Date: Tue, 5 Aug 2025 22:28:11 GMT
Message-Id: <202508052228.575MSBHu014421@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost Subject: git: 029532e77b92 - main - pf: also allocate ethernet anchors from a UMA zone List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: kp X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 029532e77b92d0c74976e3e3fc79a0ca5e0e3dc0 Auto-Submitted: auto-generated The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=029532e77b92d0c74976e3e3fc79a0ca5e0e3dc0 commit 029532e77b92d0c74976e3e3fc79a0ca5e0e3dc0 Author: Kristof Provost AuthorDate: 2025-07-30 15:22:36 +0000 Commit: Kristof Provost CommitDate: 2025-08-05 22:27:15 +0000 pf: also allocate ethernet anchors from a UMA zone As per the previous commit, ensure we can't endlessly allocate ethernet anchors. Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/pfctl.c | 1 + sys/net/pfvar.h | 2 ++ sys/netpfil/pf/pf.c | 7 +++++++ sys/netpfil/pf/pf.h | 3 ++- sys/netpfil/pf/pf_ioctl.c | 1 + sys/netpfil/pf/pf_norm.c | 1 + sys/netpfil/pf/pf_ruleset.c | 8 ++++---- 7 files changed, 18 insertions(+), 5 deletions(-) diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index a96eed7fc94a..ae772395e0ef 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -184,6 +184,7 @@ static const struct { { "frags", PF_LIMIT_FRAGS }, { "table-entries", PF_LIMIT_TABLE_ENTRIES }, { "anchors", PF_LIMIT_ANCHORS }, + { "eth-anchors", PF_LIMIT_ETH_ANCHORS }, { NULL, 0 } }; diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index c933ff395992..c397f0b67896 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h 
@@ -2340,6 +2340,8 @@ VNET_DECLARE(uma_zone_t, pf_state_scrub_z); #define V_pf_state_scrub_z VNET(pf_state_scrub_z) VNET_DECLARE(uma_zone_t, pf_anchor_z); #define V_pf_anchor_z VNET(pf_anchor_z) +VNET_DECLARE(uma_zone_t, pf_eth_anchor_z); +#define V_pf_eth_anchor_z VNET(pf_eth_anchor_z) extern void pf_purge_thread(void *); extern void pf_unload_vnet_purge(void); diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 408d0d3c96e3..19702fde7d22 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -1262,6 +1262,13 @@ pf_initialize(void) uma_zone_set_max(V_pf_anchor_z, PF_ANCHOR_HIWAT); uma_zone_set_warning(V_pf_anchor_z, "PF anchor limit reached"); + V_pf_eth_anchor_z = uma_zcreate("pf Ethernet anchors", + sizeof(struct pf_keth_anchor), NULL, NULL, NULL, NULL, + UMA_ALIGN_PTR, 0); + V_pf_limits[PF_LIMIT_ETH_ANCHORS].zone = V_pf_eth_anchor_z; + uma_zone_set_max(V_pf_eth_anchor_z, PF_ANCHOR_HIWAT); + uma_zone_set_warning(V_pf_eth_anchor_z, "PF Ethernet anchor limit reached"); + /* ALTQ */ TAILQ_INIT(&V_pf_altqs[0]); TAILQ_INIT(&V_pf_altqs[1]); diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h index a41443fb9404..51b3fd6390e1 100644 --- a/sys/netpfil/pf/pf.h +++ b/sys/netpfil/pf/pf.h @@ -120,7 +120,8 @@ enum { enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, - PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_ANCHORS, PF_LIMIT_MAX }; + PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_ANCHORS, PF_LIMIT_ETH_ANCHORS, + PF_LIMIT_MAX }; #define PF_POOL_IDMASK 0x0f enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 935747d9f58a..b6f5d74b5b42 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c 
@@ -332,6 +332,7 @@ pfattach_vnet(void) V_pf_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT; V_pf_limits[PF_LIMIT_SRC_NODES].limit = PFSNODE_HIWAT; V_pf_limits[PF_LIMIT_ANCHORS].limit = PF_ANCHOR_HIWAT; + V_pf_limits[PF_LIMIT_ETH_ANCHORS].limit = PF_ANCHOR_HIWAT; RB_INIT(&V_pf_anchors); pf_init_kruleset(&pf_main_ruleset); diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 2b822dca55b5..a684d778ab42 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -119,6 +119,7 @@ VNET_DEFINE_STATIC(uma_zone_t, pf_frnode_z); VNET_DEFINE_STATIC(uma_zone_t, pf_frag_z); #define V_pf_frag_z VNET(pf_frag_z) VNET_DEFINE(uma_zone_t, pf_anchor_z); +VNET_DEFINE(uma_zone_t, pf_eth_anchor_z); TAILQ_HEAD(pf_fragqueue, pf_fragment); TAILQ_HEAD(pf_cachequeue, pf_fragment); diff --git a/sys/netpfil/pf/pf_ruleset.c b/sys/netpfil/pf/pf_ruleset.c index 7f21b3f8fc47..039908a53126 100644 --- a/sys/netpfil/pf/pf_ruleset.c +++ b/sys/netpfil/pf/pf_ruleset.c @@ -613,7 +613,7 @@ pf_find_or_create_keth_ruleset(const char *path) rs_free(p); return (NULL); } - anchor = (struct pf_keth_anchor *)rs_malloc(sizeof(*anchor)); + anchor = uma_zalloc(V_pf_eth_anchor_z, M_NOWAIT | M_ZERO); if (anchor == NULL) { rs_free(p); return (NULL); @@ -631,7 +631,7 @@ pf_find_or_create_keth_ruleset(const char *path) printf("%s: RB_INSERT1 " "'%s' '%s' collides with '%s' '%s'\n", __func__, anchor->path, anchor->name, dup->path, dup->name); - rs_free(anchor); + uma_zfree(V_pf_eth_anchor_z, anchor); rs_free(p); return (NULL); } @@ -645,7 +645,7 @@ pf_find_or_create_keth_ruleset(const char *path) anchor->name, dup->path, dup->name); RB_REMOVE(pf_keth_anchor_global, &V_pf_keth_anchors, anchor); - rs_free(anchor); + uma_zfree(V_pf_eth_anchor_z, anchor); rs_free(p); return (NULL); } 
@@ -754,7 +754,7 @@ pf_remove_if_empty_keth_ruleset(struct pf_keth_ruleset *ruleset) if ((parent = ruleset->anchor->parent) != NULL) RB_REMOVE(pf_keth_anchor_node, &parent->children, ruleset->anchor); - rs_free(ruleset->anchor); + uma_zfree(V_pf_eth_anchor_z, ruleset->anchor); if (parent == NULL) return; ruleset = &parent->ruleset;
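Review bot: the "eth-anchors" keyword added to the limit-name table in sbin/pfctl/pfctl.c (hunk @@ -184,6 +184,7 @@) is user-visible, but the diffstat lists no manual page among the seven changed files. Suggest documenting the keyword and its default (PF_ANCHOR_HIWAT, per the pf_ioctl.c hunk) wherever the other limit names are documented, so that an operator who sees "PF Ethernet anchor limit reached" on the console knows which limit to raise.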
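Review bot: missing teardown for the new zone in sys/netpfil/pf/pf.c. The hunk at @@ -1262,6 +1262,13 @@ creates V_pf_eth_anchor_z with uma_zcreate() in pf_initialize(), but the 18 insertions in this patch are all accounted for by the visible hunks and none of them is a uma_zdestroy(V_pf_eth_anchor_z). Since the variable is introduced here, nothing else can be destroying it, so the zone would be leaked on vnet or module teardown. Suggest adding the uma_zdestroy() call to the path that undoes pf_initialize().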
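Review bot: in pf_find_or_create_keth_ruleset() (pf_ruleset.c, hunk @@ -613,7 +613,7 @@) a failed uma_zalloc(V_pf_eth_anchor_z, M_NOWAIT | M_ZERO) caused by the zone cap and one caused by memory pressure both take the same "if (anchor == NULL)" branch and return NULL. The caller therefore cannot report that a configurable limit was hit; the only signal is the uma_zone_set_warning() message set up in pf.c. Suggest at least a comment at this branch stating that NULL can mean the eth-anchors limit was reached, or a way for the caller to tell the two cases apart so the ioctl can return a more useful error.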
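Review bot: after this change every struct pf_keth_anchor has to be released with uma_zfree(V_pf_eth_anchor_z, ...), and the patch converts three rs_free() calls, all in pf_ruleset.c: the two RB_INSERT collision paths and the one in pf_remove_if_empty_keth_ruleset() at @@ -754,7 +754,7 @@. No other file in the diffstat has a free changed. Please confirm that no other code path frees an Ethernet anchor through rs_free() or free(); handing zone memory back to a different allocator is a memory-management bug and would also leave the zone's item count, and therefore the limit, wrong.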