More pf work

Jan Lentfer Jan.Lentfer at web.de
Fri Dec 17 14:02:18 PST 2010


On 16.12.2010 20:49, Jan Lentfer wrote:
> I updated my branch again. This is something that actually does work to
> a certain degree, pfctl is updated also, I tested nat, rdr, filtering
> and altq with fairq.
> http://gitweb.dragonflybsd.org/~lentferj/dragonfly.git/shortlog/refs/heads/pf44
>
> I do still get a reproducible panic after running it on my router for
> about 5 minutes:
This panic is now fixed thanks to the support of Alex Hornung. I have 
also fixed a problem with NAT'ed UDP packets. I have this running on my 
own DSL router now including filtering, redirection, NAT and queuing 
(ALTQ w/ fairq). All seems to work fine so far, so I would say this is 
due for public testing.

Be warned that you need to compile PF into the kernel at the moment. 
Module does not work atm. So, if you are running pf as a module and want 
to test this, please add

device          pf
device          pfsync
device          pflog
to your kernel config and recompile the kernel after fetching my branch.

The problem I have with kernel building is this:

With 4.4, OpenBSD made pf depend directly on if_pfsync.c.

In pf_ioctl.c:

        case DIOCGETSTATES: {
                struct pfioc_states     *ps = (struct pfioc_states *)addr;
                struct pf_state         *state;
                struct pfsync_state     *p, *pstore;
                u_int32_t                nr = 0;

                /* ps_len == 0 is a size query: report the bytes needed. */
                if (ps->ps_len == 0) {
                        nr = pf_status.states;
                        ps->ps_len = sizeof(struct pfsync_state) * nr;
                        break;
                }
                pstore = kmalloc(sizeof(*pstore), M_TEMP, M_WAITOK);

                p = ps->ps_states;

                state = TAILQ_FIRST(&state_list);
                while (state) {
                        if (state->timeout != PFTM_UNLINKED) {
                                /* Stop before overrunning the user buffer. */
                                if ((nr+1) * sizeof(*p) > (unsigned)ps->ps_len)
                                        break;
                                /* Export format lives in if_pfsync.c (the dependency). */
                                pfsync_state_export(pstore, state);
                                error = copyout(pstore, p, sizeof(*p));
                                if (error) {
                                        kfree(pstore, M_TEMP);
                                        goto fail;
                                }
                                p++;
                                nr++;
                        }
                        state = TAILQ_NEXT(state, entry_list);
                }

                /* Hand back the number of bytes actually filled. */
                ps->ps_len = sizeof(struct pfsync_state) * nr;

                kfree(pstore, M_TEMP);
                break;
        }
pfsync_state_export() is a function from if_pfsync.c.  So it only works if I

1) put pfsync_state_export() in #ifdef NPFSYNC .. #endif
This leads to being able to compile pf.ko w/o pfsync but pfctl -s state 
shows garbled shit, because DIOCGETSTATES isn't actually giving any 
useful data (there was a patch like that in OpenBSD sources that they 
reverted again).

2) enable device pfsync in GENERIC Kernel Configs so it is available by 
default

3) enable, build and link if_pfsync.c with pf.ko by default
This seems to work fine just that I always get a panic on kldunload in 
modevent() of if_pfsync.c

Any suggestions on this?

Jan
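The DIOCGETSTATES fragment above uses a two-call protocol (size query with ps_len == 0, then a copy bounded by the caller's ps_len) that pfctl has to follow exactly, and pf_status.states counts states the loop later skips as PFTM_UNLINKED, so the returned ps_len can be smaller than the one requested. The userland model below, added here and not code from the pf44 branch, mirrors that logic with simplified stand-in structs, a memset in place of pfsync_state_export(), and a constructed three-state list; demo_fetch() shows both the unlinked-state shortfall and truncation against a too-small buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins for the kernel types; not the real pf headers. */
#define PFTM_UNLINKED 0xff
struct pf_state     { uint32_t id; uint8_t timeout; struct pf_state *next; };
struct pfsync_state { uint32_t id; uint8_t timeout; uint8_t pad[11]; };
struct pfioc_states { size_t ps_len; struct pfsync_state *ps_states; };

/* Userland model of the kernel side of DIOCGETSTATES, mirroring the length
 * query and bounds check of the pf_ioctl.c fragment.  'total' plays the
 * role of pf_status.states, which also counts unlinked states. */
static int model_getstates(struct pfioc_states *ps, struct pf_state *list,
                           uint32_t total)
{
    uint32_t nr = 0;
    if (ps->ps_len == 0) {                  /* size query only */
        ps->ps_len = sizeof(struct pfsync_state) * total;
        return 0;
    }
    for (struct pf_state *s = list; s != NULL; s = s->next) {
        if (s->timeout == PFTM_UNLINKED)
            continue;                       /* skipped, as in the kernel */
        if ((nr + 1) * sizeof(struct pfsync_state) > ps->ps_len)
            break;                          /* user buffer full: stop */
        struct pfsync_state *p = &ps->ps_states[nr];
        memset(p, 0, sizeof(*p));           /* stands in for pfsync_state_export() */
        p->id = s->id; p->timeout = s->timeout;
        nr++;
    }
    ps->ps_len = sizeof(struct pfsync_state) * nr;  /* bytes actually filled */
    return 0;
}

/* Caller side, as pfctl -s state must do it: query the size, size the buffer,
 * fetch, then trust only the ps_len the second call returns.  cap_bytes > 0
 * shrinks the buffer on purpose to show truncation.  Returns states received. */
uint32_t fetch_states(struct pf_state *list, uint32_t total, size_t cap_bytes)
{
    static struct pfsync_state buf[8];      /* fixed buffer in place of malloc() */
    struct pfioc_states ps = { 0, buf };
    model_getstates(&ps, list, total);      /* first call: bytes needed */
    if (ps.ps_len > sizeof buf) ps.ps_len = sizeof buf;
    if (cap_bytes > 0 && ps.ps_len > cap_bytes) ps.ps_len = cap_bytes;
    model_getstates(&ps, list, total);      /* second call: copy the states */
    return (uint32_t)(ps.ps_len / sizeof(struct pfsync_state));
}

/* Constructed sample: three states, the middle one already unlinked. */
static struct pf_state demo[3] = {
    { 1, 2, &demo[1] }, { 2, PFTM_UNLINKED, &demo[2] }, { 3, 5, NULL } };
uint32_t demo_fetch(size_t cap_bytes) { return fetch_states(demo, 3, cap_bytes); }
```

With no cap the size query promises room for 3 states but only 2 arrive; with a one-state buffer the loop stops after the first, and the caller must derive its count from the returned ps_len in both cases.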

More information about the Kernel mailing list