git: 6ea1c3cfc899 - main - pfctl: support flushing ethernet rules
Date: Wed, 02 Mar 2022 16:01:05 UTC
The branch main has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=6ea1c3cfc89905b0f703b5d549b481fa0718a1a7
commit 6ea1c3cfc89905b0f703b5d549b481fa0718a1a7
Author: Kristof Provost <kp@FreeBSD.org>
AuthorDate: 2022-01-17 16:38:28 +0000
Commit: Kristof Provost <kp@FreeBSD.org>
CommitDate: 2022-03-02 16:00:07 +0000
pfctl: support flushing ethernet rules
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/pfctl.8 | 2 ++
sbin/pfctl/pfctl.c | 24 +++++++++++++++++++++++-
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index f61feef8bc16..95d098f6d585 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -212,6 +212,8 @@ Flush the filter parameters specified by
Flush the NAT rules.
.It Fl F Cm queue
Flush the queue rules.
+.It Fl F Cm ethernet
+Flush the Ethernet filter rules.
.It Fl F Cm rules
Flush the filter rules.
.It Fl F Cm states
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index bec37b0bf85f..89b546a1b9e2 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -75,6 +75,7 @@ int pfctl_get_skip_ifaces(void);
int pfctl_check_skip_ifaces(char *);
int pfctl_adjust_skip_ifaces(struct pfctl *);
int pfctl_clear_interface_flags(int, int);
+int pfctl_clear_eth_rules(int, int, char *);
int pfctl_clear_rules(int, int, char *);
int pfctl_clear_nat(int, int, char *);
int pfctl_clear_altq(int, int);
@@ -227,7 +228,8 @@ static const struct {
static const char * const clearopt_list[] = {
"nat", "queue", "rules", "Sources",
- "states", "info", "Tables", "osfp", "all", NULL
+ "states", "info", "Tables", "osfp", "all",
+ "ethernet", NULL
};
static const char * const showopt_list[] = {
@@ -457,6 +459,22 @@ pfctl_clear_interface_flags(int dev, int opts)
return (0);
}
+int
+pfctl_clear_eth_rules(int dev, int opts, char *anchorname)
+{
+ struct pfr_buffer t;
+
+ memset(&t, 0, sizeof(t));
+ t.pfrb_type = PFRB_TRANS;
+ if (pfctl_add_trans(&t, PF_RULESET_ETH, anchorname) ||
+ pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
+ pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
+ err(1, "pfctl_clear_eth_rules");
+ if ((opts & PF_OPT_QUIET) == 0)
+ fprintf(stderr, "Ethernet rules cleared\n");
+ return (0);
+}
+
int
pfctl_clear_rules(int dev, int opts, char *anchorname)
{
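Review bot: pfctl_clear_eth_rules carries no comment explaining that the flush appears to be performed by committing an empty PF_RULESET_ETH transaction (pfctl_add_trans followed by DIOCXBEGIN and DIOCXCOMMIT with no rules added), so a reader unfamiliar with the pf transaction model will look in vain for the actual deletion. Suggest adding above the definition: `/* Flush the Ethernet ruleset of anchorname by committing an empty PF_RULESET_ETH transaction; exits via err() if the transaction cannot be set up or the ioctls fail. */`. As a point of style, the `memset` plus `t.pfrb_type = PFRB_TRANS;` pair can collapse into one designated initializer, `struct pfr_buffer t = { .pfrb_type = PFRB_TRANS };`, which zero-fills the remaining members just the same. Whether the function should mirror any dry-run handling of the sibling pfctl_clear_rules cannot be judged from this hunk, since that function's body begins on the hunk's last line and continues outside it.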
@@ -2873,6 +2891,9 @@ main(int argc, char *argv[])
"be modified from the command line");
switch (*clearopt) {
+ case 'e':
+ pfctl_clear_eth_rules(dev, opts, anchorname);
+ break;
case 'r':
pfctl_clear_rules(dev, opts, anchorname);
break;
@@ -2892,6 +2913,7 @@ main(int argc, char *argv[])
pfctl_clear_stats(dev, opts);
break;
case 'a':
+ pfctl_clear_eth_rules(dev, opts, anchorname);
pfctl_clear_rules(dev, opts, anchorname);
pfctl_clear_nat(dev, opts, anchorname);
pfctl_clear_tables(anchorname, opts);