Contributed by pitrh on from the packets unlocked dept.
I'd like to thank Reyk for hackroom and showing us a Christmas market. It was also my pleasure to meet Mr. Henning in person. Speaking of Henning, let's switch to PF hacking.
mpi@ came with patch (sent to priv. list only currently), which adds a new lock for PF. It's called PF big lock. The big PF lock essentially establishes a safe playground for PF hackers. The lock currently covers all pf_test() function. The pf_test() function parts will be gradually unlocked as the work will progress.
To make PF big lock safe few more details must be sorted out. The first of them is to avoid recursive calls to pf_test(). The pf_test() could get entered recursively, when packet hits block rule with return-* action. This is no longer the case as ip*_send() functions got introduced (committed change has been discussed privately). Packets sent on behalf of kernel are dispatched using softnet task queue now. We still have to sort out pf_route*() functions. The other thing we need to sort out with respect to PF big lock is reference counting for statekey, which gets attached to mbuf. Patch has been sent to hackers, waiting for OK too. The plan is to commit reference counting sometimes next year after CVS will be unlocked.There is one more patch at tech@ waiting for OK. It brings OpenBSD and Solaris PF closer to each other by one tiny little step. That's all from sashan, hope to see you next time.
Thanks for the report and the work that went into this, Sasha! We look forward to seeing this and more hit the tree soon!
(Comments are closed)