pfctl.8 (130614) | pfctl.8 (145837) |
---|---|
1.\" $OpenBSD: pfctl.8,v 1.110 2004/03/20 09:31:42 david Exp $ | 1.\" $OpenBSD: pfctl.8,v 1.118 2005/01/05 23:41:45 jmc Exp $ |
2.\" 3.\" Copyright (c) 2001 Kjell Wooding. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. --- 18 unchanged lines hidden (view full) --- 28.Dt PFCTL 8 29.Os 30.Sh NAME 31.Nm pfctl 32.Nd "control the packet filter (PF) and network address translation (NAT) device" 33.Sh SYNOPSIS 34.Nm pfctl 35.Bk -words | 2.\" 3.\" Copyright (c) 2001 Kjell Wooding. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. --- 18 unchanged lines hidden (view full) --- 28.Dt PFCTL 8 29.Os 30.Sh NAME 31.Nm pfctl 32.Nd "control the packet filter (PF) and network address translation (NAT) device" 33.Sh SYNOPSIS 34.Nm pfctl 35.Bk -words |
36.Op Fl AdeghNnOqRrvz 37.Op Fl a Ar anchor Ns Op Ar :ruleset 38.Op Fl D Ar macro=value | 36.Op Fl AdeghmNnOoqRrvz 37.Op Fl a Ar anchor 38.Xo 39.Oo Fl D 40.Ar macro Ns = Ns Ar value Oc 41.Xc |
39.Op Fl F Ar modifier 40.Op Fl f Ar file 41.Op Fl i Ar interface 42.Op Fl k Ar host 43.Op Fl p Ar device 44.Op Fl s Ar modifier | 42.Op Fl F Ar modifier 43.Op Fl f Ar file 44.Op Fl i Ar interface 45.Op Fl k Ar host 46.Op Fl p Ar device 47.Op Fl s Ar modifier |
45.Op Fl T Ar command Op Ar address ... 46.Op Fl t Ar table | 48.Oo Xo 49.Fl t Ar table 50.Fl T Ar command 51.Op Ar address ... Oc 52.Xc |
47.Op Fl x Ar level 48.Ek 49.Sh DESCRIPTION 50The 51.Nm 52utility communicates with the packet filter device using the 53ioctl interface described in 54.Xr pf 4 . --- 12 unchanged lines hidden (view full) --- 67come from the gateway. 68Replacing destination addresses and ports of incoming packets 69is used to redirect connections to different hosts and/or ports. 70A combination of both translations, bidirectional NAT, is also 71supported. 72Translation rules are described in 73.Xr pf.conf 5 . 74.Pp | 53.Op Fl x Ar level 54.Ek 55.Sh DESCRIPTION 56The 57.Nm 58utility communicates with the packet filter device using the 59ioctl interface described in 60.Xr pf 4 . --- 12 unchanged lines hidden (view full) --- 73come from the gateway. 74Replacing destination addresses and ports of incoming packets 75is used to redirect connections to different hosts and/or ports. 76A combination of both translations, bidirectional NAT, is also 77supported. 78Translation rules are described in 79.Xr pf.conf 5 . 80.Pp |
75When the variable pf is set to YES in 76.Xr rc.conf 8 , 77the rule file specified with the variable pf_rules | 81When the variable 82.Va pf 83is set to 84.Dv YES 85in 86.Xr rc.conf.local 8 , 87the rule file specified with the variable 88.Va pf_rules |
78is loaded automatically by the 79.Xr rc 8 80scripts and the packet filter is enabled. 81.Pp 82The packet filter does not itself forward packets between interfaces. 83Forwarding can be enabled by setting the 84.Xr sysctl 8 85variables 86.Em net.inet.ip.forwarding 87and/or | 89is loaded automatically by the 90.Xr rc 8 91scripts and the packet filter is enabled. 92.Pp 93The packet filter does not itself forward packets between interfaces. 94Forwarding can be enabled by setting the 95.Xr sysctl 8 96variables 97.Em net.inet.ip.forwarding 98and/or |
88.Em net.inet6.ip6.forwarding , | 99.Em net.inet6.ip6.forwarding |
89to 1. 90Set them permanently in 91.Xr sysctl.conf 5 . 92.Pp 93The 94.Nm 95utility provides several commands. 96The options are as follows: 97.Bl -tag -width Ds 98.It Fl A 99Load only the queue rules present in the rule file. 100Other rules and options are ignored. | 100to 1. 101Set them permanently in 102.Xr sysctl.conf 5 . 103.Pp 104The 105.Nm 106utility provides several commands. 107The options are as follows: 108.Bl -tag -width Ds 109.It Fl A 110Load only the queue rules present in the rule file. 111Other rules and options are ignored. |
101.It Fl a Ar anchor Ns Op Ar :ruleset | 112.It Fl a Ar anchor |
102Apply flags 103.Fl f , | 113Apply flags 114.Fl f , |
104.Fl F | 115.Fl F , |
105and 106.Fl s 107only to the rules in the specified | 116and 117.Fl s 118only to the rules in the specified |
108.Ar anchor 109and optional named ruleset 110.Ar ruleset . | 119.Ar anchor . |
111In addition to the main ruleset, 112.Nm | 120In addition to the main ruleset, 121.Nm |
113can load and manipulate additional rulesets by name. 114Named rulesets are attached at 115.Ar anchor 116points, which are also referenced by name. | 122can load and manipulate additional rulesets by name, 123called anchors. 124The main ruleset is the default anchor. 125.Pp 126Anchors are referenced by name and may be nested, 127with the various components of the anchor path separated by 128.Sq / 129characters, similar to how file system hierarchies are laid out. 130The last component of the anchor path is where ruleset operations are 131performed. 132.Pp |
117Evaluation of 118.Ar anchor 119rules from the main ruleset is described in 120.Xr pf.conf 5 . | 133Evaluation of 134.Ar anchor 135rules from the main ruleset is described in 136.Xr pf.conf 5 . |
121For example, to show all filter rules inside anchor 122.Li foo : | 137.Pp 138For example, the following will show all filter rules (see the 139.Fl s 140flag below) inside the anchor 141.Li authpf/smith(1234) , 142which would have been created for user smith by 143.Xr authpf 8 , 144PID 1234: |
123.Bd -literal -offset indent | 145.Bd -literal -offset indent |
124# pfctl -a foo -s rules | 146# pfctl -a "authpf/smith(1234)" -s rules |
125.Ed 126.Pp | 147.Ed 148.Pp |
127Private tables can also be put inside subrulesets, either by having table | 149Private tables can also be put inside anchors, either by having table |
128statements in the 129.Xr pf.conf 5 | 150statements in the 151.Xr pf.conf 5 |
130file that is loaded in the anchor, or by using regular table commands as in: | 152file that is loaded in the anchor, or by using regular table commands, as in: |
131.Bd -literal -offset indent | 153.Bd -literal -offset indent |
132# pfctl -a foo:bar -t mytable -T add 1.2.3.4 5.6.7.8 | 154# pfctl -a foo/bar -t mytable -T add 1.2.3.4 5.6.7.8 |
133.Ed 134.Pp 135When a rule referring to a table is loaded in an anchor, the rule will use the | 155.Ed 156.Pp 157When a rule referring to a table is loaded in an anchor, the rule will use the |
136private table if one is defined, and then fallback to the table defined in the | 158private table if one is defined, and then fall back to the table defined in the |
137main ruleset, if there is one. | 159main ruleset, if there is one. |
138This is similar to C rules for variables. | 160This is similar to C rules for variable scope. |
139It is possible to create distinct tables with the same name in the global 140ruleset and in an anchor, but this is often bad design and a warning will be 141issued in that case. | 161It is possible to create distinct tables with the same name in the global 162ruleset and in an anchor, but this is often bad design and a warning will be 163issued in that case. |
142.It Fl D Ar macro=value | 164.It Fl D Ar macro Ns = Ns Ar value |
143Define 144.Ar macro 145to be set to 146.Ar value 147on the command line. 148Overrides the definition of 149.Ar macro 150in the ruleset. 151.It Fl d 152Disable the packet filter. 153.It Fl e 154Enable the packet filter. 155.It Fl F Ar modifier 156Flush the filter parameters specified by 157.Ar modifier 158(may be abbreviated): 159.Pp 160.Bl -tag -width xxxxxxxxxxxx -compact | 165Define 166.Ar macro 167to be set to 168.Ar value 169on the command line. 170Overrides the definition of 171.Ar macro 172in the ruleset. 173.It Fl d 174Disable the packet filter. 175.It Fl e 176Enable the packet filter. 177.It Fl F Ar modifier 178Flush the filter parameters specified by 179.Ar modifier 180(may be abbreviated): 181.Pp 182.Bl -tag -width xxxxxxxxxxxx -compact |
161.It Fl F Ar nat | 183.It Fl F Cm nat |
162Flush the NAT rules. | 184Flush the NAT rules. |
163.It Fl F Ar queue | 185.It Fl F Cm queue |
164Flush the queue rules. | 186Flush the queue rules. |
165.It Fl F Ar rules | 187.It Fl F Cm rules |
166Flush the filter rules. | 188Flush the filter rules. |
167.It Fl F Ar state | 189.It Fl F Cm state |
168Flush the state table (NAT and filter). | 190Flush the state table (NAT and filter). |
169.It Fl F Ar Sources | 191.It Fl F Cm Sources |
170Flush the source tracking table. | 192Flush the source tracking table. |
171.It Fl F Ar info | 193.It Fl F Cm info |
172Flush the filter information (statistics that are not bound to rules). | 194Flush the filter information (statistics that are not bound to rules). |
173.It Fl F Ar Tables | 195.It Fl F Cm Tables |
174Flush the tables. | 196Flush the tables. |
175.It Fl F Ar osfp | 197.It Fl F Cm osfp |
176Flush the passive operating system fingerprints. | 198Flush the passive operating system fingerprints. |
177.It Fl F Ar all | 199.It Fl F Cm all |
178Flush all of the above. 179.El 180.It Fl f Ar file 181Load the rules contained in 182.Ar file . 183This 184.Ar file 185may contain macros, tables, options, and normalization, queueing, --- 25 unchanged lines hidden (view full) --- 211.Pp 212To kill all of the state entries from 213.Li host1 214to 215.Li host2 : 216.Bd -literal -offset indent 217# pfctl -k host1 -k host2 218.Ed | 200Flush all of the above. 201.El 202.It Fl f Ar file 203Load the rules contained in 204.Ar file . 205This 206.Ar file 207may contain macros, tables, options, and normalization, queueing, --- 25 unchanged lines hidden (view full) --- 233.Pp 234To kill all of the state entries from 235.Li host1 236to 237.Li host2 : 238.Bd -literal -offset indent 239# pfctl -k host1 -k host2 240.Ed |
241.It Fl m 242Merge in explicitly given options without resetting those 243which are omitted. 244Allows single options to be modified without disturbing the others: 245.Bd -literal -offset indent 246# echo "set loginterface fxp0" | pfctl -mf - 247.Ed |
219.It Fl N 220Load only the NAT rules present in the rule file. 221Other rules and options are ignored. 222.It Fl n 223Do not actually load rules, just parse them. 224.It Fl O 225Load only the options present in the rule file. 226Other rules and options are ignored. | 248.It Fl N 249Load only the NAT rules present in the rule file. 250Other rules and options are ignored. 251.It Fl n 252Do not actually load rules, just parse them. 253.It Fl O 254Load only the options present in the rule file. 255Other rules and options are ignored. |
256.It Fl o 257Enable the ruleset optimizer. 258The ruleset optimizer attempts to improve rulesets by removing rule 259duplication and making better use of rule ordering. 260Specifically, it does four things: 261.Pp 262.Bl -enum -compact 263.It 264remove duplicate rules 265.It 266remove rules that are a subset of another rule 267.It 268combine multiple rules into a table when advantageous 269.It 270re-order the rules to improve evaluation performance 271.El 272.Pp 273A second 274.Fl o 275may be specified to use the currently loaded ruleset as a feedback profile 276to tailor the optimization of the 277.Ar quick 278rules to the actual network behavior. 279.Pp 280It is important to note that the ruleset optimizer will modify the ruleset 281to improve performance. 282A side effect of the ruleset modification is that per-rule accounting 283statistics will have different meanings than before. 284If per-rule accounting is important for billing purposes or whatnot, either 285the ruleset optimizer should not be used or a 286.Ar label 287field should be added to all of the accounting rules to act as optimization 288barriers. |
227.It Fl p Ar device 228Use the device file 229.Ar device 230instead of the default 231.Pa /dev/pf . 232.It Fl q 233Only print errors and warnings. 234.It Fl R 235Load only the filter rules present in the rule file. 236Other rules and options are ignored. 237.It Fl r 238Perform reverse DNS lookups on states when displaying them. 239.It Fl s Ar modifier 240Show the filter parameters specified by 241.Ar modifier 242(may be abbreviated): 243.Pp 244.Bl -tag -width xxxxxxxxxxxxx -compact | 289.It Fl p Ar device 290Use the device file 291.Ar device 292instead of the default 293.Pa /dev/pf . 294.It Fl q 295Only print errors and warnings. 296.It Fl R 297Load only the filter rules present in the rule file. 298Other rules and options are ignored. 299.It Fl r 300Perform reverse DNS lookups on states when displaying them. 301.It Fl s Ar modifier 302Show the filter parameters specified by 303.Ar modifier 304(may be abbreviated): 305.Pp 306.Bl -tag -width xxxxxxxxxxxxx -compact |
245.It Fl s Ar nat | 307.It Fl s Cm nat |
246Show the currently loaded NAT rules. | 308Show the currently loaded NAT rules. |
247.It Fl s Ar queue | 309.It Fl s Cm queue |
248Show the currently loaded queue rules. 249When used together with 250.Fl v , 251per-queue statistics are also shown. 252When used together with 253.Fl v v , 254.Nm 255will loop and show updated queue statistics every five seconds, including 256measured bandwidth and packets per second. | 310Show the currently loaded queue rules. 311When used together with 312.Fl v , 313per-queue statistics are also shown. 314When used together with 315.Fl v v , 316.Nm 317will loop and show updated queue statistics every five seconds, including 318measured bandwidth and packets per second. |
257.It Fl s Ar rules | 319.It Fl s Cm rules |
258Show the currently loaded filter rules. 259When used together with 260.Fl v , 261the per-rule statistics (number of evaluations, 262packets and bytes) are also shown. | 320Show the currently loaded filter rules. 321When used together with 322.Fl v , 323the per-rule statistics (number of evaluations, 324packets and bytes) are also shown. |
263Note that the 'skip step' optimization done automatically by the kernel | 325Note that the 326.Dq skip step 327optimization done automatically by the kernel |
264will skip evaluation of rules where possible. 265Packets passed statefully are counted in the rule that created the state 266(even though the rule isn't evaluated more than once for the entire 267connection). | 328will skip evaluation of rules where possible. 329Packets passed statefully are counted in the rule that created the state 330(even though the rule isn't evaluated more than once for the entire 331connection). |
268.It Fl s Ar Anchors 269Show the currently loaded anchors. | 332.It Fl s Cm Anchors 333Show the currently loaded anchors directly attached to the main ruleset. |
270If 271.Fl a Ar anchor | 334If 335.Fl a Ar anchor |
272is specified as well, the named rulesets currently loaded in the specified 273anchor are shown instead. 274.It Fl s Ar state | 336is specified as well, the anchors loaded directly below the given 337.Ar anchor 338are shown instead. 339If 340.Fl v 341is specified, all anchors attached under the target anchor will be 342displayed recursively. 343.It Fl s Cm state |
275Show the contents of the state table. | 344Show the contents of the state table. |
276.It Fl s Ar Sources | 345.It Fl s Cm Sources |
277Show the contents of the source tracking table. | 346Show the contents of the source tracking table. |
278.It Fl s Ar info | 347.It Fl s Cm info |
279Show filter information (statistics and counters). 280When used together with 281.Fl v , 282source tracking statistics are also shown. | 348Show filter information (statistics and counters). 349When used together with 350.Fl v , 351source tracking statistics are also shown. |
283.It Fl s Ar labels | 352.It Fl s Cm labels |
284Show per-rule statistics (label, evaluations, packets, bytes) of 285filter rules with labels, useful for accounting. | 353Show per-rule statistics (label, evaluations, packets, bytes) of 354filter rules with labels, useful for accounting. |
286.It Fl s Ar timeouts | 355.It Fl s Cm timeouts |
287Show the current global timeouts. | 356Show the current global timeouts. |
288.It Fl s Ar memory | 357.It Fl s Cm memory |
289Show the current pool memory hard limits. | 358Show the current pool memory hard limits. |
290.It Fl s Ar Tables | 359.It Fl s Cm Tables |
291Show the list of tables. | 360Show the list of tables. |
292.It Fl s Ar osfp | 361.It Fl s Cm osfp |
293Show the list of operating system fingerprints. | 362Show the list of operating system fingerprints. |
294.It Fl s Ar Interfaces | 363.It Fl s Cm Interfaces |
295Show the list of interfaces and interface drivers available to PF. 296When used together with a double 297.Fl v , 298interface statistics are also shown. 299.Fl i 300can be used to select an interface or a group of interfaces. | 364Show the list of interfaces and interface drivers available to PF. 365When used together with a double 366.Fl v , 367interface statistics are also shown. 368.Fl i 369can be used to select an interface or a group of interfaces. |
301.It Fl s Ar all | 370.It Fl s Cm all |
302Show all of the above, except for the lists of interfaces and operating 303system fingerprints. 304.El 305.It Fl T Ar command Op Ar address ... 306Specify the 307.Ar command 308(may be abbreviated) to apply to the table. 309Commands include: 310.Pp 311.Bl -tag -width xxxxxxxxxxxx -compact | 371Show all of the above, except for the lists of interfaces and operating 372system fingerprints. 373.El 374.It Fl T Ar command Op Ar address ... 375Specify the 376.Ar command 377(may be abbreviated) to apply to the table. 378Commands include: 379.Pp 380.Bl -tag -width xxxxxxxxxxxx -compact |
312.It Fl T Ar kill | 381.It Fl T Cm kill |
313Kill a table. | 382Kill a table. |
314.It Fl T Ar flush | 383.It Fl T Cm flush |
315Flush all addresses of a table. | 384Flush all addresses of a table. |
316.It Fl T Ar add | 385.It Fl T Cm add |
317Add one or more addresses in a table. 318Automatically create a nonexisting table. | 386Add one or more addresses in a table. 387Automatically create a nonexisting table. |
319.It Fl T Ar delete | 388.It Fl T Cm delete |
320Delete one or more addresses from a table. | 389Delete one or more addresses from a table. |
321.It Fl T Ar replace | 390.It Fl T Cm replace |
322Replace the addresses of the table. 323Automatically create a nonexisting table. | 391Replace the addresses of the table. 392Automatically create a nonexisting table. |
324.It Fl T Ar show | 393.It Fl T Cm show |
325Show the content (addresses) of a table. | 394Show the content (addresses) of a table. |
326.It Fl T Ar test | 395.It Fl T Cm test |
327Test if the given addresses match a table. | 396Test if the given addresses match a table. |
328.It Fl T Ar zero | 397.It Fl T Cm zero |
329Clear all the statistics of a table. | 398Clear all the statistics of a table. |
330.It Fl T Ar load | 399.It Fl T Cm load |
331Load only the table definitions from 332.Xr pf.conf 5 . 333This is used in conjunction with the 334.Fl f 335flag, as in: 336.Bd -literal -offset indent 337# pfctl -Tl -f pf.conf 338.Ed 339.El 340.Pp 341For the | 400Load only the table definitions from 401.Xr pf.conf 5 . 402This is used in conjunction with the 403.Fl f 404flag, as in: 405.Bd -literal -offset indent 406# pfctl -Tl -f pf.conf 407.Ed 408.El 409.Pp 410For the |
342.Ar add , 343.Ar delete , 344.Ar replace | 411.Cm add , 412.Cm delete , 413.Cm replace , |
345and | 414and |
346.Ar test | 415.Cm test |
347commands, the list of addresses can be specified either directly on the command 348line and/or in an unformatted text file, using the 349.Fl f 350flag. | 416commands, the list of addresses can be specified either directly on the command 417line and/or in an unformatted text file, using the 418.Fl f 419flag. |
351Comments starting with a "#" are allowed in the text file. | 420Comments starting with a 421.Sq # 422are allowed in the text file. |
352With these commands, the 353.Fl v 354flag can also be used once or twice, in which case 355.Nm 356will print the 357detailed result of the operation for each individual address, prefixed by 358one of the following letters: 359.Pp 360.Bl -tag -width XXX -compact 361.It A 362The address/network has been added. 363.It C 364The address/network has been changed (negated). 365.It D 366The address/network has been deleted. 367.It M | 423With these commands, the 424.Fl v 425flag can also be used once or twice, in which case 426.Nm 427will print the 428detailed result of the operation for each individual address, prefixed by 429one of the following letters: 430.Pp 431.Bl -tag -width XXX -compact 432.It A 433The address/network has been added. 434.It C 435The address/network has been changed (negated). 436.It D 437The address/network has been deleted. 438.It M |
368The address matches (test operation only). | 439The address matches 440.Po 441.Cm test 442operation only 443.Pc . |
369.It X 370The address/network is duplicated and therefore ignored. 371.It Y | 444.It X 445The address/network is duplicated and therefore ignored. 446.It Y |
372The address/network cannot be added/deleted due to conflicting "!" attribute. | 447The address/network cannot be added/deleted due to conflicting 448.Sq \&! 449attributes. |
373.It Z 374The address/network has been cleared (statistics). 375.El 376.Pp 377Each table maintains a set of counters that can be retrieved using the 378.Fl v 379flag of 380.Nm . 381For example, the following commands define a wide open firewall which will keep 382track of packets going to or coming from the 383.Ox | 450.It Z 451The address/network has been cleared (statistics). 452.El 453.Pp 454Each table maintains a set of counters that can be retrieved using the 455.Fl v 456flag of 457.Nm . 458For example, the following commands define a wide open firewall which will keep 459track of packets going to or coming from the 460.Ox |
384ftp server. 385The following commands configure the firewall and send 10 pings to the ftp | 461FTP server. 462The following commands configure the firewall and send 10 pings to the FTP |
386server: 387.Bd -literal -offset indent 388# printf "table <test> { ftp.openbsd.org }\en \e 389 pass out to <test> keep state\en" | pfctl -f- 390# ping -qc10 ftp.openbsd.org 391.Ed 392.Pp 393We can now use the table | 463server: 464.Bd -literal -offset indent 465# printf "table <test> { ftp.openbsd.org }\en \e 466 pass out to <test> keep state\en" | pfctl -f- 467# ping -qc10 ftp.openbsd.org 468.Ed 469.Pp 470We can now use the table |
394.Ar show | 471.Cm show |
395command to output, for each address and packet direction, the number of packets 396and bytes that are being passed or blocked by rules referencing the table. 397The time at which the current accounting started is also shown with the | 472command to output, for each address and packet direction, the number of packets 473and bytes that are being passed or blocked by rules referencing the table. 474The time at which the current accounting started is also shown with the |
398.Ar Cleared | 475.Dq Cleared |
399line. 400.Bd -literal -offset indent 401# pfctl -t test -vTshow 402 129.128.5.191 403 Cleared: Thu Feb 13 18:55:18 2003 404 In/Block: [ Packets: 0 Bytes: 0 ] 405 In/Pass: [ Packets: 10 Bytes: 840 ] 406 Out/Block: [ Packets: 0 Bytes: 0 ] 407 Out/Pass: [ Packets: 10 Bytes: 840 ] 408.Ed 409.Pp 410Similarly, it is possible to view global information about the tables 411by using the 412.Fl v 413modifier twice and the | 476line. 477.Bd -literal -offset indent 478# pfctl -t test -vTshow 479 129.128.5.191 480 Cleared: Thu Feb 13 18:55:18 2003 481 In/Block: [ Packets: 0 Bytes: 0 ] 482 In/Pass: [ Packets: 10 Bytes: 840 ] 483 Out/Block: [ Packets: 0 Bytes: 0 ] 484 Out/Pass: [ Packets: 10 Bytes: 840 ] 485.Ed 486.Pp 487Similarly, it is possible to view global information about the tables 488by using the 489.Fl v 490modifier twice and the |
414.Ar show Tables | 491.Fl s 492.Cm Tables |
415command. 416This will display the number of addresses on each table, 417the number of rules which reference the table, and the global 418packet statistics for the whole table: 419.Bd -literal -offset indent 420# pfctl -vvsTables 421--a-r- test 422 Addresses: 1 --- 4 unchanged lines hidden (view full) --- 427 In/Pass: [ Packets: 10 Bytes: 840 ] 428 In/XPass: [ Packets: 0 Bytes: 0 ] 429 Out/Block: [ Packets: 0 Bytes: 0 ] 430 Out/Pass: [ Packets: 10 Bytes: 840 ] 431 Out/XPass: [ Packets: 0 Bytes: 0 ] 432.Ed 433.Pp 434As we can see here, only one packet \- the initial ping request \- matched the | 493command. 494This will display the number of addresses on each table, 495the number of rules which reference the table, and the global 496packet statistics for the whole table: 497.Bd -literal -offset indent 498# pfctl -vvsTables 499--a-r- test 500 Addresses: 1 --- 4 unchanged lines hidden (view full) --- 505 In/Pass: [ Packets: 10 Bytes: 840 ] 506 In/XPass: [ Packets: 0 Bytes: 0 ] 507 Out/Block: [ Packets: 0 Bytes: 0 ] 508 Out/Pass: [ Packets: 10 Bytes: 840 ] 509 Out/XPass: [ Packets: 0 Bytes: 0 ] 510.Ed 511.Pp 512As we can see here, only one packet \- the initial ping request \- matched the |
435table; but all packets passing as the result of the state are correctly | 513table, but all packets passing as the result of the state are correctly |
436accounted for. 437Reloading the table(s) or ruleset will not affect packet accounting in any way. 438The two | 514accounted for. 515Reloading the table(s) or ruleset will not affect packet accounting in any way. 516The two |
439.Ar XPass | 517.Dq XPass |
440counters are incremented instead of the | 518counters are incremented instead of the |
441.Ar Pass 442counters when a "stateful" packet is passed but doesn't match the table 443anymore. 444This will happen in our example if someone flushes the table while the ping | 519.Dq Pass 520counters when a 521.Dq stateful 522packet is passed but doesn't match the table anymore. 523This will happen in our example if someone flushes the table while the 524.Xr ping 8 |
445command is running. 446.Pp 447When used with a single 448.Fl v , 449.Nm 450will only display the first line containing the table flags and name. 451The flags are defined as follows: 452.Pp 453.Bl -tag -width XXX -compact 454.It c 455For constant tables, which cannot be altered outside 456.Xr pf.conf 5 . 457.It p | 525command is running. 526.Pp 527When used with a single 528.Fl v , 529.Nm 530will only display the first line containing the table flags and name. 531The flags are defined as follows: 532.Pp 533.Bl -tag -width XXX -compact 534.It c 535For constant tables, which cannot be altered outside 536.Xr pf.conf 5 . 537.It p |
458For persistent tables, which don't get automatically flushed when no rules | 538For persistent tables, which don't get automatically killed when no rules |
459refer to them. 460.It a 461For tables which are part of the | 539refer to them. 540.It a 541For tables which are part of the |
462.Ar active | 542.Em active |
463tableset. 464Tables without this flag do not really exist, cannot contain addresses, and are 465only listed if the 466.Fl g 467flag is given. 468.It i 469For tables which are part of the | 543tableset. 544Tables without this flag do not really exist, cannot contain addresses, and are 545only listed if the 546.Fl g 547flag is given. 548.It i 549For tables which are part of the |
470.Ar inactive | 550.Em inactive |
471tableset. 472This flag can only be witnessed briefly during the loading of 473.Xr pf.conf 5 . 474.It r 475For tables which are referenced (used) by rules. 476.It h 477This flag is set when a table in the main ruleset is hidden by one or more | 551tableset. 552This flag can only be witnessed briefly during the loading of 553.Xr pf.conf 5 . 554.It r 555For tables which are referenced (used) by rules. 556.It h 557This flag is set when a table in the main ruleset is hidden by one or more |
478tables of the same name in sub-rulesets (anchors). | 558tables of the same name from anchors attached below it. |
479.El 480.It Fl t Ar table 481Specify the name of the table. 482.It Fl v 483Produce more verbose output. 484A second use of 485.Fl v 486will produce even more verbose output including ruleset warnings. | 559.El 560.It Fl t Ar table 561Specify the name of the table. 562.It Fl v 563Produce more verbose output. 564A second use of 565.Fl v 566will produce even more verbose output including ruleset warnings. |
487See previous section for its effect on table commands. | 567See the previous section for its effect on table commands. |
488.It Fl x Ar level 489Set the debug 490.Ar level 491(may be abbreviated) to one of the following: 492.Pp 493.Bl -tag -width xxxxxxxxxxxx -compact | 568.It Fl x Ar level 569Set the debug 570.Ar level 571(may be abbreviated) to one of the following: 572.Pp 573.Bl -tag -width xxxxxxxxxxxx -compact |
494.It Fl x Ar none | 574.It Fl x Cm none |
495Don't generate debug messages. | 575Don't generate debug messages. |
496.It Fl x Ar urgent | 576.It Fl x Cm urgent |
497Generate debug messages only for serious errors. | 577Generate debug messages only for serious errors. |
498.It Fl x Ar misc | 578.It Fl x Cm misc |
499Generate debug messages for various errors. | 579Generate debug messages for various errors. |
500.It Fl x Ar loud | 580.It Fl x Cm loud |
501Generate debug messages for common conditions. 502.El 503.It Fl z 504Clear per-rule statistics. 505.El 506.Sh FILES 507.Bl -tag -width "/etc/pf.conf" -compact 508.It Pa /etc/pf.conf 509Packet filter rules file. | 581Generate debug messages for common conditions. 582.El 583.It Fl z 584Clear per-rule statistics. 585.El 586.Sh FILES 587.Bl -tag -width "/etc/pf.conf" -compact 588.It Pa /etc/pf.conf 589Packet filter rules file. |
590.It Pa /etc/pf.os 591Passive operating system fingerprint database. |
510.El 511.Sh SEE ALSO 512.Xr pf 4 , 513.Xr pf.conf 5 , 514.Xr pf.os 5 , 515.Xr sysctl.conf 5 , | 592.El 593.Sh SEE ALSO 594.Xr pf 4 , 595.Xr pf.conf 5 , 596.Xr pf.os 5 , 597.Xr sysctl.conf 5 , |
598.Xr authpf 8 , |
516.Xr ftp-proxy 8 , 517.Xr rc 8 , 518.Xr rc.conf 8 , 519.Xr sysctl 8 520.Sh HISTORY 521The 522.Nm 523program and the 524.Xr pf 4 525filter mechanism first appeared in 526.Ox 3.0 . | 599.Xr ftp-proxy 8 , 600.Xr rc 8 , 601.Xr rc.conf 8 , 602.Xr sysctl 8 603.Sh HISTORY 604The 605.Nm 606program and the 607.Xr pf 4 608filter mechanism first appeared in 609.Ox 3.0 . |
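Review bot: the new SYNOPSIS groups `-t table` and `-T command` into one bracketed unit (`.Oo Xo .Fl t Ar table .Fl T Ar command .Op Ar address ... Oc .Xc`), which reads as if `-T` always requires `-t`, yet the `-T load` entry's own example is `# pfctl -Tl -f pf.conf` with no `-t`. Either keep `-T command` bracketed on its own, as the old synopsis did, or say in the `-T load` entry that it is used without `-t`.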
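Review bot: the DESCRIPTION now points at rc.conf.local(8) for the pf and pf_rules variables, but SEE ALSO still lists only `.Xr rc.conf 8`; add `.Xr rc.conf.local 8` there (or keep the DESCRIPTION pointing at rc.conf(8)) so the two sections agree. In the same region, the -a example quotes `"authpf/smith(1234)"` while the later table example uses an unquoted `foo/bar`; one clause noting that the parentheses in authpf anchor names must be quoted for the shell would explain the difference.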
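Review bot: in the new -o entry, `quick` and `label` are pf.conf(5) keywords but are marked up with `.Ar`, while every other keyword touched by this change is converted from `.Ar` to `.Cm`; use `.Cm quick` and `.Cm label` for consistency. "for billing purposes or whatnot" is also too informal for a manual page; "for billing or similar purposes" says the same thing. The adjacent new -m entry gives no cross-reference, unlike its neighbours; adding `.Xr pf.conf 5` would tell readers which `set` options the merge applies to.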