685dc743 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

4d846d26 | 10-May-2023 | Warner Losh <imp@FreeBSD.org>
spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

7b676698 | 03-May-2023 | Kristof Provost <kp@FreeBSD.org>
pf: simplify structs with anonymous unions

Rather than playing preprocessor hacks, use actual anonymous unions. No functional change.

Sponsored by: Rubicon Communications, LLC ("Netgate")

efc64d02 | 21-Apr-2022 | Kristof Provost <kp@FreeBSD.org>
pf: counter argument to pfr_pool_get() may never be NULL

Coverity points out that if counter was NULL when passed to pfr_pool_get() we could potentially end up dereferencing it. Happily all users of the function pass a non-NULL pointer. Enforce this by assertion and remove the pointless NULL check.

Reported by: Coverity (CID 273309)
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

812839e5 | 12-Apr-2022 | Kristof Provost <kp@FreeBSD.org>
pf: allow the use of tables in ethernet rules

Allow tables to be used for the l3 source/destination matching. This requires taking the PF_RULES read lock.

Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34917

7d1ab866 | 30-Mar-2022 | Mark Johnston <markj@FreeBSD.org>
pf: Initialize the table entry zone limit at initialization time

The limit may later be updated by the "set limit" directive in pf.conf. UMA does not permit a limit to be set on a zone after any items have been allocated from a zone.

Other UMA zones used by pf do not appear to be susceptible to this problem: they either set a limit at zone creation time or never set one at all.

PR: 260406
Reviewed by: kp
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D34713

b21826bf | 01-Feb-2022 | Kristof Provost <kp@FreeBSD.org>
pf: deal with tables gaining or losing counters

When we create a table without counters, add an entry and later re-define the table to have counters, we wound up trying to read non-existent counters. We now cope with this by attempting to add them if needed, removing them when they're no longer needed and not trying to read from counters that are not present.

MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D34131

8cceacc0 | 05-Jul-2021 | Kristof Provost <kp@FreeBSD.org>
pf: Remove unneeded NULL check

pidx is never NULL, and is used unconditionally later on in the function. Add an assertion, as documentation for the requirement to provide an idx pointer.

Reported by: clang --analyze
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

dc1ab04e | 02-Jul-2021 | Mateusz Guzik <mjg@FreeBSD.org>
pf: allow table stats clearing and reading with ruleset rlock

Instead serialize against these operations with a dedicated lock.

Prior to the change, when pushing 17 mln pps of traffic, calling DIOCRGETTSTATS in a loop would restrict throughput to about 7 mln. With the change there is no slowdown.

Reviewed by: kp (previous version)
Sponsored by: Rubicon Communications, LLC ("Netgate")

f92c21a2 | 02-Jul-2021 | Mateusz Guzik <mjg@FreeBSD.org>
pf: depessimize table handling

Creating tables and zeroing their counters induces excessive IPIs (14 per table), which in turn kills single- and multi-threaded performance.

Work around the problem by extending per-CPU counters with a general counter populated on "zeroing" requests -- it stores the currently found sum. Then requests to report the current value are the sum of per-CPU counters subtracted by the saved value.

Sample timings when loading a config with 100k tables on a 104-way box:

stock:
pfctl -f tables100000.conf  0.39s user 69.37s system 99% cpu 1:09.76 total
pfctl -f tables100000.conf  0.40s user 68.14s system 99% cpu 1:08.54 total

patched:
pfctl -f tables100000.conf  0.35s user 6.41s system 99% cpu 6.771 total
pfctl -f tables100000.conf  0.48s user 6.47s system 99% cpu 6.949 total

Reviewed by: kp (previous version)
Sponsored by: Rubicon Communications, LLC ("Netgate")

60a38abb | 01-Jun-2021 | Mark Johnston <markj@FreeBSD.org>
pf: Avoid leaking pad bytes in struct pfr_astats when copying out

There is padding between pfr_astats.pfras_a and pfras_packets that was not getting initialized.

Reported by: KMSAN
Reviewed by: kp, imp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D30585

e86bddea | 05-Dec-2020 | Kristof Provost <kp@FreeBSD.org>
pf: Split pf_rule into kernel and user space versions

No functional change intended.

MFC after: 2 weeks
Sponsored by: Orange Business Services
Differential Revision: https://reviews.freebsd.org/D27758

e6aed06f | 02-Dec-2020 | Mark Johnston <markj@FreeBSD.org>
pf: Fix table entry counter toggling

When updating a table, pf will keep existing table entry structures corresponding to addresses that are in both of the old and new tables. However, the update may also enable or disable per-entry counters which are allocated separately. Thus when toggling PFR_TFLAG_COUNTERS, the entries may be missing counters or may have unused counters allocated.

Fix the problem by modifying pfr_ina_commit() to transfer counters from or to entries in the shadow table.

PR: 251414
Reported by: sigsys@gmail.com
Reviewed by: kp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D27440

662c1305 | 01-Sep-2020 | Mateusz Guzik <mjg@FreeBSD.org>
net: clean up empty lines in .c and .h files

c1be8399 | 15-May-2020 | Mark Johnston <markj@FreeBSD.org>
pf: Add a new zone for per-table entry counters.

Right now we optionally allocate 8 counters per table entry, so in addition to memory consumed by counters, we require 8 pointers worth of space in each entry even when counters are not allocated (the default). Instead, define a UMA zone that returns contiguous per-CPU counter arrays for use in table entries. On amd64 this reduces sizeof(struct pfr_kentry) from 216 to 160. The smaller size also results in better slab efficiency, so memory usage for large tables is reduced by about 28%.

Reviewed by: kp
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D24843

21121f9b | 11-May-2020 | Mark Johnston <markj@FreeBSD.org>
pf: Don't allocate per-table entry counters unless required.

pf by default does not do per-table address accounting unless the "counters" keyword is specified in the corresponding pf.conf table definition. Yet, we always allocate 12 per-CPU counters per table. For large tables this carries a lot of overhead, so only allocate counters when they will actually be used.

A further enhancement might be to use a dedicated UMA zone to allocate counter arrays for table entries, since close to half of the structure size comes from counter pointers. A related issue is the cost of zeroing counters, since counter_u64_zero() calls smp_rendezvous() on some architectures.

Reported by: loos, Jim Pingle <jimp@netgate.com>
Reviewed by: kp
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC (Netgate)
Differential Revision: https://reviews.freebsd.org/D24803

59048686 | 15-Mar-2019 | Kristof Provost <kp@FreeBSD.org>
pf: Use counter(9) in pf tables.

The counters of pf tables are updated outside the rule lock. That means state updates might overwrite each other. Furthermore, allocation and freeing of counters happens outside the lock as well.

Use counter(9) for the counters, and always allocate the counter table element, so that the race condition cannot happen any more.

PR: 230619
Submitted by: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
Reviewed by: glebius
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D19558

032dff66 | 15-Jan-2019 | Kristof Provost <kp@FreeBSD.org>
pf: silence a runtime warning

Sometimes, for negated tables, pf can log 'pfr_update_stats: assertion failed'. This warning does not clarify anything for users, so silence it, just as OpenBSD has.

PR: 234874
MFC after: 1 week

87e4ca37 | 08-Nov-2018 | Kristof Provost <kp@FreeBSD.org>
pf: Prevent tables referenced by rules in anchors from getting disabled.

PR: 183198
Obtained from: OpenBSD
MFC after: 2 weeks

5f901c92 | 24-Jul-2018 | Andrew Turner <andrew@FreeBSD.org>
Use the new VNET_DEFINE_STATIC macro when we are defining static VNET variables.

Reviewed by: bz
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16147

455969d3 | 30-May-2018 | Kristof Provost <kp@FreeBSD.org>
pf: Replace rwlock on PF_RULES_LOCK with rmlock

Given that PF_RULES_LOCK is a mostly read lock, replace the rwlock with rmlock. This change improves packet processing rate in high pps environments. Benchmarking by olivier@ shows a 65% improvement in pps.

While here, also eliminate all appearances of "sys/rwlock.h" includes since it is not used anymore.

Submitted by: farrokhi@
Differential Revision: https://reviews.freebsd.org/D15502

adfe2f6a | 06-Apr-2018 | Kristof Provost <kp@FreeBSD.org>
pf: Improve ioctl validation for DIOCRGETTABLES, DIOCRGETTSTATS, DIOCRCLRTSTATS and DIOCRSETTFLAGS

These ioctls can process a number of items at a time, which puts us at risk of overflow in mallocarray() and of impossibly large allocations even if we don't overflow.

Limit the allocation to required size (or the user allocation, if that's smaller). That does mean we need to do the allocation with the rules lock held (so the number doesn't change while we're doing this), so it can't M_WAITOK.

MFC after: 1 week

b4b8fa33 | 19-Mar-2018 | Kristof Provost <kp@FreeBSD.org>
pf: Fix memory leak in DIOCRADDTABLES

If a user attempts to add two tables with the same name, the duplicate table will not be added, but we forgot to free the duplicate table, leaking memory. Ensure we free the duplicate table in the error path.

Reported by: Coverity
CID: 1382111
MFC after: 3 weeks

fe267a55 | 27-Nov-2017 | Pedro F. Giffuni <pfg@FreeBSD.org>
sys: general adoption of SPDX licensing ID tags.

Mainly focus on files that use the BSD 2-Clause license; however, the tool I was using misidentified many licenses, so this was mostly a manual - error prone - task.

The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, supersede or replace the license texts.

No functional change intended.

1e9e3741 | 25-Apr-2017 | Marko Zec <zec@FreeBSD.org>
Fix VNET leakages in PF by V_irtualizing pfr_ktables and friends.

Apparently this resolves a PF-triggered panic when destroying VNET jails.

Submitted by: Peter Blok <peter.blok@bsd4all.org>
Reviewed by: kp

61eee0e2 | 24-Jan-2016 | Alexander V. Chernikov <melifaro@FreeBSD.org>
MFP r287070,r287073: split radix implementation and route table structure.

There are a number of radix consumers in kernel land (pf, ipfw, nfs, route) with different requirements. In fact, the first 3 don't have _any_ requirements and the first 2 do not use radix locking. On the other hand, the routing structure does have these requirements (rnh_gen, multipath, custom to-be-added control plane functions, different locking). Additionally, radix should not know anything about its consumers' internals.

So, radix code now uses a tiny 'struct radix_head' structure along with an internal 'struct radix_mask_head' instead of 'struct radix_node_head'. Existing consumers still use the same 'struct radix_node_head' with slight modifications: they need to pass a pointer to the (embedded) 'struct radix_head' to all radix callbacks.

Routing code now uses the new 'struct rib_head' with a different locking macro: the RADIX_NODE_HEAD prefix was renamed to RIB_ (which stands for routing information base).

A new net/route_var.h header was added to hold routing subsystem internal data. 'struct rib_head' was placed there. 'struct rtentry' will also be moved there soon.

efc6c51f | 21-Jan-2015 | Gleb Smirnoff <glebius@FreeBSD.org>
Back out r276841, r276756, r276747, r276746.

The change in r276747 is very very questionable, since it makes vimages more dependent on each other. But the reason for the backout is that it screwed up shutting down the pf purge threads, and now the kernel immediately panics on pf module unload. Although module unloading isn't an advertised feature of pf, it is very important for the development process.

I'd like to not back out r276746, since in general it is good. But since it has introduced numerous build breakages, that later were addressed in r276841, r276756, r276747, I need to back it out as well. Better replay it in clean fashion from scratch.

c75820c7 | 06-Jan-2015 | Craig Rodrigues <rodrigc@FreeBSD.org>
Merge: r258322 from projects/pf branch

Split functions that initialize various pf parts into their vimage parts and global parts. Since global parts appeared to be only mutex initializations, just abandon them and use MTX_SYSINIT() instead.

Kill my incorrect VNET_FOREACH() iterator and instead use the correct approach with VNET_SYSINIT().

PR: 194515
Differential Revision: D1309
Submitted by: glebius, Nikos Vassiliadis <nvass@gmx.com>
Reviewed by: trociny, zec, gnn

55e5eda6 | 08-Nov-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Separate radix and routing: use different structures for route and for other customers.

Introduce new 'struct rib_head' for routing purposes and make all routing api use it.

22b08fd8 | 07-Nov-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Split radix implementation and system route table structure: use new 'struct radix_head' for radix.

31f0d081 | 01-Oct-2014 | Alexander V. Chernikov <melifaro@FreeBSD.org>
Remove lock init from radix.c.

Radix has never managed its locking itself. The only consumer using radix with an embedded rwlock is the system routing table. Move per-AF lock inits there.

495a22b5 | 01-Oct-2014 | Gleb Smirnoff <glebius@FreeBSD.org>
Use rn_detachhead() instead of direct free(9) for radix tables.

Sponsored by: Nginx, Inc.

eedc7fd9 | 26-Oct-2013 | Gleb Smirnoff <glebius@FreeBSD.org>
Provide includes that are needed in these files, and before were read in implicitly via if.h -> if_var.h pollution.

Sponsored by: Netflix
Sponsored by: Nginx, Inc.

d8aa10cc | 28-Dec-2012 | Gleb Smirnoff <glebius@FreeBSD.org>
In netpfil/pf:
- Add my copyright to files I've touched a lot this year.
- Add dash in front of all copyright notices according to style(9).
- Move $OpenBSD$ down below copyright notices.
- Remove extra line between cdefs.h and __FBSDID.

29bdd62c | 22-Sep-2012 | Gleb Smirnoff <glebius@FreeBSD.org>
When connection rate hits and we overload a source to a table, we are actually editing the table, which means editing rules, thus we need writer access to 'em. Fix this by offloading the update of the table to the same taskqueue we already use for flushing.

Since the taskqueue's major task is now overloading, and flushing is optional, do a mechanical rename s/flush/overload/ in the code related to the taskqueue.

Since overloading tasks do unsafe referencing of rules, provide a bandaid in pf_purge_unlinked_rules(). If the latter sees any queued tasks, then it skips purging for this run.

In table code:
- Assert any lock in pfr_lookup_addr().
- Assert writer lock in pfr_route_kentry().

e706fd3a | 22-Sep-2012 | Gleb Smirnoff <glebius@FreeBSD.org>
In pfr_insert_kentry() return ENOMEM if memory allocation failed.

7348c524 | 22-Sep-2012 | Gleb Smirnoff <glebius@FreeBSD.org>
Fix fallout from r236397 in pfr_update_stats(), that was missed later in r237155. We need to zero sockaddr before lookup.

While here, make pfr_update_stats() panic on unknown af.

3b3a8eb9 | 14-Sep-2012 | Gleb Smirnoff <glebius@FreeBSD.org>
o Create directory sys/netpfil, where all packet filters should reside, and move there ipfw(4) and pf(4).

o Move most modified parts of pf out of contrib.

Actual movements:

sys/contrib/pf/net/*.c -> sys/netpfil/pf/
sys/contrib/pf/net/*.h -> sys/net/
contrib/pf/pfctl/*.c -> sbin/pfctl
contrib/pf/pfctl/*.h -> sbin/pfctl
contrib/pf/pfctl/pfctl.8 -> sbin/pfctl
contrib/pf/pfctl/*.4 -> share/man/man4
contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw

The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.

Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.

The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.

Discussed with: bz, luigi
