Merge r261882, r261898, r261937, r262760, r262799:

  Once pf became not covered by a single mutex, many counters in it became
  race prone. Some just gather statistics, but some are later used in
  different calculations.

  A real problem was the race provoked underflow of the states_cur counter
  on a rule. Once it goes below zero, it wraps to UINT32_MAX. Later this
  value is used in pf_state_expires() and any state created by this rule
  is immediately expired.

  Thus, make fields states_cur, states_tot and src_nodes of struct
  pf_rule be counter(9)s.

1 files changed, 9 insertions, 4 deletions

diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index c59ba60..8751af8 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -35,6 +35,7 @@
 
 #include <sys/param.h>
 #include <sys/queue.h>
+#include <sys/counter.h>
 #include <sys/refcount.h>
 #include <sys/tree.h>
 
@@ -588,13 +589,9 @@ struct pf_rule {
 
 	int			 rtableid;
 	u_int32_t		 timeout[PFTM_MAX];
-	u_int32_t		 states_cur;
-	u_int32_t		 states_tot;
 	u_int32_t		 max_states;
-	u_int32_t		 src_nodes;
 	u_int32_t		 max_src_nodes;
 	u_int32_t		 max_src_states;
-	u_int32_t		 spare1;			/* netgraph */
 	u_int32_t		 max_src_conn;
 	struct {
 		u_int32_t		limit;
@@ -608,6 +605,10 @@ struct pf_rule {
 	uid_t			 cuid;
 	pid_t			 cpid;
 
+	counter_u64_t		 states_cur;
+	counter_u64_t		 states_tot;
+	counter_u64_t		 src_nodes;
+
 	u_int16_t		 return_icmp;
 	u_int16_t		 return_icmp6;
 	u_int16_t		 max_mss;
@@ -655,6 +656,10 @@ struct pf_rule {
 		struct pf_addr		addr;
 		u_int16_t		port;
 	}			divert;
+
+	uint64_t		 u_states_cur;
+	uint64_t		 u_states_tot;
+	uint64_t		 u_src_nodes;
 };
 
 /* rule flags */