Required modification for round robin napt with ip address prefixes
Steven Crangle
Steven at stream-technologies.com
Wed Mar 14 17:30:07 UTC 2018
Hi,
I was looking for some advice on the type of locking required to stop a box panicking that utilises both napt and ip address prefixes.
My colleague made a post a while ago, and we ended up getting distracted fixing other panics that showed up. But we've now returned to try and figure out the issue.
The relevant code is in pf_lb.c : 424
Currently, I've tried adding a PF_RULES_WLOCK() around the sections of code in the round robin code path that call pfr_pool_get(). In order to do this I had to add in a few macros so that I could upgrade the already-held read lock to a write lock. I then wasn't sure whether to return (1), or keep trying to obtain the write lock. The latter results in a crashed box (guessing it could never obtain the lock), and I'm unsure of the implications of returning a failure code so frequently from that code path; I'd imagine it would result in napt not working correctly.
The second solution suggested the use of atomics, which I'm going to try next. I just wanted to confirm that the correct area to look at would be within pfr_pool_get()? I can see that pidx is being modified within there, and counter also seems to be being used.
I also might well be looking in completely the wrong direction!
Thanks for any help
Steven
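
The atomics approach mentioned in the message, as an added userspace example that is not from the post and is not pf code: a round-robin index that callers holding only a shared (read) lock can advance without upgrading to a write lock. The names rr_pool and rr_pool_next are hypothetical, C11 atomics stand in for the kernel's atomic(9) primitives, and the example covers only a single index, not the separate address counter the message refers to.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a round-robin pool; not a pf structure. */
struct rr_pool {
    size_t naddrs;          /* assumed to change only under the write lock */
    _Atomic size_t cursor;  /* next index to hand out; advanced by readers */
};

/*
 * Claim the next index. Callers are assumed to hold only the shared (read)
 * lock, so several may be in here at once. Returns 0 and stores the claimed
 * index in *idx, or returns 1 if the pool is empty.
 */
static int rr_pool_next(struct rr_pool *p, size_t *idx)
{
    size_t seen, claimed, next;

    if (p->naddrs == 0)
        return 1;
    seen = atomic_load_explicit(&p->cursor, memory_order_relaxed);
    do {
        claimed = seen % p->naddrs;         /* stay in range if the pool shrank */
        next = (claimed + 1) % p->naddrs;   /* wrap back to the first address */
        /* If another caller moved the cursor first, the exchange fails,
         * 'seen' is reloaded with the stored value, and the loop retries. */
    } while (!atomic_compare_exchange_weak_explicit(&p->cursor, &seen, next,
        memory_order_relaxed, memory_order_relaxed));
    *idx = claimed;
    return 0;
}

int main(void)
{
    struct rr_pool p = { .naddrs = 3 };    /* constructed sample pool */
    size_t idx;

    atomic_init(&p.cursor, 0);
    for (int i = 0; i < 7; i++)
        if (rr_pool_next(&p, &idx) == 0)
            printf("pick %d -> index %zu\n", i, idx);
    return 0;
}
```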