pf: Clean all fragments on shutdown

When pf is unloaded, or a vnet jail using pf is stopped we need to ensure we clean up all fragments, not just the expired ones.
svn path=/head/; revision=327433
2025-01-18 15:30:21 +00:00 · 2017-12-31 10:01:31 +00:00 · 2017-12-31 10:01:31 +00:00 · 5d0020d6d7 · 2020-12-20 02:59:44 +00:00
commit 5d0020d6d7
parent d5d7606c0c
3 changed files with 11 additions and 3 deletions
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@ -1619,6 +1619,7 @@ int	pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *,
 u_int32_t
 	pf_state_expires(const struct pf_state *);
 void	pf_purge_expired_fragments(void);
+void	pf_purge_fragments(uint32_t);
 int	pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *,
 	    int);
 int	pf_socket_lookup(int, struct pf_pdesc *, struct mbuf *);
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@ -1498,7 +1498,7 @@ pf_unload_vnet_purge(void)
 	 * Now purge everything.
 	 */
 	pf_purge_expired_states(0, pf_hashmask);
-	pf_purge_expired_fragments();
+	pf_purge_fragments(UINT_MAX);
 	pf_purge_expired_src_nodes();

 	/*
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@ -218,10 +218,17 @@ pf_frag_compare(struct pf_fragment *a, struct pf_fragment *b)

 void
 pf_purge_expired_fragments(void)
+{
+	u_int32_t	expire = time_uptime -
+			    V_pf_default_rule.timeout[PFTM_FRAG];
+
+	pf_purge_fragments(expire);
+}
+
+void
+pf_purge_fragments(uint32_t expire)
 {
 	struct pf_fragment	*frag;
-	u_int32_t		 expire = time_uptime -
-				    V_pf_default_rule.timeout[PFTM_FRAG];

 	PF_FRAG_LOCK();
 	while ((frag = TAILQ_LAST(&V_pf_fragqueue, pf_fragqueue)) != NULL) {