From owner-svn-src-head@freebsd.org Thu Dec 24 21:19:00 2015 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3E429A50682; Thu, 24 Dec 2015 21:19:00 +0000 (UTC) (envelope-from gnn@freebsd.org) Received: from smtp.hungerhost.com (smtp.hungerhost.com [216.38.51.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1C5CA15E8; Thu, 24 Dec 2015 21:18:59 +0000 (UTC) (envelope-from gnn@freebsd.org) Received: from pool-108-54-164-204.nycmny.fios.verizon.net ([108.54.164.204]:50944 helo=[192.168.1.12]) by vps.hungerhost.com with esmtpsa (TLSv1:DHE-RSA-AES256-SHA:256) (Exim 4.86) (envelope-from ) id 1aCDHh-0000gu-NJ; Thu, 24 Dec 2015 16:18:53 -0500 From: "George Neville-Neil" To: "Cy Schubert" Cc: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r290383 - in head/sys: net netinet Date: Thu, 24 Dec 2015 16:18:52 -0500 Message-ID: <98F16C2B-3904-438D-912B-85C17ACFBDEA@freebsd.org> In-Reply-To: <201512201802.tBKI2jpx051586@slippy.cwsent.com> References: <201512201802.tBKI2jpx051586@slippy.cwsent.com> MIME-Version: 1.0 Content-Type: text/plain; format=flowed X-Mailer: MailMate (1.9.3r5187) X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - vps.hungerhost.com X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - freebsd.org X-Get-Message-Sender-Via: vps.hungerhost.com: authenticated_id: gnn@neville-neil.com X-Authenticated-Sender: vps.hungerhost.com: gnn@neville-neil.com X-Source: X-Source-Args: X-Source-Dir: X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Dec 2015 21:19:00 -0000 On 20 Dec 2015, at 13:02, Cy Schubert wrote: > Cy Schubert writes: >> In message <201511050726.tA57QXlu074213@repo.freebsd.org>, "George V. >> Neville-N >> eil" writes: >>> Author: gnn >>> Date: Thu Nov 5 07:26:32 2015 >>> New Revision: 290383 >>> URL: https://svnweb.freebsd.org/changeset/base/290383 >>> >>> Log: >>> Replace the fastforward path with tryforward which does not require >>> a >>> sysctl and will always be on. The former split between default and >>> fast forwarding is removed by this commit while preserving the >>> ability >>> to use all network stack features. >>> >>> Differential Revision: https://reviews.freebsd.org/D4042 >>> Reviewed by: ae, melifaro, olivier, rwatson >>> MFC after: 1 month >>> Sponsored by: Rubicon Communications (Netgate) >>> >>> Modified: >>> head/sys/net/if_arcsubr.c >>> head/sys/net/if_ethersubr.c >>> head/sys/net/if_fddisubr.c >>> head/sys/net/if_fwsubr.c >>> head/sys/net/if_iso88025subr.c >>> head/sys/netinet/in_var.h >>> head/sys/netinet/ip_fastfwd.c >>> head/sys/netinet/ip_input.c >>> >>> Modified: head/sys/net/if_arcsubr.c >>> =========================================================================== >> == >>> = >>> --- head/sys/net/if_arcsubr.c Thu Nov 5 04:16:03 2015 (r29038 >> 2) >>> +++ head/sys/net/if_arcsubr.c Thu Nov 5 07:26:32 2015 (r29038 >> 3) >>> @@ -550,15 +550,11 @@ arc_input(struct ifnet *ifp, struct mbuf >>> #ifdef INET >>> case ARCTYPE_IP: >>> m_adj(m, ARC_HDRNEWLEN); >>> - if ((m = ip_fastforward(m)) == NULL) >>> - return; >>> isr = NETISR_IP; >>> break; >>> >>> case ARCTYPE_IP_OLD: >>> m_adj(m, ARC_HDRLEN); >>> - if ((m = ip_fastforward(m)) == NULL) >>> - return; >>> isr = NETISR_IP; >>> break; >>> >>> >>> Modified: head/sys/net/if_ethersubr.c >>> =========================================================================== >> == >>> = >>> --- head/sys/net/if_ethersubr.c Thu Nov 5 04:16:03 2015 (r29038 >>> 2) >>> +++ head/sys/net/if_ethersubr.c Thu Nov 5 07:26:32 2015 (r29038 >>> 3) >>> @@ -722,8 +722,6 @@ ether_demux(struct ifnet *ifp, struct mb >>> switch (ether_type) { >>> #ifdef INET >>> case ETHERTYPE_IP: >>> - if ((m = ip_fastforward(m)) == NULL) >>> - return; >>> isr = NETISR_IP; >>> break; >>> >>> >>> Modified: head/sys/net/if_fddisubr.c >>> =========================================================================== >> == >>> = >>> --- head/sys/net/if_fddisubr.c Thu Nov 5 04:16:03 2015 (r29038 >>> 2) >>> +++ head/sys/net/if_fddisubr.c Thu Nov 5 07:26:32 2015 (r29038 >>> 3) >>> @@ -429,8 +429,6 @@ fddi_input(ifp, m) >>> switch (type) { >>> #ifdef INET >>> case ETHERTYPE_IP: >>> - if ((m = ip_fastforward(m)) == NULL) >>> - return; >>> isr = NETISR_IP; >>> break; >>> >>> >>> Modified: head/sys/net/if_fwsubr.c >>> =========================================================================== >> == >>> = >>> --- head/sys/net/if_fwsubr.c Thu Nov 5 04:16:03 2015 (r29038 >> 2) >>> +++ head/sys/net/if_fwsubr.c Thu Nov 5 07:26:32 2015 (r29038 >> 3) >>> @@ -605,8 +605,6 @@ firewire_input(struct ifnet *ifp, struct >>> switch (type) { >>> #ifdef INET >>> case ETHERTYPE_IP: >>> - if ((m = ip_fastforward(m)) == NULL) >>> - return; >>> isr = NETISR_IP; >>> break; >>> >>> >>> Modified: head/sys/net/if_iso88025subr.c >>> =========================================================================== >> == >>> = >>> --- head/sys/net/if_iso88025subr.c Thu Nov 5 04:16:03 2015 (r29038 >>> 2) >>> +++ head/sys/net/if_iso88025subr.c Thu Nov 5 07:26:32 2015 (r29038 >>> 3) >>> @@ -519,8 +519,6 @@ iso88025_input(ifp, m) >>> #ifdef INET >>> case ETHERTYPE_IP: >>> th->iso88025_shost[0] &= ~(TR_RII); >>> - if ((m = ip_fastforward(m)) == NULL) >>> - return; >>> isr = NETISR_IP; >>> break; >>> >>> >>> Modified: head/sys/netinet/in_var.h >>> =========================================================================== >> == >>> = >>> --- head/sys/netinet/in_var.h Thu Nov 5 04:16:03 2015 (r29038 >> 2) >>> +++ head/sys/netinet/in_var.h Thu Nov 5 07:26:32 2015 (r29038 >> 3) >>> @@ -380,7 +380,7 @@ int in_scrubprefix(struct in_ifaddr *, u >>> void ip_input(struct mbuf *); >>> void ip_direct_input(struct mbuf *); >>> void in_ifadown(struct ifaddr *ifa, int); >>> -struct mbuf *ip_fastforward(struct mbuf *); >>> +struct mbuf *ip_tryforward(struct mbuf *); >>> void *in_domifattach(struct ifnet *); >>> void in_domifdetach(struct ifnet *, void *); >>> >>> >>> Modified: head/sys/netinet/ip_fastfwd.c >>> =========================================================================== >> == >>> = >>> --- head/sys/netinet/ip_fastfwd.c Thu Nov 5 04:16:03 2015 (r29038 >>> 2) >>> +++ head/sys/netinet/ip_fastfwd.c Thu Nov 5 07:26:32 2015 (r29038 >>> 3) >>> @@ -108,12 +108,6 @@ __FBSDID("$FreeBSD$"); >>> >>> #include >>> >>> -static VNET_DEFINE(int, ipfastforward_active); >>> -#define V_ipfastforward_active VNET(ipfastforward_active) >>> - >>> -SYSCTL_INT(_net_inet_ip, OID_AUTO, fastforwarding, CTLFLAG_VNET | >>> CTLFLAG_ >> RW >>> , >>> - &VNET_NAME(ipfastforward_active), 0, "Enable fast IP >>> forwarding"); >>> - >>> static struct sockaddr_in * >>> ip_findroute(struct route *ro, struct in_addr dest, struct mbuf *m) >>> { >>> @@ -158,7 +152,7 @@ ip_findroute(struct route *ro, struct in >>> * to ip_input for full processing. >>> */ >>> struct mbuf * >>> -ip_fastforward(struct mbuf *m) >>> +ip_tryforward(struct mbuf *m) >>> { >>> struct ip *ip; >>> struct mbuf *m0 = NULL; >>> @@ -166,119 +160,20 @@ ip_fastforward(struct mbuf *m) >>> struct sockaddr_in *dst = NULL; >>> struct ifnet *ifp; >>> struct in_addr odest, dest; >>> - uint16_t sum, ip_len, ip_off; >>> + uint16_t ip_len, ip_off; >>> int error = 0; >>> - int hlen, mtu; >>> + int mtu; >>> struct m_tag *fwd_tag = NULL; >>> >>> /* >>> * Are we active and forwarding packets? >>> */ >>> - if (!V_ipfastforward_active || !V_ipforwarding) >>> - return m; >>> >>> M_ASSERTVALID(m); >>> M_ASSERTPKTHDR(m); >>> >>> bzero(&ro, sizeof(ro)); >>> >>> - /* >>> - * Step 1: check for packet drop conditions (and sanity checks) >>> - */ >>> - >>> - /* >>> - * Is entire packet big enough? >>> - */ >>> - if (m->m_pkthdr.len < sizeof(struct ip)) { >>> - IPSTAT_INC(ips_tooshort); >>> - goto drop; >>> - } >>> - >>> - /* >>> - * Is first mbuf large enough for ip header and is header present? >>> - */ >>> - if (m->m_len < sizeof (struct ip) && >>> - (m = m_pullup(m, sizeof (struct ip))) == NULL) { >>> - IPSTAT_INC(ips_toosmall); >>> - return NULL; /* mbuf already free'd */ >>> - } >>> - >>> - ip = mtod(m, struct ip *); >>> - >>> - /* >>> - * Is it IPv4? >>> - */ >>> - if (ip->ip_v != IPVERSION) { >>> - IPSTAT_INC(ips_badvers); >>> - goto drop; >>> - } >>> - >>> - /* >>> - * Is IP header length correct and is it in first mbuf? >>> - */ >>> - hlen = ip->ip_hl << 2; >>> - if (hlen < sizeof(struct ip)) { /* minimum header length */ >>> - IPSTAT_INC(ips_badhlen); >>> - goto drop; >>> - } >>> - if (hlen > m->m_len) { >>> - if ((m = m_pullup(m, hlen)) == NULL) { >>> - IPSTAT_INC(ips_badhlen); >>> - return NULL; /* mbuf already free'd */ >>> - } >>> - ip = mtod(m, struct ip *); >>> - } >>> - >>> - /* >>> - * Checksum correct? >>> - */ >>> - if (m->m_pkthdr.csum_flags & CSUM_IP_CHECKED) >>> - sum = !(m->m_pkthdr.csum_flags & CSUM_IP_VALID); >>> - else { >>> - if (hlen == sizeof(struct ip)) >>> - sum = in_cksum_hdr(ip); >>> - else >>> - sum = in_cksum(m, hlen); >>> - } >>> - if (sum) { >>> - IPSTAT_INC(ips_badsum); >>> - goto drop; >>> - } >>> - >>> - /* >>> - * Remember that we have checked the IP header and found it valid. >>> - */ >>> - m->m_pkthdr.csum_flags |= (CSUM_IP_CHECKED | CSUM_IP_VALID); >>> - >>> - ip_len = ntohs(ip->ip_len); >>> - >>> - /* >>> - * Is IP length longer than packet we have got? >>> - */ >>> - if (m->m_pkthdr.len < ip_len) { >>> - IPSTAT_INC(ips_tooshort); >>> - goto drop; >>> - } >>> - >>> - /* >>> - * Is packet longer than IP header tells us? If yes, truncate >>> packet. >>> - */ >>> - if (m->m_pkthdr.len > ip_len) { >>> - if (m->m_len == m->m_pkthdr.len) { >>> - m->m_len = ip_len; >>> - m->m_pkthdr.len = ip_len; >>> - } else >>> - m_adj(m, ip_len - m->m_pkthdr.len); >>> - } >>> - >>> - /* >>> - * Is packet from or to 127/8? >>> - */ >>> - if ((ntohl(ip->ip_dst.s_addr) >> IN_CLASSA_NSHIFT) == >>> IN_LOOPBACKNET || >>> - (ntohl(ip->ip_src.s_addr) >> IN_CLASSA_NSHIFT) == >>> IN_LOOPBACKNET) { >>> - IPSTAT_INC(ips_badaddr); >>> - goto drop; >>> - } >>> >>> #ifdef ALTQ >>> /* >>> @@ -289,12 +184,10 @@ ip_fastforward(struct mbuf *m) >>> #endif >>> >>> /* >>> - * Step 2: fallback conditions to normal ip_input path processing >>> - */ >>> - >>> - /* >>> * Only IP packets without options >>> */ >>> + ip = mtod(m, struct ip *); >>> + >>> if (ip->ip_hl != (sizeof(struct ip) >> 2)) { >>> if (V_ip_doopts == 1) >>> return m; >>> >>> Modified: head/sys/netinet/ip_input.c >>> =========================================================================== >> == >>> = >>> --- head/sys/netinet/ip_input.c Thu Nov 5 04:16:03 2015 (r29038 >>> 2) >>> +++ head/sys/netinet/ip_input.c Thu Nov 5 07:26:32 2015 (r29038 >>> 3) >>> @@ -79,6 +79,8 @@ __FBSDID("$FreeBSD$"); >>> #include >>> #ifdef IPSEC >>> #include >>> +#include >>> +#include >>> #endif /* IPSEC */ >>> #include >>> >>> @@ -500,12 +502,22 @@ tooshort: >>> m_adj(m, ip_len - m->m_pkthdr.len); >>> } >>> >>> + /* Try to forward the packet, but if we fail continue */ >>> #ifdef IPSEC >>> + /* For now we do not handle IPSEC in tryforward. */ >>> + if (!key_havesp(IPSEC_DIR_INBOUND) && >>> !key_havesp(IPSEC_DIR_OUTBOUND) & >>> & >>> + (V_ipforwarding == 1)) >>> + if (ip_tryforward(m) == NULL) >>> + return; >>> /* >>> * Bypass packet filtering for packets previously handled by IPsec. >>> */ >>> if (ip_ipsec_filtertunnel(m)) >>> goto passin; >>> +#else >>> + if (V_ipforwarding == 1) >>> + if (ip_tryforward(m) == NULL) >>> + return; >>> #endif /* IPSEC */ >>> >>> /* >>> >>> >> >> Hi George, >> >> Sorry for the lateness of this reply, I finally got some time off for >> Christmas and have time to myself to boot. >> >> This breaks ipfilter's ipnat. I want to let you know before anyone >> MFCs >> this. > > A fix to ipfilter has been committed to head and will be MFCed in a > week. > Let me know when that's done. Thanks! Best, George