Lines Matching +full:cpu +full:- +full:viewed
10 .\" - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
81 .Ar set require-order
91 .Bd -literal -offset indent
107 .Bd -literal -offset indent
114 srv_lan_range = "'198.51.100.0 - 198.51.100.255'"
116 nat on $ext_if from $nat_ranges to any -> ($ext_if)
150 .Bl -tag -width "manually"
166 statement, and are especially useful to define non-persistent tables.
167 The contents of a pre-existing table defined without a list of addresses
177 .Bl -tag -width counters
198 flag enables per-address packet and byte counters which can be displayed with
204 .Bd -literal -offset indent
218 .Bd -literal -offset indent
219 # pfctl -t badhosts -Tadd 204.92.77.111
224 .Bd -literal -offset indent
250 .Bl -tag -width xxxx
253 .Bl -tag -width "src.track" -compact
271 .Bl -tag -width xxxx -compact
296 .Bl -tag -width xxxx -compact
312 .Bl -tag -width xxxx -compact
328 .Bl -tag -width xxxx -compact
337 .Bl -tag -width xxxx -compact
342 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
356 When used on a per-rule basis, the values relate to the number of
361 .Bd -literal -offset indent
373 These statistics can be viewed using
374 .Bd -literal -offset indent
375 # pfctl -s info
381 .Bd -literal -offset indent
386 .Bd -literal -offset indent
396 .Bd -literal -offset indent
407 .Bd -literal -offset indent
418 .Bd -literal -offset indent
419 set limit src-nodes 2000
424 .Ar sticky-address
429 .Bd -literal -offset indent
430 set limit table-entries 100000
437 .Bd -literal -offset indent
438 set limit { states 20000, frags 20000, src-nodes 2000 }
440 .It Ar set ruleset-optimization
441 .Bl -tag -width xxxxxxxx -compact
450 .Bl -enum -compact
458 re-order the rules to improve evaluation performance
468 A side effect of the ruleset modification is that per-rule accounting
470 If per-rule accounting is important for billing purposes or whatnot,
474 Optimization can also be set as a command-line argument to
481 .Bl -tag -width xxxx -compact
485 .It Ar high-latency
486 A high-latency environment (such as a satellite connection).
489 .Ar high-latency .
502 .Bd -literal -offset indent
505 .It Ar set reassemble yes | no Op Cm no-df
514 .Cm no-df
516 .Dq dont-fragment
520 .Dq dont-fragment
525 This option is ignored if there are pre-FreeBSD 14
528 .It Ar set block-policy
530 .Ar block-policy
535 .Bl -tag -width xxxxxxxx -compact
549 .Bd -literal -offset indent
550 set block-policy return
552 .It Ar set fail-policy
554 .Ar fail-policy
557 This might happen when a nat or route-to rule uses an empty table as list
563 .Bl -tag -width xxxxxxxx -compact
574 .Bd -literal -offset indent
575 set fail-policy return
577 .It Ar set state-policy
579 .Ar state-policy
582 .Bl -tag -width group-bound -compact
583 .It Ar if-bound
590 .Bd -literal -offset indent
591 set state-policy if-bound
607 .Bl -tag -width adaptive -compact
614 is used up by half-open TCP connections, as in, those that saw the initial
617 .Bd -literal -offset indent
621 .It Ar set state-defaults
623 .Ar state-defaults
628 .Bd -literal -offset indent
629 set state-defaults no-sync
632 The 32-bit
638 By default the hostid is set to a pseudo-random value, however it may be
641 .Bd -literal -offset indent
646 .It Ar set require-order
658 There may be non-trivial and non-obvious implications to an out of
692 .Bl -tag -width xxxxxxxxxxxx -compact
726 .Bl -tag -width xxxx
746 .Bl -tag -width xxxx
770 .It Ar bridge-to Aq interface
827 .Bl -tag -width xxxx
828 .It Ar no-df
830 .Ar dont-fragment
833 .Ar dont-fragment
838 .Ar dont-fragment
840 .Ar no-df
844 .Ar dont-fragment
847 .Ar dont-fragment
851 .Ar random-id
853 .Ar no-df
855 .It Ar min-ttl Aq Ar number
857 .It Ar max-mss Aq Ar number
859 .It Xo Ar set-tos Aq Ar string
880 .It Ar random-id
890 .Bl -tag -width timeout -compact
917 delayed for longer than it takes the connection to wrap its 32-bit sequence
937 .Bd -literal -offset indent
938 match in all scrub (no-df random-id max-mss 1440)
940 .Ss Scrub ruleset (pre-FreeBSD 14)
956 .Bl -tag -width xxxx
972 .Bd -literal -offset indent
1022 .Bl -tag -width xxxx
1085 supports both link-sharing and guaranteed real-time services.
1100 .Bl -tag -width xxxx
1146 should queue up to 5Mbps in four second-level queues using
1149 .Bd -literal -offset indent
1169 .Bl -tag -width xxxx
1211 .Bl -tag -width Fl
1233 .Bl -tag -width Fl
1242 .Bl -tag -width Fl
1303 .Bd -literal
1371 .Bl -tag -width xxxx
1372 .It Ar af-to
1375 .Ar af-to
1379 .Ar af-to
1391 part is 32-bit long.
1400 .Bd -literal -offset indent
1401 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1402 pass in inet af-to inet6 from 2001:db8::1
1411 .Bd -literal -offset indent
1412 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1414 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1426 .Ar binat-to
1430 .Ar nat-to
1432 .Ar rdr-to
1434 .It Ar nat-to
1436 .Ar nat-to
1445 .Bd -literal -offset indent
1446 10.0.0.0 - 10.255.255.255 (all of net 10.0.0.0, i.e., 10.0.0.0/8)
1447 172.16.0.0 - 172.31.255.255 (i.e., 172.16.0.0/12)
1448 192.168.0.0 - 192.168.255.255 (i.e., 192.168.0.0/16)
1451 .Ar nat-to
1453 If applied inbound, nat-to to a local IP address is not supported.
1454 .It Pa rdr-to
1457 .Ar rdr-to
1460 .Bd -literal -offset indent
1461 match in ... port 2000:2999 rdr-to ... port 4000
1464 .Bd -literal -offset indent
1465 qmatch in ... port 2000:2999 rdr-to ... port 4000:*
1470 .Ar rdr-to
1472 If applied outbound, rdr-to to a local IP address is not supported.
1479 .Ar nat-to
1481 .Ar rdr-to
1484 .Ar rdr-to
1487 A random source port in the range 50001-65535 is chosen in this case.
1489 .Ar binat-to
1494 .Bd -literal -offset indent
1496 rdr-to 127.0.0.1 port spamd
1502 Unless this effect is desired, any of the local non-loopback addresses
1510 .Ss NAT ruleset (pre-FreeBSD 15)
1538 .Ar binat-to ,
1539 .Ar nat-to
1541 .Ar rdr-to
1617 .Bl -tag -width xxxx
1627 .Ar block-policy
1628 option, or on a per-rule basis with one of the following options:
1630 .Bl -tag -width xxxx -compact
1633 .It Ar return-rst
1638 .It Ar return-icmp
1639 .It Ar return-icmp6
1658 .Bd -literal -offset indent
1674 .Ar nat-to ,
1675 .Ar binat-to ,
1676 .Ar rdr-to ,
1714 .Bd -literal -offset indent
1715 pass out inet proto icmp all icmp-type echoreq
1763 .Bl -tag -width xxxx
1877 .Bl -tag -width xxxxxxxxxxxxxx -compact
1880 .It Ar no-route
1882 .It Ar urpf-failed
1893 .Sq -
1896 .Dq 10.1.1.10 - 10.1.1.12
1904 .Bl -tag -width xxxxxxxxxxxx -compact
1910 Translates to the point-to-point interface's peer address(es).
1918 v4 and non-link-local v6 address found.
1921 ruleset load-time.
1942 .Bd -literal -offset indent
1960 .Bl -tag -width Fl
1972 hence ports 1-1999 and 2005-65535.
1984 .Bd -literal -offset indent
2046 .Bd -literal -offset indent
2053 .Bd -literal -offset indent
2082 .Bl -tag -width Fl
2104 .Pq non-SYN
2114 .Ar af-to ,
2124 .It Xo Ar icmp-type Aq Ar type
2127 .It Xo Ar icmp6-type Aq Ar type
2140 .Ar icmp-type
2142 .Ar icmp6-type
2168 .Bd -literal -offset indent
2173 .It Ar allow-opts
2174 By default, packets with IPv4 options or IPv6 hop-by-hop or destination
2177 .Ar allow-opts
2192 pfctl -s labels
2193 shows per-rule statistics for rules that have labels.
2197 .Bl -tag -width $srcaddr -compact -offset indent
2215 .Bd -literal -offset indent
2222 .Bd -literal -offset indent
2235 .It Cm max-pkt-rate Ar number Ns / Ns Ar seconds
2242 .Bd -literal -offset indent
2244 pass in proto icmp max-pkt-rate 100/10
2250 .It Ar max-pkt-size Aq Ar number
2268 .Bd -literal -offset indent
2285 .Bd -literal -offset indent
2289 .It Oo Cm \&! Oc Ns Cm received-on Ar interface
2325 .It Xo Ar divert-to Aq Ar host
2339 If a packet is re-injected and does not change direction then it will not be
2340 re-diverted.
2341 .It Ar divert-reply
2350 .Bd -literal -offset indent
2361 .Bl -tag -width xxxx
2362 .It Ar route-to
2364 .Ar route-to
2368 .Ar route-to
2373 .It Ar reply-to
2375 .Ar reply-to
2377 .Ar route-to ,
2381 .Ar reply-to
2386 .It Ar dup-to
2388 .Ar dup-to
2390 .Ar route-to .
2399 .Ar route-to ,
2400 .Ar reply-to
2402 .Ar dup-to
2407 .Bl -tag -width xxxx
2420 .It Ar source-hash
2422 .Ar source-hash
2428 randomly generates a key for source-hash every time the
2430 .It Ar round-robin
2432 .Ar round-robin
2438 .It Ar static-port
2442 .Ar static-port
2446 .It Xo Ar map-e-portset Aq Ar psid-offset
2447 .No / Aq Ar psid-len
2453 .Ar map-e-portset
2454 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2455 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2457 to the map-e-portset nat rule.
2460 .Bd -literal -offset indent
2462 -> $ipv4_mape_src map-e-portset 6/8/0x34
2466 .It Ar endpoint-independent
2470 .Ar endpoint-independent
2475 This feature implements "full-cone" NAT behavior.
2479 .Ar sticky-address
2485 .Ar round-robin
2513 .Bd -literal -offset indent
2556 completed the handshake, hence so-called SYN floods with spoofed source
2580 .Bd -literal -offset indent
2585 per-rule basis.
2594 .Bl -tag -width xxxx -compact
2599 .It Ar no-sync
2621 .It Ar allow-related
2628 .Bd -literal -offset indent
2631 (max 100, source-track rule, max-src-nodes 75, \e
2632 max-src-states 3, tcp.established 60, tcp.closing 5)
2636 .Ar source-track
2639 .Bl -tag -width xxxx -compact
2640 .It Ar source-track rule
2642 .Ar max-src-nodes
2644 .Ar max-src-states
2648 .It Ar source-track global
2651 .Ar max-src-nodes
2653 .Ar max-src-states
2660 .Bl -tag -width xxxx -compact
2661 .It Ar max-src-nodes Aq Ar number
2664 .It Ar max-src-states Aq Ar number
2670 which have completed the TCP 3-way handshake) can also be enforced
2673 .Bl -tag -width xxxx -compact
2674 .It Ar max-src-conn Aq Ar number
2676 completed the 3-way handshake that a single host can make.
2677 .It Xo Ar max-src-conn-rate Aq Ar number
2687 Because the 3-way handshake ensures that the source address is not being
2714 .Bd -literal -offset indent
2717 (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
2748 .Ar no-df
2751 .Dl \&"OpenBSD 3.3 no-df\&"
2760 .Dl # pfctl -so
2773 .Bd -literal -offset indent
2803 .Bd -literal -offset indent
2808 .Bd -literal -offset indent
2813 For non-loopback interfaces, there are additional rules to block incoming
2818 .Bd -literal -offset indent
2823 .Bd -literal -offset indent
2874 .Bd -literal -offset indent
2937 .Bl -tag -width xxxx
2938 .It Ar nat-anchor Aq Ar name
2943 .It Ar rdr-anchor Aq Ar name
2948 .It Ar binat-anchor Aq Ar name
3001 .Bd -literal -offset indent
3015 .Bd -literal -offset indent
3017 pfctl -a spam -f -
3029 .Bd -literal -offset indent
3031 load anchor spam from "/etc/pf-spam.conf"
3039 .Pa /etc/pf-spam.conf
3050 .Bd -literal -offset indent
3063 .Bd -literal -offset indent
3065 pfctl -a spam -f -
3075 .Bd -literal -offset indent
3095 .Bd -literal -offset indent
3096 # echo ' anchor "spam/allowed" ' | pfctl -f -
3097 # echo -e ' anchor "../banned" \en pass' | \e
3098 pfctl -a spam/allowed -f -
3111 rule can also contain a filter ruleset in a brace-delimited block.
3114 Brace delimited blocks may contain rules or other brace-delimited blocks.
3116 .Bd -literal -offset indent
3144 .Bd -literal -offset indent
3150 rdr-to 127.0.0.1 port 8080
3159 .Bd -literal -offset indent
3161 rdr-to 127.0.0.1 port 8080
3172 .Bd -literal -offset indent
3173 match out on ! vlan12 from 192.168.168.0/24 to any nat-to 204.92.77.111
3179 .Xr ftp-proxy 8 ,
3182 .Xr ftp-proxy 8
3184 .Xr ftp-proxy 8
3186 .Bd -literal -offset indent
3190 pass out on $ext_if inet from ! ($ext_if) to any nat-to ($ext_if)
3197 nat-to ($ext_if) port 500
3203 pass on $ext_if from 10.1.2.150 to any binat-to $ext_if
3207 pass on $peer_if from 172.21.16.0/20 to any binat-to 172.22.16.0/20
3213 rdr-to 10.1.2.151 port 22
3215 rdr-to 10.1.2.151 port 53
3219 # for proxying with ftp-proxy(8) running on port 8021.
3221 rdr-to 127.0.0.1 port 8021
3228 .Bd -literal -offset indent
3232 # using the source-hash keyword.
3233 pass out on $ext_if inet from any to any nat-to 192.0.2.16/28 source-hash
3239 rdr-to { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3247 .Bd -literal -offset indent
3250 nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
3255 .Bd -literal -offset indent
3260 -> 127.0.0.1 port 80
3263 .Bd -literal -offset indent
3278 block in from no-route to any
3282 block in from urpf-failed to any
3294 # them anyway (hence, no return-rst).
3305 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3354 tag SPAMD -> 127.0.0.1 port spamd
3361 translates an internal IPv4 subnet to IPv6 using the well-known
3363 .Bd -literal -offset 4n
3364 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3370 .Bd -literal -offset 4n
3371 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3377 .Bd -literal
3378 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3379 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3380 trans-anchors | anchor-rule | anchor-close | load-anchor |
3381 table-rule | include )
3383 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3384 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3386 "high-latency" | "satellite" |
3388 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3389 [ "loginterface" ( interface-name | "none" ) ] |
3390 [ "block-policy" ( "drop" | "return" ) ] |
3391 [ "state-policy" ( "if-bound" | "floating" ) ]
3392 [ "state-defaults" state-opts ]
3393 [ "require-order" ( "yes" | "no" ) ]
3399 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3400 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3402 [ etherfilteropt-list ]
3404 pf-rule = action [ ( "in" | "out" ) ]
3407 [ hosts ] [ filteropt-list ]
3410 logopt = "all" | "matches" | "user" | "to" interface-name
3412 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3416 filteropt-list = filteropt-list filteropt | filteropt
3417 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3418 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3419 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3421 [ "(" state-opts ")" ] |
3422 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3423 "max-mss" number | "random-id" | "reassemble tcp" |
3424 fragmentation | "allow-opts" |
3426 "max-pkt-rate" number "/" seconds |
3428 "max-pkt-size" number |
3434 [ ! ] "received-on" ( interface-name | interface-group )
3436 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3439 [ "->" ( redirhost | "{" redirhost-list "}" )
3440 [ portspec ] [ pooltype ] [ "static-port" ]
3441 [ "map-e-portset" number "/" number "/" number ] ]
3443 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3444 [ "on" interface-name ] [ af ]
3445 [ "proto" ( proto-name | proto-number ) ]
3446 "from" address [ "/" mask-bits ] "to" ipspec
3448 [ "->" address [ "/" mask-bits ] ]
3450 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3453 [ "->" ( redirhost | "{" redirhost-list "}" )
3456 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3460 table-rule = "table" "<" string ">" [ tableopts-list ]
3461 tableopts-list = tableopts-list tableopts | tableopts
3463 "{" [ tableaddr-list ] "}"
3464 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3465 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3467 ipv4-dotted-quad | ipv6-coloned-hex
3469 altq-rule = "altq on" interface-name queueopts-list
3471 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3474 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3475 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3477 anchor-close = "}"
3479 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3482 load-anchor = "load anchor" string "from" filename
3484 queueopts-list = queueopts-list queueopts | queueopts
3485 queueopts = [ "bandwidth" bandwidth-spec ] |
3488 schedulers = ( cbq-def | priq-def | hfsc-def )
3489 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3493 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3494 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3495 "return-icmp6" [ "(" icmp6code ")" ]
3496 icmpcode = ( icmp-code-name | icmp-code-number )
3497 icmp6code = ( icmp6-code-name | icmp6-code-number )
3499 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3500 "{" interface-list "}"
3501 interface-list = [ "!" ] ( interface-name | interface-group )
3502 [ [ "," ] interface-list ]
3503 route = ( "route-to" | "reply-to" | "dup-to" )
3504 ( routehost | "{" routehost-list "}" )
3508 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3509 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3510 protospec = "proto" ( proto-name | proto-number |
3511 "{" proto-list "}" )
3512 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3518 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3519 "{" host-list "}" ) [ port ] [ os ]
3520 "to" ( "any" | "no-route" | "self" | host |
3521 "{" host-list "}" ) [ port ]
3523 ipspec = "any" | host | "{" host-list "}"
3524 host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
3525 redirhost = address [ "/" mask-bits ]
3526 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
3527 address = ( interface-name | interface-group |
3528 "(" ( interface-name | interface-group ) ")" |
3529 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3530 host-list = host [ [ "," ] host-list ]
3531 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3532 routehost-list = routehost [ [ "," ] routehost-list ]
3534 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3536 os = "os" ( os-name | "{" os-list "}" )
3537 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3538 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3540 unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
3542 binary-op = number ( "<>" | "><" | ":" ) number
3543 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3545 os-name = operating-system-name
3546 os-list = os-name [ [ "," ] os-list ]
3548 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3549 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3552 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3553 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3554 icmp-type-code = ( icmp-type-name | icmp-type-number )
3555 [ "code" ( icmp-code-name | icmp-code-number ) ]
3556 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3561 state-opts = state-opt [ [ "," ] state-opts ]
3562 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3563 "source-track" [ ( "rule" | "global" ) ] |
3564 "max-src-nodes" number | "max-src-states" number |
3565 "max-src-conn" number |
3566 "max-src-conn-rate" number "/" number |
3568 "if-bound" | "floating" | "pflow" )
3572 timeout-list = timeout [ [ "," ] timeout-list ]
3583 limit-list = limit-item [ [ "," ] limit-list ]
3584 limit-item = ( "states" | "frags" | "src-nodes" ) number
3587 "source-hash" [ ( hex-key | string-key ) ] |
3588 "round-robin" ) [ sticky-address ]
3590 subqueue = string | "{" queue-list "}"
3591 queue-list = string [ [ "," ] string ]
3592 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3593 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3594 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3595 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3596 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3597 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3598 linkshare-sc | realtime-sc | upperlimit-sc )
3599 linkshare-sc = "linkshare" sc-spec
3600 realtime-sc = "realtime" sc-spec
3601 upperlimit-sc = "upperlimit" sc-spec
3602 sc-spec = ( bandwidth-spec |
3603 "(" bandwidth-spec number bandwidth-spec ")" )
3607 .Bl -tag -width "/etc/protocols" -compact
3638 .Xr ftp-proxy 8 ,