Re: svn commit: r238277 - in head: etc/defaults etc/rc.d sbin/ipfw share/man/man5 sys/netinet/ipfw
Hiroki, On Tue, Jul 10, 2012 at 05:30:02AM +0900, Hiroki Sato wrote: H Given that we add a new API to H enumerate the interfaces including bpf-only providers with fake H ifnets, which providers/utilities should be converted to use it? IMO H usbusN would be a reasonable target but others still need a real H ifnet. In my understanding, the advantage of using a fake ifnet is H just to prevent it from appearing as an interface. Is it correct? IMO, neither ipfwlog0 nor pflog0 nor pfsync0 need 'struct ifnet'. They are pure providers for tcpdump only. (pfsync0 also consumes if_ioctl to configure itself, but this can be axed and configuring should be done via /dev/pf as all other parts of pf.) As soon as Alexander comes with API that makes it possible to create BPF dumping points in kernel that aren't tied to 'struct ifnet', I'd be happy to remove pfsync/pflog/ipfwlog as interfaces. -- Totus tuus, Glebius. ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
svn commit: r238277 - in head: etc/defaults etc/rc.d sbin/ipfw share/man/man5 sys/netinet/ipfw
Author: hrs
Date: Mon Jul 9 07:16:19 2012
New Revision: 238277
URL: http://svn.freebsd.org/changeset/base/238277
Log:
Make ipfw0 logging pseudo-interface clonable. It can be created automatically
by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8)
after a boot.
Discussed on: freebsd-ipfw@
Modified:
head/etc/defaults/rc.conf
head/etc/rc.d/ipfw
head/sbin/ipfw/ipfw.8
head/share/man/man5/rc.conf.5
head/sys/netinet/ipfw/ip_fw_log.c
Modified: head/etc/defaults/rc.conf
==
--- head/etc/defaults/rc.conf Mon Jul 9 06:41:18 2012(r238276)
+++ head/etc/defaults/rc.conf Mon Jul 9 07:16:19 2012(r238277)
@@ -123,6 +123,7 @@ firewall_script=/etc/rc.firewall # Whi
firewall_type=UNKNOWN# Firewall type (see /etc/rc.firewall)
firewall_quiet=NO# Set to YES to suppress rule display
firewall_logging=NO # Set to YES to enable events logging
+firewall_logif=NO# Set to YES to create logging-pseudo interface
firewall_flags= # Flags passed to ipfw when type is a file
firewall_coscripts= # List of executables/scripts to run after
# firewall starts/stops
Modified: head/etc/rc.d/ipfw
==
--- head/etc/rc.d/ipfw Mon Jul 9 06:41:18 2012(r238276)
+++ head/etc/rc.d/ipfw Mon Jul 9 07:16:19 2012(r238277)
@@ -57,6 +57,10 @@ ipfw_start()
echo 'Firewall logging enabled.'
sysctl net.inet.ip.fw.verbose=1 /dev/null
fi
+ if checkyesno firewall_logif; then
+ ifconfig ipfw0 create
+ echo 'Firewall logging pseudo-interface (ipfw0) created.'
+ fi
}
ipfw_poststart()
Modified: head/sbin/ipfw/ipfw.8
==
--- head/sbin/ipfw/ipfw.8 Mon Jul 9 06:41:18 2012(r238276)
+++ head/sbin/ipfw/ipfw.8 Mon Jul 9 07:16:19 2012(r238277)
@@ -1,7 +1,7 @@
.\
.\ $FreeBSD$
.\
-.Dd July 3, 2012
+.Dd July 9, 2012
.Dt IPFW 8
.Os
.Sh NAME
@@ -560,7 +560,22 @@ is set to 0 (default), one can use
.Xr bpf 4
attached to the
.Li ipfw0
-pseudo interface. There is no overhead if no
+pseudo interface.
+This pseudo interface can be created after a boot
+manually by using the following command:
+.Bd -literal -offset indent
+# ifconfig ipfw0 create
+.Ed
+.Pp
+Or, automatically at boot time by adding the following
+line to the
+.Xr rc.conf 5
+file:
+.Bd -literal -offset indent
+firewall_logif=YES
+.Ed
+.Pp
+There is no overhead if no
.Xr bpf 4
is attached to the pseudo interface.
.Pp
Modified: head/share/man/man5/rc.conf.5
==
--- head/share/man/man5/rc.conf.5 Mon Jul 9 06:41:18 2012
(r238276)
+++ head/share/man/man5/rc.conf.5 Mon Jul 9 07:16:19 2012
(r238277)
@@ -24,7 +24,7 @@
.\
.\ $FreeBSD$
.\
-.Dd May 6, 2012
+.Dd July 9, 2012
.Dt RC.CONF 5
.Os
.Sh NAME
@@ -501,6 +501,16 @@ to enable firewall event logging.
This is equivalent to the
.Dv IPFIREWALL_VERBOSE
kernel option.
+.It Va firewall_logif
+.Pq Vt bool
+Set to
+.Dq Li YES
+to create pseudo interface
+.Li ipfw0
+for logging.
+For more details, see
+.Xr ipfw 8
+manual page.
.It Va firewall_flags
.Pq Vt str
Flags passed to
Modified: head/sys/netinet/ipfw/ip_fw_log.c
==
--- head/sys/netinet/ipfw/ip_fw_log.c Mon Jul 9 06:41:18 2012
(r238276)
+++ head/sys/netinet/ipfw/ip_fw_log.c Mon Jul 9 07:16:19 2012
(r238277)
@@ -44,8 +44,11 @@ __FBSDID($FreeBSD$);
#include sys/socket.h
#include sys/sysctl.h
#include sys/syslog.h
+#include sys/lock.h
+#include sys/rwlock.h
#include net/ethernet.h /* for ETHERTYPE_IP */
#include net/if.h
+#include net/if_clone.h
#include net/vnet.h
#include net/if_types.h /* for IFT_ETHER */
#include net/bpf.h /* for BPF */
@@ -90,6 +93,15 @@ ipfw_log_bpf(int onoff)
}
#else /* !WITHOUT_BPF */
static struct ifnet *log_if; /* hook to attach to bpf */
+static struct rwlock log_if_lock;
+#defineLOGIF_LOCK_INIT(x) rw_init(log_if_lock, ipfw log_if
lock)
+#defineLOGIF_LOCK_DESTROY(x) rw_destroy(log_if_lock)
+#defineLOGIF_RLOCK(x) rw_rlock(log_if_lock)
+#defineLOGIF_RUNLOCK(x)rw_runlock(log_if_lock)
+#defineLOGIF_WLOCK(x) rw_wlock(log_if_lock)
+#defineLOGIF_WUNLOCK(x)rw_wunlock(log_if_lock)
+
+#defineIPFWNAMEipfw
/* we use this dummy function for all ifnet callbacks */
static int
@@ -116,37 +128,105 @@ ipfw_log_start(struct ifnet* ifp)
static const u_char ipfwbroadcastaddr[6] =
{ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
+static int
Re: svn commit: r238277 - in head: etc/defaults etc/rc.d sbin/ipfw share/man/man5 sys/netinet/ipfw
On 09.07.2012 11:16, Hiroki Sato wrote: Author: hrs Date: Mon Jul 9 07:16:19 2012 New Revision: 238277 URL: http://svn.freebsd.org/changeset/base/238277 Log: Make ipfw0 logging pseudo-interface clonable. It can be created automatically by $firewall_logif rc.conf(5) variable at boot time or manually by ifconfig(8) after a boot. Discussed on:freebsd-ipfw@ Em, well, I thought discussed means some kind of consensus? There was an alternative implementation proposed in -ipfw with no comments from you side. Additionally, there can be other (still not discussed) solutions like making this interface as loadable module (like pf do). ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
Re: svn commit: r238277 - in head: etc/defaults etc/rc.d sbin/ipfw share/man/man5 sys/netinet/ipfw
Alexander V. Chernikov melif...@freebsd.org wrote in 4ffa894d.9050...@freebsd.org: me On 09.07.2012 11:16, Hiroki Sato wrote: me Author: hrs me Date: Mon Jul 9 07:16:19 2012 me New Revision: 238277 me URL: http://svn.freebsd.org/changeset/base/238277 me me Log: me Make ipfw0 logging pseudo-interface clonable. It can be created me automatically me by $firewall_logif rc.conf(5) variable at boot time or manually by me ifconfig(8) me after a boot. me me Discussed on: freebsd-ipfw@ me Em, well, I thought discussed means some kind of consensus? me There was an alternative implementation proposed in -ipfw with no me comments from you side. Additionally, there can be other (still not me discussed) solutions like making this interface as loadable module me (like pf do). I meant there was no strong objection. I am sorry for not commenting your implementation, but at least for ipfw0 it is difficult to decouple ifnet and bpf because the primary consumer is tcpdump(8), which depends on NET_RT_IFLIST to find the target. Probably your solution can be used for usbdump(8). The reason why I committed the patch now is there are reports that these pseudo interfaces made some applications confused and/or caused some performance degradation on 9.0R, and wanted to fix it in some way. I am still open for more sophisticated implementation and have no objection to replace mine with it. Do you have an idea about converting it with a loadable module? -- Hiroki pgpRpchTh0luF.pgp Description: PGP signature
Re: svn commit: r238277 - in head: etc/defaults etc/rc.d sbin/ipfw share/man/man5 sys/netinet/ipfw
On 09.07.2012 12:08, Hiroki Sato wrote: Alexander V. Chernikovmelif...@freebsd.org wrote in4ffa894d.9050...@freebsd.org: I meant there was no strong objection. I am sorry for not commenting your implementation, but at least for ipfw0 it is difficult to decouple ifnet and bpf because the primary consumer is tcpdump(8), which depends on NET_RT_IFLIST to find the target. Probably your tcpdump -i still works with interface name supplied. solution can be used for usbdump(8). The reason why I committed the patch now is there are reports that these pseudo interfaces made some applications confused and/or caused some performance degradation on 9.0R, and wanted to fix it in some way. Do you plan to take this to 9.1 ? I am still open for more sophisticated implementation and have no objection to replace mine with it. Do you have an idea about converting it with a loadable module? Personally I think that the right way is to add userkernel interface for requesting interface list since this is the most major stopper for doing BPF-only providers. However this should be discussed with rpaulo@ and delphij@ (so most probably this skips 9.1). And, as fallback solution we can probably add separate ipfwlog module which is quite easy but much less clean. -- Hiroki ___ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to svn-src-all-unsubscr...@freebsd.org
Re: svn commit: r238277 - in head: etc/defaults etc/rc.d sbin/ipfw share/man/man5 sys/netinet/ipfw
Alexander V. Chernikov melif...@freebsd.org wrote in 4ffa9723.5000...@freebsd.org: me On 09.07.2012 12:08, Hiroki Sato wrote: me Alexander V. Chernikovmelif...@freebsd.org wrote me in4ffa894d.9050...@freebsd.org: me meI meant there was no strong objection. I am sorry for not commenting meyour implementation, but at least for ipfw0 it is difficult to medecouple ifnet and bpf because the primary consumer is tcpdump(8), mewhich depends on NET_RT_IFLIST to find the target. Probably your me tcpdump -i still works with interface name supplied. mesolution can be used for usbdump(8). The reason why I committed the mepatch now is there are reports that these pseudo interfaces made some meapplications confused and/or caused some performance degradation on me9.0R, and wanted to fix it in some way. me Do you plan to take this to 9.1 ? Originally I thought of it but I think it was too late. It should be polished in -CURRENT for a while also in terms of how to hide the interfaces. meI am still open for more sophisticated implementation and have no meobjection to replace mine with it. Do you have an idea about meconverting it with a loadable module? me Personally I think that the right way is to add userkernel interface me for requesting interface list since this is the most major stopper for me doing BPF-only providers. However this should be discussed with me rpaulo@ and delphij@ (so most probably this skips 9.1). Adding a sysctl to list all of the struct bpf_if including ones with a fake ifp? Hm, my goal was just to hide usbusN and ipfw0 *by default* but there was no problem with having ipfw0 with an ifnet. I thought having ifnet was tolerable if its consumer was tcpdump-like one because there are a lot of packet dump utilities which obtain interface names from the system's network interface list. Hiding the interface is rather confusing from user's perspective. I do not stick to the committed code and have no objection about adding a new API if it is useful. Well, please let me check if I understand your idea correctly. Given that we add a new API to enumerate the interfaces including bpf-only providers with fake ifnets, which providers/utilities should be converted to use it? IMO usbusN would be a reasonable target but others still need a real ifnet. In my understanding, the advantage of using a fake ifnet is just to prevent it from appearing as an interface. Is it correct? me And, as fallback solution we can probably add separate ipfwlog module me which is quite easy but much less clean. I think whether having it as a kernel module or not is orthogonal to hiding the interface. If we support multiple instances of the pseudo interface (typical in a system with vnet), cloning capability is needed in any way. -- Hiroki pgp6BTQLuYxbh.pgp Description: PGP signature
