Page MenuHomeFreeBSD

pf: Fix timestamps and connection rate in source node export
ClosedPublic

Authored by vegeta_tuxpowered.net on Oct 28 2024, 10:16 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Jan 21, 3:16 PM
Unknown Object (File)
Dec 9 2024, 2:05 AM
Unknown Object (File)
Dec 3 2024, 9:55 PM
Unknown Object (File)
Nov 21 2024, 9:22 PM
Unknown Object (File)
Nov 8 2024, 11:17 PM
Unknown Object (File)
Nov 2 2024, 11:03 PM
Unknown Object (File)
Nov 2 2024, 11:31 AM
Unknown Object (File)
Nov 2 2024, 9:11 AM

Details

Summary

When copying struct pf_ksrc_node into a netlink message some fields
change their meaning. In kernel creation and expire fields are storing
number of seconds since boot.

Add conversion to number of seconds relative to moment of exporting the
source node via netlink, as this is what pfctl expects. Add conversion
of connection rate count.

Sponsored by: InnoGames GmbH

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

Good catch, although I think we need to fix nlattr_add_pf_threshold() as well.

It might be slightly better to save time_uptime to a separate variable first, because we don't want it to change in between calculations.

I'm going to make you commit this one yourself, once it's ready.

vegeta_tuxpowered.net retitled this revision from pf: Fix timestamps in source node export to userspace to pf: Fix timestamps and connection rate in source node export.
vegeta_tuxpowered.net edited the summary of this revision. (Show Details)

This code suffers from very old OpenBSD idea of (ab)using the same data structure for in-kernel storage and communication with userspace over ioctl. There is no need for struct pf_threshold *t, as pfctl only displays its count and seconds properties. Instead of having a separate function nlattr_add_pf_threshold() with all its PF_TH_… variables we could just add new variables PF_SN_CONN_RATE_RATE and PF_SN_CONN_RATE_SECONDS directly into the source node. And rename PF_SN_CREATION to PF_SN_AGE since it's the age of the SN, calculated during the export, not its creation time, as stored in kernel.

This code suffers from very old OpenBSD idea of (ab)using the same data structure for in-kernel storage and communication with userspace over ioctl.

Sigh. Tell me about it....
Most of the work in converting internal counters to using counter_u64 was splitting the type definitions between kernel an userspace. (Hence abominations like struct pfi_kkif, with an extra 'k' for 'kernel'),

There is no need for struct pf_threshold *t, as pfctl only displays its count and seconds properties. Instead of having a separate function nlattr_add_pf_threshold() with all its PF_TH_… variables we could just add new variables PF_SN_CONN_RATE_RATE and PF_SN_CONN_RATE_SECONDS directly into the source node. And rename PF_SN_CREATION to PF_SN_AGE since it's the age of the SN, calculated during the export, not its creation time, as stored in kernel.

Good point, although given that I've already exported the information that way I'd keep it like that. There's relatively little cost to exporting more information via netlink (I did some benchmarking when we converted the state export), and I don't want to deal with compatibility issues by renaming types or removing them. It's pretty unlikely that anything other than pfctl uses it, but it's a good habit to get into anyway.

Same deal as D47679, send me the format-patch. Probably the last ones we'll do this dance for.

This revision is now accepted and ready to land.Nov 20 2024, 9:15 AM