Date: Mon, 7 Jul 2025 15:08:01 GMT From: Kristof Provost <kp@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org Subject: git: 613a144a4b78 - main - pfctl: introduce 'pfctl -FR' to reset settings to defaults Message-ID: <202507071508.567F81NN016810@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by kp: URL: https://cgit.FreeBSD.org/src/commit/?id=613a144a4b7819f2ac9619d3ae85dd4db08aac59 commit 613a144a4b7819f2ac9619d3ae85dd4db08aac59 Author: Kristof Provost <kp@FreeBSD.org> AuthorDate: 2025-07-02 14:47:43 +0000 Commit: Kristof Provost <kp@FreeBSD.org> CommitDate: 2025-07-07 15:06:51 +0000 pfctl: introduce 'pfctl -FR' to reset settings to defaults (discussed with many at tech@) OK deraadt@, kn@, sthen@, tedu@ Obtained from: OpenBSD, sashan <sashan@openbsd.org>, 22f3d0383c Sponsored by: Rubicon Communications, LLC ("Netgate") --- sbin/pfctl/pfctl.8 | 2 ++ sbin/pfctl/pfctl.c | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 47 insertions(+), 2 deletions(-) diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index 0c4a7b519bf6..2391c1d1cd12 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -223,6 +223,8 @@ Flush the filter information (statistics that are not bound to rules). Flush the tables. .It Fl F Cm osfp Flush the passive operating system fingerprints. +.It Fl F Cm Reset +Reset limits, timeouts and options back to default settings. .It Fl F Cm all Flush all of the above. .El diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index 0fb0602eb04f..8c20c8250ed1 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -123,6 +123,7 @@ int pfctl_load_ruleset(struct pfctl *, char *, struct pfctl_ruleset *, int, int); int pfctl_load_rule(struct pfctl *, char *, struct pfctl_rule *, int); const char *pfctl_lookup_option(char *, const char * const *); +void pfctl_reset(int, int); static struct pfctl_anchor_global pf_anchors; struct pfctl_anchor pf_main_anchor; @@ -231,7 +232,7 @@ static const struct { static const char * const clearopt_list[] = { "nat", "queue", "rules", "Sources", "states", "info", "Tables", "osfp", "all", - "ethernet", NULL + "ethernet", "Reset", NULL }; static const char * const showopt_list[] = { @@ -2947,6 +2948,45 @@ pfctl_lookup_option(char *cmd, const char * const *list) return (NULL); } +void +pfctl_reset(int dev, int opts) +{ + struct pfctl pf; + struct pfr_buffer t; + int i; + + pf.dev = dev; + pf.h = pfh; + pfctl_init_options(&pf); + + /* Force reset upon pfctl_load_options() */ + pf.debug_set = 1; + pf.reass_set = 1; + pf.syncookieswat_set = 1; + pf.ifname = strdup("none"); + if (pf.ifname == NULL) + err(1, "%s: strdup", __func__); + pf.ifname_set = 1; + + memset(&t, 0, sizeof(t)); + t.pfrb_type = PFRB_TRANS; + if (pfctl_trans(dev, &t, DIOCXBEGIN, 0)) + err(1, "%s: DIOCXBEGIN", __func__); + + for (i = 0; pf_limits[i].name; i++) + pf.limit_set[pf_limits[i].index] = 1; + + for (i = 0; pf_timeouts[i].name; i++) + pf.timeout_set[pf_timeouts[i].timeout] = 1; + + pfctl_load_options(&pf); + + if (pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) + err(1, "%s: DIOCXCOMMIT", __func__); + + pfctl_clear_interface_flags(dev, opts); +} + int main(int argc, char *argv[]) { @@ -3314,7 +3354,7 @@ main(int argc, char *argv[]) pfctl_clear_src_nodes(dev, opts); pfctl_clear_stats(pfh, opts); pfctl_clear_fingerprints(dev, opts); - pfctl_clear_interface_flags(dev, opts); + pfctl_reset(dev, opts); } break; case 'o': @@ -3323,6 +3363,9 @@ main(int argc, char *argv[]) case 'T': pfctl_do_clear_tables(anchorname, opts); break; + case 'R': + pfctl_reset(dev, opts); + break; } } if (state_killers) {
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202507071508.567F81NN016810>