author | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2015-06-22 15:58:24 +0000 |
---|---|---|
committer | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2015-06-22 15:58:24 +0000 |
commit | 73d7dfa55922e93aeb1478f318d6881fec1ee04a (patch) | |
tree | 8fc24745022f4ce869dfd1f5c0dd29d9494e1328 /sys/net/pf.c | |
parent | 78a5b46b5827d182b542d59b306f0f9106b88f84 (diff) |
Increment rule counters only after successful state insertion
Do rule counter increments after state has been successfully
installed. This has an additional benefit of making error
handling a bit simpler.
OK mpi, bluhm
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r-- | sys/net/pf.c | 21 |
1 files changed, 4 insertions, 17 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c index 1069f647888..a2f7441273a 100644 --- a/sys/net/pf.c +++ b/sys/net/pf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf.c,v 1.919 2015/06/16 11:09:39 mpi Exp $ */ +/* $OpenBSD: pf.c,v 1.920 2015/06/22 15:58:23 mikeb Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -275,16 +275,6 @@ struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = { mrm->r->states_cur++; \ } while (0) -#define STATE_DEC_COUNTERS(s) \ - do { \ - struct pf_rule_item *mrm; \ - if (s->anchor.ptr != NULL) \ - s->anchor.ptr->states_cur--; \ - s->rule.ptr->states_cur--; \ - SLIST_FOREACH(mrm, &s->match_rules, entry) \ - mrm->r->states_cur--; \ - } while (0) - static __inline int pf_src_compare(struct pf_src_node *, struct pf_src_node *); static __inline int pf_state_compare_key(struct pf_state_key *, struct pf_state_key *); @@ -3467,7 +3457,6 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a, s->anchor.ptr = a; s->natrule.ptr = nr; memcpy(&s->match_rules, rules, sizeof(s->match_rules)); - STATE_INC_COUNTERS(s); if (r->allow_opts) s->state_flags |= PFSTATE_ALLOWOPTS; if (r->rule_flag & PFRULE_STATESLOPPY) @@ -3594,6 +3583,8 @@ pf_create_state(struct pf_pdesc *pd, struct pf_rule *r, struct pf_rule *a, } else *sm = s; + STATE_INC_COUNTERS(s); + if (tag > 0) { pf_tag_ref(tag); s->tag = tag; @@ -3624,17 +3615,13 @@ csfailed: if (s) { pf_normalize_tcp_cleanup(s); /* safe even w/o init */ pf_src_tree_remove_state(s); + pool_put(&pf_state_pl, s); } for (i = 0; i < PF_SN_MAX; i++) if (sns[i] != NULL) pf_remove_src_node(sns[i]); - if (s) { - STATE_DEC_COUNTERS(s); - pool_put(&pf_state_pl, s); - } - return (PF_DROP); } |
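Review bot: The `STATE_INC_COUNTERS(s);` added after `*sm = s;` in the `@@ -3594,6 +3583,8 @@` hunk must stay below every failure exit, and nothing in the code records that requirement. With `STATE_DEC_COUNTERS` deleted and the `csfailed:` hunk reduced to `pool_put(&pf_state_pl, s);`, a `goto csfailed` added later below the increment would leave the rule, anchor and match-rule `states_cur` values permanently too high. If those counters feed per-rule state limits (not visible in this diff), the affected rule would start refusing new states early. I would put a comment above the increment, for example `/* No failure path may follow: csfailed does not undo these counters. */`. The body of pf_create_state extends outside both hunks, so whether any `goto csfailed` already follows the increment could not be checked from here.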