In D13715#296744, @kristof wrote:

I'd like to fix the issue where pf can't reliably figure out if it should call ip6_forward() or ip6_output(). I'd like to do so without negatively affecting the general forwarding performance (with or without pf).

I'm against the last proposal. It is not costless to tag each forwarded packet and then remove the tag. This will seriously hit the performance.

I think the description that you gave in IRC was better :)
I.e. a !WRITABLE mbuf is reflected by ICMP code.

Even M_WRITEABLE mbufs are reflected but m_unshare is called only for !M_WRITEABLE
ones. Here's the stack showing the reflection and the problem I'm trying to fix:

I think the description that you gave in IRC was better :)
I.e. a !WRITABLE mbuf is reflected by ICMP code.

This looks like noop for me, so I have no objection.

• bump MIB version
• return error code from string_save()
• fix comment wording
• add the check for community string uniqueness. It is ambiguous if we would have several the same community strings with different access rights.

Can you please update the patch with additional context according to https://wiki.freebsd.org/Phabricator#Create_a_Revision_via_Web_Interface

Can you please update the diff according to https://wiki.freebsd.org/Phabricator#Create_a_Revision_via_Web_Interface

From quick look, it seems ifa_rtrequest does not release this reference and the change is correct.

It would be nice if you describe why this leak happens, i.e. where leaked reference was acquired.

Kristof and Olivier, can you test this patch?

I'm not familiar with SCTP, from other side seems good to me, except some style issues.

If it restores the old behavior, I have no objection

I have not plan to merge this into stable/10.
Also I'm not sure about committing this as is, because I'm not sure ConcurrencyKit is supported on all platforms.
Probably I will modify ip_fw_dynamic.c to be KPI compatible with this code, and then make it conditionally buildable.
Also CK is not merged into stable/11 yet, but cognet@ said that he will merge it into stable/11 if it will become needed.

Also now you can try your 5000000 flows test :)
You can set

sysctl net.inet.ip.fw.dyn_max=5000000
sysctl net.inet.ip.fw.dyn_buckets=5000000

In D12770#265547, @olivier wrote:

r324972 with D12770

fbsd 11.1

OK

NOK: netstat display "packets dropped; no transform" on destination

• Fix build with VIMAGE and remove mismerged chunks.
• Replace ip_fw_dynamic in sys/conf/files.

• Switch the default hash algorithm to jenkins hash.

Some whitespace fixes and blank lines.
In dyn_export_data() fix typo in bytes counter calculation

The ipfw_send_pkt() function was not changed, it just moved from ip_fw_dynamic.c into ip_fw2.c. I can remove keep-alive related functionality from this function if you prefer this.
The new dynamic states implementation uses own keep-alive functions that are in ip_fw_dynamic2.c (is is hidden in phabricator and should be expanded via "Show File Contents").
I am planning to rework ipfw_send_pkt() to use some deferred sending (e.g. taskq). I don't like the fact that we are reentering the firewall when we sending RST. This produces high stack usage.

In D10680#264145, @emeric.poupon_stormshield.eu wrote:

Thanks for testing! Actually you get a far better improvement than I observed!
Just curious, which hardware have you used for the test?

I finally played a bit with this patch. I used if_ipsec(4) tunnel between two hosts and iperf TCP test. With disabled async_crypto I have ~720Mbit/s, with enabled async_crypto it is 5.2Gbit/s.

• Restore support for 'check-state :any'.

In D12639#262598, @bz wrote:

Hence my comment on the proposed commit message (get more people testing and see if it can stay on for 12). If a lot of people find they'll lose 20% the next days this will not go in, or if they find in two months, this can be reverted quite easily if the overhead can't be removed.

Probably you need to modify netipsec/ipsec_pcb.c too.