add a mutex to struct pf_state and init it.

nothing is protected by it yet but it will allow us to provide
consistent updates to individual states without relying on a global
lock. getting that right between the packet processing in pf itself,
pfsync, the pf purge code, the ioctl paths, etc is not worth the
required contortions.

while pf_state does grow, it doesn't use more cachelines on machines
where we will want to run in parallel with a lot of states.

stolen from and ok sashan@

diff --git a/sys/net/pf.c b/sys/net/pf.c
index d936112..37351ef 100644 (file)
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pf.c,v 1.1150 2022/11/11 11:47:12 dlg Exp $ */
+/*     $OpenBSD: pf.c,v 1.1151 2022/11/11 15:02:31 dlg Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1464,6 +1464,7 @@ pf_state_import(const struct pfsync_state *sp, int flags)
        st->sync_state = PFSYNC_S_NONE;
 
        refcnt_init(&st->refcnt);
+       mtx_init(&st->mtx, IPL_NET);
 
        /* XXX when we have anchors, use STATE_INC_COUNTERS */
        r->states_cur++;
@@ -4357,6 +4358,7 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a,
         * pf_state_inserts() grabs reference for pfsync!
         */
        refcnt_init(&s->refcnt);
+       mtx_init(&s->mtx, IPL_NET);
 
        switch (pd->proto) {
        case IPPROTO_TCP:

diff --git a/sys/net/pfvar_priv.h b/sys/net/pfvar_priv.h
index 8516a41..746b6fe 100644 (file)
--- a/sys/net/pfvar_priv.h
+++ b/sys/net/pfvar_priv.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pfvar_priv.h,v 1.18 2022/11/11 12:50:45 dlg Exp $     */
+/*     $OpenBSD: pfvar_priv.h,v 1.19 2022/11/11 15:02:31 dlg Exp $     */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -43,6 +43,7 @@
 /*
  * Protection/ownership of pf_state members:
  *     I       immutable after creation
+ *     M       pf_state mtx
  *     P       PF_STATE_LOCK
  *     S       pfsync mutex
  *     L       pf_state_list
@@ -70,6 +71,8 @@ struct pf_state {
        struct pf_sn_head        src_nodes;     /* [I] */
        struct pf_state_key     *key[2];        /* [ddresses stack and wire  */
        struct pfi_kif          *kif;           /* [I] */
+       struct mutex             mtx;
+       pf_refcnt_t              refcnt;
        u_int64_t                packets[2];
        u_int64_t                bytes[2];
        int32_t                  creation;      /* [I] */
@@ -90,7 +93,6 @@ struct pf_state {
        u_int16_t                max_mss;       /* [I] */
        u_int16_t                if_index_in;   /* [I] */
        u_int16_t                if_index_out;  /* [I] */
-       pf_refcnt_t              refcnt;
        u_int16_t                delay;         /* [I] */
        u_int8_t                 rt;            /* [I] */
        u_int8_t                 snapped;       /* [S] */