adds limit get/set func

go-freebsd · Mar 21, 2017 · a7b1fc6 · a7b1fc6
1 parent 87bfb73
commit a7b1fc6
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 0 deletions.
diff --git a/limit.go b/limit.go
@@ -0,0 +1,19 @@
+package pf
+
+// #include <net/if.h>
+// #include <net/pfvar.h>
+import "C"
+
+// Limit represents a hard packet filter limit
+type Limit int
+
+const (
+	// LimitStates limits the number of pf states
+	LimitStates Limit = C.PF_LIMIT_STATES
+	// LimitSourceNodes limits the number of pf source nodes
+	LimitSourceNodes Limit = C.PF_LIMIT_SRC_NODES
+	// LimitFragments limits the number of pf fragments
+	LimitFragments Limit = C.PF_LIMIT_FRAGS
+	// LimitTableEntries limits the number of addresses in a table
+	LimitTableEntries Limit = C.PF_LIMIT_TABLE_ENTRIES
+)
diff --git a/pf.go b/pf.go
@@ -174,6 +174,29 @@ func (file Handle) SetTimeout(t Timeout, d time.Duration) error {
 	return nil
 }
 
+// Limit returns the currently configured limit for the memory pool
+func (file Handle) Limit(l Limit) (uint, error) {
+	var lm C.struct_pfioc_limit
+	lm.index = C.int(l)
+	err := file.ioctl(C.DIOCGETLIMIT, unsafe.Pointer(&lm))
+	if err != nil {
+		return uint(0), fmt.Errorf("DIOCGETLIMIT: %s", err)
+	}
+	return uint(lm.limit), nil
+}
+
+// SetLimit sets hard limits on the memory pools used by the packet filter
+func (file Handle) SetLimit(l Limit, limit uint) error {
+	var lm C.struct_pfioc_limit
+	lm.index = C.int(l)
+	lm.limit = C.uint(limit)
+	err := file.ioctl(C.DIOCSETLIMIT, unsafe.Pointer(&lm))
+	if err != nil {
+		return fmt.Errorf("DIOCSETLIMIT: %s", err)
+	}
+	return nil
+}
+
 // Timeout returns the currently configured timeout duration
 func (file Handle) Timeout(t Timeout) (time.Duration, error) {
 	var tm C.struct_pfioc_tm

diff --git a/pf_test.go b/pf_test.go
@@ -113,6 +113,25 @@ func TestTimeouts(t *testing.T) {
 	assert.Equal(t, time.Hour*24, d)
 }
 
+func TestLimits(t *testing.T) {
+	oldLimit, err := pfh.Limit(LimitTableEntries)
+	assert.NoError(t, err)
+
+	err = pfh.SetLimit(LimitTableEntries, 512*1024*1024)
+	assert.NoError(t, err)
+
+	limit, err := pfh.Limit(LimitTableEntries)
+	assert.NoError(t, err)
+	assert.Equal(t, uint(512*1024*1024), limit)
+
+	err = pfh.SetLimit(LimitTableEntries, oldLimit)
+	assert.NoError(t, err)
+
+	limit, err = pfh.Limit(LimitTableEntries)
+	assert.NoError(t, err)
+	assert.Equal(t, oldLimit, limit)
+}
+
 func TestRule(t *testing.T) {
 	// invalid ticket
 	assert.Error(t, pfh.Rule(0, 0, nil))