Re: DIOCGETRULE is slow for large rulesets (1/3)

David Gwynne Tue, 25 Apr 2023 18:18:19 -0700

> On 26 Apr 2023, at 08:25, Alexandr Nedvedicky <sas...@fastmail.net> wrote:
> 
> Hello,
> 
> below is diff which renames ruleset member `ticket` to `version`.
> the reason for this is to keep things clean. The word `ticket`
> will be used to identify transaction, while newly introduced `version`
> identifies change of particular pf object (ruleset).
> 
> diff below is simple find/replace. It changes `ticket` to `version`
> at pf_ruleset used by kernel I don't want to drag this change to
> pfctl.
> 
> OK?

ok.

> 
> thanks and
> regards
> sashan
> 
> --------8<---------------8<---------------8<------------------8<--------
> diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
> index 1141069dcf6..7ea22050506 100644
> --- a/sys/net/pf_ioctl.c
> +++ b/sys/net/pf_ioctl.c
> @@ -522,7 +522,7 @@ pf_qid_unref(u_int16_t qid)
> }
> 
> int
> -pf_begin_rules(u_int32_t *ticket, const char *anchor)
> +pf_begin_rules(u_int32_t *version, const char *anchor)
> {
> struct pf_ruleset *rs;
> struct pf_rule *rule;
> @@ -533,20 +533,20 @@ pf_begin_rules(u_int32_t *ticket, const char *anchor)
> pf_rm_rule(rs->rules.inactive.ptr, rule);
> rs->rules.inactive.rcount--;
> }
> - *ticket = ++rs->rules.inactive.ticket;
> + *version = ++rs->rules.inactive.version;
> rs->rules.inactive.open = 1;
> return (0);
> }
> 
> void
> -pf_rollback_rules(u_int32_t ticket, char *anchor)
> +pf_rollback_rules(u_int32_t version, char *anchor)
> {
> struct pf_ruleset *rs;
> struct pf_rule *rule;
> 
> rs = pf_find_ruleset(anchor);
> if (rs == NULL || !rs->rules.inactive.open ||
> -    rs->rules.inactive.ticket != ticket)
> +    rs->rules.inactive.version != version)
> return;
> while ((rule = TAILQ_FIRST(rs->rules.inactive.ptr)) != NULL) {
> pf_rm_rule(rs->rules.inactive.ptr, rule);
> @@ -825,7 +825,7 @@ pf_hash_rule(MD5_CTX *ctx, struct pf_rule *rule)
> }
> 
> int
> -pf_commit_rules(u_int32_t ticket, char *anchor)
> +pf_commit_rules(u_int32_t version, char *anchor)
> {
> struct pf_ruleset *rs;
> struct pf_rule *rule;
> @@ -834,7 +834,7 @@ pf_commit_rules(u_int32_t ticket, char *anchor)
> 
> rs = pf_find_ruleset(anchor);
> if (rs == NULL || !rs->rules.inactive.open ||
> -    ticket != rs->rules.inactive.ticket)
> +    version != rs->rules.inactive.version)
> return (EBUSY);
> 
> if (rs == &pf_main_ruleset)
> @@ -849,7 +849,7 @@ pf_commit_rules(u_int32_t ticket, char *anchor)
> rs->rules.inactive.ptr = old_rules;
> rs->rules.inactive.rcount = old_rcount;
> 
> - rs->rules.active.ticket = rs->rules.inactive.ticket;
> + rs->rules.active.version = rs->rules.inactive.version;
> pf_calc_skip_steps(rs->rules.active.ptr);
> 
> 
> @@ -1191,7 +1191,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
> 
> NET_LOCK();
> PF_LOCK();
> - pq->ticket = pf_main_ruleset.rules.active.ticket;
> + pq->ticket = pf_main_ruleset.rules.active.version;
> 
> /* save state to not run over them all each time? */
> qs = TAILQ_FIRST(pf_queues_active);
> @@ -1212,7 +1212,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
> 
> NET_LOCK();
> PF_LOCK();
> - if (pq->ticket != pf_main_ruleset.rules.active.ticket) {
> + if (pq->ticket != pf_main_ruleset.rules.active.version) {
> error = EBUSY;
> PF_UNLOCK();
> NET_UNLOCK();
> @@ -1243,7 +1243,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
> 
> NET_LOCK();
> PF_LOCK();
> - if (pq->ticket != pf_main_ruleset.rules.active.ticket) {
> + if (pq->ticket != pf_main_ruleset.rules.active.version) {
> error = EBUSY;
> PF_UNLOCK();
> NET_UNLOCK();
> @@ -1290,7 +1290,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
> 
> NET_LOCK();
> PF_LOCK();
> - if (q->ticket != pf_main_ruleset.rules.inactive.ticket) {
> + if (q->ticket != pf_main_ruleset.rules.inactive.version) {
> error = EBUSY;
> PF_UNLOCK();
> NET_UNLOCK();
> @@ -1386,7 +1386,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
> pf_rule_free(rule);
> goto fail;
> }
> - if (pr->ticket != ruleset->rules.inactive.ticket) {
> + if (pr->ticket != ruleset->rules.inactive.version) {
> error = EBUSY;
> PF_UNLOCK();
> NET_UNLOCK();
> @@ -1464,7 +1464,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
> pr->nr = tail->nr + 1;
> else
> pr->nr = 0;
> - pr->ticket = ruleset->rules.active.ticket;
> + pr->ticket = ruleset->rules.active.version;
> PF_UNLOCK();
> NET_UNLOCK();
> break;
> @@ -1486,7 +1486,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
> NET_UNLOCK();
> goto fail;
> }
> - if (pr->ticket != ruleset->rules.active.ticket) {
> + if (pr->ticket != ruleset->rules.active.version) {
> error = EBUSY;
> PF_UNLOCK();
> NET_UNLOCK();
> @@ -1560,7 +1560,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
> if (ruleset == NULL)
> error = EINVAL;
> else
> - pcr->ticket = ++ruleset->rules.active.ticket;
> + pcr->ticket = ++ruleset->rules.active.version;
> 
> PF_UNLOCK();
> NET_UNLOCK();
> @@ -1610,7 +1610,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
> goto fail;
> }
> 
> - if (pcr->ticket != ruleset->rules.active.ticket) {
> + if (pcr->ticket != ruleset->rules.active.version) {
> error = EINVAL;
> PF_UNLOCK();
> NET_UNLOCK();
> @@ -1707,7 +1707,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
> TAILQ_FOREACH(oldrule, ruleset->rules.active.ptr, entries)
> oldrule->nr = nr++;
> 
> - ruleset->rules.active.ticket++;
> + ruleset->rules.active.version++;
> 
> pf_calc_skip_steps(ruleset->rules.active.ptr);
> pf_remove_if_empty_ruleset(ruleset);
> @@ -2646,7 +2646,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, 
> struct proc *p)
> rs = pf_find_ruleset(ioe->anchor);
> if (rs == NULL ||
>    !rs->rules.inactive.open ||
> -    rs->rules.inactive.ticket !=
> +    rs->rules.inactive.version !=
>    ioe->ticket) {
> PF_UNLOCK();
> NET_UNLOCK();
> diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
> index 3a7ff6b295c..cf1e34c36b4 100644
> --- a/sys/net/pfvar.h
> +++ b/sys/net/pfvar.h
> @@ -822,7 +822,7 @@ struct pf_ruleset {
> struct {
> struct pf_rulequeue *ptr;
> u_int32_t rcount;
> - u_int32_t ticket;
> + u_int32_t version;
> int open;
> } active, inactive;
> } rules;
>
Re: DIOCGETRULE is slow for large rulesets (1/3)

Reply via email to
