xref: /openbsd-src/share/man/man4/pf.4 (revision a28daedfc357b214be5c701aa8ba8adb29a7f1c2) 
1.\"	$OpenBSD: pf.4,v 1.64 2009/04/02 13:46:06 sthen Exp $
2.\"
3.\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\"    notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\" 3. Neither the name of the project nor the names of its contributors
14.\"    may be used to endorse or promote products derived from this software
15.\"    without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27.\" SUCH DAMAGE.
28.\"
29.Dd $Mdocdate: April 2 2009 $
30.Dt PF 4
31.Os
32.Sh NAME
33.Nm pf
34.Nd packet filter
35.Sh SYNOPSIS
36.Cd "pseudo-device pf"
37.Sh DESCRIPTION
38Packet filtering takes place in the kernel.
39A pseudo-device,
40.Pa /dev/pf ,
41allows userland processes to control the
42behavior of the packet filter through an
43.Xr ioctl 2
44interface.
45There are commands to enable and disable the filter, load rulesets,
46add and remove individual rules or state table entries,
47and retrieve statistics.
48The most commonly used functions are covered by
49.Xr pfctl 8 .
50.Pp
51Manipulations like loading a ruleset that involve more than a single
52.Xr ioctl 2
53call require a so-called
54.Em ticket ,
55which prevents the occurrence of
56multiple concurrent manipulations.
57.Pp
58Fields of
59.Xr ioctl 2
60parameter structures that refer to packet data (like
61addresses and ports) are generally expected in network byte-order.
62.Pp
63Rules and address tables are contained in so-called
64.Em anchors .
65When servicing an
66.Xr ioctl 2
67request, if the anchor field of the argument structure is empty,
68the kernel will use the default anchor (i.e., the main ruleset)
69in operations.
70Anchors are specified by name and may be nested, with components
71separated by
72.Sq /
73characters, similar to how file system hierarchies are laid out.
74The final component of the anchor path is the anchor under which
75operations will be performed.
76Anchor names with characters after the terminating null byte are
77considered invalid; if used in an ioctl,
78.Er EINVAL
79will be returned.
80.Sh IOCTL INTERFACE
81.Nm
82supports the following
83.Xr ioctl 2
84commands, available through
85.Aq Pa net/pfvar.h :
86.Bl -tag -width xxxxxx
87.It Dv DIOCSTART
88Start the packet filter.
89.It Dv DIOCSTOP
90Stop the packet filter.
91.It Dv DIOCSTARTALTQ
92Start the ALTQ bandwidth control system (see
93.Xr altq 9 ) .
94.It Dv DIOCSTOPALTQ
95Stop the ALTQ bandwidth control system.
96.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp"
97.Bd -literal
98struct pfioc_pooladdr {
99	u_int32_t		action;
100	u_int32_t		ticket;
101	u_int32_t		nr;
102	u_int32_t		r_num;
103	u_int8_t		r_action;
104	u_int8_t		r_last;
105	u_int8_t		af;
106	char			anchor[MAXPATHLEN];
107	struct pf_pooladdr	addr;
108};
109.Ed
110.Pp
111Clear the buffer address pool and get a
112.Va ticket
113for subsequent
114.Dv DIOCADDADDR ,
115.Dv DIOCADDRULE ,
116and
117.Dv DIOCCHANGERULE
118calls.
119.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp"
120.Pp
121Add the pool address
122.Va addr
123to the buffer address pool to be used in the following
124.Dv DIOCADDRULE
125or
126.Dv DIOCCHANGERULE
127call.
128All other members of the structure are ignored.
129.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr"
130.Bd -literal
131struct pfioc_rule {
132	u_int32_t	action;
133	u_int32_t	ticket;
134	u_int32_t	pool_ticket;
135	u_int32_t	nr;
136	char		anchor[MAXPATHLEN];
137	char		anchor_call[MAXPATHLEN];
138	struct pf_rule	rule;
139};
140.Ed
141.Pp
142Add
143.Va rule
144at the end of the inactive ruleset.
145This call requires a
146.Va ticket
147obtained through a preceding
148.Dv DIOCXBEGIN
149call and a
150.Va pool_ticket
151obtained through a
152.Dv DIOCBEGINADDRS
153call.
154.Dv DIOCADDADDR
155must also be called if any pool addresses are required.
156The optional
157.Va anchor
158name indicates the anchor in which to append the rule.
159.Va nr
160and
161.Va action
162are ignored.
163.It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa"
164Add an ALTQ discipline or queue.
165.Bd -literal
166struct pfioc_altq {
167	u_int32_t	action;
168	u_int32_t	ticket;
169	u_int32_t	nr;
170	struct pf_altq  altq;
171};
172.Ed
173.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr"
174Get a
175.Va ticket
176for subsequent
177.Dv DIOCGETRULE
178calls and the number
179.Va nr
180of rules in the active ruleset.
181.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr"
182Get a
183.Va rule
184by its number
185.Va nr
186using the
187.Va ticket
188obtained through a preceding
189.Dv DIOCGETRULES
190call.
191If
192.Va action
193is set to
194.Dv PF_GET_CLR_CNTR ,
195the per-rule statistics on the requested rule are cleared.
196.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp"
197Get a
198.Va ticket
199for subsequent
200.Dv DIOCGETADDR
201calls and the number
202.Va nr
203of pool addresses in the rule specified with
204.Va r_action ,
205.Va r_num ,
206and
207.Va anchor .
208.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp"
209Get the pool address
210.Va addr
211by its number
212.Va nr
213from the rule specified with
214.Va r_action ,
215.Va r_num ,
216and
217.Va anchor
218using the
219.Va ticket
220obtained through a preceding
221.Dv DIOCGETADDRS
222call.
223.It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa"
224Get a
225.Va ticket
226for subsequent
227.Dv DIOCGETALTQ
228calls and the number
229.Va nr
230of queues in the active list.
231.It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa"
232Get the queueing discipline
233.Va altq
234by its number
235.Va nr
236using the
237.Va ticket
238obtained through a preceding
239.Dv DIOCGETALTQS
240call.
241.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq"
242Get the statistics on a queue.
243.Bd -literal
244struct pfioc_qstats {
245	u_int32_t	 ticket;
246	u_int32_t	 nr;
247	void		*buf;
248	int		 nbytes;
249	u_int8_t	 scheduler;
250};
251.Ed
252.Pp
253This call fills in a pointer to the buffer of statistics
254.Va buf ,
255of length
256.Va nbytes ,
257for the queue specified by
258.Va nr .
259.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr"
260.Bd -literal
261struct pfioc_ruleset {
262	u_int32_t	 nr;
263	char		 path[MAXPATHLEN];
264	char		 name[PF_ANCHOR_NAME_SIZE];
265};
266.Ed
267.Pp
268Get the number
269.Va nr
270of rulesets (i.e., anchors) directly attached to the anchor named by
271.Va path
272for use in subsequent
273.Dv DIOCGETRULESET
274calls.
275Nested anchors, since they are not directly attached to the given
276anchor, will not be included.
277This ioctl returns
278.Er EINVAL
279if the given anchor does not exist.
280.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr"
281Get a ruleset (i.e., an anchor)
282.Va name
283by its number
284.Va nr
285from the given anchor
286.Va path ,
287the maximum number of which can be obtained from a preceding
288.Dv DIOCGETRULESETS
289call.
290This ioctl returns
291.Er EINVAL
292if the given anchor does not exist or
293.Er EBUSY
294if another process is concurrently updating a ruleset.
295.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps"
296Add a state entry.
297.Bd -literal
298struct pfioc_state {
299	struct pfsync_state	state;
300};
301.Ed
302.It Dv DIOCGETSTATE Fa "struct pfioc_state *ps"
303Extract the entry identified by the
304.Va id
305and
306.Va creatorid
307fields of the
308.Va state
309structure from the state table.
310.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk"
311Remove matching entries from the state table.
312This ioctl returns the number of killed states in
313.Va psk_af .
314.Bd -literal
315struct pfioc_state_kill {
316	sa_family_t		psk_af;
317	int			psk_proto;
318	struct pf_rule_addr	psk_src;
319	struct pf_rule_addr	psk_dst;
320	char			psk_ifname[IFNAMSIZ];
321};
322.Ed
323.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk"
324Clear all states.
325It works like
326.Dv DIOCKILLSTATES ,
327but ignores the
328.Va psk_af ,
329.Va psk_proto ,
330.Va psk_src ,
331and
332.Va psk_dst
333fields of the
334.Vt pfioc_state_kill
335structure.
336.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi"
337Specify the interface for which statistics are accumulated.
338.Bd -literal
339struct pfioc_if {
340	char		 ifname[IFNAMSIZ];
341};
342.Ed
343.It Dv DIOCGETSTATUS Fa "struct pf_status *s"
344Get the internal packet filter statistics.
345.Bd -literal
346struct pf_status {
347	u_int64_t	counters[PFRES_MAX];
348	u_int64_t	lcounters[LCNT_MAX];
349	u_int64_t	fcounters[FCNT_MAX];
350	u_int64_t	scounters[SCNT_MAX];
351	u_int64_t	pcounters[2][2][3];
352	u_int64_t	bcounters[2][2];
353	u_int64_t	stateid;
354	u_int32_t	running;
355	u_int32_t	states;
356	u_int32_t	src_nodes;
357	u_int32_t	since;
358	u_int32_t	debug;
359	u_int32_t	hostid;
360	char		ifname[IFNAMSIZ];
361	u_int8_t	pf_chksum[MD5_DIGEST_LENGTH];
362};
363.Ed
364.It Dv DIOCCLRSTATUS
365Clear the internal packet filter statistics.
366.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl"
367Look up a state table entry by source and destination addresses and ports.
368.Bd -literal
369struct pfioc_natlook {
370	struct pf_addr	 saddr;
371	struct pf_addr	 daddr;
372	struct pf_addr	 rsaddr;
373	struct pf_addr	 rdaddr;
374	u_int16_t	 sport;
375	u_int16_t	 dport;
376	u_int16_t	 rsport;
377	u_int16_t	 rdport;
378	sa_family_t	 af;
379	u_int8_t	 proto;
380	u_int8_t	 direction;
381};
382.Ed
383.It Dv DIOCSETDEBUG Fa "u_int32_t *level"
384Set the debug level.
385.Bd -literal
386enum	{ PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC,
387	  PF_DEBUG_NOISY };
388.Ed
389.It Dv DIOCGETSTATES Fa "struct pfioc_states *ps"
390Get state table entries.
391.Bd -literal
392struct pfioc_states {
393	int	ps_len;
394	union {
395		caddr_t		 psu_buf;
396		struct pf_state *psu_states;
397	} ps_u;
398#define ps_buf		ps_u.psu_buf
399#define ps_states	ps_u.psu_states
400};
401.Ed
402.Pp
403If
404.Va ps_len
405is non-zero on entry, as many states as possible that can fit into this
406size will be copied into the supplied buffer
407.Va ps_states .
408On exit,
409.Va ps_len
410is always set to the total size required to hold all state table entries
411(i.e., it is set to
412.Li sizeof(struct pf_state) * nr ) .
413.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr"
414Add or remove the
415.Va rule
416in the ruleset specified by
417.Va rule.action .
418.Pp
419The type of operation to be performed is indicated by
420.Va action ,
421which can be any of the following:
422.Bd -literal
423enum	{ PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
424	  PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
425	  PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
426.Ed
427.Pp
428.Va ticket
429must be set to the value obtained with
430.Dv PF_CHANGE_GET_TICKET
431for all actions except
432.Dv PF_CHANGE_GET_TICKET .
433.Va pool_ticket
434must be set to the value obtained with the
435.Dv DIOCBEGINADDRS
436call for all actions except
437.Dv PF_CHANGE_REMOVE
438and
439.Dv PF_CHANGE_GET_TICKET .
440.Va anchor
441indicates to which anchor the operation applies.
442.Va nr
443indicates the rule number against which
444.Dv PF_CHANGE_ADD_BEFORE ,
445.Dv PF_CHANGE_ADD_AFTER ,
446or
447.Dv PF_CHANGE_REMOVE
448actions are applied.
449.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr"
450.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca"
451Add or remove the pool address
452.Va addr
453from the rule specified by
454.Va r_action ,
455.Va r_num ,
456and
457.Va anchor .
458.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt"
459.Bd -literal
460struct pfioc_tm {
461	int		 timeout;
462	int		 seconds;
463};
464.Ed
465.Pp
466Set the state timeout of
467.Va timeout
468to
469.Va seconds .
470The old value will be placed into
471.Va seconds .
472For possible values of
473.Va timeout ,
474consult the
475.Dv PFTM_*
476values in
477.Aq Pa net/pfvar.h .
478.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt"
479Get the state timeout of
480.Va timeout .
481The value will be placed into the
482.Va seconds
483field.
484.It Dv DIOCCLRRULECTRS
485Clear per-rule statistics.
486.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl"
487Set the hard limits on the memory pools used by the packet filter.
488.Bd -literal
489struct pfioc_limit {
490	int		index;
491	unsigned	limit;
492};
493
494enum	{ PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
495	  PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
496.Ed
497.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl"
498Get the hard
499.Va limit
500for the memory pool indicated by
501.Va index .
502.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io"
503Clear all tables.
504All the ioctls that manipulate radix tables
505use the same structure described below.
506For
507.Dv DIOCRCLRTABLES ,
508.Va pfrio_ndel
509contains on exit the number of tables deleted.
510.Bd -literal
511struct pfioc_table {
512	struct pfr_table	 pfrio_table;
513	void			*pfrio_buffer;
514	int			 pfrio_esize;
515	int			 pfrio_size;
516	int			 pfrio_size2;
517	int			 pfrio_nadd;
518	int			 pfrio_ndel;
519	int			 pfrio_nchange;
520	int			 pfrio_flags;
521	u_int32_t		 pfrio_ticket;
522};
523#define pfrio_exists    pfrio_nadd
524#define pfrio_nzero     pfrio_nadd
525#define pfrio_nmatch    pfrio_nadd
526#define pfrio_naddr     pfrio_size2
527#define pfrio_setflag   pfrio_size2
528#define pfrio_clrflag   pfrio_nadd
529.Ed
530.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io"
531Create one or more tables.
532On entry,
533.Va pfrio_buffer
534must point to an array of
535.Vt struct pfr_table
536containing at least
537.Vt pfrio_size
538elements.
539.Vt pfrio_esize
540must be the size of
541.Vt struct pfr_table .
542On exit,
543.Va pfrio_nadd
544contains the number of tables effectively created.
545.Bd -literal
546struct pfr_table {
547	char		pfrt_anchor[MAXPATHLEN];
548	char		pfrt_name[PF_TABLE_NAME_SIZE];
549	u_int32_t	pfrt_flags;
550	u_int8_t	pfrt_fback;
551};
552.Ed
553.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io"
554Delete one or more tables.
555On entry,
556.Va pfrio_buffer
557must point to an array of
558.Vt struct pfr_table
559containing at least
560.Vt pfrio_size
561elements.
562.Vt pfrio_esize
563must be the size of
564.Vt struct pfr_table .
565On exit,
566.Va pfrio_ndel
567contains the number of tables effectively deleted.
568.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io"
569Get the list of all tables.
570On entry,
571.Va pfrio_buffer[pfrio_size]
572contains a valid writeable buffer for
573.Vt pfr_table
574structures.
575On exit,
576.Va pfrio_size
577contains the number of tables written into the buffer.
578If the buffer is too small, the kernel does not store anything but just
579returns the required buffer size, without error.
580.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io"
581This call is like
582.Dv DIOCRGETTABLES
583but is used to get an array of
584.Vt pfr_tstats
585structures.
586.Bd -literal
587struct pfr_tstats {
588	struct pfr_table pfrts_t;
589	u_int64_t	 pfrts_packets
590			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
591	u_int64_t	 pfrts_bytes
592			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
593	u_int64_t	 pfrts_match;
594	u_int64_t	 pfrts_nomatch;
595	long		 pfrts_tzero;
596	int		 pfrts_cnt;
597	int		 pfrts_refcnt[PFR_REFCNT_MAX];
598};
599#define pfrts_name	 pfrts_t.pfrt_name
600#define pfrts_flags	 pfrts_t.pfrt_flags
601.Ed
602.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io"
603Clear the statistics of one or more tables.
604On entry,
605.Va pfrio_buffer
606must point to an array of
607.Vt struct pfr_table
608containing at least
609.Vt pfrio_size
610elements.
611.Vt pfrio_esize
612must be the size of
613.Vt struct pfr_table .
614On exit,
615.Va pfrio_nzero
616contains the number of tables effectively cleared.
617.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io"
618Clear all addresses in a table.
619On entry,
620.Va pfrio_table
621contains the table to clear.
622On exit,
623.Va pfrio_ndel
624contains the number of addresses removed.
625.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io"
626Add one or more addresses to a table.
627On entry,
628.Va pfrio_table
629contains the table ID and
630.Va pfrio_buffer
631must point to an array of
632.Vt struct pfr_addr
633containing at least
634.Vt pfrio_size
635elements to add to the table.
636.Vt pfrio_esize
637must be the size of
638.Vt struct pfr_addr .
639On exit,
640.Va pfrio_nadd
641contains the number of addresses effectively added.
642.Bd -literal
643struct pfr_addr {
644	union {
645		struct in_addr	 _pfra_ip4addr;
646		struct in6_addr	 _pfra_ip6addr;
647	}		 pfra_u;
648	u_int8_t	 pfra_af;
649	u_int8_t	 pfra_net;
650	u_int8_t	 pfra_not;
651	u_int8_t	 pfra_fback;
652};
653#define pfra_ip4addr    pfra_u._pfra_ip4addr
654#define pfra_ip6addr    pfra_u._pfra_ip6addr
655.Ed
656.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io"
657Delete one or more addresses from a table.
658On entry,
659.Va pfrio_table
660contains the table ID and
661.Va pfrio_buffer
662must point to an array of
663.Vt struct pfr_addr
664containing at least
665.Vt pfrio_size
666elements to delete from the table.
667.Vt pfrio_esize
668must be the size of
669.Vt struct pfr_addr .
670On exit,
671.Va pfrio_ndel
672contains the number of addresses effectively deleted.
673.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io"
674Replace the content of a table by a new address list.
675This is the most complicated command, which uses all the structure members.
676.Pp
677On entry,
678.Va pfrio_table
679contains the table ID and
680.Va pfrio_buffer
681must point to an array of
682.Vt struct pfr_addr
683containing at least
684.Vt pfrio_size
685elements which become the new contents of the table.
686.Vt pfrio_esize
687must be the size of
688.Vt struct pfr_addr .
689Additionally, if
690.Va pfrio_size2
691is non-zero,
692.Va pfrio_buffer[pfrio_size..pfrio_size2]
693must be a writeable buffer, into which the kernel can copy the
694addresses that have been deleted during the replace operation.
695On exit,
696.Va pfrio_ndel ,
697.Va pfrio_nadd ,
698and
699.Va pfrio_nchange
700contain the number of addresses deleted, added, and changed by the
701kernel.
702If
703.Va pfrio_size2
704was set on entry,
705.Va pfrio_size2
706will point to the size of the buffer used, exactly like
707.Dv DIOCRGETADDRS .
708.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io"
709Get all the addresses of a table.
710On entry,
711.Va pfrio_table
712contains the table ID and
713.Va pfrio_buffer[pfrio_size]
714contains a valid writeable buffer for
715.Vt pfr_addr
716structures.
717On exit,
718.Va pfrio_size
719contains the number of addresses written into the buffer.
720If the buffer was too small, the kernel does not store anything but just
721returns the required buffer size, without returning an error.
722.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io"
723This call is like
724.Dv DIOCRGETADDRS
725but is used to get an array of
726.Vt pfr_astats
727structures.
728.Bd -literal
729struct pfr_astats {
730	struct pfr_addr	 pfras_a;
731	u_int64_t	 pfras_packets
732			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
733	u_int64_t	 pfras_bytes
734			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
735	long		 pfras_tzero;
736};
737.Ed
738.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io"
739Clear the statistics of one or more addresses.
740On entry,
741.Va pfrio_table
742contains the table ID and
743.Va pfrio_buffer
744must point to an array of
745.Vt struct pfr_addr
746containing at least
747.Vt pfrio_size
748elements to be cleared from the table.
749.Vt pfrio_esize
750must be the size of
751.Vt struct pfr_addr .
752On exit,
753.Va pfrio_nzero
754contains the number of addresses effectively cleared.
755.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io"
756Test if the given addresses match a table.
757On entry,
758.Va pfrio_table
759contains the table ID and
760.Va pfrio_buffer
761must point to an array of
762.Vt struct pfr_addr
763containing at least
764.Vt pfrio_size
765elements, each of which will be tested for a match in the table.
766.Vt pfrio_esize
767must be the size of
768.Vt struct pfr_addr .
769On exit, the kernel updates the
770.Vt pfr_addr
771array by setting the
772.Va pfra_fback
773member appropriately.
774.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io"
775Change the
776.Dv PFR_TFLAG_CONST
777or
778.Dv PFR_TFLAG_PERSIST
779flags of a table.
780On entry,
781.Va pfrio_buffer
782must point to an array of
783.Vt struct pfr_table
784containing at least
785.Vt pfrio_size
786elements.
787.Va pfrio_esize
788must be the size of
789.Vt struct pfr_table .
790.Va pfrio_setflag
791must contain the flags to add, while
792.Va pfrio_clrflag
793must contain the flags to remove.
794On exit,
795.Va pfrio_nchange
796and
797.Va pfrio_ndel
798contain the number of tables altered or deleted by the kernel.
799Yes, tables can be deleted if one removes the
800.Dv PFR_TFLAG_PERSIST
801flag of an unreferenced table.
802.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io"
803Defines a table in the inactive set.
804On entry,
805.Va pfrio_table
806contains the table ID and
807.Va pfrio_buffer[pfrio_size]
808contains an array of
809.Vt pfr_addr
810structures to put in the table.
811A valid ticket must also be supplied to
812.Va pfrio_ticket .
813On exit,
814.Va pfrio_nadd
815contains 0 if the table was already defined in the inactive list
816or 1 if a new table has been created.
817.Va pfrio_naddr
818contains the number of addresses effectively put in the table.
819.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io"
820.Bd -literal
821struct pfioc_trans {
822	int		 size;	/* number of elements */
823	int		 esize;	/* size of each element in bytes */
824	struct pfioc_trans_e {
825		int		rs_num;
826		char		anchor[MAXPATHLEN];
827		u_int32_t	ticket;
828	}		*array;
829};
830.Ed
831.Pp
832Clear all the inactive rulesets specified in the
833.Vt pfioc_trans_e
834array.
835For each ruleset, a ticket is returned for subsequent "add rule" ioctls,
836as well as for the
837.Dv DIOCXCOMMIT
838and
839.Dv DIOCXROLLBACK
840calls.
841.Pp
842Ruleset types, identified by
843.Va rs_num ,
844include the following:
845.Pp
846.Bl -tag -width PF_RULESET_FILTER -offset ind -compact
847.It Dv PF_RULESET_SCRUB
848Scrub (packet normalization) rules.
849.It Dv PF_RULESET_FILTER
850Filter rules.
851.It Dv PF_RULESET_NAT
852NAT (Network Address Translation) rules.
853.It Dv PF_RULESET_BINAT
854Bidirectional NAT rules.
855.It Dv PF_RULESET_RDR
856Redirect rules.
857.It Dv PF_RULESET_ALTQ
858ALTQ disciplines.
859.It Dv PF_RULESET_TABLE
860Address tables.
861.El
862.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io"
863Atomically switch a vector of inactive rulesets to the active rulesets.
864This call is implemented as a standard two-phase commit, which will either
865fail for all rulesets or completely succeed.
866All tickets need to be valid.
867This ioctl returns
868.Er EBUSY
869if another process is concurrently updating some of the same rulesets.
870.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io"
871Clean up the kernel by undoing all changes that have taken place on the
872inactive rulesets since the last
873.Dv DIOCXBEGIN .
874.Dv DIOCXROLLBACK
875will silently ignore rulesets for which the ticket is invalid.
876.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid"
877Set the host ID, which is used by
878.Xr pfsync 4
879to identify which host created state table entries.
880.It Dv DIOCOSFPFLUSH
881Flush the passive OS fingerprint table.
882.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io"
883.Bd -literal
884struct pf_osfp_ioctl {
885	struct pf_osfp_entry {
886		SLIST_ENTRY(pf_osfp_entry) fp_entry;
887		pf_osfp_t		fp_os;
888		char			fp_class_nm[PF_OSFP_LEN];
889		char			fp_version_nm[PF_OSFP_LEN];
890		char			fp_subtype_nm[PF_OSFP_LEN];
891	} 			fp_os;
892	pf_tcpopts_t		fp_tcpopts;
893	u_int16_t		fp_wsize;
894	u_int16_t		fp_psize;
895	u_int16_t		fp_mss;
896	u_int16_t		fp_flags;
897	u_int8_t		fp_optcnt;
898	u_int8_t		fp_wscale;
899	u_int8_t		fp_ttl;
900	int			fp_getnum;
901};
902.Ed
903.Pp
904Add a passive OS fingerprint to the table.
905Set
906.Va fp_os.fp_os
907to the packed fingerprint,
908.Va fp_os.fp_class_nm
909to the name of the class (Linux, Windows, etc),
910.Va fp_os.fp_version_nm
911to the name of the version (NT, 95, 98), and
912.Va fp_os.fp_subtype_nm
913to the name of the subtype or patchlevel.
914The members
915.Va fp_mss ,
916.Va fp_wsize ,
917.Va fp_psize ,
918.Va fp_ttl ,
919.Va fp_optcnt ,
920and
921.Va fp_wscale
922are set to the TCP MSS, the TCP window size, the IP length, the IP TTL,
923the number of TCP options, and the TCP window scaling constant of the
924TCP SYN packet, respectively.
925.Pp
926The
927.Va fp_flags
928member is filled according to the
929.Aq Pa net/pfvar.h
930include file
931.Dv PF_OSFP_*
932defines.
933The
934.Va fp_tcpopts
935member contains packed TCP options.
936Each option uses
937.Dv PF_OSFP_TCPOPT_BITS
938bits in the packed value.
939Options include any of
940.Dv PF_OSFP_TCPOPT_NOP ,
941.Dv PF_OSFP_TCPOPT_SACK ,
942.Dv PF_OSFP_TCPOPT_WSCALE ,
943.Dv PF_OSFP_TCPOPT_MSS ,
944or
945.Dv PF_OSFP_TCPOPT_TS .
946.Pp
947The
948.Va fp_getnum
949member is not used with this ioctl.
950.Pp
951The structure's slack space must be zeroed for correct operation;
952.Xr memset 3
953the whole structure to zero before filling and sending to the kernel.
954.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io"
955Get the passive OS fingerprint number
956.Va fp_getnum
957from the kernel's fingerprint list.
958The rest of the structure members will come back filled.
959Get the whole list by repeatedly incrementing the
960.Va fp_getnum
961number until the ioctl returns
962.Er EBUSY .
963.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn"
964.Bd -literal
965struct pfioc_src_nodes {
966	int	psn_len;
967	union {
968		caddr_t		psu_buf;
969		struct pf_src_node	*psu_src_nodes;
970	} psn_u;
971#define psn_buf		psn_u.psu_buf
972#define psn_src_nodes	psn_u.psu_src_nodes
973};
974.Ed
975.Pp
976Get the list of source nodes kept by sticky addresses and source
977tracking.
978The ioctl must be called once with
979.Va psn_len
980set to 0.
981If the ioctl returns without error,
982.Va psn_len
983will be set to the size of the buffer required to hold all the
984.Va pf_src_node
985structures held in the table.
986A buffer of this size should then be allocated, and a pointer to this buffer
987placed in
988.Va psn_buf .
989The ioctl must then be called again to fill this buffer with the actual
990source node data.
991After that call,
992.Va psn_len
993will be set to the length of the buffer actually used.
994.It Dv DIOCCLRSRCNODES
995Clear the tree of source tracking nodes.
996.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io"
997Get the list of interfaces and interface drivers known to
998.Nm .
999All the ioctls that manipulate interfaces
1000use the same structure described below:
1001.Bd -literal
1002struct pfioc_iface {
1003	char			 pfiio_name[IFNAMSIZ];
1004	void			*pfiio_buffer;
1005	int			 pfiio_esize;
1006	int			 pfiio_size;
1007	int			 pfiio_nzero;
1008	int			 pfiio_flags;
1009};
1010.Ed
1011.Pp
1012If not empty,
1013.Va pfiio_name
1014can be used to restrict the search to a specific interface or driver.
1015.Va pfiio_buffer[pfiio_size]
1016is the user-supplied buffer for returning the data.
1017On entry,
1018.Va pfiio_size
1019contains the number of
1020.Vt pfi_kif
1021entries that can fit into the buffer.
1022The kernel will replace this value by the real number of entries it wants
1023to return.
1024.Va pfiio_esize
1025should be set to
1026.Li sizeof(struct pfi_kif) .
1027.Pp
1028The data is returned in the
1029.Vt pfi_kif
1030structure described below:
1031.Bd -literal
1032struct pfi_kif {
1033	RB_ENTRY(pfi_kif)		 pfik_tree;
1034	char				 pfik_name[IFNAMSIZ];
1035	u_int64_t			 pfik_packets[2][2][2];
1036	u_int64_t			 pfik_bytes[2][2][2];
1037	u_int32_t			 pfik_tzero;
1038	int				 pfik_flags;
1039	struct pf_state_tree_lan_ext	 pfik_lan_ext;
1040	struct pf_state_tree_ext_gwy	 pfik_ext_gwy;
1041	TAILQ_ENTRY(pfi_kif)		 pfik_w_states;
1042	void				*pfik_ah_cookie;
1043	struct ifnet			*pfik_ifp;
1044	struct ifg_group		*pfik_group;
1045	int				 pfik_states;
1046	int				 pfik_rules;
1047	TAILQ_HEAD(, pfi_dynaddr)	 pfik_dynaddrs;
1048};
1049.Ed
1050.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io"
1051Set the user setable flags (described above) of the
1052.Nm
1053internal interface description.
1054The filtering process is the same as for
1055.Dv DIOCIGETIFACES .
1056.Bd -literal
1057#define PFI_IFLAG_SKIP	0x0100	/* skip filtering on interface */
1058.Ed
1059.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
1060Works as
1061.Dv DIOCSETIFFLAG
1062above but clears the flags.
1063.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
1064Explicitly remove source tracking nodes.
1065.El
1066.Sh FILES
1067.Bl -tag -width /dev/pf -compact
1068.It Pa /dev/pf
1069packet filtering device.
1070.El
1071.Sh EXAMPLES
1072The following example demonstrates how to use the
1073.Dv DIOCNATLOOK
1074command to find the internal host/port of a NATed connection:
1075.Bd -literal
1076#include <sys/types.h>
1077#include <sys/socket.h>
1078#include <sys/ioctl.h>
1079#include <sys/fcntl.h>
1080#include <net/if.h>
1081#include <netinet/in.h>
1082#include <net/pfvar.h>
1083#include <err.h>
1084#include <stdio.h>
1085#include <stdlib.h>
1086
1087u_int32_t
1088read_address(const char *s)
1089{
1090	int a, b, c, d;
1091
1092	sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
1093	return htonl(a << 24 | b << 16 | c << 8 | d);
1094}
1095
1096void
1097print_address(u_int32_t a)
1098{
1099	a = ntohl(a);
1100	printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
1101	    a >> 8 & 255, a & 255);
1102}
1103
1104int
1105main(int argc, char *argv[])
1106{
1107	struct pfioc_natlook nl;
1108	int dev;
1109
1110	if (argc != 5) {
1111		printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n",
1112		    argv[0]);
1113		return 1;
1114	}
1115
1116	dev = open("/dev/pf", O_RDWR);
1117	if (dev == -1)
1118		err(1, "open(\\"/dev/pf\\") failed");
1119
1120	memset(&nl, 0, sizeof(struct pfioc_natlook));
1121	nl.saddr.v4.s_addr	= read_address(argv[1]);
1122	nl.sport		= htons(atoi(argv[2]));
1123	nl.daddr.v4.s_addr	= read_address(argv[3]);
1124	nl.dport		= htons(atoi(argv[4]));
1125	nl.af			= AF_INET;
1126	nl.proto		= IPPROTO_TCP;
1127	nl.direction		= PF_IN;
1128
1129	if (ioctl(dev, DIOCNATLOOK, &nl))
1130		err(1, "DIOCNATLOOK");
1131
1132	printf("internal host ");
1133	print_address(nl.rsaddr.v4.s_addr);
1134	printf(":%u\\n", ntohs(nl.rsport));
1135	return 0;
1136}
1137.Ed
1138.Sh SEE ALSO
1139.Xr ioctl 2 ,
1140.Xr bridge 4 ,
1141.Xr pflog 4 ,
1142.Xr pflow 4 ,
1143.Xr pfsync 4 ,
1144.Xr pf.conf 5 ,
1145.Xr pfctl 8 ,
1146.Xr altq 9
1147.Sh HISTORY
1148The
1149.Nm
1150packet filtering mechanism first appeared in
1151.Ox 3.0 .
1152