Hi,

seeing this in the manpage
--8<--------------------------------------------------------------------------
+.It Fl F Cm Reset
+Reset limits, timeouts and options back to default settings.
-------------------------------------------------------------------------->8--
would lead me to believe that everything listed under OPTIONS in pf.conf(5) is reset. I see that e.g. the debug level is reset, but what about the rest, such as fingerprints, 'set skip on' and the other settings made with the 'set' command? Maybe the manpage should be more precise about which settings are actually affected?

PH

On 02.04.2019 9:40, Alexandr Nedvedicky wrote:
Hello,

below is the diff I plan to commit. I added a comment to pfctl_reset()
and adjusted the wording in the manpage.

thanks and
regards
sashan

--------8<---------------8<---------------8<---------------8<-----------
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 48b2893cfcd..00bd27c200a 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -197,6 +197,8 @@ Flush the filter information (statistics that are not bound 
to rules).
  Flush the tables.
  .It Fl F Cm osfp
  Flush the passive operating system fingerprints.
+.It Fl F Cm Reset
+Reset limits, timeouts and options back to default settings.
  .It Fl F Cm all
  Flush all of the above.
  .El
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 493ff47af2f..40929d90530 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -105,6 +105,7 @@ int  pfctl_load_rule(struct pfctl *, char *, struct pf_rule 
*, int);
  const char    *pfctl_lookup_option(char *, const char **);
  void  pfctl_state_store(int, const char *);
  void  pfctl_state_load(int, const char *);
+void   pfctl_reset(int, int);
const char *clearopt;
  char          *rulesopt;
@@ -205,7 +206,8 @@ static const struct {
  };
static const char *clearopt_list[] = {
-       "rules", "Sources", "states", "info", "Tables", "osfp", "all", NULL
+       "rules", "Sources", "states", "info", "Tables", "osfp", "Reset",
+       "all", NULL
  };
static const char *showopt_list[] = {
@@ -2232,6 +2234,41 @@ pfctl_state_load(int dev, const char *file)
        fclose(f);
  }
+void
+pfctl_reset(int dev, int opts)
+{
+       struct pfctl    pf;
+       struct pfr_buffer t;
+       int             i;
+
+       pf.dev = dev;
+       pfctl_init_options(&pf);
+
+       /* Force reset upon pfctl_load_options() */
+       pf.debug_set = 1;
+       pf.reass_set = 1;
+       pf.syncookieswat_set = 1;
+       pf.ifname = strdup("none");
+       pf.ifname_set = 1;
+
+       memset(&t, 0, sizeof(t));
+       t.pfrb_type = PFRB_TRANS;
+       if (pfctl_trans(dev, &t, DIOCXBEGIN, 0))
+               warn("%s, DIOCXBEGIN", __func__);
+
+
+       for (i = 0; pf_limits[i].name; i++)
+               pf.limit_set[pf_limits[i].index] = 1;
+
+       for (i = 0; pf_timeouts[i].name; i++)
+               pf.timeout_set[pf_timeouts[i].timeout] = 1;
+
+       pfctl_load_options(&pf);
+
+       if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
+               warn("%s, DIOCXCOMMIT", __func__);
+}
+
  int
  main(int argc, char *argv[])
  {
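Review bot: `pf.ifname = strdup("none");` is never checked for NULL, so an allocation failure leaves `pf.ifname_set = 1` with a NULL name that pfctl_load_options() will then pass on to the kernel. The `struct pfctl pf` on the stack is also only partially initialised: pf.dev, the *_set flags assigned here and whatever pfctl_init_options() fills in are set, but any other field pfctl_load_options() consults (presumably further *_set flags and the opts/loadopt fields) is uninitialised unless pfctl_init_options() zeroes the whole struct, which is not visible in this hunk. A failed DIOCXBEGIN only warns and the code still loads the options and issues DIOCXCOMMIT on a transaction that was never opened; for a one-shot administrative command, err(3) is the safer response, and the same applies to the DIOCXCOMMIT failure. The opts parameter is unused, and the result of pfctl_load_options() is discarded, so if that helper reports failure through its return value a partial reset goes unnoticed by the caller.
```c
void
pfctl_reset(int dev, int opts)
{
	struct pfctl	pf;
	struct pfr_buffer t;
	int		i;

	/* zero first: pfctl_load_options() reads more fields than are assigned below */
	memset(&pf, 0, sizeof(pf));
	pf.dev = dev;
	pfctl_init_options(&pf);

	/* … unchanged: debug_set / reass_set / syncookieswat_set … */
	if ((pf.ifname = strdup("none")) == NULL)
		err(1, "%s: strdup", __func__);
	pf.ifname_set = 1;

	memset(&t, 0, sizeof(t));
	t.pfrb_type = PFRB_TRANS;
	if (pfctl_trans(dev, &t, DIOCXBEGIN, 0))
		err(1, "%s: DIOCXBEGIN", __func__);

	/* … unchanged: limit_set / timeout_set loops, pfctl_load_options() … */

	if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
		err(1, "%s: DIOCXCOMMIT", __func__);
}
```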
@@ -2558,6 +2595,7 @@ main(int argc, char *argv[])
                                pfctl_clear_stats(dev, ifaceopt, opts);
                                pfctl_clear_fingerprints(dev, opts);
                                pfctl_clear_interface_flags(dev, opts);
+                               pfctl_reset(dev, opts);
                        }
                        break;
                case 'o':
@@ -2566,6 +2604,9 @@ main(int argc, char *argv[])
                case 'T':
                        pfctl_clear_tables(anchorname, opts);
                        break;
+               case 'R':
+                       pfctl_reset(dev, opts);
+                       break;
                }
        }
        if (state_killers) {

