authorKlemens Nanni <kn@cvs.openbsd.org>2023-05-03 10:32:49 +0000
committerKlemens Nanni <kn@cvs.openbsd.org>2023-05-03 10:32:49 +0000
commit8c9886e4a01a802adf9b69f96dbbc8efe18f5997 (patch)
tree53bcb9b4e41d2bbea70ab7fcda4cd29c967a3123 /sys/net/pf.c
parent0c10e015f51c889526fd9374effc9d86597328bb (diff)
Remove net lock from DIOCGETRULESET and DIOCGETRULESETS
Both walk the list of rulesets aka. anchors, to yield a total count and specific anchor name, respectively. Same access, different copy out. pf_anchor_global are contained within pf_ioctl.c and pf_ruleset.c and fully protected by the pf lock, as is pf_main_ruleset and its pf.c usage. Rely on and assert for pf lock alone. 'pfctl -sr' on 60k unique rules gets noticeably faster, around 2.1s instead of 3.5s. OK sashan
Diffstat (limited to 'sys/net/pf.c')
-rw-r--r--sys/net/pf.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 8af5155866a..56739a2e8fc 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.1174 2023/04/28 14:08:34 phessler Exp $ */
+/* $OpenBSD: pf.c,v 1.1175 2023/05/03 10:32:47 kn Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1370,6 +1370,8 @@ pf_state_import(const struct pfsync_state *sp, int flags)
int error = ENOMEM;
int n = 0;
+ PF_ASSERT_LOCKED();
+
if (sp->creatorid == 0) {
DPFPRINTF(LOG_NOTICE, "%s: invalid creator id: %08x", __func__,
ntohl(sp->creatorid));
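Review bot: The `PF_ASSERT_LOCKED();` added at the top of pf_state_import has no comment saying what the pf lock protects in this function, and the same holds for the one added at the top of pf_test_rule. The reason is given only in the commit message (pf_main_ruleset and the anchor list are covered by the pf lock alone once the net lock is dropped from the two ioctls), so a later reader of pf.c cannot tell why the assertion must stay. I would put a one-line comment above each, e.g. `/* pf_main_ruleset/anchor access below relies on the pf lock alone, not the net lock */`. Both function bodies continue outside their hunks and the diff shown is limited to pf.c, so the ruleset accesses and the callers that must hold the lock are inferred from the commit message rather than from visible lines; it is worth confirming every caller takes the pf lock, since the assertion only fires on paths that are actually exercised.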
@@ -4270,6 +4272,8 @@ pf_test_rule(struct pf_pdesc *pd, struct pf_rule **rm, struct pf_state **sm,
struct pf_test_ctx ctx;
int rv;
+ PF_ASSERT_LOCKED();
+
memset(&ctx, 0, sizeof(ctx));
ctx.pd = pd;
ctx.rm = rm;