path: root/contrib/pf/pfctl/pfctl_table.c
authormlaier <mlaier@FreeBSD.org>2007-07-03 12:30:03 +0000
committermlaier <mlaier@FreeBSD.org>2007-07-03 12:30:03 +0000
commitedb0b6417988e1d0a2c39481b4ca6c7c2005ed9e (patch)
treec0024fcd4a5dafb6f9b2cf493310b65dbd5df8e6 /contrib/pf/pfctl/pfctl_table.c
parentd1f1f8d084d2091974a8e980ff26076ab5252319 (diff)
Commit resolved import of OpenBSD 4.1 pf userland from perforce.
Approved by: re (kensmith)
Diffstat (limited to 'contrib/pf/pfctl/pfctl_table.c')
-rw-r--r--contrib/pf/pfctl/pfctl_table.c93
1 files changed, 53 insertions, 40 deletions
diff --git a/contrib/pf/pfctl/pfctl_table.c b/contrib/pf/pfctl/pfctl_table.c
index ecdd7e2..3d54466 100644
--- a/contrib/pf/pfctl/pfctl_table.c
+++ b/contrib/pf/pfctl/pfctl_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfctl_table.c,v 1.62 2004/12/22 17:17:55 dhartmei Exp $ */
+/* $OpenBSD: pfctl_table.c,v 1.66 2007/03/01 17:20:54 deraadt Exp $ */
/*
* Copyright (c) 2002 Cedric Berger
@@ -64,8 +64,7 @@ static void print_addrx(struct pfr_addr *, struct pfr_addr *, int);
static void print_astats(struct pfr_astats *, int);
static void radix_perror(void);
static void xprintf(int, const char *, ...);
-static void print_iface(struct pfi_if *, int);
-static void oprintf(int, int, const char *, int *, int);
+static void print_iface(struct pfi_kif *, int);
static const char *stats_text[PFR_DIR_MAX][PFR_OP_TABLE_MAX] = {
{ "In/Block:", "In/Pass:", "In/XPass:" },
@@ -178,7 +177,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
break;
}
- if (opts & PF_OPT_SHOWALL && b.pfrb_size > 0)
+ if ((opts & PF_OPT_SHOWALL) && b.pfrb_size > 0)
pfctl_print_title("TABLES:");
PFRB_FOREACH(p, &b)
@@ -257,6 +256,42 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
if ((opts & PF_OPT_VERBOSE2) || a->pfra_fback)
print_addrx(a, NULL,
opts & PF_OPT_USEDNS);
+ } else if (!strcmp(command, "expire")) {
+ const char *errstr;
+ u_int lifetime;
+
+ b.pfrb_type = PFRB_ASTATS;
+ b2.pfrb_type = PFRB_ADDRS;
+ if (argc != 1 || file != NULL)
+ usage();
+ lifetime = strtonum(*argv, 0, UINT_MAX, &errstr);
+ if (errstr)
+ errx(1, "expiry time: %s", errstr);
+ for (;;) {
+ pfr_buf_grow(&b, b.pfrb_size);
+ b.pfrb_size = b.pfrb_msize;
+ RVTEST(pfr_get_astats(&table, b.pfrb_caddr,
+ &b.pfrb_size, flags));
+ if (b.pfrb_size <= b.pfrb_msize)
+ break;
+ }
+ PFRB_FOREACH(p, &b)
+ if (time(NULL) - ((struct pfr_astats *)p)->pfras_tzero >
+ lifetime)
+ if (pfr_buf_add(&b2,
+ &((struct pfr_astats *)p)->pfras_a))
+ err(1, "duplicate buffer");
+
+ if (opts & PF_OPT_VERBOSE)
+ flags |= PFR_FLAG_FEEDBACK;
+ RVTEST(pfr_del_addrs(&table, b2.pfrb_caddr, b2.pfrb_size,
+ &ndel, flags));
+ xprintf(opts, "%d/%d addresses expired", ndel, b2.pfrb_size);
+ if (opts & PF_OPT_VERBOSE)
+ PFRB_FOREACH(a, &b2)
+ if ((opts & PF_OPT_VERBOSE2) || a->pfra_fback)
+ print_addrx(a, NULL,
+ opts & PF_OPT_USEDNS);
} else if (!strcmp(command, "show")) {
b.pfrb_type = (opts & PF_OPT_VERBOSE) ?
PFRB_ASTATS : PFRB_ADDRS;
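Review bot: The age test `time(NULL) - ((struct pfr_astats *)p)->pfras_tzero > lifetime` in the new "expire" branch compares a signed time difference against the `u_int lifetime`. Where that difference is no wider than `u_int` (a 32-bit `time_t`/`long`; the types are not visible in this hunk), a negative age, for example after the clock is stepped back, converts to a very large unsigned value, so every such address is handed to `pfr_del_addrs()`. That matters when the table is used as a blocklist. Reading the clock once before the `PFRB_FOREACH` and guarding the sign avoids this: `time_t now = time(NULL);` then `if (now > tzero && (unsigned long long)(now - tzero) > lifetime)`, where `tzero` stands for the entry's `pfras_tzero`. pfctl_table() begins and ends outside this hunk.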
@@ -294,7 +329,7 @@ pfctl_table(int argc, char *argv[], char *tname, const char *command,
RVTEST(pfr_tst_addrs(&table, b.pfrb_caddr, b.pfrb_size,
&nmatch, flags));
xprintf(opts, "%d/%d addresses match", nmatch, b.pfrb_size);
- if (opts & PF_OPT_VERBOSE && !(opts & PF_OPT_VERBOSE2))
+ if ((opts & PF_OPT_VERBOSE) && !(opts & PF_OPT_VERBOSE2))
PFRB_FOREACH(a, &b)
if (a->pfra_fback == PFR_FB_MATCH)
print_addrx(a, NULL,
@@ -542,17 +577,15 @@ int
pfctl_show_ifaces(const char *filter, int opts)
{
struct pfr_buffer b;
- struct pfi_if *p;
- int i = 0, f = PFI_FLAG_GROUP|PFI_FLAG_INSTANCE;
+ struct pfi_kif *p;
+ int i = 0;
- if (filter != NULL && *filter && !isdigit(filter[strlen(filter)-1]))
- f &= ~PFI_FLAG_INSTANCE;
bzero(&b, sizeof(b));
b.pfrb_type = PFRB_IFACES;
for (;;) {
pfr_buf_grow(&b, b.pfrb_size);
b.pfrb_size = b.pfrb_msize;
- if (pfi_get_ifaces(filter, b.pfrb_caddr, &b.pfrb_size, f)) {
+ if (pfi_get_ifaces(filter, b.pfrb_caddr, &b.pfrb_size)) {
radix_perror();
return (1);
}
@@ -568,50 +601,30 @@ pfctl_show_ifaces(const char *filter, int opts)
}
void
-print_iface(struct pfi_if *p, int opts)
+print_iface(struct pfi_kif *p, int opts)
{
- time_t tzero = p->pfif_tzero;
- int flags = (opts & PF_OPT_VERBOSE) ? p->pfif_flags : 0;
- int first = 1;
+ time_t tzero = p->pfik_tzero;
int i, af, dir, act;
- printf("%s", p->pfif_name);
- oprintf(flags, PFI_IFLAG_INSTANCE, "instance", &first, 0);
- oprintf(flags, PFI_IFLAG_GROUP, "group", &first, 0);
- oprintf(flags, PFI_IFLAG_CLONABLE, "clonable", &first, 0);
- oprintf(flags, PFI_IFLAG_DYNAMIC, "dynamic", &first, 0);
- oprintf(flags, PFI_IFLAG_ATTACHED, "attached", &first, 0);
- oprintf(flags, PFI_IFLAG_SKIP, "skipped", &first, 1);
-#ifdef __FreeBSD__
- first = 1;
- oprintf(flags, PFI_IFLAG_PLACEHOLDER, "placeholder", &first, 1);
-#endif
+ printf("%s", p->pfik_name);
+ if (opts & PF_OPT_VERBOSE) {
+ if (p->pfik_flags & PFI_IFLAG_SKIP)
+ printf(" (skip)");
+ }
printf("\n");
if (!(opts & PF_OPT_VERBOSE2))
return;
printf("\tCleared: %s", ctime(&tzero));
printf("\tReferences: [ States: %-18d Rules: %-18d ]\n",
- p->pfif_states, p->pfif_rules);
+ p->pfik_states, p->pfik_rules);
for (i = 0; i < 8; i++) {
af = (i>>2) & 1;
dir = (i>>1) &1;
act = i & 1;
printf("\t%-12s [ Packets: %-18llu Bytes: %-18llu ]\n",
istats_text[af][dir][act],
- (unsigned long long)p->pfif_packets[af][dir][act],
- (unsigned long long)p->pfif_bytes[af][dir][act]);
+ (unsigned long long)p->pfik_packets[af][dir][act],
+ (unsigned long long)p->pfik_bytes[af][dir][act]);
}
}
-
-void
-oprintf(int flags, int flag, const char *s, int *first, int last)
-{
- if (flags & flag) {
- printf(*first ? "\t(%s" : ", %s", s);
- *first = 0;
- }
- if (last && !*first)
- printf(")");
-}
-
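Review bot: The two nested `if`s added in print_iface() can be one condition, written in the parenthesised form this commit uses elsewhere: `if ((opts & PF_OPT_VERBOSE) && (p->pfik_flags & PFI_IFLAG_SKIP))`. The verbose output also changes from a tab-prefixed flag list ending in "skipped" to a single " (skip)" suffix, and the other flags are no longer printed. A short comment above the `printf(" (skip)")` saying that only the skip flag is reported would help anyone who parses this output to audit which interfaces carry that flag.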