K 10
svn:author
V 5
luigi
K 8
svn:date
V 27
2009-12-21T17:55:10.450818Z
K 7
svn:log
V 1395
partial code to reduce contention on the ipfw lock
and especially remove some O(N) sections of code with
the write lock held from userland.

1. introduce a IPFW_UH_LOCK to arbitrate requests from
   the upper half of the kernel. Some things, such as 'ipfw show'
   can be done holding this lock in read mode, whereas insert and
   delete require IPFW_UH_WLOCK.

2. introduce a mapping structure to keep rules together. This replaces
   the 'next' chain currently used in ipfw rules. At the moment
   the map is a simple array (sorted by rule number and then rule_id),
   so we can find a rule quickly instead of having to scan the list.

3. when an expensive operation (such as insert or delete) is done
   by userland, we grab IPFW_UH_WLOCK, create a new copy of the map
   without blocking the bottom half of the kernel, then acquire
   IPFW_WLOCK and quickly update pointers to the map and related info.
   After dropping IPFW_LOCK we can then continue the cleanup protected
   by IPFW_UH_LOCK.

4. do not pass pointers to rules through dummynet, netgraph, divert etc,
   but rather pass a pair that lets us do a lookup quickly.

All the above does not change the ABI.

5. a similar type of protection should be applied to references
   from dynamic rules to their parent (not done yet, will require
   changes to the structure of dynamic rules which are known to
   userland too).
END