The branch main has been updated by kp:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=6ea1c3cfc89905b0f703b5d549b481fa0718a1a7

commit 6ea1c3cfc89905b0f703b5d549b481fa0718a1a7
Author:     Kristof Provost <[email protected]>
AuthorDate: 2022-01-17 16:38:28 +0000
Commit:     Kristof Provost <[email protected]>
CommitDate: 2022-03-02 16:00:07 +0000

    pfctl: support flushing ethernet rules
    
    Sponsored by:   Rubicon Communications, LLC ("Netgate")
---
 sbin/pfctl/pfctl.8 |  2 ++
 sbin/pfctl/pfctl.c | 24 +++++++++++++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index f61feef8bc16..95d098f6d585 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -212,6 +212,8 @@ Flush the filter parameters specified by
 Flush the NAT rules.
 .It Fl F Cm queue
 Flush the queue rules.
+.It Fl F Cm ethernet
+Flush the Ethernet filter rules.
 .It Fl F Cm rules
 Flush the filter rules.
 .It Fl F Cm states
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index bec37b0bf85f..89b546a1b9e2 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -75,6 +75,7 @@ int    pfctl_get_skip_ifaces(void);
 int     pfctl_check_skip_ifaces(char *);
 int     pfctl_adjust_skip_ifaces(struct pfctl *);
 int     pfctl_clear_interface_flags(int, int);
+int     pfctl_clear_eth_rules(int, int, char *);
 int     pfctl_clear_rules(int, int, char *);
 int     pfctl_clear_nat(int, int, char *);
 int     pfctl_clear_altq(int, int);
@@ -227,7 +228,8 @@ static const struct {
 
 static const char * const clearopt_list[] = {
        "nat", "queue", "rules", "Sources",
-       "states", "info", "Tables", "osfp", "all", NULL
+       "states", "info", "Tables", "osfp", "all",
+       "ethernet", NULL
 };
 
 static const char * const showopt_list[] = {
@@ -457,6 +459,22 @@ pfctl_clear_interface_flags(int dev, int opts)
        return (0);
 }
 
+int
+pfctl_clear_eth_rules(int dev, int opts, char *anchorname)
+{
+       struct pfr_buffer t;
+
+       memset(&t, 0, sizeof(t));
+       t.pfrb_type = PFRB_TRANS;
+       if (pfctl_add_trans(&t, PF_RULESET_ETH, anchorname) ||
+           pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
+           pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
+               err(1, "pfctl_clear_eth_rules");
+       if ((opts & PF_OPT_QUIET) == 0)
+               fprintf(stderr, "Ethernet rules cleared\n");
+       return (0);
+}
+
 int
 pfctl_clear_rules(int dev, int opts, char *anchorname)
 {
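Review bot: pfctl_clear_eth_rules carries no comment explaining why it flushes anything: no rules are loaded between `DIOCXBEGIN` and `DIOCXCOMMIT`, so the commit presumably installs an empty Ethernet ruleset for `anchorname`. A short comment above the `if` would make that explicit, for example `/* Commit a transaction with no rules loaded: replaces the Ethernet ruleset with an empty one. */`. The function either exits through `err(1, ...)` or returns 0, so callers learn nothing from the return value; that matches how both call sites in main() ignore it, but it is worth stating in the same comment. The pfctl_clear_rules definition that follows continues outside the hunk.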
@@ -2873,6 +2891,9 @@ main(int argc, char *argv[])
                            "be modified from the command line");
 
                switch (*clearopt) {
+               case 'e':
+                       pfctl_clear_eth_rules(dev, opts, anchorname);
+                       break;
                case 'r':
                        pfctl_clear_rules(dev, opts, anchorname);
                        break;
@@ -2892,6 +2913,7 @@ main(int argc, char *argv[])
                        pfctl_clear_stats(dev, opts);
                        break;
                case 'a':
+                       pfctl_clear_eth_rules(dev, opts, anchorname);
                        pfctl_clear_rules(dev, opts, anchorname);
                        pfctl_clear_nat(dev, opts, anchorname);
                        pfctl_clear_tables(anchorname, opts);
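Review bot: In `case 'a'` the Ethernet flush runs first, and pfctl_clear_eth_rules exits through `err(1, "pfctl_clear_eth_rules")` on any failure, so a kernel that rejects `PF_RULESET_ETH` would make `pfctl -F all` stop before the filter, NAT and table flushes run. That is inferred from the new function alone; how an older kernel answers is not visible in this diff. Placing `pfctl_clear_eth_rules(dev, opts, anchorname);` after the existing flushes in this branch would keep the earlier behaviour of `-F all` intact when the Ethernet step fails. Separately, `-F all` now also removes layer-2 filtering, but the pfctl.8 hunk documents only `-F ethernet`; the `all` entry in the manual page should say that Ethernet rules are included. The branch continues outside the hunk.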
