svn commit: r367594 - head/sys/net
Author: ae Date: Wed Nov 11 15:53:36 2020 New Revision: 367594 URL: https://svnweb.freebsd.org/changeset/base/367594 Log: Fix possible NULL pointer dereference. lagg(4) replaces if_output method of its child interfaces and expects that this method can be called only by child interfaces. But it is possible that lagg_port_output() could be called by children of child interfaces. In this case ifnet's if_lagg field is NULL. Add check that lp is not NULL. Obtained from:Yandex LLC MFC after:1 week Sponsored by: Yandex LLC Modified: head/sys/net/if_lagg.c Modified: head/sys/net/if_lagg.c == --- head/sys/net/if_lagg.c Wed Nov 11 15:01:17 2020(r367593) +++ head/sys/net/if_lagg.c Wed Nov 11 15:53:36 2020(r367594) @@ -1145,7 +1145,8 @@ lagg_port_output(struct ifnet *ifp, struct mbuf *m, switch (dst->sa_family) { case pseudo_AF_HDRCMPLT: case AF_UNSPEC: - return ((*lp->lp_output)(ifp, m, dst, ro)); + if (lp != NULL) + return ((*lp->lp_output)(ifp, m, dst, ro)); } /* drop any other frames */ ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
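Review bot: the new `if (lp != NULL)` guard in lagg_port_output() sends the lp == NULL case into the `/* drop any other frames */` path below the switch without saying why; add a one-line comment above the check stating that lp is NULL when the caller is a child of a lagg child (the case the log describes), since otherwise the guard reads as a defensive NULL check with no known trigger. Consider also counting these drops somewhere an operator can see them, because a frame discarded here otherwise disappears silently.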
svn commit: r366908 - in head: share/dtrace sys/netpfil/ipfw
Author: ae Date: Wed Oct 21 15:01:33 2020 New Revision: 366908 URL: https://svnweb.freebsd.org/changeset/base/366908 Log: Add dtrace SDT probe ipfw:::rule-matched. It helps to reduce complexity with debugging of large ipfw rulesets. Also define several constants and translators, that can by used by dtrace scripts with this probe. Reviewed by: gnn Obtained from:Yandex LLC MFC after:2 weeks Sponsored by: Yandex LLC Differential Revision:https://reviews.freebsd.org/D26879 Added: head/share/dtrace/ipfw.d (contents, props changed) Modified: head/share/dtrace/Makefile head/sys/netpfil/ipfw/ip_fw2.c Modified: head/share/dtrace/Makefile == --- head/share/dtrace/Makefile Wed Oct 21 05:57:25 2020(r366907) +++ head/share/dtrace/Makefile Wed Oct 21 15:01:33 2020(r366908) @@ -21,7 +21,7 @@ SCRIPTS= blocking \ SCRIPTSDIR= ${SHAREDIR}/dtrace -DSRCS= mbuf.d +DSRCS= mbuf.d ipfw.d FILES= ${DSRCS} FILESDIR= /usr/lib/dtrace Added: head/share/dtrace/ipfw.d == --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/dtrace/ipfw.dWed Oct 21 15:01:33 2020(r366908) 
@@ -0,0 +1,219 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Copyright (c) 2020 Yandex LLC + * Copyright (c) 2020 Andrey V. Elsukov + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + *notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + *notice, this list of conditions and the following disclaimer in the + *documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#pragma D depends_on provider ipfw + +/* ipfw_chk() return values */ +#pragma D binding "1.0" IP_FW_PASS +inline int IP_FW_PASS =0; +#pragma D binding "1.0" IP_FW_DENY +inline int IP_FW_DENY =1; +#pragma D binding "1.0" IP_FW_DIVERT +inline int IP_FW_DIVERT = 2; +#pragma D binding "1.0" IP_FW_TEE +inline int IP_FW_TEE = 3; +#pragma D binding "1.0" IP_FW_DUMMYNET +inline int IP_FW_DUMMYNET =4; +#pragma D binding "1.0" IP_FW_NETGRAPH +inline int IP_FW_NETGRAPH =5; +#pragma D binding "1.0" IP_FW_NGTEE +inline int IP_FW_NGTEE = 6; +#pragma D binding "1.0" IP_FW_NAT +inline int IP_FW_NAT = 7; +#pragma D binding "1.0" IP_FW_REASS +inline int IP_FW_REASS = 8; +#pragma D binding "1.0" IP_FW_NAT64 +inline int IP_FW_NAT64 = 9; + +#pragma D binding "1.0" ipfw_retcodes +inline string ipfw_retcodes[int ret] = + ret == IP_FW_PASS ? "PASS" : + ret == IP_FW_DENY ? "DENY" : + ret == IP_FW_DIVERT ? "DIVERT" : + ret == IP_FW_TEE ? "TEE" : + ret == IP_FW_DUMMYNET ? "DUMMYNET" : + ret == IP_FW_NETGRAPH ? "NETGRAPH" : + ret == IP_FW_NGTEE ? "NGTEE" : + ret == IP_FW_NAT ? "NAT" : + ret == IP_FW_REASS ? "REASS" : + ret == IP_FW_NAT64 ? "NAT64" : + ""; + +/* ip_fw_args flags */ +#pragma D binding "1.0" IPFW_ARGS_ETHER +inline int IPFW_ARGS_ETHER = 0x0001; /* valid ethernet header */ +#pragma D binding "1.0" IPFW_ARGS_NH4 +inline int IPFW_ARGS_NH4 = 0x0002; /* IPv4 next hop in hopstore */ +#pragma D binding "1.0" IPFW_ARGS_NH6 +inline int IPFW_ARGS_NH6 = 0x0004; /* IPv6 next hop in hopstore */ +#pragma D binding "1.0" IPFW_ARGS_NH4PTR +inline int IPFW_ARGS_NH4PTR = 0x0008; /* IPv4 next hop in next_hop */ +#pragma D binding "1.0" IPFW_ARGS_NH6PTR +inline int IPFW_ARGS_NH6PTR = 0x0010; /* IPv6 next hop in
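Review bot: the `ipfw_retcodes` translator in ipfw.d returns "" for any return value it does not know, so a script printing `ipfw_retcodes[ret]` shows an empty field for a code added to ipfw_chk() later; returning a marker such as "UNKNOWN" (or the numeric value as a string) would make that case visible. Since ip_fw2.c is in the modified list but the probe's argument list is not in the quoted hunks, a header comment in ipfw.d documenting the arguments of ipfw:::rule-matched would spare script authors a trip into ip_fw2.c.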
svn commit: r366695 - in head: share/man/man4 sys/netinet sys/sys
Author: ae Date: Wed Oct 14 09:22:54 2020 New Revision: 366695 URL: https://svnweb.freebsd.org/changeset/base/366695 Log: Implement SIOCGIFALIAS. It is lightweight way to check if an IPv4 address exists. Submitted by: Roy Marples Reviewed by: gnn, melifaro MFC after:2 weeks Differential Revision:https://reviews.freebsd.org/D26636 Modified: head/share/man/man4/netintro.4 head/sys/netinet/in.c head/sys/sys/sockio.h Modified: head/share/man/man4/netintro.4 == --- head/share/man/man4/netintro.4 Wed Oct 14 08:04:39 2020 (r366694) +++ head/share/man/man4/netintro.4 Wed Oct 14 09:22:54 2020 (r366695) @@ -28,7 +28,7 @@ .\" @(#)netintro.4 8.2 (Berkeley) 11/30/93 .\" $FreeBSD$ .\" -.Dd January 26, 2012 +.Dd October 14, 2020 .Dt NETINTRO 4 .Os .Sh NAME @@ -349,6 +349,13 @@ multiple masks or destination addresses, and also adop convention that specification of the default address means to delete the first address for the interface belonging to the address family in which the original socket was opened. +.It Dv SIOCGIFALIAS +This request provides means to get additional addresses +together with netmask and broadcast/destination from an +interface. +It also uses the +.Vt ifaliasreq +structure. .It Dv SIOCGIFCONF Get interface configuration list. This request takes an Modified: head/sys/netinet/in.c == --- head/sys/netinet/in.c Wed Oct 14 08:04:39 2020(r366694) +++ head/sys/netinet/in.c Wed Oct 14 09:22:54 2020(r366695) @@ -72,6 +72,7 @@ __FBSDID("$FreeBSD$"); static int in_aifaddr_ioctl(u_long, caddr_t, struct ifnet *, struct thread *); static int in_difaddr_ioctl(u_long, caddr_t, struct ifnet *, struct thread *); +static int in_gifaddr_ioctl(u_long, caddr_t, struct ifnet *, struct thread *); static voidin_socktrim(struct sockaddr_in *); static voidin_purgemaddrs(struct ifnet *); 
@@ -237,6 +238,11 @@ in_control(struct socket *so, u_long cmd, caddr_t data case SIOCGIFDSTADDR: case SIOCGIFNETMASK: break; + case SIOCGIFALIAS: + sx_xlock(_control_sx); + error = in_gifaddr_ioctl(cmd, data, ifp, td); + sx_xunlock(_control_sx); + return (error); case SIOCDIFADDR: sx_xlock(_control_sx); error = in_difaddr_ioctl(cmd, data, ifp, td); @@ -646,6 +652,60 @@ in_difaddr_ioctl(u_long cmd, caddr_t data, struct ifne IFADDR_EVENT_DEL); ifa_free(>ia_ifa); /* in_ifaddrhead */ + return (0); +} + +static int +in_gifaddr_ioctl(u_long cmd, caddr_t data, struct ifnet *ifp, struct thread *td) +{ + struct in_aliasreq *ifra = (struct in_aliasreq *)data; + const struct sockaddr_in *addr = >ifra_addr; + struct epoch_tracker et; + struct ifaddr *ifa; + struct in_ifaddr *ia; + + /* +* ifra_addr must be present and be of INET family. +*/ + if (addr->sin_len != sizeof(struct sockaddr_in) || + addr->sin_family != AF_INET) + return (EINVAL); + + /* +* See whether address exist. +*/ + ia = NULL; + NET_EPOCH_ENTER(et); + CK_STAILQ_FOREACH(ifa, >if_addrhead, ifa_link) { + struct in_ifaddr *it; + + if (ifa->ifa_addr->sa_family != AF_INET) + continue; + + it = (struct in_ifaddr *)ifa; + if (it->ia_addr.sin_addr.s_addr == addr->sin_addr.s_addr && + prison_check_ip4(td->td_ucred, >sin_addr) == 0) { + ia = it; + break; + } + } + if (ia == NULL) { + NET_EPOCH_EXIT(et); + return (EADDRNOTAVAIL); + } + + ifra->ifra_mask = ia->ia_sockmask; + if ((ifp->if_flags & IFF_POINTOPOINT) && + ia->ia_dstaddr.sin_family == AF_INET) + ifra->ifra_dstaddr = ia->ia_dstaddr; + else if ((ifp->if_flags & IFF_BROADCAST) && + ia->ia_broadaddr.sin_family == AF_INET) + ifra->ifra_broadaddr = ia->ia_broadaddr; + else + memset(>ifra_broadaddr, 0, + sizeof(ifra->ifra_broadaddr)); + + NET_EPOCH_EXIT(et); return (0); } Modified: head/sys/sys/sockio.h == --- head/sys/sys/sockio.h Wed Oct 14 08:04:39 2020(r366694) +++ head/sys/sys/sockio.h Wed Oct 14 09:22:54 2020(r366695) 
@@ -84,6 +84,7 @@ #defineSIOCGIFDESCR_IOWR('i', 42, struct ifreq)/* get ifnet descr */ #defineSIOCAIFADDR _IOW('i', 43, struct ifaliasreq)/* add/chg IF alias */ #defineSIOCGIFDATA _IOW('i', 44,
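Review bot: in the in_gifaddr_ioctl() hunk, prison_check_ip4(td->td_ucred, &addr->sin_addr) is evaluated inside the CK_STAILQ_FOREACH loop although its argument is the caller-supplied address rather than the loop entry, so it could run once before NET_EPOCH_ENTER() and fail fast with EADDRNOTAVAIL; in_aifaddr_ioctl() uses the same in-loop pattern, so keeping it for consistency is defensible, but say so in a comment. Also, the branches fill either ifra_dstaddr (point-to-point) or ifra_broadaddr (broadcast) and the final else clears only ifra_broadaddr; if the two names are not the same storage in struct in_aliasreq, the field not written keeps whatever the caller passed in, and if they alias, a comment stating that would save the next reader the check. The `cmd` parameter is unused, which is fine for signature symmetry with the other two helpers but worth a `__unused` or a comment.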
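Review bot: the new SIOCGIFALIAS entry in netintro.4 documents the result but not the input contract that in_gifaddr_ioctl() enforces: ifra_addr must be filled in with sin_len equal to sizeof(struct sockaddr_in) and sin_family AF_INET (otherwise EINVAL), and the request fails with EADDRNOTAVAIL when the address is not configured on the interface. Wording: "provides means to get" reads better as "provides a means to get", and "broadcast/destination" could state which one is returned (the destination on point-to-point interfaces, the broadcast address otherwise, per the in.c hunk).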
svn commit: r366682 - head/sys/netinet
Author: ae Date: Tue Oct 13 19:34:36 2020 New Revision: 366682 URL: https://svnweb.freebsd.org/changeset/base/366682 Log: Join to AllHosts multicast group again when adding an existing IPv4 address. When SIOCAIFADDR ioctl configures an IPv4 address that is already exist, it removes old ifaddr. When this IPv4 address is only one configured on the interface, this also leads to leaving from AllHosts multicast group. Then an address is added again, but due to the bug, this doesn't lead to joining to AllHosts multicast group. Submitted by: yannis.planus_alstomgroup.com Reviewed by: gnn MFC after:1 week Differential Revision:https://reviews.freebsd.org/D26757 Modified: head/sys/netinet/in.c Modified: head/sys/netinet/in.c == --- head/sys/netinet/in.c Tue Oct 13 18:57:42 2020(r366681) +++ head/sys/netinet/in.c Tue Oct 13 19:34:36 2020(r366682) @@ -377,10 +377,11 @@ in_aifaddr_ioctl(u_long cmd, caddr_t data, struct ifne continue; it = (struct in_ifaddr *)ifa; - iaIsFirst = false; if (it->ia_addr.sin_addr.s_addr == addr->sin_addr.s_addr && prison_check_ip4(td->td_ucred, >sin_addr) == 0) ia = it; + else + iaIsFirst = false; } NET_EPOCH_EXIT(et); ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
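Review bot: moving `iaIsFirst = false` into the else branch makes the entry that matches the address being re-added no longer count as an existing address, which is what restores the AllHosts join, but the reason (that ifaddr is about to be removed, so it must not count) lives only in the commit log; a short comment above the if/else would keep someone from "simplifying" it back. Note also that an entry matching on s_addr but failing prison_check_ip4() does count, via the else branch; that looks intentional, since from the jail's point of view it is a different, pre-existing address, but the comment should say so.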
svn commit: r366681 - head/sys/netpfil/ipfw/nat64
Author: ae Date: Tue Oct 13 18:57:42 2020 New Revision: 366681 URL: https://svnweb.freebsd.org/changeset/base/366681 Log: Add IPv4 fragments reassembling to NAT64LSN. NAT64LSN requires the presence of upper level protocol header in a IPv4 datagram to find corresponding state to make translation. Now it will be handled automatically by nat64lsn instance. Reviewed by: melifaro Obtained from:Yandex LLC MFC after:1 week Sponsored by: Yandex LLC Differential Revision:https://reviews.freebsd.org/D26758 Modified: head/sys/netpfil/ipfw/nat64/nat64lsn.c Modified: head/sys/netpfil/ipfw/nat64/nat64lsn.c == --- head/sys/netpfil/ipfw/nat64/nat64lsn.c Tue Oct 13 18:36:35 2020 (r366680) +++ head/sys/netpfil/ipfw/nat64/nat64lsn.c Tue Oct 13 18:57:42 2020 (r366681) 
@@ -547,6 +547,57 @@ nat64lsn_get_state4to6(struct nat64lsn_cfg *cfg, struc return (NULL); } +/* + * Reassemble IPv4 fragments, make PULLUP if needed, get some ULP fields + * that might be unknown until reassembling is completed. + */ +static struct mbuf* +nat64lsn_reassemble4(struct nat64lsn_cfg *cfg, struct mbuf *m, +uint16_t *port) +{ + struct ip *ip; + int len; + + m = ip_reass(m); + if (m == NULL) + return (NULL); + /* IP header must be contigious after ip_reass() */ + ip = mtod(m, struct ip *); + len = ip->ip_hl << 2; + switch (ip->ip_p) { + case IPPROTO_ICMP: + len += ICMP_MINLEN; /* Enough to get icmp_id */ + break; + case IPPROTO_TCP: + len += sizeof(struct tcphdr); + break; + case IPPROTO_UDP: + len += sizeof(struct udphdr); + break; + default: + m_freem(m); + NAT64STAT_INC(>base.stats, noproto); + return (NULL); + } + if (m->m_len < len) { + m = m_pullup(m, len); + if (m == NULL) { + NAT64STAT_INC(>base.stats, nomem); + return (NULL); + } + ip = mtod(m, struct ip *); + } + switch (ip->ip_p) { + case IPPROTO_TCP: + *port = ntohs(L3HDR(ip, struct tcphdr *)->th_dport); + break; + case IPPROTO_UDP: + *port = ntohs(L3HDR(ip, struct udphdr *)->uh_dport); + break; + } + return (m); +} + static int nat64lsn_translate4(struct nat64lsn_cfg *cfg, const struct ipfw_flow_id *f_id, struct mbuf **mp) @@ -566,6 +617,14 @@ nat64lsn_translate4(struct nat64lsn_cfg *cfg, if (addr < cfg->prefix4 || addr > cfg->pmask4) { NAT64STAT_INC(>base.stats, nomatch4); return (cfg->nomatch_verdict); + } + + /* Reassemble fragments if needed */ + ret = ntohs(mtod(*mp, struct ip *)->ip_off); + if ((ret & (IP_MF | IP_OFFMASK)) != 0) { + *mp = nat64lsn_reassemble4(cfg, *mp, ); + if (*mp == NULL) + return (IP_FW_DENY); } /* Check if protocol is supported */ ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
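Review bot: nat64lsn_reassemble4() returns NULL both when ip_reass() has queued an incomplete fragment (the mbuf is consumed, not an error) and when the mbuf was dropped (noproto/nomem), and nothing in the function distinguishes the two for the caller; a comment on the `m = ip_reass(m); if (m == NULL) return (NULL);` lines stating that this is the "queued, wait for more fragments" case would make the contract explicit. Minor: the comment reads "contigious" for "contiguous", and *port is not written for IPPROTO_ICMP, so the caller must initialise port before the call (the hunk does not show whether it does).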
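Review bot: in the nat64lsn_translate4() hunk, `ret` is reused to hold ntohs(ip_off) for the (IP_MF | IP_OFFMASK) test; since `ret` elsewhere carries the verdict, a dedicated local such as `uint16_t off` would avoid confusing the two. The caller turns every NULL from nat64lsn_reassemble4() into IP_FW_DENY, including the queued-fragment case, so please confirm (and note in the comment) that the ipfw path does not free or count *mp again when it is NULL, and that the deny is the intended verdict for a fragment that was merely queued.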
svn commit: r366568 - head/usr.bin/cpuset
Author: ae Date: Fri Oct 9 11:24:19 2020 New Revision: 366568 URL: https://svnweb.freebsd.org/changeset/base/366568 Log: Fix EINVAL message when CPU binding information is requested for IRQ. `cpuset -g -x N` along with requested information always prints message `cpuset: getdomain: Invalid argument'. The EINVAL is returned from kern_cpuset_getdomain(), since it doesn't expect CPU_LEVEL_WHICH and CPU_WHICH_IRQ parameters. To fix the error, do not call cpuset_getdomain() when `-x' is specified. MFC after:1 week Modified: head/usr.bin/cpuset/cpuset.c Modified: head/usr.bin/cpuset/cpuset.c == --- head/usr.bin/cpuset/cpuset.cFri Oct 9 10:55:19 2020 (r366567) +++ head/usr.bin/cpuset/cpuset.cFri Oct 9 11:24:19 2020 (r366568) @@ -253,7 +253,7 @@ printaffinity(void) printf("%s %jd%s mask: ", whichnames[which], (intmax_t)id, levelnames[level]); printset((struct bitset *), CPU_SETSIZE); - if (dflag) + if (dflag || xflag) goto out; if (cpuset_getdomain(level, which, id, sizeof(domain), , ) != 0) ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
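Review bot: `if (dflag || xflag) goto out;` removes the spurious EINVAL, but the reader has to know from the log that kern_cpuset_getdomain() rejects CPU_WHICH_IRQ; a comment such as "domain information is not available for IRQs" above the condition would explain why -x skips cpuset_getdomain() while the other `which` values do not.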
svn commit: r365628 - head/sbin/ipfw
Author: ae Date: Fri Sep 11 10:07:09 2020 New Revision: 365628 URL: https://svnweb.freebsd.org/changeset/base/365628 Log: Fix compatibility regression after r364117. Properly handle the case, when some opcode keywords follow after the `frag` opcode without additional options. Reported by: Evgeniy Khramtsov Modified: head/sbin/ipfw/ipfw2.c Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Fri Sep 11 10:05:44 2020(r365627) +++ head/sbin/ipfw/ipfw2.c Fri Sep 11 10:07:09 2020(r365628) @@ -4560,17 +4560,24 @@ read_options: fill_cmd(cmd, O_DIVERTED, 0, 2); break; - case TOK_FRAG: - fill_flags_cmd(cmd, O_FRAG, f_ipoff, *av); - /* -* Compatibility: no argument after "frag" -* keyword equals to "frag offset". -*/ - if (cmd->arg1 == 0) - cmd->arg1 = 0x1; - else + case TOK_FRAG: { + uint32_t set = 0, clear = 0; + + if (*av != NULL && fill_flags(f_ipoff, *av, NULL, + , ) == 0) av++; + else { + /* +* Compatibility: no argument after "frag" +* keyword equals to "frag offset". +*/ + set = 0x01; + clear = 0; + } + fill_cmd(cmd, O_FRAG, 0, + (set & 0xff) | ( (clear & 0xff) << 8)); break; + } case TOK_LAYER2: fill_cmd(cmd, O_LAYER2, 0, 0); ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
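Review bot: in the new TOK_FRAG block, `clear = 0;` in the else branch is redundant (both `set` and `clear` are zero-initialised at declaration), and `( (clear & 0xff) << 8)` has a stray space after the opening parenthesis. More substantively, the else branch is taken both when no token follows `frag` and when the next token is not something fill_flags() accepts, so a misspelled flag (say `frag offsett`, a constructed example) is silently treated as `frag offset` and the bad token is left for the surrounding keyword loop; the comment should state that this fallback is what lets a following keyword work, and that unrecognised tokens are reported by that loop rather than here.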
svn commit: r365449 - head/sbin/rcorder
Author: ae Date: Tue Sep 8 10:36:11 2020 New Revision: 365449 URL: https://svnweb.freebsd.org/changeset/base/365449 Log: Add a few features to rcorder: o Enhance dependency loop logging: print full chain instead of the last link competing the loop; o Add -g option to generate dependency graph suitable for GraphViz visualization, loops and other graph generation issues are highlighted automatically; o Add -p option that enables grouping items that can be processed in parallel. Submitted by: Boris Lytochkin Reviewed by: melifaro MFC after:1 week Differential Revision:https://reviews.freebsd.org/D25389 Modified: head/sbin/rcorder/rcorder.8 head/sbin/rcorder/rcorder.c Modified: head/sbin/rcorder/rcorder.8 == --- head/sbin/rcorder/rcorder.8 Tue Sep 8 07:37:45 2020(r365448) +++ head/sbin/rcorder/rcorder.8 Tue Sep 8 10:36:11 2020(r365449) @@ -31,7 +31,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 22, 2020 +.Dd September 8, 2020 .Dt RCORDER 8 .Os .Sh NAME @@ -39,6 +39,7 @@ .Nd print a dependency ordering of interdependent files .Sh SYNOPSIS .Nm +.Op Fl gp .Op Fl k Ar keep .Op Fl s Ar skip .Ar @@ -95,6 +96,9 @@ is reached, parsing stops. .Pp The options are as follows: .Bl -tag -width "-k keep" +.It Fl g +Produce a GraphViz (.dot) of the complete dependency graph instead of +plaintext calling order list. .It Fl k Ar keep Add the specified keyword to the .Dq "keep list" . @@ -102,6 +106,9 @@ If any .Fl k option is given, only those files containing the matching keyword are listed. This option can be specified multiple times. +.It Fl p +Generate ordering suitable for parallel startup, placing files that can be +executed simultaneously on the same line. .It Fl s Ar skip Add the specified keyword to the .Dq "skip list" . 
@@ -178,19 +185,46 @@ The utility may print one of the following error messages and exit with a non-zero status if it encounters an error while processing the file list. .Bl -diag -.It "Requirement %s has no providers, aborting." +.It "Requirement %s in file %s has no providers." No file has a .Ql PROVIDE line corresponding to a condition present in a .Ql REQUIRE line in another file. -.It "Circular dependency on provision %s, aborting." +.It "Circular dependency on provision %s in file %s." A set of files has a circular dependency which was detected while processing the stated condition. -.It "Circular dependency on file %s, aborting." +Loop visualization follows this message. +.It "Circular dependency on file %s." A set of files has a circular dependency which was detected while processing the stated file. +.It "%s was seen in circular dependencies for %d times." +Each node that was a part of circular dependency loops reports total number of +such encounters. +Start with files having biggest counter when fighting with broken dependencies. .El +.Sh DIAGNOSTICS WITH GRAPHVIZ +Direct dependency is drawn with solid line, +.Ql BEFORE +dependency is drawn as a dashed line. +Each node of a graph represents an item from +.Ql PROVIDE +lines. +In case there are more than one file providing an item, a list of filenames +shortened with +.Xr basename 3 +is shown. +Shortened filenames are also shown in case +.Ql PROVIDE +item does not match file name. +.Pp +Edges and nodes where circular dependencies were detected are drawn bold red. +If a file has an item in +.Ql REQUIRE +or in +.Ql BEFORE +that could not be provided, +this missing provider and the requirement will be drawn bold red as well. .Sh SEE ALSO .Xr acpiconf 8 , .Xr rc 8 , Modified: head/sbin/rcorder/rcorder.c == --- head/sbin/rcorder/rcorder.c Tue Sep 8 07:37:45 2020(r365448) +++ head/sbin/rcorder/rcorder.c Tue Sep 8 10:36:11 2020(r365449) 
@@ -9,6 +9,8 @@ * All rights reserved. * Copyright (c) 1998 * Perry E. Metzger. All rights reserved. + * Copyright (c) 2020 + * Boris N. Lytochkin. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -48,6 +50,8 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include +#include #include "ealloc.h" #include "sprite.h" @@ -75,17 +79,21 @@ static int debug = 0; #define KEYWORDS_STR "# KEYWORDS:" #define KEYWORDS_LEN (sizeof(KEYWORDS_STR) - 1) +#defineFAKE_PROV_NAME "fake_prov_" + static int exit_code; static int file_count; static char **file_list; -typedef int bool; #define TRUE 1 #define FALSE 0 typedef bool flag; #define SET TRUE #define RESET FALSE +static flag do_graphviz = false; +static flag do_parallel = false; + static Hash_Table provide_hash_s, *provide_hash; typedef struct provnode provnode; @@ -97,12 +105,14 @@ typedef struct strnodelist strnodelist;
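Review bot: wording in the new rcorder.8 option entries: "Produce a GraphViz (.dot) of the complete dependency graph" is missing a noun ("a GraphViz .dot description of"), "instead of plaintext calling order list" wants an article ("instead of a plaintext calling-order list"), and the -p entry should say what separates the items placed on one line, since scripts will parse that output. The synopsis adds `.Op Fl gp`; please state whether -g and -p can be combined and which output wins when they are.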
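Review bot: in the DIAGNOSTICS hunk of rcorder.8, "Start with files having biggest counter when fighting with broken dependencies" reads better as "When resolving broken dependencies, start with the files that have the highest count"; "Direct dependency is drawn with solid line" needs articles ("A direct dependency is drawn with a solid line, a BEFORE dependency as a dashed line"); and "In case there are more than one file providing an item" should be "If more than one file provides an item". The message text "%s was seen in circular dependencies for %d times" is itself ungrammatical ("%d times" without "for"), and since it is what users will grep for, better to fix it in rcorder.c and the man page together.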
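Review bot: the rcorder.c hunk drops `typedef int bool;` in favour of the two new includes (presumably <stdbool.h>; the include names are not shown in the listing) and initialises the new flags with lowercase `false`, but keeps `#define TRUE 1`, `#define FALSE 0` and `typedef bool flag;` alongside; mixing TRUE/FALSE with true/false in one file is confusing, so either drop the macros and the `flag` typedef or use one convention throughout. `FAKE_PROV_NAME` also deserves a comment saying what fake providers are used for.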
svn commit: r363908 - head/share/dtrace
Author: ae Date: Wed Aug 5 11:54:02 2020 New Revision: 363908 URL: https://svnweb.freebsd.org/changeset/base/363908 Log: Synchronize definitions in mbuf.d with values from mbuf.h Obtained from:Yandex LLC Sponsored by: Yandex LLC Modified: head/share/dtrace/mbuf.d Modified: head/share/dtrace/mbuf.d == --- head/share/dtrace/mbuf.dWed Aug 5 11:41:41 2020(r363907) +++ head/share/dtrace/mbuf.dWed Aug 5 11:54:02 2020(r363908) 
@@ -53,37 +53,41 @@ inline int M_MCAST =0x0020; /* send/received as l inline int M_PROMISC = 0x0040; /* packet was not for us */ #pragma D binding "1.6.3" M_VLANTAG inline int M_VLANTAG = 0x0080; /* ether_vtag is valid */ -#pragma D binding "1.6.3" M_UNUSED_8 -inline int M_UNUSED_8 =0x0100; /* --available-- */ +#pragma D binding "1.13" M_EXTPG +inline int M_EXTPG = 0x0100; /* has array of unmapped pages and TLS */ #pragma D binding "1.6.3" M_NOFREE inline int M_NOFREE = 0x0200; /* do not free mbuf, embedded in cluster */ +#pragma D binding "1.13" M_TSTMP +inline int M_TSTMP = 0x0400; /* rcv_tstmp field is valid */ +#pragma D binding "1.13" M_TSTMP_HPREC +inline int M_TSTMP_HPREC = 0x0800; /* rcv_tstmp is high-prec */ +#pragma D binding "1.13" M_TSTMP_LRO +inline int M_TSTMP_LRO = 0x1000; /* Time LRO pushed in pkt is valid */ + +#pragma D binding "1.13" M_PROTO1 +inline int M_PROTO1 = 0x2000; /* protocol-specific */ +#pragma D binding "1.13" M_PROTO2 +inline int M_PROTO2 = 0x4000; /* protocol-specific */ +#pragma D binding "1.13" M_PROTO3 +inline int M_PROTO3 = 0x8000; /* protocol-specific */ +#pragma D binding "1.13" M_PROTO4 +inline int M_PROTO4 = 0x0001; /* protocol-specific */ +#pragma D binding "1.13" M_PROTO5 +inline int M_PROTO5 = 0x0002; /* protocol-specific */ +#pragma D binding "1.13" M_PROTO6 +inline int M_PROTO6 = 0x0004; /* protocol-specific */ +#pragma D binding "1.13" M_PROTO7 +inline int M_PROTO7 = 0x0008; /* protocol-specific */ +#pragma D binding "1.13" M_PROTO8 +inline int M_PROTO8 = 0x0010; /* protocol-specific */ +#pragma D binding "1.13" M_PROTO9 +inline int M_PROTO9 = 0x0020; /* protocol-specific */ +#pragma D binding "1.13" M_PROTO10 +inline int M_PROTO10 = 0x0040; /* protocol-specific */ +#pragma D binding "1.13" M_PROTO11 +inline int M_PROTO11 = 0x0080; /* protocol-specific */ -#pragma D binding "1.6.3" M_PROTO1 -inline int M_PROTO1 = 0x1000; /* protocol-specific */ -#pragma D binding "1.6.3" M_PROTO2 -inline int M_PROTO2 = 0x2000; /* 
protocol-specific */ -#pragma D binding "1.6.3" M_PROTO3 -inline int M_PROTO3 = 0x4000; /* protocol-specific */ -#pragma D binding "1.6.3" M_PROTO4 -inline int M_PROTO4 = 0x8000; /* protocol-specific */ -#pragma D binding "1.6.3" M_PROTO5 -inline int M_PROTO5 = 0x0001; /* protocol-specific */ -#pragma D binding "1.6.3" M_PROTO6 -inline int M_PROTO6 = 0x0002; /* protocol-specific */ -#pragma D binding "1.6.3" M_PROTO7 -inline int M_PROTO7 = 0x0004; /* protocol-specific */ -#pragma D binding "1.6.3" M_PROTO8 -inline int M_PROTO8 = 0x0008; /* protocol-specific */ -#pragma D binding "1.6.3" M_PROTO9 -inline int M_PROTO9 = 0x0010; /* protocol-specific */ -#pragma D binding "1.6.3" M_PROTO10 -inline int M_PROTO10 = 0x0020; /* protocol-specific */ -#pragma D binding "1.6.3" M_PROTO11 -inline int M_PROTO11 = 0x0040; /* protocol-specific */ -#pragma D binding "1.6.3" M_PROTO12 -inline int M_PROTO12 = 0x0080; /* protocol-specific */ - -#pragma D binding "1.6.3" mbufflags_string +#pragma D binding "1.13" mbufflags_string inline string mbufflags_string[uint32_t flags] = flags & M_EXT ? "M_EXT" : flags & M_PKTHDR ? "M_PKTHDR" : @@ -93,8 +97,11 @@ inline string mbufflags_string[uint32_t flags] = flags & M_MCAST? "M_MCAST" : flags & M_PROMISC ? "M_PROMISC" : flags & M_VLANTAG ? "M_VLANTAG" : -flags & M_UNUSED_8 ? "M_UNUSED_8" : -flags & M_NOFREE ? "M_NOFREE" : +flags & M_EXTPG? "M_EXTPG" : +flags & M_NOFREE ? "M_NOFREE" : +flags & M_TSTMP? "M_TSTMP" : +flags & M_TSTMP_HPREC ? "M_TSTMP_HPREC" : +flags & M_TSTMP_LRO ? "M_TSTMP_LRO" : flags & M_PROTO1 ? "M_PROTO1" : flags & M_PROTO2 ? "M_PROTO2" : flags & M_PROTO3 ? "M_PROTO3" : 
@@ -106,7 +113,6 @@ inline string mbufflags_string[uint32_t flags] = flags & M_PROTO9 ? "M_PROTO9" : flags & M_PROTO10 ? "M_PROTO10" : flags & M_PROTO11 ? "M_PROTO11" : -flags & M_PROTO12 ? "M_PROTO12" : "none" ; typedef struct mbufinfo { ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
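Review bot: as the first mbuf.d hunk reads, the relocated M_PROTO4..M_PROTO11 are 0x0001..0x0080, which overlap the low-order flags visible in the context lines (M_PROMISC is 0x0040 and M_VLANTAG is 0x0080, so M_PROTO10 and M_PROTO11 would collide with them); the removed lines had the same form (M_PROTO5 = 0x0001), so this may be how the listing was rendered rather than the file content, but please confirm the literals are the upper-halfword values from mbuf.h that the log says the file was synchronised with, because mbufflags_string tests the low-order flags first and would never report an aliased M_PROTOn.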
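Review bot: the mbufflags_string hunks add M_EXTPG and the M_TSTMP* names, but the translator still returns only the first matching name, so a packet with M_PKTHDR | M_TSTMP prints "M_PKTHDR" and the new flags are rarely visible; that limitation predates this change, but a comment on the translator (or a note that scripts needing every bit must test them individually) would stop the new entries from misleading.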
svn commit: r363906 - in head/sys: kern sys
Author: ae Date: Wed Aug 5 11:39:09 2020 New Revision: 363906 URL: https://svnweb.freebsd.org/changeset/base/363906 Log: Add m__getjcl SDT probe. Obtained from:Yandex LLC MFC after:1 week Sponsored by: Yandex LLC Modified: head/sys/kern/kern_mbuf.c head/sys/kern/uipc_mbuf.c head/sys/sys/mbuf.h Modified: head/sys/kern/kern_mbuf.c == --- head/sys/kern/kern_mbuf.c Wed Aug 5 11:38:33 2020(r363905) +++ head/sys/kern/kern_mbuf.c Wed Aug 5 11:39:09 2020(r363906) @@ -1397,6 +1397,7 @@ m_getjcl(int how, short type, int flags, int size) uma_zfree(zone_mbuf, m); return (NULL); } + MBUF_PROBE5(m__getjcl, how, type, flags, size, m); return (m); } Modified: head/sys/kern/uipc_mbuf.c == --- head/sys/kern/uipc_mbuf.c Wed Aug 5 11:38:33 2020(r363905) +++ head/sys/kern/uipc_mbuf.c Wed Aug 5 11:39:09 2020(r363906) @@ -78,6 +78,13 @@ SDT_PROBE_DEFINE4_XLATE(sdt, , , m__getcl, "uint32_t", "uint32_t", "struct mbuf *", "mbufinfo_t *"); +SDT_PROBE_DEFINE5_XLATE(sdt, , , m__getjcl, +"uint32_t", "uint32_t", +"uint16_t", "uint16_t", +"uint32_t", "uint32_t", +"uint32_t", "uint32_t", +"struct mbuf *", "mbufinfo_t *"); + SDT_PROBE_DEFINE3_XLATE(sdt, , , m__clget, "struct mbuf *", "mbufinfo_t *", "uint32_t", "uint32_t", Modified: head/sys/sys/mbuf.h == --- head/sys/sys/mbuf.h Wed Aug 5 11:38:33 2020(r363905) +++ head/sys/sys/mbuf.h Wed Aug 5 11:39:09 2020(r363906) @@ -65,6 +65,7 @@ SDT_PROBE_DECLARE(sdt, , , m__init); SDT_PROBE_DECLARE(sdt, , , m__gethdr); SDT_PROBE_DECLARE(sdt, , , m__get); SDT_PROBE_DECLARE(sdt, , , m__getcl); +SDT_PROBE_DECLARE(sdt, , , m__getjcl); SDT_PROBE_DECLARE(sdt, , , m__clget); SDT_PROBE_DECLARE(sdt, , , m__cljget); SDT_PROBE_DECLARE(sdt, , , m__cljset); ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
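Review bot: MBUF_PROBE5(m__getjcl, ...) fires only after the allocation has succeeded, since it sits after the `return (NULL)` failure path in m_getjcl(), so an allocation failure is not observable through this probe; if that is intentional and consistent with the other m__get* probes, a comment at the probe site would say so, and the SDT_PROBE_DEFINE5_XLATE block would benefit from a comment naming the five arguments (how, type, flags, size, m) in order for script authors.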
svn commit: r363904 - head/sbin/ipfw
Author: ae Date: Wed Aug 5 11:26:49 2020 New Revision: 363904 URL: https://svnweb.freebsd.org/changeset/base/363904 Log: Fix SIGSEGV in ipfw(8) when NAT64 prefix length is omitted. Submitted by: Evgeniy Khramtsov MFC after:1 week Differential Revision:https://reviews.freebsd.org/D25734 Modified: head/sbin/ipfw/nat64clat.c head/sbin/ipfw/nat64stl.c Modified: head/sbin/ipfw/nat64clat.c == --- head/sbin/ipfw/nat64clat.c Wed Aug 5 11:26:14 2020(r363903) +++ head/sbin/ipfw/nat64clat.c Wed Aug 5 11:26:49 2020(r363904) @@ -303,6 +303,9 @@ nat64clat_config(const char *name, uint8_t set, int ac if ((p = strchr(*av, '/')) != NULL) *p++ = '\0'; + else + errx(EX_USAGE, + "Prefix length required: %s", *av); if (inet_pton(AF_INET6, *av, ) != 1) errx(EX_USAGE, "Bad prefix: %s", *av); Modified: head/sbin/ipfw/nat64stl.c == --- head/sbin/ipfw/nat64stl.c Wed Aug 5 11:26:14 2020(r363903) +++ head/sbin/ipfw/nat64stl.c Wed Aug 5 11:26:49 2020(r363904) @@ -249,6 +249,9 @@ nat64stl_create(const char *name, uint8_t set, int ac, NEED1("IPv6 prefix6 required"); if ((p = strchr(*av, '/')) != NULL) *p++ = '\0'; + else + errx(EX_USAGE, + "Prefix length required: %s", *av); if (inet_pton(AF_INET6, *av, >prefix6) != 1) errx(EX_USAGE, "Bad prefix: %s", *av); ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
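Review bot: the two hunks add the same three-line check to nat64clat_config() and nat64stl_create(); since both parse "prefix6/len" identically, a shared helper (require the '/', split, then inet_pton()) would keep the error handling in one place so a third parser of the same syntax cannot regress the same way. Also, testing `p == NULL` first and calling errx() there, then doing `*p++ = '\0'` unconditionally, reads more naturally than the happy path in the if and errx() in the else.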
svn commit: r363900 - head/sys/netinet6
Author: ae Date: Wed Aug 5 10:27:11 2020 New Revision: 363900 URL: https://svnweb.freebsd.org/changeset/base/363900 Log: Fix typo. Submitted by: Evgeniy Khramtsov MFC after:1 week Differential Revision:https://reviews.freebsd.org/D25932 Modified: head/sys/netinet6/in6_proto.c Modified: head/sys/netinet6/in6_proto.c == --- head/sys/netinet6/in6_proto.c Wed Aug 5 10:12:19 2020 (r363899) +++ head/sys/netinet6/in6_proto.c Wed Aug 5 10:27:11 2020 (r363900) @@ -586,7 +586,7 @@ SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_ND6_USELOOPBACK "Create a loopback route when configuring an IPv6 address"); SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_NODEINFO, nodeinfo, CTLFLAG_VNET | CTLFLAG_RW, _NAME(icmp6_nodeinfo), 0, - "Mask of enabled RF4620 node information query types"); + "Mask of enabled RFC4620 node information query types"); SYSCTL_INT(_net_inet6_icmp6, ICMPV6CTL_NODEINFO_OLDMCPREFIX, nodeinfo_oldmcprefix, CTLFLAG_VNET | CTLFLAG_RW, _NAME(icmp6_nodeinfo_oldmcprefix), 0,
svn commit: r363888 - head/sys/netpfil/ipfw/nat64
Author: ae Date: Wed Aug 5 09:16:35 2020 New Revision: 363888 URL: https://svnweb.freebsd.org/changeset/base/363888 Log: Handle delayed checksums if needed in NAT64. Upper level protocols defer checksums calculation in hope we have checksums offloading in a network card. CSUM_DELAY_DATA flag is used to determine that checksum calculation was deferred. And IP output routine checks for this flag before pass mbuf to lower layer. Forwarded packets have not this flag. NAT64 uses checksums adjustment when it translates IP headers. In most cases NAT64 is used for forwarded packets, but in case when it handles locally originated packets we need to finish checksum calculation that was deferred to correctly adjust it. Add check for presence of CSUM_DELAY_DATA flag and finish checksum calculation before adjustment. Reported and tested by: Evgeniy Khramtsov MFC after:1 week Modified: head/sys/netpfil/ipfw/nat64/nat64_translate.c Modified: head/sys/netpfil/ipfw/nat64/nat64_translate.c == --- head/sys/netpfil/ipfw/nat64/nat64_translate.c Wed Aug 5 08:31:26 2020(r363887) +++ head/sys/netpfil/ipfw/nat64/nat64_translate.c Wed Aug 5 09:16:35 2020(r363888) @@ -1294,6 +1294,12 @@ nat64_do_handle_ip4(struct mbuf *m, struct in6_addr *s ip6.ip6_hlim -= IPTTLDEC; ip6.ip6_plen = htons(plen); ip6.ip6_nxt = (proto == IPPROTO_ICMP) ? IPPROTO_ICMPV6: proto; + + /* Handle delayed checksums if needed. */ + if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { + in_delayed_cksum(m); + m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; + } /* Convert checksums. */ switch (proto) { case IPPROTO_TCP: 
@@ -1665,6 +1671,12 @@ nat64_do_handle_ip6(struct mbuf *m, uint32_t aaddr, ui return (NAT64RETURN); } nat64_init_ip4hdr(ip6, frag, plen, proto, ); + + /* Handle delayed checksums if needed. */ + if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA_IPV6) { + in6_delayed_cksum(m, plen, hlen); + m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA_IPV6; + } /* Convert checksums. */ switch (proto) { case IPPROTO_TCP: ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
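Review bot: in the nat64_do_handle_ip4() hunk, in_delayed_cksum(m) depends on the mbuf still carrying the original IPv4 header (that is where it locates the transport checksum), and it runs after the local ip6 header has been prepared but before the header in the mbuf is rewritten, which is the right spot; a comment saying "must run while the IPv4 header is still in place" would keep a future reordering from breaking it. The reason the flag can be set at all here (locally originated packets whose checksum was deferred to hardware offload, per the log) belongs above the check as well, because "if needed" does not explain it.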
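Review bot: the nat64_do_handle_ip6() hunk mirrors the IPv4 one with in6_delayed_cksum(m, plen, hlen) and clears CSUM_DELAY_DATA_IPV6, so the same ordering comment applies; it is also worth stating in the comment that only the CSUM_DELAY_DATA_IPV6 bits are finished here, so a transport with its own deferred-checksum flag would need separate handling before the checksum conversion switch below.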
Re: svn commit: r362338 - in head: share/man/man4 sys/conf sys/kern sys/netinet sys/netinet6 sys/netipsec sys/netpfil/pf
On 23.06.2020 01:20, John Baldwin wrote:
>> I tend to assume that a buildkernel of GENERIC without any special flags
>> will always build all modules (except those not available for the target
>> platform of course), so I was a bit surprised to see that this isn't the
>> case for ipsec.ko. As Rodney pointed out it provides marginally better
>> coverage against build breaks. If you think we can restore the old
>> behaviour for ipsec without too much work I think it'd be reasonable to
>> change that and compile sctp.ko even when "options SCTP" is configured.
>> I can't spot any similar cases in sys/modules/Makefile with a bit of
>> skimming.
>
> I don't think ipsec.ko is easily fixable when I looked at it. I think it
> is fine to leave sctp.ko building as part of GENERIC though.

Hi,

I'm sorry, I missed these changes, but in the past there weren't any problems in building the ipsec.ko module with/without any possible options. I'll try to look at what happened and what can be done to fix this at the weekend.

-- 
WBR, Andrey V. Elsukov
svn commit: r361749 - head/sys/net
Author: ae
Date: Wed Jun 3 13:02:31 2020
New Revision: 361749
URL: https://svnweb.freebsd.org/changeset/base/361749

Log:
  Add if_reassign method to all tunneling interfaces.

  After r339550 tunneling interfaces have started to handle the appearing and disappearing of the ingress IP address on the host system. When such interfaces are moved into a VNET jail, they lose the ability to properly handle the ifaddr_event_ext event, and this leads to the need to reconfigure the tunnel to make it work again. Since moving an interface into a VNET jail leads to the removal of all IP addresses, it looks consistent that the tunnel configuration should also be cleared. This is what the if_reassign method will do.

  Reported by: John W. O'Brien
  MFC after: 1 week

Modified:
  head/sys/net/if_gif.c
  head/sys/net/if_gre.c
  head/sys/net/if_ipsec.c
  head/sys/net/if_me.c

Modified: head/sys/net/if_gif.c
==
--- head/sys/net/if_gif.c Wed Jun 3 09:38:51 2020(r361748)
+++ head/sys/net/if_gif.c Wed Jun 3 13:02:31 2020(r361749)
@@ -104,6 +104,9 @@ void(*ng_gif_input_orphan_p)(struct ifnet *ifp, struc void (*ng_gif_attach_p)(struct ifnet *ifp); void (*ng_gif_detach_p)(struct ifnet *ifp); +#ifdef VIMAGE +static voidgif_reassign(struct ifnet *, struct vnet *, char *); +#endif static voidgif_delete_tunnel(struct gif_softc *); static int gif_ioctl(struct ifnet *, u_long, caddr_t); static int gif_transmit(struct ifnet *, struct mbuf *); @@ -150,6 +153,9 @@ gif_clone_create(struct if_clone *ifc, int unit, caddr GIF2IFP(sc)->if_transmit = gif_transmit; GIF2IFP(sc)->if_qflush = gif_qflush; GIF2IFP(sc)->if_output = gif_output; +#ifdef VIMAGE + GIF2IFP(sc)->if_reassign = gif_reassign; +#endif GIF2IFP(sc)->if_capabilities |= IFCAP_LINKSTATE; GIF2IFP(sc)->if_capenable |= IFCAP_LINKSTATE; if_attach(GIF2IFP(sc));
@@ -159,6 +165,21 @@ gif_clone_create(struct if_clone *ifc, int unit, caddr return (0); } + +#ifdef VIMAGE +static void +gif_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused, +char *unused __unused) +{ + struct gif_softc *sc; + + sx_xlock(_ioctl_sx); + sc = ifp->if_softc; + if (sc != NULL) + gif_delete_tunnel(sc); + sx_xunlock(_ioctl_sx); +} +#endif /* VIMAGE */ static void gif_clone_destroy(struct ifnet *ifp) Modified: head/sys/net/if_gre.c == --- head/sys/net/if_gre.c Wed Jun 3 09:38:51 2020(r361748) +++ head/sys/net/if_gre.c Wed Jun 3 13:02:31 2020(r361749) @@ -107,6 +107,9 @@ static void gre_clone_destroy(struct ifnet *); VNET_DEFINE_STATIC(struct if_clone *, gre_cloner); #defineV_gre_clonerVNET(gre_cloner) +#ifdef VIMAGE +static voidgre_reassign(struct ifnet *, struct vnet *, char *); +#endif static voidgre_qflush(struct ifnet *); static int gre_transmit(struct ifnet *, struct mbuf *); static int gre_ioctl(struct ifnet *, u_long, caddr_t); @@ -183,12 +186,30 @@ gre_clone_create(struct if_clone *ifc, int unit, caddr GRE2IFP(sc)->if_ioctl = gre_ioctl; GRE2IFP(sc)->if_transmit = gre_transmit; GRE2IFP(sc)->if_qflush = gre_qflush; +#ifdef VIMAGE + GRE2IFP(sc)->if_reassign = gre_reassign; +#endif GRE2IFP(sc)->if_capabilities |= IFCAP_LINKSTATE; GRE2IFP(sc)->if_capenable |= IFCAP_LINKSTATE; if_attach(GRE2IFP(sc)); bpfattach(GRE2IFP(sc), DLT_NULL, sizeof(u_int32_t)); return (0); } + +#ifdef VIMAGE +static void +gre_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused, +char *unused __unused) +{ + struct gre_softc *sc; + + sx_xlock(_ioctl_sx); + sc = ifp->if_softc; + if (sc != NULL) + gre_delete_tunnel(sc); + sx_xunlock(_ioctl_sx); +} +#endif /* VIMAGE */ static void gre_clone_destroy(struct ifnet *ifp) Modified: head/sys/net/if_ipsec.c == --- head/sys/net/if_ipsec.c Wed Jun 3 09:38:51 2020(r361748) +++ head/sys/net/if_ipsec.c Wed Jun 3 13:02:31 2020(r361749) 
@@ -170,6 +170,9 @@ static int ipsec_set_addresses(struct ifnet *, struct static int ipsec_set_reqid(struct ipsec_softc *, uint32_t); static voidipsec_set_running(struct ipsec_softc *); +#ifdef VIMAGE +static voidipsec_reassign(struct ifnet *, struct vnet *, char *); +#endif static voidipsec_srcaddr(void *, const struct sockaddr *, int); static int ipsec_ioctl(struct ifnet *, u_long, caddr_t); static int ipsec_transmit(struct ifnet *, struct mbuf *); @@ -201,11 +204,29 @@ ipsec_clone_create(struct if_clone *ifc, int unit, cad ifp->if_transmit = ipsec_transmit; ifp->if_qflush = ipsec_qflush;
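Review bot: gif_reassign() (the `@@ -159,6 +165,21 @@` hunk in if_gif.c) unconditionally throws away the tunnel endpoints via gif_delete_tunnel() whenever the interface changes vnet. That is a visible behaviour change for anyone who configures a gif on the host and then moves it into a jail: the `tunnel` settings are gone and must be redone inside the jail. The log explains why (the ifaddr_event_ext handler cannot follow the move), but nothing in the code or the manual pages does. Add a comment above the function stating that the tunnel configuration is deliberately cleared on vnet reassignment, and add the same sentence to gif(4), gre(4) and ipsec(4). The `new_vnet`/`unused` parameters are correctly marked `__unused` for the if_reassign signature.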
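Review bot: gre_reassign() (the `@@ -183,12 +186,30 @@` hunk in if_gre.c) tests `sc != NULL` after taking gre_ioctl_sx, but nothing near the function says when `ifp->if_softc` can be NULL; if the intent is to tolerate a concurrent gre_clone_destroy() that clears if_softc under the same lock, a one-line comment saying so would stop the check from being read as dead code, and the same applies to the identical check in gif_reassign(). Since gif and gre now carry a byte-for-byte identical reassign body apart from the softc type and delete function, consider one shared helper or a macro so the three tunnel drivers cannot drift apart.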
svn commit: r361624 - head/sys/netpfil/ipfw
Author: ae
Date: Fri May 29 10:37:42 2020
New Revision: 361624
URL: https://svnweb.freebsd.org/changeset/base/361624

Log:
  Fix O_IP_FLOW_LOOKUP opcode handling.

  Do not check table value matching when table lookup has failed.

  Reported by: Sergey Lobanov
  MFC after: 1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==
--- head/sys/netpfil/ipfw/ip_fw2.c Fri May 29 10:09:47 2020 (r361623)
+++ head/sys/netpfil/ipfw/ip_fw2.c Fri May 29 10:37:42 2020 (r361624)
@@ -2106,6 +2106,8 @@ do { \ uint32_t v = 0; match = ipfw_lookup_table(chain, cmd->arg1, 0, >f_id, ); + if (!match) + break; if (cmdlen == F_INSN_SIZE(ipfw_insn_u32)) match = ((ipfw_insn_u32 *)cmd)->d[0] == TARG_VAL(chain, v, tag);
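Review bot: the added `if (!match) break;` closes a real false positive. When ipfw_lookup_table() returned 0, `v` kept its initial value 0 and the following `cmdlen == F_INSN_SIZE(ipfw_insn_u32)` branch compared the rule's expected value against TARG_VAL(chain, 0, tag), so a rule whose expected value equals whatever tag 0 maps to matched flows that were not in the table at all. The `break` leaves the opcode `switch` with `match == 0`, which is the normal no-match path, so control flow is right. Two follow-ups: add a short comment ("lookup failed, do not compare the stale value") because the bare `break` looks redundant at first glance, and check the other table-lookup opcodes that reuse `v` after ipfw_lookup_table() for the same pattern.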
svn commit: r359498 - head/sys/netinet6
Author: ae
Date: Wed Apr 1 02:13:01 2020
New Revision: 359498
URL: https://svnweb.freebsd.org/changeset/base/359498

Log:
  Ignore ND6 neighbor advertisement received for static link-layer entries.

  Previously such NA could override manually created LLE.

  Reported by: Martin Beran
  Reviewed by: melifaro
  MFC after: 10 days

Modified:
  head/sys/netinet6/nd6_nbr.c

Modified: head/sys/netinet6/nd6_nbr.c
==
--- head/sys/netinet6/nd6_nbr.c Tue Mar 31 22:41:57 2020(r359497)
+++ head/sys/netinet6/nd6_nbr.c Wed Apr 1 02:13:01 2020(r359498)
@@ -754,6 +754,12 @@ nd6_na_input(struct mbuf *m, int off, int icmp6len) goto freeit; } + /* +* Do not try to override static entry. +*/ + if (ln->la_flags & LLE_STATIC) + goto freeit; + if (ln->ln_state == ND6_LLINFO_INCOMPLETE) { /* * If the link-layer has address, and no lladdr option came,
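Review bot: the new LLE_STATIC check fixes the override, but the drop is invisible: `goto freeit` just frees the mbuf. A neighbor advertisement that collides with a manually configured entry is precisely the event an operator wants to see (it is how a misconfigured or impersonating host on the link shows up), so count it in an ND6/ICMPv6 statistic or log it under the existing ND6 debug knob instead of only discarding it. Also confirm that the `freeit` label releases the `ln` lock on this path; the `goto freeit` in the context lines above is taken in a different state, so the hunk alone does not show that `ln` is unlocked there.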
svn commit: r359328 - head/usr.sbin/syslogd
Author: ae
Date: Thu Mar 26 12:00:26 2020
New Revision: 359328
URL: https://svnweb.freebsd.org/changeset/base/359328

Log:
  Fix typo.

  MFC after: 2 weeks

Modified:
  head/usr.sbin/syslogd/syslog.conf.5

Modified: head/usr.sbin/syslogd/syslog.conf.5
==
--- head/usr.sbin/syslogd/syslog.conf.5 Thu Mar 26 11:54:25 2020 (r359327)
+++ head/usr.sbin/syslogd/syslog.conf.5 Thu Mar 26 12:00:26 2020 (r359328)
@@ -465,7 +465,7 @@ or followed by three comma-separated fields .Em property , operator , \&"value\&" . Value must be double-quoted. A double quote and backslash must be escaped by -a blackslash. +a backslash. .Pp Following .Em properties
svn commit: r359327 - head/usr.sbin/syslogd
Author: ae
Date: Thu Mar 26 11:54:25 2020
New Revision: 359327
URL: https://svnweb.freebsd.org/changeset/base/359327

Log:
  Add property-based filters for syslogd.

  Property-based filters allow substring and regular expression (see re_format(7)) matching against various message attributes. A filter specification starts with '#:' or ':' followed by three comma-separated fields: property, operator, "value". Value must be double-quoted. A double quote and backslash must be escaped by a backslash.

  The following properties are supported as test value:
  o msg - body of the message received;
  o programname - program name that sent the message;
  o hostname - hostname of the message's originator;
  o source - an alias for hostname.

  Supported operators:
  o contains - true if filter value is found as a substring of property;
  o isequal - true if filter value is equal to property;
  o startswith - true if property starts with filter value;
  o regex - true if property matches basic regular expression defined in filter value;
  o ereregex - true if property matches extended regular expression defined in filter value.

  An operator may be prefixed by '!' to invert the compare logic or by 'icase_' to make the comparison function case insensitive.

  Submitted by: Boris N. Lytochkin
  MFC after: 2 weeks
  Relnotes: yes
  Differential Revision: https://reviews.freebsd.org/D23468

Modified:
  head/usr.sbin/syslogd/syslog.conf.5
  head/usr.sbin/syslogd/syslogd.c

Modified: head/usr.sbin/syslogd/syslog.conf.5
==
--- head/usr.sbin/syslogd/syslog.conf.5 Thu Mar 26 11:24:43 2020 (r359326)
+++ head/usr.sbin/syslogd/syslog.conf.5 Thu Mar 26 11:54:25 2020 (r359327)
@@ -28,7 +28,7 @@ .\" @(#)syslog.conf.5 8.1 (Berkeley) 6/9/93 .\" $FreeBSD$ .\" -.Dd November 1, 2016 +.Dd March 26, 2020 .Dt SYSLOG.CONF 5 .Os .Sh NAME
@@ -44,9 +44,10 @@ file is the configuration file for the program. It consists of blocks of lines separated by -.Em program -and +.Em program , .Em hostname +or +.Em property-based filter specifications (separations appear alone on their lines), with each line containing two fields: the .Em selector @@ -154,14 +155,16 @@ values specified to the library routine. .Pp Each block of lines is separated from the previous block by a -.Em program -or +.Em program , .Em hostname +or +.Em property-based filter specification. A block will only log messages corresponding to the most recent -.Em program -and +.Em program , .Em hostname +and +.Em property-based filter specifications given. Thus, with a block which selects .Ql ppp @@ -236,11 +239,24 @@ As for program specifications, multiple comma-separate values may be specified for hostname specifications. .Pp A -.Em program +.Em property-based filter +specification is a line beginning with +.Ql #: or +.Ql \&: +and the following blocks will be applied only when filter value +matches given filter propertie's value. See +.Sx PROPERTY-BASED FILTERS +section for more details. +.Pp +A +.Em program , .Em hostname -specification may be reset by giving the program or hostname as -.Ql * . +or +.Em property-based filter +specification may be reset by giving +.Ql * +as an argument. .Pp See .Xr syslog 3 
@@ -434,6 +450,78 @@ in this case preceding is removed and .Ql # is treated as an ordinary character. +.Sh PROPERTY-BASED FILTERS +.Em program , +.Em hostname +specifications performs exact match filtering against explicit field only. +.Em Property-based filters +feature substring and regular expressions (see +.Xr re_format 7 ) +matching against various message attributes. +Filter specification starts with +.Ql #: +or +.Ql \&: +followed by three comma-separated fields +.Em property , operator , \&"value\&" . +Value must be double-quoted. A double quote and backslash must be escaped by +a blackslash. +.Pp +Following +.Em properties +are supported as test value: +.Pp +.Bl -bullet -compact +.It +.Ql msg +- body of the message received. +.It +.Ql programname +- program name sent the message +.It +.Ql hostname +- hostname of message's originator +.It +.Ql source +- an alias for hostname +.El +.Pp +Operator specifies a comparison function between +.Em propertie's + value against filter's value. +Possible operators: +.Pp +.Bl -bullet -compact +.It +.Ql contains +- true if filter value is found as a substring of +.Em property +.It +.Ql isequal +- true if filter value is equal to +.Em property +.It +.Ql startswith +- true if property starts with filter value +.It +.Ql regex +- true if property matches basic regular expression defined in filter value +.It +.Ql ereregex +- true if property matches extended regular expression defined in filter value +.El +.Pp +Operator may be prefixed by +.Pp +.Bl -bullet -compact +.It +.Ql \&! +- to invert compare logic +.It +.Ql icase_ +- to make comparison function case insensitive +.El +.Pp .Sh
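Review bot: in the `@@ -236,11 +239,24 @@` hunk the line `.Ql #: or` puts `or` inside the quoted literal, because `.Ql` quotes all of its arguments, so it renders as `#: or' instead of `#:' or; split it the way the PROPERTY-BASED FILTERS section does (`.Ql #:` on one line, `or` on the next, then `.Ql \&:`). In the same hunk "filter propertie's value" should read "filter property's value".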
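Review bot: in the `@@ -434,6 +450,78 @@` hunk, "escaped by a blackslash" should be "backslash" and `.Em propertie's` should be "property's"; more importantly the new PROPERTY-BASED FILTERS section never shows a complete filter line, so a reader has to assemble one from the three-field description. Add at least one worked example after the operator list, e.g. `#:programname, isequal, "sshd"` and `:msg, !icase_contains, "debug"`, and say what `msg` contains relative to the raw datagram (the body after syslogd has stripped the priority and timestamp, or the whole line), since "body of the message received" leaves that open and it decides whether a `startswith` filter can ever match.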
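The filter semantics the log describes (a line beginning with `#:` or `:`, then property, operator and a double-quoted value, with `!` and `icase_` as operator prefixes), as an added example that is not syslogd's own code: a small Python evaluator run over constructed sample messages. It assumes Python's `re` dialect stands in for both `regex` and `ereregex`; syslogd compiles those as POSIX basic and extended expressions through regcomp(3), so a pattern that relies on BRE-only syntax will behave differently here.

```python
"""Evaluate syslogd(8) property-based filter lines as described in r359327.

Added example, not syslogd's code.  The sample messages below are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    """The attributes a filter may test; 'source' is an alias for hostname."""
    msg: str
    programname: str
    hostname: str

    def prop(self, name):
        if name == "source":
            name = "hostname"
        return getattr(self, name)


PROPERTIES = ("msg", "programname", "hostname", "source")
OPERATORS = ("contains", "isequal", "startswith", "regex", "ereregex")

# '#:' or ':' then  property , [!][icase_]operator , "value".
# The value group accepts backslash-escaped characters so \" and \\ work.
FILTER_RE = re.compile(
    r'^#?:\s*(\w+)\s*,\s*(!?\w+)\s*,\s*"((?:[^"\\]|\\.)*)"\s*$')


def parse_filter(line):
    """Return (property, negate, icase, operator, value); raise on bad input."""
    m = FILTER_RE.match(line)
    if m is None:
        raise ValueError("bad filter line: %r" % line)
    prop, op, raw = m.groups()
    if prop not in PROPERTIES:
        raise ValueError("unknown property: %s" % prop)
    value = re.sub(r'\\(["\\])', r'\1', raw)   # undo \" and \\ escapes
    negate = op.startswith("!")                # '!' inverts the result
    if negate:
        op = op[1:]
    icase = op.startswith("icase_")            # 'icase_' ignores case
    if icase:
        op = op[len("icase_"):]
    if op not in OPERATORS:
        raise ValueError("unknown operator: %s" % op)
    return prop, negate, icase, op, value


def _compare(op, prop_val, value, icase):
    if op in ("regex", "ereregex"):
        # Assumption: Python re approximates both BRE (regex) and ERE (ereregex).
        flags = re.IGNORECASE if icase else 0
        return re.search(value, prop_val, flags) is not None
    if icase:
        prop_val, value = prop_val.lower(), value.lower()
    if op == "contains":
        return value in prop_val
    if op == "isequal":
        return prop_val == value
    return prop_val.startswith(value)          # startswith


def filter_matches(line, message):
    """True if the filter line selects the message."""
    prop, negate, icase, op, value = parse_filter(line)
    return _compare(op, message.prop(prop), value, icase) != negate


# Constructed sample messages (not taken from any real log).
SAMPLES = [
    Message("Failed password for invalid user admin from 192.0.2.10 port 51234",
            "sshd", "gw1.example.org"),
    Message("session opened for user alice", "login", "ws7.example.org"),
]


def select(line, messages=SAMPLES):
    """Hostnames of the sample messages that the filter line matches."""
    return [m.hostname for m in messages if filter_matches(line, m)]


if __name__ == "__main__":
    for f in (':programname, isequal, "sshd"',
              '#:msg, icase_contains, "FAILED PASSWORD"',
              ':msg, !icase_regex, "^failed"',
              ':source, startswith, "ws"'):
        print("%-45s -> %s" % (f, select(f)))
```

`select()` returns the hostnames of the matching sample messages so the effect of each prefix is easy to compare: the `!icase_regex` line selects the message that does not start with "failed" in any case, while the plain `contains` comparison is case-sensitive exactly as the log states.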
svn commit: r359271 - head/sbin/ipfw
Author: ae
Date: Tue Mar 24 12:27:02 2020
New Revision: 359271
URL: https://svnweb.freebsd.org/changeset/base/359271

Log:
  Use IP_FW_NAT44_DESTROY opcode for IP_FW3 socket option to destroy NAT instance.

  The NAT44 group of opcodes for the IP_FW3 socket option is the modern way to control NAT instances, and this method can be used in future to switch from numeric to named NAT instances, as was done for ipfw tables. The IP_FW_NAT_DEL opcode is the last remnant of the old ipfw_ctl control plane that doesn't support versioned operations. This interface will be retired soon.

  Reviewed by: melifaro
  MFC after: 10 days
  Sponsored by: Yandex LLC

Modified:
  head/sbin/ipfw/ipfw2.c
  head/sbin/ipfw/ipfw2.h
  head/sbin/ipfw/nat.c

Modified: head/sbin/ipfw/ipfw2.c
==
--- head/sbin/ipfw/ipfw2.c Tue Mar 24 07:08:39 2020(r359270)
+++ head/sbin/ipfw/ipfw2.c Tue Mar 24 12:27:02 2020(r359271)
@@ -3328,13 +3328,7 @@ ipfw_delete(char *av[]) j = strtol(sep + 1, NULL, 10); av++; if (co.do_nat) { - exitval = do_cmd(IP_FW_NAT_DEL, , sizeof i); - if (exitval) { - exitval = EX_UNAVAILABLE; - if (co.do_quiet) - continue; - warn("nat %u not available", i); - } + exitval = ipfw_delete_nat(i); } else if (co.do_pipe) { exitval = ipfw_delete_pipe(co.do_pipe, i); } else {

Modified: head/sbin/ipfw/ipfw2.h
==
--- head/sbin/ipfw/ipfw2.h Tue Mar 24 07:08:39 2020(r359270)
+++ head/sbin/ipfw/ipfw2.h Tue Mar 24 12:27:02 2020(r359271)
@@ -387,6 +387,7 @@ extern int resvd_set_number; /* first-level command handlers */ void ipfw_add(char *av[]); void ipfw_show_nat(int ac, char **av); +int ipfw_delete_nat(int i); void ipfw_config_pipe(int ac, char **av); void ipfw_config_nat(int ac, char **av); void ipfw_sets_handler(char *av[]);

Modified: head/sbin/ipfw/nat.c
==
--- head/sbin/ipfw/nat.cTue Mar 24 07:08:39 2020(r359270)
+++ head/sbin/ipfw/nat.cTue Mar 24 12:27:02 2020(r359271)
@@ -939,6 +939,34 @@ ipfw_config_nat(int ac, char **av) } } +static void +nat_fill_ntlv(ipfw_obj_ntlv *ntlv, int i) +{ + + ntlv->head.type = IPFW_TLV_EACTION_NAME(1); /* it doesn't matter */ + ntlv->head.length = sizeof(ipfw_obj_ntlv); + ntlv->idx = 1; + ntlv->set = 0; /* not yet */ + snprintf(ntlv->name, sizeof(ntlv->name), "%d", i); +} + +int +ipfw_delete_nat(int i) +{ + ipfw_obj_header oh; + int ret; + + memset(, 0, sizeof(oh)); + nat_fill_ntlv(, i); + ret = do_set3(IP_FW_NAT44_DESTROY, , sizeof(oh)); + if (ret == -1) { + if (!co.do_quiet) + warn("nat %u not available", i); + return (EX_UNAVAILABLE); + } + return (EX_OK); +} + struct nat_list_arg { uint16_tcmd; int is_all;
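Review bot: the ipfw2.c hunk drops the `continue` that the old code executed when a NAT delete failed in quiet mode, so whatever follows the if/else chain in the loop body of ipfw_delete() now also runs for a failed delete; if that trailing code assumes the object is gone this is a behaviour change, so either confirm it is intended or keep `if (exitval != EX_OK && co.do_quiet) continue;` after the call. Note also that `exitval` is overwritten on every iteration, so with several arguments an early failure is lost when a later delete succeeds; the old code had the same weakness, but this refactor is the natural place to fix it.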
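Review bot: in nat_fill_ntlv() the comment `/* it doesn't matter */` on `ntlv->head.type = IPFW_TLV_EACTION_NAME(1)` should say why, presumably that the kernel handler for IP_FW_NAT44_DESTROY resolves the instance by `ntlv->name` alone and ignores the TLV type; if the kernel does validate the type, an eaction-name TLV is the wrong one to send, so state the contract either way. `ntlv->set = 0; /* not yet */` deserves the same treatment ("NAT instances are not set-aware yet"). In ipfw_delete_nat(), `warn("nat %u not available", i)` prints a signed `int` with `%u` and is emitted for every errno do_set3() can return, so an EPERM from an unprivileged user is reported as "not available"; use `%d` and let warn(3)'s errno text carry the real reason, or special-case the not-found errno.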
Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf
On 21.12.2019 01:14, Gleb Smirnoff wrote:
> A> > Another future feature is possiblity to create pfil heads, that provide
> A> > not an mbuf pointer but just a memory pointer with length. That would
> A> > allow filtering at very early stages of a packet lifecycle, e.g. when
> A> > packet has just been received by a NIC and no mbuf was yet allocated.
> A> It seems that this commit has changed the error code returned from
> A> ip[6]_output() when a packet is blocked. Previously it was EACCES, but
> A> now it became EPERM. Was it intentional?
>
> I don't think that was intentional. Can you please review this patch?

LGTM, thanks!

-- 
WBR, Andrey V. Elsukov
Re: svn commit: r343631 - in head: . sbin sbin/pfilctl share/man/man9 sys/contrib/ipfilter/netinet sys/net sys/netinet sys/netinet6 sys/netpfil/ipfw sys/netpfil/pf
On 01.02.2019 02:01, Gleb Smirnoff wrote:
> Author: glebius
> Date: Thu Jan 31 23:01:03 2019
> New Revision: 343631
> URL: https://svnweb.freebsd.org/changeset/base/343631
>
> Log:
>   New pfil(9) KPI together with newborn pfil API and control utility.
>
>   The KPI have been reviewed and cleansed of features that were planned
>   back 20 years ago and never implemented. The pfil(9) internals have
>   been made opaque to protocols with only returned types and function
>   declarations exposed. The KPI is made more strict, but at the same time
>   more extensible, as kernel uses same command structures that userland
>   ioctl uses.
>
>   In nutshell [KA]PI is about declaring filtering points, declaring
>   filters and linking and unlinking them together.
>
>   New [KA]PI makes it possible to reconfigure pfil(9) configuration:
>   change order of hooks, rehook filter from one filtering point to a
>   different one, disconnect a hook on output leaving it on input only,
>   prepend/append a filter to existing list of filters.
>
>   Now it possible for a single packet filter to provide multiple rulesets
>   that may be linked to different points. Think of per-interface ACLs in
>   Cisco or Juniper. None of existing packet filters yet support that,
>   however limited usage is already possible, e.g. default ruleset can
>   be moved to single interface, as soon as interface would pride their
>   filtering points.
>
>   Another future feature is possiblity to create pfil heads, that provide
>   not an mbuf pointer but just a memory pointer with length. That would
>   allow filtering at very early stages of a packet lifecycle, e.g. when
>   packet has just been received by a NIC and no mbuf was yet allocated.

It seems that this commit has changed the error code returned from
ip[6]_output() when a packet is blocked. Previously it was EACCES, but
now it became EPERM. Was it intentional?

-- 
WBR, Andrey V. Elsukov
Re: svn commit: r341578 - head/sys/dev/mlx5/mlx5_en
On 13.12.2019 17:27, Hans Petter Selasky wrote:
> On 2019-12-13 14:40, Andrey V. Elsukov wrote:
>> On 05.12.2018 17:20, Slava Shwartsman wrote:
>>> Author: slavash
>>> Date: Wed Dec 5 14:20:57 2018
>>> New Revision: 341578
>>> URL: https://svnweb.freebsd.org/changeset/base/341578
>>>
>>> Log:
>>>   mlx5en: Remove the DRBR and associated logic in the transmit path.
>>>
>>>   The hardware queues are deep enough currently and using the DRBR and associated
>>>   callbacks only leads to more task switching in the TX path. The is also a race
>>>   setting the queue_state which can lead to hung TX rings.
>>
>> JFYI. We have compared the same router+firewall workloads on the host
>> with this change and before, and I can say, that without DRBR on TX now
>> we constantly have several percents of packets drops due to ENOBUFS
>> error from mlx5e_xmit().
>>
>
> Have you tried to tune the TX/RX parameters?
>
> Especially the tx_queue_size .

We use the following settings:

% sysctl dev.mce.4.conf. | grep que
dev.mce.4.conf.rx_queue_size: 16384
dev.mce.4.conf.tx_queue_size: 16384
dev.mce.4.conf.rx_queue_size_max: 16384
dev.mce.4.conf.tx_queue_size_max: 16384

Also, previously I have patched the MLX5E_SQ_TX_QUEUE_SIZE value up to 16384.

-- 
WBR, Andrey V. Elsukov
Re: svn commit: r341578 - head/sys/dev/mlx5/mlx5_en
On 05.12.2018 17:20, Slava Shwartsman wrote:
> Author: slavash
> Date: Wed Dec 5 14:20:57 2018
> New Revision: 341578
> URL: https://svnweb.freebsd.org/changeset/base/341578
>
> Log:
>   mlx5en: Remove the DRBR and associated logic in the transmit path.
>
>   The hardware queues are deep enough currently and using the DRBR and
>   associated
>   callbacks only leads to more task switching in the TX path. The is also a
>   race
>   setting the queue_state which can lead to hung TX rings.

JFYI. We have compared the same router+firewall workloads on the host
with this change and before, and I can say, that without DRBR on TX now
we constantly have several percents of packets drops due to ENOBUFS
error from mlx5e_xmit().

-- 
WBR, Andrey V. Elsukov
svn commit: r355712 - head/sys/netpfil/ipfw
Author: ae
Date: Fri Dec 13 11:47:58 2019
New Revision: 355712
URL: https://svnweb.freebsd.org/changeset/base/355712

Log:
  Make TCP options parsing stricter.

  Rework tcpopts_parse() to be more strict. Use a const pointer. Add length checks for specific TCP options. The main purpose of the change is to avoid possible access beyond the mbuf's data.

  Reported by: Maxime Villard
  Reviewed by: melifaro, emaste
  MFC after: 1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==
--- head/sys/netpfil/ipfw/ip_fw2.c Fri Dec 13 11:21:28 2019 (r355711)
+++ head/sys/netpfil/ipfw/ip_fw2.c Fri Dec 13 11:47:58 2019 (r355712)
@@ -330,22 +330,27 @@ ipopts_match(struct ip *ip, ipfw_insn *cmd) return (flags_match(cmd, bits)); } +/* + * Parse TCP options. The logic copied from tcp_dooptions(). + */ static int -tcpopts_parse(struct tcphdr *tcp, uint16_t *mss) +tcpopts_parse(const struct tcphdr *tcp, uint16_t *mss) { - u_char *cp = (u_char *)(tcp + 1); + const u_char *cp = (const u_char *)(tcp + 1); int optlen, bits = 0; - int x = (tcp->th_off << 2) - sizeof(struct tcphdr); + int cnt = (tcp->th_off << 2) - sizeof(struct tcphdr); - for (; x > 0; x -= optlen, cp += optlen) { + for (; cnt > 0; cnt -= optlen, cp += optlen) { int opt = cp[0]; if (opt == TCPOPT_EOL) break; if (opt == TCPOPT_NOP) optlen = 1; else { + if (cnt < 2) + break; optlen = cp[1]; - if (optlen <= 0) + if (optlen < 2 || optlen > cnt) break; }
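Review bot: the new bounds handling in the option loop is right: `cnt < 2` guards the read of `cp[1]`, `optlen < 2` rejects the length-1 options that the old `optlen <= 0` test let through (they advanced by one byte and re-read the length as an option kind), and `optlen > cnt` stops before the option area ends. What the loop still trusts is `tcp->th_off`: `cnt` is derived from the header alone, so the function is only safe if the caller has pulled up `tcp->th_off << 2` bytes, not merely sizeof(struct tcphdr). Please state that precondition in the new comment block ("caller guarantees th_off*4 contiguous bytes") and double-check the PULLUP_LEN at the call sites against it. A second, smaller point: a malformed option block now ends parsing silently with a partial `bits`, so a per-chain counter for rejected option blocks would make such packets observable in ipfw statistics.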
@@ -354,22 +359,31 @@ tcpopts_parse(struct tcphdr *tcp, uint16_t *mss) break; case TCPOPT_MAXSEG: + if (optlen != TCPOLEN_MAXSEG) + break; bits |= IP_FW_TCPOPT_MSS; if (mss != NULL) *mss = be16dec(cp + 2); break; case TCPOPT_WINDOW: - bits |= IP_FW_TCPOPT_WINDOW; + if (optlen == TCPOLEN_WINDOW) + bits |= IP_FW_TCPOPT_WINDOW; break; case TCPOPT_SACK_PERMITTED: + if (optlen == TCPOLEN_SACK_PERMITTED) + bits |= IP_FW_TCPOPT_SACK; + break; + case TCPOPT_SACK: - bits |= IP_FW_TCPOPT_SACK; + if (optlen > 2 && (optlen - 2) % TCPOLEN_SACK == 0) + bits |= IP_FW_TCPOPT_SACK; break; case TCPOPT_TIMESTAMP: - bits |= IP_FW_TCPOPT_TS; + if (optlen == TCPOLEN_TIMESTAMP) + bits |= IP_FW_TCPOPT_TS; break; } }
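Review bot: the per-option length checks are consistent, with one asymmetry worth a comment: TCPOPT_MAXSEG with a wrong length breaks out before setting IP_FW_TCPOPT_MSS and leaves `*mss` untouched, so a rule that matches on MSS now treats a malformed MSS option as absent, whereas the other cases merely skip their bit. That is the safer behaviour (a truncated option can no longer feed a garbage value into an MSS comparison) but it is a semantic change for `tcpoptions mss` and `tcpmss` rules and should be mentioned in the log or ipfw(8). For TCPOPT_SACK the `optlen > 2 && (optlen - 2) % TCPOLEN_SACK == 0` test correctly rejects an empty SACK block list, which the previous code accepted unconditionally.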
svn commit: r355650 - in head/sys: modules/ipfw_nat64 netpfil/ipfw/nat64
Author: ae
Date: Thu Dec 12 13:28:46 2019
New Revision: 355650
URL: https://svnweb.freebsd.org/changeset/base/355650

Log:
  Follow RFC 4443 p2.2 and always use own addresses for reflected ICMPv6 datagrams.

  Previously the destination address from the original datagram was used. That looked confusing, especially in the traceroute6 output. Also honor the IPSTEALTH kernel option and do TTL/HLIM decrementing only when stealth mode is disabled.

  Reported by: Marco van Tol
  Reviewed by: melifaro
  MFC after: 2 weeks
  Sponsored by: Yandex LLC
  Differential Revision: https://reviews.freebsd.org/D22631

Modified:
  head/sys/modules/ipfw_nat64/Makefile
  head/sys/netpfil/ipfw/nat64/nat64_translate.c

Modified: head/sys/modules/ipfw_nat64/Makefile
==
--- head/sys/modules/ipfw_nat64/MakefileThu Dec 12 13:21:43 2019 (r355649)
+++ head/sys/modules/ipfw_nat64/MakefileThu Dec 12 13:28:46 2019 (r355650)
@@ -7,6 +7,7 @@ SRCS= ip_fw_nat64.c nat64_translate.c SRCS+= nat64clat.c nat64clat_control.c SRCS+= nat64lsn.c nat64lsn_control.c SRCS+= nat64stl.c nat64stl_control.c +SRCS+= opt_ipstealth.h CFLAGS+= -I${SRCTOP}/s
ys/contrib/ck/include

Modified: head/sys/netpfil/ipfw/nat64/nat64_translate.c
==
--- head/sys/netpfil/ipfw/nat64/nat64_translate.c Thu Dec 12 13:21:43 2019(r355649)
+++ head/sys/netpfil/ipfw/nat64/nat64_translate.c Thu Dec 12 13:28:46 2019(r355650)
@@ -29,6 +29,8 @@ #include __FBSDID("$FreeBSD$"); +#include "opt_ipstealth.h" + #include #include #include
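Review bot: adding opt_ipstealth.h to SRCS is what makes the `#include "opt_ipstealth.h"` resolve in a module build, but the consequence should be documented: when ipfw_nat64.ko is built outside a kernel build (no KERNBUILDDIR), the generated opt_ipstealth.h is empty, so the module is compiled without IPSTEALTH even when the running kernel has it, and in direct-output mode the stealth sysctls are silently ignored and TTL/HLIM is decremented anyway. A sentence in the log or in ipfw(8)'s NAT64 section saying that the module must be built together with the kernel for IPSTEALTH to be honoured would save operators a confusing traceroute.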
@@ -101,14 +103,39 @@ static const struct nat64_methods nat64_direct = { .output = nat64_direct_output, .output_one = nat64_direct_output_one }; -VNET_DEFINE_STATIC(const struct nat64_methods *, nat64out) = _netisr; -#defineV_nat64out VNET(nat64out) +/* These variables should be initialized explicitly on module loading */ +VNET_DEFINE_STATIC(const struct nat64_methods *, nat64out); +VNET_DEFINE_STATIC(const int *, nat64ipstealth); +VNET_DEFINE_STATIC(const int *, nat64ip6stealth); +#defineV_nat64out VNET(nat64out) +#defineV_nat64ipstealthVNET(nat64ipstealth) +#defineV_nat64ip6stealth VNET(nat64ip6stealth) + +static const int stealth_on = 1; +#ifndef IPSTEALTH +static const int stealth_off = 0; +#endif + void nat64_set_output_method(int direct) { - V_nat64out = direct != 0 ? _direct: _netisr; + if (direct != 0) { + V_nat64out = _direct; +#ifdef IPSTEALTH + /* Honor corresponding variables, if IPSTEALTH is defined */ + V_nat64ipstealth = _ipstealth; + V_nat64ip6stealth = _ip6stealth; +#else + /* otherwise we need to decrement HLIM/TTL for direct case */ + V_nat64ipstealth = V_nat64ip6stealth = _off; +#endif + } else { + V_nat64out = _netisr; + /* Leave TTL/HLIM decrementing to forwarding code */ + V_nat64ipstealth = V_nat64ip6stealth = _on; + } } int @@ -486,8 +513,7 @@ nat64_init_ip4hdr(const struct ip6_hdr *ip6, const str ip->ip_tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; ip->ip_len = htons(sizeof(*ip) + plen); ip->ip_ttl = ip6->ip6_hlim; - /* Forwarding code will decrement TTL for netisr based output. */ - if (V_nat64out == _direct) + if (*V_nat64ip6stealth == 0) ip->ip_ttl -= IPV6_HLIMDEC; ip->ip_sum = 0; ip->ip_p = (proto == IPPROTO_ICMPV6) ? IPPROTO_ICMP: proto; 
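Review bot: the `@@ -101,14 +103,39 @@` hunk removes the static initializer from V_nat64out and adds two pointer variables, V_nat64ipstealth and V_nat64ip6stealth, with only a comment saying they "should be initialized explicitly on module loading". Each vnet gets its own zeroed copy of a VNET_DEFINE_STATIC variable, so unless nat64_set_output_method() is guaranteed to run for every vnet before the first translated packet, `*V_nat64ip6stealth` in nat64_init_ip4hdr() (the `@@ -486` hunk) is a NULL dereference and `V_nat64out` an indirect call through NULL. Either restore default initializers (`= &nat64_netisr`, `= &stealth_on`, matching the old netisr default) or add a VNET_SYSINIT that calls nat64_set_output_method(0), and put a KASSERT on the pointers in nat64_init_ip4hdr() so the assumption is checked rather than commented.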
@@ -623,18 +649,18 @@ nat64_icmp6_reflect(struct mbuf *m, uint8_t type, uint struct icmp6_hdr *icmp6; struct ip6_hdr *ip6, *oip6; struct mbuf *n; - int len, plen; + int len, plen, proto; len = 0; - plen = nat64_getlasthdr(m, ); - if (plen < 0) { + proto = nat64_getlasthdr(m, ); + if (proto < 0) { DPRINTF(DP_DROPS, "mbuf isn't contigious"); goto freeit; } /* * Do not send ICMPv6 in reply to ICMPv6 errors. */ - if (plen == IPPROTO_ICMPV6) { + if (proto == IPPROTO_ICMPV6) { if (m->m_len < len + sizeof(*icmp6)) { DPRINTF(DP_DROPS, "mbuf isn't contigious"); goto freeit; @@ -646,6 +672,21 @@ nat64_icmp6_reflect(struct mbuf *m, uint8_t type, uint "ICMPv6 errors"); goto freeit; } + /* +* If there are extra headers between IPv6 and ICMPv6, +* strip off them. +*/ + if (len > sizeof(struct ip6_hdr)) { + /* +* NOTE: ipfw_chk already did m_pullup() and it is +
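Review bot: the `plen` to `proto` rename in nat64_icmp6_reflect() fixes a misleading variable that held the protocol number returned by nat64_getlasthdr() while being named like a length, and `if (proto == IPPROTO_ICMPV6)` now reads as intended. Two small follow-ups in the same region: the two DPRINTF strings in the context lines say "contigious" (should be "contiguous"), and since the new code strips extension headers found between the IPv6 header and ICMPv6, the NOTE that begins at the end of the hunk should spell out how many bytes ipfw_chk's m_pullup() guarantees, so a reader can verify that `len` never exceeds m_len before the strip.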
svn commit: r355581 - head/sys/netpfil/ipfw
Author: ae
Date: Tue Dec 10 10:35:32 2019
New Revision: 355581
URL: https://svnweb.freebsd.org/changeset/base/355581

Log:
  Avoid access to stale ip pointer and call UPDATE_POINTERS() after PULLUP_LEN_LOCKED().

  PULLUP_LEN_LOCKED() could update the mbuf and thus we need to update the related pointers that can be used in the next opcodes.

  Reported by: Maxime Villard
  MFC after: 1 week

Modified:
  head/sys/netpfil/ipfw/ip_fw2.c

Modified: head/sys/netpfil/ipfw/ip_fw2.c
==
--- head/sys/netpfil/ipfw/ip_fw2.c Tue Dec 10 08:16:19 2019 (r355580)
+++ head/sys/netpfil/ipfw/ip_fw2.c Tue Dec 10 10:35:32 2019 (r355581)
@@ -1465,7 +1465,8 @@ do { \ #definePULLUP_LEN(_len, p, T) _PULLUP_LOCKED(_len, p, T, ) #definePULLUP_LEN_LOCKED(_len, p, T) \ -_PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain)) +_PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain));\ +UPDATE_POINTERS() /* * In case pointers got stale after pullups, update them. */
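Review bot: PULLUP_LEN_LOCKED() now expands to two statements, `_PULLUP_LOCKED(...); UPDATE_POINTERS()`, without a `do { } while (0)` wrapper, so a use such as `if (cond) PULLUP_LEN_LOCKED(...)` would guard only the pullup and run UPDATE_POINTERS() unconditionally, and a following `else` would bind to the wrong `if`. Current callers may all be unguarded statements, but the macro should be safe on its own: `#define PULLUP_LEN_LOCKED(_len, p, T) do { _PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain)); UPDATE_POINTERS(); } while (0)`, assuming _PULLUP_LOCKED's bail-out path (the IPFW_PF_RUNLOCK argument suggests a goto/return) works inside a block. While here, PULLUP_LEN() has the same stale-pointer hazard on the unlocked path; if it is used before any opcode reads `ip`, it needs the same UPDATE_POINTERS() or a comment explaining why not.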
svn commit: r355129 - head/sys/netipsec
Author: ae
Date: Wed Nov 27 10:24:46 2019
New Revision: 355129
URL: https://svnweb.freebsd.org/changeset/base/355129

Log:
  Add support for dummy ESP packets with next header field equal to IPPROTO_NONE.

  According to RFC4303 2.6 they should be silently dropped.

  Submitted by: aurelien.cazuc.external_stormshield.eu
  MFC after: 10 days
  Sponsored by: Stormshield
  Differential Revision: https://reviews.freebsd.org/D22557

Modified:
  head/sys/netipsec/xform_esp.c

Modified: head/sys/netipsec/xform_esp.c
==
--- head/sys/netipsec/xform_esp.c Wed Nov 27 07:51:29 2019 (r355128)
+++ head/sys/netipsec/xform_esp.c Wed Nov 27 10:24:46 2019 (r355129)
@@ -614,6 +614,13 @@ esp_input_cb(struct cryptop *crp) } } + /* +* RFC4303 2.6: +* Silently drop packet if next header field is IPPROTO_NONE. +*/ + if (lastthree[2] == IPPROTO_NONE) + goto bad; + /* Trim the mbuf chain to remove trailing authenticator and padding */ m_adj(m, -(lastthree[1] + 2));
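Review bot: the check sits in the right place: `lastthree[2]` is the next-header byte, and it is only readable here because esp_input_cb() has already decrypted the trailer and verified the ICV, which is what RFC 4303 2.6 requires before a dummy packet can be recognised. Two points. `goto bad` presumably bumps the generic ESP drop counter and frees the mbuf, so legitimate traffic-flow-confidentiality dummies will show up as errors in the ESP statistics; the RFC asks for a silent discard, so either a dedicated "dummy packets" counter or the ordinary success path minus delivery would be cleaner than lumping them with corrupted packets. And the comment should say explicitly that this path is reached only for authenticated packets, so that nobody later moves the test ahead of the integrity check, where an unauthenticated sender could make packets disappear without trace.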
svn commit: r354858 - head/contrib/bsnmp/snmpd
Author: ae
Date: Tue Nov 19 16:29:47 2019
New Revision: 354858
URL: https://svnweb.freebsd.org/changeset/base/354858

Log:
  Fix the byte order of IPv4 address parsed from begemotSnmpdTransInetStatus config option.

  An address is already in network byte order, there is no need to do htonl().

  PR: 242056
  MFC after: 1 week

Modified:
  head/contrib/bsnmp/snmpd/trans_inet.c

Modified: head/contrib/bsnmp/snmpd/trans_inet.c
==
--- head/contrib/bsnmp/snmpd/trans_inet.c Tue Nov 19 15:38:55 2019 (r354857)
+++ head/contrib/bsnmp/snmpd/trans_inet.c Tue Nov 19 16:29:47 2019 (r354858)
@@ -458,12 +458,10 @@ struct inet_port_params { static int ipv4_create(struct inet_port *port, struct inet_port_params *params) { - uint32_t ip; if (params->addr_len != 4) return (SNMP_ERR_INCONS_VALUE); - memcpy(, params->addr, 4); struct port_sock *sock = calloc(1, sizeof(struct port_sock)); if (sock == NULL) return (SNMP_ERR_GENERR); @@ -477,8 +475,8 @@ ipv4_create(struct inet_port *port, struct inet_port_p sin->sin_len = sizeof(struct sockaddr_in); sin->sin_family = AF_INET; - sin->sin_addr.s_addr = htonl(ip); sin->sin_port = htons(params->port); + memcpy(>sin_addr, params->addr, 4); /* network byte order */ sock->port = port;
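Review bot: the fix matches the log: the four bytes in params->addr are already in wire order, and applying htonl() to a value assembled with memcpy byte-swapped it on little-endian hosts, so snmpd bound to the wrong address; copying straight into `sin->sin_addr` with the "network byte order" comment is clearer than the old detour through `uint32_t ip`. Two follow-ups: the IPv6 create path is not in this diff, please verify it does not perform an equivalent conversion on an already-ordered address; and the declaration `struct port_sock *sock = calloc(...)` now sits after a statement, which style(9) discourages, so moving it to the top of the function would be a cheap cleanup while here.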
svn commit: r354443 - head/sys/net
Author: ae
Date: Thu Nov 7 15:00:37 2019
New Revision: 354443
URL: https://svnweb.freebsd.org/changeset/base/354443

Log:
  Enqueue lladdr_task to update link level address of vlan, when its parent interface has changed.

  During vlan reconfiguration without destroying the interface, it is possible that the parent interface will be changed. This usually means that the link layer address of the vlan will be different. Therefore we need to update all permanent llentries associated with the vlan's addresses: NDP for IPv6 addresses and ARP for IPv4 addresses. This is done via lladdr_task execution. To avoid extra work, before execution check that the L2 address is different.

  No objection from: #network
  Obtained from: Yandex LLC
  MFC after: 1 week
  Sponsored by: Yandex LLC
  Differential Revision: https://reviews.freebsd.org/D22243

Modified:
  head/sys/net/if_vlan.c

Modified: head/sys/net/if_vlan.c
==
--- head/sys/net/if_vlan.c Thu Nov 7 14:16:55 2019(r354442)
+++ head/sys/net/if_vlan.c Thu Nov 7 15:00:37 2019(r354443)
@@ -1459,11 +1459,19 @@ vlan_config(struct ifvlan *ifv, struct ifnet *p, uint1 * Set up our interface address to reflect the underlying * physical interface's. */ - bcopy(IF_LLADDR(p), IF_LLADDR(ifp), p->if_addrlen); + TASK_INIT(>lladdr_task, 0, vlan_lladdr_fn, ifv); ((struct sockaddr_dl *)ifp->if_addr->ifa_addr)->sdl_alen = p->if_addrlen; - TASK_INIT(>lladdr_task, 0, vlan_lladdr_fn, ifv); + /* +* Do not schedule link address update if it was the same +* as previous parent's. This helps avoid updating for each +* associated llentry. +*/ + if (memcmp(IF_LLADDR(p), IF_LLADDR(ifp), p->if_addrlen) != 0) { + bcopy(IF_LLADDR(p), IF_LLADDR(ifp), p->if_addrlen); + taskqueue_enqueue(taskqueue_thread, >lladdr_task); + } /* We are ready for operation now. */ ifp->if_drv_flags |= IFF_DRV_RUNNING;
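Review bot: two issues in the vlan_config() hunk. First, TASK_INIT(&ifv->lladdr_task, ...) runs on every vlan_config() call, and the log says this path is taken when an existing vlan is reparented; if an enqueue from a previous reconfiguration is still pending, TASK_INIT() resets the task fields underneath the taskqueue. Initialise the task once where the vlan is created, or taskqueue_drain() it before re-initialising. Second, the memcmp() compares `p->if_addrlen` bytes of the vlan's current address, but sdl_alen has just been set to the new parent's length on the line above, so if a reparent changes the address length the comparison reads bytes that were never part of the old address and can wrongly conclude "unchanged". Harmless for Ethernet parents, where if_addrlen is always 6, but a `KASSERT(p->if_addrlen == ifp->if_addrlen, ...)` or comparing the old length first would make the assumption explicit.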
Re: svn commit: r354333 - in head/sys/cddl: compat/opensolaris/kern compat/opensolaris/sys contrib/opensolaris/uts/common/fs/zfs contrib/opensolaris/uts/common/fs/zfs/sys
On 04.11.2019 16:30, Andriy Gapon wrote:
> Author: avg
> Date: Mon Nov 4 13:30:37 2019
> New Revision: 354333
> URL: https://svnweb.freebsd.org/changeset/base/354333
>
> Log:
> zfs: enable SPA_PROCESS on the kernel side
>
> The purpose of this change is to group kernel threads specific to a particular ZFS pool under a kernel process. There can be many dozens of threads per pool. This change improves observability of those threads.
>
> This change consists of several subchanges:
> 1. illumos taskq_create_proc can now pass its process parameter to taskqueue. Also, use zfsproc instead of NULL for taskq_create. Caveat: zfsproc might not be initialized yet. But in that case it is still NULL, so not worse than before.

This commit probably breaks dtrace module loading:

link_elf_obj: symbol zfsproc undefined
linker_load_file: /boot/kernel/dtrace.ko - unsupported file type
KLD dtraceall.ko: depends on dtrace - not available or version mismatch
linker_load_file: /boot/kernel/dtraceall.ko - unsupported file type

Does it work for you, and is this my local problem?

-- 
WBR, Andrey V. Elsukov
Re: svn commit: r353480 - in head/sys: net netinet sys
On 13.10.2019 21:17, Michael Tuexen wrote:
> Author: tuexen
> Date: Sun Oct 13 18:17:08 2019
> New Revision: 353480
> URL: https://svnweb.freebsd.org/changeset/base/353480
>
> Log:
> Use an event handler to notify the SCTP about IP address changes instead of calling an SCTP specific function from the IP code. This is a requirement of supporting SCTP as a kernel loadable module. This patch was developed by markj@, I tweaked the SCTP related code a bit.
>
> Modified: head/sys/sys/eventhandler.h > == > --- head/sys/sys/eventhandler.h Sun Oct 13 18:03:23 2019 > (r353479) > +++ head/sys/sys/eventhandler.h Sun Oct 13 18:17:08 2019 > (r353480) > @@ -312,4 +312,9 @@ typedef void (*device_detach_fn)(void *, device_t, enu > EVENTHANDLER_DECLARE(device_attach, device_attach_fn); > EVENTHANDLER_DECLARE(device_detach, device_detach_fn); > > +/* Interface address addition and removal event */ > +struct ifaddr; > +typedef void (*rt_addrmsg_fn)(void *, struct ifaddr *, int); > +EVENTHANDLER_DECLARE(rt_addrmsg, rt_addrmsg_fn); > + > #endif /* _SYS_EVENTHANDLER_H_ */

Hi,

it looks like a duplicate of the functionality of the ifaddr_event_ext event handler.

-- 
WBR, Andrey V. Elsukov
svn commit: r353545 - head/sbin/ipfw
Author: ae
Date: Tue Oct 15 09:50:02 2019
New Revision: 353545
URL: https://svnweb.freebsd.org/changeset/base/353545

Log:
  Explicitly initialize the memory buffer used to store the O_ICMP6TYPE opcode.

  By default next_cmd() initializes only the first u32 of an opcode. The O_ICMP6TYPE opcode has an array of bit masks to store the corresponding ICMPv6 types. An opcode that precedes O_ICMP6TYPE, e.g. O_IP6_DST, can have variable length, and during opcode filling it can modify memory that will be used by the O_ICMP6TYPE opcode. Without explicit initialization this leads to the creation of a wrong opcode.

  Reported by: Boris N. Lytochkin
  Obtained from: Yandex LLC
  MFC after: 3 days

Modified:
  head/sbin/ipfw/ipv6.c

Modified: head/sbin/ipfw/ipv6.c == --- head/sbin/ipfw/ipv6.c Tue Oct 15 08:33:05 2019(r353544) +++ head/sbin/ipfw/ipv6.c Tue Oct 15 09:50:02 2019(r353545) @@ -143,6 +143,7 @@ fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av, int cb uint8_t type; CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn_icmp6)); + memset(cmd, 0, sizeof(*cmd)); while (*av) { if (*av == ',') av++;
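Review bot: memset(cmd, 0, sizeof(*cmd)) is placed after CHECK_LENGTH(), so the buffer is known to hold a full ipfw_insn_icmp6 before it is zeroed, which is the right order; but it also clears the leading ipfw_insn header (opcode, len, arg1), so the caller must set those after fill_icmp6types() returns, not before calling it, and that ordering is worth a comment at the call site. Since the log says next_cmd() initialises only the first u32, any other opcode whose fill routine assumes zeroed trailing words after a variable-length predecessor has the same latent defect and deserves the same memset.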
svn commit: r346630 - in head: sbin/ifconfig share/man/man4 sys/modules/if_gre sys/net sys/netinet sys/netinet6
Author: ae Date: Wed Apr 24 09:05:45 2019 New Revision: 346630 URL: https://svnweb.freebsd.org/changeset/base/346630 Log: Add GRE-in-UDP encapsulation support as defined in RFC8086. This GRE-in-UDP encapsulation allows the UDP source port field to be used as an entropy field for load-balancing of GRE traffic in transit networks. Also most of multiqueue network cards are able distribute incoming UDP datagrams to different NIC queues, while very little are able do this for GRE packets. When an administrator enables UDP encapsulation with command `ifconfig gre0 udpencap`, the driver creates kernel socket, that binds to tunnel source address and after udp_set_kernel_tunneling() starts receiving of all UDP packets destined to 4754 port. Each kernel socket maintains list of tunnels with different destination addresses. Thus when several tunnels use the same source address, they all handled by single socket. The IP[V6]_BINDANY socket option is used to be able bind socket to source address even if it is not yet available in the system. This may happen on system boot, when gre(4) interface is created before source address become available. The encapsulation and sending of packets is done directly from gre(4) into ip[6]_output() without using sockets. Reviewed by: eugen MFC after:1 month Relnotes: yes Differential Revision:https://reviews.freebsd.org/D19921 Modified: head/sbin/ifconfig/ifgre.c head/share/man/man4/gre.4 head/sys/modules/if_gre/Makefile head/sys/net/if_gre.c head/sys/net/if_gre.h head/sys/netinet/ip_gre.c head/sys/netinet6/ip6_gre.c Modified: head/sbin/ifconfig/ifgre.c == --- head/sbin/ifconfig/ifgre.c Wed Apr 24 06:41:52 2019(r346629) +++ head/sbin/ifconfig/ifgre.c Wed Apr 24 09:05:45 2019(r346630) 
@@ -44,15 +44,16 @@ __FBSDID("$FreeBSD$"); #include "ifconfig.h" -#defineGREBITS "\020\01ENABLE_CSUM\02ENABLE_SEQ" +#defineGREBITS "\020\01ENABLE_CSUM\02ENABLE_SEQ\03UDPENCAP" static void gre_status(int s); static void gre_status(int s) { - uint32_t opts = 0; + uint32_t opts, port; + opts = 0; ifr.ifr_data = (caddr_t) if (ioctl(s, GREGKEY, ) == 0) if (opts != 0) @@ -60,6 +61,11 @@ gre_status(int s) opts = 0; if (ioctl(s, GREGOPTS, ) != 0 || opts == 0) return; + + port = 0; + ifr.ifr_data = (caddr_t) + if (ioctl(s, GREGPORT, ) == 0 && port != 0) + printf("\tudpport: %u\n", port); printb("\toptions", opts, GREBITS); putchar('\n'); } @@ -77,6 +83,18 @@ setifgrekey(const char *val, int dummy __unused, int s } static void +setifgreport(const char *val, int dummy __unused, int s, +const struct afswtch *afp) +{ + uint32_t udpport = strtol(val, NULL, 0); + + strlcpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); + ifr.ifr_data = (caddr_t) + if (ioctl(s, GRESPORT, (caddr_t)) < 0) + warn("ioctl (set udpport)"); +} + +static void setifgreopts(const char *val, int d, int s, const struct afswtch *afp) { uint32_t opts; @@ -101,10 +119,13 @@ setifgreopts(const char *val, int d, int s, const stru static struct cmd gre_cmds[] = { DEF_CMD_ARG("grekey", setifgrekey), + DEF_CMD_ARG("udpport", setifgreport), DEF_CMD("enable_csum", GRE_ENABLE_CSUM, setifgreopts), DEF_CMD("-enable_csum",-GRE_ENABLE_CSUM,setifgreopts), DEF_CMD("enable_seq", GRE_ENABLE_SEQ, setifgreopts), DEF_CMD("-enable_seq",-GRE_ENABLE_SEQ, setifgreopts), + DEF_CMD("udpencap", GRE_UDPENCAP, setifgreopts), + DEF_CMD("-udpencap",-GRE_UDPENCAP, setifgreopts), }; static struct afswtch af_gre = { .af_name= "af_gre", Modified: head/share/man/man4/gre.4 == --- head/share/man/man4/gre.4 Wed Apr 24 06:41:52 2019(r346629) +++ head/share/man/man4/gre.4 Wed Apr 24 09:05:45 2019(r346630) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 2, 2015 +.Dd April 24, 2019 .Dt GRE 4 .Os .Sh NAME 
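Review bot: setifgreport() feeds strtol(val, NULL, 0) straight into a uint32_t and then into the GRESPORT ioctl with no syntax or range check, so a non-numeric value (parsed as 0, which this hunk treats as "disable persistence"), a negative value or one above 65535 is accepted silently on the ifconfig side; parse with strtoul() plus an end-pointer check and reject anything above 65535 with errx(), leaving the kernel's validation as the backstop rather than the only check. In gre_status() the new GREGPORT query is made only after GREGOPTS succeeded with opts != 0, which matches the intent that the port is meaningful only together with udpencap.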
@@ -89,7 +89,45 @@ A value of 0 disables the key option. Enables checksum calculation for outgoing packets. .It Ar enable_seq Enables use of sequence number field in the GRE header for outgoing packets. +.It Ar udpencap +Enables UDP-in-GRE encapsulation (see the +.Sx GRE-IN-UDP ENCAPSULATION +Section below for details). +.It Ar udpport +Set the source UDP port for outgoing packets. +A value of 0 disables the persistence of source UDP port for outgoing packets. +See the +.Sx GRE-IN-UDP ENCAPSULATION +Section below for details. .El +.Sh GRE-IN-UDP ENCAPSULATION +The +.Nm +supports GRE in UDP encapsulation as defined in RFC 8086. +A GRE in UDP tunnel offers the possibility of
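Review bot: the new udpencap entry says "Enables UDP-in-GRE encapsulation", but the feature, RFC 8086 and the GRE-IN-UDP ENCAPSULATION section it cross-references are all GRE-in-UDP; fix the wording so the option description and the section agree. "Section below" is also capitalised differently from the surrounding text in both new entries.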
Re: svn commit: r341586 - head/sys/dev/mlx5/mlx5_en
On 16.04.2019 18:26, Slava Shwartsman wrote:
> Thanks for letting us know about this regression.
> I would like to try to reproduce this issue in house.
>
> Can you please share the exact steps to reproduce it?
> - Can I reproduce the issue with B2B setup?
> - What is the route command you used to make the route between the VLANs?
> - What app are you using to generate the traffic?
>

I think this can be reproduced on a simple router, where a single mce(4) interface is used as parent for several vlan(4) interfaces. E.g.

[host1] vlan100 <--> mce0.100 [gateway] mce0.200 <--> vlan200 [host2]
        10.0.0.1     10.0.0.254         192.168.0.254   192.168.0.1

gateway: sysctl net.inet.ip.forwarding=1
host1: route add 192.168.0.0/24 10.0.0.254
host2: route add 10.0.0.0/24 192.168.0.254
ping 10.0.0.1

I.e. you need to make a setup where the ingress and egress interface is the same - mce0.

-- 
WBR, Andrey V. Elsukov
Re: svn commit: r341586 - head/sys/dev/mlx5/mlx5_en
On 05.12.2018 17:25, Slava Shwartsman wrote:
> Author: slavash
> Date: Wed Dec 5 14:25:03 2018
> New Revision: 341586
> URL: https://svnweb.freebsd.org/changeset/base/341586
>
> Log:
> mlx5en: Implement backpressure indication.
>
> The backpressure indication is implemented using an unlimited rate type of mbuf send tag. When the upper layers, typically the socket layer, have obtained such a tag, they can then query the destination driver queue for the current amount of space available in the send queue.
>
> A single mbuf send tag may be referenced multiple times and a refcount has been added to the mlx5e_priv structure to track its usage. Because the send tag resides in the mlx5e_channel structure, there is no need to wait for refcounts to reach zero until the mlx4en(4) driver is detached. The channels structure is persistent during the lifetime of the mlx5en(4) driver it belongs to and can so be accessed without any need of synchronization.
>
> The mlx5e_snd_tag structure was extended to contain a type field, because there are now two different tag types which end up in the driver which need to be distinguished.
>
> Submitted by: hselasky@
> Approved by: hselasky (mentor)
> MFC after: 1 week
> Sponsored by: Mellanox Technologies
> @@ -587,27 +609,33 @@ mlx5e_xmit(struct ifnet *ifp, struct mbuf *mb) > struct mlx5e_sq *sq; > int ret; > > - sq = mlx5e_select_queue(ifp, mb); > - if (unlikely(sq == NULL)) { > -#ifdef RATELIMIT > - /* Check for route change */ > - if (mb->m_pkthdr.snd_tag != NULL && > - mb->m_pkthdr.snd_tag->ifp != ifp) { > + if (mb->m_pkthdr.snd_tag != NULL) { > + sq = mlx5e_select_queue_by_send_tag(ifp, mb); > + if (unlikely(sq == NULL)) { > + /* Check for route change */ > + if (mb->m_pkthdr.snd_tag->ifp != ifp) { > + /* Free mbuf */ > + m_freem(mb); > + > + /* > + * Tell upper layers about route > + * change and to re-transmit this > + * packet: > + */ > + return (EAGAIN); > + }

Hi,

I just discovered something strange and found that this commit is the cause. The test system has an mlx5en 100G interface. It has two vlans: vlan500 and vlan100. Via vlan500 it receives some packet flows. Then it routes these packets into vlan100. But packets are dropped in mlx5e_xmit() with the EAGAIN error code.

# dtrace -n 'fbt::ip6_output:return {printf("%d", arg1);}'
dtrace: description 'fbt::ip6_output:return ' matched 1 probe
CPU ID FUNCTION:NAME
23 54338 ip6_output:return 35
16 54338 ip6_output:return 35
21 54338 ip6_output:return 35
22 54338 ip6_output:return 35
24 54338 ip6_output:return 35
23 54338 ip6_output:return 35
14 54338 ip6_output:return 35
^C
# dtrace -n 'fbt::mlx5e_xmit:return {printf("%d", arg1);}'
dtrace: description 'fbt::mlx5e_xmit:return ' matched 1 probe
CPU ID FUNCTION:NAME
16 69030 mlx5e_xmit:return 35
23 69030 mlx5e_xmit:return 35
26 69030 mlx5e_xmit:return 35
25 69030 mlx5e_xmit:return 35
24 69030 mlx5e_xmit:return 35
21 69030 mlx5e_xmit:return 35
26 69030 mlx5e_xmit:return 35
^C

The kernel config is GENERIC.
13.0-CURRENT #9 r345758+82f3d57(svn_head)-dirty

-- 
WBR, Andrey V. Elsukov
Re: svn commit: r346052 - head/sys/dev/usb/net
On 09.04.2019 16:54, Ganbold Tsagaankhuu wrote:
> Author: ganbold
> Date: Tue Apr 9 13:54:08 2019
> New Revision: 346052
> URL: https://svnweb.freebsd.org/changeset/base/346052
>
> Log:
> In some cases like NanoPI R1, its second USB ethernet RTL8152 (chip version URE_CHIP_VER_4C10) doesn't have a hardwired MAC address, in other words, it is all zeros. This commit fixes it by setting a random MAC address when the MAC address is all zeros.
>
> - if (sc->sc_chip & URE_CHIP_VER_4C00) > + if ((sc->sc_chip & URE_CHIP_VER_4C00) || > + (sc->sc_chip & URE_CHIP_VER_4C10)) > ure_read_mem(sc, URE_PLA_IDR, URE_MCU_TYPE_PLA, > ue->ue_eaddr, 8); > else > ure_read_mem(sc, URE_PLA_BACKUP, URE_MCU_TYPE_PLA, > ue->ue_eaddr, 8); > + > + if (ETHER_IS_ZERO(sc->sc_ue.ue_eaddr)) { > + device_printf(sc->sc_ue.ue_dev, "MAC assigned randomly\n"); > + arc4rand(sc->sc_ue.ue_eaddr, ETHER_ADDR_LEN, 0); > + sc->sc_ue.ue_eaddr[0] &= ~0x01; /* unicast */ > + sc->sc_ue.ue_eaddr[0] |= 0x02; /* locally administered */ > + } > }

Hi,

there is an ether_fakeaddr() function that is used for such purpose. Maybe it is better to use it? Look at this commit: https://svnweb.freebsd.org/base?view=revision&revision=345139

-- 
WBR, Andrey V. Elsukov
svn commit: r345985 - head/libexec/rc
Author: ae
Date: Sat Apr 6 17:21:05 2019
New Revision: 345985
URL: https://svnweb.freebsd.org/changeset/base/345985

Log:
  Add firewall_[nat64|nptv6|pmod]_enable variables to /etc/defaults/rc.conf

  Reported by: Andrey Fesenko
  X-MFC after: r345450

Modified:
  head/libexec/rc/rc.conf

Modified: head/libexec/rc/rc.conf == --- head/libexec/rc/rc.conf Sat Apr 6 11:24:43 2019(r345984) +++ head/libexec/rc/rc.conf Sat Apr 6 17:21:05 2019(r345985) @@ -178,6 +178,9 @@ firewall_nologports="135-139,445 1026,1027 1433,1434" firewall_nat_enable="NO" # Enable kernel NAT (if firewall_enable == YES) firewall_nat_interface="" # Public interface or IPaddress to use firewall_nat_flags="" # Additional configuration parameters +firewall_nat64_enable="NO" # Enable kernel NAT64 module. +firewall_nptv6_enable="NO" # Enable kernel NPTv6 module. +firewall_pmod_enable="NO" # Enable kernel protocols modification module. dummynet_enable="NO" # Load the dummynet(4) module ipfw_netflow_enable="NO" # Enable netflow logging via ng_netflow ip_portrange_first="NO"# Set first dynamically allocated port
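Review bot: the three new variables are commented as "Enable kernel NAT64 module" and so on, but unlike firewall_nat_enable directly above them they do not say that they only take effect when firewall_enable is YES; add that qualifier so the defaults file documents the dependency the same way for every ipfw module, and make sure rc.conf(5) gains matching entries for firewall_nat64_enable, firewall_nptv6_enable and firewall_pmod_enable.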
svn commit: r345843 - head/contrib/bsnmp/lib
Author: ae Date: Wed Apr 3 12:47:49 2019 New Revision: 345843 URL: https://svnweb.freebsd.org/changeset/base/345843 Log: Follow the declared behaviour that specifies server string format in bsnmpclient(3). snmp_parse_server() function accepts string where some fields can be omitted: [trans::][community@][server][:port] "trans" field can be "udp", "udp6", "dgram" and "stream". "community" can be empty string, if it is omitted, the default value will be used. For read_community it is "public", for write_comminity it is "private". "server" field can be hostname, IPv4 address or IPv6 address. IPv6 address should be specified in brackets "[]". If port is omitted, the default value "snmp" will be used for "udp" and "udp6" transports. So, now for bsnmpget(1) and bsnmwalk(1) it is not required to specify all fields in argument of '-s' option. E.g. # bsnmpget -s 127.1 sysName.0 # bsnmpget -s "udp::127.1" sysName.0 # bsnmpget -s "udp::public@127.1" sysName.0 # bsnmpget -s "udp::public@127.1:161" sysName.0 # bsnmpget -s "udp::[::1]" sysName.0 # bsnmpget -s "udp6::[::1]" sysName.0 # bsnmpget -s "[fe80::1%lo0]" sysName.0 PR: 236664 Reported by: olivier MFC after:1 month Modified: head/contrib/bsnmp/lib/snmpclient.c Modified: head/contrib/bsnmp/lib/snmpclient.c == --- head/contrib/bsnmp/lib/snmpclient.c Wed Apr 3 08:22:58 2019 (r345842) +++ head/contrib/bsnmp/lib/snmpclient.c Wed Apr 3 12:47:49 2019 (r345843) 
@@ -1874,38 +1874,47 @@ snmp_client_set_port(struct snmp_client *cl, const cha return (0); } +static const char *const trans_list[] = { + [SNMP_TRANS_UDP]= "udp::", + [SNMP_TRANS_LOC_DGRAM] = "dgram::", + [SNMP_TRANS_LOC_STREAM] = "stream::", + [SNMP_TRANS_UDP6] = "udp6::", +}; + /** * Try to get a transport identifier which is a leading alphanumeric string - * (starting with '_' or a letter and including also '_') terminated by - * a double colon. The string may not be empty. The transport identifier - * is optional. + * terminated by a double colon. The string may not be empty. The transport + * identifier is optional. * * \param sc client struct to set errors * \param strp possible start of transport; updated to point to * the next character to parse * - * \return end of transport; equals *strp if there is none; NULL if there - * was an error + * \return transport identifier */ -static inline const char * +static inline int get_transp(struct snmp_client *sc, const char **strp) { - const char *p = *strp; + const char *p; + size_t i; - if (isascii(*p) && (isalpha(*p) || *p == '_')) { - p++; - while (isascii(*p) && (isalnum(*p) || *p == '_')) - p++; - if (p[0] == ':' && p[1] == ':') { - *strp = p + 2; - return (p); + for (i = 0; i < nitems(trans_list); i++) { + if (trans_list[i] == NULL || *trans_list[i] == '\0') + continue; + p = strstr(*strp, trans_list[i]); + if (p == *strp) { + *strp += strlen(trans_list[i]); + return ((int)i); } } + + p = *strp; if (p[0] == ':' && p[1] == ':') { seterr(sc, "empty transport specifier"); - return (NULL); + return (-1); } - return (*strp); + /* by default assume UDP */ + return (SNMP_TRANS_UDP); } /** 
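Review bot: get_transp() uses strstr() to look for each trans_list[] entry anywhere in the string and then tests whether the hit is at *strp; strncmp(*strp, trans_list[i], strlen(trans_list[i])) == 0 states the intended prefix match directly and avoids scanning the whole server string (community, host and IPv6 literal included) once per entry. The `trans_list[i] == NULL || *trans_list[i] == '\0'` guard is dead for the array as initialised. Returning SNMP_TRANS_UDP when no transport is present also leaves the caller unable to tell "udp::" from "absent" by return value, so it has to compare pointers instead; a distinct sentinel (or an SNMP_TRANS_AUTO value) would make the contract explicit, and the "\return transport identifier" doc comment should mention the -1 error case.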
@@ -2143,24 +2152,13 @@ save_str(struct snmp_client *sc, const char *const s[2 int snmp_parse_server(struct snmp_client *sc, const char *str) { -#if DEBUG_PARSE const char *const orig = str; -#endif - - const char *const trans_list[] = { - [SNMP_TRANS_UDP]= "udp", - [SNMP_TRANS_LOC_DGRAM] = "dgram", - [SNMP_TRANS_LOC_STREAM] = "stream", - [SNMP_TRANS_UDP6] = "udp6", - }; - /* parse input */ - const char *const transp[2] = { - str, - get_transp(sc, ), - }; - if (transp[1] == NULL) + int i, trans = get_transp(sc, ); + if (trans < 0) return (-1); + /* choose automatically */ + i = orig == str ? -1: trans; const char *const comm[2] = { str, @@ -2206,7 +2204,7 @@ snmp_parse_server(struct snmp_client *sc, const char * } #if DEBUG_PARSE - printf("transp: %zu %zu\n", transp[0] - orig, transp[1] - orig); + printf("transp: %u\n", trans); printf("comm: %zu %zu\n", comm[0] - orig, comm[1] - orig); printf("ipv6: %zu %zu\n", ipv6[0] - orig, ipv6[1] - orig); printf("ipv4: %zu %zu\n", ipv4[0] - orig,
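Review bot: `i = orig == str ? -1: trans;` is the only place the "choose automatically" case is detected, and it depends on get_transp() not advancing str when nothing matched, which together with the `/* by default assume UDP */` return in get_transp() is easy to break on a later edit; detect the absent-transport case inside get_transp() and return it explicitly. In the DEBUG_PARSE block `printf("transp: %u\n", trans)` prints an int with %u; use %d.

As an added example (not bsnmp's own code): a standalone C parser for the `[trans::][community@][server][:port]` server string described in this log message, applying the defaults it lists (udp transport, "public" community, port "snmp" for the UDP transports) and rejecting an empty or unknown transport. The type and function names are assumptions, as is the rule that a candidate transport must be a bare lowercase word immediately followed by "::".

```c
#include <string.h>

enum snmp_trans { TR_UDP, TR_UDP6, TR_DGRAM, TR_STREAM };

struct snmp_target {
	enum snmp_trans trans;
	char community[64], host[128], port[16];
};

static const struct { const char *name; enum snmp_trans trans; } trans_tab[] = {
	{ "udp", TR_UDP }, { "udp6", TR_UDP6 }, { "dgram", TR_DGRAM }, { "stream", TR_STREAM },
};
#define	NTRANS	(sizeof(trans_tab) / sizeof(trans_tab[0]))
#define	WORDCH	"abcdefghijklmnopqrstuvwxyz0123456789"	/* characters of a transport name */

/* Copy [b, e) into dst as a C string; fail rather than truncate. */
static int copy_field(char *dst, size_t cap, const char *b, const char *e)
{
	size_t n = (size_t)(e - b);
	if (n >= cap)
		return (-1);
	memcpy(dst, b, n);
	dst[n] = '\0';
	return (0);
}

/*
 * Parse "[trans::][community@][server][:port]" into *out with the defaults the
 * log message lists: udp transport, "public" community, port "snmp" for udp/udp6.
 * Returns 0 on success, -1 if the string is malformed (assumed error contract).
 */
int parse_server(const char *str, struct snmp_target *out)
{
	const char *p = str, *sep;
	size_t i, n;

	memset(out, 0, sizeof(*out));
	out->trans = TR_UDP;
	strcpy(out->community, "public");

	/* Optional transport: a bare lowercase word immediately followed by "::". */
	sep = strstr(p, "::");
	if (sep == p)
		return (-1);			/* "::host": empty transport specifier */
	n = sep != NULL ? (size_t)(sep - p) : 0;
	if (n > 0 && strspn(p, WORDCH) == n) {
		for (i = 0; i < NTRANS; i++)
			if (strlen(trans_tab[i].name) == n &&
			    strncmp(p, trans_tab[i].name, n) == 0)
				break;
		if (i == NTRANS)
			return (-1);		/* unknown transport name */
		out->trans = trans_tab[i].trans;
		p = sep + 2;
	}

	/* Optional community: everything up to '@', possibly empty. */
	if ((sep = strchr(p, '@')) != NULL) {
		if (copy_field(out->community, sizeof(out->community), p, sep))
			return (-1);
		p = sep + 1;
	}

	/* Server: "[v6addr]" (zone id allowed inside) or a bare name/IPv4 literal. */
	if (*p == '[') {
		if ((sep = strchr(p, ']')) == NULL || sep == p + 1 ||
		    copy_field(out->host, sizeof(out->host), p + 1, sep))
			return (-1);
		p = sep + 1;
	} else {
		if ((sep = strchr(p, ':')) == NULL)
			sep = p + strlen(p);
		if (copy_field(out->host, sizeof(out->host), p, sep))
			return (-1);
		p = sep;
	}

	/* Optional ":port"; anything else left over is an error. */
	if (*p == ':') {
		if (p[1] == '\0' ||
		    copy_field(out->port, sizeof(out->port), p + 1, p + strlen(p)))
			return (-1);
	} else if (*p != '\0') {
		return (-1);
	} else if (out->trans == TR_UDP || out->trans == TR_UDP6) {
		strcpy(out->port, "snmp");	/* default service for the UDP transports */
	}
	return (0);
}

/* Test helper: 1 if str parses to exactly these fields, 0 otherwise. */
int check_server(const char *str, enum snmp_trans trans, const char *comm,
    const char *host, const char *port)
{
	struct snmp_target t;
	return (parse_server(str, &t) == 0 && t.trans == trans &&
	    strcmp(t.community, comm) == 0 && strcmp(t.host, host) == 0 &&
	    strcmp(t.port, port) == 0);
}
```

The inputs in the test below are the forms the log message lists for bsnmpget(1); an unbracketed IPv6 literal such as "::1" is rejected as an empty transport, matching the "empty transport specifier" error in the hunk.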
Re: svn commit: r345797 - in head: contrib/bsnmp/gensnmptree contrib/bsnmp/lib contrib/bsnmp/snmpd lib/libbsnmp/libbsnmp usr.sbin/bsnmpd/bsnmpd
On 02.04.2019 16:40, Baptiste Daroussin wrote:
>> URL: https://svnweb.freebsd.org/changeset/base/345797
>>
>> Log:
>> Add IPv6 transport for bsnmp.
>>
>> This patch adds a new table begemotSnmpdTransInetTable that uses the InetAddressType textual convention and can be used to create listening ports for IPv4, IPv6, zoned IPv6 and based on DNS names. It also supports future extension beyond UDP by adding a protocol identifier to the table index. In order to support this gensnmptree had to be modified.
>>
>> Submitted by: harti
>> MFC after: 1 month
>> Relnotes: yes
>> Differential Revision: https://reviews.freebsd.org/D16654
>>
> Jumping in this commit, maybe it is time to move bsnmpd out of contrib, given that all the dev appears to only be in our own source tree right?

I think it is better to ask harti@

-- 
WBR, Andrey V. Elsukov
svn commit: r345798 - head/contrib/bsnmp/snmp_mibII
Author: ae Date: Tue Apr 2 13:38:00 2019 New Revision: 345798 URL: https://svnweb.freebsd.org/changeset/base/345798 Log: Create 64bit mibII counters for all interfaces. PR: 157015 Obtained from:Yandex LLC MFC after:1 month Modified: head/contrib/bsnmp/snmp_mibII/mibII_interfaces.c Modified: head/contrib/bsnmp/snmp_mibII/mibII_interfaces.c == --- head/contrib/bsnmp/snmp_mibII/mibII_interfaces.cTue Apr 2 12:50:01 2019(r345797) +++ head/contrib/bsnmp/snmp_mibII/mibII_interfaces.cTue Apr 2 13:38:00 2019(r345798) @@ -373,11 +373,6 @@ op_ifxtable(struct snmp_context *ctx, struct snmp_valu switch (op) { - again: - if (op != SNMP_OP_GETNEXT) - return (SNMP_ERR_NOSUCHNAME); - /* FALLTHROUGH */ - case SNMP_OP_GETNEXT: if ((ifp = NEXT_OBJECT_INT(_list, >var, sub)) == NULL) return (SNMP_ERR_NOSUCHNAME); 
@@ -460,52 +455,36 @@ op_ifxtable(struct snmp_context *ctx, struct snmp_valu break; case LEAF_ifHCInOctets: - if (!(ifp->flags & MIBIF_HIGHSPEED)) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_inoctets; break; case LEAF_ifHCInUcastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_ipackets - MIBIF_PRIV(ifp)->hc_imcasts; break; case LEAF_ifHCInMulticastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_imcasts; break; case LEAF_ifHCInBroadcastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = 0; break; case LEAF_ifHCOutOctets: - if (!(ifp->flags & MIBIF_HIGHSPEED)) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_outoctets; break; case LEAF_ifHCOutUcastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_opackets - MIBIF_PRIV(ifp)->hc_omcasts; break; case LEAF_ifHCOutMulticastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_omcasts; break; case LEAF_ifHCOutBroadcastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = 0; break;
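Review bot: with the `again:` label and every `goto again` removed, an ifHC* leaf is now answered for every interface instead of being skipped (GETNEXT) or refused with SNMP_ERR_NOSUCHNAME (GET) when MIBIF_HIGHSPEED/MIBIF_VERYHIGHSPEED is not set, which is the stated aim of PR 157015; the part not visible here is whether the hc_* fields in MIBIF_PRIV(ifp) are actually refreshed for every interface rather than only for high-speed ones, otherwise low-speed interfaces would now report stale or zero 64-bit counters. Confirm that, and mention in the log that GET (not just GETNEXT) behaviour changes for these leaves.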
svn commit: r345797 - in head: contrib/bsnmp/gensnmptree contrib/bsnmp/lib contrib/bsnmp/snmpd lib/libbsnmp/libbsnmp usr.sbin/bsnmpd/bsnmpd
Author: ae Date: Tue Apr 2 12:50:01 2019 New Revision: 345797 URL: https://svnweb.freebsd.org/changeset/base/345797 Log: Add IPv6 transport for bsnmp. This patch adds a new table begemotSnmpdTransInetTable that uses the InetAddressType textual convention and can be used to create listening ports for IPv4, IPv6, zoned IPv6 and based on DNS names. It also supports future extension beyond UDP by adding a protocol identifier to the table index. In order to support this gensnmptree had to be modified. Submitted by: harti MFC after: 1 month Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16654 Added: head/contrib/bsnmp/snmpd/trans_inet.c head/contrib/bsnmp/snmpd/trans_inet.h Modified: head/contrib/bsnmp/gensnmptree/gensnmptree.1 head/contrib/bsnmp/gensnmptree/gensnmptree.c head/contrib/bsnmp/lib/snmpclient.c head/contrib/bsnmp/lib/snmpclient.h head/contrib/bsnmp/lib/tc.def head/contrib/bsnmp/snmpd/BEGEMOT-SNMPD.txt head/contrib/bsnmp/snmpd/main.c head/contrib/bsnmp/snmpd/snmpd.config head/contrib/bsnmp/snmpd/snmpd.h head/contrib/bsnmp/snmpd/snmpmod.h head/contrib/bsnmp/snmpd/trans_lsock.c head/contrib/bsnmp/snmpd/trans_udp.c head/contrib/bsnmp/snmpd/tree.def head/lib/libbsnmp/libbsnmp/Makefile head/usr.sbin/bsnmpd/bsnmpd/Makefile head/usr.sbin/bsnmpd/bsnmpd/snmpd.config Modified: head/contrib/bsnmp/gensnmptree/gensnmptree.1 == --- head/contrib/bsnmp/gensnmptree/gensnmptree.1Tue Apr 2 12:02:35 2019(r345796) +++ head/contrib/bsnmp/gensnmptree/gensnmptree.1Tue Apr 2 12:50:01 2019(r345797) @@ -31,7 +31,7 @@ .\" .\" $Begemot: gensnmptree.1 383 2006-05-30 07:40:49Z brandt_h $ .\" -.Dd June 29, 2018 +.Dd April 2, 2019 .Dt GENSNMPTREE 1 .Os .Sh NAME 
@@ -100,25 +100,11 @@ is the length of the OID. is the last component of the OID. .El .It Fl F -Together with -.Fl E -causes -.Nm -instead of the generation of enum definitions the generation of -functions for checking a value to be one of the enumeration variants and -for conversion between strings and the enum. The file is sent to standard -output and is meant to be included into a C-file for compilation. +emit definitions for C-functions includeable in a C-file that do some basic +stuff on enums like value checking and conversion between value and strings. .It Fl f -This flag can be used together with -.Fl E -or when generating the tree files. It causes -.Nm -to emit static inline functions for checking a value to be one of the -enumeration values and for conversion between strings and the enum. -If used when generating the tree files, the preprocessor symbol -.Ar SNMPTREE_TYPES -must be defined when including the tree header file for these definitions -to become visible. +emit definitions for inline C-functions that do some basic +stuff on enums like value checking and conversion between value and strings. .It Fl h Print a short help page. .It Fl I Ar directory 
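Review bot: the replacement text for -F and -f reads "includeable" (should be "includable"), starts mid-sentence with a lowercase "emit", and the two descriptions are now near-duplicates that no longer say how -F interacts with -E or that the inline functions in the tree header are only visible when SNMPTREE_TYPES is defined, both of which the deleted text stated. Unless that behaviour itself changed in this commit, keep those sentences.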
@@ -136,36 +122,6 @@ Instead of normal output print the resulting tree. Prefix the file names and the table name with .Ar prefix . .El -.Pp -The following functions are generated by -.Fl f -or -.Fl F : -.Pp -.Ft static inline int -.Fn isok_EnumName "enum EnumName" ; -.Pp -.Ft static inline const char * -.Fn tostr_EnumName "enum EnumName" ; -.Pp -.Ft static inline int -.Fn fromstr_EnumName "const char *" "enum EnumName *" ; -.Pp -The -.Fa EnumName -is replaced with the enumeration name. -.Fn isok_EnumName -returns 1 if the argument is one of the valid enum values and 0 otherwise. -.Fn tostr_EnumName -returns a string representation of the enumeration value. -If the values is not one of the legal values -.Ar EnumName??? -is returned. -.Fn fromstr_EnumName -returns 1 if the string represents one of the legal enumeration values and -0 otherwise. -If 1 is return the variable pointed to by the second argument is set to -the enumeration value. .Sh MIBS The syntax of the MIB description file can formally be specified as follows: .Bd -unfilled -offset indent Modified: head/contrib/bsnmp/gensnmptree/gensnmptree.c == --- head/contrib/bsnmp/gensnmptree/gensnmptree.cTue Apr 2 12:02:35 2019(r345796) +++ head/contrib/bsnmp/gensnmptree/gensnmptree.cTue Apr 2 12:50:01 2019(r345797) @@ -110,7 +110,6 @@ static int debug; static const char usgtxt[] = "\ Generate SNMP tables.\n\ -$Id$\n\ usage: gensnmptree [-dEeFfhlt] [-I directory] [-i infile] [-p prefix]\n\ [name]...\n\ options:\n\ @@ -127,6 +126,37 @@ options:\n\ -t generate a .def file\n\ "; +/** + * Program operation. + */ +enum op { + /** generate the tree */ + OP_GEN, + + /** extract OIDs */ + OP_EXTRACT, + + /** print the parsed tree */ + OP_TREE, + + /** extract
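Review bot: the deleted paragraph documenting isok_EnumName(), tostr_EnumName() and fromstr_EnumName() (their signatures, return values and the "EnumName???" fallback string) was the only description of what -f/-F generate; if the generated functions still exist, this text should be moved or reworded rather than removed, since the new -F/-f entries only say "value checking and conversion". Dropping the `$Id$` line from usgtxt is fine.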
svn commit: r345763 - head/contrib/bsnmp/snmpd
Author: ae
Date: Mon Apr 1 12:14:45 2019
New Revision: 345763
URL: https://svnweb.freebsd.org/changeset/base/345763

Log:
  Correct a port number assignment.

  PR: 236930
  MFC after: 1 week

Modified:
  head/contrib/bsnmp/snmpd/trap.c

Modified: head/contrib/bsnmp/snmpd/trap.c == --- head/contrib/bsnmp/snmpd/trap.c Mon Apr 1 10:51:24 2019 (r345762) +++ head/contrib/bsnmp/snmpd/trap.c Mon Apr 1 12:14:45 2019 (r345763) @@ -726,8 +726,7 @@ target_activate_address(struct target_address *addrs) sa.sin_addr.s_addr = htonl((addrs->address[0] << 24) | (addrs->address[1] << 16) | (addrs->address[2] << 8) | (addrs->address[3] << 0)); - sa.sin_port = htons(addrs->address[4]) << 8 | -htons(addrs->address[5]) << 0; + sa.sin_port = htons(addrs->address[4] << 8 | addrs->address[5]); if (connect(addrs->socket, (struct sockaddr *), sa.sin_len) == -1) { syslog(LOG_ERR, "connect(%s,%u): %m",
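Review bot: the corrected line is right for byte-sized address[] elements (both operands are promoted to int, the shift-or builds the host-order port, htons() converts it once), whereas the old code byte-swapped each octet separately and then shifted, producing garbage on little-endian hosts; parenthesising as `htons((addrs->address[4] << 8) | addrs->address[5])` would make the precedence explicit, consistent with the sin_addr line directly above it, and a short log line saying what was wrong (port bytes swapped) would help anyone reading the history of PR 236930.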
svn commit: r351214 - head/sys/kern
Author: ae
Date: Mon Aug 19 12:42:03 2019
New Revision: 351214
URL: https://svnweb.freebsd.org/changeset/base/351214

Log:
  Use TAILQ_FOREACH_SAFE() macro to avoid use after free in soclose().

  PR: 239893
  MFC after: 1 week

Modified:
  head/sys/kern/uipc_socket.c

Modified: head/sys/kern/uipc_socket.c == --- head/sys/kern/uipc_socket.c Mon Aug 19 11:18:36 2019(r351213) +++ head/sys/kern/uipc_socket.c Mon Aug 19 12:42:03 2019(r351214) @@ -1131,9 +1131,9 @@ drop: so->so_state |= SS_NOFDREF; sorele(so); if (listening) { - struct socket *sp; + struct socket *sp, *tsp; - TAILQ_FOREACH(sp, , so_list) { + TAILQ_FOREACH_SAFE(sp, , so_list, tsp) { SOCK_LOCK(sp); if (sp->so_count == 0) { SOCK_UNLOCK(sp);
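Review bot: TAILQ_FOREACH_SAFE() only protects against the current element sp being unlinked or freed inside the loop body; it does nothing for the saved successor tsp. That is sufficient only if the lock protecting this list is held for the whole loop and the per-element SOCK_LOCK(sp) path never drops it; if anything in the body can release that lock, another thread could free tsp between iterations and the use-after-free from PR 239893 would move rather than disappear. A comment naming the lock relied upon would make the reasoning checkable.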
svn commit: r351071 - head/sys/netpfil/ipfw
Author: ae
Date: Thu Aug 15 13:44:33 2019
New Revision: 351071
URL: https://svnweb.freebsd.org/changeset/base/351071

Log:
  Fix rule truncation on external action module unloading.

  Obtained from: Yandex LLC
  MFC after: 1 week
  Sponsored by: Yandex LLC

Modified:
  head/sys/netpfil/ipfw/ip_fw_eaction.c

Modified: head/sys/netpfil/ipfw/ip_fw_eaction.c == --- head/sys/netpfil/ipfw/ip_fw_eaction.c Thu Aug 15 13:27:57 2019 (r351070) +++ head/sys/netpfil/ipfw/ip_fw_eaction.c Thu Aug 15 13:44:33 2019 (r351071) @@ -391,19 +391,19 @@ ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_f cmd->arg1 != eaction_id) return (0); /* -* If instance_id is specified, we need to truncate the -* rule length. Check if there is O_EXTERNAL_INSTANCE opcode. +* Check if there is O_EXTERNAL_INSTANCE opcode, we need +* to truncate the rule length. * * NOTE: F_LEN(cmd) must be 1 for O_EXTERNAL_ACTION opcode, * and rule length should be enough to keep O_EXTERNAL_INSTANCE * opcode, thus we do check for l > 1. */ l = rule->cmd + rule->cmd_len - cmd; - if (instance_id != 0 && l > 1) { + if (l > 1) { MPASS(F_LEN(cmd) == 1); icmd = cmd + 1; - if (icmd->opcode != O_EXTERNAL_INSTANCE || - icmd->arg1 != instance_id) + if (icmd->opcode == O_EXTERNAL_INSTANCE && + instance_id != 0 && icmd->arg1 != instance_id) return (0); /* * Since named_object related to this instance will be
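Review bot: after this change the code past the `if` (the truncation the comment describes) runs whenever l > 1, including when the opcode following O_EXTERNAL_ACTION is something other than O_EXTERNAL_INSTANCE; the only early return left is for a non-matching instance id. The comment says the rule length "should be enough to keep O_EXTERNAL_INSTANCE opcode", but nothing in the hunk checks icmd->opcode before truncating in that case, so if an external action without an instance can ever be followed by another opcode it would now be cut off. Guarding the truncation with an explicit `icmd->opcode == O_EXTERNAL_INSTANCE` test (or an MPASS on it) would turn the assumed invariant into an enforced one.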
svn commit: r350974 - head/sys/netinet
Author: ae
Date: Tue Aug 13 12:47:53 2019
New Revision: 350974
URL: https://svnweb.freebsd.org/changeset/base/350974

Log:
  Save the ip_ttl value and restore it after checksum calculation.

  Since ipovly is used for checksum calculation, part of the original IP header is zeroed. This part includes the ip_ttl field, which can be used later in IP_MINTTL socket option handling.

  PR: 239799
  MFC after: 1 week

Modified:
  head/sys/netinet/tcp_input.c

Modified: head/sys/netinet/tcp_input.c == --- head/sys/netinet/tcp_input.cTue Aug 13 12:41:15 2019 (r350973) +++ head/sys/netinet/tcp_input.cTue Aug 13 12:47:53 2019 (r350974) @@ -554,6 +554,7 @@ tcp_input(struct mbuf **mp, int *offp, int proto) int optlen = 0; #ifdef INET int len; + uint8_t ipttl; #endif int tlen = 0, off; int drop_hdrlen; @@ -676,6 +677,7 @@ tcp_input(struct mbuf **mp, int *offp, int proto) * Checksum extended TCP header and data. */ len = off0 + tlen; + ipttl = ip->ip_ttl; bzero(ipov->ih_x1, sizeof(ipov->ih_x1)); ipov->ih_len = htons(tlen); th->th_sum = in_cksum(m, len); @@ -684,6 +686,7 @@ tcp_input(struct mbuf **mp, int *offp, int proto) /* Reset TOS bits */ ip->ip_tos = iptos; /* Re-initialization for later version check */ + ip->ip_ttl = ipttl; ip->ip_v = IPVERSION; ip->ip_hl = off0 >> 2; }
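Review bot: saving ip_ttl before bzero(ipov->ih_x1, ...) and restoring it next to ip_tos, ip_v and ip_hl follows the pattern already used for iptos, and the declaration is correctly confined to #ifdef INET since the overlay checksum path is IPv4-only. The underlying hazard remains, though: the bzero clears every header byte that ih_x1 overlays, and each consumer of one of those bytes later in tcp_input() (IP_MINTTL today, something else tomorrow) needs its own save/restore. Saving the whole ih_x1 region once and copying it back after in_cksum() would close the class of bug instead of this instance, and the comment "Re-initialization for later version check" should be updated now that it also covers ttl.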
svn commit: r350816 - head/sys/netipsec
Author: ae Date: Fri Aug 9 08:58:09 2019 New Revision: 350816 URL: https://svnweb.freebsd.org/changeset/base/350816 Log: Add missing new line in several log messages. PR: 239694 MFC after:1 week Modified: head/sys/netipsec/key.c Modified: head/sys/netipsec/key.c == --- head/sys/netipsec/key.c Fri Aug 9 05:18:59 2019(r350815) +++ head/sys/netipsec/key.c Fri Aug 9 08:58:09 2019(r350816) @@ -284,7 +284,7 @@ key_addrprotohash(const union sockaddr_union *src, #endif default: hval = 0; - ipseclog((LOG_DEBUG, "%s: unknown address family %d", + ipseclog((LOG_DEBUG, "%s: unknown address family %d\n", __func__, dst->sa.sa_family)); } return (hval); @@ -2039,8 +2039,8 @@ key_spdadd(struct socket *so, struct mbuf *m, const st key_freesp(); } else { key_freesp(); - ipseclog((LOG_DEBUG, "%s: a SP entry exists already.", - __func__)); + ipseclog((LOG_DEBUG, + "%s: a SP entry exists already.\n", __func__)); return (key_senderror(so, m, EEXIST)); } } @@ -5409,7 +5409,7 @@ key_update(struct socket *so, struct mbuf *m, const st } /* saidx should match with SA. */ if (key_cmpsaidx(>sah->saidx, , CMP_MODE_REQID) == 0) { - ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u", + ipseclog((LOG_DEBUG, "%s: saidx mismatched for SPI %u\n", __func__, ntohl(sav->spi))); key_freesav(); return key_senderror(so, m, ESRCH); @@ -6885,14 +6885,14 @@ key_acqdone(const struct secasindex *saidx, uint32_t s if (acq != NULL) { if (key_cmpsaidx(>saidx, saidx, CMP_EXACTLY) == 0) { ipseclog((LOG_DEBUG, - "%s: Mismatched saidx for ACQ %u", __func__, seq)); + "%s: Mismatched saidx for ACQ %u\n", __func__, seq)); acq = NULL; } else { acq->created = 0; } } else { ipseclog((LOG_DEBUG, - "%s: ACQ %u is not found.", __func__, seq)); + "%s: ACQ %u is not found.\n", __func__, seq)); } ACQ_UNLOCK(); if (acq == NULL) ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
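Review bot: style only: the key_spdadd() hunk wraps the format string onto its own line (`ipseclog((LOG_DEBUG,` / `"%s: a SP entry exists already.\n", __func__));`) while the other three hunks keep the format on the ipseclog line; pick one layout for the file. As these hunks show, ipseclog() callers have to supply the trailing newline themselves, so the remaining ipseclog() calls in key.c deserve the same check before the MFC.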
svn commit: r350417 - head/sys/netpfil/ipfw
Author: ae Date: Mon Jul 29 15:09:12 2019 New Revision: 350417 URL: https://svnweb.freebsd.org/changeset/base/350417 Log: Add ipfw_get_action() function to get the pointer to action opcode. ACTION_PTR() returns pointer to the start of rule action section, but rule can keep several rule modifiers like O_LOG, O_TAG and O_ALTQ, and only then real action opcode is stored. ipfw_get_action() function inspects the rule action section, skips all modifiers and returns action opcode. Use this function in ipfw_reset_eaction() and flush_nat_ptrs(). MFC after:1 week Sponsored by: Yandex LLC Modified: head/sys/netpfil/ipfw/ip_fw_eaction.c head/sys/netpfil/ipfw/ip_fw_nat.c head/sys/netpfil/ipfw/ip_fw_private.h head/sys/netpfil/ipfw/ip_fw_sockopt.c Modified: head/sys/netpfil/ipfw/ip_fw_eaction.c == --- head/sys/netpfil/ipfw/ip_fw_eaction.c Mon Jul 29 14:59:14 2019 (r350416) +++ head/sys/netpfil/ipfw/ip_fw_eaction.c Mon Jul 29 15:09:12 2019 (r350417) 
@@ -377,33 +377,30 @@ ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_f uint16_t eaction_id, uint16_t default_id, uint16_t instance_id) { ipfw_insn *cmd, *icmd; - int l, cmdlen; + int l; IPFW_UH_WLOCK_ASSERT(ch); IPFW_WLOCK_ASSERT(ch); - cmd = ACTION_PTR(rule); - l = rule->cmd_len - rule->act_ofs; - while (l > 0) { - cmdlen = F_LEN(cmd); - l -= cmdlen; - if (cmd->opcode == O_EXTERNAL_ACTION || l <= 0) - break; - cmd += cmdlen; - } /* * Return if there is not O_EXTERNAL_ACTION or its id is * different. */ + cmd = ipfw_get_action(rule); if (cmd->opcode != O_EXTERNAL_ACTION || cmd->arg1 != eaction_id) return (0); /* * If instance_id is specified, we need to truncate the * rule length. Check if there is O_EXTERNAL_INSTANCE opcode. +* +* NOTE: F_LEN(cmd) must be 1 for O_EXTERNAL_ACTION opcode, +* and rule length should be enough to keep O_EXTERNAL_INSTANCE +* opcode, thus we do check for l > 1. */ - if (instance_id != 0 && l > 0) { - MPASS(cmdlen == 1); + l = rule->cmd + rule->cmd_len - cmd; + if (instance_id != 0 && l > 1) { + MPASS(F_LEN(cmd) == 1); icmd = cmd + 1; if (icmd->opcode != O_EXTERNAL_INSTANCE || icmd->arg1 != instance_id) @@ -415,8 +412,9 @@ ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_f * opcode. */ EACTION_DEBUG("truncate rule %d: len %u -> %u", - rule->rulenum, rule->cmd_len, rule->cmd_len - l); - rule->cmd_len -= l; + rule->rulenum, rule->cmd_len, + rule->cmd_len - F_LEN(icmd)); + rule->cmd_len -= F_LEN(icmd); MPASS(((uint32_t *)icmd - (uint32_t *)rule->cmd) == rule->cmd_len); } Modified: head/sys/netpfil/ipfw/ip_fw_nat.c == --- head/sys/netpfil/ipfw/ip_fw_nat.c Mon Jul 29 14:59:14 2019 (r350416) +++ head/sys/netpfil/ipfw/ip_fw_nat.c Mon Jul 29 15:09:12 2019 (r350417) 
@@ -140,13 +140,12 @@ ifaddr_change(void *arg __unused, struct ifnet *ifp) static void flush_nat_ptrs(struct ip_fw_chain *chain, const int ix) { - int i; ipfw_insn_nat *cmd; + int i; IPFW_WLOCK_ASSERT(chain); for (i = 0; i < chain->n_rules; i++) { - cmd = (ipfw_insn_nat *)ACTION_PTR(chain->map[i]); - /* XXX skip log and the like ? */ + cmd = (ipfw_insn_nat *)ipfw_get_action(chain->map[i]); if (cmd->o.opcode == O_NAT && cmd->nat != NULL && (ix < 0 || cmd->nat->id == ix)) cmd->nat = NULL; Modified: head/sys/netpfil/ipfw/ip_fw_private.h == --- head/sys/netpfil/ipfw/ip_fw_private.h Mon Jul 29 14:59:14 2019 (r350416) +++ head/sys/netpfil/ipfw/ip_fw_private.h Mon Jul 29 15:09:12 2019 (r350417) @@ -665,6 +665,7 @@ struct ip_fw *ipfw_alloc_rule(struct ip_fw_chain *chai void ipfw_free_rule(struct ip_fw *rule); int ipfw_match_range(struct ip_fw *rule, ipfw_range_tlv *rt); int ipfw_mark_object_kidx(uint32_t *bmask, uint16_t etlv, uint16_t kidx); +ipfw_insn *ipfw_get_action(struct ip_fw *); typedef int (sopt_handler_f)(struct ip_fw_chain *ch, ip_fw3_opheader *op3, struct sockopt_data *sd); Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c == ---
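Review bot: in the ip_fw_eaction.c hunk, `l = rule->cmd + rule->cmd_len - cmd;` is a pointer difference in ipfw_insn units, so `l > 1` means at least one word follows O_EXTERNAL_ACTION; that part is fine. The truncation, however, changes from `rule->cmd_len -= l` to `rule->cmd_len -= F_LEN(icmd)`, which strips only the O_EXTERNAL_INSTANCE opcode; the MPASS right after it then requires icmd to have been the last opcode, so any opcode placed after O_EXTERNAL_INSTANCE would now trip the assertion instead of being truncated. State in the comment that O_EXTERNAL_INSTANCE must be the final opcode of the rule.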
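Review bot: in the ip_fw_nat.c hunk, flush_nat_ptrs() dereferences `cmd->o.opcode` unconditionally, so ipfw_get_action() must be guaranteed never to return NULL; the definition in ip_fw_sockopt.c is not visible here, so please confirm it always yields a valid opcode pointer (for example for a rule whose action section holds only modifiers), otherwise a NULL check is needed both here and in ipfw_reset_eaction(). The swap of the `int i;` and `ipfw_insn_nat *cmd;` declarations is unrelated churn.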
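Review bot: in ip_fw_private.h the new prototype `ipfw_insn *ipfw_get_action(struct ip_fw *);` omits the parameter name while the neighbouring prototypes (ipfw_free_rule, ipfw_match_range, ipfw_mark_object_kidx) name theirs; write `struct ip_fw *rule` for consistency. A const parameter is not an option, since ipfw_reset_eaction() writes `cmd->arg1` through the returned pointer.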
svn commit: r350413 - head/sys/netpfil/ipfw
Author: ae Date: Mon Jul 29 12:55:48 2019 New Revision: 350413 URL: https://svnweb.freebsd.org/changeset/base/350413 Log: Avoid possible lock leaking. After r343619 ipfw uses own locking for packets flow. PULLUP_LEN() macro is used in ipfw_chk() to make m_pullup(). When m_pullup() fails, it just returns via `goto pullup_failed`. There are two places where PULLUP_LEN() is called with IPFW_PF_RLOCK() held. Add PULLUP_LEN_LOCKED() macro to use in these places to be able to release the lock, when m_pullup() fails. Sponsored by: Yandex LLC Modified: head/sys/netpfil/ipfw/ip_fw2.c Modified: head/sys/netpfil/ipfw/ip_fw2.c == --- head/sys/netpfil/ipfw/ip_fw2.c Mon Jul 29 10:44:04 2019 (r350412) +++ head/sys/netpfil/ipfw/ip_fw2.c Mon Jul 29 12:55:48 2019 (r350413) @@ -1442,9 +1442,9 @@ ipfw_chk(struct ip_fw_args *args) * pointer might become stale after other pullups (but we never use it * this way). */ -#define PULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T)) +#definePULLUP_TO(_len, p, T) PULLUP_LEN(_len, p, sizeof(T)) #defineEHLEN (eh != NULL ? ((char *)ip - (char *)eh) : 0) -#define PULLUP_LEN(_len, p, T) \ +#define_PULLUP_LOCKED(_len, p, T, unlock) \ do { \ int x = (_len) + T + EHLEN; \ if (mem) { \ @@ -1453,12 +1453,18 @@ do { \ } else {\ if (__predict_false((m)->m_len < x)) { \ args->m = m = m_pullup(m, x); \ - if (m == NULL) \ + if (m == NULL) {\ + unlock; \ goto pullup_failed; \ + } \ } \ p = mtod(m, char *) + (_len) + EHLEN; \ } \ } while (0) + +#definePULLUP_LEN(_len, p, T) _PULLUP_LOCKED(_len, p, T, ) +#definePULLUP_LEN_LOCKED(_len, p, T) \ +_PULLUP_LOCKED(_len, p, T, IPFW_PF_RUNLOCK(chain)) /* * In case pointers got stale after pullups, update them. */ @@ -2310,7 +2316,7 @@ do { \ case O_TCPOPTS: if (proto == IPPROTO_TCP && offset == 0 && ulp){ - PULLUP_LEN(hlen, ulp, + PULLUP_LEN_LOCKED(hlen, ulp, (TCP(ulp)->th_off << 2)); match = tcpopts_match(TCP(ulp), cmd); } 
@@ -2335,7 +2341,7 @@ do { \ uint16_t mss, *p; int i; - PULLUP_LEN(hlen, ulp, + PULLUP_LEN_LOCKED(hlen, ulp, (TCP(ulp)->th_off << 2)); if ((tcpopts_parse(TCP(ulp), ) & IP_FW_TCPOPT_MSS) == 0) @@ -3182,6 +3188,7 @@ do { \ } /* end of inner loop, scan opcodes */ #undef PULLUP_LEN +#undef PULLUP_LEN_LOCKED if (done) break; ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
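Review bot: the `#undef` hunk removes PULLUP_LEN and adds `#undef PULLUP_LEN_LOCKED`, but leaves the new `_PULLUP_LOCKED` helper (and PULLUP_TO) defined past the end of the opcode loop; add `#undef _PULLUP_LOCKED` alongside them so the helper does not leak out of ipfw_chk().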
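Review bot: `PULLUP_LEN` passes an empty `unlock` argument, so inside `if (m == NULL) {` it expands to a bare `;` before `goto pullup_failed;`; that is legal C99 but easy to misread, so a comment on the `_PULLUP_LOCKED` definition saying `unlock` may be empty would help. PULLUP_LEN_LOCKED also hard-codes the identifier `chain` in `IPFW_PF_RUNLOCK(chain)`, so it is only correct at call sites where that variable is in scope and the read lock is actually held; the two call sites converted here (O_TCPOPTS and the MSS parsing case) are the ones the log identifies, and a comment naming that precondition next to the macro would keep future users from calling it unlocked.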
svn commit: r350240 - head/sys/netpfil/ipfw
Author: ae Date: Tue Jul 23 12:52:36 2019 New Revision: 350240 URL: https://svnweb.freebsd.org/changeset/base/350240 Log: Eliminate rmlock from ipfw's BPF code. After r343631 pfil hooks are invoked in net_epoch_preempt section, this allows to avoid extra locking. Add NET_EPOCH_ASSERT() assertion to each ipfw_bpf_*tap*() call to require to be called from inside epoch section. Use NET_EPOCH_WAIT() in ipfw_clone_destroy() to wait until it becomes safe to free() ifnet. And use on-stack ifnet pointer in each ipfw_bpf_*tap*() call to avoid NULL pointer dereference in case when V_*log_if global variable will become NULL during ipfw_bpf_*tap*() call. Sponsored by: Yandex LLC Modified: head/sys/netpfil/ipfw/ip_fw_bpf.c Modified: head/sys/netpfil/ipfw/ip_fw_bpf.c == --- head/sys/netpfil/ipfw/ip_fw_bpf.c Tue Jul 23 09:39:27 2019 (r350239) +++ head/sys/netpfil/ipfw/ip_fw_bpf.c Tue Jul 23 12:52:36 2019 (r350240) @@ -32,7 +32,6 @@ __FBSDID("$FreeBSD$"); #include #include #include -#include #include #include #include @@ -57,15 +56,6 @@ VNET_DEFINE_STATIC(struct if_clone *, ipfwlog_cloner); #defineV_log_ifVNET(log_if) #defineV_pflog_if VNET(pflog_if) -static struct rmlock log_if_lock; -#defineLOGIF_LOCK_INIT(x) rm_init(_if_lock, "ipfw log_if lock") -#defineLOGIF_LOCK_DESTROY(x) rm_destroy(_if_lock) -#defineLOGIF_RLOCK_TRACKER struct rm_priotracker _log_tracker -#defineLOGIF_RLOCK(x) rm_rlock(_if_lock, &_log_tracker) -#defineLOGIF_RUNLOCK(x)rm_runlock(_if_lock, &_log_tracker) -#defineLOGIF_WLOCK(x) rm_wlock(_if_lock) -#defineLOGIF_WUNLOCK(x)rm_wunlock(_if_lock) - static const char ipfwname[] = "ipfw"; static const char ipfwlogname[] = "ipfwlog"; @@ -90,13 +80,12 @@ static void ipfw_clone_destroy(struct ifnet *ifp) { - LOGIF_WLOCK(); if (ifp->if_hdrlen == ETHER_HDR_LEN) V_log_if = NULL; else V_pflog_if = NULL; - LOGIF_WUNLOCK(); + NET_EPOCH_WAIT(); bpfdetach(ifp); if_detach(ifp); if_free(ifp); 
@@ -118,16 +107,13 @@ ipfw_clone_create(struct if_clone *ifc, int unit, cadd ifp->if_hdrlen = ETHER_HDR_LEN; if_attach(ifp); bpfattach(ifp, DLT_EN10MB, ETHER_HDR_LEN); - LOGIF_WLOCK(); if (V_log_if != NULL) { - LOGIF_WUNLOCK(); bpfdetach(ifp); if_detach(ifp); if_free(ifp); return (EEXIST); } V_log_if = ifp; - LOGIF_WUNLOCK(); return (0); } @@ -147,48 +133,42 @@ ipfwlog_clone_create(struct if_clone *ifc, int unit, c ifp->if_hdrlen = PFLOG_HDRLEN; if_attach(ifp); bpfattach(ifp, DLT_PFLOG, PFLOG_HDRLEN); - LOGIF_WLOCK(); if (V_pflog_if != NULL) { - LOGIF_WUNLOCK(); bpfdetach(ifp); if_detach(ifp); if_free(ifp); return (EEXIST); } V_pflog_if = ifp; - LOGIF_WUNLOCK(); return (0); } void ipfw_bpf_tap(u_char *pkt, u_int pktlen) { - LOGIF_RLOCK_TRACKER; + struct ifnet *ifp = V_log_if; - LOGIF_RLOCK(); - if (V_log_if != NULL) - BPF_TAP(V_log_if, pkt, pktlen); - LOGIF_RUNLOCK(); + NET_EPOCH_ASSERT(); + if (ifp != NULL) + BPF_TAP(ifp, pkt, pktlen); } void ipfw_bpf_mtap(struct mbuf *m) { - LOGIF_RLOCK_TRACKER; + struct ifnet *ifp = V_log_if; - LOGIF_RLOCK(); - if (V_log_if != NULL) - BPF_MTAP(V_log_if, m); - LOGIF_RUNLOCK(); + NET_EPOCH_ASSERT(); + if (ifp != NULL) + BPF_MTAP(ifp, m); } void ipfw_bpf_mtap2(void *data, u_int dlen, struct mbuf *m) { struct ifnet *logif; - LOGIF_RLOCK_TRACKER; - LOGIF_RLOCK(); + NET_EPOCH_ASSERT(); switch (dlen) { case (ETHER_HDR_LEN): logif = V_log_if; @@ -205,19 +185,14 @@ ipfw_bpf_mtap2(void *data, u_int dlen, struct mbuf *m) if (logif != NULL) BPF_MTAP2(logif, data, dlen, m); - - LOGIF_RUNLOCK(); } void -ipfw_bpf_init(int first) +ipfw_bpf_init(int first __unused) { - if (first) { - LOGIF_LOCK_INIT(); - V_log_if = NULL; - V_pflog_if = NULL; - } + V_log_if = NULL; + V_pflog_if = NULL; V_ipfw_cloner = if_clone_simple(ipfwname, ipfw_clone_create, ipfw_clone_destroy, 0); V_ipfwlog_cloner = if_clone_simple(ipfwlogname, ipfwlog_clone_create, 
@@ -225,12 +200,10 @@ ipfw_bpf_init(int first) } void -ipfw_bpf_uninit(int last) +ipfw_bpf_uninit(int last __unused) {
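Review bot: with LOGIF_WLOCK()/LOGIF_WUNLOCK() removed from ipfw_clone_create() and ipfwlog_clone_create(), nothing visible in these hunks serializes two concurrent create calls; the `if (V_log_if != NULL) { ... return (EEXIST); } V_log_if = ifp;` check-then-set can now race, and one of the two attached ifnets would be lost from the global pointer. If the if_clone_simple() callbacks are serialized by the cloner code, say so in a comment at the check; otherwise the assignment needs a lock or an atomic compare-and-set.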
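Review bot: in ipfw_bpf_tap()/ipfw_bpf_mtap(), copying `V_log_if` into a local `ifp` and testing only the local is the right pattern for the race the log describes, but V_log_if is a plain pointer, so nothing stops the compiler from re-reading the global; initializing the local with `atomic_load_ptr(&V_log_if)` makes the single-read requirement explicit. The same single read is what ipfw_clone_destroy() relies on when it sets `V_log_if = NULL;` and then calls `NET_EPOCH_WAIT();` before `bpfdetach(ifp)`, so a comment there pointing at the tap side would tie the two halves together.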
svn commit: r349941 - head/sys/netpfil/ipfw
Author: ae Date: Fri Jul 12 09:59:21 2019 New Revision: 349941 URL: https://svnweb.freebsd.org/changeset/base/349941 Log: Do not modify cmd pointer if it is already last opcode in the rule. MFC after:1 week Modified: head/sys/netpfil/ipfw/ip_fw_eaction.c Modified: head/sys/netpfil/ipfw/ip_fw_eaction.c == --- head/sys/netpfil/ipfw/ip_fw_eaction.c Fri Jul 12 09:48:42 2019 (r349940) +++ head/sys/netpfil/ipfw/ip_fw_eaction.c Fri Jul 12 09:59:21 2019 (r349941) @@ -387,7 +387,7 @@ ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_f while (l > 0) { cmdlen = F_LEN(cmd); l -= cmdlen; - if (cmd->opcode == O_EXTERNAL_ACTION) + if (cmd->opcode == O_EXTERNAL_ACTION || l <= 0) break; cmd += cmdlen; } ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
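Review bot: the added `|| l <= 0` stops `cmd` from being advanced past the final opcode when the rule has no O_EXTERNAL_ACTION, so the `cmd->opcode` test after the loop no longer reads beyond the rule's action section; a short comment on the break saying exactly that would help, since the condition looks redundant next to `while (l > 0)`. The loop still does not guard against `F_LEN(cmd) == 0`, where `l -= cmdlen` would never make progress; if insertion-time validation rules that out, a KASSERT on cmdlen would document it.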
svn commit: r349940 - head/sys/netpfil/ipfw
Author: ae Date: Fri Jul 12 09:48:42 2019 New Revision: 349940 URL: https://svnweb.freebsd.org/changeset/base/349940 Log: Correctly truncate the rule in case when it has several action opcodes. It is possible that opcode at the ACTION_PTR() location is not real action, but action modifier like "log", "tag" etc. In this case we need to check for each opcode in the loop to find O_EXTERNAL_ACTION. Obtained from:Yandex LLC MFC after:1 week Sponsored by: Yandex LLC Modified: head/sys/netpfil/ipfw/ip_fw_eaction.c Modified: head/sys/netpfil/ipfw/ip_fw_eaction.c == --- head/sys/netpfil/ipfw/ip_fw_eaction.c Fri Jul 12 09:02:12 2019 (r349939) +++ head/sys/netpfil/ipfw/ip_fw_eaction.c Fri Jul 12 09:48:42 2019 (r349940) 
@@ -377,35 +377,51 @@ ipfw_reset_eaction(struct ip_fw_chain *ch, struct ip_f uint16_t eaction_id, uint16_t default_id, uint16_t instance_id) { ipfw_insn *cmd, *icmd; + int l, cmdlen; IPFW_UH_WLOCK_ASSERT(ch); IPFW_WLOCK_ASSERT(ch); cmd = ACTION_PTR(rule); + l = rule->cmd_len - rule->act_ofs; + while (l > 0) { + cmdlen = F_LEN(cmd); + l -= cmdlen; + if (cmd->opcode == O_EXTERNAL_ACTION) + break; + cmd += cmdlen; + } + /* +* Return if there is not O_EXTERNAL_ACTION or its id is +* different. +*/ if (cmd->opcode != O_EXTERNAL_ACTION || cmd->arg1 != eaction_id) return (0); - - if (instance_id != 0 && rule->act_ofs < rule->cmd_len - 1) { + /* +* If instance_id is specified, we need to truncate the +* rule length. Check if there is O_EXTERNAL_INSTANCE opcode. +*/ + if (instance_id != 0 && l > 0) { + MPASS(cmdlen == 1); icmd = cmd + 1; if (icmd->opcode != O_EXTERNAL_INSTANCE || icmd->arg1 != instance_id) return (0); - /* FALLTHROUGH */ + /* +* Since named_object related to this instance will be +* destroyed, truncate the chain of opcodes to remove +* the rest of cmd chain just after O_EXTERNAL_ACTION +* opcode. +*/ + EACTION_DEBUG("truncate rule %d: len %u -> %u", + rule->rulenum, rule->cmd_len, rule->cmd_len - l); + rule->cmd_len -= l; + MPASS(((uint32_t *)icmd - + (uint32_t *)rule->cmd) == rule->cmd_len); } cmd->arg1 = default_id; /* Set to default id */ - /* -* Since named_object related to this instance will be -* also destroyed, truncate the chain of opcodes to -* remove the rest of cmd chain just after O_EXTERNAL_ACTION -* opcode. -*/ - if (rule->act_ofs < rule->cmd_len - 1) { - EACTION_DEBUG("truncate rule %d: len %u -> %u", - rule->rulenum, rule->cmd_len, rule->act_ofs + 1); - rule->cmd_len = rule->act_ofs + 1; - } /* * Return 1 when reset successfully happened. */ ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
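Review bot: the scan loop `while (l > 0) { cmdlen = F_LEN(cmd); l -= cmdlen; if (cmd->opcode == O_EXTERNAL_ACTION) break; cmd += cmdlen; }` advances `cmd` one opcode past the action section when no O_EXTERNAL_ACTION is present, and the following `cmd->opcode != O_EXTERNAL_ACTION` test then reads outside the rule; the loop needs to stop on the last opcode (r349941 on this list adds `|| l <= 0` for exactly that). Separately, `rule->cmd_len -= l` truncates everything after O_EXTERNAL_ACTION, which is only right when O_EXTERNAL_INSTANCE is the last opcode; the `MPASS(((uint32_t *)icmd - (uint32_t *)rule->cmd) == rule->cmd_len)` enforces that, so say so in the comment above it.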
Re: svn commit: r349366 - head/sys/netpfil/ipfw
On 25.06.2019 16:28, Rodney W. Grimes wrote:
>> Author: ae
>> Date: Tue Jun 25 11:40:37 2019
>> New Revision: 349366
>> URL: https://svnweb.freebsd.org/changeset/base/349366
>>
>> Log:
>> Follow the RFC 3128 and drop short TCP fragments with offset = 1.
>>
>> Reported by: emaste
>> MFC after: 1 week
>
> Can we get a counter or something so that the dropping of these
> is not totally silent and invisible?

They are logged, as all short packets are, with the "Pullup failed" message when net.inet.ip.fw.verbose is enabled.

--
WBR, Andrey V. Elsukov
svn commit: r349366 - head/sys/netpfil/ipfw
Author: ae Date: Tue Jun 25 11:40:37 2019 New Revision: 349366 URL: https://svnweb.freebsd.org/changeset/base/349366 Log: Follow the RFC 3128 and drop short TCP fragments with offset = 1. Reported by: emaste MFC after:1 week Modified: head/sys/netpfil/ipfw/ip_fw2.c Modified: head/sys/netpfil/ipfw/ip_fw2.c == --- head/sys/netpfil/ipfw/ip_fw2.c Tue Jun 25 09:11:22 2019 (r349365) +++ head/sys/netpfil/ipfw/ip_fw2.c Tue Jun 25 11:40:37 2019 (r349366) @@ -1719,6 +1719,11 @@ do { \ default: break; } + } else { + if (offset == 1 && proto == IPPROTO_TCP) { + /* RFC 3128 */ + goto pullup_failed; + } } UPDATE_POINTERS(); ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
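Review bot: dropping these fragments via `goto pullup_failed` makes them indistinguishable from real m_pullup() failures in the verbose log (the follow-up exchange on this page confirms they appear as "Pullup failed"); a dedicated label or a counter bumped before the goto would let operators see how often the RFC 3128 case fires. The check sits in the `else` branch of the offset test, so it only runs for non-first fragments, which is correct, but the `/* RFC 3128 */` comment should say why offset 1 matters: such a fragment can overlay the TCP header bytes that hold the flags, so the first fragment's flags cannot be trusted.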
svn commit: r349365 - head/sys/netpfil/ipfw
Author: ae Date: Tue Jun 25 09:11:22 2019 New Revision: 349365 URL: https://svnweb.freebsd.org/changeset/base/349365 Log: Mark default rule with IPFW_RULE_NOOPT flag, so it can be shown in compact form. MFC after:1 week Modified: head/sys/netpfil/ipfw/ip_fw2.c Modified: head/sys/netpfil/ipfw/ip_fw2.c == --- head/sys/netpfil/ipfw/ip_fw2.c Tue Jun 25 09:08:24 2019 (r349364) +++ head/sys/netpfil/ipfw/ip_fw2.c Tue Jun 25 09:11:22 2019 (r349365) @@ -3364,6 +3364,7 @@ vnet_ipfw_init(const void *unused) /* fill and insert the default rule */ rule = ipfw_alloc_rule(chain, sizeof(struct ip_fw)); + rule->flags |= IPFW_RULE_NOOPT; rule->cmd_len = 1; rule->cmd[0].len = 1; rule->cmd[0].opcode = default_to_accept ? O_ACCEPT : O_DENY; ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
svn commit: r349364 - head/sbin/ipfw
Author: ae Date: Tue Jun 25 09:08:24 2019 New Revision: 349364 URL: https://svnweb.freebsd.org/changeset/base/349364 Log: Restore ipfw(8)'s compact output support broken after r331668. Also modify it a bit. Now -c option omits only 'from any to any' part and works for different protocols (not just for ip). Reported by: Dmitry Selivanov MFC after:1 week Modified: head/sbin/ipfw/ipfw2.c Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Tue Jun 25 07:44:37 2019(r349363) +++ head/sbin/ipfw/ipfw2.c Tue Jun 25 09:08:24 2019(r349364) @@ -2223,6 +2223,8 @@ show_static_rule(struct cmdline_opts *co, struct forma } print_proto(bp, fo, ); + if (co->do_compact != 0 && (rule->flags & IPFW_RULE_NOOPT)) + goto justopts; /* Print source */ bprintf(bp, " from"); @@ -4395,6 +4397,8 @@ chkarg: } OR_BLOCK(get_proto); + first_cmd = cmd; /* update pointer to use in compact form */ + /* * "from", mandatory */ @@ -4466,6 +4470,8 @@ chkarg: cmd = next_cmd(cmd, ); } } + if (first_cmd == cmd) + rule->flags |= IPFW_RULE_NOOPT; read_options: prev = NULL; ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
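Review bot: `first_cmd = cmd;` after `OR_BLOCK(get_proto);` together with `if (first_cmd == cmd) rule->flags |= IPFW_RULE_NOOPT;` detects that the from/to parsing emitted no opcodes, which is a sound way to mark "from any to any" rules. Note the flag is only set at add time, so rules already installed in the kernel before this change (and the default rule, until r349365 on this page) will keep printing in long form under -c; worth a line in the log. On the show side, `goto justopts` right after print_proto() is guarded by `co->do_compact != 0 && (rule->flags & IPFW_RULE_NOOPT)`, so the source/destination output is skipped only for those rules, matching the description.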
svn commit: r349267 - in head: sbin/ipfw sys/netinet sys/netpfil/ipfw
Author: ae Date: Fri Jun 21 10:54:51 2019 New Revision: 349267 URL: https://svnweb.freebsd.org/changeset/base/349267 Log: Add "tcpmss" opcode to match the TCP MSS value. With this opcode it is possible to match TCP packets with specified MSS option, whose value corresponds to configured in opcode value. It is allowed to specify single value, range of values, or array of specific values or ranges. E.g. # ipfw add deny log tcp from any to any tcpmss 0-500 Reviewed by: melifaro,bcr Obtained from:Yandex LLC MFC after:1 week Sponsored by: Yandex LLC Modified: head/sbin/ipfw/ipfw.8 head/sbin/ipfw/ipfw2.c head/sbin/ipfw/ipfw2.h head/sys/netinet/ip_fw.h head/sys/netpfil/ipfw/ip_fw2.c head/sys/netpfil/ipfw/ip_fw_sockopt.c Modified: head/sbin/ipfw/ipfw.8 == --- head/sbin/ipfw/ipfw.8 Fri Jun 21 07:58:08 2019(r349266) +++ head/sbin/ipfw/ipfw.8 Fri Jun 21 10:54:51 2019(r349267) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd May 24, 2019 +.Dd June 21, 2019 .Dt IPFW 8 .Os .Sh NAME @@ -1989,6 +1989,12 @@ a non-zero offset. See the .Cm frag option for details on matching fragmented packets. +.It Cm tcpmss Ar tcpmss-list +Matches TCP packets whose MSS (maximum segment size) value is set to +.Ar tcpmss-list , +which is either a single value or a list of values or ranges +specified in the same way as +.Ar ports . .It Cm tcpseq Ar seq TCP packets only. Match if the TCP header sequence number field is set to Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Fri Jun 21 07:58:08 2019(r349266) +++ head/sbin/ipfw/ipfw2.c Fri Jun 21 10:54:51 2019(r349267) @@ -338,6 +338,7 @@ static struct _s_x rule_options[] = { { "tcpdatalen", TOK_TCPDATALEN }, { "tcpflags", TOK_TCPFLAGS }, { "tcpflgs",TOK_TCPFLAGS }, + { "tcpmss", TOK_TCPMSS }, { "tcpoptions", TOK_TCPOPTS }, { "tcpopts",TOK_TCPOPTS }, { "tcpseq", TOK_TCPSEQ }, 
@@ -881,6 +882,7 @@ static struct _s_x _port_name[] = { {"ipttl", O_IPTTL}, {"mac-type",O_MAC_TYPE}, {"tcpdatalen", O_TCPDATALEN}, + {"tcpmss", O_TCPMSS}, {"tcpwin", O_TCPWIN}, {"tagged", O_TAGGED}, {NULL, 0} @@ -1588,6 +1590,7 @@ print_instruction(struct buf_pr *bp, const struct form case O_IPTTL: case O_IPLEN: case O_TCPDATALEN: + case O_TCPMSS: case O_TCPWIN: if (F_LEN(cmd) == 1) { switch (cmd->opcode) { @@ -1603,6 +1606,9 @@ print_instruction(struct buf_pr *bp, const struct form case O_TCPDATALEN: s = "tcpdatalen"; break; + case O_TCPMSS: + s = "tcpmss"; + break; case O_TCPWIN: s = "tcpwin"; break; @@ -4709,14 +4715,18 @@ read_options: av++; break; + case TOK_TCPMSS: case TOK_TCPWIN: - NEED1("tcpwin requires length"); + NEED1("tcpmss/tcpwin requires size"); if (strpbrk(*av, "-,")) { - if (!add_ports(cmd, *av, 0, O_TCPWIN, cblen)) - errx(EX_DATAERR, "invalid tcpwin len %s", *av); + if (add_ports(cmd, *av, 0, + i == TOK_TCPWIN ? O_TCPWIN : O_TCPMSS, + cblen) == NULL) + errx(EX_DATAERR, "invalid %s size %s", + s, *av); } else - fill_cmd(cmd, O_TCPWIN, 0, - strtoul(*av, NULL, 0)); + fill_cmd(cmd, i == TOK_TCPWIN ? O_TCPWIN : + O_TCPMSS, 0, strtoul(*av, NULL, 0)); av++; break; Modified: head/sbin/ipfw/ipfw2.h == --- head/sbin/ipfw/ipfw2.h Fri Jun 21 07:58:08 2019(r349266) +++ head/sbin/ipfw/ipfw2.h Fri Jun 21 10:54:51 2019(r349267) @@ -151,6 +151,7 @@ enum tokens { TOK_TCPOPTS, TOK_TCPSEQ, TOK_TCPACK, + TOK_TCPMSS, TOK_TCPWIN, TOK_ICMPTYPES, TOK_MAC, Modified: head/sys/netinet/ip_fw.h == ---
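Review bot: in the read_options hunk, `errx(EX_DATAERR, "invalid %s size %s", s, *av);` relies on `s` holding the option keyword ("tcpmss" or "tcpwin") when add_ports() fails, but nothing in this hunk assigns it; confirm `s` is the matched token string at that point, otherwise the error message prints a stale value. The `i == TOK_TCPWIN ? O_TCPWIN : O_TCPMSS` selection is also written twice; compute the opcode once before the `if (strpbrk(*av, "-,"))` and pass it to both add_ports() and fill_cmd(). The kernel-side match for O_TCPMSS in ip_fw2.c is not visible here, so the MSS-option parsing it relies on could not be checked.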
svn commit: r348774 - head/sys/sys
Author: ae Date: Fri Jun 7 08:30:35 2019 New Revision: 348774 URL: https://svnweb.freebsd.org/changeset/base/348774 Log: Use underscores for internal variable name to avoid conflicts. MFC after:1 week Modified: head/sys/sys/counter.h Modified: head/sys/sys/counter.h == --- head/sys/sys/counter.h Fri Jun 7 08:21:01 2019(r348773) +++ head/sys/sys/counter.h Fri Jun 7 08:30:35 2019(r348774) @@ -43,23 +43,23 @@ voidcounter_u64_zero(counter_u64_t); uint64_t counter_u64_fetch(counter_u64_t); #defineCOUNTER_ARRAY_ALLOC(a, n, wait) do {\ - for (int i = 0; i < (n); i++) \ - (a)[i] = counter_u64_alloc(wait); \ + for (int _i = 0; _i < (n); _i++)\ + (a)[_i] = counter_u64_alloc(wait); \ } while (0) #defineCOUNTER_ARRAY_FREE(a, n)do {\ - for (int i = 0; i < (n); i++) \ - counter_u64_free((a)[i]); \ + for (int _i = 0; _i < (n); _i++)\ + counter_u64_free((a)[_i]); \ } while (0) #defineCOUNTER_ARRAY_COPY(a, dstp, n) do {\ - for (int i = 0; i < (n); i++) \ - ((uint64_t *)(dstp))[i] = counter_u64_fetch((a)[i]);\ + for (int _i = 0; _i < (n); _i++)\ + ((uint64_t *)(dstp))[_i] = counter_u64_fetch((a)[_i]);\ } while (0) #defineCOUNTER_ARRAY_ZERO(a, n)do {\ - for (int i = 0; i < (n); i++) \ - counter_u64_zero((a)[i]); \ + for (int _i = 0; _i < (n); _i++)\ + counter_u64_zero((a)[_i]); \ } while (0) /* ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
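Review bot: renaming the loop variable to `_i` removes the clash with a caller's own `i`, and `_i` is a safe choice: the C standard reserves identifiers beginning with an underscore followed by a lowercase letter only at file scope, and these are block-scope loop variables inside the do/while. The macros still evaluate `(n)` on every iteration, so callers must not pass an expression with side effects; a one-line comment above COUNTER_ARRAY_ALLOC() stating that would document the contract.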
svn commit: r348682 - head/sys/netpfil/ipfw/nat64
Author: ae Date: Wed Jun 5 09:25:40 2019 New Revision: 348682 URL: https://svnweb.freebsd.org/changeset/base/348682 Log: Initialize V_nat64out methods explicitly. It looks like initialization of static variable doesn't work for VIMAGE and this leads to panic. Reported by: olivier MFC after:1 week Modified: head/sys/netpfil/ipfw/nat64/ip_fw_nat64.c Modified: head/sys/netpfil/ipfw/nat64/ip_fw_nat64.c == --- head/sys/netpfil/ipfw/nat64/ip_fw_nat64.c Wed Jun 5 04:58:42 2019 (r348681) +++ head/sys/netpfil/ipfw/nat64/ip_fw_nat64.c Wed Jun 5 09:25:40 2019 (r348682) @@ -83,6 +83,8 @@ vnet_ipfw_nat64_init(const void *arg __unused) ch = _layer3_chain; first = IS_DEFAULT_VNET(curvnet) ? 1: 0; + /* Initialize V_nat64out methods explicitly. */ + nat64_set_output_method(0); error = nat64stl_init(ch, first); if (error != 0) return (error); ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
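Review bot: the comment `/* Initialize V_nat64out methods explicitly. */` only restates the call; record the reason from the log instead (the static initializer of the V_nat64out variable is not applied under VIMAGE, which caused the reported panic) so nobody "cleans up" the call later. The bare `0` passed to nat64_set_output_method() should be the named method constant the function expects, so a reader can tell which output method becomes the per-vnet default.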
Re: svn commit: r348303 - head/sys/net
On 29.05.2019 06:12, Gleb Smirnoff wrote:
> A> bpf_mtap() is not the only consumer of bd_bif, some of them expect it
> A> becomes NULL when descriptor is detached.
>
> May be then make a flag attached/detached?

Do you have benchmark results that show some benefits in performance? :)
I prefer to wait some time after MFC to get a bit wider testing, before doing other performance optimizations.

--
WBR, Andrey V. Elsukov
Re: svn commit: r348303 - head/sys/net
29.05.2019 3:10, Gleb Smirnoff wrote: > Hi Andrey, > > I made a different change to mitigate this panic: don't clear the pointer. > > --- a/FreeBSD/sys/net/bpf.c > +++ b/FreeBSD/sys/net/bpf.c > @@ -857,7 +857,6 @@ bpf_detachd_locked(struct bpf_d *d, bool detached_ifp) > /* Save bd_writer value */ > error = d->bd_writer; > ifp = bp->bif_ifp; > - d->bd_bif = NULL; > if (detached_ifp) { > /* > * Notify descriptor as it's detached, so that any > > Since every bpf_d holds a reference on bpf_if until delayed free happens, > the the bpf_if is going to be valid. > > This allows not to use epoch_wait and run fully async. The patch above is > a minimal patch: with NULL assignment removed, several more pieces of code > can be removed in bpf.c > > Of course your patch also is going to work, but what do you think: > are there any landmines with fully async approach? Hi, bpf_mtap() is not the only consumer of bd_bif, some of them expect it becomes NULL when descriptor is detached. -- WBR, Andrey V. Elsukov ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
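Review bot: removing `d->bd_bif = NULL;` from bpf_detachd_locked() keeps the bpf_if pointer valid for an in-flight bpf_mtap(), but bd_bif also serves as the "attached" marker: the catchpacket() check added in r348324 on this page (`if (d->bd_bif == NULL)`) and, per the reply, other consumers test it. With the assignment gone every such test has to move to a separate detached flag set under BPFD_LOCK, which is the alternative raised in the follow-up reply; the minimal patch on its own would turn those checks into dead code.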
svn commit: r348324 - head/sys/net
Author: ae Date: Tue May 28 11:45:00 2019 New Revision: 348324 URL: https://svnweb.freebsd.org/changeset/base/348324 Log: Rework r348303 to reduce the time of holding global BPF lock. It appeared that using NET_EPOCH_WAIT() while holding global BPF lock can lead to another panic: spin lock 0xf800183c9840 (turnstile lock) held by 0xf80018e2c5a0 (tid 100325) too long panic: spin lock held too long ... #0 sched_switch (td=0xf80018e2c5a0, newtd=0xf8000389e000, flags=) at /usr/src/sys/kern/sched_ule.c:2133 #1 0x80bf9912 in mi_switch (flags=256, newtd=0x0) at /usr/src/sys/kern/kern_synch.c:439 #2 0x80c21db7 in sched_bind (td=, cpu=) at /usr/src/sys/kern/sched_ule.c:2704 #3 0x80c34c33 in epoch_block_handler_preempt (global=, cr=0xfe5a1a00, arg=) at /usr/src/sys/kern/subr_epoch.c:394 #4 0x803c741b in epoch_block (global=, cr=, cb=, ct=) at /usr/src/sys/contrib/ck/src/ck_epoch.c:416 #5 ck_epoch_synchronize_wait (global=0xf8000380cd80, cb=, ct=) at /usr/src/sys/contrib/ck/src/ck_epoch.c:465 #6 0x80c3475e in epoch_wait_preempt (epoch=0xf8000380cd80) at /usr/src/sys/kern/subr_epoch.c:513 #7 0x80ce970b in bpf_detachd_locked (d=0xf801d309cc00, detached_ifp=) at /usr/src/sys/net/bpf.c:856 #8 0x80ced166 in bpf_detachd (d=) at /usr/src/sys/net/bpf.c:836 #9 bpf_dtor (data=0xf801d309cc00) at /usr/src/sys/net/bpf.c:914 To fix this add the check to the catchpacket() that BPF descriptor was not detached just before we acquired BPFD_LOCK(). Reported by: slavash Tested by:slavash MFC after:1 week Modified: head/sys/net/bpf.c Modified: head/sys/net/bpf.c == --- head/sys/net/bpf.c Tue May 28 10:55:59 2019(r348323) +++ head/sys/net/bpf.c Tue May 28 11:45:00 2019(r348324) 
@@ -850,15 +850,10 @@ bpf_detachd_locked(struct bpf_d *d, bool detached_ifp) /* Check if descriptor is attached */ if ((bp = d->bd_bif) == NULL) return; - /* -* Remove d from the interface's descriptor list. -* And wait until bpf_[m]tap*() will finish their possible work -* with descriptor. -*/ - CK_LIST_REMOVE(d, bd_next); - NET_EPOCH_WAIT(); BPFD_LOCK(d); + /* Remove d from the interface's descriptor list. */ + CK_LIST_REMOVE(d, bd_next); /* Save bd_writer value */ error = d->bd_writer; ifp = bp->bif_ifp; @@ -2494,6 +2489,11 @@ catchpacket(struct bpf_d *d, u_char *pkt, u_int pktlen int tstype; BPFD_LOCK_ASSERT(d); + if (d->bd_bif == NULL) { + /* Descriptor was detached in concurrent thread */ + counter_u64_add(d->bd_dcount, 1); + return; + } /* * Detect whether user space has released a buffer back to us, and if ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
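Review bot: in the bpf_detachd_locked() hunk, moving `CK_LIST_REMOVE(d, bd_next);` under BPFD_LOCK and dropping NET_EPOCH_WAIT() means a concurrent bpf_mtap() walking the list inside its epoch section can still reach `d` after removal; correctness now depends on `d->bd_bif` being cleared under the same BPFD_LOCK before it is released (that assignment is outside this hunk). Add a comment here stating that invariant and its pairing with the catchpacket() check, so the two halves are not changed independently.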
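Review bot: in the catchpacket() hunk, counting the packet in `bd_dcount` when `bd_bif == NULL` reports it as dropped, which is reasonable, but since the descriptor is being torn down the count will not be read; a comment saying the increment only keeps the accounting consistent would stop a reader from looking for a consumer. The comment "Descriptor was detached in concurrent thread" wants an article: "in a concurrent thread".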
svn commit: r348303 - head/sys/net
Author: ae Date: Mon May 27 12:41:41 2019 New Revision: 348303 URL: https://svnweb.freebsd.org/changeset/base/348303 Log: Fix possible NULL pointer dereference. bpf_mtap() can invoke catchpacket() for already detached descriptor. And this can lead to NULL pointer dereference, since bd_bif pointer was reset to NULL in bpf_detachd_locked(). To avoid this, use NET_EPOCH_WAIT() when descriptor is removed from interface's descriptors list. After the wait it is safe to modify descriptor's content. Submitted by: kib Reported by: slavash MFC after:1 week Modified: head/sys/net/bpf.c Modified: head/sys/net/bpf.c == --- head/sys/net/bpf.c Mon May 27 06:37:23 2019(r348302) +++ head/sys/net/bpf.c Mon May 27 12:41:41 2019(r348303) @@ -850,10 +850,15 @@ bpf_detachd_locked(struct bpf_d *d, bool detached_ifp) /* Check if descriptor is attached */ if ((bp = d->bd_bif) == NULL) return; + /* +* Remove d from the interface's descriptor list. +* And wait until bpf_[m]tap*() will finish their possible work +* with descriptor. +*/ + CK_LIST_REMOVE(d, bd_next); + NET_EPOCH_WAIT(); BPFD_LOCK(d); - /* Remove d from the interface's descriptor list. */ - CK_LIST_REMOVE(d, bd_next); /* Save bd_writer value */ error = d->bd_writer; ifp = bp->bif_ifp; ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
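Review bot: NET_EPOCH_WAIT() is invoked from bpf_detachd_locked(), i.e. with the global BPF lock held, and it can block until every current epoch section has exited; any other thread waiting on that lock stalls for the whole wait, and the follow-up r348324 on this page reports a "spin lock held too long" panic from exactly this path. Prefer removing the descriptor from the list and clearing bd_bif under BPFD_LOCK and having the tap path detect a detached descriptor, or defer the free with an epoch callback, rather than waiting synchronously under a lock.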
svn commit: r348301 - head/sbin/ipfw
Author: ae Date: Mon May 27 06:34:36 2019 New Revision: 348301 URL: https://svnweb.freebsd.org/changeset/base/348301 Log: Remove unused token that was added in r348235. MFC after:2 weeks Modified: head/sbin/ipfw/ipfw2.h Modified: head/sbin/ipfw/ipfw2.h == --- head/sbin/ipfw/ipfw2.h Mon May 27 06:22:43 2019(r348300) +++ head/sbin/ipfw/ipfw2.h Mon May 27 06:34:36 2019(r348301) @@ -266,7 +266,6 @@ enum tokens { TOK_OLIST, TOK_MISSING, TOK_ORFLUSH, - TOK_OPTIONAL, /* NAT64 tokens */ TOK_NAT64STL, ___ svn-src-head@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-head To unsubscribe, send any mail to "svn-src-head-unsubscr...@freebsd.org"
svn commit: r348236 - head/sys/netinet6
Author: ae Date: Fri May 24 11:45:32 2019 New Revision: 348236 URL: https://svnweb.freebsd.org/changeset/base/348236 Log: Restore IPV6_NEXTHOP option support that seems to have been partially broken since r286195. Do not forget the results of the route lookup and initialize the rt and ifp pointers. PR: 238098 Submitted by: Masse Nicolas MFC after:1 week Modified: head/sys/netinet6/in6_src.c Modified: head/sys/netinet6/in6_src.c == --- head/sys/netinet6/in6_src.c Fri May 24 11:06:24 2019(r348235) +++ head/sys/netinet6/in6_src.c Fri May 24 11:45:32 2019(r348236) @@ -724,6 +724,10 @@ selectroute(struct sockaddr_in6 *dstsock, struct ip6_p if (ron->ro_rt == NULL || (ron->ro_rt->rt_flags & RTF_GATEWAY) != 0) error = EHOSTUNREACH; + else { + rt = ron->ro_rt; + ifp = rt->rt_ifp; + } goto done; }
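Review bot: the new else branch sets rt and ifp only on the success path; in the EHOSTUNREACH branch above it they keep whatever value they had before, and both paths then goto done, so confirm that done: does not hand stale rt/ifp values back to the caller when error is set. A regression test for IPV6_NEXTHOP under tests/sys/netinet6 would also be worthwhile, given that the option has been silently broken since r286195 without anyone noticing.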
svn commit: r348235 - head/sbin/ipfw
Author: ae Date: Fri May 24 11:06:24 2019 New Revision: 348235 URL: https://svnweb.freebsd.org/changeset/base/348235 Log: Add `missing` and `or-flush` options to the "ipfw table create" command to simplify firewall reloading. The `missing` option suppresses the EEXIST error code, but does check that the existing table has the same parameters as the new one. The `or-flush` option implies the `missing` option and additionally flushes the table if it already exists. Submitted by: lev MFC after:2 weeks Differential Revision:https://reviews.freebsd.org/D18339 Modified: head/sbin/ipfw/ipfw.8 head/sbin/ipfw/ipfw2.h head/sbin/ipfw/tables.c Modified: head/sbin/ipfw/ipfw.8 == --- head/sbin/ipfw/ipfw.8 Fri May 24 09:01:54 2019(r348234) +++ head/sbin/ipfw/ipfw.8 Fri May 24 11:06:24 2019(r348235) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd April 21, 2019 +.Dd May 24, 2019 .Dt IPFW 8 .Os .Sh NAME @@ -2138,7 +2138,7 @@ The following creation options are supported: .Bl -tag -width indent .It Ar create-options : Ar create-option | create-options .It Ar create-option : Cm type Ar table-type | Cm valtype Ar value-mask | Cm algo Ar algo-desc | -.Cm limit Ar number | Cm locked +.Cm limit Ar number | Cm locked | Cm missing | Cm or-flush .It Cm type Table key type. .It Cm valtype @@ -2149,6 +2149,13 @@ Table algorithm to use (see below). Maximum number of items that may be inserted into table. .It Cm locked Restrict any table modifications. +.It Cm missing +Do not fail if table already exists and has exactly same options as new one. +.It Cm or-flush +Flush existing table with same name instead of returning error. +Implies +.Cm missing +so existing table must be compatible with new one. .El .Pp Some of these options may be modified later via Modified: head/sbin/ipfw/ipfw2.h == --- head/sbin/ipfw/ipfw2.h Fri May 24 09:01:54 2019(r348234) +++ head/sbin/ipfw/ipfw2.h Fri May 24 11:06:24 2019(r348235)
@@ -264,6 +264,9 @@ enum tokens { TOK_UNLOCK, TOK_VLIST, TOK_OLIST, + TOK_MISSING, + TOK_ORFLUSH, + TOK_OPTIONAL, /* NAT64 tokens */ TOK_NAT64STL, Modified: head/sbin/ipfw/tables.c == --- head/sbin/ipfw/tables.c Fri May 24 09:01:54 2019(r348234) +++ head/sbin/ipfw/tables.c Fri May 24 11:06:24 2019(r348235) @@ -327,6 +327,8 @@ static struct _s_x tablenewcmds[] = { { "algo",TOK_ALGO }, { "limit", TOK_LIMIT }, { "locked", TOK_LOCK }, + { "missing", TOK_MISSING }, + { "or-flush",TOK_ORFLUSH }, { NULL, 0 } }; @@ -389,19 +391,19 @@ table_print_type(char *tbuf, size_t size, uint8_t type * Creates new table * * ipfw table NAME create [ type { addr | iface | number | flow } ] - * [ algo algoname ] + * [ algo algoname ] [missing] [or-flush] */ static void table_create(ipfw_obj_header *oh, int ac, char *av[]) { - ipfw_xtable_info xi; - int error, tcmd, val; + ipfw_xtable_info xi, xie; + int error, missing, orflush, tcmd, val; uint32_t fset, fclear; char *e, *p; char tbuf[128]; + missing = orflush = 0; memset(, 0, sizeof(xi)); - while (ac > 0) { tcmd = get_token(tablenewcmds, *av, "option"); ac--; av++; @@ -457,6 +459,12 @@ table_create(ipfw_obj_header *oh, int ac, char *av[]) case TOK_LOCK: xi.flags |= IPFW_TGFLAGS_LOCKED; break; + case TOK_ORFLUSH: + orflush = 1; + /* FALLTHROUGH */ + case TOK_MISSING: + missing = 1; + break; } } 
@@ -466,8 +474,28 @@ table_create(ipfw_obj_header *oh, int ac, char *av[]) if (xi.vmask == 0) xi.vmask = IPFW_VTYPE_LEGACY; - if ((error = table_do_create(oh, )) != 0) + error = table_do_create(oh, ); + + if (error == 0) + return; + + if (errno != EEXIST || missing == 0) err(EX_OSERR, "Table creation failed"); + + /* Check that existing table is the same we are trying to create */ + if (table_get_info(oh, ) != 0) + err(EX_OSERR, "Existing table check failed"); + + if (xi.limit != xie.limit || xi.type != xie.type || + xi.tflags != xie.tflags || xi.vmask != xie.vmask || ( + xi.algoname[0] != '\0' && strcmp(xi.algoname, + xie.algoname) != 0) || xi.flags != xie.flags) + errx(EX_DATAERR, "The existing table is not compatible " + "with one you are
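Review bot: the ipfw.8 hunk reads "has exactly same options as new one" and "Flush existing table with same name instead of returning error"; both want articles ("exactly the same options as the new one", "the existing table with the same name instead of returning an error"). It would also help to spell out what "compatible" means for or-flush, since the check in tables.c compares type, valtype, limit, the locked flag and, when given, algo, which is stricter than the one-line description suggests.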
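Review bot: TOK_OPTIONAL is added to enum tokens in the ipfw2.h hunk, but no other hunk in this commit references it (tablenewcmds only maps "missing" and "or-flush"); either use it or drop it. r348301, shown earlier on this page, removes it again.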
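Review bot: in the tables.c compatibility check, `xi.flags != xie.flags` compares the whole flags word, so any flag bit the kernel reports in ipfw_xtable_info that cannot be set from this command line will make an otherwise identical existing table "not compatible"; comparing only the user-settable bits (IPFW_TGFLAGS_LOCKED here) would be safer. Also, `if (errno != EEXIST || missing == 0)` relies on errno surviving the return from table_do_create(); capturing errno right after the call, or a comment that the helper preserves it, would keep a later cleanup call added to that helper from silently breaking the `missing` path.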
svn commit: r347563 - head/sys/kern
Author: ae Date: Tue May 14 10:21:28 2019 New Revision: 347563 URL: https://svnweb.freebsd.org/changeset/base/347563 Log: Remove bpf interface lock, it no longer exists. Modified: head/sys/kern/subr_witness.c Modified: head/sys/kern/subr_witness.c == --- head/sys/kern/subr_witness.cTue May 14 04:34:58 2019 (r347562) +++ head/sys/kern/subr_witness.cTue May 14 10:21:28 2019 (r347563) @@ -576,7 +576,6 @@ static struct witness_order_list_entry order_lists[] = * BPF */ { "bpf global lock", _class_sx }, - { "bpf interface lock", _class_rw }, { "bpf cdev lock", _class_mtx_sleep }, { NULL, NULL }, /*
svn commit: r347527 - head/sys/net
Author: ae Date: Mon May 13 14:07:02 2019 New Revision: 347527 URL: https://svnweb.freebsd.org/changeset/base/347527 Log: Do not leak memory used for binary filter. Modified: head/sys/net/bpf.c Modified: head/sys/net/bpf.c == --- head/sys/net/bpf.c Mon May 13 13:45:28 2019(r347526) +++ head/sys/net/bpf.c Mon May 13 14:07:02 2019(r347527) @@ -2628,11 +2628,17 @@ bpfd_free(epoch_context_t ctx) if (d->bd_rfilter != NULL) { p = __containerof((void *)d->bd_rfilter, struct bpf_program_buffer, buffer); +#ifdef BPF_JITTER + p->func = d->bd_bfilter; +#endif bpf_program_buffer_free(>epoch_ctx); } if (d->bd_wfilter != NULL) { p = __containerof((void *)d->bd_wfilter, struct bpf_program_buffer, buffer); +#ifdef BPF_JITTER + p->func = NULL; +#endif bpf_program_buffer_free(>epoch_ctx); }
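Review bot: the write-filter branch sets p->func = NULL while the read-filter branch hands over d->bd_bfilter, so the two blocks look asymmetric; if the reason is that the write filter is never JIT-compiled, a one-line comment would save the next reader from suspecting a leak of a jitted write program symmetrical to the one this commit fixes.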
svn commit: r347526 - head/sys/net
Author: ae Date: Mon May 13 13:45:28 2019 New Revision: 347526 URL: https://svnweb.freebsd.org/changeset/base/347526 Log: Rework locking in BPF code to remove rwlock from fast path. At high packet rates, contention on the rwlock in the bpf_*tap*() functions can lead to packet drops. To avoid this, migrate this code to use the epoch(9) KPI and ConcurrencyKit's lists.
* all lists changed to use CK_LIST;
* reference counting added to bpf_if and bpf_d;
* now bpf_if references ifnet and releases this reference on destroy;
* each bpf_d descriptor references bpf_if when it is attached;
* new struct bpf_program_buffer introduced to keep BPF filter programs;
* bpf_program_buffer, bpf_d and bpf_if structures are freed by epoch_call();
* bpf_freelist and the ifnet_departure event are no longer needed, thus both are removed;
Reviewed by: melifaro Sponsored by: Yandex LLC Differential Revision:https://reviews.freebsd.org/D20224 Modified: head/sys/net/bpf.c head/sys/net/bpf.h head/sys/net/bpfdesc.h Modified: head/sys/net/bpf.c == --- head/sys/net/bpf.c Mon May 13 13:30:34 2019(r347525) +++ head/sys/net/bpf.c Mon May 13 13:45:28 2019(r347526) @@ -3,6 +3,7 @@ * * Copyright (c) 1990, 1991, 1993 * The Regents of the University of California. All rights reserved. + * Copyright (c) 2019 Andrey V. Elsukov * * This code is derived from the Stanford/CMU enet packet filter, * (net/enet.c) distributed as part of 4.3BSD, and code contributed @@ -46,7 +47,6 @@ __FBSDID("$FreeBSD$"); #include #include #include -#include #include #include #include @@ -99,7 +99,7 @@ __FBSDID("$FreeBSD$"); MALLOC_DEFINE(M_BPF, "BPF", "BPF data"); static struct bpf_if_ext dead_bpf_if = { - .bif_dlist = LIST_HEAD_INITIALIZER() + .bif_dlist = CK_LIST_HEAD_INITIALIZER() }; struct bpf_if {
@@ -108,19 +108,22 @@ struct bpf_if { struct bpf_if_ext bif_ext; /* public members */ u_int bif_dlt;/* link layer type */ u_int bif_hdrlen; /* length of link header */ + struct bpfd_list bif_wlist; /* writer-only list */ struct ifnet*bif_ifp; /* corresponding interface */ - struct rwlock bif_lock; /* interface lock */ - LIST_HEAD(, bpf_d) bif_wlist; /* writer-only list */ - int bif_flags; /* Interface flags */ struct bpf_if **bif_bpf; /* Pointer to pointer to us */ + volatile u_int bif_refcnt; + struct epoch_context epoch_ctx; }; CTASSERT(offsetof(struct bpf_if, bif_ext) == 0); -#define BPFIF_RLOCK(bif) rw_rlock(&(bif)->bif_lock) -#define BPFIF_RUNLOCK(bif) rw_runlock(&(bif)->bif_lock) -#define BPFIF_WLOCK(bif) rw_wlock(&(bif)->bif_lock) -#define BPFIF_WUNLOCK(bif) rw_wunlock(&(bif)->bif_lock) +struct bpf_program_buffer { + struct epoch_contextepoch_ctx; +#ifdef BPF_JITTER + bpf_jit_filter *func; +#endif + void*buffer[0]; +}; #if defined(DEV_BPF) || defined(NETGRAPH_BPF) 
@@ -173,18 +176,24 @@ struct bpf_dltlist32 { #define BPF_LOCK_ASSERT() sx_assert(_sx, SA_XLOCKED) /* * bpf_iflist is a list of BPF interface structures, each corresponding to a - * specific DLT. The same network interface might have several BPF interface + * specific DLT. The same network interface might have several BPF interface * structures registered by different layers in the stack (i.e., 802.11 * frames, ethernet frames, etc). */ -static LIST_HEAD(, bpf_if) bpf_iflist, bpf_freelist; +CK_LIST_HEAD(bpf_iflist, bpf_if); +static struct bpf_iflist bpf_iflist; static struct sx bpf_sx; /* bpf global lock */ static int bpf_bpfd_cnt; +static voidbpfif_ref(struct bpf_if *); +static voidbpfif_rele(struct bpf_if *); + +static voidbpfd_ref(struct bpf_d *); +static voidbpfd_rele(struct bpf_d *); static voidbpf_attachd(struct bpf_d *, struct bpf_if *); static voidbpf_detachd(struct bpf_d *); -static voidbpf_detachd_locked(struct bpf_d *); -static voidbpf_freed(struct bpf_d *); +static voidbpf_detachd_locked(struct bpf_d *, bool); +static voidbpfd_free(epoch_context_t); static int bpf_movein(struct uio *, int, struct ifnet *, struct mbuf **, struct sockaddr *, int *, struct bpf_d *); static int bpf_setif(struct bpf_d *, struct ifreq *); @@ -243,37 +252,106 @@ static struct filterops bpfread_filtops = { .f_event = filt_bpfread, }; -eventhandler_tag bpf_ifdetach_cookie = NULL; - /* - * LOCKING MODEL USED BY BPF: + * LOCKING MODEL USED BY BPF + * * Locks: - * 1) global lock (BPF_LOCK). Mutex, used to protect interface addition/removal, - * some global counters and every b
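Review bot: in the struct bpf_if hunk, `volatile u_int bif_refcnt;` gives no atomicity by itself; make sure every update goes through refcount_acquire()/refcount_release() from refcount(9) (the new bpfif_ref/bpfif_rele and bpfd_ref/bpfd_rele prototypes suggest it does) and consider dropping volatile, which refcount(9) does not need. In the same hunk, struct bpf_program_buffer ends with `void *buffer[0];`, a GNU zero-length array; the C99 flexible array member `void *buffer[];` says the same thing portably and keeps sizeof() arithmetic on the struct honest.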
svn commit: r347519 - head/sys/modules/ipsec
Author: ae Date: Mon May 13 08:34:13 2019 New Revision: 347519 URL: https://svnweb.freebsd.org/changeset/base/347519 Log: Revert r347402. After r347429 the symlink is no longer needed. Modified: head/sys/modules/ipsec/Makefile Modified: head/sys/modules/ipsec/Makefile == --- head/sys/modules/ipsec/Makefile Mon May 13 08:29:28 2019 (r347518) +++ head/sys/modules/ipsec/Makefile Mon May 13 08:34:13 2019 (r347519) @@ -7,7 +7,6 @@ SRCS= if_ipsec.c ipsec.c ipsec_input.c ipsec_mbuf.c ip ipsec_output.c xform_ah.c xform_esp.c xform_ipcomp.c \ opt_inet.h opt_inet6.h opt_ipsec.h opt_sctp.h SRCS.INET= udpencap.c -SYMLINKS= ${KMOD}.ko ${KMODDIR}/if_${KMOD}.ko opt_ipsec.h: @echo "#define IPSEC_SUPPORT 1" > ${.TARGET}
Re: svn commit: r347410 - in head: . sys/amd64/conf sys/arm/conf sys/arm64/conf sys/i386/conf sys/powerpc/conf sys/riscv/conf sys/sparc64/conf
On 10.05.2019 21:39, Alexey Dokuchaev wrote: >> The second cause -- reduce overhead that IPSEC produces even when it >> is not used. > > So does it mean that if I don't plan to use IPSEC, I can safely remove > IPSEC_SUPPORT from my config and also get slight performance boost?

Yes, currently each call to IPsec has a check like `if (ipsec_enabled) {...}`. When you build the kernel without IPSEC/IPSEC_SUPPORT, this check will be removed too, which can add some performance boost :-) -- WBR, Andrey V. Elsukov
Re: svn commit: r347410 - in head: . sys/amd64/conf sys/arm/conf sys/arm64/conf sys/i386/conf sys/powerpc/conf sys/riscv/conf sys/sparc64/conf
On 10.05.2019 18:31, Andrew Gallatin wrote: > On 2019-05-10 08:44, Slawa Olhovchenkov wrote: > >> pf have ifdef for IPSEC, but don't have support IPSEC_SUPPORT >> (netpfil/pf/if_pfsync.c). >> > > Thanks for pointing this out. It seems like IPSEC_SUPPORT would work > for this. I've made a patch, and it compiles and the pf module loads. > However, I have no knowledge of how to test it. Is this something > that you use, and which you can test? >

I think you need to include opt_ipsec.h to have a chance to compile it. But as Kristof said, it won't work. -- WBR, Andrey V. Elsukov
Re: svn commit: r347410 - in head: . sys/amd64/conf sys/arm/conf sys/arm64/conf sys/i386/conf sys/powerpc/conf sys/riscv/conf sys/sparc64/conf
On 10.05.2019 11:46, Alexey Dokuchaev wrote: > On Thu, May 09, 2019 at 10:38:15PM +, Andrew Gallatin wrote: >> Author: gallatin >> Date: Thu May 9 22:38:15 2019 >> New Revision: 347410 >> URL: https://svnweb.freebsd.org/changeset/base/347410 >> >> Log: >> Remove IPSEC from GENERIC due to performance issues >> >> @@ -30,7 +30,6 @@ optionsPREEMPTION # Enable ... >> options VIMAGE # Subsystem virtualization, e.g. VNET >> options INET# InterNETworking >> options INET6 # IPv6 communications protocols >> -options IPSEC # IP (v4/v6) security >> options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5 > > I've asked this question some two years ago, but no one could answer it > back then, so I'll try again. > > What is the reason behind having IPSEC_SUPPORT option instead of no special > option at all? If I grep for SUPPORT in conf/GENERIC, I see things like > INVARIANT_SUPPORT or IEEE80211_SUPPORT_MESH (with meaningful explanations) > but IPSEC_SUPPORT which, per the comment, "allows to kldload of ipsec and > tcpmd5", is totally beyond me. Lots of kernel features are/can be loaded > as modules, but we don't have things like SOUND_SUPPORT or USB_SUPPORT.

IPSEC_SUPPORT builds the PF_KEY domain protocol into the kernel, which is required by the IPsec implementation to interact with userlevel. Currently the kernel does not support unregistering of protocol domains. This is mostly why the IPSEC_SUPPORT option was introduced. The second cause is to reduce the overhead that IPSEC produces even when it is not used. -- WBR, Andrey V. Elsukov
Re: svn commit: r347402 - head/sys/modules/ipsec
On 09.05.2019 22:13, Kyle Evans wrote: >> there is two IPsec related interfaces that have problem with automatic >> loading - if_enc and if_ipsec. So, if you add both to the mapping list, >> this will be useful. CAM enc driver has conflicting name and prevents to >> automatic loading of if_enc(4). It is probably always build in the >> kernel, but renaming it into "ses" may break some third-party device >> drivers. >> > > I think you want something like [0] to add both of these to the map > and stop ifconfig(8) from bailing on loading if_enc because 'enc' is > loaded. This is safe at least for the set of modules currently mapped. > > Thanks, > > Kyle Evans > > [0] https://people.freebsd.org/~kevans/ipsec.diff

It looks good to me. -- WBR, Andrey V. Elsukov
Re: svn commit: r347402 - head/sys/modules/ipsec
On 09.05.2019 21:36, Kyle Evans wrote: > Any chance the mechanism I introduced for ifconfig mapping ifname <-> > kld in r347241 would solve the same set of problems this would? > (unsure if there are any non-ifconfig(8) problems in consideration) If > we have more consumers of it than just vmnet (from a stable/ point of > view) then I'd be more than happy to MFC that separately from the rest > of the commit. >

Hi, there are two IPsec-related interfaces that have problems with automatic loading - if_enc and if_ipsec. So, if you add both to the mapping list, this will be useful. The CAM enc driver has a conflicting name and prevents automatic loading of if_enc(4). It is probably always built into the kernel, but renaming it into "ses" may break some third-party device drivers. -- WBR, Andrey V. Elsukov
svn commit: r347402 - head/sys/modules/ipsec
Author: ae Date: Thu May 9 18:06:11 2019 New Revision: 347402 URL: https://svnweb.freebsd.org/changeset/base/347402 Log: Add if_ipsec.ko symlink to ipsec.ko kernel module. This adds the ability to automatically load the ipsec kernel module when an if_ipsec(4) virtual interface is created using ifconfig(8). Reviewed by: gallatin MFC after:1 week Differential Revision:https://reviews.freebsd.org/D20169 Modified: head/sys/modules/ipsec/Makefile Modified: head/sys/modules/ipsec/Makefile == --- head/sys/modules/ipsec/Makefile Thu May 9 17:57:04 2019 (r347401) +++ head/sys/modules/ipsec/Makefile Thu May 9 18:06:11 2019 (r347402) @@ -7,6 +7,7 @@ SRCS= if_ipsec.c ipsec.c ipsec_input.c ipsec_mbuf.c ip ipsec_output.c xform_ah.c xform_esp.c xform_ipcomp.c \ opt_inet.h opt_inet6.h opt_ipsec.h opt_sctp.h SRCS.INET= udpencap.c +SYMLINKS= ${KMOD}.ko ${KMODDIR}/if_${KMOD}.ko opt_ipsec.h: @echo "#define IPSEC_SUPPORT 1" > ${.TARGET}
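Review bot: `SYMLINKS= ${KMOD}.ko ${KMODDIR}/if_${KMOD}.ko` installs a second name for the same object, so the module appears twice on disk and in any package manifest that lists the module directory. The ifname-to-kld mapping from r347241 that Kyle points to in the replies covers if_ipsec (and if_enc) without a duplicate file, which is why r347519 earlier on this page reverts this hunk.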
svn commit: r347383 - head/sys/netinet6
Author: ae Date: Thu May 9 07:57:33 2019 New Revision: 347383 URL: https://svnweb.freebsd.org/changeset/base/347383 Log: In mld_v2_cancel_link_timers() check the number of references and disconnect inm before releasing the last reference. This fixes possible panics and assertion failures. PR: 237329 Reviewed by: mmacy MFC after:2 weeks Modified: head/sys/netinet6/mld6.c Modified: head/sys/netinet6/mld6.c == --- head/sys/netinet6/mld6.cThu May 9 07:34:15 2019(r347382) +++ head/sys/netinet6/mld6.cThu May 9 07:57:33 2019(r347383) @@ -1708,6 +1708,8 @@ mld_v2_cancel_link_timers(struct mld_ifsoftc *mli) * version, we need to release the final * reference held for issuing the INCLUDE {}. */ + if (inm->in6m_refcount == 1) + in6m_disconnect_locked(, inm); in6m_rele_locked(, inm); /* FALLTHROUGH */ case MLD_G_QUERY_PENDING_MEMBER:
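Review bot: `if (inm->in6m_refcount == 1)` reads the refcount field directly and is only race-free because the caller holds the lock that stops another reference from being taken between the test and in6m_rele_locked(); extend the comment above ("we need to release the final reference...") to name that lock, and state the rule "disconnect before dropping the last reference" there, so the next caller of in6m_rele_locked() in this file does not have to rediscover why a plain release panics.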
svn commit: r347178 - head/libexec/rc/rc.d
Author: ae Date: Mon May 6 08:30:53 2019 New Revision: 347178 URL: https://svnweb.freebsd.org/changeset/base/347178 Log: Add ipsec.ko to required_modules for rc.d/ipsec script. Thus it can be automatically loaded if ipsec_enable="YES" and option IPSEC is not in the kernel config. MFC after:1 week Modified: head/libexec/rc/rc.d/ipsec Modified: head/libexec/rc/rc.d/ipsec == --- head/libexec/rc/rc.d/ipsec Mon May 6 03:39:25 2019(r347177) +++ head/libexec/rc/rc.d/ipsec Mon May 6 08:30:53 2019(r347178) @@ -20,6 +20,7 @@ stop_cmd="ipsec_stop" reload_cmd="ipsec_reload" extra_commands="reload" ipsec_program="/sbin/setkey" +required_modules="ipsec" # ipsec_file is set by rc.conf ipsec_prestart()
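Review bot: `required_modules="ipsec"` makes rc.d/ipsec stop at the module-load step on a kernel built with neither IPSEC nor IPSEC_SUPPORT, because the module needs the PF_KEY domain that IPSEC_SUPPORT builds in (as explained in the replies later on this page); that is the right outcome, but the user only sees a generic kldload failure, so a hint in the rc.conf(5) entry for ipsec_enable about the IPSEC_SUPPORT requirement would help.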
Re: svn commit: r341586 - head/sys/dev/mlx5/mlx5_en
On 30.04.2019 00:14, John Baldwin wrote: >> Yes, we were able to reproduce this issue in house. If you don't mind, I >> prefer to wait for John's update - where he eliminates the EAGAIN >> handling in the network drivers. > > I have rebased the branch for this, but for now it will just panic sooner > I believe by tripping an assertion. Can you grab the diff (or just the > branch) > from the 'send_tags' branch at github/bsdjhb/freebsd and reproduce under a > kernel with INVARIANTS? I think we will have to explicitly clear the 'rcvif' > pointer somewhere, but I want to see what the stack trace looks like so I can > think about the "right" place to clear it.

Hi, please note that rcvif is used by the firewall to track the inbound interface, and clearing it can be unexpected in some cases and can break firewall rules. -- WBR, Andrey V. Elsukov
svn commit: r346885 - head/sbin/ipfw
Author: ae Date: Mon Apr 29 09:52:53 2019 New Revision: 346885 URL: https://svnweb.freebsd.org/changeset/base/346885 Log: Handle the HAVE_PROTO flag and print the "proto" keyword for the O_IP4 and O_IP6 opcodes when it is needed. This should fix the problem where a rule printed by `ipfw show` could not be added due to a missing "proto" keyword. MFC after:2 weeks Modified: head/sbin/ipfw/ipfw2.c Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Mon Apr 29 09:33:16 2019(r346884) +++ head/sbin/ipfw/ipfw2.c Mon Apr 29 09:52:53 2019(r346885) @@ -1701,9 +1701,13 @@ print_instruction(struct buf_pr *bp, const struct form IPFW_TLV_STATE_NAME)); break; case O_IP6: + if (state->flags & HAVE_PROTO) + bprintf(bp, " proto"); bprintf(bp, " ip6"); break; case O_IP4: + if (state->flags & HAVE_PROTO) + bprintf(bp, " proto"); bprintf(bp, " ip4"); break; case O_ICMP6TYPE:
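Review bot: the two new `if (state->flags & HAVE_PROTO) bprintf(bp, " proto");` blocks are copies of each other; a small helper, or letting O_IP4 and O_IP6 share the prologue, keeps them from drifting apart when the next opcode needs the same treatment. A round-trip test in the sbin/ipfw test suite that feeds `ipfw show` output back into `ipfw add` would have caught this class of bug and would guard the fix.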
svn commit: r346884 - head/sys/netpfil/ipfw
Author: ae Date: Mon Apr 29 09:33:16 2019 New Revision: 346884 URL: https://svnweb.freebsd.org/changeset/base/346884 Log: Add IPv6 support for O_IPLEN opcode. Obtained from:Yandex LLC MFC after:1 week Sponsored by: Yandex LLC Modified: head/sys/netpfil/ipfw/ip_fw2.c Modified: head/sys/netpfil/ipfw/ip_fw2.c == --- head/sys/netpfil/ipfw/ip_fw2.c Mon Apr 29 05:35:52 2019 (r346883) +++ head/sys/netpfil/ipfw/ip_fw2.c Mon Apr 29 09:33:16 2019 (r346884) @@ -2191,9 +2191,11 @@ do { \ break; case O_IPID: - case O_IPLEN: case O_IPTTL: - if (is_ipv4) { /* only for IP packets */ + if (!is_ipv4) + break; + case O_IPLEN: + { /* only for IP packets */ uint16_t x; uint16_t *p; int i;
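Review bot: with `if (!is_ipv4) break;` now inside the O_IPID/O_IPTTL case and `case O_IPLEN:` directly below it, the drop into O_IPLEN is an intentional fallthrough; mark it with a `/* FALLTHROUGH */` comment so -Wimplicit-fallthrough and static analysers do not flag it and the next reader does not "fix" it by adding a break. The comment `/* only for IP packets */` that survives on the new opening brace is also stale now that the block runs for IPv6 too.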
svn commit: r346630 - in head: sbin/ifconfig share/man/man4 sys/modules/if_gre sys/net sys/netinet sys/netinet6
Author: ae Date: Wed Apr 24 09:05:45 2019 New Revision: 346630 URL: https://svnweb.freebsd.org/changeset/base/346630 Log: Add GRE-in-UDP encapsulation support as defined in RFC 8086. This GRE-in-UDP encapsulation allows the UDP source port field to be used as an entropy field for load-balancing of GRE traffic in transit networks. Also, most multiqueue network cards are able to distribute incoming UDP datagrams to different NIC queues, while very few are able to do this for GRE packets. When an administrator enables UDP encapsulation with the command `ifconfig gre0 udpencap`, the driver creates a kernel socket that binds to the tunnel source address and, after udp_set_kernel_tunneling(), starts receiving all UDP packets destined to port 4754. Each kernel socket maintains a list of tunnels with different destination addresses. Thus when several tunnels use the same source address, they are all handled by a single socket. The IP[V6]_BINDANY socket option is used to be able to bind the socket to the source address even if it is not yet available in the system. This may happen on system boot, when the gre(4) interface is created before the source address becomes available. The encapsulation and sending of packets is done directly from gre(4) into ip[6]_output() without using sockets. Reviewed by: eugen MFC after:1 month Relnotes: yes Differential Revision:https://reviews.freebsd.org/D19921 Modified: head/sbin/ifconfig/ifgre.c head/share/man/man4/gre.4 head/sys/modules/if_gre/Makefile head/sys/net/if_gre.c head/sys/net/if_gre.h head/sys/netinet/ip_gre.c head/sys/netinet6/ip6_gre.c Modified: head/sbin/ifconfig/ifgre.c == --- head/sbin/ifconfig/ifgre.c Wed Apr 24 06:41:52 2019(r346629) +++ head/sbin/ifconfig/ifgre.c Wed Apr 24 09:05:45 2019(r346630)
@@ -44,15 +44,16 @@ __FBSDID("$FreeBSD$"); #include "ifconfig.h" -#defineGREBITS "\020\01ENABLE_CSUM\02ENABLE_SEQ" +#defineGREBITS "\020\01ENABLE_CSUM\02ENABLE_SEQ\03UDPENCAP" static void gre_status(int s); static void gre_status(int s) { - uint32_t opts = 0; + uint32_t opts, port; + opts = 0; ifr.ifr_data = (caddr_t) if (ioctl(s, GREGKEY, ) == 0) if (opts != 0) @@ -60,6 +61,11 @@ gre_status(int s) opts = 0; if (ioctl(s, GREGOPTS, ) != 0 || opts == 0) return; + + port = 0; + ifr.ifr_data = (caddr_t) + if (ioctl(s, GREGPORT, ) == 0 && port != 0) + printf("\tudpport: %u\n", port); printb("\toptions", opts, GREBITS); putchar('\n'); } @@ -77,6 +83,18 @@ setifgrekey(const char *val, int dummy __unused, int s } static void +setifgreport(const char *val, int dummy __unused, int s, +const struct afswtch *afp) +{ + uint32_t udpport = strtol(val, NULL, 0); + + strlcpy(ifr.ifr_name, name, sizeof (ifr.ifr_name)); + ifr.ifr_data = (caddr_t) + if (ioctl(s, GRESPORT, (caddr_t)) < 0) + warn("ioctl (set udpport)"); +} + +static void setifgreopts(const char *val, int d, int s, const struct afswtch *afp) { uint32_t opts; @@ -101,10 +119,13 @@ setifgreopts(const char *val, int d, int s, const stru static struct cmd gre_cmds[] = { DEF_CMD_ARG("grekey", setifgrekey), + DEF_CMD_ARG("udpport", setifgreport), DEF_CMD("enable_csum", GRE_ENABLE_CSUM, setifgreopts), DEF_CMD("-enable_csum",-GRE_ENABLE_CSUM,setifgreopts), DEF_CMD("enable_seq", GRE_ENABLE_SEQ, setifgreopts), DEF_CMD("-enable_seq",-GRE_ENABLE_SEQ, setifgreopts), + DEF_CMD("udpencap", GRE_UDPENCAP, setifgreopts), + DEF_CMD("-udpencap",-GRE_UDPENCAP, setifgreopts), }; static struct afswtch af_gre = { .af_name= "af_gre", Modified: head/share/man/man4/gre.4 == --- head/share/man/man4/gre.4 Wed Apr 24 06:41:52 2019(r346629) +++ head/share/man/man4/gre.4 Wed Apr 24 09:05:45 2019(r346630) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd June 2, 2015 +.Dd April 24, 2019 .Dt GRE 4 .Os .Sh NAME 
@@ -89,7 +89,45 @@ A value of 0 disables the key option. Enables checksum calculation for outgoing packets. .It Ar enable_seq Enables use of sequence number field in the GRE header for outgoing packets. +.It Ar udpencap +Enables UDP-in-GRE encapsulation (see the +.Sx GRE-IN-UDP ENCAPSULATION +Section below for details). +.It Ar udpport +Set the source UDP port for outgoing packets. +A value of 0 disables the persistence of source UDP port for outgoing packets. +See the +.Sx GRE-IN-UDP ENCAPSULATION +Section below for details. .El +.Sh GRE-IN-UDP ENCAPSULATION +The +.Nm +supports GRE in UDP encapsulation as defined in RFC 8086. +A GRE in UDP tunnel offers the possibility of
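Review bot: setifgreport() in the ifgre.c hunk does `uint32_t udpport = strtol(val, NULL, 0);` and hands the result straight to GRESPORT, so a typo, a negative number or a value above 65535 is silently converted and sent to the kernel instead of being reported; parse with an end pointer, errx() on trailing garbage or anything outside 0..65535 (0 is documented as disabling port persistence), and leave the kernel's check as the second line of defence.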
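Review bot: the gre.4 hunk says "Enables UDP-in-GRE encapsulation" under udpencap, but the feature, the section title two lines below and the log message are all GRE-in-UDP; fix the inversion before it gets copied into other documentation.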
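The framing the log above describes, as an added example that is not gre(4)'s code and does not touch the kernel socket machinery the log mentions: it builds a GRE-in-UDP packet whose UDP source port is derived from the inner flow, and parses one back, checking the UDP length, the RFC 8086 destination port, the GRE version and reserved bits and the GRE checksum before the key is trusted. The flow hash, the source-port range, the constant names and the sample flow and payload are this example's own choices, not RFC or gre(4) requirements; the UDP checksum is left zero because the IP pseudo-header is outside the example.

```c
#include <stdint.h>
#include <string.h>

#define GRE_UDP_PORT	4754	/* RFC 8086 destination port, as in the log above */
#define GRE_CP		0x8000	/* C: checksum present (RFC 2784) */
#define GRE_KP		0x2000	/* K: key present (RFC 2890) */
#define GRE_VERS	0x0007	/* version field; must be 0 for plain GRE */
#define GRE_BADBITS	0x4c00	/* RFC 2784 bits 1, 4, 5: receiver must discard if set */
#define UDP_HDRLEN	8

/* flags: GRE_CP and/or GRE_KP; proto: 0x0800 for an inner IPv4 packet */
struct gre_opts { uint16_t flags, proto; uint32_t key; };

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static void put32(uint8_t *p, uint32_t v) { put16(p, v >> 16); put16(p + 2, v & 0xffff); }
static uint16_t get16(const uint8_t *p) { return ((uint16_t)(p[0] << 8 | p[1])); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16 | get16(p + 2)); }
static size_t gre_hdrlen(uint16_t f) { return (4 + 4 * (!!(f & GRE_CP) + !!(f & GRE_KP))); }

/* Internet (ones' complement) checksum; yields 0 when run over a correct block. */
static uint16_t in_cksum(const uint8_t *b, size_t n)
{
	uint32_t s = 0;
	for (; n > 1; b += 2, n -= 2) s += get16(b);
	if (n == 1) s += (uint32_t)b[0] << 8;
	while (s >> 16) s = (s & 0xffff) + (s >> 16);
	return ((uint16_t)~s);
}

/* Entropy source port: a stable FNV-1a hash of the inner flow id, so one flow keeps one port
 * and RSS/LACP hashing keeps it on one queue.  Hash and 49152..65535 range are this example's. */
static uint16_t entropy_port(const uint8_t *id, size_t n)
{
	uint32_t h = 2166136261u;
	while (n-- > 0) h = (h ^ *id++) * 16777619u;
	return ((uint16_t)(49152 + h % 16384));
}

/* Write UDP header + GRE header + payload into out; returns total length or -1. */
static int gre_udp_encap(uint8_t *out, size_t outsz, uint16_t sport,
    const struct gre_opts *o, const uint8_t *payload, size_t plen)
{
	size_t grelen = gre_hdrlen(o->flags), total = UDP_HDRLEN + grelen + plen;
	uint8_t *gre = out + UDP_HDRLEN, *p = gre + 4;
	if ((o->flags & ~(GRE_CP | GRE_KP)) != 0 || total > outsz || total > 0xffff)
		return (-1);
	put16(out, sport); put16(out + 2, GRE_UDP_PORT); put16(out + 4, (uint16_t)total);
	put16(out + 6, 0);	/* UDP checksum needs the IP pseudo-header; 0 = none over IPv4 */
	put16(gre, o->flags); put16(gre + 2, o->proto);
	if (o->flags & GRE_CP) { put32(p, 0); p += 4; }	/* checksum + reserved1, filled below */
	if (o->flags & GRE_KP) { put32(p, o->key); p += 4; }
	memcpy(p, payload, plen);
	if (o->flags & GRE_CP)	/* covers the GRE header and the payload */
		put16(gre + 4, in_cksum(gre, grelen + plen));
	return ((int)total);
}

/* Parse and validate; returns the payload offset into pkt, or -1 if any check fails. */
static int gre_udp_decap(const uint8_t *pkt, size_t len, struct gre_opts *o, size_t *plen)
{
	const uint8_t *gre = pkt + UDP_HDRLEN, *p = gre + 4;
	size_t grelen;
	if (len < UDP_HDRLEN + 4 || get16(pkt + 2) != GRE_UDP_PORT || (size_t)get16(pkt + 4) != len)
		return (-1);
	memset(o, 0, sizeof(*o));
	o->flags = get16(gre); o->proto = get16(gre + 2);
	grelen = gre_hdrlen(o->flags);
	if ((o->flags & (GRE_VERS | GRE_BADBITS)) != 0 || grelen > len - UDP_HDRLEN)
		return (-1);
	if (o->flags & GRE_CP) {	/* verify the checksum before any optional field is trusted */
		if (in_cksum(gre, len - UDP_HDRLEN) != 0)
			return (-1);
		p += 4;
	}
	if (o->flags & GRE_KP) o->key = get32(p);
	*plen = len - UDP_HDRLEN - grelen;
	return ((int)(UDP_HDRLEN + grelen));
}

/* Constructed sample input (not captured traffic): a made-up inner flow id and payload. */
static const uint8_t sample_flow[] = { 10, 0, 0, 1, 192, 168, 0, 1, 6, 0x1f, 0x90, 0xc0, 0x00 };
static const uint8_t sample_payload[] = "inner packet bytes";

/* 1 if a keyed, checksummed packet round-trips and both tamperings below are rejected. */
static int selftest(void)
{
	struct gre_opts want = { GRE_CP | GRE_KP, 0x0800, 0x1234abcd }, got;
	uint8_t pkt[128]; size_t plen;
	int n = gre_udp_encap(pkt, sizeof(pkt), entropy_port(sample_flow, sizeof(sample_flow)),
	    &want, sample_payload, sizeof(sample_payload));
	int off = n < 0 ? -1 : gre_udp_decap(pkt, (size_t)n, &got, &plen);
	if (off != UDP_HDRLEN + 12 || got.key != want.key || got.proto != want.proto ||
	    plen != sizeof(sample_payload) || memcmp(pkt + off, sample_payload, plen) != 0)
		return (0);
	pkt[n - 1] ^= 0x01;	/* flipped payload byte: checksum must fail */
	if (gre_udp_decap(pkt, (size_t)n, &got, &plen) != -1)
		return (0);
	pkt[n - 1] ^= 0x01; pkt[UDP_HDRLEN + 1] |= 0x01;	/* GRE version 1 (PPTP): must be rejected */
	return (gre_udp_decap(pkt, (size_t)n, &got, &plen) == -1);
}
```

The order in gre_udp_decap() is the point: length, port and flag checks first, then the checksum over the whole GRE part, and only then the optional fields; selftest() flips a payload bit and sets the version to show both rejections.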
Re: svn commit: r341586 - head/sys/dev/mlx5/mlx5_en
On 16.04.2019 18:26, Slava Shwartsman wrote: > Thanks for letting us know about this regression. > I would like to try to reproduce this issue in house. > > Can you please share the exact steps to reproduce it? > - Can I reproduce the issue with B2B setup? > - What is the route command you used to make the route between the VLANs? > - What app are you using to generate the traffic? >

I think this can be reproduced on a simple router, where a single mce(4) interface is used as parent for several vlan(4) interfaces. E.g.

[host1] vlan100 <--> mce0.100 [gateway] mce0.200 <--> vlan200 [host2]
        10.0.0.1     10.0.0.254         192.168.0.254     192.168.0.1

gateway: sysctl net.inet.ip.forwarding=1
host1: route add 192.168.0.0/24 10.0.0.254
host2: route add 10.0.0.0/24 192.168.0.254
ping 10.0.0.1

I.e. you need to make a setup where the ingress and egress interface are the same - mce0. -- WBR, Andrey V. Elsukov
Re: svn commit: r341586 - head/sys/dev/mlx5/mlx5_en
On 05.12.2018 17:25, Slava Shwartsman wrote: > Author: slavash > Date: Wed Dec 5 14:25:03 2018 > New Revision: 341586 > URL: https://svnweb.freebsd.org/changeset/base/341586 > > Log: > mlx5en: Implement backpressure indication. > > The backpressure indication is implemented using an unlimited rate type of > mbuf send tag. When the upper layers typically the socket layer has > obtained such > a tag, it can then query the destination driver queue for the current > amount of space available in the send queue. > > A single mbuf send tag may be referenced multiple times and a refcount has > been added > to the mlx5e_priv structure to track its usage. Because the send tag resides > in the mlx5e_channel structure, there is no need to wait for refcounts to > reach > zero until the mlx4en(4) driver is detached. The channels structure is > persistant > during the lifetime of the mlx5en(4) driver it belongs to and can so be > accessed > without any need of synchronization. > > The mlx5e_snd_tag structure was extended to contain a type field, because > there are now > two different tag types which end up in the driver which need to be > distinguished. > > Submitted by: hselasky@ > Approved by:hselasky (mentor) > MFC after: 1 week > Sponsored by: Mellanox Technologies 
> @@ -587,27 +609,33 @@ mlx5e_xmit(struct ifnet *ifp, struct mbuf *mb) > struct mlx5e_sq *sq; > int ret; > > - sq = mlx5e_select_queue(ifp, mb); > - if (unlikely(sq == NULL)) { > -#ifdef RATELIMIT > - /* Check for route change */ > - if (mb->m_pkthdr.snd_tag != NULL && > - mb->m_pkthdr.snd_tag->ifp != ifp) { > + if (mb->m_pkthdr.snd_tag != NULL) { > + sq = mlx5e_select_queue_by_send_tag(ifp, mb); > + if (unlikely(sq == NULL)) { > + /* Check for route change */ > + if (mb->m_pkthdr.snd_tag->ifp != ifp) { > + /* Free mbuf */ > + m_freem(mb); > + > + /* > + * Tell upper layers about route > + * change and to re-transmit this > + * packet: > + */ > + return (EAGAIN); > + } Hi, I just discovered something strange and found that this commit is the cause. The test system has mlx5en 100G interface. It has two vlans: vlan500 and vlan100. Via vlan500 it receives some packets flows. Then it routes these packets into vlan100. But packets are dropped in mlx5e_xmit() with EAGAIN error code. # dtrace -n 'fbt::ip6_output:return {printf("%d", arg1);}' dtrace: description 'fbt::ip6_output:return ' matched 1 probe CPU IDFUNCTION:NAME 23 54338ip6_output:return 35 16 54338ip6_output:return 35 21 54338ip6_output:return 35 22 54338ip6_output:return 35 24 54338ip6_output:return 35 23 54338ip6_output:return 35 14 54338ip6_output:return 35 ^C # dtrace -n 'fbt::mlx5e_xmit:return {printf("%d", arg1);}' dtrace: description 'fbt::mlx5e_xmit:return ' matched 1 probe CPU IDFUNCTION:NAME 16 69030mlx5e_xmit:return 35 23 69030mlx5e_xmit:return 35 26 69030mlx5e_xmit:return 35 25 69030mlx5e_xmit:return 35 24 69030 mlx5e_xmit:return 35 21 69030mlx5e_xmit:return 35 26 69030mlx5e_xmit:return 35 ^C The kernel config is GENERIC. 13.0-CURRENT #9 r345758+82f3d57(svn_head)-dirty -- WBR, Andrey V. Elsukov signature.asc Description: OpenPGP digital signature
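Review bot: in the quoted mlx5e_xmit() hunk, EAGAIN is returned whenever `mb->m_pkthdr.snd_tag->ifp != ifp`, which assumes a tagged mbuf can only reach the driver through the interface the tag was created on. The report in this message shows the other case: a packet forwarded from one vlan(4) on an mce(4) parent to another vlan(4) on the same parent arrives carrying a tag for a different ifnet and is dropped with EAGAIN on every attempt, which ip6_output() then returns to the caller. Treating a mismatched tag as "no tag" and falling through to normal queue selection (or clearing it when the packet is forwarded, as the thread discusses) would be the safer fallback than a retry hint that the forwarding path can never satisfy.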
Re: svn commit: r346052 - head/sys/dev/usb/net
On 09.04.2019 16:54, Ganbold Tsagaankhuu wrote: > Author: ganbold > Date: Tue Apr 9 13:54:08 2019 > New Revision: 346052 > URL: https://svnweb.freebsd.org/changeset/base/346052 > > Log: > In some cases like NanoPI R1, its second USB ethernet > RTL8152 (chip version URE_CHIP_VER_4C10) doesn't > have hardwired MAC address, in other words, it is all zeros. > This commit fixes it by setting random MAC address > when MAC address is all zeros. > > - if (sc->sc_chip & URE_CHIP_VER_4C00) > + if ((sc->sc_chip & URE_CHIP_VER_4C00) || > + (sc->sc_chip & URE_CHIP_VER_4C10)) > ure_read_mem(sc, URE_PLA_IDR, URE_MCU_TYPE_PLA, > ue->ue_eaddr, 8); > else > ure_read_mem(sc, URE_PLA_BACKUP, URE_MCU_TYPE_PLA, > ue->ue_eaddr, 8); > + > + if (ETHER_IS_ZERO(sc->sc_ue.ue_eaddr)) { > + device_printf(sc->sc_ue.ue_dev, "MAC assigned randomly\n"); > + arc4rand(sc->sc_ue.ue_eaddr, ETHER_ADDR_LEN, 0); > + sc->sc_ue.ue_eaddr[0] &= ~0x01; /* unicast */ > + sc->sc_ue.ue_eaddr[0] |= 0x02; /* locally administered */ > + } > }

Hi, there is an ether_fakeaddr() function that is used for such purpose. Maybe it is better to use it? Look at this commit: https://svnweb.freebsd.org/base?view=revision=345139 -- WBR, Andrey V. Elsukov
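Review bot: the fallback in the quoted ure(4) hunk hand-rolls what ether_fakeaddr() already provides (a random unicast, locally administered address), which is the same situation r345139, pointed to in the reply, handled for other drivers; calling it keeps the address policy in one place. Also worth a sentence in the log or man page: an address drawn from arc4rand() changes on every boot, so DHCP reservations and firewall rules keyed on the MAC of such a board will not be stable.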
svn commit: r345985 - head/libexec/rc
Author: ae Date: Sat Apr 6 17:21:05 2019 New Revision: 345985 URL: https://svnweb.freebsd.org/changeset/base/345985 Log: Add firewall_[nat64|nptv6|pmod]_enable variables to /etc/defaults/rc.conf Reported by: Andrey Fesenko X-MFC after: r345450 Modified: head/libexec/rc/rc.conf Modified: head/libexec/rc/rc.conf == --- head/libexec/rc/rc.conf Sat Apr 6 11:24:43 2019(r345984) +++ head/libexec/rc/rc.conf Sat Apr 6 17:21:05 2019(r345985) @@ -178,6 +178,9 @@ firewall_nologports="135-139,445 1026,1027 1433,1434" firewall_nat_enable="NO" # Enable kernel NAT (if firewall_enable == YES) firewall_nat_interface="" # Public interface or IPaddress to use firewall_nat_flags="" # Additional configuration parameters +firewall_nat64_enable="NO" # Enable kernel NAT64 module. +firewall_nptv6_enable="NO" # Enable kernel NPTv6 module. +firewall_pmod_enable="NO" # Enable kernel protocols modification module. dummynet_enable="NO" # Load the dummynet(4) module ipfw_netflow_enable="NO" # Enable netflow logging via ng_netflow ip_portrange_first="NO"# Set first dynamically allocated port
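Review bot: the three new comments should carry the same `(if firewall_enable == YES)` qualifier as the `firewall_nat_enable` line directly above them, because rc.d/ipfw only appends these modules to required_modules inside ipfw_prestart, which does not run unless the firewall itself is enabled. `Enable kernel protocols modification module.` also reads awkwardly; something like `Load the ipfw_pmod protocol modification module` would match the dummynet line's style and name the module that is actually loaded.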
svn commit: r345843 - head/contrib/bsnmp/lib
Author: ae Date: Wed Apr 3 12:47:49 2019 New Revision: 345843 URL: https://svnweb.freebsd.org/changeset/base/345843

Log:
Follow the declared behaviour that specifies the server string format in bsnmpclient(3). The snmp_parse_server() function accepts a string where some fields can be omitted:

[trans::][community@][server][:port]

The "trans" field can be "udp", "udp6", "dgram" or "stream". "community" can be an empty string; if it is omitted, the default value will be used. For read_community it is "public", for write_community it is "private". The "server" field can be a hostname, an IPv4 address or an IPv6 address. An IPv6 address should be specified in brackets "[]". If the port is omitted, the default value "snmp" will be used for the "udp" and "udp6" transports.

So, now for bsnmpget(1) and bsnmpwalk(1) it is not required to specify all fields in the argument of the '-s' option. E.g.

# bsnmpget -s 127.1 sysName.0
# bsnmpget -s "udp::127.1" sysName.0
# bsnmpget -s "udp::public@127.1" sysName.0
# bsnmpget -s "udp::public@127.1:161" sysName.0
# bsnmpget -s "udp::[::1]" sysName.0
# bsnmpget -s "udp6::[::1]" sysName.0
# bsnmpget -s "[fe80::1%lo0]" sysName.0

PR: 236664 Reported by: olivier MFC after: 1 month Modified: head/contrib/bsnmp/lib/snmpclient.c

Modified: head/contrib/bsnmp/lib/snmpclient.c == --- head/contrib/bsnmp/lib/snmpclient.c Wed Apr 3 08:22:58 2019 (r345842) +++ head/contrib/bsnmp/lib/snmpclient.c Wed Apr 3 12:47:49 2019 (r345843)
@@ -1874,38 +1874,47 @@ snmp_client_set_port(struct snmp_client *cl, const cha return (0); } +static const char *const trans_list[] = { + [SNMP_TRANS_UDP]= "udp::", + [SNMP_TRANS_LOC_DGRAM] = "dgram::", + [SNMP_TRANS_LOC_STREAM] = "stream::", + [SNMP_TRANS_UDP6] = "udp6::", +}; + /** * Try to get a transport identifier which is a leading alphanumeric string - * (starting with '_' or a letter and including also '_') terminated by - * a double colon. The string may not be empty. The transport identifier - * is optional. + * terminated by a double colon. The string may not be empty. The transport + * identifier is optional. * * \param sc client struct to set errors * \param strp possible start of transport; updated to point to * the next character to parse * - * \return end of transport; equals *strp if there is none; NULL if there - * was an error + * \return transport identifier */ -static inline const char * +static inline int get_transp(struct snmp_client *sc, const char **strp) { - const char *p = *strp; + const char *p; + size_t i; - if (isascii(*p) && (isalpha(*p) || *p == '_')) { - p++; - while (isascii(*p) && (isalnum(*p) || *p == '_')) - p++; - if (p[0] == ':' && p[1] == ':') { - *strp = p + 2; - return (p); + for (i = 0; i < nitems(trans_list); i++) { + if (trans_list[i] == NULL || *trans_list[i] == '\0') + continue; + p = strstr(*strp, trans_list[i]); + if (p == *strp) { + *strp += strlen(trans_list[i]); + return ((int)i); } } + + p = *strp; if (p[0] == ':' && p[1] == ':') { seterr(sc, "empty transport specifier"); - return (NULL); + return (-1); } - return (*strp); + /* by default assume UDP */ + return (SNMP_TRANS_UDP); } /** 
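Review bot: the prefix match in get_transp() uses strstr() and then tests `p == *strp`, which scans the whole server string for every transport name only to accept a hit at offset 0; `strncmp(*strp, trans_list[i], strlen(trans_list[i])) == 0` states the intent directly and stops reading at the first mismatch. More importantly, an unknown transport such as `tcp::host` no longer produces an error: the loop finds no match, the `::` test that follows looks at the first character of the string (`t`) rather than at the double colon, and the function silently returns SNMP_TRANS_UDP, leaving `tcp::host` to be parsed as a community or host name. Keep a check that rejects a leading identifier followed by `::` that is not in trans_list, and update the comment block, which still talks about a string that `may not be empty` and documents a pointer return although the function now returns -1 on error.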
@@ -2143,24 +2152,13 @@ save_str(struct snmp_client *sc, const char *const s[2 int snmp_parse_server(struct snmp_client *sc, const char *str) { -#if DEBUG_PARSE const char *const orig = str; -#endif - - const char *const trans_list[] = { - [SNMP_TRANS_UDP]= "udp", - [SNMP_TRANS_LOC_DGRAM] = "dgram", - [SNMP_TRANS_LOC_STREAM] = "stream", - [SNMP_TRANS_UDP6] = "udp6", - }; - /* parse input */ - const char *const transp[2] = { - str, - get_transp(sc, ), - }; - if (transp[1] == NULL) + int i, trans = get_transp(sc, ); + if (trans < 0) return (-1); + /* choose automatically */ + i = orig == str ? -1: trans; const char *const comm[2] = { str, @@ -2206,7 +2204,7 @@ snmp_parse_server(struct snmp_client *sc, const char * } #if DEBUG_PARSE - printf("transp: %zu %zu\n", transp[0] - orig, transp[1] - orig); + printf("transp: %u\n", trans); printf("comm: %zu %zu\n", comm[0] - orig, comm[1] - orig); printf("ipv6: %zu %zu\n", ipv6[0] - orig, ipv6[1] - orig); printf("ipv4: %zu %zu\n", ipv4[0] - orig,
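Review bot: `i = orig == str ? -1: trans;` detects an omitted transport by checking that get_transp() consumed nothing, while get_transp() itself reports SNMP_TRANS_UDP in that case; the sentinel and the return value disagree about what `no transport given` means, so a reader of get_transp() alone believes UDP was selected. Returning a distinct value for `none given` and letting this function pick udp or udp6 from the parsed address would put that decision in one place. Minor: `printf("transp: %u\n", trans)` prints a signed int with %u, and `-1: trans` wants a space before the colon.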
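The server-string grammar in this commit message is worth having in runnable form, so the following is an added example, not libbsnmp's own snmp_parse_server() (whose real code is in the hunks above): a self-contained C parser for `[trans::][community@][server][:port]` that matches the transport by exact prefix, rejects an unknown `xxx::` specifier instead of silently defaulting to UDP, keeps the zone of a bracketed IPv6 literal, applies the `snmp` default port only for udp/udp6, and treats whatever follows `dgram::` or `stream::` as a socket path. The type snmp_target, the functions parse_snmp_server() and parses_as(), the SNMP_T_* constants and the fixed field sizes are assumptions made for this example.

```c
/* Added example, not libbsnmp code: a stand-alone parser for the r345843 server
 * string format [trans::][community@][server][:port]. snmp_target,
 * parse_snmp_server, parses_as and SNMP_T_* are names invented for this example. */
#include <ctype.h>
#include <string.h>

enum snmp_trans { SNMP_T_UDP, SNMP_T_UDP6, SNMP_T_DGRAM, SNMP_T_STREAM };

struct snmp_target {
	enum snmp_trans trans;
	int	trans_given;	/* 0: caller picks udp/udp6 from the address family */
	int	comm_given;	/* 0: caller applies the "public"/"private" defaults */
	char	comm[64], host[256], port[32];	/* port: "snmp" if omitted, "" for local sockets */
};

static const struct { const char *name; enum snmp_trans t; } trans_list[] = {
	{ "udp::", SNMP_T_UDP }, { "udp6::", SNMP_T_UDP6 },
	{ "dgram::", SNMP_T_DGRAM }, { "stream::", SNMP_T_STREAM },
};
/* Bounded copy: an overlong field is an error, never a silent truncation. */
static int
copy_field(char *dst, size_t dstsz, const char *s, size_t len)
{
	if (len >= dstsz)
		return (-1);
	memcpy(dst, s, len);
	dst[len] = '\0';
	return (0);
}
/* Returns 0 on success, -1 on malformed input. */
int
parse_snmp_server(const char *str, struct snmp_target *t)
{
	const char *p = str, *q;
	size_t i, n;

	memset(t, 0, sizeof(*t));	/* trans == SNMP_T_UDP (0) unless a prefix says otherwise */
	/* Transport: exact prefix match, not strstr() anywhere in the string. */
	for (i = 0; i < sizeof(trans_list) / sizeof(trans_list[0]); i++) {
		n = strlen(trans_list[i].name);
		if (strncmp(p, trans_list[i].name, n) == 0) {
			t->trans = trans_list[i].t;
			t->trans_given = 1;
			p += n;
			break;
		}
	}
	if (!t->trans_given) {	/* default is UDP, but "tcp::" or a bare "::1" is an error */
		for (q = p; isalnum((unsigned char)*q) || *q == '_'; q++)
			;
		if (q[0] == ':' && q[1] == ':')
			return (-1);
	}
	/* Community: everything before the first '@'; may be empty ("@host"). */
	if ((q = strchr(p, '@')) != NULL) {
		if (copy_field(t->comm, sizeof(t->comm), p, (size_t)(q - p)) < 0)
			return (-1);
		t->comm_given = 1;
		p = q + 1;
	}
	/* Local sockets: the remainder is a path and carries no port. */
	if (t->trans == SNMP_T_DGRAM || t->trans == SNMP_T_STREAM)
		return (copy_field(t->host, sizeof(t->host), p, strlen(p)));
	/* Server: "[v6-literal%zone]" or "host"/"v4-literal", then an optional ":port". */
	if (*p == '[') {
		if ((q = strchr(p, ']')) == NULL ||
		    copy_field(t->host, sizeof(t->host), p + 1, (size_t)(q - p - 1)) < 0)
			return (-1);
		p = q + 1;
		if (*p == ':')
			p++;
		else if (*p != '\0')
			return (-1);
	} else {
		q = strchr(p, ':');
		n = q != NULL ? (size_t)(q - p) : strlen(p);
		if (copy_field(t->host, sizeof(t->host), p, n) < 0)
			return (-1);
		p = q != NULL ? q + 1 : p + n;
	}
	if (*p == '\0')
		p = "snmp";	/* default service when the port is omitted */
	return (copy_field(t->port, sizeof(t->port), p, strlen(p)));
}

/* Parse and compare every field; comm == NULL means "community omitted". */
int
parses_as(const char *str, enum snmp_trans trans, const char *comm,
    const char *host, const char *port)
{
	struct snmp_target t;

	if (parse_snmp_server(str, &t) != 0 || t.trans != trans ||
	    (comm == NULL) != (t.comm_given == 0) ||
	    (comm != NULL && strcmp(t.comm, comm) != 0))
		return (0);
	return (strcmp(t.host, host) == 0 && strcmp(t.port, port) == 0);
}
```

There is deliberately no main(): link the unit with a caller that fills a struct snmp_target and then uses trans_given and comm_given to apply the library defaults the commit message names. parses_as() returns 1 only when the string parses and every field matches, which is what makes the rejected cases (`tcp::127.1`, an unbracketed `::1`, an unterminated `[::1`) testable without a debugger.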
Re: svn commit: r345797 - in head: contrib/bsnmp/gensnmptree contrib/bsnmp/lib contrib/bsnmp/snmpd lib/libbsnmp/libbsnmp usr.sbin/bsnmpd/bsnmpd
On 02.04.2019 16:40, Baptiste Daroussin wrote: >> URL: https://svnweb.freebsd.org/changeset/base/345797 >> >> Log: >> Add IPv6 transport for bsnmp. >> >> This patch adds a new table begemotSnmpdTransInetTable that uses the >> InetAddressType textual convention and can be used to create listening >> ports for IPv4, IPv6, zoned IPv6 and based on DNS names. It also supports >> future extension beyond UDP by adding a protocol identifier to the table >> index. In order to support this gensnmptree had to be modified. >> >> Submitted by: harti >> MFC after: 1 month >> Relnotes: yes >> Differential Revision: https://reviews.freebsd.org/D16654 >> > Jumping in this commit, maybe it is time to move bsnmpd out of contrib, given > that all the dev appears to only be in our own source tree right?

I think it is better to ask harti@

-- 
WBR, Andrey V. Elsukov
svn commit: r345798 - head/contrib/bsnmp/snmp_mibII
Author: ae Date: Tue Apr 2 13:38:00 2019 New Revision: 345798 URL: https://svnweb.freebsd.org/changeset/base/345798 Log: Create 64bit mibII counters for all interfaces. PR: 157015 Obtained from:Yandex LLC MFC after:1 month Modified: head/contrib/bsnmp/snmp_mibII/mibII_interfaces.c Modified: head/contrib/bsnmp/snmp_mibII/mibII_interfaces.c == --- head/contrib/bsnmp/snmp_mibII/mibII_interfaces.cTue Apr 2 12:50:01 2019(r345797) +++ head/contrib/bsnmp/snmp_mibII/mibII_interfaces.cTue Apr 2 13:38:00 2019(r345798) @@ -373,11 +373,6 @@ op_ifxtable(struct snmp_context *ctx, struct snmp_valu switch (op) { - again: - if (op != SNMP_OP_GETNEXT) - return (SNMP_ERR_NOSUCHNAME); - /* FALLTHROUGH */ - case SNMP_OP_GETNEXT: if ((ifp = NEXT_OBJECT_INT(_list, >var, sub)) == NULL) return (SNMP_ERR_NOSUCHNAME); 
@@ -460,52 +455,36 @@ op_ifxtable(struct snmp_context *ctx, struct snmp_valu break; case LEAF_ifHCInOctets: - if (!(ifp->flags & MIBIF_HIGHSPEED)) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_inoctets; break; case LEAF_ifHCInUcastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_ipackets - MIBIF_PRIV(ifp)->hc_imcasts; break; case LEAF_ifHCInMulticastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_imcasts; break; case LEAF_ifHCInBroadcastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = 0; break; case LEAF_ifHCOutOctets: - if (!(ifp->flags & MIBIF_HIGHSPEED)) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_outoctets; break; case LEAF_ifHCOutUcastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_opackets - MIBIF_PRIV(ifp)->hc_omcasts; break; case LEAF_ifHCOutMulticastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = MIBIF_PRIV(ifp)->hc_omcasts; break; case LEAF_ifHCOutBroadcastPkts: - if (!(ifp->flags & (MIBIF_VERYHIGHSPEED|MIBIF_HIGHSPEED))) - goto again; value->v.counter64 = 0; break;
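Review bot: dropping the MIBIF_HIGHSPEED / MIBIF_VERYHIGHSPEED gates means the ifHCIn*/ifHCOut* leaves are now answered for every interface, which RFC 2863 permits (the 64-bit counters are mandatory above 20 Mbit/s and optional below), but it only works if the hc_* fields of MIBIF_PRIV(ifp) are maintained for low-speed interfaces as well; please confirm that the counter update path does not itself skip interfaces without those flags, otherwise slow interfaces will now report 64-bit counters frozen at zero instead of noSuchName. With the `again:` label gone from the previous hunk, ifHCInBroadcastPkts and ifHCOutBroadcastPkts hard-code 0 for all interfaces; if the kernel does not provide broadcast counts, say so in a comment, since a monitoring system cannot tell `no broadcasts` from `not counted`.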
svn commit: r345797 - in head: contrib/bsnmp/gensnmptree contrib/bsnmp/lib contrib/bsnmp/snmpd lib/libbsnmp/libbsnmp usr.sbin/bsnmpd/bsnmpd
Author: ae Date: Tue Apr 2 12:50:01 2019 New Revision: 345797 URL: https://svnweb.freebsd.org/changeset/base/345797 Log: Add IPv6 transport for bsnmp. This patch adds a new table begemotSnmpdTransInetTable that uses the InetAddressType textual convention and can be used to create listening ports for IPv4, IPv6, zoned IPv6 and based on DNS names. It also supports future extension beyond UDP by adding a protocol identifier to the table index. In order to support this gensnmptree had to be modified. Submitted by: harti MFC after: 1 month Relnotes: yes Differential Revision: https://reviews.freebsd.org/D16654 Added: head/contrib/bsnmp/snmpd/trans_inet.c head/contrib/bsnmp/snmpd/trans_inet.h Modified: head/contrib/bsnmp/gensnmptree/gensnmptree.1 head/contrib/bsnmp/gensnmptree/gensnmptree.c head/contrib/bsnmp/lib/snmpclient.c head/contrib/bsnmp/lib/snmpclient.h head/contrib/bsnmp/lib/tc.def head/contrib/bsnmp/snmpd/BEGEMOT-SNMPD.txt head/contrib/bsnmp/snmpd/main.c head/contrib/bsnmp/snmpd/snmpd.config head/contrib/bsnmp/snmpd/snmpd.h head/contrib/bsnmp/snmpd/snmpmod.h head/contrib/bsnmp/snmpd/trans_lsock.c head/contrib/bsnmp/snmpd/trans_udp.c head/contrib/bsnmp/snmpd/tree.def head/lib/libbsnmp/libbsnmp/Makefile head/usr.sbin/bsnmpd/bsnmpd/Makefile head/usr.sbin/bsnmpd/bsnmpd/snmpd.config Modified: head/contrib/bsnmp/gensnmptree/gensnmptree.1 == --- head/contrib/bsnmp/gensnmptree/gensnmptree.1Tue Apr 2 12:02:35 2019(r345796) +++ head/contrib/bsnmp/gensnmptree/gensnmptree.1Tue Apr 2 12:50:01 2019(r345797) @@ -31,7 +31,7 @@ .\" .\" $Begemot: gensnmptree.1 383 2006-05-30 07:40:49Z brandt_h $ .\" -.Dd June 29, 2018 +.Dd April 2, 2019 .Dt GENSNMPTREE 1 .Os .Sh NAME 
@@ -100,25 +100,11 @@ is the length of the OID. is the last component of the OID. .El .It Fl F -Together with -.Fl E -causes -.Nm -instead of the generation of enum definitions the generation of -functions for checking a value to be one of the enumeration variants and -for conversion between strings and the enum. The file is sent to standard -output and is meant to be included into a C-file for compilation. +emit definitions for C-functions includeable in a C-file that do some basic +stuff on enums like value checking and conversion between value and strings. .It Fl f -This flag can be used together with -.Fl E -or when generating the tree files. It causes -.Nm -to emit static inline functions for checking a value to be one of the -enumeration values and for conversion between strings and the enum. -If used when generating the tree files, the preprocessor symbol -.Ar SNMPTREE_TYPES -must be defined when including the tree header file for these definitions -to become visible. +emit definitions for inline C-functions that do some basic +stuff on enums like value checking and conversion between value and strings. .It Fl h Print a short help page. .It Fl I Ar directory 
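Review bot: the replacement text for -F and -f is less informative than what it removes: the old paragraphs said that these flags work together with -E, that -f emits static inline functions, and that SNMPTREE_TYPES must be defined when including the tree header for the definitions to become visible; `includeable in a C-file that do some basic stuff on enums` keeps none of that. Unless the behaviour itself changed in this patch, keep the previous wording (and if the new sentence stays, `includeable` should be `includable` and `stuff` is too informal for a manual page).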
@@ -136,36 +122,6 @@ Instead of normal output print the resulting tree. Prefix the file names and the table name with .Ar prefix . .El -.Pp -The following functions are generated by -.Fl f -or -.Fl F : -.Pp -.Ft static inline int -.Fn isok_EnumName "enum EnumName" ; -.Pp -.Ft static inline const char * -.Fn tostr_EnumName "enum EnumName" ; -.Pp -.Ft static inline int -.Fn fromstr_EnumName "const char *" "enum EnumName *" ; -.Pp -The -.Fa EnumName -is replaced with the enumeration name. -.Fn isok_EnumName -returns 1 if the argument is one of the valid enum values and 0 otherwise. -.Fn tostr_EnumName -returns a string representation of the enumeration value. -If the values is not one of the legal values -.Ar EnumName??? -is returned. -.Fn fromstr_EnumName -returns 1 if the string represents one of the legal enumeration values and -0 otherwise. -If 1 is return the variable pointed to by the second argument is set to -the enumeration value. .Sh MIBS The syntax of the MIB description file can formally be specified as follows: .Bd -unfilled -offset indent Modified: head/contrib/bsnmp/gensnmptree/gensnmptree.c == --- head/contrib/bsnmp/gensnmptree/gensnmptree.cTue Apr 2 12:02:35 2019(r345796) +++ head/contrib/bsnmp/gensnmptree/gensnmptree.cTue Apr 2 12:50:01 2019(r345797) @@ -110,7 +110,6 @@ static int debug; static const char usgtxt[] = "\ Generate SNMP tables.\n\ -$Id$\n\ usage: gensnmptree [-dEeFfhlt] [-I directory] [-i infile] [-p prefix]\n\ [name]...\n\ options:\n\ @@ -127,6 +126,37 @@ options:\n\ -t generate a .def file\n\ "; +/** + * Program operation. + */ +enum op { + /** generate the tree */ + OP_GEN, + + /** extract OIDs */ + OP_EXTRACT, + + /** print the parsed tree */ + OP_TREE, + + /** extract
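Review bot: this hunk removes the only documentation of the generated isok_EnumName(), tostr_EnumName() and fromstr_EnumName() functions, including the `EnumName???` value that tostr_ returns for an illegal input, while the -F and -f options that generate them remain; together with the .Dd moving back from June 2018 to an older layout this looks like the submitted patch was diffed against a tree that predates the June 2018 manual page update, so please re-diff against head and keep that section. In gensnmptree.c the new `enum op` is a good cleanup; the removal of the `$Id$` line from usgtxt is unrelated and would be cleaner as a separate commit.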
svn commit: r345763 - head/contrib/bsnmp/snmpd
Author: ae Date: Mon Apr 1 12:14:45 2019 New Revision: 345763 URL: https://svnweb.freebsd.org/changeset/base/345763 Log: Correct a port number assignment. PR: 236930 MFC after:1 week Modified: head/contrib/bsnmp/snmpd/trap.c Modified: head/contrib/bsnmp/snmpd/trap.c == --- head/contrib/bsnmp/snmpd/trap.c Mon Apr 1 10:51:24 2019 (r345762) +++ head/contrib/bsnmp/snmpd/trap.c Mon Apr 1 12:14:45 2019 (r345763) @@ -726,8 +726,7 @@ target_activate_address(struct target_address *addrs) sa.sin_addr.s_addr = htonl((addrs->address[0] << 24) | (addrs->address[1] << 16) | (addrs->address[2] << 8) | (addrs->address[3] << 0)); - sa.sin_port = htons(addrs->address[4]) << 8 | -htons(addrs->address[5]) << 0; + sa.sin_port = htons(addrs->address[4] << 8 | addrs->address[5]); if (connect(addrs->socket, (struct sockaddr *), sa.sin_len) == -1) { syslog(LOG_ERR, "connect(%s,%u): %m",
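Review bot: the fix is correct; for the record, the removed expression `htons(addrs->address[4]) << 8 | htons(addrs->address[5]) << 0` byte-swaps each octet separately and then shifts, so on a little-endian host htons(address[4]) already holds its value in the high byte and the `<< 8` pushes it out of the 16-bit sin_port, leaving only the low octet of the port; ports below 256 happened to work, which is why this survived. Applying htons() once to the assembled host-order value, as the new line does, is the right shape. A regression test that builds a target_address with a port such as 1024 and checks sin_port would keep it from coming back.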
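To make the bug in the replaced line concrete, here is an added example, not bsnmpd's trap.c, that puts the old and the new sin_port expression side by side and reads the result back the way a peer sees it on the wire; the helper names (port_swapped_per_octet, port_swapped_once, wire_port, host_is_little_endian, make_target) and the TEST-NET-1 sample address are constructed for this example. On a little-endian host the old form keeps only the low octet of the port, so 162 survives while 1024 becomes 0 and 0x1234 becomes 0x0034; on a big-endian host both forms agree, which is one reason this class of bug hides so well.

```c
/* Added example, not bsnmpd code: the sin_port expression that r345763 removes
 * beside the one it adds, so the failure mode is visible on a little-endian
 * host. Helper names and the sample address are invented for this example. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Old expression: htons() applied to each octet separately, then shifted. */
uint16_t
port_swapped_per_octet(const uint8_t addr[6])
{
	return (htons(addr[4]) << 8 | htons(addr[5]) << 0);
}

/* New expression: assemble the host-order port first, byte-swap once. */
uint16_t
port_swapped_once(const uint8_t addr[6])
{
	return (htons(addr[4] << 8 | addr[5]));
}

/* What the peer sees: sin_port lives in memory as two network-order bytes. */
unsigned
wire_port(uint16_t sin_port)
{
	uint8_t b[2];

	memcpy(b, &sin_port, sizeof(b));
	return ((unsigned)b[0] << 8 | b[1]);
}

int
host_is_little_endian(void)
{
	uint16_t one = 1;
	uint8_t first;

	memcpy(&first, &one, 1);
	return (first == 1);
}

/* Constructed SNMP-TARGET-MIB style address: four IPv4 octets, then the port, high byte first. */
static void
make_target(uint16_t port, uint8_t addr[6])
{
	static const uint8_t ip[4] = { 192, 0, 2, 10 };	/* TEST-NET-1, constructed */

	memcpy(addr, ip, sizeof(ip));
	addr[4] = port >> 8;
	addr[5] = port & 0xff;
}

int
old_expression_is_correct(uint16_t port)
{
	uint8_t addr[6];

	make_target(port, addr);
	return (wire_port(port_swapped_per_octet(addr)) == port);
}

int
new_expression_is_correct(uint16_t port)
{
	uint8_t addr[6];

	make_target(port, addr);
	return (wire_port(port_swapped_once(addr)) == port);
}

int
main(void)
{
	static const uint16_t ports[] = { 162, 1024, 0x1234 };
	uint8_t addr[6];
	size_t i;

	for (i = 0; i < sizeof(ports) / sizeof(ports[0]); i++) {
		make_target(ports[i], addr);
		printf("port %5u: old expression sends %5u, new expression sends %5u\n",
		    (unsigned)ports[i], wire_port(port_swapped_per_octet(addr)),
		    wire_port(port_swapped_once(addr)));
	}
	return (0);
}
```

The general rule the example illustrates: convert to network byte order exactly once, on the fully assembled value, never on individual octets that are about to be shifted or or'ed together.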
svn commit: r345450 - in head: libexec/rc/rc.d share/man/man5
Author: ae Date: Sat Mar 23 15:41:32 2019 New Revision: 345450 URL: https://svnweb.freebsd.org/changeset/base/345450 Log: Add ability to automatically load ipfw_nat64, ipfw_nptv6 and ipfw_pmod modules by declaring corresponding variables in rc.conf. Also document them in rc.conf(5). Submitted by: Dries Michiels Differential Revision:https://reviews.freebsd.org/D19673 Modified: head/libexec/rc/rc.d/ipfw head/share/man/man5/rc.conf.5 Modified: head/libexec/rc/rc.d/ipfw == --- head/libexec/rc/rc.d/ipfw Sat Mar 23 14:10:05 2019(r345449) +++ head/libexec/rc/rc.d/ipfw Sat Mar 23 15:41:32 2019(r345450) @@ -34,6 +34,15 @@ ipfw_prestart() if checkyesno firewall_nat_enable; then required_modules="$required_modules ipfw_nat" fi + if checkyesno firewall_nat64_enable; then + required_modules="$required_modules ipfw_nat64" + fi + if checkyesno firewall_nptv6_enable; then + required_modules="$required_modules ipfw_nptv6" + fi + if checkyesno firewall_pmod_enable; then + required_modules="$required_modules ipfw_pmod" + fi } ipfw_start() Modified: head/share/man/man5/rc.conf.5 == --- head/share/man/man5/rc.conf.5 Sat Mar 23 14:10:05 2019 (r345449) +++ head/share/man/man5/rc.conf.5 Sat Mar 23 15:41:32 2019 (r345450) @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd December 19, 2018 +.Dd March 21, 2019 .Dt RC.CONF 5 .Os .Sh NAME @@ -573,9 +573,11 @@ equivalent of .Va natd_enable . Setting this to .Dq Li YES -enables kernel NAT. +will automatically load the +.Xr ipfw 8 +NAT kernel module if .Va firewall_enable -must also be set to +is also set to .Dq Li YES . .It Va firewall_nat_interface .Pq Vt str 
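Review bot: the three new checkyesno calls read firewall_nat64_enable, firewall_nptv6_enable and firewall_pmod_enable, but this commit adds no defaults for them to /etc/defaults/rc.conf, so on any system that does not set them checkyesno logs `is not set properly` warnings at every firewall start; the defaults belong in the same change (r345985 on this page adds them afterwards, reported by a user). Minor: the rc.conf.5 .Dd says March 21 while the commit is dated March 23.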
@@ -588,6 +590,36 @@ kernel NAT should run. .It Va firewall_nat_flags .Pq Vt str Additional configuration parameters for kernel NAT should be placed here. +.It Va firewall_nat64_enable +.Pq Vt bool +Setting this to +.Dq Li YES +will automatically load the +.Xr ipfw 8 +NAT64 kernel module if +.Va firewall_enable +is also set to +.Dq Li YES . +.It Va firewall_nptv6_enable +.Pq Vt bool +Setting this to +.Dq Li YES +will automatically load the +.Xr ipfw 8 +NPTv6 kernel module if +.Va firewall_enable +is also set to +.Dq Li YES . +.It Va firewall_pmod_enable +.Pq Vt bool +Setting this to +.Dq Li YES +will automatically load the +.Xr ipfw 8 +pmod kernel module if +.Va firewall_enable +is also set to +.Dq Li YES . .It Va dummynet_enable .Pq Vt bool Setting this to
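Review bot: `pmod kernel module` will mean nothing to a reader of rc.conf(5); spell out what it is (the ipfw_pmod protocol modification module, which backs actions such as tcp-setmss) and name the module file, as the dummynet entry that follows does with dummynet(4). The NAT64 and NPTv6 entries are clear because those terms are established; `pmod` is an ipfw-internal abbreviation.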
svn commit: r345321 - head/sys/netpfil/ipfw/nat64
Author: ae Date: Wed Mar 20 10:11:21 2019 New Revision: 345321 URL: https://svnweb.freebsd.org/changeset/base/345321 Log: Do not enter epoch section recursively. A pfil hook is already invoked in NET_EPOCH section. Modified: head/sys/netpfil/ipfw/nat64/nat64lsn.c Modified: head/sys/netpfil/ipfw/nat64/nat64lsn.c == --- head/sys/netpfil/ipfw/nat64/nat64lsn.c Wed Mar 20 10:09:38 2019 (r345320) +++ head/sys/netpfil/ipfw/nat64/nat64lsn.c Wed Mar 20 10:11:21 2019 (r345321) @@ -1514,7 +1514,6 @@ int ipfw_nat64lsn(struct ip_fw_chain *ch, struct ip_fw_args *args, ipfw_insn *cmd, int *done) { - struct epoch_tracker et; struct nat64lsn_cfg *cfg; ipfw_insn *icmd; int ret; @@ -1531,7 +1530,6 @@ ipfw_nat64lsn(struct ip_fw_chain *ch, struct ip_fw_arg *done = 1; /* terminate the search */ - NAT64LSN_EPOCH_ENTER(et); switch (args->f_id.addr_type) { case 4: ret = nat64lsn_translate4(cfg, >f_id, >m); @@ -1551,7 +1549,6 @@ ipfw_nat64lsn(struct ip_fw_chain *ch, struct ip_fw_arg default: ret = cfg->nomatch_verdict; } - NAT64LSN_EPOCH_EXIT(et); if (ret != IP_FW_PASS && args->m != NULL) { m_freem(args->m);
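Review bot: removing NAT64LSN_EPOCH_ENTER/EXIT from ipfw_nat64lsn() makes correctness depend on every caller already being inside the network epoch; pfil hooks are, but an `NAT64LSN_EPOCH_ASSERT();` at the top of the function (it expands to NET_EPOCH_ASSERT() since r345319) would document the contract and catch any future caller that reaches the lockless lookup from outside the epoch in an INVARIANTS kernel, rather than leaving a silent use-after-free on the fast path.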
svn commit: r345319 - head/sys/netpfil/ipfw/nat64
Author: ae Date: Wed Mar 20 10:06:44 2019 New Revision: 345319 URL: https://svnweb.freebsd.org/changeset/base/345319 Log: Use NET_EPOCH instead of allocating separate one. MFC after:1 month Modified: head/sys/netpfil/ipfw/nat64/nat64lsn.c Modified: head/sys/netpfil/ipfw/nat64/nat64lsn.c == --- head/sys/netpfil/ipfw/nat64/nat64lsn.c Wed Mar 20 07:40:38 2019 (r345318) +++ head/sys/netpfil/ipfw/nat64/nat64lsn.c Wed Mar 20 10:06:44 2019 (r345319) @@ -72,12 +72,10 @@ __FBSDID("$FreeBSD$"); MALLOC_DEFINE(M_NAT64LSN, "NAT64LSN", "NAT64LSN"); -static epoch_t nat64lsn_epoch; -#defineNAT64LSN_EPOCH_ENTER(et) epoch_enter_preempt(nat64lsn_epoch, &(et)) -#defineNAT64LSN_EPOCH_EXIT(et) epoch_exit_preempt(nat64lsn_epoch, &(et)) -#defineNAT64LSN_EPOCH_WAIT() epoch_wait_preempt(nat64lsn_epoch) -#defineNAT64LSN_EPOCH_ASSERT() MPASS(in_epoch(nat64lsn_epoch)) -#defineNAT64LSN_EPOCH_CALL(c, f) epoch_call(nat64lsn_epoch, (c), (f)) +#defineNAT64LSN_EPOCH_ENTER(et) NET_EPOCH_ENTER(et) +#defineNAT64LSN_EPOCH_EXIT(et) NET_EPOCH_EXIT(et) +#defineNAT64LSN_EPOCH_ASSERT() NET_EPOCH_ASSERT() +#defineNAT64LSN_EPOCH_CALL(c, f) epoch_call(net_epoch_preempt, (c), (f)) static uma_zone_t nat64lsn_host_zone; static uma_zone_t nat64lsn_pgchunk_zone; @@ -1578,8 +1576,6 @@ void nat64lsn_init_internal(void) { - nat64lsn_epoch = epoch_alloc(EPOCH_PREEMPT); - nat64lsn_host_zone = uma_zcreate("NAT64LSN hosts", sizeof(struct nat64lsn_host), NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); @@ -1606,8 +1602,6 @@ nat64lsn_uninit_internal(void) { /* XXX: epoch_task drain */ - epoch_free(nat64lsn_epoch); - JQUEUE_LOCK_DESTROY(); uma_zdestroy(nat64lsn_host_zone); uma_zdestroy(nat64lsn_pgchunk_zone);
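Review bot: with the private epoch gone, the `/* XXX: epoch_task drain */` comment in nat64lsn_uninit_internal() turns into a real concern: NAT64LSN_EPOCH_CALL() now queues callbacks on net_epoch_preempt, there is no longer an epoch_free() that owned them, and the uma zones are destroyed immediately afterwards, so a deferred-free callback that runs after the module's text and zones are gone is a use-after-free on kldunload; make sure every pending callback has run (wait on the network epoch and drain the deferred callbacks) before the uma_zdestroy() calls. Also, NAT64LSN_EPOCH_WAIT() disappears from the macro list while the hunk shows none of its callers being touched; presumably it had none, but that is worth a grep before the MFC.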
svn commit: r345294 - head/sbin/ipfw
Author: ae Date: Tue Mar 19 11:16:42 2019 New Revision: 345294 URL: https://svnweb.freebsd.org/changeset/base/345294 Log: Remove extra spaces. MFC after:1 month Modified: head/sbin/ipfw/nat64lsn.c Modified: head/sbin/ipfw/nat64lsn.c == --- head/sbin/ipfw/nat64lsn.c Tue Mar 19 10:57:03 2019(r345293) +++ head/sbin/ipfw/nat64lsn.c Tue Mar 19 11:16:42 2019(r345294) @@ -783,7 +783,7 @@ nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *n if (co.verbose || cfg->nh_delete_delay != NAT64LSN_HOST_AGE) printf(" host_del_age %u", cfg->nh_delete_delay); if (co.verbose || cfg->pg_delete_delay != NAT64LSN_PG_AGE) - printf(" pg_del_age %u ", cfg->pg_delete_delay); + printf(" pg_del_age %u", cfg->pg_delete_delay); if (co.verbose || cfg->st_syn_ttl != NAT64LSN_TCP_SYN_AGE) printf(" tcp_syn_age %u", cfg->st_syn_ttl); if (co.verbose || cfg->st_close_ttl != NAT64LSN_TCP_FIN_AGE) @@ -795,7 +795,7 @@ nat64lsn_show_cb(ipfw_nat64lsn_cfg *cfg, const char *n if (co.verbose || cfg->st_icmp_ttl != NAT64LSN_ICMP_AGE) printf(" icmp_age %u", cfg->st_icmp_ttl); if (co.verbose || cfg->jmaxlen != NAT64LSN_JMAXLEN) - printf(" jmaxlen %u ", cfg->jmaxlen); + printf(" jmaxlen %u", cfg->jmaxlen); if (cfg->flags & NAT64_LOG) printf(" log"); if (cfg->flags & NAT64_ALLOW_PRIVATE)
svn commit: r345293 - in head: sbin/ipfw sys/conf sys/modules/ipfw_nat64 sys/netinet6 sys/netpfil/ipfw/nat64
Author: ae Date: Tue Mar 19 10:57:03 2019 New Revision: 345293 URL: https://svnweb.freebsd.org/changeset/base/345293 Log: Reapply r345274 with build fixes for 32-bit architectures. Update NAT64LSN implementation: o most of data structures and relations were modified to be able support large number of translation states. Now each supported protocol can use full ports range. Ports groups now are belongs to IPv4 alias addresses, not hosts. Each ports group can keep several states chunks. This is controlled with new `states_chunks` config option. States chunks allow to have several translation states for single alias address and port, but for different destination addresses. o by default all hash tables now use jenkins hash. o ConcurrencyKit and epoch(9) is used to make NAT64LSN lockless on fast path. o one NAT64LSN instance now can be used to handle several IPv6 prefixes, special prefix "::" value should be used for this purpose when instance is created. o due to modified internal data structures relations, the socket opcode that does states listing was changed. Obtained from:Yandex LLC MFC after:1 month Sponsored by: Yandex LLC Modified: head/sbin/ipfw/ipfw.8 head/sbin/ipfw/ipfw2.h head/sbin/ipfw/nat64lsn.c head/sys/conf/files head/sys/modules/ipfw_nat64/Makefile head/sys/netinet6/ip_fw_nat64.h head/sys/netpfil/ipfw/nat64/nat64lsn.c head/sys/netpfil/ipfw/nat64/nat64lsn.h head/sys/netpfil/ipfw/nat64/nat64lsn_control.c Modified: head/sbin/ipfw/ipfw.8 == --- head/sbin/ipfw/ipfw.8 Tue Mar 19 10:29:32 2019(r345292) +++ head/sbin/ipfw/ipfw.8 Tue Mar 19 10:57:03 2019(r345293) @@ -1,7 +1,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 18, 2019 +.Dd March 19, 2019 .Dt IPFW 8 .Os .Sh NAME @@ -3300,6 +3300,7 @@ See .Sx SYSCTL VARIABLES for more info. .Sh IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION +.Ss Stateful translation .Nm supports in-kernel IPv6/IPv4 network address and protocol translation. Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers 
@@ -3317,7 +3318,8 @@ to be able use stateful NAT64 translator. Stateful NAT64 uses a bunch of memory for several types of objects. When IPv6 client initiates connection, NAT64 translator creates a host entry in the states table. -Each host entry has a number of ports group entries allocated on demand. +Each host entry uses preallocated IPv4 alias entry. +Each alias entry has a number of ports group entries allocated on demand. Ports group entries contains connection state entries. There are several options to control limits and lifetime for these objects. .Pp @@ -3337,6 +3339,11 @@ First time an original packet is handled and consumed and then it is handled again as translated packet. This behavior can be changed by sysctl variable .Va net.inet.ip.fw.nat64_direct_output . +Also translated packet can be tagged using +.Cm tag +rule action, and then matched by +.Cm tagged +opcode to avoid loops and extra overhead. .Pp The stateful NAT64 configuration command is the following: .Bd -ragged -offset indent 
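Review bot: two of the new sentences need articles: `Each host entry uses preallocated IPv4 alias entry` should read `uses a preallocated IPv4 alias entry`, and `Also translated packet can be tagged using tag rule action` should read `A translated packet can also be tagged with the tag rule action`. `Alias entry` also appears here for the first time in the page; say what an IPv4 alias is (one of the translator's IPv4 addresses) before describing how ports groups hang off it.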
@@ -3364,15 +3371,16 @@ to represent IPv4 addresses. This IPv6 prefix should b The translator implementation follows RFC6052, that restricts the length of prefixes to one of following: 32, 40, 48, 56, 64, or 96. The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long. -.It Cm max_ports Ar number -Maximum number of ports reserved for upper level protocols to one IPv6 client. -All reserved ports are divided into chunks between supported protocols. -The number of connections from one IPv6 client is limited by this option. -Note that closed TCP connections still remain in the list of connections until -.Cm tcp_close_age -interval will not expire. -Default value is -.Ar 2048 . +The special +.Ar ::/length +prefix can be used to handle several IPv6 prefixes with one NAT64 instance. +The NAT64 instance will determine a destination IPv4 address from prefix +.Ar length . +.It Cm states_chunks Ar number +The number of states chunks in single ports group. +Each ports group by default can keep 64 state entries in single chunk. +The above value affects the maximum number of states that can be associated with single IPv4 alias address and port. +The value must be power of 2, and up to 128. .It Cm host_del_age Ar seconds The number of seconds until the host entry for a IPv6 client will be deleted and all its resources will be released due to inactivity. Modified: head/sbin/ipfw/ipfw2.h == --- head/sbin/ipfw/ipfw2.h Tue Mar 19 10:29:32 2019(r345292) +++ head/sbin/ipfw/ipfw2.h Tue Mar 19 10:57:03 2019(r345293) @@ -278,6 +278,7 @@ enum tokens { TOK_AGG_LEN, TOK_AGG_COUNT, TOK_MAX_PORTS, +
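Review bot: the manual page now deletes `max_ports` without saying what happens to existing configurations that pass it, although TOK_MAX_PORTS is kept in ipfw2.h below, so the option appears to be still parsed; state whether it is ignored or still enforced. The deleted text also described the one safeguard that bounded a single IPv6 client (`The number of connections from one IPv6 client is limited by this option`); the replacement `states_chunks` bounds states per alias address and port, not per client, so as written a single client can exhaust an alias's port range for everybody else. Either document how the per-client limit is enforced now, or state plainly that it is not.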
svn commit: r345292 - head/sys/net
Author: ae Date: Tue Mar 19 10:29:32 2019 New Revision: 345292 URL: https://svnweb.freebsd.org/changeset/base/345292 Log: Convert allocation of bpf_if in bpfattach2 from M_NOWAIT to M_WAITOK and remove possible panic condition. It is already allowed to sleep in bpfattach[2], since BPF_LOCK was converted to SX lock in r332388. Also move KASSERT() to the top of function and make full initialization before bpf_if will be linked to BPF's list of interfaces. MFC after:2 weeks Modified: head/sys/net/bpf.c Modified: head/sys/net/bpf.c == --- head/sys/net/bpf.c Tue Mar 19 06:58:28 2019(r345291) +++ head/sys/net/bpf.c Tue Mar 19 10:29:32 2019(r345292) @@ -2592,24 +2592,22 @@ bpfattach2(struct ifnet *ifp, u_int dlt, u_int hdrlen, { struct bpf_if *bp; - bp = malloc(sizeof(*bp), M_BPF, M_NOWAIT | M_ZERO); - if (bp == NULL) - panic("bpfattach"); + KASSERT(*driverp == NULL, ("bpfattach2: driverp already initialized")); + bp = malloc(sizeof(*bp), M_BPF, M_WAITOK | M_ZERO); + + rw_init(>bif_lock, "bpf interface lock"); LIST_INIT(>bif_dlist); LIST_INIT(>bif_wlist); bp->bif_ifp = ifp; bp->bif_dlt = dlt; - rw_init(>bif_lock, "bpf interface lock"); - KASSERT(*driverp == NULL, ("bpfattach2: driverp already initialized")); + bp->bif_hdrlen = hdrlen; bp->bif_bpf = driverp; *driverp = bp; BPF_LOCK(); LIST_INSERT_HEAD(_iflist, bp, bif_next); BPF_UNLOCK(); - - bp->bif_hdrlen = hdrlen; if (bootverbose && IS_DEFAULT_VNET(curvnet)) if_printf(ifp, "bpf attached\n");
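Review bot: good change; the reordering also closes a small window the log does not mention: bif_hdrlen used to be stored after LIST_INSERT_HEAD() and BPF_UNLOCK(), so a concurrent walker of bpf_iflist could observe the new bpf_if with bif_hdrlen still 0, and now the structure is complete before it becomes reachable. One caveat for the M_WAITOK conversion worth stating in the log: malloc(M_WAITOK) asserts that no non-sleepable lock is held, so any driver that reaches bpfattach() with a mutex held will now trip that assertion in a WITNESS kernel; that is a better failure mode than the old panic on allocation failure, but it is a behavioural change for such callers.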
Re: svn commit: r345274 - in head: sbin/ipfw sys/conf sys/modules/ipfw_nat64 sys/netinet6 sys/netpfil/ipfw/nat64
On 19.03.2019 02:09, Gleb Smirnoff wrote: > Hi, > > On Mon, Mar 18, 2019 at 12:59:09PM +0000, Andrey V. Elsukov wrote: > A> Author: ae > A> Date: Mon Mar 18 12:59:08 2019 > A> New Revision: 345274 > A> URL: https://svnweb.freebsd.org/changeset/base/345274 > A> > A> Log: > A> Update NAT64LSN implementation: > ... > A> o ConcurrencyKit and epoch(9) is used to make NAT64LSN lockless on fast > path. > > Why did you create a separate epoch? All the pfil hooks already run at network > epoch.

Hi,

You did not specify when you plan to merge your changes. I assume that you didn't plan to do that. :)

-- 
WBR, Andrey V. Elsukov
svn commit: r345275 - in head: sbin/ipfw sys/conf sys/modules/ipfw_nat64 sys/netinet6 sys/netpfil/ipfw/nat64
Author: ae Date: Mon Mar 18 14:00:19 2019 New Revision: 345275 URL: https://svnweb.freebsd.org/changeset/base/345275 Log: Revert r345274. It appears that not all 32-bit architectures have necessary CK primitives. Modified: head/sbin/ipfw/ipfw.8 head/sbin/ipfw/ipfw2.h head/sbin/ipfw/nat64lsn.c head/sys/conf/files head/sys/modules/ipfw_nat64/Makefile head/sys/netinet6/ip_fw_nat64.h head/sys/netpfil/ipfw/nat64/nat64lsn.c head/sys/netpfil/ipfw/nat64/nat64lsn.h head/sys/netpfil/ipfw/nat64/nat64lsn_control.c Modified: head/sbin/ipfw/ipfw.8 == --- head/sbin/ipfw/ipfw.8 Mon Mar 18 12:59:08 2019(r345274) +++ head/sbin/ipfw/ipfw.8 Mon Mar 18 14:00:19 2019(r345275) @@ -3300,7 +3300,6 @@ See .Sx SYSCTL VARIABLES for more info. .Sh IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION -.Ss Stateful translation .Nm supports in-kernel IPv6/IPv4 network address and protocol translation. Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers @@ -3318,8 +3317,7 @@ to be able use stateful NAT64 translator. Stateful NAT64 uses a bunch of memory for several types of objects. When IPv6 client initiates connection, NAT64 translator creates a host entry in the states table. -Each host entry uses preallocated IPv4 alias entry. -Each alias entry has a number of ports group entries allocated on demand. +Each host entry has a number of ports group entries allocated on demand. Ports group entries contains connection state entries. There are several options to control limits and lifetime for these objects. .Pp @@ -3339,11 +3337,6 @@ First time an original packet is handled and consumed and then it is handled again as translated packet. This behavior can be changed by sysctl variable .Va net.inet.ip.fw.nat64_direct_output . -Also translated packet can be tagged using -.Cm tag -rule action, and then matched by -.Cm tagged -opcode to avoid loops and extra overhead. .Pp The stateful NAT64 configuration command is the following: .Bd -ragged -offset indent 
@@ -3371,16 +3364,15 @@ to represent IPv4 addresses. This IPv6 prefix should b The translator implementation follows RFC6052, that restricts the length of prefixes to one of following: 32, 40, 48, 56, 64, or 96. The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long. -The special -.Ar ::/length -prefix can be used to handle several IPv6 prefixes with one NAT64 instance. -The NAT64 instance will determine a destination IPv4 address from prefix -.Ar length . -.It Cm states_chunks Ar number -The number of states chunks in single ports group. -Each ports group by default can keep 64 state entries in single chunk. -The above value affects the maximum number of states that can be associated with single IPv4 alias address and port. -The value must be power of 2, and up to 128. +.It Cm max_ports Ar number +Maximum number of ports reserved for upper level protocols to one IPv6 client. +All reserved ports are divided into chunks between supported protocols. +The number of connections from one IPv6 client is limited by this option. +Note that closed TCP connections still remain in the list of connections until +.Cm tcp_close_age +interval will not expire. +Default value is +.Ar 2048 . .It Cm host_del_age Ar seconds The number of seconds until the host entry for a IPv6 client will be deleted and all its resources will be released due to inactivity. Modified: head/sbin/ipfw/ipfw2.h == --- head/sbin/ipfw/ipfw2.h Mon Mar 18 12:59:08 2019(r345274) +++ head/sbin/ipfw/ipfw2.h Mon Mar 18 14:00:19 2019(r345275) @@ -278,7 +278,6 @@ enum tokens { TOK_AGG_LEN, TOK_AGG_COUNT, TOK_MAX_PORTS, - TOK_STATES_CHUNKS, TOK_JMAXLEN, TOK_PORT_RANGE, TOK_HOST_DEL_AGE, Modified: head/sbin/ipfw/nat64lsn.c == --- head/sbin/ipfw/nat64lsn.c Mon Mar 18 12:59:08 2019(r345274) +++ head/sbin/ipfw/nat64lsn.c Mon Mar 18 14:00:19 2019(r345275) 
@@ -87,70 +87,68 @@ nat64lsn_print_states(void *buf) char sflags[4], *sf, *proto; ipfw_obj_header *oh; ipfw_obj_data *od; - ipfw_nat64lsn_stg_v1 *stg; - ipfw_nat64lsn_state_v1 *ste; + ipfw_nat64lsn_stg *stg; + ipfw_nat64lsn_state *ste; uint64_t next_idx; int i, sz; oh = (ipfw_obj_header *)buf; od = (ipfw_obj_data *)(oh + 1); - stg = (ipfw_nat64lsn_stg_v1 *)(od + 1); + stg = (ipfw_nat64lsn_stg *)(od + 1); sz = od->head.length - sizeof(*od); next_idx = 0; while (sz > 0 && next_idx != 0xFF) { - next_idx = stg->next.index; + next_idx = stg->next_idx; sz -= sizeof(*stg); if (stg->count == 0) {
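Review bot: the restored `max_ports` entry in the ipfw.8 hunk (@@ -3371,16 +3364,15 @@) carries a double negative, "still remain in the list of connections until .Cm tcp_close_age interval will not expire"; the intended meaning is that closed TCP connections stay listed until the `tcp_close_age` interval expires. Since this commit deliberately restores the pre-r345274 text, leave the wording alone here and fix it in a follow-up. The log entry would also help the re-land if it named which CK primitives are missing and on which 32-bit architectures, so the next attempt can be gated on them rather than reverted wholesale.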
svn commit: r345274 - in head: sbin/ipfw sys/conf sys/modules/ipfw_nat64 sys/netinet6 sys/netpfil/ipfw/nat64
Author: ae Date: Mon Mar 18 12:59:08 2019 New Revision: 345274 URL: https://svnweb.freebsd.org/changeset/base/345274 Log: Update NAT64LSN implementation: o most of the data structures and relations were modified to be able to support a large number of translation states. Now each supported protocol can use the full ports range. Ports groups now belong to IPv4 alias addresses, not hosts. Each ports group can keep several states chunks. This is controlled with the new `states_chunks` config option. States chunks allow having several translation states for a single alias address and port, but for different destination addresses. o by default all hash tables now use jenkins hash. o ConcurrencyKit and epoch(9) are used to make NAT64LSN lockless on the fast path. o one NAT64LSN instance can now be used to handle several IPv6 prefixes; the special prefix "::" value should be used for this purpose when the instance is created. o due to modified internal data structure relations, the socket opcode that does states listing was changed. Obtained from: Yandex LLC MFC after: 1 month Sponsored by: Yandex LLC Modified: head/sbin/ipfw/ipfw.8 head/sbin/ipfw/ipfw2.h head/sbin/ipfw/nat64lsn.c head/sys/conf/files head/sys/modules/ipfw_nat64/Makefile head/sys/netinet6/ip_fw_nat64.h head/sys/netpfil/ipfw/nat64/nat64lsn.c head/sys/netpfil/ipfw/nat64/nat64lsn.h head/sys/netpfil/ipfw/nat64/nat64lsn_control.c Modified: head/sbin/ipfw/ipfw.8 == --- head/sbin/ipfw/ipfw.8 Mon Mar 18 12:41:42 2019(r345273) +++ head/sbin/ipfw/ipfw.8 Mon Mar 18 12:59:08 2019(r345274) @@ -3300,6 +3300,7 @@ See .Sx SYSCTL VARIABLES for more info. .Sh IPv6/IPv4 NETWORK ADDRESS AND PROTOCOL TRANSLATION +.Ss Stateful translation .Nm supports in-kernel IPv6/IPv4 network address and protocol translation. Stateful NAT64 translation allows IPv6-only clients to contact IPv4 servers 
@@ -3317,7 +3318,8 @@ to be able use stateful NAT64 translator. Stateful NAT64 uses a bunch of memory for several types of objects. When IPv6 client initiates connection, NAT64 translator creates a host entry in the states table. -Each host entry has a number of ports group entries allocated on demand. +Each host entry uses preallocated IPv4 alias entry. +Each alias entry has a number of ports group entries allocated on demand. Ports group entries contains connection state entries. There are several options to control limits and lifetime for these objects. .Pp @@ -3337,6 +3339,11 @@ First time an original packet is handled and consumed and then it is handled again as translated packet. This behavior can be changed by sysctl variable .Va net.inet.ip.fw.nat64_direct_output . +Also translated packet can be tagged using +.Cm tag +rule action, and then matched by +.Cm tagged +opcode to avoid loops and extra overhead. .Pp The stateful NAT64 configuration command is the following: .Bd -ragged -offset indent 
@@ -3364,15 +3371,16 @@ to represent IPv4 addresses. This IPv6 prefix should b The translator implementation follows RFC6052, that restricts the length of prefixes to one of following: 32, 40, 48, 56, 64, or 96. The Well-Known IPv6 Prefix 64:ff9b:: must be 96 bits long. -.It Cm max_ports Ar number -Maximum number of ports reserved for upper level protocols to one IPv6 client. -All reserved ports are divided into chunks between supported protocols. -The number of connections from one IPv6 client is limited by this option. -Note that closed TCP connections still remain in the list of connections until -.Cm tcp_close_age -interval will not expire. -Default value is -.Ar 2048 . +The special +.Ar ::/length +prefix can be used to handle several IPv6 prefixes with one NAT64 instance. +The NAT64 instance will determine a destination IPv4 address from prefix +.Ar length . +.It Cm states_chunks Ar number +The number of states chunks in single ports group. +Each ports group by default can keep 64 state entries in single chunk. +The above value affects the maximum number of states that can be associated with single IPv4 alias address and port. +The value must be power of 2, and up to 128. .It Cm host_del_age Ar seconds The number of seconds until the host entry for a IPv6 client will be deleted and all its resources will be released due to inactivity. Modified: head/sbin/ipfw/ipfw2.h == --- head/sbin/ipfw/ipfw2.h Mon Mar 18 12:41:42 2019(r345273) +++ head/sbin/ipfw/ipfw2.h Mon Mar 18 12:59:08 2019(r345274) @@ -278,6 +278,7 @@ enum tokens { TOK_AGG_LEN, TOK_AGG_COUNT, TOK_MAX_PORTS, + TOK_STATES_CHUNKS, TOK_JMAXLEN, TOK_PORT_RANGE, TOK_HOST_DEL_AGE, Modified: head/sbin/ipfw/nat64lsn.c
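Review bot: the ipfw.8 hunk (@@ -3364,15 +3371,16 @@) deletes the whole `.It Cm max_ports Ar number` entry, yet the ipfw2.h hunk keeps `TOK_MAX_PORTS` in `enum tokens` directly above the new `TOK_STATES_CHUNKS`. Either `max_ports` is still parsed, in which case the man page should keep the entry (marked as accepted for compatibility and ignored, if that is the case), or it is no longer accepted and the token should be removed in the same change so the parser and the documentation agree.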
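Review bot: the new `states_chunks` entry in the ipfw.8 hunk states the constraint ("The value must be power of 2, and up to 128") but not the default, whereas the `max_ports` entry it replaces ended with "Default value is .Ar 2048 ."; please add the default, and fix "The value must be power of 2" to "The value must be a power of 2". In the same hunk, "The NAT64 instance will determine a destination IPv4 address from prefix .Ar length ." is ambiguous for the `::/length` form: say whether `length` is restricted to the RFC6052 set listed two sentences earlier (32, 40, 48, 56, 64, or 96) and that the IPv4 address is taken from the destination IPv6 address at the offset implied by that length, since with a `::` prefix there is no prefix match to fall back on.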