Resolve ipfilter kld unload issues related to VNET jails.

When the ipfilter kld is loaded, used within VNET jail, and unloaded,
then subsequent loading, use, and unloading of another packet filters
will cause the subsequently loaded netpfil kld's to panic.

The scenario is as follows:

cd /usr/tests/sys/netpfil/common

kldunload ipl
kldunload pfsync
kldunload ipfw

kyua test pass_block

kldload ipl
kyua test pass_block
kldunload ipl

kldload pfsync
kyua test pass_block
kldunload pfsync
-- page fault panic occurs here --

Reported by:	"Ahsan Barkati" <ahsanbarkati@g.....com> via kp@
Discussed with:	kp@
Tested by:	kp@
MFC after:	3 days

2 files changed, 19 insertions, 11 deletions

diff --git a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
index 9084802d23ac..ef03cf678ed7 100644
--- a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
+++ b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c
@@ -100,7 +100,10 @@ VNET_DEFINE(ipf_main_softc_t, ipfmain) = {
 # include <sys/conf.h>
 #  include <net/pfil.h>
 
-static eventhandler_tag ipf_arrivetag, ipf_departtag;
+VNET_DEFINE_STATIC(eventhandler_tag, ipf_arrivetag);
+VNET_DEFINE_STATIC(eventhandler_tag, ipf_departtag);
+#define	V_ipf_arrivetag		VNET(ipf_arrivetag)
+#define	V_ipf_departtag		VNET(ipf_departtag)
 #if 0
 /*
  * Disable the "cloner" event handler;  we are getting interface
@@ -110,7 +113,8 @@ static eventhandler_tag ipf_arrivetag, ipf_departtag;
  * If it turns out to be needed, well need a dedicated event handler
  * for it to deal with the ifc and the correct vnet.
  */
-static eventhandler_tag ipf_clonetag;
+VNET_DEFINE_STATIC(eventhandler_tag, ipf_clonetag);
+#define	V_ipf_clonetag		VNET(ipf_clonetag)
 #endif
 
 static void ipf_ifevent(void *arg, struct ifnet *ifp);
@@ -1383,14 +1387,14 @@ int ipf_pfil_hook(void) {
 void
 ipf_event_reg(void)
 {
-	ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
+	V_ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \
 					       ipf_ifevent, NULL, \
 					       EVENTHANDLER_PRI_ANY);
-	ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
+	V_ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \
 					       ipf_ifevent, NULL, \
 					       EVENTHANDLER_PRI_ANY);
 #if 0
-	ipf_clonetag  = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
+	V_ipf_clonetag  = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \
 					       NULL, EVENTHANDLER_PRI_ANY);
 #endif
 }
@@ -1398,15 +1402,15 @@ ipf_event_reg(void)
 void
 ipf_event_dereg(void)
 {
-	if (ipf_arrivetag != NULL) {
-		EVENTHANDLER_DEREGISTER(ifnet_arrival_event, ipf_arrivetag);
+	if (V_ipf_arrivetag != NULL) {
+		EVENTHANDLER_DEREGISTER(ifnet_arrival_event, V_ipf_arrivetag);
 	}
-	if (ipf_departtag != NULL) {
-		EVENTHANDLER_DEREGISTER(ifnet_departure_event, ipf_departtag);
+	if (V_ipf_departtag != NULL) {
+		EVENTHANDLER_DEREGISTER(ifnet_departure_event, V_ipf_departtag);
 	}
 #if 0
-	if (ipf_clonetag != NULL) {
-		EVENTHANDLER_DEREGISTER(if_clone_event, ipf_clonetag);
+	if (V_ipf_clonetag != NULL) {
+		EVENTHANDLER_DEREGISTER(if_clone_event, V_ipf_clonetag);
 	}
 #endif
 }
diff --git a/sys/contrib/ipfilter/netinet/mlfk_ipl.c b/sys/contrib/ipfilter/netinet/mlfk_ipl.c
index a82a529572ec..9c320ee65c5e 100644
--- a/sys/contrib/ipfilter/netinet/mlfk_ipl.c
+++ b/sys/contrib/ipfilter/netinet/mlfk_ipl.c
@@ -283,6 +283,10 @@ vnet_ipf_uninit(void)
 		V_ipfmain.ipf_running = -2;
 
 		ipf_destroy_all(&V_ipfmain);
+		if (!IS_DEFAULT_VNET(curvnet)) {
+			ipf_event_dereg();
+			(void)ipf_pfil_unhook();
+		}
 	}
 }
 VNET_SYSUNINIT(vnet_ipf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,