d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

MFC r342989

Browse Source 
pfctl: Fix 'set skip' handling for groups

When we skip on a group the kernel will automatically skip on the member
interfaces. We still need to update our own cache though, or we risk
overruling the kernel afterwards.

This manifested as 'set skip' working initially, then not working when
the rules were reloaded.

PR:		229241
This commit is contained in:
Kristof Provost 2019-01-20 22:01:41 +00:00
parent 23b2af1ad0
commit 46657c3818
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
sbin/pfctl/pfctl.c
View File

@ -1972,6 +1972,7 @@ int
pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how) pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
{ {
struct pfioc_iface pi; struct pfioc_iface pi;
struct node_host *h = NULL, *n = NULL;
if ((loadopt & PFCTL_FLAG_OPTION) == 0) if ((loadopt & PFCTL_FLAG_OPTION) == 0)
return (0); return (0);
@ -1980,6 +1981,12 @@ pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
pi.pfiio_flags = flags; pi.pfiio_flags = flags;
/* Make sure our cache matches the kernel. If we set or clear the flag
* for a group this applies to all members. */
h = ifa_grouplookup(ifname, 0);
for (n = h; n != NULL; n = n->next)
pfctl_set_interface_flags(pf, n->ifname, flags, how);
if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >= if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
sizeof(pi.pfiio_name)) sizeof(pi.pfiio_name))
errx(1, "pfctl_set_interface_flags: strlcpy"); errx(1, "pfctl_set_interface_flags: strlcpy");