
Lines Matching refs:pf

108 char		*pf_device = "/dev/pf";
246 errx(1, "pf already enabled");
251 fprintf(stderr, "pf enabled\n");
265 errx(1, "pf not enabled");
270 fprintf(stderr, "pf disabled\n");
285 fprintf(stderr, "pf: statistics cleared\n");
301 fprintf(stderr, "pf: interface flags reset\n");
1110 pfctl_add_pool(struct pfctl *pf, struct pf_pool *p, sa_family_t af)
1114 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1115 if (ioctl(pf->dev, DIOCBEGINADDRS, &pf->paddr))
1119 pf->paddr.af = af;
1121 memcpy(&pf->paddr.addr, pa, sizeof(struct pf_pooladdr));
1122 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1123 if (ioctl(pf->dev, DIOCADDADDR, &pf->paddr))
1131 pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
1142 rs = &pf->anchor->ruleset;
1178 pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a)
1180 int osize = pf->trans->pfrb_size;
1182 if ((pf->loadopt & PFCTL_FLAG_NAT) != 0) {
1183 if (pfctl_add_trans(pf->trans, PF_RULESET_NAT, path) ||
1184 pfctl_add_trans(pf->trans, PF_RULESET_BINAT, path) ||
1185 pfctl_add_trans(pf->trans, PF_RULESET_RDR, path))
1188 if (a == pf->astack[0] && ((altqsupport &&
1189 (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
1190 if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path))
1193 if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) {
1194 if (pfctl_add_trans(pf->trans, PF_RULESET_SCRUB, path) ||
1195 pfctl_add_trans(pf->trans, PF_RULESET_FILTER, path))
1198 if (pf->loadopt & PFCTL_FLAG_TABLE)
1199 if (pfctl_add_trans(pf->trans, PF_RULESET_TABLE, path))
1201 if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize))
1208 pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
1215 pf->anchor = rs->anchor;
1218 snprintf(&path[len], MAXPATHLEN - len, "/%s", pf->anchor->name);
1220 snprintf(&path[len], MAXPATHLEN - len, "%s", pf->anchor->name);
1225 if (pf->opts & PF_OPT_VERBOSE)
1227 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
1228 (error = pfctl_ruleset_trans(pf,
1234 } else if (pf->opts & PF_OPT_VERBOSE)
1239 if (pf->optimize && rs_num == PF_RULESET_FILTER)
1240 pfctl_optimize_ruleset(pf, rs);
1244 if ((error = pfctl_load_rule(pf, path, r, depth)))
1247 if ((error = pfctl_load_ruleset(pf, path,
1250 } else if (pf->opts & PF_OPT_VERBOSE)
1254 if (brace && pf->opts & PF_OPT_VERBOSE) {
1255 INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE));
1268 pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth)
1277 if ((pf->opts & PF_OPT_NOACTION) == 0)
1278 pr.ticket = pfctl_get_ticket(pf->trans, rs_num, path);
1296 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1297 if (pfctl_add_pool(pf, &r->rpool, r->af))
1299 pr.pool_ticket = pf->paddr.ticket;
1304 if (ioctl(pf->dev, DIOCADDRULE, &pr))
1308 if (pf->opts & PF_OPT_VERBOSE) {
1309 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
1311 pf->opts & PF_OPT_VERBOSE2);
1319 pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
1323 memcpy(&pf->paltq->altq, a, sizeof(struct pf_altq));
1324 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1325 if (ioctl(pf->dev, DIOCADDALTQ, pf->paltq)) {
1335 pfaltq_store(&pf->paltq->altq);
1349 struct pfctl pf;
1370 memset(&pf, 0, sizeof(pf));
1378 pf.dev = dev;
1379 pf.opts = opts;
1380 pf.optimize = optimize;
1381 pf.loadopt = loadopt;
1384 if ((pf.anchor = calloc(1, sizeof(*pf.anchor))) == NULL)
1386 rs = &pf.anchor->ruleset;
1388 rs->anchor = pf.anchor;
1389 if (strlcpy(pf.anchor->path, anchorname,
1390 sizeof(pf.anchor->path)) >= sizeof(pf.anchor->path))
1392 if (strlcpy(pf.anchor->name, anchorname,
1393 sizeof(pf.anchor->name)) >= sizeof(pf.anchor->name))
1397 pf.astack[0] = pf.anchor;
1398 pf.asd = 0;
1400 pf.loadopt &= ~PFCTL_FLAG_ALTQ;
1401 pf.paltq = &pa;
1402 pf.trans = t;
1403 pfctl_init_options(&pf);
1411 if (pfctl_ruleset_trans(&pf, anchorname, pf.anchor))
1413 if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))
1416 if (pf.loadopt & PFCTL_FLAG_TABLE)
1417 pf.astack[0]->ruleset.tticket =
1421 if (parse_rules(fin, &pf) < 0) {
1424 "pf rules not loaded");
1429 if ((pf.loadopt & PFCTL_FLAG_FILTER &&
1430 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) ||
1431 (pf.loadopt & PFCTL_FLAG_NAT &&
1432 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_NAT, 0) ||
1433 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_RDR, 0) ||
1434 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_BINAT, 0))) ||
1435 (pf.loadopt & PFCTL_FLAG_FILTER &&
1436 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_FILTER, 0))) {
1443 if ((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0))
1454 if (pfctl_load_anchors(dev, &pf, t) == -1)
1459 if (pfctl_load_options(&pf))
1504 pfctl_init_options(struct pfctl *pf)
1509 pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
1510 pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
1511 pf->timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
1512 pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
1513 pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
1514 pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
1515 pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
1516 pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
1517 pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
1518 pf->timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
1519 pf->timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
1520 pf->timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
1521 pf->timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
1522 pf->timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
1523 pf->timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
1524 pf->timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
1525 pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
1526 pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
1527 pf->timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
1528 pf->timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
1530 pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
1531 pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
1532 pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
1533 pf->limit[PF_LIMIT_TABLES] = PFR_KTABLE_HIWAT;
1534 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
1541 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT_SMALL;
1543 pf->debug = PF_DEBUG_URGENT;
1547 pfctl_load_options(struct pfctl *pf)
1556 if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i])
1558 if (pfctl_load_limit(pf, i, pf->limit[i]))
1566 if (pf->limit_set[PF_LIMIT_STATES] &&
1567 !pf->timeout_set[PFTM_ADAPTIVE_START] &&
1568 !pf->timeout_set[PFTM_ADAPTIVE_END]) {
1569 pf->timeout[PFTM_ADAPTIVE_START] =
1570 (pf->limit[PF_LIMIT_STATES] / 10) * 6;
1571 pf->timeout_set[PFTM_ADAPTIVE_START] = 1;
1572 pf->timeout[PFTM_ADAPTIVE_END] =
1573 (pf->limit[PF_LIMIT_STATES] / 10) * 12;
1574 pf->timeout_set[PFTM_ADAPTIVE_END] = 1;
1579 if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i])
1581 if (pfctl_load_timeout(pf, i, pf->timeout[i]))
1586 if (!(pf->opts & PF_OPT_MERGE) || pf->debug_set)
1587 if (pfctl_load_debug(pf, pf->debug))
1591 if (!(pf->opts & PF_OPT_MERGE) || pf->ifname_set)
1592 if (pfctl_load_logif(pf, pf->ifname))
1596 if (!(pf->opts & PF_OPT_MERGE) || pf->hostid_set)
1597 if (pfctl_load_hostid(pf, pf->hostid))
1604 pfctl_set_limit(struct pfctl *pf, const char *opt, unsigned int limit)
1611 pf->limit[pf_limits[i].index] = limit;
1612 pf->limit_set[pf_limits[i].index] = 1;
1621 if (pf->opts & PF_OPT_VERBOSE)
1628 pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
1635 if (ioctl(pf->dev, DIOCSETLIMIT, &pl)) {
1646 pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
1655 pf->timeout[pf_timeouts[i].timeout] = seconds;
1656 pf->timeout_set[pf_timeouts[i].timeout] = 1;
1667 if (pf->opts & PF_OPT_VERBOSE && ! quiet)
1674 pfctl_load_timeout(struct pfctl *pf, unsigned int timeout, unsigned int seconds)
1681 if (ioctl(pf->dev, DIOCSETTIMEOUT, &pt)) {
1689 pfctl_set_optimization(struct pfctl *pf, const char *opt)
1708 if ((r = pfctl_set_timeout(pf, hint[i].name,
1712 if (pf->opts & PF_OPT_VERBOSE)
1719 pfctl_set_logif(struct pfctl *pf, char *ifname)
1726 free(pf->ifname);
1727 pf->ifname = NULL;
1729 pf->ifname = strdup(ifname);
1730 if (!pf->ifname)
1733 pf->ifname_set = 1;
1735 if (pf->opts & PF_OPT_VERBOSE)
1742 pfctl_load_logif(struct pfctl *pf, char *ifname)
1752 if (ioctl(pf->dev, DIOCSETSTATUSIF, &pi)) {
1760 pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
1767 pf->hostid = hostid;
1768 pf->hostid_set = 1;
1770 if (pf->opts & PF_OPT_VERBOSE)
1777 pfctl_load_hostid(struct pfctl *pf, u_int32_t hostid)
1787 pfctl_set_debug(struct pfctl *pf, char *d)
1795 pf->debug = PF_DEBUG_NONE;
1797 pf->debug = PF_DEBUG_URGENT;
1799 pf->debug = PF_DEBUG_MISC;
1801 pf->debug = PF_DEBUG_NOISY;
1807 pf->debug_set = 1;
1809 if ((pf->opts & PF_OPT_NOACTION) == 0)
1813 if (pf->opts & PF_OPT_VERBOSE)
1820 pfctl_load_debug(struct pfctl *pf, unsigned int level)
1822 if (ioctl(pf->dev, DIOCSETDEBUG, &level)) {
1830 pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
1845 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1847 if (ioctl(pf->dev, DIOCCLRIFFLAG, &pi))
1850 if (ioctl(pf->dev, DIOCSETIFFLAG, &pi))