K 10
svn:author
V 7
glebius
K 8
svn:date
V 27
2012-04-24T13:13:42.263682Z
K 7
svn:log
V 967
States and source nodes reference rules, so when state or source node is expired a rule may potentially be deleted. In the new locking scheme this is a problem, since we don't have writer lock on rules in packet processing, and we don't like any additional atomic operations in forwarding path.

To cope with that, pf_rm_rule() was split into two pieces - pf_unlink_rule(), that removes a rule from the ruleset, and pf_free_rule() that does actual freeing. Freeing of once used rules is performed solely by the pf expiry thread. It now performs naive mark-and-sweep algorithm, based on states and source nodes expiry run.

We still account number of states per rule and number of source nodes, since they are important to drive adaptive expiry and 'max-src-conn' rules. When we get rid of pf giant lock, these increments/decrements should be reconsidered and probably made atomic.

Also:
- Migrate from PF_LOCK() to PF_RULES_WLOCK() in all rule manipulating ioctls.
END