Author: kp
Date: Sun Jan 20 22:01:39 2019
New Revision: 343228
URL: https://svnweb.freebsd.org/changeset/base/343228

Log:
  MFC r342989
  
  pfctl: Fix 'set skip' handling for groups
  
  When we skip on a group the kernel will automatically skip on the member
  interfaces. We still need to update our own cache though, or we risk
  overruling the kernel afterwards.
  
  This manifested as 'set skip' working initially, then not working when
  the rules were reloaded.
  
  PR:           229241

Modified:
  stable/12/sbin/pfctl/pfctl.c
Directory Properties:
  stable/12/   (props changed)

Modified: stable/12/sbin/pfctl/pfctl.c
==============================================================================
--- stable/12/sbin/pfctl/pfctl.c        Sun Jan 20 21:49:13 2019        
(r343227)
+++ stable/12/sbin/pfctl/pfctl.c        Sun Jan 20 22:01:39 2019        
(r343228)
@@ -1977,6 +1977,7 @@ int
 pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
 {
        struct pfioc_iface      pi;
+       struct node_host        *h = NULL, *n = NULL;
 
        if ((loadopt & PFCTL_FLAG_OPTION) == 0)
                return (0);
@@ -1984,6 +1985,12 @@ pfctl_set_interface_flags(struct pfctl *pf, char *ifna
        bzero(&pi, sizeof(pi));
 
        pi.pfiio_flags = flags;
+
+       /* Make sure our cache matches the kernel. If we set or clear the flag
+        * for a group this applies to all members. */
+       h = ifa_grouplookup(ifname, 0);
+       for (n = h; n != NULL; n = n->next)
+               pfctl_set_interface_flags(pf, n->ifname, flags, how);
 
        if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
            sizeof(pi.pfiio_name))
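Review bot: The recursive call in the new loop discards its int result, so a failure to update a member interface's cached flags goes unnoticed and the cache can again disagree with the kernel about which interfaces are skipped; propagate it, e.g. `int rv = pfctl_set_interface_flags(pf, n->ifname, flags, how);` followed by `if (rv != 0) return (rv);`. The list returned by `ifa_grouplookup(ifname, 0)` is walked but `h` is never released in the lines shown, so if that lookup allocates its result (not visible here) each call on a group leaks the list. The loop also runs before the `strlcpy` length check on `ifname`, and the recursion only terminates if the lookup returns NULL for a plain interface name, which is worth stating in the comment. The function body continues past the end of the hunk, so cleanup or error handling may exist further down that is not visible here.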