diff options
| author | Kristof Provost <kp@FreeBSD.org> | 2022-01-17 16:38:28 +0000 |
|---|---|---|
| committer | Kristof Provost <kp@FreeBSD.org> | 2022-03-02 16:00:07 +0000 |
| commit | 6ea1c3cfc89905b0f703b5d549b481fa0718a1a7 (patch) | |
| tree | cfd8f202cf56f74b9dba4af0e42c64511f527af6 | |
| parent | 93b64cdc59d66fa7cd5d7e2ba2de0a67bd717840 (diff) | |
| download | src-6ea1c3cfc89905b0f703b5d549b481fa0718a1a7.tar.gz src-6ea1c3cfc89905b0f703b5d549b481fa0718a1a7.zip | |
pfctl: support flushing ethernet rules
Sponsored by: Rubicon Communications, LLC ("Netgate")
| -rw-r--r-- | sbin/pfctl/pfctl.8 | 2 | ||||
| -rw-r--r-- | sbin/pfctl/pfctl.c | 24 |
2 files changed, 25 insertions, 1 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index f61feef8bc16..95d098f6d585 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -212,6 +212,8 @@ Flush the filter parameters specified by Flush the NAT rules. .It Fl F Cm queue Flush the queue rules. +.It Fl F Cm ethernet +Flush the Ethernet filter rules. .It Fl F Cm rules Flush the filter rules. .It Fl F Cm states diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c index bec37b0bf85f..89b546a1b9e2 100644 --- a/sbin/pfctl/pfctl.c +++ b/sbin/pfctl/pfctl.c @@ -75,6 +75,7 @@ int pfctl_get_skip_ifaces(void); int pfctl_check_skip_ifaces(char *); int pfctl_adjust_skip_ifaces(struct pfctl *); int pfctl_clear_interface_flags(int, int); +int pfctl_clear_eth_rules(int, int, char *); int pfctl_clear_rules(int, int, char *); int pfctl_clear_nat(int, int, char *); int pfctl_clear_altq(int, int); @@ -227,7 +228,8 @@ static const struct { static const char * const clearopt_list[] = { "nat", "queue", "rules", "Sources", - "states", "info", "Tables", "osfp", "all", NULL + "states", "info", "Tables", "osfp", "all", + "ethernet", NULL }; static const char * const showopt_list[] = { @@ -458,6 +460,22 @@ pfctl_clear_interface_flags(int dev, int opts) } int +pfctl_clear_eth_rules(int dev, int opts, char *anchorname) +{ + struct pfr_buffer t; + + memset(&t, 0, sizeof(t)); + t.pfrb_type = PFRB_TRANS; + if (pfctl_add_trans(&t, PF_RULESET_ETH, anchorname) || + pfctl_trans(dev, &t, DIOCXBEGIN, 0) || + pfctl_trans(dev, &t, DIOCXCOMMIT, 0)) + err(1, "pfctl_clear_eth_rules"); + if ((opts & PF_OPT_QUIET) == 0) + fprintf(stderr, "Ethernet rules cleared\n"); + return (0); +} + +int pfctl_clear_rules(int dev, int opts, char *anchorname) { struct pfr_buffer t; @@ -2873,6 +2891,9 @@ main(int argc, char *argv[]) "be modified from the command line"); switch (*clearopt) { + case 'e': + pfctl_clear_eth_rules(dev, opts, anchorname); + break; case 'r': pfctl_clear_rules(dev, opts, anchorname); break; @@ -2892,6 +2913,7 @@ main(int argc, char *argv[]) pfctl_clear_stats(dev, opts); break; case 'a': + pfctl_clear_eth_rules(dev, opts, anchorname); pfctl_clear_rules(dev, opts, anchorname); pfctl_clear_nat(dev, opts, anchorname); pfctl_clear_tables(anchorname, opts); |