Hello,
pf DIOCKILLSTATES ioctl has the following path in sys/net/pf_ioctl.c
for finding exact state matches:
if (psk->psk_af && psk->psk_proto &&
psk->psk_src.port_op == PF_OP_EQ &&
psk->psk_dst.port_op == PF_OP_EQ) {
When I call ioctl that takes this path, it never finds matching
states. If I set either psk_af or psk_proto to 0, the slow path, which
iterates over all states, finds and kills the two matching ones.
I believe this is because key.hash is never set before calling
RBT_FIND, so pf_state_compare_key is not able to find any matches.
I don't think this affects pfctl as of 7.8 because
pfctl_net_kill_states doesn't set psk_proto and pfctl_key_kill_states
doesn't set psk_af, so both always take the slow path. The latter
could probably be optimized to take the fast path after this bug is
fixed.
-Max
