Date: Wed, 11 Aug 2021 15:22:47 GMT From: Mateusz Guzik <mjg@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: bf60d2826768 - stable/13 - pf: batch critical section for several counters Message-ID: <202108111522.17BFMlbY064393@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/13 has been updated by mjg: URL: https://cgit.FreeBSD.org/src/commit/?id=bf60d2826768ca4ab125ba770b14b04d303dea2f commit bf60d2826768ca4ab125ba770b14b04d303dea2f Author: Mateusz Guzik <mjg@FreeBSD.org> AuthorDate: 2021-07-24 07:47:40 +0000 Commit: Mateusz Guzik <mjg@FreeBSD.org> CommitDate: 2021-08-11 13:37:56 +0000 pf: batch critical section for several counters Reviewed by: kp Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 87c010e6e364e96e2c1546b3c2bbcbef1dcd422f) --- sys/netpfil/pf/pf.c | 48 +++++++++++++++++++++++++++-------------------- sys/netpfil/pf/pf_ioctl.c | 12 +++++++----- sys/netpfil/pf/pf_norm.c | 18 ++++++++++++------ 3 files changed, 47 insertions(+), 31 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 6e154b620a80..633346eee21c 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -3755,8 +3755,10 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction, rtableid = r->rtableid; if (r->anchor == NULL) { if (r->action == PF_MATCH) { - pf_counter_u64_add(&r->packets[direction == PF_OUT], 1); - pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len); + pf_counter_u64_critical_enter(); + pf_counter_u64_add_protected(&r->packets[direction == PF_OUT], 1); + pf_counter_u64_add_protected(&r->bytes[direction == PF_OUT], pd->tot_len); + pf_counter_u64_critical_exit(); pf_rule_to_actions(r, &pd->act); if (r->log) PFLOG_PACKET(kif, m, af, @@ -4169,8 +4171,10 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif, else { if (r->anchor == NULL) { if (r->action == PF_MATCH) { - pf_counter_u64_add(&r->packets[direction == PF_OUT], 1); - pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len); + pf_counter_u64_critical_enter(); + pf_counter_u64_add_protected(&r->packets[direction == PF_OUT], 1); + pf_counter_u64_add_protected(&r->bytes[direction == PF_OUT], pd->tot_len); + pf_counter_u64_critical_exit(); pf_rule_to_actions(r, &pd->act); if (r->log) PFLOG_PACKET(kif, m, af, @@ -6468,24 +6472,25 @@ done: (s == NULL)); } - pf_counter_u64_add(&kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS], + pf_counter_u64_critical_enter(); + pf_counter_u64_add_protected(&kif->pfik_bytes[0][dir == PF_OUT][action != PF_PASS], pd.tot_len); - pf_counter_u64_add(&kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS], + pf_counter_u64_add_protected(&kif->pfik_packets[0][dir == PF_OUT][action != PF_PASS], 1); if (action == PF_PASS || r->action == PF_DROP) { dirndx = (dir == PF_OUT); - pf_counter_u64_add(&r->packets[dirndx], 1); - pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len); + pf_counter_u64_add_protected(&r->packets[dirndx], 1); + pf_counter_u64_add_protected(&r->bytes[dirndx], pd.tot_len); if (a != NULL) { - pf_counter_u64_add(&a->packets[dirndx], 1); - pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len); + pf_counter_u64_add_protected(&a->packets[dirndx], 1); + pf_counter_u64_add_protected(&a->bytes[dirndx], pd.tot_len); } if (s != NULL) { if (s->nat_rule.ptr != NULL) { - pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx], + pf_counter_u64_add_protected(&s->nat_rule.ptr->packets[dirndx], 1); - pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx], + pf_counter_u64_add_protected(&s->nat_rule.ptr->bytes[dirndx], pd.tot_len); } if (s->src_node != NULL) { @@ -6523,6 +6528,7 @@ done: pd.af, pd.tot_len, dir == PF_OUT, r->action == PF_PASS, tr->dst.neg); } + pf_counter_u64_critical_exit(); switch (action) { case PF_SYNPROXY_DROP: @@ -6873,24 +6879,25 @@ done: &pd, (s == NULL)); } - pf_counter_u64_add(&kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS], + pf_counter_u64_critical_enter(); + pf_counter_u64_add_protected(&kif->pfik_bytes[1][dir == PF_OUT][action != PF_PASS], pd.tot_len); - pf_counter_u64_add(&kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS], + pf_counter_u64_add_protected(&kif->pfik_packets[1][dir == PF_OUT][action != PF_PASS], 1); if (action == PF_PASS || r->action == PF_DROP) { dirndx = (dir == PF_OUT); - pf_counter_u64_add(&r->packets[dirndx], 1); - pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len); + pf_counter_u64_add_protected(&r->packets[dirndx], 1); + pf_counter_u64_add_protected(&r->bytes[dirndx], pd.tot_len); if (a != NULL) { - pf_counter_u64_add(&a->packets[dirndx], 1); - pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len); + pf_counter_u64_add_protected(&a->packets[dirndx], 1); + pf_counter_u64_add_protected(&a->bytes[dirndx], pd.tot_len); } if (s != NULL) { if (s->nat_rule.ptr != NULL) { - pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx], + pf_counter_u64_add_protected(&s->nat_rule.ptr->packets[dirndx], 1); - pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx], + pf_counter_u64_add_protected(&s->nat_rule.ptr->bytes[dirndx], pd.tot_len); } if (s->src_node != NULL) { @@ -6926,6 +6933,7 @@ done: pd.af, pd.tot_len, dir == PF_OUT, r->action == PF_PASS, tr->dst.neg); } + pf_counter_u64_critical_exit(); switch (action) { case PF_SYNPROXY_DROP: diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 7fece0facde6..ebb30604ebf1 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -1134,16 +1134,18 @@ pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor) while ((tail != NULL) && ! pf_krule_compare(tail, rule)) tail = TAILQ_NEXT(tail, entries); if (tail != NULL) { - pf_counter_u64_add(&rule->evaluations, + pf_counter_u64_critical_enter(); + pf_counter_u64_add_protected(&rule->evaluations, pf_counter_u64_fetch(&tail->evaluations)); - pf_counter_u64_add(&rule->packets[0], + pf_counter_u64_add_protected(&rule->packets[0], pf_counter_u64_fetch(&tail->packets[0])); - pf_counter_u64_add(&rule->packets[1], + pf_counter_u64_add_protected(&rule->packets[1], pf_counter_u64_fetch(&tail->packets[1])); - pf_counter_u64_add(&rule->bytes[0], + pf_counter_u64_add_protected(&rule->bytes[0], pf_counter_u64_fetch(&tail->bytes[0])); - pf_counter_u64_add(&rule->bytes[1], + pf_counter_u64_add_protected(&rule->bytes[1], pf_counter_u64_fetch(&tail->bytes[1])); + pf_counter_u64_critical_exit(); } } } diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index 388e2bca77b6..e9674d21ec5a 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -1066,8 +1066,10 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason if (r == NULL || r->action == PF_NOSCRUB) return (PF_PASS); - pf_counter_u64_add(&r->packets[dir == PF_OUT], 1); - pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_critical_enter(); + pf_counter_u64_add_protected(&r->packets[dir == PF_OUT], 1); + pf_counter_u64_add_protected(&r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_critical_exit(); /* Check for illegal packets */ if (hlen < (int)sizeof(struct ip)) { @@ -1207,8 +1209,10 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif, if (r == NULL || r->action == PF_NOSCRUB) return (PF_PASS); - pf_counter_u64_add(&r->packets[dir == PF_OUT], 1); - pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_critical_enter(); + pf_counter_u64_add_protected(&r->packets[dir == PF_OUT], 1); + pf_counter_u64_add_protected(&r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_critical_exit(); /* Check for illegal packets */ if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len) @@ -1368,8 +1372,10 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff, if (rm == NULL || rm->action == PF_NOSCRUB) return (PF_PASS); - pf_counter_u64_add(&r->packets[dir == PF_OUT], 1); - pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_critical_enter(); + pf_counter_u64_add_protected(&r->packets[dir == PF_OUT], 1); + pf_counter_u64_add_protected(&r->bytes[dir == PF_OUT], pd->tot_len); + pf_counter_u64_critical_exit(); if (rm->rule_flag & PFRULE_REASSEMBLE_TCP) pd->flags |= PFDESC_TCP_NORM;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202108111522.17BFMlbY064393>