panic: resize_storage() notify failure [Was: HEADS UP: Merging projects/ipfw to HEAD]
On Sat, Oct 04, 2014 at 04:35:51PM +0400, Alexander V. Chernikov wrote:
> Hi, I'm going to merge projects/ipfw branch to HEAD in the middle of next week.

OK; I was able to build and install head @r272938 this morning on my laptop; on reboot, I was greeted by a panic.

Now, this is a laptop, so I don't have a serial console -- but I was able to call doadump, then reboot with the wireless NIC disabled (to avoid the panic) and get the dump core.txt captured.

Here's the first chunk of the core.txt file:

localhost dumped core - see /var/crash/vmcore.0

Sat Oct 11 07:02:26 PDT 2014

FreeBSD localhost 11.0-CURRENT FreeBSD 11.0-CURRENT #1392 r272938M/272938:1100037: Sat Oct 11 05:44:30 PDT 2014 r...@g1-235.catwhisker.org:/common/S4/obj/usr/src/sys/CANARY i386

panic: resize_storage() notify failure

GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB. Type show warranty for details.
This GDB was configured as i386-marcel-freebsd...

Unread portion of the kernel message buffer:
panic: resize_storage() notify failure
cpuid = 0
KDB: stack backtrace:
db_trace_self_wrapper(c10ebfd8,d1070720,fc,1000,1,...) at 0xc0528cdd = db_trace_self_wrapper+0x2d/frame 0xfa0cc508
kdb_backtrace(c12a9e27,0,c111af52,fa0cc5dc,fa0cc598,...) at 0xc0b22180 = kdb_backtrace+0x30/frame 0xfa0cc570
vpanic(c1447c52,100,c111af52,fa0cc5dc,fa0cc5dc,...) at 0xc0ae7b8d = vpanic+0x11d/frame 0xfa0cc5ac
kassert_panic(c111af52,fa0cc6f8,223,1e8,c0b71417,...) at 0xc0ae7a6a = kassert_panic+0xea/frame 0xfa0cc5d0
ipfw_link_table_values(c1518498,fa0cc6f8,25a,fa0cc728,c1469c5c,...) at 0xc0d25cfd = ipfw_link_table_values+0x5ed/frame 0xfa0cc6a0
add_table_entry(c1518498,fa0cc7f0,fa0cc800,0,1,...) at 0xc0d1be78 = add_table_entry+0x348/frame 0xfa0cc7c8
manage_table_ent_v1(c1518498,fa0cca08,fa0cc870,8,c0d17710,...) at 0xc0d202b9 = manage_table_ent_v1+0x1c9/frame 0xfa0cc828
ipfw_ctl3(fa0ccbe0,2,fa0ccba8,c0a9ffc4,fa0ccbd0,...) at 0xc0d1834d = ipfw_ctl3+0xacd/frame 0xfa0ccb20
rip_ctloutput(d2432dc0,fa0ccbe0,,27f,1f,...) at 0xc0c3cf49 = rip_ctloutput+0x299/frame 0xfa0ccb48
sogetopt(d2432dc0,fa0ccbe0,fa0ccbd0,0,fa0ccbf8,...) at 0xc0b6c670 = sogetopt+0xb0/frame 0xfa0ccba8
kern_getsockopt(d03afc40,4,0,30,bfbfd850,...) at 0xc0b71556 = kern_getsockopt+0x116/frame 0xfa0ccc0c
sys_getsockopt(d03afc40,fa08,c12ab55e,d5,c1455210,...) at 0xc0b71417 = sys_getsockopt+0x67/frame 0xfa0ccc40
syscall(fa0ccd08) at 0xc0f7c76b = syscall+0x31b/frame 0xfa0cccfc
Xint0x80_syscall() at 0xc0f665b1 = Xint0x80_syscall+0x21/frame 0xfa0cccfc
--- syscall (118, FreeBSD ELF32, sys_getsockopt), eip = 0x2815a3c7, esp = 0xbfbfd2e4, ebp = 0xbfbfd300 ---
KDB: enter: panic

Reading symbols from /boot/kernel/linux.ko.symbols...done.
Loaded symbols for /boot/kernel/linux.ko.symbols
Reading symbols from /boot/kernel/coretemp.ko.symbols...done.
Loaded symbols for /boot/kernel/coretemp.ko.symbols
Reading symbols from /boot/kernel/iwn5000fw.ko.symbols...done.
Loaded symbols for /boot/kernel/iwn5000fw.ko.symbols
Reading symbols from /boot/modules/nvidia.ko...done.
Loaded symbols for /boot/modules/nvidia.ko
Reading symbols from /boot/kernel/tmpfs.ko.symbols...done.
Loaded symbols for /boot/kernel/tmpfs.ko.symbols
Reading symbols from /boot/kernel/fdescfs.ko.symbols...done.
Loaded symbols for /boot/kernel/fdescfs.ko.symbols
Reading symbols from /boot/kernel/linprocfs.ko.symbols...done.
Loaded symbols for /boot/kernel/linprocfs.ko.symbols
#0 doadump (textdump=0) at pcpu.h:233
233 pcpu.h: No such file or directory.
in pcpu.h
(kgdb) #0 doadump (textdump=0) at pcpu.h:233
#1 0xc0526acd in db_fncall (dummy1=-99826980, dummy2=0, dummy3=1573888, dummy4=0xfa0cc2b4 \036\211\220À¸\026MÁ) at /usr/src/sys/ddb/db_command.c:578
#2 0xc05267ab in db_command (cmd_table=value optimized out) at /usr/src/sys/ddb/db_command.c:449
#3 0xc05264f0 in db_command_loop () at /usr/src/sys/ddb/db_command.c:502
#4 0xc0528e20 in db_trap (type=value optimized out, code=value optimized out) at /usr/src/sys/ddb/db_main.c:251
#5 0xc0b226f4 in kdb_trap (type=value optimized out, code=value optimized out, tf=value optimized out) at /usr/src/sys/kern/subr_kdb.c:654
#6 0xc0f7ba87 in trap (frame=value optimized out) at /usr/src/sys/i386/i386/trap.c:693
#7 0xc0f6651c in calltrap () at /usr/src/sys/i386/i386/exception.s:169
#8 0xc0b21f7d in kdb_enter (why=0xc10e77dd panic, msg=value optimized out) at cpufunc.h:71
#9 0xc0ae7bb1 in vpanic (fmt=value optimized out, ap=value optimized out) at /usr/src/sys/kern/kern_shutdown.c:739
#10 0xc0ae7a6a in kassert_panic (fmt=value optimized out) at /usr/src/sys/kern/kern_shutdown.c:634
#11 0xc0d25cfd in ipfw_link_table_values (ch=0x0, ts=0xfa0cc6f8) at

Re: panic: resize_storage() notify failure [Was: HEADS UP: Merging projects/ipfw to HEAD]
On 11.10.2014 18:15, David Wolfskill wrote:
> On Sat, Oct 04, 2014 at 04:35:51PM +0400, Alexander V. Chernikov wrote:
>> Hi, I'm going to merge projects/ipfw branch to HEAD in the middle of next week.
>
> OK; I was able to build and install head @r272938 this morning on my laptop; on reboot, I was greeted by a panic.

Ups. Not the best greeting, definitely. Can you send me ipfw ruleset?

> Now, this is a laptop, so I don't have a serial console -- but I was able to call doadump, then reboot with the wireless NIC disabled (to

Do you have some hooks to run ipfw on iface-up?

> avoid the panic) and get the dump core.txt captured.
>
> Here's the first chunk of the core.txt file:

Re: panic: resize_storage() notify failure [Was: HEADS UP: Merging projects/ipfw to HEAD]
On Sat, Oct 11, 2014 at 07:05:12PM +0400, Alexander V. Chernikov wrote:
> ...
> Whoops. My bad. It should be fixed in r272940.
> ...

Confirmed: I'm not running:

FreeBSD localhost 11.0-CURRENT FreeBSD 11.0-CURRENT #1393 r272938M/272938:1100037: Sat Oct 11 08:45:34 PDT 2014 root@localhost:/common/S4/obj/usr/src/sys/CANARY i386

after having hand-applied the patch in r272940, rebuilt, reinstalled, and rebooted.

Thank you for the quick work! :-)

Peace,
david
--
David H. Wolfskill da...@catwhisker.org
Taliban: Evil cowards with guns afraid of truth from a 14-year old girl.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.

Re: HEADS UP: Merging projects/ipfw to HEAD
On 04 Oct 2014, at 16:35, Alexander V. Chernikov melif...@freebsd.org wrote:
> Hi, I'm going to merge projects/ipfw branch to HEAD in the middle of next week.

Merged in r 272840.

___
freebsd-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to freebsd-net-unsubscr...@freebsd.org

Re: HEADS UP: Merging projects/ipfw to HEAD
On 5-10-2014 4:18, John W. O'Brien wrote:
> On 10/4/14 8:35 AM, Alexander V. Chernikov wrote:
>> Hi, I'm going to merge projects/ipfw branch to HEAD in the middle of next week.

Alexander,

Nice job.. The change list looks impressive. Really looking forward to start working with the new table styles and options.. It will take time to get a real grasp of what new opportunities have become possible.

Not running any HEAD systems at the moment, but looking eagerly for a possible MFC to STABLE. Is that in the start at any point in time?

--WjW

___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to freebsd-ipfw-unsubscr...@freebsd.org

Re: HEADS UP: Merging projects/ipfw to HEAD
On 05.10.2014 14:13, Willem Jan Withagen wrote:
> On 5-10-2014 4:18, John W. O'Brien wrote:
>> On 10/4/14 8:35 AM, Alexander V. Chernikov wrote:
>>> Hi, I'm going to merge projects/ipfw branch to HEAD in the middle of next week.
>
> Alexander,
>
> Nice job.. The change list looks impressive. Really looking forward to start working with the new table styles and options.. It will take time to get a real grasp of what new opportunities have become possible.
>
> Not running any HEAD systems at the moment, but looking eagerly for a possible MFC to STABLE. Is that in the start at any point in time?

I plan to merge it in 1 month after committing to HEAD.

> --WjW

Re: HEADS UP: Merging projects/ipfw to HEAD
On 10/4/14 20:35, Alexander V. Chernikov wrote:
> Hi, I'm going to merge projects/ipfw branch to HEAD in the middle of next week.

Hi,

Good job, Waiting for your code :)

Regards,
Bycn82

Re: HEADS UP: Merging projects/ipfw to HEAD
On 04.10.2014 14:35, Alexander V. Chernikov wrote:
> Hi, I'm going to merge projects/ipfw branch to HEAD in the middle of next week.
>
> What has changed:
>
> Main user-visible changes are related to tables:
>
> * Tables are now identified by names, not numbers. There can be up to 65k tables with up to 63-byte long names.
> * Tables are now set-aware (default off), so you can switch/move them atomically with rules.
> * More functionality is supported (swap, lock, limits, user-level lookup, batched add/del) by generic table code.
> * New table types are added (flow) so you can match multiple packet fields at once.
> * Ability to add different types of lookup algorithms for particular table type has been added.
> * New table algorithms are added (cidr:hash, iface:array, number:array and flow:hash) to make certain types of lookup more effective.
> * Table values are now capable of holding multiple data fields for different tablearg users

Are IPv6 addresses supported as tablearg (in fwd)?

Re: HEADS UP: Merging projects/ipfw to HEAD
On 05.10.2014 20:33, Jan Bramkamp wrote:
> On 04.10.2014 14:35, Alexander V. Chernikov wrote:
>> Hi, I'm going to merge projects/ipfw branch to HEAD in the middle of next week.
>>
>> What has changed:
>>
>> Main user-visible changes are related to tables:
>>
>> * Tables are now identified by names, not numbers. There can be up to 65k tables with up to 63-byte long names.
>> * Tables are now set-aware (default off), so you can switch/move them atomically with rules.
>> * More functionality is supported (swap, lock, limits, user-level lookup, batched add/del) by generic table code.
>> * New table types are added (flow) so you can match multiple packet fields at once.
>> * Ability to add different types of lookup algorithms for particular table type has been added.
>> * New table algorithms are added (cidr:hash, iface:array, number:array and flow:hash) to make certain types of lookup more effective.
>> * Table values are now capable of holding multiple data fields for different tablearg users
>
> Are IPv6 addresses supported as tablearg (in fwd)?

Well, _currently_ not. However, it can be done in 1-2 hours of work. You already can specify IPv6 address as one of the value types for tablearg, the only thing that needs to be implemented is runtime code that applies this tablearg.

Re: HEADS UP: Merging projects/ipfw to HEAD
Hey Alexander,

Very nice work, thank you so much to bring these stuff to us.

Best Regards,

2014-10-04 20:35 GMT+08:00 Alexander V. Chernikov melif...@freebsd.org:
> Hi, I'm going to merge projects/ipfw branch to HEAD in the middle of next week.

___
freebsd-curr...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to

HEADS UP: Merging projects/ipfw to HEAD
Hi,

I'm going to merge projects/ipfw branch to HEAD in the middle of next week.

What has changed:

Main user-visible changes are related to tables:

* Tables are now identified by names, not numbers. There can be up to 65k tables with up to 63-byte long names.
* Tables are now set-aware (default off), so you can switch/move them atomically with rules.
* More functionality is supported (swap, lock, limits, user-level lookup, batched add/del) by generic table code.
* New table types are added (flow) so you can match multiple packet fields at once.
* Ability to add different types of lookup algorithms for particular table type has been added.
* New table algorithms are added (cidr:hash, iface:array, number:array and flow:hash) to make certain types of lookup more effective.
* Table values are now capable of holding multiple data fields for different tablearg users

Some examples (see ipfw(8) manual page for the description):

0:02 [2] zfscurr0# ipfw table fl2 create type flow:src-ip,proto,dst-port algo flow:hash valtype skipto,fib
0:02 [2] zfscurr0# ipfw table fl2 info
+++ table(fl2), set(0) +++
 kindex: 0, type: flow:src-ip,proto,dst-port
 valtype: number, references: 0
 algorithm: flow:hash
 items: 0, size: 280
0:02 [2] zfscurr0# ipfw table fl2 add 2a02:6b8::333,tcp,443 45000,12
0:02 [2] zfscurr0# ipfw table fl2 add 10.0.0.92,tcp,80 22000,13
0:02 [2] zfscurr0# ipfw table fl2 list
+++ table(fl2), set(0) +++
2a02:6b8::333,6,443 45000
10.0.0.92,6,80 22000
0:02 [2] zfscurr0# ipfw add 200 count tcp from me to 78.46.89.105 80 flow 'table(fl2)'

ipfw table mi_test create type cidr algo cidr:hash masks=/30,/64
ipfw table mi_test add 10.0.0.8/30
ipfw table mi_test add 2a02:6b8:b010::1/64 25

# ipfw table si add 1.1.1.1/32 2.2.2.2/32
added: 1.1.1.1/32
added: 2.2.2.2/32
# ipfw table si add 2.2.2.2/32 2200 4.4.4.4/32
exists: 2.2.2.2/32 2200
added: 4.4.4.4/32
ipfw: Adding record failed: record already exists
^ Returns error but keeps inserted items
# ipfw table si list
+++ table(si), set(0) +++
1.1.1.1/32
2.2.2.2/32
4.4.4.4/32
# ipfw table si atomic add 3.3.3.3/32 4.4.4.4/32 4400 5.5.5.5/32
added(reverted): 3.3.3.3/32
exists: 4.4.4.4/32 4400
ignored: 5.5.5.5/32
ipfw: Adding record failed: record already exists
^ Returns error and reverts added records

Performance changes:

* Main ipfw lock was converted to rmlock
* Rule counters were separated from rule itself and made per-cpu.
* Radix table entries fit into 128 bytes
* struct ip_fw is now more compact so more rules will fit into 64 bytes
* interface tables use array of existing ifindexes for faster match

ABI changes:

All functionality supported by old ipfw(8) remains functional. Old and new binaries can work together with the following restrictions:

* Tables named other than ^\d+$ are shown as table(65535) in ruleset in old binaries
* I'm a bit unsure about lookup src-port|dst-port N case, something may be broken here. Anyway, this can be fixed for MFC

Internal changes:

Changing table ids to numbers resulted in format modification for most sockopt codes. Old sopt format was compact, but very hard to extend (no versioning, inability to add more opcodes), so

* All relevant opcodes were converted to TLV-based versioned IP_FW3-based codes.
* The remaining opcodes were also converted to be able to eliminate all older opcodes at once
* All IP_FW3 handlers use special API instead of calling sooptcopy* directly to ease adding other communication methods
* struct ip_fw is now different for kernel and userland
* tablearg value has been changed to 0 to ease future extensions
* table values are now indexes in special value array which holds extended data for given index
* Batched add/delete has been added to tables code
* Most changes have been done to permit batched rule addition.
* interface tracking API has been added (started on demand) to permit effective interface tables operations
* O(1) skipto cache, currently turned off by default at compile-time (eats 512K).
* Several steps have been made towards making libipfw:
  * most of new functions were separated into parse/prepare/show and actually-do-stuff pieces (already merged).
  * there are separate functions for parsing text string into struct ip_fw and printing struct ip_fw to supplied buffer (already merged).
* Probably some more less significant/forgotten features

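The difference between the plain and `atomic` batched table adds shown in the announcement above, as an added example that is not part of the original message and is not ipfw source: a user-space C model that replays the `si` table session and reports the same per-entry statuses. All struct and function names are hypothetical, and only keys are modelled (the values 2200 and 4400 are left out).

```c
/* Added illustration, not ipfw source: user-space model of batched table
 * adds. All names are hypothetical; only keys are modelled, not values. */
#include <stdio.h>
#include <string.h>

#define TBL_MAX 16

enum ent_status { ST_UNSET, ST_ADDED, ST_EXISTS, ST_LIMIT, ST_IGNORED, ST_REVERTED };

struct table  { const char *key[TBL_MAX]; int count; };
struct result { int rc; int count; enum ent_status st[3]; };

static const char *st_name(enum ent_status s)
{
    static const char *n[] = { "unset", "added", "exists", "limit",
                               "ignored", "added(reverted)" };
    return n[s];
}

static int tbl_has(const struct table *t, const char *k)
{
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->key[i], k) == 0)
            return 1;
    return 0;
}

/*
 * Add n keys and record a per-entry status in st[].
 * Returns 0 if every key was inserted, -1 otherwise.
 *   plain  (atomic == 0): every key is attempted, successful inserts stay.
 *   atomic (atomic != 0): stop at the first failure, undo this batch's
 *                         earlier inserts, mark the remaining keys ignored.
 */
static int tbl_add_batch(struct table *t, const char **keys, int n,
                         int atomic, enum ent_status *st)
{
    int rollback = t->count;    /* table size before this batch */
    int failed = 0;

    for (int i = 0; i < n; i++) {
        if (failed && atomic) {
            st[i] = ST_IGNORED;
        } else if (tbl_has(t, keys[i])) {
            st[i] = ST_EXISTS;
            failed = 1;
        } else if (t->count == TBL_MAX) {
            st[i] = ST_LIMIT;
            failed = 1;
        } else {
            t->key[t->count++] = keys[i];
            st[i] = ST_ADDED;
        }
    }
    if (failed && atomic) {
        t->count = rollback;    /* entries are appended, so truncating undoes them */
        for (int i = 0; i < n; i++)
            if (st[i] == ST_ADDED)
                st[i] = ST_REVERTED;
    }
    return failed ? -1 : 0;
}

/* Pre-load a table, then run one batch and capture the outcome. */
static struct result run(const char **pre, int npre,
                         const char **batch, int n, int atomic)
{
    struct table t = { .count = 0 };
    enum ent_status scratch[TBL_MAX];
    struct result r = { 0 };

    tbl_add_batch(&t, pre, npre, 0, scratch);
    r.rc = tbl_add_batch(&t, batch, n, atomic, r.st);
    r.count = t.count;
    return r;
}

/* "ipfw table si add 2.2.2.2/32 2200 4.4.4.4/32" from the announcement */
static struct result replay_plain(void)
{
    const char *pre[]   = { "1.1.1.1/32", "2.2.2.2/32" };
    const char *batch[] = { "2.2.2.2/32", "4.4.4.4/32" };
    return run(pre, 2, batch, 2, 0);
}

/* "ipfw table si atomic add 3.3.3.3/32 4.4.4.4/32 4400 5.5.5.5/32" */
static struct result replay_atomic(void)
{
    const char *pre[]   = { "1.1.1.1/32", "2.2.2.2/32", "4.4.4.4/32" };
    const char *batch[] = { "3.3.3.3/32", "4.4.4.4/32", "5.5.5.5/32" };
    return run(pre, 3, batch, 3, 1);
}

int main(void)
{
    struct result p = replay_plain(), a = replay_atomic();

    printf("plain:  rc=%d items=%d [%s, %s]\n", p.rc, p.count,
           st_name(p.st[0]), st_name(p.st[1]));
    printf("atomic: rc=%d items=%d [%s, %s, %s]\n", a.rc, a.count,
           st_name(a.st[0]), st_name(a.st[1]), st_name(a.st[2]));
    return 0;
}
```

Both calls return an error, but only the atomic one leaves the table unchanged, so a script that loads a firewall table with a plain batched add cannot treat a failure as "nothing was applied".
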
Re: HEADS UP: Merging projects/ipfw to HEAD
On 10/4/14 8:35 AM, Alexander V. Chernikov wrote:
> Hi, I'm going to merge projects/ipfw branch to HEAD in the middle of next week.
>
> What has changed:

[crap ton of awesome stuff]

Alexander,

Nice work! I'm impressed by the sound of these new capabilities, and look forward to trying them out. Thank you for your efforts.

Regards,
John