalgxform)) > > VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH > */ > VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc > */ 
> @@ -112,6 +112,35 @@ static unsigned char ipseczeroes[256]; / > static int ah_input_cb(struct cryptop*); > static int ah_output_cb(struct cryptop*); > > +int > +xform_ah_authsize(struct auth_hash *esph) > +{ > + int alen; > + > + if (esph == NULL) > + return 0; > + > + switch (esph->type) { > + case CRYPTO_SHA2_256_HMAC: > + case CRYPTO_SHA2_384_HMAC: > + case CRYPTO_SHA2_512_HMAC: > + alen = esph->hashsize / 2; /* RFC4868 2.3 */ > + break; > + > + case CRYPTO_AES_128_NIST_GMAC: > + case CRYPTO_AES_192_NIST_GMAC: > + case CRYPTO_AES_256_NIST_GMAC: > + alen = esph->hashsize; > + break; > + > + default: > + alen = AH_HMAC_HASHLEN; > + break; > + } > + > + return alen; > +} > + > /* > * NB: this is public for use by the PF_KEY support. > */ > > Modified: head/sys/netipsec/xform_esp.c > > == > --- head/sys/netipsec/xform_esp.c Wed Jul 29 06:35:36 2015 > (r285999) > +++ head/sys/netipsec/xform_esp.c Wed Jul 29 07:15:16 2015 > (r286000) > @@ -320,7 +320,6 @@ esp_input(struct mbuf *m, struct secasva > IPSEC_ASSERT(sav != NULL, ("null SA")); > IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding > xform")); > > - alen = 0; > /* Valid IP Packet length ? */ > if ( (skip&3) || (m->m_pkthdr.len&3) ){ > DPRINTF(("%s: misaligned packet, skip %u pkt len %u", > @@ -335,13 +334,13 @@ esp_input(struct mbuf *m, struct secasva > esph = sav->tdb_authalgxform; > espx = sav->tdb_encalgxform; > > - /* Determine the ESP header length */ > + /* Determine the ESP header and auth length */ > if (sav->flags & SADB_X_EXT_OLD) > hlen = sizeof (struct esp) + sav->ivlen; > else > hlen = sizeof (struct newesp) + sav->ivlen; > - /* Authenticator hash size */ > - alen = esph ? esph->hashsize : 0; > + > + alen = xform_ah_authsize(esph); > > /* > * Verify payload length is multiple of encryption algorithm 
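Review bot: The `default:` arm of xform_ah_authsize returns `AH_HMAC_HASHLEN` for every algorithm type that is not listed, so a transform added later, or one simply missing from the switch, silently gets that ICV length instead of its own. Listing the algorithms that really use `AH_HMAC_HASHLEN` as explicit cases and letting the default return `esph->hashsize`, the value the replaced code used, would keep unknown transforms on their previous behaviour. The parameter is also named `esph` although the function now serves AH through `AUTHSIZE()`, and the function has no header comment; something like `/* Return the ICV length in bytes for the given auth transform, 0 if none (RFC 4868 2.3 for HMAC-SHA2). */` would help. The esp_input and esp_input_cb hunks call it in place of `esph->hashsize`.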
> @@ -530,7 +529,7 @@ esp_input_cb(struct cryptop *crp) > > /* If authentication was performed, check now. */ > if (esph != NULL) { > - alen = esph->hashsize; > + alen = xform_ah_authsize(esph); > AHSTAT_INC(ahs_hist[sav->alg_auth]); > /* Copy the authenticator from the packet */ > m_copydata(m, m->m_pkthdr.len - alen, alen, aalg); > @@ -700,10 +699,7 @@ esp_output(struct mbuf *m, struct ipsecr > /* XXX clamp padding length a la KAME??? */ > padding = ((blks
Re: svn commit: r285051 - head/sys/netinet
On Tue, Jul 28, 2015 at 2:42 PM, Gleb Smirnoff wrote: > Ermal, > > see comments inlined, > > On Thu, Jul 02, 2015 at 06:10:42PM +0000, Ermal Luçi wrote: > E> Author: eri > E> Date: Thu Jul 2 18:10:41 2015 > E> New Revision: 285051 > E> URL: https://svnweb.freebsd.org/changeset/base/285051 > E> > E> Log: > E> Avoid doing multiple route lookups for the same destination IP during > forwarding > E> > E> ip_forward() does a route lookup for testing this packet can be sent > to a known destination, > E> it also can do another route lookup if it detects that an ICMP > redirect is needed, > E> it forgets all of this and handovers to ip_output() to do the same > lookup yet again. > E> > E> This optimisation just does one route lookup during the forwarding > path and handovers that to be considered by ip_output(). > E> > E> Differential Revision: https://reviews.freebsd.org/D2964 > E> Approved by: ae, gnn(mentor) > E> MFC after: 1 week > E> > E> Modified: > E> head/sys/netinet/ip_input.c > E> > E> Modified: head/sys/netinet/ip_input.c > E> > == > E> --- head/sys/netinet/ip_input.c Thu Jul 2 17:30:59 2015 > (r285050) > E> +++ head/sys/netinet/ip_input.c Thu Jul 2 18:10:41 2015 > (r285051) > E> @@ -897,6 +897,7 @@ ip_forward(struct mbuf *m, int srcrt) > E> struct ip *ip = mtod(m, struct ip *); > E> struct in_ifaddr *ia; > E> struct mbuf *mcopy; > E> +struct sockaddr_in *sin; > E> struct in_addr dest; > E> struct route ro; > E> int error, type = 0, code = 0, mtu = 0; > E> 
@@ -925,7 +926,22 @@ ip_forward(struct mbuf *m, int srcrt) > E> } > E> #endif > E> > E> -ia = ip_rtaddr(ip->ip_dst, M_GETFIB(m)); > E> +bzero(&ro, sizeof(ro)); > E> +sin = (struct sockaddr_in *)&ro.ro_dst; > E> +sin->sin_family = AF_INET; > E> +sin->sin_len = sizeof(*sin); > E> +sin->sin_addr = ip->ip_dst; > E> +#ifdef RADIX_MPATH > E> +rtalloc_mpath_fib(&ro, > E> +ntohl(ip->ip_src.s_addr ^ ip->ip_dst.s_addr), > E> +M_GETFIB(m)); > E> +#else > E> +in_rtalloc_ign(&ro, 0, M_GETFIB(m)); > E> +#endif > E> +if (ro.ro_rt != NULL) { > E> +ia = ifatoia(ro.ro_rt->rt_ifa); > E> +ifa_ref(&ia->ia_ifa); > E> +} > E> #ifndef IPSEC > E> /* > E> * 'ia' may be NULL if there is no route for this destination. > E> @@ -934,6 +950,7 @@ ip_forward(struct mbuf *m, int srcrt) > E> */ > E> if (!srcrt && ia == NULL) { > E> icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0); > E> +RO_RTFREE(&ro); > E> return; > E> } > > Here the ifa reference is leaked upon return. > > Gleb, the improvement on the ifa_ref not needed is something to look at but the ifa_ref here is not lost since ia == NULL, no? Maybe i am missing something else. Also can we put this on a review? > > But don't hurry with fixing that :) Actually you don't need to ifa_ref() > in this function. You acquired a reference on rtentry in in_rtalloc_ign() > and hold it until RO_RTFREE(). And the rtentry itself always holds a > reference on the ifa. So, there is no reason to put extra reference on > the ifa. > > The ip_output() was already improved in r262747. And ip_forward() can > also be. The only place that touches ia after RO_RTFREE() is EMSGSIZE > handling, this can be moved up before RO_RTFREE(). > > Here is suggested patch. Ermal and Oliver, can you please test/benchmark > it? > > -- > Totus tuus, Glebius. > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r285051 - head/sys/netinet
On Wed, Jul 29, 2015 at 6:48 PM, George Neville-Neil wrote: > > > On 29 Jul 2015, at 11:05, Gleb Smirnoff wrote: > > Ermal, >> >> On Wed, Jul 29, 2015 at 03:00:59PM +0200, Ermal Luçi wrote: >> E> > E> @@ -934,6 +950,7 @@ ip_forward(struct mbuf *m, int srcrt) >> E> > E> */ >> E> > E> if (!srcrt && ia == NULL) { >> E> > E> icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0); >> E> > E> +RO_RTFREE(&ro); >> E> > E> return; >> E> > E> } >> E> > >> E> > Here the ifa reference is leaked upon return. >> E> > >> E> > >> E> Gleb, >> E> >> E> the improvement on the ifa_ref not needed is something to look at but >> the >> E> ifa_ref here is not lost since ia == NULL, no? >> E> Maybe i am missing something else. >> >> Sure you are right. Mea culpa. >> >> E> Also can we put this on a review? >> >> It is possible. Let's just wait for Olivier to return and ask him to >> do a benchmark :) >> >> > Olivier isnt' the only one that can do a benchmark. I can chuck this up > in the > Sentex lab, that's what it's for. Give me a brief outline and I'll code > something > up in Conductor. > The outline is simple. Just forwarding performance in terms of PPS for normal forwarding with the patch suggested from Gleb builtin. pmcstat data would be useful as well during this bench :) > > Best, > George > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r286000 - head/sys/netipsec
On Wed, Jul 29, 2015 at 5:40 PM, John-Mark Gurney wrote: > Ermal Lui wrote this message on Wed, Jul 29, 2015 at 14:53 +0200: > > this was forgotten part on my patches merge from gnn@. > > Can it be fixed by correcting the patches rather than re-introducing > this? > > > > Most probably the constant definition is wrong on the transforms and also > > some part of code removal was missed. > > No, it cannot be fixed by changing opencrypto/xform.c to truncate the > hash size... The reason it cannot be is that OCF is not an IPsec only > framework... > > Geli also uses the HMAC constructions, and I have not confirmed if they > use the full hash size or not... I would be open to adding a field to > the crypto descriptor that limited how much of the hash is copied out... > > It would have been helpful to comment more of these changes... If you > make a change for a reason (RFC, etc), then throw that in the comments, > which allows someone following to understand why and prevent their > removal... At least if they were commented as to why they changed, we > would have known to rework the change... > > Yes you are right but according to me this is standard practice being done allover SSL/IPSec I am not sure which standard GELI follows to comment on that! Also then it would be better to review the declarations on the transform since they are apparently not generic, no? > > On Wed, Jul 29, 2015 at 9:15 AM, John-Mark Gurney > wrote: > > > > > Author: jmg > > > Date: Wed Jul 29 07:15:16 2015 > > > New Revision: 286000 > > > URL: https://svnweb.freebsd.org/changeset/base/286000 > > > > > > Log: > > > RFC4868 section 2.3 requires that the output be half... This fixes > > > problems that was introduced in r285336... I have verified that > > > HMAC-SHA2-256 both ah only and w/ AES-CBC interoperate w/ a NetBSD > > > 6.1.5 vm... > > > > > > Reviewed by: gnn > > -- > John-Mark Gurney Voice: +1 415 225 5579 > > "All that I will do, has been done, All that I have, has not." 
> -- Ermal
svn commit: r286025 - stable/10/sys/netinet
Author: eri Date: Wed Jul 29 17:46:16 2015 New Revision: 286025 URL: https://svnweb.freebsd.org/changeset/base/286025 Log: MFC r285051 Avoid doing multiple route lookups for the same destination IP during forwarding. Differential Revision:https://reviews.freebsd.org/D2964 Modified: stable/10/sys/netinet/ip_input.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/netinet/ip_input.c == --- stable/10/sys/netinet/ip_input.cWed Jul 29 17:34:26 2015 (r286024) +++ stable/10/sys/netinet/ip_input.cWed Jul 29 17:46:16 2015 (r286025) @@ -1345,6 +1345,7 @@ ip_forward(struct mbuf *m, int srcrt) struct ip *ip = mtod(m, struct ip *); struct in_ifaddr *ia; struct mbuf *mcopy; + struct sockaddr_in *sin; struct in_addr dest; struct route ro; int error, type = 0, code = 0, mtu = 0; @@ -1366,7 +1367,22 @@ ip_forward(struct mbuf *m, int srcrt) } #endif - ia = ip_rtaddr(ip->ip_dst, M_GETFIB(m)); + bzero(&ro, sizeof(ro)); + sin = (struct sockaddr_in *)&ro.ro_dst; + sin->sin_family = AF_INET; + sin->sin_len = sizeof(*sin); + sin->sin_addr = ip->ip_dst; +#ifdef RADIX_MPATH + rtalloc_mpath_fib(&ro, + ntohl(ip->ip_src.s_addr ^ ip->ip_dst.s_addr), + M_GETFIB(m)); +#else + in_rtalloc_ign(&ro, 0, M_GETFIB(m)); +#endif + if (ro.ro_rt != NULL) { + ia = ifatoia(ro.ro_rt->rt_ifa); + ifa_ref(&ia->ia_ifa); + } #ifndef IPSEC /* * 'ia' may be NULL if there is no route for this destination. @@ -1375,6 +1391,7 @@ ip_forward(struct mbuf *m, int srcrt) */ if (!srcrt && ia == NULL) { icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0); + RO_RTFREE(&ro); return; } #endif 
@@ -1431,16 +1448,8 @@ ip_forward(struct mbuf *m, int srcrt) dest.s_addr = 0; if (!srcrt && V_ipsendredirects && ia != NULL && ia->ia_ifp == m->m_pkthdr.rcvif) { - struct sockaddr_in *sin; struct rtentry *rt; - bzero(&ro, sizeof(ro)); - sin = (struct sockaddr_in *)&ro.ro_dst; - sin->sin_family = AF_INET; - sin->sin_len = sizeof(*sin); - sin->sin_addr = ip->ip_dst; - in_rtalloc_ign(&ro, 0, M_GETFIB(m)); - rt = ro.ro_rt; if (rt && (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0 && @@ -1459,16 +1468,8 @@ ip_forward(struct mbuf *m, int srcrt) code = ICMP_REDIRECT_HOST; } } - if (rt) - RTFREE(rt); } - /* -* Try to cache the route MTU from ip_output so we can consider it for -* the ICMP_UNREACH_NEEDFRAG "Next-Hop MTU" field described in RFC1191. -*/ - bzero(&ro, sizeof(ro)); - error = ip_output(m, NULL, &ro, IP_FORWARDING, NULL, NULL); if (error == EMSGSIZE && ro.ro_rt) ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
svn commit: r286026 - stable/10/sys/netinet
Author: eri Date: Wed Jul 29 17:50:14 2015 New Revision: 286026 URL: https://svnweb.freebsd.org/changeset/base/286026 Log: MFC 285325 Correct issue presented in r285051 by properly initializing variable. Differential Revision: https://reviews.freebsd.org/D3036 Modified: stable/10/sys/netinet/ip_input.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/netinet/ip_input.c ==
--- stable/10/sys/netinet/ip_input.cWed Jul 29 17:46:16 2015 (r286025)
+++ stable/10/sys/netinet/ip_input.cWed Jul 29 17:50:14 2015 (r286026)
@@ -1382,7 +1382,8 @@ ip_forward(struct mbuf *m, int srcrt)
 if (ro.ro_rt != NULL) {
 ia = ifatoia(ro.ro_rt->rt_ifa);
 ifa_ref(&ia->ia_ifa);
- }
+ } else
+ ia = NULL;
 #ifndef IPSEC
 /*
 * 'ia' may be NULL if there is no route for this destination.
___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
svn commit: r286028 - head/sys/netinet
Author: eri Date: Wed Jul 29 18:04:01 2015 New Revision: 286028 URL: https://svnweb.freebsd.org/changeset/base/286028 Log: ip_output normalization and fixes ip_output has a big chunk of code used to handle special cases with pfil consumers which also forces a reloop on it. Gather all this code together to make it readable and properly handle the reloop cases. Some of the issues identified: M_IP_NEXTHOP is not handled properly in existing code. route reference leaking is possible with in FIB number change route flags checking is not consistent in the function Differential Revision:https://reviews.freebsd.org/D3022 Reviewed by: gnn Approved by: gnn(mentor) MFC after:4 weeks Modified: head/sys/netinet/ip_output.c Modified: head/sys/netinet/ip_output.c == --- head/sys/netinet/ip_output.cWed Jul 29 17:59:13 2015 (r286027) +++ head/sys/netinet/ip_output.cWed Jul 29 18:04:01 2015 (r286028) 
@@ -106,6 +106,94 @@ static voidip_mloopback extern int in_mcast_loop; extern struct protosw inetsw[]; +static inline int +ip_output_pfil(struct mbuf *m, struct ifnet *ifp, struct inpcb *inp, + struct sockaddr_in *dst, int *fibnum, int *error) +{ + struct m_tag *fwd_tag = NULL; + struct in_addr odst; + struct ip *ip; + + ip = mtod(m, struct ip *); + + /* Run through list of hooks for output packets. */ + odst.s_addr = ip->ip_dst.s_addr; + *error = pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_OUT, inp); + if ((*error) != 0 || m == NULL) + return 1; /* Finished */ + + ip = mtod(m, struct ip *); + + /* See if destination IP address was changed by packet filter. */ + if (odst.s_addr != ip->ip_dst.s_addr) { + m->m_flags |= M_SKIP_FIREWALL; + /* If destination is now ourself drop to ip_input(). */ + if (in_localip(ip->ip_dst)) { + m->m_flags |= M_FASTFWD_OURS; + if (m->m_pkthdr.rcvif == NULL) + m->m_pkthdr.rcvif = V_loif; + if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { + m->m_pkthdr.csum_flags |= + CSUM_DATA_VALID | CSUM_PSEUDO_HDR; + m->m_pkthdr.csum_data = 0x; + } + m->m_pkthdr.csum_flags |= + CSUM_IP_CHECKED | CSUM_IP_VALID; +#ifdef SCTP + if (m->m_pkthdr.csum_flags & CSUM_SCTP) + m->m_pkthdr.csum_flags |= CSUM_SCTP_VALID; +#endif + *error = netisr_queue(NETISR_IP, m); + return 1; /* Finished */ + } + + bzero(dst, sizeof(*dst)); + dst->sin_family = AF_INET; + dst->sin_len = sizeof(*dst); + dst->sin_addr = ip->ip_dst; + + return -1; /* Reloop */ + } + /* See if fib was changed by packet filter. */ + if ((*fibnum) != M_GETFIB(m)) { + m->m_flags |= M_SKIP_FIREWALL; + *fibnum = M_GETFIB(m); + return -1; /* Reloop for FIB change */ + } + + /* See if local, if yes, send it to netisr with IP_FASTFWD_OURS. 
*/ + if (m->m_flags & M_FASTFWD_OURS) { + if (m->m_pkthdr.rcvif == NULL) + m->m_pkthdr.rcvif = V_loif; + if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { + m->m_pkthdr.csum_flags |= + CSUM_DATA_VALID | CSUM_PSEUDO_HDR; + m->m_pkthdr.csum_data = 0x; + } +#ifdef SCTP + if (m->m_pkthdr.csum_flags & CSUM_SCTP) + m->m_pkthdr.csum_flags |= CSUM_SCTP_VALID; +#endif + m->m_pkthdr.csum_flags |= + CSUM_IP_CHECKED | CSUM_IP_VALID; + + *error = netisr_queue(NETISR_IP, m); + return 1; /* Finished */ + } + /* Or forward to some other address? */ + if ((m->m_flags & M_IP_NEXTHOP) && + ((fwd_tag = m_tag_find(m, PACKET_TAG_IPFORWARD, NULL)) != NULL)) { + bcopy((fwd_tag+1), dst, sizeof(struct sockaddr_in)); + m->m_flags |= M_SKIP_FIREWALL; + m->m_flags &= ~M_IP_NEXTHOP; + m_tag_delete(m, fwd_tag); + + return -1; /* Reloop for CHANGE of dst */ + } + + return 0; +} + /* * IP output. The packet in mbuf chain m contains a skeletal IP * header (with len, off, ttl, proto, tos, src, dst). @@ -136,11 +224,8 @@ ip_output(struct mbuf *m, struct mbuf *o uint16_t ip_len, ip_off; struct route iproute; struct rtentry *rte;/* cache for ro->ro_rt */ - struct in_add
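Review bot: ip_output_pfil() takes the packet as `struct mbuf *m` and passes `&m` to pfil_run_hooks(), so when a hook frees or replaces the head of the chain only this function's local copy is updated. The caller's pointer then still refers to the old mbuf, which is a use-after-free once ip_output() touches the packet again after a 0 or -1 return. Taking the mbuf by reference and reloading the local after the hooks run closes that gap; the call site in ip_output() is outside this hunk and would need to pass `&m`.

```c
static inline int
ip_output_pfil(struct mbuf **mp, struct ifnet *ifp, struct inpcb *inp,
    struct sockaddr_in *dst, int *fibnum, int *error)
{
	/* … unchanged: fwd_tag, odst and ip declarations … */
	struct mbuf *m;

	m = *mp;
	/* … unchanged: ip = mtod(m, …) and saving odst … */
	*error = pfil_run_hooks(&V_inet_pfil_hook, mp, ifp, PFIL_OUT, inp);
	m = *mp;	/* a hook may have replaced or consumed the chain head */
	if ((*error) != 0 || m == NULL)
	/* … unchanged: destination, FIB, M_FASTFWD_OURS and M_IP_NEXTHOP handling … */
```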
svn commit: r286037 - head/sys/netinet
Author: eri Date: Wed Jul 29 20:10:36 2015 New Revision: 286037 URL: https://svnweb.freebsd.org/changeset/base/286037 Log: Avoid double reference decrement when firewalls force relooping of packets When firewalls force a reloop of packets and the caller supplied a route the reference to the route might be reduced twice creating issues. This is especially the scenario when a packet is looped because of operation in the firewall but the new route lookup gives a down route. Differential Revision:https://reviews.freebsd.org/D3037 Reviewed by: gnn Approved by: gnn(mentor) Modified: head/sys/netinet/ip_output.c Modified: head/sys/netinet/ip_output.c ==
--- head/sys/netinet/ip_output.cWed Jul 29 20:02:20 2015 (r286036)
+++ head/sys/netinet/ip_output.cWed Jul 29 20:10:36 2015 (r286037)
@@ -681,6 +681,13 @@ sendit:
 done:
 if (ro == &iproute)
 RO_RTFREE(ro);
+ else if (rte == NULL)
+ /*
+* If the caller supplied a route but somehow the reference
+* to it has been released need to prevent the caller
+* calling RTFREE on it again.
+*/
+ ro->ro_rt = NULL;
 if (have_ia_ref)
 ifa_free(&ia->ia_ifa);
 return (error);
___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
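Review bot: The new `else if (rte == NULL)` branch clears the caller's `ro->ro_rt` based on the value of the local `rte` at `done:` rather than on the release it is meant to compensate for, and the comment's "somehow" does not name the path that drops the reference. If any route through ip_output() can reach `done:` with `rte == NULL` while the caller's `ro->ro_rt` still holds its reference, this turns the double release into a leaked route reference; the hunk does not show enough of the function to rule that out. I would have the comment state the invariant being relied on, along the lines of `/* rte == NULL here means the reference in ro->ro_rt was already released; clear it so the caller does not RTFREE it again. */`, or clear `ro->ro_rt` at the point where the reference is dropped. The body of ip_output() lies outside this hunk.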
svn commit: r286095 - head/sys/netipsec
Author: eri Date: Thu Jul 30 20:56:27 2015 New Revision: 286095 URL: https://svnweb.freebsd.org/changeset/base/286095 Log: Correct IPSec SA statistic keeping The IPsec SA statistic keeping is used even for decision making on expiry/rekeying SAs. When there are multiple transformations being done the statistic keeping might be wrong. This mostly impacts multiple encapsulations on IPsec since the usual scenario it is not noticed due to the code path not taken. Differential Revision:https://reviews.freebsd.org/D3239 Reviewed by: ae, gnn Approved by: gnn(mentor) Modified: head/sys/netipsec/ipsec_output.c Modified: head/sys/netipsec/ipsec_output.c == --- head/sys/netipsec/ipsec_output.cThu Jul 30 19:52:43 2015 (r286094) +++ head/sys/netipsec/ipsec_output.cThu Jul 30 20:56:27 2015 (r286095) @@ -158,6 +158,8 @@ ipsec_process_done(struct mbuf *m, struc tdbi->spi = sav->spi; m_tag_prepend(m, mtag); + key_sa_recordxfer(sav, m); /* record data transfer */ + /* * If there's another (bundled) SA to apply, do so. * Note that this puts a burden on the kernel stack size. @@ -202,7 +204,6 @@ ipsec_process_done(struct mbuf *m, struc goto bad; } } - key_sa_recordxfer(sav, m); /* record data transfer */ /* * We're done with IPsec processing, transmit the packet using the ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
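Review bot: Moving `key_sa_recordxfer(sav, m)` ahead of the bundled-SA block in the first hunk means the SA's counters now advance before the checks that can still `goto bad` (visible as context in the second hunk), so a packet that is later dropped is still counted against the SA. Since the log says these counters feed expiry and rekeying decisions, over-counting errs on the safe side, but the ordering is now load-bearing and the trailing `/* record data transfer */` does not say so. I would replace it with a comment above the call such as `/* Account this SA before any bundled SA is applied; expiry/rekey decisions read these counters. */`. ipsec_process_done() starts and ends outside both hunks.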
Re: svn commit: r286028 - head/sys/netinet
On Sun, Aug 2, 2015 at 8:40 PM, Mark Johnston wrote: > On Wed, Jul 29, 2015 at 06:04:02PM +0000, Ermal Luçi wrote: > > Author: eri > > Date: Wed Jul 29 18:04:01 2015 > > New Revision: 286028 > > URL: https://svnweb.freebsd.org/changeset/base/286028 > > > > Log: > > ip_output normalization and fixes > > > > ip_output has a big chunk of code used to handle special cases with > pfil consumers which also forces a reloop on it. > > Gather all this code together to make it readable and properly handle > the reloop cases. > > > > Some of the issues identified: > > > > M_IP_NEXTHOP is not handled properly in existing code. > > route reference leaking is possible with in FIB number change > > route flags checking is not consistent in the function > > > > Differential Revision: https://reviews.freebsd.org/D3022 > > Reviewed by:gnn > > Approved by:gnn(mentor) > > MFC after: 4 weeks > > > > Modified: > > head/sys/netinet/ip_output.c > > > > Modified: head/sys/netinet/ip_output.c > > > == > > --- head/sys/netinet/ip_output.c Wed Jul 29 17:59:13 2015 > (r286027) > > +++ head/sys/netinet/ip_output.c Wed Jul 29 18:04:01 2015 > (r286028) 
> > @@ -106,6 +106,94 @@ static void ip_mloopback > > extern int in_mcast_loop; > > extern struct protosw inetsw[]; > > > > +static inline int > > +ip_output_pfil(struct mbuf *m, struct ifnet *ifp, struct inpcb *inp, > > + struct sockaddr_in *dst, int *fibnum, int *error) > > +{ > > + struct m_tag *fwd_tag = NULL; > > + struct in_addr odst; > > + struct ip *ip; > > + > > + ip = mtod(m, struct ip *); > > + > > + /* Run through list of hooks for output packets. */ > > + odst.s_addr = ip->ip_dst.s_addr; > > + *error = pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_OUT, inp); > > + if ((*error) != 0 || m == NULL) > > + return 1; /* Finished */ > > + > > This can result in a use-after-free in ip_output() if a pfil hook > consumes the first mbuf in the chain. This happens for example when ipfw > nat is in use: m_megapullup() copies the input packet into a single > cluster, which is returned above. However, ip_output() will continue to > reference the original mbuf chain. > > The patch below fixes the problem for me. > > Good catch just push it in. Ok for me. > Thanks, > -Mark > > diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c > index 0790777..086a8c9 100644 > --- a/sys/netinet/ip_output.c > +++ b/sys/netinet/ip_output.c 
> @@ -107,18 +107,21 @@ extern int in_mcast_loop; > extern struct protosw inetsw[]; > > static inline int > -ip_output_pfil(struct mbuf *m, struct ifnet *ifp, struct inpcb *inp, > - struct sockaddr_in *dst, int *fibnum, int *error) > +ip_output_pfil(struct mbuf **mp, struct ifnet *ifp, struct inpcb *inp, > +struct sockaddr_in *dst, int *fibnum, int *error) > { > struct m_tag *fwd_tag = NULL; > + struct mbuf *m; > struct in_addr odst; > struct ip *ip; > > + m = *mp; > ip = mtod(m, struct ip *); > > /* Run through list of hooks for output packets. */ > odst.s_addr = ip->ip_dst.s_addr; > - *error = pfil_run_hooks(&V_inet_pfil_hook, &m, ifp, PFIL_OUT, inp); > + *error = pfil_run_hooks(&V_inet_pfil_hook, mp, ifp, PFIL_OUT, inp); > + m = *mp; > if ((*error) != 0 || m == NULL) > return 1; /* Finished */ > > @@ -552,7 +555,7 @@ sendit: > > /* Jump over all PFIL processing if hooks are not active. */ > if (PFIL_HOOKED(&V_inet_pfil_hook)) { > - switch (ip_output_pfil(m, ifp, inp, dst, &fibnum, &error)) > { > + switch (ip_output_pfil(&m, ifp, inp, dst, &fibnum, > &error)) { > case 1: /* Finished */ > goto done; > > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r285051 - head/sys/netinet
Hello Olivier, its strange seeing so much contention on the arp tables on your PMC stats. Do you run ping(to prepopulate arp) or static arp to remove the noise from that interaction? Also do you run with flowtable active? On Mon, Aug 3, 2015 at 3:06 PM, Olivier Cochard-Labbé wrote: > On Tue, Jul 28, 2015 at 2:42 PM, Gleb Smirnoff > wrote: > >> >> Here is suggested patch. Ermal and Oliver, can you please test/benchmark >> it? >> > > Hi, > > this patch reduce performanece :-( > > Here are the results regarding forwarding: > > x r285046.pps.forwarding (IPSEC compiled but not used) > + r285051.pps.forwarding (IPSEC compiled but not used) > * r285051-glebius-patched.pps.forwarding (IPSEC compiled but not used) > > ++ > |xxx xx > * + +++| > ||_M_A___| > |_A_| |AM|| > > ++ > N Min MaxMedian AvgStddev > x 5397733406951399300 401613.8 4324.9755 > + 5478095482079480869 480543.6 1666.0282 > Difference at 95.0% confidence > 78929.8 +/- 4779.72 > 19.6532% +/- 1.19013% > (Student's t, pooled s = 3277.27) > * 5424720430745427014 427378.4 2351.7439 > Difference at 95.0% confidence > 25764.6 +/- 5076.98 > 6.41527% +/- 1.26415% > (Student's t, pooled s = 3481.1) > > > > PMC stats during forwarding bench: > [root@netgate]/data# pmcannotate pmc.forwarding.out > /data/debug/boot/kernel/kernel.symbols > CONVERSION STATISTICS: > #samples/total 33880 > Profile trace for function: __rw_rlock() [6.29%] > Profile trace for function: ip_forward() [4.68%] > Profile trace for function: ip_output() [4.64%] > Profile trace for function: binuptime() [4.05%] > Profile trace for function: igb_mq_start_locked() [3.79%] > Profile trace for function: igb_rxeof() [3.46%] > Profile trace for function: tsc_get_timecount_low_lfence() [3.25%] > Profile trace for function: ether_output() [3.03%] > Profile trace for function: rtalloc1_fib() [2.77%] > Profile trace for function: random_ivy_read() [2.64%] > Profile trace for function: _rw_runlock_cookie() [2.64%] > Profile trace for function: ether_nh_input() 
[2.63%] > Profile trace for function: ip_input() [2.55%] > Profile trace for function: key_allocsp_default() [2.39%] > Profile trace for function: igb_mq_start() [2.39%] > Profile trace for function: bzero() [2.08%] > Profile trace for function: uma_zalloc_arg() [1.95%] > Profile trace for function: memcpy() [1.84%] > Profile trace for function: _mtx_lock_spin_cookie() [1.83%] > Profile trace for function: bcopy() [1.76%] > Profile trace for function: random_harvest_queue() [1.63%] > Profile trace for function: __mtx_lock_sleep() [1.56%] > Profile trace for function: uma_zfree_arg() [1.47%] > Profile trace for function: arpresolve() [1.39%] > Profile trace for function: in_cksumdata() [1.25%] > Profile trace for function: bounce_bus_dmamap_load_buffer() [1.22%] > Profile trace for function: bcmp() [1.13%] > Profile trace for function: rtalloc_ign_fib() [1.11%] > Profile trace for function: rn_match() [1.03%] > Profile trace for function: netisr_dispatch_src() [1.03%] > Profile trace for function: critical_exit() [1.02%] > Profile trace for function: bus_dmamap_load_mbuf_sg() [0.87%] > Profile trace for function: spinlock_exit() [0.79%] > Profile trace for function: in_cksum_skip() [0.75%] > Profile trace for function: ip_ipsec_output() [0.75%] > Profile trace for function: acpi_cpu_c1() [0.74%] > Profile trace for function: in_broadcast() [0.74%] > Profile trace for function: spinlock_enter() [0.74%] > Profile trace for function: igb_refresh_mbufs() [0.71%] > Profile trace for function: in_lltable_lookup() [0.71%] > Profile trace for function: ip_fastforward() [0.68%] > Profile trace for function: m_adj() [0.65%] > Profile trace for function: ether_demux() [0.65%] > Profile trace for function: _key_freesp() [0.61%] > Profile trace for function: lockstat_nsecs() [0.60%] > Profile trace for function: m_freem() [0.58%] > Profile trace for function: critical_enter() [0.56%] > Profile trace for function: m_copydata() [0.55%] > Profile trace for function: mb_free_ext() 
[0.54%] > Profile trace for function: pmap_kextract() [0.50%] > > > > And about fastforwarding: > > x 285046.pps.fastforwarding (IPSEC compiled but not used) > + 285051.pps.fastforwarding (IPSEC compiled but not used) > * r285051-glebius-patched.pps.fastforwarding (IPSEC compiled but not used) > > ++ > |* > +| > |* * * *++ +x > x+ xx x
Re: svn commit: r285051 - head/sys/netinet
On Mon, Aug 3, 2015 at 5:18 PM, Olivier Cochard-Labbé wrote: > On Mon, Aug 3, 2015 at 5:05 PM, Ermal Luçi wrote: > >> Hello Olivier, >> >> its strange seeing so much contention on the arp tables on your PMC stats. >> Do you run ping(to prepopulate arp) or static arp to remove the noise >> from that interaction? >> > > I'm using static ARP on my devices (and static MAC assignement on > switches too) during my benchs. > Then you have to create static ARPs for all your pkt-gen ips :) > > > >> >> Also do you run with flowtable active? >> > > No I didn't have "options FLOWTABLE" in my kernel. > > Regards, > > Olivier > > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r286337 - head/sys/contrib/dev/ath/ath_hal/ar9300
I did the port for pfSense and the whole stack works from HEAD into 10-STABLE. Just minor modifications were required. If you want i can try to send the diff. On Wed, Aug 5, 2015 at 11:55 PM, Oliver Pinter < oliver.pin...@hardenedbsd.org> wrote: > Yup. :) If you need testers with the backport, then ping me. ;) > > On Wed, Aug 5, 2015 at 11:23 PM, Adrian Chadd wrote: > > The whole wifi stack / drivers need backporting. :) > > > > > > > > -a > > > > > > On 5 August 2015 at 12:41, Shawn Webb > wrote: > >> On Wed, 2015-08-05 at 19:32 +, Adrian Chadd wrote: > >>> Author: adrian > >>> Date: Wed Aug 5 19:32:35 2015 > >>> New Revision: 286337 > >>> URL: https://svnweb.freebsd.org/changeset/base/286337 > >>> > >>> Log: > >>> Add TXOP enforce support to the AR9300 HAL. > >>> > >>> This is required for (more) correct TDMA support. Without it, the > >>> code tries to calculate the required guard interval based on the > >>> current rate, and since this is an 11n NIC and people try using > >>> 11n, it calls ath_hal_computetxtime() on an 11n rate which then > >>> panics. > >>> > >>> This doesn't fix TDMA slave mode on AR9300 - it just makes it > >>> have one less bug. > >>> > >>> Reported by:Berislav Purgar > >>> > >>> Modified: > >>> head/sys/contrib/dev/ath/ath_hal/ar9300/ar9300_misc.c > >> > >> Hey Adrian, > >> > >> Can this be MFC'd? > >> > >> Thanks, > >> > >> -- > >> Shawn Webb > >> HardenedBSD > >> > >> GPG Key ID: 0x6A84658F52456EEE > >> GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 6EEE > > ___ > > svn-src-h...@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/svn-src-head > > To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org" > > -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
svn commit: r315877 - head/sys/net
Author: eri Date: Fri Mar 24 00:55:16 2017 New Revision: 315877 URL: https://svnweb.freebsd.org/changeset/base/315877 Log: Correct handling of ALTQ with epair(4) interfaces but presenting that ALTQ(9) is supported. Approved by: ae MFC after:2 weeks Modified: head/sys/net/if_epair.c Modified: head/sys/net/if_epair.c ==
--- head/sys/net/if_epair.c Fri Mar 24 00:02:12 2017(r315876)
+++ head/sys/net/if_epair.c Fri Mar 24 00:55:16 2017(r315877)
@@ -831,7 +831,8 @@ epair_clone_create(struct if_clone *ifc,
 ifp->if_start = epair_start;
 ifp->if_ioctl = epair_ioctl;
 ifp->if_init = epair_init;
- ifp->if_snd.ifq_maxlen = ifqmaxlen;
+ if_setsendqlen(ifp, ifqmaxlen);
+ if_setsendqready(ifp);
 /* Assign a hopefully unique, locally administered etheraddr. */
 eaddr[0] = 0x02;
 eaddr[3] = (ifp->if_index >> 8) & 0xff;
@@ -857,7 +858,8 @@ epair_clone_create(struct if_clone *ifc,
 ifp->if_start = epair_start;
 ifp->if_ioctl = epair_ioctl;
 ifp->if_init = epair_init;
- ifp->if_snd.ifq_maxlen = ifqmaxlen;
+ if_setsendqlen(ifp, ifqmaxlen);
+ if_setsendqready(ifp);
 /* We need to play some tricks here for the second interface. */
 strlcpy(name, epairname, len);
 error = if_clone_create(name, len, (caddr_t)scb);
___ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
svn commit: r313524 - in head/sys: netinet netinet6
Author: eri Date: Fri Feb 10 05:16:14 2017 New Revision: 313524 URL: https://svnweb.freebsd.org/changeset/base/313524 Log: The patch provides the same socket option as Linux IP_ORIGDSTADDR. Unfortunately they will have different integer value due to Linux value being already assigned in FreeBSD. The patch is similar to IP_RECVDSTADDR but also provides the destination port value to the application. This allows/improves implementation of transparent proxies on UDP sockets due to having the whole information on forwarded packets. Sponsored-by: rsync.net Differential Revision: D9235 Reviewed-by: adrian Modified: head/sys/netinet/in.h head/sys/netinet/in_pcb.c head/sys/netinet/in_pcb.h head/sys/netinet/ip_output.c head/sys/netinet/udp_usrreq.c head/sys/netinet6/in6.h head/sys/netinet6/in6_pcb.c head/sys/netinet6/in6_pcb.h head/sys/netinet6/ip6_output.c head/sys/netinet6/raw_ip6.c head/sys/netinet6/udp6_usrreq.c Modified: head/sys/netinet/in.h == --- head/sys/netinet/in.h Fri Feb 10 05:14:19 2017(r313523) +++ head/sys/netinet/in.h Fri Feb 10 05:16:14 2017(r313524) @@ -433,6 +433,8 @@ __END_DECLS #defineIP_BINDANY 24 /* bool: allow bind to any address */ #defineIP_BINDMULTI25 /* bool: allow multiple listeners on a tuple */ #defineIP_RSS_LISTEN_BUCKET26 /* int; set RSS listen bucket */ +#defineIP_ORIGDSTADDR 27 /* bool: receive IP dst addr/port w/dgram */ +#defineIP_RECVORIGDSTADDR IP_ORIGDSTADDR /* * Options for controlling the firewall and dummynet. Modified: head/sys/netinet/in_pcb.c == --- head/sys/netinet/in_pcb.c Fri Feb 10 05:14:19 2017(r313523) +++ head/sys/netinet/in_pcb.c Fri Feb 10 05:16:14 2017(r313524) 
@@ -2492,6 +2492,10 @@ db_print_inpflags(int inp_flags) db_printf("%sINP_RECVDSTADDR", comma ? ", " : ""); comma = 1; } + if (inp_flags & INP_ORIGDSTADDR) { + db_printf("%sINP_ORIGDSTADDR", comma ? ", " : ""); + comma = 1; + } if (inp_flags & INP_HDRINCL) { db_printf("%sINP_HDRINCL", comma ? ", " : ""); comma = 1; Modified: head/sys/netinet/in_pcb.h == --- head/sys/netinet/in_pcb.h Fri Feb 10 05:14:19 2017(r313523) +++ head/sys/netinet/in_pcb.h Fri Feb 10 05:16:14 2017(r313524) @@ -618,6 +618,7 @@ short inp_so_options(const struct inpcb #defineINP_RECVFLOWID 0x0100 /* populate recv datagram with flow info */ #defineINP_RECVRSSBUCKETID 0x0200 /* populate recv datagram with bucket id */ #defineINP_RATE_LIMIT_CHANGED 0x0400 /* rate limit needs attention */ +#defineINP_ORIGDSTADDR 0x0800 /* receive IP dst address/port */ /* * Flags passed to in_pcblookup*() functions. Modified: head/sys/netinet/ip_output.c == --- head/sys/netinet/ip_output.cFri Feb 10 05:14:19 2017 (r313523) +++ head/sys/netinet/ip_output.cFri Feb 10 05:16:14 2017 (r313524) @@ -1065,6 +1065,7 @@ ip_ctloutput(struct socket *so, struct s case IP_MINTTL: case IP_RECVOPTS: case IP_RECVRETOPTS: + case IP_ORIGDSTADDR: case IP_RECVDSTADDR: case IP_RECVTTL: case IP_RECVIF: @@ -1126,6 +1127,10 @@ ip_ctloutput(struct socket *so, struct s OPTSET(INP_RECVDSTADDR); break; + case IP_ORIGDSTADDR: + OPTSET2(INP_ORIGDSTADDR, optval); + break; + case IP_RECVTTL: OPTSET(INP_RECVTTL); break; @@ -1258,6 +1263,7 @@ ip_ctloutput(struct socket *so, struct s case IP_MINTTL: case IP_RECVOPTS: case IP_RECVRETOPTS: + case IP_ORIGDSTADDR: case IP_RECVDSTADDR: case IP_RECVTTL: case IP_RECVIF: @@ -1303,6 +1309,10 @@ ip_ctloutput(struct socket *so, struct s optval = OPTBIT(INP_RECVDSTADDR); break; + case IP_ORIGDSTADDR: + optval = OPTBIT2(INP_ORIGDSTADDR); + break; + case IP_RECVTTL: optval = OPTBIT(INP_RECVTTL); break; Modified: head/sys
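Review bot: The in_pcb.c hunk tests `inp_flags & INP_ORIGDSTADDR` inside db_print_inpflags(int inp_flags), but the ip_output.c hunks set and read the same bit with `OPTSET2(INP_ORIGDSTADDR, optval)` and `OPTBIT2(INP_ORIGDSTADDR)`, and in_pcb.h defines it as 0x0800 directly after INP_RATE_LIMIT_CHANGED, which suggests it belongs to the second flags word rather than to inp_flags. If that reading is right, the debugger will print INP_ORIGDSTADDR for whichever inp_flags bit shares that value and never for a socket that actually has the option enabled. The check belongs in the printer for the second flags word (`inp_flags2`, if that is what OPTSET2 writes), or the DDB hunk should be dropped. db_print_inpflags() and ip_ctloutput() both extend beyond the hunks shown.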
svn commit: r313527 - in head/sys: netinet netinet6
Author: eri Date: Fri Feb 10 05:51:39 2017 New Revision: 313527 URL: https://svnweb.freebsd.org/changeset/base/313527 Log: Correct missed variable name. Reported-by: ohartm...@walstatt.org Modified: head/sys/netinet/in_pcb.c head/sys/netinet/in_pcb.h head/sys/netinet/tcp_usrreq.c head/sys/netinet/udp_usrreq.c head/sys/netinet6/in6_pcb.c head/sys/netinet6/in6_pcb.h head/sys/netinet6/in6_src.c head/sys/netinet6/udp6_usrreq.c Modified: head/sys/netinet/in_pcb.c == --- head/sys/netinet/in_pcb.c Fri Feb 10 05:42:06 2017(r313526) +++ head/sys/netinet/in_pcb.c Fri Feb 10 05:51:39 2017(r313527) @@ -371,8 +371,8 @@ in_pcbbind(struct inpcb *inp, struct soc */ #if defined(INET) || defined(INET6) int -in_pcb_lport(struct inpcb *inp, struct in_addr *laddrp, u_short *lportp, -struct ucred *cred, int lookupflags) +in_pcb_lport(struct inpcb *inp, struct sockaddr *nam, struct in_addr *laddrp, +u_short *lportp, struct ucred *cred, int lookupflags) { struct inpcbinfo *pcbinfo; struct inpcb *tmpinp; @@ -381,6 +381,7 @@ in_pcb_lport(struct inpcb *inp, struct i u_short aux, first, last, lport; #ifdef INET struct in_addr laddr; + struct sockaddr_in *sin = NULL; #endif pcbinfo = inp->inp_pcbinfo; @@ -447,6 +448,7 @@ in_pcb_lport(struct inpcb *inp, struct i KASSERT(laddrp != NULL, ("%s: laddrp NULL for v4 inp %p", __func__, inp)); laddr = *laddrp; + sin = (struct sockaddr_in *)nam; } #endif tmpinp = NULL; /* Make compiler happy. */ 
@@ -466,16 +468,29 @@ in_pcb_lport(struct inpcb *inp, struct i lport = htons(*lastport); #ifdef INET6 - if ((inp->inp_vflag & INP_IPV6) != 0) - tmpinp = in6_pcblookup_local(pcbinfo, - &inp->in6p_laddr, lport, lookupflags, cred); + if ((inp->inp_vflag & INP_IPV6) != 0) { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)nam; + if (sin6 != NULL && (inp->inp_flags & INP_ANONPORT)) { + tmpinp = in6_pcblookup_hash_locked(pcbinfo, + &sin6->sin6_addr, sin6->sin6_port, + &inp->in6p_laddr, lport, + lookupflags & (~INPLOOKUP_WILDCARD), + NULL); + } else + tmpinp = in6_pcblookup_local(pcbinfo, + &inp->in6p_laddr, lport, lookupflags, cred); + } #endif #if defined(INET) && defined(INET6) else #endif #ifdef INET - tmpinp = in_pcblookup_local(pcbinfo, laddr, - lport, lookupflags, cred); + if (sin != NULL && (inp->inp_flags & INP_ANONPORT)) + tmpinp = in_pcblookup_hash_locked(pcbinfo, sin->sin_addr, sin->sin_port, laddr, + lport, lookupflags & (~INPLOOKUP_WILDCARD), NULL); + else + tmpinp = in_pcblookup_local(pcbinfo, laddr, + lport, lookupflags, cred); #endif } while (tmpinp != NULL); @@ -571,7 +586,7 @@ in_pcbbind_setup(struct inpcb *inp, stru return (EINVAL); if ((so->so_options & (SO_REUSEADDR|SO_REUSEPORT)) == 0) lookupflags = INPLOOKUP_WILDCARD; - if (nam == NULL) { + if (nam == NULL || ((*lportp) == 0 && (inp->inp_flags & INP_ANONPORT))) { if ((error = prison_local_ip4(cred, &laddr)) != 0) return (error); } else { @@ -692,7 +707,7 @@ in_pcbbind_setup(struct inpcb *inp, stru if (*lportp != 0) lport = *lportp; if (lport == 0) { - error = in_pcb_lport(inp, &laddr, &lport, cred, lookupflags); + error = in_pcb_lport(inp, nam, &laddr, &lport, cred, lookupflags); if (error != 0) return (error); Modified: head/sys/netinet/in_pcb.h == --- head/sys/netinet/in_pcb.h Fri Feb 10 05:42:06 2017(r313526) +++ head/sys/netinet/in_pcb.h Fri Feb 10 05:51:39 2017(r313527) 
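Review bot: In the `@@ -466,16 +468,29 @@` hunk `nam` is cast to `struct sockaddr_in6 *` (and, in the earlier `@@ -447,6 +448,7 @@` hunk, to `struct sockaddr_in *`) on the strength of `inp->inp_vflag` alone, and the address and port fields are then read without checking `nam->sa_family` or `nam->sa_len`. The `@@ -571,7 +586,7 @@` hunk also routes a non-NULL `nam` through the `nam == NULL` branch when the port is 0 and INP_ANONPORT is set, so whatever validation the `else` branch performs (not visible here) is bypassed before `nam` reaches in_pcb_lport(). Because `nam` may come from a caller-supplied sockaddr, I would guard the cast, e.g. `if (nam != NULL && nam->sa_family == AF_INET && nam->sa_len == sizeof(*sin)) sin = (struct sockaddr_in *)nam;`, with the equivalent check for AF_INET6. in_pcb_lport() and in_pcbbind_setup() both start and end outside these hunks.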
@@ -697,8 +697,8 @@ voidin_pcbgroup_update_mbuf(struct inpc void in_pcbpurgeif0(struct inpcbinfo *, struct ifnet *); intin_pcballoc(struct socket *, struct inpcbinfo *); intin_pcbbind(struct inpcb *, struct sockaddr *, struct ucred *); -intin_pcb_lport(struct inpcb *, struct in_addr *, u_short *, - struct ucred *, int); +intin_pcb_lport(struct inpcb *, struct sockaddr *, struct in_addr *, + u_short *, struct u
svn commit: r313528 - in head/sys: netinet netinet6
Author: eri Date: Fri Feb 10 05:58:16 2017 New Revision: 313528 URL: https://svnweb.freebsd.org/changeset/base/313528 Log: Revert r313527 Heh svn is not git Modified: head/sys/netinet/in_pcb.c head/sys/netinet/in_pcb.h head/sys/netinet/tcp_usrreq.c head/sys/netinet/udp_usrreq.c head/sys/netinet6/in6_pcb.c head/sys/netinet6/in6_pcb.h head/sys/netinet6/in6_src.c head/sys/netinet6/udp6_usrreq.c Modified: head/sys/netinet/in_pcb.c == --- head/sys/netinet/in_pcb.c Fri Feb 10 05:51:39 2017(r313527) +++ head/sys/netinet/in_pcb.c Fri Feb 10 05:58:16 2017(r313528) @@ -371,8 +371,8 @@ in_pcbbind(struct inpcb *inp, struct soc */ #if defined(INET) || defined(INET6) int -in_pcb_lport(struct inpcb *inp, struct sockaddr *nam, struct in_addr *laddrp, -u_short *lportp, struct ucred *cred, int lookupflags) +in_pcb_lport(struct inpcb *inp, struct in_addr *laddrp, u_short *lportp, +struct ucred *cred, int lookupflags) { struct inpcbinfo *pcbinfo; struct inpcb *tmpinp; @@ -381,7 +381,6 @@ in_pcb_lport(struct inpcb *inp, struct s u_short aux, first, last, lport; #ifdef INET struct in_addr laddr; - struct sockaddr_in *sin = NULL; #endif pcbinfo = inp->inp_pcbinfo; @@ -448,7 +447,6 @@ in_pcb_lport(struct inpcb *inp, struct s KASSERT(laddrp != NULL, ("%s: laddrp NULL for v4 inp %p", __func__, inp)); laddr = *laddrp; - sin = (struct sockaddr_in *)nam; } #endif tmpinp = NULL; /* Make compiler happy. */ 
@@ -468,29 +466,16 @@ in_pcb_lport(struct inpcb *inp, struct s lport = htons(*lastport); #ifdef INET6 - if ((inp->inp_vflag & INP_IPV6) != 0) { - struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)nam; - if (sin6 != NULL && (inp->inp_flags & INP_ANONPORT)) { - tmpinp = in6_pcblookup_hash_locked(pcbinfo, - &sin6->sin6_addr, sin6->sin6_port, - &inp->in6p_laddr, lport, - lookupflags & (~INPLOOKUP_WILDCARD), - NULL); - } else - tmpinp = in6_pcblookup_local(pcbinfo, - &inp->in6p_laddr, lport, lookupflags, cred); - } + if ((inp->inp_vflag & INP_IPV6) != 0) + tmpinp = in6_pcblookup_local(pcbinfo, + &inp->in6p_laddr, lport, lookupflags, cred); #endif #if defined(INET) && defined(INET6) else #endif #ifdef INET - if (sin != NULL && (inp->inp_flags & INP_ANONPORT)) - tmpinp = in_pcblookup_hash_locked(pcbinfo, sin->sin_addr, sin->sin_port, laddr, - lport, lookupflags & (~INPLOOKUP_WILDCARD), NULL); - else - tmpinp = in_pcblookup_local(pcbinfo, laddr, - lport, lookupflags, cred); + tmpinp = in_pcblookup_local(pcbinfo, laddr, + lport, lookupflags, cred); #endif } while (tmpinp != NULL); @@ -586,7 +571,7 @@ in_pcbbind_setup(struct inpcb *inp, stru return (EINVAL); if ((so->so_options & (SO_REUSEADDR|SO_REUSEPORT)) == 0) lookupflags = INPLOOKUP_WILDCARD; - if (nam == NULL || ((*lportp) == 0 && (inp->inp_flags & INP_ANONPORT))) { + if (nam == NULL) { if ((error = prison_local_ip4(cred, &laddr)) != 0) return (error); } else { @@ -707,7 +692,7 @@ in_pcbbind_setup(struct inpcb *inp, stru if (*lportp != 0) lport = *lportp; if (lport == 0) { - error = in_pcb_lport(inp, nam, &laddr, &lport, cred, lookupflags); + error = in_pcb_lport(inp, &laddr, &lport, cred, lookupflags); if (error != 0) return (error); Modified: head/sys/netinet/in_pcb.h == --- head/sys/netinet/in_pcb.h Fri Feb 10 05:51:39 2017(r313527) +++ head/sys/netinet/in_pcb.h Fri Feb 10 05:58:16 2017(r313528) 
@@ -697,8 +697,8 @@ voidin_pcbgroup_update_mbuf(struct inpc void in_pcbpurgeif0(struct inpcbinfo *, struct ifnet *); intin_pcballoc(struct socket *, struct inpcbinfo *); intin_pcbbind(struct inpcb *, struct sockaddr *, struct ucred *); -intin_pcb_lport(struct inpcb *, struct sockaddr *, struct in_addr *, - u_short *, struct ucred *, int); +intin_pcb_lport(struct inpcb *, struct in_addr *, u_short *, + struct ucred *, int); intin_pcbbind
svn commit: r313529 - head/sys/netinet
Author: eri Date: Fri Feb 10 06:01:47 2017 New Revision: 313529 URL: https://svnweb.freebsd.org/changeset/base/313529 Log: Fix build after r313524 Reported-by: ohartm...@walstatt.org Modified: head/sys/netinet/udp_usrreq.c Modified: head/sys/netinet/udp_usrreq.c ==
--- head/sys/netinet/udp_usrreq.c Fri Feb 10 05:58:16 2017 (r313528)
+++ head/sys/netinet/udp_usrreq.c Fri Feb 10 06:01:47 2017 (r313529)
@@ -636,7 +636,7 @@ udp_input(struct mbuf **mp, int *offp, i
 goto badunlocked;
 }
 UDP_PROBE(receive, NULL, last, ip, last, uh);
- if (udp_append(last, ip, m, iphlen, udp_in) == 0)
+ if (udp_append(last, ip, m, iphlen, udpin) == 0)
 INP_RUNLOCK(last);
 inp_lost:
 INP_INFO_RUNLOCK(pcbinfo);
@@ -726,7 +726,7 @@ udp_input(struct mbuf **mp, int *offp, i
 }
 UDP_PROBE(receive, NULL, inp, ip, inp, uh);
- if (udp_append(inp, ip, m, iphlen, udp_in) == 0)
+ if (udp_append(inp, ip, m, iphlen, udpin) == 0)
 INP_RUNLOCK(inp);
 return (IPPROTO_DONE); ___ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
svn commit: r313530 - head/sys/netinet6
Author: eri Date: Fri Feb 10 06:20:27 2017 New Revision: 313530 URL: https://svnweb.freebsd.org/changeset/base/313530 Log: Use proper value for socket option on IPv6 Reported-by: ohartm...@walstatt.org Modified: head/sys/netinet6/in6.h Modified: head/sys/netinet6/in6.h ==
--- head/sys/netinet6/in6.h Fri Feb 10 06:01:47 2017(r313529)
+++ head/sys/netinet6/in6.h Fri Feb 10 06:20:27 2017(r313530)
@@ -497,7 +497,7 @@ struct route_in6 {
 #defineIPV6_RECVFLOWID 70 /* bool; receive IP6 flowid/flowtype w/ datagram */
 #defineIPV6_RECVRSSBUCKETID71 /* bool; receive IP6 RSS bucket id w/ datagram */
-#defineIPV6_ORIGDSTADDR65 /* bool: allow getting dstaddr /port info */
+#defineIPV6_ORIGDSTADDR72 /* bool: allow getting dstaddr /port info */
 #defineIPV6_RECVORIGDSTADDRIPV6_ORIGDSTADDR
 /* ___ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
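Review bot: Renumbering `IPV6_ORIGDSTADDR` from 65 to 72 changes a userland-visible socket option value, and neither the log nor the new line says why 65 was wrong. If 65 was already assigned to an option defined above this hunk (not visible here), a setsockopt() built against the earlier header would have toggled that other option, and such binaries need a rebuild against this one. I would record the reason next to the define so the value is not "tidied" back, for example `/* bool: allow getting dstaddr/port info; value must not reuse an assigned option number */`. As a point of style, the neighbouring comments use `bool;` and this one uses `bool:` with a stray space in `dstaddr /port`.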
svn commit: r313675 - in head/sys: netinet netinet6
Author: eri Date: Sun Feb 12 06:56:33 2017 New Revision: 313675 URL: https://svnweb.freebsd.org/changeset/base/313675 Log: Committed without approval from mentor. Reported by: gnn Modified: head/sys/netinet/in.h head/sys/netinet/in_pcb.c head/sys/netinet/in_pcb.h head/sys/netinet/ip_output.c head/sys/netinet/udp_usrreq.c head/sys/netinet6/in6.h head/sys/netinet6/in6_pcb.c head/sys/netinet6/in6_pcb.h head/sys/netinet6/ip6_output.c head/sys/netinet6/raw_ip6.c head/sys/netinet6/udp6_usrreq.c Modified: head/sys/netinet/in.h == --- head/sys/netinet/in.h Sun Feb 12 00:52:22 2017(r313674) +++ head/sys/netinet/in.h Sun Feb 12 06:56:33 2017(r313675) @@ -433,8 +433,6 @@ __END_DECLS #defineIP_BINDANY 24 /* bool: allow bind to any address */ #defineIP_BINDMULTI25 /* bool: allow multiple listeners on a tuple */ #defineIP_RSS_LISTEN_BUCKET26 /* int; set RSS listen bucket */ -#defineIP_ORIGDSTADDR 27 /* bool: receive IP dst addr/port w/dgram */ -#defineIP_RECVORIGDSTADDR IP_ORIGDSTADDR /* * Options for controlling the firewall and dummynet. Modified: head/sys/netinet/in_pcb.c == --- head/sys/netinet/in_pcb.c Sun Feb 12 00:52:22 2017(r313674) +++ head/sys/netinet/in_pcb.c Sun Feb 12 06:56:33 2017(r313675) @@ -2492,10 +2492,6 @@ db_print_inpflags(int inp_flags) db_printf("%sINP_RECVDSTADDR", comma ? ", " : ""); comma = 1; } - if (inp_flags & INP_ORIGDSTADDR) { - db_printf("%sINP_ORIGDSTADDR", comma ? ", " : ""); - comma = 1; - } if (inp_flags & INP_HDRINCL) { db_printf("%sINP_HDRINCL", comma ? ", " : ""); comma = 1; Modified: head/sys/netinet/in_pcb.h == --- head/sys/netinet/in_pcb.h Sun Feb 12 00:52:22 2017(r313674) +++ head/sys/netinet/in_pcb.h Sun Feb 12 06:56:33 2017(r313675) 
@@ -618,7 +618,6 @@ short inp_so_options(const struct inpcb #defineINP_RECVFLOWID 0x0100 /* populate recv datagram with flow info */ #defineINP_RECVRSSBUCKETID 0x0200 /* populate recv datagram with bucket id */ #defineINP_RATE_LIMIT_CHANGED 0x0400 /* rate limit needs attention */ -#defineINP_ORIGDSTADDR 0x0800 /* receive IP dst address/port */ /* * Flags passed to in_pcblookup*() functions. Modified: head/sys/netinet/ip_output.c == --- head/sys/netinet/ip_output.cSun Feb 12 00:52:22 2017 (r313674) +++ head/sys/netinet/ip_output.cSun Feb 12 06:56:33 2017 (r313675) @@ -1065,7 +1065,6 @@ ip_ctloutput(struct socket *so, struct s case IP_MINTTL: case IP_RECVOPTS: case IP_RECVRETOPTS: - case IP_ORIGDSTADDR: case IP_RECVDSTADDR: case IP_RECVTTL: case IP_RECVIF: @@ -1127,10 +1126,6 @@ ip_ctloutput(struct socket *so, struct s OPTSET(INP_RECVDSTADDR); break; - case IP_ORIGDSTADDR: - OPTSET2(INP_ORIGDSTADDR, optval); - break; - case IP_RECVTTL: OPTSET(INP_RECVTTL); break; @@ -1263,7 +1258,6 @@ ip_ctloutput(struct socket *so, struct s case IP_MINTTL: case IP_RECVOPTS: case IP_RECVRETOPTS: - case IP_ORIGDSTADDR: case IP_RECVDSTADDR: case IP_RECVTTL: case IP_RECVIF: @@ -1309,10 +1303,6 @@ ip_ctloutput(struct socket *so, struct s optval = OPTBIT(INP_RECVDSTADDR); break; - case IP_ORIGDSTADDR: - optval = OPTBIT2(INP_ORIGDSTADDR); - break; - case IP_RECVTTL: optval = OPTBIT(INP_RECVTTL); break; Modified: head/sys/netinet/udp_usrreq.c == --- head/sys/netinet/udp_usrreq.c Sun Feb 12 00:52:22 2017 (r313674) +++ head/sys/netinet/udp_usrreq.c Sun Feb 12 06:56:33 2017 (r313675) @@ -304,7 +304,7 @@ udp_append(struct inpcb *inp, struct ip { struct sockaddr *append_sa; struct socket *so; - struct mbuf *tmpopts, *opts = NULL; +
svn commit: r314722 - in head: share/man/man4 sys/netinet sys/netinet6
Author: eri Date: Mon Mar 6 04:01:58 2017 New Revision: 314722 URL: https://svnweb.freebsd.org/changeset/base/314722 Log: The patch provides the same socket option as Linux IP_ORIGDSTADDR. Unfortunately they will have different integer value due to Linux value being already assigned in FreeBSD. The patch is similar to IP_RECVDSTADDR but also provides the destination port value to the application. This allows/improves implementation of transparent proxies on UDP sockets due to having the whole information on forwarded packets. Reviewed by: adrian, aw Approved by: ae (mentor) Sponsored by: rsync.net Differential Revision:D9235 Modified: head/share/man/man4/ip.4 head/share/man/man4/ip6.4 head/sys/netinet/in.h head/sys/netinet/in_pcb.c head/sys/netinet/in_pcb.h head/sys/netinet/ip_output.c head/sys/netinet/udp_usrreq.c head/sys/netinet6/in6.h head/sys/netinet6/in6_pcb.c head/sys/netinet6/in6_pcb.h head/sys/netinet6/ip6_output.c head/sys/netinet6/raw_ip6.c head/sys/netinet6/udp6_usrreq.c Modified: head/share/man/man4/ip.4 == --- head/share/man/man4/ip.4Mon Mar 6 03:52:15 2017(r314721) +++ head/share/man/man4/ip.4Mon Mar 6 04:01:58 2017(r314722) @@ -136,6 +136,37 @@ determined by the destination address, r error. .Pp If the +.Dv IP_ORIGDSTADDR +option is enabled on a +.Dv SOCK_DGRAM +socket, +the +.Xr recvmsg 2 +call will return the destination +.Tn IP +address and destination port or a +.Tn UDP +datagram. +The +.Vt msg_control +field in the +.Vt msghdr +structure points to a buffer +that contains a +.Vt cmsghdr +structure followed by the +.Tn in_sockkaddr +structre. +The +.Vt cmsghdr +fields have the following values: +.Bd -literal +cmsg_len = CMSG_LEN(sizeof(struct in_sockaddr)) +cmsg_level = IPPROTO_IP +cmsg_type = IP_ORIGDSTADDR +.Ed +.Pp +If the .Dv IP_RECVDSTADDR option is enabled on a .Dv SOCK_DGRAM Modified: head/share/man/man4/ip6.4 == --- head/share/man/man4/ip6.4 Mon Mar 6 03:52:15 2017(r314721) +++ head/share/man/man4/ip6.4 Mon Mar 6 04:01:58 2017(r314722) 
@@ -156,6 +156,9 @@ datagrams sent on this socket. .\" .It Dv IPV6_RECVDSTADDR Fa "int *" .\" Get or set the status of whether datagrams are received with .\" destination addresses. +.\" .It Dv IPV6_ORIGDSTADDR Fa "int *" +.\" Get or set the status of whether datagrams are received with +.\" destination addresses and destination ports. .\" .It Dv IPV6_RETOPTS .\" Get or set IPv6 options. .It Dv IPV6_MULTICAST_IF Fa "u_int *" Modified: head/sys/netinet/in.h == --- head/sys/netinet/in.h Mon Mar 6 03:52:15 2017(r314721) +++ head/sys/netinet/in.h Mon Mar 6 04:01:58 2017(r314722) @@ -433,6 +433,8 @@ __END_DECLS #defineIP_BINDANY 24 /* bool: allow bind to any address */ #defineIP_BINDMULTI25 /* bool: allow multiple listeners on a tuple */ #defineIP_RSS_LISTEN_BUCKET26 /* int; set RSS listen bucket */ +#defineIP_ORIGDSTADDR 27 /* bool: receive IP dst addr/port w/dgram */ +#defineIP_RECVORIGDSTADDR IP_ORIGDSTADDR /* * Options for controlling the firewall and dummynet. Modified: head/sys/netinet/in_pcb.c == --- head/sys/netinet/in_pcb.c Mon Mar 6 03:52:15 2017(r314721) +++ head/sys/netinet/in_pcb.c Mon Mar 6 04:01:58 2017(r314722) @@ -2492,6 +2492,10 @@ db_print_inpflags(int inp_flags) db_printf("%sINP_RECVDSTADDR", comma ? ", " : ""); comma = 1; } + if (inp_flags & INP_ORIGDSTADDR) { + db_printf("%sINP_ORIGDSTADDR", comma ? ", " : ""); + comma = 1; + } if (inp_flags & INP_HDRINCL) { db_printf("%sINP_HDRINCL", comma ? ", " : ""); comma = 1; Modified: head/sys/netinet/in_pcb.h == --- head/sys/netinet/in_pcb.h Mon Mar 6 03:52:15 2017(r314721) +++ head/sys/netinet/in_pcb.h Mon Mar 6 04:01:58 2017(r314722) 
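Review bot: In the in_pcb.c hunk, `db_print_inpflags()` tests `inp_flags & INP_ORIGDSTADDR`, but the in_pcb.h hunk of this commit defines `INP_ORIGDSTADDR 0x0800` directly after `INP_RECVFLOWID`, `INP_RECVRSSBUCKETID` and `INP_RATE_LIMIT_CHANGED`, which look like bits of the second flags word. The earlier backout of this feature on this page points the same way, since it shows ip_ctloutput() using `OPTSET2(INP_ORIGDSTADDR, optval)` and `OPTBIT2(INP_ORIGDSTADDR)`. If the bit does live in `inp_flags2`, the DDB output labels whichever `inp_flags` bit has the value 0x0800 as INP_ORIGDSTADDR and never reports the real setting. The test belongs in the printer for the second flags word (not visible here) or should be dropped from this function, whose body continues outside the hunk.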
@@ -618,6 +618,7 @@ short inp_so_options(const struct inpcb #defineINP_RECVFLOWID 0x0100 /* populate recv datagram with flow info */ #defineINP_RECVRSSBUCKETID 0x0200 /* populate recv datagram with bucket id */ #defineINP_RATE_LIMIT_CHANGED 0x0400 /* rate limit needs attention */ +#defineINP_ORIGDSTADDR 0x0800 /* receive IP dst address/port */ /* * Flags passed to in_pcblookup*() functions. Modified: head/sys/netinet/ip_output.c ==
Re: svn commit: r315136 - head/sys/netpfil/pf
On Tue, Mar 14, 2017 at 2:57 PM, Gleb Smirnoff wrote: > Kristof, > > On Sun, Mar 12, 2017 at 05:42:57AM +, Kristof Provost wrote: > K> Log: > K> pf: Fix incorrect rw_sleep() in pf_unload() > K> > K> When we unload we don't hold the pf_rules_lock, so we cannot call > rw_sleep() > K> with it, because it would release a lock we do not hold. There's no > need for the > K> lock either, so we can just tsleep(). > K> > K> While here also make the same change in pf_purge_thread(), because it > explicitly > K> takes the lock before rw_sleep() and then immediately releases it > afterwards. > > The correct change would to be grab lock in pf_unload(), exactly as > pf_purge_thread() > does. With your change you introduces a possible infinite sleep due to > race, since > there is no timeout and no lock. > > No... Actually both cases should PF_RULES_WLOCK(), and read/write the > pf_end_threads > variable under this lock. And use rw_sleep. > I already provided the same concerns privately and solutions to it. > > K> Modified: > K> head/sys/netpfil/pf/pf.c > K> head/sys/netpfil/pf/pf_ioctl.c > K> > K> Modified: head/sys/netpfil/pf/pf.c > K> > == > K> --- head/sys/netpfil/pf/pf.c Sun Mar 12 05:36:31 2017(r315135) > K> +++ head/sys/netpfil/pf/pf.c Sun Mar 12 05:42:57 2017(r315136) > K> @@ -1429,9 +1429,7 @@ pf_purge_thread(void *unused __unused) > K> u_int idx = 0; > K> > K> for (;;) { > K> -PF_RULES_RLOCK(); > K> -rw_sleep(pf_purge_thread, &pf_rules_lock, 0, "pftm", hz / > 10); > K> -PF_RULES_RUNLOCK(); > K> +tsleep(pf_purge_thread, 0, "pftm", hz / 10); > K> > K> VNET_LIST_RLOCK(); > K> VNET_FOREACH(vnet_iter) { > K> > K> Modified: head/sys/netpfil/pf/pf_ioctl.c > K> > == > K> --- head/sys/netpfil/pf/pf_ioctl.c Sun Mar 12 05:36:31 2017 > (r315135) > K> +++ head/sys/netpfil/pf/pf_ioctl.c Sun Mar 12 05:42:57 2017 > (r315136) > K> 
@@ -3791,7 +3791,7 @@ pf_unload(void) > K> pf_end_threads = 1; > K> while (pf_end_threads < 2) { > K> wakeup_one(pf_purge_thread); > K> -rw_sleep(pf_purge_thread, &pf_rules_lock, 0, "pftmo", 0); > K> +tsleep(pf_purge_thread, 0, "pftmo", 0); > K> } > K> > K> if (pf_dev != NULL) > K> ___ > K> svn-src-all@freebsd.org mailing list > K> https://lists.freebsd.org/mailman/listinfo/svn-src-all > K> To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org" > > -- > Totus tuus, Glebius. > > -- > Ermal > ___ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r286337 - head/sys/contrib/dev/ath/ath_hal/ar9300
Just an update there. Here is the patch i had prepared https://github.com/pfsense/FreeBSD-src/commit/6ee75bdd7bf7c20359dd6e38c243586cb062edea Now its public at least. On Thu, Aug 6, 2015 at 3:03 PM, Adrian Chadd wrote: > Ermal - yes please. :) Or, just do the MFC yourself. :) > > > -a > > > On 6 August 2015 at 00:21, Ermal Luçi wrote: > > I did the port for pfSense and the whole stack works from HEAD into > > 10-STABLE. > > > > Just minor modifications were required. > > If you want i can try to send the diff. > > > > On Wed, Aug 5, 2015 at 11:55 PM, Oliver Pinter > > wrote: > >> > >> Yup. :) If you need testers with the backport, then ping me. ;) > >> > >> On Wed, Aug 5, 2015 at 11:23 PM, Adrian Chadd > wrote: > >> > The whole wifi stack / drivers need backporting. :) > >> > > >> > > >> > > >> > -a > >> > > >> > > >> > On 5 August 2015 at 12:41, Shawn Webb > >> > wrote: > >> >> On Wed, 2015-08-05 at 19:32 +, Adrian Chadd wrote: > >> >>> Author: adrian > >> >>> Date: Wed Aug 5 19:32:35 2015 > >> >>> New Revision: 286337 > >> >>> URL: https://svnweb.freebsd.org/changeset/base/286337 > >> >>> > >> >>> Log: > >> >>> Add TXOP enforce support to the AR9300 HAL. > >> >>> > >> >>> This is required for (more) correct TDMA support. Without it, the > >> >>> code tries to calculate the required guard interval based on the > >> >>> current rate, and since this is an 11n NIC and people try using > >> >>> 11n, it calls ath_hal_computetxtime() on an 11n rate which then > >> >>> panics. > >> >>> > >> >>> This doesn't fix TDMA slave mode on AR9300 - it just makes it > >> >>> have one less bug. > >> >>> > >> >>> Reported by:Berislav Purgar > >> >>> > >> >>> Modified: > >> >>> head/sys/contrib/dev/ath/ath_hal/ar9300/ar9300_misc.c > >> >> > >> >> Hey Adrian, > >> >> > >> >> Can this be MFC'd? 
> >> >> > >> >> Thanks, > >> >> > >> >> -- > >> >> Shawn Webb > >> >> HardenedBSD > >> >> > >> >> GPG Key ID: 0x6A84658F52456EEE > >> >> GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89 3D9E 6A84 658F 5245 > 6EEE > >> > ___ > >> > svn-src-h...@freebsd.org mailing list > >> > http://lists.freebsd.org/mailman/listinfo/svn-src-head > >> > To unsubscribe, send any mail to " > svn-src-head-unsubscr...@freebsd.org" > >> > > > > > > > > -- > > Ermal > -- Ermal ___ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r287009 - in head: sbin/pfctl share/man/man4 sys/conf sys/net/altq sys/netpfil/pf
On Sat, Aug 22, 2015 at 12:02 AM, Luiz Otavio O Souza wrote: > Author: loos > Date: Fri Aug 21 22:02:22 2015 > New Revision: 287009 > URL: https://svnweb.freebsd.org/changeset/base/287009 > > Log: > Add ALTQ(9) support for the CoDel algorithm. > > CoDel is a parameterless queue discipline that handles variable bandwidth > and RTT. > > It can be used as the single queue discipline on an interface or as a sub > discipline of existing queue disciplines such as PRIQ, CBQ, HFSC, FAIRQ. > > Differential Revision:https://reviews.freebsd.org/D3272 > Reviewd by: rpaulo, gnn (previous version) > I thought part of this commit message was taken from me as a reviewer, no? > Obtained from:pfSense > Sponsored by: Rubicon Communications (Netgate) > > Added: > head/sys/net/altq/altq_codel.c (contents, props changed) > head/sys/net/altq/altq_codel.h (contents, props changed) > Modified: > head/sbin/pfctl/parse.y > head/sbin/pfctl/pfctl_altq.c > head/sbin/pfctl/pfctl_parser.h > head/sbin/pfctl/pfctl_qstats.c > head/share/man/man4/altq.4 > head/sys/conf/files > head/sys/conf/options > head/sys/net/altq/altq.h > head/sys/net/altq/altq_cbq.c > head/sys/net/altq/altq_cbq.h > head/sys/net/altq/altq_classq.h > head/sys/net/altq/altq_fairq.c > head/sys/net/altq/altq_fairq.h > head/sys/net/altq/altq_hfsc.c > head/sys/net/altq/altq_hfsc.h > head/sys/net/altq/altq_priq.c > head/sys/net/altq/altq_priq.h > head/sys/net/altq/altq_rmclass.c > head/sys/net/altq/altq_rmclass.h > head/sys/net/altq/altq_subr.c > head/sys/net/altq/altq_var.h > head/sys/netpfil/pf/pf_altq.h > > Modified: head/sbin/pfctl/parse.y > > == > --- head/sbin/pfctl/parse.y Fri Aug 21 21:47:29 2015(r287008) > +++ head/sbin/pfctl/parse.y Fri Aug 21 22:02:22 2015(r287009) > @@ -46,6 +46,7 @@ __FBSDID("$FreeBSD$"); > #include > #include > #include > +#include > #include > #include > #include 
> @@ -299,7 +300,7 @@ struct pool_opts { > > } pool_opts; > > - > +struct codel_opts codel_opts; > struct node_hfsc_opts hfsc_opts; > struct node_fairq_opts fairq_opts; > struct node_state_opt *keep_state_defaults = NULL; > @@ -425,6 +426,7 @@ typedef struct { > struct pool_opts pool_opts; > struct node_hfsc_optshfsc_opts; > struct node_fairq_opts fairq_opts; > + struct codel_optscodel_opts; > } v; > int lineno; > } YYSTYPE; > @@ -449,8 +451,8 @@ int parseport(char *, struct range *r, i > %token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID > %token ANTISPOOF FOR INCLUDE > %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY > -%token ALTQ CBQ PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME > UPPERLIMIT > -%token QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE > +%token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME > +%token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET > INTERVAL > %token LOAD RULESET_OPTIMIZATION > %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE > %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY > @@ -499,6 +501,7 @@ int parseport(char *, struct range *r, i > %typepriqflags_list priqflags_item > %type hfscopts_list hfscopts_item hfsc_opts > %typefairqopts_list fairqopts_item fairq_opts > +%typecodelopts_list codelopts_item codel_opts > %type bandwidth > %type filter_opts filter_opt filter_opts_l > %typeantispoof_opts antispoof_opt > antispoof_opts_l > @@ -1470,7 +1473,7 @@ altqif: ALTQ interface queue_opts QUEU > a.scheduler = $3.scheduler.qtype; > a.qlimit = $3.qlimit; > a.tbrsize = $3.tbrsize; > - if ($5 == NULL) { > + if ($5 == NULL && $3.scheduler.qtype != > ALTQT_CODEL) { > yyerror("no child queues specified"); > YYERROR; > } 
> @@ -1672,6 +1675,15 @@ scheduler: CBQ { > $$.qtype = ALTQT_FAIRQ; > $$.data.fairq_opts = $3; > } > + | CODEL { > + $$.qtype = ALTQT_CODEL; > + bzero(&$$.data.codel_opts, > + sizeof(struct codel_opts)); > + } > + | CODEL '(' codel_opts ')' { > + $$.qtype = ALTQT_CODEL; > + $$.data.codel_opts = $3; > + } > ; > > cbqflags_list : cbqflags_item { $$ |= $1; } > @@ -1689,6 +1701,8 @@ cbqflags_item : S
Re: svn commit: r287009 - in head: sbin/pfctl share/man/man4 sys/conf sys/net/altq sys/netpfil/pf
On Sun, Aug 23, 2015 at 12:34 AM, Luiz Otavio O Souza wrote: > On Sat, Aug 22, 2015 at 6:18 AM, Ermal Luçi wrote: > > > > > > On Sat, Aug 22, 2015 at 12:02 AM, Luiz Otavio O Souza > > wrote: > >> > >> Author: loos > >> Date: Fri Aug 21 22:02:22 2015 > >> New Revision: 287009 > >> URL: https://svnweb.freebsd.org/changeset/base/287009 > >> > >> Log: > >> Add ALTQ(9) support for the CoDel algorithm. > >> > >> CoDel is a parameterless queue discipline that handles variable > >> bandwidth > >> and RTT. > >> > >> It can be used as the single queue discipline on an interface or as a > >> sub > >> discipline of existing queue disciplines such as PRIQ, CBQ, HFSC, > FAIRQ. > >> > >> Differential Revision:https://reviews.freebsd.org/D3272 > >> Reviewd by: rpaulo, gnn (previous version) > > > > > > I thought part of this commit message was taken from me as a reviewer, > no? > > Sorry Ermal, my bad. As you only commented and not accepted the review > I thought you don't want to be implied with a reviewed by. > No issue just to be sure that you understood the whole thing there! > > [...] > > >> Added: head/sys/net/altq/altq_codel.c > >> > >> > == > >> --- /dev/null 00:00:00 1970 (empty, because file is newly added) > >> +++ head/sys/net/altq/altq_codel.c Fri Aug 21 22:02:22 2015 > >> (r287009) > >> @@ -0,0 +1,477 @@ > >> +/* > >> + * CoDel - The Controlled-Delay Active Queue Management algorithm > >> + * > >> + * Copyright (C) 2013 Ermal Luci > > > > > > Can you correct my name? > > > > Sure, I'll commit the fix soon (probably on monday) I'm AFK this weekend. > > No rush :) > I really appreciate your work on Codel. > > Regards, > Luiz > -- Ermal ___ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
svn commit: r284512 - head/sys/netinet
Author: eri Date: Wed Jun 17 12:23:04 2015 New Revision: 284512 URL: https://svnweb.freebsd.org/changeset/base/284512 Log: If there is a system with a bpf consumer running and a packet is wanted to be transmitted but the arp cache entry expired, which triggers an arp request to be sent, the bpf code might want to sleep but crash the system due to a non sleep lock held from the arp entry not released properly. Release the lock before calling the arp request code to solve the issue as is done on all the other code paths. PR: 200323 Approved by: ae, gnn(mentor) MFC after:1 week Sponsored by: Netgate Differential Revision:https://reviews.freebsd.org/D2828 Modified: head/sys/netinet/if_ether.c Modified: head/sys/netinet/if_ether.c == --- head/sys/netinet/if_ether.c Wed Jun 17 12:05:04 2015(r284511) +++ head/sys/netinet/if_ether.c Wed Jun 17 12:23:04 2015(r284512) @@ -364,6 +364,7 @@ retry: if ((la->la_flags & LLE_VALID) && ((la->la_flags & LLE_STATIC) || la->la_expire > time_uptime)) { bcopy(&la->ll_addr, desten, ifp->if_addrlen); + renew = 0; /* * If entry has an expiry time and it is approaching, * see if we need to send an ARP request within this @@ -371,14 +372,22 @@ retry: */ if (!(la->la_flags & LLE_STATIC) && time_uptime + la->la_preempt > la->la_expire) { - arprequest(ifp, NULL, &SIN(dst)->sin_addr, NULL); + renew = 1; la->la_preempt--; } if (pflags != NULL) *pflags = la->la_flags; - error = 0; - goto done; + + if (flags & LLE_EXCLUSIVE) + LLE_WUNLOCK(la); + else + LLE_RUNLOCK(la); + + if (renew == 1) + arprequest(ifp, NULL, &SIN(dst)->sin_addr, NULL); + + return (0); } if (la->la_flags & LLE_STATIC) { /* should not happen! */ ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
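Review bot: In the second if_ether.c hunk the context line `la->la_preempt--;` still modifies the entry before the new unlock, and the added `else LLE_RUNLOCK(la);` branch shows the entry can be held with only a read lock at that point, so the decrement looks like an unsynchronised write whenever `LLE_EXCLUSIVE` is not set in `flags`; worth confirming against the callers. The new `return (0);` also bypasses the `done:` label the old code jumped to, which lies outside the hunk, so please check that the label does nothing besides the unlock. A why-comment above the unlock would keep the ordering from being undone later, for example `/* arprequest() can reach bpf, which may sleep: drop the lle lock first */`. The stable/10 merge (r284776) further down this page has the same shape, with `*lle = la;` stored before the lock is dropped, and in both the enclosing function starts and ends outside the hunk.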
svn commit: r284776 - stable/10/sys/netinet
Author: eri Date: Wed Jun 24 19:06:54 2015 New Revision: 284776 URL: https://svnweb.freebsd.org/changeset/base/284776 Log: MFC r284512: Properly handle locking on the ARP protocol request sending. Modified: stable/10/sys/netinet/if_ether.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/netinet/if_ether.c == --- stable/10/sys/netinet/if_ether.cWed Jun 24 18:58:42 2015 (r284775) +++ stable/10/sys/netinet/if_ether.cWed Jun 24 19:06:54 2015 (r284776) @@ -365,6 +365,7 @@ retry: if ((la->la_flags & LLE_VALID) && ((la->la_flags & LLE_STATIC) || la->la_expire > time_uptime)) { bcopy(&la->ll_addr, desten, ifp->if_addrlen); + renew = 0; /* * If entry has an expiry time and it is approaching, * see if we need to send an ARP request within this @@ -372,13 +373,21 @@ retry: */ if (!(la->la_flags & LLE_STATIC) && time_uptime + la->la_preempt > la->la_expire) { - arprequest(ifp, NULL, &SIN(dst)->sin_addr, NULL); + renew = 1; la->la_preempt--; } *lle = la; - error = 0; - goto done; + + if (flags & LLE_EXCLUSIVE) + LLE_WUNLOCK(la); + else + LLE_RUNLOCK(la); + + if (renew == 1) + arprequest(ifp, NULL, &SIN(dst)->sin_addr, NULL); + + return (0); } if (la->la_flags & LLE_STATIC) { /* should not happen! */ ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
svn commit: r284777 - in head: sbin/pfctl share/man/man4 sys/conf sys/net/altq sys/netpfil/pf
Author: eri Date: Wed Jun 24 19:16:41 2015 New Revision: 284777 URL: https://svnweb.freebsd.org/changeset/base/284777 Log: ALTQ FAIRQ discipline import from DragonFLY Differential Revision: https://reviews.freebsd.org/D2847 Reviewed by:glebius, wblock(manpage) Approved by:gnn(mentor) Obtained from: pfSense Sponsored by: Netgate Added: head/sys/net/altq/altq_fairq.c (contents, props changed) head/sys/net/altq/altq_fairq.h (contents, props changed) Modified: head/sbin/pfctl/parse.y head/sbin/pfctl/pfctl_altq.c head/sbin/pfctl/pfctl_parser.h head/sbin/pfctl/pfctl_qstats.c head/share/man/man4/altq.4 head/sys/conf/NOTES head/sys/conf/files head/sys/conf/options head/sys/net/altq/altq.h head/sys/net/altq/altq_subr.c head/sys/net/altq/altq_var.h head/sys/netpfil/pf/pf.c head/sys/netpfil/pf/pf_altq.h head/sys/netpfil/pf/pf_mtag.h Modified: head/sbin/pfctl/parse.y == --- head/sbin/pfctl/parse.y Wed Jun 24 19:06:54 2015(r284776) +++ head/sbin/pfctl/parse.y Wed Jun 24 19:16:41 2015(r284777) @@ -48,6 +48,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include @@ -300,6 +301,7 @@ struct pool_opts { struct node_hfsc_opts hfsc_opts; +struct node_fairq_opts fairq_opts; struct node_state_opt *keep_state_defaults = NULL; int disallow_table(struct node_host *, const char *); @@ -422,6 +424,7 @@ typedef struct { struct table_optstable_opts; struct pool_opts pool_opts; struct node_hfsc_optshfsc_opts; + struct node_fairq_opts fairq_opts; } v; int lineno; } YYSTYPE; 
@@ -446,8 +449,8 @@ int parseport(char *, struct range *r, i %token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID %token ANTISPOOF FOR INCLUDE %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY -%token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT -%token QUEUE PRIORITY QLIMIT RTABLE +%token ALTQ CBQ PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT +%token QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE %token LOAD RULESET_OPTIMIZATION %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY @@ -495,6 +498,7 @@ int parseport(char *, struct range *r, i %typecbqflags_list cbqflags_item %typepriqflags_list priqflags_item %type hfscopts_list hfscopts_item hfsc_opts +%typefairqopts_list fairqopts_item fairq_opts %type bandwidth %type filter_opts filter_opt filter_opts_l %typeantispoof_opts antispoof_opt antispoof_opts_l @@ -1659,6 +1663,15 @@ scheduler: CBQ { $$.qtype = ALTQT_HFSC; $$.data.hfsc_opts = $3; } + | FAIRQ { + $$.qtype = ALTQT_FAIRQ; + bzero(&$$.data.fairq_opts, + sizeof(struct node_fairq_opts)); + } + | FAIRQ '(' fairq_opts ')' { + $$.qtype = ALTQT_FAIRQ; + $$.data.fairq_opts = $3; + } ; cbqflags_list : cbqflags_item { $$ |= $1; } 
@@ -1807,6 +1820,61 @@ hfscopts_item: LINKSHARE bandwidth { } ; +fairq_opts : { + bzero(&fairq_opts, + sizeof(struct node_fairq_opts)); + } + fairqopts_list { + $$ = fairq_opts; + } + ; + +fairqopts_list : fairqopts_item + | fairqopts_list comma fairqopts_item + ; + +fairqopts_item : LINKSHARE bandwidth { + if (fairq_opts.linkshare.used) { + yyerror("linkshare already specified"); + YYERROR; + } + fairq_opts.linkshare.m2 = $2; + fairq_opts.linkshare.used = 1; + } + | LINKSHARE '(' bandwidth number bandwidth ')' { + if (fairq_opts.linkshare.used) { + yyerror("linkshare already specified"); + YYERROR; + } + fairq_opts.linkshare.m1 = $3; + fairq_opts.linkshare.d = $4; + fairq_opts.linkshare.m2 = $5; + fairq_opts.linkshare.used = 1; + } + | HOGS bandwidth { +
Re: svn commit: r284777 - in head: sbin/pfctl share/man/man4 sys/conf sys/net/altq sys/netpfil/pf
On Thu, Jun 25, 2015 at 10:42 AM, Bjoern A. Zeeb wrote: > > > On 24 Jun 2015, at 19:16 , Ermal Luçi wrote: > > > > Author: eri > > Date: Wed Jun 24 19:16:41 2015 > > New Revision: 284777 > > URL: https://svnweb.freebsd.org/changeset/base/284777 > > > > Log: > > ALTQ FAIRQ discipline import from DragonFLY > > > > Differential Revision: https://reviews.freebsd.org/D2847 > > Reviewed by:glebius, wblock(manpage) > > Approved by:gnn(mentor) > > Obtained from: pfSense > > Sponsored by: Netgate > > I see a lot of kernel configurations failing to build dring a universe; > here’s some errors: > > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: expected declaration > specifiers or '...' before 'pf_keyhash' > cc1: warnings being treated as errors > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1461: error: expected declaration > specifiers or '...' before 'pf_idhash' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1461: error: conflicting types > for 'VNET_DECLARE' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous declaration > of 'VNET_DECLARE' was here > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1464: error: expected declaration > specifiers or '...' before 'pf_srchash' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1464: error: conflicting types > for 'VNET_DECLARE' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous declaration > of 'VNET_DECLARE' was here > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1469: error: expected declaration > specifiers or '...' before 'pf_swi_cookie' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1469: error: conflicting types > for 'VNET_DECLARE' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous declaration > of 'VNET_DECLARE' was here > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1472: error: expected declaration > specifiers or '...' 
before 'pf_stateid' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1472: error: conflicting types > for 'VNET_DECLARE' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous declaration > of 'VNET_DECLARE' was here > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1476: error: expected declaration > specifiers or '...' before 'pf_altqs' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1476: error: conflicting types > for 'VNET_DECLARE' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous declaration > of 'VNET_DECLARE' was here > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1478: error: expected declaration > specifiers or '...' before 'pf_pabuf' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1478: error: conflicting types > for 'VNET_DECLARE' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous declaration > of 'VNET_DECLARE' was here > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1481: error: expected declaration > specifiers or '...' before 'ticket_altqs_active' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1481: error: conflicting types > for 'VNET_DECLARE' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous declaration > of 'VNET_DECLARE' was here > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1483: error: expected declaration > specifiers or '...' before 'ticket_altqs_inactive' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1483: error: conflicting types > for 'VNET_DECLARE' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous declaration > of 'VNET_DECLARE' was here > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1485: error: expected declaration > specifiers or '...' before 'altqs_inactive_open' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1485: error: conflicting types > for 'VNET_DECLARE' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous declaration > of 'VNET_DECLARE' was here > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1487: error: expected declaration > specifiers or '...' 
before 'ticket_pabuf' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1487: error: conflicting types > for 'VNET_DECLARE' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous declaration > of 'VNET_DECLARE' was here > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1489: error: expected declaration > specifiers or '...' before 'pf_altqs_active' > /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1489: error: conflicting types > for 'VNET_DECLARE' > /scratch/tmp/bz/
Re: svn commit: r284777 - in head: sbin/pfctl share/man/man4 sys/conf sys/net/altq sys/netpfil/pf
Fixed. On Thu, Jun 25, 2015 at 11:00 AM, Ermal Luçi wrote: > > On Thu, Jun 25, 2015 at 10:42 AM, Bjoern A. Zeeb wrote: > >> >> > On 24 Jun 2015, at 19:16 , Ermal Luçi wrote: >> > >> > Author: eri >> > Date: Wed Jun 24 19:16:41 2015 >> > New Revision: 284777 >> > URL: https://svnweb.freebsd.org/changeset/base/284777 >> > >> > Log: >> > ALTQ FAIRQ discipline import from DragonFLY >> > >> > Differential Revision: https://reviews.freebsd.org/D2847 >> > Reviewed by:glebius, wblock(manpage) >> > Approved by:gnn(mentor) >> > Obtained from: pfSense >> > Sponsored by: Netgate >> >> I see a lot of kernel configurations failing to build dring a universe; >> here’s some errors: >> >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: expected >> declaration specifiers or '...' before 'pf_keyhash' >> cc1: warnings being treated as errors >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1461: error: expected >> declaration specifiers or '...' before 'pf_idhash' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1461: error: conflicting types >> for 'VNET_DECLARE' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous >> declaration of 'VNET_DECLARE' was here >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1464: error: expected >> declaration specifiers or '...' before 'pf_srchash' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1464: error: conflicting types >> for 'VNET_DECLARE' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous >> declaration of 'VNET_DECLARE' was here >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1469: error: expected >> declaration specifiers or '...' before 'pf_swi_cookie' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1469: error: conflicting types >> for 'VNET_DECLARE' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous >> declaration of 'VNET_DECLARE' was here >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1472: error: expected >> declaration specifiers or '...' 
before 'pf_stateid' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1472: error: conflicting types >> for 'VNET_DECLARE' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous >> declaration of 'VNET_DECLARE' was here >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1476: error: expected >> declaration specifiers or '...' before 'pf_altqs' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1476: error: conflicting types >> for 'VNET_DECLARE' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous >> declaration of 'VNET_DECLARE' was here >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1478: error: expected >> declaration specifiers or '...' before 'pf_pabuf' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1478: error: conflicting types >> for 'VNET_DECLARE' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous >> declaration of 'VNET_DECLARE' was here >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1481: error: expected >> declaration specifiers or '...' before 'ticket_altqs_active' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1481: error: conflicting types >> for 'VNET_DECLARE' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous >> declaration of 'VNET_DECLARE' was here >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1483: error: expected >> declaration specifiers or '...' before 'ticket_altqs_inactive' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1483: error: conflicting types >> for 'VNET_DECLARE' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous >> declaration of 'VNET_DECLARE' was here >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1485: error: expected >> declaration specifiers or '...' before 'altqs_inactive_open' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1485: error: conflicting types >> for 'VNET_DECLARE' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1460: error: previous >> declaration of 'VNET_DECLARE' was here >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1487: error: expected >> declaration specifiers or '...' 
before 'ticket_pabuf' >> /scratch/tmp/bz/head.svn/sys/net/pfvar.h:1487: error: conflicting types >> for 'VNET_DECLARE'
svn commit: r284814 - head/sys/net/altq
Author: eri Date: Thu Jun 25 15:05:58 2015 New Revision: 284814 URL: https://svnweb.freebsd.org/changeset/base/284814 Log: Correct r284777 to use proper includes and remove dead code to unbreak kernel builds. Differential Revision:https://reviews.freebsd.org/D2847 Modified: head/sys/net/altq/altq_fairq.c Modified: head/sys/net/altq/altq_fairq.c == --- head/sys/net/altq/altq_fairq.c Thu Jun 25 14:58:50 2015 (r284813) +++ head/sys/net/altq/altq_fairq.c Thu Jun 25 15:05:58 2015 (r284814) @@ -103,9 +103,12 @@ #include #include +#include #include -#include +#include +#include +#include #include #include @@ -406,24 +409,6 @@ fairq_class_create(struct fairq_if *pif, #endif /* ALTQ_RED */ return (cl); - -err_buckets: - if (cl->cl_buckets != NULL) - free(cl->cl_buckets, M_DEVBUF); -err_ret: -if (cl->cl_red != NULL) { -#ifdef ALTQ_RIO -if (cl->cl_qtype == Q_RIO) -rio_destroy((rio_t *)cl->cl_red); -#endif -#ifdef ALTQ_RED - if (cl->cl_qtype == Q_RED) - red_destroy(cl->cl_red); -#endif -} -if (cl != NULL) -free(cl, M_DEVBUF); -return (NULL); } static int ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
Re: svn commit: r284863 - head/sys/net/altq
On Fri, Jun 26, 2015 at 1:16 AM, Bjoern A. Zeeb wrote: > Author: bz > Date: Thu Jun 25 23:16:01 2015 > New Revision: 284863 > URL: https://svnweb.freebsd.org/changeset/base/284863 > > Log: > Another attempt to make this compile on more architectures after r284777. > > Modified: > head/sys/net/altq/altq_fairq.c > > Modified: head/sys/net/altq/altq_fairq.c > > == > --- head/sys/net/altq/altq_fairq.c Thu Jun 25 20:46:11 2015 > (r284862) > +++ head/sys/net/altq/altq_fairq.c Thu Jun 25 23:16:01 2015 > (r284863) > @@ -742,8 +742,8 @@ fairq_pollq(struct fairq_class *cl, uint > if (bw > cl->cl_bandwidth) > *hit_limit = 1; > #ifdef ALTQ_DEBUG > - printf("BW %6lld relative to %6u %d queue %p\n", > - bw, cl->cl_bandwidth, *hit_limit, b); > + printf("BW %6ju relative to %6u %d queue %p\n", > + (uintmax_t)bw, cl->cl_bandwidth, *hit_limit, b); > #endif > } > return(m); > > Thank you. -- Ermal ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
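Review bot: The rewritten debug `printf` in `fairq_pollq` still formats the bucket pointer `b` with `%p`, so an `ALTQ_DEBUG` kernel writes a kernel address to the console and message buffer each time this path runs. If the line is only meant to report the bandwidth check, drop that field: `printf("BW %6ju relative to %6u %d\n", (uintmax_t)bw, cl->cl_bandwidth, *hit_limit);`. Alternatively, print a bucket index if one is available. The declarations of `bw`, `b` and `cl_bandwidth` are outside the hunk, so the remaining conversions (`%6u` in particular) should be checked against their types in the same pass.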
Re: svn commit: r298091 - in stable/10: sbin/pfctl share/man/man4 sys/conf sys/contrib/altq/altq sys/netpfil/pf
Careful with things you should credit to me :) Your boss likes to play games do not get in the middle as well. On Sat, Apr 16, 2016 at 4:11 AM, Luiz Otavio O Souza wrote: > Author: loos > Date: Sat Apr 16 02:11:04 2016 > New Revision: 298091 > URL: https://svnweb.freebsd.org/changeset/base/298091 > > Log: > MFC r284777, r284814, r284863 and r298088: > > ALTQ FAIRQ discipline import from DragonFLY. > > Differential Revision:https://reviews.freebsd.org/D2847 > Obtained from:pfSense > Sponsored by: Rubicon Communications (Netgate) > > Added: > stable/10/sys/contrib/altq/altq/altq_fairq.c (contents, props changed) > stable/10/sys/contrib/altq/altq/altq_fairq.h (contents, props changed) > Modified: > stable/10/sbin/pfctl/parse.y > stable/10/sbin/pfctl/pfctl_altq.c > stable/10/sbin/pfctl/pfctl_parser.h > stable/10/sbin/pfctl/pfctl_qstats.c > stable/10/share/man/man4/altq.4 > stable/10/sys/conf/NOTES > stable/10/sys/conf/files > stable/10/sys/conf/options > stable/10/sys/contrib/altq/altq/altq.h > stable/10/sys/contrib/altq/altq/altq_subr.c > stable/10/sys/contrib/altq/altq/altq_var.h > stable/10/sys/netpfil/pf/pf.c > stable/10/sys/netpfil/pf/pf_altq.h > stable/10/sys/netpfil/pf/pf_mtag.h > Directory Properties: > stable/10/ (props changed) > > Modified: stable/10/sbin/pfctl/parse.y > > == > --- stable/10/sbin/pfctl/parse.ySat Apr 16 00:01:16 2016 > (r298090) > +++ stable/10/sbin/pfctl/parse.ySat Apr 16 02:11:04 2016 > (r298091) > @@ -48,6 +48,7 @@ __FBSDID("$FreeBSD$"); > #include > #include > #include > +#include > > #include > #include > @@ -300,6 +301,7 @@ struct pool_opts { > > > struct node_hfsc_opts hfsc_opts; > +struct node_fairq_opts fairq_opts; > struct node_state_opt *keep_state_defaults = NULL; > > int disallow_table(struct node_host *, const char *); > @@ -422,6 +424,7 @@ typedef struct { > struct table_optstable_opts; > struct pool_opts pool_opts; > struct node_hfsc_optshfsc_opts; > + struct node_fairq_opts fairq_opts; > } v; > int lineno; > } YYSTYPE; 
> @@ -446,8 +449,8 @@ int parseport(char *, struct range *r, i > %token REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID > %token ANTISPOOF FOR INCLUDE > %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY > -%token ALTQ CBQ PRIQ HFSC BANDWIDTH TBRSIZE LINKSHARE REALTIME UPPERLIMIT > -%token QUEUE PRIORITY QLIMIT RTABLE > +%token ALTQ CBQ PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME > UPPERLIMIT > +%token QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE > %token LOAD RULESET_OPTIMIZATION > %token STICKYADDRESS MAXSRCSTATES MAXSRCNODES SOURCETRACK GLOBAL RULE > %token MAXSRCCONN MAXSRCCONNRATE OVERLOAD FLUSH SLOPPY > @@ -495,6 +498,7 @@ int parseport(char *, struct range *r, i > %typecbqflags_list cbqflags_item > %typepriqflags_list priqflags_item > %type hfscopts_list hfscopts_item hfsc_opts > +%typefairqopts_list fairqopts_item fairq_opts > %type bandwidth > %type filter_opts filter_opt filter_opts_l > %typeantispoof_opts antispoof_opt > antispoof_opts_l > @@ -1659,6 +1663,15 @@ scheduler: CBQ { > $$.qtype = ALTQT_HFSC; > $$.data.hfsc_opts = $3; > } > + | FAIRQ { > + $$.qtype = ALTQT_FAIRQ; > + bzero(&$$.data.fairq_opts, > + sizeof(struct node_fairq_opts)); > + } > + | FAIRQ '(' fairq_opts ')' { > + $$.qtype = ALTQT_FAIRQ; > + $$.data.fairq_opts = $3; > + } > ; > > cbqflags_list : cbqflags_item { $$ |= $1; } > @@ -1807,6 +1820,61 @@ hfscopts_item: LINKSHARE bandwidth > { > } > ; > > +fairq_opts : { > + bzero(&fairq_opts, > + sizeof(struct node_fairq_opts)); > + } > + fairqopts_list { > + $$ = fairq_opts; > + } > + ; > + > +fairqopts_list : fairqopts_item > + | fairqopts_list comma fairqopts_item > + ; > + > +fairqopts_item : LINKSHARE bandwidth { > + if (fairq_opts.linkshare.used) { > + yyerror("linkshare already specified"); > + YYERROR; > + } > + fairq_opts.linkshare.m2 = $2; > +