So the second process seems to be removing the first one's rules. But it
doesn't kill the process. And I suspect the first process' state entries
are not removed, either. Just the rules are gone, which means _further_
connections from userA are blocked. Those that he established before
userB logs in (assuming keep state) continue to work, right?

Can you try the patch below, and repeat the previous test?

Daniel


Index: authpf.c
===================================================================
RCS file: /cvs/src/usr.sbin/authpf/authpf.c,v
retrieving revision 1.64
diff -u -r1.64 authpf.c
--- authpf.c    3 Jul 2003 21:09:13 -0000       1.64
+++ authpf.c    7 Jul 2003 18:40:39 -0000
@@ -546,7 +546,7 @@
                pid = strtoul(prs.name, &s, 10);
                if (!prs.name[0] || errno || *s)
                        return (1);
-               if (kill(pid, 0)) {
+               if (kill(pid, 0) && errno != EPERM) {
                        int i;
 
                        for (i = 0; i < PF_RULESET_MAX; ++i) {
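Review bot: the new `&& errno != EPERM` condition is right in spirit (kill(pid, 0) fails with EPERM when the process exists but belongs to another user, and that must not be mistaken for a dead process), but it would be clearer and stricter to test for the one error that actually means "gone", i.e. `if (kill(pid, 0) && errno == ESRCH) {`, rather than excluding EPERM. A short comment above the `if` saying that a permission error still means the other authpf instance is alive would help the next reader, since the `&&` short-circuit is the only thing guaranteeing errno is meaningful here. Separately, the check two lines above reads errno after strtoul(), which is only valid if errno was cleared before the call; that is outside this hunk but worth confirming.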
@@ -699,6 +699,7 @@
                syslog(LOG_ERR, "DIOCKILLSTATES failed (%m)");
 
        /* Kill all states to ipsrc */
+       psk.psk_af = AF_INET;
        memset(&psk.psk_src, 0, sizeof(psk.psk_src));
        psk.psk_dst.addr.v.a.addr.v4 = target;
        memset(&psk.psk_dst.addr.v.a.mask, 0xff,
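Review bot: setting `psk.psk_af = AF_INET;` only for this second DIOCKILLSTATES is inconsistent if the first call (the one whose error message opens the hunk) reuses the same `psk` without an address family; if that struct is shared, `psk_af` should be set once before both calls, or explicitly for each. Hardcoding AF_INET matches the `.v4 = target` assignment below, so it is correct for the current IPv4-only code, but a one-line comment noting that the kernel needs the family to match the address would document the intent.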
