Lines Matching +full:address +full:- +full:translation
10 .\" - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
63 .It Cm Translation Li (Various forms of NAT)
64 Translation rules specify how addresses are to be mapped or redirected to
67 Packet filtering provides rule-based blocking or passing of packets.
81 .Ar set require-order
91 .Bd -literal -offset indent
113 .Bd -literal -offset indent
120 srv_lan_range = "'198.51.100.0 - 198.51.100.255'"
122 nat on $ext_if from $nat_ranges to any -> ($ext_if)
132 differ only in IP address (either created explicitly or automatically by rule
139 translation rules such as
144 Tables can also be used for the redirect address of
156 .Bl -tag -width "manually"
172 statement, and are especially useful to define non-persistent tables.
173 The contents of a pre-existing table defined without a list of addresses
183 .Bl -tag -width counters
204 flag enables per-address packet and byte counters which can be displayed with
210 .Bd -literal -offset indent
224 .Bd -literal -offset indent
225 # pfctl -t badhosts -Tadd 204.92.77.111
228 A table can also be initialized with an address list specified in one or more
230 .Bd -literal -offset indent
241 In addition to being specified by IP address, hosts may also be
256 .Bl -tag -width xxxx
259 .Bl -tag -width "src.track" -compact
281 .Bl -tag -width xxxx -compact
309 .Bl -tag -width xxxx -compact
325 .Bl -tag -width xxxx -compact
341 .Bl -tag -width xxxx -compact
350 .Bl -tag -width xxxx -compact
355 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
369 When used on a per-rule basis, the values relate to the number of
374 .Bd -literal -offset indent
387 .Bd -literal -offset indent
388 # pfctl -s info
394 .Bd -literal -offset indent
399 .Bd -literal -offset indent
409 .Bl -tag -width pktdelay_pkts
417 .It Cm src-nodes
420 .Ar sticky-address
425 .It Cm table-entries
431 .It Cm eth-anchors
437 .Bd -literal -offset indent
438 set limit { states 20000, frags 2000, src-nodes 2000 }
440 .It Ar set ruleset-optimization
441 .Bl -tag -width xxxxxxxx -compact
450 .Bl -enum -compact
458 re-order the rules to improve evaluation performance
468 A side effect of the ruleset modification is that per-rule accounting
470 If per-rule accounting is important for billing purposes or whatnot,
474 Optimization can also be set as a command-line argument to
481 .Bl -tag -width xxxx -compact
485 .It Ar high-latency
486 A high-latency environment (such as a satellite connection).
489 .Ar high-latency .
502 .Bd -literal -offset indent
505 .It Ar set reassemble yes | no Op Cm no-df
514 .Cm no-df
516 .Dq dont-fragment
520 .Dq dont-fragment
525 This option is ignored if there are pre-FreeBSD 14
528 .It Ar set block-policy
530 .Ar block-policy
535 .Bl -tag -width xxxxxxxx -compact
549 .Bd -literal -offset indent
550 set block-policy return
552 .It Ar set fail-policy
554 .Ar fail-policy
557 This might happen when a nat or route-to rule uses an empty table as list
563 .Bl -tag -width xxxxxxxx -compact
574 .Bd -literal -offset indent
575 set fail-policy return
577 .It Ar set state-policy
579 .Ar state-policy
582 .Bl -tag -width group-bound -compact
583 .It Ar if-bound
590 .Bd -literal -offset indent
591 set state-policy if-bound
607 .Bl -tag -width adaptive -compact
614 is used up by half-open TCP connections, as in, those that saw the initial
617 .Bd -literal -offset indent
621 .It Ar set state-defaults
623 .Ar state-defaults
628 .Bd -literal -offset indent
629 set state-defaults no-sync
632 The 32-bit
638 By default the hostid is set to a pseudo-random value, however it may be
641 .Bd -literal -offset indent
646 .It Ar set require-order
653 .Em translation ,
658 There may be non-trivial and non-obvious implications to an out of
692 .Bl -tag -width xxxxxxxxxxxx -compact
726 .Bl -tag -width xxxx
746 .Bl -tag -width xxxx
770 .It Ar bridge-to Aq interface
799 processed by translation rules.
827 .Bl -tag -width xxxx
828 .It Ar no-df
830 .Ar dont-fragment
833 .Ar dont-fragment
838 .Ar dont-fragment
840 .Ar no-df
844 .Ar dont-fragment
847 .Ar dont-fragment
851 .Ar random-id
853 .Ar no-df
855 .It Ar min-ttl Aq Ar number
857 .It Ar max-mss Aq Ar number
867 .It Xo Ar set-tos Aq Ar string
888 .It Ar random-id
898 .Bl -tag -width timeout -compact
925 delayed for longer than it takes the connection to wrap its 32-bit sequence
945 .Bd -literal -offset indent
946 match in all scrub (no-df random-id max-mss 1440)
948 .Ss Scrub ruleset (pre-FreeBSD 14)
964 .Bl -tag -width xxxx
980 .Bd -literal -offset indent
1030 .Bl -tag -width xxxx
1093 supports both link-sharing and guaranteed real-time services.
1108 .Bl -tag -width xxxx
1154 should queue up to 5Mbps in four second-level queues using
1157 .Bd -literal -offset indent
1177 .Bl -tag -width xxxx
1219 .Bl -tag -width Fl
1241 .Bl -tag -width Fl
1250 .Bl -tag -width Fl
1311 .Bd -literal
1359 .Sh TRANSLATION
1360 Translation options modify either the source or destination address and
1363 modifies the specified address and/or port in the packet and recalculates
1371 address and port number.
1375 to keep track of the original address for traffic associated with that state
1378 Various types of translation are possible with pf:
1379 .Bl -tag -width xxxx
1380 .It Ar af-to
1381 Translation between different address families (NAT64) is handled
1383 .Ar af-to
1385 Because address family translation overrides the routing table, it's
1387 .Ar af-to
1388 on inbound rules, and a source address of the resulting translation
1393 The lowest bits of the original destination address form the host
1394 part of the new destination address according to the specified subnet.
1395 It is possible to embed a complete IPv4 address into an IPv6 address
1398 When a destination address is not specified, it is assumed that the host
1399 part is 32-bit long.
1400 For IPv6 to IPv4 translation this would mean using only the lower 32
1401 bits of the original IPv6 destination address.
1402 For IPv4 to IPv6 translation the destination subnet defaults to the
1403 subnet of the new IPv6 source address with a prefix length of /96.
1405 destination address encoding.
1408 .Bd -literal -offset indent
1409 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1410 pass in inet af-to inet6 from 2001:db8::1
1414 have a source address of 2001:db8::1 and a destination address will
1419 .Bd -literal -offset indent
1420 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1422 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1426 The destination IPv4 address is assumed to be embedded inside the
1427 original IPv6 destination address, e.g. 64:ff9b::c633:6464 will be
1434 .Ar binat-to
1438 .Ar nat-to
1440 .Ar rdr-to
1442 .It Ar nat-to
1444 .Ar nat-to
1450 Although in theory any IP address can be used on the inside, it is strongly
1451 recommended that one of the address ranges defined by RFC 1918 be used.
1453 .Bd -literal -offset indent
1454 10.0.0.0 - 10.255.255.255 (all of net 10.0.0.0, i.e., 10.0.0.0/8)
1455 172.16.0.0 - 172.31.255.255 (i.e., 172.16.0.0/12)
1456 192.168.0.0 - 192.168.255.255 (i.e., 192.168.0.0/16)
1459 .Ar nat-to
1461 If applied inbound, nat-to to a local IP address is not supported.
1462 .It Pa rdr-to
1465 .Ar rdr-to
1468 .Bd -literal -offset indent
1469 match in ... port 2000:2999 rdr-to ... port 4000
1472 .Bd -literal -offset indent
1473 match in ... port 2000:2999 rdr-to ... port 4000:*
1478 .Ar rdr-to
1480 If applied outbound, rdr-to to a local IP address is not supported.
1481 In addition to modifying the address, some translation rules may modify
1487 .Ar nat-to
1489 .Ar rdr-to
1492 .Ar rdr-to
1495 A random source port in the range 50001-65535 is chosen in this case.
1497 .Ar binat-to
1501 address, as in
1502 .Bd -literal -offset indent
1504 rdr-to 127.0.0.1 port spamd
1508 bound solely to the loopback address, circumventing the traditional
1510 Unless this effect is desired, any of the local non-loopback addresses
1512 connections only to daemons bound to this address or not bound to
1513 any address.
1516 .Sx TRANSLATION EXAMPLES
1518 .Ss NAT ruleset (pre-FreeBSD 15)
1525 Since translation occurs before filtering the filter
1529 address and port number.
1530 Packets that match a translation rule are only automatically passed if
1546 .Ar binat-to ,
1547 .Ar nat-to
1549 .Ar rdr-to
1554 option prefixed to a translation rule causes packets to remain untranslated,
1560 Evaluation order of the translation rules is dependent on the type
1561 of the translation rules and of the direction of a packet.
1573 Translation rules apply only to packets that pass through
1575 translation is applied to packets on all interfaces.
1578 Connections to the address of the external interface from local hosts will
1586 .Sx COMPATIBILITY TRANSLATION EXAMPLES
1625 .Bl -tag -width xxxx
1635 .Ar block-policy
1636 option, or on a per-rule basis with one of the following options:
1638 .Bl -tag -width xxxx -compact
1641 .It Ar return-rst
1646 .It Ar return-icmp
1647 .It Ar return-icmp6
1666 .Bd -literal -offset indent
1682 .Ar nat-to ,
1683 .Ar binat-to ,
1684 .Ar rdr-to ,
1716 a fake source address/port but does not know the connection's sequence
1722 .Bd -literal -offset indent
1723 pass out inet proto icmp all icmp-type echoreq
1742 rules, in order to track address and port translations and reverse the
1743 translation on returning packets.
1771 .Bl -tag -width xxxx
1853 This rule applies only to packets of this address family.
1885 .Bl -tag -width xxxxxxxxxxxxxx -compact
1887 Any address.
1888 .It Ar no-route
1889 Any address which is not currently routable.
1890 .It Ar urpf-failed
1891 Any source address that fails a unicast reverse path forwarding (URPF)
1893 the route back to the packet's source address.
1897 Any address that matches the given table.
1901 .Sq -
1904 .Dq 10.1.1.10 - 10.1.1.12
1912 .Bl -tag -width xxxxxxxxxxxx -compact
1916 Translates to the interface's broadcast address(es).
1918 Translates to the point-to-point interface's peer address(es).
1926 v4 and non-link-local v6 address found.
1928 Host name resolution and interface to address translation are done at
1929 ruleset load-time.
1930 When the address of an interface (or host name) changes (under DHCP or PPP,
1936 automatically updated whenever the interface changes its address.
1950 .Bd -literal -offset indent
1968 .Bl -tag -width Fl
1980 hence ports 1-1999 and 2005-65535.
1992 .Bd -literal -offset indent
2054 .Bd -literal -offset indent
2061 .Bd -literal -offset indent
2090 .Bl -tag -width Fl
2112 .Pq non-SYN
2122 .Ar af-to ,
2132 .It Xo Ar icmp-type Aq Ar type
2135 .It Xo Ar icmp6-type Aq Ar type
2148 .Ar icmp-type
2150 .Ar icmp6-type
2176 .Bd -literal -offset indent
2181 .It Ar allow-opts
2182 By default, packets with IPv4 options or IPv6 hop-by-hop or destination
2185 .Ar allow-opts
2200 pfctl -s labels
2201 shows per-rule statistics for rules that have labels.
2205 .Bl -tag -width $srcaddr -compact -offset indent
2209 The source IP address.
2211 The destination IP address.
2223 .Bd -literal -offset indent
2230 .Bd -literal -offset indent
2243 .It Cm max-pkt-rate Ar number Ns / Ns Ar seconds
2250 .Bd -literal -offset indent
2252 pass in proto icmp max-pkt-rate 100/10
2258 .It Ar max-pkt-size Aq Ar number
2283 .Bd -literal -offset indent
2300 .Bd -literal -offset indent
2304 .It Oo Cm \&! Oc Ns Cm received-on Ar interface
2317 processed by translation rules.
2334 Used with filter, translation or scrub rules
2340 .It Xo Ar divert-to Aq Ar host
2354 If a packet is re-injected and does not change direction then it will not be
2355 re-diverted.
2356 .It Ar divert-reply
2365 .Bd -literal -offset indent
2376 .Bl -tag -width xxxx
2377 .It Ar route-to
2379 .Ar route-to
2380 option routes the packet to the specified interface with an address
2383 .Ar route-to
2388 .It Ar reply-to
2390 .Ar reply-to
2392 .Ar route-to ,
2396 .Ar reply-to
2401 .It Ar dup-to
2403 .Ar dup-to
2405 .Ar route-to .
2414 .Ar route-to ,
2415 .Ar reply-to
2417 .Ar dup-to
2418 rule options) for which there is a single redirection address which has a
2420 address), a variety of different methods for assigning this address can be
2422 .Bl -tag -width xxxx
2426 option applies the network portion of the redirection address to the address
2434 option selects an address at random within the defined block of addresses.
2435 .It Ar source-hash
2437 .Ar source-hash
2438 option uses a hash of the source address to determine the redirection address,
2439 ensuring that the redirection address is always the same for a given source.
2443 randomly generates a key for source-hash every time the
2445 .It Ar round-robin
2447 .Ar round-robin
2448 option loops through the redirection address(es).
2450 When more than one redirection address is specified,
2453 .It Ar static-port
2457 .Ar static-port
2461 .It Xo Ar map-e-portset Aq Ar psid-offset
2462 .No / Aq Ar psid-len
2468 .Ar map-e-portset
2469 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2470 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2472 to the map-e-portset nat rule.
2475 .Bd -literal -offset indent
2477 -> $ipv4_mape_src map-e-portset 6/8/0x34
2481 .It Ar endpoint-independent
2485 .Ar endpoint-independent
2488 to always map connections from a UDP source address and port to the same
2489 NAT address and port.
2490 This feature implements "full-cone" NAT behavior.
2494 .Ar sticky-address
2496 .Ar prefer-ipv6-nexthop
2500 .Ar sticky-address
2502 same source are mapped to the same redirection address.
2506 .Ar round-robin
2517 .Ar prefer-ipv6-nexthop
2520 .Ar route-to
2522 will be used in round-robin fashion, then IPv4 addresses.
2542 .Bd -literal -offset indent
2585 completed the handshake, hence so-called SYN floods with spoofed source
2609 .Bd -literal -offset indent
2614 per-rule basis.
2623 .Bl -tag -width xxxx -compact
2628 .It Ar no-sync
2650 .It Ar allow-related
2657 .Bd -literal -offset indent
2660 (max 100, source-track rule, max-src-nodes 75, \e
2661 max-src-states 3, tcp.established 60, tcp.closing 5)
2665 .Ar source-track
2668 .Bl -tag -width xxxx -compact
2669 .It Ar source-track rule
2671 .Ar max-src-nodes
2673 .Ar max-src-states
2677 .It Ar source-track global
2680 .Ar max-src-nodes
2682 .Ar max-src-states
2689 .Bl -tag -width xxxx -compact
2690 .It Ar max-src-nodes Aq Ar number
2693 .It Ar max-src-states Aq Ar number
2695 source address can create with this rule.
2699 which have completed the TCP 3-way handshake) can also be enforced
2702 .Bl -tag -width xxxx -compact
2703 .It Ar max-src-conn Aq Ar number
2705 completed the 3-way handshake that a single host can make.
2706 .It Xo Ar max-src-conn-rate Aq Ar number
2716 Because the 3-way handshake ensures that the source address is not being
2737 Any host which connects faster than this rate will have its address added
2743 .Bd -literal -offset indent
2746 (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
2777 .Ar no-df
2780 .Dl \&"OpenBSD 3.3 no-df\&"
2789 .Dl # pfctl -so
2802 .Bd -literal -offset indent
2832 .Bd -literal -offset indent
2837 .Bd -literal -offset indent
2842 For non-loopback interfaces, there are additional rules to block incoming
2843 packets with a source IP address identical to the interface's IP(s).
2844 For example, assuming the interface wi0 had an IP address of 10.0.0.1 and a
2847 .Bd -literal -offset indent
2852 .Bd -literal -offset indent
2893 fields (source/destination address, protocol), since subprotocol header
2903 .Bd -literal -offset indent
2911 state table entries, which makes stateful filtering and address
2912 translation (NAT, redirection) for fragments impossible.
2947 is a container that can hold rules, address tables, and other anchors.
2959 translation rules, for example, may also be contained in any anchor.
2966 .Bl -tag -width xxxx
2967 .It Ar nat-anchor Aq Ar name
2972 .It Ar rdr-anchor Aq Ar name
2977 .It Ar binat-anchor Aq Ar name
3000 Matching filter and translation rules marked with the
3030 .Bd -literal -offset indent
3044 .Bd -literal -offset indent
3046 pfctl -a spam -f -
3051 which blocks all packets from a specific address.
3058 .Bd -literal -offset indent
3060 load anchor spam from "/etc/pf-spam.conf"
3068 .Pa /etc/pf-spam.conf
3079 .Bd -literal -offset indent
3092 .Bd -literal -offset indent
3094 pfctl -a spam -f -
3104 .Bd -literal -offset indent
3124 .Bd -literal -offset indent
3125 # echo ' anchor "spam/allowed" ' | pfctl -f -
3126 # echo -e ' anchor "../banned" \en pass' | \e
3127 pfctl -a spam/allowed -f -
3140 rule can also contain a filter ruleset in a brace-delimited block.
3143 Brace delimited blocks may contain rules or other brace-delimited blocks.
3145 .Bd -literal -offset indent
3169 .Sh TRANSLATION EXAMPLES
3173 .Bd -literal -offset indent
3179 rdr-to 127.0.0.1 port 8080
3186 modifier, packets matching the translation rule are passed without
3188 .Bd -literal -offset indent
3190 rdr-to 127.0.0.1 port 8080
3197 network appear as though it is the Internet routable address
3201 .Bd -literal -offset indent
3202 match out on ! vlan12 from 192.168.168.0/24 to any nat-to 204.92.77.111
3206 The external interface has the address 157.161.48.183.
3208 .Xr ftp-proxy 8 ,
3211 .Xr ftp-proxy 8
3213 .Xr ftp-proxy 8
3215 .Bd -literal -offset indent
3218 # In this case, any address but the gateway's external address is mapped.
3219 pass out on $ext_if inet from ! ($ext_if) to any nat-to ($ext_if)
3226 nat-to ($ext_if) port 500
3229 # Translate outgoing packets' source address (any protocol).
3230 # Translate incoming packets' destination address to an internal machine
3232 pass on $ext_if from 10.1.2.150 to any binat-to $ext_if
3235 # to the corresponding address in 172.21.16.0/20 (bidirectional).
3236 pass on $peer_if from 172.21.16.0/20 to any binat-to 172.22.16.0/20
3242 rdr-to 10.1.2.151 port 22
3244 rdr-to 10.1.2.151 port 53
3248 # for proxying with ftp-proxy(8) running on port 8021.
3250 rdr-to 127.0.0.1 port 8021
3257 .Bd -literal -offset indent
3259 # Translate outgoing packets' source addresses using an address pool.
3260 # A given source address is always translated to the same pool address by
3261 # using the source-hash keyword.
3262 pass out on $ext_if inet from any to any nat-to 192.0.2.16/28 source-hash
3268 rdr-to { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3270 .Sh COMPATIBILITY TRANSLATION EXAMPLES
3276 .Bd -literal -offset indent
3279 nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
3284 .Bd -literal -offset indent
3289 -> 127.0.0.1 port 80
3292 .Bd -literal -offset indent
3294 # (157.161.48.183, the only routable address)
3307 block in from no-route to any
3310 # the route back to their source address
3311 block in from urpf-failed to any
3313 # block and log outgoing packets that do not have our address as source,
3321 # block and log incoming packets from reserved address space and invalid
3323 # them anyway (hence, no return-rst).
3334 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3383 tag SPAMD -> 127.0.0.1 port spamd
3389 In the example below, a router handling both address families
3390 translates an internal IPv4 subnet to IPv6 using the well-known
3392 .Bd -literal -offset 4n
3393 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3397 another router handling both address families to translate back
3399 .Bd -literal -offset 4n
3400 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3406 .Bd -literal
3407 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3408 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3409 trans-anchors | anchor-rule | anchor-close | load-anchor |
3410 table-rule | include )
3412 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3413 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3415 "high-latency" | "satellite" |
3417 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3418 [ "loginterface" ( interface-name | "none" ) ] |
3419 [ "block-policy" ( "drop" | "return" ) ] |
3420 [ "state-policy" ( "if-bound" | "floating" ) ]
3421 [ "state-defaults" state-opts ]
3422 [ "require-order" ( "yes" | "no" ) ]
3428 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3429 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3431 [ etherfilteropt-list ]
3433 pf-rule = action [ ( "in" | "out" ) ]
3436 [ hosts ] [ filteropt-list ]
3439 logopt = "all" | "matches" | "user" | "to" interface-name
3441 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3445 filteropt-list = filteropt-list filteropt | filteropt
3446 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3447 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3448 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3450 [ "(" state-opts ")" ] |
3451 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3452 "max-mss" number | "random-id" | "reassemble tcp" |
3453 fragmentation | "allow-opts" | "once" |
3455 "max-pkt-rate" number "/" seconds |
3457 "max-pkt-size" number |
3463 "binat-to" ( redirhost | "{" redirhost-list "}" )
3465 "rdr-to" ( redirhost | "{" redirhost-list "}" )
3467 "nat-to" ( redirhost | "{" redirhost-list "}" )
3468 [ portspec ] [ pooltype ] [ "static-port" ] |
3469 [ ! ] "received-on" ( interface-name | interface-group )
3471 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3474 [ "->" ( redirhost | "{" redirhost-list "}" )
3475 [ portspec ] [ pooltype ] [ "static-port" ]
3476 [ "map-e-portset" number "/" number "/" number ] ]
3478 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3479 [ "on" interface-name ] [ af ]
3480 [ "proto" ( proto-name | proto-number ) ]
3481 "from" address [ "/" mask-bits ] "to" ipspec
3483 [ "->" address [ "/" mask-bits ] ]
3485 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3488 [ "->" ( redirhost | "{" redirhost-list "}" )
3491 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3495 table-rule = "table" "<" string ">" [ tableopts-list ]
3496 tableopts-list = tableopts-list tableopts | tableopts
3498 "{" [ tableaddr-list ] "}"
3499 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3500 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3502 ipv4-dotted-quad | ipv6-coloned-hex
3504 altq-rule = "altq on" interface-name queueopts-list
3506 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3509 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3510 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3512 anchor-close = "}"
3514 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3517 load-anchor = "load anchor" string "from" filename
3519 queueopts-list = queueopts-list queueopts | queueopts
3520 queueopts = [ "bandwidth" bandwidth-spec ] |
3523 schedulers = ( cbq-def | priq-def | hfsc-def )
3524 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3528 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3529 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3530 "return-icmp6" [ "(" icmp6code ")" ]
3531 icmpcode = ( icmp-code-name | icmp-code-number )
3532 icmp6code = ( icmp6-code-name | icmp6-code-number )
3534 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3535 "{" interface-list "}"
3536 interface-list = [ "!" ] ( interface-name | interface-group )
3537 [ [ "," ] interface-list ]
3538 route = ( "route-to" | "reply-to" | "dup-to" )
3539 ( routehost | "{" routehost-list "}" )
3543 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3544 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3545 protospec = "proto" ( proto-name | proto-number |
3546 "{" proto-list "}" )
3547 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3553 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3554 "{" host-list "}" ) [ port ] [ os ]
3555 "to" ( "any" | "no-route" | "self" | host |
3556 "{" host-list "}" ) [ port ]
3558 ipspec = "any" | host | "{" host-list "}"
3559 host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
3560 redirhost = address [ "/" mask-bits ]
3561 routehost = "(" interface-name address [ "/" mask-bits ] ")"
3562 address = ( interface-name | interface-group |
3563 "(" ( interface-name | interface-group ) ")" |
3564 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3565 host-list = host [ [ "," ] host-list ]
3566 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3567 routehost-list = routehost [ [ "," ] routehost-list ]
3569 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3571 os = "os" ( os-name | "{" os-list "}" )
3572 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3573 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3575 unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
3577 binary-op = number ( "<>" | "><" | ":" ) number
3578 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3580 os-name = operating-system-name
3581 os-list = os-name [ [ "," ] os-list ]
3583 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3584 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3587 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3588 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3589 icmp-type-code = ( icmp-type-name | icmp-type-number )
3590 [ "code" ( icmp-code-name | icmp-code-number ) ]
3591 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3596 state-opts = state-opt [ [ "," ] state-opts ]
3597 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3598 "source-track" [ ( "rule" | "global" ) ] |
3599 "max-src-nodes" number | "max-src-states" number |
3600 "max-src-conn" number |
3601 "max-src-conn-rate" number "/" number |
3603 "if-bound" | "floating" | "pflow" )
3607 timeout-list = timeout [ [ "," ] timeout-list ]
3618 limit-list = limit-item [ [ "," ] limit-list ]
3619 limit-item = ( "states" | "frags" | "src-nodes" ) number
3622 "source-hash" [ ( hex-key | string-key ) ] |
3623 "round-robin" ) [ sticky-address | prefer-ipv6-nexthop ]
3625 subqueue = string | "{" queue-list "}"
3626 queue-list = string [ [ "," ] string ]
3627 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3628 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3629 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3630 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3631 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3632 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3633 linkshare-sc | realtime-sc | upperlimit-sc )
3634 linkshare-sc = "linkshare" sc-spec
3635 realtime-sc = "realtime" sc-spec
3636 upperlimit-sc = "upperlimit" sc-spec
3637 sc-spec = ( bandwidth-spec |
3638 "(" bandwidth-spec number bandwidth-spec ")" )
3642 .Bl -tag -width "/etc/protocols" -compact
3673 .Xr ftp-proxy 8 ,