| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
to this event, adding if_var.h to files that do need it. Also, include
all includes that now are included due to implicit pollution via if_var.h
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
Notes:
svn path=/head/; revision=257176
|
|
|
|
|
|
|
| |
confusion with the pfil_head chain locking macros.
Notes:
svn path=/head/; revision=254774
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The linked list of pfil hooks is changed to "chain" and this term
is applied consistently. The head_list remains with "list" term.
Add KASSERT to vnet_pfil_uninit().
Update and extend comments.
Reviewed by: eri (previous version)
Notes:
svn path=/head/; revision=254773
|
|
|
|
|
|
|
|
|
|
| |
this API, it is only safe for internal use and even the pfil(9)
man page says so in the BUGS section.
Reviewed by: eri
Notes:
svn path=/head/; revision=254771
|
|
|
|
| |
Notes:
svn path=/head/; revision=254770
|
|
|
|
|
|
|
|
|
| |
spelled out occurrences with it.
Reviewed by: eri
Notes:
svn path=/head/; revision=254769
|
|
|
|
| |
Notes:
svn path=/head/; revision=248490
|
|
|
|
|
|
|
|
|
|
|
|
| |
Instead, add protocol specific mbuf flags M_IP_NEXTHOP and
M_IP6_NEXTHOP. Use them to indicate that the mbuf's chain
contains the PACKET_TAG_IPFORWARD tag. And do a tag lookup
only when this flag is set.
Suggested by: andre
Notes:
svn path=/head/; revision=242463
|
|
|
|
|
|
|
|
|
|
|
|
| |
on the related functionality in the runtime via the sysctl variable
net.pfil.forward. It is turned off by default.
Sponsored by: Yandex LLC
Discussed with: net@
MFC after: 2 weeks
Notes:
svn path=/head/; revision=242079
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
filters (ipfw and PF) use the same ruleset with the same lock for both
AF_INET and AF_INET6 there is no need in more fine-grade locking.
However, it is possible to request personal lock by specifying
PFIL_FLAG_PRIVATE_LOCK flag in pfil_head structure (see pfil.9 for
more details).
Export PFIL lock via rw_lock(9)/rm_lock(9)-like API permitting pfil consumers
to use this lock instead of own lock. This help reducing locks on main
traffic path.
pfil_assert() is currently not implemented due to absense of rm_assert().
Waiting for some kind of r234648 to be merged in HEAD.
This change is part of bigger patch reducing routing locking.
Sponsored by: Yandex LLC
Reviewed by: glebius, ae
OK'd by: silence on net@
MFC after: 3 weeks
Notes:
svn path=/head/; revision=241888
|
|
|
|
|
|
|
|
|
| |
bits).
MFC after: 3 days (not VNET bits)
Notes:
svn path=/head/; revision=198233
|
|
|
|
|
|
|
| |
MFC after: 3 days
Notes:
svn path=/head/; revision=198198
|
|
|
|
|
|
|
|
|
|
|
| |
packet filters. ALso allows ipfw to be enabled on on ejail and disabled
on another. In 8.0 it's a global setting.
Sitting aroung in tree waiting to commit for: 2 months
MFC after: 2 months
Notes:
svn path=/head/; revision=197952
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
unregistration, and execution:
- Add some brackets for clarity and trim a bit of vertical whitespace.
- Remove comments that may not contribute to clarity, such as "Lock"
before acquiring a lock and "Get memory" before allocating memory.
- During hook registration, don't drop pfil_list_lock between checking
for a duplicate and registering the hook, as this leaves a race
condition by failing to enforce the "no duplicate hooks" invariant.
- Don't lock the hook during registration, since it's not yet in use.
- Document assumption that hooks will be quiesced before being
unregistered.
- Don't write-lock hooks during removal because they are assumed
quiesced.
- Rename "done" label to "locked_error" to be clear that it's an error
path on the way out of hook execution.
MFC after: pretty soon
Notes:
svn path=/head/; revision=186187
|
|
|
|
|
|
|
|
|
|
|
|
| |
This has the benefit that rmlocks have proper support for reader recursion
(in contrast to rwlock(9) which could potential lead to writer stravation).
It also means a significant performance gain, eventhough only visible in
microbenchmarks at the moment.
Discussed on: -arch, -net
Notes:
svn path=/head/; revision=173904
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
filtering mechanisms to use the new rwlock(9) locking API:
- Drop the variables stored in the phil_head structure which were specific to
conditions and the home rolled read/write locking mechanism.
- Drop some includes which were used for condition variables
- Drop the inline functions, and convert them to macros. Also, move these
macros into pfil.h
- Move pfil list locking macros intp phil.h as well
- Rename ph_busy_count to ph_nhooks. This variable will represent the number
of IN/OUT hooks registered with the pfil head structure
- Define PFIL_HOOKED macro which evaluates to true if there are any
hooks to be ran by pfil_run_hooks
- In the IP/IP6 stacks, change the ph_busy_count comparison to use the new
PFIL_HOOKED macro.
- Drop optimization in pfil_run_hooks which checks to see if there are any
hooks to be ran, and returns if not. This check is already performed by the
IP stacks when they call:
if (!PFIL_HOOKED(ph))
goto skip_hooks;
- Drop in assertion which makes sure that the number of hooks never drops
below 0 for good measure. This in theory should never happen, and if it
does than there are problems somewhere
- Drop special logic around PFIL_WAITOK because rw_wlock(9) does not sleep
- Drop variables which support home rolled read/write locking mechanism from
the IPFW firewall chain structure.
- Swap out the read/write firewall chain lock internal to use the rwlock(9)
API instead of our home rolled version
- Convert the inlined functions to macros
Reviewed by: mlaier, andre, glebius
Thanks to: jhb for the new locking API
Notes:
svn path=/head/; revision=155201
|
|
|
|
|
|
|
|
|
| |
PR: kern/81128
Submitted by: Joost Bekkers
MFC-after: 2 weeks
Notes:
svn path=/head/; revision=146550
|
|
|
|
| |
Notes:
svn path=/head/; revision=139823
|
|
|
|
|
|
|
|
|
|
|
|
| |
We return ENOBUF to indicate the problem, which is an errno that should be
handled well everywhere.
Requested & Submitted by: green
Silently okay'ed by: The rest of the firewall gang
MFC after: 3 days
Notes:
svn path=/head/; revision=136258
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
passing along socket information. This is required to work around a LOR with
the socket code which results in an easy reproducible hard lockup with
debug.mpsafenet=1. This commit does *not* fix the LOR, but enables us to do
so later. The missing piece is to turn the filter locking into a leaf lock
and will follow in a seperate (later) commit.
This will hopefully be MT5'ed in order to fix the problem for RELENG_5 in
forseeable future.
Suggested by: rwatson
A lot of work by: csjp (he'd be even more helpful w/o mentor-reviews ;)
Reviewed by: rwatson, csjp
Tested by: -pf, -ipfw, LINT, csjp and myself
MFC after: 3 days
LOR IDs: 14 - 17 (not fixed yet)
Notes:
svn path=/head/; revision=135920
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A thread must hold mp while calling cv_signal(), cv_broadcast(), or
cv_broadcastpri() even though it isn't passed as an argument.
and is right with this claim.
While here remove a "\" from the macro -> __inline conversion.
Found by: csjp
MFC after: 4 days
Notes:
svn path=/head/; revision=135588
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
o revamp IPv4+IPv6+bridge usage to match API changes
o remove pfil_head instances from protosw entries (no longer used)
o add locking
o bump FreeBSD version for 3rd party modules
Heavy lifting by: "Max Laier" <max@love2party.net>
Supported by: FreeBSD Foundation
Obtained from: NetBSD (bits of pfil.h and pfil.c)
Notes:
svn path=/head/; revision=120386
|
|
|
|
|
|
|
| |
Approved by: trb
Notes:
svn path=/head/; revision=111119
|
|
|
|
|
|
|
| |
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
Notes:
svn path=/head/; revision=109623
|
|
|
|
| |
Notes:
svn path=/head/; revision=92725
|
|
|
|
|
|
|
|
|
|
| |
fondling implementation details.
Created with: sed(1)
Reviewed by: md5(1)
Notes:
svn path=/head/; revision=71999
|
|
|
|
|
|
|
|
| |
Created with: /usr/bin/sed
Reviewed by: /sbin/md5
Notes:
svn path=/head/; revision=71959
|
|
|
|
| |
Notes:
svn path=/head/; revision=67882
|
|
Notes:
svn path=/head/; revision=60317
|