FreeBSD Phabricator activity feed for kp

Yesterday

kp committed rGa983cea4e9a8: pf: fix reply-to after rdr and dummynet (authored by kp).
pf: fix reply-to after rdr and dummynet
Thu, Mar 28, 4:08 PM

Mon, Mar 25

kp committed rGcaccf6d3c008: pfsync: cope with multiple pending plus messages (authored by kp).
pfsync: cope with multiple pending plus messages
Mon, Mar 25, 4:45 AM
kp committed rG81debbd60e57: pfsync: fix use of invalidated stack variable (authored by kp).
pfsync: fix use of invalidated stack variable
Mon, Mar 25, 4:45 AM
kp committed rGa1ecbc570117: pf: fix use-after-free (authored by kp).
pf: fix use-after-free
Mon, Mar 25, 4:45 AM

Sun, Mar 24

kp added inline comments to D44488: pf: if a new RDR state connect be created, modulate src port.
Sun, Mar 24, 7:46 AM
kp added inline comments to D44488: pf: if a new RDR state connect be created, modulate src port.
Sun, Mar 24, 7:01 AM
kp added a comment to D44488: pf: if a new RDR state connect be created, modulate src port.

This also really needs a test case.

Sun, Mar 24, 6:50 AM
kp added a comment to D43504: netinet: add a probe point for IP stats counters.

I think what I will test is:

  1. SDT probes compiled out entirely
  2. This (D43504) patch with our current SDT mechanism
  3. D43504 + D44483 together

Does that sound appropriate?

@olivier : Do you have the time to do the same sort of test on your low-end pps routing setup?

Sun, Mar 24, 5:19 AM

Sat, Mar 23

kp accepted D44476: icmp: hide icmp_bandlimit_uninit() under VIMAGE.
Sat, Mar 23, 6:01 AM
kp added a comment to D44476: icmp: hide icmp_bandlimit_uninit() under VIMAGE.
In D44476#1014446, @kp wrote:

When we build without VIMAGE VNET_SYSUNINIT translates to SYSUNINIT, so this patch means we leak V_icmp_rates[i].cr_rate on shutdown.
That's not exactly a critical problem, but this is technically wrong.

I don't agree with that. We don't deallocate memory on shutdown in the general case. We do not have a matching SYSUNINIT for every SYSINIT that mallocs. Keeping a function to deallocate memory on shutdown is the actual waste of memory - it grows kernel text, which is wired.

Sat, Mar 23, 5:25 AM
kp added inline comments to D42350: kyua: add jail execution environment.
Sat, Mar 23, 3:42 AM
kp accepted D44478: icmp: improve ICMP limit jitter.
Sat, Mar 23, 3:38 AM
kp accepted D44477: icmp: when logging ICMP ratelimiting message use correct jitter value.
Sat, Mar 23, 3:38 AM
kp added a comment to D44476: icmp: hide icmp_bandlimit_uninit() under VIMAGE.

When we build without VIMAGE VNET_SYSUNINIT translates to SYSUNINIT, so this patch means we leak V_icmp_rates[i].cr_rate on shutdown.

Sat, Mar 23, 3:37 AM
kp accepted D44475: icmp: do not store per-VNET identical array of strings.
Sat, Mar 23, 1:20 AM

Fri, Mar 22

kp committed rG88f557a2a9c3: libpfctl: fix incorrect labels copy (authored by kp).
libpfctl: fix incorrect labels copy
Fri, Mar 22, 8:38 AM
kp committed rGe08b44339b65: if_ovpn tests: test large packets in IPv6 tunnel (authored by kp).
if_ovpn tests: test large packets in IPv6 tunnel
Fri, Mar 22, 8:38 AM
kp added a comment to D43504: netinet: add a probe point for IP stats counters.

To put it lightly, I'd really like to see this patch performance tested.

Fri, Mar 22, 3:17 AM

Thu, Mar 21

kp added a comment to D43504: netinet: add a probe point for IP stats counters.

I'd like to land this patch. Absent anyone raising objections I intend to do so in two weeks or so.

Thu, Mar 21, 3:23 AM

Tue, Mar 19

kp closed D44368: pf: convert DIOCSETSTATUSIF to netlink.
Tue, Mar 19, 3:31 PM
kp committed rG470a2b334661: pf: convert DIOCSETSTATUSIF to netlink (authored by kp).
pf: convert DIOCSETSTATUSIF to netlink
Tue, Mar 19, 3:31 PM
kp closed D44366: pf: fix dummynet + route-to.
Tue, Mar 19, 3:31 PM
kp committed rGc6f111635790: pf: fix dummynet + route-to (authored by kp).
pf: fix dummynet + route-to
Tue, Mar 19, 3:31 PM
kp closed D44365: pf: avoid passing through dummynet multiple times.
Tue, Mar 19, 3:31 PM
kp committed rG0ea0c026557b: pf: avoid passing through dummynet multiple times (authored by kp).
pf: avoid passing through dummynet multiple times
Tue, Mar 19, 3:30 PM

Fri, Mar 15

kp requested review of D44368: pf: convert DIOCSETSTATUSIF to netlink.
Fri, Mar 15, 6:23 AM
kp requested review of D44366: pf: fix dummynet + route-to.
Fri, Mar 15, 2:12 AM
kp requested review of D44365: pf: avoid passing through dummynet multiple times.
Fri, Mar 15, 2:12 AM

Tue, Mar 12

kp accepted D44307: if_tuntap: simplify storage of per-vnet cloners.
Tue, Mar 12, 10:04 PM
kp committed R11:57043127470c: net/libpfctl: update 13.2 library (authored by kp).
net/libpfctl: update 13.2 library
Tue, Mar 12, 5:13 PM

Fri, Mar 8

kp committed rG14bbf0943308: netlink: fix casts (authored by kp).
netlink: fix casts
Fri, Mar 8, 9:12 AM

Fri, Mar 1

kp committed rGfb995824b9df: pf tests: IPv6 versions of the route-to/reply-to if-bound tests (authored by kp).
pf tests: IPv6 versions of the route-to/reply-to if-bound tests
Fri, Mar 1, 12:20 PM
kp committed rG6460322a0a51: pf: support if-bound with reply-to (authored by kp).
pf: support if-bound with reply-to
Fri, Mar 1, 12:20 PM

Wed, Feb 28

kp committed rG706d465dae6a: pf: convert kill/clear state to use netlink (authored by kp).
pf: convert kill/clear state to use netlink
Wed, Feb 28, 10:28 PM
kp committed rGdfed87b5ce9c: netlink: add bool type support (authored by kp).
netlink: add bool type support
Wed, Feb 28, 10:28 PM
kp committed rG48f33b55b014: netlink: fix casts (authored by kp).
netlink: fix casts
Wed, Feb 28, 10:28 PM
kp closed D44090: pf: convert kill/clear state to use netlink.
Wed, Feb 28, 10:28 PM
kp closed D44088: netlink: fix casts.
Wed, Feb 28, 10:27 PM
kp closed D44089: netlink: add bool type support.
Wed, Feb 28, 10:27 PM

Feb 27 2024

kp committed R11:0a5b676fc982: net/libpfctl: add 13.3 library (authored by kp).
net/libpfctl: add 13.3 library
Feb 27 2024, 6:40 PM
kp added a comment to D44088: netlink: fix casts.

Will this be MFCed to stable branches? I see sys/netlink/route/nexthop.c is consuming the fixed function nlattr_get_uint8():

sys/netlink/route/nexthop.c:	{ .type = NHAF_FAMILY, .off = _OUT(nhaf_family), .cb = nlattr_get_uint8 },
Feb 27 2024, 4:08 PM
kp committed rG9566d9272600: pf: fix packet-to-big for route-to as well (authored by kp).
pf: fix packet-to-big for route-to as well
Feb 27 2024, 3:26 PM

Feb 26 2024

kp added a comment to D44089: netlink: add bool type support.

I'm a bit unsure about this one - as having pointer to bool may introduce

Feb 26 2024, 8:12 PM
kp requested review of D44090: pf: convert kill/clear state to use netlink.
Feb 26 2024, 6:46 PM
kp requested review of D44088: netlink: fix casts.
Feb 26 2024, 6:46 PM
kp requested review of D44089: netlink: add bool type support.
Feb 26 2024, 6:46 PM

Feb 24 2024

kp committed rGbe2c6fba9d83: pfsync: Fix offset calculation (authored by vegeta_tuxpowered.net).
pfsync: Fix offset calculation
Feb 24 2024, 6:49 PM

Feb 15 2024

kp committed rG50edc6307198: pfsync: Fix offset calculation (authored by vegeta_tuxpowered.net).
pfsync: Fix offset calculation
Feb 15 2024, 12:55 PM
kp closed D43862: pfsync: Fix offset calculation.
Feb 15 2024, 12:55 PM

Feb 13 2024

kp committed rG17167f757e0a: pf: uncomment counter asserts after mem leak fix (authored by igor.ostapenko_pm.me).
pf: uncomment counter asserts after mem leak fix
Feb 13 2024, 9:36 PM
kp committed rGd18b1958ade2: pf: uncomment counter asserts after mem leak fix (authored by igor.ostapenko_pm.me).
pf: uncomment counter asserts after mem leak fix
Feb 13 2024, 9:35 PM
kp added a comment to D43866: pf: Fix match_rules memory leak.
In D43866#1000864, @kp wrote:

I failed to apply this patch, and I think it's because you already fixed this problem in https://cgit.freebsd.org/src/commit/?id=4d19eceaefb7106d761bc9504bb0da737ae0d674

Or am I missing something else?

This is absolutely embarrassing but I can explain myself :)

I've seen memory leaking on my systems running FreeBSD 14.0, looked at the code for releng/14.0, found the leak, patched it… I forgot that I've worked on it already before, and the commit is not in release/14.0. I see it in stable/14, though. I'm abandoning this revision.

Feb 13 2024, 9:29 PM
kp added a comment to D43866: pf: Fix match_rules memory leak.

I failed to apply this patch, and I think it's because you already fixed this problem in https://cgit.freebsd.org/src/commit/?id=4d19eceaefb7106d761bc9504bb0da737ae0d674

Feb 13 2024, 8:47 PM

Feb 10 2024

kp committed rG8ecb74942506: ichsmb: add Cedar Fork PCI id (authored by kp).
ichsmb: add Cedar Fork PCI id
Feb 10 2024, 1:17 AM

Feb 6 2024

kp committed rG04c68025ea1d: pf: add a probe point to BOUND_IFACE (authored by kp).
pf: add a probe point to BOUND_IFACE
Feb 6 2024, 5:50 PM
kp committed rG58a26743145a: pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx… (authored by vegeta_tuxpowered.net).
pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx…
Feb 6 2024, 4:26 PM
kp added a reverting change for rG6d4a140acfdf: pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx…: rG8a16fd431d83: Revert "pf: Ensure that st->kif is obtained in a way which respects the r….
Feb 6 2024, 4:26 PM
kp committed rG8a16fd431d83: Revert "pf: Ensure that st->kif is obtained in a way which respects the r… (authored by kp).
Revert "pf: Ensure that st->kif is obtained in a way which respects the r…
Feb 6 2024, 4:26 PM
kp added a reverting change for D43741: pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx mutex: rG8a16fd431d83: Revert "pf: Ensure that st->kif is obtained in a way which respects the r….
Feb 6 2024, 4:25 PM

Feb 5 2024

kp committed rG6d4a140acfdf: pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx… (authored by igor.ostapenko_pm.me).
pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx…
Feb 5 2024, 9:20 PM
kp closed D43741: pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx mutex.
Feb 5 2024, 9:19 PM
kp accepted D43741: pf: Ensure that st->kif is obtained in a way which respects the r->rpool->mtx mutex.

Thanks for catching that.

Feb 5 2024, 9:17 PM

Feb 4 2024

kp updated the diff for D43712: vmxnet3: make descriptor count checks more robust.
  • add assert
  • remove unneeded changes
Feb 4 2024, 5:47 PM
kp added inline comments to D43712: vmxnet3: make descriptor count checks more robust.
Feb 4 2024, 5:45 PM

Feb 2 2024

kp added a comment to D43712: vmxnet3: make descriptor count checks more robust.

Specifically because we've seen users report panics like this one:

Feb 2 2024, 5:30 PM
kp added reviewers for D43712: vmxnet3: make descriptor count checks more robust: bryanv, pkelsey.
Feb 2 2024, 5:29 PM
kp requested review of D43712: vmxnet3: make descriptor count checks more robust.
Feb 2 2024, 5:03 PM
kp committed rG306d3fb23d7c: libpfct: fix incorrect array check (authored by kp).
libpfct: fix incorrect array check
Feb 2 2024, 4:56 PM
kp committed rG777a4702c591: pf: implement addrule via netlink (authored by kp).
pf: implement addrule via netlink
Feb 2 2024, 4:56 PM
kp committed rGb8ef285f6cc6: pf: ensure dummynet gets the correct direction after route-to (authored by kp).
pf: ensure dummynet gets the correct direction after route-to
Feb 2 2024, 4:56 PM

Feb 1 2024

kp added a comment to D43504: netinet: add a probe point for IP stats counters.
In D43504#994028, @kp wrote:

I'll wait for the performance impact tests

Feb 1 2024, 10:26 PM
kp accepted D43704: pflowctl: add missing break to case 's'.

I have exactly the same commit in my queue right now.

Feb 1 2024, 9:55 PM

Jan 30 2024

kp committed rG9d784da3a7af: pf: uncomment counter asserts after mem leak fix (authored by igor.ostapenko_pm.me).
pf: uncomment counter asserts after mem leak fix
Jan 30 2024, 10:00 PM
kp closed D43657: pf: uncomment counter asserts after mem leak fix.
Jan 30 2024, 9:59 PM

Jan 29 2024

kp committed rG31828075e456: pf: bind route-to states to their route-to interface (authored by kp).
pf: bind route-to states to their route-to interface
Jan 29 2024, 1:53 PM
kp committed rGffeab76b6855: pfil: PFIL_PASS never frees the mbuf (authored by kp).
pfil: PFIL_PASS never frees the mbuf
Jan 29 2024, 1:53 PM
kp closed D43589: pf: bind route-to states to their route-to interface.
Jan 29 2024, 1:53 PM
kp closed D43617: pfil: PFIL_PASS never frees the mbuf.
Jan 29 2024, 1:53 PM

Jan 27 2024

kp updated the diff for D43589: pf: bind route-to states to their route-to interface.
  • improve test (ping 3x, to ensure that subsequent packets make it)
  • when matching states also look at the original interface. This is required because the expected outbound interface before we match the state is the original interface, but for inbound packets it will be the route-to'd interface (which we've now bound the state to)
Jan 27 2024, 10:32 AM

Jan 26 2024

kp requested review of D43617: pfil: PFIL_PASS never frees the mbuf.
Jan 26 2024, 2:45 PM
kp abandoned D43589: pf: bind route-to states to their route-to interface.

This is wrong, as I'd have seen immediately if I'd had the test send more than 1 ping.
When the second outbound ping arrives pf looks for the state on epair_one, but we've created it for epair_two, so we don't find the state and reject the packet (or more accurately, try to create a new state for it and fail because such a state already exists).

Jan 26 2024, 10:05 AM
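The failure described in the abandoned D43589 comment above (state bound to the route-to interface, follow-up outbound packet looked up on the original interface) and the fix in the later updated diff (also match on the original interface) can be reproduced with a toy state table. This is an added example, not pf's code: struct kif, struct pf_state_toy, create_state, find_state_bound_only, find_state_fixed and send_pings are hypothetical simplifications, and the interface names and addresses are constructed; real pf keys and matches states quite differently.

```c
/*
 * Added example, not pf's code: a toy if-bound state table showing why a
 * state bound only to the route-to interface is missed by the second
 * outbound packet, and how also matching the original interface fixes it.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct kif { const char *name; };

struct pf_state_toy {
    const struct kif *kif;       /* interface the state is bound to: the route-to interface */
    const struct kif *orig_kif;  /* interface the first packet left on, recorded by the fix */
    char src[16], dst[16];       /* address tuple, enough for the example */
};

#define MAX_STATES 8
static struct pf_state_toy states[MAX_STATES];
static size_t nstates;

static void reset_states(void) { nstates = 0; }

static struct pf_state_toy *create_state(const struct kif *bound, const struct kif *orig,
                                         const char *src, const char *dst) {
    if (nstates == MAX_STATES) return NULL;
    struct pf_state_toy *s = &states[nstates++];
    s->kif = bound;
    s->orig_kif = orig;
    snprintf(s->src, sizeof(s->src), "%s", src);
    snprintf(s->dst, sizeof(s->dst), "%s", dst);
    return s;
}

static bool tuple_match(const struct pf_state_toy *s, const char *src, const char *dst) {
    return strcmp(s->src, src) == 0 && strcmp(s->dst, dst) == 0;
}

/* Abandoned version: only the bound (route-to) interface is consulted. */
static struct pf_state_toy *find_state_bound_only(const struct kif *ifp, const char *src,
                                                  const char *dst) {
    for (size_t i = 0; i < nstates; i++)
        if (states[i].kif == ifp && tuple_match(&states[i], src, dst))
            return &states[i];
    return NULL;
}

/* Fixed version: match on the bound (route-to) interface or on the original one. */
static struct pf_state_toy *find_state_fixed(const struct kif *ifp, const char *src,
                                             const char *dst) {
    for (size_t i = 0; i < nstates; i++)
        if ((states[i].kif == ifp || states[i].orig_kif == ifp) &&
            tuple_match(&states[i], src, dst))
            return &states[i];
    return NULL;
}

/*
 * Send npings "pings" for one flow. The first creates the state, bound to the
 * route-to interface; returns how many of the follow-up packets found it.
 */
static int send_pings(int npings, bool fixed) {
    static const struct kif epair_one = { "epair_one" }, epair_two = { "epair_two" };
    const char *src = "192.0.2.1", *dst = "198.51.100.1";   /* constructed addresses */
    int found = 0;

    reset_states();
    /* first outbound packet: rule says route-to epair_two, state bound to it */
    create_state(&epair_two, &epair_one, src, dst);

    for (int i = 1; i < npings; i++) {
        /* later outbound packets are still looked up on the original interface */
        struct pf_state_toy *s = fixed ? find_state_fixed(&epair_one, src, dst)
                                       : find_state_bound_only(&epair_one, src, dst);
        if (s != NULL)
            found++;
        /* otherwise pf would try to create a duplicate state and fail */
    }
    return found;
}

int main(void) {
    printf("bound-only: %d of 2 follow-up pings matched\n", send_pings(3, false));
    printf("fixed:      %d of 2 follow-up pings matched\n", send_pings(3, true));
    return 0;
}
```

With a single ping both lookups look fine, which is exactly why the test had to send more than one packet; only from the second ping on does the bound-only lookup miss.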

Jan 25 2024

kp committed rGe95025ed9388: pflow: show socket status in verbose mode (authored by kp).
pflow: show socket status in verbose mode
Jan 25 2024, 5:09 PM
kp requested review of D43589: pf: bind route-to states to their route-to interface.
Jan 25 2024, 1:05 PM

Jan 24 2024

kp added a comment to D43504: netinet: add a probe point for IP stats counters.

Then why not change icps_tooshort to icmps_tooshort? I guess the other protocols have a proper prefix.

Jan 24 2024, 10:53 PM
kp committed rG8b82f36f8903: pflowctl: fix usage message (authored by kp).
pflowctl: fix usage message
Jan 24 2024, 7:38 PM
kp committed rGf1c0030bb05c: pf: only check MTU for IPv6 packets when forwarding (authored by kp).
pf: only check MTU for IPv6 packets when forwarding
Jan 24 2024, 6:09 PM
kp added a comment to D43504: netinet: add a probe point for IP stats counters.

Why no mib:::icps_foo? Not perfectly, but for TCP it would be mib:::tcps_foo...

Jan 24 2024, 7:19 AM

Jan 23 2024

kp added a comment to D43504: netinet: add a probe point for IP stats counters.
In D43504#991958, @kp wrote:

I'd expect that to have no measurable impact, but I've not tested that to confirm.

I added Olivier to the reviewers. Hopefully he can test this in his packet forwarding setup with slow machines.
I'm really not eager to have an extra instruction all over the place on every counter increment. Did you consider adding SDT probes for just the error counters, and changing the INC function to an ERR_INC or something similar? That way the happy path does not pay any cost, while the errors are still instrumented.

I didn't think of that specifically, no.

Jan 23 2024, 7:33 PM
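The suggestion in the comment above, probing only the error counters through a separate ERR_INC-style macro so the happy path carries no probe site, can be modelled in userland. This is an added example, not FreeBSD's code: struct ipstat, counter_probe, STAT_PROBE, IPSTAT_INC, IPSTAT_ERR_INC, process_packet and run_batch are hypothetical stand-ins for the kernel's SDT macros and stat counters, and the packet lengths are a constructed sample.

```c
/*
 * Added example, not FreeBSD code: instrument only error counters so the
 * happy path pays nothing. The "probe" is a function pointer standing in
 * for an SDT probe; KDTRACE_HOOKS compiles the probe sites in or out.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KDTRACE_HOOKS   /* undefine to build with every probe site compiled out */

struct ipstat {
    uint64_t ips_total;       /* happy-path counter */
    uint64_t ips_delivered;   /* happy-path counter */
    uint64_t ips_tooshort;    /* error counter */
};

/* A probe consumer: NULL means nothing enabled, like an un-enabled SDT probe. */
typedef void (*probe_fn)(const char *name, uint64_t newval);
static probe_fn counter_probe;
static unsigned probe_hits;
static const char *last_probe_name;

#ifdef KDTRACE_HOOKS
#define STAT_PROBE(name, val) \
    do { if (counter_probe != NULL) counter_probe(#name, (val)); } while (0)
#else
#define STAT_PROBE(name, val) do { } while (0)
#endif

/* Happy path: a plain increment, no probe site at all. */
#define IPSTAT_INC(st, name)     ((st)->name++)
/* Error path: increment, then fire the probe with the counter's new value. */
#define IPSTAT_ERR_INC(st, name) \
    do { (st)->name++; STAT_PROBE(name, (st)->name); } while (0)

static void record_probe(const char *name, uint64_t newval) {
    (void)newval;
    probe_hits++;
    last_probe_name = name;
}

/* Minimal input check standing in for ip_input(): header must be >= 20 bytes. */
static void process_packet(struct ipstat *st, size_t len) {
    IPSTAT_INC(st, ips_total);
    if (len < 20) {
        IPSTAT_ERR_INC(st, ips_tooshort);   /* the only path with a probe site */
        return;
    }
    IPSTAT_INC(st, ips_delivered);
}

/* Run a batch of packet lengths; returns how many times the probe fired. */
static unsigned run_batch(const size_t *lens, size_t n, struct ipstat *st,
                          int enable_probe) {
    probe_hits = 0;
    last_probe_name = NULL;
    counter_probe = enable_probe ? record_probe : NULL;
    for (size_t i = 0; i < n; i++)
        process_packet(st, lens[i]);
    return probe_hits;
}

int main(void) {
    const size_t lens[] = { 60, 8, 1500, 12, 40 };   /* constructed sample, two too short */
    struct ipstat st = { 0 };
    unsigned hits = run_batch(lens, 5, &st, 1);
    printf("total=%llu delivered=%llu tooshort=%llu probe_hits=%u last=%s\n",
           (unsigned long long)st.ips_total, (unsigned long long)st.ips_delivered,
           (unsigned long long)st.ips_tooshort, hits,
           last_probe_name ? last_probe_name : "(none)");
    return 0;
}
```

Counting is unchanged whether or not a consumer is attached; only the error-path increments carry the extra load-and-branch, which is the trade-off the comment asks about.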
kp added a comment to D43504: netinet: add a probe point for IP stats counters.

The real intent behind the "function" field is that the kernel will automatically populate it with the C function containing the same probe. The idea being that you have the same provider:::name probe in two C functions, dtrace will let you enable just one of the two probes if you specify the function name. Currently that's not implemented on FreeBSD but my preference would be to avoid using it. The same applies to the "module" identifier, which on FreeBSD does get autopopulated. There are some existing probes which violate this rule. Really it's a bug that the SDT macros let you specify them at all but it's hard to fix at this point.

I don't really see the downside of having the "module" be part of the probe name. You can list probes matching a glob, so something like dtrace -ln 'mib:::icmp-*' would work too.

Jan 23 2024, 5:50 PM
kp committed rG380b7eb30947: sysctl.8: fix format typo (authored by igor.ostapenko_pm.me).
sysctl.8: fix format typo
Jan 23 2024, 3:41 PM
kp updated the diff for D43504: netinet: add a probe point for IP stats counters.

Include icmp6, udp and tcp counters.

Jan 23 2024, 3:38 PM
kp added a comment to D43504: netinet: add a probe point for IP stats counters.

I'm wondering why we use icmp, ip, and ip6 as module and count as functions. I think in the Solaris implementation module and function are unspecified. Using a name different from what is used by Solaris is fine for me. So I really like the direction this patch is taking.

Jan 23 2024, 10:28 AM

Jan 22 2024

kp updated the diff for D43504: netinet: add a probe point for IP stats counters.

Have separate probes for each field.

Jan 22 2024, 8:00 PM
kp committed rG63a5fe834354: pflow: limit to no more than 128 flow exporters (authored by kp).
pflow: limit to no more than 128 flow exporters
Jan 22 2024, 6:20 PM
kp committed rG484e977f2441: pflow: observation domain is an unsigned integer (authored by kp).
pflow: observation domain is an unsigned integer
Jan 22 2024, 6:20 PM
kp committed rG57c50d6b3673: pf tests: test ICMP6 packet too big with binat (authored by kp).
pf tests: test ICMP6 packet too big with binat
Jan 22 2024, 12:53 PM
kp committed rG54c62e3e5d8c: pf: work around icmp6 packet-too-big not being sent when binat-ing (authored by kp).
pf: work around icmp6 packet-too-big not being sent when binat-ing
Jan 22 2024, 12:53 PM
kp closed D43500: pf tests: test ICMP6 packet too big with binat.
Jan 22 2024, 12:53 PM
kp closed D43499: pf: work around icmp6 packet-too-big not being sent when binat-ing.
Jan 22 2024, 12:53 PM

Jan 20 2024

kp committed rGc3d7bb5aca77: netipsec: fix LINT-NOINET build (authored by kp).
netipsec: fix LINT-NOINET build
Jan 20 2024, 9:23 PM