Page MenuHomeFreeBSD

pf|ipfw|netinet6?: shared IP forwarding
Needs ReviewPublic

Authored by franco_opnsense.org on Dec 21 2016, 8:33 AM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Jul 20, 4:17 PM
Unknown Object (File)
Wed, Jul 17, 8:35 PM
Unknown Object (File)
Mon, Jul 15, 12:00 AM
Unknown Object (File)
Fri, Jul 12, 4:45 AM
Unknown Object (File)
Fri, Jul 12, 4:45 AM
Unknown Object (File)
Fri, Jul 5, 11:09 PM
Unknown Object (File)
Thu, Jul 4, 10:33 AM
Unknown Object (File)
Mon, Jul 1, 6:17 PM

Details

Reviewers
melifaro
ae
Group Reviewers
network
transport
Summary

This complements the if_output calls in the pf(4) code that escape further
processing by deferring the forwarding execution to the network stack
using on/off style sysctls for both IPv4 and IPv6.

Also see: https://lists.freebsd.org/pipermail/freebsd-current/2016-November/063815.html

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 57957
Build 54845: arc lint + arc unit

Event Timeline

franco_opnsense.org retitled this revision from to netinet[6]: KPI for opaque fwd_tag handling for PFIL consumers.
franco_opnsense.org updated this object.
franco_opnsense.org edited the test plan for this revision. (Show Details)
sys/netinet/ip_output.c
1580

I think return error code is better than magic value. How about (ENOBUFS)?

1585

I think it would be good add KASSERT(dst->sin_family == AF_INET) for consistency.

1596

"Values in return statements should be enclosed in parentheses." (c) style(9) :-)

1606

ENOENT/ESRCH

sys/netinet6/ip6_output.c
680–681

This check looks incorrect.

750

and this.

3416

We can return EINVAL here due to wrong sin6_scope_id in dst. Or return ENXIO like sa6_embedscope() does.

ae edited edge metadata.

Looks good to me.

This revision is now accepted and ready to land.Dec 21 2016, 12:22 PM
ae requested changes to this revision.Dec 21 2016, 12:45 PM
ae edited edge metadata.

Forgot to mention, you also need to update ip_fastfwd.c and ip6_fastfwd.c :)

This revision now requires changes to proceed.Dec 21 2016, 12:45 PM

Also it there are few another places where M_IP[6]_NEXTHOP flag is used.

franco_opnsense.org edited edge metadata.
franco_opnsense.org marked 7 inline comments as done.
  • complete conversion
sys/netinet/ip_input.c
608 ↗(On Diff #23175)

This is an equivalent transformation, but maybe the second call can be omitted, as it doesn't read data and we are kind of enforcing consistency now with the functions itself?

sys/netinet6/ip6_fastfwd.c
256

error here, should be else if

260

Logic was very intertwined, ended up copying this block to make it easier to follow.

sys/netinet6/ip6_forward.c
367–368

convoluted logic, worked around it...

sys/netinet6/ip6_input.c
785 ↗(On Diff #23175)

ip6_get_fwdtag() could also be omitted here.

franco_opnsense.org added inline comments.
sys/netinet6/ip6_forward.c
368

what do do here? dst was tained cannot abort like before

sys/netinet/ip_input.c
608 ↗(On Diff #23175)

I think IP_HAS_NEXTHOP() is enough to check.

sys/netinet6/ip6_forward.c
368

goto freecopy;

sys/netinet6/ip6_input.c
785 ↗(On Diff #23175)

yes

sys/netinet6/ip6_forward.c
368

and m_freem(m)

  • omit empty reads for ip[6]_get_fwdtag
  • error out safely on failure
franco_opnsense.org added inline comments.
sys/netinet6/ip6_forward.c
368

better safe than sorry: one for freecopy, one for bad

ae edited edge metadata.
This revision is now accepted and ready to land.Dec 21 2016, 2:45 PM

Can't this be made part of a single API where the protocol family is passed so it can be reused and extended easily?
Imagine layer2 forwarding can use this as well.....

In D8877#183862, @eri wrote:

Can't this be made part of a single API where the protocol family is passed so it can be reused and extended easily?
Imagine layer2 forwarding can use this as well.....

When it will appear, we can just add link_[get,set,flush]_fwdtag() functions. Internally this can be implemented as call to generic functions with AF argument. But currently such implementation just has the best readability, than one function with bunch of #ifdefs, IMHO. Also currently we don't have NEXTHOP flag for layer2.

franco_opnsense.org edited edge metadata.
franco_opnsense.org marked an inline comment as done.
  • correctly build against GENERIC
This revision now requires review to proceed.Dec 26 2016, 10:21 AM

what's the fate of this patch?

This revision is now accepted and ready to land.Dec 9 2021, 9:51 PM
In D8877#754326, @mjg wrote:

what's the fate of this patch?

There's an updated patch for stable/13 available here https://github.com/opnsense/src/commit/e3c5dc9e31 + https://github.com/opnsense/src/commit/730eb40ce9 with several extensions and fixes since 2016. The concept seems to work for the bulk of OPNsense users -- it's enabled by default there for a number of years now.

I think that @ae wanted to add versioning to the forward tags to avoid kernel module breakage of some sort for out of tree stuff but in my previous day job capacity I wasn't able to spend more time on it.

All this really needs now is a src committer. I can rebase this on main and break it down into multiple pieces if required.

Update the downstream code and adapt for main

This revision now requires review to proceed.May 29 2024, 6:51 PM
franco_opnsense.org retitled this revision from netinet[6]: KPI for opaque fwd_tag handling for PFIL consumers to pf|ipfw|netinet6?: shared IP forwarding.May 29 2024, 6:55 PM
franco_opnsense.org edited the summary of this revision. (Show Details)