diff options
author | Henning Brauer <henning@cvs.openbsd.org> | 2012-07-07 15:20:15 +0000 |
---|---|---|
committer | Henning Brauer <henning@cvs.openbsd.org> | 2012-07-07 15:20:15 +0000 |
commit | c883ff0d8795f045f38189eab0f8275594faa39c (patch) | |
tree | 5662185f5a7a8c386a19c48fec61de36a5f05b7b /sys | |
parent | 704c34ad31cae4641303185d9333ce8059047d19 (diff) |
restore DIOCKILLSTATE semantics to what they were before the NAT rewrite.
when you kill states by IP, it is not all that clear which IP we're talking
about - before or after rewriting?
the old semantics were to always look at the "original" IP, i. e. before
rewriting. ever since the NAT rewrite we were unconditionally looking
at the wire side state key, which is the original address for PF_IN states,
but not for PF_OUT. So look at the SK_STACK state key in the PF_OUT case.
should fix "authpf doesn't remove NAT states" seen on misc a while ago
ok & testing & half of the analysis bob (he sez beck)
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/pf_ioctl.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c index 7e89346e96f..3470d110881 100644 --- a/sys/net/pf_ioctl.c +++ b/sys/net/pf_ioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pf_ioctl.c,v 1.250 2012/04/03 15:09:03 mikeb Exp $ */ +/* $OpenBSD: pf_ioctl.c,v 1.251 2012/07/07 15:20:14 henning Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -1346,14 +1346,15 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p) for (s = RB_MIN(pf_state_tree_id, &tree_id); s; s = nexts) { nexts = RB_NEXT(pf_state_tree_id, &tree_id, s); - sk = s->key[PF_SK_WIRE]; if (s->direction == PF_OUT) { + sk = s->key[PF_SK_STACK]; srcaddr = &sk->addr[1]; dstaddr = &sk->addr[0]; srcport = sk->port[0]; dstport = sk->port[0]; } else { + sk = s->key[PF_SK_WIRE]; srcaddr = &sk->addr[0]; dstaddr = &sk->addr[1]; srcport = sk->port[0]; |