pfctl 0.7.0

Library for interfacing with the Packet Filter (PF) firewall on macOS
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

// Copyright 2025 Mullvad VPN AB.
//
// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
// option. This file may not be copied, modified, or distributed
// except according to those terms.

use crate::{NatEndpoint, ffi};

/// Enum describing what should happen to a packet that matches a filter rule.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum FilterRuleAction {
    Pass,
    Drop(DropAction),
}

/// Action to take for [`FilterRuleAction::Drop`].
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum DropAction {
    /// Silently drop the packet.
    Drop,
    /// Return a TCP RST or ICMP reject packet.
    Return,
    /// Return a TCP RST packet.
    ReturnRst,
    /// Return an ICMP reject packet.
    ReturnIcmp,
}

impl FilterRuleAction {
    pub fn rule_flags(&self) -> u32 {
        match *self {
            FilterRuleAction::Pass => 0u32,
            FilterRuleAction::Drop(action) => action.into(),
        }
    }
}

impl From<FilterRuleAction> for u8 {
    fn from(rule_action: FilterRuleAction) -> Self {
        match rule_action {
            FilterRuleAction::Pass => ffi::pfvar::PF_PASS as u8,
            FilterRuleAction::Drop(_) => ffi::pfvar::PF_DROP as u8,
        }
    }
}

impl From<DropAction> for u32 {
    fn from(drop_action: DropAction) -> Self {
        use crate::ffi::pfvar::*;
        match drop_action {
            DropAction::Drop => PFRULE_DROP,
            DropAction::Return => PFRULE_RETURN,
            DropAction::ReturnRst => PFRULE_RETURNRST,
            DropAction::ReturnIcmp => PFRULE_RETURNICMP,
        }
    }
}

/// Enum describing what should happen to a packet that matches a NAT rule.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum NatRuleAction {
    Nat { nat_to: NatEndpoint },
    NoNat,
}

impl From<NatRuleAction> for u8 {
    fn from(rule_action: NatRuleAction) -> Self {
        match rule_action {
            NatRuleAction::Nat { .. } => ffi::pfvar::PF_NAT as u8,
            NatRuleAction::NoNat => ffi::pfvar::PF_NONAT as u8,
        }
    }
}

/// Enum describing what should happen to a packet that matches a redirect rule.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum RedirectRuleAction {
    Redirect,
    NoRedirect,
}

impl From<RedirectRuleAction> for u8 {
    fn from(rule_action: RedirectRuleAction) -> Self {
        match rule_action {
            RedirectRuleAction::Redirect => ffi::pfvar::PF_RDR as u8,
            RedirectRuleAction::NoRedirect => ffi::pfvar::PF_NORDR as u8,
        }
    }
}

/// Enum describing what should happen to a packet that matches a scrub rule.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum ScrubRuleAction {
    Scrub,
    NoScrub,
}

impl From<ScrubRuleAction> for u8 {
    fn from(rule_action: ScrubRuleAction) -> Self {
        match rule_action {
            ScrubRuleAction::Scrub => ffi::pfvar::PF_SCRUB as u8,
            ScrubRuleAction::NoScrub => ffi::pfvar::PF_NOSCRUB as u8,
        }
    }
}