
Add ipfw SDT probe.
ClosedPublic

Authored by ae on Oct 20 2020, 2:41 PM.

Details

Summary

This patch adds an SDT probe to the ipfw_chk() function. It helps reduce the complexity of debugging large ipfw rulesets.

Some examples:

  1. Find the rule that accepts or blocks packets from some IP address.

ipfw:::rule-matched
/inet_ntop(args[1], args[2]) == "10.9.8.3"/
{
	a = xlate <ipfw_match_info_t>(args[4]);

	printf("Rule %d matched ret code %s (%d): %s %d -> %s %d proto %d",
	    args[5]->rulenum, ipfw_retcodes[args[0]], args[0],
	    inet_ntop(args[1], args[2]), a.src_port,
	    inet_ntop(args[1], args[3]), a.dst_port, a.proto);
}

  2. Trace some IPv6 TCP packets.

ipfw:::rule-matched
/args[1] == AF_INET6 && args[4]->f_id.proto == IPPROTO_TCP/
{
	a = xlate <ipfw_match_info_t>(args[4]);

	printf("Rule %d matched ret code %s (%d): %s %d -> %s %d proto %d %s %s",
	    args[5]->rulenum, ipfw_retcodes[args[0]], args[0],
	    inet_ntop(args[1], args[2]), a.src_port,
	    inet_ntop(args[1], args[3]), a.dst_port, a.proto,
	    (a.flags & IPFW_ARGS_IN) ? "in recv" : "out xmit",
	    stringof(a.ifp->if_xname));
}

  3. Print info from the IPv6 header of a packet matched by rule 1015.

ipfw:::rule-matched
/args[1] == AF_INET6 && args[5]->rulenum == 1015/
{
	a = xlate <ipfw_match_info_t>(args[4]);
	ip6 = xlate <ipv6info_t>(a.ip6p);

	printf("Rule %d matched ret code %s: %s -> %s proto %d plen %d %s %s",
	    args[5]->rulenum, ipfw_retcodes[args[0]],
	    inet_ntop(args[1], args[2]),
	    inet_ntop(args[1], args[3]), a.proto,
	    ip6.ipv6_plen,
	    (a.flags & IPFW_ARGS_IN) ? "in recv" : "out xmit",
	    stringof(a.ifp->if_xname));
}
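A fourth script, added here as an example and not taken from the revision or the FreeBSD tree, turns the same probe into a lightweight monitor: instead of printing every match it aggregates hits per rule, return code, direction and interface, and separately per rule and source address, then dumps the tables every ten seconds. It assumes the argument layout and translator names (ipfw_match_info_t, ipfw_retcodes, IPFW_ARGS_IN) exactly as the three examples above use them, and like them keeps the translated struct in the global variable a, which is not safe under concurrent matches on several CPUs but is acceptable for an interactive debugging script.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not part of D26879: count ipfw rule hits seen by the
 * ipfw:::rule-matched probe instead of printing each one.
 * Assumed argument layout (as in the revision's own examples):
 *   args[0] return code, args[1] address family (AF_INET/AF_INET6),
 *   args[2]/args[3] source/destination address, args[4] match info
 *   (translated to ipfw_match_info_t), args[5] the matched struct ip_fw.
 */
#pragma D option quiet

ipfw:::rule-matched
{
	a = xlate <ipfw_match_info_t>(args[4]);

	/* Hits per rule, return code, direction and interface. */
	@rules[args[5]->rulenum, ipfw_retcodes[args[0]],
	    (a.flags & IPFW_ARGS_IN) ? "in" : "out",
	    stringof(a.ifp->if_xname)] = count();

	/* Which source addresses are hitting each rule. */
	@srcs[args[5]->rulenum, inet_ntop(args[1], args[2])] = count();
}

tick-10s
{
	printf("\n%-8s %-14s %-4s %-12s %s\n",
	    "RULE", "RETCODE", "DIR", "IFACE", "HITS");
	printa("%-8d %-14s %-4s %-12s %@d\n", @rules);

	/* Keep only the 20 busiest (rule, source) pairs in this interval. */
	trunc(@srcs, 20);
	printf("\n%-8s %-40s %s\n", "RULE", "SRC", "HITS");
	printa("%-8d %-40s %@d\n", @srcs);

	/* Start the next interval from zero. */
	clear(@rules);
	clear(@srcs);
}
```

Run it as root with dtrace -s on a host where the ipfw module is loaded; a rule whose hit count jumps between intervals, or a single source that dominates the second table, is the usual starting point for narrowing the ruleset with the per-packet scripts above. As in those scripts, the interface dereference assumes a.ifp is set for the matched packet; DTrace reports a bad address as a per-clause error rather than aborting the script.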

Diff Detail

Repository
rS FreeBSD src repository - subversion

Event Timeline

ae requested review of this revision. Oct 20 2020, 2:42 PM
gnn requested changes to this revision. Oct 20 2020, 2:46 PM

I like the idea of this change but I believe that a new file should be created in netpfil/ipfw to contain the code that's been put into in_kdtrace.[ch] in this review.

This revision now requires changes to proceed. Oct 20 2020, 2:46 PM
ae added a reviewer: melifaro.
In D26879#599390, @gnn wrote:

I like the idea of this change but I believe that a new file should be created in netpfil/ipfw to contain the code that's been put into in_kdtrace.[ch] in this review.

AFAIR, if probe definitions are not built into the kernel, they won't work when ipfw is used as a kernel module.

In D26879#599395, @ae wrote:
In D26879#599390, @gnn wrote:

I like the idea of this change but I believe that a new file should be created in netpfil/ipfw to contain the code that's been put into in_kdtrace.[ch] in this review.

AFAIR, if probe definitions are not built into the kernel, they won't work when ipfw is used as a kernel module.

That shouldn't be true. Did you test that recently? I'm not sure if it'll work for standalone module builds since KDTRACE_HOOKS might not be defined.

That shouldn't be true. Did you test that recently? I'm not sure if it'll work for standalone module builds since KDTRACE_HOOKS might not be defined.

When I reworked SDT probe registration several years ago, the only restriction was that SDT probes had to be located in the same kld module as the SDT provider. I don't remember why anymore, but for some reason it wasn't possible to clean up SDT probes separately and instead it had to be done all at once when the provider was unloaded. If a kld module provided probes for a provider located in a different module, then if that module were subsequently unloaded the global memory for those probes would be freed but the provider would still reference them, leading to a likely use-after-free.

That shouldn't be true. Did you test that recently? I'm not sure if it'll work for standalone module builds since KDTRACE_HOOKS might not be defined.

When I reworked SDT probe registration several years ago, the only restriction was that SDT probes had to be located in the same kld module as the SDT provider.

Even that constraint is gone now. Different KLDs can add probes for the same provider.

ae edited the summary of this revision.

Move provider and probe definitions into ipfw2.c

In D26879#599390, @gnn wrote:

I like the idea of this change but I believe that a new file should be created in netpfil/ipfw to contain the code that's been put into in_kdtrace.[ch] in this review.

I've done some tests; it seems it's working now.

Thanks for the update, please proceed.

This revision is now accepted and ready to land. Oct 21 2020, 2:49 PM
This revision was automatically updated to reflect the committed changes.