ae (Andrey V. Elsukov)
User

Projects

User Details

User Since
Jun 4 2014, 7:25 AM (189 w, 20 h)

Recent Activity

Wed, Jan 10

ae accepted D13834: Make use of mallocarray in sys/netpfil/ipfw.

This looks like noop for me, so I have no objection.

Wed, Jan 10, 11:24 PM

Mon, Jan 8

ae updated the diff for D13785: Add ability to specify several community strings in snmpd.config for bsndmp(1).
  • bump MIB version
  • return error code from string_save()
  • fix comment wording
  • add the check for community string uniqueness. It is ambiguous if we would have several the same community strings with different access rights.
Mon, Jan 8, 7:50 PM

Sat, Jan 6

ae added reviewers for D13785: Add ability to specify several community strings in snmpd.config for bsndmp(1): harti, trociny, ngie.
Sat, Jan 6, 8:56 PM
ae created D13785: Add ability to specify several community strings in snmpd.config for bsndmp(1).
Sat, Jan 6, 8:54 PM
ae added a comment to D13715: netpfil: Introduce PFIL_FWD.

Can you please update the patch with additional context according to https://wiki.freebsd.org/Phabricator#Create_a_Revision_via_Web_Interface

Sat, Jan 6, 4:54 PM · network

Wed, Jan 3

ae added reviewers for D13719: Fix CVE-2010-4670, CVE-2010-4671, CVE-2010-4669, CVE-2011-2393: markj, melifaro.
Wed, Jan 3, 1:04 PM
ae added a comment to D13719: Fix CVE-2010-4670, CVE-2010-4671, CVE-2010-4669, CVE-2011-2393.

Can you please update the diff according to https://wiki.freebsd.org/Phabricator#Create_a_Revision_via_Web_Interface

Wed, Jan 3, 12:31 PM
ae committed rS327518: MFC r327140:.
MFC r327140:
Wed, Jan 3, 12:19 PM

Fri, Dec 29

ae committed rS327337: MFC r326876:.
MFC r326876:
Fri, Dec 29, 10:47 AM

Sun, Dec 24

ae committed rS327142: MFC r326898:.
MFC r326898:
Sun, Dec 24, 2:06 AM
ae committed rS327141: MFC r326898:.
MFC r326898:
Sun, Dec 24, 2:05 AM
ae committed rS327140: Fix rule number truncation, use uint16_t type to specify rulenum..
Fix rule number truncation, use uint16_t type to specify rulenum.
Sun, Dec 24, 1:55 AM

Thu, Dec 21

ae committed rS327061: MFC r326847:.
MFC r326847:
Thu, Dec 21, 2:09 PM

Dec 16 2017

ae committed rS326898: Fix possible memory leak..
Fix possible memory leak.
Dec 16 2017, 2:36 PM

Dec 15 2017

ae committed rS326876: Follow the RFC6980 and silently ignore following IPv6 NDP messages.
Follow the RFC6980 and silently ignore following IPv6 NDP messages
Dec 15 2017, 12:37 PM

Dec 14 2017

ae committed rS326847: Fix mbuf leak when TCPMD5_OUTPUT() method returns error..
Fix mbuf leak when TCPMD5_OUTPUT() method returns error.
Dec 14 2017, 12:54 PM
ae accepted D13417: Plug an ifaddr leak when changing a route's src.

From quick look, it seems ifa_rtrequest does not release this reference and the change is correct.

Dec 14 2017, 12:05 PM

Dec 13 2017

ae added a comment to D13417: Plug an ifaddr leak when changing a route's src.

It would be nice if you describe why this leak happens, i.e. where leaked reference was acquired.

Dec 13 2017, 9:13 AM

Dec 11 2017

ae committed rS326766: MFC r326510:.
MFC r326510:
Dec 11 2017, 12:39 PM

Dec 8 2017

ae committed rS326682: MFC r326422:.
MFC r326422:
Dec 8 2017, 8:17 AM

Dec 5 2017

ae added inline comments to D13368: Avoid calling CURVNET_[SET|RESTORE] up to twice per packet.
Dec 5 2017, 7:32 AM

Dec 4 2017

ae committed rS326510: Fix format string warning with enabled DEBUGGING..
Fix format string warning with enabled DEBUGGING.
Dec 4 2017, 9:17 AM

Dec 1 2017

ae committed rS326422: Do better cleaning in key_destroy() for VIMAGE case..
Do better cleaning in key_destroy() for VIMAGE case.
Dec 1 2017, 10:00 AM

Nov 30 2017

ae committed rS326388: MFC r326086:.
MFC r326086:
Nov 30 2017, 7:43 AM

Nov 28 2017

ae added a comment to D13017: Add IPSec tests in tunnel mode.

Kristof and Olivier, can you test this patch?

Nov 28 2017, 6:35 AM

Nov 26 2017

ae added a comment to D13239: Add support for ABORT action in ipfw.

I'm not familiar with SCTP, from other side seems good to me, except some style issues.

Nov 26 2017, 2:33 PM

Nov 24 2017

ae committed rS326142: MFC r325960:.
MFC r325960:
Nov 24 2017, 4:42 AM

Nov 23 2017

ae committed rS326118: Modify ipfw's dynamic states KPI..
Modify ipfw's dynamic states KPI.
Nov 23 2017, 8:02 AM
ae closed D11657: Modify ipfw's dynamic states KPI.
Nov 23 2017, 8:02 AM
ae committed rS326117: Check that address family of state matches address family of packet..
Check that address family of state matches address family of packet.
Nov 23 2017, 7:05 AM
ae committed rS326116: Move ipfw_send_pkt() from ip_fw_dynamic.c into ip_fw2.c..
Move ipfw_send_pkt() from ip_fw_dynamic.c into ip_fw2.c.
Nov 23 2017, 6:05 AM
ae committed rS326115: Rework rule ranges matching. Use comparison rule id with UINT32_MAX to.
Rework rule ranges matching. Use comparison rule id with UINT32_MAX to
Nov 23 2017, 5:56 AM

Nov 22 2017

ae committed rS326086: Add ipfw_add_protected_rule() function that creates rule with 65535.
Add ipfw_add_protected_rule() function that creates rule with 65535
Nov 22 2017, 5:49 AM

Nov 17 2017

ae committed rS325962: Add comment for accidentally committed unrelated change in r325960..
Add comment for accidentally committed unrelated change in r325960.
Nov 17 2017, 11:25 PM
ae committed rS325960: Unconditionally enable support for O_IPSEC opcode..
Unconditionally enable support for O_IPSEC opcode.
Nov 17 2017, 10:40 PM

Nov 10 2017

ae committed rS325639: MFC r325355:.
MFC r325355:
Nov 10 2017, 11:19 AM

Nov 3 2017

ae committed rS325355: Use correct pointer in key_updateaddresses() when updating NAT-T config..
Use correct pointer in key_updateaddresses() when updating NAT-T config.
Nov 3 2017, 11:33 AM

Nov 2 2017

ae added a comment to D12770: ipsec: Use the same keysize values for HMAC as prior to r324017.

If it restores the old behavior, I have no objection

Nov 2 2017, 9:40 AM

Oct 31 2017

ae committed rS325230: MFC r324947:.
MFC r324947:
Oct 31 2017, 11:10 AM
ae committed rS325229: MFC r324947:.
MFC r324947:
Oct 31 2017, 10:33 AM

Oct 30 2017

ae added a comment to D12685: Make ipfw dynamic states lockless on fast path.

I have not plan to merge this into stable/10.
Also I'm not sure about committing this as is, because I'm not sure ConcurrencyKit is supported on all platforms.
Probably I will modify ip_fw_dynamic.c to be KPI compatible with this code, and then make it conditionally buildable.
Also CK is not merged into stable/11 yet, but cognet@ said that he will merge it into stable/11 if it will become needed.

Oct 30 2017, 2:51 PM
ae added inline comments to D12770: ipsec: Use the same keysize values for HMAC as prior to r324017.
Oct 30 2017, 12:03 PM
ae added reviewers for D12770: ipsec: Use the same keysize values for HMAC as prior to r324017: gnn, bz, jhb, jmg.
Oct 30 2017, 8:09 AM
ae added inline comments to D12770: ipsec: Use the same keysize values for HMAC as prior to r324017.
Oct 30 2017, 8:04 AM

Oct 26 2017

ae added a comment to D12685: Make ipfw dynamic states lockless on fast path.

Also now you can try your 5000000 flows test :)
You can set

sysctl net.inet.ip.fw.dyn_max=5000000
sysctl net.inet.ip.fw.dyn_buckets=5000000
Oct 26 2017, 8:13 PM

Oct 25 2017

ae added a comment to D12770: ipsec: Use the same keysize values for HMAC as prior to r324017.
r324972 with D12770fbsd 11.1OKNOK: netstat display "packets dropped; no transform" on destination
Oct 25 2017, 10:22 PM
ae accepted D12779: Evaluate packet size after the firewall had its chance in the ip6 fast path.
Oct 25 2017, 11:42 AM
ae added inline comments to D12779: Evaluate packet size after the firewall had its chance in the ip6 fast path.
Oct 25 2017, 8:07 AM

Oct 24 2017

ae committed rS324947: Add IPv6 support for O_TCPDATALEN opcode..
Add IPv6 support for O_TCPDATALEN opcode.
Oct 24 2017, 8:39 AM

Oct 23 2017

ae updated the diff for D12685: Make ipfw dynamic states lockless on fast path.
  • Fix build with VIMAGE and remove mismerged chunks.
  • Replace ip_fw_dynamic in sys/conf/files.
Oct 23 2017, 8:12 PM
ae accepted D10680: IPSec performance increase in single flow mode by making crypto(9) multi thread.
Oct 23 2017, 11:58 AM

Oct 20 2017

ae updated the summary of D12685: Make ipfw dynamic states lockless on fast path.
Oct 20 2017, 2:07 PM
ae updated the diff for D12685: Make ipfw dynamic states lockless on fast path.
  • Switch the default hash algorithm to jenkins hash.
Oct 20 2017, 2:05 PM
ae added inline comments to D12685: Make ipfw dynamic states lockless on fast path.
Oct 20 2017, 9:32 AM
ae updated the diff for D12685: Make ipfw dynamic states lockless on fast path.

Some whitespace fixes and blank lines.
In dyn_export_data() fix typo in bytes counter calculation

Oct 20 2017, 9:19 AM
ae added a comment to D12685: Make ipfw dynamic states lockless on fast path.

The ipfw_send_pkt() function was not changed, it just moved from ip_fw_dynamic.c into ip_fw2.c. I can remove keep-alive related functionality from this function if you prefer this.
The new dynamic states implementation uses own keep-alive functions that are in ip_fw_dynamic2.c (is is hidden in phabricator and should be expanded via "Show File Contents").
I am planning to rework ipfw_send_pkt() to use some deferred sending (e.g. taskq). I don't like the fact that we are reentering the firewall when we sending RST. This produces high stack usage.

Oct 20 2017, 9:02 AM
ae committed rS324791: MFC r324592:.
MFC r324592:
Oct 20 2017, 7:42 AM
ae committed rS324790: MFC r324593:.
MFC r324593:
Oct 20 2017, 7:40 AM
ae added a comment to D10680: IPSec performance increase in single flow mode by making crypto(9) multi thread.

Thanks for testing! Actually you get a far better improvement than I observed!
Just curious, which hardware have you used for the test?

Oct 20 2017, 7:32 AM

Oct 19 2017

ae added a comment to D10680: IPSec performance increase in single flow mode by making crypto(9) multi thread.

I finally played a bit with this patch. I used if_ipsec(4) tunnel between two hosts and iperf TCP test. With disabled async_crypto I have ~720Mbit/s, with enabled async_crypto it is 5.2Gbit/s.

Oct 19 2017, 2:20 PM
ae added a reviewer for D10680: IPSec performance increase in single flow mode by making crypto(9) multi thread: olivier_cochard.me.
Oct 19 2017, 2:20 PM

Oct 18 2017

ae added a reviewer for D12685: Make ipfw dynamic states lockless on fast path: julian.
Oct 18 2017, 9:59 AM

Oct 17 2017

ae added a reviewer for D12685: Make ipfw dynamic states lockless on fast path: oleg.
Oct 17 2017, 7:07 AM

Oct 16 2017

ae updated the summary of D12685: Make ipfw dynamic states lockless on fast path.
Oct 16 2017, 2:53 PM
ae updated the diff for D12685: Make ipfw dynamic states lockless on fast path.
  • Restore support for 'check-state :any'.
Oct 16 2017, 11:01 AM
ae created D12685: Make ipfw dynamic states lockless on fast path.
Oct 16 2017, 10:36 AM

Oct 13 2017

ae committed rS324593: Fix regression in handling O_FORWARD_IP opcode after r279948..
Fix regression in handling O_FORWARD_IP opcode after r279948.
Oct 13 2017, 11:12 AM
ae committed rS324592: Return 'errno' value from the table_do_modify_record(), it is expected.
Return 'errno' value from the table_do_modify_record(), it is expected
Oct 13 2017, 11:01 AM

Oct 12 2017

ae added a comment to D12639: Enable VIMAGE by default.
In D12639#262598, @bz wrote:

Hence my comment on the proposed commit message (get more people testing and see if it can stay on for 12). If a lot of people find they'll lose 20% the next days this will not go in, or if they find in two months, this can be reverted quite easily if the overhead can't be removed.

Oct 12 2017, 12:11 PM

Oct 10 2017

ae added inline comments to D12586: improve inp locking in getsockopt, setsockopt, and related functions.
Oct 10 2017, 10:13 AM

Oct 9 2017

ae committed rS324426: MFC r324098:.
MFC r324098:
Oct 9 2017, 8:50 AM

Oct 4 2017

ae added a comment to D12586: improve inp locking in getsockopt, setsockopt, and related functions.

Probably you need to modify netipsec/ipsec_pcb.c too.

Oct 4 2017, 7:06 AM

Sep 29 2017

ae committed rS324098: Some mbuf related fixes in icmp_error().
Some mbuf related fixes in icmp_error()
Sep 29 2017, 6:25 AM

Sep 27 2017

ae added inline comments to D12457: Complete INADDR_HASH lock protection.
Sep 27 2017, 5:28 AM
ae committed rS324047: MFC r323839:.
MFC r323839:
Sep 27 2017, 1:48 AM
ae committed rS324046: MFC r323836:.
MFC r323836:
Sep 27 2017, 1:46 AM

Sep 24 2017

ae accepted D12469: g_resize_provider_event: Do not invoke orphan method twice.
Sep 24 2017, 8:28 AM

Sep 20 2017

ae committed rS323839: Use in_localip() function instead of unlocked access to addresses hash.
Use in_localip() function instead of unlocked access to addresses hash
Sep 20 2017, 10:35 PM
ae committed rS323836: Do not acquire IPFW_WLOCK when a named object is created and destroyed..
Do not acquire IPFW_WLOCK when a named object is created and destroyed.
Sep 20 2017, 10:00 PM

Sep 19 2017

ae added a comment to D12336: Give example of deleting partitions and partitioning scheme.

It would be good to note also about the error when you can not modify partition table until it will be recovered.
This is frequent problem when GPT is marked as CORRUPT.

Sep 19 2017, 2:39 PM

Sep 14 2017

ae added a comment to D12367: do not spoil a geom label if it can not be modified via its underlying provider.

I'm not sure about GPT volume labels. What will be if you do something like this?

MD=`mdconfig -s 100m`
gpart create -s GPT $MD
gpart add -t freebsd-ufs $MD
for i in `seq 0 100`; do
    gpart modify -i 0 -l LABEL$i $MD
done
Sep 14 2017, 1:39 PM

Sep 12 2017

ae accepted D12336: Give example of deleting partitions and partitioning scheme.
Sep 12 2017, 10:21 AM

Sep 6 2017

ae committed rS323216: MFC r323086:.
MFC r323086:
Sep 6 2017, 10:21 AM

Sep 1 2017

ae committed rS323086: Fix possible double releasing for SA reference..
Fix possible double releasing for SA reference.
Sep 1 2017, 11:51 AM

Aug 28 2017

ae committed rS322966: MFC r322750:.
MFC r322750:
Aug 28 2017, 10:02 AM

Aug 25 2017

ae committed rS322886: Add melifaro@ to the calendar.freebsd.
Add melifaro@ to the calendar.freebsd
Aug 25 2017, 11:25 AM

Aug 23 2017

ae committed rS322808: MFC r322310:.
MFC r322310:
Aug 23 2017, 8:56 AM

Aug 21 2017

ae committed rS322751: Remove stale comments..
Remove stale comments.
Aug 21 2017, 1:54 PM
ae committed rS322750: Fix the regression introduced in r275710..
Fix the regression introduced in r275710.
Aug 21 2017, 1:52 PM
ae committed rS322744: MFC r284152:.
MFC r284152:
Aug 21 2017, 10:07 AM
ae committed rS322741: MFC r321779:.
MFC r321779:
Aug 21 2017, 9:03 AM

Aug 17 2017

ae added a comment to D12040: direct vlan handling in ixgbe.

Perhaps a rename of the new files to reflect the technology/enhancement you are proposing? Most people won't associate Yandex with VLANs. Regardless, to really benefit FreeBSD in general, you should probably include patches to other drivers as well, since VLANs are not specific to Intel devices.

Aug 17 2017, 7:19 PM
ae accepted D12066: fix bsdlabel end sector calculation.
Aug 17 2017, 6:55 PM
ae added a reviewer for D10680: IPSec performance increase in single flow mode by making crypto(9) multi thread: jhb.
Aug 17 2017, 1:53 PM

Aug 16 2017

ae added a comment to D12040: direct vlan handling in ixgbe.
In D12040#249735, @oleg wrote:

Why not? I'm going to use ck library in ipfw, and put related code here to reduce diffs.

perhaps you can avoid ck/atomic: protect yndx_vlan_set() call with IXGBE_RX_LOCK()

Aug 16 2017, 2:22 PM
ae added a comment to D12040: direct vlan handling in ixgbe.
In D12040#249728, @oleg wrote:
  1. Why is ck library used and not atomic(9) ?
Aug 16 2017, 12:59 PM
ae committed rS322576: MFC r322328:.
MFC r322328:
Aug 16 2017, 12:01 PM
ae added a comment to D11370: Rework vlan(4) locking..

Great. For my own curiosity, are your direct vlan handling patches posted anywhere?

Aug 16 2017, 9:15 AM
ae created D12041: direct vlan handling in mlx5en.
Aug 16 2017, 9:15 AM
ae created D12040: direct vlan handling in ixgbe.
Aug 16 2017, 9:11 AM