- User Since
- Sep 28 2014, 7:22 PM (207 w, 2 d)
Mon, Sep 10
Sat, Sep 1
OpenBSD use M_FLOWID_VALID to indicate if the flowid is set. FreeBSD does it slightly differently, and uses a separate field, usually accessed via M_HASHTYPE_SET(), M_HASHTYPE_GET(), M_HASHTYPE_ISHASH(), ... macros.
Tue, Aug 28
Thu, Aug 23
Aug 18 2018
It'd be really awesome if you could also see about writing some basic tests (both as pfctl parser tests, to check we can now set higher bitrates for shaping, and as a basic test that shaping actually happens), but that's certainly not blocking.
Two minor remarks, at first glance. I've not dug into it at great depth, but your approach looks good and I've not seen any big problems.
Aug 11 2018
You're right that the ternary operator is now redundant. I wonder if it wouldn't be better to just get rid of ssidmax and use IEEE80211_NWID_LEN everywhere in its place:
Aug 7 2018
Patches (almost) always go into CURRENT first, before they can be merged back into stable/11 and stable/10.
No, that's okay. I've got the patch and can commit it once we've established it fixes your problem (and doesn't cause any new ones).
This change is probably also required for pf_test6(). OpenBSD unified pf_test() and pf_test6(), but we haven't done that yet.
I don't think the comparison is quite correct, in that the '== 0' will make it do the reverse of what you what you intend.
Aug 3 2018
I don't know enough about the build system to comment on the makefile changes, but it builds as expected, and I have no objection to moving the pf.os file.
Jun 30 2018
Looks good. Thanks for this. Let's get it in before 12.
Jun 27 2018
Jun 20 2018
I'm not sure if I object to this change or not, but it's worth noting that SSIDs are not necessarily UTF-8 strings. Unless the SSIDEncoding is set it is 0-32 octets. Having 0 bytes in the middle of the SSID is valid (though I'd be very surprised if that actually worked on more than a handful of devices). If SSIDEncoding is set it is indeed a UTF-8 string.
For additional fun Microsoft got this wrong and several Windows versions interpret the SSID as being Latin1 encoded.
Jun 9 2018
I'd prefer the sysctl to reject values that are out of range.
What do you think about this: https://people.freebsd.org/~kp/patches/D14536.patch ?
May 20 2018
Looks good at first glance.
I like the move of the sys/rmlock.h include into pfvar.h, so the header becomes more self-contained (i.e. you don't need extra includes to make your include of pfvar.h work). I'm running test builds for that, because I thought it broke when I tried. Perhaps I messed something else up though.
Apr 11 2018
Well, as I said, I have no views on what the value should be. I defaulted to keeping the old value, but if you've got a good reason to change it that's fine by me.
Apr 9 2018
Good catch, I missed it in the first two cases because that used to be a fixed 65k value. Now that it's user configurable it needs the check too.
Fix static / extern mismatch
Add missing WOULD_OVERFLOW checks.
Apr 8 2018
Apr 6 2018
Committed as r332101
Committed as r332102
Apr 1 2018
What problem does this fix?
Mar 26 2018
Mar 19 2018
Keep the old hooks so other pfil users don't need to change. Allow pf to use the new style of hook, with the flags argument.
Mar 18 2018
Looks sane to me.
Mar 16 2018
Mar 6 2018
Mar 3 2018
I have no specific views on what the value should be. The remark mostly comes from the desire to avoid having the kernel enforce policy. It's only a small extra step here for more flexibility.
I think I'd make net.inet.carp.dscp be an integer, with a default value of (the value of) IPTOS_LOWDELAY.
Mar 2 2018
Would it make sense to set the DSCP value to the value configured in 'net.inet.carp.dscp' rather than a hardcoded value?
Feb 3 2018
Feb 2 2018
Jan 31 2018
Now I'm confused. This isn't about loop detection. This is about detecting if a PFIL_OUT packet is being forwarded or output.
Jan 27 2018
I'm not sure I see how this would create confusion. This merely presents more information about the packet, and where the netpfil hook being called from.
Jan 26 2018
Based around a suggestion from Kyle Evans (who also did all of the work), introduce a flags variable to the pfil callbacks. Keep using PFIL_OUT for forwarded packets, but set the PFIL_FWD flag for them. This allows pf to work out if a packet is being forwarded or not, with essentially no changes to other netpfil consumers.
Jan 11 2018
Jan 10 2018
ae@ is probably the best person to talk to about ipfw, so you may want to cc him too.
Jan 6 2018
More context. No changes to the diff.
Use the OpenBSD mallocarray implementation.
Add __alloc_size attributes.
Jan 4 2018
Update malloc.9 man page.
I have to admit I initially wanted to call it calloc(), but it turns out ZFS already has calloc(size_t, size_t) in sys/cddl/compat/opensolaris/sys/kmem.h, so that failed to build.
Removed incorrect __alloc_size attribute.
Dec 31 2017
Nov 30 2017
aes_cbc_128_hmac_sha1:v4 -> passed [1.642s] aes_cbc_128_hmac_sha1:v6 -> passed [1.619s] aes_cbc_256_hmac_sha2_256:v4 -> passed [1.617s] aes_cbc_256_hmac_sha2_256:v6 -> passed [1.680s] aes_gcm_128:v4 -> passed [1.605s] aes_gcm_128:v6 -> passed [1.616s] aes_gcm_256:v4 -> passed [1.844s] aes_gcm_256:v6 -> passed [1.793s] aesni_aes_cbc_128_hmac_sha1:v4 -> passed [1.579s] aesni_aes_cbc_128_hmac_sha1:v6 -> passed [1.742s] aesni_aes_cbc_256_hmac_sha2_256:v4 -> passed [1.601s] aesni_aes_cbc_256_hmac_sha2_256:v6 -> passed [1.611s] aesni_aes_gcm_128:v4 -> passed [1.602s] aesni_aes_gcm_128:v6 -> expected_failure: PR 201447: atf-check failed; see the output of the test for details [12.928s] aesni_aes_gcm_256:v4 -> passed [1.835s] aesni_aes_gcm_256:v6 -> expected_failure: PR 201447: atf-check failed; see the output of the test for details [12.773s] empty:v4 -> passed [1.577s] empty:v6 -> passed [1.593s]
Nov 28 2017
I'll try again once I see a commit go by that looks like it'd fix that. Do feel free to remind me if I manage to miss it (or forget).
It looks like something's still wrong:
Nov 22 2017
Well, I suppose this is good, in that it shows why these tests are useful:
Nov 18 2017
Nov 11 2017
Oh, also: if some of the tests are known to fail we should mark them as such until the issue is fixed.
How to add the case of with and without AESNI without rewriting all these tests?
Nov 3 2017
I suspect this will also address PR 222647.
Oct 25 2017
Oct 24 2017
Oct 23 2017
This is similar to how I fixed this problem for pf.
Oct 14 2017
Similar results for v6:
With a larger file (102400 bytes) the difference indeed shrinks:
I found some crusty old hardware to run a test on. This is nginx serving its default index page (612 bytes of data).
Test client is wrk. I played around with the number of connections and threads briefly, but didn't see a major difference (in the non-vimage performance, I've not compared vimage there).
Oct 12 2017
Oct 11 2017
Oct 6 2017
Sorry, I missed that remark.
Oct 5 2017
This should address all of the review remarks.
Oct 3 2017
Sep 21 2017
This builds on r323390, right?
Sep 8 2017
While looking at this I also noticed that this file is (mostly) intended with spaces. FreeBSD style is to use tabs.
Aug 12 2017
Aug 9 2017
Aug 6 2017
Aug 3 2017
I've done a bit more testing, and these debug traces tell the story:
Jul 31 2017
Hmm, good question. I thought I understood the failure flow fully, but now I'm not so sure.