Re: svn commit: r260394 - in head/sys: dev/firewire net
On 07.01.2014 19:59, Alexander V. Chernikov wrote: Author: melifaro Date: Tue Jan 7 15:59:33 2014 New Revision: 260394 URL: http://svnweb.freebsd.org/changeset/base/260394 Log: Teach every SIOCGIFSTATUS provider to fill in ifs-ascii anyway. Remove old bits of data concat for 'ascii' field. Remove special SIOCGIFSTATUS handling from if.c (which Coverity yells at). Reported by:Coverity Coverity CID: 1147174 Actually this is CID 1017861. MFC after: 2 weeks Modified: head/sys/dev/firewire/if_fwe.c head/sys/net/if.c head/sys/net/if_tap.c head/sys/net/if_tun.c Modified: head/sys/dev/firewire/if_fwe.c == --- head/sys/dev/firewire/if_fwe.cTue Jan 7 14:03:42 2014 (r260393) +++ head/sys/dev/firewire/if_fwe.cTue Jan 7 15:59:33 2014 (r260394) @@ -403,7 +403,7 @@ fwe_ioctl(struct ifnet *ifp, u_long cmd, { struct fwe_softc *fwe = ((struct fwe_eth_softc *)ifp-if_softc)-fwe; struct ifstat *ifs = NULL; - int s, error, len; + int s, error; switch (cmd) { case SIOCSIFFLAGS: @@ -434,12 +434,8 @@ fwe_ioctl(struct ifnet *ifp, u_long cmd, case SIOCGIFSTATUS: s = splimp(); ifs = (struct ifstat *)data; - len = strlen(ifs-ascii); - if (len sizeof(ifs-ascii)) - snprintf(ifs-ascii + len, - sizeof(ifs-ascii) - len, - \tch %d dma %d\n, - fwe-stream_ch, fwe-dma_ch); + snprintf(ifs-ascii, sizeof(ifs-ascii), + \tch %d dma %d\n, fwe-stream_ch, fwe-dma_ch); splx(s); break; case SIOCSIFCAP: Modified: head/sys/net/if.c == --- head/sys/net/if.c Tue Jan 7 14:03:42 2014(r260393) +++ head/sys/net/if.c Tue Jan 7 15:59:33 2014(r260394) @@ -2088,7 +2088,6 @@ static int ifhwioctl(u_long cmd, struct ifnet *ifp, caddr_t data, struct thread *td) { struct ifreq *ifr; - struct ifstat *ifs; int error = 0; int new_flags, temp_flags; size_t namelen, onamelen; 
@@ -2425,9 +2424,6 @@ ifhwioctl(u_long cmd, struct ifnet *ifp, break; case SIOCGIFSTATUS: - ifs = (struct ifstat *)data; - ifs-ascii[0] = '\0'; - case SIOCGIFPSRCADDR: case SIOCGIFPDSTADDR: case SIOCGIFMEDIA: Modified: head/sys/net/if_tap.c == --- head/sys/net/if_tap.c Tue Jan 7 14:03:42 2014(r260393) +++ head/sys/net/if_tap.c Tue Jan 7 15:59:33 2014(r260394) @@ -636,12 +636,12 @@ tapifioctl(struct ifnet *ifp, u_long cmd case SIOCGIFSTATUS: ifs = (struct ifstat *)data; - dummy = strlen(ifs-ascii); mtx_lock(tp-tap_mtx); - if (tp-tap_pid != 0 dummy sizeof(ifs-ascii)) - snprintf(ifs-ascii + dummy, - sizeof(ifs-ascii) - dummy, + if (tp-tap_pid != 0) + snprintf(ifs-ascii, sizeof(ifs-ascii), \tOpened by PID %d\n, tp-tap_pid); + else + ifs-ascii[0] = '\0'; mtx_unlock(tp-tap_mtx); break; Modified: head/sys/net/if_tun.c == --- head/sys/net/if_tun.c Tue Jan 7 14:03:42 2014(r260393) +++ head/sys/net/if_tun.c Tue Jan 7 15:59:33 2014(r260394) @@ -546,8 +546,10 @@ tunifioctl(struct ifnet *ifp, u_long cmd ifs = (struct ifstat *)data; mtx_lock(tp-tun_mtx); if (tp-tun_pid) - sprintf(ifs-ascii + strlen(ifs-ascii), + snprintf(ifs-ascii, sizeof(ifs-ascii), \tOpened by PID %d\n, tp-tun_pid); + else + ifs-ascii[0] = '\0'; mtx_unlock(tp-tun_mtx); break; case SIOCSIFADDR: ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
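Review bot: Removing the `ifs->ascii[0] = '\0';` default from the SIOCGIFSTATUS case in ifhwioctl leaves the buffer exactly as the caller supplied it unless the driver's handler writes it. This commit updates only if_fwe, if_tap and if_tun. A driver that returns success for SIOCGIFSTATUS without touching `ifs->ascii` (none is visible from these hunks, and one could be out of tree) would hand back a stale or unterminated string to a consumer that presumably prints it as a C string. Either confirm no such provider exists, or record the new contract at this case label, e.g. `/* if_ioctl handlers must fill and NUL-terminate ifs->ascii themselves */`. The switch continues outside the hunk.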
svn commit: r260398 - head/sys/net
Author: melifaro Date: Tue Jan 7 19:00:40 2014 New Revision: 260398 URL: http://svnweb.freebsd.org/changeset/base/260398 Log: Remove dead code. Reported by: Coverity Coverity CID: 1018057 MFC after:2 weeks Modified: head/sys/net/if.c Modified: head/sys/net/if.c == --- head/sys/net/if.c Tue Jan 7 18:53:14 2014(r260397) +++ head/sys/net/if.c Tue Jan 7 19:00:40 2014(r260398) @@ -283,8 +283,6 @@ retry: } /* Catch if_index overflow. */ - if (idx 1) - return (ENOSPC); if (idx = V_if_indexlim) { if_grow(); goto retry; ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r260379 - head/sys/net
Author: melifaro Date: Mon Jan 6 22:36:20 2014 New Revision: 260379 URL: http://svnweb.freebsd.org/changeset/base/260379 Log: Partially fix IPv4 interface routes deletion in RADIX_MPATH. Noticed by: Nikolay Denev ndenev at gmail.com MFC after:1 month Modified: head/sys/net/radix_mpath.c head/sys/net/route.c Modified: head/sys/net/radix_mpath.c == --- head/sys/net/radix_mpath.c Mon Jan 6 19:14:46 2014(r260378) +++ head/sys/net/radix_mpath.c Mon Jan 6 22:36:20 2014(r260379) @@ -112,11 +112,16 @@ rt_mpath_matchgate(struct rtentry *rt, s if (rt-rt_gateway-sa_family == AF_LINK) { if (!memcmp(rt-rt_ifa-ifa_addr, gate, gate-sa_len)) break; - } else { - if (rt-rt_gateway-sa_len == gate-sa_len - !memcmp(rt-rt_gateway, gate, gate-sa_len)) - break; } + + /* +* Check for other options: +* 1) Routes with 'real' IPv4/IPv6 gateway +* 2) Loopback host routes (another AF_LINK/sockadd_dl check) +* */ + if (rt-rt_gateway-sa_len == gate-sa_len + !memcmp(rt-rt_gateway, gate, gate-sa_len)) + break; } while ((rn = rn_mpath_next(rn)) != NULL); return (struct rtentry *)rn; Modified: head/sys/net/route.c == --- head/sys/net/route.cMon Jan 6 19:14:46 2014(r260378) +++ head/sys/net/route.cMon Jan 6 22:36:20 2014(r260379) @@ -1547,10 +1547,10 @@ rtinit1(struct ifaddr *ifa, int cmd, int /* this table doesn't exist but others might */ continue; RADIX_NODE_HEAD_RLOCK(rnh); + rn = rnh-rnh_lookup(dst, netmask, rnh); #ifdef RADIX_MPATH if (rn_mpath_capable(rnh)) { - rn = rnh-rnh_matchaddr(dst, rnh); if (rn == NULL) error = ESRCH; else { @@ -1564,13 +1564,11 @@ rtinit1(struct ifaddr *ifa, int cmd, int */ rt = rt_mpath_matchgate(rt, ifa-ifa_addr); - if (!rt) + if (rt == NULL) error = ESRCH; } } - else #endif - rn = rnh-rnh_lookup(dst, netmask, rnh); error = (rn == NULL || (rn-rn_flags RNF_ROOT) || RNTORT(rn)-rt_ifa != ifa); ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
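Review bot: The AF_LINK branch kept at the top of this loop in rt_mpath_matchgate still calls `memcmp(rt->rt_ifa->ifa_addr, gate, gate->sa_len)` without comparing the two `sa_len` fields first. The test this hunk makes unconditional does check `rt->rt_gateway->sa_len == gate->sa_len` before its memcmp. If `ifa_addr` can be shorter than `gate`, the first comparison reads past it; adding `rt->rt_ifa->ifa_addr->sa_len == gate->sa_len &&` would make the two tests consistent. The new comment also has `sockadd_dl` where `sockaddr_dl` is meant and closes with a stray `* */`. The loop starts outside the hunk.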
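Review bot: In rtinit1 the `error = ESRCH` set when `rt_mpath_matchgate()` returns NULL is overwritten by the unconditional `error = (rn == NULL || ...)` on the last line of the second route.c hunk, so under RADIX_MPATH a gateway mismatch does not by itself fail the lookup. `rn` is also never updated from the `rt` that matchgate selected, so the final test still inspects the first entry returned by `rnh_lookup`. If a mismatch is meant to count as not found, guard the last assignment with `if (error == 0)` and set `rn = (struct radix_node *)rt;` when matchgate succeeds. The code after the hunk is not visible, so confirm how `rt` and `error` are consumed there.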
svn commit: r260295 - head/sys/net
Author: melifaro Date: Sat Jan 4 22:25:26 2014 New Revision: 260295 URL: http://svnweb.freebsd.org/changeset/base/260295 Log: Change semantics for rnh_lookup() function: now it performs exact match search, regardless of netmask existance. This simplifies most of rnh_lookup() consumers. Fix panic triggered by deleting non-existent host route. PR: kern/185092 Submitted by: Nikolay Denev ndenev at gmail.com MFC after:1 month Modified: head/sys/net/radix.c head/sys/net/radix.h head/sys/net/radix_mpath.c head/sys/net/route.c head/sys/net/rtsock.c Modified: head/sys/net/radix.c == --- head/sys/net/radix.cSat Jan 4 22:14:59 2014(r260294) +++ head/sys/net/radix.cSat Jan 4 22:25:26 2014(r260295) @@ -208,24 +208,50 @@ rn_refines(void *m_arg, void *n_arg) return (!masks_are_equal); } +/* + * Search for exact match in given @head. + * Assume host bits are cleared in @v_arg if @m_arg is not NULL + * Note that prefixes with /32 or /128 masks are treated differently + * from host routes. + */ struct radix_node * rn_lookup(void *v_arg, void *m_arg, struct radix_node_head *head) { struct radix_node *x; - caddr_t netmask = 0; + caddr_t netmask; - if (m_arg) { + if (m_arg != NULL) { + /* +* Most common case: search exact prefix/mask +*/ x = rn_addmask(m_arg, head-rnh_masks, 1, head-rnh_treetop-rn_offset); - if (x == 0) - return (0); + if (x == NULL) + return (NULL); netmask = x-rn_key; - } - x = rn_match(v_arg, head); - if (x netmask) { - while (x x-rn_mask != netmask) + + x = rn_match(v_arg, head); + + while (x != NULL x-rn_mask != netmask) x = x-rn_dupedkey; + + return (x); } + + /* +* Search for host address. +*/ + if ((x = rn_match(v_arg, head)) == NULL) + return (NULL); + + /* Check if found key is the same */ + if (LEN(x-rn_key) != LEN(v_arg) || bcmp(x-rn_key, v_arg, LEN(v_arg))) + return (NULL); + + /* Check if this is not host route */ + if (x-rn_mask != NULL) + return (NULL); + return (x); } 
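Review bot: The mask branch of rn_lookup never compares the key: it takes whichever leaf `rn_match(v_arg, head)` returns and searches only that leaf's `rn_dupedkey` chain for `netmask`. The result is therefore an exact match only if the caller has already cleared the host bits, as the new header comment assumes. With host bits set, rn_match may land on a more specific leaf whose chain does not hold the requested prefix, and the lookup returns NULL although the prefix exists. rtsock.c is in the modified list but its hunks are not on this page, so it is worth confirming that keys arriving from userland are masked before they reach this function. Separately, `/* Check if this is not host route */` reads inverted for a test that rejects entries carrying a mask; `/* Entry has a mask, so it is a prefix, not a host route */` would match the code.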
@@ -247,6 +273,9 @@ rn_satisfies_leaf(char *trial, struct ra return (1); } +/* + * Search for longest-prefix match in given @head + */ struct radix_node * rn_match(void *v_arg, struct radix_node_head *head) { Modified: head/sys/net/radix.h == --- head/sys/net/radix.hSat Jan 4 22:14:59 2014(r260294) +++ head/sys/net/radix.hSat Jan 4 22:25:26 2014(r260295) @@ -112,9 +112,9 @@ struct radix_node_head { struct radix_node_head *head, struct radix_node nodes[]); struct radix_node *(*rnh_deladdr) /* remove based on sockaddr */ (void *v, void *mask, struct radix_node_head *head); - struct radix_node *(*rnh_matchaddr)/* locate based on sockaddr */ + struct radix_node *(*rnh_matchaddr)/* longest match for sockaddr */ (void *v, struct radix_node_head *head); - struct radix_node *(*rnh_lookup) /* locate based on sockaddr */ + struct radix_node *(*rnh_lookup) /*exact match for sockaddr*/ (void *v, void *mask, struct radix_node_head *head); int (*rnh_walktree) /* traverse tree */ (struct radix_node_head *head, walktree_f_t *f, void *w); Modified: head/sys/net/radix_mpath.c == --- head/sys/net/radix_mpath.c Sat Jan 4 22:14:59 2014(r260294) +++ head/sys/net/radix_mpath.c Sat Jan 4 22:25:26 2014(r260295) @@ -151,6 +151,7 @@ rt_mpath_deldup(struct rtentry *headrt, /* * check if we have the same key/mask/gateway on the table already. + * Assume @rt rt_key host bits are cleared according to @netmask */ int rt_mpath_conflict(struct radix_node_head *rnh, struct rtentry *rt, @@ -158,76 +159,13 @@ rt_mpath_conflict(struct radix_node_head { struct radix_node *rn, *rn1; struct rtentry *rt1; - char *p, *q, *eq; - int same, l, skip; rn = (struct radix_node *)rt; rn1 = rnh-rnh_lookup(rt_key(rt), netmask, rnh); if (!rn1 || rn1-rn_flags RNF_ROOT) - return 0; - - /* -* unlike other functions we have in this file, we have to check -* all key/mask/gateway as rnh_lookup can match less specific entry. -*/ - rt1 = (struct rtentry *)rn1; - - /* compare key. */ - if
svn commit: r260228 - head/sys/net
Author: melifaro Date: Fri Jan 3 14:33:25 2014 New Revision: 260228 URL: http://svnweb.freebsd.org/changeset/base/260228 Log: Remove useless register variable modifiers. Do some more style(9). MFC after:2 weeks Modified: head/sys/net/radix.c Modified: head/sys/net/radix.c == --- head/sys/net/radix.cFri Jan 3 14:30:24 2014(r260227) +++ head/sys/net/radix.cFri Jan 3 14:33:25 2014(r260228) @@ -148,12 +148,10 @@ static intrn_satisfies_leaf(char *trial * Search a node in the tree matching the key. */ static struct radix_node * -rn_search(v_arg, head) - void *v_arg; - struct radix_node *head; +rn_search(void *v_arg, struct radix_node *head) { - register struct radix_node *x; - register caddr_t v; + struct radix_node *x; + caddr_t v; for (x = head, v = v_arg; x-rn_bit = 0;) { if (x-rn_bmask v[x-rn_offset]) @@ -169,12 +167,10 @@ rn_search(v_arg, head) * XXX note this function is used only once. */ static struct radix_node * -rn_search_m(v_arg, head, m_arg) - struct radix_node *head; - void *v_arg, *m_arg; +rn_search_m(void *v_arg, struct radix_node *head, void *m_arg) { - register struct radix_node *x; - register caddr_t v = v_arg, m = m_arg; + struct radix_node *x; + caddr_t v = v_arg, m = m_arg; for (x = head; x-rn_bit = 0;) { if ((x-rn_bmask m[x-rn_offset]) @@ -183,15 +179,14 @@ rn_search_m(v_arg, head, m_arg) else x = x-rn_left; } - return x; + return (x); } int -rn_refines(m_arg, n_arg) - void *m_arg, *n_arg; +rn_refines(void *m_arg, void *n_arg) { - register caddr_t m = m_arg, n = n_arg; - register caddr_t lim, lim2 = lim = n + LEN(n); + caddr_t m = m_arg, n = n_arg; + caddr_t lim, lim2 = lim = n + LEN(n); int longer = LEN(n++) - LEN(m++); int masks_are_equal = 1; 
@@ -199,26 +194,24 @@ rn_refines(m_arg, n_arg) lim -= longer; while (n lim) { if (*n ~(*m)) - return 0; + return (0); if (*n++ != *m++) masks_are_equal = 0; } while (n lim2) if (*n++) - return 0; + return (0); if (masks_are_equal (longer 0)) for (lim2 = m - longer; m lim2; ) if (*m++) - return 1; + return (1); return (!masks_are_equal); } struct radix_node * -rn_lookup(v_arg, m_arg, head) - void *v_arg, *m_arg; - struct radix_node_head *head; +rn_lookup(void *v_arg, void *m_arg, struct radix_node_head *head) { - register struct radix_node *x; + struct radix_node *x; caddr_t netmask = 0; if (m_arg) { @@ -233,16 +226,13 @@ rn_lookup(v_arg, m_arg, head) while (x x-rn_mask != netmask) x = x-rn_dupedkey; } - return x; + return (x); } static int -rn_satisfies_leaf(trial, leaf, skip) - char *trial; - register struct radix_node *leaf; - int skip; +rn_satisfies_leaf(char *trial, struct radix_node *leaf, int skip) { - register char *cp = trial, *cp2 = leaf-rn_key, *cp3 = leaf-rn_mask; + char *cp = trial, *cp2 = leaf-rn_key, *cp3 = leaf-rn_mask; char *cplim; int length = min(LEN(cp), LEN(cp2)); @@ -253,22 +243,20 @@ rn_satisfies_leaf(trial, leaf, skip) cplim = cp + length; cp3 += skip; cp2 += skip; for (cp += skip; cp cplim; cp++, cp2++, cp3++) if ((*cp ^ *cp2) *cp3) - return 0; - return 1; + return (0); + return (1); } struct radix_node * -rn_match(v_arg, head) - void *v_arg; - struct radix_node_head *head; +rn_match(void *v_arg, struct radix_node_head *head) { caddr_t v = v_arg; - register struct radix_node *t = head-rnh_treetop, *x; - register caddr_t cp = v, cp2; + struct radix_node *t = head-rnh_treetop, *x; + caddr_t cp = v, cp2; caddr_t cplim; struct radix_node *saved_t, *top = t; int off = t-rn_offset, vlen = LEN(cp), matched_off; - register int test, b, rn_bit; + int test, b, rn_bit; /* * Open code rn_search(v, top) to avoid overhead of extra 
@@ -306,7 +294,7 @@ rn_match(v_arg, head) */ if (t-rn_flags RNF_ROOT) t = t-rn_dupedkey; - return t; + return (t); on1: test = (*cp ^ *cp2) 0xff; /* find first bit that differs */ for (b = 7; (test = 1) 0;) @@ -327,13 +315,13 @@ on1: */ if (t-rn_flags RNF_NORMAL) {
svn commit: r260247 - head/sys/netpfil/ipfw
Author: melifaro Date: Fri Jan 3 23:11:26 2014 New Revision: 260247 URL: http://svnweb.freebsd.org/changeset/base/260247 Log: Use rnh_matchaddr instead of rnh_lookup for longest-prefix match. rnh_lookup is effectively the same as rnh_matchaddr if called with empy network mask. MFC after:2 weeks Modified: head/sys/netpfil/ipfw/ip_fw_table.c Modified: head/sys/netpfil/ipfw/ip_fw_table.c == --- head/sys/netpfil/ipfw/ip_fw_table.c Fri Jan 3 22:56:23 2014 (r260246) +++ head/sys/netpfil/ipfw/ip_fw_table.c Fri Jan 3 23:11:26 2014 (r260247) @@ -542,7 +542,7 @@ ipfw_lookup_table(struct ip_fw_chain *ch return (0); KEY_LEN(sa) = KEY_LEN_INET; sa.sin_addr.s_addr = addr; - ent = (struct table_entry *)(rnh-rnh_lookup(sa, NULL, rnh)); + ent = (struct table_entry *)(rnh-rnh_matchaddr(sa, rnh)); if (ent != NULL) { *val = ent-value; return (1); @@ -568,7 +568,7 @@ ipfw_lookup_table_extended(struct ip_fw_ case IPFW_TABLE_CIDR: KEY_LEN(sa6) = KEY_LEN_INET6; memcpy(sa6.sin6_addr, paddr, sizeof(struct in6_addr)); - xent = (struct table_xentry *)(rnh-rnh_lookup(sa6, NULL, rnh)); + xent = (struct table_xentry *)(rnh-rnh_matchaddr(sa6, rnh)); break; case IPFW_TABLE_INTERFACE: @@ -576,7 +576,7 @@ ipfw_lookup_table_extended(struct ip_fw_ strlcpy(iface.ifname, (char *)paddr, IF_NAMESIZE) + 1; /* Assume direct match */ /* FIXME: Add interface pattern matching */ - xent = (struct table_xentry *)(rnh-rnh_lookup(iface, NULL, rnh)); + xent = (struct table_xentry *)(rnh-rnh_matchaddr(iface, rnh)); break; default: ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
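Review bot: In the IPFW_TABLE_INTERFACE case the key now passed to `rnh_matchaddr()` appears to take its length from the return value of `strlcpy(iface.ifname, (char *)paddr, IF_NAMESIZE)`, and strlcpy returns the length of the source string, not the number of bytes copied. If `paddr` is not guaranteed to be shorter than IF_NAMESIZE, the recorded key length would exceed what was written into `iface`, and the longest-prefix walk would compare bytes beyond the copied name. The statement begins above the hunk, so this is inferred from its visible tail and should be confirmed. Clamping the strlcpy result to `IF_NAMESIZE - 1` before the `+ 1` would bound it.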
svn commit: r260124 - head/usr.bin/netstat
Author: melifaro Date: Tue Dec 31 12:11:48 2013 New Revision: 260124 URL: http://svnweb.freebsd.org/changeset/base/260124 Log: Explicitly free rt_tables to please Coverity. Reported by: Coverity Coverity CID: 1147174 MFC after:2 weeks Modified: head/usr.bin/netstat/route.c Modified: head/usr.bin/netstat/route.c == --- head/usr.bin/netstat/route.cTue Dec 31 11:54:37 2013 (r260123) +++ head/usr.bin/netstat/route.cTue Dec 31 12:11:48 2013 (r260124) @@ -426,7 +426,7 @@ p_rtable_kvm(int fibnum, int af) if (kread((u_long)(rtree), (char *)(rt_tables) + fibnum * af_size, af_size) != 0) - return; + err(EX_OSERR, error retrieving radix pointers); for (fam = 0; fam = AF_MAX; fam++) { int tmpfib; @@ -462,6 +462,8 @@ p_rtable_kvm(int fibnum, int af) p_rtree_kvm(head.rnh_treetop); } } + + free(rt_tables); } /* ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r259645 - head/usr.bin/netstat
Author: melifaro Date: Fri Dec 20 12:08:36 2013 New Revision: 259645 URL: http://svnweb.freebsd.org/changeset/base/259645 Log: Further split kvm(3) and sysctl interfaces for route table printing. MFC after:4 weeks Sponsored by: Yandex LLC Modified: head/usr.bin/netstat/route.c Modified: head/usr.bin/netstat/route.c == --- head/usr.bin/netstat/route.cFri Dec 20 10:57:47 2013 (r259644) +++ head/usr.bin/netstat/route.cFri Dec 20 12:08:36 2013 (r259645) @@ -139,7 +139,6 @@ int do_rtent = 0; struct rtentry rtentry; struct radix_node rnode; struct radix_mask rmask; -struct radix_node_head **rt_tables; intNewTree = 1; @@ -149,16 +148,17 @@ static struct sockaddr *kgetsa(struct so static void size_cols(int ef, struct radix_node *rn); static void size_cols_tree(struct radix_node *rn); static void size_cols_rtentry(struct rtentry *rt); -static void p_tree(struct radix_node *); -static void p_rtnode(void); -static void ntreestuff(int fibnum, int af); -static void np_rtentry(struct rt_msghdr *); +static void p_rtnode_kvm(void); +static void p_rtable_sysctl(int, int); +static void p_rtable_kvm(int, int ); +static void p_rtree_kvm(struct radix_node *); +static void p_rtentry_sysctl(struct rt_msghdr *); static void p_sockaddr(struct sockaddr *, struct sockaddr *, int, int); static const char *fmt_sockaddr(struct sockaddr *sa, struct sockaddr *mask, int flags); static void p_flags(int, const char *); static const char *fmt_flags(int f); -static void p_rtentry(struct rtentry *); +static void p_rtentry_kvm(struct rtentry *); static void domask(char *, in_addr_t, u_long); /* @@ -167,10 +167,8 @@ static void domask(char *, in_addr_t, u_ void routepr(int fibnum, int af) { - struct radix_node_head **rnhp, *rnh, head; - u_long rtree; size_t intsize; - int fam, numfibs; + int numfibs; intsize = sizeof(int); if (fibnum == -1 
@@ -194,60 +192,12 @@ routepr(int fibnum, int af) printf(\n); if (Aflag == 0 live != 0 NewTree) - ntreestuff(fibnum, af); - else { - kresolve_list(rl); - if ((rtree = rl[N_RTREE].n_value) == 0) { - printf(rt_tables: symbol not in namelist\n); - return; - } - - rt_tables = calloc(numfibs * (AF_MAX + 1), - sizeof(struct radix_node_head *)); - if (rt_tables == NULL) - err(EX_OSERR, memory allocation failed); - - if (kread((u_long)(rtree), (char *)(rt_tables), (numfibs * - (AF_MAX+1) * sizeof(struct radix_node_head *))) != 0) - return; - for (fam = 0; fam = AF_MAX; fam++) { - int tmpfib; - - switch (fam) { - case AF_INET6: - case AF_INET: - tmpfib = fibnum; - break; - default: - tmpfib = 0; - } - rnhp = (struct radix_node_head **)*rt_tables; - /* Calculate the in-kernel address. */ - rnhp += tmpfib * (AF_MAX+1) + fam; - /* Read the in kernel rhn pointer. */ - if (kget(rnhp, rnh) != 0) - continue; - if (rnh == NULL) - continue; - /* Read the rnh data. */ - if (kget(rnh, head) != 0) - continue; - if (fam == AF_UNSPEC) { - if (Aflag af == 0) { - printf(Netmasks:\n); - p_tree(head.rnh_treetop); - } - } else if (af == AF_UNSPEC || af == fam) { - size_cols(fam, head.rnh_treetop); - pr_family(fam); - do_rtent = 1; - pr_rthdr(fam); - p_tree(head.rnh_treetop); - } - } - } + p_rtable_sysctl(fibnum, af); + else + p_rtable_kvm(fibnum, af); } + /* * Print address family header before a section of the routing table. */ @@ -451,8 +401,75 @@ kgetsa(struct sockaddr *dst) return (pt_u.u_sa); } +/* + * Print kernel routing tables for given fib + * using debugging kvm(3) interface. + */ +static void +p_rtable_kvm(int fibnum, int af) +{ + struct radix_node_head **rnhp, *rnh, head; + struct radix_node_head **rt_tables; + u_long rtree; + int fam, af_size;
svn commit: r259638 - head/usr.bin/netstat
Author: melifaro Date: Fri Dec 20 00:17:26 2013 New Revision: 259638 URL: http://svnweb.freebsd.org/changeset/base/259638 Log: Use more fine-grained kvm(3) symbol lookup: routing code retrieves only necessary symbols needed per subsystem. Main kvm(3) init is now delayed as much as possbile. This finally fixes performance issues reported in kern/167204. Some non-working code (ng_socket.ko symbol addresses calculation) removed. Some global variables eliminated. PR: kern/167204 MFC after:4 weeks Modified: head/usr.bin/netstat/if.c head/usr.bin/netstat/main.c head/usr.bin/netstat/mroute.c head/usr.bin/netstat/mroute6.c head/usr.bin/netstat/netgraph.c head/usr.bin/netstat/netstat.h head/usr.bin/netstat/route.c Modified: head/usr.bin/netstat/if.c == --- head/usr.bin/netstat/if.c Fri Dec 20 00:09:14 2013(r259637) +++ head/usr.bin/netstat/if.c Fri Dec 20 00:17:26 2013(r259638) @@ -223,7 +223,7 @@ next_ifma(struct ifmaddrs *ifma, const c * Print a description of the network interfaces. */ void -intpr(int interval, void (*pfunc)(char *)) +intpr(int interval, void (*pfunc)(char *), int af) { struct ifaddrs *ifap, *ifa; struct ifmaddrs *ifmap, *ifma; Modified: head/usr.bin/netstat/main.c == --- head/usr.bin/netstat/main.c Fri Dec 20 00:09:14 2013(r259637) +++ head/usr.bin/netstat/main.c Fri Dec 20 00:17:26 2013(r259638) @@ -319,7 +319,6 @@ int gflag; /* show group (multicast) ro inthflag; /* show counters in human readable format */ intiflag; /* show interfaces */ intLflag; /* show size of listen queues */ -intMflag; /* read statistics from core */ intmflag; /* show memory stats */ intnoutputs = 0; /* how much outputs before we exit */ intnumeric_addr; /* show addresses numerically */ @@ -425,7 +424,6 @@ main(int argc, char *argv[]) Lflag = 1; break; case 'M': - Mflag = 1; memf = optarg; break; case 'm': 
@@ -554,40 +552,40 @@ main(int argc, char *argv[]) * used for the queries, which is slower. */ #endif - kread(0, NULL, 0); if (iflag !sflag) { - intpr(interval, NULL); + intpr(interval, NULL, af); exit(0); } if (rflag) { if (sflag) - rt_stats(nl[N_RTSTAT].n_value, nl[N_RTTRASH].n_value); + rt_stats(); else - routepr(nl[N_RTREE].n_value, fib); + routepr(fib, af); exit(0); } + if (gflag) { if (sflag) { if (af == AF_INET || af == AF_UNSPEC) - mrt_stats(nl[N_MRTSTAT].n_value); + mrt_stats(); #ifdef INET6 if (af == AF_INET6 || af == AF_UNSPEC) - mrt6_stats(nl[N_MRT6STAT].n_value); + mrt6_stats(); #endif } else { if (af == AF_INET || af == AF_UNSPEC) - mroutepr(nl[N_MFCHASHTBL].n_value, -nl[N_MFCTABLESIZE].n_value, -nl[N_VIFTABLE].n_value); + mroutepr(); #ifdef INET6 if (af == AF_INET6 || af == AF_UNSPEC) - mroute6pr(nl[N_MF6CTABLE].n_value, - nl[N_MIF6TABLE].n_value); + mroute6pr(); #endif } exit(0); } + /* Load all necessary kvm symbols */ + kresolve_list(nl); + if (tp) { printproto(tp, tp-pr_name); exit(0); @@ -640,7 +638,7 @@ printproto(struct protox *tp, const char if (sflag) { if (iflag) { if (tp-pr_istats) - intpr(interval, tp-pr_istats); + intpr(interval, tp-pr_istats, af); else if (pflag) printf(%s: no per-interface stats routine\n, tp-pr_name); @@ -703,7 +701,23 @@ kvmd_init(void) return (-1); } - if (kvm_nlist(kvmd, nl) 0) { + return (0); +} + +/* + * Resolve symbol list, return 0 on success. + */ +int +kresolve_list(struct nlist *_nl) +{ + + if ((kvmd == NULL) (kvmd_init() != 0)) + return (-1); + + if (_nl[0].n_type != 0) +
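Review bot: The new `kresolve_list(nl);` call in main() discards its result, although the function added in the last main.c hunk is documented as "return 0 on success" and returns -1 when `kvmd_init()` fails. Code after this point that reads entries of `nl` would then presumably run with unresolved symbols. If continuing is deliberate (for example because live systems fall back to sysctl), extend the comment to say so, e.g. `/* Load all necessary kvm symbols; failure is tolerated, callers check n_value */`. Otherwise test the result with `if (kresolve_list(nl) != 0)` and bail out. main() continues outside the hunk.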
svn commit: r259562 - head/usr.bin/netstat
Author: melifaro Date: Wed Dec 18 18:25:27 2013 New Revision: 259562 URL: http://svnweb.freebsd.org/changeset/base/259562 Log: Switch netstat -rn to use standard API for retrieving list of routes instead of peeking inside in-kernel radix via kget. This permits us to change kernel structures without breaking userland. Additionally, this change provide more reliable and faster output. `Refs` and `Use` fields available in IPv4 by default (and via -W for other families) were removed. `Refs` is radix-specific thing which is not informative for users. `Use` field value is handy sometimes, but a) current API does not support it and b) I'm not sure we will support per-rte pcpu counters in near future. Old method of retrieving data is still supported (either by defining NewTree=0 or running netstat with -A). However, Refs/Use fields are hidden. Sponsored by: Yandex LLC MFC after:4 weeks PR: kern/167204 Modified: head/usr.bin/netstat/route.c Modified: head/usr.bin/netstat/route.c == --- head/usr.bin/netstat/route.cWed Dec 18 17:03:43 2013 (r259561) +++ head/usr.bin/netstat/route.cWed Dec 18 18:25:27 2013 (r259562) @@ -58,6 +58,7 @@ __FBSDID($FreeBSD$); #include sys/sysctl.h #include arpa/inet.h +#include ifaddrs.h #include libutil.h #include netdb.h #include stdint.h @@ -113,13 +114,20 @@ typedef union { static sa_u pt_u; +struct ifmap_entry { + char ifname[IFNAMSIZ]; +}; + +static struct ifmap_entry *ifmap; +static int ifmap_size; + intdo_rtent = 0; struct rtentry rtentry; struct radix_node rnode; struct radix_mask rmask; struct radix_node_head **rt_tables; -intNewTree = 0; +intNewTree = 1; struct timespec uptime; 
@@ -129,7 +137,7 @@ static void size_cols_tree(struct radix_ static void size_cols_rtentry(struct rtentry *rt); static void p_tree(struct radix_node *); static void p_rtnode(void); -static void ntreestuff(void); +static void ntreestuff(int fibnum, int af); static void np_rtentry(struct rt_msghdr *); static void p_sockaddr(struct sockaddr *, struct sockaddr *, int, int); static const char *fmt_sockaddr(struct sockaddr *sa, struct sockaddr *mask, @@ -175,7 +183,7 @@ routepr(u_long rtree, int fibnum) printf(\n); if (Aflag == 0 NewTree) - ntreestuff(); + ntreestuff(fibnum, af); else { if (rtree == 0) { printf(rt_tables: symbol not in namelist\n); @@ -288,7 +296,7 @@ static int wid_if; static int wid_expire; static void -size_cols(int ef __unused, struct radix_node *rn) +size_cols(int ef, struct radix_node *rn) { wid_dst = WID_DST_DEFAULT(ef); wid_gw = WID_GW_DEFAULT(ef); @@ -299,7 +307,7 @@ size_cols(int ef __unused, struct radix_ wid_if = WID_IF_DEFAULT(ef); wid_expire = 6; - if (Wflag) + if (Wflag rn != NULL) size_cols_tree(rn); } @@ -397,27 +405,14 @@ pr_rthdr(int af1) if (Aflag) printf(%-8.8s ,Address); - if (af1 == AF_INET || Wflag) { - if (Wflag) { - printf(%-*.*s %-*.*s %-*.*s %*.*s %*.*s %*.*s %*.*s %*s\n, - wid_dst,wid_dst,Destination, - wid_gw, wid_gw, Gateway, - wid_flags, wid_flags, Flags, - wid_refs, wid_refs, Refs, - wid_use,wid_use,Use, - wid_mtu,wid_mtu,Mtu, - wid_if, wid_if, Netif, - wid_expire, Expire); - } else { - printf(%-*.*s %-*.*s %-*.*s %*.*s %*.*s %*.*s %*s\n, - wid_dst,wid_dst,Destination, - wid_gw, wid_gw, Gateway, - wid_flags, wid_flags, Flags, - wid_refs, wid_refs, Refs, - wid_use,wid_use,Use, - wid_if, wid_if, Netif, - wid_expire, Expire); - } + if (Wflag) { + printf(%-*.*s %-*.*s %-*.*s %*.*s %*.*s %*s\n, + wid_dst,wid_dst,Destination, + wid_gw, wid_gw, Gateway, + wid_flags, wid_flags, Flags, + wid_mtu,wid_mtu,Mtu, + wid_if, wid_if, Netif, + wid_expire, Expire); } else {
svn commit: r259566 - head/usr.bin/netstat
Author: melifaro Date: Wed Dec 18 20:04:04 2013 New Revision: 259566 URL: http://svnweb.freebsd.org/changeset/base/259566 Log: Restore corefiles handling via kvm(3). Found by: John-Mark Gurney jmg at funkthat.com MFC after:4 weeks Modified: head/usr.bin/netstat/main.c head/usr.bin/netstat/netstat.h head/usr.bin/netstat/route.c Modified: head/usr.bin/netstat/main.c == --- head/usr.bin/netstat/main.c Wed Dec 18 19:25:40 2013(r259565) +++ head/usr.bin/netstat/main.c Wed Dec 18 20:04:04 2013(r259566) @@ -319,6 +319,7 @@ int gflag; /* show group (multicast) ro inthflag; /* show counters in human readable format */ intiflag; /* show interfaces */ intLflag; /* show size of listen queues */ +intMflag; /* read statistics from core */ intmflag; /* show memory stats */ intnoutputs = 0; /* how much outputs before we exit */ intnumeric_addr; /* show addresses numerically */ @@ -424,6 +425,7 @@ main(int argc, char *argv[]) Lflag = 1; break; case 'M': + Mflag = 1; memf = optarg; break; case 'm': Modified: head/usr.bin/netstat/netstat.h == --- head/usr.bin/netstat/netstat.h Wed Dec 18 19:25:40 2013 (r259565) +++ head/usr.bin/netstat/netstat.h Wed Dec 18 20:04:04 2013 (r259566) @@ -40,6 +40,7 @@ extern intgflag; /* show group (multica extern int hflag; /* show counters in human readable format */ extern int iflag; /* show interfaces */ extern int Lflag; /* show size of listen queues */ +extern int Mflag; /* read statistics from core */ extern int mflag; /* show memory stats */ extern int noutputs; /* how much outputs before we exit */ extern int numeric_addr; /* show addresses numerically */ Modified: head/usr.bin/netstat/route.c == --- head/usr.bin/netstat/route.cWed Dec 18 19:25:40 2013 (r259565) +++ head/usr.bin/netstat/route.cWed Dec 18 20:04:04 2013 (r259566) 
@@ -182,7 +182,7 @@ routepr(u_long rtree, int fibnum) printf( (fib: %d), fibnum); printf(\n); - if (Aflag == 0 NewTree) + if (Aflag == 0 Mflag == 0 NewTree) ntreestuff(fibnum, af); else { if (rtree == 0) { ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
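Review bot: The condition `Aflag == 0 && Mflag == 0 && NewTree` sends only `-M` runs back to the kvm path. An invocation that names a kernel image with `-N` but gives no core file would still take the sysctl path and print the running system's routes. If that combination should also read through kvm(3), the test needs to cover it, ideally through a single "is this the live system" flag rather than one flag per option. A short comment on the condition stating which options force the kvm path would help either way. routepr() continues outside the hunk.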
Re: svn commit: r259562 - head/usr.bin/netstat
On 18.12.2013 22:45, John-Mark Gurney wrote: Alexander V. Chernikov wrote this message on Wed, Dec 18, 2013 at 18:25 +: Author: melifaro Date: Wed Dec 18 18:25:27 2013 New Revision: 259562 URL: http://svnweb.freebsd.org/changeset/base/259562 Log: Switch netstat -rn to use standard API for retrieving list of routes instead of peeking inside in-kernel radix via kget. This permits us to change kernel structures without breaking userland. Additionally, this change provide more reliable and faster output. `Refs` and `Use` fields available in IPv4 by default (and via -W for other families) were removed. `Refs` is radix-specific thing which is not informative for users. `Use` field value is handy sometimes, but a) current API does not support it and b) I'm not sure we will support per-rte pcpu counters in near future. Old method of retrieving data is still supported (either by defining NewTree=0 or running netstat with -A). However, Refs/Use fields are hidden. Sponsored by: Yandex LLC MFC after: 4 weeks PR:kern/167204 How will this impact the use of netstat -rn -M vmcore -N kernel ? Will this change make it not usable, or will you still automatically use Well. It will probably break in (maybe, near) future. it when they are specified? However, it should work now (fixed in r259566). ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r259568 - in head: sbin/ipfw sys/netpfil/ipfw
Author: melifaro Date: Wed Dec 18 20:17:05 2013 New Revision: 259568 URL: http://svnweb.freebsd.org/changeset/base/259568 Log: Add net.inet.ip.fw.dyn_keep_states sysctl which re-links dynamic states to default rule instead of flushing on rule deletion. This can be useful while performing ruleset reload (think about `atomic` reload via changing sets). Currently it is turned off by default. MFC after:2 weeks Sponsored by: Yandex LLC Modified: head/sbin/ipfw/ipfw.8 head/sys/netpfil/ipfw/ip_fw_dynamic.c Modified: head/sbin/ipfw/ipfw.8 == --- head/sbin/ipfw/ipfw.8 Wed Dec 18 20:11:01 2013(r259567) +++ head/sbin/ipfw/ipfw.8 Wed Dec 18 20:17:05 2013(r259568) @@ -2933,6 +2933,11 @@ and must be strictly lower than 5 seconds, the period of repetition of keepalives. The firewall enforces that. +.It Va net.inet.ip.fw.dyn_keep_states: No 0 +Keep dynamic states on rule/set deletion. +States are relinked to default rule (65535). +This can be handly for ruleset reload. +Turned off by default. .It Va net.inet.ip.fw.enable : No 1 Enables the firewall. Setting this variable to 0 lets you run your machine without Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c == --- head/sys/netpfil/ipfw/ip_fw_dynamic.c Wed Dec 18 20:11:01 2013 (r259567) +++ head/sys/netpfil/ipfw/ip_fw_dynamic.c Wed Dec 18 20:17:05 2013 (r259568) @@ -106,7 +106,8 @@ __FBSDID($FreeBSD$); * * Each dynamic rule holds a pointer to the parent ipfw rule so * we know what action to perform. Dynamic rules are removed when - * the parent rule is deleted. XXX we should make them survive. + * the parent rule is deleted. This can be changed by dyn_keep_states + * sysctl. * * There are some limitations with dynamic rules -- we do not * obey the 'randomized match', and we do not do multiple 
@@ -141,6 +142,10 @@ static VNET_DEFINE(uma_zone_t, ipfw_dyn_ #defineIPFW_BUCK_UNLOCK(i) mtx_unlock(V_ipfw_dyn_v[(i)].mtx) #defineIPFW_BUCK_ASSERT(i) mtx_assert(V_ipfw_dyn_v[(i)].mtx, MA_OWNED) + +static VNET_DEFINE(int, dyn_keep_states); +#defineV_dyn_keep_states VNET(dyn_keep_states) + /* * Timeouts for various events in handing dynamic rules. */ @@ -234,6 +239,9 @@ SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AU SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_keepalive, CTLFLAG_RW, VNET_NAME(dyn_keepalive), 0, Enable keepalives for dyn. rules); +SYSCTL_VNET_UINT(_net_inet_ip_fw, OID_AUTO, dyn_keep_states, +CTLFLAG_RW, VNET_NAME(dyn_keep_states), 0, +Do not flush dynamic states on rule deletion); SYSEND @@ -307,6 +315,7 @@ print_dyn_rule_flags(struct ipfw_flow_id print_dyn_rule_flags(id, dtype, LOG_DEBUG, prefix, postfix) #define TIME_LEQ(a,b) ((int)((a)-(b)) = 0) +#define TIME_LE(a,b) ((int)((a)-(b)) 0) /* * Lookup a dynamic rule, locked version. @@ -1100,6 +1109,20 @@ check_dyn_rules(struct ip_fw_chain *chai if ((TIME_LEQ(q-expire, time_uptime)) || ((rule != NULL) (q-rule == rule)) || ((set != RESVD_SET) (q-rule-set == set))) { + if (TIME_LE(time_uptime, q-expire) + q-dyn_type == O_KEEP_STATE + V_dyn_keep_states != 0) { + /* +* Do not delete state if +* it is not expired and +* dyn_keep_states is ON. +* However we need to re-link it +* to any other stable rule +*/ + q-rule = chain-default_rule; + NEXT_RULE(); + } + /* Unlink q from current list */ q_next = q-next; if (q == V_ipfw_dyn_v[i].head) ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
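Review bot: `dyn_keep_states` is declared as `static VNET_DEFINE(int, dyn_keep_states);` but exported through `SYSCTL_VNET_UINT`, so the variable's type and the sysctl's type disagree. Declaring it unsigned, `static VNET_DEFINE(u_int32_t, dyn_keep_states);`, or registering it with the signed macro, would make the two consistent. The declarations of the neighbouring `dyn_*` knobs are outside these hunks, so match whichever type they use.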
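Review bot: In the block added to check_dyn_rules(), a kept state is re-pointed with `q->rule = chain->default_rule;`, and the file's header comment says the parent rule pointer decides the action. From then on the flow therefore gets the default rule's action rather than the deleted rule's. With a default-accept rule 65535, deleting a rule no longer cuts off flows it had already admitted; with default-deny the "kept" flows are dropped instead. Neither the new comment nor the ipfw.8 text says this, so I would add `* NOTE: relinked states inherit the default rule's action and stay until they expire.` and the same caveat in the manual page. `TIME_LE` is also easy to misread next to `TIME_LEQ`, since it is used for "not yet expired"; `TIME_LT` would be clearer. The function continues outside the hunk.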
svn commit: r259528 - head/sys/net
Author: melifaro Date: Tue Dec 17 22:16:27 2013 New Revision: 259528 URL: http://svnweb.freebsd.org/changeset/base/259528 Log: Simplify contiguous mask checking. Suggested by: glebius MFC after:2 weeks Modified: head/sys/net/radix.c Modified: head/sys/net/radix.c == --- head/sys/net/radix.cTue Dec 17 21:41:23 2013(r259527) +++ head/sys/net/radix.cTue Dec 17 22:16:27 2013(r259528) @@ -484,13 +484,13 @@ on1: struct radix_node * rn_addmask(void *n_arg, struct radix_node_head *maskhead, int search, int skip) { - caddr_t netmask = (caddr_t)n_arg; - register struct radix_node *x; - register caddr_t cp, cplim; - register int b = 0, mlen, j; + unsigned char *netmask = n_arg; + unsigned char *cp, *cplim; + struct radix_node *x; + int b = 0, mlen, j; int maskduplicated, isnormal; struct radix_node *saved_x; - char addmask_key[RADIX_MAX_KEY_LEN]; + unsigned char addmask_key[RADIX_MAX_KEY_LEN]; if ((mlen = LEN(netmask)) RADIX_MAX_KEY_LEN) mlen = RADIX_MAX_KEY_LEN; @@ -532,20 +532,18 @@ rn_addmask(void *n_arg, struct radix_nod * Calculate index of mask, and check for normalcy. * First find the first byte with a 0 bit, then if there are * more bits left (remember we already trimmed the trailing 0's), -* the pattern must be one of those in normal_chars[], or we have +* the bits should be contiguous, otherwise we have got * a non-contiguous mask. */ +#defineCONTIG(_c) (((~(_c) + 1) (_c)) == (unsigned char)(~(_c) + 1)) cplim = netmask + mlen; isnormal = 1; for (cp = netmask + skip; (cp cplim) *(u_char *)cp == 0xff;) cp++; if (cp != cplim) { - static char normal_chars[] = { - 0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff}; - for (j = 0x80; (j *cp) != 0; j = 1) b++; - if (*cp != normal_chars[b] || cp != (cplim - 1)) + if (!CONTIG(*cp) || cp != (cplim - 1)) isnormal = 0; } b += (cp - netmask) 3; ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
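Review bot: `CONTIG()` is introduced with `#define` in the middle of rn_addmask()'s body, is never undefined, and expands its argument three times. It is only applied to `*cp` here, so nothing breaks, but a file-scope `static __inline int` helper taking an `unsigned char`, or an `#undef CONTIG` after the block, would stop the macro leaking into the rest of radix.c. A short comment would help too, e.g. `/* true if the set bits of the byte are left-aligned: -c (mod 256) is then a single bit contained in c */`. The `(u_char *)` cast kept in the `for` condition is redundant now that `cp` is `unsigned char *`. rn_addmask() starts and ends outside the hunk.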
svn commit: r258708 - in head: sbin/ipfw sys/netpfil/ipfw
Author: melifaro Date: Thu Nov 28 10:28:28 2013 New Revision: 258708 URL: http://svnweb.freebsd.org/changeset/base/258708 Log: Check ipfw table numbers in both user and kernel space before rule addition. Found by: Saychik Pavel u...@localka.net MFC after:2 weeks Sponsored by: Yandex LLC Modified: head/sbin/ipfw/ipfw2.c head/sbin/ipfw/ipfw2.h head/sys/netpfil/ipfw/ip_fw_sockopt.c Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Thu Nov 28 10:04:53 2013(r258707) +++ head/sbin/ipfw/ipfw2.c Thu Nov 28 10:28:28 2013(r258708) @@ -60,6 +60,8 @@ int resvd_set_number = RESVD_SET; int ipfw_socket = -1; +uint32_t ipfw_tables_max = 0; /* Number of tables supported by kernel */ + #ifndef s6_addr32 #define s6_addr32 __u6_addr.__u6_addr32 #endif @@ -2203,6 +2205,7 @@ fill_ip(ipfw_insn_ip *cmd, char *av, int { int len = 0; uint32_t *d = ((ipfw_insn_u32 *)cmd)-d; + uint32_t tables_max; cmd-o.len = ~F_LEN_MASK; /* zero len */ @@ -2221,6 +2224,10 @@ fill_ip(ipfw_insn_ip *cmd, char *av, int *p++ = '\0'; cmd-o.opcode = O_IP_DST_LOOKUP; cmd-o.arg1 = strtoul(av + 6, NULL, 0); + tables_max = ipfw_get_tables_max(); + if (cmd-o.arg1 tables_max) + errx(EX_USAGE, The table number exceeds the maximum + allowed value (%u), tables_max - 1); if (p) { cmd-o.len |= F_INSN_SIZE(ipfw_insn_u32); d[0] = strtoul(p, NULL, 0); 
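Review bot: The range check added to fill_ip() runs after `cmd->o.arg1 = strtoul(av + 6, NULL, 0);`, so it tests the value already narrowed to the width of `arg1` (a 16-bit field, if I read ipfw_insn correctly; its declaration is not on this page). A table number such as 65536 would then wrap to 0 and pass both this check and the kernel one, so the rule silently refers to a different table. Text with no digits also parses as 0 because no end pointer is examined. Parsing into a wide local and validating before the assignment closes both: `tn = strtoul(av + 6, &ep, 0);` followed by `if (ep == av + 6 || tn >= tables_max) errx(EX_USAGE, ...);` and only then `cmd->o.arg1 = tn;`. fill_ip() starts and ends outside the hunk.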
@@ -4119,6 +4126,33 @@ static void table_list(uint16_t num, int static void table_fill_xentry(char *arg, ipfw_table_xentry *xent); /* + * Retrieve maximum number of tables supported by ipfw(4) module. + */ +uint32_t +ipfw_get_tables_max() +{ + size_t len; + uint32_t tables_max; + + if (ipfw_tables_max != 0) + return (ipfw_tables_max); + + len = sizeof(tables_max); + if (sysctlbyname(net.inet.ip.fw.tables_max, tables_max, len, + NULL, 0) == -1) { + if (co.test_only) + tables_max = 128; /* Old conservative default */ + else + errx(1, Can't determine maximum number of ipfw tables. +Perhaps you forgot to load ipfw module?); + } + + ipfw_tables_max = tables_max; + + return (ipfw_tables_max); +} + +/* * This one handles all table-related commands * ipfw table N add addr[/masklen] [value] * ipfw table N delete addr[/masklen] @@ -4131,19 +4165,10 @@ ipfw_table_handler(int ac, char *av[]) ipfw_table_xentry xent; int do_add; int is_all; - size_t len; uint32_t a; uint32_t tables_max; - len = sizeof(tables_max); - if (sysctlbyname(net.inet.ip.fw.tables_max, tables_max, len, - NULL, 0) == -1) { - if (co.test_only) - tables_max = 128; /* Old conservative default */ - else - errx(1, Can't determine maximum number of ipfw tables. -Perhaps you forgot to load ipfw module?); - } + tables_max = ipfw_get_tables_max(); memset(xent, 0, sizeof(xent)); Modified: head/sbin/ipfw/ipfw2.h == --- head/sbin/ipfw/ipfw2.h Thu Nov 28 10:04:53 2013(r258707) +++ head/sbin/ipfw/ipfw2.h Thu Nov 28 10:28:28 2013(r258708) @@ -228,6 +228,8 @@ char const *match_value(struct _s_x *p, int do_cmd(int optname, void *optval, uintptr_t optlen); +uint32_t ipfw_get_tables_max(void); + struct in6_addr; void n2mask(struct in6_addr *mask, int n); int contigmask(uint8_t *p, int len); Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c == --- head/sys/netpfil/ipfw/ip_fw_sockopt.c Thu Nov 28 10:04:53 2013 (r258707) +++ head/sys/netpfil/ipfw/ip_fw_sockopt.c Thu Nov 28 10:28:28 2013 (r258708) 
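Review bot: ipfw_get_tables_max() is defined with an empty parameter list while the prototype added to ipfw2.h is `uint32_t ipfw_get_tables_max(void);`, so the definition should spell `(void)` as well. The header comment should say that the result is cached in `ipfw_tables_max`, with 0 meaning "not queried yet", and that with `co.test_only` the fallback of 128 is cached too. Something like `* The value is read once and cached; in test-only mode 128 is assumed if the sysctl is unavailable.` would do. It would also be worth confirming after sysctlbyname() that `len` still equals `sizeof(tables_max)` before the value is trusted.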
@@ -653,7 +653,7 @@ check_ipfw_struct(struct ip_fw *rule, in case O_IP_SRC_LOOKUP: case O_IP_DST_LOOKUP: - if (cmd-arg1 = IPFW_TABLES_MAX) { + if (cmd-arg1 = V_fw_tables_max) { printf(ipfw: invalid table number %d\n, cmd-arg1); return (EINVAL); ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r258711 - head/sys/netpfil/ipfw
Author: melifaro Date: Thu Nov 28 15:28:51 2013 New Revision: 258711 URL: http://svnweb.freebsd.org/changeset/base/258711 Log: Simplify O_NAT opcode handling. MFC after:2 weeks Sponsored by: Yandex LLC Modified: head/sys/netpfil/ipfw/ip_fw2.c Modified: head/sys/netpfil/ipfw/ip_fw2.c == --- head/sys/netpfil/ipfw/ip_fw2.c Thu Nov 28 14:24:26 2013 (r258710) +++ head/sys/netpfil/ipfw/ip_fw2.c Thu Nov 28 15:28:51 2013 (r258711) @@ -2413,38 +2413,35 @@ do { \ } case O_NAT: + l = 0; /* exit inner loop */ + done = 1; /* exit outer loop */ if (!IPFW_NAT_LOADED) { retval = IP_FW_DENY; - } else { - struct cfg_nat *t; - int nat_id; + break; + } - set_match(args, f_pos, chain); - /* Check if this is 'global' nat rule */ - if (cmd-arg1 == 0) { - retval = ipfw_nat_ptr(args, NULL, m); - l = 0; - done = 1; - break; - } - t = ((ipfw_insn_nat *)cmd)-nat; - if (t == NULL) { + struct cfg_nat *t; + int nat_id; + + set_match(args, f_pos, chain); + /* Check if this is 'global' nat rule */ + if (cmd-arg1 == 0) { + retval = ipfw_nat_ptr(args, NULL, m); + break; + } + t = ((ipfw_insn_nat *)cmd)-nat; + if (t == NULL) { nat_id = IP_FW_ARG_TABLEARG(cmd-arg1); t = (*lookup_nat_ptr)(chain-nat, nat_id); if (t == NULL) { retval = IP_FW_DENY; - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ break; } if (cmd-arg1 != IP_FW_TABLEARG) ((ipfw_insn_nat *)cmd)-nat = t; - } - retval = ipfw_nat_ptr(args, t, m); } - l = 0; /* exit inner loop */ - done = 1; /* exit outer loop */ + retval = ipfw_nat_ptr(args, t, m); break; case O_REASS: { ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
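Review bot: `struct cfg_nat *t;` and `int nat_id;` are now declared after statements directly under `case O_NAT:` with no enclosing block, so they sit in the scope of the whole switch and later case labels jump past them. style(9) wants declarations at the start of a block; wrapping the case body in braces, as `case O_REASS: {` just below does, keeps them local to this case. Indentation is lost on this page, so I cannot tell whether the lines from `nat_id = IP_FW_ARG_TABLEARG(cmd->arg1);` onwards were re-indented to match their new nesting. The switch continues outside the hunk.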
svn commit: r258677 - head/sbin/ipfw
Author: melifaro Date: Wed Nov 27 10:10:25 2013 New Revision: 258677 URL: http://svnweb.freebsd.org/changeset/base/258677 Log: Fix key lookup in ipfw(8) broken since r232865. Print warning for IPv4 address strings which are valid in inet_aton() but not valid in inet_pton(). (1) Found by: Özkan KIRIK ozkan.ki...@gmail.com Submitted by: Ian Smith smi...@nimnet.asn.au (1) MFC after:2 weeks Sponsored by: Yandex LLC Modified: head/sbin/ipfw/ipfw2.c Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Wed Nov 27 08:39:48 2013(r258676) +++ head/sbin/ipfw/ipfw2.c Wed Nov 27 10:10:25 2013(r258677) @@ -4274,13 +4274,24 @@ table_fill_xentry(char *arg, ipfw_table_ addrlen = sizeof(struct in6_addr); } else { /* Port or any other key */ - key = strtol(arg, p, 10); /* Skip non-base 10 entries like 'fa1' */ - if (p != arg) { + key = strtol(arg, p, 10); + if (*p == '\0') { pkey = (uint32_t *)paddr; *pkey = htonl(key); type = IPFW_TABLE_CIDR; + masklen = 32; addrlen = sizeof(uint32_t); + } else if ((p != arg) (*p == '.')) { + /* +* Warn on IPv4 address strings +* which are valid for inet_aton() but not +* in inet_pton(). +* +* Typical examples: '10.5' or '10.0.0.05' +*/ + errx(EX_DATAERR, + Invalid IPv4 address: %s, arg); } } } ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
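Review bot: The new test `if (*p == '\0')` in table_fill_xentry() no longer requires that strtol() consumed any characters, so an empty key string parses as key 0, where the old `p != arg` test rejected it. `key` also goes to `htonl()` with no range check, so a negative or over-wide number is truncated silently instead of being refused. I would write `if (p != arg && *p == '\0')` and reject `key < 0 || key > UINT32_MAX`, setting `errno = 0` before the call and checking for `ERANGE`. The function starts and ends outside the hunk, so whether an empty argument can reach this branch is not visible here.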
Re: svn commit: r258328 - head/sys/net
On 19.11.2013 02:58, George V. Neville-Neil wrote: Author: gnn Date: Mon Nov 18 22:58:14 2013 New Revision: 258328 URL: http://svnweb.freebsd.org/changeset/base/258328 Log: Allow ethernet drivers to pass in packets connected via the nextpkt pointer. Handling packets in this way allows drivers to amortize work during packet reception. Great! First, but important step in kernel batching :) Submitted by: Vijay Singh Sponsored by:NetApp Modified: head/sys/net/if_ethersubr.c Modified: head/sys/net/if_ethersubr.c == --- head/sys/net/if_ethersubr.c Mon Nov 18 22:55:50 2013(r258327) +++ head/sys/net/if_ethersubr.c Mon Nov 18 22:58:14 2013(r258328) @@ -708,13 +708,25 @@ static void ether_input(struct ifnet *ifp, struct mbuf *m) { + struct mbuf *mn; + /* -* We will rely on rcvif being set properly in the deferred context, -* so assert it is correct here. +* The drivers are allowed to pass in a chain of packets linked with +* m_nextpkt. We split them up into separate packets here and pass +* them up. This allows the drivers to amortize the receive lock. */ - KASSERT(m-m_pkthdr.rcvif == ifp, (%s: ifnet mismatch, __func__)); + while (m) { + mn = m-m_nextpkt; + m-m_nextpkt = NULL; - netisr_dispatch(NETISR_ETHER, m); + /* +* We will rely on rcvif being set properly in the deferred context, +* so assert it is correct here. +*/ + KASSERT(m-m_pkthdr.rcvif == ifp, (%s: ifnet mismatch, __func__)); + netisr_dispatch(NETISR_ETHER, m); + m = mn; + } } /* ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r257389 - stable/9/sys/net
Author: melifaro Date: Wed Oct 30 16:08:27 2013 New Revision: 257389 URL: http://svnweb.freebsd.org/changeset/base/257389 Log: MFC r256624: Fix long-standing issue with incorrect radix mask calculation. Usual symptoms are messages like rn_delete: inconsistent annotation rn_addmask: mask impossibly already in tree routing daemon constantly deleting IPv6 default route or inability to flush/delete particular prefix in ipfw table. Changes: * Assume 32 bytes as maximum radix key length * Remove rn_init() * Statically allocate rn_ones/rn_zeroes * Make separate mask tree for each normal tree instead of system global one * Remove optimization on masks reusage and key zeroying * Change rn_addmask() arguments to accept tree pointer (no users in base) MFC changes: * keep rn_init() * create global mask tree, protected with mutex, for old rn_addmask users (currently 0 in base) * Add new rn_addmask_r() function (rn_addmask in head) with additional argument to accept tree pointer PR: kern/182851, kern/169206, kern/135476, kern/134531 Found by: Slawa Olhovchenkov s...@zxy.spb.ru Reviewed by: glebius (previous versions) Sponsored by: Yandex LLC Modified: stable/9/sys/net/radix.c stable/9/sys/net/radix.h Directory Properties: stable/9/sys/ (props changed) stable/9/sys/net/ (props changed) Modified: stable/9/sys/net/radix.c == --- stable/9/sys/net/radix.cWed Oct 30 15:46:50 2013(r257388) +++ stable/9/sys/net/radix.cWed Oct 30 16:08:27 2013(r257389) 
@@ -66,27 +66,27 @@ static struct radix_node *rn_search(void *, struct radix_node *), *rn_search_m(void *, struct radix_node *, void *); -static int max_keylen; -static struct radix_mask *rn_mkfreelist; -static struct radix_node_head *mask_rnhead; +static void rn_detachhead_internal(void **head); +static int rn_inithead_internal(void **head, int off); + +#defineRADIX_MAX_KEY_LEN 32 + +static char rn_zeros[RADIX_MAX_KEY_LEN]; +static char rn_ones[RADIX_MAX_KEY_LEN] = { + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, +}; + /* - * Work area -- the following point to 3 buffers of size max_keylen, - * allocated in this order in a block of memory malloc'ed by rn_init. - * rn_zeros, rn_ones are set in rn_init and used in readonly afterwards. - * addmask_key is used in rn_addmask in rw mode and not thread-safe. + * XXX: Compat stuff for old rn_addmask() users */ -static char *rn_zeros, *rn_ones, *addmask_key; - -#define MKGet(m) { \ - if (rn_mkfreelist) {\ - m = rn_mkfreelist; \ - rn_mkfreelist = (m)-rm_mklist; \ - } else \ - R_Malloc(m, struct radix_mask *, sizeof (struct radix_mask)); } - -#define MKFree(m) { (m)-rm_mklist = rn_mkfreelist; rn_mkfreelist = (m);} +static struct radix_node_head *mask_rnhead_compat; +#ifdef _KERNEL +static struct mtx mask_mtx; +#endif -#define rn_masktop (mask_rnhead-rnh_treetop) static int rn_lexobetter(void *m_arg, void *n_arg); static struct radix_mask * @@ -230,7 +230,8 @@ rn_lookup(v_arg, m_arg, head) caddr_t netmask = 0; if (m_arg) { - x = rn_addmask(m_arg, 1, head-rnh_treetop-rn_offset); + x = rn_addmask_r(m_arg, head-rnh_masks, 1, + head-rnh_treetop-rn_offset); if (x == 0) return (0); netmask = x-rn_key; 
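Review bot: `rn_ones` is initialised with a hand-written list of 32 `-1` values that has to match `RADIX_MAX_KEY_LEN`. If the constant is ever raised, the extra bytes are silently zero and the all-ones key is wrong; the compiler only complains when the list is too long. A comment on the define would tie the two together, e.g. `/* rn_ones[] below must have exactly this many initialisers */`. The same hunk appears in the r257330 and r256624 mails further down.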
@@ -489,53 +490,47 @@ on1: } struct radix_node * -rn_addmask(n_arg, search, skip) - int search, skip; - void *n_arg; +rn_addmask_r(void *arg, struct radix_node_head *maskhead, int search, int skip) { - caddr_t netmask = (caddr_t)n_arg; + caddr_t netmask = (caddr_t)arg; register struct radix_node *x; register caddr_t cp, cplim; register int b = 0, mlen, j; - int maskduplicated, m0, isnormal; + int maskduplicated, isnormal; struct radix_node *saved_x; - static int last_zeroed = 0; + char addmask_key[RADIX_MAX_KEY_LEN]; - if ((mlen = LEN(netmask)) max_keylen) - mlen = max_keylen; + if ((mlen = LEN(netmask)) RADIX_MAX_KEY_LEN) + mlen = RADIX_MAX_KEY_LEN; if (skip == 0) skip = 1; if (mlen = skip) - return (mask_rnhead-rnh_nodes); + return (maskhead-rnh_nodes); + + bzero(addmask_key, RADIX_MAX_KEY_LEN); if (skip 1) bcopy(rn_ones + 1, addmask_key + 1, skip - 1); - if ((m0 = mlen) skip) - bcopy(netmask + skip, addmask_key +
svn commit: r257323 - stable/9/sys/netgraph
Author: melifaro Date: Tue Oct 29 09:57:00 2013 New Revision: 257323 URL: http://svnweb.freebsd.org/changeset/base/257323 Log: Merge r256550. Improve locking model used to protect netgraph topology: use rwlocks instead of mutexes on node traversal. Reviewed by: glebius Tested by:Eugene Grosbein egrosb...@rdtc.ru Sponsored by: Yandex LLC Modified: stable/9/sys/netgraph/ng_base.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netgraph/ng_base.c == --- stable/9/sys/netgraph/ng_base.c Tue Oct 29 09:52:15 2013 (r257322) +++ stable/9/sys/netgraph/ng_base.c Tue Oct 29 09:57:00 2013 (r257323) @@ -74,7 +74,12 @@ MODULE_VERSION(netgraph, NG_ABI_VERSION); /* Mutex to protect topology events. */ -static struct mtx ng_topo_mtx; +static struct rwlock ng_topo_lock; +#defineTOPOLOGY_RLOCK()rw_rlock(ng_topo_lock) +#defineTOPOLOGY_RUNLOCK() rw_runlock(ng_topo_lock) +#defineTOPOLOGY_WLOCK()rw_wlock(ng_topo_lock) +#defineTOPOLOGY_WUNLOCK() rw_wunlock(ng_topo_lock) +#defineTOPOLOGY_NOTOWNED() rw_assert(ng_topo_lock, RA_UNLOCKED) #ifdef NETGRAPH_DEBUG static struct mtx ng_nodelist_mtx; /* protects global node/hook lists */ @@ -1162,7 +1167,7 @@ ng_destroy_hook(hook_p hook) * Protect divorce process with mutex, to avoid races on * simultaneous disconnect. */ - mtx_lock(ng_topo_mtx); + TOPOLOGY_WLOCK(); hook-hk_flags |= HK_INVALID; @@ -1182,17 +1187,17 @@ ng_destroy_hook(hook_p hook) * If it's already divorced from a node, * just free it. */ - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); } else { - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); ng_rmhook_self(peer); /* Send it a surprise */ } NG_HOOK_UNREF(peer);/* account for peer link */ NG_HOOK_UNREF(hook);/* account for peer link */ } else - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); - mtx_assert(ng_topo_mtx, MA_NOTOWNED); + TOPOLOGY_NOTOWNED(); /* * Remove the hook from the node's list to avoid possible recursion 
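Review bot: The comment `/* Mutex to protect topology events. */` is left above `static struct rwlock ng_topo_lock;`, and the comments in ng_destroy_hook() ("Protect divorce process with mutex") and ng_con_part2() ("Acquire topo mutex") still describe a mutex. I would update them, e.g. `/* Rwlock protecting topology: readers traverse peer links, writers change them. */`. ng_path2noderef() takes `TOPOLOGY_WLOCK()` although the visible part of the walk only reads hook and peer state; if the write lock is deliberate, a one-line why-comment there would help. That function's last hunk is cut off on this page. The same diff is repeated in the r256550 mail below.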
@@ -1233,9 +1238,9 @@ ng_bypass(hook_p hook1, hook_p hook2) TRAP_ERROR(); return (EINVAL); } - mtx_lock(ng_topo_mtx); + TOPOLOGY_WLOCK(); if (NG_HOOK_NOT_VALID(hook1) || NG_HOOK_NOT_VALID(hook2)) { - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); return (EINVAL); } hook1-hk_peer-hk_peer = hook2-hk_peer; @@ -1243,7 +1248,7 @@ ng_bypass(hook_p hook1, hook_p hook2) hook1-hk_peer = ng_deadhook; hook2-hk_peer = ng_deadhook; - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); NG_HOOK_UNREF(hook1); NG_HOOK_UNREF(hook2); @@ -1440,15 +1445,15 @@ ng_con_part2(node_p node, item_p item, h /* * Acquire topo mutex to avoid race with ng_destroy_hook(). */ - mtx_lock(ng_topo_mtx); + TOPOLOGY_RLOCK(); peer = hook-hk_peer; if (peer == ng_deadhook) { - mtx_unlock(ng_topo_mtx); + TOPOLOGY_RUNLOCK(); printf(failed in ng_con_part2(B)\n); ng_destroy_hook(hook); ERROUT(ENOENT); } - mtx_unlock(ng_topo_mtx); + TOPOLOGY_RUNLOCK(); if ((error = ng_send_fn2(peer-hk_node, peer, item, ng_con_part3, NULL, 0, NG_REUSE_ITEM))) { @@ -1793,14 +1798,14 @@ ng_path2noderef(node_p here, const char /* We have a segment, so look for a hook by that name */ hook = ng_findhook(node, segment); - mtx_lock(ng_topo_mtx); + TOPOLOGY_WLOCK(); /* Can't get there from here... */ if (hook == NULL || NG_HOOK_PEER(hook) == NULL || NG_HOOK_NOT_VALID(hook) || NG_HOOK_NOT_VALID(NG_HOOK_PEER(hook))) { TRAP_ERROR(); NG_NODE_UNREF(node); - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); return (ENOENT); } @@ -1817,7 +1822,7 @@ ng_path2noderef(node_p here, const char NG_NODE_UNREF(oldnode); /* XXX another race */ if (NG_NODE_NOT_VALID(node)) { NG_NODE_UNREF(node);/* XXX more races */ - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); TRAP_ERROR();
svn commit: r257330 - stable/10/sys/net
Author: melifaro Date: Tue Oct 29 12:53:23 2013 New Revision: 257330 URL: http://svnweb.freebsd.org/changeset/base/257330 Log: MFC r256624: Fix long-standing issue with incorrect radix mask calculation. Usual symptoms are messages like rn_delete: inconsistent annotation rn_addmask: mask impossibly already in tree routing daemon constantly deleting IPv6 default route or inability to flush/delete particular prefix in ipfw table. Changes: * Assume 32 bytes as maximum radix key length * Remove rn_init() * Statically allocate rn_ones/rn_zeroes * Make separate mask tree for each normal tree instead of system global one * Remove optimization on masks reusage and key zeroying * Change rn_addmask() arguments to accept tree pointer (no users in base) MFC changes: * keep rn_init() * create global mask tree, protected with mutex, for old rn_addmask users (currently 0 in base) * Add new rn_addmask_r() function (rn_addmask in head) with additional argument to accept tree pointer PR: kern/182851, kern/169206, kern/135476, kern/134531 Found by: Slawa Olhovchenkov s...@zxy.spb.ru Reviewed by: glebius (previous versions) Sponsored by: Yandex LLC Approved by: re (glebius) Modified: stable/10/sys/net/radix.c stable/10/sys/net/radix.h Modified: stable/10/sys/net/radix.c == --- stable/10/sys/net/radix.c Tue Oct 29 12:34:11 2013(r257329) +++ stable/10/sys/net/radix.c Tue Oct 29 12:53:23 2013(r257330) 
@@ -66,27 +66,27 @@ static struct radix_node *rn_search(void *, struct radix_node *), *rn_search_m(void *, struct radix_node *, void *); -static int max_keylen; -static struct radix_mask *rn_mkfreelist; -static struct radix_node_head *mask_rnhead; +static void rn_detachhead_internal(void **head); +static int rn_inithead_internal(void **head, int off); + +#defineRADIX_MAX_KEY_LEN 32 + +static char rn_zeros[RADIX_MAX_KEY_LEN]; +static char rn_ones[RADIX_MAX_KEY_LEN] = { + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, +}; + /* - * Work area -- the following point to 3 buffers of size max_keylen, - * allocated in this order in a block of memory malloc'ed by rn_init. - * rn_zeros, rn_ones are set in rn_init and used in readonly afterwards. - * addmask_key is used in rn_addmask in rw mode and not thread-safe. + * XXX: Compat stuff for old rn_addmask() users */ -static char *rn_zeros, *rn_ones, *addmask_key; - -#define MKGet(m) { \ - if (rn_mkfreelist) {\ - m = rn_mkfreelist; \ - rn_mkfreelist = (m)-rm_mklist; \ - } else \ - R_Malloc(m, struct radix_mask *, sizeof (struct radix_mask)); } - -#define MKFree(m) { (m)-rm_mklist = rn_mkfreelist; rn_mkfreelist = (m);} +static struct radix_node_head *mask_rnhead_compat; +#ifdef _KERNEL +static struct mtx mask_mtx; +#endif -#define rn_masktop (mask_rnhead-rnh_treetop) static int rn_lexobetter(void *m_arg, void *n_arg); static struct radix_mask * @@ -230,7 +230,8 @@ rn_lookup(v_arg, m_arg, head) caddr_t netmask = 0; if (m_arg) { - x = rn_addmask(m_arg, 1, head-rnh_treetop-rn_offset); + x = rn_addmask_r(m_arg, head-rnh_masks, 1, + head-rnh_treetop-rn_offset); if (x == 0) return (0); netmask = x-rn_key; 
@@ -489,53 +490,47 @@ on1: } struct radix_node * -rn_addmask(n_arg, search, skip) - int search, skip; - void *n_arg; +rn_addmask_r(void *arg, struct radix_node_head *maskhead, int search, int skip) { - caddr_t netmask = (caddr_t)n_arg; + caddr_t netmask = (caddr_t)arg; register struct radix_node *x; register caddr_t cp, cplim; register int b = 0, mlen, j; - int maskduplicated, m0, isnormal; + int maskduplicated, isnormal; struct radix_node *saved_x; - static int last_zeroed = 0; + char addmask_key[RADIX_MAX_KEY_LEN]; - if ((mlen = LEN(netmask)) max_keylen) - mlen = max_keylen; + if ((mlen = LEN(netmask)) RADIX_MAX_KEY_LEN) + mlen = RADIX_MAX_KEY_LEN; if (skip == 0) skip = 1; if (mlen = skip) - return (mask_rnhead-rnh_nodes); + return (maskhead-rnh_nodes); + + bzero(addmask_key, RADIX_MAX_KEY_LEN); if (skip 1) bcopy(rn_ones + 1, addmask_key + 1, skip - 1); - if ((m0 = mlen) skip) - bcopy(netmask + skip, addmask_key + skip, mlen - skip); + bcopy(netmask + skip, addmask_key +
svn commit: r256617 - head/sys/net
Author: melifaro Date: Wed Oct 16 10:33:20 2013 New Revision: 256617 URL: http://svnweb.freebsd.org/changeset/base/256617 Log: Remove unused fields from radix_node_head. Sponsored by: Yandex LLC Modified: head/sys/net/radix.h Modified: head/sys/net/radix.h == --- head/sys/net/radix.hWed Oct 16 10:26:34 2013(r256616) +++ head/sys/net/radix.hWed Oct 16 10:33:20 2013(r256617) @@ -107,24 +107,15 @@ struct radix_node_head { struct radix_node *rnh_treetop; u_int rnh_gen;/* generation counter */ int rnh_multipath; /* multipath capable ? */ - int rnh_addrsize; /* permit, but not require fixed keys */ - int rnh_pktsize;/* permit, but not require fixed keys */ struct radix_node *(*rnh_addaddr) /* add based on sockaddr */ (void *v, void *mask, struct radix_node_head *head, struct radix_node nodes[]); - struct radix_node *(*rnh_addpkt) /* add based on packet hdr */ - (void *v, void *mask, -struct radix_node_head *head, struct radix_node nodes[]); struct radix_node *(*rnh_deladdr) /* remove based on sockaddr */ (void *v, void *mask, struct radix_node_head *head); - struct radix_node *(*rnh_delpkt) /* remove based on packet hdr */ - (void *v, void *mask, struct radix_node_head *head); struct radix_node *(*rnh_matchaddr)/* locate based on sockaddr */ (void *v, struct radix_node_head *head); struct radix_node *(*rnh_lookup) /* locate based on sockaddr */ (void *v, void *mask, struct radix_node_head *head); - struct radix_node *(*rnh_matchpkt) /* locate based on packet hdr */ - (void *v, struct radix_node_head *head); int (*rnh_walktree) /* traverse tree */ (struct radix_node_head *head, walktree_f_t *f, void *w); int (*rnh_walktree_from)/* traverse tree below a */ ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r256618 - head/share/man/man9
Author: melifaro Date: Wed Oct 16 10:36:42 2013 New Revision: 256618 URL: http://svnweb.freebsd.org/changeset/base/256618 Log: Reflect r248070 (RTM_PINNED) changes in documentation. Pointed by: pluknet MFC after:2 weeks Modified: head/share/man/man9/rtentry.9 Modified: head/share/man/man9/rtentry.9 == --- head/share/man/man9/rtentry.9 Wed Oct 16 10:33:20 2013 (r256617) +++ head/share/man/man9/rtentry.9 Wed Oct 16 10:36:42 2013 (r256618) @@ -28,7 +28,7 @@ .\ .\ $FreeBSD$ .\ -.Dd December 11, 2008 +.Dd October 16, 2013 .Dt RTENTRY 9 .Os .Sh NAME @@ -154,8 +154,7 @@ Protocol-specific. .It Dv RTF_PRCLONING This flag is obsolete and simply ignored by facility. .It Dv RTF_PINNED -(Reserved for future use to indicate routes which are not to be -modified by a routing protocol.) +Indicates that this route is immutable to a routing protocol. .It Dv RTF_LOCAL Indicates that the destination of this route is an address configured as belonging to this system. ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r256624 - head/sys/net
Author: melifaro Date: Wed Oct 16 12:18:44 2013 New Revision: 256624 URL: http://svnweb.freebsd.org/changeset/base/256624 Log: Fix long-standing issue with incorrect radix mask calculation. Usual symptoms are messages like rn_delete: inconsistent annotation rn_addmask: mask impossibly already in tree or inability to flush/delete particular prefix in ipfw table. Changes: * Assume 32 bytes as maximum radix key length * Remove rn_init() * Statically allocate rn_ones/rn_zeroes * Make separate mask tree for each normal tree instead of system global one * Remove optimization on masks reusage and key zeroying * Change rn_addmask() arguments to accept tree pointer (no users in base) PR: kern/182851, kern/169206, kern/135476, kern/134531 Found by: Slawa Olhovchenkov s...@zxy.spb.ru MFC after:2 weeks Reviewed by: glebius Sponsored by: Yandex LLC Modified: head/sys/net/radix.c head/sys/net/radix.h head/sys/net/route.c Modified: head/sys/net/radix.c == --- head/sys/net/radix.cWed Oct 16 12:15:33 2013(r256623) +++ head/sys/net/radix.cWed Oct 16 12:18:44 2013(r256624) 
@@ -66,27 +66,19 @@ static struct radix_node *rn_search(void *, struct radix_node *), *rn_search_m(void *, struct radix_node *, void *); -static int max_keylen; -static struct radix_mask *rn_mkfreelist; -static struct radix_node_head *mask_rnhead; -/* - * Work area -- the following point to 3 buffers of size max_keylen, - * allocated in this order in a block of memory malloc'ed by rn_init. - * rn_zeros, rn_ones are set in rn_init and used in readonly afterwards. - * addmask_key is used in rn_addmask in rw mode and not thread-safe. - */ -static char *rn_zeros, *rn_ones, *addmask_key; +static void rn_detachhead_internal(void **head); +static int rn_inithead_internal(void **head, int off); + +#defineRADIX_MAX_KEY_LEN 32 -#define MKGet(m) { \ - if (rn_mkfreelist) {\ - m = rn_mkfreelist; \ - rn_mkfreelist = (m)-rm_mklist; \ - } else \ - R_Malloc(m, struct radix_mask *, sizeof (struct radix_mask)); } - -#define MKFree(m) { (m)-rm_mklist = rn_mkfreelist; rn_mkfreelist = (m);} +static char rn_zeros[RADIX_MAX_KEY_LEN]; +static char rn_ones[RADIX_MAX_KEY_LEN] = { + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, +}; -#define rn_masktop (mask_rnhead-rnh_treetop) static int rn_lexobetter(void *m_arg, void *n_arg); static struct radix_mask * @@ -230,7 +222,8 @@ rn_lookup(v_arg, m_arg, head) caddr_t netmask = 0; if (m_arg) { - x = rn_addmask(m_arg, 1, head-rnh_treetop-rn_offset); + x = rn_addmask(m_arg, head-rnh_masks, 1, + head-rnh_treetop-rn_offset); if (x == 0) return (0); netmask = x-rn_key; 
@@ -489,53 +482,47 @@ on1: } struct radix_node * -rn_addmask(n_arg, search, skip) - int search, skip; - void *n_arg; +rn_addmask(void *n_arg, struct radix_node_head *maskhead, int search, int skip) { caddr_t netmask = (caddr_t)n_arg; register struct radix_node *x; register caddr_t cp, cplim; register int b = 0, mlen, j; - int maskduplicated, m0, isnormal; + int maskduplicated, isnormal; struct radix_node *saved_x; - static int last_zeroed = 0; + char addmask_key[RADIX_MAX_KEY_LEN]; - if ((mlen = LEN(netmask)) max_keylen) - mlen = max_keylen; + if ((mlen = LEN(netmask)) RADIX_MAX_KEY_LEN) + mlen = RADIX_MAX_KEY_LEN; if (skip == 0) skip = 1; if (mlen = skip) - return (mask_rnhead-rnh_nodes); + return (maskhead-rnh_nodes); + + bzero(addmask_key, RADIX_MAX_KEY_LEN); if (skip 1) bcopy(rn_ones + 1, addmask_key + 1, skip - 1); - if ((m0 = mlen) skip) - bcopy(netmask + skip, addmask_key + skip, mlen - skip); + bcopy(netmask + skip, addmask_key + skip, mlen - skip); /* * Trim trailing zeroes. */ for (cp = addmask_key + mlen; (cp addmask_key) cp[-1] == 0;) cp--; mlen = cp - addmask_key; - if (mlen = skip) { - if (m0 = last_zeroed) - last_zeroed = mlen; - return (mask_rnhead-rnh_nodes); - } - if (m0 last_zeroed) - bzero(addmask_key + m0, last_zeroed - m0); - *addmask_key = last_zeroed = mlen; - x = rn_search(addmask_key,
svn commit: r256550 - head/sys/netgraph
Author: melifaro Date: Tue Oct 15 17:44:35 2013 New Revision: 256550 URL: http://svnweb.freebsd.org/changeset/base/256550 Log: Improve locking model used to protect netgraph topology: use rwlocks instead of mutexes on node traversal. Reviewed by: glebius Tested by:Eugene Grosbein egrosb...@rdtc.ru MFC after:2 weeks Sponsored by: Yandex LLC Modified: head/sys/netgraph/ng_base.c Modified: head/sys/netgraph/ng_base.c == --- head/sys/netgraph/ng_base.c Tue Oct 15 17:33:30 2013(r256549) +++ head/sys/netgraph/ng_base.c Tue Oct 15 17:44:35 2013(r256550) @@ -74,7 +74,12 @@ MODULE_VERSION(netgraph, NG_ABI_VERSION); /* Mutex to protect topology events. */ -static struct mtx ng_topo_mtx; +static struct rwlock ng_topo_lock; +#defineTOPOLOGY_RLOCK()rw_rlock(ng_topo_lock) +#defineTOPOLOGY_RUNLOCK() rw_runlock(ng_topo_lock) +#defineTOPOLOGY_WLOCK()rw_wlock(ng_topo_lock) +#defineTOPOLOGY_WUNLOCK() rw_wunlock(ng_topo_lock) +#defineTOPOLOGY_NOTOWNED() rw_assert(ng_topo_lock, RA_UNLOCKED) #ifdef NETGRAPH_DEBUG static struct mtx ng_nodelist_mtx; /* protects global node/hook lists */ @@ -1162,7 +1167,7 @@ ng_destroy_hook(hook_p hook) * Protect divorce process with mutex, to avoid races on * simultaneous disconnect. */ - mtx_lock(ng_topo_mtx); + TOPOLOGY_WLOCK(); hook-hk_flags |= HK_INVALID; @@ -1182,17 +1187,17 @@ ng_destroy_hook(hook_p hook) * If it's already divorced from a node, * just free it. */ - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); } else { - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); ng_rmhook_self(peer); /* Send it a surprise */ } NG_HOOK_UNREF(peer);/* account for peer link */ NG_HOOK_UNREF(hook);/* account for peer link */ } else - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); - mtx_assert(ng_topo_mtx, MA_NOTOWNED); + TOPOLOGY_NOTOWNED(); /* * Remove the hook from the node's list to avoid possible recursion 
@@ -1233,9 +1238,9 @@ ng_bypass(hook_p hook1, hook_p hook2) TRAP_ERROR(); return (EINVAL); } - mtx_lock(ng_topo_mtx); + TOPOLOGY_WLOCK(); if (NG_HOOK_NOT_VALID(hook1) || NG_HOOK_NOT_VALID(hook2)) { - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); return (EINVAL); } hook1-hk_peer-hk_peer = hook2-hk_peer; @@ -1243,7 +1248,7 @@ ng_bypass(hook_p hook1, hook_p hook2) hook1-hk_peer = ng_deadhook; hook2-hk_peer = ng_deadhook; - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); NG_HOOK_UNREF(hook1); NG_HOOK_UNREF(hook2); @@ -1440,15 +1445,15 @@ ng_con_part2(node_p node, item_p item, h /* * Acquire topo mutex to avoid race with ng_destroy_hook(). */ - mtx_lock(ng_topo_mtx); + TOPOLOGY_RLOCK(); peer = hook-hk_peer; if (peer == ng_deadhook) { - mtx_unlock(ng_topo_mtx); + TOPOLOGY_RUNLOCK(); printf(failed in ng_con_part2(B)\n); ng_destroy_hook(hook); ERROUT(ENOENT); } - mtx_unlock(ng_topo_mtx); + TOPOLOGY_RUNLOCK(); if ((error = ng_send_fn2(peer-hk_node, peer, item, ng_con_part3, NULL, 0, NG_REUSE_ITEM))) { @@ -1793,14 +1798,14 @@ ng_path2noderef(node_p here, const char /* We have a segment, so look for a hook by that name */ hook = ng_findhook(node, segment); - mtx_lock(ng_topo_mtx); + TOPOLOGY_WLOCK(); /* Can't get there from here... */ if (hook == NULL || NG_HOOK_PEER(hook) == NULL || NG_HOOK_NOT_VALID(hook) || NG_HOOK_NOT_VALID(NG_HOOK_PEER(hook))) { TRAP_ERROR(); NG_NODE_UNREF(node); - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); return (ENOENT); } @@ -1817,7 +1822,7 @@ ng_path2noderef(node_p here, const char NG_NODE_UNREF(oldnode); /* XXX another race */ if (NG_NODE_NOT_VALID(node)) { NG_NODE_UNREF(node);/* XXX more races */ - mtx_unlock(ng_topo_mtx); + TOPOLOGY_WUNLOCK(); TRAP_ERROR(); return (ENXIO); } @@ -1830,11 +1835,11 @@
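Review bot: In ng_con_part2() `peer` is loaded under TOPOLOGY_RLOCK() but is dereferenced as `peer->hk_node` in the ng_send_fn2() call after TOPOLOGY_RUNLOCK(), and nothing visible in the hunk takes a reference on it in between. Once the read lock is dropped, ng_destroy_hook() on the other side can take the write lock and divorce the hooks, so unless a reference held outside this hunk pins the peer, the pointer may be stale by the time it is used. Consider `NG_HOOK_REF(peer);` before `TOPOLOGY_RUNLOCK();` with a matching `NG_HOOK_UNREF(peer);` once ng_send_fn2() has returned. The function body starts and ends outside the hunk.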
Re: svn commit: r256066 - head/sys/dev/virtio/network
On 05.10.2013 22:07, Bryan Venteicher wrote: Author: bryanv Date: Sat Oct 5 18:07:24 2013 New Revision: 256066 URL: http://svnweb.freebsd.org/changeset/base/256066 Log: Do not hold the vtnet Rx queue lock when calling up into the stack Do you measure performance penalty for this? This matches other similar drivers and avoids various LOR warnings. We're currently trying to eliminate such things in other drivers like ixgbe, maybe there can be some other way to eliminate possible LORs? Approved by:re (marius) Modified: head/sys/dev/virtio/network/if_vtnet.c Modified: head/sys/dev/virtio/network/if_vtnet.c == --- head/sys/dev/virtio/network/if_vtnet.cSat Oct 5 16:22:33 2013 (r256065) +++ head/sys/dev/virtio/network/if_vtnet.cSat Oct 5 18:07:24 2013 (r256066) @@ -1700,9 +1700,9 @@ vtnet_rxq_input(struct vtnet_rxq *rxq, s rxq-vtnrx_stats.vrxs_ipackets++; rxq-vtnrx_stats.vrxs_ibytes += m-m_pkthdr.len; - /* VTNET_RXQ_UNLOCK(rxq); */ + VTNET_RXQ_UNLOCK(rxq); (*ifp-if_input)(ifp, m); - /* VTNET_RXQ_LOCK(rxq); */ + VTNET_RXQ_LOCK(rxq); } static int @@ -1782,6 +1782,10 @@ vtnet_rxq_eof(struct vtnet_rxq *rxq) m_adj(m, adjsz); vtnet_rxq_input(rxq, m, hdr); + + /* Must recheck after dropping the Rx lock. */ + if ((ifp-if_drv_flags IFF_DRV_RUNNING) == 0) + break; } if (deq 0) signature.asc Description: OpenPGP digital signature
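Review bot: vtnet_rxq_input() now releases and retakes the Rx queue lock around `(*ifp->if_input)(ifp, m)`, but nothing at the function tells a caller that the lock is not held continuously across the call. vtnet_rxq_eof() gets the needed recheck of IFF_DRV_RUNNING in the second hunk; any other caller of vtnet_rxq_input(), not visible here, would need the same. I would add a comment above the function such as `/* Drops and reacquires the Rx queue lock around if_input(); callers must revalidate driver state on return. */`. Both functions extend beyond the hunks.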
Re: svn commit: r253841 - head/sys/netinet6
On 01.08.2013 20:18, Rui Paulo wrote: On 1 Aug 2013, at 07:23, Gleb Smirnoff gleb...@freebsd.org wrote: On Wed, Jul 31, 2013 at 04:24:50PM +, Hiroki Sato wrote: H Author: hrs H Date: Wed Jul 31 16:24:49 2013 H New Revision: 253841 H URL: http://svnweb.freebsd.org/changeset/base/253841 H H Log: H Allocate in6_ifextra (ifp-if_afdata[AF_INET6]) only for IPv6-capable H interfaces. This eliminates unnecessary IPv6 processing for non-IPv6 H interfaces. H H MFC after: 3 days H H Modified: H head/sys/netinet6/in6.c H head/sys/netinet6/in6_ifattach.c H head/sys/netinet6/nd6.c H H Modified: head/sys/netinet6/in6.c H == H --- head/sys/netinet6/in6.c Wed Jul 31 15:55:01 2013(r253840) H +++ head/sys/netinet6/in6.c Wed Jul 31 16:24:49 2013(r253841) H @@ -2746,6 +2746,13 @@ in6_domifattach(struct ifnet *ifp) H { H struct in6_ifextra *ext; H H + /* There are not IPv6-capable interfaces. */ H + switch (ifp-if_type) { H + case IFT_PFLOG: H + case IFT_PFSYNC: H + case IFT_USB: H + return (NULL); H + } All three should just disappear as interfaces :) What? Why? Because thay aren't really interfaces. All they need is BPF. There is a cleaner approach described here: http://lists.freebsd.org/pipermail/freebsd-net/2012-December/034031.html -- Rui Paulo ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
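Review bot: Returning NULL from in6_domifattach() for IFT_PFLOG, IFT_PFSYNC and IFT_USB means `ifp->if_afdata[AF_INET6]` can now be NULL on an attached interface, so every consumer that dereferences it needs a guard. Only this one hunk is quoted, so whether the in6_ifattach.c and nd6.c changes listed in the log cover all of those consumers cannot be checked here; a missed one would be a NULL dereference in the kernel. The added comment also has a typo and should read `/* These are not IPv6-capable interfaces. */`. The function continues past the hunk.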
Re: svn commit: r253262 - in head: lib/libc/gen sys/net
On 12.07.2013 16:36, Hiroki Sato wrote: Author: hrs Date: Fri Jul 12 12:36:12 2013 New Revision: 253262 URL: http://svnweb.freebsd.org/changeset/base/253262 Log: Add a leaf node CTL_NET.PF_ROUTE.0.AF.NET_RT_DUMP.0.FIB. This returns routing table with the specified FIB number, not td-td_proc-p_fibnum. Thanks! I had plans to do the same :) Modified: head/lib/libc/gen/sysctl.3 head/sys/net/rtsock.c Modified: head/lib/libc/gen/sysctl.3 == --- head/lib/libc/gen/sysctl.3 Fri Jul 12 12:18:07 2013(r253261) +++ head/lib/libc/gen/sysctl.3 Fri Jul 12 12:36:12 2013(r253262) @@ -28,7 +28,7 @@ .\ @(#)sysctl.38.4 (Berkeley) 5/9/95 .\ $FreeBSD$ .\ -.Dd February 11, 2012 +.Dd May 17, 2013 .Dt SYSCTL 3 .Os .Sh NAME @@ -547,14 +547,14 @@ The length of each message is contained The third level name is a protocol number, which is currently always 0. The fourth level name is an address family, which may be set to 0 to select all address families. -The fifth and sixth level names are as follows: -.Bl -column Fifth level nameXX Sixth level is:XXX -offset indent -.It Sy Fifth level name Sixth level is: -.It NET_RT_FLAGS rtflags -.It NET_RT_DUMP None -.It NET_RT_IFLIST0 or if_index -.It NET_RT_IFMALIST 0 or if_index -.It NET_RT_IFLISTL 0 or if_index +The fifth, sixth, and seventh level names are as follows: +.Bl -column Fifth level Sixth level -offset indent +.It Sy Fifth level Sixth level Seventh level +.It NET_RT_FLAGS rtflags None +.It NET_RT_DUMP NoneNone or fib number +.It NET_RT_IFLIST0 or if_index None +.It NET_RT_IFMALIST 0 or if_index None +.It NET_RT_IFLISTL 0 or if_index None .El .Pp The Modified: head/sys/net/rtsock.c == --- head/sys/net/rtsock.c Fri Jul 12 12:18:07 2013(r253261) +++ head/sys/net/rtsock.c Fri Jul 12 12:36:12 2013(r253262) @@ -1905,6 +1905,7 @@ sysctl_rtsock(SYSCTL_HANDLER_ARGS) u_int namelen = arg2; struct radix_node_head *rnh = NULL; /* silence compiler. */ int i, lim, error = EINVAL; + int fib = 0; u_char af; struct walkarg w; 
@@ -1912,7 +1913,17 @@ sysctl_rtsock(SYSCTL_HANDLER_ARGS) namelen--; if (req-newptr) return (EPERM); - if (namelen != 3) + if (name[1] == NET_RT_DUMP) { + if (namelen == 3) + fib = req-td-td_proc-p_fibnum; + else if (namelen == 4) + fib = (name[3] == -1) ? + req-td-td_proc-p_fibnum : name[3]; + else + return ((namelen 3) ? EISDIR : ENOTDIR); + if (fib 0 || fib= rt_numfibs) + return (EINVAL); + } else if (namelen != 3) return ((namelen 3) ? EISDIR : ENOTDIR); af = name[0]; if (af AF_MAX) @@ -1951,7 +1962,7 @@ sysctl_rtsock(SYSCTL_HANDLER_ARGS) * take care of routing entries */ for (error = 0; error == 0 i= lim; i++) { - rnh = rt_tables_get_rnh(req-td-td_proc-p_fibnum, i); + rnh = rt_tables_get_rnh(fib, i); if (rnh != NULL) { RADIX_NODE_HEAD_RLOCK(rnh); error = rnh-rnh_walktree(rnh, ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
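Review bot: The new branch tests `name[1] == NET_RT_DUMP` before any check that `namelen` covers that element; the length is only validated inside the branch or in the `else if (namelen != 3)` arm. If the lines above the hunk do not already guarantee at least two remaining name components, this reads an element the caller did not supply. Testing the length first, `if (namelen >= 2 && name[1] == NET_RT_DUMP) {`, gives the same results for valid requests, since short names still fall through to the `namelen != 3` check. sysctl_rtsock() starts before and ends after the hunk.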
svn commit: r250813 - head/sys/netinet6
Author: melifaro Date: Sun May 19 19:19:01 2013 New Revision: 250813 URL: http://svnweb.freebsd.org/changeset/base/250813 Log: Finish r85740 : Make IPv6 netmask has address family set. This pleases routing daemons like bird. MFC after:2 weeks Modified: head/sys/netinet6/in6.c Modified: head/sys/netinet6/in6.c == --- head/sys/netinet6/in6.c Sun May 19 17:14:36 2013(r250812) +++ head/sys/netinet6/in6.c Sun May 19 19:19:01 2013(r250813) @@ -1140,6 +1140,7 @@ in6_update_ifa(struct ifnet *ifp, struct ia-ia_ifa.ifa_addr = (struct sockaddr *)ia-ia_addr; ia-ia_addr.sin6_family = AF_INET6; ia-ia_addr.sin6_len = sizeof(ia-ia_addr); + ia-ia_prefixmask.sin6_family = AF_INET6; ia-ia6_createtime = time_second; if ((ifp-if_flags (IFF_POINTOPOINT | IFF_LOOPBACK)) != 0) { /* ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r250815 - head/sys/netinet6
Author: melifaro Date: Sun May 19 19:42:46 2013 New Revision: 250815 URL: http://svnweb.freebsd.org/changeset/base/250815 Log: Really fix netmask address family this time. MFC with: r250813 Modified: head/sys/netinet6/in6.c Modified: head/sys/netinet6/in6.c == --- head/sys/netinet6/in6.c Sun May 19 19:19:58 2013(r250814) +++ head/sys/netinet6/in6.c Sun May 19 19:42:46 2013(r250815) @@ -1140,7 +1140,6 @@ in6_update_ifa(struct ifnet *ifp, struct ia-ia_ifa.ifa_addr = (struct sockaddr *)ia-ia_addr; ia-ia_addr.sin6_family = AF_INET6; ia-ia_addr.sin6_len = sizeof(ia-ia_addr); - ia-ia_prefixmask.sin6_family = AF_INET6; ia-ia6_createtime = time_second; if ((ifp-if_flags (IFF_POINTOPOINT | IFF_LOOPBACK)) != 0) { /* @@ -1187,6 +1186,7 @@ in6_update_ifa(struct ifnet *ifp, struct goto unlink; } ia-ia_prefixmask = ifra-ifra_prefixmask; + ia-ia_prefixmask.sin6_family = AF_INET6; } /* ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r250764 - head/sys/net
Author: melifaro Date: Sat May 18 07:10:22 2013 New Revision: 250764 URL: http://svnweb.freebsd.org/changeset/base/250764 Log: Fix rte leak introduced in r248070. MFC after:2 weeks Modified: head/sys/net/route.c Modified: head/sys/net/route.c == --- head/sys/net/route.cSat May 18 07:03:06 2013(r250763) +++ head/sys/net/route.cSat May 18 07:10:22 2013(r250764) @@ -1566,7 +1566,7 @@ rtinit1(struct ifaddr *ifa, int cmd, int info.rti_ifa = NULL; info.rti_flags = RTF_RNH_LOCKED; - error = rtrequest1_fib(RTM_DELETE, info, rt, fibnum); + error = rtrequest1_fib(RTM_DELETE, info, NULL, fibnum); if (error == 0) { info.rti_ifa = ifa; info.rti_flags = flags | RTF_RNH_LOCKED | ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r250766 - head/sys/net
Author: melifaro Date: Sat May 18 08:14:21 2013 New Revision: 250766 URL: http://svnweb.freebsd.org/changeset/base/250766 Log: Use separate function to update mbuf checksum flags instead of duplicating the same code in different places. MFC after:2 weeks Modified: head/sys/net/if_ethersubr.c Modified: head/sys/net/if_ethersubr.c == --- head/sys/net/if_ethersubr.c Sat May 18 07:16:20 2013(r250765) +++ head/sys/net/if_ethersubr.c Sat May 18 08:14:21 2013(r250766) @@ -141,6 +141,22 @@ static MALLOC_DEFINE(M_ARPCOM, arpcom, #define senderr(e) do { error = (e); goto bad;} while (0) +static void +update_mbuf_csumflags(struct mbuf *src, struct mbuf *dst) +{ + int csum_flags = 0; + + if (src-m_pkthdr.csum_flags CSUM_IP) + csum_flags |= (CSUM_IP_CHECKED|CSUM_IP_VALID); + if (src-m_pkthdr.csum_flags CSUM_DELAY_DATA) + csum_flags |= (CSUM_DATA_VALID|CSUM_PSEUDO_HDR); + if (src-m_pkthdr.csum_flags CSUM_SCTP) + csum_flags |= CSUM_SCTP_VALID; + dst-m_pkthdr.csum_flags |= csum_flags; + if (csum_flags CSUM_DATA_VALID) + dst-m_pkthdr.csum_data = 0x; +} + /* * Ethernet output routine. * Encapsulate a packet of type family for the local net. @@ -300,15 +316,7 @@ ether_output(struct ifnet *ifp, struct m } if (lle != NULL (lle-la_flags LLE_IFADDR)) { - int csum_flags = 0; - if (m-m_pkthdr.csum_flags CSUM_IP) - csum_flags |= (CSUM_IP_CHECKED|CSUM_IP_VALID); - if (m-m_pkthdr.csum_flags CSUM_DELAY_DATA) - csum_flags |= (CSUM_DATA_VALID|CSUM_PSEUDO_HDR); - if (m-m_pkthdr.csum_flags CSUM_SCTP) - csum_flags |= CSUM_SCTP_VALID; - m-m_pkthdr.csum_flags |= csum_flags; - m-m_pkthdr.csum_data = 0x; + update_mbuf_csumflags(m, m); return (if_simloop(ifp, m, dst-sa_family, 0)); } 
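Review bot: The first converted call site in ether_output() (the `LLE_IFADDR` branch) used to set `m->m_pkthdr.csum_data` unconditionally, while update_mbuf_csumflags() sets it only when the computed flags include CSUM_DATA_VALID, so this is a small behaviour change rather than the pure de-duplication the log describes. It is probably intended, since it matches what the other two call sites already did, but it deserves a sentence in the log. The helper would also read better with a short comment, e.g. `/* Mark checksums of a packet looped back via if_simloop() as already verified. */`, and with `src` declared `const struct mbuf *`. ether_output() extends beyond the hunks.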
@@ -341,15 +349,6 @@ ether_output(struct ifnet *ifp, struct m */ if ((ifp-if_flags IFF_SIMPLEX) loop_copy ((t = pf_find_mtag(m)) == NULL || !t-routed)) { - int csum_flags = 0; - - if (m-m_pkthdr.csum_flags CSUM_IP) - csum_flags |= (CSUM_IP_CHECKED|CSUM_IP_VALID); - if (m-m_pkthdr.csum_flags CSUM_DELAY_DATA) - csum_flags |= (CSUM_DATA_VALID|CSUM_PSEUDO_HDR); - if (m-m_pkthdr.csum_flags CSUM_SCTP) - csum_flags |= CSUM_SCTP_VALID; - if (m-m_flags M_BCAST) { struct mbuf *n; @@ -366,17 +365,13 @@ ether_output(struct ifnet *ifp, struct m * See PR kern/105943 for a proposed general solution. */ if ((n = m_dup(m, M_NOWAIT)) != NULL) { - n-m_pkthdr.csum_flags |= csum_flags; - if (csum_flags CSUM_DATA_VALID) - n-m_pkthdr.csum_data = 0x; + update_mbuf_csumflags(m, n); (void)if_simloop(ifp, n, dst-sa_family, hlen); } else ifp-if_iqdrops++; } else if (bcmp(eh-ether_dhost, eh-ether_shost, ETHER_ADDR_LEN) == 0) { - m-m_pkthdr.csum_flags |= csum_flags; - if (csum_flags CSUM_DATA_VALID) - m-m_pkthdr.csum_data = 0x; + update_mbuf_csumflags(m, m); (void) if_simloop(ifp, m, dst-sa_family, hlen); return (0); /* XXX */ } ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r250759 - head/sbin/ipfw
Author: melifaro Date: Sat May 18 04:49:00 2013 New Revision: 250759 URL: http://svnweb.freebsd.org/changeset/base/250759 Log: Fix ipfw(8) sets of ipv6 addresses handling. Conditionally use stack buffer instead of calling strdup(). PR: bin/104921 MFC after:2 weeks Modified: head/sbin/ipfw/ipfw2.c Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Fri May 17 23:14:18 2013(r250758) +++ head/sbin/ipfw/ipfw2.c Sat May 18 04:49:00 2013(r250759) @@ -2779,13 +2779,19 @@ static ipfw_insn * add_src(ipfw_insn *cmd, char *av, u_char proto, int cblen) { struct in6_addr a; - char *host, *ch; + char *host, *ch, buf[INET6_ADDRSTRLEN]; ipfw_insn *ret = NULL; + int len; - if ((host = strdup(av)) == NULL) - return NULL; - if ((ch = strrchr(host, '/')) != NULL) - *ch = '\0'; + /* Copy first address in set if needed */ + if ((ch = strpbrk(av, /,)) != NULL) { + len = ch - av; + strlcpy(buf, av, sizeof(buf)); + if (len sizeof(buf)) + buf[len] = '\0'; + host = buf; + } else + host = av; if (proto == IPPROTO_IPV6 || strcmp(av, me6) == 0 || inet_pton(AF_INET6, host, a) == 1) @@ -2797,7 +2803,6 @@ add_src(ipfw_insn *cmd, char *av, u_char if (ret == NULL strcmp(av, any) != 0) ret = cmd; - free(host); return ret; } @@ -2805,13 +2810,19 @@ static ipfw_insn * add_dst(ipfw_insn *cmd, char *av, u_char proto, int cblen) { struct in6_addr a; - char *host, *ch; + char *host, *ch, buf[INET6_ADDRSTRLEN]; ipfw_insn *ret = NULL; + int len; - if ((host = strdup(av)) == NULL) - return NULL; - if ((ch = strrchr(host, '/')) != NULL) - *ch = '\0'; + /* Copy first address in set if needed */ + if ((ch = strpbrk(av, /,)) != NULL) { + len = ch - av; + strlcpy(buf, av, sizeof(buf)); + if (len sizeof(buf)) + buf[len] = '\0'; + host = buf; + } else + host = av; if (proto == IPPROTO_IPV6 || strcmp(av, me6) == 0 || inet_pton(AF_INET6, host, a) == 1) 
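Review bot: In add_src() an address token longer than `buf` is silently cut by strlcpy(), and the truncated text is then what inet_pton() is asked to parse; the `len < sizeof(buf)` test only skips the terminator write, it does not reject the input. I would treat an over-long token as not being an IPv6 literal, e.g. `if ((size_t)len >= sizeof(buf)) host = av;` ahead of the copy, which also removes the signed/unsigned comparison. add_dst() in the next hunk carries the identical block, so a small shared static helper would keep the two from drifting apart. Both functions continue outside the hunks.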
@@ -2823,7 +2834,6 @@ add_dst(ipfw_insn *cmd, char *av, u_char if (ret == NULL strcmp(av, any) != 0) ret = cmd; - free(host); return ret; } ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r250760 - stable/9/sys/netpfil/ipfw
Author: melifaro Date: Sat May 18 05:31:17 2013 New Revision: 250760 URL: http://svnweb.freebsd.org/changeset/base/250760 Log: Merge r244633, r250246. Use unified IP_FW_ARG_TABLEARG() macro for most tablearg checks. Log real value instead of IP_FW_TABLEARG (65535) in ipfw_log(). Use unified method for accessing / updating cached rule pointers. Modified: stable/9/sys/netpfil/ipfw/ip_fw2.c stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c stable/9/sys/netpfil/ipfw/ip_fw_log.c stable/9/sys/netpfil/ipfw/ip_fw_private.h Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netpfil/ipfw/ip_fw2.c == --- stable/9/sys/netpfil/ipfw/ip_fw2.c Sat May 18 04:49:00 2013 (r250759) +++ stable/9/sys/netpfil/ipfw/ip_fw2.c Sat May 18 05:31:17 2013 (r250760) @@ -782,6 +782,38 @@ set_match(struct ip_fw_args *args, int s } /* + * Helper function to enable cached rule lookups using + * x_next and next_rule fields in ipfw rule. + */ +static int +jump_fast(struct ip_fw_chain *chain, struct ip_fw *f, int num, +int tablearg, int jump_backwards) +{ + int f_pos; + + /* If possible use cached f_pos (in f-next_rule), +* whose version is written in f-next_rule +* (horrible hacks to avoid changing the ABI). +*/ + if (num != IP_FW_TABLEARG (uintptr_t)f-x_next == chain-id) + f_pos = (uintptr_t)f-next_rule; + else { + int i = IP_FW_ARG_TABLEARG(num); + /* make sure we do not jump backward */ + if (jump_backwards == 0 i = f-rulenum) + i = f-rulenum + 1; + f_pos = ipfw_find_rule(chain, i, 0); + /* update the cache */ + if (num != IP_FW_TABLEARG) { + f-next_rule = (void *)(uintptr_t)f_pos; + f-x_next = (void *)(uintptr_t)chain-id; + } + } + + return (f_pos); +} + +/* * The main check routine for the firewall. * * All arguments are in args so we can modify them and return them 
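Review bot: The block comment inside jump_fast() says the cache version "is written in f->next_rule", but the code compares and stores the version in `f->x_next` and keeps the position in `f->next_rule`; the comment should read `whose version is written in f->x_next`. The header comment could also document `jump_backwards`, e.g. `when 0, a target that does not lie after the current rule is replaced by f->rulenum + 1`, and note that `tablearg` is presumably consumed by IP_FW_ARG_TABLEARG(), whose definition is not on this page. The same helper with the same comment is added by r250246 further down the page.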
@@ -1842,8 +1874,7 @@ do { \ case O_TAG: { struct m_tag *mtag; - uint32_t tag = (cmd-arg1 == IP_FW_TABLEARG) ? - tablearg : cmd-arg1; + uint32_t tag = IP_FW_ARG_TABLEARG(cmd-arg1); /* Packet is already tagged with this tag? */ mtag = m_tag_locate(m, MTAG_IPFW, tag, NULL); @@ -1922,8 +1953,7 @@ do { \ case O_TAGGED: { struct m_tag *mtag; - uint32_t tag = (cmd-arg1 == IP_FW_TABLEARG) ? - tablearg : cmd-arg1; + uint32_t tag = IP_FW_ARG_TABLEARG(cmd-arg1); if (cmdlen == 1) { match = m_tag_locate(m, MTAG_IPFW, @@ -2062,8 +2092,7 @@ do { \ case O_PIPE: case O_QUEUE: set_match(args, f_pos, chain); - args-rule.info = (cmd-arg1 == IP_FW_TABLEARG) ? - tablearg : cmd-arg1; + args-rule.info = IP_FW_ARG_TABLEARG(cmd-arg1); if (cmd-opcode == O_PIPE) args-rule.info |= IPFW_IS_PIPE; if (V_fw_one_pass) @@ -2083,8 +2112,7 @@ do { \ retval = (cmd-opcode == O_DIVERT) ? IP_FW_DIVERT : IP_FW_TEE; set_match(args, f_pos, chain); - args-rule.info = (cmd-arg1 == IP_FW_TABLEARG) ? - tablearg : cmd-arg1; + args-rule.info = IP_FW_ARG_TABLEARG(cmd-arg1); break; case O_COUNT: @@ -2098,28 +2126,7 @@ do { \ f-pcnt++; /* update stats */ f-bcnt += pktlen; f-timestamp = time_uptime; - /* If possible use cached f_pos (in f-next_rule), -* whose version is written in f-next_rule -* (horrible hacks to avoid changing the ABI). -*/ - if (cmd-arg1
svn commit: r250761 - stable/9/sys/netpfil/ipfw
Author: melifaro Date: Sat May 18 05:40:59 2013 New Revision: 250761 URL: http://svnweb.freebsd.org/changeset/base/250761 Log: MFC r243711. Use common macros for working with rule/dynamic counters. This is done as preparation to introduce per-cpu ipfw counters. Modified: stable/9/sys/netpfil/ipfw/ip_fw2.c stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c stable/9/sys/netpfil/ipfw/ip_fw_private.h stable/9/sys/netpfil/ipfw/ip_fw_sockopt.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netpfil/ipfw/ip_fw2.c == --- stable/9/sys/netpfil/ipfw/ip_fw2.c Sat May 18 05:31:17 2013 (r250760) +++ stable/9/sys/netpfil/ipfw/ip_fw2.c Sat May 18 05:40:59 2013 (r250761) @@ -2056,8 +2056,7 @@ do { \ * the parent rule by setting * f, cmd, l and clearing cmdlen. */ - q-pcnt++; - q-bcnt += pktlen; + IPFW_INC_DYN_COUNTER(q, pktlen); /* XXX we would like to have f_pos * readily accessible in the dynamic * rule, instead of having to @@ -2116,16 +2115,12 @@ do { \ break; case O_COUNT: - f-pcnt++; /* update stats */ - f-bcnt += pktlen; - f-timestamp = time_uptime; + IPFW_INC_RULE_COUNTER(f, pktlen); l = 0; /* exit inner loop */ break; case O_SKIPTO: - f-pcnt++; /* update stats */ - f-bcnt += pktlen; - f-timestamp = time_uptime; + IPFW_INC_RULE_COUNTER(f, pktlen); f_pos = jump_fast(chain, f, cmd-arg1, tablearg, 0); /* * Skip disabled rules, and re-enter @@ -2201,9 +2196,7 @@ do { \ break; } - f-pcnt++; /* update stats */ - f-bcnt += pktlen; - f-timestamp = time_uptime; + IPFW_INC_RULE_COUNTER(f, pktlen); stack = (uint16_t *)(mtag + 1); /* @@ -2337,9 +2330,7 @@ do { \ case O_SETFIB: { uint32_t fib; - f-pcnt++; /* update stats */ - f-bcnt += pktlen; - f-timestamp = time_uptime; + IPFW_INC_RULE_COUNTER(f, pktlen); fib = IP_FW_ARG_TABLEARG(cmd-arg1); if (fib = rt_numfibs) fib = 0; @@ -2387,8 +2378,7 @@ do { \ case O_REASS: { int ip_off; - f-pcnt++; - f-bcnt += pktlen; + IPFW_INC_RULE_COUNTER(f, pktlen); l = 0; /* in any case exit inner loop */ ip_off = ntohs(ip-ip_off); 
@@ -2457,9 +2447,7 @@ do { \ if (done) { struct ip_fw *rule = chain-map[f_pos]; /* Update statistics */ - rule-pcnt++; - rule-bcnt += pktlen; - rule-timestamp = time_uptime; + IPFW_INC_RULE_COUNTER(rule, pktlen); } else { retval = IP_FW_DENY; printf(ipfw: ouch!, skip past end of rules, denying packet\n); Modified: stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c == --- stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c Sat May 18 05:31:17 2013 (r250760) +++ stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c Sat May 18 05:40:59 2013 (r250761) @@ -594,7 +594,7 @@ add_dyn_rule(struct ipfw_flow_id *id, in r-expire = time_uptime + V_dyn_syn_lifetime; r-rule = rule; r-dyn_type =
svn commit: r250762 - in stable/9: sbin/ipfw sys/netinet sys/netpfil/ipfw
Author: melifaro Date: Sat May 18 05:48:46 2013 New Revision: 250762 URL: http://svnweb.freebsd.org/changeset/base/250762 Log: MFC r248552, r248971 Add ipfw support for setting/matching DiffServ codepoints (DSCP). Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. Dscp can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via tablearg. Matching DSCP is done via another opcode (O_DSCP) which accepts several classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words). Many people made their variants of this patch, the ones I'm aware of are (in alphabetic order): Dmitrii Tejblum Marcelo Araujo Roman Bogorodskiy (novel) Sergey Matveichuk (sem) Sergey Ryabin PR: kern/102471, kern/121122 Fix ipfw rule validation partially broken by r248552. Modified: stable/9/sbin/ipfw/ipfw.8 stable/9/sbin/ipfw/ipfw2.c stable/9/sbin/ipfw/ipfw2.h stable/9/sys/netinet/ip_fw.h stable/9/sys/netpfil/ipfw/ip_fw2.c stable/9/sys/netpfil/ipfw/ip_fw_log.c stable/9/sys/netpfil/ipfw/ip_fw_sockopt.c Directory Properties: stable/9/sbin/ (props changed) stable/9/sbin/ipfw/ (props changed) stable/9/sys/ (props changed) Modified: stable/9/sbin/ipfw/ipfw.8 == --- stable/9/sbin/ipfw/ipfw.8 Sat May 18 05:40:59 2013(r250761) +++ stable/9/sbin/ipfw/ipfw.8 Sat May 18 05:48:46 2013(r250762) 
@@ -948,6 +948,61 @@ Processing continues at the next rule. It is possible to use the .Cm tablearg keyword with a setfib. If tablearg value is not within compiled FIB range packet fib is set to 0. +.It Cm setdscp Ar DSCP | number | tablearg +Set specified DiffServ codepoint for an IPv4/IPv6 packet. +Processing continues at the next rule. +Supported values are: +.Pp +.Cm CS0 +.Pq Dv 00 , +.Cm CS1 +.Pq Dv 001000 , +.Cm CS2 +.Pq Dv 01 , +.Cm CS3 +.Pq Dv 011000 , +.Cm CS4 +.Pq Dv 10 , +.Cm CS5 +.Pq Dv 101000 , +.Cm CS6 +.Pq Dv 11 , +.Cm CS7 +.Pq Dv 111000 , +.Cm AF11 +.Pq Dv 001010 , +.Cm AF12 +.Pq Dv 001100 , +.Cm AF13 +.Pq Dv 001110 , +.Cm AF21 +.Pq Dv 010010 , +.Cm AF22 +.Pq Dv 010100 , +.Cm AF23 +.Pq Dv 010110 , +.Cm AF31 +.Pq Dv 011010 , +.Cm AF32 +.Pq Dv 011100 , +.Cm AF33 +.Pq Dv 00 , +.Cm AF41 +.Pq Dv 100010 , +.Cm AF42 +.Pq Dv 100100 , +.Cm AF43 +.Pq Dv 100110 , +.Cm EF +.Pq Dv 101110 , +.Cm BE +.Pq Dv 00 . +Additionally, DSCP value can be specified by number (0..64). +It is also possible to use the +.Cm tablearg +keyword with setdscp. +If the tablearg value is not within the 0..64 range, lower 6 bits of supplied +value are used. .It Cm reass Queue and reassemble ip fragments. If the packet is not fragmented, counters are updated and processing continues with the next rule. @@ -1436,6 +1491,17 @@ The supported IP types of service are: The absence of a particular type may be denoted with a .Ql \! . +.It Cm dscp spec Ns Op , Ns Ar spec +Matches IPv4/IPv6 packets whose +.Cm DS +field value is contained in +.Ar spec +mask. +Multiple values can be specified via +the comma separated list. +Value can be one of keywords used in +.Cm setdscp +action or exact number. .It Cm ipttl Ar ttl-list Matches IPv4 packets whose time to live is included in .Ar ttl-list , 
@@ -2944,6 +3010,23 @@ configured on but coming in on .Li fxp1 would be dropped. +.Pp +The +.Cm setdscp +option could be used to (re)mark user traffic, +by adding the following to the appropriate place in ruleset: +.Pp +.Dl ipfw add setdscp be ip from any to any dscp af11,af21 +.Pp +This rule drops all incoming packets that appear to be coming from another +directly connected system but on the wrong interface. +For example, a packet with a source address of +.Li 192.168.0.0/24 , +configured on +.Li fxp0 , +but coming in on +.Li fxp1 +would be dropped. .Ss DYNAMIC RULES In order to protect a site from flood attacks involving fake TCP packets, it is safer to use dynamic rules: Modified: stable/9/sbin/ipfw/ipfw2.c == --- stable/9/sbin/ipfw/ipfw2.c Sat May 18 05:40:59 2013(r250761) +++ stable/9/sbin/ipfw/ipfw2.c Sat May 18 05:48:46 2013(r250762) @@ -167,6 +167,32 @@ static struct _s_x f_iptos[] = { { NULL, 0 } }; +static struct _s_x f_ipdscp[] = { + { af11, IPTOS_DSCP_AF11 2 }, /* 001010 */ + { af12, IPTOS_DSCP_AF12 2 }, /* 001100 */ + { af13, IPTOS_DSCP_AF13 2 }, /* 001110 */ + { af21, IPTOS_DSCP_AF21 2 }, /* 010010 */ + { af22, IPTOS_DSCP_AF22 2 }, /* 010100 */ + { af23, IPTOS_DSCP_AF23 2 }, /* 010110 */ + { af31, IPTOS_DSCP_AF31 2 }, /* 011010 */ + { af32, IPTOS_DSCP_AF32 2 }, /* 011100 */ + { af33, IPTOS_DSCP_AF33 2 }, /* 00 */ + {
svn commit: r250246 - head/sys/netpfil/ipfw
Author: melifaro Date: Sat May 4 18:24:30 2013 New Revision: 250246 URL: http://svnweb.freebsd.org/changeset/base/250246 Log: Use unified method for accessing / updating cached rule pointers. MFC after:2 weeks Modified: head/sys/netpfil/ipfw/ip_fw2.c Modified: head/sys/netpfil/ipfw/ip_fw2.c == --- head/sys/netpfil/ipfw/ip_fw2.c Sat May 4 17:21:44 2013 (r250245) +++ head/sys/netpfil/ipfw/ip_fw2.c Sat May 4 18:24:30 2013 (r250246) @@ -780,6 +780,38 @@ set_match(struct ip_fw_args *args, int s } /* + * Helper function to enable cached rule lookups using + * x_next and next_rule fields in ipfw rule. + */ +static int +jump_fast(struct ip_fw_chain *chain, struct ip_fw *f, int num, +int tablearg, int jump_backwards) +{ + int f_pos; + + /* If possible use cached f_pos (in f-next_rule), +* whose version is written in f-next_rule +* (horrible hacks to avoid changing the ABI). +*/ + if (num != IP_FW_TABLEARG (uintptr_t)f-x_next == chain-id) + f_pos = (uintptr_t)f-next_rule; + else { + int i = IP_FW_ARG_TABLEARG(num); + /* make sure we do not jump backward */ + if (jump_backwards == 0 i = f-rulenum) + i = f-rulenum + 1; + f_pos = ipfw_find_rule(chain, i, 0); + /* update the cache */ + if (num != IP_FW_TABLEARG) { + f-next_rule = (void *)(uintptr_t)f_pos; + f-x_next = (void *)(uintptr_t)chain-id; + } + } + + return (f_pos); +} + +/* * The main check routine for the firewall. * * All arguments are in args so we can modify them and return them 
@@ -2123,27 +2155,7 @@ do { \ case O_SKIPTO: IPFW_INC_RULE_COUNTER(f, pktlen); - /* If possible use cached f_pos (in f-next_rule), -* whose version is written in f-next_rule -* (horrible hacks to avoid changing the ABI). -*/ - if (cmd-arg1 != IP_FW_TABLEARG - (uintptr_t)f-x_next == chain-id) { - f_pos = (uintptr_t)f-next_rule; - } else { - int i = IP_FW_ARG_TABLEARG(cmd-arg1); - /* make sure we do not jump backward */ - if (i = f-rulenum) - i = f-rulenum + 1; - f_pos = ipfw_find_rule(chain, i, 0); - /* update the cache */ - if (cmd-arg1 != IP_FW_TABLEARG) { - f-next_rule = - (void *)(uintptr_t)f_pos; - f-x_next = - (void *)(uintptr_t)chain-id; - } - } + f_pos = jump_fast(chain, f, cmd-arg1, tablearg, 0); /* * Skip disabled rules, and re-enter * the inner loop with the correct @@ -2232,25 +2244,8 @@ do { \ if (IS_CALL) { stack[mtag-m_tag_id] = f-rulenum; mtag-m_tag_id++; - if (cmd-arg1 != IP_FW_TABLEARG - (uintptr_t)f-x_next == chain-id) { - f_pos = (uintptr_t)f-next_rule; - } else { - jmpto = IP_FW_ARG_TABLEARG( - cmd-arg1); - f_pos = ipfw_find_rule(chain, - jmpto, 0); - /* update the cache */ - if (cmd-arg1 != - IP_FW_TABLEARG) { - f-next_rule = - (void *)(uintptr_t) - f_pos; - f-x_next = - (void *)(uintptr_t) - chain-id; -
Re: svn commit: r249848 - head/sys/netinet
On 24.04.2013 22:30, Randall Stewart wrote: Author: rrs Date: Wed Apr 24 18:30:32 2013 New Revision: 249848 URL: http://svnweb.freebsd.org/changeset/base/249848 Log: This fixes the issue with the randomly changing default route. What it was is there are two places in ip_output.c where we do a goto again. One place was fine, it copies out the new address and then resets dst = ro-rt_dst; But the other place does *not* do that, which means earlier when we found the gateway, we have dst pointing there aka dst = ro-rt_gateway is done.. then we do a goto again.. bam now we clobber the default route. The fix is just to move the again so we are always doing dst = ro-rt_dst; in the again loop. Wow. Great job! Thanks! PR: 174749,157796 MFC after: 1 week Modified: head/sys/netinet/ip_output.c Modified: head/sys/netinet/ip_output.c == --- head/sys/netinet/ip_output.cWed Apr 24 18:00:28 2013 (r249847) +++ head/sys/netinet/ip_output.cWed Apr 24 18:30:32 2013 (r249848) @@ -196,8 +196,8 @@ ip_output(struct mbuf *m, struct mbuf *o hlen = ip-ip_hl 2; } - dst = (struct sockaddr_in *)ro-ro_dst; again: + dst = (struct sockaddr_in *)ro-ro_dst; ia = NULL; /* * If there is a cached route, ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
Re: svn commit: r249506 - head/sys/net
On 15.04.2013 17:00, Gleb Smirnoff wrote: Author: glebius Date: Mon Apr 15 13:00:42 2013 New Revision: 249506 URL: http://svnweb.freebsd.org/changeset/base/249506 Log: Switch lagg(4) statistics to counter(9). The lagg(4) is often used to bond high speed links, so basic per-packet += on statistics cause cache misses and statistics loss. Lagg is probably the only interface where we really do not need to account (most) per-packet traffic. It is probably better to import statistics from underlying interfaces with callout. Additionally, this approach allows us not to use lagg RX path at all skipping lock (reference patch to ixgbe in the -net@ follows). Perfect solution would be to convert ifnet(9) to counters(9), but this requires much more work, and unfortunately ABI change, so temporarily patch lagg(4) manually. We store counters in the softc, and once per second push their values to legacy ifnet counters. Sponsored by: Nginx, Inc. Modified: head/sys/net/if_lagg.c head/sys/net/if_lagg.h Modified: head/sys/net/if_lagg.c == --- head/sys/net/if_lagg.cMon Apr 15 12:16:24 2013(r249505) +++ head/sys/net/if_lagg.cMon Apr 15 13:00:42 2013(r249506) @@ -153,6 +153,8 @@ static struct mbuf *lagg_lacp_input(stru struct mbuf *); static void lagg_lacp_lladdr(struct lagg_softc *); +static void lagg_callout(void *); + /* lagg protocol table */ static const struct { int ti_proto; @@ -278,6 +280,11 @@ lagg_clone_create(struct if_clone *ifc, return (ENOSPC); } + sc-sc_ipackets = counter_u64_alloc(M_WAITOK); + sc-sc_opackets = counter_u64_alloc(M_WAITOK); + sc-sc_ibytes = counter_u64_alloc(M_WAITOK); + sc-sc_obytes = counter_u64_alloc(M_WAITOK); + sysctl_ctx_init(sc-ctx); snprintf(num, sizeof(num), %u, unit); sc-use_flowid = def_use_flowid; 
@@ -307,6 +314,7 @@ lagg_clone_create(struct if_clone *ifc, LAGG_LOCK_INIT(sc); SLIST_INIT(sc-sc_ports); TASK_INIT(sc-sc_lladdr_task, 0, lagg_port_setlladdr, sc); + callout_init_rw(sc-sc_callout, sc-sc_mtx, CALLOUT_SHAREDLOCK); /* Initialise pseudo media types */ ifmedia_init(sc-sc_media, 0, lagg_media_change, @@ -338,6 +346,8 @@ lagg_clone_create(struct if_clone *ifc, SLIST_INSERT_HEAD(lagg_list, sc, sc_entries); mtx_unlock(lagg_list_mtx); + callout_reset(sc-sc_callout, hz, lagg_callout, sc); + return (0); } @@ -369,6 +379,12 @@ lagg_clone_destroy(struct ifnet *ifp) ether_ifdetach(ifp); if_free(ifp); + callout_drain(sc-sc_callout); + counter_u64_free(sc-sc_ipackets); + counter_u64_free(sc-sc_opackets); + counter_u64_free(sc-sc_ibytes); + counter_u64_free(sc-sc_obytes); + mtx_lock(lagg_list_mtx); SLIST_REMOVE(lagg_list, sc, lagg_softc, sc_entries); mtx_unlock(lagg_list_mtx); @@ -1243,9 +1259,9 @@ lagg_transmit(struct ifnet *ifp, struct LAGG_RUNLOCK(sc); if (error == 0) { - ifp-if_opackets++; + counter_u64_add(sc-sc_opackets, 1); + counter_u64_add(sc-sc_obytes, len); ifp-if_omcasts += mcast; - ifp-if_obytes += len; } else ifp-if_oerrors++; @@ -1281,8 +1297,8 @@ lagg_input(struct ifnet *ifp, struct mbu m = (*sc-sc_input)(sc, lp, m); if (m != NULL) { - scifp-if_ipackets++; - scifp-if_ibytes += m-m_pkthdr.len; + counter_u64_add(sc-sc_ipackets, 1); + counter_u64_add(sc-sc_ibytes, m-m_pkthdr.len); if (scifp-if_flags IFF_MONITOR) { m_freem(m); 
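Review bot: In the lagg_clone_destroy() hunk, `callout_drain(&sc->sc_callout);` runs after `if_free(ifp);`, while lagg_callout() (added at the end of this file) reads `sc->sc_ifp` and stores into `ifp->if_ipackets` and the other legacy counters. If the callout fires between those two calls it would write into an ifnet that has already been released. Moving the drain ahead of `ether_ifdetach(ifp);` would close that window, and the four `counter_u64_free()` calls can stay where they are. lagg_clone_destroy() starts and ends outside the hunk, so confirm that nothing earlier in the function already stops the callout and that the softc lock is not held at the point where the drain would go.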
@@ -1892,3 +1908,17 @@ lagg_lacp_input(struct lagg_softc *sc, s m-m_pkthdr.rcvif = ifp; return (m); } + +static void +lagg_callout(void *arg) +{ + struct lagg_softc *sc = (struct lagg_softc *)arg; + struct ifnet *ifp = sc-sc_ifp; + + ifp-if_ipackets = counter_u64_fetch(sc-sc_ipackets); + ifp-if_opackets = counter_u64_fetch(sc-sc_opackets); + ifp-if_ibytes = counter_u64_fetch(sc-sc_ibytes); + ifp-if_obytes = counter_u64_fetch(sc-sc_obytes); + + callout_reset(sc-sc_callout, hz, lagg_callout, sc); +} Modified: head/sys/net/if_lagg.h == --- head/sys/net/if_lagg.hMon Apr 15 12:16:24 2013(r249505) +++ head/sys/net/if_lagg.hMon Apr 15 13:00:42 2013(r249506) @@ -21,8 +21,6 @@ #ifndef _NET_LAGG_H #define _NET_LAGG_H -#include sys/sysctl.h - /* * Global definitions */ @@ -137,6 +135,9 @@ struct lagg_reqflags { #define SIOCSLAGGHASH_IOW('i', 146, struct lagg_reqflags) #ifdef _KERNEL + +#include
svn commit: r248971 - head/sys/netpfil/ipfw
Author: melifaro Date: Mon Apr 1 11:28:52 2013 New Revision: 248971 URL: http://svnweb.freebsd.org/changeset/base/248971 Log: Fix ipfw rule validation partially broken by r248552. Pointed by: avg MFC with: r248552 Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c == --- head/sys/netpfil/ipfw/ip_fw_sockopt.c Mon Apr 1 10:45:35 2013 (r248970) +++ head/sys/netpfil/ipfw/ip_fw_sockopt.c Mon Apr 1 11:28:52 2013 (r248971) @@ -672,10 +672,6 @@ check_ipfw_struct(struct ip_fw *rule, in case O_IPID: case O_IPTTL: case O_IPLEN: - case O_DSCP: - if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1) - goto bad_size; - break; case O_TCPDATALEN: case O_TCPWIN: case O_TAGGED: @@ -683,6 +679,11 @@ check_ipfw_struct(struct ip_fw *rule, in goto bad_size; break; + case O_DSCP: + if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1) + goto bad_size; + break; + case O_MAC_TYPE: case O_IP_SRCPORT: case O_IP_DSTPORT: /* XXX artificial limit, 30 port pairs */ ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
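Review bot: The relocated `case O_DSCP:` in check_ipfw_struct() tests `cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1` with no comment saying why its size differs from the opcodes around it. That made it easy to drop into the middle of a fall-through list in r248552. Since this function validates rule sizes supplied from userland, a line such as `/* O_DSCP carries a two-word class bitmask: ipfw_insn_u32 plus one extra u32 */` above the case would make the expected layout explicit. check_ipfw_struct() starts and ends outside the hunk.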
Re: svn commit: r248552 - in head: sbin/ipfw sys/netinet sys/netpfil/ipfw
On 01.04.2013 00:50, Andriy Gapon wrote: on 20/03/2013 12:35 Alexander V. Chernikov said the following: Author: melifaro Date: Wed Mar 20 10:35:33 2013 New Revision: 248552 URL: http://svnweb.freebsd.org/changeset/base/248552 Log: Add ipfw support for setting/matching DiffServ codepoints (DSCP). Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. Dscp can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via tablearg. Matching DSCP is done via another opcode (O_DSCP) which accepts several classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words). [snip] Modified: head/sys/netpfil/ipfw/ip_fw_sockopt.c == --- head/sys/netpfil/ipfw/ip_fw_sockopt.cWed Mar 20 09:56:20 2013 (r248551) +++ head/sys/netpfil/ipfw/ip_fw_sockopt.cWed Mar 20 10:35:33 2013 (r248552) @@ -671,6 +671,10 @@ check_ipfw_struct(struct ip_fw *rule, in case O_IPID: case O_IPTTL: case O_IPLEN: +case O_DSCP: +if (cmdlen != F_INSN_SIZE(ipfw_insn_u32) + 1) +goto bad_size; +break; case O_TCPDATALEN: case O_TCPWIN: case O_TAGGED: Could you please double-check this part of the change? Handling of the new O_DSCP opcode is inserted in the middle of the long fall-through list of cases and thus it modifies behavior of the preceding cases. The commit message does not say anything about that. Yes, my fault. I've changed O_DSCP token to accept bitmask instead of single variable and forgot to properly update given part. Fixed in r248971. I've just done my bi-monthly release/upgrade and ipfw now chokes on my ruleset. There is the following message in system log: kernel: ipfw: opcode 0 size 8 wrong Offending rule seems to be: allow ip from any to any via tun* Reverting this commit fixes the problem. Thank you. -- WBR, Alexander ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r248942 - stable/8/sys/net
Author: melifaro Date: Sun Mar 31 10:17:39 2013 New Revision: 248942 URL: http://svnweb.freebsd.org/changeset/base/248942 Log: Merge r248070. Fix long-standing issue with interface routes being unprotected: Use RTM_PINNED flag to mark route as immutable. Forbid deleting immutable routes without special rtrequest1_fib() flag. Adding interface address with prefix already in route table is handled by atomically deleting old prefix and adding interface one. Modified: stable/8/sys/net/if.c stable/8/sys/net/route.c stable/8/sys/net/route.h Directory Properties: stable/8/sys/ (props changed) stable/8/sys/net/ (props changed) Modified: stable/8/sys/net/if.c == --- stable/8/sys/net/if.c Sun Mar 31 08:54:04 2013(r248941) +++ stable/8/sys/net/if.c Sun Mar 31 10:17:39 2013(r248942) @@ -1412,7 +1412,8 @@ if_rtdel(struct radix_node *rn, void *ar return (0); err = rtrequest_fib(RTM_DELETE, rt_key(rt), rt-rt_gateway, - rt_mask(rt), rt-rt_flags|RTF_RNH_LOCKED, + rt_mask(rt), + rt-rt_flags|RTF_RNH_LOCKED|RTF_PINNED, (struct rtentry **) NULL, rt-rt_fibnum); if (err) { log(LOG_WARNING, if_rtdel: error %d\n, err); Modified: stable/8/sys/net/route.c == --- stable/8/sys/net/route.cSun Mar 31 08:54:04 2013(r248941) +++ stable/8/sys/net/route.cSun Mar 31 10:17:39 2013(r248942) @@ -1112,6 +1112,14 @@ rtrequest1_fib(int req, struct rt_addrin error = 0; } #endif + if ((flags RTF_PINNED) == 0) { + /* Check if target route can be deleted */ + rt = (struct rtentry *)rnh-rnh_lookup(dst, + netmask, rnh); + if ((rt != NULL) (rt-rt_flags RTF_PINNED)) + senderr(EADDRINUSE); + } + /* * Remove the item from the tree and return it. * Complain if it is not there and do no more processing. @@ -1439,6 +1447,7 @@ rtinit1(struct ifaddr *ifa, int cmd, int int didwork = 0; int a_failure = 0; static struct sockaddr_dl null_sdl = {sizeof(null_sdl), AF_LINK}; + struct radix_node_head *rnh; if (flags RTF_HOST) { dst = ifa-ifa_dstaddr; 
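Review bot: The new guard in rtrequest1_fib() skips the pinned-route check whenever the caller's `flags` carries RTF_PINNED, so the override lives in the same flag word as ordinary route flags. If that word can be filled from a routing-socket message (the rtsock path is not part of this diff, so this needs confirming), a userland RTM_DELETE that echoes back the flags it read from the route would pass the check; clearing RTF_PINNED where the message flags are copied in would keep the override kernel-only. A comment on the check such as `/* RTF_PINNED in flags is the kernel-internal override for interface routes */` would record the intent. The same hunk appears in the stable/9 merge r248895 further down the page. rtrequest1_fib() starts and ends outside the hunk.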
@@ -1497,7 +1506,6 @@ rtinit1(struct ifaddr *ifa, int cmd, int */ for ( fibnum = startfib; fibnum = endfib; fibnum++) { if (cmd == RTM_DELETE) { - struct radix_node_head *rnh; struct radix_node *rn; /* * Look up an rtentry that is in the routing tree and @@ -1547,7 +1555,8 @@ rtinit1(struct ifaddr *ifa, int cmd, int */ bzero((caddr_t)info, sizeof(info)); info.rti_ifa = ifa; - info.rti_flags = flags | (ifa-ifa_flags ~IFA_RTSELF); + info.rti_flags = flags | + (ifa-ifa_flags ~IFA_RTSELF) | RTF_PINNED; info.rti_info[RTAX_DST] = dst; /* * doing this for compatibility reasons @@ -1559,6 +1568,33 @@ rtinit1(struct ifaddr *ifa, int cmd, int info.rti_info[RTAX_GATEWAY] = ifa-ifa_addr; info.rti_info[RTAX_NETMASK] = netmask; error = rtrequest1_fib(cmd, info, rt, fibnum); + + if ((error == EEXIST) (cmd == RTM_ADD)) { + /* +* Interface route addition failed. +* Atomically delete current prefix generating +* RTM_DELETE message, and retry adding +* interface prefix. +*/ + rnh = rt_tables_get_rnh(fibnum, dst-sa_family); + RADIX_NODE_HEAD_LOCK(rnh); + + /* Delete old prefix */ + info.rti_ifa = NULL; + info.rti_flags = RTF_RNH_LOCKED; + + error = rtrequest1_fib(RTM_DELETE, info, rt, fibnum); + if (error == 0) { + info.rti_ifa = ifa; + info.rti_flags = flags | RTF_RNH_LOCKED | + (ifa-ifa_flags ~IFA_RTSELF) | RTF_PINNED; + error = rtrequest1_fib(cmd, info, rt, fibnum); + } + + RADIX_NODE_HEAD_UNLOCK(rnh); + } + + if (error == 0 rt != NULL) { /*
svn commit: r248943 - stable/8/sys/net
Author: melifaro Date: Sun Mar 31 10:20:29 2013 New Revision: 248943 URL: http://svnweb.freebsd.org/changeset/base/248943 Log: MFC r247842. Write lock is not required for findcompare operation. Modified: stable/8/sys/net/route.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/net/ (props changed) Modified: stable/8/sys/net/route.c == --- stable/8/sys/net/route.cSun Mar 31 10:17:39 2013(r248942) +++ stable/8/sys/net/route.cSun Mar 31 10:20:29 2013(r248943) @@ -1515,7 +1515,7 @@ rtinit1(struct ifaddr *ifa, int cmd, int if (rnh == NULL) /* this table doesn't exist but others might */ continue; - RADIX_NODE_HEAD_LOCK(rnh); + RADIX_NODE_HEAD_RLOCK(rnh); #ifdef RADIX_MPATH if (rn_mpath_capable(rnh)) { @@ -1544,7 +1544,7 @@ rtinit1(struct ifaddr *ifa, int cmd, int (rn-rn_flags RNF_ROOT) || RNTORT(rn)-rt_ifa != ifa || !sa_equal((struct sockaddr *)rn-rn_key, dst)); - RADIX_NODE_HEAD_UNLOCK(rnh); + RADIX_NODE_HEAD_RUNLOCK(rnh); if (error) { /* this is only an error if bad on ALL tables */ continue; ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r248895 - stable/9/sys/net
Author: melifaro Date: Fri Mar 29 16:24:20 2013 New Revision: 248895 URL: http://svnweb.freebsd.org/changeset/base/248895 Log: Merge 248070. Fix long-standing issue with interface routes being unprotected: Use RTM_PINNED flag to mark route as immutable. Forbid deleting immutable routes without special rtrequest1_fib() flag. Adding interface address with prefix already in route table is handled by atomically deleting old prefix and adding interface one. Modified: stable/9/sys/net/if.c stable/9/sys/net/route.c stable/9/sys/net/route.h Directory Properties: stable/9/sys/ (props changed) stable/9/sys/net/ (props changed) Modified: stable/9/sys/net/if.c == --- stable/9/sys/net/if.c Fri Mar 29 16:16:50 2013(r248894) +++ stable/9/sys/net/if.c Fri Mar 29 16:24:20 2013(r248895) @@ -1379,7 +1379,8 @@ if_rtdel(struct radix_node *rn, void *ar return (0); err = rtrequest_fib(RTM_DELETE, rt_key(rt), rt-rt_gateway, - rt_mask(rt), rt-rt_flags|RTF_RNH_LOCKED, + rt_mask(rt), + rt-rt_flags|RTF_RNH_LOCKED|RTF_PINNED, (struct rtentry **) NULL, rt-rt_fibnum); if (err) { log(LOG_WARNING, if_rtdel: error %d\n, err); Modified: stable/9/sys/net/route.c == --- stable/9/sys/net/route.cFri Mar 29 16:16:50 2013(r248894) +++ stable/9/sys/net/route.cFri Mar 29 16:24:20 2013(r248895) @@ -1112,6 +1112,14 @@ rtrequest1_fib(int req, struct rt_addrin error = 0; } #endif + if ((flags RTF_PINNED) == 0) { + /* Check if target route can be deleted */ + rt = (struct rtentry *)rnh-rnh_lookup(dst, + netmask, rnh); + if ((rt != NULL) (rt-rt_flags RTF_PINNED)) + senderr(EADDRINUSE); + } + /* * Remove the item from the tree and return it. * Complain if it is not there and do no more processing. @@ -1435,6 +1443,7 @@ rtinit1(struct ifaddr *ifa, int cmd, int int didwork = 0; int a_failure = 0; static struct sockaddr_dl null_sdl = {sizeof(null_sdl), AF_LINK}; + struct radix_node_head *rnh; if (flags RTF_HOST) { dst = ifa-ifa_dstaddr; 
@@ -1493,7 +1502,6 @@ rtinit1(struct ifaddr *ifa, int cmd, int */ for ( fibnum = startfib; fibnum = endfib; fibnum++) { if (cmd == RTM_DELETE) { - struct radix_node_head *rnh; struct radix_node *rn; /* * Look up an rtentry that is in the routing tree and @@ -1543,7 +1551,8 @@ rtinit1(struct ifaddr *ifa, int cmd, int */ bzero((caddr_t)info, sizeof(info)); info.rti_ifa = ifa; - info.rti_flags = flags | (ifa-ifa_flags ~IFA_RTSELF); + info.rti_flags = flags | + (ifa-ifa_flags ~IFA_RTSELF) | RTF_PINNED; info.rti_info[RTAX_DST] = dst; /* * doing this for compatibility reasons @@ -1555,6 +1564,33 @@ rtinit1(struct ifaddr *ifa, int cmd, int info.rti_info[RTAX_GATEWAY] = ifa-ifa_addr; info.rti_info[RTAX_NETMASK] = netmask; error = rtrequest1_fib(cmd, info, rt, fibnum); + + if ((error == EEXIST) (cmd == RTM_ADD)) { + /* +* Interface route addition failed. +* Atomically delete current prefix generating +* RTM_DELETE message, and retry adding +* interface prefix. +*/ + rnh = rt_tables_get_rnh(fibnum, dst-sa_family); + RADIX_NODE_HEAD_LOCK(rnh); + + /* Delete old prefix */ + info.rti_ifa = NULL; + info.rti_flags = RTF_RNH_LOCKED; + + error = rtrequest1_fib(RTM_DELETE, info, rt, fibnum); + if (error == 0) { + info.rti_ifa = ifa; + info.rti_flags = flags | RTF_RNH_LOCKED | + (ifa-ifa_flags ~IFA_RTSELF) | RTF_PINNED; + error = rtrequest1_fib(cmd, info, rt, fibnum); + } + + RADIX_NODE_HEAD_UNLOCK(rnh); + } + + if (error == 0 rt != NULL) { /*
svn commit: r248743 - stable/9/sys/net
Author: melifaro Date: Tue Mar 26 18:57:25 2013 New Revision: 248743 URL: http://svnweb.freebsd.org/changeset/base/248743 Log: Permit changing MTU in 6to4 relay. This behavior is recommended by RFC 4213 clause 3.2. Sometimes fragmentation is the least evil. For example, some Linux IPVS kernels forwards ICMPv6 checksums to real servers incorrectly. Modified: stable/9/sys/net/if_stf.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/net/ (props changed) Modified: stable/9/sys/net/if_stf.c == --- stable/9/sys/net/if_stf.c Tue Mar 26 18:46:40 2013(r248742) +++ stable/9/sys/net/if_stf.c Tue Mar 26 18:57:25 2013(r248743) @@ -799,7 +799,7 @@ stf_rtrequest(cmd, rt, info) struct rt_addrinfo *info; { RT_LOCK_ASSERT(rt); - rt-rt_rmx.rmx_mtu = IPV6_MMTU; + rt-rt_rmx.rmx_mtu = rt-rt_ifp-if_mtu; } static int @@ -812,7 +812,7 @@ stf_ioctl(ifp, cmd, data) struct ifreq *ifr; struct sockaddr_in6 *sin6; struct in_addr addr; - int error; + int error, mtu; error = 0; switch (cmd) { @@ -846,6 +846,18 @@ stf_ioctl(ifp, cmd, data) error = EAFNOSUPPORT; break; + case SIOCGIFMTU: + break; + + case SIOCSIFMTU: + ifr = (struct ifreq *)data; + mtu = ifr-ifr_mtu; + /* RFC 4213 3.2 ideal world MTU */ + if (mtu IPV6_MINMTU || mtu IF_MAXMTU - 20) + return (EINVAL); + ifp-if_mtu = mtu; + break; + default: error = EINVAL; break; ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
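Review bot: The SIOCSIFMTU case in stf_ioctl() bounds the value with `mtu > IF_MAXMTU - 20`, where the bare 20 is presumably the outer IPv4 header. A named constant or `IF_MAXMTU - (int)sizeof(struct ip)` would make that explicit. The case also leaves through `return (EINVAL);` while the neighbouring cases set `error` and `break`, so `error = EINVAL; break;` would match the rest of the switch and keep a single exit path. The identical hunk is quoted again in the follow-up message for r248743. stf_ioctl() starts and ends outside the hunk.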
Re: svn commit: r248743 - stable/9/sys/net
On 26.03.2013 22:57, Alexander V. Chernikov wrote: Author: melifaro Date: Tue Mar 26 18:57:25 2013 New Revision: 248743 URL: http://svnweb.freebsd.org/changeset/base/248743 Log: Merge r238492. Permit changing MTU in 6to4 relay. This behavior is recommended by RFC 4213 clause 3.2. Sometimes fragmentation is the least evil. For example, some Linux IPVS kernels forwards ICMPv6 checksums to real servers incorrectly. Modified: stable/9/sys/net/if_stf.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/net/ (props changed) Modified: stable/9/sys/net/if_stf.c == --- stable/9/sys/net/if_stf.c Tue Mar 26 18:46:40 2013(r248742) +++ stable/9/sys/net/if_stf.c Tue Mar 26 18:57:25 2013(r248743) @@ -799,7 +799,7 @@ stf_rtrequest(cmd, rt, info) struct rt_addrinfo *info; { RT_LOCK_ASSERT(rt); - rt-rt_rmx.rmx_mtu = IPV6_MMTU; + rt-rt_rmx.rmx_mtu = rt-rt_ifp-if_mtu; } static int @@ -812,7 +812,7 @@ stf_ioctl(ifp, cmd, data) struct ifreq *ifr; struct sockaddr_in6 *sin6; struct in_addr addr; - int error; + int error, mtu; error = 0; switch (cmd) { @@ -846,6 +846,18 @@ stf_ioctl(ifp, cmd, data) error = EAFNOSUPPORT; break; + case SIOCGIFMTU: + break; + + case SIOCSIFMTU: + ifr = (struct ifreq *)data; + mtu = ifr-ifr_mtu; + /* RFC 4213 3.2 ideal world MTU */ + if (mtu IPV6_MINMTU || mtu IF_MAXMTU - 20) + return (EINVAL); + ifp-if_mtu = mtu; + break; + default: error = EINVAL; break; -- WBR, Alexander ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r248705 - head/sys/dev/ipmi
Author: melifaro Date: Mon Mar 25 14:30:34 2013 New Revision: 248705 URL: http://svnweb.freebsd.org/changeset/base/248705 Log: Unlock IPMI sc while performing requests via KCS and SMIC interfaces. It is already done in SSIF interface code. This reduces contention/spinning reported by many users. PR: kern/172166 Submitted by: Eric van Gyzen eric at vangyzen.net MFC after:2 weeks Modified: head/sys/dev/ipmi/ipmi_kcs.c head/sys/dev/ipmi/ipmi_smic.c Modified: head/sys/dev/ipmi/ipmi_kcs.c == --- head/sys/dev/ipmi/ipmi_kcs.cMon Mar 25 13:58:17 2013 (r248704) +++ head/sys/dev/ipmi/ipmi_kcs.cMon Mar 25 14:30:34 2013 (r248705) @@ -456,6 +456,7 @@ kcs_loop(void *arg) IPMI_LOCK(sc); while ((req = ipmi_dequeue_request(sc)) != NULL) { + IPMI_UNLOCK(sc); ok = 0; for (i = 0; i 3 !ok; i++) ok = kcs_polled_request(sc, req); @@ -463,6 +464,7 @@ kcs_loop(void *arg) req-ir_error = 0; else req-ir_error = EIO; + IPMI_LOCK(sc); ipmi_complete_request(sc, req); } IPMI_UNLOCK(sc); Modified: head/sys/dev/ipmi/ipmi_smic.c == --- head/sys/dev/ipmi/ipmi_smic.c Mon Mar 25 13:58:17 2013 (r248704) +++ head/sys/dev/ipmi/ipmi_smic.c Mon Mar 25 14:30:34 2013 (r248705) @@ -362,6 +362,7 @@ smic_loop(void *arg) IPMI_LOCK(sc); while ((req = ipmi_dequeue_request(sc)) != NULL) { + IPMI_UNLOCK(sc); ok = 0; for (i = 0; i 3 !ok; i++) ok = smic_polled_request(sc, req); @@ -369,6 +370,7 @@ smic_loop(void *arg) req-ir_error = 0; else req-ir_error = EIO; + IPMI_LOCK(sc); ipmi_complete_request(sc, req); } IPMI_UNLOCK(sc); ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
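Review bot: In kcs_loop() the request is now processed and `req->ir_error` is written with the softc lock dropped, and nothing in the loop says why that is safe. A comment at the new `IPMI_UNLOCK(sc);` such as `/* req is off the queue and owned by this thread; drop the lock across the polled I/O */` would record the assumption, which should be confirmed against ipmi_dequeue_request(), not shown here. The smic_loop() hunk in ipmi_smic.c makes the same change and wants the same comment. Both functions start and end outside their hunks, so it cannot be checked from this page whether the surrounding code tolerates softc state changing while the lock is released.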
svn commit: r248546 - stable/9/sys/net
Author: melifaro Date: Wed Mar 20 07:20:00 2013 New Revision: 248546 URL: http://svnweb.freebsd.org/changeset/base/248546 Log: Merge r247842. Write lock is not required for findcompare operation. Modified: stable/9/sys/net/route.c Directory Properties: stable/9/sys/ (props changed) stable/9/sys/net/ (props changed) Modified: stable/9/sys/net/route.c == --- stable/9/sys/net/route.cWed Mar 20 06:35:03 2013(r248545) +++ stable/9/sys/net/route.cWed Mar 20 07:20:00 2013(r248546) @@ -1503,7 +1503,7 @@ rtinit1(struct ifaddr *ifa, int cmd, int if (rnh == NULL) /* this table doesn't exist but others might */ continue; - RADIX_NODE_HEAD_LOCK(rnh); + RADIX_NODE_HEAD_RLOCK(rnh); #ifdef RADIX_MPATH if (rn_mpath_capable(rnh)) { @@ -1532,7 +1532,7 @@ rtinit1(struct ifaddr *ifa, int cmd, int (rn-rn_flags RNF_ROOT) || RNTORT(rn)-rt_ifa != ifa || !sa_equal((struct sockaddr *)rn-rn_key, dst)); - RADIX_NODE_HEAD_UNLOCK(rnh); + RADIX_NODE_HEAD_RUNLOCK(rnh); if (error) { /* this is only an error if bad on ALL tables */ continue; ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r248552 - in head: sbin/ipfw sys/netinet sys/netpfil/ipfw
Author: melifaro Date: Wed Mar 20 10:35:33 2013 New Revision: 248552 URL: http://svnweb.freebsd.org/changeset/base/248552 Log: Add ipfw support for setting/matching DiffServ codepoints (DSCP). Setting DSCP support is done via O_SETDSCP which works for both IPv4 and IPv6 packets. Fast checksum recalculation (RFC 1624) is done for IPv4. Dscp can be specified by name (AFXY, CSX, BE, EF), by value (0..63) or via tablearg. Matching DSCP is done via another opcode (O_DSCP) which accepts several classes at once (af11,af22,be). Classes are stored in bitmask (2 u32 words). Many people made their variants of this patch, the ones I'm aware of are (in alphabetic order): Dmitrii Tejblum Marcelo Araujo Roman Bogorodskiy (novel) Sergey Matveichuk (sem) Sergey Ryabin PR: kern/102471, kern/121122 MFC after:2 weeks Modified: head/sbin/ipfw/ipfw.8 head/sbin/ipfw/ipfw2.c head/sbin/ipfw/ipfw2.h head/sys/netinet/ip_fw.h head/sys/netpfil/ipfw/ip_fw2.c head/sys/netpfil/ipfw/ip_fw_log.c head/sys/netpfil/ipfw/ip_fw_sockopt.c Modified: head/sbin/ipfw/ipfw.8 == --- head/sbin/ipfw/ipfw.8 Wed Mar 20 09:56:20 2013(r248551) +++ head/sbin/ipfw/ipfw.8 Wed Mar 20 10:35:33 2013(r248552) 
@@ -960,6 +960,61 @@ It is possible to use the keyword with setfib. If the tablearg value is not within the compiled range of fibs, the packet's fib is set to 0. +.It Cm setdscp Ar DSCP | number | tablearg +Set specified DiffServ codepoint for an IPv4/IPv6 packet. +Processing continues at the next rule. +Supported values are: +.Pp +.Cm CS0 +.Pq Dv 00 , +.Cm CS1 +.Pq Dv 001000 , +.Cm CS2 +.Pq Dv 01 , +.Cm CS3 +.Pq Dv 011000 , +.Cm CS4 +.Pq Dv 10 , +.Cm CS5 +.Pq Dv 101000 , +.Cm CS6 +.Pq Dv 11 , +.Cm CS7 +.Pq Dv 111000 , +.Cm AF11 +.Pq Dv 001010 , +.Cm AF12 +.Pq Dv 001100 , +.Cm AF13 +.Pq Dv 001110 , +.Cm AF21 +.Pq Dv 010010 , +.Cm AF22 +.Pq Dv 010100 , +.Cm AF23 +.Pq Dv 010110 , +.Cm AF31 +.Pq Dv 011010 , +.Cm AF32 +.Pq Dv 011100 , +.Cm AF33 +.Pq Dv 00 , +.Cm AF41 +.Pq Dv 100010 , +.Cm AF42 +.Pq Dv 100100 , +.Cm AF43 +.Pq Dv 100110 , +.Cm EF +.Pq Dv 101110 , +.Cm BE +.Pq Dv 00 . +Additionally, DSCP value can be specified by number (0..64). +It is also possible to use the +.Cm tablearg +keyword with setdscp. +If the tablearg value is not within the 0..64 range, lower 6 bits of supplied +value are used. .It Cm reass Queue and reassemble IP fragments. If the packet is not fragmented, counters are updated and @@ -1454,6 +1509,17 @@ The supported IP types of service are: The absence of a particular type may be denoted with a .Ql \! . +.It Cm dscp spec Ns Op , Ns Ar spec +Matches IPv4/IPv6 packets whose +.Cm DS +field value is contained in +.Ar spec +mask. +Multiple values can be specified via +the comma separated list. +Value can be one of keywords used in +.Cm setdscp +action or exact number. .It Cm ipttl Ar ttl-list Matches IPv4 packets whose time to live is included in .Ar ttl-list , 
@@ -2976,6 +3042,23 @@ configured on but coming in on .Li fxp1 would be dropped. +.Pp +The +.Cm setdscp +option could be used to (re)mark user traffic, +by adding the following to the appropriate place in ruleset: +.Pp +.Dl ipfw add setdscp be ip from any to any dscp af11,af21 +.Pp +This rule drops all incoming packets that appear to be coming from another +directly connected system but on the wrong interface. +For example, a packet with a source address of +.Li 192.168.0.0/24 , +configured on +.Li fxp0 , +but coming in on +.Li fxp1 +would be dropped. .Ss DYNAMIC RULES In order to protect a site from flood attacks involving fake TCP packets, it is safer to use dynamic rules: Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Wed Mar 20 09:56:20 2013(r248551) +++ head/sbin/ipfw/ipfw2.c Wed Mar 20 10:35:33 2013(r248552) @@ -167,6 +167,32 @@ static struct _s_x f_iptos[] = { { NULL, 0 } }; +static struct _s_x f_ipdscp[] = { + { af11, IPTOS_DSCP_AF11 2 }, /* 001010 */ + { af12, IPTOS_DSCP_AF12 2 }, /* 001100 */ + { af13, IPTOS_DSCP_AF13 2 }, /* 001110 */ + { af21, IPTOS_DSCP_AF21 2 }, /* 010010 */ + { af22, IPTOS_DSCP_AF22 2 }, /* 010100 */ + { af23, IPTOS_DSCP_AF23 2 }, /* 010110 */ + { af31, IPTOS_DSCP_AF31 2 }, /* 011010 */ + { af32, IPTOS_DSCP_AF32 2 }, /* 011100 */ + { af33, IPTOS_DSCP_AF33 2 }, /* 00 */ + { af41, IPTOS_DSCP_AF41 2 }, /* 100010 */ + { af42, IPTOS_DSCP_AF42 2 }, /* 100100 */ + { af43, IPTOS_DSCP_AF43 2 }, /* 100110 */ + { be, IPTOS_DSCP_CS0 2 }, /* 00 */ + { ef, IPTOS_DSCP_EF 2 }, /* 101110 */ + { cs0, IPTOS_DSCP_CS0 2 }, /* 00 */ +
svn commit: r248553 - head/sbin/ipfw
Author: melifaro Date: Wed Mar 20 10:36:38 2013 New Revision: 248553 URL: http://svnweb.freebsd.org/changeset/base/248553 Log: Remove unused variable. Modified: head/sbin/ipfw/ipfw2.c Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Wed Mar 20 10:35:33 2013(r248552) +++ head/sbin/ipfw/ipfw2.c Wed Mar 20 10:36:38 2013(r248553) @@ -4122,10 +4122,9 @@ ipfw_table_handler(int ac, char *av[]) int do_add; int is_all; size_t len; - uint32_t a, mask; + uint32_t a; uint32_t tables_max; - mask = 0; // XXX uninitialized ? len = sizeof(tables_max); if (sysctlbyname(net.inet.ip.fw.tables_max, tables_max, len, NULL, 0) == -1) { ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r248497 - stable/9/sys/netpfil/ipfw
Author: melifaro Date: Tue Mar 19 12:42:14 2013 New Revision: 248497 URL: http://svnweb.freebsd.org/changeset/base/248497 Log: MFC r247626. Fix callout expiring dynamic rules. PR: kern/175530 Submitted by: Vladimir Spiridenkov v...@gtn.ru Modified: stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c == --- stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c Tue Mar 19 12:35:33 2013 (r248496) +++ stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c Tue Mar 19 12:42:14 2013 (r248497) @@ -982,8 +982,8 @@ ipfw_dyn_tick(void * vnetx) chain = V_layer3_chain; - /* Run keepalive checks every keepalive_interval iff ka is enabled */ - if ((V_dyn_keepalive_last + V_dyn_keepalive_interval = time_uptime) + /* Run keepalive checks every keepalive_period iff ka is enabled */ + if ((V_dyn_keepalive_last + V_dyn_keepalive_period = time_uptime) (V_dyn_keepalive != 0)) { V_dyn_keepalive_last = time_uptime; check_ka = 1; @@ -1322,7 +1322,7 @@ ipfw_dyn_init(struct ip_fw_chain *chain) V_dyn_keepalive_interval = 20; V_dyn_keepalive_period = 5; V_dyn_keepalive = 1;/* do send keepalives */ - V_dyn_keepalive = time_uptime; + V_dyn_keepalive_last = time_uptime; V_dyn_max = 4096; /* max # of dynamic rules */ ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r248505 - stable/9/sbin/ipfw
Author: melifaro Date: Tue Mar 19 13:29:01 2013 New Revision: 248505 URL: http://svnweb.freebsd.org/changeset/base/248505 Log: Merge r247666, r247712, r247811. Fix ipfw table argument parsing/printing. Fix style. PR: kern/175909 Submitted by: Daniel Hagerty h...@linnaean.org Implement buffer size checking in ipfw(8) add cmd. PR: bin/65961 Submitted by: Eugene Grosbein eu...@grosbein.pp.ru Do not suddenly fail on some rulesets if -n (syntax check only) is specified and ipfw(4) module is not loaded. Modified: stable/9/sbin/ipfw/ipfw2.c stable/9/sbin/ipfw/ipfw2.h stable/9/sbin/ipfw/ipv6.c Directory Properties: stable/9/sbin/ (props changed) stable/9/sbin/ipfw/ (props changed) Modified: stable/9/sbin/ipfw/ipfw2.c == --- stable/9/sbin/ipfw/ipfw2.c Tue Mar 19 13:21:39 2013(r248504) +++ stable/9/sbin/ipfw/ipfw2.c Tue Mar 19 13:29:01 2013(r248505) @@ -64,6 +64,22 @@ int ipfw_socket = -1; #define s6_addr32 __u6_addr.__u6_addr32 #endif +#defineCHECK_LENGTH(v, len) do { \ + if ((v) (len))\ + errx(EX_DATAERR, Rule too long); \ + } while (0) +/* + * Check if we have enough space in cmd buffer. Note that since + * first 8? u32 words are reserved by reserved header, full cmd + * buffer can't be used, so we need to protect from buffer overrun + * only. At the beginnig, cblen is less than actual buffer size by + * size of ipfw_insn_u32 instruction + 1 u32 work. This eliminates need + * for checking small instructions fitting in given range. + * We also (ab)use the fact that ipfw_insn is always the first field + * for any custom instruction. + */ +#defineCHECK_CMDLENCHECK_LENGTH(cblen, F_LEN((ipfw_insn *)cmd)) + #define GET_UINT_ARG(arg, min, max, tok, s_x) do { \ if (!av[0]) \ errx(EX_USAGE, %s: missing argument, match_value(s_x, tok)); \ 
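Review bot: `CHECK_CMDLEN` expands to `CHECK_LENGTH(cblen, F_LEN((ipfw_insn *)cmd))`, so it silently depends on the caller having locals named `cblen` and `cmd`, and on `cmd->len` having been set first. The block comment above it does not mention either requirement. Since this macro is the bounds check on the rule buffer, add a line such as `/* Uses the caller's cblen and cmd; invoke only after cmd->len has been set. */`. The fill_iface() and fill_comment() hunks that follow do call it after setting the length. The same comment has two typos worth fixing while there: "beginnig" and "1 u32 work" (word).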
@@ -653,7 +669,7 @@ strtoport(char *s, char **end, int base, * Fill the body of the command with the list of port ranges. */ static int -fill_newports(ipfw_insn_u16 *cmd, char *av, int proto) +fill_newports(ipfw_insn_u16 *cmd, char *av, int proto, int cblen) { uint16_t a, b, *p = cmd-ports; int i = 0; @@ -664,6 +680,8 @@ fill_newports(ipfw_insn_u16 *cmd, char * if (s == av)/* empty or invalid argument */ return (0); + CHECK_LENGTH(cblen, i + 2); + switch (*s) { case '-': /* a range */ av = s + 1; @@ -2067,7 +2085,7 @@ lookup_host (char *host, struct in_addr * We can have multiple comma-separated address/mask entries. */ static void -fill_ip(ipfw_insn_ip *cmd, char *av) +fill_ip(ipfw_insn_ip *cmd, char *av, int cblen) { int len = 0; uint32_t *d = ((ipfw_insn_u32 *)cmd)-d; @@ -2107,6 +2125,8 @@ fill_ip(ipfw_insn_ip *cmd, char *av) int masklen; char md, nd = '\0'; + CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn) + 2 + len); + if (p) { md = *p; *p++ = '\0'; @@ -2365,11 +2385,13 @@ ipfw_delete(char *av[]) * patterns which match interfaces. */ static void -fill_iface(ipfw_insn_if *cmd, char *arg) +fill_iface(ipfw_insn_if *cmd, char *arg, int cblen) { cmd-name[0] = '\0'; cmd-o.len |= F_INSN_SIZE(ipfw_insn_if); + CHECK_CMDLEN; + /* Parse the interface or address */ if (strcmp(arg, any) == 0) cmd-o.len = 0; /* effectively ignore this command */ @@ -2440,8 +2462,10 @@ get_mac_addr_mask(const char *p, uint8_t * the new command in case it has been clobbered before. */ static ipfw_insn * -next_cmd(ipfw_insn *cmd) +next_cmd(ipfw_insn *cmd, int *len) { + *len -= F_LEN(cmd); + CHECK_LENGTH(*len, 0); cmd += F_LEN(cmd); bzero(cmd, sizeof(*cmd)); return cmd; @@ -2451,7 +2475,7 @@ next_cmd(ipfw_insn *cmd) * Takes arguments and copies them into a comment */ static void -fill_comment(ipfw_insn *cmd, char **av) +fill_comment(ipfw_insn *cmd, char **av, int cblen) { int i, l; char *p = (char *)(cmd + 1); 
@@ -2469,6 +2493,8 @@ fill_comment(ipfw_insn *cmd, char **av) comment too long (max 80 chars)); l = 1 + (l+3)/4; cmd-len = (cmd-len (F_NOT | F_OR)) | l; + CHECK_CMDLEN; + for (i = 0; av[i] != NULL; i++) { strcpy(p, av[i]); p += strlen(av[i]); @@ -2494,7 +2520,7 @@ fill_cmd(ipfw_insn *cmd, enum ipfw_opcod * two microinstructions, and returns the pointer to the last one. */ static ipfw_insn * -add_mac(ipfw_insn *cmd, char *av[]) +add_mac(ipfw_insn
svn commit: r248506 - stable/9/usr.bin/netstat
Author: melifaro Date: Tue Mar 19 13:36:19 2013 New Revision: 248506 URL: http://svnweb.freebsd.org/changeset/base/248506 Log: Merge r248112. Document netstat -Q flags meaning. Modified: stable/9/usr.bin/netstat/netstat.1 Directory Properties: stable/9/usr.bin/ (props changed) stable/9/usr.bin/netstat/ (props changed) Modified: stable/9/usr.bin/netstat/netstat.1 == --- stable/9/usr.bin/netstat/netstat.1 Tue Mar 19 13:29:01 2013 (r248505) +++ stable/9/usr.bin/netstat/netstat.1 Tue Mar 19 13:36:19 2013 (r248506) @@ -28,7 +28,7 @@ .\@(#)netstat.1 8.8 (Berkeley) 4/18/94 .\ $FreeBSD$ .\ -.Dd February 22, 2010 +.Dd March 10, 2013 .Dt NETSTAT 1 .Os .Sh NAME @@ -301,6 +301,11 @@ is repeated, counters with a value of ze Show .Xr netisr 9 statistics. +The flags field shows available ISR handlers: +.Bl -column .Li W .Dv NETISR_SNP_FLAGS_DRAINEDCPU +.It Li C Ta Dv NETISR_SNP_FLAGS_M2CPUID Ta Able to map mbuf to cpu id +.It Li D Ta Dv NETISR_SNP_FLAGS_DRAINEDCPU Ta Has queue drain handler +.It Li F Ta Dv NETISR_SNP_FLAGS_M2FLOW Ta Able to map mbuf to flow id .El .Pp Some options have the general meaning: ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r248112 - head/usr.bin/netstat
Author: melifaro Date: Sat Mar 9 20:01:35 2013 New Revision: 248112 URL: http://svnweb.freebsd.org/changeset/base/248112 Log: Document netstat -Q flags meaning. MFC after:1 week Modified: head/usr.bin/netstat/netstat.1 Modified: head/usr.bin/netstat/netstat.1 == --- head/usr.bin/netstat/netstat.1 Sat Mar 9 18:40:37 2013 (r248111) +++ head/usr.bin/netstat/netstat.1 Sat Mar 9 20:01:35 2013 (r248112) @@ -28,7 +28,7 @@ .\@(#)netstat.1 8.8 (Berkeley) 4/18/94 .\ $FreeBSD$ .\ -.Dd February 22, 2010 +.Dd March 10, 2013 .Dt NETSTAT 1 .Os .Sh NAME @@ -301,6 +301,11 @@ is repeated, counters with a value of ze Show .Xr netisr 9 statistics. +The flags field shows available ISR handlers: +.Bl -column .Li W .Dv NETISR_SNP_FLAGS_DRAINEDCPU +.It Li C Ta Dv NETISR_SNP_FLAGS_M2CPUID Ta Able to map mbuf to cpu id +.It Li D Ta Dv NETISR_SNP_FLAGS_DRAINEDCPU Ta Has queue drain handler +.It Li F Ta Dv NETISR_SNP_FLAGS_M2FLOW Ta Able to map mbuf to flow id .El .Pp Some options have the general meaning: ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r248070 - head/sys/net
Author: melifaro Date: Fri Mar 8 20:33:50 2013 New Revision: 248070 URL: http://svnweb.freebsd.org/changeset/base/248070 Log: Fix long-standing issue with interface routes being unprotected: Use RTM_PINNED flag to mark route as immutable. Forbid deleting immutable routes without special rtrequest1_fib() flag. Adding interface address with prefix already in route table is handled by atomically deleting old prefix and adding interface one. Discussed with: andre, eri MFC after:3 weeks Modified: head/sys/net/if.c head/sys/net/route.c head/sys/net/route.h Modified: head/sys/net/if.c == --- head/sys/net/if.c Fri Mar 8 20:23:55 2013(r248069) +++ head/sys/net/if.c Fri Mar 8 20:33:50 2013(r248070) @@ -1357,7 +1357,8 @@ if_rtdel(struct radix_node *rn, void *ar return (0); err = rtrequest_fib(RTM_DELETE, rt_key(rt), rt-rt_gateway, - rt_mask(rt), rt-rt_flags|RTF_RNH_LOCKED, + rt_mask(rt), + rt-rt_flags|RTF_RNH_LOCKED|RTF_PINNED, (struct rtentry **) NULL, rt-rt_fibnum); if (err) { log(LOG_WARNING, if_rtdel: error %d\n, err); Modified: head/sys/net/route.c == --- head/sys/net/route.cFri Mar 8 20:23:55 2013(r248069) +++ head/sys/net/route.cFri Mar 8 20:33:50 2013(r248070) @@ -1112,6 +1112,14 @@ rtrequest1_fib(int req, struct rt_addrin error = 0; } #endif + if ((flags RTF_PINNED) == 0) { + /* Check if target route can be deleted */ + rt = (struct rtentry *)rnh-rnh_lookup(dst, + netmask, rnh); + if ((rt != NULL) (rt-rt_flags RTF_PINNED)) + senderr(EADDRINUSE); + } + /* * Remove the item from the tree and return it. * Complain if it is not there and do no more processing. @@ -1430,6 +1438,7 @@ rtinit1(struct ifaddr *ifa, int cmd, int int didwork = 0; int a_failure = 0; static struct sockaddr_dl null_sdl = {sizeof(null_sdl), AF_LINK}; + struct radix_node_head *rnh; if (flags RTF_HOST) { dst = ifa-ifa_dstaddr; 
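Review bot: The new guard in rtrequest1_fib() treats `RTF_PINNED` in the request's `flags` as permission to delete a pinned route, so the same bit is both the protection on the entry and the override for it. Whether that is safe depends on every path that fills those flags: if any caller forwards flags it did not construct itself (a routing-socket request, for instance) without masking `RTF_PINNED`, the check is skipped. None of that is visible in this hunk, so it is worth confirming, and a comment here such as `/* RTF_PINNED in flags: kernel-internal override, must never come from a user request */` would record the contract. if_rtdel() in the if.c hunk above is the one caller shown that sets it; the enclosing function starts and ends outside the hunk.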
@@ -1488,7 +1497,6 @@ rtinit1(struct ifaddr *ifa, int cmd, int */ for ( fibnum = startfib; fibnum = endfib; fibnum++) { if (cmd == RTM_DELETE) { - struct radix_node_head *rnh; struct radix_node *rn; /* * Look up an rtentry that is in the routing tree and @@ -1538,7 +1546,8 @@ rtinit1(struct ifaddr *ifa, int cmd, int */ bzero((caddr_t)info, sizeof(info)); info.rti_ifa = ifa; - info.rti_flags = flags | (ifa-ifa_flags ~IFA_RTSELF); + info.rti_flags = flags | + (ifa-ifa_flags ~IFA_RTSELF) | RTF_PINNED; info.rti_info[RTAX_DST] = dst; /* * doing this for compatibility reasons @@ -1550,6 +1559,33 @@ rtinit1(struct ifaddr *ifa, int cmd, int info.rti_info[RTAX_GATEWAY] = ifa-ifa_addr; info.rti_info[RTAX_NETMASK] = netmask; error = rtrequest1_fib(cmd, info, rt, fibnum); + + if ((error == EEXIST) (cmd == RTM_ADD)) { + /* +* Interface route addition failed. +* Atomically delete current prefix generating +* RTM_DELETE message, and retry adding +* interface prefix. +*/ + rnh = rt_tables_get_rnh(fibnum, dst-sa_family); + RADIX_NODE_HEAD_LOCK(rnh); + + /* Delete old prefix */ + info.rti_ifa = NULL; + info.rti_flags = RTF_RNH_LOCKED; + + error = rtrequest1_fib(RTM_DELETE, info, rt, fibnum); + if (error == 0) { + info.rti_ifa = ifa; + info.rti_flags = flags | RTF_RNH_LOCKED | + (ifa-ifa_flags ~IFA_RTSELF) | RTF_PINNED; + error = rtrequest1_fib(cmd, info, rt, fibnum); + } + + RADIX_NODE_HEAD_UNLOCK(rnh); + } + + if (error == 0 rt != NULL) { /* * notify any listening routing agents of the change Modified: head/sys/net/route.h
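Review bot: The EEXIST retry passes the same `rt` pointer to the `RTM_DELETE` call and to the add that follows, and nothing in between releases or saves what the delete stored there. If rtrequest1_fib() hands the removed entry back through that argument for the caller to free (its body is not in this hunk), the old route is leaked on every replacement; `error = rtrequest1_fib(RTM_DELETE, &info, NULL, fibnum);` would avoid that. Separately, when the delete succeeds and the retry fails the old prefix is gone with no rollback, and `rnh` from `rt_tables_get_rnh()` is locked without the NULL check the delete path of this function uses; both deserve at least a comment.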
svn commit: r247842 - head/sys/net
Author: melifaro Date: Tue Mar 5 13:38:45 2013 New Revision: 247842 URL: http://svnweb.freebsd.org/changeset/base/247842 Log: Write lock is not required for findcompare operation. MFC after:2 weeks Modified: head/sys/net/route.c Modified: head/sys/net/route.c == --- head/sys/net/route.cTue Mar 5 13:31:06 2013(r247841) +++ head/sys/net/route.cTue Mar 5 13:38:45 2013(r247842) @@ -1498,7 +1498,7 @@ rtinit1(struct ifaddr *ifa, int cmd, int if (rnh == NULL) /* this table doesn't exist but others might */ continue; - RADIX_NODE_HEAD_LOCK(rnh); + RADIX_NODE_HEAD_RLOCK(rnh); #ifdef RADIX_MPATH if (rn_mpath_capable(rnh)) { @@ -1527,7 +1527,7 @@ rtinit1(struct ifaddr *ifa, int cmd, int (rn-rn_flags RNF_ROOT) || RNTORT(rn)-rt_ifa != ifa || !sa_equal((struct sockaddr *)rn-rn_key, dst)); - RADIX_NODE_HEAD_UNLOCK(rnh); + RADIX_NODE_HEAD_RUNLOCK(rnh); if (error) { /* this is only an error if bad on ALL tables */ continue; ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r247811 - head/sbin/ipfw
Author: melifaro Date: Mon Mar 4 19:01:38 2013 New Revision: 247811 URL: http://svnweb.freebsd.org/changeset/base/247811 Log: Do not suddenly fail on some rulesets if -n (syntax check only) is specified and ipfw(4) module is not loaded. MFC after:2 weeks Modified: head/sbin/ipfw/ipfw2.c Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Mon Mar 4 18:51:53 2013(r247810) +++ head/sbin/ipfw/ipfw2.c Mon Mar 4 19:01:38 2013(r247811) @@ -3083,9 +3083,14 @@ chkarg: } else { len = sizeof(c-max_log); if (sysctlbyname(net.inet.ip.fw.verbose_limit, - c-max_log, len, NULL, 0) == -1) + c-max_log, len, NULL, 0) == -1) { + if (co.test_only) { + c-max_log = 0; + break; + } errx(1, sysctlbyname(\%s\), net.inet.ip.fw.verbose_limit); + } } } break; @@ -3986,9 +3991,13 @@ ipfw_table_handler(int ac, char *av[]) mask = 0; // XXX uninitialized ? len = sizeof(tables_max); if (sysctlbyname(net.inet.ip.fw.tables_max, tables_max, len, - NULL, 0) == -1) - errx(1, Can't determine maximum number of ipfw tables. - Perhaps you forgot to load ipfw module?); + NULL, 0) == -1) { + if (co.test_only) + tables_max = 128; /* Old conservative default */ + else + errx(1, Can't determine maximum number of ipfw tables. +Perhaps you forgot to load ipfw module?); + } memset(xent, 0, sizeof(xent)); ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
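Review bot: In the ipfw_table_handler hunk, test-only mode falls back to `tables_max = 128` on any `sysctlbyname()` failure, not just the module-not-loaded case named in the log. That makes `-n` validate against a limit that may differ from the running kernel's, so a ruleset can pass or fail the syntax check differently from a real load; the `c->max_log = 0` fallback in the first hunk has the same property. I would restrict both fallbacks to `errno == ENOENT` and say in the comment that the value is a stand-in, e.g. `/* test_only: kernel limit unavailable, assume old default */`.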
svn commit: r247712 - head/sbin/ipfw
Author: melifaro Date: Sun Mar 3 14:05:03 2013 New Revision: 247712 URL: http://svnweb.freebsd.org/changeset/base/247712 Log: Implement buffer size checking in ipfw(8) add cmd. PR: bin/65961 Submitted by: Eugene Grosbein eu...@grosbein.pp.ru MFC after:2 weeks Modified: head/sbin/ipfw/ipfw2.c head/sbin/ipfw/ipfw2.h head/sbin/ipfw/ipv6.c Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Sun Mar 3 13:53:58 2013(r247711) +++ head/sbin/ipfw/ipfw2.c Sun Mar 3 14:05:03 2013(r247712) @@ -64,6 +64,22 @@ int ipfw_socket = -1; #define s6_addr32 __u6_addr.__u6_addr32 #endif +#defineCHECK_LENGTH(v, len) do { \ + if ((v) (len))\ + errx(EX_DATAERR, Rule too long); \ + } while (0) +/* + * Check if we have enough space in cmd buffer. Note that since + * first 8? u32 words are reserved by reserved header, full cmd + * buffer can't be used, so we need to protect from buffer overrun + * only. At the beginnig, cblen is less than actual buffer size by + * size of ipfw_insn_u32 instruction + 1 u32 work. This eliminates need + * for checking small instructions fitting in given range. + * We also (ab)use the fact that ipfw_insn is always the first field + * for any custom instruction. + */ +#defineCHECK_CMDLENCHECK_LENGTH(cblen, F_LEN((ipfw_insn *)cmd)) + #define GET_UINT_ARG(arg, min, max, tok, s_x) do { \ if (!av[0]) \ errx(EX_USAGE, %s: missing argument, match_value(s_x, tok)); \ @@ -653,7 +669,7 @@ strtoport(char *s, char **end, int base, * Fill the body of the command with the list of port ranges. */ static int -fill_newports(ipfw_insn_u16 *cmd, char *av, int proto) +fill_newports(ipfw_insn_u16 *cmd, char *av, int proto, int cblen) { uint16_t a, b, *p = cmd-ports; int i = 0; @@ -664,6 +680,8 @@ fill_newports(ipfw_insn_u16 *cmd, char * if (s == av)/* empty or invalid argument */ return (0); + CHECK_LENGTH(cblen, i + 2); + switch (*s) { case '-': /* a range */ av = s + 1; 
@@ -2068,7 +2086,7 @@ lookup_host (char *host, struct in_addr * We can have multiple comma-separated address/mask entries. */ static void -fill_ip(ipfw_insn_ip *cmd, char *av) +fill_ip(ipfw_insn_ip *cmd, char *av, int cblen) { int len = 0; uint32_t *d = ((ipfw_insn_u32 *)cmd)-d; @@ -2108,6 +2126,8 @@ fill_ip(ipfw_insn_ip *cmd, char *av) int masklen; char md, nd = '\0'; + CHECK_LENGTH(cblen, F_INSN_SIZE(ipfw_insn) + 2 + len); + if (p) { md = *p; *p++ = '\0'; @@ -2366,11 +2386,13 @@ ipfw_delete(char *av[]) * patterns which match interfaces. */ static void -fill_iface(ipfw_insn_if *cmd, char *arg) +fill_iface(ipfw_insn_if *cmd, char *arg, int cblen) { cmd-name[0] = '\0'; cmd-o.len |= F_INSN_SIZE(ipfw_insn_if); + CHECK_CMDLEN; + /* Parse the interface or address */ if (strcmp(arg, any) == 0) cmd-o.len = 0; /* effectively ignore this command */ @@ -2441,8 +2463,10 @@ get_mac_addr_mask(const char *p, uint8_t * the new command in case it has been clobbered before. */ static ipfw_insn * -next_cmd(ipfw_insn *cmd) +next_cmd(ipfw_insn *cmd, int *len) { + *len -= F_LEN(cmd); + CHECK_LENGTH(*len, 0); cmd += F_LEN(cmd); bzero(cmd, sizeof(*cmd)); return cmd; @@ -2452,7 +2476,7 @@ next_cmd(ipfw_insn *cmd) * Takes arguments and copies them into a comment */ static void -fill_comment(ipfw_insn *cmd, char **av) +fill_comment(ipfw_insn *cmd, char **av, int cblen) { int i, l; char *p = (char *)(cmd + 1); @@ -2470,6 +2494,8 @@ fill_comment(ipfw_insn *cmd, char **av) comment too long (max 80 chars)); l = 1 + (l+3)/4; cmd-len = (cmd-len (F_NOT | F_OR)) | l; + CHECK_CMDLEN; + for (i = 0; av[i] != NULL; i++) { strcpy(p, av[i]); p += strlen(av[i]); @@ -2495,7 +2521,7 @@ fill_cmd(ipfw_insn *cmd, enum ipfw_opcod * two microinstructions, and returns the pointer to the last one. */ static ipfw_insn * -add_mac(ipfw_insn *cmd, char *av[]) +add_mac(ipfw_insn *cmd, char *av[], int cblen) { ipfw_insn_mac *mac; 
@@ -2504,6 +2530,7 @@ add_mac(ipfw_insn *cmd, char *av[]) cmd-opcode = O_MACADDR2; cmd-len = (cmd-len (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_mac); + CHECK_CMDLEN; mac = (ipfw_insn_mac *)cmd; get_mac_addr_mask(av[0], mac-addr, mac-mask); /* dst */ @@ -2513,12 +2540,13 @@
svn commit: r247732 - in stable/8/sys: kern net security/mac
Author: melifaro Date: Sun Mar 3 21:48:40 2013 New Revision: 247732 URL: http://svnweb.freebsd.org/changeset/base/247732 Log: Merge * r233937 - Improve BPF locking model * r233938 - Improve performace for writer-only BPF users * r233946 - Fix build * r235744 - Fix (new) panic on attaching to non-existent interface * r235745 - Fix old panic when BPF consumer attaches to destroying interface * r235746 - Call bpf_jitter() before acquiring BPF global lock * r235747 - Make most BPF ioctls() SMP-safe. * r236231 - Fix BPF_JITTER code broken by r235746. * r236261 - Save the previous filter right before we set new one. * r236262 - Fix style(9) nits, reduce unnecessary type castings. * r236559 - Fix panic introduced by r235745 * r236806 - Fix typo introduced in r236559. r233937 - Improve BPF locking model. Interface locks and descriptor locks are converted from mutex(9) to rwlock(9). This greately improves performance: in most common case we need to acquire 1 reader lock instead of 2 mutexes. - Remove filter(descriptor) (reader) lock in bpf_mtap[2] This was suggested by glebius@. We protect filter by requesting interface writer lock on filter change. - Cover struct bpf_if under BPF_INTERNAL define. This permits including bpf.h without including rwlock stuff. However, this is is temporary solution, struct bpf_if should be made opaque for any external caller. r233938 - Improve performace for writer-only BPF users. Linux and Solaris (at least OpenSolaris) has PF_PACKET socket families to send raw ethernet frames. The only FreeBSD interface that can be used to send raw frames is BPF. As a result, many programs like cdpd, lldpd, various dhcp stuff uses BPF only to send data. This leads us to the situation when software like cdpd, being run on high-traffic-volume interface significantly reduces overall performance since we have to acquire additional locks for every packet. 
Here we add sysctl that changes BPF behavior in the following way: If program came and opens BPF socket without explicitly specifying read filter we assume it to be write-only and add it to special writer-only per-interface list. This makes bpf_peers_present() return 0, so no additional overhead is introduced. After filter is supplied, descriptor is added to original per-interface list permitting packets to be captured. Unfortunately, pcap_open_live() sets catch-all filter itself for the purpose of setting snap length. Fortunately, most programs explicitly set (even catch-all) filter after that. tcpdump(1) is a good example. So a bit hackish approach is taken: we upgrade descriptor only after second BIOCSETF is received. Sysctl is named net.bpf.optimize_writers and is turned off by default. - While here, document all sysctl variables in bpf.4 r233946 Fix build broken by r233938. r235744 Fix panic on attaching to non-existent interface (introduced by r233937, pointed by hrs@) Fix panic on tcpdump being attached to interface being removed (introduced by r233937, pointed by hrs@ and adrian@) Protect most of bpf_setf() by BPF global lock Add several forgotten assertions (thanks to adrian@) Document current locking model inside bpf.c Document EVENTHANDLER(9) usage inside BPF. r235745 Fix old panic when BPF consumer attaches to destroying interface. 'flags' field is added to the end of bpf_if structure. Currently the only flag is BPFIF_FLAG_DYING which is set on bpf detach and checked by bpf_attachd() Problem can be easily triggered on SMP stable/[89] by the following command (sort of): 'while true; do ifconfig vlan222 create vlan 222 vlandev em0 up ; \ tcpdump -pi vlan222 ; ifconfig vlan222 destroy ; done' Fix possible use-after-free when BPF detaches itself from interface, freeing bpf_bif memory, while interface is still UP and there can be routes via this interface. Freeing is now delayed till ifnet_departure_event is received via eventhandler(9) api.
Convert bpfd rwlock back to mutex due lack of performance gain (currently checking if packet matches filter is done without holding bpfd lock and we have to acquire write lock if packet matches) r235746 Call bpf_jitter() before acquiring BPF global lock due to malloc() being used inside bpf_jitter. Eliminate bpf_buffer_alloc() and allocate BPF buffers on descriptor creation and BIOCSBLEN ioctl. This permits us not to allocate buffers inside bpf_attachd() which is protected by global lock. r235747 Make most BPF ioctls() SMP-safe. r236559 Fix panic introduced by r235745. Panic occurs after first packet traverse renamed interface. Add several comments on locking r236231 Fix BPF_JITTER code broken by r235746. r236261
svn commit: r247626 - head/sys/netpfil/ipfw
Author: melifaro Date: Sat Mar 2 14:47:10 2013 New Revision: 247626 URL: http://svnweb.freebsd.org/changeset/base/247626 Log: Fix callout expiring dynamic rules. PR: kern/175530 Submitted by: Vladimir Spiridenkov v...@gtn.ru MFC after:2 weeks Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c == --- head/sys/netpfil/ipfw/ip_fw_dynamic.c Sat Mar 2 14:39:48 2013 (r247625) +++ head/sys/netpfil/ipfw/ip_fw_dynamic.c Sat Mar 2 14:47:10 2013 (r247626) @@ -980,8 +980,8 @@ ipfw_dyn_tick(void * vnetx) chain = V_layer3_chain; - /* Run keepalive checks every keepalive_interval iff ka is enabled */ - if ((V_dyn_keepalive_last + V_dyn_keepalive_interval = time_uptime) + /* Run keepalive checks every keepalive_period iff ka is enabled */ + if ((V_dyn_keepalive_last + V_dyn_keepalive_period = time_uptime) (V_dyn_keepalive != 0)) { V_dyn_keepalive_last = time_uptime; check_ka = 1; @@ -1320,7 +1320,7 @@ ipfw_dyn_init(struct ip_fw_chain *chain) V_dyn_keepalive_interval = 20; V_dyn_keepalive_period = 5; V_dyn_keepalive = 1;/* do send keepalives */ - V_dyn_keepalive = time_uptime; + V_dyn_keepalive_last = time_uptime; V_dyn_max = 4096; /* max # of dynamic rules */ ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
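Review bot: The one-word fix in ipfw_dyn_init() shows how easily the `V_dyn_keepalive*` names are confused, and in this hunk only `V_dyn_keepalive` carries a comment. I would add trailing comments on the neighbouring assignments, for example `V_dyn_keepalive_period = 5; /* seconds between keepalive passes, see ipfw_dyn_tick() */`, and a matching one for `V_dyn_keepalive_interval` once its meaning is confirmed, since the tick check in the first hunk no longer uses it. ipfw_dyn_init() starts and ends outside the hunk.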
svn commit: r247629 - in stable/9/sys: kern net security/mac
Author: melifaro Date: Sat Mar 2 15:11:20 2013 New Revision: 247629 URL: http://svnweb.freebsd.org/changeset/base/247629 Log: Merge * r233937 - Improve BPF locking model * r233938 - Improve performace for writer-only BPF users * r233946 - Fix build * r235744 - Fix (new) panic on attaching to non-existent interface * r235745 - Fix old panic when BPF consumer attaches to destroying interface * r235746 - Call bpf_jitter() before acquiring BPF global lock * r235747 - Make most BPF ioctls() SMP-safe. * r236231 - Fix BPF_JITTER code broken by r235746. * r236251 - Fix shim for BIOCSETF to drop all packets buffered on the descriptor. * r236261 - Save the previous filter right before we set new one. * r236262 - Fix style(9) nits, reduce unnecessary type castings. * r236559 - Fix panic introduced by r235745 * r236806 - Fix typo introduced in r236559. r233937 - Improve BPF locking model. Interface locks and descriptor locks are converted from mutex(9) to rwlock(9). This greately improves performance: in most common case we need to acquire 1 reader lock instead of 2 mutexes. - Remove filter(descriptor) (reader) lock in bpf_mtap[2] This was suggested by glebius@. We protect filter by requesting interface writer lock on filter change. - Cover struct bpf_if under BPF_INTERNAL define. This permits including bpf.h without including rwlock stuff. However, this is is temporary solution, struct bpf_if should be made opaque for any external caller. r233938 - Improve performace for writer-only BPF users. Linux and Solaris (at least OpenSolaris) has PF_PACKET socket families to send raw ethernet frames. The only FreeBSD interface that can be used to send raw frames is BPF. As a result, many programs like cdpd, lldpd, various dhcp stuff uses BPF only to send data. This leads us to the situation when software like cdpd, being run on high-traffic-volume interface significantly reduces overall performance since we have to acquire additional locks for every packet. 
Here we add sysctl that changes BPF behavior in the following way: If program came and opens BPF socket without explicitly specifying read filter we assume it to be write-only and add it to special writer-only per-interface list. This makes bpf_peers_present() return 0, so no additional overhead is introduced. After filter is supplied, descriptor is added to original per-interface list permitting packets to be captured. Unfortunately, pcap_open_live() sets catch-all filter itself for the purpose of setting snap length. Fortunately, most programs explicitly set (even catch-all) filter after that. tcpdump(1) is a good example. So a bit hackish approach is taken: we upgrade descriptor only after second BIOCSETF is received. Sysctl is named net.bpf.optimize_writers and is turned off by default. - While here, document all sysctl variables in bpf.4 r233946 Fix build broken by r233938. r235744 Fix panic on attaching to non-existent interface (introduced by r233937, pointed by hrs@) Fix panic on tcpdump being attached to interface being removed (introduced by r233937, pointed by hrs@ and adrian@) Protect most of bpf_setf() by BPF global lock Add several forgotten assertions (thanks to adrian@) Document current locking model inside bpf.c Document EVENTHANDLER(9) usage inside BPF. r235745 Fix old panic when BPF consumer attaches to destroying interface. 'flags' field is added to the end of bpf_if structure. Currently the only flag is BPFIF_FLAG_DYING which is set on bpf detach and checked by bpf_attachd() Problem can be easily triggered on SMP stable/[89] by the following command (sort of): 'while true; do ifconfig vlan222 create vlan 222 vlandev em0 up ; \ tcpdump -pi vlan222 ; ifconfig vlan222 destroy ; done' Fix possible use-after-free when BPF detaches itself from interface, freeing bpf_bif memory, while interface is still UP and there can be routes via this interface. Freeing is now delayed till ifnet_departure_event is received via eventhandler(9) api.
Convert bpfd rwlock back to mutex due lack of performance gain (currently checking if packet matches filter is done without holding bpfd lock and we have to acquire write lock if packet matches) r235746 Call bpf_jitter() before acquiring BPF global lock due to malloc() being used inside bpf_jitter. Eliminate bpf_buffer_alloc() and allocate BPF buffers on descriptor creation and BIOCSBLEN ioctl. This permits us not to allocate buffers inside bpf_attachd() which is protected by global lock. r235747 Make most BPF ioctls() SMP-safe. r236559 Fix panic introduced by r235745. Panic occurs after first packet traverse renamed interface. Add several
svn commit: r247666 - head/sbin/ipfw
Author: melifaro Date: Sat Mar 2 18:51:26 2013 New Revision: 247666 URL: http://svnweb.freebsd.org/changeset/base/247666 Log: Fix ipfw table argument parsing/printing. Fix style. PR: kern/175909 Submitted by: Daniel Hagerty h...@linnaean.org MFC after:2 weeks Modified: head/sbin/ipfw/ipfw2.c Modified: head/sbin/ipfw/ipfw2.c == --- head/sbin/ipfw/ipfw2.c Sat Mar 2 18:40:04 2013(r247665) +++ head/sbin/ipfw/ipfw2.c Sat Mar 2 18:51:26 2013(r247666) @@ -3912,6 +3912,7 @@ ipfw_flush(int force) static void table_list(uint16_t num, int need_header); +static void table_fill_xentry(char *arg, ipfw_table_xentry *xent); /* * This one handles all table-related commands @@ -3927,8 +3928,7 @@ ipfw_table_handler(int ac, char *av[]) int do_add; int is_all; size_t len; - char *p; - uint32_t a, type, mask, addrlen; + uint32_t a, mask; uint32_t tables_max; mask = 0; // XXX uninitialized ? 
@@ -3965,57 +3965,8 @@ ipfw_table_handler(int ac, char *av[]) ac--; av++; if (!ac) errx(EX_USAGE, address required); - /* -* Let's try to guess type by agrument. -* Possible types: -* 1) IPv4[/mask] -* 2) IPv6[/mask] -* 3) interface name -* 4) port ? -*/ - type = 0; - if (ishexnumber(*av[0])) { - /* Remove / if exists */ - if ((p = strchr(*av, '/')) != NULL) { - *p = '\0'; - mask = atoi(p + 1); - } - - if (inet_pton(AF_INET, *av, xent.k.addr6) == 1) { - type = IPFW_TABLE_CIDR; - if ((p != NULL) (mask 32)) - errx(EX_DATAERR, bad IPv4 mask width: %s, p + 1); - xent.masklen = p ? mask : 32; - addrlen = sizeof(struct in_addr); - } else if (inet_pton(AF_INET6, *av, xent.k.addr6) == 1) { - type = IPFW_TABLE_CIDR; - if ((p != NULL) (mask 128)) - errx(EX_DATAERR, bad IPv6 mask width: %s, p + 1); - xent.masklen = p ? mask : 128; - addrlen = sizeof(struct in6_addr); - } - } - - if ((type == 0) (strchr(*av, '.') == NULL)) { - /* Assume interface name. Copy significant data only */ - mask = MIN(strlen(*av), IF_NAMESIZE - 1); - memcpy(xent.k.iface, *av, mask); - /* Set mask to exact match */ - xent.masklen = 8 * IF_NAMESIZE; - type = IPFW_TABLE_INTERFACE; - addrlen = IF_NAMESIZE; - } - if (type == 0) { - if (lookup_host(*av, (struct in_addr *)xent.k.addr6) != 0) - errx(EX_NOHOST, hostname ``%s'' unknown, *av); - xent.masklen = 32; - type = IPFW_TABLE_CIDR; - addrlen = sizeof(struct in_addr); - } - - xent.type = type; - xent.len = offsetof(ipfw_table_xentry, k) + addrlen; + table_fill_xentry(*av, xent); ac--; av++; if (do_add ac) { 
@@ -4065,6 +4016,93 @@ ipfw_table_handler(int ac, char *av[]) } static void +table_fill_xentry(char *arg, ipfw_table_xentry *xent) +{ + int addrlen, mask, masklen, type; + struct in6_addr *paddr; + uint32_t *pkey; + char *p; + uint32_t key; + + mask = 0; + type = 0; + addrlen = 0; + masklen = 0; + + /* +* Let's try to guess type by agrument. +* Possible types: +* 1) IPv4[/mask] +* 2) IPv6[/mask] +* 3) interface name +* 4) port, uid/gid or other u32 key (base 10 format) +* 5) hostname +*/ + paddr = xent-k.addr6; + if (ishexnumber(*arg) != 0 || *arg == ':') { + /* Remove / if exists */ + if ((p = strchr(arg, '/')) != NULL) { + *p = '\0'; + mask = atoi(p + 1); + } + + if (inet_pton(AF_INET, arg, paddr) == 1) { + if (p != NULL mask 32) + errx(EX_DATAERR, bad IPv4 mask width: %s, + p + 1); + + type = IPFW_TABLE_CIDR; + masklen =
svn commit: r247036 - head/usr.bin/systat
Author: melifaro Date: Wed Feb 20 13:47:05 2013 New Revision: 247036 URL: http://svnweb.freebsd.org/changeset/base/247036 Log: Add interface name filtering via 'match' cmd. Add 'pps' cmd for switching beetween interface packets/bytes statistics. Submitted by: vsevolod MFC after:2 weeks Modified: head/usr.bin/systat/ifcmds.c head/usr.bin/systat/ifstat.c head/usr.bin/systat/systat.1 Modified: head/usr.bin/systat/ifcmds.c == --- head/usr.bin/systat/ifcmds.cWed Feb 20 12:59:21 2013 (r247035) +++ head/usr.bin/systat/ifcmds.cWed Feb 20 13:47:05 2013 (r247036) @@ -28,11 +28,19 @@ * $FreeBSD$ */ +#include sys/types.h + #include systat.h #include extern.h #include convtbl.h +#include stdlib.h +#include string.h + int curscale = SC_AUTO; +char *matchline = NULL; +int showpps = 0; +int needsort = 0; int ifcmd(const char *cmd, const char *args) @@ -48,6 +56,24 @@ ifcmd(const char *cmd, const char *args) addstr(what scale? ); addstr(get_helplist()); } - } + } else if (prefix(cmd, match)) { + if (args != NULL *args != '\0' memcmp(args, *, 2) != 0) { + /* We got a valid match line */ + if (matchline != NULL) { + free(matchline); + } + needsort = 1; + matchline = strdup(args); + } else { + /* Empty or * pattern, turn filtering off */ + if (matchline != NULL) { + free(matchline); + } + needsort = 1; + matchline = NULL; + } + } else if (prefix(cmd, pps)) + showpps = !showpps; + return (1); } Modified: head/usr.bin/systat/ifstat.c == --- head/usr.bin/systat/ifstat.cWed Feb 20 12:59:21 2013 (r247035) +++ head/usr.bin/systat/ifstat.cWed Feb 20 13:47:05 2013 (r247036) @@ -38,6 +38,7 @@ #include string.h #include err.h #include errno.h +#include fnmatch.h #include systat.h #include extern.h 
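Review bot: In the new `match` branch of ifcmd(), `matchline = strdup(args)` is not checked, so an allocation failure silently turns filtering off instead of reporting an error. The guard `memcmp(args, "*", 2) != 0` is also an unusual way to spell a string comparison; `strcmp(args, "*") != 0` says the same thing without a length literal. Both arms repeat `free(matchline)` and `needsort = 1`, which could be hoisted above the `if`, and `free(NULL)` needs no guard.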
@@ -71,12 +72,22 @@ struct if_stat { u_long if_out_curtraffic; u_long if_in_traffic_peak; u_long if_out_traffic_peak; + u_long if_in_curpps; + u_long if_out_curpps; + u_long if_in_pps_peak; + u_long if_out_pps_peak; u_int if_row; /* Index into ifmib sysctl */ u_int if_ypos;/* 0 if not being displayed */ u_int display; + u_int match; }; -extern u_int curscale; +extern int curscale; +extern char *matchline; +extern int showpps; +extern int needsort; + +static int needclear = 0; static void right_align_string(struct if_stat *); static void getifmibdata(const int, struct ifmibdata *); @@ -96,34 +107,48 @@ static u_int getifnum(void); #define STARTING_ROW (TOPLINE + 1) #define ROW_SPACING(3) -#define CLEAR_LINE(y, x) do {\ - wmove(wnd, y, x); \ - wclrtoeol(wnd); \ -} while (0) - -#define IN_col2(ifp-if_in_curtraffic) -#define OUT_col2 (ifp-if_out_curtraffic) -#define IN_col3(ifp-if_in_traffic_peak) -#define OUT_col3 (ifp-if_out_traffic_peak) -#define IN_col4(ifp-if_mib.ifmd_data.ifi_ibytes) -#define OUT_col4 (ifp-if_mib.ifmd_data.ifi_obytes) +#define IN_col2(showpps ? ifp-if_in_curpps : ifp-if_in_curtraffic) +#define OUT_col2 (showpps ? ifp-if_out_curpps : ifp-if_out_curtraffic) +#define IN_col3(showpps ? \ + ifp-if_in_pps_peak : ifp-if_in_traffic_peak) +#define OUT_col3 (showpps ? \ + ifp-if_out_pps_peak : ifp-if_out_traffic_peak) +#define IN_col4(showpps ? \ + ifp-if_mib.ifmd_data.ifi_ipackets : ifp-if_mib.ifmd_data.ifi_ibytes) +#define OUT_col4 (showpps ? \ + ifp-if_mib.ifmd_data.ifi_opackets : ifp-if_mib.ifmd_data.ifi_obytes) #define EMPTY_COLUMN #define CLEAR_COLUMN(y, x) mvprintw((y), (x), %20s, EMPTY_COLUMN); #define DOPUTRATE(c, r, d) do {\ CLEAR_COLUMN(r, c); \ - mvprintw(r, (c), %10.3f %s%s , \ -convert(d##_##c, curscale),\ -get_string(d##_##c, curscale), \ -/s); \ + if
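Review bot: The `extern int curscale; extern char *matchline; extern int showpps; extern int needsort;` block is declared by hand in ifstat.c, and the line it replaces (`extern u_int curscale` against `int curscale` in ifcmds.c) shows the type mismatch that such private declarations allow. Moving these four declarations into a header that both ifcmds.c and ifstat.c include (extern.h is already included by both) would let the compiler catch the next disagreement. The new `static int needclear` sits in the same block and is unaffected.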
svn commit: r247037 - head/usr.bin/systat
Author: melifaro Date: Wed Feb 20 14:19:09 2013 New Revision: 247037 URL: http://svnweb.freebsd.org/changeset/base/247037 Log: Fix several new old style issues. Pointed by: ae, pluknet, zont MFC with: r247036 Modified: head/usr.bin/systat/ifcmds.c head/usr.bin/systat/ifstat.c head/usr.bin/systat/systat.1 Modified: head/usr.bin/systat/ifcmds.c == --- head/usr.bin/systat/ifcmds.cWed Feb 20 13:47:05 2013 (r247036) +++ head/usr.bin/systat/ifcmds.cWed Feb 20 14:19:09 2013 (r247037) @@ -59,16 +59,14 @@ ifcmd(const char *cmd, const char *args) } else if (prefix(cmd, match)) { if (args != NULL *args != '\0' memcmp(args, *, 2) != 0) { /* We got a valid match line */ - if (matchline != NULL) { + if (matchline != NULL) free(matchline); - } needsort = 1; matchline = strdup(args); } else { /* Empty or * pattern, turn filtering off */ - if (matchline != NULL) { + if (matchline != NULL) free(matchline); - } needsort = 1; matchline = NULL; } Modified: head/usr.bin/systat/ifstat.c == --- head/usr.bin/systat/ifstat.cWed Feb 20 13:47:05 2013 (r247036) +++ head/usr.bin/systat/ifstat.cWed Feb 20 14:19:09 2013 (r247037) @@ -230,7 +230,7 @@ initifstat(void) n = getifnum(); if (n = 0) - return -1; + return (-1); SLIST_INIT(curlist); @@ -254,7 +254,7 @@ initifstat(void) sort_interface_list(); - return 1; + return (1); } void @@ -372,9 +372,9 @@ check_match(const char *ifname) char *p = matchline, *c, t; int match = 0, mlen; - if (matchline == NULL) { - return 0; - } + if (matchline == NULL) + return (0); + /* Strip leading whitespaces */ while (*p == ' ') p ++; @@ -387,7 +387,7 @@ check_match(const char *ifname) *p = '\0'; if (fnmatch(c, ifname, FNM_CASEFOLD) == 0) { *p = t; - return 1; + return (1); } *p = t; c = p + strspn(p, ;,); @@ -397,7 +397,7 @@ check_match(const char *ifname) } } - return match; + return (match); } /* 
@@ -447,7 +447,7 @@ getifnum(void) if (sysctl(name, 5, (void *)data, (size_t *)datalen, (void *)NULL, (size_t)0) != 0) IFSTAT_ERR(1, sysctl error); - return data; + return (data); } static void @@ -485,5 +485,5 @@ cmdifstat(const char *cmd, const char *a } } - return retval; + return (retval); } Modified: head/usr.bin/systat/systat.1 == --- head/usr.bin/systat/systat.1Wed Feb 20 13:47:05 2013 (r247036) +++ head/usr.bin/systat/systat.1Wed Feb 20 14:19:09 2013 (r247037) @@ -28,7 +28,7 @@ .\@(#)systat.18.2 (Berkeley) 12/30/93 .\ $FreeBSD$ .\ -.Dd September 17, 2012 +.Dd February 20, 2013 .Dt SYSTAT 1 .Os .Sh NAME ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r244633 - head/sys/netpfil/ipfw
Author: melifaro Date: Sun Dec 23 16:28:18 2012 New Revision: 244633 URL: http://svnweb.freebsd.org/changeset/base/244633 Log: Use unified IP_FW_ARG_TABLEARG() macro for most tablearg checks. Log real value instead of IP_FW_TABLEARG (65535) in ipfw_log(). Noticed by: Vitaliy Tokarenko rph...@ukr.net MFC after:2 weeks Modified: head/sys/netpfil/ipfw/ip_fw2.c head/sys/netpfil/ipfw/ip_fw_dynamic.c head/sys/netpfil/ipfw/ip_fw_log.c head/sys/netpfil/ipfw/ip_fw_private.h Modified: head/sys/netpfil/ipfw/ip_fw2.c == --- head/sys/netpfil/ipfw/ip_fw2.c Sun Dec 23 16:11:43 2012 (r244632) +++ head/sys/netpfil/ipfw/ip_fw2.c Sun Dec 23 16:28:18 2012 (r244633) @@ -1850,8 +1850,7 @@ do { \ case O_TAG: { struct m_tag *mtag; - uint32_t tag = (cmd-arg1 == IP_FW_TABLEARG) ? - tablearg : cmd-arg1; + uint32_t tag = IP_FW_ARG_TABLEARG(cmd-arg1); /* Packet is already tagged with this tag? */ mtag = m_tag_locate(m, MTAG_IPFW, tag, NULL); @@ -1930,8 +1929,7 @@ do { \ case O_TAGGED: { struct m_tag *mtag; - uint32_t tag = (cmd-arg1 == IP_FW_TABLEARG) ? - tablearg : cmd-arg1; + uint32_t tag = IP_FW_ARG_TABLEARG(cmd-arg1); if (cmdlen == 1) { match = m_tag_locate(m, MTAG_IPFW, @@ -2069,8 +2067,7 @@ do { \ case O_PIPE: case O_QUEUE: set_match(args, f_pos, chain); - args-rule.info = (cmd-arg1 == IP_FW_TABLEARG) ? - tablearg : cmd-arg1; + args-rule.info = IP_FW_ARG_TABLEARG(cmd-arg1); if (cmd-opcode == O_PIPE) args-rule.info |= IPFW_IS_PIPE; if (V_fw_one_pass) @@ -2090,8 +2087,7 @@ do { \ retval = (cmd-opcode == O_DIVERT) ? IP_FW_DIVERT : IP_FW_TEE; set_match(args, f_pos, chain); - args-rule.info = (cmd-arg1 == IP_FW_TABLEARG) ? - tablearg : cmd-arg1; + args-rule.info = IP_FW_ARG_TABLEARG(cmd-arg1); break; case O_COUNT: 
@@ -2109,8 +2105,7 @@ do { \ (uintptr_t)f-x_next == chain-id) { f_pos = (uintptr_t)f-next_rule; } else { - int i = (cmd-arg1 == IP_FW_TABLEARG) ? - tablearg : cmd-arg1; + int i = IP_FW_ARG_TABLEARG(cmd-arg1); /* make sure we do not jump backward */ if (i = f-rulenum) i = f-rulenum + 1; @@ -2215,9 +2210,8 @@ do { \ (uintptr_t)f-x_next == chain-id) { f_pos = (uintptr_t)f-next_rule; } else { - jmpto = (cmd-arg1 == - IP_FW_TABLEARG) ? tablearg: - cmd-arg1; + jmpto = IP_FW_ARG_TABLEARG( + cmd-arg1); f_pos = ipfw_find_rule(chain, jmpto, 0); /* update the cache */ @@ -2337,8 +2331,7 @@ do { \ case O_NETGRAPH: case O_NGTEE: set_match(args, f_pos, chain); - args-rule.info = (cmd-arg1 == IP_FW_TABLEARG) ? - tablearg : cmd-arg1; +
svn commit: r244634 - head/sys/netpfil/ipfw
Author: melifaro Date: Sun Dec 23 18:35:42 2012 New Revision: 244634 URL: http://svnweb.freebsd.org/changeset/base/244634 Log: Add parentheses to IP_FW_ARG_TABLEARG() definition. Suggested by: glebius MFC with: r244633 Modified: head/sys/netpfil/ipfw/ip_fw_private.h Modified: head/sys/netpfil/ipfw/ip_fw_private.h == --- head/sys/netpfil/ipfw/ip_fw_private.h Sun Dec 23 16:28:18 2012 (r244633) +++ head/sys/netpfil/ipfw/ip_fw_private.h Sun Dec 23 18:35:42 2012 (r244634) @@ -259,7 +259,7 @@ struct sockopt; /* used by tcp_var.h */ (_cntr)-bcnt = 0; \ } while (0) -#defineIP_FW_ARG_TABLEARG(a) ((a) == IP_FW_TABLEARG) ? tablearg : (a) +#defineIP_FW_ARG_TABLEARG(a) (((a) == IP_FW_TABLEARG) ? tablearg : (a)) /* * The lock is heavily used by ip_fw2.c (the main file) and ip_fw_nat.c * so the variable and the macros must be here. ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
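Review bot: `IP_FW_ARG_TABLEARG(a)` still evaluates `a` twice and picks up a variable named `tablearg` from whatever scope it is expanded in, and neither property is stated next to the definition in ip_fw_private.h. The added outer parentheses settle precedence, but an argument with side effects would be evaluated twice, and a use without a local `tablearg` gives an error that points into the macro body. I would add a comment above the `#define`, for example `/* Uses the caller's local 'tablearg'; 'a' is evaluated twice, pass a side-effect-free expression. */`.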
svn commit: r244569 - stable/9/sys/netpfil/ipfw
Author: melifaro Date: Fri Dec 21 22:48:12 2012 New Revision: 244569 URL: http://svnweb.freebsd.org/changeset/base/244569 Log: Merge r241908, r242632 Remove unnecessary chain read lock in ipfw nat 'global' code. Document case when ipfw chain lock must be held while calling ipfw_nat(). Modified: stable/9/sys/netpfil/ipfw/ip_fw_nat.c stable/9/sys/netpfil/ipfw/ip_fw_private.h Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netpfil/ipfw/ip_fw_nat.c == --- stable/9/sys/netpfil/ipfw/ip_fw_nat.c Fri Dec 21 22:20:59 2012 (r244568) +++ stable/9/sys/netpfil/ipfw/ip_fw_nat.c Fri Dec 21 22:48:12 2012 (r244569) @@ -202,6 +202,13 @@ add_redir_spool_cfg(char *buf, struct cf } } +/* + * ipfw_nat - perform mbuf header translation. + * + * Note V_layer3_chain has to be locked while calling ipfw_nat() in + * 'global' operation mode (t == NULL). + * + */ static int ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) { @@ -269,7 +276,7 @@ ipfw_nat(struct ip_fw_args *args, struct found = 0; chain = V_layer3_chain; - IPFW_RLOCK(chain); + IPFW_RLOCK_ASSERT(chain); /* Check every nat entry... */ LIST_FOREACH(t, chain-nat, _next) { if ((t-mode PKT_ALIAS_SKIP_GLOBAL) != 0) @@ -282,7 +289,6 @@ ipfw_nat(struct ip_fw_args *args, struct break; } } - IPFW_RUNLOCK(chain); if (found != 1) { /* No instance found, return ignore */ args-m = mcl; Modified: stable/9/sys/netpfil/ipfw/ip_fw_private.h == --- stable/9/sys/netpfil/ipfw/ip_fw_private.h Fri Dec 21 22:20:59 2012 (r244568) +++ stable/9/sys/netpfil/ipfw/ip_fw_private.h Fri Dec 21 22:48:12 2012 (r244569) 
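Review bot: The new `IPFW_RLOCK_ASSERT(chain)` in the `@@ -269,7 +276,7 @@` hunk asserts a read lock specifically (`RA_RLOCKED` in the ip_fw_private.h hunk of this commit), while the added header comment only says V_layer3_chain "has to be locked". If any caller can reach the global-mode walk of `chain->nat` while holding the write lock, the assertion would fire on INVARIANTS kernels; `RA_LOCKED` accepts either mode. On kernels built without INVARIANTS `rw_assert()` normally compiles to nothing, so the comment is the only statement of the contract and should name the mode, e.g. `* Note: the caller must hold the V_layer3_chain read lock when t == NULL ('global' mode).` `ipfw_nat()` continues outside both hunks.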
@@ -251,6 +251,7 @@ struct sockopt; /* used by tcp_var.h */ rw_destroy((_chain)-uh_lock); \ } while (0) +#defineIPFW_RLOCK_ASSERT(_chain) rw_assert((_chain)-rwmtx, RA_RLOCKED) #defineIPFW_WLOCK_ASSERT(_chain) rw_assert((_chain)-rwmtx, RA_WLOCKED) #define IPFW_RLOCK(p) rw_rlock((p)-rwmtx) ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r244571 - stable/9/sys/netpfil/ipfw
Author: melifaro Date: Fri Dec 21 23:47:22 2012 New Revision: 244571 URL: http://svnweb.freebsd.org/changeset/base/244571 Log: Merge r238978(approved by luigi), r242631, r242834, r243707 replace inet_ntoa_r with the more standard inet_ntop(). As discussed on -current, inet_ntoa_r() is non standard, has different arguments in userspace and kernel, and almost unused (no clients in userspace, only net/flowtable.c, net/if_llatbl.c, netinet/in_pcb.c, netinet/tcp_subr.c in the kernel) Use unified print_dyn_rule_flags() function for debugging messages instead of hand-made printfs in every place. Simplify sending keepalives. Prepare ipfw_tick() to be used by other consumers. Make ipfw dynamic states operations SMP-ready. * Global IPFW_DYN_LOCK() is changed to per-bucket mutex. * State expiration is done in ipfw_tick every second. * No expiration is done on forwarding path. * hash table resize is done automatically and does not flush all states. * Dynamic UMA zone is now allocated per each VNET * State limiting is now done via UMA(9) api. Modified: stable/9/sys/netpfil/ipfw/ip_fw2.c stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c stable/9/sys/netpfil/ipfw/ip_fw_log.c stable/9/sys/netpfil/ipfw/ip_fw_private.h stable/9/sys/netpfil/ipfw/ip_fw_sockopt.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netpfil/ipfw/ip_fw2.c == --- stable/9/sys/netpfil/ipfw/ip_fw2.c Fri Dec 21 23:12:34 2012 (r244570) +++ stable/9/sys/netpfil/ipfw/ip_fw2.c Fri Dec 21 23:47:22 2012 (r244571) @@ -2038,7 +2038,7 @@ do { \ f-rulenum, f-id); cmd = ACTION_PTR(f); l = f-cmd_len - f-act_ofs; - ipfw_dyn_unlock(); + ipfw_dyn_unlock(q); cmdlen = 0; match = 1; break; @@ -2523,7 +2523,6 @@ ipfw_init(void) { int error = 0; - ipfw_dyn_attach(); /* * Only print out this stuff the first time around, * when called from the sysinit code. @@ -2577,7 +2576,6 @@ ipfw_destroy(void) { ipfw_log_bpf(0); /* uninit */ - ipfw_dyn_detach(); printf(IP firewall unloaded\n); } 
@@ -2635,7 +2633,7 @@ vnet_ipfw_init(const void *unused) chain-id = rule-id = 1; IPFW_LOCK_INIT(chain); - ipfw_dyn_init(); + ipfw_dyn_init(chain); /* First set up some values that are compile time options */ V_ipfw_vnet_ready = 1; /* Open for business */ Modified: stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c == --- stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c Fri Dec 21 23:12:34 2012 (r244570) +++ stable/9/sys/netpfil/ipfw/ip_fw_dynamic.c Fri Dec 21 23:47:22 2012 (r244571) @@ -95,7 +95,7 @@ __FBSDID($FreeBSD$); * The lifetime of dynamic rules is regulated by dyn_*_lifetime, * measured in seconds and depending on the flags. * - * The total number of dynamic rules is stored in dyn_count. + * The total number of dynamic rules is equal to UMA zone items count. * The max number of dynamic rules is dyn_max. When we reach * the maximum number of rules we do not create anymore. This is * done to avoid consuming too much memory, but also too much 
@@ -111,37 +111,33 @@ __FBSDID($FreeBSD$); * passes through the firewall. XXX check the latter!!! */ +struct ipfw_dyn_bucket { + struct mtx mtx;/* Bucket protecting lock */ + ipfw_dyn_rule *head; /* Pointer to first rule */ +}; + /* * Static variables followed by global ones */ -static VNET_DEFINE(ipfw_dyn_rule **, ipfw_dyn_v); -static VNET_DEFINE(u_int32_t, dyn_buckets); +static VNET_DEFINE(struct ipfw_dyn_bucket *, ipfw_dyn_v); +static VNET_DEFINE(u_int32_t, dyn_buckets_max); static VNET_DEFINE(u_int32_t, curr_dyn_buckets); static VNET_DEFINE(struct callout, ipfw_timeout); #defineV_ipfw_dyn_vVNET(ipfw_dyn_v) -#defineV_dyn_buckets VNET(dyn_buckets) +#defineV_dyn_buckets_max VNET(dyn_buckets_max) #defineV_curr_dyn_buckets VNET(curr_dyn_buckets) #define V_ipfw_timeout VNET(ipfw_timeout) -static uma_zone_t ipfw_dyn_rule_zone; -#ifndef __FreeBSD__ -DEFINE_SPINLOCK(ipfw_dyn_mtx); -#else -static struct mtx ipfw_dyn_mtx;/* mutex guarding dynamic rules */ -#endif +static VNET_DEFINE(uma_zone_t, ipfw_dyn_rule_zone); +#defineV_ipfw_dyn_rule_zoneVNET(ipfw_dyn_rule_zone) -#define
svn commit: r243983 - in stable/9: share/man/man4 sys/netgraph/netflow
Author: melifaro Date: Fri Dec 7 13:03:23 2012 New Revision: 243983 URL: http://svnweb.freebsd.org/changeset/base/243983 Log: MFC r241446,r241501 Add NG_NETFLOW_V9INFO_TYPE command to be able to request netflowv9-specific data. Submitted by: Dmitry Luhtionov dmitryluhtionov at gmail.com Modified: stable/9/share/man/man4/ng_netflow.4 stable/9/sys/netgraph/netflow/netflow_v9.c stable/9/sys/netgraph/netflow/ng_netflow.c stable/9/sys/netgraph/netflow/ng_netflow.h Directory Properties: stable/9/share/ (props changed) stable/9/share/man/ (props changed) stable/9/share/man/man4/ (props changed) stable/9/sys/ (props changed) Modified: stable/9/share/man/man4/ng_netflow.4 == --- stable/9/share/man/man4/ng_netflow.4Fri Dec 7 13:00:41 2012 (r243982) +++ stable/9/share/man/man4/ng_netflow.4Fri Dec 7 13:03:23 2012 (r243983) @@ -229,6 +229,9 @@ not directly from See also .Sx BUGS section. +.It Dv NGM_NETFLOW_V9INFO +Returns some NetFlow v9 related values in a +.Vt struct ng_netflow_v9info . .El .Sh ASCII CONTROL MESSAGES Most binary control messages have an Modified: stable/9/sys/netgraph/netflow/netflow_v9.c == --- stable/9/sys/netgraph/netflow/netflow_v9.c Fri Dec 7 13:00:41 2012 (r243982) +++ stable/9/sys/netgraph/netflow/netflow_v9.c Fri Dec 7 13:03:23 2012 (r243983) @@ -480,3 +480,14 @@ ng_netflow_v9_cache_flush(priv_p priv) for (i = 0; i priv-flowsets_count; i++) free(priv-v9_flowsets[i], M_NETFLOW_GENERAL); } + +/* Get a snapshot of NetFlow v9 settings */ +void +ng_netflow_copyv9info(priv_p priv, struct ng_netflow_v9info *i) +{ + + i-templ_time = priv-templ_time; + i-templ_packets = priv-templ_packets; + i-mtu = priv-mtu; +} + Modified: stable/9/sys/netgraph/netflow/ng_netflow.c == --- stable/9/sys/netgraph/netflow/ng_netflow.c Fri Dec 7 13:00:41 2012 (r243982) +++ stable/9/sys/netgraph/netflow/ng_netflow.c Fri Dec 7 13:03:23 2012 (r243983) 
@@ -138,6 +138,14 @@ static const struct ng_parse_type ng_net ng_netflow_setmtu_type_fields }; +/* Parse type for struct ng_netflow_v9info */ +static const struct ng_parse_struct_field ng_netflow_v9info_type_fields[] + = NG_NETFLOW_V9INFO_TYPE; +static const struct ng_parse_type ng_netflow_v9info_type = { + ng_parse_struct_type, + ng_netflow_v9info_type_fields +}; + /* List of commands and how to convert arguments to/from ASCII */ static const struct ng_cmdlist ng_netflow_cmds[] = { { @@ -196,6 +204,13 @@ static const struct ng_cmdlist ng_netflo ng_netflow_setmtu_type, NULL }, + { +NGM_NETFLOW_COOKIE, +NGM_NETFLOW_V9INFO, +v9info, +NULL, +ng_netflow_v9info_type + }, { 0 } }; @@ -526,6 +541,17 @@ ng_netflow_rcvmsg (node_p node, item_p i break; } + case NGM_NETFLOW_V9INFO: + { + struct ng_netflow_v9info *i; + + NG_MKRESPONSE(resp, msg, sizeof(struct ng_netflow_v9info), + M_NOWAIT); + i = (struct ng_netflow_v9info *)resp-data; + ng_netflow_copyv9info(priv, i); + + break; + } default: ERROUT(EINVAL); /* unknown command */ break; Modified: stable/9/sys/netgraph/netflow/ng_netflow.h == --- stable/9/sys/netgraph/netflow/ng_netflow.h Fri Dec 7 13:00:41 2012 (r243982) +++ stable/9/sys/netgraph/netflow/ng_netflow.h Fri Dec 7 13:03:23 2012 (r243983) @@ -34,6 +34,7 @@ #define NG_NETFLOW_NODE_TYPE netflow #define NGM_NETFLOW_COOKIE 1309868867 +#define NGM_NETFLOW_V9_COOKIE 1349865386 #defineNG_NETFLOW_MAXIFACESUSHRT_MAX @@ -58,6 +59,7 @@ enum { NGM_NETFLOW_SETCONFIG = 7,/* set flow generation options */ NGM_NETFLOW_SETTEMPLATE= 8,/* set v9 flow template periodic */ NGM_NETFLOW_SETMTU = 9,/* set outgoing interface MTU */ +NGM_NETFLOW_V9INFO = 10|NGM_READONLY|NGM_HASREPLY, /* get v9 info */ }; /* This structure is returned by the NGM_NETFLOW_INFO message */ 
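Review bot: In the `NGM_NETFLOW_V9INFO` case added to `ng_netflow_rcvmsg()`, `resp` is dereferenced right after `NG_MKRESPONSE(..., M_NOWAIT)` without a NULL check. With `M_NOWAIT` the allocation is allowed to fail, and `resp->data` would then be a NULL dereference in kernel context while handling a control message. Add `if (!resp) ERROUT(ENOMEM);` between the `NG_MKRESPONSE` call and the `i = ...` assignment; `ERROUT` is already used by the `default:` branch in the same hunk. The function starts and ends outside the hunk.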
@@ -141,6 +143,13 @@ struct ngnf_show_header { uint32_tnentries; /* number of records in response */ }; +/* This structure is used in NGM_NETFLOW_V9INFO message */ +struct ng_netflow_v9info { + uint16_ttempl_packets; /* v9 template packets */ + uint16_ttempl_time; /* v9 template time */ +
svn commit: r243991 - stable/9/share/man/man4
Author: melifaro Date: Fri Dec 7 20:55:24 2012 New Revision: 243991 URL: http://svnweb.freebsd.org/changeset/base/243991 Log: Merge r241882. Provide example for newly-added NG_NETFLOW_V9INFO_TYPE Submitted by: Dmitry Luhtionov dmitryluhtionov at gmail.com Modified: stable/9/share/man/man4/ng_netflow.4 Directory Properties: stable/9/share/ (props changed) stable/9/share/man/ (props changed) stable/9/share/man/man4/ (props changed) Modified: stable/9/share/man/man4/ng_netflow.4 == --- stable/9/share/man/man4/ng_netflow.4Fri Dec 7 20:09:27 2012 (r243990) +++ stable/9/share/man/man4/ng_netflow.4Fri Dec 7 20:55:24 2012 (r243991) @@ -258,6 +258,8 @@ commands are: .Qq Li settemplate { time = %u packets = %u } .It Dv NGM_NETFLOW_SETMTU .Qq Li setmtu { mtu = %u } +.It Dv NGM_NETFLOW_V9INFO +.Qq Li v9info .El .Sh SHUTDOWN This node shuts down upon receipt of a ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r243957 - stable/8/usr.bin/systat
Author: melifaro Date: Thu Dec 6 19:43:48 2012 New Revision: 243957 URL: http://svnweb.freebsd.org/changeset/base/243957 Log: Fix merge of r240605 (done in r243684). Spotted by: Terry Kennedyte...@tmk.com Modified: stable/8/usr.bin/systat/keyboard.c Modified: stable/8/usr.bin/systat/keyboard.c == --- stable/8/usr.bin/systat/keyboard.c Thu Dec 6 19:00:37 2012 (r243956) +++ stable/8/usr.bin/systat/keyboard.c Thu Dec 6 19:43:48 2012 (r243957) @@ -57,7 +57,6 @@ static int keyboard_dispatch(int ch); int keyboard(void) { - char line[80]; int ch, n; struct timeval last, intvl, now, tm; fd_set rfds; ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r243799 - head/sys/net
Author: melifaro Date: Sun Dec 2 21:43:37 2012 New Revision: 243799 URL: http://svnweb.freebsd.org/changeset/base/243799 Log: Fix bpf_if structure leak introduced in r235745. Move all such structures to delayed-free lists and delete all matching on interface departure event. MFC after:1 week Modified: head/sys/net/bpf.c Modified: head/sys/net/bpf.c == --- head/sys/net/bpf.c Sun Dec 2 21:32:45 2012(r243798) +++ head/sys/net/bpf.c Sun Dec 2 21:43:37 2012(r243799) @@ -141,7 +141,7 @@ struct bpf_dltlist32 { * structures registered by different layers in the stack (i.e., 802.11 * frames, ethernet frames, etc). */ -static LIST_HEAD(, bpf_if) bpf_iflist; +static LIST_HEAD(, bpf_if) bpf_iflist, bpf_freelist; static struct mtx bpf_mtx;/* bpf global lock */ static int bpf_bpfd_cnt; 
@@ -2491,52 +2491,51 @@ bpfattach2(struct ifnet *ifp, u_int dlt, void bpfdetach(struct ifnet *ifp) { - struct bpf_if *bp; + struct bpf_if *bp, *bp_temp; struct bpf_d*d; -#ifdef INVARIANTS int ndetached; ndetached = 0; -#endif BPF_LOCK(); /* Find all bpf_if struct's which reference ifp and detach them. */ - do { - LIST_FOREACH(bp, bpf_iflist, bif_next) { - if (ifp == bp-bif_ifp) - break; - } - if (bp != NULL) - LIST_REMOVE(bp, bif_next); + LIST_FOREACH_SAFE(bp, bpf_iflist, bif_next, bp_temp) { + if (ifp != bp-bif_ifp) + continue; - if (bp != NULL) { -#ifdef INVARIANTS - ndetached++; -#endif - while ((d = LIST_FIRST(bp-bif_dlist)) != NULL) { - bpf_detachd_locked(d); - BPFD_LOCK(d); - bpf_wakeup(d); - BPFD_UNLOCK(d); - } - /* Free writer-only descriptors */ - while ((d = LIST_FIRST(bp-bif_wlist)) != NULL) { - bpf_detachd_locked(d); - BPFD_LOCK(d); - bpf_wakeup(d); - BPFD_UNLOCK(d); - } + LIST_REMOVE(bp, bif_next); + /* Add to to-be-freed list */ + LIST_INSERT_HEAD(bpf_freelist, bp, bif_next); - /* -* Delay freing bp till interface is detached -* and all routes through this interface are removed. -* Mark bp as detached to restrict new consumers. -*/ - BPFIF_WLOCK(bp); - bp-flags |= BPFIF_FLAG_DYING; - BPFIF_WUNLOCK(bp); + ndetached++; + /* +* Delay freeing bp till interface is detached +* and all routes through this interface are removed. +* Mark bp as detached to restrict new consumers. +*/ + BPFIF_WLOCK(bp); + bp-flags |= BPFIF_FLAG_DYING; + BPFIF_WUNLOCK(bp); + + CTR4(KTR_NET, %s: sheduling free for encap %d (%p) for if %p, + __func__, bp-bif_dlt, bp, ifp); + + /* Free common descriptors */ + while ((d = LIST_FIRST(bp-bif_dlist)) != NULL) { + bpf_detachd_locked(d); + BPFD_LOCK(d); + bpf_wakeup(d); + BPFD_UNLOCK(d); } - } while (bp != NULL); + + /* Free writer-only descriptors */ + while ((d = LIST_FIRST(bp-bif_wlist)) != NULL) { + bpf_detachd_locked(d); + BPFD_LOCK(d); + bpf_wakeup(d); + BPFD_UNLOCK(d); + } + } BPF_UNLOCK(); #ifdef INVARIANTS 
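Review bot: `ndetached` is now declared and incremented unconditionally in `bpfdetach()`, but the hunk ends on the `#ifdef INVARIANTS` line that guards the code after `BPF_UNLOCK()`. If that guarded block (outside the hunk) is still the only reader, kernels built without INVARIANTS carry a variable that is set but never used. Either keep the `#ifdef INVARIANTS` around the declaration and the `ndetached++`, or declare it as `int ndetached __unused;`. The new trace string also misspells `scheduling` as `sheduling`, which makes the KTR output harder to search for.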
@@ -2548,32 +2547,46 @@ bpfdetach(struct ifnet *ifp) /* * Interface departure handler. * Note departure event does not guarantee interface is going down. + * Interface renaming is currently done via departure/arrival event set. + * + * Departure handled is called after all routes pointing to + * given interface are removed and interface is in down state + * restricting any packets to be sent/received. We assume it is now safe + * to free data allocated by BPF. */ static void bpf_ifdetach(void *arg __unused, struct ifnet *ifp) { - struct bpf_if *bp; + struct bpf_if *bp, *bp_temp; + int nmatched = 0; BPF_LOCK(); - if ((bp = ifp-if_bpf) == NULL) { - BPF_UNLOCK(); - return; - } + /* +
svn commit: r243707 - head/sys/netpfil/ipfw
Author: melifaro Date: Fri Nov 30 16:33:22 2012 New Revision: 243707 URL: http://svnweb.freebsd.org/changeset/base/243707 Log: Make ipfw dynamic states operations SMP-ready. * Global IPFW_DYN_LOCK() is changed to per-bucket mutex. * State expiration is done in ipfw_tick every second. * No expiration is done on forwarding path. * hash table resize is done automatically and does not flush all states. * Dynamic UMA zone is now allocated per each VNET * State limiting is now done via UMA(9) api. Discussed with: ipfw MFC after:3 weeks Sponsored by: Yandex LLC Modified: head/sys/netpfil/ipfw/ip_fw2.c head/sys/netpfil/ipfw/ip_fw_dynamic.c head/sys/netpfil/ipfw/ip_fw_private.h head/sys/netpfil/ipfw/ip_fw_sockopt.c Modified: head/sys/netpfil/ipfw/ip_fw2.c == --- head/sys/netpfil/ipfw/ip_fw2.c Fri Nov 30 16:18:26 2012 (r243706) +++ head/sys/netpfil/ipfw/ip_fw2.c Fri Nov 30 16:33:22 2012 (r243707) @@ -2046,7 +2046,7 @@ do { \ f-rulenum, f-id); cmd = ACTION_PTR(f); l = f-cmd_len - f-act_ofs; - ipfw_dyn_unlock(); + ipfw_dyn_unlock(q); cmdlen = 0; match = 1; break; @@ -2525,7 +2525,6 @@ ipfw_init(void) { int error = 0; - ipfw_dyn_attach(); /* * Only print out this stuff the first time around, * when called from the sysinit code. @@ -2579,7 +2578,6 @@ ipfw_destroy(void) { ipfw_log_bpf(0); /* uninit */ - ipfw_dyn_detach(); printf(IP firewall unloaded\n); } @@ -2637,7 +2635,7 @@ vnet_ipfw_init(const void *unused) chain-id = rule-id = 1; IPFW_LOCK_INIT(chain); - ipfw_dyn_init(); + ipfw_dyn_init(chain); /* First set up some values that are compile time options */ V_ipfw_vnet_ready = 1; /* Open for business */ Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c == --- head/sys/netpfil/ipfw/ip_fw_dynamic.c Fri Nov 30 16:18:26 2012 (r243706) +++ head/sys/netpfil/ipfw/ip_fw_dynamic.c Fri Nov 30 16:33:22 2012 (r243707) 
@@ -95,7 +95,7 @@ __FBSDID($FreeBSD$); * The lifetime of dynamic rules is regulated by dyn_*_lifetime, * measured in seconds and depending on the flags. * - * The total number of dynamic rules is stored in dyn_count. + * The total number of dynamic rules is equal to UMA zone items count. * The max number of dynamic rules is dyn_max. When we reach * the maximum number of rules we do not create anymore. This is * done to avoid consuming too much memory, but also too much 
@@ -111,37 +111,33 @@ __FBSDID($FreeBSD$); * passes through the firewall. XXX check the latter!!! */ +struct ipfw_dyn_bucket { + struct mtx mtx;/* Bucket protecting lock */ + ipfw_dyn_rule *head; /* Pointer to first rule */ +}; + /* * Static variables followed by global ones */ -static VNET_DEFINE(ipfw_dyn_rule **, ipfw_dyn_v); -static VNET_DEFINE(u_int32_t, dyn_buckets); +static VNET_DEFINE(struct ipfw_dyn_bucket *, ipfw_dyn_v); +static VNET_DEFINE(u_int32_t, dyn_buckets_max); static VNET_DEFINE(u_int32_t, curr_dyn_buckets); static VNET_DEFINE(struct callout, ipfw_timeout); #defineV_ipfw_dyn_vVNET(ipfw_dyn_v) -#defineV_dyn_buckets VNET(dyn_buckets) +#defineV_dyn_buckets_max VNET(dyn_buckets_max) #defineV_curr_dyn_buckets VNET(curr_dyn_buckets) #define V_ipfw_timeout VNET(ipfw_timeout) -static uma_zone_t ipfw_dyn_rule_zone; -#ifndef __FreeBSD__ -DEFINE_SPINLOCK(ipfw_dyn_mtx); -#else -static struct mtx ipfw_dyn_mtx;/* mutex guarding dynamic rules */ -#endif - -#defineIPFW_DYN_LOCK_INIT() \ - mtx_init(ipfw_dyn_mtx, IPFW dynamic rules, NULL, MTX_DEF) -#defineIPFW_DYN_LOCK_DESTROY() mtx_destroy(ipfw_dyn_mtx) -#defineIPFW_DYN_LOCK() mtx_lock(ipfw_dyn_mtx) -#defineIPFW_DYN_UNLOCK() mtx_unlock(ipfw_dyn_mtx) -#defineIPFW_DYN_LOCK_ASSERT() mtx_assert(ipfw_dyn_mtx, MA_OWNED) +static VNET_DEFINE(uma_zone_t, ipfw_dyn_rule_zone); +#defineV_ipfw_dyn_rule_zoneVNET(ipfw_dyn_rule_zone) -void -ipfw_dyn_unlock(void) -{ - IPFW_DYN_UNLOCK(); -} +#defineIPFW_BUCK_LOCK_INIT(b) \ + mtx_init((b)-mtx, IPFW dynamic bucket, NULL, MTX_DEF) +#defineIPFW_BUCK_LOCK_DESTROY(b) \ + mtx_destroy((b)-mtx) +#define
svn commit: r243711 - head/sys/netpfil/ipfw
Author: melifaro Date: Fri Nov 30 19:36:55 2012 New Revision: 243711 URL: http://svnweb.freebsd.org/changeset/base/243711 Log: Use common macros for working with rule/dynamic counters. This is done as preparation to introduce per-cpu ipfw counters. MFC after:3 weeks Modified: head/sys/netpfil/ipfw/ip_fw2.c head/sys/netpfil/ipfw/ip_fw_dynamic.c head/sys/netpfil/ipfw/ip_fw_private.h head/sys/netpfil/ipfw/ip_fw_sockopt.c Modified: head/sys/netpfil/ipfw/ip_fw2.c == --- head/sys/netpfil/ipfw/ip_fw2.c Fri Nov 30 19:36:20 2012 (r243710) +++ head/sys/netpfil/ipfw/ip_fw2.c Fri Nov 30 19:36:55 2012 (r243711) @@ -2034,8 +2034,7 @@ do { \ * the parent rule by setting * f, cmd, l and clearing cmdlen. */ - q-pcnt++; - q-bcnt += pktlen; + IPFW_INC_DYN_COUNTER(q, pktlen); /* XXX we would like to have f_pos * readily accessible in the dynamic * rule, instead of having to @@ -2096,16 +2095,12 @@ do { \ break; case O_COUNT: - f-pcnt++; /* update stats */ - f-bcnt += pktlen; - f-timestamp = time_uptime; + IPFW_INC_RULE_COUNTER(f, pktlen); l = 0; /* exit inner loop */ break; case O_SKIPTO: - f-pcnt++; /* update stats */ - f-bcnt += pktlen; - f-timestamp = time_uptime; + IPFW_INC_RULE_COUNTER(f, pktlen); /* If possible use cached f_pos (in f-next_rule), * whose version is written in f-next_rule * (horrible hacks to avoid changing the ABI). @@ -2202,9 +2197,7 @@ do { \ break; } - f-pcnt++; /* update stats */ - f-bcnt += pktlen; - f-timestamp = time_uptime; + IPFW_INC_RULE_COUNTER(f, pktlen); stack = (uint16_t *)(mtag + 1); /* @@ -2357,9 +2350,7 @@ do { \ case O_SETFIB: { uint32_t fib; - f-pcnt++; /* update stats */ - f-bcnt += pktlen; - f-timestamp = time_uptime; + IPFW_INC_RULE_COUNTER(f, pktlen); fib = (cmd-arg1 == IP_FW_TABLEARG) ? tablearg: cmd-arg1; if (fib = rt_numfibs) @@ -2409,8 +2400,7 @@ do { \ case O_REASS: { int ip_off; - f-pcnt++; - f-bcnt += pktlen; + IPFW_INC_RULE_COUNTER(f, pktlen); l = 0; /* in any case exit inner loop */ ip_off = ntohs(ip-ip_off); 
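Review bot: The `O_REASS` hunk (`@@ -2409,8 +2400,7 @@`) is not a pure refactor if `IPFW_INC_RULE_COUNTER()` also sets `f->timestamp`. The lines removed there updated only `pcnt` and `bcnt`, while the `O_COUNT`, `O_SKIPTO` and `O_SETFIB` hunks each removed a third line, `f->timestamp = time_uptime;`. The macro is defined in ip_fw_private.h, which is not shown here, so this is inferred from the other call sites. If updating the timestamp for reassembly rules is intended, say so in the log; otherwise this case needs a counter-only variant.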
@@ -2473,9 +2463,7 @@ do { \ if (done) { struct ip_fw *rule = chain-map[f_pos]; /* Update statistics */ - rule-pcnt++; - rule-bcnt += pktlen; - rule-timestamp = time_uptime; + IPFW_INC_RULE_COUNTER(rule, pktlen); } else { retval = IP_FW_DENY; printf(ipfw: ouch!, skip past end of rules, denying packet\n); Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c == --- head/sys/netpfil/ipfw/ip_fw_dynamic.c Fri Nov 30 19:36:20 2012 (r243710) +++ head/sys/netpfil/ipfw/ip_fw_dynamic.c Fri Nov 30 19:36:55 2012 (r243711) @@ -594,7 +594,7 @@ add_dyn_rule(struct ipfw_flow_id *id, in r-expire = time_uptime + V_dyn_syn_lifetime; r-rule = rule; r-dyn_type = dyn_type; -
svn commit: r243684 - stable/8/usr.bin/systat
Author: melifaro Date: Fri Nov 30 00:13:31 2012 New Revision: 243684 URL: http://svnweb.freebsd.org/changeset/base/243684 Log: Merge r226396, r240605 Make systat(1) accept fractional number of seconds. Make old alarm(3)-based code use select(2). Ability to specify small intervals can be very handy while debugging traffic microbursts. Note that locale-aware strtod(3) is used to parse delay which is slightly different from ping. Fix whitespace inconsistencies in systat(1). Approved by: ed (r226396) Modified: stable/8/usr.bin/systat/cmds.c stable/8/usr.bin/systat/cmdtab.c stable/8/usr.bin/systat/devs.c stable/8/usr.bin/systat/extern.h stable/8/usr.bin/systat/fetch.c stable/8/usr.bin/systat/icmp.c stable/8/usr.bin/systat/icmp6.c stable/8/usr.bin/systat/ifcmds.c stable/8/usr.bin/systat/ifstat.c stable/8/usr.bin/systat/ip.c stable/8/usr.bin/systat/ip6.c stable/8/usr.bin/systat/keyboard.c stable/8/usr.bin/systat/main.c stable/8/usr.bin/systat/mode.c stable/8/usr.bin/systat/mode.h stable/8/usr.bin/systat/netstat.c stable/8/usr.bin/systat/systat.1 stable/8/usr.bin/systat/systat.h stable/8/usr.bin/systat/tcp.c stable/8/usr.bin/systat/vmstat.c Directory Properties: stable/8/usr.bin/ (props changed) stable/8/usr.bin/systat/ (props changed) Modified: stable/8/usr.bin/systat/cmds.c == --- stable/8/usr.bin/systat/cmds.c Thu Nov 29 21:26:57 2012 (r243683) +++ stable/8/usr.bin/systat/cmds.c Fri Nov 30 00:13:31 2012 (r243684) @@ -39,6 +39,8 @@ __FBSDID($FreeBSD$); static const char sccsid[] = @(#)cmds.c 8.2 (Berkeley) 4/29/95; #endif +#include sys/param.h + #include ctype.h #include signal.h #include stdlib.h 
@@ -51,32 +53,31 @@ static const char sccsid[] = @(#)cmds.c void command(const char *cmd) { -struct cmdtab *p; -char *cp, *tmpstr, *tmpstr1; - int interval, omask; + struct cmdtab *p; + char *cp, *tmpstr, *tmpstr1; + double t; tmpstr = tmpstr1 = strdup(cmd); - omask = sigblock(sigmask(SIGALRM)); -for (cp = tmpstr1; *cp !isspace(*cp); cp++) -; -if (*cp) -*cp++ = '\0'; + for (cp = tmpstr1; *cp !isspace(*cp); cp++) + ; + if (*cp) + *cp++ = '\0'; if (*tmpstr1 == '\0') return; for (; *cp isspace(*cp); cp++) ; -if (strcmp(tmpstr1, quit) == 0 || strcmp(tmpstr1, q) == 0) -die(0); + if (strcmp(tmpstr1, quit) == 0 || strcmp(tmpstr1, q) == 0) + die(0); if (strcmp(tmpstr1, load) == 0) { load(); goto done; } -if (strcmp(tmpstr1, stop) == 0) { -alarm(0); -mvaddstr(CMDLINE, 0, Refresh disabled.); -clrtoeol(); + if (strcmp(tmpstr1, stop) == 0) { + delay = 0; + mvaddstr(CMDLINE, 0, Refresh disabled.); + clrtoeol(); goto done; -} + } if (strcmp(tmpstr1, help) == 0) { int _col, _len; 
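Review bot: `tmpstr = tmpstr1 = strdup(cmd);` at the top of `command()` is used unchecked, and the re-indented `for (cp = tmpstr1; *cp ...` loop dereferences it immediately, so an allocation failure becomes a NULL dereference. Add `if (tmpstr == NULL) return;` right after the `strdup()`. The unchanged `if (*tmpstr1 == '\0') return;` a few lines later leaves without releasing the copy, unlike the other exits, which use `goto done`; assuming the `done:` label (outside the hunk) frees `tmpstr`, that should be `goto done;` as well. The `isspace(*cp)` calls take a plain `char`, and casting to `unsigned char` avoids undefined behaviour for bytes above 0x7f.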
@@ -92,31 +93,34 @@ command(const char *cmd) clrtoeol(); goto done; } - interval = atoi(tmpstr1); -if (interval = 0 - (strcmp(tmpstr1, start) == 0 || strcmp(tmpstr1, interval) == 0)) { - interval = *cp ? atoi(cp) : naptime; -if (interval = 0) { - error(%d: bad interval., interval); - goto done; -} + t = strtod(tmpstr1, NULL) * 100.0; + if (t 0 t (double)UINT_MAX) + delay = (unsigned int)t; + if ((t = 0 || t (double)UINT_MAX) + (strcmp(tmpstr1, start) == 0 || + strcmp(tmpstr1, interval) == 0)) { + if (*cp != '\0') { + t = strtod(cp, NULL) * 100.0; + if (t = 0 || t = (double)UINT_MAX) { + error(%d: bad interval., (int)t); + goto done; + } + } } - if (interval 0) { -alarm(0); -naptime = interval; -display(0); -status(); + if (t 0) { + delay = (unsigned int)t; + display(); + status(); goto done; -} + } p = lookup(tmpstr1); if (p == (struct cmdtab *)-1) { error(%s: Ambiguous command., tmpstr1); goto done; } -if (p) { -if (curcmd == p) + if (p) { + if (curcmd == p) goto done; -alarm(0); (*curcmd-c_close)(wnd); curcmd-c_flags =
svn commit: r243629 - in stable/8/sys: netinet netinet6
Author: melifaro Date: Tue Nov 27 20:16:37 2012 New Revision: 243629 URL: http://svnweb.freebsd.org/changeset/base/243629 Log: MFC r241406, r241502, r241884. Do not check if found IPv4 rte is dynamic if net.inet.icmp.drop_redirect is enabled. This eliminates one mtx_lock() per each routing lookup thus improving performance in several cases (routing to directly connected interface or routing to default gateway). Icmp redirects should not be used to provide routing direction nowadays, even for end hosts. Routers should not use them too (and this is explicitly restricted in IPv6, see RFC 4861, clause 8.2). Current commit changes rnh_machaddr function to 'stock' rn_match (and back) for every AF_INET routing table in given VNET instance on drop_redirect sysctl change. Eliminate code checking if found IPv6 rte is dynamic. IPv6 redirects are using (different) ND-based approach described in RFC 4861. This change is similar to r241406 which conditionally skips the same check in IPv4. Cleanup documentation: cloning route support has been removed in r186119. This change is part of bigger patch eliminating rte locking. Sponsored by: Yandex LLC Modified: stable/8/sys/netinet/in_rmx.c stable/8/sys/netinet/in_var.h stable/8/sys/netinet/ip_icmp.c stable/8/sys/netinet/ip_var.h stable/8/sys/netinet6/in6_rmx.c Directory Properties: stable/8/sys/ (props changed) stable/8/sys/netinet/ (props changed) stable/8/sys/netinet6/ (props changed) Modified: stable/8/sys/netinet/in_rmx.c == --- stable/8/sys/netinet/in_rmx.c Tue Nov 27 20:16:01 2012 (r243628) +++ stable/8/sys/netinet/in_rmx.c Tue Nov 27 20:16:37 2012 (r243629) 
@@ -27,19 +27,6 @@ * SUCH DAMAGE. */ -/* - * This code does two things necessary for the enhanced TCP metrics to - * function in a useful manner: - * 1) It marks all non-host routes as `cloning', thus ensuring that - * every actual reference to such a route actually gets turned - * into a reference to a host route to the specific destination - * requested. - * 2) When such routes lose all their references, it arranges for them - * to be deleted in some random collection of circumstances, so that - * a large quantity of stale routing data is not kept in kernel memory - * indefinitely. See in_rtqtimo() below for the exact mechanism. - */ - #include sys/cdefs.h __FBSDID($FreeBSD$); @@ -58,6 +45,8 @@ __FBSDID($FreeBSD$); #include netinet/in.h #include netinet/in_var.h +#include netinet/ip.h +#include netinet/ip_icmp.h #include netinet/ip_var.h extern int in_inithead(void **head, int off); @@ -340,6 +329,13 @@ in_rtqdrain(void) VNET_LIST_RUNLOCK_NOSLEEP(); } +void +in_setmatchfunc(struct radix_node_head *rnh, int val) +{ + + rnh-rnh_matchaddr = (val != 0) ? rn_match : in_matroute; +} + static int _in_rt_was_here; /* * Initialize our routing tree. @@ -365,7 +361,7 @@ in_inithead(void **head, int off) rnh = *head; rnh-rnh_addaddr = in_addroute; - rnh-rnh_matchaddr = in_matroute; + in_setmatchfunc(rnh, V_drop_redirect); rnh-rnh_close = in_clsroute; if (_in_rt_was_here == 0 ) { callout_init(V_rtq_timer, CALLOUT_MPSAFE); Modified: stable/8/sys/netinet/in_var.h == --- stable/8/sys/netinet/in_var.h Tue Nov 27 20:16:01 2012 (r243628) +++ stable/8/sys/netinet/in_var.h Tue Nov 27 20:16:37 2012 (r243629) @@ -423,6 +423,7 @@ inm_acquire_locked(struct in_multi *inm) struct rtentry; struct route; struct ip_moptions; +struct radix_node_head; intimo_multi_filter(const struct ip_moptions *, const struct ifnet *, const struct sockaddr *, const struct sockaddr *); 
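Review bot: The new `in_setmatchfunc()` replaces `rnh->rnh_matchaddr` without any comment on locking, and the log says it is called for every AF_INET table whenever the drop_redirect sysctl changes, so lookups may be running at that moment. The sysctl handler is outside these hunks, so I cannot tell whether the radix head is locked there. State the requirement on the function, e.g. `/* Select the lookup routine for rnh; caller is expected to hold the radix head lock. */`. It would also help to record why `val != 0` selects `rn_match`: per the log, dropping redirects makes the dynamic-route check in `in_matroute` unnecessary.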
@@ -461,6 +462,7 @@ void in_rtredirect(struct sockaddr *, s struct sockaddr *, int, struct sockaddr *, u_int); int in_rtrequest(int, struct sockaddr *, struct sockaddr *, struct sockaddr *, int, struct rtentry **, u_int); +void in_setmatchfunc(struct radix_node_head *, int); #if 0 int in_rt_getifa(struct rt_addrinfo *, u_int fibnum); Modified: stable/8/sys/netinet/ip_icmp.c == --- stable/8/sys/netinet/ip_icmp.c Tue Nov 27 20:16:01 2012 (r243628) +++ stable/8/sys/netinet/ip_icmp.c Tue Nov 27 20:16:37 2012 (r243629) @@ -92,11 +92,7 @@ SYSCTL_VNET_UINT(_net_inet_icmp, OID_AUT VNET_NAME(icmpmaskfake), 0, Fake reply to ICMP Address Mask Request packets.); -static VNET_DEFINE(int, drop_redirect) = 0; -#defineV_drop_redirect VNET(drop_redirect) -SYSCTL_VNET_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_RW, - VNET_NAME(drop_redirect), 0, -
svn commit: r242834 - head/sys/netpfil/ipfw
Author: melifaro Date: Fri Nov 9 18:23:38 2012 New Revision: 242834 URL: http://svnweb.freebsd.org/changeset/base/242834 Log: Simplify sending keepalives. Prepare ipfw_tick() to be used by other consumers. Reviewed by: ae(basically) MFC after:2 weeks Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c == --- head/sys/netpfil/ipfw/ip_fw_dynamic.c Fri Nov 9 18:02:25 2012 (r242833) +++ head/sys/netpfil/ipfw/ip_fw_dynamic.c Fri Nov 9 18:23:38 2012 (r242834) @@ -971,6 +971,31 @@ ipfw_send_pkt(struct mbuf *replyto, stru } /* + * Queue keepalive packets for given dynamic rule + */ +static struct mbuf ** +ipfw_dyn_send_ka(struct mbuf **mtailp, ipfw_dyn_rule *q) +{ + struct mbuf *m_rev, *m_fwd; + + m_rev = (q-state ACK_REV) ? NULL : + ipfw_send_pkt(NULL, (q-id), q-ack_rev - 1, q-ack_fwd, TH_SYN); + m_fwd = (q-state ACK_FWD) ? NULL : + ipfw_send_pkt(NULL, (q-id), q-ack_fwd - 1, q-ack_rev, 0); + + if (m_rev != NULL) { + *mtailp = m_rev; + mtailp = (*mtailp)-m_nextpkt; + } + if (m_fwd != NULL) { + *mtailp = m_fwd; + mtailp = (*mtailp)-m_nextpkt; + } + + return (mtailp); +} + +/* * This procedure is only used to handle keepalives. It is invoked * every dyn_keepalive_period */ @@ -978,9 +1003,7 @@ static void ipfw_tick(void * vnetx) { struct mbuf *m0, *m, *mnext, **mtailp; -#ifdef INET6 - struct mbuf *m6, **m6_tailp; -#endif + struct ip *h; int i; ipfw_dyn_rule *q; #ifdef VIMAGE @@ -999,15 +1022,14 @@ ipfw_tick(void * vnetx) */ m0 = NULL; mtailp = m0; -#ifdef INET6 - m6 = NULL; - m6_tailp = m6; -#endif IPFW_DYN_LOCK(); for (i = 0 ; i V_curr_dyn_buckets ; i++) { for (q = V_ipfw_dyn_v[i] ; q ; q = q-next ) { if (q-dyn_type == O_LIMIT_PARENT) continue; + if (TIME_LEQ(q-expire, time_uptime)) + continue; /* too late, rule expired */ + if (q-id.proto != IPPROTO_TCP) continue; if ( (q-state BOTH_SYN) != BOTH_SYN) 
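Review bot: The comment on `ipfw_dyn_send_ka()` does not state its contract. The function reads `q->state`, `q->ack_rev` and `q->ack_fwd`, and the call added to `ipfw_tick()` in a later hunk sits between `IPFW_DYN_LOCK()` and `IPFW_DYN_UNLOCK()`, so it depends on that lock being held. I would extend the comment to something like `/* Caller holds the dynamic-rule lock. Returns the new tail of the packet chain; a NULL from ipfw_send_pkt() is skipped. */`. With IPv4 and IPv6 keepalives now queued on one chain, the send loop has to classify each packet from its own header; that loop is in a hunk that is cut off on this page, so the non-INET6 build path cannot be checked here.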
@@ -1015,55 +1037,24 @@ ipfw_tick(void * vnetx) if (TIME_LEQ(time_uptime + V_dyn_keepalive_interval, q-expire)) continue; /* too early */ - if (TIME_LEQ(q-expire, time_uptime)) - continue; /* too late, rule expired */ - m = (q-state ACK_REV) ? NULL : - ipfw_send_pkt(NULL, (q-id), q-ack_rev - 1, - q-ack_fwd, TH_SYN); - mnext = (q-state ACK_FWD) ? NULL : - ipfw_send_pkt(NULL, (q-id), q-ack_fwd - 1, - q-ack_rev, 0); - - switch (q-id.addr_type) { - case 4: - if (m != NULL) { - *mtailp = m; - mtailp = (*mtailp)-m_nextpkt; - } - if (mnext != NULL) { - *mtailp = mnext; - mtailp = (*mtailp)-m_nextpkt; - } - break; -#ifdef INET6 - case 6: - if (m != NULL) { - *m6_tailp = m; - m6_tailp = (*m6_tailp)-m_nextpkt; - } - if (mnext != NULL) { - *m6_tailp = mnext; - m6_tailp = (*m6_tailp)-m_nextpkt; - } - break; -#endif - } + mtailp = ipfw_dyn_send_ka(mtailp, q); } } IPFW_DYN_UNLOCK(); + + /* Send keepalive packets if any */ for (m = m0; m != NULL; m = mnext) { mnext = m-m_nextpkt; m-m_nextpkt = NULL; - ip_output(m, NULL, NULL, 0, NULL, NULL); - } + h = mtod(m, struct ip *); + if (h-ip_v == 4) + ip_output(m, NULL, NULL, 0, NULL, NULL); #ifdef INET6 - for (m = m6; m != NULL; m = mnext) { - mnext = m-m_nextpkt; - m-m_nextpkt = NULL; - ip6_output(m, NULL, NULL, 0, NULL, NULL, NULL); - } + else +
svn commit: r242631 - head/sys/netpfil/ipfw
Author: melifaro Date: Mon Nov 5 22:30:56 2012 New Revision: 242631 URL: http://svnweb.freebsd.org/changeset/base/242631 Log: Use unified print_dyn_rule_flags() function for debugging messages instead of hand-made printfs in every place. MFC after:1 week Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c Modified: head/sys/netpfil/ipfw/ip_fw_dynamic.c == --- head/sys/netpfil/ipfw/ip_fw_dynamic.c Mon Nov 5 21:55:22 2012 (r242630) +++ head/sys/netpfil/ipfw/ip_fw_dynamic.c Mon Nov 5 22:30:56 2012 (r242631) @@ -258,8 +258,12 @@ hash_packet(struct ipfw_flow_id *id) return i; } -static __inline void -unlink_dyn_rule_print(struct ipfw_flow_id *id) +/** + * Print customizable flow id description via log(9) facility. + */ +static void +print_dyn_rule_flags(struct ipfw_flow_id *id, int dyn_type, int log_flags, +char *prefix, char *postfix) { struct in_addr da; #ifdef INET6 @@ -280,10 +284,14 @@ unlink_dyn_rule_print(struct ipfw_flow_i da.s_addr = htonl(id-dst_ip); inet_ntop(AF_INET, da, dst, sizeof(dst)); } - printf(ipfw: unlink entry %s %d - %s %d, %d left\n, - src, id-src_port, dst, id-dst_port, V_dyn_count - 1); + log(log_flags, ipfw: %s type %d %s %d - %s %d, %d %s\n, + prefix, dyn_type, src, id-src_port, dst, + id-dst_port, V_dyn_count, postfix); } +#defineprint_dyn_rule(id, dtype, prefix, postfix) \ + print_dyn_rule_flags(id, dtype, LOG_DEBUG, prefix, postfix) + /** * unlink a dynamic rule from a chain. prev is a pointer to * the previous one, q is a pointer to the rule to delete, @@ -296,12 +304,12 @@ unlink_dyn_rule_print(struct ipfw_flow_i /* remove a refcount to the parent */ \ if (q-dyn_type == O_LIMIT) \ q-parent-count--; \ - DEB(unlink_dyn_rule_print(q-id);) \ + V_dyn_count--; \ + DEB(print_dyn_rule(q-id, q-dyn_type, unlink entry, left);) \ if (prev != NULL) \ prev-next = q = q-next; \ else\ head = q = q-next; \ - V_dyn_count--; \ uma_zfree(ipfw_dyn_rule_zone, old_q); } #define TIME_LEQ(a,b) ((int)((a)-(b)) = 0) 
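Review bot: `print_dyn_rule_flags()` reads `V_dyn_count` in its `log()` call, and the `print_dyn_rule(...)` call this patch adds to `ipfw_install_state()` further down is placed before `IPFW_DYN_LOCK()`. The logged count is therefore an unlocked read at that call site; it is debug output only, but moving the call below the lock, or noting in the function comment that the count may be stale, would keep the logs trustworthy. Separately, `prefix` and `postfix` only receive string literals in the callers shown and could be declared `const char *`. The middle of the function body lies between the two hunks and is not visible.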
@@ -639,32 +647,7 @@ add_dyn_rule(struct ipfw_flow_id *id, u_ r-next = V_ipfw_dyn_v[i]; V_ipfw_dyn_v[i] = r; V_dyn_count++; - DEB({ - struct in_addr da; -#ifdef INET6 - char src[INET6_ADDRSTRLEN]; - char dst[INET6_ADDRSTRLEN]; -#else - char src[INET_ADDRSTRLEN]; - char dst[INET_ADDRSTRLEN]; -#endif - -#ifdef INET6 - if (IS_IP6_FLOW_ID((r-id))) { - ip6_sprintf(src, r-id.src_ip6); - ip6_sprintf(dst, r-id.dst_ip6); - } else -#endif - { - da.s_addr = htonl(r-id.src_ip); - inet_ntop(AF_INET, da, src, sizeof(src)); - da.s_addr = htonl(r-id.dst_ip); - inet_ntop(AF_INET, da, dst, sizeof(dst)); - } - printf(ipfw: add dyn entry ty %d %s %d - %s %d, total %d\n, - dyn_type, src, r-id.src_port, dst, r-id.dst_port, - V_dyn_count); - }) + DEB(print_dyn_rule(id, dyn_type, add dyn entry, total);) return r; } @@ -701,7 +684,8 @@ lookup_dyn_parent(struct ipfw_flow_id *p ) ) { q-expire = time_uptime + V_dyn_short_lifetime; - DEB(printf(ipfw: lookup_dyn_parent found 0x%p\n,q);) + DEB(print_dyn_rule(pkt, q-dyn_type, + lookup_dyn_parent found, );) return q; } } @@ -720,38 +704,11 @@ ipfw_install_state(struct ip_fw *rule, i { static int last_log; ipfw_dyn_rule *q; - struct in_addr da; -#ifdef INET6 - char src[INET6_ADDRSTRLEN + 2], dst[INET6_ADDRSTRLEN + 2]; -#else - char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN]; -#endif - src[0] = '\0'; - dst[0] = '\0'; + DEB(print_dyn_rule(args-f_id, cmd-o.opcode, install_state, );) IPFW_DYN_LOCK(); - DEB( -#ifdef INET6 - if (IS_IP6_FLOW_ID((args-f_id))) { - ip6_sprintf(src, args-f_id.src_ip6); - ip6_sprintf(dst,
svn commit: r242632 - head/sys/netpfil/ipfw
Author: melifaro Date: Mon Nov 5 22:54:00 2012 New Revision: 242632 URL: http://svnweb.freebsd.org/changeset/base/242632 Log: Add assertion to enforce 'nat global' locking requierements changed by r241908. Suggested by: adrian, glebius MFC after:3 days Modified: head/sys/netpfil/ipfw/ip_fw_nat.c head/sys/netpfil/ipfw/ip_fw_private.h Modified: head/sys/netpfil/ipfw/ip_fw_nat.c == --- head/sys/netpfil/ipfw/ip_fw_nat.c Mon Nov 5 22:30:56 2012 (r242631) +++ head/sys/netpfil/ipfw/ip_fw_nat.c Mon Nov 5 22:54:00 2012 (r242632) @@ -276,6 +276,7 @@ ipfw_nat(struct ip_fw_args *args, struct found = 0; chain = V_layer3_chain; + IPFW_RLOCK_ASSERT(chain); /* Check every nat entry... */ LIST_FOREACH(t, chain-nat, _next) { if ((t-mode PKT_ALIAS_SKIP_GLOBAL) != 0) Modified: head/sys/netpfil/ipfw/ip_fw_private.h == --- head/sys/netpfil/ipfw/ip_fw_private.h Mon Nov 5 22:30:56 2012 (r242631) +++ head/sys/netpfil/ipfw/ip_fw_private.h Mon Nov 5 22:54:00 2012 (r242632) @@ -251,6 +251,7 @@ struct sockopt; /* used by tcp_var.h */ rw_destroy((_chain)-uh_lock); \ } while (0) +#defineIPFW_RLOCK_ASSERT(_chain) rw_assert((_chain)-rwmtx, RA_RLOCKED) #defineIPFW_WLOCK_ASSERT(_chain) rw_assert((_chain)-rwmtx, RA_WLOCKED) #define IPFW_RLOCK(p) rw_rlock((p)-rwmtx) ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
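Review bot: `IPFW_RLOCK_ASSERT(chain)` expands to an `rw_assert()` with `RA_RLOCKED`, which under INVARIANTS also fails when the current thread holds the lock exclusively. If any path can reach the global branch of `ipfw_nat()` with the chain write-locked (these hunks do not show the callers), asserting `RA_LOCKED` would be the safer choice, since the `LIST_FOREACH` only needs the nat list to be stable. The assertion compiles away in kernels built without INVARIANTS, so there the requirement is stated only by the comment added in r241908. `ipfw_nat()` starts and ends outside the hunk.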
svn commit: r242640 - stable/9/sys/netinet
Author: melifaro Date: Tue Nov 6 00:49:52 2012 New Revision: 242640 URL: http://svnweb.freebsd.org/changeset/base/242640 Log: MFC r241406. Do not check if found IPv4 rte is dynamic if net.inet.icmp.drop_redirect is enabled. This eliminates one mtx_lock() per each routing lookup thus improving performance in several cases (routing to directly connected interface or routing to default gateway). Icmp redirects should not be used to provide routing direction nowadays, even for end hosts. Routers should not use them too (and this is explicitly restricted in IPv6, see RFC 4861, clause 8.2). Current commit changes rnh_machaddr function to 'stock' rn_match (and back) for every AF_INET routing table in given VNET instance on drop_redirect sysctl change. This change is part of bigger patch eliminating rte locking. Sponsored by: Yandex LLC Modified: stable/9/sys/netinet/in_rmx.c stable/9/sys/netinet/in_var.h stable/9/sys/netinet/ip_icmp.c stable/9/sys/netinet/ip_var.h Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netinet/in_rmx.c == --- stable/9/sys/netinet/in_rmx.c Tue Nov 6 00:41:59 2012 (r242639) +++ stable/9/sys/netinet/in_rmx.c Tue Nov 6 00:49:52 2012 (r242640) @@ -58,6 +58,8 @@ __FBSDID($FreeBSD$); #include netinet/in.h #include netinet/in_var.h +#include netinet/ip.h +#include netinet/ip_icmp.h #include netinet/ip_var.h extern int in_inithead(void **head, int off); @@ -340,6 +342,13 @@ in_rtqdrain(void) VNET_LIST_RUNLOCK_NOSLEEP(); } +void +in_setmatchfunc(struct radix_node_head *rnh, int val) +{ + + rnh-rnh_matchaddr = (val != 0) ? rn_match : in_matroute; +} + static int _in_rt_was_here; /* * Initialize our routing tree. 
@@ -365,7 +374,7 @@ in_inithead(void **head, int off) rnh = *head; rnh-rnh_addaddr = in_addroute; - rnh-rnh_matchaddr = in_matroute; + in_setmatchfunc(rnh, V_drop_redirect); rnh-rnh_close = in_clsroute; if (_in_rt_was_here == 0 ) { callout_init(V_rtq_timer, CALLOUT_MPSAFE); Modified: stable/9/sys/netinet/in_var.h == --- stable/9/sys/netinet/in_var.h Tue Nov 6 00:41:59 2012 (r242639) +++ stable/9/sys/netinet/in_var.h Tue Nov 6 00:49:52 2012 (r242640) @@ -422,6 +422,7 @@ inm_acquire_locked(struct in_multi *inm) struct rtentry; struct route; struct ip_moptions; +struct radix_node_head; intimo_multi_filter(const struct ip_moptions *, const struct ifnet *, const struct sockaddr *, const struct sockaddr *); @@ -460,6 +461,7 @@ void in_rtredirect(struct sockaddr *, s struct sockaddr *, int, struct sockaddr *, u_int); int in_rtrequest(int, struct sockaddr *, struct sockaddr *, struct sockaddr *, int, struct rtentry **, u_int); +void in_setmatchfunc(struct radix_node_head *, int); #if 0 int in_rt_getifa(struct rt_addrinfo *, u_int fibnum); Modified: stable/9/sys/netinet/ip_icmp.c == --- stable/9/sys/netinet/ip_icmp.c Tue Nov 6 00:41:59 2012 (r242639) +++ stable/9/sys/netinet/ip_icmp.c Tue Nov 6 00:49:52 2012 (r242640) @@ -108,11 +108,7 @@ SYSCTL_VNET_UINT(_net_inet_icmp, OID_AUT VNET_NAME(icmpmaskfake), 0, Fake reply to ICMP Address Mask Request packets.); -static VNET_DEFINE(int, drop_redirect) = 0; -#defineV_drop_redirect VNET(drop_redirect) -SYSCTL_VNET_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_RW, - VNET_NAME(drop_redirect), 0, - Ignore ICMP redirects); +VNET_DEFINE(int, drop_redirect) = 0; static VNET_DEFINE(int, log_redirect) = 0; #defineV_log_redirect VNET(log_redirect) 
@@ -157,6 +153,39 @@ static voidicmp_send(struct mbuf *, str extern struct protosw inetsw[]; +static int +sysctl_net_icmp_drop_redir(SYSCTL_HANDLER_ARGS) +{ + int error, new; + int i; + struct radix_node_head *rnh; + + new = V_drop_redirect; + error = sysctl_handle_int(oidp, new, 0, req); + if (error == 0 req-newptr) { + new = (new != 0) ? 1 : 0; + + if (new == V_drop_redirect) + return (0); + + for (i = 0; i rt_numfibs; i++) { + if ((rnh = rt_tables_get_rnh(i, AF_INET)) == NULL) + continue; + RADIX_NODE_HEAD_LOCK(rnh); + in_setmatchfunc(rnh, new); + RADIX_NODE_HEAD_UNLOCK(rnh); + } + + V_drop_redirect = new; + } + + return (error); +} + +SYSCTL_VNET_PROC(_net_inet_icmp, OID_AUTO,
svn commit: r242646 - in stable/9/sys: netinet netinet6
Author: melifaro Date: Tue Nov 6 01:18:53 2012 New Revision: 242646 URL: http://svnweb.freebsd.org/changeset/base/242646 Log: MFC r241502, r241884 Cleanup documentation: cloning route support has been removed in r186119. Eliminate code checking if found IPv6 rte is dynamic. IPv6 redirects are using (different) ND-based approach described in RFC 4861. This change is similar to r241406 which conditionally skips the same check in IPv4. This change is part of bigger patch eliminating rte locking. Sponsored by: Yandex LLC. Modified: stable/9/sys/netinet/in_rmx.c stable/9/sys/netinet6/in6_rmx.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/netinet/in_rmx.c == --- stable/9/sys/netinet/in_rmx.c Tue Nov 6 01:04:46 2012 (r242645) +++ stable/9/sys/netinet/in_rmx.c Tue Nov 6 01:18:53 2012 (r242646) @@ -27,19 +27,6 @@ * SUCH DAMAGE. */ -/* - * This code does two things necessary for the enhanced TCP metrics to - * function in a useful manner: - * 1) It marks all non-host routes as `cloning', thus ensuring that - * every actual reference to such a route actually gets turned - * into a reference to a host route to the specific destination - * requested. - * 2) When such routes lose all their references, it arranges for them - * to be deleted in some random collection of circumstances, so that - * a large quantity of stale routing data is not kept in kernel memory - * indefinitely. See in_rtqtimo() below for the exact mechanism. - */ - #include sys/cdefs.h __FBSDID($FreeBSD$); Modified: stable/9/sys/netinet6/in6_rmx.c == --- stable/9/sys/netinet6/in6_rmx.c Tue Nov 6 01:04:46 2012 (r242645) +++ stable/9/sys/netinet6/in6_rmx.c Tue Nov 6 01:18:53 2012 (r242646) 
@@ -59,19 +59,6 @@ * */ -/* - * This code does two things necessary for the enhanced TCP metrics to - * function in a useful manner: - * 1) It marks all non-host routes as `cloning', thus ensuring that - * every actual reference to such a route actually gets turned - * into a reference to a host route to the specific destination - * requested. - * 2) When such routes lose all their references, it arranges for them - * to be deleted in some random collection of circumstances, so that - * a large quantity of stale routing data is not kept in kernel memory - * indefinitely. See in6_rtqtimo() below for the exact mechanism. - */ - #include sys/cdefs.h __FBSDID($FreeBSD$); @@ -111,8 +98,6 @@ extern int in6_inithead(void **head, int extern int in6_detachhead(void **head, int off); #endif -#define RTPRF_OURS RTF_PROTO3 /* set on routes we manage */ - /* * Do what we need to do when inserting a route. */ 
@@ -183,42 +168,8 @@ in6_addroute(void *v_arg, void *n_arg, s return (ret); } -/* - * This code is the inverse of in6_clsroute: on first reference, if we - * were managing the route, stop doing so and set the expiration timer - * back off again. - */ -static struct radix_node * -in6_matroute(void *v_arg, struct radix_node_head *head) -{ - struct radix_node *rn = rn_match(v_arg, head); - struct rtentry *rt = (struct rtentry *)rn; - - if (rt) { - RT_LOCK(rt); - if (rt-rt_flags RTPRF_OURS) { - rt-rt_flags = ~RTPRF_OURS; - rt-rt_rmx.rmx_expire = 0; - } - RT_UNLOCK(rt); - } - return rn; -} - SYSCTL_DECL(_net_inet6_ip6); -static VNET_DEFINE(int, rtq_reallyold6) = 60*60; - /* one hour is ``really old'' */ -#defineV_rtq_reallyold6VNET(rtq_reallyold6) -SYSCTL_VNET_INT(_net_inet6_ip6, IPV6CTL_RTEXPIRE, rtexpire, CTLFLAG_RW, -VNET_NAME(rtq_reallyold6) , 0, ); - -static VNET_DEFINE(int, rtq_minreallyold6) = 10; - /* never automatically crank down to less */ -#defineV_rtq_minreallyold6 VNET(rtq_minreallyold6) -SYSCTL_VNET_INT(_net_inet6_ip6, IPV6CTL_RTMINEXPIRE, rtminexpire, CTLFLAG_RW, -VNET_NAME(rtq_minreallyold6) , 0, ); - static VNET_DEFINE(int, rtq_toomany6) = 128; /* 128 cached routes is ``too many'' */ #defineV_rtq_toomany6 VNET(rtq_toomany6) @@ -236,122 +187,6 @@ struct rtqk_arg { }; /* - * Get rid of old routes. When draining, this deletes everything, even when - * the timeout is not expired yet. When updating, this makes sure that - * nothing has a timeout longer than the current value of rtq_reallyold6. - */ -static int -in6_rtqkill(struct radix_node *rn, void *rock) -{ - struct rtqk_arg *ap = rock; - struct rtentry *rt = (struct rtentry *)rn; - int err; - - RADIX_NODE_HEAD_WLOCK_ASSERT(ap-rnh); - - if (rt-rt_flags RTPRF_OURS)
svn commit: r241882 - head/share/man/man4
Author: melifaro Date: Mon Oct 22 12:22:56 2012 New Revision: 241882 URL: http://svn.freebsd.org/changeset/base/241882 Log: Provide example for newly-added NG_NETFLOW_V9INFO_TYPE Submitted by: Dmitry Luhtionov dmitryluhtionov at gmail.com MFC with: r241446 Modified: head/share/man/man4/ng_netflow.4 Modified: head/share/man/man4/ng_netflow.4 == --- head/share/man/man4/ng_netflow.4Mon Oct 22 12:05:14 2012 (r241881) +++ head/share/man/man4/ng_netflow.4Mon Oct 22 12:22:56 2012 (r241882) @@ -286,6 +286,8 @@ commands are: .Qq Li settemplate { time = %u packets = %u } .It Dv NGM_NETFLOW_SETMTU .Qq Li setmtu { mtu = %u } +.It Dv NGM_NETFLOW_V9INFO +.Qq Li v9info .El .Sh SHUTDOWN This node shuts down upon receipt of a ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r241883 - stable/9/sbin/ipfw
Author: melifaro Date: Mon Oct 22 12:39:57 2012 New Revision: 241883 URL: http://svn.freebsd.org/changeset/base/241883 Log: Merge r240892,r240893 Permit table to be used as IPv6 address. Whitespace fixes Reported by: Serhiy Popov sergius...@ukr.net Modified: stable/9/sbin/ipfw/ipv6.c Directory Properties: stable/9/sbin/ (props changed) stable/9/sbin/ipfw/ (props changed) Modified: stable/9/sbin/ipfw/ipv6.c == --- stable/9/sbin/ipfw/ipv6.c Mon Oct 22 12:22:56 2012(r241882) +++ stable/9/sbin/ipfw/ipv6.c Mon Oct 22 12:39:57 2012(r241883) @@ -336,24 +336,40 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av) * Note d[1] points to struct in6_add r mask6 of cmd */ - cmd-o.len = ~F_LEN_MASK; /* zero len */ + cmd-o.len = ~F_LEN_MASK; /* zero len */ - if (strcmp(av, any) == 0) - return (1); + if (strcmp(av, any) == 0) + return (1); - if (strcmp(av, me) == 0) {/* Set the data for me opt*/ - cmd-o.len |= F_INSN_SIZE(ipfw_insn); - return (1); - } + if (strcmp(av, me) == 0) {/* Set the data for me opt*/ + cmd-o.len |= F_INSN_SIZE(ipfw_insn); + return (1); + } + + if (strcmp(av, me6) == 0) { /* Set the data for me opt*/ + cmd-o.len |= F_INSN_SIZE(ipfw_insn); + return (1); + } - if (strcmp(av, me6) == 0) { /* Set the data for me opt*/ - cmd-o.len |= F_INSN_SIZE(ipfw_insn); - return (1); - } + if (strncmp(av, table(, 6) == 0) { + char *p = strchr(av + 6, ','); + uint32_t *dm = ((ipfw_insn_u32 *)cmd)-d; + + if (p) + *p++ = '\0'; + cmd-o.opcode = O_IP_DST_LOOKUP; + cmd-o.arg1 = strtoul(av + 6, NULL, 0); + if (p) { + cmd-o.len |= F_INSN_SIZE(ipfw_insn_u32); + dm[0] = strtoul(p, NULL, 0); + } else + cmd-o.len |= F_INSN_SIZE(ipfw_insn); + return (1); + } - av = strdup(av); - while (av) { + av = strdup(av); + while (av) { /* * After the address we can have '/' indicating a mask, * or ',' indicating another address follows. 
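Review bot: The new `table(` branch passes user-supplied text to `strtoul()` with a NULL end pointer and stores the result directly in `cmd->o.arg1` and `dm[0]`. A non-numeric or empty table name is therefore silently accepted as table 0, and a value too large for `arg1` is truncated if that field is narrower than `unsigned long`. Nothing checks for the closing `)` either. I would parse with an end pointer, e.g. `tbl = strtoul(av + 6, &end, 0);`, and reject the rule unless `end != av + 6`, `*end` is `)` or NUL, and the value fits the field; the same applies to the value after the comma. Note also that `*p++ = '\0'` edits the caller's `av` in place, before the `strdup()` further down; `fill_ip6()` starts and ends outside the hunk.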
@@ -469,7 +485,11 @@ add_srcip6(ipfw_insn *cmd, char *av) { fill_ip6((ipfw_insn_ip6 *)cmd, av); - if (F_LEN(cmd) == 0) { /* any */ + if (cmd-opcode == O_IP_DST_SET)/* set */ + cmd-opcode = O_IP_SRC_SET; + else if (cmd-opcode == O_IP_DST_LOOKUP)/* table */ + cmd-opcode = O_IP_SRC_LOOKUP; + else if (F_LEN(cmd) == 0) { /* any */ } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* me */ cmd-opcode = O_IP6_SRC_ME; } else if (F_LEN(cmd) == @@ -487,7 +507,11 @@ add_dstip6(ipfw_insn *cmd, char *av) { fill_ip6((ipfw_insn_ip6 *)cmd, av); - if (F_LEN(cmd) == 0) { /* any */ + if (cmd-opcode == O_IP_DST_SET)/* set */ + ; + else if (cmd-opcode == O_IP_DST_LOOKUP)/* table */ + ; + else if (F_LEN(cmd) == 0) { /* any */ } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* me */ cmd-opcode = O_IP6_DST_ME; } else if (F_LEN(cmd) == ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
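Review bot: Both `add_srcip6()` and `add_dstip6()` now test `cmd->opcode` immediately after `fill_ip6()`, but as far as the previous hunk shows `fill_ip6()` assigns the opcode only on the `table(` path. For `any`, `me` and `me6` the test reads whatever the instruction buffer already held, which is safe only if callers always pass in a zeroed instruction; these hunks do not show that. Nothing visible sets `O_IP_DST_SET`, so that branch looks unreachable from `fill_ip6()` as shown. In `add_dstip6()` the two empty statements would read better as one condition with a comment, e.g. `if (cmd->opcode == O_IP_DST_SET || cmd->opcode == O_IP_DST_LOOKUP) { /* opcode already final */ }`.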
svn commit: r241884 - head/sys/netinet6
Author: melifaro Date: Mon Oct 22 12:54:52 2012 New Revision: 241884 URL: http://svn.freebsd.org/changeset/base/241884 Log: Eliminate code checking if found IPv6 rte is dynamic. IPv6 redirects are using (different) ND-based approach described in RFC 4861. This change is similar to r241406 which conditionally skips the same check in IPv4. This change is part of bigger patch eliminating rte locking. Sponsored by: Yandex LLC. OK'd by: hrs MFC after:2 weeks Modified: head/sys/netinet6/in6_rmx.c Modified: head/sys/netinet6/in6_rmx.c == --- head/sys/netinet6/in6_rmx.c Mon Oct 22 12:39:57 2012(r241883) +++ head/sys/netinet6/in6_rmx.c Mon Oct 22 12:54:52 2012(r241884) @@ -98,8 +98,6 @@ extern intin6_inithead(void **head, int extern int in6_detachhead(void **head, int off); #endif -#define RTPRF_OURS RTF_PROTO3 /* set on routes we manage */ - /* * Do what we need to do when inserting a route. */ 
@@ -170,42 +168,8 @@ in6_addroute(void *v_arg, void *n_arg, s return (ret); } -/* - * This code is the inverse of in6_clsroute: on first reference, if we - * were managing the route, stop doing so and set the expiration timer - * back off again. - */ -static struct radix_node * -in6_matroute(void *v_arg, struct radix_node_head *head) -{ - struct radix_node *rn = rn_match(v_arg, head); - struct rtentry *rt = (struct rtentry *)rn; - - if (rt) { - RT_LOCK(rt); - if (rt-rt_flags RTPRF_OURS) { - rt-rt_flags = ~RTPRF_OURS; - rt-rt_rmx.rmx_expire = 0; - } - RT_UNLOCK(rt); - } - return rn; -} - SYSCTL_DECL(_net_inet6_ip6); -static VNET_DEFINE(int, rtq_reallyold6) = 60*60; - /* one hour is ``really old'' */ -#defineV_rtq_reallyold6VNET(rtq_reallyold6) -SYSCTL_VNET_INT(_net_inet6_ip6, IPV6CTL_RTEXPIRE, rtexpire, CTLFLAG_RW, -VNET_NAME(rtq_reallyold6) , 0, ); - -static VNET_DEFINE(int, rtq_minreallyold6) = 10; - /* never automatically crank down to less */ -#defineV_rtq_minreallyold6 VNET(rtq_minreallyold6) -SYSCTL_VNET_INT(_net_inet6_ip6, IPV6CTL_RTMINEXPIRE, rtminexpire, CTLFLAG_RW, -VNET_NAME(rtq_minreallyold6) , 0, ); - static VNET_DEFINE(int, rtq_toomany6) = 128; /* 128 cached routes is ``too many'' */ #defineV_rtq_toomany6 VNET(rtq_toomany6) 
@@ -223,122 +187,6 @@ struct rtqk_arg { }; /* - * Get rid of old routes. When draining, this deletes everything, even when - * the timeout is not expired yet. When updating, this makes sure that - * nothing has a timeout longer than the current value of rtq_reallyold6. - */ -static int -in6_rtqkill(struct radix_node *rn, void *rock) -{ - struct rtqk_arg *ap = rock; - struct rtentry *rt = (struct rtentry *)rn; - int err; - - RADIX_NODE_HEAD_WLOCK_ASSERT(ap-rnh); - - if (rt-rt_flags RTPRF_OURS) { - ap-found++; - - if (ap-draining || rt-rt_rmx.rmx_expire = time_uptime) { - if (rt-rt_refcnt 0) - panic(rtqkill route really not free); - - err = in6_rtrequest(RTM_DELETE, - (struct sockaddr *)rt_key(rt), - rt-rt_gateway, rt_mask(rt), - rt-rt_flags|RTF_RNH_LOCKED, 0, - rt-rt_fibnum); - if (err) { - log(LOG_WARNING, in6_rtqkill: error %d, err); - } else { - ap-killed++; - } - } else { - if (ap-updating - (rt-rt_rmx.rmx_expire - time_uptime - V_rtq_reallyold6)) { - rt-rt_rmx.rmx_expire = time_uptime - + V_rtq_reallyold6; - } - ap-nextstop = lmin(ap-nextstop, - rt-rt_rmx.rmx_expire); - } - } - - return 0; -} - -#define RTQ_TIMEOUT60*10 /* run no less than once every ten minutes */ -static VNET_DEFINE(int, rtq_timeout6) = RTQ_TIMEOUT; -static VNET_DEFINE(struct callout, rtq_timer6); - -#defineV_rtq_timeout6 VNET(rtq_timeout6) -#defineV_rtq_timer6VNET(rtq_timer6) - -static void -in6_rtqtimo_one(struct radix_node_head *rnh) -{ - struct rtqk_arg arg; - static time_t last_adjusted_timeout = 0; - - arg.found = arg.killed = 0; - arg.rnh = rnh; - arg.nextstop = time_uptime + V_rtq_timeout6; - arg.draining = arg.updating = 0; -
Re: svn commit: r241888 - in head: share/man/man9 sys/net
On 22.10.2012 19:17, Gleb Smirnoff wrote: On Mon, Oct 22, 2012 at 02:10:17PM +, Alexander V. Chernikov wrote: A Author: melifaro A Date: Mon Oct 22 14:10:17 2012 A New Revision: 241888 A URL: http://svn.freebsd.org/changeset/base/241888 A A Log: A Make PFIL use per-VNET lock instead of per-AF lock. Since most used packet A filters (ipfw and PF) use the same ruleset with the same lock for both A AF_INET and AF_INET6 there is no need in more fine-grade locking. A However, it is possible to request personal lock by specifying A PFIL_FLAG_PRIVATE_LOCK flag in pfil_head structure (see pfil.9 for A more details). A A Export PFIL lock via rw_lock(9)/rm_lock(9)-like API permitting pfil consumers A to use this lock instead of own lock. This help reducing locks on main A traffic path. A A pfil_assert() is currently not implemented due to absense of rm_assert(). A Waiting for some kind of r234648 to be merged in HEAD. A A This change is part of bigger patch reducing routing locking. A A Sponsored by: Yandex LLC A Reviewed by:glebius, ae I didn't review that, we have only discussed that. Ah, ok. So commit message should be read as s/Reviewed by:/Discussed with:/ -- WBR, Alexander ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r241908 - head/sys/netpfil/ipfw
Author: melifaro Date: Mon Oct 22 19:22:31 2012 New Revision: 241908 URL: http://svn.freebsd.org/changeset/base/241908 Log: Remove unnecessary chain read lock in ipfw nat 'global' code. Document case when ipfw chain lock must be held while calling ipfw_nat(). MFC after:2 weeks Modified: head/sys/netpfil/ipfw/ip_fw_nat.c Modified: head/sys/netpfil/ipfw/ip_fw_nat.c == --- head/sys/netpfil/ipfw/ip_fw_nat.c Mon Oct 22 19:06:00 2012 (r241907) +++ head/sys/netpfil/ipfw/ip_fw_nat.c Mon Oct 22 19:22:31 2012 (r241908) @@ -202,6 +202,13 @@ add_redir_spool_cfg(char *buf, struct cf } } +/* + * ipfw_nat - perform mbuf header translation. + * + * Note V_layer3_chain has to be locked while calling ipfw_nat() in + * 'global' operation mode (t == NULL). + * + */ static int ipfw_nat(struct ip_fw_args *args, struct cfg_nat *t, struct mbuf *m) { @@ -269,7 +276,6 @@ ipfw_nat(struct ip_fw_args *args, struct found = 0; chain = V_layer3_chain; - IPFW_RLOCK(chain); /* Check every nat entry... */ LIST_FOREACH(t, chain-nat, _next) { if ((t-mode PKT_ALIAS_SKIP_GLOBAL) != 0) @@ -282,7 +288,6 @@ ipfw_nat(struct ip_fw_args *args, struct break; } } - IPFW_RUNLOCK(chain); if (found != 1) { /* No instance found, return ignore */ args-m = mcl; ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
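Review bot: The new header comment says V_layer3_chain "has to be locked" but not in which mode. After this change the `LIST_FOREACH` over `chain->nat` in the global branch runs with no lock taken or asserted inside `ipfw_nat()`. I would tighten the wording to `Note: the caller must hold the V_layer3_chain lock (at least read-locked) when calling ipfw_nat() in 'global' mode (t == NULL), because the nat list is walked here.` A caller that passes `t == NULL` without the lock would walk the list unprotected; the callers are not part of this diff, so each one needs checking. `ipfw_nat()` continues outside both hunks.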
svn commit: r241501 - head/share/man/man4
Author: melifaro Date: Sat Oct 13 09:25:29 2012 New Revision: 241501 URL: http://svn.freebsd.org/changeset/base/241501 Log: Add forgotten documentation for new NGM_NETFLOW_V9INFO message. Submitted by: Dmitry Luhtionov dmitryluhtionov at gmail.com MFC with: r241446 Modified: head/share/man/man4/ng_netflow.4 Modified: head/share/man/man4/ng_netflow.4 == --- head/share/man/man4/ng_netflow.4Sat Oct 13 06:27:34 2012 (r241500) +++ head/share/man/man4/ng_netflow.4Sat Oct 13 09:25:29 2012 (r241501) @@ -257,6 +257,9 @@ not directly from See also .Sx BUGS section. +.It Dv NGM_NETFLOW_V9INFO +Returns some NetFlow v9 related values in a +.Vt struct ng_netflow_v9info . .El .Sh ASCII CONTROL MESSAGES Most binary control messages have an ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r241502 - in head/sys: netinet netinet6
Author: melifaro Date: Sat Oct 13 09:31:01 2012 New Revision: 241502 URL: http://svn.freebsd.org/changeset/base/241502 Log: Cleanup documentation: cloning route support has been removed in r186119. MFC after:2 weeks Modified: head/sys/netinet/in_rmx.c head/sys/netinet6/in6_rmx.c Modified: head/sys/netinet/in_rmx.c == --- head/sys/netinet/in_rmx.c Sat Oct 13 09:25:29 2012(r241501) +++ head/sys/netinet/in_rmx.c Sat Oct 13 09:31:01 2012(r241502) @@ -27,19 +27,6 @@ * SUCH DAMAGE. */ -/* - * This code does two things necessary for the enhanced TCP metrics to - * function in a useful manner: - * 1) It marks all non-host routes as `cloning', thus ensuring that - * every actual reference to such a route actually gets turned - * into a reference to a host route to the specific destination - * requested. - * 2) When such routes lose all their references, it arranges for them - * to be deleted in some random collection of circumstances, so that - * a large quantity of stale routing data is not kept in kernel memory - * indefinitely. See in_rtqtimo() below for the exact mechanism. - */ - #include sys/cdefs.h __FBSDID($FreeBSD$); Modified: head/sys/netinet6/in6_rmx.c == --- head/sys/netinet6/in6_rmx.c Sat Oct 13 09:25:29 2012(r241501) +++ head/sys/netinet6/in6_rmx.c Sat Oct 13 09:31:01 2012(r241502) 
@@ -59,19 +59,6 @@ * */ -/* - * This code does two things necessary for the enhanced TCP metrics to - * function in a useful manner: - * 1) It marks all non-host routes as `cloning', thus ensuring that - * every actual reference to such a route actually gets turned - * into a reference to a host route to the specific destination - * requested. - * 2) When such routes lose all their references, it arranges for them - * to be deleted in some random collection of circumstances, so that - * a large quantity of stale routing data is not kept in kernel memory - * indefinitely. See in6_rtqtimo() below for the exact mechanism. - */ - #include sys/cdefs.h __FBSDID($FreeBSD$); ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r241446 - head/sys/netgraph/netflow
Author: melifaro Date: Thu Oct 11 16:15:18 2012 New Revision: 241446 URL: http://svn.freebsd.org/changeset/base/241446 Log: Add NG_NETFLOW_V9INFO_TYPE command to be able to request netflowv9-specific data. Submitted by: Dmitry Luhtionov dmitryluhtionov at gmail.com MFC after:2 weeks Modified: head/sys/netgraph/netflow/netflow_v9.c head/sys/netgraph/netflow/ng_netflow.c head/sys/netgraph/netflow/ng_netflow.h Modified: head/sys/netgraph/netflow/netflow_v9.c == --- head/sys/netgraph/netflow/netflow_v9.c Thu Oct 11 15:49:42 2012 (r241445) +++ head/sys/netgraph/netflow/netflow_v9.c Thu Oct 11 16:15:18 2012 (r241446) @@ -480,3 +480,14 @@ ng_netflow_v9_cache_flush(priv_p priv) for (i = 0; i priv-flowsets_count; i++) free(priv-v9_flowsets[i], M_NETFLOW_GENERAL); } + +/* Get a snapshot of NetFlow v9 settings */ +void +ng_netflow_copyv9info(priv_p priv, struct ng_netflow_v9info *i) +{ + + i-templ_time = priv-templ_time; + i-templ_packets = priv-templ_packets; + i-mtu = priv-mtu; +} + Modified: head/sys/netgraph/netflow/ng_netflow.c == --- head/sys/netgraph/netflow/ng_netflow.c Thu Oct 11 15:49:42 2012 (r241445) +++ head/sys/netgraph/netflow/ng_netflow.c Thu Oct 11 16:15:18 2012 (r241446) @@ -138,6 +138,14 @@ static const struct ng_parse_type ng_net ng_netflow_setmtu_type_fields }; +/* Parse type for struct ng_netflow_v9info */ +static const struct ng_parse_struct_field ng_netflow_v9info_type_fields[] + = NG_NETFLOW_V9INFO_TYPE; +static const struct ng_parse_type ng_netflow_v9info_type = { + ng_parse_struct_type, + ng_netflow_v9info_type_fields +}; + /* List of commands and how to convert arguments to/from ASCII */ static const struct ng_cmdlist ng_netflow_cmds[] = { { @@ -196,6 +204,13 @@ static const struct ng_cmdlist ng_netflo ng_netflow_setmtu_type, NULL }, + { +NGM_NETFLOW_COOKIE, +NGM_NETFLOW_V9INFO, +v9info, +NULL, +ng_netflow_v9info_type + }, { 0 } }; 
@@ -526,6 +541,17 @@ ng_netflow_rcvmsg (node_p node, item_p i break; } + case NGM_NETFLOW_V9INFO: + { + struct ng_netflow_v9info *i; + + NG_MKRESPONSE(resp, msg, sizeof(struct ng_netflow_v9info), + M_NOWAIT); + i = (struct ng_netflow_v9info *)resp-data; + ng_netflow_copyv9info(priv, i); + + break; + } default: ERROUT(EINVAL); /* unknown command */ break; Modified: head/sys/netgraph/netflow/ng_netflow.h == --- head/sys/netgraph/netflow/ng_netflow.h Thu Oct 11 15:49:42 2012 (r241445) +++ head/sys/netgraph/netflow/ng_netflow.h Thu Oct 11 16:15:18 2012 (r241446) @@ -34,6 +34,7 @@ #define NG_NETFLOW_NODE_TYPE netflow #define NGM_NETFLOW_COOKIE 1309868867 +#define NGM_NETFLOW_V9_COOKIE 1349865386 #defineNG_NETFLOW_MAXIFACESUSHRT_MAX @@ -58,6 +59,7 @@ enum { NGM_NETFLOW_SETCONFIG = 7,/* set flow generation options */ NGM_NETFLOW_SETTEMPLATE= 8,/* set v9 flow template periodic */ NGM_NETFLOW_SETMTU = 9,/* set outgoing interface MTU */ +NGM_NETFLOW_V9INFO = 10|NGM_READONLY|NGM_HASREPLY, /* get v9 info */ }; /* This structure is returned by the NGM_NETFLOW_INFO message */ @@ -147,6 +149,13 @@ struct ngnf_show_header { uint32_tnentries; /* number of records in response */ }; +/* This structure is used in NGM_NETFLOW_V9INFO message */ +struct ng_netflow_v9info { + uint16_ttempl_packets; /* v9 template packets */ + uint16_ttempl_time; /* v9 template time */ + uint16_tmtu;/* v9 MTU */ +}; + /* XXXGL * Somewhere flow_rec6 is casted to flow_rec, and flow6_entry_data is * casted to flow_entry_data. After casting, fle-r.fib is accessed. @@ -347,6 +356,14 @@ struct flow6_entry { { NULL }\ } +/* Parse the v9info structure */ +#defineNG_NETFLOW_V9INFO_TYPE {\ + { v9 template packets,ng_parse_uint16_type },\ + { v9 template time, ng_parse_uint16_type },\ + { v9 MTU, ng_parse_uint16_type },\ + { NULL }\ +} + /* Private hook data */ struct ng_netflow_iface { hook_p hook; /* NULL when disconnected */ @@ -422,6 +439,7 @@ struct netflow {
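Review bot: In the new `NGM_NETFLOW_V9INFO` case of ng_netflow_rcvmsg, `resp` is dereferenced right after `NG_MKRESPONSE(..., M_NOWAIT)` with no check that the allocation succeeded, so under memory pressure this message path becomes a kernel NULL dereference. Add `if (resp == NULL) ERROUT(ENOMEM);` before the line that casts `resp->data` (the page has lost the `->`). `ERROUT` is already used by the `default:` arm in this hunk. The rest of ng_netflow_rcvmsg lies outside the hunk, so whether the other cases already follow this pattern cannot be confirmed from here.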
svn commit: r241406 - head/sys/netinet
Author: melifaro Date: Wed Oct 10 19:06:11 2012 New Revision: 241406 URL: http://svn.freebsd.org/changeset/base/241406 Log: Do not check if found IPv4 rte is dynamic if net.inet.icmp.drop_redirect is enabled. This eliminates one mtx_lock() per each routing lookup thus improving performance in several cases (routing to directly connected interface or routing to default gateway). Icmp redirects should not be used to provide routing direction nowadays, even for end hosts. Routers should not use them too (and this is explicitly restricted in IPv6, see RFC 4861, clause 8.2). Current commit changes rnh_machaddr function to 'stock' rn_match (and back) for every AF_INET routing table in given VNET instance on drop_redirect sysctl change. This change is part of bigger patch eliminating rte locking. Sponsored by: Yandex LLC MFC after:2 weeks Modified: head/sys/netinet/in_rmx.c head/sys/netinet/in_var.h head/sys/netinet/ip_icmp.c head/sys/netinet/ip_var.h Modified: head/sys/netinet/in_rmx.c == --- head/sys/netinet/in_rmx.c Wed Oct 10 18:34:15 2012(r241405) +++ head/sys/netinet/in_rmx.c Wed Oct 10 19:06:11 2012(r241406) @@ -58,6 +58,8 @@ __FBSDID($FreeBSD$); #include netinet/in.h #include netinet/in_var.h +#include netinet/ip.h +#include netinet/ip_icmp.h #include netinet/ip_var.h extern int in_inithead(void **head, int off); @@ -340,6 +342,13 @@ in_rtqdrain(void) VNET_LIST_RUNLOCK_NOSLEEP(); } +void +in_setmatchfunc(struct radix_node_head *rnh, int val) +{ + + rnh-rnh_matchaddr = (val != 0) ? rn_match : in_matroute; +} + static int _in_rt_was_here; /* * Initialize our routing tree. 
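Review bot: `in_setmatchfunc()` in the in_rmx.c hunk is added without a comment, and its locking contract is only implied by its two callers. The sysctl handler added in ip_icmp.c calls it between `RADIX_NODE_HEAD_LOCK` and `RADIX_NODE_HEAD_UNLOCK`, while `in_inithead()` calls it with no lock visible in its hunk, presumably because the table is still being set up. I would add a header comment such as `/* Select the AF_INET lookup routine: stock rn_match when ICMP redirects are dropped, in_matroute otherwise. Caller holds the radix head lock, except during table initialisation. */`. Renaming the parameter `val` to `drop_redirect` would also make the ternary read naturally.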
@@ -365,7 +374,7 @@ in_inithead(void **head, int off) rnh = *head; rnh-rnh_addaddr = in_addroute; - rnh-rnh_matchaddr = in_matroute; + in_setmatchfunc(rnh, V_drop_redirect); rnh-rnh_close = in_clsroute; if (_in_rt_was_here == 0 ) { callout_init(V_rtq_timer, CALLOUT_MPSAFE); Modified: head/sys/netinet/in_var.h == --- head/sys/netinet/in_var.h Wed Oct 10 18:34:15 2012(r241405) +++ head/sys/netinet/in_var.h Wed Oct 10 19:06:11 2012(r241406) @@ -424,6 +424,7 @@ inm_acquire_locked(struct in_multi *inm) struct rtentry; struct route; struct ip_moptions; +struct radix_node_head; intimo_multi_filter(const struct ip_moptions *, const struct ifnet *, const struct sockaddr *, const struct sockaddr *); @@ -464,6 +465,7 @@ void in_rtredirect(struct sockaddr *, s struct sockaddr *, int, struct sockaddr *, u_int); int in_rtrequest(int, struct sockaddr *, struct sockaddr *, struct sockaddr *, int, struct rtentry **, u_int); +void in_setmatchfunc(struct radix_node_head *, int); #if 0 int in_rt_getifa(struct rt_addrinfo *, u_int fibnum); Modified: head/sys/netinet/ip_icmp.c == --- head/sys/netinet/ip_icmp.c Wed Oct 10 18:34:15 2012(r241405) +++ head/sys/netinet/ip_icmp.c Wed Oct 10 19:06:11 2012(r241406) @@ -108,11 +108,7 @@ SYSCTL_VNET_UINT(_net_inet_icmp, OID_AUT VNET_NAME(icmpmaskfake), 0, Fake reply to ICMP Address Mask Request packets.); -static VNET_DEFINE(int, drop_redirect) = 0; -#defineV_drop_redirect VNET(drop_redirect) -SYSCTL_VNET_INT(_net_inet_icmp, OID_AUTO, drop_redirect, CTLFLAG_RW, - VNET_NAME(drop_redirect), 0, - Ignore ICMP redirects); +VNET_DEFINE(int, drop_redirect) = 0; static VNET_DEFINE(int, log_redirect) = 0; #defineV_log_redirect VNET(log_redirect) 
@@ -157,6 +153,39 @@ static voidicmp_send(struct mbuf *, str extern struct protosw inetsw[]; +static int +sysctl_net_icmp_drop_redir(SYSCTL_HANDLER_ARGS) +{ + int error, new; + int i; + struct radix_node_head *rnh; + + new = V_drop_redirect; + error = sysctl_handle_int(oidp, new, 0, req); + if (error == 0 req-newptr) { + new = (new != 0) ? 1 : 0; + + if (new == V_drop_redirect) + return (0); + + for (i = 0; i rt_numfibs; i++) { + if ((rnh = rt_tables_get_rnh(i, AF_INET)) == NULL) + continue; + RADIX_NODE_HEAD_LOCK(rnh); + in_setmatchfunc(rnh, new); + RADIX_NODE_HEAD_UNLOCK(rnh); + } + + V_drop_redirect = new; + } + + return (error); +} + +SYSCTL_VNET_PROC(_net_inet_icmp, OID_AUTO, drop_redirect, +CTLTYPE_INT|CTLFLAG_RW, 0, 0, +sysctl_net_icmp_drop_redir, I, Ignore ICMP redirects); + /* * Kernel module interface for
svn commit: r241213 - stable/9/usr.bin/systat
Author: melifaro Date: Thu Oct 4 22:56:15 2012 New Revision: 241213 URL: http://svn.freebsd.org/changeset/base/241213 Log: Merge r240605. Make systat(1) accept fractional number of seconds. Make old alarm(3)-based code use select(2). Modified: stable/9/usr.bin/systat/cmds.c stable/9/usr.bin/systat/extern.h stable/9/usr.bin/systat/icmp.c stable/9/usr.bin/systat/icmp6.c stable/9/usr.bin/systat/ip.c stable/9/usr.bin/systat/ip6.c stable/9/usr.bin/systat/keyboard.c stable/9/usr.bin/systat/main.c stable/9/usr.bin/systat/systat.1 stable/9/usr.bin/systat/tcp.c Directory Properties: stable/9/usr.bin/ (props changed) stable/9/usr.bin/systat/ (props changed) Modified: stable/9/usr.bin/systat/cmds.c == --- stable/9/usr.bin/systat/cmds.c Thu Oct 4 22:41:00 2012 (r241212) +++ stable/9/usr.bin/systat/cmds.c Thu Oct 4 22:56:15 2012 (r241213) @@ -35,6 +35,8 @@ __FBSDID($FreeBSD$); static const char sccsid[] = @(#)cmds.c 8.2 (Berkeley) 4/29/95; #endif +#include sys/param.h + #include ctype.h #include signal.h #include stdlib.h @@ -49,10 +51,9 @@ command(const char *cmd) { struct cmdtab *p; char *cp, *tmpstr, *tmpstr1; - int interval, omask; + double t; tmpstr = tmpstr1 = strdup(cmd); - omask = sigblock(sigmask(SIGALRM)); for (cp = tmpstr1; *cp !isspace(*cp); cp++) ; if (*cp) @@ -68,7 +69,7 @@ command(const char *cmd) goto done; } if (strcmp(tmpstr1, stop) == 0) { - alarm(0); + delay = 0; mvaddstr(CMDLINE, 0, Refresh disabled.); clrtoeol(); goto done; 
@@ -88,19 +89,23 @@ command(const char *cmd) clrtoeol(); goto done; } - interval = atoi(tmpstr1); - if (interval = 0 - (strcmp(tmpstr1, start) == 0 || strcmp(tmpstr1, interval) == 0)) { - interval = *cp ? atoi(cp) : naptime; - if (interval = 0) { - error(%d: bad interval., interval); - goto done; + t = strtod(tmpstr1, NULL) * 100.0; + if (t 0 t (double)UINT_MAX) + delay = (unsigned int)t; + if ((t = 0 || t (double)UINT_MAX) + (strcmp(tmpstr1, start) == 0 || + strcmp(tmpstr1, interval) == 0)) { + if (*cp != '\0') { + t = strtod(cp, NULL) * 100.0; + if (t = 0 || t = (double)UINT_MAX) { + error(%d: bad interval., (int)t); + goto done; + } } } - if (interval 0) { - alarm(0); - naptime = interval; - display(0); + if (t 0) { + delay = (unsigned int)t; + display(); status(); goto done; } @@ -112,7 +117,6 @@ command(const char *cmd) if (p) { if (curcmd == p) goto done; - alarm(0); (*curcmd-c_close)(wnd); curcmd-c_flags = ~CF_INIT; wnd = (*p-c_open)(); @@ -133,14 +137,13 @@ command(const char *cmd) } curcmd = p; labels(); - display(0); + display(); status(); goto done; } if (curcmd-c_cmd == 0 || !(*curcmd-c_cmd)(tmpstr1, cp)) error(%s: Unknown command., tmpstr1); done: - sigsetmask(omask); free(tmpstr); } @@ -177,7 +180,7 @@ status(void) { error(Showing %s, refresh every %d seconds., - curcmd-c_name, naptime); + curcmd-c_name, delay / 100); } int Modified: stable/9/usr.bin/systat/extern.h == --- stable/9/usr.bin/systat/extern.hThu Oct 4 22:41:00 2012 (r241212) +++ stable/9/usr.bin/systat/extern.hThu Oct 4 22:56:15 2012 (r241213) @@ -49,11 +49,12 @@ extern int CMDLINE; extern int dk_ndrive; extern int hz, stathz; extern double hertz; /* sampling frequency for cp_time and dk_time */ -extern int naptime, col; +extern int col; extern int nhosts; extern int nports; extern int protos; extern int verbose; +extern unsigned intdelay; struct inpcb; 
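Review bot: The last test in this hunk of command(), `if (t 0) {` as printed here (the page has stripped the comparison operators, so this reads it as `t > 0`), assigns `delay = (unsigned int)t;` without the upper bound that the first test applies. A very large number typed as the command therefore reaches an out-of-range double-to-unsigned conversion, which is undefined behaviour in C. The guard should repeat the bound, `if (t > 0 && t < (double)UINT_MAX) {`. The `(int)t` passed to `error()` in the bad-interval branch has the same problem once `t` exceeds `INT_MAX`, so printing the rejected text with `error("%s: bad interval.", cp);` is safer. The identical hunk appears in the r240605 diff for head/usr.bin/systat/cmds.c further down the page, and command() itself starts and ends outside this hunk.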
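Review bot: In the status() hunk, `delay / 100` is an integer division printed with `%d`, so the fractional intervals this change introduces are displayed truncated (an interval of 0.5 is reported as 0 seconds). It also passes an `unsigned int` to a signed conversion. Printing the value as a double keeps the message accurate: `error("Showing %s, refresh every %.2f seconds.", curcmd->c_name, delay / 100.0);`. The same hunk is present in the r240605 diff for head/usr.bin/systat/cmds.c.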
@@ -87,7 +88,7 @@ intcmdnetstat(const char *, const char struct cmdtab *lookup(const char *); voidcommand(const char *); voiddie(int); -voiddisplay(int); +voiddisplay(void); int dkinit(void); int dkcmd(char *, char *); voiderror(const char *fmt, ...) __printflike(1, 2); Modified: stable/9/usr.bin/systat/icmp.c
svn commit: r241094 - stable/9/sys/ofed/drivers/infiniband/ulp/ipoib
Author: melifaro Date: Mon Oct 1 10:54:04 2012 New Revision: 241094 URL: http://svn.freebsd.org/changeset/base/241094 Log: Merge r240082. Remove unneeded ipfw headers introduced in r213447 from Infiniband code. Modified: stable/9/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib.h Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib.h == --- stable/9/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib.h Mon Oct 1 10:52:10 2012(r241093) +++ stable/9/sys/ofed/drivers/infiniband/ulp/ipoib/ipoib.h Mon Oct 1 10:54:04 2012(r241094) @@ -67,8 +67,6 @@ #include netinet/in_var.h #include netinet/if_ether.h #include netinet/ip_var.h -#include netinet/ip_fw.h -#include netinet/ipfw/ip_fw_private.h #endif #ifdef INET6 #include netinet6/nd6.h ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r240892 - head/sbin/ipfw
Author: melifaro Date: Mon Sep 24 17:31:08 2012 New Revision: 240892 URL: http://svn.freebsd.org/changeset/base/240892 Log: Permit table to be used as IPv6 address. Reported by: Serhiy Popov sergius...@ukr.net MFC after:2 weeks Modified: head/sbin/ipfw/ipv6.c Modified: head/sbin/ipfw/ipv6.c == --- head/sbin/ipfw/ipv6.c Mon Sep 24 17:13:33 2012(r240891) +++ head/sbin/ipfw/ipv6.c Mon Sep 24 17:31:08 2012(r240892) @@ -352,6 +352,22 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av) return (1); } + if (strncmp(av, table(, 6) == 0) { + char *p = strchr(av + 6, ','); + uint32_t *dm = ((ipfw_insn_u32 *)cmd)-d; + + if (p) + *p++ = '\0'; + cmd-o.opcode = O_IP_DST_LOOKUP; + cmd-o.arg1 = strtoul(av + 6, NULL, 0); + if (p) { + cmd-o.len |= F_INSN_SIZE(ipfw_insn_u32); + dm[0] = strtoul(p, NULL, 0); + } else + cmd-o.len |= F_INSN_SIZE(ipfw_insn); + return (1); + } + av = strdup(av); while (av) { /* @@ -469,7 +485,11 @@ add_srcip6(ipfw_insn *cmd, char *av) { fill_ip6((ipfw_insn_ip6 *)cmd, av); - if (F_LEN(cmd) == 0) { /* any */ + if (cmd-opcode == O_IP_DST_SET)/* set */ + cmd-opcode = O_IP_SRC_SET; + else if (cmd-opcode == O_IP_DST_LOOKUP)/* table */ + cmd-opcode = O_IP_SRC_LOOKUP; + else if (F_LEN(cmd) == 0) { /* any */ } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* me */ cmd-opcode = O_IP6_SRC_ME; } else if (F_LEN(cmd) == @@ -487,7 +507,11 @@ add_dstip6(ipfw_insn *cmd, char *av) { fill_ip6((ipfw_insn_ip6 *)cmd, av); - if (F_LEN(cmd) == 0) { /* any */ + if (cmd-opcode == O_IP_DST_SET)/* set */ + ; + else if (cmd-opcode == O_IP_DST_LOOKUP)/* table */ + ; + else if (F_LEN(cmd) == 0) { /* any */ } else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* me */ cmd-opcode = O_IP6_DST_ME; } else if (F_LEN(cmd) == ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
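Review bot: The new `table(` branch in fill_ip6() stores `strtoul(av + 6, NULL, 0)` into `cmd->o.arg1` without checking that any digits were consumed or that the value fits the field. A mistyped table argument therefore silently becomes table 0, or a truncated number, and the firewall rule matches a different table than the operator intended. Parse with an end pointer and reject bad input, for example `unsigned long tbl = strtoul(av + 6, &end, 0);` followed by `if (end == av + 6 || tbl > UINT16_MAX) errx(EX_DATAERR, "bad table number: %s", av);`. The bound assumes `arg1` is a 16-bit field, which the hunk does not show, and the optional value parsed after the comma deserves the same validation. fill_ip6() continues outside the hunk.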
svn commit: r240893 - head/sbin/ipfw
Author: melifaro Date: Mon Sep 24 17:34:30 2012 New Revision: 240893 URL: http://svn.freebsd.org/changeset/base/240893 Log: Whitespace fixes MFC after:2 weeks Modified: head/sbin/ipfw/ipv6.c Modified: head/sbin/ipfw/ipv6.c == --- head/sbin/ipfw/ipv6.c Mon Sep 24 17:31:08 2012(r240892) +++ head/sbin/ipfw/ipv6.c Mon Sep 24 17:34:30 2012(r240893) @@ -336,21 +336,21 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av) * Note d[1] points to struct in6_add r mask6 of cmd */ - cmd-o.len = ~F_LEN_MASK; /* zero len */ + cmd-o.len = ~F_LEN_MASK; /* zero len */ - if (strcmp(av, any) == 0) - return (1); + if (strcmp(av, any) == 0) + return (1); - if (strcmp(av, me) == 0) {/* Set the data for me opt*/ - cmd-o.len |= F_INSN_SIZE(ipfw_insn); - return (1); - } + if (strcmp(av, me) == 0) {/* Set the data for me opt*/ + cmd-o.len |= F_INSN_SIZE(ipfw_insn); + return (1); + } - if (strcmp(av, me6) == 0) { /* Set the data for me opt*/ - cmd-o.len |= F_INSN_SIZE(ipfw_insn); - return (1); - } + if (strcmp(av, me6) == 0) { /* Set the data for me opt*/ + cmd-o.len |= F_INSN_SIZE(ipfw_insn); + return (1); + } if (strncmp(av, table(, 6) == 0) { char *p = strchr(av + 6, ','); @@ -368,8 +368,8 @@ fill_ip6(ipfw_insn_ip6 *cmd, char *av) return (1); } - av = strdup(av); - while (av) { + av = strdup(av); + while (av) { /* * After the address we can have '/' indicating a mask, * or ',' indicating another address follows. ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r240605 - head/usr.bin/systat
Author: melifaro Date: Mon Sep 17 13:36:47 2012 New Revision: 240605 URL: http://svn.freebsd.org/changeset/base/240605 Log: Make systat(1) accept fractional number of seconds. Make old alarm(3)-based code use select(2). MFC after:2 weeks Modified: head/usr.bin/systat/cmds.c head/usr.bin/systat/extern.h head/usr.bin/systat/icmp.c head/usr.bin/systat/icmp6.c head/usr.bin/systat/ip.c head/usr.bin/systat/ip6.c head/usr.bin/systat/keyboard.c head/usr.bin/systat/main.c head/usr.bin/systat/systat.1 head/usr.bin/systat/tcp.c Modified: head/usr.bin/systat/cmds.c == --- head/usr.bin/systat/cmds.c Mon Sep 17 13:06:47 2012(r240604) +++ head/usr.bin/systat/cmds.c Mon Sep 17 13:36:47 2012(r240605) @@ -35,6 +35,8 @@ __FBSDID($FreeBSD$); static const char sccsid[] = @(#)cmds.c 8.2 (Berkeley) 4/29/95; #endif +#include sys/param.h + #include ctype.h #include signal.h #include stdlib.h @@ -49,10 +51,9 @@ command(const char *cmd) { struct cmdtab *p; char *cp, *tmpstr, *tmpstr1; - int interval, omask; + double t; tmpstr = tmpstr1 = strdup(cmd); - omask = sigblock(sigmask(SIGALRM)); for (cp = tmpstr1; *cp !isspace(*cp); cp++) ; if (*cp) @@ -68,7 +69,7 @@ command(const char *cmd) goto done; } if (strcmp(tmpstr1, stop) == 0) { - alarm(0); + delay = 0; mvaddstr(CMDLINE, 0, Refresh disabled.); clrtoeol(); goto done; 
@@ -88,19 +89,23 @@ command(const char *cmd) clrtoeol(); goto done; } - interval = atoi(tmpstr1); - if (interval = 0 - (strcmp(tmpstr1, start) == 0 || strcmp(tmpstr1, interval) == 0)) { - interval = *cp ? atoi(cp) : naptime; - if (interval = 0) { - error(%d: bad interval., interval); - goto done; + t = strtod(tmpstr1, NULL) * 100.0; + if (t 0 t (double)UINT_MAX) + delay = (unsigned int)t; + if ((t = 0 || t (double)UINT_MAX) + (strcmp(tmpstr1, start) == 0 || + strcmp(tmpstr1, interval) == 0)) { + if (*cp != '\0') { + t = strtod(cp, NULL) * 100.0; + if (t = 0 || t = (double)UINT_MAX) { + error(%d: bad interval., (int)t); + goto done; + } } } - if (interval 0) { - alarm(0); - naptime = interval; - display(0); + if (t 0) { + delay = (unsigned int)t; + display(); status(); goto done; } @@ -112,7 +117,6 @@ command(const char *cmd) if (p) { if (curcmd == p) goto done; - alarm(0); (*curcmd-c_close)(wnd); curcmd-c_flags = ~CF_INIT; wnd = (*p-c_open)(); @@ -133,14 +137,13 @@ command(const char *cmd) } curcmd = p; labels(); - display(0); + display(); status(); goto done; } if (curcmd-c_cmd == 0 || !(*curcmd-c_cmd)(tmpstr1, cp)) error(%s: Unknown command., tmpstr1); done: - sigsetmask(omask); free(tmpstr); } @@ -177,7 +180,7 @@ status(void) { error(Showing %s, refresh every %d seconds., - curcmd-c_name, naptime); + curcmd-c_name, delay / 100); } int Modified: head/usr.bin/systat/extern.h == --- head/usr.bin/systat/extern.hMon Sep 17 13:06:47 2012 (r240604) +++ head/usr.bin/systat/extern.hMon Sep 17 13:36:47 2012 (r240605) @@ -49,11 +49,12 @@ extern int CMDLINE; extern int dk_ndrive; extern int hz, stathz; extern double hertz; /* sampling frequency for cp_time and dk_time */ -extern int naptime, col; +extern int col; extern int nhosts; extern int nports; extern int protos; extern int verbose; +extern unsigned intdelay; struct inpcb; 
@@ -87,7 +88,7 @@ intcmdnetstat(const char *, const char struct cmdtab *lookup(const char *); voidcommand(const char *); voiddie(int); -voiddisplay(int); +voiddisplay(void); int dkinit(void); int dkcmd(char *, char *); voiderror(const char *fmt, ...) __printflike(1, 2); Modified: head/usr.bin/systat/icmp.c == --- head/usr.bin/systat/icmp.c Mon Sep 17 13:06:47 2012(r240604) +++ head/usr.bin/systat/icmp.c Mon Sep 17
Re: svn commit: r240605 - head/usr.bin/systat
On 17.09.2012 17:36, Alexander V. Chernikov wrote: Author: melifaro Date: Mon Sep 17 13:36:47 2012 New Revision: 240605 URL: http://svn.freebsd.org/changeset/base/240605 Log: Make systat(1) accept fractional number of seconds. Make old alarm(3)-based code use select(2). Ability to specify small intervals can be very handy while debugging traffic microbursts. Note that locale-aware strtod(3) is used to parse delay which is slightly different from ping. MFC after: 2 weeks ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r240561 - head/share/man/man9
Author: melifaro Date: Sun Sep 16 13:13:02 2012 New Revision: 240561 URL: http://svn.freebsd.org/changeset/base/240561 Log: Add section describing existing filtering points. Document byteorder behavior in AF_INET[6] hooks in new section. MFC after:2 weeks Modified: head/share/man/man9/pfil.9 Modified: head/share/man/man9/pfil.9 == --- head/share/man/man9/pfil.9 Sun Sep 16 12:08:06 2012(r240560) +++ head/share/man/man9/pfil.9 Sun Sep 16 13:13:02 2012(r240561) @@ -28,7 +28,7 @@ .\ .\ $FreeBSD$ .\ -.Dd September 29, 2004 +.Dd September 16, 2012 .Dt PFIL 9 .Os .Sh NAME @@ -122,6 +122,18 @@ The filter returns an error (errno) if t if the processing is to continue. If the packet processing is to stop, it is the responsibility of the filter to free the packet. +.Sh FILTERING POINTS +Currently, filtering points are implemented for the following link types: +.Pp +.Bl -tag -width AF_INET6 -offset XXX -compact +.It AF_INET +.It AF_INET6 +IPv4 and IPv6 packets. Note that packet header is already +.Cm converted to host format. +Host format has to be preserved in case of header modifications. +.It AF_LINK +Link-layer packets. +.El .Sh RETURN VALUES If successful, .Fn pfil_head_get @@ -187,23 +199,6 @@ The function is only safe for internal use. .Pp -.Fx -implements only hooks for -.Dv AF_INET -and -.Dv AF_INET6 . -Packets diverted through these hooks have data in -host byte order contrary to the above statements. -.Pp -The -.Xr if_bridge 4 -diverts -.Dv AF_INET -and -.Dv AF_INET6 -traffic according to its sysctl settings, but contrary to the above -statements, the data is provided in host byte order. -.Pp When a .Vt pfil_head is being modified, no traffic is diverted ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r238619 - in stable/8/sys: conf modules/netgraph/netflow netgraph/netflow
Author: melifaro Date: Thu Jul 19 11:43:31 2012 New Revision: 238619 URL: http://svn.freebsd.org/changeset/base/238619 Log: MFC r219182, r219229, r220769, r223706, r223787, r223822, r232921, r237162, r237163, r237164, r237226, r237227 Merge netflow v9 support (kernel side) r219182 - Add support for NetFlow version 9 into ng_netflow(4) node. r219229 - Unbreak the build for no options INET6. r220769 - ng_netflow_cache_init() can be void. r223706 - Fix double free. r223787 - Eliminate flow6_hash_entry in favor of flow_hash_entry r223822 - Add missing unlocks. r232921 - Use rt_numfibs variable instead of compile-time RT_NUMFIBS. r237162 - Fix improper L4 header handling for IPv6 packets passed via DLT_RAW. r237163 - Set netflow v9 observation domain value to fib number instead of node id r237164 - Use time_uptime instead of getnanotime for accouting integer number of seconds. r237226 - Simplify IP pointer recovery in case of mbuf reallocation. r237227 - Make radix lookup on src and dst flow addresses optional No objection from: glebius Approved by:ae(mentor) Added: stable/8/sys/netgraph/netflow/netflow_v9.c - copied, changed from r219182, head/sys/netgraph/netflow/netflow_v9.c stable/8/sys/netgraph/netflow/netflow_v9.h - copied unchanged from r219182, head/sys/netgraph/netflow/netflow_v9.h Modified: stable/8/sys/conf/files stable/8/sys/modules/netgraph/netflow/Makefile stable/8/sys/netgraph/netflow/netflow.c stable/8/sys/netgraph/netflow/netflow.h stable/8/sys/netgraph/netflow/ng_netflow.c stable/8/sys/netgraph/netflow/ng_netflow.h Directory Properties: stable/8/sys/ (props changed) Modified: stable/8/sys/conf/files == --- stable/8/sys/conf/files Thu Jul 19 11:18:41 2012(r238618) +++ stable/8/sys/conf/files Thu Jul 19 11:43:31 2012(r238619) 
@@ -2533,6 +2533,7 @@ netgraph/bluetooth/socket/ng_btsocket_l2 netgraph/bluetooth/socket/ng_btsocket_rfcomm.c optional netgraph_bluetooth_socket netgraph/bluetooth/socket/ng_btsocket_sco.c optional netgraph_bluetooth_socket netgraph/netflow/netflow.c optional netgraph_netflow +netgraph/netflow/netflow_v9.c optional netgraph_netflow netgraph/netflow/ng_netflow.c optional netgraph_netflow netgraph/ng_UI.c optional netgraph_UI netgraph/ng_async.coptional netgraph_async Modified: stable/8/sys/modules/netgraph/netflow/Makefile == --- stable/8/sys/modules/netgraph/netflow/Makefile Thu Jul 19 11:18:41 2012(r238618) +++ stable/8/sys/modules/netgraph/netflow/Makefile Thu Jul 19 11:43:31 2012(r238619) @@ -3,9 +3,20 @@ # Author: Gleb Smirnoff gleb...@freebsd.org # +.include bsd.own.mk + .PATH: ${.CURDIR}/../../../netgraph/netflow KMOD= ng_netflow -SRCS= ng_netflow.c netflow.c +SRCS= ng_netflow.c netflow.c netflow_v9.c opt_inet6.h opt_route.h + +.if !defined(KERNBUILDDIR) + +.if ${MK_INET6_SUPPORT} != no +opt_inet6.h: + echo #define INET6 1 ${.TARGET} +.endif + +.endif .include bsd.kmod.mk Modified: stable/8/sys/netgraph/netflow/netflow.c == --- stable/8/sys/netgraph/netflow/netflow.c Thu Jul 19 11:18:41 2012 (r238618) +++ stable/8/sys/netgraph/netflow/netflow.c Thu Jul 19 11:43:31 2012 (r238619) @@ -1,4 +1,5 @@ /*- + * Copyright (c) 2010-2011 Alexander V. Chernikov melif...@ipfw.ru * Copyright (c) 2004-2005 Gleb Smirnoff gleb...@freebsd.org * Copyright (c) 2001-2003 Roman V. Palagin rom...@unshadow.net * All rights reserved. @@ -30,6 +31,8 @@ static const char rcs_id[] = @(#) $FreeBSD$; +#include opt_inet6.h +#include opt_route.h #include sys/param.h #include sys/kernel.h #include sys/limits.h 
@@ -37,14 +40,18 @@ static const char rcs_id[] = #include sys/syslog.h #include sys/systm.h #include sys/socket.h +#include sys/endian.h #include machine/atomic.h +#include machine/stdarg.h #include net/if.h #include net/route.h +#include net/ethernet.h #include netinet/in.h #include netinet/in_systm.h #include netinet/ip.h +#include netinet/ip6.h #include netinet/tcp.h #include netinet/udp.h @@ -52,6 +59,7 @@ static const char rcs_id[] = #include netgraph/netgraph.h #include netgraph/netflow/netflow.h +#include netgraph/netflow/netflow_v9.h #include netgraph/netflow/ng_netflow.h #defineNBUCKETS(65536) /* must be power of 2 */ @@ -83,25 +91,30 @@ static const char rcs_id[] = */ #defineSMALL(fle) (fle-f.packets = 4) -/* - * Cisco uses milliseconds for uptime. Bad idea, since it overflows - * every 48+ days. But we will do same to keep compatibility. This macro - * does overflowable multiplication to 1000. - */ -#defineMILLIUPTIME(t) (((t) 9) + /* 512
svn commit: r238620 - stable/8/usr.sbin/flowctl
Author: melifaro Date: Thu Jul 19 13:00:31 2012 New Revision: 238620 URL: http://svn.freebsd.org/changeset/base/238620 Log: MFC r223788, r223790, r223824 236808 Merge netflow v9 support (user side) r223788 - Rewrite the flowctl utility to add it support for displaying both IPv4 and IPv4 flows. r223790 - Update manual page. Mention IPv6 support, .. r223824 - Conditionally compile in the IPv4/IPv6 address family support. r236808 - Add human option to print IPv4/IPv6 flows in human-readable format. Additionally, implement compatibility code for syntax changes introduced in r223788. Flowctl supports specifying node both as absolute path (new style) and as node name without colon (old style). No objection from: glebius Approved by:ae(mentor) Modified: stable/8/usr.sbin/flowctl/Makefile stable/8/usr.sbin/flowctl/flowctl.8 stable/8/usr.sbin/flowctl/flowctl.c Directory Properties: stable/8/usr.sbin/ (props changed) stable/8/usr.sbin/flowctl/ (props changed) Modified: stable/8/usr.sbin/flowctl/Makefile == --- stable/8/usr.sbin/flowctl/Makefile Thu Jul 19 11:43:31 2012 (r238619) +++ stable/8/usr.sbin/flowctl/Makefile Thu Jul 19 13:00:31 2012 (r238620) @@ -2,6 +2,8 @@ # $FreeBSD$ # +.include bsd.own.mk + PROG= flowctl MAN= flowctl.8 @@ -9,4 +11,11 @@ WARNS?= 2 DPADD= ${LIBNETGRAPH} LDADD= -lnetgraph +.if ${MK_INET6_SUPPORT} != no +CFLAGS+= -DINET6 +.endif +.if ${MK_INET_SUPPORT} != no +CFLAGS+= -DINET +.endif + .include bsd.prog.mk Modified: stable/8/usr.sbin/flowctl/flowctl.8 == --- stable/8/usr.sbin/flowctl/flowctl.8 Thu Jul 19 11:43:31 2012 (r238619) +++ stable/8/usr.sbin/flowctl/flowctl.8 Thu Jul 19 13:00:31 2012 (r238620) @@ -24,7 +24,7 @@ .\ .\ $FreeBSD$ .\ -.Dd March 23, 2005 +.Dd June 8, 2012 .Dt FLOWCTL 8 .Os .Sh NAME @@ -35,7 +35,7 @@ control utility .Sh SYNOPSIS .Nm .Op Fl d Ar level -.Ar node command +.Ar path command .Sh DESCRIPTION The .Nm 
@@ -56,16 +56,23 @@ Currently, supports only one command. .Pp .Bl -tag -width .Cm show -.It Cm show +.It Cm show Oo Cm ipv4|ipv6 Oc Op Cm human|verbose This command is the analog of the .Dq show ip cache flow command of a Cisco router. It dumps the contents of the flow cache in Cisco-like format. +Specifing either +.Cm ipv4 +or +.Cm ipv6 +would extract only IPv4 or IPv6 flows respectively. It has optional parameter .Cm verbose , which is analog of the .Dq show ip cache verbose flow -command. +command. Additionally, +.Cm human +parameter can be specify to show selected flows in human-readable format. .El .Sh EXIT STATUS .Ex -std Modified: stable/8/usr.sbin/flowctl/flowctl.c == --- stable/8/usr.sbin/flowctl/flowctl.c Thu Jul 19 11:43:31 2012 (r238619) +++ stable/8/usr.sbin/flowctl/flowctl.c Thu Jul 19 13:00:31 2012 (r238620) 
@@ -46,29 +46,61 @@ static const char rcs_id[] = #include stdio.h #include stdlib.h #include string.h +#include sysexits.h #include unistd.h #include netgraph.h #include netgraph/netflow/ng_netflow.h -#defineCISCO_SH_FLOW_HEADERSrcIf SrcIPaddressDstIf DstIPaddressPr SrcP DstP Pkts\n +#defineCISCO_SH_FLOW_HEADERSrcIf SrcIPaddress \ +DstIf DstIPaddressPr SrcP DstP Pkts\n #defineCISCO_SH_FLOW %-13s %-15s %-13s %-15s %2u %4.4x %4.4x %6lu\n -#defineCISCO_SH_VERB_FLOW_HEADER SrcIf SrcIPaddressDstIf DstIPaddressPr TOS Flgs Pkts\n \ +/* human-readable IPv4 header */ +#defineCISCO_SH_FLOW_HHEADER SrcIf SrcIPaddress \ +DstIf DstIPaddressProto SrcPort DstPort Pkts\n +#defineCISCO_SH_FLOW_H %-13s %-15s %-13s %-15s %5u %8d %8d %8lu\n + +#defineCISCO_SH_FLOW6_HEADER SrcIf SrcIPaddress \ +DstIf DstIPaddress Pr SrcP DstP Pkts\n +#defineCISCO_SH_FLOW6 %-13s %-30s %-13s %-30s %2u %4.4x %4.4x %6lu\n + +/* Human-readable IPv6 headers */ +#defineCISCO_SH_FLOW6_HHEADER SrcIf SrcIPaddress \ +DstIf DstIPaddress Proto SrcPort DstPort Pkts\n +#defineCISCO_SH_FLOW6_H%-13s %-36s %-13s %-36s %5u %8d %8d %8lu\n + +#defineCISCO_SH_VERB_FLOW_HEADER SrcIf SrcIPaddress \ +DstIf DstIPaddressPr TOS Flgs Pkts\n \ Port Msk ASPort Msk ASNextHop B/Pk Active\n #defineCISCO_SH_VERB_FLOW %-14s %-15s %-14s %-15s %2u %3x %4x %6lu\n \ %4.4x /%-2u %-5u %4.4x /%-2u %-5u %-15s %9u %8u\n\n -static int flow_cache_print(struct ngnf_flows
Re: svn commit: r238620 - stable/8/usr.sbin/flowctl
On 19.07.2012 17:44, Doug Barton wrote: On 07/19/2012 06:00, Alexander V. Chernikov wrote: Author: melifaro Date: Thu Jul 19 13:00:31 2012 New Revision: 238620 URL: http://svn.freebsd.org/changeset/base/238620 Log: MFC r223788, r223790, r223824 236808 Merge netflow v9 support (user side) Seems to have broken the build. Did you 'make universe' these changes? New flowctl requires updated netflow headers introduced in r238619. 'cp -p /usr/src/sys/netgraph/netflow/*.h /usr/include/netgraph/netflow' should help. Can you please show exact error messages and arch ? Doug -- WBR, Alexander ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org