pfctl 0.7.0

Library for interfacing with the Packet Filter (PF) firewall on macOS
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104

#[macro_use]
#[allow(dead_code)]
mod helper;

use crate::helper::pfcli;
use assert_matches::assert_matches;
use std::net::{Ipv4Addr, Ipv6Addr};

static ANCHOR_NAME: &str = "pfctl-rs.integration.testing.nat-rules";

fn nat_rule(dest: pfctl::Ip, nat_to: pfctl::Ip) -> pfctl::NatRule {
    pfctl::NatRuleBuilder::default()
        .action(pfctl::NatRuleAction::Nat {
            nat_to: nat_to.into(),
        })
        .to(pfctl::Endpoint::new(dest, 1234))
        .build()
        .unwrap()
}

fn nat_rule_ipv4() -> pfctl::NatRule {
    nat_rule(
        pfctl::Ip::from(Ipv4Addr::new(127, 0, 0, 1)),
        pfctl::Ip::from(Ipv4Addr::new(127, 0, 0, 2)),
    )
}

fn nat_rule_ipv6() -> pfctl::NatRule {
    nat_rule(
        pfctl::Ip::from(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)),
        pfctl::Ip::from(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 2)),
    )
}

fn nonat_rule(dest: pfctl::Ip) -> pfctl::NatRule {
    pfctl::NatRuleBuilder::default()
        .action(pfctl::NatRuleAction::NoNat)
        .to(pfctl::Endpoint::new(dest, 1234))
        .build()
        .unwrap()
}

fn nonat_rule_ipv4() -> pfctl::NatRule {
    nonat_rule(pfctl::Ip::from(Ipv4Addr::new(127, 0, 0, 1)))
}

fn nonat_rule_ipv6() -> pfctl::NatRule {
    nonat_rule(pfctl::Ip::from(Ipv6Addr::new(0, 0, 0, 0, 0, 0, 0, 1)))
}

fn before_each() {
    pfctl::PfCtl::new()
        .unwrap()
        .try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Nat)
        .unwrap();
}

fn after_each() {
    pfcli::flush_rules(ANCHOR_NAME, pfcli::FlushOptions::Nat);
    pfctl::PfCtl::new()
        .unwrap()
        .try_remove_anchor(ANCHOR_NAME, pfctl::AnchorKind::Nat)
        .unwrap();
}

test!(add_nat_rule_ipv4 {
    let mut pf = pfctl::PfCtl::new().unwrap();
    let rule = nat_rule_ipv4();
    assert_matches!(pf.add_nat_rule(ANCHOR_NAME, &rule), Ok(()));
    assert_eq!(
        pfcli::get_nat_rules(ANCHOR_NAME),
        &["nat inet from any to 127.0.0.1 port = 1234 -> 127.0.0.2"]
    );
});

test!(add_nat_rule_ipv6 {
    let mut pf = pfctl::PfCtl::new().unwrap();
    let rule = nat_rule_ipv6();
    assert_matches!(pf.add_nat_rule(ANCHOR_NAME, &rule), Ok(()));
    assert_eq!(
        pfcli::get_nat_rules(ANCHOR_NAME),
        &["nat inet6 from any to ::1 port = 1234 -> ::2"]
    );
});

test!(add_nonat_rule_ipv4 {
    let mut pf = pfctl::PfCtl::new().unwrap();
    let rule = nonat_rule_ipv4();
    assert_matches!(pf.add_nat_rule(ANCHOR_NAME, &rule), Ok(()));
    assert_eq!(
        pfcli::get_nat_rules(ANCHOR_NAME),
        &["no nat inet from any to 127.0.0.1 port = 1234"]
    );
});

test!(add_nonat_rule_ipv6 {
    let mut pf = pfctl::PfCtl::new().unwrap();
    let rule = nonat_rule_ipv6();
    assert_matches!(pf.add_nat_rule(ANCHOR_NAME, &rule), Ok(()));
    assert_eq!(
        pfcli::get_nat_rules(ANCHOR_NAME),
        &["no nat inet6 from any to ::1 port = 1234"]
    );
});