Date: Wed, 2 Mar 2022 16:00:45 GMT
Message-Id: <202203021600.222G0jUf091054@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 6b7c2680039b - main - pf: Only hook the Ethernet pfil hook when we have rules
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6b7c2680039b4e1b1d571bf4f443d99878a7fbc0

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=6b7c2680039b4e1b1d571bf4f443d99878a7fbc0
commit 6b7c2680039b4e1b1d571bf4f443d99878a7fbc0 Author: Kristof Provost AuthorDate: 2021-02-16 12:42:31 +0000 Commit: Kristof Provost CommitDate: 2022-03-02 16:00:04 +0000 pf: Only hook the Ethernet pfil hook when we have rules Avoid the overhead of the Ethernet pfil hooks if we don't have any Ethernet rules. Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D31742 --- sys/netpfil/pf/pf_ioctl.c | 59 ++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 53 insertions(+), 6 deletions(-) diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index b2537720bb7e..b116d6e91a7b 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -240,7 +240,9 @@ static pfil_return_t pf_check6_out(struct mbuf **m, struct ifnet *ifp, int flags, void *ruleset __unused, struct inpcb *inp); #endif +static void hook_pf_eth(void); static void hook_pf(void); +static void dehook_pf_eth(void); static void dehook_pf(void); static int shutdown_pf(void); static int pf_load(void); @@ -254,6 +256,8 @@ static struct cdevsw pf_cdevsw = { volatile VNET_DEFINE_STATIC(int, pf_pfil_hooked); #define V_pf_pfil_hooked VNET(pf_pfil_hooked) +volatile VNET_DEFINE_STATIC(int, pf_pfil_eth_hooked); +#define V_pf_pfil_eth_hooked VNET(pf_pfil_eth_hooked) /* * We need a flag that is neither hooked nor running to know when @@ -372,6 +376,7 @@ pfattach_vnet(void) V_pf_status.debug = PF_DEBUG_URGENT; V_pf_pfil_hooked = 0; + V_pf_pfil_eth_hooked = 0; /* XXX do our best to avoid a conflict */ V_pf_status.hostid = arc4random(); @@ -2470,6 +2475,8 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td int cpu; hook_pf(); + if (! TAILQ_EMPTY(&V_pf_keth->rules)) + hook_pf_eth(); V_pf_status.running = 1; V_pf_status.since = time_second; 
@@ -2487,6 +2494,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td else { V_pf_status.running = 0; dehook_pf(); + dehook_pf_eth(); V_pf_status.since = time_second; DPFPRINTF(PF_DEBUG_MISC, ("pf: stopped\n")); } @@ -5027,6 +5035,13 @@ DIOCCHANGEADDR_error: } } PF_RULES_WUNLOCK(); + + /* Only hook into EtherNet taffic if we've got rules for it. */ + if (! TAILQ_EMPTY(&V_pf_keth->rules)) + hook_pf_eth(); + else + dehook_pf_eth(); + free(ioes, M_TEMP); break; } @@ -6076,13 +6091,13 @@ VNET_DEFINE_STATIC(pfil_hook_t, pf_ip6_out_hook); #endif static void -hook_pf(void) +hook_pf_eth(void) { struct pfil_hook_args pha; struct pfil_link_args pla; int ret __diagused; - if (V_pf_pfil_hooked) + if (V_pf_pfil_eth_hooked) return; pha.pa_version = PFIL_VERSION; @@ -6099,7 +6114,8 @@ hook_pf(void) pla.pa_flags = PFIL_IN | PFIL_HEADPTR | PFIL_HOOKPTR; pla.pa_head = V_link_pfil_head; pla.pa_hook = V_pf_eth_in_hook; - (void)pfil_link(&pla); + ret = pfil_link(&pla); + MPASS(ret == 0); pha.pa_func = pf_eth_check_out; pha.pa_flags = PFIL_OUT; pha.pa_rulname = "eth-out"; @@ -6107,7 +6123,27 @@ hook_pf(void) pla.pa_flags = PFIL_OUT | PFIL_HEADPTR | PFIL_HOOKPTR; pla.pa_head = V_link_pfil_head; pla.pa_hook = V_pf_eth_out_hook; - (void)pfil_link(&pla); + ret = pfil_link(&pla); + MPASS(ret == 0); + + V_pf_pfil_eth_hooked = 1; +} + +static void +hook_pf(void) +{ + struct pfil_hook_args pha; + struct pfil_link_args pla; + int ret; + + if (V_pf_pfil_hooked) + return; + + pha.pa_version = PFIL_VERSION; + pha.pa_modname = "pf"; + pha.pa_ruleset = NULL; + + pla.pa_version = PFIL_VERSION; #ifdef INET pha.pa_type = PFIL_TYPE_IP4; 
@@ -6156,15 +6192,25 @@ hook_pf(void) } static void -dehook_pf(void) +dehook_pf_eth(void) { - if (V_pf_pfil_hooked == 0) + if (V_pf_pfil_eth_hooked == 0) return; pfil_remove_hook(V_pf_eth_in_hook); pfil_remove_hook(V_pf_eth_out_hook); + V_pf_pfil_eth_hooked = 0; +} + +static void +dehook_pf(void) +{ + + if (V_pf_pfil_hooked == 0) + return; + #ifdef INET pfil_remove_hook(V_pf_ip4_in_hook); pfil_remove_hook(V_pf_ip4_out_hook); @@ -6231,6 +6277,7 @@ pf_unload_vnet(void) V_pf_vnet_active = 0; V_pf_status.running = 0; dehook_pf(); + dehook_pf_eth(); PF_RULES_WLOCK(); pf_syncookies_cleanup();
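Review bot: In the DIOCXCOMMIT hunk (the block after PF_RULES_WUNLOCK()), hook_pf_eth() is called whenever V_pf_keth->rules is non-empty, with no check of V_pf_status.running, whereas the DIOCSTART hunk only installs the Ethernet hooks after hook_pf() and the DIOCSTOP hunk explicitly calls dehook_pf_eth(). As written, committing a ruleset that contains ether rules while pf is stopped installs the Ethernet pfil hooks anyway, and a DIOCSTOP followed by a ruleset reload re-installs them. Suggest guarding with `if (V_pf_status.running && !TAILQ_EMPTY(&V_pf_keth->rules))`, or confirm that pf_eth_check_in()/pf_eth_check_out() already pass all traffic when pf is not running. Also, the comment "Only hook into EtherNet taffic" should read "Only hook into Ethernet traffic".

Review bot: In the hook_pf()/hook_pf_eth() split, the new hook_pf() declares plain `int ret;` while hook_pf_eth() keeps the original `int ret __diagused;`. If the IP hook registrations that follow only consume ret through MPASS(ret == 0), as the two eth hooks now do, ret becomes set-but-unused in kernels built without INVARIANTS and will warn; keep `__diagused` in both functions. Separately, `ret = pfil_link(&pla); MPASS(ret == 0);` asserts rather than handles a failure: in a non-INVARIANTS kernel a failed pfil_link() still leads to `V_pf_pfil_eth_hooked = 1`, so the hook is never linked, the flag claims it is, and Ethernet traffic passes unfiltered with no way to retry. Consider returning the error from hook_pf_eth() and leaving the flag clear on failure.

Review bot: The DIOCXCOMMIT hunk evaluates TAILQ_EMPTY(&V_pf_keth->rules) only after PF_RULES_WUNLOCK(), and the DIOCSTART hunk evaluates it without any visible rules lock. If pfioctl does not already serialise these two commands against each other, a commit racing with a start can leave the hook state out of step with the ruleset until the next commit; either take the empty check under the rules lock or note in a comment which lock makes the unlocked read safe.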