Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 7 Jan 2012 11:01:35 +0000 (UTC)
From:      Gleb Smirnoff <glebius@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject:   svn commit: r229770 - in stable/9/sys: contrib/pf/net modules/pfsync
Message-ID:  <201201071101.q07B1ZOZ036871@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: glebius
Date: Sat Jan  7 11:01:35 2012
New Revision: 229770
URL: http://svn.freebsd.org/changeset/base/229770

Log:
  Merge from head/ 228732,228811,228813-228816,228855:
  
    r228732 | glebius | 2011-12-20 16:34:16 +0400 (вт, 20 дек 2011) | 3 lines
  
    - Cover pfsync callouts deletion with PF_LOCK().
    - Cover setting up interface between pf and pfsync with PF_LOCK().
  
    r228811 | glebius | 2011-12-22 22:31:47 +0400 (чт, 22 дек 2011) | 3 lines
  
    In FreeBSD we always have bpf(4) API, either real or stub. No need
    in detecting presense of 'device bpf'.
  
    r228813 | glebius | 2011-12-22 22:51:35 +0400 (чт, 22 дек 2011) | 2 lines
  
    We really mean MTU of the real interface here, not of our pseudo.
  
    r228814 | glebius | 2011-12-22 22:56:27 +0400 (чт, 22 дек 2011) | 16 lines
  
    Merge couple more fixes from OpenBSD to bulk processing:
  
      revision 1.118
      date: 2009/03/23 06:19:59;  author: dlg;  state: Exp;  lines: +8 -6
      wait an appropriate amount of time before giving up on a bulk update,
      rather than giving up after a hardcoded 5 seconds (which is generally much
      too short an interval for a bulk update).
      pointed out by david@, eyeballed by mcbride@
  
      revision 1.171
      date: 2011/10/31 22:02:52;  author: mikeb;  state: Exp;  lines: +2 -1
      Don't forget to cancel bulk update failure timeout when destroying an
      interface.  Problem report and fix from Erik Lax, thanks!
  
    Start a brief note of revisions merged from OpenBSD.
  
    r228815 | glebius | 2011-12-22 23:05:58 +0400 (чт, 22 дек 2011) | 12 lines
  
    Merge from OpenBSD:
      revision 1.120
      date: 2009/04/04 13:09:29;  author: dlg;  state: Exp;  lines: +5 -5
      use time_uptime instead of time_second internally. time_uptime isnt
      affected by adjusting the clock.
  
      revision 1.175
      date: 2011/11/25 12:52:10;  author: dlg;  state: Exp;  lines: +3 -3
      use time_uptime to set state creation values as time_second can be
      skewed at runtime by things like date(1) and ntpd. time_uptime is
      monotonic and therefore more useful to compare against.
  
    r228816 | glebius | 2011-12-22 23:09:55 +0400 (чт, 22 дек 2011) | 11 lines
  
    Merge from OpenBSD:
      revision 1.122
      date: 2009/05/13 01:01:34;  author: dlg;  state: Exp;  lines: +6 -4
      only keep track of the number of updates on tcp connections. state sync on
      all the other protocols is simply pushing the timeouts along which has a
      resolution of 1 second, so it isnt going to be hurt by pfsync taking up
      to a second to send it over.
  
      keep track of updates on tcp still though, their windows need constant
      attention.

Modified:
  stable/9/sys/contrib/pf/net/if_pfsync.c
  stable/9/sys/modules/pfsync/Makefile
Directory Properties:
  stable/9/sys/   (props changed)
  stable/9/sys/contrib/pf/   (props changed)

Modified: stable/9/sys/contrib/pf/net/if_pfsync.c
==============================================================================
--- stable/9/sys/contrib/pf/net/if_pfsync.c	Sat Jan  7 10:49:04 2012	(r229769)
+++ stable/9/sys/contrib/pf/net/if_pfsync.c	Sat Jan  7 11:01:35 2012	(r229770)
@@ -42,20 +42,22 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+/*
+ * Revisions picked from OpenBSD after revision 1.110 import:
+ * 1.118, 1.124, 1.148, 1.149, 1.151, 1.171 - fixes to bulk updates
+ * 1.120, 1.175 - use monotonic time_uptime
+ * 1.122 - reduce number of updates for non-TCP sessions
+ */
+
 #ifdef __FreeBSD__
 #include "opt_inet.h"
 #include "opt_inet6.h"
-#include "opt_bpf.h"
 #include "opt_pf.h"
 
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
-#ifdef DEV_BPF
-#define	NBPFILTER	DEV_BPF
-#else
-#define	NBPFILTER	0
-#endif
+#define	NBPFILTER	1
 
 #ifdef DEV_PFSYNC
 #define	NPFSYNC		DEV_PFSYNC
@@ -539,9 +541,14 @@ pfsync_clone_destroy(struct ifnet *ifp)
 
 #ifdef __FreeBSD__
 	EVENTHANDLER_DEREGISTER(ifnet_departure_event, sc->sc_detachtag);
+	PF_LOCK();
 #endif
-	timeout_del(&sc->sc_bulk_tmo);	/* XXX: need PF_LOCK() before */
+	timeout_del(&sc->sc_bulkfail_tmo);
+	timeout_del(&sc->sc_bulk_tmo);
 	timeout_del(&sc->sc_tmo);
+#ifdef __FreeBSD__
+	PF_UNLOCK();
+#endif
 #if NCARP > 0
 #ifdef notyet
 #ifdef __FreeBSD__
@@ -662,7 +669,7 @@ pfsync_state_export(struct pfsync_state 
 	/* copy from state */
 	strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
 	bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
-	sp->creation = htonl(time_second - st->creation);
+	sp->creation = htonl(time_uptime - st->creation);
 	sp->expire = pf_state_expires(st);
 	if (sp->expire <= time_second)
 		sp->expire = htonl(0);
@@ -813,7 +820,7 @@ pfsync_state_import(struct pfsync_state 
 
 	/* copy to state */
 	bcopy(&sp->rt_addr, &st->rt_addr, sizeof(st->rt_addr));
-	st->creation = time_second - ntohl(sp->creation);
+	st->creation = time_uptime - ntohl(sp->creation);
 	st->expire = time_second;
 	if (sp->expire) {
 		/* XXX No adaptive scaling. */
@@ -836,7 +843,7 @@ pfsync_state_import(struct pfsync_state 
 	st->anchor.ptr = NULL;
 	st->rt_kif = NULL;
 
-	st->pfsync_time = time_second;
+	st->pfsync_time = time_uptime;
 	st->sync_state = PFSYNC_S_NONE;
 
 	/* XXX when we have nat_rule/anchors, use STATE_INC_COUNTERS */
@@ -1328,7 +1335,7 @@ pfsync_in_upd(struct pfsync_pkt *pkt, st
 		pf_state_peer_ntoh(&sp->dst, &st->dst);
 		st->expire = ntohl(sp->expire) + time_second;
 		st->timeout = sp->timeout;
-		st->pfsync_time = time_second;
+		st->pfsync_time = time_uptime;
 	}
 #ifdef __FreeBSD__
 	PF_UNLOCK();
@@ -1438,7 +1445,7 @@ pfsync_in_upd_c(struct pfsync_pkt *pkt, 
 		pf_state_peer_ntoh(&up->dst, &st->dst);
 		st->expire = ntohl(up->expire) + time_second;
 		st->timeout = up->timeout;
-		st->pfsync_time = time_second;
+		st->pfsync_time = time_uptime;
 	}
 #ifdef __FreeBSD__
 	PF_UNLOCK();
@@ -1608,14 +1615,16 @@ pfsync_in_bus(struct pfsync_pkt *pkt, st
 	switch (bus->status) {
 	case PFSYNC_BUS_START:
 #ifdef __FreeBSD__
-		callout_reset(&sc->sc_bulkfail_tmo, 5 * hz, pfsync_bulk_fail,
-		    V_pfsyncif);
+		callout_reset(&sc->sc_bulkfail_tmo, 4 * hz +
+		    V_pf_pool_limits[PF_LIMIT_STATES].limit /
+		    ((sc->sc_sync_if->if_mtu - PFSYNC_MINPKT) /
+		    sizeof(struct pfsync_state)),
+		    pfsync_bulk_fail, V_pfsyncif);
 #else
-		timeout_add_sec(&sc->sc_bulkfail_tmo, 5); /* XXX magic */
-#endif
-#ifdef XXX
+		timeout_add(&sc->sc_bulkfail_tmo, 4 * hz +
 		    pf_pool_limits[PF_LIMIT_STATES].limit /
-		    (PFSYNC_BULKPACKETS * sc->sc_maxcount));
+		    ((sc->sc_if.if_mtu - PFSYNC_MINPKT) /
+		    sizeof(struct pfsync_state)));
 #endif
 #ifdef __FreeBSD__
 		if (V_pf_status.debug >= PF_DEBUG_MISC)
@@ -2606,9 +2615,11 @@ pfsync_update_state(struct pf_state *st)
 	case PFSYNC_S_INS:
 		/* we're already handling it */
 
-		st->sync_updates++;
-		if (st->sync_updates >= sc->sc_maxupdates)
-			sync = 1;
+		if (st->key[PF_SK_WIRE]->proto == IPPROTO_TCP) {
+			st->sync_updates++;
+			if (st->sync_updates >= sc->sc_maxupdates)
+				sync = 1;
+		}
 		break;
 
 	case PFSYNC_S_IACK:
@@ -2623,7 +2634,7 @@ pfsync_update_state(struct pf_state *st)
 		    st->sync_state);
 	}
 
-	if (sync || (time_second - st->pfsync_time) < 2) {
+	if (sync || (time_uptime - st->pfsync_time) < 2) {
 		pfsync_upds++;
 #ifdef __FreeBSD__
 		pfsync_sendout();
@@ -2665,7 +2676,7 @@ pfsync_request_update(u_int32_t creatori
 		nlen += sizeof(struct pfsync_subheader);
 
 #ifdef __FreeBSD__
-	if (sc->sc_len + nlen > sc->sc_ifp->if_mtu) {
+	if (sc->sc_len + nlen > sc->sc_sync_if->if_mtu) {
 #else
 	if (sc->sc_len + nlen > sc->sc_if.if_mtu) {
 #endif
@@ -3290,16 +3301,17 @@ void
 pfsyncintr(void *arg)
 {
 	struct pfsync_softc *sc = arg;
-	struct mbuf *m;
+	struct mbuf *m, *n;
 
 	CURVNET_SET(sc->sc_ifp->if_vnet);
 	pfsync_ints++;
 
-	for (;;) {
-		IF_DEQUEUE(&sc->sc_ifp->if_snd, m);
-		if (m == 0)
-			break;
+	IF_DEQUEUE_ALL(&sc->sc_ifp->if_snd, m);
 
+	for (; m != NULL; m = n) {
+
+		n = m->m_nextpkt;
+		m->m_nextpkt = NULL;
 		if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL)
 		    == 0)
 			V_pfsyncstats.pfsyncs_opackets++;
@@ -3391,6 +3403,7 @@ vnet_pfsync_init(const void *unused)
 	if (error)
 		panic("%s: swi_add %d", __func__, error);
 
+	PF_LOCK();
 	pfsync_state_import_ptr = pfsync_state_import;
 	pfsync_up_ptr = pfsync_up;
 	pfsync_insert_state_ptr = pfsync_insert_state;
@@ -3399,6 +3412,7 @@ vnet_pfsync_init(const void *unused)
 	pfsync_clear_states_ptr = pfsync_clear_states;
 	pfsync_state_in_use_ptr = pfsync_state_in_use;
 	pfsync_defer_ptr = pfsync_defer;
+	PF_UNLOCK();
 
 	return (0);
 }
@@ -3409,6 +3423,7 @@ vnet_pfsync_uninit(const void *unused)
 
 	swi_remove(pfsync_swi.pfsync_swi_cookie);
 
+	PF_LOCK();
 	pfsync_state_import_ptr = NULL;
 	pfsync_up_ptr = NULL;
 	pfsync_insert_state_ptr = NULL;
@@ -3417,6 +3432,7 @@ vnet_pfsync_uninit(const void *unused)
 	pfsync_clear_states_ptr = NULL;
 	pfsync_state_in_use_ptr = NULL;
 	pfsync_defer_ptr = NULL;
+	PF_UNLOCK();
 
 	if_clone_detach(&pfsync_cloner);
 

Modified: stable/9/sys/modules/pfsync/Makefile
==============================================================================
--- stable/9/sys/modules/pfsync/Makefile	Sat Jan  7 10:49:04 2012	(r229769)
+++ stable/9/sys/modules/pfsync/Makefile	Sat Jan  7 11:01:35 2012	(r229770)
@@ -6,7 +6,7 @@
 
 KMOD=	pfsync
 SRCS=	if_pfsync.c \
-	opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h
+	opt_pf.h opt_inet.h opt_inet6.h
 
 CFLAGS+= -I${.CURDIR}/../../contrib/pf
 SRCS+=	bus_if.h device_if.h
@@ -24,9 +24,6 @@ opt_inet6.h:
 	echo "#define INET6 1" > ${.TARGET}
 .endif
 
-opt_bpf.h:
-	echo "#define DEV_BPF 1" > ${.TARGET}
-
 .if defined(VIMAGE)
 opt_global.h:
 	echo "#define VIMAGE 1" >> ${.TARGET}



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201201071101.q07B1ZOZ036871>