The branch stable/12 has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b8c1a98438c0b6b36063a5a17a2fd625738bb9e0

commit b8c1a98438c0b6b36063a5a17a2fd625738bb9e0
Author:     Kristof Provost <[email protected]>
AuthorDate: 2021-05-13 07:51:28 +0000
Commit:     Kristof Provost <[email protected]>
CommitDate: 2021-05-27 07:09:21 +0000

    pf: Support killing floating states by interface
    
    Floating states get assigned to interface 'all' (V_pfi_all), so when we
    try to flush all states for an interface, states originally created
    through this interface are not flushed. Only if-bound states can be
    flushed in this way.
    
    Given that we track the original interface we can check if the state's
    interface is 'all', and if so compare to the orig_if instead.
    
    MFC after:      1 week
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D30246
    
    (cherry picked from commit b62489cc92edbec318fb6c57cdc02b5e3cfa3a67)
---
 sys/netpfil/pf/pf_ioctl.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 4f7767773037..42429972fe53 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2447,10 +2447,14 @@ pf_killstates_row(struct pf_kstate_kill *psk, struct 
pf_idhash *ih)
        int                      idx, killed = 0;
        unsigned int             dir;
        u_int16_t                srcport, dstport;
+       struct pfi_kkif         *kif;
 
 relock_DIOCKILLSTATES:
        PF_HASHROW_LOCK(ih);
        LIST_FOREACH(s, &ih->states, entry) {
+               /* For floating states look at the original kif. */
+               kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
+
                sk = s->key[PF_SK_WIRE];
                if (s->direction == PF_OUT) {
                        srcaddr = &sk->addr[1];
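Review bot: The new `kif` can be `s->orig_kif`, and it is later dereferenced in `strcmp(psk->psk_ifname, kif->pfik_name)` with the hash row locked, yet nothing in this hunk shows that `orig_kif` is always set for a floating state. If any state-insertion path leaves it NULL, an interface-scoped kill would fault in the kernel instead of skipping the state; the same selection is repeated in the `pf_clear_states` loop. I would add `KASSERT(kif != NULL, ("%s: state without kif", __func__));` right after the assignment, or fall back to `s->kif` when `orig_kif` is NULL. The loop body and the rest of `pf_killstates_row` continue outside the hunk, so the invariant may already be guaranteed where states are inserted.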
@@ -2499,7 +2503,7 @@ relock_DIOCKILLSTATES:
                        continue;
 
                if (psk->psk_ifname[0] && strcmp(psk->psk_ifname,
-                   s->kif->pfik_name))
+                   kif->pfik_name))
                        continue;
 
                if (psk->psk_kill_match) {
@@ -5677,6 +5681,7 @@ pf_clear_states(const struct pf_kstate_kill *kill)
 {
        struct pf_state_key_cmp  match_key;
        struct pf_state *s;
+       struct pfi_kkif *kif;
        int              idx;
        unsigned int     killed = 0, dir;
 
@@ -5686,9 +5691,12 @@ pf_clear_states(const struct pf_kstate_kill *kill)
 relock_DIOCCLRSTATES:
                PF_HASHROW_LOCK(ih);
                LIST_FOREACH(s, &ih->states, entry) {
+                       /* For floating states look at the original kif. */
+                       kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
+
                        if (kill->psk_ifname[0] &&
                            strcmp(kill->psk_ifname,
-                           s->kif->pfik_name))
+                           kif->pfik_name))
                                continue;
 
                        if (kill->psk_kill_match) {
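Review bot: The floating-state interface selection `s->kif == V_pfi_all ? s->orig_kif : s->kif` is now open-coded twice, here and in `pf_killstates_row`, so a later change to how floating states are matched can easily update one path and not the other. That matters operationally, because a flush that silently misses states leaves those connections passing traffic after the operator believes they were cleared. A small `static inline` helper that takes the state pointer and returns the effective kif, with the existing comment moved onto it, would keep both ioctl paths in step. The loop continues past the end of this hunk.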