1.\" $OpenBSD: pf.4,v 1.54 2004/12/22 17:17:55 dhartmei Exp $
2.\"
3.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\" notice, this list of conditions and the following disclaimer.

--- 11 unchanged lines hidden (view full) ---

21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27.\" SUCH DAMAGE.
28.\"
29.\" $FreeBSD: head/contrib/pf/man/pf.4 150673 2005-09-28 08:11:15Z mlaier $
30.\"
31.Dd February 7, 2005
32.Dt PF 4
33.Os
34.Sh NAME
35.Nm pf
36.Nd packet filter
37.Sh SYNOPSIS

--- 143 unchanged lines hidden (view full) ---

181.Va rule
182by its number
183.Va nr
184using the
185.Va ticket
186obtained through a preceding
187.Dv DIOCGETRULES
188call.
189.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp"
190Get a
191.Va ticket
192for subsequent
193.Dv DIOCGETADDR
194calls and the number
195.Va nr
196of pool addresses in the rule specified with

--- 146 unchanged lines hidden (view full) ---

343 u_int64_t stateid;
344 u_int32_t running;
345 u_int32_t states;
346 u_int32_t src_nodes;
347 u_int32_t since;
348 u_int32_t debug;
349 u_int32_t hostid;
350 char ifname[IFNAMSIZ];
351};
352.Ed
353.It Dv DIOCCLRSTATUS
354Clear the internal packet filter statistics.
355.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl"
356Look up a state table entry by source and destination addresses and ports.
357.Bd -literal
358struct pfioc_natlook {

--- 27 unchanged lines hidden (view full) ---

386 } ps_u;
387#define ps_buf ps_u.psu_buf
388#define ps_states ps_u.psu_states
389};
390.Ed
391.Pp
392If
393.Va ps_len
394is zero, all states will be gathered into
395.Va pf_states
396and
397.Va ps_len
398will be set to the size they take in memory (i.e.,
399.Li sizeof(struct pf_state) * nr ) .
400If
401.Va ps_len
402is non-zero, as many states that can fit into
403.Va ps_len
404as possible will be gathered, and
405.Va ps_len
406will be updated to the size those rules take in memory.
407.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr"
408Add or remove the
409.Va rule
410in the ruleset specified by
411.Va rule.action .
412.Pp
413The type of operation to be performed is indicated by
414.Va action ,

--- 65 unchanged lines hidden (view full) ---

480.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl"
481Set the hard limits on the memory pools used by the packet filter.
482.Bd -literal
483struct pfioc_limit {
484 int index;
485 unsigned limit;
486};
487
488enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS };
489.Ed
490.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl"
491Get the hard
492.Va limit
493for the memory pool indicated by
494.Va index .
495.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io"
496Clear all tables.

--- 21 unchanged lines hidden (view full) ---

518#define pfrio_nmatch pfrio_nadd
519#define pfrio_naddr pfrio_size2
520#define pfrio_setflag pfrio_size2
521#define pfrio_clrflag pfrio_nadd
522.Ed
523.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io"
524Create one or more tables.
525On entry,
526.Va pfrio_buffer[pfrio_size]
527contains a table of
528.Vt pfr_table
529structures.
530On exit,
531.Va pfrio_nadd
532contains the number of tables effectively created.
533.Bd -literal
534struct pfr_table {
535 char pfrt_anchor[MAXPATHLEN];
536 char pfrt_name[PF_TABLE_NAME_SIZE];
537 u_int32_t pfrt_flags;
538 u_int8_t pfrt_fback;
539};
540.Ed
541.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io"
542Delete one or more tables.
543On entry,
544.Va pfrio_buffer[pfrio_size]
545contains a table of
546.Vt pfr_table
547structures.
548On exit,
549.Va pfrio_nadd
550contains the number of tables effectively deleted.
551.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io"
552Get the list of all tables.
553On entry,
554.Va pfrio_buffer[pfrio_size]
555contains a valid writeable buffer for
556.Vt pfr_table
557structures.

--- 22 unchanged lines hidden (view full) ---

580 int pfrts_refcnt[PFR_REFCNT_MAX];
581};
582#define pfrts_name pfrts_t.pfrt_name
583#define pfrts_flags pfrts_t.pfrt_flags
584.Ed
585.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io"
586Clear the statistics of one or more tables.
587On entry,
588.Va pfrio_buffer[pfrio_size]
589contains a table of
590.Vt pfr_table
591structures.
592On exit,
593.Va pfrio_nzero
594contains the number of tables effectively cleared.
595.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io"
596Clear all addresses in a table.
597On entry,
598.Va pfrio_table
599contains the table to clear.
600On exit,
601.Va pfrio_ndel
602contains the number of addresses removed.
603.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io"
604Add one or more addresses to a table.
605On entry,
606.Va pfrio_table
607contains the table ID and
608.Va pfrio_buffer[pfrio_size]
609contains the list of
610.Vt pfr_addr
611structures to add.
612On exit,
613.Va pfrio_nadd
614contains the number of addresses effectively added.
615.Bd -literal
616struct pfr_addr {
617 union {
618 struct in_addr _pfra_ip4addr;
619 struct in6_addr _pfra_ip6addr;

--- 6 unchanged lines hidden (view full) ---

626#define pfra_ip4addr pfra_u._pfra_ip4addr
627#define pfra_ip6addr pfra_u._pfra_ip6addr
628.Ed
629.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io"
630Delete one or more addresses from a table.
631On entry,
632.Va pfrio_table
633contains the table ID and
634.Va pfrio_buffer[pfrio_size]
635contains the list of
636.Vt pfr_addr
637structures to delete.
638On exit,
639.Va pfrio_ndel
640contains the number of addresses effectively deleted.
641.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io"
642Replace the content of a table by a new address list.
643This is the most complicated command, which uses all the structure members.
644.Pp
645On entry,
646.Va pfrio_table
647contains the table ID and
648.Va pfrio_buffer[pfrio_size]
649contains the new list of
650.Vt pfr_addr
651structures.
652Additionally, if
653.Va pfrio_size2
654is non-zero,
655.Va pfrio_buffer[pfrio_size..pfrio_size2]
656must be a writeable buffer, into which the kernel can copy the
657addresses that have been deleted during the replace operation.
658On exit,
659.Va pfrio_ndel ,

--- 38 unchanged lines hidden (view full) ---

698 long pfras_tzero;
699};
700.Ed
701.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io"
702Clear the statistics of one or more addresses.
703On entry,
704.Va pfrio_table
705contains the table ID and
706.Va pfrio_buffer[pfrio_size]
707contains a table of
708.Vt pfr_addr
709structures to clear.
710On exit,
711.Va pfrio_nzero
712contains the number of addresses effectively cleared.
713.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io"
714Test if the given addresses match a table.
715On entry,
716.Va pfrio_table
717contains the table ID and
718.Va pfrio_buffer[pfrio_size]
719contains a table of
720.Vt pfr_addr
721structures to test.
722On exit, the kernel updates the
723.Vt pfr_addr
724table by setting the
725.Va pfra_fback
726member appropriately.
727.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io"
728Change the
729.Dv PFR_TFLAG_CONST
730or
731.Dv PFR_TFLAG_PERSIST
732flags of a table.
733On entry,
734.Va pfrio_buffer[pfrio_size]
735contains a table of
736.Vt pfr_table
737structures, and
738.Va pfrio_setflag
739contains the flags to add, while
740.Va pfrio_clrflag
741contains the flags to remove.
742On exit,
743.Va pfrio_nchange
744and
745.Va pfrio_ndel
746contain the number of tables altered or deleted by the kernel.
747Yes, tables can be deleted if one removes the
748.Dv PFR_TFLAG_PERSIST
749flag of an unreferenced table.
750.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io"
751Defines a table in the inactive set.
752On entry,
753.Va pfrio_table
754contains the table ID and
755.Va pfrio_buffer[pfrio_size]
756contains the list of
757.Vt pfr_addr
758structures to put in the table.
759A valid ticket must also be supplied to
760.Va pfrio_ticket .
761On exit,
762.Va pfrio_nadd
763contains 0 if the table was already defined in the inactive list
764or 1 if a new table has been created.

--- 185 unchanged lines hidden (view full) ---

950struct pfioc_iface {
951 char pfiio_name[IFNAMSIZ];
952 void *pfiio_buffer;
953 int pfiio_esize;
954 int pfiio_size;
955 int pfiio_nzero;
956 int pfiio_flags;
957};
958
959#define PFI_FLAG_GROUP 0x0001 /* gets groups of interfaces */
960#define PFI_FLAG_INSTANCE 0x0002 /* gets single interfaces */
961#define PFI_FLAG_ALLMASK 0x0003
962.Ed
963.Pp
964If not empty,
965.Va pfiio_name
966can be used to restrict the search to a specific interface or driver.
967.Va pfiio_buffer[pfiio_size]
968is the user-supplied buffer for returning the data.
969On entry,
970.Va pfiio_size
971represents the number of
972.Va pfi_if
973entries that can fit into the buffer.
974The kernel will replace this value by the real number of entries it wants
975to return.
976.Va pfiio_esize
977should be set to
978.Li sizeof(struct pfi_if) .
979.Va pfiio_flags
980should be set to
981.Dv PFI_FLAG_GROUP ,
982.Dv PFI_FLAG_INSTANCE ,
983or both, to tell the kernel to return a group of interfaces
984(drivers, like "fxp"), real interface instances (like "fxp1") or both.
985The data is returned in the
986.Vt pfi_if
987structure described below:
988.Bd -literal
989struct pfi_if {
990 char pfif_name[IFNAMSIZ];
991 u_int64_t pfif_packets[2][2][2];
992 u_int64_t pfif_bytes[2][2][2];
993 u_int64_t pfif_addcnt;
994 u_int64_t pfif_delcnt;
995 long pfif_tzero;
996 int pfif_states;
997 int pfif_rules;
998 int pfif_flags;
999};
1000
1001#define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */
1002#define PFI_IFLAG_INSTANCE 0x0002 /* single instance */
1003#define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */
1004#define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */
1005#define PFI_IFLAG_ATTACHED 0x0040 /* interface attached */
1006.Ed
1007.It Dv DIOCICLRISTATS Fa "struct pfioc_iface *io"
1008Clear the statistics counters of one or more interfaces.
1009.Va pfiio_name
1010and
1011.Va pfiio_flags
1012can be used to select which interfaces need to be cleared.
1013The filtering process is the same as for
1014.Dv DIOCIGETIFACES .
1015.Va pfiio_nzero
1016will be set by the kernel to the number of interfaces and drivers
1017that have been cleared.
1018.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io"
1019Set the user setable flags (described below) of the pf internal interface
1020description.
1021The filtering process is the same as for
1022.Dv DIOCIGETIFACES .
1023.Bd -literal
1024#define PFI_IFLAG_SKIP 0x0100 /* skip interface */
1025#define PFI_IFLAG_SETABLE_MASK 0x0100 /* mask */
1026.Ed
1027.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
1028Works as
1029.Dv DIOCSETIFFLAG
1030above but clears the flags.
1031.El
1032.Sh FILES
1033.Bl -tag -width /dev/pf -compact

--- 83 unchanged lines hidden ---