Date: Sun, 15 Oct 2023 16:11:39 -0400 From: Shawn Webb <shawn.webb@hardenedbsd.org> To: Kristof Provost <kp@FreeBSD.org> Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: Re: git: 2cef62886dc7 - main - pf: convert state retrieval to netlink Message-ID: <20231015201139.zt7mfyss4ua2bkn3@mutt-hbsd> In-Reply-To: <202310100950.39A9oYuc029996@gitrepo.freebsd.org> References: <202310100950.39A9oYuc029996@gitrepo.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--ri7nrzjoeqv4izka Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Oct 10, 2023 at 09:50:34AM +0000, Kristof Provost wrote: > The branch main has been updated by kp: >=20 > URL: https://cgit.FreeBSD.org/src/commit/?id=3D2cef62886dc7c33ca01f70ca71= 2845da1e55b470 >=20 > commit 2cef62886dc7c33ca01f70ca712845da1e55b470 > Author: Alexander V. Chernikov <melifaro@FreeBSD.org> > AuthorDate: 2023-09-15 10:06:59 +0000 > Commit: Kristof Provost <kp@FreeBSD.org> > CommitDate: 2023-10-10 09:48:21 +0000 >=20 > pf: convert state retrieval to netlink > =20 > Use netlink to export pf's state table. > =20 > The primary motivation is to improve how we deal with very large state > stables. With the previous implementation we had to build the entire > list (both in the kernel and in userspace) before we could start > processing. With netlink we start to get data in userspace while the > kernel is still generating more. This reduces peak memory consumption > (which can get to the GB range once we hit millions of states). > =20 > Netlink also makes future extension easier, in that we can easily add > fields to the state export without breaking userspace. In that regard > it's similar to an nvlist-based approach, except that it also deals > with transport to userspace and that it performs significantly better > than nvlists. Testing has failed to measure a performance difference > between the previous struct-copy based ioctl and the netlink approach. > =20 > Differential Revision: https://reviews.freebsd.org/D38888 > --- > include/Makefile | 3 +- > lib/libpfctl/libpfctl.c | 214 +++++++++++++++++---------------- > sys/conf/files | 1 + > sys/modules/pf/Makefile | 2 +- > sys/netpfil/pf/pf_ioctl.c | 5 + > sys/netpfil/pf/pf_nl.c | 292 ++++++++++++++++++++++++++++++++++++++++= ++++++ > sys/netpfil/pf/pf_nl.h | 105 +++++++++++++++++ > 7 files changed, 522 insertions(+), 100 deletions(-) > diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c > index db8f481a1567..42c2aa9bfb01 100644 > --- a/sys/netpfil/pf/pf_ioctl.c > +++ b/sys/netpfil/pf/pf_ioctl.c > @@ -83,6 +83,7 @@ > #include <netinet/ip_var.h> > #include <netinet6/ip6_var.h> > #include <netinet/ip_icmp.h> > +#include <netpfil/pf/pf_nl.h> > #include <netpfil/pf/pf_nv.h> > =20 > #ifdef INET6 > @@ -6648,6 +6649,8 @@ pf_unload(void) > } > sx_xunlock(&pf_end_lock); > =20 > + pf_nl_unregister(); > + > if (pf_dev !=3D NULL) > destroy_dev(pf_dev); > =20 > @@ -6683,6 +6686,7 @@ pf_modevent(module_t mod, int type, void *data) > switch(type) { > case MOD_LOAD: > error =3D pf_load(); > + pf_nl_register(); > break; > case MOD_UNLOAD: > /* Handled in SYSUNINIT(pf_unload) to ensure it's done after > @@ -6703,4 +6707,5 @@ static moduledata_t pf_mod =3D { > }; > =20 > DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND); > +MODULE_DEPEND(pf, netlink, 1, 1, 1); > MODULE_VERSION(pf, PF_MODVER); Hey Kristof, This causes a hard dependency on the netlink kernel module, which may not be available in some configurations. For safety reasons, HardenedBSD prevents loading of netlink.ko by default. The code is too new and too complex, with already a not-so-nice security history, to be trusted. A lot (all?) of the other netlink integration code respects the potential unavailability of netlink (or netlink.ko). Would it be possible to do the same in pf? Thanks, --=20 Shawn Webb Cofounder / Security Engineer HardenedBSD https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A= 4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc --ri7nrzjoeqv4izka Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEA6TL67gupaZ9nzhT/y5nonf44foFAmUsR3UACgkQ/y5nonf4 4fq7yA/+IZAb8B02qAvO/oPfGMk4UO67EjXnpA5y3Qp67K37NTQ/ZIKroZR1OSp0 8GHCVeXC552hxv62JQV097NICKBxEWel9FKOFTGbyv+JlIp4hJR+3O6mMC68E5TU i20PqCuZp1E9dixsQxd7mEvJgFld8MahuqZDh424799M5J1mdgprdIvp3taS7S5R yhaJZ9buJ1iwFBSJDo4QoDI0tQcxEqMbaHEf5ZPyZV4ReRtV7BmG1SMotZ4QwTgy GVAslKnCVfVuiX+pJdfrr1QfV5s0njCbHSgGaN5tQDkS+/dBCSi9DcwfW30OJIOP yITioPPnw/5xBnbft6tHAYFSYaXHhG29JPUzCy4WHSBZQ3PnxnTxhjGMvYiL8/Jl oklvRG2JJ1x1gtYmQmGm+UkCb6lt6JBBAxD7nG988Fxp5pu/tzYk2WTdGr9Pag7Z NwfVRkqVcOuvBjR+Zj6NoktLxAiHF4hg2oLBVvHZInhfZtKe+FiIFyfJXSSeniXg 0x0+xU3dmkLFCiWe+hdP7MNBPxn08Nnq3JAwleBw/ZqXID+IE+LZXIYveJM5yTKK OQs99jPYkpsbCy9AVdnk7YKjC5fxIQvmEKCwLXOTz2xHWUXg0u8qF+ykSHVlCyD6 +uv/+IetAlVBTB3OurPbo67B/3h9oPnxYnx+7RBz1VTa/XMPWQI= =eoPf -----END PGP SIGNATURE----- --ri7nrzjoeqv4izka--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20231015201139.zt7mfyss4ua2bkn3>