svn commit: r241966 - user/andre/tcp_workqueue/sys/net
Ermal Luçi
eri at freebsd.org
Wed Oct 24 12:35:58 UTC 2012
Hello Andre,
I have since forever wanted to merge this but never got to it.
https://github.com/bsdperimeter/pfsense-tools/blob/master/patches/RELENG_9_0/pfil.RELENG_9.diff
This has been used in pfsense quite successfully. It allows reordering
the pfil hooks based on names of registered hooks using sysctl.
On Tue, Oct 23, 2012 at 9:31 PM, Andre Oppermann <andre at freebsd.org> wrote:
> On 23.10.2012 21:26, Andre Oppermann wrote:
>>
>> Author: andre
>> Date: Tue Oct 23 19:26:49 2012
>> New Revision: 241966
>> URL: http://svn.freebsd.org/changeset/base/241966
>>
>> Log:
>> Extend PFIL hooks with explicit hook ordering and reinjecting of
>> packets into the chain after a particular hook.
>>
>> Add pfil_add_hook_order() taking a numerical value between 0-255
>> to specify the relative position of this hook in the list of all
>> hooks. Lower numbers have higher ordering (ie. will run first).
>> Within a particular order value the last added will be the first
>> to run. Three fixed positions are defined:
>> PFIL_ORDER_FIRST 0
>> PFIL_ORDER_DEFAULT 200
>> PFIL_ORDER_LAST 255
>>
>> Previously the order was non-deterministic and dependent on the
>> ordering of the add hook calls. The last added would always
>> become the first to run.
>>
>> Non-ordering aware pfil consumers using the pfil_add_hook() call
>> get PFIL_ORDER_DEFAULT assigned resulting in the previous ordering.
>>
>> The ordering is determined at hookup time by the pfil consumer
>> and no tool for later manual re-ordering is provided. Most well
>> known pfil consumers are expected to have a predetermined preferred
>> position in the order. A tool or sysctl reporting the order of
>> hooked pfil consumers will be provided later.
>>
>> Add pfil_run_inject() taking an opaque cookie value obtained with
>> pfil_get_cookie() after the hook is added. Processing of the hook
>> chain skips all hooks until after the one with the same cookie.
>> The cookie is valid as long as this hook remains hooked. If no
>> cookie is found processing is started with the first hook again.
>> If the cookie is invalid processing of all hooks is effectively
>> skipped.
>>
>> With this pfil hooks consumers can dequeue packets for further
>> processing and later re-inject them with the next hook.
>
>
> Besides the obvious ordering solution to the existing pfil consumers
> my idea is to explore converting most of ether_input/output and IPsec
> processing to pfil hooks. This will need some further definitions
> for the default PFIL_ORDER points but that'll happen when there's
> some practical experimenting with running it.
>
> --
> Andre
>
--
Ermal
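
A user-space model of the ordering and re-injection rules stated in the quoted commit log, added here as an illustration; it is not the committed kernel code. Which filter sees a packet first, and which hooks a re-injected packet bypasses, follow directly from these rules. The `model_*` names, the integer cookies, the hook names, and the reading that cookie 0 means "no cookie" are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>
#define PFIL_ORDER_FIRST   0
#define PFIL_ORDER_DEFAULT 200
#define PFIL_ORDER_LAST    255
#define MAXHOOKS 16
struct hook { const char *name; int order; int cookie; };
static struct hook chain[MAXHOOKS];
static int nhooks, next_cookie = 1;   /* 0 is reserved for "no cookie" */

/* Lower order runs first; within one order value the last added runs first.
 * Returns the hook's cookie, or 0 on a bad order value or a full table. */
static int model_add_hook_order(const char *name, int order)
{
    int i = 0;
    if (nhooks == MAXHOOKS || order < 0 || order > 255)
        return 0;
    while (i < nhooks && chain[i].order < order)
        i++;
    memmove(&chain[i + 1], &chain[i], (nhooks - i) * sizeof chain[0]);
    chain[i] = (struct hook){ name, order, next_cookie };
    nhooks++;
    return next_cookie++;
}

/* Lists the hooks that would run. Cookie 0 starts at the first hook; otherwise all
 * hooks up to and including the cookie's owner are skipped (no match: all skipped). */
static const char *model_run_inject(int cookie, char *out, size_t len)
{
    size_t used = 0;
    int i, armed = (cookie == 0);
    out[0] = '\0';
    for (i = 0; i < nhooks; i++) {
        if (armed && used < len)
            used += snprintf(out + used, len - used, "%s%s", used ? " " : "", chain[i].name);
        else if (chain[i].cookie == cookie)
            armed = 1;
    }
    return out;
}

int main(void)
{
    char buf[128];
    model_add_hook_order("filter_a", PFIL_ORDER_DEFAULT); /* constructed names */
    model_add_hook_order("filter_b", PFIL_ORDER_DEFAULT);
    puts(model_run_inject(0, buf, sizeof buf));
    return 0;
}
```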