1 files changed, 22 insertions, 17 deletions

diff --git a/sys/netpfil/pf/pf_ruleset.c b/sys/netpfil/pf/pf_ruleset.c
index 2e5165a9900c..4e16eaa76f9d 100644
--- a/sys/netpfil/pf/pf_ruleset.c
+++ b/sys/netpfil/pf/pf_ruleset.c
@@ -59,11 +59,8 @@
 #error "Kernel only file. Please use sbin/pfctl/pf_ruleset.c instead."
 #endif
 
-#define DPFPRINTF(format, x...)				\
-	if (V_pf_status.debug >= PF_DEBUG_NOISY)	\
-		printf(format , ##x)
-#define rs_malloc(x)		malloc(x, M_TEMP, M_NOWAIT|M_ZERO)
-#define rs_free(x)		free(x, M_TEMP)
+#define rs_malloc(x)		malloc(x, M_PF, M_NOWAIT|M_ZERO)
+#define rs_free(x)		free(x, M_PF)
 
 VNET_DEFINE(struct pf_kanchor_global,	pf_anchors);
 VNET_DEFINE(struct pf_kanchor,		pf_main_anchor);
@@ -241,7 +238,7 @@ pf_create_kanchor(struct pf_kanchor *parent, const char *aname)
 	   ((parent != NULL) && (strlen(parent->path) >= PF_ANCHOR_MAXPATH)))
 		return (NULL);
 
-	anchor = rs_malloc(sizeof(*anchor));
+	anchor = uma_zalloc(V_pf_anchor_z, M_NOWAIT | M_ZERO);
 	if (anchor == NULL)
 		return (NULL);
 
@@ -262,7 +259,7 @@ pf_create_kanchor(struct pf_kanchor *parent, const char *aname)
 		printf("%s: RB_INSERT1 "
 		    "'%s' '%s' collides with '%s' '%s'\n", __func__,
 		    anchor->path, anchor->name, dup->path, dup->name);
-		rs_free(anchor);
+		uma_zfree(V_pf_anchor_z, anchor);
 		return (NULL);
 	}
 
@@ -276,7 +273,7 @@ pf_create_kanchor(struct pf_kanchor *parent, const char *aname)
 			    anchor->name, dup->path, dup->name);
 			RB_REMOVE(pf_kanchor_global, &V_pf_anchors,
 			    anchor);
-			rs_free(anchor);
+			uma_zfree(V_pf_anchor_z, anchor);
 			return (NULL);
 		}
 	}
@@ -349,11 +346,17 @@ pf_remove_if_empty_kruleset(struct pf_kruleset *ruleset)
 			    !TAILQ_EMPTY(ruleset->rules[i].inactive.ptr) ||
 			    ruleset->rules[i].inactive.open)
 				return;
+		for (int i = 0; i < PF_RULESET_MAX; i++) {
+			pf_rule_tree_free(ruleset->rules[i].active.tree);
+			ruleset->rules[i].active.tree = NULL;
+			pf_rule_tree_free(ruleset->rules[i].inactive.tree);
+			ruleset->rules[i].inactive.tree = NULL;
+		}
 		RB_REMOVE(pf_kanchor_global, &V_pf_anchors, ruleset->anchor);
 		if ((parent = ruleset->anchor->parent) != NULL)
 			RB_REMOVE(pf_kanchor_node, &parent->children,
 			    ruleset->anchor);
-		rs_free(ruleset->anchor);
+		uma_zfree(V_pf_anchor_z, ruleset->anchor);
 		if (parent == NULL)
 			return;
 		ruleset = &parent->ruleset;
@@ -386,7 +389,8 @@ pf_kanchor_setup(struct pf_krule *r, const struct pf_kruleset *s,
 			strlcpy(path, s->anchor->path, MAXPATHLEN);
 		while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
 			if (!path[0]) {
-				DPFPRINTF("%s: .. beyond root\n", __func__);
+				DPFPRINTF(PF_DEBUG_NOISY, "%s: .. beyond root",
+				    __func__);
 				rs_free(path);
 				return (1);
 			}
@@ -408,7 +412,7 @@ pf_kanchor_setup(struct pf_krule *r, const struct pf_kruleset *s,
 	ruleset = pf_find_or_create_kruleset(path);
 	rs_free(path);
 	if (ruleset == NULL || ruleset == &pf_main_ruleset) {
-		DPFPRINTF("%s: ruleset\n", __func__);
+		DPFPRINTF(PF_DEBUG_NOISY, "%s: ruleset", __func__);
 		return (1);
 	}
 	r->anchor = ruleset->anchor;
@@ -615,7 +619,7 @@ pf_find_or_create_keth_ruleset(const char *path)
 			rs_free(p);
 			return (NULL);
 		}
-		anchor = (struct pf_keth_anchor *)rs_malloc(sizeof(*anchor));
+		anchor = uma_zalloc(V_pf_eth_anchor_z, M_NOWAIT | M_ZERO);
 		if (anchor == NULL) {
 			rs_free(p);
 			return (NULL);
@@ -633,7 +637,7 @@ pf_find_or_create_keth_ruleset(const char *path)
 			printf("%s: RB_INSERT1 "
 			    "'%s' '%s' collides with '%s' '%s'\n", __func__,
 			    anchor->path, anchor->name, dup->path, dup->name);
-			rs_free(anchor);
+			uma_zfree(V_pf_eth_anchor_z, anchor);
 			rs_free(p);
 			return (NULL);
 		}
@@ -647,7 +651,7 @@ pf_find_or_create_keth_ruleset(const char *path)
 				    anchor->name, dup->path, dup->name);
 				RB_REMOVE(pf_keth_anchor_global, &V_pf_keth_anchors,
 				    anchor);
-				rs_free(anchor);
+				uma_zfree(V_pf_eth_anchor_z, anchor);
 				rs_free(p);
 				return (NULL);
 			}
@@ -690,7 +694,8 @@ pf_keth_anchor_setup(struct pf_keth_rule *r, const struct pf_keth_ruleset *s,
 			strlcpy(path, s->anchor->path, MAXPATHLEN);
 		while (name[0] == '.' && name[1] == '.' && name[2] == '/') {
 			if (!path[0]) {
-				DPFPRINTF("%s: .. beyond root\n", __func__);
+				DPFPRINTF(PF_DEBUG_NOISY, "%s: .. beyond root",
+				    __func__);
 				rs_free(path);
 				return (1);
 			}
@@ -712,7 +717,7 @@ pf_keth_anchor_setup(struct pf_keth_rule *r, const struct pf_keth_ruleset *s,
 	ruleset = pf_find_or_create_keth_ruleset(path);
 	rs_free(path);
 	if (ruleset == NULL || ruleset->anchor == NULL) {
-		DPFPRINTF("%s: ruleset\n", __func__);
+		DPFPRINTF(PF_DEBUG_NOISY, "%s: ruleset", __func__);
 		return (1);
 	}
 	r->anchor = ruleset->anchor;
@@ -755,7 +760,7 @@ pf_remove_if_empty_keth_ruleset(struct pf_keth_ruleset *ruleset)
 		if ((parent = ruleset->anchor->parent) != NULL)
 			RB_REMOVE(pf_keth_anchor_node, &parent->children,
 			    ruleset->anchor);
-		rs_free(ruleset->anchor);
+		uma_zfree(V_pf_eth_anchor_z, ruleset->anchor);
 		if (parent == NULL)
 			return;
 		ruleset = &parent->ruleset;