| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
Notes:
svn path=/head/; revision=205831
|
| |
|
|
|
|
|
|
|
|
| |
This patch has two fixes for potential kernel panics (one wrong
index, one access to the wrong lock) and two fixes to wrong logic
in a conditional. The potential panics are also on stable/8,
so I am going to MFC the fix quickly.
Notes:
svn path=/head/; revision=205830
|
| |
|
|
|
|
|
|
|
| |
I forgot to handle this case when i did the mtag cleanup three months ago.
PR: 145004
Notes:
svn path=/head/; revision=205602
|
| |
|
|
|
|
|
|
| |
Sponsored by: The ONELAB2 Project
Submitted by: Riccardo Panicucci
Notes:
svn path=/head/; revision=205417
|
| |
|
|
| |
Notes:
svn path=/head/; revision=205415
|
| |
|
|
| |
Notes:
svn path=/head/; revision=205414
|
| |
|
|
| |
Notes:
svn path=/head/; revision=205178
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
dscp as a search key in table lookups;
+ (re)implement a sysctl variable to control the expire frequency of
pipes and queues when they become empty;
+ add 'queue number' as optional part of the flow_id. This can be
enabled with the command
queue X config mask queue ...
and makes it possible to support priority-based schedulers, where
packets should be grouped according to the priority and not some
fields in the 5-tuple.
This is implemented as follows:
- redefine a field in the ipfw_flow_id (in sys/netinet/ip_fw.h) but
without changing the size or shape of the structure, so there are
no ABI changes. On passing, also document how other fields are
used, and remove some useless assignments in ip_fw2.c
- implement small changes in the userland code to set/read the field;
- revise the functions in ip_dummynet.c to manipulate masks so they
also handle the additional field;
There are no ABI changes in this commit.
Notes:
svn path=/head/; revision=205173
|
| |
|
|
|
|
|
|
| |
The filtering of the output is done in the kernel instead of userland
to reduce the amount of data transfered.
Notes:
svn path=/head/; revision=205050
|
| |
|
|
|
|
|
| |
Submitted by: Riccardo Panicucci
Notes:
svn path=/head/; revision=204954
|
| |
|
|
| |
Notes:
svn path=/head/; revision=204866
|
| |
|
|
| |
Notes:
svn path=/head/; revision=204865
|
| |
|
|
| |
Notes:
svn path=/head/; revision=204862
|
| |
|
|
|
|
|
|
|
|
|
| |
down a virtual netowrk stack, but also free the Radix Node Head.
Sponsored by: ISPsystem
Reviewed by: julian
MFC after: 5 days
Notes:
svn path=/head/; revision=204837
|
| |
|
|
| |
Notes:
svn path=/head/; revision=204763
|
| |
|
|
| |
Notes:
svn path=/head/; revision=204754
|
| |
|
|
| |
Notes:
svn path=/head/; revision=204736
|
| |
|
|
| |
Notes:
svn path=/head/; revision=204735
|
| |
|
|
|
|
|
|
|
| |
This prevents a potential deadlock.
Submitted by: Francesco Magno
Notes:
svn path=/head/; revision=204714
|
| |
|
|
| |
Notes:
svn path=/head/; revision=204713
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
and tested over the past two months in the ipfw3-head branch. This
also happens to be the same code available in the Linux and Windows
ports of ipfw and dummynet.
The major enhancement is a completely restructured version of
dummynet, with support for different packet scheduling algorithms
(loadable at runtime), faster queue/pipe lookup, and a much cleaner
internal architecture and kernel/userland ABI which simplifies
future extensions.
In addition to the existing schedulers (FIFO and WF2Q+), we include
a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new,
very fast version of WF2Q+ called QFQ.
Some test code is also present (in sys/netinet/ipfw/test) that
lets you build and test schedulers in userland.
Also, we have added a compatibility layer that understands requests
from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries,
and replies correctly (at least, it does its best; sometimes you
just cannot tell who sent the request and how to answer).
The compatibility layer should make it possible to MFC this code in a
relatively short time.
Some minor glitches (e.g. handling of ipfw set enable/disable,
and a workaround for a bug in RELENG_7's /sbin/ipfw) will be
fixed with separate commits.
CREDITS:
This work has been partly supported by the ONELAB2 project, and
mostly developed by Riccardo Panicucci and myself.
The code for the qfq scheduler is mostly from Fabio Checconi,
and Marta Carbone and Francesco Magno have helped with testing,
debugging and some bug fixes.
Notes:
svn path=/head/; revision=204591
|
| |
|
|
|
|
|
|
|
| |
the switch.
Reported by: Marta Carbone
Notes:
svn path=/head/; revision=204003
|
| |
|
|
|
|
|
|
|
|
| |
the system as well as any IPv4 address.
Reviewed by: David Horn <dhorn2000__at__gmail.com>, luigi, qingli
MFC after: 2 weeks
Notes:
svn path=/head/; revision=202459
|
| |
|
|
| |
Notes:
svn path=/head/; revision=201745
|
| |
|
|
|
|
|
|
|
|
| |
This should fix the handling of ipv6 packets which i broke when i
made ipfw operate on packets in network format.
Reported by: Hajimu UMEMOTO
Notes:
svn path=/head/; revision=201740
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ip_divert work as a client of pf(4),
make ip_divert not depend on ipfw.
This is achieved by moving to ip_var.h the struct ipfw_rule_ref
(which is part of the mtag for all reinjected packets) and other
declarations of global variables, and moving to raw_ip.c global
variables for filter and divert hooks.
Note that names and locations could be made more generic
(ipfw_rule_ref is really a generic reference robust to reconfigurations;
the packet filter is not necessarily ipfw; filters and their clients
are not necessarily limited to ipv4), but _right now_ most
of this stuff works on ipfw and ipv4, so i don't feel like
doing a gratuitous renaming, at least for the time being.
Notes:
svn path=/head/; revision=201735
|
| |
|
|
| |
Notes:
svn path=/head/; revision=201732
|
| |
|
|
|
|
|
|
|
|
| |
This prevents a panic when ipfw generates packets on its own
(such as reject or keepalives for dynamic rules).
Reported by: Chagin Dmitry
Notes:
svn path=/head/; revision=201722
|
| |
|
|
| |
Notes:
svn path=/head/; revision=201568
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- use a uniform mtag format for all packets that exit and re-enter
the firewall in the middle of a rulechain. On reentry, all tags
containing reinject info are renamed to MTAG_IPFW_RULE so the
processing is simpler.
- make ipfw and dummynet use ip_len and ip_off in network format
everywhere. Conversion is done only once instead of tracking
the format in every place.
- use a macro FREE_PKT to dispose of mbufs. This eases portability.
On passing i also removed a few typos, staticise or localise variables,
remove useless declarations and other minor things.
Overall the code shrinks a bit and is hopefully more readable.
I have tested functionality for all but ng_ipfw and if_bridge/if_ethersubr.
For ng_ipfw i am actually waiting for feedback from glebius@ because
we might have some small changes to make.
For if_bridge and if_ethersubr feedback would be welcome
(there are still some redundant parts in these two modules that
I would like to remove, but first i need to check functionality).
Notes:
svn path=/head/; revision=201527
|
| |
|
|
| |
Notes:
svn path=/head/; revision=201150
|
| |
|
|
|
|
|
|
| |
to find it there. Unfortunately this reintroduces the dependency
on ip_fw_pfil.c
Notes:
svn path=/head/; revision=201124
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r201011
- move most of ng_ipfw.h into ip_fw_private.h, as this code is
ipfw-specific. This removes a dependency on ng_ipfw.h from some files.
- move many equivalent definitions of direction (IN, OUT) for
reinjected packets into ip_fw_private.h
- document the structure of the packet tags used for dummynet
and netgraph;
r201049
- merge some common code to attach/detach hooks into
a single function.
r201055
- remove some duplicated code in ip_fw_pfil. The input
and output processing uses almost exactly the same code so
there is no need to use two separate hooks.
ip_fw_pfil.o goes from 2096 to 1382 bytes of .text
r201057 (see the svn log for full details)
- macros to make the conversion of ip_len and ip_off
between host and network format more explicit
r201113 (the remaining parts)
- readability fixes -- put braces around some large for() blocks,
localize variables so the compiler does not think they are uninitialized,
do not insist on precise allocation size if we have more than we need.
r201119
- when doing a lookup, keys must be in big endian format because
this is what the radix code expects (this fixes a bug in the
recently-introduced 'lookup' option)
No ABI changes in this commit.
MFC after: 1 week
Notes:
svn path=/head/; revision=201122
|
| |
|
|
|
|
|
| |
initializations
Notes:
svn path=/head/; revision=201121
|
| |
|
|
| |
Notes:
svn path=/head/; revision=201120
|
| |
|
|
|
|
|
|
|
|
|
| |
or we create loops.
The divert cookie (that can be set from userland too)
contains the matching rule nr, so we must start from nr+1.
Reported by: Joe Marcus Clarke
Notes:
svn path=/head/; revision=201046
|
| |
|
|
| |
Notes:
svn path=/head/; revision=200951
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
reformatting to avoid unnecessary line breaks, small block
restructuring to avoid unnecessary nesting, replace macros
with function calls, etc.
As a side effect of code restructuring, this commit fixes one bug:
previously, if a realloc() failed, memory was leaked. Now, the
realloc is not there anymore, as we first count how much memory
we need and then do a single malloc.
Notes:
svn path=/head/; revision=200909
|
| |
|
|
|
|
|
| |
Also remove some unnecessary headers
Notes:
svn path=/head/; revision=200897
|
| |
|
|
|
|
|
| |
Also fix the indentation on a few lines.
Notes:
svn path=/head/; revision=200896
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
and remove all O(N) sequences from kernel critical sections in ipfw.
In detail:
1. introduce a IPFW_UH_LOCK to arbitrate requests from
the upper half of the kernel. Some things, such as 'ipfw show',
can be done holding this lock in read mode, whereas insert and
delete require IPFW_UH_WLOCK.
2. introduce a mapping structure to keep rules together. This replaces
the 'next' chain currently used in ipfw rules. At the moment
the map is a simple array (sorted by rule number and then rule_id),
so we can find a rule quickly instead of having to scan the list.
This reduces many expensive lookups from O(N) to O(log N).
3. when an expensive operation (such as insert or delete) is done
by userland, we grab IPFW_UH_WLOCK, create a new copy of the map
without blocking the bottom half of the kernel, then acquire
IPFW_WLOCK and quickly update pointers to the map and related info.
After dropping IPFW_LOCK we can then continue the cleanup protected
by IPFW_UH_LOCK. So userland still costs O(N) but the kernel side
is only blocked for O(1).
4. do not pass pointers to rules through dummynet, netgraph, divert etc,
but rather pass a <slot, chain_id, rulenum, rule_id> tuple.
We validate the slot index (in the array of #2) with chain_id,
and if successful do a O(1) dereference; otherwise, we can find
the rule in O(log N) through <rulenum, rule_id>
All the above does not change the userland/kernel ABI, though there
are some disgusting casts between pointers and uint32_t
Operation costs now are as follows:
Function Old Now Planned
-------------------------------------------------------------------
+ skipto X, non cached O(N) O(log N)
+ skipto X, cached O(1) O(1)
XXX dynamic rule lookup O(1) O(log N) O(1)
+ skipto tablearg O(N) O(1)
+ reinject, non cached O(N) O(log N)
+ reinject, cached O(1) O(1)
+ kernel blocked during setsockopt() O(N) O(1)
-------------------------------------------------------------------
The only (very small) regression is on dynamic rule lookup and this will
be fixed in a day or two, without changing the userland/kernel ABI
Supported by: Valeria Paoli
MFC after: 1 month
Notes:
svn path=/head/; revision=200855
|
| |
|
|
|
|
|
|
|
|
|
|
| |
+ in many places, replace &V_layer3_chain with a local
variable chain;
+ bring the counter of rules and static_len within ip_fw_chain
replacing static variables;
+ remove some spurious comments and extern declaration;
+ document which lock protects certain data structures
Notes:
svn path=/head/; revision=200838
|
| |
|
|
|
|
|
| |
Requested by: luigi
Notes:
svn path=/head/; revision=200673
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
similar to pflog(4).
To use the feature, just put the 'log' options on rules
you are interested in, e.g.
ipfw add 5000 count log ....
and run
tcpdump -ni ipfw0 ...
net.inet.ip.fw.verbose=0 enables logging to ipfw0,
net.inet.ip.fw.verbose=1 sends logging to syslog as before.
More features can be added, similar to pflog(), to store in
the MAC header metadata such as rule numbers and actions.
Manpage to come once features are settled.
Notes:
svn path=/head/; revision=200654
|
| |
|
|
| |
Notes:
svn path=/head/; revision=200634
|
| |
|
|
|
|
|
| |
MFC after: 1 week
Notes:
svn path=/head/; revision=200629
|
| |
|
|
| |
Notes:
svn path=/head/; revision=200610
|
| |
|
|
|
|
|
| |
and explain why they are used.
Notes:
svn path=/head/; revision=200603
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- move global variables around to reduce the scope and make them
static if possible;
- add an ipfw_ prefix to all public functions to prevent conflicts
(the same should be done for variables);
- try to pack variable declaration in an uniform way across files;
- clarify some comments;
- remove some misspelling of names (#define V_foo VNET(bar)) that
slipped in due to cut&paste
- remove duplicate static variables in different files;
MFC after: 1 month
Notes:
svn path=/head/; revision=200601
|
| |
|
|
|
|
|
|
| |
Remove redundant extern declearations.
If the maintainer has a better fix, then feel free to back this out.
Notes:
svn path=/head/; revision=200598
|
