| Commit message (Collapse) | Author | Age | Files | Lines |
| |
time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.
This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).
There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.
There is no performance cost on 64-bit (__LP64__) platforms.
With input from visa@, dlg@, and tedu@.
Several bugs squashed by visa@.
ok kettenis@
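The split-read hazard and the generation-based read loop the message describes, as an added example (not OpenBSD code). It models a 64-bit time_t as two 32-bit halves the way a 32-bit CPU without atomic 64-bit loads sees it, with a hypothetical `toy_timehands` whose `th_gen` counter is odd while a writer is mid-update. The names `toy_th_write`, `toy_split_read`, `toy_gen_read` and the `preempt` callback (which stands in for another CPU running between two loads) are assumptions of this example; the kernel's real timehands layout and memory barriers differ.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified timehands: a 64-bit time_t stored as two 32-bit
 * halves plus a generation counter (odd = writer in progress, even = stable). */
struct toy_timehands {
	volatile unsigned int th_gen;
	volatile uint32_t th_sec_lo;
	volatile uint32_t th_sec_hi;
};

/* Simulates another CPU getting to run between two of the reader's loads. */
typedef void (*preempt_fn)(void *arg);

/* Writer side: make gen odd, store both halves, make gen even again. */
void toy_th_write(struct toy_timehands *th, int64_t sec)
{
	th->th_gen++;
	__sync_synchronize();
	th->th_sec_lo = (uint32_t)(uint64_t)sec;
	th->th_sec_hi = (uint32_t)((uint64_t)sec >> 32);
	__sync_synchronize();
	th->th_gen++;
}

static int64_t join(uint32_t hi, uint32_t lo)
{
	return (int64_t)(((uint64_t)hi << 32) | lo);
}

/* What a plain time_second read amounts to on 32-bit: two loads, no protection. */
int64_t toy_split_read(const struct toy_timehands *th, preempt_fn preempt, void *arg)
{
	uint32_t lo = th->th_sec_lo;
	if (preempt != NULL)
		preempt(arg);		/* the writer runs here */
	uint32_t hi = th->th_sec_hi;
	return join(hi, lo);
}

/* gettime(9)-style lockless loop: retry until both halves were read under the
 * same even generation.  *retries counts how often the loop had to repeat. */
int64_t toy_gen_read(const struct toy_timehands *th, preempt_fn preempt, void *arg,
    int *retries)
{
	unsigned int gen;
	uint32_t lo, hi;

	*retries = 0;
	for (;;) {
		gen = th->th_gen;
		__sync_synchronize();
		lo = th->th_sec_lo;
		if (preempt != NULL) {
			preempt(arg);	/* inject the writer once, mid-read */
			preempt = NULL;
		}
		hi = th->th_sec_hi;
		__sync_synchronize();
		if ((gen & 1) == 0 && gen == th->th_gen)
			return join(hi, lo);
		(*retries)++;
	}
}

struct race { struct toy_timehands *th; int64_t next; };

static void writer_fires(void *arg)
{
	struct race *r = arg;
	toy_th_write(r->th, r->next);
}

/* Constructed scenario: the clock steps from 2^32-1 to 2^32 seconds, so both
 * halves change.  The split read returns old low word + new high word. */
int64_t demo_split_read(void)
{
	struct toy_timehands th = { 0, 0, 0 };
	struct race r = { &th, (int64_t)1 << 32 };
	toy_th_write(&th, ((int64_t)1 << 32) - 1);
	return toy_split_read(&th, writer_fires, &r);
}

int64_t demo_gen_read(int *retries)
{
	struct toy_timehands th = { 0, 0, 0 };
	struct race r = { &th, (int64_t)1 << 32 };
	toy_th_write(&th, ((int64_t)1 << 32) - 1);
	return toy_gen_read(&th, writer_fires, &r, retries);
}

int demo_gen_retries(void)
{
	int retries;
	(void)demo_gen_read(&retries);
	return retries;
}

int main(void)
{
	int retries;
	printf("split read: %lld\n", (long long)demo_split_read());
	printf("gen read:   %lld (%d retry)\n", (long long)demo_gen_read(&retries), retries);
	return 0;
}
```

The torn value from `demo_split_read` is 2^33-1, roughly 136 years off; the generation loop pays one retry and returns the consistent 2^32. That retry loop is the 32-bit cost the message refers to, and on an `__LP64__` platform a single 64-bit load makes it unnecessary.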
| |
| |
this follows what's been done for detach and link state hooks, and
makes handling of hooks generally more robust.
address hooks are a bit different to detach/link state hooks in
that there's only a few things that register hooks (carp, pf, vxlan),
but a lot of places to run the hooks (lots of ipv4 and ipv6 address
configuration).
an address hook cookie was in struct pfi_kif, which is part of the
pf abi. rather than break pfctl -sI, this maintains the void * used
for the cookie and uses it to store a task, which is then used as
intended with the new api.
| |
Src-node should use the reference counter since it might live longer
than its table entry, rule or the associated states.
OK sashan
| |
These are just unhelpful case conversions.
OK sashan henning
| |
magic constant to panic() calls.
ok benno@ henning@ tb@
| |
set flags from the group. ok phessler benno
| |
| |
bzero -> memset and (very few) bcopy -> memcpy/memmove
| |
ok henning
| |
ok visa@
| |
rectification.
| |
ok bluhm@
| |
ok bluhm@
| |
| |
| |
the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.
most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.
the manpage and subr_pool.c bits i did myself.
ok tedu@ jmatthew@
@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);
| |
ok phessler@ henning@
| |
the code is refactored so the IFQ macros call newly implemented ifq
functions. the ifq code is split so each discipline (priq and hfsc
in our case) is an opaque set of operations that the common ifq
code can call. the common code does the locking, accounting (ifq_len
manipulation), and freeing of the mbuf if the disciplines enqueue
function rejects it. they're kind of like bufqs in the block layer
with their fifo and nscan disciplines.
the new api also supports atomic switching of disciplines at runtime.
the hfsc setup in pf_ioctl.c has been tweaked to build a complete
hfsc_if structure which it attaches to the send queue in a single
operation, rather than attaching to the interface up front and
building up a list of queues.
the send queue is now mutexed, which raises the expectation that
packets can be enqueued or purged on one cpu while another cpu is
dequeueing them in a driver for transmission. a lot of drivers use
IFQ_POLL to peek at an mbuf and attempt to fit it on the ring before
committing to it with a later IFQ_DEQUEUE operation. if the mbuf
gets freed in between the POLL and DEQUEUE operations, fireworks
will ensue.
to avoid this, the ifq api introduces ifq_deq_begin, ifq_deq_rollback,
and ifq_deq_commit. ifq_deq_begin allows a driver to take the ifq
mutex and get a reference to the mbuf they wish to try and tx. if
there's space, they can ifq_deq_commit it to remove the mbuf and
release the mutex. if there's no space, ifq_deq_rollback simply
releases the mutex. this api was developed to make updating the
drivers using IFQ_POLL easy, instead of having to do significant
semantic changes to avoid POLL that we cannot test on all the
hardware.
the common code has been tested pretty hard, and all the driver
modifications are straightforward except for de(4). if that breaks
it can be dealt with later.
ok mpi@ jmatthew@
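The ifq_deq_begin / ifq_deq_commit / ifq_deq_rollback protocol from the message, as an added example (not OpenBSD code). It models a toy mbuf chain and a toy send queue (`toy_ifq`) whose lock is a plain flag so the example runs single-threaded; a driver start routine (`toy_start`) peeks at the head, commits it if the ring has room and rolls back otherwise, so the mbuf is never freed under the driver between the peek and the dequeue. The descriptor sizing rule (one slot per 1024 bytes) and every `toy_` name are assumptions of this example, not the kernel's API.

```c
#include <stdio.h>
#include <stdlib.h>

struct mbuf {
	struct mbuf *m_nextpkt;
	unsigned int m_len;
};

/* Hypothetical send queue.  ifq_locked stands in for the ifq mutex. */
struct toy_ifq {
	struct mbuf *ifq_head;
	struct mbuf **ifq_tail;
	unsigned int ifq_len;
	int ifq_locked;
};

void toy_ifq_init(struct toy_ifq *ifq)
{
	ifq->ifq_head = NULL;
	ifq->ifq_tail = &ifq->ifq_head;
	ifq->ifq_len = 0;
	ifq->ifq_locked = 0;
}

/* Common-code enqueue: append at the tail and do the ifq_len accounting. */
void toy_ifq_enqueue(struct toy_ifq *ifq, struct mbuf *m)
{
	m->m_nextpkt = NULL;
	*ifq->ifq_tail = m;
	ifq->ifq_tail = &m->m_nextpkt;
	ifq->ifq_len++;
}

/* Take the lock and return the head without removing it.
 * Returns NULL (lock released) when the queue is empty. */
struct mbuf *toy_ifq_deq_begin(struct toy_ifq *ifq)
{
	if (ifq->ifq_locked)
		abort();	/* caller must commit or roll back first */
	ifq->ifq_locked = 1;
	if (ifq->ifq_head == NULL) {
		ifq->ifq_locked = 0;
		return NULL;
	}
	return ifq->ifq_head;
}

/* Ring had space: unlink the mbuf the driver looked at, release the lock. */
void toy_ifq_deq_commit(struct toy_ifq *ifq, struct mbuf *m)
{
	if (!ifq->ifq_locked || ifq->ifq_head != m)
		abort();
	ifq->ifq_head = m->m_nextpkt;
	if (ifq->ifq_head == NULL)
		ifq->ifq_tail = &ifq->ifq_head;
	ifq->ifq_len--;
	ifq->ifq_locked = 0;
}

/* No ring space: the mbuf stays at the head, only the lock is released. */
void toy_ifq_deq_rollback(struct toy_ifq *ifq, struct mbuf *m)
{
	if (!ifq->ifq_locked || ifq->ifq_head != m)
		abort();
	ifq->ifq_locked = 0;
}

/* Driver start routine.  Hypothetical sizing: one descriptor per 1024 bytes.
 * Stops at the first packet that does not fit and leaves it queued (FIFO
 * order is kept).  Returns the number of packets handed to the ring. */
unsigned int toy_start(struct toy_ifq *ifq, unsigned int free_slots)
{
	unsigned int sent = 0;
	struct mbuf *m;

	while ((m = toy_ifq_deq_begin(ifq)) != NULL) {
		unsigned int need = (m->m_len + 1023) / 1024;
		if (need > free_slots) {
			toy_ifq_deq_rollback(ifq, m);
			break;
		}
		toy_ifq_deq_commit(ifq, m);
		free_slots -= need;
		sent++;
		free(m);	/* stands in for handing it to DMA */
	}
	return sent;
}

struct demo_result { unsigned int sent, remaining; int locked_after; };

/* Constructed workload: five packets against a ring with four free slots. */
struct demo_result demo_ifq(void)
{
	static const unsigned int lens[] = { 64, 1500, 3000, 64, 64 };
	struct toy_ifq ifq;
	struct demo_result r;
	struct mbuf *m;
	unsigned int i;

	toy_ifq_init(&ifq);
	for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
		m = malloc(sizeof *m);
		m->m_len = lens[i];
		toy_ifq_enqueue(&ifq, m);
	}
	r.sent = toy_start(&ifq, 4);
	r.remaining = ifq.ifq_len;
	r.locked_after = ifq.ifq_locked;
	while ((m = toy_ifq_deq_begin(&ifq)) != NULL) {	/* purge the rest */
		toy_ifq_deq_commit(&ifq, m);
		free(m);
	}
	return r;
}

int main(void)
{
	struct demo_result r = demo_ifq();
	printf("sent %u, %u left queued, locked=%d\n", r.sent, r.remaining, r.locked_after);
	return 0;
}
```

With four free slots the 64-byte and 1500-byte packets go out (three slots), the 3000-byte packet needs three more and is rolled back, and the two 64-byte packets behind it stay queued even though they would fit: that is the same head-of-line behaviour the IFQ_POLL drivers had, now without the window in which the peeked mbuf could be purged by another CPU.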
| |
If an interface was specified in the packet, only if-bound states
attached to this interface must be purged.
ok mpi, looked at by sasha@
| |
Drop the explicit pool backend allocator here and add PR_WAITOK to the
flags passed to pool_init(9).
The pfi_addr_pl and pf_rule_pl can get used in interrupt context though.
So simply drop the explicit pool backend allocator without adding PR_WAITOK
to the flags passed to pool_init(9).
ok mikeb@
| |
ok mpi@
| |
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
| |
long live the one true internet.
ok henning mikeb
| |
ok mikeb@, krw@, bluhm@, tedu@
| |
| |
| |
after discussions with beck deraadt kettenis.
| |
| |
pfi_kif_get annotates the kif with a flag indicating it is the "any" match
pfi_kif_match obeys that flag
ok benno
| |
OK mikeb@
| |
ok henning
| |
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@
| |
ok bluhm@
| |
Reported by naddy@
| |
structure rather than doing various M_WAITOK allocations during
the *attach() functions, we always rely on them anyway.
ok mikeb@, uebayasi@
| |
| |
lo' must not match a group 'local'. diff from sthen who is not around for a
few days, ok me and mpf. I can't find the mail of the guy who initially
ran into this problem, sorry for that, thanks for reporting!
| |
Feedback from various people, ok henning@
Previously if an interface type (without number), e.g. "set skip on vlan"
or "set skip on em" was used, it would have the undocumented behaviour of
matching any interface of that type.
Now it will only match an interface which is a member of the named group.
This results in some changed behaviour:
If you currently use "set skip" with a physical interface type (e.g.
"set skip on ix") you will need to add the interface to a group of that
name: 'ifconfig ix0 group ix' or add 'group ix' to hostname.ix0.
Interfaces cloned at runtime (e.g. lo, trunk, vlan, pppoe, carp, gif,
mpe and others) default to being in a group named after the interface type,
so for these interfaces there will be no change in behaviour unless you
have deliberately changed groups, e.g. 'ifconfig carp456 -group carp'.
| |
- 'make -Fi' reset ALL the interface statistics
can be restricted with -i ifname
- 'make -Fa -i ifname' fail (it's meaningless)
- get rid of a silly little struct that's only used for one thing
ok henning
| |
definition of DPFPRINTF(), and log priorities from syslog.h. Old debug
levels will still work for now, but will eventually be phased out.
discussed with henning, ok dlg
| |
actions. Allow interfaces to be specified in special table entries for
the routing actions. Lists of addresses can now only be done using tables,
which pfctl will generate automatically from the existing syntax.
Functionally, this deprecates the use of multiple tables or dynamic
interfaces in a single nat or rdr rule.
ok henning dlg claudio
| |
the resized buffer.
From Pawel Jakob Dawidek via Max Laier via Marc Balmer via tech@.
As was the previous commit where I didn't mention Pawel.
'should be olright' henning@
| |
not the other way. At least partial fix for interfaces with >64
aliases. From Max Laier via Marc Balmer.
'seems right' sthen@ ok markus@
| |
transactional, closing PRs 4941 and 5910. Minor flag day, requires rebuild
of userland tools that use struct pfi_kif.
ok henning deraadt
| |
whether we're called from the interrupt context to the functions
performing allocations.
Looked at by mpf@ and henning@, tested by mpf@ and Antti Harri,
the pr originator.
ok tedu
| |
because it conflicted with the change he did in pf_if.c earlier.
He finally woke up to ok (well, ``yes'', really) this version now.
| |
PR_WAITOK | PR_LIMITFAIL. from discussion with art. ok ryan claudio thib
| |
| |
This prevents a null-deref when empty groups are used in set loginterface.
Fixes PR 5628 as reported by Andreas Bihlmaier.
Bad mpf :(
OK henning@