The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=96bd22f2bd80f9c991a41fc45ef032f256cae170

commit 96bd22f2bd80f9c991a41fc45ef032f256cae170
Author:     Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-08-11 12:14:18 +0000
Commit:     Kristof Provost <k...@freebsd.org>
CommitDate: 2025-08-11 19:27:09 +0000

    pf: fix anchor/ethernet anchor cleanup
    
    Don't mess with reference counts, but use RB_FOREACH_SAFE() so we can safely
    delete even wildcard anchors.
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sys/netpfil/pf/pf_ioctl.c | 23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index b6f5d74b5b42..e5da05a958f6 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -6444,19 +6444,14 @@ shutdown_pf(void)
        int error = 0;
        u_int32_t t[5];
        char nn = '\0';
-       struct pf_kanchor *anchor;
-       struct pf_keth_anchor *eth_anchor;
+       struct pf_kanchor *anchor, *tmp_anchor;
+       struct pf_keth_anchor *eth_anchor, *tmp_eth_anchor;
        int rs_num;
 
        do {
                /* Unlink rules of all user defined anchors */
-               RB_FOREACH(anchor, pf_kanchor_global, &V_pf_anchors) {
-                       /* Wildcard based anchors may not have a respective
-                        * explicit anchor rule or they may be left empty
-                        * without rules. It leads to anchor.refcnt=0, and the
-                        * rest of the logic does not expect it. */
-                       if (anchor->refcnt == 0)
-                               anchor->refcnt = 1;
+               RB_FOREACH_SAFE(anchor, pf_kanchor_global, &V_pf_anchors,
+                   tmp_anchor) {
                        for (rs_num = 0; rs_num < PF_RULESET_MAX; ++rs_num) {
                                if ((error = pf_begin_rules(&t[rs_num], rs_num,
                                    anchor->path)) != 0) {
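Review bot: The new `RB_FOREACH_SAFE` loop here (and the matching ethernet-anchor loop in the next hunk) carries no comment, although the removed comment was the only in-code explanation of why wildcard anchors need special handling during shutdown. `RB_FOREACH_SAFE` only tolerates removal of the current node: the successor is cached in `tmp_anchor` before the body runs, so the walk would still be a use-after-free if the body ever freed a different anchor, and the body continues outside the hunk, so that cannot be confirmed from here. I would put a comment above both loops, for example `/* _SAFE: committing the empty ruleset may free this anchor (e.g. an unreferenced wildcard anchor); the body must never free the cached successor. */`. In the context lines of the same hunk, `t` is declared as `t[5]` but indexed with `rs_num < PF_RULESET_MAX`; `u_int32_t t[PF_RULESET_MAX];` would keep the on-stack array tied to the loop bound.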
@@ -6474,14 +6469,8 @@ shutdown_pf(void)
                }
 
                /* Unlink rules of all user defined ether anchors */
-               RB_FOREACH(eth_anchor, pf_keth_anchor_global,
-                   &V_pf_keth_anchors) {
-                       /* Wildcard based anchors may not have a respective
-                        * explicit anchor rule or they may be left empty
-                        * without rules. It leads to anchor.refcnt=0, and the
-                        * rest of the logic does not expect it. */
-                       if (eth_anchor->refcnt == 0)
-                               eth_anchor->refcnt = 1;
+               RB_FOREACH_SAFE(eth_anchor, pf_keth_anchor_global,
+                   &V_pf_keth_anchors, tmp_eth_anchor) {
                        if ((error = pf_begin_eth(&t[0], eth_anchor->path))
                            != 0) {
                                DPFPRINTF(PF_DEBUG_MISC, "%s: eth "
