1 /* $OpenBSD: pfctl.c,v 1.278 2008/08/31 20:18:17 jmc Exp $ */
4 * SPDX-License-Identifier: BSD-2-Clause
6 * Copyright (c) 2001 Daniel Hartmeier
7 * Copyright (c) 2002,2003 Henning Brauer
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
14 * - Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * - Redistributions in binary form must reproduce the above
17 * copyright notice, this list of conditions and the following
18 * disclaimer in the documentation and/or other materials provided
19 * with the distribution.
21 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
25 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
27 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
29 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
31 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #define PFIOC_USE_LATEST
41 #include <sys/types.h>
42 #include <sys/ioctl.h>
44 #include <sys/socket.h>
46 #include <sys/endian.h>
49 #include <netinet/in.h>
50 #include <net/pfvar.h>
51 #include <arpa/inet.h>
52 #include <net/altq/altq.h>
53 #include <sys/sysctl.h>
67 #include "pfctl_parser.h"
71 int pfctl_enable(int, int);
72 int pfctl_disable(int, int);
73 int pfctl_clear_stats(int, int);
74 int pfctl_get_skip_ifaces(void);
75 int pfctl_check_skip_ifaces(char *);
76 int pfctl_adjust_skip_ifaces(struct pfctl *);
77 int pfctl_clear_interface_flags(int, int);
78 int pfctl_clear_rules(int, int, char *);
79 int pfctl_clear_nat(int, int, char *);
80 int pfctl_clear_altq(int, int);
81 int pfctl_clear_src_nodes(int, int);
82 int pfctl_clear_iface_states(int, const char *, int);
83 void pfctl_addrprefix(char *, struct pf_addr *);
84 int pfctl_kill_src_nodes(int, const char *, int);
85 int pfctl_net_kill_states(int, const char *, int);
86 int pfctl_gateway_kill_states(int, const char *, int);
87 int pfctl_label_kill_states(int, const char *, int);
88 int pfctl_id_kill_states(int, const char *, int);
89 void pfctl_init_options(struct pfctl *);
90 int pfctl_load_options(struct pfctl *);
91 int pfctl_load_limit(struct pfctl *, unsigned int, unsigned int);
92 int pfctl_load_timeout(struct pfctl *, unsigned int, unsigned int);
93 int pfctl_load_debug(struct pfctl *, unsigned int);
94 int pfctl_load_logif(struct pfctl *, char *);
95 int pfctl_load_hostid(struct pfctl *, u_int32_t);
96 int pfctl_load_syncookies(struct pfctl *, u_int8_t);
97 int pfctl_get_pool(int, struct pfctl_pool *, u_int32_t, u_int32_t, int,
99 void pfctl_print_eth_rule_counters(struct pfctl_eth_rule *, int);
100 void pfctl_print_rule_counters(struct pfctl_rule *, int);
101 int pfctl_show_eth_rules(int, int);
102 int pfctl_show_rules(int, char *, int, enum pfctl_show, char *, int);
103 int pfctl_show_nat(int, int, char *);
104 int pfctl_show_src_nodes(int, int);
105 int pfctl_show_states(int, const char *, int);
106 int pfctl_show_status(int, int);
107 int pfctl_show_running(int);
108 int pfctl_show_timeouts(int, int);
109 int pfctl_show_limits(int, int);
110 void pfctl_debug(int, u_int32_t, int);
111 int pfctl_test_altqsupport(int, int);
112 int pfctl_show_anchors(int, int, char *);
113 int pfctl_ruleset_trans(struct pfctl *, char *, struct pfctl_anchor *);
114 int pfctl_load_eth_ruleset(struct pfctl *);
115 int pfctl_load_ruleset(struct pfctl *, char *,
116 struct pfctl_ruleset *, int, int);
117 int pfctl_load_rule(struct pfctl *, char *, struct pfctl_rule *, int);
118 const char *pfctl_lookup_option(char *, const char * const *);
120 static struct pfctl_anchor_global pf_anchors;
121 static struct pfctl_anchor pf_main_anchor;
122 static struct pfr_buffer skip_b;
124 static const char *clearopt;
125 static char *rulesopt;
126 static const char *showopt;
127 static const char *debugopt;
128 static char *anchoropt;
129 static const char *optiopt = NULL;
130 static const char *pf_device = "/dev/pf";
131 static char *ifaceopt;
132 static char *tableopt;
133 static const char *tblcmdopt;
134 static int src_node_killers;
135 static char *src_node_kill[2];
136 static int state_killers;
137 static char *state_kill[2];
142 static int first_title = 1;
143 static int labels = 0;
145 #define INDENT(d, o) do { \
148 for (i=0; i < d; i++) \
154 static const struct {
158 { "states", PF_LIMIT_STATES },
159 { "src-nodes", PF_LIMIT_SRC_NODES },
160 { "frags", PF_LIMIT_FRAGS },
161 { "table-entries", PF_LIMIT_TABLE_ENTRIES },
169 static const struct pf_hint pf_hint_normal[] = {
170 { "tcp.first", 2 * 60 },
171 { "tcp.opening", 30 },
172 { "tcp.established", 24 * 60 * 60 },
173 { "tcp.closing", 15 * 60 },
174 { "tcp.finwait", 45 },
175 { "tcp.closed", 90 },
176 { "tcp.tsdiff", 30 },
179 static const struct pf_hint pf_hint_satellite[] = {
180 { "tcp.first", 3 * 60 },
181 { "tcp.opening", 30 + 5 },
182 { "tcp.established", 24 * 60 * 60 },
183 { "tcp.closing", 15 * 60 + 5 },
184 { "tcp.finwait", 45 + 5 },
185 { "tcp.closed", 90 + 5 },
186 { "tcp.tsdiff", 60 },
189 static const struct pf_hint pf_hint_conservative[] = {
190 { "tcp.first", 60 * 60 },
191 { "tcp.opening", 15 * 60 },
192 { "tcp.established", 5 * 24 * 60 * 60 },
193 { "tcp.closing", 60 * 60 },
194 { "tcp.finwait", 10 * 60 },
195 { "tcp.closed", 3 * 60 },
196 { "tcp.tsdiff", 60 },
199 static const struct pf_hint pf_hint_aggressive[] = {
201 { "tcp.opening", 5 },
202 { "tcp.established", 5 * 60 * 60 },
203 { "tcp.closing", 60 },
204 { "tcp.finwait", 30 },
205 { "tcp.closed", 30 },
206 { "tcp.tsdiff", 10 },
210 static const struct {
212 const struct pf_hint *hint;
214 { "normal", pf_hint_normal },
215 { "satellite", pf_hint_satellite },
216 { "high-latency", pf_hint_satellite },
217 { "conservative", pf_hint_conservative },
218 { "aggressive", pf_hint_aggressive },
222 static const char * const clearopt_list[] = {
223 "nat", "queue", "rules", "Sources",
224 "states", "info", "Tables", "osfp", "all", NULL
227 static const char * const showopt_list[] = {
228 "ether", "nat", "queue", "rules", "Anchors", "Sources", "states",
229 "info", "Interfaces", "labels", "timeouts", "memory", "Tables",
230 "osfp", "Running", "all", NULL
233 static const char * const tblcmdopt_list[] = {
234 "kill", "flush", "add", "delete", "load", "replace", "show",
235 "test", "zero", "expire", NULL
238 static const char * const debugopt_list[] = {
239 "none", "urgent", "misc", "loud", NULL
242 static const char * const optiopt_list[] = {
243 "none", "basic", "profile", NULL
249 extern char *__progname;
252 "usage: %s [-AdeghMmNnOPqRrvz] [-a anchor] [-D macro=value] [-F modifier]\n"
253 "\t[-f file] [-i interface] [-K host | network]\n"
254 "\t[-k host | network | gateway | label | id] [-o level] [-p device]\n"
255 "\t[-s modifier] [-t table -T command [address ...]] [-x level]\n",
262 * Cache protocol number to name translations.
264 * Translation is performed a lot e.g., when dumping states and
265 * getprotobynumber is incredibly expensive.
267 * Note from the getprotobynumber(3) manpage:
269 * These functions use a thread-specific data space; if the data is needed
270 * for future use, it should be copied before any subsequent calls overwrite
271 * it. Only the Internet protocols are currently understood.
274 * Consequently we only cache the name and strdup it for safety.
276 * At the time of writing this comment the last entry in /etc/protocols is:
277 * divert 258 DIVERT # Divert pseudo-protocol [non IANA]
280 pfctl_proto2name(int proto)
282 static const char *pfctl_proto_cache[259];
285 if (proto >= nitems(pfctl_proto_cache)) {
286 p = getprotobynumber(proto);
293 if (pfctl_proto_cache[proto] == NULL) {
294 p = getprotobynumber(proto);
298 pfctl_proto_cache[proto] = strdup(p->p_name);
301 return (pfctl_proto_cache[proto]);
305 pfctl_enable(int dev, int opts)
307 if (ioctl(dev, DIOCSTART)) {
309 errx(1, "pf already enabled");
310 else if (errno == ESRCH)
311 errx(1, "pfil registeration failed");
315 if ((opts & PF_OPT_QUIET) == 0)
316 fprintf(stderr, "pf enabled\n");
318 if (altqsupport && ioctl(dev, DIOCSTARTALTQ))
320 err(1, "DIOCSTARTALTQ");
326 pfctl_disable(int dev, int opts)
328 if (ioctl(dev, DIOCSTOP)) {
330 errx(1, "pf not enabled");
334 if ((opts & PF_OPT_QUIET) == 0)
335 fprintf(stderr, "pf disabled\n");
337 if (altqsupport && ioctl(dev, DIOCSTOPALTQ))
339 err(1, "DIOCSTOPALTQ");
345 pfctl_clear_stats(int dev, int opts)
347 if (ioctl(dev, DIOCCLRSTATUS))
348 err(1, "DIOCCLRSTATUS");
349 if ((opts & PF_OPT_QUIET) == 0)
350 fprintf(stderr, "pf: statistics cleared\n");
355 pfctl_get_skip_ifaces(void)
357 bzero(&skip_b, sizeof(skip_b));
358 skip_b.pfrb_type = PFRB_IFACES;
360 pfr_buf_grow(&skip_b, skip_b.pfrb_size);
361 skip_b.pfrb_size = skip_b.pfrb_msize;
362 if (pfi_get_ifaces(NULL, skip_b.pfrb_caddr, &skip_b.pfrb_size))
363 err(1, "pfi_get_ifaces");
364 if (skip_b.pfrb_size <= skip_b.pfrb_msize)
371 pfctl_check_skip_ifaces(char *ifname)
374 struct node_host *h = NULL, *n = NULL;
376 PFRB_FOREACH(p, &skip_b) {
377 if (!strcmp(ifname, p->pfik_name) &&
378 (p->pfik_flags & PFI_IFLAG_SKIP))
379 p->pfik_flags &= ~PFI_IFLAG_SKIP;
380 if (!strcmp(ifname, p->pfik_name) && p->pfik_group != NULL) {
381 if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
384 for (n = h; n != NULL; n = n->next) {
385 if (p->pfik_ifp == NULL)
387 if (strncmp(p->pfik_name, ifname, IFNAMSIZ))
390 p->pfik_flags &= ~PFI_IFLAG_SKIP;
398 pfctl_adjust_skip_ifaces(struct pfctl *pf)
400 struct pfi_kif *p, *pp;
401 struct node_host *h = NULL, *n = NULL;
403 PFRB_FOREACH(p, &skip_b) {
404 if (p->pfik_group == NULL || !(p->pfik_flags & PFI_IFLAG_SKIP))
407 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
408 if ((h = ifa_grouplookup(p->pfik_name, 0)) == NULL)
411 for (n = h; n != NULL; n = n->next)
412 PFRB_FOREACH(pp, &skip_b) {
413 if (pp->pfik_ifp == NULL)
416 if (strncmp(pp->pfik_name, n->ifname, IFNAMSIZ))
419 if (!(pp->pfik_flags & PFI_IFLAG_SKIP))
420 pfctl_set_interface_flags(pf,
421 pp->pfik_name, PFI_IFLAG_SKIP, 1);
422 if (pp->pfik_flags & PFI_IFLAG_SKIP)
423 pp->pfik_flags &= ~PFI_IFLAG_SKIP;
427 PFRB_FOREACH(p, &skip_b) {
428 if (p->pfik_ifp == NULL || ! (p->pfik_flags & PFI_IFLAG_SKIP))
431 pfctl_set_interface_flags(pf, p->pfik_name, PFI_IFLAG_SKIP, 0);
438 pfctl_clear_interface_flags(int dev, int opts)
440 struct pfioc_iface pi;
442 if ((opts & PF_OPT_NOACTION) == 0) {
443 bzero(&pi, sizeof(pi));
444 pi.pfiio_flags = PFI_IFLAG_SKIP;
446 if (ioctl(dev, DIOCCLRIFFLAG, &pi))
447 err(1, "DIOCCLRIFFLAG");
448 if ((opts & PF_OPT_QUIET) == 0)
449 fprintf(stderr, "pf: interface flags reset\n");
455 pfctl_clear_rules(int dev, int opts, char *anchorname)
459 memset(&t, 0, sizeof(t));
460 t.pfrb_type = PFRB_TRANS;
461 if (pfctl_add_trans(&t, PF_RULESET_SCRUB, anchorname) ||
462 pfctl_add_trans(&t, PF_RULESET_FILTER, anchorname) ||
463 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
464 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
465 err(1, "pfctl_clear_rules");
466 if ((opts & PF_OPT_QUIET) == 0)
467 fprintf(stderr, "rules cleared\n");
472 pfctl_clear_nat(int dev, int opts, char *anchorname)
476 memset(&t, 0, sizeof(t));
477 t.pfrb_type = PFRB_TRANS;
478 if (pfctl_add_trans(&t, PF_RULESET_NAT, anchorname) ||
479 pfctl_add_trans(&t, PF_RULESET_BINAT, anchorname) ||
480 pfctl_add_trans(&t, PF_RULESET_RDR, anchorname) ||
481 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
482 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
483 err(1, "pfctl_clear_nat");
484 if ((opts & PF_OPT_QUIET) == 0)
485 fprintf(stderr, "nat cleared\n");
490 pfctl_clear_altq(int dev, int opts)
496 memset(&t, 0, sizeof(t));
497 t.pfrb_type = PFRB_TRANS;
498 if (pfctl_add_trans(&t, PF_RULESET_ALTQ, "") ||
499 pfctl_trans(dev, &t, DIOCXBEGIN, 0) ||
500 pfctl_trans(dev, &t, DIOCXCOMMIT, 0))
501 err(1, "pfctl_clear_altq");
502 if ((opts & PF_OPT_QUIET) == 0)
503 fprintf(stderr, "altq cleared\n");
508 pfctl_clear_src_nodes(int dev, int opts)
510 if (ioctl(dev, DIOCCLRSRCNODES))
511 err(1, "DIOCCLRSRCNODES");
512 if ((opts & PF_OPT_QUIET) == 0)
513 fprintf(stderr, "source tracking entries cleared\n");
518 pfctl_clear_iface_states(int dev, const char *iface, int opts)
520 struct pfctl_kill kill;
523 memset(&kill, 0, sizeof(kill));
524 if (iface != NULL && strlcpy(kill.ifname, iface,
525 sizeof(kill.ifname)) >= sizeof(kill.ifname))
526 errx(1, "invalid interface: %s", iface);
528 if (opts & PF_OPT_KILLMATCH)
529 kill.kill_match = true;
531 if (pfctl_clear_states(dev, &kill, &killed))
532 err(1, "DIOCCLRSTATES");
533 if ((opts & PF_OPT_QUIET) == 0)
534 fprintf(stderr, "%d states cleared\n", killed);
539 pfctl_addrprefix(char *addr, struct pf_addr *mask)
543 int prefix, ret_ga, q, r;
544 struct addrinfo hints, *res;
546 if ((p = strchr(addr, '/')) == NULL)
550 prefix = strtonum(p, 0, 128, &errstr);
552 errx(1, "prefix is %s: %s", errstr, p);
554 bzero(&hints, sizeof(hints));
555 /* prefix only with numeric addresses */
556 hints.ai_flags |= AI_NUMERICHOST;
558 if ((ret_ga = getaddrinfo(addr, NULL, &hints, &res))) {
559 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
563 if (res->ai_family == AF_INET && prefix > 32)
564 errx(1, "prefix too long for AF_INET");
565 else if (res->ai_family == AF_INET6 && prefix > 128)
566 errx(1, "prefix too long for AF_INET6");
570 switch (res->ai_family) {
572 bzero(&mask->v4, sizeof(mask->v4));
573 mask->v4.s_addr = htonl((u_int32_t)
574 (0xffffffffffULL << (32 - prefix)));
577 bzero(&mask->v6, sizeof(mask->v6));
579 memset((void *)&mask->v6, 0xff, q);
581 *((u_char *)&mask->v6 + q) =
582 (0xff00 >> r) & 0xff;
589 pfctl_kill_src_nodes(int dev, const char *iface, int opts)
591 struct pfioc_src_node_kill psnk;
592 struct addrinfo *res[2], *resp[2];
593 struct sockaddr last_src, last_dst;
594 int killed, sources, dests;
597 killed = sources = dests = 0;
599 memset(&psnk, 0, sizeof(psnk));
600 memset(&psnk.psnk_src.addr.v.a.mask, 0xff,
601 sizeof(psnk.psnk_src.addr.v.a.mask));
602 memset(&last_src, 0xff, sizeof(last_src));
603 memset(&last_dst, 0xff, sizeof(last_dst));
605 pfctl_addrprefix(src_node_kill[0], &psnk.psnk_src.addr.v.a.mask);
607 if ((ret_ga = getaddrinfo(src_node_kill[0], NULL, NULL, &res[0]))) {
608 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
611 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
612 if (resp[0]->ai_addr == NULL)
614 /* We get lots of duplicates. Catch the easy ones */
615 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
617 last_src = *(struct sockaddr *)resp[0]->ai_addr;
619 psnk.psnk_af = resp[0]->ai_family;
622 if (psnk.psnk_af == AF_INET)
623 psnk.psnk_src.addr.v.a.addr.v4 =
624 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
625 else if (psnk.psnk_af == AF_INET6)
626 psnk.psnk_src.addr.v.a.addr.v6 =
627 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
630 errx(1, "Unknown address family %d", psnk.psnk_af);
632 if (src_node_killers > 1) {
634 memset(&psnk.psnk_dst.addr.v.a.mask, 0xff,
635 sizeof(psnk.psnk_dst.addr.v.a.mask));
636 memset(&last_dst, 0xff, sizeof(last_dst));
637 pfctl_addrprefix(src_node_kill[1],
638 &psnk.psnk_dst.addr.v.a.mask);
639 if ((ret_ga = getaddrinfo(src_node_kill[1], NULL, NULL,
641 errx(1, "getaddrinfo: %s",
642 gai_strerror(ret_ga));
645 for (resp[1] = res[1]; resp[1];
646 resp[1] = resp[1]->ai_next) {
647 if (resp[1]->ai_addr == NULL)
649 if (psnk.psnk_af != resp[1]->ai_family)
652 if (memcmp(&last_dst, resp[1]->ai_addr,
653 sizeof(last_dst)) == 0)
655 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
659 if (psnk.psnk_af == AF_INET)
660 psnk.psnk_dst.addr.v.a.addr.v4 =
661 ((struct sockaddr_in *)resp[1]->
663 else if (psnk.psnk_af == AF_INET6)
664 psnk.psnk_dst.addr.v.a.addr.v6 =
665 ((struct sockaddr_in6 *)resp[1]->
668 errx(1, "Unknown address family %d",
671 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
672 err(1, "DIOCKILLSRCNODES");
673 killed += psnk.psnk_killed;
675 freeaddrinfo(res[1]);
677 if (ioctl(dev, DIOCKILLSRCNODES, &psnk))
678 err(1, "DIOCKILLSRCNODES");
679 killed += psnk.psnk_killed;
683 freeaddrinfo(res[0]);
685 if ((opts & PF_OPT_QUIET) == 0)
686 fprintf(stderr, "killed %d src nodes from %d sources and %d "
687 "destinations\n", killed, sources, dests);
692 pfctl_net_kill_states(int dev, const char *iface, int opts)
694 struct pfctl_kill kill;
695 struct addrinfo *res[2], *resp[2];
696 struct sockaddr last_src, last_dst;
697 unsigned int newkilled;
698 int killed, sources, dests;
701 killed = sources = dests = 0;
703 memset(&kill, 0, sizeof(kill));
704 memset(&kill.src.addr.v.a.mask, 0xff,
705 sizeof(kill.src.addr.v.a.mask));
706 memset(&last_src, 0xff, sizeof(last_src));
707 memset(&last_dst, 0xff, sizeof(last_dst));
708 if (iface != NULL && strlcpy(kill.ifname, iface,
709 sizeof(kill.ifname)) >= sizeof(kill.ifname))
710 errx(1, "invalid interface: %s", iface);
712 pfctl_addrprefix(state_kill[0], &kill.src.addr.v.a.mask);
714 if (opts & PF_OPT_KILLMATCH)
715 kill.kill_match = true;
717 if ((ret_ga = getaddrinfo(state_kill[0], NULL, NULL, &res[0]))) {
718 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
721 for (resp[0] = res[0]; resp[0]; resp[0] = resp[0]->ai_next) {
722 if (resp[0]->ai_addr == NULL)
724 /* We get lots of duplicates. Catch the easy ones */
725 if (memcmp(&last_src, resp[0]->ai_addr, sizeof(last_src)) == 0)
727 last_src = *(struct sockaddr *)resp[0]->ai_addr;
729 kill.af = resp[0]->ai_family;
732 if (kill.af == AF_INET)
733 kill.src.addr.v.a.addr.v4 =
734 ((struct sockaddr_in *)resp[0]->ai_addr)->sin_addr;
735 else if (kill.af == AF_INET6)
736 kill.src.addr.v.a.addr.v6 =
737 ((struct sockaddr_in6 *)resp[0]->ai_addr)->
740 errx(1, "Unknown address family %d", kill.af);
742 if (state_killers > 1) {
744 memset(&kill.dst.addr.v.a.mask, 0xff,
745 sizeof(kill.dst.addr.v.a.mask));
746 memset(&last_dst, 0xff, sizeof(last_dst));
747 pfctl_addrprefix(state_kill[1],
748 &kill.dst.addr.v.a.mask);
749 if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL,
751 errx(1, "getaddrinfo: %s",
752 gai_strerror(ret_ga));
755 for (resp[1] = res[1]; resp[1];
756 resp[1] = resp[1]->ai_next) {
757 if (resp[1]->ai_addr == NULL)
759 if (kill.af != resp[1]->ai_family)
762 if (memcmp(&last_dst, resp[1]->ai_addr,
763 sizeof(last_dst)) == 0)
765 last_dst = *(struct sockaddr *)resp[1]->ai_addr;
769 if (kill.af == AF_INET)
770 kill.dst.addr.v.a.addr.v4 =
771 ((struct sockaddr_in *)resp[1]->
773 else if (kill.af == AF_INET6)
774 kill.dst.addr.v.a.addr.v6 =
775 ((struct sockaddr_in6 *)resp[1]->
778 errx(1, "Unknown address family %d",
781 if (pfctl_kill_states(dev, &kill, &newkilled))
782 err(1, "DIOCKILLSTATES");
785 freeaddrinfo(res[1]);
787 if (pfctl_kill_states(dev, &kill, &newkilled))
788 err(1, "DIOCKILLSTATES");
793 freeaddrinfo(res[0]);
795 if ((opts & PF_OPT_QUIET) == 0)
796 fprintf(stderr, "killed %d states from %d sources and %d "
797 "destinations\n", killed, sources, dests);
802 pfctl_gateway_kill_states(int dev, const char *iface, int opts)
804 struct pfctl_kill kill;
805 struct addrinfo *res, *resp;
806 struct sockaddr last_src;
807 unsigned int newkilled;
811 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
812 warnx("no gateway specified");
816 memset(&kill, 0, sizeof(kill));
817 memset(&kill.rt_addr.addr.v.a.mask, 0xff,
818 sizeof(kill.rt_addr.addr.v.a.mask));
819 memset(&last_src, 0xff, sizeof(last_src));
820 if (iface != NULL && strlcpy(kill.ifname, iface,
821 sizeof(kill.ifname)) >= sizeof(kill.ifname))
822 errx(1, "invalid interface: %s", iface);
824 if (opts & PF_OPT_KILLMATCH)
825 kill.kill_match = true;
827 pfctl_addrprefix(state_kill[1], &kill.rt_addr.addr.v.a.mask);
829 if ((ret_ga = getaddrinfo(state_kill[1], NULL, NULL, &res))) {
830 errx(1, "getaddrinfo: %s", gai_strerror(ret_ga));
833 for (resp = res; resp; resp = resp->ai_next) {
834 if (resp->ai_addr == NULL)
836 /* We get lots of duplicates. Catch the easy ones */
837 if (memcmp(&last_src, resp->ai_addr, sizeof(last_src)) == 0)
839 last_src = *(struct sockaddr *)resp->ai_addr;
841 kill.af = resp->ai_family;
843 if (kill.af == AF_INET)
844 kill.rt_addr.addr.v.a.addr.v4 =
845 ((struct sockaddr_in *)resp->ai_addr)->sin_addr;
846 else if (kill.af == AF_INET6)
847 kill.rt_addr.addr.v.a.addr.v6 =
848 ((struct sockaddr_in6 *)resp->ai_addr)->
851 errx(1, "Unknown address family %d", kill.af);
853 if (pfctl_kill_states(dev, &kill, &newkilled))
854 err(1, "DIOCKILLSTATES");
860 if ((opts & PF_OPT_QUIET) == 0)
861 fprintf(stderr, "killed %d states\n", killed);
866 pfctl_label_kill_states(int dev, const char *iface, int opts)
868 struct pfctl_kill kill;
871 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
872 warnx("no label specified");
875 memset(&kill, 0, sizeof(kill));
876 if (iface != NULL && strlcpy(kill.ifname, iface,
877 sizeof(kill.ifname)) >= sizeof(kill.ifname))
878 errx(1, "invalid interface: %s", iface);
880 if (opts & PF_OPT_KILLMATCH)
881 kill.kill_match = true;
883 if (strlcpy(kill.label, state_kill[1], sizeof(kill.label)) >=
885 errx(1, "label too long: %s", state_kill[1]);
887 if (pfctl_kill_states(dev, &kill, &killed))
888 err(1, "DIOCKILLSTATES");
890 if ((opts & PF_OPT_QUIET) == 0)
891 fprintf(stderr, "killed %d states\n", killed);
897 pfctl_id_kill_states(int dev, const char *iface, int opts)
899 struct pfctl_kill kill;
902 if (state_killers != 2 || (strlen(state_kill[1]) == 0)) {
903 warnx("no id specified");
907 memset(&kill, 0, sizeof(kill));
909 if (opts & PF_OPT_KILLMATCH)
910 kill.kill_match = true;
912 if ((sscanf(state_kill[1], "%jx/%x",
913 &kill.cmp.id, &kill.cmp.creatorid)) == 2) {
915 else if ((sscanf(state_kill[1], "%jx", &kill.cmp.id)) == 1) {
916 kill.cmp.creatorid = 0;
918 warnx("wrong id format specified");
921 if (kill.cmp.id == 0) {
922 warnx("cannot kill id 0");
926 if (pfctl_kill_states(dev, &kill, &killed))
927 err(1, "DIOCKILLSTATES");
929 if ((opts & PF_OPT_QUIET) == 0)
930 fprintf(stderr, "killed %d states\n", killed);
936 pfctl_get_pool(int dev, struct pfctl_pool *pool, u_int32_t nr,
937 u_int32_t ticket, int r_action, char *anchorname)
939 struct pfioc_pooladdr pp;
940 struct pf_pooladdr *pa;
943 memset(&pp, 0, sizeof(pp));
944 memcpy(pp.anchor, anchorname, sizeof(pp.anchor));
945 pp.r_action = r_action;
948 if (ioctl(dev, DIOCGETADDRS, &pp)) {
949 warn("DIOCGETADDRS");
953 TAILQ_INIT(&pool->list);
954 for (pnr = 0; pnr < mpnr; ++pnr) {
956 if (ioctl(dev, DIOCGETADDR, &pp)) {
960 pa = calloc(1, sizeof(struct pf_pooladdr));
963 bcopy(&pp.addr, pa, sizeof(struct pf_pooladdr));
964 TAILQ_INSERT_TAIL(&pool->list, pa, entries);
971 pfctl_move_pool(struct pfctl_pool *src, struct pfctl_pool *dst)
973 struct pf_pooladdr *pa;
975 while ((pa = TAILQ_FIRST(&src->list)) != NULL) {
976 TAILQ_REMOVE(&src->list, pa, entries);
977 TAILQ_INSERT_TAIL(&dst->list, pa, entries);
982 pfctl_clear_pool(struct pfctl_pool *pool)
984 struct pf_pooladdr *pa;
986 while ((pa = TAILQ_FIRST(&pool->list)) != NULL) {
987 TAILQ_REMOVE(&pool->list, pa, entries);
993 pfctl_print_eth_rule_counters(struct pfctl_eth_rule *rule, int opts)
995 if (opts & PF_OPT_VERBOSE) {
996 printf(" [ Evaluations: %-8llu Packets: %-8llu "
998 (unsigned long long)rule->evaluations,
999 (unsigned long long)(rule->packets[0] +
1001 (unsigned long long)(rule->bytes[0] +
1007 pfctl_print_rule_counters(struct pfctl_rule *rule, int opts)
1009 if (opts & PF_OPT_DEBUG) {
1010 const char *t[PF_SKIP_COUNT] = { "i", "d", "f",
1011 "p", "sa", "sp", "da", "dp" };
1014 printf(" [ Skip steps: ");
1015 for (i = 0; i < PF_SKIP_COUNT; ++i) {
1016 if (rule->skip[i].nr == rule->nr + 1)
1018 printf("%s=", t[i]);
1019 if (rule->skip[i].nr == -1)
1022 printf("%u ", rule->skip[i].nr);
1026 printf(" [ queue: qname=%s qid=%u pqname=%s pqid=%u ]\n",
1027 rule->qname, rule->qid, rule->pqname, rule->pqid);
1029 if (opts & PF_OPT_VERBOSE) {
1030 printf(" [ Evaluations: %-8llu Packets: %-8llu "
1031 "Bytes: %-10llu States: %-6ju]\n",
1032 (unsigned long long)rule->evaluations,
1033 (unsigned long long)(rule->packets[0] +
1035 (unsigned long long)(rule->bytes[0] +
1036 rule->bytes[1]), (uintmax_t)rule->states_cur);
1037 if (!(opts & PF_OPT_DEBUG))
1038 printf(" [ Inserted: uid %u pid %u "
1039 "State Creations: %-6ju]\n",
1040 (unsigned)rule->cuid, (unsigned)rule->cpid,
1041 (uintmax_t)rule->states_tot);
1046 pfctl_print_title(char *title)
1051 printf("%s\n", title);
1055 pfctl_show_eth_rules(int dev, int opts)
1057 struct pfctl_eth_rules_info info;
1058 struct pfctl_eth_rule rule;
1059 int dotitle = opts & PF_OPT_SHOWALL;
1061 if (pfctl_get_eth_rules_info(dev, &info)) {
1062 warn("DIOCGETETHRULES");
1065 for (int nr = 0; nr < info.nr; nr++) {
1066 if (pfctl_get_eth_rule(dev, nr, info.ticket, &rule, false)
1068 warn("DIOCGETETHRULE");
1072 pfctl_print_title("ETH RULES:");
1075 print_eth_rule(&rule, opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG));
1077 pfctl_print_eth_rule_counters(&rule, opts);
1084 pfctl_show_rules(int dev, char *path, int opts, enum pfctl_show format,
1085 char *anchorname, int depth)
1087 struct pfioc_rule pr;
1088 struct pfctl_rule rule;
1089 u_int32_t nr, mnr, header = 0;
1090 int rule_numbers = opts & (PF_OPT_VERBOSE2 | PF_OPT_DEBUG);
1091 int numeric = opts & PF_OPT_NUMERIC;
1092 int len = strlen(path);
1097 snprintf(&path[len], MAXPATHLEN - len, "/%s", anchorname);
1099 snprintf(&path[len], MAXPATHLEN - len, "%s", anchorname);
1101 memset(&pr, 0, sizeof(pr));
1102 memcpy(pr.anchor, path, sizeof(pr.anchor));
1103 if (opts & PF_OPT_SHOWALL) {
1104 pr.rule.action = PF_PASS;
1105 if (ioctl(dev, DIOCGETRULES, &pr)) {
1106 warn("DIOCGETRULES");
1111 pr.rule.action = PF_SCRUB;
1112 if (ioctl(dev, DIOCGETRULES, &pr)) {
1113 warn("DIOCGETRULES");
1116 if (opts & PF_OPT_SHOWALL) {
1117 if (format == PFCTL_SHOW_RULES && (pr.nr > 0 || header))
1118 pfctl_print_title("FILTER RULES:");
1119 else if (format == PFCTL_SHOW_LABELS && labels)
1120 pfctl_print_title("LABEL COUNTERS:");
1124 for (nr = 0; nr < mnr; ++nr) {
1126 if (pfctl_get_clear_rule(dev, nr, pr.ticket, path, PF_SCRUB,
1127 &rule, pr.anchor_call, opts & PF_OPT_CLRRULECTRS)) {
1128 warn("DIOCGETRULENV");
1132 if (pfctl_get_pool(dev, &rule.rpool,
1133 nr, pr.ticket, PF_SCRUB, path) != 0)
1137 case PFCTL_SHOW_LABELS:
1139 case PFCTL_SHOW_RULES:
1140 if (rule.label[0] && (opts & PF_OPT_SHOWALL))
1142 print_rule(&rule, pr.anchor_call, rule_numbers, numeric);
1144 pfctl_print_rule_counters(&rule, opts);
1146 case PFCTL_SHOW_NOTHING:
1149 pfctl_clear_pool(&rule.rpool);
1151 pr.rule.action = PF_PASS;
1152 if (ioctl(dev, DIOCGETRULES, &pr)) {
1153 warn("DIOCGETRULES");
1157 for (nr = 0; nr < mnr; ++nr) {
1159 if (pfctl_get_clear_rule(dev, nr, pr.ticket, path, PF_PASS,
1160 &rule, pr.anchor_call, opts & PF_OPT_CLRRULECTRS)) {
1161 warn("DIOCGETRULE");
1165 if (pfctl_get_pool(dev, &rule.rpool,
1166 nr, pr.ticket, PF_PASS, path) != 0)
1170 case PFCTL_SHOW_LABELS: {
1174 while (rule.label[i][0]) {
1175 printf("%s ", rule.label[i++]);
1180 printf("%llu %llu %llu %llu"
1181 " %llu %llu %llu %ju\n",
1182 (unsigned long long)rule.evaluations,
1183 (unsigned long long)(rule.packets[0] +
1185 (unsigned long long)(rule.bytes[0] +
1187 (unsigned long long)rule.packets[0],
1188 (unsigned long long)rule.bytes[0],
1189 (unsigned long long)rule.packets[1],
1190 (unsigned long long)rule.bytes[1],
1191 (uintmax_t)rule.states_tot);
1195 case PFCTL_SHOW_RULES:
1197 if (rule.label[0] && (opts & PF_OPT_SHOWALL))
1199 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1200 if (pr.anchor_call[0] &&
1201 ((((p = strrchr(pr.anchor_call, '_')) != NULL) &&
1202 ((void *)p == (void *)pr.anchor_call ||
1203 *(--p) == '/')) || (opts & PF_OPT_RECURSE))) {
1205 if ((p = strrchr(pr.anchor_call, '/')) !=
1209 p = &pr.anchor_call[0];
1211 p = &pr.anchor_call[0];
1213 print_rule(&rule, p, rule_numbers, numeric);
1218 pfctl_print_rule_counters(&rule, opts);
1220 pfctl_show_rules(dev, path, opts, format,
1222 INDENT(depth, !(opts & PF_OPT_VERBOSE));
1226 case PFCTL_SHOW_NOTHING:
1229 pfctl_clear_pool(&rule.rpool);
1240 pfctl_show_nat(int dev, int opts, char *anchorname)
1242 struct pfioc_rule pr;
1243 struct pfctl_rule rule;
1245 static int nattype[3] = { PF_NAT, PF_RDR, PF_BINAT };
1246 int i, dotitle = opts & PF_OPT_SHOWALL;
1248 memset(&pr, 0, sizeof(pr));
1249 memcpy(pr.anchor, anchorname, sizeof(pr.anchor));
1250 for (i = 0; i < 3; i++) {
1251 pr.rule.action = nattype[i];
1252 if (ioctl(dev, DIOCGETRULES, &pr)) {
1253 warn("DIOCGETRULES");
1257 for (nr = 0; nr < mnr; ++nr) {
1259 if (pfctl_get_rule(dev, nr, pr.ticket, anchorname,
1260 nattype[i], &rule, pr.anchor_call)) {
1261 warn("DIOCGETRULE");
1264 if (pfctl_get_pool(dev, &rule.rpool, nr,
1265 pr.ticket, nattype[i], anchorname) != 0)
1268 pfctl_print_title("TRANSLATION RULES:");
1271 print_rule(&rule, pr.anchor_call,
1272 opts & PF_OPT_VERBOSE2, opts & PF_OPT_NUMERIC);
1274 pfctl_print_rule_counters(&rule, opts);
1275 pfctl_clear_pool(&rule.rpool);
1282 pfctl_show_src_nodes(int dev, int opts)
1284 struct pfioc_src_nodes psn;
1285 struct pf_src_node *p;
1286 char *inbuf = NULL, *newinbuf = NULL;
1287 unsigned int len = 0;
1290 memset(&psn, 0, sizeof(psn));
1294 newinbuf = realloc(inbuf, len);
1295 if (newinbuf == NULL)
1297 psn.psn_buf = inbuf = newinbuf;
1299 if (ioctl(dev, DIOCGETSRCNODES, &psn) < 0) {
1300 warn("DIOCGETSRCNODES");
1304 if (psn.psn_len + sizeof(struct pfioc_src_nodes) < len)
1306 if (len == 0 && psn.psn_len == 0)
1308 if (len == 0 && psn.psn_len != 0)
1310 if (psn.psn_len == 0)
1311 goto done; /* no src_nodes */
1314 p = psn.psn_src_nodes;
1315 if (psn.psn_len > 0 && (opts & PF_OPT_SHOWALL))
1316 pfctl_print_title("SOURCE TRACKING NODES:");
1317 for (i = 0; i < psn.psn_len; i += sizeof(*p)) {
1318 print_src_node(p, opts);
1327 pfctl_show_states(int dev, const char *iface, int opts)
1329 struct pfctl_states states;
1330 struct pfctl_state *s;
1331 int dotitle = (opts & PF_OPT_SHOWALL);
1333 memset(&states, 0, sizeof(states));
1335 if (pfctl_get_states(dev, &states))
1338 TAILQ_FOREACH(s, &states.states, entry) {
1339 if (iface != NULL && strcmp(s->ifname, iface))
1342 pfctl_print_title("STATES:");
1345 print_state(s, opts);
1348 pfctl_free_states(&states);
1354 pfctl_show_status(int dev, int opts)
1356 struct pfctl_status *status;
1357 struct pfctl_syncookies cookies;
1359 if ((status = pfctl_get_status(dev)) == NULL) {
1360 warn("DIOCGETSTATUS");
1363 if (pfctl_get_syncookies(dev, &cookies)) {
1364 pfctl_free_status(status);
1365 warn("DIOCGETSYNCOOKIES");
1368 if (opts & PF_OPT_SHOWALL)
1369 pfctl_print_title("INFO:");
1370 print_status(status, &cookies, opts);
1371 pfctl_free_status(status);
1376 pfctl_show_running(int dev)
1378 struct pfctl_status *status;
1381 if ((status = pfctl_get_status(dev)) == NULL) {
1382 warn("DIOCGETSTATUS");
1386 running = status->running;
1388 print_running(status);
1389 pfctl_free_status(status);
1394 pfctl_show_timeouts(int dev, int opts)
1399 if (opts & PF_OPT_SHOWALL)
1400 pfctl_print_title("TIMEOUTS:");
1401 memset(&pt, 0, sizeof(pt));
1402 for (i = 0; pf_timeouts[i].name; i++) {
1403 pt.timeout = pf_timeouts[i].timeout;
1404 if (ioctl(dev, DIOCGETTIMEOUT, &pt))
1405 err(1, "DIOCGETTIMEOUT");
1406 printf("%-20s %10d", pf_timeouts[i].name, pt.seconds);
1407 if (pf_timeouts[i].timeout >= PFTM_ADAPTIVE_START &&
1408 pf_timeouts[i].timeout <= PFTM_ADAPTIVE_END)
1419 pfctl_show_limits(int dev, int opts)
1421 struct pfioc_limit pl;
1424 if (opts & PF_OPT_SHOWALL)
1425 pfctl_print_title("LIMITS:");
1426 memset(&pl, 0, sizeof(pl));
1427 for (i = 0; pf_limits[i].name; i++) {
1428 pl.index = pf_limits[i].index;
1429 if (ioctl(dev, DIOCGETLIMIT, &pl))
1430 err(1, "DIOCGETLIMIT");
1431 printf("%-13s ", pf_limits[i].name);
1432 if (pl.limit == UINT_MAX)
1433 printf("unlimited\n");
1435 printf("hard limit %8u\n", pl.limit);
1440 /* callbacks for rule/nat/rdr/addr */
1442 pfctl_add_pool(struct pfctl *pf, struct pfctl_pool *p, sa_family_t af)
1444 struct pf_pooladdr *pa;
1446 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1447 if (ioctl(pf->dev, DIOCBEGINADDRS, &pf->paddr))
1448 err(1, "DIOCBEGINADDRS");
1452 TAILQ_FOREACH(pa, &p->list, entries) {
1453 memcpy(&pf->paddr.addr, pa, sizeof(struct pf_pooladdr));
1454 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1455 if (ioctl(pf->dev, DIOCADDADDR, &pf->paddr))
1456 err(1, "DIOCADDADDR");
1463 pfctl_append_rule(struct pfctl *pf, struct pfctl_rule *r,
1464 const char *anchor_call)
1467 struct pfctl_rule *rule;
1468 struct pfctl_ruleset *rs;
1471 rs_num = pf_get_ruleset_number(r->action);
1472 if (rs_num == PF_RULESET_MAX)
1473 errx(1, "Invalid rule type %d", r->action);
1475 rs = &pf->anchor->ruleset;
1477 if (anchor_call[0] && r->anchor == NULL) {
1479 * Don't make non-brace anchors part of the main anchor pool.
1481 if ((r->anchor = calloc(1, sizeof(*r->anchor))) == NULL)
1482 err(1, "pfctl_append_rule: calloc");
1484 pf_init_ruleset(&r->anchor->ruleset);
1485 r->anchor->ruleset.anchor = r->anchor;
1486 if (strlcpy(r->anchor->path, anchor_call,
1487 sizeof(rule->anchor->path)) >= sizeof(rule->anchor->path))
1488 errx(1, "pfctl_append_rule: strlcpy");
1489 if ((p = strrchr(anchor_call, '/')) != NULL) {
1491 err(1, "pfctl_append_rule: bad anchor name %s",
1494 p = (char *)anchor_call;
1495 if (strlcpy(r->anchor->name, p,
1496 sizeof(rule->anchor->name)) >= sizeof(rule->anchor->name))
1497 errx(1, "pfctl_append_rule: strlcpy");
1500 if ((rule = calloc(1, sizeof(*rule))) == NULL)
1502 bcopy(r, rule, sizeof(*rule));
1503 TAILQ_INIT(&rule->rpool.list);
1504 pfctl_move_pool(&r->rpool, &rule->rpool);
1506 TAILQ_INSERT_TAIL(rs->rules[rs_num].active.ptr, rule, entries);
1511 pfctl_ruleset_trans(struct pfctl *pf, char *path, struct pfctl_anchor *a)
1513 int osize = pf->trans->pfrb_size;
1515 if ((pf->loadopt & PFCTL_FLAG_ETH) != 0) {
1517 if (pfctl_add_trans(pf->trans, PF_RULESET_ETH, path))
1521 if ((pf->loadopt & PFCTL_FLAG_NAT) != 0) {
1522 if (pfctl_add_trans(pf->trans, PF_RULESET_NAT, path) ||
1523 pfctl_add_trans(pf->trans, PF_RULESET_BINAT, path) ||
1524 pfctl_add_trans(pf->trans, PF_RULESET_RDR, path))
1527 if (a == pf->astack[0] && ((altqsupport &&
1528 (pf->loadopt & PFCTL_FLAG_ALTQ) != 0))) {
1529 if (pfctl_add_trans(pf->trans, PF_RULESET_ALTQ, path))
1532 if ((pf->loadopt & PFCTL_FLAG_FILTER) != 0) {
1533 if (pfctl_add_trans(pf->trans, PF_RULESET_SCRUB, path) ||
1534 pfctl_add_trans(pf->trans, PF_RULESET_FILTER, path))
1537 if (pf->loadopt & PFCTL_FLAG_TABLE)
1538 if (pfctl_add_trans(pf->trans, PF_RULESET_TABLE, path))
1540 if (pfctl_trans(pf->dev, pf->trans, DIOCXBEGIN, osize))
1547 pfctl_load_eth_ruleset(struct pfctl *pf)
1549 struct pfctl_eth_rule *r;
1552 while ((r = TAILQ_FIRST(&pf->eth_rules)) != NULL) {
1553 TAILQ_REMOVE(&pf->eth_rules, r, entries);
1555 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1556 error = pfctl_add_eth_rule(pf->dev, r, pf->eth_ticket);
1568 pfctl_load_ruleset(struct pfctl *pf, char *path, struct pfctl_ruleset *rs,
1569 int rs_num, int depth)
1571 struct pfctl_rule *r;
1572 int error, len = strlen(path);
1575 pf->anchor = rs->anchor;
1578 snprintf(&path[len], MAXPATHLEN - len, "/%s", pf->anchor->name);
1580 snprintf(&path[len], MAXPATHLEN - len, "%s", pf->anchor->name);
1583 if (TAILQ_FIRST(rs->rules[rs_num].active.ptr) != NULL) {
1585 if (pf->opts & PF_OPT_VERBOSE)
1587 if ((pf->opts & PF_OPT_NOACTION) == 0 &&
1588 (error = pfctl_ruleset_trans(pf,
1589 path, rs->anchor))) {
1590 printf("pfctl_load_rulesets: "
1591 "pfctl_ruleset_trans %d\n", error);
1594 } else if (pf->opts & PF_OPT_VERBOSE)
1599 if (pf->optimize && rs_num == PF_RULESET_FILTER)
1600 pfctl_optimize_ruleset(pf, rs);
1602 while ((r = TAILQ_FIRST(rs->rules[rs_num].active.ptr)) != NULL) {
1603 TAILQ_REMOVE(rs->rules[rs_num].active.ptr, r, entries);
1605 for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++)
1606 expand_label(r->label[i], PF_RULE_LABEL_SIZE, r);
1607 expand_label(r->tagname, PF_TAG_NAME_SIZE, r);
1608 expand_label(r->match_tagname, PF_TAG_NAME_SIZE, r);
1610 if ((error = pfctl_load_rule(pf, path, r, depth)))
1613 if ((error = pfctl_load_ruleset(pf, path,
1614 &r->anchor->ruleset, rs_num, depth + 1)))
1616 } else if (pf->opts & PF_OPT_VERBOSE)
1620 if (brace && pf->opts & PF_OPT_VERBOSE) {
1621 INDENT(depth - 1, (pf->opts & PF_OPT_VERBOSE));
1634 pfctl_load_rule(struct pfctl *pf, char *path, struct pfctl_rule *r, int depth)
1636 u_int8_t rs_num = pf_get_ruleset_number(r->action);
1639 char anchor[PF_ANCHOR_NAME_SIZE];
1640 int len = strlen(path);
1642 /* set up anchor before adding to path for anchor_call */
1643 if ((pf->opts & PF_OPT_NOACTION) == 0)
1644 ticket = pfctl_get_ticket(pf->trans, rs_num, path);
1645 if (strlcpy(anchor, path, sizeof(anchor)) >= sizeof(anchor))
1646 errx(1, "pfctl_load_rule: strlcpy");
1649 if (r->anchor->match) {
1651 snprintf(&path[len], MAXPATHLEN - len,
1652 "/%s", r->anchor->name);
1654 snprintf(&path[len], MAXPATHLEN - len,
1655 "%s", r->anchor->name);
1656 name = r->anchor->name;
1658 name = r->anchor->path;
1662 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1663 if (pfctl_add_pool(pf, &r->rpool, r->af))
1665 if (pfctl_add_rule(pf->dev, r, anchor, name, ticket,
1667 err(1, "DIOCADDRULENV");
1670 if (pf->opts & PF_OPT_VERBOSE) {
1671 INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
1672 print_rule(r, r->anchor ? r->anchor->name : "",
1673 pf->opts & PF_OPT_VERBOSE2,
1674 pf->opts & PF_OPT_NUMERIC);
1677 pfctl_clear_pool(&r->rpool);
1682 pfctl_add_altq(struct pfctl *pf, struct pf_altq *a)
1685 (loadopt & PFCTL_FLAG_ALTQ) != 0) {
1686 memcpy(&pf->paltq->altq, a, sizeof(struct pf_altq));
1687 if ((pf->opts & PF_OPT_NOACTION) == 0) {
1688 if (ioctl(pf->dev, DIOCADDALTQ, pf->paltq)) {
1690 errx(1, "qtype not configured");
1691 else if (errno == ENODEV)
1692 errx(1, "%s: driver does not support "
1695 err(1, "DIOCADDALTQ");
1698 pfaltq_store(&pf->paltq->altq);
1704 pfctl_rules(int dev, char *filename, int opts, int optimize,
1705 char *anchorname, struct pfr_buffer *trans)
1707 #define ERR(x) do { warn(x); goto _error; } while(0)
1708 #define ERRX(x) do { warnx(x); goto _error; } while(0)
1710 struct pfr_buffer *t, buf;
1711 struct pfioc_altq pa;
1713 struct pfctl_ruleset *rs;
1714 struct pfr_table trs;
1718 RB_INIT(&pf_anchors);
1719 memset(&pf_main_anchor, 0, sizeof(pf_main_anchor));
1720 pf_init_ruleset(&pf_main_anchor.ruleset);
1721 pf_main_anchor.ruleset.anchor = &pf_main_anchor;
1722 if (trans == NULL) {
1723 bzero(&buf, sizeof(buf));
1724 buf.pfrb_type = PFRB_TRANS;
1729 osize = t->pfrb_size;
1732 memset(&pa, 0, sizeof(pa));
1733 pa.version = PFIOC_ALTQ_VERSION;
1734 memset(&pf, 0, sizeof(pf));
1735 memset(&trs, 0, sizeof(trs));
1736 if ((path = calloc(1, MAXPATHLEN)) == NULL)
1737 ERRX("pfctl_rules: calloc");
1738 if (strlcpy(trs.pfrt_anchor, anchorname,
1739 sizeof(trs.pfrt_anchor)) >= sizeof(trs.pfrt_anchor))
1740 ERRX("pfctl_rules: strlcpy");
1743 pf.optimize = optimize;
1744 pf.loadopt = loadopt;
1745 TAILQ_INIT(&pf.eth_rules);
1747 /* non-brace anchor, create without resolving the path */
1748 if ((pf.anchor = calloc(1, sizeof(*pf.anchor))) == NULL)
1749 ERRX("pfctl_rules: calloc");
1750 rs = &pf.anchor->ruleset;
1751 pf_init_ruleset(rs);
1752 rs->anchor = pf.anchor;
1753 if (strlcpy(pf.anchor->path, anchorname,
1754 sizeof(pf.anchor->path)) >= sizeof(pf.anchor->path))
1755 errx(1, "pfctl_add_rule: strlcpy");
1756 if (strlcpy(pf.anchor->name, anchorname,
1757 sizeof(pf.anchor->name)) >= sizeof(pf.anchor->name))
1758 errx(1, "pfctl_add_rule: strlcpy");
1761 pf.astack[0] = pf.anchor;
1764 pf.loadopt &= ~PFCTL_FLAG_ALTQ;
1767 pfctl_init_options(&pf);
1769 if ((opts & PF_OPT_NOACTION) == 0) {
1771 * XXX For the time being we need to open transactions for
1772 * the main ruleset before parsing, because tables are still
1773 * loaded at parse time.
1775 if (pfctl_ruleset_trans(&pf, anchorname, pf.anchor))
1776 ERRX("pfctl_rules");
1777 if (pf.loadopt & PFCTL_FLAG_ETH)
1778 pf.eth_ticket = pfctl_get_ticket(t, PF_RULESET_ETH, anchorname);
1779 if (altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ))
1781 pfctl_get_ticket(t, PF_RULESET_ALTQ, anchorname);
1782 if (pf.loadopt & PFCTL_FLAG_TABLE)
1783 pf.astack[0]->ruleset.tticket =
1784 pfctl_get_ticket(t, PF_RULESET_TABLE, anchorname);
1787 if (parse_config(filename, &pf) < 0) {
1788 if ((opts & PF_OPT_NOACTION) == 0)
1789 ERRX("Syntax error in config file: "
1790 "pf rules not loaded");
1794 if (loadopt & PFCTL_FLAG_OPTION)
1795 pfctl_adjust_skip_ifaces(&pf);
1797 if ((pf.loadopt & PFCTL_FLAG_FILTER &&
1798 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_SCRUB, 0))) ||
1799 (pf.loadopt & PFCTL_FLAG_ETH &&
1800 (pfctl_load_eth_ruleset(&pf))) ||
1801 (pf.loadopt & PFCTL_FLAG_NAT &&
1802 (pfctl_load_ruleset(&pf, path, rs, PF_RULESET_NAT, 0) ||
1803 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_RDR, 0) ||
1804 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_BINAT, 0))) ||
1805 (pf.loadopt & PFCTL_FLAG_FILTER &&
1806 pfctl_load_ruleset(&pf, path, rs, PF_RULESET_FILTER, 0))) {
1807 if ((opts & PF_OPT_NOACTION) == 0)
1808 ERRX("Unable to load rules into kernel");
1813 if ((altqsupport && (pf.loadopt & PFCTL_FLAG_ALTQ) != 0))
1814 if (check_commit_altq(dev, opts) != 0)
1815 ERRX("errors in altq config");
1817 /* process "load anchor" directives */
1819 if (pfctl_load_anchors(dev, &pf, t) == -1)
1820 ERRX("load anchors");
1822 if (trans == NULL && (opts & PF_OPT_NOACTION) == 0) {
1824 if (pfctl_load_options(&pf))
1826 if (pfctl_trans(dev, t, DIOCXCOMMIT, osize))
1833 if (trans == NULL) { /* main ruleset */
1834 if ((opts & PF_OPT_NOACTION) == 0)
1835 if (pfctl_trans(dev, t, DIOCXROLLBACK, osize))
1836 err(1, "DIOCXROLLBACK");
1838 } else { /* sub ruleset */
1848 pfctl_fopen(const char *name, const char *mode)
1853 fp = fopen(name, mode);
1856 if (fstat(fileno(fp), &st)) {
1860 if (S_ISDIR(st.st_mode)) {
1869 pfctl_init_options(struct pfctl *pf)
1872 pf->timeout[PFTM_TCP_FIRST_PACKET] = PFTM_TCP_FIRST_PACKET_VAL;
1873 pf->timeout[PFTM_TCP_OPENING] = PFTM_TCP_OPENING_VAL;
1874 pf->timeout[PFTM_TCP_ESTABLISHED] = PFTM_TCP_ESTABLISHED_VAL;
1875 pf->timeout[PFTM_TCP_CLOSING] = PFTM_TCP_CLOSING_VAL;
1876 pf->timeout[PFTM_TCP_FIN_WAIT] = PFTM_TCP_FIN_WAIT_VAL;
1877 pf->timeout[PFTM_TCP_CLOSED] = PFTM_TCP_CLOSED_VAL;
1878 pf->timeout[PFTM_UDP_FIRST_PACKET] = PFTM_UDP_FIRST_PACKET_VAL;
1879 pf->timeout[PFTM_UDP_SINGLE] = PFTM_UDP_SINGLE_VAL;
1880 pf->timeout[PFTM_UDP_MULTIPLE] = PFTM_UDP_MULTIPLE_VAL;
1881 pf->timeout[PFTM_ICMP_FIRST_PACKET] = PFTM_ICMP_FIRST_PACKET_VAL;
1882 pf->timeout[PFTM_ICMP_ERROR_REPLY] = PFTM_ICMP_ERROR_REPLY_VAL;
1883 pf->timeout[PFTM_OTHER_FIRST_PACKET] = PFTM_OTHER_FIRST_PACKET_VAL;
1884 pf->timeout[PFTM_OTHER_SINGLE] = PFTM_OTHER_SINGLE_VAL;
1885 pf->timeout[PFTM_OTHER_MULTIPLE] = PFTM_OTHER_MULTIPLE_VAL;
1886 pf->timeout[PFTM_FRAG] = PFTM_FRAG_VAL;
1887 pf->timeout[PFTM_INTERVAL] = PFTM_INTERVAL_VAL;
1888 pf->timeout[PFTM_SRC_NODE] = PFTM_SRC_NODE_VAL;
1889 pf->timeout[PFTM_TS_DIFF] = PFTM_TS_DIFF_VAL;
1890 pf->timeout[PFTM_ADAPTIVE_START] = PFSTATE_ADAPT_START;
1891 pf->timeout[PFTM_ADAPTIVE_END] = PFSTATE_ADAPT_END;
1893 pf->limit[PF_LIMIT_STATES] = PFSTATE_HIWAT;
1894 pf->limit[PF_LIMIT_FRAGS] = PFFRAG_FRENT_HIWAT;
1895 pf->limit[PF_LIMIT_SRC_NODES] = PFSNODE_HIWAT;
1896 pf->limit[PF_LIMIT_TABLE_ENTRIES] = PFR_KENTRY_HIWAT;
1898 pf->debug = PF_DEBUG_URGENT;
1900 pf->syncookies = false;
1901 pf->syncookieswat[0] = PF_SYNCOOKIES_LOWATPCT;
1902 pf->syncookieswat[1] = PF_SYNCOOKIES_HIWATPCT;
1906 pfctl_load_options(struct pfctl *pf)
1910 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
1914 for (i = 0; i < PF_LIMIT_MAX; i++) {
1915 if ((pf->opts & PF_OPT_MERGE) && !pf->limit_set[i])
1917 if (pfctl_load_limit(pf, i, pf->limit[i]))
1922 * If we've set the limit, but haven't explicitly set adaptive
1923 * timeouts, do it now with a start of 60% and end of 120%.
1925 if (pf->limit_set[PF_LIMIT_STATES] &&
1926 !pf->timeout_set[PFTM_ADAPTIVE_START] &&
1927 !pf->timeout_set[PFTM_ADAPTIVE_END]) {
1928 pf->timeout[PFTM_ADAPTIVE_START] =
1929 (pf->limit[PF_LIMIT_STATES] / 10) * 6;
1930 pf->timeout_set[PFTM_ADAPTIVE_START] = 1;
1931 pf->timeout[PFTM_ADAPTIVE_END] =
1932 (pf->limit[PF_LIMIT_STATES] / 10) * 12;
1933 pf->timeout_set[PFTM_ADAPTIVE_END] = 1;
1937 for (i = 0; i < PFTM_MAX; i++) {
1938 if ((pf->opts & PF_OPT_MERGE) && !pf->timeout_set[i])
1940 if (pfctl_load_timeout(pf, i, pf->timeout[i]))
1945 if (!(pf->opts & PF_OPT_MERGE) || pf->debug_set)
1946 if (pfctl_load_debug(pf, pf->debug))
1950 if (!(pf->opts & PF_OPT_MERGE) || pf->ifname_set)
1951 if (pfctl_load_logif(pf, pf->ifname))
1955 if (!(pf->opts & PF_OPT_MERGE) || pf->hostid_set)
1956 if (pfctl_load_hostid(pf, pf->hostid))
1959 /* load keepcounters */
1960 if (pfctl_set_keepcounters(pf->dev, pf->keep_counters))
1963 /* load syncookies settings */
1964 if (pfctl_load_syncookies(pf, pf->syncookies))
1971 pfctl_set_limit(struct pfctl *pf, const char *opt, unsigned int limit)
1976 for (i = 0; pf_limits[i].name; i++) {
1977 if (strcasecmp(opt, pf_limits[i].name) == 0) {
1978 pf->limit[pf_limits[i].index] = limit;
1979 pf->limit_set[pf_limits[i].index] = 1;
1983 if (pf_limits[i].name == NULL) {
1984 warnx("Bad pool name.");
1988 if (pf->opts & PF_OPT_VERBOSE)
1989 printf("set limit %s %d\n", opt, limit);
1995 pfctl_load_limit(struct pfctl *pf, unsigned int index, unsigned int limit)
1997 struct pfioc_limit pl;
1999 memset(&pl, 0, sizeof(pl));
2002 if (ioctl(pf->dev, DIOCSETLIMIT, &pl)) {
2004 warnx("Current pool size exceeds requested hard limit");
2006 warnx("DIOCSETLIMIT");
2013 pfctl_set_timeout(struct pfctl *pf, const char *opt, int seconds, int quiet)
2017 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2020 for (i = 0; pf_timeouts[i].name; i++) {
2021 if (strcasecmp(opt, pf_timeouts[i].name) == 0) {
2022 pf->timeout[pf_timeouts[i].timeout] = seconds;
2023 pf->timeout_set[pf_timeouts[i].timeout] = 1;
2028 if (pf_timeouts[i].name == NULL) {
2029 warnx("Bad timeout name.");
2034 if (pf->opts & PF_OPT_VERBOSE && ! quiet)
2035 printf("set timeout %s %d\n", opt, seconds);
2041 pfctl_load_timeout(struct pfctl *pf, unsigned int timeout, unsigned int seconds)
2045 memset(&pt, 0, sizeof(pt));
2046 pt.timeout = timeout;
2047 pt.seconds = seconds;
2048 if (ioctl(pf->dev, DIOCSETTIMEOUT, &pt)) {
2049 warnx("DIOCSETTIMEOUT");
2056 pfctl_set_optimization(struct pfctl *pf, const char *opt)
2058 const struct pf_hint *hint;
2061 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2064 for (i = 0; pf_hints[i].name; i++)
2065 if (strcasecmp(opt, pf_hints[i].name) == 0)
2068 hint = pf_hints[i].hint;
2070 warnx("invalid state timeouts optimization");
2074 for (i = 0; hint[i].name; i++)
2075 if ((r = pfctl_set_timeout(pf, hint[i].name,
2076 hint[i].timeout, 1)))
2079 if (pf->opts & PF_OPT_VERBOSE)
2080 printf("set optimization %s\n", opt);
2086 pfctl_set_logif(struct pfctl *pf, char *ifname)
2089 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2092 if (!strcmp(ifname, "none")) {
2096 pf->ifname = strdup(ifname);
2098 errx(1, "pfctl_set_logif: strdup");
2102 if (pf->opts & PF_OPT_VERBOSE)
2103 printf("set loginterface %s\n", ifname);
2109 pfctl_load_logif(struct pfctl *pf, char *ifname)
2113 memset(&pi, 0, sizeof(pi));
2114 if (ifname && strlcpy(pi.ifname, ifname,
2115 sizeof(pi.ifname)) >= sizeof(pi.ifname)) {
2116 warnx("pfctl_load_logif: strlcpy");
2119 if (ioctl(pf->dev, DIOCSETSTATUSIF, &pi)) {
2120 warnx("DIOCSETSTATUSIF");
2127 pfctl_set_hostid(struct pfctl *pf, u_int32_t hostid)
2129 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2134 pf->hostid = hostid;
2137 if (pf->opts & PF_OPT_VERBOSE)
2138 printf("set hostid 0x%08x\n", ntohl(hostid));
2144 pfctl_load_hostid(struct pfctl *pf, u_int32_t hostid)
2146 if (ioctl(dev, DIOCSETHOSTID, &hostid)) {
2147 warnx("DIOCSETHOSTID");
2154 pfctl_load_syncookies(struct pfctl *pf, u_int8_t val)
2156 struct pfctl_syncookies cookies;
2158 bzero(&cookies, sizeof(cookies));
2161 cookies.lowwater = pf->syncookieswat[0];
2162 cookies.highwater = pf->syncookieswat[1];
2164 if (pfctl_set_syncookies(dev, &cookies)) {
2165 warnx("DIOCSETSYNCOOKIES");
2172 pfctl_cfg_syncookies(struct pfctl *pf, uint8_t val, struct pfctl_watermarks *w)
2174 if (val != PF_SYNCOOKIES_ADAPTIVE && w != NULL) {
2175 warnx("syncookies start/end only apply to adaptive");
2178 if (val == PF_SYNCOOKIES_ADAPTIVE && w != NULL) {
2180 w->hi = PF_SYNCOOKIES_HIWATPCT;
2183 if (w->lo >= w->hi) {
2184 warnx("start must be higher than end");
2187 pf->syncookieswat[0] = w->lo;
2188 pf->syncookieswat[1] = w->hi;
2189 pf->syncookieswat_set = 1;
2192 if (pf->opts & PF_OPT_VERBOSE) {
2193 if (val == PF_SYNCOOKIES_NEVER)
2194 printf("set syncookies never\n");
2195 else if (val == PF_SYNCOOKIES_ALWAYS)
2196 printf("set syncookies always\n");
2197 else if (val == PF_SYNCOOKIES_ADAPTIVE) {
2198 if (pf->syncookieswat_set)
2199 printf("set syncookies adaptive (start %u%%, "
2200 "end %u%%)\n", pf->syncookieswat[1],
2201 pf->syncookieswat[0]);
2203 printf("set syncookies adaptive\n");
2204 } else { /* cannot happen */
2205 warnx("king bula ate all syncookies");
2210 pf->syncookies = val;
2215 pfctl_set_debug(struct pfctl *pf, char *d)
2219 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2222 if (!strcmp(d, "none"))
2223 pf->debug = PF_DEBUG_NONE;
2224 else if (!strcmp(d, "urgent"))
2225 pf->debug = PF_DEBUG_URGENT;
2226 else if (!strcmp(d, "misc"))
2227 pf->debug = PF_DEBUG_MISC;
2228 else if (!strcmp(d, "loud"))
2229 pf->debug = PF_DEBUG_NOISY;
2231 warnx("unknown debug level \"%s\"", d);
2238 if ((pf->opts & PF_OPT_NOACTION) == 0)
2239 if (ioctl(dev, DIOCSETDEBUG, &level))
2240 err(1, "DIOCSETDEBUG");
2242 if (pf->opts & PF_OPT_VERBOSE)
2243 printf("set debug %s\n", d);
2249 pfctl_load_debug(struct pfctl *pf, unsigned int level)
2251 if (ioctl(pf->dev, DIOCSETDEBUG, &level)) {
2252 warnx("DIOCSETDEBUG");
2259 pfctl_set_interface_flags(struct pfctl *pf, char *ifname, int flags, int how)
2261 struct pfioc_iface pi;
2262 struct node_host *h = NULL, *n = NULL;
2264 if ((loadopt & PFCTL_FLAG_OPTION) == 0)
2267 bzero(&pi, sizeof(pi));
2269 pi.pfiio_flags = flags;
2271 /* Make sure our cache matches the kernel. If we set or clear the flag
2272 * for a group this applies to all members. */
2273 h = ifa_grouplookup(ifname, 0);
2274 for (n = h; n != NULL; n = n->next)
2275 pfctl_set_interface_flags(pf, n->ifname, flags, how);
2277 if (strlcpy(pi.pfiio_name, ifname, sizeof(pi.pfiio_name)) >=
2278 sizeof(pi.pfiio_name))
2279 errx(1, "pfctl_set_interface_flags: strlcpy");
2281 if ((pf->opts & PF_OPT_NOACTION) == 0) {
2283 if (ioctl(pf->dev, DIOCCLRIFFLAG, &pi))
2284 err(1, "DIOCCLRIFFLAG");
2286 if (ioctl(pf->dev, DIOCSETIFFLAG, &pi))
2287 err(1, "DIOCSETIFFLAG");
2288 pfctl_check_skip_ifaces(ifname);
2295 pfctl_debug(int dev, u_int32_t level, int opts)
2297 if (ioctl(dev, DIOCSETDEBUG, &level))
2298 err(1, "DIOCSETDEBUG");
2299 if ((opts & PF_OPT_QUIET) == 0) {
2300 fprintf(stderr, "debug level set to '");
2303 fprintf(stderr, "none");
2305 case PF_DEBUG_URGENT:
2306 fprintf(stderr, "urgent");
2309 fprintf(stderr, "misc");
2311 case PF_DEBUG_NOISY:
2312 fprintf(stderr, "loud");
2315 fprintf(stderr, "<invalid>");
2318 fprintf(stderr, "'\n");
2323 pfctl_test_altqsupport(int dev, int opts)
2325 struct pfioc_altq pa;
2327 pa.version = PFIOC_ALTQ_VERSION;
2328 if (ioctl(dev, DIOCGETALTQS, &pa)) {
2329 if (errno == ENODEV) {
2330 if (opts & PF_OPT_VERBOSE)
2331 fprintf(stderr, "No ALTQ support in kernel\n"
2332 "ALTQ related functions disabled\n");
2335 err(1, "DIOCGETALTQS");
2341 pfctl_show_anchors(int dev, int opts, char *anchorname)
2343 struct pfioc_ruleset pr;
2346 memset(&pr, 0, sizeof(pr));
2347 memcpy(pr.path, anchorname, sizeof(pr.path));
2348 if (ioctl(dev, DIOCGETRULESETS, &pr)) {
2349 if (errno == EINVAL)
2350 fprintf(stderr, "Anchor '%s' not found.\n",
2353 err(1, "DIOCGETRULESETS");
2357 for (nr = 0; nr < mnr; ++nr) {
2358 char sub[MAXPATHLEN];
2361 if (ioctl(dev, DIOCGETRULESET, &pr))
2362 err(1, "DIOCGETRULESET");
2363 if (!strcmp(pr.name, PF_RESERVED_ANCHOR))
2367 strlcat(sub, pr.path, sizeof(sub));
2368 strlcat(sub, "/", sizeof(sub));
2370 strlcat(sub, pr.name, sizeof(sub));
2371 if (sub[0] != '_' || (opts & PF_OPT_VERBOSE))
2372 printf(" %s\n", sub);
2373 if ((opts & PF_OPT_VERBOSE) && pfctl_show_anchors(dev, opts, sub))
2380 pfctl_lookup_option(char *cmd, const char * const *list)
2382 if (cmd != NULL && *cmd)
2383 for (; *list; list++)
2384 if (!strncmp(cmd, *list, strlen(cmd)))
2390 main(int argc, char *argv[])
2394 int mode = O_RDONLY;
2396 int optimize = PF_OPTIMIZE_BASIC;
2397 char anchorname[MAXPATHLEN];
2403 while ((ch = getopt(argc, argv,
2404 "a:AdD:eqf:F:ghi:k:K:mMnNOo:Pp:rRs:t:T:vx:z")) != -1) {
2410 opts |= PF_OPT_DISABLE;
2414 if (pfctl_cmdline_symset(optarg) < 0)
2415 warnx("could not parse macro definition %s",
2419 opts |= PF_OPT_ENABLE;
2423 opts |= PF_OPT_QUIET;
2426 clearopt = pfctl_lookup_option(optarg, clearopt_list);
2427 if (clearopt == NULL) {
2428 warnx("Unknown flush modifier '%s'", optarg);
2437 if (state_killers >= 2) {
2438 warnx("can only specify -k twice");
2442 state_kill[state_killers++] = optarg;
2446 if (src_node_killers >= 2) {
2447 warnx("can only specify -K twice");
2451 src_node_kill[src_node_killers++] = optarg;
2455 opts |= PF_OPT_MERGE;
2458 opts |= PF_OPT_KILLMATCH;
2461 opts |= PF_OPT_NOACTION;
2464 loadopt |= PFCTL_FLAG_NAT;
2467 opts |= PF_OPT_USEDNS;
2474 opts |= PF_OPT_DEBUG;
2477 loadopt |= PFCTL_FLAG_ALTQ;
2480 loadopt |= PFCTL_FLAG_FILTER;
2483 optiopt = pfctl_lookup_option(optarg, optiopt_list);
2484 if (optiopt == NULL) {
2485 warnx("Unknown optimization '%s'", optarg);
2488 opts |= PF_OPT_OPTIMIZE;
2491 loadopt |= PFCTL_FLAG_OPTION;
2497 opts |= PF_OPT_NUMERIC;
2500 showopt = pfctl_lookup_option(optarg, showopt_list);
2501 if (showopt == NULL) {
2502 warnx("Unknown show modifier '%s'", optarg);
2510 tblcmdopt = pfctl_lookup_option(optarg, tblcmdopt_list);
2511 if (tblcmdopt == NULL) {
2512 warnx("Unknown table command '%s'", optarg);
2517 if (opts & PF_OPT_VERBOSE)
2518 opts |= PF_OPT_VERBOSE2;
2519 opts |= PF_OPT_VERBOSE;
2522 debugopt = pfctl_lookup_option(optarg, debugopt_list);
2523 if (debugopt == NULL) {
2524 warnx("Unknown debug level '%s'", optarg);
2530 opts |= PF_OPT_CLRRULECTRS;
2541 if (tblcmdopt != NULL) {
2546 loadopt |= PFCTL_FLAG_TABLE;
2549 mode = strchr("acdefkrz", ch) ? O_RDWR : O_RDONLY;
2550 } else if (argc != optind) {
2551 warnx("unknown command line argument: %s ...", argv[optind]);
2558 if ((path = calloc(1, MAXPATHLEN)) == NULL)
2559 errx(1, "pfctl: calloc");
2560 memset(anchorname, 0, sizeof(anchorname));
2561 if (anchoropt != NULL) {
2562 int len = strlen(anchoropt);
2564 if (anchoropt[len - 1] == '*') {
2565 if (len >= 2 && anchoropt[len - 2] == '/')
2566 anchoropt[len - 2] = '\0';
2568 anchoropt[len - 1] = '\0';
2569 opts |= PF_OPT_RECURSE;
2571 if (strlcpy(anchorname, anchoropt,
2572 sizeof(anchorname)) >= sizeof(anchorname))
2573 errx(1, "anchor name '%s' too long",
2575 loadopt &= PFCTL_FLAG_FILTER|PFCTL_FLAG_NAT|PFCTL_FLAG_TABLE;
2578 if ((opts & PF_OPT_NOACTION) == 0) {
2579 dev = open(pf_device, mode);
2581 err(1, "%s", pf_device);
2582 altqsupport = pfctl_test_altqsupport(dev, opts);
2584 dev = open(pf_device, O_RDONLY);
2586 opts |= PF_OPT_DUMMYACTION;
2587 /* turn off options */
2588 opts &= ~ (PF_OPT_DISABLE | PF_OPT_ENABLE);
2589 clearopt = showopt = debugopt = NULL;
2590 #if !defined(ENABLE_ALTQ)
2597 if (opts & PF_OPT_DISABLE)
2598 if (pfctl_disable(dev, opts))
2601 if (showopt != NULL) {
2604 pfctl_show_anchors(dev, opts, anchorname);
2607 pfctl_load_fingerprints(dev, opts);
2608 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_RULES,
2612 pfctl_load_fingerprints(dev, opts);
2613 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_LABELS,
2617 pfctl_load_fingerprints(dev, opts);
2618 pfctl_show_nat(dev, opts, anchorname);
2621 pfctl_show_altq(dev, ifaceopt, opts,
2622 opts & PF_OPT_VERBOSE2);
2625 pfctl_show_states(dev, ifaceopt, opts);
2628 pfctl_show_src_nodes(dev, opts);
2631 pfctl_show_status(dev, opts);
2634 error = pfctl_show_running(dev);
2637 pfctl_show_timeouts(dev, opts);
2640 pfctl_show_limits(dev, opts);
2643 pfctl_show_eth_rules(dev, opts);
2646 opts |= PF_OPT_SHOWALL;
2647 pfctl_load_fingerprints(dev, opts);
2649 pfctl_show_eth_rules(dev, opts);
2651 pfctl_show_nat(dev, opts, anchorname);
2652 pfctl_show_rules(dev, path, opts, 0, anchorname, 0);
2653 pfctl_show_altq(dev, ifaceopt, opts, 0);
2654 pfctl_show_states(dev, ifaceopt, opts);
2655 pfctl_show_src_nodes(dev, opts);
2656 pfctl_show_status(dev, opts);
2657 pfctl_show_rules(dev, path, opts, 1, anchorname, 0);
2658 pfctl_show_timeouts(dev, opts);
2659 pfctl_show_limits(dev, opts);
2660 pfctl_show_tables(anchorname, opts);
2661 pfctl_show_fingerprints(opts);
2664 pfctl_show_tables(anchorname, opts);
2667 pfctl_load_fingerprints(dev, opts);
2668 pfctl_show_fingerprints(opts);
2671 pfctl_show_ifaces(ifaceopt, opts);
2676 if ((opts & PF_OPT_CLRRULECTRS) && showopt == NULL)
2677 pfctl_show_rules(dev, path, opts, PFCTL_SHOW_NOTHING,
2680 if (clearopt != NULL) {
2681 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
2682 errx(1, "anchor names beginning with '_' cannot "
2683 "be modified from the command line");
2685 switch (*clearopt) {
2687 pfctl_clear_rules(dev, opts, anchorname);
2690 pfctl_clear_nat(dev, opts, anchorname);
2693 pfctl_clear_altq(dev, opts);
2696 pfctl_clear_iface_states(dev, ifaceopt, opts);
2699 pfctl_clear_src_nodes(dev, opts);
2702 pfctl_clear_stats(dev, opts);
2705 pfctl_clear_rules(dev, opts, anchorname);
2706 pfctl_clear_nat(dev, opts, anchorname);
2707 pfctl_clear_tables(anchorname, opts);
2709 pfctl_clear_altq(dev, opts);
2710 pfctl_clear_iface_states(dev, ifaceopt, opts);
2711 pfctl_clear_src_nodes(dev, opts);
2712 pfctl_clear_stats(dev, opts);
2713 pfctl_clear_fingerprints(dev, opts);
2714 pfctl_clear_interface_flags(dev, opts);
2718 pfctl_clear_fingerprints(dev, opts);
2721 pfctl_clear_tables(anchorname, opts);
2725 if (state_killers) {
2726 if (!strcmp(state_kill[0], "label"))
2727 pfctl_label_kill_states(dev, ifaceopt, opts);
2728 else if (!strcmp(state_kill[0], "id"))
2729 pfctl_id_kill_states(dev, ifaceopt, opts);
2730 else if (!strcmp(state_kill[0], "gateway"))
2731 pfctl_gateway_kill_states(dev, ifaceopt, opts);
2733 pfctl_net_kill_states(dev, ifaceopt, opts);
2736 if (src_node_killers)
2737 pfctl_kill_src_nodes(dev, ifaceopt, opts);
2739 if (tblcmdopt != NULL) {
2740 error = pfctl_command_tables(argc, argv, tableopt,
2741 tblcmdopt, rulesopt, anchorname, opts);
2744 if (optiopt != NULL) {
2750 optimize |= PF_OPTIMIZE_BASIC;
2754 optimize |= PF_OPTIMIZE_PROFILE;
2759 if ((rulesopt != NULL) && (loadopt & PFCTL_FLAG_OPTION) &&
2760 !anchorname[0] && !(opts & PF_OPT_NOACTION))
2761 if (pfctl_get_skip_ifaces())
2764 if (rulesopt != NULL && !(opts & (PF_OPT_MERGE|PF_OPT_NOACTION)) &&
2765 !anchorname[0] && (loadopt & PFCTL_FLAG_OPTION))
2766 if (pfctl_file_fingerprints(dev, opts, PF_OSFP_FILE))
2769 if (rulesopt != NULL) {
2770 if (anchorname[0] == '_' || strstr(anchorname, "/_") != NULL)
2771 errx(1, "anchor names beginning with '_' cannot "
2772 "be modified from the command line");
2773 if (pfctl_rules(dev, rulesopt, opts, optimize,
2776 else if (!(opts & PF_OPT_NOACTION) &&
2777 (loadopt & PFCTL_FLAG_TABLE))
2778 warn_namespace_collision(NULL);
2781 if (opts & PF_OPT_ENABLE)
2782 if (pfctl_enable(dev, opts))
2785 if (debugopt != NULL) {
2786 switch (*debugopt) {
2788 pfctl_debug(dev, PF_DEBUG_NONE, opts);
2791 pfctl_debug(dev, PF_DEBUG_URGENT, opts);
2794 pfctl_debug(dev, PF_DEBUG_MISC, opts);
2797 pfctl_debug(dev, PF_DEBUG_NOISY, opts);
projects / FreeBSD / FreeBSD.git / blob