git: f9baaca0f847 - stable/13 - pf: Support killing floating states by interface
Kristof Provost
kp at FreeBSD.org
Thu May 27 10:20:35 UTC 2021
The branch stable/13 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=f9baaca0f847698b27f86a527438eaf18b9cb92b
commit f9baaca0f847698b27f86a527438eaf18b9cb92b
Author: Kristof Provost <kp at FreeBSD.org>
AuthorDate: 2021-05-13 07:51:28 +0000
Commit: Kristof Provost <kp at FreeBSD.org>
CommitDate: 2021-05-27 07:08:29 +0000
pf: Support killing floating states by interface
Floating states get assigned to interface 'all' (V_pfi_all), so when we
try to flush all states for an interface, states originally created
through this interface are not flushed. Only if-bound states can be
flushed in this way.
Given that we track the original interface, we can check if the state's
interface is 'all', and if so compare to the orig_if instead.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D30246
(cherry picked from commit b62489cc92edbec318fb6c57cdc02b5e3cfa3a67)
---
sys/netpfil/pf/pf_ioctl.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
index 678cfbb7aa63..849662a23aa5 100644
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -2446,10 +2446,14 @@ pf_killstates_row(struct pf_kstate_kill *psk, struct pf_idhash *ih)
int idx, killed = 0;
unsigned int dir;
u_int16_t srcport, dstport;
+ struct pfi_kkif *kif;
relock_DIOCKILLSTATES:
PF_HASHROW_LOCK(ih);
LIST_FOREACH(s, &ih->states, entry) {
+ /* For floating states look at the original kif. */
+ kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
+
sk = s->key[PF_SK_WIRE];
if (s->direction == PF_OUT) {
srcaddr = &sk->addr[1];
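Review bot: the `kif` computed at the top of this loop is dereferenced by the `strcmp` further down in `pf_killstates_row`, so the change relies on `s->orig_kif` never being NULL for a floating state; if every state-creation path sets `orig_kif` alongside `kif` that holds, but it is worth confirming (or adding a `KASSERT` next to the assignment), because a NULL here would panic the kill path instead of skipping the state. The comment `/* For floating states look at the original kif. */` would also be more useful if it said why: a floating state's own `kif` is `V_pfi_all`, whose name can never equal a real interface name, so without this substitution the interface filter below silently skips every floating state, which is exactly the bug the commit message describes.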
@@ -2498,7 +2502,7 @@ relock_DIOCKILLSTATES:
continue;
if (psk->psk_ifname[0] && strcmp(psk->psk_ifname,
- s->kif->pfik_name))
+ kif->pfik_name))
continue;
if (psk->psk_kill_match) {
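Review bot: comparing against `kif->pfik_name` instead of `s->kif->pfik_name` changes one edge case that the commit message does not mention: a caller that passes the literal name 'all' in `psk_ifname` previously matched every floating state (its `kif` is `V_pfi_all`, the 'all' interface) and now matches none, since the name is compared against the creating interface instead. If dropping that is intended, say so in the message; if not, keep the old match as well, e.g. `strcmp(psk->psk_ifname, kif->pfik_name) && strcmp(psk->psk_ifname, s->kif->pfik_name)`. Either way the user-visible semantics, floating states being killed by the name of the interface they were created on, deserve a line in the pfctl documentation.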
@@ -5662,6 +5666,7 @@ pf_clear_states(const struct pf_kstate_kill *kill)
{
struct pf_state_key_cmp match_key;
struct pf_state *s;
+ struct pfi_kkif *kif;
int idx;
unsigned int killed = 0, dir;
@@ -5671,9 +5676,12 @@ pf_clear_states(const struct pf_kstate_kill *kill)
relock_DIOCCLRSTATES:
PF_HASHROW_LOCK(ih);
LIST_FOREACH(s, &ih->states, entry) {
+ /* For floating states look at the original kif. */
+ kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;
+
if (kill->psk_ifname[0] &&
strcmp(kill->psk_ifname,
- s->kif->pfik_name))
+ kif->pfik_name))
continue;
if (kill->psk_kill_match) {
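Review bot: the comment and the ternary `kif = s->kif == V_pfi_all ? s->orig_kif : s->kif;` are now duplicated verbatim between `pf_killstates_row` and `pf_clear_states`. A small static inline helper (for example `pf_state_filter_kif(s)`, a hypothetical name) would keep the floating-state rule in one place, give a single spot to assert `orig_kif != NULL`, and avoid the two call sites drifting apart the next time the rule changes.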