From: "Andrey V. Elsukov"
Date: Tue, 10 Nov 2020 12:13:18 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org
Subject: svn commit: r367553 - in stable/12: share/dtrace sys/netpfil/ipfw

Author: ae
Date: Tue Nov 10 12:13:18 2020
New Revision: 367553
URL: https://svnweb.freebsd.org/changeset/base/367553

Log:
  MFC r366908 (modified for stable/12 KBI):
    Add dtrace SDT probe ipfw:::rule-matched. It helps to reduce complexity
    with debugging of large ipfw rulesets. Also define several constants and
    translators, that can be used by dtrace scripts with this probe.

    Obtained from: Yandex LLC
    Sponsored by: Yandex LLC
    Differential Revision: https://reviews.freebsd.org/D26879

Added:
  stable/12/share/dtrace/ipfw.d
     - copied, changed from r366908, head/share/dtrace/ipfw.d
Modified:
  stable/12/share/dtrace/Makefile
  stable/12/sys/netpfil/ipfw/ip_fw2.c
Directory Properties:
  stable/12/ (props changed)

Modified: stable/12/share/dtrace/Makefile
==============================================================================
--- stable/12/share/dtrace/Makefile Tue Nov 10 11:32:01 2020 (r367552) +++ stable/12/share/dtrace/Makefile Tue Nov 10 12:13:18 2020 (r367553) 
@@ -21,7 +21,7 @@ SCRIPTS= blocking \ SCRIPTSDIR= ${SHAREDIR}/dtrace -DSRCS= mbuf.d +DSRCS= mbuf.d ipfw.d FILES= ${DSRCS} FILESDIR= /usr/lib/dtrace Copied and modified: stable/12/share/dtrace/ipfw.d (from r366908, head/share/dtrace/ipfw.d) ============================================================================== --- head/share/dtrace/ipfw.d Wed Oct 21 15:01:33 2020 (r366908, copy source) +++ stable/12/share/dtrace/ipfw.d Tue Nov 10 12:13:18 2020 (r367553) 
@@ -68,29 +68,17 @@ inline string ipfw_retcodes[int ret] = /* ip_fw_args flags */ #pragma D binding "1.0" IPFW_ARGS_ETHER -inline int IPFW_ARGS_ETHER = 0x00010000; /* valid ethernet header */ +inline int IPFW_ARGS_ETHER = 0x0001; /* valid ethernet header */ #pragma D binding "1.0" IPFW_ARGS_NH4 -inline int IPFW_ARGS_NH4 = 0x00020000; /* IPv4 next hop in hopstore */ +inline int IPFW_ARGS_NH4 = 0x0002; /* IPv4 next hop in hopstore */ #pragma D binding "1.0" IPFW_ARGS_NH6 -inline int IPFW_ARGS_NH6 = 0x00040000; /* IPv6 next hop in hopstore */ +inline int IPFW_ARGS_NH6 = 0x0004; /* IPv6 next hop in hopstore */ #pragma D binding "1.0" IPFW_ARGS_NH4PTR -inline int IPFW_ARGS_NH4PTR = 0x00080000; /* IPv4 next hop in next_hop */ +inline int IPFW_ARGS_NH4PTR = 0x0008; /* IPv4 next hop in next_hop */ #pragma D binding "1.0" IPFW_ARGS_NH6PTR -inline int IPFW_ARGS_NH6PTR = 0x00100000; /* IPv6 next hop in next_hop6 */ +inline int IPFW_ARGS_NH6PTR = 0x0010; /* IPv6 next hop in next_hop6 */ #pragma D binding "1.0" IPFW_ARGS_REF -inline int IPFW_ARGS_REF = 0x00200000; /* valid ipfw_rule_ref */ -#pragma D binding "1.0" IPFW_ARGS_IN -inline int IPFW_ARGS_IN = 0x00400000; /* called on input */ -#pragma D binding "1.0" IPFW_ARGS_OUT -inline int IPFW_ARGS_OUT = 0x00800000; /* called on output */ -#pragma D binding "1.0" IPFW_ARGS_IP4 -inline int IPFW_ARGS_IP4 = 0x01000000; /* belongs to v4 ISR */ -#pragma D binding "1.0" IPFW_ARGS_IP6 -inline int IPFW_ARGS_IP6 = 0x02000000; /* belongs to v6 ISR */ -#pragma D binding "1.0" IPFW_ARGS_DROP -inline int IPFW_ARGS_DROP = 0x04000000; /* drop it (dummynet) */ -#pragma D binding "1.0" IPFW_ARGS_LENMASK -inline int IPFW_ARGS_LENMASK = 0x0000ffff; /* length of data in *mem */ +inline int IPFW_ARGS_REF = 0x0020; /* valid ipfw_rule_ref */ /* ipfw_rule_ref.info */ #pragma D binding "1.0" IPFW_INFO_MASK 
@@ -147,17 +135,13 @@ typedef struct ipfw_match_info { #pragma D binding "1.0" translator translator ipfw_match_info_t < struct ip_fw_args *p > { flags = p->flags; - m = (p->flags & IPFW_ARGS_LENMASK) ? NULL : p->m; - mem = (p->flags & IPFW_ARGS_LENMASK) ? p->mem : NULL; + m = p->m; + mem = NULL; inp = p->inp; - ifp = p->ifp; + ifp = p->oif; /* Initialize IP pointer corresponding to addr_type */ - ipp = (p->flags & IPFW_ARGS_IP4) ? - (p->flags & IPFW_ARGS_LENMASK) ? (struct ip *)p->mem : - (p->m != NULL) ? (struct ip *)p->m->m_data : NULL : NULL; - ip6p = (p->flags & IPFW_ARGS_IP6) ? - (p->flags & IPFW_ARGS_LENMASK) ? (struct ip6_hdr *)p->mem : - (p->m != NULL) ? (struct ip6_hdr *)p->m->m_data : NULL : NULL; + ipp = (p->m != NULL) ? (struct ip *)p->m->m_data : NULL; + ip6p = (p->m != NULL) ? (struct ip6_hdr *)p->m->m_data : NULL; /* fill f_id fields */ addr_type = p->f_id.addr_type; Modified: stable/12/sys/netpfil/ipfw/ip_fw2.c ============================================================================== --- stable/12/sys/netpfil/ipfw/ip_fw2.c Tue Nov 10 11:32:01 2020 (r367552) +++ stable/12/sys/netpfil/ipfw/ip_fw2.c Tue Nov 10 12:13:18 2020 (r367553) @@ -55,6 +55,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include #include @@ -105,6 +106,18 @@ __FBSDID("$FreeBSD$"); #include #endif +#define IPFW_PROBE(probe, arg0, arg1, arg2, arg3, arg4, arg5) \ + SDT_PROBE6(ipfw, , , probe, arg0, arg1, arg2, arg3, arg4, arg5) + +SDT_PROVIDER_DEFINE(ipfw); +SDT_PROBE_DEFINE6(ipfw, , , rule__matched, + "int", /* retval */ + "int", /* af */ + "void *", /* src addr */ + "void *", /* dst addr */ + "struct ip_fw_args *", /* args */ + "struct ip_fw *" /* rule */); + /* * static variables followed by global ones. * All ipfw global variables are here. 
@@ -3188,6 +3201,13 @@ do { \ struct ip_fw *rule = chain->map[f_pos]; /* Update statistics */ IPFW_INC_RULE_COUNTER(rule, pktlen); + IPFW_PROBE(rule__matched, retval, + is_ipv4 ? AF_INET : AF_INET6, + is_ipv4 ? (uintptr_t)&src_ip : + (uintptr_t)&args->f_id.src_ip6, + is_ipv4 ? (uintptr_t)&dst_ip : + (uintptr_t)&args->f_id.dst_ip6, + args, rule); } else { retval = IP_FW_DENY; printf("ipfw: ouch!, skip past end of rules, denying packet\n");
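
Review bot: nothing in the "ip_fw_args flags" block at @@ -68,29 +68,17 @@ of stable/12/share/dtrace/ipfw.d tells a script author that this copy differs from head. IPFW_ARGS_IN, IPFW_ARGS_OUT, IPFW_ARGS_IP4, IPFW_ARGS_IP6, IPFW_ARGS_DROP and IPFW_ARGS_LENMASK are gone and the remaining flags are renumbered (IPFW_ARGS_ETHER goes from 0x00010000 to 0x0001), so a D script written against head that references IPFW_ARGS_IN will not compile here, and one that hard-codes the head values will test the wrong bits. Suggest a comment above the block saying that these values follow the stable/12 layout of ip_fw_args flags and that the direction and address-family flags are not available on this branch.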
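
Review bot: in the translator hunk at @@ -147,17 +135,13 @@ of stable/12/share/dtrace/ipfw.d, ipp and ip6p are both assigned p->m->m_data whenever p->m is non-NULL, so the comment "Initialize IP pointer corresponding to addr_type" no longer describes the code. For an IPv6 packet ipp is now a non-NULL pointer that overlays struct ip on an IPv6 header, and the reverse holds for ip6p, so a script that tests ipp != NULL to pick the family will read meaningless fields. Suggest gating each pointer on p->f_id.addr_type, which the translator already reads a few lines further down, or rewording the comment to say that both pointers alias the same data and consumers must check addr_type first.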
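
Review bot: the argument comments on SDT_PROBE_DEFINE6 at @@ -105,6 +106,18 @@ of ip_fw2.c say only "src addr" and "dst addr" for the two "void *" arguments, which does not tell a script author what they point to. The call site passes &src_ip / &dst_ip for IPv4 and &args->f_id.src_ip6 / &args->f_id.dst_ip6 otherwise, so the pointee depends on the af argument. Suggest extending the two comments to name what each points to per address family, since that is what a consumer needs in order to copy in and format the address correctly.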
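
Review bot: at @@ -3188,6 +3201,13 @@ of ip_fw2.c the af argument is computed as is_ipv4 ? AF_INET : AF_INET6, so every packet that is not IPv4 is reported as AF_INET6 with pointers into args->f_id.src_ip6 and args->f_id.dst_ip6. If traffic that is neither IPv4 nor IPv6 can reach this point (the IPFW_ARGS_ETHER flag in ipfw.d suggests layer-2 frames are handled), a script will format unrelated bytes as an IPv6 address; suggest an explicit IPv6 test with a distinct value for the remaining case. Also worth a comment: the probe sits in the branch that updates the rule counter, so the IP_FW_DENY assigned in the else branch ("skip past end of rules, denying packet") never fires rule-matched and that verdict is invisible to tracing.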