I'm agree with the change, but I have doubts that we have fixed all places in the kernel, where zone id is checked and properly initialized. Usually we keep zone id embedded in the address. Do you have some tests to check this code?

If you know that the problem occurs only with BPF, bpfwrite() invokes if_output() already in epoch section.

Does this mean that you concluded in the IETF mailing list to drop this support?

What happens ifp->if_softc will become NULL just after this 'if (sc == NULL)' check? It looks like epair_remove_ifp_from_draining(ifp) also uses if_softc field.

Committed in https://svnweb.freebsd.org/changeset/base/349267
Forgot to specify phabricator URL...

In D20616#445619, @kristof wrote:

Only if the firewall needs to read/write actual packet data. Protocol headers (TCP, IP, etc.) are always stored in a normal mbuf at the start of a packet's mbuf chain. Unmapped mbufs only hold payload data that is stored in a socket buffer, so most of the filters I can think of off the top of my head as well as things like NAT should only operate on the normal mbuf holding the headers.

Okay, thanks. That should indeed just work. The 'pf_check_proto_cksum()' flow, assuming there's no hardware assist, might break. I suspect that hardware which uses unmapped mbufs is always going to have checksum offload, so that's probably not an issue either.

I think it would be good to have this committed into 11.3 release. So you will be able to see how many users will complain that they need this support, if any.

LGTM.

Can you also update ixv driver? We discovered problems with ixv+VLANs on some KVM hosts with the stock driver, but the driver 1.5.15 from Intel's site works well.

• s/bpf_epoch_buffer/bpf_program_buffer/g
• update some comments
• add copyright line
• add refcount to bpf_d and use it in bpfwrite

move bpf_updated() into bpf_setf() to reduce BPF_LOCK() flipping

There is at least one problem that with this patch becomes easy reproducible. With default optimize_writers=0 bpt_mtap() can catch several packets in the time between bpf_setif() and bpf_setf(), because empty filter means "accept all" by bpf_filter(). Maybe it is time to remove optimize_writers variable and use this behavior by default? I.e. by default link new bpf_if into writers only list, and re-link it into readers list when application sets filter? Or change its value to be 1 by default?

In D19886#431575, @hselasky wrote:

FYI: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=237329

I have no objection. This subsystem is currently broken, but nobody wants to fix it. So, if you tested this patch and it helps to solve your problem, I'm ok, since description looks reasonable.

In D20163#434567, @jhb wrote:

FWIW, my limited testing of IPsec doesn't use if_ipsec, but instead I used setkey. I think having the rc.d scripts for 'ipsec_enable' autoloading ipsec.ko is reasonable.

I think there are too few users of if_ipsec, to make assumption that all users who use IPsec will use ifconfig(8). AFAIR, it is not the problem, you can just add symlink if_ipsec.ko -> ipsec.ko. But you also need some tweaks that will load ipsec,ko when ipsec_enable is "YES".