kp (Kristof Provost)
User Details

User Since
Sep 28 2014, 7:22 PM (398 w, 2 d)

Recent Activity

Yesterday

kp committed R10:386b1a033c4d: pf: allocate krule->timestamp in pf_krule_alloc() (authored by kp).
pf: allocate krule->timestamp in pf_krule_alloc()
Tue, May 17, 2:01 PM

Sat, May 14

kp committed R10:08135bd1fa6e: epair: unbind prior to returning to userspace (authored by kp).
epair: unbind prior to returning to userspace
Sat, May 14, 9:28 PM
kp committed R10:7660a72217b7: epair: fix set but not used warning (authored by kp).
epair: fix set but not used warning
Sat, May 14, 9:28 PM
kp committed R10:f4e4c5c4c22f: in_rss: fix set but not used warning (authored by kp).
in_rss: fix set but not used warning
Sat, May 14, 9:27 PM
kp committed R10:7389c8b3edbc: in_rss: fix set but not used warning (authored by kp).
in_rss: fix set but not used warning
Sat, May 14, 9:05 PM
kp accepted D35178: Add end to end tests for dhclient.
Sat, May 14, 9:09 AM

Fri, May 13

kp committed R10:9573cc35555e: rtsock: fix a stack overflow (authored by takahiro.kurosawa_gmail.com).
rtsock: fix a stack overflow
Fri, May 13, 8:07 PM
kp closed D35188: rtsock: fix buffer overrun (sockaddr misuse).
Fri, May 13, 8:06 PM
kp accepted D35188: rtsock: fix buffer overrun (sockaddr misuse).

Good catch!

Fri, May 13, 5:16 PM

Thu, May 12

kp committed R10:009e8f0a1099: pf: fix pf_rule_to_actions() (authored by kp).
pf: fix pf_rule_to_actions()
Thu, May 12, 7:59 PM
kp committed R10:1977d9a37b88: pf tests: factor out common dummynet check (authored by kp).
pf tests: factor out common dummynet check
Thu, May 12, 7:59 PM
kp committed R10:920c3410872c: pf tests: test dummynet on route-to'd packets (authored by kp).
pf tests: test dummynet on route-to'd packets
Thu, May 12, 7:59 PM
kp closed D35161: pf tests: test dummynet on route-to'd packets.
Thu, May 12, 7:59 PM
kp closed D35160: pf tests: factor out common dummynet check.
Thu, May 12, 7:59 PM
kp closed D35159: pf: tag dummynet'd route-to packets with their real destination.
Thu, May 12, 7:58 PM
kp committed R10:a908f8f0dc62: pf: tag dummynet'd route-to packets with their real destination (authored by kp).
pf: tag dummynet'd route-to packets with their real destination
Thu, May 12, 7:58 PM
kp committed R10:37c452292132: pf: also apply dummynet to route-to/dup-to packets (authored by kp).
pf: also apply dummynet to route-to/dup-to packets
Thu, May 12, 7:58 PM
kp closed D35158: pf: also apply dummynet to route-to/dup-to packets.
Thu, May 12, 7:58 PM
kp added a comment to D35178: Add end to end tests for dhclient.

Mostly LGTM too.

Thu, May 12, 7:17 AM

Wed, May 11

kp added a comment to D35067: if_ovpn: basic test case.

Can we include the command(s) used to generate the certs somewhere, maybe a comment in the test?

Wed, May 11, 2:43 PM
kp updated the diff for D35159: pf: tag dummynet'd route-to packets with their real destination.
  • add NET_EPOCH_ASSERT
  • return 'int' for errors rather than 'bool'
Wed, May 11, 8:48 AM
kp updated the diff for D35158: pf: also apply dummynet to route-to/dup-to packets.

Change return type to int, to clarify that this is an error return.

Wed, May 11, 8:48 AM
kp added a comment to D35158: pf: also apply dummynet to route-to/dup-to packets.

The new function is bool, to tell if the packet was consumed. Let's call this modern FreeBSD style. You also pass a pointer to pointer, so the function can NULL-ify it to express the same fact of a consumed mbuf. This matches classic OpenBSD/pf style. In one case you use FreeBSD style and in two cases OpenBSD.

IMHO, the new function should be used consistently using either return value or the pointer. Personally I prefer FreeBSD style over OpenBSD/pf.

Wed, May 11, 8:47 AM
kp added inline comments to D35159: pf: tag dummynet'd route-to packets with their real destination.
Wed, May 11, 7:58 AM

Tue, May 10

kp updated the diff for D34340: ovpn: Introduce OpenVPN DCO support.
  • Separate counters for allocation failures
  • Use array for counters for simplified init and cleanup
Tue, May 10, 6:33 PM
kp added inline comments to D34340: ovpn: Introduce OpenVPN DCO support.
Tue, May 10, 6:33 PM
kp updated the diff for D35067: if_ovpn: basic test case.

Improve logging

Tue, May 10, 4:31 PM
kp requested review of D35161: pf tests: test dummynet on route-to'd packets.
Tue, May 10, 8:53 AM
kp requested review of D35160: pf tests: factor out common dummynet check.
Tue, May 10, 8:53 AM
kp requested review of D35159: pf: tag dummynet'd route-to packets with their real destination.
Tue, May 10, 8:53 AM
kp requested review of D35158: pf: also apply dummynet to route-to/dup-to packets.
Tue, May 10, 8:53 AM

Sat, May 7

kp committed R10:cbbce42345c5: epair: unbind prior to returning to userspace (authored by kp).
epair: unbind prior to returning to userspace
Sat, May 7, 7:58 PM
kp committed R10:017e7d039087: in_rss: fix set but not used warning (authored by kp).
in_rss: fix set but not used warning
Sat, May 7, 7:58 PM
kp committed R10:a6b0c8d04d2a: epair: fix set but not used warning (authored by kp).
epair: fix set but not used warning
Sat, May 7, 7:58 PM
kp added a comment to D35144: [ifconfig] Prevent extensive cycles spent on sorting IP addresses.
In D35144#796757, @se wrote:

I see 3 alternatives to the current approach:

  1. Use a better algorithm with lower time complexity
  2. Insert addresses at their correct position in ip address order (possibly also in a different data structure, e.g. a balanced tree)
  3. Sort for display, keep the sorted list and set a flag (cleared when another address is added) to skip sorting if not necessary

The sorting is relatively slow since there is a complex comparison function defining the desired order and the data to be sorted is in a linked list, not an array.

I strongly suspect the sorting is slow because the sorting algorithm is incorrectly implemented, and it's doing a *lot* more work than it needs to do. I recommend investigating that first, because making the sorting faster is a lot less controversial than not sorting in certain circumstances.

Sat, May 7, 5:41 PM
kp added a comment to D35144: [ifconfig] Prevent extensive cycles spent on sorting IP addresses.

Isn't there room for improving sortifaddrs() so it works well on machines with many addresses? It's not ideal to only sort some of the time, and it really shouldn't take all that long to sort 4000 elements.

Sat, May 7, 1:32 PM

Fri, May 6

kp committed R10:4d48dd689062: pf: don't reject dummynet-ed packets (authored by kp).
pf: don't reject dummynet-ed packets
Fri, May 6, 3:43 PM
kp committed R10:c530c80ef22e: pf: fix reverse direction dummynet (authored by kp).
pf: fix reverse direction dummynet
Fri, May 6, 3:43 PM
kp committed R10:9501fc936f3b: pf: dummynet fix (authored by kp).
pf: dummynet fix
Fri, May 6, 3:43 PM
kp closed D34704: if: avoid interface destroy race.
Fri, May 6, 11:56 AM
kp committed R10:868bf82153e8: if: avoid interface destroy race (authored by kp).
if: avoid interface destroy race
Fri, May 6, 11:56 AM
kp added a comment to D34704: if: avoid interface destroy race.
In D34704#786704, @zec wrote:

This change builds on top of if_index globalization (91f44749c6feb50f39af8805dd803e860f0418f1) which I strongly objected to, and which glebius agreed to back out as outlined in https://github.com/glebius/FreeBSD/commits/backout-ifindex, but that never happened. Hence, pls. don't proceed with this until if_index is reverted back to per-VNET state.

Fri, May 6, 10:49 AM

Thu, May 5

kp committed R10:27407a6adc79: pf: clear PF_TAG_DUMMYNET for dummynet fast path (authored by kp).
pf: clear PF_TAG_DUMMYNET for dummynet fast path
Thu, May 5, 8:17 AM

Wed, May 4

kp committed R10:03f6d8361af1: libpfctl: grow request buffer on ENOSPC (authored by kp).
libpfctl: grow request buffer on ENOSPC
Wed, May 4, 12:52 PM
kp committed R10:407f7397d69e: pfctl: fix recursive printing of rules (authored by Matteo Riondato <matteo@FreeBSD.org>).
pfctl: fix recursive printing of rules
Wed, May 4, 12:51 PM
kp committed R10:7f55abdaa92c: libpfctl: grow request buffer on ENOSPC (authored by kp).
libpfctl: grow request buffer on ENOSPC
Wed, May 4, 12:51 PM
kp committed R10:eed3a36c5475: pfctl: fix recursive printing of rules (authored by Matteo Riondato <matteo@FreeBSD.org>).
pfctl: fix recursive printing of rules
Wed, May 4, 12:51 PM

Fri, Apr 29

kp added inline comments to D34340: ovpn: Introduce OpenVPN DCO support.
Fri, Apr 29, 7:59 AM

Thu, Apr 28

kp requested review of D35091: if_ovpn: test timeout on clients.
Thu, Apr 28, 3:21 PM
kp updated the diff for D34340: ovpn: Introduce OpenVPN DCO support.

Update copyright.
Work started in 2021, so 2021-2022 is more appropriate.

Thu, Apr 28, 3:20 PM
kp updated the diff for D34340: ovpn: Introduce OpenVPN DCO support.

Clear checksum flags from the mbuf. We don't do any checksum verification, and
the checksum flags for the outer layer IP(v6)/tcp|udp packets are no longer
meaningful.

Thu, Apr 28, 12:26 PM

Wed, Apr 27

kp updated the diff for D34340: ovpn: Introduce OpenVPN DCO support.
  • Don't reset the timeout callout for every packet
  • Ensure softc and peer don't get deleted while crypto operations are running.
Wed, Apr 27, 3:07 PM
kp added inline comments to D35067: if_ovpn: basic test case.
Wed, Apr 27, 3:06 PM
kp updated the diff for D35067: if_ovpn: basic test case.

Long-lived keys

Wed, Apr 27, 3:05 PM
kp committed R10:a99ef04e0659: pf: counter argument to pfr_pool_get() may never be NULL (authored by kp).
pf: counter argument to pfr_pool_get() may never be NULL
Wed, Apr 27, 12:51 PM
kp committed R10:397ccb080dca: pf: remove pointless NULL check (authored by kp).
pf: remove pointless NULL check
Wed, Apr 27, 12:51 PM
kp committed R10:160e2dbfb48d: pfsync: NULL check before dereference (authored by kp).
pfsync: NULL check before dereference
Wed, Apr 27, 12:51 PM
kp committed R10:7dc9b36d44b0: callout: fix using shared rmlocks (authored by kp).
callout: fix using shared rmlocks
Wed, Apr 27, 12:51 PM
kp committed R10:a618bb0f676c: pf: counter argument to pfr_pool_get() may never be NULL (authored by kp).
pf: counter argument to pfr_pool_get() may never be NULL
Wed, Apr 27, 12:51 PM
kp committed R10:5bc3ab86d619: pf: remove pointless NULL check (authored by kp).
pf: remove pointless NULL check
Wed, Apr 27, 12:51 PM
kp committed R10:f3b722fed330: pfsync: NULL check before dereference (authored by kp).
pfsync: NULL check before dereference
Wed, Apr 27, 12:51 PM
kp committed R10:8bd26421b6b5: callout: fix using shared rmlocks (authored by kp).
callout: fix using shared rmlocks
Wed, Apr 27, 12:51 PM
kp added inline comments to D34340: ovpn: Introduce OpenVPN DCO support.
Wed, Apr 27, 7:13 AM

Tue, Apr 26

kp added inline comments to D34340: ovpn: Introduce OpenVPN DCO support.
Tue, Apr 26, 4:00 PM
kp added a comment to D34340: ovpn: Introduce OpenVPN DCO support.

I've posted a first simple test case in D35067.

Tue, Apr 26, 3:55 PM
kp updated the diff for D34340: ovpn: Introduce OpenVPN DCO support.

Review remarks

Tue, Apr 26, 3:55 PM
kp added inline comments to D34340: ovpn: Introduce OpenVPN DCO support.
Tue, Apr 26, 3:54 PM
kp requested review of D35067: if_ovpn: basic test case.
Tue, Apr 26, 3:53 PM
kp added a comment to D34340: ovpn: Introduce OpenVPN DCO support.

(In progress, I owe you a few more fixes.)

Tue, Apr 26, 2:21 PM
kp updated the diff for D34340: ovpn: Introduce OpenVPN DCO support.

Review remarks

Tue, Apr 26, 2:17 PM

Mon, Apr 25

kp updated the diff for D34340: ovpn: Introduce OpenVPN DCO support.
  • review remarks
Mon, Apr 25, 8:42 AM

Sat, Apr 23

kp committed R9:e165010632a4: Document __FreeBSD_version 1400057 (authored by kp).
Document __FreeBSD_version 1400057
Sat, Apr 23, 7:10 AM

Fri, Apr 22

kp committed R10:e68b35e40881: Bump __FreeBSD_version for udp_tun_func_t() prototype change (authored by kp).
Bump __FreeBSD_version for udp_tun_func_t() prototype change
Fri, Apr 22, 6:07 PM
kp added a comment to D34340: ovpn: Introduce OpenVPN DCO support.

Do you have some plan to add a man page and some regression tests in a follow up?

Fri, Apr 22, 5:58 PM
kp updated the diff for D34340: ovpn: Introduce OpenVPN DCO support.
  • review remarks
Fri, Apr 22, 5:56 PM
kp closed D34970: pf: Add per-rule timestamps for rule and eth_rule.
Fri, Apr 22, 5:55 PM
kp committed R10:0abcc1d2d33a: pf: Add per-rule timestamps for rule and eth_rule (authored by linnemannr_gmail.com).
pf: Add per-rule timestamps for rule and eth_rule
Fri, Apr 22, 5:55 PM
kp committed R10:797b94504f4f: udp6: allow udp_tun_func_t() to indicate it did not eat the packet (authored by kp).
udp6: allow udp_tun_func_t() to indicate it did not eat the packet
Fri, Apr 22, 3:10 PM
kp updated the diff for D34970: pf: Add per-rule timestamps for rule and eth_rule.
  • fix crash (The default rule V_pf_default_rule is initialised separately, and did not have timestamp allocated)
  • Only print the date, not the timestamp for users
  • If the rule was never hit show 'N/A'
Fri, Apr 22, 12:04 PM
kp commandeered D34970: pf: Add per-rule timestamps for rule and eth_rule.

I'm going to propose a tweaked version.

Fri, Apr 22, 12:00 PM

Thu, Apr 21

kp added inline comments to D34970: pf: Add per-rule timestamps for rule and eth_rule.
Thu, Apr 21, 8:38 PM
kp added inline comments to D34970: pf: Add per-rule timestamps for rule and eth_rule.
Thu, Apr 21, 7:54 PM
kp added a comment to D34340: ovpn: Introduce OpenVPN DCO support.

For those following along at home, this is getting pretty close to done, so if you want to review it now is a good time. It's probably going to land soon.

Thu, Apr 21, 6:05 PM
kp committed R10:efc64d02a62f: pf: counter argument to pfr_pool_get() may never be NULL (authored by kp).
pf: counter argument to pfr_pool_get() may never be NULL
Thu, Apr 21, 4:18 PM
kp committed R10:430203506351: pfsync: NULL check before dereference (authored by kp).
pfsync: NULL check before dereference
Thu, Apr 21, 4:17 PM
kp committed R10:ed6287c14168: pf: remove pointless NULL check (authored by kp).
pf: remove pointless NULL check
Thu, Apr 21, 4:17 PM
kp added a comment to D29554: pf: change pf_route so pf only runs when packets enter and leave the stack..

Thanks for your fast reply. It might be a bug fix, but it's also a breaking change ;-). What would you recommend to simulate this behavior as we can't use "route-to" anymore (because it doesn't create the correct state)?

Thu, Apr 21, 3:10 PM
kp added a comment to D29554: pf: change pf_route so pf only runs when packets enter and leave the stack..

Hey @kp
We've recently upgraded from FBSD 12.2 to FBSD 12.3, which contains this change. First of all: This was a breaking change for us and our rulesets didn't work anymore like before. This took us multiple hours of debugging to find the reason why. We then finally found out, that the problem is with all rules where we use route-to. Which then finally led us to this commit. After that we've found the following discussion on the mailing list: https://groups.google.com/g/bsdmailinglist/c/uMusHsnkY5s
For us it's not understandable and quite frustrating that a breaking change doesn't get announced in the relnotes or at least in the UPDATING file.

Now to the problem we have: We run pf in "block all" mode. We have an IPsec VPN (StrongSwan) that receives pakets via enc0 and pf passes them in and add's a tag (DCOUT) on the packet. Then the packet would go out on lagg0.100 but get's rerouted to lagg0.200 via a pass out rule with route-to. The route-to rule contains "flags any no state", so we do not interfere with the state table. As the last rule we have a "pass out on lagg0.200 all tagged DCOUT" which creates the correct state and passes out the paket. Due to the new behavior due to that change the last rule isn't matched anymore and the state is never setup correctly, which leds to the answer pakets being blocked by the default "block all" ruleset. Our question now is: How we can we restore the old behavior - without patching our FBSD base with reverting the change - without having to rework the whole ruleset?

Thanks and looking forward for you reply.

Thu, Apr 21, 11:55 AM
kp committed R10:c90f8cb899a7: pfctl tests: fix Ethernet output expectations (authored by kp).
pfctl tests: fix Ethernet output expectations
Thu, Apr 21, 8:26 AM
kp updated the diff for D34340: ovpn: Introduce OpenVPN DCO support.
  • fix send_ping, where we can't do a route lookup, because it's not an IP packet. Send directly to the correct peer.
  • Don't bring the link down when the last peer disconnects
  • fully remove peers when they time out, don't only notify userspace about it
  • cope with not having keys, which can happen if userspace decides to delete them
Thu, Apr 21, 8:01 AM

Wed, Apr 20

kp added inline comments to D34970: pf: Add per-rule timestamps for rule and eth_rule.
Wed, Apr 20, 4:22 PM
kp committed R10:a879e40ca2a9: callout: fix using shared rmlocks (authored by kp).
callout: fix using shared rmlocks
Wed, Apr 20, 11:18 AM
kp closed D34959: callout: fix using shared rmlocks.
Wed, Apr 20, 11:18 AM
kp closed D34918: pfctl: always print 'l3' source/destination.
Wed, Apr 20, 11:07 AM
kp committed R10:a16732d670fa: pfctl: always print 'l3' source/destination (authored by kp).
pfctl: always print 'l3' source/destination
Wed, Apr 20, 11:06 AM
kp closed D34917: pf: allow the use of tables in ethernet rules.
Wed, Apr 20, 11:06 AM
kp committed R10:812839e5aaaf: pf: allow the use of tables in ethernet rules (authored by kp).
pf: allow the use of tables in ethernet rules
Wed, Apr 20, 11:06 AM
kp closed D34908: libpfctl: grow request buffer on ENOSPC.
Wed, Apr 20, 9:43 AM
kp committed R10:7ed19f5c7780: libpfctl: grow request buffer on ENOSPC (authored by kp).
libpfctl: grow request buffer on ENOSPC
Wed, Apr 20, 9:43 AM
kp added a reviewer for D34970: pf: Add per-rule timestamps for rule and eth_rule: pfsense.
Wed, Apr 20, 9:11 AM