On 04/07/17(Tue) 13:12, Hrvoje Popovski wrote:
> [...]
> and i'm too quick ..
>
> here's panic when killing isakmpd on other box
My bad, 'locked' should be initialized for every iteration of the
loop...
Index: net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.1036
diff -u -p -r1.1036 pf.c
--- net/pf.c 3 Jul 2017 08:11:21 -0000 1.1036
+++ net/pf.c 4 Jul 2017 11:24:19 -0000
@@ -1206,11 +1206,27 @@ pf_purge_thread(void *v)
KERNEL_UNLOCK();
- NET_LOCK(s);
for (;;) {
- rwsleep(pf_purge_thread, &netlock, PWAIT, "pftm", 1 * hz);
+#ifdef IPSEC
+ int locked = 0;
+ /*
+ * At least pfsync can send traffic.
+ *
+ * IPsec is not ready to run without KERNEL_LOCK(). So all
+ * the traffic on your machine is punished if you have IPsec
+ * enabled.
+ */
+ extern int ipsec_in_use;
+ if (ipsec_in_use) {
+ KERNEL_LOCK();
+ locked = 1;
+ }
+#endif /* IPSEC */
+ tsleep(pf_purge_thread, PWAIT, "pftm", 1 * hz);
+
+ NET_LOCK(s);
PF_LOCK();
/* process a fraction of the state table every second */
pf_purge_expired_states(1 + (pf_status.states
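Review bot: `ipsec_in_use` is sampled and `KERNEL_LOCK()` is taken before the one-second `tsleep()`, so the locking decision for each purge pass is up to a second stale: if IPsec comes into use during the sleep, that pass runs with `locked == 0` and without the kernel lock that the comment says IPsec needs. Moving `tsleep(pf_purge_thread, PWAIT, "pftm", 1 * hz);` ahead of the `#ifdef IPSEC` block would put the check directly before `NET_LOCK(s)` and limit the kernel-lock scope to the purge work. A window would still remain for the duration of the pass itself, and whether that matters depends on how `ipsec_in_use` is set, which is not visible here. The block-scope `extern int ipsec_in_use;` would also be better supplied by a header, so that the declaration is checked against the definition. The loop body continues past this hunk; the second hunk releases in the matching order, `NET_UNLOCK(s)` and then `if (locked) KERNEL_UNLOCK();`.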
@@ -1229,8 +1245,13 @@ pf_purge_thread(void *v)
pf_purge_expired_fragments();
nloops = 0;
}
+ NET_UNLOCK(s);
+
+#ifdef IPSEC
+ if (locked)
+ KERNEL_UNLOCK();
+#endif /* IPSEC */
}
- NET_UNLOCK(s);
}
int32_t