pf: clean up syncookie callout on vnet shutdown

Ensure that we cancel any outstanding callouts for syncookies when we terminate the vnet. MFC after: 1 week Sponsored by: Modirum MDPay
2021-07-20 21:03:08 +02:00 · 2021-07-20 21:03:08 +02:00 · 32271c4d38
commit 32271c4d38
parent 84db87b8da
3 changed files with 8 additions and 0 deletions
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@ -1852,6 +1852,7 @@ void		 pf_send_tcp(const struct pf_krule *, sa_family_t,
 			    u_int16_t);

 void			 pf_syncookies_init(void);
+void			 pf_syncookies_cleanup(void);
 int			 pf_get_syncookies(struct pfioc_nv *);
 int			 pf_set_syncookies(struct pfioc_nv *);
 int			 pf_synflood_check(struct pf_pdesc *);
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@ -5573,6 +5573,7 @@ pf_unload_vnet(void)
 	dehook_pf();

 	PF_RULES_WLOCK();
+	pf_syncookies_cleanup();
 	shutdown_pf();
 	PF_RULES_WUNLOCK();

--- a/sys/netpfil/pf/pf_syncookies.c
+++ b/sys/netpfil/pf/pf_syncookies.c
@ -127,6 +127,12 @@ pf_syncookies_init(void)
 	PF_RULES_WUNLOCK();
 }

+void
+pf_syncookies_cleanup(void)
+{
+	callout_stop(&V_pf_syncookie_status.keytimeout);
+}
+
 int
 pf_get_syncookies(struct pfioc_nv *nv)
 {