From owner-freebsd-pf@FreeBSD.ORG Sun Feb 22 23:54:29 2015 Return-Path: Delivered-To: freebsd-pf@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 02D4E64C; Sun, 22 Feb 2015 23:54:29 +0000 (UTC) Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mout.gmx.net", Issuer "TeleSec ServerPass DE-1" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 7F57B933; Sun, 22 Feb 2015 23:54:28 +0000 (UTC) Received: from moby.local ([88.66.138.174]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0LezI3-1Xkox21WcJ-00qgCo; Mon, 23 Feb 2015 00:54:19 +0100 Message-ID: <54EA6C1B.60701@gmx.com> Date: Mon, 23 Feb 2015 00:54:03 +0100 
From: Nikos Vassiliadis User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 MIME-Version: 1.0 To: Gleb Smirnoff , Craig Rodrigues Subject: Re: svn commit: r276747 - head/sys/netpfil/pf References: <201501060903.t06934qp081875@svn.freebsd.org> <20150122012709.GM15484@FreeBSD.org> <54C16715.6060701@gmx.com> <20150122222314.GO15484@FreeBSD.org> <20150215190100.GQ15484@FreeBSD.org> <20150216012528.GA15484@FreeBSD.org> <20150216074656.GE15484@FreeBSD.org> In-Reply-To: <20150216074656.GE15484@FreeBSD.org> Content-Type: multipart/mixed; boundary="------------060104020605000009090808" X-Provags-ID: V03:K0:xSeuf4gTgF06F9vUVRDAjNqFocwpWj0A2DgTu4YnBObUftd/uOF YYZPscskYQwYtkjDb+vuUY47HcGiuJOmzr/use8NhdcHMoROv5G8/WdYm+B0V4mu1poaJPh pyVVno/p1Xu4LgOrMqGGMMBMIwJVOxeQ7sZCGx12fOehFuAnVMeibmCkH7G2CZ27+cb2Cmw qhvmUYCiIjkE/lx4auBoA== X-UI-Out-Filterresults: notjunk:1; Cc: "freebsd-virtualization@freebsd.org" , freebsd-pf@freebsd.org X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 22 Feb 2015 23:54:29 -0000 This is a multi-part message in MIME format. --------------060104020605000009090808 Content-Type: text/plain; charset=windows-1252; format=flowed Content-Transfer-Encoding: 7bit Hi, Please review this. It is mostly the changes from project/pf plus VNET_(SYSINIT,UNINIT) and pf_(load,unload). Unloading the module is almost there, it works for GENERIC. We need to fix the event handlers registration in order to unload with a VIMAGE kernel. I will continue with this. 
Phabricator: https://reviews.freebsd.org/D1944
Best regards, Nikos
--------------060104020605000009090808
Content-Type: text/plain; charset=us-ascii; name="pf.patch.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="pf.patch.txt"
Index: sys/net/pfvar.h
===================================================================
--- sys/net/pfvar.h (revision 279103)
+++ sys/net/pfvar.h (working copy)
@@ -1495,7 +1495,7 @@ VNET_DECLARE(struct pf_altqqueue *, pf_altqs_inac
 VNET_DECLARE(struct pf_rulequeue, pf_unlinked_rules);
 #define V_pf_unlinked_rules VNET(pf_unlinked_rules)
 
-void pf_initialize(void);
+void pf_vnet_initialize(void);
 void pf_mtag_initialize(void);
 void pf_mtag_cleanup(void);
 void pf_cleanup(void);
@@ -1592,7 +1592,7 @@ int pf_match_addr_range(struct pf_addr *, struct p
 struct pf_addr *, sa_family_t);
 int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t);
 
-void pf_normalize_init(void);
+void pf_vnet_normalize_init(void);
 void pf_normalize_cleanup(void);
 int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *,
 struct pf_pdesc *);
@@ -1650,7 +1650,7 @@ MALLOC_DECLARE(PFI_MTYPE);
 VNET_DECLARE(struct pfi_kif *, pfi_all);
 #define V_pfi_all VNET(pfi_all)
 
-void pfi_initialize(void);
+void pfi_vnet_initialize(void);
 void pfi_cleanup(void);
 void pfi_kif_ref(struct pfi_kif *);
 void pfi_kif_unref(struct pfi_kif *);
Index: sys/netpfil/pf/pf.c
===================================================================
--- sys/netpfil/pf/pf.c (revision 279103)
+++ sys/netpfil/pf/pf.c (working copy)
@@ -151,6 +151,7 @@ static VNET_DEFINE(struct pf_send_head, pf_sendque
 #define V_pf_sendqueue VNET(pf_sendqueue)
 
 static struct mtx pf_sendqueue_mtx;
+MTX_SYSINIT(pf_sendqueue_mtx, &pf_sendqueue_mtx, "pf send queue", MTX_DEF);
 #define PF_SENDQ_LOCK() mtx_lock(&pf_sendqueue_mtx)
 #define PF_SENDQ_UNLOCK() mtx_unlock(&pf_sendqueue_mtx)
 
@@ -172,11 +173,16 @@ static VNET_DEFINE(struct task, pf_overloadtask);
 #define V_pf_overloadtask VNET(pf_overloadtask)
 
 static struct mtx pf_overloadqueue_mtx;
+MTX_SYSINIT(pf_overloadqueue_mtx, &pf_overloadqueue_mtx,
+ "pf overload/flush queue", MTX_DEF);
+
 #define PF_OVERLOADQ_LOCK() mtx_lock(&pf_overloadqueue_mtx)
 #define PF_OVERLOADQ_UNLOCK() mtx_unlock(&pf_overloadqueue_mtx)
 
 VNET_DEFINE(struct pf_rulequeue, pf_unlinked_rules);
 struct mtx pf_unlnkdrules_mtx;
+MTX_SYSINIT(pf_unlnkdrules_mtx, &pf_unlnkdrules_mtx, "pf unlinked rules",
+ MTX_DEF);
 
 static VNET_DEFINE(uma_zone_t, pf_sources_z);
 #define V_pf_sources_z VNET(pf_sources_z)
@@ -767,7 +773,7 @@ pf_mtag_initialize()
 
 /* Per-vnet data storage structures initialization. */
 void
-pf_initialize()
+pf_vnet_initialize()
 {
 struct pf_keyhash *kh;
 struct pf_idhash *ih;
@@ -827,13 +833,9 @@ void
 STAILQ_INIT(&V_pf_sendqueue);
 SLIST_INIT(&V_pf_overloadqueue);
 TASK_INIT(&V_pf_overloadtask, 0, pf_overload_task, curvnet);
- mtx_init(&pf_sendqueue_mtx, "pf send queue", NULL, MTX_DEF);
- mtx_init(&pf_overloadqueue_mtx, "pf overload/flush queue", NULL,
- MTX_DEF);
 
 /* Unlinked, but may be referenced rules. */
 TAILQ_INIT(&V_pf_unlinked_rules);
- mtx_init(&pf_unlnkdrules_mtx, "pf unlinked rules", NULL, MTX_DEF);
 }
 
 void
@@ -876,10 +878,6 @@ pf_cleanup()
 free(pfse, M_PFTEMP);
 }
 
- mtx_destroy(&pf_sendqueue_mtx);
- mtx_destroy(&pf_overloadqueue_mtx);
- mtx_destroy(&pf_unlnkdrules_mtx);
-
 uma_zdestroy(V_pf_sources_z);
 uma_zdestroy(V_pf_state_z);
 uma_zdestroy(V_pf_state_key_z);
Index: sys/netpfil/pf/pf_if.c
===================================================================
--- sys/netpfil/pf/pf_if.c (revision 279103)
+++ sys/netpfil/pf/pf_if.c (working copy)
@@ -103,9 +103,11 @@ LIST_HEAD(pfi_list, pfi_kif);
 static VNET_DEFINE(struct pfi_list, pfi_unlinked_kifs);
 #define V_pfi_unlinked_kifs VNET(pfi_unlinked_kifs)
 static struct mtx pfi_unlnkdkifs_mtx;
+MTX_SYSINIT(pfi_unlnkdkifs_mtx, &pfi_unlnkdkifs_mtx, "pf unlinked interfaces",
+ MTX_DEF);
 
 void
-pfi_initialize(void)
+pfi_vnet_initialize(void)
 {
 struct ifg_group *ifg;
 struct ifnet *ifp;
@@ -115,8 +117,6 @@ void
 V_pfi_buffer = malloc(V_pfi_buffer_max * sizeof(*V_pfi_buffer),
 PFI_MTYPE, M_WAITOK);
 
- mtx_init(&pfi_unlnkdkifs_mtx, "pf unlinked interfaces", NULL, MTX_DEF);
-
 kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
 PF_RULES_WLOCK();
 V_pfi_all = pfi_kif_attach(kif, IFG_ALL);
@@ -166,8 +166,6 @@ pfi_cleanup(void)
 free(p, PFI_MTYPE);
 }
 
- mtx_destroy(&pfi_unlnkdkifs_mtx);
-
 free(V_pfi_buffer, PFI_MTYPE);
 }
 
Index: sys/netpfil/pf/pf_ioctl.c
===================================================================
--- sys/netpfil/pf/pf_ioctl.c (revision 279103)
+++ sys/netpfil/pf/pf_ioctl.c (working copy)
@@ -87,7 +87,8 @@ __FBSDID("$FreeBSD$");
 #include
 #endif
 
-static int pfattach(void);
+static int pf_vnet_init(void);
+static int pf_vnet_uninit(void);
 static struct pf_pool *pf_get_pool(char *, u_int32_t, u_int8_t, u_int32_t,
 u_int8_t, u_int8_t, u_int8_t);
 
@@ -205,17 +206,15 @@ pfsync_defer_t *pfsync_defer_ptr = NULL;
 pflog_packet_t *pflog_packet_ptr = NULL;
 
 static int
-pfattach(void)
+pf_vnet_init(void)
 {
 u_int32_t *my_timeout = V_pf_default_rule.timeout;
 int error;
 
- if (IS_DEFAULT_VNET(curvnet))
- pf_mtag_initialize();
- pf_initialize();
+ pf_vnet_initialize();
 pfr_initialize();
- pfi_initialize();
- pf_normalize_init();
+ pfi_vnet_initialize();
+ pf_vnet_normalize_init();
 
 V_pf_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
 V_pf_limits[PF_LIMIT_SRC_NODES].limit = PFSNODE_HIWAT;
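Review bot: pf_vnet_init keeps the `int` return type and the `int error;` local of pfattach, but it is now registered through VNET_SYSINIT (next hunk), whose callbacks are run for their side effects with the return value discarded, so once `if ((error = pfattach()) != 0) return (error);` is gone from pf_load an initialization failure in the rest of this function can no longer abort the module load. Either make the function `void` and handle failures locally (tear down what was set up and leave V_pf_status.running clear, or assert), or keep a module-level failure check in pf_load. A header comment stating the new contract would help, e.g. `/* Per-vnet initialization; runs from VNET_SYSINIT and cannot report an error to the loader. */`. The body of pf_vnet_init continues past the end of the hunk.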
@@ -287,7 +286,55 @@ static int
 return (0);
 }
 
+VNET_SYSINIT(pf_vnet_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY - 255,
+ pf_vnet_init, NULL);
+static int
+pf_vnet_uninit(void)
+{
+ int error = 0;
+ int number_of_vnets = 0;
+ VNET_ITERATOR_DECL(vnet_iter);
+
+ V_pf_status.running = 0;
+ swi_remove(V_pf_swi_cookie);
+ error = dehook_pf();
+ if (error) {
+ /*
+ * Should not happen!
+ * XXX Due to error code ESRCH, kldunload will show
+ * a message like 'No such process'.
+ */
+ printf("%s : pfil unregisteration fail\n", __FUNCTION__);
+ return error;
+ }
+ PF_RULES_WLOCK();
+ shutdown_pf();
+ pf_normalize_cleanup();
+ pfi_cleanup();
+ pfr_cleanup();
+ pf_osfp_flush();
+ pf_cleanup();
+
+ /*
+ * For the last VNET we perform the final cleanup
+ */
+ VNET_FOREACH(vnet_iter)
+ number_of_vnets++;
+ if (number_of_vnets == 1)
+ pf_mtag_cleanup();
+ PF_RULES_WUNLOCK();
+ if (number_of_vnets == 1) {
+ destroy_dev(pf_dev);
+ rw_destroy(&pf_rules_lock);
+ sx_destroy(&pf_ioctl_lock);
+ }
+
+ return (error);
+}
+VNET_SYSUNINIT(pf_vnet_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY - 255,
+ pf_vnet_uninit, NULL);
+
 static struct pf_pool *
 pf_get_pool(char *anchor, u_int32_t ticket, u_int8_t rule_action,
 u_int32_t rule_number, u_int8_t r_last, u_int8_t active,
@@ -3715,27 +3762,11 @@ dehook_pf(void)
 static int
 pf_load(void)
 {
- int error;
 
- VNET_ITERATOR_DECL(vnet_iter);
-
- VNET_LIST_RLOCK();
- VNET_FOREACH(vnet_iter) {
- CURVNET_SET(vnet_iter);
- V_pf_pfil_hooked = 0;
- V_pf_end_threads = 0;
- TAILQ_INIT(&V_pf_tags);
- TAILQ_INIT(&V_pf_qids);
- CURVNET_RESTORE();
- }
- VNET_LIST_RUNLOCK();
-
 rw_init(&pf_rules_lock, "pf rulesets");
 sx_init(&pf_ioctl_lock, "pf ioctl");
 
- pf_dev = make_dev(&pf_cdevsw, 0, 0, 0, 0600, PF_NAME);
- if ((error = pfattach()) != 0)
- return (error);
+ pf_mtag_initialize();
 
 return (0);
 }
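Review bot: In pf_vnet_uninit the `return error` after a failed dehook_pf() no longer stops anything: the function is now a VNET_SYSUNINIT callback whose return value is discarded, so the unload proceeds with the pfil hooks still registered while `V_pf_status.running` has already been cleared and the swi removed, leaving pfil pointing at code that is about to disappear. Unhook before anything else is torn down and treat a failure here as fatal, or keep the dehook in pf_unload, where a non-zero return still vetoes the unload. The `VNET_FOREACH(vnet_iter)` count is also taken without `VNET_LIST_RLOCK()`, and as far as I can tell `number_of_vnets == 1` does not identify the last uninit call: during kldunload the uninit runs once per vnet while the list size stays constant, so with any jail vnet present destroy_dev(), rw_destroy(), sx_destroy() and pf_mtag_cleanup() never run and /dev/pf keeps a cdevsw into unloaded text. Those four pair with the rw_init()/sx_init()/pf_mtag_initialize() that remain in pf_load (next hunk), so they belong in pf_unload rather than behind a vnet count, or at minimum behind `IS_DEFAULT_VNET(curvnet)` as the removed code did.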
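Review bot: The `pf_dev = make_dev(...)` call and the per-vnet `TAILQ_INIT(&V_pf_tags)` / `TAILQ_INIT(&V_pf_qids)` removed from pf_load do not reappear in any hunk of this patch, yet `destroy_dev(pf_dev)` is still called from pf_vnet_uninit (previous hunk). Presumably they moved into pf_vnet_init outside the visible @@ -205 hunk; if so, make_dev() would run once per vnet and each run would overwrite pf_dev, so the device node should stay module-scoped and be created here next to rw_init()/sx_init(). A one-line comment on pf_load would make the split explicit, e.g. `/* Module-wide state only; per-vnet state is set up by pf_vnet_init(). */`.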
@@ -3743,40 +3774,16 @@ pf_load(void)
 static int
 pf_unload(void)
 {
- int error = 0;
 
- V_pf_status.running = 0;
- swi_remove(V_pf_swi_cookie);
- error = dehook_pf();
- if (error) {
- /*
- * Should not happen!
- * XXX Due to error code ESRCH, kldunload will show
- * a message like 'No such process'.
- */
- printf("%s : pfil unregisteration fail\n", __FUNCTION__);
- return error;
- }
+ V_pf_end_threads = 1;
 PF_RULES_WLOCK();
- shutdown_pf();
- V_pf_end_threads = 1;
 while (V_pf_end_threads < 2) {
 wakeup_one(pf_purge_thread);
 rw_sleep(pf_purge_thread, &pf_rules_lock, 0, "pftmo", 0);
 }
- pf_normalize_cleanup();
- pfi_cleanup();
- pfr_cleanup();
- pf_osfp_flush();
- pf_cleanup();
- if (IS_DEFAULT_VNET(curvnet))
- pf_mtag_cleanup();
 PF_RULES_WUNLOCK();
- destroy_dev(pf_dev);
- rw_destroy(&pf_rules_lock);
- sx_destroy(&pf_ioctl_lock);
 
- return (error);
+ return (0);
 }
 
 static int
Index: sys/netpfil/pf/pf_norm.c
===================================================================
--- sys/netpfil/pf/pf_norm.c (revision 279103)
+++ sys/netpfil/pf/pf_norm.c (working copy)
@@ -34,6 +34,7 @@ __FBSDID("$FreeBSD$");
 #include "opt_pf.h"
 
 #include
+#include
 #include
 #include
 #include
@@ -107,6 +108,7 @@ struct pf_fragment_tag {
 };
 
 static struct mtx pf_frag_mtx;
+MTX_SYSINIT(pf_frag_mtx, &pf_frag_mtx, "pf fragments", MTX_DEF);
 #define PF_FRAG_LOCK() mtx_lock(&pf_frag_mtx)
 #define PF_FRAG_UNLOCK() mtx_unlock(&pf_frag_mtx)
 #define PF_FRAG_ASSERT() mtx_assert(&pf_frag_mtx, MA_OWNED)
@@ -180,7 +182,7 @@ pf_ip2key(struct ip *ip, int dir, struct pf_fragme
 #endif /* INET */
 
 void
-pf_normalize_init(void)
+pf_vnet_normalize_init(void)
 {
 
 V_pf_frag_z = uma_zcreate("pf frags", sizeof(struct pf_fragment),
@@ -196,8 +198,6 @@ void
 uma_zone_set_max(V_pf_frent_z, PFFRAG_FRENT_HIWAT);
 uma_zone_set_warning(V_pf_frent_z, "PF frag entries limit reached");
 
- mtx_init(&pf_frag_mtx, "pf fragments", NULL, MTX_DEF);
-
 TAILQ_INIT(&V_pf_fragqueue);
 TAILQ_INIT(&V_pf_cachequeue);
 }
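Review bot: pf_unload now stops only the purge thread of the vnet it runs in: `V_pf_end_threads = 1` and the `while (V_pf_end_threads < 2)` handshake act on curvnet's V_ variables, and pf_vnet_uninit (earlier hunk) has no equivalent before it calls pf_cleanup() and destroys the zones. If pf_vnet_init still creates one purge thread per vnet as pfattach did (the kproc_create call is outside the visible hunks), the threads of jail vnets keep running over freed per-vnet state after their vnet is torn down, and a jail teardown without a module unload never signals them at all. Moving the handshake into pf_vnet_uninit, ahead of shutdown_pf(), would cover both paths; `V_pf_end_threads = 1` could then also return under PF_RULES_WLOCK, the lock the wait loop below already uses.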
@@ -209,8 +209,6 @@ pf_normalize_cleanup(void)
 uma_zdestroy(V_pf_state_scrub_z);
 uma_zdestroy(V_pf_frent_z);
 uma_zdestroy(V_pf_frag_z);
-
- mtx_destroy(&pf_frag_mtx);
 }
 
 static int
--------------060104020605000009090808--