pfctl does not clear limit counters
Kristof Provost
kristof at sigsegv.be
Fri Apr 14 10:38:35 UTC 2017
On 14 Apr 2017, at 8:24, Max wrote:
> "pfctl -F info" command doesn't clear limit counters (shown in "pfctl
> -vsi" output).
>
> I think, should be
> --- sys/netpfil/pf/pf_ioctl.c.orig 2017-04-14 09:10:25.171380000
> +0300
> +++ sys/netpfil/pf/pf_ioctl.c 2017-04-14 09:13:21.553650000 +0300
> @@ -1835,16 +1835,18 @@
> case DIOCCLRSTATUS: {
> PF_RULES_WLOCK();
> for (int i = 0; i < PFRES_MAX; i++)
> counter_u64_zero(V_pf_status.counters[i]);
> for (int i = 0; i < FCNT_MAX; i++)
> counter_u64_zero(V_pf_status.fcounters[i]);
> for (int i = 0; i < SCNT_MAX; i++)
> counter_u64_zero(V_pf_status.scounters[i]);
> + for (int i = 0; i < LCNT_MAX; i++)
> + counter_u64_zero(V_pf_status.lcounters[i]);
> V_pf_status.since = time_second;
> if (*V_pf_status.ifname)
> pfi_update_status(V_pf_status.ifname, NULL);
> PF_RULES_WUNLOCK();
> break;
> }
>
> case DIOCNATLOOK: {
>
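Review bot: The added LCNT_MAX loop in the DIOCCLRSTATUS case calls counter_u64_zero() on V_pf_status.lcounters[i], which is only correct if lcounters[] holds the same counter type as counters[], fcounters[] and scounters[]; the declaration is not part of this hunk, so confirm it before committing. Because this changes what "pfctl -F info" resets, the commit message should state that limit counters are now included, and a quick check that the limit counters in "pfctl -vsi" read zero after the flush would make the fix verifiable.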
This looks reasonable, but interestingly OpenBSD also don’t clear
lcounters.
I’ll dig into it a bit more in the next few days.
Regards,
Kristof