git: 271f14695564 - main - pf: vnet-ify pf_hashsize, pf_hashmask, pf_srchashsize and V_pf_srchashmask
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 17 Jul 2024 15:35:13 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=271f146955641857c93705b5b1916b8004e5623c
commit 271f146955641857c93705b5b1916b8004e5623c
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2024-07-17 13:52:13 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2024-07-17 14:00:49 +0000
pf: vnet-ify pf_hashsize, pf_hashmask, pf_srchashsize and V_pf_srchashmask
These variables are tunables, so in principle they never change at runtime.
That would mean they don't need to be tracked per-vnet.
However, they both can be decreased (back to their default values) if the
memory allocations for their respective tables fail, and these allocations are
per-vnet. That is, it's possible for a few vnets to be started and have the
tuned size for the hash and srchash tables only to have later vnets fail the
initial allocation and fall back to smaller allocations. That would confuse
the previously created vnets (because their actual table size and size/mask
variables would no longer match).
Avoid this by turning these into per-vnet variables.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/net/pfvar.h | 8 +++--
sys/netpfil/pf/if_pfsync.c | 12 +++++---
sys/netpfil/pf/pf.c | 74 ++++++++++++++++++++++++----------------------
sys/netpfil/pf/pf_ioctl.c | 22 +++++++-------
sys/netpfil/pf/pf_nl.c | 4 +--
5 files changed, 64 insertions(+), 56 deletions(-)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index aa6dd52a7e69..b38a1bebcc1f 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -2125,8 +2125,10 @@ struct pf_idhash {
};
extern u_long pf_ioctl_maxcount;
-extern u_long pf_hashmask;
-extern u_long pf_srchashmask;
+VNET_DECLARE(u_long, pf_hashmask);
+#define V_pf_hashmask VNET(pf_hashmask)
+VNET_DECLARE(u_long, pf_srchashmask);
+#define V_pf_srchashmask VNET(pf_srchashmask)
#define PF_HASHSIZ (131072)
#define PF_SRCHASHSIZ (PF_HASHSIZ/4)
VNET_DECLARE(struct pf_keyhash *, pf_keyhash);
@@ -2136,7 +2138,7 @@ VNET_DECLARE(struct pf_idhash *, pf_idhash);
VNET_DECLARE(struct pf_srchash *, pf_srchash);
#define V_pf_srchash VNET(pf_srchash)
-#define PF_IDHASH(s) (be64toh((s)->id) % (pf_hashmask + 1))
+#define PF_IDHASH(s) (be64toh((s)->id) % (V_pf_hashmask + 1))
VNET_DECLARE(void *, pf_swi_cookie);
#define V_pf_swi_cookie VNET(pf_swi_cookie)
diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 67011d16c788..82a42c874a8f 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -979,7 +979,7 @@ pfsync_in_clr(struct mbuf *m, int offset, int count, int flags, int action)
pfi_kkif_find(clr[i].ifname) == NULL)
continue;
- for (int i = 0; i <= pf_hashmask; i++) {
+ for (int i = 0; i <= V_pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i];
struct pf_kstate *s;
relock:
@@ -2080,7 +2080,11 @@ pfsync_defer_tmo(void *arg)
struct pfsync_softc *sc = pd->pd_sc;
struct mbuf *m = pd->pd_m;
struct pf_kstate *st = pd->pd_st;
- struct pfsync_bucket *b = pfsync_get_bucket(sc, st);
+ struct pfsync_bucket *b;
+
+ CURVNET_SET(sc->sc_ifp->if_vnet);
+
+ b = pfsync_get_bucket(sc, st);
PFSYNC_BUCKET_LOCK_ASSERT(b);
@@ -2093,11 +2097,11 @@ pfsync_defer_tmo(void *arg)
if (sc->sc_sync_if == NULL) {
pf_release_state(st);
m_freem(m);
+ CURVNET_RESTORE();
return;
}
NET_EPOCH_ENTER(et);
- CURVNET_SET(sc->sc_sync_if->if_vnet);
pfsync_tx(sc, m);
@@ -2483,7 +2487,7 @@ pfsync_bulk_update(void *arg)
else
i = sc->sc_bulk_hashid;
- for (; i <= pf_hashmask; i++) {
+ for (; i <= V_pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i];
if (s != NULL)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 764d2fa54179..dfa87b515cd1 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -486,16 +486,18 @@ VNET_DEFINE(struct pf_srchash *, pf_srchash);
SYSCTL_NODE(_net, OID_AUTO, pf, CTLFLAG_RW | CTLFLAG_MPSAFE, 0,
"pf(4)");
-u_long pf_hashmask;
-u_long pf_srchashmask;
-static u_long pf_hashsize;
-static u_long pf_srchashsize;
+VNET_DEFINE(u_long, pf_hashmask);
+VNET_DEFINE(u_long, pf_srchashmask);
+VNET_DEFINE_STATIC(u_long, pf_hashsize);
+#define V_pf_hashsize VNET(pf_hashsize)
+VNET_DEFINE_STATIC(u_long, pf_srchashsize);
+#define V_pf_srchashsize VNET(pf_srchashsize)
u_long pf_ioctl_maxcount = 65535;
-SYSCTL_ULONG(_net_pf, OID_AUTO, states_hashsize, CTLFLAG_RDTUN,
- &pf_hashsize, 0, "Size of pf(4) states hashtable");
-SYSCTL_ULONG(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_RDTUN,
- &pf_srchashsize, 0, "Size of pf(4) source nodes hashtable");
+SYSCTL_ULONG(_net_pf, OID_AUTO, states_hashsize, CTLFLAG_VNET | CTLFLAG_RDTUN,
+ &VNET_NAME(pf_hashsize), 0, "Size of pf(4) states hashtable");
+SYSCTL_ULONG(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_VNET | CTLFLAG_RDTUN,
+ &VNET_NAME(pf_srchashsize), 0, "Size of pf(4) source nodes hashtable");
SYSCTL_ULONG(_net_pf, OID_AUTO, request_maxcount, CTLFLAG_RWTUN,
&pf_ioctl_maxcount, 0, "Maximum number of tables, addresses, ... in a single ioctl() call");
@@ -662,7 +664,7 @@ pf_hashkey(const struct pf_state_key *sk)
sizeof(struct pf_state_key_cmp)/sizeof(uint32_t),
V_pf_hashseed);
- return (h & pf_hashmask);
+ return (h & V_pf_hashmask);
}
static __inline uint32_t
@@ -683,7 +685,7 @@ pf_hashsrc(struct pf_addr *addr, sa_family_t af)
panic("%s: unknown address family %u", __func__, af);
}
- return (h & pf_srchashmask);
+ return (h & V_pf_srchashmask);
}
#ifdef ALTQ
@@ -885,7 +887,7 @@ pf_overload_task(void *v, int pending)
return;
}
- for (int i = 0; i <= pf_hashmask; i++) {
+ for (int i = 0; i <= V_pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i];
struct pf_state_key *sk;
struct pf_kstate *s;
@@ -1075,10 +1077,10 @@ pf_initialize(void)
struct pf_srchash *sh;
u_int i;
- if (pf_hashsize == 0 || !powerof2(pf_hashsize))
- pf_hashsize = PF_HASHSIZ;
- if (pf_srchashsize == 0 || !powerof2(pf_srchashsize))
- pf_srchashsize = PF_SRCHASHSIZ;
+ if (V_pf_hashsize == 0 || !powerof2(V_pf_hashsize))
+ V_pf_hashsize = PF_HASHSIZ;
+ if (V_pf_srchashsize == 0 || !powerof2(V_pf_srchashsize))
+ V_pf_srchashsize = PF_SRCHASHSIZ;
V_pf_hashseed = arc4random();
@@ -1093,26 +1095,26 @@ pf_initialize(void)
sizeof(struct pf_state_key), pf_state_key_ctor, NULL, NULL, NULL,
UMA_ALIGN_PTR, 0);
- V_pf_keyhash = mallocarray(pf_hashsize, sizeof(struct pf_keyhash),
+ V_pf_keyhash = mallocarray(V_pf_hashsize, sizeof(struct pf_keyhash),
M_PFHASH, M_NOWAIT | M_ZERO);
- V_pf_idhash = mallocarray(pf_hashsize, sizeof(struct pf_idhash),
+ V_pf_idhash = mallocarray(V_pf_hashsize, sizeof(struct pf_idhash),
M_PFHASH, M_NOWAIT | M_ZERO);
if (V_pf_keyhash == NULL || V_pf_idhash == NULL) {
printf("pf: Unable to allocate memory for "
- "state_hashsize %lu.\n", pf_hashsize);
+ "state_hashsize %lu.\n", V_pf_hashsize);
free(V_pf_keyhash, M_PFHASH);
free(V_pf_idhash, M_PFHASH);
- pf_hashsize = PF_HASHSIZ;
- V_pf_keyhash = mallocarray(pf_hashsize,
+ V_pf_hashsize = PF_HASHSIZ;
+ V_pf_keyhash = mallocarray(V_pf_hashsize,
sizeof(struct pf_keyhash), M_PFHASH, M_WAITOK | M_ZERO);
- V_pf_idhash = mallocarray(pf_hashsize,
+ V_pf_idhash = mallocarray(V_pf_hashsize,
sizeof(struct pf_idhash), M_PFHASH, M_WAITOK | M_ZERO);
}
- pf_hashmask = pf_hashsize - 1;
- for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= pf_hashmask;
+ V_pf_hashmask = V_pf_hashsize - 1;
+ for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= V_pf_hashmask;
i++, kh++, ih++) {
mtx_init(&kh->lock, "pf_keyhash", NULL, MTX_DEF | MTX_DUPOK);
mtx_init(&ih->lock, "pf_idhash", NULL, MTX_DEF);
@@ -1126,19 +1128,19 @@ pf_initialize(void)
uma_zone_set_max(V_pf_sources_z, PFSNODE_HIWAT);
uma_zone_set_warning(V_pf_sources_z, "PF source nodes limit reached");
- V_pf_srchash = mallocarray(pf_srchashsize,
+ V_pf_srchash = mallocarray(V_pf_srchashsize,
sizeof(struct pf_srchash), M_PFHASH, M_NOWAIT | M_ZERO);
if (V_pf_srchash == NULL) {
printf("pf: Unable to allocate memory for "
- "source_hashsize %lu.\n", pf_srchashsize);
+ "source_hashsize %lu.\n", V_pf_srchashsize);
- pf_srchashsize = PF_SRCHASHSIZ;
- V_pf_srchash = mallocarray(pf_srchashsize,
+ V_pf_srchashsize = PF_SRCHASHSIZ;
+ V_pf_srchash = mallocarray(V_pf_srchashsize,
sizeof(struct pf_srchash), M_PFHASH, M_WAITOK | M_ZERO);
}
- pf_srchashmask = pf_srchashsize - 1;
- for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; i++, sh++)
+ V_pf_srchashmask = V_pf_srchashsize - 1;
+ for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++)
mtx_init(&sh->lock, "pf_srchash", NULL, MTX_DEF);
/* ALTQ */
@@ -1177,7 +1179,7 @@ pf_cleanup(void)
struct pf_send_entry *pfse, *next;
u_int i;
- for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= pf_hashmask;
+ for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= V_pf_hashmask;
i++, kh++, ih++) {
KASSERT(LIST_EMPTY(&kh->keys), ("%s: key hash not empty",
__func__));
@@ -1189,7 +1191,7 @@ pf_cleanup(void)
free(V_pf_keyhash, M_PFHASH);
free(V_pf_idhash, M_PFHASH);
- for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; i++, sh++) {
+ for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++) {
KASSERT(LIST_EMPTY(&sh->nodes),
("%s: source node hash not empty", __func__));
mtx_destroy(&sh->lock);
@@ -1589,7 +1591,7 @@ pf_find_state_byid(uint64_t id, uint32_t creatorid)
pf_counter_u64_add(&V_pf_status.fcounters[FCNT_STATE_SEARCH], 1);
- ih = &V_pf_idhash[(be64toh(id) % (pf_hashmask + 1))];
+ ih = &V_pf_idhash[(be64toh(id) % (V_pf_hashmask + 1))];
PF_HASHROW_LOCK(ih);
LIST_FOREACH(s, &ih->states, entry)
@@ -1981,7 +1983,7 @@ pf_purge_thread(void *unused __unused)
* table every run.
*/
V_pf_purge_idx =
- pf_purge_expired_states(V_pf_purge_idx, pf_hashmask /
+ pf_purge_expired_states(V_pf_purge_idx, V_pf_hashmask /
(V_pf_default_rule.timeout[PFTM_INTERVAL] * 10));
/*
@@ -2026,7 +2028,7 @@ pf_unload_vnet_purge(void)
/*
* Now purge everything.
*/
- pf_purge_expired_states(0, pf_hashmask);
+ pf_purge_expired_states(0, V_pf_hashmask);
pf_purge_fragments(UINT_MAX);
pf_purge_expired_src_nodes();
@@ -2086,7 +2088,7 @@ pf_purge_expired_src_nodes(void)
int i;
LIST_INIT(&freelist);
- for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; i++, sh++) {
+ for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++) {
PF_HASHROW_LOCK(sh);
LIST_FOREACH_SAFE(cur, &sh->nodes, entry, next)
if (cur->states == 0 && cur->expire <= time_uptime) {
@@ -2261,7 +2263,7 @@ relock:
SDT_PROBE2(pf, purge, state, rowcount, i, count);
/* Return when we hit end of hash. */
- if (++i > pf_hashmask) {
+ if (++i > V_pf_hashmask) {
V_pf_status.states = uma_zone_get_cur(V_pf_state_z);
return (0);
}
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 2df6bcd30533..f5a216666076 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -3778,7 +3778,7 @@ DIOCCHANGERULE_error:
sizeof(struct pfsync_state_1301), M_TEMP, M_WAITOK | M_ZERO);
nr = 0;
- for (i = 0; i <= pf_hashmask; i++) {
+ for (i = 0; i <= V_pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i];
DIOCGETSTATES_retry:
@@ -3857,7 +3857,7 @@ DIOCGETSTATES_full:
sizeof(struct pf_state_export), M_TEMP, M_WAITOK | M_ZERO);
nr = 0;
- for (i = 0; i <= pf_hashmask; i++) {
+ for (i = 0; i <= V_pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i];
DIOCGETSTATESV2_retry:
@@ -5363,7 +5363,7 @@ DIOCCHANGEADDR_error:
struct pf_src_node *p, *pstore;
uint32_t i, nr = 0;
- for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
+ for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask;
i++, sh++) {
PF_HASHROW_LOCK(sh);
LIST_FOREACH(n, &sh->nodes, entry)
@@ -5382,7 +5382,7 @@ DIOCCHANGEADDR_error:
nr = 0;
p = pstore = malloc(psn->psn_len, M_TEMP, M_WAITOK | M_ZERO);
- for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
+ for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask;
i++, sh++) {
PF_HASHROW_LOCK(sh);
LIST_FOREACH(n, &sh->nodes, entry) {
@@ -5854,7 +5854,7 @@ pf_clear_all_states(void)
u_int i;
NET_EPOCH_ENTER(et);
- for (i = 0; i <= pf_hashmask; i++) {
+ for (i = 0; i <= V_pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i];
relock:
PF_HASHROW_LOCK(ih);
@@ -5891,7 +5891,7 @@ pf_clear_srcnodes(struct pf_ksrc_node *n)
struct pf_kstate *s;
int i;
- for (i = 0; i <= pf_hashmask; i++) {
+ for (i = 0; i <= V_pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i];
PF_HASHROW_LOCK(ih);
@@ -5907,7 +5907,7 @@ pf_clear_srcnodes(struct pf_ksrc_node *n)
if (n == NULL) {
struct pf_srchash *sh;
- for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask;
+ for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask;
i++, sh++) {
PF_HASHROW_LOCK(sh);
LIST_FOREACH(n, &sh->nodes, entry) {
@@ -5929,7 +5929,7 @@ pf_kill_srcnodes(struct pfioc_src_node_kill *psnk)
struct pf_ksrc_node_list kill;
LIST_INIT(&kill);
- for (int i = 0; i <= pf_srchashmask; i++) {
+ for (int i = 0; i <= V_pf_srchashmask; i++) {
struct pf_srchash *sh = &V_pf_srchash[i];
struct pf_ksrc_node *sn, *tmp;
@@ -5950,7 +5950,7 @@ pf_kill_srcnodes(struct pfioc_src_node_kill *psnk)
PF_HASHROW_UNLOCK(sh);
}
- for (int i = 0; i <= pf_hashmask; i++) {
+ for (int i = 0; i <= V_pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i];
struct pf_kstate *s;
@@ -6013,7 +6013,7 @@ pf_clear_states(const struct pf_kstate_kill *kill)
NET_EPOCH_ASSERT();
- for (unsigned int i = 0; i <= pf_hashmask; i++) {
+ for (unsigned int i = 0; i <= V_pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i];
relock_DIOCCLRSTATES:
@@ -6088,7 +6088,7 @@ pf_killstates(struct pf_kstate_kill *kill, unsigned int *killed)
return;
}
- for (unsigned int i = 0; i <= pf_hashmask; i++)
+ for (unsigned int i = 0; i <= V_pf_hashmask; i++)
*killed += pf_killstates_row(kill, &V_pf_idhash[i]);
}
diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c
index e855815dd73b..6c98a50d8e06 100644
--- a/sys/netpfil/pf/pf_nl.c
+++ b/sys/netpfil/pf/pf_nl.c
@@ -231,7 +231,7 @@ handle_dumpstates(struct nlpcb *nlp, struct nl_parsed_state *attrs,
hdr->nlmsg_flags |= NLM_F_MULTI;
- for (int i = 0; i <= pf_hashmask; i++) {
+ for (int i = 0; i <= V_pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i];
struct pf_kstate *s;
@@ -346,7 +346,7 @@ pf_handle_getcreators(struct nlmsghdr *hdr, struct nl_pstate *npt)
bzero(creators, sizeof(creators));
- for (int i = 0; i < pf_hashmask; i++) {
+ for (int i = 0; i < V_pf_hashmask; i++) {
struct pf_idhash *ih = &V_pf_idhash[i];
struct pf_kstate *s;