git: 02cf67ccf653 - main - pf: switch rule counters to pf_counter_u64
Mateusz Guzik
mjg at FreeBSD.org
Sun Jul 25 08:25:02 UTC 2021
The branch main has been updated by mjg:
URL: https://cgit.FreeBSD.org/src/commit/?id=02cf67ccf6538b14677672640e405f7f94044dc3
commit 02cf67ccf6538b14677672640e405f7f94044dc3
Author: Mateusz Guzik <mjg at FreeBSD.org>
AuthorDate: 2021-07-22 14:45:14 +0000
Commit: Mateusz Guzik <mjg at FreeBSD.org>
CommitDate: 2021-07-25 08:22:17 +0000
pf: switch rule counters to pf_counter_u64
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/net/pfvar.h | 19 ++++++-
sys/netpfil/pf/pf.c | 80 +++++++++++++++++++++------
sys/netpfil/pf/pf_ioctl.c | 137 +++++++++++++++++++++++++++++++---------------
sys/netpfil/pf/pf_lb.c | 2 +-
sys/netpfil/pf/pf_norm.c | 18 +++---
sys/netpfil/pf/pf_nv.c | 8 +--
sys/netpfil/pf/pf_nv.h | 2 +-
7 files changed, 185 insertions(+), 81 deletions(-)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 7895ea84cf46..e13b3b61c1a3 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -586,9 +586,9 @@ struct pf_krule {
TAILQ_ENTRY(pf_krule) entries;
struct pf_kpool rpool;
- counter_u64_t evaluations;
- counter_u64_t packets[2];
- counter_u64_t bytes[2];
+ struct pf_counter_u64 evaluations;
+ struct pf_counter_u64 packets[2];
+ struct pf_counter_u64 bytes[2];
struct pfi_kkif *kif;
struct pf_kanchor *anchor;
@@ -662,6 +662,11 @@ struct pf_krule {
struct pf_addr addr;
u_int16_t port;
} divert;
+
+#ifdef PF_WANT_32_TO_64_COUNTER
+ LIST_ENTRY(pf_krule) allrulelist;
+ bool allrulelinked;
+#endif
};
struct pf_ksrc_node {
@@ -1862,6 +1867,14 @@ VNET_DECLARE(size_t, pf_allkifcount);
#define V_pf_allkifcount VNET(pf_allkifcount)
VNET_DECLARE(struct pfi_kkif *, pf_kifmarker);
#define V_pf_kifmarker VNET(pf_kifmarker)
+
+LIST_HEAD(allrulelist_head, pf_krule);
+VNET_DECLARE(struct allrulelist_head, pf_allrulelist);
+#define V_pf_allrulelist VNET(pf_allrulelist)
+VNET_DECLARE(size_t, pf_allrulecount);
+#define V_pf_allrulecount VNET(pf_allrulecount)
+VNET_DECLARE(struct pf_krule *, pf_rulemarker);
+#define V_pf_rulemarker VNET(pf_rulemarker)
#endif
void pf_initialize(void);
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index c41566f808b6..7eb2b5e669ca 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -157,6 +157,10 @@ VNET_DEFINE_STATIC(uint32_t, pf_purge_idx);
#ifdef PF_WANT_32_TO_64_COUNTER
VNET_DEFINE_STATIC(uint32_t, pf_counter_periodic_iter);
#define V_pf_counter_periodic_iter VNET(pf_counter_periodic_iter)
+
+VNET_DEFINE(struct allrulelist_head, pf_allrulelist);
+VNET_DEFINE(size_t, pf_allrulecount);
+VNET_DEFINE(struct pf_krule *, pf_rulemarker);
#endif
/*
@@ -1574,6 +1578,45 @@ pf_kif_counter_u64_periodic(void)
}
}
+static void
+pf_rule_counter_u64_periodic(void)
+{
+ struct pf_krule *rule;
+ size_t r, run;
+
+ PF_RULES_RASSERT();
+
+ if (__predict_false(V_pf_allrulecount == 0)) {
+ return;
+ }
+
+ if ((V_pf_counter_periodic_iter % (pf_purge_thread_period * 10 * 300)) != 0) {
+ return;
+ }
+
+ run = V_pf_allrulecount / 10;
+ if (run < 5)
+ run = 5;
+
+ for (r = 0; r < run; r++) {
+ rule = LIST_NEXT(V_pf_rulemarker, allrulelist);
+ if (rule == NULL) {
+ LIST_REMOVE(V_pf_rulemarker, allrulelist);
+ LIST_INSERT_HEAD(&V_pf_allrulelist, V_pf_rulemarker, allrulelist);
+ break;
+ }
+
+ LIST_REMOVE(V_pf_rulemarker, allrulelist);
+ LIST_INSERT_AFTER(rule, V_pf_rulemarker, allrulelist);
+
+ pf_counter_u64_periodic(&rule->evaluations);
+ for (int i = 0; i < 2; i++) {
+ pf_counter_u64_periodic(&rule->packets[i]);
+ pf_counter_u64_periodic(&rule->bytes[i]);
+ }
+ }
+}
+
static void
pf_counter_u64_periodic_main(void)
{
@@ -1585,6 +1628,7 @@ pf_counter_u64_periodic_main(void)
pf_counter_u64_critical_enter();
pf_status_counter_u64_periodic();
pf_kif_counter_u64_periodic();
+ pf_rule_counter_u64_periodic();
pf_counter_u64_critical_exit();
PF_RULES_RUNLOCK();
}
@@ -3663,7 +3707,7 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
}
while (r != NULL) {
- counter_u64_add(r->evaluations, 1);
+ pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
@@ -3732,8 +3776,8 @@ pf_test_rule(struct pf_krule **rm, struct pf_kstate **sm, int direction,
rtableid = r->rtableid;
if (r->anchor == NULL) {
if (r->action == PF_MATCH) {
- counter_u64_add(r->packets[direction == PF_OUT], 1);
- counter_u64_add(r->bytes[direction == PF_OUT], pd->tot_len);
+ pf_counter_u64_add(&r->packets[direction == PF_OUT], 1);
+ pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len);
pf_rule_to_actions(r, &pd->act);
if (r->log)
PFLOG_PACKET(kif, m, af,
@@ -4105,7 +4149,7 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_FILTER].active.ptr);
while (r != NULL) {
- counter_u64_add(r->evaluations, 1);
+ pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
@@ -4146,8 +4190,8 @@ pf_test_fragment(struct pf_krule **rm, int direction, struct pfi_kkif *kif,
else {
if (r->anchor == NULL) {
if (r->action == PF_MATCH) {
- counter_u64_add(r->packets[direction == PF_OUT], 1);
- counter_u64_add(r->bytes[direction == PF_OUT], pd->tot_len);
+ pf_counter_u64_add(&r->packets[direction == PF_OUT], 1);
+ pf_counter_u64_add(&r->bytes[direction == PF_OUT], pd->tot_len);
pf_rule_to_actions(r, &pd->act);
if (r->log)
PFLOG_PACKET(kif, m, af,
@@ -6452,17 +6496,17 @@ done:
if (action == PF_PASS || r->action == PF_DROP) {
dirndx = (dir == PF_OUT);
- counter_u64_add(r->packets[dirndx], 1);
- counter_u64_add(r->bytes[dirndx], pd.tot_len);
+ pf_counter_u64_add(&r->packets[dirndx], 1);
+ pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len);
if (a != NULL) {
- counter_u64_add(a->packets[dirndx], 1);
- counter_u64_add(a->bytes[dirndx], pd.tot_len);
+ pf_counter_u64_add(&a->packets[dirndx], 1);
+ pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len);
}
if (s != NULL) {
if (s->nat_rule.ptr != NULL) {
- counter_u64_add(s->nat_rule.ptr->packets[dirndx],
+ pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx],
1);
- counter_u64_add(s->nat_rule.ptr->bytes[dirndx],
+ pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx],
pd.tot_len);
}
if (s->src_node != NULL) {
@@ -6857,17 +6901,17 @@ done:
if (action == PF_PASS || r->action == PF_DROP) {
dirndx = (dir == PF_OUT);
- counter_u64_add(r->packets[dirndx], 1);
- counter_u64_add(r->bytes[dirndx], pd.tot_len);
+ pf_counter_u64_add(&r->packets[dirndx], 1);
+ pf_counter_u64_add(&r->bytes[dirndx], pd.tot_len);
if (a != NULL) {
- counter_u64_add(a->packets[dirndx], 1);
- counter_u64_add(a->bytes[dirndx], pd.tot_len);
+ pf_counter_u64_add(&a->packets[dirndx], 1);
+ pf_counter_u64_add(&a->bytes[dirndx], pd.tot_len);
}
if (s != NULL) {
if (s->nat_rule.ptr != NULL) {
- counter_u64_add(s->nat_rule.ptr->packets[dirndx],
+ pf_counter_u64_add(&s->nat_rule.ptr->packets[dirndx],
1);
- counter_u64_add(s->nat_rule.ptr->bytes[dirndx],
+ pf_counter_u64_add(&s->nat_rule.ptr->bytes[dirndx],
pd.tot_len);
}
if (s->src_node != NULL) {
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index f9df5d691cc9..8fe1798ff7c3 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -310,10 +310,10 @@ pfattach_vnet(void)
V_pf_default_rule.nr = -1;
V_pf_default_rule.rtableid = -1;
- V_pf_default_rule.evaluations = counter_u64_alloc(M_WAITOK);
+ pf_counter_u64_init(&V_pf_default_rule.evaluations, M_WAITOK);
for (int i = 0; i < 2; i++) {
- V_pf_default_rule.packets[i] = counter_u64_alloc(M_WAITOK);
- V_pf_default_rule.bytes[i] = counter_u64_alloc(M_WAITOK);
+ pf_counter_u64_init(&V_pf_default_rule.packets[i], M_WAITOK);
+ pf_counter_u64_init(&V_pf_default_rule.bytes[i], M_WAITOK);
}
V_pf_default_rule.states_cur = counter_u64_alloc(M_WAITOK);
V_pf_default_rule.states_tot = counter_u64_alloc(M_WAITOK);
@@ -321,8 +321,12 @@ pfattach_vnet(void)
#ifdef PF_WANT_32_TO_64_COUNTER
V_pf_kifmarker = malloc(sizeof(*V_pf_kifmarker), PFI_MTYPE, M_WAITOK | M_ZERO);
+ V_pf_rulemarker = malloc(sizeof(*V_pf_rulemarker), M_PFRULE, M_WAITOK | M_ZERO);
PF_RULES_WLOCK();
LIST_INSERT_HEAD(&V_pf_allkiflist, V_pf_kifmarker, pfik_allkiflist);
+ LIST_INSERT_HEAD(&V_pf_allrulelist, &V_pf_default_rule, allrulelist);
+ V_pf_allrulecount++;
+ LIST_INSERT_HEAD(&V_pf_allrulelist, V_pf_rulemarker, allrulelist);
PF_RULES_WUNLOCK();
#endif
@@ -1116,16 +1120,16 @@ pf_commit_rules(u_int32_t ticket, int rs_num, char *anchor)
while ((tail != NULL) && ! pf_krule_compare(tail, rule))
tail = TAILQ_NEXT(tail, entries);
if (tail != NULL) {
- counter_u64_add(rule->evaluations,
- counter_u64_fetch(tail->evaluations));
- counter_u64_add(rule->packets[0],
- counter_u64_fetch(tail->packets[0]));
- counter_u64_add(rule->packets[1],
- counter_u64_fetch(tail->packets[1]));
- counter_u64_add(rule->bytes[0],
- counter_u64_fetch(tail->bytes[0]));
- counter_u64_add(rule->bytes[1],
- counter_u64_fetch(tail->bytes[1]));
+ pf_counter_u64_add(&rule->evaluations,
+ pf_counter_u64_fetch(&tail->evaluations));
+ pf_counter_u64_add(&rule->packets[0],
+ pf_counter_u64_fetch(&tail->packets[0]));
+ pf_counter_u64_add(&rule->packets[1],
+ pf_counter_u64_fetch(&tail->packets[1]));
+ pf_counter_u64_add(&rule->bytes[0],
+ pf_counter_u64_fetch(&tail->bytes[0]));
+ pf_counter_u64_add(&rule->bytes[1],
+ pf_counter_u64_fetch(&tail->bytes[1]));
}
}
}
@@ -1505,13 +1509,29 @@ pf_altq_get_nth_active(u_int32_t n)
void
pf_krule_free(struct pf_krule *rule)
{
+#ifdef PF_WANT_32_TO_64_COUNTER
+ bool wowned;
+#endif
+
if (rule == NULL)
return;
- counter_u64_free(rule->evaluations);
+#ifdef PF_WANT_32_TO_64_COUNTER
+ if (rule->allrulelinked) {
+ wowned = PF_RULES_WOWNED();
+ if (!wowned)
+ PF_RULES_WLOCK();
+ LIST_REMOVE(rule, allrulelist);
+ V_pf_allrulecount--;
+ if (!wowned)
+ PF_RULES_WUNLOCK();
+ }
+#endif
+
+ pf_counter_u64_deinit(&rule->evaluations);
for (int i = 0; i < 2; i++) {
- counter_u64_free(rule->packets[i]);
- counter_u64_free(rule->bytes[i]);
+ pf_counter_u64_deinit(&rule->packets[i]);
+ pf_counter_u64_deinit(&rule->bytes[i]);
}
counter_u64_free(rule->states_cur);
counter_u64_free(rule->states_tot);
@@ -1573,7 +1593,7 @@ pf_pool_to_kpool(const struct pf_pool *pool, struct pf_kpool *kpool)
}
static void
-pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule)
+pf_krule_to_rule(struct pf_krule *krule, struct pf_rule *rule)
{
bzero(rule, sizeof(*rule));
@@ -1600,10 +1620,10 @@ pf_krule_to_rule(const struct pf_krule *krule, struct pf_rule *rule)
pf_kpool_to_pool(&krule->rpool, &rule->rpool);
- rule->evaluations = counter_u64_fetch(krule->evaluations);
+ rule->evaluations = pf_counter_u64_fetch(&krule->evaluations);
for (int i = 0; i < 2; i++) {
- rule->packets[i] = counter_u64_fetch(krule->packets[i]);
- rule->bytes[i] = counter_u64_fetch(krule->bytes[i]);
+ rule->packets[i] = pf_counter_u64_fetch(&krule->packets[i]);
+ rule->bytes[i] = pf_counter_u64_fetch(&krule->bytes[i]);
}
/* kif, anchor, overload_tbl are not copied over. */
@@ -1819,10 +1839,10 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
if (rule->ifname[0])
kif = pf_kkif_create(M_WAITOK);
- rule->evaluations = counter_u64_alloc(M_WAITOK);
+ pf_counter_u64_init(&rule->evaluations, M_WAITOK);
for (int i = 0; i < 2; i++) {
- rule->packets[i] = counter_u64_alloc(M_WAITOK);
- rule->bytes[i] = counter_u64_alloc(M_WAITOK);
+ pf_counter_u64_init(&rule->packets[i], M_WAITOK);
+ pf_counter_u64_init(&rule->bytes[i], M_WAITOK);
}
rule->states_cur = counter_u64_alloc(M_WAITOK);
rule->states_tot = counter_u64_alloc(M_WAITOK);
@@ -1832,6 +1852,12 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
TAILQ_INIT(&rule->rpool.list);
PF_RULES_WLOCK();
+#ifdef PF_WANT_32_TO_64_COUNTER
+ LIST_INSERT_HEAD(&V_pf_allrulelist, rule, allrulelist);
+ MPASS(!rule->allrulelinked);
+ rule->allrulelinked = true;
+ V_pf_allrulecount++;
+#endif
ruleset = pf_find_kruleset(anchor);
if (ruleset == NULL)
ERROUT(EINVAL);
@@ -1935,10 +1961,10 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
}
rule->rpool.cur = TAILQ_FIRST(&rule->rpool.list);
- counter_u64_zero(rule->evaluations);
+ pf_counter_u64_zero(&rule->evaluations);
for (int i = 0; i < 2; i++) {
- counter_u64_zero(rule->packets[i]);
- counter_u64_zero(rule->bytes[i]);
+ pf_counter_u64_zero(&rule->packets[i]);
+ pf_counter_u64_zero(&rule->bytes[i]);
}
TAILQ_INSERT_TAIL(ruleset->rules[rs_num].inactive.ptr,
rule, entries);
@@ -2419,10 +2445,10 @@ DIOCADDRULENV_error:
pf_addr_copyout(&pr->rule.dst.addr);
if (pr->action == PF_GET_CLR_CNTR) {
- counter_u64_zero(rule->evaluations);
+ pf_counter_u64_zero(&rule->evaluations);
for (int i = 0; i < 2; i++) {
- counter_u64_zero(rule->packets[i]);
- counter_u64_zero(rule->bytes[i]);
+ pf_counter_u64_zero(&rule->packets[i]);
+ pf_counter_u64_zero(&rule->bytes[i]);
}
counter_u64_zero(rule->states_tot);
}
@@ -2541,10 +2567,10 @@ DIOCADDRULENV_error:
}
if (clear_counter) {
- counter_u64_zero(rule->evaluations);
+ pf_counter_u64_zero(&rule->evaluations);
for (int i = 0; i < 2; i++) {
- counter_u64_zero(rule->packets[i]);
- counter_u64_zero(rule->bytes[i]);
+ pf_counter_u64_zero(&rule->packets[i]);
+ pf_counter_u64_zero(&rule->bytes[i]);
}
counter_u64_zero(rule->states_tot);
}
@@ -2590,12 +2616,10 @@ DIOCGETRULENV_error:
if (newrule->ifname[0])
kif = pf_kkif_create(M_WAITOK);
- newrule->evaluations = counter_u64_alloc(M_WAITOK);
+ pf_counter_u64_init(&newrule->evaluations, M_WAITOK);
for (int i = 0; i < 2; i++) {
- newrule->packets[i] =
- counter_u64_alloc(M_WAITOK);
- newrule->bytes[i] =
- counter_u64_alloc(M_WAITOK);
+ pf_counter_u64_init(&newrule->packets[i], M_WAITOK);
+ pf_counter_u64_init(&newrule->bytes[i], M_WAITOK);
}
newrule->states_cur = counter_u64_alloc(M_WAITOK);
newrule->states_tot = counter_u64_alloc(M_WAITOK);
@@ -2607,6 +2631,14 @@ DIOCGETRULENV_error:
#define ERROUT(x) { error = (x); goto DIOCCHANGERULE_error; }
PF_RULES_WLOCK();
+#ifdef PF_WANT_32_TO_64_COUNTER
+ if (newrule != NULL) {
+ LIST_INSERT_HEAD(&V_pf_allrulelist, newrule, allrulelist);
+ newrule->allrulelinked = true;
+ V_pf_allrulecount++;
+ }
+#endif
+
if (!(pcr->action == PF_CHANGE_REMOVE ||
pcr->action == PF_CHANGE_GET_TICKET) &&
pcr->pool_ticket != V_ticket_pabuf)
@@ -3165,10 +3197,10 @@ DIOCGETSTATESV2_full:
PF_RULES_WLOCK();
TAILQ_FOREACH(rule,
ruleset->rules[PF_RULESET_FILTER].active.ptr, entries) {
- counter_u64_zero(rule->evaluations);
+ pf_counter_u64_zero(&rule->evaluations);
for (int i = 0; i < 2; i++) {
- counter_u64_zero(rule->packets[i]);
- counter_u64_zero(rule->bytes[i]);
+ pf_counter_u64_zero(&rule->packets[i]);
+ pf_counter_u64_zero(&rule->bytes[i]);
}
}
PF_RULES_WUNLOCK();
@@ -5610,18 +5642,33 @@ pf_unload_vnet(void)
#ifdef PF_WANT_32_TO_64_COUNTER
PF_RULES_WLOCK();
LIST_REMOVE(V_pf_kifmarker, pfik_allkiflist);
- PF_RULES_WUNLOCK();
- free(V_pf_kifmarker, PFI_MTYPE);
MPASS(LIST_EMPTY(&V_pf_allkiflist));
MPASS(V_pf_allkifcount == 0);
+
+ LIST_REMOVE(&V_pf_default_rule, allrulelist);
+ V_pf_allrulecount--;
+ LIST_REMOVE(V_pf_rulemarker, allrulelist);
+
+ /*
+ * There are known pf rule leaks when running the test suite.
+ */
+#ifdef notyet
+ MPASS(LIST_EMPTY(&V_pf_allrulelist));
+ MPASS(V_pf_allrulecount == 0);
+#endif
+
+ PF_RULES_WUNLOCK();
+
+ free(V_pf_kifmarker, PFI_MTYPE);
+ free(V_pf_rulemarker, M_PFRULE);
#endif
/* Free counters last as we updated them during shutdown. */
- counter_u64_free(V_pf_default_rule.evaluations);
+ pf_counter_u64_deinit(&V_pf_default_rule.evaluations);
for (int i = 0; i < 2; i++) {
- counter_u64_free(V_pf_default_rule.packets[i]);
- counter_u64_free(V_pf_default_rule.bytes[i]);
+ pf_counter_u64_deinit(&V_pf_default_rule.packets[i]);
+ pf_counter_u64_deinit(&V_pf_default_rule.bytes[i]);
}
counter_u64_free(V_pf_default_rule.states_cur);
counter_u64_free(V_pf_default_rule.states_tot);
diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c
index 000ee69d9ae9..3da27c7df26d 100644
--- a/sys/netpfil/pf/pf_lb.c
+++ b/sys/netpfil/pf/pf_lb.c
@@ -149,7 +149,7 @@ pf_match_translation(struct pf_pdesc *pd, struct mbuf *m, int off,
dst = &r->dst;
}
- counter_u64_add(r->evaluations, 1);
+ pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != direction)
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
index 3df4e06f15b6..388e2bca77b6 100644
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1039,7 +1039,7 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) {
- counter_u64_add(r->evaluations, 1);
+ pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir)
@@ -1066,8 +1066,8 @@ pf_normalize_ip(struct mbuf **m0, int dir, struct pfi_kkif *kif, u_short *reason
if (r == NULL || r->action == PF_NOSCRUB)
return (PF_PASS);
- counter_u64_add(r->packets[dir == PF_OUT], 1);
- counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len);
+ pf_counter_u64_add(&r->packets[dir == PF_OUT], 1);
+ pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len);
/* Check for illegal packets */
if (hlen < (int)sizeof(struct ip)) {
@@ -1181,7 +1181,7 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif,
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) {
- counter_u64_add(r->evaluations, 1);
+ pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir)
@@ -1207,8 +1207,8 @@ pf_normalize_ip6(struct mbuf **m0, int dir, struct pfi_kkif *kif,
if (r == NULL || r->action == PF_NOSCRUB)
return (PF_PASS);
- counter_u64_add(r->packets[dir == PF_OUT], 1);
- counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len);
+ pf_counter_u64_add(&r->packets[dir == PF_OUT], 1);
+ pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len);
/* Check for illegal packets */
if (sizeof(struct ip6_hdr) + IPV6_MAXPACKET < m->m_pkthdr.len)
@@ -1334,7 +1334,7 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
r = TAILQ_FIRST(pf_main_ruleset.rules[PF_RULESET_SCRUB].active.ptr);
while (r != NULL) {
- counter_u64_add(r->evaluations, 1);
+ pf_counter_u64_add(&r->evaluations, 1);
if (pfi_kkif_match(r->kif, kif) == r->ifnot)
r = r->skip[PF_SKIP_IFP].ptr;
else if (r->direction && r->direction != dir)
@@ -1368,8 +1368,8 @@ pf_normalize_tcp(int dir, struct pfi_kkif *kif, struct mbuf *m, int ipoff,
if (rm == NULL || rm->action == PF_NOSCRUB)
return (PF_PASS);
- counter_u64_add(r->packets[dir == PF_OUT], 1);
- counter_u64_add(r->bytes[dir == PF_OUT], pd->tot_len);
+ pf_counter_u64_add(&r->packets[dir == PF_OUT], 1);
+ pf_counter_u64_add(&r->bytes[dir == PF_OUT], pd->tot_len);
if (rm->rule_flag & PFRULE_REASSEMBLE_TCP)
pd->flags |= PFDESC_TCP_NORM;
diff --git a/sys/netpfil/pf/pf_nv.c b/sys/netpfil/pf/pf_nv.c
index c0a17cd876ae..d1eca90e0ee5 100644
--- a/sys/netpfil/pf/pf_nv.c
+++ b/sys/netpfil/pf/pf_nv.c
@@ -655,7 +655,7 @@ error:
}
nvlist_t *
-pf_krule_to_nvrule(const struct pf_krule *rule)
+pf_krule_to_nvrule(struct pf_krule *rule)
{
nvlist_t *nvl, *tmp;
@@ -698,12 +698,12 @@ pf_krule_to_nvrule(const struct pf_krule *rule)
nvlist_destroy(tmp);
nvlist_add_number(nvl, "evaluations",
- counter_u64_fetch(rule->evaluations));
+ pf_counter_u64_fetch(&rule->evaluations));
for (int i = 0; i < 2; i++) {
nvlist_append_number_array(nvl, "packets",
- counter_u64_fetch(rule->packets[i]));
+ pf_counter_u64_fetch(&rule->packets[i]));
nvlist_append_number_array(nvl, "bytes",
- counter_u64_fetch(rule->bytes[i]));
+ pf_counter_u64_fetch(&rule->bytes[i]));
}
nvlist_add_number(nvl, "os_fingerprint", rule->os_fingerprint);
diff --git a/sys/netpfil/pf/pf_nv.h b/sys/netpfil/pf/pf_nv.h
index f3610407dae1..8a46aae326a6 100644
--- a/sys/netpfil/pf/pf_nv.h
+++ b/sys/netpfil/pf/pf_nv.h
@@ -77,7 +77,7 @@ int pf_nvstring(const nvlist_t *, const char *, char *, size_t);
int pf_check_rule_addr(const struct pf_rule_addr *);
-nvlist_t *pf_krule_to_nvrule(const struct pf_krule *);
+nvlist_t *pf_krule_to_nvrule(struct pf_krule *);
int pf_nvrule_to_krule(const nvlist_t *, struct pf_krule *);
int pf_nvstate_kill_to_kstate_kill(const nvlist_t *,
struct pf_kstate_kill *);
More information about the dev-commits-src-all
mailing list