authorHenning Brauer <henning@cvs.openbsd.org>2007-01-18 20:45:56 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2007-01-18 20:45:56 +0000
commit8e57b88ee1de7d3309d986e99349c19dabace7ab (patch)
treea281149d390cd28aea65e984e48a3d95ee7d2b1d
parentde1cfcbf14166d44cc0420634c71e93168c3b65c (diff)
implement -T expire.
"pfctl -t tablename -T expire 3600" would expire all entries in the given table that are older than 3600 seconds. ok dhartmei, manpage help & ok jmc
-rw-r--r--sbin/pfctl/pfctl.89
-rw-r--r--sbin/pfctl/pfctl.c6
-rw-r--r--sbin/pfctl/pfctl_table.c38
3 files changed, 48 insertions, 5 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 3d29b8ece0a..eb78e955022 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.126 2006/11/20 14:31:17 mcbride Exp $
+.\" $OpenBSD: pfctl.8,v 1.127 2007/01/18 20:45:55 henning Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -450,6 +450,13 @@ Add one or more addresses in a table.
Automatically create a nonexisting table.
.It Fl T Cm delete
Delete one or more addresses from a table.
+.It Fl T Cm expire Ar number
+Delete addresses which had their statistics cleared more than
+.Ar number
+seconds ago.
+For entries which have never had their statistics cleared,
+.Ar number
+refers to the time they were added to the table.
.It Fl T Cm replace
Replace the addresses of the table.
Automatically create a nonexisting table.
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index b9ff168aea2..5a6c03bdf71 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.257 2006/11/20 14:31:17 mcbride Exp $ */
+/* $OpenBSD: pfctl.c,v 1.258 2007/01/18 20:45:55 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -212,7 +212,7 @@ static const char *showopt_list[] = {
static const char *tblcmdopt_list[] = {
"kill", "flush", "add", "delete", "load", "replace", "show",
- "test", "zero", NULL
+ "test", "zero", "expire", NULL
};
static const char *debugopt_list[] = {
@@ -2105,7 +2105,7 @@ main(int argc, char *argv[])
loadopt |= PFCTL_FLAG_TABLE;
tblcmdopt = NULL;
} else
- mode = strchr("acdfkrz", ch) ? O_RDWR : O_RDONLY;
+ mode = strchr("acdefkrz", ch) ? O_RDWR : O_RDONLY;
} else if (argc != optind) {
warnx("unknown command line argument: %s ...", argv[optind]);
usage();
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index 968c13e6f68..23072eac72a 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_table.c,v 1.64 2005/08/17 14:54:59 dhartmei Exp $ */
+/* $OpenBSD: pfctl_table.c,v 1.65 2007/01/18 20:45:55 henning Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@@ -253,6 +253,42 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
if ((opts & PF_OPT_VERBOSE2) || a->pfra_fback)
print_addrx(a, NULL,
opts & PF_OPT_USEDNS);
+ } else if (!strcmp(command, "expire")) {
+ const char *errstr;
+ u_int lifetime;
+
+ b.pfrb_type = PFRB_ASTATS;
+ b2.pfrb_type = PFRB_ADDRS;
+ if (argc != 1 || file != NULL)
+ usage();
+ lifetime = strtonum(*argv, 0, UINT_MAX, &errstr);
+ if (errstr)
+ errx(1, "expiry time: %s", errstr);
+ for (;;) {
+ pfr_buf_grow(&b, b.pfrb_size);
+ b.pfrb_size = b.pfrb_msize;
+ RVTEST(pfr_get_astats(&table, b.pfrb_caddr,
+ &b.pfrb_size, flags));
+ if (b.pfrb_size <= b.pfrb_msize)
+ break;
+ }
+ PFRB_FOREACH(p, &b)
+ if (time(NULL) - ((struct pfr_astats *)p)->pfras_tzero >
+ lifetime)
+ if (pfr_buf_add(&b2,
+ &((struct pfr_astats *)p)->pfras_a))
+ err(1, "duplicate buffer");
+
+ if (opts & PF_OPT_VERBOSE)
+ flags |= PFR_FLAG_FEEDBACK;
+ RVTEST(pfr_del_addrs(&table, b2.pfrb_caddr, b2.pfrb_size,
+ &ndel, flags));
+ xprintf(opts, "%d/%d addresses expired", ndel, b2.pfrb_size);
+ if (opts & PF_OPT_VERBOSE)
+ PFRB_FOREACH(a, &b2)
+ if ((opts & PF_OPT_VERBOSE2) || a->pfra_fback)
+ print_addrx(a, NULL,
+ opts & PF_OPT_USEDNS);
} else if (!strcmp(command, "show")) {
b.pfrb_type = (opts & PF_OPT_VERBOSE) ?
PFRB_ASTATS : PFRB_ADDRS;
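Review bot: The expiry test `if (time(NULL) - ((struct pfr_astats *)p)->pfras_tzero > lifetime)` compares a signed difference against the unsigned `lifetime`; if `pfras_tzero` is a signed `long` as in pfvar.h, then on 32-bit targets the usual arithmetic conversions turn a negative difference (an entry whose tzero lies ahead of the current clock after a clock step) into a huge unsigned value, so that entry is expired immediately instead of kept. Doing the subtraction into a signed `long long` and comparing against `(long long)lifetime` preserves the result for every non-negative age and refuses to expire future-dated entries on all platforms. Taking `time(NULL)` once before the loop also gives every entry the same reference instant rather than one that advances while iterating. Since the check runs in userland against a snapshot, an entry whose statistics are zeroed between pfr_get_astats() and pfr_del_addrs() is still deleted; a one-line comment stating that this window is accepted would help the next reader. The enclosing pfctl_table() starts before the hunk, so `p`, `b`, `b2`, `table`, `flags` and `ndel` are presumed to be its existing locals.
```c
	time_t now = time(NULL);

	/* … unchanged: strtonum() of lifetime and the pfr_get_astats() grow loop … */
	PFRB_FOREACH(p, &b) {
		long long age = now -
		    ((struct pfr_astats *)p)->pfras_tzero;
		if (age > (long long)lifetime &&
		    pfr_buf_add(&b2, &((struct pfr_astats *)p)->pfras_a))
			err(1, "duplicate buffer");
	}
	/* … unchanged: pfr_del_addrs() and verbose feedback … */
```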