Page MenuHomeFreeBSD
Differential D54292

pf: Avoid taking the pf rules write lock in a couple of ioctls
ClosedPublic
Actions

Authored by markj on Dec 18 2025, 6:13 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Jan 16, 5:29 AM
Unknown Object (File)
Wed, Jan 14, 9:53 AM
Unknown Object (File)
Tue, Jan 13, 10:01 PM
Unknown Object (File)
Tue, Jan 13, 2:34 PM
Unknown Object (File)
Thu, Jan 8, 5:22 AM
Unknown Object (File)
Wed, Jan 7, 12:31 AM
Unknown Object (File)
Tue, Jan 6, 12:09 AM
Unknown Object (File)
Sat, Jan 3, 7:39 PM
View All 19 Files
Subscribers
farrokhi
glebius
imp
melifaro
vegeta_tuxpowered.net

Details

Reviewers
kp
allanjude
Commits
rGc25259a40e3f: pf: Avoid taking the pf rules write lock in a couple of ioctls
rGae96ff302f8a: pf: Avoid taking the pf rules write lock in a couple of ioctls
Summary

The DIOCGETRULES ioctl handlers has taken the write lock ever since
fine-grained locking was merged to pf, but I believe it's unneeded. Use
the read lock instead.

DIOCGETRULENV takes the write lock as well but I believe this is only
required when clearing rule counters. (It might not be required even
then, on platforms where counter increment is done atomically.) Acquire
the read lock if that is not the case.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Dec 18 2025, 6:13 PM
Herald added subscribers: vegeta_tuxpowered.net, glebius, melifaro and 2 others. · View Herald TranscriptDec 18 2025, 6:13 PM
markj requested review of this revision.Dec 18 2025, 6:13 PM
Harbormaster completed remote builds in B69378: Diff 168334.Dec 18 2025, 6:13 PM
allanjude accepted this revision.Dec 18 2025, 8:04 PM
This revision is now accepted and ready to land.Dec 18 2025, 8:04 PM
kp accepted this revision.Dec 19 2025, 1:18 PM

DIOCGETRULENV takes the write lock as well but I believe this is only
required when clearing rule counters. (It might not be required even
then, on platforms where counter increment is done atomically.) Acquire
the read lock if that is not the case.

I believe the intent behind the write lock is to enable a userspace pattern of repeated fetch+clear without missing counts. If we'd take the read lock to retrieve the counters we could be incrementing them while this is going on, before we clear them again. That'd mean we'd miss packets/bytes/evaluations.

markj added a comment.Dec 19 2025, 1:53 PM
In D54292#1241041, @kp wrote:

DIOCGETRULENV takes the write lock as well but I believe this is only
required when clearing rule counters. (It might not be required even
then, on platforms where counter increment is done atomically.) Acquire
the read lock if that is not the case.

I believe the intent behind the write lock is to enable a userspace pattern of repeated fetch+clear without missing counts. If we'd take the read lock to retrieve the counters we could be incrementing them while this is going on, before we clear them again. That'd mean we'd miss packets/bytes/evaluations.

Ah, that makes sense.

Closed by commit rGae96ff302f8a: pf: Avoid taking the pf rules write lock in a couple of ioctls (authored by markj). · Explain WhyDec 19 2025, 2:13 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rGae96ff302f8a: pf: Avoid taking the pf rules write lock in a couple of ioctls.
markj added a commit: rGc25259a40e3f: pf: Avoid taking the pf rules write lock in a couple of ioctls.Tue, Jan 6, 3:57 PM

Revision Contents
Changeset List

PathSize
sys/
netpfil/
pf/
91 lines
2 lines
2 lines

Diff 168410

View Options

sys/netpfil/pf/pf_ioctl.c

Loading...
View Options

sys/netpfil/pf/pf_nv.h

Loading...
View Options

sys/netpfil/pf/pf_nv.c

Loading...