pf: remove DIOCGETSTATESNV
ClosedPublic
Actions

Authored by kp on Jul 7 2021, 7:52 PM.

Details

Reviewers

Group Reviewers

network
pfsense

Commits

rGb701c27bf05f: pf: remove DIOCGETSTATESNV
rG830afa2979ab: pf: remove DIOCGETSTATESNV
rGb69019c14cd8: pf: remove DIOCGETSTATESNV

Summary

While nvlists are very useful in maximising flexibility for future
extensions their performance is simply unacceptably bad for the
getstates feature, where we can easily want to export a million states
or more.

The DIOCGETSTATESNV call has been MFCd, but has not hit a release on any
branch, so we can still remove it everywhere.

MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

kp created this revision.Jul 7 2021, 7:52 PM

Herald added subscribers: melifaro, farrokhi, ae, imp. · View Herald TranscriptJul 7 2021, 7:52 PM

kp requested review of this revision.Jul 7 2021, 7:52 PM

Harbormaster completed remote builds in B40376: Diff 91947.Jul 7 2021, 7:52 PM

kp added a parent revision: D31098: libpfctl: migrate to DIOCGETSTATESV2.Jul 7 2021, 7:52 PM

I don't know if it can be straight up removed in stable branches. Normally the expectation is that userspace can work with newer kernel, which is now broken.

Assuming it's not too much trouble, I think the thing to do first is to extend pfctl to support both interfaces and prefer the new one. Said binary compat can be then removed after few weeks.

In D31099#699643, @mjg wrote:

I don't know if it can be straight up removed in stable branches. Normally the expectation is that userspace can work with newer kernel, which is now broken.

Assuming it's not too much trouble, I think the thing to do first is to extend pfctl to support both interfaces and prefer the new one. Said binary compat can be then removed after few weeks.

My plan was to push the preceding patches (i.e. adding and moving to the new call in libpfctl) first, and this one a week later. That'd give main and stable/X users some time to build a new kernel and userspace before we remove the old call. That achieves having the new kernel support old userspace, with a short transition period (so we don't end up with DIOCGETSTATESNV in a release and we have to support is forever).

that makes sense

This revision is now accepted and ready to land.Jul 7 2021, 8:33 PM

In D31099#699666, @kp wrote:

My plan was to push the preceding patches (i.e. adding and moving to the new call in libpfctl) first, and this one a week later. That'd give main and stable/X users some time to build a new kernel and userspace before we remove the old call. That achieves having the new kernel support old userspace, with a short transition period (so we don't end up with DIOCGETSTATESNV in a release and we have to support is forever).

A week is much to short for stable users.
Expect a month at least between updates.

In D31099#699780, @donner wrote:

In D31099#699666, @kp wrote:

My plan was to push the preceding patches (i.e. adding and moving to the new call in libpfctl) first, and this one a week later. That'd give main and stable/X users some time to build a new kernel and userspace before we remove the old call. That achieves having the new kernel support old userspace, with a short transition period (so we don't end up with DIOCGETSTATESNV in a release and we have to support is forever).

A week is much to short for stable users.
Expect a month at least between updates.