author: Henning Brauer <henning@cvs.openbsd.org> 2012-07-07 15:20:15 +0000
committer: Henning Brauer <henning@cvs.openbsd.org> 2012-07-07 15:20:15 +0000
commit: c883ff0d8795f045f38189eab0f8275594faa39c
tree: 5662185f5a7a8c386a19c48fec61de36a5f05b7b /sys
parent: 704c34ad31cae4641303185d9333ce8059047d19
restore DIOCKILLSTATE semantics to what they were before the NAT rewrite.
when you kill states by IP, it is not all that clear which IP we're talking about - before or after rewriting? the old semantics were to always look at the "original" IP, i.e. before rewriting. ever since the NAT rewrite we were unconditionally looking at the wire side state key, which is the original address for PF_IN states, but not for PF_OUT. So look at the SK_STACK state key in the PF_OUT case. should fix "authpf doesn't remove NAT states" seen on misc a while ago. ok & testing & half of the analysis bob (he sez beck)
Diffstat (limited to 'sys')
-rw-r--r-- sys/net/pf_ioctl.c 5
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 7e89346e96f..3470d110881 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.250 2012/04/03 15:09:03 mikeb Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.251 2012/07/07 15:20:14 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1346,14 +1346,15 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
for (s = RB_MIN(pf_state_tree_id, &tree_id); s;
s = nexts) {
nexts = RB_NEXT(pf_state_tree_id, &tree_id, s);
- sk = s->key[PF_SK_WIRE];
if (s->direction == PF_OUT) {
+ sk = s->key[PF_SK_STACK];
srcaddr = &sk->addr[1];
dstaddr = &sk->addr[0];
srcport = sk->port[0];
dstport = sk->port[0];
} else {
+ sk = s->key[PF_SK_WIRE];
srcaddr = &sk->addr[0];
dstaddr = &sk->addr[1];
srcport = sk->port[0];
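Review bot: the port assignments in the PF_OUT branch do not mirror the swapped address indices: `srcaddr = &sk->addr[1]` and `dstaddr = &sk->addr[0]` swap the key's two endpoints, but `srcport = sk->port[0];` and `dstport = sk->port[0];` both read index 0, so a kill request that filters on the destination port appears to be compared against the wrong endpoint's port for outbound states. Unless the key layout is intentionally asymmetric for ports, `srcport = sk->port[1]; dstport = sk->port[0];` would make the outbound branch consistent with the inbound one. A short comment next to the new `sk = s->key[PF_SK_STACK];` line stating that the stack-side key carries the pre-translation addresses for PF_OUT states (the semantics the commit message restores) would also keep the next reader from "simplifying" the two assignments back into one.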