Wed, Mar 14
Sat, Mar 3
I have no specific views on what the value should be. The remark mostly comes from the desire to avoid having the kernel enforce policy. It's only a small extra step here for more flexibility.
I think I'd make net.inet.carp.dscp be an integer, with a default value of (the value of) IPTOS_LOWDELAY.
Fri, Mar 2
Would it make sense to set the DSCP value to the value configured in 'net.inet.carp.dscp' rather than a hardcoded value?
Tue, Feb 27
Fixed default setting of new sysctl in man page.
Jan 31 2018
Now I'm confused. This isn't about loop detection. This is about detecting if a PFIL_OUT packet is being forwarded or output.
Jan 30 2018
I'm against the last proposal. It is not costless to tag each forwarded packet and then remove the tag. This will seriously hit performance.
Jan 29 2018
(Apologies; last comment on this matter)
I guess the "cost should be relatively low" comment is kind of wrong. OUT hooks that care about whether it's forwarded or not will take a hit if it's not forwarded and the tag is not present, but I have no idea how heavy this would be; I have no notion of how heavily used mbuf tags are. =)
Jan 27 2018
I'm not sure I see how this would create confusion. This merely presents more information about the packet, and where the netpfil hook is being called from.
While I have not much time lately to spend on this, I still think this is the wrong way of doing things since it just creates confusion.
pf(4) already knows about mbuf_tag(9) and uses it. I would strongly suggest using them until a proper _FWD hook comes to life and allows removing all the 'hacks' in pf(4) and possibly elsewhere.
Jan 26 2018
Having had time to review it again, I think it looks good. This iteration exposes it as a flag that describes the path the packet has taken, rather than exposing it as the direction the packet is going in and having places where it was necessary to then mask that fact by flipping dir back to OUT where paths didn't yet know about FWD.
Sorry, removal of manpages was unintentional; caches, grrrr.
Based around a suggestion from Kyle Evans (who also did all of the work), introduce a flags variable to the pfil callbacks. Keep using PFIL_OUT for forwarded packets, but set the PFIL_FWD flag for them. This allows pf to work out if a packet is being forwarded or not, with essentially no changes to other netpfil consumers.
Jan 6 2018
More context. No changes to the diff.
While this is needed I do not agree that the modifications on the stack and packet filters should be so hackish.
Can you please update the patch with additional context according to https://wiki.freebsd.org/Phabricator#Create_a_Revision_via_Web_Interface
Dec 31 2017
Dec 18 2017
Dec 14 2017
- The old Berkeley DB is deprecated and the file is no longer present in the package. The related lines in the guide have been removed. The new example uses an MDB database.
(The error I was having during configuration was about another issue: a clean installation of FreeBSD, openldap-server and MDB works perfectly without `DB_CONFIG.example`.)
- Links have been updated about packages and ports. A link to this article is used, which seems very straightforward with respect to the corresponding handbook page.
- Parts about Certificates have all been revisited, being now more similar to the old Tom Rhodes text; with respect to the previous diff, they have been shrunk as much as possible, according to @remko's suggestions. A separate section, also as concise as possible, has been placed to provide basic information to the user as regards certificate creation.
Nov 18 2017
In general, we are getting better and better. Please keep up with that, it is much appreciated!
@remko Thank you for your suggestions.
This is a new diff, which is now based on the last revision of the chapter (50922). This even includes some final modifications I had made before uploading the diff in the bug report, where I had already fixed some typos/errors/bad phrases.
I followed all your advice, except two points:
Nov 17 2017
More updates :) please look into them and poke me whenever I can assist you :)
Nov 13 2017
When running head at r325049, my home firewall would often hit an LOR in iflib_timer() when it jumped to the hung label. This happened twice a day.
Oct 31 2017
I think you'll get a lot less pushback if you serialize the multicast stuff in the stack, rather than the driver framework. This will allow you to put warnings / asserts into all the ioctl entry points above the drivers, so as to lock in the "you can't hold a lock while calling into a driver" rule.
OK, let me take a look at creating some in-kernel interface for this.
I think an interface like mjg described is the best approach.
I don't know if I understand. jexec uses exactly the same syscall, jail_attach to achieve the same effect. Putting ifconfig and route inside a jail allows even more actions to be taken by the in-jail admin.
Also, there is no obvious other way to achieve this with current API.
I see two other options: additional API to manage jails and vnet without attaching process to the jail, or finding a way to avoid duplicated interface names but adding some sort of unique id(?).
jail_attach() is not the correct approach, because it makes the actions of the administrator on the host visible within the jail.
../dev/usb/usb_util.c:usb_pause_mtx(struct mtx *mtx, int timo)
Oct 29 2017
Guys, since there was a discussion over how the patch does what it does, can I get one more approval before I commit this, Just In Case™?