From owner-svn-src-all@FreeBSD.ORG Mon Aug 25 15:40:39 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 265727AF; Mon, 25 Aug 2014 15:40:39 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id EA13E395C; Mon, 25 Aug 2014 15:40:38 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s7PFechg066286; Mon, 25 Aug 2014 15:40:38 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s7PFec3t066282; Mon, 25 Aug 2014 15:40:38 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201408251540.s7PFec3t066282@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f 
From: Gleb Smirnoff Date: Mon, 25 Aug 2014 15:40:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r270574 - in stable/10/sys: net netpfil/pf X-SVN-Group: stable-10 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 25 Aug 2014 15:40:39 -0000 Author: glebius Date: Mon Aug 25 15:40:37 2014 New Revision: 270574 URL: http://svnweb.freebsd.org/changeset/base/270574 Log: Merge r269998 from head: - Count global pf(4) statistics in counter(9). - Do not count global number of states and of src_nodes, use uma_zone_get_cur() to obtain values. - Struct pf_status becomes merely an ioctl API structure, and moves to netpfil/pf/pf.h with its constants. - V_pf_status is now of type struct pf_kstatus. Submitted by: Kajetan Staszkiewicz Sponsored by: InnoGames GmbH Modified: stable/10/sys/net/pfvar.h stable/10/sys/netpfil/pf/pf.c stable/10/sys/netpfil/pf/pf.h stable/10/sys/netpfil/pf/pf_ioctl.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/net/pfvar.h ============================================================================== --- stable/10/sys/net/pfvar.h Mon Aug 25 15:15:59 2014 (r270573) +++ stable/10/sys/net/pfvar.h Mon Aug 25 15:40:37 2014 (r270574) 
@@ -1123,27 +1123,6 @@ struct pf_pdesc {
 #define PF_DPORT_RANGE 0x01 /* Dest port uses range */
 #define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */
 
-/* Counters for other things we want to keep track of */
-#define LCNT_STATES 0 /* states */
-#define LCNT_SRCSTATES 1 /* max-src-states */
-#define LCNT_SRCNODES 2 /* max-src-nodes */
-#define LCNT_SRCCONN 3 /* max-src-conn */
-#define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */
-#define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
-#define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
-#define LCNT_MAX 7 /* total+1 */
-
-#define LCNT_NAMES { \
- "max states per rule", \
- "max-src-states", \
- "max-src-nodes", \
- "max-src-conn", \
- "max-src-conn-rate", \
- "overload table insertion", \
- "overload flush states", \
- NULL \
-}
-
 /* UDP state enumeration */
 #define PFUDPS_NO_TRAFFIC 0
 #define PFUDPS_SINGLE 1
@@ -1172,16 +1151,6 @@ struct pf_pdesc {
 NULL \
 }
 
-#define FCNT_STATE_SEARCH 0
-#define FCNT_STATE_INSERT 1
-#define FCNT_STATE_REMOVALS 2
-#define FCNT_MAX 3
-
-#define SCNT_SRC_NODE_SEARCH 0
-#define SCNT_SRC_NODE_INSERT 1
-#define SCNT_SRC_NODE_REMOVALS 2
-#define SCNT_MAX 3
-
 #define ACTION_SET(a, x) \
 do { \
 if ((a) != NULL) \
@@ -1193,24 +1162,22 @@ struct pf_pdesc {
 if ((a) != NULL) \
 *(a) = (x); \
 if (x < PFRES_MAX) \
- V_pf_status.counters[x]++; \
+ counter_u64_add(V_pf_status.counters[x], 1); \
 } while (0)
 
-struct pf_status {
- u_int64_t counters[PFRES_MAX];
- u_int64_t lcounters[LCNT_MAX]; /* limit counters */
- u_int64_t fcounters[FCNT_MAX];
- u_int64_t scounters[SCNT_MAX];
- u_int64_t pcounters[2][2][3];
- u_int64_t bcounters[2][2];
- u_int32_t running;
- u_int32_t states;
- u_int32_t src_nodes;
- u_int32_t since;
- u_int32_t debug;
- u_int32_t hostid;
+struct pf_kstatus {
+ counter_u64_t counters[PFRES_MAX]; /* reason for passing/dropping */
+ counter_u64_t lcounters[LCNT_MAX]; /* limit counters */
+ counter_u64_t fcounters[FCNT_MAX]; /* state operation counters */
+ counter_u64_t scounters[SCNT_MAX]; /* src_node operation counters */
+ uint32_t states;
+ uint32_t src_nodes;
+ uint32_t running;
+ uint32_t since;
+ uint32_t debug;
+ uint32_t hostid;
 char ifname[IFNAMSIZ];
- u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
+ uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
 };
 
 struct pf_divert {
@@ -1706,8 +1673,8 @@ int pf_match_tag(struct mbuf *, struct
 int pf_tag_packet(struct mbuf *, struct pf_pdesc *, int);
 void pf_qid2qname(u_int32_t, char *);
 
-VNET_DECLARE(struct pf_status, pf_status);
-#define V_pf_status VNET(pf_status)
+VNET_DECLARE(struct pf_kstatus, pf_status);
+#define V_pf_status VNET(pf_status)
 
 struct pf_limit {
 uma_zone_t zone;
Modified: stable/10/sys/netpfil/pf/pf.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf.c Mon Aug 25 15:15:59 2014 (r270573)
+++ stable/10/sys/netpfil/pf/pf.c Mon Aug 25 15:40:37 2014 (r270574)
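Review bot: The new `struct pf_kstatus` keeps `states` and `src_nodes` as plain `uint32_t` fields, but after this change nothing bumps them on the packet path any more, so they are only as fresh as the last explicit refresh (this diff refreshes `src_nodes` from `uma_zone_get_cur()` in the src_node purge path; a matching refresh of `states` does not appear in any hunk shown here, so it either lives elsewhere or is missing). Readers such as DIOCGETSTATUS will therefore report a periodic snapshot rather than a live count, and the fields should say so: `uint32_t states; /* snapshot, refreshed periodically; not a live count */` and the same for `src_nodes`. The four `counter_u64_t` arrays are allocated in pfattach() and dereferenced unconditionally by the REASON_SET() macro just above, so a one-line comment on the struct that they must be allocated before any packet can reach pf would document that ordering requirement.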
@@ -109,7 +109,7 @@ VNET_DEFINE(struct pf_altqqueue, pf_alt
 VNET_DEFINE(struct pf_palist, pf_pabuf);
 VNET_DEFINE(struct pf_altqqueue *, pf_altqs_active);
 VNET_DEFINE(struct pf_altqqueue *, pf_altqs_inactive);
-VNET_DEFINE(struct pf_status, pf_status);
+VNET_DEFINE(struct pf_kstatus, pf_status);
 VNET_DEFINE(u_int32_t, ticket_altqs_active);
 VNET_DEFINE(u_int32_t, ticket_altqs_inactive);
 
@@ -470,13 +470,13 @@ pf_src_connlimit(struct pf_state **state
 if ((*state)->rule.ptr->max_src_conn &&
 (*state)->rule.ptr->max_src_conn <
 (*state)->src_node->conn) {
- V_pf_status.lcounters[LCNT_SRCCONN]++;
+ counter_u64_add(V_pf_status.lcounters[LCNT_SRCCONN], 1);
 bad++;
 }
 
 if ((*state)->rule.ptr->max_src_conn_rate.limit &&
 pf_check_threshold(&(*state)->src_node->conn_rate)) {
- V_pf_status.lcounters[LCNT_SRCCONNRATE]++;
+ counter_u64_add(V_pf_status.lcounters[LCNT_SRCCONNRATE], 1);
 bad++;
 }
 
@@ -524,7 +524,7 @@ pf_overload_task(void *v, int pending)
 
 bzero(&p, sizeof(p));
 SLIST_FOREACH(pfoe, &queue, next) {
- V_pf_status.lcounters[LCNT_OVERLOAD_TABLE]++;
+ counter_u64_add(V_pf_status.lcounters[LCNT_OVERLOAD_TABLE], 1);
 if (V_pf_status.debug >= PF_DEBUG_MISC) {
 printf("%s: blocking address ", __func__);
 pf_print_host(&pfoe->addr, 0, pfoe->af);
@@ -560,7 +560,8 @@ pf_overload_task(void *v, int pending)
 SLIST_REMOVE(&queue, pfoe, pf_overload_entry, next);
 free(pfoe, M_PFTEMP);
 } else
- V_pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++;
+ counter_u64_add(
+ V_pf_status.lcounters[LCNT_OVERLOAD_FLUSH], 1);
 
 /* If nothing to flush, return. */
 if (SLIST_EMPTY(&queue)) {
@@ -610,7 +611,7 @@ pf_find_src_node(struct pf_addr *src, st
 struct pf_srchash *sh;
 struct pf_src_node *n;
 
- V_pf_status.scounters[SCNT_SRC_NODE_SEARCH]++;
+ counter_u64_add(V_pf_status.scounters[SCNT_SRC_NODE_SEARCH], 1);
 
 sh = &V_pf_srchash[pf_hashsrc(src, af)];
 PF_HASHROW_LOCK(sh);
@@ -646,7 +647,8 @@ pf_insert_src_node(struct pf_src_node **
 counter_u64_fetch(rule->src_nodes) < rule->max_src_nodes)
 (*sn) = uma_zalloc(V_pf_sources_z, M_NOWAIT | M_ZERO);
 else
- V_pf_status.lcounters[LCNT_SRCNODES]++;
+ counter_u64_add(V_pf_status.lcounters[LCNT_SRCNODES],
+ 1);
 if ((*sn) == NULL) {
 PF_HASHROW_UNLOCK(sh);
 return (-1);
@@ -665,12 +667,12 @@ pf_insert_src_node(struct pf_src_node **
 if ((*sn)->rule.ptr != NULL)
 counter_u64_add((*sn)->rule.ptr->src_nodes, 1);
 PF_HASHROW_UNLOCK(sh);
- V_pf_status.scounters[SCNT_SRC_NODE_INSERT]++;
- V_pf_status.src_nodes++;
+ counter_u64_add(V_pf_status.scounters[SCNT_SRC_NODE_INSERT], 1);
 } else {
 if (rule->max_src_states &&
 (*sn)->states >= rule->max_src_states) {
- V_pf_status.lcounters[LCNT_SRCSTATES]++;
+ counter_u64_add(V_pf_status.lcounters[LCNT_SRCSTATES],
+ 1);
 return (-1);
 }
 }
@@ -689,8 +691,7 @@ pf_unlink_src_node_locked(struct pf_src_
 LIST_REMOVE(src, entry);
 if (src->rule.ptr)
 counter_u64_add(src->rule.ptr->src_nodes, -1);
- V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS]++;
- V_pf_status.src_nodes--;
+ counter_u64_add(V_pf_status.scounters[SCNT_SRC_NODE_REMOVALS], 1);
 }
 
 void
@@ -1206,7 +1207,7 @@ pf_state_insert(struct pfi_kif *kif, str
 /* One for keys, one for ID hash. */
 refcount_init(&s->refs, 2);
 
- V_pf_status.fcounters[FCNT_STATE_INSERT]++;
+ counter_u64_add(V_pf_status.fcounters[FCNT_STATE_INSERT], 1);
 if (pfsync_insert_state_ptr != NULL)
 pfsync_insert_state_ptr(s);
 
@@ -1223,7 +1224,7 @@ pf_find_state_byid(uint64_t id, uint32_t
 struct pf_idhash *ih;
 struct pf_state *s;
 
- V_pf_status.fcounters[FCNT_STATE_SEARCH]++;
+ counter_u64_add(V_pf_status.fcounters[FCNT_STATE_SEARCH], 1);
 
 ih = &V_pf_idhash[(be64toh(id) % (V_pf_hashmask + 1))];
 
@@ -1250,7 +1251,7 @@ pf_find_state(struct pfi_kif *kif, struc
 struct pf_state *s;
 int idx;
 
- V_pf_status.fcounters[FCNT_STATE_SEARCH]++;
+ counter_u64_add(V_pf_status.fcounters[FCNT_STATE_SEARCH], 1);
 
 kh = &V_pf_keyhash[pf_hashkey((struct pf_state_key *)key)];
 
@@ -1294,7 +1295,7 @@ pf_find_state_all(struct pf_state_key_cm
 struct pf_state *s, *ret = NULL;
 int idx, inout = 0;
 
- V_pf_status.fcounters[FCNT_STATE_SEARCH]++;
+ counter_u64_add(V_pf_status.fcounters[FCNT_STATE_SEARCH], 1);
 
 kh = &V_pf_keyhash[pf_hashkey((struct pf_state_key *)key)];
 
@@ -1522,6 +1523,8 @@ pf_purge_expired_src_nodes()
 }
 
 pf_free_src_nodes(&freelist);
+
+ V_pf_status.src_nodes = uma_zone_get_cur(V_pf_sources_z);
 }
 
 static void
@@ -1616,7 +1619,7 @@ pf_free_state(struct pf_state *cur)
 pf_normalize_tcp_cleanup(cur);
 uma_zfree(V_pf_state_z, cur);
 
- V_pf_status.fcounters[FCNT_STATE_REMOVALS]++;
+ counter_u64_add(V_pf_status.fcounters[FCNT_STATE_REMOVALS], 1);
 }
 
 /*
@@ -3457,7 +3460,7 @@ pf_create_state(struct pf_rule *r, struc
 /* check maximums */
 if (r->max_states &&
 (counter_u64_fetch(r->states_cur) >= r->max_states)) {
- V_pf_status.lcounters[LCNT_STATES]++;
+ counter_u64_add(V_pf_status.lcounters[LCNT_STATES], 1);
 REASON_SET(&reason, PFRES_MAXSTATES);
 return (PF_DROP);
 }
Modified: stable/10/sys/netpfil/pf/pf.h
==============================================================================
--- stable/10/sys/netpfil/pf/pf.h Mon Aug 25 15:15:59 2014 (r270573)
+++ stable/10/sys/netpfil/pf/pf.h Mon Aug 25 15:40:37 2014 (r270574)
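Review bot: In pf_purge_expired_src_nodes() the added `V_pf_status.src_nodes = uma_zone_get_cur(V_pf_sources_z);` is the only writer of the global src_node count left in this diff now that the `++`/`--` in pf_insert_src_node() and pf_unlink_src_node_locked() are gone, and it runs without the PF_RULES lock that DIOCGETSTATUS holds while reading the field, so the exported value is a periodic snapshot that can lag the zone by a full purge interval. Since the field is a 32-bit scalar the likely worst case is a stale rather than a torn read, but that contract is invisible at the read sites and deserves a comment here: `/* Export a snapshot; this is the only place src_nodes is refreshed, so DIOCGETSTATUS may lag by one purge run. */`. uma_zone_get_cur() returns `int` and is narrowed into `uint32_t` implicitly; a `(uint32_t)` cast would make that intentional. The function starts before this hunk.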
@@ -146,7 +146,57 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE
 NULL \
 }
 
+/* Counters for other things we want to keep track of */
+#define LCNT_STATES 0 /* states */
+#define LCNT_SRCSTATES 1 /* max-src-states */
+#define LCNT_SRCNODES 2 /* max-src-nodes */
+#define LCNT_SRCCONN 3 /* max-src-conn */
+#define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */
+#define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
+#define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
+#define LCNT_MAX 7 /* total+1 */
+
+#define LCNT_NAMES { \
+ "max states per rule", \
+ "max-src-states", \
+ "max-src-nodes", \
+ "max-src-conn", \
+ "max-src-conn-rate", \
+ "overload table insertion", \
+ "overload flush states", \
+ NULL \
+}
+
+/* state operation counters */
+#define FCNT_STATE_SEARCH 0
+#define FCNT_STATE_INSERT 1
+#define FCNT_STATE_REMOVALS 2
+#define FCNT_MAX 3
+
+/* src_node operation counters */
+#define SCNT_SRC_NODE_SEARCH 0
+#define SCNT_SRC_NODE_INSERT 1
+#define SCNT_SRC_NODE_REMOVALS 2
+#define SCNT_MAX 3
+
 #define PF_TABLE_NAME_SIZE 32
 #define PF_QNAME_SIZE 64
 
+struct pf_status {
+ uint64_t counters[PFRES_MAX];
+ uint64_t lcounters[LCNT_MAX];
+ uint64_t fcounters[FCNT_MAX];
+ uint64_t scounters[SCNT_MAX];
+ uint64_t pcounters[2][2][3];
+ uint64_t bcounters[2][2];
+ uint32_t running;
+ uint32_t states;
+ uint32_t src_nodes;
+ uint32_t since;
+ uint32_t debug;
+ uint32_t hostid;
+ char ifname[IFNAMSIZ];
+ uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
+};
+
 #endif /* _NET_PF_H_ */
Modified: stable/10/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- stable/10/sys/netpfil/pf/pf_ioctl.c Mon Aug 25 15:15:59 2014 (r270573)
+++ stable/10/sys/netpfil/pf/pf_ioctl.c Mon Aug 25 15:40:37 2014 (r270574)
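Review bot: `struct pf_status` is now, per the commit log, purely the DIOCGETSTATUS ioctl structure shared with userland, so its layout is ABI, yet the hunk adds it to pf.h with no marker saying so; suggested comment above the struct: `/* Exported to userland via DIOCGETSTATUS: layout is ABI, append only, never reorder or resize fields. */`. The struct uses IFNAMSIZ and PF_MD5_DIGEST_LENGTH, and the top of pf.h is outside this hunk, so please confirm the header still compiles when included on its own (previously the struct lived in pfvar.h, which may have supplied those names). LCNT_NAMES is indexed by the LCNT_* values directly above it; a one-liner such as `/* keep in sync with LCNT_* above */` on the macro would stop the two from drifting when a counter is added.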
@@ -261,6 +261,15 @@ pfattach(void)
 /* XXX do our best to avoid a conflict */
 V_pf_status.hostid = arc4random();
 
+ for (int i = 0; i < PFRES_MAX; i++)
+ V_pf_status.counters[i] = counter_u64_alloc(M_WAITOK);
+ for (int i = 0; i < LCNT_MAX; i++)
+ V_pf_status.lcounters[i] = counter_u64_alloc(M_WAITOK);
+ for (int i = 0; i < FCNT_MAX; i++)
+ V_pf_status.fcounters[i] = counter_u64_alloc(M_WAITOK);
+ for (int i = 0; i < SCNT_MAX; i++)
+ V_pf_status.scounters[i] = counter_u64_alloc(M_WAITOK);
+
 if ((error = kproc_create(pf_purge_thread, curvnet, NULL, 0, 0,
 "pf purge")) != 0)
 /* XXXGL: leaked all above. */
@@ -1781,8 +1790,32 @@ DIOCGETSTATES_full:
 case DIOCGETSTATUS: {
 struct pf_status *s = (struct pf_status *)addr;
+
 PF_RULES_RLOCK();
- bcopy(&V_pf_status, s, sizeof(struct pf_status));
+ s->running = V_pf_status.running;
+ s->since = V_pf_status.since;
+ s->debug = V_pf_status.debug;
+ s->hostid = V_pf_status.hostid;
+ s->states = V_pf_status.states;
+ s->src_nodes = V_pf_status.src_nodes;
+
+ for (int i = 0; i < PFRES_MAX; i++)
+ s->counters[i] =
+ counter_u64_fetch(V_pf_status.counters[i]);
+ for (int i = 0; i < LCNT_MAX; i++)
+ s->lcounters[i] =
+ counter_u64_fetch(V_pf_status.lcounters[i]);
+ for (int i = 0; i < FCNT_MAX; i++)
+ s->fcounters[i] =
+ counter_u64_fetch(V_pf_status.fcounters[i]);
+ for (int i = 0; i < SCNT_MAX; i++)
+ s->scounters[i] =
+ counter_u64_fetch(V_pf_status.scounters[i]);
+
+ bcopy(V_pf_status.ifname, s->ifname, IFNAMSIZ);
+ bcopy(V_pf_status.pf_chksum, s->pf_chksum,
+ PF_MD5_DIGEST_LENGTH);
+
 pfi_update_status(s->ifname, s);
 PF_RULES_RUNLOCK();
 break;
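Review bot: In the DIOCGETSTATUS hunk the field-by-field copy never writes `s->pcounters` or `s->bcounters`, which the old whole-struct `bcopy()` did, so the only remaining writer is the `pfi_update_status(s->ifname, s)` call whose body is outside this diff. If DIOCGETSTATUS is a read-write ioctl, the buffer at `addr` holds whatever the caller copied in rather than zeros, and on any path where pfi_update_status() does not fill both arrays (an empty ifname, say) userland gets its own input echoed back as statistics; zeroing them here, `bzero(s->pcounters, sizeof(s->pcounters)); bzero(s->bcounters, sizeof(s->bcounters));`, makes the result independent of that helper. `s->states` and `s->src_nodes` are copied from fields this change turns into periodic snapshots, so a short comment that they are not live counts would save the next reader a trip through pf.c. In the pfattach() hunk the four new counter arrays are allocated with M_WAITOK ahead of the kproc_create() whose failure path already carries `/* XXXGL: leaked all above. */`; the new allocations join that leak, so either free them on that path or extend the comment to name them.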
@@ -1803,9 +1836,12 @@ DIOCGETSTATES_full:
 case DIOCCLRSTATUS: {
 PF_RULES_WLOCK();
- bzero(V_pf_status.counters, sizeof(V_pf_status.counters));
- bzero(V_pf_status.fcounters, sizeof(V_pf_status.fcounters));
- bzero(V_pf_status.scounters, sizeof(V_pf_status.scounters));
+ for (int i = 0; i < PFRES_MAX; i++)
+ counter_u64_zero(V_pf_status.counters[i]);
+ for (int i = 0; i < FCNT_MAX; i++)
+ counter_u64_zero(V_pf_status.fcounters[i]);
+ for (int i = 0; i < SCNT_MAX; i++)
+ counter_u64_zero(V_pf_status.scounters[i]);
 V_pf_status.since = time_second;
 if (*V_pf_status.ifname)
 pfi_update_status(V_pf_status.ifname, NULL);
@@ -3151,7 +3187,6 @@ DIOCCHANGEADDR_error:
 
 pf_clear_srcnodes(NULL);
 pf_purge_expired_src_nodes();
- V_pf_status.src_nodes = 0;
 break;
 }
 
@@ -3449,6 +3484,15 @@ shutdown_pf(void)
 counter_u64_free(V_pf_default_rule.states_tot);
 counter_u64_free(V_pf_default_rule.src_nodes);
 
+ for (int i = 0; i < PFRES_MAX; i++)
+ counter_u64_free(V_pf_status.counters[i]);
+ for (int i = 0; i < LCNT_MAX; i++)
+ counter_u64_free(V_pf_status.lcounters[i]);
+ for (int i = 0; i < FCNT_MAX; i++)
+ counter_u64_free(V_pf_status.fcounters[i]);
+ for (int i = 0; i < SCNT_MAX; i++)
+ counter_u64_free(V_pf_status.scounters[i]);
+
 do {
 if ((error = pf_begin_rules(&t[0], PF_RULESET_SCRUB,
 &nn)) != 0) {
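Review bot: In the shutdown_pf() hunk the four loops free the status counters but leave the freed pointers in `V_pf_status`, so any later `counter_u64_add()` from REASON_SET() or a DIOCGETSTATUS/DIOCCLRSTATUS issued after this point would be a use-after-free; whether that window exists depends on where shutdown_pf() runs relative to the pfil unhook and the ioctl path, which is outside this hunk, so please confirm the ordering. Clearing each slot after the free, e.g. `counter_u64_free(V_pf_status.counters[i]); V_pf_status.counters[i] = NULL;` in each loop, at least turns a silent UAF into a deterministic fault. Separately, DIOCCLRSTATUS zeroes counters, fcounters and scounters but not lcounters, which mirrors the old bzero() set; if that is deliberate a comment on the case (`/* lcounters are intentionally not reset */`) would keep it from reading as an omission now that all four arrays are handled the same way everywhere else in this commit. shutdown_pf() begins outside the hunk.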