diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2024-11-18 10:06:41 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2024-11-18 10:06:46 +0000 |
| commit | 83641335f96cf7eb590c07eb911a8117ec363fd0 (patch) | |
| tree | 5dcca7fc51d5f53fd48b07dbe5e5ce772fb3b241 | |
| parent | 43778a593f92dc09cedee69b47b6486dd579900b (diff) | |
pf: clean up pflow sockets on jail removal
pflow opens sockets in the kernel to transmit netflow information.
If this is done in a (vnet) jail these sockets end up preventing the removal of
the jail. The VNET_SYSUNINIT() vnet_pflowdetach() function doesn't get called,
but that's the function that would remove the sockets.
Install a callback on the PR_METHOD_REMOVE jail callback and close the sockets
there. This ensures that the jail can get cleaned up.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D47545
| -rw-r--r-- | sys/netpfil/pf/pflow.c | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/sys/netpfil/pf/pflow.c b/sys/netpfil/pf/pflow.c index 5ce1369d9f14..36b528290306 100644 --- a/sys/netpfil/pf/pflow.c +++ b/sys/netpfil/pf/pflow.c @@ -26,6 +26,7 @@ #include <sys/callout.h> #include <sys/endian.h> #include <sys/interrupt.h> +#include <sys/jail.h> #include <sys/kernel.h> #include <sys/malloc.h> #include <sys/module.h> @@ -184,15 +185,28 @@ vnet_pflowattach(void) VNET_SYSINIT(vnet_pflowattach, SI_SUB_PROTO_FIREWALL, SI_ORDER_ANY, vnet_pflowattach, NULL); -static void -vnet_pflowdetach(void) +static int +pflow_jail_remove(void *obj, void *data __unused) { +#ifdef VIMAGE + const struct prison *pr = obj; +#endif struct pflow_softc *sc; + CURVNET_SET(pr->pr_vnet); CK_LIST_FOREACH(sc, &V_pflowif_list, sc_next) { pflow_destroy(sc->sc_id, false); } + CURVNET_RESTORE(); + + return (0); +} +static void +vnet_pflowdetach(void) +{ + + /* Should have been done by pflow_jail_remove() */ MPASS(CK_LIST_EMPTY(&V_pflowif_list)); delete_unrhdr(V_pflow_unr); mtx_destroy(&V_pflowif_list_mtx); @@ -1776,6 +1790,8 @@ static const struct nlhdr_parser *all_parsers[] = { &set_parser, }; +static unsigned pflow_do_osd_jail_slot; + static int pflow_init(void) { @@ -1784,6 +1800,11 @@ pflow_init(void) NL_VERIFY_PARSERS(all_parsers); + static osd_method_t methods[PR_MAXMETHOD] = { + [PR_METHOD_REMOVE] = pflow_jail_remove, + }; + pflow_do_osd_jail_slot = osd_jail_register(NULL, methods); + family_id = genl_register_family(PFLOWNL_FAMILY_NAME, 0, 2, PFLOWNL_CMD_MAX); MPASS(family_id != 0); ret = genl_register_cmds(PFLOWNL_FAMILY_NAME, pflow_cmds, NL_ARRAY_LEN(pflow_cmds)); @@ -1794,6 +1815,7 @@ pflow_init(void) static void pflow_uninit(void) { + osd_jail_deregister(pflow_do_osd_jail_slot); genl_unregister_family(PFLOWNL_FAMILY_NAME); } |