Date: Wed, 16 Jul 2025 11:57:38 GMT
Message-Id: <202507161157.56GBvc6S047479@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: d00f66feaa17 - main - pf: delay taking the rules lock in pf_test()
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: d00f66feaa174de17f7df3647028d80c018a2fcc
Auto-Submitted: auto-generated

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=d00f66feaa174de17f7df3647028d80c018a2fcc

commit d00f66feaa174de17f7df3647028d80c018a2fcc
Author:     Kristof Provost
AuthorDate: 2025-07-13 14:04:19 +0000
Commit:     Kristof Provost
CommitDate: 2025-07-16 11:33:51 +0000

    pf: delay taking the rules lock in pf_test()

    We don't need the rules lock to protect the mbuf, or even the kif. If an
    interface is removed (which is the only way for a kif to go away) we're
    not going to receive traffic on it.

    We can't delay taking the lock more, because pf_setup_pdesc() calls the
    normalisation code, which iterates the scrub rules. If we ever get rid
    of those (as OpenBSD has) it should be possible to delay taking the
    rules lock until we actually need to iterate over the rules. That is, we
    might be able to avoid taking it at all if we match an existing state.

    Reviewed by:    glebius
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D51329

--- sys/netpfil/pf/pf.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 264830fcf534..ad42f1cccd33 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c 
@@ -10064,6 +10064,8 @@ pf_setup_pdesc(sa_family_t af, int dir, struct pf_pdesc *pd, struct mbuf **m0, pd->didx = (dir == PF_IN) ? 1 : 0; pd->af = pd->naf = af; + PF_RULES_ASSERT(); + TAILQ_INIT(&pd->sctp_multihome_jobs); if (default_actions != NULL) memcpy(&pd->act, default_actions, sizeof(pd->act)); @@ -10477,35 +10479,30 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 PF_RULES_RLOCK_TRACKER; KASSERT(dir == PF_IN || dir == PF_OUT, ("%s: bad direction %d\n", __func__, dir)); M_ASSERTPKTHDR(*m0); + NET_EPOCH_ASSERT(); if (!V_pf_status.running) return (PF_PASS); - PF_RULES_RLOCK(); - kif = (struct pfi_kkif *)ifp->if_pf_kif; if (__predict_false(kif == NULL)) { DPFPRINTF(PF_DEBUG_URGENT, ("%s: kif == NULL, if_xname %s\n", __func__, ifp->if_xname)); - PF_RULES_RUNLOCK(); return (PF_DROP); } if (kif->pfik_flags & PFI_IFLAG_SKIP) { - PF_RULES_RUNLOCK(); return (PF_PASS); } if ((*m0)->m_flags & M_SKIP_FIREWALL) { - PF_RULES_RUNLOCK(); return (PF_PASS); } if (__predict_false(! M_WRITABLE(*m0))) { *m0 = m_unshare(*m0, M_NOWAIT); if (*m0 == NULL) { - PF_RULES_RUNLOCK(); return (PF_DROP); } } @@ -10518,12 +10515,10 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 ifp = ifnet_byindexgen(pd.pf_mtag->if_index, pd.pf_mtag->if_idxgen); if (ifp == NULL || ifp->if_flags & IFF_DYING) { - PF_RULES_RUNLOCK(); m_freem(*m0); *m0 = NULL; return (PF_PASS); } - PF_RULES_RUNLOCK(); (ifp->if_output)(ifp, *m0, sintosa(&pd.pf_mtag->dst), NULL); *m0 = NULL; return (PF_PASS); @@ -10538,11 +10533,12 @@ pf_test(sa_family_t af, int dir, int pflags, struct ifnet *ifp, struct mbuf **m0 /* But only once. We may see the packet multiple times (e.g. * PFIL_IN/PFIL_OUT). */ pf_dummynet_flag_remove(pd.m, pd.pf_mtag); - PF_RULES_RUNLOCK(); return (PF_PASS); } + PF_RULES_RLOCK(); + if (pf_setup_pdesc(af, dir, &pd, m0, &action, &reason, kif, default_actions) == -1) { if (action != PF_PASS)
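Review bot: In the first hunk (pf_setup_pdesc(), @@ -10064), the new PF_RULES_ASSERT() has no comment saying why the rules lock is required at this point. The commit message gives the reason (the normalisation code called from here iterates the scrub rules); a one-line comment above the assertion would keep that next to the code, so that whoever later removes the scrub rules knows the assertion and the lock placement in pf_test() can be revisited. The assertion also sits between the pd->af assignment and TAILQ_INIT(); grouping it with the function's other entry checks would make the locking contract easier to spot.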
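Review bot: In the second hunk (pf_test(), @@ -10477), the test `kif->pfik_flags & PFI_IFLAG_SKIP` is now evaluated without the rules lock, and the commit message only argues for the lifetime of the kif, not for a concurrent update of its flags. Please confirm that a stale read of pfik_flags here is acceptable and say so in a comment, or state which mechanism orders the read against writers. The added NET_EPOCH_ASSERT() is the right companion to dropping the lock from this section; a short comment noting that the kif dereference now relies on the network epoch rather than the rules lock would document the new assumption.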
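Review bot: In the last hunk (pf_test(), @@ -10538), PF_RULES_RLOCK() now sits directly before pf_setup_pdesc(), but nothing marks the code above it as a lockless section. A comment on the moved lock, stating that everything before it runs without the rules lock and must not touch rules or rulesets, would stop a later change from adding such an access to one of the early-return paths. The failure branch of the `pf_setup_pdesc(...) == -1` check is cut off in the visible context, so it is worth double-checking that it and every exit after this point still reach PF_RULES_RUNLOCK(), since this is now the only place the lock is taken.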