author | Cedric Berger <cedric@cvs.openbsd.org> | 2004-02-19 21:29:52 +0000 |
---|---|---|
committer | Cedric Berger <cedric@cvs.openbsd.org> | 2004-02-19 21:29:52 +0000 |
commit | b35e42339a6675e65c7e31d8bcd86d5acd7fb33b (patch) | |
tree | 77970cbae8bb6d0c6421dbf094130680e79cc825 | |
parent | d8e9badb65d542e8e27a37cd48807b8931dd8db1 (diff) |
Makes pfctl -Fs and pfctl -w work with the optional -i specifier.
Kernel/Userland Sync needed. ok dhartmei@ jmc@ markus@ mcbride@
-rw-r--r-- | sbin/pfctl/pfctl.c | 30 | ||||
-rw-r--r-- | share/man/man4/pf.4 | 12 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 23 | ||||
-rw-r--r-- | sys/net/pfvar.h | 5 |
4 files changed, 49 insertions, 21 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index e7048e9100f..5e5e3cb6739 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.205 2004/02/17 08:48:29 cedric Exp $ */
+/* $OpenBSD: pfctl.c,v 1.206 2004/02/19 21:29:51 cedric Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -62,8 +62,8 @@ int pfctl_clear_rules(int, int, char *, char *);
 int pfctl_clear_nat(int, int, char *, char *);
 int pfctl_clear_altq(int, int);
 int pfctl_clear_src_nodes(int, int);
-int pfctl_clear_states(int, int);
-int pfctl_kill_states(int, int);
+int pfctl_clear_states(int, const char *, int);
+int pfctl_kill_states(int, const char *, int);
 int pfctl_get_pool(int, struct pf_pool *, u_int32_t, u_int32_t, int,
	    char *, char *);
 void pfctl_print_rule_counters(struct pf_rule *, int);
@@ -368,17 +368,24 @@ pfctl_clear_src_nodes(int dev, int opts)
 }
 
 int
-pfctl_clear_states(int dev, int opts)
+pfctl_clear_states(int dev, const char *iface, int opts)
 {
-	if (ioctl(dev, DIOCCLRSTATES))
+	struct pfioc_state_kill psk;
+
+	memset(&psk, 0, sizeof(psk));
+	if (iface != NULL && strlcpy(psk.psk_ifname, iface,
+	    sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
+		errx(1, "invalid interface: %s\n", iface);
+
+	if (ioctl(dev, DIOCCLRSTATES, &psk))
 		err(1, "DIOCCLRSTATES");
 	if ((opts & PF_OPT_QUIET) == 0)
-		fprintf(stderr, "states cleared\n");
+		fprintf(stderr, "%d states cleared\n", psk.psk_af);
 	return (0);
 }
 
 int
-pfctl_kill_states(int dev, int opts)
+pfctl_kill_states(int dev, const char *iface, int opts)
 {
 	struct pfioc_state_kill psk;
 	struct addrinfo *res[2], *resp[2];
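Review bot: The new `errx(1, "invalid interface: %s\n", iface)` in pfctl_clear_states ends its format with `\n` although errx(3) appends a newline itself, so a too-long interface name prints the error followed by a blank line; `errx(1, "invalid interface: %s", iface);` matches the existing `errx(1, "getaddrinfo: %s", ...)` style in this file, and the same string is added again to pfctl_kill_states in the next hunk. The `"%d states cleared\n"` line reads the kill count back out of `psk.psk_af`, a field whose declaration is outside this hunk and whose name suggests an address family rather than a counter; if it is narrower than int the printed count is truncated, which deserves a comment on that line such as `/* kernel returns the number of killed states in psk_af */`. pfctl_kill_states continues past the end of the hunk.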
@@ -393,6 +400,9 @@ pfctl_kill_states(int dev, int opts)
 	    sizeof(psk.psk_src.addr.v.a.mask));
 	memset(&last_src, 0xff, sizeof(last_src));
 	memset(&last_dst, 0xff, sizeof(last_dst));
+	if (iface != NULL && strlcpy(psk.psk_ifname, iface,
+	    sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
+		errx(1, "invalid interface: %s\n", iface);
 
 	if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) {
 		errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
@@ -1708,7 +1718,7 @@ main(int argc, char *argv[])
 			pfctl_clear_altq(dev, opts);
 			break;
 		case 's':
-			pfctl_clear_states(dev, opts);
+			pfctl_clear_states(dev, ifaceopt, opts);
 			break;
 		case 'S':
 			pfctl_clear_src_nodes(dev, opts);
@@ -1720,7 +1730,7 @@ main(int argc, char *argv[])
 			pfctl_clear_rules(dev, opts, anchorname, rulesetname);
 			pfctl_clear_nat(dev, opts, anchorname, rulesetname);
 			pfctl_clear_altq(dev, opts);
-			pfctl_clear_states(dev, opts);
+			pfctl_clear_states(dev, ifaceopt, opts);
 			pfctl_clear_src_nodes(dev, opts);
 			pfctl_clear_stats(dev, opts);
 			pfctl_clear_tables(anchorname, rulesetname, opts);
@@ -1735,7 +1745,7 @@ main(int argc, char *argv[])
 		}
 	}
 	if (state_killers)
-		pfctl_kill_states(dev, opts);
+		pfctl_kill_states(dev, ifaceopt, opts);
 
 	if (tblcmdopt != NULL) {
 		error = pfctl_command_tables(argc, argv, tableopt,
diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4
index 82df4b47eee..4b269f84c46 100644
--- a/share/man/man4/pf.4
+++ b/share/man/man4/pf.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.4,v 1.45 2004/01/24 18:54:40 deraadt Exp $
+.\" $OpenBSD: pf.4,v 1.46 2004/02/19 21:29:51 cedric Exp $
 .\"
 .\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
 .\"
@@ -211,8 +211,6 @@ of length
 .Va nbytes
 for the queue specified by
 .Va nr .
-.It Dv DIOCCLRSTATES
-Clears the state table.
 .It Dv DIOCADDSTATE Fa "struct pfioc_state"
 Adds a state entry.
 .It Dv DIOCGETSTATE Fa "struct pfioc_state"
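Review bot: In what appears to be the flush-everything path (the `@@ -1720` hunk) only `pfctl_clear_states(dev, ifaceopt, opts)` receives `ifaceopt`, while the adjacent `pfctl_clear_rules`, `pfctl_clear_nat`, `pfctl_clear_altq`, `pfctl_clear_src_nodes`, `pfctl_clear_stats` and `pfctl_clear_tables` calls still take no interface, so with `-i` this path flushes everything globally except states, which are flushed per interface. That mixed result should either be refused up front, e.g. `if (ifaceopt != NULL) errx(1, "-i cannot be combined with a full flush");`, or be stated explicitly in pfctl(8). The diffstat shows pfctl.8 is not touched by this commit even though the meaning of `-i` together with `-F states` and `-k` changes here. The enclosing main() body starts and ends outside these hunks.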
@@ -233,8 +231,16 @@ struct pfioc_state_kill {
 	int psk_proto;
 	struct pf_rule_addr psk_src;
 	struct pf_rule_addr psk_dst;
+	char psk_ifname[IFNAMSIZ];
 };
 .Ed
+.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill"
+Clears all states.
+It works like
+.Dv DIOCKILLSTATES ,
+but ignores the psk_af, psk_proto, psk_src and psk_dst fields of the
+.Fa pfioc_state_kill
+structure.
 .It Dv DIOCSETSTATUSIF Fa "struct pfioc_if"
 .Bd -literal
 struct pfioc_if {
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 49bb601f10f..93aa298cfc8 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.106 2004/02/19 07:41:45 kjc Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.107 2004/02/19 21:29:51 cedric Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1265,16 +1265,25 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 	}
 
 	case DIOCCLRSTATES: {
-		struct pf_state *state;
+		struct pf_state *state;
+		struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
+		int killed = 0;
 
 		s = splsoftnet();
-		RB_FOREACH(state, pf_state_tree_id, &tree_id)
-			state->timeout = PFTM_PURGE;
+		RB_FOREACH(state, pf_state_tree_id, &tree_id) {
+			if (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname,
+			    state->u.s.kif->pfik_name)) {
+				state->timeout = PFTM_PURGE;
+				killed++;
+			}
+		}
 		pf_purge_expired_states();
 		pf_status.states = 0;
 		splx(s);
+		psk->psk_af = killed;
 #if NPFSYNC
-		pfsync_clear_states(pf_status.hostid);
+		if (!psk->psk_ifname[0])
+			pfsync_clear_states(pf_status.hostid);
 #endif
 		break;
 	}
@@ -1304,7 +1313,9 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 			    (psk->psk_dst.port_op == 0 ||
 			    pf_match_port(psk->psk_dst.port_op,
 			    psk->psk_dst.port[0], psk->psk_dst.port[1],
-			    state->ext.port))) {
+			    state->ext.port)) &&
+			    (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname,
+			    state->u.s.kif->pfik_name))) {
 				state->timeout = PFTM_PURGE;
 				killed++;
 			}
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 492074bba88..29e000285e0 100644
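Review bot: In the DIOCCLRSTATES hunk `pf_status.states = 0;` still runs unconditionally although the purge loop above it now skips every state whose `kif->pfik_name` does not match `psk->psk_ifname`, so a per-interface clear that leaves states in `tree_id` resets the global state count to zero; if the later expiry of those remaining states decrements the counter (pf_purge_expired_states is not visible here) it will wrap. Make the reset follow the same condition, `if (!psk->psk_ifname[0]) pf_status.states = 0;`, or drop the line if the purge path already maintains the count. The `#if NPFSYNC` block has the same asymmetry: an interface-scoped clear no longer calls `pfsync_clear_states()` at all, so peers learn of the removal only through whatever per-state notification the purge does, and a comment there should say that is intended. Note also that `psk->psk_af = killed;` overwrites a field the new pf.4 text describes as ignored; the man page should say the number of killed states is returned in psk_af. The pfioctl() switch starts and ends outside both hunks.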
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.184 2004/02/19 07:41:45 kjc Exp $ */
+/* $OpenBSD: pfvar.h,v 1.185 2004/02/19 21:29:51 cedric Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1069,6 +1069,7 @@ struct pfioc_state_kill {
 	int psk_proto;
 	struct pf_rule_addr psk_src;
 	struct pf_rule_addr psk_dst;
+	char psk_ifname[IFNAMSIZ];
 };
 
 struct pfioc_states {
@@ -1202,7 +1203,7 @@ struct pfioc_iface {
 #define DIOCGETRULES _IOWR('D', 6, struct pfioc_rule)
 #define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule)
 /* XXX cut 8 - 17 */
-#define DIOCCLRSTATES _IO ('D', 18)
+#define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill)
 #define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state)
 #define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)
 #define DIOCGETSTATUS _IOWR('D', 21, struct pf_status)
|
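Review bot: The new `psk_ifname` member of `struct pfioc_state_kill` carries an undocumented convention — the kernel side of this commit treats an empty string as "match every interface" (the `!psk->psk_ifname[0]` tests in pf_ioctl.c) — so the field should say so: `char psk_ifname[IFNAMSIZ]; /* "" matches all interfaces */`. Adding the member also changes the size encoded into every `_IOWR(..., struct pfioc_state_kill)` number, and `DIOCCLRSTATES` itself moves from `_IO` to `_IOWR`, so pfctl binaries built against the previous header will no longer match these ioctls; that is the "Kernel/Userland Sync needed" from the commit message, and a short comment beside the `DIOCCLRSTATES` define noting that the argument is now mandatory, with an all-zero structure meaning a full flush, would spare callers a trip to pf_ioctl.c.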