From d2e2ff9f362354e221fb61fcd787bfe645fb63e1 Mon Sep 17 00:00:00 2001 From: cy Date: Wed, 7 Aug 2019 01:03:35 +0000 Subject: [PATCH 1/2] MFC r350567: Returning an uninitialized error is a bad thing. --- sys/contrib/ipfilter/netinet/mlfk_ipl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/contrib/ipfilter/netinet/mlfk_ipl.c b/sys/contrib/ipfilter/netinet/mlfk_ipl.c index 34a9644bbdc9..a82a529572ec 100644 --- a/sys/contrib/ipfilter/netinet/mlfk_ipl.c +++ b/sys/contrib/ipfilter/netinet/mlfk_ipl.c @@ -310,7 +310,7 @@ ipf_modunload() printf("%s unloaded\n", ipfilter_version); - return error; + return (0); } From 31085aec4f785f967f4ff9869bc299db2c07e85c Mon Sep 17 00:00:00 2001 From: cy Date: Wed, 7 Aug 2019 01:08:57 +0000 Subject: [PATCH 2/2] MFC r350568: Resolve ipfilter kld unload issues related to VNET jails. When the ipfilter kld is loaded, used within VNET jail, and unloaded, then subsequent loading, use, and unloading of another packet filters will cause the subsequently loaded netpfil kld's to panic. The scenario is as follows: cd /usr/tests/sys/netpfil/common kldunload ipl kldunload pfsync kldunload ipfw kyua test pass_block kldload ipl kyua test pass_block kldunload ipl kldload pfsync kyua test pass_block kldunload pfsync -- page fault panic occurs here -- Reported by: "Ahsan Barkati" via kp@ Discussed with: kp@ Tested by: kp@ --- sys/contrib/ipfilter/netinet/ip_fil_freebsd.c | 26 +++++++++++-------- sys/contrib/ipfilter/netinet/mlfk_ipl.c | 4 +++ 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c index ff8f782955da..618937259b81 100644 --- a/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c +++ b/sys/contrib/ipfilter/netinet/ip_fil_freebsd.c 
@@ -98,7 +98,10 @@ VNET_DEFINE(ipf_main_softc_t, ipfmain) = { # include # include -static eventhandler_tag ipf_arrivetag, ipf_departtag; +VNET_DEFINE_STATIC(eventhandler_tag, ipf_arrivetag); +VNET_DEFINE_STATIC(eventhandler_tag, ipf_departtag); +#define V_ipf_arrivetag VNET(ipf_arrivetag) +#define V_ipf_departtag VNET(ipf_departtag) #if 0 /* * Disable the "cloner" event handler; we are getting interface @@ -108,7 +111,8 @@ static eventhandler_tag ipf_arrivetag, ipf_departtag; * If it turns out to be needed, well need a dedicated event handler * for it to deal with the ifc and the correct vnet. */ -static eventhandler_tag ipf_clonetag; +VNET_DEFINE_STATIC(eventhandler_tag, ipf_clonetag); +#define V_ipf_clonetag VNET(ipf_clonetag) #endif static void ipf_ifevent(void *arg, struct ifnet *ifp); @@ -1384,14 +1388,14 @@ int ipf_pfil_hook(void) { void ipf_event_reg(void) { - ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \ + V_ipf_arrivetag = EVENTHANDLER_REGISTER(ifnet_arrival_event, \ ipf_ifevent, NULL, \ EVENTHANDLER_PRI_ANY); - ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \ + V_ipf_departtag = EVENTHANDLER_REGISTER(ifnet_departure_event, \ ipf_ifevent, NULL, \ EVENTHANDLER_PRI_ANY); #if 0 - ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \ + V_ipf_clonetag = EVENTHANDLER_REGISTER(if_clone_event, ipf_ifevent, \ NULL, EVENTHANDLER_PRI_ANY); #endif } 
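Review bot: In ipf_event_reg() both EVENTHANDLER_REGISTER calls still pass `NULL` as the handler argument, although the tags they fill are now per-VNET. If ipf_event_reg() runs once per vnet (its callers are outside this patch), each ifnet arrival or departure event will call ipf_ifevent once per registered vnet, and the handler gets nothing that identifies which vnet registered it. The body of ipf_ifevent is not shown here, so please add a comment above the two registrations stating how the handler selects its vnet and that repeated invocation for the same event is harmless. If it is not harmless, pass `curvnet` as the argument instead of `NULL`.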
@@ -1399,15 +1403,15 @@ ipf_event_reg(void) void ipf_event_dereg(void) { - if (ipf_arrivetag != NULL) { - EVENTHANDLER_DEREGISTER(ifnet_arrival_event, ipf_arrivetag); + if (V_ipf_arrivetag != NULL) { + EVENTHANDLER_DEREGISTER(ifnet_arrival_event, V_ipf_arrivetag); } - if (ipf_departtag != NULL) { - EVENTHANDLER_DEREGISTER(ifnet_departure_event, ipf_departtag); + if (V_ipf_departtag != NULL) { + EVENTHANDLER_DEREGISTER(ifnet_departure_event, V_ipf_departtag); } #if 0 - if (ipf_clonetag != NULL) { - EVENTHANDLER_DEREGISTER(if_clone_event, ipf_clonetag); + if (V_ipf_clonetag != NULL) { + EVENTHANDLER_DEREGISTER(if_clone_event, V_ipf_clonetag); } #endif } diff --git a/sys/contrib/ipfilter/netinet/mlfk_ipl.c b/sys/contrib/ipfilter/netinet/mlfk_ipl.c index a82a529572ec..9c320ee65c5e 100644 --- a/sys/contrib/ipfilter/netinet/mlfk_ipl.c +++ b/sys/contrib/ipfilter/netinet/mlfk_ipl.c @@ -283,6 +283,10 @@ vnet_ipf_uninit(void) V_ipfmain.ipf_running = -2; ipf_destroy_all(&V_ipfmain); + if (!IS_DEFAULT_VNET(curvnet)) { + ipf_event_dereg(); + (void)ipf_pfil_unhook(); + } } } VNET_SYSUNINIT(vnet_ipf_uninit, SI_SUB_PROTO_FIREWALL, SI_ORDER_THIRD,
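Review bot: ipf_event_dereg() leaves each tag non-NULL after deregistering it, so the `!= NULL` guards only cover a tag that was never registered. This patch adds a second caller, vnet_ipf_uninit() for non-default vnets. If any other teardown path reaches ipf_event_dereg() again in the same vnet (not visible in this patch), a stale tag is handed to EVENTHANDLER_DEREGISTER a second time. Clearing the tag inside each `if` body, `V_ipf_arrivetag = NULL;` and `V_ipf_departtag = NULL;`, makes the function idempotent.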
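Review bot: In vnet_ipf_uninit() (mlfk_ipl.c) the added `ipf_event_dereg()` and `ipf_pfil_unhook()` calls run after `ipf_destroy_all(&V_ipfmain)`, so the ifnet event handlers and pfil hooks of a non-default vnet stay registered while its state is being torn down. Whether the handlers bail out on `ipf_running = -2` is not visible here; if they do not, an event or packet arriving in that window reaches destroyed state, which is the same class of fault this patch is fixing. Moving the `if (!IS_DEFAULT_VNET(curvnet)) { ... }` block above the `ipf_destroy_all` call closes the window. The result of `ipf_pfil_unhook()` is also cast away, and a failed unhook would leave a hook pointing into a vnet that is going away, so it should at least be logged. The function begins outside the hunk.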