1 /* $OpenBSD: pfctl.c,v 1.278 2008/08/31 20:18:17 jmc Exp $ */
4 * SPDX-License-Identifier: BSD-2-Clause
6 * Copyright (c) 2001 Daniel Hartmeier
7 * Copyright (c) 2002,2003 Henning Brauer
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
14 * - Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * - Redistributions in binary form must reproduce the above
17 * copyright notice, this list of conditions and the following
18 * disclaimer in the documentation and/or other materials provided
19 * with the distribution.
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
29 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
31 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #define PFIOC_USE_LATEST
41 #include <sys/types.h>
42 #include <sys/ioctl.h>
43 #include <sys/socket.h>
45 #include <sys/endian.h>
48 #include <netinet/in.h>
49 #include <net/pfvar.h>
50 #include <arpa/inet.h>
51 #include <net/altq/altq.h>
52 #include <sys/sysctl.h>
65 #include "pfctl_parser.h"
69 int pfctl_enable(int, int);
70 int pfctl_disable(int, int);
71 int pfctl_clear_stats(int, int);
72 int pfctl_get_skip_ifaces(void);
73 int pfctl_check_skip_ifaces(char *);
74 int pfctl_adjust_skip_ifaces(struct pfctl *);
75 int pfctl_clear_interface_flags(int, int);
76 int pfctl_clear_rules(int, int, char *);
77 int pfctl_clear_nat(int, int, char *);
78 int pfctl_clear_altq(int, int);
79 int pfctl_clear_src_nodes(int, int);
80 int pfctl_clear_states(int, const char *, int);
81 void pfctl_addrprefix(char *, struct pf_addr *);
82 int pfctl_kill_src_nodes(int, const char *, int);
83 int pfctl_net_kill_states(int, const char *, int);
84 int pfctl_label_kill_states(int, const char *, int);
85 int pfctl_id_kill_states(int, const char *, int);
86 void pfctl_init_options(struct pfctl *);
87 int pfctl_load_options(struct pfctl *);
88 int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
89 int pfctl_load_timeout(struct pfctl *, unsigned int, unsigned int);
90 int pfctl_load_debug(struct pfctl *, unsigned int);
91 int pfctl_load_logif(struct pfctl *, char *);
92 int pfctl_load_hostid(struct pfctl *, u_int32_t);
93 int pfctl_get_pool(int, struct pf_pool *, u_int32_t, u_int32_t, int,
95 void pfctl_print_rule_counters(struct pf_rule *, int);
96 int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int);
97 int pfctl_show_nat(int, int, char *);
98 int pfctl_show_src_nodes(int, int);
99 int pfctl_show_states(int, const char *, int);
100 int pfctl_show_status(int, int);
101 int pfctl_show_running(int);
102 int pfctl_show_timeouts(int, int);
103 int pfctl_show_limits(int, int);
104 void pfctl_debug(int, u_int32_t, int);
105 int pfctl_test_altqsupport(int, int);
106 int pfctl_show_anchors(int, int, char *);
107 int pfctl_ruleset_trans(struct pfctl *, char *, struct pf_anchor *);
108 int pfctl_load_ruleset(struct pfctl *, char *,
109 struct pf_ruleset *, int, int);
110 int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int);
111 const char *pfctl_lookup_option(char *, const char * const *);
113 static struct pf_anchor_global pf_anchors;
114 static struct pf_anchor pf_main_anchor;
115 static struct pfr_buffer skip_b;
117 static const char *clearopt;
118 static char *rulesopt;
119 static const char *showopt;
120 static const char *debugopt;
121 static char *anchoropt;
122 static const char *optiopt = NULL;
123 static const char *pf_device = "/dev/pf";
124 static char *ifaceopt;
125 static char *tableopt;
126 static const char *tblcmdopt;
127 static int src_node_killers;
128 static char *src_node_kill[2];
129 static int state_killers;
130 static char *state_kill[2];
135 static int first_title = 1;
136 static int labels = 0;
138 #define INDENT(d, o) do { \
141 for (i=0; i < d; i++) \
147 static const struct {
151 { "states", PF_LIMIT_STATES },
152 { "src-nodes", PF_LIMIT_SRC_NODES },
153 { "frags", PF_LIMIT_FRAGS },
154 { "table-entries", PF_LIMIT_TABLE_ENTRIES },
162 static const struct pf_hint pf_hint_normal[] = {
163 { "tcp.first", 2 * 60 },
164 { "tcp.opening", 30 },
165 { "tcp.established", 24 * 60 * 60 },
166 { "tcp.closing", 15 * 60 },
167 { "tcp.finwait", 45 },
168 { "tcp.closed", 90 },
169 { "tcp.tsdiff", 30 },
172 static const struct pf_hint pf_hint_satellite[] = {
173 { "tcp.first", 3 * 60 },
174 { "tcp.opening", 30 + 5 },
175 { "tcp.established", 24 * 60 * 60 },
176 { "tcp.closing", 15 * 60 + 5 },
177 { "tcp.finwait", 45 + 5 },
178 { "tcp.closed", 90 + 5 },
179 { "tcp.tsdiff", 60 },
182 static const struct pf_hint pf_hint_conservative[] = {
183 { "tcp.first", 60 * 60 },
184 { "tcp.opening", 15 * 60 },
185 { "tcp.established", 5 * 24 * 60 * 60 },
186 { "tcp.closing", 60 * 60 },
187 { "tcp.finwait", 10 * 60 },
188 { "tcp.closed", 3 * 60 },
189 { "tcp.tsdiff", 60 },
192 static const struct pf_hint pf_hint_aggressive[] = {
194 { "tcp.opening", 5 },
195 { "tcp.established", 5 * 60 * 60 },
196 { "tcp.closing", 60 },
197 { "tcp.finwait", 30 },
198 { "tcp.closed", 30 },
199 { "tcp.tsdiff", 10 },
203 static const struct {
205 const struct pf_hint *hint;
207 { "normal", pf_hint_normal },
208 { "satellite", pf_hint_satellite },
209 { "high-latency", pf_hint_satellite },
210 { "conservative", pf_hint_conservative },
211 { "aggressive", pf_hint_aggressive },
215 static const char * const clearopt_list[] = {
216 "nat", "queue", "rules", "Sources",
217 "states", "info", "Tables", "osfp", "all", NULL
220 static const char * const showopt_list[] = {
221 "nat", "queue", "rules", "Anchors", "Sources", "states", "info",
222 "Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
223 "Running", "all", NULL
226 static const char * const tblcmdopt_list[] = {
227 "kill", "flush", "add", "delete", "load", "replace", "show",
228 "test", "zero", "expire", NULL
231 static const char * const debugopt_list[] = {
232 "none", "urgent", "misc", "loud", NULL
235 static const char * const optiopt_list[] = {
236 "none", "basic", "profile", NULL
242 extern char *__progname;
245 "usage: %s [-AdeghmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier]\n"
246 "\t[-f file] [-i interface] [-K host | network]\n"
247 "\t[-k host | network | label | id] [-o level] [-p device]\n"
248 "\t[-s modifier] [-t table -T command [address ...]] [-x level]\n",
255 pfctl_enable(int dev, int opts)
257 if (ioctl(dev, DIOCSTART)) {
259 errx(1, "pf already enabled");
260 else if (errno == ESRCH)
261 errx(1, "pfil registeration failed");
265 if ((opts & PF_OPT_QUIET) == 0)
266 fprintf(stderr, "pf enabled\n");
268 if (altqsupport && ioctl(dev, DIOCSTARTALTQ))
270 err(1, "DIOCSTARTALTQ");
276 pfctl_disable(int dev, int opts)
278 if (ioctl(dev, DIOCSTOP)) {
280 errx(1, "pf not enabled");
284 if ((opts & PF_OPT_QUIET) == 0)
285 fprintf(stderr, "pf disabled\n");
287 if (altqsupport && ioctl(dev, DIOCSTOPALTQ))
289 err(1, "DIOCSTOPALTQ");
295 pfctl_clear_stats(int dev, int opts)
297 if (ioctl(dev, DIOCCLRSTATUS))
298 err(1, "DIOCCLRSTATUS");
299 if ((opts & PF_OPT_QUIET) == 0)
300 fprintf(stderr, "pf: statistics cleared\n");
305 pfctl_get_skip_ifaces(void)
307 bzero(&skip_b, sizeof(skip_b));
308 skip_b.pfrb_type = PFRB_IFACES;
310 pfr_buf_grow(&skip_b, skip_b.pfrb_size);
311 skip_b.pfrb_size = skip_b.pfrb_msize;
312 if (pfi_get_ifaces(NULL, skip_b.pfrb_caddr, &skip_b.pfrb_size))
313 err(1, "pfi_get_ifaces");
314 if (skip_b.pfrb_size <= skip_b.pfrb_msize)
321 pfctl_check_skip_ifaces(char *ifname)
324 struct node_host *h = NULL, *n = NULL;
326 PFRB_FOREACH(p, &skip_b) {
327 if (!strcmp(ifname, p->pfik_name) &&
328 (p->pfik_flags & PFI_IFLAG_SKIP))
329 p->pfik_flags &= ~PFI_IFLAG_SKIP;
330 if (!strcmp(ifname, p->pfik_name) && p->pfik_group != NULL) {
331 if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
334 for (n = h; n != NULL; n = n->next) {
335 if (p->pfik_ifp == NULL)
337 if (strncmp(p->pfik_name, ifname, IFNAMSIZ))
340 p->pfik_flags &= ~PFI_IFLAG_SKIP;
348 pfctl_adjust_skip_ifaces(struct pfctl *pf)
350 struct pfi_kif *p, *pp;
351 struct node_host *h = NULL, *n = NULL;
353 PFRB_FOREACH(p, &skip_b) {
354 if (p->pfik_group == NULL || !(p->pfik_flags & PFI_IFLAG_SKIP))
357 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
358 if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
361 for (n = h; n != NULL; n = n->next)
362 PFRB_FOREACH(pp, &skip_b) {
363 if (pp->pfik_ifp == NULL)
366 if (strncmp(pp->pfik_name, n->ifname, IFNAMSIZ))
369 if (!(pp->pfik_flags & PFI_IFLAG_SKIP))
370 pfctl_set_interface_flags(pf,
371 pp->pfik_name, PFI_IFLAG_SKIP, 1);
372 if (pp->pfik_flags & PFI_IFLAG_SKIP)
373 pp->pfik_flags &= ~PFI_IFLAG_SKIP;
377 PFRB_FOREACH(p, &skip_b) {
378 if (p->pfik_ifp == NULL || ! (p->pfik_flags & PFI_IFLAG_SKIP))
381 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
388 pfctl_clear_interface_flags(int dev, int opts)
390 struct pfioc_iface pi;
392 if ((opts & PF_OPT_NOACTION) == 0) {
393 bzero(&pi, sizeof(pi));
394 pi.pfiio_flags = PFI_IFLAG_SKIP;
396 if (ioctl(dev, DIOCCLRIFFLAG, &pi))
397 err(1, "DIOCCLRIFFLAG");
398 if ((opts & PF_OPT_QUIET) == 0)
399 fprintf(stderr, "pf: interface flags reset\n");
405 pfctl_clear_rules(int dev, int opts, char *anchorname)
409 memset(&t, 0, sizeof(t));
410 t.pfrb_type = PFRB_TRANS;
411 if (pfctl_add_trans(&t, PF_RULESET_SCRUB, anchorname) ||
412 pfctl_add_trans(&t, PF_RULESET_FILTER, anchorname) ||
413 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
414 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
415 err(1, "pfctl_clear_rules");
416 if ((opts & PF_OPT_QUIET) == 0)
417 fprintf(stderr, "rules cleared\n");
422 pfctl_clear_nat(int dev, int opts, char *anchorname)
426 memset(&t, 0, sizeof(t));
427 t.pfrb_type = PFRB_TRANS;
428 if (pfctl_add_trans(&t, PF_RULESET_NAT, anchorname) ||
429 pfctl_add_trans(&t, PF_RULESET_BINAT, anchorname) ||
430 pfctl_add_trans(&t, PF_RULESET_RDR, anchorname) ||
431 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
432 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
433 err(1, "pfctl_clear_nat");
434 if ((opts & PF_OPT_QUIET) == 0)
435 fprintf(stderr, "nat cleared\n");
440 pfctl_clear_altq(int dev, int opts)
446 memset(&t, 0, sizeof(t));
447 t.pfrb_type = PFRB_TRANS;
448 if (pfctl_add_trans(&t, PF_RULESET_ALTQ, "") ||
449 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
450 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
451 err(1, "pfctl_clear_altq");
452 if ((opts & PF_OPT_QUIET) == 0)
453 fprintf(stderr, "altq cleared\n");
458 pfctl_clear_src_nodes(int dev, int opts)
460 if (ioctl(dev, DIOCCLRSRCNODES))
461 err(1, "DIOCCLRSRCNODES");
462 if ((opts & PF_OPT_QUIET) == 0)
463 fprintf(stderr, "source tracking entries cleared\n");
468 pfctl_clear_states(int dev, const char *iface, int opts)
470 struct pfioc_state_kill psk;
472 memset(&psk, 0, sizeof(psk));
473 if (iface != NULL && strlcpy(psk.psk_ifname, iface,
474 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
475 errx(1, "invalid interface: %s", iface);
477 if (ioctl(dev, DIOCCLRSTATES, &psk))
478 err(1, "DIOCCLRSTATES");
479 if ((opts & PF_OPT_QUIET) == 0)
480 fprintf(stderr, "%d states cleared\n", psk.psk_killed);
485 pfctl_addrprefix(char *addr, struct pf_addr *mask)
489 int prefix, ret_ga, q, r;
490 struct addrinfo hints, *res;
492 if ((p = strchr(addr, '/')) == NULL)
496 prefix = strtonum(p, 0, 128, &errstr);
498 errx(1, "prefix is %s: %s", errstr, p);
500 bzero(&hints, sizeof(hints));
501 /* prefix only with numeric addresses */
502 hints.ai_flags |= AI_NUMERICHOST;
504 if ((ret_ga = getaddrinfo(addr, NULL, &hints, &res))) {
505 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
509 if (res->ai_family == AF_INET && prefix > 32)
510 errx(1, "prefix too long for AF_INET");
511 else if (res->ai_family == AF_INET6 && prefix > 128)
512 errx(1, "prefix too long for AF_INET6");
516 switch (res->ai_family) {
518 bzero(&mask->v4, sizeof(mask->v4));
519 mask->v4.s_addr = htonl((u_int32_t)
520 (0xffffffffffULL << (32 - prefix)));
523 bzero(&mask->v6, sizeof(mask->v6));
525 memset((void *)&mask->v6, 0xff, q);
527 *((u_char *)&mask->v6 + q) =
528 (0xff00 >> r) & 0xff;
535 pfctl_kill_src_nodes(int dev, const char *iface, int opts)
537 struct pfioc_src_node_kill psnk;
538 struct addrinfo *res[2], *resp[2];
539 struct sockaddr last_src, last_dst;
540 int killed, sources, dests;
543 killed = sources = dests = 0;
545 memset(&psnk, 0, sizeof(psnk));
546 memset(&psnk.psnk_src.addr.v.a.mask, 0xff,
547 sizeof(psnk.psnk_src.addr.v.a.mask));
548 memset(&last_src, 0xff, sizeof(last_src));
549 memset(&last_dst, 0xff, sizeof(last_dst));
551 pfctl_addrprefix(src_node_kill[0], &psnk.psnk_src.addr.v.a.mask);
553 if ((ret_ga = getaddrinfo(src_node_kill[0], NULL, NULL, &res[0]))) {
554 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
557 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
558 if (resp[0]->ai_addr == NULL)
560 /* We get lots of duplicates. Catch the easy ones */
561 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
563 last_src = *(struct sockaddr *)resp[0]->ai_addr;
565 psnk.psnk_af = resp[0]->ai_family;
568 if (psnk.psnk_af == AF_INET)
569 psnk.psnk_src.addr.v.a.addr.v4 =
570 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
571 else if (psnk.psnk_af == AF_INET6)
572 psnk.psnk_src.addr.v.a.addr.v6 =
573 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
576 errx(1, "Unknown address family %d", psnk.psnk_af);
578 if (src_node_killers > 1) {
580 memset(&psnk.psnk_dst.addr.v.a.mask, 0xff,
581 sizeof(psnk.psnk_dst.addr.v.a.mask));
582 memset(&last_dst, 0xff, sizeof(last_dst));
583 pfctl_addrprefix(src_node_kill[1],
584 &psnk.psnk_dst.addr.v.a.mask);
585 if ((ret_ga = getaddrinfo(src_node_kill[1], NULL, NULL,
587 errx(1, "getaddrinfo: %s",
588 gai_strerror(ret_ga));
591 for (resp[1] = res[1]; resp[1];
592 resp[1] = resp[1]->ai_next) {
593 if (resp[1]->ai_addr == NULL)
595 if (psnk.psnk_af != resp[1]->ai_family)
598 if (memcmp(&last_dst, resp[1]->ai_addr,
599 sizeof(last_dst)) == 0)
601 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
605 if (psnk.psnk_af == AF_INET)
606 psnk.psnk_dst.addr.v.a.addr.v4 =
607 ((struct sockaddr_in *)resp[1]->
609 else if (psnk.psnk_af == AF_INET6)
610 psnk.psnk_dst.addr.v.a.addr.v6 =
611 ((struct sockaddr_in6 *)resp[1]->
614 errx(1, "Unknown address family %d",
617 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
618 err(1, "DIOCKILLSRCNODES");
619 killed += psnk.psnk_killed;
621 freeaddrinfo(res[1]);
623 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
624 err(1, "DIOCKILLSRCNODES");
625 killed += psnk.psnk_killed;
629 freeaddrinfo(res[0]);
631 if ((opts & PF_OPT_QUIET) == 0)
632 fprintf(stderr, "killed %d src nodes from %d sources and %d "
633 "destinations\n", killed, sources, dests);
638 pfctl_net_kill_states(int dev, const char *iface, int opts)
640 struct pfioc_state_kill psk;
641 struct addrinfo *res[2], *resp[2];
642 struct sockaddr last_src, last_dst;
643 int killed, sources, dests;
646 killed = sources = dests = 0;
648 memset(&psk, 0, sizeof(psk));
649 memset(&psk.psk_src.addr.v.a.mask, 0xff,
650 sizeof(psk.psk_src.addr.v.a.mask));
651 memset(&last_src, 0xff, sizeof(last_src));
652 memset(&last_dst, 0xff, sizeof(last_dst));
653 if (iface != NULL && strlcpy(psk.psk_ifname, iface,
654 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
655 errx(1, "invalid interface: %s", iface);
657 pfctl_addrprefix(state_kill[0], &psk.psk_src.addr.v.a.mask);
659 if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) {
660 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
663 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
664 if (resp[0]->ai_addr == NULL)
666 /* We get lots of duplicates. Catch the easy ones */
667 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
669 last_src = *(struct sockaddr *)resp[0]->ai_addr;
671 psk.psk_af = resp[0]->ai_family;
674 if (psk.psk_af == AF_INET)
675 psk.psk_src.addr.v.a.addr.v4 =
676 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
677 else if (psk.psk_af == AF_INET6)
678 psk.psk_src.addr.v.a.addr.v6 =
679 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
682 errx(1, "Unknown address family %d", psk.psk_af);
684 if (state_killers > 1) {
686 memset(&psk.psk_dst.addr.v.a.mask, 0xff,
687 sizeof(psk.psk_dst.addr.v.a.mask));
688 memset(&last_dst, 0xff, sizeof(last_dst));
689 pfctl_addrprefix(state_kill[1],
690 &psk.psk_dst.addr.v.a.mask);
691 if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL,
693 errx(1, "getaddrinfo: %s",
694 gai_strerror(ret_ga));
697 for (resp[1] = res[1]; resp[1];
698 resp[1] = resp[1]->ai_next) {
699 if (resp[1]->ai_addr == NULL)
701 if (psk.psk_af != resp[1]->ai_family)
704 if (memcmp(&last_dst, resp[1]->ai_addr,
705 sizeof(last_dst)) == 0)
707 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
711 if (psk.psk_af == AF_INET)
712 psk.psk_dst.addr.v.a.addr.v4 =
713 ((struct sockaddr_in *)resp[1]->
715 else if (psk.psk_af == AF_INET6)
716 psk.psk_dst.addr.v.a.addr.v6 =
717 ((struct sockaddr_in6 *)resp[1]->
720 errx(1, "Unknown address family %d",
723 if (ioctl(dev, DIOCKILLSTATES, &psk))
724 err(1, "DIOCKILLSTATES");
725 killed += psk.psk_killed;
727 freeaddrinfo(res[1]);
729 if (ioctl(dev, DIOCKILLSTATES, &psk))
730 err(1, "DIOCKILLSTATES");
731 killed += psk.psk_killed;
735 freeaddrinfo(res[0]);
737 if ((opts & PF_OPT_QUIET) == 0)
738 fprintf(stderr, "killed %d states from %d sources and %d "
739 "destinations\n", killed, sources, dests);
744 pfctl_label_kill_states(int dev, const char *iface, int opts)
746 struct pfioc_state_kill psk;
748 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
749 warnx("no label specified");
752 memset(&psk, 0, sizeof(psk));
753 if (iface != NULL && strlcpy(psk.psk_ifname, iface,
754 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
755 errx(1, "invalid interface: %s", iface);
757 if (strlcpy(psk.psk_label, state_kill[1], sizeof(psk.psk_label)) >=
758 sizeof(psk.psk_label))
759 errx(1, "label too long: %s", state_kill[1]);
761 if (ioctl(dev, DIOCKILLSTATES, &psk))
762 err(1, "DIOCKILLSTATES");
764 if ((opts & PF_OPT_QUIET) == 0)
765 fprintf(stderr, "killed %d states\n", psk.psk_killed);
771 pfctl_id_kill_states(int dev, const char *iface, int opts)
773 struct pfioc_state_kill psk;
775 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
776 warnx("no id specified");
780 memset(&psk, 0, sizeof(psk));
781 if ((sscanf(state_kill[1], "%jx/%x",
782 &psk.psk_pfcmp.id, &psk.psk_pfcmp.creatorid)) == 2)
783 HTONL(psk.psk_pfcmp.creatorid);
784 else if ((sscanf(state_kill[1], "%jx", &psk.psk_pfcmp.id)) == 1) {
785 psk.psk_pfcmp.creatorid = 0;
787 warnx("wrong id format specified");
790 if (psk.psk_pfcmp.id == 0) {
791 warnx("cannot kill id 0");
795 psk.psk_pfcmp.id = htobe64(psk.psk_pfcmp.id);
796 if (ioctl(dev, DIOCKILLSTATES, &psk))
797 err(1, "DIOCKILLSTATES");
799 if ((opts & PF_OPT_QUIET) == 0)
800 fprintf(stderr, "killed %d states\n", psk.psk_killed);
806 pfctl_get_pool(int dev, struct pf_pool *pool, u_int32_t nr,
807 u_int32_t ticket, int r_action, char *anchorname)
809 struct pfioc_pooladdr pp;
810 struct pf_pooladdr *pa;
813 memset(&pp, 0, sizeof(pp));
814 memcpy(pp.anchor, anchorname, sizeof(pp.anchor));
815 pp.r_action = r_action;
818 if (ioctl(dev, DIOCGETADDRS, &pp)) {
819 warn("DIOCGETADDRS");
823 TAILQ_INIT(&pool->list);
824 for (pnr = 0; pnr < mpnr; ++pnr) {
826 if (ioctl(dev, DIOCGETADDR, &pp)) {
830 pa = calloc(1, sizeof(struct pf_pooladdr));
833 bcopy(&pp.addr, pa, sizeof(struct pf_pooladdr));
834 TAILQ_INSERT_TAIL(&pool->list, pa, entries);
841 pfctl_move_pool(struct pf_pool *src, struct pf_pool *dst)
843 struct pf_pooladdr *pa;
845 while ((pa = TAILQ_FIRST(&src->list)) != NULL) {
846 TAILQ_REMOVE(&src->list, pa, entries);
847 TAILQ_INSERT_TAIL(&dst->list, pa, entries);
852 pfctl_clear_pool(struct pf_pool *pool)
854 struct pf_pooladdr *pa;
856 while ((pa = TAILQ_FIRST(&pool->list)) != NULL) {
857 TAILQ_REMOVE(&pool->list, pa, entries);
863 pfctl_print_rule_counters(struct pf_rule *rule, int opts)
865 if (opts & PF_OPT_DEBUG) {
866 const char *t[PF_SKIP_COUNT] = { "i", "d", "f",
867 "p", "sa", "sp", "da", "dp" };
870 printf(" [ Skip steps: ");
871 for (i = 0; i < PF_SKIP_COUNT; ++i) {
872 if (rule->skip[i].nr == rule->nr + 1)
875 if (rule->skip[i].nr == -1)
878 printf("%u ", rule->skip[i].nr);
882 printf(" [ queue: qname=%s qid=%u pqname=%s pqid=%u ]\n",
883 rule->qname, rule->qid, rule->pqname, rule->pqid);
885 if (opts & PF_OPT_VERBOSE) {
886 printf(" [ Evaluations: %-8llu Packets: %-8llu "
887 "Bytes: %-10llu States: %-6ju]\n",
888 (unsigned long long)rule->evaluations,
889 (unsigned long long)(rule->packets[0] +
891 (unsigned long long)(rule->bytes[0] +
892 rule->bytes[1]), (uintmax_t)rule->u_states_cur);
893 if (!(opts & PF_OPT_DEBUG))
894 printf(" [ Inserted: uid %u pid %u "
895 "State Creations: %-6ju]\n",
896 (unsigned)rule->cuid, (unsigned)rule->cpid,
897 (uintmax_t)rule->u_states_tot);
902 pfctl_print_title(char *title)
907 printf("%s\n", title);
911 pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
912 char *anchorname, int depth)
914 struct pfioc_rule pr;
915 u_int32_t nr, mnr, header = 0;
916 int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
917 int numeric = opts & PF_OPT_NUMERIC;
918 int len = strlen(path);
923 snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
925 snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
927 memset(&pr, 0, sizeof(pr));
928 memcpy(pr.anchor, path, sizeof(pr.anchor));
929 if (opts & PF_OPT_SHOWALL) {
930 pr.rule.action = PF_PASS;
931 if (ioctl(dev, DIOCGETRULES, &pr)) {
932 warn("DIOCGETRULES");
937 pr.rule.action = PF_SCRUB;
938 if (ioctl(dev, DIOCGETRULES, &pr)) {
939 warn("DIOCGETRULES");
942 if (opts & PF_OPT_SHOWALL) {
943 if (format == PFCTL_SHOW_RULES && (pr.nr > 0 || header))
944 pfctl_print_title("FILTER RULES:");
945 else if (format == PFCTL_SHOW_LABELS && labels)
946 pfctl_print_title("LABEL COUNTERS:");
949 if (opts & PF_OPT_CLRRULECTRS)
950 pr.action = PF_GET_CLR_CNTR;
952 for (nr = 0; nr < mnr; ++nr) {
954 if (ioctl(dev, DIOCGETRULE, &pr)) {
959 if (pfctl_get_pool(dev, &pr.rule.rpool,
960 nr, pr.ticket, PF_SCRUB, path) != 0)
964 case PFCTL_SHOW_LABELS:
966 case PFCTL_SHOW_RULES:
967 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
969 print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric);
971 pfctl_print_rule_counters(&pr.rule, opts);
973 case PFCTL_SHOW_NOTHING:
976 pfctl_clear_pool(&pr.rule.rpool);
978 pr.rule.action = PF_PASS;
979 if (ioctl(dev, DIOCGETRULES, &pr)) {
980 warn("DIOCGETRULES");
984 for (nr = 0; nr < mnr; ++nr) {
986 if (ioctl(dev, DIOCGETRULE, &pr)) {
991 if (pfctl_get_pool(dev, &pr.rule.rpool,
992 nr, pr.ticket, PF_PASS, path) != 0)
996 case PFCTL_SHOW_LABELS:
997 if (pr.rule.label[0]) {
998 printf("%s %llu %llu %llu %llu"
999 " %llu %llu %llu %ju\n",
1001 (unsigned long long)pr.rule.evaluations,
1002 (unsigned long long)(pr.rule.packets[0] +
1003 pr.rule.packets[1]),
1004 (unsigned long long)(pr.rule.bytes[0] +
1006 (unsigned long long)pr.rule.packets[0],
1007 (unsigned long long)pr.rule.bytes[0],
1008 (unsigned long long)pr.rule.packets[1],
1009 (unsigned long long)pr.rule.bytes[1],
1010 (uintmax_t)pr.rule.u_states_tot);
1013 case PFCTL_SHOW_RULES:
1015 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
1017 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1018 if (pr.anchor_call[0] &&
1019 ((((p = strrchr(pr.anchor_call, '_')) != NULL) &&
1020 ((void *)p == (void *)pr.anchor_call ||
1021 *(--p) == '/')) || (opts & PF_OPT_RECURSE))) {
1023 if ((p = strrchr(pr.anchor_call, '/')) !=
1027 p = &pr.anchor_call[0];
1029 p = &pr.anchor_call[0];
1031 print_rule(&pr.rule, p, rule_numbers, numeric);
1036 pfctl_print_rule_counters(&pr.rule, opts);
1038 pfctl_show_rules(dev, path, opts, format,
1040 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1044 case PFCTL_SHOW_NOTHING:
1047 pfctl_clear_pool(&pr.rule.rpool);
1058 pfctl_show_nat(int dev, int opts, char *anchorname)
1060 struct pfioc_rule pr;
1062 static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT };
1063 int i, dotitle = opts & PF_OPT_SHOWALL;
1065 memset(&pr, 0, sizeof(pr));
1066 memcpy(pr.anchor, anchorname, sizeof(pr.anchor));
1067 for (i = 0; i < 3; i++) {
1068 pr.rule.action = nattype[i];
1069 if (ioctl(dev, DIOCGETRULES, &pr)) {
1070 warn("DIOCGETRULES");
1074 for (nr = 0; nr < mnr; ++nr) {
1076 if (ioctl(dev, DIOCGETRULE, &pr)) {
1077 warn("DIOCGETRULE");
1080 if (pfctl_get_pool(dev, &pr.rule.rpool, nr,
1081 pr.ticket, nattype[i], anchorname) != 0)
1084 pfctl_print_title("TRANSLATION RULES:");
1087 print_rule(&pr.rule, pr.anchor_call,
1088 opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
1090 pfctl_print_rule_counters(&pr.rule, opts);
1091 pfctl_clear_pool(&pr.rule.rpool);
1098 pfctl_show_src_nodes(int dev, int opts)
1100 struct pfioc_src_nodes psn;
1101 struct pf_src_node *p;
1102 char *inbuf = NULL, *newinbuf = NULL;
1103 unsigned int len = 0;
1106 memset(&psn, 0, sizeof(psn));
1110 newinbuf = realloc(inbuf, len);
1111 if (newinbuf == NULL)
1113 psn.psn_buf = inbuf = newinbuf;
1115 if (ioctl(dev, DIOCGETSRCNODES, &psn) < 0) {
1116 warn("DIOCGETSRCNODES");
1120 if (psn.psn_len + sizeof(struct pfioc_src_nodes) < len)
1122 if (len == 0 && psn.psn_len == 0)
1124 if (len == 0 && psn.psn_len != 0)
1126 if (psn.psn_len == 0)
1127 goto done; /* no src_nodes */
1130 p = psn.psn_src_nodes;
1131 if (psn.psn_len > 0 && (opts & PF_OPT_SHOWALL))
1132 pfctl_print_title("SOURCE TRACKING NODES:");
1133 for (i = 0; i < psn.psn_len; i += sizeof(*p)) {
1134 print_src_node(p, opts);
1143 pfctl_show_states(int dev, const char *iface, int opts)
1145 struct pfioc_states ps;
1146 struct pfsync_state *p;
1147 char *inbuf = NULL, *newinbuf = NULL;
1148 unsigned int len = 0;
1149 int i, dotitle = (opts & PF_OPT_SHOWALL);
1151 memset(&ps, 0, sizeof(ps));
1155 newinbuf = realloc(inbuf, len);
1156 if (newinbuf == NULL)
1158 ps.ps_buf = inbuf = newinbuf;
1160 if (ioctl(dev, DIOCGETSTATES, &ps) < 0) {
1161 warn("DIOCGETSTATES");
1165 if (ps.ps_len + sizeof(struct pfioc_states) < len)
1167 if (len == 0 && ps.ps_len == 0)
1169 if (len == 0 && ps.ps_len != 0)
1172 goto done; /* no states */
1176 for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
1177 if (iface != NULL && strcmp(p->ifname, iface))
1180 pfctl_print_title("STATES:");
1183 print_state(p, opts);
1191 pfctl_show_status(int dev, int opts)
1193 struct pf_status status;
1195 if (ioctl(dev, DIOCGETSTATUS, &status)) {
1196 warn("DIOCGETSTATUS");
1199 if (opts & PF_OPT_SHOWALL)
1200 pfctl_print_title("INFO:");
1201 print_status(&status, opts);
1206 pfctl_show_running(int dev)
1208 struct pf_status status;
1210 if (ioctl(dev, DIOCGETSTATUS, &status)) {
1211 warn("DIOCGETSTATUS");
1215 print_running(&status);
1216 return (!status.running);
1220 pfctl_show_timeouts(int dev, int opts)
1225 if (opts & PF_OPT_SHOWALL)
1226 pfctl_print_title("TIMEOUTS:");
1227 memset(&pt, 0, sizeof(pt));
1228 for (i = 0; pf_timeouts[i].name; i++) {
1229 pt.timeout = pf_timeouts[i].timeout;
1230 if (ioctl(dev, DIOCGETTIMEOUT, &pt))
1231 err(1, "DIOCGETTIMEOUT");
1232 printf("%-20s %10d", pf_timeouts[i].name, pt.seconds);
1233 if (pf_timeouts[i].timeout >= PFTM_ADAPTIVE_START &&
1234 pf_timeouts[i].timeout <= PFTM_ADAPTIVE_END)
1245 pfctl_show_limits(int dev, int opts)
1247 struct pfioc_limit pl;
1250 if (opts & PF_OPT_SHOWALL)
1251 pfctl_print_title("LIMITS:");
1252 memset(&pl, 0, sizeof(pl));
1253 for (i = 0; pf_limits[i].name; i++) {
1254 pl.index = pf_limits[i].index;
1255 if (ioctl(dev, DIOCGETLIMIT, &pl))
1256 err(1, "DIOCGETLIMIT");
1257 printf("%-13s ", pf_limits[i].name);
1258 if (pl.limit == UINT_MAX)
1259 printf("unlimited\n");
1261 printf("hard limit %8u\n", pl.limit);
1266 /* callbacks for rule/nat/rdr/addr */
1268 pfctl_add_pool(struct pfctl *pf, struct pf_pool *p, sa_family_t af)
1270 struct pf_pooladdr *pa;
1272 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1273 if (ioctl(pf->dev, DIOCBEGINADDRS, &pf->paddr))
1274 err(1, "DIOCBEGINADDRS");
1278 TAILQ_FOREACH(pa, &p->list, entries) {
1279 memcpy(&pf->paddr.addr, pa, sizeof(struct pf_pooladdr));
1280 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1281 if (ioctl(pf->dev, DIOCADDADDR, &pf->paddr))
1282 err(1, "DIOCADDADDR");
1289 pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
1292 struct pf_rule *rule;
1293 struct pf_ruleset *rs;
1296 rs_num = pf_get_ruleset_number(r->action);
1297 if (rs_num == PF_RULESET_MAX)
1298 errx(1, "Invalid rule type %d", r->action);
1300 rs = &pf->anchor->ruleset;
1302 if (anchor_call[0] && r->anchor == NULL) {
1304 * Don't make non-brace anchors part of the main anchor pool.
1306 if ((r->anchor = calloc(1, sizeof(*r->anchor))) == NULL)
1307 err(1, "pfctl_add_rule: calloc");
1309 pf_init_ruleset(&r->anchor->ruleset);
1310 r->anchor->ruleset.anchor = r->anchor;
1311 if (strlcpy(r->anchor->path, anchor_call,
1312 sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path))
1313 errx(1, "pfctl_add_rule: strlcpy");
1314 if ((p = strrchr(anchor_call, '/')) != NULL) {
1316 err(1, "pfctl_add_rule: bad anchor name %s",
1319 p = (char *)anchor_call;
1320 if (strlcpy(r->anchor->name, p,
1321 sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name))
1322 errx(1, "pfctl_add_rule: strlcpy");
1325 if ((rule = calloc(1, sizeof(*rule))) == NULL)
1327 bcopy(r, rule, sizeof(*rule));
1328 TAILQ_INIT(&rule->rpool.list);
1329 pfctl_move_pool(&r->rpool, &rule->rpool);
1331 TAILQ_INSERT_TAIL(rs->rules[rs_num].active.ptr, rule, entries);
1336 pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a)
1338 int osize = pf->trans->pfrb_size;
1340 if ((pf->loadopt & PFCTL_FLAG_NAT) != 0) {
1341 if (pfctl_add_trans(pf->trans, PF_RULESET_NAT, path) ||
1342 pfctl_add_trans(pf->trans, PF_RULESET_BINAT, path) ||
1343 pfctl_add_trans(pf->trans, PF_RULESET_RDR, path))
1346 if (a == pf->astack[0] && ((altqsupport &&
1347 (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
1348 if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path))
1351 if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) {
1352 if (pfctl_add_trans(pf->trans, PF_RULESET_SCRUB, path) ||
1353 pfctl_add_trans(pf->trans, PF_RULESET_FILTER, path))
1356 if (pf->loadopt & PFCTL_FLAG_TABLE)
1357 if (pfctl_add_trans(pf->trans, PF_RULESET_TABLE, path))
1359 if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize))
1366 pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
1367 int rs_num, int depth)
1370 int error, len = strlen(path);
1373 pf->anchor = rs->anchor;
1376 snprintf(&path[len], MAXPATHLEN - len, "/%s", pf->anchor->name);
1378 snprintf(&path[len], MAXPATHLEN - len, "%s", pf->anchor->name);
1381 if (TAILQ_FIRST(rs->rules[rs_num].active.ptr) != NULL) {
1383 if (pf->opts & PF_OPT_VERBOSE)
1385 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
1386 (error = pfctl_ruleset_trans(pf,
1387 path, rs->anchor))) {
1388 printf("pfctl_load_rulesets: "
1389 "pfctl_ruleset_trans %d\n", error);
1392 } else if (pf->opts & PF_OPT_VERBOSE)
1397 if (pf->optimize && rs_num == PF_RULESET_FILTER)
1398 pfctl_optimize_ruleset(pf, rs);
1400 while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) {
1401 TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);
1402 if ((error = pfctl_load_rule(pf, path, r, depth)))
1405 if ((error = pfctl_load_ruleset(pf, path,
1406 &r->anchor->ruleset, rs_num, depth + 1)))
1408 } else if (pf->opts & PF_OPT_VERBOSE)
1412 if (brace && pf->opts & PF_OPT_VERBOSE) {
1413 INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE));
1426 pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth)
1428 u_int8_t rs_num = pf_get_ruleset_number(r->action);
1430 struct pfioc_rule pr;
1431 int len = strlen(path);
1433 bzero(&pr, sizeof(pr));
1434 /* set up anchor before adding to path for anchor_call */
1435 if ((pf->opts & PF_OPT_NOACTION) == 0)
1436 pr.ticket = pfctl_get_ticket(pf->trans, rs_num, path);
1437 if (strlcpy(pr.anchor, path, sizeof(pr.anchor)) >= sizeof(pr.anchor))
1438 errx(1, "pfctl_load_rule: strlcpy");
1441 if (r->anchor->match) {
1443 snprintf(&path[len], MAXPATHLEN - len,
1444 "/%s", r->anchor->name);
1446 snprintf(&path[len], MAXPATHLEN - len,
1447 "%s", r->anchor->name);
1448 name = r->anchor->name;
1450 name = r->anchor->path;
1454 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1455 if (pfctl_add_pool(pf, &r->rpool, r->af))
1457 pr.pool_ticket = pf->paddr.ticket;
1458 memcpy(&pr.rule, r, sizeof(pr.rule));
1459 if (r->anchor && strlcpy(pr.anchor_call, name,
1460 sizeof(pr.anchor_call)) >= sizeof(pr.anchor_call))
1461 errx(1, "pfctl_load_rule: strlcpy");
1462 if (ioctl(pf->dev, DIOCADDRULE, &pr))
1463 err(1, "DIOCADDRULE");
1466 if (pf->opts & PF_OPT_VERBOSE) {
1467 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
1468 print_rule(r, r->anchor ? r->anchor->name : "",
1469 pf->opts & PF_OPT_VERBOSE2,
1470 pf->opts & PF_OPT_NUMERIC);
1473 pfctl_clear_pool(&r->rpool);
1478 pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
1481 (loadopt & PFCTL_FLAG_ALTQ) != 0) {
1482 memcpy(&pf->paltq->altq, a, sizeof(struct pf_altq));
1483 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1484 if (ioctl(pf->dev, DIOCADDALTQ, pf->paltq)) {
1486 errx(1, "qtype not configured");
1487 else if (errno == ENODEV)
1488 errx(1, "%s: driver does not support "
1491 err(1, "DIOCADDALTQ");
1494 pfaltq_store(&pf->paltq->altq);
1500 pfctl_rules(int dev, char *filename, int opts, int optimize,
1501 char *anchorname, struct pfr_buffer *trans)
1503 #define ERR(x) do { warn(x); goto _error; } while(0)
1504 #define ERRX(x) do { warnx(x); goto _error; } while(0)
1506 struct pfr_buffer *t, buf;
1507 struct pfioc_altq pa;
1509 struct pf_ruleset *rs;
1510 struct pfr_table trs;
1514 RB_INIT(&pf_anchors);
1515 memset(&pf_main_anchor, 0, sizeof(pf_main_anchor));
1516 pf_init_ruleset(&pf_main_anchor.ruleset);
1517 pf_main_anchor.ruleset.anchor = &pf_main_anchor;
1518 if (trans == NULL) {
1519 bzero(&buf, sizeof(buf));
1520 buf.pfrb_type = PFRB_TRANS;
1525 osize = t->pfrb_size;
1528 memset(&pa, 0, sizeof(pa));
1529 pa.version = PFIOC_ALTQ_VERSION;
1530 memset(&pf, 0, sizeof(pf));
1531 memset(&trs, 0, sizeof(trs));
1532 if ((path = calloc(1, MAXPATHLEN)) == NULL)
1533 ERRX("pfctl_rules: calloc");
1534 if (strlcpy(trs.pfrt_anchor, anchorname,
1535 sizeof(trs.pfrt_anchor)) >= sizeof(trs.pfrt_anchor))
1536 ERRX("pfctl_rules: strlcpy");
1539 pf.optimize = optimize;
1540 pf.loadopt = loadopt;
1542 /* non-brace anchor, create without resolving the path */
1543 if ((pf.anchor = calloc(1, sizeof(*pf.anchor))) == NULL)
1544 ERRX("pfctl_rules: calloc");
1545 rs = &pf.anchor->ruleset;
1546 pf_init_ruleset(rs);
1547 rs->anchor = pf.anchor;
1548 if (strlcpy(pf.anchor->path, anchorname,
1549 sizeof(pf.anchor->path)) >= sizeof(pf.anchor->path))
1550 errx(1, "pfctl_add_rule: strlcpy");
1551 if (strlcpy(pf.anchor->name, anchorname,
1552 sizeof(pf.anchor->name)) >= sizeof(pf.anchor->name))
1553 errx(1, "pfctl_add_rule: strlcpy");
1556 pf.astack[0] = pf.anchor;
1559 pf.loadopt &= ~PFCTL_FLAG_ALTQ;
1562 pfctl_init_options(&pf);
1564 if ((opts & PF_OPT_NOACTION) == 0) {
1566 * XXX For the time being we need to open transactions for
1567 * the main ruleset before parsing, because tables are still
1568 * loaded at parse time.
1570 if (pfctl_ruleset_trans(&pf, anchorname, pf.anchor))
1571 ERRX("pfctl_rules");
1572 if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))
1574 pfctl_get_ticket(t, PF_RULESET_ALTQ, anchorname);
1575 if (pf.loadopt & PFCTL_FLAG_TABLE)
1576 pf.astack[0]->ruleset.tticket =
1577 pfctl_get_ticket(t, PF_RULESET_TABLE, anchorname);
1580 if (parse_config(filename, &pf) < 0) {
1581 if ((opts & PF_OPT_NOACTION) == 0)
1582 ERRX("Syntax error in config file: "
1583 "pf rules not loaded");
1587 if (loadopt & PFCTL_FLAG_OPTION)
1588 pfctl_adjust_skip_ifaces(&pf);
1590 if ((pf.loadopt & PFCTL_FLAG_FILTER &&
1591 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) ||
1592 (pf.loadopt & PFCTL_FLAG_NAT &&
1593 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_NAT, 0) ||
1594 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_RDR, 0) ||
1595 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_BINAT, 0))) ||
1596 (pf.loadopt & PFCTL_FLAG_FILTER &&
1597 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_FILTER, 0))) {
1598 if ((opts & PF_OPT_NOACTION) == 0)
1599 ERRX("Unable to load rules into kernel");
1604 if ((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0))
1605 if (check_commit_altq(dev, opts) != 0)
1606 ERRX("errors in altq config");
1608 /* process "load anchor" directives */
1610 if (pfctl_load_anchors(dev, &pf, t) == -1)
1611 ERRX("load anchors");
1613 if (trans == NULL && (opts & PF_OPT_NOACTION) == 0) {
1615 if (pfctl_load_options(&pf))
1617 if (pfctl_trans(dev, t, DIOCXCOMMIT, osize))
1624 if (trans == NULL) { /* main ruleset */
1625 if ((opts & PF_OPT_NOACTION) == 0)
1626 if (pfctl_trans(dev, t, DIOCXROLLBACK, osize))
1627 err(1, "DIOCXROLLBACK");
1629 } else { /* sub ruleset */
1639 pfctl_fopen(const char *name, const char *mode)
1644 fp = fopen(name, mode);
1647 if (fstat(fileno(fp), &st)) {
1651 if (S_ISDIR(st.st_mode)) {
1660 pfctl_init_options(struct pfctl *pf)
1663 pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
1664 pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
1665 pf->timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
1666 pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
1667 pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
1668 pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
1669 pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
1670 pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
1671 pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
1672 pf->timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
1673 pf->timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
1674 pf->timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
1675 pf->timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
1676 pf->timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
1677 pf->timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
1678 pf->timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
1679 pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
1680 pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
1681 pf->timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
1682 pf->timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
1684 pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
1685 pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
1686 pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
1687 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
1689 pf->debug = PF_DEBUG_URGENT;
1693 pfctl_load_options(struct pfctl *pf)
1697 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1701 for (i = 0; i < PF_LIMIT_MAX; i++) {
1702 if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i])
1704 if (pfctl_load_limit(pf, i, pf->limit[i]))
1709 * If we've set the limit, but haven't explicitly set adaptive
1710 * timeouts, do it now with a start of 60% and end of 120%.
1712 if (pf->limit_set[PF_LIMIT_STATES] &&
1713 !pf->timeout_set[PFTM_ADAPTIVE_START] &&
1714 !pf->timeout_set[PFTM_ADAPTIVE_END]) {
1715 pf->timeout[PFTM_ADAPTIVE_START] =
1716 (pf->limit[PF_LIMIT_STATES] / 10) * 6;
1717 pf->timeout_set[PFTM_ADAPTIVE_START] = 1;
1718 pf->timeout[PFTM_ADAPTIVE_END] =
1719 (pf->limit[PF_LIMIT_STATES] / 10) * 12;
1720 pf->timeout_set[PFTM_ADAPTIVE_END] = 1;
1724 for (i = 0; i < PFTM_MAX; i++) {
1725 if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i])
1727 if (pfctl_load_timeout(pf, i, pf->timeout[i]))
1732 if (!(pf->opts & PF_OPT_MERGE) || pf->debug_set)
1733 if (pfctl_load_debug(pf, pf->debug))
1737 if (!(pf->opts & PF_OPT_MERGE) || pf->ifname_set)
1738 if (pfctl_load_logif(pf, pf->ifname))
1742 if (!(pf->opts & PF_OPT_MERGE) || pf->hostid_set)
1743 if (pfctl_load_hostid(pf, pf->hostid))
1750 pfctl_set_limit(struct pfctl *pf, const char *opt, unsigned int limit)
1755 for (i = 0; pf_limits[i].name; i++) {
1756 if (strcasecmp(opt, pf_limits[i].name) == 0) {
1757 pf->limit[pf_limits[i].index] = limit;
1758 pf->limit_set[pf_limits[i].index] = 1;
1762 if (pf_limits[i].name == NULL) {
1763 warnx("Bad pool name.");
1767 if (pf->opts & PF_OPT_VERBOSE)
1768 printf("set limit %s %d\n", opt, limit);
1774 pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
1776 struct pfioc_limit pl;
1778 memset(&pl, 0, sizeof(pl));
1781 if (ioctl(pf->dev, DIOCSETLIMIT, &pl)) {
1783 warnx("Current pool size exceeds requested hard limit");
1785 warnx("DIOCSETLIMIT");
1792 pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
1796 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1799 for (i = 0; pf_timeouts[i].name; i++) {
1800 if (strcasecmp(opt, pf_timeouts[i].name) == 0) {
1801 pf->timeout[pf_timeouts[i].timeout] = seconds;
1802 pf->timeout_set[pf_timeouts[i].timeout] = 1;
1807 if (pf_timeouts[i].name == NULL) {
1808 warnx("Bad timeout name.");
1813 if (pf->opts & PF_OPT_VERBOSE && ! quiet)
1814 printf("set timeout %s %d\n", opt, seconds);
1820 pfctl_load_timeout(struct pfctl *pf, unsigned int timeout, unsigned int seconds)
1824 memset(&pt, 0, sizeof(pt));
1825 pt.timeout = timeout;
1826 pt.seconds = seconds;
1827 if (ioctl(pf->dev, DIOCSETTIMEOUT, &pt)) {
1828 warnx("DIOCSETTIMEOUT");
1835 pfctl_set_optimization(struct pfctl *pf, const char *opt)
1837 const struct pf_hint *hint;
1840 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1843 for (i = 0; pf_hints[i].name; i++)
1844 if (strcasecmp(opt, pf_hints[i].name) == 0)
1847 hint = pf_hints[i].hint;
1849 warnx("invalid state timeouts optimization");
1853 for (i = 0; hint[i].name; i++)
1854 if ((r = pfctl_set_timeout(pf, hint[i].name,
1855 hint[i].timeout, 1)))
1858 if (pf->opts & PF_OPT_VERBOSE)
1859 printf("set optimization %s\n", opt);
1865 pfctl_set_logif(struct pfctl *pf, char *ifname)
1868 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1871 if (!strcmp(ifname, "none")) {
1875 pf->ifname = strdup(ifname);
1877 errx(1, "pfctl_set_logif: strdup");
1881 if (pf->opts & PF_OPT_VERBOSE)
1882 printf("set loginterface %s\n", ifname);
1888 pfctl_load_logif(struct pfctl *pf, char *ifname)
1892 memset(&pi, 0, sizeof(pi));
1893 if (ifname && strlcpy(pi.ifname, ifname,
1894 sizeof(pi.ifname)) >= sizeof(pi.ifname)) {
1895 warnx("pfctl_load_logif: strlcpy");
1898 if (ioctl(pf->dev, DIOCSETSTATUSIF, &pi)) {
1899 warnx("DIOCSETSTATUSIF");
1906 pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
1908 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1913 pf->hostid = hostid;
1916 if (pf->opts & PF_OPT_VERBOSE)
1917 printf("set hostid 0x%08x\n", ntohl(hostid));
1923 pfctl_load_hostid(struct pfctl *pf, u_int32_t hostid)
1925 if (ioctl(dev, DIOCSETHOSTID, &hostid)) {
1926 warnx("DIOCSETHOSTID");
1933 pfctl_set_debug(struct pfctl *pf, char *d)
1937 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1940 if (!strcmp(d, "none"))
1941 pf->debug = PF_DEBUG_NONE;
1942 else if (!strcmp(d, "urgent"))
1943 pf->debug = PF_DEBUG_URGENT;
1944 else if (!strcmp(d, "misc"))
1945 pf->debug = PF_DEBUG_MISC;
1946 else if (!strcmp(d, "loud"))
1947 pf->debug = PF_DEBUG_NOISY;
1949 warnx("unknown debug level \"%s\"", d);
1956 if ((pf->opts & PF_OPT_NOACTION) == 0)
1957 if (ioctl(dev, DIOCSETDEBUG, &level))
1958 err(1, "DIOCSETDEBUG");
1960 if (pf->opts & PF_OPT_VERBOSE)
1961 printf("set debug %s\n", d);
1967 pfctl_load_debug(struct pfctl *pf, unsigned int level)
1969 if (ioctl(pf->dev, DIOCSETDEBUG, &level)) {
1970 warnx("DIOCSETDEBUG");
1977 pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
1979 struct pfioc_iface pi;
1980 struct node_host *h = NULL, *n = NULL;
1982 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1985 bzero(&pi, sizeof(pi));
1987 pi.pfiio_flags = flags;
1989 /* Make sure our cache matches the kernel. If we set or clear the flag
1990 * for a group this applies to all members. */
1991 h = ifa_grouplookup(ifname, 0);
1992 for (n = h; n != NULL; n = n->next)
1993 pfctl_set_interface_flags(pf, n->ifname, flags, how);
1995 if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
1996 sizeof(pi.pfiio_name))
1997 errx(1, "pfctl_set_interface_flags: strlcpy");
1999 if ((pf->opts & PF_OPT_NOACTION) == 0) {
2001 if (ioctl(pf->dev, DIOCCLRIFFLAG, &pi))
2002 err(1, "DIOCCLRIFFLAG");
2004 if (ioctl(pf->dev, DIOCSETIFFLAG, &pi))
2005 err(1, "DIOCSETIFFLAG");
2006 pfctl_check_skip_ifaces(ifname);
2013 pfctl_debug(int dev, u_int32_t level, int opts)
2015 if (ioctl(dev, DIOCSETDEBUG, &level))
2016 err(1, "DIOCSETDEBUG");
2017 if ((opts & PF_OPT_QUIET) == 0) {
2018 fprintf(stderr, "debug level set to '");
2021 fprintf(stderr, "none");
2023 case PF_DEBUG_URGENT:
2024 fprintf(stderr, "urgent");
2027 fprintf(stderr, "misc");
2029 case PF_DEBUG_NOISY:
2030 fprintf(stderr, "loud");
2033 fprintf(stderr, "<invalid>");
2036 fprintf(stderr, "'\n");
2041 pfctl_test_altqsupport(int dev, int opts)
2043 struct pfioc_altq pa;
2045 pa.version = PFIOC_ALTQ_VERSION;
2046 if (ioctl(dev, DIOCGETALTQS, &pa)) {
2047 if (errno == ENODEV) {
2048 if (opts & PF_OPT_VERBOSE)
2049 fprintf(stderr, "No ALTQ support in kernel\n"
2050 "ALTQ related functions disabled\n");
2053 err(1, "DIOCGETALTQS");
2059 pfctl_show_anchors(int dev, int opts, char *anchorname)
2061 struct pfioc_ruleset pr;
2064 memset(&pr, 0, sizeof(pr));
2065 memcpy(pr.path, anchorname, sizeof(pr.path));
2066 if (ioctl(dev, DIOCGETRULESETS, &pr)) {
2067 if (errno == EINVAL)
2068 fprintf(stderr, "Anchor '%s' not found.\n",
2071 err(1, "DIOCGETRULESETS");
2075 for (nr = 0; nr < mnr; ++nr) {
2076 char sub[MAXPATHLEN];
2079 if (ioctl(dev, DIOCGETRULESET, &pr))
2080 err(1, "DIOCGETRULESET");
2081 if (!strcmp(pr.name, PF_RESERVED_ANCHOR))
2085 strlcat(sub, pr.path, sizeof(sub));
2086 strlcat(sub, "/", sizeof(sub));
2088 strlcat(sub, pr.name, sizeof(sub));
2089 if (sub[0] != '_' || (opts & PF_OPT_VERBOSE))
2090 printf(" %s\n", sub);
2091 if ((opts & PF_OPT_VERBOSE) && pfctl_show_anchors(dev, opts, sub))
2098 pfctl_lookup_option(char *cmd, const char * const *list)
2100 if (cmd != NULL && *cmd)
2101 for (; *list; list++)
2102 if (!strncmp(cmd, *list, strlen(cmd)))
2108 main(int argc, char *argv[])
2112 int mode = O_RDONLY;
2114 int optimize = PF_OPTIMIZE_BASIC;
2115 char anchorname[MAXPATHLEN];
2121 while ((ch = getopt(argc, argv,
2122 "a:AdD:eqf:F:ghi:k:K:mnNOo:Pp:rRs:t:T:vx:z")) != -1) {
2128 opts |= PF_OPT_DISABLE;
2132 if (pfctl_cmdline_symset(optarg) < 0)
2133 warnx("could not parse macro definition %s",
2137 opts |= PF_OPT_ENABLE;
2141 opts |= PF_OPT_QUIET;
2144 clearopt = pfctl_lookup_option(optarg, clearopt_list);
2145 if (clearopt == NULL) {
2146 warnx("Unknown flush modifier '%s'", optarg);
2155 if (state_killers >= 2) {
2156 warnx("can only specify -k twice");
2160 state_kill[state_killers++] = optarg;
2164 if (src_node_killers >= 2) {
2165 warnx("can only specify -K twice");
2169 src_node_kill[src_node_killers++] = optarg;
2173 opts |= PF_OPT_MERGE;
2176 opts |= PF_OPT_NOACTION;
2179 loadopt |= PFCTL_FLAG_NAT;
2182 opts |= PF_OPT_USEDNS;
2189 opts |= PF_OPT_DEBUG;
2192 loadopt |= PFCTL_FLAG_ALTQ;
2195 loadopt |= PFCTL_FLAG_FILTER;
2198 optiopt = pfctl_lookup_option(optarg, optiopt_list);
2199 if (optiopt == NULL) {
2200 warnx("Unknown optimization '%s'", optarg);
2203 opts |= PF_OPT_OPTIMIZE;
2206 loadopt |= PFCTL_FLAG_OPTION;
2212 opts |= PF_OPT_NUMERIC;
2215 showopt = pfctl_lookup_option(optarg, showopt_list);
2216 if (showopt == NULL) {
2217 warnx("Unknown show modifier '%s'", optarg);
2225 tblcmdopt = pfctl_lookup_option(optarg, tblcmdopt_list);
2226 if (tblcmdopt == NULL) {
2227 warnx("Unknown table command '%s'", optarg);
2232 if (opts & PF_OPT_VERBOSE)
2233 opts |= PF_OPT_VERBOSE2;
2234 opts |= PF_OPT_VERBOSE;
2237 debugopt = pfctl_lookup_option(optarg, debugopt_list);
2238 if (debugopt == NULL) {
2239 warnx("Unknown debug level '%s'", optarg);
2245 opts |= PF_OPT_CLRRULECTRS;
2256 if (tblcmdopt != NULL) {
2261 loadopt |= PFCTL_FLAG_TABLE;
2264 mode = strchr("acdefkrz", ch) ? O_RDWR : O_RDONLY;
2265 } else if (argc != optind) {
2266 warnx("unknown command line argument: %s ...", argv[optind]);
2273 if ((path = calloc(1, MAXPATHLEN)) == NULL)
2274 errx(1, "pfctl: calloc");
2275 memset(anchorname, 0, sizeof(anchorname));
2276 if (anchoropt != NULL) {
2277 int len = strlen(anchoropt);
2279 if (anchoropt[len - 1] == '*') {
2280 if (len >= 2 && anchoropt[len - 2] == '/')
2281 anchoropt[len - 2] = '\0';
2283 anchoropt[len - 1] = '\0';
2284 opts |= PF_OPT_RECURSE;
2286 if (strlcpy(anchorname, anchoropt,
2287 sizeof(anchorname)) >= sizeof(anchorname))
2288 errx(1, "anchor name '%s' too long",
2290 loadopt &= PFCTL_FLAG_FILTER|PFCTL_FLAG_NAT|PFCTL_FLAG_TABLE;
2293 if ((opts & PF_OPT_NOACTION) == 0) {
2294 dev = open(pf_device, mode);
2296 err(1, "%s", pf_device);
2297 altqsupport = pfctl_test_altqsupport(dev, opts);
2299 dev = open(pf_device, O_RDONLY);
2301 opts |= PF_OPT_DUMMYACTION;
2302 /* turn off options */
2303 opts &= ~ (PF_OPT_DISABLE | PF_OPT_ENABLE);
2304 clearopt = showopt = debugopt = NULL;
2305 #if !defined(ENABLE_ALTQ)
2312 if (opts & PF_OPT_DISABLE)
2313 if (pfctl_disable(dev, opts))
2316 if (showopt != NULL) {
2319 pfctl_show_anchors(dev, opts, anchorname);
2322 pfctl_load_fingerprints(dev, opts);
2323 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_RULES,
2327 pfctl_load_fingerprints(dev, opts);
2328 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_LABELS,
2332 pfctl_load_fingerprints(dev, opts);
2333 pfctl_show_nat(dev, opts, anchorname);
2336 pfctl_show_altq(dev, ifaceopt, opts,
2337 opts & PF_OPT_VERBOSE2);
2340 pfctl_show_states(dev, ifaceopt, opts);
2343 pfctl_show_src_nodes(dev, opts);
2346 pfctl_show_status(dev, opts);
2349 error = pfctl_show_running(dev);
2352 pfctl_show_timeouts(dev, opts);
2355 pfctl_show_limits(dev, opts);
2358 opts |= PF_OPT_SHOWALL;
2359 pfctl_load_fingerprints(dev, opts);
2361 pfctl_show_nat(dev, opts, anchorname);
2362 pfctl_show_rules(dev, path, opts, 0, anchorname, 0);
2363 pfctl_show_altq(dev, ifaceopt, opts, 0);
2364 pfctl_show_states(dev, ifaceopt, opts);
2365 pfctl_show_src_nodes(dev, opts);
2366 pfctl_show_status(dev, opts);
2367 pfctl_show_rules(dev, path, opts, 1, anchorname, 0);
2368 pfctl_show_timeouts(dev, opts);
2369 pfctl_show_limits(dev, opts);
2370 pfctl_show_tables(anchorname, opts);
2371 pfctl_show_fingerprints(opts);
2374 pfctl_show_tables(anchorname, opts);
2377 pfctl_load_fingerprints(dev, opts);
2378 pfctl_show_fingerprints(opts);
2381 pfctl_show_ifaces(ifaceopt, opts);
2386 if ((opts & PF_OPT_CLRRULECTRS) && showopt == NULL)
2387 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_NOTHING,
2390 if (clearopt != NULL) {
2391 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
2392 errx(1, "anchor names beginning with '_' cannot "
2393 "be modified from the command line");
2395 switch (*clearopt) {
2397 pfctl_clear_rules(dev, opts, anchorname);
2400 pfctl_clear_nat(dev, opts, anchorname);
2403 pfctl_clear_altq(dev, opts);
2406 pfctl_clear_states(dev, ifaceopt, opts);
2409 pfctl_clear_src_nodes(dev, opts);
2412 pfctl_clear_stats(dev, opts);
2415 pfctl_clear_rules(dev, opts, anchorname);
2416 pfctl_clear_nat(dev, opts, anchorname);
2417 pfctl_clear_tables(anchorname, opts);
2419 pfctl_clear_altq(dev, opts);
2420 pfctl_clear_states(dev, ifaceopt, opts);
2421 pfctl_clear_src_nodes(dev, opts);
2422 pfctl_clear_stats(dev, opts);
2423 pfctl_clear_fingerprints(dev, opts);
2424 pfctl_clear_interface_flags(dev, opts);
2428 pfctl_clear_fingerprints(dev, opts);
2431 pfctl_clear_tables(anchorname, opts);
2435 if (state_killers) {
2436 if (!strcmp(state_kill[0], "label"))
2437 pfctl_label_kill_states(dev, ifaceopt, opts);
2438 else if (!strcmp(state_kill[0], "id"))
2439 pfctl_id_kill_states(dev, ifaceopt, opts);
2441 pfctl_net_kill_states(dev, ifaceopt, opts);
2444 if (src_node_killers)
2445 pfctl_kill_src_nodes(dev, ifaceopt, opts);
2447 if (tblcmdopt != NULL) {
2448 error = pfctl_command_tables(argc, argv, tableopt,
2449 tblcmdopt, rulesopt, anchorname, opts);
2452 if (optiopt != NULL) {
2458 optimize |= PF_OPTIMIZE_BASIC;
2462 optimize |= PF_OPTIMIZE_PROFILE;
2467 if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) &&
2468 !anchorname[0] && !(opts & PF_OPT_NOACTION))
2469 if (pfctl_get_skip_ifaces())
2472 if (rulesopt != NULL && !(opts & (PF_OPT_MERGE|PF_OPT_NOACTION)) &&
2473 !anchorname[0] && (loadopt & PFCTL_FLAG_OPTION))
2474 if (pfctl_file_fingerprints(dev, opts, PF_OSFP_FILE))
2477 if (rulesopt != NULL) {
2478 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
2479 errx(1, "anchor names beginning with '_' cannot "
2480 "be modified from the command line");
2481 if (pfctl_rules(dev, rulesopt, opts, optimize,
2484 else if (!(opts & PF_OPT_NOACTION) &&
2485 (loadopt & PFCTL_FLAG_TABLE))
2486 warn_namespace_collision(NULL);
2489 if (opts & PF_OPT_ENABLE)
2490 if (pfctl_enable(dev, opts))
2493 if (debugopt != NULL) {
2494 switch (*debugopt) {
2496 pfctl_debug(dev, PF_DEBUG_NONE, opts);
2499 pfctl_debug(dev, PF_DEBUG_URGENT, opts);
2502 pfctl_debug(dev, PF_DEBUG_MISC, opts);
2505 pfctl_debug(dev, PF_DEBUG_NOISY, opts);
projects / FreeBSD / FreeBSD.git / blob