authorMarco Pfatschbacher <mpf@cvs.openbsd.org>2008-05-06 03:45:23 +0000
committerMarco Pfatschbacher <mpf@cvs.openbsd.org>2008-05-06 03:45:23 +0000
commit52aca7715fbb9cd6060bc34753ee23c8682629a2 (patch)
tree101eeb6367095e3a476679cf82d4d9f13b035b8b /sys/net
parent60c2728fe21cc9532441ef9e7c148a77f3e018f4 (diff)
Add a counter to record how many states have been created by a rule.
It shows up in pfctl verbose mode and in the 7th field of the labels output. Also remove the label printing for scrub rules, as they do not support labels. OK dhartmei@ (on an earlier version), henning@, mcbride@
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/if_pfsync.c9
-rw-r--r--sys/net/pf.c35
-rw-r--r--sys/net/pf_ioctl.c13
-rw-r--r--sys/net/pfvar.h5
4 files changed, 35 insertions, 27 deletions
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 2d3d3e4443a..537549b2c9f 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.89 2008/01/12 17:08:33 mpf Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.90 2008/05/06 03:45:21 mpf Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -268,7 +268,7 @@ pfsync_insert_net_state(struct pfsync_state *sp, u_int8_t chksum_flag)
else
r = &pf_default_rule;
- if (!r->max_states || r->states < r->max_states)
+ if (!r->max_states || r->states_cur < r->max_states)
st = pool_get(&pf_state_pl, PR_NOWAIT);
if (st == NULL) {
pfi_kif_unref(kif, PFI_KIF_REF_NONE);
@@ -297,7 +297,8 @@ pfsync_insert_net_state(struct pfsync_state *sp, u_int8_t chksum_flag)
/* XXX get pointers to nat_rule and anchor */
/* XXX when we have nat_rule/anchors, use STATE_INC_COUNTERS */
- r->states++;
+ r->states_cur++;
+ r->states_tot++;
/* fill in the rest of the state entry */
pf_state_host_ntoh(&sp->lan, &sk->lan);
@@ -325,7 +326,7 @@ pfsync_insert_net_state(struct pfsync_state *sp, u_int8_t chksum_flag)
if (pf_insert_state(kif, st)) {
pfi_kif_unref(kif, PFI_KIF_REF_NONE);
/* XXX when we have nat_rule/anchors, use STATE_DEC_COUNTERS */
- r->states--;
+ r->states_cur--;
if (st->dst.scrub)
pool_put(&pf_state_scrub_pl, st->dst.scrub);
if (st->src.scrub)
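Review bot: The failure path at `r->states_cur--` leaves states_tot incremented for a state that was never inserted, so a pf_insert_state() failure on a state learned from a pfsync peer is still reported as a state created by the rule. If the counter is meant to count states that actually existed, add `r->states_tot--;` next to `r->states_cur--;`; if counting attempts is the intent, a one-line comment saying so would keep the next reader from flagging it. pf.c's STATE_DEC_COUNTERS in this same commit also never touches states_tot, so whichever semantics is chosen should be applied in both places. pfsync_insert_net_state starts and ends outside the hunk.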
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 957320be3c3..a51badfdb6f 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.568 2008/05/05 13:00:43 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.569 2008/05/06 03:45:21 mpf Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -267,20 +267,25 @@ struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
#define STATE_INC_COUNTERS(s) \
do { \
- s->rule.ptr->states++; \
- if (s->anchor.ptr != NULL) \
- s->anchor.ptr->states++; \
- if (s->nat_rule.ptr != NULL) \
- s->nat_rule.ptr->states++; \
+ s->rule.ptr->states_cur++; \
+ s->rule.ptr->states_tot++; \
+ if (s->anchor.ptr != NULL) { \
+ s->anchor.ptr->states_cur++; \
+ s->anchor.ptr->states_tot++; \
+ } \
+ if (s->nat_rule.ptr != NULL) { \
+ s->nat_rule.ptr->states_cur++; \
+ s->nat_rule.ptr->states_tot++; \
+ } \
} while (0)
#define STATE_DEC_COUNTERS(s) \
do { \
if (s->nat_rule.ptr != NULL) \
- s->nat_rule.ptr->states--; \
+ s->nat_rule.ptr->states_cur--; \
if (s->anchor.ptr != NULL) \
- s->anchor.ptr->states--; \
- s->rule.ptr->states--; \
+ s->anchor.ptr->states_cur--; \
+ s->rule.ptr->states_cur--; \
} while (0)
static __inline int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
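Review bot: STATE_INC_COUNTERS and STATE_DEC_COUNTERS are now intentionally asymmetric — the increment bumps both states_cur and states_tot while the decrement only lowers states_cur — but nothing in the code says so; a comment above STATE_DEC_COUNTERS such as `/* states_tot is a lifetime count and is never decremented */` would make the contract explicit. As a style point, the macro argument is used unparenthesized (`s->rule.ptr`), which only works for a plain identifier; `(s)->rule.ptr` is the usual defensive form. Both macros are complete within the hunk.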
@@ -913,7 +918,7 @@ pf_state_expires(const struct pf_state *state)
start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
if (start) {
end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
- states = state->rule.ptr->states;
+ states = state->rule.ptr->states_cur;
} else {
start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
@@ -947,7 +952,7 @@ pf_purge_expired_src_nodes(int waslocked)
}
if (cur->rule.ptr != NULL) {
cur->rule.ptr->src_nodes--;
- if (cur->rule.ptr->states <= 0 &&
+ if (cur->rule.ptr->states_cur <= 0 &&
cur->rule.ptr->max_src_nodes <= 0)
pf_rm_rule(NULL, cur->rule.ptr);
}
@@ -1023,15 +1028,15 @@ pf_free_state(struct pf_state *cur)
return;
#endif
KASSERT(cur->timeout == PFTM_UNLINKED);
- if (--cur->rule.ptr->states <= 0 &&
+ if (--cur->rule.ptr->states_cur <= 0 &&
cur->rule.ptr->src_nodes <= 0)
pf_rm_rule(NULL, cur->rule.ptr);
if (cur->nat_rule.ptr != NULL)
- if (--cur->nat_rule.ptr->states <= 0 &&
+ if (--cur->nat_rule.ptr->states_cur <= 0 &&
cur->nat_rule.ptr->src_nodes <= 0)
pf_rm_rule(NULL, cur->nat_rule.ptr);
if (cur->anchor.ptr != NULL)
- if (--cur->anchor.ptr->states <= 0)
+ if (--cur->anchor.ptr->states_cur <= 0)
pf_rm_rule(NULL, cur->anchor.ptr);
pf_normalize_tcp_cleanup(cur);
pfi_kif_unref(cur->kif, PFI_KIF_REF_STATE);
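Review bot: `--cur->rule.ptr->states_cur <= 0` (and the nat_rule and anchor checks below it) compares an unsigned field — states_cur is declared u_int32_t in the pfvar.h hunk of this commit — so `<= 0` can only ever mean `== 0`, and an unbalanced decrement wraps to UINT32_MAX rather than going negative, after which the rule is never freed. The comparison predates the rename, but since every use of the counter is being rewritten here, `== 0` states the real condition and removes the false suggestion that underflow is caught. pf_free_state starts and ends outside the hunk.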
@@ -3328,7 +3333,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
struct pf_src_node *sn = NULL;
/* check maximums */
- if (r->max_states && (r->states >= r->max_states)) {
+ if (r->max_states && (r->states_cur >= r->max_states)) {
pf_status.lcounters[LCNT_STATES]++;
REASON_SET(&reason, PFRES_MAXSTATES);
goto cleanup;
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 16032abb727..50b319a9b9f 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.194 2008/05/06 03:24:25 weingart Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.195 2008/05/06 03:45:22 mpf Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -309,7 +309,7 @@ void
pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
{
if (rulequeue != NULL) {
- if (rule->states <= 0) {
+ if (rule->states_cur <= 0) {
/*
* XXX - we need to remove the table *before* detaching
* the rule to make sure the table code does not delete
@@ -325,7 +325,7 @@ pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
rule->nr = -1;
}
- if (rule->states > 0 || rule->src_nodes > 0 ||
+ if (rule->states_cur > 0 || rule->src_nodes > 0 ||
rule->entries.tqe_prev != NULL)
return;
pf_tag_unref(rule->tag);
@@ -1148,7 +1148,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
rule->kif = NULL;
TAILQ_INIT(&rule->rpool.list);
/* initialize refcounting */
- rule->states = 0;
+ rule->states_cur = 0;
rule->src_nodes = 0;
rule->entries.tqe_prev = NULL;
#ifndef INET
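Review bot: `rule->states_cur = 0` resets the live count but states_tot is left untouched, so if `rule` was populated by copying the userland-supplied pf_rule (as the "initialize refcounting" block just above suggests), the new lifetime counter starts at whatever value the caller passed rather than zero. Add `rule->states_tot = 0;` beside `rule->states_cur = 0;` so the kernel, not the caller, owns the counter's initial value. The enclosing ioctl case continues outside the hunk.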
@@ -1335,6 +1335,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
rule->evaluations = 0;
rule->packets[0] = rule->packets[1] = 0;
rule->bytes[0] = rule->bytes[1] = 0;
+ rule->states_tot = 0;
}
break;
}
@@ -1395,7 +1396,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
newrule->cpid = p->p_pid;
TAILQ_INIT(&newrule->rpool.list);
/* initialize refcounting */
- newrule->states = 0;
+ newrule->states_cur = 0;
newrule->entries.tqe_prev = NULL;
#ifndef INET
if (newrule->af == AF_INET) {
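Review bot: `newrule->states_cur = 0` is reset here but states_tot is not, so a replacement rule inherits whatever states_tot value arrived in the userland copy of the struct instead of starting from zero. Add `newrule->states_tot = 0;` next to it, mirroring whatever is done in the add-rule path. The enclosing ioctl case starts and ends outside the hunk.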
@@ -1668,7 +1669,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
error = EEXIST;
break;
}
- pf_default_rule.states++;
+ pf_default_rule.states_cur++;
break;
}
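Review bot: `pf_default_rule.states_cur++` bumps only the live count, whereas the equivalent pfsync path in this commit (pfsync_insert_net_state) increments both states_cur and states_tot when it attaches a state to a rule; a state inserted through this ioctl is therefore never reflected in the default rule's created-states total. Add `pf_default_rule.states_tot++;` after it, unless states added from userland are deliberately excluded, in which case a short comment should say so. The enclosing ioctl case starts outside the hunk.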
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index d063b4fdf63..a78efc35421 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.260 2008/05/05 13:00:43 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.261 2008/05/06 03:45:22 mpf Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -538,7 +538,8 @@ struct pf_rule {
int rtableid;
u_int32_t timeout[PFTM_MAX];
- u_int32_t states;
+ u_int32_t states_cur;
+ u_int32_t states_tot;
u_int32_t max_states;
u_int32_t src_nodes;
u_int32_t max_src_nodes;
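Review bot: The two counters have different semantics — states_cur goes up and down with live states, states_tot only grows and is reset only by the counter-clearing ioctl — but the struct gives no hint of that; trailing comments such as `u_int32_t states_cur; /* live states, decremented on free */` and `u_int32_t states_tot; /* states ever created, never decremented */` would document it. Inserting the field also changes the size and offsets of struct pf_rule, which crosses the ioctl boundary to pfctl, so userland must be rebuilt in lockstep; that is worth stating in the commit message. A 32-bit lifetime counter will wrap on a busy rule, and if the other lifetime counters this commit clears alongside it (evaluations, packets, bytes) are 64-bit, states_tot should probably match them. struct pf_rule starts and ends outside the hunk.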