ifnet: Make ifnet and ifindex2ifnet MPSAFE

- Access to these two global variables from non-netisr threads uses the ifnet lock. This kind of access is from
- Access to ifindex2ifnet from netisrs is lockless MPSAFE.
- Netisrs no longer access ifnet; instead they access the ifnet array as of this commit, which is lockless MPSAFE.

Rules for accessing ifnet and ifindex2ifnet are commented near the declaration of the related global variables/functions in net/if_var.h.
pf - clear M_HASH in a few more places, cleanups, structure size change!

* Clear the M_HASH flag in a few more places where headers get rewritten.
* bzero the key before populating it. Shouldn't be necessary, but added as a safety for possible future use cases.
* Add more fields to struct pfsync_state. This requires pfvar.h to be reinstalled, and the pf module and the pfctl program to be rebuilt (suggest buildworld + buildkernel). pickup_mode and cpuid added. Also added reserved fields so future additions can be made without changing the structure size again.
* Other minor cleanups.
* WARNING ON RDR, PASS IN / PASS OUT combinations. RDR rules create state on the input path. Further packets on the input path match the RDR state on input, but the *return* packet path will match the RDR state on output. This means that if you have a PASS OUT rule that matches the RDR input path on the output side of the translation, it will also create state, and if you have a PASS IN rule that matches the RDR return packet path, it will also create state on the input path for that packet. PF users must be sure that if such rules exist, they are either specified to not create keep state, use the default keep state (which allows pickups and sloppy tcp tests), or explicitly specify keep state with sloppy tcp tests. This is because these PASS rules will only see one side of the TCP connection, because the RDR state will suck up the other side.
kernel - Fix pf-based NAT

* NAT may not always be able to select a translated addr/port that is compatible with the source addr/port. In this situation return packets from the translated target won't be able to find the state structure. This occurs if static-port is used or if the port range is insufficient for PF to be able to find a hash-compatible addr/port. This also occurs for UDP because the toeplitz hash does not appear to include a port (so there's nothing PF NAT can do to make it hash-compatible).
* In situations where PF believes a translation is not hash-compatible, the pf_state_key will be placed on a global RBTREE instead of the cpu-localized RBTREE. This tree is checked and modified with a separate lock (shared when doing lookups, exclusive when doing adjustments). The nominal pf_find_state*() code will now check the global RBTREE if the state cannot be found in the localized tree.
* Modifications to the pf_state structure are now exclusively locked to handle the case where a state structure might be used by multiple CPUs at the same time. This can only occur for translations such as NAT.
* The TCP code is not allowed to destroy state on connection reuse unless the state is cpu-local. If it is not cpu-local, the TCP code will mark the state for an immediate purge (within the next second).
* Add a TSO flag check to pf_route(), which is called via NAT. Locally originated packets may have been built with TSO. For PF NAT, we can only assume that the target interface will be compatible and allow the packet through (not try to fragment it, which won't work well anyway for TCP packets).
pf - make the bulk of PF concurrent under normal operation

* state and ip fragment tables are now per-cpu.
* packet paths acquire pf_token shared instead of exclusive. Packet processing runs concurrently.
* Any dynamic rules updates will run synchronously for now.
* State expiration from the pfpurge thread runs synchronously for now. More work can be done here.
* ioctl (and also pfsync) paths acquire pf_token exclusively. That is, primarily pfctl commands. This includes rules updates and state scans. More work can be done here.
if: Multiple TX queue support step 1 of many; introduce ifaltq subqueue

Put the plain queue information, e.g. queue header and tail, serializer, packet staging scoreboard and ifnet.if_start schedule netmsg etc., into its own structure (subqueue). The ifaltq structure could have multiple subqueues based on the count that drivers can specify.

A subqueue's enqueue, dequeue, purging and state updating are protected by the subqueue's serializer, so for hardware supporting multiple TX queues, contention on queuing operations could be greatly reduced.

The subqueue is passed to if_start to let the driver know which hardware TX queue to work on. Only the related driver's TX queue serializer will be held, so for hardware supporting multiple TX queues, contention on the driver's TX queue serializer could be greatly reduced.

A bunch of ifsq_-prefixed functions are added, which are used to perform various operations on subqueues. Commonly used ifq_-prefixed functions are still kept, mainly for the drivers which do not support multiple TX queues (well, these functions also ease the netif/ conversion in this step :).

All of the pseudo network devices under sys/net are converted to use the new subqueue operation. netproto/802_11 is converted too. igb(4) is converted to use the new subqueue operation; the rest of the network drivers are only changed for the if_start interface modification.

For ALTQs which have a packet scheduler enabled, only the first subqueue is used (*).

(*) Whether we should utilize multiple TX queues if ALTQ's packet scheduler is enabled is quite questionable, mainly because the hardware's multiple TX queue packet dequeue mechanism could have a negative impact on ALTQ's packet scheduler's decisions.
pf: Update packetfilter to OpenBSD 4.4

* As correct pf function depends directly on pfsync now, compile if_pfsyn.c into pf.ko. pflog is already part of pf.ko.
* Activate pfsync function by default. It's not a kernel option anymore, but pfsync is very unlikely to work. Anyway, our ifconfig is missing all pfsync related options. I will try to make pfsync work again after upgrading to pf from OpenBSD 4.5, as pfsync changes completely then and is not compatible anymore with prior versions.
* Also make the module unloading sane in if_pflog.c

Thanks to Alex Hornung and Aggelos Economopoulos for debugging.