The branch main has been updated by mjg:
URL:
https://cgit.FreeBSD.org/src/commit/?id=1a3e98a5b87670760af9a480884b46615dc138c2
commit 1a3e98a5b87670760af9a480884b46615dc138c2
Author: Mateusz Guzik <m...@freebsd.org>
AuthorDate: 2022-02-25 17:50:56 +0000
Commit: Mateusz Guzik <m...@freebsd.org>
CommitDate: 2022-03-28 11:44:52 +0000
pf: pre-compute rule hash
Makes it cheaper to compare rules when "keep_counters" is set.
This also sets up keeping them in a RB tree.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sys/net/pfvar.h | 1 +
sys/netpfil/pf/pf_ioctl.c | 29 ++++++++++++++++-------------
2 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 66cb6a4ba051..b83a6d90f8d6 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -769,6 +769,7 @@ struct pf_krule {
struct pf_addr addr;
u_int16_t port;
} divert;
+ u_int8_t md5sum[PF_MD5_DIGEST_LENGTH];
#ifdef PF_WANT_32_TO_64_COUNTER
LIST_ENTRY(pf_krule) allrulelist;
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 117ee0d04c53..724ca9b700db 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -123,7 +123,8 @@ static void pf_qid_unref(uint16_t);
static int pf_begin_rules(u_int32_t *, int, const char *);
static int pf_rollback_rules(u_int32_t, int, char *);
static int pf_setup_pfsync_matching(struct pf_kruleset *);
-static void pf_hash_rule(MD5_CTX *, struct pf_krule *);
+static void pf_hash_rule_rolling(MD5_CTX *, struct pf_krule *);
+static void pf_hash_rule(struct pf_krule *);
static void pf_hash_rule_addr(MD5_CTX *, struct pf_rule_addr *);
static int pf_commit_rules(u_int32_t, int, char *);
static int pf_addr_setup(struct pf_kruleset *,
@@ -1223,7 +1224,7 @@ pf_hash_rule_addr(MD5_CTX *ctx, struct pf_rule_addr *pfr)
}
static void
-pf_hash_rule(MD5_CTX *ctx, struct pf_krule *rule)
+pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule)
{
u_int16_t x;
u_int32_t y;
@@ -1264,20 +1265,21 @@ pf_hash_rule(MD5_CTX *ctx, struct pf_krule *rule)
PF_MD5_UPD_STR(rule, anchor->path);
}
+static void
+pf_hash_rule(struct pf_krule *rule)
+{
+ MD5_CTX ctx;
+
+ MD5Init(&ctx);
+ pf_hash_rule_rolling(&ctx, rule);
+ MD5Final(rule->md5sum, &ctx);
+}
+
static bool
pf_krule_compare(struct pf_krule *a, struct pf_krule *b)
{
- MD5_CTX ctx[2];
- u_int8_t digest[2][PF_MD5_DIGEST_LENGTH];
-
- MD5Init(&ctx[0]);
- MD5Init(&ctx[1]);
- pf_hash_rule(&ctx[0], a);
- pf_hash_rule(&ctx[1], b);
- MD5Final(digest[0], &ctx[0]);
- MD5Final(digest[1], &ctx[1]);
- return (memcmp(digest[0], digest[1], PF_MD5_DIGEST_LENGTH) == 0);
+ return (memcmp(a->md5sum, b->md5sum, PF_MD5_DIGEST_LENGTH) == 0);
}
static int
@@ -1394,7 +1396,7 @@ pf_setup_pfsync_matching(struct pf_kruleset *rs)
TAILQ_FOREACH(rule, rs->rules[rs_cnt].inactive.ptr,
entries) {
- pf_hash_rule(&ctx, rule);
+ pf_hash_rule_rolling(&ctx, rule);
(rs->rules[rs_cnt].inactive.ptr_array)[rule->nr] = rule;
}
}
@@ -2204,6 +2206,7 @@ pf_ioctl_addrule(struct pf_krule *rule, uint32_t ticket,
ruleset->rules[rs_num].inactive.rcount++;
PF_RULES_WUNLOCK();
+ pf_hash_rule(rule);
PF_CONFIG_UNLOCK();
return (0);
