author | glebius <glebius@FreeBSD.org> | 2014-03-11 15:43:06 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2014-03-11 15:43:06 +0000 |
commit | 71d3a4f585b759a3740834be41625b7dc0e5fb24 (patch) | |
tree | 21738f0e36adc0d336cb80148b7c296cd41323bf /sys/net/pfvar.h | |
parent | cbdb898ddfc732494e2b5679eac39b0b74443173 (diff) | |
Merge r261882, r261898, r261937, r262760, r262799:
Once pf became not covered by a single mutex, many counters in it became
race prone. Some just gather statistics, but some are later used in
different calculations.
A real problem was the race provoked underflow of the states_cur counter
on a rule. Once it goes below zero, it wraps to UINT32_MAX. Later this
value is used in pf_state_expires() and any state created by this rule
is immediately expired.
Thus, make fields states_cur, states_tot and src_nodes of struct
pf_rule be counter(9)s.
Diffstat (limited to 'sys/net/pfvar.h')
-rw-r--r-- | sys/net/pfvar.h | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index c59ba60..8751af8 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -35,6 +35,7 @@ #include <sys/param.h> #include <sys/queue.h> +#include <sys/counter.h> #include <sys/refcount.h> #include <sys/tree.h> @@ -588,13 +589,9 @@ struct pf_rule { int rtableid; u_int32_t timeout[PFTM_MAX]; - u_int32_t states_cur; - u_int32_t states_tot; u_int32_t max_states; - u_int32_t src_nodes; u_int32_t max_src_nodes; u_int32_t max_src_states; - u_int32_t spare1; /* netgraph */ u_int32_t max_src_conn; struct { u_int32_t limit; @@ -608,6 +605,10 @@ struct pf_rule { uid_t cuid; pid_t cpid; + counter_u64_t states_cur; + counter_u64_t states_tot; + counter_u64_t src_nodes; + u_int16_t return_icmp; u_int16_t return_icmp6; u_int16_t max_mss; @@ -655,6 +656,10 @@ struct pf_rule { struct pf_addr addr; u_int16_t port; } divert; + + uint64_t u_states_cur; + uint64_t u_states_tot; + uint64_t u_src_nodes; }; /* rule flags */ |
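Review bot: The three `counter_u64_t` members added after `cpid` in the third hunk are handles to kernel counter(9) storage, yet nothing at the declaration marks them as kernel-only inside `struct pf_rule`. If this structure is also what the rule ioctls copy to and from userland (not visible here, since the diff is limited to pfvar.h), the export path has to clear these members so kernel addresses are not disclosed. The import path likewise has to replace whatever the caller supplied with freshly allocated counters before anything increments them. I would add a comment at the declaration such as `/* kernel only: counter(9) handles; never exported to or accepted from userland */`. The struct begins and ends outside this hunk.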
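Review bot: The `u_states_cur`, `u_states_tot` and `u_src_nodes` members added after `divert` in the last hunk carry no comment saying what fills them or who reads them. From the names they look like plain-integer copies of the three counters for consumers that cannot dereference a `counter_u64_t`, so a line such as `/* snapshot of the counter(9) values, filled in when the rule is exported */` would make that explicit (confirm against the ioctl code, which is not shown). Together with the removal of four `u_int32_t` members in the second hunk, including `spare1`, this changes the size and layout of the structure and widens the values from 32 to 64 bits. Anything built against the old header has to be rebuilt in step, which is worth stating in the commit message of a merged change. The new members also spell the type `uint64_t` where the rest of the struct uses `u_int32_t`/`u_int16_t`.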