Merge branch 'clear-conn-states' into main

Author: dlon

CHANGELOG.md

@@ -13,6 +13,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 * **Security**: in case of vulnerabilities.
 
 ## [unreleased]
+### Added
+- Add function for clearing states related to an interface.
 
 ## [0.4.5] - 2022-12-28
 - Add support for Timex ICMP rules.

src/ffi/mod.rs

@@ -41,6 +41,8 @@ ioctl!(readwrite pf_add_rule with b'D', 4; pfvar::pfioc_rule);
 ioctl!(readwrite pf_get_rules with b'D', 6; pfvar::pfioc_rule);
 // DIOCGETRULE
 ioctl!(readwrite pf_get_rule with b'D', 7; pfvar::pfioc_rule);
+// DIOCCLRSTATES
+ioctl!(readwrite pf_clear_states with b'D', 18; pfvar::pfioc_state_kill);
 // DIOCGETSTATUS
 ioctl!(readwrite pf_get_status with b'D', 21; pfvar::pf_status);
 // DIOCGETSTATES

src/lib.rs

@@ -311,6 +311,18 @@ impl PfCtl {
         }
     }
 
+    /// Clear states belonging to a given interface
+    /// Returns total number of removed states upon success
+    pub fn clear_interface_states(&mut self, interface: Interface) -> Result<u32> {
+        let mut pfioc_state_kill = unsafe { mem::zeroed::<ffi::pfvar::pfioc_state_kill>() };
+        interface
+            .try_copy_to(&mut pfioc_state_kill.psk_ifname)
+            .chain_err(|| ErrorKind::InvalidArgument("Incompatible interface name"))?;
+        ioctl_guard!(ffi::pf_clear_states(self.fd(), &mut pfioc_state_kill))?;
+        // psk_af holds the number of killed states
+        Ok(pfioc_state_kill.psk_af as u32)
+    }
+
     /// Get all states created by stateful rules
     fn get_states(&mut self) -> Result<Vec<ffi::pfvar::pfsync_state>> {
         let num_states = self.get_num_states()?;