From nobody Sun Jan 09 00:44:02 2022
Date: Sun, 9 Jan 2022 00:44:02 GMT
Message-Id: <202201090044.2090i2gV047491@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Cy Schubert
Subject: git: 3145d2ebc4f3 - stable/13 - ipfilter: Make LARGE_NAT a tunable.
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: cy
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 3145d2ebc4f3772e14829eea3d0365f291cac70d

The branch stable/13 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=3145d2ebc4f3772e14829eea3d0365f291cac70d

commit
3145d2ebc4f3772e14829eea3d0365f291cac70d
Author: Cy Schubert
AuthorDate: 2021-02-16 15:44:07 +0000
Commit: Cy Schubert
CommitDate: 2022-01-09 00:43:38 +0000

ipfilter: Make LARGE_NAT a tunable.

LARGE_NAT is a C macro that increases NAT_SIZE from 127 to 2047, RDR_SIZE from 127 to 2047, HOSTMAP_SIZE from 2047 to 8191, NAT_TABLE_MAX from 30000 to 180000, and NAT_TABLE_SZ from 2047 to 16383. These values can be altered at runtime using the ipf -T command; however, some administrators of large firewalls rebuild the kernel to enable LARGE_NAT at boot.

This revision adds the tunable net.inet.ipf.large_nat which allows an administrator to set this option at boot instead of build time. Setting the LARGE_NAT macro to 1 is unaffected, allowing build-time users to continue using the old way.

(cherry picked from commit a805ffbcbce85872e71d825fd405a4a30e2ab4bc)

--- sys/contrib/ipfilter/netinet/fil.c | 5 +++ sys/contrib/ipfilter/netinet/ip_fil.h | 2 + sys/contrib/ipfilter/netinet/ip_fil_freebsd.c | 7 ++++ sys/contrib/ipfilter/netinet/ip_nat.c | 28 +++++++------ sys/contrib/ipfilter/netinet/ip_nat.h | 60 +++++++++++++-------------- sys/contrib/ipfilter/netinet/mlfk_ipl.c | 7 +++- 6 files changed, 65 insertions(+), 44 deletions(-) diff --git a/sys/contrib/ipfilter/netinet/fil.c b/sys/contrib/ipfilter/netinet/fil.c index 701cde740359..36fab549ae43 100644 --- a/sys/contrib/ipfilter/netinet/fil.c +++ b/sys/contrib/ipfilter/netinet/fil.c @@ -9330,6 +9330,11 @@ ipf_main_soft_create(arg) softc->ipf_icmpminfragmtu = 68; softc->ipf_flags = IPF_LOGGING; +#ifdef LARGE_NAT + softc->ipf_large_nat = 1; +#endif + ipf_fbsd_kenv_get(softc); + return softc; } diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h index be8e023ac0ba..a01bd28e7270 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil.h +++ b/sys/contrib/ipfilter/netinet/ip_fil.h 
@@ -1551,6 +1551,7 @@ typedef struct ipf_main_softc_s { u_int ipf_icmptimeout; u_int ipf_icmpacktimeout; u_int ipf_iptimeout; + u_int ipf_large_nat; u_long ipf_ticks; u_long ipf_userifqs; u_long ipf_rb_no_mem; @@ -1657,6 +1658,7 @@ extern int ipf_pfil_hook(void); extern int ipf_pfil_unhook(void); extern void ipf_event_reg(void); extern void ipf_event_dereg(void); +extern void ipf_fbsd_kenv_get(ipf_main_softc_t *); # endif # if defined(INSTANCES) diff --git a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c index 15381dfcc572..7e0ac4bc2927 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c +++ b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c @@ -1488,3 +1488,10 @@ ipf_pcksum6(m, ip6, off, len) #endif } #endif + +void +ipf_fbsd_kenv_get(ipf_main_softc_t *softc) +{ + TUNABLE_INT_FETCH("net.inet.ipf.large_nat", + &softc->ipf_large_nat); +} diff --git a/sys/contrib/ipfilter/netinet/ip_nat.c b/sys/contrib/ipfilter/netinet/ip_nat.c index 6b48543d6119..0475a4386079 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.c +++ b/sys/contrib/ipfilter/netinet/ip_nat.c 
@@ -321,11 +321,19 @@ ipf_nat_soft_create(softc) softn->ipf_nat_list_tail = &softn->ipf_nat_list; - softn->ipf_nat_table_max = NAT_TABLE_MAX; - softn->ipf_nat_table_sz = NAT_TABLE_SZ; - softn->ipf_nat_maprules_sz = NAT_SIZE; - softn->ipf_nat_rdrrules_sz = RDR_SIZE; - softn->ipf_nat_hostmap_sz = HOSTMAP_SIZE; + if (softc->ipf_large_nat) { + softn->ipf_nat_table_max = NAT_TABLE_MAX_LARGE; + softn->ipf_nat_table_sz = NAT_TABLE_SZ_LARGE; + softn->ipf_nat_maprules_sz = NAT_SIZE_LARGE; + softn->ipf_nat_rdrrules_sz = RDR_SIZE_LARGE; + softn->ipf_nat_hostmap_sz = HOSTMAP_SIZE_LARGE; + } else { + softn->ipf_nat_table_max = NAT_TABLE_MAX_NORMAL; + softn->ipf_nat_table_sz = NAT_TABLE_SZ_NORMAL; + softn->ipf_nat_maprules_sz = NAT_SIZE_NORMAL; + softn->ipf_nat_rdrrules_sz = RDR_SIZE_NORMAL; + softn->ipf_nat_hostmap_sz = HOSTMAP_SIZE_NORMAL; + } softn->ipf_nat_doflush = 0; #ifdef IPFILTER_LOG softn->ipf_nat_logging = 1; @@ -492,10 +500,8 @@ ipf_nat_soft_init(softc, arg) for (i = 0, tq = softn->ipf_nat_tcptq; i < IPF_TCP_NSTATES; i++, tq++) { if (tq->ifq_ttl < softn->ipf_nat_deficmpage) tq->ifq_ttl = softn->ipf_nat_deficmpage; -#ifdef LARGE_NAT - else if (tq->ifq_ttl > softn->ipf_nat_defage) + else if (tq->ifq_ttl > softn->ipf_nat_defage && softc->ipf_large_nat) tq->ifq_ttl = softn->ipf_nat_defage; -#endif } /* @@ -6139,10 +6145,8 @@ ipf_nat_log(softc, softn, nat, action) u_int action; { #ifdef IPFILTER_LOG -# ifndef LARGE_NAT struct ipnat *np; int rulen; -# endif struct natlog natl; void *items[1]; size_t sizes[1]; @@ -6178,8 +6182,7 @@ ipf_nat_log(softc, softn, nat, action) bcopy(nat->nat_ifnames[1], natl.nl_ifnames[1], sizeof(nat->nat_ifnames[1])); -# ifndef LARGE_NAT - if (nat->nat_ptr != NULL) { + if (softc->ipf_large_nat && nat->nat_ptr != NULL) { for (rulen = 0, np = softn->ipf_nat_list; np != NULL; np = np->in_next, rulen++) if (np == nat->nat_ptr) { 
@@ -6187,7 +6190,6 @@ ipf_nat_log(softc, softn, nat, action) break; } } -# endif items[0] = &natl; sizes[0] = sizeof(natl); types[0] = 0; diff --git a/sys/contrib/ipfilter/netinet/ip_nat.h b/sys/contrib/ipfilter/netinet/ip_nat.h index bcec72f21f8b..aac8c326aa05 100644 --- a/sys/contrib/ipfilter/netinet/ip_nat.h +++ b/sys/contrib/ipfilter/netinet/ip_nat.h 
@@ -34,44 +34,44 @@ * appropriate sizes. The figures below were used for * a setup with 1000-2000 networks to NAT. */ -#ifndef NAT_SIZE -# ifdef LARGE_NAT -# define NAT_SIZE 2047 -# else -# define NAT_SIZE 127 -# endif +#ifdef NAT_SIZE +# define NAT_SIZE_LARGE NAT_SIZE +# define NAT_SIZE_NORMAL NAT_SIZE +#else +# define NAT_SIZE_LARGE 2047 +# define NAT_SIZE_NORMAL 127 #endif -#ifndef RDR_SIZE -# ifdef LARGE_NAT -# define RDR_SIZE 2047 -# else -# define RDR_SIZE 127 -# endif +#ifdef RDR_SIZE +# define RDR_SIZE_LARGE RDR_SIZE +# define RDR_SIZE_NORMAL RDR_SIZE +#else +# define RDR_SIZE_LARGE 2047 +# define RDR_SIZE_NORMAL 127 #endif -#ifndef HOSTMAP_SIZE -# ifdef LARGE_NAT -# define HOSTMAP_SIZE 8191 -# else -# define HOSTMAP_SIZE 2047 -# endif +#ifdef HOSTMAP_SIZE +# define HOSTMAP_SIZE_LARGE HOSTMAP_SIZE +# define HOSTMAP_SIZE_NORMAL HOSTMAP_SIZE +#else +# define HOSTMAP_SIZE_LARGE 8191 +# define HOSTMAP_SIZE_NORMAL 2047 #endif -#ifndef NAT_TABLE_MAX /* * This is newly introduced and for the sake of "least surprise", the numbers * present aren't what we'd normally use for creating a proper hash table. */ -# ifdef LARGE_NAT -# define NAT_TABLE_MAX 180000 -# else -# define NAT_TABLE_MAX 30000 -# endif +#ifdef NAT_TABLE_MAX +# define NAT_TABLE_MAX_LARGE NAT_TABLE_MAX +# define NAT_TABLE_MAX_NORMAL NAT_TABLE_MAX +#else +# define NAT_TABLE_MAX_LARGE 180000 +# define NAT_TABLE_MAX_NORMAL 30000 #endif -#ifndef NAT_TABLE_SZ -# ifdef LARGE_NAT -# define NAT_TABLE_SZ 16383 -# else -# define NAT_TABLE_SZ 2047 -# endif +#ifdef NAT_TABLE_SZ +# define NAT_TABLE_SZ_LARGE NAT_TABLE_SZ +# define NAT_TABLE_SZ_NORMAL NAT_TABLE_SZ +#else +# define NAT_TABLE_SZ_LARGE 16383 +# define NAT_TABLE_SZ_NORMAL 2047 #endif #ifndef APR_LABELLEN #define APR_LABELLEN 16 diff --git a/sys/contrib/ipfilter/netinet/mlfk_ipl.c b/sys/contrib/ipfilter/netinet/mlfk_ipl.c index 57b6ce541be9..8d9cb780b9e8 100644 --- a/sys/contrib/ipfilter/netinet/mlfk_ipl.c +++ b/sys/contrib/ipfilter/netinet/mlfk_ipl.c 
@@ -80,6 +80,11 @@ static int ipfread(dev_t, struct uio *, int); static int ipfwrite(dev_t, struct uio *, int); #endif +#ifdef LARGE_NAT +#define IPF_LARGE_NAT 1 +#else +#define IPF_LARGE_NAT 0 +#endif SYSCTL_DECL(_net_inet); #define SYSCTL_IPF(parent, nbr, name, access, ptr, val, descr) \ @@ -132,6 +137,7 @@ SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_running, CTLFLAG_RD, &VNET_NAME(ipfmain.ipf_running), 0, "IPF is running"); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_chksrc, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_chksrc), 0, ""); SYSCTL_IPF(_net_inet_ipf, OID_AUTO, fr_minttl, CTLFLAG_RW, &VNET_NAME(ipfmain.ipf_minttl), 0, ""); +SYSCTL_IPF(_net_inet_ipf, OID_AUTO, large_nat, CTLFLAG_RD, &VNET_NAME(ipfmain.ipf_large_nat), 0, "large_nat"); #define CDEV_MAJOR 79 #include @@ -644,4 +650,3 @@ ipf_fbsd_sysctl_destroy(void) } return 0; } -
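Review bot: the unconditional `ipf_fbsd_kenv_get(softc);` added to `ipf_main_soft_create()` in the fil.c hunk makes platform-independent contrib code depend on a FreeBSD-only helper (its prototype sits next to `ipf_pfil_hook`/`ipf_event_reg` in ip_fil.h and the body lives in ip_fil_freebsd.c); wrap the call in `#ifdef __FreeBSD__` or move it into the FreeBSD attach path so the shared file still builds on other platforms. The commit message should also be more precise than "unaffected": `TUNABLE_INT_FETCH` only writes the field when `net.inet.ipf.large_nat` exists in the kernel environment, so a LARGE_NAT kernel keeps `ipf_large_nat = 1` by default, but an explicit `net.inet.ipf.large_nat=0` in loader.conf now overrides the build-time choice.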
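Review bot: type mismatch in the ip_fil_freebsd.c hunk: `ipf_large_nat` is declared `u_int` in the ip_fil.h hunk, but `TUNABLE_INT_FETCH` expects an `int *`, so `&softc->ipf_large_nat` only compiles quietly because the kernel build passes `-Wno-pointer-sign`. Either declare the field `int` (it is only ever 0 or 1) or fetch into a local `int` and assign it.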
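Review bot: the guard in the `ipf_nat_log()` hunk (around line 6178 of ip_nat.c) is inverted. The removed `# ifndef LARGE_NAT` ran the rule-number lookup loop only when LARGE_NAT was not defined, because walking the whole NAT rule list for every logged event is exactly what the large configuration avoids; the replacement `if (softc->ipf_large_nat && nat->nat_ptr != NULL)` runs the loop only when large_nat is on. It should read `if (!softc->ipf_large_nat && nat->nat_ptr != NULL)` to preserve the original behaviour for both configurations.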
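Review bot: in the tcptq hunk of `ipf_nat_soft_init()`, `else if (tq->ifq_ttl > softn->ipf_nat_defage && softc->ipf_large_nat)` is a faithful translation of the old `#ifdef LARGE_NAT`, but putting the flag test first (`softc->ipf_large_nat && tq->ifq_ttl > ...`) reads more naturally and matches the shape of the other new runtime checks.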
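Review bot: the ip_nat.h hunk silently changes what a pre-defined size macro means. Previously `-DNAT_SIZE=...` (likewise RDR_SIZE, HOSTMAP_SIZE, NAT_TABLE_MAX, NAT_TABLE_SZ) overrode one value; now the `#ifdef NAT_SIZE` branch makes `NAT_SIZE_LARGE` and `NAT_SIZE_NORMAL` identical, so `net.inet.ipf.large_nat` becomes a no-op for that table, and `-DLARGE_NAT` no longer influences these macros at all (it only sets the default of `ipf_large_nat` in fil.c). Add a comment above the first block documenting both points, and consider whether a pre-defined value should override only the NORMAL size so the tunable still does something.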
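Review bot: the `IPF_LARGE_NAT` macro introduced in the mlfk_ipl.c hunk is not referenced anywhere in this diff (fil.c tests `LARGE_NAT` directly when setting the default), so either use it as the initial value of `ipf_large_nat` or drop it to avoid a dead definition. The sysctl description "large_nat" just repeats the OID name; something like "Use LARGE_NAT table sizes (boot-time tunable)" would tell an administrator what the read-only value means. `CTLFLAG_RD` is the right choice, since the sizes are fixed in `ipf_nat_soft_create()` and cannot change after boot.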