authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-01-09 11:30:54 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-01-09 11:30:54 +0000
commit24c495a51bf0769c932f77a566a88fb4369beeff (patch)
tree4a27c4a783e0c72597d1192336cafb512205b87f
parent81cdc565c9c7e4b8822f9e0a282681dd86d76d27 (diff)
Add labels to rules. These are arbitrary names (not to be confused with
tags that will be used to tag packets later on). Add pfctl -z to clear per-rule counters. Add pfctl -s labels to output per-rule counters in terse format and only for rules that have labels. Suggested by Henning Brauer.
-rw-r--r--sbin/pfctl/parse.y27
-rw-r--r--sbin/pfctl/pfctl.811
-rw-r--r--sbin/pfctl/pfctl.c62
-rw-r--r--sbin/pfctl/pfctl_parser.c4
-rw-r--r--sbin/pfctl/pfctl_parser.h3
-rw-r--r--share/man/man5/pf.conf.510
-rw-r--r--sys/net/pf.c14
-rw-r--r--sys/net/pfvar.h5
8 files changed, 112 insertions, 24 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index c51f29971c1..ae0492cda36 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.50 2002/01/08 09:31:55 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.51 2002/01/09 11:30:53 dhartmei Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -170,7 +170,7 @@ typedef struct {
%token PASS BLOCK SCRUB RETURN IN OUT LOG LOGALL QUICK ON FROM TO FLAGS
%token RETURNRST RETURNICMP RETURNICMP6 PROTO INET INET6 ALL ANY ICMPTYPE
%token ICMP6TYPE CODE KEEP MODULATE STATE PORT RDR NAT BINAT ARROW NODF
-%token MINTTL IPV6ADDR ERROR ALLOWOPTS FASTROUTE ROUTETO DUPTO NO
+%token MINTTL IPV6ADDR ERROR ALLOWOPTS FASTROUTE ROUTETO DUPTO NO LABEL
%token <v.string> STRING
%token <v.number> NUMBER
%token <v.i> PORTUNARY PORTBINARY
@@ -187,6 +187,7 @@ typedef struct {
%type <v.port> portspec port_list port_item
%type <v.route> route
%type <v.redirection> redirection
+%type <v.string> label
%%
ruleset : /* empty */
@@ -210,7 +211,7 @@ varset : STRING PORTUNARY STRING
}
;
-pfrule : action dir log quick interface route af proto fromto flags icmpspec keep nodf minttl allowopts
+pfrule : action dir log quick interface route af proto fromto flags icmpspec keep nodf minttl allowopts label
{
struct pf_rule r;
@@ -263,6 +264,16 @@ pfrule : action dir log quick interface route af proto fromto flags icmpspec ke
}
}
+ if ($16) {
+ if (strlen($16) >= PF_RULE_LABEL_SIZE) {
+ yyerror("rule label too long (max "
+ "%d chars)", PF_RULE_LABEL_SIZE-1);
+ YYERROR;
+ }
+ strcpy(r.label, $16);
+ free($16);
+ }
+
expand_rule(&r, $5, $8, $9.src.host, $9.src.port,
$9.dst.host, $9.dst.port, $11);
}
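Review bot: The too-long-label branch leaks the string the label rule strdup'd, because `YYERROR` is taken before `free($16)` runs; add `free($16);` immediately before `YYERROR;` in that branch. The `strcpy` is bounded by the preceding `strlen` check and is safe as written, but `strlcpy(r.label, $16, sizeof(r.label))` would make the bound visible at the copy itself and is the usual OpenBSD idiom. The no-label case relies on `r.label[0]` already being `'\0'`, i.e. on `r` having been zeroed earlier in this action, which is outside the hunk and worth confirming. The pfrule action starts before this hunk.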
@@ -754,6 +765,15 @@ nodf : /* empty */ { $$ = 0; }
allowopts : /* empty */ { $$ = 0; }
| ALLOWOPTS { $$ = 1; }
+label : /* empty */ { $$ = NULL; }
+ | LABEL STRING {
+ if (($$ = strdup($2)) == NULL) {
+ yyerror("rule label strdup() failed");
+ YYERROR;
+ }
+ }
+ ;
+
no : /* empty */ { $$ = 0; }
| NO { $$ = 1; }
;
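Review bot: `$$ = strdup($2)` makes a second heap copy of the STRING token but never releases `$2`; if the lexer hands out malloc'd strings for STRING (which `%token <v.string> STRING` suggests), this leaks one allocation per labelled rule, and if it does not, the strdup is exactly right. Either pass the token through with `$$ = $2;` or add `free($2);` after a successful strdup, whichever matches the lexer's ownership convention, which is outside this hunk.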
@@ -1331,6 +1351,7 @@ lookup(char *s)
{ "inet", INET},
{ "inet6", INET6},
{ "keep", KEEP},
+ { "label", LABEL},
{ "log", LOG},
{ "log-all", LOGALL},
{ "min-ttl", MINTTL},
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 4bfa1bd2069..07b79fd4a88 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.38 2001/12/21 11:41:50 mpech Exp $
+.\" $OpenBSD: pfctl.8,v 1.39 2002/01/09 11:30:53 dhartmei Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -32,7 +32,7 @@
.Nd control the packet filter device
.Sh SYNOPSIS
.Nm pfctl
-.Op Fl dehnqv
+.Op Fl dehnqvz
.Op Fl F Ar modifier
.Op Fl l Ar interface
.Op Fl N Ar file
@@ -102,7 +102,7 @@ Flush the filter rules.
.It Fl F Ar state
Flush the state table (NAT and filter).
.It Fl F Ar info
-Flush the filter information (statistics and counters).
+Flush the filter information (statistics that are not bound to rules).
.It Fl F Ar all
Flush all of the above.
.El
@@ -168,6 +168,9 @@ connection).
Show the contents of the state table.
.It Fl s Ar info
Show filter information (statistics and counters).
+.It Fl s Ar labels
+Show per-rule statistics (in terse format) of filter rules with labels,
+useful for accounting.
.It Fl s Ar all
Show all of the above.
.El
@@ -254,6 +257,8 @@ Generate debug messages only for serious errors.
.It Fl x Ar misc
Generate debug messages for various errors.
.El
+.It Fl z
+Clear per-rule statistics.
.El
.Sh FILES
.Bl -tag -width "/etc/nat.conf" -compact
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 73334d9cc84..367a78dcd16 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.50 2002/01/06 21:56:12 dhartmei Exp $ */
+/* $OpenBSD: pfctl.c,v 1.51 2002/01/09 11:30:53 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -55,7 +55,7 @@ int pfctl_clear_rules(int, int);
int pfctl_clear_nat(int, int);
int pfctl_clear_states(int, int);
int pfctl_hint(int, const char *, int);
-int pfctl_show_rules(int, int);
+int pfctl_show_rules(int, int, int);
int pfctl_show_nat(int);
int pfctl_show_states(int, u_int8_t, int);
int pfctl_show_status(int);
@@ -66,6 +66,7 @@ int pfctl_timeout(int, char *, int);
int pfctl_gettimeout(int, const char *);
int pfctl_settimeout(int, const char *, int);
int pfctl_debug(int, u_int32_t, int);
+int pfctl_clear_rule_counters(int, int);
int opts = 0;
char *clearopt;
@@ -157,7 +158,8 @@ usage()
fprintf(stderr, "usage: %s [-dehnqv] [-F set] [-l interface] ",
__progname);
- fprintf(stderr, "[-N file] [-O level] [-R file] [-s set] [-t set] [-x level]\n");
+ fprintf(stderr, "[-N file] [-O level] [-R file] [-s set] [-t set] "
+ "[-x level] [-z]\n");
exit(1);
}
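Review bot: The usage line now advertises `[-z]` at the end while the option cluster on the previous line still reads `[-dehnqv]`, whereas pfctl.8 in this same commit folds the flag into `.Op Fl dehnqvz`. Either add `z` to the cluster (`"usage: %s [-dehnqvz] [-F set] [-l interface] "`) and drop the separate `[-z]`, or change the manual to match, so the two synopses do not drift.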
@@ -248,7 +250,7 @@ pfctl_clear_states(int dev, int opts)
}
int
-pfctl_show_rules(int dev, int opts)
+pfctl_show_rules(int dev, int opts, int format)
{
struct pfioc_rule pr;
u_int32_t nr, mnr;
@@ -264,11 +266,25 @@ pfctl_show_rules(int dev, int opts)
warnx("DIOCGETRULE");
return (-1);
}
- print_rule(&pr.rule);
- if (opts & PF_OPT_VERBOSE)
- printf("[ Evaluations: %-10llu Packets: %-10llu "
- "Bytes: %-10llu ]\n\n", pr.rule.evaluations,
- pr.rule.packets, pr.rule.bytes);
+ switch (format) {
+ case 1:
+ if (pr.rule.label[0]) {
+ if (opts & PF_OPT_VERBOSE)
+ print_rule(&pr.rule);
+ else
+ printf("%s ", pr.rule.label);
+ printf("%llu %llu %llu\n",
+ pr.rule.evaluations, pr.rule.packets,
+ pr.rule.bytes);
+ }
+ break;
+ default:
+ print_rule(&pr.rule);
+ if (opts & PF_OPT_VERBOSE)
+ printf("[ Evaluations: %-10llu Packets: %-10llu "
+ "Bytes: %-10llu ]\n\n", pr.rule.evaluations,
+ pr.rule.packets, pr.rule.bytes);
+ }
}
return (0);
}
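Review bot: The terse `-s labels` output prints the label and the three counters separated by single spaces, so a label containing whitespace (a quoted STRING can carry one) shifts the columns and breaks the accounting scripts this format is meant for; either reject whitespace in parse.y or print the label quoted here. `case 1:` is a magic value that also appears at the `-s labels` call site in main(); a small `enum { PFCTL_FMT_RULES = 0, PFCTL_FMT_LABELS = 1 }` would document what `format` means. The `%s` on `pr.rule.label` also trusts that the 32-byte array handed back by the kernel is NUL-terminated; pfctl's own parser guarantees that, but nothing in the kernel path in this diff does, so `printf("%.*s ", (int)sizeof(pr.rule.label), pr.rule.label)` would be the defensive form. pfctl_show_rules starts before this hunk.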
@@ -671,6 +687,16 @@ pfctl_debug(int dev, u_int32_t level, int opts)
}
int
+pfctl_clear_rule_counters(int dev, int opts)
+{
+ if (ioctl(dev, DIOCCLRRULECTRS))
+ err(1, "DIOCCLRRULECTRS");
+ if ((opts & PF_OPT_QUIET) == 0)
+ printf("pf: rule counters cleared\n");
+ return (0);
+}
+
+int
main(int argc, char *argv[])
{
extern char *optarg;
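Review bot: pfctl_clear_rule_counters can never return non-zero, because `err(1, ...)` exits on ioctl failure, yet its caller in main() sets `error = 1` on a non-zero return, so one of the two is dead code. Matching the file's other helpers (pfctl_show_rules warns and returns -1), `warnx("DIOCCLRRULECTRS"); return (-1);` would let main() report the failure and still close the device; otherwise the caller's check can go. A one-line comment noting that the ioctl zeroes the counters of the active ruleset only, as the pf.c hunk shows, would also help the next reader.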
@@ -683,7 +709,7 @@ main(int argc, char *argv[])
if (argc < 2)
usage();
- while ((ch = getopt(argc, argv, "deqF:hl:nN:O:R:s:t:vx:")) != -1) {
+ while ((ch = getopt(argc, argv, "deqF:hl:nN:O:R:s:t:vx:z")) != -1) {
switch (ch) {
case 'd':
opts |= PF_OPT_DISABLE;
@@ -733,6 +759,10 @@ main(int argc, char *argv[])
debugopt = optarg;
mode = O_RDWR;
break;
+ case 'z':
+ opts |= PF_OPT_CLRRULECTRS;
+ mode = O_RDWR;
+ break;
case 'h':
default:
usage();
@@ -799,7 +829,10 @@ main(int argc, char *argv[])
if (showopt != NULL) {
switch (*showopt) {
case 'r':
- pfctl_show_rules(dev, opts);
+ pfctl_show_rules(dev, opts, 0);
+ break;
+ case 'l':
+ pfctl_show_rules(dev, opts, 1);
break;
case 'n':
pfctl_show_nat(dev);
@@ -811,7 +844,7 @@ main(int argc, char *argv[])
pfctl_show_status(dev);
break;
case 'a':
- pfctl_show_rules(dev, opts);
+ pfctl_show_rules(dev, opts, 0);
pfctl_show_nat(dev);
pfctl_show_states(dev, 0, opts);
pfctl_show_status(dev);
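Review bot: `-s all` is documented in pfctl.8 in this commit as "Show all of the above", and `-s labels` is now listed above it, but `case 'a'` still calls only the plain rule format and never `pfctl_show_rules(dev, opts, 1)`. Either add that call here or narrow the manual's wording; whether `all` should include the terse label lines is a product choice, but code and manual currently disagree. main() continues outside this hunk.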
@@ -855,6 +888,11 @@ main(int argc, char *argv[])
}
}
+ if (opts & PF_OPT_CLRRULECTRS) {
+ if (pfctl_clear_rule_counters(dev, opts))
+ error = 1;
+ }
+
close(dev);
exit(error);
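Review bot: Because the clear runs after the show block, `pfctl -s labels -z` reads the counters via DIOCGETRULE and then zeroes them with a separate DIOCCLRRULECTRS, so packets counted between the two ioctls vanish from the accounting, and nothing in this diff offers a read-and-clear. That is acceptable for a first cut but should be stated, e.g. in pfctl.8 under `-z`: `Counters accumulated between a preceding read and the clear are not reported.` A combined get-and-clear ioctl could close the gap later. main() continues outside this hunk.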
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 15ccbad7249..e880980edd8 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.59 2002/01/08 09:31:55 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.60 2002/01/09 11:30:53 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -753,6 +753,8 @@ print_rule(struct pf_rule *r)
printf("min-ttl %d ", r->min_ttl);
if (r->allow_opts)
printf("allow-opts ");
+ if (r->label[0])
+ printf("label %s", r->label);
printf("\n");
}
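Review bot: `printf("label %s", r->label)` emits the label bare, so a label containing whitespace or characters the lexer treats specially (a quoted STRING may hold a space) yields a rule line that will not re-parse, unlike the other fields print_rule writes; `printf("label \"%s\"", r->label)` keeps the output loadable, assuming the grammar's `LABEL STRING` accepts quoted strings as it appears to. The `%s` also assumes the array is NUL-terminated, which only pfctl's own parser guarantees at present. print_rule starts before this hunk.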
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index ddc13232132..a0522f43cf7 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.12 2001/10/04 21:54:15 dhartmei Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.13 2002/01/09 11:30:53 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -38,6 +38,7 @@
#define PF_OPT_VERBOSE 0x0004
#define PF_OPT_NOACTION 0x0008
#define PF_OPT_QUIET 0x0010
+#define PF_OPT_CLRRULECTRS 0x0020
struct pfctl {
int dev;
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 0db1d6a94ff..1731cf2708a 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.28 2001/12/07 20:36:17 beck Exp $
+.\" $OpenBSD: pf.conf.5,v 1.29 2002/01/09 11:30:53 dhartmei Exp $
.\"
.\" Copyright (c) 2001, Daniel Hartmeier
.\" All rights reserved.
@@ -51,7 +51,8 @@ rule = action ( "in" | "out" )
hosts
[ flags ] ( [ icmp-type ] | [ ipv6-icmp-type ] )
[ "keep state" ] [ "modulate state" ]
- [ "no-df" ] [ "min-ttl" number ] [ "allow-opts" ] .
+ [ "no-df" ] [ "min-ttl" number ] [ "allow-opts" ]
+ [ "label" string ] .
action = "pass" | "block" [ return ] | "scrub" .
return = "return-rst" |
@@ -294,6 +295,11 @@ The implicit
.Em pass
rule that is used when a packet doesn't match any rules does not
allow IP options.
+.Ss label <string>
+Adds a label (name) to the rule, which can be used to identify the rule.
+For instance,
+.Em pfctl -s labels
+shows per-rule statistics for rules that have labels.
.Sh MACROS
.Em pfctl
supports macro definition and expansion like:
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 2631df64659..45edabf0ea8 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.182 2002/01/08 09:31:55 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.183 2002/01/09 11:30:53 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -1039,6 +1039,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
case DIOCSETDEBUG:
case DIOCGETSTATES:
case DIOCGETTIMEOUT:
+ case DIOCCLRRULECTRS:
break;
default:
return EPERM;
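Review bot: Adding DIOCCLRRULECTRS to this permit list means counters can be zeroed whenever the other listed ioctls are allowed; the condition guarding the switch is outside the hunk, but the visible cases (DIOCSETDEBUG, DIOCGETSTATES, DIOCGETTIMEOUT) look like the set permitted while the ruleset itself is locked. Since the counters are being introduced for accounting, wiping them under a locked configuration deserves an explicit decision and a comment on the new case, e.g. `/* clears counters only, ruleset unchanged */`, or removal from this list. pfioctl starts before this hunk.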
@@ -2149,6 +2150,17 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
break;
}
+ case DIOCCLRRULECTRS: {
+ struct pf_rule *rule;
+
+ s = splsoftnet();
+ TAILQ_FOREACH(rule, pf_rules_active, entries)
+ rule->evaluations = rule->packets =
+ rule->bytes = 0;
+ splx(s);
+ break;
+ }
+
default:
error = ENODEV;
break;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 3a1cc53f793..dd40551847e 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.59 2002/01/08 09:31:55 dhartmei Exp $ */
+/* $OpenBSD: pfvar.h,v 1.60 2002/01/09 11:30:53 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -191,6 +191,8 @@ struct pf_rule_addr {
struct pf_rule {
char ifname[IFNAMSIZ];
char rt_ifname[IFNAMSIZ];
+#define PF_RULE_LABEL_SIZE 32
+ char label[PF_RULE_LABEL_SIZE];
struct ifnet *ifp;
struct ifnet *rt_ifp;
struct pf_rule_addr src;
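Review bot: `label` is a fixed 32-byte array copied into the kernel by struct, and nothing on the kernel side in this diff forces a terminating NUL; the only guard is pfctl's strlen check in parse.y, which another userland client need not perform before the string is handed back and printed with `%s`. In the rule-add path of pfioctl (not in this diff) a one-liner `rule->label[sizeof(rule->label) - 1] = '\0';` would make the kernel self-protecting. As a style point, `#define PF_RULE_LABEL_SIZE 32` sits inside the struct body; moving it above `struct pf_rule` with the other constants reads better. struct pf_rule continues outside this hunk.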
@@ -559,6 +561,7 @@ struct pfioc_tm {
#define DIOCGETBINAT _IOWR('D', 35, struct pfioc_binat)
#define DIOCCHANGEBINAT _IOWR('D', 36, struct pfioc_changebinat)
#define DIOCADDSTATE _IOWR('D', 37, struct pfioc_state)
+#define DIOCCLRRULECTRS _IO ('D', 38)
#ifdef _KERNEL