author | Kristof Provost <kp@FreeBSD.org> | 2021-04-15 14:12:11 +0000 |
---|---|---|
committer | Kristof Provost <kp@FreeBSD.org> | 2021-04-19 12:31:47 +0000 |
commit | 42ec75f83aa321fcea8d2eddc4e9099724f0669e (patch) | |
tree | cb2ed4204eef02f1724d5b6a98e7c95bf5b25160 /sbin/pfctl | |
parent | 8bb0f1b87b80fd0a9c9dc388851cb609298d36ef (diff) | |
pf: Optionally attempt to preserve rule counter values across ruleset updates
Usually rule counters are reset to zero on every update of the ruleset.
With keepcounters set pf will attempt to find matching rules between old
and new rulesets and preserve the rule counters.
MFC after: 4 weeks
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D29780
Diffstat (limited to 'sbin/pfctl')
-rw-r--r-- | sbin/pfctl/parse.y | 6 | ||||
-rw-r--r-- | sbin/pfctl/pfctl.c | 4 | ||||
-rw-r--r-- | sbin/pfctl/pfctl_parser.h | 1 |
3 files changed, 10 insertions, 1 deletions
diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index 9eac41fbf66f..e0314241eec3 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -461,7 +461,7 @@ int parseport(char *, struct range *r, int);
 %token REASSEMBLE FRAGDROP FRAGCROP ANCHOR NATANCHOR RDRANCHOR BINATANCHOR
 %token SET OPTIMIZATION TIMEOUT LIMIT LOGINTERFACE BLOCKPOLICY FAILPOLICY
 %token RANDOMID REQUIREORDER SYNPROXY FINGERPRINTS NOSYNC DEBUG SKIP HOSTID
-%token ANTISPOOF FOR INCLUDE
+%token ANTISPOOF FOR INCLUDE KEEPCOUNTERS
 %token BITMASK RANDOM SOURCEHASH ROUNDROBIN STATICPORT PROBABILITY MAPEPORTSET
 %token ALTQ CBQ CODEL PRIQ HFSC FAIRQ BANDWIDTH TBRSIZE LINKSHARE REALTIME
 %token UPPERLIMIT QUEUE PRIORITY QLIMIT HOGS BUCKETS RTABLE TARGET INTERVAL
@@ -719,6 +719,9 @@ option : SET OPTIMIZATION STRING {
 }
 keep_state_defaults = $3;
 }
+ | SET KEEPCOUNTERS {
+ pf->keep_counters = true;
+ }
 ;
 stringall : STRING { $$ = $1; }
@@ -5593,6 +5596,7 @@ lookup(char *s)
 { "inet6", INET6},
 { "interval", INTERVAL},
 { "keep", KEEP},
+ { "keepcounters", KEEPCOUNTERS},
 { "label", LABEL},
 { "limit", LIMIT},
 { "linkshare", LINKSHARE},
diff --git a/sbin/pfctl/pfctl.c b/sbin/pfctl/pfctl.c
index 9f6b3d2e36ea..82af047e7571 100644
--- a/sbin/pfctl/pfctl.c
+++ b/sbin/pfctl/pfctl.c
@@ -1745,6 +1745,10 @@ pfctl_load_options(struct pfctl *pf)
 if (pfctl_load_hostid(pf, pf->hostid))
 error = 1;
+ /* load keepcounters */
+ if (pfctl_set_keepcounters(pf->dev, pf->keep_counters))
+ error = 1;
+
+
 return (error);
 }
diff --git a/sbin/pfctl/pfctl_parser.h b/sbin/pfctl/pfctl_parser.h
index 43d8488dcab8..0c66d5dda97a 100644
--- a/sbin/pfctl/pfctl_parser.h
+++ b/sbin/pfctl/pfctl_parser.h
@@ -98,6 +98,7 @@ struct pfctl {
 u_int32_t debug;
 u_int32_t hostid;
 char *ifname;
+ bool keep_counters;
 u_int8_t timeout_set[PFTM_MAX];
 u_int8_t limit_set[PF_LIMIT_MAX];
|
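Review bot: The added call in pfctl_load_options() is unconditional, so any failure of `pfctl_set_keepcounters()` sets `error = 1` and fails the options load even when the ruleset never says `set keepcounters`, and it does so without a diagnostic. If the running kernel does not implement the request (an assumption, since the library and kernel side are not in this diff), a userland-only upgrade would make every firewall reload report an error, which is an availability risk for the packet filter. Consider emitting a warning that names the option and treating the failure as fatal only when the option was requested, e.g. `if (pfctl_set_keepcounters(pf->dev, pf->keep_counters) && pf->keep_counters) error = 1;`. The start of the function and any merge or no-action guards used by the neighbouring loaders lie outside the hunk, so confirm the new call is meant to bypass them.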
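Review bot: `bool keep_counters;` is the only `bool` member among the fields of struct pfctl visible in the pfctl_parser.h hunk (its neighbours are `u_int32_t` and `u_int8_t`), so the header now needs `bool` to be declared before it is included. The include list is outside the hunk; if it does not already pull in `<stdbool.h>`, add it in this header rather than relying on every includer. A short comment such as `/* preserve rule counters across ruleset loads */` would also document what the flag controls.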