svn commit: r327433 - in head/sys: net netpfil/pf

Kristof Provost kp at FreeBSD.org
Sun Dec 31 10:01:33 UTC 2017 

Author: kp
Date: Sun Dec 31 10:01:31 2017
New Revision: 327433
URL: https://svnweb.freebsd.org/changeset/base/327433

Log:
  pf: Clean all fragments on shutdown
  
  When pf is unloaded, or a vnet jail using pf is stopped we need to
  ensure we clean up all fragments, not just the expired ones.

Modified:
  head/sys/net/pfvar.h
  head/sys/netpfil/pf/pf.c
  head/sys/netpfil/pf/pf_norm.c

Modified: head/sys/net/pfvar.h
==============================================================================
--- head/sys/net/pfvar.h	Sun Dec 31 09:24:41 2017	(r327432)
+++ head/sys/net/pfvar.h	Sun Dec 31 10:01:31 2017	(r327433)
@@ -1619,6 +1619,7 @@ int	pf_normalize_tcp_stateful(struct mbuf *, int, stru
 u_int32_t
 	pf_state_expires(const struct pf_state *);
 void	pf_purge_expired_fragments(void);
+void	pf_purge_fragments(uint32_t);
 int	pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *,
 	    int);
 int	pf_socket_lookup(int, struct pf_pdesc *, struct mbuf *);

Modified: head/sys/netpfil/pf/pf.c
==============================================================================
--- head/sys/netpfil/pf/pf.c	Sun Dec 31 09:24:41 2017	(r327432)
+++ head/sys/netpfil/pf/pf.c	Sun Dec 31 10:01:31 2017	(r327433)
@@ -1498,7 +1498,7 @@ pf_unload_vnet_purge(void)
 	 * Now purge everything.
 	 */
 	pf_purge_expired_states(0, pf_hashmask);
-	pf_purge_expired_fragments();
+	pf_purge_fragments(UINT_MAX);
 	pf_purge_expired_src_nodes();
 
 	/*

Modified: head/sys/netpfil/pf/pf_norm.c
==============================================================================
--- head/sys/netpfil/pf/pf_norm.c	Sun Dec 31 09:24:41 2017	(r327432)
+++ head/sys/netpfil/pf/pf_norm.c	Sun Dec 31 10:01:31 2017	(r327433)
@@ -219,9 +219,16 @@ pf_frag_compare(struct pf_fragment *a, struct pf_fragm
 void
 pf_purge_expired_fragments(void)
 {
+	u_int32_t	expire = time_uptime -
+			    V_pf_default_rule.timeout[PFTM_FRAG];
+
+	pf_purge_fragments(expire);
+}
+
+void
+pf_purge_fragments(uint32_t expire)
+{
 	struct pf_fragment	*frag;
-	u_int32_t		 expire = time_uptime -
-				    V_pf_default_rule.timeout[PFTM_FRAG];
 
 	PF_FRAG_LOCK();
 	while ((frag = TAILQ_LAST(&V_pf_fragqueue, pf_fragqueue)) != NULL) {

More information about the svn-src-all mailing list