Library for interfacing with the Packet Filter (PF) firewall on macOS.
Allows controlling the PF firewall on macOS through ioctl syscalls and the /dev/pf
device.
Opening /dev/pf for reading and writing requires root privileges. Any program using this crate must therefore run as the superuser; otherwise creating the PfCtl instance fails with a "Permission denied" error.
§OS Compatibility
PF is the firewall used in most (all?) BSD systems, but this crate only supports the macOS variant for now. If it can be made to work on more BSD systems that would be great, but no work has been put into that so far.
§Usage and examples
Many examples of how to use the various features of this crate can be found in the crate's integration tests and examples.
Here is a simple example showing how to enable the firewall and add a packet filtering rule:
```rust
extern crate pfctl;

fn main() {
    // Create a PfCtl instance to control PF with. This opens /dev/pf and
    // fails with "Permission denied" unless the process runs as root:
    let mut pf = pfctl::PfCtl::new().unwrap();

    // Enable the firewall, equivalent to the command "pfctl -e":
    pf.try_enable().unwrap();

    // Add an anchor rule for packet filtering rules into PF. This will fail if it
    // already exists, use `try_add_anchor` to avoid that:
    let anchor_name = "testing-out-pfctl";
    pf.add_anchor(anchor_name, pfctl::AnchorKind::Filter).unwrap();

    // Create a packet filtering rule matching all packets on the "lo0" interface
    // and allowing them to pass:
    let rule = pfctl::FilterRuleBuilder::default()
        .action(pfctl::FilterRuleAction::Pass)
        .interface("lo0")
        .build()
        .unwrap();

    // Add the filtering rule to the anchor we just created.
    pf.add_rule(anchor_name, &rule).unwrap();
}
```
Re-exports§
pub use ipnetwork;
Structs§
- AnchorChange - Describes a manipulation of one anchor's rules, allowing targeted changes within that anchor. The rules set on this structure replace the active rules of that kind when the transaction commits. Not setting a rule kind leaves its active rules untouched by the transaction; setting an empty vector for a rule kind removes all active rules of that kind.
- Endpoint
- Error
- FilterRule
- FilterRuleBuilder - Builder for FilterRule.
- Gid
- InterfaceName
- NatEndpoint
- NatRule
- NatRuleBuilder - Builder for NatRule.
- PfCtl - Struct communicating with the PF firewall.
- PoolAddr
- PoolAddrList - Represents a list of IPs used to set up a table of addresses for traffic redirection in PF.
- RedirectRule
- RedirectRuleBuilder - Builder for RedirectRule.
- RuleLogSet
- ScrubRule
- ScrubRuleBuilder - Builder for ScrubRule.
- State - PF connection state created by a stateful rule.
- TcpFlagSet
- TcpFlags
- Transaction - Structure that allows manipulating rules in batches.
- Uid
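The three-way distinction in the AnchorChange description (field not set, field set to an empty vector, field set to rules) is the part of this API that bites in practice: a change built from a Vec that happens to be empty silently flushes every rule of that kind, while a change that never touches a kind leaves stale rules in place. The following is an added example, not code from the pfctl crate: a dependency-free Rust model of how such a change merges into an anchor's active rules, so it runs without root or /dev/pf. The names `ActiveRules`, `Change` and `apply_change` are hypothetical stand-ins for the crate's AnchorChange and Transaction, and rules are plain strings rather than the crate's rule structs.

```rust
/// Active rules of one anchor, one list per rule kind the crate knows about
/// (filter, NAT, redirect, scrub). Rules are plain strings in this model;
/// in the crate they are FilterRule, NatRule, RedirectRule and ScrubRule.
#[derive(Clone, Debug, PartialEq, Default)]
struct ActiveRules {
    filter: Vec<String>,
    nat: Vec<String>,
    redirect: Vec<String>,
    scrub: Vec<String>,
}

/// Hypothetical model of the AnchorChange semantics. Each field is three-valued:
/// None          -> leave that rule kind untouched
/// Some(vec![])  -> remove every active rule of that kind
/// Some(rules)   -> replace the active rules of that kind with `rules`
#[derive(Clone, Debug, Default)]
struct Change {
    filter: Option<Vec<String>>,
    nat: Option<Vec<String>>,
    redirect: Option<Vec<String>>,
    scrub: Option<Vec<String>>,
}

/// Merge one rule kind: an unset change keeps the active list, a set change
/// (empty or not) replaces it wholesale.
fn merge(active: &[String], change: &Option<Vec<String>>) -> Vec<String> {
    match change {
        None => active.to_vec(),
        Some(rules) => rules.clone(),
    }
}

/// Apply a change to the active rules of one anchor, returning the new state
/// as it would look after the transaction commits.
fn apply_change(active: &ActiveRules, change: &Change) -> ActiveRules {
    ActiveRules {
        filter: merge(&active.filter, &change.filter),
        nat: merge(&active.nat, &change.nat),
        redirect: merge(&active.redirect, &change.redirect),
        scrub: merge(&active.scrub, &change.scrub),
    }
}

/// Constructed starting state: one filter rule and one NAT rule are active.
fn sample_active() -> ActiveRules {
    ActiveRules {
        filter: vec!["pass on lo0".to_string()],
        nat: vec!["nat on en0 from 10.0.0.0/24 to any -> (en0)".to_string()],
        ..ActiveRules::default()
    }
}

/// Case 1: only the filter rules are set, so the NAT rule survives untouched.
fn replace_filter_only() -> ActiveRules {
    let change = Change {
        filter: Some(vec!["block drop in on en0".to_string()]),
        ..Change::default()
    };
    apply_change(&sample_active(), &change)
}

/// Case 2: an explicitly empty NAT list removes the NAT rules, while the
/// filter rule is kept because that field was never set.
fn remove_nat_only() -> ActiveRules {
    let change = Change { nat: Some(Vec::new()), ..Change::default() };
    apply_change(&sample_active(), &change)
}

/// Case 3: a change with nothing set is a no-op transaction.
fn noop() -> ActiveRules {
    apply_change(&sample_active(), &Change::default())
}

fn main() {
    println!("replace filter only: {:?}", replace_filter_only());
    println!("remove nat only:     {:?}", remove_nat_only());
    println!("no-op:               {:?}", noop());
}
```

When using the real crate, the same three outcomes come from whether a rule kind is set on the AnchorChange at all and whether the vector passed is empty; if you assemble the vector from user input or a config file, check for the empty case deliberately rather than letting it flush the anchor by accident.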
Enums§
- AddrFamily
- AnchorKind - Enum describing the kinds of anchors.
- Direction - Enum describing matching of a rule against packet flow direction.
- DropAction - Action to take for FilterRuleAction::Drop.
- ErrorKind
- FilterRuleAction - Enum describing what should happen to a packet that matches a filter rule.
- Icmp6Type - Values for the type field in ICMPv6 packets.
- IcmpTimexCode - ICMP code fields for time exceeded ICMP packets (IcmpType::Timex).
- IcmpType - ICMP type (and code). Used to match a rule against an ICMP packet's type and code fields.
- IcmpUnreachCode - ICMP code fields for destination unreachable ICMP packets (IcmpType::Unreach).
- Id
- IdRangeModifier
- IdUnaryModifier
- Interface
- Ip
- NatRuleAction - Enum describing what should happen to a packet that matches a NAT rule.
- Port
- PortRangeModifier
- PortUnaryModifier
- Proto
- RedirectRuleAction - Enum describing what should happen to a packet that matches a redirect rule.
- Route
- RuleLog - Enum describing logging options.
- RulesetKind - Enum describing the kinds of rulesets.
- ScrubRuleAction - Enum describing what should happen to a packet that matches a scrub rule.
- StatePolicy
- TcpFlag