authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2004-12-07 05:30:28 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2004-12-07 05:30:28 +0000
commit19f9c903fc2760f22631be7691d1815e98dca223 (patch)
tree60e04a1cef7b27515a5ef68a99c9da4d8880cad6
parent794ffce479f48a30cd683f84a622ec2692264248 (diff)
Change the default for 'overload <table> flush' to flush only states from the
offending source created by the rule. 'flush global' flushes all states originating from the offending source. ABI change, requires kernel and pfctl to be in sync. ok deraadt@ henning@ dhartmei@
-rw-r--r--sbin/pfctl/parse.y11
-rw-r--r--sbin/pfctl/pfctl_parser.c6
-rw-r--r--share/man/man5/pf.conf.513
-rw-r--r--sys/net/pf.c15
-rw-r--r--sys/net/pfvar.h22
5 files changed, 41 insertions, 26 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 3d3e68a9867..a5e46d0988c 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.462 2004/12/05 10:11:29 dhartmei Exp $ */
+/* $OpenBSD: parse.y,v 1.463 2004/12/07 05:30:26 mcbride Exp $ */
/*
* Copyright (c) 2001 Markus Friedl. All rights reserved.
@@ -1613,9 +1613,7 @@ pfrule : action dir logquick interface route af proto fromto
"strlcpy");
YYERROR;
}
- if (o->data.overload.flush)
- r.rule_flag |=
- PFRULE_SRCTRACK_FLUSH;
+ r.flush = o->data.overload.flush;
break;
case PF_STATE_OPT_MAX_SRC_CONN:
if (r.max_src_conn) {
@@ -2807,7 +2805,10 @@ keep : KEEP STATE state_opt_spec {
;
flush : /* empty */ { $$ = 0; }
- | FLUSH { $$ = 1; }
+ | FLUSH { $$ = PF_FLUSH; }
+ | FLUSH GLOBAL {
+ $$ = PF_FLUSH | PF_FLUSH_GLOBAL;
+ }
;
state_opt_spec : '(' state_opt_list ')' { $$ = $2; }
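Review bot: The new `FLUSH GLOBAL` alternative depends on a `GLOBAL` token being declared in the `%token` list and mapped in the keyword table, and neither appears in this diff; if `global` is not already a reserved word the lexer hands it back as a STRING and this alternative never matches. Presumably it is already present, but the diffstat counts 11 changed lines for parse.y while the hunks shown here account for 10, so that is worth confirming. Separately, the pf.conf.5 example this commit edits writes the option as `overflow <bad_hosts> flush global`, whereas pfctl prints the same option as `overload <table>` (pfctl_parser.c), so the documented example is unlikely to parse as written.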
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 419bbbb6170..748f23b1c02 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.208 2004/12/04 07:58:52 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.209 2004/12/07 05:30:27 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -877,8 +877,10 @@ print_rule(struct pf_rule *r, const char *anchor_call, int verbose)
if (!opts)
printf(", ");
printf("overload <%s>", r->overload_tblname);
- if (r->rule_flag & PFRULE_SRCTRACK_FLUSH)
+ if (r->flush)
printf(" flush");
+ if (r->flush & PF_FLUSH_GLOBAL)
+ printf(" global");
}
if (r->rule_flag & PFRULE_IFBOUND) {
if (!opts)
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 4cf312d340e..837164fe3d8 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.307 2004/12/04 16:07:31 mcbride Exp $
+.\" $OpenBSD: pf.conf.5,v 1.308 2004/12/07 05:30:27 mcbride Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -1963,8 +1963,13 @@ host's bandwidth.
.Pp
The optional
.Ar flush
-keyword kills all existing states originating from hosts exceeding these
-limits.
+keyword kills all states created by the matching rule which originate
+from the host which exceeds these limits.
+The
+.Ar global
+modifier to the flush command kills all states originating from the
+offending host, regardless of which rule created the state.
+.Pp
For example, the following rules will protect the webserver against
hosts making more than 100 connections in 10 seconds.
Any host which connects faster than this rate will have its address added
@@ -1974,7 +1979,7 @@ by the block rule.
.Bd -literal -offset indent
block quick from <bad_hosts>
pass in on $ext_if to $webserver port www flags S/SA keep state \e
- (max-src-conn-rate 100/10, overflow <bad_hosts> flush)
+ (max-src-conn-rate 100/10, overflow <bad_hosts> flush global)
.Ed
.Sh OPERATING SYSTEM FINGERPRINTING
Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 6b2c61043dd..961ed27c69d 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.467 2004/12/06 23:28:38 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.468 2004/12/07 05:30:25 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -682,14 +682,14 @@ pf_src_connlimit(struct pf_state **state)
&p, time_second);
/* kill existing states if that's required. */
- if ((*state)->rule.ptr->rule_flag & PFRULE_SRCTRACK_FLUSH) {
+ if ((*state)->rule.ptr->flush) {
pf_status.lcounters[LCNT_OVERLOAD_FLUSH]++;
RB_FOREACH(s, pf_state_tree_id, &tree_id) {
/*
- * Kill all states from this source.
- *
- * XXX Kill states _to_ the source?
+ * Kill states from this source. (Only those
+ * from the same rule if PF_FLUSH_GLOBAL is not
+ * set)
*/
if (s->af == (*state)->af &&
(((*state)->direction == PF_OUT &&
@@ -697,7 +697,10 @@ pf_src_connlimit(struct pf_state **state)
&s->lan.addr, s->af)) ||
((*state)->direction == PF_IN &&
PF_AEQ(&(*state)->src_node->addr,
- &s->ext.addr, s->af)))) {
+ &s->ext.addr, s->af))) &&
+ ((*state)->rule.ptr->flush &
+ PF_FLUSH_GLOBAL ||
+ (*state)->rule.ptr == s->rule.ptr)) {
s->timeout = PFTM_PURGE;
s->src.state = s->dst.state =
TCPS_CLOSED;
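Review bot: The added condition mixes `&` and `||` without parentheses: `(*state)->rule.ptr->flush & PF_FLUSH_GLOBAL || (*state)->rule.ptr == s->rule.ptr`. It evaluates correctly because `&` binds tighter than `||`, but it reads like a precedence slip and should be written `(((*state)->rule.ptr->flush & PF_FLUSH_GLOBAL) || (*state)->rule.ptr == s->rule.ptr)`. Note also that the non-global case identifies "the same rule" by pointer identity; if a ruleset reload installs fresh pf_rule objects (I cannot see the reload path here), states created by the textually identical rule before the reload will no longer match and will survive a non-global flush, which is a caveat worth recording in the comment introduced in the preceding hunk or in pf.conf.5. The enclosing pf_src_connlimit() begins and ends outside this hunk.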
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 3c385a966c3..cbffd25aa5d 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.205 2004/12/04 07:49:48 mcbride Exp $ */
+/* $OpenBSD: pfvar.h,v 1.206 2004/12/07 05:30:26 mcbride Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -537,6 +537,10 @@ struct pf_rule {
u_int8_t tos;
u_int8_t anchor_relative;
u_int8_t anchor_wildcard;
+
+#define PF_FLUSH 0x01
+#define PF_FLUSH_GLOBAL 0x02
+ u_int8_t flush;
};
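Review bot: The new `flush` member and its `PF_FLUSH`/`PF_FLUSH_GLOBAL` values carry no comment, unlike the neighbouring `PFRULE_*` flags, so their meaning is only recoverable from pf.c and the man page. I would annotate them as `#define PF_FLUSH 0x01 /* on overload, kill this rule's states from the source */`, `#define PF_FLUSH_GLOBAL 0x02 /* on overload, kill all states from the source */` and `u_int8_t flush; /* PF_FLUSH* */`. The byte arrives from userland and pf.c treats any nonzero value as a flush, so undefined bits behave as plain PF_FLUSH; either state that here or mask the field to the defined bits at rule-load time. The struct pf_rule definition starts outside this hunk.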
/* rule flags */
@@ -548,7 +552,6 @@ struct pf_rule {
#define PFRULE_NOSYNC 0x0010
#define PFRULE_SRCTRACK 0x0020 /* track source states */
#define PFRULE_RULESRCTRACK 0x0040 /* per rule */
-#define PFRULE_SRCTRACK_FLUSH 0x0080 /* flush for src_node->open_states */
/* scrub flags */
#define PFRULE_NODF 0x0100
@@ -1219,7 +1222,8 @@ struct pfioc_table {
struct pfr_table pfrio_table;
void *pfrio_buffer;
int pfrio_esize;
- int pfrio_size;
+ int pfrio_size; /* entries this transaction */
+ int pfrio_tsize; /* total entries */
int pfrio_size2;
int pfrio_nadd;
int pfrio_ndel;
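Review bot: The `pfrio_tsize` member added to struct pfioc_table is not mentioned in the commit message, which only describes the overload-flush change, and nothing else in this diff reads or writes it. Growing an ioctl argument struct is a second, separate ABI change, so if it belongs to a table-transaction change it should be called out in the message, and the comment should say which side fills it in and how it relates to `pfrio_size`, e.g. `int pfrio_tsize; /* total entries over the whole transaction */` — hedged, since the producer is not visible here. struct pfioc_table begins outside this hunk.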
@@ -1444,12 +1448,12 @@ int pfr_clr_tstats(struct pfr_table *, int, int *, int);
int pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int);
int pfr_clr_addrs(struct pfr_table *, int *, int);
int pfr_insert_kentry(struct pfr_ktable *, struct pfr_addr *, long);
-int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
- int);
-int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
- int);
-int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
- int *, int *, int *, int);
+int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int, int *,
+ int, u_int32_t *);
+int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int, int *,
+ int, u_int32_t *);
+int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int, int *,
+ int *, int *, int *, int, u_int32_t *);
int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int);
int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int);
int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *,
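Review bot: The prototypes of pfr_add_addrs(), pfr_del_addrs() and pfr_set_addrs() gain an extra `int` and a trailing `u_int32_t *` parameter, but neither their definitions (pf_table.c) nor their callers (pf_ioctl.c) are part of this diff, and the commit message does not mention them. Unless those files were updated in a companion commit, the kernel will not build against these declarations; this looks like CVS-era per-file grouping, so it is worth confirming rather than assuming. Because this header omits parameter names throughout, the purpose of the new arguments is not recoverable from here, and a one-line comment above the three prototypes describing what the added `int` and `u_int32_t *` carry would spare the next reader a trip into pf_table.c.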