Date:      Sun, 12 Jun 2016 15:37:35 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject:   svn commit: r301840 - in projects/vnet/sys: net netpfil/pf
Message-ID:  <201606121537.u5CFbZW1033316@repo.freebsd.org>

Author: bz
Date: Sun Jun 12 15:37:35 2016
New Revision: 301840
URL: https://svnweb.freebsd.org/changeset/base/301840

Log:
  Make pf start thinking about VNETs some more.  Now it at least attaches,
  starts, probably shuts down parts, and doesn't crash that much anymore.
  
  Sponsored by:	The FreeBSD Foundation

Modified:
  projects/vnet/sys/net/pfvar.h
  projects/vnet/sys/netpfil/pf/pf.c
  projects/vnet/sys/netpfil/pf/pf_if.c
  projects/vnet/sys/netpfil/pf/pf_ioctl.c

Modified: projects/vnet/sys/net/pfvar.h
==============================================================================
--- projects/vnet/sys/net/pfvar.h	Sun Jun 12 11:45:45 2016	(r301839)
+++ projects/vnet/sys/net/pfvar.h	Sun Jun 12 15:37:35 2016	(r301840)
@@ -1655,7 +1655,9 @@ VNET_DECLARE(struct pfi_kif *,		 pfi_all
 #define	V_pfi_all	 		 VNET(pfi_all)
 
 void		 pfi_initialize(void);
+void		 pfi_initialize_vnet(void);
 void		 pfi_cleanup(void);
+void		 pfi_cleanup_vnet(void);
 void		 pfi_kif_ref(struct pfi_kif *);
 void		 pfi_kif_unref(struct pfi_kif *);
 struct pfi_kif	*pfi_kif_find(const char *);

Modified: projects/vnet/sys/netpfil/pf/pf.c
==============================================================================
--- projects/vnet/sys/netpfil/pf/pf.c	Sun Jun 12 11:45:45 2016	(r301839)
+++ projects/vnet/sys/netpfil/pf/pf.c	Sun Jun 12 15:37:35 2016	(r301840)
@@ -1420,16 +1420,22 @@ pf_intr(void *v)
 }
 
 void
-pf_purge_thread(void *v)
+pf_purge_thread(void *unused __unused)
 {
+	VNET_ITERATOR_DECL(vnet_iter);
 	u_int idx = 0;
 
-	CURVNET_SET((struct vnet *)v);
-
 	for (;;) {
 		PF_RULES_RLOCK();
 		rw_sleep(pf_purge_thread, &pf_rules_lock, 0, "pftm", hz / 10);
+		PF_RULES_RUNLOCK();
+
+		VNET_LIST_RLOCK();
+		VNET_FOREACH(vnet_iter) {
+			CURVNET_SET(vnet_iter);
 
+#if 0
+		/* XXX-BZ cleanup needs to happen elsewhere. */
 		if (V_pf_end_threads) {
 			/*
 			 * To cleanse up all kifs and rules we need
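Review bot: The new `VNET_FOREACH` loop in pf_purge_thread() enters every VNET on the list without checking that pf's per-VNET state exists there. The thread is created from pfattach(), while per-VNET setup runs from the `VNET_SYSINIT` at `SI_ORDER_THIRD`, so the loop may reach a VNET before pf_initialize() has run in it or after pf_unload_vnet() has freed its tables; whether that window is reachable depends on the caller of pfattach(), which is outside these hunks. A per-VNET "attached" flag would close it: set it last in pfattach_vnet(), clear it first in pf_unload_vnet(), and test it right after `CURVNET_SET(vnet_iter)`. The function body continues past this hunk.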
@@ -1462,9 +1468,9 @@ pf_purge_thread(void *v)
 			V_pf_end_threads++;
 			PF_RULES_RUNLOCK();
 			wakeup(pf_purge_thread);
-			kproc_exit(0);
+			//kproc_exit(0);
 		}
-		PF_RULES_RUNLOCK();
+#endif
 
 		/* Process 1/interval fraction of the state table every run. */
 		idx = pf_purge_expired_states(idx, pf_hashmask /
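Review bot: `idx` is a single local cursor, yet `idx = pf_purge_expired_states(idx, pf_hashmask /` now runs once per VNET inside the loop, so each VNET resumes where the previous VNET stopped rather than where it last left off itself. With more than one VNET a given state table is scanned only in some slices per pass, and depending on the slice count some rows may never be visited, so expired states can pile up against the state limit. The cursor should be per-VNET, for example a new `VNET_DEFINE`d index that is read and written inside the `CURVNET_SET` section. The statement is cut by the hunk boundary, so the rest of the call is not visible here.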
@@ -1482,9 +1488,11 @@ pf_purge_thread(void *v)
 			pf_purge_unlinked_rules();
 			pfi_kif_purge();
 		}
+		CURVNET_RESTORE();
+		}
+		VNET_LIST_RUNLOCK();
 	}
 	/* not reached */
-	CURVNET_RESTORE();
 }
 
 u_int32_t

Modified: projects/vnet/sys/netpfil/pf/pf_if.c
==============================================================================
--- projects/vnet/sys/netpfil/pf/pf_if.c	Sun Jun 12 11:45:45 2016	(r301839)
+++ projects/vnet/sys/netpfil/pf/pf_if.c	Sun Jun 12 15:37:35 2016	(r301840)
@@ -108,7 +108,7 @@ MTX_SYSINIT(pfi_unlnkdkifs_mtx, &pfi_unl
     MTX_DEF);
 
 void
-pfi_initialize(void)
+pfi_initialize_vnet(void)
 {
 	struct ifg_group *ifg;
 	struct ifnet *ifp;
@@ -129,6 +129,11 @@ pfi_initialize(void)
 	TAILQ_FOREACH(ifp, &V_ifnet, if_link)
 		pfi_attach_ifnet(ifp);
 	IFNET_RUNLOCK();
+}
+
+void
+pfi_initialize(void)
+{
 
 	pfi_attach_cookie = EVENTHANDLER_REGISTER(ifnet_arrival_event,
 	    pfi_attach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY);
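Review bot: No visible hunk calls the new global pfi_initialize(), which now holds all the `EVENTHANDLER_REGISTER` calls. The one visible call site in pf_ioctl.c was changed to `pfi_initialize_vnet()`, and the new pfattach() only does pf_mtag_initialize() and kproc_create(). Unless a call exists outside these hunks, the ifnet/group/ifaddr handlers are never registered, so interfaces arriving after load would not be attached to pf, and pfi_cleanup() would deregister cookies that were never set. Adding `pfi_initialize();` to pfattach() next to `pf_mtag_initialize();` would restore the pairing with the `pfi_cleanup();` call in pf_unload(). The body of pfi_initialize() continues past this hunk.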
@@ -145,17 +150,10 @@ pfi_initialize(void)
 }
 
 void
-pfi_cleanup(void)
+pfi_cleanup_vnet(void)
 {
 	struct pfi_kif *p;
 
-	EVENTHANDLER_DEREGISTER(ifnet_arrival_event, pfi_attach_cookie);
-	EVENTHANDLER_DEREGISTER(ifnet_departure_event, pfi_detach_cookie);
-	EVENTHANDLER_DEREGISTER(group_attach_event, pfi_attach_group_cookie);
-	EVENTHANDLER_DEREGISTER(group_change_event, pfi_change_group_cookie);
-	EVENTHANDLER_DEREGISTER(group_detach_event, pfi_detach_group_cookie);
-	EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie);
-
 	V_pfi_all = NULL;
 	while ((p = RB_MIN(pfi_ifhead, &V_pfi_ifs))) {
 		RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p);
@@ -170,6 +168,18 @@ pfi_cleanup(void)
 	free(V_pfi_buffer, PFI_MTYPE);
 }
 
+void
+pfi_cleanup(void)
+{
+
+	EVENTHANDLER_DEREGISTER(ifnet_arrival_event, pfi_attach_cookie);
+	EVENTHANDLER_DEREGISTER(ifnet_departure_event, pfi_detach_cookie);
+	EVENTHANDLER_DEREGISTER(group_attach_event, pfi_attach_group_cookie);
+	EVENTHANDLER_DEREGISTER(group_change_event, pfi_change_group_cookie);
+	EVENTHANDLER_DEREGISTER(group_detach_event, pfi_detach_group_cookie);
+	EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie);
+}
+
 struct pfi_kif *
 pfi_kif_find(const char *kif_name)
 {
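Review bot: After this split the event handlers appear to outlive the per-VNET data they use. pfi_cleanup_vnet() frees `V_pfi_buffer` and the kif tree from the `VNET_SYSUNINIT`, while pfi_cleanup() deregisters the handlers only later from pf_unload(). If an ifnet or group event fires in that window the handler would run against freed per-VNET state; the handler bodies are not in this diff, so this should be confirmed. Either deregister before any per-VNET teardown, or have the handlers bail out when the VNET's pf state is gone, and add a comment above pfi_cleanup() stating the required order.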

Modified: projects/vnet/sys/netpfil/pf/pf_ioctl.c
==============================================================================
--- projects/vnet/sys/netpfil/pf/pf_ioctl.c	Sun Jun 12 11:45:45 2016	(r301839)
+++ projects/vnet/sys/netpfil/pf/pf_ioctl.c	Sun Jun 12 15:37:35 2016	(r301840)
@@ -204,17 +204,14 @@ pfsync_defer_t			*pfsync_defer_ptr = NUL
 /* pflog */
 pflog_packet_t			*pflog_packet_ptr = NULL;
 
-static int
-pfattach(void)
+static void
+pfattach_vnet(void)
 {
 	u_int32_t *my_timeout = V_pf_default_rule.timeout;
-	int error;
 
-	if (IS_DEFAULT_VNET(curvnet))
-		pf_mtag_initialize();
 	pf_initialize();
 	pfr_initialize();
-	pfi_initialize();
+	pfi_initialize_vnet();
 	pf_normalize_init();
 
 	V_pf_limits[PF_LIMIT_STATES].limit = PFSTATE_HIWAT;
@@ -276,14 +273,24 @@ pfattach(void)
 	for (int i = 0; i < SCNT_MAX; i++)
 		V_pf_status.scounters[i] = counter_u64_alloc(M_WAITOK);
 
-	if ((error = kproc_create(pf_purge_thread, curvnet, NULL, 0, 0,
-	    "pf purge")) != 0)
-		/* XXXGL: leaked all above. */
-		return (error);
-	if ((error = swi_add(NULL, "pf send", pf_intr, curvnet, SWI_NET,
-	    INTR_MPSAFE, &V_pf_swi_cookie)) != 0)
+	if (swi_add(NULL, "pf send", pf_intr, curvnet, SWI_NET,
+	    INTR_MPSAFE, &V_pf_swi_cookie) != 0)
 		/* XXXGL: leaked all above. */
+		return;
+}
+
+static int
+pfattach(void)
+{
+	int error;
+
+	pf_mtag_initialize();
+
+	error = kproc_create(pf_purge_thread, NULL, NULL, 0, 0, "pf purge");
+	if (error != 0) {
+		pf_mtag_cleanup();
 		return (error);
+	}
 
 	return (0);
 }
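Review bot: In pfattach_vnet() a failing swi_add() is now silently ignored: the trailing `return;` is the last statement of a void function, so the check does nothing. The VNET then comes up without its "pf send" software interrupt and with `V_pf_swi_cookie` unset, yet pf_unload_vnet() still calls `swi_remove(V_pf_swi_cookie)` unconditionally. At minimum keep the error value and report it, e.g. `printf("%s: swi_add failed: %d\n", __func__, error);`, and skip the swi_remove() when the cookie was never set. The existing `XXXGL: leaked all above` remark still applies to the counters allocated earlier in this function.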
@@ -3691,24 +3698,32 @@ dehook_pf(void)
 	return (0);
 }
 
-static int
-pf_load(void)
+static void
+pf_load_vnet(void)
 {
-	int error;
-
 	VNET_ITERATOR_DECL(vnet_iter);
 
 	VNET_LIST_RLOCK();
 	VNET_FOREACH(vnet_iter) {
 		CURVNET_SET(vnet_iter);
 		V_pf_pfil_hooked = 0;
+#if 0
 		V_pf_end_threads = 0;
+#endif
 		TAILQ_INIT(&V_pf_tags);
 		TAILQ_INIT(&V_pf_qids);
 		CURVNET_RESTORE();
 	}
 	VNET_LIST_RUNLOCK();
 
+	pfattach_vnet();
+}
+
+static int
+pf_load(void)
+{
+	int error;
+
 	rw_init(&pf_rules_lock, "pf rulesets");
 	sx_init(&pf_ioctl_lock, "pf ioctl");
 
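Review bot: pf_load_vnet() is invoked once per VNET through `VNET_SYSINIT`, but it still carries the old `VNET_FOREACH` loop, so every VNET that initialises re-runs `TAILQ_INIT(&V_pf_tags)`, `TAILQ_INIT(&V_pf_qids)` and `V_pf_pfil_hooked = 0` in all other VNETs as well. For a VNET where pf is already running this drops its tag and queue-id lists without freeing them and makes pf believe its pfil hooks are not installed, which can later lead to double hooking or a skipped dehook. The loop and the `VNET_LIST_RLOCK()`/`VNET_LIST_RUNLOCK()` pair should go, leaving only the three initialisations for the current VNET followed by `pfattach_vnet();`.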
@@ -3719,10 +3734,10 @@ pf_load(void)
 	return (0);
 }
 
-static int
-pf_unload(void)
+static void
+pf_unload_vnet()
 {
-	int error = 0;
+	int error;
 
 	V_pf_status.running = 0;
 	swi_remove(V_pf_swi_cookie);
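Review bot: `pf_unload_vnet()` is defined with an empty parameter list, which in C leaves the parameters unspecified rather than declaring none; write `pf_unload_vnet(void)` to match the other new helpers such as `pf_load_vnet(void)`. The function body continues past this hunk.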
@@ -3734,23 +3749,34 @@ pf_unload(void)
 		 * a message like 'No such process'.
 		 */
 		printf("%s : pfil unregisteration fail\n", __FUNCTION__);
-		return error;
+		return;
 	}
 	PF_RULES_WLOCK();
 	shutdown_pf();
+#if 0
 	V_pf_end_threads = 1;
 	while (V_pf_end_threads < 2) {
 		wakeup_one(pf_purge_thread);
 		rw_sleep(pf_purge_thread, &pf_rules_lock, 0, "pftmo", 0);
 	}
+#endif
 	PF_RULES_WUNLOCK();
 	pf_normalize_cleanup();
-	pfi_cleanup();
+	pfi_cleanup_vnet();
 	pfr_cleanup();
 	pf_osfp_flush();
 	pf_cleanup();
 	if (IS_DEFAULT_VNET(curvnet))
 		pf_mtag_cleanup();
+}
+
+static int
+pf_unload(void)
+{
+	int error = 0;
+
+	pfi_cleanup();
+
 	destroy_dev(pf_dev);
 	rw_destroy(&pf_rules_lock);
 	sx_destroy(&pf_ioctl_lock);
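Review bot: With the `V_pf_end_threads` handshake compiled out, nothing stops the "pf purge" kproc before pf_unload() reaches `rw_destroy(&pf_rules_lock);`. The thread sleeps on that lock in pf_purge_thread() and runs module text, so unloading pf can leave it using a destroyed lock and unmapped code. A global stop flag is needed: pf_unload() sets it and waits for it before `destroy_dev(pf_dev)`, and the purge loop checks it and then calls kproc_exit(). Also in this hunk, `pf_mtag_cleanup()` is still called from pf_unload_vnet() under `IS_DEFAULT_VNET(curvnet)`, although `pf_mtag_initialize()` moved to the global pfattach(); it would pair more cleanly with pf_unload().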
@@ -3758,6 +3784,25 @@ pf_unload(void)
 	return (error);
 }
 
+static void
+vnet_pf_init(void *unused __unused)
+{
+
+	pf_load_vnet();
+}
+VNET_SYSINIT(vnet_pf_init, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD, 
+    vnet_pf_init, NULL);
+
+static void
+vnet_pf_uninit(const void *unused __unused)
+{
+
+	pf_unload_vnet();
+} 
+VNET_SYSUNINIT(vnet_pf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
+    vnet_pf_uninit, NULL);
+
+
 static int
 pf_modevent(module_t mod, int type, void *data)
 {
@@ -3790,5 +3835,5 @@ static moduledata_t pf_mod = {
 	0
 };
 
-DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_FIRST);
+DECLARE_MODULE(pf, pf_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_SECOND);
 MODULE_VERSION(pf, PF_MODVER);


