Date: Thu, 19 Sep 2024 20:21:22 GMT
Message-Id: <202409192021.48JKLM4V046546@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 1fd02d1e1522 - main - pf: factor out rule counter update code
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 1fd02d1e1522fdcbb31f07edcab8aacf477111a0

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=1fd02d1e1522fdcbb31f07edcab8aacf477111a0

commit 1fd02d1e1522fdcbb31f07edcab8aacf477111a0
Author:     Kristof Provost
AuthorDate: 2024-09-04 12:39:09 +0000
Commit:     Kristof Provost
CommitDate: 2024-09-19 20:20:14 +0000

    pf: factor out rule counter update code

    Break out rule counter update code into a separate function, makes the
    behaviour consistent between IPv4 and IPv6. From martin.pelikan@gmail.com

    Obtained from:  OpenBSD, mcbride , ce38da5678
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D46590
---
 sys/netpfil/pf/pf.c | 213 ++++++++++++++++++++++------------------------------
 1 file changed, 89 insertions(+), 124 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 4d0cee4d0c4a..2544045c5bbb 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c 
@@ -376,6 +376,10 @@ static struct pf_kstate *pf_find_state(struct pfi_kkif *, const struct pf_state_key_cmp *, u_int); static int pf_src_connlimit(struct pf_kstate **); static int pf_match_rcvif(struct mbuf *, struct pf_krule *); +static void pf_counters_inc(int, + struct pf_pdesc *, struct pfi_kkif *, + struct pf_kstate *, struct pf_krule *, + struct pf_krule *); static void pf_overload_task(void *v, int pending); static u_short pf_insert_src_node(struct pf_ksrc_node **, struct pf_krule *, struct pf_addr *, sa_family_t); 
@@ -8849,6 +8853,85 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf *m, return (0); } +static void +pf_counters_inc(int action, struct pf_pdesc *pd, + struct pfi_kkif *kif, struct pf_kstate *s, + struct pf_krule *r, struct pf_krule *a) +{ + struct pf_krule *tr, *nr; + int dir = pd->dir; + int dirndx; + + pf_counter_u64_critical_enter(); + pf_counter_u64_add_protected( + &kif->pfik_bytes[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS], + pd->tot_len); + pf_counter_u64_add_protected( + &kif->pfik_packets[pd->af == AF_INET6][dir == PF_OUT][action != PF_PASS], + 1); + + if (action == PF_PASS || r->action == PF_DROP) { + dirndx = (dir == PF_OUT); + pf_counter_u64_add_protected(&r->packets[dirndx], 1); + pf_counter_u64_add_protected(&r->bytes[dirndx], pd->tot_len); + pf_update_timestamp(r); + + if (a != NULL) { + pf_counter_u64_add_protected(&a->packets[dirndx], 1); + pf_counter_u64_add_protected(&a->bytes[dirndx], pd->tot_len); + } + if (s != NULL) { + struct pf_krule_item *ri; + + if (s->nat_rule.ptr != NULL) { + pf_counter_u64_add_protected(&s->nat_rule.ptr->packets[dirndx], + 1); + pf_counter_u64_add_protected(&s->nat_rule.ptr->bytes[dirndx], + pd->tot_len); + } + if (s->src_node != NULL) { + counter_u64_add(s->src_node->packets[dirndx], + 1); + counter_u64_add(s->src_node->bytes[dirndx], + pd->tot_len); + } + if (s->nat_src_node != NULL) { + counter_u64_add(s->nat_src_node->packets[dirndx], + 1); + counter_u64_add(s->nat_src_node->bytes[dirndx], + pd->tot_len); + } + dirndx = (dir == s->direction) ? 0 : 1; + s->packets[dirndx]++; + s->bytes[dirndx] += pd->tot_len; + + SLIST_FOREACH(ri, &s->match_rules, entry) { + pf_counter_u64_add_protected(&ri->r->packets[dirndx], 1); + pf_counter_u64_add_protected(&ri->r->bytes[dirndx], pd->tot_len); + } + } + tr = r; + nr = (s != NULL) ? 
s->nat_rule.ptr : pd->nat_rule; + if (nr != NULL && r == &V_pf_default_rule) + tr = nr; + if (tr->src.addr.type == PF_ADDR_TABLE) + pfr_update_stats(tr->src.addr.p.tbl, + (s == NULL) ? pd->src : + &s->key[(s->direction == PF_IN)]-> + addr[(s->direction == PF_OUT)], + pd->af, pd->tot_len, dir == PF_OUT, + r->action == PF_PASS, tr->src.neg); + if (tr->dst.addr.type == PF_ADDR_TABLE) + pfr_update_stats(tr->dst.addr.p.tbl, + (s == NULL) ? pd->dst : + &s->key[(s->direction == PF_IN)]-> + addr[(s->direction == PF_IN)], + pd->af, pd->tot_len, dir == PF_OUT, + r->action == PF_PASS, tr->dst.neg); + } + pf_counter_u64_critical_exit(); +} + #ifdef INET int pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, @@ -8859,11 +8942,11 @@ pf_test(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct mbuf *m = *m0; struct ip *h = NULL; struct m_tag *mtag; - struct pf_krule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; + struct pf_krule *a = NULL, *r = &V_pf_default_rule; struct pf_kstate *s = NULL; struct pf_kruleset *ruleset = NULL; struct pf_pdesc pd; - int off, hdrlen, dirndx, use_2nd_queue = 0; + int off, hdrlen, use_2nd_queue = 0; uint16_t tag; uint8_t rt; 
@@ -9257,71 +9340,7 @@ done: } } - pf_counter_u64_critical_enter(); - pf_counter_u64_add_protected(&kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS], - pd.tot_len); - pf_counter_u64_add_protected(&kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS], - 1); - - if (action == PF_PASS || r->action == PF_DROP) { - dirndx = (dir == PF_OUT); - pf_counter_u64_add_protected(&r->packets[dirndx], 1); - pf_counter_u64_add_protected(&r->bytes[dirndx], pd.tot_len); - pf_update_timestamp(r); - - if (a != NULL) { - pf_counter_u64_add_protected(&a->packets[dirndx], 1); - pf_counter_u64_add_protected(&a->bytes[dirndx], pd.tot_len); - } - if (s != NULL) { - struct pf_krule_item *ri; - - if (s->nat_rule.ptr != NULL) { - pf_counter_u64_add_protected(&s->nat_rule.ptr->packets[dirndx], - 1); - pf_counter_u64_add_protected(&s->nat_rule.ptr->bytes[dirndx], - pd.tot_len); - } - if (s->src_node != NULL) { - counter_u64_add(s->src_node->packets[dirndx], - 1); - counter_u64_add(s->src_node->bytes[dirndx], - pd.tot_len); - } - if (s->nat_src_node != NULL) { - counter_u64_add(s->nat_src_node->packets[dirndx], - 1); - counter_u64_add(s->nat_src_node->bytes[dirndx], - pd.tot_len); - } - dirndx = (dir == s->direction) ? 0 : 1; - s->packets[dirndx]++; - s->bytes[dirndx] += pd.tot_len; - SLIST_FOREACH(ri, &s->match_rules, entry) { - pf_counter_u64_add_protected(&ri->r->packets[dirndx], 1); - pf_counter_u64_add_protected(&ri->r->bytes[dirndx], pd.tot_len); - } - } - tr = r; - nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; - if (nr != NULL && r == &V_pf_default_rule) - tr = nr; - if (tr->src.addr.type == PF_ADDR_TABLE) - pfr_update_stats(tr->src.addr.p.tbl, - (s == NULL) ? pd.src : - &s->key[(s->direction == PF_IN)]-> - addr[(s->direction == PF_OUT)], - pd.af, pd.tot_len, dir == PF_OUT, - r->action == PF_PASS, tr->src.neg); - if (tr->dst.addr.type == PF_ADDR_TABLE) - pfr_update_stats(tr->dst.addr.p.tbl, - (s == NULL) ? 
pd.dst : - &s->key[(s->direction == PF_IN)]-> - addr[(s->direction == PF_IN)], - pd.af, pd.tot_len, dir == PF_OUT, - r->action == PF_PASS, tr->dst.neg); - } - pf_counter_u64_critical_exit(); + pf_counters_inc(action, &pd, kif, s, r, a); switch (action) { case PF_SYNPROXY_DROP: @@ -9376,11 +9395,11 @@ pf_test6(int dir, int pflags, struct ifnet *ifp, struct mbuf **m0, struct inpcb struct mbuf *m = *m0, *n = NULL; struct m_tag *mtag; struct ip6_hdr *h = NULL; - struct pf_krule *a = NULL, *r = &V_pf_default_rule, *tr, *nr; + struct pf_krule *a = NULL, *r = &V_pf_default_rule; struct pf_kstate *s = NULL; struct pf_kruleset *ruleset = NULL; struct pf_pdesc pd; - int off, hdrlen, dirndx, use_2nd_queue = 0; + int off, hdrlen, use_2nd_queue = 0; uint16_t tag; uint8_t rt; 
@@ -9726,61 +9745,7 @@ done: } } - pf_counter_u64_critical_enter(); - pf_counter_u64_add_protected(&kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS], - pd.tot_len); - pf_counter_u64_add_protected(&kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS], - 1); - - if (action == PF_PASS || r->action == PF_DROP) { - dirndx = (dir == PF_OUT); - pf_counter_u64_add_protected(&r->packets[dirndx], 1); - pf_counter_u64_add_protected(&r->bytes[dirndx], pd.tot_len); - if (a != NULL) { - pf_counter_u64_add_protected(&a->packets[dirndx], 1); - pf_counter_u64_add_protected(&a->bytes[dirndx], pd.tot_len); - } - if (s != NULL) { - if (s->nat_rule.ptr != NULL) { - pf_counter_u64_add_protected(&s->nat_rule.ptr->packets[dirndx], - 1); - pf_counter_u64_add_protected(&s->nat_rule.ptr->bytes[dirndx], - pd.tot_len); - } - if (s->src_node != NULL) { - counter_u64_add(s->src_node->packets[dirndx], - 1); - counter_u64_add(s->src_node->bytes[dirndx], - pd.tot_len); - } - if (s->nat_src_node != NULL) { - counter_u64_add(s->nat_src_node->packets[dirndx], - 1); - counter_u64_add(s->nat_src_node->bytes[dirndx], - pd.tot_len); - } - dirndx = (dir == s->direction) ? 0 : 1; - s->packets[dirndx]++; - s->bytes[dirndx] += pd.tot_len; - } - tr = r; - nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; - if (nr != NULL && r == &V_pf_default_rule) - tr = nr; - if (tr->src.addr.type == PF_ADDR_TABLE) - pfr_update_stats(tr->src.addr.p.tbl, - (s == NULL) ? pd.src : - &s->key[(s->direction == PF_IN)]->addr[0], - pd.af, pd.tot_len, dir == PF_OUT, - r->action == PF_PASS, tr->src.neg); - if (tr->dst.addr.type == PF_ADDR_TABLE) - pfr_update_stats(tr->dst.addr.p.tbl, - (s == NULL) ? pd.dst : - &s->key[(s->direction == PF_IN)]->addr[1], - pd.af, pd.tot_len, dir == PF_OUT, - r->action == PF_PASS, tr->dst.neg); - } - pf_counter_u64_critical_exit(); + pf_counters_inc(action, &pd, kif, s, r, a); switch (action) { case PF_SYNPROXY_DROP:
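
Review bot: In the new pf_counters_inc() body (hunk @@ -8849), the SLIST_FOREACH over s->match_rules runs after dirndx has been reassigned to `(dir == s->direction) ? 0 : 1`, so the match rules are counted with the state-relative index while r, a and s->nat_rule.ptr are counted with `(dir == PF_OUT)`. All of them are updated through the same packets[]/bytes[] accessors, so for a state whose direction is PF_OUT the match rules get their two slots swapped relative to the other rules. Suggest a separate variable for the state index, or moving the loop above the reassignment. The removed IPv4 block had the same ordering, and this change now applies it to IPv6 as well.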
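
Review bot: At the pf_test() call site (hunk @@ -9257), the counter update now takes its direction from pd->dir and its address-family index from `pd->af == AF_INET6`, where the removed block used the function's own dir argument and a fixed index of 0. Every path that reaches done: therefore has to have pd.dir and pd.af filled in before `pf_counters_inc(action, &pd, kif, s, r, a);` runs, otherwise the interface counters are indexed from fields that were never set. Suggest confirming this for the early-exit paths, and either passing dir explicitly or asserting in pf_counters_inc() that pd->af is AF_INET or AF_INET6. The helper also dereferences r unconditionally and increments s->packets[] non-atomically, so a short comment above it stating what the caller must guarantee would help.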
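
Review bot: The pf_test6() replacement (hunk @@ -9726) changes IPv6 behaviour in three ways that the commit message only summarises as "consistent between IPv4 and IPv6", and these should be listed there. The removed IPv6 block did not call pf_update_timestamp(r), did not walk s->match_rules, and passed `->addr[0]` and `->addr[1]` to pfr_update_stats(), whereas the shared helper uses `addr[(s->direction == PF_OUT)]` for the source and `addr[(s->direction == PF_IN)]` for the destination. The last one means table statistics for IPv6 states whose direction is PF_OUT are now attributed to the other address of the key, so it is worth stating explicitly that the old indexing was the bug and checking the per-table counters on an IPv6 ruleset after the change.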