Page MenuHomeFreeBSD

kp (Kristof Provost)
Troubleshooter

Projects (6)

User Details

User Since
Sep 28 2014, 7:22 PM (532 w, 5 d)

Recent Activity

Mon, Dec 9

kp added a comment to D47953: pf: Force logging if pf_create_state() fails.

Does this need an MFC tag too?

Mon, Dec 9, 10:25 AM
kp committed rG5b59b0c61e29: pfctl: add -T `reset` to touch pfras_tzero only for non-zero entries (authored by Leonid Evdokimov <leon+freebsd@darkk.net.ru>).
pfctl: add -T `reset` to touch pfras_tzero only for non-zero entries
Mon, Dec 9, 9:40 AM

Wed, Dec 4

kp accepted D47906: pf: Don't pfsync states with unrecoverable routing information.

LGTM. Approved regardless of how you choose to deal with the remarks I've raised.

Wed, Dec 4, 10:53 PM
kp committed rGf966ef3a6770: pf: fold if (s != NULL) and if (s) into one block (authored by kp).
pf: fold if (s != NULL) and if (s) into one block
Wed, Dec 4, 1:23 PM

Tue, Dec 3

kp committed rGc22c98798456: pf: fix potential NULL dereference in SCTP multihome handling (authored by kp).
pf: fix potential NULL dereference in SCTP multihome handling
Tue, Dec 3, 7:29 PM
kp committed rGdaad0b650135: LINT: Remove DTrace support, but leave the commented out option (authored by kp).
LINT: Remove DTrace support, but leave the commented out option
Tue, Dec 3, 4:03 PM

Mon, Dec 2

kp committed rG2f915345634e: LINT: Remove DTrace support (authored by kp).
LINT: Remove DTrace support
Mon, Dec 2, 7:39 PM
kp committed rG928864a93594: fix build with LOCK_PROFILING but without KDTRACE_HOOKS (authored by kp).
fix build with LOCK_PROFILING but without KDTRACE_HOOKS
Mon, Dec 2, 7:39 PM
kp closed D47821: LINT: Remove DTrace support.
Mon, Dec 2, 7:39 PM
kp closed D47822: fix build with LOCK_PROFILING but without KDTRACE_HOOKS.
Mon, Dec 2, 7:39 PM

Fri, Nov 29

kp added inline comments to D47822: fix build with LOCK_PROFILING but without KDTRACE_HOOKS.
Fri, Nov 29, 5:36 PM
kp accepted D47827: Draft: pf: Move route-to information to pf_rule_actions.

Approved.

Fri, Nov 29, 1:39 PM
kp updated the diff for D47822: fix build with LOCK_PROFILING but without KDTRACE_HOOKS.

Review remarks

Fri, Nov 29, 12:59 PM
kp accepted D47827: Draft: pf: Move route-to information to pf_rule_actions.

Approved (without the 'draft' in the commit header line, of course).

Fri, Nov 29, 12:38 PM

Thu, Nov 28

kp updated the diff for D47822: fix build with LOCK_PROFILING but without KDTRACE_HOOKS.

review remarks

Thu, Nov 28, 5:22 PM
kp added a comment to D47827: Draft: pf: Move route-to information to pf_rule_actions.

I need to have a closer look again tomorrow, but this looks like a good idea.
It expects to be applied on top of D47770, right?

Thu, Nov 28, 4:24 PM
kp updated the diff for D47783: pf: partially import OpenBSD's NAT rewrite.

rename PF_RT_RPOOL/PF_RT_NAT

Thu, Nov 28, 3:54 PM
kp accepted D47770: pf: Fix source node locking.

Still approved :)

Thu, Nov 28, 3:48 PM
kp added a comment to D47106: add TH_AE capabilities to ppp and pf.

@kp can you please review the PF-related changes in this Diff?

Thu, Nov 28, 3:47 PM
kp accepted D47770: pf: Fix source node locking.

Approved.

Thu, Nov 28, 2:15 PM
kp added inline comments to D47822: fix build with LOCK_PROFILING but without KDTRACE_HOOKS.
Thu, Nov 28, 1:55 PM
kp added inline comments to D47783: pf: partially import OpenBSD's NAT rewrite.
Thu, Nov 28, 10:26 AM
kp added inline comments to D47788: pf: extra route lookup in pf_route(6)().
Thu, Nov 28, 9:33 AM
kp added inline comments to D47783: pf: partially import OpenBSD's NAT rewrite.
Thu, Nov 28, 8:01 AM
kp added inline comments to D47788: pf: extra route lookup in pf_route(6)().
Thu, Nov 28, 7:56 AM

Wed, Nov 27

kp added a reviewer for D47821: LINT: Remove DTrace support: DTrace.
Wed, Nov 27, 8:40 PM
kp requested review of D47822: fix build with LOCK_PROFILING but without KDTRACE_HOOKS.
Wed, Nov 27, 8:39 PM
kp requested review of D47821: LINT: Remove DTrace support.
Wed, Nov 27, 8:38 PM
kp requested review of D47803: pf: update pd->tot_len after reassembly.
Wed, Nov 27, 4:44 PM
kp requested review of D47805: pf tests: check packet reassembly with nat64.
Wed, Nov 27, 4:44 PM
kp requested review of D47804: pf: handle fragmentation for nat64.
Wed, Nov 27, 4:44 PM
kp requested review of D47802: pf tests: verify that we preserve the hop limit/TTL for ICMP errors.
Wed, Nov 27, 4:44 PM
kp requested review of D47799: pf: add forgotten fixup for icmp6 id's when translating.
Wed, Nov 27, 4:44 PM
kp requested review of D47801: pf: fix if-bound with nat64.
Wed, Nov 27, 4:44 PM
kp requested review of D47800: pfctl: print_rule: rename opts -> ropts.
Wed, Nov 27, 4:43 PM
kp requested review of D47798: pf tests: verify that ICMP destination unreachable makes it through NAT64.
Wed, Nov 27, 4:43 PM
kp requested review of D47795: pfctl: basic nat64 parser test.
Wed, Nov 27, 4:43 PM
kp requested review of D47797: pf tests: verify that ICMP port unreachable makes it through NAT64.
Wed, Nov 27, 4:43 PM
kp requested review of D47796: pf tests: verify that TCP RST makes it through NAT64.
Wed, Nov 27, 4:43 PM
kp requested review of D47794: pf tests: add an SCTP test case for nat64.
Wed, Nov 27, 4:43 PM
kp requested review of D47793: pf tests: add a UDP test case for nat64.
Wed, Nov 27, 4:42 PM
kp requested review of D47792: pf tests: add a TCP test case for nat64.
Wed, Nov 27, 4:42 PM
kp requested review of D47791: pf tests: basic nat64 test case.
Wed, Nov 27, 4:42 PM
kp requested review of D47790: pfctl: change for af-to / NAT64 support..
Wed, Nov 27, 4:42 PM
kp requested review of D47789: pf: support nat64 for SCTP.
Wed, Nov 27, 4:42 PM
kp requested review of D47788: pf: extra route lookup in pf_route(6)().
Wed, Nov 27, 4:42 PM
kp requested review of D47787: pf: fix state export in the face of NAT64.
Wed, Nov 27, 4:41 PM
kp requested review of D47786: pf: nat64.
Wed, Nov 27, 4:41 PM
kp requested review of D47785: in: add in_mask2len().
Wed, Nov 27, 4:41 PM
kp requested review of D47784: pf: add post-NAT src/dst address/port to pf_pdesc.
Wed, Nov 27, 4:41 PM
kp requested review of D47783: pf: partially import OpenBSD's NAT rewrite.
Wed, Nov 27, 4:41 PM
kp committed rG93c80b79ad65: pf: fix potential state key leak (authored by kp).
pf: fix potential state key leak
Wed, Nov 27, 1:25 PM
kp committed rGb4b2e420195a: pf: fix potential state key leak (authored by kp).
pf: fix potential state key leak
Wed, Nov 27, 1:25 PM
kp added a comment to D47770: pf: Fix source node locking.

Okay, mostly cosmetic issues. I'd like to give Tom a chance to comment on the udp endpoint thing too, but we can fix the open remarks while we wait for that.

Wed, Nov 27, 1:06 PM
kp added inline comments to D47770: pf: Fix source node locking.
Wed, Nov 27, 10:56 AM
kp added a comment to D47777: pf: NAT rule logs its own NAT action, not PF_PASS.

I changed the summary.

Please do try to *explain* the problem. "Fixes a regression" does not do this.

Wed, Nov 27, 10:33 AM
kp added a comment to D47658: pf: prevent SCTP-based NULL dereference in pfi_kkif_match().
In D47658#1086724, @kp wrote:

The entire backtrace would have been nice.

Just let me know what you need? Just "bt" or more?

Let's start with the full backtrace, yes.

Wed, Nov 27, 10:32 AM
kp added a comment to D47777: pf: NAT rule logs its own NAT action, not PF_PASS.

D47658 is on hold as I struggle to understand why the code discussed there is not covered by existing tests and how to actually trigger it (it should easily panic after all but the code is never hit).

Wed, Nov 27, 10:21 AM
kp added a comment to D47777: pf: NAT rule logs its own NAT action, not PF_PASS.

Shall we finish D47658 before we move on to other issues?

Wed, Nov 27, 9:43 AM

Tue, Nov 26

kp updated subscribers of D47770: pf: Fix source node locking.
Tue, Nov 26, 7:10 PM
kp accepted D47758: pf: Use a single pointer to state in pf_src_connlimit().

Approved.

Tue, Nov 26, 5:23 PM
kp committed rG56b7685ae328: pf: handle IPv6 fragmentation for route-to (authored by kp).
pf: handle IPv6 fragmentation for route-to
Tue, Nov 26, 2:08 PM
kp closed D47684: pf: handle IPv6 fragmentation for route-to.
Tue, Nov 26, 2:08 PM

Sun, Nov 24

kp committed rGa46c121db4a5: netpfil tests: make dummynet tests more robust (authored by kp).
netpfil tests: make dummynet tests more robust
Sun, Nov 24, 8:35 AM

Fri, Nov 22

kp committed rGe0bf7bc3b2ba: pf: reduce indentation level in pf_dummynet_route() (authored by kp).
pf: reduce indentation level in pf_dummynet_route()
Fri, Nov 22, 11:34 PM
kp updated the diff for D47684: pf: handle IPv6 fragmentation for route-to.

Change the approach. Tell pf_refragment6() what interface to use. If unspecified
fall back to the previous ip6_forward/ip6_output calls.
This is basically the same approach OpenBSD took for this issue, and it's a
smaller change than splitting pf_refragment6() into two functions.

Fri, Nov 22, 5:02 PM
kp accepted D47697: pf: Set cleared time when zeroing stats for table addresses.

I'd love to see https://cgit.freebsd.org/src/tree/tests/sys/netpfil/pf/table.sh#n119 extended to also check for this.

Fri, Nov 22, 12:27 PM
kp committed rG6463b6b59152: pfctl: clear statistic for specified addresses (authored by kp).
pfctl: clear statistic for specified addresses
Fri, Nov 22, 12:27 PM

Thu, Nov 21

kp added a comment to D47698: pfctl: clear statistic for the address.

I have the same patch (along with a test case) running a final test build now.

Thu, Nov 21, 10:28 PM

Wed, Nov 20

kp committed rGe27970ae8fff: netinet: handle blackhole routes (authored by kp).
netinet: handle blackhole routes
Wed, Nov 20, 5:01 PM
kp closed D47529: netinet: handle blackhole routes.
Wed, Nov 20, 5:01 PM
kp requested review of D47684: pf: handle IPv6 fragmentation for route-to.
Wed, Nov 20, 4:16 PM
kp committed rG4b65481ac68a: pf: fix build without DTrace (authored by kp).
pf: fix build without DTrace
Wed, Nov 20, 1:23 PM
kp committed rG81f7ad324dd0: pf: add missing unlock (authored by kp).
pf: add missing unlock
Wed, Nov 20, 12:36 PM
kp accepted D47321: pf: Fix timestamps and connection rate in source node export.

Same deal as D47679, send me the format-patch. Probably the last ones we'll do this dance for.

Wed, Nov 20, 9:15 AM
kp committed rG438ca68cef3c: netinet: default mib counter probe points off (authored by kp).
netinet: default mib counter probe points off
Wed, Nov 20, 9:10 AM
kp closed D47657: netinet: default mib counter probe points off.
Wed, Nov 20, 9:10 AM
kp added a comment to D47321: pf: Fix timestamps and connection rate in source node export.

This code suffers from very old OpenBSD idea of (ab)using the same data structure for in-kernel storage and communication with userspace over ioctl.

Wed, Nov 20, 9:07 AM
kp added a comment to D47679: pf: Fix timestamps and connection rate in source node export to userspace.

More a note to self: looking at structure pf_src_node, the only other field we don't set is *kif, but given that it's a pointer that's not really something we can do in the ioctl. I'll make a note of it to revisit this once the netlink migration is complete. We ought to be able to return the interface name then.

Wed, Nov 20, 9:02 AM
kp accepted D47679: pf: Fix timestamps and connection rate in source node export to userspace.

Good catch. Given that it also needs to be fixed on stable/14 you should add an 'MFC after' tag to the commit message.

Wed, Nov 20, 8:59 AM

Tue, Nov 19

kp added a reviewer for D47668: jail: Add meta and env parameters: Jails.
Tue, Nov 19, 10:44 AM

Mon, Nov 18

kp added a comment to D47658: pf: prevent SCTP-based NULL dereference in pfi_kkif_match().

Sure. For context:

<snip>
The entire backtrace would have been nice.
Still, that's not the most important thing right now. Concentrate on the test case, which will mean we can trivially reproduce backtraces and we can circle back to improving the commit message once we have both the test case and an actual fix.

Mon, Nov 18, 6:04 PM
kp committed rG5eee34fa0351: pf tests: check counters on anchors (authored by kp).
pf tests: check counters on anchors
Mon, Nov 18, 5:59 PM
kp closed D47545: pf: clean up pflow sockets on jail removal.
Mon, Nov 18, 11:23 AM
kp committed rG83641335f96c: pf: clean up pflow sockets on jail removal (authored by kp).
pf: clean up pflow sockets on jail removal
Mon, Nov 18, 11:23 AM
kp added a comment to D47658: pf: prevent SCTP-based NULL dereference in pfi_kkif_match().

The backtrace appears to have gotten mangled here.
Also, a gdb backtrace would be more useful as it'll decode to line numbers rather than to addresses.

Mon, Nov 18, 10:26 AM
kp abandoned D46809: pf: start using ip_af_t.
Mon, Nov 18, 10:08 AM
kp abandoned D46683: Introduce ip_af_t.
Mon, Nov 18, 10:08 AM
kp requested review of D47657: netinet: default mib counter probe points off.
Mon, Nov 18, 9:47 AM
kp added a comment to D47543: pf: close nc file descriptors in killstates test.

So regardless of why I already stated this is a technical issue that is by no means "pointless", what do you suggest to improve this particular test to make it more robust? Uncontrolled creation of processes that inherit file descriptors isn't exactly clean design but I can see why you do not want to apply this mere bandaid with that larger issue at hand. I'm happy to do the work since a lot of people were asking for test cases and here I am offering work on test cases to get started. :)

As for wider discussions about how to test let's just focus on this particular test case. Kyua is not a magic remedy for the problems the testing framework has like a lack of test coverage e.g. in the pflog department. Running atf-sh as "unsupported" and having a test pass just fine is no reason to not pursue this, especially since it says "you may get unexpected failures" and we talk about a passing test case. I appreciate the heads up but I still believe allowing test to run in a zero-config fashion from any running system is an actual benefit to the problem of not having enough people work on test cases. It really does not matter how you might see it differently because the test case needs work first.

Mon, Nov 18, 9:02 AM
kp added inline comments to D47529: netinet: handle blackhole routes.
Mon, Nov 18, 8:48 AM

Fri, Nov 15

kp updated the diff for D47529: netinet: handle blackhole routes.

Update the counter in ip_forward(), so we only set 'cantroute' in the forwarding case.
Extend the tests to test both slow and fast path forwarding.

Fri, Nov 15, 4:20 PM

Thu, Nov 14

kp added a comment to D47543: pf: close nc file descriptors in killstates test.

Thanks, just to be clear you imply the change is wrong even though the test still works?

Thu, Nov 14, 5:52 PM
kp added a comment to D47543: pf: close nc file descriptors in killstates test.

Consider running tests from the src tree using atf-sh (I'm using devel/atf but the base one also works with the full path I think):

sh -c 'echo $(atf-sh /usr/src/tests/sys/netpfil/pf/killstate.sh match)'

This hangs until you kill the stray nc processes. It works fine for the build of tests where nothing is forked into the background which seems to be the general issue. Another way would be to kill the nc processes when the test body ends (not in the cleanup as that would still cause it to hang), but a single line approach is likely easier although if you run the test a number of times these processes just keep building up in the system. I'm happy to improve this in any other way.

That's kind of expected to not work. We don't run tests that way. We always run them via kyua because it does a lot of setup work for us. This starts the process midway, and stops before it's entirely done.

Thu, Nov 14, 4:15 PM
kp added inline comments to D47529: netinet: handle blackhole routes.
Thu, Nov 14, 3:03 PM

Nov 13 2024

kp committed rGac5e30a8073f: pf: add probe points to pf_route(6)() (authored by kp).
pf: add probe points to pf_route(6)()
Nov 13 2024, 8:32 PM
kp requested review of D47545: pf: clean up pflow sockets on jail removal.
Nov 13 2024, 8:29 PM
kp added a comment to D47543: pf: close nc file descriptors in killstates test.

What do you mean by "On an atf-sh script capture"?

Nov 13 2024, 8:19 PM
kp closed D47495: pf: fix potential state key leak.
Nov 13 2024, 10:36 AM
kp committed rG3b337076ba61: pf: remove stale no_df tests from fragemtation_*.sh (authored by franco_opnsense.org).
pf: remove stale no_df tests from fragemtation_*.sh
Nov 13 2024, 10:35 AM