svn commit: r276747 - head/sys/netpfil/pf
Nikos Vassiliadis
nvass at gmx.com
Sun Feb 22 23:54:29 UTC 2015
Hi,
Please review this. It is mostly the changes from project/pf plus
VNET_(SYSINIT,UNINIT) and pf_(load,unload).
Unloading the module is almost there; it works for GENERIC.
We still need to fix the event handler registration in order to
unload with a VIMAGE kernel. I will continue working on this.
Phabricator:
https://reviews.freebsd.org/D1944
Best regards,
Nikos
-------------- next part --------------
Index: sys/net/pfvar.h
===================================================================
--- sys/net/pfvar.h (revision 279103)
+++ sys/net/pfvar.h (working copy)
@@ -1495,7 +1495,7 @@ VNET_DECLARE(struct pf_altqqueue *, pf_altqs_inac
VNET_DECLARE(struct pf_rulequeue, pf_unlinked_rules);
#define V_pf_unlinked_rules VNET(pf_unlinked_rules)
-void pf_initialize(void);
+void pf_vnet_initialize(void);
void pf_mtag_initialize(void);
void pf_mtag_cleanup(void);
void pf_cleanup(void);
@@ -1592,7 +1592,7 @@ int pf_match_addr_range(struct pf_addr *, struct p
struct pf_addr *, sa_family_t);
int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t);
-void pf_normalize_init(void);
+void pf_vnet_normalize_init(void);
void pf_normalize_cleanup(void);
int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *,
struct pf_pdesc *);
@@ -1650,7 +1650,7 @@ MALLOC_DECLARE(PFI_MTYPE);
VNET_DECLARE(struct pfi_kif *, pfi_all);
#define V_pfi_all VNET(pfi_all)
-void pfi_initialize(void);
+void pfi_vnet_initialize(void);
void pfi_cleanup(void);
void pfi_kif_ref(struct pfi_kif *);
void pfi_kif_unref(struct pfi_kif *);
Index: sys/netpfil/pf/pf.c
===================================================================
--- sys/netpfil/pf/pf.c (revision 279103)
+++ sys/netpfil/pf/pf.c (working copy)
@@ -151,6 +151,7 @@ static VNET_DEFINE(struct pf_send_head, pf_sendque
#define V_pf_sendqueue VNET(pf_sendqueue)
static struct mtx pf_sendqueue_mtx;
+MTX_SYSINIT(pf_sendqueue_mtx, &pf_sendqueue_mtx, "pf send queue", MTX_DEF);
#define PF_SENDQ_LOCK() mtx_lock(&pf_sendqueue_mtx)
#define PF_SENDQ_UNLOCK() mtx_unlock(&pf_sendqueue_mtx)
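Review bot: The MTX_SYSINIT added for pf_sendqueue_mtx has no comment saying that this is one module-wide mutex guarding a per-vnet queue (V_pf_sendqueue). That is easy to misread now that the surrounding initializer is called pf_vnet_initialize. I would add `/* Global, not per-vnet: a single mutex serializes the send queues of all vnets. */` above the declaration. The same applies to the MTX_SYSINIT lines for pf_overloadqueue_mtx and pf_unlnkdrules_mtx in the next hunk, pfi_unlnkdkifs_mtx in pf_if.c and pf_frag_mtx in pf_norm.c.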
@@ -172,11 +173,16 @@ static VNET_DEFINE(struct task, pf_overloadtask);
#define V_pf_overloadtask VNET(pf_overloadtask)
static struct mtx pf_overloadqueue_mtx;
+MTX_SYSINIT(pf_overloadqueue_mtx, &pf_overloadqueue_mtx,
+ "pf overload/flush queue", MTX_DEF);
+
#define PF_OVERLOADQ_LOCK() mtx_lock(&pf_overloadqueue_mtx)
#define PF_OVERLOADQ_UNLOCK() mtx_unlock(&pf_overloadqueue_mtx)
VNET_DEFINE(struct pf_rulequeue, pf_unlinked_rules);
struct mtx pf_unlnkdrules_mtx;
+MTX_SYSINIT(pf_unlnkdrules_mtx, &pf_unlnkdrules_mtx, "pf unlinked rules",
+ MTX_DEF);
static VNET_DEFINE(uma_zone_t, pf_sources_z);
#define V_pf_sources_z VNET(pf_sources_z)
@@ -767,7 +773,7 @@ pf_mtag_initialize()
/* Per-vnet data storage structures initialization. */
void
-pf_initialize()
+pf_vnet_initialize()
{
struct pf_keyhash *kh;
struct pf_idhash *ih;
@@ -827,13 +833,9 @@ void
STAILQ_INIT(&V_pf_sendqueue);
SLIST_INIT(&V_pf_overloadqueue);
TASK_INIT(&V_pf_overloadtask, 0, pf_overload_task, curvnet);
- mtx_init(&pf_sendqueue_mtx, "pf send queue", NULL, MTX_DEF);
- mtx_init(&pf_overloadqueue_mtx, "pf overload/flush queue", NULL,
- MTX_DEF);
/* Unlinked, but may be referenced rules. */
TAILQ_INIT(&V_pf_unlinked_rules);
- mtx_init(&pf_unlnkdrules_mtx, "pf unlinked rules", NULL, MTX_DEF);
}
void
@@ -876,10 +878,6 @@ pf_cleanup()
free(pfse, M_PFTEMP);
}
- mtx_destroy(&pf_sendqueue_mtx);
- mtx_destroy(&pf_overloadqueue_mtx);
- mtx_destroy(&pf_unlnkdrules_mtx);
-
uma_zdestroy(V_pf_sources_z);
uma_zdestroy(V_pf_state_z);
uma_zdestroy(V_pf_state_key_z);
Index: sys/netpfil/pf/pf_if.c
===================================================================
--- sys/netpfil/pf/pf_if.c (revision 279103)
+++ sys/netpfil/pf/pf_if.c (working copy)
@@ -103,9 +103,11 @@ LIST_HEAD(pfi_list, pfi_kif);
static VNET_DEFINE(struct pfi_list, pfi_unlinked_kifs);
#define V_pfi_unlinked_kifs VNET(pfi_unlinked_kifs)
static struct mtx pfi_unlnkdkifs_mtx;
+MTX_SYSINIT(pfi_unlnkdkifs_mtx, &pfi_unlnkdkifs_mtx, "pf unlinked interfaces",
+ MTX_DEF);
void
-pfi_initialize(void)
+pfi_vnet_initialize(void)
{
struct ifg_group *ifg;
struct ifnet *ifp;
@@ -115,8 +117,6 @@ void
V_pfi_buffer = malloc(V_pfi_buffer_max * sizeof(*V_pfi_buffer),
PFI_MTYPE, M_WAITOK);
- mtx_init(&pfi_unlnkdkifs_mtx, "pf unlinked interfaces", NULL, MTX_DEF);
-
kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
PF_RULES_WLOCK();
V_pfi_all = pfi_kif_attach(kif, IFG_ALL);
@@ -166,8 +166,6 @@ pfi_cleanup(void)
free(p, PFI_MTYPE);
}
- mtx_destroy(&pfi_unlnkdkifs_mtx);
-
free(V_pfi_buffer, PFI_MTYPE);
}
Index: sys/netpfil/pf/pf_ioctl.c
===================================================================
--- sys/netpfil/pf/pf_ioctl.c (revision 279103)
+++ sys/netpfil/pf/pf_ioctl.c (working copy)
@@ -87,7 +87,8 @@ __FBSDID("$FreeBSD$");
#include <altq/altq.h>
#endif
-static int pfattach(void);
+static int pf_vnet_init(void);
+static int pf_vnet_uninit(void);
static struct pf_pool *pf_get_pool(char *, u_int32_t, u_int8_t, u_int32_t,
u_int8_t, u_int8_t, u_int8_t);
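Review bot: The two new prototypes declare `int` return values that no caller can consume. pf_vnet_init and pf_vnet_uninit are registered further down with VNET_SYSINIT/VNET_SYSUNINIT, and as far as I know those macros cast the function to the sysinit callback type (`void (*)(const void *)`) and ignore any result. An error returned by either function is therefore silently dropped, and the call goes through a mismatched function-pointer type. I would declare them as `static void pf_vnet_init(const void *unused __unused);` and `static void pf_vnet_uninit(const void *unused __unused);` and log or handle failures inside the bodies.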
@@ -205,17 +206,15 @@ pfsync_defer_t *pfsync_defer_ptr = NULL;
pflog_packet_t *pflog_packet_ptr = NULL;
static int
-pfattach(void)
+pf_vnet_init(void)
{
u_int32_t *my_timeout = V_pf_default_rule.timeout;
int error;
- if (IS_DEFAULT_VNET(curvnet))
- pf_mtag_initialize();
- pf_initialize();
+ pf_vnet_initialize();
pfr_initialize();
- pfi_initialize();
- pf_normalize_init();
+ pfi_vnet_initialize();
+ pf_vnet_normalize_init();
V_pf_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
V_pf_limits[PF_LIMIT_SRC_NODES].limit = PFSNODE_HIWAT;
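Review bot: The per-vnet setup that this patch deletes from pf_load() (`V_pf_pfil_hooked = 0;`, `V_pf_end_threads = 0;`, `TAILQ_INIT(&V_pf_tags);`, `TAILQ_INIT(&V_pf_qids);`) does not reappear in the visible part of pf_vnet_init(). The two counters may be fine if vnet data starts out zeroed, but a zero-filled TAILQ head is not a valid empty queue. Unless the definitions carry a static initializer (not shown here), the first tail insert would dereference NULL in the kernel. I would add `TAILQ_INIT(&V_pf_tags);` and `TAILQ_INIT(&V_pf_qids);` at the top of pf_vnet_init(), before `pf_vnet_initialize();`. The function body continues past the end of this hunk.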
@@ -287,7 +286,55 @@ static int
return (0);
}
+VNET_SYSINIT(pf_vnet_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY - 255,
+ pf_vnet_init, NULL);
+static int
+pf_vnet_uninit(void)
+{
+ int error = 0;
+ int number_of_vnets = 0;
+ VNET_ITERATOR_DECL(vnet_iter);
+
+ V_pf_status.running = 0;
+ swi_remove(V_pf_swi_cookie);
+ error = dehook_pf();
+ if (error) {
+ /*
+ * Should not happen!
+ * XXX Due to error code ESRCH, kldunload will show
+ * a message like 'No such process'.
+ */
+ printf("%s : pfil unregisteration fail\n", __FUNCTION__);
+ return error;
+ }
+ PF_RULES_WLOCK();
+ shutdown_pf();
+ pf_normalize_cleanup();
+ pfi_cleanup();
+ pfr_cleanup();
+ pf_osfp_flush();
+ pf_cleanup();
+
+ /*
+ * For the last VNET we perform the final cleanup
+ */
+ VNET_FOREACH(vnet_iter)
+ number_of_vnets++;
+ if (number_of_vnets == 1)
+ pf_mtag_cleanup();
+ PF_RULES_WUNLOCK();
+ if (number_of_vnets == 1) {
+ destroy_dev(pf_dev);
+ rw_destroy(&pf_rules_lock);
+ sx_destroy(&pf_ioctl_lock);
+ }
+
+ return (error);
+}
+VNET_SYSUNINIT(pf_vnet_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY - 255,
+ pf_vnet_uninit, NULL);
+
static struct pf_pool *
pf_get_pool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
u_int32_t rule_number, u_int8_t r_last, u_int8_t active,
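Review bot: Counting the entries of the vnet list does not tell pf_vnet_uninit() that the module is being unloaded, so the `number_of_vnets == 1` test can fire at the wrong time or not at all. If a jail's vnet is torn down while pf stays loaded and only the default vnet is left on the list (this depends on when the dying vnet is unlinked, which is not visible here), this path would run pf_mtag_cleanup(), destroy_dev(pf_dev) and destroy pf_rules_lock and pf_ioctl_lock underneath a vnet that is still filtering. During kldunload with several vnets present it would apparently never run, leaving /dev/pf pointing at an unloaded module. The VNET_FOREACH is also walked without VNET_LIST_RLOCK(), which the loop removed from pf_load() did take; if the SYSUNINIT caller already keeps the list stable, a comment should say so. I would move the global teardown into a single non-vnet step ordered after the per-vnet uninit. The dehook_pf() failure path also needs attention: `return error;` is not seen by the SYSUNINIT caller, yet `running` has already been cleared and the swi removed.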
@@ -3715,27 +3762,11 @@ dehook_pf(void)
static int
pf_load(void)
{
- int error;
- VNET_ITERATOR_DECL(vnet_iter);
-
- VNET_LIST_RLOCK();
- VNET_FOREACH(vnet_iter) {
- CURVNET_SET(vnet_iter);
- V_pf_pfil_hooked = 0;
- V_pf_end_threads = 0;
- TAILQ_INIT(&V_pf_tags);
- TAILQ_INIT(&V_pf_qids);
- CURVNET_RESTORE();
- }
- VNET_LIST_RUNLOCK();
-
rw_init(&pf_rules_lock, "pf rulesets");
sx_init(&pf_ioctl_lock, "pf ioctl");
-
pf_dev = make_dev(&pf_cdevsw, 0, 0, 0, 0600, PF_NAME);
- if ((error = pfattach()) != 0)
- return (error);
+ pf_mtag_initialize();
return (0);
}
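Review bot: pf_load() now publishes /dev/pf with make_dev() before pf_mtag_initialize() has run. Depending on how the module event is ordered against the VNET_SYSINIT (not visible here), that may also be before pf_vnet_init() has set up any per-vnet state, so an ioctl could reach an uninitialised pf. At minimum move `pf_mtag_initialize();` above the `make_dev` line so the device node is created last. A comment should also record that pf_load() must run before pf_vnet_init(), because pfi_vnet_initialize() takes PF_RULES_WLOCK(), which presumably wraps the pf_rules_lock that is only created here by `rw_init(&pf_rules_lock, "pf rulesets");`.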
@@ -3743,40 +3774,16 @@ pf_load(void)
static int
pf_unload(void)
{
- int error = 0;
- V_pf_status.running = 0;
- swi_remove(V_pf_swi_cookie);
- error = dehook_pf();
- if (error) {
- /*
- * Should not happen!
- * XXX Due to error code ESRCH, kldunload will show
- * a message like 'No such process'.
- */
- printf("%s : pfil unregisteration fail\n", __FUNCTION__);
- return error;
- }
+ V_pf_end_threads = 1;
PF_RULES_WLOCK();
- shutdown_pf();
- V_pf_end_threads = 1;
while (V_pf_end_threads < 2) {
wakeup_one(pf_purge_thread);
rw_sleep(pf_purge_thread, &pf_rules_lock, 0, "pftmo", 0);
}
- pf_normalize_cleanup();
- pfi_cleanup();
- pfr_cleanup();
- pf_osfp_flush();
- pf_cleanup();
- if (IS_DEFAULT_VNET(curvnet))
- pf_mtag_cleanup();
PF_RULES_WUNLOCK();
- destroy_dev(pf_dev);
- rw_destroy(&pf_rules_lock);
- sx_destroy(&pf_ioctl_lock);
- return (error);
+ return (0);
}
static int
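Review bot: `V_pf_end_threads = 1;` is now stored before `PF_RULES_WLOCK();`, whereas the removed line set it with the rules lock held. If the purge thread tests the flag under that lock (its body is outside this hunk), keep the original order: `PF_RULES_WLOCK();` followed by `V_pf_end_threads = 1;`. Since pf_unload() now only stops the purge thread and always returns 0, a short comment should say that unhooking and the rest of the teardown happen in pf_vnet_uninit().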
Index: sys/netpfil/pf/pf_norm.c
===================================================================
--- sys/netpfil/pf/pf_norm.c (revision 279103)
+++ sys/netpfil/pf/pf_norm.c (working copy)
@@ -34,6 +34,7 @@ __FBSDID("$FreeBSD$");
#include "opt_pf.h"
#include <sys/param.h>
+#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/mbuf.h>
#include <sys/mutex.h>
@@ -107,6 +108,7 @@ struct pf_fragment_tag {
};
static struct mtx pf_frag_mtx;
+MTX_SYSINIT(pf_frag_mtx, &pf_frag_mtx, "pf fragments", MTX_DEF);
#define PF_FRAG_LOCK() mtx_lock(&pf_frag_mtx)
#define PF_FRAG_UNLOCK() mtx_unlock(&pf_frag_mtx)
#define PF_FRAG_ASSERT() mtx_assert(&pf_frag_mtx, MA_OWNED)
@@ -180,7 +182,7 @@ pf_ip2key(struct ip *ip, int dir, struct pf_fragme
#endif /* INET */
void
-pf_normalize_init(void)
+pf_vnet_normalize_init(void)
{
V_pf_frag_z = uma_zcreate("pf frags", sizeof(struct pf_fragment),
@@ -196,8 +198,6 @@ void
uma_zone_set_max(V_pf_frent_z, PFFRAG_FRENT_HIWAT);
uma_zone_set_warning(V_pf_frent_z, "PF frag entries limit reached");
- mtx_init(&pf_frag_mtx, "pf fragments", NULL, MTX_DEF);
-
TAILQ_INIT(&V_pf_fragqueue);
TAILQ_INIT(&V_pf_cachequeue);
}
@@ -209,8 +209,6 @@ pf_normalize_cleanup(void)
uma_zdestroy(V_pf_state_scrub_z);
uma_zdestroy(V_pf_frent_z);
uma_zdestroy(V_pf_frag_z);
-
- mtx_destroy(&pf_frag_mtx);
}
static int