1 /* $OpenBSD: pfctl.c,v 1.278 2008/08/31 20:18:17 jmc Exp $ */
4 * SPDX-License-Identifier: BSD-2-Clause
6 * Copyright (c) 2001 Daniel Hartmeier
7 * Copyright (c) 2002,2003 Henning Brauer
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
14 * - Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * - Redistributions in binary form must reproduce the above
17 * copyright notice, this list of conditions and the following
18 * disclaimer in the documentation and/or other materials provided
19 * with the distribution.
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
29 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
31 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #include <sys/types.h>
40 #include <sys/ioctl.h>
41 #include <sys/socket.h>
43 #include <sys/endian.h>
46 #include <netinet/in.h>
47 #include <net/pfvar.h>
48 #include <arpa/inet.h>
49 #include <net/altq/altq.h>
50 #include <sys/sysctl.h>
63 #include "pfctl_parser.h"
67 int pfctl_enable(int, int);
68 int pfctl_disable(int, int);
69 int pfctl_clear_stats(int, int);
70 int pfctl_get_skip_ifaces(void);
71 int pfctl_check_skip_ifaces(char *);
72 int pfctl_adjust_skip_ifaces(struct pfctl *);
73 int pfctl_clear_interface_flags(int, int);
74 int pfctl_clear_rules(int, int, char *);
75 int pfctl_clear_nat(int, int, char *);
76 int pfctl_clear_altq(int, int);
77 int pfctl_clear_src_nodes(int, int);
78 int pfctl_clear_states(int, const char *, int);
79 void pfctl_addrprefix(char *, struct pf_addr *);
80 int pfctl_kill_src_nodes(int, const char *, int);
81 int pfctl_net_kill_states(int, const char *, int);
82 int pfctl_label_kill_states(int, const char *, int);
83 int pfctl_id_kill_states(int, const char *, int);
84 void pfctl_init_options(struct pfctl *);
85 int pfctl_load_options(struct pfctl *);
86 int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
87 int pfctl_load_timeout(struct pfctl *, unsigned int, unsigned int);
88 int pfctl_load_debug(struct pfctl *, unsigned int);
89 int pfctl_load_logif(struct pfctl *, char *);
90 int pfctl_load_hostid(struct pfctl *, u_int32_t);
91 int pfctl_get_pool(int, struct pf_pool *, u_int32_t, u_int32_t, int,
93 void pfctl_print_rule_counters(struct pf_rule *, int);
94 int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int);
95 int pfctl_show_nat(int, int, char *);
96 int pfctl_show_src_nodes(int, int);
97 int pfctl_show_states(int, const char *, int);
98 int pfctl_show_status(int, int);
99 int pfctl_show_running(int);
100 int pfctl_show_timeouts(int, int);
101 int pfctl_show_limits(int, int);
102 void pfctl_debug(int, u_int32_t, int);
103 int pfctl_test_altqsupport(int, int);
104 int pfctl_show_anchors(int, int, char *);
105 int pfctl_ruleset_trans(struct pfctl *, char *, struct pf_anchor *);
106 int pfctl_load_ruleset(struct pfctl *, char *,
107 struct pf_ruleset *, int, int);
108 int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int);
109 const char *pfctl_lookup_option(char *, const char * const *);
111 static struct pf_anchor_global pf_anchors;
112 static struct pf_anchor pf_main_anchor;
113 static struct pfr_buffer skip_b;
115 static const char *clearopt;
116 static char *rulesopt;
117 static const char *showopt;
118 static const char *debugopt;
119 static char *anchoropt;
120 static const char *optiopt = NULL;
121 static const char *pf_device = "/dev/pf";
122 static char *ifaceopt;
123 static char *tableopt;
124 static const char *tblcmdopt;
125 static int src_node_killers;
126 static char *src_node_kill[2];
127 static int state_killers;
128 static char *state_kill[2];
133 static int first_title = 1;
134 static int labels = 0;
136 #define INDENT(d, o) do { \
139 for (i=0; i < d; i++) \
145 static const struct {
149 { "states", PF_LIMIT_STATES },
150 { "src-nodes", PF_LIMIT_SRC_NODES },
151 { "frags", PF_LIMIT_FRAGS },
152 { "table-entries", PF_LIMIT_TABLE_ENTRIES },
160 static const struct pf_hint pf_hint_normal[] = {
161 { "tcp.first", 2 * 60 },
162 { "tcp.opening", 30 },
163 { "tcp.established", 24 * 60 * 60 },
164 { "tcp.closing", 15 * 60 },
165 { "tcp.finwait", 45 },
166 { "tcp.closed", 90 },
167 { "tcp.tsdiff", 30 },
170 static const struct pf_hint pf_hint_satellite[] = {
171 { "tcp.first", 3 * 60 },
172 { "tcp.opening", 30 + 5 },
173 { "tcp.established", 24 * 60 * 60 },
174 { "tcp.closing", 15 * 60 + 5 },
175 { "tcp.finwait", 45 + 5 },
176 { "tcp.closed", 90 + 5 },
177 { "tcp.tsdiff", 60 },
180 static const struct pf_hint pf_hint_conservative[] = {
181 { "tcp.first", 60 * 60 },
182 { "tcp.opening", 15 * 60 },
183 { "tcp.established", 5 * 24 * 60 * 60 },
184 { "tcp.closing", 60 * 60 },
185 { "tcp.finwait", 10 * 60 },
186 { "tcp.closed", 3 * 60 },
187 { "tcp.tsdiff", 60 },
190 static const struct pf_hint pf_hint_aggressive[] = {
192 { "tcp.opening", 5 },
193 { "tcp.established", 5 * 60 * 60 },
194 { "tcp.closing", 60 },
195 { "tcp.finwait", 30 },
196 { "tcp.closed", 30 },
197 { "tcp.tsdiff", 10 },
201 static const struct {
203 const struct pf_hint *hint;
205 { "normal", pf_hint_normal },
206 { "satellite", pf_hint_satellite },
207 { "high-latency", pf_hint_satellite },
208 { "conservative", pf_hint_conservative },
209 { "aggressive", pf_hint_aggressive },
213 static const char * const clearopt_list[] = {
214 "nat", "queue", "rules", "Sources",
215 "states", "info", "Tables", "osfp", "all", NULL
218 static const char * const showopt_list[] = {
219 "nat", "queue", "rules", "Anchors", "Sources", "states", "info",
220 "Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
221 "Running", "all", NULL
224 static const char * const tblcmdopt_list[] = {
225 "kill", "flush", "add", "delete", "load", "replace", "show",
226 "test", "zero", "expire", NULL
229 static const char * const debugopt_list[] = {
230 "none", "urgent", "misc", "loud", NULL
233 static const char * const optiopt_list[] = {
234 "none", "basic", "profile", NULL
240 extern char *__progname;
243 "usage: %s [-AdeghmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier]\n"
244 "\t[-f file] [-i interface] [-K host | network]\n"
245 "\t[-k host | network | label | id] [-o level] [-p device]\n"
246 "\t[-s modifier] [-t table -T command [address ...]] [-x level]\n",
253 pfctl_enable(int dev, int opts)
255 if (ioctl(dev, DIOCSTART)) {
257 errx(1, "pf already enabled");
258 else if (errno == ESRCH)
259 errx(1, "pfil registeration failed");
263 if ((opts & PF_OPT_QUIET) == 0)
264 fprintf(stderr, "pf enabled\n");
266 if (altqsupport && ioctl(dev, DIOCSTARTALTQ))
268 err(1, "DIOCSTARTALTQ");
274 pfctl_disable(int dev, int opts)
276 if (ioctl(dev, DIOCSTOP)) {
278 errx(1, "pf not enabled");
282 if ((opts & PF_OPT_QUIET) == 0)
283 fprintf(stderr, "pf disabled\n");
285 if (altqsupport && ioctl(dev, DIOCSTOPALTQ))
287 err(1, "DIOCSTOPALTQ");
293 pfctl_clear_stats(int dev, int opts)
295 if (ioctl(dev, DIOCCLRSTATUS))
296 err(1, "DIOCCLRSTATUS");
297 if ((opts & PF_OPT_QUIET) == 0)
298 fprintf(stderr, "pf: statistics cleared\n");
303 pfctl_get_skip_ifaces(void)
305 bzero(&skip_b, sizeof(skip_b));
306 skip_b.pfrb_type = PFRB_IFACES;
308 pfr_buf_grow(&skip_b, skip_b.pfrb_size);
309 skip_b.pfrb_size = skip_b.pfrb_msize;
310 if (pfi_get_ifaces(NULL, skip_b.pfrb_caddr, &skip_b.pfrb_size))
311 err(1, "pfi_get_ifaces");
312 if (skip_b.pfrb_size <= skip_b.pfrb_msize)
319 pfctl_check_skip_ifaces(char *ifname)
322 struct node_host *h = NULL, *n = NULL;
324 PFRB_FOREACH(p, &skip_b) {
325 if (!strcmp(ifname, p->pfik_name) &&
326 (p->pfik_flags & PFI_IFLAG_SKIP))
327 p->pfik_flags &= ~PFI_IFLAG_SKIP;
328 if (!strcmp(ifname, p->pfik_name) && p->pfik_group != NULL) {
329 if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
332 for (n = h; n != NULL; n = n->next) {
333 if (p->pfik_ifp == NULL)
335 if (strncmp(p->pfik_name, ifname, IFNAMSIZ))
338 p->pfik_flags &= ~PFI_IFLAG_SKIP;
346 pfctl_adjust_skip_ifaces_group_member(struct pfctl *pf, char *ifname)
350 PFRB_FOREACH(p, &skip_b) {
351 if (p->pfik_ifp == NULL)
354 if (strncmp(p->pfik_name, ifname, IFNAMSIZ))
357 if (!(p->pfik_flags & PFI_IFLAG_SKIP))
358 pfctl_set_interface_flags(pf, p->pfik_name,
360 if (p->pfik_flags & PFI_IFLAG_SKIP)
361 p->pfik_flags &= ~PFI_IFLAG_SKIP;
366 pfctl_adjust_skip_ifaces(struct pfctl *pf)
368 struct pfi_kif *p, *pp;
369 struct node_host *h = NULL, *n = NULL;
371 PFRB_FOREACH(p, &skip_b) {
372 if (p->pfik_group == NULL || !(p->pfik_flags & PFI_IFLAG_SKIP))
375 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
376 if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
379 for (n = h; n != NULL; n = n->next)
380 PFRB_FOREACH(pp, &skip_b) {
381 if (pp->pfik_ifp == NULL)
384 if (strncmp(pp->pfik_name, n->ifname, IFNAMSIZ))
387 if (!(pp->pfik_flags & PFI_IFLAG_SKIP))
388 pfctl_set_interface_flags(pf,
389 pp->pfik_name, PFI_IFLAG_SKIP, 1);
390 if (pp->pfik_flags & PFI_IFLAG_SKIP)
391 pp->pfik_flags &= ~PFI_IFLAG_SKIP;
395 PFRB_FOREACH(p, &skip_b) {
396 if (p->pfik_ifp == NULL || ! (p->pfik_flags & PFI_IFLAG_SKIP))
399 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
406 pfctl_clear_interface_flags(int dev, int opts)
408 struct pfioc_iface pi;
410 if ((opts & PF_OPT_NOACTION) == 0) {
411 bzero(&pi, sizeof(pi));
412 pi.pfiio_flags = PFI_IFLAG_SKIP;
414 if (ioctl(dev, DIOCCLRIFFLAG, &pi))
415 err(1, "DIOCCLRIFFLAG");
416 if ((opts & PF_OPT_QUIET) == 0)
417 fprintf(stderr, "pf: interface flags reset\n");
423 pfctl_clear_rules(int dev, int opts, char *anchorname)
427 memset(&t, 0, sizeof(t));
428 t.pfrb_type = PFRB_TRANS;
429 if (pfctl_add_trans(&t, PF_RULESET_SCRUB, anchorname) ||
430 pfctl_add_trans(&t, PF_RULESET_FILTER, anchorname) ||
431 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
432 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
433 err(1, "pfctl_clear_rules");
434 if ((opts & PF_OPT_QUIET) == 0)
435 fprintf(stderr, "rules cleared\n");
440 pfctl_clear_nat(int dev, int opts, char *anchorname)
444 memset(&t, 0, sizeof(t));
445 t.pfrb_type = PFRB_TRANS;
446 if (pfctl_add_trans(&t, PF_RULESET_NAT, anchorname) ||
447 pfctl_add_trans(&t, PF_RULESET_BINAT, anchorname) ||
448 pfctl_add_trans(&t, PF_RULESET_RDR, anchorname) ||
449 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
450 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
451 err(1, "pfctl_clear_nat");
452 if ((opts & PF_OPT_QUIET) == 0)
453 fprintf(stderr, "nat cleared\n");
458 pfctl_clear_altq(int dev, int opts)
464 memset(&t, 0, sizeof(t));
465 t.pfrb_type = PFRB_TRANS;
466 if (pfctl_add_trans(&t, PF_RULESET_ALTQ, "") ||
467 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
468 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
469 err(1, "pfctl_clear_altq");
470 if ((opts & PF_OPT_QUIET) == 0)
471 fprintf(stderr, "altq cleared\n");
476 pfctl_clear_src_nodes(int dev, int opts)
478 if (ioctl(dev, DIOCCLRSRCNODES))
479 err(1, "DIOCCLRSRCNODES");
480 if ((opts & PF_OPT_QUIET) == 0)
481 fprintf(stderr, "source tracking entries cleared\n");
486 pfctl_clear_states(int dev, const char *iface, int opts)
488 struct pfioc_state_kill psk;
490 memset(&psk, 0, sizeof(psk));
491 if (iface != NULL && strlcpy(psk.psk_ifname, iface,
492 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
493 errx(1, "invalid interface: %s", iface);
495 if (ioctl(dev, DIOCCLRSTATES, &psk))
496 err(1, "DIOCCLRSTATES");
497 if ((opts & PF_OPT_QUIET) == 0)
498 fprintf(stderr, "%d states cleared\n", psk.psk_killed);
503 pfctl_addrprefix(char *addr, struct pf_addr *mask)
507 int prefix, ret_ga, q, r;
508 struct addrinfo hints, *res;
510 if ((p = strchr(addr, '/')) == NULL)
514 prefix = strtonum(p, 0, 128, &errstr);
516 errx(1, "prefix is %s: %s", errstr, p);
518 bzero(&hints, sizeof(hints));
519 /* prefix only with numeric addresses */
520 hints.ai_flags |= AI_NUMERICHOST;
522 if ((ret_ga = getaddrinfo(addr, NULL, &hints, &res))) {
523 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
527 if (res->ai_family == AF_INET && prefix > 32)
528 errx(1, "prefix too long for AF_INET");
529 else if (res->ai_family == AF_INET6 && prefix > 128)
530 errx(1, "prefix too long for AF_INET6");
534 switch (res->ai_family) {
536 bzero(&mask->v4, sizeof(mask->v4));
537 mask->v4.s_addr = htonl((u_int32_t)
538 (0xffffffffffULL << (32 - prefix)));
541 bzero(&mask->v6, sizeof(mask->v6));
543 memset((void *)&mask->v6, 0xff, q);
545 *((u_char *)&mask->v6 + q) =
546 (0xff00 >> r) & 0xff;
553 pfctl_kill_src_nodes(int dev, const char *iface, int opts)
555 struct pfioc_src_node_kill psnk;
556 struct addrinfo *res[2], *resp[2];
557 struct sockaddr last_src, last_dst;
558 int killed, sources, dests;
561 killed = sources = dests = 0;
563 memset(&psnk, 0, sizeof(psnk));
564 memset(&psnk.psnk_src.addr.v.a.mask, 0xff,
565 sizeof(psnk.psnk_src.addr.v.a.mask));
566 memset(&last_src, 0xff, sizeof(last_src));
567 memset(&last_dst, 0xff, sizeof(last_dst));
569 pfctl_addrprefix(src_node_kill[0], &psnk.psnk_src.addr.v.a.mask);
571 if ((ret_ga = getaddrinfo(src_node_kill[0], NULL, NULL, &res[0]))) {
572 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
575 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
576 if (resp[0]->ai_addr == NULL)
578 /* We get lots of duplicates. Catch the easy ones */
579 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
581 last_src = *(struct sockaddr *)resp[0]->ai_addr;
583 psnk.psnk_af = resp[0]->ai_family;
586 if (psnk.psnk_af == AF_INET)
587 psnk.psnk_src.addr.v.a.addr.v4 =
588 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
589 else if (psnk.psnk_af == AF_INET6)
590 psnk.psnk_src.addr.v.a.addr.v6 =
591 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
594 errx(1, "Unknown address family %d", psnk.psnk_af);
596 if (src_node_killers > 1) {
598 memset(&psnk.psnk_dst.addr.v.a.mask, 0xff,
599 sizeof(psnk.psnk_dst.addr.v.a.mask));
600 memset(&last_dst, 0xff, sizeof(last_dst));
601 pfctl_addrprefix(src_node_kill[1],
602 &psnk.psnk_dst.addr.v.a.mask);
603 if ((ret_ga = getaddrinfo(src_node_kill[1], NULL, NULL,
605 errx(1, "getaddrinfo: %s",
606 gai_strerror(ret_ga));
609 for (resp[1] = res[1]; resp[1];
610 resp[1] = resp[1]->ai_next) {
611 if (resp[1]->ai_addr == NULL)
613 if (psnk.psnk_af != resp[1]->ai_family)
616 if (memcmp(&last_dst, resp[1]->ai_addr,
617 sizeof(last_dst)) == 0)
619 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
623 if (psnk.psnk_af == AF_INET)
624 psnk.psnk_dst.addr.v.a.addr.v4 =
625 ((struct sockaddr_in *)resp[1]->
627 else if (psnk.psnk_af == AF_INET6)
628 psnk.psnk_dst.addr.v.a.addr.v6 =
629 ((struct sockaddr_in6 *)resp[1]->
632 errx(1, "Unknown address family %d",
635 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
636 err(1, "DIOCKILLSRCNODES");
637 killed += psnk.psnk_killed;
639 freeaddrinfo(res[1]);
641 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
642 err(1, "DIOCKILLSRCNODES");
643 killed += psnk.psnk_killed;
647 freeaddrinfo(res[0]);
649 if ((opts & PF_OPT_QUIET) == 0)
650 fprintf(stderr, "killed %d src nodes from %d sources and %d "
651 "destinations\n", killed, sources, dests);
656 pfctl_net_kill_states(int dev, const char *iface, int opts)
658 struct pfioc_state_kill psk;
659 struct addrinfo *res[2], *resp[2];
660 struct sockaddr last_src, last_dst;
661 int killed, sources, dests;
664 killed = sources = dests = 0;
666 memset(&psk, 0, sizeof(psk));
667 memset(&psk.psk_src.addr.v.a.mask, 0xff,
668 sizeof(psk.psk_src.addr.v.a.mask));
669 memset(&last_src, 0xff, sizeof(last_src));
670 memset(&last_dst, 0xff, sizeof(last_dst));
671 if (iface != NULL && strlcpy(psk.psk_ifname, iface,
672 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
673 errx(1, "invalid interface: %s", iface);
675 pfctl_addrprefix(state_kill[0], &psk.psk_src.addr.v.a.mask);
677 if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) {
678 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
681 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
682 if (resp[0]->ai_addr == NULL)
684 /* We get lots of duplicates. Catch the easy ones */
685 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
687 last_src = *(struct sockaddr *)resp[0]->ai_addr;
689 psk.psk_af = resp[0]->ai_family;
692 if (psk.psk_af == AF_INET)
693 psk.psk_src.addr.v.a.addr.v4 =
694 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
695 else if (psk.psk_af == AF_INET6)
696 psk.psk_src.addr.v.a.addr.v6 =
697 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
700 errx(1, "Unknown address family %d", psk.psk_af);
702 if (state_killers > 1) {
704 memset(&psk.psk_dst.addr.v.a.mask, 0xff,
705 sizeof(psk.psk_dst.addr.v.a.mask));
706 memset(&last_dst, 0xff, sizeof(last_dst));
707 pfctl_addrprefix(state_kill[1],
708 &psk.psk_dst.addr.v.a.mask);
709 if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL,
711 errx(1, "getaddrinfo: %s",
712 gai_strerror(ret_ga));
715 for (resp[1] = res[1]; resp[1];
716 resp[1] = resp[1]->ai_next) {
717 if (resp[1]->ai_addr == NULL)
719 if (psk.psk_af != resp[1]->ai_family)
722 if (memcmp(&last_dst, resp[1]->ai_addr,
723 sizeof(last_dst)) == 0)
725 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
729 if (psk.psk_af == AF_INET)
730 psk.psk_dst.addr.v.a.addr.v4 =
731 ((struct sockaddr_in *)resp[1]->
733 else if (psk.psk_af == AF_INET6)
734 psk.psk_dst.addr.v.a.addr.v6 =
735 ((struct sockaddr_in6 *)resp[1]->
738 errx(1, "Unknown address family %d",
741 if (ioctl(dev, DIOCKILLSTATES, &psk))
742 err(1, "DIOCKILLSTATES");
743 killed += psk.psk_killed;
745 freeaddrinfo(res[1]);
747 if (ioctl(dev, DIOCKILLSTATES, &psk))
748 err(1, "DIOCKILLSTATES");
749 killed += psk.psk_killed;
753 freeaddrinfo(res[0]);
755 if ((opts & PF_OPT_QUIET) == 0)
756 fprintf(stderr, "killed %d states from %d sources and %d "
757 "destinations\n", killed, sources, dests);
762 pfctl_label_kill_states(int dev, const char *iface, int opts)
764 struct pfioc_state_kill psk;
766 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
767 warnx("no label specified");
770 memset(&psk, 0, sizeof(psk));
771 if (iface != NULL && strlcpy(psk.psk_ifname, iface,
772 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
773 errx(1, "invalid interface: %s", iface);
775 if (strlcpy(psk.psk_label, state_kill[1], sizeof(psk.psk_label)) >=
776 sizeof(psk.psk_label))
777 errx(1, "label too long: %s", state_kill[1]);
779 if (ioctl(dev, DIOCKILLSTATES, &psk))
780 err(1, "DIOCKILLSTATES");
782 if ((opts & PF_OPT_QUIET) == 0)
783 fprintf(stderr, "killed %d states\n", psk.psk_killed);
789 pfctl_id_kill_states(int dev, const char *iface, int opts)
791 struct pfioc_state_kill psk;
793 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
794 warnx("no id specified");
798 memset(&psk, 0, sizeof(psk));
799 if ((sscanf(state_kill[1], "%jx/%x",
800 &psk.psk_pfcmp.id, &psk.psk_pfcmp.creatorid)) == 2)
801 HTONL(psk.psk_pfcmp.creatorid);
802 else if ((sscanf(state_kill[1], "%jx", &psk.psk_pfcmp.id)) == 1) {
803 psk.psk_pfcmp.creatorid = 0;
805 warnx("wrong id format specified");
808 if (psk.psk_pfcmp.id == 0) {
809 warnx("cannot kill id 0");
813 psk.psk_pfcmp.id = htobe64(psk.psk_pfcmp.id);
814 if (ioctl(dev, DIOCKILLSTATES, &psk))
815 err(1, "DIOCKILLSTATES");
817 if ((opts & PF_OPT_QUIET) == 0)
818 fprintf(stderr, "killed %d states\n", psk.psk_killed);
824 pfctl_get_pool(int dev, struct pf_pool *pool, u_int32_t nr,
825 u_int32_t ticket, int r_action, char *anchorname)
827 struct pfioc_pooladdr pp;
828 struct pf_pooladdr *pa;
831 memset(&pp, 0, sizeof(pp));
832 memcpy(pp.anchor, anchorname, sizeof(pp.anchor));
833 pp.r_action = r_action;
836 if (ioctl(dev, DIOCGETADDRS, &pp)) {
837 warn("DIOCGETADDRS");
841 TAILQ_INIT(&pool->list);
842 for (pnr = 0; pnr < mpnr; ++pnr) {
844 if (ioctl(dev, DIOCGETADDR, &pp)) {
848 pa = calloc(1, sizeof(struct pf_pooladdr));
851 bcopy(&pp.addr, pa, sizeof(struct pf_pooladdr));
852 TAILQ_INSERT_TAIL(&pool->list, pa, entries);
859 pfctl_move_pool(struct pf_pool *src, struct pf_pool *dst)
861 struct pf_pooladdr *pa;
863 while ((pa = TAILQ_FIRST(&src->list)) != NULL) {
864 TAILQ_REMOVE(&src->list, pa, entries);
865 TAILQ_INSERT_TAIL(&dst->list, pa, entries);
870 pfctl_clear_pool(struct pf_pool *pool)
872 struct pf_pooladdr *pa;
874 while ((pa = TAILQ_FIRST(&pool->list)) != NULL) {
875 TAILQ_REMOVE(&pool->list, pa, entries);
881 pfctl_print_rule_counters(struct pf_rule *rule, int opts)
883 if (opts & PF_OPT_DEBUG) {
884 const char *t[PF_SKIP_COUNT] = { "i", "d", "f",
885 "p", "sa", "sp", "da", "dp" };
888 printf(" [ Skip steps: ");
889 for (i = 0; i < PF_SKIP_COUNT; ++i) {
890 if (rule->skip[i].nr == rule->nr + 1)
893 if (rule->skip[i].nr == -1)
896 printf("%u ", rule->skip[i].nr);
900 printf(" [ queue: qname=%s qid=%u pqname=%s pqid=%u ]\n",
901 rule->qname, rule->qid, rule->pqname, rule->pqid);
903 if (opts & PF_OPT_VERBOSE) {
904 printf(" [ Evaluations: %-8llu Packets: %-8llu "
905 "Bytes: %-10llu States: %-6ju]\n",
906 (unsigned long long)rule->evaluations,
907 (unsigned long long)(rule->packets[0] +
909 (unsigned long long)(rule->bytes[0] +
910 rule->bytes[1]), (uintmax_t)rule->u_states_cur);
911 if (!(opts & PF_OPT_DEBUG))
912 printf(" [ Inserted: uid %u pid %u "
913 "State Creations: %-6ju]\n",
914 (unsigned)rule->cuid, (unsigned)rule->cpid,
915 (uintmax_t)rule->u_states_tot);
920 pfctl_print_title(char *title)
925 printf("%s\n", title);
929 pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
930 char *anchorname, int depth)
932 struct pfioc_rule pr;
933 u_int32_t nr, mnr, header = 0;
934 int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
935 int numeric = opts & PF_OPT_NUMERIC;
936 int len = strlen(path);
941 snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
943 snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
945 memset(&pr, 0, sizeof(pr));
946 memcpy(pr.anchor, path, sizeof(pr.anchor));
947 if (opts & PF_OPT_SHOWALL) {
948 pr.rule.action = PF_PASS;
949 if (ioctl(dev, DIOCGETRULES, &pr)) {
950 warn("DIOCGETRULES");
955 pr.rule.action = PF_SCRUB;
956 if (ioctl(dev, DIOCGETRULES, &pr)) {
957 warn("DIOCGETRULES");
960 if (opts & PF_OPT_SHOWALL) {
961 if (format == PFCTL_SHOW_RULES && (pr.nr > 0 || header))
962 pfctl_print_title("FILTER RULES:");
963 else if (format == PFCTL_SHOW_LABELS && labels)
964 pfctl_print_title("LABEL COUNTERS:");
967 if (opts & PF_OPT_CLRRULECTRS)
968 pr.action = PF_GET_CLR_CNTR;
970 for (nr = 0; nr < mnr; ++nr) {
972 if (ioctl(dev, DIOCGETRULE, &pr)) {
977 if (pfctl_get_pool(dev, &pr.rule.rpool,
978 nr, pr.ticket, PF_SCRUB, path) != 0)
982 case PFCTL_SHOW_LABELS:
984 case PFCTL_SHOW_RULES:
985 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
987 print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric);
989 pfctl_print_rule_counters(&pr.rule, opts);
991 case PFCTL_SHOW_NOTHING:
994 pfctl_clear_pool(&pr.rule.rpool);
996 pr.rule.action = PF_PASS;
997 if (ioctl(dev, DIOCGETRULES, &pr)) {
998 warn("DIOCGETRULES");
1002 for (nr = 0; nr < mnr; ++nr) {
1004 if (ioctl(dev, DIOCGETRULE, &pr)) {
1005 warn("DIOCGETRULE");
1009 if (pfctl_get_pool(dev, &pr.rule.rpool,
1010 nr, pr.ticket, PF_PASS, path) != 0)
1014 case PFCTL_SHOW_LABELS:
1015 if (pr.rule.label[0]) {
1016 printf("%s %llu %llu %llu %llu"
1017 " %llu %llu %llu %ju\n",
1019 (unsigned long long)pr.rule.evaluations,
1020 (unsigned long long)(pr.rule.packets[0] +
1021 pr.rule.packets[1]),
1022 (unsigned long long)(pr.rule.bytes[0] +
1024 (unsigned long long)pr.rule.packets[0],
1025 (unsigned long long)pr.rule.bytes[0],
1026 (unsigned long long)pr.rule.packets[1],
1027 (unsigned long long)pr.rule.bytes[1],
1028 (uintmax_t)pr.rule.u_states_tot);
1031 case PFCTL_SHOW_RULES:
1033 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
1035 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1036 if (pr.anchor_call[0] &&
1037 ((((p = strrchr(pr.anchor_call, '_')) != NULL) &&
1038 ((void *)p == (void *)pr.anchor_call ||
1039 *(--p) == '/')) || (opts & PF_OPT_RECURSE))) {
1041 if ((p = strrchr(pr.anchor_call, '/')) !=
1045 p = &pr.anchor_call[0];
1047 p = &pr.anchor_call[0];
1049 print_rule(&pr.rule, p, rule_numbers, numeric);
1054 pfctl_print_rule_counters(&pr.rule, opts);
1056 pfctl_show_rules(dev, path, opts, format,
1058 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1062 case PFCTL_SHOW_NOTHING:
1065 pfctl_clear_pool(&pr.rule.rpool);
1076 pfctl_show_nat(int dev, int opts, char *anchorname)
1078 struct pfioc_rule pr;
1080 static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT };
1081 int i, dotitle = opts & PF_OPT_SHOWALL;
1083 memset(&pr, 0, sizeof(pr));
1084 memcpy(pr.anchor, anchorname, sizeof(pr.anchor));
1085 for (i = 0; i < 3; i++) {
1086 pr.rule.action = nattype[i];
1087 if (ioctl(dev, DIOCGETRULES, &pr)) {
1088 warn("DIOCGETRULES");
1092 for (nr = 0; nr < mnr; ++nr) {
1094 if (ioctl(dev, DIOCGETRULE, &pr)) {
1095 warn("DIOCGETRULE");
1098 if (pfctl_get_pool(dev, &pr.rule.rpool, nr,
1099 pr.ticket, nattype[i], anchorname) != 0)
1102 pfctl_print_title("TRANSLATION RULES:");
1105 print_rule(&pr.rule, pr.anchor_call,
1106 opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
1108 pfctl_print_rule_counters(&pr.rule, opts);
1109 pfctl_clear_pool(&pr.rule.rpool);
1116 pfctl_show_src_nodes(int dev, int opts)
1118 struct pfioc_src_nodes psn;
1119 struct pf_src_node *p;
1120 char *inbuf = NULL, *newinbuf = NULL;
1121 unsigned int len = 0;
1124 memset(&psn, 0, sizeof(psn));
1128 newinbuf = realloc(inbuf, len);
1129 if (newinbuf == NULL)
1131 psn.psn_buf = inbuf = newinbuf;
1133 if (ioctl(dev, DIOCGETSRCNODES, &psn) < 0) {
1134 warn("DIOCGETSRCNODES");
1138 if (psn.psn_len + sizeof(struct pfioc_src_nodes) < len)
1140 if (len == 0 && psn.psn_len == 0)
1142 if (len == 0 && psn.psn_len != 0)
1144 if (psn.psn_len == 0)
1145 goto done; /* no src_nodes */
1148 p = psn.psn_src_nodes;
1149 if (psn.psn_len > 0 && (opts & PF_OPT_SHOWALL))
1150 pfctl_print_title("SOURCE TRACKING NODES:");
1151 for (i = 0; i < psn.psn_len; i += sizeof(*p)) {
1152 print_src_node(p, opts);
1161 pfctl_show_states(int dev, const char *iface, int opts)
1163 struct pfioc_states ps;
1164 struct pfsync_state *p;
1165 char *inbuf = NULL, *newinbuf = NULL;
1166 unsigned int len = 0;
1167 int i, dotitle = (opts & PF_OPT_SHOWALL);
1169 memset(&ps, 0, sizeof(ps));
1173 newinbuf = realloc(inbuf, len);
1174 if (newinbuf == NULL)
1176 ps.ps_buf = inbuf = newinbuf;
1178 if (ioctl(dev, DIOCGETSTATES, &ps) < 0) {
1179 warn("DIOCGETSTATES");
1183 if (ps.ps_len + sizeof(struct pfioc_states) < len)
1185 if (len == 0 && ps.ps_len == 0)
1187 if (len == 0 && ps.ps_len != 0)
1190 goto done; /* no states */
1194 for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
1195 if (iface != NULL && strcmp(p->ifname, iface))
1198 pfctl_print_title("STATES:");
1201 print_state(p, opts);
1209 pfctl_show_status(int dev, int opts)
1211 struct pf_status status;
1213 if (ioctl(dev, DIOCGETSTATUS, &status)) {
1214 warn("DIOCGETSTATUS");
1217 if (opts & PF_OPT_SHOWALL)
1218 pfctl_print_title("INFO:");
1219 print_status(&status, opts);
1224 pfctl_show_running(int dev)
1226 struct pf_status status;
1228 if (ioctl(dev, DIOCGETSTATUS, &status)) {
1229 warn("DIOCGETSTATUS");
1233 print_running(&status);
1234 return (!status.running);
1238 pfctl_show_timeouts(int dev, int opts)
1243 if (opts & PF_OPT_SHOWALL)
1244 pfctl_print_title("TIMEOUTS:");
1245 memset(&pt, 0, sizeof(pt));
1246 for (i = 0; pf_timeouts[i].name; i++) {
1247 pt.timeout = pf_timeouts[i].timeout;
1248 if (ioctl(dev, DIOCGETTIMEOUT, &pt))
1249 err(1, "DIOCGETTIMEOUT");
1250 printf("%-20s %10d", pf_timeouts[i].name, pt.seconds);
1251 if (pf_timeouts[i].timeout >= PFTM_ADAPTIVE_START &&
1252 pf_timeouts[i].timeout <= PFTM_ADAPTIVE_END)
1263 pfctl_show_limits(int dev, int opts)
1265 struct pfioc_limit pl;
1268 if (opts & PF_OPT_SHOWALL)
1269 pfctl_print_title("LIMITS:");
1270 memset(&pl, 0, sizeof(pl));
1271 for (i = 0; pf_limits[i].name; i++) {
1272 pl.index = pf_limits[i].index;
1273 if (ioctl(dev, DIOCGETLIMIT, &pl))
1274 err(1, "DIOCGETLIMIT");
1275 printf("%-13s ", pf_limits[i].name);
1276 if (pl.limit == UINT_MAX)
1277 printf("unlimited\n");
1279 printf("hard limit %8u\n", pl.limit);
1284 /* callbacks for rule/nat/rdr/addr */
1286 pfctl_add_pool(struct pfctl *pf, struct pf_pool *p, sa_family_t af)
1288 struct pf_pooladdr *pa;
1290 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1291 if (ioctl(pf->dev, DIOCBEGINADDRS, &pf->paddr))
1292 err(1, "DIOCBEGINADDRS");
1296 TAILQ_FOREACH(pa, &p->list, entries) {
1297 memcpy(&pf->paddr.addr, pa, sizeof(struct pf_pooladdr));
1298 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1299 if (ioctl(pf->dev, DIOCADDADDR, &pf->paddr))
1300 err(1, "DIOCADDADDR");
1307 pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
1310 struct pf_rule *rule;
1311 struct pf_ruleset *rs;
1314 rs_num = pf_get_ruleset_number(r->action);
1315 if (rs_num == PF_RULESET_MAX)
1316 errx(1, "Invalid rule type %d", r->action);
1318 rs = &pf->anchor->ruleset;
1320 if (anchor_call[0] && r->anchor == NULL) {
1322 * Don't make non-brace anchors part of the main anchor pool.
1324 if ((r->anchor = calloc(1, sizeof(*r->anchor))) == NULL)
1325 err(1, "pfctl_add_rule: calloc");
1327 pf_init_ruleset(&r->anchor->ruleset);
1328 r->anchor->ruleset.anchor = r->anchor;
1329 if (strlcpy(r->anchor->path, anchor_call,
1330 sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path))
1331 errx(1, "pfctl_add_rule: strlcpy");
1332 if ((p = strrchr(anchor_call, '/')) != NULL) {
1334 err(1, "pfctl_add_rule: bad anchor name %s",
1337 p = (char *)anchor_call;
1338 if (strlcpy(r->anchor->name, p,
1339 sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name))
1340 errx(1, "pfctl_add_rule: strlcpy");
1343 if ((rule = calloc(1, sizeof(*rule))) == NULL)
1345 bcopy(r, rule, sizeof(*rule));
1346 TAILQ_INIT(&rule->rpool.list);
1347 pfctl_move_pool(&r->rpool, &rule->rpool);
1349 TAILQ_INSERT_TAIL(rs->rules[rs_num].active.ptr, rule, entries);
1354 pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a)
1356 int osize = pf->trans->pfrb_size;
1358 if ((pf->loadopt & PFCTL_FLAG_NAT) != 0) {
1359 if (pfctl_add_trans(pf->trans, PF_RULESET_NAT, path) ||
1360 pfctl_add_trans(pf->trans, PF_RULESET_BINAT, path) ||
1361 pfctl_add_trans(pf->trans, PF_RULESET_RDR, path))
1364 if (a == pf->astack[0] && ((altqsupport &&
1365 (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
1366 if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path))
1369 if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) {
1370 if (pfctl_add_trans(pf->trans, PF_RULESET_SCRUB, path) ||
1371 pfctl_add_trans(pf->trans, PF_RULESET_FILTER, path))
1374 if (pf->loadopt & PFCTL_FLAG_TABLE)
1375 if (pfctl_add_trans(pf->trans, PF_RULESET_TABLE, path))
1377 if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize))
1384 pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
1385 int rs_num, int depth)
1388 int error, len = strlen(path);
1391 pf->anchor = rs->anchor;
1394 snprintf(&path[len], MAXPATHLEN - len, "/%s", pf->anchor->name);
1396 snprintf(&path[len], MAXPATHLEN - len, "%s", pf->anchor->name);
1399 if (TAILQ_FIRST(rs->rules[rs_num].active.ptr) != NULL) {
1401 if (pf->opts & PF_OPT_VERBOSE)
1403 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
1404 (error = pfctl_ruleset_trans(pf,
1405 path, rs->anchor))) {
1406 printf("pfctl_load_rulesets: "
1407 "pfctl_ruleset_trans %d\n", error);
1410 } else if (pf->opts & PF_OPT_VERBOSE)
1415 if (pf->optimize && rs_num == PF_RULESET_FILTER)
1416 pfctl_optimize_ruleset(pf, rs);
1418 while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) {
1419 TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);
1420 if ((error = pfctl_load_rule(pf, path, r, depth)))
1423 if ((error = pfctl_load_ruleset(pf, path,
1424 &r->anchor->ruleset, rs_num, depth + 1)))
1426 } else if (pf->opts & PF_OPT_VERBOSE)
1430 if (brace && pf->opts & PF_OPT_VERBOSE) {
1431 INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE));
1444 pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth)
1446 u_int8_t rs_num = pf_get_ruleset_number(r->action);
1448 struct pfioc_rule pr;
1449 int len = strlen(path);
1451 bzero(&pr, sizeof(pr));
1452 /* set up anchor before adding to path for anchor_call */
1453 if ((pf->opts & PF_OPT_NOACTION) == 0)
1454 pr.ticket = pfctl_get_ticket(pf->trans, rs_num, path);
1455 if (strlcpy(pr.anchor, path, sizeof(pr.anchor)) >= sizeof(pr.anchor))
1456 errx(1, "pfctl_load_rule: strlcpy");
1459 if (r->anchor->match) {
1461 snprintf(&path[len], MAXPATHLEN - len,
1462 "/%s", r->anchor->name);
1464 snprintf(&path[len], MAXPATHLEN - len,
1465 "%s", r->anchor->name);
1466 name = r->anchor->name;
1468 name = r->anchor->path;
1472 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1473 if (pfctl_add_pool(pf, &r->rpool, r->af))
1475 pr.pool_ticket = pf->paddr.ticket;
1476 memcpy(&pr.rule, r, sizeof(pr.rule));
1477 if (r->anchor && strlcpy(pr.anchor_call, name,
1478 sizeof(pr.anchor_call)) >= sizeof(pr.anchor_call))
1479 errx(1, "pfctl_load_rule: strlcpy");
1480 if (ioctl(pf->dev, DIOCADDRULE, &pr))
1481 err(1, "DIOCADDRULE");
1484 if (pf->opts & PF_OPT_VERBOSE) {
1485 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
1486 print_rule(r, r->anchor ? r->anchor->name : "",
1487 pf->opts & PF_OPT_VERBOSE2,
1488 pf->opts & PF_OPT_NUMERIC);
1491 pfctl_clear_pool(&r->rpool);
1496 pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
1499 (loadopt & PFCTL_FLAG_ALTQ) != 0) {
1500 memcpy(&pf->paltq->altq, a, sizeof(struct pf_altq));
1501 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1502 if (ioctl(pf->dev, DIOCADDALTQ, pf->paltq)) {
1504 errx(1, "qtype not configured");
1505 else if (errno == ENODEV)
1506 errx(1, "%s: driver does not support "
1509 err(1, "DIOCADDALTQ");
1512 pfaltq_store(&pf->paltq->altq);
1518 pfctl_rules(int dev, char *filename, int opts, int optimize,
1519 char *anchorname, struct pfr_buffer *trans)
1521 #define ERR(x) do { warn(x); goto _error; } while(0)
1522 #define ERRX(x) do { warnx(x); goto _error; } while(0)
1524 struct pfr_buffer *t, buf;
1525 struct pfioc_altq pa;
1527 struct pf_ruleset *rs;
1528 struct pfr_table trs;
1532 RB_INIT(&pf_anchors);
1533 memset(&pf_main_anchor, 0, sizeof(pf_main_anchor));
1534 pf_init_ruleset(&pf_main_anchor.ruleset);
1535 pf_main_anchor.ruleset.anchor = &pf_main_anchor;
1536 if (trans == NULL) {
1537 bzero(&buf, sizeof(buf));
1538 buf.pfrb_type = PFRB_TRANS;
1543 osize = t->pfrb_size;
1546 memset(&pa, 0, sizeof(pa));
1547 memset(&pf, 0, sizeof(pf));
1548 memset(&trs, 0, sizeof(trs));
1549 if ((path = calloc(1, MAXPATHLEN)) == NULL)
1550 ERRX("pfctl_rules: calloc");
1551 if (strlcpy(trs.pfrt_anchor, anchorname,
1552 sizeof(trs.pfrt_anchor)) >= sizeof(trs.pfrt_anchor))
1553 ERRX("pfctl_rules: strlcpy");
1556 pf.optimize = optimize;
1557 pf.loadopt = loadopt;
1559 /* non-brace anchor, create without resolving the path */
1560 if ((pf.anchor = calloc(1, sizeof(*pf.anchor))) == NULL)
1561 ERRX("pfctl_rules: calloc");
1562 rs = &pf.anchor->ruleset;
1563 pf_init_ruleset(rs);
1564 rs->anchor = pf.anchor;
1565 if (strlcpy(pf.anchor->path, anchorname,
1566 sizeof(pf.anchor->path)) >= sizeof(pf.anchor->path))
1567 errx(1, "pfctl_add_rule: strlcpy");
1568 if (strlcpy(pf.anchor->name, anchorname,
1569 sizeof(pf.anchor->name)) >= sizeof(pf.anchor->name))
1570 errx(1, "pfctl_add_rule: strlcpy");
1573 pf.astack[0] = pf.anchor;
1576 pf.loadopt &= ~PFCTL_FLAG_ALTQ;
1579 pfctl_init_options(&pf);
1581 if ((opts & PF_OPT_NOACTION) == 0) {
1583 * XXX For the time being we need to open transactions for
1584 * the main ruleset before parsing, because tables are still
1585 * loaded at parse time.
1587 if (pfctl_ruleset_trans(&pf, anchorname, pf.anchor))
1588 ERRX("pfctl_rules");
1589 if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))
1591 pfctl_get_ticket(t, PF_RULESET_ALTQ, anchorname);
1592 if (pf.loadopt & PFCTL_FLAG_TABLE)
1593 pf.astack[0]->ruleset.tticket =
1594 pfctl_get_ticket(t, PF_RULESET_TABLE, anchorname);
1597 if (parse_config(filename, &pf) < 0) {
1598 if ((opts & PF_OPT_NOACTION) == 0)
1599 ERRX("Syntax error in config file: "
1600 "pf rules not loaded");
1604 if (loadopt & PFCTL_FLAG_OPTION)
1605 pfctl_adjust_skip_ifaces(&pf);
1607 if ((pf.loadopt & PFCTL_FLAG_FILTER &&
1608 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) ||
1609 (pf.loadopt & PFCTL_FLAG_NAT &&
1610 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_NAT, 0) ||
1611 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_RDR, 0) ||
1612 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_BINAT, 0))) ||
1613 (pf.loadopt & PFCTL_FLAG_FILTER &&
1614 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_FILTER, 0))) {
1615 if ((opts & PF_OPT_NOACTION) == 0)
1616 ERRX("Unable to load rules into kernel");
1621 if ((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0))
1622 if (check_commit_altq(dev, opts) != 0)
1623 ERRX("errors in altq config");
1625 /* process "load anchor" directives */
1627 if (pfctl_load_anchors(dev, &pf, t) == -1)
1628 ERRX("load anchors");
1630 if (trans == NULL && (opts & PF_OPT_NOACTION) == 0) {
1632 if (pfctl_load_options(&pf))
1634 if (pfctl_trans(dev, t, DIOCXCOMMIT, osize))
1641 if (trans == NULL) { /* main ruleset */
1642 if ((opts & PF_OPT_NOACTION) == 0)
1643 if (pfctl_trans(dev, t, DIOCXROLLBACK, osize))
1644 err(1, "DIOCXROLLBACK");
1646 } else { /* sub ruleset */
1656 pfctl_fopen(const char *name, const char *mode)
1661 fp = fopen(name, mode);
1664 if (fstat(fileno(fp), &st)) {
1668 if (S_ISDIR(st.st_mode)) {
1677 pfctl_init_options(struct pfctl *pf)
1680 pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
1681 pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
1682 pf->timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
1683 pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
1684 pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
1685 pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
1686 pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
1687 pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
1688 pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
1689 pf->timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
1690 pf->timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
1691 pf->timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
1692 pf->timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
1693 pf->timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
1694 pf->timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
1695 pf->timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
1696 pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
1697 pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
1698 pf->timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
1699 pf->timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
1701 pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
1702 pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
1703 pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
1704 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
1706 pf->debug = PF_DEBUG_URGENT;
1710 pfctl_load_options(struct pfctl *pf)
1714 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1718 for (i = 0; i < PF_LIMIT_MAX; i++) {
1719 if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i])
1721 if (pfctl_load_limit(pf, i, pf->limit[i]))
1726 * If we've set the limit, but haven't explicitly set adaptive
1727 * timeouts, do it now with a start of 60% and end of 120%.
1729 if (pf->limit_set[PF_LIMIT_STATES] &&
1730 !pf->timeout_set[PFTM_ADAPTIVE_START] &&
1731 !pf->timeout_set[PFTM_ADAPTIVE_END]) {
1732 pf->timeout[PFTM_ADAPTIVE_START] =
1733 (pf->limit[PF_LIMIT_STATES] / 10) * 6;
1734 pf->timeout_set[PFTM_ADAPTIVE_START] = 1;
1735 pf->timeout[PFTM_ADAPTIVE_END] =
1736 (pf->limit[PF_LIMIT_STATES] / 10) * 12;
1737 pf->timeout_set[PFTM_ADAPTIVE_END] = 1;
1741 for (i = 0; i < PFTM_MAX; i++) {
1742 if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i])
1744 if (pfctl_load_timeout(pf, i, pf->timeout[i]))
1749 if (!(pf->opts & PF_OPT_MERGE) || pf->debug_set)
1750 if (pfctl_load_debug(pf, pf->debug))
1754 if (!(pf->opts & PF_OPT_MERGE) || pf->ifname_set)
1755 if (pfctl_load_logif(pf, pf->ifname))
1759 if (!(pf->opts & PF_OPT_MERGE) || pf->hostid_set)
1760 if (pfctl_load_hostid(pf, pf->hostid))
1767 pfctl_set_limit(struct pfctl *pf, const char *opt, unsigned int limit)
1772 for (i = 0; pf_limits[i].name; i++) {
1773 if (strcasecmp(opt, pf_limits[i].name) == 0) {
1774 pf->limit[pf_limits[i].index] = limit;
1775 pf->limit_set[pf_limits[i].index] = 1;
1779 if (pf_limits[i].name == NULL) {
1780 warnx("Bad pool name.");
1784 if (pf->opts & PF_OPT_VERBOSE)
1785 printf("set limit %s %d\n", opt, limit);
1791 pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
1793 struct pfioc_limit pl;
1795 memset(&pl, 0, sizeof(pl));
1798 if (ioctl(pf->dev, DIOCSETLIMIT, &pl)) {
1800 warnx("Current pool size exceeds requested hard limit");
1802 warnx("DIOCSETLIMIT");
1809 pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
1813 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1816 for (i = 0; pf_timeouts[i].name; i++) {
1817 if (strcasecmp(opt, pf_timeouts[i].name) == 0) {
1818 pf->timeout[pf_timeouts[i].timeout] = seconds;
1819 pf->timeout_set[pf_timeouts[i].timeout] = 1;
1824 if (pf_timeouts[i].name == NULL) {
1825 warnx("Bad timeout name.");
1830 if (pf->opts & PF_OPT_VERBOSE && ! quiet)
1831 printf("set timeout %s %d\n", opt, seconds);
1837 pfctl_load_timeout(struct pfctl *pf, unsigned int timeout, unsigned int seconds)
1841 memset(&pt, 0, sizeof(pt));
1842 pt.timeout = timeout;
1843 pt.seconds = seconds;
1844 if (ioctl(pf->dev, DIOCSETTIMEOUT, &pt)) {
1845 warnx("DIOCSETTIMEOUT");
1852 pfctl_set_optimization(struct pfctl *pf, const char *opt)
1854 const struct pf_hint *hint;
1857 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1860 for (i = 0; pf_hints[i].name; i++)
1861 if (strcasecmp(opt, pf_hints[i].name) == 0)
1864 hint = pf_hints[i].hint;
1866 warnx("invalid state timeouts optimization");
1870 for (i = 0; hint[i].name; i++)
1871 if ((r = pfctl_set_timeout(pf, hint[i].name,
1872 hint[i].timeout, 1)))
1875 if (pf->opts & PF_OPT_VERBOSE)
1876 printf("set optimization %s\n", opt);
1882 pfctl_set_logif(struct pfctl *pf, char *ifname)
1885 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1888 if (!strcmp(ifname, "none")) {
1892 pf->ifname = strdup(ifname);
1894 errx(1, "pfctl_set_logif: strdup");
1898 if (pf->opts & PF_OPT_VERBOSE)
1899 printf("set loginterface %s\n", ifname);
1905 pfctl_load_logif(struct pfctl *pf, char *ifname)
1909 memset(&pi, 0, sizeof(pi));
1910 if (ifname && strlcpy(pi.ifname, ifname,
1911 sizeof(pi.ifname)) >= sizeof(pi.ifname)) {
1912 warnx("pfctl_load_logif: strlcpy");
1915 if (ioctl(pf->dev, DIOCSETSTATUSIF, &pi)) {
1916 warnx("DIOCSETSTATUSIF");
1923 pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
1925 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1930 pf->hostid = hostid;
1933 if (pf->opts & PF_OPT_VERBOSE)
1934 printf("set hostid 0x%08x\n", ntohl(hostid));
1940 pfctl_load_hostid(struct pfctl *pf, u_int32_t hostid)
1942 if (ioctl(dev, DIOCSETHOSTID, &hostid)) {
1943 warnx("DIOCSETHOSTID");
1950 pfctl_set_debug(struct pfctl *pf, char *d)
1954 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1957 if (!strcmp(d, "none"))
1958 pf->debug = PF_DEBUG_NONE;
1959 else if (!strcmp(d, "urgent"))
1960 pf->debug = PF_DEBUG_URGENT;
1961 else if (!strcmp(d, "misc"))
1962 pf->debug = PF_DEBUG_MISC;
1963 else if (!strcmp(d, "loud"))
1964 pf->debug = PF_DEBUG_NOISY;
1966 warnx("unknown debug level \"%s\"", d);
1973 if ((pf->opts & PF_OPT_NOACTION) == 0)
1974 if (ioctl(dev, DIOCSETDEBUG, &level))
1975 err(1, "DIOCSETDEBUG");
1977 if (pf->opts & PF_OPT_VERBOSE)
1978 printf("set debug %s\n", d);
1984 pfctl_load_debug(struct pfctl *pf, unsigned int level)
1986 if (ioctl(pf->dev, DIOCSETDEBUG, &level)) {
1987 warnx("DIOCSETDEBUG");
1994 pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
1996 struct pfioc_iface pi;
1998 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2001 bzero(&pi, sizeof(pi));
2003 pi.pfiio_flags = flags;
2005 if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
2006 sizeof(pi.pfiio_name))
2007 errx(1, "pfctl_set_interface_flags: strlcpy");
2009 if ((pf->opts & PF_OPT_NOACTION) == 0) {
2011 if (ioctl(pf->dev, DIOCCLRIFFLAG, &pi))
2012 err(1, "DIOCCLRIFFLAG");
2014 if (ioctl(pf->dev, DIOCSETIFFLAG, &pi))
2015 err(1, "DIOCSETIFFLAG");
2016 pfctl_check_skip_ifaces(ifname);
2023 pfctl_debug(int dev, u_int32_t level, int opts)
2025 if (ioctl(dev, DIOCSETDEBUG, &level))
2026 err(1, "DIOCSETDEBUG");
2027 if ((opts & PF_OPT_QUIET) == 0) {
2028 fprintf(stderr, "debug level set to '");
2031 fprintf(stderr, "none");
2033 case PF_DEBUG_URGENT:
2034 fprintf(stderr, "urgent");
2037 fprintf(stderr, "misc");
2039 case PF_DEBUG_NOISY:
2040 fprintf(stderr, "loud");
2043 fprintf(stderr, "<invalid>");
2046 fprintf(stderr, "'\n");
2051 pfctl_test_altqsupport(int dev, int opts)
2053 struct pfioc_altq pa;
2055 if (ioctl(dev, DIOCGETALTQS, &pa)) {
2056 if (errno == ENODEV) {
2057 if (opts & PF_OPT_VERBOSE)
2058 fprintf(stderr, "No ALTQ support in kernel\n"
2059 "ALTQ related functions disabled\n");
2062 err(1, "DIOCGETALTQS");
2068 pfctl_show_anchors(int dev, int opts, char *anchorname)
2070 struct pfioc_ruleset pr;
2073 memset(&pr, 0, sizeof(pr));
2074 memcpy(pr.path, anchorname, sizeof(pr.path));
2075 if (ioctl(dev, DIOCGETRULESETS, &pr)) {
2076 if (errno == EINVAL)
2077 fprintf(stderr, "Anchor '%s' not found.\n",
2080 err(1, "DIOCGETRULESETS");
2084 for (nr = 0; nr < mnr; ++nr) {
2085 char sub[MAXPATHLEN];
2088 if (ioctl(dev, DIOCGETRULESET, &pr))
2089 err(1, "DIOCGETRULESET");
2090 if (!strcmp(pr.name, PF_RESERVED_ANCHOR))
2094 strlcat(sub, pr.path, sizeof(sub));
2095 strlcat(sub, "/", sizeof(sub));
2097 strlcat(sub, pr.name, sizeof(sub));
2098 if (sub[0] != '_' || (opts & PF_OPT_VERBOSE))
2099 printf(" %s\n", sub);
2100 if ((opts & PF_OPT_VERBOSE) && pfctl_show_anchors(dev, opts, sub))
2107 pfctl_lookup_option(char *cmd, const char * const *list)
2109 if (cmd != NULL && *cmd)
2110 for (; *list; list++)
2111 if (!strncmp(cmd, *list, strlen(cmd)))
2117 main(int argc, char *argv[])
2121 int mode = O_RDONLY;
2123 int optimize = PF_OPTIMIZE_BASIC;
2124 char anchorname[MAXPATHLEN];
2130 while ((ch = getopt(argc, argv,
2131 "a:AdD:eqf:F:ghi:k:K:mnNOo:Pp:rRs:t:T:vx:z")) != -1) {
2137 opts |= PF_OPT_DISABLE;
2141 if (pfctl_cmdline_symset(optarg) < 0)
2142 warnx("could not parse macro definition %s",
2146 opts |= PF_OPT_ENABLE;
2150 opts |= PF_OPT_QUIET;
2153 clearopt = pfctl_lookup_option(optarg, clearopt_list);
2154 if (clearopt == NULL) {
2155 warnx("Unknown flush modifier '%s'", optarg);
2164 if (state_killers >= 2) {
2165 warnx("can only specify -k twice");
2169 state_kill[state_killers++] = optarg;
2173 if (src_node_killers >= 2) {
2174 warnx("can only specify -K twice");
2178 src_node_kill[src_node_killers++] = optarg;
2182 opts |= PF_OPT_MERGE;
2185 opts |= PF_OPT_NOACTION;
2188 loadopt |= PFCTL_FLAG_NAT;
2191 opts |= PF_OPT_USEDNS;
2198 opts |= PF_OPT_DEBUG;
2201 loadopt |= PFCTL_FLAG_ALTQ;
2204 loadopt |= PFCTL_FLAG_FILTER;
2207 optiopt = pfctl_lookup_option(optarg, optiopt_list);
2208 if (optiopt == NULL) {
2209 warnx("Unknown optimization '%s'", optarg);
2212 opts |= PF_OPT_OPTIMIZE;
2215 loadopt |= PFCTL_FLAG_OPTION;
2221 opts |= PF_OPT_NUMERIC;
2224 showopt = pfctl_lookup_option(optarg, showopt_list);
2225 if (showopt == NULL) {
2226 warnx("Unknown show modifier '%s'", optarg);
2234 tblcmdopt = pfctl_lookup_option(optarg, tblcmdopt_list);
2235 if (tblcmdopt == NULL) {
2236 warnx("Unknown table command '%s'", optarg);
2241 if (opts & PF_OPT_VERBOSE)
2242 opts |= PF_OPT_VERBOSE2;
2243 opts |= PF_OPT_VERBOSE;
2246 debugopt = pfctl_lookup_option(optarg, debugopt_list);
2247 if (debugopt == NULL) {
2248 warnx("Unknown debug level '%s'", optarg);
2254 opts |= PF_OPT_CLRRULECTRS;
2265 if (tblcmdopt != NULL) {
2270 loadopt |= PFCTL_FLAG_TABLE;
2273 mode = strchr("acdefkrz", ch) ? O_RDWR : O_RDONLY;
2274 } else if (argc != optind) {
2275 warnx("unknown command line argument: %s ...", argv[optind]);
2282 if ((path = calloc(1, MAXPATHLEN)) == NULL)
2283 errx(1, "pfctl: calloc");
2284 memset(anchorname, 0, sizeof(anchorname));
2285 if (anchoropt != NULL) {
2286 int len = strlen(anchoropt);
2288 if (anchoropt[len - 1] == '*') {
2289 if (len >= 2 && anchoropt[len - 2] == '/')
2290 anchoropt[len - 2] = '\0';
2292 anchoropt[len - 1] = '\0';
2293 opts |= PF_OPT_RECURSE;
2295 if (strlcpy(anchorname, anchoropt,
2296 sizeof(anchorname)) >= sizeof(anchorname))
2297 errx(1, "anchor name '%s' too long",
2299 loadopt &= PFCTL_FLAG_FILTER|PFCTL_FLAG_NAT|PFCTL_FLAG_TABLE;
2302 if ((opts & PF_OPT_NOACTION) == 0) {
2303 dev = open(pf_device, mode);
2305 err(1, "%s", pf_device);
2306 altqsupport = pfctl_test_altqsupport(dev, opts);
2308 dev = open(pf_device, O_RDONLY);
2310 opts |= PF_OPT_DUMMYACTION;
2311 /* turn off options */
2312 opts &= ~ (PF_OPT_DISABLE | PF_OPT_ENABLE);
2313 clearopt = showopt = debugopt = NULL;
2314 #if !defined(ENABLE_ALTQ)
2321 if (opts & PF_OPT_DISABLE)
2322 if (pfctl_disable(dev, opts))
2325 if (showopt != NULL) {
2328 pfctl_show_anchors(dev, opts, anchorname);
2331 pfctl_load_fingerprints(dev, opts);
2332 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_RULES,
2336 pfctl_load_fingerprints(dev, opts);
2337 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_LABELS,
2341 pfctl_load_fingerprints(dev, opts);
2342 pfctl_show_nat(dev, opts, anchorname);
2345 pfctl_show_altq(dev, ifaceopt, opts,
2346 opts & PF_OPT_VERBOSE2);
2349 pfctl_show_states(dev, ifaceopt, opts);
2352 pfctl_show_src_nodes(dev, opts);
2355 pfctl_show_status(dev, opts);
2358 error = pfctl_show_running(dev);
2361 pfctl_show_timeouts(dev, opts);
2364 pfctl_show_limits(dev, opts);
2367 opts |= PF_OPT_SHOWALL;
2368 pfctl_load_fingerprints(dev, opts);
2370 pfctl_show_nat(dev, opts, anchorname);
2371 pfctl_show_rules(dev, path, opts, 0, anchorname, 0);
2372 pfctl_show_altq(dev, ifaceopt, opts, 0);
2373 pfctl_show_states(dev, ifaceopt, opts);
2374 pfctl_show_src_nodes(dev, opts);
2375 pfctl_show_status(dev, opts);
2376 pfctl_show_rules(dev, path, opts, 1, anchorname, 0);
2377 pfctl_show_timeouts(dev, opts);
2378 pfctl_show_limits(dev, opts);
2379 pfctl_show_tables(anchorname, opts);
2380 pfctl_show_fingerprints(opts);
2383 pfctl_show_tables(anchorname, opts);
2386 pfctl_load_fingerprints(dev, opts);
2387 pfctl_show_fingerprints(opts);
2390 pfctl_show_ifaces(ifaceopt, opts);
2395 if ((opts & PF_OPT_CLRRULECTRS) && showopt == NULL)
2396 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_NOTHING,
2399 if (clearopt != NULL) {
2400 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
2401 errx(1, "anchor names beginning with '_' cannot "
2402 "be modified from the command line");
2404 switch (*clearopt) {
2406 pfctl_clear_rules(dev, opts, anchorname);
2409 pfctl_clear_nat(dev, opts, anchorname);
2412 pfctl_clear_altq(dev, opts);
2415 pfctl_clear_states(dev, ifaceopt, opts);
2418 pfctl_clear_src_nodes(dev, opts);
2421 pfctl_clear_stats(dev, opts);
2424 pfctl_clear_rules(dev, opts, anchorname);
2425 pfctl_clear_nat(dev, opts, anchorname);
2426 pfctl_clear_tables(anchorname, opts);
2428 pfctl_clear_altq(dev, opts);
2429 pfctl_clear_states(dev, ifaceopt, opts);
2430 pfctl_clear_src_nodes(dev, opts);
2431 pfctl_clear_stats(dev, opts);
2432 pfctl_clear_fingerprints(dev, opts);
2433 pfctl_clear_interface_flags(dev, opts);
2437 pfctl_clear_fingerprints(dev, opts);
2440 pfctl_clear_tables(anchorname, opts);
2444 if (state_killers) {
2445 if (!strcmp(state_kill[0], "label"))
2446 pfctl_label_kill_states(dev, ifaceopt, opts);
2447 else if (!strcmp(state_kill[0], "id"))
2448 pfctl_id_kill_states(dev, ifaceopt, opts);
2450 pfctl_net_kill_states(dev, ifaceopt, opts);
2453 if (src_node_killers)
2454 pfctl_kill_src_nodes(dev, ifaceopt, opts);
2456 if (tblcmdopt != NULL) {
2457 error = pfctl_command_tables(argc, argv, tableopt,
2458 tblcmdopt, rulesopt, anchorname, opts);
2461 if (optiopt != NULL) {
2467 optimize |= PF_OPTIMIZE_BASIC;
2471 optimize |= PF_OPTIMIZE_PROFILE;
2476 if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) &&
2477 !anchorname[0] && !(opts & PF_OPT_NOACTION))
2478 if (pfctl_get_skip_ifaces())
2481 if (rulesopt != NULL && !(opts & (PF_OPT_MERGE|PF_OPT_NOACTION)) &&
2482 !anchorname[0] && (loadopt & PFCTL_FLAG_OPTION))
2483 if (pfctl_file_fingerprints(dev, opts, PF_OSFP_FILE))
2486 if (rulesopt != NULL) {
2487 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
2488 errx(1, "anchor names beginning with '_' cannot "
2489 "be modified from the command line");
2490 if (pfctl_rules(dev, rulesopt, opts, optimize,
2493 else if (!(opts & PF_OPT_NOACTION) &&
2494 (loadopt & PFCTL_FLAG_TABLE))
2495 warn_namespace_collision(NULL);
2498 if (opts & PF_OPT_ENABLE)
2499 if (pfctl_enable(dev, opts))
2502 if (debugopt != NULL) {
2503 switch (*debugopt) {
2505 pfctl_debug(dev, PF_DEBUG_NONE, opts);
2508 pfctl_debug(dev, PF_DEBUG_URGENT, opts);
2511 pfctl_debug(dev, PF_DEBUG_MISC, opts);
2514 pfctl_debug(dev, PF_DEBUG_NOISY, opts);
projects / FreeBSD / FreeBSD.git / blob