0f9e9ec2 | 13-May-2024 | jsg <jsg@openbsd.org>
remove prototypes with no matching function ok mpi@

740063f5 | 31-Jul-2023 | dlg <dlg@openbsd.org>
don't let pfsync send an insert message for a state pfsync just inserted
sthen@ upgraded and ended up with a lot of pfsync traffic which was mostly made up of the two firewalls telling each other to insert the same state over and over again.
this has each of the paths that insert states (actual pf, ioctls, and pfsync) identify themselves so pfsync can enter them into its own state machine in the right place. when pfsync inserts a state into pf, it knows it should just swallow the state silently without sending out another insert for it.
ok sthen@ sashan@

cc90b7e6 | 06-Jul-2023 | dlg <dlg@openbsd.org>
big update to pfsync to try and clean up locking in particular.
moving pf forward has been a real struggle, and pfsync has been a constant source of pain. we have been papering over the problems for a while now, but it reached the point that it needed a fundamental restructure, which is what this diff is.
the big headliner changes in this diff are:
- pfsync specific locks
this is the whole reason for this diff.
rather than rely on NET_LOCK or KERNEL_LOCK or whatever, pfsync now has its own locks to protect its internal data structures. this is important because pfsync runs a bunch of timeouts and tasks to push pfsync packets out on the wire, or when it's handling requests generated by incoming pfsync packets, both of which happen outside pf itself running. having pfsync specific locks around pfsync data structures makes the mutations of these data structures a lot more explicit and auditable.
- partitioning
to enable future parallelisation of the network stack, this rewrite includes support for pfsync to partition states into different "slices". these slices run independently, ie, the states collected by one slice are serialised into a separate packet to the states collected and serialised by another slice.
states are mapped to pfsync slices based on the pf state hash, which is the same hash that the rest of the network stack and multiq hardware uses.
- no more pfsync called from netisr
pfsync used to be called from netisr to try and bundle packets, but now that there's multiple pfsync slices this doesn't make sense. instead it uses tasks in softnet tqs.
- improved bulk transfer handling
there's shiny new state machines around both the bulk transmit and receive handling. pfsync used to do horrible things to carp demotion counters, but now it is very predictable and returns the counters back where they started.
- better tdb handling
the tdb handling was pretty hairy, but hrvoje has kicked this around a lot with ipsec and sasyncd and we've found and fixed a bunch of issues as a result of that testing.
- mpsafe pf state purges
this was committed previously, but because the locks pfsync relied on weren't clear this just caused a ton of bugs. as part of this diff it's now reliable, and moves a big chunk of work out from under KERNEL_LOCK, which in turn improves the responsiveness and throughput of a firewall even if you're not using pfsync.
there's a bunch of other little changes along the way, but the above are the big ones.
hrvoje has done performance testing with this diff and notes a big improvement when pfsync is not in use. performance when pfsync is enabled is about the same, but I'm hoping the slices mean we can scale along with pf as it improves.
lots (months) of testing by me and hrvoje on pfsync boxes tests and ok sashan@ deraadt@ says this is a good time to put it in

3c2c1cfa | 11-Nov-2022 | dlg <dlg@openbsd.org>
rename pfsync_up() to pfsync_is_up()
foo_up() where foo is a network driver is usually a function that configures and brings an interface up into a running state. this small tweak just makes the code a bit easier for me to read.

e004f9b1 | 06-Nov-2022 | dlg <dlg@openbsd.org>
move pfsync_state_import in if_pfsync.c to pf_state_import in pf.c
this is straightening the deck chairs. the state import and export code are used by both the pf ioctls and pfsync, but the export code is in pf.c and the import code is in if_pfsync. if pfsync was disabled then the ioctl stuff wouldn't link.
moving the import code to pf.c makes it more symmetrical(?) and robust.
tweaks and ok from kn@ sashan@

52ade9e7 | 07-Jul-2021 | sashan <sashan@openbsd.org>
pfsync_undefer() must be called outside of PF_LOCK
OK @bluhm

678831be | 10-Mar-2021 | jsg <jsg@openbsd.org>
spelling
ok gnezdo@ semarie@ mpi@

2d1fcc79 | 04-Feb-2021 | sashan <sashan@openbsd.org>
make if_pfsync.c a better friend with PF_LOCK
The code delivered in this change is currently disabled. Brave souls may enable the code by adding -DWITH_PF_LOCK when building a customized kernel. Big thanks goes to Hrvoje@ for providing test equipment and testing.
As soon as we enter the next release cycle, WITH_PF_LOCK will be defined as the default option for MP kernels.
OK dlg@

ddb22b95 | 11-Sep-2018 | sashan <sashan@openbsd.org>
- moving state lookup outside of PF_LOCK()
this change adds a pf_state_lock rw-lock, which protects consistency of the state table in PF. The code delivered in this change is guarded by 'WITH_PF_LOCK', which is still undefined. People who are willing to experiment and want to run it must do two things:
- compile kernel with -DWITH_PF_LOCK
- bump NET_TASKQ from 1 to ... sky is the limit (just select some sensible value for the number of tasks your system is able to handle)
OK bluhm@

459fa0fe | 14-Apr-2017 | bluhm <bluhm@openbsd.org>
Pass down the address family through the pr_input calls. This allows simplifying code used for both IPv4 and IPv6. OK mikeb@ deraadt@

4a633b67 | 20-Feb-2017 | jca <jca@openbsd.org>
pfsync(4) percpu counters
ok florian@

96be3d96 | 29-Jan-2017 | bluhm <bluhm@openbsd.org>
Change the IPv4 pr_input function to the way IPv6 is implemented, to get rid of struct ip6protosw and some wrapper functions. It is more consistent to have fewer different structures. The divert_input functions cannot be called anyway, so remove them. OK visa@ mpi@

8f50be26 | 25-Jan-2017 | bluhm <bluhm@openbsd.org>
Since raw_input() and route_input() are gone from pr_input, we can make the variable parameters of the protocol input functions fixed. Also add the proto to make it similar to IPv6. OK mpi@ guenther@ millert@

24d7e143 | 20-Jan-2017 | claudio <claudio@openbsd.org>
Stop using pfsockaddr_union outside of pf so that we can remove its usage inside pf later on. pfsync can use the one from ip_ipsp.h and bridge can have its own version for now. OK mpi@ phessler@

377da2e0 | 24-Jan-2015 | deraadt <deraadt@openbsd.org>
Userland (base & ports) was adapted to always include <netinet/in.h> before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be cleaned up next. Some sockaddr_union steps make it into here as well. ok naddy

a0e69eb0 | 24-Oct-2013 | deraadt <deraadt@openbsd.org>
Move obvious kernel prototypes (and structures with kernel pointers, obviously only used in the kernel) behind #ifdef _KERNEL

b277cddf | 29-Jun-2012 | mikeb <mikeb@openbsd.org>
add ESN-related bits missed in the previous commit

6b4cbaf1 | 29-Jun-2012 | mikeb <mikeb@openbsd.org>
Add support for the Extended (64-bit) Sequence Number as defined in RFC4302 and RFC4303. Right now only the software crypto engine is capable of doing it.
Replay check was rewritten to implement the algorithm described in Appendix A of RFC4303 and the window size was increased to 64.
Tested against OpenBSD, Linux (strongswan) and Windows.
No objection from the usual suspects.

715f5bf1 | 29-Nov-2010 | dlg <dlg@openbsd.org>
get rid of struct pfsync_pkt. it was used to store data on the stack to pass to all the submessage handlers, but only the flags part of it was ever used. just pass the flags directly instead.

05d65ec4 | 09-Jul-2010 | reyk <reyk@openbsd.org>
Add support for using IPsec in multiple rdomains.
This allows running isakmpd/iked/ipsecctl in multiple rdomains independently (with "route exec"); the kernel will pick up the rdomain from the process context of the pfkey socket and load the flows and SAs into the matching rdomain encap routing table. The network stack also needs to pass the rdomain to the ipsec stack to look up the correct rdomain that belongs to an interface/mbuf/... You can now run individual IPsec configs per rdomain or create IPsec VPNs between multiple rdomains on the same machine ;). Note that a primary enc(4) in addition to the enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Tested by some people, mostly on existing "rdomain 0" setups. Was in snaps for some days and people didn't complain.
ok claudio@ naddy@

6d841e4a | 12-Jan-2010 | dlg <dlg@openbsd.org>
factor m_pulldown out of the message handlers up into pfsync_input now that it knows how big the messages are.
rework the message handlers to use the pfsync_subheader.len value to iterate over the message regions.
deprecate the EOF subheader since trying to pulldown a 0 byte buffer is fail.
ok mcbride@ sperreault@

4efe3db7 | 10-Jan-2010 | dlg <dlg@openbsd.org>
replace a pad in the pfsync subheader with a length field. it stores the length of its message in dwords. multiply that by the count of the messages to figure out how to skip to the next subheader.
"old" code still thinks the len field is a pad, which it doesn't look at, so new messages with a filled in len are still parsed correctly by "old" code.
input and ok mcbride@ sounds good! Simon Perreault
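An added example, not OpenBSD's own code, of a receiver walking a packet with the length field described above. The subheader layout (action, len in dwords, count in network byte order) and a 20-byte pfsync header are assumed from the commit text; the walker skips len * 4 * count bytes per region and refuses any region that would run past the buffer, which is the check a parser of an untrusted wire format needs.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

#define PFSYNC_HDR_LEN 20	/* version, pad, len, 16-byte pf checksum (assumed) */

struct pfsync_subheader {	/* on-wire layout assumed from the commit text */
	uint8_t  action;
	uint8_t  len;		/* one message's size in dwords (4-byte units) */
	uint16_t count;		/* messages in this region, network byte order */
};
/* Walk the subheaders, skipping len * 4 * count bytes each time. Returns the
 * number of subheaders (and sets *nmsgs), or -1 when a region would overrun
 * the buffer: a truncated or malformed packet is dropped, never read past.
 * len == 0 is what "old" senders put there (a pad), so it is rejected too. */
int pfsync_walk(const uint8_t *pkt, size_t pktlen, size_t *nmsgs) {
	struct pfsync_subheader subh;
	size_t off = PFSYNC_HDR_LEN, msglen, region;
	int nsub = 0;

	*nmsgs = 0;
	if (pktlen < off)
		return -1;
	while (off < pktlen) {
		if (pktlen - off < sizeof(subh))
			return -1;
		memcpy(&subh, pkt + off, sizeof(subh));
		off += sizeof(subh);
		msglen = (size_t)subh.len * 4;
		region = msglen * ntohs(subh.count);
		if (msglen == 0 || region > pktlen - off)
			return -1;
		*nmsgs += ntohs(subh.count);
		off += region;
		nsub++;
	}
	return nsub;
}

/* Constructed sample: zeroed header, {action 1, len 2, count 2} + 16 bytes of
 * messages, then {action 2, len 1, count 1} + 4 bytes: 48 bytes in total. */
size_t sample_nmsgs;
int sample_walk(int drop_last_byte) {
	static const uint8_t sub[] = { 1, 2, 0, 2, 0,0,0,0, 0,0,0,0, 0,0,0,0,
	    0,0,0,0, 2, 1, 0, 1, 0,0,0,0 };
	uint8_t pkt[PFSYNC_HDR_LEN + sizeof(sub)] = { 0 };
	memcpy(pkt + PFSYNC_HDR_LEN, sub, sizeof(sub));
	return pfsync_walk(pkt, sizeof(pkt) - (drop_last_byte ? 1 : 0), &sample_nmsgs);
}
```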

ccb5db17 | 09-Nov-2009 | dlg <dlg@openbsd.org>
bump pfsync protocol version
requested by deraadt@

7d3e2ec5 | 03-Nov-2009 | claudio <claudio@openbsd.org>
rtables are stacked on rdomains (it is possible to have multiple routing tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up. A lot of help by dlg@, tested by sthen@, jsg@ and probably more. OK dlg@, mpf@, deraadt@

f994b649 | 14-Jun-2009 | dlg <dlg@openbsd.org>
enable support for deferring the packet that creates a state so that your sync peers are able to get the states before the replies. previously there was a race where the reply could hit a partner firewall before it had the state for it, which caused the reply to get processed by the ruleset which probably would drop it.
this behaviour is off by default because it does delay packets, which is only wanted in active-active firewalls or when an upstream router is slow to learn that you've moved the active member of the pfsync cluster. it also uses memory keeping the packets in the kernel.
use "ifconfig pfsync0 defer" to enable it, "ifconfig pfsync0 -defer" to disable.
tested by sthen@ who loves it. he's got manpage changes coming up for me.