authormpf <mpf@openbsd.org>2008-05-06 03:45:21 +0000
committermpf <mpf@openbsd.org>2008-05-06 03:45:21 +0000
commit95959bd1d5f2c50d6f23d886b22dc2fa88f9223f (patch)
treeda15c80c30eab73672c968c94e175e52874a7312
parentLabels in the sockaddr are stored like on the wire so shift and byte swap (diff)
Add a counter to record how many states have been created by a rule.
It shows up in pfctl verbose mode and in the 7th field of the labels output. Also remove the label printing for scrub rules, as they do not support labels. OK dhartmei@ (on an earlier version), henning@, mcbride@
-rw-r--r--sbin/pfctl/pfctl.c31
-rw-r--r--sbin/pfctl/pfctl_optimize.c5
-rw-r--r--sys/net/if_pfsync.c9
-rw-r--r--sys/net/pf.c35
-rw-r--r--sys/net/pf_ioctl.c13
-rw-r--r--sys/net/pfvar.h5
6 files changed, 49 insertions, 49 deletions
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 3829f2cb413..a9ba4e76b64 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.273 2008/02/13 19:55:12 kettenis Exp $ */
+/* $OpenBSD: pfctl.c,v 1.274 2008/05/06 03:45:21 mpf Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -734,10 +734,12 @@ pfctl_print_rule_counters(struct pf_rule *rule, int opts)
(unsigned long long)(rule->packets[0] +
rule->packets[1]),
(unsigned long long)(rule->bytes[0] +
- rule->bytes[1]), rule->states);
+ rule->bytes[1]), rule->states_cur);
if (!(opts & PF_OPT_DEBUG))
- printf(" [ Inserted: uid %u pid %u ]\n",
- (unsigned)rule->cuid, (unsigned)rule->cpid);
+ printf(" [ Inserted: uid %u pid %u "
+ "State Creations: %-6u]\n",
+ (unsigned)rule->cuid, (unsigned)rule->cpid,
+ rule->states_tot);
}
}
@@ -804,19 +806,6 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
switch (format) {
case PFCTL_SHOW_LABELS:
- if (pr.rule.label[0]) {
- printf("%s ", pr.rule.label);
- printf("%llu %llu %llu %llu %llu %llu %llu\n",
- (unsigned long long)pr.rule.evaluations,
- (unsigned long long)(pr.rule.packets[0] +
- pr.rule.packets[1]),
- (unsigned long long)(pr.rule.bytes[0] +
- pr.rule.bytes[1]),
- (unsigned long long)pr.rule.packets[0],
- (unsigned long long)pr.rule.bytes[0],
- (unsigned long long)pr.rule.packets[1],
- (unsigned long long)pr.rule.bytes[1]);
- }
break;
case PFCTL_SHOW_RULES:
if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
@@ -850,8 +839,9 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
switch (format) {
case PFCTL_SHOW_LABELS:
if (pr.rule.label[0]) {
- printf("%s ", pr.rule.label);
- printf("%llu %llu %llu %llu %llu %llu %llu\n",
+ printf("%s %llu %llu %llu %llu"
+ " %llu %llu %llu %llu\n",
+ pr.rule.label,
(unsigned long long)pr.rule.evaluations,
(unsigned long long)(pr.rule.packets[0] +
pr.rule.packets[1]),
@@ -860,7 +850,8 @@ pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
(unsigned long long)pr.rule.packets[0],
(unsigned long long)pr.rule.bytes[0],
(unsigned long long)pr.rule.packets[1],
- (unsigned long long)pr.rule.bytes[1]);
+ (unsigned long long)pr.rule.bytes[1],
+ (unsigned long long)pr.rule.states_tot);
}
break;
case PFCTL_SHOW_RULES:
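Review bot: The labels line now ends with an eighth counter after bytes[1], so any script that parses `pfctl -sl` by column position gains a trailing field, and the commit message's "7th field" undercounts it (label, evaluations, packets, bytes, packets in, bytes in, packets out, bytes out, then state creations). The printf itself is well-formed: nine conversions for nine arguments, and the u_int32_t is widened with the same `(unsigned long long)` cast as its neighbours. pfctl.8 is not in the diffstat; if its `-s labels` text enumerates the counters it should gain "state creations" at the end. pfctl_show_rules continues outside the hunk.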
diff --git a/sbin/pfctl/pfctl_optimize.c b/sbin/pfctl/pfctl_optimize.c
index 8a80232cc5b..7a2860d9248 100644
--- a/sbin/pfctl/pfctl_optimize.c
+++ b/sbin/pfctl/pfctl_optimize.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_optimize.c,v 1.16 2008/01/26 13:16:36 mcbride Exp $ */
+/* $OpenBSD: pfctl_optimize.c,v 1.17 2008/05/06 03:45:21 mpf Exp $ */
/*
* Copyright (c) 2004 Mike Frantzen <frantzen@openbsd.org>
@@ -182,7 +182,8 @@ struct pf_rule_field {
PF_RULE_FIELD(packets, DC),
PF_RULE_FIELD(bytes, DC),
PF_RULE_FIELD(kif, DC),
- PF_RULE_FIELD(states, DC),
+ PF_RULE_FIELD(states_cur, DC),
+ PF_RULE_FIELD(states_tot, DC),
PF_RULE_FIELD(src_nodes, DC),
PF_RULE_FIELD(nr, DC),
PF_RULE_FIELD(entries, DC),
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 2d3d3e4443a..537549b2c9f 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.89 2008/01/12 17:08:33 mpf Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.90 2008/05/06 03:45:21 mpf Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -268,7 +268,7 @@ pfsync_insert_net_state(struct pfsync_state *sp, u_int8_t chksum_flag)
else
r = &pf_default_rule;
- if (!r->max_states || r->states < r->max_states)
+ if (!r->max_states || r->states_cur < r->max_states)
st = pool_get(&pf_state_pl, PR_NOWAIT);
if (st == NULL) {
pfi_kif_unref(kif, PFI_KIF_REF_NONE);
@@ -297,7 +297,8 @@ pfsync_insert_net_state(struct pfsync_state *sp, u_int8_t chksum_flag)
/* XXX get pointers to nat_rule and anchor */
/* XXX when we have nat_rule/anchors, use STATE_INC_COUNTERS */
- r->states++;
+ r->states_cur++;
+ r->states_tot++;
/* fill in the rest of the state entry */
pf_state_host_ntoh(&sp->lan, &sk->lan);
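Review bot: The `r->states_tot++` here counts a state learned from a pfsync peer as a creation by the local rule, so on a standby firewall "State Creations" will include states the peer made; if that is intended it deserves a one-line comment, e.g. `/* states imported from a peer count as creations for the local rule */`. The hand-rolled pair must also stay in lockstep with STATE_INC_COUNTERS in pf.c, which the XXX comment above already flags; the new field makes that drift one line wider. pfsync_insert_net_state starts and ends outside this hunk.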
@@ -325,7 +326,7 @@ pfsync_insert_net_state(struct pfsync_state *sp, u_int8_t chksum_flag)
if (pf_insert_state(kif, st)) {
pfi_kif_unref(kif, PFI_KIF_REF_NONE);
/* XXX when we have nat_rule/anchors, use STATE_DEC_COUNTERS */
- r->states--;
+ r->states_cur--;
if (st->dst.scrub)
pool_put(&pf_state_scrub_pl, st->dst.scrub);
if (st->src.scrub)
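Review bot: On the pf_insert_state failure path only `states_cur` is unwound, so a state that never made it into the state table is still counted in `states_tot`; the same asymmetry appears in pf.c, where STATE_DEC_COUNTERS leaves states_tot alone. If the counter is meant to be "states that went live", add `r->states_tot--;` beside the `r->states_cur--;`; if it is meant to be "creation attempts", say so in the comment above the increment so the next reader does not "fix" it. pfsync_insert_net_state's body continues past the hunk.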
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 957320be3c3..a51badfdb6f 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.568 2008/05/05 13:00:43 henning Exp $ */
+/* $OpenBSD: pf.c,v 1.569 2008/05/06 03:45:21 mpf Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -267,20 +267,25 @@ struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX] = {
#define STATE_INC_COUNTERS(s) \
do { \
- s->rule.ptr->states++; \
- if (s->anchor.ptr != NULL) \
- s->anchor.ptr->states++; \
- if (s->nat_rule.ptr != NULL) \
- s->nat_rule.ptr->states++; \
+ s->rule.ptr->states_cur++; \
+ s->rule.ptr->states_tot++; \
+ if (s->anchor.ptr != NULL) { \
+ s->anchor.ptr->states_cur++; \
+ s->anchor.ptr->states_tot++; \
+ } \
+ if (s->nat_rule.ptr != NULL) { \
+ s->nat_rule.ptr->states_cur++; \
+ s->nat_rule.ptr->states_tot++; \
+ } \
} while (0)
#define STATE_DEC_COUNTERS(s) \
do { \
if (s->nat_rule.ptr != NULL) \
- s->nat_rule.ptr->states--; \
+ s->nat_rule.ptr->states_cur--; \
if (s->anchor.ptr != NULL) \
- s->anchor.ptr->states--; \
- s->rule.ptr->states--; \
+ s->anchor.ptr->states_cur--; \
+ s->rule.ptr->states_cur--; \
} while (0)
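Review bot: STATE_DEC_COUNTERS deliberately leaves `states_tot` untouched, which makes it a cumulative counter that only the rule-counter reset in pf_ioctl.c clears, but nothing in the macros says so and the visible asymmetry invites a well-meaning "fix". Add above STATE_DEC_COUNTERS: `/* states_tot counts creations and is cumulative: never decremented here, only cleared by the rule-counter reset ioctl */`. While the macros are being touched, the `s` argument is still used unparenthesised (`s->rule.ptr`); `(s)->` is the usual hygiene, though the existing callers presumably pass plain identifiers.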
static __inline int pf_src_compare(struct pf_src_node *, struct pf_src_node *);
@@ -913,7 +918,7 @@ pf_state_expires(const struct pf_state *state)
start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
if (start) {
end = state->rule.ptr->timeout[PFTM_ADAPTIVE_END];
- states = state->rule.ptr->states;
+ states = state->rule.ptr->states_cur;
} else {
start = pf_default_rule.timeout[PFTM_ADAPTIVE_START];
end = pf_default_rule.timeout[PFTM_ADAPTIVE_END];
@@ -947,7 +952,7 @@ pf_purge_expired_src_nodes(int waslocked)
}
if (cur->rule.ptr != NULL) {
cur->rule.ptr->src_nodes--;
- if (cur->rule.ptr->states <= 0 &&
+ if (cur->rule.ptr->states_cur <= 0 &&
cur->rule.ptr->max_src_nodes <= 0)
pf_rm_rule(NULL, cur->rule.ptr);
}
@@ -1023,15 +1028,15 @@ pf_free_state(struct pf_state *cur)
return;
#endif
KASSERT(cur->timeout == PFTM_UNLINKED);
- if (--cur->rule.ptr->states <= 0 &&
+ if (--cur->rule.ptr->states_cur <= 0 &&
cur->rule.ptr->src_nodes <= 0)
pf_rm_rule(NULL, cur->rule.ptr);
if (cur->nat_rule.ptr != NULL)
- if (--cur->nat_rule.ptr->states <= 0 &&
+ if (--cur->nat_rule.ptr->states_cur <= 0 &&
cur->nat_rule.ptr->src_nodes <= 0)
pf_rm_rule(NULL, cur->nat_rule.ptr);
if (cur->anchor.ptr != NULL)
- if (--cur->anchor.ptr->states <= 0)
+ if (--cur->anchor.ptr->states_cur <= 0)
pf_rm_rule(NULL, cur->anchor.ptr);
pf_normalize_tcp_cleanup(cur);
pfi_kif_unref(cur->kif, PFI_KIF_REF_STATE);
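Review bot: `--cur->rule.ptr->states_cur <= 0` operates on a u_int32_t (see the pfvar.h hunk), so `<= 0` is really `== 0`, and a decrement from 0 wraps to 0xffffffff and silently pins the rule in memory instead of tripping anything. The expression is pre-existing apart from the rename, but the rename is a good moment to make the refcount discipline explicit with `KASSERT(cur->rule.ptr->states_cur > 0);` before the decrement, and likewise for the nat_rule and anchor counters. pf_free_state begins before the hunk.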
@@ -3328,7 +3333,7 @@ pf_test_rule(struct pf_rule **rm, struct pf_state **sm, int direction,
struct pf_src_node *sn = NULL;
/* check maximums */
- if (r->max_states && (r->states >= r->max_states)) {
+ if (r->max_states && (r->states_cur >= r->max_states)) {
pf_status.lcounters[LCNT_STATES]++;
REASON_SET(&reason, PFRES_MAXSTATES);
goto cleanup;
diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index 16032abb727..50b319a9b9f 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_ioctl.c,v 1.194 2008/05/06 03:24:25 weingart Exp $ */
+/* $OpenBSD: pf_ioctl.c,v 1.195 2008/05/06 03:45:22 mpf Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -309,7 +309,7 @@ void
pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
{
if (rulequeue != NULL) {
- if (rule->states <= 0) {
+ if (rule->states_cur <= 0) {
/*
* XXX - we need to remove the table *before* detaching
* the rule to make sure the table code does not delete
@@ -325,7 +325,7 @@ pf_rm_rule(struct pf_rulequeue *rulequeue, struct pf_rule *rule)
rule->nr = -1;
}
- if (rule->states > 0 || rule->src_nodes > 0 ||
+ if (rule->states_cur > 0 || rule->src_nodes > 0 ||
rule->entries.tqe_prev != NULL)
return;
pf_tag_unref(rule->tag);
@@ -1148,7 +1148,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
rule->kif = NULL;
TAILQ_INIT(&rule->rpool.list);
/* initialize refcounting */
- rule->states = 0;
+ rule->states_cur = 0;
rule->src_nodes = 0;
rule->entries.tqe_prev = NULL;
#ifndef INET
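Review bot: `states_cur` is re-zeroed here but the new `states_tot` is not, so if the rule body was copied in from userland (the copy is above the hunk and not visible) the creation counter starts at whatever value the caller left in the struct. The existing evaluations/packets/bytes counters appear to rely on pfctl zeroing them, so this is consistent with them, but making the kernel authoritative costs one line: `rule->states_tot = 0;` next to `rule->states_cur = 0;`, and the same for `newrule` in the DIOCCHANGERULE hunk further down.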
@@ -1335,6 +1335,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
rule->evaluations = 0;
rule->packets[0] = rule->packets[1] = 0;
rule->bytes[0] = rule->bytes[1] = 0;
+ rule->states_tot = 0;
}
break;
}
@@ -1395,7 +1396,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
newrule->cpid = p->p_pid;
TAILQ_INIT(&newrule->rpool.list);
/* initialize refcounting */
- newrule->states = 0;
+ newrule->states_cur = 0;
newrule->entries.tqe_prev = NULL;
#ifndef INET
if (newrule->af == AF_INET) {
@@ -1668,7 +1669,7 @@ pfioctl(dev_t dev, u_long cmd, caddr_t addr, int flags, struct proc *p)
error = EEXIST;
break;
}
- pf_default_rule.states++;
+ pf_default_rule.states_cur++;
break;
}
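Review bot: Only `pf_default_rule.states_cur` is bumped after the successful insert, so a state added through this ioctl is never reflected in the default rule's `states_tot`, unlike states created via STATE_INC_COUNTERS in pf.c and in pfsync_insert_net_state, which increment both. Either add `pf_default_rule.states_tot++;` beside it or leave a comment explaining why user-inserted states are excluded from "State Creations". The case label is above the hunk, so which ioctl this belongs to cannot be confirmed from here.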
diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
index d063b4fdf63..a78efc35421 100644
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.260 2008/05/05 13:00:43 henning Exp $ */
+/* $OpenBSD: pfvar.h,v 1.261 2008/05/06 03:45:22 mpf Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -538,7 +538,8 @@ struct pf_rule {
int rtableid;
u_int32_t timeout[PFTM_MAX];
- u_int32_t states;
+ u_int32_t states_cur;
+ u_int32_t states_tot;
u_int32_t max_states;
u_int32_t src_nodes;
u_int32_t max_src_nodes;
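Review bot: `states_tot` is a cumulative counter stored in a u_int32_t, so on a busy firewall it wraps silently after 2^32 creations, whereas the other cumulative per-rule counters (evaluations, packets, bytes) are printed through `(unsigned long long)` casts in pfctl.c, which suggests they are 64-bit. If they are, `u_int64_t states_tot;` would match them and avoid a wrapping statistic. Adding a field to struct pf_rule also changes the DIOCADDRULE/DIOCGETRULE ABI, so pfctl and the kernel must be upgraded together; that is worth a sentence in the commit message. The struct continues past the hunk.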