svn commit: r367594 - head/sys/net

2020-11-11 Thread Andrey V. Elsukov
Author: ae
Date: Wed Nov 11 15:53:36 2020
New Revision: 367594
URL: https://svnweb.freebsd.org/changeset/base/367594

Log:
  Fix possible NULL pointer dereference.
  
  lagg(4) replaces if_output method of its child interfaces and expects
  that this method can be called only by child interfaces. But it is
  possible that lagg_port_output() could be called by children of child
  interfaces. In this case ifnet's if_lagg field is NULL. Add check that
  lp is not NULL.
  
  Obtained from:Yandex LLC
  MFC after:1 week
  Sponsored by: Yandex LLC

Modified:
  head/sys/net/if_lagg.c

Modified: head/sys/net/if_lagg.c
==
--- head/sys/net/if_lagg.c  Wed Nov 11 15:01:17 2020(r367593)
+++ head/sys/net/if_lagg.c  Wed Nov 11 15:53:36 2020(r367594)
@@ -1145,7 +1145,8 @@ lagg_port_output(struct ifnet *ifp, struct mbuf *m,
switch (dst->sa_family) {
case pseudo_AF_HDRCMPLT:
case AF_UNSPEC:
-   return ((*lp->lp_output)(ifp, m, dst, ro));
+   if (lp != NULL)
+   return ((*lp->lp_output)(ifp, m, dst, ro));
}
 
/* drop any other frames */
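Review bot: The new `lp != NULL` guard silently falls through to the "drop any other frames" path, and nothing in if_lagg.c tells a reader why `lp` can be NULL at this point. The log has the reason (lagg_port_output() can be reached through a child of a child interface, whose if_lagg is NULL), and it belongs next to the check: `/* lp is NULL when called via a child of a child interface; fall through and drop. */`. The assignment of `lp` and the rest of lagg_port_output() are outside the hunk, so whether the drop path is accounted in any counter is not visible from here.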


svn commit: r366908 - in head: share/dtrace sys/netpfil/ipfw

2020-10-21 Thread Andrey V. Elsukov
Author: ae
Date: Wed Oct 21 15:01:33 2020
New Revision: 366908
URL: https://svnweb.freebsd.org/changeset/base/366908

Log:
  Add dtrace SDT probe ipfw:::rule-matched.
  
  It helps to reduce complexity with debugging of large ipfw rulesets.
  Also define several constants and translators that can be used by
  dtrace scripts with this probe.
  
  Reviewed by:  gnn
  Obtained from:Yandex LLC
  MFC after:2 weeks
  Sponsored by: Yandex LLC
  Differential Revision:https://reviews.freebsd.org/D26879

Added:
  head/share/dtrace/ipfw.d   (contents, props changed)
Modified:
  head/share/dtrace/Makefile
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/share/dtrace/Makefile
==
--- head/share/dtrace/Makefile  Wed Oct 21 05:57:25 2020(r366907)
+++ head/share/dtrace/Makefile  Wed Oct 21 15:01:33 2020(r366908)
@@ -21,7 +21,7 @@ SCRIPTS=  blocking \
 
 SCRIPTSDIR= ${SHAREDIR}/dtrace
 
-DSRCS= mbuf.d
+DSRCS= mbuf.d ipfw.d
 
 FILES= ${DSRCS}
 FILESDIR=  /usr/lib/dtrace

Added: head/share/dtrace/ipfw.d
==
--- /dev/null   00:00:00 1970   (empty, because file is newly added)
+++ head/share/dtrace/ipfw.dWed Oct 21 15:01:33 2020(r366908)
@@ -0,0 +1,219 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+ *
+ * Copyright (c) 2020 Yandex LLC
+ * Copyright (c) 2020 Andrey V. Elsukov 
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#pragma D depends_on provider ipfw
+
+/* ipfw_chk() return values */
+#pragma D binding "1.0" IP_FW_PASS
+inline int IP_FW_PASS =0;
+#pragma D binding "1.0" IP_FW_DENY
+inline int IP_FW_DENY =1;
+#pragma D binding "1.0" IP_FW_DIVERT
+inline int IP_FW_DIVERT =  2;
+#pragma D binding "1.0" IP_FW_TEE
+inline int IP_FW_TEE = 3;
+#pragma D binding "1.0" IP_FW_DUMMYNET
+inline int IP_FW_DUMMYNET =4;
+#pragma D binding "1.0" IP_FW_NETGRAPH
+inline int IP_FW_NETGRAPH =5;
+#pragma D binding "1.0" IP_FW_NGTEE
+inline int IP_FW_NGTEE =   6;
+#pragma D binding "1.0" IP_FW_NAT
+inline int IP_FW_NAT = 7;
+#pragma D binding "1.0" IP_FW_REASS
+inline int IP_FW_REASS =   8;
+#pragma D binding "1.0" IP_FW_NAT64
+inline int IP_FW_NAT64 =   9;
+
+#pragma D binding "1.0" ipfw_retcodes
+inline string ipfw_retcodes[int ret] =
+   ret == IP_FW_PASS ? "PASS" :
+   ret == IP_FW_DENY ? "DENY" :
+   ret == IP_FW_DIVERT ? "DIVERT" :
+   ret == IP_FW_TEE ? "TEE" :
+   ret == IP_FW_DUMMYNET ? "DUMMYNET" :
+   ret == IP_FW_NETGRAPH ? "NETGRAPH" :
+   ret == IP_FW_NGTEE ? "NGTEE" :
+   ret == IP_FW_NAT ? "NAT" :
+   ret == IP_FW_REASS ? "REASS" :
+   ret == IP_FW_NAT64 ? "NAT64" :
+   "";
+
+/* ip_fw_args flags */
+#pragma D binding "1.0" IPFW_ARGS_ETHER
+inline int IPFW_ARGS_ETHER =   0x0001; /* valid ethernet header */
+#pragma D binding "1.0" IPFW_ARGS_NH4
+inline int IPFW_ARGS_NH4 = 0x0002; /* IPv4 next hop in hopstore */
+#pragma D binding "1.0" IPFW_ARGS_NH6
+inline int IPFW_ARGS_NH6 = 0x0004; /* IPv6 next hop in hopstore */
+#pragma D binding "1.0" IPFW_ARGS_NH4PTR
+inline int IPFW_ARGS_NH4PTR =  0x0008; /* IPv4 next hop in next_hop */
+#pragma D binding "1.0" IPFW_ARGS_NH6PTR
+inline int IPFW_ARGS_NH6PTR =  0x0010; /* IPv6 next hop in

svn commit: r366695 - in head: share/man/man4 sys/netinet sys/sys

2020-10-14 Thread Andrey V. Elsukov
Author: ae
Date: Wed Oct 14 09:22:54 2020
New Revision: 366695
URL: https://svnweb.freebsd.org/changeset/base/366695

Log:
  Implement SIOCGIFALIAS.
  
  It is a lightweight way to check whether an IPv4 address exists.
  
  Submitted by: Roy Marples
  Reviewed by:  gnn, melifaro
  MFC after:2 weeks
  Differential Revision:https://reviews.freebsd.org/D26636

Modified:
  head/share/man/man4/netintro.4
  head/sys/netinet/in.c
  head/sys/sys/sockio.h

Modified: head/share/man/man4/netintro.4
==
--- head/share/man/man4/netintro.4  Wed Oct 14 08:04:39 2020
(r366694)
+++ head/share/man/man4/netintro.4  Wed Oct 14 09:22:54 2020
(r366695)
@@ -28,7 +28,7 @@
 .\" @(#)netintro.4 8.2 (Berkeley) 11/30/93
 .\" $FreeBSD$
 .\"
-.Dd January 26, 2012
+.Dd October 14, 2020
 .Dt NETINTRO 4
 .Os
 .Sh NAME
@@ -349,6 +349,13 @@ multiple masks or destination addresses, and also adop
 convention that specification of the default address means
 to delete the first address for the interface belonging to
 the address family in which the original socket was opened.
+.It Dv SIOCGIFALIAS
+This request provides means to get additional addresses
+together with netmask and broadcast/destination from an
+interface.
+It also uses the
+.Vt ifaliasreq
+structure.
 .It Dv SIOCGIFCONF
 Get interface configuration list.
 This request takes an

Modified: head/sys/netinet/in.c
==
--- head/sys/netinet/in.c   Wed Oct 14 08:04:39 2020(r366694)
+++ head/sys/netinet/in.c   Wed Oct 14 09:22:54 2020(r366695)
@@ -72,6 +72,7 @@ __FBSDID("$FreeBSD$");
 
 static int in_aifaddr_ioctl(u_long, caddr_t, struct ifnet *, struct thread *);
 static int in_difaddr_ioctl(u_long, caddr_t, struct ifnet *, struct thread *);
+static int in_gifaddr_ioctl(u_long, caddr_t, struct ifnet *, struct thread *);
 
 static voidin_socktrim(struct sockaddr_in *);
 static voidin_purgemaddrs(struct ifnet *);
@@ -237,6 +238,11 @@ in_control(struct socket *so, u_long cmd, caddr_t data
case SIOCGIFDSTADDR:
case SIOCGIFNETMASK:
break;
+   case SIOCGIFALIAS:
+   sx_xlock(_control_sx);
+   error = in_gifaddr_ioctl(cmd, data, ifp, td);
+   sx_xunlock(_control_sx);
+   return (error);
case SIOCDIFADDR:
sx_xlock(_control_sx);
error = in_difaddr_ioctl(cmd, data, ifp, td);
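Review bot: The new SIOCGIFALIAS case takes `in_control_sx` exclusively although in_gifaddr_ioctl() only reads the address list and copies fields out of the matching ia. If that lock exists to serialise address add/delete against each other, `sx_slock(&in_control_sx)` / `sx_sunlock(&in_control_sx)` would be sufficient for a get request and would let concurrent readers proceed — worth confirming against the lock's intended role before changing it. The enclosing in_control() switch begins and ends outside the hunk.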
@@ -646,6 +652,60 @@ in_difaddr_ioctl(u_long cmd, caddr_t data, struct ifne
IFADDR_EVENT_DEL);
ifa_free(>ia_ifa);  /* in_ifaddrhead */
 
+   return (0);
+}
+
+static int
+in_gifaddr_ioctl(u_long cmd, caddr_t data, struct ifnet *ifp, struct thread 
*td)
+{
+   struct in_aliasreq *ifra = (struct in_aliasreq *)data;
+   const struct sockaddr_in *addr = >ifra_addr;
+   struct epoch_tracker et;
+   struct ifaddr *ifa;
+   struct in_ifaddr *ia;
+
+   /*
+* ifra_addr must be present and be of INET family.
+*/
+   if (addr->sin_len != sizeof(struct sockaddr_in) ||
+   addr->sin_family != AF_INET)
+   return (EINVAL);
+
+   /*
+* See whether address exist.
+*/
+   ia = NULL;
+   NET_EPOCH_ENTER(et);
+   CK_STAILQ_FOREACH(ifa, >if_addrhead, ifa_link) {
+   struct in_ifaddr *it;
+
+   if (ifa->ifa_addr->sa_family != AF_INET)
+   continue;
+
+   it = (struct in_ifaddr *)ifa;
+   if (it->ia_addr.sin_addr.s_addr == addr->sin_addr.s_addr &&
+   prison_check_ip4(td->td_ucred, >sin_addr) == 0) {
+   ia = it;
+   break;
+   }
+   }
+   if (ia == NULL) {
+   NET_EPOCH_EXIT(et);
+   return (EADDRNOTAVAIL);
+   }
+
+   ifra->ifra_mask = ia->ia_sockmask;
+   if ((ifp->if_flags & IFF_POINTOPOINT) &&
+   ia->ia_dstaddr.sin_family == AF_INET)
+   ifra->ifra_dstaddr = ia->ia_dstaddr;
+   else if ((ifp->if_flags & IFF_BROADCAST) &&
+   ia->ia_broadaddr.sin_family == AF_INET)
+   ifra->ifra_broadaddr = ia->ia_broadaddr;
+   else
+   memset(>ifra_broadaddr, 0,
+   sizeof(ifra->ifra_broadaddr));
+
+   NET_EPOCH_EXIT(et);
return (0);
 }
 
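Review bot: in_gifaddr_ioctl() has two exit paths that each must call NET_EPOCH_EXIT(), and the one inside the `ia == NULL` branch is the kind that gets lost on the next edit; a single exit (e.g. `error = EADDRNOTAVAIL; goto out;` with the epoch exit under `out:`) would remove the duplication. The function also lacks a header comment; something like `/* SIOCGIFALIAS: look up ifra_addr on ifp and fill in ifra_mask and ifra_broadaddr/ifra_dstaddr from the matching address. Returns EINVAL for a non-AF_INET request and EADDRNOTAVAIL when the address is absent or not visible to the caller's jail. */` states the contract the code shows. The comment `See whether address exist.` should read `exists`. If `ifra_dstaddr` and `ifra_broadaddr` share storage in struct in_aliasreq, as I believe they do, the three branches all write the same field and a one-line note saying so would save the next reader a trip to in_var.h.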

Modified: head/sys/sys/sockio.h
==
--- head/sys/sys/sockio.h   Wed Oct 14 08:04:39 2020(r366694)
+++ head/sys/sys/sockio.h   Wed Oct 14 09:22:54 2020(r366695)
@@ -84,6 +84,7 @@
 #defineSIOCGIFDESCR_IOWR('i', 42, struct ifreq)/* get ifnet 
descr */ 
 #defineSIOCAIFADDR  _IOW('i', 43, struct ifaliasreq)/* add/chg IF 
alias */
 #defineSIOCGIFDATA  _IOW('i', 44, 

svn commit: r366682 - head/sys/netinet

2020-10-13 Thread Andrey V. Elsukov
Author: ae
Date: Tue Oct 13 19:34:36 2020
New Revision: 366682
URL: https://svnweb.freebsd.org/changeset/base/366682

Log:
  Join to AllHosts multicast group again when adding an existing IPv4 address.
  
  When the SIOCAIFADDR ioctl configures an IPv4 address that already exists,
  it removes old ifaddr. When this IPv4 address is only one configured on
  the interface, this also leads to leaving from AllHosts multicast group.
  Then an address is added again, but due to the bug, this doesn't lead
  to joining to AllHosts multicast group.
  
  Submitted by: yannis.planus_alstomgroup.com
  Reviewed by:  gnn
  MFC after:1 week
  Differential Revision:https://reviews.freebsd.org/D26757

Modified:
  head/sys/netinet/in.c

Modified: head/sys/netinet/in.c
==
--- head/sys/netinet/in.c   Tue Oct 13 18:57:42 2020(r366681)
+++ head/sys/netinet/in.c   Tue Oct 13 19:34:36 2020(r366682)
@@ -377,10 +377,11 @@ in_aifaddr_ioctl(u_long cmd, caddr_t data, struct ifne
continue;
 
it = (struct in_ifaddr *)ifa;
-   iaIsFirst = false;
if (it->ia_addr.sin_addr.s_addr == addr->sin_addr.s_addr &&
prison_check_ip4(td->td_ucred, >sin_addr) == 0)
ia = it;
+   else
+   iaIsFirst = false;
}
NET_EPOCH_EXIT(et);
 
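Review bot: Moving `iaIsFirst = false` into the `else` is the whole fix, but nothing in the loop says why a matching address must not clear the flag, and the next reader will be tempted to move it back. A comment above the `if` would protect it: `/* An address equal to the one being added is about to be removed and re-added (see below), so it must not count as an existing address when deciding whether to join the AllHosts group. */`. Note the `else` also runs for a matching address that fails prison_check_ip4(), i.e. one owned by another jail; that looks right, since the interface really does keep that address, but it deserves a word in the same comment. in_aifaddr_ioctl() begins and ends outside the hunk.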


svn commit: r366681 - head/sys/netpfil/ipfw/nat64

2020-10-13 Thread Andrey V. Elsukov
Author: ae
Date: Tue Oct 13 18:57:42 2020
New Revision: 366681
URL: https://svnweb.freebsd.org/changeset/base/366681

Log:
  Add IPv4 fragments reassembling to NAT64LSN.
  
  NAT64LSN requires the presence of upper level protocol header
  in an IPv4 datagram to find the corresponding state to make the translation.
  Now it will be handled automatically by nat64lsn instance.
  
  Reviewed by:  melifaro
  Obtained from:Yandex LLC
  MFC after:1 week
  Sponsored by: Yandex LLC
  Differential Revision:https://reviews.freebsd.org/D26758

Modified:
  head/sys/netpfil/ipfw/nat64/nat64lsn.c

Modified: head/sys/netpfil/ipfw/nat64/nat64lsn.c
==
--- head/sys/netpfil/ipfw/nat64/nat64lsn.c  Tue Oct 13 18:36:35 2020
(r366680)
+++ head/sys/netpfil/ipfw/nat64/nat64lsn.c  Tue Oct 13 18:57:42 2020
(r366681)
@@ -547,6 +547,57 @@ nat64lsn_get_state4to6(struct nat64lsn_cfg *cfg, struc
return (NULL);
 }
 
+/*
+ * Reassemble IPv4 fragments, make PULLUP if needed, get some ULP fields
+ * that might be unknown until reassembling is completed.
+ */
+static struct mbuf*
+nat64lsn_reassemble4(struct nat64lsn_cfg *cfg, struct mbuf *m,
+uint16_t *port)
+{
+   struct ip *ip;
+   int len;
+
+   m = ip_reass(m);
+   if (m == NULL)
+   return (NULL);
+   /* IP header must be contigious after ip_reass() */
+   ip = mtod(m, struct ip *);
+   len = ip->ip_hl << 2;
+   switch (ip->ip_p) {
+   case IPPROTO_ICMP:
+   len += ICMP_MINLEN; /* Enough to get icmp_id */
+   break;
+   case IPPROTO_TCP:
+   len += sizeof(struct tcphdr);
+   break;
+   case IPPROTO_UDP:
+   len += sizeof(struct udphdr);
+   break;
+   default:
+   m_freem(m);
+   NAT64STAT_INC(>base.stats, noproto);
+   return (NULL);
+   }
+   if (m->m_len < len) {
+   m = m_pullup(m, len);
+   if (m == NULL) {
+   NAT64STAT_INC(>base.stats, nomem);
+   return (NULL);
+   }
+   ip = mtod(m, struct ip *);
+   }
+   switch (ip->ip_p) {
+   case IPPROTO_TCP:
+   *port = ntohs(L3HDR(ip, struct tcphdr *)->th_dport);
+   break;
+   case IPPROTO_UDP:
+   *port = ntohs(L3HDR(ip, struct udphdr *)->uh_dport);
+   break;
+   }
+   return (m);
+}
+
 static int
 nat64lsn_translate4(struct nat64lsn_cfg *cfg,
 const struct ipfw_flow_id *f_id, struct mbuf **mp)
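Review bot: In nat64lsn_reassemble4() a NULL from m_pullup() is always counted as `nomem`, but m_pullup() also fails when the reassembled datagram is shorter than `len`, i.e. a truncated ICMP/TCP/UDP header, so malformed input becomes indistinguishable from memory pressure in the statistics. Checking `if (ntohs(ip->ip_len) < len)` before the pullup, freeing the mbuf and accounting it under the counter used for dropped/malformed packets would keep `nomem` meaningful. Two smaller points: the comment `/* IP header must be contigious after ip_reass() */` should read `contiguous`, and the second `switch (ip->ip_p)` has no ICMP case, so `*port` is left untouched for ICMP; if the caller derives the ICMP identifier itself (its code is outside this hunk), a `/* ICMP: caller extracts the id itself */`-style comment on the switch would make that explicit.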
@@ -566,6 +617,14 @@ nat64lsn_translate4(struct nat64lsn_cfg *cfg,
if (addr < cfg->prefix4 || addr > cfg->pmask4) {
NAT64STAT_INC(>base.stats, nomatch4);
return (cfg->nomatch_verdict);
+   }
+
+   /* Reassemble fragments if needed */
+   ret = ntohs(mtod(*mp, struct ip *)->ip_off);
+   if ((ret & (IP_MF | IP_OFFMASK)) != 0) {
+   *mp = nat64lsn_reassemble4(cfg, *mp, );
+   if (*mp == NULL)
+   return (IP_FW_DENY);
}
 
/* Check if protocol is supported */
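Review bot: `ret` is reused here to hold `ip_off`, so a variable presumably declared for ipfw verdicts carries IP fragment flags for three lines; `uint16_t off = ntohs(mtod(*mp, struct ip *)->ip_off);` followed by `if ((off & (IP_MF | IP_OFFMASK)) != 0)` reads better and keeps the types honest. The third argument to nat64lsn_reassemble4() is rendered blank in this listing; its declaration, like that of `ret`, is outside the hunk, so I cannot see whether it has a defined value on the ICMP path, where the helper leaves it unchanged. The rest of nat64lsn_translate4() is outside the hunk.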


svn commit: r366568 - head/usr.bin/cpuset

2020-10-09 Thread Andrey V. Elsukov
Author: ae
Date: Fri Oct  9 11:24:19 2020
New Revision: 366568
URL: https://svnweb.freebsd.org/changeset/base/366568

Log:
  Fix EINVAL message when CPU binding information is requested for IRQ.
  
  `cpuset -g -x N' prints the requested information but then always prints
  the message `cpuset: getdomain: Invalid argument'. The EINVAL is returned
  from kern_cpuset_getdomain(), since it doesn't expect CPU_LEVEL_WHICH
  and CPU_WHICH_IRQ parameters.
  
  To fix the error, do not call cpuset_getdomain() when `-x' is specified.
  
  MFC after:1 week

Modified:
  head/usr.bin/cpuset/cpuset.c

Modified: head/usr.bin/cpuset/cpuset.c
==
--- head/usr.bin/cpuset/cpuset.cFri Oct  9 10:55:19 2020
(r366567)
+++ head/usr.bin/cpuset/cpuset.cFri Oct  9 11:24:19 2020
(r366568)
@@ -253,7 +253,7 @@ printaffinity(void)
printf("%s %jd%s mask: ", whichnames[which], (intmax_t)id,
levelnames[level]);
printset((struct bitset *), CPU_SETSIZE);
-   if (dflag)
+   if (dflag || xflag)
goto out;
if (cpuset_getdomain(level, which, id, sizeof(domain), ,
) != 0)
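Review bot: The new `|| xflag` condition fixes the spurious EINVAL, but nothing in the code explains it; from the log, kern_cpuset_getdomain() rejects CPU_WHICH_IRQ, so the skip deserves a comment: `/* IRQs have no domain binding; kern_cpuset_getdomain() rejects CPU_WHICH_IRQ with EINVAL. */`. printaffinity() begins and ends outside the hunk.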


svn commit: r365628 - head/sbin/ipfw

2020-09-11 Thread Andrey V. Elsukov
Author: ae
Date: Fri Sep 11 10:07:09 2020
New Revision: 365628
URL: https://svnweb.freebsd.org/changeset/base/365628

Log:
  Fix compatibility regression after r364117.
  
  Properly handle the case, when some opcode keywords follow after
  the `frag` opcode without additional options.
  
  Reported by:  Evgeniy Khramtsov 

Modified:
  head/sbin/ipfw/ipfw2.c

Modified: head/sbin/ipfw/ipfw2.c
==
--- head/sbin/ipfw/ipfw2.c  Fri Sep 11 10:05:44 2020(r365627)
+++ head/sbin/ipfw/ipfw2.c  Fri Sep 11 10:07:09 2020(r365628)
@@ -4560,17 +4560,24 @@ read_options:
fill_cmd(cmd, O_DIVERTED, 0, 2);
break;
 
-   case TOK_FRAG:
-   fill_flags_cmd(cmd, O_FRAG, f_ipoff, *av);
-   /*
-* Compatibility: no argument after "frag"
-* keyword equals to "frag offset".
-*/
-   if (cmd->arg1 == 0)
-   cmd->arg1 = 0x1;
-   else
+   case TOK_FRAG: {
+   uint32_t set = 0, clear = 0;
+
+   if (*av != NULL && fill_flags(f_ipoff, *av, NULL,
+   , ) == 0)
av++;
+   else {
+   /*
+* Compatibility: no argument after "frag"
+* keyword equals to "frag offset".
+*/
+   set = 0x01;
+   clear = 0;
+   }
+   fill_cmd(cmd, O_FRAG, 0,
+   (set & 0xff) | ( (clear & 0xff) << 8));
break;
+   }
 
case TOK_LAYER2:
fill_cmd(cmd, O_LAYER2, 0, 0);
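Review bot: The compatibility branch hard-codes `set = 0x01` for "frag offset" while the normal path obtains the bit from the f_ipoff table through fill_flags(), so the two can silently diverge if the table is ever reordered; looking the value up from f_ipoff, or a named constant that the table also uses, would tie them together. `clear = 0;` in the same branch is redundant, since `clear` is initialised to 0 at the top of the case. The switch containing this case continues outside the hunk.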


svn commit: r365449 - head/sbin/rcorder

2020-09-08 Thread Andrey V. Elsukov
Author: ae
Date: Tue Sep  8 10:36:11 2020
New Revision: 365449
URL: https://svnweb.freebsd.org/changeset/base/365449

Log:
  Add a few features to rcorder:
  
  o Enhance dependency loop logging: print the full chain instead of the
    last link completing the loop;
  o Add -g option to generate dependency graph suitable for GraphViz
visualization, loops and other graph generation issues are highlighted
automatically;
  o Add -p option that enables grouping items that can be processed in
parallel.
  
  Submitted by: Boris Lytochkin 
  Reviewed by:  melifaro
  MFC after:1 week
  Differential Revision:https://reviews.freebsd.org/D25389

Modified:
  head/sbin/rcorder/rcorder.8
  head/sbin/rcorder/rcorder.c

Modified: head/sbin/rcorder/rcorder.8
==
--- head/sbin/rcorder/rcorder.8 Tue Sep  8 07:37:45 2020(r365448)
+++ head/sbin/rcorder/rcorder.8 Tue Sep  8 10:36:11 2020(r365449)
@@ -31,7 +31,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 22, 2020
+.Dd September 8, 2020
 .Dt RCORDER 8
 .Os
 .Sh NAME
@@ -39,6 +39,7 @@
 .Nd print a dependency ordering of interdependent files
 .Sh SYNOPSIS
 .Nm
+.Op Fl gp
 .Op Fl k Ar keep
 .Op Fl s Ar skip
 .Ar
@@ -95,6 +96,9 @@ is reached, parsing stops.
 .Pp
 The options are as follows:
 .Bl -tag -width "-k keep"
+.It Fl g
+Produce a GraphViz (.dot) of the complete dependency graph instead of
+plaintext calling order list.
 .It Fl k Ar keep
 Add the specified keyword to the
 .Dq "keep list" .
@@ -102,6 +106,9 @@ If any
 .Fl k
 option is given, only those files containing the matching keyword are listed.
 This option can be specified multiple times.
+.It Fl p
+Generate ordering suitable for parallel startup, placing files that can be
+executed simultaneously on the same line.
 .It Fl s Ar skip
 Add the specified keyword to the
 .Dq "skip list" .
@@ -178,19 +185,46 @@ The
 utility may print one of the following error messages and exit with a non-zero
 status if it encounters an error while processing the file list.
 .Bl -diag
-.It "Requirement %s has no providers, aborting."
+.It "Requirement %s in file %s has no providers."
 No file has a
 .Ql PROVIDE
 line corresponding to a condition present in a
 .Ql REQUIRE
 line in another file.
-.It "Circular dependency on provision %s, aborting."
+.It "Circular dependency on provision %s in file %s."
 A set of files has a circular dependency which was detected while
 processing the stated condition.
-.It "Circular dependency on file %s, aborting."
+Loop visualization follows this message.
+.It "Circular dependency on file %s."
 A set of files has a circular dependency which was detected while
 processing the stated file.
+.It "%s was seen in circular dependencies for %d times."
+Each node that was a part of circular dependency loops reports total number of
+such encounters.
+Start with files having biggest counter when fighting with broken dependencies.
 .El
+.Sh DIAGNOSTICS WITH GRAPHVIZ
+Direct dependency is drawn with solid line,
+.Ql BEFORE
+dependency is drawn as a dashed line.
+Each node of a graph represents an item from
+.Ql PROVIDE
+lines.
+In case there are more than one file providing an item, a list of filenames
+shortened with
+.Xr basename 3
+is shown.
+Shortened filenames are also shown in case
+.Ql PROVIDE
+item does not match file name.
+.Pp
+Edges and nodes where circular dependencies were detected are drawn bold red.
+If a file has an item in
+.Ql REQUIRE
+or in
+.Ql BEFORE
+that could not be provided,
+this missing provider and the requirement will be drawn bold red as well.
 .Sh SEE ALSO
 .Xr acpiconf 8 ,
 .Xr rc 8 ,

Modified: head/sbin/rcorder/rcorder.c
==
--- head/sbin/rcorder/rcorder.c Tue Sep  8 07:37:45 2020(r365448)
+++ head/sbin/rcorder/rcorder.c Tue Sep  8 10:36:11 2020(r365449)
@@ -9,6 +9,8 @@
  * All rights reserved.
  * Copyright (c) 1998
  * Perry E. Metzger.  All rights reserved.
+ * Copyright (c) 2020
+ * Boris N. Lytochkin. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -48,6 +50,8 @@ __FBSDID("$FreeBSD$");
 #include 
 #include 
 #include 
+#include 
+#include 
 
 #include "ealloc.h"
 #include "sprite.h"
@@ -75,17 +79,21 @@ static int debug = 0;
 #define KEYWORDS_STR   "# KEYWORDS:"
 #define KEYWORDS_LEN   (sizeof(KEYWORDS_STR) - 1)
 
+#defineFAKE_PROV_NAME  "fake_prov_"
+
 static int exit_code;
 static int file_count;
 static char **file_list;
 
-typedef int bool;
 #define TRUE 1
 #define FALSE 0
 typedef bool flag;
 #define SET TRUE
 #define RESET FALSE
 
+static flag do_graphviz = false;
+static flag do_parallel = false;
+
 static Hash_Table provide_hash_s, *provide_hash;
 
 typedef struct provnode provnode;
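Review bot: With `typedef int bool;` removed, `flag` is presumably now the `<stdbool.h>` bool (the added include names are not legible in this listing), yet the `TRUE`/`FALSE`/`SET`/`RESET` macros stay alongside the new `do_graphviz = false`, so the file now spells the same two values in two ways. Dropping the macros in favour of `true`/`false`, or at least defining them as `true`/`false`, would avoid the mix. `FAKE_PROV_NAME` also deserves a comment stating what a fake provider is and where the suffix comes from; its uses are not in this hunk.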
@@ -97,12 +105,14 @@ typedef struct strnodelist strnodelist;
 

svn commit: r363908 - head/share/dtrace

2020-08-05 Thread Andrey V. Elsukov
Author: ae
Date: Wed Aug  5 11:54:02 2020
New Revision: 363908
URL: https://svnweb.freebsd.org/changeset/base/363908

Log:
  Synchronize definitions in mbuf.d with values from mbuf.h
  
  Obtained from:Yandex LLC
  Sponsored by: Yandex LLC

Modified:
  head/share/dtrace/mbuf.d

Modified: head/share/dtrace/mbuf.d
==
--- head/share/dtrace/mbuf.dWed Aug  5 11:41:41 2020(r363907)
+++ head/share/dtrace/mbuf.dWed Aug  5 11:54:02 2020(r363908)
@@ -53,37 +53,41 @@ inline int M_MCAST =0x0020; /* send/received as 
l
 inline int M_PROMISC = 0x0040; /* packet was not for us */
 #pragma D binding "1.6.3" M_VLANTAG
 inline int M_VLANTAG = 0x0080; /* ether_vtag is valid */
-#pragma D binding "1.6.3" M_UNUSED_8
-inline int M_UNUSED_8 =0x0100; /* --available-- */
+#pragma D binding "1.13" M_EXTPG
+inline int M_EXTPG =   0x0100; /* has array of unmapped pages and TLS */
 #pragma D binding "1.6.3" M_NOFREE
 inline int M_NOFREE =  0x0200; /* do not free mbuf, embedded in cluster */
+#pragma D binding "1.13" M_TSTMP
+inline int M_TSTMP =   0x0400; /* rcv_tstmp field is valid */
+#pragma D binding "1.13" M_TSTMP_HPREC
+inline int M_TSTMP_HPREC = 0x0800; /* rcv_tstmp is high-prec */
+#pragma D binding "1.13" M_TSTMP_LRO
+inline int M_TSTMP_LRO = 0x1000; /* Time LRO pushed in pkt is valid */
+ 
+#pragma D binding "1.13" M_PROTO1
+inline int M_PROTO1 =  0x2000; /* protocol-specific */
+#pragma D binding "1.13" M_PROTO2
+inline int M_PROTO2 =  0x4000; /* protocol-specific */
+#pragma D binding "1.13" M_PROTO3
+inline int M_PROTO3 =  0x8000; /* protocol-specific */
+#pragma D binding "1.13" M_PROTO4
+inline int M_PROTO4 =  0x0001; /* protocol-specific */
+#pragma D binding "1.13" M_PROTO5
+inline int M_PROTO5 =  0x0002; /* protocol-specific */
+#pragma D binding "1.13" M_PROTO6
+inline int M_PROTO6 =  0x0004; /* protocol-specific */
+#pragma D binding "1.13" M_PROTO7
+inline int M_PROTO7 =  0x0008; /* protocol-specific */
+#pragma D binding "1.13" M_PROTO8
+inline int M_PROTO8 =  0x0010; /* protocol-specific */
+#pragma D binding "1.13" M_PROTO9
+inline int M_PROTO9 =  0x0020; /* protocol-specific */
+#pragma D binding "1.13" M_PROTO10
+inline int M_PROTO10 = 0x0040; /* protocol-specific */
+#pragma D binding "1.13" M_PROTO11
+inline int M_PROTO11 = 0x0080; /* protocol-specific */
 
-#pragma D binding "1.6.3" M_PROTO1
-inline int M_PROTO1 =  0x1000; /* protocol-specific */
-#pragma D binding "1.6.3" M_PROTO2
-inline int M_PROTO2 =  0x2000; /* protocol-specific */
-#pragma D binding "1.6.3" M_PROTO3
-inline int M_PROTO3 =  0x4000; /* protocol-specific */
-#pragma D binding "1.6.3" M_PROTO4
-inline int M_PROTO4 =  0x8000; /* protocol-specific */
-#pragma D binding "1.6.3" M_PROTO5
-inline int M_PROTO5 =  0x0001; /* protocol-specific */
-#pragma D binding "1.6.3" M_PROTO6
-inline int M_PROTO6 =  0x0002; /* protocol-specific */
-#pragma D binding "1.6.3" M_PROTO7
-inline int M_PROTO7 =  0x0004; /* protocol-specific */
-#pragma D binding "1.6.3" M_PROTO8
-inline int M_PROTO8 =  0x0008; /* protocol-specific */
-#pragma D binding "1.6.3" M_PROTO9
-inline int M_PROTO9 =  0x0010; /* protocol-specific */
-#pragma D binding "1.6.3" M_PROTO10
-inline int M_PROTO10 = 0x0020; /* protocol-specific */
-#pragma D binding "1.6.3" M_PROTO11
-inline int M_PROTO11 = 0x0040; /* protocol-specific */
-#pragma D binding "1.6.3" M_PROTO12
-inline int M_PROTO12 = 0x0080; /* protocol-specific */
-
-#pragma D binding "1.6.3" mbufflags_string
+#pragma D binding "1.13" mbufflags_string
 inline string mbufflags_string[uint32_t flags] =
 flags & M_EXT ? "M_EXT" :
 flags & M_PKTHDR ? "M_PKTHDR" :
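Review bot: As rendered here, M_PROTO4 through M_PROTO11 are `0x0001` through `0x0080`, which would collide with the low-order flag bits defined earlier in the file (outside the hunk) and make mbufflags_string report the wrong name. The removed M_PROTO5..M_PROTO12 lines show the same four-digit values, so this is almost certainly a listing artefact that dropped the high zeros (e.g. `0x00010000`), but the committed file should be diffed against the values in mbuf.h to be sure. The blank line added after M_TSTMP_LRO carries trailing whitespace, and `inline int M_TSTMP_LRO = 0x1000;` breaks the column alignment its neighbours keep.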
@@ -93,8 +97,11 @@ inline string mbufflags_string[uint32_t flags] =
 flags & M_MCAST? "M_MCAST" :
 flags & M_PROMISC  ? "M_PROMISC" :
 flags & M_VLANTAG  ? "M_VLANTAG" :
-flags & M_UNUSED_8 ? "M_UNUSED_8" :
-flags & M_NOFREE  ? "M_NOFREE" :
+flags & M_EXTPG? "M_EXTPG" :
+flags & M_NOFREE   ? "M_NOFREE" :
+flags & M_TSTMP? "M_TSTMP" :
+flags & M_TSTMP_HPREC ? "M_TSTMP_HPREC" :
+flags & M_TSTMP_LRO ? "M_TSTMP_LRO" :
 flags & M_PROTO1  ? "M_PROTO1" :
 flags & M_PROTO2 ? "M_PROTO2" :
 flags & M_PROTO3 ? "M_PROTO3" :
@@ -106,7 +113,6 @@ inline string mbufflags_string[uint32_t flags] =
 flags & M_PROTO9 ? "M_PROTO9" :
 flags & M_PROTO10 ? "M_PROTO10" :
 flags & M_PROTO11 ? "M_PROTO11" :
-flags & M_PROTO12 ? "M_PROTO12" :
 "none" ;
 
 typedef struct mbufinfo {


svn commit: r363906 - in head/sys: kern sys

2020-08-05 Thread Andrey V. Elsukov
Author: ae
Date: Wed Aug  5 11:39:09 2020
New Revision: 363906
URL: https://svnweb.freebsd.org/changeset/base/363906

Log:
  Add m__getjcl SDT probe.
  
  Obtained from:Yandex LLC
  MFC after:1 week
  Sponsored by: Yandex LLC

Modified:
  head/sys/kern/kern_mbuf.c
  head/sys/kern/uipc_mbuf.c
  head/sys/sys/mbuf.h

Modified: head/sys/kern/kern_mbuf.c
==
--- head/sys/kern/kern_mbuf.c   Wed Aug  5 11:38:33 2020(r363905)
+++ head/sys/kern/kern_mbuf.c   Wed Aug  5 11:39:09 2020(r363906)
@@ -1397,6 +1397,7 @@ m_getjcl(int how, short type, int flags, int size)
uma_zfree(zone_mbuf, m);
return (NULL);
}
+   MBUF_PROBE5(m__getjcl, how, type, flags, size, m);
return (m);
 }
 
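Review bot: `MBUF_PROBE5(m__getjcl, ...)` sits after the NULL return, so the probe never fires for a failed cluster allocation and a consumer cannot use it to observe failures. If the sibling m__getcl probe fires with `m == NULL` as well (I believe it does, but that code is outside the hunk), placing this one before the `if (n == NULL)` check would make the two consistent; otherwise a one-line comment that the probe reports successful allocations only would settle it. m_getjcl() begins outside the hunk.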

Modified: head/sys/kern/uipc_mbuf.c
==
--- head/sys/kern/uipc_mbuf.c   Wed Aug  5 11:38:33 2020(r363905)
+++ head/sys/kern/uipc_mbuf.c   Wed Aug  5 11:39:09 2020(r363906)
@@ -78,6 +78,13 @@ SDT_PROBE_DEFINE4_XLATE(sdt, , , m__getcl,
 "uint32_t", "uint32_t",
 "struct mbuf *", "mbufinfo_t *");
 
+SDT_PROBE_DEFINE5_XLATE(sdt, , , m__getjcl,
+"uint32_t", "uint32_t",
+"uint16_t", "uint16_t",
+"uint32_t", "uint32_t",
+"uint32_t", "uint32_t",
+"struct mbuf *", "mbufinfo_t *");
+
 SDT_PROBE_DEFINE3_XLATE(sdt, , , m__clget,
 "struct mbuf *", "mbufinfo_t *",
 "uint32_t", "uint32_t",

Modified: head/sys/sys/mbuf.h
==
--- head/sys/sys/mbuf.h Wed Aug  5 11:38:33 2020(r363905)
+++ head/sys/sys/mbuf.h Wed Aug  5 11:39:09 2020(r363906)
@@ -65,6 +65,7 @@ SDT_PROBE_DECLARE(sdt, , , m__init);
 SDT_PROBE_DECLARE(sdt, , , m__gethdr);
 SDT_PROBE_DECLARE(sdt, , , m__get);
 SDT_PROBE_DECLARE(sdt, , , m__getcl);
+SDT_PROBE_DECLARE(sdt, , , m__getjcl);
 SDT_PROBE_DECLARE(sdt, , , m__clget);
 SDT_PROBE_DECLARE(sdt, , , m__cljget);
 SDT_PROBE_DECLARE(sdt, , , m__cljset);


svn commit: r363904 - head/sbin/ipfw

2020-08-05 Thread Andrey V. Elsukov
Author: ae
Date: Wed Aug  5 11:26:49 2020
New Revision: 363904
URL: https://svnweb.freebsd.org/changeset/base/363904

Log:
  Fix SIGSEGV in ipfw(8) when NAT64 prefix length is omitted.
  
  Submitted by: Evgeniy Khramtsov 
  MFC after:1 week
  Differential Revision:https://reviews.freebsd.org/D25734

Modified:
  head/sbin/ipfw/nat64clat.c
  head/sbin/ipfw/nat64stl.c

Modified: head/sbin/ipfw/nat64clat.c
==
--- head/sbin/ipfw/nat64clat.c  Wed Aug  5 11:26:14 2020(r363903)
+++ head/sbin/ipfw/nat64clat.c  Wed Aug  5 11:26:49 2020(r363904)
@@ -303,6 +303,9 @@ nat64clat_config(const char *name, uint8_t set, int ac
 
if ((p = strchr(*av, '/')) != NULL)
*p++ = '\0';
+   else
+   errx(EX_USAGE,
+   "Prefix length required: %s", *av);
if (inet_pton(AF_INET6, *av, ) != 1)
errx(EX_USAGE,
"Bad prefix: %s", *av);
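Review bot: The new `else errx(...)` catches a missing `/`, but an empty length after it (`prefix/`) passes this check with `*p == '\0'` and is only caught, if at all, by whatever parses `p` further down, which is outside the hunk. Testing before the split handles both at once and keeps the full argument in the message: `if ((p = strchr(*av, '/')) == NULL || p[1] == '\0') errx(EX_USAGE, "Prefix length required: %s", *av); *p++ = '\0';`. The identical block is added to nat64stl_create() in the next file section; since the two are otherwise the same, a shared prefix-splitting helper would keep them from drifting apart.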

Modified: head/sbin/ipfw/nat64stl.c
==
--- head/sbin/ipfw/nat64stl.c   Wed Aug  5 11:26:14 2020(r363903)
+++ head/sbin/ipfw/nat64stl.c   Wed Aug  5 11:26:49 2020(r363904)
@@ -249,6 +249,9 @@ nat64stl_create(const char *name, uint8_t set, int ac,
NEED1("IPv6 prefix6 required");
if ((p = strchr(*av, '/')) != NULL)
*p++ = '\0';
+   else
+   errx(EX_USAGE,
+   "Prefix length required: %s", *av);
if (inet_pton(AF_INET6, *av, >prefix6) != 1)
errx(EX_USAGE,
"Bad prefix: %s", *av);


svn commit: r363900 - head/sys/netinet6

2020-08-05 Thread Andrey V. Elsukov
Author: ae
Date: Wed Aug  5 10:27:11 2020
New Revision: 363900
URL: https://svnweb.freebsd.org/changeset/base/363900

Log:
  Fix typo.
  
  Submitted by: Evgeniy Khramtsov 
  MFC after:1 week
  Differential Revision:https://reviews.freebsd.org/D25932

Modified:
  head/sys/netinet6/in6_proto.c

Modified: head/sys/netinet6/in6_proto.c
==
--- head/sys/netinet6/in6_proto.c   Wed Aug  5 10:12:19 2020
(r363899)
+++ head/sys/netinet6/in6_proto.c   Wed Aug  5 10:27:11 2020
(r363900)
@@ -586,7 +586,7 @@ SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_USELOOPBACK
"Create a loopback route when configuring an IPv6 address");
 SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_NODEINFO, nodeinfo,
CTLFLAG_VNET | CTLFLAG_RW, _NAME(icmp6_nodeinfo), 0,
-   "Mask of enabled RF4620 node information query types");
+   "Mask of enabled RFC4620 node information query types");
 SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_NODEINFO_OLDMCPREFIX,
nodeinfo_oldmcprefix, CTLFLAG_VNET | CTLFLAG_RW,
_NAME(icmp6_nodeinfo_oldmcprefix), 0,


svn commit: r363888 - head/sys/netpfil/ipfw/nat64

2020-08-05 Thread Andrey V. Elsukov
Author: ae
Date: Wed Aug  5 09:16:35 2020
New Revision: 363888
URL: https://svnweb.freebsd.org/changeset/base/363888

Log:
  Handle delayed checksums if needed in NAT64.
  
  Upper level protocols defer checksums calculation in hope we have
  checksums offloading in a network card. CSUM_DELAY_DATA flag is used
  to determine that checksum calculation was deferred. And IP output
  routine checks for this flag before passing the mbuf to the lower layer.
  Forwarded packets do not have this flag.
  
  NAT64 uses checksums adjustment when it translates IP headers.
  In most cases NAT64 is used for forwarded packets, but in case when it
  handles locally originated packets we need to finish checksum calculation
  that was deferred to correctly adjust it.
  
  Add check for presence of CSUM_DELAY_DATA flag and finish checksum
  calculation before adjustment.
  
  Reported and tested by:   Evgeniy Khramtsov 
  MFC after:1 week

Modified:
  head/sys/netpfil/ipfw/nat64/nat64_translate.c

Modified: head/sys/netpfil/ipfw/nat64/nat64_translate.c
==
--- head/sys/netpfil/ipfw/nat64/nat64_translate.c   Wed Aug  5 08:31:26 
2020(r363887)
+++ head/sys/netpfil/ipfw/nat64/nat64_translate.c   Wed Aug  5 09:16:35 
2020(r363888)
@@ -1294,6 +1294,12 @@ nat64_do_handle_ip4(struct mbuf *m, struct in6_addr *s
ip6.ip6_hlim -= IPTTLDEC;
ip6.ip6_plen = htons(plen);
ip6.ip6_nxt = (proto == IPPROTO_ICMP) ? IPPROTO_ICMPV6: proto;
+
+   /* Handle delayed checksums if needed. */
+   if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
+   in_delayed_cksum(m);
+   m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
+   }
/* Convert checksums. */
switch (proto) {
case IPPROTO_TCP:
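Review bot: The added block at L1080-1083 gives no reason why a translator has to finish a deferred checksum, and the same block is repeated in nat64_do_handle_ip6 (the hunk ending at L1099) with the IPv6 flag. A comment such as `/* Locally originated packets may leave the L4 checksum to the NIC (CSUM_DELAY_DATA); finish it now so the incremental adjustment below starts from a valid checksum. */` would record the reasoning from the commit log next to the code. In the IPv6 hunk, in6_delayed_cksum() is passed plen and hlen, which is correct only if hlen is the byte offset of the transport header; the hunk does not show where hlen comes from, so confirm. Both enclosing functions start and end outside the hunks.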
@@ -1665,6 +1671,12 @@ nat64_do_handle_ip6(struct mbuf *m, uint32_t aaddr, ui
return (NAT64RETURN);
}
nat64_init_ip4hdr(ip6, frag, plen, proto, );
+
+   /* Handle delayed checksums if needed. */
+   if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) {
+   in6_delayed_cksum(m, plen, hlen);
+   m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6;
+   }
/* Convert checksums. */
switch (proto) {
case IPPROTO_TCP:


Re: svn commit: r362338 - in head: share/man/man4 sys/conf sys/kern sys/netinet sys/netinet6 sys/netipsec sys/netpfil/pf

2020-06-23 Thread Andrey V. Elsukov
On 23.06.2020 01:20, John Baldwin wrote:
>> I tend to assume that a buildkernel of GENERIC without any special flags
>> will always build all modules (except those not available for the target
>> platform of course), so I was a bit surprised to see that this isn't the
>> case for ipsec.ko.  As Rodney pointed out it provides marginally better
>> coverage against build breaks.  If you think we can restore the old
>> behaviour for ipsec without too much work I think it'd be reasonable to
>> change that and compile sctp.ko even when "options SCTP" is configured.
>> I can't spot any similar cases in sys/modules/Makefile with a bit of
>> skimming.
> 
> I don't think ipsec.ko is easily fixable when I looked at it.  I think it
> is fine to leave sctp.ko building as part of GENERIC though.

Hi,

I'm sorry, I missed these changes, but in the past there weren't any
problems building the ipsec.ko module with or without any of the possible options.
I'll try to look at what happened and what can be done to fix this at the
weekend.

-- 
WBR, Andrey V. Elsukov


svn commit: r361749 - head/sys/net

2020-06-03 Thread Andrey V. Elsukov
Author: ae
Date: Wed Jun  3 13:02:31 2020
New Revision: 361749
URL: https://svnweb.freebsd.org/changeset/base/361749

Log:
  Add if_reassing method to all tunneling interfaces.
  
  After r339550 tunneling interfaces have started handle appearing and
  disappearing of ingress IP address on the host system.
  When such interfaces are moving into VNET jail, they lose ability to
  properly handle ifaddr_event_ext event. And this leads to need to
  reconfigure tunnel to make it working again.
  
  Since moving an interface into a VNET jail removes all of its IP
  addresses, it seems consistent that the tunnel configuration should also
  be cleared. This is what the if_reassign method does.
  
  Reported by:  John W. O'Brien 
  MFC after:1 week

Modified:
  head/sys/net/if_gif.c
  head/sys/net/if_gre.c
  head/sys/net/if_ipsec.c
  head/sys/net/if_me.c

Modified: head/sys/net/if_gif.c
==
--- head/sys/net/if_gif.c   Wed Jun  3 09:38:51 2020(r361748)
+++ head/sys/net/if_gif.c   Wed Jun  3 13:02:31 2020(r361749)
@@ -104,6 +104,9 @@ void(*ng_gif_input_orphan_p)(struct ifnet *ifp, 
struc
 void   (*ng_gif_attach_p)(struct ifnet *ifp);
 void   (*ng_gif_detach_p)(struct ifnet *ifp);
 
+#ifdef VIMAGE
+static voidgif_reassign(struct ifnet *, struct vnet *, char *);
+#endif
 static voidgif_delete_tunnel(struct gif_softc *);
 static int gif_ioctl(struct ifnet *, u_long, caddr_t);
 static int gif_transmit(struct ifnet *, struct mbuf *);
@@ -150,6 +153,9 @@ gif_clone_create(struct if_clone *ifc, int unit, caddr
GIF2IFP(sc)->if_transmit = gif_transmit;
GIF2IFP(sc)->if_qflush = gif_qflush;
GIF2IFP(sc)->if_output = gif_output;
+#ifdef VIMAGE
+   GIF2IFP(sc)->if_reassign = gif_reassign;
+#endif
GIF2IFP(sc)->if_capabilities |= IFCAP_LINKSTATE;
GIF2IFP(sc)->if_capenable |= IFCAP_LINKSTATE;
if_attach(GIF2IFP(sc));
@@ -159,6 +165,21 @@ gif_clone_create(struct if_clone *ifc, int unit, caddr
 
return (0);
 }
+
+#ifdef VIMAGE
+static void
+gif_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused,
+char *unused __unused)
+{
+   struct gif_softc *sc;
+
+   sx_xlock(_ioctl_sx);
+   sc = ifp->if_softc;
+   if (sc != NULL)
+   gif_delete_tunnel(sc);
+   sx_xunlock(_ioctl_sx);
+}
+#endif /* VIMAGE */
 
 static void
 gif_clone_destroy(struct ifnet *ifp)
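Review bot: gif_reassign at L1199-L1210 has no comment recording why the tunnel is torn down on a vnet move, and the same body is duplicated verbatim for gre (hunk ending at L1260) and, judging by the declaration hunk, presumably for ipsec as well. A comment above the function such as `/* Moving to another vnet drops all addresses, so the tunnel endpoints are no longer valid; clear the tunnel configuration. */` would carry the rationale from the commit log into the code. The `sc != NULL` check at L1207 looks defensive rather than required, since if_softc is assigned at clone creation; if a NULL softc is genuinely reachable here, a comment should say when.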

Modified: head/sys/net/if_gre.c
==
--- head/sys/net/if_gre.c   Wed Jun  3 09:38:51 2020(r361748)
+++ head/sys/net/if_gre.c   Wed Jun  3 13:02:31 2020(r361749)
@@ -107,6 +107,9 @@ static void gre_clone_destroy(struct ifnet *);
 VNET_DEFINE_STATIC(struct if_clone *, gre_cloner);
 #defineV_gre_clonerVNET(gre_cloner)
 
+#ifdef VIMAGE
+static voidgre_reassign(struct ifnet *, struct vnet *, char *);
+#endif
 static voidgre_qflush(struct ifnet *);
 static int gre_transmit(struct ifnet *, struct mbuf *);
 static int gre_ioctl(struct ifnet *, u_long, caddr_t);
@@ -183,12 +186,30 @@ gre_clone_create(struct if_clone *ifc, int unit, caddr
GRE2IFP(sc)->if_ioctl = gre_ioctl;
GRE2IFP(sc)->if_transmit = gre_transmit;
GRE2IFP(sc)->if_qflush = gre_qflush;
+#ifdef VIMAGE
+   GRE2IFP(sc)->if_reassign = gre_reassign;
+#endif
GRE2IFP(sc)->if_capabilities |= IFCAP_LINKSTATE;
GRE2IFP(sc)->if_capenable |= IFCAP_LINKSTATE;
if_attach(GRE2IFP(sc));
bpfattach(GRE2IFP(sc), DLT_NULL, sizeof(u_int32_t));
return (0);
 }
+
+#ifdef VIMAGE
+static void
+gre_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused,
+char *unused __unused)
+{
+   struct gre_softc *sc;
+
+   sx_xlock(_ioctl_sx);
+   sc = ifp->if_softc;
+   if (sc != NULL)
+   gre_delete_tunnel(sc);
+   sx_xunlock(_ioctl_sx);
+}
+#endif /* VIMAGE */
 
 static void
 gre_clone_destroy(struct ifnet *ifp)

Modified: head/sys/net/if_ipsec.c
==
--- head/sys/net/if_ipsec.c Wed Jun  3 09:38:51 2020(r361748)
+++ head/sys/net/if_ipsec.c Wed Jun  3 13:02:31 2020(r361749)
@@ -170,6 +170,9 @@ static int  ipsec_set_addresses(struct ifnet *, struct 
 static int ipsec_set_reqid(struct ipsec_softc *, uint32_t);
 static voidipsec_set_running(struct ipsec_softc *);
 
+#ifdef VIMAGE
+static voidipsec_reassign(struct ifnet *, struct vnet *, char *);
+#endif
 static voidipsec_srcaddr(void *, const struct sockaddr *, int);
 static int ipsec_ioctl(struct ifnet *, u_long, caddr_t);
 static int ipsec_transmit(struct ifnet *, struct mbuf *);
@@ -201,11 +204,29 @@ ipsec_clone_create(struct if_clone *ifc, int unit, cad
ifp->if_transmit  = ipsec_transmit;
ifp->if_qflush  = ipsec_qflush;

svn commit: r361624 - head/sys/netpfil/ipfw

2020-05-29 Thread Andrey V. Elsukov
Author: ae
Date: Fri May 29 10:37:42 2020
New Revision: 361624
URL: https://svnweb.freebsd.org/changeset/base/361624

Log:
  Fix O_IP_FLOW_LOOKUP opcode handling.
  
  Do not check table value matching when table lookup has failed.
  
  Reported by:  Sergey Lobanov
  MFC after:1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==
--- head/sys/netpfil/ipfw/ip_fw2.c  Fri May 29 10:09:47 2020
(r361623)
+++ head/sys/netpfil/ipfw/ip_fw2.c  Fri May 29 10:37:42 2020
(r361624)
@@ -2106,6 +2106,8 @@ do {  
\
uint32_t v = 0;
match = ipfw_lookup_table(chain,
cmd->arg1, 0, >f_id, );
+   if (!match)
+   break;
if (cmdlen == 
F_INSN_SIZE(ipfw_insn_u32))
match = ((ipfw_insn_u32 
*)cmd)->d[0] ==
TARG_VAL(chain, v, tag);


svn commit: r359498 - head/sys/netinet6

2020-03-31 Thread Andrey V. Elsukov
Author: ae
Date: Wed Apr  1 02:13:01 2020
New Revision: 359498
URL: https://svnweb.freebsd.org/changeset/base/359498

Log:
  Ignore ND6 neighbor advertisement received for static link-layer entries.
  
  Previously such NA could override manually created LLE.
  
  Reported by:  Martin Beran 
  Reviewed by:  melifaro
  MFC after:10 days

Modified:
  head/sys/netinet6/nd6_nbr.c

Modified: head/sys/netinet6/nd6_nbr.c
==
--- head/sys/netinet6/nd6_nbr.c Tue Mar 31 22:41:57 2020(r359497)
+++ head/sys/netinet6/nd6_nbr.c Wed Apr  1 02:13:01 2020(r359498)
@@ -754,6 +754,12 @@ nd6_na_input(struct mbuf *m, int off, int icmp6len)
goto freeit;
}
 
+   /*
+* Do not try to override static entry.
+*/
+   if (ln->la_flags & LLE_STATIC)
+   goto freeit;
+
if (ln->ln_state == ND6_LLINFO_INCOMPLETE) {
/*
 * If the link-layer has address, and no lladdr option came,
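Review bot: The new LLE_STATIC check at L1354-1355 drops the advertisement silently with no counter or log; an NA that tries to overwrite an administratively configured entry is exactly the event an operator would want to see when investigating neighbor spoofing, so consider bumping an ND6 statistic on this path if a suitable one exists. The comment could also state the reason rather than the action: `/* Static entries are administratively configured; never let a received NA override them. */`. nd6_na_input starts and ends outside the hunk, so whether the freeit path releases the lock held on ln cannot be checked here.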


svn commit: r359328 - head/usr.sbin/syslogd

2020-03-26 Thread Andrey V. Elsukov
Author: ae
Date: Thu Mar 26 12:00:26 2020
New Revision: 359328
URL: https://svnweb.freebsd.org/changeset/base/359328

Log:
  Fix typo.
  
  MFC after:2 weeks

Modified:
  head/usr.sbin/syslogd/syslog.conf.5

Modified: head/usr.sbin/syslogd/syslog.conf.5
==
--- head/usr.sbin/syslogd/syslog.conf.5 Thu Mar 26 11:54:25 2020
(r359327)
+++ head/usr.sbin/syslogd/syslog.conf.5 Thu Mar 26 12:00:26 2020
(r359328)
@@ -465,7 +465,7 @@ or
 followed by three comma-separated fields
 .Em property , operator , \&"value\&" .
 Value must be double-quoted. A double quote and backslash must be escaped by
-a blackslash.
+a backslash.
 .Pp
 Following
 .Em properties


svn commit: r359327 - head/usr.sbin/syslogd

2020-03-26 Thread Andrey V. Elsukov
Author: ae
Date: Thu Mar 26 11:54:25 2020
New Revision: 359327
URL: https://svnweb.freebsd.org/changeset/base/359327

Log:
  Add property-based filters for syslogd.
  
  Property-based filters allow substring and regular expressions
  (see re_format(7)) matching against various message attributes.
  Filter specification starts with '#:' or ':' followed by three
  comma-separated fields property, operator, "value". Value must be
  double-quoted. A double quote and backslash must be escaped by a
  backslash.
  
  Following properties are supported as test value:
  o msg - body of the message received;
  o programname - program name sent the message;
  o hostname - hostname of message's originator;
  o source - an alias for hostname.
  
  Supported operators:
  o contains - true if filter value is found as a substring of property;
  o isequal - true if filter value is equal to property;
  o startswith - true if property starts with filter value;
  o regex - true if property matches basic regular expression defined
  in filter value;
  o ereregex - true if property matches extended regular expression
  defined in filter value;
  
  Operator may be prefixed by '!' to invert compare logic or by
  'icase_' to make comparison function case insensitive.
  
  Submitted by: Boris N. Lytochkin 
  MFC after:2 weeks
  Relnotes: yes
  Differential Revision:https://reviews.freebsd.org/D23468

Modified:
  head/usr.sbin/syslogd/syslog.conf.5
  head/usr.sbin/syslogd/syslogd.c

Modified: head/usr.sbin/syslogd/syslog.conf.5
==
--- head/usr.sbin/syslogd/syslog.conf.5 Thu Mar 26 11:24:43 2020
(r359326)
+++ head/usr.sbin/syslogd/syslog.conf.5 Thu Mar 26 11:54:25 2020
(r359327)
@@ -28,7 +28,7 @@
 .\" @(#)syslog.conf.5  8.1 (Berkeley) 6/9/93
 .\" $FreeBSD$
 .\"
-.Dd November 1, 2016
+.Dd March 26, 2020
 .Dt SYSLOG.CONF 5
 .Os
 .Sh NAME
@@ -44,9 +44,10 @@ file is the configuration file for the
 program.
 It consists of
 blocks of lines separated by
-.Em program
-and
+.Em program ,
 .Em hostname
+or
+.Em property-based filter
 specifications (separations appear alone on their lines),
 with each line containing two fields: the
 .Em selector
@@ -154,14 +155,16 @@ values specified to the
 library routine.
 .Pp
 Each block of lines is separated from the previous block by a
-.Em program
-or
+.Em program ,
 .Em hostname
+or
+.Em property-based filter
 specification.
 A block will only log messages corresponding to the most recent
-.Em program
-and
+.Em program ,
 .Em hostname
+and
+.Em property-based filter
 specifications given.
 Thus, with a block which selects
 .Ql ppp
@@ -236,11 +239,24 @@ As for program specifications, multiple comma-separate
 values may be specified for hostname specifications.
 .Pp
 A
-.Em program
+.Em property-based filter
+specification is a line beginning with
+.Ql #:
 or
+.Ql \&:
+and the following blocks will be applied only when filter value
+matches given filter propertie's value. See
+.Sx PROPERTY-BASED FILTERS
+section for more details.
+.Pp
+A
+.Em program ,
 .Em hostname
-specification may be reset by giving the program or hostname as
-.Ql * .
+or
+.Em property-based filter
+specification may be reset by giving
+.Ql *
+as an argument.
 .Pp
 See
 .Xr syslog 3
@@ -434,6 +450,78 @@ in this case preceding
 is removed and
 .Ql #
 is treated as an ordinary character.
+.Sh PROPERTY-BASED FILTERS
+.Em program ,
+.Em hostname
+specifications performs exact match filtering against explicit field only.
+.Em Property-based filters
+feature substring and regular expressions (see
+.Xr re_format 7 )
+matching against various message attributes.
+Filter specification starts with
+.Ql #:
+or
+.Ql \&:
+followed by three comma-separated fields
+.Em property , operator , \&"value\&" .
+Value must be double-quoted. A double quote and backslash must be escaped by
+a blackslash.
+.Pp
+Following
+.Em properties
+are supported as test value:
+.Pp
+.Bl -bullet -compact
+.It
+.Ql msg
+- body of the message received.
+.It
+.Ql programname
+- program name sent the message
+.It
+.Ql hostname
+- hostname of message's originator
+.It
+.Ql source
+- an alias for hostname
+.El
+.Pp
+Operator specifies a comparison function between
+.Em propertie's
+ value against filter's value.
+Possible operators:
+.Pp
+.Bl -bullet -compact
+.It
+.Ql contains
+- true if filter value is found as a substring of
+.Em property
+.It
+.Ql isequal
+- true if filter value is equal to
+.Em property
+.It
+.Ql startswith
+- true if property starts with filter value
+.It
+.Ql regex
+- true if property matches basic regular expression defined in filter value
+.It
+.Ql ereregex
+- true if property matches extended regular expression defined in filter value
+.El
+.Pp
+Operator may be prefixed by
+.Pp
+.Bl -bullet -compact
+.It
+.Ql \&!
+- to invert compare logic
+.It
+.Ql icase_
+- to make comparison function case insensitive
+.El
+.Pp
 .Sh 

svn commit: r359271 - head/sbin/ipfw

2020-03-24 Thread Andrey V. Elsukov
Author: ae
Date: Tue Mar 24 12:27:02 2020
New Revision: 359271
URL: https://svnweb.freebsd.org/changeset/base/359271

Log:
  Use IP_FW_NAT44_DESTROY opcode for IP_FW3 socket option to destroy
  NAT instance.
  
  The NAT44 group of opcodes for the IP_FW3 socket option is the modern way
  to control NAT instances, and this method can be used in the future to
  switch from numeric to named NAT instances, as was done for ipfw
  tables.
  The IP_FW_NAT_DEL opcode is the last remnant of the old ipfw_ctl control
  plane, which doesn't support versioned operations. This interface will
  be retired soon.
  
  Reviewed by:  melifaro
  MFC after:10 days
  Sponsored by: Yandex LLC

Modified:
  head/sbin/ipfw/ipfw2.c
  head/sbin/ipfw/ipfw2.h
  head/sbin/ipfw/nat.c

Modified: head/sbin/ipfw/ipfw2.c
==
--- head/sbin/ipfw/ipfw2.c  Tue Mar 24 07:08:39 2020(r359270)
+++ head/sbin/ipfw/ipfw2.c  Tue Mar 24 12:27:02 2020(r359271)
@@ -3328,13 +3328,7 @@ ipfw_delete(char *av[])
j = strtol(sep + 1, NULL, 10);
av++;
if (co.do_nat) {
-   exitval = do_cmd(IP_FW_NAT_DEL, , sizeof i);
-   if (exitval) {
-   exitval = EX_UNAVAILABLE;
-   if (co.do_quiet)
-   continue;
-   warn("nat %u not available", i);
-   }
+   exitval = ipfw_delete_nat(i);
} else if (co.do_pipe) {
exitval = ipfw_delete_pipe(co.do_pipe, i);
} else {
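Review bot: The removed code `continue`d the loop when co.do_quiet was set, whereas the replacement at L1647 only stores the return value of ipfw_delete_nat() and falls through to whatever follows the if/else chain; that code is outside the hunk, so confirm it does not act on a non-zero exitval in a way the old quiet path skipped. The enclosing loop in ipfw_delete starts and ends outside the hunk.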

Modified: head/sbin/ipfw/ipfw2.h
==
--- head/sbin/ipfw/ipfw2.h  Tue Mar 24 07:08:39 2020(r359270)
+++ head/sbin/ipfw/ipfw2.h  Tue Mar 24 12:27:02 2020(r359271)
@@ -387,6 +387,7 @@ extern int resvd_set_number;
 /* first-level command handlers */
 void ipfw_add(char *av[]);
 void ipfw_show_nat(int ac, char **av);
+int ipfw_delete_nat(int i);
 void ipfw_config_pipe(int ac, char **av);
 void ipfw_config_nat(int ac, char **av);
 void ipfw_sets_handler(char *av[]);

Modified: head/sbin/ipfw/nat.c
==
--- head/sbin/ipfw/nat.cTue Mar 24 07:08:39 2020(r359270)
+++ head/sbin/ipfw/nat.cTue Mar 24 12:27:02 2020(r359271)
@@ -939,6 +939,34 @@ ipfw_config_nat(int ac, char **av)
}
 }
 
+static void
+nat_fill_ntlv(ipfw_obj_ntlv *ntlv, int i)
+{
+
+   ntlv->head.type = IPFW_TLV_EACTION_NAME(1); /* it doesn't matter */
+   ntlv->head.length = sizeof(ipfw_obj_ntlv);
+   ntlv->idx = 1;
+   ntlv->set = 0; /* not yet */
+   snprintf(ntlv->name, sizeof(ntlv->name), "%d", i);
+}
+
+int
+ipfw_delete_nat(int i)
+{
+   ipfw_obj_header oh;
+   int ret;
+
+   memset(, 0, sizeof(oh));
+   nat_fill_ntlv(, i);
+   ret = do_set3(IP_FW_NAT44_DESTROY, , sizeof(oh));
+   if (ret == -1) {
+   if (!co.do_quiet)
+   warn("nat %u not available", i);
+   return (EX_UNAVAILABLE);
+   }
+   return (EX_OK);
+}
+
 struct nat_list_arg {
uint16_tcmd;
int is_all;
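Review bot: ipfw_delete_nat() passes an int to a `%u` conversion in `warn("nat %u not available", i)` at L1695; the conversion and argument type should agree, `warn("nat %d not available", i);`, or `i` should be unsigned throughout. nat_fill_ntlv's inline comments `/* it doesn't matter */` and `/* not yet */` do not say what is meant; if the intent is that the TLV type is not interpreted by the NAT44 destroy handler and that NAT instances are not yet set-aware, spell that out. A one-line header comment on ipfw_delete_nat stating that it returns EX_OK or EX_UNAVAILABLE and warns unless co.do_quiet is set would complete the contract for callers.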


Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf

2019-12-23 Thread Andrey V. Elsukov
On 21.12.2019 01:14, Gleb Smirnoff wrote:
> A> >   Another future feature is possiblity to create pfil heads, that provide
> A> >   not an mbuf pointer but just a memory pointer with length. That would
> A> >   allow filtering at very early stages of a packet lifecycle, e.g. when
> A> >   packet has just been received by a NIC and no mbuf was yet allocated.
> A> It seems that this commit has changed the error code returned from
> A> ip[6]_output() when a packet is blocked. Previously it was EACCES, but
> A> now it became EPERM. Was it intentional?
> 
> I don't think that was intentional. Can you please review this patch?

LGTM, thanks!

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf

2019-12-18 Thread Andrey V. Elsukov
On 01.02.2019 02:01, Gleb Smirnoff wrote:
> Author: glebius
> Date: Thu Jan 31 23:01:03 2019
> New Revision: 343631
> URL: https://svnweb.freebsd.org/changeset/base/343631
> 
> Log:
>   New pfil(9) KPI together with newborn pfil API and control utility.
>   
>   The KPI have been reviewed and cleansed of features that were planned
>   back 20 years ago and never implemented.  The pfil(9) internals have
>   been made opaque to protocols with only returned types and function
>   declarations exposed. The KPI is made more strict, but at the same time
>   more extensible, as kernel uses same command structures that userland
>   ioctl uses.
>   
>   In nutshell [KA]PI is about declaring filtering points, declaring
>   filters and linking and unlinking them together.
>   
>   New [KA]PI makes it possible to reconfigure pfil(9) configuration:
>   change order of hooks, rehook filter from one filtering point to a
>   different one, disconnect a hook on output leaving it on input only,
>   prepend/append a filter to existing list of filters.
>   
>   Now it possible for a single packet filter to provide multiple rulesets
>   that may be linked to different points. Think of per-interface ACLs in
>   Cisco or Juniper. None of existing packet filters yet support that,
>   however limited usage is already possible, e.g. default ruleset can
>   be moved to single interface, as soon as interface would pride their
>   filtering points.
>   
>   Another future feature is possiblity to create pfil heads, that provide
>   not an mbuf pointer but just a memory pointer with length. That would
>   allow filtering at very early stages of a packet lifecycle, e.g. when
>   packet has just been received by a NIC and no mbuf was yet allocated.
It seems that this commit has changed the error code returned from
ip[6]_output() when a packet is blocked. Previously it was EACCES, but
now it became EPERM. Was it intentional?

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r341578 - head/sys/dev/mlx5/mlx5_en

2019-12-17 Thread Andrey V. Elsukov
On 13.12.2019 17:27, Hans Petter Selasky wrote:
> On 2019-12-13 14:40, Andrey V. Elsukov wrote:
>> On 05.12.2018 17:20, Slava Shwartsman wrote:
>>> Author: slavash
>>> Date: Wed Dec  5 14:20:57 2018
>>> New Revision: 341578
>>> URL: https://svnweb.freebsd.org/changeset/base/341578
>>>
>>> Log:
>>>    mlx5en: Remove the DRBR and associated logic in the transmit path.
>>>       The hardware queues are deep enough currently and using the
>>> DRBR and associated
>>>    callbacks only leads to more task switching in the TX path. The is
>>> also a race
>>>    setting the queue_state which can lead to hung TX rings.
>>
>> JFYI. We have compared the same router+firewall workloads on the host
>> with this change and before, and I can say, that without DRBR on TX now
>> we constantly have several percents of packets drops due to ENOBUFS
>> error from mlx5e_xmit().
>>
> 
> Have you tried to tune the TX/RX parameters?
> 
> Especially the tx_queue_size .

We use the following settings:
% sysctl dev.mce.4.conf. | grep que
dev.mce.4.conf.rx_queue_size: 16384
dev.mce.4.conf.tx_queue_size: 16384
dev.mce.4.conf.rx_queue_size_max: 16384
dev.mce.4.conf.tx_queue_size_max: 16384

Also, previously I have patched MLX5E_SQ_TX_QUEUE_SIZE value up to 16384.

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r341578 - head/sys/dev/mlx5/mlx5_en

2019-12-13 Thread Andrey V. Elsukov
On 05.12.2018 17:20, Slava Shwartsman wrote:
> Author: slavash
> Date: Wed Dec  5 14:20:57 2018
> New Revision: 341578
> URL: https://svnweb.freebsd.org/changeset/base/341578
> 
> Log:
>   mlx5en: Remove the DRBR and associated logic in the transmit path.
>   
>   The hardware queues are deep enough currently and using the DRBR and 
> associated
>   callbacks only leads to more task switching in the TX path. The is also a 
> race
>   setting the queue_state which can lead to hung TX rings.

JFYI. We have compared the same router+firewall workloads on the host
with and without this change, and I can say that without DRBR on TX we
now constantly see several percent of packets dropped due to ENOBUFS
errors from mlx5e_xmit().

-- 
WBR, Andrey V. Elsukov





svn commit: r355712 - head/sys/netpfil/ipfw

2019-12-13 Thread Andrey V. Elsukov
Author: ae
Date: Fri Dec 13 11:47:58 2019
New Revision: 355712
URL: https://svnweb.freebsd.org/changeset/base/355712

Log:
  Make TCP options parsing stricter.
  
  Rework tcpopts_parse() to be more strict. Use a const pointer. Add length
  checks for specific TCP options. The main purpose of the change is
  to avoid possible accesses beyond the mbuf's data.
  
  Reported by:  Maxime Villard
  Reviewed by:  melifaro, emaste
  MFC after:1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==
--- head/sys/netpfil/ipfw/ip_fw2.c  Fri Dec 13 11:21:28 2019
(r355711)
+++ head/sys/netpfil/ipfw/ip_fw2.c  Fri Dec 13 11:47:58 2019
(r355712)
@@ -330,22 +330,27 @@ ipopts_match(struct ip *ip, ipfw_insn *cmd)
return (flags_match(cmd, bits));
 }
 
+/*
+ * Parse TCP options. The logic copied from tcp_dooptions().
+ */
 static int
-tcpopts_parse(struct tcphdr *tcp, uint16_t *mss)
+tcpopts_parse(const struct tcphdr *tcp, uint16_t *mss)
 {
-   u_char *cp = (u_char *)(tcp + 1);
+   const u_char *cp = (const u_char *)(tcp + 1);
int optlen, bits = 0;
-   int x = (tcp->th_off << 2) - sizeof(struct tcphdr);
+   int cnt = (tcp->th_off << 2) - sizeof(struct tcphdr);
 
-   for (; x > 0; x -= optlen, cp += optlen) {
+   for (; cnt > 0; cnt -= optlen, cp += optlen) {
int opt = cp[0];
if (opt == TCPOPT_EOL)
break;
if (opt == TCPOPT_NOP)
optlen = 1;
else {
+   if (cnt < 2)
+   break;
optlen = cp[1];
-   if (optlen <= 0)
+   if (optlen < 2 || optlen > cnt)
break;
}
 
@@ -354,22 +359,31 @@ tcpopts_parse(struct tcphdr *tcp, uint16_t *mss)
break;
 
case TCPOPT_MAXSEG:
+   if (optlen != TCPOLEN_MAXSEG)
+   break;
bits |= IP_FW_TCPOPT_MSS;
if (mss != NULL)
*mss = be16dec(cp + 2);
break;
 
case TCPOPT_WINDOW:
-   bits |= IP_FW_TCPOPT_WINDOW;
+   if (optlen == TCPOLEN_WINDOW)
+   bits |= IP_FW_TCPOPT_WINDOW;
break;
 
case TCPOPT_SACK_PERMITTED:
+   if (optlen == TCPOLEN_SACK_PERMITTED)
+   bits |= IP_FW_TCPOPT_SACK;
+   break;
+
case TCPOPT_SACK:
-   bits |= IP_FW_TCPOPT_SACK;
+   if (optlen > 2 && (optlen - 2) % TCPOLEN_SACK == 0)
+   bits |= IP_FW_TCPOPT_SACK;
break;
 
case TCPOPT_TIMESTAMP:
-   bits |= IP_FW_TCPOPT_TS;
+   if (optlen == TCPOLEN_TIMESTAMP)
+   bits |= IP_FW_TCPOPT_TS;
break;
}
}


svn commit: r355650 - in head/sys: modules/ipfw_nat64 netpfil/ipfw/nat64

2019-12-12 Thread Andrey V. Elsukov
Author: ae
Date: Thu Dec 12 13:28:46 2019
New Revision: 355650
URL: https://svnweb.freebsd.org/changeset/base/355650

Log:
  Follow RFC 4443 p2.2 and always use own addresses for reflected ICMPv6
  datagrams.
  
  Previously destination address from original datagram was used. That
  looked confusing, especially in the traceroute6 output.
  Also honor IPSTEALTH kernel option and do TTL/HLIM decrementing only
  when stealth mode is disabled.
  
  Reported by:  Marco van Tol 
  Reviewed by:  melifaro
  MFC after:2 weeks
  Sponsored by: Yandex LLC
  Differential Revision:https://reviews.freebsd.org/D22631

Modified:
  head/sys/modules/ipfw_nat64/Makefile
  head/sys/netpfil/ipfw/nat64/nat64_translate.c

Modified: head/sys/modules/ipfw_nat64/Makefile
==
--- head/sys/modules/ipfw_nat64/MakefileThu Dec 12 13:21:43 2019
(r355649)
+++ head/sys/modules/ipfw_nat64/MakefileThu Dec 12 13:28:46 2019
(r355650)
@@ -7,6 +7,7 @@ SRCS=   ip_fw_nat64.c nat64_translate.c
 SRCS+= nat64clat.c nat64clat_control.c
 SRCS+= nat64lsn.c nat64lsn_control.c
 SRCS+= nat64stl.c nat64stl_control.c
+SRCS+= opt_ipstealth.h
 
 CFLAGS+= -I${SRCTOP}/sys/contrib/ck/include
 

Modified: head/sys/netpfil/ipfw/nat64/nat64_translate.c
==
--- head/sys/netpfil/ipfw/nat64/nat64_translate.c   Thu Dec 12 13:21:43 
2019(r355649)
+++ head/sys/netpfil/ipfw/nat64/nat64_translate.c   Thu Dec 12 13:28:46 
2019(r355650)
@@ -29,6 +29,8 @@
 #include 
 __FBSDID("$FreeBSD$");
 
+#include "opt_ipstealth.h"
+
 #include 
 #include 
 #include 
@@ -101,14 +103,39 @@ static const struct nat64_methods nat64_direct = {
.output = nat64_direct_output,
.output_one = nat64_direct_output_one
 };
-VNET_DEFINE_STATIC(const struct nat64_methods *, nat64out) = _netisr;
-#defineV_nat64out  VNET(nat64out)
 
+/* These variables should be initialized explicitly on module loading */
+VNET_DEFINE_STATIC(const struct nat64_methods *, nat64out);
+VNET_DEFINE_STATIC(const int *, nat64ipstealth);
+VNET_DEFINE_STATIC(const int *, nat64ip6stealth);
+#defineV_nat64out  VNET(nat64out)
+#defineV_nat64ipstealthVNET(nat64ipstealth)
+#defineV_nat64ip6stealth   VNET(nat64ip6stealth)
+
+static const int stealth_on = 1;
+#ifndef IPSTEALTH
+static const int stealth_off = 0;
+#endif
+
 void
 nat64_set_output_method(int direct)
 {
 
-   V_nat64out = direct != 0 ? _direct: _netisr;
+   if (direct != 0) {
+   V_nat64out = _direct;
+#ifdef IPSTEALTH
+   /* Honor corresponding variables, if IPSTEALTH is defined */
+   V_nat64ipstealth = _ipstealth;
+   V_nat64ip6stealth = _ip6stealth;
+#else
+   /* otherwise we need to decrement HLIM/TTL for direct case */
+   V_nat64ipstealth = V_nat64ip6stealth = _off;
+#endif
+   } else {
+   V_nat64out = _netisr;
+   /* Leave TTL/HLIM decrementing to forwarding code */
+   V_nat64ipstealth = V_nat64ip6stealth = _on;
+   }
 }
 
 int
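Review bot: V_nat64ipstealth and V_nat64ip6stealth are defined at L2033-2034 without an initializer and are dereferenced at L2073 (the hunk ending at L2076), so any vnet in which nat64_set_output_method() has not yet run would hit a NULL pointer dereference there; the comment at L2031 promises explicit initialization on module load, but that cannot be verified from the hunk and it must also hold for vnets created after the module is loaded. Giving them a definition-time initializer pointing at stealth_on (the netisr default), as the removed line at L2028 did for nat64out, would close that window; otherwise document which VNET_SYSINIT guarantees the call. stealth_off under `#ifndef IPSTEALTH` is used only in the matching #else branch, which is consistent, but a short comment saying so would save the next reader a search.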
@@ -486,8 +513,7 @@ nat64_init_ip4hdr(const struct ip6_hdr *ip6, const str
ip->ip_tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
ip->ip_len = htons(sizeof(*ip) + plen);
ip->ip_ttl = ip6->ip6_hlim;
-   /* Forwarding code will decrement TTL for netisr based output. */
-   if (V_nat64out == _direct)
+   if (*V_nat64ip6stealth == 0)
ip->ip_ttl -= IPV6_HLIMDEC;
ip->ip_sum = 0;
ip->ip_p = (proto == IPPROTO_ICMPV6) ? IPPROTO_ICMP: proto;
@@ -623,18 +649,18 @@ nat64_icmp6_reflect(struct mbuf *m, uint8_t type, uint
struct icmp6_hdr *icmp6;
struct ip6_hdr *ip6, *oip6;
struct mbuf *n;
-   int len, plen;
+   int len, plen, proto;
 
len = 0;
-   plen = nat64_getlasthdr(m, );
-   if (plen < 0) {
+   proto = nat64_getlasthdr(m, );
+   if (proto < 0) {
DPRINTF(DP_DROPS, "mbuf isn't contigious");
goto freeit;
}
/*
 * Do not send ICMPv6 in reply to ICMPv6 errors.
 */
-   if (plen == IPPROTO_ICMPV6) {
+   if (proto == IPPROTO_ICMPV6) {
if (m->m_len < len + sizeof(*icmp6)) {
DPRINTF(DP_DROPS, "mbuf isn't contigious");
goto freeit;
@@ -646,6 +672,21 @@ nat64_icmp6_reflect(struct mbuf *m, uint8_t type, uint
"ICMPv6 errors");
goto freeit;
}
+   /*
+* If there are extra headers between IPv6 and ICMPv6,
+* strip off them.
+*/
+   if (len > sizeof(struct ip6_hdr)) {
+   /*
+* NOTE: ipfw_chk already did m_pullup() and it is
+  

svn commit: r355581 - head/sys/netpfil/ipfw

2019-12-10 Thread Andrey V. Elsukov
Author: ae
Date: Tue Dec 10 10:35:32 2019
New Revision: 355581
URL: https://svnweb.freebsd.org/changeset/base/355581

Log:
  Avoid access to stale ip pointer and call UPDATE_POINTERS() after
  PULLUP_LEN_LOCKED().
  
  PULLUP_LEN_LOCKED() could update mbuf and thus we need to update related
  pointers that can be used in next opcodes.
  
  Reported by:  Maxime Villard 
  MFC after:1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==
--- head/sys/netpfil/ipfw/ip_fw2.c  Tue Dec 10 08:16:19 2019
(r355580)
+++ head/sys/netpfil/ipfw/ip_fw2.c  Tue Dec 10 10:35:32 2019
(r355581)
@@ -1465,7 +1465,8 @@ do {  
\
 
 #definePULLUP_LEN(_len, p, T)  _PULLUP_LOCKED(_len, p, T, )
 #definePULLUP_LEN_LOCKED(_len, p, T)   \
-_PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain))
+_PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain));\
+UPDATE_POINTERS()
 /*
  * In case pointers got stale after pullups, update them.
  */
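Review bot: PULLUP_LEN_LOCKED at L2146-2147 now expands to two statements, so a use such as `if (cond) PULLUP_LEN_LOCKED(...);` would guard only the pullup and run UPDATE_POINTERS() unconditionally. Wrapping the expansion as `do { _PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain)); UPDATE_POINTERS(); } while (0)` keeps it a single statement, provided _PULLUP_LOCKED (defined outside the hunk) does not declare anything the surrounding code relies on. PULLUP_LEN at L2143 remains a single statement, so the two macros now differ in shape as well as content; a comment noting that the LOCKED variant refreshes pointers would make the asymmetry deliberate.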


svn commit: r355129 - head/sys/netipsec

2019-11-27 Thread Andrey V. Elsukov
Author: ae
Date: Wed Nov 27 10:24:46 2019
New Revision: 355129
URL: https://svnweb.freebsd.org/changeset/base/355129

Log:
  Add support for dummy ESP packets with next header field equal to
  IPPROTO_NONE.
  
  According to RFC4303 2.6 they should be silently dropped.
  
  Submitted by: aurelien.cazuc.external_stormshield.eu
  MFC after:10 days
  Sponsored by: Stormshield
  Differential Revision:https://reviews.freebsd.org/D22557

Modified:
  head/sys/netipsec/xform_esp.c

Modified: head/sys/netipsec/xform_esp.c
==
--- head/sys/netipsec/xform_esp.c   Wed Nov 27 07:51:29 2019
(r355128)
+++ head/sys/netipsec/xform_esp.c   Wed Nov 27 10:24:46 2019
(r355129)
@@ -614,6 +614,13 @@ esp_input_cb(struct cryptop *crp)
}
}
 
+   /*
+* RFC4303 2.6:
+* Silently drop packet if next header field is IPPROTO_NONE.
+*/
+   if (lastthree[2] == IPPROTO_NONE)
+   goto bad;
+
/* Trim the mbuf chain to remove trailing authenticator and padding */
m_adj(m, -(lastthree[1] + 2));
 
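Review bot: The new test jumps to `bad`, which is outside the hunk; if that path increments an input-error statistic, these RFC 4303 dummy packets, which are legitimate traffic-flow-confidentiality padding, would be reported as errors, and if it does not free `m` the packet leaks, so the label's cleanup is worth confirming. A dedicated counter for discarded dummy packets would keep the drop silent on the wire while still making it observable to an operator. The comment could also record why the test is placed here rather than earlier, e.g. `/* RFC4303 2.6: a dummy packet (next header IPPROTO_NONE) is only known after integrity check and decryption; discard it silently here. */` — the position after authentication is inferred from the surrounding esp_input_cb code, whose body starts outside the hunk.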


svn commit: r354858 - head/contrib/bsnmp/snmpd

2019-11-19 Thread Andrey V. Elsukov
Author: ae
Date: Tue Nov 19 16:29:47 2019
New Revision: 354858
URL: https://svnweb.freebsd.org/changeset/base/354858

Log:
  Fix the byte order of IPv4 address parsed from begemotSnmpdTransInetStatus
  config option.
  
  The address is already in network byte order, so there is no need to do
  htonl().
  
  PR:   242056
  MFC after:1 week

Modified:
  head/contrib/bsnmp/snmpd/trans_inet.c

Modified: head/contrib/bsnmp/snmpd/trans_inet.c
==
--- head/contrib/bsnmp/snmpd/trans_inet.c   Tue Nov 19 15:38:55 2019
(r354857)
+++ head/contrib/bsnmp/snmpd/trans_inet.c   Tue Nov 19 16:29:47 2019
(r354858)
@@ -458,12 +458,10 @@ struct inet_port_params {
 static int
 ipv4_create(struct inet_port *port, struct inet_port_params *params)
 {
-   uint32_t ip;
 
if (params->addr_len != 4)
return (SNMP_ERR_INCONS_VALUE);
 
-   memcpy(, params->addr, 4);
struct port_sock *sock = calloc(1, sizeof(struct port_sock));
if (sock == NULL)
return (SNMP_ERR_GENERR);
@@ -477,8 +475,8 @@ ipv4_create(struct inet_port *port, struct inet_port_p
 
sin->sin_len = sizeof(struct sockaddr_in);
sin->sin_family = AF_INET;
-   sin->sin_addr.s_addr = htonl(ip);
sin->sin_port = htons(params->port);
+   memcpy(>sin_addr, params->addr, 4); /* network byte order */
 
sock->port = port;
 
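Review bot: The new memcpy in this hunk copies a literal 4 bytes into `sin->sin_addr`; tying the length to the destination, `memcpy(&sin->sin_addr, params->addr, sizeof(sin->sin_addr));`, keeps it consistent with the `addr_len != 4` guard in the previous hunk without repeating the magic number. The archive rendering has dropped the `&` from the memcpy arguments in both hunks (`memcpy(, ...)` and `memcpy(>sin_addr, ...)`), so anyone reading the patch from this page should check the committed source rather than the listing. ipv4_create continues past the end of the hunk.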


svn commit: r354443 - head/sys/net

2019-11-07 Thread Andrey V. Elsukov
Author: ae
Date: Thu Nov  7 15:00:37 2019
New Revision: 354443
URL: https://svnweb.freebsd.org/changeset/base/354443

Log:
  Enqueue lladdr_task to update link level address of vlan, when its parent
  interface has changed.
  
  During vlan reconfiguration without destroying the interface, it is possible
  that the parent interface will be changed. This usually means that the link
  layer address of the vlan will be different. Therefore we need to update all
  permanent llentries associated with the vlan's addresses - NDP for IPv6
  addresses, and ARP for IPv4 addresses. This is done via lladdr_task
  execution. To avoid extra work, check before execution that the L2
  address is different.
  
  No objection from:#network
  Obtained from:Yandex LLC
  MFC after:1 week
  Sponsored by: Yandex LLC
  Differential Revision:https://reviews.freebsd.org/D22243

Modified:
  head/sys/net/if_vlan.c

Modified: head/sys/net/if_vlan.c
==
--- head/sys/net/if_vlan.c  Thu Nov  7 14:16:55 2019(r354442)
+++ head/sys/net/if_vlan.c  Thu Nov  7 15:00:37 2019(r354443)
@@ -1459,11 +1459,19 @@ vlan_config(struct ifvlan *ifv, struct ifnet *p, uint1
 * Set up our interface address to reflect the underlying
 * physical interface's.
 */
-   bcopy(IF_LLADDR(p), IF_LLADDR(ifp), p->if_addrlen);
+   TASK_INIT(>lladdr_task, 0, vlan_lladdr_fn, ifv);
((struct sockaddr_dl *)ifp->if_addr->ifa_addr)->sdl_alen =
p->if_addrlen;
 
-   TASK_INIT(>lladdr_task, 0, vlan_lladdr_fn, ifv);
+   /*
+* Do not schedule link address update if it was the same
+* as previous parent's. This helps avoid updating for each
+* associated llentry.
+*/
+   if (memcmp(IF_LLADDR(p), IF_LLADDR(ifp), p->if_addrlen) != 0) {
+   bcopy(IF_LLADDR(p), IF_LLADDR(ifp), p->if_addrlen);
+   taskqueue_enqueue(taskqueue_thread, >lladdr_task);
+   }
 
/* We are ready for operation now. */
ifp->if_drv_flags |= IFF_DRV_RUNNING;
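Review bot: The memcmp in the new block compares `p->if_addrlen` bytes of the vlan's current link address, but that buffer was only ever filled to the previous parent's `if_addrlen` (or, on a fresh vlan, holds whatever its `sdl_data` was initialised with); if the new parent's address is longer, the comparison reads bytes that were never written and its result decides whether lladdr_task runs. Saving the previous `sdl_alen` before it is overwritten a few lines above and treating a length change as a change makes the skip depend only on defined bytes: `if (old_alen != p->if_addrlen || memcmp(IF_LLADDR(p), IF_LLADDR(ifp), p->if_addrlen) != 0) {`. Whether `sdl_data` is zeroed on creation is not visible here, and vlan_config starts outside the hunk; the rendering has also dropped the `&` in `TASK_INIT(>lladdr_task, ...)` and `taskqueue_enqueue(..., >lladdr_task)`.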


Re: svn commit: r354333 - in head/sys/cddl: compat/opensolaris/kern compat/opensolaris/sys contrib/opensolaris/uts/common/fs/zfs contrib/opensolaris/uts/common/fs/zfs/sys

2019-11-05 Thread Andrey V. Elsukov
On 04.11.2019 16:30, Andriy Gapon wrote:
> Author: avg
> Date: Mon Nov  4 13:30:37 2019
> New Revision: 354333
> URL: https://svnweb.freebsd.org/changeset/base/354333
> 
> Log:
>   zfs: enable SPA_PROCESS on the kernel side
>   
>   The purpose of this change is to group kernelthreads specific to a
>   particular ZFS pool under a kernel process.  There can be many dozens of
>   threads per pool.  This change improves observability of those threads.
>   
>   This change consists of several subchanges:
>   1. illumos taskq_create_proc can now pass its process parameter to
>   taskqueue.  Also, use zfsproc instead of NULL for taskq_create.  Caveat:
>   zfsproc might not be initialized yet.  But in that case it is still NULL,
>   so not worse than before.
This commit probably breaks dtrace module loading:

link_elf_obj: symbol zfsproc undefined
linker_load_file: /boot/kernel/dtrace.ko - unsupported file type
KLD dtraceall.ko: depends on dtrace - not available or version mismatch
linker_load_file: /boot/kernel/dtraceall.ko - unsupported file type

Does it work for you, or is this a local problem on my side?

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r353480 - in head/sys: net netinet sys

2019-10-15 Thread Andrey V. Elsukov
On 13.10.2019 21:17, Michael Tuexen wrote:
> Author: tuexen
> Date: Sun Oct 13 18:17:08 2019
> New Revision: 353480
> URL: https://svnweb.freebsd.org/changeset/base/353480
> 
> Log:
>   Use an event handler to notify the SCTP about IP address changes
>   instead of calling an SCTP specific function from the IP code.
>   This is a requirement of supporting SCTP as a kernel loadable module.
>   This patch was developed by markj@, I tweaked a bit the SCTP related
>   code.
> Modified: head/sys/sys/eventhandler.h
> ==
> --- head/sys/sys/eventhandler.h   Sun Oct 13 18:03:23 2019
> (r353479)
> +++ head/sys/sys/eventhandler.h   Sun Oct 13 18:17:08 2019
> (r353480)
> @@ -312,4 +312,9 @@ typedef void (*device_detach_fn)(void *, device_t, enu
>  EVENTHANDLER_DECLARE(device_attach, device_attach_fn);
>  EVENTHANDLER_DECLARE(device_detach, device_detach_fn);
>  
> +/* Interface address addition and removal event */
> +struct ifaddr;
> +typedef void (*rt_addrmsg_fn)(void *, struct ifaddr *, int);
> +EVENTHANDLER_DECLARE(rt_addrmsg, rt_addrmsg_fn);
> +
>  #endif /* _SYS_EVENTHANDLER_H_ */
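Review bot: The new `rt_addrmsg_fn` typedef carries an `int` whose meaning the one-line comment does not give; a consumer of the event has to guess whether it is the routing message type or an add/remove flag, and the hunk does not settle which. Extending the comment to state the contract at the declaration, e.g. `/* Interface address addition and removal event; the int is the RTM_* message type (RTM_NEWADDR or RTM_DELADDR). */` if that is what the callers pass, would save every handler author a trip to the IP code.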

Hi,

it looks like this duplicates the functionality of the ifaddr_event_ext event handler.

-- 
WBR, Andrey V. Elsukov





svn commit: r353545 - head/sbin/ipfw

2019-10-15 Thread Andrey V. Elsukov
Author: ae
Date: Tue Oct 15 09:50:02 2019
New Revision: 353545
URL: https://svnweb.freebsd.org/changeset/base/353545

Log:
  Explicitly initialize the memory buffer to store O_ICMP6TYPE opcode.
  
  By default next_cmd() initializes only first u32 of opcode. O_ICMP6TYPE
  opcode has array of bit masks to store corresponding ICMPv6 types.
  An opcode that precedes O_ICMP6TYPE, e.g. O_IP6_DST, can have variable
  length and during opcode filling it can modify memory that will be used
  by the O_ICMP6TYPE opcode. Without explicit initialization this leads to
  the creation of a wrong opcode.
  
  Reported by:  Boris N. Lytochkin
  Obtained from:Yandex LLC
  MFC after:3 days

Modified:
  head/sbin/ipfw/ipv6.c

Modified: head/sbin/ipfw/ipv6.c
==
--- head/sbin/ipfw/ipv6.c   Tue Oct 15 08:33:05 2019(r353544)
+++ head/sbin/ipfw/ipv6.c   Tue Oct 15 09:50:02 2019(r353545)
@@ -143,6 +143,7 @@ fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cb
uint8_t type;
 
CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_icmp6));
+   memset(cmd, 0, sizeof(*cmd));
while (*av) {
   if (*av == ',')
   av++;
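Review bot: `memset(cmd, 0, sizeof(*cmd))` also clears the first word that, per the commit message, next_cmd() had already initialised (the opcode, len and arg1 fields of the `ipfw_insn` header live there), so fill_icmp6types must write `cmd->o.opcode` and `cmd->o.len` after this point; the rest of the function is outside the hunk, so that ordering should be confirmed. A comment on the memset would keep the intent from being lost in a later refactor: `/* Zero the whole opcode: next_cmd() only initialises the first word, and the preceding variable-length opcode may have written into the bitmask area. */`.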


svn commit: r346630 - in head: sbin/ifconfig share/man/man4 sys/modules/if_gre sys/net sys/netinet sys/netinet6

2019-09-03 Thread Andrey V. Elsukov
Author: ae
Date: Wed Apr 24 09:05:45 2019
New Revision: 346630
URL: https://svnweb.freebsd.org/changeset/base/346630

Log:
  Add GRE-in-UDP encapsulation support as defined in RFC8086.
  
  This GRE-in-UDP encapsulation allows the UDP source port field to be
  used as an entropy field for load-balancing of GRE traffic in transit
  networks. Also, most multiqueue network cards are able to distribute
  incoming UDP datagrams to different NIC queues, while very few are able
  to do this for GRE packets.
  
  When an administrator enables UDP encapsulation with command
  `ifconfig gre0 udpencap`, the driver creates kernel socket, that binds
  to tunnel source address and after udp_set_kernel_tunneling() starts
  receiving of all UDP packets destined to 4754 port. Each kernel socket
  maintains list of tunnels with different destination addresses. Thus
  when several tunnels use the same source address, they all handled by
  single socket.  The IP[V6]_BINDANY socket option is used to be able bind
  socket to source address even if it is not yet available in the system.
  This may happen on system boot, when gre(4) interface is created before
  source address become available. The encapsulation and sending of packets
  is done directly from gre(4) into ip[6]_output() without using sockets.
  
  Reviewed by:  eugen
  MFC after:1 month
  Relnotes: yes
  Differential Revision:https://reviews.freebsd.org/D19921

Modified:
  head/sbin/ifconfig/ifgre.c
  head/share/man/man4/gre.4
  head/sys/modules/if_gre/Makefile
  head/sys/net/if_gre.c
  head/sys/net/if_gre.h
  head/sys/netinet/ip_gre.c
  head/sys/netinet6/ip6_gre.c

Modified: head/sbin/ifconfig/ifgre.c
==
--- head/sbin/ifconfig/ifgre.c  Wed Apr 24 06:41:52 2019(r346629)
+++ head/sbin/ifconfig/ifgre.c  Wed Apr 24 09:05:45 2019(r346630)
@@ -44,15 +44,16 @@ __FBSDID("$FreeBSD$");
 
 #include "ifconfig.h"
 
-#defineGREBITS "\020\01ENABLE_CSUM\02ENABLE_SEQ"
+#defineGREBITS "\020\01ENABLE_CSUM\02ENABLE_SEQ\03UDPENCAP"
 
 static void gre_status(int s);
 
 static void
 gre_status(int s)
 {
-   uint32_t opts = 0;
+   uint32_t opts, port;
 
+   opts = 0;
ifr.ifr_data = (caddr_t)
if (ioctl(s, GREGKEY, ) == 0)
if (opts != 0)
@@ -60,6 +61,11 @@ gre_status(int s)
opts = 0;
if (ioctl(s, GREGOPTS, ) != 0 || opts == 0)
return;
+
+   port = 0;
+   ifr.ifr_data = (caddr_t)
+   if (ioctl(s, GREGPORT, ) == 0 && port != 0)
+   printf("\tudpport: %u\n", port);
printb("\toptions", opts, GREBITS);
putchar('\n');
 }
@@ -77,6 +83,18 @@ setifgrekey(const char *val, int dummy __unused, int s
 }
 
 static void
+setifgreport(const char *val, int dummy __unused, int s,
+const struct afswtch *afp)
+{
+   uint32_t udpport = strtol(val, NULL, 0);
+
+   strlcpy(ifr.ifr_name, name, sizeof (ifr.ifr_name));
+   ifr.ifr_data = (caddr_t)
+   if (ioctl(s, GRESPORT, (caddr_t)) < 0)
+   warn("ioctl (set udpport)");
+}
+
+static void
 setifgreopts(const char *val, int d, int s, const struct afswtch *afp)
 {
uint32_t opts;
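Review bot: `strtol(val, NULL, 0)` in the new setifgreport accepts trailing garbage and silently converts negative or over-range values into `udpport` before they reach the GRESPORT ioctl; the existing setters only warn() when the ioctl fails, but malformed input is better rejected in userland with a clear message. Parsing with an end pointer and checking the 16-bit port range does that, and because strtoul returns ULONG_MAX on overflow the single range test covers that case as well. errx() is from the same header as the warn() already used in this file.
```c
static void
setifgreport(const char *val, int dummy __unused, int s,
    const struct afswtch *afp)
{
	char *end;
	unsigned long v;
	uint32_t udpport;

	/* Reject empty input, trailing junk and anything outside 0..65535. */
	v = strtoul(val, &end, 0);
	if (end == val || *end != '\0' || v > 65535)
		errx(1, "invalid udpport: %s", val);
	udpport = (uint32_t)v;
	/* … unchanged: strlcpy of ifr_name, GRESPORT ioctl and warn() … */
}
```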
@@ -101,10 +119,13 @@ setifgreopts(const char *val, int d, int s, const stru
 
 static struct cmd gre_cmds[] = {
DEF_CMD_ARG("grekey",   setifgrekey),
+   DEF_CMD_ARG("udpport",  setifgreport),
DEF_CMD("enable_csum", GRE_ENABLE_CSUM, setifgreopts),
DEF_CMD("-enable_csum",-GRE_ENABLE_CSUM,setifgreopts),
DEF_CMD("enable_seq", GRE_ENABLE_SEQ,   setifgreopts),
DEF_CMD("-enable_seq",-GRE_ENABLE_SEQ,  setifgreopts),
+   DEF_CMD("udpencap", GRE_UDPENCAP,   setifgreopts),
+   DEF_CMD("-udpencap",-GRE_UDPENCAP,  setifgreopts),
 };
 static struct afswtch af_gre = {
.af_name= "af_gre",

Modified: head/share/man/man4/gre.4
==
--- head/share/man/man4/gre.4   Wed Apr 24 06:41:52 2019(r346629)
+++ head/share/man/man4/gre.4   Wed Apr 24 09:05:45 2019(r346630)
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 2, 2015
+.Dd April 24, 2019
 .Dt GRE 4
 .Os
 .Sh NAME
@@ -89,7 +89,45 @@ A value of 0 disables the key option.
 Enables checksum calculation for outgoing packets.
 .It Ar enable_seq
 Enables use of sequence number field in the GRE header for outgoing packets.
+.It Ar udpencap
+Enables UDP-in-GRE encapsulation (see the
+.Sx GRE-IN-UDP ENCAPSULATION
+Section below for details).
+.It Ar udpport
+Set the source UDP port for outgoing packets.
+A value of 0 disables the persistence of source UDP port for outgoing packets.
+See the
+.Sx GRE-IN-UDP ENCAPSULATION
+Section below for details.
 .El
+.Sh GRE-IN-UDP ENCAPSULATION
+The
+.Nm
+supports GRE in UDP encapsulation as defined in RFC 8086.
+A GRE in UDP tunnel offers the possibility of 

Re: svn commit: r341586 - head/sys/dev/mlx5/mlx5_en

2019-09-03 Thread Andrey V. Elsukov
On 16.04.2019 18:26, Slava Shwartsman wrote:
> Thanks for letting us know about this regression.
> I would like to try to reproduce this issue in house.
> 
> Can you please share the exact steps to reproduce it?
> - Can I reproduce the issue with B2B setup?
> - What is the route command you used to make the route between the VLANs?
> - What app are you using to generate the traffic?
> 

I think this can be reproduced on simple router, where single mce(4)
interface is used as parent for several vlan(4) interfaces. E.g.

[host1] vlan100 <--> mce0.100 [gateway] mce0.200 <--> vlan200 [host2]
10.0.0.1      10.0.0.254  192.168.0.254    192.168.0.1

gateway:
sysctl net.inet.ip.forwarding=1

host1:
route add 192.168.0.0/24 10.0.0.254

host2:
route add 10.0.0.0/24 192.168.0.254
ping 10.0.0.1

I.e. you need to make setup, where ingress and egress interface is the
same - mce0.

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r341586 - head/sys/dev/mlx5/mlx5_en

2019-09-03 Thread Andrey V. Elsukov
On 05.12.2018 17:25, Slava Shwartsman wrote:
> Author: slavash
> Date: Wed Dec  5 14:25:03 2018
> New Revision: 341586
> URL: https://svnweb.freebsd.org/changeset/base/341586
> 
> Log:
>   mlx5en: Implement backpressure indication.
>   
>   The backpressure indication is implemented using an unlimited rate type of
>   mbuf send tag. When the upper layers typically the socket layer has 
> obtained such
>   a tag, it can then query the destination driver queue for the current
>   amount of space available in the send queue.
>   
>   A single mbuf send tag may be referenced multiple times and a refcount has 
> been added
>   to the mlx5e_priv structure to track its usage. Because the send tag resides
>   in the mlx5e_channel structure, there is no need to wait for refcounts to 
> reach
>   zero until the mlx4en(4) driver is detached. The channels structure is 
> persistant
>   during the lifetime of the mlx5en(4) driver it belongs to and can so be 
> accessed
>   without any need of synchronization.
>   
>   The mlx5e_snd_tag structure was extended to contain a type field, because 
> there are now
>   two different tag types which end up in the driver which need to be 
> distinguished.
>   
>   Submitted by:   hselasky@
>   Approved by:hselasky (mentor)
>   MFC after:  1 week
>   Sponsored by:   Mellanox Technologies
> @@ -587,27 +609,33 @@ mlx5e_xmit(struct ifnet *ifp, struct mbuf *mb)
>   struct mlx5e_sq *sq;
>   int ret;
>  
> - sq = mlx5e_select_queue(ifp, mb);
> - if (unlikely(sq == NULL)) {
> -#ifdef RATELIMIT
> - /* Check for route change */
> - if (mb->m_pkthdr.snd_tag != NULL &&
> - mb->m_pkthdr.snd_tag->ifp != ifp) {
> + if (mb->m_pkthdr.snd_tag != NULL) {
> + sq = mlx5e_select_queue_by_send_tag(ifp, mb);
> + if (unlikely(sq == NULL)) {
> + /* Check for route change */
> + if (mb->m_pkthdr.snd_tag->ifp != ifp) {
> + /* Free mbuf */
> + m_freem(mb);
> +
> + /*
> +  * Tell upper layers about route
> +  * change and to re-transmit this
> +  * packet:
> +  */
> + return (EAGAIN);
> + }

Hi,

I just discovered something strange and found that this commit is the
cause.
The test system has mlx5en 100G interface. It has two vlans: vlan500 and
vlan100.
Via vlan500 it receives some packet flows. Then it routes these packets
into vlan100.
But packets are dropped in mlx5e_xmit() with EAGAIN error code.

# dtrace -n 'fbt::ip6_output:return {printf("%d", arg1);}'
dtrace: description 'fbt::ip6_output:return ' matched 1 probe
CPU IDFUNCTION:NAME
 23  54338ip6_output:return 35
 16  54338ip6_output:return 35
 21  54338ip6_output:return 35
 22  54338ip6_output:return 35
 24  54338ip6_output:return 35
 23  54338ip6_output:return 35
 14  54338ip6_output:return 35
^C

# dtrace -n 'fbt::mlx5e_xmit:return {printf("%d", arg1);}'
dtrace: description 'fbt::mlx5e_xmit:return ' matched 1 probe
CPU IDFUNCTION:NAME
 16  69030mlx5e_xmit:return 35
 23  69030mlx5e_xmit:return 35
 26  69030mlx5e_xmit:return 35
 25  69030mlx5e_xmit:return 35
 24  69030        mlx5e_xmit:return 35
 21  69030mlx5e_xmit:return 35
 26  69030mlx5e_xmit:return 35
^C

The kernel config is GENERIC.
13.0-CURRENT #9 r345758+82f3d57(svn_head)-dirty

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r346052 - head/sys/dev/usb/net

2019-09-03 Thread Andrey V. Elsukov
On 09.04.2019 16:54, Ganbold Tsagaankhuu wrote:
> Author: ganbold
> Date: Tue Apr  9 13:54:08 2019
> New Revision: 346052
> URL: https://svnweb.freebsd.org/changeset/base/346052
> 
> Log:
>   In some cases like NanoPI R1, its second USB ethernet
>   RTL8152 (chip version URE_CHIP_VER_4C10) doesn't
>   have hardwired MAC address, in other words, it is all zeros.
>   This commit fixes it by setting random MAC address
>   when MAC address is all zeros.
>   
> - if (sc->sc_chip & URE_CHIP_VER_4C00)
> + if ((sc->sc_chip & URE_CHIP_VER_4C00) ||
> + (sc->sc_chip & URE_CHIP_VER_4C10))
>   ure_read_mem(sc, URE_PLA_IDR, URE_MCU_TYPE_PLA,
>   ue->ue_eaddr, 8);
>   else
>   ure_read_mem(sc, URE_PLA_BACKUP, URE_MCU_TYPE_PLA,
>   ue->ue_eaddr, 8);
> +
> + if (ETHER_IS_ZERO(sc->sc_ue.ue_eaddr)) {
> + device_printf(sc->sc_ue.ue_dev, "MAC assigned randomly\n");
> + arc4rand(sc->sc_ue.ue_eaddr, ETHER_ADDR_LEN, 0);
> + sc->sc_ue.ue_eaddr[0] &= ~0x01; /* unicast */
> + sc->sc_ue.ue_eaddr[0] |= 0x02;  /* locally administered */
> + }
>  }

Hi,

there is an ether_fakeaddr() function that is used for this purpose.
Maybe it is better to use it? Look at this commit:
https://svnweb.freebsd.org/base?view=revision=345139

-- 
WBR, Andrey V. Elsukov





svn commit: r345985 - head/libexec/rc

2019-09-03 Thread Andrey V. Elsukov
Author: ae
Date: Sat Apr  6 17:21:05 2019
New Revision: 345985
URL: https://svnweb.freebsd.org/changeset/base/345985

Log:
  Add firewall_[nat64|nptv6|pmod]_enable variables to /etc/defaults/rc.conf
  
  Reported by:  Andrey Fesenko
  X-MFC after:  r345450

Modified:
  head/libexec/rc/rc.conf

Modified: head/libexec/rc/rc.conf
==
--- head/libexec/rc/rc.conf Sat Apr  6 11:24:43 2019(r345984)
+++ head/libexec/rc/rc.conf Sat Apr  6 17:21:05 2019(r345985)
@@ -178,6 +178,9 @@ firewall_nologports="135-139,445 1026,1027 1433,1434" 
 firewall_nat_enable="NO"   # Enable kernel NAT (if firewall_enable == YES)
 firewall_nat_interface=""  # Public interface or IPaddress to use
 firewall_nat_flags=""  # Additional configuration parameters
+firewall_nat64_enable="NO" # Enable kernel NAT64 module.
+firewall_nptv6_enable="NO" # Enable kernel NPTv6 module.
+firewall_pmod_enable="NO"  # Enable kernel protocols modification module.
 dummynet_enable="NO"   # Load the dummynet(4) module
 ipfw_netflow_enable="NO"   # Enable netflow logging via ng_netflow
 ip_portrange_first="NO"# Set first dynamically allocated port
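Review bot: The three new comments do not say that these variables only take effect together with `firewall_enable`, whereas the adjacent `firewall_nat_enable` line spells that dependency out; if rc.firewall loads these modules only when the firewall is enabled, the new lines should use the same form, e.g. `firewall_nat64_enable="NO"	# Load kernel NAT64 module (if firewall_enable == YES)`. "Enable kernel protocols modification module" is also hard to map to a module name; naming the ipfw_pmod module in that comment would let an administrator find the manual page.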




svn commit: r345843 - head/contrib/bsnmp/lib

2019-09-03 Thread Andrey V. Elsukov
Author: ae
Date: Wed Apr  3 12:47:49 2019
New Revision: 345843
URL: https://svnweb.freebsd.org/changeset/base/345843

Log:
  Follow the declared behaviour that specifies server string format in
  bsnmpclient(3).
  
  snmp_parse_server() function accepts string where some fields can be
  omitted: [trans::][community@][server][:port]
  
  "trans" field can be "udp", "udp6", "dgram" and "stream".
  "community" can be empty string, if it is omitted, the default value
  will be used. For read_community it is "public", for write_community
  it is "private". "server" field can be hostname, IPv4 address or IPv6
  address. IPv6 address should be specified in brackets "[]".
  If port is omitted, the default value "snmp" will be used for "udp"
  and "udp6" transports. So, now for bsnmpget(1) and bsnmpwalk(1) it is
  not required to specify all fields in argument of '-s' option. E.g.
  
# bsnmpget -s 127.1 sysName.0
# bsnmpget -s "udp::127.1" sysName.0
# bsnmpget -s "udp::public@127.1" sysName.0
# bsnmpget -s "udp::public@127.1:161" sysName.0
# bsnmpget -s "udp::[::1]" sysName.0
# bsnmpget -s "udp6::[::1]" sysName.0
# bsnmpget -s "[fe80::1%lo0]" sysName.0
  
  PR:   236664
  Reported by:  olivier
  MFC after:1 month

Modified:
  head/contrib/bsnmp/lib/snmpclient.c

Modified: head/contrib/bsnmp/lib/snmpclient.c
==
--- head/contrib/bsnmp/lib/snmpclient.c Wed Apr  3 08:22:58 2019
(r345842)
+++ head/contrib/bsnmp/lib/snmpclient.c Wed Apr  3 12:47:49 2019
(r345843)
@@ -1874,38 +1874,47 @@ snmp_client_set_port(struct snmp_client *cl, const cha
return (0);
 }
 
+static const char *const trans_list[] = {
+   [SNMP_TRANS_UDP]= "udp::",
+   [SNMP_TRANS_LOC_DGRAM]  = "dgram::",
+   [SNMP_TRANS_LOC_STREAM] = "stream::",
+   [SNMP_TRANS_UDP6]   = "udp6::",
+};
+
 /**
  * Try to get a transport identifier which is a leading alphanumeric string
- * (starting with '_' or a letter and including also '_') terminated by
- * a double colon. The string may not be empty. The transport identifier
- * is optional.
+ * terminated by a double colon. The string may not be empty. The transport
+ * identifier is optional.
  *
  * \param sc   client struct to set errors
  * \param strp possible start of transport; updated to point to
  * the next character to parse
  *
- * \return end of transport; equals *strp if there is none; NULL if there
- * was an error
+ * \return transport identifier
  */
-static inline const char *
+static inline int
 get_transp(struct snmp_client *sc, const char **strp)
 {
-   const char *p = *strp;
+   const char *p;
+   size_t i;
 
-   if (isascii(*p) && (isalpha(*p) || *p == '_')) {
-   p++;
-   while (isascii(*p) && (isalnum(*p) || *p == '_'))
-   p++;
-   if (p[0] == ':' && p[1] == ':') {
-   *strp = p + 2;
-   return (p);
+   for (i = 0; i < nitems(trans_list); i++) {
+   if (trans_list[i] == NULL || *trans_list[i] == '\0')
+   continue;
+   p = strstr(*strp, trans_list[i]);
+   if (p == *strp) {
+   *strp += strlen(trans_list[i]);
+   return ((int)i);
}
}
+
+   p = *strp;
if (p[0] == ':' && p[1] == ':') {
seterr(sc, "empty transport specifier");
-   return (NULL);
+   return (-1);
}
-   return (*strp);
+   /* by default assume UDP */
+   return (SNMP_TRANS_UDP);
 }
 
 /**
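Review bot: The loop in the rewritten get_transp detects a prefix with `strstr(*strp, trans_list[i])` followed by `p == *strp`, which scans the whole remaining input for each entry and hides that only a leading match counts; `if (strncmp(*strp, trans_list[i], strlen(trans_list[i])) == 0) {` states the intent directly and stops at the prefix. The `trans_list[i] == NULL` test exists because the designated initialiser leaves any SNMP_TRANS_* index not listed as NULL, which deserves a one-line comment next to the table. The updated doc comment says only `\return transport identifier`, but the function also returns -1 after seterr() for a bare `::` and SNMP_TRANS_UDP when nothing matches; documenting both keeps the header accurate for the caller in snmp_parse_server, which relies on the -1 in the next hunk.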
@@ -2143,24 +2152,13 @@ save_str(struct snmp_client *sc, const char *const s[2
 int
 snmp_parse_server(struct snmp_client *sc, const char *str)
 {
-#if DEBUG_PARSE
const char *const orig = str;
-#endif
-
-   const char *const trans_list[] = {
-   [SNMP_TRANS_UDP]= "udp",
-   [SNMP_TRANS_LOC_DGRAM]  = "dgram",
-   [SNMP_TRANS_LOC_STREAM] = "stream",
-   [SNMP_TRANS_UDP6]   = "udp6",
-   };
-
/* parse input */
-   const char *const transp[2] = {
-   str,
-   get_transp(sc, ),
-   };
-   if (transp[1] == NULL)
+   int i, trans = get_transp(sc, );
+   if (trans < 0)
return (-1);
+   /* choose automatically */
+   i = orig == str ? -1: trans;
 
const char *const comm[2] = {
str,
@@ -2206,7 +2204,7 @@ snmp_parse_server(struct snmp_client *sc, const char *
}
 
 #if DEBUG_PARSE
-   printf("transp: %zu %zu\n", transp[0] - orig, transp[1] - orig);
+   printf("transp: %u\n", trans);
printf("comm:   %zu %zu\n", comm[0] - orig, comm[1] - orig);
printf("ipv6:   %zu %zu\n", ipv6[0] - orig, ipv6[1] - orig);
printf("ipv4:   %zu %zu\n", ipv4[0] - orig, 

Re: svn commit: r345797 - in head: contrib/bsnmp/gensnmptree contrib/bsnmp/lib contrib/bsnmp/snmpd lib/libbsnmp/libbsnmp usr.sbin/bsnmpd/bsnmpd

2019-09-03 Thread Andrey V. Elsukov
On 02.04.2019 16:40, Baptiste Daroussin wrote:
>> URL: https://svnweb.freebsd.org/changeset/base/345797
>>
>> Log:
>>   Add IPv6 transport for bsnmp.
>>   
>>   This patch adds a new table begemotSnmpdTransInetTable that uses the
>>   InetAddressType textual convention and can be used to create listening
>>   ports for IPv4, IPv6, zoned IPv6 and based on DNS names. It also supports
>>   future extension beyond UDP by adding a protocol identifier to the table
>>   index. In order to support this gensnmptree had to be modified.
>>   
>>   Submitted by:   harti
>>   MFC after:  1 month
>>   Relnotes:   yes
>>   Differential Revision:  https://reviews.freebsd.org/D16654
>>
> Jumping in this commit, maybe it is time to move bsnmpd out of contrib, given
> that all the dev appears to only be in our own source tree right?

I think it is better to ask harti@

-- 
WBR, Andrey V. Elsukov





svn commit: r345798 - head/contrib/bsnmp/snmp_mibII

2019-09-03 Thread Andrey V. Elsukov
Author: ae
Date: Tue Apr  2 13:38:00 2019
New Revision: 345798
URL: https://svnweb.freebsd.org/changeset/base/345798

Log:
  Create 64bit mibII counters for all interfaces.
  
  PR:   157015
  Obtained from:Yandex LLC
  MFC after:1 month

Modified:
  head/contrib/bsnmp/snmp_mibII/mibII_interfaces.c

Modified: head/contrib/bsnmp/snmp_mibII/mibII_interfaces.c
==
--- head/contrib/bsnmp/snmp_mibII/mibII_interfaces.cTue Apr  2 12:50:01 
2019(r345797)
+++ head/contrib/bsnmp/snmp_mibII/mibII_interfaces.cTue Apr  2 13:38:00 
2019(r345798)
@@ -373,11 +373,6 @@ op_ifxtable(struct snmp_context *ctx, struct snmp_valu
 
switch (op) {
 
-  again:
-   if (op != SNMP_OP_GETNEXT)
-   return (SNMP_ERR_NOSUCHNAME);
-   /* FALLTHROUGH */
-
  case SNMP_OP_GETNEXT:
if ((ifp = NEXT_OBJECT_INT(_list, >var, sub)) == 
NULL)
return (SNMP_ERR_NOSUCHNAME);
@@ -460,52 +455,36 @@ op_ifxtable(struct snmp_context *ctx, struct snmp_valu
break;
 
  case LEAF_ifHCInOctets:
-   if (!(ifp->flags & MIBIF_HIGHSPEED))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_inoctets;
break;
 
  case LEAF_ifHCInUcastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_ipackets -
MIBIF_PRIV(ifp)->hc_imcasts;
break;
 
  case LEAF_ifHCInMulticastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_imcasts;
break;
 
  case LEAF_ifHCInBroadcastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = 0;
break;
 
  case LEAF_ifHCOutOctets:
-   if (!(ifp->flags & MIBIF_HIGHSPEED))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_outoctets;
break;
 
  case LEAF_ifHCOutUcastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_opackets -
MIBIF_PRIV(ifp)->hc_omcasts;
break;
 
  case LEAF_ifHCOutMulticastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_omcasts;
break;
 
  case LEAF_ifHCOutBroadcastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = 0;
break;
 
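Review bot: With the MIBIF_HIGHSPEED gating removed, op_ifxtable now returns ifHC* values for every interface, so the `hc_*` fields of MIBIF_PRIV(ifp) have to be maintained for all interfaces rather than only the high-speed ones; the code that updates them is not in the hunk, so that should be confirmed, otherwise slow interfaces would report zero or stale 64-bit counters. `LEAF_ifHCInBroadcastPkts` and `LEAF_ifHCOutBroadcastPkts` still return a constant 0, which is now visible for all interfaces; a comment such as `/* broadcast packets are not counted separately */` would tell readers it is deliberate rather than unfinished. op_ifxtable continues outside the hunk.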




svn commit: r345797 - in head: contrib/bsnmp/gensnmptree contrib/bsnmp/lib contrib/bsnmp/snmpd lib/libbsnmp/libbsnmp usr.sbin/bsnmpd/bsnmpd

2019-09-03 Thread Andrey V. Elsukov
Author: ae
Date: Tue Apr  2 12:50:01 2019
New Revision: 345797
URL: https://svnweb.freebsd.org/changeset/base/345797

Log:
  Add IPv6 transport for bsnmp.
  
  This patch adds a new table begemotSnmpdTransInetTable that uses the
  InetAddressType textual convention and can be used to create listening
  ports for IPv4, IPv6, zoned IPv6 and based on DNS names. It also supports
  future extension beyond UDP by adding a protocol identifier to the table
  index. In order to support this gensnmptree had to be modified.
  
  Submitted by:   harti
  MFC after:  1 month
  Relnotes:   yes
  Differential Revision:  https://reviews.freebsd.org/D16654

Added:
  head/contrib/bsnmp/snmpd/trans_inet.c
  head/contrib/bsnmp/snmpd/trans_inet.h
Modified:
  head/contrib/bsnmp/gensnmptree/gensnmptree.1
  head/contrib/bsnmp/gensnmptree/gensnmptree.c
  head/contrib/bsnmp/lib/snmpclient.c
  head/contrib/bsnmp/lib/snmpclient.h
  head/contrib/bsnmp/lib/tc.def
  head/contrib/bsnmp/snmpd/BEGEMOT-SNMPD.txt
  head/contrib/bsnmp/snmpd/main.c
  head/contrib/bsnmp/snmpd/snmpd.config
  head/contrib/bsnmp/snmpd/snmpd.h
  head/contrib/bsnmp/snmpd/snmpmod.h
  head/contrib/bsnmp/snmpd/trans_lsock.c
  head/contrib/bsnmp/snmpd/trans_udp.c
  head/contrib/bsnmp/snmpd/tree.def
  head/lib/libbsnmp/libbsnmp/Makefile
  head/usr.sbin/bsnmpd/bsnmpd/Makefile
  head/usr.sbin/bsnmpd/bsnmpd/snmpd.config

Modified: head/contrib/bsnmp/gensnmptree/gensnmptree.1
==
--- head/contrib/bsnmp/gensnmptree/gensnmptree.1Tue Apr  2 12:02:35 
2019(r345796)
+++ head/contrib/bsnmp/gensnmptree/gensnmptree.1Tue Apr  2 12:50:01 
2019(r345797)
@@ -31,7 +31,7 @@
 .\"
 .\" $Begemot: gensnmptree.1 383 2006-05-30 07:40:49Z brandt_h $
 .\"
-.Dd June 29, 2018
+.Dd April 2, 2019
 .Dt GENSNMPTREE 1
 .Os
 .Sh NAME
@@ -100,25 +100,11 @@ is the length of the OID.
 is the last component of the OID.
 .El
 .It Fl F
-Together with
-.Fl E
-causes
-.Nm
-instead of the generation of enum definitions the generation of
-functions for checking a value to be one of the enumeration variants and
-for conversion between strings and the enum. The file is sent to standard
-output and is meant to be included into a C-file for compilation.
+emit definitions for C-functions includeable in a C-file that do some basic
+stuff on enums like value checking and conversion between value and strings.
 .It Fl f
-This flag can be used together with
-.Fl E
-or when generating the tree files. It causes
-.Nm
-to emit static inline functions for checking a value to be one of the
-enumeration values and for conversion between strings and the enum.
-If used when generating the tree files, the preprocessor symbol
-.Ar SNMPTREE_TYPES
-must be defined when including the tree header file for these definitions
-to become visible.
+emit definitions for inline C-functions that do some basic
+stuff on enums like value checking and conversion between value and strings.
 .It Fl h
 Print a short help page.
 .It Fl I Ar directory
@@ -136,36 +122,6 @@ Instead of normal output print the resulting tree.
 Prefix the file names and the table name with
 .Ar prefix .
 .El
-.Pp
-The following functions are generated by
-.Fl f
-or
-.Fl F :
-.Pp
-.Ft static inline int
-.Fn isok_EnumName "enum EnumName" ;
-.Pp
-.Ft static inline const char *
-.Fn tostr_EnumName "enum EnumName" ;
-.Pp
-.Ft static inline int
-.Fn fromstr_EnumName "const char *" "enum EnumName *" ;
-.Pp
-The
-.Fa EnumName
-is replaced with the enumeration name.
-.Fn isok_EnumName
-returns 1 if the argument is one of the valid enum values and 0 otherwise.
-.Fn tostr_EnumName
-returns a string representation of the enumeration value.
-If the values is not one of the legal values
-.Ar EnumName???
-is returned.
-.Fn fromstr_EnumName
-returns 1 if the string represents one of the legal enumeration values and
-0 otherwise.
-If 1 is return the variable pointed to by the second argument is set to
-the enumeration value.
 .Sh MIBS
 The syntax of the MIB description file can formally be specified as follows:
 .Bd -unfilled -offset indent

Modified: head/contrib/bsnmp/gensnmptree/gensnmptree.c
==
--- head/contrib/bsnmp/gensnmptree/gensnmptree.cTue Apr  2 12:02:35 
2019(r345796)
+++ head/contrib/bsnmp/gensnmptree/gensnmptree.cTue Apr  2 12:50:01 
2019(r345797)
@@ -110,7 +110,6 @@ static int debug;
 
 static const char usgtxt[] = "\
 Generate SNMP tables.\n\
-$Id$\n\
 usage: gensnmptree [-dEeFfhlt] [-I directory] [-i infile] [-p prefix]\n\
[name]...\n\
 options:\n\
@@ -127,6 +126,37 @@ options:\n\
   -t   generate a .def file\n\
 ";
 
+/**
+ * Program operation.
+ */
+enum op {
+   /** generate the tree */
+   OP_GEN,
+
+   /** extract OIDs */
+   OP_EXTRACT,
+
+   /** print the parsed tree */
+   OP_TREE,
+
+   /** extract 

svn commit: r345763 - head/contrib/bsnmp/snmpd

2019-09-03 Thread Andrey V. Elsukov
Author: ae
Date: Mon Apr  1 12:14:45 2019
New Revision: 345763
URL: https://svnweb.freebsd.org/changeset/base/345763

Log:
  Correct a port number assignment.
  
  PR:   236930
  MFC after:1 week

Modified:
  head/contrib/bsnmp/snmpd/trap.c

Modified: head/contrib/bsnmp/snmpd/trap.c
==
--- head/contrib/bsnmp/snmpd/trap.c Mon Apr  1 10:51:24 2019
(r345762)
+++ head/contrib/bsnmp/snmpd/trap.c Mon Apr  1 12:14:45 2019
(r345763)
@@ -726,8 +726,7 @@ target_activate_address(struct target_address *addrs)
sa.sin_addr.s_addr = htonl((addrs->address[0] << 24) |
(addrs->address[1] << 16) | (addrs->address[2] << 8) |
(addrs->address[3] << 0));
-   sa.sin_port = htons(addrs->address[4]) << 8 |
-htons(addrs->address[5]) << 0;
+   sa.sin_port = htons(addrs->address[4] << 8 | addrs->address[5]);
 
if (connect(addrs->socket, (struct sockaddr *), sa.sin_len) == -1) {
syslog(LOG_ERR, "connect(%s,%u): %m",
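Review bot: The new sin_port expression relies on `<<` binding tighter than `|`, which is correct, but it differs from the explicitly parenthesised byte assembly used for s_addr just above it; `sa.sin_port = htons((addrs->address[4] << 8) | addrs->address[5]);` reads consistently with those lines and removes the need to recall precedence. The old form applied htons() to each byte before combining them, which is what the commit corrects. target_activate_address() continues outside the hunk.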




svn commit: r351214 - head/sys/kern

2019-08-19 Thread Andrey V. Elsukov
Author: ae
Date: Mon Aug 19 12:42:03 2019
New Revision: 351214
URL: https://svnweb.freebsd.org/changeset/base/351214

Log:
  Use the TAILQ_FOREACH_SAFE() macro to avoid a use-after-free in soclose().
  
  PR:   239893
  MFC after:1 week

Modified:
  head/sys/kern/uipc_socket.c

Modified: head/sys/kern/uipc_socket.c
==
--- head/sys/kern/uipc_socket.c Mon Aug 19 11:18:36 2019(r351213)
+++ head/sys/kern/uipc_socket.c Mon Aug 19 12:42:03 2019(r351214)
@@ -1131,9 +1131,9 @@ drop:
so->so_state |= SS_NOFDREF;
sorele(so);
if (listening) {
-   struct socket *sp;
+   struct socket *sp, *tsp;
 
-   TAILQ_FOREACH(sp, , so_list) {
+   TAILQ_FOREACH_SAFE(sp, , so_list, tsp) {
SOCK_LOCK(sp);
if (sp->so_count == 0) {
SOCK_UNLOCK(sp);
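Review bot: TAILQ_FOREACH_SAFE only protects against the loop body freeing the current `sp`; it still assumes nobody else unlinks `tsp` while the loop runs, so the lock that covers the list (not visible in this hunk) has to stay held for the whole traversal. A one-line comment on the iteration would record that: `/* _SAFE: the body may drop the last reference to sp and free it. */`. The enclosing soclose() continues on both sides of the hunk.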


svn commit: r351071 - head/sys/netpfil/ipfw

2019-08-15 Thread Andrey V. Elsukov
Author: ae
Date: Thu Aug 15 13:44:33 2019
New Revision: 351071
URL: https://svnweb.freebsd.org/changeset/base/351071

Log:
  Fix rule truncation on external action module unloading.
  
  Obtained from:Yandex LLC
  MFC after:1 week
  Sponsored by: Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw_eaction.c

Modified: head/sys/netpfil/ipfw/ip_fw_eaction.c
==
--- head/sys/netpfil/ipfw/ip_fw_eaction.c   Thu Aug 15 13:27:57 2019
(r351070)
+++ head/sys/netpfil/ipfw/ip_fw_eaction.c   Thu Aug 15 13:44:33 2019
(r351071)
@@ -391,19 +391,19 @@ ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_f
cmd->arg1 != eaction_id)
return (0);
/*
-* If instance_id is specified, we need to truncate the
-* rule length. Check if there is O_EXTERNAL_INSTANCE opcode.
+* Check if there is O_EXTERNAL_INSTANCE opcode, we need
+* to truncate the rule length.
 *
 * NOTE: F_LEN(cmd) must be 1 for O_EXTERNAL_ACTION opcode,
 *  and rule length should be enough to keep O_EXTERNAL_INSTANCE
 *  opcode, thus we do check for l > 1.
 */
l = rule->cmd + rule->cmd_len - cmd;
-   if (instance_id != 0 && l > 1) {
+   if (l > 1) {
MPASS(F_LEN(cmd) == 1);
icmd = cmd + 1;
-   if (icmd->opcode != O_EXTERNAL_INSTANCE ||
-   icmd->arg1 != instance_id)
+   if (icmd->opcode == O_EXTERNAL_INSTANCE &&
+   instance_id != 0 && icmd->arg1 != instance_id)
return (0);
/*
 * Since named_object related to this instance will be
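Review bot: The rewritten comment still says the code checks for O_EXTERNAL_INSTANCE, but with the new condition any opcode that follows O_EXTERNAL_ACTION now reaches the truncation below (outside the hunk) unless it is an O_EXTERNAL_INSTANCE for a different instance; the comment should say so, e.g. `Truncate whatever follows O_EXTERNAL_ACTION; only an O_EXTERNAL_INSTANCE opcode for a different instance leaves the rule intact.` The truncation also appears to assume exactly one trailing opcode (F_LEN(icmd) is subtracted and an MPASS checks the result), which presumably holds for rules built by the ipfw(8) parser but is worth stating in the comment because MPASS is compiled out of production kernels.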


svn commit: r350974 - head/sys/netinet

2019-08-13 Thread Andrey V. Elsukov
Author: ae
Date: Tue Aug 13 12:47:53 2019
New Revision: 350974
URL: https://svnweb.freebsd.org/changeset/base/350974

Log:
  Save the ip_ttl value and restore it after the checksum calculation.
  
  Since the ipovly overlay is used for checksum calculation, part of the
  original IP header is zeroed. This part includes the ip_ttl field, which
  can be used later in IP_MINTTL socket option handling.
  
  PR:   239799
  MFC after:1 week

Modified:
  head/sys/netinet/tcp_input.c

Modified: head/sys/netinet/tcp_input.c
==
--- head/sys/netinet/tcp_input.cTue Aug 13 12:41:15 2019
(r350973)
+++ head/sys/netinet/tcp_input.cTue Aug 13 12:47:53 2019
(r350974)
@@ -554,6 +554,7 @@ tcp_input(struct mbuf **mp, int *offp, int proto)
int optlen = 0;
 #ifdef INET
int len;
+   uint8_t ipttl;
 #endif
int tlen = 0, off;
int drop_hdrlen;
@@ -676,6 +677,7 @@ tcp_input(struct mbuf **mp, int *offp, int proto)
 * Checksum extended TCP header and data.
 */
len = off0 + tlen;
+   ipttl = ip->ip_ttl;
bzero(ipov->ih_x1, sizeof(ipov->ih_x1));
ipov->ih_len = htons(tlen);
th->th_sum = in_cksum(m, len);
@@ -684,6 +686,7 @@ tcp_input(struct mbuf **mp, int *offp, int proto)
/* Reset TOS bits */
ip->ip_tos = iptos;
/* Re-initialization for later version check */
+   ip->ip_ttl = ipttl;
ip->ip_v = IPVERSION;
ip->ip_hl = off0 >> 2;
}
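Review bot: The `ip->ip_ttl = ipttl;` restore is placed between the `/* Reset TOS bits */` block and the `/* Re-initialization for later version check */` comment, so the second comment now reads as if it described the TTL restore. Either move the restore above that comment, next to the TOS reset, or give it its own line: `/* Restore TTL zeroed by the ipovly checksum setup (needed by IP_MINTTL). */`. tcp_input() continues outside these hunks.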


svn commit: r350816 - head/sys/netipsec

2019-08-09 Thread Andrey V. Elsukov
Author: ae
Date: Fri Aug  9 08:58:09 2019
New Revision: 350816
URL: https://svnweb.freebsd.org/changeset/base/350816

Log:
  Add missing new line in several log messages.
  
  PR:   239694
  MFC after:1 week

Modified:
  head/sys/netipsec/key.c

Modified: head/sys/netipsec/key.c
==
--- head/sys/netipsec/key.c Fri Aug  9 05:18:59 2019(r350815)
+++ head/sys/netipsec/key.c Fri Aug  9 08:58:09 2019(r350816)
@@ -284,7 +284,7 @@ key_addrprotohash(const union sockaddr_union *src,
 #endif
default:
hval = 0;
-   ipseclog((LOG_DEBUG, "%s: unknown address family %d",
+   ipseclog((LOG_DEBUG, "%s: unknown address family %d\n",
__func__, dst->sa.sa_family));
}
return (hval);
@@ -2039,8 +2039,8 @@ key_spdadd(struct socket *so, struct mbuf *m, const st
key_freesp();
} else {
key_freesp();
-   ipseclog((LOG_DEBUG, "%s: a SP entry exists already.",
-   __func__));
+   ipseclog((LOG_DEBUG,
+   "%s: a SP entry exists already.\n", __func__));
return (key_senderror(so, m, EEXIST));
}
}
@@ -5409,7 +5409,7 @@ key_update(struct socket *so, struct mbuf *m, const st
}
/* saidx should match with SA. */
if (key_cmpsaidx(>sah->saidx, , CMP_MODE_REQID) == 0) {
-   ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u",
+   ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u\n",
__func__, ntohl(sav->spi)));
key_freesav();
return key_senderror(so, m, ESRCH);
@@ -6885,14 +6885,14 @@ key_acqdone(const struct secasindex *saidx, uint32_t s
if (acq != NULL) {
if (key_cmpsaidx(>saidx, saidx, CMP_EXACTLY) == 0) {
ipseclog((LOG_DEBUG,
-   "%s: Mismatched saidx for ACQ %u", __func__, seq));
+   "%s: Mismatched saidx for ACQ %u\n", __func__, 
seq));
acq = NULL;
} else {
acq->created = 0;
}
} else {
ipseclog((LOG_DEBUG,
-   "%s: ACQ %u is not found.", __func__, seq));
+   "%s: ACQ %u is not found.\n", __func__, seq));
}
ACQ_UNLOCK();
if (acq == NULL)


svn commit: r350417 - head/sys/netpfil/ipfw

2019-07-29 Thread Andrey V. Elsukov
Author: ae
Date: Mon Jul 29 15:09:12 2019
New Revision: 350417
URL: https://svnweb.freebsd.org/changeset/base/350417

Log:
  Add the ipfw_get_action() function to get a pointer to the action opcode.
  
  ACTION_PTR() returns a pointer to the start of the rule's action section,
  but a rule can carry several rule modifiers like O_LOG, O_TAG and O_ALTQ,
  and only after them is the real action opcode stored.
  
  The ipfw_get_action() function inspects the rule action section, skips
  all modifiers and returns the action opcode.
  
  Use this function in ipfw_reset_eaction() and flush_nat_ptrs().
  
  MFC after:1 week
  Sponsored by: Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw_eaction.c
  head/sys/netpfil/ipfw/ip_fw_nat.c
  head/sys/netpfil/ipfw/ip_fw_private.h
  head/sys/netpfil/ipfw/ip_fw_sockopt.c

Modified: head/sys/netpfil/ipfw/ip_fw_eaction.c
==
--- head/sys/netpfil/ipfw/ip_fw_eaction.c   Mon Jul 29 14:59:14 2019
(r350416)
+++ head/sys/netpfil/ipfw/ip_fw_eaction.c   Mon Jul 29 15:09:12 2019
(r350417)
@@ -377,33 +377,30 @@ ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_f
 uint16_t eaction_id, uint16_t default_id, uint16_t instance_id)
 {
ipfw_insn *cmd, *icmd;
-   int l, cmdlen;
+   int l;
 
IPFW_UH_WLOCK_ASSERT(ch);
IPFW_WLOCK_ASSERT(ch);
 
-   cmd = ACTION_PTR(rule);
-   l = rule->cmd_len - rule->act_ofs;
-   while (l > 0) {
-   cmdlen = F_LEN(cmd);
-   l -= cmdlen;
-   if (cmd->opcode == O_EXTERNAL_ACTION || l <= 0)
-   break;
-   cmd += cmdlen;
-   }
/*
 * Return if there is not O_EXTERNAL_ACTION or its id is
 * different.
 */
+   cmd = ipfw_get_action(rule);
if (cmd->opcode != O_EXTERNAL_ACTION ||
cmd->arg1 != eaction_id)
return (0);
/*
 * If instance_id is specified, we need to truncate the
 * rule length. Check if there is O_EXTERNAL_INSTANCE opcode.
+*
+* NOTE: F_LEN(cmd) must be 1 for O_EXTERNAL_ACTION opcode,
+*  and rule length should be enough to keep O_EXTERNAL_INSTANCE
+*  opcode, thus we do check for l > 1.
 */
-   if (instance_id != 0 && l > 0) {
-   MPASS(cmdlen == 1);
+   l = rule->cmd + rule->cmd_len - cmd;
+   if (instance_id != 0 && l > 1) {
+   MPASS(F_LEN(cmd) == 1);
icmd = cmd + 1;
if (icmd->opcode != O_EXTERNAL_INSTANCE ||
icmd->arg1 != instance_id)
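Review bot: `l = rule->cmd + rule->cmd_len - cmd;` stores a pointer difference in an int, and the `l > 1` test only proves that at least one more opcode word exists after O_EXTERNAL_ACTION; it does not prove that `icmd` is the last opcode, which the truncation in the second hunk of this file relies on when it subtracts `F_LEN(icmd)`. A comment at the `icmd = cmd + 1;` line would make the contract explicit: `/* O_EXTERNAL_INSTANCE must be the final opcode of the rule; the MPASS after the truncation checks this. */`. ipfw_reset_eaction() continues past the hunk.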
@@ -415,8 +412,9 @@ ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_f
 * opcode.
 */
EACTION_DEBUG("truncate rule %d: len %u -> %u",
-   rule->rulenum, rule->cmd_len, rule->cmd_len - l);
-   rule->cmd_len -= l;
+   rule->rulenum, rule->cmd_len,
+   rule->cmd_len - F_LEN(icmd));
+   rule->cmd_len -= F_LEN(icmd);
MPASS(((uint32_t *)icmd -
(uint32_t *)rule->cmd) == rule->cmd_len);
}

Modified: head/sys/netpfil/ipfw/ip_fw_nat.c
==
--- head/sys/netpfil/ipfw/ip_fw_nat.c   Mon Jul 29 14:59:14 2019
(r350416)
+++ head/sys/netpfil/ipfw/ip_fw_nat.c   Mon Jul 29 15:09:12 2019
(r350417)
@@ -140,13 +140,12 @@ ifaddr_change(void *arg __unused, struct ifnet *ifp)
 static void
 flush_nat_ptrs(struct ip_fw_chain *chain, const int ix)
 {
-   int i;
ipfw_insn_nat *cmd;
+   int i;
 
IPFW_WLOCK_ASSERT(chain);
for (i = 0; i < chain->n_rules; i++) {
-   cmd = (ipfw_insn_nat *)ACTION_PTR(chain->map[i]);
-   /* XXX skip log and the like ? */
+   cmd = (ipfw_insn_nat *)ipfw_get_action(chain->map[i]);
if (cmd->o.opcode == O_NAT && cmd->nat != NULL &&
(ix < 0 || cmd->nat->id == ix))
cmd->nat = NULL;

Modified: head/sys/netpfil/ipfw/ip_fw_private.h
==
--- head/sys/netpfil/ipfw/ip_fw_private.h   Mon Jul 29 14:59:14 2019
(r350416)
+++ head/sys/netpfil/ipfw/ip_fw_private.h   Mon Jul 29 15:09:12 2019
(r350417)
@@ -665,6 +665,7 @@ struct ip_fw *ipfw_alloc_rule(struct ip_fw_chain *chai
 void ipfw_free_rule(struct ip_fw *rule);
 int ipfw_match_range(struct ip_fw *rule, ipfw_range_tlv *rt);
 int ipfw_mark_object_kidx(uint32_t *bmask, uint16_t etlv, uint16_t kidx);
+ipfw_insn *ipfw_get_action(struct ip_fw *);
 
 typedef int (sopt_handler_f)(struct ip_fw_chain *ch,
 ip_fw3_opheader *op3, struct sockopt_data *sd);
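Review bot: The new prototype `ipfw_insn *ipfw_get_action(struct ip_fw *);` drops the parameter name while its neighbours (`ipfw_free_rule(struct ip_fw *rule)`, `ipfw_match_range(struct ip_fw *rule, ...)`) keep it. `ipfw_insn *ipfw_get_action(struct ip_fw *rule);` keeps the header consistent and self-documenting.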

Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c
==
--- 

svn commit: r350413 - head/sys/netpfil/ipfw

2019-07-29 Thread Andrey V. Elsukov
Author: ae
Date: Mon Jul 29 12:55:48 2019
New Revision: 350413
URL: https://svnweb.freebsd.org/changeset/base/350413

Log:
  Avoid possible lock leaking.
  
  After r343619 ipfw uses its own locking for the packet flow. The PULLUP_LEN()
  macro is used in ipfw_chk() to call m_pullup(). When m_pullup() fails, it
  just returns via `goto pullup_failed`. There are two places where
  PULLUP_LEN() is called with IPFW_PF_RLOCK() held.
  
  Add the PULLUP_LEN_LOCKED() macro for use in these places, so that the lock
  can be released when m_pullup() fails.
  
  Sponsored by: Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==
--- head/sys/netpfil/ipfw/ip_fw2.c  Mon Jul 29 10:44:04 2019
(r350412)
+++ head/sys/netpfil/ipfw/ip_fw2.c  Mon Jul 29 12:55:48 2019
(r350413)
@@ -1442,9 +1442,9 @@ ipfw_chk(struct ip_fw_args *args)
  * pointer might become stale after other pullups (but we never use it
  * this way).
  */
-#define PULLUP_TO(_len, p, T)  PULLUP_LEN(_len, p, sizeof(T))
+#definePULLUP_TO(_len, p, T)   PULLUP_LEN(_len, p, sizeof(T))
 #defineEHLEN   (eh != NULL ? ((char *)ip - (char *)eh) : 0)
-#define PULLUP_LEN(_len, p, T) \
+#define_PULLUP_LOCKED(_len, p, T, unlock)  \
 do {   \
int x = (_len) + T + EHLEN; \
if (mem) {  \
@@ -1453,12 +1453,18 @@ do {
\
} else {\
if (__predict_false((m)->m_len < x)) {  \
args->m = m = m_pullup(m, x);   \
-   if (m == NULL)  \
+   if (m == NULL) {\
+   unlock; \
goto pullup_failed; \
+   }   \
}   \
p = mtod(m, char *) + (_len) + EHLEN;   \
}   \
 } while (0)
+
+#definePULLUP_LEN(_len, p, T)  _PULLUP_LOCKED(_len, p, T, )
+#definePULLUP_LEN_LOCKED(_len, p, T)   \
+_PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain))
 /*
  * In case pointers got stale after pullups, update them.
  */
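Review bot: `_PULLUP_LOCKED` is an identifier beginning with an underscore and an uppercase letter, which C reserves for the implementation, and unlike PULLUP_LEN and PULLUP_LEN_LOCKED it is never `#undef`'d at the end of the opcode loop (the `#undef` block in the last hunk), so it stays visible for the rest of the translation unit. Renaming it to something like `IPFW_PULLUP_LOCKED` and adding an `#undef` next to the other two would fix both. The empty `unlock` argument expands to a bare `;`, which is harmless but deserves a one-line comment on the macro: `/* unlock: statement run before bailing out; empty for the unlocked variant */`.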
@@ -2310,7 +2316,7 @@ do {  
\
 
case O_TCPOPTS:
if (proto == IPPROTO_TCP && offset == 0 && ulp){
-   PULLUP_LEN(hlen, ulp,
+   PULLUP_LEN_LOCKED(hlen, ulp,
(TCP(ulp)->th_off << 2));
match = tcpopts_match(TCP(ulp), cmd);
}
@@ -2335,7 +2341,7 @@ do {  
\
uint16_t mss, *p;
int i;
 
-   PULLUP_LEN(hlen, ulp,
+   PULLUP_LEN_LOCKED(hlen, ulp,
(TCP(ulp)->th_off << 2));
if ((tcpopts_parse(TCP(ulp), ) &
IP_FW_TCPOPT_MSS) == 0)
@@ -3182,6 +3188,7 @@ do {  
\
 
}   /* end of inner loop, scan opcodes */
 #undef PULLUP_LEN
+#undef PULLUP_LEN_LOCKED
 
if (done)
break;


svn commit: r350240 - head/sys/netpfil/ipfw

2019-07-23 Thread Andrey V. Elsukov
Author: ae
Date: Tue Jul 23 12:52:36 2019
New Revision: 350240
URL: https://svnweb.freebsd.org/changeset/base/350240

Log:
  Eliminate rmlock from ipfw's BPF code.
  
  After r343631 pfil hooks are invoked in a net_epoch_preempt section,
  which allows the extra locking to be avoided. Add a NET_EPOCH_ASSERT()
  assertion to each ipfw_bpf_*tap*() call to require that it is called
  from inside an epoch section.
  
  Use NET_EPOCH_WAIT() in ipfw_clone_destroy() to wait until it becomes
  safe to free() the ifnet. And use an on-stack ifnet pointer in each
  ipfw_bpf_*tap*() call to avoid a NULL pointer dereference in case the
  V_*log_if global variable becomes NULL during the ipfw_bpf_*tap*() call.
  
  Sponsored by: Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw_bpf.c

Modified: head/sys/netpfil/ipfw/ip_fw_bpf.c
==
--- head/sys/netpfil/ipfw/ip_fw_bpf.c   Tue Jul 23 09:39:27 2019
(r350239)
+++ head/sys/netpfil/ipfw/ip_fw_bpf.c   Tue Jul 23 12:52:36 2019
(r350240)
@@ -32,7 +32,6 @@ __FBSDID("$FreeBSD$");
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
@@ -57,15 +56,6 @@ VNET_DEFINE_STATIC(struct if_clone *, ipfwlog_cloner);
 #defineV_log_ifVNET(log_if)
 #defineV_pflog_if  VNET(pflog_if)
 
-static struct rmlock log_if_lock;
-#defineLOGIF_LOCK_INIT(x)  rm_init(_if_lock, "ipfw log_if 
lock")
-#defineLOGIF_LOCK_DESTROY(x)   rm_destroy(_if_lock)
-#defineLOGIF_RLOCK_TRACKER struct rm_priotracker _log_tracker
-#defineLOGIF_RLOCK(x)  rm_rlock(_if_lock, &_log_tracker)
-#defineLOGIF_RUNLOCK(x)rm_runlock(_if_lock, &_log_tracker)
-#defineLOGIF_WLOCK(x)  rm_wlock(_if_lock)
-#defineLOGIF_WUNLOCK(x)rm_wunlock(_if_lock)
-
 static const char ipfwname[] = "ipfw";
 static const char ipfwlogname[] = "ipfwlog";
 
@@ -90,13 +80,12 @@ static void
 ipfw_clone_destroy(struct ifnet *ifp)
 {
 
-   LOGIF_WLOCK();
if (ifp->if_hdrlen == ETHER_HDR_LEN)
V_log_if = NULL;
else
V_pflog_if = NULL;
-   LOGIF_WUNLOCK();
 
+   NET_EPOCH_WAIT();
bpfdetach(ifp);
if_detach(ifp);
if_free(ifp);
@@ -118,16 +107,13 @@ ipfw_clone_create(struct if_clone *ifc, int unit, cadd
ifp->if_hdrlen = ETHER_HDR_LEN;
if_attach(ifp);
bpfattach(ifp, DLT_EN10MB, ETHER_HDR_LEN);
-   LOGIF_WLOCK();
if (V_log_if != NULL) {
-   LOGIF_WUNLOCK();
bpfdetach(ifp);
if_detach(ifp);
if_free(ifp);
return (EEXIST);
}
V_log_if = ifp;
-   LOGIF_WUNLOCK();
return (0);
 }
 
@@ -147,48 +133,42 @@ ipfwlog_clone_create(struct if_clone *ifc, int unit, c
ifp->if_hdrlen = PFLOG_HDRLEN;
if_attach(ifp);
bpfattach(ifp, DLT_PFLOG, PFLOG_HDRLEN);
-   LOGIF_WLOCK();
if (V_pflog_if != NULL) {
-   LOGIF_WUNLOCK();
bpfdetach(ifp);
if_detach(ifp);
if_free(ifp);
return (EEXIST);
}
V_pflog_if = ifp;
-   LOGIF_WUNLOCK();
return (0);
 }
 
 void
 ipfw_bpf_tap(u_char *pkt, u_int pktlen)
 {
-   LOGIF_RLOCK_TRACKER;
+   struct ifnet *ifp = V_log_if;
 
-   LOGIF_RLOCK();
-   if (V_log_if != NULL)
-   BPF_TAP(V_log_if, pkt, pktlen);
-   LOGIF_RUNLOCK();
+   NET_EPOCH_ASSERT();
+   if (ifp != NULL)
+   BPF_TAP(ifp, pkt, pktlen);
 }
 
 void
 ipfw_bpf_mtap(struct mbuf *m)
 {
-   LOGIF_RLOCK_TRACKER;
+   struct ifnet *ifp = V_log_if;
 
-   LOGIF_RLOCK();
-   if (V_log_if != NULL)
-   BPF_MTAP(V_log_if, m);
-   LOGIF_RUNLOCK();
+   NET_EPOCH_ASSERT();
+   if (ifp != NULL)
+   BPF_MTAP(ifp, m);
 }
 
 void
 ipfw_bpf_mtap2(void *data, u_int dlen, struct mbuf *m)
 {
struct ifnet *logif;
-   LOGIF_RLOCK_TRACKER;
 
-   LOGIF_RLOCK();
+   NET_EPOCH_ASSERT();
switch (dlen) {
case (ETHER_HDR_LEN):
logif = V_log_if;
@@ -205,19 +185,14 @@ ipfw_bpf_mtap2(void *data, u_int dlen, struct mbuf *m)
 
if (logif != NULL)
BPF_MTAP2(logif, data, dlen, m);
-
-   LOGIF_RUNLOCK();
 }
 
 void
-ipfw_bpf_init(int first)
+ipfw_bpf_init(int first __unused)
 {
 
-   if (first) {
-   LOGIF_LOCK_INIT();
-   V_log_if = NULL;
-   V_pflog_if = NULL;
-   }
+   V_log_if = NULL;
+   V_pflog_if = NULL;
V_ipfw_cloner = if_clone_simple(ipfwname, ipfw_clone_create,
ipfw_clone_destroy, 0);
V_ipfwlog_cloner = if_clone_simple(ipfwlogname, ipfwlog_clone_create,
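Review bot: Dropping the `if (first)` guard means V_log_if and V_pflog_if are now reset in every vnet rather than only in the first one, which looks like the intent since they are VNET variables, but nothing says so. A comment would keep the next reader from re-adding the guard: `/* Per-vnet state: reset in every vnet, not only the first. */`. ipfw_bpf_init() continues into the next, truncated hunk.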
@@ -225,12 +200,10 @@ ipfw_bpf_init(int first)
 }
 
 void
-ipfw_bpf_uninit(int last)
+ipfw_bpf_uninit(int last __unused)
 {
 

svn commit: r349941 - head/sys/netpfil/ipfw

2019-07-12 Thread Andrey V. Elsukov
Author: ae
Date: Fri Jul 12 09:59:21 2019
New Revision: 349941
URL: https://svnweb.freebsd.org/changeset/base/349941

Log:
  Do not modify cmd pointer if it is already last opcode in the rule.
  
  MFC after:1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw_eaction.c

Modified: head/sys/netpfil/ipfw/ip_fw_eaction.c
==
--- head/sys/netpfil/ipfw/ip_fw_eaction.c   Fri Jul 12 09:48:42 2019
(r349940)
+++ head/sys/netpfil/ipfw/ip_fw_eaction.c   Fri Jul 12 09:59:21 2019
(r349941)
@@ -387,7 +387,7 @@ ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_f
while (l > 0) {
cmdlen = F_LEN(cmd);
l -= cmdlen;
-   if (cmd->opcode == O_EXTERNAL_ACTION)
+   if (cmd->opcode == O_EXTERNAL_ACTION || l <= 0)
break;
cmd += cmdlen;
}
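Review bot: The added `|| l <= 0` keeps `cmd` on the last opcode instead of advancing one past the end of the rule, so the `cmd->opcode` test after the loop no longer reads out of bounds when O_EXTERNAL_ACTION is absent. The loop still terminates only because F_LEN(cmd) is non-zero for every opcode, which rule validation at insertion presumably guarantees; a short comment would record both: `/* Stop on the last opcode: cmd must never point past the rule. */`. ipfw_reset_eaction() continues outside the hunk.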


svn commit: r349940 - head/sys/netpfil/ipfw

2019-07-12 Thread Andrey V. Elsukov
Author: ae
Date: Fri Jul 12 09:48:42 2019
New Revision: 349940
URL: https://svnweb.freebsd.org/changeset/base/349940

Log:
  Correctly truncate the rule in case when it has several action opcodes.
  
  It is possible that the opcode at the ACTION_PTR() location is not the real
  action, but an action modifier like "log", "tag" etc. In this case we
  need to check each opcode in a loop to find O_EXTERNAL_ACTION.
  
  Obtained from:Yandex LLC
  MFC after:1 week
  Sponsored by: Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw_eaction.c

Modified: head/sys/netpfil/ipfw/ip_fw_eaction.c
==
--- head/sys/netpfil/ipfw/ip_fw_eaction.c   Fri Jul 12 09:02:12 2019
(r349939)
+++ head/sys/netpfil/ipfw/ip_fw_eaction.c   Fri Jul 12 09:48:42 2019
(r349940)
@@ -377,35 +377,51 @@ ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_f
 uint16_t eaction_id, uint16_t default_id, uint16_t instance_id)
 {
ipfw_insn *cmd, *icmd;
+   int l, cmdlen;
 
IPFW_UH_WLOCK_ASSERT(ch);
IPFW_WLOCK_ASSERT(ch);
 
cmd = ACTION_PTR(rule);
+   l = rule->cmd_len - rule->act_ofs;
+   while (l > 0) {
+   cmdlen = F_LEN(cmd);
+   l -= cmdlen;
+   if (cmd->opcode == O_EXTERNAL_ACTION)
+   break;
+   cmd += cmdlen;
+   }
+   /*
+* Return if there is not O_EXTERNAL_ACTION or its id is
+* different.
+*/
if (cmd->opcode != O_EXTERNAL_ACTION ||
cmd->arg1 != eaction_id)
return (0);
-
-   if (instance_id != 0 && rule->act_ofs < rule->cmd_len - 1) {
+   /*
+* If instance_id is specified, we need to truncate the
+* rule length. Check if there is O_EXTERNAL_INSTANCE opcode.
+*/
+   if (instance_id != 0 && l > 0) {
+   MPASS(cmdlen == 1);
icmd = cmd + 1;
if (icmd->opcode != O_EXTERNAL_INSTANCE ||
icmd->arg1 != instance_id)
return (0);
-   /* FALLTHROUGH */
+   /*
+* Since named_object related to this instance will be
+* destroyed, truncate the chain of opcodes to remove
+* the rest of cmd chain just after O_EXTERNAL_ACTION
+* opcode.
+*/
+   EACTION_DEBUG("truncate rule %d: len %u -> %u",
+   rule->rulenum, rule->cmd_len, rule->cmd_len - l);
+   rule->cmd_len -= l;
+   MPASS(((uint32_t *)icmd -
+   (uint32_t *)rule->cmd) == rule->cmd_len);
}
 
cmd->arg1 = default_id; /* Set to default id */
-   /*
-* Since named_object related to this instance will be
-* also destroyed, truncate the chain of opcodes to
-* remove the rest of cmd chain just after O_EXTERNAL_ACTION
-* opcode.
-*/
-   if (rule->act_ofs < rule->cmd_len - 1) {
-   EACTION_DEBUG("truncate rule %d: len %u -> %u",
-   rule->rulenum, rule->cmd_len, rule->act_ofs + 1);
-   rule->cmd_len = rule->act_ofs + 1;
-   }
/*
 * Return 1 when reset successfully happened.
 */
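Review bot: The scan loop can leave `cmd` pointing one opcode past the end of the rule: when no O_EXTERNAL_ACTION is present, the last iteration still executes `cmd += cmdlen` after `l` has dropped to zero, and the following `cmd->opcode` read is then out of bounds. Breaking when the rule is exhausted avoids that: `if (cmd->opcode == O_EXTERNAL_ACTION || l <= 0) break;`. The truncation `rule->cmd_len -= l` also drops every opcode after O_EXTERNAL_ACTION, not only O_EXTERNAL_INSTANCE, which the comment above it does not say.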


Re: svn commit: r349366 - head/sys/netpfil/ipfw

2019-06-25 Thread Andrey V. Elsukov
On 25.06.2019 16:28, Rodney W. Grimes wrote:
>> Author: ae
>> Date: Tue Jun 25 11:40:37 2019
>> New Revision: 349366
>> URL: https://svnweb.freebsd.org/changeset/base/349366
>>
>> Log:
>>   Follow the RFC 3128 and drop short TCP fragments with offset = 1.
>>   
>>   Reported by:   emaste
>>   MFC after: 1 week
> 
> Can we get a counter or something so that the dropping of these
> is not totally silent and invisible?

They are logged, like all short packets, with the "Pullup failed" message
when net.inet.ip.fw.verbose is enabled.

-- 
WBR, Andrey V. Elsukov





svn commit: r349366 - head/sys/netpfil/ipfw

2019-06-25 Thread Andrey V. Elsukov
Author: ae
Date: Tue Jun 25 11:40:37 2019
New Revision: 349366
URL: https://svnweb.freebsd.org/changeset/base/349366

Log:
  Follow the RFC 3128 and drop short TCP fragments with offset = 1.
  
  Reported by:  emaste
  MFC after:1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==
--- head/sys/netpfil/ipfw/ip_fw2.c  Tue Jun 25 09:11:22 2019
(r349365)
+++ head/sys/netpfil/ipfw/ip_fw2.c  Tue Jun 25 11:40:37 2019
(r349366)
@@ -1719,6 +1719,11 @@ do { 
\
default:
break;
}
+   } else {
+   if (offset == 1 && proto == IPPROTO_TCP) {
+   /* RFC 3128 */
+   goto pullup_failed;
+   }
}
 
UPDATE_POINTERS();
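Review bot: Dropping the offset-1 TCP fragment through `pullup_failed` reuses the pull-up failure path, so the packet is logged as a pull-up failure rather than as an RFC 3128 tiny-fragment drop and the two cases are indistinguishable in the log. The bare `/* RFC 3128 */` should also say why the packet is dropped: `/* RFC 3128: a TCP fragment with offset 1 cannot carry a complete TCP header and exists only to evade filters; drop it. */`. ipfw_chk() continues outside the hunk.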


svn commit: r349365 - head/sys/netpfil/ipfw

2019-06-25 Thread Andrey V. Elsukov
Author: ae
Date: Tue Jun 25 09:11:22 2019
New Revision: 349365
URL: https://svnweb.freebsd.org/changeset/base/349365

Log:
  Mark the default rule with the IPFW_RULE_NOOPT flag, so it can be shown in
  compact form.
  
  MFC after:1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==
--- head/sys/netpfil/ipfw/ip_fw2.c  Tue Jun 25 09:08:24 2019
(r349364)
+++ head/sys/netpfil/ipfw/ip_fw2.c  Tue Jun 25 09:11:22 2019
(r349365)
@@ -3364,6 +3364,7 @@ vnet_ipfw_init(const void *unused)
 
/* fill and insert the default rule */
rule = ipfw_alloc_rule(chain, sizeof(struct ip_fw));
+   rule->flags |= IPFW_RULE_NOOPT;
rule->cmd_len = 1;
rule->cmd[0].len = 1;
rule->cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY;


svn commit: r349364 - head/sbin/ipfw

2019-06-25 Thread Andrey V. Elsukov
Author: ae
Date: Tue Jun 25 09:08:24 2019
New Revision: 349364
URL: https://svnweb.freebsd.org/changeset/base/349364

Log:
  Restore ipfw(8)'s compact output support broken after r331668.
  
  Also modify it a bit. Now the -c option omits only the 'from any to any'
  part and works for different protocols (not just for ip).
  
  Reported by:  Dmitry Selivanov 
  MFC after:1 week

Modified:
  head/sbin/ipfw/ipfw2.c

Modified: head/sbin/ipfw/ipfw2.c
==
--- head/sbin/ipfw/ipfw2.c  Tue Jun 25 07:44:37 2019(r349363)
+++ head/sbin/ipfw/ipfw2.c  Tue Jun 25 09:08:24 2019(r349364)
@@ -2223,6 +2223,8 @@ show_static_rule(struct cmdline_opts *co, struct forma
}
 
print_proto(bp, fo, );
+   if (co->do_compact != 0 && (rule->flags & IPFW_RULE_NOOPT))
+   goto justopts;
 
/* Print source */
bprintf(bp, " from");
@@ -4395,6 +4397,8 @@ chkarg:
}
 OR_BLOCK(get_proto);
 
+   first_cmd = cmd; /* update pointer to use in compact form */
+
/*
 * "from", mandatory
 */
@@ -4466,6 +4470,8 @@ chkarg:
cmd = next_cmd(cmd, );
}
}
+   if (first_cmd == cmd)
+   rule->flags |= IPFW_RULE_NOOPT;
 
 read_options:
prev = NULL;
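Review bot: The compact display in the first hunk trusts the IPFW_RULE_NOOPT flag stored in the rule instead of re-deriving it from the opcodes, while the flag is only computed here from `first_cmd == cmd`; if the kernel does not validate the flag against the rule body (not visible here), a rule carrying the flag together with address opcodes would be shown by `-c` without its source/destination criteria. A comment at the flag assignment stating the invariant would help: `/* No address or port opcodes were emitted: the rule is "from any to any". */`. The enclosing functions continue outside these hunks.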


svn commit: r349267 - in head: sbin/ipfw sys/netinet sys/netpfil/ipfw

2019-06-21 Thread Andrey V. Elsukov
Author: ae
Date: Fri Jun 21 10:54:51 2019
New Revision: 349267
URL: https://svnweb.freebsd.org/changeset/base/349267

Log:
  Add "tcpmss" opcode to match the TCP MSS value.
  
  With this opcode it is possible to match TCP packets carrying the MSS
  option whose value corresponds to the value configured in the opcode.
  It is allowed to specify a single value, a range of values, or an array of
  specific values or ranges. E.g.
  
   # ipfw add deny log tcp from any to any tcpmss 0-500
  
  Reviewed by:  melifaro,bcr
  Obtained from:Yandex LLC
  MFC after:1 week
  Sponsored by: Yandex LLC

Modified:
  head/sbin/ipfw/ipfw.8
  head/sbin/ipfw/ipfw2.c
  head/sbin/ipfw/ipfw2.h
  head/sys/netinet/ip_fw.h
  head/sys/netpfil/ipfw/ip_fw2.c
  head/sys/netpfil/ipfw/ip_fw_sockopt.c

Modified: head/sbin/ipfw/ipfw.8
==
--- head/sbin/ipfw/ipfw.8   Fri Jun 21 07:58:08 2019(r349266)
+++ head/sbin/ipfw/ipfw.8   Fri Jun 21 10:54:51 2019(r349267)
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd May 24, 2019
+.Dd June 21, 2019
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -1989,6 +1989,12 @@ a non-zero offset.
 See the
 .Cm frag
 option for details on matching fragmented packets.
+.It Cm tcpmss Ar tcpmss-list
+Matches TCP packets whose MSS (maximum segment size) value is set to
+.Ar tcpmss-list ,
+which is either a single value or a list of values or ranges
+specified in the same way as
+.Ar ports .
 .It Cm tcpseq Ar seq
 TCP packets only.
 Match if the TCP header sequence number field is set to

Modified: head/sbin/ipfw/ipfw2.c
==
--- head/sbin/ipfw/ipfw2.c  Fri Jun 21 07:58:08 2019(r349266)
+++ head/sbin/ipfw/ipfw2.c  Fri Jun 21 10:54:51 2019(r349267)
@@ -338,6 +338,7 @@ static struct _s_x rule_options[] = {
{ "tcpdatalen", TOK_TCPDATALEN },
{ "tcpflags",   TOK_TCPFLAGS },
{ "tcpflgs",TOK_TCPFLAGS },
+   { "tcpmss", TOK_TCPMSS },
{ "tcpoptions", TOK_TCPOPTS },
{ "tcpopts",TOK_TCPOPTS },
{ "tcpseq", TOK_TCPSEQ },
@@ -881,6 +882,7 @@ static struct _s_x _port_name[] = {
{"ipttl",   O_IPTTL},
{"mac-type",O_MAC_TYPE},
{"tcpdatalen",  O_TCPDATALEN},
+   {"tcpmss",  O_TCPMSS},
{"tcpwin",  O_TCPWIN},
{"tagged",  O_TAGGED},
{NULL,  0}
@@ -1588,6 +1590,7 @@ print_instruction(struct buf_pr *bp, const struct form
case O_IPTTL:
case O_IPLEN:
case O_TCPDATALEN:
+   case O_TCPMSS:
case O_TCPWIN:
if (F_LEN(cmd) == 1) {
switch (cmd->opcode) {
@@ -1603,6 +1606,9 @@ print_instruction(struct buf_pr *bp, const struct form
case O_TCPDATALEN:
s = "tcpdatalen";
break;
+   case O_TCPMSS:
+   s = "tcpmss";
+   break;
case O_TCPWIN:
s = "tcpwin";
break;
@@ -4709,14 +4715,18 @@ read_options:
av++;
break;
 
+   case TOK_TCPMSS:
case TOK_TCPWIN:
-   NEED1("tcpwin requires length");
+   NEED1("tcpmss/tcpwin requires size");
if (strpbrk(*av, "-,")) {
-   if (!add_ports(cmd, *av, 0, O_TCPWIN, cblen))
-   errx(EX_DATAERR, "invalid tcpwin len %s", *av);
+   if (add_ports(cmd, *av, 0,
+   i == TOK_TCPWIN ? O_TCPWIN : O_TCPMSS,
+   cblen) == NULL)
+   errx(EX_DATAERR, "invalid %s size %s",
+   s, *av);
} else
-   fill_cmd(cmd, O_TCPWIN, 0,
-   strtoul(*av, NULL, 0));
+   fill_cmd(cmd, i == TOK_TCPWIN ? O_TCPWIN :
+   O_TCPMSS, 0, strtoul(*av, NULL, 0));
av++;
break;
 
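Review bot: `strtoul(*av, NULL, 0)` in the single-value branch silently turns a non-numeric or out-of-range tcpmss/tcpwin argument into 0 (or ULONG_MAX) and hands it to fill_cmd() without a range check, whereas the list branch rejects bad input with `invalid %s size`; the single-value branch should do the same. This predates the commit for tcpwin, but the commit extends it to the new opcode. The upper bound below assumes the opcode argument is 16-bit, which should be confirmed against fill_cmd().
```c
		} else {
			char *end;
			unsigned long v;

			errno = 0;
			v = strtoul(*av, &end, 0);
			if (end == *av || *end != '\0' || errno != 0 ||
			    v > UINT16_MAX)	/* arg1 assumed 16-bit — confirm */
				errx(EX_DATAERR, "invalid %s size %s", s, *av);
			fill_cmd(cmd, i == TOK_TCPWIN ? O_TCPWIN : O_TCPMSS,
			    0, v);
		}
		/* … unchanged: av++; break; … */
```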

Modified: head/sbin/ipfw/ipfw2.h
==
--- head/sbin/ipfw/ipfw2.h  Fri Jun 21 07:58:08 2019(r349266)
+++ head/sbin/ipfw/ipfw2.h  Fri Jun 21 10:54:51 2019(r349267)
@@ -151,6 +151,7 @@ enum tokens {
TOK_TCPOPTS,
TOK_TCPSEQ,
TOK_TCPACK,
+   TOK_TCPMSS,
TOK_TCPWIN,
TOK_ICMPTYPES,
TOK_MAC,

Modified: head/sys/netinet/ip_fw.h
==
--- 

svn commit: r348774 - head/sys/sys

2019-06-07 Thread Andrey V. Elsukov
Author: ae
Date: Fri Jun  7 08:30:35 2019
New Revision: 348774
URL: https://svnweb.freebsd.org/changeset/base/348774

Log:
  Use underscores for internal variable name to avoid conflicts.
  
  MFC after:1 week

Modified:
  head/sys/sys/counter.h

Modified: head/sys/sys/counter.h
==
--- head/sys/sys/counter.h  Fri Jun  7 08:21:01 2019(r348773)
+++ head/sys/sys/counter.h  Fri Jun  7 08:30:35 2019(r348774)
@@ -43,23 +43,23 @@ voidcounter_u64_zero(counter_u64_t);
 uint64_t   counter_u64_fetch(counter_u64_t);
 
 #defineCOUNTER_ARRAY_ALLOC(a, n, wait) do {\
-   for (int i = 0; i < (n); i++)   \
-   (a)[i] = counter_u64_alloc(wait);   \
+   for (int _i = 0; _i < (n); _i++)\
+   (a)[_i] = counter_u64_alloc(wait);  \
 } while (0)
 
 #defineCOUNTER_ARRAY_FREE(a, n)do {\
-   for (int i = 0; i < (n); i++)   \
-   counter_u64_free((a)[i]);   \
+   for (int _i = 0; _i < (n); _i++)\
+   counter_u64_free((a)[_i]);  \
 } while (0)
 
 #defineCOUNTER_ARRAY_COPY(a, dstp, n)  do {\
-   for (int i = 0; i < (n); i++)   \
-   ((uint64_t *)(dstp))[i] = counter_u64_fetch((a)[i]);\
+   for (int _i = 0; _i < (n); _i++)\
+   ((uint64_t *)(dstp))[_i] = counter_u64_fetch((a)[_i]);\
 } while (0)
 
 #defineCOUNTER_ARRAY_ZERO(a, n)do {\
-   for (int i = 0; i < (n); i++)   \
-   counter_u64_zero((a)[i]);   \
+   for (int _i = 0; _i < (n); _i++)\
+   counter_u64_zero((a)[_i]);  \
 } while (0)
 
 /*
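Review bot: The renamed loop variable avoids shadowing a caller's `i`, but `(n)` and `(a)` are still evaluated on every iteration, so an argument with side effects or a non-trivial expression is re-evaluated n times. If callers only pass constants or plain identifiers that is harmless; otherwise `for (int _i = 0, _n = (n); _i < _n; _i++)` evaluates `n` once. A one-line comment above the macros recording that `a` and `n` must be side-effect free would be the cheaper alternative.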


svn commit: r348682 - head/sys/netpfil/ipfw/nat64

2019-06-05 Thread Andrey V. Elsukov
Author: ae
Date: Wed Jun  5 09:25:40 2019
New Revision: 348682
URL: https://svnweb.freebsd.org/changeset/base/348682

Log:
  Initialize V_nat64out methods explicitly.
  
  It looks like static initialization of the variable doesn't work with
  VIMAGE and this leads to a panic.
  
  Reported by:  olivier
  MFC after:1 week

Modified:
  head/sys/netpfil/ipfw/nat64/ip_fw_nat64.c

Modified: head/sys/netpfil/ipfw/nat64/ip_fw_nat64.c
==
--- head/sys/netpfil/ipfw/nat64/ip_fw_nat64.c   Wed Jun  5 04:58:42 2019
(r348681)
+++ head/sys/netpfil/ipfw/nat64/ip_fw_nat64.c   Wed Jun  5 09:25:40 2019
(r348682)
@@ -83,6 +83,8 @@ vnet_ipfw_nat64_init(const void *arg __unused)
 
ch = _layer3_chain;
first = IS_DEFAULT_VNET(curvnet) ? 1: 0;
+   /* Initialize V_nat64out methods explicitly. */
+   nat64_set_output_method(0);
error = nat64stl_init(ch, first);
if (error != 0)
return (error);
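Review bot: The argument `0` passed to `nat64_set_output_method()` on the added line is an unexplained literal, and the comment above it restates the log message rather than saying which output method 0 selects. Either pass the named constant that the function's definition uses for that value, or extend the comment so the next reader does not have to look it up, e.g. `/* Initialize V_nat64out methods explicitly (0 = <method name from nat64_set_output_method()>). */` with the placeholder resolved from the definition. vnet_ipfw_nat64_init() begins outside the hunk, so whether this should also be guarded by `first` cannot be judged here; the log suggests the per-vnet call is intentional.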


Re: svn commit: r348303 - head/sys/net

2019-05-29 Thread Andrey V. Elsukov
On 29.05.2019 06:12, Gleb Smirnoff wrote:
> A> bpf_mtap() is not the only consumer of bd_bif, some of them expect it
> A> becomes NULL when descriptor is detached.
> 
> May be then make a flag attached/detached?

Do you have benchmark results that show some benefit in performance? :)
I prefer to wait some time after the MFC to get a bit wider testing before
doing further performance optimizations.

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r348303 - head/sys/net

2019-05-28 Thread Andrey V. Elsukov
29.05.2019 3:10, Gleb Smirnoff пишет:
>   Hi Andrey,
> 
> I made a different change to mitigate this panic: don't clear the pointer.
> 
> --- a/FreeBSD/sys/net/bpf.c
> +++ b/FreeBSD/sys/net/bpf.c
> @@ -857,7 +857,6 @@ bpf_detachd_locked(struct bpf_d *d, bool detached_ifp)
> /* Save bd_writer value */
> error = d->bd_writer;
> ifp = bp->bif_ifp;
> -   d->bd_bif = NULL;
> if (detached_ifp) {
> /*
>  * Notify descriptor as it's detached, so that any
> 
> Since every bpf_d holds a reference on bpf_if until delayed free happens,
> the the bpf_if is going to be valid.
> 
> This allows not to use epoch_wait and run fully async. The patch above is
> a minimal patch: with NULL assignment removed, several more pieces of code
> can be removed in bpf.c
> 
> Of course your patch also is going to work, but what do you think:
> are there any landmines with fully async approach?

Hi,

bpf_mtap() is not the only consumer of bd_bif; some of the others expect it
to become NULL when the descriptor is detached.

-- 
WBR, Andrey V. Elsukov


svn commit: r348324 - head/sys/net

2019-05-28 Thread Andrey V. Elsukov
Author: ae
Date: Tue May 28 11:45:00 2019
New Revision: 348324
URL: https://svnweb.freebsd.org/changeset/base/348324

Log:
  Rework r348303 to reduce the time of holding global BPF lock.
  
  It appeared that using NET_EPOCH_WAIT() while holding global BPF lock
  can lead to another panic:
  
  spin lock 0xf800183c9840 (turnstile lock) held by 0xf80018e2c5a0 (tid 
100325) too long
  panic: spin lock held too long
  ...
  #0  sched_switch (td=0xf80018e2c5a0, newtd=0xf8000389e000, 
flags=) at /usr/src/sys/kern/sched_ule.c:2133
  #1  0x80bf9912 in mi_switch (flags=256, newtd=0x0) at 
/usr/src/sys/kern/kern_synch.c:439
  #2  0x80c21db7 in sched_bind (td=, cpu=) at /usr/src/sys/kern/sched_ule.c:2704
  #3  0x80c34c33 in epoch_block_handler_preempt (global=, cr=0xfe5a1a00, arg=)
  at /usr/src/sys/kern/subr_epoch.c:394
  #4  0x803c741b in epoch_block (global=, cr=, cb=, ct=)
  at /usr/src/sys/contrib/ck/src/ck_epoch.c:416
  #5  ck_epoch_synchronize_wait (global=0xf8000380cd80, cb=, 
ct=) at /usr/src/sys/contrib/ck/src/ck_epoch.c:465
  #6  0x80c3475e in epoch_wait_preempt (epoch=0xf8000380cd80) at 
/usr/src/sys/kern/subr_epoch.c:513
  #7  0x80ce970b in bpf_detachd_locked (d=0xf801d309cc00, 
detached_ifp=) at /usr/src/sys/net/bpf.c:856
  #8  0x80ced166 in bpf_detachd (d=) at 
/usr/src/sys/net/bpf.c:836
  #9  bpf_dtor (data=0xf801d309cc00) at /usr/src/sys/net/bpf.c:914
  
  To fix this, add a check to catchpacket() that the BPF descriptor was
  not detached just before we acquired BPFD_LOCK().
  
  Reported by:  slavash
  Tested by:slavash
  MFC after:1 week

Modified:
  head/sys/net/bpf.c

Modified: head/sys/net/bpf.c
==
--- head/sys/net/bpf.c  Tue May 28 10:55:59 2019(r348323)
+++ head/sys/net/bpf.c  Tue May 28 11:45:00 2019(r348324)
@@ -850,15 +850,10 @@ bpf_detachd_locked(struct bpf_d *d, bool detached_ifp)
/* Check if descriptor is attached */
if ((bp = d->bd_bif) == NULL)
return;
-   /*
-* Remove d from the interface's descriptor list.
-* And wait until bpf_[m]tap*() will finish their possible work
-* with descriptor.
-*/
-   CK_LIST_REMOVE(d, bd_next);
-   NET_EPOCH_WAIT();
 
BPFD_LOCK(d);
+   /* Remove d from the interface's descriptor list. */
+   CK_LIST_REMOVE(d, bd_next);
/* Save bd_writer value */
error = d->bd_writer;
ifp = bp->bif_ifp;
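Review bot: The replacement comment on the `CK_LIST_REMOVE(d, bd_next);` line drops the explanation of why unlinking d without NET_EPOCH_WAIT() is now safe, which is the whole point of the rework: readers in bpf_[m]tap*() may still hold a pointer to d until their epoch section ends. A comment stating that invariant would keep the next reader from re-adding the wait, e.g. `/* Unlink d. Concurrent bpf_[m]tap*() readers may still see it until their epoch section ends; catchpacket() re-checks bd_bif under BPFD_LOCK and d itself is only freed via epoch_call(). */` (the epoch_call() freeing path is described in the r347526 log on this page, not in this hunk). bpf_detachd_locked() continues past the hunk, where bd_bif is presumably cleared.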
@@ -2494,6 +2489,11 @@ catchpacket(struct bpf_d *d, u_char *pkt, u_int pktlen
int tstype;
 
BPFD_LOCK_ASSERT(d);
+   if (d->bd_bif == NULL) {
+   /* Descriptor was detached in concurrent thread */
+   counter_u64_add(d->bd_dcount, 1);
+   return;
+   }
 
/*
 * Detect whether user space has released a buffer back to us, and if
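Review bot: The new early return in catchpacket() depends on bd_bif being cleared under BPFD_LOCK in bpf_detachd_locked(), which is outside this hunk; the comment should name that dependency so a future locking change does not quietly break the check, e.g. `/* bd_bif is cleared under BPFD_LOCK by bpf_detachd_locked(); NULL here means the descriptor was detached concurrently, so count the packet as dropped. */`. Accounting the packet in bd_dcount is reasonable since no consumer can receive it any more, but that choice is worth stating as well. catchpacket() continues beyond the hunk.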


svn commit: r348303 - head/sys/net

2019-05-27 Thread Andrey V. Elsukov
Author: ae
Date: Mon May 27 12:41:41 2019
New Revision: 348303
URL: https://svnweb.freebsd.org/changeset/base/348303

Log:
  Fix possible NULL pointer dereference.
  
  bpf_mtap() can invoke catchpacket() for an already detached descriptor.
  This can lead to a NULL pointer dereference, since the bd_bif pointer
  was reset to NULL in bpf_detachd_locked(). To avoid this, use
  NET_EPOCH_WAIT() when the descriptor is removed from the interface's
  descriptor list. After the wait it is safe to modify the descriptor's content.
  
  Submitted by: kib
  Reported by:  slavash
  MFC after:1 week

Modified:
  head/sys/net/bpf.c

Modified: head/sys/net/bpf.c
==
--- head/sys/net/bpf.c  Mon May 27 06:37:23 2019(r348302)
+++ head/sys/net/bpf.c  Mon May 27 12:41:41 2019(r348303)
@@ -850,10 +850,15 @@ bpf_detachd_locked(struct bpf_d *d, bool detached_ifp)
/* Check if descriptor is attached */
if ((bp = d->bd_bif) == NULL)
return;
+   /*
+* Remove d from the interface's descriptor list.
+* And wait until bpf_[m]tap*() will finish their possible work
+* with descriptor.
+*/
+   CK_LIST_REMOVE(d, bd_next);
+   NET_EPOCH_WAIT();
 
BPFD_LOCK(d);
-   /* Remove d from the interface's descriptor list. */
-   CK_LIST_REMOVE(d, bd_next);
/* Save bd_writer value */
error = d->bd_writer;
ifp = bp->bif_ifp;
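Review bot: The added NET_EPOCH_WAIT() runs with the global BPF lock held (the caller enters bpf_detachd_locked() under BPF_LOCK, and the r348324 log above confirms the wait was taken while holding it), so every detach blocks all other BPF lock holders until every running bpf_[m]tap*() epoch section finishes; the same log records the resulting "spin lock held too long" panic. If a wait is kept at this point, the added comment should make the cost visible to reviewers: `/* NB: blocks with BPF_LOCK held until all bpf_[m]tap*() epoch sections finish. */`. bpf_detachd_locked() continues beyond the hunk.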


svn commit: r348301 - head/sbin/ipfw

2019-05-27 Thread Andrey V. Elsukov
Author: ae
Date: Mon May 27 06:34:36 2019
New Revision: 348301
URL: https://svnweb.freebsd.org/changeset/base/348301

Log:
  Remove unused token that was added in r348235.
  
  MFC after:2 weeks

Modified:
  head/sbin/ipfw/ipfw2.h

Modified: head/sbin/ipfw/ipfw2.h
==
--- head/sbin/ipfw/ipfw2.h  Mon May 27 06:22:43 2019(r348300)
+++ head/sbin/ipfw/ipfw2.h  Mon May 27 06:34:36 2019(r348301)
@@ -266,7 +266,6 @@ enum tokens {
TOK_OLIST,
TOK_MISSING,
TOK_ORFLUSH,
-   TOK_OPTIONAL,
 
/* NAT64 tokens */
TOK_NAT64STL,


svn commit: r348236 - head/sys/netinet6

2019-05-24 Thread Andrey V. Elsukov
Author: ae
Date: Fri May 24 11:45:32 2019
New Revision: 348236
URL: https://svnweb.freebsd.org/changeset/base/348236

Log:
  Restore IPV6_NEXTHOP option support, which seems to have been partially
  broken since r286195.
  
  Do not discard the result of the route lookup; initialize the rt and ifp pointers.
  
  PR:   238098
  Submitted by: Masse Nicolas 
  MFC after:1 week

Modified:
  head/sys/netinet6/in6_src.c

Modified: head/sys/netinet6/in6_src.c
==
--- head/sys/netinet6/in6_src.c Fri May 24 11:06:24 2019(r348235)
+++ head/sys/netinet6/in6_src.c Fri May 24 11:45:32 2019(r348236)
@@ -724,6 +724,10 @@ selectroute(struct sockaddr_in6 *dstsock, struct ip6_p
if (ron->ro_rt == NULL ||
(ron->ro_rt->rt_flags & RTF_GATEWAY) != 0)
error = EHOSTUNREACH;
+   else {
+   rt = ron->ro_rt;
+   ifp = rt->rt_ifp;
+   }
goto done;
}
 
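Review bot: The new `else` branch assigns `rt = ron->ro_rt;` without taking a reference on the route, so the caller receives a pointer whose lifetime is tied to the `ron` route cache; that is fine if the caller only uses rt while `ron` is live, but nothing in the hunk says so, and a one-line comment would pin the contract, e.g. `/* rt/ifp borrow ron's reference; the caller must not hold them past ron. */` (to be confirmed against selectroute()'s callers, which are not visible here). Readability would also improve by bracing the single-statement `if` body now that its `else` is braced. selectroute() begins and ends outside the hunk.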


svn commit: r348235 - head/sbin/ipfw

2019-05-24 Thread Andrey V. Elsukov
Author: ae
Date: Fri May 24 11:06:24 2019
New Revision: 348235
URL: https://svnweb.freebsd.org/changeset/base/348235

Log:
  Add `missing` and `or-flush` options to "ipfw table  create"
  command to simplify firewall reloading.
  
  The `missing` option suppresses the EEXIST error code, but still checks that
  the existing table has the same parameters as the new one. The `or-flush`
  option implies `missing` and additionally flushes the table if it
  already exists.
  
  Submitted by: lev
  MFC after:2 weeks
  Differential Revision:https://reviews.freebsd.org/D18339

Modified:
  head/sbin/ipfw/ipfw.8
  head/sbin/ipfw/ipfw2.h
  head/sbin/ipfw/tables.c

Modified: head/sbin/ipfw/ipfw.8
==
--- head/sbin/ipfw/ipfw.8   Fri May 24 09:01:54 2019(r348234)
+++ head/sbin/ipfw/ipfw.8   Fri May 24 11:06:24 2019(r348235)
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd April 21, 2019
+.Dd May 24, 2019
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -2138,7 +2138,7 @@ The following creation options are supported:
 .Bl -tag -width indent
 .It Ar create-options : Ar create-option | create-options
 .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm 
algo Ar algo-desc |
-.Cm limit Ar number | Cm locked
+.Cm limit Ar number | Cm locked | Cm missing | Cm or-flush
 .It Cm type
 Table key type.
 .It Cm valtype
@@ -2149,6 +2149,13 @@ Table algorithm to use (see below).
 Maximum number of items that may be inserted into table.
 .It Cm locked
 Restrict any table modifications.
+.It Cm missing
+Do not fail if table already exists and has exactly same options as new one.
+.It Cm or-flush
+Flush existing table with same name instead of returning error.
+Implies
+.Cm missing
+so existing table must be compatible with new one.
 .El
 .Pp
 Some of these options may be modified later via

Modified: head/sbin/ipfw/ipfw2.h
==
--- head/sbin/ipfw/ipfw2.h  Fri May 24 09:01:54 2019(r348234)
+++ head/sbin/ipfw/ipfw2.h  Fri May 24 11:06:24 2019(r348235)
@@ -264,6 +264,9 @@ enum tokens {
TOK_UNLOCK,
TOK_VLIST,
TOK_OLIST,
+   TOK_MISSING,
+   TOK_ORFLUSH,
+   TOK_OPTIONAL,
 
/* NAT64 tokens */
TOK_NAT64STL,
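Review bot: `TOK_OPTIONAL` is added to `enum tokens` but none of this commit's tables.c hunks maps a keyword to it or handles it, so it is dead on arrival (the r348301 log further up on this page confirms it was unused and removes it again). An unused value in a token enum shared across ipfw2 is a small but real maintenance hazard; drop it here, or add it in the same change that consumes it.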

Modified: head/sbin/ipfw/tables.c
==
--- head/sbin/ipfw/tables.c Fri May 24 09:01:54 2019(r348234)
+++ head/sbin/ipfw/tables.c Fri May 24 11:06:24 2019(r348235)
@@ -327,6 +327,8 @@ static struct _s_x tablenewcmds[] = {
   { "algo",TOK_ALGO },
   { "limit",   TOK_LIMIT },
   { "locked",  TOK_LOCK },
+  { "missing", TOK_MISSING },
+  { "or-flush",TOK_ORFLUSH },
   { NULL, 0 }
 };
 
@@ -389,19 +391,19 @@ table_print_type(char *tbuf, size_t size, uint8_t type
  * Creates new table
  *
  * ipfw table NAME create [ type { addr | iface | number | flow } ]
- * [ algo algoname ]
+ * [ algo algoname ] [missing] [or-flush]
  */
 static void
 table_create(ipfw_obj_header *oh, int ac, char *av[])
 {
-   ipfw_xtable_info xi;
-   int error, tcmd, val;
+   ipfw_xtable_info xi, xie;
+   int error, missing, orflush, tcmd, val;
uint32_t fset, fclear;
char *e, *p;
char tbuf[128];
 
+   missing = orflush = 0;
memset(, 0, sizeof(xi));
-
while (ac > 0) {
tcmd = get_token(tablenewcmds, *av, "option");
ac--; av++;
@@ -457,6 +459,12 @@ table_create(ipfw_obj_header *oh, int ac, char *av[])
case TOK_LOCK:
xi.flags |= IPFW_TGFLAGS_LOCKED;
break;
+   case TOK_ORFLUSH:
+   orflush = 1;
+   /* FALLTHROUGH */
+   case TOK_MISSING:
+   missing = 1;
+   break;
}
}
 
@@ -466,8 +474,28 @@ table_create(ipfw_obj_header *oh, int ac, char *av[])
if (xi.vmask == 0)
xi.vmask = IPFW_VTYPE_LEGACY;
 
-   if ((error = table_do_create(oh, )) != 0)
+   error = table_do_create(oh, );
+
+   if (error == 0)
+   return;
+
+   if (errno != EEXIST || missing == 0)
err(EX_OSERR, "Table creation failed");
+
+   /* Check that existing table is the same we are trying to create */
+   if (table_get_info(oh, ) != 0)
+   err(EX_OSERR, "Existing table check failed");
+
+   if (xi.limit != xie.limit || xi.type != xie.type ||
+   xi.tflags != xie.tflags || xi.vmask != xie.vmask || (
+   xi.algoname[0] != '\0' && strcmp(xi.algoname,
+   xie.algoname) != 0) || xi.flags != xie.flags)
+   errx(EX_DATAERR, "The existing table is not compatible "
+   "with one you are 

svn commit: r347563 - head/sys/kern

2019-05-14 Thread Andrey V. Elsukov
Author: ae
Date: Tue May 14 10:21:28 2019
New Revision: 347563
URL: https://svnweb.freebsd.org/changeset/base/347563

Log:
  Remove the bpf interface lock; it no longer exists.

Modified:
  head/sys/kern/subr_witness.c

Modified: head/sys/kern/subr_witness.c
==
--- head/sys/kern/subr_witness.cTue May 14 04:34:58 2019
(r347562)
+++ head/sys/kern/subr_witness.cTue May 14 10:21:28 2019
(r347563)
@@ -576,7 +576,6 @@ static struct witness_order_list_entry order_lists[] =
 * BPF
 */
{ "bpf global lock", _class_sx },
-   { "bpf interface lock", _class_rw },
{ "bpf cdev lock", _class_mtx_sleep },
{ NULL, NULL },
/*


svn commit: r347527 - head/sys/net

2019-05-13 Thread Andrey V. Elsukov
Author: ae
Date: Mon May 13 14:07:02 2019
New Revision: 347527
URL: https://svnweb.freebsd.org/changeset/base/347527

Log:
  Do not leak memory used for binary filter.

Modified:
  head/sys/net/bpf.c

Modified: head/sys/net/bpf.c
==
--- head/sys/net/bpf.c  Mon May 13 13:45:28 2019(r347526)
+++ head/sys/net/bpf.c  Mon May 13 14:07:02 2019(r347527)
@@ -2628,11 +2628,17 @@ bpfd_free(epoch_context_t ctx)
if (d->bd_rfilter != NULL) {
p = __containerof((void *)d->bd_rfilter,
struct bpf_program_buffer, buffer);
+#ifdef BPF_JITTER
+   p->func = d->bd_bfilter;
+#endif
bpf_program_buffer_free(>epoch_ctx);
}
if (d->bd_wfilter != NULL) {
p = __containerof((void *)d->bd_wfilter,
struct bpf_program_buffer, buffer);
+#ifdef BPF_JITTER
+   p->func = NULL;
+#endif
bpf_program_buffer_free(>epoch_ctx);
}
 
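Review bot: The two `#ifdef BPF_JITTER` blocks are asymmetric — `p->func = d->bd_bfilter;` for the read filter versus `p->func = NULL;` for the write filter — and nothing in the hunk says why. If the reason is that only the read filter is ever JIT-compiled (bd_bfilter is the only compiled program the hunk shows the descriptor holding), state it where the NULL is written, `/* Write filters are never JIT-compiled; nothing to release. */`, and on the read side `/* Hand the JIT program to the buffer so it is released together with it. */` — the latter assumes bpf_program_buffer_free() frees p->func, which is not visible here. bpfd_free() begins outside the hunk.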


svn commit: r347526 - head/sys/net

2019-05-13 Thread Andrey V. Elsukov
Author: ae
Date: Mon May 13 13:45:28 2019
New Revision: 347526
URL: https://svnweb.freebsd.org/changeset/base/347526

Log:
  Rework locking in BPF code to remove rwlock from fast path.
  
  At high packet rates, contention on the rwlock in the bpf_*tap*() functions
  can lead to packet drops. To avoid this, migrate this code to the
  epoch(9) KPI and ConcurrencyKit's lists.
  
  * all lists changed to use CK_LIST;
  * reference counting added to bpf_if and bpf_d;
  * now bpf_if references ifnet and releases this reference on destroy;
  * each bpf_d descriptor references bpf_if when it is attached;
  * new struct bpf_program_buffer introduced to keep BPF filter programs;
  * bpf_program_buffer, bpf_d and bpf_if structures are freed by
epoch_call();
  * bpf_freelist and ifnet_departure event are no longer needed, thus
both are removed;
  
  Reviewed by:  melifaro
  Sponsored by: Yandex LLC
  Differential Revision:https://reviews.freebsd.org/D20224

Modified:
  head/sys/net/bpf.c
  head/sys/net/bpf.h
  head/sys/net/bpfdesc.h

Modified: head/sys/net/bpf.c
==
--- head/sys/net/bpf.c  Mon May 13 13:30:34 2019(r347525)
+++ head/sys/net/bpf.c  Mon May 13 13:45:28 2019(r347526)
@@ -3,6 +3,7 @@
  *
  * Copyright (c) 1990, 1991, 1993
  * The Regents of the University of California.  All rights reserved.
+ * Copyright (c) 2019 Andrey V. Elsukov 
  *
  * This code is derived from the Stanford/CMU enet packet filter,
  * (net/enet.c) distributed as part of 4.3BSD, and code contributed
@@ -46,7 +47,6 @@ __FBSDID("$FreeBSD$");
 #include 
 #include 
 #include 
-#include 
 #include 
 #include 
 #include 
@@ -99,7 +99,7 @@ __FBSDID("$FreeBSD$");
 MALLOC_DEFINE(M_BPF, "BPF", "BPF data");
 
 static struct bpf_if_ext dead_bpf_if = {
-   .bif_dlist = LIST_HEAD_INITIALIZER()
+   .bif_dlist = CK_LIST_HEAD_INITIALIZER()
 };
 
 struct bpf_if {
@@ -108,19 +108,22 @@ struct bpf_if {
struct bpf_if_ext bif_ext;  /* public members */
u_int   bif_dlt;/* link layer type */
u_int   bif_hdrlen; /* length of link header */
+   struct bpfd_list bif_wlist; /* writer-only list */
struct ifnet*bif_ifp;   /* corresponding interface */
-   struct rwlock   bif_lock;   /* interface lock */
-   LIST_HEAD(, bpf_d) bif_wlist;   /* writer-only list */
-   int bif_flags;  /* Interface flags */
struct bpf_if   **bif_bpf;  /* Pointer to pointer to us */
+   volatile u_int  bif_refcnt;
+   struct epoch_context epoch_ctx;
 };
 
 CTASSERT(offsetof(struct bpf_if, bif_ext) == 0);
 
-#define BPFIF_RLOCK(bif)   rw_rlock(&(bif)->bif_lock)
-#define BPFIF_RUNLOCK(bif) rw_runlock(&(bif)->bif_lock)
-#define BPFIF_WLOCK(bif)   rw_wlock(&(bif)->bif_lock)
-#define BPFIF_WUNLOCK(bif) rw_wunlock(&(bif)->bif_lock)
+struct bpf_program_buffer {
+   struct epoch_contextepoch_ctx;
+#ifdef BPF_JITTER
+   bpf_jit_filter  *func;
+#endif
+   void*buffer[0];
+};
 
 #if defined(DEV_BPF) || defined(NETGRAPH_BPF)
 
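Review bot: `void *buffer[0];` in the new `struct bpf_program_buffer` is a GNU zero-length array; C99 provides the flexible array member `void *buffer[];`, which is what trailing variable-length storage and the `__containerof()` use in r347527 above are defined against, and it does not trip -Wpedantic. The new `volatile u_int bif_refcnt;` field also arrives without a comment on which primitive owns it or when the object is released; something like `/* Reference count; bif_ext is freed via epoch_ctx when it drops to zero. */` would help, with the acquire/release sites to be confirmed since they are outside the hunk.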
@@ -173,18 +176,24 @@ struct bpf_dltlist32 {
 #define BPF_LOCK_ASSERT()  sx_assert(_sx, SA_XLOCKED)
 /*
  * bpf_iflist is a list of BPF interface structures, each corresponding to a
- * specific DLT.  The same network interface might have several BPF interface
+ * specific DLT. The same network interface might have several BPF interface
  * structures registered by different layers in the stack (i.e., 802.11
  * frames, ethernet frames, etc).
  */
-static LIST_HEAD(, bpf_if) bpf_iflist, bpf_freelist;
+CK_LIST_HEAD(bpf_iflist, bpf_if);
+static struct bpf_iflist bpf_iflist;
 static struct sx   bpf_sx; /* bpf global lock */
 static int bpf_bpfd_cnt;
 
+static voidbpfif_ref(struct bpf_if *);
+static voidbpfif_rele(struct bpf_if *);
+
+static voidbpfd_ref(struct bpf_d *);
+static voidbpfd_rele(struct bpf_d *);
 static voidbpf_attachd(struct bpf_d *, struct bpf_if *);
 static voidbpf_detachd(struct bpf_d *);
-static voidbpf_detachd_locked(struct bpf_d *);
-static voidbpf_freed(struct bpf_d *);
+static voidbpf_detachd_locked(struct bpf_d *, bool);
+static voidbpfd_free(epoch_context_t);
 static int bpf_movein(struct uio *, int, struct ifnet *, struct mbuf **,
struct sockaddr *, int *, struct bpf_d *);
 static int bpf_setif(struct bpf_d *, struct ifreq *);
@@ -243,37 +252,106 @@ static struct filterops bpfread_filtops = {
.f_event = filt_bpfread,
 };
 
-eventhandler_tag   bpf_ifdetach_cookie = NULL;
-
 /*
- * LOCKING MODEL USED BY BPF:
+ * LOCKING MODEL USED BY BPF
+ *
  * Locks:
- * 1) global lock (BPF_LOCK). Mutex, used to protect interface 
addition/removal,
- * some global counters and every b

svn commit: r347519 - head/sys/modules/ipsec

2019-05-13 Thread Andrey V. Elsukov
Author: ae
Date: Mon May 13 08:34:13 2019
New Revision: 347519
URL: https://svnweb.freebsd.org/changeset/base/347519

Log:
  Revert r347402. After r347429 symlink is no longer needed.

Modified:
  head/sys/modules/ipsec/Makefile

Modified: head/sys/modules/ipsec/Makefile
==
--- head/sys/modules/ipsec/Makefile Mon May 13 08:29:28 2019
(r347518)
+++ head/sys/modules/ipsec/Makefile Mon May 13 08:34:13 2019
(r347519)
@@ -7,7 +7,6 @@ SRCS=   if_ipsec.c ipsec.c ipsec_input.c ipsec_mbuf.c ip
ipsec_output.c xform_ah.c xform_esp.c xform_ipcomp.c \
opt_inet.h opt_inet6.h opt_ipsec.h opt_sctp.h 
 SRCS.INET= udpencap.c
-SYMLINKS=  ${KMOD}.ko ${KMODDIR}/if_${KMOD}.ko
 
 opt_ipsec.h:
@echo "#define IPSEC_SUPPORT 1" > ${.TARGET}


Re: svn commit: r347410 - in head: . sys/amd64/conf sys/arm/conf sys/arm64/conf sys/i386/conf sys/powerpc/conf sys/riscv/conf sys/sparc64/conf

2019-05-10 Thread Andrey V. Elsukov
On 10.05.2019 21:39, Alexey Dokuchaev wrote:
>> The second cause -- reduce overhead that IPSEC produces even when it
>> is not used.
> 
> So does it mean that if I don't plan to use IPSEC, I can safely remove
> IPSEC_SUPPORT from my config and also get slight performance boost?

Yes, currently each call into IPsec has a check like
`if (ipsec_enabled) {...}`; when you build the kernel without
IPSEC/IPSEC_SUPPORT, this check is removed too, which can give some
performance boost :-)

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r347410 - in head: . sys/amd64/conf sys/arm/conf sys/arm64/conf sys/i386/conf sys/powerpc/conf sys/riscv/conf sys/sparc64/conf

2019-05-10 Thread Andrey V. Elsukov
On 10.05.2019 18:31, Andrew Gallatin wrote:
> On 2019-05-10 08:44, Slawa Olhovchenkov wrote:
> 
>> pf have ifdef for IPSEC, but don't have support IPSEC_SUPPORT
>> (netpfil/pf/if_pfsync.c).
>>
> 
> Thanks for pointing this out.  It seems like IPSEC_SUPPORT would work
> for this.  I've made a patch, and it compiles and the pf module loads.
> However, I have no knowledge of how to test it.  Is this something
> that you use, and which you can test?
>

I think you need to include opt_ipsec.h to have a chance of compiling it. But
as Kristof said, it won't work.

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r347410 - in head: . sys/amd64/conf sys/arm/conf sys/arm64/conf sys/i386/conf sys/powerpc/conf sys/riscv/conf sys/sparc64/conf

2019-05-10 Thread Andrey V. Elsukov
On 10.05.2019 11:46, Alexey Dokuchaev wrote:
> On Thu, May 09, 2019 at 10:38:15PM +, Andrew Gallatin wrote:
>> Author: gallatin
>> Date: Thu May  9 22:38:15 2019
>> New Revision: 347410
>> URL: https://svnweb.freebsd.org/changeset/base/347410
>>
>> Log:
>>   Remove IPSEC from GENERIC due to performance issues
>>   
>> @@ -30,7 +30,6 @@ optionsPREEMPTION  # Enable ...
>>  options VIMAGE  # Subsystem virtualization, e.g. VNET
>>  options INET# InterNETworking
>>  options INET6   # IPv6 communications protocols
>> -options IPSEC   # IP (v4/v6) security
>>  options IPSEC_SUPPORT   # Allow kldload of ipsec and tcpmd5
> 
> I've asked this question some two years ago, but no one could answer it
> back then, so I'll try again.
> 
> What is the reason behind having IPSEC_SUPPORT option instead of no special
> option at all?  If I grep for SUPPORT in conf/GENERIC, I see things like
> INVARIANT_SUPPORT or IEEE80211_SUPPORT_MESH (with meaningful explanations)
> but IPSEC_SUPPORT which, per the comment, "allows to kldload of ipsec and
> tcpmd5", is totally beyond me.  Lots of kernel features are/can be loaded
> as modules, but we don't have things like SOUND_SUPPORT or USB_SUPPORT.

IPSEC_SUPPORT builds the PF_KEY protocol domain into the kernel; it is
required by the IPsec implementation to interact with userland. Currently
the kernel does not support unregistering protocol domains, which is
mostly why the IPSEC_SUPPORT option was introduced. The second reason is
to reduce the overhead that IPSEC produces even when it is not used.

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r347402 - head/sys/modules/ipsec

2019-05-10 Thread Andrey V. Elsukov
On 09.05.2019 22:13, Kyle Evans wrote:
>> there is two IPsec related interfaces that have problem with automatic
>> loading - if_enc and if_ipsec. So, if you add both to the mapping list,
>> this will be useful. CAM enc driver has conflicting name and prevents to
>> automatic loading of if_enc(4). It is probably always build in the
>> kernel, but renaming it into "ses" may break some third-party device
>> drivers.
>>
> 
> I think you want something like [0] to add both of these to the map
> and stop ifconfig(8) from bailing on loading if_enc because 'enc' is
> loaded. This is safe at least for the set of modules currently mapped.
> 
> Thanks,
> 
> Kyle Evans
> 
> [0] https://people.freebsd.org/~kevans/ipsec.diff

It looks good to me.

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r347402 - head/sys/modules/ipsec

2019-05-09 Thread Andrey V. Elsukov
On 09.05.2019 21:36, Kyle Evans wrote:
> Any chance the mechanism I introduced for ifconfig mapping ifname <->
> kld in r347241 would solve the same set of problems this would?
> (unsure if there are any non-ifconfig(8) problems in consideration) If
> we have more consumers of it than just vmnet (from a stable/ point of
> view) then I'd be more than happy to MFC that separately from the rest
> of the commit.
> 

Hi,

there are two IPsec-related interfaces that have problems with automatic
loading - if_enc and if_ipsec. So, if you add both to the mapping list,
it will be useful. The CAM enc driver has a conflicting name and prevents
automatic loading of if_enc(4). It is probably always built into the
kernel, but renaming it to "ses" may break some third-party device
drivers.

-- 
WBR, Andrey V. Elsukov





svn commit: r347402 - head/sys/modules/ipsec

2019-05-09 Thread Andrey V. Elsukov
Author: ae
Date: Thu May  9 18:06:11 2019
New Revision: 347402
URL: https://svnweb.freebsd.org/changeset/base/347402

Log:
  Add if_ipsec.ko symlink to ipsec.ko kernel module.
  
  This adds the ability to automatically load the ipsec kernel module when
  an if_ipsec(4) virtual interface is created using ifconfig(8).
  
  Reviewed by:  gallatin
  MFC after:1 week
  Differential Revision:https://reviews.freebsd.org/D20169

Modified:
  head/sys/modules/ipsec/Makefile

Modified: head/sys/modules/ipsec/Makefile
==
--- head/sys/modules/ipsec/Makefile Thu May  9 17:57:04 2019
(r347401)
+++ head/sys/modules/ipsec/Makefile Thu May  9 18:06:11 2019
(r347402)
@@ -7,6 +7,7 @@ SRCS=   if_ipsec.c ipsec.c ipsec_input.c ipsec_mbuf.c ip
ipsec_output.c xform_ah.c xform_esp.c xform_ipcomp.c \
opt_inet.h opt_inet6.h opt_ipsec.h opt_sctp.h 
 SRCS.INET= udpencap.c
+SYMLINKS=  ${KMOD}.ko ${KMODDIR}/if_${KMOD}.ko
 
 opt_ipsec.h:
@echo "#define IPSEC_SUPPORT 1" > ${.TARGET}


svn commit: r347383 - head/sys/netinet6

2019-05-09 Thread Andrey V. Elsukov
Author: ae
Date: Thu May  9 07:57:33 2019
New Revision: 347383
URL: https://svnweb.freebsd.org/changeset/base/347383

Log:
  In mld_v2_cancel_link_timers() check number of references and disconnect
  inm before releasing the last reference. This fixes possible panics and
  assertion.
  
  PR:   237329
  Reviewed by:  mmacy
  MFC after:2 weeks

Modified:
  head/sys/netinet6/mld6.c

Modified: head/sys/netinet6/mld6.c
==
--- head/sys/netinet6/mld6.cThu May  9 07:34:15 2019(r347382)
+++ head/sys/netinet6/mld6.cThu May  9 07:57:33 2019(r347383)
@@ -1708,6 +1708,8 @@ mld_v2_cancel_link_timers(struct mld_ifsoftc *mli)
 * version, we need to release the final
 * reference held for issuing the INCLUDE {}.
 */
+   if (inm->in6m_refcount == 1)
+   in6m_disconnect_locked(, inm);
in6m_rele_locked(, inm);
/* FALLTHROUGH */
case MLD_G_QUERY_PENDING_MEMBER:
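Review bot: The new `if (inm->in6m_refcount == 1)` reads the reference count as a plain field to decide that this is the last reference; that is only sound if the lock the caller holds (this is a `_locked` path) excludes concurrent acquire/release on inm, which the hunk cannot show, so the assumption deserves a comment: `/* Last reference (caller holds the lock): disconnect inm before in6m_rele_locked() frees it. */`. Comparing against 1 also quietly encodes that in6m_rele_locked() frees at zero; if that contract changes, this check goes stale without a compiler complaint. mld_v2_cancel_link_timers() begins and ends outside the hunk.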


svn commit: r347178 - head/libexec/rc/rc.d

2019-05-06 Thread Andrey V. Elsukov
Author: ae
Date: Mon May  6 08:30:53 2019
New Revision: 347178
URL: https://svnweb.freebsd.org/changeset/base/347178

Log:
  Add ipsec.ko to required_modules for rc.d/ipsec script.
  
  Thus the module can be loaded automatically if ipsec_enable="YES" and option
  IPSEC is not in the kernel config.
  
  MFC after:1 week

Modified:
  head/libexec/rc/rc.d/ipsec

Modified: head/libexec/rc/rc.d/ipsec
==
--- head/libexec/rc/rc.d/ipsec  Mon May  6 03:39:25 2019(r347177)
+++ head/libexec/rc/rc.d/ipsec  Mon May  6 08:30:53 2019(r347178)
@@ -20,6 +20,7 @@ stop_cmd="ipsec_stop"
 reload_cmd="ipsec_reload"
 extra_commands="reload"
 ipsec_program="/sbin/setkey"
+required_modules="ipsec"
 # ipsec_file is set by rc.conf
 
 ipsec_prestart()


Re: svn commit: r341586 - head/sys/dev/mlx5/mlx5_en

2019-04-30 Thread Andrey V. Elsukov
On 30.04.2019 00:14, John Baldwin wrote:
>> Yes, we were able to reproduce this issue in house. If you don't mind, I 
>> prefer to wait for John's update - where he eliminates the EAGAIN 
>> handling in the network drivers.
> 
> I have rebased the branch for this, but for now it will just panic sooner
> I believe by tripping an assertion.  Can you grab the diff (or just the 
> branch)
> from the 'send_tags' branch at github/bsdjhb/freebsd and reproduce under a
> kernel with INVARIANTS?  I think we will have to explicitly clear the 'rcvif'
> pointer somewhere, but I want to see what the stack trace looks like so I can
> think about the "right" place to clear it.

Hi,

please note that rcvif is used by the firewall to track the inbound interface;
clearing it can be unexpected in some cases and can break firewall
rules.

-- 
WBR, Andrey V. Elsukov


svn commit: r346885 - head/sbin/ipfw

2019-04-29 Thread Andrey V. Elsukov
Author: ae
Date: Mon Apr 29 09:52:53 2019
New Revision: 346885
URL: https://svnweb.freebsd.org/changeset/base/346885

Log:
  Handle HAVE_PROTO flag and print "proto" keyword for O_IP4 and O_IP6
  opcodes when it is needed.
  This should fix the problem where a rule printed by `ipfw show` could not
  be added back due to the missing "proto" keyword.
  
  MFC after:2 weeks

Modified:
  head/sbin/ipfw/ipfw2.c

Modified: head/sbin/ipfw/ipfw2.c
==
--- head/sbin/ipfw/ipfw2.c  Mon Apr 29 09:33:16 2019(r346884)
+++ head/sbin/ipfw/ipfw2.c  Mon Apr 29 09:52:53 2019(r346885)
@@ -1701,9 +1701,13 @@ print_instruction(struct buf_pr *bp, const struct form
IPFW_TLV_STATE_NAME));
break;
case O_IP6:
+   if (state->flags & HAVE_PROTO)
+   bprintf(bp, " proto");
bprintf(bp, " ip6");
break;
case O_IP4:
+   if (state->flags & HAVE_PROTO)
+   bprintf(bp, " proto");
bprintf(bp, " ip4");
break;
case O_ICMP6TYPE:
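Review bot: The added `if (state->flags & HAVE_PROTO)` / `bprintf(bp, " proto");` pair is duplicated verbatim in the O_IP6 and O_IP4 arms, which now differ only in the final literal; printing the optional `" proto"` once in a shared arm and then the family keyword would keep the two paths from drifting apart. The reason the keyword matters (per the log, the printed rule otherwise cannot be parsed back) is not stated in the code, so a comment at the first occurrence would help: `/* Without "proto", the printed rule cannot be re-added by ipfw(8). */`. print_instruction() begins and ends outside the hunk.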


svn commit: r346884 - head/sys/netpfil/ipfw

2019-04-29 Thread Andrey V. Elsukov
Author: ae
Date: Mon Apr 29 09:33:16 2019
New Revision: 346884
URL: https://svnweb.freebsd.org/changeset/base/346884

Log:
  Add IPv6 support for O_IPLEN opcode.
  
  Obtained from:Yandex LLC
  MFC after:1 week
  Sponsored by: Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==
--- head/sys/netpfil/ipfw/ip_fw2.c  Mon Apr 29 05:35:52 2019
(r346883)
+++ head/sys/netpfil/ipfw/ip_fw2.c  Mon Apr 29 09:33:16 2019
(r346884)
@@ -2191,9 +2191,11 @@ do { 
\
break;
 
case O_IPID:
-   case O_IPLEN:
case O_IPTTL:
-   if (is_ipv4) {  /* only for IP packets */
+   if (!is_ipv4)
+   break;
+   case O_IPLEN:
+   {   /* only for IP packets */
uint16_t x;
uint16_t *p;
int i;
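Review bot: The new `if (!is_ipv4) break;` under `case O_IPTTL:` now falls through into `case O_IPLEN:` for IPv4 packets without a `/* FALLTHROUGH */` annotation, which lint and -Wimplicit-fallthrough will flag and which a reader can easily mistake for a forgotten break. Add `/* FALLTHROUGH */` on the line after the `break;`. The opcode body continues past the hunk, so whether the IPv6 length is actually read there could not be checked here.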


svn commit: r346630 - in head: sbin/ifconfig share/man/man4 sys/modules/if_gre sys/net sys/netinet sys/netinet6

2019-04-24 Thread Andrey V. Elsukov
Author: ae
Date: Wed Apr 24 09:05:45 2019
New Revision: 346630
URL: https://svnweb.freebsd.org/changeset/base/346630

Log:
  Add GRE-in-UDP encapsulation support as defined in RFC8086.
  
  This GRE-in-UDP encapsulation allows the UDP source port field to be
  used as an entropy field for load-balancing of GRE traffic in transit
  networks. Also, most multiqueue network cards are able to distribute
  incoming UDP datagrams to different NIC queues, while very few are
  able to do this for GRE packets.
  
  When an administrator enables UDP encapsulation with command
  `ifconfig gre0 udpencap`, the driver creates kernel socket, that binds
  to tunnel source address and after udp_set_kernel_tunneling() starts
  receiving of all UDP packets destined to 4754 port. Each kernel socket
  maintains list of tunnels with different destination addresses. Thus
  when several tunnels use the same source address, they all handled by
  single socket.  The IP[V6]_BINDANY socket option is used to be able bind
  socket to source address even if it is not yet available in the system.
  This may happen on system boot, when gre(4) interface is created before
  source address become available. The encapsulation and sending of packets
  is done directly from gre(4) into ip[6]_output() without using sockets.
  
  Reviewed by:  eugen
  MFC after:1 month
  Relnotes: yes
  Differential Revision:https://reviews.freebsd.org/D19921

Modified:
  head/sbin/ifconfig/ifgre.c
  head/share/man/man4/gre.4
  head/sys/modules/if_gre/Makefile
  head/sys/net/if_gre.c
  head/sys/net/if_gre.h
  head/sys/netinet/ip_gre.c
  head/sys/netinet6/ip6_gre.c

Modified: head/sbin/ifconfig/ifgre.c
==
--- head/sbin/ifconfig/ifgre.c  Wed Apr 24 06:41:52 2019(r346629)
+++ head/sbin/ifconfig/ifgre.c  Wed Apr 24 09:05:45 2019(r346630)
@@ -44,15 +44,16 @@ __FBSDID("$FreeBSD$");
 
 #include "ifconfig.h"
 
-#defineGREBITS "\020\01ENABLE_CSUM\02ENABLE_SEQ"
+#defineGREBITS "\020\01ENABLE_CSUM\02ENABLE_SEQ\03UDPENCAP"
 
 static void gre_status(int s);
 
 static void
 gre_status(int s)
 {
-   uint32_t opts = 0;
+   uint32_t opts, port;
 
+   opts = 0;
ifr.ifr_data = (caddr_t)
if (ioctl(s, GREGKEY, ) == 0)
if (opts != 0)
@@ -60,6 +61,11 @@ gre_status(int s)
opts = 0;
if (ioctl(s, GREGOPTS, ) != 0 || opts == 0)
return;
+
+   port = 0;
+   ifr.ifr_data = (caddr_t)
+   if (ioctl(s, GREGPORT, ) == 0 && port != 0)
+   printf("\tudpport: %u\n", port);
printb("\toptions", opts, GREBITS);
putchar('\n');
 }
@@ -77,6 +83,18 @@ setifgrekey(const char *val, int dummy __unused, int s
 }
 
 static void
+setifgreport(const char *val, int dummy __unused, int s,
+const struct afswtch *afp)
+{
+   uint32_t udpport = strtol(val, NULL, 0);
+
+   strlcpy(ifr.ifr_name, name, sizeof (ifr.ifr_name));
+   ifr.ifr_data = (caddr_t)
+   if (ioctl(s, GRESPORT, (caddr_t)) < 0)
+   warn("ioctl (set udpport)");
+}
+
+static void
 setifgreopts(const char *val, int d, int s, const struct afswtch *afp)
 {
uint32_t opts;
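Review bot: `uint32_t udpport = strtol(val, NULL, 0);` in setifgreport() accepts any string: garbage parses as 0 (which the gre.4 text in this commit defines as "disable"), a negative value wraps to a large unsigned number, and values above 65535 are passed to the kernel unchecked. Parse with an end pointer and reject anything outside 0..65535 before issuing the GRESPORT ioctl, as below (errno needs <errno.h> if ifgre.c does not include it already; errx comes from the same <err.h> that provides the warn() already used here).
```c
static void
setifgreport(const char *val, int dummy __unused, int s,
    const struct afswtch *afp)
{
	char *end;
	unsigned long v;
	uint32_t udpport;

	errno = 0;
	v = strtoul(val, &end, 0);
	if (end == val || *end != '\0' || errno == ERANGE || v > 65535)
		errx(1, "invalid udpport value: %s", val);
	udpport = (uint32_t)v;
	/* … unchanged: strlcpy of ifr_name, ifr_data setup, GRESPORT ioctl … */
}
```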
@@ -101,10 +119,13 @@ setifgreopts(const char *val, int d, int s, const stru
 
 static struct cmd gre_cmds[] = {
DEF_CMD_ARG("grekey",   setifgrekey),
+   DEF_CMD_ARG("udpport",  setifgreport),
DEF_CMD("enable_csum", GRE_ENABLE_CSUM, setifgreopts),
DEF_CMD("-enable_csum",-GRE_ENABLE_CSUM,setifgreopts),
DEF_CMD("enable_seq", GRE_ENABLE_SEQ,   setifgreopts),
DEF_CMD("-enable_seq",-GRE_ENABLE_SEQ,  setifgreopts),
+   DEF_CMD("udpencap", GRE_UDPENCAP,   setifgreopts),
+   DEF_CMD("-udpencap",-GRE_UDPENCAP,  setifgreopts),
 };
 static struct afswtch af_gre = {
.af_name= "af_gre",

Modified: head/share/man/man4/gre.4
==
--- head/share/man/man4/gre.4   Wed Apr 24 06:41:52 2019(r346629)
+++ head/share/man/man4/gre.4   Wed Apr 24 09:05:45 2019(r346630)
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 2, 2015
+.Dd April 24, 2019
 .Dt GRE 4
 .Os
 .Sh NAME
@@ -89,7 +89,45 @@ A value of 0 disables the key option.
 Enables checksum calculation for outgoing packets.
 .It Ar enable_seq
 Enables use of sequence number field in the GRE header for outgoing packets.
+.It Ar udpencap
+Enables UDP-in-GRE encapsulation (see the
+.Sx GRE-IN-UDP ENCAPSULATION
+Section below for details).
+.It Ar udpport
+Set the source UDP port for outgoing packets.
+A value of 0 disables the persistence of source UDP port for outgoing packets.
+See the
+.Sx GRE-IN-UDP ENCAPSULATION
+Section below for details.
 .El
+.Sh GRE-IN-UDP ENCAPSULATION
+The
+.Nm
+supports GRE in UDP encapsulation as defined in RFC 8086.
+A GRE in UDP tunnel offers the possibility of 

Re: svn commit: r341586 - head/sys/dev/mlx5/mlx5_en

2019-04-16 Thread Andrey V. Elsukov
On 16.04.2019 18:26, Slava Shwartsman wrote:
> Thanks for letting us know about this regression.
> I would like to try to reproduce this issue in house.
> 
> Can you please share the exact steps to reproduce it?
> - Can I reproduce the issue with B2B setup?
> - What is the route command you used to make the route between the VLANs?
> - What app are you using to generate the traffic?
> 

I think this can be reproduced on simple router, where single mce(4)
interface is used as parent for several vlan(4) interfaces. E.g.

[host1] vlan100 <--> mce0.100 [gateway] mce0.200 <--> vlan200 [host2]
10.0.0.110.0.0.254  192.168.0.254192.168.0.1

gateway:
sysctl net.inet.ip.forwarding=1

host1:
route add 192.168.0.0/24 10.0.0.254

host2:
route add 10.0.0.0/24 192.168.0.254
ping 10.0.0.1

I.e. you need a setup where the ingress and egress interface are the
same - mce0.

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r341586 - head/sys/dev/mlx5/mlx5_en

2019-04-16 Thread Andrey V. Elsukov
On 05.12.2018 17:25, Slava Shwartsman wrote:
> Author: slavash
> Date: Wed Dec  5 14:25:03 2018
> New Revision: 341586
> URL: https://svnweb.freebsd.org/changeset/base/341586
> 
> Log:
>   mlx5en: Implement backpressure indication.
>   
>   The backpressure indication is implemented using an unlimited rate type of
>   mbuf send tag. When the upper layers typically the socket layer has 
> obtained such
>   a tag, it can then query the destination driver queue for the current
>   amount of space available in the send queue.
>   
>   A single mbuf send tag may be referenced multiple times and a refcount has 
> been added
>   to the mlx5e_priv structure to track its usage. Because the send tag resides
>   in the mlx5e_channel structure, there is no need to wait for refcounts to 
> reach
>   zero until the mlx4en(4) driver is detached. The channels structure is 
> persistant
>   during the lifetime of the mlx5en(4) driver it belongs to and can so be 
> accessed
>   without any need of synchronization.
>   
>   The mlx5e_snd_tag structure was extended to contain a type field, because 
> there are now
>   two different tag types which end up in the driver which need to be 
> distinguished.
>   
>   Submitted by:   hselasky@
>   Approved by:hselasky (mentor)
>   MFC after:  1 week
>   Sponsored by:   Mellanox Technologies
> @@ -587,27 +609,33 @@ mlx5e_xmit(struct ifnet *ifp, struct mbuf *mb)
>   struct mlx5e_sq *sq;
>   int ret;
>  
> - sq = mlx5e_select_queue(ifp, mb);
> - if (unlikely(sq == NULL)) {
> -#ifdef RATELIMIT
> - /* Check for route change */
> - if (mb->m_pkthdr.snd_tag != NULL &&
> - mb->m_pkthdr.snd_tag->ifp != ifp) {
> + if (mb->m_pkthdr.snd_tag != NULL) {
> + sq = mlx5e_select_queue_by_send_tag(ifp, mb);
> + if (unlikely(sq == NULL)) {
> + /* Check for route change */
> + if (mb->m_pkthdr.snd_tag->ifp != ifp) {
> + /* Free mbuf */
> + m_freem(mb);
> +
> + /*
> +  * Tell upper layers about route
> +  * change and to re-transmit this
> +  * packet:
> +  */
> + return (EAGAIN);
> + }

Hi,

I just discovered something strange and found that this commit is the
cause.
The test system has an mlx5en 100G interface. It has two vlans: vlan500 and
vlan100.
Via vlan500 it receives some packet flows. Then it routes these packets
into vlan100.
But the packets are dropped in mlx5e_xmit() with the EAGAIN error code.

# dtrace -n 'fbt::ip6_output:return {printf("%d", arg1);}'
dtrace: description 'fbt::ip6_output:return ' matched 1 probe
CPU IDFUNCTION:NAME
 23  54338ip6_output:return 35
 16  54338ip6_output:return 35
 21  54338ip6_output:return 35
 22  54338ip6_output:return 35
 24  54338ip6_output:return 35
 23  54338ip6_output:return 35
 14  54338ip6_output:return 35
^C

# dtrace -n 'fbt::mlx5e_xmit:return {printf("%d", arg1);}'
dtrace: description 'fbt::mlx5e_xmit:return ' matched 1 probe
CPU IDFUNCTION:NAME
 16  69030mlx5e_xmit:return 35
 23  69030mlx5e_xmit:return 35
 26  69030mlx5e_xmit:return 35
 25  69030mlx5e_xmit:return 35
 24  69030        mlx5e_xmit:return 35
 21  69030mlx5e_xmit:return 35
 26  69030mlx5e_xmit:return 35
^C

The kernel config is GENERIC.
13.0-CURRENT #9 r345758+82f3d57(svn_head)-dirty

-- 
WBR, Andrey V. Elsukov





Re: svn commit: r346052 - head/sys/dev/usb/net

2019-04-09 Thread Andrey V. Elsukov
On 09.04.2019 16:54, Ganbold Tsagaankhuu wrote:
> Author: ganbold
> Date: Tue Apr  9 13:54:08 2019
> New Revision: 346052
> URL: https://svnweb.freebsd.org/changeset/base/346052
> 
> Log:
>   In some cases like NanoPI R1, its second USB ethernet
>   RTL8152 (chip version URE_CHIP_VER_4C10) doesn't
>   have hardwired MAC address, in other words, it is all zeros.
>   This commit fixes it by setting random MAC address
>   when MAC address is all zeros.
>   
> - if (sc->sc_chip & URE_CHIP_VER_4C00)
> + if ((sc->sc_chip & URE_CHIP_VER_4C00) ||
> + (sc->sc_chip & URE_CHIP_VER_4C10))
>   ure_read_mem(sc, URE_PLA_IDR, URE_MCU_TYPE_PLA,
>   ue->ue_eaddr, 8);
>   else
>   ure_read_mem(sc, URE_PLA_BACKUP, URE_MCU_TYPE_PLA,
>   ue->ue_eaddr, 8);
> +
> + if (ETHER_IS_ZERO(sc->sc_ue.ue_eaddr)) {
> + device_printf(sc->sc_ue.ue_dev, "MAC assigned randomly\n");
> + arc4rand(sc->sc_ue.ue_eaddr, ETHER_ADDR_LEN, 0);
> + sc->sc_ue.ue_eaddr[0] &= ~0x01; /* unicast */
> + sc->sc_ue.ue_eaddr[0] |= 0x02;  /* locally administered */
> + }
>  }

Hi,

there is an ether_fakeaddr() function that is used for this purpose.
Maybe it is better to use it? Look at this commit:
https://svnweb.freebsd.org/base?view=revision=345139

-- 
WBR, Andrey V. Elsukov





svn commit: r345985 - head/libexec/rc

2019-04-06 Thread Andrey V. Elsukov
Author: ae
Date: Sat Apr  6 17:21:05 2019
New Revision: 345985
URL: https://svnweb.freebsd.org/changeset/base/345985

Log:
  Add firewall_[nat64|nptv6|pmod]_enable variables to /etc/defaults/rc.conf
  
  Reported by:  Andrey Fesenko
  X-MFC after:  r345450

Modified:
  head/libexec/rc/rc.conf

Modified: head/libexec/rc/rc.conf
==
--- head/libexec/rc/rc.conf Sat Apr  6 11:24:43 2019(r345984)
+++ head/libexec/rc/rc.conf Sat Apr  6 17:21:05 2019(r345985)
@@ -178,6 +178,9 @@ firewall_nologports="135-139,445 1026,1027 1433,1434" 
 firewall_nat_enable="NO"   # Enable kernel NAT (if firewall_enable == YES)
 firewall_nat_interface=""  # Public interface or IPaddress to use
 firewall_nat_flags=""  # Additional configuration parameters
+firewall_nat64_enable="NO" # Enable kernel NAT64 module.
+firewall_nptv6_enable="NO" # Enable kernel NPTv6 module.
+firewall_pmod_enable="NO"  # Enable kernel protocols modification module.
 dummynet_enable="NO"   # Load the dummynet(4) module
 ipfw_netflow_enable="NO"   # Enable netflow logging via ng_netflow
 ip_portrange_first="NO"# Set first dynamically allocated port
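Review bot: The three new comments do not say that the module is only loaded when firewall_enable is YES, although the `firewall_nat_enable` line directly above them carries exactly that qualifier and the rc.d/ipfw logic (r345450 on this page) applies the same condition. Make them consistent, e.g. `firewall_nat64_enable="NO" # Enable kernel NAT64 module (if firewall_enable == YES)` and likewise for nptv6 and pmod.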


svn commit: r345843 - head/contrib/bsnmp/lib

2019-04-03 Thread Andrey V. Elsukov
Author: ae
Date: Wed Apr  3 12:47:49 2019
New Revision: 345843
URL: https://svnweb.freebsd.org/changeset/base/345843

Log:
  Follow the declared behaviour that specifies server string format in
  bsnmpclient(3).
  
  snmp_parse_server() function accepts string where some fields can be
  omitted: [trans::][community@][server][:port]
  
  "trans" field can be "udp", "udp6", "dgram" and "stream".
  "community" can be empty string, if it is omitted, the default value
  will be used. For read_community it is "public", for write_comminity
  it is "private". "server" field can be hostname, IPv4 address or IPv6
  address. IPv6 address should be specified in brackets "[]".
  If port is omitted, the default value "snmp" will be used for "udp"
  and "udp6" transports. So now, for bsnmpget(1) and bsnmpwalk(1), it is
  not required to specify all fields in the argument of the '-s' option. E.g.
  
# bsnmpget -s 127.1 sysName.0
# bsnmpget -s "udp::127.1" sysName.0
# bsnmpget -s "udp::public@127.1" sysName.0
# bsnmpget -s "udp::public@127.1:161" sysName.0
# bsnmpget -s "udp::[::1]" sysName.0
# bsnmpget -s "udp6::[::1]" sysName.0
# bsnmpget -s "[fe80::1%lo0]" sysName.0
  
  PR:   236664
  Reported by:  olivier
  MFC after:1 month

Modified:
  head/contrib/bsnmp/lib/snmpclient.c

Modified: head/contrib/bsnmp/lib/snmpclient.c
==
--- head/contrib/bsnmp/lib/snmpclient.c Wed Apr  3 08:22:58 2019
(r345842)
+++ head/contrib/bsnmp/lib/snmpclient.c Wed Apr  3 12:47:49 2019
(r345843)
@@ -1874,38 +1874,47 @@ snmp_client_set_port(struct snmp_client *cl, const cha
return (0);
 }
 
+static const char *const trans_list[] = {
+   [SNMP_TRANS_UDP]= "udp::",
+   [SNMP_TRANS_LOC_DGRAM]  = "dgram::",
+   [SNMP_TRANS_LOC_STREAM] = "stream::",
+   [SNMP_TRANS_UDP6]   = "udp6::",
+};
+
 /**
  * Try to get a transport identifier which is a leading alphanumeric string
- * (starting with '_' or a letter and including also '_') terminated by
- * a double colon. The string may not be empty. The transport identifier
- * is optional.
+ * terminated by a double colon. The string may not be empty. The transport
+ * identifier is optional.
  *
  * \param sc   client struct to set errors
  * \param strp possible start of transport; updated to point to
  * the next character to parse
  *
- * \return end of transport; equals *strp if there is none; NULL if there
- * was an error
+ * \return transport identifier
  */
-static inline const char *
+static inline int
 get_transp(struct snmp_client *sc, const char **strp)
 {
-   const char *p = *strp;
+   const char *p;
+   size_t i;
 
-   if (isascii(*p) && (isalpha(*p) || *p == '_')) {
-   p++;
-   while (isascii(*p) && (isalnum(*p) || *p == '_'))
-   p++;
-   if (p[0] == ':' && p[1] == ':') {
-   *strp = p + 2;
-   return (p);
+   for (i = 0; i < nitems(trans_list); i++) {
+   if (trans_list[i] == NULL || *trans_list[i] == '\0')
+   continue;
+   p = strstr(*strp, trans_list[i]);
+   if (p == *strp) {
+   *strp += strlen(trans_list[i]);
+   return ((int)i);
}
}
+
+   p = *strp;
if (p[0] == ':' && p[1] == ':') {
seterr(sc, "empty transport specifier");
-   return (NULL);
+   return (-1);
}
-   return (*strp);
+   /* by default assume UDP */
+   return (SNMP_TRANS_UDP);
 }
 
 /**
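Review bot: `p = strstr(*strp, trans_list[i]);` scans the whole server string for each transport name and then only accepts a hit at position 0, so a prefix comparison is what is meant; `if (strncmp(*strp, trans_list[i], strlen(trans_list[i])) == 0) {` does that directly, avoids the per-transport full scan, and removes the need for the intermediate `p` inside the loop. The rewritten doc comment `\return transport identifier` also lost the error case that the old comment documented; it should read `\return transport identifier, or -1 if a transport separator is present but the name is empty`.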
@@ -2143,24 +2152,13 @@ save_str(struct snmp_client *sc, const char *const s[2
 int
 snmp_parse_server(struct snmp_client *sc, const char *str)
 {
-#if DEBUG_PARSE
const char *const orig = str;
-#endif
-
-   const char *const trans_list[] = {
-   [SNMP_TRANS_UDP]= "udp",
-   [SNMP_TRANS_LOC_DGRAM]  = "dgram",
-   [SNMP_TRANS_LOC_STREAM] = "stream",
-   [SNMP_TRANS_UDP6]   = "udp6",
-   };
-
/* parse input */
-   const char *const transp[2] = {
-   str,
-   get_transp(sc, ),
-   };
-   if (transp[1] == NULL)
+   int i, trans = get_transp(sc, );
+   if (trans < 0)
return (-1);
+   /* choose automatically */
+   i = orig == str ? -1: trans;
 
const char *const comm[2] = {
str,
@@ -2206,7 +2204,7 @@ snmp_parse_server(struct snmp_client *sc, const char *
}
 
 #if DEBUG_PARSE
-   printf("transp: %zu %zu\n", transp[0] - orig, transp[1] - orig);
+   printf("transp: %u\n", trans);
printf("comm:   %zu %zu\n", comm[0] - orig, comm[1] - orig);
printf("ipv6:   %zu %zu\n", ipv6[0] - orig, ipv6[1] - orig);
printf("ipv4:   %zu %zu\n", ipv4[0] - orig, 
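Review bot: `printf("transp: %u\n", trans);` passes `trans`, declared `int` in the previous hunk, to a `%u` conversion; use `%d` so the format matches the signed type. This is under `#if DEBUG_PARSE`, so it only affects debug builds, but it is still a format/argument mismatch that -Wformat reports.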

Re: svn commit: r345797 - in head: contrib/bsnmp/gensnmptree contrib/bsnmp/lib contrib/bsnmp/snmpd lib/libbsnmp/libbsnmp usr.sbin/bsnmpd/bsnmpd

2019-04-02 Thread Andrey V. Elsukov
On 02.04.2019 16:40, Baptiste Daroussin wrote:
>> URL: https://svnweb.freebsd.org/changeset/base/345797
>>
>> Log:
>>   Add IPv6 transport for bsnmp.
>>   
>>   This patch adds a new table begemotSnmpdTransInetTable that uses the
>>   InetAddressType textual convention and can be used to create listening
>>   ports for IPv4, IPv6, zoned IPv6 and based on DNS names. It also supports
>>   future extension beyond UDP by adding a protocol identifier to the table
>>   index. In order to support this gensnmptree had to be modified.
>>   
>>   Submitted by:   harti
>>   MFC after:  1 month
>>   Relnotes:   yes
>>   Differential Revision:  https://reviews.freebsd.org/D16654
>>
> Jumping in this commit, maybe it is time to move bsnmpd out of contrib, given
> that all the dev appears to only be in our own source tree right?

I think it is better to ask harti@

-- 
WBR, Andrey V. Elsukov





svn commit: r345798 - head/contrib/bsnmp/snmp_mibII

2019-04-02 Thread Andrey V. Elsukov
Author: ae
Date: Tue Apr  2 13:38:00 2019
New Revision: 345798
URL: https://svnweb.freebsd.org/changeset/base/345798

Log:
  Create 64bit mibII counters for all interfaces.
  
  PR:   157015
  Obtained from:Yandex LLC
  MFC after:1 month

Modified:
  head/contrib/bsnmp/snmp_mibII/mibII_interfaces.c

Modified: head/contrib/bsnmp/snmp_mibII/mibII_interfaces.c
==
--- head/contrib/bsnmp/snmp_mibII/mibII_interfaces.cTue Apr  2 12:50:01 
2019(r345797)
+++ head/contrib/bsnmp/snmp_mibII/mibII_interfaces.cTue Apr  2 13:38:00 
2019(r345798)
@@ -373,11 +373,6 @@ op_ifxtable(struct snmp_context *ctx, struct snmp_valu
 
switch (op) {
 
-  again:
-   if (op != SNMP_OP_GETNEXT)
-   return (SNMP_ERR_NOSUCHNAME);
-   /* FALLTHROUGH */
-
  case SNMP_OP_GETNEXT:
if ((ifp = NEXT_OBJECT_INT(_list, >var, sub)) == 
NULL)
return (SNMP_ERR_NOSUCHNAME);
@@ -460,52 +455,36 @@ op_ifxtable(struct snmp_context *ctx, struct snmp_valu
break;
 
  case LEAF_ifHCInOctets:
-   if (!(ifp->flags & MIBIF_HIGHSPEED))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_inoctets;
break;
 
  case LEAF_ifHCInUcastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_ipackets -
MIBIF_PRIV(ifp)->hc_imcasts;
break;
 
  case LEAF_ifHCInMulticastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_imcasts;
break;
 
  case LEAF_ifHCInBroadcastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = 0;
break;
 
  case LEAF_ifHCOutOctets:
-   if (!(ifp->flags & MIBIF_HIGHSPEED))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_outoctets;
break;
 
  case LEAF_ifHCOutUcastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_opackets -
MIBIF_PRIV(ifp)->hc_omcasts;
break;
 
  case LEAF_ifHCOutMulticastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = MIBIF_PRIV(ifp)->hc_omcasts;
break;
 
  case LEAF_ifHCOutBroadcastPkts:
-   if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED)))
-   goto again;
value->v.counter64 = 0;
break;
 


svn commit: r345797 - in head: contrib/bsnmp/gensnmptree contrib/bsnmp/lib contrib/bsnmp/snmpd lib/libbsnmp/libbsnmp usr.sbin/bsnmpd/bsnmpd

2019-04-02 Thread Andrey V. Elsukov
Author: ae
Date: Tue Apr  2 12:50:01 2019
New Revision: 345797
URL: https://svnweb.freebsd.org/changeset/base/345797

Log:
  Add IPv6 transport for bsnmp.
  
  This patch adds a new table begemotSnmpdTransInetTable that uses the
  InetAddressType textual convention and can be used to create listening
  ports for IPv4, IPv6, zoned IPv6 and based on DNS names. It also supports
  future extension beyond UDP by adding a protocol identifier to the table
  index. In order to support this gensnmptree had to be modified.
  
  Submitted by:   harti
  MFC after:  1 month
  Relnotes:   yes
  Differential Revision:  https://reviews.freebsd.org/D16654

Added:
  head/contrib/bsnmp/snmpd/trans_inet.c
  head/contrib/bsnmp/snmpd/trans_inet.h
Modified:
  head/contrib/bsnmp/gensnmptree/gensnmptree.1
  head/contrib/bsnmp/gensnmptree/gensnmptree.c
  head/contrib/bsnmp/lib/snmpclient.c
  head/contrib/bsnmp/lib/snmpclient.h
  head/contrib/bsnmp/lib/tc.def
  head/contrib/bsnmp/snmpd/BEGEMOT-SNMPD.txt
  head/contrib/bsnmp/snmpd/main.c
  head/contrib/bsnmp/snmpd/snmpd.config
  head/contrib/bsnmp/snmpd/snmpd.h
  head/contrib/bsnmp/snmpd/snmpmod.h
  head/contrib/bsnmp/snmpd/trans_lsock.c
  head/contrib/bsnmp/snmpd/trans_udp.c
  head/contrib/bsnmp/snmpd/tree.def
  head/lib/libbsnmp/libbsnmp/Makefile
  head/usr.sbin/bsnmpd/bsnmpd/Makefile
  head/usr.sbin/bsnmpd/bsnmpd/snmpd.config

Modified: head/contrib/bsnmp/gensnmptree/gensnmptree.1
==
--- head/contrib/bsnmp/gensnmptree/gensnmptree.1Tue Apr  2 12:02:35 
2019(r345796)
+++ head/contrib/bsnmp/gensnmptree/gensnmptree.1Tue Apr  2 12:50:01 
2019(r345797)
@@ -31,7 +31,7 @@
 .\"
 .\" $Begemot: gensnmptree.1 383 2006-05-30 07:40:49Z brandt_h $
 .\"
-.Dd June 29, 2018
+.Dd April 2, 2019
 .Dt GENSNMPTREE 1
 .Os
 .Sh NAME
@@ -100,25 +100,11 @@ is the length of the OID.
 is the last component of the OID.
 .El
 .It Fl F
-Together with
-.Fl E
-causes
-.Nm
-instead of the generation of enum definitions the generation of
-functions for checking a value to be one of the enumeration variants and
-for conversion between strings and the enum. The file is sent to standard
-output and is meant to be included into a C-file for compilation.
+emit definitions for C-functions includeable in a C-file that do some basic
+stuff on enums like value checking and conversion between value and strings.
 .It Fl f
-This flag can be used together with
-.Fl E
-or when generating the tree files. It causes
-.Nm
-to emit static inline functions for checking a value to be one of the
-enumeration values and for conversion between strings and the enum.
-If used when generating the tree files, the preprocessor symbol
-.Ar SNMPTREE_TYPES
-must be defined when including the tree header file for these definitions
-to become visible.
+emit definitions for inline C-functions that do some basic
+stuff on enums like value checking and conversion between value and strings.
 .It Fl h
 Print a short help page.
 .It Fl I Ar directory
@@ -136,36 +122,6 @@ Instead of normal output print the resulting tree.
 Prefix the file names and the table name with
 .Ar prefix .
 .El
-.Pp
-The following functions are generated by
-.Fl f
-or
-.Fl F :
-.Pp
-.Ft static inline int
-.Fn isok_EnumName "enum EnumName" ;
-.Pp
-.Ft static inline const char *
-.Fn tostr_EnumName "enum EnumName" ;
-.Pp
-.Ft static inline int
-.Fn fromstr_EnumName "const char *" "enum EnumName *" ;
-.Pp
-The
-.Fa EnumName
-is replaced with the enumeration name.
-.Fn isok_EnumName
-returns 1 if the argument is one of the valid enum values and 0 otherwise.
-.Fn tostr_EnumName
-returns a string representation of the enumeration value.
-If the values is not one of the legal values
-.Ar EnumName???
-is returned.
-.Fn fromstr_EnumName
-returns 1 if the string represents one of the legal enumeration values and
-0 otherwise.
-If 1 is return the variable pointed to by the second argument is set to
-the enumeration value.
 .Sh MIBS
 The syntax of the MIB description file can formally be specified as follows:
 .Bd -unfilled -offset indent

Modified: head/contrib/bsnmp/gensnmptree/gensnmptree.c
==
--- head/contrib/bsnmp/gensnmptree/gensnmptree.cTue Apr  2 12:02:35 
2019(r345796)
+++ head/contrib/bsnmp/gensnmptree/gensnmptree.cTue Apr  2 12:50:01 
2019(r345797)
@@ -110,7 +110,6 @@ static int debug;
 
 static const char usgtxt[] = "\
 Generate SNMP tables.\n\
-$Id$\n\
 usage: gensnmptree [-dEeFfhlt] [-I directory] [-i infile] [-p prefix]\n\
[name]...\n\
 options:\n\
@@ -127,6 +126,37 @@ options:\n\
   -t   generate a .def file\n\
 ";
 
+/**
+ * Program operation.
+ */
+enum op {
+   /** generate the tree */
+   OP_GEN,
+
+   /** extract OIDs */
+   OP_EXTRACT,
+
+   /** print the parsed tree */
+   OP_TREE,
+
+   /** extract 

svn commit: r345763 - head/contrib/bsnmp/snmpd

2019-04-01 Thread Andrey V. Elsukov
Author: ae
Date: Mon Apr  1 12:14:45 2019
New Revision: 345763
URL: https://svnweb.freebsd.org/changeset/base/345763

Log:
  Correct a port number assignment.
  
  PR:   236930
  MFC after:1 week

Modified:
  head/contrib/bsnmp/snmpd/trap.c

Modified: head/contrib/bsnmp/snmpd/trap.c
==
--- head/contrib/bsnmp/snmpd/trap.c Mon Apr  1 10:51:24 2019
(r345762)
+++ head/contrib/bsnmp/snmpd/trap.c Mon Apr  1 12:14:45 2019
(r345763)
@@ -726,8 +726,7 @@ target_activate_address(struct target_address *addrs)
sa.sin_addr.s_addr = htonl((addrs->address[0] << 24) |
(addrs->address[1] << 16) | (addrs->address[2] << 8) |
(addrs->address[3] << 0));
-   sa.sin_port = htons(addrs->address[4]) << 8 |
-htons(addrs->address[5]) << 0;
+   sa.sin_port = htons(addrs->address[4] << 8 | addrs->address[5]);
 
if (connect(addrs->socket, (struct sockaddr *), sa.sin_len) == -1) {
syslog(LOG_ERR, "connect(%s,%u): %m",
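Review bot: `htons(addrs->address[4] << 8 | addrs->address[5])` relies on `<<` binding tighter than `|`, which is correct, but the `s_addr` expression three lines above parenthesizes every shifted term; for consistency and to pre-empt precedence warnings write `sa.sin_port = htons((addrs->address[4] << 8) | addrs->address[5]);`.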


svn commit: r345450 - in head: libexec/rc/rc.d share/man/man5

2019-03-23 Thread Andrey V. Elsukov
Author: ae
Date: Sat Mar 23 15:41:32 2019
New Revision: 345450
URL: https://svnweb.freebsd.org/changeset/base/345450

Log:
  Add ability to automatically load ipfw_nat64, ipfw_nptv6 and ipfw_pmod
  modules by declaring corresponding variables in rc.conf. Also document
  them in rc.conf(5).
  
  Submitted by: Dries Michiels
  Differential Revision:https://reviews.freebsd.org/D19673

Modified:
  head/libexec/rc/rc.d/ipfw
  head/share/man/man5/rc.conf.5

Modified: head/libexec/rc/rc.d/ipfw
==
--- head/libexec/rc/rc.d/ipfw   Sat Mar 23 14:10:05 2019(r345449)
+++ head/libexec/rc/rc.d/ipfw   Sat Mar 23 15:41:32 2019(r345450)
@@ -34,6 +34,15 @@ ipfw_prestart()
if checkyesno firewall_nat_enable; then
required_modules="$required_modules ipfw_nat"
fi
+   if checkyesno firewall_nat64_enable; then
+   required_modules="$required_modules ipfw_nat64"
+   fi
+   if checkyesno firewall_nptv6_enable; then
+   required_modules="$required_modules ipfw_nptv6"
+   fi
+   if checkyesno firewall_pmod_enable; then
+   required_modules="$required_modules ipfw_pmod"
+   fi
 }
 
 ipfw_start()
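Review bot: `checkyesno firewall_nat64_enable` and the two checks below it read variables that this commit does not add to /etc/defaults/rc.conf, and checkyesno warns that a variable "is not set properly" whenever it is unset, so every boot with firewall_enable=YES and none of these variables set will log three warnings. The defaults were only added later in r345985 on this page; they belong in the same commit as the checks, or each check should be written against a defaulted value such as `${firewall_nat64_enable:-NO}`.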

Modified: head/share/man/man5/rc.conf.5
==
--- head/share/man/man5/rc.conf.5   Sat Mar 23 14:10:05 2019
(r345449)
+++ head/share/man/man5/rc.conf.5   Sat Mar 23 15:41:32 2019
(r345450)
@@ -24,7 +24,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd December 19, 2018
+.Dd March 21, 2019
 .Dt RC.CONF 5
 .Os
 .Sh NAME
@@ -573,9 +573,11 @@ equivalent of
 .Va natd_enable .
 Setting this to
 .Dq Li YES
-enables kernel NAT.
+will automatically load the
+.Xr ipfw 8
+NAT kernel module if
 .Va firewall_enable
-must also be set to
+is also set to
 .Dq Li YES .
 .It Va firewall_nat_interface
 .Pq Vt str
@@ -588,6 +590,36 @@ kernel NAT should run.
 .It Va firewall_nat_flags
 .Pq Vt str
 Additional configuration parameters for kernel NAT should be placed here.
+.It Va firewall_nat64_enable
+.Pq Vt bool
+Setting this to
+.Dq Li YES
+will automatically load the
+.Xr ipfw 8
+NAT64 kernel module if
+.Va firewall_enable
+is also set to
+.Dq Li YES .
+.It Va firewall_nptv6_enable
+.Pq Vt bool
+Setting this to
+.Dq Li YES
+will automatically load the
+.Xr ipfw 8
+NPTv6 kernel module if
+.Va firewall_enable
+is also set to
+.Dq Li YES .
+.It Va firewall_pmod_enable
+.Pq Vt bool
+Setting this to
+.Dq Li YES
+will automatically load the
+.Xr ipfw 8
+pmod kernel module if
+.Va firewall_enable
+is also set to
+.Dq Li YES .
 .It Va dummynet_enable
 .Pq Vt bool
 Setting this to


svn commit: r345321 - head/sys/netpfil/ipfw/nat64

2019-03-20 Thread Andrey V. Elsukov
Author: ae
Date: Wed Mar 20 10:11:21 2019
New Revision: 345321
URL: https://svnweb.freebsd.org/changeset/base/345321

Log:
  Do not enter epoch section recursively.
  
  A pfil hook is already invoked in NET_EPOCH section.

Modified:
  head/sys/netpfil/ipfw/nat64/nat64lsn.c

Modified: head/sys/netpfil/ipfw/nat64/nat64lsn.c
==
--- head/sys/netpfil/ipfw/nat64/nat64lsn.c  Wed Mar 20 10:09:38 2019
(r345320)
+++ head/sys/netpfil/ipfw/nat64/nat64lsn.c  Wed Mar 20 10:11:21 2019
(r345321)
@@ -1514,7 +1514,6 @@ int
 ipfw_nat64lsn(struct ip_fw_chain *ch, struct ip_fw_args *args,
 ipfw_insn *cmd, int *done)
 {
-   struct epoch_tracker et;
struct nat64lsn_cfg *cfg;
ipfw_insn *icmd;
int ret;
@@ -1531,7 +1530,6 @@ ipfw_nat64lsn(struct ip_fw_chain *ch, struct ip_fw_arg
 
*done = 1;  /* terminate the search */
 
-   NAT64LSN_EPOCH_ENTER(et);
switch (args->f_id.addr_type) {
case 4:
ret = nat64lsn_translate4(cfg, >f_id, >m);
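Review bot: Removing `NAT64LSN_EPOCH_ENTER(et)` leaves nothing in ipfw_nat64lsn() that checks the assumption stated in the log message, that the caller is already inside NET_EPOCH; since the file defines `NAT64LSN_EPOCH_ASSERT()` as `NET_EPOCH_ASSERT()` (r345319 on this page), add `NAT64LSN_EPOCH_ASSERT();` before the `switch (args->f_id.addr_type)` so a caller outside the pfil path fails loudly in INVARIANTS kernels instead of silently running the lookups outside the epoch. The matching exit removal in the next hunk needs no further change.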
@@ -1551,7 +1549,6 @@ ipfw_nat64lsn(struct ip_fw_chain *ch, struct ip_fw_arg
default:
ret = cfg->nomatch_verdict;
}
-   NAT64LSN_EPOCH_EXIT(et);
 
if (ret != IP_FW_PASS && args->m != NULL) {
m_freem(args->m);


svn commit: r345319 - head/sys/netpfil/ipfw/nat64

2019-03-20 Thread Andrey V. Elsukov
Author: ae
Date: Wed Mar 20 10:06:44 2019
New Revision: 345319
URL: https://svnweb.freebsd.org/changeset/base/345319

Log:
  Use NET_EPOCH instead of allocating separate one.
  
  MFC after:1 month

Modified:
  head/sys/netpfil/ipfw/nat64/nat64lsn.c

Modified: head/sys/netpfil/ipfw/nat64/nat64lsn.c
==
--- head/sys/netpfil/ipfw/nat64/nat64lsn.c  Wed Mar 20 07:40:38 2019
(r345318)
+++ head/sys/netpfil/ipfw/nat64/nat64lsn.c  Wed Mar 20 10:06:44 2019
(r345319)
@@ -72,12 +72,10 @@ __FBSDID("$FreeBSD$");
 
 MALLOC_DEFINE(M_NAT64LSN, "NAT64LSN", "NAT64LSN");
 
-static epoch_t nat64lsn_epoch;
-#defineNAT64LSN_EPOCH_ENTER(et)  epoch_enter_preempt(nat64lsn_epoch, 
&(et))
-#defineNAT64LSN_EPOCH_EXIT(et)   epoch_exit_preempt(nat64lsn_epoch, 
&(et))
-#defineNAT64LSN_EPOCH_WAIT() epoch_wait_preempt(nat64lsn_epoch)
-#defineNAT64LSN_EPOCH_ASSERT()   MPASS(in_epoch(nat64lsn_epoch))
-#defineNAT64LSN_EPOCH_CALL(c, f) epoch_call(nat64lsn_epoch, (c), (f))
+#defineNAT64LSN_EPOCH_ENTER(et)  NET_EPOCH_ENTER(et)
+#defineNAT64LSN_EPOCH_EXIT(et)   NET_EPOCH_EXIT(et)
+#defineNAT64LSN_EPOCH_ASSERT()   NET_EPOCH_ASSERT()
+#defineNAT64LSN_EPOCH_CALL(c, f) epoch_call(net_epoch_preempt, (c), 
(f))
 
 static uma_zone_t nat64lsn_host_zone;
 static uma_zone_t nat64lsn_pgchunk_zone;
@@ -1578,8 +1576,6 @@ void
 nat64lsn_init_internal(void)
 {
 
-   nat64lsn_epoch = epoch_alloc(EPOCH_PREEMPT);
-
nat64lsn_host_zone = uma_zcreate("NAT64LSN hosts",
sizeof(struct nat64lsn_host), NULL, NULL, NULL, NULL,
UMA_ALIGN_PTR, 0);
@@ -1606,8 +1602,6 @@ nat64lsn_uninit_internal(void)
 {
 
/* XXX: epoch_task drain */
-   epoch_free(nat64lsn_epoch);
-
JQUEUE_LOCK_DESTROY();
uma_zdestroy(nat64lsn_host_zone);
uma_zdestroy(nat64lsn_pgchunk_zone);
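Review bot: With `epoch_free(nat64lsn_epoch)` removed, nothing in `nat64lsn_uninit_internal()` waits for callbacks queued via `epoch_call(net_epoch_preempt, ...)` before `uma_zdestroy()` runs, and the pre-existing `/* XXX: epoch_task drain */` is now the only trace of that gap. A private epoch at least disappeared together with the module, whereas `net_epoch_preempt` outlives it, so a callback firing after unload would touch a destroyed zone or unmapped module text if any can still be outstanding here; I cannot tell from this hunk whether callers rule that out. The XXX comment should at least state the invariant the caller must provide, e.g. `/* XXX: no epoch_call() callbacks may be pending here; net_epoch_preempt outlives this module. */`. The function continues past the end of the hunk.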


svn commit: r345294 - head/sbin/ipfw

2019-03-19 Thread Andrey V. Elsukov
Author: ae
Date: Tue Mar 19 11:16:42 2019
New Revision: 345294
URL: https://svnweb.freebsd.org/changeset/base/345294

Log:
  Remove extra spaces.
  
  MFC after:1 month

Modified:
  head/sbin/ipfw/nat64lsn.c

Modified: head/sbin/ipfw/nat64lsn.c
==
--- head/sbin/ipfw/nat64lsn.c   Tue Mar 19 10:57:03 2019(r345293)
+++ head/sbin/ipfw/nat64lsn.c   Tue Mar 19 11:16:42 2019(r345294)
@@ -783,7 +783,7 @@ nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *n
if (co.verbose || cfg->nh_delete_delay != NAT64LSN_HOST_AGE)
printf(" host_del_age %u", cfg->nh_delete_delay);
if (co.verbose || cfg->pg_delete_delay != NAT64LSN_PG_AGE)
-   printf(" pg_del_age %u ", cfg->pg_delete_delay);
+   printf(" pg_del_age %u", cfg->pg_delete_delay);
if (co.verbose || cfg->st_syn_ttl != NAT64LSN_TCP_SYN_AGE)
printf(" tcp_syn_age %u", cfg->st_syn_ttl);
if (co.verbose || cfg->st_close_ttl != NAT64LSN_TCP_FIN_AGE)
@@ -795,7 +795,7 @@ nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *n
if (co.verbose || cfg->st_icmp_ttl != NAT64LSN_ICMP_AGE)
printf(" icmp_age %u", cfg->st_icmp_ttl);
if (co.verbose || cfg->jmaxlen != NAT64LSN_JMAXLEN)
-   printf(" jmaxlen %u ", cfg->jmaxlen);
+   printf(" jmaxlen %u", cfg->jmaxlen);
if (cfg->flags & NAT64_LOG)
printf(" log");
if (cfg->flags & NAT64_ALLOW_PRIVATE)


svn commit: r345293 - in head: sbin/ipfw sys/conf sys/modules/ipfw_nat64 sys/netinet6 sys/netpfil/ipfw/nat64

2019-03-19 Thread Andrey V. Elsukov
Author: ae
Date: Tue Mar 19 10:57:03 2019
New Revision: 345293
URL: https://svnweb.freebsd.org/changeset/base/345293

Log:
  Reapply r345274 with build fixes for 32-bit architectures.
  
Update NAT64LSN implementation:
  
o most data structures and their relations were modified to support a
  large number of translation states. Now each supported protocol can
  use the full port range. Port groups now belong to IPv4 alias
  addresses, not hosts. Each port group can keep several state chunks.
  This is controlled with the new `states_chunks` config option. State
  chunks allow several translation states for a single alias address
  and port, but for different destination addresses.
o by default all hash tables now use jenkins hash.
o ConcurrencyKit and epoch(9) is used to make NAT64LSN lockless on fast 
path.
o one NAT64LSN instance now can be used to handle several IPv6 prefixes,
  special prefix "::" value should be used for this purpose when instance
  is created.
o due to modified internal data structures relations, the socket opcode
  that does states listing was changed.
  
  Obtained from:Yandex LLC
  MFC after:1 month
  Sponsored by: Yandex LLC

Modified:
  head/sbin/ipfw/ipfw.8
  head/sbin/ipfw/ipfw2.h
  head/sbin/ipfw/nat64lsn.c
  head/sys/conf/files
  head/sys/modules/ipfw_nat64/Makefile
  head/sys/netinet6/ip_fw_nat64.h
  head/sys/netpfil/ipfw/nat64/nat64lsn.c
  head/sys/netpfil/ipfw/nat64/nat64lsn.h
  head/sys/netpfil/ipfw/nat64/nat64lsn_control.c

Modified: head/sbin/ipfw/ipfw.8
==
--- head/sbin/ipfw/ipfw.8   Tue Mar 19 10:29:32 2019(r345292)
+++ head/sbin/ipfw/ipfw.8   Tue Mar 19 10:57:03 2019(r345293)
@@ -1,7 +1,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd March 18, 2019
+.Dd March 19, 2019
 .Dt IPFW 8
 .Os
 .Sh NAME
@@ -3300,6 +3300,7 @@ See
 .Sx SYSCTL VARIABLES
 for more info.
 .Sh IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+.Ss Stateful translation
 .Nm
 supports in-kernel IPv6/IPv4 network address and protocol translation.
 Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
@@ -3317,7 +3318,8 @@ to be able use stateful NAT64 translator.
 Stateful NAT64 uses a bunch of memory for several types of objects.
 When IPv6 client initiates connection, NAT64 translator creates a host entry
 in the states table.
-Each host entry has a number of ports group entries allocated on demand.
+Each host entry uses preallocated IPv4 alias entry.
+Each alias entry has a number of ports group entries allocated on demand.
 Ports group entries contains connection state entries.
 There are several options to control limits and lifetime for these objects.
 .Pp
@@ -3337,6 +3339,11 @@ First time an original packet is handled and consumed 
 and then it is handled again as translated packet.
 This behavior can be changed by sysctl variable 
 .Va net.inet.ip.fw.nat64_direct_output .
+Also translated packet can be tagged using
+.Cm tag
+rule action, and then matched by
+.Cm tagged
+opcode to avoid loops and extra overhead.
 .Pp
 The stateful NAT64 configuration command is the following:
 .Bd -ragged -offset indent
@@ -3364,15 +3371,16 @@ to represent IPv4 addresses. This IPv6 prefix should b
 The translator implementation follows RFC6052, that restricts the length of
 prefixes to one of following: 32, 40, 48, 56, 64, or 96.
 The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
-.It Cm max_ports Ar number
-Maximum number of ports reserved for upper level protocols to one IPv6 client.
-All reserved ports are divided into chunks between supported protocols.
-The number of connections from one IPv6 client is limited by this option.
-Note that closed TCP connections still remain in the list of connections until
-.Cm tcp_close_age
-interval will not expire.
-Default value is
-.Ar 2048 .
+The special
+.Ar ::/length
+prefix can be used to handle several IPv6 prefixes with one NAT64 instance.
+The NAT64 instance will determine a destination IPv4 address from prefix
+.Ar length .
+.It Cm states_chunks Ar number
+The number of states chunks in single ports group.
+Each ports group by default can keep 64 state entries in single chunk.
+The above value affects the maximum number of states that can be associated 
with single IPv4 alias address and port.
+The value must be power of 2, and up to 128.
 .It Cm host_del_age Ar seconds
 The number of seconds until the host entry for a IPv6 client will be deleted
 and all its resources will be released due to inactivity.

Modified: head/sbin/ipfw/ipfw2.h
==
--- head/sbin/ipfw/ipfw2.h  Tue Mar 19 10:29:32 2019(r345292)
+++ head/sbin/ipfw/ipfw2.h  Tue Mar 19 10:57:03 2019(r345293)
@@ -278,6 +278,7 @@ enum tokens {
TOK_AGG_LEN,
TOK_AGG_COUNT,
TOK_MAX_PORTS,
+  

svn commit: r345292 - head/sys/net

2019-03-19 Thread Andrey V. Elsukov
Author: ae
Date: Tue Mar 19 10:29:32 2019
New Revision: 345292
URL: https://svnweb.freebsd.org/changeset/base/345292

Log:
  Convert allocation of bpf_if in bpfattach2 from M_NOWAIT to M_WAITOK
  and remove possible panic condition.
  
  It is already allowed to sleep in bpfattach[2], since BPF_LOCK was
  converted to SX lock in r332388. Also move KASSERT() to the top of
  function and make full initialization before bpf_if will be linked
  to BPF's list of interfaces.
  
  MFC after:2 weeks

Modified:
  head/sys/net/bpf.c

Modified: head/sys/net/bpf.c
==
--- head/sys/net/bpf.c  Tue Mar 19 06:58:28 2019(r345291)
+++ head/sys/net/bpf.c  Tue Mar 19 10:29:32 2019(r345292)
@@ -2592,24 +2592,22 @@ bpfattach2(struct ifnet *ifp, u_int dlt, u_int hdrlen,
 {
struct bpf_if *bp;
 
-   bp = malloc(sizeof(*bp), M_BPF, M_NOWAIT | M_ZERO);
-   if (bp == NULL)
-   panic("bpfattach");
+   KASSERT(*driverp == NULL, ("bpfattach2: driverp already initialized"));
 
+   bp = malloc(sizeof(*bp), M_BPF, M_WAITOK | M_ZERO);
+
+   rw_init(>bif_lock, "bpf interface lock");
LIST_INIT(>bif_dlist);
LIST_INIT(>bif_wlist);
bp->bif_ifp = ifp;
bp->bif_dlt = dlt;
-   rw_init(>bif_lock, "bpf interface lock");
-   KASSERT(*driverp == NULL, ("bpfattach2: driverp already initialized"));
+   bp->bif_hdrlen = hdrlen;
bp->bif_bpf = driverp;
*driverp = bp;
 
BPF_LOCK();
LIST_INSERT_HEAD(_iflist, bp, bif_next);
BPF_UNLOCK();
-
-   bp->bif_hdrlen = hdrlen;
 
if (bootverbose && IS_DEFAULT_VNET(curvnet))
if_printf(ifp, "bpf attached\n");
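Review bot: Switching the allocation to `M_WAITOK` makes `bpfattach2()` a sleeping call, but nothing in the hunk records that contract for callers; a comment at the top of the function, `/* May sleep (M_WAITOK): callers must not hold a non-sleepable lock. */`, would stop a future caller from attaching under a mutex. Moving `KASSERT(*driverp == NULL, ...)` ahead of the allocation is the right order, but it only fires on INVARIANTS kernels, so a double attach on a production kernel still silently overwrites `*driverp` and leaks the earlier `bp`; the old code had the same gap, so this is worth a line in the same comment rather than a blocker. The body of `bpfattach2()` continues past the hunk.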


Re: svn commit: r345274 - in head: sbin/ipfw sys/conf sys/modules/ipfw_nat64 sys/netinet6 sys/netpfil/ipfw/nat64

2019-03-19 Thread Andrey V. Elsukov
On 19.03.2019 02:09, Gleb Smirnoff wrote:
>   Hi,
> 
> On Mon, Mar 18, 2019 at 12:59:09PM +0000, Andrey V. Elsukov wrote:
> A> Author: ae
> A> Date: Mon Mar 18 12:59:08 2019
> A> New Revision: 345274
> A> URL: https://svnweb.freebsd.org/changeset/base/345274
> A> 
> A> Log:
> A>   Update NAT64LSN implementation:
> ...
> A>   o ConcurrencyKit and epoch(9) is used to make NAT64LSN lockless on fast 
> path.
> 
> Why did you create a separate epoch? All the pfil hooks already run at network
> epoch.

Hi,

You did not specify when you plan to merge your changes. I assume that
you didn't plan to do that. :)

-- 
WBR, Andrey V. Elsukov





svn commit: r345275 - in head: sbin/ipfw sys/conf sys/modules/ipfw_nat64 sys/netinet6 sys/netpfil/ipfw/nat64

2019-03-18 Thread Andrey V. Elsukov
Author: ae
Date: Mon Mar 18 14:00:19 2019
New Revision: 345275
URL: https://svnweb.freebsd.org/changeset/base/345275

Log:
  Revert r345274. It appears that not all 32-bit architectures have
  necessary CK primitives.

Modified:
  head/sbin/ipfw/ipfw.8
  head/sbin/ipfw/ipfw2.h
  head/sbin/ipfw/nat64lsn.c
  head/sys/conf/files
  head/sys/modules/ipfw_nat64/Makefile
  head/sys/netinet6/ip_fw_nat64.h
  head/sys/netpfil/ipfw/nat64/nat64lsn.c
  head/sys/netpfil/ipfw/nat64/nat64lsn.h
  head/sys/netpfil/ipfw/nat64/nat64lsn_control.c

Modified: head/sbin/ipfw/ipfw.8
==
--- head/sbin/ipfw/ipfw.8   Mon Mar 18 12:59:08 2019(r345274)
+++ head/sbin/ipfw/ipfw.8   Mon Mar 18 14:00:19 2019(r345275)
@@ -3300,7 +3300,6 @@ See
 .Sx SYSCTL VARIABLES
 for more info.
 .Sh IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
-.Ss Stateful translation
 .Nm
 supports in-kernel IPv6/IPv4 network address and protocol translation.
 Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
@@ -3318,8 +3317,7 @@ to be able use stateful NAT64 translator.
 Stateful NAT64 uses a bunch of memory for several types of objects.
 When IPv6 client initiates connection, NAT64 translator creates a host entry
 in the states table.
-Each host entry uses preallocated IPv4 alias entry.
-Each alias entry has a number of ports group entries allocated on demand.
+Each host entry has a number of ports group entries allocated on demand.
 Ports group entries contains connection state entries.
 There are several options to control limits and lifetime for these objects.
 .Pp
@@ -3339,11 +3337,6 @@ First time an original packet is handled and consumed 
 and then it is handled again as translated packet.
 This behavior can be changed by sysctl variable 
 .Va net.inet.ip.fw.nat64_direct_output .
-Also translated packet can be tagged using
-.Cm tag
-rule action, and then matched by
-.Cm tagged
-opcode to avoid loops and extra overhead.
 .Pp
 The stateful NAT64 configuration command is the following:
 .Bd -ragged -offset indent
@@ -3371,16 +3364,15 @@ to represent IPv4 addresses. This IPv6 prefix should b
 The translator implementation follows RFC6052, that restricts the length of
 prefixes to one of following: 32, 40, 48, 56, 64, or 96.
 The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
-The special
-.Ar ::/length
-prefix can be used to handle several IPv6 prefixes with one NAT64 instance.
-The NAT64 instance will determine a destination IPv4 address from prefix
-.Ar length .
-.It Cm states_chunks Ar number
-The number of states chunks in single ports group.
-Each ports group by default can keep 64 state entries in single chunk.
-The above value affects the maximum number of states that can be associated 
with single IPv4 alias address and port.
-The value must be power of 2, and up to 128.
+.It Cm max_ports Ar number
+Maximum number of ports reserved for upper level protocols to one IPv6 client.
+All reserved ports are divided into chunks between supported protocols.
+The number of connections from one IPv6 client is limited by this option.
+Note that closed TCP connections still remain in the list of connections until
+.Cm tcp_close_age
+interval will not expire.
+Default value is
+.Ar 2048 .
 .It Cm host_del_age Ar seconds
 The number of seconds until the host entry for a IPv6 client will be deleted
 and all its resources will be released due to inactivity.

Modified: head/sbin/ipfw/ipfw2.h
==
--- head/sbin/ipfw/ipfw2.h  Mon Mar 18 12:59:08 2019(r345274)
+++ head/sbin/ipfw/ipfw2.h  Mon Mar 18 14:00:19 2019(r345275)
@@ -278,7 +278,6 @@ enum tokens {
TOK_AGG_LEN,
TOK_AGG_COUNT,
TOK_MAX_PORTS,
-   TOK_STATES_CHUNKS,
TOK_JMAXLEN,
TOK_PORT_RANGE,
TOK_HOST_DEL_AGE,

Modified: head/sbin/ipfw/nat64lsn.c
==
--- head/sbin/ipfw/nat64lsn.c   Mon Mar 18 12:59:08 2019(r345274)
+++ head/sbin/ipfw/nat64lsn.c   Mon Mar 18 14:00:19 2019(r345275)
@@ -87,70 +87,68 @@ nat64lsn_print_states(void *buf)
char sflags[4], *sf, *proto;
ipfw_obj_header *oh;
ipfw_obj_data *od;
-   ipfw_nat64lsn_stg_v1 *stg;
-   ipfw_nat64lsn_state_v1 *ste;
+   ipfw_nat64lsn_stg *stg;
+   ipfw_nat64lsn_state *ste;
uint64_t next_idx;
int i, sz;
 
oh = (ipfw_obj_header *)buf;
od = (ipfw_obj_data *)(oh + 1);
-   stg = (ipfw_nat64lsn_stg_v1 *)(od + 1);
+   stg = (ipfw_nat64lsn_stg *)(od + 1);
sz = od->head.length - sizeof(*od);
next_idx = 0;
while (sz > 0 && next_idx != 0xFF) {
-   next_idx = stg->next.index;
+   next_idx = stg->next_idx;
sz -= sizeof(*stg);
if (stg->count == 0) {
  

svn commit: r345274 - in head: sbin/ipfw sys/conf sys/modules/ipfw_nat64 sys/netinet6 sys/netpfil/ipfw/nat64

2019-03-18 Thread Andrey V. Elsukov
Author: ae
Date: Mon Mar 18 12:59:08 2019
New Revision: 345274
URL: https://svnweb.freebsd.org/changeset/base/345274

Log:
  Update NAT64LSN implementation:
  
  o most data structures and their relations were modified to support a
    large number of translation states. Now each supported protocol can
    use the full port range. Port groups now belong to IPv4 alias
    addresses, not hosts. Each port group can keep several state chunks.
    This is controlled with the new `states_chunks` config option. State
    chunks allow several translation states for a single alias address
    and port, but for different destination addresses.
  o by default all hash tables now use jenkins hash.
  o ConcurrencyKit and epoch(9) is used to make NAT64LSN lockless on fast path.
  o one NAT64LSN instance now can be used to handle several IPv6 prefixes,
special prefix "::" value should be used for this purpose when instance
is created.
  o due to modified internal data structures relations, the socket opcode
that does states listing was changed.
  
  Obtained from:Yandex LLC
  MFC after:1 month
  Sponsored by: Yandex LLC

Modified:
  head/sbin/ipfw/ipfw.8
  head/sbin/ipfw/ipfw2.h
  head/sbin/ipfw/nat64lsn.c
  head/sys/conf/files
  head/sys/modules/ipfw_nat64/Makefile
  head/sys/netinet6/ip_fw_nat64.h
  head/sys/netpfil/ipfw/nat64/nat64lsn.c
  head/sys/netpfil/ipfw/nat64/nat64lsn.h
  head/sys/netpfil/ipfw/nat64/nat64lsn_control.c

Modified: head/sbin/ipfw/ipfw.8
==
--- head/sbin/ipfw/ipfw.8   Mon Mar 18 12:41:42 2019(r345273)
+++ head/sbin/ipfw/ipfw.8   Mon Mar 18 12:59:08 2019(r345274)
@@ -3300,6 +3300,7 @@ See
 .Sx SYSCTL VARIABLES
 for more info.
 .Sh IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION
+.Ss Stateful translation
 .Nm
 supports in-kernel IPv6/IPv4 network address and protocol translation.
 Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers
@@ -3317,7 +3318,8 @@ to be able use stateful NAT64 translator.
 Stateful NAT64 uses a bunch of memory for several types of objects.
 When IPv6 client initiates connection, NAT64 translator creates a host entry
 in the states table.
-Each host entry has a number of ports group entries allocated on demand.
+Each host entry uses preallocated IPv4 alias entry.
+Each alias entry has a number of ports group entries allocated on demand.
 Ports group entries contains connection state entries.
 There are several options to control limits and lifetime for these objects.
 .Pp
@@ -3337,6 +3339,11 @@ First time an original packet is handled and consumed 
 and then it is handled again as translated packet.
 This behavior can be changed by sysctl variable 
 .Va net.inet.ip.fw.nat64_direct_output .
+Also translated packet can be tagged using
+.Cm tag
+rule action, and then matched by
+.Cm tagged
+opcode to avoid loops and extra overhead.
 .Pp
 The stateful NAT64 configuration command is the following:
 .Bd -ragged -offset indent
@@ -3364,15 +3371,16 @@ to represent IPv4 addresses. This IPv6 prefix should b
 The translator implementation follows RFC6052, that restricts the length of
 prefixes to one of following: 32, 40, 48, 56, 64, or 96.
 The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long.
-.It Cm max_ports Ar number
-Maximum number of ports reserved for upper level protocols to one IPv6 client.
-All reserved ports are divided into chunks between supported protocols.
-The number of connections from one IPv6 client is limited by this option.
-Note that closed TCP connections still remain in the list of connections until
-.Cm tcp_close_age
-interval will not expire.
-Default value is
-.Ar 2048 .
+The special
+.Ar ::/length
+prefix can be used to handle several IPv6 prefixes with one NAT64 instance.
+The NAT64 instance will determine a destination IPv4 address from prefix
+.Ar length .
+.It Cm states_chunks Ar number
+The number of states chunks in single ports group.
+Each ports group by default can keep 64 state entries in single chunk.
+The above value affects the maximum number of states that can be associated 
with single IPv4 alias address and port.
+The value must be power of 2, and up to 128.
 .It Cm host_del_age Ar seconds
 The number of seconds until the host entry for a IPv6 client will be deleted
 and all its resources will be released due to inactivity.

Modified: head/sbin/ipfw/ipfw2.h
==
--- head/sbin/ipfw/ipfw2.h  Mon Mar 18 12:41:42 2019(r345273)
+++ head/sbin/ipfw/ipfw2.h  Mon Mar 18 12:59:08 2019(r345274)
@@ -278,6 +278,7 @@ enum tokens {
TOK_AGG_LEN,
TOK_AGG_COUNT,
TOK_MAX_PORTS,
+   TOK_STATES_CHUNKS,
TOK_JMAXLEN,
TOK_PORT_RANGE,
TOK_HOST_DEL_AGE,

Modified: head/sbin/ipfw/nat64lsn.c
