From 2a08eb329d34dbab9c8d2c46e0a242364325e19b Mon Sep 17 00:00:00 2001
From: Ryan Thomas McBride
Date: Mon, 20 Nov 2006 14:25:12 +0000
Subject: ioctl to explicitly remove source tracking nodes, diff from Berk D. Demir
ok henning dhartmei
---
 sys/net/pf_ioctl.c | 41 ++++++++++++++++++++++++++++++++++++++++-
 sys/net/pfvar.h | 10 +++++++++-
 2 files changed, 49 insertions(+), 2 deletions(-)
(limited to 'sys')
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 6fa1b199cb8..f41f6a93102 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.171 2006/10/27 13:56:51 mcbride Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.172 2006/11/20 14:25:11 mcbride Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -2771,6 +2771,45 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 break;
 }
+ case DIOCKILLSRCNODES: {
+ struct pf_src_node *sn;
+ struct pf_state *s;
+ struct pfioc_src_node_kill *psnk = \
+ (struct pfioc_src_node_kill *) addr;
+ int killed = 0;
+
+ RB_FOREACH(sn, pf_src_tree, &tree_src_tracking) {
+ if (PF_MATCHA(psnk->psnk_src.neg, \
+ &psnk->psnk_src.addr.v.a.addr, \
+ &psnk->psnk_src.addr.v.a.mask, \
+ &sn->addr, sn->af) &&
+ PF_MATCHA(psnk->psnk_dst.neg, \
+ &psnk->psnk_dst.addr.v.a.addr, \
+ &psnk->psnk_dst.addr.v.a.mask, \
+ &sn->raddr, sn->af)) {
+ /* Handle state to src_node linkage */
+ if (sn->states != 0) {
+ RB_FOREACH(s, pf_state_tree_id,
+ &tree_id) {
+ if (s->src_node == sn)
+ s->src_node = NULL;
+ if (s->nat_src_node == sn)
+ s->nat_src_node = NULL;
+ }
+ sn->states = 0;
+ }
+ sn->expire = 1;
+ killed++;
+ }
+ }
+
+ if (killed > 0)
+ pf_purge_expired_src_nodes(1);
+
+ psnk->psnk_af = killed;
+ break;
+ }
+
+ case DIOCSETHOSTID: {
 u_int32_t *hostid = (u_int32_t *)addr;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 67fb7badec4..3ca96a61b30 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
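Review bot: The caller's address family is never consulted when matching: both `PF_MATCHA` calls compare `psnk_src`/`psnk_dst` against every node using `sn->af`, so a request built from an IPv4 address and mask may also match IPv6 nodes whose leading bits coincide, and `psnk_af` is only written, never read. If I remember the DIOCKILLSTATES case correctly it gates on `psk_af` first; doing the same here by prefixing the condition with `(!psnk->psnk_af || sn->af == psnk->psnk_af) &&` lets userland pin the family while leaving the count-return at the end unchanged. Every matching node that still has states triggers a full walk of `tree_id`, so a wildcard kill costs nodes × states while the ioctl runs; a single pass over the states after marking the nodes is worth considering if large kills are expected. The `\` continuations after `psnk =` and inside the `PF_MATCHA` argument lists are not needed outside a macro and should be dropped. pfioctl() starts and ends outside this hunk.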
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.240 2006/10/27 13:56:51 mcbride Exp $ */
+/* $OpenBSD: pfvar.h,v 1.241 2006/11/20 14:25:11 mcbride Exp $ */
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -1228,6 +1228,13 @@ struct pfioc_state {
 struct pf_state state;
 };
+struct pfioc_src_node_kill {
+ /* XXX returns the number of src nodes killed in psnk_af */
+ sa_family_t psnk_af;
+ struct pf_rule_addr psnk_src;
+ struct pf_rule_addr psnk_dst;
+};
+
 struct pfioc_state_kill {
 /* XXX returns the number of states killed in psk_af */
 sa_family_t psk_af;
@@ -1415,6 +1422,7 @@ struct pfioc_iface {
 #define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface)
 #define DIOCSETIFFLAG _IOWR('D', 89, struct pfioc_iface)
 #define DIOCCLRIFFLAG _IOWR('D', 90, struct pfioc_iface)
+#define DIOCKILLSRCNODES _IOWR('D', 91, struct pfioc_src_node_kill)
 #ifdef _KERNEL
 RB_HEAD(pf_src_tree, pf_src_node);
-- cgit v1.2.3
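Review bot: `psnk_af` is reused as the return slot for the kill count, but `sa_family_t` is an 8-bit type on OpenBSD, so `psnk->psnk_af = killed;` in pf_ioctl.c silently truncates whenever more than 255 nodes match and a wildcard kill will report a wrong number. Since this struct is new, a dedicated `u_int32_t psnk_killed;` field would avoid inheriting the XXX that `pfioc_state_kill` carries for `psk_af`, which has the same limitation. If the layout is meant to stay parallel to `pfioc_state_kill`, the comment should at least spell out the range, e.g. `/* XXX returns the number of src nodes killed in psnk_af, truncated to 8 bits */`.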