xref: /openbsd-src/share/man/man4/pf.4 (revision d13be5d47e4149db2549a9828e244d59dbc43f15) 
1.\"	$OpenBSD: pf.4,v 1.72 2010/12/28 13:56:11 jmc Exp $
2.\"
3.\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\"    notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\" 3. Neither the name of the project nor the names of its contributors
14.\"    may be used to endorse or promote products derived from this software
15.\"    without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27.\" SUCH DAMAGE.
28.\"
29.Dd $Mdocdate: December 28 2010 $
30.Dt PF 4
31.Os
32.Sh NAME
33.Nm pf
34.Nd packet filter
35.Sh SYNOPSIS
36.Cd "pseudo-device pf"
37.Sh DESCRIPTION
38Packet filtering takes place in the kernel.
39A pseudo-device,
40.Pa /dev/pf ,
41allows userland processes to control the
42behavior of the packet filter through an
43.Xr ioctl 2
44interface.
45There are commands to enable and disable the filter, load rulesets,
46add and remove individual rules or state table entries,
47and retrieve statistics.
48The most commonly used functions are covered by
49.Xr pfctl 8 .
50.Pp
51Manipulations like loading a ruleset that involve more than a single
52.Xr ioctl 2
53call require a so-called
54.Em ticket ,
55which prevents the occurrence of
56multiple concurrent manipulations.
57.Pp
58Fields of
59.Xr ioctl 2
60parameter structures that refer to packet data (like
61addresses and ports) are generally expected in network byte-order.
62.Pp
63Rules and address tables are contained in so-called
64.Em anchors .
65When servicing an
66.Xr ioctl 2
67request, if the anchor field of the argument structure is empty,
68the kernel will use the default anchor (i.e., the main ruleset)
69in operations.
70Anchors are specified by name and may be nested, with components
71separated by
72.Sq /
73characters, similar to how file system hierarchies are laid out.
74The final component of the anchor path is the anchor under which
75operations will be performed.
76Anchor names with characters after the terminating null byte are
77considered invalid; if used in an ioctl,
78.Er EINVAL
79will be returned.
80.Sh IOCTL INTERFACE
81.Nm
82supports the following
83.Xr ioctl 2
84commands, available through
85.Aq Pa net/pfvar.h :
86.Bl -tag -width xxxxxx
87.It Dv DIOCSTART
88Start the packet filter.
89.It Dv DIOCSTOP
90Stop the packet filter.
91.It Dv DIOCSTARTALTQ
92Start the ALTQ bandwidth control system (see
93.Xr altq 9 ) .
94.It Dv DIOCSTOPALTQ
95Stop the ALTQ bandwidth control system.
96.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr"
97.Bd -literal
98struct pfioc_rule {
99	u_int32_t	action;
100	u_int32_t	ticket;
101	u_int32_t	nr;
102	char		anchor[MAXPATHLEN];
103	char		anchor_call[MAXPATHLEN];
104	struct pf_rule	rule;
105};
106.Ed
107.Pp
108Add
109.Va rule
110at the end of the inactive ruleset.
111This call requires a
112.Va ticket
113obtained through a preceding
114.Dv DIOCXBEGIN
115call.
116The optional
117.Va anchor
118name indicates the anchor in which to append the rule.
119.Va nr
120and
121.Va action
122are ignored.
123.It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa"
124Add an ALTQ discipline or queue.
125.Bd -literal
126struct pfioc_altq {
127	u_int32_t	action;
128	u_int32_t	ticket;
129	u_int32_t	nr;
130	struct pf_altq  altq;
131};
132.Ed
133.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr"
134Get a
135.Va ticket
136for subsequent
137.Dv DIOCGETRULE
138calls and the number
139.Va nr
140of rules in the active ruleset.
141.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr"
142Get a
143.Va rule
144by its number
145.Va nr
146using the
147.Va ticket
148obtained through a preceding
149.Dv DIOCGETRULES
150call.
151If
152.Va action
153is set to
154.Dv PF_GET_CLR_CNTR ,
155the per-rule statistics on the requested rule are cleared.
156.It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa"
157Get a
158.Va ticket
159for subsequent
160.Dv DIOCGETALTQ
161calls and the number
162.Va nr
163of queues in the active list.
164.It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa"
165Get the queueing discipline
166.Va altq
167by its number
168.Va nr
169using the
170.Va ticket
171obtained through a preceding
172.Dv DIOCGETALTQS
173call.
174.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq"
175Get the statistics on a queue.
176.Bd -literal
177struct pfioc_qstats {
178	u_int32_t	 ticket;
179	u_int32_t	 nr;
180	void		*buf;
181	int		 nbytes;
182	u_int8_t	 scheduler;
183};
184.Ed
185.Pp
186This call fills in a pointer to the buffer of statistics
187.Va buf ,
188of length
189.Va nbytes ,
190for the queue specified by
191.Va nr .
192.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr"
193.Bd -literal
194struct pfioc_ruleset {
195	u_int32_t	 nr;
196	char		 path[MAXPATHLEN];
197	char		 name[PF_ANCHOR_NAME_SIZE];
198};
199.Ed
200.Pp
201Get the number
202.Va nr
203of rulesets (i.e., anchors) directly attached to the anchor named by
204.Va path
205for use in subsequent
206.Dv DIOCGETRULESET
207calls.
208Nested anchors, since they are not directly attached to the given
209anchor, will not be included.
210This ioctl returns
211.Er EINVAL
212if the given anchor does not exist.
213.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr"
214Get a ruleset (i.e., an anchor)
215.Va name
216by its number
217.Va nr
218from the given anchor
219.Va path ,
220the maximum number of which can be obtained from a preceding
221.Dv DIOCGETRULESETS
222call.
223This ioctl returns
224.Er EINVAL
225if the given anchor does not exist or
226.Er EBUSY
227if another process is concurrently updating a ruleset.
228.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps"
229Add a state entry.
230.Bd -literal
231struct pfioc_state {
232	struct pfsync_state	state;
233};
234.Ed
235.It Dv DIOCGETSTATE Fa "struct pfioc_state *ps"
236Extract the entry identified by the
237.Va id
238and
239.Va creatorid
240fields of the
241.Va state
242structure from the state table.
243.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk"
244Remove matching entries from the state table.
245This ioctl returns the number of killed states in
246.Va psk_killed .
247.Bd -literal
248struct pfioc_state_kill {
249	struct pf_state_cmp	psk_pfcmp;
250	sa_family_t		psk_af;
251	int			psk_proto;
252	struct pf_rule_addr	psk_src;
253	struct pf_rule_addr	psk_dst;
254	char			psk_ifname[IFNAMSIZ];
255	char			psk_label[PF_RULE_LABEL_SIZE];
256	u_int			psk_killed;
257	u_int16_t		psk_rdomain;
258};
259.Ed
260.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk"
261Clear all states.
262It works like
263.Dv DIOCKILLSTATES ,
264but ignores all fields of the
265.Vt pfioc_state_kill
266structure, except
267.Va psk_ifname .
268.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi"
269Specify the interface for which statistics are accumulated.
270.Bd -literal
271struct pfioc_if {
272	char		 ifname[IFNAMSIZ];
273};
274.Ed
275.It Dv DIOCGETSTATUS Fa "struct pf_status *s"
276Get the internal packet filter statistics.
277.Bd -literal
278struct pf_status {
279	u_int64_t	counters[PFRES_MAX];
280	u_int64_t	lcounters[LCNT_MAX];	/* limit counters */
281	u_int64_t	fcounters[FCNT_MAX];
282	u_int64_t	scounters[SCNT_MAX];
283	u_int64_t	pcounters[2][2][3];
284	u_int64_t	bcounters[2][2];
285	u_int64_t	stateid;
286	u_int32_t	running;
287	u_int32_t	states;
288	u_int32_t	src_nodes;
289	u_int32_t	since;
290	u_int32_t	debug;
291	u_int32_t	hostid;
292	u_int32_t	reass;			/* reassembly */
293	char		ifname[IFNAMSIZ];
294	u_int8_t	pf_chksum[MD5_DIGEST_LENGTH];
295};
296.Ed
297.It Dv DIOCCLRSTATUS
298Clear the internal packet filter statistics.
299.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl"
300Look up a state table entry by source and destination addresses and ports.
301.Bd -literal
302struct pfioc_natlook {
303	struct pf_addr	 saddr;
304	struct pf_addr	 daddr;
305	struct pf_addr	 rsaddr;
306	struct pf_addr	 rdaddr;
307	u_int16_t	 rdomain;
308	u_int16_t	 sport;
309	u_int16_t	 dport;
310	u_int16_t	 rsport;
311	u_int16_t	 rdport;
312	sa_family_t	 af;
313	u_int8_t	 proto;
314	u_int8_t	 direction;
315};
316.Ed
317.It Dv DIOCSETDEBUG Fa "u_int32_t *level"
318Set the debug level.
319See the
320.Xr syslog 3
321man page for a list of valid debug levels.
322.It Dv DIOCGETSTATES Fa "struct pfioc_states *ps"
323Get state table entries.
324.Bd -literal
325struct pfioc_states {
326	int	ps_len;
327	union {
328		caddr_t		     psu_buf;
329		struct pfsync_state *psu_states;
330	} ps_u;
331#define ps_buf		ps_u.psu_buf
332#define ps_states	ps_u.psu_states
333};
334.Ed
335.Pp
336If
337.Va ps_len
338is non-zero on entry, as many states as possible that can fit into this
339size will be copied into the supplied buffer
340.Va ps_states .
341On exit,
342.Va ps_len
343is always set to the total size required to hold all state table entries
344(i.e., it is set to
345.Li sizeof(struct pfsync_state) * nr ) .
346.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr"
347Add or remove the
348.Va rule
349in the ruleset specified by
350.Va rule.action .
351.Pp
352The type of operation to be performed is indicated by
353.Va action ,
354which can be any of the following:
355.Bd -literal
356enum	{ PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
357	  PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
358	  PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
359.Ed
360.Pp
361.Va ticket
362must be set to the value obtained with
363.Dv PF_CHANGE_GET_TICKET
364for all actions except
365.Dv PF_CHANGE_GET_TICKET .
366.Va anchor
367indicates to which anchor the operation applies.
368.Va nr
369indicates the rule number against which
370.Dv PF_CHANGE_ADD_BEFORE ,
371.Dv PF_CHANGE_ADD_AFTER ,
372or
373.Dv PF_CHANGE_REMOVE
374actions are applied.
375.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr"
376.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt"
377.Bd -literal
378struct pfioc_tm {
379	int		 timeout;
380	int		 seconds;
381};
382.Ed
383.Pp
384Set the state timeout of
385.Va timeout
386to
387.Va seconds .
388The old value will be placed into
389.Va seconds .
390For possible values of
391.Va timeout ,
392consult the
393.Dv PFTM_*
394values in
395.Aq Pa net/pfvar.h .
396.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt"
397Get the state timeout of
398.Va timeout .
399The value will be placed into the
400.Va seconds
401field.
402.It Dv DIOCCLRRULECTRS
403Clear per-rule statistics.
404.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl"
405Set the hard limits on the memory pools used by the packet filter.
406.Bd -literal
407struct pfioc_limit {
408	int		index;
409	unsigned	limit;
410};
411
412enum	{ PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
413	  PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
414.Ed
415.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl"
416Get the hard
417.Va limit
418for the memory pool indicated by
419.Va index .
420.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io"
421Clear all tables.
422All the ioctls that manipulate radix tables
423use the same structure described below.
424For
425.Dv DIOCRCLRTABLES ,
426.Va pfrio_ndel
427contains on exit the number of tables deleted.
428.Bd -literal
429struct pfioc_table {
430	struct pfr_table	 pfrio_table;
431	void			*pfrio_buffer;
432	int			 pfrio_esize;
433	int			 pfrio_size;
434	int			 pfrio_size2;
435	int			 pfrio_nadd;
436	int			 pfrio_ndel;
437	int			 pfrio_nchange;
438	int			 pfrio_flags;
439	u_int32_t		 pfrio_ticket;
440};
441#define pfrio_exists    pfrio_nadd
442#define pfrio_nzero     pfrio_nadd
443#define pfrio_nmatch    pfrio_nadd
444#define pfrio_naddr     pfrio_size2
445#define pfrio_setflag   pfrio_size2
446#define pfrio_clrflag   pfrio_nadd
447.Ed
448.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io"
449Create one or more tables.
450On entry,
451.Va pfrio_buffer
452must point to an array of
453.Vt struct pfr_table
454containing at least
455.Vt pfrio_size
456elements.
457.Vt pfrio_esize
458must be the size of
459.Vt struct pfr_table .
460On exit,
461.Va pfrio_nadd
462contains the number of tables effectively created.
463.Bd -literal
464struct pfr_table {
465	char		pfrt_anchor[MAXPATHLEN];
466	char		pfrt_name[PF_TABLE_NAME_SIZE];
467	u_int32_t	pfrt_flags;
468	u_int8_t	pfrt_fback;
469};
470.Ed
471.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io"
472Delete one or more tables.
473On entry,
474.Va pfrio_buffer
475must point to an array of
476.Vt struct pfr_table
477containing at least
478.Vt pfrio_size
479elements.
480.Vt pfrio_esize
481must be the size of
482.Vt struct pfr_table .
483On exit,
484.Va pfrio_ndel
485contains the number of tables effectively deleted.
486.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io"
487Get the list of all tables.
488On entry,
489.Va pfrio_buffer[pfrio_size]
490contains a valid writeable buffer for
491.Vt pfr_table
492structures.
493On exit,
494.Va pfrio_size
495contains the number of tables written into the buffer.
496If the buffer is too small, the kernel does not store anything but just
497returns the required buffer size, without error.
498.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io"
499This call is like
500.Dv DIOCRGETTABLES
501but is used to get an array of
502.Vt pfr_tstats
503structures.
504.Bd -literal
505struct pfr_tstats {
506	struct pfr_table pfrts_t;
507	u_int64_t	 pfrts_packets
508			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
509	u_int64_t	 pfrts_bytes
510			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
511	u_int64_t	 pfrts_match;
512	u_int64_t	 pfrts_nomatch;
513	long		 pfrts_tzero;
514	int		 pfrts_cnt;
515	int		 pfrts_refcnt[PFR_REFCNT_MAX];
516};
517#define pfrts_name	 pfrts_t.pfrt_name
518#define pfrts_flags	 pfrts_t.pfrt_flags
519.Ed
520.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io"
521Clear the statistics of one or more tables.
522On entry,
523.Va pfrio_buffer
524must point to an array of
525.Vt struct pfr_table
526containing at least
527.Vt pfrio_size
528elements.
529.Vt pfrio_esize
530must be the size of
531.Vt struct pfr_table .
532On exit,
533.Va pfrio_nzero
534contains the number of tables effectively cleared.
535.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io"
536Clear all addresses in a table.
537On entry,
538.Va pfrio_table
539contains the table to clear.
540On exit,
541.Va pfrio_ndel
542contains the number of addresses removed.
543.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io"
544Add one or more addresses to a table.
545On entry,
546.Va pfrio_table
547contains the table ID and
548.Va pfrio_buffer
549must point to an array of
550.Vt struct pfr_addr
551containing at least
552.Vt pfrio_size
553elements to add to the table.
554.Vt pfrio_esize
555must be the size of
556.Vt struct pfr_addr .
557On exit,
558.Va pfrio_nadd
559contains the number of addresses effectively added.
560.Bd -literal
561struct pfr_addr {
562	union {
563		struct in_addr	 _pfra_ip4addr;
564		struct in6_addr	 _pfra_ip6addr;
565	}		 pfra_u;
566	char		 pfra_ifname[IFNAMSIZ];
567	u_int8_t	 pfra_af;
568	u_int8_t	 pfra_net;
569	u_int8_t	 pfra_not;
570	u_int8_t	 pfra_fback;
571	u_int8_t	 pfra_type;
572	u_int8_t	 pad[7];
573};
574#define pfra_ip4addr    pfra_u._pfra_ip4addr
575#define pfra_ip6addr    pfra_u._pfra_ip6addr
576.Ed
577.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io"
578Delete one or more addresses from a table.
579On entry,
580.Va pfrio_table
581contains the table ID and
582.Va pfrio_buffer
583must point to an array of
584.Vt struct pfr_addr
585containing at least
586.Vt pfrio_size
587elements to delete from the table.
588.Vt pfrio_esize
589must be the size of
590.Vt struct pfr_addr .
591On exit,
592.Va pfrio_ndel
593contains the number of addresses effectively deleted.
594.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io"
595Replace the content of a table by a new address list.
596This is the most complicated command, which uses all the structure members.
597.Pp
598On entry,
599.Va pfrio_table
600contains the table ID and
601.Va pfrio_buffer
602must point to an array of
603.Vt struct pfr_addr
604containing at least
605.Vt pfrio_size
606elements which become the new contents of the table.
607.Vt pfrio_esize
608must be the size of
609.Vt struct pfr_addr .
610Additionally, if
611.Va pfrio_size2
612is non-zero,
613.Va pfrio_buffer[pfrio_size..pfrio_size2]
614must be a writeable buffer, into which the kernel can copy the
615addresses that have been deleted during the replace operation.
616On exit,
617.Va pfrio_ndel ,
618.Va pfrio_nadd ,
619and
620.Va pfrio_nchange
621contain the number of addresses deleted, added, and changed by the
622kernel.
623If
624.Va pfrio_size2
625was set on entry,
626.Va pfrio_size2
627will point to the size of the buffer used, exactly like
628.Dv DIOCRGETADDRS .
629.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io"
630Get all the addresses of a table.
631On entry,
632.Va pfrio_table
633contains the table ID and
634.Va pfrio_buffer[pfrio_size]
635contains a valid writeable buffer for
636.Vt pfr_addr
637structures.
638On exit,
639.Va pfrio_size
640contains the number of addresses written into the buffer.
641If the buffer was too small, the kernel does not store anything but just
642returns the required buffer size, without returning an error.
643.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io"
644This call is like
645.Dv DIOCRGETADDRS
646but is used to get an array of
647.Vt pfr_astats
648structures.
649.Bd -literal
650struct pfr_astats {
651	struct pfr_addr	 pfras_a;
652	u_int64_t	 pfras_packets
653			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
654	u_int64_t	 pfras_bytes
655			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
656	long		 pfras_tzero;
657};
658.Ed
659.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io"
660Clear the statistics of one or more addresses.
661On entry,
662.Va pfrio_table
663contains the table ID and
664.Va pfrio_buffer
665must point to an array of
666.Vt struct pfr_addr
667containing at least
668.Vt pfrio_size
669elements to be cleared from the table.
670.Vt pfrio_esize
671must be the size of
672.Vt struct pfr_addr .
673On exit,
674.Va pfrio_nzero
675contains the number of addresses effectively cleared.
676.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io"
677Test if the given addresses match a table.
678On entry,
679.Va pfrio_table
680contains the table ID and
681.Va pfrio_buffer
682must point to an array of
683.Vt struct pfr_addr
684containing at least
685.Vt pfrio_size
686elements, each of which will be tested for a match in the table.
687.Vt pfrio_esize
688must be the size of
689.Vt struct pfr_addr .
690On exit, the kernel updates the
691.Vt pfr_addr
692array by setting the
693.Va pfra_fback
694member appropriately.
695.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io"
696Change the
697.Dv PFR_TFLAG_CONST
698or
699.Dv PFR_TFLAG_PERSIST
700flags of a table.
701On entry,
702.Va pfrio_buffer
703must point to an array of
704.Vt struct pfr_table
705containing at least
706.Vt pfrio_size
707elements.
708.Va pfrio_esize
709must be the size of
710.Vt struct pfr_table .
711.Va pfrio_setflag
712must contain the flags to add, while
713.Va pfrio_clrflag
714must contain the flags to remove.
715On exit,
716.Va pfrio_nchange
717and
718.Va pfrio_ndel
719contain the number of tables altered or deleted by the kernel.
720Yes, tables can be deleted if one removes the
721.Dv PFR_TFLAG_PERSIST
722flag of an unreferenced table.
723.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io"
724Defines a table in the inactive set.
725On entry,
726.Va pfrio_table
727contains the table ID and
728.Va pfrio_buffer[pfrio_size]
729contains an array of
730.Vt pfr_addr
731structures to put in the table.
732A valid ticket must also be supplied to
733.Va pfrio_ticket .
734On exit,
735.Va pfrio_nadd
736contains 0 if the table was already defined in the inactive list
737or 1 if a new table has been created.
738.Va pfrio_naddr
739contains the number of addresses effectively put in the table.
740.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io"
741.Bd -literal
742struct pfioc_trans {
743	int		 size;	/* number of elements */
744	int		 esize;	/* size of each element in bytes */
745	struct pfioc_trans_e {
746		int		type;
747		char		anchor[MAXPATHLEN];
748		u_int32_t	ticket;
749	}		*array;
750};
751.Ed
752.Pp
753Clear all the inactive rulesets specified in the
754.Vt pfioc_trans_e
755array.
756For each ruleset, a ticket is returned for subsequent "add rule" ioctls,
757as well as for the
758.Dv DIOCXCOMMIT
759and
760.Dv DIOCXROLLBACK
761calls.
762.Pp
763Ruleset types, identified by
764.Va type ,
765include the following:
766.Pp
767.Bl -tag -width PF_RULESET_FILTER -offset ind -compact
768.It Dv PF_RULESET_FILTER
769Filter rules.
770.It Dv PF_RULESET_ALTQ
771ALTQ disciplines.
772.It Dv PF_RULESET_TABLE
773Address tables.
774.El
775.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io"
776Atomically switch a vector of inactive rulesets to the active rulesets.
777This call is implemented as a standard two-phase commit, which will either
778fail for all rulesets or completely succeed.
779All tickets need to be valid.
780This ioctl returns
781.Er EBUSY
782if another process is concurrently updating some of the same rulesets.
783.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io"
784Clean up the kernel by undoing all changes that have taken place on the
785inactive rulesets since the last
786.Dv DIOCXBEGIN .
787.Dv DIOCXROLLBACK
788will silently ignore rulesets for which the ticket is invalid.
789.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid"
790Set the host ID, which is used by
791.Xr pfsync 4
792to identify which host created state table entries.
793.It Dv DIOCOSFPFLUSH
794Flush the passive OS fingerprint table.
795.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io"
796.Bd -literal
797struct pf_osfp_ioctl {
798	struct pf_osfp_entry	fp_os;
799	pf_tcpopts_t		fp_tcpopts;	/* packed TCP options */
800	u_int16_t		fp_wsize;	/* TCP window size */
801	u_int16_t		fp_psize;	/* ip->ip_len */
802	u_int16_t		fp_mss;		/* TCP MSS */
803	u_int16_t		fp_flags;
804	u_int8_t		fp_optcnt;	/* TCP option count */
805	u_int8_t		fp_wscale;	/* TCP window scaling */
806	u_int8_t		fp_ttl;		/* IPv4 TTL */
807
808	int			fp_getnum;	/* DIOCOSFPGET number */
809};
810
811struct pf_osfp_entry {
812	SLIST_ENTRY(pf_osfp_entry) fp_entry;
813	pf_osfp_t		fp_os;
814	int			fp_enflags;
815#define PF_OSFP_EXPANDED	0x001		/* expanded entry */
816#define PF_OSFP_GENERIC		0x002		/* generic signature */
817#define PF_OSFP_NODETAIL	0x004		/* no p0f details */
818#define PF_OSFP_LEN	32
819	char			fp_class_nm[PF_OSFP_LEN];
820	char			fp_version_nm[PF_OSFP_LEN];
821	char			fp_subtype_nm[PF_OSFP_LEN];
822};
823.Ed
824.Pp
825Add a passive OS fingerprint to the table.
826Set
827.Va fp_os.fp_os
828to the packed fingerprint,
829.Va fp_os.fp_class_nm
830to the name of the class (Linux, Windows, etc),
831.Va fp_os.fp_version_nm
832to the name of the version (NT, 95, 98), and
833.Va fp_os.fp_subtype_nm
834to the name of the subtype or patchlevel.
835The members
836.Va fp_mss ,
837.Va fp_wsize ,
838.Va fp_psize ,
839.Va fp_ttl ,
840.Va fp_optcnt ,
841and
842.Va fp_wscale
843are set to the TCP MSS, the TCP window size, the IP length, the IP TTL,
844the number of TCP options, and the TCP window scaling constant of the
845TCP SYN packet, respectively.
846.Pp
847The
848.Va fp_flags
849member is filled according to the
850.Aq Pa net/pfvar.h
851include file
852.Dv PF_OSFP_*
853defines.
854The
855.Va fp_tcpopts
856member contains packed TCP options.
857Each option uses
858.Dv PF_OSFP_TCPOPT_BITS
859bits in the packed value.
860Options include any of
861.Dv PF_OSFP_TCPOPT_NOP ,
862.Dv PF_OSFP_TCPOPT_SACK ,
863.Dv PF_OSFP_TCPOPT_WSCALE ,
864.Dv PF_OSFP_TCPOPT_MSS ,
865or
866.Dv PF_OSFP_TCPOPT_TS .
867.Pp
868The
869.Va fp_getnum
870member is not used with this ioctl.
871.Pp
872The structure's slack space must be zeroed for correct operation;
873.Xr memset 3
874the whole structure to zero before filling and sending to the kernel.
875.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io"
876Get the passive OS fingerprint number
877.Va fp_getnum
878from the kernel's fingerprint list.
879The rest of the structure members will come back filled.
880Get the whole list by repeatedly incrementing the
881.Va fp_getnum
882number until the ioctl returns
883.Er EBUSY .
884.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn"
885.Bd -literal
886struct pfioc_src_nodes {
887	int	psn_len;
888	union {
889		caddr_t		psu_buf;
890		struct pf_src_node	*psu_src_nodes;
891	} psn_u;
892#define psn_buf		psn_u.psu_buf
893#define psn_src_nodes	psn_u.psu_src_nodes
894};
895.Ed
896.Pp
897Get the list of source nodes kept by sticky addresses and source
898tracking.
899The ioctl must be called once with
900.Va psn_len
901set to 0.
902If the ioctl returns without error,
903.Va psn_len
904will be set to the size of the buffer required to hold all the
905.Va pf_src_node
906structures held in the table.
907A buffer of this size should then be allocated, and a pointer to this buffer
908placed in
909.Va psn_buf .
910The ioctl must then be called again to fill this buffer with the actual
911source node data.
912After that call,
913.Va psn_len
914will be set to the length of the buffer actually used.
915.It Dv DIOCCLRSRCNODES
916Clear the tree of source tracking nodes.
917.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io"
918Get the list of interfaces and interface drivers known to
919.Nm .
920All the ioctls that manipulate interfaces
921use the same structure described below:
922.Bd -literal
923struct pfioc_iface {
924	char			 pfiio_name[IFNAMSIZ];
925	void			*pfiio_buffer;
926	int			 pfiio_esize;
927	int			 pfiio_size;
928	int			 pfiio_nzero;
929	int			 pfiio_flags;
930};
931.Ed
932.Pp
933If not empty,
934.Va pfiio_name
935can be used to restrict the search to a specific interface or driver.
936.Va pfiio_buffer[pfiio_size]
937is the user-supplied buffer for returning the data.
938On entry,
939.Va pfiio_size
940contains the number of
941.Vt pfi_kif
942entries that can fit into the buffer.
943The kernel will replace this value by the real number of entries it wants
944to return.
945.Va pfiio_esize
946should be set to
947.Li sizeof(struct pfi_kif) .
948.Pp
949The data is returned in the
950.Vt pfi_kif
951structure described below:
952.Bd -literal
953struct pfi_kif {
954	char				 pfik_name[IFNAMSIZ];
955	RB_ENTRY(pfi_kif)		 pfik_tree;
956	u_int64_t			 pfik_packets[2][2][2];
957	u_int64_t			 pfik_bytes[2][2][2];
958	u_int32_t			 pfik_tzero;
959	int				 pfik_flags;
960	int				 pfik_flags_new;
961	void				*pfik_ah_cookie;
962	struct ifnet			*pfik_ifp;
963	struct ifg_group		*pfik_group;
964	int				 pfik_states;
965	int				 pfik_rules;
966	int				 pfik_routes;
967	TAILQ_HEAD(, pfi_dynaddr)	 pfik_dynaddrs;
968};
969.Ed
970.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io"
971Set the user setable flags (described above) of the
972.Nm
973internal interface description.
974The filtering process is the same as for
975.Dv DIOCIGETIFACES .
976.Bd -literal
977#define PFI_IFLAG_SKIP	0x0100	/* skip filtering on interface */
978.Ed
979.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
980Works as
981.Dv DIOCSETIFFLAG
982above but clears the flags.
983.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
984Explicitly remove source tracking nodes.
985.El
986.Sh FILES
987.Bl -tag -width /dev/pf -compact
988.It Pa /dev/pf
989packet filtering device.
990.El
991.Sh EXAMPLES
992The following example demonstrates how to use the
993.Dv DIOCNATLOOK
994command to find the internal host/port of a NATed connection:
995.Bd -literal
996#include <sys/types.h>
997#include <sys/socket.h>
998#include <sys/ioctl.h>
999#include <sys/fcntl.h>
1000#include <net/if.h>
1001#include <netinet/in.h>
1002#include <net/pfvar.h>
1003#include <err.h>
1004#include <stdio.h>
1005#include <stdlib.h>
1006
1007u_int32_t
1008read_address(const char *s)
1009{
1010	int a, b, c, d;
1011
1012	sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
1013	return htonl(a << 24 | b << 16 | c << 8 | d);
1014}
1015
1016void
1017print_address(u_int32_t a)
1018{
1019	a = ntohl(a);
1020	printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
1021	    a >> 8 & 255, a & 255);
1022}
1023
1024int
1025main(int argc, char *argv[])
1026{
1027	struct pfioc_natlook nl;
1028	int dev;
1029
1030	if (argc != 5) {
1031		printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\en",
1032		    argv[0]);
1033		return 1;
1034	}
1035
1036	dev = open("/dev/pf", O_RDWR);
1037	if (dev == -1)
1038		err(1, "open(\e"/dev/pf\e") failed");
1039
1040	memset(&nl, 0, sizeof(struct pfioc_natlook));
1041	nl.saddr.v4.s_addr	= read_address(argv[1]);
1042	nl.sport		= htons(atoi(argv[2]));
1043	nl.daddr.v4.s_addr	= read_address(argv[3]);
1044	nl.dport		= htons(atoi(argv[4]));
1045	nl.af			= AF_INET;
1046	nl.proto		= IPPROTO_TCP;
1047	nl.direction		= PF_IN;
1048
1049	if (ioctl(dev, DIOCNATLOOK, &nl))
1050		err(1, "DIOCNATLOOK");
1051
1052	printf("internal host ");
1053	print_address(nl.rsaddr.v4.s_addr);
1054	printf(":%u\en", ntohs(nl.rsport));
1055	return 0;
1056}
1057.Ed
1058.Sh SEE ALSO
1059.Xr ioctl 2 ,
1060.Xr bridge 4 ,
1061.Xr pflog 4 ,
1062.Xr pflow 4 ,
1063.Xr pfsync 4 ,
1064.Xr pf.conf 5 ,
1065.Xr pfctl 8 ,
1066.Xr altq 9
1067.Sh HISTORY
1068The
1069.Nm
1070packet filtering mechanism first appeared in
1071.Ox 3.0 .
1072