git: 6983b986e194 - main - pf: allow defer timeout to be configured

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Tue, 20 Jun 2023 09:46:06 UTC
The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=6983b986e194d409344c0d3b1540610648df4d25

commit 6983b986e194d409344c0d3b1540610648df4d25
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2023-06-19 14:37:19 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2023-06-20 09:20:26 +0000

    pf: allow defer timeout to be configured
    
    Add the net.pfsync.defer_delay sysctl to allow the defer timeout (i.e.
    how long pf holds onto packets waiting for the peer to ack the new
    state) to be changed.
    
    This is intended to make testing of the defer code more robust, by
    allowing longer timeouts to mitigate scheduling/measurement jitter.
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/if_pfsync.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
index 67f986e6abd2..61f2dcba1767 100644
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -281,6 +281,8 @@ struct pfsync_softc {
 #define	PFSYNC_BUNLOCK(sc)	mtx_unlock(&(sc)->sc_bulk_mtx)
 #define	PFSYNC_BLOCK_ASSERT(sc)	mtx_assert(&(sc)->sc_bulk_mtx, MA_OWNED)
 
+#define PFSYNC_DEFER_TIMEOUT	20
+
 static const char pfsyncname[] = "pfsync";
 static MALLOC_DEFINE(M_PFSYNC, pfsyncname, "pfsync(4) data");
 VNET_DEFINE_STATIC(struct pfsync_softc	*, pfsyncif) = NULL;
@@ -293,6 +295,8 @@ VNET_DEFINE_STATIC(struct pfsyncstats, pfsyncstats);
 #define	V_pfsyncstats		VNET(pfsyncstats)
 VNET_DEFINE_STATIC(int, pfsync_carp_adj) = CARP_MAXSKEW;
 #define	V_pfsync_carp_adj	VNET(pfsync_carp_adj)
+VNET_DEFINE_STATIC(unsigned int, pfsync_defer_tmo) = PFSYNC_DEFER_TIMEOUT;
+#define	V_pfsync_defer_tmo	VNET(pfsync_defer_tmo)
 
 static void	pfsync_timeout(void *);
 static void	pfsync_push(struct pfsync_bucket *);
@@ -317,6 +321,8 @@ SYSCTL_INT(_net_pfsync, OID_AUTO, carp_demotion_factor, CTLFLAG_VNET | CTLFLAG_R
     &VNET_NAME(pfsync_carp_adj), 0, "pfsync's CARP demotion factor adjustment");
 SYSCTL_ULONG(_net_pfsync, OID_AUTO, pfsync_buckets, CTLFLAG_RDTUN,
     &pfsync_buckets, 0, "Number of pfsync hash buckets");
+SYSCTL_UINT(_net_pfsync, OID_AUTO, defer_delay, CTLFLAG_VNET | CTLFLAG_RW,
+    &VNET_NAME(pfsync_defer_tmo), 0, "Deferred packet timeout (in ms)");
 
 static int	pfsync_clone_create(struct if_clone *, int, caddr_t);
 static void	pfsync_clone_destroy(struct ifnet *);
@@ -358,7 +364,6 @@ static struct pfsync_bucket	*pfsync_get_bucket(struct pfsync_softc *,
 		    struct pf_kstate *);
 
 #define PFSYNC_MAX_BULKTRIES	12
-#define PFSYNC_DEFER_TIMEOUT	((20 * hz) / 1000)
 
 VNET_DEFINE(struct if_clone *, pfsync_cloner);
 #define	V_pfsync_cloner	VNET(pfsync_cloner)
@@ -1882,7 +1887,8 @@ pfsync_defer(struct pf_kstate *st, struct mbuf *m)
 
 	TAILQ_INSERT_TAIL(&b->b_deferrals, pd, pd_entry);
 	callout_init_mtx(&pd->pd_tmo, &b->b_mtx, CALLOUT_RETURNUNLOCKED);
-	callout_reset(&pd->pd_tmo, PFSYNC_DEFER_TIMEOUT, pfsync_defer_tmo, pd);
+	callout_reset(&pd->pd_tmo, (V_pfsync_defer_tmo * hz) / 1000,
+	    pfsync_defer_tmo, pd);
 
 	pfsync_push(b);
 	PFSYNC_BUCKET_UNLOCK(b);