Date: Sat, 7 Jan 2012 11:01:35 +0000 (UTC) From: Gleb Smirnoff <glebius@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r229770 - in stable/9/sys: contrib/pf/net modules/pfsync Message-ID: <201201071101.q07B1ZOZ036871@svn.freebsd.org>
Author: glebius Date: Sat Jan 7 11:01:35 2012 New Revision: 229770 URL: http://svn.freebsd.org/changeset/base/229770 Log: Merge from head/ 228732,228811,228813-228816,228855: r228732 | glebius | 2011-12-20 16:34:16 +0400 (вт, 20 дек 2011) | 3 lines - Cover pfsync callouts deletion with PF_LOCK(). - Cover setting up interface between pf and pfsync with PF_LOCK(). r228811 | glebius | 2011-12-22 22:31:47 +0400 (чт, 22 дек 2011) | 3 lines In FreeBSD we always have bpf(4) API, either real or stub. No need in detecting presense of 'device bpf'. r228813 | glebius | 2011-12-22 22:51:35 +0400 (чт, 22 дек 2011) | 2 lines We really mean MTU of the real interface here, not of our pseudo. r228814 | glebius | 2011-12-22 22:56:27 +0400 (чт, 22 дек 2011) | 16 lines Merge couple more fixes from OpenBSD to bulk processing: revision 1.118 date: 2009/03/23 06:19:59; author: dlg; state: Exp; lines: +8 -6 wait an appropriate amount of time before giving up on a bulk update, rather than giving up after a hardcoded 5 seconds (which is generally much too short an interval for a bulk update). pointed out by david@, eyeballed by mcbride@ revision 1.171 date: 2011/10/31 22:02:52; author: mikeb; state: Exp; lines: +2 -1 Don't forget to cancel bulk update failure timeout when destroying an interface. Problem report and fix from Erik Lax, thanks! Start a brief note of revisions merged from OpenBSD. r228815 | glebius | 2011-12-22 23:05:58 +0400 (чт, 22 дек 2011) | 12 lines Merge from OpenBSD: revision 1.120 date: 2009/04/04 13:09:29; author: dlg; state: Exp; lines: +5 -5 use time_uptime instead of time_second internally. time_uptime isnt affected by adjusting the clock. revision 1.175 date: 2011/11/25 12:52:10; author: dlg; state: Exp; lines: +3 -3 use time_uptime to set state creation values as time_second can be skewed at runtime by things like date(1) and ntpd. time_uptime is monotonic and therefore more useful to compare against. 
r228816 | glebius | 2011-12-22 23:09:55 +0400 (чт, 22 дек 2011) | 11 lines Merge from OpenBSD: revision 1.122 date: 2009/05/13 01:01:34; author: dlg; state: Exp; lines: +6 -4 only keep track of the number of updates on tcp connections. state sync on all the other protocols is simply pushing the timeouts along which has a resolution of 1 second, so it isnt going to be hurt by pfsync taking up to a second to send it over. keep track of updates on tcp still though, their windows need constant attention. Modified: stable/9/sys/contrib/pf/net/if_pfsync.c stable/9/sys/modules/pfsync/Makefile Directory Properties: stable/9/sys/ (props changed) stable/9/sys/contrib/pf/ (props changed)
Modified: stable/9/sys/contrib/pf/net/if_pfsync.c
==============================================================================
--- stable/9/sys/contrib/pf/net/if_pfsync.c Sat Jan 7 10:49:04 2012 (r229769)
+++ stable/9/sys/contrib/pf/net/if_pfsync.c Sat Jan 7 11:01:35 2012 (r229770)
@@ -42,20 +42,22 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+/*
+ * Revisions picked from OpenBSD after revision 1.110 import:
+ * 1.118, 1.124, 1.148, 1.149, 1.151, 1.171 - fixes to bulk updates
+ * 1.120, 1.175 - use monotonic time_uptime
+ * 1.122 - reduce number of updates for non-TCP sessions
+ */
+
 #ifdef __FreeBSD__
 #include "opt_inet.h"
 #include "opt_inet6.h"
-#include "opt_bpf.h"
 #include "opt_pf.h"
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
-#ifdef DEV_BPF
-#define NBPFILTER DEV_BPF
-#else
-#define NBPFILTER 0
-#endif
+#define NBPFILTER 1
 #ifdef DEV_PFSYNC
 #define NPFSYNC DEV_PFSYNC
@@ -539,9 +541,14 @@ pfsync_clone_destroy(struct ifnet *ifp)
 #ifdef __FreeBSD__
 EVENTHANDLER_DEREGISTER(ifnet_departure_event, sc->sc_detachtag);
+ PF_LOCK();
 #endif
- timeout_del(&sc->sc_bulk_tmo); /* XXX: need PF_LOCK() before */
+ timeout_del(&sc->sc_bulkfail_tmo);
+ timeout_del(&sc->sc_bulk_tmo);
 timeout_del(&sc->sc_tmo);
+#ifdef __FreeBSD__
+ PF_UNLOCK();
+#endif
 #if NCARP > 0
 #ifdef notyet
 #ifdef __FreeBSD__
@@ -662,7 +669,7 @@ pfsync_state_export(struct pfsync_state
 /* copy from state */
 strlcpy(sp->ifname, st->kif->pfik_name, sizeof(sp->ifname));
 bcopy(&st->rt_addr, &sp->rt_addr, sizeof(sp->rt_addr));
- sp->creation = htonl(time_second - st->creation);
+ sp->creation = htonl(time_uptime - st->creation);
 sp->expire = pf_state_expires(st);
 if (sp->expire <= time_second)
 sp->expire = htonl(0);
@@ -813,7 +820,7 @@ pfsync_state_import(struct pfsync_state
 /* copy to state */
 bcopy(&sp->rt_addr, &st->rt_addr, sizeof(st->rt_addr));
- st->creation = time_second - ntohl(sp->creation);
+ st->creation = time_uptime - ntohl(sp->creation);
 st->expire = time_second;
 if (sp->expire) {
 /* XXX No adaptive scaling. */
@@ -836,7 +843,7 @@ pfsync_state_import(struct pfsync_state
 st->anchor.ptr = NULL;
 st->rt_kif = NULL;
- st->pfsync_time = time_second;
+ st->pfsync_time = time_uptime;
 st->sync_state = PFSYNC_S_NONE;
 /* XXX when we have nat_rule/anchors, use STATE_INC_COUNTERS */
@@ -1328,7 +1335,7 @@ pfsync_in_upd(struct pfsync_pkt *pkt, st
 pf_state_peer_ntoh(&sp->dst, &st->dst);
 st->expire = ntohl(sp->expire) + time_second;
 st->timeout = sp->timeout;
- st->pfsync_time = time_second;
+ st->pfsync_time = time_uptime;
 }
 #ifdef __FreeBSD__
 PF_UNLOCK();
@@ -1438,7 +1445,7 @@ pfsync_in_upd_c(struct pfsync_pkt *pkt,
 pf_state_peer_ntoh(&up->dst, &st->dst);
 st->expire = ntohl(up->expire) + time_second;
 st->timeout = up->timeout;
- st->pfsync_time = time_second;
+ st->pfsync_time = time_uptime;
 }
 #ifdef __FreeBSD__
 PF_UNLOCK();
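Review bot: Taking PF_LOCK() around the three timeout_del() calls does not by itself guarantee that no handler runs afterwards. If timeout_del() maps to callout_stop() on FreeBSD (the mapping is not visible in this hunk), a handler that has already fired and is waiting for the pf lock proceeds as soon as `PF_UNLOCK();` is reached, against a softc that pfsync_clone_destroy is tearing down. Draining the callouts after the unlock and before the softc is released would close that window; draining while holding a lock the handlers take would deadlock, so it has to happen outside the locked region. At minimum the removed XXX comment deserves a replacement that states which lock the callout handlers rely on. The function starts and ends outside the hunk.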
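Review bot: `time_uptime - st->creation` in pfsync_state_export yields a sane age only if st->creation was itself stamped from time_uptime, and this commit modifies only if_pfsync.c. States created by pf outside this file (not visible here) may still be stamped with time_second, in which case the subtraction goes negative and the peer receives a bogus creation age. Please confirm every writer of st->creation was converted in the same merge. The expiry lines just below still compare against time_second, so the two fields now use different clocks; a comment such as `/* creation is relative to time_uptime, expire to time_second */` would make that explicit. The -813 hunk in pfsync_state_import has the mirror-image assignment.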
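Review bot: `ntohl(sp->creation)` in the -813 hunk is an age supplied by the peer and can be larger than the local time_uptime, most obviously shortly after this host boots, so `st->creation = time_uptime - ntohl(sp->creation);` can go negative and be stored wrapped. With time_second that was not a practical concern. If the wrap is intended because only differences against time_uptime are ever taken, say so in a comment; otherwise clamp the age first, e.g. `age = ntohl(sp->creation); if (age > time_uptime) age = time_uptime;`. The type of st->creation is not visible in this hunk, and pfsync_state_import continues outside it.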
@@ -1608,14 +1615,16 @@ pfsync_in_bus(struct pfsync_pkt *pkt, st
 switch (bus->status) {
 case PFSYNC_BUS_START:
 #ifdef __FreeBSD__
- callout_reset(&sc->sc_bulkfail_tmo, 5 * hz, pfsync_bulk_fail,
- V_pfsyncif);
+ callout_reset(&sc->sc_bulkfail_tmo, 4 * hz +
+ V_pf_pool_limits[PF_LIMIT_STATES].limit /
+ ((sc->sc_sync_if->if_mtu - PFSYNC_MINPKT) /
+ sizeof(struct pfsync_state)),
+ pfsync_bulk_fail, V_pfsyncif);
 #else
- timeout_add_sec(&sc->sc_bulkfail_tmo, 5); /* XXX magic */
-#endif
-#ifdef XXX
+ timeout_add(&sc->sc_bulkfail_tmo, 4 * hz +
 pf_pool_limits[PF_LIMIT_STATES].limit /
- (PFSYNC_BULKPACKETS * sc->sc_maxcount));
+ ((sc->sc_if.if_mtu - PFSYNC_MINPKT) /
+ sizeof(struct pfsync_state)));
 #endif
 #ifdef __FreeBSD__
 if (V_pf_status.debug >= PF_DEBUG_MISC)
@@ -2606,9 +2615,11 @@ pfsync_update_state(struct pf_state *st)
 case PFSYNC_S_INS:
 /* we're already handling it */
- st->sync_updates++;
- if (st->sync_updates >= sc->sc_maxupdates)
- sync = 1;
+ if (st->key[PF_SK_WIRE]->proto == IPPROTO_TCP) {
+ st->sync_updates++;
+ if (st->sync_updates >= sc->sc_maxupdates)
+ sync = 1;
+ }
 break;
 case PFSYNC_S_IACK:
@@ -2623,7 +2634,7 @@ pfsync_update_state(struct pf_state *st)
 st->sync_state);
 }
- if (sync || (time_second - st->pfsync_time) < 2) {
+ if (sync || (time_uptime - st->pfsync_time) < 2) {
 pfsync_upds++;
 #ifdef __FreeBSD__
 pfsync_sendout();
@@ -2665,7 +2676,7 @@ pfsync_request_update(u_int32_t creatori
 nlen += sizeof(struct pfsync_subheader);
 #ifdef __FreeBSD__
- if (sc->sc_len + nlen > sc->sc_ifp->if_mtu) {
+ if (sc->sc_len + nlen > sc->sc_sync_if->if_mtu) {
 #else
 if (sc->sc_len + nlen > sc->sc_if.if_mtu) {
 #endif
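Review bot: The new divisor `(sc->sc_sync_if->if_mtu - PFSYNC_MINPKT) / sizeof(struct pfsync_state)` in the PFSYNC_BUS_START case is zero whenever the sync interface MTU exceeds PFSYNC_MINPKT by less than one struct pfsync_state, and the division then faults in the kernel while handling a message received from the network. An MTU below PFSYNC_MINPKT makes the subtraction meaningless as well, so the MTU should be checked before the computation, falling back to the previous fixed 5 * hz as sketched below; the non-FreeBSD timeout_add() branch wants the same guard. sc->sc_sync_if is also dereferenced without a check here and in the -2665 hunk (pfsync_request_update), where the old code used sc->sc_ifp; please confirm both paths are reachable only with a sync interface configured. pfsync_in_bus continues outside the hunk.

```c
#ifdef __FreeBSD__
		/* need room for at least one state per packet, else the divisor is 0 */
		if (sc->sc_sync_if->if_mtu <
		    PFSYNC_MINPKT + sizeof(struct pfsync_state))
			callout_reset(&sc->sc_bulkfail_tmo, 5 * hz,
			    pfsync_bulk_fail, V_pfsyncif);
		else
			callout_reset(&sc->sc_bulkfail_tmo, 4 * hz +
			    V_pf_pool_limits[PF_LIMIT_STATES].limit /
			    ((sc->sc_sync_if->if_mtu - PFSYNC_MINPKT) /
			    sizeof(struct pfsync_state)),
			    pfsync_bulk_fail, V_pfsyncif);
#else
		/* … unchanged: timeout_add() variant, to get the same MTU guard … */
#endif
```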
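Review bot: The TCP-only test added to the PFSYNC_S_INS case in the -2606 hunk has no comment, so the reason non-TCP states stop counting towards sc_maxupdates lives only in the commit log. I would add above the `if`: `/* only TCP needs prompt updates (window tracking); other protocols just push timeouts along */`. The switch in pfsync_update_state starts outside the hunk, so any case labels sharing this branch are not visible here.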
@@ -3290,16 +3301,17 @@ void
 pfsyncintr(void *arg)
 {
 struct pfsync_softc *sc = arg;
- struct mbuf *m;
+ struct mbuf *m, *n;
 CURVNET_SET(sc->sc_ifp->if_vnet);
 pfsync_ints++;
- for (;;) {
- IF_DEQUEUE(&sc->sc_ifp->if_snd, m);
- if (m == 0)
- break;
+ IF_DEQUEUE_ALL(&sc->sc_ifp->if_snd, m);
+ for (; m != NULL; m = n) {
+
+ n = m->m_nextpkt;
+ m->m_nextpkt = NULL;
 if (ip_output(m, NULL, NULL, IP_RAWOUTPUT, &sc->sc_imo, NULL) == 0)
 V_pfsyncstats.pfsyncs_opackets++;
@@ -3391,6 +3403,7 @@ vnet_pfsync_init(const void *unused)
 if (error)
 panic("%s: swi_add %d", __func__, error);
+ PF_LOCK();
 pfsync_state_import_ptr = pfsync_state_import;
 pfsync_up_ptr = pfsync_up;
 pfsync_insert_state_ptr = pfsync_insert_state;
@@ -3399,6 +3412,7 @@ vnet_pfsync_init(const void *unused)
 pfsync_clear_states_ptr = pfsync_clear_states;
 pfsync_state_in_use_ptr = pfsync_state_in_use;
 pfsync_defer_ptr = pfsync_defer;
+ PF_UNLOCK();
 return (0);
 }
@@ -3409,6 +3423,7 @@ vnet_pfsync_uninit(const void *unused)
 swi_remove(pfsync_swi.pfsync_swi_cookie);
+ PF_LOCK();
 pfsync_state_import_ptr = NULL;
 pfsync_up_ptr = NULL;
 pfsync_insert_state_ptr = NULL;
@@ -3417,6 +3432,7 @@ vnet_pfsync_uninit(const void *unused)
 pfsync_clear_states_ptr = NULL;
 pfsync_state_in_use_ptr = NULL;
 pfsync_defer_ptr = NULL;
+ PF_UNLOCK();
 if_clone_detach(&pfsync_cloner);
Modified: stable/9/sys/modules/pfsync/Makefile
==============================================================================
--- stable/9/sys/modules/pfsync/Makefile Sat Jan 7 10:49:04 2012 (r229769)
+++ stable/9/sys/modules/pfsync/Makefile Sat Jan 7 11:01:35 2012 (r229770)
@@ -6,7 +6,7 @@
 KMOD= pfsync
 SRCS= if_pfsync.c \
- opt_pf.h opt_inet.h opt_inet6.h opt_bpf.h
+ opt_pf.h opt_inet.h opt_inet6.h
 CFLAGS+= -I${.CURDIR}/../../contrib/pf
 SRCS+= bus_if.h device_if.h
@@ -24,9 +24,6 @@ opt_inet6.h:
 echo "#define INET6 1" > ${.TARGET}
 .endif
-opt_bpf.h:
- echo "#define DEV_BPF 1" > ${.TARGET}
-
 .if defined(VIMAGE)
 opt_global.h:
 echo "#define VIMAGE 1" >> ${.TARGET}
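Review bot: In vnet_pfsync_uninit (the -3409 hunk) `swi_remove(pfsync_swi.pfsync_swi_cookie);` still runs before the hook pointers are cleared, so between the two a caller in pf can enter pfsync through a non-NULL `pfsync_*_ptr` and, if that path schedules the software interrupt (not visible in this hunk), use a cookie that is already gone. Clearing the pointers under PF_LOCK() first and calling swi_remove() after `PF_UNLOCK();` would mirror the order used in vnet_pfsync_init. The added locking only helps if every reader of these pointers also holds the pf lock, which this diff does not show. Both functions continue outside their hunks.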