authorHenning Brauer <henning@cvs.openbsd.org>2009-12-14 12:31:46 +0000
committerHenning Brauer <henning@cvs.openbsd.org>2009-12-14 12:31:46 +0000
commit4f35e8f6a0e5a588652214cff0b402cdcddff9ad (patch)
tree2719c4331751ddb27b59edea2b6165cf3f0b5513 /sbin/pfctl
parent05813d26aa0af17535ea41acf9b69bfc2f3feefa (diff)
fix sticky-address - by pretty much re-implementing it. still following
the original approach using a source tracking node. the reimplementation is more flexible than the original one, we now have an slist of source tracking nodes per state. that is cheap because more than one entry will be an absolute exception. ok beck and jsg, also stress tested by Sebastian Benoit <benoit-lists at fb12.de>
Diffstat (limited to 'sbin/pfctl')
-rw-r--r--sbin/pfctl/pfctl_parser.c28
1 files changed, 17 insertions, 11 deletions
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 99c5b04164e..04c05d56ba8 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_parser.c,v 1.252 2009/11/23 21:29:21 henning Exp $ */
+/* $OpenBSD: pfctl_parser.c,v 1.253 2009/12/14 12:31:45 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -619,9 +619,20 @@ print_src_node(struct pf_src_node *sn, int opts)
aw.v.a.addr = sn->addr;
print_addr(&aw, sn->af, opts & PF_OPT_VERBOSE2);
- printf(" -> ");
- aw.v.a.addr = sn->raddr;
- print_addr(&aw, sn->af, opts & PF_OPT_VERBOSE2);
+
+ if (!PF_AZERO(&sn->raddr, sn->af)) {
+ if (sn->type == PF_SN_NAT)
+ printf(" nat-to ");
+ else if (sn->type == PF_SN_RDR)
+ printf(" rdr-to ");
+ else if (sn->type == PF_SN_ROUTE)
+ printf(" route-to ");
+ else
+ printf(" ??? (%u) ", sn->type);
+ aw.v.a.addr = sn->raddr;
+ print_addr(&aw, sn->af, opts & PF_OPT_VERBOSE2);
+ }
+
printf(" ( states %u, connections %u, rate %u.%u/%us )\n", sn->states,
sn->conn, sn->conn_rate.count / 1000,
(sn->conn_rate.count % 1000) / 100, sn->conn_rate.seconds);
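Review bot: The fallback branch `printf(" ??? (%u) ", sn->type);` puts a placeholder into output that operators read when auditing source-tracking entries, and nothing in the code says when it can be reached. A comment on that branch would help, for example `/* type unknown to this pfctl; kernel and userland may be out of sync */`, if that is indeed the only way to get there. The `else if` chain on `sn->type` would also read more clearly as a `switch` with a `default`. print_src_node starts and ends outside this hunk, so the declaration of `type` is not visible here; `%u` should be checked against it.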
@@ -642,13 +653,8 @@ print_src_node(struct pf_src_node *sn, int opts)
printf(", %llu pkts, %llu bytes",
sn->packets[0] + sn->packets[1],
sn->bytes[0] + sn->bytes[1]);
- switch (sn->ruletype) {
- case PF_PASS:
- case PF_MATCH:
- if (sn->rule.nr != -1)
- printf(", filter rule %u", sn->rule.nr);
- break;
- }
+ if (sn->rule.nr != -1)
+ printf(", rule %u", sn->rule.nr);
printf("\n");
}
}
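Review bot: The test `sn->rule.nr != -1` compares the field with a signed literal while the next line prints it with `%u`, so the sentinel only matches if `rule.nr` is an unsigned type at least as wide as int. Its declaration is outside this hunk. With the `ruletype` switch removed, this test is now the only guard on the rule number, so it is worth making explicit. Either cast the `-1` to the field's declared type or add a comment such as `/* -1 means no rule is attached */`, if that is the intended meaning.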