On 8 April 2015 at 19:16, Mike Belopuhov <m...@belopuhov.com> wrote:
> On Sun, Apr 05, 2015 at 12:06 +0200, Alexandr Nedvedicky wrote:
>> Hello,
>>
>> while testing PBR on Solaris we found out the pfi_kif instances
>> are not removed from the pfi_ifs table. We took a look at a crashdump
>> and have seen the pfik_route counter at those objects is still
>> non-zero, while all rules were gone.
>>
>> looking at the sources we can see the 'pfik_route' (PFI_KIF_REF_ROUTE)
>> reference is being grabbed in pfr_create_kentry():
>>
>>         case PFRKE_ROUTE:
>>                 if (ad->pfra_ifname[0])
>>                         ke->pfrke_rkif = pfi_kif_get(ad->pfra_ifname);
>>                 if (ke->pfrke_rkif)
>>                         pfi_kif_ref(ke->pfrke_rkif, PFI_KIF_REF_ROUTE);
>>                 break;
>>         default:
>>                 panic("unknown pfrke_type %d", ke->pfrke_type);
>>                 break;
>>
>> however we have not found any matching pfi_kif_ref() command, which
>> would remove the reference created by pfr_create_kentry(). It seems
>> to us the call to
>>
>>         pfi_kif_unref(ke->pfrke_rkif, PFI_KIF_REF_ROUTE)
>>
>> is missing at pfr_destroy_kentry(). We created a patch against OpenBSD CURRENT.
>> We have no OpenBSD boxes around, where we could verify our fix.
>>
>> also for your info: IPF in Solaris is on its death row. PF in the 11.3
>> release will be available as an optional firewall. We hope to make PF
>> the default (and only firewall) in Solaris 12. You've done an excellent job,
>> your PF is a crystal-clear design.
>>
>> kind regards
>> sasha
>> [snip]
>
> Hi,
>
> Your analysis is correct. I'd drop the switch statement here for
> simplicity though.
>
> Anyone willing to OK?

Committed, thanks!
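
The reference imbalance reported in this thread, as an added example that is not part of the original messages and is not OpenBSD code: a simplified C model in which creating a route entry takes a reference on the interface object, and only the fixed destroy path releases it so the object can leave the table. The struct layouts, function names, table size and the interface name `em0` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified stand-ins for the pf objects named in the thread (not OpenBSD code). */
struct kif    { char name[16]; int routes; int in_table; };
struct kentry { struct kif *rkif; };
static struct kif ifs[4];               /* models the pfi_ifs table */

/* Find the named kif, or allocate a free slot for it. */
static struct kif *kif_get(const char *name) {
    struct kif *spare = NULL;
    for (size_t i = 0; i < sizeof(ifs) / sizeof(ifs[0]); i++) {
        if (ifs[i].in_table && strcmp(ifs[i].name, name) == 0)
            return &ifs[i];
        if (!ifs[i].in_table && spare == NULL)
            spare = &ifs[i];
    }
    if (spare != NULL) {
        memset(spare, 0, sizeof(*spare));
        strncpy(spare->name, name, sizeof(spare->name) - 1);
        spare->in_table = 1;
    }
    return spare;
}
static void kif_ref(struct kif *k)   { k->routes++; }
/* In this model a kif leaves the table once its last reference is dropped. */
static void kif_unref(struct kif *k) { if (--k->routes == 0) k->in_table = 0; }

static void create_kentry(struct kentry *ke, const char *ifname) {
    ke->rkif = ifname[0] ? kif_get(ifname) : NULL;
    if (ke->rkif)
        kif_ref(ke->rkif);              /* reference taken on creation */
}
static void destroy_kentry(struct kentry *ke, int fixed) {
    if (fixed && ke->rkif)
        kif_unref(ke->rkif);            /* the release the thread found missing */
    ke->rkif = NULL;
}
/* Create and destroy n route entries on one interface; return kifs left behind. */
int leftover_kifs(int n, int fixed) {
    struct kentry ke;
    int left = 0;
    memset(ifs, 0, sizeof(ifs));
    for (int i = 0; i < n; i++) {
        create_kentry(&ke, "em0");      /* constructed interface name */
        destroy_kentry(&ke, fixed);
    }
    for (size_t i = 0; i < sizeof(ifs) / sizeof(ifs[0]); i++)
        left += ifs[i].in_table;
    return left;
}
int main(void) { printf("leaky: %d, fixed: %d\n", leftover_kifs(3, 0), leftover_kifs(3, 1)); return 0; }
```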