git: 9f283b1ca6df - stable/12 - pfctl: Fix clearing rules counters
Kristof Provost
kp at FreeBSD.org
Fri May 7 15:25:57 UTC 2021
The branch stable/12 has been updated by kp:
URL: https://cgit.FreeBSD.org/src/commit/?id=9f283b1ca6df02e798f51d4d891b0d34446d2fcc
commit 9f283b1ca6df02e798f51d4d891b0d34446d2fcc
Author: Kristof Provost <kp at FreeBSD.org>
AuthorDate: 2021-04-12 15:23:33 +0000
Commit: Kristof Provost <kp at FreeBSD.org>
CommitDate: 2021-05-07 08:16:02 +0000
pfctl: Fix clearing rules counters
After the migration to libpfctl for rule retrieval we accidentally lost
support for clearing the rules counters.
Introduce a get_clear variant of pfctl_get_rule() which allows rules
counters to be cleared.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29727
(cherry picked from commit 4eabfe468b6e80a0823523d83dc908c27ec823c7)
---
lib/libpfctl/libpfctl.c | 11 +++++++++++
lib/libpfctl/libpfctl.h | 3 +++
sbin/pfctl/pfctl.c | 10 ++++------
3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index a487e5a20018..6d5397cb64b2 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -483,6 +483,14 @@ pfctl_add_rule(int dev, const struct pfctl_rule *r, const char *anchor,
int
pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor,
u_int32_t ruleset, struct pfctl_rule *rule, char *anchor_call)
+{
+ return (pfctl_get_clear_rule(dev, nr, ticket, anchor, ruleset, rule,
+ anchor_call, false));
+}
+
+int pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket,
+ const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
+ char *anchor_call, bool clear)
{
struct pfioc_nv nv;
nvlist_t *nvl;
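Review bot: The definition of `pfctl_get_clear_rule` keeps the return type on the same line as the name, while `pfctl_get_rule` directly above it puts `int` on a line of its own. Splitting it the same way, `int` and then `pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket,` on the next line, keeps the two definitions consistent and lets a search for the name at line start find the definition. The body of the function continues outside this hunk.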
@@ -498,6 +506,9 @@ pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, const char *anchor,
nvlist_add_string(nvl, "anchor", anchor);
nvlist_add_number(nvl, "ruleset", ruleset);
+ if (clear)
+ nvlist_add_bool(nvl, "clear_counter", true);
+
nvlpacked = nvlist_pack(nvl, &nv.len);
if (nvlpacked == NULL) {
nvlist_destroy(nvl);
diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h
index bc27c18cfbb6..38108de769f4 100644
--- a/lib/libpfctl/libpfctl.h
+++ b/lib/libpfctl/libpfctl.h
@@ -181,6 +181,9 @@ RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
char *anchor_call);
+int pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket,
+ const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
+ char *anchor_call, bool clear);
int pfctl_add_rule(int dev, const struct pfctl_rule *r,
const char *anchor, const char *anchor_call, u_int32_t ticket,
u_int32_t pool_ticket);
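Review bot: The new prototype `pfctl_get_clear_rule` carries no comment saying that `clear = true` turns a retrieval into a state-changing call. According to the commit description it resets the rule's counters, which anything else reading those counters (monitoring, accounting, incident review) will observe. I would add above the prototype: `/* Like pfctl_get_rule(), but when clear is true the rule's counters are reset as part of the retrieval. */`.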
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 879fc876826c..9f6b3d2e36ea 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -949,13 +949,11 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
pfctl_print_title("LABEL COUNTERS:");
}
mnr = pr.nr;
- if (opts & PF_OPT_CLRRULECTRS)
- pr.action = PF_GET_CLR_CNTR;
for (nr = 0; nr < mnr; ++nr) {
pr.nr = nr;
- if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_SCRUB,
- &rule, pr.anchor_call)) {
+ if (pfctl_get_clear_rule(dev, nr, pr.ticket, path, PF_SCRUB,
+ &rule, pr.anchor_call, opts & PF_OPT_CLRRULECTRS)) {
warn("DIOCGETRULENV");
goto error;
}
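Review bot: Counters are reset one rule at a time inside the loop, so if `pfctl_get_clear_rule` fails at rule `nr` the `goto error` path is taken with the counters of the earlier rules already cleared and the remaining ones untouched; the PF_PASS loop in the next hunk behaves the same way. A later reader of the counters then sees a mixed state and the existing warning gives no hint of it. When clearing was requested the error path should say so, for example `if (opts & PF_OPT_CLRRULECTRS) warnx("rule counters cleared only below rule %u", (unsigned)nr);` before the `goto error`. `pfctl_show_rules` starts and ends outside this hunk.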
@@ -987,8 +985,8 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
mnr = pr.nr;
for (nr = 0; nr < mnr; ++nr) {
pr.nr = nr;
- if (pfctl_get_rule(dev, nr, pr.ticket, path, PF_PASS,
- &rule, pr.anchor_call)) {
+ if (pfctl_get_clear_rule(dev, nr, pr.ticket, path, PF_PASS,
+ &rule, pr.anchor_call, opts & PF_OPT_CLRRULECTRS)) {
warn("DIOCGETRULE");
goto error;
}
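Review bot: The warning after this call still reads `warn("DIOCGETRULE")`, while the identical call in the previous hunk reports `warn("DIOCGETRULENV")`. Both loops go through `pfctl_get_clear_rule`, so presumably the same ioctl fails in both places (the ioctl itself is not visible in this diff), and the differing label sends whoever reads the error to the wrong request. Changing it to `warn("DIOCGETRULENV");` makes the two sites agree. The enclosing function continues outside the hunk.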