6677460 ipfilter automatic flushing of state table entries needs to work the same as it does for NAT

6566976 state limit check works when limit is reached only
6566982 state limit is not check when inserting states via IOCTL

2 files changed, 5 insertions, 7 deletions

diff --git a/usr/src/cmd/ipf/tools/ipf.c b/usr/src/cmd/ipf/tools/ipf.c
index a9621ef7df..e81389b342 100644
--- a/usr/src/cmd/ipf/tools/ipf.c
+++ b/usr/src/cmd/ipf/tools/ipf.c
@@ -3,12 +3,10 @@
  *
  * See the IPFILTER.LICENCE file for details on licencing.
  *
- * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #ifdef	__FreeBSD__
 # ifndef __FreeBSD_cc_version
 #  include <osreldate.h>
@@ -350,9 +348,9 @@ char	*arg;
 		return;
 	if (!strcmp(arg, "s") || !strcmp(arg, "S")) {
 		if (*arg == 'S')
-			fl = 0;
+			fl = FLUSH_TABLE_ALL;
 		else
-			fl = 1;
+			fl = FLUSH_TABLE_CLOSING;
 		rem = fl;
 
 		closedevice();
diff --git a/usr/src/cmd/ipf/tools/ipnat.c b/usr/src/cmd/ipf/tools/ipnat.c
index 83b2a416c3..4a9a37a4a9 100644
--- a/usr/src/cmd/ipf/tools/ipnat.c
+++ b/usr/src/cmd/ipf/tools/ipnat.c
@@ -397,7 +397,7 @@ int fd, opts;
 	int n = 0;
 
 	if (opts & OPT_FLUSH) {
-		n = 0;
+		n = FLUSH_TABLE_ALL;
 		if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
 			perror("ioctl(SIOCFLNAT)");
 		else
@@ -405,7 +405,7 @@ int fd, opts;
 	}
 
 	if (opts & OPT_CLEAR) {
-		n = 1;
+		n = FLUSH_LIST;
 		if (!(opts & OPT_DONOTHING) && ioctl(fd, SIOCIPFFL, &n) == -1)
 			perror("ioctl(SIOCCNATL)");
 		else