From 334fc5822becf3294a389630137d2332e42fda7d Mon Sep 17 00:00:00 2001
From: "Bjoern A. Zeeb"
Date: Wed, 8 Jan 2020 23:30:26 +0000
Subject: [PATCH] vnet: virtualise more network stack sysctls.

Virtualise tcp_always_keepalive, TCP and UDP log_in_vain. All three are set in the netoptions startup script, which we would love to run for VNETs as well [1]. While virtualising the log_in_vain sysctls seems pointles at first for as long as the kernel message buffer is not virtualised, it at least allows an administrator to debug the base system or an individual jail if needed without turning the logging on for all jails running on a system.

PR: 243193 [1]
MFC after: 2 weeks
---
 sys/dev/cxgbe/tom/t4_tom.c | 2 +-
 sys/netinet/tcp_input.c | 10 +++++-----
 sys/netinet/tcp_stacks/bbr.c | 8 ++++----
 sys/netinet/tcp_stacks/rack.c | 8 ++++----
 sys/netinet/tcp_subr.c | 2 +-
 sys/netinet/tcp_timer.c | 9 +++++----
 sys/netinet/tcp_timer.h | 3 ++-
 sys/netinet/tcp_var.h | 3 ++-
 sys/netinet/udp_usrreq.c | 8 ++++----
 sys/netinet/udp_var.h | 3 ++-
 sys/netinet6/udp6_usrreq.c | 2 +-
 11 files changed, 31 insertions(+), 27 deletions(-)

diff --git a/sys/dev/cxgbe/tom/t4_tom.c b/sys/dev/cxgbe/tom/t4_tom.c
index 4ef667ac536..7967cb18516 100644
--- a/sys/dev/cxgbe/tom/t4_tom.c
+++ b/sys/dev/cxgbe/tom/t4_tom.c
@@ -1146,7 +1146,7 @@ init_conn_params(struct vi_info *vi , struct offload_settings *s,
 cp->nagle = tp->t_flags & TF_NODELAY ? 0 : 1;
 /* TCP Keepalive. */
- if (tcp_always_keepalive || so_options_get(so) & SO_KEEPALIVE)
+ if (V_tcp_always_keepalive || so_options_get(so) & SO_KEEPALIVE)
 cp->keepalive = 1;
 else
 cp->keepalive = 0;
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index e3a4cf1d46f..e8a281878cf 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
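Review bot: `V_tcp_always_keepalive` in init_conn_params (t4_tom.c @@ -1146) is resolved through curvnet, so this driver path now depends on the caller having the socket's vnet current, a requirement the plain global it replaces did not have; nothing in the hunk shows that, and init_conn_params starts and ends outside it. Each caller, in particular any firmware-event-driven passive-open path that reaches this code without passing through a syscall, should be confirmed to run under the socket's vnet (CURVNET_SET/CURVNET_RESTORE around the call), otherwise the keepalive decision would presumably read another vnet's value or trip the curvnet assertion on debug kernels. While the line is being rewritten, parenthesising the bitwise test, `if (V_tcp_always_keepalive || (so_options_get(so) & SO_KEEPALIVE))`, would spare readers from recalling that `&` binds tighter than `||`; the same form recurs in the bbr.c and rack.c hunks.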
@@ -132,9 +132,9 @@ __FBSDID("$FreeBSD$");
 const int tcprexmtthresh = 3;
-int tcp_log_in_vain = 0;
-SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_RW,
- &tcp_log_in_vain, 0,
+VNET_DEFINE(int, tcp_log_in_vain) = 0;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_in_vain, CTLFLAG_VNET | CTLFLAG_RW,
+ &VNET_NAME(tcp_log_in_vain), 0,
 "Log all incoming TCP segments to closed ports");
 VNET_DEFINE(int, blackhole) = 0;
@@ -892,8 +892,8 @@ findpcb:
 * Log communication attempts to ports that are not
 * in use.
 */
- if ((tcp_log_in_vain == 1 && (thflags & TH_SYN)) ||
- tcp_log_in_vain == 2) {
+ if ((V_tcp_log_in_vain == 1 && (thflags & TH_SYN)) ||
+ V_tcp_log_in_vain == 2) {
 if ((s = tcp_log_vain(NULL, th, (void *)ip, ip6)))
 log(LOG_INFO, "%s; %s: Connection attempt "
 "to closed port\n", s, __func__);
diff --git a/sys/netinet/tcp_stacks/bbr.c b/sys/netinet/tcp_stacks/bbr.c
index c28b0aee05e..2e6e803d42a 100644
--- a/sys/netinet/tcp_stacks/bbr.c
+++ b/sys/netinet/tcp_stacks/bbr.c
@@ -835,7 +835,7 @@ bbr_start_hpts_timer(struct tcp_bbr *bbr, struct tcpcb *tp, uint32_t cts, int32_
 */
 if ((hpts_timeout == 0) && (slot == 0)) {
- if ((tcp_always_keepalive || inp->inp_socket->so_options & SO_KEEPALIVE) &&
+ if ((V_tcp_always_keepalive || inp->inp_socket->so_options & SO_KEEPALIVE) &&
 (tp->t_state <= TCPS_CLOSING)) {
 /*
 * Ok we have no timer (persists, rack, tlp, rxt or
@@ -998,7 +998,7 @@ bbr_timer_audit(struct tcpcb *tp, struct tcp_bbr *bbr, uint32_t cts, struct sock
 * (and the hptsi timer).
 */
 return;
- } else if (((tcp_always_keepalive ||
+ } else if (((V_tcp_always_keepalive ||
 inp->inp_socket->so_options & SO_KEEPALIVE) &&
 (tp->t_state <= TCPS_CLOSING)) &&
 (tmr_up == PACE_TMR_KEEP) &&
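Review bot: Marking net.inet.tcp.log_in_vain `CTLFLAG_VNET` (tcp_input.c @@ -132) presumably makes it writable by the root of a vnet jail like the other CTLFLAG_VNET knobs, while the `log(LOG_INFO, ...)` it gates in @@ -892 still lands in the single host-wide message buffer, as the description itself acknowledges; no rate limit is visible on that path in the hunk, so one jail can now raise host kernel-log volume in proportion to the traffic it receives on closed ports. If that trade-off is intended it should at least be stated at the definition, e.g. `/* Per-vnet knob, but log(9) output is global: enabling it in a jail writes to the host message buffer. */`, and a ppsratecheck-style limit on the log call is worth considering. The same point applies to udp_usrreq.c @@ -116/@@ -686 and udp6_usrreq.c @@ -481.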
@@ -4919,7 +4919,7 @@ bbr_timeout_keepalive(struct tcpcb *tp, struct tcp_bbr *bbr, uint32_t cts)
 TCPSTAT_INC(tcps_keeptimeo);
 if (tp->t_state < TCPS_ESTABLISHED)
 goto dropit;
- if ((tcp_always_keepalive || inp->inp_socket->so_options & SO_KEEPALIVE) &&
+ if ((V_tcp_always_keepalive || inp->inp_socket->so_options & SO_KEEPALIVE) &&
 tp->t_state <= TCPS_CLOSING) {
 if (ticks - tp->t_rcvtime >= TP_KEEPIDLE(tp) + TP_MAXIDLE(tp))
 goto dropit;
@@ -11790,7 +11790,7 @@ bbr_do_segment_nounlock(struct mbuf *m, struct tcphdr *th, struct socket *so,
 ((bbr->r_ctl.rc_hpts_flags & PACE_TMR_MASK) == 0) &&
 (SEQ_GT(tp->snd_max, tp->snd_una) ||
 (tp->t_flags & TF_DELACK) ||
- ((tcp_always_keepalive || bbr->rc_inp->inp_socket->so_options & SO_KEEPALIVE) &&
+ ((V_tcp_always_keepalive || bbr->rc_inp->inp_socket->so_options & SO_KEEPALIVE) &&
 (tp->t_state <= TCPS_CLOSING)))) {
 /*
 * We could not send (probably in the hpts but
diff --git a/sys/netinet/tcp_stacks/rack.c b/sys/netinet/tcp_stacks/rack.c
index fbe9b9e1322..17054d5d7a9 100644
--- a/sys/netinet/tcp_stacks/rack.c
+++ b/sys/netinet/tcp_stacks/rack.c
@@ -2450,7 +2450,7 @@ rack_start_hpts_timer(struct tcp_rack *rack, struct tcpcb *tp, uint32_t cts,
 */
 if ((hpts_timeout == 0) && (slot == 0)) {
- if ((tcp_always_keepalive || inp->inp_socket->so_options & SO_KEEPALIVE) &&
+ if ((V_tcp_always_keepalive || inp->inp_socket->so_options & SO_KEEPALIVE) &&
 (tp->t_state <= TCPS_CLOSING)) {
 /*
 * Ok we have no timer (persists, rack, tlp, rxt or
@@ -3022,7 +3022,7 @@ rack_timeout_keepalive(struct tcpcb *tp, struct tcp_rack *rack, uint32_t cts)
 TCPSTAT_INC(tcps_keeptimeo);
 if (tp->t_state < TCPS_ESTABLISHED)
 goto dropit;
- if ((tcp_always_keepalive || inp->inp_socket->so_options & SO_KEEPALIVE) &&
+ if ((V_tcp_always_keepalive || inp->inp_socket->so_options & SO_KEEPALIVE) &&
 tp->t_state <= TCPS_CLOSING) {
 if (ticks - tp->t_rcvtime >= TP_KEEPIDLE(tp) + TP_MAXIDLE(tp))
 goto dropit;
@@ -7576,7 +7576,7 @@ rack_timer_audit(struct tcpcb *tp, struct tcp_rack *rack, struct sockbuf *sb)
 * of nothing outstanding and the RXT up (and the hptsi timer).
 */
 return;
- } else if (((tcp_always_keepalive ||
+ } else if (((V_tcp_always_keepalive ||
 rack->rc_inp->inp_socket->so_options & SO_KEEPALIVE) &&
 (tp->t_state <= TCPS_CLOSING)) &&
 (tmr_up == PACE_TMR_KEEP) &&
@@ -7867,7 +7867,7 @@ rack_do_segment_nounlock(struct mbuf *m, struct tcphdr *th, struct socket *so,
 ((rack->r_ctl.rc_hpts_flags & PACE_TMR_MASK) == 0) &&
 (SEQ_GT(tp->snd_max, tp->snd_una) ||
 (tp->t_flags & TF_DELACK) ||
- ((tcp_always_keepalive || rack->rc_inp->inp_socket->so_options & SO_KEEPALIVE) &&
+ ((V_tcp_always_keepalive || rack->rc_inp->inp_socket->so_options & SO_KEEPALIVE) &&
 (tp->t_state <= TCPS_CLOSING)))) {
 /* We could not send (probably in the hpts but stopped the timer earlier)? */
 if ((tp->snd_max == tp->snd_una) &&
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 8534f74d905..1cd1e95f23e 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -3283,7 +3283,7 @@ tcp_log_vain(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
 {
 /* Is logging enabled? */
- if (tcp_log_in_vain == 0)
+ if (V_tcp_log_in_vain == 0)
 return (NULL);
 return (tcp_log_addr(inc, th, ip4hdr, ip6hdr));
diff --git a/sys/netinet/tcp_timer.c b/sys/netinet/tcp_timer.c
index 5c1c658b7d1..195a5e775ad 100644
--- a/sys/netinet/tcp_timer.c
+++ b/sys/netinet/tcp_timer.c
@@ -125,9 +125,10 @@ SYSCTL_PROC(_net_inet_tcp, OID_AUTO, rexmit_slop, CTLTYPE_INT|CTLFLAG_RW,
 &tcp_rexmit_slop, 0, sysctl_msec_to_ticks, "I",
 "Retransmission Timer Slop");
-int tcp_always_keepalive = 1;
-SYSCTL_INT(_net_inet_tcp, OID_AUTO, always_keepalive, CTLFLAG_RW,
- &tcp_always_keepalive , 0, "Assume SO_KEEPALIVE on all TCP connections");
+VNET_DEFINE(int, tcp_always_keepalive) = 1;
+SYSCTL_INT(_net_inet_tcp, OID_AUTO, always_keepalive, CTLFLAG_VNET|CTLFLAG_RW,
+ &VNET_NAME(tcp_always_keepalive) , 0,
+ "Assume SO_KEEPALIVE on all TCP connections");
 int tcp_fast_finwait2_recycle = 0;
 SYSCTL_INT(_net_inet_tcp, OID_AUTO, fast_finwait2_recycle, CTLFLAG_RW,
@@ -431,7 +432,7 @@ tcp_timer_keep(void *xtp)
 TCPSTAT_INC(tcps_keeptimeo);
 if (tp->t_state < TCPS_ESTABLISHED)
 goto dropit;
- if ((tcp_always_keepalive ||
+ if ((V_tcp_always_keepalive ||
 inp->inp_socket->so_options & SO_KEEPALIVE) &&
 tp->t_state <= TCPS_CLOSING) {
 if (ticks - tp->t_rcvtime >= TP_KEEPIDLE(tp) + TP_MAXIDLE(tp))
diff --git a/sys/netinet/tcp_timer.h b/sys/netinet/tcp_timer.h
index 3e985bdfb82..fe3616c2664 100644
--- a/sys/netinet/tcp_timer.h
+++ b/sys/netinet/tcp_timer.h
@@ -203,10 +203,11 @@ extern int tcp_backoff[];
 extern int tcp_totbackoff;
 extern int tcp_rexmit_drop_options;
-extern int tcp_always_keepalive;
 extern int tcp_finwait2_timeout;
 extern int tcp_fast_finwait2_recycle;
+VNET_DECLARE(int, tcp_always_keepalive);
+#define V_tcp_always_keepalive VNET(tcp_always_keepalive)
 VNET_DECLARE(int, tcp_pmtud_blackhole_detect);
 #define V_tcp_pmtud_blackhole_detect VNET(tcp_pmtud_blackhole_detect)
 VNET_DECLARE(int, tcp_pmtud_blackhole_mss);
diff --git a/sys/netinet/tcp_var.h b/sys/netinet/tcp_var.h
index 6f526cbc31e..7539dcb7ffa 100644
--- a/sys/netinet/tcp_var.h
+++ b/sys/netinet/tcp_var.h
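Review bot: The rewritten `&VNET_NAME(tcp_always_keepalive) , 0,` line (tcp_timer.c @@ -125) carries the stray space before the comma over from the old line; since the line is new anyway it should read `&VNET_NAME(tcp_always_keepalive), 0,`. The flag expression is also spelled `CTLFLAG_VNET|CTLFLAG_RW` here but `CTLFLAG_VNET | CTLFLAG_RW` in the tcp_input.c and udp_usrreq.c hunks of this same commit; one spelling across the three definitions would read better.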
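Review bot: Removing `extern int tcp_always_keepalive;` from tcp_timer.h (@@ -203) turns every remaining use of the bare name into a build error, and the diffstat covers only the cxgbe TOE driver and the in-tree stacks; failing loudly is the right outcome, but a tree-wide search for the old identifier (other offload drivers in particular) is worth confirming before this lands, since any consumer outside the listed files would no longer compile. Placing the new `VNET_DECLARE`/`#define V_tcp_always_keepalive` pair next to the existing pmtud VNET declarations rather than at the old extern's position is consistent with the header's layout and needs no change.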
@@ -767,7 +767,8 @@ SYSCTL_DECL(_net_inet_tcp_sack);
 MALLOC_DECLARE(M_TCPLOG);
 #endif
-extern int tcp_log_in_vain;
+VNET_DECLARE(int, tcp_log_in_vain);
+#define V_tcp_log_in_vain VNET(tcp_log_in_vain)
 /*
 * Global TCP tunables shared between different stacks.
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 1517eeb7ed4..d97cadceff0 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -116,9 +116,9 @@ VNET_DEFINE(int, udp_cksum) = 1;
 SYSCTL_INT(_net_inet_udp, UDPCTL_CHECKSUM, checksum, CTLFLAG_VNET | CTLFLAG_RW,
 &VNET_NAME(udp_cksum), 0, "compute udp checksum");
-int udp_log_in_vain = 0;
-SYSCTL_INT(_net_inet_udp, OID_AUTO, log_in_vain, CTLFLAG_RW,
- &udp_log_in_vain, 0, "Log all incoming UDP packets");
+VNET_DEFINE(int, udp_log_in_vain) = 0;
+SYSCTL_INT(_net_inet_udp, OID_AUTO, log_in_vain, CTLFLAG_VNET | CTLFLAG_RW,
+ &VNET_NAME(udp_log_in_vain), 0, "Log all incoming UDP packets");
 VNET_DEFINE(int, udp_blackhole) = 0;
 SYSCTL_INT(_net_inet_udp, OID_AUTO, blackhole, CTLFLAG_VNET | CTLFLAG_RW,
@@ -686,7 +686,7 @@ udp_input(struct mbuf **mp, int *offp, int proto)
 ip->ip_dst, uh->uh_dport, INPLOOKUP_WILDCARD |
 INPLOOKUP_RLOCKPCB, ifp, m);
 if (inp == NULL) {
- if (udp_log_in_vain) {
+ if (V_udp_log_in_vain) {
 char src[INET_ADDRSTRLEN];
 char dst[INET_ADDRSTRLEN];
diff --git a/sys/netinet/udp_var.h b/sys/netinet/udp_var.h
index 4ebf7531797..965bd490fdf 100644
--- a/sys/netinet/udp_var.h
+++ b/sys/netinet/udp_var.h
@@ -149,9 +149,10 @@ extern u_long udp_sendspace;
 extern u_long udp_recvspace;
 VNET_DECLARE(int, udp_cksum);
 VNET_DECLARE(int, udp_blackhole);
+VNET_DECLARE(int, udp_log_in_vain);
 #define V_udp_cksum VNET(udp_cksum)
 #define V_udp_blackhole VNET(udp_blackhole)
-extern int udp_log_in_vain;
+#define V_udp_log_in_vain VNET(udp_log_in_vain)
 static __inline struct inpcbinfo *
 udp_get_inpcbinfo(int protocol)
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index 689fe9632ad..283b284b6ec 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -481,7 +481,7 @@ udp6_input(struct mbuf **mp, int *offp, int proto)
 INPLOOKUP_WILDCARD | INPLOOKUP_RLOCKPCB,
 m->m_pkthdr.rcvif, m);
 if (inp == NULL) {
- if (udp_log_in_vain) {
+ if (V_udp_log_in_vain) {
 char ip6bufs[INET6_ADDRSTRLEN];
 char ip6bufd[INET6_ADDRSTRLEN];