author | Renato Botelho <garga@FreeBSD.org> | 2013-06-24 11:40:22 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2013-06-24 11:40:58 -0300 |
commit | efe42b5a05dfc7c718b04fb00391f251d846a2f2 (patch) | |
tree | dfcdd1044263201a69c11e94c023cae1a4fc69bf /etc/rc.kill_states | |
parent | 63b69d3427d893736171292e347eb571c819b8a5 (diff) | |
download | pfsense-efe42b5a05dfc7c718b04fb00391f251d846a2f2.zip pfsense-efe42b5a05dfc7c718b04fb00391f251d846a2f2.tar.gz |
Fix #2887: based on the NAT states that will be killed, also kill the firewall states for the same source and destination
Diffstat (limited to 'etc/rc.kill_states')
-rwxr-xr-x | etc/rc.kill_states | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/etc/rc.kill_states b/etc/rc.kill_states
index d7e92d6..6be7ed7 100755
--- a/etc/rc.kill_states
+++ b/etc/rc.kill_states
@@ -63,6 +63,24 @@ if (!empty($local_ip)) {
 if (!isset($config['system']['kill_states'])) {
 if (!empty($local_ip)) {
 log_error("rc.kill_states: Removing states for IP {$local_ip}/{$subnet_bits}");
+ $nat_states = exec_command("/sbin/pfctl -i {$interface} -ss | " .
+ "/usr/bin/egrep '\-> +{$local_ip}:[0-9]+ +\->'");
+
+ $cleared_states = array();
+ foreach(explode("\n", $nat_states) as $nat_state) {
+ if (preg_match_all('/([\d\.]+):[\d]+[\s->]+/i', $nat_state, $matches, PREG_SET_ORDER) != 3)
+ continue;
+
+ $src = $matches[0][1];
+ $dst = $matches[2][1];
+
+ if (empty($src) || empty($dst) || in_array("{$src},{$dst}", $cleared_states))
+ continue;
+
+ $cleared_states[] = "{$src},{$dst}";
+ mwexec("/sbin/pfctl -k {$src} -k {$dst}", true);
+ }
+
 mwexec("/sbin/pfctl -k 0.0.0.0/0 -k {$local_ip}/{$subnet_bits}", true);
 mwexec("/sbin/pfctl -k {$local_ip}/{$subnet_bits}", true);
 mwexec("/sbin/pfctl -K {$local_ip}/{$subnet_bits}", true); |
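Review bot: `$interface` and `$local_ip` are interpolated unescaped into a shell pipeline and into an egrep pattern in the first added `exec_command(...)` line, whereas `$src` and `$dst` are safe to interpolate further down only because the `([\d\.]+)` capture restricts them to digits and dots; where the first two are set is outside the hunk, so quoting them here costs little: `"/sbin/pfctl -i " . escapeshellarg($interface) . " -ss | /usr/bin/egrep " . escapeshellarg('\-> +' . $local_ip . ':[0-9]+ +\->')` (keeping the leading `\-` so egrep does not read the pattern as an option). The `!= 3` test appears to encode an expected `source -> NAT address -> destination` layout of the `pfctl -ss` lines, and the `[\d\.]+` class looks like it admits only IPv4 addresses, so a comment such as `// expect three host:port tokens (source -> NAT address -> destination); other lines are skipped` would spare the next reader re-deriving it. The `/i` modifier on that pattern has no effect since it contains no letters. The enclosing `if` blocks open and close outside the hunk.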