DragonFly BSD
DragonFly kernel List (threaded) for 2010-12

Re: More pf work


From: Jan Lentfer <Jan.Lentfer@xxxxxx>
Date: Fri, 17 Dec 2010 23:02:18 +0100

On 16.12.2010 20:49, Jan Lentfer wrote:
I updated my branch again. This is something that actually does work to
a certain degree, pfctl is updated also, I tested nat, rdr, filtering
and altq with fairq.

http://gitweb.dragonflybsd.org/~lentferj/dragonfly.git/shortlog/refs/heads/pf44


I do still get a reproducible panic after running it on my router for about 5 minutes:

This panic is now fixed thanks to the support of Alex Hornung. I have also fixed a problem with NAT'ed UDP packets. I have this running on my own DSL router now, including filtering, redirection, NAT and queuing (ALTQ w/ fairq). All seems to work fine so far, so I would say this is due for public testing.


Be warned that you need to compile PF into the kernel at the moment. The module does not work atm. So, if you are running pf as a module and want to test this, please add

device          pf
device          pfsync
device          pflog

to your kernel config and recompile the kernel after fetching my branch.

The problem with kernel building I have is this:

With 4.4, OpenBSD made pf depend directly on if_pfsync.c.

In pf_ioctl.c:


        case DIOCGETSTATES: {
                struct pfioc_states     *ps = (struct pfioc_states *)addr;
                struct pf_state         *state;
                struct pfsync_state     *p, *pstore;
                u_int32_t                nr = 0;

                /* ps_len == 0 is a size query: report how many bytes are needed. */
                if (ps->ps_len == 0) {
                        nr = pf_status.states;
                        ps->ps_len = sizeof(struct pfsync_state) * nr;
                        break;
                }

                pstore = kmalloc(sizeof(*pstore), M_TEMP, M_WAITOK);

                p = ps->ps_states;

                state = TAILQ_FIRST(&state_list);
                while (state) {
                        if (state->timeout != PFTM_UNLINKED) {
                                /* Stop before overrunning the caller's buffer. */
                                if ((nr+1) * sizeof(*p) > (unsigned)ps->ps_len)
                                        break;
                                /* Exported via if_pfsync.c, hence the dependency. */
                                pfsync_state_export(pstore, state);
                                error = copyout(pstore, p, sizeof(*p));
                                if (error) {
                                        kfree(pstore, M_TEMP);
                                        goto fail;
                                }
                                p++;
                                nr++;
                        }
                        state = TAILQ_NEXT(state, entry_list);
                }

                /* Report the bytes actually copied out. */
                ps->ps_len = sizeof(struct pfsync_state) * nr;

                kfree(pstore, M_TEMP);
                break;
        }


pfsync_state_export() is a function from if_pfsync.c. So it only works if I


1) put pfsync_state_export() in #ifdef NPFSYNC .. #endif
This leads to being able to compile pf.ko w/o pfsync but pfctl -s state shows garbled shit, because DIOCGETSTATES isn't actually giving any useful data (there was a patch like that in OpenBSD sources that they reverted again).


2) enable device pfsync in GENERIC Kernel Configs so it is available by default

3) enable, build and link if_pfsync.c with pf.ko by default
This seems to work fine, except that I always get a panic on kldunload in modevent() of if_pfsync.c.



Any suggestions on this?


Jan
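A user-space mock of the two-call DIOCGETSTATES protocol quoted in the mail above, added here as an example and not taken from the mail or the pf sources. The struct layouts, the state list, pf_status.states and pfsync_state_export() are all simplified stand-ins (assumptions) so the kernel-side loop and the pfctl-style caller can be compiled and exercised without pf.

```c
/* Added example, not from this mail or the pf sources: a user-space mock of the
 * two-call DIOCGETSTATES protocol shown in the mail. pf's structs, the global
 * state list and pfsync_state_export() are replaced by mock stand-ins. */
#include <stdlib.h>
#include <string.h>

#define PFTM_UNLINKED 0x7f                    /* mock sentinel for an unlinked state */
struct pfsync_state { unsigned id, timeout; };                         /* mock */
struct pf_state { unsigned id, timeout; struct pf_state *next; };      /* mock */
struct pfioc_states { int ps_len; struct pfsync_state *ps_states; };   /* mock */
static struct pf_state *state_list;           /* mock of pf's global state TAILQ */
static unsigned pf_status_states;             /* mock of pf_status.states */

/* Mock of pfsync_state_export() from if_pfsync.c, the symbol pf.ko depends on. */
static void pfsync_state_export(struct pfsync_state *sp, const struct pf_state *st)
{ sp->id = st->id; sp->timeout = st->timeout; }

void add_state(unsigned id, unsigned timeout)  /* helper: prepend a mock state */
{
    struct pf_state *st = calloc(1, sizeof(*st));
    st->id = id; st->timeout = timeout; st->next = state_list; state_list = st;
    if (timeout != PFTM_UNLINKED) pf_status_states++;
}

/* Kernel side: the bounded DIOCGETSTATES loop, with copyout() replaced by memcpy(). */
int dioc_getstates(struct pfioc_states *ps)
{
    struct pfsync_state *p = ps->ps_states, pstore; unsigned nr = 0;
    if (ps->ps_len == 0) {                    /* size query: report the bytes needed */
        ps->ps_len = sizeof(struct pfsync_state) * pf_status_states; return 0; }
    for (const struct pf_state *st = state_list; st != NULL; st = st->next) {
        if (st->timeout == PFTM_UNLINKED) continue;
        if ((nr + 1) * sizeof(*p) > (unsigned)ps->ps_len) break;  /* never overrun the caller's buffer */
        pfsync_state_export(&pstore, st);
        memcpy(p++, &pstore, sizeof(pstore)); nr++;
    }
    ps->ps_len = sizeof(struct pfsync_state) * nr;  /* bytes actually filled, may be fewer than asked */
    return 0;
}

/* User side, as pfctl -s state does it: query the size, allocate, fetch. Returns count or -1. */
int fetch_states(struct pfsync_state **out)
{
    struct pfioc_states ps = { 0, NULL }; *out = NULL;
    if (dioc_getstates(&ps) != 0 || ps.ps_len == 0) return 0;
    if ((ps.ps_states = malloc(ps.ps_len)) == NULL) return -1;
    if (dioc_getstates(&ps) != 0) { free(ps.ps_states); return -1; }
    *out = ps.ps_states;
    return ps.ps_len / (int)sizeof(struct pfsync_state);  /* trust the second ps_len, not the first */
}
```

Note that the caller must size its result by the ps_len returned from the second call, since the kernel truncates at the buffer length it was given and unlinked states are skipped.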