Hello,

</snip>
> > +void
> > +pfctl_reset(int dev, int opts)
> > +{
> > +   struct pfctl    pf;
> > +   struct pfr_buffer t;
> > +   int             i;
> > +
> > +   pf.dev = dev;
> > +   pfctl_init_options(&pf);
> > +
> > +   /* Force reset upon pfctl_load_options() */
> > +   pf.debug_set = 1;
> > +   pf.reass_set = 1;
> > +   pf.syncookieswat_set = 1;
> > +   pf.ifname = strdup("none");
> 
> I think strdup should be checked for NULL.

    Good point. Does something like this look right?

--------8<---------------8<---------------8<------------------8<--------
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 032fdd08b57..88d31d6190e 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -2249,7 +2249,10 @@ pfctl_reset(int dev, int opts)
        pf.reass_set = 1;
        pf.syncookieswat_set = 1;
        pf.ifname = strdup("none");
-       pf.ifname_set = 1;
+       if (pf.ifname == NULL)
+               warn("%s: Warning: can't reset loginterface\n", __func__);
+       else
+               pf.ifname_set = 1;
 
        memset(&t, 0, sizeof(t));
        t.pfrb_type = PFRB_TRANS;
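Review bot: The format passed to warn() in the new `pf.ifname == NULL` branch ends in `\n`, but warn(3) itself appends `: <strerror(errno)>` plus a newline, so the errno text (ENOMEM here) ends up on a line of its own; the `Warning:` prefix likewise duplicates the program-name prefix warn(3) already prints. The two other warn() calls in this function (`warn("%s, DIOCXBEGIN", __func__)`) carry neither, so `warn("%s: can't reset loginterface", __func__);` keeps the messages consistent. Separately, the buffer returned by `strdup("none")` is never released before the function returns — a small per-invocation leak in a short-lived tool, but `free(pf.ifname)` once the options have been loaded closes it. pfctl_reset's body continues outside this hunk.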
--------8<---------------8<---------------8<------------------8<--------

> 
> > +   pf.ifname_set = 1;
> > +
> > +   memset(&t, 0, sizeof(t));
> > +   t.pfrb_type = PFRB_TRANS;
> > +   if (pfctl_trans(dev, &t, DIOCXBEGIN, 0))
> > +           warn("%s, DIOCXBEGIN", __func__);
> > +
> > +
> 
> There is an extra white-space line here.

    fixed.

updated diff is attached. I'll commit the change after unlock.

thanks and
regards
sasha

--------8<---------------8<---------------8<------------------8<--------
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 48b2893cfcd..00bd27c200a 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -197,6 +197,8 @@ Flush the filter information (statistics that are not bound 
to rules).
 Flush the tables.
 .It Fl F Cm osfp
 Flush the passive operating system fingerprints.
+.It Fl F Cm Reset
+Reset limits, timeouts and options back to default settings.
 .It Fl F Cm all
 Flush all of the above.
 .El
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 493ff47af2f..470c54644ba 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -105,6 +105,7 @@ int  pfctl_load_rule(struct pfctl *, char *, struct pf_rule 
*, int);
 const char     *pfctl_lookup_option(char *, const char **);
 void   pfctl_state_store(int, const char *);
 void   pfctl_state_load(int, const char *);
+void   pfctl_reset(int, int);
 
 const char     *clearopt;
 char           *rulesopt;
@@ -205,7 +206,8 @@ static const struct {
 };
 
 static const char *clearopt_list[] = {
-       "rules", "Sources", "states", "info", "Tables", "osfp", "all", NULL
+       "rules", "Sources", "states", "info", "Tables", "osfp", "Reset",
+       "all", NULL
 };
 
 static const char *showopt_list[] = {
@@ -2232,6 +2234,45 @@ pfctl_state_load(int dev, const char *file)
        fclose(f);
 }
 
+void
+pfctl_reset(int dev, int opts)
+{
+       struct pfctl    pf;
+       struct pfr_buffer t;
+       int             i;
+
+       pf.dev = dev;
+       pfctl_init_options(&pf);
+
+       /* Force reset upon pfctl_load_options() */
+       pf.debug_set = 1;
+       pf.reass_set = 1;
+       pf.syncookieswat_set = 1;
+       pf.ifname = strdup("none");
+       if (pf.ifname == NULL)
+               warn("%s: Warning: can't reset loginterface\n", __func__);
+       else
+               pf.ifname_set = 1;
+
+       memset(&t, 0, sizeof(t));
+       t.pfrb_type = PFRB_TRANS;
+       if (pfctl_trans(dev, &t, DIOCXBEGIN, 0))
+               warn("%s, DIOCXBEGIN", __func__);
+
+       for (i = 0; pf_limits[i].name; i++)
+               pf.limit_set[pf_limits[i].index] = 1;
+
+       for (i = 0; pf_timeouts[i].name; i++)
+               pf.timeout_set[pf_timeouts[i].timeout] = 1;
+
+       pfctl_load_options(&pf);
+
+       if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
+               warn("%s, DIOCXCOMMIT", __func__);
+
+       pfctl_clear_interface_flags(dev, opts);
+}
+
 int
 main(int argc, char *argv[])
 {
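Review bot: A failed DIOCXBEGIN at `if (pfctl_trans(dev, &t, DIOCXBEGIN, 0))` only warns, after which `pfctl_load_options(&pf)` and the DIOCXCOMMIT still run against a ticket that was never issued, and the return value of pfctl_load_options() is discarded, so a partially applied reset is committed silently (assuming it reports failure by return value like pfctl's other load helpers — its definition is outside this hunk). I would skip the load and the commit when BEGIN fails, and roll back instead of committing when loading reports an error (pfctl_trans with DIOCXROLLBACK, as the rules path elsewhere in this file does, if I recall correctly), freeing the strdup'd name on every path. It is also worth checking how `set loginterface none` is represented by the parser: if it maps "none" to a NULL `pf.ifname` rather than to the literal string, then `pf.ifname = NULL; pf.ifname_set = 1;` expresses the reset without the allocation or the NULL check, and avoids handing the string "none" to DIOCSETSTATUSIF as if it were an interface name.
```c
	memset(&t, 0, sizeof(t));
	t.pfrb_type = PFRB_TRANS;
	if (pfctl_trans(dev, &t, DIOCXBEGIN, 0)) {
		warn("%s, DIOCXBEGIN", __func__);
		goto out;
	}

	/* … unchanged: mark every limit and timeout as set … */

	if (pfctl_load_options(&pf)) {
		warnx("%s: options not fully reset, rolling back", __func__);
		if (pfctl_trans(dev, &t, DIOCXROLLBACK, 0))
			warn("%s, DIOCXROLLBACK", __func__);
	} else if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
		warn("%s, DIOCXCOMMIT", __func__);

out:
	free(pf.ifname);
	pfctl_clear_interface_flags(dev, opts);
}
```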
@@ -2557,7 +2598,7 @@ main(int argc, char *argv[])
                                pfctl_clear_src_nodes(dev, opts);
                                pfctl_clear_stats(dev, ifaceopt, opts);
                                pfctl_clear_fingerprints(dev, opts);
-                               pfctl_clear_interface_flags(dev, opts);
+                               pfctl_reset(dev, opts);
                        }
                        break;
                case 'o':
@@ -2566,6 +2607,9 @@ main(int argc, char *argv[])
                case 'T':
                        pfctl_clear_tables(anchorname, opts);
                        break;
+               case 'R':
+                       pfctl_reset(dev, opts);
+                       break;
                }
        }
        if (state_killers) {
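Review bot: The new `case 'R':` calls pfctl_reset() unconditionally, whereas the `'a'` path reaches it inside a guarded block whose condition sits just above the previous hunk (in pfctl that is, as far as I recall, `if (!*anchorname)` after rejecting an interface option), so `-a foo -F Reset` or `-i em0 -F Reset` would silently ignore the anchor or interface rather than refuse it. The sibling pfctl_clear_* routines also appear to gate their ioctls on `opts & PF_OPT_NOACTION` (their bodies are not in this hunk); pfctl_reset() only forwards `opts` and never consults it, so `-n -F Reset` may still issue ioctls or emit DIOCXBEGIN/DIOCXCOMMIT warnings against an unopened device — worth confirming. A guard such as `if (*anchorname || ifaceopt) { warnx("don't specify an anchor or interface with -F Reset"); usage(); }` before the call would match the `-F all` handling. main() starts and ends outside this hunk.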
