author | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-12-18 19:40:42 +0000 |
---|---|---|
committer | Daniel Hartmeier <dhartmei@cvs.openbsd.org> | 2002-12-18 19:40:42 +0000 |
commit | 1b33c38cd3170b6cdfd4fabac6582b6177177605 (patch) | |
tree | f7cf8354676118fac3304133795fdfd26f5b6b1b /sys/net | |
parent | 29d2e9a7f2313652b63884678ea2b63bd7170c38 (diff) |
Store translation rule pointer in state entries, so pfctl -vsn can print
evaluation, packet, byte and state entry counters similar to -vsr. Helps
verify whether/how often translation rules are evaluated/matched.
ok frantzen@, henning@
Diffstat (limited to 'sys/net')
-rw-r--r-- | sys/net/pf.c | 40 | ||||
-rw-r--r-- | sys/net/pf_ioctl.c | 16 | ||||
-rw-r--r-- | sys/net/pfvar.h | 3 |
3 files changed, 53 insertions, 6 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 8fd60b07c85..b129bb52590 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.276 2002/12/18 18:35:30 dhartmei Exp $ */
+/* $OpenBSD: pf.c,v 1.277 2002/12/18 19:40:41 dhartmei Exp $ */
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -477,6 +477,8 @@ pf_purge_expired_states(void)
 #endif
 			if (cur->state->rule.ptr != NULL)
 				cur->state->rule.ptr->states--;
+			if (cur->state->nat_rule != NULL)
+				cur->state->nat_rule->states--;
 			pool_put(&pf_state_pl, cur->state);
 			pool_put(&pf_tree_pl, cur);
 			pool_put(&pf_tree_pl, peer);
@@ -1928,6 +1930,12 @@ pf_test_tcp(struct pf_rule **rm, int direction, struct ifnet *ifp,
 		rs->states++;
 		s->rule.ptr = rs;
+		if (nat != NULL)
+			s->nat_rule = nat;
+		else if (rdr != NULL)
+			s->nat_rule = rdr;
+		if (s->nat_rule != NULL)
+			s->nat_rule->states++;
 		s->allow_opts = *rm && (*rm)->allow_opts;
 		s->log = *rm && ((*rm)->log & 2);
 		s->proto = IPPROTO_TCP;
@@ -2167,6 +2175,12 @@ pf_test_udp(struct pf_rule **rm, int direction, struct ifnet *ifp,
 		rs->states++;
 		s->rule.ptr = rs;
+		if (nat != NULL)
+			s->nat_rule = nat;
+		else if (rdr != NULL)
+			s->nat_rule = rdr;
+		if (s->nat_rule != NULL)
+			s->nat_rule->states++;
 		s->allow_opts = *rm && (*rm)->allow_opts;
 		s->log = *rm && ((*rm)->log & 2);
 		s->proto = IPPROTO_UDP;
@@ -2407,6 +2421,12 @@ pf_test_icmp(struct pf_rule **rm, int direction, struct ifnet *ifp,
 		rs->states++;
 		s->rule.ptr = rs;
+		if (nat != NULL)
+			s->nat_rule = nat;
+		else if (rdr != NULL)
+			s->nat_rule = rdr;
+		if (s->nat_rule != NULL)
+			s->nat_rule->states++;
 		s->allow_opts = *rm && (*rm)->allow_opts;
 		s->log = *rm && ((*rm)->log & 2);
 		s->proto = pd->proto;
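Review bot: The new nat_rule assignment in the pf_test_tcp hunk has no branch for the case where neither `nat` nor `rdr` matched, so the `if (s->nat_rule != NULL)` that follows reads whatever the freshly allocated state already holds, which is only safe if the state is zeroed after allocation (not visible in this hunk). Writing it as `s->nat_rule = (nat != NULL) ? nat : rdr;` makes the field deterministic and shortens the block. The same six lines are repeated in the pf_test_udp and pf_test_icmp hunks here and in the pf_test_other hunk that follows, and would take the same change. If `nat` and `rdr` can both be non-NULL for one packet, only the nat rule is credited for states, packets and bytes; a comment such as `/* nat takes precedence over rdr for accounting */` would record that. pf_test_tcp's body begins and ends outside the hunk.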
@@ -2594,6 +2614,12 @@ pf_test_other(struct pf_rule **rm, int direction, struct ifnet *ifp,
 		rs->states++;
 		s->rule.ptr = rs;
+		if (nat != NULL)
+			s->nat_rule = nat;
+		else if (rdr != NULL)
+			s->nat_rule = rdr;
+		if (s->nat_rule != NULL)
+			s->nat_rule->states++;
 		s->allow_opts = *rm && (*rm)->allow_opts;
 		s->log = *rm && ((*rm)->log & 2);
 		s->proto = pd->proto;
@@ -3007,6 +3033,10 @@ pf_test_state_tcp(struct pf_state **state, int direction, struct ifnet *ifp,
 		(*state)->rule.ptr->packets++;
 		(*state)->rule.ptr->bytes += pd->tot_len;
 	}
+	if ((*state)->nat_rule != NULL) {
+		(*state)->nat_rule->packets++;
+		(*state)->nat_rule->bytes += pd->tot_len;
+	}
 	return (PF_PASS);
 }
@@ -3074,6 +3104,10 @@ pf_test_state_udp(struct pf_state **state, int direction, struct ifnet *ifp,
 		(*state)->rule.ptr->packets++;
 		(*state)->rule.ptr->bytes += pd->tot_len;
 	}
+	if ((*state)->nat_rule != NULL) {
+		(*state)->nat_rule->packets++;
+		(*state)->nat_rule->bytes += pd->tot_len;
+	}
 	return (PF_PASS);
 }
@@ -3650,6 +3684,10 @@ pf_test_state_other(struct pf_state **state, int direction, struct ifnet *ifp,
 		(*state)->rule.ptr->packets++;
 		(*state)->rule.ptr->bytes += pd->tot_len;
 	}
+	if ((*state)->nat_rule != NULL) {
+		(*state)->nat_rule->packets++;
+		(*state)->nat_rule->bytes += pd->tot_len;
+	}
 	return (PF_PASS);
 }
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 28c08ad989e..420136a43ed 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.28 2002/12/18 18:25:14 henning Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.29 2002/12/18 19:40:41 dhartmei Exp $ */
 /*
  * Copyright (c) 2001 Daniel Hartmeier
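Review bot: The nat_rule packet and byte accounting added to pf_test_state_tcp, pf_test_state_udp and pf_test_state_other has no counterpart for ICMP states, although the pf_test_icmp hunk sets nat_rule and increments its state counter; if pf_test_state_icmp does the rule.ptr packet/byte accounting the way these three do (it is outside this diff), the nat rule's packet and byte counters for ICMP states stay at zero while its state count grows. The three identical four-line blocks could be one `static` helper taking a `struct pf_rule *` and the byte count, which would make such an omission visible as a missing call. The pf_test_state_* bodies begin outside their hunks.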
@@ -609,8 +609,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 			 * Rules are about to get freed, clear rule pointers in states
 			 */
 			if (ruleset == &pf_main_ruleset) {
-				RB_FOREACH(n, pf_state_tree, &tree_ext_gwy)
-					n->state->rule.ptr = NULL;
+				if (rs_num == PF_RULESET_RULE)
+					RB_FOREACH(n, pf_state_tree, &tree_ext_gwy)
+						n->state->rule.ptr = NULL;
+				else
+					RB_FOREACH(n, pf_state_tree, &tree_ext_gwy)
+						n->state->nat_rule = NULL;
 			}
 			old_rules = ruleset->rules[rs_num].active.ptr;
 			ruleset->rules[rs_num].active.ptr =
@@ -797,9 +801,12 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 			struct pf_tree_node *n;
 			if (ruleset == &pf_main_ruleset) {
-				RB_FOREACH(n, pf_state_tree, &tree_ext_gwy)
+				RB_FOREACH(n, pf_state_tree, &tree_ext_gwy) {
 					if (n->state->rule.ptr == oldrule)
 						n->state->rule.ptr = NULL;
+					if (n->state->nat_rule == oldrule)
+						n->state->nat_rule = NULL;
+				}
 			}
 			pf_rm_rule(ruleset->rules[rs_num].active.ptr, oldrule);
 		} else {
@@ -887,6 +894,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 		s = splsoftnet();
 		bcopy(&ps->state, state, sizeof(struct pf_state));
 		state->rule.ptr = NULL;
+		state->nat_rule = NULL;
 		state->creation = time.tv_sec;
 		state->expire += state->creation;
 		state->packets = 0;
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 8775c081690..55c613b750f 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.114 2002/12/18 19:04:38 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.115 2002/12/18 19:40:41 dhartmei Exp $ */
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -385,6 +385,7 @@ struct pf_state {
 		struct pf_rule		*ptr;
 		u_int32_t		 nr;
 	} rule;
+	struct pf_rule		*nat_rule;
 	struct pf_addr	 rt_addr;
 	struct ifnet	*rt_ifp;
 	u_int32_t	 creation; |
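Review bot: The nat_rule clearing added in the rules-commit path is, like the existing rule.ptr clearing, only done when `ruleset == &pf_main_ruleset`; if a state can hold a pointer to a translation rule from another ruleset (not decidable from this hunk), replacing that ruleset frees the rule while states still point to it, and the `nat_rule->packets++` and `nat_rule->bytes +=` in pf_test_state_* then write to freed memory. The else branch also clears nat_rule for every ruleset number other than PF_RULESET_RULE, so committing a ruleset that holds no translation rules (if rs_num covers such types) resets the per-rule state accounting of all nat and rdr rules without need; restricting the else to the translation ruleset numbers keeps the counters intact. The enclosing pfioctl switch case begins outside the hunk.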
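Review bot: `nat_rule` is added to struct pf_state as a bare kernel pointer, whereas the existing `rule` member is a union with `nr` so the pointer can be swapped for a rule number before a state is copied to userland; if the DIOCGETSTATES/DIOCGETSTATE handlers (outside this diff) copy the struct out unchanged, the new field exposes a kernel address to any process that can open the pf device and carries no value pfctl can use. Nulling it in the copy-out path, as the @@ -887 hunk already does on the way in, or giving it the same union-with-nr shape as `rule`, would close that. The struct also grows, so pfctl and anything else built against the old header must be rebuilt with it. struct pf_state starts outside the hunk.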