
lutz_donnerhacke.de (Lutz Donnerhacke)
User

Projects

User Details

User Since
Sep 26 2019, 9:24 AM (26 w, 2 d)

Recent Activity

Thu, Mar 26

lutz_donnerhacke.de added inline comments to D24192: ipfw: add dst-mac/src-mac shorthands to do filtering based on source/destination MAC.
Thu, Mar 26, 2:28 PM · network

Wed, Mar 25

lutz_donnerhacke.de added a comment to D24179: ixl: Permit 802.1ad frames to pass though the chip.

Patch does work with 12-STABLE, too. (removing the NEEDGIANT flag)

Wed, Mar 25, 9:31 AM

Tue, Mar 24

lutz_donnerhacke.de updated the test plan for D24179: ixl: Permit 802.1ad frames to pass though the chip.
Tue, Mar 24, 10:54 PM
lutz_donnerhacke.de added reviewers for D24179: ixl: Permit 802.1ad frames to pass though the chip: network, bz.
Tue, Mar 24, 10:52 PM
lutz_donnerhacke.de created D24179: ixl: Permit 802.1ad frames to pass though the chip.
Tue, Mar 24, 10:50 PM

Sat, Mar 21

lutz_donnerhacke.de updated the diff for D21965: usr.sbin/ngctl: Generate more compact GraphWiz output.

Fixed spacing for "if (" statements.
Running the whole source through indent(1) would make a much larger patch.

Sat, Mar 21, 8:27 PM

Mon, Mar 16

lutz_donnerhacke.de added a comment to D24011: ipfw: Support {w:x:y::z}:port (bracketed) IPv6 addresses in the fwd command.

That would be my approach https://reviews.freebsd.org/differential/diff/69565/
I'd further eliminate the temporary storage "struct sockaddr_storage result", and copy directly from the gai result into the action (with memcpy).

Mon, Mar 16, 10:46 AM · network
lutz_donnerhacke.de requested changes to D23577: divert: Add socket options for divert socket's send and receive buffers.
Mon, Mar 16, 9:40 AM
lutz_donnerhacke.de added a comment to D23577: divert: Add socket options for divert socket's send and receive buffers.

I tried to use the already existing socket infrastructure to change the socket buffer values ...

Mon, Mar 16, 9:31 AM

Sat, Mar 14

lutz_donnerhacke.de added inline comments to D24021: ipfw: Add me4 as to refer to an host's IPv4 address in add_src() and add_dst()..
Sat, Mar 14, 9:39 PM · network

Wed, Mar 11

lutz_donnerhacke.de added a comment to D24021: ipfw: Add me4 as to refer to an host's IPv4 address in add_src() and add_dst()..

Does this mean that for a current dual stack IPFW rule like:

allow tcp from any to me 443

It will only match for IPv4 packets, as "me" is only working with IPv4 addresses under the hood with the current behavior?
This is not the current behavior I'm observing since my web server answers IPv6 requests perfectly fine with my above rule.

Wed, Mar 11, 7:50 PM · network
lutz_donnerhacke.de accepted D24021: ipfw: Add me4 as to refer to an host's IPv4 address in add_src() and add_dst()..

Good catch.

Wed, Mar 11, 1:28 PM · network

Tue, Mar 10

lutz_donnerhacke.de added a comment to D23971: [bhyve][virtio-net] Add MTU advice support.

I have no idea why someone thinks a network device should have a minimum MTU of 1280, that is simply the IPv6 value, ethernet is very happy to transfer 64 byte packets. There should be some implementation detail of the in kernel vt driver that can at least go that small, and perhaps smaller as you do not have the collision detection minimum wire time that ethernet has(had).

Tue, Mar 10, 7:41 PM
lutz_donnerhacke.de added a comment to D24011: ipfw: Support {w:x:y::z}:port (bracketed) IPv6 addresses in the fwd command.

How about detecting the port separator first? (i.e. repeatedly call strpbrk)

Tue, Mar 10, 7:57 AM · network
lutz_donnerhacke.de added a comment to D24011: ipfw: Support {w:x:y::z}:port (bracketed) IPv6 addresses in the fwd command.

How about detecting the port separator first? (i.e. repeatedly call strpbrk)
Then you can easily distinguish between the cases

  • starts with '[' -> numeric IPv6
  • contains ':' -> numeric IPv6
  • contains no letters -> numeric IPv4
  • use gai()

Tue, Mar 10, 6:07 AM · network

Sat, Mar 7

lutz_donnerhacke.de added a comment to D21965: usr.sbin/ngctl: Generate more compact GraphWiz output.

Ping?

Sat, Mar 7, 9:54 PM
lutz_donnerhacke.de added a comment to D22140: netgraph/ng_tag: Variable length data can not be set for all length.

Ping?

Sat, Mar 7, 9:54 PM
lutz_donnerhacke.de added a comment to D21968: netgraph/ng_source: Allow ng_source to inject into any netgraph network.

Ping?

Sat, Mar 7, 9:52 PM
lutz_donnerhacke.de added a comment to D23586: ipfw_nat: Perfomance of accessing multiple nat tables.

@melifaro Are your concerns resolved?

Sat, Mar 7, 9:50 PM
lutz_donnerhacke.de added a comment to D23329: Make ICMP redirect processing depend on routing daemon.

@hrs Are your concerns resolved?

Sat, Mar 7, 9:47 PM
lutz_donnerhacke.de added a reviewer for D23727: netgraph/ng_one2many: Clarification in comments about copy mode: network.
Sat, Mar 7, 9:45 PM
lutz_donnerhacke.de added a comment to D22076: netgraph/ng_vlan_rotate: IEEE 802.1ad VLAN manipulation netgraph node type (new type).

@brueffer Are your concerns resolved?

Sat, Mar 7, 9:44 PM
lutz_donnerhacke.de updated the diff for D22110: netgraph/ng_car: Add color marking code.

Widen the range of priority classes.

Sat, Mar 7, 9:41 PM
lutz_donnerhacke.de added a comment to D23981: ipfw: Add support for NAT on different routing tables.

I'm sorry, but I do not see anything functionally connected with the new fib number.
This patch only stores and retrieves the number but does not consider it in its natting process itself.
So the whole fib processing is done in the ipfw ruleset, it has nothing to do with libalias.
What do I miss?

Sat, Mar 7, 10:56 AM · network

Thu, Mar 5

lutz_donnerhacke.de added a comment to D23963: netgraph/ng_bridge: Introduce "uplink" ports without MAC learning.

Is it really useful to have multiple uplinks?

Thu, Mar 5, 9:14 PM
lutz_donnerhacke.de updated the diff for D22110: netgraph/ng_car: Add color marking code.

Updated to revision 358668.

Thu, Mar 5, 9:40 AM

Wed, Mar 4

lutz_donnerhacke.de added a reviewer for D23963: netgraph/ng_bridge: Introduce "uplink" ports without MAC learning: network.
Wed, Mar 4, 9:20 PM
lutz_donnerhacke.de created D23963: netgraph/ng_bridge: Introduce "uplink" ports without MAC learning.
Wed, Mar 4, 9:18 PM
lutz_donnerhacke.de updated the diff for D23954: netgraph/ng_car: Fix spelling.

The man page needs an update, too.

Wed, Mar 4, 11:29 AM
lutz_donnerhacke.de retitled D23954: netgraph/ng_car: Fix spelling from ng_car: Fix spelling to netgraph/ng_car: Fix spelling.
Wed, Mar 4, 11:27 AM
lutz_donnerhacke.de created D23954: netgraph/ng_car: Fix spelling.
Wed, Mar 4, 11:26 AM

Tue, Mar 3

lutz_donnerhacke.de added a comment to D23721: ng_one2many: Don't duplicate packets with m_dup() when receiving and re-transmitting.

This can make sense in certain setups. However, since originally node provided writable copies to each of "many" hooks, we can't change that. This can be configured as a node option, if sysadmin is sure that nodes downstream of "many" hooks are fine with read only mbufs.

Tue, Mar 3, 8:09 AM

Sun, Mar 1

lutz_donnerhacke.de updated the diff for D23850: netgraph: Allow larger messages in communication between kernel and user-space.

Store the current parameters of socket initialization in per socket data structures.
This way control and data sockets are allowed to have different buffer sizes (in theory).
And the buffer size of the socket in question is available for fragmentation handling, even if the sysctl values are changed.

Sun, Mar 1, 11:43 PM
lutz_donnerhacke.de added a comment to D22076: netgraph/ng_vlan_rotate: IEEE 802.1ad VLAN manipulation netgraph node type (new type).

We are going to hard production now.
Any interest in reviewing it?

Sun, Mar 1, 9:08 PM
lutz_donnerhacke.de updated the diff for D22076: netgraph/ng_vlan_rotate: IEEE 802.1ad VLAN manipulation netgraph node type (new type).

Updated to revision 358500.

Sun, Mar 1, 9:05 PM
lutz_donnerhacke.de added a comment to D23727: netgraph/ng_one2many: Clarification in comments about copy mode.

I thought about one "alternative": a copy-on-write mode for mbufs. However, this means modifications to the mbuf code.

Sun, Mar 1, 11:07 AM

Sat, Feb 29

lutz_donnerhacke.de added inline comments to D23888: ipfw: Allow resolving of IPv6 DNS AAAA records in IPv6 table lookups.
Sat, Feb 29, 8:23 PM · network

Fri, Feb 28

lutz_donnerhacke.de requested changes to D22915: ipfw: Handle count > 1 in commit_rules().

However, I believe IP_FW_XADD will call commit_rules() via add_rules() (which is called via do_get3()), so I'm uploading an updated patch removing that code.

Fri, Feb 28, 8:24 PM · network
lutz_donnerhacke.de added a comment to D22915: ipfw: Handle count > 1 in commit_rules().

There is no implemented use case for count != 1.

Fri, Feb 28, 10:18 AM · network

Feb 27 2020

lutz_donnerhacke.de updated the diff for D23850: netgraph: Allow larger messages in communication between kernel and user-space.

Allow the documented version to differ from the real structure. Document only the guaranteed elements.

Feb 27 2020, 9:41 PM
lutz_donnerhacke.de updated the diff for D23850: netgraph: Allow larger messages in communication between kernel and user-space.

Using libnetgraph is sufficient, no explicit test for version numbers necessary.

Feb 27 2020, 9:35 PM
lutz_donnerhacke.de retitled D23850: netgraph: Allow larger messages in communication between kernel and user-space from netgraph: Allow larger messages in communitcation outside of the kernel to netgraph: Allow larger messages in communication between kernel and user-space.
Feb 27 2020, 2:40 PM
lutz_donnerhacke.de updated the diff for D23850: netgraph: Allow larger messages in communication between kernel and user-space.

Added two more occurrences of direct use of NG_VERSION: libexec/pppoed/pppoed.c usr.sbin/ppp/ether.c

Feb 27 2020, 1:45 PM
lutz_donnerhacke.de added a comment to D23850: netgraph: Allow larger messages in communication between kernel and user-space.

The idea is to allow a split of large messages into smaller ones over size limited links. In kernel this is never necessary.

Feb 27 2020, 1:04 PM
lutz_donnerhacke.de added a reviewer for D23850: netgraph: Allow larger messages in communication between kernel and user-space: network.
Feb 27 2020, 12:42 PM
lutz_donnerhacke.de added inline comments to D23850: netgraph: Allow larger messages in communication between kernel and user-space.
Feb 27 2020, 12:41 PM
lutz_donnerhacke.de created D23850: netgraph: Allow larger messages in communication between kernel and user-space.
Feb 27 2020, 12:35 PM

Feb 26 2020

lutz_donnerhacke.de updated the diff for D23329: Make ICMP redirect processing depend on routing daemon.

Change to the correct idiom for enabled state.

Feb 26 2020, 9:33 PM
lutz_donnerhacke.de updated the diff for D23840: netgraph/ng_base: Allow larger BINARY2ASCII conversions.

Updated to revision 358355.

Feb 26 2020, 8:09 PM
lutz_donnerhacke.de updated the diff for D23586: ipfw_nat: Perfomance of accessing multiple nat tables.

Updated to revision 358355.

Feb 26 2020, 8:09 PM
lutz_donnerhacke.de accepted D23450: libalias: Allow setting alias port ranges.
Feb 26 2020, 5:36 PM
lutz_donnerhacke.de added a comment to D23840: netgraph/ng_base: Allow larger BINARY2ASCII conversions.

Those are the numbers for 400 CPE connecting per line for 12 lines and 900 active clients (dhclient ngethxxx).

  Type name   Number of living nodes
  ---------   ----------------------
        car     452
      patch      12
        tag      13
   one2many      13
     bridge       2
        bpf       1
        tee      13
vlan_rotate       1
       vlan    4865
     eiface    9600
     socket       2

Feb 26 2020, 4:48 PM
lutz_donnerhacke.de added inline comments to D23840: netgraph/ng_base: Allow larger BINARY2ASCII conversions.
Feb 26 2020, 4:37 PM
lutz_donnerhacke.de added inline comments to D23840: netgraph/ng_base: Allow larger BINARY2ASCII conversions.
Feb 26 2020, 4:36 PM
lutz_donnerhacke.de added a reviewer for D23840: netgraph/ng_base: Allow larger BINARY2ASCII conversions: network.
Feb 26 2020, 12:50 PM
lutz_donnerhacke.de created D23840: netgraph/ng_base: Allow larger BINARY2ASCII conversions.
Feb 26 2020, 12:48 PM
lutz_donnerhacke.de added inline comments to D23329: Make ICMP redirect processing depend on routing daemon.
Feb 26 2020, 9:57 AM

Feb 25 2020

lutz_donnerhacke.de added inline comments to D23329: Make ICMP redirect processing depend on routing daemon.
Feb 25 2020, 9:57 AM
lutz_donnerhacke.de updated the diff for D23329: Make ICMP redirect processing depend on routing daemon.

Declare temporary variable as local.

Feb 25 2020, 9:51 AM

Feb 24 2020

lutz_donnerhacke.de created D23814: netgraph.h: Wrong path in the man page.
Feb 24 2020, 11:09 AM
lutz_donnerhacke.de added inline comments to D23329: Make ICMP redirect processing depend on routing daemon.
Feb 24 2020, 9:36 AM
lutz_donnerhacke.de updated the diff for D23329: Make ICMP redirect processing depend on routing daemon.

Switch to a more efficient processing of rc.files.

Feb 24 2020, 9:33 AM

Feb 21 2020

lutz_donnerhacke.de added inline comments to D23732: Fix poor performance of ftp(1) due to small SO_SNDBUF and SO_RCVBUF.
Feb 21 2020, 9:44 AM

Feb 20 2020

lutz_donnerhacke.de updated the diff for D22076: netgraph/ng_vlan_rotate: IEEE 802.1ad VLAN manipulation netgraph node type (new type).

Updated to revision 358170.

Feb 20 2020, 4:24 PM
lutz_donnerhacke.de created D23773: netgraph/ng_bpf: Fixing example in man page.
Feb 20 2020, 12:38 PM
lutz_donnerhacke.de added a comment to D23760: Fix IPv6 checksums when exthdrs are present..

I'm 1/2 joking, but what would you think about not supporting extension headers at all? They are the worst part of IPv6 and make everything complicated and add lots of hairy cases. What benefit are they?
(I'm legitimately curious)

Feb 20 2020, 11:03 AM

Feb 19 2020

lutz_donnerhacke.de added a comment to D23695: Allow ND entries creation for all routes without gateway..
In D23695#521734, @hrs wrote:

If we can assume an interface route also implies an on-link prefix, just installing an on-link prefix list entry upon installing an interface route is more reasonable to me than looking up the routing table because the current code uses the prefix list to determine if an address is a neighbor or not.

Feb 19 2020, 8:09 AM

Feb 18 2020

lutz_donnerhacke.de added a comment to D23695: Allow ND entries creation for all routes without gateway..
In D23695#521458, @hrs wrote:

I have no strong objection to allow a prefix route with no gateway, but I think the case pointed out in Bug 194485 can be solved by just adding an address with the delegated prefix on the interface (EUI-64 always works as the interface id). Is there any specific reason for DHCP-PD (or another use case) to have an interface route?

Feb 18 2020, 7:46 AM

Feb 17 2020

lutz_donnerhacke.de added inline comments to D23732: Fix poor performance of ftp(1) due to small SO_SNDBUF and SO_RCVBUF.
Feb 17 2020, 8:13 PM
lutz_donnerhacke.de added a reviewer for D23727: netgraph/ng_one2many: Clarification in comments about copy mode: neel_neelc.org.
Feb 17 2020, 2:59 PM
lutz_donnerhacke.de created D23727: netgraph/ng_one2many: Clarification in comments about copy mode.
Feb 17 2020, 2:58 PM
lutz_donnerhacke.de added inline comments to D23726: Make RSS kernels compile again.
Feb 17 2020, 11:53 AM
lutz_donnerhacke.de added a comment to D23721: ng_one2many: Don't duplicate packets with m_dup() when receiving and re-transmitting.

You make a good point.
I decided to call m_dup() one time and then call m_copypacket() on the copy made by m_dup(), so if the original packet gets modified, the copies made by m_copypacket() aren't affected.
I'm not sure if the NG_FREE_M(mcpy) is the right thing to do, or if it will cause problems with the copy. I didn't want to cause a memory leak, but don't want to remove the data and cause a null dereference in the copies either.

Feb 17 2020, 8:38 AM

Feb 16 2020

lutz_donnerhacke.de added a reviewer for D23721: ng_one2many: Don't duplicate packets with m_dup() when receiving and re-transmitting: lutz_donnerhacke.de.

According to the man page, "m_copypacket" makes a read-only version of the packet (by virtually setting some pointers to the same area of memory).
On the contrary, "m_dup" also copies the content, so each version can be modified differently afterwards.

Feb 16 2020, 11:10 PM
lutz_donnerhacke.de updated the diff for D22076: netgraph/ng_vlan_rotate: IEEE 802.1ad VLAN manipulation netgraph node type (new type).

rebase to r358008.

Feb 16 2020, 10:58 PM

Feb 15 2020

lutz_donnerhacke.de requested changes to D23577: divert: Add socket options for divert socket's send and receive buffers.

Naturally, using setsockopt() for SO_SNDBUF/SO_RCVBUF.

Feb 15 2020, 2:14 PM
lutz_donnerhacke.de added a comment to D23577: divert: Add socket options for divert socket's send and receive buffers.

Can you please explain, what the issue is with the sysctl itself?

Sysctls are great tools and very handy, so our sysctl tree grows quickly, is already bloated, and needs increasing amounts of memory. I don't think we should add a new one just because it's easy and we can do it, without any practical use case.

Feb 15 2020, 1:16 PM

Feb 14 2020

lutz_donnerhacke.de updated the diff for D23586: ipfw_nat: Perfomance of accessing multiple nat tables.

Fix a lot of errors.
Renaming the struct and fields.
id numbers are no longer generic ints, but uint16_t.
Fix locking.
Document creation of new nat instances in a more readable way.
Alloc memory only if outside of any locks.

Feb 14 2020, 4:27 PM

Feb 13 2020

lutz_donnerhacke.de added inline comments to D23586: ipfw_nat: Perfomance of accessing multiple nat tables.
Feb 13 2020, 3:55 PM
lutz_donnerhacke.de added inline comments to D23586: ipfw_nat: Perfomance of accessing multiple nat tables.
Feb 13 2020, 3:18 PM
lutz_donnerhacke.de updated the diff for D23586: ipfw_nat: Perfomance of accessing multiple nat tables.

Change to a simple table based approach.
Remove the whole caching framework incl. special opcode extensions.
Keep the table small (dynamically allocated).
Move local management structures from global into local file.
No need for externally visible tunables anymore, no man page changes.
Not yet fully tested (only module loading/unloading, rule creating, deletion).

Feb 13 2020, 1:05 PM
lutz_donnerhacke.de added a comment to D23329: Make ICMP redirect processing depend on routing daemon.

If somebody has some spare time to land this, it would be fine.
I do not have any commit rights.

Feb 13 2020, 8:45 AM
lutz_donnerhacke.de accepted D23461: netgraph: Add RFC 6598/Carrier Grade NAT support to ng_nat.
Feb 13 2020, 8:05 AM
lutz_donnerhacke.de added a comment to D23450: libalias: Allow setting alias port ranges.

In general, I'm pleased with the renaming from the generic "alias" to "range".

Feb 13 2020, 8:01 AM

Feb 12 2020

lutz_donnerhacke.de updated the diff for D23329: Make ICMP redirect processing depend on routing daemon.

considering routed as a common case, not a special handling

Feb 12 2020, 7:57 PM
lutz_donnerhacke.de added a comment to D23577: divert: Add socket options for divert socket's send and receive buffers.

divert(4) sockets can be used not only with natd(8), so the changes look reasonable to me.

divert sockets can be used with other software but present exactly the same significant overhead.
Do you have an example where the suggested change really improves performance?

Feb 12 2020, 7:35 PM
lutz_donnerhacke.de added inline comments to D23329: Make ICMP redirect processing depend on routing daemon.
Feb 12 2020, 7:23 PM
lutz_donnerhacke.de added a comment to D23586: ipfw_nat: Perfomance of accessing multiple nat tables.

Well, we already allocate 2 such arrays for the rule index, so 512k won't drastically increase the footprint.

Feb 12 2020, 7:17 PM
lutz_donnerhacke.de added a comment to D23586: ipfw_nat: Perfomance of accessing multiple nat tables.

General comment: I'd prefer not to add non-resizable hashes. It should be system job, not user, to resize the hash. Unfortunately, there is no existing generic resizable hash primitive in the kernel code currently.
Speaking of this particular case, I would suggest doing it slightly differently.
We know that nat numbers are limited to 65k. Given that, we can simply allocate 65k array of pointers on the first addition of the nat rule, w/o bothering about hash efficiency, resizing, etc.

Feb 12 2020, 4:40 PM
lutz_donnerhacke.de added inline comments to D23329: Make ICMP redirect processing depend on routing daemon.
Feb 12 2020, 4:31 PM
lutz_donnerhacke.de added a comment to D23329: Make ICMP redirect processing depend on routing daemon.

Is there anything missing?

Feb 12 2020, 12:10 PM
lutz_donnerhacke.de updated the diff for D23586: ipfw_nat: Perfomance of accessing multiple nat tables.

Rebase to r357812

Feb 12 2020, 11:42 AM
lutz_donnerhacke.de updated the diff for D22076: netgraph/ng_vlan_rotate: IEEE 802.1ad VLAN manipulation netgraph node type (new type).

Rebase to r357812

Feb 12 2020, 11:35 AM
lutz_donnerhacke.de added inline comments to D23577: divert: Add socket options for divert socket's send and receive buffers.
Feb 12 2020, 11:22 AM
lutz_donnerhacke.de added a comment to D23577: divert: Add socket options for divert socket's send and receive buffers.

As a side note, performance is gained from collapsing

ipfw -q add 100 divert natd ip from any to any in via wan0
ipfw -q add 1000 divert natd ip from any to any out via wan0

to

ipfw -q add 100 divert natd ip from any to any via wan0

Feb 12 2020, 8:57 AM
lutz_donnerhacke.de added a comment to D23450: libalias: Allow setting alias port ranges.

Thanks for your feedback.
I'm thinking about switching the NAT port range to something like 2000-2999 instead of 2000 3000 for consistency with the rest of IPFW. Would this be okay?

Feb 12 2020, 8:43 AM

Feb 11 2020

lutz_donnerhacke.de updated the summary of D23586: ipfw_nat: Perfomance of accessing multiple nat tables.
Feb 11 2020, 8:40 PM
lutz_donnerhacke.de added a comment to D23450: libalias: Allow setting alias port ranges.

I'm still not satisfied with the "upper bound", which is inconsistent between "config port range" and "matching port range" in the ipfw rule set. It does not allow to specify the highest port (but this is a minor issue).

Feb 11 2020, 8:37 PM
lutz_donnerhacke.de added a comment to D23091: netgraph/ng_nat: Prevent crash by malformated packets.

@eugen_grosbein.net are your concerns handled?

Feb 11 2020, 8:26 PM
lutz_donnerhacke.de added a comment to D23091: netgraph/ng_nat: Prevent crash by malformated packets.

Thank you. Somebody needs to land this.

Feb 11 2020, 8:18 PM