d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

pfctl: Fix 'set skip' handling for groups

Browse Source 
When we skip on a group the kernel will automatically skip on the member
interfaces. We still need to update our own cache though, or we risk
overruling the kernel afterwards.

This manifested as 'set skip' working initially, then not working when
the rules were reloaded.

PR:		229241
MFC after:	1 week
This commit is contained in:
kp 2019-01-13 05:30:26 +00:00
parent 101bdaba8d
commit dff9d64e7b
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
sbin/pfctl/pfctl.c
View File

@ -1977,6 +1977,7 @@ int
pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
{
struct pfioc_iface pi;
struct node_host *h = NULL, *n = NULL;
if ((loadopt & PFCTL_FLAG_OPTION) == 0)
return (0);
@ -1985,6 +1986,12 @@ pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
pi.pfiio_flags = flags;
/* Make sure our cache matches the kernel. If we set or clear the flag
* for a group this applies to all members. */
h = ifa_grouplookup(ifname, 0);
for (n = h; n != NULL; n = n->next)
pfctl_set_interface_flags(pf, n->ifname, flags, how);
if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
sizeof(pi.pfiio_name))
errx(1, "pfctl_set_interface_flags: strlcpy");