From 8f563bb423ab8a1c06a191b5fc772a260b042360 Mon Sep 17 00:00:00 2001
From: Ermal
Date: Thu, 31 Jan 2013 22:04:07 +0000
Subject: Use the better -Fs modifies to pf to kill the states by interface. Also kill both sides on an interface when -k needs to be used
---
 etc/inc/filter.inc | 2 +-
 etc/inc/interfaces.inc | 2 +-
 sbin/dhclient-script | 1 +
 usr/local/sbin/ovpn-linkdown | 2 +-
 usr/local/sbin/ppp-linkdown | 2 +-
 usr/local/sbin/ppp-linkup | 1 +
 usr/local/sbin/vpn-linkdown | 7 ++-----
 7 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index dc9fb7b..39f3ea7 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -143,7 +143,7 @@ function filter_delete_states_for_down_gateways() {
 $gwiface = $gateway['interface'];
 else
 $gwiface = get_real_interface($gateway['friendlyiface']);
- $cmd = "/sbin/pfctl -i {$gwiface} -k 0.0.0.0/0";
+ $cmd = "/sbin/pfctl -i {$gwiface} -Fs";
 mwexec($cmd);
 }
 }
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index da8f99c..ce773ce 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -1235,7 +1235,7 @@ function interface_bring_down($interface = "wan", $destroy = false, $ifacecfg =
 // log_error("Checking for old router states: {$g['tmp_path']}/{$realif}_router = {$old_router}");
 if (!empty($old_router)) {
 log_error("Clearing states to old gateway {$old_router}.");
- mwexec("/sbin/pfctl -i {$realif} -k 0.0.0.0/0");
+ mwexec("/sbin/pfctl -i {$realif} -Fs");
 }
 
 /* remove interface up file if it exists */
diff --git a/sbin/dhclient-script b/sbin/dhclient-script
index dda92a9..272bb77 100755
--- a/sbin/dhclient-script
+++ b/sbin/dhclient-script
@@ -83,6 +83,7 @@ delete_old_states() {
 if [ "${OLD_ROUTER}" != "${new_routers}" ]; then
 $LOGGER "Removing states through old gateway '${OLD_ROUTER}' (new gateway '${new_routers}')"
 /sbin/pfctl -i $interface -k 0.0.0.0/0 -k ${OLD_ROUTER}/32
+ /sbin/pfctl -i $interface -k ${OLD_ROUTER}/32 -k 0.0.0.0/0
 fi
 fi
 }
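Review bot: `$gwiface` is interpolated into the new `$cmd` string unchecked; if `$gateway['interface']` is empty and `get_real_interface()` also yields an empty string, the command becomes `/sbin/pfctl -i  -Fs`, where `-Fs` would most likely be consumed as the `-i` operand and nothing is flushed, leaving states on a down gateway alive with no error logged. A guard ahead of building the command, `if (empty($gwiface)) continue;` (assuming the enclosing block is the per-gateway loop, which starts outside the hunk), plus `escapeshellarg($gwiface)` for a value that comes out of the gateway configuration, makes the failure explicit. The removed `-k 0.0.0.0/0` form had the same exposure, so this is pre-existing rather than introduced here.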
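Review bot: The context line `log_error("Clearing states to old gateway {$old_router}.");` is now inaccurate, because the new `pfctl -i {$realif} -Fs` flushes every state on the interface rather than only those involving the old gateway, and an operator reading the log will not understand why unrelated sessions on that interface dropped. Change it to `log_error("Flushing all states on {$realif} (old gateway {$old_router}).");` so the log reflects the wider scope. `interface_bring_down()` starts and ends outside the hunk.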
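Review bot: The added `/sbin/pfctl -i $interface -k ${OLD_ROUTER}/32 -k 0.0.0.0/0`, like the context line above it, only matches states whose endpoint address is the old router itself; as far as I recall, pfctl `-k` compares against the state's source/destination keys rather than the next hop, so sessions merely routed via the old gateway are not covered even though the `$LOGGER` message says "states through old gateway". If the goal is to drop everything that was flowing via the old default route, the interface-wide `-Fs` form this commit uses in filter.inc and interfaces.inc is the one that actually does that. Separately, `$interface` and `${OLD_ROUTER}` are unquoted and `${OLD_ROUTER}` is only compared against `${new_routers}`, never checked for emptiness, so write `-i "$interface" -k "${OLD_ROUTER}/32"` and guard on `[ -n "${OLD_ROUTER}" ]`; the ppp-linkup hunk adds the identical line and has the same issue. `delete_old_states()` opens outside the hunk.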
diff --git a/usr/local/sbin/ovpn-linkdown b/usr/local/sbin/ovpn-linkdown
index 4780b4f..708d507 100755
--- a/usr/local/sbin/ovpn-linkdown
+++ b/usr/local/sbin/ovpn-linkdown
@@ -1,5 +1,5 @@
 #!/bin/sh
-/sbin/pfctl -i $1 -k 0.0.0.0/0
+/sbin/pfctl -i $1 -Fs
 # delete the node just in case mpd cannot do that
 /bin/rm -f /var/etc/nameserver_$1
 /bin/rm -f /tmp/$1_router
diff --git a/usr/local/sbin/ppp-linkdown b/usr/local/sbin/ppp-linkdown
index 2ab0b6b..69f9f88 100755
--- a/usr/local/sbin/ppp-linkdown
+++ b/usr/local/sbin/ppp-linkdown
@@ -16,7 +16,7 @@ if [ "$3" != "" ]; then
 pfctl -K ${LOCAL_IP}
 fi
 
-/sbin/pfctl -i $1 -k 0.0.0.0/0
+/sbin/pfctl -i $1 -Fs
 if [ -f "/tmp/${1}_defaultgw" ]; then
 route delete default ${OLD_ROUTER}
 fi
diff --git a/usr/local/sbin/ppp-linkup b/usr/local/sbin/ppp-linkup
index 50308b1..1e9fdaa 100755
--- a/usr/local/sbin/ppp-linkup
+++ b/usr/local/sbin/ppp-linkup
@@ -6,6 +6,7 @@ if [ "$2" == "inet" ]; then
 if [ "${OLD_ROUTER}" != "" ]; then
 echo "Removing states to old router ${OLD_ROUTER}" | logger -t ppp-linkup
 /sbin/pfctl -i $1 -k 0.0.0.0/0 -k ${OLD_ROUTER}/32
+ /sbin/pfctl -i $1 -k ${OLD_ROUTER}/32 -k 0.0.0.0/0
 fi
 
 # let the configuration system know that the ipv4 has changed.
diff --git a/usr/local/sbin/vpn-linkdown b/usr/local/sbin/vpn-linkdown
index 0549b1f..b6d033c 100755
--- a/usr/local/sbin/vpn-linkdown
+++ b/usr/local/sbin/vpn-linkdown
@@ -2,8 +2,5 @@
 
 # record logout
 /usr/bin/logger -p local3.info "logout,$1,$4,$5"
-/sbin/pfctl -i $1 -b 0.0.0.0/32 -b $4/32
-/sbin/pfctl -i $1 -k $4/32
-/sbin/pfctl -i $1 -k 0.0.0.0/32 $4/32
-/sbin/pfctl -i $1 -K $4/32
-/sbin/pfctl -i $1 -K 0.0.0.0/32 -K $4/32
+/sbin/pfctl -i $1 -Fs
+/sbin/pfctl -K $4/32
-- 
cgit v1.1
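Review bot: `$1` reaches the new `/sbin/pfctl -i $1 -Fs` unquoted and unchecked; if the script is ever invoked without an interface argument, `-Fs` would be taken as the `-i` operand and no states are flushed, with nothing logged, and a value containing whitespace would be word-split by the shell. Add `[ -n "$1" ] || exit 1` at the top of the script and quote the operand, `/sbin/pfctl -i "$1" -Fs`. The same applies to the `-Fs` lines in the ppp-linkdown and vpn-linkdown hunks of this commit.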
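Review bot: The rewrite widens scope in two ways the commit message does not mention: `/sbin/pfctl -i $1 -Fs` flushes every state on the interface rather than only those of the peer `$4`, which the removed `-k $4/32` lines were scoped to, and `/sbin/pfctl -K $4/32` has lost its `-i $1`, so source-tracking entries for that address are now cleared on all interfaces. If `$1` is always a per-session interface this is harmless, but if it can be shared the flush disconnects other peers; please confirm, or keep a peer-scoped kill alongside it, `/sbin/pfctl -i "$1" -k "$4/32" -k 0.0.0.0/0` and `/sbin/pfctl -i "$1" -k 0.0.0.0/0 -k "$4/32"`. `$4/32` also hard-codes an IPv4 prefix length, so an IPv6 peer address would make the command fail.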