Lines Matching defs:pf
318 errx(1, "pf already enabled");
325 fprintf(stderr, "pf enabled\n");
341 errx(1, "pf not enabled");
346 fprintf(stderr, "pf disabled\n");
362 fprintf(stderr, "pf: statistics cleared\n");
408 pfctl_adjust_skip_ifaces(struct pfctl *pf)
417 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
427 pfctl_set_interface_flags(pf,
438 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
456 fprintf(stderr, "pf: interface flags reset\n");
1715 pfctl_add_pool(struct pfctl *pf, struct pfctl_pool *p, sa_family_t af, int which)
1720 pf->paddr.af = af;
1722 memcpy(&pf->paddr.addr, pa, sizeof(struct pf_pooladdr));
1723 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1724 if ((ret = pfctl_add_addr(pf->h, &pf->paddr, which)) != 0)
1732 pfctl_append_rule(struct pfctl *pf, struct pfctl_rule *r,
1744 rs = &pf->anchor->ruleset;
1784 pfctl_append_eth_rule(struct pfctl *pf, struct pfctl_eth_rule *r,
1791 rs = &pf->eanchor->ruleset;
1825 pfctl_eth_ruleset_trans(struct pfctl *pf, char *path,
1828 int osize = pf->trans->pfrb_size;
1830 if ((pf->loadopt & PFCTL_FLAG_ETH) != 0) {
1831 if (pfctl_add_trans(pf->trans, PF_RULESET_ETH, path))
1834 if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize))
1841 pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pfctl_anchor *a, bool do_eth)
1843 int osize = pf->trans->pfrb_size;
1845 if ((pf->loadopt & PFCTL_FLAG_ETH) != 0 && do_eth) {
1846 if (pfctl_add_trans(pf->trans, PF_RULESET_ETH, path))
1849 if ((pf->loadopt & PFCTL_FLAG_NAT) != 0) {
1850 if (pfctl_add_trans(pf->trans, PF_RULESET_NAT, path) ||
1851 pfctl_add_trans(pf->trans, PF_RULESET_BINAT, path) ||
1852 pfctl_add_trans(pf->trans, PF_RULESET_RDR, path))
1855 if (a == pf->astack[0] && ((altqsupport &&
1856 (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
1857 if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path))
1860 if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) {
1861 if (pfctl_add_trans(pf->trans, PF_RULESET_SCRUB, path) ||
1862 pfctl_add_trans(pf->trans, PF_RULESET_FILTER, path))
1865 if (pf->loadopt & PFCTL_FLAG_TABLE)
1866 if (pfctl_add_trans(pf->trans, PF_RULESET_TABLE, path))
1868 if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize))
1875 pfctl_load_eth_ruleset(struct pfctl *pf, char *path,
1882 pf->eanchor = rs->anchor;
1884 snprintf(&path[len], MAXPATHLEN - len, "/%s", pf->eanchor->name);
1886 snprintf(&path[len], MAXPATHLEN - len, "%s", pf->eanchor->name);
1891 if (pf->opts & PF_OPT_VERBOSE)
1893 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
1894 (error = pfctl_eth_ruleset_trans(pf,
1900 } else if (pf->opts & PF_OPT_VERBOSE)
1907 error = pfctl_load_eth_rule(pf, path, r, depth);
1912 if ((error = pfctl_load_eth_ruleset(pf, path,
1915 } else if (pf->opts & PF_OPT_VERBOSE)
1919 if (brace && pf->opts & PF_OPT_VERBOSE) {
1920 INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE));
1932 pfctl_load_eth_rule(struct pfctl *pf, char *path, struct pfctl_eth_rule *r,
1957 if ((pf->opts & PF_OPT_NOACTION) == 0)
1958 if ((ret = pfctl_add_eth_rule(pf->dev, r, anchor, name,
1959 pf->eth_ticket)) != 0)
1962 if (pf->opts & PF_OPT_VERBOSE) {
1963 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
1965 pf->opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG));
1974 pfctl_load_ruleset(struct pfctl *pf, char *path, struct pfctl_ruleset *rs,
1981 pf->anchor = rs->anchor;
1984 snprintf(&path[len], MAXPATHLEN - len, "/%s", pf->anchor->name);
1986 snprintf(&path[len], MAXPATHLEN - len, "%s", pf->anchor->name);
1991 if (pf->opts & PF_OPT_VERBOSE)
1993 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
1994 (error = pfctl_ruleset_trans(pf,
2000 } else if (pf->opts & PF_OPT_VERBOSE)
2005 if (pf->optimize && rs_num == PF_RULESET_FILTER)
2006 pfctl_optimize_ruleset(pf, rs);
2016 if ((error = pfctl_load_rule(pf, path, r, depth)))
2019 if ((error = pfctl_load_ruleset(pf, path,
2022 } else if (pf->opts & PF_OPT_VERBOSE)
2026 if (brace && pf->opts & PF_OPT_VERBOSE) {
2027 INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE));
2040 pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
2051 if ((pf->opts & PF_OPT_NOACTION) == 0)
2052 ticket = pfctl_get_ticket(pf->trans, rs_num, path);
2071 if ((pf->opts & PF_OPT_NOACTION) == 0) {
2072 if ((pf->opts & PF_OPT_NOACTION) == 0) {
2073 if ((error = pfctl_begin_addrs(pf->h,
2074 &pf->paddr.ticket)) != 0)
2078 if (pfctl_add_pool(pf, &r->rdr, r->af, PF_RDR))
2080 if (pfctl_add_pool(pf, &r->nat, r->naf ? r->naf : r->af, PF_NAT))
2082 if (pfctl_add_pool(pf, &r->route, r->af, PF_RT))
2084 error = pfctl_add_rule_h(pf->h, r, anchor, name, ticket,
2085 pf->paddr.ticket);
2099 if (pf->opts & PF_OPT_VERBOSE) {
2100 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
2102 pf->opts & PF_OPT_VERBOSE2,
2103 pf->opts & PF_OPT_NUMERIC);
2114 pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
2118 memcpy(&pf->paltq->altq, a, sizeof(struct pf_altq));
2119 if ((pf->opts & PF_OPT_NOACTION) == 0) {
2120 if (ioctl(pf->dev, DIOCADDALTQ, pf->paltq)) {
2130 pfaltq_store(&pf->paltq->altq);
2144 struct pfctl pf;
2172 memset(&pf, 0, sizeof(pf));
2179 pf.dev = dev;
2180 pf.h = pfh;
2181 pf.opts = opts;
2182 pf.optimize = optimize;
2183 pf.loadopt = loadopt;
2186 if ((pf.anchor = calloc(1, sizeof(*pf.anchor))) == NULL)
2188 rs = &pf.anchor->ruleset;
2190 rs->anchor = pf.anchor;
2191 if (strlcpy(pf.anchor->path, anchorname,
2192 sizeof(pf.anchor->path)) >= sizeof(pf.anchor->path))
2194 if (strlcpy(pf.anchor->name, anchorname,
2195 sizeof(pf.anchor->name)) >= sizeof(pf.anchor->name))
2199 pf.astack[0] = pf.anchor;
2200 pf.asd = 0;
2202 pf.loadopt &= ~PFCTL_FLAG_ALTQ;
2203 pf.paltq = &pa;
2204 pf.trans = t;
2205 pfctl_init_options(&pf);
2208 if ((pf.eanchor = calloc(1, sizeof(*pf.eanchor))) == NULL)
2211 if (strlcpy(pf.eanchor->path, anchorname,
2212 sizeof(pf.eanchor->path)) >= sizeof(pf.eanchor->path))
2214 if (strlcpy(pf.eanchor->name, anchorname,
2215 sizeof(pf.eanchor->name)) >= sizeof(pf.eanchor->name))
2218 ethrs = &pf.eanchor->ruleset;
2220 ethrs->anchor = pf.eanchor;
2221 pf.eastack[0] = pf.eanchor;
2229 if (pfctl_ruleset_trans(&pf, anchorname, pf.anchor, true))
2231 if (pf.loadopt & PFCTL_FLAG_ETH)
2232 pf.eth_ticket = pfctl_get_ticket(t, PF_RULESET_ETH, anchorname);
2233 if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))
2236 if (pf.loadopt & PFCTL_FLAG_TABLE)
2237 pf.astack[0]->ruleset.tticket =
2241 if (parse_config(filename, &pf) < 0) {
2244 "pf rules not loaded");
2249 pfctl_adjust_skip_ifaces(&pf);
2251 if ((pf.loadopt & PFCTL_FLAG_FILTER &&
2252 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) ||
2253 (pf.loadopt & PFCTL_FLAG_ETH &&
2254 (pfctl_load_eth_ruleset(&pf, path, ethrs, 0))) ||
2255 (pf.loadopt & PFCTL_FLAG_NAT &&
2256 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_NAT, 0) ||
2257 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_RDR, 0) ||
2258 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_BINAT, 0))) ||
2259 (pf.loadopt & PFCTL_FLAG_FILTER &&
2260 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_FILTER, 0))) {
2267 if ((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0))
2273 if (pfctl_load_anchors(dev, &pf, t) == -1)
2278 if (pfctl_load_options(&pf))
2323 pfctl_init_options(struct pfctl *pf)
2326 pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
2327 pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
2328 pf->timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
2329 pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
2330 pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
2331 pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
2332 pf->timeout[PFTM_SCTP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
2333 pf->timeout[PFTM_SCTP_OPENING] = PFTM_TCP_OPENING_VAL;
2334 pf->timeout[PFTM_SCTP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
2335 pf->timeout[PFTM_SCTP_CLOSING] = PFTM_TCP_CLOSING_VAL;
2336 pf->timeout[PFTM_SCTP_CLOSED] = PFTM_TCP_CLOSED_VAL;
2337 pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
2338 pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
2339 pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
2340 pf->timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
2341 pf->timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
2342 pf->timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
2343 pf->timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
2344 pf->timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
2345 pf->timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
2346 pf->timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
2347 pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
2348 pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
2349 pf->timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
2350 pf->timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
2352 pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
2353 pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
2354 pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
2355 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
2357 pf->debug = PF_DEBUG_URGENT;
2358 pf->reassemble = 0;
2360 pf->syncookies = false;
2361 pf->syncookieswat[0] = PF_SYNCOOKIES_LOWATPCT;
2362 pf->syncookieswat[1] = PF_SYNCOOKIES_HIWATPCT;
2366 pfctl_load_options(struct pfctl *pf)
2375 if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i])
2377 if (pfctl_load_limit(pf, i, pf->limit[i]))
2385 if (pf->limit_set[PF_LIMIT_STATES] &&
2386 !pf->timeout_set[PFTM_ADAPTIVE_START] &&
2387 !pf->timeout_set[PFTM_ADAPTIVE_END]) {
2388 pf->timeout[PFTM_ADAPTIVE_START] =
2389 (pf->limit[PF_LIMIT_STATES] / 10) * 6;
2390 pf->timeout_set[PFTM_ADAPTIVE_START] = 1;
2391 pf->timeout[PFTM_ADAPTIVE_END] =
2392 (pf->limit[PF_LIMIT_STATES] / 10) * 12;
2393 pf->timeout_set[PFTM_ADAPTIVE_END] = 1;
2398 if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i])
2400 if (pfctl_load_timeout(pf, i, pf->timeout[i]))
2405 if (!(pf->opts & PF_OPT_MERGE) || pf->debug_set)
2406 if (pfctl_load_debug(pf, pf->debug))
2410 if (!(pf->opts & PF_OPT_MERGE) || pf->ifname_set)
2411 if (pfctl_load_logif(pf, pf->ifname))
2415 if (!(pf->opts & PF_OPT_MERGE) || pf->hostid_set)
2416 if (pfctl_load_hostid(pf, pf->hostid))
2420 if (!(pf->opts & PF_OPT_MERGE) || pf->reass_set)
2421 if (pfctl_load_reassembly(pf, pf->reassemble))
2425 if (pfctl_set_keepcounters(pf->dev, pf->keep_counters))
2429 if (pfctl_load_syncookies(pf, pf->syncookies))
2436 pfctl_apply_limit(struct pfctl *pf, const char *opt, unsigned int limit)
2443 pf->limit[pf_limits[i].index] = limit;
2444 pf->limit_set[pf_limits[i].index] = 1;
2453 if (pf->opts & PF_OPT_VERBOSE)
2460 pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
2462 if (pfctl_set_limit(pf->h, index, limit)) {
2473 pfctl_apply_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
2482 pf->timeout[pf_timeouts[i].timeout] = seconds;
2483 pf->timeout_set[pf_timeouts[i].timeout] = 1;
2494 if (pf->opts & PF_OPT_VERBOSE && ! quiet)
2501 pfctl_load_timeout(struct pfctl *pf, unsigned int timeout, unsigned int seconds)
2503 if (pfctl_set_timeout(pf->h, timeout, seconds)) {
2511 pfctl_set_reassembly(struct pfctl *pf, int on, int nodf)
2516 pf->reass_set = 1;
2518 pf->reassemble = PF_REASS_ENABLED;
2520 pf->reassemble |= PF_REASS_NODF;
2522 pf->reassemble = 0;
2525 if (pf->opts & PF_OPT_VERBOSE)
2533 pfctl_set_optimization(struct pfctl *pf, const char *opt)
2552 if ((r = pfctl_apply_timeout(pf, hint[i].name,
2556 if (pf->opts & PF_OPT_VERBOSE)
2563 pfctl_set_logif(struct pfctl *pf, char *ifname)
2570 free(pf->ifname);
2571 pf->ifname = NULL;
2573 pf->ifname = strdup(ifname);
2574 if (!pf->ifname)
2577 pf->ifname_set = 1;
2579 if (pf->opts & PF_OPT_VERBOSE)
2586 pfctl_load_logif(struct pfctl *pf, char *ifname)
2596 pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
2603 pf->hostid = hostid;
2604 pf->hostid_set = 1;
2606 if (pf->opts & PF_OPT_VERBOSE)
2611 pfctl_load_hostid(struct pfctl *pf, u_int32_t hostid)
2621 pfctl_load_reassembly(struct pfctl *pf, u_int32_t reassembly)
2631 pfctl_load_syncookies(struct pfctl *pf, u_int8_t val)
2638 cookies.lowwater = pf->syncookieswat[0];
2639 cookies.highwater = pf->syncookieswat[1];
2649 pfctl_cfg_syncookies(struct pfctl *pf, uint8_t val, struct pfctl_watermarks *w)
2664 pf->syncookieswat[0] = w->lo;
2665 pf->syncookieswat[1] = w->hi;
2666 pf->syncookieswat_set = 1;
2669 if (pf->opts & PF_OPT_VERBOSE) {
2675 if (pf->syncookieswat_set)
2677 "end %u%%)\n", pf->syncookieswat[1],
2678 pf->syncookieswat[0]);
2687 pf->syncookies = val;
2692 pfctl_do_set_debug(struct pfctl *pf, char *d)
2701 pf->debug = PF_DEBUG_NONE;
2703 pf->debug = PF_DEBUG_URGENT;
2705 pf->debug = PF_DEBUG_MISC;
2707 pf->debug = PF_DEBUG_NOISY;
2713 pf->debug_set = 1;
2714 level = pf->debug;
2716 if ((pf->opts & PF_OPT_NOACTION) == 0)
2720 if (pf->opts & PF_OPT_VERBOSE)
2727 pfctl_load_debug(struct pfctl *pf, unsigned int level)
2729 if (pfctl_set_debug(pf->h, level)) {
2737 pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
2753 pfctl_set_interface_flags(pf, n->ifname, flags, how);
2759 if ((pf->opts & PF_OPT_NOACTION) == 0) {
2761 if (ioctl(pf->dev, DIOCCLRIFFLAG, &pi))
2764 if (ioctl(pf->dev, DIOCSETIFFLAG, &pi))