Run sysctl net.inet.ip.forwarding without net lock.

The places in packet processing where ip_forwarding is evaluated
have been consolidated.  The remaining pieces in pf test, ip input,
and icmp input do not need consistent information.  If the integer
value is changed by another CPU, it is harmless.
The sysctl syscall sets the value atomically, so add atomic read
in network processing and remove the net lock in sysctl IPCTL_FORWARDING.

OK claudio@ mvs@

3 files changed, 18 insertions, 8 deletions

diff --git a/sys/net/pf.c b/sys/net/pf.c
index f22c31900be..fb278db3b14 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.1201 2024/07/04 12:50:08 bluhm Exp $ */
+/*	$OpenBSD: pf.c,v 1.1202 2024/07/12 09:25:27 bluhm Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -7966,7 +7966,7 @@ done:
 			if (pd.dir == PF_IN) {
 				int flags = IP_REDIRECT;
 
-				switch (ip_forwarding) {
+				switch (atomic_load_int(&ip_forwarding)) {
 				case 2:
 					SET(flags, IP_FORWARDING_IPSEC);
 					/* FALLTHROUGH */
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index a283bc2f8ce..baaa9a210fd 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_icmp.c,v 1.194 2024/06/20 19:25:04 bluhm Exp $	*/
+/*	$OpenBSD: ip_icmp.c,v 1.195 2024/07/12 09:25:27 bluhm Exp $	*/
 /*	$NetBSD: ip_icmp.c,v 1.19 1996/02/13 23:42:22 christos Exp $	*/
 
 /*
@@ -589,7 +589,8 @@ reflect:
 		struct sockaddr_in ssrc;
 		struct rtentry *newrt = NULL;
 
-		if (icmp_rediraccept == 0 || ip_forwarding != 0)
+		if (icmp_rediraccept == 0 ||
+		    atomic_load_int(&ip_forwarding) != 0)
 			goto freeit;
 		if (code > 3)
 			goto badcode;
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 21221c149d7..8797a26b025 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_input.c,v 1.397 2024/07/02 18:33:47 bluhm Exp $	*/
+/*	$OpenBSD: ip_input.c,v 1.398 2024/07/12 09:25:27 bluhm Exp $	*/
 /*	$NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $	*/
 
 /*
@@ -83,8 +83,15 @@
 #include <netinet/ip_carp.h>
 #endif
 
+/*
+ * Locks used to protect global variables in this file:
+ *	I	immutable after creation
+ *	a	atomic operations
+ *	N	net lock
+ */
+
 /* values controllable via sysctl */
-int	ip_forwarding = 0;
+int	ip_forwarding = 0;			/* [a] */
 int	ipmforwarding = 0;
 int	ipmultipath = 0;
 int	ip_sendredirects = 1;
@@ -108,7 +115,6 @@ const struct sysctl_bounded_args ipctl_vars[] = {
 #ifdef MROUTING
 	{ IPCTL_MRTPROTO, &ip_mrtproto, SYSCTL_INT_READONLY },
 #endif
-	{ IPCTL_FORWARDING, &ip_forwarding, 0, 2 },
 	{ IPCTL_SENDREDIRECTS, &ip_sendredirects, 0, 1 },
 	{ IPCTL_DEFTTL, &ip_defttl, 0, 255 },
 	{ IPCTL_DIRECTEDBCAST, &ip_directedbcast, 0, 1 },
@@ -465,7 +471,7 @@ ip_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 		SET(flags, IP_REDIRECT);
 #endif
 
-	switch (ip_forwarding) {
+	switch (atomic_load_int(&ip_forwarding)) {
 	case 2:
 		SET(flags, IP_FORWARDING_IPSEC);
 		/* FALLTHROUGH */
@@ -1792,6 +1798,9 @@ ip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
 			atomic_inc_long(&rtgeneration);
 		NET_UNLOCK();
 		return (error);
+	case IPCTL_FORWARDING:
+		return (sysctl_int_bounded(oldp, oldlenp, newp, newlen,
+		    &ip_forwarding, 0, 2));
 	default:
 		NET_LOCK();
 		error = sysctl_bounded_arr(ipctl_vars, nitems(ipctl_vars),