authorRenato Botelho <garga@FreeBSD.org>2013-06-24 11:40:22 -0300
committerRenato Botelho <garga@FreeBSD.org>2013-06-24 11:40:22 -0300
commitd13b7363304390736fa4686b4544319f26bdba92 (patch)
treef7a263b8bd8cda4fceabbd9f42e21b985b5c8c1d /etc/rc.kill_states
parente06263e11269f15010e5a76ff5334b37c94be0ef (diff)
downloadpfsense-d13b7363304390736fa4686b4544319f26bdba92.zip
pfsense-d13b7363304390736fa4686b4544319f26bdba92.tar.gz
Fix #2887, based on NAT states that will be killed, also kill firewall states for same source and destination
Diffstat (limited to 'etc/rc.kill_states')
-rwxr-xr-xetc/rc.kill_states18
1 files changed, 18 insertions, 0 deletions
diff --git a/etc/rc.kill_states b/etc/rc.kill_states
index d7e92d6..6be7ed7 100755
--- a/etc/rc.kill_states
+++ b/etc/rc.kill_states
@@ -63,6 +63,24 @@ if (!empty($local_ip)) {
if (!isset($config['system']['kill_states'])) {
if (!empty($local_ip)) {
log_error("rc.kill_states: Removing states for IP {$local_ip}/{$subnet_bits}");
+ $nat_states = exec_command("/sbin/pfctl -i {$interface} -ss | " .
+ "/usr/bin/egrep '\-> +{$local_ip}:[0-9]+ +\->'");
+
+ $cleared_states = array();
+ foreach(explode("\n", $nat_states) as $nat_state) {
+ if (preg_match_all('/([\d\.]+):[\d]+[\s->]+/i', $nat_state, $matches, PREG_SET_ORDER) != 3)
+ continue;
+
+ $src = $matches[0][1];
+ $dst = $matches[2][1];
+
+ if (empty($src) || empty($dst) || in_array("{$src},{$dst}", $cleared_states))
+ continue;
+
+ $cleared_states[] = "{$src},{$dst}";
+ mwexec("/sbin/pfctl -k {$src} -k {$dst}", true);
+ }
+
mwexec("/sbin/pfctl -k 0.0.0.0/0 -k {$local_ip}/{$subnet_bits}", true);
mwexec("/sbin/pfctl -k {$local_ip}/{$subnet_bits}", true);
mwexec("/sbin/pfctl -K {$local_ip}/{$subnet_bits}", true);
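Review bot: The new exec_command() on the first added line interpolates `$interface` and `$local_ip` straight into a shell pipeline, and `$local_ip` additionally lands inside the egrep pattern where `.` is a regex metacharacter, so neither value is quoted or validated before it reaches /bin/sh and egrep. The pre-existing lines below do the same unquoted interpolation, but this change widens the surface to a pipeline and a pattern; where these two variables come from is outside the hunk (presumably the script's argv), so if they can ever be anything other than a vetted interface name and address this is a command-injection path. I would guard the block with a check that `$local_ip` is an IPv4 literal (pfSense's `is_ipaddr()` helper, if it is in scope here) and build the command as `"/sbin/pfctl -i " . escapeshellarg($interface) . " -ss | /usr/bin/egrep -e " . escapeshellarg("-> +" . preg_quote($local_ip) . ":[0-9]+ +->")` so the address is treated literally. Two smaller points: the `[\d\.]+` capture guarantees `$src`/`$dst` are shell-safe but not that they are valid addresses, and the egrep/regex pair only ever matches IPv4 `addr:port` rows, so IPv6 NAT states are silently skipped — worth a comment such as `// IPv4 only: pfctl prints IPv6 ports in brackets, which this pattern does not match`.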