pfctl: Fix clearing rules counters

After the migration to libpfctl for rule retrieval we accidentally lost
support for clearing the rules counters.

Introduce a get_clear variant of pfctl_get_rule() that allows the rule
counters to be cleared.

MFC after:	4 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D29727
Kristof Provost 2021-04-12 17:23:33 +02:00
parent 6db169e920
commit 4eabfe468b
3 changed files with 18 additions and 6 deletions


@ -507,6 +507,14 @@ pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor,
int int
pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor, pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor,
u_int32_t ruleset, struct pfctl_rule *rule, char *anchor_call) u_int32_t ruleset, struct pfctl_rule *rule, char *anchor_call)
{
return (pfctl_get_clear_rule(dev, nr, ticket, anchor, ruleset, rule,
anchor_call, false));
}
int pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket,
const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
char *anchor_call, bool clear)
{ {
struct pfioc_nv nv; struct pfioc_nv nv;
nvlist_t *nvl; nvlist_t *nvl;
@ -522,6 +530,9 @@ pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor,
nvlist_add_string(nvl, "anchor", anchor); nvlist_add_string(nvl, "anchor", anchor);
nvlist_add_number(nvl, "ruleset", ruleset); nvlist_add_number(nvl, "ruleset", ruleset);
if (clear)
nvlist_add_bool(nvl, "clear_counter", true);
nvlpacked = nvlist_pack(nvl, &nv.len); nvlpacked = nvlist_pack(nvl, &nv.len);
if (nvlpacked == NULL) { if (nvlpacked == NULL) {
nvlist_destroy(nvl); nvlist_destroy(nvl);
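Review bot: The new `pfctl_get_clear_rule` carries no comment stating that `clear` turns an otherwise read-style query into a mutating call — the `clear_counter` key added just before `nvlist_pack` asks the kernel to reset the rule's counters as a side effect of fetching it. Suggest a header comment above the definition, e.g. `/* Fetch rule nr; when clear is set the kernel also zeroes the rule's counters as part of DIOCGETRULENV, so the call is not read-only. */`. Whether the kernel gates `clear_counter` behind the same write permission the old PF_GET_CLR_CNTR action path required is not visible in this hunk and is worth confirming, since a read-only open of the device should not be able to reset counters. Both functions continue past the end of the hunk.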


@ -182,6 +182,9 @@ RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule, const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
char *anchor_call); char *anchor_call);
int pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket,
const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
char *anchor_call, bool clear);
int pfctl_add_rule(int dev, const struct pfctl_rule *r, int pfctl_add_rule(int dev, const struct pfctl_rule *r,
const char *anchor, const char *anchor_call, u_int32_t ticket, const char *anchor, const char *anchor_call, u_int32_t ticket,
u_int32_t pool_ticket); u_int32_t pool_ticket);
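Review bot: The new prototype for `pfctl_get_clear_rule` takes `bool clear`, but the hunk adds no `#include <stdbool.h>`; unless the header already includes it above this hunk, any translation unit that includes libpfctl.h without pulling in stdbool.h first will fail to compile. Add `#include <stdbool.h>` to the header's include block, or declare the parameter as `int` in the public interface and convert inside the implementation.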


@ -949,13 +949,11 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
pfctl_print_title("LABEL COUNTERS:"); pfctl_print_title("LABEL COUNTERS:");
} }
mnr = pr.nr; mnr = pr.nr;
if (opts & PF_OPT_CLRRULECTRS)
pr.action = PF_GET_CLR_CNTR;
for (nr = 0; nr < mnr; ++nr) { for (nr = 0; nr < mnr; ++nr) {
pr.nr = nr; pr.nr = nr;
if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_SCRUB, if (pfctl_get_clear_rule(dev, nr, pr.ticket, path, PF_SCRUB,
&rule, pr.anchor_call)) { &rule, pr.anchor_call, opts & PF_OPT_CLRRULECTRS)) {
warn("DIOCGETRULENV"); warn("DIOCGETRULENV");
goto error; goto error;
} }
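Review bot: The call at the `pfctl_get_clear_rule` line passes `opts & PF_OPT_CLRRULECTRS`, an `int` bitmask, to a `bool` parameter and relies on implicit conversion; that is well-defined, but the intent reads clearer and survives a later change of the parameter type if written as `(opts & PF_OPT_CLRRULECTRS) != 0`. The same applies to the second hunk of this file (the PF_PASS call). With the `pr.action = PF_GET_CLR_CNTR` assignment removed, `pr.action` now keeps whatever value was set before this hunk; that is presumably fine since the clear request is conveyed per call, but pfctl_show_rules begins and ends outside the hunk so I cannot confirm nothing else still reads it.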
@ -987,8 +985,8 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
mnr = pr.nr; mnr = pr.nr;
for (nr = 0; nr < mnr; ++nr) { for (nr = 0; nr < mnr; ++nr) {
pr.nr = nr; pr.nr = nr;
if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_PASS, if (pfctl_get_clear_rule(dev, nr, pr.ticket, path, PF_PASS,
&rule, pr.anchor_call)) { &rule, pr.anchor_call, opts & PF_OPT_CLRRULECTRS)) {
warn("DIOCGETRULE"); warn("DIOCGETRULE");
goto error; goto error;
} }