initial import from svn. Compiles with the new code NETMAP_API 11

Author: Luigi Rizzo

BSDmakefile

@@ -0,0 +1,3 @@
+# forward to use gmake
+all $(.TARGETS) :
+	gmake MAKE=gmake $(.TARGETS)

Makefile

@@ -0,0 +1,37 @@
+#
+# This is a gnu makefile to build ipfw in userspace.
+# Usage:
+#
+#	make NETMAP_INC=/some/place/with/netmap-release/sys
+#
+# build with make NETMAP_INC=/place/with/netmap/sys
+
+SUBDIRS= ipfw dummynet
+.PHONY:	ipfw kipfw
+
+include Makefile.inc
+all: ipfw kipfw
+
+ipfw: $(OBJDIR)
+	$(MSG) Building userspace ...
+	@(cd ipfw && $(MAKE) $(MAKECMDGOALS) )
+
+$(OBJDIR):
+	-@mkdir $(OBJDIR)
+
+kipfw: $(OBJDIR)
+	$(MSG) Building datapath ...
+	@(cd $(OBJDIR) && $(MAKE) -f ../Makefile.kipfw && cp kipfw ..)
+
+clean:
+	-@rm -rf $(OBJDIR) kipfw
+	@(cd ipfw && $(MAKE) clean )
+
+tgz:
+	@$(MAKE) clean
+	(cd ..; tar cvzf /tmp/ipfw-user.tgz --exclude .svn ipfw-user)
+
+# compute diffs wrt FreeBSD head tree in BSD_HEAD
+diffs:
+	-@diff -urp --exclude Makefile $(BSD_HEAD)/sbin/ipfw ipfw
+	-@diff -urp --exclude Makefile $(BSD_HEAD)/sys sys

Makefile.inc

@@ -0,0 +1,28 @@
+#
+# this is a gnu makefile
+
+BSD_HEAD ?= /home/luigi/FreeBSD/head
+NETMAP_INC ?= ../netmap-release/sys
+
+OBJDIR=objs
+OSARCH := $(shell uname)
+OSARCH := $(findstring $(OSARCH),FreeBSD Linux Darwin)
+ifeq ($(OSARCH),)
+    OSARCH := Windows
+endif
+
+ifeq ($V,) # no echo
+    MSG=@echo
+    HIDE=@
+else
+    MSG=@\#
+    HIDE=
+endif
+
+# ipfw and kipfw are built in subdirs so the paths for
+# headers refer to one directory up
+INCDIRS += -I ../$(OBJDIR)/include_e -DEMULATE_SYSCTL
+INCDIRS += -I ../sys -I ../extra/sys -I ../extra/sys/contrib/pf
+.c.o:
+	$(MSG) "   CC $<"
+	$(HIDE) $(CC) $(CFLAGS) -c $< -o $@

Makefile.kipfw

@@ -0,0 +1,165 @@
+# gnu Makefile to build a userland version of the 
+# kernel code for ipfw+dummynet
+#
+# The kernel code is compiled with appropriate flags to make
+# it see a kernel-like environment.
+# The userland emulation code is compiler with regular flags.
+
+# M is the current directory, used in recursive builds
+# so we allow it to be overridden
+include ../Makefile.inc
+VPATH = ../extra:../sys/netpfil/ipfw:../sys/netinet:../sys/net
+M ?= $(shell pwd)
+OBJPATH = $(M)/../$(OBJDIR)
+
+ifeq ($(OSARCH),Darwin)
+	CFLAGS2 += -D__BSD_VISIBLE
+	EFILES_.	+= libutil.h
+	EFILES_sys	+= condvar.h priv.h _lock.h rmlock.h
+	EFILES_machine	+= in_cksum.h
+	EFILES_netinet	+= ip_carp.h pim.h sctp.h
+	EFILES_net	+= netisr.h vnet.h
+endif
+
+ifeq ($(OSARCH),Linux)
+	CFLAGS2		+= -D__BSD_VISIBLE
+	CFLAGS2		+= -include ../extra/linux_defs.h
+	CFLAGS2		+= -Wno-unused-but-set-variable
+	EFILES_.	+= libutil.h
+	EFILES_sys	+= condvar.h priv.h _lock.h rmlock.h
+	EFILES_sys	+= lock.h ucred.h # taskqueue.h
+	EFILES_sys	+= sockio.h
+	EFILES_machine	+= in_cksum.h
+	EFILES_netinet	+= in_pcb.h ip_carp.h pim.h sctp.h tcp_var.h
+	EFILES_net	+= if_types.h bpf.h netisr.h vnet.h
+	EFILES_linux	+= module.h
+endif
+
+ifeq ($(OSARCH),Windows)
+	CFLAGS2		+= -D__BSD_VISIBLE
+#	CFLAGS2		+= -include ../extra/linux_defs.h
+	CFLAGS2		+= -Wno-unused-but-set-variable
+#	EFILES_.	+= libutil.h
+#	EFILES_sys	+= condvar.h priv.h _lock.h rmlock.h
+#	EFILES_sys	+= lock.h ucred.h # taskqueue.h
+#	EFILES_sys	+= sockio.h
+#	EFILES_machine	+= in_cksum.h
+#	EFILES_netinet	+= in_pcb.h ip_carp.h pim.h sctp.h tcp_var.h
+#	EFILES_net	+= if_types.h bpf.h netisr.h vnet.h
+#	EFILES_linux	+= module.h
+	EFILES_sys	+= sockio.h
+	EFILES_net	+= ethernet.h
+	EFILES_sys	+= condvar.h priv.h socketvar.h ucred.h
+	EFILES_net	+= vnet.h
+	EFILES_netinet	+= in_pcb.h ip_carp.h pim.h sctp.h tcp_var.h
+endif
+
+NETMAP_FLAGS = -DWITH_NETMAP -I$(NETMAP_INC)
+
+E_CFLAGS += $(INCDIRS)
+E_CFLAGS += -include $(M)/../extra/glue.h		# headers
+E_CFLAGS += -include $(M)/../extra/missing.h		# headers
+E_CFLAGS += -O2 -Wall -Werror -fno-strict-aliasing
+E_CFLAGS += -g
+E_CFLAGS += -DKERNEL_SIDE	# build the kernel side of the firewall
+E_CFLAGS += -DUSERSPACE	# communicate through userspace
+E_CFLAGS += $(EFLAGS) $(NETMAP_FLAGS)
+E_CFLAGS += -DINET
+E_CFLAGS += -DIPFIREWALL_DEFAULT_TO_ACCEPT
+E_CFLAGS += -D_BSD_SOURCE 
+# many of the kernel headers need _KERNEL
+E_CFLAGS += -D_KERNEL
+E_CFLAGS += $(CFLAGS2)
+
+#ipfw + dummynet section, other parts are not compiled in
+SRCS_IPFW	 = ip_fw2.c ip_fw_pfil.c ip_fw_sockopt.c
+SRCS_IPFW	+= ip_fw_dynamic.c ip_fw_table.c
+SRCS_IPFW	+= ip_fw_log.c
+SRCS_IPFW	+= ip_dummynet.c ip_dn_io.c ip_dn_glue.c
+SRCS_IPFW	+= dn_heap.c
+SRCS_IPFW	+= dn_sched_fifo.c dn_sched_wf2q.c
+SRCS_IPFW	+= dn_sched_rr.c dn_sched_qfq.c
+SRCS_IPFW	+= dn_sched_prio.c
+SRCS_NET	 = radix.c
+SRCS_NETINET	 = in_cksum.c
+# Module glue and functions missing in linux
+IPFW_SRCS	= $(SRCS_IPFW) $(SRCS_NET) $(SRCS_NETINET)
+IPFW_SRCS += ipfw2_mod.c # bsd_compat.c
+
+IPFW_SRCS += missing.c session.c netmap_io.c
+IPFW_CFLAGS= -DINET
+
+E_CFLAGS += -Dradix
+MOD := kipfw
+
+LIBS= -lpthread
+CFLAGS = $(E_CFLAGS)
+
+IPFW_OBJS= $(IPFW_SRCS:%.c=%.o)
+
+all: include_e $(MOD)
+
+# entries to create empty files
+EFILES_.	+= opt_inet.h opt_ipsec.h opt_ipdivert.h
+EFILES_.	+= opt_inet6.h opt_ipfw.h opt_mpath.h
+EFILES_.	+= opt_mbuf_stress_test.h opt_param.h
+EFILES_.	+= timeconv.h
+
+EFILES_altq	+= if_altq.h
+
+EFILES_net	+= if_var.h route.h if_clone.h
+EFILES_netpfil/pf	+= pf_mtag.h
+EFILES_netinet	+= in_var.h ip_var.h udp_var.h
+EFILES_netinet6	+= ip6_var.h
+EFILES_sys	+= proc.h sockopt.h sysctl.h
+# new
+EFILES_sys	+= mutex.h _mutex.h _rwlock.h rwlock.h
+EFILES_sys	+= eventhandler.h
+EFILES_sys	+= jail.h ktr.h
+
+#EFILES += sys/_lock.h sys/_rwlock.h sys/rwlock.h sys/rmlock.h sys/_mutex.h sys/mutex.h
+#EFILES += sys/condvar.h sys/eventhandler.h # sys/domain.h
+#EFILES += sys/limits.h sys/lock.h sys/mutex.h sys/priv.h
+#EFILES += sys/proc.h sys/rwlock.h sys/socket.h sys/socketvar.h
+#EFILES += sys/sysctl.h sys/time.h sys/ucred.h
+
+
+#EFILES += vm/uma_int.h vm/vm_int.h vm/uma_dbg.h
+#EFILES += vm/vm_dbg.h vm/vm_page.h vm/vm.h
+#EFILES += sys/rwlock.h sys/sysctl.h
+
+# first make a list of directories from variable names
+EDIRS= $(subst EFILES_,,$(filter EFILES_%,$(.VARIABLES)))
+# then prepend the directory name to individual files.
+#       $(empty) serves to interpret the following space literally,
+#       and the ":  = " substitution packs spaces into one.
+EFILES = $(foreach i,$(EDIRS),$(subst $(empty) , $(i)/, $(EFILES_$(i):  = )))
+
+include_e:
+	-@echo "Building $(OBJPATH)/include_e ..."
+	-$(HIDE) rm -rf $(OBJPATH)/include_e opt_*
+	-$(HIDE) mkdir -p $(OBJPATH)/include_e
+	-$(HIDE) (cd $(OBJPATH)/include_e; mkdir -p $(EDIRS); touch $(EFILES) )
+
+
+$(IPFW_OBJS) : ../extra/glue.h
+
+ip_fw2.o ip_dummynet.o: # EFLAGS= -include missing.h
+
+radix.o:#	CFLAGS += -U_KERNEL
+
+# session.o:	CFLAGS = -O2
+nm_util.o:	CFLAGS = -O2 -Wall -Werror $(NETMAP_FLAGS)
+
+$(MOD): $(IPFW_OBJS)
+	$(MSG) "   LD $@"
+	$(HIDE)$(CC) -o $@ $^ $(LIBS)
+
+clean:
+	-rm -f *.o $(DN) $(MOD)
+	-rm -rf include_e
+
+diff:
+	@-(for i in $(SRCS_IPFW) ; do diff -ubw $(BSD_HEAD)/sys/netpfil/ipfw/$$i .; done)
+	@-(for i in $(SRCS_NET) ; do diff -ubw $(BSD_HEAD)/sys/net/$$i . ; done)
+	@-(for i in $(SRCS_NETINET) ; do diff -ubw $(BSD_HEAD)/sys/netinet/$$i .; done)

README

@@ -0,0 +1,76 @@
+# README FILE FOR IPFW-USER ON TOP OF NETMAP
+
+This directory contains a version of ipfw and dummynet that can
+run in userland, using NETMAP as the backend for packet I/O.
+This permits a throughput about 10 times higher than the
+corresponding in-kernel version. I have measured about 6.5 Mpps
+for plain filtering, and 2.2 Mpps going through a pipe.
+Some optimizations are possible when running on netmap pipes,
+or other netmap ports that support zero copy.
+
+To build the code simply run
+	make NETMAP_INC=/some/where/with/netmap-release/sys
+
+pointing to the netmap 'sys' directory
+(the makefile uses gmake underneath)
+
+The base version comes from FreeBSD-HEAD -r '{2012-08-03}'
+(and subsequently updated in late 2013)
+with small modifications listed below
+
+	netinet/ipfw
+	    ip_dn_io.c
+		support for on-stack mbufs
+	    ip_fw2.c
+		some conditional compilation for functions not
+		available in userspace
+	    ip_fw_log.c
+		revise snprintf, SNPARGS (MAC)
+
+
+sbin/ipfw and the kernel counterpart communicate throuugh a
+TCP socket (localhost:5555) carrying the raw data that would
+normally be carried on seg/getsockopt.
+
+For testing purposes, opening a telnet session to port 5556 and
+typing some bytes will start a fake 'infinite source' so you can
+check how fast your ruleset works.
+
+	gmake
+	dummynet/ipfw & # preferably in another window
+	telnet localhost 5556 # type some bytes to start 'traffic'
+
+	sh -c "while true; do ipfw/ipfw show; ipfw/ipfw zero; sleep 1; done"
+
+(on an i7-3400 I get about 15 Mpps)
+
+Real packet I/O is possible using netmap info.iet.unipi.it/~luigi/netmap/
+You can use a couple of VALE switches (part of netmap) to connect
+a source and sink to the userspace firewall, as follows
+
+                s       f               f       d    
+   [pkt-gen]-->--[valeA]-->--[kipfw]-->--[valeB]-->--[pkt-gen]
+
+The commands to run (in separate windows) are
+
+	# preliminarly, load the netmap module
+	sudo kldload netmap.ko
+
+	# connect the firewall to two vale switches
+	./kipfw valeA:f valeB:f &
+
+	# configure ipfw/dummynet
+	ipfw/ipfw show	# or other
+
+	# start the sink
+	pkt-gen -i valeB:d -f rx
+
+	# start an infinite source
+	pkt-gen -i valeA:s -f tx
+
+	# plain again with the firewall and enjoy
+	ipfw/ipfw show  # or other
+
+On my i7-3400 I get about 6.5 Mpps with a single rule, and about 2.2 Mpps
+when going through a dummynet pipe. This is for a single process handling
+the traffic.