#
27d00700 |
| 24-Feb-2023 |
riastradh <riastradh@NetBSD.org> |
npf: Eliminate __HAVE_ATOMIC_AS_MEMBAR conditionals.
Discussed on tech-kern: https://mail-index.netbsd.org/tech-kern/2023/02/23/msg028729.html
Requested by rmind@: https://github.com/rmind/npf/pull/127#issuecomment-1399573125
|
#
40c18090 |
| 23-Jan-2023 |
riastradh <riastradh@NetBSD.org> |
npf(9): Drop table lock around copyout.
It is forbidden to hold a spin lock around copyout, and t_lock is a spin lock.
We need t_lock in order to iterate over the list of entries. However, during copyout itself, we only need to ensure that the object we're copying out isn't freed by npf_table_remove or npf_table_gc.
Fortunately, the only caller of npf_table_list, npf_table_remove, and npf_table_gc is npfctl_table, and it serializes all of them by the npf config lock. So we can safely drop t_lock across copyout.
PR kern/57136 PR kern/57181
|
#
975e4bd1 |
| 22-Jan-2023 |
riastradh <riastradh@NetBSD.org> |
npf(9): Another comment tweak to match upstream.
No functional change.
|
#
f164d731 |
| 22-Jan-2023 |
riastradh <riastradh@NetBSD.org> |
npf(9): Use __HAVE_ATOMIC_AS_MEMBAR around refcnt consistently.
|
#
1e11a48f |
| 09-Apr-2022 |
riastradh <riastradh@NetBSD.org> |
sys: Use membar_release/acquire around reference drop.
This just goes through my recent reference count membar audit and changes membar_exit to membar_release and membar_enter to membar_acquire -- this should make everything cheaper on most CPUs without hurting correctness, because membar_acquire is generally cheaper than membar_enter.
|
#
3eb56af6 |
| 12-Mar-2022 |
riastradh <riastradh@NetBSD.org> |
sys: Membar audit around reference count releases.
If two threads are using an object that is freed when the reference count goes to zero, we need to ensure that all memory operations related to the object happen before freeing the object.
Using an atomic_dec_uint_nv(&refcnt) == 0 ensures that only one thread takes responsibility for freeing, but it's not enough to ensure that the other thread's memory operations happen before the freeing.
Consider:
    Thread A                        Thread B
    obj->foo = 42;                  obj->baz = 73;
    mumble(&obj->bar);              grumble(&obj->quux);
    /* membar_exit(); */            /* membar_exit(); */
    atomic_dec -- not last          atomic_dec -- last
                                    /* membar_enter(); */
                                    KASSERT(invariant(obj->foo, obj->bar));
                                    free_stuff(obj);
The memory barriers ensure that
    obj->foo = 42;
    mumble(&obj->bar);
in thread A happens before
    KASSERT(invariant(obj->foo, obj->bar));
    free_stuff(obj);
in thread B. Without them, this ordering is not guaranteed.
So in general it is necessary to do
    membar_exit();
    if (atomic_dec_uint_nv(&obj->refcnt) != 0)
        return;
    membar_enter();
to release a reference, for the `last one out hit the lights' style of reference counting. (This is in contrast to the style where one thread blocks new references and then waits under a lock for existing ones to drain with a condvar -- no membar needed thanks to mutex(9).)
I searched for atomic_dec to find all these. Obviously we ought to have a better abstraction for this because there's so much copypasta. This is a stop-gap measure to fix actual bugs until we have that. It would be nice if an abstraction could gracefully handle the different styles of reference counting in use -- some years ago I drafted an API for this, but making it cover everything got a little out of hand (particularly with struct vnode::v_usecount) and I ended up setting it aside to work on psref/localcount instead for better scalability.
I got bored of adding #ifdef __HAVE_ATOMIC_AS_MEMBAR everywhere, so I only put it on things that look performance-critical on 5sec review. We should really adopt membar_enter_preatomic/membar_exit_postatomic or something (except they are applicable only to atomic r/m/w, not to atomic_load/store_*, making the naming annoying) and get rid of all the ifdefs.
|
#
43ce6352 |
| 25-Jan-2021 |
christos <christos@NetBSD.org> |
s/npf_config_lock/npf->config_lock/ in the comments
|
#
d6939920 |
| 30-May-2020 |
rmind <rmind@NetBSD.org> |
Major NPF improvements (merge from upstream):
- Switch to the C11-style atomic primitives using atomic_loadstore(9).
- npfkern: introduce the 'state.key.interface' and 'state.key.direction' settings. Users can now choose whether the connection state should be strictly per-interface or global at the configuration level. Keep NAT logic to be always per-interface, though.
- npfkern: rewrite the G/C worker logic and make it self-tuning.
- npfkern and libnpf: multiple bug fixes; add param exporting; introduce more parameters. Remove npf_nvlist_{copyin,copyout}() functions and refactor npfctl_load_nvlist() with others; add npfctl_run_op() to have a single entry point for operations. Introduce npf_flow_t and clean up some code.
- npfctl: lots of fixes for the 'npfctl show' logic; make 'npfctl list' more informative; misc usability improvements and more user-friendly error messages.
- Amend and improve the manual pages.
|
#
1065c38d |
| 21-Aug-2019 |
rmind <rmind@NetBSD.org> |
npfkern/libnpf: Add support for the table replace/swap operation. Contributed by Timshel Knoll-Miller.
|
#
7e3fb338 |
| 23-Jul-2019 |
rmind <rmind@NetBSD.org> |
NPF improvements:
- Add support for dynamic NETMAP algorithm (stateful net-to-net).
- Add most of the support for the dynamic NAT rules; a little bit more userland work is needed to finish this up and enable.
- Replace 'stateful-ends' with more permissive 'stateful-all'.
- Add various tunable parameters and document them, see npf-params(7).
- Reduce the memory usage of the connection state table (conndb).
- Portmap rewrite: use memory more efficiently, handle addresses dynamically.
- Bug fix: add splsoftnet()/splx() around the thmap writers and comment.
- npftest: clean up and simplify; fix some memleaks to make ASAN happy.
|
#
1dc50224 |
| 20-Jun-2019 |
christos <christos@NetBSD.org> |
Add error checking for previous memory allocation failure.
|
#
a86782b8 |
| 20-Jun-2019 |
christos <christos@NetBSD.org> |
PR/54314: Frank Kardel: LOCKDEBUG: Mutex error: assert_sleepable,70: spin lock held when loading NPF
|
#
4c02f958 |
| 12-Jun-2019 |
christos <christos@NetBSD.org> |
Avoid LOCKDEBUG pserialize panic by implementing suggestion #1 from
http://mail-index.netbsd.org/current-users/2019/02/24/msg035220.html:
Convert the mutex to spin-lock at IPL_NET (but it is excessive) and convert the memory allocations in that code path to KM_NOSLEEP.
|
#
6f4ca96c |
| 19-Jan-2019 |
rmind <rmind@NetBSD.org> |
Major NPF improvements:
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be selected from a pool of addresses. There are two selection algorithms, "ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
|
#
94550a6d |
| 29-Sep-2018 |
rmind <rmind@NetBSD.org> |
NPF: Major rework -- migrate NPF to the libnv library.
- This conversion significantly simplifies the code and moves NPF to a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the previous versions. Also, different serialisation format means NPF connection/config saving and loading is not compatible with the previous versions either.
Thanks to christos@ for extra testing.
|
#
8ad5ea64 |
| 10-Mar-2017 |
christos <christos@NetBSD.org> |
fix MIN/MAX confusion.
|
#
739852ea |
| 02-Jan-2017 |
rmind <rmind@NetBSD.org> |
NPF: implement dynamic handling of interface addresses (the kernel part).
|
#
0473fe8b |
| 26-Dec-2016 |
christos <christos@NetBSD.org> |
Sync NPF with the version on github: backport standalone NPF changes, which allow us to create and run separate NPF instances. Minor fixes. (from rmind@)
|
#
35b8e76d |
| 09-Dec-2016 |
christos <christos@NetBSD.org> |
This patch ditches the ptree(3) library, because it is broken (you can get missing entries!). Instead, as a temporary solution, we switch to a simple linear scan of the hash tables for the longest-prefix-match (lpm.c lpm.h) algorithm. In fact, with few unique prefixes in the set, on modern hardware this simple algorithm is pretty fast anyway!
|
#
17a35ea0 |
| 20-Apr-2016 |
christos <christos@NetBSD.org> |
/32 and /128 are valid netmasks.
|
#
38a14297 |
| 11-Aug-2014 |
rmind <rmind@NetBSD.org> |
NPF: finish up the rework of npfctl_save() mechanism.
|
#
820aad11 |
| 06-Feb-2014 |
rmind <rmind@NetBSD.org> |
Add support for CDB based NPF tables.
|
#
8175af84 |
| 22-Nov-2013 |
rmind <rmind@NetBSD.org> |
Add npf_tableset_syncdict() to sync the table IDs in the proplib dictionary, as they can change on reload now. Also, fix table name checking in npfctl.
|
#
def81fff |
| 12-Nov-2013 |
rmind <rmind@NetBSD.org> |
NPF: add support for table naming and remove NPF_TABLE_SLOTS (there is just an arbitrary sanity limit of NPF_MAX_TABLES currently set to 128).
Few misc fixes. Bump NPF_VERSION.
|
#
85aa89df |
| 19-May-2013 |
rmind <rmind@NetBSD.org> |
- Add NPF table flushing functionality.
- Fix line numbering for npfctl debug command.
|