network - Fix PF mis-handling and other bugs
* The mbuf subsystem does NOT clear pkthdr.pf.* fields on mbuf allocation.
PF was assuming that pf.flags was being cleared. Instead move the
PF_TAG_GENERATED flag from pf.flags to fw_flags and call it PF_MBUF_TAGGED.
The fw_flags field is cleared by the mbuf subsystem.
Then clear pf.flags whenever we set PF_MBUF_TAGGED or determine that it
has not been set.
This fixes a serious bug where the PF filters start missing packets,
increasing from system boot. This is because more and more packets in
the objcache wind up with non-zero pf.flags which cause PF to pass
the packet unconditionally.
For example NAT packets would wind up in the normal protocol stack which
would of course would get confused and generate a RST.
* Move the 'cur' static pointer in pf_purge_expired_states() up a bit
so pf_free_state() can access it and rename it 'purge_cur'.
Adjust pf_free_state() to iterate purge_cur when it matches the state
being destroyed.
* Protect the pf_purge_thread() with pf_token, it was depending on the MP
lock before which definitely does not do the job.
* Flag the pfil hook as being MPSAFE.
Reported-by: "Jan Lentfer" <Jan.Lentfer@web.de>
projects / dragonfly.git / commit