From: Luigi Rizzo
To: Ermal Luçi
Cc: freebsd-net, freebsd-hackers@freebsd.org
Date: Mon, 10 Jun 2013 17:01:28 +0200
Subject: Re: [PATCH] multiple instances of ipfw(4)
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Jun 10, 2013 at 3:30 PM, Ermal Luçi wrote:

> Hello,
>
> reviving this old thread since i had time to bring the patch to FreeBSD 10
> and unified the whole controlling under ipfw(8) binary.
>
> For reminder, the patch located at [1] provides multiple instances for
> ipfw(4).
> Basically you can control which interfaces belong to which context/ruleset
> to make maintaining easier.
>
> ...
> Any objections on pushing this into FreeBSD?
>
>
> [1]
> https://github.com/pfsense/pfsense-tools/blob/master/patches/RELENG_10_0/CP_multi_instance_ipfw.diff
>
>

if i understand well, this has no runtime overhead as the ifp has
the index of the context it refers to ?
Or you need an additional IPFW_CTX_RLOCK() ?

Comments on the control/config path:

- in ipfw_ctl(), handling IP_FW_CTX_GET i am worried that you might
  overflow the temporary buffer when building the list.
  You compute the length under rlock, release the lock, malloc(),
  then fill the list without checking if the total size is still correct.
  This kind of code is terribly boring to write, but essentially
  you need a bound check in the second loop and possibly retry
  if you notice that you need more memory.
  "ipfw show" addresses the problem by failing and requesting the
  user application to pass a larger buffer.

- similarly, how do you guarantee that deleting a context while a packet
  is under processing does not cause dereferencing a NULL pointer ?

cheers
luigi

while

> --
> Ermal

-- 
-----------------------------------------+-------------------------------
 Prof. Luigi RIZZO, rizzo@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/        . Universita` di Pisa
 TEL      +39-050-2211611               . via Diotisalvi 2
 Mobile   +39-338-6809875               . 56122 PISA (Italy)
-----------------------------------------+-------------------------------
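
The measure/allocate/fill race raised in the ipfw_ctl() comment above, as an added example that is not part of the original mail or of the patch: a userland C model in which the second loop checks the bound and the caller retries. All names (ctx_names, ctx_add, ctx_fill, ctx_list, racing_adds, CTX_NAMELEN) are hypothetical, the lock points are marked only in comments, and racing_adds simulates a writer that runs while the lock is dropped.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define CTX_NAMELEN 16  /* assumed fixed record size */
#define MAX_CTX     64
/* Hypothetical userland model of the context table; lock points are comments. */
static char   ctx_names[MAX_CTX][CTX_NAMELEN];
static size_t ctx_count;
static int    racing_adds;  /* adds a simulated writer does in the unlocked window */

static int ctx_add(const char *name) {
    if (ctx_count == MAX_CTX)
        return ENOSPC;
    /* copy at most NAMELEN-1 bytes so the zeroed last byte terminates the name */
    strncpy(ctx_names[ctx_count++], name, CTX_NAMELEN - 1);
    return 0;
}

/* Second loop: copy records, never writing past the cap bytes that were sized. */
static int ctx_fill(char *buf, size_t cap, size_t *used) {
    size_t off = 0;
    for (size_t i = 0; i < ctx_count; i++, off += CTX_NAMELEN) {
        if (cap - off < CTX_NAMELEN)
            return ENOMEM;  /* table grew after it was measured */
        memcpy(buf + off, ctx_names[i], CTX_NAMELEN);
    }
    *used = off;
    return 0;
}

/* Measure under the lock, allocate unlocked, re-check while filling, retry. */
static int ctx_list(char **out, size_t *len, int max_tries) {
    for (int t = 0; t < max_tries; t++) {
        size_t need = ctx_count * CTX_NAMELEN;  /* rlock; measure; runlock */
        while (racing_adds > 0 && ctx_add("late") == 0)
            racing_adds--;                      /* writer wins the race here */
        char *buf = malloc(need ? need : 1);
        if (buf == NULL)
            return ENOMEM;
        int err = ctx_fill(buf, need, len);     /* rlock; bounded copy; runlock */
        if (err == 0) {
            *out = buf;
            return 0;
        }
        free(buf);  /* too small now: drop it and measure again */
    }
    return EAGAIN;  /* still racing: let the caller retry or fail */
}
```

Without the `cap - off` check in `ctx_fill`, the simulated late add would write one record past the end of the allocation, which is the overflow the review comment describes.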