ipf_stack_destroy error messages when halting zones
Halting a zone with ipfilter running dumps the message "ipf: ipf_stack_destroy: ipldetach failed" to the console. This seems to happen even if there are no rules in ipf.conf or ipnat.conf. So:
- Is this actually an error? Looking at ipf/solaris.c, it definitely looks like it.
- If this is an error, does it matter since the zone is halting?
- If it doesn't matter, can we suppress the message in this case?
This is happening in ipldetach() when the function returns -1.
There are three places that can happen, but I debugged that this is
happening at the 3rd spot, this block of code:
    if (ifs->ifs_hook4_physical_in || ifs->ifs_hook4_physical_out ||
        ifs->ifs_hook4_nic_events || ifs->ifs_hook4_loopback_in ||
        ifs->ifs_hook4_loopback_out || ifs->ifs_hook6_nic_events ||
        ifs->ifs_hook6_physical_in || ifs->ifs_hook6_physical_out ||
        ifs->ifs_hook6_loopback_in || ifs->ifs_hook6_loopback_out)
This block is checking to see if any of the UNDO_HOOK macros above failed.
Looking at that macro definition we see it does the following:
    ifs->_b = (net_hook_unregister(ifs->_f, \
        _e, ifs->_h) != 0);
This is what is setting the value of each flag that the 3rd check is failing on.
net_hook_unregister() eventually works its way into hook_unregister(). This
function could fail to unregister the hook in a number of spots. It looks like
we don't necessarily have to fail if it returned ENXIO. I need to do more debugging
to track this to the next level.
The hooks were torn down when the zone's exclusive stack was torn down. This happens in the code path
ip_stack_finis -> ipv4_hook_destroy -> net_family_unregister
When the ipfilter stack is torn down in the following code
ipf_stack_destroy -> ipldetach
The UNDO_HOOK macro fails because net_hook_unregister can return ENXIO if the hooks are already torn down. This leaves the flags in the struct still set to true, which causes the final test right before we would return 0 to fail, leading us to return -1.
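The teardown ordering described above, reduced to a small model (an added example, not illumos source and not the committed fix). All names here (model_stack, model_unregister, undo_strict, undo_tolerant, model_detach) are hypothetical, and the tolerant variant is only one possible handling, based on the remark above that ENXIO need not be a failure.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not illumos source: two hook flags instead of ten. */
struct model_stack {
    bool family_registered; /* false once the IP stack has torn down its hooks */
    bool hook_in;           /* "still registered" flag, like ifs_hook4_physical_in */
    bool hook_out;          /* like ifs_hook4_physical_out */
};

/* Hypothetical stand-in for net_hook_unregister(): ENXIO if the family is gone. */
static int model_unregister(const struct model_stack *s)
{
    return s->family_registered ? 0 : ENXIO;
}

/* Same assignment as the UNDO_HOOK line quoted above: any non-zero keeps the flag. */
static void undo_strict(struct model_stack *s, bool *flag)
{
    if (*flag)
        *flag = (model_unregister(s) != 0);
}

/* Assumed alternative: ENXIO means "already unregistered", so clear the flag. */
static void undo_tolerant(struct model_stack *s, bool *flag)
{
    if (*flag) {
        int rc = model_unregister(s);
        *flag = (rc != 0 && rc != ENXIO);
    }
}

/* Returns 0 on a clean detach, -1 if any flag is still set (the final check). */
static int model_detach(bool family_registered, bool tolerant)
{
    struct model_stack s = { family_registered, true, true };
    void (*undo)(struct model_stack *, bool *) = tolerant ? undo_tolerant : undo_strict;
    undo(&s, &s.hook_in);
    undo(&s, &s.hook_out);
    return (s.hook_in || s.hook_out) ? -1 : 0;
}

int main(void)
{
    printf("hooks present, strict: %d\n", model_detach(true, false));
    printf("hooks gone, strict:    %d\n", model_detach(false, false));
    printf("hooks gone, tolerant:  %d\n", model_detach(false, true));
    return 0;
}
```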
Updated by Electric Monk almost 7 years ago
- Status changed from New to Closed
commit c67987612cd8324e1f3d1b5110086552d19a2d89
Author: Jerry Jelinek <email@example.com>
Date: 2014-12-11T02:00:28.000Z

5200 ipf_stack_destroy error messages when halting zones
Reviewed by: Robert Mustacchi <firstname.lastname@example.org>
Reviewed by: Igor Kozhukhov <email@example.com>
Reviewed by: Dan McDonald <firstname.lastname@example.org>
Reviewed by: Darren Reed <email@example.com>
Approved by: Richard Lowe <firstname.lastname@example.org>