summaryrefslogtreecommitdiff
path: root/pfctl/pfctl.c
diff options
context:
space:
mode:
Diffstat (limited to 'pfctl/pfctl.c')
-rw-r--r--pfctl/pfctl.c132
1 files changed, 93 insertions, 39 deletions
diff --git a/pfctl/pfctl.c b/pfctl/pfctl.c
index 3829f2cb413f9..f01b6a92717f8 100644
--- a/pfctl/pfctl.c
+++ b/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.273 2008/02/13 19:55:12 kettenis Exp $ */
+/* $OpenBSD: pfctl.c,v 1.277 2008/07/24 10:52:43 henning Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -68,7 +68,9 @@ int pfctl_clear_src_nodes(int, int);
int pfctl_clear_states(int, const char *, int);
void pfctl_addrprefix(char *, struct pf_addr *);
int pfctl_kill_src_nodes(int, const char *, int);
-int pfctl_kill_states(int, const char *, int);
+int pfctl_net_kill_states(int, const char *, int);
+int pfctl_label_kill_states(int, const char *, int);
+int pfctl_id_kill_states(int, const char *, int);
void pfctl_init_options(struct pfctl *);
int pfctl_load_options(struct pfctl *);
int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
@@ -229,7 +231,7 @@ usage(void)
fprintf(stderr, "usage: %s [-AdeghmNnOqRrvz] ", __progname);
fprintf(stderr, "[-a anchor] [-D macro=value] [-F modifier]\n");
fprintf(stderr, "\t[-f file] [-i interface] [-K host | network] ");
- fprintf(stderr, "[-k host | network]\n");
+ fprintf(stderr, "[-k host | network | label | id]\n");
fprintf(stderr, "\t[-o level] [-p device] [-s modifier]\n");
fprintf(stderr, "\t[-t table -T command [address ...]] [-x level]\n");
exit(1);
@@ -376,7 +378,7 @@ pfctl_clear_states(int dev, const char *iface, int opts)
if (ioctl(dev, DIOCCLRSTATES, &psk))
err(1, "DIOCCLRSTATES");
if ((opts & PF_OPT_QUIET) == 0)
- fprintf(stderr, "%d states cleared\n", psk.psk_af);
+ fprintf(stderr, "%d states cleared\n", psk.psk_killed);
return (0);
}
@@ -515,17 +517,13 @@ pfctl_kill_src_nodes(int dev, const char *iface, int opts)
if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
err(1, "DIOCKILLSRCNODES");
- killed += psnk.psnk_af;
- /* fixup psnk.psnk_af */
- psnk.psnk_af = resp[1]->ai_family;
+ killed += psnk.psnk_killed;
}
freeaddrinfo(res[1]);
} else {
if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
err(1, "DIOCKILLSRCNODES");
- killed += psnk.psnk_af;
- /* fixup psnk.psnk_af */
- psnk.psnk_af = res[0]->ai_family;
+ killed += psnk.psnk_killed;
}
}
@@ -538,7 +536,7 @@ pfctl_kill_src_nodes(int dev, const char *iface, int opts)
}
int
-pfctl_kill_states(int dev, const char *iface, int opts)
+pfctl_net_kill_states(int dev, const char *iface, int opts)
{
struct pfioc_state_kill psk;
struct addrinfo *res[2], *resp[2];
@@ -625,17 +623,13 @@ pfctl_kill_states(int dev, const char *iface, int opts)
if (ioctl(dev, DIOCKILLSTATES, &psk))
err(1, "DIOCKILLSTATES");
- killed += psk.psk_af;
- /* fixup psk.psk_af */
- psk.psk_af = resp[1]->ai_family;
+ killed += psk.psk_killed;
}
freeaddrinfo(res[1]);
} else {
if (ioctl(dev, DIOCKILLSTATES, &psk))
err(1, "DIOCKILLSTATES");
- killed += psk.psk_af;
- /* fixup psk.psk_af */
- psk.psk_af = res[0]->ai_family;
+ killed += psk.psk_killed;
}
}
@@ -648,6 +642,68 @@ pfctl_kill_states(int dev, const char *iface, int opts)
}
int
+pfctl_label_kill_states(int dev, const char *iface, int opts)
+{
+ struct pfioc_state_kill psk;
+
+ if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
+ warnx("no label specified");
+ usage();
+ }
+ memset(&psk, 0, sizeof(psk));
+ if (iface != NULL && strlcpy(psk.psk_ifname, iface,
+ sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
+ errx(1, "invalid interface: %s", iface);
+
+ if (strlcpy(psk.psk_label, state_kill[1], sizeof(psk.psk_label)) >=
+ sizeof(psk.psk_label))
+ errx(1, "label too long: %s", state_kill[1]);
+
+ if (ioctl(dev, DIOCKILLSTATES, &psk))
+ err(1, "DIOCKILLSTATES");
+
+ if ((opts & PF_OPT_QUIET) == 0)
+ fprintf(stderr, "killed %d states\n", psk.psk_killed);
+
+ return (0);
+}
+
+int
+pfctl_id_kill_states(int dev, const char *iface, int opts)
+{
+ struct pfioc_state_kill psk;
+
+ if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
+ warnx("no id specified");
+ usage();
+ }
+
+ memset(&psk, 0, sizeof(psk));
+ if ((sscanf(state_kill[1], "%llx/%x",
+ &psk.psk_pfcmp.id, &psk.psk_pfcmp.creatorid)) == 2)
+ HTONL(psk.psk_pfcmp.creatorid);
+ else if ((sscanf(state_kill[1], "%llx", &psk.psk_pfcmp.id)) == 1) {
+ psk.psk_pfcmp.creatorid = 0;
+ } else {
+ warnx("wrong id format specified");
+ usage();
+ }
+ if (psk.psk_pfcmp.id == 0) {
+ warnx("cannot kill id 0");
+ usage();
+ }
+
+ psk.psk_pfcmp.id = htobe64(psk.psk_pfcmp.id);
+ if (ioctl(dev, DIOCKILLSTATES, &psk))
+ err(1, "DIOCKILLSTATES");
+
+ if ((opts & PF_OPT_QUIET) == 0)
+ fprintf(stderr, "killed %d states\n", psk.psk_killed);
+
+ return (0);
+}
+
+int
pfctl_get_pool(int dev, struct pf_pool *pool, u_int32_t nr,
u_int32_t ticket, int r_action, char *anchorname)
{
@@ -734,10 +790,12 @@ pfctl_print_rule_counters(struct pf_rule *rule, int opts)
(unsigned long long)(rule->packets[0] +
rule->packets[1]),
(unsigned long long)(rule->bytes[0] +
- rule->bytes[1]), rule->states);
+ rule->bytes[1]), rule->states_cur);
if (!(opts & PF_OPT_DEBUG))
- printf(" [ Inserted: uid %u pid %u ]\n",
- (unsigned)rule->cuid, (unsigned)rule->cpid);
+ printf(" [ Inserted: uid %u pid %u "
+ "State Creations: %-6u]\n",
+ (unsigned)rule->cuid, (unsigned)rule->cpid,
+ rule->states_tot);
}
}
@@ -804,19 +862,6 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
switch (format) {
case PFCTL_SHOW_LABELS:
- if (pr.rule.label[0]) {
- printf("%s ", pr.rule.label);
- printf("%llu %llu %llu %llu %llu %llu %llu\n",
- (unsigned long long)pr.rule.evaluations,
- (unsigned long long)(pr.rule.packets[0] +
- pr.rule.packets[1]),
- (unsigned long long)(pr.rule.bytes[0] +
- pr.rule.bytes[1]),
- (unsigned long long)pr.rule.packets[0],
- (unsigned long long)pr.rule.bytes[0],
- (unsigned long long)pr.rule.packets[1],
- (unsigned long long)pr.rule.bytes[1]);
- }
break;
case PFCTL_SHOW_RULES:
if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
@@ -850,8 +895,9 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
switch (format) {
case PFCTL_SHOW_LABELS:
if (pr.rule.label[0]) {
- printf("%s ", pr.rule.label);
- printf("%llu %llu %llu %llu %llu %llu %llu\n",
+ printf("%s %llu %llu %llu %llu"
+ " %llu %llu %llu %llu\n",
+ pr.rule.label,
(unsigned long long)pr.rule.evaluations,
(unsigned long long)(pr.rule.packets[0] +
pr.rule.packets[1]),
@@ -860,7 +906,8 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
(unsigned long long)pr.rule.packets[0],
(unsigned long long)pr.rule.bytes[0],
(unsigned long long)pr.rule.packets[1],
- (unsigned long long)pr.rule.bytes[1]);
+ (unsigned long long)pr.rule.bytes[1],
+ (unsigned long long)pr.rule.states_tot);
}
break;
case PFCTL_SHOW_RULES:
@@ -1526,7 +1573,8 @@ pfctl_init_options(struct pfctl *pf)
mib[0] = CTL_HW;
mib[1] = HW_PHYSMEM64;
size = sizeof(mem);
- (void) sysctl(mib, 2, &mem, &size, NULL, 0);
+ if (sysctl(mib, 2, &mem, &size, NULL, 0) == -1)
+ err(1, "sysctl");
if (mem <= 100*1024*1024)
pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL;
@@ -2256,8 +2304,14 @@ main(int argc, char *argv[])
break;
}
}
- if (state_killers)
- pfctl_kill_states(dev, ifaceopt, opts);
+ if (state_killers) {
+ if (!strcmp(state_kill[0], "label"))
+ pfctl_label_kill_states(dev, ifaceopt, opts);
+ else if (!strcmp(state_kill[0], "id"))
+ pfctl_id_kill_states(dev, ifaceopt, opts);
+ else
+ pfctl_net_kill_states(dev, ifaceopt, opts);
+ }
if (src_node_killers)
pfctl_kill_src_nodes(dev, ifaceopt, opts);
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-18 21:55:32 +0000