
List:       illumos-developer
Subject:    Re: [developer] ipfilter
From:       Cy Schubert <Cy.Schubert@cschubert.com>
Date:       2018-12-23 16:56:33
Message-ID: 201812231656.wBNGuX5N062670@slippy.cwsent.com

In message <CAJcJ1p4gY=UxH_jhNpFdiU4nX7afs0-b+tKqxVLMFQGc8NmDTQ@mail.gmail.com>, Jason King writes:
> Comparing the illumos-joyent ipf code with illumos-gate, the big
> differences are adding hooks for the VND and viona drivers so that ipf can
> filter ethernet frames from HVM instances (there's a few other minor bits,

We don't have VND or viona drivers in FreeBSD but filtering Ethernet 
frames would be useful.

> but those are much smaller).  That'd need to be brought forward for any
> updates, though assuming the newer versions are still using nethooks (I'm
> not sure what the term is for them on FBSD, but I believe the illumos hook
> framework was modeled after it, so they should be at least somewhat
> similar), I don't think that'd be a huge deal.
>
> There is also what I'm assuming is illumos specific code (though not unique
> to SmartOS) that deals with netstacks — basically at device attach time, a
> callback is registered by ipf that will create a new ipf_stack_t instance
> for each network stack (effectively a new zone these days).

We have VIMAGE in FreeBSD, same thing. The implementation would likely 
be quite different. VIMAGE is implemented as a set of macros that alter 
variable names depending on whether a kernel is built with or without 
the VIMAGE option. A person would have to look to determine whether or 
not the code is compatible.

> In addition,
> there are a second set of nethooks that are registered — so there's a set
> for the global zone, and then ones for the non-global zone (this is what
> allows the global zone to assign rules that have precedence over anything
> set inside the zone).  Thankfully most of that is also fairly
> self-contained.

There is no facility in the VIMAGE code in the FreeBSD ipfilter to do 
that.

>
> Bug fixes are always welcome (if it gets rid of some of the K&R style
> declarations too that'd be a nice bonus :P).  I can certainly help with
> applying the illumos (and SmartOS) specific bits to any updates (I'm
> probably the most recent person to have the joy of touching that code).
>
> I'd also be interested to know if any of the updates included any
> performance improvements — I know we've sometimes seen some issues with ipf
> at higher speeds, though we've not yet spent the time to pinpoint the cause.

The only performance related issue that has been reported and fixed is 
a NAT issue. Over a period of time NAT slowed down and eventually 
stopped working. It was a nasty bug that was fixed this spring.

Much of ipfilter has been rewritten from 4 to 5. Many of the bugs you 
experience in ipfilter 4 are fixed. I closed a lot of FreeBSD PRs 
(problem reports) because the rewritten code addressed the issues. The 
NAT issue I reference above was new in ipfilter 5 and was the only 
performance related bug reported. In order to fix the bug a good number 
of DTrace probes were added (I added others to help resolve other bugs 
too). The DTrace probes were handy to help users right-size certain NAT 
tables to improve performance.

Let me repeat. The reason for this thread was to give me a feel for 
whether or not to remove the Solaris specific code from IPF 5 that is 
in FreeBSD as I'm ripping out DG/UX, HP-UX, Tru64, IRIX, and other long 
extinct operating systems from IPF 5.

As this thread has shown, there is a great deal of interest in ipfilter 
here, so the SOLARIS #ifdefs will remain in what I'm doing in FreeBSD 
in order to share the code with you. I'm not ready to start working to 
upgrade ipfilter in illumos yet. I can give you what I have and someone 
here can work on it, or I can tackle that problem later as time permits. 
Either works for me.


-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org

        The need of the many outweighs the greed of the few.
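The VIMAGE macro trick described above, as an added example that is not part of the original message or of FreeBSD's sources: a small user-space model in the shape of the VNET_DEFINE/VNET/CURVNET_SET macros from sys/net/vnet.h. The ipf_* functions, the vnet_set layout and vnet_alloc() are assumptions made up for the demonstration (the real kernel collects VNET_DEFINE'd variables in a linker-set section rather than a hand-written struct). The point it shows is the one Cy makes: the filter code spells a per-stack variable as V_ipf_blocked and compiles unchanged whether or not the kernel is built with VIMAGE, but the two builds behave differently when more than one stack exists.

```c
/*
 * Model of the FreeBSD VIMAGE trick: a "global" is reached through a macro
 * that is a plain C variable in a non-VIMAGE build and a slot in the current
 * network stack's private data block in a VIMAGE build.  The filter code is
 * written once and never names curvnet.  This is a self-contained user-space
 * model (assumed names), not the kernel's vnet.h.
 */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#ifndef VIMAGE
#define VIMAGE 1        /* compile with -DVIMAGE=0 for the non-virtualised flavour */
#endif

/* Every variable a real kernel would mark VNET_DEFINE() is listed here. */
struct vnet_set {
	uint64_t vnet_entry_ipf_blocked;   /* packets dropped by the filter */
	int      vnet_entry_ipf_enabled;   /* filter switched on for this stack */
};

#if VIMAGE
struct vnet {
	struct vnet_set *vnet_data_base;   /* this stack's private copy of vnet_set */
};
static struct vnet *curvnet;           /* stack the current thread operates in */
#define VNET(n)         (curvnet->vnet_data_base->vnet_entry_##n)
#define CURVNET_SET(v)  (curvnet = (v))
#else
struct vnet { int unused; };           /* keeps the API identical across builds */
static struct vnet_set vnet_globals;   /* one copy for the whole kernel */
#define VNET(n)         (vnet_globals.vnet_entry_##n)
#define CURVNET_SET(v)  ((void)(v))
#endif

/* vnet.h style: V_foo is how the rest of the code spells the variable. */
#define V_ipf_blocked   VNET(ipf_blocked)
#define V_ipf_enabled   VNET(ipf_enabled)

struct vnet *vnet_alloc(void)
{
	struct vnet *v = calloc(1, sizeof *v);
#if VIMAGE
	v->vnet_data_base = calloc(1, sizeof(struct vnet_set));
#endif
	return v;
}

/* Filter code written once; compiles unchanged in either build. */
void ipf_set_enabled(int on)        { V_ipf_enabled = on; }
uint64_t ipf_blocked_count(void)    { return V_ipf_blocked; }

/* Returns 1 if the packet is dropped, 0 if passed.  should_drop stands in
 * for a rule match (assumed, no real rule parsing here). */
int ipf_check(int should_drop)
{
	if (!V_ipf_enabled)
		return 0;
	if (should_drop) {
		V_ipf_blocked++;
		return 1;
	}
	return 0;
}

/* Two stacks, three drops in the first and one in the second; reports what
 * each stack sees afterwards.  Under VIMAGE they are isolated (3 and 1);
 * without it both read the single shared counter (4 and 4). */
void demo_two_stacks(uint64_t out[2])
{
	struct vnet *a = vnet_alloc(), *b = vnet_alloc();
	CURVNET_SET(a); ipf_set_enabled(1);
	ipf_check(1); ipf_check(1); ipf_check(0); ipf_check(1);
	CURVNET_SET(b); ipf_set_enabled(1);
	ipf_check(1); ipf_check(0);
	CURVNET_SET(a); out[0] = ipf_blocked_count();
	CURVNET_SET(b); out[1] = ipf_blocked_count();
}

int main(void)
{
	uint64_t c[2];
	demo_two_stacks(c);
	printf("VIMAGE=%d: stack A blocked %llu, stack B blocked %llu\n",
	       VIMAGE, (unsigned long long)c[0], (unsigned long long)c[1]);
	return 0;
}
```

Build it twice, once as-is and once with -DVIMAGE=0, to see the same source yield isolated per-stack counters in one build and a single shared counter in the other. Comparing this against illumos, where ipf allocates an ipf_stack_t per netstack from a callback, is the kind of inspection the paragraph above says is needed before deciding whether the two code paths can be shared.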


>
>
>
> From: Adam Števko <adam.stevko@gmail.com>
> Reply: illumos-developer <developer@lists.illumos.org>
> Date: December 22, 2018 at 5:49:48 PM
> To: illumos-developer <developer@lists.illumos.org>
> Cc: Cy Schubert <cy.schubert@cschubert.com>
> Subject:  Re: [developer] ipfilter
>
> Hi,
> thanks for your effort in updating ipf! I am pretty sure that many people
> are happy to see this. However, before updating, try to pull changes from
> illumos-gate. AFAIK Joyent folks contributed features, which allow to
> manipulate non-global zone rulesets from the global zone. I am not sure if
> you have already done this, just mentioning this for your reference.
>
> Cheers,
> Adam
>
> On Sun, Dec 23, 2018 at 12:12 AM Cy Schubert <Cy.Schubert@cschubert.com>
> wrote:
>
> > In message <20181222225223.GA1825@mail.messagingengine.com>, Gary Mills
> > writes:
> > > On Sat, Dec 22, 2018 at 08:51:48AM -0800, Cy Schubert wrote:
> > > >
> > > > My question is, is there interest in the possible update of ipfilter in
> > > > illumos to 5.1.2, including the numerous fixes I've committed to
> > > > FreeBSD? (With many more uncommitted fixes currently in my git tree.)
> > > > If yes, I'll leave the Solaris specific code in ipfilter with the
> > > > intention of approaching you here at some point in the future of
> > > > updating your ipfilter to 5.1.2.
> > >
> > > I'm interested.  I use ipfilter now under OI.  My main system has two
> > > ethernet interfaces.  One is connected to my cable modem.  The other
> > > goes to my private network.  Ipfilter functions as a NAT router to the
> > > private network.  I also use ipf to block certain insecure ports.
> > >
> > > The version of ipfilter that comes with illumos is adequate for my
> > > needs, but updates are always welcome.
> >
> > I think this is all I need. I will not remove the Solaris #ifdefs
> > during the house cleaning. At the end of the process I'll offer the
> > updated ipfilter, which includes many fixes committed to FreeBSD, to
> > illumos.
> >
> >
> > --
> > Cheers,
> > Cy Schubert <Cy.Schubert@cschubert.com>
> > FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org
> >
> >         The need of the many outweighs the greed of the few.
> >
> > ------------------------------------------
> > illumos: illumos-developer
> > Permalink:
> > https://illumos.topicbox.com/groups/developer/Tc43ff8b5b29b2985-M55cc2154b9f22297be2e313f
> > Delivery options:
> > https://illumos.topicbox.com/groups/developer/subscription
> >



------------------------------------------
illumos: illumos-developer
Permalink: https://illumos.topicbox.com/groups/developer/Tcf7574286fa291a0-M5e86adc964cb9ab295c657b2
Delivery options: https://illumos.topicbox.com/groups/developer/subscription