Hello Klemens,

On Tue, Apr 09, 2019 at 04:02:06PM +0200, Klemens Nanni wrote:
> OK either way, but see below.
>
> On Mon, Apr 08, 2019 at 09:56:46AM +0200, Alexandr Nedvedicky wrote:
> > + pf.ifname = strdup("none");
> > + if (pf.ifname == NULL)
> > + err(1, "%s: strdup", __func__);
> > + else
> > + pf.ifname_set = 1;
> This branch is redundant and confusing, that pattern is also rarely
> seen in the tree. The following is more obvious to the reader and
> resembles the code flow more clearly, I'd say:
>
> pf.ifname = strdup("none");
> if (pf.ifname == NULL)
> err(1, "%s: strdup", __func__);
> pf.ifname_set = 1;
you are absolutely right. Looks like I need glasses, but not the glasses with beer. thanks and regards sashan --------8<---------------8<---------------8<------------------8<-------- diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index 48b2893cfcd..00bd27c200a 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -197,6 +197,8 @@ Flush the filter information (statistics that are not bound to rules). Flush the tables. .It Fl F Cm osfp Flush the passive operating system fingerprints. +.It Fl F Cm Reset +Reset limits, timeouts and options back to default settings. .It Fl F Cm all Flush all of the above. .El diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 493ff47af2f..17461a4bf77 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -105,6 +105,7 @@ int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int); const char *pfctl_lookup_option(char *, const char **); void pfctl_state_store(int, const char *); void pfctl_state_load(int, const char *); +void pfctl_reset(int, int); const char *clearopt; char *rulesopt; @@ -205,7 +206,8 @@ static const struct { }; static const char *clearopt_list[] = { - "rules", "Sources", "states", "info", "Tables", "osfp", "all", NULL + "rules", "Sources", "states", "info", "Tables", "osfp", "Reset", + "all", NULL }; static const char *showopt_list[] = { 
@@ -2232,6 +2234,44 @@ pfctl_state_load(int dev, const char *file) fclose(f); } +void +pfctl_reset(int dev, int opts) +{ + struct pfctl pf; + struct pfr_buffer t; + int i; + + pf.dev = dev; + pfctl_init_options(&pf); + + /* Force reset upon pfctl_load_options() */ + pf.debug_set = 1; + pf.reass_set = 1; + pf.syncookieswat_set = 1; + pf.ifname = strdup("none"); + if (pf.ifname == NULL) + err(1, "%s: strdup", __func__); + pf.ifname_set = 1; + + memset(&t, 0, sizeof(t)); + t.pfrb_type = PFRB_TRANS; + if (pfctl_trans(dev, &t, DIOCXBEGIN, 0)) + err(1, "%s: DIOCXBEGIN", __func__); + + for (i = 0; pf_limits[i].name; i++) + pf.limit_set[pf_limits[i].index] = 1; + + for (i = 0; pf_timeouts[i].name; i++) + pf.timeout_set[pf_timeouts[i].timeout] = 1; + + pfctl_load_options(&pf); + + if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) + err(1, "%s: DIOCXCOMMIT", __func__); + + pfctl_clear_interface_flags(dev, opts); +} + int main(int argc, char *argv[]) { @@ -2557,7 +2597,7 @@ main(int argc, char *argv[]) pfctl_clear_src_nodes(dev, opts); pfctl_clear_stats(dev, ifaceopt, opts); pfctl_clear_fingerprints(dev, opts); - pfctl_clear_interface_flags(dev, opts); + pfctl_reset(dev, opts); } break; case 'o': @@ -2566,6 +2606,9 @@ main(int argc, char *argv[]) case 'T': pfctl_clear_tables(anchorname, opts); break; + case 'R': + pfctl_reset(dev, opts); + break; } } if (state_killers) { diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 247ceef40a5..dfa8d15d37a 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 
@@ -1129,12 +1129,24 @@ can be used. .Xr pf 4 may be tuned for various situations using the .Ic set -command. +command. Two sorts of options should be distinguished. +.Em runtime +options, which define parameters for +.Xr pf 4 +driver and +.Em parser +options, which fine-tune interpretation of rules, while +they are being loaded from file. The runtime options +may be restored to their default values using: +.Pp +.Dl # pfctl -FReset +.Pp + .Bl -tag -width Ds .It Ic set Cm block-policy drop | return The .Cm block-policy -option sets the default behaviour for the packet +parser option sets the default behaviour for the packet .Ic block action: .Pp @@ -1146,8 +1158,13 @@ A TCP RST is returned for blocked TCP packets, an ICMP UNREACHABLE is returned for blocked UDP packets, and all other packets are silently dropped. .El +.Pp +The default value is +.Cm drop . .It Ic set Cm debug Ar level -Set the debug +The +.Cm debug +runtime option defines .Ar level , which limits the severity of log messages printed by .Xr pf 4 . @@ -1164,9 +1181,10 @@ and .Cm debug . These keywords correspond to the similar (LOG_) values specified to the .Xr syslog 3 -library routine. +library routine. The default value is +.Cm err . .It Cm set Cm fingerprints Ar filename -Load fingerprints of known operating systems from the given +Parser option loads fingerprints of known operating systems from the given .Ar filename . By default fingerprints of known operating systems are automatically loaded from 
@@ -1174,23 +1192,29 @@ loaded from but can be overridden via this option. Setting this option may leave a small period of time where the fingerprints referenced by the currently active ruleset are inconsistent until the new -ruleset finishes loading. +ruleset finishes loading. The default location for fingerprints is +/etc/pf.os file. .It Ic set Cm hostid Ar number -The 32-bit hostid -.Ar number -identifies this firewall's state table entries to other firewalls +The runtime option specifies 32-bit hostid +.Ar number , +which identifies this firewall's state table entries to other firewalls in a .Xr pfsync 4 failover cluster. By default the hostid is set to a pseudo-random value, however it may be desirable to manually configure it, for example to more easily identify the source of state table entries. -The hostid may be specified in either decimal or hexadecimal. +The hostid may be specified in either decimal or hexadecimal. The +.Cm hostid +option value does not get changed by +.Xr pfctl 8 +.Fl F +.Cm Reset . .It Ic set Cm limit Ar limit-item number Sets hard limits on the memory pools used by the packet filter. See .Xr pool 9 -for an explanation of memory pools. +for an explanation of memory pools. All limits are runtime options. .Pp For example, to set the maximum number of entries in the memory pool used by state table @@ -1235,6 +1259,16 @@ Various limits can be combined on a single line: .Bd -literal -offset indent set limit { states 20000, frags 2000, src-nodes 2000 } .Ed +.Pp +.Xr pf 4 +uses defaults as follows: +.Bd -literal -offset indent +states PFSTATE_HIWAT (100000) +tables PFR_KTABLE_HIWAT (1000) +table-entries PFR_KENTRY_HIWAT (200000) + PFR_KENTRY_HIWAT_SMALL (100000) +frags NMBCLUSTERS/32 (platform dependent) +.Ed .It Ic set Cm loginterface Ar interface | Cm none Enable collection of packet and byte count statistics for the given interface or interface group.
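Review bot: the new `.It Fl F Cm Reset` entry in the pfctl.8 hunk says the command resets "limits, timeouts and options", but the pf.conf.5 hunk in the same diff states that hostid is not changed by `-F Reset`, and pfctl_reset() also calls pfctl_clear_interface_flags(); spell out both here so the two manuals agree, e.g. "Reset limits, timeouts and options (except hostid) to default settings and clear interface flags."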
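Review bot: in the pfctl.c hunk at @@ -2232, `struct pfctl pf` in pfctl_reset() is an automatic variable and only `pf.dev` is assigned before pfctl_init_options(&pf), so any field that pfctl_load_options() reads and pfctl_init_options() does not set is uninitialized; in particular the `opts` parameter is never stored in `pf.opts` and is only passed on to pfctl_clear_interface_flags(). Suggest starting the function with `memset(&pf, 0, sizeof(pf)); pf.dev = dev; pf.opts = opts;`. Two smaller points in the same hunk: the `strdup("none")` result is never freed (harmless in a short-lived pfctl, but `free(pf.ifname)` before returning costs nothing), and `pfctl_load_options(&pf)` is called as a bare statement, so a failed option load is still followed by DIOCXCOMMIT; if it can report failure, check the result and roll back with DIOCXROLLBACK instead of committing.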
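Review bot: the pfctl.c hunk at @@ -2557 replaces `pfctl_clear_interface_flags(dev, opts)` with `pfctl_reset(dev, opts)` in the `-F all` path, so `-F all` now also resets limits, timeouts and options rather than only clearing interface flags; that matches "Flush all of the above" now that Reset is in the pfctl.8 list, but it is a behaviour change for existing `pfctl -F all` users and deserves a sentence in the commit message.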
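Review bot: in the pf.conf.5 hunk at @@ -1129, the `+` line after the second `.Pp` is an empty input line, which mandoc flags as a blank line in fill mode; drop it, since `.Pp` before `.Bl` already provides the spacing. Two wording nits in the same hunk: "which define parameters for .Xr pf 4 driver" is missing an article ("for the .Xr pf 4 driver"), and the comma in "fine-tune interpretation of rules, while they are being loaded from file" should go.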
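Review bot: "Parser option loads fingerprints of known operating systems from the given .Ar filename" in the pf.conf.5 hunk at @@ -1164 reads awkwardly; make it "This parser option loads ..." so it is phrased like the debug and hostid entries elsewhere in this diff.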
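Review bot: in the pf.conf.5 hunk at @@ -1174, the added sentence "The default location for fingerprints is /etc/pf.os file." duplicates the preceding text ("By default fingerprints of known operating systems are automatically loaded from ... but can be overridden via this option"), which already names the default; drop it, or if it stays, mark the path with `.Pa /etc/pf.os` and drop "file". In the hostid paragraph of the same hunk, "The runtime option specifies 32-bit hostid .Ar number ," should read "This runtime option specifies the 32-bit hostid".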
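Review bot: the defaults table added in the pf.conf.5 hunk at @@ -1235 lists states, tables, table-entries and frags but omits src-nodes, which the example just above it (`set limit { states 20000, frags 2000, src-nodes 2000 }`) shows as a settable limit; add its default. The table-entries row gives two constants, PFR_KENTRY_HIWAT (200000) and PFR_KENTRY_HIWAT_SMALL (100000), without saying which applies when; state the condition, and consider whether kernel macro names belong in a user-facing manual or whether the numbers alone are clearer.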