Documentation
Overview
Package pf (Packet Filter)
The FreeBSD operating system has multiple packet filters built in. One of them was ported from OpenBSD and is called pf (packet filter).
Packet filtering restricts the types of packets that pass through network interfaces entering or leaving the host based on filter rules as described in. The packet filter can also replace addresses and ports of packets. Replacing source addresses and ports of outgoing packets is called NAT (Network Address Translation) and is used to connect an internal network (usually reserved address space) to an external one (the Internet) by making all connections to external hosts appear to come from the gateway. Replacing destination addresses and ports of incoming packets is used to redirect connections to different hosts and/or ports. A combination of both translations, bidirectional NAT, is also supported.
This Go module provides easy access to the packet filter inside the kernel. The FreeBSD kernel module that implements pf is called pf.ko.
Since the kernel interface differs between operating systems, this version currently works only with FreeBSD.
The packet filter creates the pseudo-device node /dev/pf, which allows userland processes to control the behavior of the packet filter through an ioctl(2) interface. There are commands to enable and disable the filter, load rulesets, add and remove individual rules or state table entries, and retrieve statistics. The most commonly used functions are covered by this library.
Manipulations that involve more than a single ioctl(2) call, such as loading a ruleset, require a so-called ticket, which prevents multiple concurrent manipulations. Tickets are modeled as transaction objects inside the library.
Working with pf directly over a remote connection can cause you to lose that connection in case of a programming error. Make sure you have a second way to access the system, e.g. a serial console.
Index
- Variables
- type Action
- type Address
- func (a Address) Any() bool
- func (a Address) Dynamic() bool
- func (a Address) DynamicCount() int
- func (a Address) DynamicFlag(flag DynamicFlag) bool
- func (a Address) IPNet() *net.IPNet
- func (a Address) IPRange() (net.IP, net.IP)
- func (a Address) Interface() string
- func (a Address) Mask() bool
- func (a Address) NoRoute() bool
- func (a *Address) ParseCIDR(address string) error
- func (a Address) Range() bool
- func (a *Address) SetAny()
- func (a *Address) SetDynamicFlag(flag DynamicFlag)
- func (a *Address) SetIPNet(ipn *net.IPNet)
- func (a *Address) SetIPRange(start, end net.IP)
- func (a *Address) SetInterface(itf string) error
- func (a *Address) SetNoRoute()
- func (a *Address) SetTableName(name string) error
- func (a *Address) SetURPFFailed()
- func (a Address) String() string
- func (a Address) Table() bool
- func (a Address) TableCount() int
- func (a Address) TableName() string
- func (a Address) URPFFailed() bool
- type AddressFamily
- type Anchor
- type DebugMode
- type Direction
- type DynamicFlag
- type Handle
- func (h Handle) ClearPFStats() error
- func (h Handle) ClearPerRuleStats() error
- func (h Handle) ClearSourceNodes() error
- func (dev Handle) Close() error
- func (h Handle) Limit(l Limit) (uint, error)
- func (h Handle) NewTransaction(numRS int) *Transaction
- func (h Handle) SetDebugMode(mode DebugMode) error
- func (h Handle) SetHostID(id uint32) error
- func (h Handle) SetLimit(l Limit, limit uint) error
- func (h Handle) SetStatusInterface(dev string) error
- func (h Handle) SetTimeout(t Timeout, d time.Duration) error
- func (h Handle) Start() error
- func (h Handle) StatusInterface() (string, error)
- func (h Handle) Stop() error
- func (h Handle) Timeout(t Timeout) (time.Duration, error)
- func (h Handle) UpdateStatistics(stats *Statistics) error
- type Limit
- type Protocol
- type Rule
- func (r Rule) Action() Action
- func (r Rule) AddressFamily() AddressFamily
- func (r Rule) Direction() Direction
- func (r Rule) Log() bool
- func (r *Rule) ParseDestination(dst, port string, neg bool) error
- func (r *Rule) ParseSource(src, port string, neg bool) error
- func (r Rule) Protocol() Protocol
- func (r Rule) Quick() bool
- func (r *Rule) SetAction(a Action)
- func (r *Rule) SetAddressFamily(af AddressFamily)
- func (r *Rule) SetDirection(dir Direction)
- func (r *Rule) SetLog(enabled bool)
- func (r *Rule) SetProtocol(p Protocol)
- func (r *Rule) SetQuick(enabled bool)
- func (r *Rule) SetState(s State)
- func (r Rule) State() State
- func (r Rule) Stats(stats *RuleStats)
- func (r Rule) String() string
- type RuleSet
- type RuleSetType
- type RuleStats
- type SendReceivedStats
- type State
- type Statistics
- func (s Statistics) Bytes() SendReceivedStats
- func (s Statistics) ChecksumMD5() []byte
- func (s Statistics) CounterNodeInsert() uint64
- func (s Statistics) CounterNodeRemovals() uint64
- func (s Statistics) CounterNodeSearch() uint64
- func (s Statistics) CounterOverloadFlush() uint64
- func (s Statistics) CounterOverloadTable() uint64
- func (s Statistics) CounterSrcConn() uint64
- func (s Statistics) CounterSrcConnRate() uint64
- func (s Statistics) CounterSrcNodes() uint64
- func (s Statistics) CounterSrcStates() uint64
- func (s Statistics) CounterStateInsert() uint64
- func (s Statistics) CounterStateRemovals() uint64
- func (s Statistics) CounterStateSearch() uint64
- func (s Statistics) CounterStates() uint64
- func (s Statistics) Debug() DebugMode
- func (s Statistics) HostID() uint32
- func (s Statistics) Interface() string
- func (s Statistics) PacketsDrop() SendReceivedStats
- func (s Statistics) PacketsPass() SendReceivedStats
- func (s Statistics) ReasonBadOffset() uint64
- func (s Statistics) ReasonBadState() uint64
- func (s Statistics) ReasonBadTimestamp() uint64
- func (s Statistics) ReasonCongestion() uint64
- func (s Statistics) ReasonFragment() uint64
- func (s Statistics) ReasonIPOption() uint64
- func (s Statistics) ReasonMapFailed() uint64
- func (s Statistics) ReasonMatch() uint64
- func (s Statistics) ReasonMaxStates() uint64
- func (s Statistics) ReasonMemory() uint64
- func (s Statistics) ReasonNormalizer() uint64
- func (s Statistics) ReasonProtocolChecksum() uint64
- func (s Statistics) ReasonShort() uint64
- func (s Statistics) ReasonSourceLimit() uint64
- func (s Statistics) ReasonStateInsertion() uint64
- func (s Statistics) ReasonSynProxy() uint64
- func (s Statistics) Running() bool
- func (s Statistics) RunningSince() time.Time
- func (s Statistics) SourceNodes() int
- func (s Statistics) States() int
- func (s Statistics) String() string
- type Timeout
- type Transaction
Constants
This section is empty.
Variables
var AllDynamicFlags = []DynamicFlag{
	DynamicFlagNetwork,
	DynamicFlagBroadcast,
	DynamicFlagPeer,
	DynamicFlagNoAlias,
}
AllDynamicFlags contains all dynamic flags in the usual order
Functions
This section is empty.
Types
type Action
type Action uint8
Action that should be performed by pf
const (
	// ActionPass Filter rule action to pass the traffic
	ActionPass Action = C.PF_PASS
	// ActionDrop Filter rule action to drop the traffic
	ActionDrop Action = C.PF_DROP
	// ActionScrub Scrub rule action to do scrubbing
	ActionScrub Action = C.PF_SCRUB
	// ActionNoScrub Scrub rule action to not do scrubbing
	ActionNoScrub Action = C.PF_NOSCRUB
	// ActionNAT NAT rule action to do NAT
	ActionNAT Action = C.PF_NAT
	// ActionNoNAT NAT rule action to not do NAT
	ActionNoNAT Action = C.PF_NONAT
	// ActionBINAT NAT rule action to do BINAT
	ActionBINAT Action = C.PF_BINAT
	// ActionNoBINAT NAT rule action to not do BINAT
	ActionNoBINAT Action = C.PF_NOBINAT
	// ActionRDR RDR rule action to do RDR
	ActionRDR Action = C.PF_RDR
	// ActionNoRDR RDR rule action to not do RDR
	ActionNoRDR Action = C.PF_NORDR
	// ActionSynProxyDrop TODO
	ActionSynProxyDrop Action = C.PF_SYNPROXY_DROP
	// ActionDefer TODO is this divert?
	ActionDefer Action = C.PF_DEFER
)
type Address
type Address struct {
	// contains filtered or unexported fields
}
Address wraps the pf address (cgo)
func (Address) DynamicCount
DynamicCount returns the dynamic count
func (Address) DynamicFlag
func (a Address) DynamicFlag(flag DynamicFlag) bool
DynamicFlag returns true if the flag is set for the address
func (Address) Interface
Interface returns the name of the interface (e.g. used for a dynamic address); it returns an empty string if no interface is set
func (*Address) ParseCIDR
ParseCIDR parses the passed address in CIDR notation and sets the extracted address, mask and address family. If the mask is missing, a plain IP address is assumed and the mask is set to 32 for IPv4 or 128 for IPv6. It may return a parse error if the address is neither valid CIDR nor a valid IP address
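The behaviour ParseCIDR documents (CIDR accepted, bare address widened to /32 or /128, error otherwise) is easy to get wrong in a rule-generation tool, so here is a stand-alone Go model of exactly that contract. It is an added example, not code from this package: ParseCIDROrIP, ParsedAddress and PrefixLen are names chosen for the example, and the "inet"/"inet6" family strings mirror the AddressFamily names on the page rather than the library's internal representation. It uses only the standard net package and runs on any platform.

```go
package main

import (
	"fmt"
	"net"
)

// ParsedAddress mirrors what the page says Address.ParseCIDR stores:
// the address, its mask and the address family (inet or inet6).
// This is an example type, not the library's Address.
type ParsedAddress struct {
	IPNet  *net.IPNet
	Family string // "inet" or "inet6"
}

// ParseCIDROrIP accepts either CIDR notation ("10.0.0.0/8") or a bare
// address ("192.0.2.1"). A bare address is treated as a host address and
// gets a /32 (IPv4) or /128 (IPv6) mask, as the ParseCIDR doc describes.
// Anything that is neither parses as an error.
func ParseCIDROrIP(s string) (ParsedAddress, error) {
	if _, ipn, err := net.ParseCIDR(s); err == nil {
		// net.ParseCIDR returns the network with the host bits zeroed.
		return ParsedAddress{IPNet: ipn, Family: familyOf(ipn.IP)}, nil
	}
	ip := net.ParseIP(s)
	if ip == nil {
		return ParsedAddress{}, fmt.Errorf("%q is neither a CIDR prefix nor an IP address", s)
	}
	// Normalise 4-byte and IPv4-mapped forms so the family is reported correctly
	// and the mask length matches the family.
	if v4 := ip.To4(); v4 != nil {
		return ParsedAddress{IPNet: &net.IPNet{IP: v4, Mask: net.CIDRMask(32, 32)}, Family: "inet"}, nil
	}
	return ParsedAddress{IPNet: &net.IPNet{IP: ip, Mask: net.CIDRMask(128, 128)}, Family: "inet6"}, nil
}

// familyOf reports the address family the way the page's AddressFamily
// constants name it.
func familyOf(ip net.IP) string {
	if ip.To4() != nil {
		return "inet"
	}
	return "inet6"
}

// PrefixLen returns the mask length that was applied.
func (p ParsedAddress) PrefixLen() int {
	ones, _ := p.IPNet.Mask.Size()
	return ones
}

func main() {
	// Constructed inputs covering the documented cases.
	for _, in := range []string{"10.0.0.0/8", "192.0.2.1", "192.0.2.1/24", "2001:db8::1", "not-an-address"} {
		p, err := ParseCIDROrIP(in)
		if err != nil {
			fmt.Printf("%-16s -> error: %v\n", in, err)
			continue
		}
		fmt.Printf("%-16s -> %s %s /%d\n", in, p.Family, p.IPNet.IP, p.PrefixLen())
	}
}
```

Note that "192.0.2.1/24" comes back as 192.0.2.0/24: the host bits are cleared by net.ParseCIDR, which is worth knowing when you compare a parsed rule against the string you fed in.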
func (*Address) SetAny
func (a *Address) SetAny()
SetAny turns the address into an "any" IP address
func (*Address) SetDynamicFlag
func (a *Address) SetDynamicFlag(flag DynamicFlag)
SetDynamicFlag sets the dynamic interface flag
func (*Address) SetIPNet
SetIPNet updates the IP address and mask and changes the type to AddressMask
func (*Address) SetIPRange
SetIPRange sets the start and end address and turns the object into an IP range
func (*Address) SetInterface
SetInterface turns the address into a dynamic interface reference; the kind of interface reference can be changed with flags
func (*Address) SetNoRoute
func (a *Address) SetNoRoute()
SetNoRoute turns the address into a no-route address, i.e. one that is not currently routable
func (*Address) SetTableName
SetTableName turns the address into a table reference, using the given name
func (*Address) SetURPFFailed
func (a *Address) SetURPFFailed()
SetURPFFailed see URPFFailed for details
func (Address) URPFFailed
URPFFailed reports whether the address matches any source address that fails a unicast reverse path forwarding (URPF) check, i.e. packets coming in on an interface other than the one that holds the route back to the packet's source address
type AddressFamily
type AddressFamily uint8
AddressFamily that should be filtered by pf (inet / inet6)
const (
	// AddressFamilyAny Any matches any address family
	AddressFamilyAny AddressFamily = 0
	// AddressFamilyInet IPv4
	AddressFamilyInet AddressFamily = C.AF_INET
	// AddressFamilyInet6 IPv6
	AddressFamilyInet6 AddressFamily = C.AF_INET6
)
func (AddressFamily) String
func (af AddressFamily) String() string
type Anchor
type Anchor struct {
	Path string
	// contains filtered or unexported fields
}
Anchor allows reading and manipulating rulesets without requiring a transaction
type DebugMode
type DebugMode int
DebugMode of the packet filter
const (
	// DebugModeNone debugging is disabled
	DebugModeNone DebugMode = C.PF_DEBUG_NONE
	// DebugModeUrgent only urgent info
	DebugModeUrgent DebugMode = C.PF_DEBUG_URGENT
	// DebugModeMisc some more info
	DebugModeMisc DebugMode = C.PF_DEBUG_MISC
	// DebugModeNoisy lots of debug messages
	DebugModeNoisy DebugMode = C.PF_DEBUG_NOISY
)
type DynamicFlag
type DynamicFlag uint8
DynamicFlag can be set on an address that is derived from an interface
const (
	// DynamicFlagNetwork translates to the network(s) attached to the interface
	DynamicFlagNetwork DynamicFlag = C.PFI_AFLAG_NETWORK
	// DynamicFlagBroadcast translates to the interface's broadcast address(es).
	DynamicFlagBroadcast DynamicFlag = C.PFI_AFLAG_BROADCAST
	// DynamicFlagPeer translates to the point-to-point interface's peer address(es).
	DynamicFlagPeer DynamicFlag = C.PFI_AFLAG_PEER
	// DynamicFlagNoAlias do not include interface aliases.
	DynamicFlagNoAlias DynamicFlag = C.PFI_AFLAG_NOALIAS
)
func (DynamicFlag) String
func (f DynamicFlag) String() string
type Handle
type Handle struct {
	// Anchor root anchor (ruleset without anchor)
	Anchor
}
Handle to the pf kernel module using ioctl
func (Handle) ClearPFStats
ClearPFStats clears the internal packet filter statistics
func (Handle) ClearPerRuleStats
ClearPerRuleStats clears the per-rule statistics
func (Handle) ClearSourceNodes
ClearSourceNodes clears the tree of source tracking nodes
func (Handle) NewTransaction
func (h Handle) NewTransaction(numRS int) *Transaction
NewTransaction creates a new transaction containing the passed number of rulesets. Transactions are reusable as long as the number of rulesets does not change. For reusable transactions every transaction must be closed by either Commit() or Rollback().
func (Handle) SetDebugMode
SetDebugMode of the packet filter
func (Handle) SetHostID
SetHostID sets the host ID, which is used by pfsync to identify which host created state table entries.
func (Handle) SetStatusInterface
SetStatusInterface sets the status interface(s) for pf; usually that is something like pflog0. The device needs to be created first, using interface cloning.
func (Handle) SetTimeout
SetTimeout sets the state timeout to the specified duration
func (Handle) StatusInterface
StatusInterface returns the currently configured status interface or an error.
func (Handle) UpdateStatistics
func (h Handle) UpdateStatistics(stats *Statistics) error
UpdateStatistics of the packet filter
type Limit
type Limit int
Limit represents a hard packet filter limit
const (
	// LimitStates limits the number of pf states
	LimitStates Limit = C.PF_LIMIT_STATES
	// LimitSourceNodes limits the number of pf source nodes
	LimitSourceNodes Limit = C.PF_LIMIT_SRC_NODES
	// LimitFragments limits the number of pf fragments
	LimitFragments Limit = C.PF_LIMIT_FRAGS
	// LimitTableEntries limits the number of addresses in a table
	LimitTableEntries Limit = C.PF_LIMIT_TABLE_ENTRIES
)
type Protocol
type Protocol uint8
Protocol that should be filtered by pf
const (
	// ProtocolAny Any matches any protocol
	ProtocolAny Protocol = 0
	// ProtocolTCP TCP
	ProtocolTCP Protocol = C.IPPROTO_TCP
	// ProtocolUDP UDP
	ProtocolUDP Protocol = C.IPPROTO_UDP
	// ProtocolICMP ICMP
	ProtocolICMP Protocol = C.IPPROTO_ICMP
)
type Rule
type Rule struct {
	// contains filtered or unexported fields
}
Rule wraps the pf rule (cgo)
func (Rule) AddressFamily
func (r Rule) AddressFamily() AddressFamily
AddressFamily returns the address family that is matched on
func (*Rule) ParseDestination
ParseDestination sets the destination (inet and inet6) based on the passed strings; if parsing fails an error is returned
func (*Rule) ParseSource
ParseSource sets the source IP (inet and inet6) based on the passed strings; if parsing fails an error is returned
func (*Rule) SetAddressFamily
func (r *Rule) SetAddressFamily(af AddressFamily)
SetAddressFamily sets the address family to match on
func (*Rule) SetDirection
SetDirection sets the direction in which the traffic flows
func (*Rule) SetProtocol
SetProtocol sets the protocol matcher of the rule if the
type RuleSet
type RuleSet struct {
	// contains filtered or unexported fields
}
RuleSet represents a pf rule set, that is, a collection of rules
func (*RuleSet) SetType
func (rs *RuleSet) SetType(t RuleSetType)
SetType can be used to change the type of a rule set
type RuleSetType
type RuleSetType int
RuleSetType is the type of a given rule set
const (
	// RuleSetScrub Scrub (packet normalization) rules.
	RuleSetScrub RuleSetType = C.PF_RULESET_SCRUB
	// RuleSetFilter Filter rules.
	RuleSetFilter RuleSetType = C.PF_RULESET_FILTER
	// RuleSetNAT NAT (Network Address Translation) rules.
	RuleSetNAT RuleSetType = C.PF_RULESET_NAT
	// RuleSetBINAT Bidirectional NAT rules.
	RuleSetBINAT RuleSetType = C.PF_RULESET_BINAT
	// RuleSetRedirect Redirect rules.
	RuleSetRedirect RuleSetType = C.PF_RULESET_RDR
	// RuleSetALTQ ALTQ disciplines.
	RuleSetALTQ RuleSetType = C.PF_RULESET_ALTQ
	// RuleSetTable Address tables.
	RuleSetTable RuleSetType = C.PF_RULESET_TABLE
)
type SendReceivedStats
type SendReceivedStats struct {
	SendIPv4, ReceivedIPv4, SendIPv6, ReceivedIPv6 uint64
}
SendReceivedStats holds stats for sent and received IPv4/IPv6 traffic
type State
type State uint8
State specifies whether the packet filter should keep track of packet flows (stateful packet filter) or not (stateless packet filter).
const (
	// StateNo no state tracking with this rule
	StateNo State = 0
	// StateKeep track state inside the packet filter
	StateKeep State = C.PF_STATE_NORMAL
	// StateModulate keeps state and adds high quality random sequence numbers
	// for tcp
	StateModulate State = C.PF_STATE_MODULATE
	// StateSynproxy keeps state and creates new tcp connections to hide internals
	StateSynproxy State = C.PF_STATE_SYNPROXY
)
type Statistics
type Statistics struct {
	// contains filtered or unexported fields
}
Statistics about the internal packet filter
func (Statistics) Bytes
func (s Statistics) Bytes() SendReceivedStats
Bytes returns the number of sent and received bytes for the interface
func (Statistics) ChecksumMD5
func (s Statistics) ChecksumMD5() []byte
ChecksumMD5 of the statistics
func (Statistics) CounterNodeInsert
func (s Statistics) CounterNodeInsert() uint64
CounterNodeInsert number of node insertions
func (Statistics) CounterNodeRemovals
func (s Statistics) CounterNodeRemovals() uint64
CounterNodeRemovals number of node removals
func (Statistics) CounterNodeSearch
func (s Statistics) CounterNodeSearch() uint64
CounterNodeSearch number of node searches
func (Statistics) CounterOverloadFlush
func (s Statistics) CounterOverloadFlush() uint64
CounterOverloadFlush number of state entries flushed
func (Statistics) CounterOverloadTable
func (s Statistics) CounterOverloadTable() uint64
CounterOverloadTable number of entries added to an overload table
func (Statistics) CounterSrcConn
func (s Statistics) CounterSrcConn() uint64
CounterSrcConn count of max-src-conn limit hits
func (Statistics) CounterSrcConnRate
func (s Statistics) CounterSrcConnRate() uint64
CounterSrcConnRate count of max-src-conn-rate limit hits
func (Statistics) CounterSrcNodes
func (s Statistics) CounterSrcNodes() uint64
CounterSrcNodes count of max-src-nodes limit hits
func (Statistics) CounterSrcStates
func (s Statistics) CounterSrcStates() uint64
CounterSrcStates count of max-src-states limit hits
func (Statistics) CounterStateInsert
func (s Statistics) CounterStateInsert() uint64
CounterStateInsert number of state insertions
func (Statistics) CounterStateRemovals
func (s Statistics) CounterStateRemovals() uint64
CounterStateRemovals number of state removals
func (Statistics) CounterStateSearch
func (s Statistics) CounterStateSearch() uint64
CounterStateSearch number of state searches
func (Statistics) CounterStates
func (s Statistics) CounterStates() uint64
CounterStates number of states
func (Statistics) Interface
func (s Statistics) Interface() string
Interface returns the name of the interface if any (otherwise an empty string)
func (Statistics) PacketsDrop
func (s Statistics) PacketsDrop() SendReceivedStats
PacketsDrop number of packets dropped for the interface
func (Statistics) PacketsPass
func (s Statistics) PacketsPass() SendReceivedStats
PacketsPass number of packets passed for the interface
func (Statistics) ReasonBadOffset
func (s Statistics) ReasonBadOffset() uint64
ReasonBadOffset number of packets with a bad offset for pull_hdr
func (Statistics) ReasonBadState
func (s Statistics) ReasonBadState() uint64
ReasonBadState number of state mismatches
func (Statistics) ReasonBadTimestamp
func (s Statistics) ReasonBadTimestamp() uint64
ReasonBadTimestamp number of bad TCP timestamps (RFC 1323)
func (Statistics) ReasonCongestion
func (s Statistics) ReasonCongestion() uint64
ReasonCongestion number of packets dropped due to congestion of ipintrq
func (Statistics) ReasonFragment
func (s Statistics) ReasonFragment() uint64
ReasonFragment number of packets dropped as following fragments
func (Statistics) ReasonIPOption
func (s Statistics) ReasonIPOption() uint64
ReasonIPOption number of packets with IP options
func (Statistics) ReasonMapFailed
func (s Statistics) ReasonMapFailed() uint64
ReasonMapFailed number of pf_map_addr() failures
func (Statistics) ReasonMatch
func (s Statistics) ReasonMatch() uint64
ReasonMatch number of explicit matches of a rule
func (Statistics) ReasonMaxStates
func (s Statistics) ReasonMaxStates() uint64
ReasonMaxStates number of packets that hit the state limit
func (Statistics) ReasonMemory
func (s Statistics) ReasonMemory() uint64
ReasonMemory number of packets dropped due to lack of memory
func (Statistics) ReasonNormalizer
func (s Statistics) ReasonNormalizer() uint64
ReasonNormalizer number of packets dropped by the normalizer
func (Statistics) ReasonProtocolChecksum
func (s Statistics) ReasonProtocolChecksum() uint64
ReasonProtocolChecksum number of packets with an invalid protocol checksum
func (Statistics) ReasonShort
func (s Statistics) ReasonShort() uint64
ReasonShort number of short packets dropped
func (Statistics) ReasonSourceLimit
func (s Statistics) ReasonSourceLimit() uint64
ReasonSourceLimit number of packets that hit a source node/conn limit
func (Statistics) ReasonStateInsertion
func (s Statistics) ReasonStateInsertion() uint64
ReasonStateInsertion number of state insertion failures
func (Statistics) ReasonSynProxy
func (s Statistics) ReasonSynProxy() uint64
ReasonSynProxy number of SYN proxy packets
func (Statistics) Running
func (s Statistics) Running() bool
Running returns true if the packet filter is enabled
func (Statistics) RunningSince
func (s Statistics) RunningSince() time.Time
RunningSince returns the time since which the packet filter has been enabled
func (Statistics) SourceNodes
func (s Statistics) SourceNodes() int
SourceNodes number of source nodes in the packet filter
func (Statistics) String
func (s Statistics) String() string
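The pass and drop counters above are cumulative kernel counters, so a monitoring job has to difference consecutive UpdateStatistics() snapshots, and it has to cope with the counters going backwards after ClearPFStats() or a pf restart. The following is an added example (not code from this package) of that bookkeeping in plain Go: Counters is a constructed copy of the SendReceivedStats field layout so the example runs without the cgo library, and the Snapshot, Diff, Delta and Alerts names are the example's own. On FreeBSD a caller would fill each Snapshot from Statistics.PacketsPass() and Statistics.PacketsDrop(); the sample values here are made up.

```go
package main

import "fmt"

// Counters has the same field layout as the page's SendReceivedStats.
// It is a constructed copy so this example does not need the cgo package.
type Counters struct {
	SendIPv4, ReceivedIPv4, SendIPv6, ReceivedIPv6 uint64
}

// Total sums both directions and both address families.
func (c Counters) Total() uint64 {
	return c.SendIPv4 + c.ReceivedIPv4 + c.SendIPv6 + c.ReceivedIPv6
}

// Snapshot is one poll of the cumulative pass and drop counters
// (assumed to come from PacketsPass() and PacketsDrop()).
type Snapshot struct {
	Pass, Drop Counters
}

// Delta is the change between two consecutive snapshots. Reset is set when a
// counter went backwards, which happens after ClearPFStats() or a pf restart;
// the deltas then carry the new absolute values and are not used for alerting.
type Delta struct {
	Passed, Dropped uint64
	Reset           bool
}

// Diff computes the per-interval change. Because the kernel counters are
// cumulative, the absolute values say nothing about the current interval.
func Diff(prev, cur Snapshot) Delta {
	pp, cp := prev.Pass.Total(), cur.Pass.Total()
	pd, cd := prev.Drop.Total(), cur.Drop.Total()
	if cp < pp || cd < pd {
		return Delta{Passed: cp, Dropped: cd, Reset: true}
	}
	return Delta{Passed: cp - pp, Dropped: cd - pd}
}

// DropRatio is dropped / (passed + dropped) for the interval; an idle
// interval (no packets at all) yields 0 rather than a division by zero.
func (d Delta) DropRatio() float64 {
	total := d.Passed + d.Dropped
	if total == 0 {
		return 0
	}
	return float64(d.Dropped) / float64(total)
}

// Alerts returns the indices of snapshots whose interval (since the previous
// snapshot) exceeded the drop-ratio threshold. Intervals that follow a
// counter reset are skipped because their deltas are not comparable.
func Alerts(samples []Snapshot, threshold float64) []int {
	var hits []int
	for i := 1; i < len(samples); i++ {
		d := Diff(samples[i-1], samples[i])
		if d.Reset {
			continue
		}
		if d.DropRatio() > threshold {
			hits = append(hits, i)
		}
	}
	return hits
}

// SampleSnapshots is constructed polling data: a normal interval, a burst of
// drops, a counter reset (as after ClearPFStats), and a normal interval again.
var SampleSnapshots = []Snapshot{
	{Pass: Counters{SendIPv4: 400, ReceivedIPv4: 600}, Drop: Counters{ReceivedIPv4: 10}},
	{Pass: Counters{SendIPv4: 800, ReceivedIPv4: 1200}, Drop: Counters{ReceivedIPv4: 20}},
	{Pass: Counters{SendIPv4: 850, ReceivedIPv4: 1250}, Drop: Counters{ReceivedIPv4: 500, ReceivedIPv6: 20}},
	{Pass: Counters{SendIPv4: 20, ReceivedIPv4: 30}, Drop: Counters{}},
	{Pass: Counters{SendIPv4: 70, ReceivedIPv4: 80}, Drop: Counters{ReceivedIPv4: 1}},
}

func main() {
	for i := 1; i < len(SampleSnapshots); i++ {
		d := Diff(SampleSnapshots[i-1], SampleSnapshots[i])
		fmt.Printf("interval %d: passed=%d dropped=%d reset=%v ratio=%.3f\n",
			i, d.Passed, d.Dropped, d.Reset, d.DropRatio())
	}
	fmt.Println("alerts at:", Alerts(SampleSnapshots, 0.05))
}
```

The threshold is deliberately a ratio rather than an absolute drop count: a few hundred drops are noise on a busy uplink and a clear signal on a quiet management interface, and the per-interval delta is what makes the two comparable.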
type Timeout
type Timeout int
Timeout configuration identifier
const (
	// TimeoutTCPFirstPacket first tcp packet (default 2 min)
	TimeoutTCPFirstPacket Timeout = C.PFTM_TCP_FIRST_PACKET
	// TimeoutTCPOpening no response yet (default 30 sec)
	TimeoutTCPOpening Timeout = C.PFTM_TCP_OPENING
	// TimeoutTCPEstablished connection established (default 1 day)
	TimeoutTCPEstablished Timeout = C.PFTM_TCP_ESTABLISHED
	// TimeoutTCPClosing half closed connection (default 15 min)
	TimeoutTCPClosing Timeout = C.PFTM_TCP_CLOSING
	// TimeoutTCPFinWait got both FIN's (default 45 sec)
	TimeoutTCPFinWait Timeout = C.PFTM_TCP_FIN_WAIT
	// TimeoutTCPClosed got a RST (default 1 min 30 sec)
	TimeoutTCPClosed Timeout = C.PFTM_TCP_CLOSED
	// TimeoutUDPFirstPacket first udp packet (default 1 min)
	TimeoutUDPFirstPacket Timeout = C.PFTM_UDP_FIRST_PACKET
	// TimeoutUDPSingle unidirectional (default 30 sec)
	TimeoutUDPSingle Timeout = C.PFTM_UDP_SINGLE
	// TimeoutUDPMultiple bidirectional (default 1 min)
	TimeoutUDPMultiple Timeout = C.PFTM_UDP_MULTIPLE
	// TimeoutICMPFirstPacket first ICMP packet (default 20 sec)
	TimeoutICMPFirstPacket Timeout = C.PFTM_ICMP_FIRST_PACKET
	// TimeoutICMPErrorReply got error response (default 10 sec)
	TimeoutICMPErrorReply Timeout = C.PFTM_ICMP_ERROR_REPLY
	// TimeoutOtherFirstPacket first packet (default 1 min)
	TimeoutOtherFirstPacket Timeout = C.PFTM_OTHER_FIRST_PACKET
	// TimeoutOtherSingle unidirectional (default 30 sec)
	TimeoutOtherSingle Timeout = C.PFTM_OTHER_SINGLE
	// TimeoutOtherMultiple bidirectional (default 1 min)
	TimeoutOtherMultiple Timeout = C.PFTM_OTHER_MULTIPLE
	// TimeoutFragment fragment expire (default 30 sec)
	TimeoutFragment Timeout = C.PFTM_FRAG
	// TimeoutInterval expire interval (default 10 sec)
	TimeoutInterval Timeout = C.PFTM_INTERVAL
	// TimeoutAdaptiveStart adaptive start
	TimeoutAdaptiveStart Timeout = C.PFTM_ADAPTIVE_START
	// TimeoutAdaptiveEnd adaptive end
	TimeoutAdaptiveEnd Timeout = C.PFTM_ADAPTIVE_END
	// TimeoutSourceNode source tracking (default 0 sec)
	TimeoutSourceNode Timeout = C.PFTM_SRC_NODE
	// TimeoutTSDiff allowed TS diff (default 30 sec)
	TimeoutTSDiff Timeout = C.PFTM_TS_DIFF
	// TimeoutPurge purge
	TimeoutPurge Timeout = C.PFTM_PURGE
	// TimeoutUnlinked unlinked
	TimeoutUnlinked Timeout = C.PFTM_UNLINKED
)
type Transaction
type Transaction struct {
	// contains filtered or unexported fields
}
Transaction represents a pf transaction that can be used to add, change or remove rules and rulesets atomically
func (Transaction) Begin
func (tx Transaction) Begin() error
Begin opens pf for transaction changes. This happens atomically and can fail if there is currently a transaction open.
func (Transaction) Commit
func (tx Transaction) Commit() error
Commit closes the transaction and applies the changes that were made since the last Begin()
func (Transaction) Rollback
func (tx Transaction) Rollback() error
Rollback removes the kernel-side transaction; all changes that were made since the last Begin() are discarded
func (Transaction) RuleSet
func (tx Transaction) RuleSet(index int) *RuleSet
RuleSet returns the rule set at the passed index
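NewTransaction says a reused transaction must always end in Commit() or Rollback(), and Begin() says it fails while another transaction is open; together that means a code path that returns early (or panics) between Begin() and Commit() leaves the kernel ticket held and breaks every later Begin(). The helper below is an added example, not part of this package, of wrapping the three calls so the ticket is always released. Transactor, WithTransaction and FakeTransaction are names chosen for the example; Transactor lists only the Begin/Commit/Rollback signatures the page documents, so the library's *Transaction satisfies it, and FakeTransaction is an in-memory stand-in so the helper can be exercised off FreeBSD.

```go
package main

import (
	"errors"
	"fmt"
)

// Transactor is the subset of the page's Transaction methods the helper
// needs. The library's *Transaction has exactly these methods (each
// returning error); the interface itself is example code.
type Transactor interface {
	Begin() error
	Commit() error
	Rollback() error
}

// WithTransaction runs fn between Begin() and Commit() and closes the
// transaction on every path: Commit on success, Rollback when fn returns an
// error or panics. An open transaction that is never closed would make the
// next Begin() fail and, for reused transactions, violate the rule that
// each one ends in Commit() or Rollback().
func WithTransaction(tx Transactor, fn func() error) (err error) {
	if err = tx.Begin(); err != nil {
		return fmt.Errorf("begin: %w", err)
	}
	defer func() {
		if r := recover(); r != nil {
			_ = tx.Rollback() // best effort: release the ticket before re-panicking
			panic(r)
		}
	}()
	if err = fn(); err != nil {
		if rbErr := tx.Rollback(); rbErr != nil {
			return fmt.Errorf("%w (rollback also failed: %v)", err, rbErr)
		}
		return err
	}
	if err = tx.Commit(); err != nil {
		return fmt.Errorf("commit: %w", err)
	}
	return nil
}

// FakeTransaction is a constructed in-memory stand-in for the kernel ticket.
// Like the real Transaction.Begin() it fails while a transaction is already
// open; Commit and Rollback close it. Log records the call sequence.
type FakeTransaction struct {
	open bool
	Log  []string
}

var (
	ErrAlreadyOpen = errors.New("transaction already open")
	ErrNotOpen     = errors.New("no transaction open")
)

func (f *FakeTransaction) Begin() error {
	if f.open {
		return ErrAlreadyOpen
	}
	f.open = true
	f.Log = append(f.Log, "begin")
	return nil
}

func (f *FakeTransaction) Commit() error {
	if !f.open {
		return ErrNotOpen
	}
	f.open = false
	f.Log = append(f.Log, "commit")
	return nil
}

func (f *FakeTransaction) Rollback() error {
	if !f.open {
		return ErrNotOpen
	}
	f.open = false
	f.Log = append(f.Log, "rollback")
	return nil
}

// Open reports whether the fake still holds its ticket.
func (f *FakeTransaction) Open() bool { return f.open }

func main() {
	tx := &FakeTransaction{}
	err := WithTransaction(tx, func() error { return nil })
	fmt.Println("success path:", err, tx.Log)
	err = WithTransaction(tx, func() error { return errors.New("rule did not parse") })
	fmt.Println("error path:  ", err, tx.Log, "open:", tx.Open())
}
```

With the real library the fn body is where the RuleSet(index) lookups and rule edits go; keeping them inside the closure is what guarantees that a parse error in ParseSource or ParseDestination rolls the whole change back instead of leaving a half-loaded ruleset and a held ticket.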