Date: Tue, 10 Nov 2020 12:13:18 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r367553 - in stable/12: share/dtrace sys/netpfil/ipfw Message-ID: <202011101213.0AACDIS2001278@repo.freebsd.org>
Author: ae Date: Tue Nov 10 12:13:18 2020 New Revision: 367553 URL: https://svnweb.freebsd.org/changeset/base/367553 Log: MFC r366908 (modified for stable/12 KBI): Add dtrace SDT probe ipfw:::rule-matched. It helps to reduce complexity with debugging of large ipfw rulesets. Also define several constants and translators, that can by used by dtrace scripts with this probe. Obtained from: Yandex LLC Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D26879 Added: stable/12/share/dtrace/ipfw.d - copied, changed from r366908, head/share/dtrace/ipfw.d Modified: stable/12/share/dtrace/Makefile stable/12/sys/netpfil/ipfw/ip_fw2.c Directory Properties: stable/12/ (props changed)
Modified: stable/12/share/dtrace/Makefile
==============================================================================
--- stable/12/share/dtrace/Makefile Tue Nov 10 11:32:01 2020 (r367552)
+++ stable/12/share/dtrace/Makefile Tue Nov 10 12:13:18 2020 (r367553)
@@ -21,7 +21,7 @@ SCRIPTS= blocking \
 SCRIPTSDIR= ${SHAREDIR}/dtrace
-DSRCS= mbuf.d
+DSRCS= mbuf.d ipfw.d
 FILES= ${DSRCS}
 FILESDIR= /usr/lib/dtrace
Copied and modified: stable/12/share/dtrace/ipfw.d (from r366908, head/share/dtrace/ipfw.d)
==============================================================================
--- head/share/dtrace/ipfw.d Wed Oct 21 15:01:33 2020 (r366908, copy source)
+++ stable/12/share/dtrace/ipfw.d Tue Nov 10 12:13:18 2020 (r367553)
@@ -68,29 +68,17 @@ inline string ipfw_retcodes[int ret] =
 /* ip_fw_args flags */
 #pragma D binding "1.0" IPFW_ARGS_ETHER
-inline int IPFW_ARGS_ETHER = 0x00010000; /* valid ethernet header */
+inline int IPFW_ARGS_ETHER = 0x0001; /* valid ethernet header */
 #pragma D binding "1.0" IPFW_ARGS_NH4
-inline int IPFW_ARGS_NH4 = 0x00020000; /* IPv4 next hop in hopstore */
+inline int IPFW_ARGS_NH4 = 0x0002; /* IPv4 next hop in hopstore */
 #pragma D binding "1.0" IPFW_ARGS_NH6
-inline int IPFW_ARGS_NH6 = 0x00040000; /* IPv6 next hop in hopstore */
+inline int IPFW_ARGS_NH6 = 0x0004; /* IPv6 next hop in hopstore */
 #pragma D binding "1.0" IPFW_ARGS_NH4PTR
-inline int IPFW_ARGS_NH4PTR = 0x00080000; /* IPv4 next hop in next_hop */
+inline int IPFW_ARGS_NH4PTR = 0x0008; /* IPv4 next hop in next_hop */
 #pragma D binding "1.0" IPFW_ARGS_NH6PTR
-inline int IPFW_ARGS_NH6PTR = 0x00100000; /* IPv6 next hop in next_hop6 */
+inline int IPFW_ARGS_NH6PTR = 0x0010; /* IPv6 next hop in next_hop6 */
 #pragma D binding "1.0" IPFW_ARGS_REF
-inline int IPFW_ARGS_REF = 0x00200000; /* valid ipfw_rule_ref */
-#pragma D binding "1.0" IPFW_ARGS_IN
-inline int IPFW_ARGS_IN = 0x00400000; /* called on input */
-#pragma D binding "1.0" IPFW_ARGS_OUT
-inline int IPFW_ARGS_OUT = 0x00800000; /* called on output */
-#pragma D binding "1.0" IPFW_ARGS_IP4
-inline int IPFW_ARGS_IP4 = 0x01000000; /* belongs to v4 ISR */
-#pragma D binding "1.0" IPFW_ARGS_IP6
-inline int IPFW_ARGS_IP6 = 0x02000000; /* belongs to v6 ISR */
-#pragma D binding "1.0" IPFW_ARGS_DROP
-inline int IPFW_ARGS_DROP = 0x04000000; /* drop it (dummynet) */
-#pragma D binding "1.0" IPFW_ARGS_LENMASK
-inline int IPFW_ARGS_LENMASK = 0x0000ffff; /* length of data in *mem */
+inline int IPFW_ARGS_REF = 0x0020; /* valid ipfw_rule_ref */
 /* ipfw_rule_ref.info */
 #pragma D binding "1.0" IPFW_INFO_MASK
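Review bot: The six IPFW_ARGS_* values kept in this hunk are literal copies of kernel flag bits, and nothing in the file records which definition they mirror or that they are specific to stable/12. If the kernel side changes a bit, scripts that decode `flags` keep running and silently report the wrong ethernet or next-hop state. I would extend the existing comment to something like `/* ip_fw_args flags: keep in sync with the kernel's IPFW_ARGS_* definitions for this branch */`. The same comment is a good place to state that IPFW_ARGS_IN, IPFW_ARGS_OUT, IPFW_ARGS_IP4, IPFW_ARGS_IP6, IPFW_ARGS_DROP and IPFW_ARGS_LENMASK are not defined here, so a script written against head that names them will not compile on this branch.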
@@ -147,17 +135,13 @@ typedef struct ipfw_match_info {
 #pragma D binding "1.0" translator
 translator ipfw_match_info_t < struct ip_fw_args *p > {
 flags = p->flags;
- m = (p->flags & IPFW_ARGS_LENMASK) ? NULL : p->m;
- mem = (p->flags & IPFW_ARGS_LENMASK) ? p->mem : NULL;
+ m = p->m;
+ mem = NULL;
 inp = p->inp;
- ifp = p->ifp;
+ ifp = p->oif;
 /* Initialize IP pointer corresponding to addr_type */
- ipp = (p->flags & IPFW_ARGS_IP4) ?
- (p->flags & IPFW_ARGS_LENMASK) ? (struct ip *)p->mem :
- (p->m != NULL) ? (struct ip *)p->m->m_data : NULL : NULL;
- ip6p = (p->flags & IPFW_ARGS_IP6) ?
- (p->flags & IPFW_ARGS_LENMASK) ? (struct ip6_hdr *)p->mem :
- (p->m != NULL) ? (struct ip6_hdr *)p->m->m_data : NULL : NULL;
+ ipp = (p->m != NULL) ? (struct ip *)p->m->m_data : NULL;
+ ip6p = (p->m != NULL) ? (struct ip6_hdr *)p->m->m_data : NULL;
 /* fill f_id fields */
 addr_type = p->f_id.addr_type;
Modified: stable/12/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- stable/12/sys/netpfil/ipfw/ip_fw2.c Tue Nov 10 11:32:01 2020 (r367552)
+++ stable/12/sys/netpfil/ipfw/ip_fw2.c Tue Nov 10 12:13:18 2020 (r367553)
@@ -55,6 +55,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/proc.h>
 #include <sys/rwlock.h>
 #include <sys/rmlock.h>
+#include <sys/sdt.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
@@ -105,6 +106,18 @@ __FBSDID("$FreeBSD$");
 #include <security/mac/mac_framework.h>
 #endif
+#define IPFW_PROBE(probe, arg0, arg1, arg2, arg3, arg4, arg5) \
+ SDT_PROBE6(ipfw, , , probe, arg0, arg1, arg2, arg3, arg4, arg5)
+
+SDT_PROVIDER_DEFINE(ipfw);
+SDT_PROBE_DEFINE6(ipfw, , , rule__matched,
+ "int", /* retval */
+ "int", /* af */
+ "void *", /* src addr */
+ "void *", /* dst addr */
+ "struct ip_fw_args *", /* args */
+ "struct ip_fw *" /* rule */);
+
 /*
 * static variables followed by global ones.
 * All ipfw global variables are here.
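Review bot: In the translator, `ipp` and `ip6p` are now both set from `p->m->m_data` whenever an mbuf is present, so for every packet both pointers are non-NULL and one of them views the header through the wrong struct. The comment directly above still reads "corresponding to addr_type", and a script that tests `ipp != NULL` to pick the address family would decode IPv6 packets as IPv4 and log wrong addresses while debugging a ruleset. Since the translator already reads `p->f_id.addr_type` a few lines below, the two selectors can be gated on it, e.g. `ipp = (p->f_id.addr_type == 4 && p->m != NULL) ? (struct ip *)p->m->m_data : NULL;` with the matching `== 6` form for `ip6p`. This assumes addr_type carries 4/6 and is filled in by the time the probe fires, which should be confirmed on the kernel side. The translator body continues past the end of the hunk.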
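Review bot: The probe definition in the `@@ -105,6 +106,18 @@` hunk types args[2] and args[3] only as `void *`, and the short `/* src addr */` and `/* dst addr */` comments do not say what they point at. Judging from the call site added later in this commit, they point at an IPv4 address object when args[1] is AF_INET and at the f_id IPv6 addresses otherwise, so every consumer has to cast based on args[1]. A block comment above `SDT_PROBE_DEFINE6` stating this would keep script authors from guessing, for example `/* args[2], args[3]: struct in_addr * when args[1] == AF_INET, struct in6_addr * when AF_INET6 */`. The exact types and the byte order of the IPv4 value are declared outside this diff and should be confirmed before the comment is written.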
@@ -3188,6 +3201,13 @@ do { \
 struct ip_fw *rule = chain->map[f_pos];
 /* Update statistics */
 IPFW_INC_RULE_COUNTER(rule, pktlen);
+ IPFW_PROBE(rule__matched, retval,
+ is_ipv4 ? AF_INET : AF_INET6,
+ is_ipv4 ? (uintptr_t)&src_ip :
+ (uintptr_t)&args->f_id.src_ip6,
+ is_ipv4 ? (uintptr_t)&dst_ip :
+ (uintptr_t)&args->f_id.dst_ip6,
+ args, rule);
 } else {
 retval = IP_FW_DENY;
 printf("ipfw: ouch!, skip past end of rules, denying packet\n");
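Review bot: The address-family argument is computed as `is_ipv4 ? AF_INET : AF_INET6`, so any packet that is not IPv4 is reported to the probe as IPv6, with args[2] and args[3] pointing at `args->f_id.src_ip6` and `args->f_id.dst_ip6`. If this path can also be reached for frames that are neither IPv4 nor IPv6 (layer-2 filtering of non-IP traffic, for instance, which the hunk does not show), a DTrace consumer would print meaningless IPv6 addresses for them. If the function also tracks an IPv6 flag, a three-way choice such as `is_ipv4 ? AF_INET : (is_ipv6 ? AF_INET6 : AF_UNSPEC)` would let scripts skip those packets. The name `is_ipv6` is assumed here and should be checked against the enclosing function, which starts and ends outside the hunk.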