From 24b5fdc42e3d91428446c21fbe3f898dd16b89de Mon Sep 17 00:00:00 2001
From: Stephan de Wit
Date: Thu, 19 Oct 2023 11:34:23 +0200
Subject: [PATCH] interfaces: do not flush states on clear

flushed states are propagated to pfsync, which means a machine in backup state is still vulnerable to any event that hooks into the interface_bring_down logic on the primary machine.

---
 src/opnsense/scripts/interfaces/ifctl.sh | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/src/opnsense/scripts/interfaces/ifctl.sh b/src/opnsense/scripts/interfaces/ifctl.sh
index b64cc9cdc..77f5aefbf 100755
--- a/src/opnsense/scripts/interfaces/ifctl.sh
+++ b/src/opnsense/scripts/interfaces/ifctl.sh
@@ -138,11 +138,6 @@ if [ "${DO_COMMAND}" = "-c" ]; then
 # legacy behaviour originating from interface_bring_down()
 /usr/sbin/arp -d -i ${IF} -a
 
- # XXX maybe we do not have to kill states at all
- if [ -n "${HAVE_ROUTE}" ]; then
- /sbin/pfctl -i ${IF} -Fs
- fi
-
 exit 0
 elif [ "${DO_COMMAND}" = "-O" ]; then
 if [ -z "${IF}" ]; then