git: ipfw: Implement state based "redirect", i.e. without using libalias.
sephe at crater.dragonflybsd.org
Sun Oct 15 00:27:50 PDT 2017
Author: Sepherosa Ziehau <sephe at dragonflybsd.org>
Date: Sat Sep 30 14:39:48 2017 +0800
ipfw: Implement state based "redirect", i.e. without using libalias.

Redirection creates two states, i.e. one before the translation (xlat0)
and one after the translation (xlat1). If the hash of the translated
packet indicates that it is owned by a remote CPU:
- If the packet triggers the state pair creation, the 'xlat1' will be
  piggybacked by the translated packet, which will be forwarded to the
  remote CPU for further evaluation. And the 'xlat1' will be installed
  on the remote CPU before the evaluation of the translated packet.
- Else only the translated packet will be forwarded to the remote CPU
  for further evaluation.

The 'xlat1' is called the slave state, which will be deleted only when
the 'xlat0' (the master state) is deleted. The state pair is always
deleted on the CPU owning the 'xlat1'; the 'xlat0' will be forwarded

The reference counting of the state pair is maintained independently
in each state; the memory of the state pair will be freed only after
the sum of the counter in each state reaches 0. This avoids expensive
per-packet atomic ops.

As far as I have tested, this implementation of "redirect" does _not_
introduce any noticeable performance reduction, latency increasing or

This commit makes most of the necessary bits for NAT ready too.

Summary of changes:
sbin/ipfw/ipfw.8 | 61 ++-
sbin/ipfw/ipfw2.c | 102 ++++-
sys/net/if_ethersubr.c | 3 +-
sys/net/ipfw/ip_fw2.c | 1107 +++++++++++++++++++++++++++++++++++++++++------
sys/net/ipfw/ip_fw2.h | 64 ++-
sys/netinet/ip_output.c | 6 +
sys/sys/mbuf.h | 3 +
7 files changed, 1162 insertions(+), 184 deletions(-)
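
A minimal model of the split reference count described in the commit message, as an added example that is not code from this commit or from DragonFly's ipfw. It assumes a single-threaded simulation, hypothetical names (`xpair`, `ref_take`, `ref_drop`, `pair_try_free`), and that each CPU only ever writes the counter in the state it owns.

```c
#include <stdbool.h>
#include <stdio.h>
/* Single-threaded model; every name here is hypothetical, not from ip_fw2.c.
 * refs0/refs1 stand for the counters kept in xlat0/xlat1. */
struct xpair { int refs0, refs1; bool unlinked, freed; };
static struct xpair demo_pair;      /* constructed sample state */

/* A CPU hands a packet to the other CPU: plain increment of its own counter. */
static bool ref_take(struct xpair *p, int *local)
{
    if (!p->unlinked)
        (*local)++;
    return !p->unlinked;
}

/* Assumption: called where both counters can be read consistently. */
static bool pair_try_free(struct xpair *p)
{
    if (p->unlinked && p->refs0 + p->refs1 == 0)
        p->freed = true;
    return p->freed;
}

/* A CPU finished a packet it received: plain decrement of its own counter. */
static bool ref_drop(struct xpair *p, int *local)
{
    (*local)--;
    return pair_try_free(p);
}

/* Returns how many drops were needed before the pair was freed. */
static int run_demo(void)
{
    struct xpair *p = &demo_pair;
    *p = (struct xpair){0};
    ref_take(p, &p->refs0);                 /* packet A: xlat0 CPU -> xlat1 CPU */
    ref_take(p, &p->refs0);                 /* packet B: same direction */
    ref_take(p, &p->refs1);                 /* packet C: xlat1 CPU -> xlat0 CPU */
    p->unlinked = true;                     /* deleted with 3 packets in flight */
    if (ref_drop(p, &p->refs1)) return 1;   /* A done: counters 2 and 0 */
    if (ref_drop(p, &p->refs1)) return 2;   /* B done: counters 2 and -1 */
    if (ref_drop(p, &p->refs0)) return 3;   /* C done: counters 1 and -1 */
    return -1;
}

int main(void)
{
    printf("pair freed after %d drops\n", run_demo());
    return 0;
}
```

Neither counter is zero when the pair is freed (they end at 1 and -1), which is why the free condition has to be the sum and not either counter alone.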