pf: Fix panic on vnet jail shutdown with synproxy

When shutting down a vnet jail pf_shutdown() clears the remaining states, which through pf_clear_states() calls pf_unlink_state(). For synproxy states pf_unlink_state() will send a TCP RST, which eventually tries to schedule the pf swi in pf_send(). This means we can't remove the software interrupt until after pf_shutdown(). MFC after: 1 week
2018-07-14 09:11:32 +00:00 · 2018-07-14 09:11:32 +00:00 · 3e603d1ffa
commit 3e603d1ffa
parent d59db438cb
1 changed files with 2 additions and 1 deletions
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@ -3951,7 +3951,6 @@ pf_unload_vnet(void)

 	V_pf_vnet_active = 0;
 	V_pf_status.running = 0;
-	swi_remove(V_pf_swi_cookie);
 	error = dehook_pf();
 	if (error) {
 		/*
@ -3967,6 +3966,8 @@ pf_unload_vnet(void)
 	shutdown_pf();
 	PF_RULES_WUNLOCK();

+	swi_remove(V_pf_swi_cookie);
+
 	pf_unload_vnet_purge();

 	pf_normalize_cleanup();