author | Christopher Pascoe <pascoe@cvs.openbsd.org> | 2005-09-28 01:46:34 +0000 |
---|---|---|
committer | Christopher Pascoe <pascoe@cvs.openbsd.org> | 2005-09-28 01:46:34 +0000 |
commit | 9e85691e2f25640cac5ed32edb748113d5661501 (patch) | |
tree | 02af9059355ca7106f8f309f38b0a3e967e00239 /sys/net/if_dl.h | |
parent | ecd5ab2aa9b09707fe715c0e486dbdb021636ffe (diff) |

Improve the safety of pf IOCTLs, taking into account that some paths can sleep.

- Introduces a rw_lock in pfioctl so that we can have concurrent readers
  but only one process performing updates at a time;
- Separates state expiry into "unlink" and "free" parts; anyone can unlink
  a state/src node from the RB trees at any time, but a state can only be
  freed whilst the write lock is held;
- Converts state_updates into list state_list containing all states,
  regardless of whether they are "linked" or "unlinked";
- Introduces a new PFTM_UNLINKED state that is used on the "unlinked" states
  to signal that they can be freed;
- Converts pf_purge_expired_state to an "unlink" state routine, which only
  unlinks the state from the RB trees. Freeing the state/src nodes is left
  to the purge thread, which runs whilst holding a write lock, such that all
  "next" references remain valid;
- Converts pfsync_bulk_update and DIOCGETSTATES to walk state_list rather
  than the RB trees;
- Converts the purge thread to use the new state_list and perform a partial
  purge every second, with the target rate a full state table walk every
  PFTM_INTERVAL seconds.

seen by mcbride, henning, dhartmei pre-3.8, but too intrusive for then

Diffstat (limited to 'sys/net/if_dl.h')
0 files changed, 0 insertions, 0 deletions
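
The unlink/free split described in the commit message, as an added userland sketch that is not OpenBSD code: only the names `state_list` and `PFTM_UNLINKED` come from the message, while the struct layout, the `in_tree` and `write_locked` flags (standing in for RB-tree membership and the rw_lock) and the function names are assumptions made for illustration.

```c
#include <stdlib.h>

#define PFTM_UNLINKED (-1)  /* constructed value; only the name is from the commit */

struct state {
    int timeout;            /* PFTM_UNLINKED marks "may be freed" */
    int in_tree;            /* stands in for RB-tree membership (lookups) */
    struct state *next;     /* state_list linkage: linked and unlinked states */
};

static struct state *state_list;
static int write_locked;    /* stands in for the write side of the rw_lock */

static struct state *state_insert(void) {
    struct state *s = calloc(1, sizeof(*s));
    if (s == NULL) abort();
    s->in_tree = 1;
    s->next = state_list;
    state_list = s;
    return s;
}

/* Phase 1, allowed at any time: hide the state from lookups, free nothing. */
static void state_unlink(struct state *s) {
    s->in_tree = 0;
    s->timeout = PFTM_UNLINKED;
}

/* Phase 2, write lock only: free unlinked states. Returns count, -1 if refused. */
static int state_purge(void) {
    int freed = 0;
    if (!write_locked) return -1;
    for (struct state **pp = &state_list; *pp != NULL; ) {
        struct state *s = *pp;
        if (s->timeout == PFTM_UNLINKED) { *pp = s->next; free(s); freed++; }
        else pp = &s->next;
    }
    return freed;
}

int main(void) {
    struct state *a = state_insert(), *b = state_insert();  /* list: b -> a */
    state_unlink(a);            /* a reader parked on b still has b->next == a */
    write_locked = 1;           /* purge thread takes the write lock */
    int freed = state_purge();  /* a is released only here */
    write_locked = 0;
    return (freed == 1 && state_list == b && b->next == NULL) ? 0 : 1;
}
```

Because an unlinked state stays on `state_list` until the purge pass runs under the write lock, a list walker that slept while holding a `next` pointer never resumes on freed memory.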