VIMAGE + PF crashes - possible solutions

Gleb Smirnoff glebius at FreeBSD.org
Wed Oct 16 07:28:40 UTC 2013


On Wed, Oct 16, 2013 at 09:16:43AM +0200, Martin Matuska wrote:
M> Hi, I have encountered the same mtag panic Craig had with VIMAGE + PF
M> and have reported this in a PR 182964:
M> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/182964
M> 
M> Here are two possible solutions I would like to discuss, both make the
M> panic go away:
M> 
M> 1.) de-virtualize the variable as Marco suggested, this solution is a
M> more intrusive change to pf.c
M> http://people.freebsd.org/~mm/patches/pf_mtag.patch
M> 
M> 2.) add vnet context to struct m_tag, this is less intrusive to pf.c and
M> the uma zone remains virtualized:
M> http://people.freebsd.org/~mm/patches/pf_mtag.2.patch
M> 
M> Which of the approaches should we take or is this to be solved in a
M> completely different way?

As I already said, both patches look incorrect. The correct way
is to separate things we want to be global, and things that we want
to be V. Then, put the latter on SYSINIT_VNET().

There is work in progress on that by Nikos. Unfortunately, he is now
very busy with real life and his hacking is on hiatus. You can find
his WIP patches in attachments. Although they aren't finished, the
way is correct.

I also checked in some of his code into projects/pf:

http://svnweb.freebsd.org/base?view=revision&revision=251993

-- 
Totus tuus, Glebius.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pf.diff
Type: text/x-diff
Size: 17592 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-pf/attachments/20131016/dd82b180/attachment.diff>
-------------- next part --------------
Index: sys/net/pfvar.h
===================================================================
--- sys/net/pfvar.h	(revision 252856)
+++ sys/net/pfvar.h	(working copy)
@@ -1701,6 +1701,11 @@ VNET_DECLARE(struct pf_rulequeue, pf_unlinked_rule
 
 void				 pf_initialize(void);
 void				 pf_cleanup(void);
+void				 pf_overloadqueue_mtx_init(void);
+void				 pf_sendqueue_mtx_init(void);
+void				 pfi_unlnkdkifs_mtx_init(void);
+void				 pf_unlnkdrules_mtx_init(void);
+void				 pf_frag_mtx_init(void);
 
 struct pf_mtag			*pf_get_mtag(struct mbuf *);
 
Index: sys/netpfil/pf/pf.c
===================================================================
--- sys/netpfil/pf/pf.c	(revision 252856)
+++ sys/netpfil/pf/pf.c	(working copy)
@@ -755,16 +755,34 @@ pf_initialize()
 	STAILQ_INIT(&V_pf_sendqueue);
 	SLIST_INIT(&V_pf_overloadqueue);
 	TASK_INIT(&V_pf_overloadtask, 0, pf_overload_task, &V_pf_overloadqueue);
-	mtx_init(&pf_sendqueue_mtx, "pf send queue", NULL, MTX_DEF);
-	mtx_init(&pf_overloadqueue_mtx, "pf overload/flush queue", NULL,
-	    MTX_DEF);
 
 	/* Unlinked, but may be referenced rules. */
 	TAILQ_INIT(&V_pf_unlinked_rules);
+}
+
+void
+pf_unlnkdrules_mtx_init()
+{
+
 	mtx_init(&pf_unlnkdrules_mtx, "pf unlinked rules", NULL, MTX_DEF);
 }
 
 void
+pf_overloadqueue_mtx_init()
+{
+
+	mtx_init(&pf_overloadqueue_mtx, "pf overload/flush queue", NULL,
+	    MTX_DEF);
+}
+
+void
+pf_sendqueue_mtx_init()
+{
+
+	mtx_init(&pf_sendqueue_mtx, "pf send queue", NULL, MTX_DEF);
+}
+
+void
 pf_cleanup()
 {
 	struct pf_keyhash	*kh;
Index: sys/netpfil/pf/pf_if.c
===================================================================
--- sys/netpfil/pf/pf_if.c	(revision 252856)
+++ sys/netpfil/pf/pf_if.c	(working copy)
@@ -100,6 +100,13 @@ static VNET_DEFINE(struct pfi_list, pfi_unlinked_k
 static struct mtx pfi_unlnkdkifs_mtx;
 
 void
+pfi_unlnkdkifs_mtx_init()
+{
+
+	mtx_init(&pfi_unlnkdkifs_mtx, "pf unlinked interfaces", NULL, MTX_DEF);
+}
+
+void
 pfi_initialize(void)
 {
 	struct ifg_group *ifg;
@@ -110,8 +117,6 @@ pfi_initialize(void)
 	V_pfi_buffer = malloc(V_pfi_buffer_max * sizeof(*V_pfi_buffer),
 	    PFI_MTYPE, M_WAITOK);
 
-	mtx_init(&pfi_unlnkdkifs_mtx, "pf unlinked interfaces", NULL, MTX_DEF);
-
 	kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
 	PF_RULES_WLOCK();
 	V_pfi_all = pfi_kif_attach(kif, IFG_ALL);
Index: sys/netpfil/pf/pf_ioctl.c
===================================================================
--- sys/netpfil/pf/pf_ioctl.c	(revision 252856)
+++ sys/netpfil/pf/pf_ioctl.c	(working copy)
@@ -3629,28 +3629,31 @@ dehook_pf(void)
 }
 
 static int
-pf_load(void)
+vnet_pf_init(void)
 {
 	int error;
 
-	VNET_ITERATOR_DECL(vnet_iter);
+	TAILQ_INIT(&V_pf_tags);
+	TAILQ_INIT(&V_pf_qids);
 
-	VNET_LIST_RLOCK();
-	VNET_FOREACH(vnet_iter) {
-		CURVNET_SET(vnet_iter);
-		V_pf_pfil_hooked = 0;
-		V_pf_end_threads = 0;
-		TAILQ_INIT(&V_pf_tags);
-		TAILQ_INIT(&V_pf_qids);
-		CURVNET_RESTORE();
-	}
-	VNET_LIST_RUNLOCK();
+	if ((error = pfattach()) != 0)
+		return (error);
 
+	return (0);
+} 
+
+static int
+pf_load(void)
+{
+
 	rw_init(&pf_rules_lock, "pf rulesets");
+	pf_sendqueue_mtx_init();
+	pf_overloadqueue_mtx_init();
+	pf_unlnkdrules_mtx_init();
+	pfi_unlnkdkifs_mtx_init();
+	pf_frag_mtx_init();
 
 	pf_dev = make_dev(&pf_cdevsw, 0, 0, 0, 0600, PF_NAME);
-	if ((error = pfattach()) != 0)
-		return (error);
 
 	return (0);
 }
@@ -3727,3 +3730,5 @@ static moduledata_t pf_mod = {
 
 DECLARE_MODULE(pf, pf_mod, SI_SUB_PSEUDO, SI_ORDER_FIRST);
 MODULE_VERSION(pf, PF_MODVER);
+
+VNET_SYSINIT(vnet_pf_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY - 255, vnet_pf_init, NULL);
Index: sys/netpfil/pf/pf_norm.c
===================================================================
--- sys/netpfil/pf/pf_norm.c	(revision 252856)
+++ sys/netpfil/pf/pf_norm.c	(working copy)
@@ -163,8 +163,6 @@ pf_normalize_init(void)
 	uma_zone_set_max(V_pf_frent_z, PFFRAG_FRENT_HIWAT);
 	uma_zone_set_warning(V_pf_frent_z, "PF frag entries limit reached");
 
-	mtx_init(&pf_frag_mtx, "pf fragments", NULL, MTX_DEF);
-
 	TAILQ_INIT(&V_pf_fragqueue);
 	TAILQ_INIT(&V_pf_cachequeue);
 }
@@ -180,6 +178,13 @@ pf_normalize_cleanup(void)
 	mtx_destroy(&pf_frag_mtx);
 }
 
+void
+pf_frag_mtx_init()
+{
+
+	mtx_init(&pf_frag_mtx, "pf fragments", NULL, MTX_DEF);
+}
+
 static int
 pf_frag_compare(struct pf_fragment *a, struct pf_fragment *b)
 {
-------------- next part --------------
Index: sys/net/pfvar.h
===================================================================
--- sys/net/pfvar.h	(revision 252114)
+++ sys/net/pfvar.h	(working copy)
@@ -227,6 +227,17 @@ extern struct rwlock pf_rules_lock;
 #define	PF_RULES_RASSERT()	rw_assert(&pf_rules_lock, RA_RLOCKED)
 #define	PF_RULES_WASSERT()	rw_assert(&pf_rules_lock, RA_WLOCKED)
 
+extern struct mtx pf_sendqueue_mtx;
+#define PF_SENDQ_LOCK()		mtx_lock(&pf_sendqueue_mtx)
+#define PF_SENDQ_UNLOCK()	mtx_unlock(&pf_sendqueue_mtx)
+
+extern struct mtx pf_overloadqueue_mtx;
+#define PF_OVERLOADQ_LOCK()	mtx_lock(&pf_overloadqueue_mtx)
+#define PF_OVERLOADQ_UNLOCK()	mtx_unlock(&pf_overloadqueue_mtx)
+
+extern struct mtx pfi_unlnkdkifs_mtx;
+extern struct mtx pf_frag_mtx;
+
 #define	PF_MODVER	1
 #define	PFLOG_MODVER	1
 #define	PFSYNC_MODVER	1
Index: sys/netpfil/pf/pf.c
===================================================================
--- sys/netpfil/pf/pf.c	(revision 252114)
+++ sys/netpfil/pf/pf.c	(working copy)
@@ -157,9 +157,7 @@ STAILQ_HEAD(pf_send_head, pf_send_entry);
 static VNET_DEFINE(struct pf_send_head, pf_sendqueue);
 #define	V_pf_sendqueue	VNET(pf_sendqueue)
 
-static struct mtx pf_sendqueue_mtx;
-#define	PF_SENDQ_LOCK()		mtx_lock(&pf_sendqueue_mtx)
-#define	PF_SENDQ_UNLOCK()	mtx_unlock(&pf_sendqueue_mtx)
+struct mtx pf_sendqueue_mtx;
 
 /*
  * Queue for pf_overload_task() tasks.
@@ -178,9 +176,7 @@ static VNET_DEFINE(struct pf_overload_head, pf_ove
 static VNET_DEFINE(struct task, pf_overloadtask);
 #define	V_pf_overloadtask	VNET(pf_overloadtask)
 
-static struct mtx pf_overloadqueue_mtx;
-#define	PF_OVERLOADQ_LOCK()	mtx_lock(&pf_overloadqueue_mtx)
-#define	PF_OVERLOADQ_UNLOCK()	mtx_unlock(&pf_overloadqueue_mtx)
+struct mtx pf_overloadqueue_mtx;
 
 VNET_DEFINE(struct pf_rulequeue, pf_unlinked_rules);
 struct mtx pf_unlnkdrules_mtx;
@@ -755,13 +751,9 @@ pf_initialize()
 	STAILQ_INIT(&V_pf_sendqueue);
 	SLIST_INIT(&V_pf_overloadqueue);
 	TASK_INIT(&V_pf_overloadtask, 0, pf_overload_task, &V_pf_overloadqueue);
-	mtx_init(&pf_sendqueue_mtx, "pf send queue", NULL, MTX_DEF);
-	mtx_init(&pf_overloadqueue_mtx, "pf overload/flush queue", NULL,
-	    MTX_DEF);
 
 	/* Unlinked, but may be referenced rules. */
 	TAILQ_INIT(&V_pf_unlinked_rules);
-	mtx_init(&pf_unlnkdrules_mtx, "pf unlinked rules", NULL, MTX_DEF);
 }
 
 void
Index: sys/netpfil/pf/pf_if.c
===================================================================
--- sys/netpfil/pf/pf_if.c	(revision 252114)
+++ sys/netpfil/pf/pf_if.c	(working copy)
@@ -97,7 +97,7 @@ MALLOC_DEFINE(PFI_MTYPE, "pf_ifnet", "pf(4) interf
 LIST_HEAD(pfi_list, pfi_kif);
 static VNET_DEFINE(struct pfi_list, pfi_unlinked_kifs);
 #define	V_pfi_unlinked_kifs	VNET(pfi_unlinked_kifs)
-static struct mtx pfi_unlnkdkifs_mtx;
+struct mtx pfi_unlnkdkifs_mtx;
 
 void
 pfi_initialize(void)
@@ -110,8 +110,6 @@ pfi_initialize(void)
 	V_pfi_buffer = malloc(V_pfi_buffer_max * sizeof(*V_pfi_buffer),
 	    PFI_MTYPE, M_WAITOK);
 
-	mtx_init(&pfi_unlnkdkifs_mtx, "pf unlinked interfaces", NULL, MTX_DEF);
-
 	kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
 	PF_RULES_WLOCK();
 	V_pfi_all = pfi_kif_attach(kif, IFG_ALL);
Index: sys/netpfil/pf/pf_ioctl.c
===================================================================
--- sys/netpfil/pf/pf_ioctl.c	(revision 252114)
+++ sys/netpfil/pf/pf_ioctl.c	(working copy)
@@ -3629,28 +3629,32 @@ dehook_pf(void)
 }
 
 static int
-pf_load(void)
+vnet_pf_init(void)
 {
 	int error;
 
-	VNET_ITERATOR_DECL(vnet_iter);
+	V_pf_pfil_hooked = 0;
+	TAILQ_INIT(&V_pf_tags);
+	TAILQ_INIT(&V_pf_qids);
 
-	VNET_LIST_RLOCK();
-	VNET_FOREACH(vnet_iter) {
-		CURVNET_SET(vnet_iter);
-		V_pf_pfil_hooked = 0;
-		V_pf_end_threads = 0;
-		TAILQ_INIT(&V_pf_tags);
-		TAILQ_INIT(&V_pf_qids);
-		CURVNET_RESTORE();
-	}
-	VNET_LIST_RUNLOCK();
+	if ((error = pfattach()) != 0)
+		return (error);
 
+	return (0);
+} 
+
+static int
+pf_load(void)
+{
+
 	rw_init(&pf_rules_lock, "pf rulesets");
-
 	pf_dev = make_dev(&pf_cdevsw, 0, 0, 0, 0600, PF_NAME);
-	if ((error = pfattach()) != 0)
-		return (error);
+	mtx_init(&pf_sendqueue_mtx, "pf send queue", NULL, MTX_DEF);
+	mtx_init(&pf_overloadqueue_mtx, "pf overload/flush queue", NULL,
+	    MTX_DEF);
+	mtx_init(&pf_unlnkdrules_mtx, "pf unlinked rules", NULL, MTX_DEF);
+	mtx_init(&pfi_unlnkdkifs_mtx, "pf unlinked interfaces", NULL, MTX_DEF);
+	mtx_init(&pf_frag_mtx, "pf fragments", NULL, MTX_DEF);
 
 	return (0);
 }
@@ -3727,3 +3731,5 @@ static moduledata_t pf_mod = {
 
 DECLARE_MODULE(pf, pf_mod, SI_SUB_PSEUDO, SI_ORDER_FIRST);
 MODULE_VERSION(pf, PF_MODVER);
+
+VNET_SYSINIT(vnet_pf_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY - 255, vnet_pf_init, NULL);
Index: sys/netpfil/pf/pf_norm.c
===================================================================
--- sys/netpfil/pf/pf_norm.c	(revision 252114)
+++ sys/netpfil/pf/pf_norm.c	(working copy)
@@ -92,7 +92,7 @@ struct pf_fragment {
 	LIST_HEAD(, pf_frent) fr_queue;
 };
 
-static struct mtx pf_frag_mtx;
+struct mtx pf_frag_mtx;
 #define PF_FRAG_LOCK()		mtx_lock(&pf_frag_mtx)
 #define PF_FRAG_UNLOCK()	mtx_unlock(&pf_frag_mtx)
 #define PF_FRAG_ASSERT()	mtx_assert(&pf_frag_mtx, MA_OWNED)
@@ -163,8 +163,6 @@ pf_normalize_init(void)
 	uma_zone_set_max(V_pf_frent_z, PFFRAG_FRENT_HIWAT);
 	uma_zone_set_warning(V_pf_frent_z, "PF frag entries limit reached");
 
-	mtx_init(&pf_frag_mtx, "pf fragments", NULL, MTX_DEF);
-
 	TAILQ_INIT(&V_pf_fragqueue);
 	TAILQ_INIT(&V_pf_cachequeue);
 }
-------------- next part --------------
Index: sys/net/pfvar.h
===================================================================
--- sys/net/pfvar.h	(revision 251794)
+++ sys/net/pfvar.h	(working copy)
@@ -1659,19 +1659,17 @@ struct pf_idhash {
 	struct mtx			lock;
 };
 
+extern u_long		pf_hashmask;
+extern u_long		pf_srchashmask;
 #define	PF_HASHSIZ	(32768)
 VNET_DECLARE(struct pf_keyhash *, pf_keyhash);
 VNET_DECLARE(struct pf_idhash *, pf_idhash);
-VNET_DECLARE(u_long, pf_hashmask);
 #define V_pf_keyhash	VNET(pf_keyhash)
 #define	V_pf_idhash	VNET(pf_idhash)
-#define	V_pf_hashmask	VNET(pf_hashmask)
 VNET_DECLARE(struct pf_srchash *, pf_srchash);
-VNET_DECLARE(u_long, pf_srchashmask);
 #define	V_pf_srchash	VNET(pf_srchash)
-#define V_pf_srchashmask VNET(pf_srchashmask)
 
-#define PF_IDHASH(s)	(be64toh((s)->id) % (V_pf_hashmask + 1))
+#define PF_IDHASH(s)	(be64toh((s)->id) % (pf_hashmask + 1))
 
 VNET_DECLARE(void *, pf_swi_cookie);
 #define V_pf_swi_cookie	VNET(pf_swi_cookie)
Index: sys/netpfil/pf/if_pfsync.c
===================================================================
--- sys/netpfil/pf/if_pfsync.c	(revision 251794)
+++ sys/netpfil/pf/if_pfsync.c	(working copy)
@@ -683,7 +683,7 @@ pfsync_in_clr(struct pfsync_pkt *pkt, struct mbuf
 		    pfi_kif_find(clr[i].ifname) == NULL)
 			continue;
 
-		for (int i = 0; i <= V_pf_hashmask; i++) {
+		for (int i = 0; i <= pf_hashmask; i++) {
 			struct pf_idhash *ih = &V_pf_idhash[i];
 			struct pf_state *s;
 relock:
@@ -2045,7 +2045,7 @@ pfsync_bulk_update(void *arg)
 	else
 		i = sc->sc_bulk_hashid;
 
-	for (; i <= V_pf_hashmask; i++) {
+	for (; i <= pf_hashmask; i++) {
 		struct pf_idhash *ih = &V_pf_idhash[i];
 
 		if (s != NULL)
Index: sys/netpfil/pf/pf.c
===================================================================
--- sys/netpfil/pf/pf.c	(revision 251794)
+++ sys/netpfil/pf/pf.c	(working copy)
@@ -353,21 +353,19 @@ VNET_DEFINE(struct pf_limit, pf_limits[PF_LIMIT_MA
 static MALLOC_DEFINE(M_PFHASH, "pf_hash", "pf(4) hash header structures");
 VNET_DEFINE(struct pf_keyhash *, pf_keyhash);
 VNET_DEFINE(struct pf_idhash *, pf_idhash);
-VNET_DEFINE(u_long, pf_hashmask);
 VNET_DEFINE(struct pf_srchash *, pf_srchash);
-VNET_DEFINE(u_long, pf_srchashmask);
 
 SYSCTL_NODE(_net, OID_AUTO, pf, CTLFLAG_RW, 0, "pf(4)");
 
-VNET_DEFINE(u_long, pf_hashsize);
-#define	V_pf_hashsize	VNET(pf_hashsize)
-SYSCTL_VNET_UINT(_net_pf, OID_AUTO, states_hashsize, CTLFLAG_RDTUN,
-    &VNET_NAME(pf_hashsize), 0, "Size of pf(4) states hashtable");
+u_long	pf_hashmask;
+u_long	pf_srchashmask;
+static u_long	pf_hashsize;
+static u_long	pf_srchashsize;
 
-VNET_DEFINE(u_long, pf_srchashsize);
-#define	V_pf_srchashsize	VNET(pf_srchashsize)
-SYSCTL_VNET_UINT(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_RDTUN,
-    &VNET_NAME(pf_srchashsize), 0, "Size of pf(4) source nodes hashtable");
+SYSCTL_UINT(_net_pf, OID_AUTO, states_hashsize, CTLFLAG_RDTUN,
+    &pf_hashsize, 0, "Size of pf(4) states hashtable");
+SYSCTL_UINT(_net_pf, OID_AUTO, source_nodes_hashsize, CTLFLAG_RDTUN,
+    &pf_srchashsize, 0, "Size of pf(4) source nodes hashtable");
 
 VNET_DEFINE(void *, pf_swi_cookie);
 
@@ -383,7 +381,7 @@ pf_hashkey(struct pf_state_key *sk)
 	    sizeof(struct pf_state_key_cmp)/sizeof(uint32_t),
 	    V_pf_hashseed);
 
-	return (h & V_pf_hashmask);
+	return (h & pf_hashmask);
 }
 
 static __inline uint32_t
@@ -404,7 +402,7 @@ pf_hashsrc(struct pf_addr *addr, sa_family_t af)
 		panic("%s: unknown address family %u", __func__, af);
 	}
 
-	return (h & V_pf_srchashmask);
+	return (h & pf_srchashmask);
 }
 
 #ifdef INET6
@@ -566,7 +564,7 @@ pf_overload_task(void *c, int pending)
 	if (SLIST_EMPTY(&queue))
 		return;
 
-	for (int i = 0; i <= V_pf_hashmask; i++) {
+	for (int i = 0; i <= pf_hashmask; i++) {
 		struct pf_idhash *ih = &V_pf_idhash[i];
 		struct pf_state_key *sk;
 		struct pf_state *s;
@@ -698,12 +696,12 @@ pf_initialize()
 	struct pf_srchash	*sh;
 	u_int i;
 
-	TUNABLE_ULONG_FETCH("net.pf.states_hashsize", &V_pf_hashsize);
-	if (V_pf_hashsize == 0 || !powerof2(V_pf_hashsize))
-		V_pf_hashsize = PF_HASHSIZ;
-	TUNABLE_ULONG_FETCH("net.pf.source_nodes_hashsize", &V_pf_srchashsize);
-	if (V_pf_srchashsize == 0 || !powerof2(V_pf_srchashsize))
-		V_pf_srchashsize = PF_HASHSIZ / 4;
+	TUNABLE_ULONG_FETCH("net.pf.states_hashsize", &pf_hashsize);
+	if (pf_hashsize == 0 || !powerof2(pf_hashsize))
+		pf_hashsize = PF_HASHSIZ;
+	TUNABLE_ULONG_FETCH("net.pf.source_nodes_hashsize", &pf_srchashsize);
+	if (pf_srchashsize == 0 || !powerof2(pf_srchashsize))
+		pf_srchashsize = PF_HASHSIZ / 4;
 
 	V_pf_hashseed = arc4random();
 
@@ -717,12 +715,12 @@ pf_initialize()
 	V_pf_state_key_z = uma_zcreate("pf state keys",
 	    sizeof(struct pf_state_key), pf_state_key_ctor, NULL, NULL, NULL,
 	    UMA_ALIGN_PTR, 0);
-	V_pf_keyhash = malloc(V_pf_hashsize * sizeof(struct pf_keyhash),
+	V_pf_keyhash = malloc(pf_hashsize * sizeof(struct pf_keyhash),
 	    M_PFHASH, M_WAITOK | M_ZERO);
-	V_pf_idhash = malloc(V_pf_hashsize * sizeof(struct pf_idhash),
+	V_pf_idhash = malloc(pf_hashsize * sizeof(struct pf_idhash),
 	    M_PFHASH, M_WAITOK | M_ZERO);
-	V_pf_hashmask = V_pf_hashsize - 1;
-	for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= V_pf_hashmask;
+	pf_hashmask = pf_hashsize - 1;
+	for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= pf_hashmask;
 	    i++, kh++, ih++) {
 		mtx_init(&kh->lock, "pf_keyhash", NULL, MTX_DEF | MTX_DUPOK);
 		mtx_init(&ih->lock, "pf_idhash", NULL, MTX_DEF);
@@ -735,10 +733,10 @@ pf_initialize()
 	V_pf_limits[PF_LIMIT_SRC_NODES].zone = V_pf_sources_z;
 	uma_zone_set_max(V_pf_sources_z, PFSNODE_HIWAT);
 	uma_zone_set_warning(V_pf_sources_z, "PF source nodes limit reached");
-	V_pf_srchash = malloc(V_pf_srchashsize * sizeof(struct pf_srchash),
+	V_pf_srchash = malloc(pf_srchashsize * sizeof(struct pf_srchash),
 	  M_PFHASH, M_WAITOK|M_ZERO);
-	V_pf_srchashmask = V_pf_srchashsize - 1;
-	for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++)
+	pf_srchashmask = pf_srchashsize - 1;
+	for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; i++, sh++)
 		mtx_init(&sh->lock, "pf_srchash", NULL, MTX_DEF);
 
 	/* ALTQ */
@@ -775,7 +773,7 @@ pf_cleanup()
 	struct pf_send_entry	*pfse, *next;
 	u_int i;
 
-	for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= V_pf_hashmask;
+	for (i = 0, kh = V_pf_keyhash, ih = V_pf_idhash; i <= pf_hashmask;
 	    i++, kh++, ih++) {
 		KASSERT(LIST_EMPTY(&kh->keys), ("%s: key hash not empty",
 		    __func__));
@@ -787,7 +785,7 @@ pf_cleanup()
 	free(V_pf_keyhash, M_PFHASH);
 	free(V_pf_idhash, M_PFHASH);
 
-	for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++) {
+	for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; i++, sh++) {
 		KASSERT(LIST_EMPTY(&sh->nodes),
 		    ("%s: source node hash not empty", __func__));
 		mtx_destroy(&sh->lock);
@@ -1177,7 +1175,7 @@ pf_find_state_byid(uint64_t id, uint32_t creatorid
 
 	V_pf_status.fcounters[FCNT_STATE_SEARCH]++;
 
-	ih = &V_pf_idhash[(be64toh(id) % (V_pf_hashmask + 1))];
+	ih = &V_pf_idhash[(be64toh(id) % (pf_hashmask + 1))];
 
 	PF_HASHROW_LOCK(ih);
 	LIST_FOREACH(s, &ih->states, entry)
@@ -1373,7 +1371,7 @@ pf_purge_thread(void *v)
 			/*
 			 * Now purge everything.
 			 */
-			pf_purge_expired_states(0, V_pf_hashmask);
+			pf_purge_expired_states(0, pf_hashmask);
 			pf_purge_expired_fragments();
 			pf_purge_expired_src_nodes();
 
@@ -1396,7 +1394,7 @@ pf_purge_thread(void *v)
 		PF_RULES_RUNLOCK();
 
 		/* Process 1/interval fraction of the state table every run. */
-		idx = pf_purge_expired_states(idx, V_pf_hashmask /
+		idx = pf_purge_expired_states(idx, pf_hashmask /
 			    (V_pf_default_rule.timeout[PFTM_INTERVAL] * 10));
 
 		/* Purge other expired types every PFTM_INTERVAL seconds. */
@@ -1462,7 +1460,7 @@ pf_purge_expired_src_nodes()
 	struct pf_src_node	*cur, *next;
 	int i;
 
-	for (i = 0, sh = V_pf_srchash; i <= V_pf_srchashmask; i++, sh++) {
+	for (i = 0, sh = V_pf_srchash; i <= pf_srchashmask; i++, sh++) {
 	    PF_HASHROW_LOCK(sh);
 	    LIST_FOREACH_SAFE(cur, &sh->nodes, entry, next)
 		if (cur->states <= 0 && cur->expire <= time_uptime) {
@@ -1614,7 +1612,7 @@ relock:
 		PF_HASHROW_UNLOCK(ih);
 
 		/* Return when we hit end of hash. */
-		if (++i > V_pf_hashmask) {
+		if (++i > pf_hashmask) {
 			V_pf_status.states = uma_zone_get_cur(V_pf_state_z);
 			return (0);
 		}
Index: sys/netpfil/pf/pf_ioctl.c
===================================================================
--- sys/netpfil/pf/pf_ioctl.c	(revision 251794)
+++ sys/netpfil/pf/pf_ioctl.c	(working copy)
@@ -1577,7 +1577,7 @@ DIOCCHANGERULE_error:
 		struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
 		u_int			 i, killed = 0;
 
-		for (i = 0; i <= V_pf_hashmask; i++) {
+		for (i = 0; i <= pf_hashmask; i++) {
 			struct pf_idhash *ih = &V_pf_idhash[i];
 
 relock_DIOCCLRSTATES:
@@ -1622,7 +1622,7 @@ relock_DIOCCLRSTATES:
 			break;
 		}
 
-		for (i = 0; i <= V_pf_hashmask; i++) {
+		for (i = 0; i <= pf_hashmask; i++) {
 			struct pf_idhash *ih = &V_pf_idhash[i];
 
 relock_DIOCKILLSTATES:
@@ -1726,7 +1726,7 @@ relock_DIOCKILLSTATES:
 		p = pstore = malloc(ps->ps_len, M_TEMP, M_WAITOK);
 		nr = 0;
 
-		for (i = 0; i <= V_pf_hashmask; i++) {
+		for (i = 0; i <= pf_hashmask; i++) {
 			struct pf_idhash *ih = &V_pf_idhash[i];
 
 			PF_HASHROW_LOCK(ih);
@@ -3078,7 +3078,7 @@ DIOCCHANGEADDR_error:
 		uint32_t		 i, nr = 0;
 
 		if (psn->psn_len == 0) {
-			for (i = 0, sh = V_pf_srchash; i < V_pf_srchashmask;
+			for (i = 0, sh = V_pf_srchash; i < pf_srchashmask;
 			    i++, sh++) {
 				PF_HASHROW_LOCK(sh);
 				LIST_FOREACH(n, &sh->nodes, entry)
@@ -3090,7 +3090,7 @@ DIOCCHANGEADDR_error:
 		}
 
 		p = pstore = malloc(psn->psn_len, M_TEMP, M_WAITOK);
-		for (i = 0, sh = V_pf_srchash; i < V_pf_srchashmask;
+		for (i = 0, sh = V_pf_srchash; i < pf_srchashmask;
 		    i++, sh++) {
 		    PF_HASHROW_LOCK(sh);
 		    LIST_FOREACH(n, &sh->nodes, entry) {
@@ -3147,7 +3147,7 @@ DIOCCHANGEADDR_error:
 		struct pf_src_node	*sn;
 		u_int			i, killed = 0;
 
-		for (i = 0, sh = V_pf_srchash; i < V_pf_srchashmask;
+		for (i = 0, sh = V_pf_srchash; i < pf_srchashmask;
 		    i++, sh++) {
 		    /*
 		     * XXXGL: we don't ever acquire sources hash lock
@@ -3331,7 +3331,7 @@ pf_clear_states(void)
 	struct pf_state	*s;
 	u_int i;
 
-	for (i = 0; i <= V_pf_hashmask; i++) {
+	for (i = 0; i <= pf_hashmask; i++) {
 		struct pf_idhash *ih = &V_pf_idhash[i];
 relock:
 		PF_HASHROW_LOCK(ih);
@@ -3366,7 +3366,7 @@ pf_clear_srcnodes(struct pf_src_node *n)
 	struct pf_state *s;
 	int i;
 
-	for (i = 0; i <= V_pf_hashmask; i++) {
+	for (i = 0; i <= pf_hashmask; i++) {
 		struct pf_idhash *ih = &V_pf_idhash[i];
 
 		PF_HASHROW_LOCK(ih);
@@ -3382,7 +3382,7 @@ pf_clear_srcnodes(struct pf_src_node *n)
 	if (n == NULL) {
 		struct pf_srchash *sh;
 
-		for (i = 0, sh = V_pf_srchash; i < V_pf_srchashmask;
+		for (i = 0, sh = V_pf_srchash; i < pf_srchashmask;
 		    i++, sh++) {
 			PF_HASHROW_LOCK(sh);
 			LIST_FOREACH(n, &sh->nodes, entry) {


More information about the freebsd-pf mailing list