Date:      Thu, 20 May 2021 11:54:53 GMT
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject:   git: b62489cc92ed - main - pf: Support killing floating states by interface
Message-ID:  <202105201154.14KBsrXX056910@gitrepo.freebsd.org>

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=b62489cc92edbec318fb6c57cdc02b5e3cfa3a67

commit b62489cc92edbec318fb6c57cdc02b5e3cfa3a67
Author:     Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2021-05-13 07:51:28 +0000
Commit:     Kristof Provost <kp@FreeBSD.org>
CommitDate: 2021-05-20 10:49:27 +0000

    pf: Support killing floating states by interface
    
    Floating states get assigned to interface 'all' (V_pfi_all), so when we
    try to flush all states for an interface states originally created
    through this interface are not flushed. Only if-bound states can be
    flushed in this way.
    
    Given that we track the original interface we can check if the state's
    interface is 'all', and if so compare to the orig_if instead.
    
    MFC after:      1 week
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
    Differential Revision:  https://reviews.freebsd.org/D30246
---
 sys/netpfil/pf/pf_ioctl.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 62c1f35c3c3f..91a175caa74f 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2828,10 +2828,14 @@ pf_killstates_row(struct pf_kstate_kill *psk, struct pf_idhash *ih)
 	int			 idx, killed = 0;
 	unsigned int		 dir;
 	u_int16_t		 srcport, dstport;
+	struct pfi_kkif		*kif;
 
 relock_DIOCKILLSTATES:
 	PF_HASHROW_LOCK(ih);
 	LIST_FOREACH(s, &ih->states, entry) {
+		/* For floating states look at the original kif. */
+		kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
+
 		sk = s->key[PF_SK_WIRE];
 		if (s->direction == PF_OUT) {
 			srcaddr = &sk->addr[1];
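Review bot: the new line `kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;` means this loop now dereferences `s->orig_kif` (via `kif->pfik_name` later in the function) where the old code only ever dereferenced `s->kif`; it is worth confirming in review that `orig_kif` is guaranteed non-NULL for every state attached to `V_pfi_all`, or adding a fallback such as `s->orig_kif != NULL ? s->orig_kif : s->kif` so a floating state without an originating kif cannot crash the kill path.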
@@ -2880,7 +2884,7 @@ relock_DIOCKILLSTATES:
 			continue;
 
 		if (psk->psk_ifname[0] && strcmp(psk->psk_ifname,
-		    s->kif->pfik_name))
+		    kif->pfik_name))
 			continue;
 
 		if (psk->psk_kill_match) {
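Review bot: switching the comparison from `s->kif->pfik_name` to `kif->pfik_name` changes user-visible behaviour (an interface filter on a state kill now also matches floating states by the interface they were created on), but the diffstat shows only `sys/netpfil/pf/pf_ioctl.c` changing; consider adding a sentence to the pfctl/pf documentation describing this matching rule and a regression test that creates a floating state on one interface and verifies it is killed by an interface-scoped kill, so the new semantics do not silently regress.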
@@ -5662,6 +5666,7 @@ pf_clear_states(const struct pf_kstate_kill *kill)
 {
 	struct pf_state_key_cmp	 match_key;
 	struct pf_state	*s;
+	struct pfi_kkif	*kif;
 	int		 idx;
 	unsigned int	 killed = 0, dir;
 
@@ -5671,9 +5676,12 @@ pf_clear_states(const struct pf_kstate_kill *kill)
 relock_DIOCCLRSTATES:
 		PF_HASHROW_LOCK(ih);
 		LIST_FOREACH(s, &ih->states, entry) {
+			/* For floating states look at the original kif. */
+			kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
+
 			if (kill->psk_ifname[0] &&
 			    strcmp(kill->psk_ifname,
-			    s->kif->pfik_name))
+			    kif->pfik_name))
 				continue;
 
 			if (kill->psk_kill_match) {
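Review bot: `kif` is computed unconditionally at the top of the loop body even though it is only consumed inside `if (kill->psk_ifname[0] && ...)`, so every state in every hash row pays for the selection even when no interface filter was given; a minor style point, but moving the assignment inside the `psk_ifname[0]` branch (or testing `kill->psk_ifname[0]` once before the loop) keeps the common no-filter path identical to the pre-change code.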