From a5c02d8adebb07e4437ea481941bceb99fb9460a Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Tue, 26 Jul 2022 19:52:02 +0200
Subject: [PATCH] interfaces: migrate cleanup from interface_bring_down() #5862

Since we already kill routes in nameserver registrations we can also take on the arp/pfctl magic moving the "router" file check to its native utility. It's debatable if we even need the pfctl or arp flush here. To be continued...
---
 src/etc/inc/interfaces.inc | 54 ++++---------------
 src/opnsense/scripts/interfaces/nameserver.sh | 18 ++++++-
 2 files changed, 27 insertions(+), 45 deletions(-)

diff --git a/src/etc/inc/interfaces.inc b/src/etc/inc/interfaces.inc
index 7a400377b..69ae3bbb5 100644
--- a/src/etc/inc/interfaces.inc
+++ b/src/etc/inc/interfaces.inc
@@ -800,7 +800,7 @@ function interface_vip_bring_down($vip)
 }
 }
 
-function interface_bring_down($interface = "wan", $ifacecfg = false)
+function interface_bring_down($interface = 'wan', $ifacecfg = false)
 {
 global $config;
 
@@ -812,7 +812,7 @@ function interface_bring_down($interface = "wan", $ifacecfg = false)
 $realif = get_real_interface($interface);
 $realifv6 = get_real_interface($interface, "inet6");
 $ifcfg = $config['interfaces'][$interface];
- $ppps = isset($config['ppps']['ppp']) ? $config['ppps']['ppp'] : array();
+ $ppps = isset($config['ppps']['ppp']) ? $config['ppps']['ppp'] : [];
 } else {
 $ifcfg = $ifacecfg['ifcfg'];
 $ppps = $ifacecfg['ppps'];
@@ -849,7 +849,7 @@ function interface_bring_down($interface = "wan", $ifacecfg = false)
 $track6 = link_interface_to_track6($interface);
 if (count($track6)) {
 /* bring down radvd and dhcp6 on these interfaces */
- plugins_configure('dhcp', false, array('inet6', $track6));
+ plugins_configure('dhcp', false, ['inet6', $track6]);
 }
 
 switch ($ifcfg['ipaddrv6']) {
@@ -890,51 +890,17 @@ function interface_bring_down($interface = "wan", $ifacecfg = false)
 break;
 }
 
- $pfctlflush = array();
- $arpflush = array();
-
- if (does_interface_exist($realif)) {
- $arpflush[$realif] = 1;
-
- if (!empty(trim(@file_get_contents("/tmp/{$realif}_router")))) {
- $pfctlflush[$realif] = 1;
- }
-
- list ($ip4) = interfaces_primary_address($interface);
- if (!empty($ip4)) {
- mwexecf('/sbin/ifconfig %s delete %s', array($realif, $ip4));
- }
+ list ($ip4) = interfaces_primary_address($interface);
+ if (!empty($ip4)) {
+ mwexecf('/sbin/ifconfig %s delete %s', [$realif, $ip4]);
 }
 
- if (does_interface_exist($realifv6)) {
- /*
- * XXX So we flush ARP on IPv6 here! But why?
- *
- * Either we want to flush NDP or both ARP
- * and NDP, but then the same goes for IPv4.
- */
- $arpflush[$realifv6] = 1;
-
- if (!empty(trim(@file_get_contents("/tmp/{$realifv6}_routerv6")))) {
- $pfctlflush[$realifv6] = 1;
- }
-
- list ($ip6) = interfaces_primary_address6($interface);
- if (!empty($ip6)) {
- mwexecf('/sbin/ifconfig %s inet6 %s delete', array($realifv6, $ip6));
- }
+ list ($ip6) = interfaces_primary_address6($interface);
+ if (!empty($ip6)) {
+ mwexecf('/sbin/ifconfig %s inet6 %s delete', [$realifv6, $ip6]);
 }
 
- foreach (array_keys($arpflush) as $dev) {
- mwexecf('/usr/sbin/arp -d -i %s -a', $dev);
- }
-
- foreach (array_keys($pfctlflush) as $dev) {
- log_error("Clearing states for stale {$interface} route on {$dev}");
- mwexecf('/sbin/pfctl -i %s -Fs', $dev);
- }
-
- /* clear stale state files associated with this interface */
+ /* clear stale state associated with this interface */
 mwexecf('/usr/local/sbin/ifctl -4c -i %s', $realif);
 mwexecf('/usr/local/sbin/ifctl -6c -i %s', $realifv6);
 }
diff --git a/src/opnsense/scripts/interfaces/nameserver.sh b/src/opnsense/scripts/interfaces/nameserver.sh
index 5832b8693..9dde65f0d 100755
--- a/src/opnsense/scripts/interfaces/nameserver.sh
+++ b/src/opnsense/scripts/interfaces/nameserver.sh
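Review bot: The removed `log_error("Clearing states for stale {$interface} route on {$dev}")` has no counterpart in the new path, so the pfctl state flush that now lives in nameserver.sh happens without any log entry; on a firewall a state-table flush is worth keeping in the log, either by logging next to the new pfctl call or by noting here that the `ifctl -4c`/`-6c` calls may flush states. The `does_interface_exist()` guards are dropped as well, so both `ifconfig ... delete` calls run with whatever `get_real_interface()` returned; this is probably harmless if `interfaces_primary_address()` yields nothing for a missing device, but that helper is not visible here, and a cheap guard such as `if (!empty($ip4) && does_interface_exist($realif)) {` would keep the old behaviour. interface_bring_down() starts above this hunk.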
@@ -105,15 +105,31 @@ if [ "${DO_COMMAND}" = "-c" ]; then
 exit 1
 fi
 
- # iterate through possible files
+ HAVE_ROUTE=
+
+ # iterate through possible files for cleanup
 for MD in nameserver prefix router searchdomain; do
 for IFC in ${IF} ${IF}:slaac; do
 FILE="/tmp/${IFC}_${MD}${EX}"
+ if [ ! -f ${FILE} ]; then
+ continue
+ fi
+ if [ "${MD}" = "router" ]; then
+ HAVE_ROUTE=1
+ fi
 flush_routes
 rm -f ${FILE}
 done
 done
 
+ # legacy behaviour originating from interface_bring_down()
+ /usr/sbin/arp -d -i ${IF} -a
+
+ # XXX maybe we do not have to kill states at all
+ if [ -n "${HAVE_ROUTE}" ]; then
+ /sbin/pfctl -i ${IF} -Fs
+ fi
+
 exit 0
 elif [ "${DO_COMMAND}" = "-l" ]; then
 if [ -z "${IF}" ]; then
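Review bot: `${FILE}` and `${IF}` are expanded unquoted in the new `[ ! -f ${FILE} ]` test and in the added `arp` and `pfctl` calls, so a device name containing whitespace or glob characters would be word-split or expanded before the command runs; how IF is validated is outside this hunk. Quote them: `if [ ! -f "${FILE}" ]; then`, `/usr/sbin/arp -d -i "${IF}" -a` and `/sbin/pfctl -i "${IF}" -Fs`; the context line `rm -f ${FILE}` has the same pattern. The ARP flush also runs on every `-c` call regardless of `${EX}`, which presumably includes the IPv6 invocation, where the old code's own XXX comment already questioned it. The `-c` branch starts above the hunk.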