git: 2522a90dcd41 - stable/12 - pf: batch critical section for several counters
Mateusz Guzik
mjg at FreeBSD.org
Wed Aug 11 13:25:23 UTC 2021
The branch stable/12 has been updated by mjg:
URL: https://cgit.FreeBSD.org/src/commit/?id=2522a90dcd41c9c8326525fa23876bb2acc7d51a
commit 2522a90dcd41c9c8326525fa23876bb2acc7d51a
Author: Mateusz Guzik <mjg at FreeBSD.org>
AuthorDate: 2021-07-24 07:47:40 +0000
Commit: Mateusz Guzik <mjg at FreeBSD.org>
CommitDate: 2021-08-11 12:23:20 +0000
pf: batch critical section for several counters
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 87c010e6e364e96e2c1546b3c2bbcbef1dcd422f)
---
sys/netpfil/pf/pf.c | 48 +++++++++++++++++++++++++++--------------------
sys/netpfil/pf/pf_ioctl.c | 12 +++++++-----
sys/netpfil/pf/pf_norm.c | 18 ++++++++++++------
3 files changed, 47 insertions(+), 31 deletions(-)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 0c485189ec16..f1b1890f50c5 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -3756,8 +3756,10 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
rtableid = r->rtableid;
if (r->anchor == NULL) {
if (r->action == PF_MATCH) {
- pf_counter_u64_add(&r->packets[direction == PF_OUT], 1);
- pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len);
+ pf_counter_u64_critical_enter();
+ pf_counter_u64_add_protected(&r->packets[direction == PF_OUT], 1);
+ pf_counter_u64_add_protected(&r->bytes[direction == PF_OUT], pd->tot_len);
+ pf_counter_u64_critical_exit();
pf_rule_to_actions(r, &pd->act);
if (r->log)
PFLOG_PACKET(kif, m, af,
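Review bot: Nothing at this call site says that `pf_counter_u64_add_protected()` is only valid between `pf_counter_u64_critical_enter()` and `pf_counter_u64_critical_exit()`, so a later edit that adds a counter update just outside the bracket, or an early exit between the two calls, would look fine locally. A one-line comment above the enter call, such as `/* _add_protected() must only run inside the enter/exit pair below */`, would make that contract visible. The same two-counter pattern recurs in the pf_test_fragment hunk and in the three pf_norm.c hunks. The helper definitions are not part of this diff, so the exact requirement is inferred from the names. pf_test_rule's body continues outside the hunk.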
@@ -4170,8 +4172,10 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
else {
if (r->anchor == NULL) {
if (r->action == PF_MATCH) {
- pf_counter_u64_add(&r->packets[direction == PF_OUT], 1);
- pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len);
+ pf_counter_u64_critical_enter();
+ pf_counter_u64_add_protected(&r->packets[direction == PF_OUT], 1);
+ pf_counter_u64_add_protected(&r->bytes[direction == PF_OUT], pd->tot_len);
+ pf_counter_u64_critical_exit();
pf_rule_to_actions(r, &pd->act);
if (r->log)
PFLOG_PACKET(kif, m, af,
@@ -6555,24 +6559,25 @@ done:
(s == NULL));
}
- pf_counter_u64_add(&kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS],
+ pf_counter_u64_critical_enter();
+ pf_counter_u64_add_protected(&kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS],
pd.tot_len);
- pf_counter_u64_add(&kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS],
+ pf_counter_u64_add_protected(&kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS],
1);
if (action == PF_PASS || r->action == PF_DROP) {
dirndx = (dir == PF_OUT);
- pf_counter_u64_add(&r->packets[dirndx], 1);
- pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len);
+ pf_counter_u64_add_protected(&r->packets[dirndx], 1);
+ pf_counter_u64_add_protected(&r->bytes[dirndx], pd.tot_len);
if (a != NULL) {
- pf_counter_u64_add(&a->packets[dirndx], 1);
- pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len);
+ pf_counter_u64_add_protected(&a->packets[dirndx], 1);
+ pf_counter_u64_add_protected(&a->bytes[dirndx], pd.tot_len);
}
if (s != NULL) {
if (s->nat_rule.ptr != NULL) {
- pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx],
+ pf_counter_u64_add_protected(&s->nat_rule.ptr->packets[dirndx],
1);
- pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx],
+ pf_counter_u64_add_protected(&s->nat_rule.ptr->bytes[dirndx],
pd.tot_len);
}
if (s->src_node != NULL) {
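Review bot: The section opened before the `kif->pfik_bytes` update is not closed in this hunk. The matching `pf_counter_u64_critical_exit()` arrives in the next hunk, after the call whose argument list ends in `tr->dst.neg)`, so the source-node and table statistics code in between now runs inside the section. Part of that stretch is not visible here, so confirm that nothing in it can block, take a sleepable lock, or jump out before the exit call. If the helper maps to a real kernel critical section, a mistake there would likely panic or hang the firewall host rather than just skew counters. A comment at the enter call, e.g. `/* held until after the table stats update below; no sleeping or early exit in between */`, would record that; the second `done:` pair later in pf.c (the one indexing `pfik_bytes[1]`) has the same shape.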
@@ -6610,6 +6615,7 @@ done:
pd.af, pd.tot_len, dir == PF_OUT,
r->action == PF_PASS, tr->dst.neg);
}
+ pf_counter_u64_critical_exit();
switch (action) {
case PF_SYNPROXY_DROP:
@@ -6963,24 +6969,25 @@ done:
&pd, (s == NULL));
}
- pf_counter_u64_add(&kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS],
+ pf_counter_u64_critical_enter();
+ pf_counter_u64_add_protected(&kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS],
pd.tot_len);
- pf_counter_u64_add(&kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS],
+ pf_counter_u64_add_protected(&kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS],
1);
if (action == PF_PASS || r->action == PF_DROP) {
dirndx = (dir == PF_OUT);
- pf_counter_u64_add(&r->packets[dirndx], 1);
- pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len);
+ pf_counter_u64_add_protected(&r->packets[dirndx], 1);
+ pf_counter_u64_add_protected(&r->bytes[dirndx], pd.tot_len);
if (a != NULL) {
- pf_counter_u64_add(&a->packets[dirndx], 1);
- pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len);
+ pf_counter_u64_add_protected(&a->packets[dirndx], 1);
+ pf_counter_u64_add_protected(&a->bytes[dirndx], pd.tot_len);
}
if (s != NULL) {
if (s->nat_rule.ptr != NULL) {
- pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx],
+ pf_counter_u64_add_protected(&s->nat_rule.ptr->packets[dirndx],
1);
- pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx],
+ pf_counter_u64_add_protected(&s->nat_rule.ptr->bytes[dirndx],
pd.tot_len);
}
if (s->src_node != NULL) {
@@ -7016,6 +7023,7 @@ done:
pd.af, pd.tot_len, dir == PF_OUT,
r->action == PF_PASS, tr->dst.neg);
}
+ pf_counter_u64_critical_exit();
switch (action) {
case PF_SYNPROXY_DROP:
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 81b50c237252..4f1786b36a30 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1120,16 +1120,18 @@ pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor)
while ((tail != NULL) && ! pf_krule_compare(tail, rule))
tail = TAILQ_NEXT(tail, entries);
if (tail != NULL) {
- pf_counter_u64_add(&rule->evaluations,
+ pf_counter_u64_critical_enter();
+ pf_counter_u64_add_protected(&rule->evaluations,
pf_counter_u64_fetch(&tail->evaluations));
- pf_counter_u64_add(&rule->packets[0],
+ pf_counter_u64_add_protected(&rule->packets[0],
pf_counter_u64_fetch(&tail->packets[0]));
- pf_counter_u64_add(&rule->packets[1],
+ pf_counter_u64_add_protected(&rule->packets[1],
pf_counter_u64_fetch(&tail->packets[1]));
- pf_counter_u64_add(&rule->bytes[0],
+ pf_counter_u64_add_protected(&rule->bytes[0],
pf_counter_u64_fetch(&tail->bytes[0]));
- pf_counter_u64_add(&rule->bytes[1],
+ pf_counter_u64_add_protected(&rule->bytes[1],
pf_counter_u64_fetch(&tail->bytes[1]));
+ pf_counter_u64_critical_exit();
}
}
}
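Review bot: Each `pf_counter_u64_fetch(&tail->...)` is evaluated as an argument inside the enter/exit pair, so the five reads of the old rule's counters run within the protected region along with the five adds. If fetch has to walk per-CPU slots (its definition is not in this diff), reading the five values into locals before `pf_counter_u64_critical_enter()` would keep the region down to the adds only. A short comment on whether `tail` can still be updated by the packet path at this point would also help, because the copied totals are only a snapshot. pf_commit_rules starts and ends outside the hunk.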
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 19d3a268e4f8..40e4b1bae2f9 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1062,8 +1062,10 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason
if (r == NULL || r->action == PF_NOSCRUB)
return (PF_PASS);
- pf_counter_u64_add(&r->packets[dir == PF_OUT], 1);
- pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len);
+ pf_counter_u64_critical_enter();
+ pf_counter_u64_add_protected(&r->packets[dir == PF_OUT], 1);
+ pf_counter_u64_add_protected(&r->bytes[dir == PF_OUT], pd->tot_len);
+ pf_counter_u64_critical_exit();
/* Check for illegal packets */
if (hlen < (int)sizeof(struct ip)) {
@@ -1204,8 +1206,10 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif,
if (r == NULL || r->action == PF_NOSCRUB)
return (PF_PASS);
- pf_counter_u64_add(&r->packets[dir == PF_OUT], 1);
- pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len);
+ pf_counter_u64_critical_enter();
+ pf_counter_u64_add_protected(&r->packets[dir == PF_OUT], 1);
+ pf_counter_u64_add_protected(&r->bytes[dir == PF_OUT], pd->tot_len);
+ pf_counter_u64_critical_exit();
/* Check for illegal packets */
if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len)
@@ -1389,8 +1393,10 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
if (rm == NULL || rm->action == PF_NOSCRUB)
return (PF_PASS);
- pf_counter_u64_add(&r->packets[dir == PF_OUT], 1);
- pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len);
+ pf_counter_u64_critical_enter();
+ pf_counter_u64_add_protected(&r->packets[dir == PF_OUT], 1);
+ pf_counter_u64_add_protected(&r->bytes[dir == PF_OUT], pd->tot_len);
+ pf_counter_u64_critical_exit();
if (rm->rule_flag & PFRULE_REASSEMBLE_TCP)
pd->flags |= PFDESC_TCP_NORM;
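Review bot: The guard just above the new block validates `rm` (`rm == NULL || rm->action == PF_NOSCRUB`), but the counters are still updated through `r`, and the following line goes back to `rm->rule_flag`. Presumably both pointers name the matched scrub rule at this point, but the hunk does not show that. Writing `&rm->packets[dir == PF_OUT]` and `&rm->bytes[dir == PF_OUT]` would make it obvious that the accounted rule is the one that was null-checked. The mismatch predates this commit, but the lines are being rewritten anyway. pf_normalize_tcp's body starts and ends outside the hunk.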