! ! P4 CH=183469 applied to stable/8 SVN tree: ! ! Force pf to vnet0 for now to permit loading of pf and pflog ! and allow the usage in the base system while trying VIMAGE. ! You should not leak /dev/pf into jails for now or they might ! change your rules;-) ! ! Note: only tested with a VIMAGE development branch rather than ! stable/8 or HEAD. Let me know about panics with a backtrace. ! Index: sys/contrib/pf/net/pf_ioctl.c =================================================================== --- sys/contrib/pf/net/pf_ioctl.c (revision 212287) +++ sys/contrib/pf/net/pf_ioctl.c (working copy) @@ -141,7 +141,7 @@ __FBSDID("$FreeBSD$"); #ifdef __FreeBSD__ void init_zone_var(void); void cleanup_pf_zone(void); -int pfattach(void); +static int pfattach(void); #else void pfattach(int); void pf_thread_create(void *); @@ -289,7 +289,7 @@ cleanup_pf_zone(void) UMA_DESTROY(pfi_addr_pl); } -int +static int pfattach(void) { u_int32_t *my_timeout = pf_default_rule.timeout; @@ -1401,9 +1401,11 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int f error = EEXIST; else { #ifdef __FreeBSD__ + CURVNET_SET(vnet0); PF_UNLOCK(); error = hook_pf(); PF_LOCK(); + CURVNET_RESTORE(); if (error) { DPFPRINTF(PF_DEBUG_MISC, ("pf: pfil registeration fail\n")); @@ -1426,9 +1428,11 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int f else { pf_status.running = 0; #ifdef __FreeBSD__ + CURVNET_SET(vnet0); PF_UNLOCK(); error = dehook_pf(); PF_LOCK(); + CURVNET_RESTORE(); if (error) { pf_status.running = 1; DPFPRINTF(PF_DEBUG_MISC, @@ -3713,8 +3717,10 @@ pf_check6_in(void *arg, struct mbuf **m, struct if * order to support scoped addresses. In order to support stateful * filtering we have change this to lo0 as it is the case in IPv4. */ + CURVNET_SET(vnet0); chk = pf_test6(PF_IN, (*m)->m_flags & M_LOOP ? V_loif : ifp, m, NULL, inp); + CURVNET_RESTORE(); if (chk && *m) { m_freem(*m); *m = NULL; 
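Review bot: The hook_pf() branch of pfioctl (and the dehook_pf() branch in the following hunk) now always acts on vnet0, yet nothing visible here checks which vnet or jail the caller belongs to. The only protection is the commit message's advice not to expose /dev/pf in jails. I would record that at the call site with `/* XXX VIMAGE: pf is pinned to vnet0; a caller from any vnet (un)registers vnet0's hooks. */`. I would also consider an early guard in pfioctl, something like `if (!IS_DEFAULT_VNET(TD_TO_VNET(curthread))) return (EPERM);`, so a misconfigured devfs ruleset cannot give a jail control of the host filter. The start of pfioctl is outside these hunks, so such a check may already exist.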
@@ -3836,7 +3842,9 @@ pf_unload(void) PF_LOCK(); pf_status.running = 0; PF_UNLOCK(); + CURVNET_SET(vnet0); error = dehook_pf(); + CURVNET_RESTORE(); if (error) { /* * Should not happen! Index: sys/contrib/pf/net/pf_if.c =================================================================== --- sys/contrib/pf/net/pf_if.c (revision 212287) +++ sys/contrib/pf/net/pf_if.c (working copy) @@ -143,12 +143,14 @@ pfi_initialize(void) struct ifg_group *ifg; struct ifnet *ifp; + CURVNET_SET(vnet0); IFNET_RLOCK(); TAILQ_FOREACH(ifg, &V_ifg_head, ifg_next) pfi_attach_ifgroup(ifg); TAILQ_FOREACH(ifp, &V_ifnet, if_link) pfi_attach_ifnet(ifp); IFNET_RUNLOCK(); + CURVNET_RESTORE(); pfi_attach_cookie = EVENTHANDLER_REGISTER(ifnet_arrival_event, pfi_attach_ifnet_event, NULL, EVENTHANDLER_PRI_ANY); Index: sys/contrib/pf/net/if_pflog.c =================================================================== --- sys/contrib/pf/net/if_pflog.c (revision 212287) +++ sys/contrib/pf/net/if_pflog.c (working copy) @@ -407,17 +407,25 @@ pflog_modevent(module_t mod, int type, void *data) switch (type) { case MOD_LOAD: + { + CURVNET_SET(vnet0); pflogattach(1); + CURVNET_RESTORE(); PF_LOCK(); pflog_packet_ptr = pflog_packet; PF_UNLOCK(); break; + } case MOD_UNLOAD: + { PF_LOCK(); pflog_packet_ptr = NULL; PF_UNLOCK(); + CURVNET_SET(vnet0); if_clone_detach(&pflog_cloner); + CURVNET_RESTORE(); break; + } default: error = EINVAL; break; Index: sys/contrib/pf/net/pf.c =================================================================== --- sys/contrib/pf/net/pf.c (revision 212287) +++ sys/contrib/pf/net/pf.c (working copy) @@ -1964,6 +1964,7 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t a h->ip_hl = sizeof(*h) >> 2; h->ip_tos = IPTOS_LOWDELAY; #ifdef __FreeBSD__ + CURVNET_SET(vnet0); h->ip_off = V_path_mtu_discovery ? IP_DF : 0; h->ip_len = len; #else 
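Review bot: pfi_initialize() now scans only vnet0's `V_ifg_head` and `V_ifnet`, but the `ifnet_arrival_event` handler registered right after the `CURVNET_RESTORE()` is not restricted in the same way within this hunk. If that event also fires for interfaces created in other vnets (to be confirmed), `pfi_attach_ifnet_event` would add interfaces the initial scan excluded, and a rule keyed on an interface name could match an interface in another vnet. Suggest filtering in the handler, e.g. `if (ifp->if_vnet != vnet0) return;`, or a comment here stating where that is handled. The function continues past the end of the hunk.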
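Review bot: In pf_send_tcp the `CURVNET_SET(vnet0)` is added inside the `#ifdef __FreeBSD__` branch, while its `CURVNET_RESTORE()` in the next hunk (@@ -1972) sits after the `#endif`. The pair is therefore unbalanced with respect to the preprocessor, and the `#else` build would get a restore with no matching set. Keep both under the same condition, either by moving the set above the `#ifdef` or by wrapping the restore in `#ifdef __FreeBSD__` / `#endif`. A short comment such as `/* vnet0 scope for V_path_mtu_discovery and V_ip_defttl */` would also explain why the scope is this narrow. pf_send_tcp starts and ends outside both hunks, so reads of other `V_` variables elsewhere in the function cannot be checked from here.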
@@ -1972,6 +1973,7 @@ pf_send_tcp(const struct pf_rule *r, sa_family_t a #endif h->ip_ttl = ttl ? ttl : V_ip_defttl; h->ip_sum = 0; + CURVNET_RESTORE(); if (eh == NULL) { #ifdef __FreeBSD__ PF_UNLOCK(); @@ -2990,21 +2992,27 @@ pf_socket_lookup(int direction, struct pf_pdesc *p return (1); } #endif + CURVNET_SET(vnet0); switch (pd->proto) { case IPPROTO_TCP: - if (pd->hdr.tcp == NULL) + if (pd->hdr.tcp == NULL) { + CURVNET_RESTORE(); return (-1); + } sport = pd->hdr.tcp->th_sport; dport = pd->hdr.tcp->th_dport; #ifdef __FreeBSD__ pi = &V_tcbinfo; + CURVNET_RESTORE(); #else tb = &tcbtable; #endif break; case IPPROTO_UDP: - if (pd->hdr.udp == NULL) + if (pd->hdr.udp == NULL) { + CURVNET_RESTORE(); return (-1); + } sport = pd->hdr.udp->uh_sport; dport = pd->hdr.udp->uh_dport; #ifdef __FreeBSD__ @@ -3014,8 +3022,10 @@ pf_socket_lookup(int direction, struct pf_pdesc *p #endif break; default: + CURVNET_RESTORE(); return (-1); } + CURVNET_RESTORE(); if (direction == PF_IN) { saddr = pd->src; daddr = pd->dst; @@ -3140,7 +3150,7 @@ pf_get_mss(struct mbuf *m, int off, u_int16_t th_o int hlen; u_int8_t hdr[60]; u_int8_t *opt, optlen; - u_int16_t mss = V_tcp_mssdflt; + u_int16_t mss; hlen = th_off << 2; /* hlen <= sizeof(hdr) */ if (hlen <= sizeof(struct tcphdr)) @@ -3149,6 +3159,9 @@ pf_get_mss(struct mbuf *m, int off, u_int16_t th_o return (0); opt = hdr + sizeof(struct tcphdr); hlen -= sizeof(struct tcphdr); + CURVNET_SET(vnet0); + mss = V_tcp_mssdflt; + CURVNET_RESTORE(); while (hlen >= TCPOLEN_MAXSEG) { switch (*opt) { case TCPOPT_EOL: @@ -3185,7 +3198,7 @@ pf_calc_mss(struct pf_addr *addr, sa_family_t af, #endif /* INET6 */ struct rtentry *rt = NULL; int hlen = 0; /* make the compiler happy */ - u_int16_t mss = V_tcp_mssdflt; + u_int16_t mss; switch (af) { #ifdef INET 
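Review bot: On the IPPROTO_TCP path of pf_socket_lookup, `CURVNET_RESTORE()` runs twice: once right after `pi = &V_tcbinfo;` and again after the switch, where the next hunk (@@ -3014) adds the common restore. The UDP branch's FreeBSD lines fall between the two hunks and are not visible, but it appears to rely on the trailing restore only. The second restore is probably harmless if the macro only reassigns the saved pointer, but it leaves the two cases inconsistent, so drop the in-case `CURVNET_RESTORE();` after `pi = &V_tcbinfo;`. With a restore needed before each of the three early `return (-1)` statements, it would be less error-prone to narrow the scope to just the `&V_tcbinfo` / UDP pcbinfo lookups. The function body extends beyond both hunks.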
@@ -3231,11 +3244,14 @@ pf_calc_mss(struct pf_addr *addr, sa_family_t af, #endif /* INET6 */ } + CURVNET_SET(vnet0); if (rt && rt->rt_ifp) { mss = rt->rt_ifp->if_mtu - hlen - sizeof(struct tcphdr); mss = max(V_tcp_mssdflt, mss); RTFREE(rt); - } + } else + mss = V_tcp_mssdflt; + CURVNET_RESTORE(); mss = min(mss, offer); mss = max(mss, 64); /* sanity - at least max opt space */ return (mss); @@ -3289,7 +3305,7 @@ pf_test_tcp(struct pf_rule **rm, struct pf_state * u_short reason; int rewrite = 0; int tag = -1, rtableid = -1; - u_int16_t mss = V_tcp_mssdflt; + u_int16_t mss; int asd = 0; int match = 0;
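Review bot: `mss` in pf_test_tcp loses its initializer here, and unlike the pf_get_mss and pf_calc_mss hunks, no replacement assignment is visible. Any path that reads `mss` before writing it would then use an indeterminate stack value, possibly in a segment pf generates. If no later hunk assigns it, add `CURVNET_SET(vnet0); mss = V_tcp_mssdflt; CURVNET_RESTORE();` after the declarations, as the pf_get_mss hunk does. The body of pf_test_tcp lies outside this hunk, so please confirm that every read of `mss` is preceded by an assignment.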