pfctl: Fix clearing rules counters

After the migration to libpfctl for rule retrieval we accidentally lost support for clearing the rules counters. Introduce a get_clear variant of pfctl_get_rule() which allows rules counters to be cleared. MFC after: 4 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D29727
2021-04-12 17:23:33 +02:00 · 2021-04-12 17:23:33 +02:00 · 4eabfe468b
commit 4eabfe468b
parent 6db169e920
3 changed files with 18 additions and 6 deletions
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@ -507,6 +507,14 @@ pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor,
 int
 pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor,
    u_int32_t ruleset, struct pfctl_rule *rule, char *anchor_call)
+{
+	return (pfctl_get_clear_rule(dev, nr, ticket, anchor, ruleset, rule,
+	    anchor_call, false));
+}
+
+int	pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket,
+	    const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
+	    char *anchor_call, bool clear)
 {
 	struct pfioc_nv nv;
 	nvlist_t *nvl;
@ -522,6 +530,9 @@ pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor,
 	nvlist_add_string(nvl, "anchor", anchor);
 	nvlist_add_number(nvl, "ruleset", ruleset);

+	if (clear)
+		nvlist_add_bool(nvl, "clear_counter", true);
+
 	nvlpacked = nvlist_pack(nvl, &nv.len);
 	if (nvlpacked == NULL) {
 		nvlist_destroy(nvl);
--- a/lib/libpfctl/libpfctl.h
+++ b/lib/libpfctl/libpfctl.h
@ -182,6 +182,9 @@ RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
 int	pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
 	    const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
 	    char *anchor_call);
+int	pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket,
+	    const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
+	    char *anchor_call, bool clear);
 int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
 	    const char *anchor, const char *anchor_call, u_int32_t ticket,
 	    u_int32_t pool_ticket);
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@ -949,13 +949,11 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
 			pfctl_print_title("LABEL COUNTERS:");
 	}
 	mnr = pr.nr;
-	if (opts & PF_OPT_CLRRULECTRS)
-		pr.action = PF_GET_CLR_CNTR;

 	for (nr = 0; nr < mnr; ++nr) {
 		pr.nr = nr;
-		if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_SCRUB,
-		    &rule, pr.anchor_call)) {
+		if (pfctl_get_clear_rule(dev, nr, pr.ticket, path, PF_SCRUB,
+		    &rule, pr.anchor_call, opts & PF_OPT_CLRRULECTRS)) {
 			warn("DIOCGETRULENV");
 			goto error;
 		}
@ -987,8 +985,8 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
 	mnr = pr.nr;
 	for (nr = 0; nr < mnr; ++nr) {
 		pr.nr = nr;
-		if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_PASS,
-		    &rule, pr.anchor_call)) {
+		if (pfctl_get_clear_rule(dev, nr, pr.ticket, path, PF_PASS,
+		    &rule, pr.anchor_call, opts & PF_OPT_CLRRULECTRS)) {
 			warn("DIOCGETRULE");
 			goto error;
 		}