From ac8f01f7ad3b7eec3350e296c1c485403cc9878b Mon Sep 17 00:00:00 2001
From: Marco Pfatschbacher
Date: Fri, 9 May 2008 13:59:32 +0000
Subject: Add support to kill states by rule label or state id. Fix printing of the state id in pfctl -ss -vv. Remove the psnk_af hack to return the number of killed states. OK markus, beck. "I like it" henning, deraadt. Manpage help from jmc.
---
 sys/net/pf_ioctl.c | 31 ++++++++++++++++++++++++-------
 sys/net/pfvar.h | 8 +++++---
 2 files changed, 29 insertions(+), 10 deletions(-)
(limited to 'sys/net')
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 50b319a9b9f..5243d3aea4e 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.195 2008/05/06 03:45:22 mpf Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.196 2008/05/09 13:59:31 mpf Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -1557,7 +1557,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 case DIOCCLRSTATES: {
 struct pf_state *s, *nexts;
 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
- int killed = 0;
+ u_int killed = 0;
 
 for (s = RB_MIN(pf_state_tree_id, &tree_id); s; s = nexts) {
 nexts = RB_NEXT(pf_state_tree_id, &tree_id, s);
@@ -1572,7 +1572,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 killed++;
 }
 }
- psk->psk_af = killed;
+ psk->psk_killed = killed;
 #if NPFSYNC
 pfsync_clear_states(pf_status.hostid, psk->psk_ifname);
 #endif
@@ -1584,7 +1584,22 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 struct pf_state_key *sk;
 struct pf_state_host *src, *dst;
 struct pfioc_state_kill *psk = (struct pfioc_state_kill *)addr;
- int killed = 0;
+ u_int killed = 0;
+
+ if (psk->psk_pfcmp.id) {
+ if (psk->psk_pfcmp.creatorid == 0)
+ psk->psk_pfcmp.creatorid = pf_status.hostid;
+ if ((s = pf_find_state_byid(&psk->psk_pfcmp))) {
+#if NPFSYNC > 0
+ /* send immediate delete of state */
+ pfsync_delete_state(s);
+ s->sync_flags |= PFSTATE_NOSYNC;
+#endif
+ pf_unlink_state(s);
+ psk->psk_killed = 1;
+ }
+ break;
+ }
 
 for (s = RB_MIN(pf_state_tree_id, &tree_id); s;
 s = nexts) {
@@ -1617,6 +1632,8 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 pf_match_port(psk->psk_dst.port_op,
 psk->psk_dst.port[0], psk->psk_dst.port[1],
 dst->port)) &&
+ (!psk->psk_label[0] || (s->rule.ptr->label[0] &&
+ !strcmp(psk->psk_label, s->rule.ptr->label))) &&
 (!psk->psk_ifname[0] || !strcmp(psk->psk_ifname,
 s->kif->pfik_name))) {
 #if NPFSYNC > 0
@@ -1628,7 +1645,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 killed++;
 }
 }
- psk->psk_af = killed;
+ psk->psk_killed = killed;
 break;
 }
 
@@ -2852,7 +2869,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 struct pf_state *s;
 struct pfioc_src_node_kill *psnk = \
 (struct pfioc_src_node_kill *) addr;
- int killed = 0;
+ u_int killed = 0;
 
 RB_FOREACH(sn, pf_src_tree, &tree_src_tracking) {
 if (PF_MATCHA(psnk->psnk_src.neg, \
@@ -2882,7 +2899,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
 if (killed > 0)
 pf_purge_expired_src_nodes(1);
 
- psnk->psnk_af = killed;
+ psnk->psnk_killed = killed;
 break;
 }
 
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index 340071c3577..d9e27c57787 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
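Review bot: On the new kill-by-id path in the DIOCKILLSTATES hunk, `psk->psk_killed` is only written when `pf_find_state_byid()` succeeds; when the id does not match, the code hits `break;` without touching it, so the value copied back to userland is whatever the caller passed in rather than 0. The loop path below does not have this gap because it always ends in `psk->psk_killed = killed;`. A one-line reset before the lookup closes it: `psk->psk_killed = 0;` (placed just before `if ((s = pf_find_state_byid(&psk->psk_pfcmp))) {`), or alternatively `psk->psk_killed = killed;` before the `break;`. pfioctl and the DIOCKILLSTATES case both start before and end after this hunk.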
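Review bot: The added `!strcmp(psk->psk_label, s->rule.ptr->label)` in the -1617 hunk assumes the label copied in from userland is NUL-terminated, but `psk_label` is a fixed `char[PF_RULE_LABEL_SIZE]` array and nothing visible in these hunks terminates it, so an unterminated buffer lets the compare read past the array into the following members. The existing `psk_ifname` compare has the same shape, so the pattern is not new, but a rule label is free text chosen by the user and worth bounding in the kernel rather than trusting pfctl to zero the struct. One line before the loop does it: `psk->psk_label[sizeof(psk->psk_label) - 1] = '\0';`. Whether `s->rule.ptr` can ever be NULL for a state in the tree is not visible here; if it can, the `s->rule.ptr->label[0]` guard needs a NULL check in front of it. The enclosing condition and the case body extend beyond this hunk on both sides.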
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.265 2008/05/09 02:44:54 markus Exp $ */
+/* $OpenBSD: pfvar.h,v 1.266 2008/05/09 13:59:31 mpf Exp $ */
 
 /*
 * Copyright (c) 2001 Daniel Hartmeier
@@ -1351,19 +1351,21 @@ struct pfioc_state {
 };
 
 struct pfioc_src_node_kill {
- /* XXX returns the number of src nodes killed in psnk_af */
 sa_family_t psnk_af;
 struct pf_rule_addr psnk_src;
 struct pf_rule_addr psnk_dst;
+ u_int psnk_killed;
 };
 
 struct pfioc_state_kill {
- /* XXX returns the number of states killed in psk_af */
+ struct pf_state_cmp psk_pfcmp;
 sa_family_t psk_af;
 int psk_proto;
 struct pf_rule_addr psk_src;
 struct pf_rule_addr psk_dst;
 char psk_ifname[IFNAMSIZ];
+ char psk_label[PF_RULE_LABEL_SIZE];
+ u_int psk_killed;
 };
 
 struct pfioc_states {
-- 
cgit v1.2.3
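Review bot: The new `psk_pfcmp`, `psk_label` and `psk_killed` members of `struct pfioc_state_kill` carry no comment saying which are inputs and which is the result, while the hunk deletes the `XXX returns the number of states killed in psk_af` note that was the only documentation of the out-parameter; the same applies to `psnk_killed` in `struct pfioc_src_node_kill`. Suggested comments: `/* in: if psk_pfcmp.id != 0, kill only that state and ignore the other filters */` on `psk_pfcmp`, `/* in: match on rule label, empty matches any */` on `psk_label`, and `/* out: number of states (src nodes) killed */` on `psk_killed` and `psnk_killed`. It is also worth a note that `psk_pfcmp` is inserted at the front of the struct, which changes its size and layout; if the DIOCKILLSTATES/DIOCCLRSTATES request codes encode the struct size, as BSD _IOWR macros usually do, an old pfctl against a new kernel will fail at the ioctl rather than misinterpret the fields, which is presumably the intent.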