2 * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
4 * Copyright (c) 2005 Philip Paeps <philip@FreeBSD.org>
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 #define PFIOC_USE_LATEST
33 #include <sys/queue.h>
34 #include <bsnmp/snmpmod.h>
36 #include <net/pfvar.h>
37 #include <sys/ioctl.h>
48 #define SNMPTREE_TYPES
52 struct lmodule *module;
56 static uint64_t pf_tick;
58 static struct pf_status pfs;
64 #define PFI_IFTYPE_GROUP 0
65 #define PFI_IFTYPE_INSTANCE 1
66 #define PFI_IFTYPE_DETACHED 2
71 TAILQ_ENTRY(pfi_entry) link;
73 TAILQ_HEAD(pfi_table, pfi_entry);
75 static struct pfi_table pfi_table;
76 static time_t pfi_table_age;
77 static int pfi_table_count;
79 #define PFI_TABLE_MAXAGE 5
82 struct pfr_tstats pft;
84 TAILQ_ENTRY(pft_entry) link;
86 TAILQ_HEAD(pft_table, pft_entry);
88 static struct pft_table pft_table;
89 static time_t pft_table_age;
90 static int pft_table_count;
92 #define PFT_TABLE_MAXAGE 5
95 struct pfr_astats pfas;
97 TAILQ_ENTRY(pfa_entry) link;
99 TAILQ_HEAD(pfa_table, pfa_entry);
101 static struct pfa_table pfa_table;
102 static time_t pfa_table_age;
103 static int pfa_table_count;
105 #define PFA_TABLE_MAXAGE 5
110 TAILQ_ENTRY(pfq_entry) link;
112 TAILQ_HEAD(pfq_table, pfq_entry);
114 static struct pfq_table pfq_table;
115 static time_t pfq_table_age;
116 static int pfq_table_count;
118 static int altq_enabled = 0;
120 #define PFQ_TABLE_MAXAGE 5
123 char name[MAXPATHLEN + PF_RULE_LABEL_SIZE];
128 TAILQ_ENTRY(pfl_entry) link;
130 TAILQ_HEAD(pfl_table, pfl_entry);
132 static struct pfl_table pfl_table;
133 static time_t pfl_table_age;
134 static int pfl_table_count;
136 #define PFL_TABLE_MAXAGE 5
138 /* Forward declarations */
139 static int pfi_refresh(void);
140 static int pfq_refresh(void);
141 static int pfs_refresh(void);
142 static int pft_refresh(void);
143 static int pfa_refresh(void);
144 static int pfl_refresh(void);
145 static struct pfi_entry * pfi_table_find(u_int idx);
146 static struct pfq_entry * pfq_table_find(u_int idx);
147 static struct pft_entry * pft_table_find(u_int idx);
148 static struct pfa_entry * pfa_table_find(u_int idx);
149 static struct pfl_entry * pfl_table_find(u_int idx);
151 static int altq_is_enabled(int pfdevice);
154 pf_status(struct snmp_context __unused *ctx, struct snmp_value *val,
155 u_int sub, u_int __unused vindex, enum snmp_op op)
157 asn_subid_t which = val->var.subs[sub - 1];
159 unsigned char str[128];
161 if (op == SNMP_OP_SET)
162 return (SNMP_ERR_NOT_WRITEABLE);
164 if (op == SNMP_OP_GET) {
165 if (pfs_refresh() == -1)
166 return (SNMP_ERR_GENERR);
169 case LEAF_pfStatusRunning:
170 val->v.uint32 = pfs.running;
172 case LEAF_pfStatusRuntime:
173 runtime = (pfs.since > 0) ?
174 time(NULL) - pfs.since : 0;
175 val->v.uint32 = runtime * 100;
177 case LEAF_pfStatusDebug:
178 val->v.uint32 = pfs.debug;
180 case LEAF_pfStatusHostId:
181 sprintf(str, "0x%08x", ntohl(pfs.hostid));
182 return (string_get(val, str, strlen(str)));
185 return (SNMP_ERR_NOSUCHNAME);
188 return (SNMP_ERR_NOERROR);
195 pf_counter(struct snmp_context __unused *ctx, struct snmp_value *val,
196 u_int sub, u_int __unused vindex, enum snmp_op op)
198 asn_subid_t which = val->var.subs[sub - 1];
200 if (op == SNMP_OP_SET)
201 return (SNMP_ERR_NOT_WRITEABLE);
203 if (op == SNMP_OP_GET) {
204 if (pfs_refresh() == -1)
205 return (SNMP_ERR_GENERR);
208 case LEAF_pfCounterMatch:
209 val->v.counter64 = pfs.counters[PFRES_MATCH];
211 case LEAF_pfCounterBadOffset:
212 val->v.counter64 = pfs.counters[PFRES_BADOFF];
214 case LEAF_pfCounterFragment:
215 val->v.counter64 = pfs.counters[PFRES_FRAG];
217 case LEAF_pfCounterShort:
218 val->v.counter64 = pfs.counters[PFRES_SHORT];
220 case LEAF_pfCounterNormalize:
221 val->v.counter64 = pfs.counters[PFRES_NORM];
223 case LEAF_pfCounterMemDrop:
224 val->v.counter64 = pfs.counters[PFRES_MEMORY];
228 return (SNMP_ERR_NOSUCHNAME);
231 return (SNMP_ERR_NOERROR);
238 pf_statetable(struct snmp_context __unused *ctx, struct snmp_value *val,
239 u_int sub, u_int __unused vindex, enum snmp_op op)
241 asn_subid_t which = val->var.subs[sub - 1];
243 if (op == SNMP_OP_SET)
244 return (SNMP_ERR_NOT_WRITEABLE);
246 if (op == SNMP_OP_GET) {
247 if (pfs_refresh() == -1)
248 return (SNMP_ERR_GENERR);
251 case LEAF_pfStateTableCount:
252 val->v.uint32 = pfs.states;
254 case LEAF_pfStateTableSearches:
256 pfs.fcounters[FCNT_STATE_SEARCH];
258 case LEAF_pfStateTableInserts:
260 pfs.fcounters[FCNT_STATE_INSERT];
262 case LEAF_pfStateTableRemovals:
264 pfs.fcounters[FCNT_STATE_REMOVALS];
268 return (SNMP_ERR_NOSUCHNAME);
271 return (SNMP_ERR_NOERROR);
278 pf_srcnodes(struct snmp_context __unused *ctx, struct snmp_value *val,
279 u_int sub, u_int __unused vindex, enum snmp_op op)
281 asn_subid_t which = val->var.subs[sub - 1];
283 if (op == SNMP_OP_SET)
284 return (SNMP_ERR_NOT_WRITEABLE);
286 if (op == SNMP_OP_GET) {
287 if (pfs_refresh() == -1)
288 return (SNMP_ERR_GENERR);
291 case LEAF_pfSrcNodesCount:
292 val->v.uint32 = pfs.src_nodes;
294 case LEAF_pfSrcNodesSearches:
296 pfs.scounters[SCNT_SRC_NODE_SEARCH];
298 case LEAF_pfSrcNodesInserts:
300 pfs.scounters[SCNT_SRC_NODE_INSERT];
302 case LEAF_pfSrcNodesRemovals:
304 pfs.scounters[SCNT_SRC_NODE_REMOVALS];
308 return (SNMP_ERR_NOSUCHNAME);
311 return (SNMP_ERR_NOERROR);
318 pf_limits(struct snmp_context __unused *ctx, struct snmp_value *val,
319 u_int sub, u_int __unused vindex, enum snmp_op op)
321 asn_subid_t which = val->var.subs[sub - 1];
322 struct pfioc_limit pl;
324 if (op == SNMP_OP_SET)
325 return (SNMP_ERR_NOT_WRITEABLE);
327 if (op == SNMP_OP_GET) {
328 bzero(&pl, sizeof(struct pfioc_limit));
331 case LEAF_pfLimitsStates:
332 pl.index = PF_LIMIT_STATES;
334 case LEAF_pfLimitsSrcNodes:
335 pl.index = PF_LIMIT_SRC_NODES;
337 case LEAF_pfLimitsFrags:
338 pl.index = PF_LIMIT_FRAGS;
342 return (SNMP_ERR_NOSUCHNAME);
345 if (ioctl(dev, DIOCGETLIMIT, &pl)) {
346 syslog(LOG_ERR, "pf_limits(): ioctl(): %s",
348 return (SNMP_ERR_GENERR);
351 val->v.uint32 = pl.limit;
353 return (SNMP_ERR_NOERROR);
360 pf_timeouts(struct snmp_context __unused *ctx, struct snmp_value *val,
361 u_int sub, u_int __unused vindex, enum snmp_op op)
363 asn_subid_t which = val->var.subs[sub - 1];
366 if (op == SNMP_OP_SET)
367 return (SNMP_ERR_NOT_WRITEABLE);
369 if (op == SNMP_OP_GET) {
370 bzero(&pt, sizeof(struct pfioc_tm));
373 case LEAF_pfTimeoutsTcpFirst:
374 pt.timeout = PFTM_TCP_FIRST_PACKET;
376 case LEAF_pfTimeoutsTcpOpening:
377 pt.timeout = PFTM_TCP_OPENING;
379 case LEAF_pfTimeoutsTcpEstablished:
380 pt.timeout = PFTM_TCP_ESTABLISHED;
382 case LEAF_pfTimeoutsTcpClosing:
383 pt.timeout = PFTM_TCP_CLOSING;
385 case LEAF_pfTimeoutsTcpFinWait:
386 pt.timeout = PFTM_TCP_FIN_WAIT;
388 case LEAF_pfTimeoutsTcpClosed:
389 pt.timeout = PFTM_TCP_CLOSED;
391 case LEAF_pfTimeoutsUdpFirst:
392 pt.timeout = PFTM_UDP_FIRST_PACKET;
394 case LEAF_pfTimeoutsUdpSingle:
395 pt.timeout = PFTM_UDP_SINGLE;
397 case LEAF_pfTimeoutsUdpMultiple:
398 pt.timeout = PFTM_UDP_MULTIPLE;
400 case LEAF_pfTimeoutsIcmpFirst:
401 pt.timeout = PFTM_ICMP_FIRST_PACKET;
403 case LEAF_pfTimeoutsIcmpError:
404 pt.timeout = PFTM_ICMP_ERROR_REPLY;
406 case LEAF_pfTimeoutsOtherFirst:
407 pt.timeout = PFTM_OTHER_FIRST_PACKET;
409 case LEAF_pfTimeoutsOtherSingle:
410 pt.timeout = PFTM_OTHER_SINGLE;
412 case LEAF_pfTimeoutsOtherMultiple:
413 pt.timeout = PFTM_OTHER_MULTIPLE;
415 case LEAF_pfTimeoutsFragment:
416 pt.timeout = PFTM_FRAG;
418 case LEAF_pfTimeoutsInterval:
419 pt.timeout = PFTM_INTERVAL;
421 case LEAF_pfTimeoutsAdaptiveStart:
422 pt.timeout = PFTM_ADAPTIVE_START;
424 case LEAF_pfTimeoutsAdaptiveEnd:
425 pt.timeout = PFTM_ADAPTIVE_END;
427 case LEAF_pfTimeoutsSrcNode:
428 pt.timeout = PFTM_SRC_NODE;
432 return (SNMP_ERR_NOSUCHNAME);
435 if (ioctl(dev, DIOCGETTIMEOUT, &pt)) {
436 syslog(LOG_ERR, "pf_timeouts(): ioctl(): %s",
438 return (SNMP_ERR_GENERR);
441 val->v.integer = pt.seconds;
443 return (SNMP_ERR_NOERROR);
450 pf_logif(struct snmp_context __unused *ctx, struct snmp_value *val,
451 u_int sub, u_int __unused vindex, enum snmp_op op)
453 asn_subid_t which = val->var.subs[sub - 1];
454 unsigned char str[IFNAMSIZ];
456 if (op == SNMP_OP_SET)
457 return (SNMP_ERR_NOT_WRITEABLE);
459 if (op == SNMP_OP_GET) {
460 if (pfs_refresh() == -1)
461 return (SNMP_ERR_GENERR);
464 case LEAF_pfLogInterfaceName:
465 strlcpy(str, pfs.ifname, sizeof str);
466 return (string_get(val, str, strlen(str)));
467 case LEAF_pfLogInterfaceIp4BytesIn:
468 val->v.counter64 = pfs.bcounters[IPV4][IN];
470 case LEAF_pfLogInterfaceIp4BytesOut:
471 val->v.counter64 = pfs.bcounters[IPV4][OUT];
473 case LEAF_pfLogInterfaceIp4PktsInPass:
475 pfs.pcounters[IPV4][IN][PF_PASS];
477 case LEAF_pfLogInterfaceIp4PktsInDrop:
479 pfs.pcounters[IPV4][IN][PF_DROP];
481 case LEAF_pfLogInterfaceIp4PktsOutPass:
483 pfs.pcounters[IPV4][OUT][PF_PASS];
485 case LEAF_pfLogInterfaceIp4PktsOutDrop:
487 pfs.pcounters[IPV4][OUT][PF_DROP];
489 case LEAF_pfLogInterfaceIp6BytesIn:
490 val->v.counter64 = pfs.bcounters[IPV6][IN];
492 case LEAF_pfLogInterfaceIp6BytesOut:
493 val->v.counter64 = pfs.bcounters[IPV6][OUT];
495 case LEAF_pfLogInterfaceIp6PktsInPass:
497 pfs.pcounters[IPV6][IN][PF_PASS];
499 case LEAF_pfLogInterfaceIp6PktsInDrop:
501 pfs.pcounters[IPV6][IN][PF_DROP];
503 case LEAF_pfLogInterfaceIp6PktsOutPass:
505 pfs.pcounters[IPV6][OUT][PF_PASS];
507 case LEAF_pfLogInterfaceIp6PktsOutDrop:
509 pfs.pcounters[IPV6][OUT][PF_DROP];
513 return (SNMP_ERR_NOSUCHNAME);
516 return (SNMP_ERR_NOERROR);
523 pf_interfaces(struct snmp_context __unused *ctx, struct snmp_value *val,
524 u_int sub, u_int __unused vindex, enum snmp_op op)
526 asn_subid_t which = val->var.subs[sub - 1];
528 if (op == SNMP_OP_SET)
529 return (SNMP_ERR_NOT_WRITEABLE);
531 if (op == SNMP_OP_GET) {
532 if ((time(NULL) - pfi_table_age) > PFI_TABLE_MAXAGE)
533 if (pfi_refresh() == -1)
534 return (SNMP_ERR_GENERR);
537 case LEAF_pfInterfacesIfNumber:
538 val->v.uint32 = pfi_table_count;
542 return (SNMP_ERR_NOSUCHNAME);
545 return (SNMP_ERR_NOERROR);
552 pf_iftable(struct snmp_context __unused *ctx, struct snmp_value *val,
553 u_int sub, u_int __unused vindex, enum snmp_op op)
555 asn_subid_t which = val->var.subs[sub - 1];
556 struct pfi_entry *e = NULL;
558 if ((time(NULL) - pfi_table_age) > PFI_TABLE_MAXAGE)
563 return (SNMP_ERR_NOT_WRITEABLE);
564 case SNMP_OP_GETNEXT:
565 if ((e = NEXT_OBJECT_INT(&pfi_table,
566 &val->var, sub)) == NULL)
567 return (SNMP_ERR_NOSUCHNAME);
568 val->var.len = sub + 1;
569 val->var.subs[sub] = e->index;
572 if (val->var.len - sub != 1)
573 return (SNMP_ERR_NOSUCHNAME);
574 if ((e = pfi_table_find(val->var.subs[sub])) == NULL)
575 return (SNMP_ERR_NOSUCHNAME);
579 case SNMP_OP_ROLLBACK:
585 case LEAF_pfInterfacesIfDescr:
586 return (string_get(val, e->pfi.pfik_name, -1));
587 case LEAF_pfInterfacesIfType:
588 val->v.integer = PFI_IFTYPE_INSTANCE;
590 case LEAF_pfInterfacesIfTZero:
592 (time(NULL) - e->pfi.pfik_tzero) * 100;
594 case LEAF_pfInterfacesIfRefsRule:
595 val->v.uint32 = e->pfi.pfik_rulerefs;
597 case LEAF_pfInterfacesIf4BytesInPass:
599 e->pfi.pfik_bytes[IPV4][IN][PASS];
601 case LEAF_pfInterfacesIf4BytesInBlock:
603 e->pfi.pfik_bytes[IPV4][IN][BLOCK];
605 case LEAF_pfInterfacesIf4BytesOutPass:
607 e->pfi.pfik_bytes[IPV4][OUT][PASS];
609 case LEAF_pfInterfacesIf4BytesOutBlock:
611 e->pfi.pfik_bytes[IPV4][OUT][BLOCK];
613 case LEAF_pfInterfacesIf4PktsInPass:
615 e->pfi.pfik_packets[IPV4][IN][PASS];
617 case LEAF_pfInterfacesIf4PktsInBlock:
619 e->pfi.pfik_packets[IPV4][IN][BLOCK];
621 case LEAF_pfInterfacesIf4PktsOutPass:
623 e->pfi.pfik_packets[IPV4][OUT][PASS];
625 case LEAF_pfInterfacesIf4PktsOutBlock:
627 e->pfi.pfik_packets[IPV4][OUT][BLOCK];
629 case LEAF_pfInterfacesIf6BytesInPass:
631 e->pfi.pfik_bytes[IPV6][IN][PASS];
633 case LEAF_pfInterfacesIf6BytesInBlock:
635 e->pfi.pfik_bytes[IPV6][IN][BLOCK];
637 case LEAF_pfInterfacesIf6BytesOutPass:
639 e->pfi.pfik_bytes[IPV6][OUT][PASS];
641 case LEAF_pfInterfacesIf6BytesOutBlock:
643 e->pfi.pfik_bytes[IPV6][OUT][BLOCK];
645 case LEAF_pfInterfacesIf6PktsInPass:
647 e->pfi.pfik_packets[IPV6][IN][PASS];
649 case LEAF_pfInterfacesIf6PktsInBlock:
651 e->pfi.pfik_packets[IPV6][IN][BLOCK];
653 case LEAF_pfInterfacesIf6PktsOutPass:
655 e->pfi.pfik_packets[IPV6][OUT][PASS];
657 case LEAF_pfInterfacesIf6PktsOutBlock:
659 e->pfi.pfik_packets[IPV6][OUT][BLOCK];
663 return (SNMP_ERR_NOSUCHNAME);
666 return (SNMP_ERR_NOERROR);
670 pf_tables(struct snmp_context __unused *ctx, struct snmp_value *val,
671 u_int sub, u_int __unused vindex, enum snmp_op op)
673 asn_subid_t which = val->var.subs[sub - 1];
675 if (op == SNMP_OP_SET)
676 return (SNMP_ERR_NOT_WRITEABLE);
678 if (op == SNMP_OP_GET) {
679 if ((time(NULL) - pft_table_age) > PFT_TABLE_MAXAGE)
680 if (pft_refresh() == -1)
681 return (SNMP_ERR_GENERR);
684 case LEAF_pfTablesTblNumber:
685 val->v.uint32 = pft_table_count;
689 return (SNMP_ERR_NOSUCHNAME);
692 return (SNMP_ERR_NOERROR);
699 pf_tbltable(struct snmp_context __unused *ctx, struct snmp_value *val,
700 u_int sub, u_int __unused vindex, enum snmp_op op)
702 asn_subid_t which = val->var.subs[sub - 1];
703 struct pft_entry *e = NULL;
705 if ((time(NULL) - pft_table_age) > PFT_TABLE_MAXAGE)
710 return (SNMP_ERR_NOT_WRITEABLE);
711 case SNMP_OP_GETNEXT:
712 if ((e = NEXT_OBJECT_INT(&pft_table,
713 &val->var, sub)) == NULL)
714 return (SNMP_ERR_NOSUCHNAME);
715 val->var.len = sub + 1;
716 val->var.subs[sub] = e->index;
719 if (val->var.len - sub != 1)
720 return (SNMP_ERR_NOSUCHNAME);
721 if ((e = pft_table_find(val->var.subs[sub])) == NULL)
722 return (SNMP_ERR_NOSUCHNAME);
726 case SNMP_OP_ROLLBACK:
732 case LEAF_pfTablesTblDescr:
733 return (string_get(val, e->pft.pfrts_name, -1));
734 case LEAF_pfTablesTblCount:
735 val->v.integer = e->pft.pfrts_cnt;
737 case LEAF_pfTablesTblTZero:
739 (time(NULL) - e->pft.pfrts_tzero) * 100;
741 case LEAF_pfTablesTblRefsAnchor:
743 e->pft.pfrts_refcnt[PFR_REFCNT_ANCHOR];
745 case LEAF_pfTablesTblRefsRule:
747 e->pft.pfrts_refcnt[PFR_REFCNT_RULE];
749 case LEAF_pfTablesTblEvalMatch:
750 val->v.counter64 = e->pft.pfrts_match;
752 case LEAF_pfTablesTblEvalNoMatch:
753 val->v.counter64 = e->pft.pfrts_nomatch;
755 case LEAF_pfTablesTblBytesInPass:
757 e->pft.pfrts_bytes[PFR_DIR_IN][PFR_OP_PASS];
759 case LEAF_pfTablesTblBytesInBlock:
761 e->pft.pfrts_bytes[PFR_DIR_IN][PFR_OP_BLOCK];
763 case LEAF_pfTablesTblBytesInXPass:
765 e->pft.pfrts_bytes[PFR_DIR_IN][PFR_OP_XPASS];
767 case LEAF_pfTablesTblBytesOutPass:
769 e->pft.pfrts_bytes[PFR_DIR_OUT][PFR_OP_PASS];
771 case LEAF_pfTablesTblBytesOutBlock:
773 e->pft.pfrts_bytes[PFR_DIR_OUT][PFR_OP_BLOCK];
775 case LEAF_pfTablesTblBytesOutXPass:
777 e->pft.pfrts_bytes[PFR_DIR_OUT][PFR_OP_XPASS];
779 case LEAF_pfTablesTblPktsInPass:
781 e->pft.pfrts_packets[PFR_DIR_IN][PFR_OP_PASS];
783 case LEAF_pfTablesTblPktsInBlock:
785 e->pft.pfrts_packets[PFR_DIR_IN][PFR_OP_BLOCK];
787 case LEAF_pfTablesTblPktsInXPass:
789 e->pft.pfrts_packets[PFR_DIR_IN][PFR_OP_XPASS];
791 case LEAF_pfTablesTblPktsOutPass:
793 e->pft.pfrts_packets[PFR_DIR_OUT][PFR_OP_PASS];
795 case LEAF_pfTablesTblPktsOutBlock:
797 e->pft.pfrts_packets[PFR_DIR_OUT][PFR_OP_BLOCK];
799 case LEAF_pfTablesTblPktsOutXPass:
801 e->pft.pfrts_packets[PFR_DIR_OUT][PFR_OP_XPASS];
805 return (SNMP_ERR_NOSUCHNAME);
808 return (SNMP_ERR_NOERROR);
812 pf_tbladdr(struct snmp_context __unused *ctx, struct snmp_value __unused *val,
813 u_int __unused sub, u_int __unused vindex, enum snmp_op __unused op)
815 asn_subid_t which = val->var.subs[sub - 1];
816 struct pfa_entry *e = NULL;
818 if ((time(NULL) - pfa_table_age) > PFA_TABLE_MAXAGE)
823 return (SNMP_ERR_NOT_WRITEABLE);
824 case SNMP_OP_GETNEXT:
825 if ((e = NEXT_OBJECT_INT(&pfa_table,
826 &val->var, sub)) == NULL)
827 return (SNMP_ERR_NOSUCHNAME);
828 val->var.len = sub + 1;
829 val->var.subs[sub] = e->index;
832 if (val->var.len - sub != 1)
833 return (SNMP_ERR_NOSUCHNAME);
834 if ((e = pfa_table_find(val->var.subs[sub])) == NULL)
835 return (SNMP_ERR_NOSUCHNAME);
839 case SNMP_OP_ROLLBACK:
845 case LEAF_pfTablesAddrNetType:
846 if (e->pfas.pfras_a.pfra_af == AF_INET)
847 val->v.integer = pfTablesAddrNetType_ipv4;
848 else if (e->pfas.pfras_a.pfra_af == AF_INET6)
849 val->v.integer = pfTablesAddrNetType_ipv6;
851 return (SNMP_ERR_GENERR);
853 case LEAF_pfTablesAddrNet:
854 if (e->pfas.pfras_a.pfra_af == AF_INET) {
855 return (string_get(val,
856 (u_char *)&e->pfas.pfras_a.pfra_ip4addr, 4));
857 } else if (e->pfas.pfras_a.pfra_af == AF_INET6)
858 return (string_get(val,
859 (u_char *)&e->pfas.pfras_a.pfra_ip6addr, 16));
861 return (SNMP_ERR_GENERR);
863 case LEAF_pfTablesAddrPrefix:
864 val->v.integer = (int32_t) e->pfas.pfras_a.pfra_net;
866 case LEAF_pfTablesAddrTZero:
868 (time(NULL) - e->pfas.pfras_tzero) * 100;
870 case LEAF_pfTablesAddrBytesInPass:
872 e->pfas.pfras_bytes[PFR_DIR_IN][PFR_OP_PASS];
874 case LEAF_pfTablesAddrBytesInBlock:
876 e->pfas.pfras_bytes[PFR_DIR_IN][PFR_OP_BLOCK];
878 case LEAF_pfTablesAddrBytesOutPass:
880 e->pfas.pfras_bytes[PFR_DIR_OUT][PFR_OP_PASS];
882 case LEAF_pfTablesAddrBytesOutBlock:
884 e->pfas.pfras_bytes[PFR_DIR_OUT][PFR_OP_BLOCK];
886 case LEAF_pfTablesAddrPktsInPass:
888 e->pfas.pfras_packets[PFR_DIR_IN][PFR_OP_PASS];
890 case LEAF_pfTablesAddrPktsInBlock:
892 e->pfas.pfras_packets[PFR_DIR_IN][PFR_OP_BLOCK];
894 case LEAF_pfTablesAddrPktsOutPass:
896 e->pfas.pfras_packets[PFR_DIR_OUT][PFR_OP_PASS];
898 case LEAF_pfTablesAddrPktsOutBlock:
900 e->pfas.pfras_packets[PFR_DIR_OUT][PFR_OP_BLOCK];
903 return (SNMP_ERR_NOSUCHNAME);
906 return (SNMP_ERR_NOERROR);
910 pf_altq_num(struct snmp_context __unused *ctx, struct snmp_value *val,
911 u_int sub, u_int __unused vindex, enum snmp_op op)
913 asn_subid_t which = val->var.subs[sub - 1];
916 return (SNMP_ERR_NOSUCHNAME);
918 if (op == SNMP_OP_SET)
919 return (SNMP_ERR_NOT_WRITEABLE);
921 if (op == SNMP_OP_GET) {
922 if ((time(NULL) - pfq_table_age) > PFQ_TABLE_MAXAGE)
923 if (pfq_refresh() == -1)
924 return (SNMP_ERR_GENERR);
927 case LEAF_pfAltqQueueNumber:
928 val->v.uint32 = pfq_table_count;
932 return (SNMP_ERR_NOSUCHNAME);
935 return (SNMP_ERR_NOERROR);
939 return (SNMP_ERR_GENERR);
943 pf_altqq(struct snmp_context __unused *ctx, struct snmp_value *val,
944 u_int sub, u_int __unused vindex, enum snmp_op op)
946 asn_subid_t which = val->var.subs[sub - 1];
947 struct pfq_entry *e = NULL;
950 return (SNMP_ERR_NOSUCHNAME);
952 if ((time(NULL) - pfq_table_age) > PFQ_TABLE_MAXAGE)
957 return (SNMP_ERR_NOT_WRITEABLE);
958 case SNMP_OP_GETNEXT:
959 if ((e = NEXT_OBJECT_INT(&pfq_table,
960 &val->var, sub)) == NULL)
961 return (SNMP_ERR_NOSUCHNAME);
962 val->var.len = sub + 1;
963 val->var.subs[sub] = e->index;
966 if (val->var.len - sub != 1)
967 return (SNMP_ERR_NOSUCHNAME);
968 if ((e = pfq_table_find(val->var.subs[sub])) == NULL)
969 return (SNMP_ERR_NOSUCHNAME);
973 case SNMP_OP_ROLLBACK:
979 case LEAF_pfAltqQueueDescr:
980 return (string_get(val, e->altq.qname, -1));
981 case LEAF_pfAltqQueueParent:
982 return (string_get(val, e->altq.parent, -1));
983 case LEAF_pfAltqQueueScheduler:
984 val->v.integer = e->altq.scheduler;
986 case LEAF_pfAltqQueueBandwidth:
987 val->v.uint32 = (e->altq.bandwidth > UINT_MAX) ?
988 UINT_MAX : (u_int32_t)e->altq.bandwidth;
990 case LEAF_pfAltqQueuePriority:
991 val->v.integer = e->altq.priority;
993 case LEAF_pfAltqQueueLimit:
994 val->v.integer = e->altq.qlimit;
998 return (SNMP_ERR_NOSUCHNAME);
1001 return (SNMP_ERR_NOERROR);
1005 pf_labels(struct snmp_context __unused *ctx, struct snmp_value *val,
1006 u_int sub, u_int __unused vindex, enum snmp_op op)
1008 asn_subid_t which = val->var.subs[sub - 1];
1010 if (op == SNMP_OP_SET)
1011 return (SNMP_ERR_NOT_WRITEABLE);
1013 if (op == SNMP_OP_GET) {
1014 if ((time(NULL) - pfl_table_age) > PFL_TABLE_MAXAGE)
1015 if (pfl_refresh() == -1)
1016 return (SNMP_ERR_GENERR);
1019 case LEAF_pfLabelsLblNumber:
1020 val->v.uint32 = pfl_table_count;
1024 return (SNMP_ERR_NOSUCHNAME);
1027 return (SNMP_ERR_NOERROR);
1031 return (SNMP_ERR_GENERR);
1035 pf_lbltable(struct snmp_context __unused *ctx, struct snmp_value *val,
1036 u_int sub, u_int __unused vindex, enum snmp_op op)
1038 asn_subid_t which = val->var.subs[sub - 1];
1039 struct pfl_entry *e = NULL;
1041 if ((time(NULL) - pfl_table_age) > PFL_TABLE_MAXAGE)
1046 return (SNMP_ERR_NOT_WRITEABLE);
1047 case SNMP_OP_GETNEXT:
1048 if ((e = NEXT_OBJECT_INT(&pfl_table,
1049 &val->var, sub)) == NULL)
1050 return (SNMP_ERR_NOSUCHNAME);
1051 val->var.len = sub + 1;
1052 val->var.subs[sub] = e->index;
1055 if (val->var.len - sub != 1)
1056 return (SNMP_ERR_NOSUCHNAME);
1057 if ((e = pfl_table_find(val->var.subs[sub])) == NULL)
1058 return (SNMP_ERR_NOSUCHNAME);
1061 case SNMP_OP_COMMIT:
1062 case SNMP_OP_ROLLBACK:
1068 case LEAF_pfLabelsLblName:
1069 return (string_get(val, e->name, -1));
1070 case LEAF_pfLabelsLblEvals:
1071 val->v.counter64 = e->evals;
1073 case LEAF_pfLabelsLblBytesIn:
1074 val->v.counter64 = e->bytes[IN];
1076 case LEAF_pfLabelsLblBytesOut:
1077 val->v.counter64 = e->bytes[OUT];
1079 case LEAF_pfLabelsLblPktsIn:
1080 val->v.counter64 = e->pkts[IN];
1082 case LEAF_pfLabelsLblPktsOut:
1083 val->v.counter64 = e->pkts[OUT];
1086 return (SNMP_ERR_NOSUCHNAME);
1089 return (SNMP_ERR_NOERROR);
1092 static struct pfi_entry *
1093 pfi_table_find(u_int idx)
1095 struct pfi_entry *e;
1097 TAILQ_FOREACH(e, &pfi_table, link)
1098 if (e->index == idx)
1103 static struct pfq_entry *
1104 pfq_table_find(u_int idx)
1106 struct pfq_entry *e;
1108 TAILQ_FOREACH(e, &pfq_table, link)
1109 if (e->index == idx)
1114 static struct pft_entry *
1115 pft_table_find(u_int idx)
1117 struct pft_entry *e;
1119 TAILQ_FOREACH(e, &pft_table, link)
1120 if (e->index == idx)
1125 static struct pfa_entry *
1126 pfa_table_find(u_int idx)
1128 struct pfa_entry *e;
1130 TAILQ_FOREACH(e, &pfa_table, link)
1131 if (e->index == idx)
1136 static struct pfl_entry *
1137 pfl_table_find(u_int idx)
1139 struct pfl_entry *e;
1141 TAILQ_FOREACH(e, &pfl_table, link)
1142 if (e->index == idx)
1151 struct pfioc_iface io;
1152 struct pfi_kif *p = NULL;
1153 struct pfi_entry *e;
1156 if (started && this_tick <= pf_tick)
1159 while (!TAILQ_EMPTY(&pfi_table)) {
1160 e = TAILQ_FIRST(&pfi_table);
1161 TAILQ_REMOVE(&pfi_table, e, link);
1165 bzero(&io, sizeof(io));
1166 io.pfiio_esize = sizeof(struct pfi_kif);
1169 p = reallocf(p, numifs * sizeof(struct pfi_kif));
1171 syslog(LOG_ERR, "pfi_refresh(): reallocf() numifs=%d: %s",
1172 numifs, strerror(errno));
1175 io.pfiio_size = numifs;
1176 io.pfiio_buffer = p;
1178 if (ioctl(dev, DIOCIGETIFACES, &io)) {
1179 syslog(LOG_ERR, "pfi_refresh(): ioctl(): %s",
1184 if (numifs >= io.pfiio_size)
1187 numifs = io.pfiio_size;
1190 for (i = 0; i < numifs; i++) {
1191 e = malloc(sizeof(struct pfi_entry));
1195 memcpy(&e->pfi, p+i, sizeof(struct pfi_kif));
1196 TAILQ_INSERT_TAIL(&pfi_table, e, link);
1199 pfi_table_age = time(NULL);
1200 pfi_table_count = numifs;
1201 pf_tick = this_tick;
1207 while (!TAILQ_EMPTY(&pfi_table)) {
1208 e = TAILQ_FIRST(&pfi_table);
1209 TAILQ_REMOVE(&pfi_table, e, link);
1220 struct pfioc_altq pa;
1221 struct pfq_entry *e;
1222 int i, numqs, ticket;
1224 if (started && this_tick <= pf_tick)
1227 while (!TAILQ_EMPTY(&pfq_table)) {
1228 e = TAILQ_FIRST(&pfq_table);
1229 TAILQ_REMOVE(&pfq_table, e, link);
1233 bzero(&pa, sizeof(pa));
1234 pa.version = PFIOC_ALTQ_VERSION;
1235 if (ioctl(dev, DIOCGETALTQS, &pa)) {
1236 syslog(LOG_ERR, "pfq_refresh: ioctl(DIOCGETALTQS): %s",
1244 for (i = 0; i < numqs; i++) {
1245 e = malloc(sizeof(struct pfq_entry));
1247 syslog(LOG_ERR, "pfq_refresh(): "
1255 if (ioctl(dev, DIOCGETALTQ, &pa)) {
1256 syslog(LOG_ERR, "pfq_refresh(): "
1257 "ioctl(DIOCGETALTQ): %s",
1262 if (pa.altq.qid > 0) {
1263 memcpy(&e->altq, &pa.altq, sizeof(struct pf_altq));
1264 e->index = pa.altq.qid;
1265 pfq_table_count = i;
1266 INSERT_OBJECT_INT_LINK_INDEX(e, &pfq_table, link, index);
1270 pfq_table_age = time(NULL);
1271 pf_tick = this_tick;
1276 while (!TAILQ_EMPTY(&pfq_table)) {
1277 e = TAILQ_FIRST(&pfq_table);
1278 TAILQ_REMOVE(&pfq_table, e, link);
1287 if (started && this_tick <= pf_tick)
1290 bzero(&pfs, sizeof(struct pf_status));
1292 if (ioctl(dev, DIOCGETSTATUS, &pfs)) {
1293 syslog(LOG_ERR, "pfs_refresh(): ioctl(): %s",
1298 pf_tick = this_tick;
1305 struct pfioc_table io;
1306 struct pfr_tstats *t = NULL;
1307 struct pft_entry *e;
1310 if (started && this_tick <= pf_tick)
1313 while (!TAILQ_EMPTY(&pft_table)) {
1314 e = TAILQ_FIRST(&pft_table);
1315 TAILQ_REMOVE(&pft_table, e, link);
1319 bzero(&io, sizeof(io));
1320 io.pfrio_esize = sizeof(struct pfr_tstats);
1323 t = reallocf(t, numtbls * sizeof(struct pfr_tstats));
1325 syslog(LOG_ERR, "pft_refresh(): reallocf() numtbls=%d: %s",
1326 numtbls, strerror(errno));
1329 io.pfrio_size = numtbls;
1330 io.pfrio_buffer = t;
1332 if (ioctl(dev, DIOCRGETTSTATS, &io)) {
1333 syslog(LOG_ERR, "pft_refresh(): ioctl(): %s",
1338 if (numtbls >= io.pfrio_size)
1341 numtbls = io.pfrio_size;
1344 for (i = 0; i < numtbls; i++) {
1345 e = malloc(sizeof(struct pft_entry));
1349 memcpy(&e->pft, t+i, sizeof(struct pfr_tstats));
1350 TAILQ_INSERT_TAIL(&pft_table, e, link);
1353 pft_table_age = time(NULL);
1354 pft_table_count = numtbls;
1355 pf_tick = this_tick;
1360 while (!TAILQ_EMPTY(&pft_table)) {
1361 e = TAILQ_FIRST(&pft_table);
1362 TAILQ_REMOVE(&pft_table, e, link);
1371 pfa_table_addrs(u_int sidx, struct pfr_table *pt)
1373 struct pfioc_table io;
1374 struct pfr_astats *t = NULL;
1375 struct pfa_entry *e;
1376 int i, numaddrs = 1;
1381 memset(&io, 0, sizeof(io));
1382 strlcpy(io.pfrio_table.pfrt_name, pt->pfrt_name,
1383 sizeof(io.pfrio_table.pfrt_name));
1386 t = reallocf(t, numaddrs * sizeof(struct pfr_astats));
1388 syslog(LOG_ERR, "pfa_table_addrs(): reallocf(): %s",
1394 memset(t, 0, sizeof(*t));
1395 io.pfrio_size = numaddrs;
1396 io.pfrio_buffer = t;
1397 io.pfrio_esize = sizeof(struct pfr_astats);
1399 if (ioctl(dev, DIOCRGETASTATS, &io)) {
1400 syslog(LOG_ERR, "pfa_table_addrs(): ioctl() on %s: %s",
1401 pt->pfrt_name, strerror(errno));
1406 if (numaddrs >= io.pfrio_size)
1409 numaddrs = io.pfrio_size;
1412 for (i = 0; i < numaddrs; i++) {
1413 if ((t + i)->pfras_a.pfra_af != AF_INET &&
1414 (t + i)->pfras_a.pfra_af != AF_INET6) {
1419 e = (struct pfa_entry *)malloc(sizeof(struct pfa_entry));
1421 syslog(LOG_ERR, "pfa_table_addrs(): malloc(): %s",
1426 e->index = sidx + i;
1427 memcpy(&e->pfas, t + i, sizeof(struct pfr_astats));
1428 TAILQ_INSERT_TAIL(&pfa_table, e, link);
1439 struct pfioc_table io;
1440 struct pfr_table *pt = NULL, *it = NULL;
1441 struct pfa_entry *e;
1442 int i, numtbls = 1, cidx, naddrs;
1444 if (started && this_tick <= pf_tick)
1447 while (!TAILQ_EMPTY(&pfa_table)) {
1448 e = TAILQ_FIRST(&pfa_table);
1449 TAILQ_REMOVE(&pfa_table, e, link);
1453 memset(&io, 0, sizeof(io));
1454 io.pfrio_esize = sizeof(struct pfr_table);
1457 pt = reallocf(pt, numtbls * sizeof(struct pfr_table));
1459 syslog(LOG_ERR, "pfa_refresh(): reallocf() %s",
1463 memset(pt, 0, sizeof(*pt));
1464 io.pfrio_size = numtbls;
1465 io.pfrio_buffer = pt;
1467 if (ioctl(dev, DIOCRGETTABLES, &io)) {
1468 syslog(LOG_ERR, "pfa_refresh(): ioctl(): %s",
1473 if (numtbls >= io.pfrio_size)
1476 numtbls = io.pfrio_size;
1481 for (it = pt, i = 0; i < numtbls; it++, i++) {
1483 * Skip the table if not active - ioctl(DIOCRGETASTATS) will
1484 * return ESRCH for this entry anyway.
1486 if (!(it->pfrt_flags & PFR_TFLAG_ACTIVE))
1489 if ((naddrs = pfa_table_addrs(cidx, it)) < 0)
1495 pfa_table_age = time(NULL);
1496 pfa_table_count = cidx;
1497 pf_tick = this_tick;
1502 while (!TAILQ_EMPTY(&pfa_table)) {
1503 e = TAILQ_FIRST(&pfa_table);
1504 TAILQ_REMOVE(&pfa_table, e, link);
1514 pfl_scan_ruleset(const char *path)
1516 struct pfioc_rule pr;
1517 struct pfl_entry *e;
1520 bzero(&pr, sizeof(pr));
1521 strlcpy(pr.anchor, path, sizeof(pr.anchor));
1522 pr.rule.action = PF_PASS;
1523 if (ioctl(dev, DIOCGETRULES, &pr)) {
1524 syslog(LOG_ERR, "pfl_scan_ruleset: ioctl(DIOCGETRULES): %s",
1529 for (nr = pr.nr, i = 0; i < nr; i++) {
1531 if (ioctl(dev, DIOCGETRULE, &pr)) {
1532 syslog(LOG_ERR, "pfl_scan_ruleset: ioctl(DIOCGETRULE):"
1533 " %s", strerror(errno));
1537 if (pr.rule.label[0]) {
1538 e = (struct pfl_entry *)malloc(sizeof(*e));
1542 strlcpy(e->name, path, sizeof(e->name));
1544 strlcat(e->name, "/", sizeof(e->name));
1545 strlcat(e->name, pr.rule.label, sizeof(e->name));
1547 e->evals = pr.rule.evaluations;
1548 e->bytes[IN] = pr.rule.bytes[IN];
1549 e->bytes[OUT] = pr.rule.bytes[OUT];
1550 e->pkts[IN] = pr.rule.packets[IN];
1551 e->pkts[OUT] = pr.rule.packets[OUT];
1552 e->index = ++pfl_table_count;
1554 TAILQ_INSERT_TAIL(&pfl_table, e, link);
1565 pfl_walk_rulesets(const char *path)
1567 struct pfioc_ruleset prs;
1568 char newpath[MAXPATHLEN];
1571 if (pfl_scan_ruleset(path))
1574 bzero(&prs, sizeof(prs));
1575 strlcpy(prs.path, path, sizeof(prs.path));
1576 if (ioctl(dev, DIOCGETRULESETS, &prs)) {
1577 syslog(LOG_ERR, "pfl_walk_rulesets: ioctl(DIOCGETRULESETS): %s",
1582 for (nr = prs.nr, i = 0; i < nr; i++) {
1584 if (ioctl(dev, DIOCGETRULESET, &prs)) {
1585 syslog(LOG_ERR, "pfl_walk_rulesets: ioctl(DIOCGETRULESET):"
1586 " %s", strerror(errno));
1590 if (strcmp(prs.name, PF_RESERVED_ANCHOR) == 0)
1593 strlcpy(newpath, path, sizeof(newpath));
1595 strlcat(newpath, "/", sizeof(newpath));
1597 strlcat(newpath, prs.name, sizeof(newpath));
1598 if (pfl_walk_rulesets(newpath))
1611 struct pfl_entry *e;
1613 if (started && this_tick <= pf_tick)
1616 while (!TAILQ_EMPTY(&pfl_table)) {
1617 e = TAILQ_FIRST(&pfl_table);
1618 TAILQ_REMOVE(&pfl_table, e, link);
1621 pfl_table_count = 0;
1623 if (pfl_walk_rulesets(""))
1626 pfl_table_age = time(NULL);
1627 pf_tick = this_tick;
1632 while (!TAILQ_EMPTY(&pfl_table)) {
1633 e = TAILQ_FIRST(&pfl_table);
1634 TAILQ_REMOVE(&pfl_table, e, link);
1637 pfl_table_count = 0;
1643 * check whether altq support is enabled in kernel
1647 altq_is_enabled(int pfdev)
1649 struct pfioc_altq pa;
1652 pa.version = PFIOC_ALTQ_VERSION;
1653 if (ioctl(pfdev, DIOCGETALTQS, &pa)) {
1654 if (errno == ENODEV) {
1655 syslog(LOG_INFO, "No ALTQ support in kernel\n"
1656 "ALTQ related functions disabled\n");
1659 syslog(LOG_ERR, "DIOCGETALTQS returned an error: %s",
1668 * Implement the bsnmpd module interface
1671 pf_init(struct lmodule *mod, int __unused argc, char __unused *argv[])
1675 if ((dev = open("/dev/pf", O_RDONLY)) == -1) {
1676 syslog(LOG_ERR, "pf_init(): open(): %s\n",
1681 if ((altq_enabled = altq_is_enabled(dev)) == -1) {
1682 syslog(LOG_ERR, "pf_init(): altq test failed");
1686 /* Prepare internal state */
1687 TAILQ_INIT(&pfi_table);
1688 TAILQ_INIT(&pfq_table);
1689 TAILQ_INIT(&pft_table);
1690 TAILQ_INIT(&pfa_table);
1691 TAILQ_INIT(&pfl_table);
1711 struct pfi_entry *i1, *i2;
1712 struct pfq_entry *q1, *q2;
1713 struct pft_entry *t1, *t2;
1714 struct pfa_entry *a1, *a2;
1715 struct pfl_entry *l1, *l2;
1717 /* Empty the list of interfaces */
1718 i1 = TAILQ_FIRST(&pfi_table);
1719 while (i1 != NULL) {
1720 i2 = TAILQ_NEXT(i1, link);
1725 /* List of queues */
1726 q1 = TAILQ_FIRST(&pfq_table);
1727 while (q1 != NULL) {
1728 q2 = TAILQ_NEXT(q1, link);
1733 /* List of tables */
1734 t1 = TAILQ_FIRST(&pft_table);
1735 while (t1 != NULL) {
1736 t2 = TAILQ_NEXT(t1, link);
1741 /* List of table addresses */
1742 a1 = TAILQ_FIRST(&pfa_table);
1743 while (a1 != NULL) {
1744 a2 = TAILQ_NEXT(a1, link);
1749 /* And the list of labeled filter rules */
1750 l1 = TAILQ_FIRST(&pfl_table);
1751 while (l1 != NULL) {
1752 l2 = TAILQ_NEXT(l1, link);
1772 syslog(LOG_ERR, "Dump: pfi_table_age = %jd",
1773 (intmax_t)pfi_table_age);
1774 syslog(LOG_ERR, "Dump: pfi_table_count = %d",
1777 syslog(LOG_ERR, "Dump: pfq_table_age = %jd",
1778 (intmax_t)pfq_table_age);
1779 syslog(LOG_ERR, "Dump: pfq_table_count = %d",
1782 syslog(LOG_ERR, "Dump: pft_table_age = %jd",
1783 (intmax_t)pft_table_age);
1784 syslog(LOG_ERR, "Dump: pft_table_count = %d",
1787 syslog(LOG_ERR, "Dump: pfa_table_age = %jd",
1788 (intmax_t)pfa_table_age);
1789 syslog(LOG_ERR, "Dump: pfa_table_count = %d",
1792 syslog(LOG_ERR, "Dump: pfl_table_age = %jd",
1793 (intmax_t)pfl_table_age);
1794 syslog(LOG_ERR, "Dump: pfl_table_count = %d",
1798 const struct snmp_module config = {
1799 .comment = "This module implements a MIB for the pf packet filter.",
1804 .tree_size = pf_CTREE_SIZE,