pf

package module
v0.0.0-...-719aae7 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 18, 2019 License: BSD-2-Clause Imports: 11 Imported by: 0

README

PF (Packet Filter)

GoDoc FreeBSD 10.3 FreeBSD 11 FreeBSD HEAD

The FreeBSD operating system has multiple packet filter build-in. One of the packet filters was ported from OpenBSD and is called pf (packetfilter).

Packet filtering restricts the types of packets that pass through network interfaces entering or leaving the host based on filter rules as described in. The packet filter can also replace addresses and ports of packets. Replacing source addresses and ports of outgoing packets is called NAT (Network Address Translation) and is used to connect an internal network (usually reserved address space) to an external one (the Internet) by making all connections to external hosts appear to come from the gateway. Replacing destination addresses and ports of incoming packets is used to redirect connections to different hosts and/or ports. A combination of both translations, bidirectional NAT, is also supported.

This go module enables easy access to the packet filter inside the kernel. The FreeBSD kernel module responsible for implementing pf is called pf.ko.

Since the kernel interface is different between the operating systems this version currently only works with FreeBSD.

The packet filter creates the pseudo-device node /dev/pf, it allows userland processes to control the behavior of the packet filter through an ioctl(2) interface. There are commands to enable and disable the filter, load rulesets, add and remove individual rules or state table entries, and retrieve statistics. The most commonly used functions are covered by this library.

Manipulations like loading a ruleset that involve more than a single ioctl(2) call require a so-called ticket, which prevents the occurrence of multiple concurrent manipulations. Tickets are modeled as transaction objects inside the library.

Working with pf directly on a remote connection can cause you to loose the connection in case of a programming error. Make sure you have a second way to access the system e.g. a serial console.

Testing

You need to be root to execute the tests.

make test

Documentation

Overview

Package pf (Packet Filter)

The FreeBSD operating system has multiple packet filter build-in. One of the packet filters was ported from OpenBSD and is called pf (packetfilter).

Packet filtering restricts the types of packets that pass through network interfaces entering or leaving the host based on filter rules as described in. The packet filter can also replace addresses and ports of packets. Replacing source addresses and ports of outgoing packets is called NAT (Network Address Translation) and is used to connect an internal network (usually reserved address space) to an external one (the Internet) by making all connections to external hosts appear to come from the gateway. Replacing destination addresses and ports of incoming packets is used to redirect connections to different hosts and/or ports. A combination of both translations, bidirectional NAT, is also supported.

This go module enables easy access to the packet filter inside the kernel. The FreeBSD kernel module responsible for implementing pf is called pf.ko.

Since the kernel interface is different between the operating systems this version currently only works with FreeBSD.

The packet filter creates the pseudo-device node /dev/pf, it allows userland processes to control the behavior of the packet filter through an ioctl(2) interface. There are commands to enable and disable the filter, load rulesets, add and remove individual rules or state table entries, and retrieve statistics. The most commonly used functions are covered by this library.

Manipulations like loading a ruleset that involve more than a single ioctl(2) call require a so-called ticket, which prevents the occurrence of multiple concurrent manipulations. Tickets are modeled as transaction objects inside the library.

Working with pf directly on a remote connection can cause you to loose the connection in case of a programming error. Make sure you have a second way to access the system e.g. a serial console.

Index

Constants

This section is empty.

Variables

View Source 
var AllDynamicFlags = []DynamicFlag{
	DynamicFlagNetwork,
	DynamicFlagBroadcast,
	DynamicFlagPeer,
	DynamicFlagNoAlias,
}

AllDynamicFlags contains all danymic flags in usual order

Functions

This section is empty.

Types

type Action 

type Action uint8

Action that should be performed by pf 

const (
	// ActionPass Filter rule action to pass the traffic
	ActionPass Action = C.PF_PASS
	// ActionDrop Filter rule action to drop the traffic
	ActionDrop Action = C.PF_DROP

	// ActionScrub Scrub rule action to do scrubbing
	ActionScrub Action = C.PF_SCRUB
	// ActionNoScrub Srub rule action to not do scrubbing
	ActionNoScrub Action = C.PF_NOSCRUB

	// ActionNAT NAT rule action to to NAT
	ActionNAT Action = C.PF_NAT
	// ActionNoNAT NAT rule action to not do NAT
	ActionNoNAT Action = C.PF_NONAT

	// ActionBINAT NAT rule action to to BINAT
	ActionBINAT Action = C.PF_BINAT
	// ActionNoBINAT NAT rule action to not do BINAT
	ActionNoBINAT Action = C.PF_NOBINAT

	// ActionRDR RDR rule action to to RDR
	ActionRDR Action = C.PF_RDR
	// ActionNoRDR RDR rule action to not do RDR
	ActionNoRDR Action = C.PF_NORDR

	// ActionSynProxyDrop TODO
	ActionSynProxyDrop Action = C.PF_SYNPROXY_DROP

	// ActionDefer TODO is this divert?
	ActionDefer Action = C.PF_DEFER
)

func (Action) String 

func (a Action) String() string

type Address 

type Address struct {
	// contains filtered or unexported fields
}

Address wraps the pf address (cgo)

func (Address) Any 

func (a Address) Any() bool

Any returns true if address represents any address

func (Address) Dynamic 

func (a Address) Dynamic() bool

Dynamic returns true if the address is dynamic based of the interface

func (Address) DynamicCount 

func (a Address) DynamicCount() int

DynamicCount returns the dynamic count

func (Address) DynamicFlag 

func (a Address) DynamicFlag(flag DynamicFlag) bool

DynamicFlag returns true if the flag is set for the address

func (Address) IPNet 

func (a Address) IPNet() *net.IPNet

IPNet returns the IPNetwork (IPv4/IPv6) of the address with mask

func (Address) IPRange 

func (a Address) IPRange() (net.IP, net.IP)

IPRange returns the start and end ip address of the range

func (Address) Interface 

func (a Address) Interface() string

Interface the name of the interface (e..g. used for dynamic address), returns an empty string if no interface is set

func (Address) Mask 

func (a Address) Mask() bool

Mask returns true if address is an ip address with mask

func (Address) NoRoute 

func (a Address) NoRoute() bool

NoRoute any address which is not currently routable

func (*Address) ParseCIDR 

func (a *Address) ParseCIDR(address string) error

ParseCIDR parses the passed address in CIDR notation and sets the extracted addess, mask and af. Id mask is missing IP address is assumed and mask is set to 32 IPv4 or 128 IPv6. May return a parse error if the address is invalid CIDR or IP address

func (Address) Range 

func (a Address) Range() bool

Range returns true if is an address range with start and end ip addr

func (*Address) SetAny 

func (a *Address) SetAny()

SetAny will turn the address into an any IP address

func (*Address) SetDynamicFlag 

func (a *Address) SetDynamicFlag(flag DynamicFlag)

SetDynamicFlag sets the dynamic interface flag

func (*Address) SetIPNet 

func (a *Address) SetIPNet(ipn *net.IPNet)

SetIPNet updates the ip address and mask and changes the type to AddressMask

func (*Address) SetIPRange 

func (a *Address) SetIPRange(start, end net.IP)

SetIPRange sets start and end address and turns object into ip range

func (*Address) SetInterface 

func (a *Address) SetInterface(itf string) error

SetInterface turns address into dynamic interface reference, type of interface reference can be changed with flags

func (*Address) SetNoRoute 

func (a *Address) SetNoRoute()

SetNoRoute turns address into no routeable address

func (*Address) SetTableName 

func (a *Address) SetTableName(name string) error

SetTableName turns address into table reference, using given name

func (*Address) SetURPFFailed 

func (a *Address) SetURPFFailed()

SetURPFFailed see URPFFailed for details

func (Address) String 

func (a Address) String() string

func (Address) Table 

func (a Address) Table() bool

Table returns true if the address references a table

func (Address) TableCount 

func (a Address) TableCount() int

TableCount returns the table count

func (Address) TableName 

func (a Address) TableName() string

TableName returns the name of the table or an empty string if not set

func (Address) URPFFailed 

func (a Address) URPFFailed() bool

URPFFailed any source address that fails a unicast reverse path forwarding (URPF) check, i.e. packets coming in on an interface other than that which holds the route back to the packet's source address

type AddressFamily 

type AddressFamily uint8

AddressFamily that should be filtered by pf (inet / inet6) 

const (
	// AddressFamilyAny Any matches any address family
	AddressFamilyAny AddressFamily = 0
	// AddressFamilyInet IPv4
	AddressFamilyInet AddressFamily = C.AF_INET
	// AddressFamilyInet6 IPv6
	AddressFamilyInet6 AddressFamily = C.AF_INET6
)

func (AddressFamily) String 

func (af AddressFamily) String() string

type Anchor 

type Anchor struct {
	Path string
	// contains filtered or unexported fields
}

Anchor allows to read and manipulate rulesets without requiring a transaction

func (Anchor) Close 

func (dev Anchor) Close() error

Close pf ioctl dev

func (Anchor) Rules 

func (a Anchor) Rules() ([]Rule, error)

Rules returns all rules using one ticket

type DebugMode 

type DebugMode int

DebugMode of the packet filter 

const (
	// DebugModeNone debugging is disabled
	DebugModeNone DebugMode = C.PF_DEBUG_NONE
	// DebugModeUrgent only urgent info
	DebugModeUrgent DebugMode = C.PF_DEBUG_URGENT
	// DebugModeMisc some more info
	DebugModeMisc DebugMode = C.PF_DEBUG_MISC
	// DebugModeNoisy lots of debug messages
	DebugModeNoisy DebugMode = C.PF_DEBUG_NOISY
)

func (DebugMode) String 

func (d DebugMode) String() string

type Direction 

type Direction uint8

Direction in which the traffic flows 

const (
	// DirectionIn In incoming (ingress) traffic
	DirectionIn Direction = C.PF_IN
	// DirectionOut Out outgoing (egress) traffic
	DirectionOut Direction = C.PF_OUT
	// DirectionInOut InOut any direction (ingress/egress) traffic
	DirectionInOut Direction = C.PF_INOUT
)

func (Direction) String 

func (d Direction) String() string

type DynamicFlag 

type DynamicFlag uint8

DynamicFlag can be set on an address that is derived from an interface 

const (
	// DynamicFlagNetwork translates to the network(s) attached to the interface
	DynamicFlagNetwork DynamicFlag = C.PFI_AFLAG_NETWORK
	// DynamicFlagBroadcast translates to the interface's broadcast address(es).
	DynamicFlagBroadcast DynamicFlag = C.PFI_AFLAG_BROADCAST
	// DynamicFlagPeer translates to the point-to-point interface's peer address(es).
	DynamicFlagPeer DynamicFlag = C.PFI_AFLAG_PEER
	// DynamicFlagNoAlias do not include interface aliases.
	DynamicFlagNoAlias DynamicFlag = C.PFI_AFLAG_NOALIAS
)

func (DynamicFlag) String 

func (f DynamicFlag) String() string

type Handle 

type Handle struct {
	// Anchor root anchor (ruleset without anchor)
	Anchor
}

Handle to the pf kernel module using ioctl

func Open 

func Open() (*Handle, error)

Open pf ioctl dev

func (Handle) ClearPFStats 

func (h Handle) ClearPFStats() error

ClearPFStats clear the internal packet filter statistics

func (Handle) ClearPerRuleStats 

func (h Handle) ClearPerRuleStats() error

ClearPerRuleStats clear per-rule statistics

func (Handle) ClearSourceNodes 

func (h Handle) ClearSourceNodes() error

ClearSourceNodes clear the tree of source tracking nodes

func (Handle) Close 

func (dev Handle) Close() error

Close pf ioctl dev

func (Handle) Limit 

func (h Handle) Limit(l Limit) (uint, error)

Limit returns the currently configured limit for the memory pool

func (Handle) NewTransaction 

func (h Handle) NewTransaction(numRS int) *Transaction

NewTransaction creates a new transaction containing the passed number of rulesets. Transactions are reusable if the number of result sets is not changing. For resuable transactions every transaction must be closed by either Commit() or Rollback().

func (Handle) SetDebugMode 

func (h Handle) SetDebugMode(mode DebugMode) error

SetDebugMode of the packetfilter

func (Handle) SetHostID 

func (h Handle) SetHostID(id uint32) error

SetHostID set the host ID, which is used by pfsync to identify which host created state table entries.

func (Handle) SetLimit 

func (h Handle) SetLimit(l Limit, limit uint) error

SetLimit sets hard limits on the memory pools used by the packet filter

func (Handle) SetStatusInterface 

func (h Handle) SetStatusInterface(dev string) error

SetStatusInterface sets the status interface(s) for pf usually that is something like pflog0. The device needs to be created before using interface cloning.

func (Handle) SetTimeout 

func (h Handle) SetTimeout(t Timeout, d time.Duration) error

SetTimeout set the state timeout to specified duration

func (Handle) Start 

func (h Handle) Start() error

Start the packet filter.

func (Handle) StatusInterface 

func (h Handle) StatusInterface() (string, error)

StatusInterface returns the currently configured status interface or an error.

func (Handle) Stop 

func (h Handle) Stop() error

Stop the packet filter

func (Handle) Timeout 

func (h Handle) Timeout(t Timeout) (time.Duration, error)

Timeout returns the currently configured timeout duration

func (Handle) UpdateStatistics 

func (h Handle) UpdateStatistics(stats *Statistics) error

UpdateStatistics of the packet filter

type Limit 

type Limit int

Limit represents a hard packet filter limit 

const (
	// LimitStates limits the number of pf states
	LimitStates Limit = C.PF_LIMIT_STATES
	// LimitSourceNodes limits the number of pf source nodes
	LimitSourceNodes Limit = C.PF_LIMIT_SRC_NODES
	// LimitFragments limits the number of pf fragments
	LimitFragments Limit = C.PF_LIMIT_FRAGS
	// LimitTableEntries limits the number of addresses in a table
	LimitTableEntries Limit = C.PF_LIMIT_TABLE_ENTRIES
)

type Protocol 

type Protocol uint8

Protocol that should be filtered by pf 

const (
	// ProtocolAny Any matches any protocol
	ProtocolAny Protocol = 0
	// ProtocolTCP TCP
	ProtocolTCP Protocol = C.IPPROTO_TCP
	// ProtocolUDP UDP
	ProtocolUDP Protocol = C.IPPROTO_UDP
	// ProtocolICMP ICMP
	ProtocolICMP Protocol = C.IPPROTO_ICMP
)

func (Protocol) String 

func (p Protocol) String() string

type Rule 

type Rule struct {
	// contains filtered or unexported fields
}

Rule wraps the pf rule (cgo)

func (Rule) Action 

func (r Rule) Action() Action

Action returns the action that is performed when rule matches

func (Rule) AddressFamily 

func (r Rule) AddressFamily() AddressFamily

AddressFamily returns the address family that is matched on

func (Rule) Direction 

func (r Rule) Direction() Direction

Direction returns the rule matching direction

func (Rule) Log 

func (r Rule) Log() bool

Log returns true if matching packets are logged

func (*Rule) ParseDestination 

func (r *Rule) ParseDestination(dst, port string, neg bool) error

ParseDestination sets the destination (inet and inet6) based on the passed strings, if parsing failes err returned

func (*Rule) ParseSource 

func (r *Rule) ParseSource(src, port string, neg bool) error

ParseSource sets the source ip (inet and inet6) based on the passed strings, if parsing failes err is returned

func (Rule) Protocol 

func (r Rule) Protocol() Protocol

Protocol that is matched by the rule

func (Rule) Quick 

func (r Rule) Quick() bool

Quick returns true if matching packets are last to evaluate in the rule list

func (*Rule) SetAction 

func (r *Rule) SetAction(a Action)

SetAction sets the action on the traffic flow

func (*Rule) SetAddressFamily 

func (r *Rule) SetAddressFamily(af AddressFamily)

SetAddressFamily sets the address family to match on

func (*Rule) SetDirection 

func (r *Rule) SetDirection(dir Direction)

SetDirection sets the direction the traffic flows

func (*Rule) SetLog 

func (r *Rule) SetLog(enabled bool)

SetLog enables logging of packets to the log interface

func (*Rule) SetProtocol 

func (r *Rule) SetProtocol(p Protocol)

SetProtocol sets the protocol matcher of the rule if the

func (*Rule) SetQuick 

func (r *Rule) SetQuick(enabled bool)

SetQuick skips further evaluations if packet matched

func (*Rule) SetState 

func (r *Rule) SetState(s State)

SetState sets if the rule keeps state or not

func (Rule) State 

func (r Rule) State() State

State returns the state tracking configuration of the rule

func (Rule) Stats 

func (r Rule) Stats(stats *RuleStats)

Stats copies the rule statistics into the passed RuleStats struct

func (Rule) String 

func (r Rule) String() string

String returns the rule as pf.conf representation

type RuleSet 

type RuleSet struct {
	// contains filtered or unexported fields
}

RuleSet represents a pf rule set that is a collection of rules

func (RuleSet) AddRule 

func (rs RuleSet) AddRule(r *Rule) error

AddRule adds the given rule to the end of the rule set

func (RuleSet) Anchor 

func (rs RuleSet) Anchor() string

Anchor returns the anchor of the rule set

func (*RuleSet) SetAnchor 

func (rs *RuleSet) SetAnchor(path string) error

SetAnchor can be used to set the anchor path for the rule set

func (*RuleSet) SetType 

func (rs *RuleSet) SetType(t RuleSetType)

SetType can be used to change the type of a rule set

func (RuleSet) Type 

func (rs RuleSet) Type() RuleSetType

Type returns the type of the rule set

type RuleSetType 

type RuleSetType int

RuleSetType is the type of a given rule set 

const (
	// RuleSetScrub Scrub (packet normalization) rules.
	RuleSetScrub RuleSetType = C.PF_RULESET_SCRUB
	// RuleSetFilter Filter rules.
	RuleSetFilter RuleSetType = C.PF_RULESET_FILTER
	// RuleSetNAT NAT (Network Address Translation) rules.
	RuleSetNAT RuleSetType = C.PF_RULESET_NAT
	// RuleSetBINAT Bidirectional NAT rules.
	RuleSetBINAT RuleSetType = C.PF_RULESET_BINAT
	// RuleSetRedirect Redirect rules.
	RuleSetRedirect RuleSetType = C.PF_RULESET_RDR
	// RuleSetALTQ ALTQ disciplines.
	RuleSetALTQ RuleSetType = C.PF_RULESET_ALTQ
	// RuleSetTable Address tables.
	RuleSetTable RuleSetType = C.PF_RULESET_TABLE
)

type RuleStats 

type RuleStats struct {
	Evaluations         uint64
	PacketIn, PacketOut uint64
	BytesIn, BytesOut   uint64
}

RuleStats contains usefule pf rule statistics

type SendReceivedStats 

type SendReceivedStats struct {
	SendIPv4, ReceivedIPv4, SendIPv6, ReceivedIPv6 uint64
}

SendReceivedStats stats for send and received IPv4/6 traffic

type State 

type State uint8

State wether the packet filter should keep track of the packet flows (stateful packet filter) or not (stateless packet filter). 

const (
	// StateNo no state tracking with this rule
	StateNo State = 0
	// StateKeep track state inside the packet filter
	StateKeep State = C.PF_STATE_NORMAL
	// StateModulate keeps state and adds high quality random sequence numbers
	// for tcp
	StateModulate State = C.PF_STATE_MODULATE
	// StateSynproxy keeps state and creates new tcp connections to hide internals
	StateSynproxy State = C.PF_STATE_SYNPROXY
)

func (State) String 

func (s State) String() string

type Statistics 

type Statistics struct {
	// contains filtered or unexported fields
}

Statistics about the internal packet filter

func (Statistics) Bytes 

func (s Statistics) Bytes() SendReceivedStats

Bytes returns num of send and received bytes for the interface

func (Statistics) ChecksumMD5 

func (s Statistics) ChecksumMD5() []byte

ChecksumMD5 of the statistics

func (Statistics) CounterNodeInsert 

func (s Statistics) CounterNodeInsert() uint64

CounterNodeInsert num state insert

func (Statistics) CounterNodeRemovals 

func (s Statistics) CounterNodeRemovals() uint64

CounterNodeRemovals num state insert

func (Statistics) CounterNodeSearch 

func (s Statistics) CounterNodeSearch() uint64

CounterNodeSearch num state search

func (Statistics) CounterOverloadFlush 

func (s Statistics) CounterOverloadFlush() uint64

CounterOverloadFlush state entries flushed

func (Statistics) CounterOverloadTable 

func (s Statistics) CounterOverloadTable() uint64

CounterOverloadTable entry added to overload table

func (Statistics) CounterSrcConn 

func (s Statistics) CounterSrcConn() uint64

CounterSrcConn max src conn

func (Statistics) CounterSrcConnRate 

func (s Statistics) CounterSrcConnRate() uint64

CounterSrcConnRate max src conn rate

func (Statistics) CounterSrcNodes 

func (s Statistics) CounterSrcNodes() uint64

CounterSrcNodes max src nodes

func (Statistics) CounterSrcStates 

func (s Statistics) CounterSrcStates() uint64

CounterSrcStates max src states

func (Statistics) CounterStateInsert 

func (s Statistics) CounterStateInsert() uint64

CounterStateInsert num state insert

func (Statistics) CounterStateRemovals 

func (s Statistics) CounterStateRemovals() uint64

CounterStateRemovals num state insert

func (Statistics) CounterStateSearch 

func (s Statistics) CounterStateSearch() uint64

CounterStateSearch num state search

func (Statistics) CounterStates 

func (s Statistics) CounterStates() uint64

CounterStates num states

func (Statistics) Debug 

func (s Statistics) Debug() DebugMode

Debug returns debug mode enabdled

func (Statistics) HostID 

func (s Statistics) HostID() uint32

HostID returns the ID of the host

func (Statistics) Interface 

func (s Statistics) Interface() string

Interface return the name of the interface if any (otherwise empty string)

func (Statistics) PacketsDrop 

func (s Statistics) PacketsDrop() SendReceivedStats

PacketsDrop num of packets droped for the interface

func (Statistics) PacketsPass 

func (s Statistics) PacketsPass() SendReceivedStats

PacketsPass num of packets passed for the interface

func (Statistics) ReasonBadOffset 

func (s Statistics) ReasonBadOffset() uint64

ReasonBadOffset num of bad offset for pull_hdr

func (Statistics) ReasonBadState 

func (s Statistics) ReasonBadState() uint64

ReasonBadState num of state mismatch

func (Statistics) ReasonBadTimestamp 

func (s Statistics) ReasonBadTimestamp() uint64

ReasonBadTimestamp num of bad TCP Timestamp (RFC1323)

func (Statistics) ReasonCongestion 

func (s Statistics) ReasonCongestion() uint64

ReasonCongestion num of congestion of ipintrq

func (Statistics) ReasonFragment 

func (s Statistics) ReasonFragment() uint64

ReasonFragment num dropping following fragment

func (Statistics) ReasonIPOption 

func (s Statistics) ReasonIPOption() uint64

ReasonIPOption num IP option

func (Statistics) ReasonMapFailed 

func (s Statistics) ReasonMapFailed() uint64

ReasonMapFailed num pf_map_addr() failed

func (Statistics) ReasonMatch 

func (s Statistics) ReasonMatch() uint64

ReasonMatch num of explicit match of a rule

func (Statistics) ReasonMaxStates 

func (s Statistics) ReasonMaxStates() uint64

ReasonMaxStates num of state limit

func (Statistics) ReasonMemory 

func (s Statistics) ReasonMemory() uint64

ReasonMemory num dropped die to lacking mem

func (Statistics) ReasonNormalizer 

func (s Statistics) ReasonNormalizer() uint64

ReasonNormalizer num dropping by normalizer

func (Statistics) ReasonProtocolChecksum 

func (s Statistics) ReasonProtocolChecksum() uint64

ReasonProtocolChecksum num protocol checksum invalid

func (Statistics) ReasonShort 

func (s Statistics) ReasonShort() uint64

ReasonShort num dropping short packet

func (Statistics) ReasonSourceLimit 

func (s Statistics) ReasonSourceLimit() uint64

ReasonSourceLimit num of source node/conn limit

func (Statistics) ReasonStateInsertion 

func (s Statistics) ReasonStateInsertion() uint64

ReasonStateInsertion num of state insertion failure

func (Statistics) ReasonSynProxy 

func (s Statistics) ReasonSynProxy() uint64

ReasonSynProxy num SYN proxy

func (Statistics) Running 

func (s Statistics) Running() bool

Running returns true if packet filter enabled

func (Statistics) RunningSince 

func (s Statistics) RunningSince() time.Time

RunningSince returns time since the packet filter is enabled

func (Statistics) SourceNodes 

func (s Statistics) SourceNodes() int

SourceNodes num source nodes in the packet filter

func (Statistics) States 

func (s Statistics) States() int

States num states in the packet filter

func (Statistics) String 

func (s Statistics) String() string

type Timeout 

type Timeout int

Timeout configuration identifier 

const (
	// TimeoutTCPFirstPacket first tcp packet (default 2 min)
	TimeoutTCPFirstPacket Timeout = C.PFTM_TCP_FIRST_PACKET
	// TimeoutTCPOpening no response yet (default 30 sec)
	TimeoutTCPOpening Timeout = C.PFTM_TCP_OPENING
	// TimeoutTCPEstablished connection established (default 1 day)
	TimeoutTCPEstablished Timeout = C.PFTM_TCP_ESTABLISHED
	// TimeoutTCPClosing half closed connection (default 15 min)
	TimeoutTCPClosing Timeout = C.PFTM_TCP_CLOSING
	// TimeoutTCPFinWait got both FIN's (default 45 sec)
	TimeoutTCPFinWait Timeout = C.PFTM_TCP_FIN_WAIT
	// TimeoutTCPClosed got a RST (default 1 min 30 sec)
	TimeoutTCPClosed Timeout = C.PFTM_TCP_CLOSED
	// TimeoutUDPFirstPacket first udp packet (default 1 min)
	TimeoutUDPFirstPacket Timeout = C.PFTM_UDP_FIRST_PACKET
	// TimeoutUDPSingle unidirectional (default 30 sec)
	TimeoutUDPSingle Timeout = C.PFTM_UDP_SINGLE
	// TimeoutUDPMultiple bidirectional (default 1 min)
	TimeoutUDPMultiple Timeout = C.PFTM_UDP_MULTIPLE
	// TimeoutICMPFirstPacket first ICMP packet (default 20 sec)
	TimeoutICMPFirstPacket Timeout = C.PFTM_ICMP_FIRST_PACKET
	// TimeoutICMPErrorReply go error response (default 10 sec)
	TimeoutICMPErrorReply Timeout = C.PFTM_ICMP_ERROR_REPLY
	// TimeoutOtherFirstPacket first packet (default 1 min)
	TimeoutOtherFirstPacket Timeout = C.PFTM_OTHER_FIRST_PACKET
	// TimeoutOtherSingle unidirectional (default 30 sec)
	TimeoutOtherSingle Timeout = C.PFTM_OTHER_SINGLE
	// TimeoutOtherMultiple bidirectional (default 1 min)
	TimeoutOtherMultiple Timeout = C.PFTM_OTHER_MULTIPLE
	// TimeoutFragment fragment expire (default 30 sec)
	TimeoutFragment Timeout = C.PFTM_FRAG
	// TimeoutInterval expire interval (default 10 sec)
	TimeoutInterval Timeout = C.PFTM_INTERVAL
	// TimeoutAdaptiveStart adaptive start
	TimeoutAdaptiveStart Timeout = C.PFTM_ADAPTIVE_START
	// TimeoutAdaptiveEnd adaptive end
	TimeoutAdaptiveEnd Timeout = C.PFTM_ADAPTIVE_END
	// TimeoutSourceNode source tracking (default 0 sec)
	TimeoutSourceNode Timeout = C.PFTM_SRC_NODE
	// TimeoutTSDiff allowed TS diff (default 30 sec)
	TimeoutTSDiff Timeout = C.PFTM_TS_DIFF
	// TimeoutPurge purge
	TimeoutPurge Timeout = C.PFTM_PURGE
	// TimeoutUnlinked unlinked
	TimeoutUnlinked Timeout = C.PFTM_UNLINKED
)

type Transaction 

type Transaction struct {
	// contains filtered or unexported fields
}

Transaction represents a pf transaction that can be used to add, change or remove rules and rulesets atomically

func (Transaction) Begin 

func (tx Transaction) Begin() error

Begin opens pf for transaction changes. This happens atomically and can fail, if there is currently a transaction open.

func (Transaction) Commit 

func (tx Transaction) Commit() error

Commit closes the transaction and applies the changes that where done since the last Begin() transaction

func (Transaction) Rollback 

func (tx Transaction) Rollback() error

Rollback removes the kernel side transaction and all chnages that where made since the last Begin() transaction are ignored

func (Transaction) RuleSet 

func (tx Transaction) RuleSet(index int) *RuleSet

RuleSet returns the rule set of o the passed index

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.