Date:      Sun, 13 Jan 2019 05:30:26 +0000 (UTC)
From:      Kristof Provost <kp@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r342989 - head/sbin/pfctl
Message-ID:  <201901130530.x0D5UQjG037073@repo.freebsd.org>

Author: kp
Date: Sun Jan 13 05:30:26 2019
New Revision: 342989
URL: https://svnweb.freebsd.org/changeset/base/342989

Log:
  pfctl: Fix 'set skip' handling for groups
  
  When we skip on a group the kernel will automatically skip on the member
  interfaces. We still need to update our own cache though, or we risk
  overruling the kernel afterwards.
  
  This manifested as 'set skip' working initially, then not working when
  the rules were reloaded.
  
  PR:		229241
  MFC after:	1 week

Modified:
  head/sbin/pfctl/pfctl.c

Modified: head/sbin/pfctl/pfctl.c
==============================================================================
--- head/sbin/pfctl/pfctl.c	Sun Jan 13 04:51:24 2019	(r342988)
+++ head/sbin/pfctl/pfctl.c	Sun Jan 13 05:30:26 2019	(r342989)
@@ -1977,6 +1977,7 @@ int
 pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
 {
 	struct pfioc_iface	pi;
+	struct node_host	*h = NULL, *n = NULL;
 
 	if ((loadopt & PFCTL_FLAG_OPTION) == 0)
 		return (0);
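Review bot: the `= NULL` initialisers on the new `h` and `n` declarations are redundant: `h` is assigned straight from `ifa_grouplookup()` and `n` is initialised by the `for` loop before either is read, so `struct node_host *h, *n;` matches the surrounding declaration style. Style point only.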
@@ -1984,6 +1985,12 @@ pfctl_set_interface_flags(struct pfctl *pf, char *ifna
 	bzero(&pi, sizeof(pi));
 
 	pi.pfiio_flags = flags;
+
+	/* Make sure our cache matches the kernel. If we set or clear the flag
+	 * for a group this applies to all members. */
+	h = ifa_grouplookup(ifname, 0);
+	for (n = h; n != NULL; n = n->next)
+		pfctl_set_interface_flags(pf, n->ifname, flags, how);
 
 	if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
 	    sizeof(pi.pfiio_name))
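Review bot: the `struct node_host` list that `ifa_grouplookup()` returns at the top of this hunk is never released after the `for` loop, so every `set skip on <group>` leaks the member list on each rule load; free the list once the loop is done. Two smaller points on the same loop: the return value of the recursive `pfctl_set_interface_flags()` call is dropped although the function returns an `int`, so a failure on a member is silently ignored (either propagate it or note why it cannot fail), and the loop runs before the `strlcpy()` length check on `ifname`, so an over-long group name has its members processed before the check fires; moving the member loop below that check keeps the error path cheap. Termination of the recursion also relies on `ifa_grouplookup()` returning an empty list for a plain interface name, i.e. on members never being groups themselves; a one-line comment stating that assumption next to the loop would help the next reader.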



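The symptom in the commit log, skip working on the first load and silently going away on reload, is easy to miss because the group itself still shows the flag. The following is an added example, not part of the commit or of pfctl: a small POSIX sh check that compares the members of an interface group (as printed by `ifconfig -g GROUP`) against the interfaces `pfctl -vsI` marks with `(skip)`, and exits non-zero when any member has lost the flag. The group name `wan`, the member names and the sample `pfctl -vsI` output are constructed for the demo; the `(skip)` marker is the one `pfctl -vsI` prints for an interface carrying the skip flag.

```shell
#!/bin/sh
# Added example (not from the commit or from pfctl): verify that every
# member of an interface group carries pf's skip flag, so the reload
# regression described in the commit log shows up as a non-zero exit.

# members_missing_skip GROUP_MEMBERS PFCTL_VSI_OUTPUT
#   GROUP_MEMBERS:    whitespace-separated member names (what `ifconfig -g GROUP` prints)
#   PFCTL_VSI_OUTPUT: the text of `pfctl -vsI`; skipped interfaces end in " (skip)"
# Prints each member that is not marked "(skip)"; returns 1 if any, else 0.
members_missing_skip() {
	members=$1
	pfctl_out=$2
	rc=0
	for ifn in $members; do
		# Anchor on the whole line so "em1" does not match "em10 (skip)".
		if ! printf '%s\n' "$pfctl_out" | grep -q "^[[:space:]]*${ifn} (skip)\$"; then
			printf '%s\n' "$ifn"
			rc=1
		fi
	done
	return $rc
}

# Live wrapper for a FreeBSD host (needs root for pfctl): run it once after
# the first `pfctl -f /etc/pf.conf`, then again after a reload. A non-zero
# exit on the second run while the first passed is the bug the commit fixes.
check_group_skip() {
	group=$1
	members_missing_skip "$(ifconfig -g "$group")" "$(pfctl -vsI)"
}

# Constructed sample: group "wan" with members em0 and em1. The group and
# em0 show the flag, em1 does not: what a stale userland cache produced
# after a reload.
SAMPLE_MEMBERS="em0 em1"
SAMPLE_PFCTL_OUT="all
em0 (skip)
em1
lo0
wan (skip)"

if [ "${1:-}" = "--demo" ]; then
	members_missing_skip "$SAMPLE_MEMBERS" "$SAMPLE_PFCTL_OUT" \
		|| echo "the members listed above have lost the skip flag"
fi
```

Run with `--demo` to see the constructed case print `em1` and exit 1; on a real host call `check_group_skip wan` (or whatever group your `set skip on` line names) before and after a rule reload. Matching on the full line rather than a substring matters once a machine has both `em1` and `em10`.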
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201901130530.x0D5UQjG037073>