| #
defdcdd5 |
| 22-Jul-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: add hybrid 32- an 64- bit counters
Numerous counters got migrated from straight uint64_t to the counter(9)
API. Unfortunately the implementation comes with a significiant
performance hit on some
pf: add hybrid 32- an 64- bit counters
Numerous counters got migrated from straight uint64_t to the counter(9)
API. Unfortunately the implementation comes with a significiant
performance hit on some platforms and cannot be easily fixed.
Work around the problem by implementing a pf-specific variant.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
show more ...
|
| #
d9cc6ea2 |
| 23-Jul-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: hide struct pf_kstatus behind ifdef _KERNEL
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
32271c4d |
| 20-Jul-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: clean up syncookie callout on vnet shutdown
Ensure that we cancel any outstanding callouts for syncookies when we
terminate the vnet.
MFC after: 1 week
Sponsored by: Modirum MDPay
|
| #
907257d6 |
| 19-Jul-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: embed a pointer to the lock in struct pf_kstate
This shaves calculation which in particular helps on arm.
Note using the & hack instead would still be more work.
Reviewed by: kp
Sponsored by:
pf: embed a pointer to the lock in struct pf_kstate
This shaves calculation which in particular helps on arm.
Note using the & hack instead would still be more work.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
show more ...
|
| #
231e83d3 |
| 26-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: syncookie ioctl interface
Kernel side implementation to allow switching between on and off modes,
and allow this configuration to be retrieved.
MFC after: 1 week
Sponsored by: Modirum MDPay
Dif
pf: syncookie ioctl interface
Kernel side implementation to allow switching between on and off modes,
and allow this configuration to be retrieved.
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31139
show more ...
|
| #
8e1864ed |
| 20-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: syncookie support
Import OpenBSD's syncookie support for pf. This feature help pf resist
TCP SYN floods by only creating states once the remote host completes
the TCP handshake rather than when
pf: syncookie support
Import OpenBSD's syncookie support for pf. This feature help pf resist
TCP SYN floods by only creating states once the remote host completes
the TCP handshake rather than when the initial SYN packet is received.
This is accomplished by using the initial sequence numbers to encode a
cookie (hence the name) in the SYN+ACK response and verifying this on
receipt of the client ACK.
Reviewed by: kbowling
Obtained from: OpenBSD
MFC after: 1 week
Sponsored by: Modirum MDPay
Differential Revision: https://reviews.freebsd.org/D31138
show more ...
|
| #
9009d36a |
| 19-Jul-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: shrink struct pf_kstate
Makes room for a pointer.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
f9aa757d |
| 19-Jul-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: add a comment to pf_kstate concerning compat with pf_state_cmp
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
ef950daa |
| 02-Mar-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: match keyword support
Support the 'match' keyword.
Note that support is limited to adding queuing information, so without
ALTQ support in the kernel setting match rules is pointless.
For the av
pf: match keyword support
Support the 'match' keyword.
Note that support is limited to adding queuing information, so without
ALTQ support in the kernel setting match rules is pointless.
For the avoidance of doubt: this is NOT full support for the match
keyword as found in OpenBSD's pf. That could potentially be built on top
of this, but this commit is NOT that.
MFC after: 2 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31115
show more ...
|
| #
c6bf20a2 |
| 06-Jul-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: add DIOCGETSTATESV2
Add a new version of the DIOCGETSTATES call, which extends the struct to
include the original interface information.
MFC after: 1 week
Sponsored by: Rubicon Communications,
pf: add DIOCGETSTATESV2
Add a new version of the DIOCGETSTATES call, which extends the struct to
include the original interface information.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31097
show more ...
|
| #
19d6e29b |
| 08-Jul-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: add pf_find_state_all_exists
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
211cddf9 |
| 06-Jul-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: rename pf_state to pf_kstate
Indicate that this is a kernel-only structure, and make it easier to
distinguish from others used to communicate with userspace.
Reviewed by: mjg
MFC after: 1 week
pf: rename pf_state to pf_kstate
Indicate that this is a kernel-only structure, and make it easier to
distinguish from others used to communicate with userspace.
Reviewed by: mjg
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D31096
show more ...
|
| #
f649cff5 |
| 05-Jul-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: padalign global locks found in pf.c
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
dc1ab04e |
| 02-Jul-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: allow table stats clearing and reading with ruleset rlock
Instead serialize against these operations with a dedicated lock.
Prior to the change, When pushing 17 mln pps of traffic, calling
DIOC
pf: allow table stats clearing and reading with ruleset rlock
Instead serialize against these operations with a dedicated lock.
Prior to the change, When pushing 17 mln pps of traffic, calling
DIOCRGETTSTATS in a loop would restrict throughput to about 7 mln. With
the change there is no slowdown.
Reviewed by: kp (previous version)
Sponsored by: Rubicon Communications, LLC ("Netgate")
show more ...
|
| #
f92c21a2 |
| 02-Jul-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: depessimize table handling
Creating tables and zeroing their counters induces excessive IPIs (14
per table), which in turns kills single- and multi-threaded performance.
Work around the problem
pf: depessimize table handling
Creating tables and zeroing their counters induces excessive IPIs (14
per table), which in turns kills single- and multi-threaded performance.
Work around the problem by extending per-CPU counters with a general
counter populated on "zeroing" requests -- it stores the currently found
sum. Then requests to report the current value are the sum of per-CPU
counters subtracted by the saved value.
Sample timings when loading a config with 100k tables on a 104-way box:
stock:
pfctl -f tables100000.conf 0.39s user 69.37s system 99% cpu 1:09.76 total
pfctl -f tables100000.conf 0.40s user 68.14s system 99% cpu 1:08.54 total
patched:
pfctl -f tables100000.conf 0.35s user 6.41s system 99% cpu 6.771 total
pfctl -f tables100000.conf 0.48s user 6.47s system 99% cpu 6.949 total
Reviewed by: kp (previous version)
Sponsored by: Rubicon Communications, LLC ("Netgate")
show more ...
|
| #
55cc305d |
| 28-Jun-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: revert: Use counter(9) for pf_state byte/packet tracking
stats are not shared and consequently per-CPU counters only waste
memory.
No slowdown was measured when passing over 20M pps.
Reviewed
pf: revert: Use counter(9) for pf_state byte/packet tracking
stats are not shared and consequently per-CPU counters only waste
memory.
No slowdown was measured when passing over 20M pps.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
show more ...
|
| #
803dfe3d |
| 28-Jun-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: deduplicate V_pf_state_z handling with pfsync
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
e6dd0e2e |
| 28-Jun-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: assert that sizeof(struct pf_state) <= 312
To prevent accidentally going over a threshold which makes UMA fit only
12 objects per page instead of 13.
Reviewed by: kp
Sponsored by: Rubicon Commu
pf: assert that sizeof(struct pf_state) <= 312
To prevent accidentally going over a threshold which makes UMA fit only
12 objects per page instead of 13.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
show more ...
|
| #
d09388d0 |
| 28-Jun-2021 |
Mateusz Guzik <mjg@FreeBSD.org> |
pf: add pf_release_staten and use it in pf_unlink_state
Saves one atomic op.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
|
| #
d38630f6 |
| 04-Jun-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: store L4 headers in pf_pdesc
Rather than pointers to the headers store full copies. This brings us
slightly closer to what OpenBSD does, and also makes more sense than
storing pointers to stack
pf: store L4 headers in pf_pdesc
Rather than pointers to the headers store full copies. This brings us
slightly closer to what OpenBSD does, and also makes more sense than
storing pointers to stack variable copies of the headers.
Reviewed by: donner, scottl
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30719
show more ...
|
| #
ec7b47fc |
| 31-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Move provider declaration to pf.h
This simplifies life a bit, by not requiring us to repease the
declaration for every file where we want static probe points.
It also makes the gcc6 build happy.
|
| #
d0fdf2b2 |
| 12-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Track the original kif for floating states
Track (and display) the interface that created a state, even if it's a
floating state (and thus uses virtual interface 'all').
MFC after: 1 week
Spons
pf: Track the original kif for floating states
Track (and display) the interface that created a state, even if it's a
floating state (and thus uses virtual interface 'all').
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30245
show more ...
|
| #
0592a4c8 |
| 05-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Add DIOCGETSTATESNV
Add DIOCGETSTATESNV, an nvlist-based alternative to DIOCGETSTATES.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: http
pf: Add DIOCGETSTATESNV
Add DIOCGETSTATESNV, an nvlist-based alternative to DIOCGETSTATES.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30243
show more ...
|
| #
1732afaa |
| 05-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Add DIOCGETSTATENV
Add DIOCGETSTATENV, an nvlist-based alternative to DIOCGETSTATE.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://review
pf: Add DIOCGETSTATENV
Add DIOCGETSTATENV, an nvlist-based alternative to DIOCGETSTATE.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30242
show more ...
|
| #
93abcf17 |
| 03-May-2021 |
Kristof Provost <kp@FreeBSD.org> |
pf: Support killing 'matching' states
Optionally also kill states that match (i.e. are the NATed state or
opposite direction state entry for) the state we're killing.
See also https://redmine.pfsen
pf: Support killing 'matching' states
Optionally also kill states that match (i.e. are the NATed state or
opposite direction state entry for) the state we're killing.
See also https://redmine.pfsense.org/issues/8555
Submitted by: Steven Brown
Reviewed by: bcr (man page)
Obtained from: https://github.com/pfsense/FreeBSD-src/pull/11/
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30092
show more ...
|