author | sashan <sashan@openbsd.org> | 2019-04-15 21:36:44 +0000 |
committer | sashan <sashan@openbsd.org> | 2019-04-15 21:36:44 +0000 |
commit | 22f3d0383c550fab1db15772d0206e2bdc5e96d0 (patch) | |
tree | 5d2104c9089c20b7a02a8a1645ff94cf5790e362 /sbin/pfctl | |
parent | Avoid signed integer overflow. (diff) | |
download | wireguard-openbsd-22f3d0383c550fab1db15772d0206e2bdc5e96d0.tar.xz wireguard-openbsd-22f3d0383c550fab1db15772d0206e2bdc5e96d0.zip |
introduce 'pfctl -FR' to reset settings to defaults
(discussed with many at tech@)
OK deraadt@, kn@, sthen@, tedu@
Diffstat (limited to 'sbin/pfctl')
-rw-r--r-- | sbin/pfctl/pfctl.8 | 6 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 49 |
2 files changed, 50 insertions, 5 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 48b2893cfcd..b7e941991ba 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.176 2019/01/29 08:56:22 kn Exp $
+.\" $OpenBSD: pfctl.8,v 1.177 2019/04/15 21:36:44 sashan Exp $
 .\"
 .\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
 .\"
@@ -24,7 +24,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 29 2019 $
+.Dd $Mdocdate: April 15 2019 $
 .Dt PFCTL 8
 .Os
 .Sh NAME
@@ -197,6 +197,8 @@ Flush the filter information (statistics that are not bound to rules).
 Flush the tables.
 .It Fl F Cm osfp
 Flush the passive operating system fingerprints.
+.It Fl F Cm Reset
+Reset limits, timeouts and options back to default settings.
 .It Fl F Cm all
 Flush all of the above.
 .El
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 493ff47af2f..f56f6f9e90b 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl.c,v 1.372 2019/03/06 19:49:05 kn Exp $ */
+/* $OpenBSD: pfctl.c,v 1.373 2019/04/15 21:36:44 sashan Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -105,6 +105,7 @@ int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int);
 const char *pfctl_lookup_option(char *, const char **);
 void pfctl_state_store(int, const char *);
 void pfctl_state_load(int, const char *);
+void pfctl_reset(int, int);
 
 const char *clearopt;
 char *rulesopt;
@@ -205,7 +206,8 @@ static const struct {
 };
 
 static const char *clearopt_list[] = {
- "rules", "Sources", "states", "info", "Tables", "osfp", "all", NULL
+ "rules", "Sources", "states", "info", "Tables", "osfp", "Reset",
+ "all", NULL
 };
 
 static const char *showopt_list[] = {
@@ -2232,6 +2234,44 @@ pfctl_state_load(int dev, const char *file)
 fclose(f);
 }
 
+void
+pfctl_reset(int dev, int opts)
+{
+ struct pfctl pf;
+ struct pfr_buffer t;
+ int i;
+
+ pf.dev = dev;
+ pfctl_init_options(&pf);
+
+ /* Force reset upon pfctl_load_options() */
+ pf.debug_set = 1;
+ pf.reass_set = 1;
+ pf.syncookieswat_set = 1;
+ pf.ifname = strdup("none");
+ if (pf.ifname == NULL)
+ err(1, "%s: strdup", __func__);
+ pf.ifname_set = 1;
+
+ memset(&t, 0, sizeof(t));
+ t.pfrb_type = PFRB_TRANS;
+ if (pfctl_trans(dev, &t, DIOCXBEGIN, 0))
+ err(1, "%s: DIOCXBEGIN", __func__);
+
+ for (i = 0; pf_limits[i].name; i++)
+ pf.limit_set[pf_limits[i].index] = 1;
+
+ for (i = 0; pf_timeouts[i].name; i++)
+ pf.timeout_set[pf_timeouts[i].timeout] = 1;
+
+ pfctl_load_options(&pf);
+
+ if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
+ err(1, "%s: DIOCXCOMMIT", __func__);
+
+ pfctl_clear_interface_flags(dev, opts);
+}
+
 int
 main(int argc, char *argv[])
 {
@@ -2557,7 +2597,7 @@ main(int argc, char *argv[])
 pfctl_clear_src_nodes(dev, opts);
 pfctl_clear_stats(dev, ifaceopt, opts);
 pfctl_clear_fingerprints(dev, opts);
- pfctl_clear_interface_flags(dev, opts);
+ pfctl_reset(dev, opts);
 }
 break;
 case 'o':
@@ -2566,6 +2606,9 @@ main(int argc, char *argv[])
 case 'T':
 pfctl_clear_tables(anchorname, opts);
 break;
+ case 'R':
+ pfctl_reset(dev, opts);
+ break;
 }
 }
 if (state_killers) { |
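Review bot: In pfctl_reset, `struct pfctl pf` is never zeroed before `pfctl_init_options(&pf)`, so every member that helper does not assign — in particular any `*_set` flag for a setting this function does not force — reaches `pfctl_load_options(&pf)` with an indeterminate value, unless pfctl_init_options() clears the whole struct, which is not visible in this diff; `memset(&pf, 0, sizeof(pf));` ahead of `pf.dev = dev;` makes the reset deterministic. The `strdup("none")` buffer is never released after `pfctl_load_options()` has consumed it; a `free(pf.ifname);` following the DIOCXCOMMIT check is cheap and keeps the function reusable beyond a one-shot `-F` invocation. If pfctl_load_options() reports per-setting failures through its return value (not visible here), that value is discarded, so a failed limit or timeout ioctl still reaches DIOCXCOMMIT and the `-F all` and `-F R` call sites in the two main() hunks below would exit successfully after a partial reset; presumably the helper already warns, but propagating its result to `err()` or the caller is worth considering.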