1.\" $OpenBSD: pf.4,v 1.58 2007/02/09 11:39:06 henning Exp $ |
2.\" 3.\" Copyright (C) 2001, Kjell Wooding. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. --- 11 unchanged lines hidden (view full) --- 21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" |
29.\" $FreeBSD: head/contrib/pf/man/pf.4 171172 2007-07-03 12:30:03Z mlaier $ |
30.\" 31.Dd February 7, 2005 32.Dt PF 4 33.Os 34.Sh NAME 35.Nm pf 36.Nd packet filter 37.Sh SYNOPSIS --- 143 unchanged lines hidden (view full) --- 181.Va rule 182by its number 183.Va nr 184using the 185.Va ticket 186obtained through a preceding 187.Dv DIOCGETRULES 188call. |
189If 190.Va action 191is set to 192.Dv PF_GET_CLR_CNTR , 193the per-rule statistics on the requested rule are cleared. |
194.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp" 195Get a 196.Va ticket 197for subsequent 198.Dv DIOCGETADDR 199calls and the number 200.Va nr 201of pool addresses in the rule specified with --- 146 unchanged lines hidden (view full) --- 348 u_int64_t stateid; 349 u_int32_t running; 350 u_int32_t states; 351 u_int32_t src_nodes; 352 u_int32_t since; 353 u_int32_t debug; 354 u_int32_t hostid; 355 char ifname[IFNAMSIZ]; |
356 u_int8_t pf_chksum[MD5_DIGEST_LENGTH]; |
357}; 358.Ed 359.It Dv DIOCCLRSTATUS 360Clear the internal packet filter statistics. 361.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl" 362Look up a state table entry by source and destination addresses and ports. 363.Bd -literal 364struct pfioc_natlook { --- 27 unchanged lines hidden (view full) --- 392 } ps_u; 393#define ps_buf ps_u.psu_buf 394#define ps_states ps_u.psu_states 395}; 396.Ed 397.Pp 398If 399.Va ps_len |
400is non-zero on entry, as many states as possible that can fit into this 401size will be copied into the supplied buffer 402.Va ps_states . 403On exit, |
404.Va ps_len |
405is always set to the total size required to hold all state table entries 406(i.e., it is set to |
407.Li sizeof(struct pf_state) * nr ) . |
408.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr" 409Add or remove the 410.Va rule 411in the ruleset specified by 412.Va rule.action . 413.Pp 414The type of operation to be performed is indicated by 415.Va action , --- 65 unchanged lines hidden (view full) --- 481.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl" 482Set the hard limits on the memory pools used by the packet filter. 483.Bd -literal 484struct pfioc_limit { 485 int index; 486 unsigned limit; 487}; 488 |
489enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, 490 PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; |
491.Ed 492.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl" 493Get the hard 494.Va limit 495for the memory pool indicated by 496.Va index . 497.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io" 498Clear all tables. --- 21 unchanged lines hidden (view full) --- 520#define pfrio_nmatch pfrio_nadd 521#define pfrio_naddr pfrio_size2 522#define pfrio_setflag pfrio_size2 523#define pfrio_clrflag pfrio_nadd 524.Ed 525.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io" 526Create one or more tables. 527On entry, |
528.Va pfrio_buffer 529must point to an array of 530.Vt struct pfr_table 531containing at least 532.Vt pfrio_size 533elements. 534.Vt pfrio_esize 535must be the size of 536.Vt struct pfr_table . |
537On exit, 538.Va pfrio_nadd 539contains the number of tables effectively created. 540.Bd -literal 541struct pfr_table { 542 char pfrt_anchor[MAXPATHLEN]; 543 char pfrt_name[PF_TABLE_NAME_SIZE]; 544 u_int32_t pfrt_flags; 545 u_int8_t pfrt_fback; 546}; 547.Ed 548.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io" 549Delete one or more tables. 550On entry, |
551.Va pfrio_buffer 552must point to an array of 553.Vt struct pfr_table 554containing at least 555.Vt pfrio_size 556elements. 557.Vt pfrio_esize 558must be the size of 559.Vt struct pfr_table . |
560On exit, |
561.Va pfrio_ndel |
562contains the number of tables effectively deleted. 563.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io" 564Get the list of all tables. 565On entry, 566.Va pfrio_buffer[pfrio_size] 567contains a valid writeable buffer for 568.Vt pfr_table 569structures. --- 22 unchanged lines hidden (view full) --- 592 int pfrts_refcnt[PFR_REFCNT_MAX]; 593}; 594#define pfrts_name pfrts_t.pfrt_name 595#define pfrts_flags pfrts_t.pfrt_flags 596.Ed 597.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io" 598Clear the statistics of one or more tables. 599On entry, |
600.Va pfrio_buffer 601must point to an array of 602.Vt struct pfr_table 603containing at least 604.Vt pfrio_size 605elements. 606.Vt pfrio_esize 607must be the size of 608.Vt struct pfr_table . |
609On exit, 610.Va pfrio_nzero 611contains the number of tables effectively cleared. 612.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io" 613Clear all addresses in a table. 614On entry, 615.Va pfrio_table 616contains the table to clear. 617On exit, 618.Va pfrio_ndel 619contains the number of addresses removed. 620.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io" 621Add one or more addresses to a table. 622On entry, 623.Va pfrio_table 624contains the table ID and |
625.Va pfrio_buffer 626must point to an array of 627.Vt struct pfr_addr 628containing at least 629.Vt pfrio_size 630elements to add to the table. 631.Vt pfrio_esize 632must be the size of 633.Vt struct pfr_addr . |
634On exit, 635.Va pfrio_nadd 636contains the number of addresses effectively added. 637.Bd -literal 638struct pfr_addr { 639 union { 640 struct in_addr _pfra_ip4addr; 641 struct in6_addr _pfra_ip6addr; --- 6 unchanged lines hidden (view full) --- 648#define pfra_ip4addr pfra_u._pfra_ip4addr 649#define pfra_ip6addr pfra_u._pfra_ip6addr 650.Ed 651.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io" 652Delete one or more addresses from a table. 653On entry, 654.Va pfrio_table 655contains the table ID and |
656.Va pfrio_buffer 657must point to an array of 658.Vt struct pfr_addr 659containing at least 660.Vt pfrio_size 661elements to delete from the table. 662.Vt pfrio_esize 663must be the size of 664.Vt struct pfr_addr . |
665On exit, 666.Va pfrio_ndel 667contains the number of addresses effectively deleted. 668.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io" 669Replace the content of a table by a new address list. 670This is the most complicated command, which uses all the structure members. 671.Pp 672On entry, 673.Va pfrio_table 674contains the table ID and |
675.Va pfrio_buffer 676must point to an array of 677.Vt struct pfr_addr 678containing at least 679.Vt pfrio_size 680elements which become the new contents of the table. 681.Vt pfrio_esize 682must be the size of 683.Vt struct pfr_addr . |
684Additionally, if 685.Va pfrio_size2 686is non-zero, 687.Va pfrio_buffer[pfrio_size..pfrio_size2] 688must be a writeable buffer, into which the kernel can copy the 689addresses that have been deleted during the replace operation. 690On exit, 691.Va pfrio_ndel , --- 38 unchanged lines hidden (view full) --- 730 long pfras_tzero; 731}; 732.Ed 733.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io" 734Clear the statistics of one or more addresses. 735On entry, 736.Va pfrio_table 737contains the table ID and |
738.Va pfrio_buffer 739must point to an array of 740.Vt struct pfr_addr 741containing at least 742.Vt pfrio_size 743elements to be cleared from the table. 744.Vt pfrio_esize 745must be the size of 746.Vt struct pfr_addr . |
747On exit, 748.Va pfrio_nzero 749contains the number of addresses effectively cleared. 750.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io" 751Test if the given addresses match a table. 752On entry, 753.Va pfrio_table 754contains the table ID and |
755.Va pfrio_buffer 756must point to an array of 757.Vt struct pfr_addr 758containing at least 759.Vt pfrio_size 760elements, each of which will be tested for a match in the table. 761.Vt pfrio_esize 762must be the size of 763.Vt struct pfr_addr . |
764On exit, the kernel updates the 765.Vt pfr_addr |
766array by setting the |
767.Va pfra_fback 768member appropriately. 769.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io" 770Change the 771.Dv PFR_TFLAG_CONST 772or 773.Dv PFR_TFLAG_PERSIST 774flags of a table. 775On entry, |
776.Va pfrio_buffer 777must point to an array of 778.Vt struct pfr_table 779containing at least 780.Vt pfrio_size 781elements. 782.Va pfrio_esize 783must be the size of 784.Vt struct pfr_table . |
785.Va pfrio_setflag |
786must contain the flags to add, while |
787.Va pfrio_clrflag |
788must contain the flags to remove. |
789On exit, 790.Va pfrio_nchange 791and 792.Va pfrio_ndel 793contain the number of tables altered or deleted by the kernel. 794Yes, tables can be deleted if one removes the 795.Dv PFR_TFLAG_PERSIST 796flag of an unreferenced table. 797.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io" 798Defines a table in the inactive set. 799On entry, 800.Va pfrio_table 801contains the table ID and 802.Va pfrio_buffer[pfrio_size] |
803contains an array of |
804.Vt pfr_addr 805structures to put in the table. 806A valid ticket must also be supplied to 807.Va pfrio_ticket . 808On exit, 809.Va pfrio_nadd 810contains 0 if the table was already defined in the inactive list 811or 1 if a new table has been created. --- 185 unchanged lines hidden (view full) --- 997struct pfioc_iface { 998 char pfiio_name[IFNAMSIZ]; 999 void *pfiio_buffer; 1000 int pfiio_esize; 1001 int pfiio_size; 1002 int pfiio_nzero; 1003 int pfiio_flags; 1004}; |
1005.Ed 1006.Pp 1007If not empty, 1008.Va pfiio_name 1009can be used to restrict the search to a specific interface or driver. 1010.Va pfiio_buffer[pfiio_size] 1011is the user-supplied buffer for returning the data. 1012On entry, 1013.Va pfiio_size |
1014contains the number of 1015.Vt pfi_kif |
1016entries that can fit into the buffer. 1017The kernel will replace this value by the real number of entries it wants 1018to return. 1019.Va pfiio_esize 1020should be set to |
1021.Li sizeof(struct pfi_kif) . 1022.Pp |
1023The data is returned in the |
1024.Vt pfi_kif |
1025structure described below: 1026.Bd -literal |
1027struct pfi_kif { 1028 RB_ENTRY(pfi_kif) pfik_tree; 1029 char pfik_name[IFNAMSIZ]; 1030 u_int64_t pfik_packets[2][2][2]; 1031 u_int64_t pfik_bytes[2][2][2]; 1032 u_int32_t pfik_tzero; 1033 int pfik_flags; 1034 struct pf_state_tree_lan_ext pfik_lan_ext; 1035 struct pf_state_tree_ext_gwy pfik_ext_gwy; 1036 TAILQ_ENTRY(pfi_kif) pfik_w_states; 1037 void *pfik_ah_cookie; 1038 struct ifnet *pfik_ifp; 1039 struct ifg_group *pfik_group; 1040 int pfik_states; 1041 int pfik_rules; 1042 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; |
1043}; |
1044.Ed |
1045.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io" |
1046Set the user setable flags (described above) of the 1047.Nm 1048internal interface description. |
1049The filtering process is the same as for 1050.Dv DIOCIGETIFACES . 1051.Bd -literal |
1052#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ |
1053.Ed 1054.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io" 1055Works as 1056.Dv DIOCSETIFFLAG 1057above but clears the flags. 1058.El 1059.Sh FILES 1060.Bl -tag -width /dev/pf -compact --- 83 unchanged lines hidden --- |