authormcbride <mcbride@openbsd.org>2006-11-20 14:25:11 +0000
committermcbride <mcbride@openbsd.org>2006-11-20 14:25:11 +0000
commitbb00d60b9ad5e5d491af5af7f62f3495515ad9af (patch)
tree5d38171b0d27ca1f224f735c5e8375e3b3064d9a
parentvprint() should be defined if DIAGNOSTIC || DEBUG. Noticed by (and (diff)
ioctl to explicitly remove source tracking nodes,
diff from Berk D. Demir <bdd@mindcast.org> ok henning dhartmei
-rw-r--r--sys/net/pf_ioctl.c41
-rw-r--r--sys/net/pfvar.h10
2 files changed, 49 insertions, 2 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 6fa1b199cb8..f41f6a93102 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.171 2006/10/27 13:56:51 mcbride Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.172 2006/11/20 14:25:11 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -2771,6 +2771,45 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
break;
}
+ case DIOCKILLSRCNODES: {
+ struct pf_src_node *sn;
+ struct pf_state *s;
+ struct pfioc_src_node_kill *psnk = \
+ (struct pfioc_src_node_kill *) addr;
+ int killed = 0;
+
+ RB_FOREACH(sn, pf_src_tree, &tree_src_tracking) {
+ if (PF_MATCHA(psnk->psnk_src.neg, \
+ &psnk->psnk_src.addr.v.a.addr, \
+ &psnk->psnk_src.addr.v.a.mask, \
+ &sn->addr, sn->af) &&
+ PF_MATCHA(psnk->psnk_dst.neg, \
+ &psnk->psnk_dst.addr.v.a.addr, \
+ &psnk->psnk_dst.addr.v.a.mask, \
+ &sn->raddr, sn->af)) {
+ /* Handle state to src_node linkage */
+ if (sn->states != 0) {
+ RB_FOREACH(s, pf_state_tree_id,
+ &tree_id) {
+ if (s->src_node == sn)
+ s->src_node = NULL;
+ if (s->nat_src_node == sn)
+ s->nat_src_node = NULL;
+ }
+ sn->states = 0;
+ }
+ sn->expire = 1;
+ killed++;
+ }
+ }
+
+ if (killed > 0)
+ pf_purge_expired_src_nodes(1);
+
+ psnk->psnk_af = killed;
+ break;
+ }
+
case DIOCSETHOSTID: {
u_int32_t *hostid = (u_int32_t *)addr;
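Review bot: `psnk->psnk_af = killed;` just before the `break` in the new `DIOCKILLSRCNODES` case stores an `int` counter into a `sa_family_t`, which is presumably narrower than `int`, so a kill that matches more than the type can hold reports a silently truncated count to userland. Since `struct pfioc_src_node_kill` is introduced by this same commit (pfvar.h hunk), the cheap fix is a dedicated `u_int32_t psnk_killed;` field written as `psnk->psnk_killed = killed;`, rather than inheriting the overloaded-af convention from `pfioc_state_kill`; note also that `psnk_af` is never read as input here, every match uses the node's own `sn->af`. The inner `RB_FOREACH(s, pf_state_tree_id, &tree_id)` runs once per matching node that has states, so a broad mask walks the entire state table once per killed node; marking matching nodes in the first loop and unlinking states in a single pass over `tree_id` afterwards would make this linear. The backslash line continuations inside the `PF_MATCHA` arguments and the `psnk` cast are legal but unusual in plain C expressions and can be dropped. The enclosing `pfioctl` switch starts and ends outside the hunk.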
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 67fb7badec4..3ca96a61b30 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.240 2006/10/27 13:56:51 mcbride Exp $ */
+/* $OpenBSD: pfvar.h,v 1.241 2006/11/20 14:25:11 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1228,6 +1228,13 @@ struct pfioc_state {
struct pf_state state;
};
+struct pfioc_src_node_kill {
+ /* XXX returns the number of src nodes killed in psnk_af */
+ sa_family_t psnk_af;
+ struct pf_rule_addr psnk_src;
+ struct pf_rule_addr psnk_dst;
+};
+
struct pfioc_state_kill {
/* XXX returns the number of states killed in psk_af */
sa_family_t psk_af;
@@ -1415,6 +1422,7 @@ struct pfioc_iface {
#define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface)
#define DIOCSETIFFLAG _IOWR('D', 89, struct pfioc_iface)
#define DIOCCLRIFFLAG _IOWR('D', 90, struct pfioc_iface)
+#define DIOCKILLSRCNODES _IOWR('D', 91, struct pfioc_src_node_kill)
#ifdef _KERNEL
RB_HEAD(pf_src_tree, pf_src_node);
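Review bot: The `XXX` comment on `psnk_af` in the new `struct pfioc_src_node_kill` only names the return value and leaves the input contract undocumented; the handler added in pf_ioctl.c never consults `psnk_af` on input and matches `psnk_src`/`psnk_dst` (addr, mask and neg) against each node's own address family, so a caller has no way to restrict the kill to one family. A comment such as `/* XXX out: number of src nodes killed; ignored on input, nodes of every af are matched against psnk_src/psnk_dst */` on the `psnk_af` line would make that explicit. The width of the count field is raised on the pf_ioctl.c hunk.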