From: Vitaliy Makkoveev <mvs@openbsd.org>
Subject: ipsec: move `encdebug' out of netlock
To: Alexander Bluhm <bluhm@openbsd.org>, tech@openbsd.org
Date: Wed, 14 May 2025 00:38:22 +0300

Tha last one from `ipsecctl_vars'. Widely used in the DPRINTF() macros,
but disabled by default.

Do we really need to enforce load `encdebug' value each time?

Index: sys/net/pfkeyv2_parsemessage.c
===================================================================
RCS file: /cvs/src/sys/net/pfkeyv2_parsemessage.c,v
retrieving revision 1.63
diff -u -p -r1.63 pfkeyv2_parsemessage.c
--- sys/net/pfkeyv2_parsemessage.c	23 Jul 2024 20:04:51 -0000	1.63
+++ sys/net/pfkeyv2_parsemessage.c	13 May 2025 21:32:36 -0000
@@ -86,7 +86,7 @@
 #ifdef ENCDEBUG
 #define DPRINTF(fmt, args...)						\
 	do {								\
-		if (encdebug)						\
+		if (atomic_load_int(&encdebug))				\
 			printf("%s: " fmt "\n", __func__, ## args);	\
 	} while (0)
 #else
Index: sys/netinet/ip_ah.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ah.c,v
retrieving revision 1.175
diff -u -p -r1.175 ip_ah.c
--- sys/netinet/ip_ah.c	2 Mar 2025 21:28:32 -0000	1.175
+++ sys/netinet/ip_ah.c	13 May 2025 21:32:36 -0000
@@ -73,7 +73,7 @@
 #ifdef ENCDEBUG
 #define DPRINTF(fmt, args...)						\
 	do {								\
-		if (encdebug)						\
+		if (atomic_load_int(&encdebug))				\
 			printf("%s: " fmt "\n", __func__, ## args);	\
 	} while (0)
 #else
Index: sys/netinet/ip_esp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_esp.c,v
retrieving revision 1.197
diff -u -p -r1.197 ip_esp.c
--- sys/netinet/ip_esp.c	2 Mar 2025 21:28:32 -0000	1.197
+++ sys/netinet/ip_esp.c	13 May 2025 21:32:36 -0000
@@ -72,7 +72,7 @@
 #ifdef ENCDEBUG
 #define DPRINTF(fmt, args...)						\
 	do {								\
-		if (encdebug)						\
+		if (atomic_load_int(&encdebug))				\
 			printf("%s: " fmt "\n", __func__, ## args);	\
 	} while (0)
 #else
Index: sys/netinet/ip_ipcomp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipcomp.c,v
retrieving revision 1.93
diff -u -p -r1.93 ip_ipcomp.c
--- sys/netinet/ip_ipcomp.c	2 Mar 2025 21:28:32 -0000	1.93
+++ sys/netinet/ip_ipcomp.c	13 May 2025 21:32:36 -0000
@@ -59,7 +59,7 @@
 #ifdef ENCDEBUG
 #define DPRINTF(fmt, args...)						\
 	do {								\
-		if (encdebug)						\
+		if (atomic_load_int(&encdebug))				\
 			printf("%s: " fmt "\n", __func__, ## args);	\
 	} while (0)
 #else
Index: sys/netinet/ip_ipip.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipip.c,v
retrieving revision 1.106
diff -u -p -r1.106 ip_ipip.c
--- sys/netinet/ip_ipip.c	2 Mar 2025 21:28:32 -0000	1.106
+++ sys/netinet/ip_ipip.c	13 May 2025 21:32:36 -0000
@@ -80,7 +80,7 @@
 #ifdef ENCDEBUG
 #define DPRINTF(fmt, args...)						\
 	do {								\
-		if (encdebug)						\
+		if (atomic_load_int(&encdebug))				\
 			printf("%s: " fmt "\n", __func__, ## args);	\
 	} while (0)
 #else
Index: sys/netinet/ip_ipsp.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipsp.c,v
retrieving revision 1.279
diff -u -p -r1.279 ip_ipsp.c
--- sys/netinet/ip_ipsp.c	13 May 2025 17:27:53 -0000	1.279
+++ sys/netinet/ip_ipsp.c	13 May 2025 21:32:36 -0000
@@ -83,7 +83,7 @@ void tdb_hashstats(void);
 #ifdef ENCDEBUG
 #define DPRINTF(fmt, args...)						\
 	do {								\
-		if (encdebug)						\
+		if (atomic_load_int(&encdebug))				\
 			printf("%s: " fmt "\n", __func__, ## args);	\
 	} while (0)
 #else
Index: sys/netinet/ip_output.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.408
diff -u -p -r1.408 ip_output.c
--- sys/netinet/ip_output.c	21 Apr 2025 09:54:53 -0000	1.408
+++ sys/netinet/ip_output.c	13 May 2025 21:32:36 -0000
@@ -68,7 +68,7 @@
 #ifdef ENCDEBUG
 #define DPRINTF(fmt, args...)						\
 	do {								\
-		if (encdebug)						\
+		if (atomic_load_int(&encdebug)				\
 			printf("%s: " fmt "\n", __func__, ## args);	\
 	} while (0)
 #else
Index: sys/netinet/ipsec_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/ipsec_input.c,v
retrieving revision 1.214
diff -u -p -r1.214 ipsec_input.c
--- sys/netinet/ipsec_input.c	13 May 2025 20:06:10 -0000	1.214
+++ sys/netinet/ipsec_input.c	13 May 2025 21:32:36 -0000
@@ -96,7 +96,7 @@ void ipsec_common_ctlinput(u_int, int, s
 #ifdef ENCDEBUG
 #define DPRINTF(fmt, args...)						\
 	do {								\
-		if (encdebug)						\
+		if (atomic_load_int(&encdebug))				\
 			printf("%s: " fmt "\n", __func__, ## args);	\
 	} while (0)
 #else
@@ -105,7 +105,7 @@ void ipsec_common_ctlinput(u_int, int, s
 #endif
 
 /* sysctl variables */
-int encdebug = 0;
+int encdebug = 0;						/* [a] */
 int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;	/* [a] */
 int ipsec_require_pfs = IPSEC_DEFAULT_PFS;			/* [a] */
 int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;	/* [a] */
@@ -172,11 +172,8 @@ int ipsec_def_enc = IPSEC_ENC_AES;		/* [
 int ipsec_def_auth = IPSEC_AUTH_HMAC_SHA1;	/* [a] */
 int ipsec_def_comp = IPSEC_COMP_DEFLATE;	/* [a] */
 
-const struct sysctl_bounded_args ipsecctl_vars_locked[] = {
-	{ IPSEC_ENCDEBUG, &encdebug, 0, 1 },
-};
-
 const struct sysctl_bounded_args ipsecctl_vars[] = {
+	{ IPSEC_ENCDEBUG, &encdebug, 0, 1 },
 	{ IPSEC_EXPIRE_ACQUIRE, &ipsec_expire_acquire, 0, INT_MAX },
 	{ IPSEC_EMBRYONIC_SA_TIMEOUT, &ipsec_keep_invalid, 0, INT_MAX },
 	{ IPSEC_REQUIRE_PFS, &ipsec_require_pfs, 0, 1 },
@@ -638,8 +635,6 @@ int
 ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
     size_t newlen)
 {
-	int error;
-
 	switch (name[0]) {
 	case IPCTL_IPSEC_ENC_ALGORITHM:
 	case IPCTL_IPSEC_AUTH_ALGORITHM:
@@ -648,13 +643,6 @@ ipsec_sysctl(int *name, u_int namelen, v
 		    newp, newlen));
 	case IPCTL_IPSEC_STATS:
 		return (ipsec_sysctl_ipsecstat(oldp, oldlenp, newp));
-	case IPSEC_ENCDEBUG:
-		NET_LOCK();
-		error = sysctl_bounded_arr(ipsecctl_vars_locked,
-		    nitems(ipsecctl_vars_locked), name, namelen,
-		    oldp, oldlenp, newp, newlen);
-		NET_UNLOCK();
-		return (error);
 	default:
 		return (sysctl_bounded_arr(ipsecctl_vars, nitems(ipsecctl_vars),
 		    name, namelen, oldp, oldlenp, newp, newlen));
Index: sys/netinet/ipsec_output.c
===================================================================
RCS file: /cvs/src/sys/netinet/ipsec_output.c,v
retrieving revision 1.100
diff -u -p -r1.100 ipsec_output.c
--- sys/netinet/ipsec_output.c	14 Feb 2025 13:14:13 -0000	1.100
+++ sys/netinet/ipsec_output.c	13 May 2025 21:32:36 -0000
@@ -54,7 +54,7 @@
 #ifdef ENCDEBUG
 #define DPRINTF(fmt, args...)						\
 	do {								\
-		if (encdebug)						\
+		if (atomic_load_int(&encdebug))				\
 			printf("%s: " fmt "\n", __func__, ## args);	\
 	} while (0)
 #else
Index: sys/netinet6/ip6_output.c
===================================================================
RCS file: /cvs/src/sys/netinet6/ip6_output.c,v
retrieving revision 1.298
diff -u -p -r1.298 ip6_output.c
--- sys/netinet6/ip6_output.c	21 Apr 2025 09:54:53 -0000	1.298
+++ sys/netinet6/ip6_output.c	13 May 2025 21:32:36 -0000
@@ -109,7 +109,7 @@
 #ifdef ENCDEBUG
 #define DPRINTF(fmt, args...)						\
 	do {								\
-		if (encdebug)						\
+		if (atomic_load_int(&encdebug))				\
 			printf("%s: " fmt "\n", __func__, ## args);	\
 	} while (0)
 #else