Re: removing expired once rules in pf_purge_thread()

2016-09-03 Thread Mike Belopuhov
On 3 September 2016 at 18:03, Alexandr Nedvedicky wrote: > Hello, > > there was still one more glitch catched by mikeb: > > I have to sanitize pointer when copying rule to userland. > > The other thing pointed out by mike is the Expired time should > be printed

Re: removing expired once rules in pf_purge_thread()

2016-09-03 Thread Alexandr Nedvedicky
Hello, there was still one more glitch catched by mikeb: I have to sanitize pointer when copying rule to userland. The other thing pointed out by mike is the Expired time should be printed for expired rules only in debug mode output (pfctl -sr -g) Incremental patch is as follows:

Re: removing expired once rules in pf_purge_thread()

2016-09-03 Thread Alexandr Nedvedicky
Hello, > >updated version is below. > > > >comments? O.K.? > > One comment, otherwise ok. > > Could you assert the lock is held otherwise, this might save > effort if/when this code is refactored: > > else > rw_assert_wrlock(_consistency_lock); sure. also mikeb came to

Re: removing expired once rules in pf_purge_thread()

2016-09-03 Thread Martin Pieuchot
On 08/30/16 02:32, Alexandr Nedvedicky wrote: Hello, mikeb has just pointed out the patch fell under the desk asking me to resend it. henning@ and mikeb@ showed some interest to change handling of once rules to the same way as PF has it on Solaris. Just to refresh the audience on once option

Re: removing expired once rules in pf_purge_thread()

2016-08-30 Thread Alexandr Nedvedicky
Hello, On Tue, Aug 30, 2016 at 10:53:56AM +1000, David Gwynne wrote: > > > On 17 Dec 2015, at 13:30, Richard Procter > > wrote: > > > > > > Hi Sasha, > > > > On Fri, 18 Dec 2015, Alexandr Nedvedicky wrote: > > > >>> Right. I'll just note though that the patch

Re: removing expired once rules in pf_purge_thread()

2016-08-29 Thread David Gwynne
> On 17 Dec 2015, at 13:30, Richard Procter wrote: > > > Hi Sasha, > > On Fri, 18 Dec 2015, Alexandr Nedvedicky wrote: > >>> Right. I'll just note though that the patch as it stands allows >>> multiple winners [...] Whether that's a realistic issue, I don't

Re: removing expired once rules in pf_purge_thread()

2016-08-29 Thread Alexandr Nedvedicky
Hello, mikeb has just pointed out the patch fell under the desk asking me to resend it. > henning@ and mikeb@ showed some interest to change handling of once rules to > the same way as PF has it on Solaris. Just to refresh the audience on once > option offered by PF: > > onceCreates a

Re: removing expired once rules in pf_purge_thread()

2015-12-18 Thread Alexandr Nedvedicky
Hello Richard, > > What has to be granted is there is one 'winner' only, which puts the > > rule to garbage collector list. The pragmatic approach wins here. > > Right. I'll just note though that the patch as it stands allows multiple > winners: consider the window between testing

Re: removing expired once rules in pf_purge_thread()

2015-12-18 Thread Richard Procter
Hi Sasha, On Fri, 18 Dec 2015, Alexandr Nedvedicky wrote: > > Right. I'll just note though that the patch as it stands allows > > multiple winners [...] Whether that's a realistic issue, I don't know. > > I have though been bitten by enough edge cases like this to be very > > wary of them.

Re: removing expired once rules in pf_purge_thread()

2015-12-16 Thread Martin Pieuchot
On 16/12/15(Wed) 10:19, Alexandr Nedvedicky wrote: > On Wed, Dec 16, 2015 at 02:48:49PM +1300, Richard Procter wrote: > > > > On Tue, 15 Dec 2015, Mike Belopuhov wrote: > > > > > >Yet another possibility is to drop 'once' rules as too complex to > > > >implement for multiprocessor but I

Re: removing expired once rules in pf_purge_thread()

2015-12-16 Thread Mike Belopuhov
On Wed, Dec 16, 2015 at 02:31 +0100, Alexandr Nedvedicky wrote: > Hello, > > > It just occurred to me that another possibility would be a match-only > > rule that matches one but doesn't involve any purging machinery. Right > > now we install ftp-proxy rules as having maximum number of states

Re: removing expired once rules in pf_purge_thread()

2015-12-16 Thread Alexandr Nedvedicky
hello, > > > It just occurred to me that another possibility would be a match-only > > > rule that matches one but doesn't involve any purging machinery. Right > > > now we install ftp-proxy rules as having maximum number of states equal > > > to 1, however there's a time window between the

Re: removing expired once rules in pf_purge_thread()

2015-12-16 Thread Alexandr Nedvedicky
Hello, On Wed, Dec 16, 2015 at 02:48:49PM +1300, Richard Procter wrote: > > On Tue, 15 Dec 2015, Mike Belopuhov wrote: > > > >Yet another possibility is to drop 'once' rules as too complex to > > >implement for multiprocessor but I have no idea if this is viable. > > > > It is. And I

Re: removing expired once rules in pf_purge_thread()

2015-12-15 Thread Mike Belopuhov
On 15 December 2015 at 15:36, Alexandr Nedvedicky wrote: > Hello, > >> > >> >Another possibility would be to require 'once' rules to be 'quick'. >> >This closes the candidacy window and makes its serialisation, to >> >preclude multiple matches, more

Re: removing expired once rules in pf_purge_thread()

2015-12-15 Thread Alexandr Nedvedicky
Hello, > It just occurred to me that another possibility would be a match-only > rule that matches one but doesn't involve any purging machinery. Right > now we install ftp-proxy rules as having maximum number of states equal > to 1, however there's a time window between the moment the state is

Re: removing expired once rules in pf_purge_thread()

2015-12-15 Thread Richard Procter
On Tue, 15 Dec 2015, Mike Belopuhov wrote: > >Yet another possibility is to drop 'once' rules as too complex to > >implement for multiprocessor but I have no idea if this is viable. > > It is. And I have said that before with an authority of the implementor > of "once" rules: since we

Re: removing expired once rules in pf_purge_thread()

2015-12-15 Thread Mike Belopuhov
On 13 December 2015 at 18:56, Richard Procter wrote: > > If I understand this patch: > > Rule removal requires the consistency lock but to acquire it one must be > able to sleep. pf_test_rule() cannot sleep as it executes in a (soft) > interrupt handler, so it passes

Re: removing expired once rules in pf_purge_thread()

2015-12-15 Thread Alexandr Nedvedicky
Hello, > > > >Another possibility would be to require 'once' rules to be 'quick'. > >This closes the candidacy window and makes its serialisation, to > >preclude multiple matches, more feasible. > > > >Yet another possibility is to drop 'once' rules as too complex to > >

Re: removing expired once rules in pf_purge_thread()

2015-12-13 Thread Richard Procter
If I understand this patch: Rule removal requires the consistency lock but to acquire it one must be able to sleep. pf_test_rule() cannot sleep as it executes in a (soft) interrupt handler, so it passes the expired rule to a thread which can. However, the code to remove a 'once' rule may wish

removing expired once rules in pf_purge_thread()

2015-12-05 Thread Alexandr Nedvedicky
Hello, henning@ and mikeb@ showed some interest to change handling of once rules to the same way as PF has it on Solaris. Just to refresh the audience on once option offered by PF: onceCreates a one shot rule that will remove itself from an active ruleset after the first