Merge lp:~christof-mroz/hipl/hipfw-esp-speedup into lp:hipl

How much is the speed up?

> How much is the speed up?

See the branch description for iperf results (using VMs so far):
https://code.launchpad.net/~christof-mroz/hipl/hipfw-esp-speedup

 review needs-fixing

On Tue, Mar 22, 2011 at 04:37:59PM +0000, Christof Mroz wrote:
> Christof Mroz has proposed merging lp:~christof-mroz/hipl/hipfw-esp-speedup into lp:hipl with lp:~christof-mroz/hipl/hipfw-timeout as a prerequisite.
>
> --- firewall/conntrack.c 2011-03-22 16:37:54 +0000
> +++ firewall/conntrack.c 2011-03-22 16:37:54 +0000
> @@ -340,23 +346,154 @@
>
> + * Set up or remove iptables rules to bypass userspace processing of the
> + * SPI/destination pairs as specified by @a esp_tuple and @a dest.
> + * This can greatly improve firewall throughput.
> + *
> + * @param esp_tuple Determines the SPI.
> + * @param dest The corresponding destination address to bypass. May be
> + * a IPv6-mapped IPv4 address.
> + * @param insert Insert new rule if true, remove existing if false.
> + * @return 0 if rules were modified, non-zero otherwise.

The function returns -1, not non-zero - positive numbers are non-zero as
well, so I suggest being doubly clear here...

> + * @note This interferes, in one way or another, with userspace_ipsec,
> + * Relay, LSI, midauth, lightweight-update and esp_prot. Care was
> + * taken to not break these features though.

nit: relay

> +static int hip_fw_manage_esp_rule(const struct esp_tuple *const esp_tuple,
> + const struct in6_addr *const dest, bool insert)
> +{
> +
> + if (IN6_IS_ADDR_V4MAPPED(dest)) {
> + char daddr[INET_ADDRSTRLEN];
> + struct in_addr dest4;
> +
> + IPV6_TO_IPV4_MAP(dest, &dest4);
> + HIP_IFEL(!inet_ntop(AF_INET, &dest4, daddr, sizeof(daddr)), -1,
> + "inet_ntop: %s\n", strerror(errno));
> + } else {
> + char daddr[INET6_ADDRSTRLEN];
> + HIP_IFEL(!inet_ntop(AF_INET6, dest, daddr, sizeof(daddr)), -1,
> + "inet_ntop: %s\n", strerror(errno));
> +
> + }
> +
> +out_err:
> + return err == EXIT_SUCCESS ? 0 : -1;
> +}

I'd solve this without goto/HIP_IFEL and just return directly.

> +/**
> + * Set up or remove iptables rules to bypass userspace processing of all
> + * SPI/destination pairs associated with @a esp_tuple.
> + *
> + * @param esp_tuple Determines the SPI and all destination addresses.
> + * @param insert Insert rules if true, remove existing if false.
> + *
> + * @see hip_fw_manage_esp_rule

hip_fw_manage_esp_rule() ?

I'm not sure, just asking...

> +void hip_fw_manage_esp_tuple(const struct esp_tuple *const esp_tuple, const bool insert)

nit: break such long lines

> @@ -448,7 +588,7 @@
> * @param data the connection-related data to be inserted
> * @see remove_connection
> */
> -static void insert_new_connection(const struct hip_data *data)
> +static void insert_new_connection(const struct hip_data *data, struct hip_fw_context *ctx)

ditto

> @@ -1983,6 +2108,173 @@
>
> /**
> + * Parse one line of iptables -nvL formatted output, and extract
> + * packet count, SPI and destination IP if successful.
> + * This takes into account all kinds of rules that can are created by
> + * hip_fw_manage_esp_rule().

can are?

> + * @param spi Out: receives the SPI.
> + * @param spi Out: rece...

Hi Christof!

Thanks for
- splitting the original merge proposal into smaller chunks
- providing hard numbers to show that we really want theses changes

I don't have a test setup, so I couldn't test this feature. Code comments only.

> === modified file 'firewall/conntrack.c'
> --- firewall/conntrack.c 2011-03-22 16:37:54 +0000
> +++ firewall/conntrack.c 2011-03-22 16:37:54 +0000
> @@ -340,23 +346,154 @@
> }
>
> /**
> - * Insert an address into a list of addresses. If same address exists already,
> - * the update_id is replaced with the new value.
> - *
> - * @param addr_list the address list
> - * @param addr the address to be added
> - * @param upd_id update id
> - *
> - * @return the address list
> - */
> -static struct slist *update_esp_address(struct slist *addr_list,
> - const struct in6_addr *addr,
> - const uint32_t *upd_id)
> -{
> - struct esp_address *esp_addr = get_esp_address(addr_list, addr);
> + * Set up or remove iptables rules to bypass userspace processing of the
> + * SPI/destination pairs as specified by @a esp_tuple and @a dest.
> + * This can greatly improve firewall throughput.
> + *
> + * @param esp_tuple Determines the SPI.
> + * @param dest The corresponding destination address to bypass. May be
> + * a IPv6-mapped IPv4 address.
> + * @param insert Insert new rule if true, remove existing if false.
> + * @return 0 if rules were modified, non-zero otherwise.
> + *
> + * @note This feature may be turned off completely by the -u command line option.
> + * It is also automatically deactivated for connections that demand
> + * more advanced connection tracking.
> + * In these cases, -1 is returned even though there was not even an
> + * attempt to modify rules.
> + *
> + * @note This interferes, in one way or another, with userspace_ipsec,
> + * Relay, LSI, midauth, lightweight-update and esp_prot. Care was
> + * taken to not break these features though.
> + *
> + * @see update_esp_address()
> + * @see free_esp_tuple()
> + * @see ::esp_speedup
> + */
> +static int hip_fw_manage_esp_rule(const struct esp_tuple *const esp_tuple,
> + const struct in6_addr *const dest, bool insert)

[M] 'const bool insert' for const correctness

> +/**
> + * Insert a destination address into an esp_tuple. If same address exists already,
> + * the update_id is replaced with the new value instead.
> + *
> + * @param esp_tuple the esp tuple
> + * @param addr the address to be added
> + * @param upd_id update id
> + */
> +static void update_esp_address(struct esp_tuple *esp_tuple,
> + const struct in6_addr *addr,
> + const uint32_t *upd_id)

[M] const correctness

> @@ -367,7 +504,7 @@
> *esp_addr->update_id = *upd_id;
> }
> HIP_DEBUG("update_esp_address: found and updated\n");
> - return addr_list;
> + return;
> }
> esp_addr = malloc(sizeof(struct esp_address));
> memcpy(&esp_addr->dst_addr, addr, sizeof(struct in6_addr));

[H] not you...

On Sun, Mar 27, 2011 at 09:54:13PM +0000, Stefan Götz wrote:
>
> > === modified file 'firewall/conntrack.c'
> > --- firewall/conntrack.c 2011-03-22 16:37:54 +0000
> > +++ firewall/conntrack.c 2011-03-22 16:37:54 +0000
> > @@ -340,23 +346,154 @@
> >
> > +static int hip_fw_manage_esp_rule(const struct esp_tuple *const esp_tuple,
> > + const struct in6_addr *const dest, bool insert)
>
> [M] 'const bool insert' for const correctness

What's the point of adding const to a non-pointer value passed
to a function?

> > @@ -448,7 +588,7 @@
> > * @param data the connection-related data to be inserted
>
> [M] the 'ctx' parameter is not documented

Christof, does your code pass 'make alltests'? This should likely
be caught by 'make doxygen', which is a part of 'make alltests'.

Apparently we should create some sort of checklist to run through
before submitting merge proposals...

Diego

On Sun, 27 Mar 2011 21:54:13 +0000
Stefan Götz <email address hidden> wrote:

> > + * @return true if rule was valid and output was
> > written,
> > + * false otherwise
>
> [L] Again, when is a rule 'valid'?

Explaining the input format in detail would be reciting the
implementation, I think. It already states that rules set up by
hip_fw_manage_esp_rule() are covered, which is the important info.

> > + * @param now We consider this the current time.
> > + * @return Number of rules that were identified with an
> > esp tuple.
> > + * Not necessarily the number of tuples updated.
> > + *
> > + * @note This function doesn't clear the packet counters itself.
>
> [M] Reading and zeroing the packet counters should be done atomically
> with a single command line invocation. Otherwise, a packet might
> arrive in between and the ESP rule would be deleted even though it
> was still active.

Good point. Didn't find a way to zero out individual rules though.

> > + *
> > + * @todo De-uglify this. You may be tempted to statically link in
> > libiptc,
> > + * and I'd generally approve of it because while it was
> > never meant
> > + * to be used publicly, quite some projects have relied on
> > it without
> > + * burning their fingers too badly for a long time now. But
> > on the
> > + * other hand, there's the impending nftables release that
> > will render
> > + * all your hard work obsolete anyway. I'd rather suggest
> > waiting for
> > + * a post-alpha release of libnl_nft before wasting your
> > time...
> > + * --cmroz, oct 2010
>
> [M] I find this confusing. First, the @todo says that this
> functionality should not be implemented as is but via libiptc
> instead. Then it says the implementation should stay the way it is.
> So is this really a @todo? Or is the @todo the update to libnl_nft?

The TODO applies to "de-uglify this", everything else is just a hint. Would you degrade it to a @note?

Alternatively, we could also discuss the issue right now and get rid of that paragraph altogether. Controlling iptables via shell may not be pretty, but using libiptc instead would blow up the code considerably in most cases, without real benefit. The only counterexample (that I know of), where libiptc could atually simplify matters, would be the ESP speedups introduced in this branch.

But pulling in a new lib because of that? Sounds like overkill.
Also, I bet there are many scripts out there that depend on the current output format, so the netfilter team will be careful not to change it unnecessarily.

Some months later, I'm not so sure anymore that iptables will be obsoleted in the near future.

> > + */
> > +static unsigned int detect_esp_rule_activity(const char *const cmd,
> > + const time_t now)
> > +{
> > +
> > + unsigned int ret = 0;
> > + bool chain_ok = false;
> > + char bfr[256];
> > + FILE *p;
> > +
> > + if (!(p = popen(cmd, "r"))) {
> > + HIP_ERROR("popen(\"%s\"): %s\n", cmd, strerror(errno));
> > + return 0;
> > + }
> > +
> > + ...

Hi Diego!

>> > +static int hip_fw_manage_esp_rule(const struct esp_tuple *const esp_tuple,
>> > +                                  const struct in6_addr *const dest, bool insert)
>>
>> [M] 'const bool insert' for const correctness
>
> What's the point of adding const to a non-pointer value passed
> to a function?

doc/HACKING encourages const correctness, including the case of
function parameters (regardless of whether they are pointers or not).
The given code violates this policy. That's why I remarked on it.
Maybe I misunderstood your question?

Stefan

Hi Christof!

On Mon, Mar 28, 2011 at 3:46 PM, Christof Mroz <email address hidden> wrote:
> On Sun, 27 Mar 2011 21:54:13 +0000
> Stefan Götz <email address hidden> wrote:
>
>> > + * @return true if rule was valid and output was
>> > written,
>> > + * false otherwise
>>
>> [L] Again, when is a rule 'valid'?
>
> Explaining the input format in detail would be reciting the
> implementation, I think. It already states that rules set up by
> hip_fw_manage_esp_rule() are covered, which is the important info.

Yes, I agree. What I meant was: it is not obvious, that 'rule' == 'input'. Consequently, you can give this function perfectly valid output from 'iptables -nvL' and that function would still return false - simply because not all output lines from 'iptables -nvL' are rules. That, however does not become clear from the documentation. Why I'm such a PITA about documentation here is that it's fairly difficult to correctly interpret the documentation without having read the source code in this case. Something like '@return true if @a input could be parsed as an ESP rule and the output parameters were set to the according values, false otherwise' is all I need to understand this better.

>> [M] Reading and zeroing the packet counters should be done atomically
>> with a single command line invocation. Otherwise, a packet might
>> arrive in between and the ESP rule would be deleted even though it
>> was still active.
>
> Good point. Didn't find a way to zero out individual rules though.

Yepp, it's not possible for individual rules, but you can combine the '-L' option for iptables with the '-Z' option for a particular chain to read and reset the counters atomically.

>> [M] I find this confusing. First, the @todo says that this
>> functionality should not be implemented as is but via libiptc
>> instead. Then it says the implementation should stay the way it is.
>> So is this really a @todo? Or is the @todo the update to libnl_nft?
>
> The TODO applies to "de-uglify this", everything else is just a hint. Would you degrade it to a @note?
>
> Alternatively, we could also discuss the issue right now and get rid of that paragraph altogether. Controlling iptables via shell may not be pretty, but using libiptc instead would blow up the code considerably in most cases, without real benefit. The only counterexample (that I know of), where libiptc could atually simplify matters, would be the ESP speedups introduced in this branch.
>
> But pulling in a new lib because of that? Sounds like overkill.
> Also, I bet there are many scripts out there that depend on the current output format, so the netfilter team will be careful not to change it unnecessarily.
>
> Some months later, I'm not so sure anymore that iptables will be obsoleted in the near future.

Okay, now I have all the information :-) This should go into a @note in order to justify your decision for parsing iptables output so every other developer doesn't have to scratch their heads as to why this route was chosen. I don't think we need 'to do' anything about this code at all.

>> > + if (strncmp(bfr, "Chain", 5) == 0) {
>> > + chain_ok =...

Hi Christof!

> === modified file 'firewall/conntrack.c'
> +static void update_esp_address(struct esp_tuple *esp_tuple,

[M] would 'struct esp_tuple *const esp_tuple' work for better const correctness?

> /**
> + * Parse one line of iptables -nvL formatted output, and extract
> + * packet count, SPI and destination IP if it is valid and packet count is
> + * not zero.

[L] What is the acceptable/supported format? 'iptables -nvL' output might differ based on version or translation. Examples would be sufficient.

[M] The functions hip_fw_manage_esp_tuple() and system_printf() are not covered by unit tests.

 review abstain

I'm fine with the merge proposal now, some minor comments below.
All you need to pass now is Stefan's review :)

On Mon, Mar 28, 2011 at 02:06:47PM +0000, Christof Mroz wrote:
> Christof Mroz has proposed merging lp:~christof-mroz/hipl/hipfw-esp-speedup into lp:hipl with lp:~christof-mroz/hipl/hipfw-timeout as a prerequisite.
>
> --- firewall/conntrack.c 2011-03-28 14:06:39 +0000
> +++ firewall/conntrack.c 2011-03-28 14:06:40 +0000
> @@ -1984,6 +2114,174 @@
>
> + if ((str_spi = strstr(input, "spi:"))) {
> + // non-UDP
> + if (sscanf(str_spi, "spi:%u", spi) < 1) {
> + HIP_ERROR("Unexpected iptables output (spi): '%s'\n", input);
> + return false;
> + }
> + } else if ((str_spi = strstr(input, u32_prefix))) {
> + // UDP
> + // spi follows u32_prefix string as a hex number
> + // (always host byte order)
> + if (sscanf(&str_spi[sizeof(u32_prefix) - 1], "%x", spi) < 1) {
> + HIP_ERROR("Unexpected iptables output (u32 match): '%s'\n", input);
> + return false;
> + }
> + } else {
> + // no SPI specified, so it's no ESP rule
> + return false;
> + }
> +
> + // grab packet count and destination IP.
> + if (sscanf(input, formats[0], packet_count, ip) < 2) {
> + // retry with alternative format before we give up
> + if (sscanf(input, formats[1], packet_count, ip) < 2) {
> + HIP_ERROR("Unexpected iptables output (number of colums): '%s'\n", input);
> + return false;
> + }
> + }

All the inner if-conditions could be folded into the outer if-conditions.

> + while (fgets(bfr, sizeof(bfr), p)) {
> + if (strncmp(bfr, "Chain", 5) == 0) {
> + chain_ok = (strncmp(bfr, "Chain HIPFW-INPUT", 17) == 0) ||
> + (strncmp(bfr, "Chain HIPFW-OUTPUT", 18) == 0) ||
> + (strncmp(bfr, "Chain HIPFW-FORWARD", 19) == 0);

nit: The () are unnecessary.

> --- firewall/pisa.c 2011-01-14 15:53:02 +0000
> +++ firewall/pisa.c 2011-03-28 14:06:40 +0000
> @@ -311,6 +311,12 @@
> if (t) {
> t->connection->pisa_state = PISA_STATE_ALLOW;
> HIP_INFO("PISA accepted the connection.\n");
> +
> + struct slist *lst = t->esp_tuples;
> + while (lst) {
> + hip_fw_manage_esp_tuple(lst->data, true);
> + lst = lst->next;
> + }
> } else {
> HIP_ERROR("Connection not found.\n");
> }
> @@ -329,6 +335,15 @@
> if (t) {
> t->connection->pisa_state = PISA_STATE_DISALLOW;
> + HIP_INFO("PISA removed the connection.\n");
> +
> + struct slist *lst = t->esp_tuples;
> + while (lst) {
> + hip_fw_manage_esp_tuple(lst->data, false);
> + lst = lst->next;
> + }
> + } else {
> + HIP_ERROR("Connection not found.\n");
> }
> }

This might be worth moving into its own function to avoid the
code duplication.

Diego

On Mon, Mar 28, 2011 at 03:50:51PM +0000, Stefan Götz wrote:
>
> >> > +static int hip_fw_manage_esp_rule(const struct esp_tuple *const esp_tuple,
> >> > +                                  const struct in6_addr *const dest, bool insert)
> >>
> >> [M] 'const bool insert' for const correctness
> >
> > What's the point of adding const to a non-pointer value passed
> > to a function?
>
> doc/HACKING encourages const correctness, including the case of
> function parameters (regardless of whether they are pointers or not).
> The given code violates this policy. That's why I remarked on it.

Yes, of course.

> Maybe I misunderstood your question?

I'm wondering aloud if it makes sense to enforce const correctness for
values passed to a function as ints. Modifying such values will not
have side effects since they are only used in the function.

So I'm wondering if it makes sense to demand const correctness for such
values or if it's just a pointless bother for the programmer.

Note that I don't have an answer, I'm wondering and I'm interested in
hearing opinions.

Diego

> I'm wondering aloud if it makes sense to enforce const correctness for
> values passed to a function as ints.  Modifying such values will not
> have side effects since they are only used in the function.

1) True, a modified function argument has no side effect outside the function.

2) This is not about external side effects. This is about keeping a
variable value constant within its scope if it is *intended* not to
change. By extension of your argument (and to annoy you a bit), we
don't need to mark global constants as 'const' anymore because these
'const's are a bother to everyone as long as they either painstakingly
check that these intended constants are never modified during runtime.
Or because such a modification has no side effects outside the running
process anyway.

> Note that I don't have an answer, I'm wondering and I'm interested in
> hearing opinions.

My opinion, I guess, is clear :) When an L-Value (variable/argument)
can be const, it should be const. I think it is good programming
practice and a good policy to let the compiler help where it can.

Stefan

On Mon, 28 Mar 2011 18:11:00 +0200, Stefan Götz
<email address hidden> wrote:

>>> [L] Again, when is a rule 'valid'?
>>
>> Explaining the input format in detail would be reciting the
>> implementation, I think. It already states that rules set up by
>> hip_fw_manage_esp_rule() are covered, which is the important info.
>
> Yes, I agree. What I meant was: it is not obvious, that 'rule' ==
> 'input'.

Ah I see what you meant in the last comment now.

> Something like '@return true if @a input could be parsed as an ESP
> rule and the output parameters were set to the according values, false
> otherwise'

Thanks, I'll plagiarize that.

On Mon, 28 Mar 2011 19:03:34 +0200, Diego Biurrun <email address hidden> wrote:

> I'm fine with the merge proposal now, some minor comments below.
> All you need to pass now is Stefan's review :)

Hooray! On to the final boss.

>> + // grab packet count and destination IP.
>> + if (sscanf(input, formats[0], packet_count, ip) < 2) {
>> + // retry with alternative format before we give up
>> + if (sscanf(input, formats[1], packet_count, ip) < 2) {
>> + HIP_ERROR("Unexpected iptables output (number of colums):
>> '%s'\n", input);
>> + return false;
>> + }
>> + }
>
> All the inner if-conditions could be folded into the outer if-conditions.

It's more readable this way IMO.

>> --- firewall/pisa.c 2011-01-14 15:53:02 +0000
>> +++ firewall/pisa.c 2011-03-28 14:06:40 +0000
>> @@ -311,6 +311,12 @@
>> if (t) {
>> t->connection->pisa_state = PISA_STATE_ALLOW;
>> HIP_INFO("PISA accepted the connection.\n");
>> +
>> + struct slist *lst = t->esp_tuples;
>> + while (lst) {
>> + hip_fw_manage_esp_tuple(lst->data, true);
>> + lst = lst->next;
>> + }
>> } else {
>> HIP_ERROR("Connection not found.\n");
>> }
>> @@ -329,6 +335,15 @@
>> if (t) {
>> t->connection->pisa_state = PISA_STATE_DISALLOW;
>> + HIP_INFO("PISA removed the connection.\n");
>> +
>> + struct slist *lst = t->esp_tuples;
>> + while (lst) {
>> + hip_fw_manage_esp_tuple(lst->data, false);
>> + lst = lst->next;
>> + }
>> + } else {
>> + HIP_ERROR("Connection not found.\n");
>> }
>> }
>
> This might be worth moving into its own function to avoid the
> code duplication.

OK, Good idea.

On Tue, Mar 29, 2011 at 07:30:58PM +0000, Christof Mroz wrote:
> On Mon, 28 Mar 2011 19:03:34 +0200, Diego Biurrun <email address hidden> wrote:
>
> > I'm fine with the merge proposal now, some minor comments below.
> > All you need to pass now is Stefan's review :)
>
> Hooray! On to the final boss.

:)

> >> + // grab packet count and destination IP.
> >> + if (sscanf(input, formats[0], packet_count, ip) < 2) {
> >> + // retry with alternative format before we give up
> >> + if (sscanf(input, formats[1], packet_count, ip) < 2) {
> >> + HIP_ERROR("Unexpected iptables output (number of colums):
> >> '%s'\n", input);
> >> + return false;
> >> + }
> >> + }
> >
> > All the inner if-conditions could be folded into the outer if-conditions.
>
> It's more readable this way IMO.

I disagree, you also get rid of one level of indentation and semantically
it's one big condition, not two where something might also happen if the
second is not fulfilled. Use your own judgement...

Diego