pf: create a kif for flags

If userspace tries to set flags (e.g. 'set skip on <ifspec>') and <ifspec> doesn't exist we should create a kif so that we apply the flags when the <ifspec> does turn up. Otherwise we'd end up in surprising situations where the rules say the interface should be skipped, but it's not until the rules get re-applied. Reviewed by: Lutz Donnerhacke <lutz_donnerhacke.de> MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D26742
2020-10-12 12:39:37 +00:00 · 2020-10-12 12:39:37 +00:00 · c9449e4fb8
commit c9449e4fb8
parent 253e820a4d
1 changed files with 17 additions and 3 deletions
--- a/sys/netpfil/pf/pf_if.c
+++ b/sys/netpfil/pf/pf_if.c
@ -801,9 +801,16 @@ int
 pfi_set_flags(const char *name, int flags)
 {
 	struct epoch_tracker et;
-	struct pfi_kif	*p;
+	struct pfi_kif	*p, *kif;
+
+	kif = malloc(sizeof(*kif), PFI_MTYPE, M_NOWAIT);
+	if (kif == NULL)
+		return (ENOMEM);

 	NET_EPOCH_ENTER(et);
+
+	kif = pfi_kif_attach(kif, name);
+
 	RB_FOREACH(p, pfi_ifhead, &V_pfi_ifs) {
 		if (pfi_skip_if(name, p))
 			continue;
@ -817,13 +824,20 @@ int
 pfi_clear_flags(const char *name, int flags)
 {
 	struct epoch_tracker et;
-	struct pfi_kif	*p;
+	struct pfi_kif *p, *tmp;

 	NET_EPOCH_ENTER(et);
-	RB_FOREACH(p, pfi_ifhead, &V_pfi_ifs) {
+	RB_FOREACH_SAFE(p, pfi_ifhead, &V_pfi_ifs, tmp) {
 		if (pfi_skip_if(name, p))
 			continue;
 		p->pfik_flags &= ~flags;
+
+		if (p->pfik_ifp == NULL && p->pfik_group == NULL &&
+		    p->pfik_flags == 0) {
+			/* Delete this kif. */
+			RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p);
+			free(p, PFI_MTYPE);
+		}
 	}
 	NET_EPOCH_EXIT(et);
 	return (0);