rpki-client: limit number of RSC checklist entries?

2022-05-31 Thread Theo Buehler
When compared to manifest FileAndHash, the RSC code doesn't limit the
size of the FileNameAndHash list. Should we do this for consistency?

The situation is of course not quite the same since we're in -f mode.
However, we do impose limits on the sizes of other resources, so it
looks like a missing check.

Index: extern.h
===
RCS file: /cvs/src/usr.sbin/rpki-client/extern.h,v
retrieving revision 1.140
diff -u -p -r1.140 extern.h
--- extern.h31 May 2022 18:41:43 -  1.140
+++ extern.h31 May 2022 20:35:41 -
@@ -700,6 +700,9 @@ int mkpathat(int, const char *);
 
 /* Maximum acceptable file size */
 #define MAX_FILE_SIZE  400
+
+/* Maximum number of FileNameAndHash entries per RSC checklist. */
+#define MAX_CHECKLIST_ENTRIES  10
 
 /* Maximum number of FileAndHash entries per manifest. */
 #define MAX_MANIFEST_ENTRIES   10
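Review bot: MAX_CHECKLIST_ENTRIES is given the same value as MAX_MANIFEST_ENTRIES two lines below, but nothing ties the two together or says why an RSC checklist should get the same bound as a manifest; either define it in terms of MAX_MANIFEST_ENTRIES or state the rationale in the comment, so the two limits do not drift apart silently in a later edit.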
Index: mft.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/mft.c,v
retrieving revision 1.69
diff -u -p -r1.69 mft.c
--- mft.c   31 May 2022 18:51:35 -  1.69
+++ mft.c   1 Jun 2022 06:34:39 -
@@ -323,7 +323,7 @@ mft_parse_econtent(const unsigned char *
goto out;
}
 
-   if (sk_FileAndHash_num(mft->fileList) > MAX_MANIFEST_ENTRIES) {
+   if (sk_FileAndHash_num(mft->fileList) >= MAX_MANIFEST_ENTRIES) {
warnx("%s: %d exceeds manifest entry limit (%d)", p->fn,
sk_FileAndHash_num(mft->fileList), MAX_MANIFEST_ENTRIES);
goto out;
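Review bot: changing `>` to `>=` makes a manifest with exactly MAX_MANIFEST_ENTRIES entries fail, yet the unchanged warnx() below still reports "exceeds manifest entry limit", so the message now misstates the condition; either keep `>` or reword the message, and mention this manifest-side change in the description, which only talks about the RSC checklist.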
Index: rsc.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/rsc.c,v
retrieving revision 1.7
diff -u -p -r1.7 rsc.c
--- rsc.c   31 May 2022 18:51:35 -  1.7
+++ rsc.c   1 Jun 2022 06:36:15 -
@@ -279,6 +279,12 @@ rsc_parse_checklist(struct parse *p, con
return 0;
}
 
+   if (sz >= MAX_CHECKLIST_ENTRIES) {
+   warnx("%s: %zu exceeds checklist entry limit (%d)", p->fn, sz,
+   MAX_CHECKLIST_ENTRIES);
+   return 0;
+   }
+
p->res->files = calloc(sz, sizeof(struct rscfile));
if (p->res->files == NULL)
err(1, NULL);
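Review bot: same off-by-one between check and message as in mft.c: `sz >= MAX_CHECKLIST_ENTRIES` rejects a checklist with exactly MAX_CHECKLIST_ENTRIES entries while the warning says "exceeds". Placing the check before `calloc(sz, sizeof(struct rscfile))` is the right order, since it bounds the allocation before anything is reserved for an oversized list, and using `%zu` for the size_t count is correct.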



Re: rpki-client: implement rsc-08.txt with templates

2022-05-31 Thread Job Snijders
On Tue, May 31, 2022 at 04:16:20PM +0200, Claudio Jeker wrote:
> On Tue, May 31, 2022 at 01:16:19PM +0200, Theo Buehler wrote:
> > I chose to implement the constrained versions of the RFC 3779 types from
> > the draft because the OpenSSL RFC 3779 code has static IPAddrBlocks_it,
> > so we have to work around that anyway. This isn't quite minimal, but it
> > avoids asymmetry between ASIdentifiers and IPAddrBlocks and it's cleaner
> > than reusing as many of the available RFC 3779 types as possible (which
> > also means additional checks either when walking the structs or after).
> > 
> > The diff has three parts that build on top of each other. There is no
> > overlap outside of extern.h, so it should not make the review harder.
> > 
> > The mechanical cert.c diff adjusts some sbgp_addr_*() and sbgp_as_*() to
> > remove the struct parse argument so that we can use them from rsc.c.
> > 
> > The rsc.c diff is the tricky part: it switches to templates and uses the
> > cert.c functions. rsc_parse_aslist() and rsc_parse_iplist() are similar
> > to sbgp_assysnum() and sbgp_ipaddrblk(), but somewhat easier. We get
> > rid of the copy-paste XXXs and the last bit of low level ASN.1 fiddling. 
> > 
> > Remove the unused ASN1_frame() and cms_econtent_version() from cms.c.
> 
> I checked the changes outside of rsc.c and am OK with those.
> I also looked at the new version of rsc.c and think it is much nicer code.
> I did not test the rsc.c changes with an RSC file though.

I tested with an RSC! :-)

OK job@

Kind regards,

Job



Re: start unlocking kbind(2)

2022-05-31 Thread Martin Pieuchot
On 18/05/22(Wed) 15:53, Alexander Bluhm wrote:
> On Tue, May 17, 2022 at 10:44:54AM +1000, David Gwynne wrote:
> > +   cookie = SCARG(uap, proc_cookie);
> > +   if (pr->ps_kbind_addr == pc) {
> > +   membar_datadep_consumer();
> > +   if (pr->ps_kbind_cookie != cookie)
> > +   goto sigill;
> > +   } else {
> 
> You must use membar_consumer() here.  membar_datadep_consumer() is
> a barrier between reading pointer and pointed data.  Only alpha
> requires membar_datadep_consumer() for that, everywhere else it is
> a NOP.
> 
> > +   mtx_enter(&pr->ps_mtx);
> > +   kpc = pr->ps_kbind_addr;
> 
> Do we need kpc variable?  I would prefer to read explicit
> pr->ps_kbind_addr in the two places where we use it.
> 
> I think the logic of barriers and mutexes is correct.
> 
> with the suggestions above OK bluhm@

I believe you should go ahead with the current diff.  ok with me.  Moving
the field under the scope of another lock can be easily done afterward.



Re: rpki-client: implement rsc-08.txt with templates

2022-05-31 Thread Claudio Jeker
On Tue, May 31, 2022 at 01:16:19PM +0200, Theo Buehler wrote:
> I chose to implement the constrained versions of the RFC 3779 types from
> the draft because the OpenSSL RFC 3779 code has static IPAddrBlocks_it,
> so we have to work around that anyway. This isn't quite minimal, but it
> avoids asymmetry between ASIdentifiers and IPAddrBlocks and it's cleaner
> than reusing as many of the available RFC 3779 types as possible (which
> also means additional checks either when walking the structs or after).
> 
> The diff has three parts that build on top of each other. There is no
> overlap outside of extern.h, so it should not make the review harder.
> 
> The mechanical cert.c diff adjusts some sbgp_addr_*() and sbgp_as_*() to
> remove the struct parse argument so that we can use them from rsc.c.
> 
> The rsc.c diff is the tricky part: it switches to templates and uses the
> cert.c functions. rsc_parse_aslist() and rsc_parse_iplist() are similar
> to sbgp_assysnum() and sbgp_ipaddrblk(), but somewhat easier. We get
> rid of the copy-paste XXXs and the last bit of low level ASN.1 fiddling. 
> 
> Remove the unused ASN1_frame() and cms_econtent_version() from cms.c.

I checked the changes outside of rsc.c and am OK with those.
I also looked at the new version of rsc.c and think it is much nicer code.
I did not test the rsc.c changes with an RSC file though.
 
OK claudio@

> Index: cert.c
> ===
> RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
> retrieving revision 1.82
> diff -u -p -r1.82 cert.c
> --- cert.c15 May 2022 15:00:53 -  1.82
> +++ cert.c31 May 2022 10:46:00 -
> @@ -58,11 +58,12 @@ extern ASN1_OBJECT*notify_oid;/* 1.3.6
>   * Returns zero on failure (IP overlap) non-zero on success.
>   */
>  static int
> -append_ip(struct parse *p, const struct cert_ip *ip)
> +append_ip(const char *fn, struct cert_ip *ips, size_t *ipsz,
> +const struct cert_ip *ip)
>  {
> - if (!ip_addr_check_overlap(ip, p->fn, p->res->ips, p->res->ipsz))
> + if (!ip_addr_check_overlap(ip, fn, ips, *ipsz))
>   return 0;
> - p->res->ips[p->res->ipsz++] = *ip;
> + ips[(*ipsz)++] = *ip;
>   return 1;
>  }
>  
> @@ -72,11 +73,12 @@ append_ip(struct parse *p, const struct 
>   * as defined by RFC 3779 section 3.3.
>   */
>  static int
> -append_as(struct parse *p, const struct cert_as *as)
> +append_as(const char *fn, struct cert_as *ases, size_t *asz,
> +const struct cert_as *as)
>  {
> - if (!as_check_overlap(as, p->fn, p->res->as, p->res->asz))
> + if (!as_check_overlap(as, fn, ases, *asz))
>   return 0;
> - p->res->as[p->res->asz++] = *as;
> + ases[(*asz)++] = *as;
>   return 1;
>  }
>  
> @@ -84,8 +86,9 @@ append_as(struct parse *p, const struct 
>   * Parse a range of AS identifiers as in 3.2.3.8.
>   * Returns zero on failure, non-zero on success.
>   */
> -static int
> -sbgp_asrange(struct parse *p, const ASRange *range)
> +int
> +sbgp_as_range(const char *fn, struct cert_as *ases, size_t *asz,
> +const ASRange *range)
>  {
>   struct cert_as   as;
>  
> @@ -94,34 +97,35 @@ sbgp_asrange(struct parse *p, const ASRa
>  
>   if (!as_id_parse(range->min, &as.range.min)) {
>   warnx("%s: RFC 3779 section 3.2.3.8 (via RFC 1930): "
> - "malformed AS identifier", p->fn);
> + "malformed AS identifier", fn);
>   return 0;
>   }
>  
>   if (!as_id_parse(range->max, &as.range.max)) {
>   warnx("%s: RFC 3779 section 3.2.3.8 (via RFC 1930): "
> - "malformed AS identifier", p->fn);
> + "malformed AS identifier", fn);
>   return 0;
>   }
>  
>   if (as.range.max == as.range.min) {
>   warnx("%s: RFC 3379 section 3.2.3.8: ASRange: "
> - "range is singular", p->fn);
> + "range is singular", fn);
>   return 0;
>   } else if (as.range.max < as.range.min) {
>   warnx("%s: RFC 3379 section 3.2.3.8: ASRange: "
> - "range is out of order", p->fn);
> + "range is out of order", fn);
>   return 0;
>   }
>  
> - return append_as(p, &as);
> + return append_as(fn, ases, asz, &as);
>  }
>  
>  /*
>   * Parse an entire 3.2.3.10 integer type.
>   */
> -static int
> -sbgp_asid(struct parse *p, const ASN1_INTEGER *i)
> +int
> +sbgp_as_id(const char *fn, struct cert_as *ases, size_t *asz,
> +const ASN1_INTEGER *i)
>  {
>   struct cert_as   as;
>  
> @@ -130,27 +134,27 @@ sbgp_asid(struct parse *p, const ASN1_IN
>  
>   if (!as_id_parse(i, &as.id)) {
>   warnx("%s: RFC 3779 section 3.2.3.10 (via RFC 1930): "
> - "malformed AS identifier", p->fn);
> + "malformed AS identifier", fn);
>   return 0;
>   }
>   if (as.id == 0) {
>   warnx("%s: RFC 3779

TLSv1.3 PSK: add support for psk_key_exchange_modes extension

2022-05-31 Thread Theo Buehler
The diff below implements sending and parsing the psk_key_exchange_modes
extension. Only PSK_DHE_KE will be supported, so clients only indicate
support for this mode and servers ignore all other modes (i.e., PSK_KE).

This is currently gated behind a use_psk_dhe_ke Boolean in the TLSv1.3
handshake struct, which isn't set client side and is ignored server side.

The diff also adds boilerplate for the pre-shared key extension. Due to
the way the transcript hash for PSK binders is calculated, clients MUST
send this as the last extension, so the extension is added to the end of
tls_extensions[] which makes sure of this for both clients and servers.

Index: ssl_locl.h
===
RCS file: /cvs/src/lib/libssl/ssl_locl.h,v
retrieving revision 1.388
diff -u -p -r1.388 ssl_locl.h
--- ssl_locl.h  17 Mar 2022 17:22:16 -  1.388
+++ ssl_locl.h  31 May 2022 13:16:07 -
@@ -548,6 +548,9 @@ typedef struct ssl_handshake_tls13_st {
int use_legacy;
int hrr;
 
+   /* Client indicates psk_dhe_ke support in PskKeyExchangeMode. */
+   int use_psk_dhe_ke;
+
/* Certificate selected for use (static pointer). */
const SSL_CERT_PKEY *cpk;
 
Index: ssl_tlsext.c
===
RCS file: /cvs/src/lib/libssl/ssl_tlsext.c,v
retrieving revision 1.110
diff -u -p -r1.110 ssl_tlsext.c
--- ssl_tlsext.c5 Feb 2022 14:54:10 -   1.110
+++ ssl_tlsext.c31 May 2022 13:15:05 -
@@ -1832,6 +1832,119 @@ tlsext_cookie_client_parse(SSL *s, uint1
return 0;
 }
 
+/*
+ * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9.
+ */
+
+int
+tlsext_psk_key_exchange_modes_client_needs(SSL *s, uint16_t msg_type)
+{
+   return (s->s3->hs.tls13.use_psk_dhe_ke &&
+   s->s3->hs.our_max_tls_version >= TLS1_3_VERSION);
+}
+
+int
+tlsext_psk_key_exchange_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
+{
+   CBB ke_modes;
+
+   if (!CBB_add_u8_length_prefixed(cbb, &ke_modes))
+   return 0;
+
+   /* Do not indicate support for PSK-only key establishment. */
+   if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE))
+   return 0;
+
+   if (!CBB_flush(cbb))
+   return 0;
+
+   return 1;
+}
+
+int
+tlsext_psk_key_exchange_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
+int *alert)
+{
+   CBS ke_modes;
+   uint8_t ke_mode;
+
+   if (!CBS_get_u8_length_prefixed(cbs, &ke_modes))
+   return 0;
+
+   while (CBS_len(&ke_modes) > 0) {
+   if (!CBS_get_u8(&ke_modes, &ke_mode))
+   return 0;
+
+   if (ke_mode == TLS13_PSK_DHE_KE)
+   s->s3->hs.tls13.use_psk_dhe_ke = 1;
+   }
+
+   return 1;
+}
+
+/* Servers MUST NOT send this extension. */
+
+int
+tlsext_psk_key_exchange_modes_server_needs(SSL *s, uint16_t msg_type)
+{
+   return 0;
+}
+
+int
+tlsext_psk_key_exchange_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
+{
+   return 0;
+}
+
+int
+tlsext_psk_key_exchange_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
+int *alert)
+{
+   return 0;
+}
+
+/*
+ * Pre-Shared Key Extension - RFC 8446, 4.2.11
+ */
+
+int
+tlsext_pre_shared_key_client_needs(SSL *s, uint16_t msg_type)
+{
+   return 0;
+}
+
+int
+tlsext_pre_shared_key_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
+{
+   return 0;
+}
+
+int
+tlsext_pre_shared_key_client_parse(SSL *s, uint16_t msg_type, CBS *cbs,
+int *alert)
+{
+   return 0;
+}
+
+int
+tlsext_pre_shared_key_server_needs(SSL *s, uint16_t msg_type)
+{
+   return 0;
+}
+
+int
+tlsext_pre_shared_key_server_build(SSL *s, uint16_t msg_type, CBB *cbb)
+{
+   return 0;
+}
+
+int
+tlsext_pre_shared_key_server_parse(SSL *s, uint16_t msg_type, CBS *cbs,
+int *alert)
+{
+   return 0;
+}
+
 struct tls_extension_funcs {
int (*needs)(SSL *s, uint16_t msg_type);
int (*build)(SSL *s, uint16_t msg_type, CBB *cbb);
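Review bot: tlsext_psk_key_exchange_modes_server_parse() accepts an empty ke_modes vector. RFC 8446 defines `PskKeyExchangeMode ke_modes<1..255>`, so after `CBS_get_u8_length_prefixed(cbs, &ke_modes)` a `CBS_len(&ke_modes) == 0` case should fail the parse (setting *alert to decode_error if the caller does not already default to it) rather than fall through to `return 1` with use_psk_dhe_ke left clear. Ignoring unknown modes inside the loop is what the RFC asks for; also make sure the generic parse loop rejects bytes left in cbs after the vector, since this function does not check that itself.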
@@ -2018,8 +2131,38 @@ static const struct tls_extension tls_ex
.build = tlsext_srtp_server_build,
.parse = tlsext_srtp_server_parse,
},
-   }
+   },
 #endif /* OPENSSL_NO_SRTP */
+   {
+   .type = TLSEXT_TYPE_psk_key_exchange_modes,
+   .messages = SSL_TLSEXT_MSG_CH,
+   .client = {
+   .needs = tlsext_psk_key_exchange_modes_client_needs,
+   .build = tlsext_psk_key_exchange_modes_client_build,
+   .parse = tlsext_psk_key_exchange_modes_client_parse,
+   },
+   .server = {
+   .needs = tlsext_psk_key_exchange_modes_server_needs,
+   .build = tlsext_psk_key_exchange_modes_server_build,
+   .parse = tlsext_psk_key_exchange_modes_server_parse,
+   },
+   },
+   
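Review bot: the `}` to `},` fix on the SRTP entry is required for anything to follow it under `#endif /* OPENSSL_NO_SRTP */`, but the ordering constraint stated in the description (pre_shared_key must be the last entry in tls_extensions[] because of the binder transcript) is not recorded in the table; add a comment at the end of the array saying that new entries go above pre_shared_key, otherwise a later addition appended below will silently break the binder calculation. The excerpt is cut before the pre_shared_key entry itself.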

TLSv1.3 PSK: reject PSK without psk_key_exchange_modes

2022-05-31 Thread Theo Buehler
RFC 8446, 4.2.9:
   A client MUST provide a "psk_key_exchange_modes" extension if it
   offers a "pre_shared_key" extension.  If clients offer
   "pre_shared_key" without a "psk_key_exchange_modes" extension,
   servers MUST abort the handshake.

The check below will make servers abort the handshake with a
missing_extension alert. Since we don't support these extensions
(i.e., we ignore them), this is currently a noop.

Index: tls13_server.c
===
RCS file: /cvs/src/lib/libssl/tls13_server.c,v
retrieving revision 1.96
diff -u -p -r1.96 tls13_server.c
--- tls13_server.c  3 Feb 2022 16:33:12 -   1.96
+++ tls13_server.c  31 May 2022 13:02:49 -
@@ -108,10 +108,15 @@ tls13_client_hello_required_extensions(s
 */
 
/*
-* If we got no pre_shared_key, then signature_algorithms and
-* supported_groups must both be present.
+* RFC 8446, 4.2.9: if we got a pre_shared_key, then we also need
+* psk_key_exchange_modes. Otherwise, section 9.2 specifies that we
+* need both signature_algorithms and supported_groups.
 */
-   if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) {
+   if (tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) {
+   if (!tlsext_extension_seen(s,
+   TLSEXT_TYPE_psk_key_exchange_modes))
+   return 0;
+   } else {
if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms))
return 0;
if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups))


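Added example (my code, not LibreSSL's or the diff's), covering both this post and the psk_key_exchange_modes post above: it walks a ClientHello extensions block, parses ke_modes<1..255> honouring only psk_dhe_ke, and applies the section 4.2.9 rule (pre_shared_key must be last and come with psk_key_exchange_modes; otherwise signature_algorithms and supported_groups are required). It assumes plain pointers in place of CBS, the IANA extension type numbers, and constructed sample blocks with the bodies of the non-PSK extensions elided.

```c
/* Added example, not LibreSSL code: RFC 8446 4.2.9 handling for a TLS 1.3
 * ClientHello extensions block. Plain pointers stand in for LibreSSL's CBS. */
#include <stddef.h>
#include <stdint.h>
#define EXT_SUPPORTED_GROUPS       10   /* IANA extension type numbers */
#define EXT_SIGNATURE_ALGORITHMS   13
#define EXT_PRE_SHARED_KEY         41
#define EXT_PSK_KEY_EXCHANGE_MODES 45
#define PSK_DHE_KE                  1   /* PskKeyExchangeMode psk_dhe_ke */
#define SEEN(m, t) (((m) >> (t)) & 1ULL)

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* ke_modes<1..255>: an empty list or trailing bytes are malformed; unknown
 * modes (and psk_ke) are ignored, only psk_dhe_ke is recorded. */
static int parse_psk_ke_modes(const uint8_t *d, size_t len, int *dhe_ke)
{
	size_t n, i;
	if (len < 1 || (n = d[0]) < 1 || len - 1 != n)
		return 0;
	for (i = 0; i < n; i++)
		if (d[1 + i] == PSK_DHE_KE)
			*dhe_ke = 1;
	return 1;
}

/* buf: 2-byte length, then entries of 2-byte type, 2-byte length, data.
 * Returns 1 if well-formed and the 4.2.9/9.2 requirements hold, 0 if the
 * server must abort: bad framing, duplicate extension, bad ke_modes,
 * pre_shared_key not last or without psk_key_exchange_modes, or a non-PSK
 * hello lacking signature_algorithms or supported_groups. */
int client_hello_extensions_ok(const uint8_t *buf, size_t buflen, int *dhe_ke)
{
	uint64_t seen = 0;      /* bit t set when extension type t (< 64) seen */
	size_t off, end, type, len = 0;
	int psk_last = 0;
	*dhe_ke = 0;
	if (buflen < 2 || (end = 2 + rd16(buf)) != buflen)
		return 0;
	for (off = 2; off < end; off += 4 + len) {
		if (end - off < 4)
			return 0;
		type = rd16(buf + off);
		len = rd16(buf + off + 2);
		if (end - off - 4 < len)
			return 0;                       /* entry overruns the block */
		if (type < 64 && SEEN(seen, type))
			return 0;                       /* duplicate extension */
		if (type < 64)
			seen |= 1ULL << type;
		psk_last = (type == EXT_PRE_SHARED_KEY);   /* true only if last */
		if (type == EXT_PSK_KEY_EXCHANGE_MODES &&
		    !parse_psk_ke_modes(buf + off + 4, len, dhe_ke))
			return 0;
	}
	if (SEEN(seen, EXT_PRE_SHARED_KEY))
		return psk_last && SEEN(seen, EXT_PSK_KEY_EXCHANGE_MODES);
	return SEEN(seen, EXT_SIGNATURE_ALGORITHMS) && SEEN(seen, EXT_SUPPORTED_GROUPS);
}

/* Constructed extension blocks (not captured traffic); bodies of
 * pre_shared_key, signature_algorithms and supported_groups are elided. */
static const uint8_t SAMPLE_PSK_OK[] = { 0x00, 0x0a,
	0x00, 0x2d, 0x00, 0x02, 0x01, 0x01,    /* 45: ke_modes = [psk_dhe_ke] */
	0x00, 0x29, 0x00, 0x00 };              /* 41: pre_shared_key, last */
static const uint8_t SAMPLE_PSK_NO_MODES[] = { 0x00, 0x04,
	0x00, 0x29, 0x00, 0x00 };              /* pre_shared_key alone */
static const uint8_t SAMPLE_EMPTY_MODES[] = { 0x00, 0x09,
	0x00, 0x2d, 0x00, 0x01, 0x00,          /* ke_modes with zero entries */
	0x00, 0x29, 0x00, 0x00 };
static const uint8_t SAMPLE_CERT_AUTH[] = { 0x00, 0x08,
	0x00, 0x0d, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x00 };   /* 13 and 10 */

/* 1 when sample `which` is accepted (and, for 0, psk_dhe_ke was recorded). */
int sample_accepted(int which)
{
	int dhe = 0;
	switch (which) {
	case 0: return client_hello_extensions_ok(SAMPLE_PSK_OK, sizeof(SAMPLE_PSK_OK), &dhe) && dhe;
	case 1: return client_hello_extensions_ok(SAMPLE_PSK_NO_MODES, sizeof(SAMPLE_PSK_NO_MODES), &dhe);
	case 2: return client_hello_extensions_ok(SAMPLE_EMPTY_MODES, sizeof(SAMPLE_EMPTY_MODES), &dhe);
	default: return client_hello_extensions_ok(SAMPLE_CERT_AUTH, sizeof(SAMPLE_CERT_AUTH), &dhe);
	}
}
```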

rpki-client: implement rsc-08.txt with templates

2022-05-31 Thread Theo Buehler
I chose to implement the constrained versions of the RFC 3779 types from
the draft because the OpenSSL RFC 3779 code has static IPAddrBlocks_it,
so we have to work around that anyway. This isn't quite minimal, but it
avoids asymmetry between ASIdentifiers and IPAddrBlocks and it's cleaner
than reusing as many of the available RFC 3779 types as possible (which
also means additional checks either when walking the structs or after).

The diff has three parts that build on top of each other. There is no
overlap outside of extern.h, so it should not make the review harder.

The mechanical cert.c diff adjusts some sbgp_addr_*() and sbgp_as_*() to
remove the struct parse argument so that we can use them from rsc.c.

The rsc.c diff is the tricky part: it switches to templates and uses the
cert.c functions. rsc_parse_aslist() and rsc_parse_iplist() are similar
to sbgp_assysnum() and sbgp_ipaddrblk(), but somewhat easier. We get
rid of the copy-paste XXXs and the last bit of low level ASN.1 fiddling. 

Remove the unused ASN1_frame() and cms_econtent_version() from cms.c.

Index: cert.c
===
RCS file: /cvs/src/usr.sbin/rpki-client/cert.c,v
retrieving revision 1.82
diff -u -p -r1.82 cert.c
--- cert.c  15 May 2022 15:00:53 -  1.82
+++ cert.c  31 May 2022 10:46:00 -
@@ -58,11 +58,12 @@ extern ASN1_OBJECT  *notify_oid;/* 1.3.6
  * Returns zero on failure (IP overlap) non-zero on success.
  */
 static int
-append_ip(struct parse *p, const struct cert_ip *ip)
+append_ip(const char *fn, struct cert_ip *ips, size_t *ipsz,
+const struct cert_ip *ip)
 {
-   if (!ip_addr_check_overlap(ip, p->fn, p->res->ips, p->res->ipsz))
+   if (!ip_addr_check_overlap(ip, fn, ips, *ipsz))
return 0;
-   p->res->ips[p->res->ipsz++] = *ip;
+   ips[(*ipsz)++] = *ip;
return 1;
 }
 
@@ -72,11 +73,12 @@ append_ip(struct parse *p, const struct 
  * as defined by RFC 3779 section 3.3.
  */
 static int
-append_as(struct parse *p, const struct cert_as *as)
+append_as(const char *fn, struct cert_as *ases, size_t *asz,
+const struct cert_as *as)
 {
-   if (!as_check_overlap(as, p->fn, p->res->as, p->res->asz))
+   if (!as_check_overlap(as, fn, ases, *asz))
return 0;
-   p->res->as[p->res->asz++] = *as;
+   ases[(*asz)++] = *as;
return 1;
 }
 
@@ -84,8 +86,9 @@ append_as(struct parse *p, const struct 
  * Parse a range of AS identifiers as in 3.2.3.8.
  * Returns zero on failure, non-zero on success.
  */
-static int
-sbgp_asrange(struct parse *p, const ASRange *range)
+int
+sbgp_as_range(const char *fn, struct cert_as *ases, size_t *asz,
+const ASRange *range)
 {
struct cert_as   as;
 
@@ -94,34 +97,35 @@ sbgp_asrange(struct parse *p, const ASRa
 
if (!as_id_parse(range->min, &as.range.min)) {
warnx("%s: RFC 3779 section 3.2.3.8 (via RFC 1930): "
-   "malformed AS identifier", p->fn);
+   "malformed AS identifier", fn);
return 0;
}
 
if (!as_id_parse(range->max, &as.range.max)) {
warnx("%s: RFC 3779 section 3.2.3.8 (via RFC 1930): "
-   "malformed AS identifier", p->fn);
+   "malformed AS identifier", fn);
return 0;
}
 
if (as.range.max == as.range.min) {
warnx("%s: RFC 3379 section 3.2.3.8: ASRange: "
-   "range is singular", p->fn);
+   "range is singular", fn);
return 0;
} else if (as.range.max < as.range.min) {
warnx("%s: RFC 3379 section 3.2.3.8: ASRange: "
-   "range is out of order", p->fn);
+   "range is out of order", fn);
return 0;
}
 
-   return append_as(p, &as);
+   return append_as(fn, ases, asz, &as);
 }
 
 /*
  * Parse an entire 3.2.3.10 integer type.
  */
-static int
-sbgp_asid(struct parse *p, const ASN1_INTEGER *i)
+int
+sbgp_as_id(const char *fn, struct cert_as *ases, size_t *asz,
+const ASN1_INTEGER *i)
 {
struct cert_as   as;
 
@@ -130,27 +134,27 @@ sbgp_asid(struct parse *p, const ASN1_IN
 
if (!as_id_parse(i, &as.id)) {
warnx("%s: RFC 3779 section 3.2.3.10 (via RFC 1930): "
-   "malformed AS identifier", p->fn);
+   "malformed AS identifier", fn);
return 0;
}
if (as.id == 0) {
warnx("%s: RFC 3779 section 3.2.3.10 (via RFC 1930): "
-   "AS identifier zero is reserved", p->fn);
+   "AS identifier zero is reserved", fn);
return 0;
}
 
-   return append_as(p, &as);
+   return append_as(fn, ases, asz, &as);
 }
 
 static int
-sbgp_asinherit(struct parse *p)
+sbgp_as_inherit(const char *fn, struct cert_as *ases, size_t *asz)
 {
struct cert_as as;
 

Re: ix(4): Add support for TCP Large Receive Offloading

2022-05-31 Thread Stuart Henderson

Might need "make obj"

--
 Sent from a phone, apologies for poor formatting.

On 31 May 2022 10:22:46 Hrvoje Popovski  wrote:


On 27.5.2022. 18:25, Jan Klemkow wrote:

Hi,

The following diff enables the TCP Large Receive Offloading feature for
ix(4) interfaces.  It also includes a default off sysctl(2) switch.

The TCP single stream receiving performance increased from 3.6 Gbit/s to
9.4 Gbit/s.  Measured from Linux to OpenBSD with tcpbench.

I tested the diff with:
ix0 at pci3 dev 0 function 0 "Intel 82599" rev 0x01, msix, 12 queues, 
address 00:1b:21:87:fb:2c


If you want to test the diff:

 1. Apply the diff
 2. Rebuild the kernel
 3. Rebuild header files
# cd /usr/src && make includes


Hi,

I'm sorry but I'm stuck here.

smc24# cd /usr/src && make includes
cd /usr/src/include &&  su build -c 'exec make prereq' &&  exec make
includes
preparing in /usr/src/include/../lib/libcrypto
cat /usr/src/lib/libcrypto/objects/obj_mac.num > obj_mac.num.tmp
/bin/sh: cannot create obj_mac.num.tmp: Permission denied
*** Error 1 in lib/libcrypto (Makefile:460 'obj_mac.h')
*** Error 2 in include (Makefile:81 'prereq': @for i in ../lib/libcrypto
../lib/librpcsvc; do  echo preparing in /usr/src/include/$i;  cd /u...)
*** Error 2 in /usr/src (Makefile:55 'includes')

I'm doing "make includes" as root ..




 4. Rebuild sysctl(8)
# cd /usr/src/sbin/sysctl && make && make install
 5. Reboot
 6. Enable the feature
# sysctl net.inet.tcp.large_recv_offload=1
# ifconfig ix0 down && ifconfig ix0 up

I tested this diff for a while in different scenarios (receiving,
routing, relaying) without noticing any problems yet.

bluhm@ already suggested that I could change the feature switch from a
global sysctl(2) to a per-interface ifconfig(8) option.  This would
give the user more control.

Tests with other ix(4) NICs are welcome and needed!

bye,
Jan

Index: dev/pci/if_ix.c
===
RCS file: /cvs/src/sys/dev/pci/if_ix.c,v
retrieving revision 1.185
diff -u -p -r1.185 if_ix.c
--- dev/pci/if_ix.c 15 Mar 2022 11:22:10 -  1.185
+++ dev/pci/if_ix.c 23 May 2022 14:39:45 -
@@ -2870,7 +2870,7 @@ ixgbe_initialize_receive_units(struct ix
 {
struct rx_ring  *rxr = sc->rx_rings;
struct ixgbe_hw *hw = &sc->hw;
-   uint32_tbufsz, fctrl, srrctl, rxcsum;
+   uint32_tbufsz, fctrl, srrctl, rxcsum, rdrxctl;
uint32_thlreg;
int i;

@@ -2894,6 +2894,14 @@ ixgbe_initialize_receive_units(struct ix
hlreg |= IXGBE_HLREG0_JUMBOEN;
IXGBE_WRITE_REG(hw, IXGBE_HLREG0, hlreg);

+   if (tcp_lro) {
+   /* enable RSCACKC for RSC */
+   rdrxctl = IXGBE_READ_REG(hw, IXGBE_RDRXCTL);
+   rdrxctl |= IXGBE_RDRXCTL_RSCACKC;
+   rdrxctl |= IXGBE_RDRXCTL_FCOE_WRFIX;
+   IXGBE_WRITE_REG(hw, IXGBE_RDRXCTL, rdrxctl);
+   }
+
bufsz = (sc->rx_mbuf_sz - ETHER_ALIGN) >> IXGBE_SRRCTL_BSIZEPKT_SHIFT;

for (i = 0; i < sc->num_queues; i++, rxr++) {
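Review bot: the comment "enable RSCACKC for RSC" covers only the first bit; IXGBE_RDRXCTL_FCOE_WRFIX is set in the same block without explanation, so say why it is needed alongside RSC or drop it. Also, `tcp_lro` is read once here at initialization, so flipping the sysctl has no effect until the interface is re-initialized, which the `ifconfig ix0 down && ifconfig ix0 up` step in the instructions relies on; a one-line comment here would save the next person from wondering why the sysctl alone did nothing.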
@@ -2909,6 +2917,12 @@ ixgbe_initialize_receive_units(struct ix
/* Set up the SRRCTL register */
srrctl = bufsz | IXGBE_SRRCTL_DESCTYPE_ADV_ONEBUF;
IXGBE_WRITE_REG(hw, IXGBE_SRRCTL(i), srrctl);
+
+   if (tcp_lro) {
+   /* Enable Receive Side Coalescing */
+   IXGBE_WRITE_REG(hw, IXGBE_RSCCTL(i),
+   IXGBE_RSCCTL_RSCEN|IXGBE_RSCCTL_MAXDESC_16);
+   }

/* Setup the HW Rx Head and Tail Descriptor Pointers */
IXGBE_WRITE_REG(hw, IXGBE_RDH(i), 0);
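Review bot: with `IXGBE_RSCCTL_RSCEN|IXGBE_RSCCTL_MAXDESC_16` the hardware may return one coalesced packet spread over up to 16 descriptors while the SRRCTL setup just above keeps IXGBE_SRRCTL_DESCTYPE_ADV_ONEBUF; the receive path that chains those descriptors into a single packet is not visible in this excerpt, so the description should point to where that is handled and how a chain longer than the driver expects is dropped rather than passed up partially.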
Index: dev/pci/ixgbe.h
===
RCS file: /cvs/src/sys/dev/pci/ixgbe.h,v
retrieving revision 1.33
diff -u -p -r1.33 ixgbe.h
--- dev/pci/ixgbe.h 8 Feb 2022 03:38:00 -   1.33
+++ dev/pci/ixgbe.h 23 May 2022 14:53:59 -
@@ -61,11 +61,16 @@
 #include 
 #include 
 #include 
+#include 

 #include 
 #include 
 #include 
+#include 
 #include 
+#include 
+#include 
+#include 

 #if NBPFILTER > 0
 #include 
Index: netinet/tcp_input.c
===
RCS file: /cvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.375
diff -u -p -r1.375 tcp_input.c
--- netinet/tcp_input.c 4 Jan 2022 06:32:39 -   1.375
+++ netinet/tcp_input.c 23 May 2022 14:41:59 -
@@ -126,6 +126,7 @@ struct timeval tcp_rst_ppslim_last;
 int tcp_ackdrop_ppslim = 100;  /* 100pps */
 int tcp_ackdrop_ppslim_count = 0;
 struct timeval tcp_ackdrop_ppslim_last;
+int tcp_lro = 0;   /* TCP Large Receive Offload */

 #define TCP_PAWS_IDLE  (24 * 24 * 60 * 60 * PR_SLOWHZ)

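Review bot: `tcp_lro` is a plain global defined in tcp_input.c but consumed from dev/pci/if_ix.c, so make sure its declaration lives in a shared netinet header rather than a local `extern` in the driver (the tcp_usrreq.c sysctl wiring is cut off in this excerpt); the description's own suggestion of a per-interface ifconfig(8) knob would remove this global entirely, and going there directly avoids shipping a sysctl name that will later need deprecating.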
Index: netinet/tcp_usrreq.c
===
RCS file: /cvs/src/sys/netinet/tcp_usrreq.c,v
retrieving revision 1.183
diff -u -p -r1.183 tcp_usrreq.c
--- net

Re: ix(4): Add support for TCP Large Receive Offloading

2022-05-31 Thread Hrvoje Popovski
On 31.5.2022. 11:36, Theo Buehler wrote:
>> smc24# cd /usr/src && make includes
> 
> Do 'cd /usr/src && make obj' first.
> 

Yes, thank you ...



Re: ix(4): Add support for TCP Large Receive Offloading

2022-05-31 Thread Theo Buehler
> smc24# cd /usr/src && make includes

Do 'cd /usr/src && make obj' first.



Re: ix(4): Add support for TCP Large Receive Offloading

2022-05-31 Thread Hrvoje Popovski
On 27.5.2022. 18:25, Jan Klemkow wrote:
> Hi,
> 
> The following diff enables the TCP Large Receive Offloading feature for
> ix(4) interfaces.  It also includes a default off sysctl(2) switch.
> 
> The TCP single stream receiving performance increased from 3.6 Gbit/s to
> 9.4 Gbit/s.  Measured from Linux to OpenBSD with tcpbench.
> 
> I tested the diff with:
> ix0 at pci3 dev 0 function 0 "Intel 82599" rev 0x01, msix, 12 queues, address 
> 00:1b:21:87:fb:2c
> 
> If you want to test the diff:
> 
>  1. Apply the diff
>  2. Rebuild the kernel
>  3. Rebuild header files
> # cd /usr/src && make includes

Hi,

I'm sorry but I'm stuck here.

smc24# cd /usr/src && make includes
cd /usr/src/include &&  su build -c 'exec make prereq' &&  exec make
includes
preparing in /usr/src/include/../lib/libcrypto
cat /usr/src/lib/libcrypto/objects/obj_mac.num > obj_mac.num.tmp
/bin/sh: cannot create obj_mac.num.tmp: Permission denied
*** Error 1 in lib/libcrypto (Makefile:460 'obj_mac.h')
*** Error 2 in include (Makefile:81 'prereq': @for i in ../lib/libcrypto
../lib/librpcsvc; do  echo preparing in /usr/src/include/$i;  cd /u...)
*** Error 2 in /usr/src (Makefile:55 'includes')

I'm doing "make includes" as root ..



>  4. Rebuild sysctl(8)
> # cd /usr/src/sbin/sysctl && make && make install
>  5. Reboot
>  6. Enable the feature
> # sysctl net.inet.tcp.large_recv_offload=1
> # ifconfig ix0 down && ifconfig ix0 up
> 
> I tested this diff for a while in different scenarios (receiving,
> routing, relaying) without noticing any problems yet.
> 
> bluhm@ already suggested that I could change the feature switch from a
> global sysctl(2) to a per-interface ifconfig(8) option.  This would
> give the user more control.
> 
> Tests with other ix(4) NICs are welcome and needed!
> 
> bye,
> Jan
> 
> Index: dev/pci/if_ix.c
> ===
> RCS file: /cvs/src/sys/dev/pci/if_ix.c,v
> retrieving revision 1.185
> diff -u -p -r1.185 if_ix.c
> --- dev/pci/if_ix.c   15 Mar 2022 11:22:10 -  1.185
> +++ dev/pci/if_ix.c   23 May 2022 14:39:45 -
> @@ -2870,7 +2870,7 @@ ixgbe_initialize_receive_units(struct ix
>  {
>   struct rx_ring  *rxr = sc->rx_rings;
>   struct ixgbe_hw *hw = &sc->hw;
> - uint32_tbufsz, fctrl, srrctl, rxcsum;
> + uint32_tbufsz, fctrl, srrctl, rxcsum, rdrxctl;
>   uint32_thlreg;
>   int i;
>  
> @@ -2894,6 +2894,14 @@ ixgbe_initialize_receive_units(struct ix
>   hlreg |= IXGBE_HLREG0_JUMBOEN;
>   IXGBE_WRITE_REG(hw, IXGBE_HLREG0, hlreg);
>  
> + if (tcp_lro) {
> + /* enable RSCACKC for RSC */
> + rdrxctl = IXGBE_READ_REG(hw, IXGBE_RDRXCTL);
> + rdrxctl |= IXGBE_RDRXCTL_RSCACKC;
> + rdrxctl |= IXGBE_RDRXCTL_FCOE_WRFIX;
> + IXGBE_WRITE_REG(hw, IXGBE_RDRXCTL, rdrxctl);
> + }
> +
>   bufsz = (sc->rx_mbuf_sz - ETHER_ALIGN) >> IXGBE_SRRCTL_BSIZEPKT_SHIFT;
>  
>   for (i = 0; i < sc->num_queues; i++, rxr++) {
> @@ -2909,6 +2917,12 @@ ixgbe_initialize_receive_units(struct ix
>   /* Set up the SRRCTL register */
>   srrctl = bufsz | IXGBE_SRRCTL_DESCTYPE_ADV_ONEBUF;
>   IXGBE_WRITE_REG(hw, IXGBE_SRRCTL(i), srrctl);
> +
> + if (tcp_lro) {
> + /* Enable Receive Side Coalescing */
> + IXGBE_WRITE_REG(hw, IXGBE_RSCCTL(i),
> + IXGBE_RSCCTL_RSCEN|IXGBE_RSCCTL_MAXDESC_16);
> + }
>  
>   /* Setup the HW Rx Head and Tail Descriptor Pointers */
>   IXGBE_WRITE_REG(hw, IXGBE_RDH(i), 0);
> Index: dev/pci/ixgbe.h
> ===
> RCS file: /cvs/src/sys/dev/pci/ixgbe.h,v
> retrieving revision 1.33
> diff -u -p -r1.33 ixgbe.h
> --- dev/pci/ixgbe.h   8 Feb 2022 03:38:00 -   1.33
> +++ dev/pci/ixgbe.h   23 May 2022 14:53:59 -
> @@ -61,11 +61,16 @@
>  #include 
>  #include 
>  #include 
> +#include 
>  
>  #include 
>  #include 
>  #include 
> +#include 
>  #include 
> +#include 
> +#include 
> +#include 
>  
>  #if NBPFILTER > 0
>  #include 
> Index: netinet/tcp_input.c
> ===
> RCS file: /cvs/src/sys/netinet/tcp_input.c,v
> retrieving revision 1.375
> diff -u -p -r1.375 tcp_input.c
> --- netinet/tcp_input.c   4 Jan 2022 06:32:39 -   1.375
> +++ netinet/tcp_input.c   23 May 2022 14:41:59 -
> @@ -126,6 +126,7 @@ struct timeval tcp_rst_ppslim_last;
>  int tcp_ackdrop_ppslim = 100;/* 100pps */
>  int tcp_ackdrop_ppslim_count = 0;
>  struct timeval tcp_ackdrop_ppslim_last;
> +int tcp_lro = 0; /* TCP Large Receive Offload */
>  
>  #define TCP_PAWS_IDLE(24 * 24 * 60 * 60 * PR_SLOWHZ)
>  
> Index: netinet/tcp_usrreq.c
> ===
> RCS file: /cvs/src/sys/netinet