diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index 9f504237b4ee..f50afa7c78ef 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -642,6 +642,7 @@ _pfctl_clear_states(int dev, const struct pfctl_kill *kill, nvlist_add_number(nvl, "proto", kill->proto); pfctl_nv_add_rule_addr(nvl, "src", &kill->src); pfctl_nv_add_rule_addr(nvl, "dst", &kill->dst); + pfctl_nv_add_rule_addr(nvl, "rt_addr", &kill->rt_addr); nvlist_add_string(nvl, "ifname", kill->ifname); nvlist_add_string(nvl, "label", kill->label); diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h index aa7f0ffd8fad..5c8b2108d937 100644 --- a/lib/libpfctl/libpfctl.h +++ b/lib/libpfctl/libpfctl.h @@ -191,6 +191,7 @@ struct pfctl_kill { int proto; struct pf_rule_addr src; struct pf_rule_addr dst; + struct pf_rule_addr rt_addr; char ifname[IFNAMSIZ]; char label[PF_RULE_LABEL_SIZE]; }; diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index f12489d9493a..f3905f850c5a 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -45,7 +45,7 @@ .Op Fl K Ar host | network .Xo .Oo Fl k -.Ar host | network | label | id +.Ar host | network | label | id | gateway .Oc Xc .Op Fl o Ar level .Op Fl p Ar device @@ -256,14 +256,15 @@ option may be specified, which will kill all the source tracking entries from the first host/network to the second. .It Xo .Fl k -.Ar host | network | label | id +.Ar host | network | label | id | gateway .Xc Kill all of the state entries matching the specified .Ar host , .Ar network , .Ar label , +.Ar id , or -.Ar id . +.Ar gateway. .Pp For example, to kill all of the state entries originating from .Dq host : @@ -317,6 +318,19 @@ To kill a state with ID 4823e84500000018 created from a backup firewall with hostid 00000002 use: .Pp .Dl # pfctl -k id -k 4823e84500000018/2 +.Pp +It is also possible to kill states created from a rule with the route-to/reply-to +parameter set to route the connection through a particular gateway. +Note that rules routing via the default routing table (not via a route-to +rule) will have their rt_addr set as 0.0.0.0 or ::. +To kill all states using a gateway of 192.168.0.1 use: +.Pp +.Dl # pfctl -k gateway -k 192.168.0.1 +.Pp +A network prefix length can also be specified. +To kill all states using a gateway in 192.168.0.0/24: +.Pp +.Dl # pfctl -k gateway -k 192.168.0.0/24 .It Fl m Merge in explicitly given options without resetting those which are omitted. diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 487dfb480cdc..96f3b4740d90 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -83,6 +83,7 @@ int pfctl_clear_iface_states(int, const char *, int); void pfctl_addrprefix(char *, struct pf_addr *); int pfctl_kill_src_nodes(int, const char *, int); int pfctl_net_kill_states(int, const char *, int); +int pfctl_gateway_kill_states(int, const char *, int); int pfctl_label_kill_states(int, const char *, int); int pfctl_id_kill_states(int, const char *, int); void pfctl_init_options(struct pfctl *); @@ -246,7 +247,7 @@ usage(void) fprintf(stderr, "usage: %s [-AdeghmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier]\n" "\t[-f file] [-i interface] [-K host | network]\n" - "\t[-k host | network | label | id] [-o level] [-p device]\n" + "\t[-k host | network | gateway | label | id] [-o level] [-p device]\n" "\t[-s modifier] [-t table -T command [address ...]] [-x level]\n", __progname); @@ -744,6 +745,67 @@ pfctl_net_kill_states(int dev, const char *iface, int opts) return (0); } +int +pfctl_gateway_kill_states(int dev, const char *iface, int opts) +{ + struct pfctl_kill kill; + struct addrinfo *res, *resp; + struct sockaddr last_src; + unsigned int newkilled; + int killed = 0; + int ret_ga; + + if (state_killers != 2 || (strlen(state_kill[1]) == 0)) { + warnx("no gateway specified"); + usage(); + } + + memset(&kill, 0, sizeof(kill)); + memset(&kill.rt_addr.addr.v.a.mask, 0xff, + sizeof(kill.rt_addr.addr.v.a.mask)); + memset(&last_src, 0xff, sizeof(last_src)); + if (iface != NULL && strlcpy(kill.ifname, iface, + sizeof(kill.ifname)) >= sizeof(kill.ifname)) + errx(1, "invalid interface: %s", iface); + + pfctl_addrprefix(state_kill[1], &kill.rt_addr.addr.v.a.mask); + + if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL, &res))) { + errx(1, "getaddrinfo: %s", gai_strerror(ret_ga)); + /* NOTREACHED */ + } + for (resp = res; resp; resp = resp->ai_next) { + if (resp->ai_addr == NULL) + continue; + /* We get lots of duplicates. Catch the easy ones */ + if (memcmp(&last_src, resp->ai_addr, sizeof(last_src)) == 0) + continue; + last_src = *(struct sockaddr *)resp->ai_addr; + + kill.af = resp->ai_family; + + if (kill.af == AF_INET) + kill.rt_addr.addr.v.a.addr.v4 = + ((struct sockaddr_in *)resp->ai_addr)->sin_addr; + else if (kill.af == AF_INET6) + kill.rt_addr.addr.v.a.addr.v6 = + ((struct sockaddr_in6 *)resp->ai_addr)-> + sin6_addr; + else + errx(1, "Unknown address family %d", kill.af); + + if (pfctl_kill_states(dev, &kill, &newkilled)) + err(1, "DIOCKILLSTATES"); + killed += newkilled; + } + + freeaddrinfo(res); + + if ((opts & PF_OPT_QUIET) == 0) + fprintf(stderr, "killed %d states\n", killed); + return (0); +} + int pfctl_label_kill_states(int dev, const char *iface, int opts) { @@ -2455,6 +2517,8 @@ main(int argc, char *argv[]) pfctl_label_kill_states(dev, ifaceopt, opts); else if (!strcmp(state_kill[0], "id")) pfctl_id_kill_states(dev, ifaceopt, opts); + else if (!strcmp(state_kill[0], "gateway")) + pfctl_gateway_kill_states(dev, ifaceopt, opts); else pfctl_net_kill_states(dev, ifaceopt, opts); } diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4 index e71ef8f426e4..2fb132203908 100644 --- a/share/man/man4/pf.4 +++ b/share/man/man4/pf.4 @@ -28,7 +28,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 5, 2018 +.Dd May 7, 2021 .Dt PF 4 .Os .Sh NAME diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 6c044fa8b449..b010f0fb3d80 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -1081,6 +1081,7 @@ struct pf_kstate_kill { int psk_proto; struct pf_rule_addr psk_src; struct pf_rule_addr psk_dst; + struct pf_rule_addr psk_rt_addr; char psk_ifname[IFNAMSIZ]; char psk_label[PF_RULE_LABEL_SIZE]; u_int psk_killed; diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c index 1340d9eec008..27ed468497da 100644 --- a/sys/netpfil/pf/pf_ioctl.c +++ b/sys/netpfil/pf/pf_ioctl.c @@ -2458,6 +2458,10 @@ pf_nvstate_kill_to_kstate_kill(const nvlist_t *nvl, return (EINVAL); PFNV_CHK(pf_nvrule_addr_to_rule_addr(nvlist_get_nvlist(nvl, "dst"), &kill->psk_dst)); + if (nvlist_exists_nvlist(nvl, "rt_addr")) { + PFNV_CHK(pf_nvrule_addr_to_rule_addr( + nvlist_get_nvlist(nvl, "rt_addr"), &kill->psk_rt_addr)); + } PFNV_CHK(pf_nvstring(nvl, "ifname", kill->psk_ifname, sizeof(kill->psk_ifname))); @@ -2679,6 +2683,12 @@ pf_killstates_row(struct pf_kstate_kill *psk, struct pf_idhash *ih) &psk->psk_dst.addr.v.a.mask, dstaddr, sk->af)) continue; + if (! PF_MATCHA(psk->psk_rt_addr.neg, + &psk->psk_rt_addr.addr.v.a.addr, + &psk->psk_rt_addr.addr.v.a.mask, + &s->rt_addr, sk->af)) + continue; + if (psk->psk_src.port_op != 0 && ! pf_match_port(psk->psk_src.port_op, psk->psk_src.port[0], psk->psk_src.port[1], srcport))