Date: Fri, 22 Nov 2024 12:26:33 GMT
Message-Id: <202411221226.4AMCQXdN078165@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kristof Provost
Subject: git: 6463b6b59152 - main - pfctl: clear statistic for specified addresses
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: kp
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 6463b6b59152fb1695bbe0de78f6e2675c5a765a

The branch main has been updated by kp:

URL: https://cgit.FreeBSD.org/src/commit/?id=6463b6b59152fb1695bbe0de78f6e2675c5a765a

commit 6463b6b59152fb1695bbe0de78f6e2675c5a765a
Author:     Kristof Provost
AuthorDate: 2024-11-21 20:33:41 +0000
Commit:     Kristof Provost
CommitDate: 2024-11-22 11:22:16 +0000

    pfctl: clear statistic for specified addresses

    The ioctl DIOCRCLRASTATS provides the functionality of clearing stats not
    only for the whole table but also for addresses stored in that table. The
    functionality was missing from pfctl, though. Add it now.

    PR:             282877
    Obtained from:  OpenBSD, kirill , e496dff3a7
    MFC after:      3 weeks
---
 sbin/pfctl/pfctl.8            |  6 ++---
 sbin/pfctl/pfctl.h            |  1 +
 sbin/pfctl/pfctl_radix.c      | 23 +++++++++++++++++
 sbin/pfctl/pfctl_table.c      | 17 +++++++++++--
 tests/sys/netpfil/pf/table.sh | 57 +++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 99 insertions(+), 5 deletions(-)

diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index 80fdc394a568..45a6ea525694 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 23, 2024 +.Dd November 20, 2024 .Dt PFCTL 8 .Os .Sh NAME 
@@ -506,8 +506,8 @@ Automatically create a nonexisting table. Show the content (addresses) of a table. .It Fl T Cm test Test if the given addresses match a table. -.It Fl T Cm zero -Clear all the statistics of a table. +.It Fl T Cm zero Op Ar address ... +Clear all the statistics of a table, or only for specified addresses. .It Fl T Cm load Load only the table definitions from .Xr pf.conf 5 . diff --git a/sbin/pfctl/pfctl.h b/sbin/pfctl/pfctl.h index cf198d557299..b4aba3beb4a6 100644 --- a/sbin/pfctl/pfctl.h +++ b/sbin/pfctl/pfctl.h @@ -60,6 +60,7 @@ int pfr_del_tables(struct pfr_table *, int, int *, int); int pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int); int pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int); int pfr_clr_tstats(struct pfr_table *, int, int *, int); +int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, int); int pfr_clr_addrs(struct pfr_table *, int *, int); int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *, int); int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *, int); diff --git a/sbin/pfctl/pfctl_radix.c b/sbin/pfctl/pfctl_radix.c index cfe982a84e95..749e8b4affc9 100644 --- a/sbin/pfctl/pfctl_radix.c +++ b/sbin/pfctl/pfctl_radix.c @@ -286,6 +286,29 @@ pfr_get_astats(struct pfr_table *tbl, struct pfr_astats *addr, int *size, return (0); } +int +pfr_clr_astats(struct pfr_table *tbl, struct pfr_addr *addr, int size, + int *nzero, int flags) +{ + struct pfioc_table io; + + if (size < 0 || (size && !tbl) || addr == NULL) { + errno = EINVAL; + return (-1); + } + bzero(&io, sizeof io); + io.pfrio_flags = flags; + io.pfrio_table = *tbl; + io.pfrio_buffer = addr; + io.pfrio_esize = sizeof(*addr); + io.pfrio_size = size; + if (ioctl(dev, DIOCRCLRASTATS, &io) == -1) + return (-1); + if (nzero) + *nzero = io.pfrio_nzero; + return (0); +} + int pfr_clr_tstats(struct pfr_table *tbl, int size, int *nzero, int flags) { 
diff --git a/sbin/pfctl/pfctl_table.c b/sbin/pfctl/pfctl_table.c index 6085722f9306..25d9b87d8718 100644 --- a/sbin/pfctl/pfctl_table.c +++ b/sbin/pfctl/pfctl_table.c @@ -344,9 +344,22 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command, } if (nmatch < b.pfrb_size) rv = 2; + } else if (!strcmp(command, "zero") && (argc || file != NULL)) { + b.pfrb_type = PFRB_ADDRS; + if (load_addr(&b, argc, argv, file, 0)) + goto _error; + if (opts & PF_OPT_VERBOSE) + flags |= PFR_FLAG_FEEDBACK; + RVTEST(pfr_clr_astats(&table, b.pfrb_caddr, b.pfrb_size, + &nzero, flags)); + xprintf(opts, "%d/%d addresses cleared", nzero, b.pfrb_size); + if (opts & PF_OPT_VERBOSE) + PFRB_FOREACH(a, &b) + if (opts & PF_OPT_VERBOSE2 || + a->pfra_fback != PFR_FB_NONE) + print_addrx(a, NULL, + opts & PF_OPT_USEDNS); } else if (!strcmp(command, "zero")) { - if (argc || file != NULL) - usage(); flags |= PFR_FLAG_ADDRSTOO; RVTEST(pfr_clr_tstats(&table, 1, &nzero, flags)); xprintf(opts, "%d table/stats cleared", nzero); diff --git a/tests/sys/netpfil/pf/table.sh b/tests/sys/netpfil/pf/table.sh index 32943e659bd0..828d76a998be 100644 --- a/tests/sys/netpfil/pf/table.sh +++ b/tests/sys/netpfil/pf/table.sh 
@@ -109,6 +109,62 @@ v6_counters_cleanup() pft_cleanup } +atf_test_case "zero_one" "cleanup" +zero_one_head() +{ + atf_set descr 'Test zeroing a single address in a table' + atf_set require.user root +} + +zero_one_body() +{ + epair_send=$(vnet_mkepair) + ifconfig ${epair_send}a 192.0.2.1/24 up + ifconfig ${epair_send}a inet alias 192.0.2.3/24 + + vnet_mkjail alcatraz ${epair_send}b + jexec alcatraz ifconfig ${epair_send}b 192.0.2.2/24 up + jexec alcatraz pfctl -e + + pft_set_rules alcatraz \ + "table counters { 192.0.2.1, 192.0.2.3 }" \ + "block all" \ + "pass in from to any" \ + "pass out from any to " \ + "set skip on lo" + + atf_check -s exit:0 -o ignore ping -c 3 -S 192.0.2.1 192.0.2.2 + atf_check -s exit:0 -o ignore ping -c 3 -S 192.0.2.3 192.0.2.2 + + jexec alcatraz pfctl -t foo -T show -vv + + atf_check -s exit:0 -e ignore \ + -o match:'In/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \ + -o match:'In/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \ + -o match:'Out/Block:.*'"$TABLE_STATS_ZERO_REGEXP" \ + -o match:'Out/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \ + jexec alcatraz pfctl -t foo -T show -vv + + atf_check -s exit:0 -e ignore \ + jexec alcatraz pfctl -t foo -T zero 192.0.2.3 + + # We now have a zeroed and a non-zeroed counter, so both patterns + # should match + atf_check -s exit:0 -e ignore \ + -o match:'In/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \ + -o match:'Out/Pass:.*'"$TABLE_STATS_NONZERO_REGEXP" \ + jexec alcatraz pfctl -t foo -T show -vv + atf_check -s exit:0 -e ignore \ + -o match:'In/Pass:.*'"$TABLE_STATS_ZERO_REGEXP" \ + -o match:'Out/Pass:.*'"$TABLE_STATS_ZERO_REGEXP" \ + jexec alcatraz pfctl -t foo -T show -vv +} + +zero_one_cleanup() +{ + pft_cleanup +} + atf_test_case "pr251414" "cleanup" pr251414_head() { @@ -324,6 +380,7 @@ atf_init_test_cases() { atf_add_test_case "v4_counters" atf_add_test_case "v6_counters" + atf_add_test_case "zero_one" atf_add_test_case "pr251414" atf_add_test_case "automatic" atf_add_test_case "network"
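Review bot: the new `.It Fl T Cm zero Op Ar address ...` entry in pfctl.8 documents only addresses given on the command line, but the matching pfctl_table.c branch is entered on `(argc || file != NULL)` and hands `file` to `load_addr()`, so an address file is accepted as well; the description should say so, for example "Clear all the statistics of a table, or only for the specified addresses, given on the command line or read from a file."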
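Review bot: the argument check in pfr_clr_astats() (pfctl_radix.c hunk) lets a NULL `tbl` through when `size` is 0, because the guard is `(size && !tbl)`, yet `io.pfrio_table = *tbl;` dereferences it unconditionally a few lines later. The table pointer should be validated regardless of size and the buffer only when there is something to send, i.e. `if (tbl == NULL || size < 0 || (size && addr == NULL))`; as written, the function also refuses `addr == NULL` with `size == 0`, which is a harmless no-op the kernel would accept.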
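Review bot: in the pfctl_table.c hunk the two `zero` branches are now order-dependent: the new `!strcmp(command, "zero") && (argc || file != NULL)` case must stay ahead of the bare `zero` case, which lost its `if (argc || file != NULL) usage();` guard in the same hunk. A one-line comment on the second branch would stop a later reordering from silently turning `-T zero <address>` back into a whole-table clear. The four-line `PFRB_FOREACH` body with its nested `if` would also read better with braces.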
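Review bot: in zero_one_body the bare `jexec alcatraz pfctl -t foo -T show -vv` before the first atf_check runs outside any assertion and only adds noise to the test log; drop it or fold it into the atf_check that follows. The two assertions after `-T zero 192.0.2.3` only establish that some In/Pass and Out/Pass counter is zero and some is non-zero; they do not tie the zeroed counter to 192.0.2.3 and the untouched one to 192.0.2.1, so a bug that cleared the wrong entry would still pass. Asserting on the per-address block of the `-vv` output (for instance by extracting each address's stanza before matching) would make the test discriminate. As rendered here, the `table counters { ... }` line and the two `pass` rules also lack the table name (presumably `<foo>`, to match `pfctl -t foo`); check that the committed file carries it.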