Date: Sun, 15 Oct 2023 16:11:39 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Kristof Provost
Cc: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: Re: git: 2cef62886dc7 - main - pf: convert state retrieval to netlink
Message-ID: <20231015201139.zt7mfyss4ua2bkn3@mutt-hbsd>
In-Reply-To: <202310100950.39A9oYuc029996@gitrepo.freebsd.org>
References: <202310100950.39A9oYuc029996@gitrepo.freebsd.org>
X-Operating-System: FreeBSD mutt-hbsd 15.0-CURRENT-HBSD FreeBSD 15.0-CURRENT-HBSD
X-PGP-Key: https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/blob/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
On Tue, Oct 10, 2023 at 09:50:34AM +0000, Kristof Provost wrote:
> The branch main has been updated by kp:
>
> URL: https://cgit.FreeBSD.org/src/commit/?id=2cef62886dc7c33ca01f70ca712845da1e55b470
>
> commit 2cef62886dc7c33ca01f70ca712845da1e55b470
> Author:     Alexander V. Chernikov
> AuthorDate: 2023-09-15 10:06:59 +0000
> Commit:     Kristof Provost
> CommitDate: 2023-10-10 09:48:21 +0000
>
>     pf: convert state retrieval to netlink
>
>     Use netlink to export pf's state table.
>
>     The primary motivation is to improve how we deal with very large state
>     tables. With the previous implementation we had to build the entire
>     list (both in the kernel and in userspace) before we could start
>     processing. With netlink we start to get data in userspace while the
>     kernel is still generating more. This reduces peak memory consumption
>     (which can get to the GB range once we hit millions of states).
>
>     Netlink also makes future extension easier, in that we can easily add
>     fields to the state export without breaking userspace. In that regard
>     it's similar to an nvlist-based approach, except that it also deals
>     with transport to userspace and that it performs significantly better
>     than nvlists. Testing has failed to measure a performance difference
>     between the previous struct-copy based ioctl and the netlink approach.
>
>     Differential Revision: https://reviews.freebsd.org/D38888
> ---
>  include/Makefile          |   3 +-
>  lib/libpfctl/libpfctl.c   | 214 +++++++++++++++++----------------
>  sys/conf/files            |   1 +
>  sys/modules/pf/Makefile   |   2 +-
>  sys/netpfil/pf/pf_ioctl.c |   5 +
>  sys/netpfil/pf/pf_nl.c    | 292 ++++++++++++++++++++++++++++++++++++++++++++++
>  sys/netpfil/pf/pf_nl.h    | 105 +++++++++++++++++
>  7 files changed, 522 insertions(+), 100 deletions(-)
> diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c > index db8f481a1567..42c2aa9bfb01 100644 > --- a/sys/netpfil/pf/pf_ioctl.c > +++ b/sys/netpfil/pf/pf_ioctl.c > @@ -83,6 +83,7 @@ > #include > #include > #include > +#include > #include > =20 > #ifdef INET6 > @@ -6648,6 +6649,8 @@ pf_unload(void) > } > sx_xunlock(&pf_end_lock); > =20 > + pf_nl_unregister(); > + > if (pf_dev !=3D NULL) > destroy_dev(pf_dev); > =20 > @@ -6683,6 +6686,7 @@ pf_modevent(module_t mod, int type, void *data) > switch(type) { > case MOD_LOAD: > error =3D pf_load(); > + pf_nl_register(); > break; > case MOD_UNLOAD: > /* Handled in SYSUNINIT(pf_unload) to ensure it's done after 
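Review bot: in the pf_modevent() MOD_LOAD hunk, `pf_nl_register();` runs unconditionally after `error = pf_load();`, so when pf_load() fails the netlink handlers are still registered for a pf that never came up and nothing on the failure path undoes that; guard the call with `if (error == 0)` (or move it into pf_load() next to the rest of the setup) so registration only happens on a successful load. The matching `pf_nl_unregister()` added in the pf_unload() hunk lives in a different function from the registration, which is worth a short comment so the pairing is obvious to the next reader.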
> @@ -6703,4 +6707,5 @@ static moduledata_t pf_mod =3D { > }; > =20 > DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND); > +MODULE_DEPEND(pf, netlink, 1, 1, 1); > MODULE_VERSION(pf, PF_MODVER);

Hey Kristof,

This causes a hard dependency on the netlink kernel module, which may not be available in some configurations. For safety reasons, HardenedBSD prevents loading of netlink.ko by default. The code is too new and too complex, with already a not-so-nice security history, to be trusted.

A lot (all?) of the other netlink integration code respects the potential unavailability of netlink (or netlink.ko). Would it be possible to do the same in pf?

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
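Review bot: `MODULE_DEPEND(pf, netlink, 1, 1, 1);` makes netlink a hard load-time requirement for pf.ko, and neither the commit message nor the hunk documents that pf now cannot load on a kernel where netlink.ko is unavailable or blocked from loading; either state the new requirement in the commit message, or keep the state-export path able to degrade when netlink is absent, which is the concern raised in the reply.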