authorErmal <eri@pfsense.org>2013-01-31 22:04:07 +0000
committerErmal <eri@pfsense.org>2013-01-31 22:04:07 +0000
commit8f563bb423ab8a1c06a191b5fc772a260b042360 (patch)
tree86ca795cdc4d52a599eb3e588bf67168a6fa12b4 /usr/local/sbin
parentb686e5d0ceff87525319a900b078fd41faede9b4 (diff)
Use the better -Fs modifier to pf to kill the states by interface. Also kill both sides on an interface when -k needs to be used
Diffstat (limited to 'usr/local/sbin')
-rwxr-xr-xusr/local/sbin/ovpn-linkdown2
-rwxr-xr-xusr/local/sbin/ppp-linkdown2
-rwxr-xr-xusr/local/sbin/ppp-linkup1
-rwxr-xr-xusr/local/sbin/vpn-linkdown7
4 files changed, 5 insertions, 7 deletions
diff --git a/usr/local/sbin/ovpn-linkdown b/usr/local/sbin/ovpn-linkdown
index 4780b4f..708d507 100755
--- a/usr/local/sbin/ovpn-linkdown
+++ b/usr/local/sbin/ovpn-linkdown
@@ -1,5 +1,5 @@
#!/bin/sh
-/sbin/pfctl -i $1 -k 0.0.0.0/0
+/sbin/pfctl -i $1 -Fs
# delete the node just in case mpd cannot do that
/bin/rm -f /var/etc/nameserver_$1
/bin/rm -f /tmp/$1_router
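Review bot: The new `/sbin/pfctl -i $1 -Fs` line takes the interface name from an unquoted, unchecked `$1`, and the same line is added in the ppp-linkdown and vpn-linkdown hunks. A state flush is a firewall-wide operation when it is not scoped, so an empty or malformed argument should fail cleanly instead of changing how pfctl parses its command line. I would add `[ -n "$1" ] || exit 1` after the shebang and write the call as `/sbin/pfctl -i "$1" -Fs`. The two `rm -f` lines below build paths from the same `$1` and would benefit from the same guard and quoting.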
diff --git a/usr/local/sbin/ppp-linkdown b/usr/local/sbin/ppp-linkdown
index 2ab0b6b..69f9f88 100755
--- a/usr/local/sbin/ppp-linkdown
+++ b/usr/local/sbin/ppp-linkdown
@@ -16,7 +16,7 @@ if [ "$3" != "" ]; then
pfctl -K ${LOCAL_IP}
fi
-/sbin/pfctl -i $1 -k 0.0.0.0/0
+/sbin/pfctl -i $1 -Fs
if [ -f "/tmp/${1}_defaultgw" ]; then
route delete default ${OLD_ROUTER}
fi
diff --git a/usr/local/sbin/ppp-linkup b/usr/local/sbin/ppp-linkup
index 50308b1..1e9fdaa 100755
--- a/usr/local/sbin/ppp-linkup
+++ b/usr/local/sbin/ppp-linkup
@@ -6,6 +6,7 @@ if [ "$2" == "inet" ]; then
if [ "${OLD_ROUTER}" != "" ]; then
echo "Removing states to old router ${OLD_ROUTER}" | logger -t ppp-linkup
/sbin/pfctl -i $1 -k 0.0.0.0/0 -k ${OLD_ROUTER}/32
+ /sbin/pfctl -i $1 -k ${OLD_ROUTER}/32 -k 0.0.0.0/0
fi
# let the configuration system know that the ipv4 has changed.
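Review bot: The two consecutive `pfctl -k` lines look like an accidental duplicate with the arguments swapped, and nothing in the script says otherwise. pfctl treats the first `-k` as the source and the second as the destination, so a comment such as `# first -k is the source, second the destination: kill states in both directions` would keep a later cleanup from removing one of them. `${OLD_ROUTER}` is also expanded unquoted into both commands; it is assigned outside this hunk, so if it is read from a file it should be quoted as `"${OLD_ROUTER}/32"`. The enclosing `if` block starts and ends outside the hunk.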
diff --git a/usr/local/sbin/vpn-linkdown b/usr/local/sbin/vpn-linkdown
index 0549b1f..b6d033c 100755
--- a/usr/local/sbin/vpn-linkdown
+++ b/usr/local/sbin/vpn-linkdown
@@ -2,8 +2,5 @@
# record logout
/usr/bin/logger -p local3.info "logout,$1,$4,$5"
-/sbin/pfctl -i $1 -b 0.0.0.0/32 -b $4/32
-/sbin/pfctl -i $1 -k $4/32
-/sbin/pfctl -i $1 -k 0.0.0.0/32 $4/32
-/sbin/pfctl -i $1 -K $4/32
-/sbin/pfctl -i $1 -K 0.0.0.0/32 -K $4/32
+/sbin/pfctl -i $1 -Fs
+/sbin/pfctl -K $4/32
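Review bot: The added `/sbin/pfctl -K $4/32` expands the peer address unquoted and without checking that it is set, so an empty `$4` hands pfctl the bare argument `/32`. The fixed `/32` suffix also presumes an IPv4 peer, which the visible lines do not establish. I would guard and quote it as `[ -n "$4" ] && /sbin/pfctl -K "$4/32"`. Neither pfctl call has its exit status checked, so a failed flush on logout leaves the old states in place with no log entry; `|| /usr/bin/logger -p local3.info "pfctl failed for $1"` on each would make that visible.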
OpenPOWER on IntegriCloud