pf: Support killing floating states by interface

Floating states get assigned to interface 'all' (V_pfi_all), so when we
try to flush all states for an interface states originally created
through this interface are not flushed. Only if-bound states can be
flushed in this way.

Given that we track the original interface we can check if the state's
interface is 'all', and if so compare to the orig_if instead.

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D30246

sys/netpfil/pf/pf_ioctl.c

@@ -2828,10 +2828,14 @@ pf_killstates_row(struct pf_kstate_kill *psk, struct pf_idhash *ih)
 	int			 idx, killed = 0;
 	unsigned int		 dir;
 	u_int16_t		 srcport, dstport;
+	struct pfi_kkif		*kif;
 
 relock_DIOCKILLSTATES:
 	PF_HASHROW_LOCK(ih);
 	LIST_FOREACH(s, &ih->states, entry) {
+		/* For floating states look at the original kif. */
+		kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
+
 		sk = s->key[PF_SK_WIRE];
 		if (s->direction == PF_OUT) {
 			srcaddr = &sk->addr[1];
@@ -2880,7 +2884,7 @@ pf_killstates_row(struct pf_kstate_kill *psk, struct pf_idhash *ih)
 			continue;
 
 		if (psk->psk_ifname[0] && strcmp(psk->psk_ifname,
-		    s->kif->pfik_name))
+		    kif->pfik_name))
 			continue;
 
 		if (psk->psk_kill_match) {
@@ -5662,6 +5666,7 @@ pf_clear_states(const struct pf_kstate_kill *kill)
 {
 	struct pf_state_key_cmp	 match_key;
 	struct pf_state	*s;
+	struct pfi_kkif	*kif;
 	int		 idx;
 	unsigned int	 killed = 0, dir;
 
@@ -5671,9 +5676,12 @@ pf_clear_states(const struct pf_kstate_kill *kill)
 relock_DIOCCLRSTATES:
 		PF_HASHROW_LOCK(ih);
 		LIST_FOREACH(s, &ih->states, entry) {
+			/* For floating states look at the original kif. */
+			kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
+
 			if (kill->psk_ifname[0] &&
 			    strcmp(kill->psk_ifname,
-			    s->kif->pfik_name))
+			    kif->pfik_name))
 				continue;
 
 			if (kill->psk_kill_match) {