git: 6983b986e194 - main - pf: allow defer timeout to be configured
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 20 Jun 2023 09:46:06 UTC
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=6983b986e194d409344c0d3b1540610648df4d25 commit 6983b986e194d409344c0d3b1540610648df4d25 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2023-06-19 14:37:19 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2023-06-20 09:20:26 +0000 pf: allow defer timeout to be configured Add the net.pfsync.defer_delay sysctl to allow the defer timeout (i.e. how long pf holds onto packets waiting for the peer to ack the new state) to be changed. This is intended to make testing of the defer code more robust, by allowing longer timeouts to mitigate scheduling/measurement jitter. Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/netpfil/pf/if_pfsync.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c index 67f986e6abd2..61f2dcba1767 100644 --- a/sys/netpfil/pf/if_pfsync.c +++ b/sys/netpfil/pf/if_pfsync.c @@ -281,6 +281,8 @@ struct pfsync_softc { #define PFSYNC_BUNLOCK(sc) mtx_unlock(&(sc)->sc_bulk_mtx) #define PFSYNC_BLOCK_ASSERT(sc) mtx_assert(&(sc)->sc_bulk_mtx, MA_OWNED) +#define PFSYNC_DEFER_TIMEOUT 20 + static const char pfsyncname[] = "pfsync"; static MALLOC_DEFINE(M_PFSYNC, pfsyncname, "pfsync(4) data"); VNET_DEFINE_STATIC(struct pfsync_softc *, pfsyncif) = NULL; @@ -293,6 +295,8 @@ VNET_DEFINE_STATIC(struct pfsyncstats, pfsyncstats); #define V_pfsyncstats VNET(pfsyncstats) VNET_DEFINE_STATIC(int, pfsync_carp_adj) = CARP_MAXSKEW; #define V_pfsync_carp_adj VNET(pfsync_carp_adj) +VNET_DEFINE_STATIC(unsigned int, pfsync_defer_tmo) = PFSYNC_DEFER_TIMEOUT; +#define V_pfsync_defer_tmo VNET(pfsync_defer_tmo) static void pfsync_timeout(void *); static void pfsync_push(struct pfsync_bucket *); @@ -317,6 +321,8 @@ SYSCTL_INT(_net_pfsync, OID_AUTO, carp_demotion_factor, CTLFLAG_VNET | CTLFLAG_R &VNET_NAME(pfsync_carp_adj), 0, "pfsync's CARP demotion factor adjustment"); SYSCTL_ULONG(_net_pfsync, OID_AUTO, pfsync_buckets, CTLFLAG_RDTUN, &pfsync_buckets, 0, "Number of pfsync hash buckets"); +SYSCTL_UINT(_net_pfsync, OID_AUTO, defer_delay, CTLFLAG_VNET | CTLFLAG_RW, + &VNET_NAME(pfsync_defer_tmo), 0, "Deferred packet timeout (in ms)"); static int pfsync_clone_create(struct if_clone *, int, caddr_t); static void pfsync_clone_destroy(struct ifnet *); @@ -358,7 +364,6 @@ static struct pfsync_bucket *pfsync_get_bucket(struct pfsync_softc *, struct pf_kstate *); #define PFSYNC_MAX_BULKTRIES 12 -#define PFSYNC_DEFER_TIMEOUT ((20 * hz) / 1000) VNET_DEFINE(struct if_clone *, pfsync_cloner); #define V_pfsync_cloner VNET(pfsync_cloner) @@ -1882,7 +1887,8 @@ pfsync_defer(struct pf_kstate *st, struct mbuf *m) TAILQ_INSERT_TAIL(&b->b_deferrals, pd, pd_entry); callout_init_mtx(&pd->pd_tmo, &b->b_mtx, CALLOUT_RETURNUNLOCKED); - callout_reset(&pd->pd_tmo, PFSYNC_DEFER_TIMEOUT, pfsync_defer_tmo, pd); + callout_reset(&pd->pd_tmo, (V_pfsync_defer_tmo * hz) / 1000, + pfsync_defer_tmo, pd); pfsync_push(b); PFSYNC_BUCKET_UNLOCK(b);