svn commit: r367553 - in stable/12: share/dtrace sys/netpfil/ipfw
Andrey V. Elsukov
ae at FreeBSD.org
Tue Nov 10 12:13:19 UTC 2020
Author: ae
Date: Tue Nov 10 12:13:18 2020
New Revision: 367553
URL: https://svnweb.freebsd.org/changeset/base/367553
Log:
MFC r366908 (modified for stable/12 KBI):
Add dtrace SDT probe ipfw:::rule-matched.
It helps to reduce complexity with debugging of large ipfw rulesets.
Also define several constants and translators that can be used by
dtrace scripts with this probe.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D26879
Added:
stable/12/share/dtrace/ipfw.d
- copied, changed from r366908, head/share/dtrace/ipfw.d
Modified:
stable/12/share/dtrace/Makefile
stable/12/sys/netpfil/ipfw/ip_fw2.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/share/dtrace/Makefile
==============================================================================
--- stable/12/share/dtrace/Makefile Tue Nov 10 11:32:01 2020 (r367552)
+++ stable/12/share/dtrace/Makefile Tue Nov 10 12:13:18 2020 (r367553)
@@ -21,7 +21,7 @@ SCRIPTS= blocking \
SCRIPTSDIR= ${SHAREDIR}/dtrace
-DSRCS= mbuf.d
+DSRCS= mbuf.d ipfw.d
FILES= ${DSRCS}
FILESDIR= /usr/lib/dtrace
Copied and modified: stable/12/share/dtrace/ipfw.d (from r366908, head/share/dtrace/ipfw.d)
==============================================================================
--- head/share/dtrace/ipfw.d Wed Oct 21 15:01:33 2020 (r366908, copy source)
+++ stable/12/share/dtrace/ipfw.d Tue Nov 10 12:13:18 2020 (r367553)
@@ -68,29 +68,17 @@ inline string ipfw_retcodes[int ret] =
/* ip_fw_args flags */
#pragma D binding "1.0" IPFW_ARGS_ETHER
-inline int IPFW_ARGS_ETHER = 0x00010000; /* valid ethernet header */
+inline int IPFW_ARGS_ETHER = 0x0001; /* valid ethernet header */
#pragma D binding "1.0" IPFW_ARGS_NH4
-inline int IPFW_ARGS_NH4 = 0x00020000; /* IPv4 next hop in hopstore */
+inline int IPFW_ARGS_NH4 = 0x0002; /* IPv4 next hop in hopstore */
#pragma D binding "1.0" IPFW_ARGS_NH6
-inline int IPFW_ARGS_NH6 = 0x00040000; /* IPv6 next hop in hopstore */
+inline int IPFW_ARGS_NH6 = 0x0004; /* IPv6 next hop in hopstore */
#pragma D binding "1.0" IPFW_ARGS_NH4PTR
-inline int IPFW_ARGS_NH4PTR = 0x00080000; /* IPv4 next hop in next_hop */
+inline int IPFW_ARGS_NH4PTR = 0x0008; /* IPv4 next hop in next_hop */
#pragma D binding "1.0" IPFW_ARGS_NH6PTR
-inline int IPFW_ARGS_NH6PTR = 0x00100000; /* IPv6 next hop in next_hop6 */
+inline int IPFW_ARGS_NH6PTR = 0x0010; /* IPv6 next hop in next_hop6 */
#pragma D binding "1.0" IPFW_ARGS_REF
-inline int IPFW_ARGS_REF = 0x00200000; /* valid ipfw_rule_ref */
-#pragma D binding "1.0" IPFW_ARGS_IN
-inline int IPFW_ARGS_IN = 0x00400000; /* called on input */
-#pragma D binding "1.0" IPFW_ARGS_OUT
-inline int IPFW_ARGS_OUT = 0x00800000; /* called on output */
-#pragma D binding "1.0" IPFW_ARGS_IP4
-inline int IPFW_ARGS_IP4 = 0x01000000; /* belongs to v4 ISR */
-#pragma D binding "1.0" IPFW_ARGS_IP6
-inline int IPFW_ARGS_IP6 = 0x02000000; /* belongs to v6 ISR */
-#pragma D binding "1.0" IPFW_ARGS_DROP
-inline int IPFW_ARGS_DROP = 0x04000000; /* drop it (dummynet) */
-#pragma D binding "1.0" IPFW_ARGS_LENMASK
-inline int IPFW_ARGS_LENMASK = 0x0000ffff; /* length of data in *mem */
+inline int IPFW_ARGS_REF = 0x0020; /* valid ipfw_rule_ref */
/* ipfw_rule_ref.info */
#pragma D binding "1.0" IPFW_INFO_MASK
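Review bot: The `IPFW_ARGS_*` values under `/* ip_fw_args flags */` are hand-copied numbers that now differ from head, and nothing in the file says which kernel definitions they must track. `IPFW_ARGS_IN`, `IPFW_ARGS_OUT`, `IPFW_ARGS_IP4`, `IPFW_ARGS_IP6`, `IPFW_ARGS_DROP` and `IPFW_ARGS_LENMASK` are also dropped, so a script written against head's ipfw.d will fail to compile here, or silently test the wrong bit if it hard-coded head's values. I would extend the section comment to something like `/* ip_fw_args flags (stable/12 layout; must match the kernel's ip_fw_args definitions, differs from head) */` so the divergence is visible to script authors.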
@@ -147,17 +135,13 @@ typedef struct ipfw_match_info {
#pragma D binding "1.0" translator
translator ipfw_match_info_t < struct ip_fw_args *p > {
flags = p->flags;
- m = (p->flags & IPFW_ARGS_LENMASK) ? NULL : p->m;
- mem = (p->flags & IPFW_ARGS_LENMASK) ? p->mem : NULL;
+ m = p->m;
+ mem = NULL;
inp = p->inp;
- ifp = p->ifp;
+ ifp = p->oif;
/* Initialize IP pointer corresponding to addr_type */
- ipp = (p->flags & IPFW_ARGS_IP4) ?
- (p->flags & IPFW_ARGS_LENMASK) ? (struct ip *)p->mem :
- (p->m != NULL) ? (struct ip *)p->m->m_data : NULL : NULL;
- ip6p = (p->flags & IPFW_ARGS_IP6) ?
- (p->flags & IPFW_ARGS_LENMASK) ? (struct ip6_hdr *)p->mem :
- (p->m != NULL) ? (struct ip6_hdr *)p->m->m_data : NULL : NULL;
+ ipp = (p->m != NULL) ? (struct ip *)p->m->m_data : NULL;
+ ip6p = (p->m != NULL) ? (struct ip6_hdr *)p->m->m_data : NULL;
/* fill f_id fields */
addr_type = p->f_id.addr_type;
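Review bot: `ipp` and `ip6p` are both set to `p->m->m_data` whenever `p->m` is non-NULL, so the retained comment "Initialize IP pointer corresponding to addr_type" no longer describes the code. A script that tests `ip6p != NULL` to pick the family will read an IPv4 header through `struct ip6_hdr`. Gating each pointer on the family would keep head's semantics, e.g. `ipp = (p->m != NULL && p->f_id.addr_type == 4) ? (struct ip *)p->m->m_data : NULL;` and the same with `== 6` for `ip6p`; the 4/6 encoding of `addr_type` is assumed here and should be confirmed. If that is not wanted, the comment should at least say that consumers must check `addr_type` before dereferencing either pointer. The translator body continues past the end of the hunk.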
Modified: stable/12/sys/netpfil/ipfw/ip_fw2.c
==============================================================================
--- stable/12/sys/netpfil/ipfw/ip_fw2.c Tue Nov 10 11:32:01 2020 (r367552)
+++ stable/12/sys/netpfil/ipfw/ip_fw2.c Tue Nov 10 12:13:18 2020 (r367553)
@@ -55,6 +55,7 @@ __FBSDID("$FreeBSD$");
#include <sys/proc.h>
#include <sys/rwlock.h>
#include <sys/rmlock.h>
+#include <sys/sdt.h>
#include <sys/socket.h>
#include <sys/socketvar.h>
#include <sys/sysctl.h>
@@ -105,6 +106,18 @@ __FBSDID("$FreeBSD$");
#include <security/mac/mac_framework.h>
#endif
+#define IPFW_PROBE(probe, arg0, arg1, arg2, arg3, arg4, arg5) \
+ SDT_PROBE6(ipfw, , , probe, arg0, arg1, arg2, arg3, arg4, arg5)
+
+SDT_PROVIDER_DEFINE(ipfw);
+SDT_PROBE_DEFINE6(ipfw, , , rule__matched,
+ "int", /* retval */
+ "int", /* af */
+ "void *", /* src addr */
+ "void *", /* dst addr */
+ "struct ip_fw_args *", /* args */
+ "struct ip_fw *" /* rule */);
+
/*
* static variables followed by global ones.
* All ipfw global variables are here.
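Review bot: The argument comments on `SDT_PROBE_DEFINE6` name `src addr` and `dst addr` but do not say what the `void *` points at, which a script author needs to know before casting. Judging by the call site later in this commit, the pointee depends on `af`, so the comments could read `/* src addr: in_addr or in6_addr, per af */` and likewise for dst. The type of `src_ip` is not visible here and should be confirmed. The call site passes `uintptr_t` values while the probe declares `"void *"`; a one-line comment on `IPFW_PROBE` noting that would save readers a lookup.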
@@ -3188,6 +3201,13 @@ do { \
struct ip_fw *rule = chain->map[f_pos];
/* Update statistics */
IPFW_INC_RULE_COUNTER(rule, pktlen);
+ IPFW_PROBE(rule__matched, retval,
+ is_ipv4 ? AF_INET : AF_INET6,
+ is_ipv4 ? (uintptr_t)&src_ip :
+ (uintptr_t)&args->f_id.src_ip6,
+ is_ipv4 ? (uintptr_t)&dst_ip :
+ (uintptr_t)&args->f_id.dst_ip6,
+ args, rule);
} else {
retval = IP_FW_DENY;
printf("ipfw: ouch!, skip past end of rules, denying packet\n");
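Review bot: The probe arguments treat every packet that is not IPv4 as IPv6: `is_ipv4 ? AF_INET : AF_INET6` and the matching address selections report `AF_INET6` with `&args->f_id.src_ip6` and `&args->f_id.dst_ip6` even if the packet is neither. If this path can be reached for non-IP frames (not visible in the hunk), consumers would see an IPv6 family with address fields that may never have been filled in. Consider `is_ipv4 ? AF_INET : (is_ipv6 ? AF_INET6 : AF_UNSPEC)` with 0 for both address arguments in the third case, assuming an `is_ipv6` flag is available in this function. A comment that `&src_ip` and `&dst_ip` are only meaningful while the probe fires would also help, if they are locals as they appear to be. The enclosing function starts and ends outside the hunk.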