1.\" $NetBSD: pf.4,v 1.3 2005/07/01 12:43:50 peter Exp $ 2.\" $OpenBSD: pf.4,v 1.54 2004/12/22 17:17:55 dhartmei Exp $ 3.\" 4.\" Copyright (C) 2001, Kjell Wooding. All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. Neither the name of the project nor the names of its contributors 15.\" may be used to endorse or promote products derived from this software 16.\" without specific prior written permission. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 19.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 20.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 21.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 22.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 23.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 24.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 25.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 26.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 27.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 28.\" SUCH DAMAGE. 29.\" 30.Dd June 24, 2001 31.Dt PF 4 32.Os 33.Sh NAME 34.Nm pf 35.Nd packet filter 36.Sh SYNOPSIS 37.Cd "pseudo-device pf" 38.Sh DESCRIPTION 39Packet filtering takes place in the kernel. 40A pseudo-device, 41.Pa /dev/pf , 42allows userland processes to control the 43behavior of the packet filter through an 44.Xr ioctl 2 45interface. 46There are commands to enable and disable the filter, load rulesets, 47add and remove individual rules or state table entries, 48and retrieve statistics. 49The most commonly used functions are covered by 50.Xr pfctl 8 . 51.Pp 52Manipulations like loading a ruleset that involve more than a single 53.Xr ioctl 2 54call require a so-called 55.Em ticket , 56which prevents the occurrence of 57multiple concurrent manipulations. 58.Pp 59Fields of 60.Xr ioctl 2 61parameter structures that refer to packet data (like 62addresses and ports) are generally expected in network byte-order. 63.Pp 64Rules and address tables are contained in so-called 65.Em anchors . 66When servicing an 67.Xr ioctl 2 68request, if the anchor field of the argument structure is empty, 69the kernel will use the default anchor (i.e., the main ruleset) 70in operations. 71Anchors are specified by name and may be nested, with components 72separated by 73.Sq / 74characters, similar to how file system hierarchies are laid out. 75The final component of the anchor path is the anchor under which 76operations will be performed. 77.Sh IOCTL INTERFACE 78.Nm 79supports the following 80.Xr ioctl 2 81commands, available through 82.Aq Pa net/pfvar.h : 83.Bl -tag -width xxxxxx 84.It Dv DIOCSTART 85Start the packet filter. 86.It Dv DIOCSTOP 87Stop the packet filter. 88.It Dv DIOCSTARTALTQ 89Start the ALTQ bandwidth control system (see 90.Xr altq 9 ) . 91.It Dv DIOCSTOPALTQ 92Stop the ALTQ bandwidth control system. 93.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp" 94.Bd -literal 95struct pfioc_pooladdr { 96 u_int32_t action; 97 u_int32_t ticket; 98 u_int32_t nr; 99 u_int32_t r_num; 100 u_int8_t r_action; 101 u_int8_t r_last; 102 u_int8_t af; 103 char anchor[MAXPATHLEN]; 104 struct pf_pooladdr addr; 105}; 106.Ed 107.Pp 108Clear the buffer address pool and get a 109.Va ticket 110for subsequent 111.Dv DIOCADDADDR , 112.Dv DIOCADDRULE , 113and 114.Dv DIOCCHANGERULE 115calls. 116.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp" 117.Pp 118Add the pool address 119.Va addr 120to the buffer address pool to be used in the following 121.Dv DIOCADDRULE 122or 123.Dv DIOCCHANGERULE 124call. 125All other members of the structure are ignored. 126.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr" 127.Bd -literal 128struct pfioc_rule { 129 u_int32_t action; 130 u_int32_t ticket; 131 u_int32_t pool_ticket; 132 u_int32_t nr; 133 char anchor[MAXPATHLEN]; 134 char anchor_call[MAXPATHLEN]; 135 struct pf_rule rule; 136}; 137.Ed 138.Pp 139Add 140.Va rule 141at the end of the inactive ruleset. 142This call requires a 143.Va ticket 144obtained through a preceding 145.Dv DIOCXBEGIN 146call and a 147.Va pool_ticket 148obtained through a 149.Dv DIOCBEGINADDRS 150call. 151.Dv DIOCADDADDR 152must also be called if any pool addresses are required. 153The optional 154.Va anchor 155name indicates the anchor in which to append the rule. 156.Va nr 157and 158.Va action 159are ignored. 160.It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa" 161Add an ALTQ discipline or queue. 162.Bd -literal 163struct pfioc_altq { 164 u_int32_t action; 165 u_int32_t ticket; 166 u_int32_t nr; 167 struct pf_altq altq; 168}; 169.Ed 170.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr" 171Get a 172.Va ticket 173for subsequent 174.Dv DIOCGETRULE 175calls and the number 176.Va nr 177of rules in the active ruleset. 178.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr" 179Get a 180.Va rule 181by its number 182.Va nr 183using the 184.Va ticket 185obtained through a preceding 186.Dv DIOCGETRULES 187call. 188.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp" 189Get a 190.Va ticket 191for subsequent 192.Dv DIOCGETADDR 193calls and the number 194.Va nr 195of pool addresses in the rule specified with 196.Va r_action , 197.Va r_num , 198and 199.Va anchor . 200.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp" 201Get the pool address 202.Va addr 203by its number 204.Va nr 205from the rule specified with 206.Va r_action , 207.Va r_num , 208and 209.Va anchor 210using the 211.Va ticket 212obtained through a preceding 213.Dv DIOCGETADDRS 214call. 215.It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa" 216Get a 217.Va ticket 218for subsequent 219.Dv DIOCGETALTQ 220calls and the number 221.Va nr 222of queues in the active list. 223.It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa" 224Get the queueing discipline 225.Va altq 226by its number 227.Va nr 228using the 229.Va ticket 230obtained through a preceding 231.Dv DIOCGETALTQS 232call. 233.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq" 234Get the statistics on a queue. 235.Bd -literal 236struct pfioc_qstats { 237 u_int32_t ticket; 238 u_int32_t nr; 239 void *buf; 240 int nbytes; 241 u_int8_t scheduler; 242}; 243.Ed 244.Pp 245This call fills in a pointer to the buffer of statistics 246.Va buf , 247of length 248.Va nbytes , 249for the queue specified by 250.Va nr . 251.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr" 252.Bd -literal 253struct pfioc_ruleset { 254 u_int32_t nr; 255 char path[MAXPATHLEN]; 256 char name[PF_ANCHOR_NAME_SIZE]; 257}; 258.Ed 259.Pp 260Get the number 261.Va nr 262of rulesets (i.e., anchors) directly attached to the anchor named by 263.Va path 264for use in subsequent 265.Dv DIOCGETRULESET 266calls. 267Nested anchors, since they are not directly attached to the given 268anchor, will not be included. 269This ioctl returns 270.Er EINVAL 271if the given anchor does not exist. 272.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr" 273Get a ruleset (i.e., an anchor) 274.Va name 275by its number 276.Va nr 277from the given anchor 278.Va path , 279the maximum number of which can be obtained from a preceding 280.Dv DIOCGETRULESETS 281call. 282This ioctl returns 283.Er EINVAL 284if the given anchor does not exist or 285.Er EBUSY 286if another process is concurrently updating a ruleset. 287.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps" 288Add a state entry. 289.Bd -literal 290struct pfioc_state { 291 u_int32_t nr; 292 struct pf_state state; 293}; 294.Ed 295.It Dv DIOCGETSTATE Fa "struct pfioc_state *ps" 296Extract the entry with the specified number 297.Va nr 298from the state table. 299.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk" 300Remove matching entries from the state table. 301This ioctl returns the number of killed states in 302.Va psk_af . 303.Bd -literal 304struct pfioc_state_kill { 305 sa_family_t psk_af; 306 int psk_proto; 307 struct pf_rule_addr psk_src; 308 struct pf_rule_addr psk_dst; 309 char psk_ifname[IFNAMSIZ]; 310}; 311.Ed 312.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk" 313Clear all states. 314It works like 315.Dv DIOCKILLSTATES , 316but ignores the 317.Va psk_af , 318.Va psk_proto , 319.Va psk_src , 320and 321.Va psk_dst 322fields of the 323.Vt pfioc_state_kill 324structure. 325.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi" 326Specify the interface for which statistics are accumulated. 327.Bd -literal 328struct pfioc_if { 329 char ifname[IFNAMSIZ]; 330}; 331.Ed 332.It Dv DIOCGETSTATUS Fa "struct pf_status *s" 333Get the internal packet filter statistics. 334.Bd -literal 335struct pf_status { 336 u_int64_t counters[PFRES_MAX]; 337 u_int64_t lcounters[LCNT_MAX]; 338 u_int64_t fcounters[FCNT_MAX]; 339 u_int64_t scounters[SCNT_MAX]; 340 u_int64_t pcounters[2][2][3]; 341 u_int64_t bcounters[2][2]; 342 u_int64_t stateid; 343 u_int32_t running; 344 u_int32_t states; 345 u_int32_t src_nodes; 346 u_int32_t since; 347 u_int32_t debug; 348 u_int32_t hostid; 349 char ifname[IFNAMSIZ]; 350}; 351.Ed 352.It Dv DIOCCLRSTATUS 353Clear the internal packet filter statistics. 354.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl" 355Look up a state table entry by source and destination addresses and ports. 356.Bd -literal 357struct pfioc_natlook { 358 struct pf_addr saddr; 359 struct pf_addr daddr; 360 struct pf_addr rsaddr; 361 struct pf_addr rdaddr; 362 u_int16_t sport; 363 u_int16_t dport; 364 u_int16_t rsport; 365 u_int16_t rdport; 366 sa_family_t af; 367 u_int8_t proto; 368 u_int8_t direction; 369}; 370.Ed 371.It Dv DIOCSETDEBUG Fa "u_int32_t *level" 372Set the debug level. 373.Bd -literal 374enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, 375 PF_DEBUG_NOISY }; 376.Ed 377.It Dv DIOCGETSTATES Fa "struct pfioc_states *ps" 378Get state table entries. 379.Bd -literal 380struct pfioc_states { 381 int ps_len; 382 union { 383 caddr_t psu_buf; 384 struct pf_state *psu_states; 385 } ps_u; 386#define ps_buf ps_u.psu_buf 387#define ps_states ps_u.psu_states 388}; 389.Ed 390.Pp 391If 392.Va ps_len 393is zero, all states will be gathered into 394.Va pf_states 395and 396.Va ps_len 397will be set to the size they take in memory (i.e., 398.Li sizeof(struct pf_state) * nr ) . 399If 400.Va ps_len 401is non-zero, as many states that can fit into 402.Va ps_len 403as possible will be gathered, and 404.Va ps_len 405will be updated to the size those rules take in memory. 406.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr" 407Add or remove the 408.Va rule 409in the ruleset specified by 410.Va rule.action . 411.Pp 412The type of operation to be performed is indicated by 413.Va action , 414which can be any of the following: 415.Bd -literal 416enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 417 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 418 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; 419.Ed 420.Pp 421.Va ticket 422must be set to the value obtained with 423.Dv PF_CHANGE_GET_TICKET 424for all actions except 425.Dv PF_CHANGE_GET_TICKET . 426.Va pool_ticket 427must be set to the value obtained with the 428.Dv DIOCBEGINADDRS 429call for all actions except 430.Dv PF_CHANGE_REMOVE 431and 432.Dv PF_CHANGE_GET_TICKET . 433.Va anchor 434indicates to which anchor the operation applies. 435.Va nr 436indicates the rule number against which 437.Dv PF_CHANGE_ADD_BEFORE , 438.Dv PF_CHANGE_ADD_AFTER , 439or 440.Dv PF_CHANGE_REMOVE 441actions are applied. 442.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr" 443.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca" 444Add or remove the pool address 445.Va addr 446from the rule specified by 447.Va r_action , 448.Va r_num , 449and 450.Va anchor . 451.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt" 452.Bd -literal 453struct pfioc_tm { 454 int timeout; 455 int seconds; 456}; 457.Ed 458.Pp 459Set the state timeout of 460.Va timeout 461to 462.Va seconds . 463The old value will be placed into 464.Va seconds . 465For possible values of 466.Va timeout , 467consult the 468.Dv PFTM_* 469values in 470.Aq Pa net/pfvar.h . 471.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt" 472Get the state timeout of 473.Va timeout . 474The value will be placed into the 475.Va seconds 476field. 477.It Dv DIOCCLRRULECTRS 478Clear per-rule statistics. 479.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl" 480Set the hard limits on the memory pools used by the packet filter. 481.Bd -literal 482struct pfioc_limit { 483 int index; 484 unsigned limit; 485}; 486 487enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS }; 488.Ed 489.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl" 490Get the hard 491.Va limit 492for the memory pool indicated by 493.Va index . 494.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io" 495Clear all tables. 496All the ioctls that manipulate radix tables 497use the same structure described below. 498For 499.Dv DIOCRCLRTABLES , 500.Va pfrio_ndel 501contains on exit the number of tables deleted. 502.Bd -literal 503struct pfioc_table { 504 struct pfr_table pfrio_table; 505 void *pfrio_buffer; 506 int pfrio_esize; 507 int pfrio_size; 508 int pfrio_size2; 509 int pfrio_nadd; 510 int pfrio_ndel; 511 int pfrio_nchange; 512 int pfrio_flags; 513 u_int32_t pfrio_ticket; 514}; 515#define pfrio_exists pfrio_nadd 516#define pfrio_nzero pfrio_nadd 517#define pfrio_nmatch pfrio_nadd 518#define pfrio_naddr pfrio_size2 519#define pfrio_setflag pfrio_size2 520#define pfrio_clrflag pfrio_nadd 521.Ed 522.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io" 523Create one or more tables. 524On entry, 525.Va pfrio_buffer[pfrio_size] 526contains a table of 527.Vt pfr_table 528structures. 529On exit, 530.Va pfrio_nadd 531contains the number of tables effectively created. 532.Bd -literal 533struct pfr_table { 534 char pfrt_anchor[MAXPATHLEN]; 535 char pfrt_name[PF_TABLE_NAME_SIZE]; 536 u_int32_t pfrt_flags; 537 u_int8_t pfrt_fback; 538}; 539.Ed 540.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io" 541Delete one or more tables. 542On entry, 543.Va pfrio_buffer[pfrio_size] 544contains a table of 545.Vt pfr_table 546structures. 547On exit, 548.Va pfrio_nadd 549contains the number of tables effectively deleted. 550.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io" 551Get the list of all tables. 552On entry, 553.Va pfrio_buffer[pfrio_size] 554contains a valid writeable buffer for 555.Vt pfr_table 556structures. 557On exit, 558.Va pfrio_size 559contains the number of tables written into the buffer. 560If the buffer is too small, the kernel does not store anything but just 561returns the required buffer size, without error. 562.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io" 563This call is like 564.Dv DIOCRGETTABLES 565but is used to get an array of 566.Vt pfr_tstats 567structures. 568.Bd -literal 569struct pfr_tstats { 570 struct pfr_table pfrts_t; 571 u_int64_t pfrts_packets 572 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 573 u_int64_t pfrts_bytes 574 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 575 u_int64_t pfrts_match; 576 u_int64_t pfrts_nomatch; 577 long pfrts_tzero; 578 int pfrts_cnt; 579 int pfrts_refcnt[PFR_REFCNT_MAX]; 580}; 581#define pfrts_name pfrts_t.pfrt_name 582#define pfrts_flags pfrts_t.pfrt_flags 583.Ed 584.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io" 585Clear the statistics of one or more tables. 586On entry, 587.Va pfrio_buffer[pfrio_size] 588contains a table of 589.Vt pfr_table 590structures. 591On exit, 592.Va pfrio_nzero 593contains the number of tables effectively cleared. 594.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io" 595Clear all addresses in a table. 596On entry, 597.Va pfrio_table 598contains the table to clear. 599On exit, 600.Va pfrio_ndel 601contains the number of addresses removed. 602.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io" 603Add one or more addresses to a table. 604On entry, 605.Va pfrio_table 606contains the table ID and 607.Va pfrio_buffer[pfrio_size] 608contains the list of 609.Vt pfr_addr 610structures to add. 611On exit, 612.Va pfrio_nadd 613contains the number of addresses effectively added. 614.Bd -literal 615struct pfr_addr { 616 union { 617 struct in_addr _pfra_ip4addr; 618 struct in6_addr _pfra_ip6addr; 619 } pfra_u; 620 u_int8_t pfra_af; 621 u_int8_t pfra_net; 622 u_int8_t pfra_not; 623 u_int8_t pfra_fback; 624}; 625#define pfra_ip4addr pfra_u._pfra_ip4addr 626#define pfra_ip6addr pfra_u._pfra_ip6addr 627.Ed 628.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io" 629Delete one or more addresses from a table. 630On entry, 631.Va pfrio_table 632contains the table ID and 633.Va pfrio_buffer[pfrio_size] 634contains the list of 635.Vt pfr_addr 636structures to delete. 637On exit, 638.Va pfrio_ndel 639contains the number of addresses effectively deleted. 640.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io" 641Replace the content of a table by a new address list. 642This is the most complicated command, which uses all the structure members. 643.Pp 644On entry, 645.Va pfrio_table 646contains the table ID and 647.Va pfrio_buffer[pfrio_size] 648contains the new list of 649.Vt pfr_addr 650structures. 651Additionally, if 652.Va pfrio_size2 653is non-zero, 654.Va pfrio_buffer[pfrio_size..pfrio_size2] 655must be a writeable buffer, into which the kernel can copy the 656addresses that have been deleted during the replace operation. 657On exit, 658.Va pfrio_ndel , 659.Va pfrio_nadd , 660and 661.Va pfrio_nchange 662contain the number of addresses deleted, added, and changed by the 663kernel. 664If 665.Va pfrio_size2 666was set on entry, 667.Va pfrio_size2 668will point to the size of the buffer used, exactly like 669.Dv DIOCRGETADDRS . 670.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io" 671Get all the addresses of a table. 672On entry, 673.Va pfrio_table 674contains the table ID and 675.Va pfrio_buffer[pfrio_size] 676contains a valid writeable buffer for 677.Vt pfr_addr 678structures. 679On exit, 680.Va pfrio_size 681contains the number of addresses written into the buffer. 682If the buffer was too small, the kernel does not store anything but just 683returns the required buffer size, without returning an error. 684.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io" 685This call is like 686.Dv DIOCRGETADDRS 687but is used to get an array of 688.Vt pfr_astats 689structures. 690.Bd -literal 691struct pfr_astats { 692 struct pfr_addr pfras_a; 693 u_int64_t pfras_packets 694 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 695 u_int64_t pfras_bytes 696 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 697 long pfras_tzero; 698}; 699.Ed 700.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io" 701Clear the statistics of one or more addresses. 702On entry, 703.Va pfrio_table 704contains the table ID and 705.Va pfrio_buffer[pfrio_size] 706contains a table of 707.Vt pfr_addr 708structures to clear. 709On exit, 710.Va pfrio_nzero 711contains the number of addresses effectively cleared. 712.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io" 713Test if the given addresses match a table. 714On entry, 715.Va pfrio_table 716contains the table ID and 717.Va pfrio_buffer[pfrio_size] 718contains a table of 719.Vt pfr_addr 720structures to test. 721On exit, the kernel updates the 722.Vt pfr_addr 723table by setting the 724.Va pfra_fback 725member appropriately. 726.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io" 727Change the 728.Dv PFR_TFLAG_CONST 729or 730.Dv PFR_TFLAG_PERSIST 731flags of a table. 732On entry, 733.Va pfrio_buffer[pfrio_size] 734contains a table of 735.Vt pfr_table 736structures, and 737.Va pfrio_setflag 738contains the flags to add, while 739.Va pfrio_clrflag 740contains the flags to remove. 741On exit, 742.Va pfrio_nchange 743and 744.Va pfrio_ndel 745contain the number of tables altered or deleted by the kernel. 746Yes, tables can be deleted if one removes the 747.Dv PFR_TFLAG_PERSIST 748flag of an unreferenced table. 749.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io" 750Defines a table in the inactive set. 751On entry, 752.Va pfrio_table 753contains the table ID and 754.Va pfrio_buffer[pfrio_size] 755contains the list of 756.Vt pfr_addr 757structures to put in the table. 758A valid ticket must also be supplied to 759.Va pfrio_ticket . 760On exit, 761.Va pfrio_nadd 762contains 0 if the table was already defined in the inactive list 763or 1 if a new table has been created. 764.Va pfrio_naddr 765contains the number of addresses effectively put in the table. 766.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io" 767.Bd -literal 768struct pfioc_trans { 769 int size; /* number of elements */ 770 int esize; /* size of each element in bytes */ 771 struct pfioc_trans_e { 772 int rs_num; 773 char anchor[MAXPATHLEN]; 774 u_int32_t ticket; 775 } *array; 776}; 777.Ed 778.Pp 779Clear all the inactive rulesets specified in the 780.Vt pfioc_trans_e 781array. 782For each ruleset, a ticket is returned for subsequent "add rule" ioctls, 783as well as for the 784.Dv DIOCXCOMMIT 785and 786.Dv DIOCXROLLBACK 787calls. 788.Pp 789Ruleset types, identified by 790.Va rs_num , 791include the following: 792.Pp 793.Bl -tag -width PF_RULESET_FILTER -offset ind -compact 794.It Dv PF_RULESET_SCRUB 795Scrub (packet normalization) rules. 796.It Dv PF_RULESET_FILTER 797Filter rules. 798.It Dv PF_RULESET_NAT 799NAT (Network Address Translation) rules. 800.It Dv PF_RULESET_BINAT 801Bidirectional NAT rules. 802.It Dv PF_RULESET_RDR 803Redirect rules. 804.It Dv PF_RULESET_ALTQ 805ALTQ disciplines. 806.It Dv PF_RULESET_TABLE 807Address tables. 808.El 809.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io" 810Atomically switch a vector of inactive rulesets to the active rulesets. 811This call is implemented as a standard two-phase commit, which will either 812fail for all rulesets or completely succeed. 813All tickets need to be valid. 814This ioctl returns 815.Er EBUSY 816if another process is concurrently updating some of the same rulesets. 817.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io" 818Clean up the kernel by undoing all changes that have taken place on the 819inactive rulesets since the last 820.Dv DIOCXBEGIN . 821.Dv DIOCXROLLBACK 822will silently ignore rulesets for which the ticket is invalid. 823.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid" 824Set the host ID, which is used by 825.Xr pfsync 4 826to identify which host created state table entries. 827.It Dv DIOCOSFPFLUSH 828Flush the passive OS fingerprint table. 829.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io" 830.Bd -literal 831struct pf_osfp_ioctl { 832 struct pf_osfp_entry { 833 SLIST_ENTRY(pf_osfp_entry) fp_entry; 834 pf_osfp_t fp_os; 835 char fp_class_nm[PF_OSFP_LEN]; 836 char fp_version_nm[PF_OSFP_LEN]; 837 char fp_subtype_nm[PF_OSFP_LEN]; 838 } fp_os; 839 pf_tcpopts_t fp_tcpopts; 840 u_int16_t fp_wsize; 841 u_int16_t fp_psize; 842 u_int16_t fp_mss; 843 u_int16_t fp_flags; 844 u_int8_t fp_optcnt; 845 u_int8_t fp_wscale; 846 u_int8_t fp_ttl; 847 int fp_getnum; 848}; 849.Ed 850.Pp 851Add a passive OS fingerprint to the table. 852Set 853.Va fp_os.fp_os 854to the packed fingerprint, 855.Va fp_os.fp_class_nm 856to the name of the class (Linux, Windows, etc), 857.Va fp_os.fp_version_nm 858to the name of the version (NT, 95, 98), and 859.Va fp_os.fp_subtype_nm 860to the name of the subtype or patchlevel. 861The members 862.Va fp_mss , 863.Va fp_wsize , 864.Va fp_psize , 865.Va fp_ttl , 866.Va fp_optcnt , 867and 868.Va fp_wscale 869are set to the TCP MSS, the TCP window size, the IP length, the IP TTL, 870the number of TCP options, and the TCP window scaling constant of the 871TCP SYN packet, respectively. 872.Pp 873The 874.Va fp_flags 875member is filled according to the 876.Aq Pa net/pfvar.h 877include file 878.Dv PF_OSFP_* 879defines. 880The 881.Va fp_tcpopts 882member contains packed TCP options. 883Each option uses 884.Dv PF_OSFP_TCPOPT_BITS 885bits in the packed value. 886Options include any of 887.Dv PF_OSFP_TCPOPT_NOP , 888.Dv PF_OSFP_TCPOPT_SACK , 889.Dv PF_OSFP_TCPOPT_WSCALE , 890.Dv PF_OSFP_TCPOPT_MSS , 891or 892.Dv PF_OSFP_TCPOPT_TS . 893.Pp 894The 895.Va fp_getnum 896member is not used with this ioctl. 897.Pp 898The structure's slack space must be zeroed for correct operation; 899.Xr memset 3 900the whole structure to zero before filling and sending to the kernel. 901.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io" 902Get the passive OS fingerprint number 903.Va fp_getnum 904from the kernel's fingerprint list. 905The rest of the structure members will come back filled. 906Get the whole list by repeatedly incrementing the 907.Va fp_getnum 908number until the ioctl returns 909.Er EBUSY . 910.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn" 911.Bd -literal 912struct pfioc_src_nodes { 913 int psn_len; 914 union { 915 caddr_t psu_buf; 916 struct pf_src_node *psu_src_nodes; 917 } psn_u; 918#define psn_buf psn_u.psu_buf 919#define psn_src_nodes psn_u.psu_src_nodes 920}; 921.Ed 922.Pp 923Get the list of source nodes kept by sticky addresses and source 924tracking. 925The ioctl must be called once with 926.Va psn_len 927set to 0. 928If the ioctl returns without error, 929.Va psn_len 930will be set to the size of the buffer required to hold all the 931.Va pf_src_node 932structures held in the table. 933A buffer of this size should then be allocated, and a pointer to this buffer 934placed in 935.Va psn_buf . 936The ioctl must then be called again to fill this buffer with the actual 937source node data. 938After that call, 939.Va psn_len 940will be set to the length of the buffer actually used. 941.It Dv DIOCCLRSRCNODES 942Clear the tree of source tracking nodes. 943.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io" 944Get the list of interfaces and interface drivers known to 945.Nm . 946All the ioctls that manipulate interfaces 947use the same structure described below: 948.Bd -literal 949struct pfioc_iface { 950 char pfiio_name[IFNAMSIZ]; 951 void *pfiio_buffer; 952 int pfiio_esize; 953 int pfiio_size; 954 int pfiio_nzero; 955 int pfiio_flags; 956}; 957 958#define PFI_FLAG_GROUP 0x0001 /* gets groups of interfaces */ 959#define PFI_FLAG_INSTANCE 0x0002 /* gets single interfaces */ 960#define PFI_FLAG_ALLMASK 0x0003 961.Ed 962.Pp 963If not empty, 964.Va pfiio_name 965can be used to restrict the search to a specific interface or driver. 966.Va pfiio_buffer[pfiio_size] 967is the user-supplied buffer for returning the data. 968On entry, 969.Va pfiio_size 970represents the number of 971.Va pfi_if 972entries that can fit into the buffer. 973The kernel will replace this value by the real number of entries it wants 974to return. 975.Va pfiio_esize 976should be set to 977.Li sizeof(struct pfi_if) . 978.Va pfiio_flags 979should be set to 980.Dv PFI_FLAG_GROUP , 981.Dv PFI_FLAG_INSTANCE , 982or both, to tell the kernel to return a group of interfaces 983(drivers, like "fxp"), real interface instances (like "fxp1") or both. 984The data is returned in the 985.Vt pfi_if 986structure described below: 987.Bd -literal 988struct pfi_if { 989 char pfif_name[IFNAMSIZ]; 990 u_int64_t pfif_packets[2][2][2]; 991 u_int64_t pfif_bytes[2][2][2]; 992 u_int64_t pfif_addcnt; 993 u_int64_t pfif_delcnt; 994 long pfif_tzero; 995 int pfif_states; 996 int pfif_rules; 997 int pfif_flags; 998}; 999 1000#define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */ 1001#define PFI_IFLAG_INSTANCE 0x0002 /* single instance */ 1002#define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */ 1003#define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */ 1004#define PFI_IFLAG_ATTACHED 0x0040 /* interface attached */ 1005.Ed 1006.It Dv DIOCICLRISTATS Fa "struct pfioc_iface *io" 1007Clear the statistics counters of one or more interfaces. 1008.Va pfiio_name 1009and 1010.Va pfiio_flags 1011can be used to select which interfaces need to be cleared. 1012The filtering process is the same as for 1013.Dv DIOCIGETIFACES . 1014.Va pfiio_nzero 1015will be set by the kernel to the number of interfaces and drivers 1016that have been cleared. 1017.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io" 1018Set the user setable flags (described below) of the pf internal interface 1019description. 1020The filtering process is the same as for 1021.Dv DIOCIGETIFACES . 1022.Bd -literal 1023#define PFI_IFLAG_SKIP 0x0100 /* skip interface */ 1024#define PFI_IFLAG_SETABLE_MASK 0x0100 /* mask */ 1025.Ed 1026.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io" 1027Works as 1028.Dv DIOCSETIFFLAG 1029above but clears the flags. 1030.El 1031.Sh FILES 1032.Bl -tag -width /dev/pf -compact 1033.It Pa /dev/pf 1034packet filtering device. 1035.El 1036.Sh EXAMPLES 1037The following example demonstrates how to use the 1038.Dv DIOCNATLOOK 1039command to find the internal host/port of a NATed connection: 1040.Bd -literal 1041#include <sys/types.h> 1042#include <sys/socket.h> 1043#include <sys/ioctl.h> 1044#include <sys/fcntl.h> 1045#include <net/if.h> 1046#include <netinet/in.h> 1047#include <net/pfvar.h> 1048#include <err.h> 1049#include <stdio.h> 1050#include <stdlib.h> 1051 1052u_int32_t 1053read_address(const char *s) 1054{ 1055 int a, b, c, d; 1056 1057 sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d); 1058 return htonl(a << 24 | b << 16 | c << 8 | d); 1059} 1060 1061void 1062print_address(u_int32_t a) 1063{ 1064 a = ntohl(a); 1065 printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255, 1066 a >> 8 & 255, a & 255); 1067} 1068 1069int 1070main(int argc, char *argv[]) 1071{ 1072 struct pfioc_natlook nl; 1073 int dev; 1074 1075 if (argc != 5) { 1076 printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n", 1077 argv[0]); 1078 return 1; 1079 } 1080 1081 dev = open("/dev/pf", O_RDWR); 1082 if (dev == -1) 1083 err(1, "open(\\"/dev/pf\\") failed"); 1084 1085 memset(&nl, 0, sizeof(struct pfioc_natlook)); 1086 nl.saddr.v4.s_addr = read_address(argv[1]); 1087 nl.sport = htons(atoi(argv[2])); 1088 nl.daddr.v4.s_addr = read_address(argv[3]); 1089 nl.dport = htons(atoi(argv[4])); 1090 nl.af = AF_INET; 1091 nl.proto = IPPROTO_TCP; 1092 nl.direction = PF_IN; 1093 1094 if (ioctl(dev, DIOCNATLOOK, &nl)) 1095 err(1, "DIOCNATLOOK"); 1096 1097 printf("internal host "); 1098 print_address(nl.rsaddr.v4.s_addr); 1099 printf(":%u\\n", ntohs(nl.rsport)); 1100 return 0; 1101} 1102.Ed 1103.Sh SEE ALSO 1104.Xr ioctl 2 , 1105.Xr bridge 4 , 1106.Xr pflog 4 , 1107.Xr pfsync 4 , 1108.Xr pfctl 8 , 1109.Xr altq 9 1110.Sh HISTORY 1111The 1112.Nm 1113packet filtering mechanism first appeared in 1114.Ox 3.0 . 1115