authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-12-18 19:40:42 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-12-18 19:40:42 +0000
commit1b33c38cd3170b6cdfd4fabac6582b6177177605 (patch)
treef7cf8354676118fac3304133795fdfd26f5b6b1b
parent29d2e9a7f2313652b63884678ea2b63bd7170c38 (diff)
Store translation rule pointer in state entries, so pfctl -vsn can print
evaluation, packet, byte and state entry counters similar to -vsr. Helps verify whether/how often translation rules are evaluated/matched. ok frantzen@, henning@
-rw-r--r--sbin/pfctl/pfctl.c74
-rw-r--r--sbin/pfctl/pfctl_parser.c20
-rw-r--r--sbin/pfctl/pfctl_parser.h8
-rw-r--r--sys/net/pf.c40
-rw-r--r--sys/net/pf_ioctl.c16
-rw-r--r--sys/net/pfvar.h3
6 files changed, 110 insertions, 51 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 7a506d07aa4..43a7d8cb972 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.108 2002/12/18 16:28:40 dhartmei Exp $ */
+/* $OpenBSD: pfctl.c,v 1.109 2002/12/18 19:40:41 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -65,8 +65,9 @@ int pfctl_clear_states(int, int);
int pfctl_kill_states(int, int);
int pfctl_get_pool(int, struct pf_pool *, u_int32_t, u_int32_t, int);
void pfctl_clear_pool(struct pf_pool *);
+void pfctl_print_rule_counters(struct pf_rule *, int);
int pfctl_show_rules(int, int, int);
-int pfctl_show_nat(int);
+int pfctl_show_nat(int, int);
int pfctl_show_altq(int);
int pfctl_show_states(int, u_int8_t, int);
int pfctl_show_status(int);
@@ -453,6 +454,33 @@ pfctl_clear_pool(struct pf_pool *pool)
}
}
+void
+pfctl_print_rule_counters(struct pf_rule *rule, int opts)
+{
+ if (opts & PF_OPT_VERBOSE2) {
+ const char *t[PF_SKIP_COUNT] = { "a", "i", "d", "f",
+ "p", "sa", "sp", "da", "dp" };
+ int i;
+
+ printf("[ Skip steps: ");
+ for (i = 0; i < PF_SKIP_COUNT; ++i) {
+ if (rule->skip[i].nr == rule->nr + 1)
+ continue;
+ printf("%s=", t[i]);
+ if (rule->skip[i].nr == -1)
+ printf("end ");
+ else if (rule->skip[i].nr != rule->nr + 1)
+ printf("%u ", rule->skip[i].nr);
+ }
+ printf("]\n");
+ }
+ if (opts & PF_OPT_VERBOSE)
+ printf("[ Evaluations: %-8llu Packets: %-8llu "
+ "Bytes: %-10llu States: %-6u]\n\n",
+ rule->evaluations, rule->packets,
+ rule->bytes, rule->states);
+}
+
int
pfctl_show_rules(int dev, int opts, int format)
{
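Review bot: Inside the skip-step loop of pfctl_print_rule_counters the test `else if (rule->skip[i].nr != rule->nr + 1)` can never be false, because the `continue` two lines earlier already skipped exactly that case; a plain `else` says what is meant and drops a comparison the reader otherwise has to reason about. The new function also has no header comment although it is now the single place both `-vsr` and `-vsn` get their counter lines from; I would add `/* Print a rule's skip steps (-vv) and its evaluation/packet/byte/state counters (-v), shared by the filter and translation rule listings. */` above it.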
@@ -494,32 +522,7 @@ pfctl_show_rules(int dev, int opts, int format)
break;
default:
print_rule(&pr.rule, opts & PF_OPT_VERBOSE2);
- if (opts & PF_OPT_VERBOSE2) {
- const char *t[PF_SKIP_COUNT] = { "a",
- "i", "d", "f", "p", "sa", "sp",
- "da", "dp" };
- int i;
-
- printf("[ Skip steps: ");
- for (i = 0; i < PF_SKIP_COUNT; ++i) {
- if (pr.rule.skip[i].nr ==
- pr.rule.nr + 1)
- continue;
- printf("%s=", t[i]);
- if (pr.rule.skip[i].nr == -1)
- printf("end ");
- else if (pr.rule.skip[i].nr !=
- pr.rule.nr + 1)
- printf("%u ",
- pr.rule.skip[i].nr);
- }
- printf("]\n");
- }
- if (opts & PF_OPT_VERBOSE)
- printf("[ Evaluations: %-8llu Packets: %-8llu "
- "Bytes: %-10llu States: %-6u]\n\n",
- pr.rule.evaluations, pr.rule.packets,
- pr.rule.bytes, pr.rule.states);
+ pfctl_print_rule_counters(&pr.rule, opts);
}
pfctl_clear_pool(&pr.rule.rpool);
}
@@ -557,7 +560,7 @@ pfctl_show_altq(int dev)
}
int
-pfctl_show_nat(int dev)
+pfctl_show_nat(int dev, int opts)
{
struct pfioc_rule pr;
u_int32_t mnr, nr;
@@ -580,7 +583,8 @@ pfctl_show_nat(int dev)
if (pfctl_get_pool(dev, &pr.rule.rpool, nr,
pr.ticket, PF_NAT) != 0)
return (-1);
- print_nat(&pr.rule);
+ print_nat(&pr.rule, opts & PF_OPT_VERBOSE2);
+ pfctl_print_rule_counters(&pr.rule, opts);
pfctl_clear_pool(&pr.rule.rpool);
}
pr.rule.action = PF_RDR;
@@ -598,7 +602,8 @@ pfctl_show_nat(int dev)
if (pfctl_get_pool(dev, &pr.rule.rpool, nr,
pr.ticket, PF_RDR) != 0)
return (-1);
- print_rdr(&pr.rule);
+ print_rdr(&pr.rule, opts & PF_OPT_VERBOSE2);
+ pfctl_print_rule_counters(&pr.rule, opts);
pfctl_clear_pool(&pr.rule.rpool);
}
pr.rule.action = PF_BINAT;
@@ -613,7 +618,8 @@ pfctl_show_nat(int dev)
warn("DIOCGETRULE");
return (-1);
}
- print_binat(&pr.rule);
+ print_binat(&pr.rule, opts & PF_OPT_VERBOSE2);
+ pfctl_print_rule_counters(&pr.rule, opts);
}
return (0);
}
@@ -1298,7 +1304,7 @@ main(int argc, char *argv[])
pfctl_show_rules(dev, opts, 1);
break;
case 'n':
- pfctl_show_nat(dev);
+ pfctl_show_nat(dev, opts);
break;
case 'q':
pfctl_show_altq(dev);
@@ -1317,7 +1323,7 @@ main(int argc, char *argv[])
break;
case 'a':
pfctl_show_rules(dev, opts, 0);
- pfctl_show_nat(dev);
+ pfctl_show_nat(dev, opts);
pfctl_show_altq(dev);
pfctl_show_states(dev, 0, opts);
pfctl_show_status(dev);
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index aeb65573d51..521a7d95526 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.122 2002/12/17 12:36:59 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.123 2002/12/18 19:40:41 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -401,15 +401,15 @@ print_rule(struct pf_rule *r, int verbose)
switch (r->action) {
case PF_NAT:
case PF_NONAT:
- print_nat(r);
+ print_nat(r, verbose);
break;
case PF_BINAT:
case PF_NOBINAT:
- print_binat(r);
+ print_binat(r, verbose);
break;
case PF_RDR:
case PF_NORDR:
- print_rdr(r);
+ print_rdr(r, verbose);
break;
default:
case PF_PASS:
@@ -496,8 +496,10 @@ print_pool(struct pf_pool *pool, u_int16_t p1, u_int16_t p2,
}
void
-print_nat(struct pf_rule *n)
+print_nat(struct pf_rule *n, int verbose)
{
+ if (verbose)
+ printf("@%d ", n->nr);
if (n->anchorname[0])
printf("nat-anchor %s ", n->anchorname);
else {
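Review bot: `printf("@%d ", n->nr)` pairs a signed conversion with `nr`, which is presumably `u_int32_t` like the `rule.nr` field shown in the pfvar.h hunk; the matching specifier is `printf("@%u ", n->nr);`. The same applies to the identical lines added to print_binat and print_rdr below. print_nat continues outside the hunk.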
@@ -535,8 +537,10 @@ print_nat(struct pf_rule *n)
}
void
-print_binat(struct pf_rule *b)
+print_binat(struct pf_rule *b, int verbose)
{
+ if (verbose)
+ printf("@%d ", b->nr);
if (b->anchorname[0])
printf("binat-anchor %s ", b->anchorname);
else {
@@ -586,8 +590,10 @@ print_binat(struct pf_rule *b)
}
void
-print_rdr(struct pf_rule *r)
+print_rdr(struct pf_rule *r, int verbose)
{
+ if (verbose)
+ printf("@%d ", r->nr);
if (r->anchorname[0])
printf("rdr-anchor %s ", r->anchorname);
else {
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index a58239c387a..4dedd1516b1 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.35 2002/12/18 14:14:09 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.36 2002/12/18 19:40:41 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -78,9 +78,9 @@ int parse_flags(char *);
void print_filter(struct pf_rule *, int);
void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void print_rule(struct pf_rule *, int);
-void print_nat(struct pf_rule *);
-void print_binat(struct pf_rule *);
-void print_rdr(struct pf_rule *);
+void print_nat(struct pf_rule *, int);
+void print_binat(struct pf_rule *, int);
+void print_rdr(struct pf_rule *, int);
void print_status(struct pf_status *);
struct icmptypeent {
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 8fd60b07c85..b129bb52590 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.276 2002/12/18 18:35:30 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.277 2002/12/18 19:40:41 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -477,6 +477,8 @@ pf_purge_expired_states(void)
#endif
if (cur->state->rule.ptr != NULL)
cur->state->rule.ptr->states--;
+ if (cur->state->nat_rule != NULL)
+ cur->state->nat_rule->states--;
pool_put(&pf_state_pl, cur->state);
pool_put(&pf_tree_pl, cur);
pool_put(&pf_tree_pl, peer);
@@ -1928,6 +1930,12 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
rs->states++;
s->rule.ptr = rs;
+ if (nat != NULL)
+ s->nat_rule = nat;
+ else if (rdr != NULL)
+ s->nat_rule = rdr;
+ if (s->nat_rule != NULL)
+ s->nat_rule->states++;
s->allow_opts = *rm && (*rm)->allow_opts;
s->log = *rm && ((*rm)->log & 2);
s->proto = IPPROTO_TCP;
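Review bot: When neither `nat` nor `rdr` is set, the `if (s->nat_rule != NULL)` test reads a field this hunk never assigned, so correctness depends on the state having been zeroed earlier in pf_test_tcp (outside the hunk). If that zeroing is not guaranteed for every allocation path, a stale pointer is dereferenced here to bump `states` and again later in the state-tracking and purge code; an explicit `else s->nat_rule = NULL;` after the `rdr` branch makes the initialization local and robust against future changes to how the state is allocated. The same pattern is repeated in the pf_test_udp, pf_test_icmp and pf_test_other hunks.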
@@ -2167,6 +2175,12 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp,
rs->states++;
s->rule.ptr = rs;
+ if (nat != NULL)
+ s->nat_rule = nat;
+ else if (rdr != NULL)
+ s->nat_rule = rdr;
+ if (s->nat_rule != NULL)
+ s->nat_rule->states++;
s->allow_opts = *rm && (*rm)->allow_opts;
s->log = *rm && ((*rm)->log & 2);
s->proto = IPPROTO_UDP;
@@ -2407,6 +2421,12 @@ pf_test_icmp(struct pf_rule **rm, int direction, struct ifnet *ifp,
rs->states++;
s->rule.ptr = rs;
+ if (nat != NULL)
+ s->nat_rule = nat;
+ else if (rdr != NULL)
+ s->nat_rule = rdr;
+ if (s->nat_rule != NULL)
+ s->nat_rule->states++;
s->allow_opts = *rm && (*rm)->allow_opts;
s->log = *rm && ((*rm)->log & 2);
s->proto = pd->proto;
@@ -2594,6 +2614,12 @@ pf_test_other(struct pf_rule **rm, int direction, struct ifnet *ifp,
rs->states++;
s->rule.ptr = rs;
+ if (nat != NULL)
+ s->nat_rule = nat;
+ else if (rdr != NULL)
+ s->nat_rule = rdr;
+ if (s->nat_rule != NULL)
+ s->nat_rule->states++;
s->allow_opts = *rm && (*rm)->allow_opts;
s->log = *rm && ((*rm)->log & 2);
s->proto = pd->proto;
@@ -3007,6 +3033,10 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
(*state)->rule.ptr->packets++;
(*state)->rule.ptr->bytes += pd->tot_len;
}
+ if ((*state)->nat_rule != NULL) {
+ (*state)->nat_rule->packets++;
+ (*state)->nat_rule->bytes += pd->tot_len;
+ }
return (PF_PASS);
}
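Review bot: Translation-rule packet and byte counters are added to the tcp, udp and other state handlers, but no hunk touches pf_test_state_icmp; if that function maintains `rule.ptr->packets`/`bytes` the same way (not visible here), ICMP states created through a nat or rdr rule are charged to the filter rule only and the `-vsn` counters undercount. Worth confirming against pf_test_state_icmp and mirroring the same four lines there if so. pf_test_state_tcp begins outside the hunk.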
@@ -3074,6 +3104,10 @@ pf_test_state_udp(struct pf_state **state, int direction, struct ifnet *ifp,
(*state)->rule.ptr->packets++;
(*state)->rule.ptr->bytes += pd->tot_len;
}
+ if ((*state)->nat_rule != NULL) {
+ (*state)->nat_rule->packets++;
+ (*state)->nat_rule->bytes += pd->tot_len;
+ }
return (PF_PASS);
}
@@ -3650,6 +3684,10 @@ pf_test_state_other(struct pf_state **state, int direction, struct ifnet *ifp,
(*state)->rule.ptr->packets++;
(*state)->rule.ptr->bytes += pd->tot_len;
}
+ if ((*state)->nat_rule != NULL) {
+ (*state)->nat_rule->packets++;
+ (*state)->nat_rule->bytes += pd->tot_len;
+ }
return (PF_PASS);
}
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 28c08ad989e..420136a43ed 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.28 2002/12/18 18:25:14 henning Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.29 2002/12/18 19:40:41 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -609,8 +609,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
* Rules are about to get freed, clear rule pointers in states
*/
if (ruleset == &pf_main_ruleset) {
- RB_FOREACH(n, pf_state_tree, &tree_ext_gwy)
- n->state->rule.ptr = NULL;
+ if (rs_num == PF_RULESET_RULE)
+ RB_FOREACH(n, pf_state_tree, &tree_ext_gwy)
+ n->state->rule.ptr = NULL;
+ else
+ RB_FOREACH(n, pf_state_tree, &tree_ext_gwy)
+ n->state->nat_rule = NULL;
}
old_rules = ruleset->rules[rs_num].active.ptr;
ruleset->rules[rs_num].active.ptr =
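Review bot: The new `else` branch clears `nat_rule` in every state whenever any non-filter ruleset is committed, so replacing only the rdr ruleset also drops the pointers into the untouched nat ruleset (and vice versa); those surviving rules keep a `states` count that the purge path, which decrements through `nat_rule`, can no longer bring down, so the counter drifts upward across reloads. Only pointers into the list actually being replaced need clearing; the later hunk in this file already does the precise comparison against `oldrule`, and the same approach works here by walking the active list of `rs_num` before it is swapped out. The binat and scrub rulesets are never referenced by `nat_rule` according to the pf.c hunks, so their commits could skip the walk entirely. pfioctl continues outside the hunk.
```c
	if (ruleset == &pf_main_ruleset) {
		if (rs_num == PF_RULESET_RULE)
			RB_FOREACH(n, pf_state_tree, &tree_ext_gwy)
				n->state->rule.ptr = NULL;
		else
			/* only drop pointers into the list being replaced */
			RB_FOREACH(n, pf_state_tree, &tree_ext_gwy) {
				struct pf_rule *r;

				TAILQ_FOREACH(r, ruleset->rules[rs_num].active.ptr,
				    entries)
					if (n->state->nat_rule == r) {
						n->state->nat_rule = NULL;
						break;
					}
			}
	}
	/* … unchanged: old_rules swap … */
```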
@@ -797,9 +801,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
struct pf_tree_node *n;
if (ruleset == &pf_main_ruleset) {
- RB_FOREACH(n, pf_state_tree, &tree_ext_gwy)
+ RB_FOREACH(n, pf_state_tree, &tree_ext_gwy) {
if (n->state->rule.ptr == oldrule)
n->state->rule.ptr = NULL;
+ if (n->state->nat_rule == oldrule)
+ n->state->nat_rule = NULL;
+ }
}
pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule);
} else {
@@ -887,6 +894,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
s = splsoftnet();
bcopy(&ps->state, state, sizeof(struct pf_state));
state->rule.ptr = NULL;
+ state->nat_rule = NULL;
state->creation = time.tv_sec;
state->expire += state->creation;
state->packets = 0;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 8775c081690..55c613b750f 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.114 2002/12/18 19:04:38 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.115 2002/12/18 19:40:41 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -385,6 +385,7 @@ struct pf_state {
struct pf_rule *ptr;
u_int32_t nr;
} rule;
+ struct pf_rule *nat_rule;
struct pf_addr rt_addr;
struct ifnet *rt_ifp;
u_int32_t creation;
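Review bot: The new `nat_rule` member carries a lifetime contract that is only visible by reading pf.c and pf_ioctl.c together (set from the nat or rdr rule at state creation, counted in the rule's `states`, and nulled whenever that rule is freed), and nothing in the header says so. A one-line comment next to the field would save the next reader that trip: `struct pf_rule *nat_rule; /* nat/rdr rule that created the state, NULL if none; cleared when the rule is freed */`. struct pf_state continues outside the hunk.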