From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Kristof Provost
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 2cef62886dc7 - main - pf: convert state retrieval to netlink
Date: Sun, 15 Oct 2023 16:11:39 -0400
Message-ID: <20231015201139.zt7mfyss4ua2bkn3@mutt-hbsd>
In-Reply-To: <202310100950.39A9oYuc029996@gitrepo.freebsd.org>
References: <202310100950.39A9oYuc029996@gitrepo.freebsd.org>
X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
On Tue, Oct 10, 2023 at 09:50:34AM +0000, Kristof Provost wrote:
> The branch main has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=2cef62886dc7c33ca01f70ca712845da1e55b470
>
> commit 2cef62886dc7c33ca01f70ca712845da1e55b470
> Author:     Alexander V. Chernikov
> AuthorDate: 2023-09-15 10:06:59 +0000
> Commit:     Kristof Provost
> CommitDate: 2023-10-10 09:48:21 +0000
>
>     pf: convert state retrieval to netlink
>
>     Use netlink to export pf's state table.
>
>     The primary motivation is to improve how we deal with very large state
>     tables. With the previous implementation we had to build the entire
>     list (both in the kernel and in userspace) before we could start
>     processing. With netlink we start to get data in userspace while the
>     kernel is still generating more. This reduces peak memory consumption
>     (which can get to the GB range once we hit millions of states).
>
>     Netlink also makes future extension easier, in that we can easily add
>     fields to the state export without breaking userspace. In that regard
>     it's similar to an nvlist-based approach, except that it also deals
>     with transport to userspace and that it performs significantly better
>     than nvlists. Testing has failed to measure a performance difference
>     between the previous struct-copy based ioctl and the netlink approach.
>
>     Differential Revision:  https://reviews.freebsd.org/D38888
> ---
>  include/Makefile          |   3 +-
>  lib/libpfctl/libpfctl.c   | 214 +++++++++++++++++----------------
>  sys/conf/files            |   1 +
>  sys/modules/pf/Makefile   |   2 +-
>  sys/netpfil/pf/pf_ioctl.c |   5 +
>  sys/netpfil/pf/pf_nl.c    | 292 ++++++++++++++++++++++++++++++++++++++++++++++
>  sys/netpfil/pf/pf_nl.h    | 105 +++++++++++++++++
>  7 files changed, 522 insertions(+), 100 deletions(-)
> diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c > index db8f481a1567..42c2aa9bfb01 100644 > --- a/sys/netpfil/pf/pf_ioctl.c > +++ b/sys/netpfil/pf/pf_ioctl.c > @@ -83,6 +83,7 @@ > #include > #include > #include > +#include > #include > =20 > #ifdef INET6 > @@ -6648,6 +6649,8 @@ pf_unload(void) > } > sx_xunlock(&pf_end_lock); > =20 > + pf_nl_unregister(); > + > if (pf_dev !=3D NULL) > destroy_dev(pf_dev); > =20 > @@ -6683,6 +6686,7 @@ pf_modevent(module_t mod, int type, void *data) > switch(type) { > case MOD_LOAD: > error =3D pf_load(); > + pf_nl_register(); > break; > case MOD_UNLOAD: > /* Handled in SYSUNINIT(pf_unload) to ensure it's done after 
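Review bot: in the MOD_LOAD case of pf_modevent, pf_nl_register() runs unconditionally right after `error = pf_load();`, so the netlink family is registered even when pf_load() fails and the module load is rejected, and nothing undoes it, since the matching pf_nl_unregister() is only reached from pf_unload (which the MOD_UNLOAD comment says is handled in SYSUNINIT). Guard the call, e.g. `if (error == 0) pf_nl_register();`, and if pf_nl_register() can itself fail, feed that into `error` so a failed registration is reported instead of silently leaving pf loaded without its netlink interface.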
> @@ -6703,4 +6707,5 @@ static moduledata_t pf_mod =3D { > }; > =20 > DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND); > +MODULE_DEPEND(pf, netlink, 1, 1, 1); > MODULE_VERSION(pf, PF_MODVER);

Hey Kristof,

This causes a hard dependency on the netlink kernel module, which may not be available in some configurations. For safety reasons, HardenedBSD prevents loading of netlink.ko by default. The code is too new and too complex, with already a not-so-nice security history, to be trusted.

A lot (all?) of the other netlink integration code respects the potential unavailability of netlink (or netlink.ko). Would it be possible to do the same in pf?

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
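Review bot: `MODULE_DEPEND(pf, netlink, 1, 1, 1)` makes netlink a hard, exact-version (min 1, preferred 1, max 1) prerequisite for loading pf.ko, and the commit message never mentions this new dependency. Any kernel or configuration without the netlink module, such as the one described in the reply above, can no longer load pf at all, and a future bump of netlink's MODULE_VERSION will refuse to load pf until this line is updated. State the dependency in the commit message, and consider whether pf_nl_register() can be skipped when netlink is absent, as the other netlink consumers do, instead of tying the whole module to it.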