Feb 5 2018
Feb 2 2018
Feb 1 2018
Jan 31 2018
In D13715#296744, @kristof wrote: I'd like to fix the issue where pf can't reliably figure out if it should call ip6_forward() or ip6_output(). I'd like to do so without negatively affecting the general forwarding performance (with or without pf).
Jan 30 2018
I'm against the last proposal. It is not costless to tag each forwarded packet and then remove the tag. This will seriously hit the performance.
Jan 29 2018
Jan 24 2018
Jan 22 2018
I think the description that you gave in IRC was better :)
I.e. a !WRITABLE mbuf is reflected by ICMP code.
Even M_WRITEABLE mbufs are reflected but m_unshare is called only for !M_WRITEABLE ones. Here's the stack showing the reflection and the problem I'm trying to fix:
I think the description that you gave in IRC was better :)
I.e. a !WRITABLE mbuf is reflected by ICMP code.
Jan 19 2018
Jan 10 2018
This looks like a noop to me, so I have no objection.
Jan 8 2018
- bump MIB version
- return error code from string_save()
- fix comment wording
- add the check for community string uniqueness. It would be ambiguous if we had several identical community strings with different access rights.
Jan 6 2018
Can you please update the patch with additional context according to https://wiki.freebsd.org/Phabricator#Create_a_Revision_via_Web_Interface
Jan 3 2018
Can you please update the diff according to https://wiki.freebsd.org/Phabricator#Create_a_Revision_via_Web_Interface
Dec 29 2017
Dec 24 2017
Dec 21 2017
Dec 16 2017
Dec 15 2017
Dec 14 2017
From quick look, it seems ifa_rtrequest does not release this reference and the change is correct.
Dec 13 2017
It would be nice if you describe why this leak happens, i.e. where leaked reference was acquired.
Dec 11 2017
Dec 8 2017
Dec 5 2017
Dec 4 2017
Dec 1 2017
Nov 30 2017
Nov 28 2017
Kristof and Olivier, can you test this patch?
Nov 26 2017
I'm not familiar with SCTP, but otherwise it seems good to me, except for some style issues.
Nov 24 2017
Nov 23 2017
Nov 22 2017
Nov 17 2017
Nov 10 2017
Nov 3 2017
Nov 2 2017
If it restores the old behavior, I have no objection
Oct 31 2017
Oct 30 2017
I have no plan to merge this into stable/10.
Also I'm not sure about committing this as is, because I'm not sure ConcurrencyKit is supported on all platforms.
Probably I will modify ip_fw_dynamic.c to be KPI compatible with this code, and then make it conditionally buildable.
Also CK is not merged into stable/11 yet, but cognet@ said that he will merge it into stable/11 if it becomes needed.
Oct 26 2017
Also now you can try your 5000000 flows test :)
You can set
sysctl net.inet.ip.fw.dyn_max=5000000
sysctl net.inet.ip.fw.dyn_buckets=5000000
Oct 25 2017
In D12770#265547, @olivier wrote:
r324972 with D12770 fbsd 11.1 OK NOK: netstat display "packets dropped; no transform" on destination
Oct 24 2017
Oct 23 2017
- Fix build with VIMAGE and remove mismerged chunks.
- Replace ip_fw_dynamic in sys/conf/files.
Oct 20 2017
- Switch the default hash algorithm to jenkins hash.
Some whitespace fixes and blank lines.
In dyn_export_data() fix typo in bytes counter calculation
The ipfw_send_pkt() function was not changed, it just moved from ip_fw_dynamic.c into ip_fw2.c. I can remove keep-alive related functionality from this function if you prefer this.
The new dynamic states implementation uses its own keep-alive functions that are in ip_fw_dynamic2.c (it is hidden in Phabricator and should be expanded via "Show File Contents").
I am planning to rework ipfw_send_pkt() to use some deferred sending (e.g. taskq). I don't like the fact that we are reentering the firewall when we are sending RST. This produces high stack usage.
In D10680#264145, @emeric.poupon_stormshield.eu wrote: Thanks for testing! Actually you get a far better improvement than I observed!
Just curious, which hardware have you used for the test?
Oct 19 2017
I finally played a bit with this patch. I used if_ipsec(4) tunnel between two hosts and iperf TCP test. With disabled async_crypto I have ~720Mbit/s, with enabled async_crypto it is 5.2Gbit/s.
Oct 18 2017
Oct 17 2017
Oct 16 2017
- Restore support for 'check-state :any'.
Oct 13 2017
Oct 12 2017
In D12639#262598, @bz wrote: Hence my comment on the proposed commit message (get more people testing and see if it can stay on for 12). If a lot of people find they'll lose 20% the next days this will not go in, or if they find in two months, this can be reverted quite easily if the overhead can't be removed.
Oct 10 2017
Oct 9 2017
Oct 4 2017
Probably you need to modify netipsec/ipsec_pcb.c too.