Page MenuHomeFreeBSD

pf: delay taking the rules lock in pf_test()
ClosedPublic

Authored by kp on Jul 15 2025, 3:34 PM.
Tags
None
Referenced Files
Unknown Object (File)
Tue, Oct 14, 11:40 AM
Unknown Object (File)
Tue, Oct 14, 11:40 AM
Unknown Object (File)
Tue, Oct 14, 11:40 AM
Unknown Object (File)
Mon, Oct 13, 9:33 PM
Unknown Object (File)
Fri, Sep 26, 12:59 AM
Unknown Object (File)
Thu, Sep 18, 6:57 AM
Unknown Object (File)
Sep 17 2025, 7:26 AM
Unknown Object (File)
Sep 14 2025, 11:04 AM

Details

Summary

We don't need the rules lock to protect the mbuf, or even the kif. If an
interface is removed (which is the only way for a kif to go away) we're not
going to receive traffic on it.

We can't delay taking the lock more, because pf_setup_pdesc() calls the
normalisation code, which iterates the scrub rules. If we ever get rid of those
(as OpenBSD has) it should be possible to delay taking the rules lock until we
actually need to iterate of the rules. That is, we might be able to avoid taking
it at all if we match an existing state.

Sponsored by: Rubicon Communications, LLC ("Netgate")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable