<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src-test/sys/netinet, branch main</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src-test/atom?h=main</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src-test/atom?h=main'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/'/>
<updated>2020-12-23T17:03:47Z</updated>
<entry>
<title>Improve input validation for parameters in ASCONF and ASCONF-ACK chunks</title>
<updated>2020-12-23T17:03:47Z</updated>
<author>
<name>Michael Tuexen</name>
<email>tuexen@FreeBSD.org</email>
</author>
<published>2020-12-23T17:03:47Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=0ec2ce0d32735e14708653ea08da055816f3f817'/>
<id>urn:sha1:0ec2ce0d32735e14708653ea08da055816f3f817</id>
<content type='text'>
Thanks to Tolya Korniltsev for drawing my attention to this part of the
code by reporting an issue for the userland stack.
</content>
</entry>
<entry>
<title>Filter TCP connections to SO_REUSEPORT_LB listen sockets by NUMA domain</title>
<updated>2020-12-19T22:04:46Z</updated>
<author>
<name>Andrew Gallatin</name>
<email>gallatin@FreeBSD.org</email>
</author>
<published>2020-12-19T22:04:46Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=a034518ac8793059220af22e6ab25f84c5a6ddb8'/>
<id>urn:sha1:a034518ac8793059220af22e6ab25f84c5a6ddb8</id>
<content type='text'>
In order to efficiently serve web traffic on a NUMA
machine, one must avoid as many NUMA domain crossings as
possible. With SO_REUSEPORT_LB, a number of workers can share a
listen socket. However, even if a worker sets affinity to a core
or set of cores on a NUMA domain, it will receive connections
associated with all NUMA domains in the system. This will lead to
cross-domain traffic when the server writes to the socket or
calls sendfile(), and memory is allocated on the server's local
NUMA node, but transmitted on the NUMA node associated with the
TCP connection. Similarly, when the server reads from the socket,
he will likely be reading memory allocated on the NUMA domain
associated with the TCP connection.

This change provides a new socket ioctl, TCP_REUSPORT_LB_NUMA. A
server can now tell the kernel to filter traffic so that only
incoming connections associated with the desired NUMA domain are
given to the server. (Of course, in the case where there are no
servers sharing the listen socket on some domain, then as a
fallback, traffic will be hashed as normal to all servers sharing
the listen socket regardless of domain). This allows a server to
deal only with traffic that is local to its NUMA domain, and
avoids cross-domain traffic in most cases.

This patch, and a corresponding small patch to nginx to use
TCP_REUSPORT_LB_NUMA allows us to serve 190Gb/s of kTLS encrypted
https media content from dual-socket Xeons with only 13% (as
measured by pcm.x) cross domain traffic on the memory controller.

Reviewed by:	jhb, bz (earlier version), bcr (man page)
Tested by: gonzo
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D21636
</content>
</entry>
<entry>
<title>Harden the handling of outgoing streams in case of a restart or INIT</title>
<updated>2020-12-13T23:51:51Z</updated>
<author>
<name>Michael Tuexen</name>
<email>tuexen@FreeBSD.org</email>
</author>
<published>2020-12-13T23:51:51Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=0066de1c4b72e9283e2098f4db6aea77832ea0ad'/>
<id>urn:sha1:0066de1c4b72e9283e2098f4db6aea77832ea0ad</id>
<content type='text'>
collision. This avoids an out-of-bounds access in case the peer can
break the cookie signature. Thanks to Felix Wilhelm from Google for
reporting the issue.

MFC after:		1 week
</content>
</entry>
<entry>
<title>Clean up more resources of an existing SCTP association in case of</title>
<updated>2020-12-12T22:23:45Z</updated>
<author>
<name>Michael Tuexen</name>
<email>tuexen@FreeBSD.org</email>
</author>
<published>2020-12-12T22:23:45Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=aa6db9a045345e45a95dc9765780e38273b62767'/>
<id>urn:sha1:aa6db9a045345e45a95dc9765780e38273b62767</id>
<content type='text'>
a restart.

This fixes a use-after-free scenario, which was reported by Felix
Wilhelm from Google in case a peer is able to modify the cookie.
However, this can also be triggered by an association restart under
some specific conditions.

MFC after:		1 week
</content>
</entry>
<entry>
<title>Add TCP feature Proportional Rate Reduction (PRR) - RFC6937</title>
<updated>2020-12-04T11:29:27Z</updated>
<author>
<name>Richard Scheffenegger</name>
<email>rscheff@FreeBSD.org</email>
</author>
<published>2020-12-04T11:29:27Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=0e1d7c25c5ab4014eb5ddd7676a1b64041a57d17'/>
<id>urn:sha1:0e1d7c25c5ab4014eb5ddd7676a1b64041a57d17</id>
<content type='text'>
PRR improves loss recovery and avoids RTOs in a wide range
of scenarios (ACK thinning) over regular SACK loss recovery.

PRR is disabled by default, enable by net.inet.tcp.do_prr = 1.
Performance may be impeded by token bucket rate policers at
the bottleneck, where net.inet.tcp.do_prr_conservate = 1
should be enabled in addition.

Submitted by:	Aris Angelogiannopoulos
Sponsored by:	NetApp, Inc.
Differential Revision:	https://reviews.freebsd.org/D18892
</content>
</entry>
<entry>
<title>Remove RADIX_MPATH config option.</title>
<updated>2020-11-29T19:43:33Z</updated>
<author>
<name>Alexander V. Chernikov</name>
<email>melifaro@FreeBSD.org</email>
</author>
<published>2020-11-29T19:43:33Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=d1d941c5b910e075495cb06b92a99d3a3e7a3d6c'/>
<id>urn:sha1:d1d941c5b910e075495cb06b92a99d3a3e7a3d6c</id>
<content type='text'>
ROUTE_MPATH is the new config option controlling new multipath routing
 implementation. Remove the last pieces of RADIX_MPATH-related code and
 the config option.

Reviewed by:	glebius
Differential Revision:	https://reviews.freebsd.org/D27244
</content>
</entry>
<entry>
<title>Refactor fib4/fib6 functions.</title>
<updated>2020-11-29T13:41:49Z</updated>
<author>
<name>Alexander V. Chernikov</name>
<email>melifaro@FreeBSD.org</email>
</author>
<published>2020-11-29T13:41:49Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=b712e3e343c1437d28c90e9da28e7339426ba8e2'/>
<id>urn:sha1:b712e3e343c1437d28c90e9da28e7339426ba8e2</id>
<content type='text'>
No functional changes.

* Make lookup path of fib&lt;4|6&gt;_lookup_debugnet() separate functions
 (fib&lt;46&gt;_lookup_rt()). These will be used in the control plane code
 requiring unlocked radix operations and actual prefix pointer.
* Make lookup part of fib&lt;4|6&gt;_check_urpf() separate functions.
 This change simplifies the switch to alternative lookup implementations,
 which helps algorithmic lookups introduction.
* While here, use static initializers for IPv4/IPv6 keys

Differential Revision:	https://reviews.freebsd.org/D27405
</content>
</entry>
<entry>
<title>Fix two occurrences of a typo in a comment introduced in r367530.</title>
<updated>2020-11-23T10:13:56Z</updated>
<author>
<name>Michael Tuexen</name>
<email>tuexen@FreeBSD.org</email>
</author>
<published>2020-11-23T10:13:56Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=75fcd27ac28333bc204947400f21f7a3ac81fb28'/>
<id>urn:sha1:75fcd27ac28333bc204947400f21f7a3ac81fb28</id>
<content type='text'>
Reported by:		lstewart@
MFC after:		1 week
Differential Revision:	https://reviews.freebsd.org/D27148
</content>
</entry>
<entry>
<title>Refactor rib iterator functions.</title>
<updated>2020-11-22T20:21:10Z</updated>
<author>
<name>Alexander V. Chernikov</name>
<email>melifaro@FreeBSD.org</email>
</author>
<published>2020-11-22T20:21:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=7511a638255051fa0bf18a945cb04bfa513c9242'/>
<id>urn:sha1:7511a638255051fa0bf18a945cb04bfa513c9242</id>
<content type='text'>
* Make rib_walk() order of arguments consistent with the rest of RIB api
* Add rib_walk_ext() allowing to exec callback before/after iteration.
* Rename rt_foreach_fib_walk_del -&gt; rib_foreach_table_walk_del
* Rename rt_foreach_fib_walk -&gt; rib_foreach_table_walk
* Move rib_foreach_table_walk{_del} to route/route_helpers.c
* Slightly refactor rib_foreach_table_walk{_del} to make the implementation
 consistent and prepare for upcoming iterator optimizations.

Differential Revision:	https://reviews.freebsd.org/D27219
</content>
</entry>
<entry>
<title>Fix an issue I introduced in r367530: tcp_twcheck() can be called</title>
<updated>2020-11-20T13:00:28Z</updated>
<author>
<name>Michael Tuexen</name>
<email>tuexen@FreeBSD.org</email>
</author>
<published>2020-11-20T13:00:28Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src-test/commit/?id=47384244f90374f5e27eb749cfe0edabf93c62e5'/>
<id>urn:sha1:47384244f90374f5e27eb749cfe0edabf93c62e5</id>
<content type='text'>
with to == NULL for SYN segments. So don't assume tp != NULL.
Thanks to jhb@ for reporting and suggesting a fix.

PR:			250499
MFC after:		1 week
XMFC-with:		r367530
Sponsored by:		Netflix, Inc.
</content>
</entry>
</feed>
