Hello, would it make sense to commit a poor man's solution below, before pfsync(4) will get to shape? The idea is to grab PF_LOCK, just before we pass the data to PF for further processing.
regards
sasha
--------8<---------------8<---------------8<------------------8<--------
--- src/sys/net/if_pfsync.c Fri Jun 09 09:40:12 2017 +0200
+++ src/sys/net/if_pfsync.c Fri Jun 09 10:49:44 2017 +0200
@@ -657,6 +657,7 @@ pfsync_input(struct mbuf **mp, int *offp
struct pfsync_header *ph;
struct pfsync_subheader subh;
int offset, noff, len, count, mlen, flags = 0;
+ int e;
pfsyncstat_inc(pfsyncs_ipackets);
@@ -733,8 +734,11 @@ pfsync_input(struct mbuf **mp, int *offp
return IPPROTO_DONE;
}
- if (pfsync_acts[subh.action].in(n->m_data + noff,
- mlen, count, flags) != 0)
+ PF_LOCK();
+ e = pfsync_acts[subh.action].in(n->m_data + noff, mlen, count,
+ flags);
+ PF_UNLOCK();
+ if (e != 0)
goto done;
offset += mlen * count;
--------8<---------------8<---------------8<------------------8<--------
