Lines Matching +full:system +full:- +full:critical +full:- +full:regulator
10 .\" - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
81 .Ar set require-order
91 .Bd -literal -offset indent
105 .Bd -literal -offset indent
136 .Ar round-robin
143 .Bl -tag -width "manually"
159 statement, and are especially useful to define non-persistent tables.
160 The contents of a pre-existing table defined without a list of addresses
170 .Bl -tag -width persist
191 flag enables per-address packet and byte counters which can be displayed with
197 .Bd -literal -offset indent
211 .Bd -literal -offset indent
212 # pfctl -t badhosts -Tadd 204.92.77.111
217 .Bd -literal -offset indent
243 .Bl -tag -width xxxx
246 .Bl -tag -width "src.track" -compact
264 .Bl -tag -width xxxx -compact
289 .Bl -tag -width xxxx -compact
305 .Bl -tag -width xxxx -compact
321 .Bl -tag -width xxxx -compact
330 .Bl -tag -width xxxx -compact
335 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
349 When used on a per-rule basis, the values relate to the number of
354 .Bd -literal -offset indent
367 .Bd -literal -offset indent
368 # pfctl -s info
374 .Bd -literal -offset indent
379 .Bd -literal -offset indent
389 .Bd -literal -offset indent
400 .Bd -literal -offset indent
411 .Bd -literal -offset indent
412 set limit src-nodes 2000
417 .Ar sticky-address
422 .Bd -literal -offset indent
423 set limit table-entries 100000
430 .Bd -literal -offset indent
431 set limit { states 20000, frags 20000, src-nodes 2000 }
433 .It Ar set ruleset-optimization
434 .Bl -tag -width xxxxxxxx -compact
443 .Bl -enum -compact
451 re-order the rules to improve evaluation performance
461 A side effect of the ruleset modification is that per-rule accounting
463 If per-rule accounting is important for billing purposes or whatnot,
467 Optimization can also be set as a command-line argument to
474 .Bl -tag -width xxxx -compact
478 .It Ar high-latency
479 A high-latency environment (such as a satellite connection).
482 .Ar high-latency .
495 .Bd -literal -offset indent
498 .It Ar set reassemble yes | no Op Cm no-df
507 .Cm no-df
509 .Dq dont-fragment
513 .Dq dont-fragment
518 This option is ignored if there are pre-FreeBSD 14
521 .It Ar set block-policy
523 .Ar block-policy
528 .Bl -tag -width xxxxxxxx -compact
539 .Bd -literal -offset indent
540 set block-policy return
542 .It Ar set fail-policy
544 .Ar fail-policy
547 This might happen when a nat or route-to rule uses an empty table as list
553 .Bl -tag -width xxxxxxxx -compact
564 .Bd -literal -offset indent
565 set fail-policy return
567 .It Ar set state-policy
569 .Ar state-policy
572 .Bl -tag -width group-bound -compact
573 .It Ar if-bound
580 .Bd -literal -offset indent
581 set state-policy if-bound
597 .Bl -tag -width adaptive -compact
604 is used up by half-open TCP connections, as in, those that saw the initial
607 .Bd -literal -offset indent
611 .It Ar set state-defaults
613 .Ar state-defaults
618 .Bd -literal -offset indent
619 set state-defaults no-sync
622 The 32-bit
628 By default the hostid is set to a pseudo-random value, however it may be
631 .Bd -literal -offset indent
636 .It Ar set require-order
648 There may be non-trivial and non-obvious implications to an out of
680 .Bl -tag -width xxxxxxxxxxxx -compact
713 .Bl -tag -width xxxx
730 .Bl -tag -width xxxx
752 .It Ar bridge-to Aq interface
809 .Bl -tag -width xxxx
810 .It Ar no-df
812 .Ar dont-fragment
815 .Ar dont-fragment
820 .Ar dont-fragment
822 .Ar no-df
826 .Ar dont-fragment
829 .Ar dont-fragment
833 .Ar random-id
835 .Ar no-df
837 .It Ar min-ttl Aq Ar number
839 .It Ar max-mss Aq Ar number
841 .It Xo Ar set-tos Aq Ar string
850 .Ar critical ,
862 .It Ar random-id
872 .Bl -tag -width timeout -compact
899 delayed for longer than it takes the connection to wrap its 32-bit sequence
919 .Bd -literal -offset indent
920 match in all scrub (no-df random-id max-mss 1440)
922 .Ss Scrub ruleset (pre-FreeBSD 14)
938 .Bl -tag -width xxxx
954 .Bd -literal -offset indent
975 The ALTQ system is currently not available in the GENERIC kernel nor as
1004 .Bl -tag -width xxxx
1067 supports both link-sharing and guaranteed real-time services.
1082 .Bl -tag -width xxxx
1120 Adjusts the size, in bytes, of the token bucket regulator.
1128 should queue up to 5Mbps in four second-level queues using
1131 .Bd -literal -offset indent
1151 .Bl -tag -width xxxx
1193 .Bl -tag -width Fl
1215 .Bl -tag -width Fl
1224 .Bl -tag -width Fl
1285 .Bd -literal
1364 .Bl -tag -width xxxx
1365 .It Ar af-to
1368 .Ar af-to
1372 .Ar af-to
1384 part is 32 bits long.
1393 .Bd -literal -offset indent
1394 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1395 pass in inet af-to inet6 from 2001:db8::1
1404 .Bd -literal -offset indent
1405 pass in inet6 af-to inet from 198.51.100.1 to 0.0.0.0/0
1406 pass in inet6 af-to inet from 198.51.100.1
1431 .Bd -literal
1432 10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8)
1433 172.16.0.0 - 172.31.255.255 (i.e., 172.16/12)
1434 192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
1441 rdr ... port 2000:2999 -\*(Gt ... port 4000
1443 rdr ... port 2000:2999 -\*(Gt ... port 4000:*
1461 A random source port in the range 50001-65535 is chosen in this case; to
1505 .Bd -literal -offset indent
1506 rdr on ne3 inet proto tcp to port smtp -\*(Gt 127.0.0.1 port spamd
1512 Unless this effect is desired, any of the local non-loopback addresses
1557 .Bl -tag -width xxxx
1567 .Ar block-policy
1568 option, or on a per-rule basis with one of the following options:
1570 .Bl -tag -width xxxx -compact
1573 .It Ar return-rst
1578 .It Ar return-icmp
1579 .It Ar return-icmp6
1598 .Bd -literal -offset indent
1651 .Bd -literal -offset indent
1652 pass out inet proto icmp all icmp-type echoreq
1665 Furthermore, correct handling of ICMP error messages is critical to
1704 .Bl -tag -width xxxx
1804 .Bl -tag -width xxxxxxxxxxxxxx -compact
1807 .It Ar no-route
1809 .It Ar urpf-failed
1820 .Sq -
1823 .Dq 10.1.1.10 - 10.1.1.12
1831 .Bl -tag -width xxxxxxxxxxxx -compact
1837 Translates to the point-to-point interface's peer address(es).
1845 v4 and non-link-local v6 address found.
1848 ruleset load-time.
1869 .Bd -literal -offset indent
1887 .Bl -tag -width Fl
1899 hence ports 1-1999 and 2005-65535.
1902 The operating system of the source host can be specified in the case of TCP
1907 .Sx OPERATING SYSTEM FINGERPRINTING
1911 .Bd -literal -offset indent
1973 .Bd -literal -offset indent
1994 .Bl -tag -width Fl
2016 .Pq non-SYN
2026 .Ar af-to ,
2036 .It Xo Ar icmp-type Aq Ar type
2039 .It Xo Ar icmp6-type Aq Ar type
2052 .Ar icmp-type
2054 .Ar icmp6-type
2066 .Ar critical ,
2080 .Bd -literal -offset indent
2085 .It Ar allow-opts
2089 .Ar allow-opts
2103 pfctl -s labels
2104 shows per-rule statistics for rules that have labels.
2108 .Bl -tag -width $srcaddr -compact -offset indent
2126 .Bd -literal -offset indent
2133 .Bd -literal -offset indent
2161 .Bd -literal -offset indent
2177 .Bd -literal -offset indent
2181 .It Ar received-on Aq Ar interface
2221 .It Xo Ar divert-to Aq Ar host
2235 If a packet is re-injected and does not change direction then it will not be
2236 re-diverted.
2237 .It Ar divert-reply
2246 .Bd -literal -offset indent
2257 .Bl -tag -width xxxx
2258 .It Ar route-to
2260 .Ar route-to
2264 .Ar route-to
2269 .It Ar reply-to
2271 .Ar reply-to
2273 .Ar route-to ,
2277 .Ar reply-to
2282 .It Ar dup-to
2284 .Ar dup-to
2286 .Ar route-to .
2295 .Ar route-to ,
2296 .Ar reply-to
2298 .Ar dup-to
2303 .Bl -tag -width xxxx
2316 .It Ar source-hash
2318 .Ar source-hash
2324 randomly generates a key for source-hash every time the
2326 .It Ar round-robin
2328 .Ar round-robin
2332 .Ar round-robin
2334 .It Ar static-port
2338 .Ar static-port
2342 .It Xo Ar map-e-portset Aq Ar psid-offset
2343 .No / Aq Ar psid-len
2349 .Ar map-e-portset
2350 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2351 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2353 to the map-e-portset nat rule.
2356 .Bd -literal -offset indent
2358 -> $ipv4_mape_src map-e-portset 6/8/0x34
2362 .It Ar endpoint-independent
2366 .Ar endpoint-independent
2371 This feature implements "full-cone" NAT behavior.
2375 .Ar sticky-address
2381 .Ar round-robin
2409 .Bd -literal -offset indent
2452 completed the handshake, hence so-called SYN floods with spoofed source
2475 .Bd -literal -offset indent
2480 per-rule basis.
2489 .Bl -tag -width xxxx -compact
2494 .It Ar no-sync
2516 .It Ar allow-related
2523 .Bd -literal -offset indent
2526 (max 100, source-track rule, max-src-nodes 75, \e
2527 max-src-states 3, tcp.established 60, tcp.closing 5)
2531 .Ar source-track
2534 .Bl -tag -width xxxx -compact
2535 .It Ar source-track rule
2537 .Ar max-src-nodes
2539 .Ar max-src-states
2543 .It Ar source-track global
2546 .Ar max-src-nodes
2548 .Ar max-src-states
2555 .Bl -tag -width xxxx -compact
2556 .It Ar max-src-nodes Aq Ar number
2559 .It Ar max-src-states Aq Ar number
2565 which have completed the TCP 3-way handshake) can also be enforced
2568 .Bl -tag -width xxxx -compact
2569 .It Ar max-src-conn Aq Ar number
2571 completed the 3-way handshake that a single host can make.
2572 .It Xo Ar max-src-conn-rate Aq Ar number
2582 Because the 3-way handshake ensures that the source address is not being
2609 .Bd -literal -offset indent
2612 (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global)
2614 .Sh OPERATING SYSTEM FINGERPRINTING
2616 connection's initial SYN packet and guess at the host's operating system.
2622 The fingerprints may be specified by operating system class, by
2624 The class of an operating system is typically the vendor or genre
2637 The subtype of an operating system is typically used to describe the
2643 .Ar no-df
2646 .Dl \&"OpenBSD 3.3 no-df\&"
2652 is running, a complete list of known operating system fingerprints may
2655 .Dl # pfctl -so
2657 Filter rules can enforce policy at any level of operating system specification
2665 which no operating system fingerprint is known.
2668 .Bd -literal -offset indent
2677 Operating system fingerprinting is limited only to the TCP SYN packet.
2681 Caveat: operating system fingerprints are occasionally wrong.
2683 appear as any operating system he chooses;
2684 an operating system patch could change the stack behavior and no fingerprints
2694 to the specified interface(s) from entering the system through
2698 .Bd -literal -offset indent
2703 .Bd -literal -offset indent
2708 For non-loopback interfaces, there are additional rules to block incoming
2713 .Bd -literal -offset indent
2718 .Bd -literal -offset indent
2769 .Bd -literal -offset indent
2823 characters, similar to how file system hierarchies are laid out.
2832 .Bl -tag -width xxxx
2833 .It Ar nat-anchor Aq Ar name
2838 .It Ar rdr-anchor Aq Ar name
2843 .It Ar binat-anchor Aq Ar name
2896 .Bd -literal -offset indent
2910 .Bd -literal -offset indent
2912 pfctl -a spam -f -
2924 .Bd -literal -offset indent
2926 load anchor spam from "/etc/pf-spam.conf"
2934 .Pa /etc/pf-spam.conf
2945 .Bd -literal -offset indent
2958 .Bd -literal -offset indent
2960 pfctl -a spam -f -
2970 .Bd -literal -offset indent
2984 Similar to file system path name resolution, if the sequence
2990 .Bd -literal -offset indent
2991 # echo ' anchor "spam/allowed" ' | pfctl -f -
2992 # echo -e ' anchor "../banned" \en pass' | \e
2993 pfctl -a spam/allowed -f -
3008 Brace delimited blocks may contain rules or other brace-delimited blocks.
3010 .Bd -literal -offset indent
3038 .Bd -literal
3043 rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080
3050 .Bd -literal
3051 rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e
3063 .Bd -literal
3064 nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111
3072 .Bd -literal
3075 nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100
3080 .Bd -literal
3084 rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e
3091 .Xr ftp-proxy 8 ,
3094 .Xr ftp-proxy 8
3096 .Xr ftp-proxy 8
3098 .Bd -literal
3102 nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if)
3108 nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e
3115 binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if
3119 binat on $peer_if from 172.21.16.0/20 to any -> 172.22.16.0/20
3125 -\*(Gt 10.1.2.151 port 22
3127 -\*(Gt 10.1.2.151 port 53
3131 # for proxying with ftp-proxy(8) running on port 8021.
3132 rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021
3139 .Bd -literal
3143 # using the source-hash keyword.
3144 nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash
3150 -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3153 .Bd -literal
3168 block in from no-route to any
3172 block in from urpf-failed to any
3184 # them anyway (hence, no return-rst).
3195 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3244 tag SPAMD -\*(Gt 127.0.0.1 port spamd
3251 translates an internal IPv4 subnet to IPv6 using the well-known
3253 .Bd -literal -offset 4n
3254 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3260 .Bd -literal -offset 4n
3261 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3267 .Bd -literal
3268 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3269 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3270 trans-anchors | anchor-rule | anchor-close | load-anchor |
3271 table-rule | include )
3273 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3274 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3276 "high-latency" | "satellite" |
3278 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3279 [ "loginterface" ( interface-name | "none" ) ] |
3280 [ "block-policy" ( "drop" | "return" ) ] |
3281 [ "state-policy" ( "if-bound" | "floating" ) ] |
3282 [ "state-defaults" state-opts ] |
3283 [ "require-order" ( "yes" | "no" ) ]
3289 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3290 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3292 [ etherfilteropt-list ]
3294 pf-rule = action [ ( "in" | "out" ) ]
3297 hosts [ filteropt-list ]
3300 logopt = "all" | "matches" | "user" | "to" interface-name
3302 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3306 filteropt-list = filteropt-list filteropt | filteropt
3307 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3308 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3309 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3311 [ "(" state-opts ")" ] |
3312 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3313 "max-mss" number | "random-id" | "reassemble tcp" |
3314 fragmentation | "allow-opts" |
3322 "received-on" ( interface-name | interface-group )
3324 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3327 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
3328 [ portspec ] [ pooltype ] [ "static-port" ]
3329 [ "map-e-portset" number "/" number "/" number ] ]
3331 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3332 [ "on" interface-name ] [ af ]
3333 [ "proto" ( proto-name | proto-number ) ]
3334 "from" address [ "/" mask-bits ] "to" ipspec
3336 [ "-\*(Gt" address [ "/" mask-bits ] ]
3338 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3341 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
3344 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3348 table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
3349 tableopts-list = tableopts-list tableopts | tableopts
3351 "{" [ tableaddr-list ] "}"
3352 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3353 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3355 ipv4-dotted-quad | ipv6-coloned-hex
3357 altq-rule = "altq on" interface-name queueopts-list
3359 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3362 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3363 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3365 anchor-close = "}"
3367 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3370 load-anchor = "load anchor" string "from" filename
3372 queueopts-list = queueopts-list queueopts | queueopts
3373 queueopts = [ "bandwidth" bandwidth-spec ] |
3376 schedulers = ( cbq-def | priq-def | hfsc-def )
3377 bandwidth-spec = number ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3381 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3382 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3383 "return-icmp6" [ "(" icmp6code ")" ]
3384 icmpcode = ( icmp-code-name | icmp-code-number )
3385 icmp6code = ( icmp6-code-name | icmp6-code-number )
3387 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3388 "{" interface-list "}"
3389 interface-list = [ "!" ] ( interface-name | interface-group )
3390 [ [ "," ] interface-list ]
3391 route = ( "route-to" | "reply-to" | "dup-to" )
3392 ( routehost | "{" routehost-list "}" )
3396 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3397 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3398 protospec = "proto" ( proto-name | proto-number |
3399 "{" proto-list "}" )
3400 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3406 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3407 "{" host-list "}" ) [ port ] [ os ]
3408 "to" ( "any" | "no-route" | "self" | host |
3409 "{" host-list "}" ) [ port ]
3411 ipspec = "any" | host | "{" host-list "}"
3412 host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
3413 redirhost = address [ "/" mask-bits ]
3414 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
3415 address = ( interface-name | interface-group |
3416 "(" ( interface-name | interface-group ) ")" |
3417 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3418 host-list = host [ [ "," ] host-list ]
3419 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3420 routehost-list = routehost [ [ "," ] routehost-list ]
3422 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3424 os = "os" ( os-name | "{" os-list "}" )
3425 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3426 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3428 unary-op = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ]
3430 binary-op = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number
3431 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3433 os-name = operating-system-name
3434 os-list = os-name [ [ "," ] os-list ]
3436 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3437 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3440 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3441 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3442 icmp-type-code = ( icmp-type-name | icmp-type-number )
3443 [ "code" ( icmp-code-name | icmp-code-number ) ]
3444 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3449 state-opts = state-opt [ [ "," ] state-opts ]
3450 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3451 "source-track" [ ( "rule" | "global" ) ] |
3452 "max-src-nodes" number | "max-src-states" number |
3453 "max-src-conn" number |
3454 "max-src-conn-rate" number "/" number |
3456 "if-bound" | "floating" | "pflow" )
3460 timeout-list = timeout [ [ "," ] timeout-list ]
3471 limit-list = limit-item [ [ "," ] limit-list ]
3472 limit-item = ( "states" | "frags" | "src-nodes" ) number
3475 "source-hash" [ ( hex-key | string-key ) ] |
3476 "round-robin" ) [ sticky-address ]
3478 subqueue = string | "{" queue-list "}"
3479 queue-list = string [ [ "," ] string ]
3480 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3481 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3482 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3483 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3484 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3485 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3486 linkshare-sc | realtime-sc | upperlimit-sc )
3487 linkshare-sc = "linkshare" sc-spec
3488 realtime-sc = "realtime" sc-spec
3489 upperlimit-sc = "upperlimit" sc-spec
3490 sc-spec = ( bandwidth-spec |
3491 "(" bandwidth-spec number bandwidth-spec ")" )
3495 .Bl -tag -width "/etc/protocols" -compact
3526 .Xr ftp-proxy 8 ,