From owner-freebsd-arch@freebsd.org Mon Mar 29 15:16:50 2021 Return-Path: Delivered-To: freebsd-arch@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 49F2257A6EE; Mon, 29 Mar 2021 15:16:50 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from smtp-out-no.shaw.ca (smtp-out-no.shaw.ca [64.59.134.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4F8GQ96cZTz3nvW; Mon, 29 Mar 2021 15:16:49 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from spqr.komquats.com ([70.66.148.124]) by shaw.ca with ESMTPA id QtdGlpLzf2SWTQtdHlPeLf; Mon, 29 Mar 2021 09:16:47 -0600 X-Authority-Analysis: v=2.4 cv=fdJod2cF c=1 sm=1 tr=0 ts=6061ef5f a=Cwc3rblV8FOMdVN/wOAqyQ==:117 a=Cwc3rblV8FOMdVN/wOAqyQ==:17 a=xqWC_Br6kY4A:10 a=8nJEP1OIZ-IA:10 a=dESyimp9J3IA:10 a=6I5d2MoRAAAA:8 a=YxBL1-UpAAAA:8 a=EkcXrb_YAAAA:8 a=XSbsiAr4RLdZVirN8WEA:9 a=wPNLvfGTeEIA:10 a=IjZwj45LgO3ly-622nXo:22 a=Ia-lj3WSrqcvXOmTRaiG:22 a=LK5xJRSDVpKd5WXXoEvA:22 a=RBBcRewTFc8P4JkPnay6:22 Received: from slippy.cwsent.com (slippy [IPv6:fc00:1:1:1::5b]) by spqr.komquats.com (Postfix) with ESMTPS id 80AC518A; Mon, 29 Mar 2021 08:16:45 -0700 (PDT) Received: from slippy (localhost [127.0.0.1]) by slippy.cwsent.com (8.16.1/8.16.1) with ESMTP id 12TFGjTi004433; Mon, 29 Mar 2021 08:16:45 -0700 (PDT) (envelope-from Cy.Schubert@cschubert.com) Message-Id: <202103291516.12TFGjTi004433@slippy.cwsent.com> X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.7.1 Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: "Kristof Provost" cc: "Cy Schubert" , "FreeBSD pf" , freebsd-arch@freebsd.org Subject: Re: [RFC] pf ioctl changes In-reply-to: <18DC1EA9-ABFC-4A06-8710-A3068370EC52@FreeBSD.org> References: <24E09373-EBCD-4ED1-8B59-A44E687F287E@FreeBSD.org> <202103291403.12TE3Y2H094131@slippy.cwsent.com> <18DC1EA9-ABFC-4A06-8710-A3068370EC52@FreeBSD.org> Comments: In-reply-to "Kristof Provost" message dated "Mon, 29 Mar 2021 16:55:29 +0200." Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Date: Mon, 29 Mar 2021 08:16:45 -0700 X-CMAE-Envelope: MS4xfLa1KfqDIepTI3eJZkcB2BRJ9L3xywlsyfx5NBlF8+0/8A8cllRBWXLjC0TG1yEbtQ9Hbu/kbaJWLRbSZa5/CpR7jnd8x4Yoprc4kXljsWfbahB2UmNq +TpQdvwyrHuuUS1UAKbqwBFgF79NdGlKWqIYdDQXJecPfRfKQCaJu3bLK+YE8ygRu9J/GdwsoJ++bs8zu/JEvjFNXIeIlM44tHFLE50/eNS+zkiH9Gur6nBI 6pNrLdDZRa9a+PeVF6st51DzERV2J+7XxoFvwJiDREY= X-Rspamd-Queue-Id: 4F8GQ96cZTz3nvW X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; none X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-BeenThere: freebsd-arch@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Discussion related to FreeBSD architecture List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Mar 2021 15:16:50 -0000 In message <18DC1EA9-ABFC-4A06-8710-A3068370EC52@FreeBSD.org>, "Kristof Provost " writes: > On 29 Mar 2021, at 16:03, Cy Schubert wrote: > > In message <24E09373-EBCD-4ED1-8B59-A44E687F287E@FreeBSD.org>, > > "Kristof > > Provost > > " writes: > >> Hi, > >> > >> There are several patches in the pipeline that require changes in > >> pf’s > >> interface between kernel and userspace. > >> In the past these have been handled in multiple ways. Either by > >> simply > >> making the change, breaking binary compatibility, or by introducing a > >> v2 > >> ioctl (e.g. DIOCADDALTQV1). > >> > >> While one is better than the other neither is wholly satisfying. New > >> versions of calls constitute a maintenance burden after all. > >> > >> I’d like to change the ioctl interface to use nvlists, which > >> would > >> make such extensions much easier, because fields can be optional. > >> That is, if userspace doesn’t supply the > >> ‘shinynewfeature’ field > >> the kernel can assume the default value and things just work. > >> Similarly, > >> if the kernel supplies a ’shinynewfeature’ which userspace > >> doesn’t > >> know about it’s simply ignored. > >> > >> The rough plan is to introduce nvlist versions of the get/add rules > >> calls for now. Others will follow as the need presents itself. > >> As these are new ioctls it is safe to MFC them to stable/12 and > >> stable/13. > >> The old interface will remain supported in those branches, but > >> I’d > >> like to remove it from main (and thus FreeBSD 14). > >> > >> As part of this effort I may end up splitting off the ioctl interface > >> code from pfctl into libpfctl, which should make reuse of that code > >> easier. > >> > >> I hope to post preliminary patches in the coming week. > >> > >> Thoughts? Objections? > > > > Kernel and userland should be, I'd say must be, kept in sync. We have > > many > > examples of userland and kernel not being in sync over the years. For > > ipfilter, I've made incompatible changes to data structures requiring > > userand and kernel be in sync. These are few and far between. > > > > I've gotten away with this because there is no third party software > > that > > relies on the ipfilter kernel interfaces. I could be wrong but I doubt > > there may be third party software requiring pf ABI compatibility. But > > if > > there is then verstioned library interfaces are required. > > > > Given that the advice is to keep kernel and userland in sync there > > probably > > is no requirement for an UPDATING entry but that would be your call. > > > There are out-of-tree users of the pf ioctl interface. > security/expiretable[1] for example. > security/snort2pfcd appears to as well. > sysutils/pfstat and sysutils/pftop use the ioctl interface as well, > although not the three specific calls of immediate interest. This complicates things. IMO you'll probably need versioned function calls for at least 13-STABLE EOL. Or, versioning the data structures passed into the kernel such that the new fields are at the tail of the existing structures. > > I’m trying to work out how many examples there are, because one way or > the other they’re going to have to cope with changes. > > So, I’d prefer to not just change the definitions of structs, even if > we’ve done that in the past. struct pf_rule contains a few > peculiarities from historical mistakes that I hope to correct now. Technical debt is difficult to eliminate. We either fix it, paying it off in one lump sum or we pay it off through aggravation and design limitations, with interest, over time. Given that pf uses ioctl, versioned function calls won't help. A new ioctl may be the only answer. If you do choose this, add an identifier and version number to the head of each new struct to future proof pf. > > Best regards, > Kristof > > [1] Perhaps not the greatest example, because its use of struct pf_state > was incorrect, so it couldn’t actually have worked correctly before it > stopped building. See PR #253547 for details. -- Cheers, Cy Schubert FreeBSD UNIX: Web: https://FreeBSD.org NTP: Web: https://nwtime.org The need of the many outweighs the greed of the few.