Hi, On 2017-01-24 07:26 PM, Sebastian Benoit wrote: > but your diff does not seem to be against -current, you started from 6.0 > > But even with 6.0 i get rejects, maybe you mail client messes this up. My patch is based on -current; I suppose the problem came from my mail client.
> Can you please resend a good diff? I try another config of my mail client and I attach the patch in case it fail again.
Index: pfctl.8
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl.8,v
retrieving revision 1.165
diff -u -p -r1.165 pfctl.8
--- pfctl.8 15 Jun 2015 08:48:23 -0000 1.165
+++ pfctl.8 24 Jan 2017 21:38:56 -0000
@@ -47,6 +47,7 @@
 .Op Fl S Ar statefile
 .Op Fl s Ar modifier Op Fl R Ar id
 .Op Fl t Ar table Fl T Ar command Op Ar address ...
+.Op Fl V Ar rdomain
 .Op Fl x Ar level
 .Ek
 .Sh DESCRIPTION
@@ -275,6 +276,12 @@ from rules carrying the label
 .Dq foobar :
 .Pp
 .Dl # pfctl -k label -k foobar
+.Pp
+To kill states withing a rdomain (the rdomain of a state is displayed in parentheses before the host by pfctl -s states) use
+.Fl V Ar rdomain :
+.Pp
+.Dl # pfctl -V rdomain -k host
 .Pp
 To kill one specific state by its unique state ID (as shown by pfctl -s state -vv),
Index: pfctl.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.334
diff -u -p -r1.334 pfctl.c
--- pfctl.c 14 Jan 2016 12:05:51 -0000 1.334
+++ pfctl.c 24 Jan 2017 21:38:56 -0000
@@ -69,9 +69,9 @@ int pfctl_clear_src_nodes(int, int);
 int pfctl_clear_states(int, const char *, int);
 void pfctl_addrprefix(char *, struct pf_addr *);
 int pfctl_kill_src_nodes(int, const char *, int);
-int pfctl_net_kill_states(int, const char *, int);
-int pfctl_label_kill_states(int, const char *, int);
-int pfctl_id_kill_states(int, const char *, int);
+int pfctl_net_kill_states(int, const char *, int, int);
+int pfctl_label_kill_states(int, const char *, int, int);
+int pfctl_id_kill_states(int, int);
 void pfctl_init_options(struct pfctl *);
 int pfctl_load_options(struct pfctl *);
 int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
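Review bot: `pfctl_id_kill_states` loses its `iface` parameter in the same prototype hunk where the two sibling kill functions gain `rdomain`; if `iface` was genuinely unused in that function this is a harmless cleanup, but it is unrelated to the `-V` feature and would be easier to review and to bisect as a separate diff. A short note in the commit message saying that the by-id path intentionally ignores the routing domain (a state ID is unique on its own) would spare the next reader from wondering whether the missing argument is an oversight.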
@@ -512,7 +512,7 @@ pfctl_kill_src_nodes(int dev, const char
 }
 int
-pfctl_net_kill_states(int dev, const char *iface, int opts)
+pfctl_net_kill_states(int dev, const char *iface, int opts, int rdomain)
 {
 struct pfioc_state_kill psk;
 struct addrinfo *res[2], *resp[2];
@@ -531,6 +531,8 @@ pfctl_net_kill_states(int dev, const cha
 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
 errx(1, "invalid interface: %s", iface);
+ psk.psk_rdomain = rdomain;
+
 pfctl_addrprefix(state_kill[0], &psk.psk_src.addr.v.a.mask);
 if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) {
@@ -618,7 +620,7 @@ pfctl_net_kill_states(int dev, const cha
 }
 int
-pfctl_label_kill_states(int dev, const char *iface, int opts)
+pfctl_label_kill_states(int dev, const char *iface, int opts, int rdomain)
 {
 struct pfioc_state_kill psk;
@@ -635,6 +637,8 @@ pfctl_label_kill_states(int dev, const c
 sizeof(psk.psk_label))
 errx(1, "label too long: %s", state_kill[1]);
+ psk.psk_rdomain = rdomain;
+
 if (ioctl(dev, DIOCKILLSTATES, &psk))
 err(1, "DIOCKILLSTATES");
@@ -645,7 +649,7 @@ pfctl_label_kill_states(int dev, const c
 }
 int
-pfctl_id_kill_states(int dev, const char *iface, int opts)
+pfctl_id_kill_states(int dev, int opts)
 {
 struct pfioc_state_kill psk;
@@ -2098,6 +2102,7 @@ main(int argc, char *argv[])
 int opts = 0;
 int optimize = PF_OPTIMIZE_BASIC;
 int level;
+ int rdomain = 0;
 char anchorname[PATH_MAX];
 int anchor_wildcard = 0;
 char *path;
@@ -2109,7 +2114,7 @@ main(int argc, char *argv[])
 usage();
 while ((ch = getopt(argc, argv,
- "a:dD:eqf:F:ghi:k:K:L:no:Pp:R:rS:s:t:T:vx:z")) != -1) {
+ "a:dD:eqf:F:ghi:k:K:L:no:Pp:R:rS:s:t:T:vV:x:z")) != -1) {
 switch (ch) {
 case 'a':
 anchoropt = optarg;
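Review bot: `psk.psk_rdomain = rdomain;` in the `@@ -531` hunk copies an `int` into the ioctl request with nothing at the call site saying why the value is trustworthy; it was bounded by `strtonum(optarg, 0, RT_TABLEID_MAX, &errstr)` in main, but that check is two thousand lines away and the field is presumably narrower than `int`. A one-line comment such as `/* validated in main: 0 <= rdomain <= RT_TABLEID_MAX */` above the assignment here and in the matching `@@ -635` hunk of `pfctl_label_kill_states` would tie the validation to its use. It is also worth recording that leaving `rdomain` at its default of 0 is meant to keep the pre-patch behaviour, which holds only if `psk` is zero-filled before these lines and the kernel compares the field exactly — neither is visible in this diff, so please confirm. Both function bodies start before and continue after their hunks.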
@@ -2215,6 +2220,13 @@ main(int argc, char *argv[])
 opts |= PF_OPT_VERBOSE2;
 opts |= PF_OPT_VERBOSE;
 break;
+ case 'V':
+ rdomain = strtonum(optarg, 0, RT_TABLEID_MAX, &errstr);
+ if (errstr) {
+ warnx("Invalid rdomain: %s", errstr);
+ usage();
+ }
+ break;
 case 'x':
 debugopt = pfctl_lookup_option(optarg, debugopt_list);
 if (debugopt == NULL) {
@@ -2403,11 +2415,11 @@ main(int argc, char *argv[])
 }
 if (state_killers) {
 if (!strcmp(state_kill[0], "label"))
- pfctl_label_kill_states(dev, ifaceopt, opts);
+ pfctl_label_kill_states(dev, ifaceopt, opts, rdomain);
 else if (!strcmp(state_kill[0], "id"))
- pfctl_id_kill_states(dev, ifaceopt, opts);
+ pfctl_id_kill_states(dev, opts);
 else
- pfctl_net_kill_states(dev, ifaceopt, opts);
+ pfctl_net_kill_states(dev, ifaceopt, opts, rdomain);
 }
 if (src_node_killers)
-- Bertrand Provost
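Review bot: `-V` is accepted but silently ignored whenever it does not apply: in the `@@ -2403` dispatch hunk `pfctl_id_kill_states(dev, opts)` never receives `rdomain`, and `-V` given without any `-k` has no effect at all, so an operator can believe a state kill was scoped to a routing domain when it was not. Because 0 is itself a valid rdomain, `rdomain != 0` cannot serve as the "was -V given" test; a separate flag set in `case 'V':` and checked before dispatch lets main warn, as sketched below. The parse itself is sound — `strtonum(optarg, 0, RT_TABLEID_MAX, &errstr)` bounds the value and rejects non-numeric input — provided a `const char *errstr` is already declared in main, which this hunk does not show. Separately, the pfctl.8 hunk spells `withing`, and `-V` appears only in the synopsis and the `-k` example, so an `.It Fl V Ar rdomain` entry in the option list is still needed unless it is added elsewhere.
```c
		case 'V':
			/* … unchanged: strtonum() parse and errstr check … */
			rdomain_set = 1;	/* new local next to rdomain: int rdomain_set = 0; */
			break;
	/* … unchanged: remaining option cases and setup … */
	if (rdomain_set && !state_killers)
		warnx("-V has no effect without -k");
	if (state_killers) {
		/* … unchanged: "label" branch … */
		else if (!strcmp(state_kill[0], "id")) {
			if (rdomain_set)
				warnx("-V is ignored when killing by state id");
			pfctl_id_kill_states(dev, opts);
		}
```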
Index: pfctl.8
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl.8,v
retrieving revision 1.165
diff -u -p -r1.165 pfctl.8
--- pfctl.8 15 Jun 2015 08:48:23 -0000 1.165
+++ pfctl.8 24 Jan 2017 21:38:56 -0000
@@ -47,6 +47,7 @@
 .Op Fl S Ar statefile
 .Op Fl s Ar modifier Op Fl R Ar id
 .Op Fl t Ar table Fl T Ar command Op Ar address ...
+.Op Fl V Ar rdomain
 .Op Fl x Ar level
 .Ek
 .Sh DESCRIPTION
@@ -275,6 +276,12 @@ from rules carrying the label
 .Dq foobar :
 .Pp
 .Dl # pfctl -k label -k foobar
+.Pp
+To kill states withing a rdomain (the rdomain of a state is displayed in parentheses before the host by pfctl -s states) use
+.Fl V Ar rdomain :
+.Pp
+.Dl # pfctl -V rdomain -k host
 .Pp
 To kill one specific state by its unique state ID (as shown by pfctl -s state -vv),
Index: pfctl.c
===================================================================
RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
retrieving revision 1.334
diff -u -p -r1.334 pfctl.c
--- pfctl.c 14 Jan 2016 12:05:51 -0000 1.334
+++ pfctl.c 24 Jan 2017 21:38:56 -0000
@@ -69,9 +69,9 @@ int pfctl_clear_src_nodes(int, int);
 int pfctl_clear_states(int, const char *, int);
 void pfctl_addrprefix(char *, struct pf_addr *);
 int pfctl_kill_src_nodes(int, const char *, int);
-int pfctl_net_kill_states(int, const char *, int);
-int pfctl_label_kill_states(int, const char *, int);
-int pfctl_id_kill_states(int, const char *, int);
+int pfctl_net_kill_states(int, const char *, int, int);
+int pfctl_label_kill_states(int, const char *, int, int);
+int pfctl_id_kill_states(int, int);
 void pfctl_init_options(struct pfctl *);
 int pfctl_load_options(struct pfctl *);
 int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
@@ -512,7 +512,7 @@ pfctl_kill_src_nodes(int dev, const char
 }
 int
-pfctl_net_kill_states(int dev, const char *iface, int opts)
+pfctl_net_kill_states(int dev, const char *iface, int opts, int rdomain)
 {
 struct pfioc_state_kill psk;
 struct addrinfo *res[2], *resp[2];
@@ -531,6 +531,8 @@ pfctl_net_kill_states(int dev, const cha
 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
 errx(1, "invalid interface: %s", iface);
+ psk.psk_rdomain = rdomain;
+
 pfctl_addrprefix(state_kill[0], &psk.psk_src.addr.v.a.mask);
 if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) {
@@ -618,7 +620,7 @@ pfctl_net_kill_states(int dev, const cha
 }
 int
-pfctl_label_kill_states(int dev, const char *iface, int opts)
+pfctl_label_kill_states(int dev, const char *iface, int opts, int rdomain)
 {
 struct pfioc_state_kill psk;
@@ -635,6 +637,8 @@ pfctl_label_kill_states(int dev, const c
 sizeof(psk.psk_label))
 errx(1, "label too long: %s", state_kill[1]);
+ psk.psk_rdomain = rdomain;
+
 if (ioctl(dev, DIOCKILLSTATES, &psk))
 err(1, "DIOCKILLSTATES");
@@ -645,7 +649,7 @@ pfctl_label_kill_states(int dev, const c
 }
 int
-pfctl_id_kill_states(int dev, const char *iface, int opts)
+pfctl_id_kill_states(int dev, int opts)
 {
 struct pfioc_state_kill psk;
@@ -2098,6 +2102,7 @@ main(int argc, char *argv[])
 int opts = 0;
 int optimize = PF_OPTIMIZE_BASIC;
 int level;
+ int rdomain = 0;
 char anchorname[PATH_MAX];
 int anchor_wildcard = 0;
 char *path;
@@ -2109,7 +2114,7 @@ main(int argc, char *argv[])
 usage();
 while ((ch = getopt(argc, argv,
- "a:dD:eqf:F:ghi:k:K:L:no:Pp:R:rS:s:t:T:vx:z")) != -1) {
+ "a:dD:eqf:F:ghi:k:K:L:no:Pp:R:rS:s:t:T:vV:x:z")) != -1) {
 switch (ch) {
 case 'a':
 anchoropt = optarg;
@@ -2215,6 +2220,13 @@ main(int argc, char *argv[])
 opts |= PF_OPT_VERBOSE2;
 opts |= PF_OPT_VERBOSE;
 break;
+ case 'V':
+ rdomain = strtonum(optarg, 0, RT_TABLEID_MAX, &errstr);
+ if (errstr) {
+ warnx("Invalid rdomain: %s", errstr);
+ usage();
+ }
+ break;
 case 'x':
 debugopt = pfctl_lookup_option(optarg, debugopt_list);
 if (debugopt == NULL) {
@@ -2403,11 +2415,11 @@ main(int argc, char *argv[])
 }
 if (state_killers) {
 if (!strcmp(state_kill[0], "label"))
- pfctl_label_kill_states(dev, ifaceopt, opts);
+ pfctl_label_kill_states(dev, ifaceopt, opts, rdomain);
 else if (!strcmp(state_kill[0], "id"))
- pfctl_id_kill_states(dev, ifaceopt, opts);
+ pfctl_id_kill_states(dev, opts);
 else
- pfctl_net_kill_states(dev, ifaceopt, opts);
+ pfctl_net_kill_states(dev, ifaceopt, opts, rdomain);
 }
 if (src_node_killers)