git: 93f8c38c0371 - main - pf: add pf_config_lock
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 28 Mar 2022 11:47:30 UTC
The branch main has been updated by mjg: URL: https://cgit.FreeBSD.org/src/commit/?id=93f8c38c0371139fbe444b645ef36ae0d92d400a commit 93f8c38c0371139fbe444b645ef36ae0d92d400a Author: Mateusz Guzik <mjg@FreeBSD.org> AuthorDate: 2022-02-25 17:56:45 +0000 Commit: Mateusz Guzik <mjg@FreeBSD.org> CommitDate: 2022-03-28 11:44:46 +0000 pf: add pf_config_lock For now only protects rule creation/destruction, but will allow gradually reducing the scope of rules lock when changing the rules. Reviewed by: kp Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/net/pfvar.h | 5 +++++ sys/netpfil/pf/pf.c | 5 +++++ sys/netpfil/pf/pf_ioctl.c | 3 +++ 3 files changed, 13 insertions(+) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 5ae069694187..66cb6a4ba051 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -357,6 +357,11 @@ extern struct mtx_padalign pf_unlnkdrules_mtx; #define PF_UNLNKDRULES_UNLOCK() mtx_unlock(&pf_unlnkdrules_mtx) #define PF_UNLNKDRULES_ASSERT() mtx_assert(&pf_unlnkdrules_mtx, MA_OWNED) +extern struct sx pf_config_lock; +#define PF_CONFIG_LOCK() sx_xlock(&pf_config_lock) +#define PF_CONFIG_UNLOCK() sx_xunlock(&pf_config_lock) +#define PF_CONFIG_ASSERT() sx_assert(&pf_config_lock, SA_XLOCKED) + extern struct rmlock pf_rules_lock; #define PF_RULES_RLOCK_TRACKER struct rm_priotracker _pf_rules_tracker #define PF_RULES_RLOCK() rm_rlock(&pf_rules_lock, &_pf_rules_tracker) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 0a479c8a77e8..027d48c82688 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -236,6 +236,9 @@ struct mtx_padalign pf_unlnkdrules_mtx; MTX_SYSINIT(pf_unlnkdrules_mtx, &pf_unlnkdrules_mtx, "pf unlinked rules", MTX_DEF); +struct sx pf_config_lock; +SX_SYSINIT(pf_config_lock, &pf_config_lock, "pf config"); + struct mtx_padalign pf_table_stats_lock; MTX_SYSINIT(pf_table_stats_lock, &pf_table_stats_lock, "pf table stats", MTX_DEF); @@ -2201,12 +2204,14 @@ pf_purge_unlinked_rules() PF_UNLNKDRULES_UNLOCK(); if (!TAILQ_EMPTY(&tmpq)) { + PF_CONFIG_LOCK(); PF_RULES_WLOCK(); TAILQ_FOREACH_SAFE(r, &tmpq, entries, r1) { TAILQ_REMOVE(&tmpq, r, entries); pf_free_rule(r); } PF_RULES_WUNLOCK(); + PF_CONFIG_UNLOCK(); } } diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 45f14fc92f7b..117ee0d04c53 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2088,6 +2088,7 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, rule->cpid = td->td_proc ? td->td_proc->p_pid : 0; TAILQ_INIT(&rule->rpool.list); + PF_CONFIG_LOCK(); PF_RULES_WLOCK(); #ifdef PF_WANT_32_TO_64_COUNTER LIST_INSERT_HEAD(&V_pf_allrulelist, rule, allrulelist); @@ -2203,12 +2204,14 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, ruleset->rules[rs_num].inactive.rcount++; PF_RULES_WUNLOCK(); + PF_CONFIG_UNLOCK(); return (0); #undef ERROUT errout: PF_RULES_WUNLOCK(); + PF_CONFIG_UNLOCK(); errout_unlocked: pf_kkif_free(kif); pf_krule_free(rule);