Many improvements to the handling of interfaces in PF.

1) PF should do the right thing when unplugging/replugging or cloning/
destroying NICs.

2) Rules can be loaded in the kernel for not-yet-existing devices
(USB, PCMCIA, Cardbus). For example, it is valid to write:
"pass in on kue0" before kue USB is plugged in.

3) It is possible to write rules that apply to group of interfaces
(drivers), like "pass in on ppp all"

4) There is a new ":peer" modifier that completes the ":broadcast"
and ":network" modifiers.

5) There is a new ":0" modifier that will filter out interface aliases.
Can also be applied to DNS names to restore original PF behaviour.

6) The dynamic interface syntax (foo) has been vastly improved, and
now support multiple addresses, v4 and v6 addresses, and all userland
modifiers, like "pass in from (fxp0:network)"

7) Scrub rules now support the !if syntax.

8) States can be bound to the specific interface that created them or
to  a group of interfaces for example:

- pass all keep state (if-bound)
- pass all keep state (group-bound)
- pass all keep state (floating)

9) The default value when only keep state is given can be selected by
using the "set state-policy" statement.

10) "pfctl -ss" will now print the interface scope of the state.

This diff change the pf_state structure slighltly, so you should
recompile your userland tools (pfctl, authpf, pflogd, tcpdump...)

Tested on i386, sparc, sparc64 by Ryan
Tested on macppc, sparc64 by Daniel

ok deraadt@ mcbride@

1 files changed, 80 insertions, 1 deletions

diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c
index 57bdf19c6da..419989be5f8 100644
--- a/sbin/pfctl/pfctl_table.c
+++ b/sbin/pfctl/pfctl_table.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfctl_table.c,v 1.50 2003/08/29 21:47:36 cedric Exp $ */
+/*	$OpenBSD: pfctl_table.c,v 1.51 2003/12/31 11:18:24 cedric Exp $ */
 
 /*
  * Copyright (c) 2002 Cedric Berger
@@ -61,12 +61,19 @@ static void	print_addrx(struct pfr_addr *, struct pfr_addr *, int);
 static void	print_astats(struct pfr_astats *, int);
 static void	radix_perror(void);
 static void	xprintf(int, const char *, ...);
+static void	print_iface(struct pfi_if *, int);
+static void	oprintf(int, int, const char *, int *, int);
 
 static const char	*stats_text[PFR_DIR_MAX][PFR_OP_TABLE_MAX] = {
 	{ "In/Block:",	"In/Pass:",	"In/XPass:" },
 	{ "Out/Block:",	"Out/Pass:",	"Out/XPass:" }
 };
 
+static const char	*istats_text[2][2][2] = {
+	{ { "In4/Pass:", "In4/Block:" }, { "Out4/Pass:", "Out4/Block:" } },
+	{ { "In6/Pass:", "In6/Block:" }, { "Out6/Pass:", "Out6/Block:" } }
+};
+
 #define RVTEST(fct) do {				\
 		if ((!(opts & PF_OPT_NOACTION) ||	\
 		    (opts & PF_OPT_DUMMYACTION)) &&	\
@@ -522,3 +529,75 @@ xprintf(int opts, const char *fmt, ...)
 	else
 		fprintf(stderr, ".\n");
 }
+
+
+/* interface stuff */
+
+int
+pfctl_show_ifaces(int opts)
+{
+	struct pfr_buffer 	 b;
+	struct pfi_if		*p;
+
+	bzero(&b, sizeof(b));
+	b.pfrb_type = PFRB_IFACES;
+	for (;;) {
+		pfr_buf_grow(&b, b.pfrb_size);
+		b.pfrb_size = b.pfrb_msize;
+		if (pfi_get_ifaces(NULL, b.pfrb_caddr, &b.pfrb_size,
+		    PFI_FLAG_GROUP|PFI_FLAG_INSTANCE)) {
+			radix_perror();
+			return (1);
+		}
+		if (b.pfrb_size <= b.pfrb_msize)
+			break;
+	}
+	PFRB_FOREACH(p, &b)
+		print_iface(p, opts);
+	return (0);
+}
+
+void 
+print_iface(struct pfi_if *p, int opts)
+{
+	time_t	tzero = p->pfif_tzero;
+	int	flags = (opts & PF_OPT_VERBOSE) ? p->pfif_flags : 0;
+	int	first = 1;
+	int	i, af, dir, act;
+	
+
+	printf("%s", p->pfif_name);
+	oprintf(flags, PFI_IFLAG_INSTANCE, "instance", &first, 0);
+	oprintf(flags, PFI_IFLAG_GROUP, "group", &first, 0);
+	oprintf(flags, PFI_IFLAG_CLONABLE, "clonable", &first, 0);
+	oprintf(flags, PFI_IFLAG_DYNAMIC, "dynamic", &first, 0);
+	oprintf(flags, PFI_IFLAG_ATTACHED, "attached", &first, 1);
+	printf("\n");
+
+	if (!(opts & PF_OPT_VERBOSE2))
+		return;
+        printf("\tCleared:     %s", ctime(&tzero));
+	printf("\tReferences:  [ States:  %-18d Rules: %-18d ]\n",
+	    p->pfif_states, p->pfif_rules);
+	for (i = 0; i < 8; i++) {
+		af = (i>>2) & 1;
+		dir = (i>>1) &1;
+		act = i & 1;
+		printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n",
+		    istats_text[af][dir][act],
+		    p->pfif_packets[af][dir][act],
+		    p->pfif_bytes[af][dir][act]);
+	}
+}
+
+void
+oprintf(int flags, int flag, const char *s, int *first, int last)
+{
+	if (flags & flag) {
+		printf(*first ? "\t(%s" : ", %s", s);
+		*first = 0;
+	}
+	if (last && !*first)
+		printf(")");
+}
+