Index: sys/net/pfvar.h =================================================================== --- sys/net/pfvar.h +++ sys/net/pfvar.h @@ -738,8 +738,8 @@ struct pfi_kif *rt_kif; struct pf_src_node *src_node; struct pf_src_node *nat_src_node; - u_int64_t packets[2]; - u_int64_t bytes[2]; + counter_u64_t packets[2]; + counter_u64_t bytes[2]; u_int32_t creation; u_int32_t expire; u_int32_t pfsync_time; Index: sys/netpfil/pf/if_pfsync.c =================================================================== --- sys/netpfil/pf/if_pfsync.c +++ sys/netpfil/pf/if_pfsync.c @@ -507,6 +507,13 @@ if ((st = uma_zalloc(V_pf_state_z, M_NOWAIT | M_ZERO)) == NULL) goto cleanup; + for (int i = 0; i < 2; i++) { + st->packets[i] = counter_u64_alloc(M_NOWAIT); + st->bytes[i] = counter_u64_alloc(M_NOWAIT); + if (st->packets[i] == NULL || st->bytes[i] == NULL) + goto cleanup; + } + if ((skw = uma_zalloc(V_pf_state_key_z, M_NOWAIT)) == NULL) goto cleanup; @@ -616,6 +623,12 @@ cleanup_state: /* pf_state_insert() frees the state keys. */ if (st) { + for (int i = 0; i < 2; i++) { + if (st->packets[i] != NULL) + counter_u64_free(st->packets[i]); + if (st->bytes[i] != NULL) + counter_u64_free(st->bytes[i]); + } if (st->dst.scrub) uma_zfree(V_pf_state_scrub_z, st->dst.scrub); if (st->src.scrub) Index: sys/netpfil/pf/pf.c =================================================================== --- sys/netpfil/pf/pf.c +++ sys/netpfil/pf/pf.c @@ -1712,6 +1712,13 @@ KASSERT(cur->timeout == PFTM_UNLINKED, ("%s: timeout %u", __func__, cur->timeout)); + for (int i = 0; i < 2; i++) { + if (cur->bytes[i] != NULL) + counter_u64_free(cur->bytes[i]); + if (cur->packets[i] != NULL) + counter_u64_free(cur->packets[i]); + } + pf_normalize_tcp_cleanup(cur); uma_zfree(V_pf_state_z, cur); counter_u64_add(V_pf_status.fcounters[FCNT_STATE_REMOVALS], 1); @@ -3651,6 +3658,16 @@ REASON_SET(&reason, PFRES_MEMORY); goto csfailed; } + for (int i = 0; i < 2; i++) { + s->bytes[i] = counter_u64_alloc(M_NOWAIT); + s->packets[i] = counter_u64_alloc(M_NOWAIT); + + if (s->bytes[i] == NULL || s->packets[i] == NULL) { + pf_free_state(s); + REASON_SET(&reason, PFRES_MEMORY); + goto csfailed; + } + } s->rule.ptr = r; s->nat_rule.ptr = nr; s->anchor.ptr = a; @@ -4210,8 +4227,9 @@ pf_print_flags(th->th_flags); printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack, - pd->p_len, ackskew, (unsigned long long)(*state)->packets[0], - (unsigned long long)(*state)->packets[1], + pd->p_len, ackskew, + (unsigned long long)counter_u64_fetch((*state)->packets[0]), + (unsigned long long)counter_u64_fetch((*state)->packets[1]), pd->dir == PF_IN ? "in" : "out", pd->dir == (*state)->direction ? "fwd" : "rev"); } @@ -4266,8 +4284,8 @@ printf(" seq=%u (%u) ack=%u len=%u ackskew=%d " "pkts=%llu:%llu dir=%s,%s\n", seq, orig_seq, ack, pd->p_len, ackskew, - (unsigned long long)(*state)->packets[0], - (unsigned long long)(*state)->packets[1], + (unsigned long long)counter_u64_fetch((*state)->packets[0]), + (unsigned long long)counter_u64_fetch((*state)->packets[1]), pd->dir == PF_IN ? "in" : "out", pd->dir == (*state)->direction ? "fwd" : "rev"); printf("pf: State failure on: %c %c %c %c | %c %c\n", @@ -6126,8 +6144,8 @@ s->nat_src_node->bytes[dirndx] += pd.tot_len; } dirndx = (dir == s->direction) ? 0 : 1; - s->packets[dirndx]++; - s->bytes[dirndx] += pd.tot_len; + counter_u64_add(s->packets[dirndx], 1); + counter_u64_add(s->bytes[dirndx], pd.tot_len); } tr = r; nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; @@ -6522,8 +6540,8 @@ s->nat_src_node->bytes[dirndx] += pd.tot_len; } dirndx = (dir == s->direction) ? 0 : 1; - s->packets[dirndx]++; - s->bytes[dirndx] += pd.tot_len; + counter_u64_add(s->packets[dirndx], 1); + counter_u64_add(s->bytes[dirndx], pd.tot_len); } tr = r; nr = (s != NULL) ? s->nat_rule.ptr : pd.nat_rule; Index: sys/netpfil/pf/pf_ioctl.c =================================================================== --- sys/netpfil/pf/pf_ioctl.c +++ sys/netpfil/pf/pf_ioctl.c @@ -3974,10 +3974,12 @@ else sp->nat_rule = htonl(st->nat_rule.ptr->nr); - pf_state_counter_hton(st->packets[0], sp->packets[0]); - pf_state_counter_hton(st->packets[1], sp->packets[1]); - pf_state_counter_hton(st->bytes[0], sp->bytes[0]); - pf_state_counter_hton(st->bytes[1], sp->bytes[1]); + pf_state_counter_hton(counter_u64_fetch(st->packets[0]), + sp->packets[0]); + pf_state_counter_hton(counter_u64_fetch(st->packets[1]), + sp->packets[1]); + pf_state_counter_hton(counter_u64_fetch(st->bytes[0]), sp->bytes[0]); + pf_state_counter_hton(counter_u64_fetch(st->bytes[1]), sp->bytes[1]); }