The branch main has been updated by mjg: URL: https://cgit.FreeBSD.org/src/commit/?id=b6196537b0125c50f25bd64ed60e1cdd635ecd34
commit b6196537b0125c50f25bd64ed60e1cdd635ecd34 Author: Mateusz Guzik <[email protected]> AuthorDate: 2024-06-20 17:48:52 +0000 Commit: Mateusz Guzik <[email protected]> CommitDate: 2024-06-20 17:55:43 +0000 pf: fix the "keepcounters" to stop truncating to 32-bit The machinery to support 64-bit counters even on 32-bit kernels had a bug where it would unitentionally truncate the value back to 32-bits when transferring to a new counter. This resulted in buggy be behavior on 64-bit kernels as well. Sponsored by: Rubicon Communications, LLC ("Netgate") --- sys/net/pfvar.h | 15 +++++++++++++++ sys/netpfil/pf/pf_ioctl.c | 10 +++++----- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index d6d01c9b5970..62c367fe6a29 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -127,6 +127,14 @@ pf_counter_u64_critical_exit(void) critical_exit(); } +static inline void +pf_counter_u64_rollup_protected(struct pf_counter_u64 *pfcu64, uint64_t n) +{ + + MPASS(curthread->td_critnest > 0); + pfcu64->pfcu64_value += n; +} + static inline void pf_counter_u64_add_protected(struct pf_counter_u64 *pfcu64, uint32_t n) { @@ -250,6 +258,13 @@ pf_counter_u64_critical_exit(void) } +static inline void +pf_counter_u64_rollup_protected(struct pf_counter_u64 *pfcu64, uint64_t n) +{ + + counter_u64_add(pfcu64->counter, n); +} + static inline void pf_counter_u64_add_protected(struct pf_counter_u64 *pfcu64, uint32_t n) { diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index f801afd9da80..2cb6923e1e69 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -1408,15 +1408,15 @@ pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor) continue; } pf_counter_u64_critical_enter(); - pf_counter_u64_add_protected(&rule->evaluations, + pf_counter_u64_rollup_protected(&rule->evaluations, pf_counter_u64_fetch(&old_rule->evaluations)); - pf_counter_u64_add_protected(&rule->packets[0], + pf_counter_u64_rollup_protected(&rule->packets[0], pf_counter_u64_fetch(&old_rule->packets[0])); - pf_counter_u64_add_protected(&rule->packets[1], + pf_counter_u64_rollup_protected(&rule->packets[1], pf_counter_u64_fetch(&old_rule->packets[1])); - pf_counter_u64_add_protected(&rule->bytes[0], + pf_counter_u64_rollup_protected(&rule->bytes[0], pf_counter_u64_fetch(&old_rule->bytes[0])); - pf_counter_u64_add_protected(&rule->bytes[1], + pf_counter_u64_rollup_protected(&rule->bytes[1], pf_counter_u64_fetch(&old_rule->bytes[1])); pf_counter_u64_critical_exit(); }
