
melifaro (Alexander V. Chernikov)
User

Projects

User Details

User Since
May 27 2014, 9:32 AM (300 w, 2 d)

Recent Activity

Tue, Feb 18

melifaro accepted D23740: ip6_output: improve extension header handling.

LGTM.
It looks like the next step could potentially be isolating the whole if (opt){} and all its consequences into a separate function, filling in exthdr?

Tue, Feb 18, 12:43 PM
melifaro accepted D23647: TCP Ratelimit code update.
Tue, Feb 18, 12:31 PM
melifaro added a comment to D23695: Allow ND entries creation for all routes without gateway..
In D23695#521458, @hrs wrote:

I have no strong objection to allow a prefix route with no gateway, but I think the case pointed out in Bug 194485 can be solved by just adding an address with the delegated prefix on the interface (EUI-64 always works as the interface id). Is there any specific reason for DHCP-PD (or another use case) to have an interface route?

Thank you for looking into this!

Tue, Feb 18, 10:30 AM

Mon, Feb 17

melifaro accepted D22003: Add lle_event handler to ARP.
Mon, Feb 17, 7:53 PM

Sun, Feb 16

melifaro added inline comments to D23097: Revert VNET change and expand VNET structure..
Sun, Feb 16, 6:36 PM
melifaro added a comment to D23718: Mark more nodes as CTLFLAG_MPSAFE or CTLFLAG_NEEDGIANT (M of N).

Generic comment: maybe it would be better to commit all non-leaf nodes CTLFLAG_MPSAFE changes and let the reviews look into the real cases where CTLFLAG_NEEDGIANT is necessary?

Sun, Feb 16, 5:32 PM
melifaro accepted D23697: bridge: Basic test case.
Sun, Feb 16, 10:43 AM

Sat, Feb 15

melifaro accepted D23697: bridge: Basic test case.

LGTM. Please see some minor comment inline.

Sat, Feb 15, 5:53 PM
melifaro updated the summary of D23695: Allow ND entries creation for all routes without gateway..
Sat, Feb 15, 4:16 PM
melifaro updated the diff for D23695: Allow ND entries creation for all routes without gateway..

Add test for checking valid ND operation.

Sat, Feb 15, 4:09 PM
melifaro committed rS357967: Make ping6(1) return code consistent with the man page..
Sat, Feb 15, 3:40 PM
melifaro created D23695: Allow ND entries creation for all routes without gateway..
Sat, Feb 15, 2:38 PM

Fri, Feb 14

melifaro added a comment to D23468: Property-based filters for syslogd.

Looks like a nice feature to have. Please see some comments inline.

Fri, Feb 14, 4:45 PM
melifaro added a comment to D15488: If reading the routing table fails, retry up to 10 times.

I have come to the state that if you're running into this problem you probably should not be using netstat -rn to look at route tables but rather use the proper tool that talks with your routing daemon, adding a "bang on the kernel" repeat inside of netstat is probably a poor solution.

Well, I'm not sure.
First of all, there _are_ cases where you have to fetch the data, regardless of its size - troubleshooting can be one of those.

And when troubleshooting, netstat -rn generally works OK, it gets the error only while the route table is growing rapidly and is very easy for the user to retry the command, SHOULD they be using it.

Please consider scripts that call netstat as a use case.

Thirdly, we're going pretty good towards providing the structured output for all utilities and netstat may actually be the only way to provide that - neither bird nor quagga/FRR are able to do so.

Again, you do not really want to be running netstat -rn on a system that has this issue.

JFYI: routing daemons perform routing table sync on a regular basis, as the async mechanism does not actually guarantee message delivery. They do this at regular intervals, for example the bird default is 60 seconds. Please take a look at the bird code to handle this (IIRC frr and openbgpd do the same): krt-sock.c

Saying that the only base tool we have to read the routing table shouldn't be used doesn't look really positive.

The conditions under which it should not be used are fairly restrictive, it is not as if this is a global stamp of "Oh, it's broke, don't use that

Sorry, I'm afraid I disagree. We should make the tool work instead of telling users not to use it.

Currently the kernel<>userland interaction protocol is far from being optimal, but _that_ is the problem we should be targeting.

Certainly, come up with a fix for that interface that a) does not have this problem, and b) does not kill at least 1 core while it runs

Meanwhile I don't see a reason why we shouldn't just fix the tool to do its job properly.

I do not see this as a fix, this is a "hammer the box till it gives me results" solution.

Yes, it adds some CPU overhead, yes it may delay the convergence - but let the customer decide whether he's ok with this or not

Some CPU? I think you need to look closer at what this does when BGP is trying to converge on 500k+ routes during a flap

Fri, Feb 14, 2:04 PM
melifaro closed D23316: Add basic tests for IPDIVERT write functionality..
Fri, Feb 14, 9:36 AM
melifaro committed rS357905: Add basic IPDIVERT tests..
Fri, Feb 14, 9:36 AM

Thu, Feb 13

melifaro accepted D21812: ipfw(8): When checking for IPv4 in add_src() and add_dat(), don't assume !IPv6 is IPv4.
Thu, Feb 13, 6:49 PM
melifaro added a comment to D23586: ipfw_nat: Perfomance of accessing multiple nat tables.

This implementation certainly looks better, both eliminating old hacks and improving performance.
Some comments inline.

Thu, Feb 13, 3:05 PM

Wed, Feb 12

melifaro committed rS357843: * Fix flaking lle tests by filtering out non-relevant rtsock messages..
Wed, Feb 12, 9:16 PM
melifaro accepted D23329: Make ICMP redirect processing depend on routing daemon.
Wed, Feb 12, 8:20 PM
melifaro added inline comments to D23329: Make ICMP redirect processing depend on routing daemon.
Wed, Feb 12, 7:51 PM
melifaro added a comment to D22003: Add lle_event handler to ARP.

Looks like a really good change, unifying IPv4/IPv6 lltable behaviour.

Wed, Feb 12, 6:26 PM
melifaro added inline comments to D23329: Make ICMP redirect processing depend on routing daemon.
Wed, Feb 12, 5:05 PM
melifaro added a comment to D23586: ipfw_nat: Perfomance of accessing multiple nat tables.

General comment: I'd prefer not to add non-resizable hashes. It should be system job, not user, to resize the hash. Unfortunately, there is no existing generic resizable hash primitive in the kernel code currently.
Speaking of this particular case, I would suggest doing it slightly differently.
We know that nat numbers are limited to 65k. Given that, we can simply allocate 65k array of pointers on the first addition of the nat rule, w/o bothering about hash efficiency, resizing, etc.

This approach has serious consequences:

  • It takes a non-trivial amount of kernel memory. I tend to avoid this.

Well, we already allocate 2 such arrays for the rule index, so 512k won't drastically increase the footprint.
Anyway, I think even the dynamic-sized array capped by max instance number could be implemented relatively easily.

  • It causes a significant performance hit in all cases where the full scan of all instances is required (i.e. dealiasing via "global" or "ipfw show"). This is the reason, why I tried to keep the hash table as small as possible.

No. You still keep the list.

  • Most use cases for the non-experienced user (or embedded devices) involve only a single NAT instance at all. I don't want to burden them with performance issues of large CGN providers.

Not sure how this is applicable, as the array option does not have any configurable options.

Furthermore, the benefit of the patch is only realized for tablearg selection of NAT instances. All other cases do access the NAT instances either by caching or by full scan.

Wed, Feb 12, 5:02 PM
melifaro added inline comments to D23450: libalias: Allow setting alias port ranges.
Wed, Feb 12, 4:30 PM
melifaro added a comment to D23586: ipfw_nat: Perfomance of accessing multiple nat tables.

General comment: I'd prefer not to add non-resizable hashes. It should be system job, not user, to resize the hash. Unfortunately, there is no existing generic resizable hash primitive in the kernel code currently.

Wed, Feb 12, 4:06 PM
melifaro added inline comments to D23329: Make ICMP redirect processing depend on routing daemon.
Wed, Feb 12, 3:51 PM
melifaro added inline comments to D23647: TCP Ratelimit code update.
Wed, Feb 12, 3:46 PM

Wed, Jan 29

melifaro committed rS357263: Plug parent iface refcount leak on <ifname>.X vlan creation..
Wed, Jan 29, 6:41 PM
melifaro added inline comments to D23408: epoch support for taskqueues.
Wed, Jan 29, 9:48 AM
melifaro added inline comments to D23329: Make ICMP redirect processing depend on routing daemon.
Wed, Jan 29, 9:04 AM
melifaro added a reviewer for D23329: Make ICMP redirect processing depend on routing daemon: olivier.
Wed, Jan 29, 9:04 AM

Jan 28 2020

melifaro added inline comments to D23329: Make ICMP redirect processing depend on routing daemon.
Jan 28 2020, 1:44 PM
melifaro added a comment to D23348: Widen EPOCH(9) usage in network drivers (as a pre-step for D23347).

There have been multiple discussions on the certain aspects on the recent network-epoch changes:

Jan 28 2020, 1:21 PM

Jan 27 2020

melifaro added inline comments to D23329: Make ICMP redirect processing depend on routing daemon.
Jan 27 2020, 3:39 PM
melifaro updated the diff for D23316: Add basic tests for IPDIVERT write functionality..

Fix netinet6/divert.sh
Update pre-test logic to skip tests if the divert module is not loaded.

Jan 27 2020, 3:08 PM
melifaro added a comment to D23316: Add basic tests for IPDIVERT write functionality..
In D23316#512732, @kp wrote:

While other test cases haven't done this yet, but I'd like to see the new tests can restore the system as much as they can, if it doesn't bring too much complexity:

  1. Can ipfw and ipdivert be unloaded safely after test?

Unloading the IPFW module seems like a bad idea. The netpfil/common tests rely on the module being loaded to run IPFW tests.
I believe the module is loaded because the test/build scripts explicitly load it, just like pf.

  1. Can net.inet.ip.fw.default_to_accept be set to the original value after the test has completed?

Similarly, here. The default is set because otherwise merely loading IPFW kills all network connectivity. Happily this setting only applies to IPFW, so it's very unlikely to affect anything other than the firewall.
I'd suggest that this test should check if the values are set as expected (and the expected modules are loaded) and skip if they are not.

Yeah, this looks like a better approach. There will be no side effects within test itself and there will be much less potential clashes with other tests due to the modules loading/unloading.

Jan 27 2020, 3:02 PM

Jan 26 2020

melifaro committed rS357144: Fix NOINET6 build after r357038..
Jan 26 2020, 11:54 AM

Jan 24 2020

melifaro added a comment to D21812: ipfw(8): When checking for IPv4 in add_src() and add_dat(), don't assume !IPv6 is IPv4.

Could you please consider avoiding putting the diffs without the context next time?

Jan 24 2020, 8:50 PM
melifaro closed D22877: libalias: Add support for RFC 6598/Carrier Grade NAT subnets.
Jan 24 2020, 8:36 PM
melifaro committed rS357092: Add support for RFC 6598/Carrier Grade NAT subnets. to libalias and ipfw..
Jan 24 2020, 8:36 PM
melifaro accepted D22877: libalias: Add support for RFC 6598/Carrier Grade NAT subnets.
Jan 24 2020, 8:21 PM

Jan 23 2020

melifaro added a comment to D22877: libalias: Add support for RFC 6598/Carrier Grade NAT subnets.

Nevermind, I think I'll skip the tests if this can be committed anyways.
UPDATE: Maybe I'll try writing tests.
UPDATE 2: Actually, I'll skip it.
The problem is that my interface name may not be yours when plugging into ipfw. There may be inactive NICs, or NICs that are LAN-only. And I can't assume a fixed IP address either.

Yes, that's a common problem for these kind of tests. The typical solution used is (a) - using virtual interfaces such as epair /w VNET and (b) - using IPv4 documentation prefixes. This makes it easy to setup & teardown a testing environment.

I'll commit this change, however I highly encourage you on trying to write the tests for this. I did a bunch of similar tests yesterday: D23316.

For instance, my desktop uses Realtek NICs while my home server has Broadcom. You may have Intel or Atheros NICs.
So I'll skip writing tests.

That's a bad one to write as a comment! :-)

Jan 23 2020, 12:03 PM
melifaro committed rS357039: Bring indentation back to normal after r357038..
Jan 23 2020, 9:47 AM
melifaro abandoned D22988: Bring back redirect route expiration..

This change got reviewed and committed in D23047 and D23075.
Closing.

Jan 23 2020, 9:35 AM
melifaro committed rS357038: Fix epoch-related panic in ipdivert, ensuring in_broadcast() is called.
Jan 23 2020, 9:14 AM
melifaro closed D23317: Fix epoch-related panic in ipdivert & refactor div_output..
Jan 23 2020, 9:14 AM

Jan 22 2020

melifaro updated the summary of D23317: Fix epoch-related panic in ipdivert & refactor div_output..
Jan 22 2020, 3:03 PM
melifaro created D23317: Fix epoch-related panic in ipdivert & refactor div_output..
Jan 22 2020, 2:45 PM
melifaro updated the summary of D23316: Add basic tests for IPDIVERT write functionality..
Jan 22 2020, 2:36 PM
melifaro created D23316: Add basic tests for IPDIVERT write functionality..
Jan 22 2020, 2:32 PM
melifaro closed D23075: Bring back redirect route expiration..
Jan 22 2020, 1:53 PM
melifaro committed rS356984: Bring back redirect route expiration..
Jan 22 2020, 1:53 PM

Jan 21 2020

melifaro added inline comments to D23075: Bring back redirect route expiration..
Jan 21 2020, 10:21 PM
melifaro updated the summary of D23297: Enforce compatibility of 'struct sctp_net_route' and 'struct route'..
Jan 21 2020, 1:21 PM
melifaro created D23297: Enforce compatibility of 'struct sctp_net_route' and 'struct route'..
Jan 21 2020, 1:20 PM
melifaro committed rS356939: Document requirements for the 'struct route' variations..
Jan 21 2020, 12:00 PM
melifaro added a comment to D22877: libalias: Add support for RFC 6598/Carrier Grade NAT subnets.

Sure, will do.

Thank you!

Also, do you think it would be possible to write some auto-test with atf-sh, testing this functionality?

It may be possible, but I don't think it's too trivial. You will have to emulate clients. Those can be done with Jails, or loopback interfaces.
Testing from Jails may be a slight bit harder, as you would have to create and tear down the Jails, and loopback interfaces mean the client needs to be directed to use the loopback NAT instead of the default NIC.

In fact, we already have most of the heavy-lifting done, with vnet wrappers & epair.
netinet6/exthdr.sh can be a good example.
I spent 30 minutes today to add an IPv4 redirect test here: D23075.

Jan 21 2020, 10:40 AM
melifaro updated the diff for D23075: Bring back redirect route expiration..

Fix forgotten variable declaration in expire_callout().

Jan 21 2020, 10:18 AM
melifaro updated the diff for D23075: Bring back redirect route expiration..

Add redirect test for IPv4.
Add a bit more wording on host/network redirects.

Jan 21 2020, 10:09 AM
melifaro accepted D23242: Enter network epoch for network interrupts.
Jan 21 2020, 8:39 AM
melifaro abandoned D14920: Fix locking for the bpf TX path.
Jan 21 2020, 8:05 AM

Jan 20 2020

melifaro abandoned D5009: Convert fastforwarding output path to the new routing KPI..

Committed as r309257.

Jan 20 2020, 10:57 PM
melifaro abandoned D4794: Remove per-ifa outgoing packet accounting from ip[6]_output..

Dropping this revision in favour of a larger upcoming change.

Jan 20 2020, 10:53 PM
melifaro updated the diff for D23075: Bring back redirect route expiration..

Update review to address comments.

Jan 20 2020, 10:44 PM
melifaro added inline comments to D23075: Bring back redirect route expiration..
Jan 20 2020, 10:39 PM

Jan 19 2020

melifaro added a comment to D22877: libalias: Add support for RFC 6598/Carrier Grade NAT subnets.

LGTM. Thank you for submitting the patch!

Jan 19 2020, 9:03 PM

Jan 10 2020

melifaro added inline comments to D23075: Bring back redirect route expiration..
Jan 10 2020, 1:31 PM
melifaro added inline comments to D23075: Bring back redirect route expiration..
Jan 10 2020, 1:13 PM
melifaro committed rS356596: Include human-readable list of rtm flags along with bitmask in error messages.
Jan 10 2020, 8:55 AM

Jan 9 2020

melifaro added inline comments to D23114: Document two new conventions:.
Jan 9 2020, 11:17 PM
melifaro updated the diff for D23075: Bring back redirect route expiration..

Add forgotten tests.

Jan 9 2020, 6:31 PM
melifaro updated the diff for D23075: Bring back redirect route expiration..

Update the diff to reflect the committed pre-requisites.

Jan 9 2020, 6:10 PM
melifaro closed D23047: Add fibnum, family and vnet pointer to each rib head..
Jan 9 2020, 5:21 PM
melifaro committed rS356559: Add fibnum, family and vnet pointer to each rib head..
Jan 9 2020, 5:21 PM
melifaro added a comment to D23047: Add fibnum, family and vnet pointer to each rib head..
In D23047#506342, @bz wrote:

Thank you so much for splitting this out. It really helps a lot! Thank you very much!

Thank you for reviewing this!

I assume this will not be MFCed due to KPI change?

Well, actually I thought of MFC'ing the version which would keep dom_rtattach() and other functions the same, while filling in rib_family and rib_fibnum directly in the vnet_route_init() after call to the dom_rtattach().
Do you have any concerns about this?

Jan 9 2020, 1:24 PM

Jan 7 2020

melifaro added a comment to D22988: Bring back redirect route expiration..
In D22988#504244, @bz wrote:

Just to be sure we're on the same page and I understand it correctly:
(a) - review1 means adding rib_fibnum, rib_family, rib_vnet to struct rib_head, along with changes in dom_rtattach(), rt_table_init() and so on, while
(b) - review2 is the same review w/o these changes, right?

da!

Raised D23047 for the former.

Raised D23075 for the latter. However, diffs w/o context are a bit harder to review.

Jan 7 2020, 10:34 PM
melifaro updated the summary of D23075: Bring back redirect route expiration..
Jan 7 2020, 10:33 PM
melifaro created D23075: Bring back redirect route expiration..
Jan 7 2020, 10:31 PM
melifaro abandoned D23074: Bring back redirect route expiration..

Wrong commit was used to generate this revision.

Jan 7 2020, 10:27 PM
melifaro created D23074: Bring back redirect route expiration..
Jan 7 2020, 10:26 PM
melifaro closed D22974: Fix rtsock route message generation for interface addresses..
Jan 7 2020, 9:16 PM
melifaro committed rS356473: Fix rtsock route message generation for interface addresses..
Jan 7 2020, 9:16 PM
melifaro updated the diff for D23051: Allow address lookups in rn_match()..

Use internal __containerof() macro.

Jan 7 2020, 8:15 PM

Jan 6 2020

melifaro updated the summary of D23051: Allow address lookups in rn_match()..
Jan 6 2020, 9:46 AM
melifaro created D23051: Allow address lookups in rn_match()..
Jan 6 2020, 9:45 AM
melifaro added a comment to D22988: Bring back redirect route expiration..
In D22988#504244, @bz wrote:

Just to be sure we're on the same page and I understand it correctly:
(a) - review1 means adding rib_fibnum, rib_family, rib_vnet to struct rib_head, along with changes in dom_rtattach(), rt_table_init() and so on, while
(b) - review2 is the same review w/o these changes, right?

da!

Raised D23047 for the former.

It would make the change history much more clear and also make it easier to review things.

Sure. Would be happy to do it.

PS: I am happy some of the FIB KPI gets cleaned up again, i.e. in6_rtredirect() going away. I hated adding them based on the IPv4 model when I did the initial IPv6 FIB work.

More changes will come soon :-)

:-)

Jan 6 2020, 12:06 AM
melifaro updated the diff for D23047: Add fibnum, family and vnet pointer to each rib head..

Remove forgotten fields from rib_head.

Jan 6 2020, 12:06 AM
melifaro updated the summary of D23047: Add fibnum, family and vnet pointer to each rib head..
Jan 6 2020, 12:03 AM
melifaro created D23047: Add fibnum, family and vnet pointer to each rib head..
Jan 6 2020, 12:01 AM

Jan 2 2020

melifaro added a comment to D22988: Bring back redirect route expiration..
In D22988#504231, @bz wrote:

I have a very annoying question: how much extra work would it be to split this up into: (a) adding rib_fibnum, rib_family and rib_vnet fields and changing the KPI for them by adding them to the current calls and then (b) adding the new functionality (and changing the support function logic beyond just passing the extra fields around)?

Just to be sure we're on the same page and I understand it correctly:
(a) - review1 means adding rib_fibnum, rib_family, rib_vnet to struct rib_head, along with changes in dom_rtattach(), rt_table_init() and so on, while
(b) - review2 is the same review w/o these changes, right?

Jan 2 2020, 10:01 PM
melifaro added a comment to D22988: Bring back redirect route expiration..

Is it possible to default the "redirect" settings to an "automatic mode" where redirects are disabled if a certain, hardcoded size of the routing table is crossed?
Normally the admin can not know all implementation details on each sysctl setting. So unless the setting was not modified by hand, the system is expected to choose the "best" path for the workload. Traversing the large routing table every 10 minutes causes a performance glitch which is very hard to find.

Jan 2 2020, 12:58 PM
melifaro updated the diff for D22988: Bring back redirect route expiration..

Add python code to generate IPv6 redirect.

Jan 2 2020, 10:08 AM
melifaro updated the diff for D22988: Bring back redirect route expiration..

Remove irrelevant changes, add forgotten license header.

Jan 2 2020, 9:24 AM
melifaro closed D22980: Plug loopback ifaddr refcount leak..
Jan 2 2020, 9:09 AM
melifaro committed rS356268: Plug loopback ifaddr refcount leak..
Jan 2 2020, 9:09 AM

Jan 1 2020

melifaro added a comment to D22988: Bring back redirect route expiration..

Missing redirect.py is here. Phabricator refuses to add python files to the diff due to the lack of pep8 binary installed on phabric server.

Jan 1 2020, 11:02 PM
melifaro created P349 redirect.py.
Jan 1 2020, 11:01 PM
melifaro updated the diff for D22988: Bring back redirect route expiration..

Add ND redirect test, fix panic in redirect handling code.

Jan 1 2020, 11:00 PM
melifaro updated the test plan for D22988: Bring back redirect route expiration..
Jan 1 2020, 2:37 PM