1c1
< .\" $OpenBSD: pfctl.8,v 1.118 2005/01/05 23:41:45 jmc Exp $
---
> .\" $OpenBSD: pfctl.8,v 1.128 2007/01/30 21:01:56 jmc Exp $
27c27
< .\" $FreeBSD: head/contrib/pf/pfctl/pfctl.8 148011 2005-07-14 20:29:08Z brueffer $
---
> .\" $FreeBSD: head/contrib/pf/pfctl/pfctl.8 171172 2007-07-03 12:30:03Z mlaier $
38c38
< .Op Fl AdeghmNnOoqRrvz
---
> .Op Fl AdeghmNnOqRrvz
40,43c40,41
< .Xo
< .Oo Fl D
< .Ar macro Ns = Ns Ar value Oc
< .Xc
---
> .Oo Fl D Ar macro Ns =
> .Ar value Oc
47c45,47
< .Op Fl k Ar host
---
> .Op Fl K Ar host | network
> .Op Fl k Ar host | network
> .Op Fl o Op Ar level
50c50
< .Oo Xo
---
> .Oo
53,54c53,54
< .Op Ar address ... Oc
< .Xc
---
> .Op Ar address ...
> .Oc
143,144c143,146
< .Li authpf/smith(1234) ,
< which would have been created for user smith by
---
> .Dq authpf/smith(1234) ,
> which would have been created for user
> .Dq smith
> by
165a168,188
> .Pp
> By default, recursive inline printing of anchors applies only to unnamed
> anchors specified inline in the ruleset.
> If the anchor name is terminated with a
> .Sq *
> character, the
> .Fl s
> flag will recursively print all anchors in a brace delimited block.
> For example the following will print the
> .Dq authpf
> ruleset recursively:
> .Bd -literal -offset indent
> # pfctl -a 'authpf/*' -sr
> .Ed
> .Pp
> To print the main ruleset recursively, specify only
> .Sq *
> as the anchor name:
> .Bd -literal -offset indent
> # pfctl -a '*' -sr
> .Ed
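Review bot: the new anchor paragraph never says that the trailing * must be quoted, although both examples quote it ('authpf/*' and '*'). An unquoted * is subject to shell filename expansion, so add a sentence telling the reader to quote the anchor name. Minor wording: "brace delimited" should be "brace-delimited", and "For example" needs a comma after it.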
220c243,254
< .It Fl k Ar host
---
> .It Fl K Ar host | network
> Kill all of the source tracking entries originating from the specified
> .Ar host
> or
> .Ar network .
> A second
> .Fl K Ar host
> or
> .Fl K Ar network
> option may be specified, which will kill all the source tracking
> entries from the first host/network to the second.
> .It Fl k Ar host | network
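Review bot: the new -K entry has no usage example, while -k carries several in the hunks that follow. The first sentence describes source tracking entries only by origin, so "from the first host/network to the second" is not self-explanatory here. Add a .Dl example for the single-argument form and one for the two-argument form, and say what the second argument matches against.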
222c256,258
< .Ar host .
---
> .Ar host
> or
> .Ar network .
224a261,262
> or
> .Fl k Ar network
226,229c264
< from the first
< .Ar host
< to the second
< .Ar host .
---
> from the first host/network to the second.
231,234c266
< .Li host :
< .Bd -literal -offset indent
< # pfctl -k host
< .Ed
---
> .Dq host :
235a268,269
> .Dl # pfctl -k host
> .Pp
237c271
< .Li host1
---
> .Dq host1
239,242c273,285
< .Li host2 :
< .Bd -literal -offset indent
< # pfctl -k host1 -k host2
< .Ed
---
> .Dq host2 :
> .Pp
> .Dl # pfctl -k host1 -k host2
> .Pp
> To kill all states originating from 192.168.1.0/24 to 172.16.0.0/16:
> .Pp
> .Dl # pfctl -k 192.168.1.0/24 -k 172.16.0.0/16
> .Pp
> A network prefix length of 0 can be used as a wildcard.
> To kill all states with the target
> .Dq host2 :
> .Pp
> .Dl # pfctl -k 0.0.0.0/0 -k host2
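Review bot: the wildcard example uses 0.0.0.0/0 only, and "A network prefix length of 0 can be used as a wildcard" does not say whether that also matches IPv6 states or whether ::/0 has to be given separately. Please state the address-family behaviour, so that someone clearing all states toward a host knows whether one command is enough.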
258,259c301,302
< .It Fl o
< Enable the ruleset optimizer.
---
> .It Fl o Op Ar level
> Control the ruleset optimizer.
262d304
< Specifically, it does four things:
263a306,317
> .Bl -tag -width xxxxxxxxxxxx -compact
> .It Fl o Cm none
> Disable the ruleset optimizer.
> .It Fl o Cm basic
> Enable basic ruleset optimizations.
> .It Fl o Cm profile
> Enable basic ruleset optimizations with profiling.
> .El
> .Pp
> .Cm basic
> optimization does does four things:
> .Pp
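Review bot: "optimization does does four things:" repeats "does"; drop one.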
275,278c329,332
< A second
< .Fl o
< may be specified to use the currently loaded ruleset as a feedback profile
< to tailor the optimization of the
---
> If
> .Cm profile
> is specified, the currently loaded ruleset will be examined as a feedback
> profile to tailor the optimization of the
290a345,352
> .Pp
> To retain compatibility with previous behaviour, a single
> .Fl o
> without any options will enable
> .Cm basic
> optimizations, and a second
> .Fl o
> will enable profiling.
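Review bot: "a single -o without any options" should read "without a level argument" or similar, since the synopsis names it level and none, basic and profile are arguments to -o rather than options. Because -o now takes an optional argument, it would also help to say here how the word following a bare -o is interpreted.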
355c417,418
< Show per-rule statistics (label, evaluations, packets, bytes) of
---
> Show per-rule statistics (label, evaluations, packets total, bytes total,
> packets in, bytes in, packets out, bytes out) of
367c430
< When used together with a double
---
> When used together with
368a432,434
> it additionally lists which interfaces have skip rules activated.
> When used together with
> .Fl vv ,
391a458,464
> .It Fl T Cm expire Ar number
> Delete addresses which had their statistics cleared more than
> .Ar number
> seconds ago.
> For entries which have never had their statistics cleared,
> .Ar number
> refers to the time they were added to the table.
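Review bot: "number refers to the time they were added to the table" mixes a duration with a point in time. number is a count of seconds, so say that for entries whose statistics were never cleared, the age is measured from when they were added to the table.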
468c541
< pass out to <test> keep state\en" | pfctl -f-
---
> pass out to <test>\en" | pfctl -f-
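Review bot: the example drops "keep state" from the pass rule with no accompanying text change in this hunk. If the rule is still meant to create state, say where that is now implied. If not, the example's behaviour has changed and the explanation around it should be checked against the new rule.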