authorDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-12-18 19:40:42 +0000
committerDaniel Hartmeier <dhartmei@cvs.openbsd.org>2002-12-18 19:40:42 +0000
commit1b33c38cd3170b6cdfd4fabac6582b6177177605 (patch)
treef7cf8354676118fac3304133795fdfd26f5b6b1b /sbin/pfctl
parent29d2e9a7f2313652b63884678ea2b63bd7170c38 (diff)
Store translation rule pointer in state entries, so pfctl -vsn can print
evaluation, packet, byte and state entry counters similar to -vsr. Helps verify whether/how often translation rules are evaluated/matched. ok frantzen@, henning@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/pfctl.c74
-rw-r--r--sbin/pfctl/pfctl_parser.c20
-rw-r--r--sbin/pfctl/pfctl_parser.h8
3 files changed, 57 insertions, 45 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 7a506d07aa4..43a7d8cb972 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.108 2002/12/18 16:28:40 dhartmei Exp $ */
+/* $OpenBSD: pfctl.c,v 1.109 2002/12/18 19:40:41 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -65,8 +65,9 @@ int pfctl_clear_states(int, int);
int pfctl_kill_states(int, int);
int pfctl_get_pool(int, struct pf_pool *, u_int32_t, u_int32_t, int);
void pfctl_clear_pool(struct pf_pool *);
+void pfctl_print_rule_counters(struct pf_rule *, int);
int pfctl_show_rules(int, int, int);
-int pfctl_show_nat(int);
+int pfctl_show_nat(int, int);
int pfctl_show_altq(int);
int pfctl_show_states(int, u_int8_t, int);
int pfctl_show_status(int);
@@ -453,6 +454,33 @@ pfctl_clear_pool(struct pf_pool *pool)
}
}
+void
+pfctl_print_rule_counters(struct pf_rule *rule, int opts)
+{
+ if (opts & PF_OPT_VERBOSE2) {
+ const char *t[PF_SKIP_COUNT] = { "a", "i", "d", "f",
+ "p", "sa", "sp", "da", "dp" };
+ int i;
+
+ printf("[ Skip steps: ");
+ for (i = 0; i < PF_SKIP_COUNT; ++i) {
+ if (rule->skip[i].nr == rule->nr + 1)
+ continue;
+ printf("%s=", t[i]);
+ if (rule->skip[i].nr == -1)
+ printf("end ");
+ else if (rule->skip[i].nr != rule->nr + 1)
+ printf("%u ", rule->skip[i].nr);
+ }
+ printf("]\n");
+ }
+ if (opts & PF_OPT_VERBOSE)
+ printf("[ Evaluations: %-8llu Packets: %-8llu "
+ "Bytes: %-10llu States: %-6u]\n\n",
+ rule->evaluations, rule->packets,
+ rule->bytes, rule->states);
+}
+
int
pfctl_show_rules(int dev, int opts, int format)
{
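Review bot: In the new `pfctl_print_rule_counters`, the test `else if (rule->skip[i].nr != rule->nr + 1)` is always true when it is reached, because the `continue` a few lines above has already filtered out the equal case; a plain `else` would say the same thing. The loop also compares `skip[i].nr` with `-1` and then prints the same field with `%u`, which only lines up if the field is unsigned and the sentinel matches through integer conversion (the declaration is not visible in this hunk), so a short comment on what `-1` means would help. `t[PF_SKIP_COUNT]` is sized by the constant but initialised with nine literals, so a later increase of PF_SKIP_COUNT would leave NULL entries that reach `printf("%s=", t[i])`. The function has no header comment; something like `/* Print skip steps (PF_OPT_VERBOSE2) and counters (PF_OPT_VERBOSE) for one rule. */` would document the two option bits it reads.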
@@ -494,32 +522,7 @@ pfctl_show_rules(int dev, int opts, int format)
break;
default:
print_rule(&pr.rule, opts & PF_OPT_VERBOSE2);
- if (opts & PF_OPT_VERBOSE2) {
- const char *t[PF_SKIP_COUNT] = { "a",
- "i", "d", "f", "p", "sa", "sp",
- "da", "dp" };
- int i;
-
- printf("[ Skip steps: ");
- for (i = 0; i < PF_SKIP_COUNT; ++i) {
- if (pr.rule.skip[i].nr ==
- pr.rule.nr + 1)
- continue;
- printf("%s=", t[i]);
- if (pr.rule.skip[i].nr == -1)
- printf("end ");
- else if (pr.rule.skip[i].nr !=
- pr.rule.nr + 1)
- printf("%u ",
- pr.rule.skip[i].nr);
- }
- printf("]\n");
- }
- if (opts & PF_OPT_VERBOSE)
- printf("[ Evaluations: %-8llu Packets: %-8llu "
- "Bytes: %-10llu States: %-6u]\n\n",
- pr.rule.evaluations, pr.rule.packets,
- pr.rule.bytes, pr.rule.states);
+ pfctl_print_rule_counters(&pr.rule, opts);
}
pfctl_clear_pool(&pr.rule.rpool);
}
@@ -557,7 +560,7 @@ pfctl_show_altq(int dev)
}
int
-pfctl_show_nat(int dev)
+pfctl_show_nat(int dev, int opts)
{
struct pfioc_rule pr;
u_int32_t mnr, nr;
@@ -580,7 +583,8 @@ pfctl_show_nat(int dev)
if (pfctl_get_pool(dev, &pr.rule.rpool, nr,
pr.ticket, PF_NAT) != 0)
return (-1);
- print_nat(&pr.rule);
+ print_nat(&pr.rule, opts & PF_OPT_VERBOSE2);
+ pfctl_print_rule_counters(&pr.rule, opts);
pfctl_clear_pool(&pr.rule.rpool);
}
pr.rule.action = PF_RDR;
@@ -598,7 +602,8 @@ pfctl_show_nat(int dev)
if (pfctl_get_pool(dev, &pr.rule.rpool, nr,
pr.ticket, PF_RDR) != 0)
return (-1);
- print_rdr(&pr.rule);
+ print_rdr(&pr.rule, opts & PF_OPT_VERBOSE2);
+ pfctl_print_rule_counters(&pr.rule, opts);
pfctl_clear_pool(&pr.rule.rpool);
}
pr.rule.action = PF_BINAT;
@@ -613,7 +618,8 @@ pfctl_show_nat(int dev)
warn("DIOCGETRULE");
return (-1);
}
- print_binat(&pr.rule);
+ print_binat(&pr.rule, opts & PF_OPT_VERBOSE2);
+ pfctl_print_rule_counters(&pr.rule, opts);
}
return (0);
}
@@ -1298,7 +1304,7 @@ main(int argc, char *argv[])
pfctl_show_rules(dev, opts, 1);
break;
case 'n':
- pfctl_show_nat(dev);
+ pfctl_show_nat(dev, opts);
break;
case 'q':
pfctl_show_altq(dev);
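Review bot: The result of `pfctl_show_nat(dev, opts)` is discarded in the `'n'` case, although the function returns -1 after `warn("DIOCGETRULE")` when the ioctl fails, so a script reading the exit status cannot tell a failed listing from an empty one. The call in the `'a'` case in the next hunk has the same shape. The neighbouring show functions are called the same way, so this looks like the file's convention and not something this commit introduced. main's error handling lies outside the hunk, but if the exit status is meant to reflect failures, the call could be wrapped as `if (pfctl_show_nat(dev, opts) != 0) /* record failure */;`.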
@@ -1317,7 +1323,7 @@ main(int argc, char *argv[])
break;
case 'a':
pfctl_show_rules(dev, opts, 0);
- pfctl_show_nat(dev);
+ pfctl_show_nat(dev, opts);
pfctl_show_altq(dev);
pfctl_show_states(dev, 0, opts);
pfctl_show_status(dev);
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index aeb65573d51..521a7d95526 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.122 2002/12/17 12:36:59 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.123 2002/12/18 19:40:41 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -401,15 +401,15 @@ print_rule(struct pf_rule *r, int verbose)
switch (r->action) {
case PF_NAT:
case PF_NONAT:
- print_nat(r);
+ print_nat(r, verbose);
break;
case PF_BINAT:
case PF_NOBINAT:
- print_binat(r);
+ print_binat(r, verbose);
break;
case PF_RDR:
case PF_NORDR:
- print_rdr(r);
+ print_rdr(r, verbose);
break;
default:
case PF_PASS:
@@ -496,8 +496,10 @@ print_pool(struct pf_pool *pool, u_int16_t p1, u_int16_t p2,
}
void
-print_nat(struct pf_rule *n)
+print_nat(struct pf_rule *n, int verbose)
{
+ if (verbose)
+ printf("@%d ", n->nr);
if (n->anchorname[0])
printf("nat-anchor %s ", n->anchorname);
else {
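Review bot: `printf("@%d ", n->nr)` formats the rule number as a signed int, while pfctl.c in this same commit prints `skip[i].nr` with `%u`. If `nr` is an unsigned 32-bit field (its declaration is not shown on this page), the matching conversion is `printf("@%u ", n->nr);`. The same two lines are added to print_binat and print_rdr in the following hunks, so the note applies there as well. All three function bodies continue outside their hunks.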
@@ -535,8 +537,10 @@ print_nat(struct pf_rule *n)
}
void
-print_binat(struct pf_rule *b)
+print_binat(struct pf_rule *b, int verbose)
{
+ if (verbose)
+ printf("@%d ", b->nr);
if (b->anchorname[0])
printf("binat-anchor %s ", b->anchorname);
else {
@@ -586,8 +590,10 @@ print_binat(struct pf_rule *b)
}
void
-print_rdr(struct pf_rule *r)
+print_rdr(struct pf_rule *r, int verbose)
{
+ if (verbose)
+ printf("@%d ", r->nr);
if (r->anchorname[0])
printf("rdr-anchor %s ", r->anchorname);
else {
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index a58239c387a..4dedd1516b1 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.h,v 1.35 2002/12/18 14:14:09 mcbride Exp $ */
+/* $OpenBSD: pfctl_parser.h,v 1.36 2002/12/18 19:40:41 dhartmei Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -78,9 +78,9 @@ int parse_flags(char *);
void print_filter(struct pf_rule *, int);
void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void print_rule(struct pf_rule *, int);
-void print_nat(struct pf_rule *);
-void print_binat(struct pf_rule *);
-void print_rdr(struct pf_rule *);
+void print_nat(struct pf_rule *, int);
+void print_binat(struct pf_rule *, int);
+void print_rdr(struct pf_rule *, int);
void print_status(struct pf_status *);
struct icmptypeent {