Nov 1 2021

eri added inline comments to D32750: pf: Introduce ridentifier.
Nov 1 2021, 1:58 AM

Oct 30 2021

eri requested changes to D32750: pf: Introduce ridentifier.
Oct 30 2021, 10:17 PM

Oct 5 2021

eri added a comment to D31904: pf: support dummynet.

How about some attribution here to where this code is coming from!
Especially since there is a black history behind, I hope to never revive!

Oct 5 2021, 1:27 AM

May 13 2021

eri requested changes to D30246: pf: Support killing floating states by interface.

This kind of breaks the assumption of floating states, 'it will apply in any interface any direction'.
These states can be killed through src/dst options, or potentially you can do this in a daemon managing states in userland and killing states by id.

May 13 2021, 3:26 PM
eri requested changes to D30245: pf: Track the original kif for floating states.

Why can't you move the interface 'all' to be a flag and just always track the interface the packet came in originally?

May 13 2021, 3:22 PM
eri accepted D30247: pf tests: Test the ability to kill floating states by interface.
May 13 2021, 3:17 PM
eri added inline comments to D30242: pf: Add DIOCGETSTATENV.
May 13 2021, 3:16 PM

Apr 16 2021

eri requested changes to D29795: pf: Refactor state killing.
Apr 16 2021, 7:29 PM

Apr 14 2021

eri added a comment to D29669: pf: Kill connections by schedule.

You can add me to these reviews @kp !
I have implemented originally all of this without thinking of generic way of reusability.
The intention is to have some metadata tagged on states and rules to easily perform operations and/or reporting.
The model can be improved by having a better tagging model than just stashing new fields in the structure, but porting first the patches and later on collapsing them can be a path forward, as long as the ABI is not impacted too much.

Apr 14 2021, 4:41 PM

Dec 13 2020

eri committed R9:14822315917e: Insert myself to the contributors list. (authored by eri).
Dec 13 2020, 6:15 PM
eri committed R9:ddfea3d23c34: Make known to the world that I am a FreeBSD committer. (authored by eri).
Dec 13 2020, 5:48 PM
eri committed R9:7986ed9fcd92: Add myself to the documentation infrastructure. (authored by eri).
Dec 13 2020, 5:48 PM

Dec 5 2018

eri added a comment to D18373: pfsync: Performance improvement.

Not a blocker but:

  • It would also be nice to measure if the other side can keep up with the blast of state updates now?
  • Even better, provide the same bucket mechanism on reception so it can be distributed on the various cores
Dec 5 2018, 5:09 PM
eri added a comment to D18373: pfsync: Performance improvement.

Can you please measure the latency of syncing states with this change against previous latency?

Dec 5 2018, 5:05 PM

Nov 26 2018

eri accepted D17994: pfsync: Insert static trace points.

Can you add some text to the manual pages for documenting the feature? Possibly linking to some example?

Nov 26 2018, 1:10 AM

Nov 16 2018

eri added a comment to D17992: pfsync: Reduce contention on PFSYNC_LOCK().

What needs to be considered here is that the assumption of pfsync is that a state created in pf will be synced at the shortest possible cycle to the cluster member.
By deferring, that assumption is relaxed, so figuring out baselines of before and after this change would make this easier to reason about.

Nov 16 2018, 8:04 PM

Oct 30 2018

eri accepted D17734: pf: Limit the fragment entry queue length to 64 per bucket..
Oct 30 2018, 5:48 PM
eri accepted D17733: pf: Split the fragment reassembly queue into smaller parts.
Oct 30 2018, 5:47 PM
eri accepted D17732: pf: Count holes rather than fragments for reassembly.
Oct 30 2018, 5:46 PM

Oct 14 2018

eri accepted D17508: pfctl tests: Basic test case for PR 231323.

Continue the great work you are doing on providing test cases for pf.

Oct 14 2018, 4:08 PM
eri accepted D17507: pfctl: Dup strings.

Looks good.

Oct 14 2018, 4:07 PM

Jan 31 2018

eri added a comment to D13715: netpfil: Introduce PFIL_FWD flag.
In D13715#295452, @kristof wrote:
In D13715#295449, @eri wrote:

While I have not much time lately to spend on this, I still think this is the wrong way of doing things since it just creates confusion.

I'm not sure I see how this would create confusion. This merely presents more information about the packet, and where the netpfil hook is being called from.

Jan 31 2018, 4:35 AM · network

Jan 27 2018

eri added a comment to D13715: netpfil: Introduce PFIL_FWD flag.

While I have not much time lately to spend on this, I still think this is the wrong way of doing things since it just creates confusion.
pf(4) already knows about mbuf_tag(9) and uses it. I would strongly suggest using them until a proper _FWD hook comes to life and allows removing all the 'hacks' in pf(4) and possibly elsewhere.

Jan 27 2018, 2:54 AM · network

Jan 6 2018

eri added a comment to D13715: netpfil: Introduce PFIL_FWD flag.

While this is needed, I do not agree that the modifications on the stack and packet filters should be so hackish.

Jan 6 2018, 6:58 PM · network

Mar 28 2017

eri added a comment to D10154: Use PFIL's rmlock instead of IPFW's static rules rmlock.

Just curious, do you have any comparison/profiling data if this improves anything?

Mar 28 2017, 12:51 AM

Mar 24 2017

eri committed rS315877: Correct handling of ALTQ with epair(4) interfaces but presenting that ALTQ(9)….
Mar 24 2017, 12:55 AM

Mar 17 2017

eri accepted D10040: pf: Fix memory leak on vnet shutdown or unload.

Good catch.

Mar 17 2017, 10:02 PM
eri requested changes to D10025: pf: Fix panic on unload.

I would rather remove the pf_unload and pf_load to empty stubs and do their operation in pf_vnet_[un]init with DEFAULT_VNET wrapping than this.

Mar 17 2017, 10:01 PM

Mar 16 2017

eri added a comment to D10025: pf: Fix panic on unload.

It feels a lot like a hack.
Shouldn't the proper VNET accessor be called on creation and teardown?

Mar 16 2017, 5:18 PM

Mar 6 2017

eri committed rS314722: The patch provides the same socket option as Linux IP_ORIGDSTADDR..
Mar 6 2017, 4:02 AM
eri closed D9235: Provide IP_ORIGDSTADDR socket option by committing rS314722: The patch provides the same socket option as Linux IP_ORIGDSTADDR..
Mar 6 2017, 4:02 AM

Mar 5 2017

eri added a comment to D9721: Add netisr queue for deferred IPsec processing to reduce kernel stack requirements.
In D9721#204349, @ae wrote:

oh hm, one ipsec flow? so ok. So, can you also dump out the NIC statistics so we can see if the NIC is seeing all the traffic on one RX ring, or whether it's being load balanced between multiple RX rings.

Adrian, please, note that this netisr queue is for outbound traffic. It queues packets that are going to be encrypted. And these packets are ordered by SPI value, so for one flow there is no parallelism. Also there is no parallelism in the crypto(9) subsystem, so you won't get any benefits from many isr threads, they all will be blocked on the crypto thread.

Mar 5 2017, 5:05 AM

Feb 21 2017

eri updated the diff for D9235: Provide IP_ORIGDSTADDR socket option.

Include documentation (man pages) though someone should give a review to those changes.

Feb 21 2017, 12:02 AM

Feb 20 2017

eri abandoned D2986: IPSEC SPD searching is slow perform it only once during forwarding.
Feb 20 2017, 11:44 PM · network
eri abandoned D2990: Allow aesni(4) module to be loaded on all VMs.
Feb 20 2017, 11:44 PM
eri abandoned D3019: Reduce overhead of IPSEC on socket creation and destruction.
Feb 20 2017, 11:43 PM · network
eri abandoned D3045: IPSEC forwarding performance improvement.
Feb 20 2017, 11:43 PM · network
eri updated the diff for D9235: Provide IP_ORIGDSTADDR socket option.

Update considering comments.

Feb 20 2017, 11:42 PM

Feb 15 2017

eri added a comment to D3133: Fixes on Bridge+CARP crashes/freezes.
In D3133#198459, @ae wrote:

Also can you describe the cause of the hang? From the patch it is not obvious to me.

Feb 15 2017, 6:30 PM · network

Feb 14 2017

eri added a comment to D9235: Provide IP_ORIGDSTADDR socket option.

Completed review tasks.

Feb 14 2017, 3:48 AM
eri updated the diff for D9235: Provide IP_ORIGDSTADDR socket option.

Update diff to include all remarks

Feb 14 2017, 3:44 AM
eri added a reviewer for D3133: Fixes on Bridge+CARP crashes/freezes: ae.
Feb 14 2017, 1:24 AM · network
eri added a reviewer for D5017: More than 65K connection from single application: ae.
Feb 14 2017, 1:23 AM · network
eri added a reviewer for D9235: Provide IP_ORIGDSTADDR socket option: ae.
Feb 14 2017, 1:23 AM

Feb 12 2017

eri committed rS313675: Committed without approval from mentor..
Feb 12 2017, 6:57 AM

Feb 10 2017

eri committed rS313530: Use proper value for socket option on IPv6.
Feb 10 2017, 6:20 AM
eri committed rS313529: Fix build after r313524.
Feb 10 2017, 6:02 AM
eri committed rS313528: Revert r313527.
Feb 10 2017, 5:58 AM
eri committed rS313527: Correct missed variable name..
Feb 10 2017, 5:51 AM
eri committed rS313524: The patch provides the same socket option as Linux IP_ORIGDSTADDR..
Feb 10 2017, 5:16 AM
eri added a comment to D5017: More than 65K connection from single application.

Just some information to pkesley@ comment.

Feb 10 2017, 3:20 AM · network

Feb 9 2017

eri added a comment to D9235: Provide IP_ORIGDSTADDR socket option.

Just looking for an OK here this is not rocket science!

Feb 9 2017, 6:31 AM
eri added a reviewer for D5017: More than 65K connection from single application: julian.
Feb 9 2017, 6:29 AM · network

Feb 5 2017

eri added inline comments to D5017: More than 65K connection from single application.
Feb 5 2017, 10:00 PM · network
eri added a comment to D5017: More than 65K connection from single application.

So I go and commit this in one week if no objections are raised.

Feb 5 2017, 9:08 PM · network
eri added a reviewer for D9235: Provide IP_ORIGDSTADDR socket option: gnn.
Feb 5 2017, 9:07 PM

Feb 1 2017

eri added a comment to D5017: More than 65K connection from single application.

Anyone has objections so this can go in?

Feb 1 2017, 1:04 AM · network

Jan 19 2017

eri updated the diff for D3133: Fixes on Bridge+CARP crashes/freezes.

Update to include context.

Jan 19 2017, 5:38 AM · network
eri updated the diff for D5017: More than 65K connection from single application.

Busy with other things.
Updating this to include context.

Jan 19 2017, 5:12 AM · network
eri updated the diff for D9235: Provide IP_ORIGDSTADDR socket option.

Update patch to include context as well.

Jan 19 2017, 5:08 AM
eri updated the diff for D9235: Provide IP_ORIGDSTADDR socket option.

Updated as per comments.

Jan 19 2017, 4:50 AM

Jan 18 2017

eri retitled D9235: Provide IP_ORIGDSTADDR socket option from to Provide IP_ORIGDSTADDR socket option.
Jan 18 2017, 9:54 PM

Dec 22 2016

eri added a comment to D8877: pf|ipfw|netinet6?: shared IP forwarding.

Can't this be made part of a single API where the protocol family is passed so it can be reused and extended easily?
Imagine layer2 forwarding can use this as well.....

Dec 22 2016, 3:52 AM

Oct 23 2016

eri added a comment to D8109: ipfw: prepare ipfw for cooperation inside the pfil hook.

I understand and I still think this is _completely_ useless from what you have submitted.

Oct 23 2016, 8:16 PM
eri added a comment to D8109: ipfw: prepare ipfw for cooperation inside the pfil hook.

This is not the way this should proceed.

Oct 23 2016, 9:53 AM

Oct 1 2016

eri requested changes to D8109: ipfw: prepare ipfw for cooperation inside the pfil hook.

You need to do more than this.
This change is not correct per se.

Oct 1 2016, 4:49 PM

Jan 28 2016

eri added a comment to D5017: More than 65K connection from single application.
In D5017#108466, @ae wrote:

Can you link your patch with /head branch, so all context will be available?

Jan 28 2016, 9:13 AM · network

Jan 27 2016

eri added a comment to D5017: More than 65K connection from single application.

just make sure you test the RSS/PCBGROUPS options too. :)

-a

Jan 27 2016, 8:57 AM · network

Jan 25 2016

eri added a comment to D5017: More than 65K connection from single application.

Any update on the following?

Jan 25 2016, 1:16 PM · network
eri updated subscribers of D5017: More than 65K connection from single application.
Jan 25 2016, 1:16 PM · network

Jan 21 2016

eri added a comment to D5017: More than 65K connection from single application.
In D5017#106574, @gnn wrote:

I'm a bit confused by this proposal. No protocol I know of has a port field larger than 16 bits. How and where might this be applied?

Jan 21 2016, 5:27 PM · network
eri updated D5017: More than 65K connection from single application.
Jan 21 2016, 3:52 PM · network
eri retitled D5017: More than 65K connection from single application from to More than 65K connection from single application.
Jan 21 2016, 2:20 PM · network

Oct 28 2015

eri added a comment to D3993: Optimize the case where we have IPSEC enabled but do not have security policies..

I know this has been committed but please check my remarks.

Oct 28 2015, 6:38 PM

Oct 2 2015

eri added a comment to D3779: pf: Fix TSO issues.

The easiest way to do this is check if you have an inp and check that the proto is TCP from that and skip cksum update.
Otherwise you will end up with complex code as this which is easier to understand and maintain.
It certainly is not documented properly but this makes it even more.

Oct 2 2015, 6:15 PM
eri added a reviewer for D3779: pf: Fix TSO issues: eri.
Oct 2 2015, 6:08 PM

Sep 28 2015

eri added a comment to D3737: Replace the fastforward path with tryforward which does not require a sysctl and will always be on. The former split between default and fast forwarding is removed by this commit while preserving the ability to use all network stack features..

The problem with IPSec is that this might leak traffic that otherwise would be used by ipsec.
Probably even looped traffic might leak with these scenarios from proxies....

Sep 28 2015, 10:53 AM

Sep 27 2015

eri added a comment to D3737: Replace the fastforward path with tryforward which does not require a sysctl and will always be on. The former split between default and fast forwarding is removed by this commit while preserving the ability to use all network stack features..

This still breaks IPSEC scenarios at least.

Sep 27 2015, 2:38 PM

Sep 24 2015

eri added a comment to D3019: Reduce overhead of IPSEC on socket creation and destruction.

See my replies!

Sep 24 2015, 5:12 PM · network

Aug 31 2015

eri updated the diff for D3503: Reloading of rules should not impact normal packet processing.

Reduce the diff to only rule handling for now.

Aug 31 2015, 10:35 AM · network
eri accepted D3534: pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set.

I would have put this in the pf_refragment6 function call, but let's put this in and see later on to improve it further.

Aug 31 2015, 10:07 AM
eri added a comment to D3503: Reloading of rules should not impact normal packet processing.

Yeah, I noticed this and am working on fixing it.
Mostly this is from the relaxed requirement to accept rules without existing interface name!

Aug 31 2015, 9:19 AM · network
eri added a comment to D3534: pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set.

Did this behavior start after implementing the refragmentation functionality?

Aug 31 2015, 6:32 AM
eri added a reviewer for D3534: pf: Fix misdetection of forwarding when net.link.bridge.pfil_bridge is set: eri.
Aug 31 2015, 6:31 AM

Aug 30 2015

eri added a comment to D3045: IPSEC forwarding performance improvement.

While that is not an open available link but clearly the target is different.
That patch is about IPSec not impacting forwarding path when it's not in use at all
while this patch is about avoiding a routing lookup when IPSec is in use more in relation with the commit in FreeBSD removing redundant routing table lookups in forwarding path.

Aug 30 2015, 12:01 PM · network
eri added a comment to D3045: IPSEC forwarding performance improvement.

Sure gnn@ I can write Obtained from eri et al.
What have you been smoking lately? Can you clarify where this obtained from should contain and your reasoning behind?

Aug 30 2015, 10:58 AM · network

Aug 27 2015

eri accepted D3466: pf: Remove support for 'scrub fragment crop|drop-ovl'.
Aug 27 2015, 8:29 PM
eri added a reviewer for D3503: Reloading of rules should not impact normal packet processing: gnn.
Aug 27 2015, 12:45 PM · network
eri retitled D3503: Reloading of rules should not impact normal packet processing from to Reloading of rules should not impact normal packet processing.
Aug 27 2015, 12:39 PM · network

Aug 25 2015

eri added a reviewer for D3466: pf: Remove support for 'scrub fragment crop|drop-ovl': eri.
Aug 25 2015, 5:42 PM
eri added a comment to D3466: pf: Remove support for 'scrub fragment crop|drop-ovl'.

It looks good in general, though I do not like automatic conversion in such case.
Just put in the commit as part of release notes and people need to be fully aware of the change.
Whoever used these options, I am certain, had their reasons so they should be aware of the change.

Aug 25 2015, 5:42 PM
eri requested changes to D3435: pf: Handle if_groups with the same name as interfaces.

I do not think this is the root cause for this, it just hides another issue.
I think that the result of RB_INSERT should be checked when a group/iface is created.
If that returns NULL the result should be null.

Aug 25 2015, 5:26 PM
eri added a reviewer for D3435: pf: Handle if_groups with the same name as interfaces: eri.
Aug 25 2015, 5:14 PM

Aug 7 2015

eri added a comment to D3272: Add ALTQ(9) CoDel algorithm support.

One thing not mentioned in this review is that the codel queue type can be used on any other scheduler like PRIQ, CBQ, HFSC, FAIRQ.
It is quite flexible at that.

Aug 7 2015, 5:56 PM
eri added a comment to D3272: Add ALTQ(9) CoDel algorithm support.

This can go in.
I am working on restructuring all this to be a bit more modern and not so...hackish.

Aug 7 2015, 5:51 PM

Aug 4 2015

eri added a comment to D3045: IPSEC forwarding performance improvement.

I do not see why the receiving of the ICMP_UNREACH is impacted by this?

Aug 4 2015, 3:34 PM · network

Aug 3 2015

eri added a comment to D3272: Add ALTQ(9) CoDel algorithm support.

Can you please put my copyright in the codel files since it was a forgotten addition when I did the port?

Aug 3 2015, 6:51 AM

Jul 30 2015

eri committed rS286095: Correct IPSec SA statistic keeping.
Jul 30 2015, 8:56 PM
eri closed D3239: Correct IPSec SA statistic keeping by committing rS286095: Correct IPSec SA statistic keeping.
Jul 30 2015, 8:56 PM · network
eri added a comment to D3022: ip_output normalization and fixes.

Yea Andrey will do for IPv6.

Jul 30 2015, 10:41 AM · network