1 /* $OpenBSD: pfctl.c,v 1.278 2008/08/31 20:18:17 jmc Exp $ */
4 * SPDX-License-Identifier: BSD-2-Clause
6 * Copyright (c) 2001 Daniel Hartmeier
7 * Copyright (c) 2002,2003 Henning Brauer
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
14 * - Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * - Redistributions in binary form must reproduce the above
17 * copyright notice, this list of conditions and the following
18 * disclaimer in the documentation and/or other materials provided
19 * with the distribution.
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
29 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
31 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #include <sys/types.h>
40 #include <sys/ioctl.h>
41 #include <sys/socket.h>
43 #include <sys/endian.h>
46 #include <netinet/in.h>
47 #include <net/pfvar.h>
48 #include <arpa/inet.h>
49 #include <net/altq/altq.h>
50 #include <sys/sysctl.h>
63 #include "pfctl_parser.h"
67 int pfctl_enable(int, int);
68 int pfctl_disable(int, int);
69 int pfctl_clear_stats(int, int);
70 int pfctl_get_skip_ifaces(void);
71 int pfctl_check_skip_ifaces(char *);
72 int pfctl_adjust_skip_ifaces(struct pfctl *);
73 int pfctl_clear_interface_flags(int, int);
74 int pfctl_clear_rules(int, int, char *);
75 int pfctl_clear_nat(int, int, char *);
76 int pfctl_clear_altq(int, int);
77 int pfctl_clear_src_nodes(int, int);
78 int pfctl_clear_states(int, const char *, int);
79 void pfctl_addrprefix(char *, struct pf_addr *);
80 int pfctl_kill_src_nodes(int, const char *, int);
81 int pfctl_net_kill_states(int, const char *, int);
82 int pfctl_label_kill_states(int, const char *, int);
83 int pfctl_id_kill_states(int, const char *, int);
84 void pfctl_init_options(struct pfctl *);
85 int pfctl_load_options(struct pfctl *);
86 int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
87 int pfctl_load_timeout(struct pfctl *, unsigned int, unsigned int);
88 int pfctl_load_debug(struct pfctl *, unsigned int);
89 int pfctl_load_logif(struct pfctl *, char *);
90 int pfctl_load_hostid(struct pfctl *, unsigned int);
91 int pfctl_get_pool(int, struct pf_pool *, u_int32_t, u_int32_t, int,
93 void pfctl_print_rule_counters(struct pf_rule *, int);
94 int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int);
95 int pfctl_show_nat(int, int, char *);
96 int pfctl_show_src_nodes(int, int);
97 int pfctl_show_states(int, const char *, int);
98 int pfctl_show_status(int, int);
99 int pfctl_show_running(int);
100 int pfctl_show_timeouts(int, int);
101 int pfctl_show_limits(int, int);
102 void pfctl_debug(int, u_int32_t, int);
103 int pfctl_test_altqsupport(int, int);
104 int pfctl_show_anchors(int, int, char *);
105 int pfctl_ruleset_trans(struct pfctl *, char *, struct pf_anchor *);
106 int pfctl_load_ruleset(struct pfctl *, char *,
107 struct pf_ruleset *, int, int);
108 int pfctl_load_rule(struct pfctl *, char *, struct pf_rule *, int);
109 const char *pfctl_lookup_option(char *, const char **);
111 struct pf_anchor_global pf_anchors;
112 struct pf_anchor pf_main_anchor;
113 static struct pfr_buffer skip_b;
115 const char *clearopt;
118 const char *debugopt;
120 const char *optiopt = NULL;
121 char *pf_device = "/dev/pf";
124 const char *tblcmdopt;
125 int src_node_killers;
126 char *src_node_kill[2];
136 #define INDENT(d, o) do { \
139 for (i=0; i < d; i++) \
145 static const struct {
149 { "states", PF_LIMIT_STATES },
150 { "src-nodes", PF_LIMIT_SRC_NODES },
151 { "frags", PF_LIMIT_FRAGS },
152 { "table-entries", PF_LIMIT_TABLE_ENTRIES },
160 static const struct pf_hint pf_hint_normal[] = {
161 { "tcp.first", 2 * 60 },
162 { "tcp.opening", 30 },
163 { "tcp.established", 24 * 60 * 60 },
164 { "tcp.closing", 15 * 60 },
165 { "tcp.finwait", 45 },
166 { "tcp.closed", 90 },
167 { "tcp.tsdiff", 30 },
170 static const struct pf_hint pf_hint_satellite[] = {
171 { "tcp.first", 3 * 60 },
172 { "tcp.opening", 30 + 5 },
173 { "tcp.established", 24 * 60 * 60 },
174 { "tcp.closing", 15 * 60 + 5 },
175 { "tcp.finwait", 45 + 5 },
176 { "tcp.closed", 90 + 5 },
177 { "tcp.tsdiff", 60 },
180 static const struct pf_hint pf_hint_conservative[] = {
181 { "tcp.first", 60 * 60 },
182 { "tcp.opening", 15 * 60 },
183 { "tcp.established", 5 * 24 * 60 * 60 },
184 { "tcp.closing", 60 * 60 },
185 { "tcp.finwait", 10 * 60 },
186 { "tcp.closed", 3 * 60 },
187 { "tcp.tsdiff", 60 },
190 static const struct pf_hint pf_hint_aggressive[] = {
192 { "tcp.opening", 5 },
193 { "tcp.established", 5 * 60 * 60 },
194 { "tcp.closing", 60 },
195 { "tcp.finwait", 30 },
196 { "tcp.closed", 30 },
197 { "tcp.tsdiff", 10 },
201 static const struct {
203 const struct pf_hint *hint;
205 { "normal", pf_hint_normal },
206 { "satellite", pf_hint_satellite },
207 { "high-latency", pf_hint_satellite },
208 { "conservative", pf_hint_conservative },
209 { "aggressive", pf_hint_aggressive },
213 static const char *clearopt_list[] = {
214 "nat", "queue", "rules", "Sources",
215 "states", "info", "Tables", "osfp", "all", NULL
218 static const char *showopt_list[] = {
219 "nat", "queue", "rules", "Anchors", "Sources", "states", "info",
220 "Interfaces", "labels", "timeouts", "memory", "Tables", "osfp",
221 "Running", "all", NULL
224 static const char *tblcmdopt_list[] = {
225 "kill", "flush", "add", "delete", "load", "replace", "show",
226 "test", "zero", "expire", NULL
229 static const char *debugopt_list[] = {
230 "none", "urgent", "misc", "loud", NULL
233 static const char *optiopt_list[] = {
234 "none", "basic", "profile", NULL
240 extern char *__progname;
243 "usage: %s [-AdeghmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier]\n"
244 "\t[-f file] [-i interface] [-K host | network]\n"
245 "\t[-k host | network | label | id] [-o level] [-p device]\n"
246 "\t[-s modifier] [-t table -T command [address ...]] [-x level]\n",
253 pfctl_enable(int dev, int opts)
255 if (ioctl(dev, DIOCSTART)) {
257 errx(1, "pf already enabled");
258 else if (errno == ESRCH)
259 errx(1, "pfil registeration failed");
263 if ((opts & PF_OPT_QUIET) == 0)
264 fprintf(stderr, "pf enabled\n");
266 if (altqsupport && ioctl(dev, DIOCSTARTALTQ))
268 err(1, "DIOCSTARTALTQ");
274 pfctl_disable(int dev, int opts)
276 if (ioctl(dev, DIOCSTOP)) {
278 errx(1, "pf not enabled");
282 if ((opts & PF_OPT_QUIET) == 0)
283 fprintf(stderr, "pf disabled\n");
285 if (altqsupport && ioctl(dev, DIOCSTOPALTQ))
287 err(1, "DIOCSTOPALTQ");
293 pfctl_clear_stats(int dev, int opts)
295 if (ioctl(dev, DIOCCLRSTATUS))
296 err(1, "DIOCCLRSTATUS");
297 if ((opts & PF_OPT_QUIET) == 0)
298 fprintf(stderr, "pf: statistics cleared\n");
303 pfctl_get_skip_ifaces(void)
305 bzero(&skip_b, sizeof(skip_b));
306 skip_b.pfrb_type = PFRB_IFACES;
308 pfr_buf_grow(&skip_b, skip_b.pfrb_size);
309 skip_b.pfrb_size = skip_b.pfrb_msize;
310 if (pfi_get_ifaces(NULL, skip_b.pfrb_caddr, &skip_b.pfrb_size))
311 err(1, "pfi_get_ifaces");
312 if (skip_b.pfrb_size <= skip_b.pfrb_msize)
319 pfctl_check_skip_ifaces(char *ifname)
322 struct node_host *h = NULL, *n = NULL;
324 PFRB_FOREACH(p, &skip_b) {
325 if (!strcmp(ifname, p->pfik_name) &&
326 (p->pfik_flags & PFI_IFLAG_SKIP))
327 p->pfik_flags &= ~PFI_IFLAG_SKIP;
328 if (!strcmp(ifname, p->pfik_name) && p->pfik_group != NULL) {
329 if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
332 for (n = h; n != NULL; n = n->next) {
333 if (p->pfik_ifp == NULL)
335 if (strncmp(p->pfik_name, ifname, IFNAMSIZ))
338 p->pfik_flags &= ~PFI_IFLAG_SKIP;
346 pfctl_adjust_skip_ifaces(struct pfctl *pf)
348 struct pfi_kif *p, *pp;
349 struct node_host *h = NULL, *n = NULL;
351 PFRB_FOREACH(p, &skip_b) {
352 if (p->pfik_group == NULL || !(p->pfik_flags & PFI_IFLAG_SKIP))
355 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
356 if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
359 for (n = h; n != NULL; n = n->next)
360 PFRB_FOREACH(pp, &skip_b) {
361 if (pp->pfik_ifp == NULL)
364 if (strncmp(pp->pfik_name, n->ifname, IFNAMSIZ))
367 if (!(pp->pfik_flags & PFI_IFLAG_SKIP))
368 pfctl_set_interface_flags(pf,
369 pp->pfik_name, PFI_IFLAG_SKIP, 1);
370 if (pp->pfik_flags & PFI_IFLAG_SKIP)
371 pp->pfik_flags &= ~PFI_IFLAG_SKIP;
375 PFRB_FOREACH(p, &skip_b) {
376 if (p->pfik_ifp == NULL || ! (p->pfik_flags & PFI_IFLAG_SKIP))
379 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
386 pfctl_clear_interface_flags(int dev, int opts)
388 struct pfioc_iface pi;
390 if ((opts & PF_OPT_NOACTION) == 0) {
391 bzero(&pi, sizeof(pi));
392 pi.pfiio_flags = PFI_IFLAG_SKIP;
394 if (ioctl(dev, DIOCCLRIFFLAG, &pi))
395 err(1, "DIOCCLRIFFLAG");
396 if ((opts & PF_OPT_QUIET) == 0)
397 fprintf(stderr, "pf: interface flags reset\n");
403 pfctl_clear_rules(int dev, int opts, char *anchorname)
407 memset(&t, 0, sizeof(t));
408 t.pfrb_type = PFRB_TRANS;
409 if (pfctl_add_trans(&t, PF_RULESET_SCRUB, anchorname) ||
410 pfctl_add_trans(&t, PF_RULESET_FILTER, anchorname) ||
411 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
412 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
413 err(1, "pfctl_clear_rules");
414 if ((opts & PF_OPT_QUIET) == 0)
415 fprintf(stderr, "rules cleared\n");
420 pfctl_clear_nat(int dev, int opts, char *anchorname)
424 memset(&t, 0, sizeof(t));
425 t.pfrb_type = PFRB_TRANS;
426 if (pfctl_add_trans(&t, PF_RULESET_NAT, anchorname) ||
427 pfctl_add_trans(&t, PF_RULESET_BINAT, anchorname) ||
428 pfctl_add_trans(&t, PF_RULESET_RDR, anchorname) ||
429 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
430 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
431 err(1, "pfctl_clear_nat");
432 if ((opts & PF_OPT_QUIET) == 0)
433 fprintf(stderr, "nat cleared\n");
438 pfctl_clear_altq(int dev, int opts)
444 memset(&t, 0, sizeof(t));
445 t.pfrb_type = PFRB_TRANS;
446 if (pfctl_add_trans(&t, PF_RULESET_ALTQ, "") ||
447 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
448 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
449 err(1, "pfctl_clear_altq");
450 if ((opts & PF_OPT_QUIET) == 0)
451 fprintf(stderr, "altq cleared\n");
456 pfctl_clear_src_nodes(int dev, int opts)
458 if (ioctl(dev, DIOCCLRSRCNODES))
459 err(1, "DIOCCLRSRCNODES");
460 if ((opts & PF_OPT_QUIET) == 0)
461 fprintf(stderr, "source tracking entries cleared\n");
466 pfctl_clear_states(int dev, const char *iface, int opts)
468 struct pfioc_state_kill psk;
470 memset(&psk, 0, sizeof(psk));
471 if (iface != NULL && strlcpy(psk.psk_ifname, iface,
472 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
473 errx(1, "invalid interface: %s", iface);
475 if (ioctl(dev, DIOCCLRSTATES, &psk))
476 err(1, "DIOCCLRSTATES");
477 if ((opts & PF_OPT_QUIET) == 0)
478 fprintf(stderr, "%d states cleared\n", psk.psk_killed);
483 pfctl_addrprefix(char *addr, struct pf_addr *mask)
487 int prefix, ret_ga, q, r;
488 struct addrinfo hints, *res;
490 if ((p = strchr(addr, '/')) == NULL)
494 prefix = strtonum(p, 0, 128, &errstr);
496 errx(1, "prefix is %s: %s", errstr, p);
498 bzero(&hints, sizeof(hints));
499 /* prefix only with numeric addresses */
500 hints.ai_flags |= AI_NUMERICHOST;
502 if ((ret_ga = getaddrinfo(addr, NULL, &hints, &res))) {
503 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
507 if (res->ai_family == AF_INET && prefix > 32)
508 errx(1, "prefix too long for AF_INET");
509 else if (res->ai_family == AF_INET6 && prefix > 128)
510 errx(1, "prefix too long for AF_INET6");
514 switch (res->ai_family) {
516 bzero(&mask->v4, sizeof(mask->v4));
517 mask->v4.s_addr = htonl((u_int32_t)
518 (0xffffffffffULL << (32 - prefix)));
521 bzero(&mask->v6, sizeof(mask->v6));
523 memset((void *)&mask->v6, 0xff, q);
525 *((u_char *)&mask->v6 + q) =
526 (0xff00 >> r) & 0xff;
533 pfctl_kill_src_nodes(int dev, const char *iface, int opts)
535 struct pfioc_src_node_kill psnk;
536 struct addrinfo *res[2], *resp[2];
537 struct sockaddr last_src, last_dst;
538 int killed, sources, dests;
541 killed = sources = dests = 0;
543 memset(&psnk, 0, sizeof(psnk));
544 memset(&psnk.psnk_src.addr.v.a.mask, 0xff,
545 sizeof(psnk.psnk_src.addr.v.a.mask));
546 memset(&last_src, 0xff, sizeof(last_src));
547 memset(&last_dst, 0xff, sizeof(last_dst));
549 pfctl_addrprefix(src_node_kill[0], &psnk.psnk_src.addr.v.a.mask);
551 if ((ret_ga = getaddrinfo(src_node_kill[0], NULL, NULL, &res[0]))) {
552 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
555 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
556 if (resp[0]->ai_addr == NULL)
558 /* We get lots of duplicates. Catch the easy ones */
559 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
561 last_src = *(struct sockaddr *)resp[0]->ai_addr;
563 psnk.psnk_af = resp[0]->ai_family;
566 if (psnk.psnk_af == AF_INET)
567 psnk.psnk_src.addr.v.a.addr.v4 =
568 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
569 else if (psnk.psnk_af == AF_INET6)
570 psnk.psnk_src.addr.v.a.addr.v6 =
571 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
574 errx(1, "Unknown address family %d", psnk.psnk_af);
576 if (src_node_killers > 1) {
578 memset(&psnk.psnk_dst.addr.v.a.mask, 0xff,
579 sizeof(psnk.psnk_dst.addr.v.a.mask));
580 memset(&last_dst, 0xff, sizeof(last_dst));
581 pfctl_addrprefix(src_node_kill[1],
582 &psnk.psnk_dst.addr.v.a.mask);
583 if ((ret_ga = getaddrinfo(src_node_kill[1], NULL, NULL,
585 errx(1, "getaddrinfo: %s",
586 gai_strerror(ret_ga));
589 for (resp[1] = res[1]; resp[1];
590 resp[1] = resp[1]->ai_next) {
591 if (resp[1]->ai_addr == NULL)
593 if (psnk.psnk_af != resp[1]->ai_family)
596 if (memcmp(&last_dst, resp[1]->ai_addr,
597 sizeof(last_dst)) == 0)
599 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
603 if (psnk.psnk_af == AF_INET)
604 psnk.psnk_dst.addr.v.a.addr.v4 =
605 ((struct sockaddr_in *)resp[1]->
607 else if (psnk.psnk_af == AF_INET6)
608 psnk.psnk_dst.addr.v.a.addr.v6 =
609 ((struct sockaddr_in6 *)resp[1]->
612 errx(1, "Unknown address family %d",
615 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
616 err(1, "DIOCKILLSRCNODES");
617 killed += psnk.psnk_killed;
619 freeaddrinfo(res[1]);
621 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
622 err(1, "DIOCKILLSRCNODES");
623 killed += psnk.psnk_killed;
627 freeaddrinfo(res[0]);
629 if ((opts & PF_OPT_QUIET) == 0)
630 fprintf(stderr, "killed %d src nodes from %d sources and %d "
631 "destinations\n", killed, sources, dests);
636 pfctl_net_kill_states(int dev, const char *iface, int opts)
638 struct pfioc_state_kill psk;
639 struct addrinfo *res[2], *resp[2];
640 struct sockaddr last_src, last_dst;
641 int killed, sources, dests;
644 killed = sources = dests = 0;
646 memset(&psk, 0, sizeof(psk));
647 memset(&psk.psk_src.addr.v.a.mask, 0xff,
648 sizeof(psk.psk_src.addr.v.a.mask));
649 memset(&last_src, 0xff, sizeof(last_src));
650 memset(&last_dst, 0xff, sizeof(last_dst));
651 if (iface != NULL && strlcpy(psk.psk_ifname, iface,
652 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
653 errx(1, "invalid interface: %s", iface);
655 pfctl_addrprefix(state_kill[0], &psk.psk_src.addr.v.a.mask);
657 if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) {
658 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
661 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
662 if (resp[0]->ai_addr == NULL)
664 /* We get lots of duplicates. Catch the easy ones */
665 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
667 last_src = *(struct sockaddr *)resp[0]->ai_addr;
669 psk.psk_af = resp[0]->ai_family;
672 if (psk.psk_af == AF_INET)
673 psk.psk_src.addr.v.a.addr.v4 =
674 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
675 else if (psk.psk_af == AF_INET6)
676 psk.psk_src.addr.v.a.addr.v6 =
677 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
680 errx(1, "Unknown address family %d", psk.psk_af);
682 if (state_killers > 1) {
684 memset(&psk.psk_dst.addr.v.a.mask, 0xff,
685 sizeof(psk.psk_dst.addr.v.a.mask));
686 memset(&last_dst, 0xff, sizeof(last_dst));
687 pfctl_addrprefix(state_kill[1],
688 &psk.psk_dst.addr.v.a.mask);
689 if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL,
691 errx(1, "getaddrinfo: %s",
692 gai_strerror(ret_ga));
695 for (resp[1] = res[1]; resp[1];
696 resp[1] = resp[1]->ai_next) {
697 if (resp[1]->ai_addr == NULL)
699 if (psk.psk_af != resp[1]->ai_family)
702 if (memcmp(&last_dst, resp[1]->ai_addr,
703 sizeof(last_dst)) == 0)
705 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
709 if (psk.psk_af == AF_INET)
710 psk.psk_dst.addr.v.a.addr.v4 =
711 ((struct sockaddr_in *)resp[1]->
713 else if (psk.psk_af == AF_INET6)
714 psk.psk_dst.addr.v.a.addr.v6 =
715 ((struct sockaddr_in6 *)resp[1]->
718 errx(1, "Unknown address family %d",
721 if (ioctl(dev, DIOCKILLSTATES, &psk))
722 err(1, "DIOCKILLSTATES");
723 killed += psk.psk_killed;
725 freeaddrinfo(res[1]);
727 if (ioctl(dev, DIOCKILLSTATES, &psk))
728 err(1, "DIOCKILLSTATES");
729 killed += psk.psk_killed;
733 freeaddrinfo(res[0]);
735 if ((opts & PF_OPT_QUIET) == 0)
736 fprintf(stderr, "killed %d states from %d sources and %d "
737 "destinations\n", killed, sources, dests);
742 pfctl_label_kill_states(int dev, const char *iface, int opts)
744 struct pfioc_state_kill psk;
746 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
747 warnx("no label specified");
750 memset(&psk, 0, sizeof(psk));
751 if (iface != NULL && strlcpy(psk.psk_ifname, iface,
752 sizeof(psk.psk_ifname)) >= sizeof(psk.psk_ifname))
753 errx(1, "invalid interface: %s", iface);
755 if (strlcpy(psk.psk_label, state_kill[1], sizeof(psk.psk_label)) >=
756 sizeof(psk.psk_label))
757 errx(1, "label too long: %s", state_kill[1]);
759 if (ioctl(dev, DIOCKILLSTATES, &psk))
760 err(1, "DIOCKILLSTATES");
762 if ((opts & PF_OPT_QUIET) == 0)
763 fprintf(stderr, "killed %d states\n", psk.psk_killed);
769 pfctl_id_kill_states(int dev, const char *iface, int opts)
771 struct pfioc_state_kill psk;
773 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
774 warnx("no id specified");
778 memset(&psk, 0, sizeof(psk));
779 if ((sscanf(state_kill[1], "%jx/%x",
780 &psk.psk_pfcmp.id, &psk.psk_pfcmp.creatorid)) == 2)
781 HTONL(psk.psk_pfcmp.creatorid);
782 else if ((sscanf(state_kill[1], "%jx", &psk.psk_pfcmp.id)) == 1) {
783 psk.psk_pfcmp.creatorid = 0;
785 warnx("wrong id format specified");
788 if (psk.psk_pfcmp.id == 0) {
789 warnx("cannot kill id 0");
793 psk.psk_pfcmp.id = htobe64(psk.psk_pfcmp.id);
794 if (ioctl(dev, DIOCKILLSTATES, &psk))
795 err(1, "DIOCKILLSTATES");
797 if ((opts & PF_OPT_QUIET) == 0)
798 fprintf(stderr, "killed %d states\n", psk.psk_killed);
804 pfctl_get_pool(int dev, struct pf_pool *pool, u_int32_t nr,
805 u_int32_t ticket, int r_action, char *anchorname)
807 struct pfioc_pooladdr pp;
808 struct pf_pooladdr *pa;
811 memset(&pp, 0, sizeof(pp));
812 memcpy(pp.anchor, anchorname, sizeof(pp.anchor));
813 pp.r_action = r_action;
816 if (ioctl(dev, DIOCGETADDRS, &pp)) {
817 warn("DIOCGETADDRS");
821 TAILQ_INIT(&pool->list);
822 for (pnr = 0; pnr < mpnr; ++pnr) {
824 if (ioctl(dev, DIOCGETADDR, &pp)) {
828 pa = calloc(1, sizeof(struct pf_pooladdr));
831 bcopy(&pp.addr, pa, sizeof(struct pf_pooladdr));
832 TAILQ_INSERT_TAIL(&pool->list, pa, entries);
839 pfctl_move_pool(struct pf_pool *src, struct pf_pool *dst)
841 struct pf_pooladdr *pa;
843 while ((pa = TAILQ_FIRST(&src->list)) != NULL) {
844 TAILQ_REMOVE(&src->list, pa, entries);
845 TAILQ_INSERT_TAIL(&dst->list, pa, entries);
850 pfctl_clear_pool(struct pf_pool *pool)
852 struct pf_pooladdr *pa;
854 while ((pa = TAILQ_FIRST(&pool->list)) != NULL) {
855 TAILQ_REMOVE(&pool->list, pa, entries);
861 pfctl_print_rule_counters(struct pf_rule *rule, int opts)
863 if (opts & PF_OPT_DEBUG) {
864 const char *t[PF_SKIP_COUNT] = { "i", "d", "f",
865 "p", "sa", "sp", "da", "dp" };
868 printf(" [ Skip steps: ");
869 for (i = 0; i < PF_SKIP_COUNT; ++i) {
870 if (rule->skip[i].nr == rule->nr + 1)
873 if (rule->skip[i].nr == -1)
876 printf("%u ", rule->skip[i].nr);
880 printf(" [ queue: qname=%s qid=%u pqname=%s pqid=%u ]\n",
881 rule->qname, rule->qid, rule->pqname, rule->pqid);
883 if (opts & PF_OPT_VERBOSE) {
884 printf(" [ Evaluations: %-8llu Packets: %-8llu "
885 "Bytes: %-10llu States: %-6ju]\n",
886 (unsigned long long)rule->evaluations,
887 (unsigned long long)(rule->packets[0] +
889 (unsigned long long)(rule->bytes[0] +
890 rule->bytes[1]), (uintmax_t)rule->u_states_cur);
891 if (!(opts & PF_OPT_DEBUG))
892 printf(" [ Inserted: uid %u pid %u "
893 "State Creations: %-6ju]\n",
894 (unsigned)rule->cuid, (unsigned)rule->cpid,
895 (uintmax_t)rule->u_states_tot);
900 pfctl_print_title(char *title)
905 printf("%s\n", title);
909 pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
910 char *anchorname, int depth)
912 struct pfioc_rule pr;
913 u_int32_t nr, mnr, header = 0;
914 int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
915 int numeric = opts & PF_OPT_NUMERIC;
916 int len = strlen(path);
921 snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
923 snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
925 memset(&pr, 0, sizeof(pr));
926 memcpy(pr.anchor, path, sizeof(pr.anchor));
927 if (opts & PF_OPT_SHOWALL) {
928 pr.rule.action = PF_PASS;
929 if (ioctl(dev, DIOCGETRULES, &pr)) {
930 warn("DIOCGETRULES");
935 pr.rule.action = PF_SCRUB;
936 if (ioctl(dev, DIOCGETRULES, &pr)) {
937 warn("DIOCGETRULES");
940 if (opts & PF_OPT_SHOWALL) {
941 if (format == PFCTL_SHOW_RULES && (pr.nr > 0 || header))
942 pfctl_print_title("FILTER RULES:");
943 else if (format == PFCTL_SHOW_LABELS && labels)
944 pfctl_print_title("LABEL COUNTERS:");
947 if (opts & PF_OPT_CLRRULECTRS)
948 pr.action = PF_GET_CLR_CNTR;
950 for (nr = 0; nr < mnr; ++nr) {
952 if (ioctl(dev, DIOCGETRULE, &pr)) {
957 if (pfctl_get_pool(dev, &pr.rule.rpool,
958 nr, pr.ticket, PF_SCRUB, path) != 0)
962 case PFCTL_SHOW_LABELS:
964 case PFCTL_SHOW_RULES:
965 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
967 print_rule(&pr.rule, pr.anchor_call, rule_numbers, numeric);
969 pfctl_print_rule_counters(&pr.rule, opts);
971 case PFCTL_SHOW_NOTHING:
974 pfctl_clear_pool(&pr.rule.rpool);
976 pr.rule.action = PF_PASS;
977 if (ioctl(dev, DIOCGETRULES, &pr)) {
978 warn("DIOCGETRULES");
982 for (nr = 0; nr < mnr; ++nr) {
984 if (ioctl(dev, DIOCGETRULE, &pr)) {
989 if (pfctl_get_pool(dev, &pr.rule.rpool,
990 nr, pr.ticket, PF_PASS, path) != 0)
994 case PFCTL_SHOW_LABELS:
995 if (pr.rule.label[0]) {
996 printf("%s %llu %llu %llu %llu"
997 " %llu %llu %llu %ju\n",
999 (unsigned long long)pr.rule.evaluations,
1000 (unsigned long long)(pr.rule.packets[0] +
1001 pr.rule.packets[1]),
1002 (unsigned long long)(pr.rule.bytes[0] +
1004 (unsigned long long)pr.rule.packets[0],
1005 (unsigned long long)pr.rule.bytes[0],
1006 (unsigned long long)pr.rule.packets[1],
1007 (unsigned long long)pr.rule.bytes[1],
1008 (uintmax_t)pr.rule.u_states_tot);
1011 case PFCTL_SHOW_RULES:
1013 if (pr.rule.label[0] && (opts & PF_OPT_SHOWALL))
1015 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1016 if (pr.anchor_call[0] &&
1017 ((((p = strrchr(pr.anchor_call, '_')) != NULL) &&
1018 ((void *)p == (void *)pr.anchor_call ||
1019 *(--p) == '/')) || (opts & PF_OPT_RECURSE))) {
1021 if ((p = strrchr(pr.anchor_call, '/')) !=
1025 p = &pr.anchor_call[0];
1027 p = &pr.anchor_call[0];
1029 print_rule(&pr.rule, p, rule_numbers, numeric);
1034 pfctl_print_rule_counters(&pr.rule, opts);
1036 pfctl_show_rules(dev, path, opts, format,
1038 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1042 case PFCTL_SHOW_NOTHING:
1045 pfctl_clear_pool(&pr.rule.rpool);
1056 pfctl_show_nat(int dev, int opts, char *anchorname)
1058 struct pfioc_rule pr;
1060 static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT };
1061 int i, dotitle = opts & PF_OPT_SHOWALL;
1063 memset(&pr, 0, sizeof(pr));
1064 memcpy(pr.anchor, anchorname, sizeof(pr.anchor));
1065 for (i = 0; i < 3; i++) {
1066 pr.rule.action = nattype[i];
1067 if (ioctl(dev, DIOCGETRULES, &pr)) {
1068 warn("DIOCGETRULES");
1072 for (nr = 0; nr < mnr; ++nr) {
1074 if (ioctl(dev, DIOCGETRULE, &pr)) {
1075 warn("DIOCGETRULE");
1078 if (pfctl_get_pool(dev, &pr.rule.rpool, nr,
1079 pr.ticket, nattype[i], anchorname) != 0)
1082 pfctl_print_title("TRANSLATION RULES:");
1085 print_rule(&pr.rule, pr.anchor_call,
1086 opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
1088 pfctl_print_rule_counters(&pr.rule, opts);
1089 pfctl_clear_pool(&pr.rule.rpool);
1096 pfctl_show_src_nodes(int dev, int opts)
1098 struct pfioc_src_nodes psn;
1099 struct pf_src_node *p;
1100 char *inbuf = NULL, *newinbuf = NULL;
1101 unsigned int len = 0;
1104 memset(&psn, 0, sizeof(psn));
1108 newinbuf = realloc(inbuf, len);
1109 if (newinbuf == NULL)
1111 psn.psn_buf = inbuf = newinbuf;
1113 if (ioctl(dev, DIOCGETSRCNODES, &psn) < 0) {
1114 warn("DIOCGETSRCNODES");
1118 if (psn.psn_len + sizeof(struct pfioc_src_nodes) < len)
1120 if (len == 0 && psn.psn_len == 0)
1122 if (len == 0 && psn.psn_len != 0)
1124 if (psn.psn_len == 0)
1125 goto done; /* no src_nodes */
1128 p = psn.psn_src_nodes;
1129 if (psn.psn_len > 0 && (opts & PF_OPT_SHOWALL))
1130 pfctl_print_title("SOURCE TRACKING NODES:");
1131 for (i = 0; i < psn.psn_len; i += sizeof(*p)) {
1132 print_src_node(p, opts);
1141 pfctl_show_states(int dev, const char *iface, int opts)
1143 struct pfioc_states ps;
1144 struct pfsync_state *p;
1145 char *inbuf = NULL, *newinbuf = NULL;
1146 unsigned int len = 0;
1147 int i, dotitle = (opts & PF_OPT_SHOWALL);
1149 memset(&ps, 0, sizeof(ps));
1153 newinbuf = realloc(inbuf, len);
1154 if (newinbuf == NULL)
1156 ps.ps_buf = inbuf = newinbuf;
1158 if (ioctl(dev, DIOCGETSTATES, &ps) < 0) {
1159 warn("DIOCGETSTATES");
1163 if (ps.ps_len + sizeof(struct pfioc_states) < len)
1165 if (len == 0 && ps.ps_len == 0)
1167 if (len == 0 && ps.ps_len != 0)
1170 goto done; /* no states */
1174 for (i = 0; i < ps.ps_len; i += sizeof(*p), p++) {
1175 if (iface != NULL && strcmp(p->ifname, iface))
1178 pfctl_print_title("STATES:");
1181 print_state(p, opts);
1189 pfctl_show_status(int dev, int opts)
1191 struct pf_status status;
1193 if (ioctl(dev, DIOCGETSTATUS, &status)) {
1194 warn("DIOCGETSTATUS");
1197 if (opts & PF_OPT_SHOWALL)
1198 pfctl_print_title("INFO:");
1199 print_status(&status, opts);
1204 pfctl_show_running(int dev)
1206 struct pf_status status;
1208 if (ioctl(dev, DIOCGETSTATUS, &status)) {
1209 warn("DIOCGETSTATUS");
1213 print_running(&status);
1214 return (!status.running);
1218 pfctl_show_timeouts(int dev, int opts)
1223 if (opts & PF_OPT_SHOWALL)
1224 pfctl_print_title("TIMEOUTS:");
1225 memset(&pt, 0, sizeof(pt));
1226 for (i = 0; pf_timeouts[i].name; i++) {
1227 pt.timeout = pf_timeouts[i].timeout;
1228 if (ioctl(dev, DIOCGETTIMEOUT, &pt))
1229 err(1, "DIOCGETTIMEOUT");
1230 printf("%-20s %10d", pf_timeouts[i].name, pt.seconds);
1231 if (pf_timeouts[i].timeout >= PFTM_ADAPTIVE_START &&
1232 pf_timeouts[i].timeout <= PFTM_ADAPTIVE_END)
1243 pfctl_show_limits(int dev, int opts)
1245 struct pfioc_limit pl;
1248 if (opts & PF_OPT_SHOWALL)
1249 pfctl_print_title("LIMITS:");
1250 memset(&pl, 0, sizeof(pl));
1251 for (i = 0; pf_limits[i].name; i++) {
1252 pl.index = pf_limits[i].index;
1253 if (ioctl(dev, DIOCGETLIMIT, &pl))
1254 err(1, "DIOCGETLIMIT");
1255 printf("%-13s ", pf_limits[i].name);
1256 if (pl.limit == UINT_MAX)
1257 printf("unlimited\n");
1259 printf("hard limit %8u\n", pl.limit);
1264 /* callbacks for rule/nat/rdr/addr */
1266 pfctl_add_pool(struct pfctl *pf, struct pf_pool *p, sa_family_t af)
1268 struct pf_pooladdr *pa;
1270 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1271 if (ioctl(pf->dev, DIOCBEGINADDRS, &pf->paddr))
1272 err(1, "DIOCBEGINADDRS");
1276 TAILQ_FOREACH(pa, &p->list, entries) {
1277 memcpy(&pf->paddr.addr, pa, sizeof(struct pf_pooladdr));
1278 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1279 if (ioctl(pf->dev, DIOCADDADDR, &pf->paddr))
1280 err(1, "DIOCADDADDR");
1287 pfctl_add_rule(struct pfctl *pf, struct pf_rule *r, const char *anchor_call)
1290 struct pf_rule *rule;
1291 struct pf_ruleset *rs;
1294 rs_num = pf_get_ruleset_number(r->action);
1295 if (rs_num == PF_RULESET_MAX)
1296 errx(1, "Invalid rule type %d", r->action);
1298 rs = &pf->anchor->ruleset;
1300 if (anchor_call[0] && r->anchor == NULL) {
1302 * Don't make non-brace anchors part of the main anchor pool.
1304 if ((r->anchor = calloc(1, sizeof(*r->anchor))) == NULL)
1305 err(1, "pfctl_add_rule: calloc");
1307 pf_init_ruleset(&r->anchor->ruleset);
1308 r->anchor->ruleset.anchor = r->anchor;
1309 if (strlcpy(r->anchor->path, anchor_call,
1310 sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path))
1311 errx(1, "pfctl_add_rule: strlcpy");
1312 if ((p = strrchr(anchor_call, '/')) != NULL) {
1314 err(1, "pfctl_add_rule: bad anchor name %s",
1317 p = (char *)anchor_call;
1318 if (strlcpy(r->anchor->name, p,
1319 sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name))
1320 errx(1, "pfctl_add_rule: strlcpy");
1323 if ((rule = calloc(1, sizeof(*rule))) == NULL)
1325 bcopy(r, rule, sizeof(*rule));
1326 TAILQ_INIT(&rule->rpool.list);
1327 pfctl_move_pool(&r->rpool, &rule->rpool);
1329 TAILQ_INSERT_TAIL(rs->rules[rs_num].active.ptr, rule, entries);
1334 pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pf_anchor *a)
1336 int osize = pf->trans->pfrb_size;
1338 if ((pf->loadopt & PFCTL_FLAG_NAT) != 0) {
1339 if (pfctl_add_trans(pf->trans, PF_RULESET_NAT, path) ||
1340 pfctl_add_trans(pf->trans, PF_RULESET_BINAT, path) ||
1341 pfctl_add_trans(pf->trans, PF_RULESET_RDR, path))
1344 if (a == pf->astack[0] && ((altqsupport &&
1345 (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
1346 if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path))
1349 if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) {
1350 if (pfctl_add_trans(pf->trans, PF_RULESET_SCRUB, path) ||
1351 pfctl_add_trans(pf->trans, PF_RULESET_FILTER, path))
1354 if (pf->loadopt & PFCTL_FLAG_TABLE)
1355 if (pfctl_add_trans(pf->trans, PF_RULESET_TABLE, path))
1357 if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize))
1364 pfctl_load_ruleset(struct pfctl *pf, char *path, struct pf_ruleset *rs,
1365 int rs_num, int depth)
1368 int error, len = strlen(path);
1371 pf->anchor = rs->anchor;
1374 snprintf(&path[len], MAXPATHLEN - len, "/%s", pf->anchor->name);
1376 snprintf(&path[len], MAXPATHLEN - len, "%s", pf->anchor->name);
1379 if (TAILQ_FIRST(rs->rules[rs_num].active.ptr) != NULL) {
1381 if (pf->opts & PF_OPT_VERBOSE)
1383 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
1384 (error = pfctl_ruleset_trans(pf,
1385 path, rs->anchor))) {
1386 printf("pfctl_load_rulesets: "
1387 "pfctl_ruleset_trans %d\n", error);
1390 } else if (pf->opts & PF_OPT_VERBOSE)
1395 if (pf->optimize && rs_num == PF_RULESET_FILTER)
1396 pfctl_optimize_ruleset(pf, rs);
1398 while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) {
1399 TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);
1400 if ((error = pfctl_load_rule(pf, path, r, depth)))
1403 if ((error = pfctl_load_ruleset(pf, path,
1404 &r->anchor->ruleset, rs_num, depth + 1)))
1406 } else if (pf->opts & PF_OPT_VERBOSE)
1410 if (brace && pf->opts & PF_OPT_VERBOSE) {
1411 INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE));
1424 pfctl_load_rule(struct pfctl *pf, char *path, struct pf_rule *r, int depth)
1426 u_int8_t rs_num = pf_get_ruleset_number(r->action);
1428 struct pfioc_rule pr;
1429 int len = strlen(path);
1431 bzero(&pr, sizeof(pr));
1432 /* set up anchor before adding to path for anchor_call */
1433 if ((pf->opts & PF_OPT_NOACTION) == 0)
1434 pr.ticket = pfctl_get_ticket(pf->trans, rs_num, path);
1435 if (strlcpy(pr.anchor, path, sizeof(pr.anchor)) >= sizeof(pr.anchor))
1436 errx(1, "pfctl_load_rule: strlcpy");
1439 if (r->anchor->match) {
1441 snprintf(&path[len], MAXPATHLEN - len,
1442 "/%s", r->anchor->name);
1444 snprintf(&path[len], MAXPATHLEN - len,
1445 "%s", r->anchor->name);
1448 name = r->anchor->path;
1452 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1453 if (pfctl_add_pool(pf, &r->rpool, r->af))
1455 pr.pool_ticket = pf->paddr.ticket;
1456 memcpy(&pr.rule, r, sizeof(pr.rule));
1457 if (r->anchor && strlcpy(pr.anchor_call, name,
1458 sizeof(pr.anchor_call)) >= sizeof(pr.anchor_call))
1459 errx(1, "pfctl_load_rule: strlcpy");
1460 if (ioctl(pf->dev, DIOCADDRULE, &pr))
1461 err(1, "DIOCADDRULE");
1464 if (pf->opts & PF_OPT_VERBOSE) {
1465 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
1466 print_rule(r, r->anchor ? r->anchor->name : "",
1467 pf->opts & PF_OPT_VERBOSE2,
1468 pf->opts & PF_OPT_NUMERIC);
1471 pfctl_clear_pool(&r->rpool);
1476 pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
1479 (loadopt & PFCTL_FLAG_ALTQ) != 0) {
1480 memcpy(&pf->paltq->altq, a, sizeof(struct pf_altq));
1481 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1482 if (ioctl(pf->dev, DIOCADDALTQ, pf->paltq)) {
1484 errx(1, "qtype not configured");
1485 else if (errno == ENODEV)
1486 errx(1, "%s: driver does not support "
1489 err(1, "DIOCADDALTQ");
1492 pfaltq_store(&pf->paltq->altq);
1498 pfctl_rules(int dev, char *filename, int opts, int optimize,
1499 char *anchorname, struct pfr_buffer *trans)
1501 #define ERR(x) do { warn(x); goto _error; } while(0)
1502 #define ERRX(x) do { warnx(x); goto _error; } while(0)
1504 struct pfr_buffer *t, buf;
1505 struct pfioc_altq pa;
1507 struct pf_ruleset *rs;
1508 struct pfr_table trs;
1512 RB_INIT(&pf_anchors);
1513 memset(&pf_main_anchor, 0, sizeof(pf_main_anchor));
1514 pf_init_ruleset(&pf_main_anchor.ruleset);
1515 pf_main_anchor.ruleset.anchor = &pf_main_anchor;
1516 if (trans == NULL) {
1517 bzero(&buf, sizeof(buf));
1518 buf.pfrb_type = PFRB_TRANS;
1523 osize = t->pfrb_size;
1526 memset(&pa, 0, sizeof(pa));
1527 memset(&pf, 0, sizeof(pf));
1528 memset(&trs, 0, sizeof(trs));
1529 if ((path = calloc(1, MAXPATHLEN)) == NULL)
1530 ERRX("pfctl_rules: calloc");
1531 if (strlcpy(trs.pfrt_anchor, anchorname,
1532 sizeof(trs.pfrt_anchor)) >= sizeof(trs.pfrt_anchor))
1533 ERRX("pfctl_rules: strlcpy");
1536 pf.optimize = optimize;
1537 pf.loadopt = loadopt;
1539 /* non-brace anchor, create without resolving the path */
1540 if ((pf.anchor = calloc(1, sizeof(*pf.anchor))) == NULL)
1541 ERRX("pfctl_rules: calloc");
1542 rs = &pf.anchor->ruleset;
1543 pf_init_ruleset(rs);
1544 rs->anchor = pf.anchor;
1545 if (strlcpy(pf.anchor->path, anchorname,
1546 sizeof(pf.anchor->path)) >= sizeof(pf.anchor->path))
1547 errx(1, "pfctl_add_rule: strlcpy");
1548 if (strlcpy(pf.anchor->name, anchorname,
1549 sizeof(pf.anchor->name)) >= sizeof(pf.anchor->name))
1550 errx(1, "pfctl_add_rule: strlcpy");
1553 pf.astack[0] = pf.anchor;
1556 pf.loadopt &= ~PFCTL_FLAG_ALTQ;
1559 pfctl_init_options(&pf);
1561 if ((opts & PF_OPT_NOACTION) == 0) {
1563 * XXX For the time being we need to open transactions for
1564 * the main ruleset before parsing, because tables are still
1565 * loaded at parse time.
1567 if (pfctl_ruleset_trans(&pf, anchorname, pf.anchor))
1568 ERRX("pfctl_rules");
1569 if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))
1571 pfctl_get_ticket(t, PF_RULESET_ALTQ, anchorname);
1572 if (pf.loadopt & PFCTL_FLAG_TABLE)
1573 pf.astack[0]->ruleset.tticket =
1574 pfctl_get_ticket(t, PF_RULESET_TABLE, anchorname);
1577 if (parse_config(filename, &pf) < 0) {
1578 if ((opts & PF_OPT_NOACTION) == 0)
1579 ERRX("Syntax error in config file: "
1580 "pf rules not loaded");
1584 if (loadopt & PFCTL_FLAG_OPTION)
1585 pfctl_adjust_skip_ifaces(&pf);
1587 if ((pf.loadopt & PFCTL_FLAG_FILTER &&
1588 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) ||
1589 (pf.loadopt & PFCTL_FLAG_NAT &&
1590 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_NAT, 0) ||
1591 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_RDR, 0) ||
1592 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_BINAT, 0))) ||
1593 (pf.loadopt & PFCTL_FLAG_FILTER &&
1594 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_FILTER, 0))) {
1595 if ((opts & PF_OPT_NOACTION) == 0)
1596 ERRX("Unable to load rules into kernel");
1601 if ((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0))
1602 if (check_commit_altq(dev, opts) != 0)
1603 ERRX("errors in altq config");
1605 /* process "load anchor" directives */
1607 if (pfctl_load_anchors(dev, &pf, t) == -1)
1608 ERRX("load anchors");
1610 if (trans == NULL && (opts & PF_OPT_NOACTION) == 0) {
1612 if (pfctl_load_options(&pf))
1614 if (pfctl_trans(dev, t, DIOCXCOMMIT, osize))
1620 if (trans == NULL) { /* main ruleset */
1621 if ((opts & PF_OPT_NOACTION) == 0)
1622 if (pfctl_trans(dev, t, DIOCXROLLBACK, osize))
1623 err(1, "DIOCXROLLBACK");
1625 } else { /* sub ruleset */
1634 pfctl_fopen(const char *name, const char *mode)
1639 fp = fopen(name, mode);
1642 if (fstat(fileno(fp), &st)) {
1646 if (S_ISDIR(st.st_mode)) {
1655 pfctl_init_options(struct pfctl *pf)
1658 pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
1659 pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
1660 pf->timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
1661 pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
1662 pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
1663 pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
1664 pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
1665 pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
1666 pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
1667 pf->timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
1668 pf->timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
1669 pf->timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
1670 pf->timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
1671 pf->timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
1672 pf->timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
1673 pf->timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
1674 pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
1675 pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
1676 pf->timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
1677 pf->timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
1679 pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
1680 pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
1681 pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
1682 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
1684 pf->debug = PF_DEBUG_URGENT;
1688 pfctl_load_options(struct pfctl *pf)
1692 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1696 for (i = 0; i < PF_LIMIT_MAX; i++) {
1697 if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i])
1699 if (pfctl_load_limit(pf, i, pf->limit[i]))
1704 * If we've set the limit, but haven't explicitly set adaptive
1705 * timeouts, do it now with a start of 60% and end of 120%.
1707 if (pf->limit_set[PF_LIMIT_STATES] &&
1708 !pf->timeout_set[PFTM_ADAPTIVE_START] &&
1709 !pf->timeout_set[PFTM_ADAPTIVE_END]) {
1710 pf->timeout[PFTM_ADAPTIVE_START] =
1711 (pf->limit[PF_LIMIT_STATES] / 10) * 6;
1712 pf->timeout_set[PFTM_ADAPTIVE_START] = 1;
1713 pf->timeout[PFTM_ADAPTIVE_END] =
1714 (pf->limit[PF_LIMIT_STATES] / 10) * 12;
1715 pf->timeout_set[PFTM_ADAPTIVE_END] = 1;
1719 for (i = 0; i < PFTM_MAX; i++) {
1720 if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i])
1722 if (pfctl_load_timeout(pf, i, pf->timeout[i]))
1727 if (!(pf->opts & PF_OPT_MERGE) || pf->debug_set)
1728 if (pfctl_load_debug(pf, pf->debug))
1732 if (!(pf->opts & PF_OPT_MERGE) || pf->ifname_set)
1733 if (pfctl_load_logif(pf, pf->ifname))
1737 if (!(pf->opts & PF_OPT_MERGE) || pf->hostid_set)
1738 if (pfctl_load_hostid(pf, pf->hostid))
1745 pfctl_set_limit(struct pfctl *pf, const char *opt, unsigned int limit)
1750 for (i = 0; pf_limits[i].name; i++) {
1751 if (strcasecmp(opt, pf_limits[i].name) == 0) {
1752 pf->limit[pf_limits[i].index] = limit;
1753 pf->limit_set[pf_limits[i].index] = 1;
1757 if (pf_limits[i].name == NULL) {
1758 warnx("Bad pool name.");
1762 if (pf->opts & PF_OPT_VERBOSE)
1763 printf("set limit %s %d\n", opt, limit);
1769 pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
1771 struct pfioc_limit pl;
1773 memset(&pl, 0, sizeof(pl));
1776 if (ioctl(pf->dev, DIOCSETLIMIT, &pl)) {
1778 warnx("Current pool size exceeds requested hard limit");
1780 warnx("DIOCSETLIMIT");
1787 pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
1791 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1794 for (i = 0; pf_timeouts[i].name; i++) {
1795 if (strcasecmp(opt, pf_timeouts[i].name) == 0) {
1796 pf->timeout[pf_timeouts[i].timeout] = seconds;
1797 pf->timeout_set[pf_timeouts[i].timeout] = 1;
1802 if (pf_timeouts[i].name == NULL) {
1803 warnx("Bad timeout name.");
1808 if (pf->opts & PF_OPT_VERBOSE && ! quiet)
1809 printf("set timeout %s %d\n", opt, seconds);
1815 pfctl_load_timeout(struct pfctl *pf, unsigned int timeout, unsigned int seconds)
1819 memset(&pt, 0, sizeof(pt));
1820 pt.timeout = timeout;
1821 pt.seconds = seconds;
1822 if (ioctl(pf->dev, DIOCSETTIMEOUT, &pt)) {
1823 warnx("DIOCSETTIMEOUT");
1830 pfctl_set_optimization(struct pfctl *pf, const char *opt)
1832 const struct pf_hint *hint;
1835 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1838 for (i = 0; pf_hints[i].name; i++)
1839 if (strcasecmp(opt, pf_hints[i].name) == 0)
1842 hint = pf_hints[i].hint;
1844 warnx("invalid state timeouts optimization");
1848 for (i = 0; hint[i].name; i++)
1849 if ((r = pfctl_set_timeout(pf, hint[i].name,
1850 hint[i].timeout, 1)))
1853 if (pf->opts & PF_OPT_VERBOSE)
1854 printf("set optimization %s\n", opt);
1860 pfctl_set_logif(struct pfctl *pf, char *ifname)
1863 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1866 if (!strcmp(ifname, "none")) {
1870 pf->ifname = strdup(ifname);
1872 errx(1, "pfctl_set_logif: strdup");
1876 if (pf->opts & PF_OPT_VERBOSE)
1877 printf("set loginterface %s\n", ifname);
1883 pfctl_load_logif(struct pfctl *pf, char *ifname)
1887 memset(&pi, 0, sizeof(pi));
1888 if (ifname && strlcpy(pi.ifname, ifname,
1889 sizeof(pi.ifname)) >= sizeof(pi.ifname)) {
1890 warnx("pfctl_load_logif: strlcpy");
1893 if (ioctl(pf->dev, DIOCSETSTATUSIF, &pi)) {
1894 warnx("DIOCSETSTATUSIF");
1901 pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
1903 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1908 pf->hostid = hostid;
1911 if (pf->opts & PF_OPT_VERBOSE)
1912 printf("set hostid 0x%08x\n", ntohl(hostid));
1918 pfctl_load_hostid(struct pfctl *pf, u_int32_t hostid)
1920 if (ioctl(dev, DIOCSETHOSTID, &hostid)) {
1921 warnx("DIOCSETHOSTID");
1928 pfctl_set_debug(struct pfctl *pf, char *d)
1932 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1935 if (!strcmp(d, "none"))
1936 pf->debug = PF_DEBUG_NONE;
1937 else if (!strcmp(d, "urgent"))
1938 pf->debug = PF_DEBUG_URGENT;
1939 else if (!strcmp(d, "misc"))
1940 pf->debug = PF_DEBUG_MISC;
1941 else if (!strcmp(d, "loud"))
1942 pf->debug = PF_DEBUG_NOISY;
1944 warnx("unknown debug level \"%s\"", d);
1951 if ((pf->opts & PF_OPT_NOACTION) == 0)
1952 if (ioctl(dev, DIOCSETDEBUG, &level))
1953 err(1, "DIOCSETDEBUG");
1955 if (pf->opts & PF_OPT_VERBOSE)
1956 printf("set debug %s\n", d);
1962 pfctl_load_debug(struct pfctl *pf, unsigned int level)
1964 if (ioctl(pf->dev, DIOCSETDEBUG, &level)) {
1965 warnx("DIOCSETDEBUG");
1972 pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
1974 struct pfioc_iface pi;
1975 struct node_host *h = NULL, *n = NULL;
1977 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1980 bzero(&pi, sizeof(pi));
1982 pi.pfiio_flags = flags;
1984 /* Make sure our cache matches the kernel. If we set or clear the flag
1985 * for a group this applies to all members. */
1986 h = ifa_grouplookup(ifname, 0);
1987 for (n = h; n != NULL; n = n->next)
1988 pfctl_set_interface_flags(pf, n->ifname, flags, how);
1990 if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
1991 sizeof(pi.pfiio_name))
1992 errx(1, "pfctl_set_interface_flags: strlcpy");
1994 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1996 if (ioctl(pf->dev, DIOCCLRIFFLAG, &pi))
1997 err(1, "DIOCCLRIFFLAG");
1999 if (ioctl(pf->dev, DIOCSETIFFLAG, &pi))
2000 err(1, "DIOCSETIFFLAG");
2001 pfctl_check_skip_ifaces(ifname);
2008 pfctl_debug(int dev, u_int32_t level, int opts)
2010 if (ioctl(dev, DIOCSETDEBUG, &level))
2011 err(1, "DIOCSETDEBUG");
2012 if ((opts & PF_OPT_QUIET) == 0) {
2013 fprintf(stderr, "debug level set to '");
2016 fprintf(stderr, "none");
2018 case PF_DEBUG_URGENT:
2019 fprintf(stderr, "urgent");
2022 fprintf(stderr, "misc");
2024 case PF_DEBUG_NOISY:
2025 fprintf(stderr, "loud");
2028 fprintf(stderr, "<invalid>");
2031 fprintf(stderr, "'\n");
2036 pfctl_test_altqsupport(int dev, int opts)
2038 struct pfioc_altq pa;
2040 if (ioctl(dev, DIOCGETALTQS, &pa)) {
2041 if (errno == ENODEV) {
2042 if (opts & PF_OPT_VERBOSE)
2043 fprintf(stderr, "No ALTQ support in kernel\n"
2044 "ALTQ related functions disabled\n");
2047 err(1, "DIOCGETALTQS");
2053 pfctl_show_anchors(int dev, int opts, char *anchorname)
2055 struct pfioc_ruleset pr;
2058 memset(&pr, 0, sizeof(pr));
2059 memcpy(pr.path, anchorname, sizeof(pr.path));
2060 if (ioctl(dev, DIOCGETRULESETS, &pr)) {
2061 if (errno == EINVAL)
2062 fprintf(stderr, "Anchor '%s' not found.\n",
2065 err(1, "DIOCGETRULESETS");
2069 for (nr = 0; nr < mnr; ++nr) {
2070 char sub[MAXPATHLEN];
2073 if (ioctl(dev, DIOCGETRULESET, &pr))
2074 err(1, "DIOCGETRULESET");
2075 if (!strcmp(pr.name, PF_RESERVED_ANCHOR))
2079 strlcat(sub, pr.path, sizeof(sub));
2080 strlcat(sub, "/", sizeof(sub));
2082 strlcat(sub, pr.name, sizeof(sub));
2083 if (sub[0] != '_' || (opts & PF_OPT_VERBOSE))
2084 printf(" %s\n", sub);
2085 if ((opts & PF_OPT_VERBOSE) && pfctl_show_anchors(dev, opts, sub))
2092 pfctl_lookup_option(char *cmd, const char **list)
2094 if (cmd != NULL && *cmd)
2095 for (; *list; list++)
2096 if (!strncmp(cmd, *list, strlen(cmd)))
2102 main(int argc, char *argv[])
2106 int mode = O_RDONLY;
2108 int optimize = PF_OPTIMIZE_BASIC;
2109 char anchorname[MAXPATHLEN];
2115 while ((ch = getopt(argc, argv,
2116 "a:AdD:eqf:F:ghi:k:K:mnNOo:Pp:rRs:t:T:vx:z")) != -1) {
2122 opts |= PF_OPT_DISABLE;
2126 if (pfctl_cmdline_symset(optarg) < 0)
2127 warnx("could not parse macro definition %s",
2131 opts |= PF_OPT_ENABLE;
2135 opts |= PF_OPT_QUIET;
2138 clearopt = pfctl_lookup_option(optarg, clearopt_list);
2139 if (clearopt == NULL) {
2140 warnx("Unknown flush modifier '%s'", optarg);
2149 if (state_killers >= 2) {
2150 warnx("can only specify -k twice");
2154 state_kill[state_killers++] = optarg;
2158 if (src_node_killers >= 2) {
2159 warnx("can only specify -K twice");
2163 src_node_kill[src_node_killers++] = optarg;
2167 opts |= PF_OPT_MERGE;
2170 opts |= PF_OPT_NOACTION;
2173 loadopt |= PFCTL_FLAG_NAT;
2176 opts |= PF_OPT_USEDNS;
2183 opts |= PF_OPT_DEBUG;
2186 loadopt |= PFCTL_FLAG_ALTQ;
2189 loadopt |= PFCTL_FLAG_FILTER;
2192 optiopt = pfctl_lookup_option(optarg, optiopt_list);
2193 if (optiopt == NULL) {
2194 warnx("Unknown optimization '%s'", optarg);
2197 opts |= PF_OPT_OPTIMIZE;
2200 loadopt |= PFCTL_FLAG_OPTION;
2206 opts |= PF_OPT_NUMERIC;
2209 showopt = pfctl_lookup_option(optarg, showopt_list);
2210 if (showopt == NULL) {
2211 warnx("Unknown show modifier '%s'", optarg);
2219 tblcmdopt = pfctl_lookup_option(optarg, tblcmdopt_list);
2220 if (tblcmdopt == NULL) {
2221 warnx("Unknown table command '%s'", optarg);
2226 if (opts & PF_OPT_VERBOSE)
2227 opts |= PF_OPT_VERBOSE2;
2228 opts |= PF_OPT_VERBOSE;
2231 debugopt = pfctl_lookup_option(optarg, debugopt_list);
2232 if (debugopt == NULL) {
2233 warnx("Unknown debug level '%s'", optarg);
2239 opts |= PF_OPT_CLRRULECTRS;
2250 if (tblcmdopt != NULL) {
2255 loadopt |= PFCTL_FLAG_TABLE;
2258 mode = strchr("acdefkrz", ch) ? O_RDWR : O_RDONLY;
2259 } else if (argc != optind) {
2260 warnx("unknown command line argument: %s ...", argv[optind]);
2267 if ((path = calloc(1, MAXPATHLEN)) == NULL)
2268 errx(1, "pfctl: calloc");
2269 memset(anchorname, 0, sizeof(anchorname));
2270 if (anchoropt != NULL) {
2271 int len = strlen(anchoropt);
2273 if (anchoropt[len - 1] == '*') {
2274 if (len >= 2 && anchoropt[len - 2] == '/')
2275 anchoropt[len - 2] = '\0';
2277 anchoropt[len - 1] = '\0';
2278 opts |= PF_OPT_RECURSE;
2280 if (strlcpy(anchorname, anchoropt,
2281 sizeof(anchorname)) >= sizeof(anchorname))
2282 errx(1, "anchor name '%s' too long",
2284 loadopt &= PFCTL_FLAG_FILTER|PFCTL_FLAG_NAT|PFCTL_FLAG_TABLE;
2287 if ((opts & PF_OPT_NOACTION) == 0) {
2288 dev = open(pf_device, mode);
2290 err(1, "%s", pf_device);
2291 altqsupport = pfctl_test_altqsupport(dev, opts);
2293 dev = open(pf_device, O_RDONLY);
2295 opts |= PF_OPT_DUMMYACTION;
2296 /* turn off options */
2297 opts &= ~ (PF_OPT_DISABLE | PF_OPT_ENABLE);
2298 clearopt = showopt = debugopt = NULL;
2299 #if !defined(ENABLE_ALTQ)
2306 if (opts & PF_OPT_DISABLE)
2307 if (pfctl_disable(dev, opts))
2310 if (showopt != NULL) {
2313 pfctl_show_anchors(dev, opts, anchorname);
2316 pfctl_load_fingerprints(dev, opts);
2317 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_RULES,
2321 pfctl_load_fingerprints(dev, opts);
2322 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_LABELS,
2326 pfctl_load_fingerprints(dev, opts);
2327 pfctl_show_nat(dev, opts, anchorname);
2330 pfctl_show_altq(dev, ifaceopt, opts,
2331 opts & PF_OPT_VERBOSE2);
2334 pfctl_show_states(dev, ifaceopt, opts);
2337 pfctl_show_src_nodes(dev, opts);
2340 pfctl_show_status(dev, opts);
2343 error = pfctl_show_running(dev);
2346 pfctl_show_timeouts(dev, opts);
2349 pfctl_show_limits(dev, opts);
2352 opts |= PF_OPT_SHOWALL;
2353 pfctl_load_fingerprints(dev, opts);
2355 pfctl_show_nat(dev, opts, anchorname);
2356 pfctl_show_rules(dev, path, opts, 0, anchorname, 0);
2357 pfctl_show_altq(dev, ifaceopt, opts, 0);
2358 pfctl_show_states(dev, ifaceopt, opts);
2359 pfctl_show_src_nodes(dev, opts);
2360 pfctl_show_status(dev, opts);
2361 pfctl_show_rules(dev, path, opts, 1, anchorname, 0);
2362 pfctl_show_timeouts(dev, opts);
2363 pfctl_show_limits(dev, opts);
2364 pfctl_show_tables(anchorname, opts);
2365 pfctl_show_fingerprints(opts);
2368 pfctl_show_tables(anchorname, opts);
2371 pfctl_load_fingerprints(dev, opts);
2372 pfctl_show_fingerprints(opts);
2375 pfctl_show_ifaces(ifaceopt, opts);
2380 if ((opts & PF_OPT_CLRRULECTRS) && showopt == NULL)
2381 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_NOTHING,
2384 if (clearopt != NULL) {
2385 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
2386 errx(1, "anchor names beginning with '_' cannot "
2387 "be modified from the command line");
2389 switch (*clearopt) {
2391 pfctl_clear_rules(dev, opts, anchorname);
2394 pfctl_clear_nat(dev, opts, anchorname);
2397 pfctl_clear_altq(dev, opts);
2400 pfctl_clear_states(dev, ifaceopt, opts);
2403 pfctl_clear_src_nodes(dev, opts);
2406 pfctl_clear_stats(dev, opts);
2409 pfctl_clear_rules(dev, opts, anchorname);
2410 pfctl_clear_nat(dev, opts, anchorname);
2411 pfctl_clear_tables(anchorname, opts);
2413 pfctl_clear_altq(dev, opts);
2414 pfctl_clear_states(dev, ifaceopt, opts);
2415 pfctl_clear_src_nodes(dev, opts);
2416 pfctl_clear_stats(dev, opts);
2417 pfctl_clear_fingerprints(dev, opts);
2418 pfctl_clear_interface_flags(dev, opts);
2422 pfctl_clear_fingerprints(dev, opts);
2425 pfctl_clear_tables(anchorname, opts);
2429 if (state_killers) {
2430 if (!strcmp(state_kill[0], "label"))
2431 pfctl_label_kill_states(dev, ifaceopt, opts);
2432 else if (!strcmp(state_kill[0], "id"))
2433 pfctl_id_kill_states(dev, ifaceopt, opts);
2435 pfctl_net_kill_states(dev, ifaceopt, opts);
2438 if (src_node_killers)
2439 pfctl_kill_src_nodes(dev, ifaceopt, opts);
2441 if (tblcmdopt != NULL) {
2442 error = pfctl_command_tables(argc, argv, tableopt,
2443 tblcmdopt, rulesopt, anchorname, opts);
2446 if (optiopt != NULL) {
2452 optimize |= PF_OPTIMIZE_BASIC;
2456 optimize |= PF_OPTIMIZE_PROFILE;
2461 if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) &&
2462 !anchorname[0] && !(opts & PF_OPT_NOACTION))
2463 if (pfctl_get_skip_ifaces())
2466 if (rulesopt != NULL && !(opts & (PF_OPT_MERGE|PF_OPT_NOACTION)) &&
2467 !anchorname[0] && (loadopt & PFCTL_FLAG_OPTION))
2468 if (pfctl_file_fingerprints(dev, opts, PF_OSFP_FILE))
2471 if (rulesopt != NULL) {
2472 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
2473 errx(1, "anchor names beginning with '_' cannot "
2474 "be modified from the command line");
2475 if (pfctl_rules(dev, rulesopt, opts, optimize,
2478 else if (!(opts & PF_OPT_NOACTION) &&
2479 (loadopt & PFCTL_FLAG_TABLE))
2480 warn_namespace_collision(NULL);
2483 if (opts & PF_OPT_ENABLE)
2484 if (pfctl_enable(dev, opts))
2487 if (debugopt != NULL) {
2488 switch (*debugopt) {
2490 pfctl_debug(dev, PF_DEBUG_NONE, opts);
2493 pfctl_debug(dev, PF_DEBUG_URGENT, opts);
2496 pfctl_debug(dev, PF_DEBUG_MISC, opts);
2499 pfctl_debug(dev, PF_DEBUG_NOISY, opts);
projects / FreeBSD / FreeBSD.git / blob