svn commit: r343229 - stable/11/sbin/pfctl
Kristof Provost
kp at FreeBSD.org
Sun Jan 20 22:01:42 UTC 2019
Author: kp
Date: Sun Jan 20 22:01:41 2019
New Revision: 343229
URL: https://svnweb.freebsd.org/changeset/base/343229
Log:
MFC r342989
pfctl: Fix 'set skip' handling for groups
When we skip on a group the kernel will automatically skip on the member
interfaces. We still need to update our own cache though, or we risk
overruling the kernel afterwards.
This manifested as 'set skip' working initially, then not working when
the rules were reloaded.
PR: 229241
Modified:
stable/11/sbin/pfctl/pfctl.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/sbin/pfctl/pfctl.c
==============================================================================
--- stable/11/sbin/pfctl/pfctl.c Sun Jan 20 22:01:39 2019 (r343228)
+++ stable/11/sbin/pfctl/pfctl.c Sun Jan 20 22:01:41 2019 (r343229)
@@ -1972,6 +1972,7 @@ int
pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
{
struct pfioc_iface pi;
+ struct node_host *h = NULL, *n = NULL;
if ((loadopt & PFCTL_FLAG_OPTION) == 0)
return (0);
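Review bot: the `= NULL` initialiser on `n` in the added declaration is dead, because the only use of `n` in this patch assigns it in the for-loop init (`n = h`). Drop it, and keep the initialiser on `h` only if a cleanup path is going to test it.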
@@ -1979,6 +1980,12 @@ pfctl_set_interface_flags(struct pfctl *pf, char *ifna
bzero(&pi, sizeof(pi));
pi.pfiio_flags = flags;
+
+ /* Make sure our cache matches the kernel. If we set or clear the flag
+ * for a group this applies to all members. */
+ h = ifa_grouplookup(ifname, 0);
+ for (n = h; n != NULL; n = n->next)
+ pfctl_set_interface_flags(pf, n->ifname, flags, how);
if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
sizeof(pi.pfiio_name))
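Review bot: the new loop discards the return value of the recursive `pfctl_set_interface_flags(pf, n->ifname, flags, how)` call, so a failure on a member interface is silently dropped while the call for the group can still return success; check the result and propagate it, or at least warn. The list returned by `ifa_grouplookup(ifname, 0)` is also never released in the lines shown, so if that helper allocates its nodes they should be freed after the loop. Finally, the lookup and the recursion run before the `strlcpy` length check on `ifname` that follows, so moving the group expansion below that check would keep overlong names out of both.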