On Wed, Jan 25, 2017 at 10:45:55AM -0500, Bertrand Provost wrote:
> Hi,
> 
> On 2017-01-24 07:26 PM, Sebastian Benoit wrote:
> > but your diff does not seem to be against -current, you started from 6.0
> >
> > But even with 6.0 i get rejects, maybe you mail client messes this up.
> My patch is based on current I suppose problem came from my mail client.
> 
> > Can you please resend a good diff?
> 
> I tried another config of my mail client and attached the patch in case it
> fails again.

the attachment applies, the inline one does not. I currently can't
spot why that is.

> 
> Index: pfctl.8
> ===================================================================
> RCS file: /cvs/src/sbin/pfctl/pfctl.8,v
> retrieving revision 1.165
> diff -u -p -r1.165 pfctl.8
> --- pfctl.8   15 Jun 2015 08:48:23 -0000      1.165
> +++ pfctl.8   24 Jan 2017 21:38:56 -0000
> @@ -47,6 +47,7 @@
>  .Op Fl S Ar statefile
>  .Op Fl s Ar modifier Op Fl R Ar id
>  .Op Fl t Ar table Fl T Ar command Op Ar address ...
> +.Op Fl V Ar rdomain

this misses a description of the V flag later on, it's only mentioned
in an example of the k flag

>  .Op Fl x Ar level
>  .Ek
>  .Sh DESCRIPTION
> @@ -275,6 +276,12 @@ from rules carrying the label
>  .Dq foobar :
>  .Pp
>  .Dl # pfctl -k label -k foobar
> +.Pp
> +To kill states withing a rdomain (the rdomain of a state is displayed

within

and I believe it's an rdomain. Not a big fan of this, but I
guess we will summon jmc sooner or later :)

> +in parentheses before the host by pfctl -s states) use
> +.Fl V Ar rdomain :
> +.Pp
> +.Dl # pfctl -V rdomain -k host

this is an example, but "rdomain" is not a valid argument for -V,

.Dl # pfctl -V 23 -k 0.0.0.0

>  .Pp
>  To kill one specific state by its unique state ID
>  (as shown by pfctl -s state -vv),
> Index: pfctl.c
> ===================================================================
> RCS file: /cvs/src/sbin/pfctl/pfctl.c,v
> retrieving revision 1.334
> diff -u -p -r1.334 pfctl.c
> --- pfctl.c   14 Jan 2016 12:05:51 -0000      1.334
> +++ pfctl.c   24 Jan 2017 21:38:56 -0000
> @@ -69,9 +69,9 @@ int  pfctl_clear_src_nodes(int, int);
>  int   pfctl_clear_states(int, const char *, int);
>  void  pfctl_addrprefix(char *, struct pf_addr *);
>  int   pfctl_kill_src_nodes(int, const char *, int);
> -int   pfctl_net_kill_states(int, const char *, int);
> -int   pfctl_label_kill_states(int, const char *, int);
> -int   pfctl_id_kill_states(int, const char *, int);
> +int   pfctl_net_kill_states(int, const char *, int, int);
> +int   pfctl_label_kill_states(int, const char *, int, int);
> +int   pfctl_id_kill_states(int, int);
>  void  pfctl_init_options(struct pfctl *);
>  int   pfctl_load_options(struct pfctl *);
>  int   pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
> @@ -512,7 +512,7 @@ pfctl_kill_src_nodes(int dev, const char
>  }
> 
>  int
> -pfctl_net_kill_states(int dev, const char *iface, int opts)
> +pfctl_net_kill_states(int dev, const char *iface, int opts, int rdomain)
>  {
>       struct pfioc_state_kill psk;
>       struct addrinfo *res[2], *resp[2];
> @@ -531,6 +531,8 @@ pfctl_net_kill_states(int dev, const cha
>           sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
>               errx(1, "invalid interface: %s", iface);
> 
> +     psk.psk_rdomain = rdomain;
> +
>       pfctl_addrprefix(state_kill[0], &psk.psk_src.addr.v.a.mask);
> 
>       if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) {
> @@ -618,7 +620,7 @@ pfctl_net_kill_states(int dev, const cha
>  }
> 
>  int
> -pfctl_label_kill_states(int dev, const char *iface, int opts)
> +pfctl_label_kill_states(int dev, const char *iface, int opts, int rdomain)
>  {
>       struct pfioc_state_kill psk;
> 
> @@ -635,6 +637,8 @@ pfctl_label_kill_states(int dev, const c
>           sizeof(psk.psk_label))
>               errx(1, "label too long: %s", state_kill[1]);
> 
> +     psk.psk_rdomain = rdomain;
> +
>       if (ioctl(dev, DIOCKILLSTATES, &psk))
>               err(1, "DIOCKILLSTATES");
> 
> @@ -645,7 +649,7 @@ pfctl_label_kill_states(int dev, const c
>  }
> 
>  int
> -pfctl_id_kill_states(int dev, const char *iface, int opts)
> +pfctl_id_kill_states(int dev, int opts)
>  {
>       struct pfioc_state_kill psk;
> 
> @@ -2098,6 +2102,7 @@ main(int argc, char *argv[])
>       int      opts = 0;
>       int      optimize = PF_OPTIMIZE_BASIC;
>       int      level;
> +     int      rdomain = 0;
>       char     anchorname[PATH_MAX];
>       int      anchor_wildcard = 0;
>       char    *path;
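Review bot: The new `rdomain` defaults to 0, and that value reaches the kill ioctls unchanged whenever -V is not given, so the kernel cannot tell "no -V" from "-V 0"; whether psk_rdomain 0 then means "rdomain 0 only" or "any rdomain" depends on the pf side, which is not part of this diff. If the kernel compares exactly, every existing `-k` invocation would stop matching states outside rdomain 0, a silent change of behaviour for current users; if 0 means "any", rdomain 0 itself can no longer be selected. State the intended meaning on the declaration, e.g. `int rdomain = 0;	/* -V not given: do not restrict by rdomain */` (or pick a sentinel such as -1 if the psk field allows it), and say the same in pfctl.8. main() starts and ends outside the hunk.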
> @@ -2109,7 +2114,7 @@ main(int argc, char *argv[])
>               usage();
> 
>       while ((ch = getopt(argc, argv,
> -         "a:dD:eqf:F:ghi:k:K:L:no:Pp:R:rS:s:t:T:vx:z")) != -1) {
> +         "a:dD:eqf:F:ghi:k:K:L:no:Pp:R:rS:s:t:T:vV:x:z")) != -1) {

missing diff for usage(); while there, please mark it __dead

other than that looks good

>               switch (ch) {
>               case 'a':
>                       anchoropt = optarg;
> @@ -2215,6 +2220,13 @@ main(int argc, char *argv[])
>                               opts |= PF_OPT_VERBOSE2;
>                       opts |= PF_OPT_VERBOSE;
>                       break;
> +             case 'V':
> +                     rdomain = strtonum(optarg, 0, RT_TABLEID_MAX, &errstr);
> +                     if (errstr) {
> +                             warnx("Invalid rdomain: %s", errstr);
> +                             usage();
> +                     }
> +                     break;
>               case 'x':
>                       debugopt = pfctl_lookup_option(optarg, debugopt_list);
>                       if (debugopt == NULL) {
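Review bot: The added `warnx("Invalid rdomain: %s", errstr)` reports only strtonum's reason ("too large", "invalid") and not the argument that was rejected, and it is capitalised unlike the other diagnostics in this file (`errx(1, "invalid interface: %s", iface)`, `errx(1, "label too long: %s", state_kill[1])`). Suggest `warnx("invalid rdomain %s: %s", optarg, errstr);` so the user sees which value was refused. The getopt loop and main() continue outside the hunk.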
> @@ -2403,11 +2415,11 @@ main(int argc, char *argv[])
>       }
>       if (state_killers) {
>               if (!strcmp(state_kill[0], "label"))
> -                     pfctl_label_kill_states(dev, ifaceopt, opts);
> +                     pfctl_label_kill_states(dev, ifaceopt, opts, rdomain);
>               else if (!strcmp(state_kill[0], "id"))
> -                     pfctl_id_kill_states(dev, ifaceopt, opts);
> +                     pfctl_id_kill_states(dev, opts);
>               else
> -                     pfctl_net_kill_states(dev, ifaceopt, opts);
> +                     pfctl_net_kill_states(dev, ifaceopt, opts, rdomain);
>       }
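Review bot: `-V` is silently ignored for `-k id`: pfctl_id_kill_states() no longer takes rdomain, as the prototype hunk shows, and the call on the `id` branch passes only dev and opts, so `pfctl -V 23 -k id -k <id>` kills the state whatever rdomain was given. Since the man page describes the state ID as unique that is probably the intended outcome, but the option should not be accepted and dropped without a word; either warn in this branch, e.g. `if (rdomain) warnx("-V ignored with -k id");` before the call, or state in pfctl.8 that -V applies only to host/network and label kills. This part of main() continues outside the hunk.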
> 
>       if (src_node_killers)
> 
> 
> 
> -- 
> Bertrand Provost
> 
> 

-- 
I'm not entirely sure you are real.
