Add examples for scrubbing

mullvad · Sep 3, 2024 · 28e0dd2 · 28e0dd2
1 parent 019fc08
commit 28e0dd2
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 2 deletions.
diff --git a/examples/add_anchor.rs b/examples/add_anchor.rs
@@ -17,7 +17,9 @@ fn main() {
             .expect("Unable to add filter anchor");
         pf.try_add_anchor(&anchor_name, pfctl::AnchorKind::Redirect)
             .expect("Unable to add redirect anchor");
+        pf.try_add_anchor(&anchor_name, pfctl::AnchorKind::Scrub)
+            .expect("Unable to add scrub anchor");
 
-        println!("Added {} as both a redirect and filter anchor", anchor_name);
+        println!("Added {} as every anchor type", anchor_name);
     }
 }
diff --git a/examples/add_rules.rs b/examples/add_rules.rs
@@ -6,7 +6,7 @@
 // option. This file may not be copied, modified, or distributed
 // except according to those terms.
 
-use pfctl::{ipnetwork, FilterRuleBuilder, PfCtl, RedirectRuleBuilder};
+use pfctl::{ipnetwork, FilterRuleBuilder, PfCtl, RedirectRuleBuilder, ScrubRuleBuilder};
 use std::net::Ipv4Addr;
 
 static ANCHOR_NAME: &str = "test.anchor";
@@ -87,6 +87,11 @@ fn main() {
         .build()
         .unwrap();
 
+    let scrub_rule = ScrubRuleBuilder::default()
+        .action(pfctl::ScrubRuleAction::Scrub)
+        .build()
+        .unwrap();
+
     // Add the rules to the test anchor
     pf.add_rule(ANCHOR_NAME, &pass_all_rule)
         .expect("Unable to add rule");
@@ -106,6 +111,8 @@ fn main() {
         .expect("Unable to add rule");
     pf.add_redirect_rule(ANCHOR_NAME, &redirect_incoming_tcp_from_port_3000_to_4000)
         .expect("Unable to add redirect rule");
+    pf.add_scrub_rule(ANCHOR_NAME, &scrub_rule)
+        .expect("Unable to add scrub rule");
 
     println!("Added a bunch of rules to the {} anchor.", ANCHOR_NAME);
     println!("Run this command to remove them:");

diff --git a/examples/flush_rules.rs b/examples/flush_rules.rs
@@ -20,5 +20,9 @@ fn main() {
         pf.flush_rules(&anchor_name, pfctl::RulesetKind::Redirect)
             .expect("Unable to flush redirect rules");
         println!("Flushed redirect rules under anchor {}", anchor_name);
+
+        pf.flush_rules(&anchor_name, pfctl::RulesetKind::Scrub)
+            .expect("Unable to flush scrub rules");
+        println!("Flushed scrub rules under anchor {}", anchor_name);
     }
 }
diff --git a/examples/transaction.rs b/examples/transaction.rs
@@ -17,6 +17,8 @@ fn main() {
         .expect("Unable to add test filter anchor");
     pf.try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Redirect)
         .expect("Unable to add test redirect anchor");
+    pf.try_add_anchor(ANCHOR_NAME, pfctl::AnchorKind::Scrub)
+        .expect("Unable to add test scrub anchor");
 
     // Create some firewall rules that we want to set in one atomic transaction.
     let trans_rule1 = pfctl::FilterRuleBuilder::default()
@@ -36,11 +38,16 @@ fn main() {
         .redirect_to(pfctl::Port::from(1338))
         .build()
         .unwrap();
+    let trans_rule4 = pfctl::ScrubRuleBuilder::default()
+        .action(pfctl::ScrubRuleAction::Scrub)
+        .build()
+        .unwrap();
 
     // Create a transaction changeset and add the rules to it.
     let mut trans_change = pfctl::AnchorChange::new();
     trans_change.set_filter_rules(vec![trans_rule1, trans_rule2]);
     trans_change.set_redirect_rules(vec![trans_rule3]);
+    trans_change.set_scrub_rules(vec![trans_rule4]);
 
     // Execute the transaction. This will OVERWRITE any existing rules under this anchor as it's
     // a set operation, not an add operation.