svn commit: r301840 - in projects/vnet/sys: net netpfil/pf
Bjoern A. Zeeb
bz at FreeBSD.org
Sun Jun 12 15:37:37 UTC 2016
Author: bz
Date: Sun Jun 12 15:37:35 2016
New Revision: 301840
URL: https://svnweb.freebsd.org/changeset/base/301840
Log:
Make pf starting to think VNETs some more. Now it at least attaches,
starts, probably shuts down parts, and doesn't crash that much anymore.
Sponsored by: The FreeBSD Foundation
Modified:
projects/vnet/sys/net/pfvar.h
projects/vnet/sys/netpfil/pf/pf.c
projects/vnet/sys/netpfil/pf/pf_if.c
projects/vnet/sys/netpfil/pf/pf_ioctl.c
Modified: projects/vnet/sys/net/pfvar.h
==============================================================================
--- projects/vnet/sys/net/pfvar.h Sun Jun 12 11:45:45 2016 (r301839)
+++ projects/vnet/sys/net/pfvar.h Sun Jun 12 15:37:35 2016 (r301840)
@@ -1655,7 +1655,9 @@ VNET_DECLARE(struct pfi_kif *, pfi_all
#define V_pfi_all VNET(pfi_all)
void pfi_initialize(void);
+void pfi_initialize_vnet(void);
void pfi_cleanup(void);
+void pfi_cleanup_vnet(void);
void pfi_kif_ref(struct pfi_kif *);
void pfi_kif_unref(struct pfi_kif *);
struct pfi_kif *pfi_kif_find(const char *);
Modified: projects/vnet/sys/netpfil/pf/pf.c
==============================================================================
--- projects/vnet/sys/netpfil/pf/pf.c Sun Jun 12 11:45:45 2016 (r301839)
+++ projects/vnet/sys/netpfil/pf/pf.c Sun Jun 12 15:37:35 2016 (r301840)
@@ -1420,16 +1420,22 @@ pf_intr(void *v)
}
void
-pf_purge_thread(void *v)
+pf_purge_thread(void *unused __unused)
{
+ VNET_ITERATOR_DECL(vnet_iter);
u_int idx = 0;
- CURVNET_SET((struct vnet *)v);
-
for (;;) {
PF_RULES_RLOCK();
rw_sleep(pf_purge_thread, &pf_rules_lock, 0, "pftm", hz / 10);
+ PF_RULES_RUNLOCK();
+
+ VNET_LIST_RLOCK();
+ VNET_FOREACH(vnet_iter) {
+ CURVNET_SET(vnet_iter);
+#if 0
+ /* XXX-BZ cleanup needs to happen elsewhere. */
if (V_pf_end_threads) {
/*
* To cleanse up all kifs and rules we need
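Review bot: With the `V_pf_end_threads` block placed under `#if 0` here, and `kproc_exit(0)` commented out in the next hunk, `pf_purge_thread` has no exit path left. `pf_unload()` in pf_ioctl.c still runs `rw_destroy(&pf_rules_lock)`, which is the lock this loop passes to `rw_sleep()`, so after a module unload the thread would keep running against a destroyed lock and, presumably, unmapped module text. Until the cleanup is moved elsewhere, keep a global (non-VNET) stop flag that the loop checks right after `rw_sleep()` and that `pf_unload()` sets and waits on before destroying the lock. The function body continues beyond this hunk.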
@@ -1462,9 +1468,9 @@ pf_purge_thread(void *v)
V_pf_end_threads++;
PF_RULES_RUNLOCK();
wakeup(pf_purge_thread);
- kproc_exit(0);
+ //kproc_exit(0);
}
- PF_RULES_RUNLOCK();
+#endif
/* Process 1/interval fraction of the state table every run. */
idx = pf_purge_expired_states(idx, pf_hashmask /
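Review bot: `idx` is a single cursor declared outside `VNET_FOREACH`, but `idx = pf_purge_expired_states(idx, ...)` now runs once per vnet, so each vnet resumes its scan where the previous vnet stopped rather than where it stopped itself. With several vnets each state table is walked in scattered slices, and expired firewall states may outlive their timeout by an amount that grows with the vnet count. Keep the cursor per vnet, for example `VNET_DEFINE(u_int, pf_purge_idx);` with `#define V_pf_purge_idx VNET(pf_purge_idx)`, and assign the result to `V_pf_purge_idx` (a proposed name). The rest of the call's argument list lies outside this hunk.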
@@ -1482,9 +1488,11 @@ pf_purge_thread(void *v)
pf_purge_unlinked_rules();
pfi_kif_purge();
}
+ CURVNET_RESTORE();
+ }
+ VNET_LIST_RUNLOCK();
}
/* not reached */
- CURVNET_RESTORE();
}
u_int32_t
Modified: projects/vnet/sys/netpfil/pf/pf_if.c
==============================================================================
--- projects/vnet/sys/netpfil/pf/pf_if.c Sun Jun 12 11:45:45 2016 (r301839)
+++ projects/vnet/sys/netpfil/pf/pf_if.c Sun Jun 12 15:37:35 2016 (r301840)
@@ -108,7 +108,7 @@ MTX_SYSINIT(pfi_unlnkdkifs_mtx, &pfi_unl
MTX_DEF);
void
-pfi_initialize(void)
+pfi_initialize_vnet(void)
{
struct ifg_group *ifg;
struct ifnet *ifp;
@@ -129,6 +129,11 @@ pfi_initialize(void)
TAILQ_FOREACH(ifp, &V_ifnet, if_link)
pfi_attach_ifnet(ifp);
IFNET_RUNLOCK();
+}
+
+void
+pfi_initialize(void)
+{
pfi_attach_cookie = EVENTHANDLER_REGISTER(ifnet_arrival_event,
pfi_attach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY);
@@ -145,17 +150,10 @@ pfi_initialize(void)
}
void
-pfi_cleanup(void)
+pfi_cleanup_vnet(void)
{
struct pfi_kif *p;
- EVENTHANDLER_DEREGISTER(ifnet_arrival_event, pfi_attach_cookie);
- EVENTHANDLER_DEREGISTER(ifnet_departure_event, pfi_detach_cookie);
- EVENTHANDLER_DEREGISTER(group_attach_event, pfi_attach_group_cookie);
- EVENTHANDLER_DEREGISTER(group_change_event, pfi_change_group_cookie);
- EVENTHANDLER_DEREGISTER(group_detach_event, pfi_detach_group_cookie);
- EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie);
-
V_pfi_all = NULL;
while ((p = RB_MIN(pfi_ifhead, &V_pfi_ifs))) {
RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p);
@@ -170,6 +168,18 @@ pfi_cleanup(void)
free(V_pfi_buffer, PFI_MTYPE);
}
+void
+pfi_cleanup(void)
+{
+
+ EVENTHANDLER_DEREGISTER(ifnet_arrival_event, pfi_attach_cookie);
+ EVENTHANDLER_DEREGISTER(ifnet_departure_event, pfi_detach_cookie);
+ EVENTHANDLER_DEREGISTER(group_attach_event, pfi_attach_group_cookie);
+ EVENTHANDLER_DEREGISTER(group_change_event, pfi_change_group_cookie);
+ EVENTHANDLER_DEREGISTER(group_detach_event, pfi_detach_group_cookie);
+ EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie);
+}
+
struct pfi_kif *
pfi_kif_find(const char *kif_name)
{
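Review bot: `pfi_cleanup_vnet()` empties `V_pfi_ifs` and frees `V_pfi_buffer`, but the six event handlers stay registered until the module-global `pfi_cleanup()` added here runs. An interface or group event delivered to a vnet in that window would presumably reach handlers operating on freed per-vnet state; the handler bodies are not part of this diff, so that needs confirming. Adding `V_pfi_buffer = NULL;` after the `free()` and letting the handlers return early when `V_pfi_all == NULL` would close the window. A one-line comment on each function saying which is per-vnet and which is module-global would help, since the names alone are easy to mix up.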
Modified: projects/vnet/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- projects/vnet/sys/netpfil/pf/pf_ioctl.c Sun Jun 12 11:45:45 2016 (r301839)
+++ projects/vnet/sys/netpfil/pf/pf_ioctl.c Sun Jun 12 15:37:35 2016 (r301840)
@@ -204,17 +204,14 @@ pfsync_defer_t *pfsync_defer_ptr = NUL
/* pflog */
pflog_packet_t *pflog_packet_ptr = NULL;
-static int
-pfattach(void)
+static void
+pfattach_vnet(void)
{
u_int32_t *my_timeout = V_pf_default_rule.timeout;
- int error;
- if (IS_DEFAULT_VNET(curvnet))
- pf_mtag_initialize();
pf_initialize();
pfr_initialize();
- pfi_initialize();
+ pfi_initialize_vnet();
pf_normalize_init();
V_pf_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
@@ -276,14 +273,24 @@ pfattach(void)
for (int i = 0; i < SCNT_MAX; i++)
V_pf_status.scounters[i] = counter_u64_alloc(M_WAITOK);
- if ((error = kproc_create(pf_purge_thread, curvnet, NULL, 0, 0,
- "pf purge")) != 0)
- /* XXXGL: leaked all above. */
- return (error);
- if ((error = swi_add(NULL, "pf send", pf_intr, curvnet, SWI_NET,
- INTR_MPSAFE, &V_pf_swi_cookie)) != 0)
+ if (swi_add(NULL, "pf send", pf_intr, curvnet, SWI_NET,
+ INTR_MPSAFE, &V_pf_swi_cookie) != 0)
/* XXXGL: leaked all above. */
+ return;
+}
+
+static int
+pfattach(void)
+{
+ int error;
+
+ pf_mtag_initialize();
+
+ error = kproc_create(pf_purge_thread, NULL, NULL, 0, 0, "pf purge");
+ if (error != 0) {
+ pf_mtag_cleanup();
return (error);
+ }
return (0);
}
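Review bot: A failing `swi_add()` is now silently swallowed, because `pfattach_vnet()` returns `void` and the `return;` just before its closing brace reports nothing. The vnet is left attached without its "pf send" software interrupt, and `pf_unload_vnet()` later calls `swi_remove(V_pf_swi_cookie)` unconditionally on a cookie that was never set. Keep the local `int error`, log the failure with something like `printf("%s: swi_add failed: %d\n", __func__, error);`, and leave `V_pf_swi_cookie` as `NULL` so the unload path can test it before `swi_remove()`. The "leaked all above" comment still applies and now also covers everything `pfi_initialize_vnet()` allocated.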
@@ -3691,24 +3698,32 @@ dehook_pf(void)
return (0);
}
-static int
-pf_load(void)
+static void
+pf_load_vnet(void)
{
- int error;
-
VNET_ITERATOR_DECL(vnet_iter);
VNET_LIST_RLOCK();
VNET_FOREACH(vnet_iter) {
CURVNET_SET(vnet_iter);
V_pf_pfil_hooked = 0;
+#if 0
V_pf_end_threads = 0;
+#endif
TAILQ_INIT(&V_pf_tags);
TAILQ_INIT(&V_pf_qids);
CURVNET_RESTORE();
}
VNET_LIST_RUNLOCK();
+ pfattach_vnet();
+}
+
+static int
+pf_load(void)
+{
+ int error;
+
rw_init(&pf_rules_lock, "pf rulesets");
sx_init(&pf_ioctl_lock, "pf ioctl");
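Review bot: `pf_load_vnet()` is invoked per vnet through `VNET_SYSINIT`, yet it still loops over every vnet with `VNET_FOREACH`, resetting `V_pf_pfil_hooked` and calling `TAILQ_INIT()` on `V_pf_tags` and `V_pf_qids` in each. Creating an additional vnet would therefore wipe the tag and queue-id lists and the hook flag of all vnets already running pf. Entries on those lists are dropped without being freed, and the cleared flag presumably misleads the later hook and dehook logic. Drop the `VNET_LIST_RLOCK()` / `VNET_FOREACH` / `CURVNET_SET` wrapper and initialise only the current vnet before `pfattach_vnet()`. The `#if 0` around `V_pf_end_threads = 0;` should carry the same XXX comment used in pf.c so the disabled code is traceable.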
@@ -3719,10 +3734,10 @@ pf_load(void)
return (0);
}
-static int
-pf_unload(void)
+static void
+pf_unload_vnet()
{
- int error = 0;
+ int error;
V_pf_status.running = 0;
swi_remove(V_pf_swi_cookie);
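Review bot: The new definition is written `pf_unload_vnet()` with an empty parameter list, which in C declares an unprototyped function. Every other function in this commit uses `(void)`, so make it `pf_unload_vnet(void)`. `int error` also lost its `= 0` initialiser here. Its first assignment lies outside this hunk, so check that no path reads it before the `dehook_pf()` result is stored.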
@@ -3734,23 +3749,34 @@ pf_unload(void)
* a message like 'No such process'.
*/
printf("%s : pfil unregisteration fail\n", __FUNCTION__);
- return error;
+ return;
}
PF_RULES_WLOCK();
shutdown_pf();
+#if 0
V_pf_end_threads = 1;
while (V_pf_end_threads < 2) {
wakeup_one(pf_purge_thread);
rw_sleep(pf_purge_thread, &pf_rules_lock, 0, "pftmo", 0);
}
+#endif
PF_RULES_WUNLOCK();
pf_normalize_cleanup();
- pfi_cleanup();
+ pfi_cleanup_vnet();
pfr_cleanup();
pf_osfp_flush();
pf_cleanup();
if (IS_DEFAULT_VNET(curvnet))
pf_mtag_cleanup();
+}
+
+static int
+pf_unload(void)
+{
+ int error = 0;
+
+ pfi_cleanup();
+
destroy_dev(pf_dev);
rw_destroy(&pf_rules_lock);
sx_destroy(&pf_ioctl_lock);
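Review bot: The early `return;` after the "pfil unregisteration fail" message now only abandons the per-vnet teardown, because `pf_unload_vnet()` is `void` and cannot veto the unload as the old `return error;` did. `pf_unload()` still goes on to `destroy_dev(pf_dev)` and `rw_destroy(&pf_rules_lock)` while that vnet's pfil hooks are, by the message's own account, still registered. Packets could then reach hook code whose locks are destroyed. Record the failure in a module-global flag and have `pf_unload()` return `EBUSY` when it is set, before tearing anything down. Separately, `pf_mtag_cleanup()` is still called from the per-vnet path under `IS_DEFAULT_VNET(curvnet)`, although `pf_mtag_initialize()` moved to the global `pfattach()`. Moving the cleanup into `pf_unload()` would keep the pair symmetric.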
@@ -3758,6 +3784,25 @@ pf_unload(void)
return (error);
}
+static void
+vnet_pf_init(void *unused __unused)
+{
+
+ pf_load_vnet();
+}
+VNET_SYSINIT(vnet_pf_init, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
+ vnet_pf_init, NULL);
+
+static void
+vnet_pf_uninit(const void *unused __unused)
+{
+
+ pf_unload_vnet();
+}
+VNET_SYSUNINIT(vnet_pf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
+ vnet_pf_uninit, NULL);
+
+
static int
pf_modevent(module_t mod, int type, void *data)
{
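Review bot: The ordering between `VNET_SYSINIT(..., SI_ORDER_THIRD, ...)` here and the `DECLARE_MODULE(..., SI_ORDER_SECOND)` change in the last hunk is load-bearing but undocumented. Add a comment above `vnet_pf_init()` such as `/* Runs after the module event handler (SI_ORDER_SECOND), which sets up pf_rules_lock and starts the purge thread. */`. Note also that the purge thread is therefore created before any vnet's pf state is initialised. It sleeps in `rw_sleep()` first, but a stray `wakeup(pf_purge_thread)` could, presumably, let it walk uninitialised per-vnet tables. A per-vnet "initialised" flag checked inside the thread's `VNET_FOREACH` would make that explicit.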
@@ -3790,5 +3835,5 @@ static moduledata_t pf_mod = {
0
};
-DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_FIRST);
+DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND);
MODULE_VERSION(pf, PF_MODVER);