Make sure pflog is attached after pf is initialized so we can
borrow pf's lock, and also make sure pflog goes after pf is gone
in order to avoid callouts in VNETs to an already freed instance.

Reported by:    Ivan Klymenko, Johan Hendriks  on current@ today
Obtained from:  projects/vnet
Sponsored by:   The FreeBSD Foundation
MFC after:      13 days
Approved by:	re (gjb)
Bjoern A. Zeeb
2016-06-23 22:31:10 +00:00
parent a8e8c57443
commit 7d7751a071
+7 -2
@@ -268,7 +268,7 @@ vnet_pflog_init(const void *unused __unused)
pflogattach(1);
}
VNET_SYSINIT(vnet_pflog_init, SI_SUB_PSEUDO, SI_ORDER_ANY,
VNET_SYSINIT(vnet_pflog_init, SI_SUB_PROTO_FIREWALL, SI_ORDER_ANY,
vnet_pflog_init, NULL);
static void
@@ -277,6 +277,10 @@ vnet_pflog_uninit(const void *unused __unused)
if_clone_detach(V_pflog_cloner);
}
/*
* Detach after pf is gone; otherwise we might touch pflog memory
* from within pf after freeing pflog.
*/
VNET_SYSUNINIT(vnet_pflog_uninit, SI_SUB_INIT_IF, SI_ORDER_SECOND,
vnet_pflog_uninit, NULL);
@@ -308,6 +312,7 @@ static moduledata_t pflog_mod = { pflogname, pflog_modevent, 0 };
#define PFLOG_MODVER 1
DECLARE_MODULE(pflog, pflog_mod, SI_SUB_PSEUDO, SI_ORDER_ANY);
/* Do not run before pf is initialized as we depend on its locks. */
DECLARE_MODULE(pflog, pflog_mod, SI_SUB_PROTO_FIREWALL, SI_ORDER_ANY);
MODULE_VERSION(pflog, PFLOG_MODVER);
MODULE_DEPEND(pflog, pf, PF_MODVER, PF_MODVER, PF_MODVER);
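Review bot: The new comment above DECLARE_MODULE in the last hunk (and the matching VNET_SYSINIT change in the first hunk) states the ordering requirement but not what it relies on. SI_ORDER_ANY only sorts pflog after pf if pf registers at SI_SUB_PROTO_FIREWALL with a lower order, or at an earlier subsystem, and pf's registration is not visible in this diff. If pf ever moved to the same subsystem and order, the lock borrowing would presumably race again with nothing here flagging it. I would spell the dependency out, e.g. `/* Must sort after pf's SYSINITs within SI_SUB_PROTO_FIREWALL; we borrow pf's locks. */`. In the teardown comment of the second hunk I would add that SYSUNINITs run in reverse order, which is why the earlier SI_SUB_INIT_IF level detaches pflog after pf is gone and avoids the use-after-free.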