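--- a/pf.4
+++ b/pf.4
@@ -1,9 +1,9 @@
-.\" $OpenBSD: pf.4,v 1.54 2004/12/22 17:17:55 dhartmei Exp $
+.\" $OpenBSD: pf.4,v 1.58 2007/02/09 11:39:06 henning Exp $
 .\"
 .\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\" notice, this list of conditions and the following disclaimer.
@@ -21,17 +21,17 @@
 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $FreeBSD: head/contrib/pf/man/pf.4 150673 2005-09-28 08:11:15Z mlaier $
+.\" $FreeBSD: head/contrib/pf/man/pf.4 171172 2007-07-03 12:30:03Z mlaier $
 .\"
 .Dd February 7, 2005
 .Dt PF 4
 .Os
 .Sh NAME
 .Nm pf
 .Nd packet filter
 .Sh SYNOPSIS
@@ -181,16 +181,21 @@
 .Va rule
 by its number
 .Va nr
 using the
 .Va ticket
 obtained through a preceding
 .Dv DIOCGETRULES
 call.
+If
+.Va action
+is set to
+.Dv PF_GET_CLR_CNTR ,
+the per-rule statistics on the requested rule are cleared.
 .It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp"
 Get a
 .Va ticket
 for subsequent
 .Dv DIOCGETADDR
 calls and the number
 .Va nr
 of pool addresses in the rule specified with
@@ -343,16 +348,17 @@
  u_int64_t stateid;
  u_int32_t running;
  u_int32_t states;
  u_int32_t src_nodes;
  u_int32_t since;
  u_int32_t debug;
  u_int32_t hostid;
  char ifname[IFNAMSIZ];
+ u_int8_t pf_chksum[MD5_DIGEST_LENGTH];
 };
 .Ed
 .It Dv DIOCCLRSTATUS
 Clear the internal packet filter statistics.
 .It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl"
 Look up a state table entry by source and destination addresses and ports.
 .Bd -literal
 struct pfioc_natlook {
@@ -386,29 +392,24 @@
  } ps_u;
 #define ps_buf ps_u.psu_buf
 #define ps_states ps_u.psu_states
 };
 .Ed
 .Pp
 If
 .Va ps_len
-is zero, all states will be gathered into
-.Va pf_states
-and
+is non-zero on entry, as many states as possible that can fit into this
+size will be copied into the supplied buffer
+.Va ps_states .
+On exit,
 .Va ps_len
-will be set to the size they take in memory (i.e.,
+is always set to the total size required to hold all state table entries
+(i.e., it is set to
 .Li sizeof(struct pf_state) * nr ) .
-If
-.Va ps_len
-is non-zero, as many states that can fit into
-.Va ps_len
-as possible will be gathered, and
-.Va ps_len
-will be updated to the size those rules take in memory.
 .It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr"
 Add or remove the
 .Va rule
 in the ruleset specified by
 .Va rule.action .
 .Pp
 The type of operation to be performed is indicated by
 .Va action ,
@@ -480,17 +481,18 @@
 .It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl"
 Set the hard limits on the memory pools used by the packet filter.
 .Bd -literal
 struct pfioc_limit {
  int index;
  unsigned limit;
 };
 
-enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS };
+enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
+ PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
 .Ed
 .It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl"
 Get the hard
 .Va limit
 for the memory pool indicated by
 .Va index .
 .It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io"
 Clear all tables.
@@ -518,40 +520,50 @@
 #define pfrio_nmatch pfrio_nadd
 #define pfrio_naddr pfrio_size2
 #define pfrio_setflag pfrio_size2
 #define pfrio_clrflag pfrio_nadd
 .Ed
 .It Dv DIOCRADDTABLES Fa "struct pfioc_table *io"
 Create one or more tables.
 On entry,
-.Va pfrio_buffer[pfrio_size]
-contains a table of
-.Vt pfr_table
-structures.
+.Va pfrio_buffer
+must point to an array of
+.Vt struct pfr_table
+containing at least
+.Vt pfrio_size
+elements.
+.Vt pfrio_esize
+must be the size of
+.Vt struct pfr_table .
 On exit,
 .Va pfrio_nadd
 contains the number of tables effectively created.
 .Bd -literal
 struct pfr_table {
  char pfrt_anchor[MAXPATHLEN];
  char pfrt_name[PF_TABLE_NAME_SIZE];
  u_int32_t pfrt_flags;
  u_int8_t pfrt_fback;
 };
 .Ed
 .It Dv DIOCRDELTABLES Fa "struct pfioc_table *io"
 Delete one or more tables.
 On entry,
-.Va pfrio_buffer[pfrio_size]
-contains a table of
-.Vt pfr_table
-structures.
+.Va pfrio_buffer
+must point to an array of
+.Vt struct pfr_table
+containing at least
+.Vt pfrio_size
+elements.
+.Vt pfrio_esize
+must be the size of
+.Vt struct pfr_table .
 On exit,
-.Va pfrio_nadd
+.Va pfrio_ndel
 contains the number of tables effectively deleted.
 .It Dv DIOCRGETTABLES Fa "struct pfioc_table *io"
 Get the list of all tables.
 On entry,
 .Va pfrio_buffer[pfrio_size]
 contains a valid writeable buffer for
 .Vt pfr_table
 structures.
@@ -580,40 +592,50 @@
  int pfrts_refcnt[PFR_REFCNT_MAX];
 };
 #define pfrts_name pfrts_t.pfrt_name
 #define pfrts_flags pfrts_t.pfrt_flags
 .Ed
 .It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io"
 Clear the statistics of one or more tables.
 On entry,
-.Va pfrio_buffer[pfrio_size]
-contains a table of
-.Vt pfr_table
-structures.
+.Va pfrio_buffer
+must point to an array of
+.Vt struct pfr_table
+containing at least
+.Vt pfrio_size
+elements.
+.Vt pfrio_esize
+must be the size of
+.Vt struct pfr_table .
 On exit,
 .Va pfrio_nzero
 contains the number of tables effectively cleared.
 .It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io"
 Clear all addresses in a table.
 On entry,
 .Va pfrio_table
 contains the table to clear.
 On exit,
 .Va pfrio_ndel
 contains the number of addresses removed.
 .It Dv DIOCRADDADDRS Fa "struct pfioc_table *io"
 Add one or more addresses to a table.
 On entry,
 .Va pfrio_table
 contains the table ID and
-.Va pfrio_buffer[pfrio_size]
-contains the list of
-.Vt pfr_addr
-structures to add.
+.Va pfrio_buffer
+must point to an array of
+.Vt struct pfr_addr
+containing at least
+.Vt pfrio_size
+elements to add to the table.
+.Vt pfrio_esize
+must be the size of
+.Vt struct pfr_addr .
 On exit,
 .Va pfrio_nadd
 contains the number of addresses effectively added.
 .Bd -literal
 struct pfr_addr {
  union {
  struct in_addr _pfra_ip4addr;
  struct in6_addr _pfra_ip6addr;
@@ -626,34 +648,44 @@
 #define pfra_ip4addr pfra_u._pfra_ip4addr
 #define pfra_ip6addr pfra_u._pfra_ip6addr
 .Ed
 .It Dv DIOCRDELADDRS Fa "struct pfioc_table *io"
 Delete one or more addresses from a table.
 On entry,
 .Va pfrio_table
 contains the table ID and
-.Va pfrio_buffer[pfrio_size]
-contains the list of
-.Vt pfr_addr
-structures to delete.
+.Va pfrio_buffer
+must point to an array of
+.Vt struct pfr_addr
+containing at least
+.Vt pfrio_size
+elements to delete from the table.
+.Vt pfrio_esize
+must be the size of
+.Vt struct pfr_addr .
 On exit,
 .Va pfrio_ndel
 contains the number of addresses effectively deleted.
 .It Dv DIOCRSETADDRS Fa "struct pfioc_table *io"
 Replace the content of a table by a new address list.
 This is the most complicated command, which uses all the structure members.
 .Pp
 On entry,
 .Va pfrio_table
 contains the table ID and
-.Va pfrio_buffer[pfrio_size]
-contains the new list of
-.Vt pfr_addr
-structures.
+.Va pfrio_buffer
+must point to an array of
+.Vt struct pfr_addr
+containing at least
+.Vt pfrio_size
+elements which become the new contents of the table.
+.Vt pfrio_esize
+must be the size of
+.Vt struct pfr_addr .
 Additionally, if
 .Va pfrio_size2
 is non-zero,
 .Va pfrio_buffer[pfrio_size..pfrio_size2]
 must be a writeable buffer, into which the kernel can copy the
 addresses that have been deleted during the replace operation.
 On exit,
 .Va pfrio_ndel ,
@@ -698,67 +730,82 @@
  long pfras_tzero;
 };
 .Ed
 .It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io"
 Clear the statistics of one or more addresses.
 On entry,
 .Va pfrio_table
 contains the table ID and
-.Va pfrio_buffer[pfrio_size]
-contains a table of
-.Vt pfr_addr
-structures to clear.
+.Va pfrio_buffer
+must point to an array of
+.Vt struct pfr_addr
+containing at least
+.Vt pfrio_size
+elements to be cleared from the table.
+.Vt pfrio_esize
+must be the size of
+.Vt struct pfr_addr .
 On exit,
 .Va pfrio_nzero
 contains the number of addresses effectively cleared.
 .It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io"
 Test if the given addresses match a table.
 On entry,
 .Va pfrio_table
 contains the table ID and
-.Va pfrio_buffer[pfrio_size]
-contains a table of
-.Vt pfr_addr
-structures to test.
+.Va pfrio_buffer
+must point to an array of
+.Vt struct pfr_addr
+containing at least
+.Vt pfrio_size
+elements, each of which will be tested for a match in the table.
+.Vt pfrio_esize
+must be the size of
+.Vt struct pfr_addr .
 On exit, the kernel updates the
 .Vt pfr_addr
-table by setting the
+array by setting the
 .Va pfra_fback
 member appropriately.
 .It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io"
 Change the
 .Dv PFR_TFLAG_CONST
 or
 .Dv PFR_TFLAG_PERSIST
 flags of a table.
 On entry,
-.Va pfrio_buffer[pfrio_size]
-contains a table of
-.Vt pfr_table
-structures, and
+.Va pfrio_buffer
+must point to an array of
+.Vt struct pfr_table
+containing at least
+.Vt pfrio_size
+elements.
+.Va pfrio_esize
+must be the size of
+.Vt struct pfr_table .
 .Va pfrio_setflag
-contains the flags to add, while
+must contain the flags to add, while
 .Va pfrio_clrflag
-contains the flags to remove.
+must contain the flags to remove.
 On exit,
 .Va pfrio_nchange
 and
 .Va pfrio_ndel
 contain the number of tables altered or deleted by the kernel.
 Yes, tables can be deleted if one removes the
 .Dv PFR_TFLAG_PERSIST
 flag of an unreferenced table.
 .It Dv DIOCRINADEFINE Fa "struct pfioc_table *io"
 Defines a table in the inactive set.
 On entry,
 .Va pfrio_table
 contains the table ID and
 .Va pfrio_buffer[pfrio_size]
-contains the list of
+contains an array of
 .Vt pfr_addr
 structures to put in the table.
 A valid ticket must also be supplied to
 .Va pfrio_ticket .
 On exit,
 .Va pfrio_nadd
 contains 0 if the table was already defined in the inactive list
 or 1 if a new table has been created.
@@ -950,84 +997,64 @@
 struct pfioc_iface {
  char pfiio_name[IFNAMSIZ];
  void *pfiio_buffer;
  int pfiio_esize;
  int pfiio_size;
  int pfiio_nzero;
  int pfiio_flags;
 };
-
-#define PFI_FLAG_GROUP 0x0001 /* gets groups of interfaces */
-#define PFI_FLAG_INSTANCE 0x0002 /* gets single interfaces */
-#define PFI_FLAG_ALLMASK 0x0003
 .Ed
 .Pp
 If not empty,
 .Va pfiio_name
 can be used to restrict the search to a specific interface or driver.
 .Va pfiio_buffer[pfiio_size]
 is the user-supplied buffer for returning the data.
 On entry,
 .Va pfiio_size
-represents the number of
-.Va pfi_if
+contains the number of
+.Vt pfi_kif
 entries that can fit into the buffer.
 The kernel will replace this value by the real number of entries it wants
 to return.
 .Va pfiio_esize
 should be set to
-.Li sizeof(struct pfi_if) .
-.Va pfiio_flags
-should be set to
-.Dv PFI_FLAG_GROUP ,
-.Dv PFI_FLAG_INSTANCE ,
-or both, to tell the kernel to return a group of interfaces
-(drivers, like "fxp"), real interface instances (like "fxp1") or both.
+.Li sizeof(struct pfi_kif) .
+.Pp
 The data is returned in the
-.Vt pfi_if
+.Vt pfi_kif
 structure described below:
 .Bd -literal
-struct pfi_if {
- char pfif_name[IFNAMSIZ];
- u_int64_t pfif_packets[2][2][2];
- u_int64_t pfif_bytes[2][2][2];
- u_int64_t pfif_addcnt;
- u_int64_t pfif_delcnt;
- long pfif_tzero;
- int pfif_states;
- int pfif_rules;
- int pfif_flags;
+struct pfi_kif {
+ RB_ENTRY(pfi_kif) pfik_tree;
+ char pfik_name[IFNAMSIZ];
+ u_int64_t pfik_packets[2][2][2];
+ u_int64_t pfik_bytes[2][2][2];
+ u_int32_t pfik_tzero;
+ int pfik_flags;
+ struct pf_state_tree_lan_ext pfik_lan_ext;
+ struct pf_state_tree_ext_gwy pfik_ext_gwy;
+ TAILQ_ENTRY(pfi_kif) pfik_w_states;
+ void *pfik_ah_cookie;
+ struct ifnet *pfik_ifp;
+ struct ifg_group *pfik_group;
+ int pfik_states;
+ int pfik_rules;
+ TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
 };
-
-#define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */
-#define PFI_IFLAG_INSTANCE 0x0002 /* single instance */
-#define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */
-#define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */
-#define PFI_IFLAG_ATTACHED 0x0040 /* interface attached */
 .Ed
-.It Dv DIOCICLRISTATS Fa "struct pfioc_iface *io"
-Clear the statistics counters of one or more interfaces.
-.Va pfiio_name
-and
-.Va pfiio_flags
-can be used to select which interfaces need to be cleared.
-The filtering process is the same as for
-.Dv DIOCIGETIFACES .
-.Va pfiio_nzero
-will be set by the kernel to the number of interfaces and drivers
-that have been cleared.
 .It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io"
-Set the user setable flags (described below) of the pf internal interface
-description.
+Set the user setable flags (described above) of the
+.Nm
+internal interface description.
 The filtering process is the same as for
 .Dv DIOCIGETIFACES .
 .Bd -literal
-#define PFI_IFLAG_SKIP 0x0100 /* skip interface */
-#define PFI_IFLAG_SETABLE_MASK 0x0100 /* mask */
+#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
 .Ed
 .It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
 Works as
 .Dv DIOCSETIFFLAG
 above but clears the flags.
 .El
 .Sh FILES
 .Bl -tag -width /dev/pf -compact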