More pf work
Jan Lentfer
Jan.Lentfer at web.de
Fri Dec 17 14:02:18 PST 2010
On 16.12.2010 20:49, Jan Lentfer wrote:
> I updated my branch again. This is something that actually does work to
> a certain degree, pfctl is updated also, I tested nat, rdr, filtering
> and altq with fairq.
> http://gitweb.dragonflybsd.org/~lentferj/dragonfly.git/shortlog/refs/heads/pf44
> I do still get a reproducible panic after running it on my router for
> about 5 minutes:
This panic is now fixed thanks to the support of Alex Hornung. I have
also fixed a problem with NAT'ed UDP packets. I have this running on my
own DSL router now, including filtering, redirection, NAT and queuing
(ALTQ w/ fairq). All seems to work fine so far, so I would say this is
due for public testing.
Be warned that you need to compile PF into the kernel at the moment; the
module does not work yet. So, if you are running pf as a module and want
to test this, please add
device pf
device pfsync
device pflog
to your kernel config and recompile the kernel after fetching my branch.
The problem I have with kernel building is this:
With 4.4, OpenBSD made pf depend directly on if_pfsync.c.
In pf_ioctl.c:
    case DIOCGETSTATES: {
        struct pfioc_states *ps = (struct pfioc_states *)addr;
        struct pf_state *state;
        struct pfsync_state *p, *pstore;
        u_int32_t nr = 0;

        /* ps_len == 0 is a size query: report the space needed and stop. */
        if (ps->ps_len == 0) {
            nr = pf_status.states;
            ps->ps_len = sizeof(struct pfsync_state) * nr;
            break;
        }

        pstore = kmalloc(sizeof(*pstore), M_TEMP, M_WAITOK);
        p = ps->ps_states;
        state = TAILQ_FIRST(&state_list);
        while (state) {
            if (state->timeout != PFTM_UNLINKED) {
                /* Stop before writing past the user-supplied buffer. */
                if ((nr+1) * sizeof(*p) >
                    (unsigned)ps->ps_len)
                    break;
                /* Lives in if_pfsync.c: this is the dependency at issue. */
                pfsync_state_export(pstore, state);
                error = copyout(pstore, p, sizeof(*p));
                if (error) {
                    kfree(pstore, M_TEMP);
                    goto fail;
                }
                p++;
                nr++;
            }
            state = TAILQ_NEXT(state, entry_list);
        }
        /* Report the bytes actually copied out, not the earlier estimate. */
        ps->ps_len = sizeof(struct pfsync_state) * nr;
        kfree(pstore, M_TEMP);
        break;
    }
pfsync_state_export() is a function from if_pfsync.c, so it only works if I
1) put pfsync_state_export() in #ifdef NPFSYNC .. #endif
This makes it possible to compile pf.ko w/o pfsync, but pfctl -s state
shows garbled shit, because DIOCGETSTATES isn't actually giving any
useful data (there was a patch like that in the OpenBSD sources that they
reverted again).
2) enable device pfsync in GENERIC Kernel Configs so it is available by
default
3) enable, build and link if_pfsync.c with pf.ko by default
This seems to work fine, except that I always get a panic on kldunload in
modevent() of if_pfsync.c.
Any suggestions on this?
Jan
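The following is an added example, not code from Jan's pf44 branch or from OpenBSD/DragonFly pf. It models in plain userland C the DIOCGETSTATES protocol quoted above: pfctl first asks for the required buffer size by passing ps_len == 0, then allocates that much and asks again, and the handler never writes past ps_len but reports back how many bytes it actually filled (states unlinked in the meantime are skipped, so the second ps_len can be smaller than the first). Every struct and function named sim_* is a simplified stand-in I made up for the example (assumption); copyout() becomes a struct copy because everything lives in one address space, and the sample state table is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for struct pfsync_state (assumption): the export record that
 * DIOCGETSTATES hands to userland. */
struct sim_pfsync_state {
    uint32_t id;
    uint32_t proto;
    uint32_t src_addr;
    uint32_t dst_addr;
};

/* Stand-in for struct pf_state on the kernel's state_list (assumption). */
struct sim_pf_state {
    uint32_t id;
    uint32_t proto;
    uint32_t src_addr;
    uint32_t dst_addr;
    int unlinked;                 /* models state->timeout == PFTM_UNLINKED */
    struct sim_pf_state *next;    /* models TAILQ_NEXT(state, entry_list) */
};

/* Models the state list plus the pf_status.states counter. */
struct sim_state_table {
    struct sim_pf_state *head;
    size_t count;
};

/* Stand-in for struct pfioc_states, the ioctl argument (assumption). */
struct sim_pfioc_states {
    size_t ps_len;                       /* in: buffer size; out: bytes needed or used */
    struct sim_pfsync_state *ps_states;  /* caller's buffer */
};

/* Models pfsync_state_export(): internal state -> export record. */
static void sim_state_export(struct sim_pfsync_state *out, const struct sim_pf_state *st)
{
    memset(out, 0, sizeof(*out));
    out->id = st->id;
    out->proto = st->proto;
    out->src_addr = st->src_addr;
    out->dst_addr = st->dst_addr;
}

/* Models the DIOCGETSTATES case from pf_ioctl.c quoted above. */
int sim_diocgetstates(struct sim_pfioc_states *ps, const struct sim_state_table *tbl)
{
    size_t nr = 0;
    const struct sim_pf_state *st;

    if (ps->ps_len == 0) {
        /* Size query: tell the caller how much room the table needs right now. */
        ps->ps_len = sizeof(struct sim_pfsync_state) * tbl->count;
        return 0;
    }
    for (st = tbl->head; st != NULL; st = st->next) {
        if (st->unlinked)
            continue;
        /* Stop before the record that would overrun the caller's ps_len. */
        if ((nr + 1) * sizeof(struct sim_pfsync_state) > ps->ps_len)
            break;
        sim_state_export(&ps->ps_states[nr], st);
        nr++;
    }
    /* Report bytes actually written; the caller must use this, not its own estimate. */
    ps->ps_len = sizeof(struct sim_pfsync_state) * nr;
    return 0;
}

/* Models what pfctl -s state does: size query, allocate, fetch, then derive the
 * record count from the returned ps_len. Returns the count; *out gets a
 * malloc()ed buffer (caller frees) or NULL. */
size_t sim_fetch_states(const struct sim_state_table *tbl, struct sim_pfsync_state **out)
{
    struct sim_pfioc_states ps = { 0, NULL };

    *out = NULL;
    if (sim_diocgetstates(&ps, tbl) != 0 || ps.ps_len == 0)
        return 0;
    ps.ps_states = calloc(1, ps.ps_len);
    if (ps.ps_states == NULL)
        return 0;
    if (sim_diocgetstates(&ps, tbl) != 0) {
        free(ps.ps_states);
        return 0;
    }
    *out = ps.ps_states;
    return ps.ps_len / sizeof(struct sim_pfsync_state);
}

/* Constructed sample: three states, the middle one already unlinked but still
 * on the list and still counted (models pf_status.states; assumption). */
struct sim_state_table sim_sample_table(void)
{
    static struct sim_pf_state s[3];
    struct sim_state_table tbl;

    memset(s, 0, sizeof(s));
    s[0].id = 1; s[0].proto = 6;  s[0].src_addr = 0x0a000001; s[0].dst_addr = 0xc0a80001; s[0].next = &s[1];
    s[1].id = 2; s[1].proto = 17; s[1].unlinked = 1;                                      s[1].next = &s[2];
    s[2].id = 3; s[2].proto = 17; s[2].src_addr = 0x0a000002; s[2].dst_addr = 0xc0a80002; s[2].next = NULL;
    tbl.head = s;
    tbl.count = 3;
    return tbl;
}

int main(void)
{
    struct sim_state_table tbl = sim_sample_table();
    struct sim_pfsync_state *states;
    size_t i, n = sim_fetch_states(&tbl, &states);

    printf("%zu states exported (table counter says %zu)\n", n, tbl.count);
    for (i = 0; i < n; i++)
        printf("  id=%u proto=%u %08x -> %08x\n", (unsigned)states[i].id,
               (unsigned)states[i].proto, (unsigned)states[i].src_addr,
               (unsigned)states[i].dst_addr);
    free(states);
    return 0;
}
```

The point to take away when comparing with the kernel code above is the role of the second ps_len: the size query is only an estimate, since states can be unlinked (or added) between the two calls, so a caller that sizes its loop from the first answer instead of the second reads stale or uninitialised records. That is also why an #ifdef'd-out pfsync_state_export() produces garbage rather than an error: the handler still reports nr records as copied, but nothing ever filled them.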