Commit Graph

280 Commits

Author SHA1 Message Date
Alexander V. Chernikov
552eb491ab Bump default dynamic limit to 16k entries.
Print better log message when limit is hit.

PR:		193300
Submitted by:	me at nileshgr.com
2014-10-24 13:57:15 +00:00
Alexander V. Chernikov
9e3a53fd35 Rename log2 to tal_log2.
Submitted by:	luigi
2014-10-22 21:20:37 +00:00
Luigi Rizzo
03be41e6a4 remove/fix old code for building ipfw and dummynet in userspace 2014-10-22 05:21:36 +00:00
Hans Petter Selasky
f0188618f2 Fix multiple incorrect SYSCTL arguments in the kernel:
- Wrong integer type was specified.

- Wrong or missing "access" specifier. The "access" specifier
sometimes included the SYSCTL type, which it should not, except for
procedural SYSCTL nodes.

- Logical OR where binary OR was expected.

- Properly assert the "access" argument passed to all SYSCTL macros,
using the CTASSERT macro. This applies to both static- and dynamically
created SYSCTLs.

- Properly assert the the data type for both static and dynamic
SYSCTLs. In the case of static SYSCTLs we only assert that the data
pointed to by the SYSCTL data pointer has the correct size, hence
there is no easy way to assert types in the C language outside a
C-function.

- Rewrote some code which doesn't pass a constant "access" specifier
when creating dynamic SYSCTL nodes, which is now a requirement.

- Updated "EXAMPLES" section in SYSCTL manual page.

MFC after:	3 days
Sponsored by:	Mellanox Technologies
2014-10-21 07:31:21 +00:00
Alexander V. Chernikov
54b38fcf03 Use copyout() directly instead of updating various fields
before/after each sooptcopyout() call.

Found by:	luigi
Sponsored by:	Yandex LLC
2014-10-20 11:21:07 +00:00
Alexander V. Chernikov
4040f4ecd6 Perform more checks on the number of tables supplied by user. 2014-10-19 11:15:19 +00:00
Dag-Erling Smørgrav
99e9de871a Add a complete implementation of MurmurHash3. Tweak both implementations
so they match the established idiom.  Document them in hash(9).

MFC after:	1 month
MFC with:	r272906
2014-10-18 22:15:11 +00:00
Alexander V. Chernikov
0d90989bef Use IPFW_RULE_CNTR_SIZE macro instead of non-relevant ip_fw_cntr structure.
Found by:	luigi
2014-10-18 17:23:41 +00:00
Alexander V. Chernikov
2930362fb1 Fix matching default rule on clear/show commands.
Found by:	Oleg Ginzburg
2014-10-13 13:49:28 +00:00
Alexander V. Chernikov
956f6d3a3c Fix KASSERT typo. 2014-10-11 15:04:50 +00:00
Alexander V. Chernikov
3fd16a3a72 Remove redundant if_notifier declaration. 2014-10-10 20:37:06 +00:00
George V. Neville-Neil
1d2baefc13 Change the PF hash from Jenkins to Murmur3. In forwarding tests
this showed a conservative 3% incrase in PPS.

Differential Revision:	https://reviews.freebsd.org/D461
Submitted by:	des
Reviewed by:	emaste
MFC after:	1 month
2014-10-10 19:26:26 +00:00
Alexander V. Chernikov
5f8ad2bd82 Fix KASSERT argument type. 2014-10-10 18:57:12 +00:00
Alexander V. Chernikov
d699ee2dc9 Fix NOINET6 build for ipfw. 2014-10-10 18:31:35 +00:00
Alexander V. Chernikov
9fe15d0612 Partially fix build on !amd64
Pointed by:	bz
2014-10-10 17:24:56 +00:00
Alexander V. Chernikov
a13a821641 Merge projects/ipfw to HEAD.
Main user-visible changes are related to tables:

* Tables are now identified by names, not numbers.
 There can be up to 65k tables with up to 63-byte long names.
* Tables are now set-aware (default off), so you can switch/move
 them atomically with rules.
* More functionality is supported (swap, lock, limits, user-level lookup,
 batched add/del) by generic table code.
* New table types are added (flow) so you can match multiple packet fields at once.
* Ability to add different type of lookup algorithms for particular
 table type has been added.
* New table algorithms are added (cidr:hash, iface:array, number:array and
 flow:hash) to make certain types of lookup more effective.
* Table value are now capable of holding multiple data fields for
  different tablearg users

Performance changes:
* Main ipfw lock was converted to rmlock
* Rule counters were separated from rule itself and made per-cpu.
* Radix table entries fits into 128 bytes
* struct ip_fw is now more compact so more rules will fit into 64 bytes
* interface tables uses array of existing ifindexes for faster match

ABI changes:
All functionality supported by old ipfw(8) remains functional.
 Old & new binaries can work together with the following restrictions:
* Tables named other than ^\d+$ are shown as table(65535) in
 ruleset in old binaries

Internal changes:.
Changing table ids to numbers resulted in format modification for
 most sockopt codes. Old sopt format was compact, but very hard to
 extend (no versioning, inability to add more opcodes), so
* All relevant opcodes were converted to TLV-based versioned IP_FW3-based codes.
* The remaining opcodes were also converted to be able to eliminate
 all older opcodes at once
* All IP_FW3 handlers uses special API instead of calling sooptcopy*
 directly to ease adding another communication methods
* struct ip_fw is now different for kernel and userland
* tablearg value has been changed to 0 to ease future extensions
* table "values" are now indexes in special value array which
 holds extended data for given index
* Batched add/delete has been added to tables code
* Most changes has been done to permit batched rule addition.
* interface tracking API has been added (started on demand)
 to permit effective interface tables operations
* O(1) skipto cache, currently turned off by default at
 compile-time (eats 512K).

* Several steps has been made towards making libipfw:
  * most of new functions were separated into "parse/prepare/show
    and actuall-do-stuff" pieces (already merged).
  * there are separate functions for parsing text string into "struct ip_fw"
    and printing "struct ip_fw" to supplied buffer (already merged).
* Probably some more less significant/forgotten features

MFC after:	1 month
Sponsored by:	Yandex LLC
2014-10-09 19:32:35 +00:00
Alexander V. Chernikov
f9ab623bf2 Bump ipfw module version. 2014-10-09 16:12:01 +00:00
Alexander V. Chernikov
779b53d008 Sync to HEAD@r272825. 2014-10-09 15:35:28 +00:00
Alexander V. Chernikov
4c060d851c Fix core on table destroy inroduced by table values code.
Rename @ti array copy to 'ti_copy'.
2014-10-09 14:33:20 +00:00
Alexander V. Chernikov
ce575f539f * Wire large user buffer before processing GET request.
* Fix incorrect size calculation for IP_FW_XGET request.
2014-10-09 12:37:53 +00:00
Alexander V. Chernikov
be8bc45790 Add IP_FW_DUMP_SOPTCODES sopt to be able to determine
which opcodes are currently available in kernel.
2014-10-08 11:12:14 +00:00
Alexander V. Chernikov
eadf3b965c Fix possible crash when old value pointer is not updated after array resize. 2014-10-07 18:22:05 +00:00
Alexander V. Chernikov
79e86902e9 Notify table algo aboute runtime data change on table flush. 2014-10-07 16:46:11 +00:00
Alexander V. Chernikov
8ebca97f5e * Fix crash in interface tracker due to using old "linked" field.
* Ensure we're flushing entries without any locks held.
* Free memory in (rare) case when interface tracker fails to register ifp.
* Add KASSERT on table values refcounts.
2014-10-07 10:54:53 +00:00
Alexander V. Chernikov
bbd5a84297 Improve r272609 (O_TCPOPTS).
MFC after:	3 dayes
2014-10-06 12:29:06 +00:00
Alexander V. Chernikov
a5fedf11fc Sync to HEAD@r272609. 2014-10-06 11:29:50 +00:00
Alexander V. Chernikov
3615981425 Fix O_TCPOPTS processing.
Obtained from:	luigi
2014-10-06 11:15:11 +00:00
Alexander V. Chernikov
d4e1b51578 Fix build with gcc. 2014-10-04 13:57:14 +00:00
Alexander V. Chernikov
e530ca7333 Please GCC by specifying proper cast. 2014-10-04 13:46:10 +00:00
Alexander V. Chernikov
e3cadfdb32 Bump max rule size to 512 opcodes. 2014-10-04 12:46:26 +00:00
Alexander V. Chernikov
1ce4b35740 Sync to HEAD@r272516. 2014-10-04 12:42:37 +00:00
Alexander V. Chernikov
60805b89df Add "ipfw_ctl3" FEATURE to indicate presence of new ipfw interface. 2014-10-04 12:10:32 +00:00
Alexander V. Chernikov
ccba94b8fc Switch ipfw to use rmlock for runtime locking. 2014-10-04 11:40:35 +00:00
Alexander V. Chernikov
be3cc1b567 Bump max rule size to 512 opcodes. 2014-10-04 10:15:49 +00:00
Alexander V. Chernikov
f8350f3a23 Make linear_skipto turned off by default. 2014-10-03 15:54:51 +00:00
Alexander V. Chernikov
31f0d081d8 Remove lock init from radix.c.
Radix has never managed its locking itself.
The only consumer using radix with embeded rwlock
is system routing table. Move per-AF lock inits there.
2014-10-01 14:39:06 +00:00
Gleb Smirnoff
495a22b595 Use rn_detachhead() instead of direct free(9) for radix tables.
Sponsored by:	Nginx, Inc.
2014-10-01 13:35:41 +00:00
Sean Bruno
488c0a7ca8 Fix NULL pointer deref in ipfw when using dummynet at layer 2.
Drop packet if pkg->ifp is NULL, which is the case here.

ref. https://github.com/HardenedBSD/hardenedBSD
commit 4eef3881c64f6e3aa38eebbeaf27a947a5d47dd7

PR 193861 --  DUMMYNET LAYER2: kernel panic

in this case a kernel panic occurs. Hence, when we do not get an interface,
we just drop the packet in question.

PR:		193681
Submitted by:	David Carlier <david.carlier@hardenedbsd.org>
Obtained from:	Hardened BSD
MFC after:	2 weeks
Relnotes:	yes
2014-09-25 02:26:05 +00:00
Alexander V. Chernikov
b1d105bc68 Add pre-alfa version of DXR lookup module.
It does build but (currently) does not work.

This change is not intended to be merged along with other ipfw changes.
2014-09-21 18:15:09 +00:00
Gleb Smirnoff
2a6009bfa6 Mechanically convert to if_inc_counter(). 2014-09-19 09:19:29 +00:00
Gleb Smirnoff
56b61ca27a Remove ifq_drops from struct ifqueue. Now queue drops are accounted in
struct ifnet if_oqdrops.

Some netgraph modules used ifqueue w/o ifnet. Accounting of queue drops
is simply removed from them. There were no API to read this statistic.

Sponsored by:	Netflix
Sponsored by:	Nginx, Inc.
2014-09-19 09:01:19 +00:00
Gleb Smirnoff
450cecf0a0 - Provide a sleepable lock to protect against ioctl() vs ioctl() races.
- Use the new lock to protect against simultaneous DIOCSTART and/or
  DIOCSTOP ioctls.

Reported & tested by:	jmallett
Sponsored by:		Nginx, Inc.
2014-09-12 08:39:15 +00:00
Alexander V. Chernikov
d6164b77f8 Make ipfw_nat module use IP_FW3 codes.
Kernel changes:
* Split kernel/userland nat structures eliminating IPFW_INTERNAL hack.
* Add IP_FW_NAT44_* codes resemblin old ones.
* Assume that instances can be named (no kernel support currently).
* Use both UH+WLOCK locks for all configuration changes.
* Provide full ABI support for old sockopts.

Userland changes:
* Use IP_FW_NAT44_* codes for nat operations.
* Remove undocumented ability to show ranges of nat "log" entries.
2014-09-07 18:30:29 +00:00
Alexander V. Chernikov
1a33e79969 Change copyrights to the proper one. 2014-09-05 14:19:02 +00:00
Alexander V. Chernikov
c9daea0b86 Sync to HEAD@r271160. 2014-09-05 13:52:39 +00:00
Alexander V. Chernikov
6b988f3a27 * Use modular opcode handling inside ipfw_ctl3() instead of static switch.
* Provide hints for subsystem initializers if they are called for
  the first/last time.
* Convert every IP_FW3 opcode user to use new sopt API.
2014-09-05 11:11:15 +00:00
Alexander V. Chernikov
e822d9364e Be consistent and use same arguments for ctl3 opcodes.
Move legacy IP_FW_TABLE_XGETSIZE handling to separate function.
2014-09-03 21:57:06 +00:00
Gleb Smirnoff
bf7dcda366 Clean up unused CSUM_FRAGMENT.
Sponsored by:	Nginx, Inc.
2014-09-03 08:30:18 +00:00
Alexander V. Chernikov
fb4b37a357 * Fix crash due to forgotten value refcouting in ipfw_link_table_values()
* Fix argument order in rollback_toperation_state()
* Make flush_table() use operation state API to ease checks.
2014-09-02 20:46:18 +00:00
Alexander V. Chernikov
71af39bf34 Add more comments on newly-added functions.
Add back opstate handler function.
2014-09-02 14:27:12 +00:00