Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 11 Aug 2021 13:25:21 GMT
From:      Mateusz Guzik <mjg@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 463aa33ff662 - stable/12 - pf: switch rule counters to pf_counter_u64
Message-ID:  <202108111325.17BDPLNt004928@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch stable/12 has been updated by mjg:

URL: https://cgit.FreeBSD.org/src/commit/?id=463aa33ff66280385dcc34d51233b14f33a69403

commit 463aa33ff66280385dcc34d51233b14f33a69403
Author:     Mateusz Guzik <mjg@FreeBSD.org>
AuthorDate: 2021-07-22 14:45:14 +0000
Commit:     Mateusz Guzik <mjg@FreeBSD.org>
CommitDate: 2021-08-11 12:22:27 +0000

    pf: switch rule counters to pf_counter_u64
    
    Reviewed by:    kp
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    
    (cherry picked from commit 02cf67ccf6538b14677672640e405f7f94044dc3)
---
 sys/net/pfvar.h           |  19 ++++++-
 sys/netpfil/pf/pf.c       |  80 +++++++++++++++++++++------
 sys/netpfil/pf/pf_ioctl.c | 137 +++++++++++++++++++++++++++++++---------------
 sys/netpfil/pf/pf_lb.c    |   2 +-
 sys/netpfil/pf/pf_norm.c  |  18 +++---
 sys/netpfil/pf/pf_nv.c    |   8 +--
 sys/netpfil/pf/pf_nv.h    |   2 +-
 7 files changed, 185 insertions(+), 81 deletions(-)

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index e8cf8b1e6019..624456149162 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -583,9 +583,9 @@ struct pf_krule {
 	TAILQ_ENTRY(pf_krule)	 entries;
 	struct pf_kpool		 rpool;
 
-	counter_u64_t		 evaluations;
-	counter_u64_t		 packets[2];
-	counter_u64_t		 bytes[2];
+	struct pf_counter_u64	 evaluations;
+	struct pf_counter_u64	 packets[2];
+	struct pf_counter_u64	 bytes[2];
 
 	struct pfi_kkif		*kif;
 	struct pf_kanchor	*anchor;
@@ -659,6 +659,11 @@ struct pf_krule {
 		struct pf_addr		addr;
 		u_int16_t		port;
 	}			divert;
+
+#ifdef PF_WANT_32_TO_64_COUNTER
+	LIST_ENTRY(pf_krule)	 allrulelist;
+	bool			 allrulelinked;
+#endif
 };
 
 struct pf_ksrc_node {
@@ -1859,6 +1864,14 @@ VNET_DECLARE(size_t, pf_allkifcount);
 #define V_pf_allkifcount     VNET(pf_allkifcount)
 VNET_DECLARE(struct pfi_kkif *, pf_kifmarker);
 #define V_pf_kifmarker     VNET(pf_kifmarker)
+
+LIST_HEAD(allrulelist_head, pf_krule);
+VNET_DECLARE(struct allrulelist_head, pf_allrulelist);
+#define V_pf_allrulelist     VNET(pf_allrulelist)
+VNET_DECLARE(size_t, pf_allrulecount);
+#define V_pf_allrulecount     VNET(pf_allrulecount)
+VNET_DECLARE(struct pf_krule *, pf_rulemarker);
+#define V_pf_rulemarker     VNET(pf_rulemarker)
 #endif
 
 void				 pf_initialize(void);
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 3dcea7e59bd0..0c485189ec16 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -158,6 +158,10 @@ VNET_DEFINE_STATIC(uint32_t, pf_purge_idx);
 #ifdef PF_WANT_32_TO_64_COUNTER
 VNET_DEFINE_STATIC(uint32_t, pf_counter_periodic_iter);
 #define	V_pf_counter_periodic_iter	VNET(pf_counter_periodic_iter)
+
+VNET_DEFINE(struct allrulelist_head, pf_allrulelist);
+VNET_DEFINE(size_t, pf_allrulecount);
+VNET_DEFINE(struct pf_krule *, pf_rulemarker);
 #endif
 
 /*
@@ -1570,6 +1574,45 @@ pf_kif_counter_u64_periodic(void)
 	}
 }
 
+static void
+pf_rule_counter_u64_periodic(void)
+{
+	struct pf_krule *rule;
+	size_t r, run;
+
+	PF_RULES_RASSERT();
+
+	if (__predict_false(V_pf_allrulecount == 0)) {
+		return;
+	}
+
+	if ((V_pf_counter_periodic_iter % (pf_purge_thread_period * 10 * 300)) != 0) {
+		return;
+	}
+
+	run = V_pf_allrulecount / 10;
+	if (run < 5)
+		run = 5;
+
+	for (r = 0; r < run; r++) {
+		rule = LIST_NEXT(V_pf_rulemarker, allrulelist);
+		if (rule == NULL) {
+			LIST_REMOVE(V_pf_rulemarker, allrulelist);
+			LIST_INSERT_HEAD(&V_pf_allrulelist, V_pf_rulemarker, allrulelist);
+			break;
+		}
+
+		LIST_REMOVE(V_pf_rulemarker, allrulelist);
+		LIST_INSERT_AFTER(rule, V_pf_rulemarker, allrulelist);
+
+		pf_counter_u64_periodic(&rule->evaluations);
+		for (int i = 0; i < 2; i++) {
+			pf_counter_u64_periodic(&rule->packets[i]);
+			pf_counter_u64_periodic(&rule->bytes[i]);
+		}
+	}
+}
+
 static void
 pf_counter_u64_periodic_main(void)
 {
@@ -1581,6 +1624,7 @@ pf_counter_u64_periodic_main(void)
 	pf_counter_u64_critical_enter();
 	pf_status_counter_u64_periodic();
 	pf_kif_counter_u64_periodic();
+	pf_rule_counter_u64_periodic();
 	pf_counter_u64_critical_exit();
 	PF_RULES_RUNLOCK();
 }
@@ -3643,7 +3687,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
 	}
 
 	while (r != NULL) {
-		counter_u64_add(r->evaluations, 1);
+		pf_counter_u64_add(&r->evaluations, 1);
 		if (pfi_kkif_match(r->kif, kif) == r->ifnot)
 			r = r->skip[PF_SKIP_IFP].ptr;
 		else if (r->direction && r->direction != direction)
@@ -3712,8 +3756,8 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
 				rtableid = r->rtableid;
 			if (r->anchor == NULL) {
 				if (r->action == PF_MATCH) {
-					counter_u64_add(r->packets[direction == PF_OUT], 1);
-					counter_u64_add(r->bytes[direction == PF_OUT], pd->tot_len);
+					pf_counter_u64_add(&r->packets[direction == PF_OUT], 1);
+					pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len);
 					pf_rule_to_actions(r, &pd->act);
 					if (r->log)
 						PFLOG_PACKET(kif, m, af,
@@ -4085,7 +4129,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
 
 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
 	while (r != NULL) {
-		counter_u64_add(r->evaluations, 1);
+		pf_counter_u64_add(&r->evaluations, 1);
 		if (pfi_kkif_match(r->kif, kif) == r->ifnot)
 			r = r->skip[PF_SKIP_IFP].ptr;
 		else if (r->direction && r->direction != direction)
@@ -4126,8 +4170,8 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
 		else {
 			if (r->anchor == NULL) {
 				if (r->action == PF_MATCH) {
-					counter_u64_add(r->packets[direction == PF_OUT], 1);
-					counter_u64_add(r->bytes[direction == PF_OUT], pd->tot_len);
+					pf_counter_u64_add(&r->packets[direction == PF_OUT], 1);
+					pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len);
 					pf_rule_to_actions(r, &pd->act);
 					if (r->log)
 						PFLOG_PACKET(kif, m, af,
@@ -6518,17 +6562,17 @@ done:
 
 	if (action == PF_PASS || r->action == PF_DROP) {
 		dirndx = (dir == PF_OUT);
-		counter_u64_add(r->packets[dirndx], 1);
-		counter_u64_add(r->bytes[dirndx], pd.tot_len);
+		pf_counter_u64_add(&r->packets[dirndx], 1);
+		pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len);
 		if (a != NULL) {
-			counter_u64_add(a->packets[dirndx], 1);
-			counter_u64_add(a->bytes[dirndx], pd.tot_len);
+			pf_counter_u64_add(&a->packets[dirndx], 1);
+			pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len);
 		}
 		if (s != NULL) {
 			if (s->nat_rule.ptr != NULL) {
-				counter_u64_add(s->nat_rule.ptr->packets[dirndx],
+				pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx],
 				    1);
-				counter_u64_add(s->nat_rule.ptr->bytes[dirndx],
+				pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx],
 				    pd.tot_len);
 			}
 			if (s->src_node != NULL) {
@@ -6926,17 +6970,17 @@ done:
 
 	if (action == PF_PASS || r->action == PF_DROP) {
 		dirndx = (dir == PF_OUT);
-		counter_u64_add(r->packets[dirndx], 1);
-		counter_u64_add(r->bytes[dirndx], pd.tot_len);
+		pf_counter_u64_add(&r->packets[dirndx], 1);
+		pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len);
 		if (a != NULL) {
-			counter_u64_add(a->packets[dirndx], 1);
-			counter_u64_add(a->bytes[dirndx], pd.tot_len);
+			pf_counter_u64_add(&a->packets[dirndx], 1);
+			pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len);
 		}
 		if (s != NULL) {
 			if (s->nat_rule.ptr != NULL) {
-				counter_u64_add(s->nat_rule.ptr->packets[dirndx],
+				pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx],
 				    1);
-				counter_u64_add(s->nat_rule.ptr->bytes[dirndx],
+				pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx],
 				    pd.tot_len);
 			}
 			if (s->src_node != NULL) {
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index e02fff4f88f6..81b50c237252 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -310,10 +310,10 @@ pfattach_vnet(void)
 	V_pf_default_rule.nr = -1;
 	V_pf_default_rule.rtableid = -1;
 
-	V_pf_default_rule.evaluations = counter_u64_alloc(M_WAITOK);
+	pf_counter_u64_init(&V_pf_default_rule.evaluations, M_WAITOK);
 	for (int i = 0; i < 2; i++) {
-		V_pf_default_rule.packets[i] = counter_u64_alloc(M_WAITOK);
-		V_pf_default_rule.bytes[i] = counter_u64_alloc(M_WAITOK);
+		pf_counter_u64_init(&V_pf_default_rule.packets[i], M_WAITOK);
+		pf_counter_u64_init(&V_pf_default_rule.bytes[i], M_WAITOK);
 	}
 	V_pf_default_rule.states_cur = counter_u64_alloc(M_WAITOK);
 	V_pf_default_rule.states_tot = counter_u64_alloc(M_WAITOK);
@@ -321,8 +321,12 @@ pfattach_vnet(void)
 
 #ifdef PF_WANT_32_TO_64_COUNTER
 	V_pf_kifmarker = malloc(sizeof(*V_pf_kifmarker), PFI_MTYPE, M_WAITOK | M_ZERO);
+	V_pf_rulemarker = malloc(sizeof(*V_pf_rulemarker), M_PFRULE, M_WAITOK | M_ZERO);
 	PF_RULES_WLOCK();
 	LIST_INSERT_HEAD(&V_pf_allkiflist, V_pf_kifmarker, pfik_allkiflist);
+	LIST_INSERT_HEAD(&V_pf_allrulelist, &V_pf_default_rule, allrulelist);
+	V_pf_allrulecount++;
+	LIST_INSERT_HEAD(&V_pf_allrulelist, V_pf_rulemarker, allrulelist);
 	PF_RULES_WUNLOCK();
 #endif
 
@@ -1116,16 +1120,16 @@ pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor)
 			while ((tail != NULL) && ! pf_krule_compare(tail, rule))
 				tail = TAILQ_NEXT(tail, entries);
 			if (tail != NULL) {
-				counter_u64_add(rule->evaluations,
-				    counter_u64_fetch(tail->evaluations));
-				counter_u64_add(rule->packets[0],
-				    counter_u64_fetch(tail->packets[0]));
-				counter_u64_add(rule->packets[1],
-				    counter_u64_fetch(tail->packets[1]));
-				counter_u64_add(rule->bytes[0],
-				    counter_u64_fetch(tail->bytes[0]));
-				counter_u64_add(rule->bytes[1],
-				    counter_u64_fetch(tail->bytes[1]));
+				pf_counter_u64_add(&rule->evaluations,
+				    pf_counter_u64_fetch(&tail->evaluations));
+				pf_counter_u64_add(&rule->packets[0],
+				    pf_counter_u64_fetch(&tail->packets[0]));
+				pf_counter_u64_add(&rule->packets[1],
+				    pf_counter_u64_fetch(&tail->packets[1]));
+				pf_counter_u64_add(&rule->bytes[0],
+				    pf_counter_u64_fetch(&tail->bytes[0]));
+				pf_counter_u64_add(&rule->bytes[1],
+				    pf_counter_u64_fetch(&tail->bytes[1]));
 			}
 		}
 	}
@@ -1506,13 +1510,29 @@ pf_altq_get_nth_active(u_int32_t n)
 void
 pf_krule_free(struct pf_krule *rule)
 {
+#ifdef PF_WANT_32_TO_64_COUNTER
+	bool wowned;
+#endif
+
 	if (rule == NULL)
 		return;
 
-	counter_u64_free(rule->evaluations);
+#ifdef PF_WANT_32_TO_64_COUNTER
+	if (rule->allrulelinked) {
+		wowned = PF_RULES_WOWNED();
+		if (!wowned)
+			PF_RULES_WLOCK();
+		LIST_REMOVE(rule, allrulelist);
+		V_pf_allrulecount--;
+		if (!wowned)
+			PF_RULES_WUNLOCK();
+	}
+#endif
+
+	pf_counter_u64_deinit(&rule->evaluations);
 	for (int i = 0; i < 2; i++) {
-		counter_u64_free(rule->packets[i]);
-		counter_u64_free(rule->bytes[i]);
+		pf_counter_u64_deinit(&rule->packets[i]);
+		pf_counter_u64_deinit(&rule->bytes[i]);
 	}
 	counter_u64_free(rule->states_cur);
 	counter_u64_free(rule->states_tot);
@@ -1574,7 +1594,7 @@ pf_pool_to_kpool(const struct pf_pool *pool, struct pf_kpool *kpool)
 }
 
 static void
-pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule)
+pf_krule_to_rule(struct pf_krule *krule, struct pf_rule *rule)
 {
 
 	bzero(rule, sizeof(*rule));
@@ -1601,10 +1621,10 @@ pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule)
 
 	pf_kpool_to_pool(&krule->rpool, &rule->rpool);
 
-	rule->evaluations = counter_u64_fetch(krule->evaluations);
+	rule->evaluations = pf_counter_u64_fetch(&krule->evaluations);
 	for (int i = 0; i < 2; i++) {
-		rule->packets[i] = counter_u64_fetch(krule->packets[i]);
-		rule->bytes[i] = counter_u64_fetch(krule->bytes[i]);
+		rule->packets[i] = pf_counter_u64_fetch(&krule->packets[i]);
+		rule->bytes[i] = pf_counter_u64_fetch(&krule->bytes[i]);
 	}
 
 	/* kif, anchor, overload_tbl are not copied over. */
@@ -1958,10 +1978,10 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
 
 	if (rule->ifname[0])
 		kif = pf_kkif_create(M_WAITOK);
-	rule->evaluations = counter_u64_alloc(M_WAITOK);
+	pf_counter_u64_init(&rule->evaluations, M_WAITOK);
 	for (int i = 0; i < 2; i++) {
-		rule->packets[i] = counter_u64_alloc(M_WAITOK);
-		rule->bytes[i] = counter_u64_alloc(M_WAITOK);
+		pf_counter_u64_init(&rule->packets[i], M_WAITOK);
+		pf_counter_u64_init(&rule->bytes[i], M_WAITOK);
 	}
 	rule->states_cur = counter_u64_alloc(M_WAITOK);
 	rule->states_tot = counter_u64_alloc(M_WAITOK);
@@ -1971,6 +1991,12 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
 	TAILQ_INIT(&rule->rpool.list);
 
 	PF_RULES_WLOCK();
+#ifdef PF_WANT_32_TO_64_COUNTER
+	LIST_INSERT_HEAD(&V_pf_allrulelist, rule, allrulelist);
+	MPASS(!rule->allrulelinked);
+	rule->allrulelinked = true;
+	V_pf_allrulecount++;
+#endif
 	ruleset = pf_find_kruleset(anchor);
 	if (ruleset == NULL)
 		ERROUT(EINVAL);
@@ -2074,10 +2100,10 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
 	}
 
 	rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
-	counter_u64_zero(rule->evaluations);
+	pf_counter_u64_zero(&rule->evaluations);
 	for (int i = 0; i < 2; i++) {
-		counter_u64_zero(rule->packets[i]);
-		counter_u64_zero(rule->bytes[i]);
+		pf_counter_u64_zero(&rule->packets[i]);
+		pf_counter_u64_zero(&rule->bytes[i]);
 	}
 	TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
 	    rule, entries);
@@ -2428,10 +2454,10 @@ DIOCADDRULENV_error:
 		pf_addr_copyout(&pr->rule.dst.addr);
 
 		if (pr->action == PF_GET_CLR_CNTR) {
-			counter_u64_zero(rule->evaluations);
+			pf_counter_u64_zero(&rule->evaluations);
 			for (int i = 0; i < 2; i++) {
-				counter_u64_zero(rule->packets[i]);
-				counter_u64_zero(rule->bytes[i]);
+				pf_counter_u64_zero(&rule->packets[i]);
+				pf_counter_u64_zero(&rule->bytes[i]);
 			}
 			counter_u64_zero(rule->states_tot);
 		}
@@ -2550,10 +2576,10 @@ DIOCADDRULENV_error:
 		}
 
 		if (clear_counter) {
-			counter_u64_zero(rule->evaluations);
+			pf_counter_u64_zero(&rule->evaluations);
 			for (int i = 0; i < 2; i++) {
-				counter_u64_zero(rule->packets[i]);
-				counter_u64_zero(rule->bytes[i]);
+				pf_counter_u64_zero(&rule->packets[i]);
+				pf_counter_u64_zero(&rule->bytes[i]);
 			}
 			counter_u64_zero(rule->states_tot);
 		}
@@ -2599,12 +2625,10 @@ DIOCGETRULENV_error:
 
 			if (newrule->ifname[0])
 				kif = pf_kkif_create(M_WAITOK);
-			newrule->evaluations = counter_u64_alloc(M_WAITOK);
+			pf_counter_u64_init(&newrule->evaluations, M_WAITOK);
 			for (int i = 0; i < 2; i++) {
-				newrule->packets[i] =
-				    counter_u64_alloc(M_WAITOK);
-				newrule->bytes[i] =
-				    counter_u64_alloc(M_WAITOK);
+				pf_counter_u64_init(&newrule->packets[i], M_WAITOK);
+				pf_counter_u64_init(&newrule->bytes[i], M_WAITOK);
 			}
 			newrule->states_cur = counter_u64_alloc(M_WAITOK);
 			newrule->states_tot = counter_u64_alloc(M_WAITOK);
@@ -2617,6 +2641,14 @@ DIOCGETRULENV_error:
 #define	ERROUT(x)	{ error = (x); goto DIOCCHANGERULE_error; }
 
 		PF_RULES_WLOCK();
+#ifdef PF_WANT_32_TO_64_COUNTER
+		if (newrule != NULL) {
+			LIST_INSERT_HEAD(&V_pf_allrulelist, newrule, allrulelist);
+			newrule->allrulelinked = true;
+			V_pf_allrulecount++;
+		}
+#endif
+
 		if (!(pcr->action == PF_CHANGE_REMOVE ||
 		    pcr->action == PF_CHANGE_GET_TICKET) &&
 		    pcr->pool_ticket != V_ticket_pabuf)
@@ -3198,10 +3230,10 @@ DIOCGETSTATESV2_full:
 		PF_RULES_WLOCK();
 		TAILQ_FOREACH(rule,
 		    ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) {
-			counter_u64_zero(rule->evaluations);
+			pf_counter_u64_zero(&rule->evaluations);
 			for (int i = 0; i < 2; i++) {
-				counter_u64_zero(rule->packets[i]);
-				counter_u64_zero(rule->bytes[i]);
+				pf_counter_u64_zero(&rule->packets[i]);
+				pf_counter_u64_zero(&rule->bytes[i]);
 			}
 		}
 		PF_RULES_WUNLOCK();
@@ -5611,18 +5643,33 @@ pf_unload_vnet(void)
 #ifdef PF_WANT_32_TO_64_COUNTER
 	PF_RULES_WLOCK();
 	LIST_REMOVE(V_pf_kifmarker, pfik_allkiflist);
-	PF_RULES_WUNLOCK();
-	free(V_pf_kifmarker, PFI_MTYPE);
 
 	MPASS(LIST_EMPTY(&V_pf_allkiflist));
 	MPASS(V_pf_allkifcount == 0);
+
+	LIST_REMOVE(&V_pf_default_rule, allrulelist);
+	V_pf_allrulecount--;
+	LIST_REMOVE(V_pf_rulemarker, allrulelist);
+
+	/*
+	 * There are known pf rule leaks when running the test suite.
+	 */
+#ifdef notyet
+	MPASS(LIST_EMPTY(&V_pf_allrulelist));
+	MPASS(V_pf_allrulecount == 0);
+#endif
+
+	PF_RULES_WUNLOCK();
+
+	free(V_pf_kifmarker, PFI_MTYPE);
+	free(V_pf_rulemarker, M_PFRULE);
 #endif
 
 	/* Free counters last as we updated them during shutdown. */
-	counter_u64_free(V_pf_default_rule.evaluations);
+	pf_counter_u64_deinit(&V_pf_default_rule.evaluations);
 	for (int i = 0; i < 2; i++) {
-		counter_u64_free(V_pf_default_rule.packets[i]);
-		counter_u64_free(V_pf_default_rule.bytes[i]);
+		pf_counter_u64_deinit(&V_pf_default_rule.packets[i]);
+		pf_counter_u64_deinit(&V_pf_default_rule.bytes[i]);
 	}
 	counter_u64_free(V_pf_default_rule.states_cur);
 	counter_u64_free(V_pf_default_rule.states_tot);
diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
index b7079c47308a..24ff907cdc61 100644
--- a/sys/netpfil/pf/pf_lb.c
+++ b/sys/netpfil/pf/pf_lb.c
@@ -149,7 +149,7 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
 			dst = &r->dst;
 		}
 
-		counter_u64_add(r->evaluations, 1);
+		pf_counter_u64_add(&r->evaluations, 1);
 		if (pfi_kkif_match(r->kif, kif) == r->ifnot)
 			r = r->skip[PF_SKIP_IFP].ptr;
 		else if (r->direction && r->direction != direction)
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 8ffa690ac36f..19d3a268e4f8 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1035,7 +1035,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason
 
 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
 	while (r != NULL) {
-		counter_u64_add(r->evaluations, 1);
+		pf_counter_u64_add(&r->evaluations, 1);
 		if (pfi_kkif_match(r->kif, kif) == r->ifnot)
 			r = r->skip[PF_SKIP_IFP].ptr;
 		else if (r->direction && r->direction != dir)
@@ -1062,8 +1062,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason
 	if (r == NULL || r->action == PF_NOSCRUB)
 		return (PF_PASS);
 
-	counter_u64_add(r->packets[dir == PF_OUT], 1);
-	counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len);
+	pf_counter_u64_add(&r->packets[dir == PF_OUT], 1);
+	pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len);
 
 	/* Check for illegal packets */
 	if (hlen < (int)sizeof(struct ip)) {
@@ -1178,7 +1178,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif,
 
 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
 	while (r != NULL) {
-		counter_u64_add(r->evaluations, 1);
+		pf_counter_u64_add(&r->evaluations, 1);
 		if (pfi_kkif_match(r->kif, kif) == r->ifnot)
 			r = r->skip[PF_SKIP_IFP].ptr;
 		else if (r->direction && r->direction != dir)
@@ -1204,8 +1204,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif,
 	if (r == NULL || r->action == PF_NOSCRUB)
 		return (PF_PASS);
 
-	counter_u64_add(r->packets[dir == PF_OUT], 1);
-	counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len);
+	pf_counter_u64_add(&r->packets[dir == PF_OUT], 1);
+	pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len);
 
 	/* Check for illegal packets */
 	if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len)
@@ -1355,7 +1355,7 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
 
 	r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
 	while (r != NULL) {
-		counter_u64_add(r->evaluations, 1);
+		pf_counter_u64_add(&r->evaluations, 1);
 		if (pfi_kkif_match(r->kif, kif) == r->ifnot)
 			r = r->skip[PF_SKIP_IFP].ptr;
 		else if (r->direction && r->direction != dir)
@@ -1389,8 +1389,8 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
 	if (rm == NULL || rm->action == PF_NOSCRUB)
 		return (PF_PASS);
 
-	counter_u64_add(r->packets[dir == PF_OUT], 1);
-	counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len);
+	pf_counter_u64_add(&r->packets[dir == PF_OUT], 1);
+	pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len);
 
 	if (rm->rule_flag & PFRULE_REASSEMBLE_TCP)
 		pd->flags |= PFDESC_TCP_NORM;
diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c
index c0a17cd876ae..d1eca90e0ee5 100644
--- a/sys/netpfil/pf/pf_nv.c
+++ b/sys/netpfil/pf/pf_nv.c
@@ -655,7 +655,7 @@ error:
 }
 
 nvlist_t *
-pf_krule_to_nvrule(const struct pf_krule *rule)
+pf_krule_to_nvrule(struct pf_krule *rule)
 {
 	nvlist_t *nvl, *tmp;
 
@@ -698,12 +698,12 @@ pf_krule_to_nvrule(const struct pf_krule *rule)
 	nvlist_destroy(tmp);
 
 	nvlist_add_number(nvl, "evaluations",
-	    counter_u64_fetch(rule->evaluations));
+	    pf_counter_u64_fetch(&rule->evaluations));
 	for (int i = 0; i < 2; i++) {
 		nvlist_append_number_array(nvl, "packets",
-		    counter_u64_fetch(rule->packets[i]));
+		    pf_counter_u64_fetch(&rule->packets[i]));
 		nvlist_append_number_array(nvl, "bytes",
-		    counter_u64_fetch(rule->bytes[i]));
+		    pf_counter_u64_fetch(&rule->bytes[i]));
 	}
 
 	nvlist_add_number(nvl, "os_fingerprint", rule->os_fingerprint);
diff --git a/sys/netpfil/pf/pf_nv.h b/sys/netpfil/pf/pf_nv.h
index 2abb5a2401e2..f1cdc52aad6b 100644
--- a/sys/netpfil/pf/pf_nv.h
+++ b/sys/netpfil/pf/pf_nv.h
@@ -78,7 +78,7 @@ int	pf_nvstring(const nvlist_t *, const char *, char *, size_t);
 
 int		 pf_check_rule_addr(const struct pf_rule_addr *);
 
-nvlist_t	*pf_krule_to_nvrule(const struct pf_krule *);
+nvlist_t	*pf_krule_to_nvrule(struct pf_krule *);
 int		 pf_nvrule_to_krule(const nvlist_t *, struct pf_krule *);
 int		 pf_nvstate_kill_to_kstate_kill(const nvlist_t *,
 		    struct pf_kstate_kill *);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202108111325.17BDPLNt004928>