Date: Wed, 11 Aug 2021 13:25:21 GMT From: Mateusz Guzik <mjg@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: 463aa33ff662 - stable/12 - pf: switch rule counters to pf_counter_u64 Message-ID: <202108111325.17BDPLNt004928@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/12 has been updated by mjg: URL: https://cgit.FreeBSD.org/src/commit/?id=463aa33ff66280385dcc34d51233b14f33a69403 commit 463aa33ff66280385dcc34d51233b14f33a69403 Author: Mateusz Guzik <mjg@FreeBSD.org> AuthorDate: 2021-07-22 14:45:14 +0000 Commit: Mateusz Guzik <mjg@FreeBSD.org> CommitDate: 2021-08-11 12:22:27 +0000 pf: switch rule counters to pf_counter_u64 Reviewed by: kp Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 02cf67ccf6538b14677672640e405f7f94044dc3) --- sys/net/pfvar.h | 19 ++++++- sys/netpfil/pf/pf.c | 80 +++++++++++++++++++++------ sys/netpfil/pf/pf_ioctl.c | 137 +++++++++++++++++++++++++++++++--------------- sys/netpfil/pf/pf_lb.c | 2 +- sys/netpfil/pf/pf_norm.c | 18 +++--- sys/netpfil/pf/pf_nv.c | 8 +-- sys/netpfil/pf/pf_nv.h | 2 +- 7 files changed, 185 insertions(+), 81 deletions(-) diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index e8cf8b1e6019..624456149162 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -583,9 +583,9 @@ struct pf_krule { TAILQ_ENTRY(pf_krule) entries; struct pf_kpool rpool; - counter_u64_t evaluations; - counter_u64_t packets[2]; - counter_u64_t bytes[2]; + struct pf_counter_u64 evaluations; + struct pf_counter_u64 packets[2]; + struct pf_counter_u64 bytes[2]; struct pfi_kkif *kif; struct pf_kanchor *anchor; @@ -659,6 +659,11 @@ struct pf_krule { struct pf_addr addr; u_int16_t port; } divert; + +#ifdef PF_WANT_32_TO_64_COUNTER + LIST_ENTRY(pf_krule) allrulelist; + bool allrulelinked; +#endif }; struct pf_ksrc_node { @@ -1859,6 +1864,14 @@ VNET_DECLARE(size_t, pf_allkifcount); #define V_pf_allkifcount VNET(pf_allkifcount) VNET_DECLARE(struct pfi_kkif *, pf_kifmarker); #define V_pf_kifmarker VNET(pf_kifmarker) + +LIST_HEAD(allrulelist_head, pf_krule); +VNET_DECLARE(struct allrulelist_head, pf_allrulelist); +#define V_pf_allrulelist VNET(pf_allrulelist) +VNET_DECLARE(size_t, pf_allrulecount); +#define V_pf_allrulecount VNET(pf_allrulecount) +VNET_DECLARE(struct pf_krule *, pf_rulemarker); +#define V_pf_rulemarker VNET(pf_rulemarker) #endif void pf_initialize(void); diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 3dcea7e59bd0..0c485189ec16 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -158,6 +158,10 @@ VNET_DEFINE_STATIC(uint32_t, pf_purge_idx); #ifdef PF_WANT_32_TO_64_COUNTER VNET_DEFINE_STATIC(uint32_t, pf_counter_periodic_iter); #define V_pf_counter_periodic_iter VNET(pf_counter_periodic_iter) + +VNET_DEFINE(struct allrulelist_head, pf_allrulelist); +VNET_DEFINE(size_t, pf_allrulecount); +VNET_DEFINE(struct pf_krule *, pf_rulemarker); #endif /* @@ -1570,6 +1574,45 @@ pf_kif_counter_u64_periodic(void) } } +static void +pf_rule_counter_u64_periodic(void) +{ + struct pf_krule *rule; + size_t r, run; + + PF_RULES_RASSERT(); + + if (__predict_false(V_pf_allrulecount == 0)) { + return; + } + + if ((V_pf_counter_periodic_iter % (pf_purge_thread_period * 10 * 300)) != 0) { + return; + } + + run = V_pf_allrulecount / 10; + if (run < 5) + run = 5; + + for (r = 0; r < run; r++) { + rule = LIST_NEXT(V_pf_rulemarker, allrulelist); + if (rule == NULL) { + LIST_REMOVE(V_pf_rulemarker, allrulelist); + LIST_INSERT_HEAD(&V_pf_allrulelist, V_pf_rulemarker, allrulelist); + break; + } + + LIST_REMOVE(V_pf_rulemarker, allrulelist); + LIST_INSERT_AFTER(rule, V_pf_rulemarker, allrulelist); + + pf_counter_u64_periodic(&rule->evaluations); + for (int i = 0; i < 2; i++) { + pf_counter_u64_periodic(&rule->packets[i]); + pf_counter_u64_periodic(&rule->bytes[i]); + } + } +} + static void pf_counter_u64_periodic_main(void) { @@ -1581,6 +1624,7 @@ pf_counter_u64_periodic_main(void) pf_counter_u64_critical_enter(); pf_status_counter_u64_periodic(); pf_kif_counter_u64_periodic(); + pf_rule_counter_u64_periodic(); pf_counter_u64_critical_exit(); PF_RULES_RUNLOCK(); } @@ -3643,7 +3687,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction, } while (r != NULL) { - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != direction) @@ -3712,8 +3756,8 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction, rtableid = r->rtableid; if (r->anchor == NULL) { if (r->action == PF_MATCH) { - counter_u64_add(r->packets[direction == PF_OUT], 1); - counter_u64_add(r->bytes[direction == PF_OUT], pd->tot_len); + pf_counter_u64_add(&r->packets[direction == PF_OUT], 1); + pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len); pf_rule_to_actions(r, &pd->act); if (r->log) PFLOG_PACKET(kif, m, af, @@ -4085,7 +4129,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif, r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr); while (r != NULL) { - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != direction) @@ -4126,8 +4170,8 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif, else { if (r->anchor == NULL) { if (r->action == PF_MATCH) { - counter_u64_add(r->packets[direction == PF_OUT], 1); - counter_u64_add(r->bytes[direction == PF_OUT], pd->tot_len); + pf_counter_u64_add(&r->packets[direction == PF_OUT], 1); + pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len); pf_rule_to_actions(r, &pd->act); if (r->log) PFLOG_PACKET(kif, m, af, @@ -6518,17 +6562,17 @@ done: if (action == PF_PASS || r->action == PF_DROP) { dirndx = (dir == PF_OUT); - counter_u64_add(r->packets[dirndx], 1); - counter_u64_add(r->bytes[dirndx], pd.tot_len); + pf_counter_u64_add(&r->packets[dirndx], 1); + pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len); if (a != NULL) { - counter_u64_add(a->packets[dirndx], 1); - counter_u64_add(a->bytes[dirndx], pd.tot_len); + pf_counter_u64_add(&a->packets[dirndx], 1); + pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len); } if (s != NULL) { if (s->nat_rule.ptr != NULL) { - counter_u64_add(s->nat_rule.ptr->packets[dirndx], + pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx], 1); - counter_u64_add(s->nat_rule.ptr->bytes[dirndx], + pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx], pd.tot_len); } if (s->src_node != NULL) { @@ -6926,17 +6970,17 @@ done: if (action == PF_PASS || r->action == PF_DROP) { dirndx = (dir == PF_OUT); - counter_u64_add(r->packets[dirndx], 1); - counter_u64_add(r->bytes[dirndx], pd.tot_len); + pf_counter_u64_add(&r->packets[dirndx], 1); + pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len); if (a != NULL) { - counter_u64_add(a->packets[dirndx], 1); - counter_u64_add(a->bytes[dirndx], pd.tot_len); + pf_counter_u64_add(&a->packets[dirndx], 1); + pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len); } if (s != NULL) { if (s->nat_rule.ptr != NULL) { - counter_u64_add(s->nat_rule.ptr->packets[dirndx], + pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx], 1); - counter_u64_add(s->nat_rule.ptr->bytes[dirndx], + pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx], pd.tot_len); } if (s->src_node != NULL) { diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index e02fff4f88f6..81b50c237252 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -310,10 +310,10 @@ pfattach_vnet(void) V_pf_default_rule.nr = -1; V_pf_default_rule.rtableid = -1; - V_pf_default_rule.evaluations = counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&V_pf_default_rule.evaluations, M_WAITOK); for (int i = 0; i < 2; i++) { - V_pf_default_rule.packets[i] = counter_u64_alloc(M_WAITOK); - V_pf_default_rule.bytes[i] = counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&V_pf_default_rule.packets[i], M_WAITOK); + pf_counter_u64_init(&V_pf_default_rule.bytes[i], M_WAITOK); } V_pf_default_rule.states_cur = counter_u64_alloc(M_WAITOK); V_pf_default_rule.states_tot = counter_u64_alloc(M_WAITOK); @@ -321,8 +321,12 @@ pfattach_vnet(void) #ifdef PF_WANT_32_TO_64_COUNTER V_pf_kifmarker = malloc(sizeof(*V_pf_kifmarker), PFI_MTYPE, M_WAITOK | M_ZERO); + V_pf_rulemarker = malloc(sizeof(*V_pf_rulemarker), M_PFRULE, M_WAITOK | M_ZERO); PF_RULES_WLOCK(); LIST_INSERT_HEAD(&V_pf_allkiflist, V_pf_kifmarker, pfik_allkiflist); + LIST_INSERT_HEAD(&V_pf_allrulelist, &V_pf_default_rule, allrulelist); + V_pf_allrulecount++; + LIST_INSERT_HEAD(&V_pf_allrulelist, V_pf_rulemarker, allrulelist); PF_RULES_WUNLOCK(); #endif @@ -1116,16 +1120,16 @@ pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor) while ((tail != NULL) && ! pf_krule_compare(tail, rule)) tail = TAILQ_NEXT(tail, entries); if (tail != NULL) { - counter_u64_add(rule->evaluations, - counter_u64_fetch(tail->evaluations)); - counter_u64_add(rule->packets[0], - counter_u64_fetch(tail->packets[0])); - counter_u64_add(rule->packets[1], - counter_u64_fetch(tail->packets[1])); - counter_u64_add(rule->bytes[0], - counter_u64_fetch(tail->bytes[0])); - counter_u64_add(rule->bytes[1], - counter_u64_fetch(tail->bytes[1])); + pf_counter_u64_add(&rule->evaluations, + pf_counter_u64_fetch(&tail->evaluations)); + pf_counter_u64_add(&rule->packets[0], + pf_counter_u64_fetch(&tail->packets[0])); + pf_counter_u64_add(&rule->packets[1], + pf_counter_u64_fetch(&tail->packets[1])); + pf_counter_u64_add(&rule->bytes[0], + pf_counter_u64_fetch(&tail->bytes[0])); + pf_counter_u64_add(&rule->bytes[1], + pf_counter_u64_fetch(&tail->bytes[1])); } } } @@ -1506,13 +1510,29 @@ pf_altq_get_nth_active(u_int32_t n) void pf_krule_free(struct pf_krule *rule) { +#ifdef PF_WANT_32_TO_64_COUNTER + bool wowned; +#endif + if (rule == NULL) return; - counter_u64_free(rule->evaluations); +#ifdef PF_WANT_32_TO_64_COUNTER + if (rule->allrulelinked) { + wowned = PF_RULES_WOWNED(); + if (!wowned) + PF_RULES_WLOCK(); + LIST_REMOVE(rule, allrulelist); + V_pf_allrulecount--; + if (!wowned) + PF_RULES_WUNLOCK(); + } +#endif + + pf_counter_u64_deinit(&rule->evaluations); for (int i = 0; i < 2; i++) { - counter_u64_free(rule->packets[i]); - counter_u64_free(rule->bytes[i]); + pf_counter_u64_deinit(&rule->packets[i]); + pf_counter_u64_deinit(&rule->bytes[i]); } counter_u64_free(rule->states_cur); counter_u64_free(rule->states_tot); @@ -1574,7 +1594,7 @@ pf_pool_to_kpool(const struct pf_pool *pool, struct pf_kpool *kpool) } static void -pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule) +pf_krule_to_rule(struct pf_krule *krule, struct pf_rule *rule) { bzero(rule, sizeof(*rule)); @@ -1601,10 +1621,10 @@ pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule) pf_kpool_to_pool(&krule->rpool, &rule->rpool); - rule->evaluations = counter_u64_fetch(krule->evaluations); + rule->evaluations = pf_counter_u64_fetch(&krule->evaluations); for (int i = 0; i < 2; i++) { - rule->packets[i] = counter_u64_fetch(krule->packets[i]); - rule->bytes[i] = counter_u64_fetch(krule->bytes[i]); + rule->packets[i] = pf_counter_u64_fetch(&krule->packets[i]); + rule->bytes[i] = pf_counter_u64_fetch(&krule->bytes[i]); } /* kif, anchor, overload_tbl are not copied over. */ @@ -1958,10 +1978,10 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, if (rule->ifname[0]) kif = pf_kkif_create(M_WAITOK); - rule->evaluations = counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&rule->evaluations, M_WAITOK); for (int i = 0; i < 2; i++) { - rule->packets[i] = counter_u64_alloc(M_WAITOK); - rule->bytes[i] = counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&rule->packets[i], M_WAITOK); + pf_counter_u64_init(&rule->bytes[i], M_WAITOK); } rule->states_cur = counter_u64_alloc(M_WAITOK); rule->states_tot = counter_u64_alloc(M_WAITOK); @@ -1971,6 +1991,12 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, TAILQ_INIT(&rule->rpool.list); PF_RULES_WLOCK(); +#ifdef PF_WANT_32_TO_64_COUNTER + LIST_INSERT_HEAD(&V_pf_allrulelist, rule, allrulelist); + MPASS(!rule->allrulelinked); + rule->allrulelinked = true; + V_pf_allrulecount++; +#endif ruleset = pf_find_kruleset(anchor); if (ruleset == NULL) ERROUT(EINVAL); @@ -2074,10 +2100,10 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket, } rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list); - counter_u64_zero(rule->evaluations); + pf_counter_u64_zero(&rule->evaluations); for (int i = 0; i < 2; i++) { - counter_u64_zero(rule->packets[i]); - counter_u64_zero(rule->bytes[i]); + pf_counter_u64_zero(&rule->packets[i]); + pf_counter_u64_zero(&rule->bytes[i]); } TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr, rule, entries); @@ -2428,10 +2454,10 @@ DIOCADDRULENV_error: pf_addr_copyout(&pr->rule.dst.addr); if (pr->action == PF_GET_CLR_CNTR) { - counter_u64_zero(rule->evaluations); + pf_counter_u64_zero(&rule->evaluations); for (int i = 0; i < 2; i++) { - counter_u64_zero(rule->packets[i]); - counter_u64_zero(rule->bytes[i]); + pf_counter_u64_zero(&rule->packets[i]); + pf_counter_u64_zero(&rule->bytes[i]); } counter_u64_zero(rule->states_tot); } @@ -2550,10 +2576,10 @@ DIOCADDRULENV_error: } if (clear_counter) { - counter_u64_zero(rule->evaluations); + pf_counter_u64_zero(&rule->evaluations); for (int i = 0; i < 2; i++) { - counter_u64_zero(rule->packets[i]); - counter_u64_zero(rule->bytes[i]); + pf_counter_u64_zero(&rule->packets[i]); + pf_counter_u64_zero(&rule->bytes[i]); } counter_u64_zero(rule->states_tot); } @@ -2599,12 +2625,10 @@ DIOCGETRULENV_error: if (newrule->ifname[0]) kif = pf_kkif_create(M_WAITOK); - newrule->evaluations = counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&newrule->evaluations, M_WAITOK); for (int i = 0; i < 2; i++) { - newrule->packets[i] = - counter_u64_alloc(M_WAITOK); - newrule->bytes[i] = - counter_u64_alloc(M_WAITOK); + pf_counter_u64_init(&newrule->packets[i], M_WAITOK); + pf_counter_u64_init(&newrule->bytes[i], M_WAITOK); } newrule->states_cur = counter_u64_alloc(M_WAITOK); newrule->states_tot = counter_u64_alloc(M_WAITOK); @@ -2617,6 +2641,14 @@ DIOCGETRULENV_error: #define ERROUT(x) { error = (x); goto DIOCCHANGERULE_error; } PF_RULES_WLOCK(); +#ifdef PF_WANT_32_TO_64_COUNTER + if (newrule != NULL) { + LIST_INSERT_HEAD(&V_pf_allrulelist, newrule, allrulelist); + newrule->allrulelinked = true; + V_pf_allrulecount++; + } +#endif + if (!(pcr->action == PF_CHANGE_REMOVE || pcr->action == PF_CHANGE_GET_TICKET) && pcr->pool_ticket != V_ticket_pabuf) @@ -3198,10 +3230,10 @@ DIOCGETSTATESV2_full: PF_RULES_WLOCK(); TAILQ_FOREACH(rule, ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) { - counter_u64_zero(rule->evaluations); + pf_counter_u64_zero(&rule->evaluations); for (int i = 0; i < 2; i++) { - counter_u64_zero(rule->packets[i]); - counter_u64_zero(rule->bytes[i]); + pf_counter_u64_zero(&rule->packets[i]); + pf_counter_u64_zero(&rule->bytes[i]); } } PF_RULES_WUNLOCK(); @@ -5611,18 +5643,33 @@ pf_unload_vnet(void) #ifdef PF_WANT_32_TO_64_COUNTER PF_RULES_WLOCK(); LIST_REMOVE(V_pf_kifmarker, pfik_allkiflist); - PF_RULES_WUNLOCK(); - free(V_pf_kifmarker, PFI_MTYPE); MPASS(LIST_EMPTY(&V_pf_allkiflist)); MPASS(V_pf_allkifcount == 0); + + LIST_REMOVE(&V_pf_default_rule, allrulelist); + V_pf_allrulecount--; + LIST_REMOVE(V_pf_rulemarker, allrulelist); + + /* + * There are known pf rule leaks when running the test suite. + */ +#ifdef notyet + MPASS(LIST_EMPTY(&V_pf_allrulelist)); + MPASS(V_pf_allrulecount == 0); +#endif + + PF_RULES_WUNLOCK(); + + free(V_pf_kifmarker, PFI_MTYPE); + free(V_pf_rulemarker, M_PFRULE); #endif /* Free counters last as we updated them during shutdown. */ - counter_u64_free(V_pf_default_rule.evaluations); + pf_counter_u64_deinit(&V_pf_default_rule.evaluations); for (int i = 0; i < 2; i++) { - counter_u64_free(V_pf_default_rule.packets[i]); - counter_u64_free(V_pf_default_rule.bytes[i]); + pf_counter_u64_deinit(&V_pf_default_rule.packets[i]); + pf_counter_u64_deinit(&V_pf_default_rule.bytes[i]); } counter_u64_free(V_pf_default_rule.states_cur); counter_u64_free(V_pf_default_rule.states_tot); diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index b7079c47308a..24ff907cdc61 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -149,7 +149,7 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off, dst = &r->dst; } - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != direction) diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 8ffa690ac36f..19d3a268e4f8 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1035,7 +1035,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); while (r != NULL) { - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != dir) @@ -1062,8 +1062,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason if (r == NULL || r->action == PF_NOSCRUB) return (PF_PASS); - counter_u64_add(r->packets[dir == PF_OUT], 1); - counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_add(&r->packets[dir == PF_OUT], 1); + pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len); /* Check for illegal packets */ if (hlen < (int)sizeof(struct ip)) { @@ -1178,7 +1178,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); while (r != NULL) { - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != dir) @@ -1204,8 +1204,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, if (r == NULL || r->action == PF_NOSCRUB) return (PF_PASS); - counter_u64_add(r->packets[dir == PF_OUT], 1); - counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_add(&r->packets[dir == PF_OUT], 1); + pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len); /* Check for illegal packets */ if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len) @@ -1355,7 +1355,7 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff, r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr); while (r != NULL) { - counter_u64_add(r->evaluations, 1); + pf_counter_u64_add(&r->evaluations, 1); if (pfi_kkif_match(r->kif, kif) == r->ifnot) r = r->skip[PF_SKIP_IFP].ptr; else if (r->direction && r->direction != dir) @@ -1389,8 +1389,8 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff, if (rm == NULL || rm->action == PF_NOSCRUB) return (PF_PASS); - counter_u64_add(r->packets[dir == PF_OUT], 1); - counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_add(&r->packets[dir == PF_OUT], 1); + pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len); if (rm->rule_flag & PFRULE_REASSEMBLE_TCP) pd->flags |= PFDESC_TCP_NORM; diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c index c0a17cd876ae..d1eca90e0ee5 100644 --- a/sys/netpfil/pf/pf_nv.c +++ b/sys/netpfil/pf/pf_nv.c @@ -655,7 +655,7 @@ error: } nvlist_t * -pf_krule_to_nvrule(const struct pf_krule *rule) +pf_krule_to_nvrule(struct pf_krule *rule) { nvlist_t *nvl, *tmp; @@ -698,12 +698,12 @@ pf_krule_to_nvrule(const struct pf_krule *rule) nvlist_destroy(tmp); nvlist_add_number(nvl, "evaluations", - counter_u64_fetch(rule->evaluations)); + pf_counter_u64_fetch(&rule->evaluations)); for (int i = 0; i < 2; i++) { nvlist_append_number_array(nvl, "packets", - counter_u64_fetch(rule->packets[i])); + pf_counter_u64_fetch(&rule->packets[i])); nvlist_append_number_array(nvl, "bytes", - counter_u64_fetch(rule->bytes[i])); + pf_counter_u64_fetch(&rule->bytes[i])); } nvlist_add_number(nvl, "os_fingerprint", rule->os_fingerprint); diff --git a/sys/netpfil/pf/pf_nv.h b/sys/netpfil/pf/pf_nv.h index 2abb5a2401e2..f1cdc52aad6b 100644 --- a/sys/netpfil/pf/pf_nv.h +++ b/sys/netpfil/pf/pf_nv.h @@ -78,7 +78,7 @@ int pf_nvstring(const nvlist_t *, const char *, char *, size_t); int pf_check_rule_addr(const struct pf_rule_addr *); -nvlist_t *pf_krule_to_nvrule(const struct pf_krule *); +nvlist_t *pf_krule_to_nvrule(struct pf_krule *); int pf_nvrule_to_krule(const nvlist_t *, struct pf_krule *); int pf_nvstate_kill_to_kstate_kill(const nvlist_t *, struct pf_kstate_kill *);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202108111325.17BDPLNt004928>