svn commit: r350668 - in stable: 11/sys/contrib/ipfilter/netinet 12/sys/contrib/ipfilter/netinet
Cy Schubert
cy at FreeBSD.org
Wed Aug 7 01:08:58 UTC 2019
Author: cy
Date: Wed Aug 7 01:08:57 2019
New Revision: 350668
URL: https://svnweb.freebsd.org/changeset/base/350668
Log:
MFC r350568:
Resolve ipfilter kld unload issues related to VNET jails.
When the ipfilter kld is loaded, used within VNET jail, and unloaded,
then subsequent loading, use, and unloading of another packet filters
will cause the subsequently loaded netpfil kld's to panic.
The scenario is as follows:
cd /usr/tests/sys/netpfil/common
kldunload ipl
kldunload pfsync
kldunload ipfw
kyua test pass_block
kldload ipl
kyua test pass_block
kldunload ipl
kldload pfsync
kyua test pass_block
kldunload pfsync
-- page fault panic occurs here --
Reported by: "Ahsan Barkati" <ahsanbarkati at g.....com> via kp@
Discussed with: kp@
Tested by: kp@
Modified:
stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
stable/11/sys/contrib/ipfilter/netinet/mlfk_ipl.c
Directory Properties:
stable/11/ (props changed)
Changes in other areas also in this revision:
Modified:
stable/12/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
stable/12/sys/contrib/ipfilter/netinet/mlfk_ipl.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
==============================================================================
--- stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c Wed Aug 7 01:03:35 2019 (r350667)
+++ stable/11/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c Wed Aug 7 01:08:57 2019 (r350668)
@@ -98,7 +98,10 @@ VNET_DEFINE(ipf_main_softc_t, ipfmain) = {
# include <sys/conf.h>
# include <net/pfil.h>
-static eventhandler_tag ipf_arrivetag, ipf_departtag;
+VNET_DEFINE_STATIC(eventhandler_tag, ipf_arrivetag);
+VNET_DEFINE_STATIC(eventhandler_tag, ipf_departtag);
+#define V_ipf_arrivetag VNET(ipf_arrivetag)
+#define V_ipf_departtag VNET(ipf_departtag)
#if 0
/*
* Disable the "cloner" event handler; we are getting interface
@@ -108,7 +111,8 @@ static eventhandler_tag ipf_arrivetag, ipf_departtag;
* If it turns out to be needed, well need a dedicated event handler
* for it to deal with the ifc and the correct vnet.
*/
-static eventhandler_tag ipf_clonetag;
+VNET_DEFINE_STATIC(eventhandler_tag, ipf_clonetag);
+#define V_ipf_clonetag VNET(ipf_clonetag)
#endif
static void ipf_ifevent(void *arg, struct ifnet *ifp);
@@ -1384,14 +1388,14 @@ int ipf_pfil_hook(void) {
void
ipf_event_reg(void)
{
- ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
+ V_ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
ipf_ifevent, NULL, \
EVENTHANDLER_PRI_ANY);
- ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
+ V_ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
ipf_ifevent, NULL, \
EVENTHANDLER_PRI_ANY);
#if 0
- ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
+ V_ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
NULL, EVENTHANDLER_PRI_ANY);
#endif
}
@@ -1399,15 +1403,15 @@ ipf_event_reg(void)
void
ipf_event_dereg(void)
{
- if (ipf_arrivetag != NULL) {
- EVENTHANDLER_DEREGISTER(ifnet_arrival_event, ipf_arrivetag);
+ if (V_ipf_arrivetag != NULL) {
+ EVENTHANDLER_DEREGISTER(ifnet_arrival_event, V_ipf_arrivetag);
}
- if (ipf_departtag != NULL) {
- EVENTHANDLER_DEREGISTER(ifnet_departure_event, ipf_departtag);
+ if (V_ipf_departtag != NULL) {
+ EVENTHANDLER_DEREGISTER(ifnet_departure_event, V_ipf_departtag);
}
#if 0
- if (ipf_clonetag != NULL) {
- EVENTHANDLER_DEREGISTER(if_clone_event, ipf_clonetag);
+ if (V_ipf_clonetag != NULL) {
+ EVENTHANDLER_DEREGISTER(if_clone_event, V_ipf_clonetag);
}
#endif
}
Modified: stable/11/sys/contrib/ipfilter/netinet/mlfk_ipl.c
==============================================================================
--- stable/11/sys/contrib/ipfilter/netinet/mlfk_ipl.c Wed Aug 7 01:03:35 2019 (r350667)
+++ stable/11/sys/contrib/ipfilter/netinet/mlfk_ipl.c Wed Aug 7 01:08:57 2019 (r350668)
@@ -280,6 +280,10 @@ vnet_ipf_uninit(void)
V_ipfmain.ipf_running = -2;
ipf_destroy_all(&V_ipfmain);
+ if (!IS_DEFAULT_VNET(curvnet)) {
+ ipf_event_dereg();
+ (void)ipf_pfil_unhook();
+ }
}
}
VNET_SYSUNINIT(vnet_ipf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
More information about the svn-src-stable
mailing list