rdr pass for proto tcp sometimes creates states with expire time zero and so breaking connections

Konstantin Belousov kib at freebsd.org
Sat Feb 2 18:42:17 UTC 2019


On Sat, Feb 02, 2019 at 11:26:45AM +0100, Andreas Longwitz wrote:
> Hello,
> 
> > Lets switch to IPI method for fetch, similar to clear.
> > I do not think that the cost of fetch is too important comparing with
> > the race.
> > 
> > diff --git a/sys/i386/include/counter.h b/sys/i386/include/counter.h
> > index 7fd26d2a960..278f89123a4 100644
> > --- a/sys/i386/include/counter.h
> > +++ b/sys/i386/include/counter.h
> > @@ -72,7 +72,12 @@ counter_64_inc_8b(uint64_t *p, int64_t inc)
> >  }
> >  
> >  #ifdef IN_SUBR_COUNTER_C
> > -static inline uint64_t
> > +struct counter_u64_fetch_cx8_arg {
> > +	uint64_t res;
> > +	uint64_t *p;
> > +};
> > +
> > +static uint64_t
> >  counter_u64_read_one_8b(uint64_t *p)
> >  {
> >  	uint32_t res_lo, res_high;
> > @@ -87,9 +92,22 @@ counter_u64_read_one_8b(uint64_t *p)
> >  	return (res_lo + ((uint64_t)res_high << 32));
> >  }
> >  
> > +static void
> > +counter_u64_fetch_cx8_one(void *arg1)
> > +{
> > +	struct counter_u64_fetch_cx8_arg *arg;
> > +	uint64_t val;
> > +
> > +	arg = arg1;
> > +	val = counter_u64_read_one_8b((uint64_t *)((char *)arg->p +
> > +	    UMA_PCPU_ALLOC_SIZE * PCPU_GET(cpuid)));
> > +	atomic_add_64(&arg->res, val);
> > +}
> > +
> >  static inline uint64_t
> >  counter_u64_fetch_inline(uint64_t *p)
> >  {
> > +	struct counter_u64_fetch_cx8_arg arg;
> >  	uint64_t res;
> >  	int i;
> >  
> > @@ -108,9 +126,10 @@ counter_u64_fetch_inline(uint64_t *p)
> >  		}
> >  		critical_exit();
> >  	} else {
> > -		CPU_FOREACH(i)
> > -			res += counter_u64_read_one_8b((uint64_t *)((char *)p +
> > -			    UMA_PCPU_ALLOC_SIZE * i));
> > +		arg.p = p;
> > +		arg.res = 0;
> > +		smp_rendezvous(NULL, counter_u64_fetch_cx8_one, NULL, &arg);
> > +		res = arg.res;
> >  	}
> >  	return (res);
> >  }
> 
> 
> I have integrated this i386 counter(9) patch and using original pf.c to
> some of my test servers and everything runs fine. Today I have added my
> main firewall machine and will report in two weeks the result. I suppose
> running counter_u64_fetch() in parallel to counter_u64_add() is not a
> problem anymore.
Ok, thanks, I will commit the patch shortly.  I do not see a point in waiting
for two more weeks, sure report me if anything goes wrong.


More information about the freebsd-pf mailing list