From 2cef62886dc7c33ca01f70ca712845da1e55b470 Mon Sep 17 00:00:00 2001
From: "Alexander V. Chernikov"
Date: Fri, 15 Sep 2023 12:06:59 +0200
Subject: pf: convert state retrieval to netlink

Use netlink to export pf's state table.

The primary motivation is to improve how we deal with very large state tables. With the previous implementation we had to build the entire list (both in the kernel and in userspace) before we could start processing. With netlink we start to get data in userspace while the kernel is still generating more. This reduces peak memory consumption (which can get to the GB range once we hit millions of states).

Netlink also makes future extension easier, in that we can easily add fields to the state export without breaking userspace. In that regard it's similar to an nvlist-based approach, except that it also deals with transport to userspace and that it performs significantly better than nvlists.

Testing has failed to measure a performance difference between the previous struct-copy based ioctl and the netlink approach.

Differential Revision: https://reviews.freebsd.org/D38888
---
include/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'include')

diff --git a/include/Makefile b/include/Makefile index 736a47854534..5a3cb66eb3e3 100644 --- a/include/Makefile +++ b/include/Makefile @@ -215,7 +215,8 @@ IPFILTERDIR= ${INCLUDEDIR}/netinet .PATH: ${SRCTOP}/sys/netpfil/pf PF= pf.h \ pf_altq.h \ - pf_mtag.h + pf_mtag.h \ + pf_nl.h PFPACKAGE= pf PFDIR= ${INCLUDEDIR}/netpfil/pf
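Review bot: adding pf_nl.h to the PF list in include/Makefile installs it under ${INCLUDEDIR}/netpfil/pf, which makes its netlink attribute and message definitions a public userland interface rather than a kernel-internal header; since the commit message relies on being able to add fields "without breaking userspace", the header should state (in a comment at its top, or in the commit message) that existing attribute identifiers are fixed and new ones are append-only, so that the ABI promise this install implies is actually kept. The kernel exporter and the userspace consumer are not visible in this view (the diff is limited to 'include'), so that contract cannot be checked from this hunk alone; the Makefile edit itself is consistent with the existing list (continuation backslash moved to pf_mtag.h, entries kept in alphabetical order).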