author | Mike Frantzen <frantzen@cvs.openbsd.org> | 2001-08-28 00:02:44 +0000 |
---|---|---|
committer | Mike Frantzen <frantzen@cvs.openbsd.org> | 2001-08-28 00:02:44 +0000 |
commit | 56d4f14971daa56ff829fba393cc16c622452e8c (patch) | |
tree | f2822fc6aab6c2e6aeec93b42efff74c37ef6d61 /sbin/pfctl/pfctl.c | |
parent | 4720b63fb057ed876a30c2bacf45c2a4e54327c5 (diff) |
Bump state timeouts and allow tweaking them from pfctl.
(The state timeouts need some _serious_ tuning)
Diffstat (limited to 'sbin/pfctl/pfctl.c')
-rw-r--r-- | sbin/pfctl/pfctl.c | 120 |
1 files changed, 117 insertions, 3 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 723087f972d..524cae198a5 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.37 2001/08/23 04:10:31 deraadt Exp $ */
+/* $OpenBSD: pfctl.c,v 1.38 2001/08/28 00:02:43 frantzen Exp $ */
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -67,6 +67,9 @@ int pfctl_show_status(int);
 int pfctl_rules(int, char *, int);
 int pfctl_nat(int, char *, int);
 int pfctl_log(int, char *, int);
+int pfctl_timeout(int, char *, int);
+int pfctl_gettimeout(int, const char *);
+int pfctl_settimeout(int, const char *, int);
 int pfctl_debug(int, u_int32_t, int);
 int opts = 0;
@@ -75,10 +78,31 @@ char *logopt;
 char *natopt;
 char *rulesopt;
 char *showopt;
+char *timeoutopt;
 char *debugopt;
 char *infile;
+
+static const struct {
+ const char *name;
+ int timeout;
+} pf_timeouts[] = {
+ { "tcp.first", PFTM_TCP_FIRST_PACKET },
+ { "tcp.opening", PFTM_TCP_OPENING },
+ { "tcp.established", PFTM_TCP_ESTABLISHED },
+ { "tcp.closing", PFTM_TCP_CLOSING },
+ { "tcp.finwait", PFTM_TCP_FIN_WAIT },
+ { "tcp.closed", PFTM_TCP_CLOSED },
+ { "udp.first", PFTM_UDP_FIRST_PACKET },
+ { "udp.single", PFTM_UDP_SINGLE },
+ { "udp.multiple", PFTM_UDP_MULTIPLE },
+ { "icmp.first", PFTM_ICMP_FIRST_PACKET },
+ { "icmp.error", PFTM_ICMP_ERROR_REPLY },
+ { "frag", PFTM_FRAG },
+ { "interval", PFTM_INTERVAL },
+ { NULL, 0 }};
+
 void
 usage()
 {
@@ -86,7 +110,7 @@ usage()
 fprintf(stderr, "usage: %s [-dehnqv] [-F set] [-l interface] ",
 __progname);
- fprintf(stderr, "[-N file] [-R file] [-s set] [-x level]\n");
+ fprintf(stderr, "[-N file] [-R file] [-s set] [-t set] [-x level]\n");
 exit(1);
 }
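Review bot: The new prototypes `int pfctl_gettimeout(int, const char *);` and `int pfctl_settimeout(int, const char *, int);` take no `opts` argument, unlike every sibling `pfctl_*` entry point declared on the surrounding lines, so their bodies (in the later hunk) fall back to the file-scope `int opts` for the PF_OPT_QUIET check while `pfctl_timeout` receives an `opts` parameter that shadows that same global. Passing it through explicitly keeps the three functions consistent with the rest of the file and removes the shadowing ambiguity: `int pfctl_gettimeout(int, const char *, int);` and `int pfctl_settimeout(int, const char *, int, int);`, with the two call sites in pfctl_timeout updated to forward `opts`.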
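Review bot: The usage text added here advertises the option as `[-t set]`, but the diagnostics for the same option in the later hunk describe its argument as `name[=<seconds>]` and also accept `all`, so the synopsis and the error messages disagree about what `-t` takes. Changing the new line to `fprintf(stderr, "[-N file] [-R file] [-s set] [-t name[=seconds]] [-x level]\n");` keeps them consistent. usage() begins before this hunk.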
@@ -428,6 +452,89 @@ pfctl_log(int dev, char *ifname, int opts)
 }
 int
+pfctl_timeout(int dev, char *opt, int opts)
+{
+ char *seconds, *serr = NULL;
+ int setval;
+
+ seconds = index(opt, '=');
+ if (seconds == NULL)
+ return pfctl_gettimeout(dev, opt);
+ else {
+ /* Set the timeout value */
+ if (*seconds != '\0')
+ *seconds++ = '\0'; /* Eat '=' */
+ setval = strtol(seconds, &serr, 10);
+ if (*serr != '\0' || *seconds == '\0' || setval < 0) {
+ warnx("Bad timeout arguement. Format -t name=seconds");
+ return 1;
+ }
+ return pfctl_settimeout(dev, opt, setval);
+ }
+}
+
+int
+pfctl_gettimeout(int dev, const char *opt)
+{
+ struct pfioc_tm pt;
+ int i;
+
+ for (i = 0; pf_timeouts[i].name; i++) {
+ if (strcmp(opt, "all") == 0) {
+ /* Need to dump all of the values */
+ pt.timeout = pf_timeouts[i].timeout;
+ if (ioctl(dev, DIOCGETTIMEOUT, &pt))
+ err(1, "DIOCGETTIMEOUT");
+ printf("%-20s %ds\n", pf_timeouts[i].name, pt.seconds);
+ } else if (strcasecmp(opt, pf_timeouts[i].name) == 0) {
+ pt.timeout = pf_timeouts[i].timeout;
+ break;
+ }
+ }
+ if (strcmp(opt, "all") == 0)
+ return 0;
+
+ if (pf_timeouts[i].name == NULL) {
+ warnx("Bad timeout name. Format -t name[=<seconds>]");
+ return 1;
+ }
+
+ if (ioctl(dev, DIOCGETTIMEOUT, &pt))
+ err(1, "DIOCSETTIMEOUT");
+ if ((opts & PF_OPT_QUIET) == 0)
+ printf("%s timeout %ds\n", pf_timeouts[i].name,
+ pt.seconds);
+ return (0);
+}
+
+int
+pfctl_settimeout(int dev, const char *opt, int seconds)
+{
+ struct pfioc_tm pt;
+ int i;
+
+ for (i = 0; pf_timeouts[i].name; i++) {
+ if (strcasecmp(opt, pf_timeouts[i].name) == 0) {
+ pt.timeout = pf_timeouts[i].timeout;
+ break;
+ }
+ }
+
+ if (pf_timeouts[i].name == NULL) {
+ warnx("Bad timeout name. Format -t name[=<seconds>]");
+ return 1;
+ }
+
+ pt.seconds = seconds;
+ if (ioctl(dev, DIOCSETTIMEOUT, &pt))
+ err(1, "DIOCSETTIMEOUT");
+ if ((opts & PF_OPT_QUIET) == 0)
+ printf("%s timeout %ds -> %ds\n", pf_timeouts[i].name,
+ pt.seconds, seconds);
+ return (0);
+}
+
+int
 pfctl_debug(int dev, u_int32_t level, int opts)
 {
 if (ioctl(dev, DIOCSETDEBUG, &level))
@@ -465,7 +572,7 @@ main(int argc, char *argv[])
 if (argc < 2)
 usage();
- while ((ch = getopt(argc, argv, "deqF:hl:nN:R:s:vx:")) != -1) {
+ while ((ch = getopt(argc, argv, "deqF:hl:nN:R:s:t:vx:")) != -1) {
 switch (ch) {
 case 'd':
 opts |= PF_OPT_DISABLE;
@@ -494,6 +601,9 @@ main(int argc, char *argv[])
 case 's':
 showopt = optarg;
 break;
+ case 't':
+ timeoutopt = optarg;
+ break;
 case 'v':
 opts |= PF_OPT_VERBOSE;
 break;
@@ -591,6 +701,10 @@ main(int argc, char *argv[])
 if (pfctl_log(dev, logopt, opts))
 error = 1;
+ if (timeoutopt != NULL)
+ if (pfctl_timeout(dev, timeoutopt, opts))
+ error = 1;
+
 if (opts & PF_OPT_ENABLE)
 if (pfctl_enable(dev, opts))
 error = 1;
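Review bot: In pfctl_gettimeout the single-name read path reports its failure as `err(1, "DIOCSETTIMEOUT");` although the ioctl just issued is DIOCGETTIMEOUT, so a failed query is misattributed to the set call; it should read `err(1, "DIOCGETTIMEOUT");` like the `all` branch a few lines above. In pfctl_timeout the strtol result is narrowed into `int setval` with no errno/ERANGE check, so an out-of-range count from the command line is truncated before the `setval < 0` test instead of being rejected; set `errno = 0;` before the call, keep the result in a `long`, and extend the condition with `|| errno == ERANGE || val > INT_MAX` before narrowing (the same warnx message also has the typo `arguement`). `struct pfioc_tm pt` is handed to the ioctls with only `.timeout` (and `.seconds` on the set path) assigned, so if the kernel reads any other member of that struct it sees uninitialized stack; `struct pfioc_tm pt = {0};` would make the contract explicit at no cost. The keyword `all` is matched with strcmp while timeout names are matched with strcasecmp, so `ALL` is reported as a bad name — presumably unintended. The `%ds -> %ds` line in pfctl_settimeout prints `pt.seconds` after the ioctl as the previous value, which only holds if the kernel writes the old setting back into the struct; a comment stating that DIOCSETTIMEOUT returns the prior value would justify the print.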