From d997d144bba865ef0ed7b48a44b6e682be357f26 Mon Sep 17 00:00:00 2001 From: mvs Date: Mon, 20 Dec 2021 15:59:09 +0000 Subject: [PATCH] Use per-CPU counters for tunnel descriptor block (TDB) statistics. 'tdb_data' struct became unused and was removed. Tested by Hrvoje Popovski. ok bluhm@ --- sys/net/pfkeyv2_convert.c | 21 ++++++++------- sys/netinet/ip_ah.c | 4 +-- sys/netinet/ip_esp.c | 4 +-- sys/netinet/ip_ipcomp.c | 4 +-- sys/netinet/ip_ipsp.c | 7 ++++- sys/netinet/ip_ipsp.h | 54 +++++++++++++++++++++++--------------- sys/netinet/ip_output.c | 4 +-- sys/netinet/ipsec_input.c | 11 ++++---- sys/netinet/ipsec_output.c | 7 +++-- sys/netinet6/ip6_output.c | 6 ++--- 10 files changed, 70 insertions(+), 52 deletions(-) diff --git a/sys/net/pfkeyv2_convert.c b/sys/net/pfkeyv2_convert.c index 2d648d5a7eb..61feeb9e4b3 100644 --- a/sys/net/pfkeyv2_convert.c +++ b/sys/net/pfkeyv2_convert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pfkeyv2_convert.c,v 1.77 2021/12/11 16:33:46 bluhm Exp $ */ +/* $OpenBSD: pfkeyv2_convert.c,v 1.78 2021/12/20 15:59:09 mvs Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@keromytis.org) * 
@@ -963,18 +963,21 @@ export_satype(void **p, struct tdb *tdb) void export_counter(void **p, struct tdb *tdb) { + uint64_t counters[tdb_ncounters]; struct sadb_x_counter *scnt = (struct sadb_x_counter *)*p; + counters_read(tdb->tdb_counters, counters, tdb_ncounters); + scnt->sadb_x_counter_len = sizeof(struct sadb_x_counter) / sizeof(uint64_t); scnt->sadb_x_counter_pad = 0; - scnt->sadb_x_counter_ipackets = tdb->tdb_ipackets; - scnt->sadb_x_counter_opackets = tdb->tdb_opackets; - scnt->sadb_x_counter_ibytes = tdb->tdb_ibytes; - scnt->sadb_x_counter_obytes = tdb->tdb_obytes; - scnt->sadb_x_counter_idrops = tdb->tdb_idrops; - scnt->sadb_x_counter_odrops = tdb->tdb_odrops; - scnt->sadb_x_counter_idecompbytes = tdb->tdb_idecompbytes; - scnt->sadb_x_counter_ouncompbytes = tdb->tdb_ouncompbytes; + scnt->sadb_x_counter_ipackets = counters[tdb_ipackets]; + scnt->sadb_x_counter_opackets = counters[tdb_opackets]; + scnt->sadb_x_counter_ibytes = counters[tdb_ibytes]; + scnt->sadb_x_counter_obytes = counters[tdb_obytes]; + scnt->sadb_x_counter_idrops = counters[tdb_idrops]; + scnt->sadb_x_counter_odrops = counters[tdb_odrops]; + scnt->sadb_x_counter_idecompbytes = counters[tdb_idecompbytes]; + scnt->sadb_x_counter_ouncompbytes = counters[tdb_ouncompbytes]; *p += sizeof(struct sadb_x_counter); } diff --git a/sys/netinet/ip_ah.c b/sys/netinet/ip_ah.c index 63ef3eb5edf..0580f385206 100644 --- a/sys/netinet/ip_ah.c +++ b/sys/netinet/ip_ah.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ah.c,v 1.169 2021/12/11 16:33:46 bluhm Exp $ */ +/* $OpenBSD: ip_ah.c,v 1.170 2021/12/20 15:59:09 mvs Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and 
@@ -608,7 +608,7 @@ ah_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff) /* Update the counters. */ ibytes = (m->m_pkthdr.len - skip - hl * sizeof(u_int32_t)); tdb->tdb_cur_bytes += ibytes; - tdb->tdb_ibytes += ibytes; + tdbstat_add(tdb, tdb_ibytes, ibytes); ahstat_add(ahs_ibytes, ibytes); /* Hard expiration. */ diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c index 1aa4d4b58e8..4d368e9af77 100644 --- a/sys/netinet/ip_esp.c +++ b/sys/netinet/ip_esp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_esp.c,v 1.189 2021/12/11 16:33:47 bluhm Exp $ */ +/* $OpenBSD: ip_esp.c,v 1.190 2021/12/20 15:59:09 mvs Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -420,7 +420,7 @@ esp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff) /* Update the counters */ tdb->tdb_cur_bytes += plen; - tdb->tdb_ibytes += plen; + tdbstat_add(tdb, tdb_ibytes, plen); espstat_add(esps_ibytes, plen); /* Hard expiration */ diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c index 65026466d48..0026fe2da12 100644 --- a/sys/netinet/ip_ipcomp.c +++ b/sys/netinet/ip_ipcomp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipcomp.c,v 1.89 2021/12/11 16:33:47 bluhm Exp $ */ +/* $OpenBSD: ip_ipcomp.c,v 1.90 2021/12/20 15:59:09 mvs Exp $ */ /* * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org) @@ -193,7 +193,7 @@ ipcomp_input(struct mbuf **mp, struct tdb *tdb, int skip, int protoff) /* update the counters */ ibytes = m->m_pkthdr.len - (skip + hlen); tdb->tdb_cur_bytes += ibytes; - tdb->tdb_ibytes += ibytes; + tdbstat_add(tdb, tdb_ibytes, ibytes); ipcompstat_add(ipcomps_ibytes, ibytes); /* Hard expiration */ diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c index f7b4a9c5742..66baca79efc 100644 --- a/sys/netinet/ip_ipsp.c +++ b/sys/netinet/ip_ipsp.c 
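Review bot: In ah_input the context line `tdb->tdb_cur_bytes += ibytes;` directly above the converted statement is still a plain read-modify-write on the shared TDB, and the same pairing appears in the esp_input and ipcomp_input hunks. That field appears to feed the "Hard expiration" check that follows, so it is the counter that enforces the SA byte lifetime. If the move to per-CPU counters is preparation for running these input paths concurrently, lost updates there would let an SA carry more traffic than its configured limit. Nothing in the hunks shows which lock covers the field, so I would record it next to the update, e.g. `/* tdb_cur_bytes is not per-CPU: caller must hold <lock protecting this TDB> */`. All three functions start and end outside their hunks.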
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.c,v 1.266 2021/12/19 23:30:08 bluhm Exp $ */ +/* $OpenBSD: ip_ipsp.c,v 1.267 2021/12/20 15:59:09 mvs Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -1050,6 +1050,9 @@ tdb_alloc(u_int rdomain) tdbp->tdb_rdomain = rdomain; tdbp->tdb_rdomain_post = rdomain; + /* Initialize counters. */ + tdbp->tdb_counters = counters_alloc(tdb_ncounters); + /* Initialize timeouts. */ timeout_set_proc(&tdbp->tdb_timer_tmo, tdb_timeout, tdbp); timeout_set_proc(&tdbp->tdb_first_tmo, tdb_firstuse, tdbp); @@ -1088,6 +1091,8 @@ tdb_free(struct tdb *tdbp) } #endif + counters_free(tdbp->tdb_counters, tdb_ncounters); + KASSERT(tdbp->tdb_onext == NULL); KASSERT(tdbp->tdb_inext == NULL); diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h index d4d3c955975..1a165b668d0 100644 --- a/sys/netinet/ip_ipsp.h +++ b/sys/netinet/ip_ipsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipsp.h,v 1.232 2021/12/19 23:30:08 bluhm Exp $ */ +/* $OpenBSD: ip_ipsp.h,v 1.233 2021/12/20 15:59:10 mvs Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr), @@ -136,17 +136,6 @@ struct ipsecstat { uint64_t ipsec_exctdb; /* TDBs with hardlimit excess */ }; -struct tdb_data { - uint64_t tdd_ipackets; /* Input IPsec packets */ - uint64_t tdd_opackets; /* Output IPsec packets */ - uint64_t tdd_ibytes; /* Input bytes */ - uint64_t tdd_obytes; /* Output bytes */ - uint64_t tdd_idrops; /* Dropped on input */ - uint64_t tdd_odrops; /* Dropped on output */ - uint64_t tdd_idecompbytes; /* Input bytes, decompressed */ - uint64_t tdd_ouncompbytes; /* Output bytes, uncompressed */ -}; - #ifdef _KERNEL #include 
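Review bot: tdb_alloc stores the result of `counters_alloc(tdb_ncounters)` without a check, while the tdbstat_* helpers and export_counter later dereference `tdb->tdb_counters` unconditionally. As far as I know counters_alloc sleeps until memory is available rather than returning NULL, but that is not visible here, and it also means tdb_alloc has to stay in a context that may sleep. I would state both assumptions at the call, e.g. `/* counters_alloc() may sleep and is assumed not to fail; tdbstat_*() relies on a valid pointer. */`. In the tdb_free hunk, `counters_free` leaves `tdbp->tdb_counters` pointing at released memory, which is harmless only if nothing can still reach the TDB at that point. Both functions continue outside their hunks.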
@@ -401,7 +390,8 @@ struct tdb { /* tunnel descriptor block */ u_int64_t tdb_last_used; /* When was this SA last used */ u_int64_t tdb_last_marked;/* Last SKIPCRYPTO status change */ - struct tdb_data tdb_data; /* stats about this TDB */ + struct cpumem *tdb_counters; /* stats about this TDB */ + u_int64_t tdb_cryptoid; /* Crypto session ID */ u_int32_t tdb_spi; /* [I] SPI */ @@ -447,15 +437,37 @@ struct tdb { /* tunnel descriptor block */ TAILQ_HEAD(tdb_policy_head, ipsec_policy) tdb_policy_head; /* [p] */ TAILQ_ENTRY(tdb) tdb_sync_entry; }; -#define tdb_ipackets tdb_data.tdd_ipackets -#define tdb_opackets tdb_data.tdd_opackets -#define tdb_ibytes tdb_data.tdd_ibytes -#define tdb_obytes tdb_data.tdd_obytes -#define tdb_idrops tdb_data.tdd_idrops -#define tdb_odrops tdb_data.tdd_odrops -#define tdb_idecompbytes tdb_data.tdd_idecompbytes -#define tdb_ouncompbytes tdb_data.tdd_ouncompbytes +enum tdb_counters { + tdb_ipackets, /* Input IPsec packets */ + tdb_opackets, /* Output IPsec packets */ + tdb_ibytes, /* Input bytes */ + tdb_obytes, /* Output bytes */ + tdb_idrops, /* Dropped on input */ + tdb_odrops, /* Dropped on output */ + tdb_idecompbytes, /* Input bytes, decompressed */ + tdb_ouncompbytes, /* Output bytes, uncompressed */ + tdb_ncounters +}; + +static inline void +tdbstat_inc(struct tdb *tdb, enum tdb_counters c) +{ + counters_inc(tdb->tdb_counters, c); +} + +static inline void +tdbstat_add(struct tdb *tdb, enum tdb_counters c, uint64_t v) +{ + counters_add(tdb->tdb_counters, c, v); +} + +static inline void +tdbstat_pkt(struct tdb *tdb, enum tdb_counters pc, enum tdb_counters bc, + uint64_t bytes) +{ + counters_pkt(tdb->tdb_counters, pc, bc, bytes); +} struct tdb_ident { u_int32_t spi; diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index a8f240a887f..de87ad3aac1 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c 
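Review bot: The new member `tdb_counters` carries no locking annotation, while neighbouring members of the same struct do (`/* [I] SPI */`, `/* [p] */`). In this patch the pointer is assigned only in tdb_alloc and released in tdb_free, so it looks immutable for the life of the TDB, with the counter values themselves kept per CPU. I would write `struct cpumem *tdb_counters; /* [I] per-CPU stats about this TDB */`, provided `[I]` means immutable after creation, as its use on tdb_spi suggests. The struct definition starts and ends outside the hunk.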
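Review bot: tdbstat_inc, tdbstat_add and tdbstat_pkt accept any `enum tdb_counters` value, including the sentinel `tdb_ncounters`, and pass it straight to counters_inc, counters_add and counters_pkt as an index. Unless those routines range-check, a caller passing the sentinel or a cast integer would touch memory past the block that tdb_alloc sized with `tdb_ncounters`. A cheap guard would be `KASSERT(c < tdb_ncounters);` in tdbstat_inc and tdbstat_add, with the equivalent for `pc` and `bc` in tdbstat_pkt; at minimum mark the enumerator with `/* must be last; not a valid index */`. The enum tag also reuses the name of the struct member `tdb_counters`, which is legal C but makes searches through the tree harder to read.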
@@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.377 2021/12/03 17:18:34 bluhm Exp $ */ +/* $OpenBSD: ip_output.c,v 1.378 2021/12/20 15:59:10 mvs Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -662,7 +662,7 @@ ip_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route *ro, int fwd) error = ipsp_process_packet(m, tdb, AF_INET, 0); if (error) { ipsecstat_inc(ipsec_odrops); - tdb->tdb_odrops++; + tdbstat_inc(tdb, tdb_odrops); } if (ip_mtudisc && error == EMSGSIZE) ip_output_ipsec_pmtu_update(tdb, ro, dst, rtableid, 0); diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c index 4a6c15215be..1a4621f1be7 100644 --- a/sys/netinet/ipsec_input.c +++ b/sys/netinet/ipsec_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_input.c,v 1.198 2021/12/20 15:23:32 bluhm Exp $ */ +/* $OpenBSD: ipsec_input.c,v 1.199 2021/12/20 15:59:10 mvs Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -340,8 +340,7 @@ ipsec_common_input(struct mbuf **mp, int skip, int protoff, int af, int sproto, } } - tdbp->tdb_ipackets++; - tdbp->tdb_ibytes += m->m_pkthdr.len; + tdbstat_pkt(tdbp, tdb_ipackets, tdb_ibytes, m->m_pkthdr.len); /* * Call appropriate transform and return -- callback takes care of @@ -350,7 +349,7 @@ ipsec_common_input(struct mbuf **mp, int skip, int protoff, int af, int sproto, prot = (*(tdbp->tdb_xform->xf_input))(mp, tdbp, skip, protoff); if (prot == IPPROTO_DONE) { ipsecstat_inc(ipsec_idrops); - tdbp->tdb_idrops++; + tdbstat_inc(tdbp, tdb_idrops); } tdb_unref(tdbp); return prot; @@ -359,7 +358,7 @@ ipsec_common_input(struct mbuf **mp, int skip, int protoff, int af, int sproto, m_freemp(mp); ipsecstat_inc(ipsec_idrops); if (tdbp != NULL) - tdbp->tdb_idrops++; + tdbstat_inc(tdbp, tdb_idrops); tdb_unref(tdbp); return IPPROTO_DONE; } 
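Review bot: In ipsec_common_input, `tdbstat_pkt(tdbp, tdb_ipackets, tdb_ibytes, m->m_pkthdr.len)` adds the full packet length to tdb_ibytes, and the transform called right after through `xf_input` adds to the same counter again, assuming it resolves to the functions patched above (`tdbstat_add(tdb, tdb_ibytes, ibytes)` in ah_input and ipcomp_input, `tdbstat_add(tdb, tdb_ibytes, plen)` in esp_input). The old code did the same, so this commit only preserves it, but the value export_counter reports as sadb_x_counter_ibytes then looks like packet bytes plus payload bytes for each accepted packet. Anyone using per-SA byte counts for accounting or anomaly detection should know that, so either drop one of the two additions or document it, e.g. `/* tdb_ibytes: packet length here, plus payload length in xf_input */`. The function continues outside the hunk.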
@@ -537,7 +536,7 @@ ipsec_common_input_cb(struct mbuf **mp, struct tdb *tdbp, int skip, int protoff) m->m_flags |= M_TUNNEL; ipsecstat_add(ipsec_idecompbytes, m->m_pkthdr.len); - tdbp->tdb_idecompbytes += m->m_pkthdr.len; + tdbstat_add(tdbp, tdb_idecompbytes, m->m_pkthdr.len); #if NBPFILTER > 0 encif = enc_getif(tdbp->tdb_rdomain_post, tdbp->tdb_tap); diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c index 7d863f1657a..33b6244ec3b 100644 --- a/sys/netinet/ipsec_output.c +++ b/sys/netinet/ipsec_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_output.c,v 1.94 2021/12/11 16:33:47 bluhm Exp $ */ +/* $OpenBSD: ipsec_output.c,v 1.95 2021/12/20 15:59:10 mvs Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu) * @@ -367,7 +367,7 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int af, int tunalready) } ipsecstat_add(ipsec_ouncompbytes, m->m_pkthdr.len); - tdb->tdb_ouncompbytes += m->m_pkthdr.len; + tdbstat_add(tdb, tdb_ouncompbytes, m->m_pkthdr.len); /* Non expansion policy for IPCOMP */ if (tdb->tdb_sproto == IPPROTO_IPCOMP) { @@ -507,8 +507,7 @@ ipsp_process_done(struct mbuf *m, struct tdb *tdb) m_tag_prepend(m, mtag); ipsecstat_pkt(ipsec_opackets, ipsec_obytes, m->m_pkthdr.len); - tdb->tdb_opackets++; - tdb->tdb_obytes += m->m_pkthdr.len; + tdbstat_pkt(tdb, tdb_opackets, tdb_obytes, m->m_pkthdr.len); /* If there's another (bundled) TDB to apply, do so. */ tdbo = tdb_ref(tdb->tdb_onext); diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index ac28becd3e9..c7f2fec20bb 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_output.c,v 1.263 2021/12/03 17:18:34 bluhm Exp $ */ +/* $OpenBSD: ip6_output.c,v 1.264 2021/12/20 15:59:10 mvs Exp $ */ /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ /* 
@@ -2875,7 +2875,7 @@ ip6_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route_in6 *ro, rtableid, transportmode); if (error) { ipsecstat_inc(ipsec_odrops); - tdb->tdb_odrops++; + tdbstat_inc(tdb, tdb_odrops); m_freem(m); return error; } @@ -2897,7 +2897,7 @@ ip6_output_ipsec_send(struct tdb *tdb, struct mbuf *m, struct route_in6 *ro, error = ipsp_process_packet(m, tdb, AF_INET6, tunalready); if (error) { ipsecstat_inc(ipsec_odrops); - tdb->tdb_odrops++; + tdbstat_inc(tdb, tdb_odrops); } if (ip_mtudisc && error == EMSGSIZE) ip6_output_ipsec_pmtu_update(tdb, ro, &dst, ifidx, rtableid, 0); -- 2.20.1