Page MenuHomeFreeBSD
Differential D29557

pf: Introduce nvlist variant of DIOCADDRULE
ClosedPublic
Actions

Authored by kp on Apr 2 2021, 6:54 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Feb 24, 3:05 PM
Unknown Object (File)
Tue, Feb 24, 9:19 AM
Unknown Object (File)
Tue, Feb 24, 9:19 AM
Unknown Object (File)
Sun, Feb 22, 9:19 AM
Unknown Object (File)
Fri, Feb 20, 2:20 PM
Unknown Object (File)
Mon, Feb 16, 2:03 AM
Unknown Object (File)
Thu, Feb 12, 10:51 AM
Unknown Object (File)
Sun, Feb 8, 11:32 AM
View All Files
Subscribers
ae
donner
farrokhi
glebius
imp
markj
melifaro
takahiro.kurosawa_gmail.com

Details

Reviewers
markj
Group Reviewers
network
Commits
rGf9b057eaf625: pf: Introduce nvlist variant of DIOCADDRULE
rG8ffd90c5b5b5: pf: Introduce nvlist variant of DIOCADDRULE
rG5c62eded5a11: pf: Introduce nvlist variant of DIOCADDRULE
Summary

This will make future extensions of the API much easier.
The intent is to remove support for DIOCADDRULE in FreeBSD 14.

MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kp created this revision.Apr 2 2021, 6:54 PM
Herald added subscribers: melifaro, farrokhi, ae, imp. · View Herald TranscriptApr 2 2021, 6:54 PM
kp requested review of this revision.Apr 2 2021, 6:54 PM
kp added a parent revision: D29556: libnv: Allow use in non-sleepable contexts.
kp added a child revision: D29558: pfctl: Move to DIOCADDRULENV.
Harbormaster completed remote builds in B38279: Diff 86759.Apr 2 2021, 6:55 PM
kp mentioned this in D29468: pf: Implement the NAT source port selection of MAP-E Customer Edge.Apr 2 2021, 6:59 PM
markj added a subscriber: markj.Apr 2 2021, 10:06 PM
markj added inline comments.
sys/netpfil/pf/pf_ioctl.c
96

Why not include it via a system path?

2345

malloc(M_WAITOK) won't fail.

2352

Do nvl and nvlpacked get freed anywhere?

kp updated this revision to Diff 86785.Apr 3 2021, 12:27 PM
  • Free nvl/nvlpacked
  • Don't check for failure on M_WAITOK
Harbormaster completed remote builds in B38295: Diff 86785.Apr 3 2021, 12:27 PM
markj accepted this revision.Apr 3 2021, 3:37 PM

Seems ok to me for what it's worth. My comments are mostly nits.

sys/netpfil/pf/pf_ioctl.c
1630

They're equivalent, but it looks like the last parameter should be sizeof(*paddr).

1728

I think there's nothing checking that the supplied array has exactly two elements. Should the checking be more strict, so that an array of length 1 is rejected? There are a few examples of this.

sys/netpfil/pf/pf_nv.c
37

Same thing here with respect to the include path.

This revision is now accepted and ready to land.Apr 3 2021, 3:37 PM
kp updated this revision to Diff 86832.Apr 5 2021, 11:36 AM
  • Require the number of array elements to be exactly the maximum number
  • Explicitly check the nvlist error state
This revision now requires review to proceed.Apr 5 2021, 11:36 AM
Harbormaster completed remote builds in B38321: Diff 86832.Apr 5 2021, 11:36 AM
glebius added a subscriber: glebius.Apr 5 2021, 3:29 PM
glebius added inline comments.
sys/netpfil/pf/pf_ioctl.c
1697

Better use uint8_t in the new code.

1802

Don't we leak rule here?

2025

Better use uint32_t in new code. More of this applies to new files pf_nv.h and pf_nv.c

kp updated this revision to Diff 86887.Apr 6 2021, 8:34 AM
  • Use 'unit*' rather than 'u_int*'.
  • Fix potential rule leak
takahiro.kurosawa_gmail.com added a subscriber: takahiro.kurosawa_gmail.com.Apr 6 2021, 10:04 AM
donner added a subscriber: donner.Apr 7 2021, 5:11 PM
donner added inline comments.
sys/netpfil/pf/pf.h
193

Component "size" is unused. I do not see any use case for it. Can it be dropped?

kp marked an inline comment as done.Apr 7 2021, 7:01 PM
kp added inline comments.
sys/netpfil/pf/pf.h
193

It's not used here, but it is required for get operations (e.g. D29559). For those userspace must supply a larger buffer than required for just the request, so that the kernel can put the reply in the data buffer.

In that case len will be the length of the request data, but we will have provided size bytes of space for the kernel to put the response into.

kp updated this revision to Diff 87023.Apr 8 2021, 12:19 PM
kp marked an inline comment as done.

Rebase (remove rt_listid)

Harbormaster completed remote builds in B38403: Diff 87023.Apr 8 2021, 12:19 PM
This revision was not accepted when it landed; it landed in state Needs Review.Apr 10 2021, 9:17 AM
Closed by commit rG5c62eded5a11: pf: Introduce nvlist variant of DIOCADDRULE (authored by kp). · Explain Why
This revision was automatically updated to reflect the committed changes.
kp added a commit: rG5c62eded5a11: pf: Introduce nvlist variant of DIOCADDRULE.
kp added a commit: rG8ffd90c5b5b5: pf: Introduce nvlist variant of DIOCADDRULE.May 7 2021, 3:26 PM
kp added a commit: rGf9b057eaf625: pf: Introduce nvlist variant of DIOCADDRULE.May 7 2021, 3:29 PM

Revision Contents
Changeset List

PathSize
sys/
conf/
1 line
modules/
pf/
2 lines
net/
1 line
netpfil/
pf/
6 lines
647 lines
53 lines
127 lines

Diff 87184

View Options

sys/conf/files

Loading...
View Options

sys/modules/pf/Makefile

Loading...
View Options

sys/net/pfvar.h

Loading...
View Options

sys/netpfil/pf/pf.h

Loading...
View Options

sys/netpfil/pf/pf_ioctl.c

Loading...
View Options

sys/netpfil/pf/pf_nv.h

Loading...
View Options

sys/netpfil/pf/pf_nv.c

Loading...