kristof (Kristof Provost)
User

User Details

User Since
Sep 28 2014, 7:22 PM (194 w, 6 d)

Recent Activity

Wed, Jun 20

kristof added a comment to D15922: Added ssid values to render UTF-8 encoded characters in ifconfig(8).

I'm not sure if I object to this change or not, but it's worth noting that SSIDs are not necessarily UTF-8 strings. Unless the SSIDEncoding is set it is 0-32 octets. Having 0 bytes in the middle of the SSID is valid (though I'd be very surprised if that actually worked on more than a handful of devices). If SSIDEncoding is set it is indeed a UTF-8 string.
For additional fun Microsoft got this wrong and several Windows versions interpret the SSID as being Latin1 encoded.

Wed, Jun 20, 8:17 AM

Sat, Jun 9

kristof added a comment to D14536: Set DSCP bits in ip_carp.

I'd prefer the sysctl to reject values that are out of range.
What do you think about this: https://people.freebsd.org/~kp/patches/D14536.patch ?

Sat, Jun 9, 8:31 PM · network

May 20 2018

kristof added a comment to D15502: pf: Replace rwlock on PF_RULES_LOCK with rmlock.

Looks good at first glance.
I like the move of the sys/rmlock.h include into pfvar.h, so the header becomes more self-contained (i.e. you don't need extra includes to make your include of pfvar.h work). I'm running test builds for that, because I thought it broke when I tried. Perhaps I messed something else up though.

May 20 2018, 4:20 PM

Apr 11 2018

kristof added a comment to D14536: Set DSCP bits in ip_carp.

Sorry I thought I had already replied to this. I have issues with keeping that as the default value as it has been deprecated since 1998. As such it's not really a sane default and not compatible with much modern routing gear. The setting I choose comes directly out of the RFC for this type of traffic.

Well, as I said, I have no views on what the value should be. I defaulted to keeping the old value, but if you've got a good reason to change it that's fine by me.

Apr 11 2018, 3:22 PM · network

Apr 9 2018

kristof added a comment to D15018: pf: Limit ioctl to a reasonable and tuneable number of elements.
In D15018#316088, @cem wrote:

Looks good in general. It seems that some cases use WOULD_OVERFLOW as a secondary check and some don't. Is there any reason for that?

Good catch, I missed it in the first two cases because that used to be a fixed 65k value. Now that it's user configurable it needs the check too.

Apr 9 2018, 7:42 AM
kristof updated the diff for D15018: pf: Limit ioctl to a reasonable and tuneable number of elements.

Fix static / extern mismatch

Apr 9 2018, 7:40 AM
kristof updated the diff for D15018: pf: Limit ioctl to a reasonable and tuneable number of elements.

Add missing WOULD_OVERFLOW checks.

Apr 9 2018, 7:39 AM

Apr 8 2018

kristof created D15018: pf: Limit ioctl to a reasonable and tuneable number of elements.
Apr 8 2018, 9:08 PM

Apr 6 2018

kristof abandoned D14860: pf: Improve ioctl validation for DIOCRADDTABLES and DIOCRDELTABLES.

Committed as r332101

Apr 6 2018, 3:07 PM
kristof abandoned D14861: pf tests: Basic ioctl validation tests.

Committed as r332102

Apr 6 2018, 3:07 PM

Apr 1 2018

kristof added a comment to D14920: Fix locking for the bpf TX path.

What problem does this fix?

Apr 1 2018, 7:44 PM

Mar 26 2018

kristof added a dependent revision for D14860: pf: Improve ioctl validation for DIOCRADDTABLES and DIOCRDELTABLES: D14861: pf tests: Basic ioctl validation tests.
Mar 26 2018, 9:52 PM
kristof added a dependency for D14861: pf tests: Basic ioctl validation tests: D14860: pf: Improve ioctl validation for DIOCRADDTABLES and DIOCRDELTABLES.
Mar 26 2018, 9:52 PM
kristof created D14861: pf tests: Basic ioctl validation tests.
Mar 26 2018, 9:51 PM
kristof created D14860: pf: Improve ioctl validation for DIOCRADDTABLES and DIOCRDELTABLES.
Mar 26 2018, 9:50 PM

Mar 19 2018

kristof updated the diff for D13715: netpfil: Introduce PFIL_FWD flag.

Keep the old hooks so other pfil users don't need to change. Allow pf to use the new style of hook, with the flags argument.

Mar 19 2018, 9:12 AM · network

Mar 18 2018

kristof accepted D14726: Convert bpf(9) counters to counter(9)..

Looks sane to me.

Mar 18 2018, 11:23 AM

Mar 16 2018

kristof added inline comments to D14710: Show SSID maximum string length in ifconfig scan.
Mar 16 2018, 2:22 PM
kristof added inline comments to D14710: Show SSID maximum string length in ifconfig scan.
Mar 16 2018, 2:21 PM

Mar 6 2018

kristof accepted D14593: Define ethernet type 0x88A8 as ETHERTYPE_QINQ.
Mar 6 2018, 11:48 AM

Mar 3 2018

kristof added a reviewer for D14536: Set DSCP bits in ip_carp: glebius.

I have no specific views on what the value should be. The remark mostly comes from the desire to avoid having the kernel enforce policy. It's only a small extra step here for more flexibility.
I think I'd make net.inet.carp.dscp be an integer, with a default value of (the value of) IPTOS_LOWDELAY.

Mar 3 2018, 9:46 AM · network

Mar 2 2018

kristof added a comment to D14536: Set DSCP bits in ip_carp.

Would it make sense to set the DSCP value to the value configured in 'net.inet.carp.dscp' rather than a hardcoded value?

Mar 2 2018, 2:37 PM · network

Feb 3 2018

kristof accepted D14158: Rework ip6_get_prevhdr() to be able use it safely .
Feb 3 2018, 11:23 PM

Feb 2 2018

kristof added a comment to D11137: PF: implement RFC 4787 REQ 1 and 3 (full cone NAT).

Any news about pushing this change to head?

Feb 2 2018, 1:41 PM

Jan 31 2018

kristof added a comment to D13715: netpfil: Introduce PFIL_FWD flag.
In D13715#296796, @ae wrote:

I think someone from pfSense or OPNsense already reworked PF to work "inplace" like ipfw does, i.e. it returns mbuf back to the function from where pfil was invoked.

Jan 31 2018, 10:36 PM · network
kristof added a comment to D13715: netpfil: Introduce PFIL_FWD flag.
In D13715#296702, @eri wrote:
In D13715#295449, @eri wrote:

While i have not much time lately to spend on this, i still think this is the wrong way of doing things since it just creates confusion.

I'm not sure I see how this would create confusion. This merely presents more information about the packet, and where the netpfil hook is being called from.

pf(4) already has a loop detection mechanism that i created to support divert(9) and dummynet(9), not sure if the latter ever made it into FreeBSD.

Now I'm confused. This isn't about loop detection. This is about detecting if a PFIL_OUT packet is being forwarded or output.

Jan 31 2018, 5:58 AM · network

Jan 27 2018

kristof accepted D14083: pfctl(8): Fix two wrong conditions..

Good catch.

Jan 27 2018, 10:46 PM
kristof added a comment to D13715: netpfil: Introduce PFIL_FWD flag.
In D13715#295449, @eri wrote:

While i have not much time lately to spend on this, i still think this is the wrong way of doing things since it just creates confusion.

I'm not sure I see how this would create confusion. This merely presents more information about the packet, and where the netpfil hook is being called from.

Jan 27 2018, 5:14 AM · network

Jan 26 2018

kristof updated the diff for D13715: netpfil: Introduce PFIL_FWD flag.

Based around a suggestion from Kyle Evans (who also did all of the work), introduce a flags variable to the pfil callbacks. Keep using PFIL_OUT for forwarded packets, but set the PFIL_FWD flag for them. This allows pf to work out if a packet is being forwarded or not, with essentially no changes to other netpfil consumers.

Jan 26 2018, 12:51 AM · network
kristof accepted D14051: Remove K&R stuff: never use it in new code..
Jan 26 2018, 12:00 AM

Jan 11 2018

kristof added a comment to D13766: Introduce mallocarray() in the kernel.
In D13766#290617, @erj wrote:

Is this going to be MFC'd into stable/10 and/or stable/11?

Jan 11 2018, 10:11 PM

Jan 10 2018

kristof accepted D13834: Make use of mallocarray in sys/netpfil/ipfw.

ae@ is probably the best person to talk to about ipfw, so you may want to cc him too.

Jan 10 2018, 8:40 PM

Jan 6 2018

kristof added a comment to D13715: netpfil: Introduce PFIL_FWD flag.
In D13715#288702, @eri wrote:

While this is needed i do not agree that the modifications on the stack and packet filters should be so hackish.

Jan 6 2018, 8:20 PM · network
kristof updated the diff for D13715: netpfil: Introduce PFIL_FWD flag.

More context. No changes to the diff.

Jan 6 2018, 8:17 PM · network
kristof updated the diff for D13766: Introduce mallocarray() in the kernel.

Use the OpenBSD mallocarray implementation.

Jan 6 2018, 3:11 PM
kristof updated the diff for D13766: Introduce mallocarray() in the kernel.

Add __alloc_size attributes.

Jan 6 2018, 10:48 AM
kristof added inline comments to D13766: Introduce mallocarray() in the kernel.
Jan 6 2018, 10:34 AM

Jan 4 2018

kristof updated the diff for D13766: Introduce mallocarray() in the kernel.

Update malloc.9 man page.

Jan 4 2018, 8:50 PM
kristof added inline comments to D13766: Introduce mallocarray() in the kernel.
Jan 4 2018, 4:38 PM
kristof added a comment to D13766: Introduce mallocarray() in the kernel.

I have to admit I initially wanted to call it calloc(), but it turns out ZFS already has calloc(size_t, size_t) in sys/cddl/compat/opensolaris/sys/kmem.h, so that failed to build.

Jan 4 2018, 4:34 PM
kristof updated the diff for D13766: Introduce mallocarray() in the kernel.

Removed incorrect __alloc_size attribute.

Jan 4 2018, 1:18 PM
kristof created D13766: Introduce mallocarray() in the kernel.
Jan 4 2018, 1:08 PM

Dec 31 2017

kristof created D13715: netpfil: Introduce PFIL_FWD flag.
Dec 31 2017, 4:38 PM · network

Nov 30 2017

kristof added a comment to D13017: Add IPSec tests in tunnel mode.
aes_cbc_128_hmac_sha1:v4  ->  passed  [1.642s]
aes_cbc_128_hmac_sha1:v6  ->  passed  [1.619s]
aes_cbc_256_hmac_sha2_256:v4  ->  passed  [1.617s]
aes_cbc_256_hmac_sha2_256:v6  ->  passed  [1.680s]
aes_gcm_128:v4  ->  passed  [1.605s]
aes_gcm_128:v6  ->  passed  [1.616s]
aes_gcm_256:v4  ->  passed  [1.844s]
aes_gcm_256:v6  ->  passed  [1.793s]
aesni_aes_cbc_128_hmac_sha1:v4  ->  passed  [1.579s]
aesni_aes_cbc_128_hmac_sha1:v6  ->  passed  [1.742s]
aesni_aes_cbc_256_hmac_sha2_256:v4  ->  passed  [1.601s]
aesni_aes_cbc_256_hmac_sha2_256:v6  ->  passed  [1.611s]
aesni_aes_gcm_128:v4  ->  passed  [1.602s]
aesni_aes_gcm_128:v6  ->  expected_failure: PR 201447: atf-check failed; see the output of the test for details  [12.928s]
aesni_aes_gcm_256:v4  ->  passed  [1.835s]
aesni_aes_gcm_256:v6  ->  expected_failure: PR 201447: atf-check failed; see the output of the test for details  [12.773s]
empty:v4  ->  passed  [1.577s]
empty:v6  ->  passed  [1.593s]
Nov 30 2017, 4:01 PM

Nov 28 2017

kristof added a comment to D13017: Add IPSec tests in tunnel mode.

I'll try again once I see a commit go by that looks like it'd fix that. Do feel free to remind me if I manage to miss it (or forget).

Nov 28 2017, 4:56 PM
kristof added a comment to D13017: Add IPSec tests in tunnel mode.

It looks like something's still wrong:

Nov 28 2017, 11:28 AM

Nov 22 2017

kristof added a comment to D13017: Add IPSec tests in tunnel mode.

Well, I suppose this is good, in that it shows why these tests are useful:

Nov 22 2017, 10:12 PM

Nov 18 2017

kristof added inline comments to D13017: Add IPSec tests in tunnel mode.
Nov 18 2017, 10:21 AM

Nov 11 2017

kristof added a comment to D13017: Add IPSec tests in tunnel mode.

Oh, also: if some of the tests are known to fail we should mark them as such until the issue is fixed.
See 'atf_expect_fail'

Nov 11 2017, 1:56 AM
kristof added a comment to D13017: Add IPSec tests in tunnel mode.

How to add the case of with and without AESNI without rewriting all these tests?

Nov 11 2017, 1:47 AM

Nov 3 2017

kristof added a comment to D12747: loopback route needs RTF_PINNED flag.

I suspect this will also address PR 222647.

Nov 3 2017, 10:22 PM

Oct 25 2017

kristof updated the diff for D12779: Evaluate packet size after the firewall had its chance in the ip6 fast path.
Oct 25 2017, 10:53 AM
kristof added inline comments to D12779: Evaluate packet size after the firewall had its chance in the ip6 fast path.
Oct 25 2017, 8:38 AM

Oct 24 2017

kristof created D12779: Evaluate packet size after the firewall had its chance in the ip6 fast path.
Oct 24 2017, 7:50 PM

Oct 23 2017

kristof added a comment to D12771: epair: Fix panic on unload.

This is similar to how I fixed this problem for pf.

Oct 23 2017, 8:31 PM
kristof created D12771: epair: Fix panic on unload.
Oct 23 2017, 8:29 PM

Oct 14 2017

kristof added a comment to D12639: Enable VIMAGE by default.

Similar results for v6:

Oct 14 2017, 1:40 PM
kristof added a comment to D12639: Enable VIMAGE by default.

With a larger file (102400 bytes) the difference indeed shrinks:

Oct 14 2017, 12:38 PM
kristof added a comment to D12639: Enable VIMAGE by default.

I found some crusty old hardware to run a test on. This is nginx serving its default index page (612 bytes of data).
Test client is wrk. I played around with the number of connections and threads briefly, but didn't see a major difference (in the non-vimage performance, I've not compared vimage there).

Oct 14 2017, 10:11 AM

Oct 12 2017

kristof added a comment to D12639: Enable VIMAGE by default.
In D12639#262598, @bz wrote:

@jtl I am not aware of anyone having done an end-host, e.g., webserver kind of performance measurement. No one wanted to volunteer so far.

Oct 12 2017, 12:19 PM

Oct 11 2017

kristof accepted D12639: Enable VIMAGE by default.

Thumbs up. Let's do this.

Oct 11 2017, 9:31 PM

Oct 6 2017

kristof updated the diff for D12580: pf: Basic automated test using VIMAGE.

Sorry, I missed that remark.

Oct 6 2017, 7:36 PM
kristof updated the diff for D12581: pf: Very basic forwarding test.
Oct 6 2017, 6:50 PM

Oct 5 2017

kristof updated the diff for D12581: pf: Very basic forwarding test.
Oct 5 2017, 6:10 PM
kristof added inline comments to D12580: pf: Basic automated test using VIMAGE.
Oct 5 2017, 6:09 PM
kristof updated the diff for D12580: pf: Basic automated test using VIMAGE.

This should address all of the review remarks.

Oct 5 2017, 6:07 PM
kristof abandoned D9429: bridge: Release bridge lock when calling iflladdr_event handler.
Oct 5 2017, 6:00 PM

Oct 3 2017

kristof added inline comments to D12581: pf: Very basic forwarding test.
Oct 3 2017, 9:46 PM
kristof created D12581: pf: Very basic forwarding test.
Oct 3 2017, 8:28 PM
kristof created D12580: pf: Basic automated test using VIMAGE.
Oct 3 2017, 8:26 PM

Sep 21 2017

kristof added a comment to D12433: bsdinstall(8) hardening menu: Utilize new kern.randompid=1 behaviour.

This builds on r323390, right?

Sep 21 2017, 2:00 PM

Sep 8 2017

kristof added a comment to D11401: Kernel pf tests.

I've made a change which I'm testing currently, running pkg with the -r
flag instead of chrooting. Will commit if it works.

Yes, that's even better.

Sep 8 2017, 9:02 PM
kristof added a comment to D11401: Kernel pf tests.

While looking at this I also noticed that this file is (mostly) indented with spaces. FreeBSD style is to use tabs.

Sep 8 2017, 1:33 PM
kristof added inline comments to D11401: Kernel pf tests.
Sep 8 2017, 11:48 AM

Aug 12 2017

kristof added a comment to D12011: Correct multicast address used in pfsync(4).
In D12011#248956, @bcr wrote:

Adding Kristof for confirming that this is the actual address in the code.

Aug 12 2017, 8:42 PM

Aug 9 2017

kristof closed D3272: Add ALTQ(9) CoDel algorithm support.

yes please!

Aug 9 2017, 8:01 AM

Aug 6 2017

kristof updated the summary of D11782: bpf: Fix incorrect cleanup.
Aug 6 2017, 9:33 AM · network

Aug 3 2017

kristof added a comment to D11782: bpf: Fix incorrect cleanup.

I've done a bit more testing, and these debug traces tell the story:

Aug 3 2017, 8:05 PM · network

Jul 31 2017

kristof added a comment to D11782: bpf: Fix incorrect cleanup.

Hmm, good question. I thought I understood the failure flow fully, but now I'm not so sure.

Jul 31 2017, 8:02 PM · network

Jul 30 2017

kristof added a comment to D11782: bpf: Fix incorrect cleanup.
In D11782#244283, @bz wrote:

Is this a consequence of https://svnweb.freebsd.org/base?view=revision&revision=297816 or independent of it?

Jul 30 2017, 8:35 PM · network
kristof created D11782: bpf: Fix incorrect cleanup.
Jul 30 2017, 12:01 PM · network

Jul 22 2017

kristof added a comment to D11629: Handle WITH/WITHOUT_PF in libsysdecode.

I've fixed that style remark and committed it. Thanks for the review!

Jul 22 2017, 12:54 PM

Jul 21 2017

kristof updated the diff for D11629: Handle WITH/WITHOUT_PF in libsysdecode.

Update patch after mkioctls was changed.

Jul 21 2017, 9:42 AM

Jul 18 2017

kristof added a comment to D11629: Handle WITH/WITHOUT_PF in libsysdecode.

Ideally, yes, but it looks like the headers from sys/net (pfvar.h and if_pfsync.h) do get installed, so including those files leads to build failures.

Jul 18 2017, 9:20 PM
kristof added a comment to D11629: Handle WITH/WITHOUT_PF in libsysdecode.

If WITHOUT_PF is set we don't install pf.h (from sys/netpfil/pf), which means the generated file won't compile.
I suppose we could install it, but it's a little odd having pf.h installed if the user explicitly asked not to have pf.

Jul 18 2017, 8:50 PM

Jul 17 2017

kristof created D11629: Handle WITH/WITHOUT_PF in libsysdecode.
Jul 17 2017, 7:12 PM

Jul 13 2017

kristof added a comment to D11322: Tests for pfctl.

I ran into issues with 'install world' with this patch. I think you also want the following:

Jul 13 2017, 10:19 AM · GSoC Students

Jul 12 2017

kristof added a comment to D11322: Tests for pfctl.

I think you're also missing the connection in the pfctl makefile. I've been looking at sbin/mdconfig as an example and it has this:

Jul 12 2017, 8:45 PM · GSoC Students

Jul 10 2017

kristof added a comment to D11322: Tests for pfctl.

This also appears to be missing the integration with the other tests. It can only be used by running it directly from the tests/sbin/pfctl directory.

Jul 10 2017, 1:33 PM · GSoC Students

Jul 9 2017

kristof added inline comments to D11322: Tests for pfctl.
Jul 9 2017, 9:10 AM · GSoC Students

Jul 8 2017

kristof added a comment to D11322: Tests for pfctl.

Cleaned-up version, with improved test descriptions.

Jul 8 2017, 9:10 AM · GSoC Students

Jul 1 2017

kristof added a comment to D11401: Kernel pf tests.

We're intermingling two sets of changes here.

Jul 1 2017, 12:55 PM

Jun 28 2017

kristof added a comment to D11322: Tests for pfctl.

It'd also be good to include the changes required to hook up the sbin/pfctl/Kyuafile to the tests Kyuafile.
Your GitHub repo has a symlink to get recursive behaviour out of Kyua, but there's basically no other symlinks in the repo, so let's avoid that. I'd add a simple include Kyuafile, like ./contrib/atf/Kyuafile does.

Jun 28 2017, 8:14 PM · GSoC Students

Jun 25 2017

kristof added a comment to D11322: Tests for pfctl.

It might also be worth seeing if you can add a couple of tests for ALTQ.
That's also interesting to consider because ALTQ is an optional feature and might not be available in the running kernel.
That'd mean you'd have to have test metadata to figure out if you can sensibly run the test on this system or not (presumably kyua understands the concept of a skipped test).

Jun 25 2017, 1:49 PM · GSoC Students

Jun 21 2017

kristof updated the diff for D11137: PF: implement RFC 4787 REQ 1 and 3 (full cone NAT).

Damjan has updated the patch to fix the style issues and address a panic with non-udp traffic.

Jun 21 2017, 8:56 PM

Jun 10 2017

kristof created D11137: PF: implement RFC 4787 REQ 1 and 3 (full cone NAT).
Jun 10 2017, 5:26 PM

May 11 2017

kristof accepted D10678: Fix panic in persistent hardware MAC storage.

I've just done a quick test. The box no longer panics with this patch.

May 11 2017, 6:33 AM
kristof added a comment to D10678: Fix panic in persistent hardware MAC storage.

I think this is correct, but I think you should skip the {}. The rest of the function does not use them for single-line if statements either.

May 11 2017, 6:20 AM

May 3 2017

kristof abandoned D7528: Merge ifgroup and interface name namespaces.
May 3 2017, 8:21 PM
kristof created D10592: pf: Fix vnet initialisation.
May 3 2017, 8:20 PM