Author: kp
Date: Sun Dec 31 10:01:31 2017
New Revision: 327433
URL: https://svnweb.freebsd.org/changeset/base/327433

Log:
  pf: Clean all fragments on shutdown
  
  When pf is unloaded, or a vnet jail using pf is stopped, we need to
  ensure we clean up all fragments, not just the expired ones.

Modified:
  head/sys/net/pfvar.h
  head/sys/netpfil/pf/pf.c
  head/sys/netpfil/pf/pf_norm.c

Modified: head/sys/net/pfvar.h
==============================================================================
--- head/sys/net/pfvar.h        Sun Dec 31 09:24:41 2017        (r327432)
+++ head/sys/net/pfvar.h        Sun Dec 31 10:01:31 2017        (r327433)
@@ -1619,6 +1619,7 @@ int       pf_normalize_tcp_stateful(struct mbuf *, int, 
stru
 u_int32_t
        pf_state_expires(const struct pf_state *);
 void   pf_purge_expired_fragments(void);
+void   pf_purge_fragments(uint32_t);
 int    pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *,
            int);
 int    pf_socket_lookup(int, struct pf_pdesc *, struct mbuf *);
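Review bot: The new prototype spells its parameter `uint32_t`, while the neighbouring declaration in this hunk and the local in pf_norm.c both use `u_int32_t`; picking one spelling keeps the header consistent. The prototype also gives no hint of what the argument means, so a short comment such as `/* purge fragments older than the given uptime cutoff */` above it would help callers. Naming the parameter in the prototype (`uint32_t expire`) would serve the same purpose.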

Modified: head/sys/netpfil/pf/pf.c
==============================================================================
--- head/sys/netpfil/pf/pf.c    Sun Dec 31 09:24:41 2017        (r327432)
+++ head/sys/netpfil/pf/pf.c    Sun Dec 31 10:01:31 2017        (r327433)
@@ -1498,7 +1498,7 @@ pf_unload_vnet_purge(void)
         * Now purge everything.
         */
        pf_purge_expired_states(0, pf_hashmask);
-       pf_purge_expired_fragments();
+       pf_purge_fragments(UINT_MAX);
        pf_purge_expired_src_nodes();
 
        /*
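Review bot: The `UINT_MAX` passed to `pf_purge_fragments()` is an undocumented sentinel, and it is the maximum of `unsigned int` while the parameter is declared `uint32_t`. `pf_purge_fragments(UINT32_MAX);` matches the parameter width on every platform, and a comment such as `/* cutoff later than any fragment timestamp: free all fragments, expired or not */` records why it is there. Whether this value really empties the queue depends on the comparison inside the purge loop in pf_norm.c, which is not visible here, so that contract should be stated next to the function as well. This matters because any fragment left queued during unload or vnet teardown would outlive the state it belongs to. The body of pf_unload_vnet_purge starts and ends outside the hunk.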

Modified: head/sys/netpfil/pf/pf_norm.c
==============================================================================
--- head/sys/netpfil/pf/pf_norm.c       Sun Dec 31 09:24:41 2017        
(r327432)
+++ head/sys/netpfil/pf/pf_norm.c       Sun Dec 31 10:01:31 2017        
(r327433)
@@ -219,9 +219,16 @@ pf_frag_compare(struct pf_fragment *a, struct pf_fragm
 void
 pf_purge_expired_fragments(void)
 {
+       u_int32_t       expire = time_uptime -
+                           V_pf_default_rule.timeout[PFTM_FRAG];
+
+       pf_purge_fragments(expire);
+}
+
+void
+pf_purge_fragments(uint32_t expire)
+{
        struct pf_fragment      *frag;
-       u_int32_t                expire = time_uptime -
-                                   V_pf_default_rule.timeout[PFTM_FRAG];
 
        PF_FRAG_LOCK();
        while ((frag = TAILQ_LAST(&V_pf_fragqueue, pf_fragqueue)) != NULL) {
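Review bot: The subtraction `time_uptime - V_pf_default_rule.timeout[PFTM_FRAG]` in pf_purge_expired_fragments() goes below zero whenever uptime is smaller than the fragment timeout, and the result stored in `u_int32_t expire` is then a very large cutoff. After this commit a very large cutoff is also what pf.c passes (`UINT_MAX`) to mean "purge everything", so early after boot the periodic purge may discard fragments that have not expired. This assumes the loop stops at the first fragment newer than `expire`; that test lies past the hunk's last line. A guard such as `if (time_uptime < V_pf_default_rule.timeout[PFTM_FRAG]) return;` before the subtraction would keep the two cases apart. pf_purge_fragments() would also benefit from a header comment stating that `expire` is an uptime cutoff and which value purges all; its body continues outside the hunk.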