pf: Support clearing ether counters

Allow the evaluations/packets/bytes counters on Ethernet rules to be cleared. Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D31748
2021-02-17 17:24:05 +01:00 · 2021-02-17 17:24:05 +01:00 · 30087aa2e0
commit 30087aa2e0
parent feefb5625b
2 changed files with 23 additions and 7 deletions
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@ -98,7 +98,7 @@ int	 pfctl_get_pool(int, struct pfctl_pool *, u_int32_t, u_int32_t, int,
 	    char *);
 void	 pfctl_print_eth_rule_counters(struct pfctl_eth_rule *, int);
 void	 pfctl_print_rule_counters(struct pfctl_rule *, int);
-int	 pfctl_show_eth_rules(int, int);
+int	 pfctl_show_eth_rules(int, int, enum pfctl_show);
 int	 pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int);
 int	 pfctl_show_nat(int, int, char *);
 int	 pfctl_show_src_nodes(int, int);
@ -1052,7 +1052,7 @@ pfctl_print_title(char *title)
 }

 int
-pfctl_show_eth_rules(int dev, int opts)
+pfctl_show_eth_rules(int dev, int opts, enum pfctl_show format)
 {
 	struct pfctl_eth_rules_info info;
 	struct pfctl_eth_rule rule;
@ -1063,8 +1063,8 @@ pfctl_show_eth_rules(int dev, int opts)
 		return (-1);
 	}
 	for (int nr = 0; nr < info.nr; nr++) {
-		if (pfctl_get_eth_rule(dev, nr, info.ticket, &rule, false)
-		    != 0) {
+		if (pfctl_get_eth_rule(dev, nr, info.ticket, &rule,
+		    opts & PF_OPT_CLRRULECTRS) != 0) {
 			warn("DIOCGETETHRULE");
 			return (-1);
 		}
@ -2640,13 +2640,13 @@ main(int argc, char *argv[])
 			pfctl_show_limits(dev, opts);
 			break;
 		case 'e':
-			pfctl_show_eth_rules(dev, opts);
+			pfctl_show_eth_rules(dev, opts, 0);
 			break;
 		case 'a':
 			opts |= PF_OPT_SHOWALL;
 			pfctl_load_fingerprints(dev, opts);

-			pfctl_show_eth_rules(dev, opts);
+			pfctl_show_eth_rules(dev, opts, 0);

 			pfctl_show_nat(dev, opts, anchorname);
 			pfctl_show_rules(dev, path, opts, 0, anchorname, 0);
@ -2673,9 +2673,11 @@ main(int argc, char *argv[])
 		}
 	}

-	if ((opts & PF_OPT_CLRRULECTRS) && showopt == NULL)
+	if ((opts & PF_OPT_CLRRULECTRS) && showopt == NULL) {
+		pfctl_show_eth_rules(dev, opts, PFCTL_SHOW_NOTHING);
 		pfctl_show_rules(dev, path, opts, PFCTL_SHOW_NOTHING,
 		    anchorname, 0);
+	}

 	if (clearopt != NULL) {
 		if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@ -2555,6 +2555,7 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 		void			*nvlpacked = NULL;
 		struct pf_keth_rule	*rule = NULL;
 		u_int32_t		 ticket, nr;
+		bool			 clear = false;

 #define ERROUT(x)	do { error = (x); goto DIOCGETETHRULE_error; } while (0)

@ -2571,6 +2572,12 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 			ERROUT(EBADMSG);
 		ticket = nvlist_get_number(nvl, "ticket");

+		if (nvlist_exists_bool(nvl, "clear"))
+			clear = nvlist_get_bool(nvl, "clear");
+
+		if (clear && !(flags & FWRITE))
+			ERROUT(EACCES);
+
 		if (! nvlist_exists_number(nvl, "nr"))
 			ERROUT(EBADMSG);
 		nr = nvlist_get_number(nvl, "nr");
@ -2612,6 +2619,13 @@ pfioctl(struct cdev *dev, u_long cmd, caddr_t addr, int flags, struct thread *td
 			ERROUT(ENOSPC);

 		error = copyout(nvlpacked, nv->data, nv->len);
+		if (error == 0 && clear) {
+			counter_u64_zero(rule->evaluations);
+			for (int i = 0; i < 2; i++) {
+				counter_u64_zero(rule->packets[i]);
+				counter_u64_zero(rule->bytes[i]);
+			}
+		}

 #undef ERROUT
 DIOCGETETHRULE_error: