diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2019-01-13 05:30:26 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2019-01-13 05:30:26 +0000 |
| commit | b1f3ab005130e293f435f3f523d836056daf8634 (patch) | |
| tree | fc1a6a1e7e887f4b097f6b32968a57c9ef78a4ca /sbin/pfctl | |
| parent | 2da4e52d79e8b1799931e5823b00bd4d614edbf0 (diff) | |
| download | src-test-b1f3ab005130e293f435f3f523d836056daf8634.tar.gz src-test-b1f3ab005130e293f435f3f523d836056daf8634.zip | |
pfctl: Fix 'set skip' handling for groups
When we skip on a group the kernel will automatically skip on the member
interfaces. We still need to update our own cache though, or we risk
overruling the kernel afterwards.
This manifested as 'set skip' working initially, then not working when
the rules were reloaded.
PR: 229241
MFC after: 1 week
Notes
Notes:
svn path=/head/; revision=342989
Diffstat (limited to 'sbin/pfctl')
| -rw-r--r-- | sbin/pfctl/pfctl.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 63298d7449cce..4e00bf2462a6c 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -1977,6 +1977,7 @@ int pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how) { struct pfioc_iface pi; + struct node_host *h = NULL, *n = NULL; if ((loadopt & PFCTL_FLAG_OPTION) == 0) return (0); @@ -1985,6 +1986,12 @@ pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how) pi.pfiio_flags = flags; + /* Make sure our cache matches the kernel. If we set or clear the flag + * for a group this applies to all members. */ + h = ifa_grouplookup(ifname, 0); + for (n = h; n != NULL; n = n->next) + pfctl_set_interface_flags(pf, n->ifname, flags, how); + if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >= sizeof(pi.pfiio_name)) errx(1, "pfctl_set_interface_flags: strlcpy"); |