Teach about a -G parameter to pfctl -i ifname -Fs -G gateway to kill …

…all states with the gateway set to help #1629

patches/RELENG_8_3/killifstates.RELENG_8.diff

@@ -1,3 +1,98 @@
+diff --git a/contrib/pf/pfctl/pfctl.c b/contrib/pf/pfctl/pfctl.c
+index a1d8d7a..4142755 100644
+--- a/contrib/pf/pfctl/pfctl.c
++++ b/contrib/pf/pfctl/pfctl.c
+@@ -119,6 +119,8 @@ int		 src_node_killers;
+ char		*src_node_kill[2];
+ int		 state_killers;
+ char		*state_kill[2];
++int		 if_kill;
++char		*if_gw_kill;
+ int		 loadopt;
+ int		 altqsupport;
+
+@@ -382,14 +384,51 @@ pfctl_clear_states(int dev, const char *iface, int opts)
+ 	struct pfioc_state_kill psk;
+
+ 	memset(&psk, 0, sizeof(psk));
++
+ 	if (iface != NULL && strlcpy(psk.psk_ifname, iface,
+ 	    sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
+ 		errx(1, "invalid interface: %s", iface);
+
+-	if (ioctl(dev, DIOCCLRSTATES, &psk))
+-		err(1, "DIOCCLRSTATES");
+-	if ((opts & PF_OPT_QUIET) == 0)
+-		fprintf(stderr, "%d states cleared\n", psk.psk_af);
++	if (if_kill) {
++		struct addrinfo *res, *resp;
++		u_int killed;
++		int ret_ga;
++
++		if ((ret_ga = getaddrinfo(if_gw_kill, NULL, NULL, &res))) {
++			errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
++			/* NOTREACHED */
++		}
++		killed = 0;
++		for (resp = res; resp; resp = resp->ai_next) {
++			if (resp->ai_addr == NULL)
++				continue;
++
++			psk.psk_af = resp->ai_family;
++
++			if (psk.psk_af == AF_INET)
++				psk.psk_src.addr.v.a.addr.v4 =
++				    ((struct sockaddr_in *)resp->ai_addr)->sin_addr;
++			else if (psk.psk_af == AF_INET6)
++				psk.psk_src.addr.v.a.addr.v6 =
++				    ((struct sockaddr_in6 *)resp->ai_addr)->
++				    sin6_addr;
++			else
++				errx(1, "Unknown address family %d", psk.psk_af);
++
++			if (ioctl(dev, DIOCCLRSTATES, &psk))
++				err(1, "DIOCCLRSTATES");
++			if ((opts & PF_OPT_QUIET) == 0)
++				killed += psk.psk_af;
++		}
++		if ((opts & PF_OPT_QUIET) == 0)
++			fprintf(stderr, "%d states cleared\n", killed);
++	} else {
++		if (ioctl(dev, DIOCCLRSTATES, &psk))
++			err(1, "DIOCCLRSTATES");
++		if ((opts & PF_OPT_QUIET) == 0)
++			fprintf(stderr, "%d states cleared\n", psk.psk_af);
++	}
++
+ 	return (0);
+ }
+
+@@ -1980,7 +2019,7 @@ main(int argc, char *argv[])
+ 		usage();
+
+ 	while ((ch = getopt(argc, argv,
+-	    "a:AdD:eqf:F:ghi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
++	    "a:AdD:eqf:F:gG:hi:k:K:mnNOo::Pp:rRs:t:T:vx:z")) != -1) {
+ 		switch (ch) {
+ 		case 'a':
+ 			anchoropt = optarg;
+@@ -2049,6 +2088,16 @@ main(int argc, char *argv[])
+ 		case 'g':
+ 			opts |= PF_OPT_DEBUG;
+ 			break;
++		case 'G':
++			if (if_kill) {
++				warnx("can only specify -b twice");
++				usage();
++				/* NOTREACHED */
++			}
++			if_gw_kill = optarg;
++			if_kill++;
++			mode = O_RDWR;
++			break;
+ 		case 'A':
+ 			loadopt |= PFCTL_FLAG_ALTQ;
+ 			break;
 diff --git a/sys/contrib/pf/net/if_pfsync.c b/sys/contrib/pf/net/if_pfsync.c
 index a729afd..dfdc532 100644
 --- a/sys/contrib/pf/net/if_pfsync.c
@@ -145,3 +240,24 @@ index 7383677..38c7e6b 100644
  	RB_REMOVE(pf_state_tree_id, &tree_id, cur);
  #if NPFSYNC
  	if (cur->creatorid == pf_status.hostid)
+diff --git a/sys/contrib/pf/net/pf_ioctl.c b/sys/contrib/pf/net/pf_ioctl.c
+index 979a14f..5f649f3 100644
+--- a/sys/contrib/pf/net/pf_ioctl.c
++++ b/sys/contrib/pf/net/pf_ioctl.c
+@@ -1957,6 +1957,16 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
+ #endif
+ 				pf_unlink_state(state);
+ 				killed++;
++			} else if (state->af == psk->psk_af && !PF_AZERO(&psk->psk_src.addr.v.a.addr, psk->psk_af) &&
++			    !PF_AZERO(&state->rt_addr, state->af) && PF_AEQ(&psk->psk_src.addr.v.a.addr, &state->rt_addr, state->af)) {
++				if (state->proto == IPPROTO_TCP)
++					state->src.state = PF_TCPS_PROXY_DST; /* XXX: Hack to send a RST back to the host */
++#if NPFSYNC
++				/* don't send out individual delete messages */
++				state->sync_flags = PFSTATE_NOSYNC;
++#endif
++				pf_unlink_state(state);
++				killed++;
+ 			}
+ 		}
+ 		psk->psk_af = killed;