Hello, tedu@ planted the idea for the diff below here [1]. That particular email is part of thread [2], where various cleanup/unconfigure options for PF are discussed. To keep progressing in small steps I've decided to factor out the first diff here, which introduces '-FR' (a.k.a. reset settings) for pfctl(8).
OK? thanks and regards sashan [1] https://marc.info/?l=openbsd-tech&m=155356735115005&w=2 [2] https://marc.info/?l=openbsd-tech&m=155341612701577&w=2 [ this is a good start point where to gather the context ] --------8<---------------8<---------------8<------------------8<--------
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 48b2893cfcd..ab1693e5854 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -197,8 +197,10 @@ Flush the filter information (statistics that are not bound to rules).
 Flush the tables.
 .It Fl F Cm osfp
 Flush the passive operating system fingerprints.
+.It Fl F Cm Reset
+Reset limits, timeouts and options back to default settings.
 .It Fl F Cm all
-Flush all of the above.
+Flush all of the above (+ reset settings).
 .El
 .It Fl f Ar file
 Replace the current ruleset with
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 493ff47af2f..a6cf265451c 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -105,6 +105,7 @@ int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int);
 const char *pfctl_lookup_option(char *, const char **);
 void pfctl_state_store(int, const char *);
 void pfctl_state_load(int, const char *);
+void pfctl_restore_defaults(int, int);
 const char *clearopt;
 char *rulesopt;
@@ -205,7 +206,8 @@ static const struct {
 };
 static const char *clearopt_list[] = {
-	"rules", "Sources", "states", "info", "Tables", "osfp", "all", NULL
+	"rules", "Sources", "states", "info", "Tables", "osfp", "Reset",
+	"all", NULL
 };
 static const char *showopt_list[] = {
@@ -2232,6 +2234,40 @@ pfctl_state_load(int dev, const char *file)
 	fclose(f);
 }
+void
+pfctl_restore_defaults(int dev, int opts)
+{
+	struct pfctl pf;
+	struct pfr_buffer t;
+	int i;
+
+	pf.dev = dev;
+	pfctl_init_options(&pf);
+
+	pf.debug_set = 1;
+	pf.reass_set = 1;
+	pf.syncookieswat_set = 1;
+	pf.ifname = strdup("none");
+	pf.ifname_set = 1;
+
+	memset(&t, 0, sizeof(t));
+	t.pfrb_type = PFRB_TRANS;
+	if (pfctl_trans(dev, &t, DIOCXBEGIN, 0))
+		warn("%s, DIOCXBEGIN", __func__);
+
+	for (i = 0; pf_limits[i].name; i++)
+		pf.limit_set[pf_limits[i].index] = 1;
+
+	for (i = 0; pf_timeouts[i].name; i++)
+		pf.timeout_set[pf_timeouts[i].timeout] = 1;
+
+	pfctl_load_options(&pf);
+
+	if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
+		warn("%s, DIOCXCOMMIT", __func__);
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -2558,6 +2594,7 @@ main(int argc, char *argv[])
 			pfctl_clear_stats(dev, ifaceopt, opts);
 			pfctl_clear_fingerprints(dev, opts);
 			pfctl_clear_interface_flags(dev, opts);
+			pfctl_restore_defaults(dev, opts);
 		}
 		break;
 	case 'o':
@@ -2566,6 +2603,9 @@ main(int argc, char *argv[])
 		case 'T':
 			pfctl_clear_tables(anchorname, opts);
 			break;
+		case 'R':
+			pfctl_restore_defaults(dev, opts);
+			break;
 		}
 	}
 	if (state_killers) {
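Review bot: pfctl_restore_defaults() goes on to DIOCXCOMMIT even when DIOCXBEGIN has already failed and regardless of what pfctl_load_options() returns, so a partially applied reset is committed to the running firewall instead of being rolled back. The `opts` parameter is also never read, and `pf` is a stack struct whose only field set before pfctl_init_options() is `dev`; unless that helper zeroes the whole struct (not visible in this hunk), `pf.opts` and the other fields pfctl_load_options() consults are uninitialized, which would make `-n`/verbose handling for `-FR` depend on stack garbage. I would zero `pf`, copy `opts` into `pf.opts`, return early on a failed DIOCXBEGIN, and roll back the transaction when loading the options fails; the unchecked `strdup("none")` result is a smaller version of the same pattern. The function is fully contained in the hunk.
```c
	memset(&pf, 0, sizeof(pf));
	pf.dev = dev;
	pf.opts = opts;
	pfctl_init_options(&pf);
	/* … unchanged: *_set flags, ifname, transaction buffer setup … */
	if (pfctl_trans(dev, &t, DIOCXBEGIN, 0)) {
		warn("%s, DIOCXBEGIN", __func__);
		return;
	}
	/* … unchanged: limit_set / timeout_set loops … */
	if (pfctl_load_options(&pf)) {
		warnx("%s: loading default options failed, rolling back", __func__);
		if (pfctl_trans(dev, &t, DIOCXROLLBACK, 0))
			warn("%s, DIOCXROLLBACK", __func__);
		return;
	}
	if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
		warn("%s, DIOCXCOMMIT", __func__);
```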
