The branch stable/13 has been updated by mjg: URL: https://cgit.FreeBSD.org/src/commit/?id=c9731a3f464fd49efbd39c44e262dd069034894e
commit c9731a3f464fd49efbd39c44e262dd069034894e Author: Mateusz Guzik <[email protected]> AuthorDate: 2021-07-22 14:45:14 +0000 Commit: Mateusz Guzik <[email protected]> CommitDate: 2021-08-11 13:37:55 +0000 pf: switch rule counters to pf_counter_u64 Reviewed by: kp Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 02cf67ccf6538b14677672640e405f7f94044dc3) --- sys/net/pfvar.h | 19 ++++++- sys/netpfil/pf/pf.c | 80 +++++++++++++++++++++------ sys/netpfil/pf/pf_ioctl.c | 137 +++++++++++++++++++++++++++++++--------------- sys/netpfil/pf/pf_lb.c | 2 +- sys/netpfil/pf/pf_norm.c | 18 +++--- sys/netpfil/pf/pf_nv.c | 8 +-- sys/netpfil/pf/pf_nv.h | 2 +- 7 files changed, 185 insertions(+), 81 deletions(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 7afc8b895b80..76e3834372e3 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -583,9 +583,9 @@ struct pf_krule { TAILQ_ENTRY(pf_krule) entries; struct pf_kpool rpool; - counter_u64_t evaluations; - counter_u64_t packets[2]; - counter_u64_t bytes[2]; + struct pf_counter_u64 evaluations; + struct pf_counter_u64 packets[2]; + struct pf_counter_u64 bytes[2]; struct pfi_kkif *kif; struct pf_kanchor *anchor; @@ -659,6 +659,11 @@ struct pf_krule { struct pf_addr addr; u_int16_t port; } divert; + +#ifdef PF_WANT_32_TO_64_COUNTER + LIST_ENTRY(pf_krule) allrulelist; + bool allrulelinked; +#endif }; struct pf_ksrc_node { @@ -1858,6 +1863,14 @@ VNET_DECLARE(size_t, pf_allkifcount); #define V_pf_allkifcount VNET(pf_allkifcount) VNET_DECLARE(struct pfi_kkif *, pf_kifmarker); #define V_pf_kifmarker VNET(pf_kifmarker) + +LIST_HEAD(allrulelist_head, pf_krule); +VNET_DECLARE(struct allrulelist_head, pf_allrulelist); +#define V_pf_allrulelist VNET(pf_allrulelist) +VNET_DECLARE(size_t, pf_allrulecount); +#define V_pf_allrulecount VNET(pf_allrulecount) +VNET_DECLARE(struct pf_krule *, pf_rulemarker); +#define V_pf_rulemarker VNET(pf_rulemarker) #endif void pf_initialize(void); diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index f3d82549edff..6e154b620a80 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -157,6 +157,10 @@ VNET_DEFINE_STATIC(uint32_t, pf_purge_idx); #ifdef PF_WANT_32_TO_64_COUNTER VNET_DEFINE_STATIC(uint32_t, pf_counter_periodic_iter); #define V_pf_counter_periodic_iter VNET(pf_counter_periodic_iter) + +VNET_DEFINE(struct allrulelist_head, pf_allrulelist); +VNET_DEFINE(size_t, pf_allrulecount); +VNET_DEFINE(struct pf_krule *, pf_rulemarker); #endif /* @@ -1574,6 +1578,45 @@ pf_kif_counter_u64_periodic(void) } } +static void +pf_rule_counter_u64_periodic(void) +{ + struct pf_krule *rule; + size_t r, run; + + PF_RULES_RASSERT(); + + if (__predict_false(V_pf_allrulecount == 0)) { + return; + } + + if ((V_pf_counter_periodic_iter % (pf_purge_thread_period * 10 * 300)) != 0) { + return; + } + + run = V_pf_allrulecount / 10; + if (run < 5) + run = 5; + + for (r = 0; r < run; r++) { + rule = LIST_NEXT(V_pf_rulemarker, allrulelist); + if (rule == NULL) { + LIST_REMOVE(V_pf_rulemarker, allrulelist); + LIST_INSERT_HEAD(&V_pf_allrulelist, V_pf_rulemarker, allrulelist); + break; + } + + LIST_REMOVE(V_pf_rulemarker, allrulelist); + LIST_INSERT_AFTER(rule, V_pf_rulemarker, allrulelist); + + pf_counter_u64_periodic(&rule->evaluations); + for (int i = 0; i < 2; i++) { + pf_counter_u64_periodic(&rule->packets[i]); + pf_counter_u64_periodic(&rule->bytes[i]); + } + } +} + static void pf_counter_u64_periodic_main(void) { @@ -1585,6 +1628,7 @@ pf_counter_u64_periodic_main(void) pf_counter_u64_critical_enter(); pf_status_counter_u64_periodic(); pf_kif_counter_u64_periodic(); + pf_rule_counter_u64_periodic(); pf_counter_u64_critical_exit(); PF_RULES_RUNLOCK(); } @@ -3642,7 +3686,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction, } while (r != NULL) { - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != direction) @@ -3711,8 +3755,8 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction, rtableid = r->rtableid; if (r->anchor == NULL) { if (r->action == PF_MATCH) { - counter_u64_add(r->packets[direction == PF_OUT], 1); - counter_u64_add(r->bytes[direction == PF_OUT], pd->tot_len); + pf_counter_u64_add(&r->packets[direction == PF_OUT], 1); + pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len); pf_rule_to_actions(r, &pd->act); if (r->log) PFLOG_PACKET(kif, m, af, @@ -4084,7 +4128,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif, r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != direction) @@ -4125,8 +4169,8 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif, else { if (r->anchor == NULL) { if (r->action == PF_MATCH) { - counter_u64_add(r->packets[direction == PF_OUT], 1); - counter_u64_add(r->bytes[direction == PF_OUT], pd->tot_len); + pf_counter_u64_add(&r->packets[direction == PF_OUT], 1); + pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len); pf_rule_to_actions(r, &pd->act); if (r->log) PFLOG_PACKET(kif, m, af, @@ -6431,17 +6475,17 @@ done: if (action == PF_PASS || r->action == PF_DROP) { dirndx = (dir == PF_OUT); - counter_u64_add(r->packets[dirndx], 1); - counter_u64_add(r->bytes[dirndx], pd.tot_len); + pf_counter_u64_add(&r->packets[dirndx], 1); + pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len); if (a != NULL) { - counter_u64_add(a->packets[dirndx], 1); - counter_u64_add(a->bytes[dirndx], pd.tot_len); + pf_counter_u64_add(&a->packets[dirndx], 1); + pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len); } if (s != NULL) { if (s->nat_rule.ptr != NULL) { - counter_u64_add(s->nat_rule.ptr->packets[dirndx], + pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx], 1); - counter_u64_add(s->nat_rule.ptr->bytes[dirndx], + pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx], pd.tot_len); } if (s->src_node != NULL) { @@ -6836,17 +6880,17 @@ done: if (action == PF_PASS || r->action == PF_DROP) { dirndx = (dir == PF_OUT); - counter_u64_add(r->packets[dirndx], 1); - counter_u64_add(r->bytes[dirndx], pd.tot_len); + pf_counter_u64_add(&r->packets[dirndx], 1); + pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len); if (a != NULL) { - counter_u64_add(a->packets[dirndx], 1); - counter_u64_add(a->bytes[dirndx], pd.tot_len); + pf_counter_u64_add(&a->packets[dirndx], 1); + pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len); } if (s != NULL) { if (s->nat_rule.ptr != NULL) { - counter_u64_add(s->nat_rule.ptr->packets[dirndx], + pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx], 1); - counter_u64_add(s->nat_rule.ptr->bytes[dirndx], + pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx], pd.tot_len); } if (s->src_node != NULL) { diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index a0d877263235..7fece0facde6 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -324,10 +324,10 @@ pfattach_vnet(void) V_pf_default_rule.nr = -1; V_pf_default_rule.rtableid = -1; - V_pf_default_rule.evaluations = counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&V_pf_default_rule.evaluations, M_WAITOK); for (int i = 0; i < 2; i++) { - V_pf_default_rule.packets[i] = counter_u64_alloc(M_WAITOK); - V_pf_default_rule.bytes[i] = counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&V_pf_default_rule.packets[i], M_WAITOK); + pf_counter_u64_init(&V_pf_default_rule.bytes[i], M_WAITOK); } V_pf_default_rule.states_cur = counter_u64_alloc(M_WAITOK); V_pf_default_rule.states_tot = counter_u64_alloc(M_WAITOK); @@ -335,8 +335,12 @@ pfattach_vnet(void) #ifdef PF_WANT_32_TO_64_COUNTER V_pf_kifmarker = malloc(sizeof(*V_pf_kifmarker), PFI_MTYPE, M_WAITOK | M_ZERO); + V_pf_rulemarker = malloc(sizeof(*V_pf_rulemarker), M_PFRULE, M_WAITOK | M_ZERO); PF_RULES_WLOCK(); LIST_INSERT_HEAD(&V_pf_allkiflist, V_pf_kifmarker, pfik_allkiflist); + LIST_INSERT_HEAD(&V_pf_allrulelist, &V_pf_default_rule, allrulelist); + V_pf_allrulecount++; + LIST_INSERT_HEAD(&V_pf_allrulelist, V_pf_rulemarker, allrulelist); PF_RULES_WUNLOCK(); #endif @@ -1130,16 +1134,16 @@ pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor) while ((tail != NULL) && ! pf_krule_compare(tail, rule)) tail = TAILQ_NEXT(tail, entries); if (tail != NULL) { - counter_u64_add(rule->evaluations, - counter_u64_fetch(tail->evaluations)); - counter_u64_add(rule->packets[0], - counter_u64_fetch(tail->packets[0])); - counter_u64_add(rule->packets[1], - counter_u64_fetch(tail->packets[1])); - counter_u64_add(rule->bytes[0], - counter_u64_fetch(tail->bytes[0])); - counter_u64_add(rule->bytes[1], - counter_u64_fetch(tail->bytes[1])); + pf_counter_u64_add(&rule->evaluations, + pf_counter_u64_fetch(&tail->evaluations)); + pf_counter_u64_add(&rule->packets[0], + pf_counter_u64_fetch(&tail->packets[0])); + pf_counter_u64_add(&rule->packets[1], + pf_counter_u64_fetch(&tail->packets[1])); + pf_counter_u64_add(&rule->bytes[0], + pf_counter_u64_fetch(&tail->bytes[0])); + pf_counter_u64_add(&rule->bytes[1], + pf_counter_u64_fetch(&tail->bytes[1])); } } } @@ -1519,13 +1523,29 @@ pf_altq_get_nth_active(u_int32_t n) void pf_krule_free(struct pf_krule *rule) { +#ifdef PF_WANT_32_TO_64_COUNTER + bool wowned; +#endif + if (rule == NULL) return; - counter_u64_free(rule->evaluations); +#ifdef PF_WANT_32_TO_64_COUNTER + if (rule->allrulelinked) { + wowned = PF_RULES_WOWNED(); + if (!wowned) + PF_RULES_WLOCK(); + LIST_REMOVE(rule, allrulelist); + V_pf_allrulecount--; + if (!wowned) + PF_RULES_WUNLOCK(); + } +#endif + + pf_counter_u64_deinit(&rule->evaluations); for (int i = 0; i < 2; i++) { - counter_u64_free(rule->packets[i]); - counter_u64_free(rule->bytes[i]); + pf_counter_u64_deinit(&rule->packets[i]); + pf_counter_u64_deinit(&rule->bytes[i]); } counter_u64_free(rule->states_cur); counter_u64_free(rule->states_tot); @@ -1590,7 +1610,7 @@ pf_pool_to_kpool(const struct pf_pool *pool, struct pf_kpool *kpool) } static void -pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule) +pf_krule_to_rule(struct pf_krule *krule, struct pf_rule *rule) { bzero(rule, sizeof(*rule)); @@ -1617,10 +1637,10 @@ pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule) pf_kpool_to_pool(&krule->rpool, &rule->rpool); - rule->evaluations = counter_u64_fetch(krule->evaluations); + rule->evaluations = pf_counter_u64_fetch(&krule->evaluations); for (int i = 0; i < 2; i++) { - rule->packets[i] = counter_u64_fetch(krule->packets[i]); - rule->bytes[i] = counter_u64_fetch(krule->bytes[i]); + rule->packets[i] = pf_counter_u64_fetch(&krule->packets[i]); + rule->bytes[i] = pf_counter_u64_fetch(&krule->bytes[i]); } /* kif, anchor, overload_tbl are not copied over. */ @@ -1997,10 +2017,10 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, if (rule->ifname[0]) kif = pf_kkif_create(M_WAITOK); - rule->evaluations = counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&rule->evaluations, M_WAITOK); for (int i = 0; i < 2; i++) { - rule->packets[i] = counter_u64_alloc(M_WAITOK); - rule->bytes[i] = counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&rule->packets[i], M_WAITOK); + pf_counter_u64_init(&rule->bytes[i], M_WAITOK); } rule->states_cur = counter_u64_alloc(M_WAITOK); rule->states_tot = counter_u64_alloc(M_WAITOK); @@ -2010,6 +2030,12 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, TAILQ_INIT(&rule->rpool.list); PF_RULES_WLOCK(); +#ifdef PF_WANT_32_TO_64_COUNTER + LIST_INSERT_HEAD(&V_pf_allrulelist, rule, allrulelist); + MPASS(!rule->allrulelinked); + rule->allrulelinked = true; + V_pf_allrulecount++; +#endif ruleset = pf_find_kruleset(anchor); if (ruleset == NULL) ERROUT(EINVAL); @@ -2113,10 +2139,10 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, } rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list); - counter_u64_zero(rule->evaluations); + pf_counter_u64_zero(&rule->evaluations); for (int i = 0; i < 2; i++) { - counter_u64_zero(rule->packets[i]); - counter_u64_zero(rule->bytes[i]); + pf_counter_u64_zero(&rule->packets[i]); + pf_counter_u64_zero(&rule->bytes[i]); } TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, rule, entries); @@ -2459,10 +2485,10 @@ DIOCADDRULENV_error: pf_addr_copyout(&pr->rule.dst.addr); if (pr->action == PF_GET_CLR_CNTR) { - counter_u64_zero(rule->evaluations); + pf_counter_u64_zero(&rule->evaluations); for (int i = 0; i < 2; i++) { - counter_u64_zero(rule->packets[i]); - counter_u64_zero(rule->bytes[i]); + pf_counter_u64_zero(&rule->packets[i]); + pf_counter_u64_zero(&rule->bytes[i]); } counter_u64_zero(rule->states_tot); } @@ -2581,10 +2607,10 @@ DIOCADDRULENV_error: } if (clear_counter) { - counter_u64_zero(rule->evaluations); + pf_counter_u64_zero(&rule->evaluations); for (int i = 0; i < 2; i++) { - counter_u64_zero(rule->packets[i]); - counter_u64_zero(rule->bytes[i]); + pf_counter_u64_zero(&rule->packets[i]); + pf_counter_u64_zero(&rule->bytes[i]); } counter_u64_zero(rule->states_tot); } @@ -2632,12 +2658,10 @@ DIOCGETRULENV_error: if (newrule->ifname[0]) kif = pf_kkif_create(M_WAITOK); - newrule->evaluations = counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&newrule->evaluations, M_WAITOK); for (int i = 0; i < 2; i++) { - newrule->packets[i] = - counter_u64_alloc(M_WAITOK); - newrule->bytes[i] = - counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&newrule->packets[i], M_WAITOK); + pf_counter_u64_init(&newrule->bytes[i], M_WAITOK); } newrule->states_cur = counter_u64_alloc(M_WAITOK); newrule->states_tot = counter_u64_alloc(M_WAITOK); @@ -2649,6 +2673,14 @@ DIOCGETRULENV_error: #define ERROUT(x) { error = (x); goto DIOCCHANGERULE_error; } PF_RULES_WLOCK(); +#ifdef PF_WANT_32_TO_64_COUNTER + if (newrule != NULL) { + LIST_INSERT_HEAD(&V_pf_allrulelist, newrule, allrulelist); + newrule->allrulelinked = true; + V_pf_allrulecount++; + } +#endif + if (!(pcr->action == PF_CHANGE_REMOVE || pcr->action == PF_CHANGE_GET_TICKET) && pcr->pool_ticket != V_ticket_pabuf) @@ -3229,10 +3261,10 @@ DIOCGETSTATESV2_full: PF_RULES_WLOCK(); TAILQ_FOREACH(rule, ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) { - counter_u64_zero(rule->evaluations); + pf_counter_u64_zero(&rule->evaluations); for (int i = 0; i < 2; i++) { - counter_u64_zero(rule->packets[i]); - counter_u64_zero(rule->bytes[i]); + pf_counter_u64_zero(&rule->packets[i]); + pf_counter_u64_zero(&rule->bytes[i]); } } PF_RULES_WUNLOCK(); @@ -5613,18 +5645,33 @@ pf_unload_vnet(void) #ifdef PF_WANT_32_TO_64_COUNTER PF_RULES_WLOCK(); LIST_REMOVE(V_pf_kifmarker, pfik_allkiflist); - PF_RULES_WUNLOCK(); - free(V_pf_kifmarker, PFI_MTYPE); MPASS(LIST_EMPTY(&V_pf_allkiflist)); MPASS(V_pf_allkifcount == 0); + + LIST_REMOVE(&V_pf_default_rule, allrulelist); + V_pf_allrulecount--; + LIST_REMOVE(V_pf_rulemarker, allrulelist); + + /* + * There are known pf rule leaks when running the test suite. + */ +#ifdef notyet + MPASS(LIST_EMPTY(&V_pf_allrulelist)); + MPASS(V_pf_allrulecount == 0); +#endif + + PF_RULES_WUNLOCK(); + + free(V_pf_kifmarker, PFI_MTYPE); + free(V_pf_rulemarker, M_PFRULE); #endif /* Free counters last as we updated them during shutdown. */ - counter_u64_free(V_pf_default_rule.evaluations); + pf_counter_u64_deinit(&V_pf_default_rule.evaluations); for (int i = 0; i < 2; i++) { - counter_u64_free(V_pf_default_rule.packets[i]); - counter_u64_free(V_pf_default_rule.bytes[i]); + pf_counter_u64_deinit(&V_pf_default_rule.packets[i]); + pf_counter_u64_deinit(&V_pf_default_rule.bytes[i]); } counter_u64_free(V_pf_default_rule.states_cur); counter_u64_free(V_pf_default_rule.states_tot); diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 000ee69d9ae9..3da27c7df26d 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -149,7 +149,7 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, dst = &r->dst; } - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != direction) diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 3df4e06f15b6..388e2bca77b6 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1039,7 +1039,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); while (r != NULL) { - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != dir) @@ -1066,8 +1066,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason if (r == NULL || r->action == PF_NOSCRUB) return (PF_PASS); - counter_u64_add(r->packets[dir == PF_OUT], 1); - counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_add(&r->packets[dir == PF_OUT], 1); + pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len); /* Check for illegal packets */ if (hlen < (int)sizeof(struct ip)) { @@ -1181,7 +1181,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); while (r != NULL) { - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != dir) @@ -1207,8 +1207,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, if (r == NULL || r->action == PF_NOSCRUB) return (PF_PASS); - counter_u64_add(r->packets[dir == PF_OUT], 1); - counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_add(&r->packets[dir == PF_OUT], 1); + pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len); /* Check for illegal packets */ if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len) @@ -1334,7 +1334,7 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff, r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); while (r != NULL) { - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != dir) @@ -1368,8 +1368,8 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff, if (rm == NULL || rm->action == PF_NOSCRUB) return (PF_PASS); - counter_u64_add(r->packets[dir == PF_OUT], 1); - counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_add(&r->packets[dir == PF_OUT], 1); + pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len); if (rm->rule_flag & PFRULE_REASSEMBLE_TCP) pd->flags |= PFDESC_TCP_NORM; diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c index c0a17cd876ae..d1eca90e0ee5 100644 --- a/sys/netpfil/pf/pf_nv.c +++ b/sys/netpfil/pf/pf_nv.c @@ -655,7 +655,7 @@ error: } nvlist_t * -pf_krule_to_nvrule(const struct pf_krule *rule) +pf_krule_to_nvrule(struct pf_krule *rule) { nvlist_t *nvl, *tmp; @@ -698,12 +698,12 @@ pf_krule_to_nvrule(const struct pf_krule *rule) nvlist_destroy(tmp); nvlist_add_number(nvl, "evaluations", - counter_u64_fetch(rule->evaluations)); + pf_counter_u64_fetch(&rule->evaluations)); for (int i = 0; i < 2; i++) { nvlist_append_number_array(nvl, "packets", - counter_u64_fetch(rule->packets[i])); + pf_counter_u64_fetch(&rule->packets[i])); nvlist_append_number_array(nvl, "bytes", - counter_u64_fetch(rule->bytes[i])); + pf_counter_u64_fetch(&rule->bytes[i])); } nvlist_add_number(nvl, "os_fingerprint", rule->os_fingerprint); diff --git a/sys/netpfil/pf/pf_nv.h b/sys/netpfil/pf/pf_nv.h index 2abb5a2401e2..f1cdc52aad6b 100644 --- a/sys/netpfil/pf/pf_nv.h +++ b/sys/netpfil/pf/pf_nv.h @@ -78,7 +78,7 @@ int pf_nvstring(const nvlist_t *, const char *, char *, size_t); int pf_check_rule_addr(const struct pf_rule_addr *); -nvlist_t *pf_krule_to_nvrule(const struct pf_krule *); +nvlist_t *pf_krule_to_nvrule(struct pf_krule *); int pf_nvrule_to_krule(const nvlist_t *, struct pf_krule *); int pf_nvstate_kill_to_kstate_kill(const nvlist_t *, struct pf_kstate_kill *); _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/dev-commits-src-all To unsubscribe, send any mail to "[email protected]"
