The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=b9d652bb75ffa0945a3bebf68d6d82de26efd269

commit b9d652bb75ffa0945a3bebf68d6d82de26efd269
Author:     Kristof Provost <[email protected]>
AuthorDate: 2025-08-27 15:51:29 +0000
Commit:     Kristof Provost <[email protected]>
CommitDate: 2025-09-25 12:41:09 +0000

    pf: print 'once' rule expire time
    
    Obtained from:  OpenBSD, sashan <[email protected]>, 8cf23eed7f
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 lib/libpfctl/libpfctl.c   |  1 +
 lib/libpfctl/libpfctl.h   |  2 ++
 sbin/pfctl/pfctl.c        | 11 ++++++++++-
 sbin/pfctl/pfctl_parser.c |  3 +++
 sys/net/pfvar.h           |  1 +
 sys/netpfil/pf/pf.c       |  2 +-
 sys/netpfil/pf/pf_nl.c    |  1 +
 sys/netpfil/pf/pf_nl.h    |  1 +
 8 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c
index b96b973ddc7c..e38469643571 100644
--- a/lib/libpfctl/libpfctl.c
+++ b/lib/libpfctl/libpfctl.c
@@ -1699,6 +1699,7 @@ static struct snl_attr_parser ap_getrule[] = {
        { .type = PF_RT_MAX_PKT_SIZE, .off =_OUT(r.max_pkt_size), .cb = 
snl_attr_get_uint16 },
        { .type = PF_RT_TYPE_2, .off = _OUT(r.type), .cb = snl_attr_get_uint16 
},
        { .type = PF_RT_CODE_2, .off = _OUT(r.code), .cb = snl_attr_get_uint16 
},
+       { .type = PF_RT_EXPTIME, .off = _OUT(r.exptime), .cb = 
snl_attr_get_uint64 },
 };
 #undef _OUT
 SNL_DECLARE_PARSER(getrule_parser, struct genlmsghdr, snl_f_p_empty, 
ap_getrule);
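Review bot: `snl_attr_get_uint64` on the new PF_RT_EXPTIME entry stores eight bytes at `_OUT(r.exptime)`, but libpfctl.h declares `exptime` as `time_t`, which is 32 bits wide on FreeBSD/i386; there the callback writes four bytes past the last member of `struct pfctl_rule`. Declaring the field as `uint64_t exptime;` (and casting to `long long` at the print site in pfctl.c) keeps it the same width as the u64 attribute on every architecture. Whether i386 is a target this path must survive on is for the author to confirm, but the parser table should not depend on it.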
diff --git a/lib/libpfctl/libpfctl.h b/lib/libpfctl/libpfctl.h
index dd76cab163b5..5880e1a88371 100644
--- a/lib/libpfctl/libpfctl.h
+++ b/lib/libpfctl/libpfctl.h
@@ -285,6 +285,8 @@ struct pfctl_rule {
                struct pf_addr          addr;
                uint16_t                port;
        }                       divert;
+
+       time_t                  exptime;
 };
 
 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index b29d992b1cda..7e1195fdf2f0 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1142,6 +1142,9 @@ pfctl_print_rule_counters(struct pfctl_rule *rule, int 
opts)
 
                printf("  [ queue: qname=%s qid=%u pqname=%s pqid=%u ]\n",
                    rule->qname, rule->qid, rule->pqname, rule->pqid);
+               if (rule->rule_flag & PFRULE_EXPIRED)
+                       printf("  [ Expired: %lld secs ago ]\n",
+                           (long long)(time(NULL) - rule->exptime));
        }
        if (opts & PF_OPT_VERBOSE) {
                printf("  [ Evaluations: %-8llu  Packets: %-8llu  "
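Review bot: The subtraction on the new `Expired:` line relies on `rule->exptime` holding a wall-clock value, which pf_handle_getrule only makes meaningful once PFRULE_EXPIRED is set (for other rules it sends boot time); a comment at the new `if` would spare the next reader a trip into pf_nl.c: `/* exptime is the wall-clock expiry time, meaningful only with PFRULE_EXPIRED */`. The `if` block that encloses the new lines opens before the hunk, so the option under which the line is shown is not visible here; if it is PF_OPT_DEBUG alone, `-vv` listings will show an expired rule but never its age, which may be intended.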
@@ -1411,7 +1414,13 @@ pfctl_show_rules(int dev, char *path, int opts, enum 
pfctl_show format,
                        if (rule.label[0][0] && (opts & PF_OPT_SHOWALL))
                                labels = 1;
                        print_rule(&rule, anchor_call, rule_numbers, numeric);
-                       printf("\n");
+                       /*
+                        * Do not print newline, when we have not
+                        * printed expired rule.
+                        */
+                       if (!(rule.rule_flag & PFRULE_EXPIRED) ||
+                           (opts & (PF_OPT_VERBOSE2|PF_OPT_DEBUG)))
+                               printf("\n");
                        pfctl_print_rule_counters(&rule, opts);
                        break;
                case PFCTL_SHOW_NOTHING:
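Review bot: `pfctl_print_rule_counters(&rule, opts)` on the line after the new condition is still called for an expired rule whose text print_rule() suppressed, so with `-v` alone (PF_OPT_VERBOSE set, neither PF_OPT_VERBOSE2 nor PF_OPT_DEBUG) the `[ Evaluations: ... ]` line is emitted with no rule above it. The guard should cover both calls: `if (!(rule.rule_flag & PFRULE_EXPIRED) || (opts & (PF_OPT_VERBOSE2|PF_OPT_DEBUG))) { printf("\n"); pfctl_print_rule_counters(&rule, opts); }`. This presumes that `rule_numbers`, the verbose argument passed to print_rule() on the line above, is derived from PF_OPT_VERBOSE2|PF_OPT_DEBUG the way the new condition is; that derivation sits outside the hunk, and the new comment should say that the two conditions must stay in step.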
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index ce493570a25e..54d3e7c8dc79 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -865,6 +865,9 @@ print_rule(struct pfctl_rule *r, const char *anchor_call, 
int verbose, int numer
        int     i, ropts;
        char    *p;
 
+       if ((r->rule_flag & PFRULE_EXPIRED) && (!verbose))
+               return;
+
        if (verbose)
                printf("@%d ", r->nr);
        if (anchor_call[0]) {
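Review bot: The new early return silently drops expired `once` rules from a plain `pfctl -sr` listing, and nothing at the return says so or ties it to the matching newline logic in pfctl_show_rules(); a comment would help: `/* Expired 'once' rules are hidden unless a rule-numbered (verbose) listing was requested; pfctl_show_rules() relies on this when deciding whether to emit the trailing newline. */`. The parentheses around `!verbose` are redundant: `if ((r->rule_flag & PFRULE_EXPIRED) && !verbose)`. print_rule()'s body continues beyond the hunk.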
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index d7d69615151d..c6a3448584ac 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -901,6 +901,7 @@ struct pf_krule {
        LIST_ENTRY(pf_krule)     allrulelist;
        bool                     allrulelinked;
 #endif
+       time_t                   exptime;
 };
 
 struct pf_krule_item {
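Review bot: The new `exptime` member carries no comment, while its value is an uptime stamp that is only valid once PFRULE_EXPIRED is set and that pf_nl.c converts to wall-clock time on the way out; the header is where the next reader will look for that. Suggest `time_t exptime; /* time_uptime when this 'once' rule expired; valid only with PFRULE_EXPIRED */`. `struct pf_krule` begins before the hunk.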
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
index 450e465e926a..ec6960180413 100644
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -5747,7 +5747,7 @@ pf_match_rule(struct pf_test_ctx *ctx, struct pf_kruleset 
*ruleset)
                                if ((rule_flag & PFRULE_EXPIRED) == 0 &&
                                    atomic_cmpset_int(&r->rule_flag, rule_flag,
                                    rule_flag | PFRULE_EXPIRED)) {
-                                       //r->exptime = gettime();
+                                       r->exptime = time_uptime;
                                } else {
                                        r = TAILQ_NEXT(r, entries);
                                        continue;
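Review bot: `r->exptime = time_uptime;` is stored after the cmpset that publishes PFRULE_EXPIRED, so a concurrent pf_handle_getrule can observe the flag set while `exptime` is still 0 and report the rule as expired since boot; nothing in the hunk orders the two writes against that reader. Storing `time_uptime` into `r->exptime` before the atomic_cmpset_int (a losing contender's stale store differs by at most its scheduling delay) or documenting that a zero `exptime` means "just now" would close the window. That both paths run under the rules read lock without mutual exclusion is inferred from the surrounding pf code, not from the hunk, and the loop containing the new line starts and ends outside it.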
diff --git a/sys/netpfil/pf/pf_nl.c b/sys/netpfil/pf/pf_nl.c
index 5c8f56ea4567..ff3edd43e3a5 100644
--- a/sys/netpfil/pf/pf_nl.c
+++ b/sys/netpfil/pf/pf_nl.c
@@ -1025,6 +1025,7 @@ pf_handle_getrule(struct nlmsghdr *hdr, struct nl_pstate 
*npt)
        nlattr_add_u64(nw, PF_RT_SRC_NODES_NAT, 
counter_u64_fetch(rule->src_nodes[PF_SN_NAT]));
        nlattr_add_u64(nw, PF_RT_SRC_NODES_ROUTE, 
counter_u64_fetch(rule->src_nodes[PF_SN_ROUTE]));
        nlattr_add_pf_threshold(nw, PF_RT_PKTRATE, &rule->pktrate);
+       nlattr_add_u64(nw, PF_RT_EXPTIME, time_second - (time_uptime - 
rule->exptime));
 
        error = pf_kanchor_copyout(ruleset, rule, anchor_call, 
sizeof(anchor_call));
        MPASS(error == 0);
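Review bot: The new nlattr_add_u64 runs for every rule, so for a rule that has not expired (`exptime` still 0) the value sent is `time_second - time_uptime`, i.e. boot time, which a consumer that does not also check PFRULE_EXPIRED will read as a real expiry. Emit it only when it is meaningful: `if (rule->rule_flag & PFRULE_EXPIRED) nlattr_add_u64(nw, PF_RT_EXPTIME, time_second - (time_uptime - rule->exptime));`. pfctl's print path is already gated on the flag, so it should be unaffected, presuming the libpfctl parser leaves the field at its zeroed value when the attribute is absent.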
diff --git a/sys/netpfil/pf/pf_nl.h b/sys/netpfil/pf/pf_nl.h
index b769421bbfcc..38891339450e 100644
--- a/sys/netpfil/pf/pf_nl.h
+++ b/sys/netpfil/pf/pf_nl.h
@@ -285,6 +285,7 @@ enum pf_rule_type_t {
        PF_RT_MAX_PKT_SIZE      = 83, /* u16 */
        PF_RT_TYPE_2            = 84, /* u16 */
        PF_RT_CODE_2            = 85, /* u16 */
+       PF_RT_EXPTIME           = 86, /* u64 */
 };
 
 enum pf_addrule_type_t {
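Review bot: The `/* u64 */` beside PF_RT_EXPTIME documents only the width, while the sender in pf_nl.c puts a wall-clock time in seconds that is meaningful only for rules with PFRULE_EXPIRED set; since this enum is the interface libpfctl parses against, say so here: `PF_RT_EXPTIME = 86, /* u64, wall-clock expiry time (secs since epoch); valid only with PFRULE_EXPIRED */`. That keeps a future consumer from treating the boot-time value sent for unexpired rules as an expiry.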
