The branch main has been updated by mjg:
URL:
https://cgit.FreeBSD.org/src/commit/?id=93f8c38c0371139fbe444b645ef36ae0d92d400a
commit 93f8c38c0371139fbe444b645ef36ae0d92d400a
Author: Mateusz Guzik <m...@freebsd.org>
AuthorDate: 2022-02-25 17:56:45 +0000
Commit: Mateusz Guzik <m...@freebsd.org>
CommitDate: 2022-03-28 11:44:46 +0000
pf: add pf_config_lock
For now only protects rule creation/destruction, but will allow
gradually reducing the scope of rules lock when changing the
rules.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/net/pfvar.h | 5 +++++
sys/netpfil/pf/pf.c | 5 +++++
sys/netpfil/pf/pf_ioctl.c | 3 +++
3 files changed, 13 insertions(+)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 5ae069694187..66cb6a4ba051 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -357,6 +357,11 @@ extern struct mtx_padalign pf_unlnkdrules_mtx;
#define PF_UNLNKDRULES_UNLOCK() mtx_unlock(&pf_unlnkdrules_mtx)
#define PF_UNLNKDRULES_ASSERT() mtx_assert(&pf_unlnkdrules_mtx,
MA_OWNED)
+extern struct sx pf_config_lock;
+#define PF_CONFIG_LOCK() sx_xlock(&pf_config_lock)
+#define PF_CONFIG_UNLOCK() sx_xunlock(&pf_config_lock)
+#define PF_CONFIG_ASSERT() sx_assert(&pf_config_lock, SA_XLOCKED)
+
extern struct rmlock pf_rules_lock;
#define PF_RULES_RLOCK_TRACKER struct rm_priotracker _pf_rules_tracker
#define PF_RULES_RLOCK() rm_rlock(&pf_rules_lock,
&_pf_rules_tracker)
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 0a479c8a77e8..027d48c82688 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -236,6 +236,9 @@ struct mtx_padalign pf_unlnkdrules_mtx;
MTX_SYSINIT(pf_unlnkdrules_mtx, &pf_unlnkdrules_mtx, "pf unlinked rules",
MTX_DEF);
+struct sx pf_config_lock;
+SX_SYSINIT(pf_config_lock, &pf_config_lock, "pf config");
+
struct mtx_padalign pf_table_stats_lock;
MTX_SYSINIT(pf_table_stats_lock, &pf_table_stats_lock, "pf table stats",
MTX_DEF);
@@ -2201,12 +2204,14 @@ pf_purge_unlinked_rules()
PF_UNLNKDRULES_UNLOCK();
if (!TAILQ_EMPTY(&tmpq)) {
+ PF_CONFIG_LOCK();
PF_RULES_WLOCK();
TAILQ_FOREACH_SAFE(r, &tmpq, entries, r1) {
TAILQ_REMOVE(&tmpq, r, entries);
pf_free_rule(r);
}
PF_RULES_WUNLOCK();
+ PF_CONFIG_UNLOCK();
}
}
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 45f14fc92f7b..117ee0d04c53 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2088,6 +2088,7 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
rule->cpid = td->td_proc ? td->td_proc->p_pid : 0;
TAILQ_INIT(&rule->rpool.list);
+ PF_CONFIG_LOCK();
PF_RULES_WLOCK();
#ifdef PF_WANT_32_TO_64_COUNTER
LIST_INSERT_HEAD(&V_pf_allrulelist, rule, allrulelist);
@@ -2203,12 +2204,14 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
ruleset->rules[rs_num].inactive.rcount++;
PF_RULES_WUNLOCK();
+ PF_CONFIG_UNLOCK();
return (0);
#undef ERROUT
errout:
PF_RULES_WUNLOCK();
+ PF_CONFIG_UNLOCK();
errout_unlocked:
pf_kkif_free(kif);
pf_krule_free(rule);
