From: Gleb Smirnoff
To: Ermal Luçi
Cc: pf@FreeBSD.org
Date: Fri, 8 Jun 2012 23:18:49 +0400
Subject: Re: [CFT] SMP-friendly pf
Message-ID: <20120608191849.GD28613@FreeBSD.org>
References: <20120608061737.GA28197@glebius.int.ru>

Ermal,

On Fri, Jun 08, 2012 at 12:39:43PM +0200, Ermal Luçi wrote:
E> On Fri, Jun 8, 2012 at 8:17 AM, Gleb Smirnoff wrote:
E> As I already asked in private without a documentation/schema
E> describing how you protect the various elements in pf(4) this is very
E> hard to review.

As I already replied, one should read commit logs as well as some details
there are in the email you were replying to.

E> - What do you do to allow correctness on statistics?

Nothing. Statistics are not precise in the SMP-friendly pf. This is an
issue for all counters in our networking stack - counters on ifnets, in
ipfw, many others. Using atomic operations to keep them precise is too
expensive. We need some solution to make cheap and precise counters. I
think this should be pcpu data. I already made some tests proving the
effectiveness of this approach. However, to get this to a committable
state I need help from some senior kernel developers.

Anyway, cheap+precise counters should be discussed in a separate thread.

E> - What do you do with tables protection, are they under same lock as rules...?

Yes, and this was mentioned in the mail you are replying to.

E> - How is if-bound versus floating states maintained?

Nothing changed for them. Should there be something tricky?

E> - What is protecting scrub ruleset?
E> - What is protecting nat ruleset?

Same lock as rules. I suppose that is quite clear from my mail.

E> - How you solved synproxy? Is it scalable?

You know how I solved it, you even commented on that commit:

http://lists.freebsd.org/pipermail/svn-src-projects/2012-April/005056.html

Can you please explain your concerns on scalability of the approach taken?

E> - Do you think you have introduced possibility of security issues with
E> taskqueues you introduce?

Can you please explain what security issues do you see in taskqueue?

E> There are many how? in this implementation that are difficult to see
E> without you telling!

I am open to questions.

--
Totus tuus, Glebius.
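
The counter trade-off discussed in this message, as an added example that is not part of the original mail and is not FreeBSD or pf code: a deterministic replay of the lost-update interleaving on one shared non-atomic counter, next to per-CPU slots that are summed only when read. NCPU, CACHE_LINE and every function name are hypothetical.

```c
/* Added illustration; all names are hypothetical, not FreeBSD kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NCPU 4          /* assumed CPU count */
#define CACHE_LINE 64   /* assumed cache-line size */
/* One slot per CPU, padded so two CPUs never write the same cache line. */
struct pcpu_slot { uint64_t val; char pad[CACHE_LINE - sizeof(uint64_t)]; };
struct pcpu_counter { struct pcpu_slot slot[NCPU]; };

/* Writer: a CPU touches only its own slot, so a plain add is enough. */
static void pcpu_add(struct pcpu_counter *c, int cpu, uint64_t n)
{
    c->slot[cpu].val += n;
}

/* Reader: sum every slot; the cost moves off the packet path. */
static uint64_t pcpu_fetch(const struct pcpu_counter *c)
{
    uint64_t sum = 0;
    for (int i = 0; i < NCPU; i++)
        sum += c->slot[i].val;
    return sum;
}

/* Replay of the racy interleaving on one shared non-atomic counter. */
static uint64_t shared_lost_update(void)
{
    uint64_t shared = 0;
    uint64_t r0 = shared, r1 = shared; /* both CPUs load 0 before either stores */
    shared = r0 + 1;                   /* CPU0 stores 1 */
    shared = r1 + 1;                   /* CPU1 stores 1: CPU0's packet is lost */
    return shared;
}

/* The same two packets counted through per-CPU slots. */
static uint64_t pcpu_same_packets(void)
{
    struct pcpu_counter c;
    memset(&c, 0, sizeof(c));
    pcpu_add(&c, 0, 1);
    pcpu_add(&c, 1, 1);
    return pcpu_fetch(&c);
}
int main(void)
{
    printf("shared=%u pcpu=%u\n", (unsigned)shared_lost_update(), (unsigned)pcpu_same_packets());
    return 0;
}
```

The reader's sum is a snapshot taken while writers may still be running, so it can lag slightly, but no increment is ever overwritten.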