Lines Matching +full:send +full:- +full:flush +full:- +full:out +full:- +full:sequence
10 .\" - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
27 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
81 .Ar set require-order
91 .Bd -literal -offset indent
101 .Ar out ) .
105 .Bd -literal -offset indent
108 pass out on $ext_if from any to any
136 .Ar round-robin
143 .Bl -tag -width "manually"
159 statement, and are especially useful to define non-persistent tables.
160 The contents of a pre-existing table defined without a list of addresses
170 .Bl -tag -width persist
191 flag enables per-address packet and byte counters which can be displayed with
197 .Bd -literal -offset indent
211 .Bd -literal -offset indent
212 # pfctl -t badhosts -Tadd 204.92.77.111
217 .Bd -literal -offset indent
243 .Bl -tag -width xxxx
246 .Bl -tag -width "src.track" -compact
264 .Bl -tag -width xxxx -compact
276 Some hosts (notably web servers on Solaris) send TCP packets even after closing
289 .Bl -tag -width xxxx -compact
305 .Bl -tag -width xxxx -compact
321 .Bl -tag -width xxxx -compact
330 .Bl -tag -width xxxx -compact
335 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
349 When used on a per-rule basis, the values relate to the number of
354 .Bd -literal -offset indent
367 .Bd -literal -offset indent
368 # pfctl -s info
374 .Bd -literal -offset indent
379 .Bd -literal -offset indent
389 .Bd -literal -offset indent
400 .Bd -literal -offset indent
411 .Bd -literal -offset indent
412 set limit src-nodes 2000
417 .Ar sticky-address
422 .Bd -literal -offset indent
423 set limit table-entries 100000
430 .Bd -literal -offset indent
431 set limit { states 20000, frags 20000, src-nodes 2000 }
433 .It Ar set ruleset-optimization
434 .Bl -tag -width xxxxxxxx -compact
443 .Bl -enum -compact
451 re-order the rules to improve evaluation performance
461 A side effect of the ruleset modification is that per-rule accounting
463 If per-rule accounting is important for billing purposes or whatnot,
467 Optimization can also be set as a command-line argument to
474 .Bl -tag -width xxxx -compact
478 .It Ar high-latency
479 A high-latency environment (such as a satellite connection).
482 .Ar high-latency .
495 .Bd -literal -offset indent
498 .It Ar set reassemble yes | no Op Cm no-df
507 .Cm no-df
509 .Dq dont-fragment
513 .Dq dont-fragment
518 This option is ignored if there are pre-FreeBSD 14
521 .It Ar set block-policy
523 .Ar block-policy
528 .Bl -tag -width xxxxxxxx -compact
539 .Bd -literal -offset indent
540 set block-policy return
542 .It Ar set fail-policy
544 .Ar fail-policy
547 This might happen when a nat or route-to rule uses an empty table as list
553 .Bl -tag -width xxxxxxxx -compact
564 .Bd -literal -offset indent
565 set fail-policy return
567 .It Ar set state-policy
569 .Ar state-policy
572 .Bl -tag -width group-bound -compact
573 .It Ar if-bound
580 .Bd -literal -offset indent
581 set state-policy if-bound
597 .Bl -tag -width adaptive -compact
599 pf will never send syncookie SYNACKs (the default).
601 pf will always send syncookie SYNACKs.
604 is used up by half-open TCP connections, as in, those that saw the initial
607 .Bd -literal -offset indent
611 .It Ar set state-defaults
613 .Ar state-defaults
618 .Bd -literal -offset indent
619 set state-defaults no-sync
622 The 32-bit
628 By default the hostid is set to a pseudo-random value, however it may be
631 .Bd -literal -offset indent
636 .It Ar set require-order
648 There may be non-trivial and non-obvious implications to an out of
668 Packets passing in or out on such interfaces are passed as if pf was
680 .Bl -tag -width xxxxxxxxxxxx -compact
713 .Bl -tag -width xxxx
723 A packet always comes in on, or goes out through, one interface.
730 .Bl -tag -width xxxx
731 .It Ar in No or Ar out
736 .Ar out
745 This rule applies only to packets coming in on, or going out through, this
752 .It Ar bridge-to Aq interface
753 Packets matching this rule will be sent out of the specified interface without
809 .Bl -tag -width xxxx
810 .It Ar no-df
812 .Ar dont-fragment
815 .Ar dont-fragment
820 .Ar dont-fragment
822 .Ar no-df
826 .Ar dont-fragment
829 .Ar dont-fragment
833 .Ar random-id
835 .Ar no-df
837 .It Ar min-ttl Aq Ar number
839 .It Ar max-mss Aq Ar number
841 .It Xo Ar set-tos Aq Ar string
862 .It Ar random-id
872 .Bl -tag -width timeout -compact
875 An attacker may send a packet such that it reaches the firewall, affects
881 Modern TCP stacks will send a timestamp on every TCP packet and echo
899 delayed for longer than it takes the connection to wrap its 32-bit sequence
903 The solution to this is called PAWS: Protection Against Wrapped Sequence
912 artificially extends the security of TCP sequence numbers by 10 to 18
919 .Bd -literal -offset indent
920 match in all scrub (no-df random-id max-mss 1440)
922 .Ss Scrub ruleset (pre-FreeBSD 14)
938 .Bl -tag -width xxxx
954 .Bd -literal -offset indent
973 rules must not have the direction (in/out) specified.
1000 sent out immediately.
1004 .Bl -tag -width xxxx
1018 mainly controls the time packets take to get sent out, while
1063 mainly controls the time packets take to get sent out, while
1067 supports both link-sharing and guaranteed real-time services.
1082 .Bl -tag -width xxxx
1128 should queue up to 5Mbps in four second-level queues using
1131 .Bd -literal -offset indent
1137 directive, a sequence of
1151 .Bl -tag -width xxxx
1193 .Bl -tag -width Fl
1203 RIO is RED with IN/OUT, thus running
1215 .Bl -tag -width Fl
1224 .Bl -tag -width Fl
1285 .Bd -literal
1296 block return out on dc0 inet all queue std
1297 pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e
1299 pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e
1301 pass out on dc0 inet proto tcp from any to any port 22 \e
1303 pass out on dc0 inet proto tcp from any to any port 25 \e
1364 .Bl -tag -width xxxx
1365 .It Ar af-to
1368 .Ar af-to
1372 .Ar af-to
1384 part is 32-bit long.
1393 .Bd -literal -offset indent
1394 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1395 pass in inet af-to inet6 from 2001:db8::1
1404 .Bd -literal -offset indent
1405 pass in inet6 af-to inet from 198.51.100.1 to 0.0.0.0/0
1406 pass in inet6 af-to inet from 198.51.100.1
1431 .Bd -literal
1432 10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8)
1433 172.16.0.0 - 172.31.255.255 (i.e., 172.16/12)
1434 192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
1441 rdr ... port 2000:2999 -\*(Gt ... port 4000
1443 rdr ... port 2000:2999 -\*(Gt ... port 4000:*
1461 A random source port in the range 50001-65535 is chosen in this case; to
1505 .Bd -literal -offset indent
1506 rdr on ne3 inet proto tcp to port smtp -\*(Gt 127.0.0.1 port spamd
1512 Unless this effect is desired, any of the local non-loopback addresses
1557 .Bl -tag -width xxxx
1567 .Ar block-policy
1568 option, or on a per-rule basis with one of the following options:
1570 .Bl -tag -width xxxx -compact
1573 .It Ar return-rst
1578 .It Ar return-icmp
1579 .It Ar return-icmp6
1598 .Bd -literal -offset indent
1634 After the connection is closed or times out, the state entry is automatically
1639 its sequence numbers, as well as TCP timestamps if a
1645 a fake source address/port but does not know the connection's sequence
1651 .Bd -literal -offset indent
1652 pass out inet proto icmp all icmp-type echoreq
1657 out statefully, and matches incoming echo replies correctly to states.
1697 A packet always comes in on, or goes out through, one interface.
1704 .Bl -tag -width xxxx
1705 .It Ar in No or Ar out
1710 .Ar out
1753 Send logs to the specified
1764 This rule applies only to packets coming in on, or going out through, this
1804 .Bl -tag -width xxxxxxxxxxxxxx -compact
1807 .It Ar no-route
1809 .It Ar urpf-failed
1820 .Sq -
1823 .Dq 10.1.1.10 - 10.1.1.12
1831 .Bl -tag -width xxxxxxxxxxxx -compact
1837 Translates to the point-to-point interface's peer address(es).
1845 v4 and non-link-local v6 address found.
1848 ruleset load-time.
1869 .Bd -literal -offset indent
1887 .Bl -tag -width Fl
1899 hence ports 1-1999 and 2005-65535.
1911 .Bd -literal -offset indent
1973 .Bd -literal -offset indent
1974 block out proto { tcp, udp } all
1975 pass out proto { tcp, udp } all user { \*(Lt 1000, dhartmei }
1984 set out of set
1994 .Bl -tag -width Fl
2000 Out of SYN and ACK, exactly SYN may be set.
2016 .Pq non-SYN
2026 .Ar af-to,
2035 Such connections will stall and time out.
2036 .It Xo Ar icmp-type Aq Ar type
2039 .It Xo Ar icmp6-type Aq Ar type
2052 .Ar icmp-type
2054 .Ar icmp6-type
2080 .Bd -literal -offset indent
2085 .It Ar allow-opts
2089 .Ar allow-opts
2103 pfctl -s labels
2104 shows per-rule statistics for rules that have labels.
2108 .Bl -tag -width $srcaddr -compact -offset indent
2126 .Bd -literal -offset indent
2133 .Bd -literal -offset indent
2161 .Bd -literal -offset indent
2177 .Bd -literal -offset indent
2181 .It Ar received-on Aq Ar interface
2221 .It Xo Ar divert-to Aq Ar host
2235 If a packet is re-injected and does not change direction then it will not be
2236 re-diverted.
2237 .It Ar divert-reply
2246 .Bd -literal -offset indent
2257 .Bl -tag -width xxxx
2258 .It Ar route-to
2260 .Ar route-to
2264 .Ar route-to
2269 .It Ar reply-to
2271 .Ar reply-to
2273 .Ar route-to ,
2277 .Ar reply-to
2282 .It Ar dup-to
2284 .Ar dup-to
2286 .Ar route-to .
2295 .Ar route-to ,
2296 .Ar reply-to
2298 .Ar dup-to
2303 .Bl -tag -width xxxx
2316 .It Ar source-hash
2318 .Ar source-hash
2324 randomly generates a key for source-hash every time the
2326 .It Ar round-robin
2328 .Ar round-robin
2332 .Ar round-robin
2334 .It Ar static-port
2338 .Ar static-port
2342 .It Xo Ar map-e-portset Aq Ar psid-offset
2343 .No / Aq Ar psid-len
2349 .Ar map-e-portset
2350 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2351 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2353 to the map-e-portset nat rule.
2356 .Bd -literal -offset indent
2358 -> $ipv4_mape_src map-e-portset 6/8/0x34
2362 .It Ar endpoint-independent
2366 .Ar endpoint-independent
2371 This feature implements "full-cone" NAT behavior.
2375 .Ar sticky-address
2381 .Ar round-robin
2392 initial sequence numbers (ISNs) are chosen.
2400 will create a high quality random sequence number for each connection
2409 .Bd -literal -offset indent
2411 pass out proto tcp from any to any modulate state
2421 respective endpoints time out the connection.
2452 completed the handshake, hence so-called SYN floods with spoofed source
2459 chooses random initial sequence numbers for both handshakes.
2460 Once the handshakes are completed, the sequence number modulators
2475 .Bd -literal -offset indent
2480 per-rule basis.
2489 .Bl -tag -width xxxx -compact
2493 state are dropped until existing states time out.
2494 .It Ar no-sync
2506 Uses a sloppy TCP connection tracker that does not check sequence
2516 .It Ar allow-related
2523 .Bd -literal -offset indent
2526 (max 100, source-track rule, max-src-nodes 75, \e
2527 max-src-states 3, tcp.established 60, tcp.closing 5)
2531 .Ar source-track
2534 .Bl -tag -width xxxx -compact
2535 .It Ar source-track rule
2537 .Ar max-src-nodes
2539 .Ar max-src-states
2543 .It Ar source-track global
2546 .Ar max-src-nodes
2548 .Ar max-src-states
2555 .Bl -tag -width xxxx -compact
2556 .It Ar max-src-nodes Aq Ar number
2559 .It Ar max-src-states Aq Ar number
2565 which have completed the TCP 3-way handshake) can also be enforced
2568 .Bl -tag -width xxxx -compact
2569 .It Ar max-src-conn Aq Ar number
2571 completed the 3-way handshake that a single host can make.
2572 .It Xo Ar max-src-conn-rate Aq Ar number
2580 state are dropped until existing states time out.
2582 Because the 3-way handshake ensures that the source address is not being
2593 .Ar flush
2598 modifier to the flush command kills all states originating from the
2609 .Bd -literal -offset indent
2612 (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global)
2643 .Ar no-df
2646 .Dl \&"OpenBSD 3.3 no-df\&"
2655 .Dl # pfctl -so
2668 .Bd -literal -offset indent
2669 pass out proto tcp from any os OpenBSD
2670 block out proto tcp from any os Doors
2671 block out proto tcp from any os "Doors PT"
2672 block out proto tcp from any os "Doors PT SP3"
2673 block out from any os "unknown"
2698 .Bd -literal -offset indent
2703 .Bd -literal -offset indent
2708 For non-loopback interfaces, there are additional rules to block incoming
2713 .Bd -literal -offset indent
2718 .Bd -literal -offset indent
2731 In cases when it is necessary or more efficient to send such large packets,
2769 .Bd -literal -offset indent
2798 are dropped until other entries time out.
2823 characters, similar to how file system hierarchies are laid out.
2832 .Bl -tag -width xxxx
2833 .It Ar nat-anchor Aq Ar name
2838 .It Ar rdr-anchor Aq Ar name
2843 .It Ar binat-anchor Aq Ar name
2896 .Bd -literal -offset indent
2900 pass out on $ext_if all
2910 .Bd -literal -offset indent
2912 pfctl -a spam -f -
2924 .Bd -literal -offset indent
2926 load anchor spam from "/etc/pf-spam.conf"
2934 .Pa /etc/pf-spam.conf
2945 .Bd -literal -offset indent
2948 pass out on $ext_if all
2958 .Bd -literal -offset indent
2960 pfctl -a spam -f -
2970 .Bd -literal -offset indent
2984 Similar to file system path name resolution, if the sequence
2990 .Bd -literal -offset indent
2991 # echo ' anchor "spam/allowed" ' | pfctl -f -
2992 # echo -e ' anchor "../banned" \en pass' | \e
2993 pfctl -a spam/allowed -f -
3008 Brace delimited blocks may contain rules or other brace-delimited blocks.
3010 .Bd -literal -offset indent
3013 anchor out {
3038 .Bd -literal
3043 rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080
3050 .Bd -literal
3051 rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e
3057 when they are going out any interface except vlan12.
3063 .Bd -literal
3064 nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111
3072 .Bd -literal
3075 nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100
3080 .Bd -literal
3084 rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e
3091 .Xr ftp-proxy 8 ,
3094 .Xr ftp-proxy 8
3096 .Xr ftp-proxy 8
3098 .Bd -literal
3102 nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if)
3108 nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e
3115 binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if
3119 binat on $peer_if from 172.21.16.0/20 to any -> 172.22.16.0/20
3125 -\*(Gt 10.1.2.151 port 22
3127 -\*(Gt 10.1.2.151 port 53
3130 # Translate outgoing ftp control connections to send them to localhost
3131 # for proxying with ftp-proxy(8) running on port 8021.
3132 rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021
3139 .Bd -literal
3143 # using the source-hash keyword.
3144 nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash
3150 -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3153 .Bd -literal
3168 block in from no-route to any
3172 block in from urpf-failed to any
3176 # for instance), we want to be nice and do not send out garbage.
3177 block out log quick on $ext_if from ! 157.161.48.183 to any
3184 # them anyway (hence, no return-rst).
3190 # pass out/in certain ICMP queries and keep state (ping)
3195 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3199 # pass out all UDP connections and keep state
3200 pass out on $ext_if proto udp all
3207 # pass out all TCP connections and modulate state
3208 pass out on $ext_if proto tcp all modulate state
3220 # pass in/out all IPv6 traffic: note that we have to enable this in two
3229 # $int_if and pass those tagged packets out on $ext_if. all other
3236 block out on $ext_if from any to any
3237 pass out quick on $ext_if tagged INTNET
3238 pass out on $ext_if proto tcp from any to any port 80
3244 tag SPAMD -\*(Gt 127.0.0.1 port spamd
3251 translates an internal IPv4 subnet to IPv6 using the well-known
3253 .Bd -literal -offset 4n
3254 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3260 .Bd -literal -offset 4n
3261 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3267 .Bd -literal
3268 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3269 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3270 trans-anchors | anchor-rule | anchor-close | load-anchor |
3271 table-rule | include )
3273 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3274 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3276 "high-latency" | "satellite" |
3278 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3279 [ "loginterface" ( interface-name | "none" ) ] |
3280 [ "block-policy" ( "drop" | "return" ) ] |
3281 [ "state-policy" ( "if-bound" | "floating" ) ]
3282 [ "state-defaults" state-opts ]
3283 [ "require-order" ( "yes" | "no" ) ]
3289 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3290 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3292 [ etherfilteropt-list ]
3294 pf-rule = action [ ( "in" | "out" ) ]
3297 hosts [ filteropt-list ]
3300 logopt = "all" | "matches" | "user" | "to" interface-name
3302 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3306 filteropt-list = filteropt-list filteropt | filteropt
3307 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3308 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3309 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3311 [ "(" state-opts ")" ] |
3312 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3313 "max-mss" number | "random-id" | "reassemble tcp" |
3314 fragmentation | "allow-opts" |
3322 "received-on" ( interface-name | interface-group )
3324 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3327 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
3328 [ portspec ] [ pooltype ] [ "static-port" ]
3329 [ "map-e-portset" number "/" number "/" number ] ]
3331 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3332 [ "on" interface-name ] [ af ]
3333 [ "proto" ( proto-name | proto-number ) ]
3334 "from" address [ "/" mask-bits ] "to" ipspec
3336 [ "-\*(Gt" address [ "/" mask-bits ] ]
3338 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3341 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
3344 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3348 table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
3349 tableopts-list = tableopts-list tableopts | tableopts
3351 "{" [ tableaddr-list ] "}"
3352 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3353 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3355 ipv4-dotted-quad | ipv6-coloned-hex
3357 altq-rule = "altq on" interface-name queueopts-list
3359 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3362 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3363 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3365 anchor-close = "}"
3367 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3370 load-anchor = "load anchor" string "from" filename
3372 queueopts-list = queueopts-list queueopts | queueopts
3373 queueopts = [ "bandwidth" bandwidth-spec ] |
3376 schedulers = ( cbq-def | priq-def | hfsc-def )
3377 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3381 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3382 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3383 "return-icmp6" [ "(" icmp6code ")" ]
3384 icmpcode = ( icmp-code-name | icmp-code-number )
3385 icmp6code = ( icmp6-code-name | icmp6-code-number )
3387 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3388 "{" interface-list "}"
3389 interface-list = [ "!" ] ( interface-name | interface-group )
3390 [ [ "," ] interface-list ]
3391 route = ( "route-to" | "reply-to" | "dup-to" )
3392 ( routehost | "{" routehost-list "}" )
3396 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3397 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3398 protospec = "proto" ( proto-name | proto-number |
3399 "{" proto-list "}" )
3400 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3406 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3407 "{" host-list "}" ) [ port ] [ os ]
3408 "to" ( "any" | "no-route" | "self" | host |
3409 "{" host-list "}" ) [ port ]
3411 ipspec = "any" | host | "{" host-list "}"
3412 host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
3413 redirhost = address [ "/" mask-bits ]
3414 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
3415 address = ( interface-name | interface-group |
3416 "(" ( interface-name | interface-group ) ")" |
3417 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3418 host-list = host [ [ "," ] host-list ]
3419 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3420 routehost-list = routehost [ [ "," ] routehost-list ]
3422 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3424 os = "os" ( os-name | "{" os-list "}" )
3425 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3426 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3428 unary-op = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ]
3430 binary-op = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number
3431 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3433 os-name = operating-system-name
3434 os-list = os-name [ [ "," ] os-list ]
3436 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3437 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3440 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3441 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3442 icmp-type-code = ( icmp-type-name | icmp-type-number )
3443 [ "code" ( icmp-code-name | icmp-code-number ) ]
3444 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3449 state-opts = state-opt [ [ "," ] state-opts ]
3450 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3451 "source-track" [ ( "rule" | "global" ) ] |
3452 "max-src-nodes" number | "max-src-states" number |
3453 "max-src-conn" number |
3454 "max-src-conn-rate" number "/" number |
3455 "overload" "\*(Lt" string "\*(Gt" [ "flush" ] |
3456 "if-bound" | "floating" | "pflow" )
3460 timeout-list = timeout [ [ "," ] timeout-list ]
3471 limit-list = limit-item [ [ "," ] limit-list ]
3472 limit-item = ( "states" | "frags" | "src-nodes" ) number
3475 "source-hash" [ ( hex-key | string-key ) ] |
3476 "round-robin" ) [ sticky-address ]
3478 subqueue = string | "{" queue-list "}"
3479 queue-list = string [ [ "," ] string ]
3480 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3481 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3482 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3483 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3484 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3485 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3486 linkshare-sc | realtime-sc | upperlimit-sc )
3487 linkshare-sc = "linkshare" sc-spec
3488 realtime-sc = "realtime" sc-spec
3489 upperlimit-sc = "upperlimit" sc-spec
3490 sc-spec = ( bandwidth-spec |
3491 "(" bandwidth-spec number bandwidth-spec ")" )
3495 .Bl -tag -width "/etc/protocols" -compact
3526 .Xr ftp-proxy 8 ,