Page MenuHomeFreeBSD

PFIL_MEMPTR support for ipfw link level hook

Authored by glebius on Feb 25 2019, 9:46 PM.


Group Reviewers
rS345166: PFIL_MEMPTR for ipfw link level hook

This commit brings support PFIL_MEMPTR support to ipfw link level hook.

This hook is expected to be used on NIC bound pfil heads, which provide
memory pointers rather than mbufs. As for now pfil_fake_mbuf() is used
to affiliate that. Skipping pfil_fake_mbuf() and working with memory
pointer directly inside ipfw gives measureable performance boost.

The patch in this review is rather large, so I'd suggest to look
at history of this branch:

The most important commit is the topmost:


This is the most crucial code that I want to be reviewed.

The following commits are preparatory steps:


Commit bfb6a4ff73f1b4dd99ca5165080a63cc6e558a44 is a bugfix and isn't
directly related to this review. Commit isn't directly related as well a014887dd7c60ec96956bcc5cb7fec95a5a6f621.

Diff Detail

rS FreeBSD src repository - subversion
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

1837 ↗(On Diff #54378)

Is it safe to call vtnet_rxq_discard_buf() just after if_input()?

1396 ↗(On Diff #54378)

Is it expected that ipfw_chk() will always get from pfil ethernet frame without VLAN tags?

1757 ↗(On Diff #54378)

This probably can break something. mbuf can have initialized oif and m_pkthdr.rcvif in the same time, this happens when we are processing forwarded packet.

glebius added inline comments.
1837 ↗(On Diff #54378)

This part of patch has changed. I will update pull request soon.

1396 ↗(On Diff #54378)

That's a great question! Is that responsibility of a driver or of a packet filter. We will ponder on that.

1757 ↗(On Diff #54378)

Is it possible to construct a rule that would match on oif and iif at the same time?

rgrimes added inline comments.
1757 ↗(On Diff #54378)

Not only possible, in use. You can make decisions about a packet exiting based on if it arrived via a specific if.
ipfw add 1234 allow ip from any to any in via em0 out via em1

glebius marked an inline comment as done.

Rebase since some changes are already in head.

glebius marked an inline comment as not done.Mar 11 2019, 10:43 PM
glebius added inline comments.
1757 ↗(On Diff #54378)

This particular syntax won't match anything, since "via" always uses either of two interfaces. Also, a rule having "in" and "out" at the same time shoudn't match as well.

However, this rule correctly matches on two interfaces indeed:

ipfw add allow ip from any to any recv em0 out xmit em1

"out" is optional here. So, something needs to be fixed with my patch.

Optionally use m->m_pkthdr.rcvif for iif on output packets.

Style - no functional change.

1439 ↗(On Diff #54949)

It seems you forgot about ETHER_VLAN_ENCAP_LEN :-)
I think you can use difference between eh and ip pointers.

  • Use existing difference between ip and eh pointers to calculate
This revision was not accepted when it landed; it landed in state Needs Review.Mar 14 2019, 10:52 PM
This revision was automatically updated to reflect the committed changes.