Re: git: 2cef62886dc7 - main - pf: convert state retrieval to netlink
- In reply to: Shawn Webb : "Re: git: 2cef62886dc7 - main - pf: convert state retrieval to netlink"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 16 Oct 2023 07:37:51 UTC
On 15 Oct 2023, at 22:11, Shawn Webb wrote:
> On Tue, Oct 10, 2023 at 09:50:34AM +0000, Kristof Provost wrote:
>> The branch main has been updated by kp:
>>
>> URL: https://cgit.FreeBSD.org/src/commit/?id=2cef62886dc7c33ca01f70ca712845da1e55b470
>>
>> commit 2cef62886dc7c33ca01f70ca712845da1e55b470
>> Author: Alexander V. Chernikov <melifaro@FreeBSD.org>
>> AuthorDate: 2023-09-15 10:06:59 +0000
>> Commit: Kristof Provost <kp@FreeBSD.org>
>> CommitDate: 2023-10-10 09:48:21 +0000
>>
>> pf: convert state retrieval to netlink
>>
>> Use netlink to export pf's state table.
>>
>> The primary motivation is to improve how we deal with very large state
>> stables. With the previous implementation we had to build the entire
>> list (both in the kernel and in userspace) before we could start
>> processing. With netlink we start to get data in userspace while the
>> kernel is still generating more. This reduces peak memory consumption
>> (which can get to the GB range once we hit millions of states).
>>
>> Netlink also makes future extension easier, in that we can easily add
>> fields to the state export without breaking userspace. In that regard
>> it's similar to an nvlist-based approach, except that it also deals
>> with transport to userspace and that it performs significantly better
>> than nvlists. Testing has failed to measure a performance difference
>> between the previous struct-copy based ioctl and the netlink approach.
>>
>> Differential Revision: https://reviews.freebsd.org/D38888
>> ---
>> include/Makefile | 3 +-
>> lib/libpfctl/libpfctl.c | 214 +++++++++++++++++----------------
>> sys/conf/files | 1 +
>> sys/modules/pf/Makefile | 2 +-
>> sys/netpfil/pf/pf_ioctl.c | 5 +
>> sys/netpfil/pf/pf_nl.c | 292 ++++++++++++++++++++++++++++++++++++++++++++++
>> sys/netpfil/pf/pf_nl.h | 105 +++++++++++++++++
>> 7 files changed, 522 insertions(+), 100 deletions(-)
>
>> diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
>> index db8f481a1567..42c2aa9bfb01 100644
>> --- a/sys/netpfil/pf/pf_ioctl.c
>> +++ b/sys/netpfil/pf/pf_ioctl.c
>> @@ -83,6 +83,7 @@
>> #include <netinet/ip_var.h>
>> #include <netinet6/ip6_var.h>
>> #include <netinet/ip_icmp.h>
>> +#include <netpfil/pf/pf_nl.h>
>> #include <netpfil/pf/pf_nv.h>
>>
>> #ifdef INET6
>> @@ -6648,6 +6649,8 @@ pf_unload(void)
>> }
>> sx_xunlock(&pf_end_lock);
>>
>> + pf_nl_unregister();
>> +
>> if (pf_dev != NULL)
>> destroy_dev(pf_dev);
>>
>> @@ -6683,6 +6686,7 @@ pf_modevent(module_t mod, int type, void *data)
>> switch(type) {
>> case MOD_LOAD:
>> error = pf_load();
>> + pf_nl_register();
>> break;
>> case MOD_UNLOAD:
>> /* Handled in SYSUNINIT(pf_unload) to ensure it's done after
>> @@ -6703,4 +6707,5 @@ static moduledata_t pf_mod = {
>> };
>>
>> DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND);
>> +MODULE_DEPEND(pf, netlink, 1, 1, 1);
>> MODULE_VERSION(pf, PF_MODVER);
>
> Hey Kristof,
>
> This causes a hard dependency on the netlink kernel module, which may
> not be available in some configurations.
>
> For safety reasons, HardenedBSD prevents loading of netlink.ko by
> default. The code is too new and too complex, with already a
> not-so-nice security history, to be trusted.
>
> A lot (all?) of the other netlink integration code respects the
> potential unavailability of netlink (or netlink.ko). Would it be
> possible to do the same in pf?
>
No.
I’m not maintaining multiple configuration paths for pf. There’s currently fallback paths to support old binaries, but I intend to remove that code as soon as possible. Having configuration paths that are untested, practically untestable and unmaintained is not a situation we want to maintain either.
Kristof