
10 .\"    - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
53 rules with large numbers of source or destination addresses.
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
64 Translation rules specify how addresses are to be mapped or redirected to
65 other addresses.
67 Packet filtering provides rule-based blocking or passing of packets.
81 .Ar set require-order
91 .Bd -literal -offset indent
105 .Bd -literal -offset indent
112 Tables are named structures which can hold a collection of addresses and
143 .Bl -tag -width "manually"
159 statement, and are especially useful to define non-persistent tables.
160 The contents of a pre-existing table defined without a list of addresses
170 .Bl -tag -width counters
184 can be used to add or remove addresses from the table at any time, even
191 flag enables per-address packet and byte counters which can be displayed with
197 .Bd -literal -offset indent
205 A filter rule is set up to block all traffic coming from addresses listed in
209 Addresses may later be added to the badhosts table, so that traffic from
211 .Bd -literal -offset indent
212 # pfctl -t badhosts -Tadd 204.92.77.111
217 .Bd -literal -offset indent
226 list IP addresses, one per line.
232 resulting IPv4 and IPv6 addresses are placed into the table.
233 IP addresses can also be entered in a table by specifying a valid interface
236 keyword, in which case all addresses assigned to the interface(s) will be
243 .Bl -tag -width xxxx
246 .Bl -tag -width "src.track" -compact
264 .Bl -tag -width xxxx -compact
289 .Bl -tag -width xxxx -compact
305 .Bl -tag -width xxxx -compact
321 .Bl -tag -width xxxx -compact
330 .Bl -tag -width xxxx -compact
335 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
349 When used on a per-rule basis, the values relate to the number of
354 .Bd -literal -offset indent
367 .Bd -literal -offset indent
368 # pfctl -s info
374 .Bd -literal -offset indent
379 .Bd -literal -offset indent
389 .Bd -literal -offset indent
400 .Bd -literal -offset indent
411 .Bd -literal -offset indent
412 set limit src-nodes 2000
416 source IP addresses (generated by the
417 .Ar sticky-address
422 .Bd -literal -offset indent
423 set limit table-entries 100000
426 sets the limit on the overall number of addresses that can be stored
430 .Bd -literal -offset indent
431 set limit { states 20000, frags 20000, src-nodes 2000 }
433 .It Ar set ruleset-optimization
434 .Bl -tag -width xxxxxxxx -compact
443 .Bl -enum -compact
451 re-order the rules to improve evaluation performance
461 A side effect of the ruleset modification is that per-rule accounting
463 If per-rule accounting is important for billing purposes or whatnot,
467 Optimization can also be set as a command-line argument to
474 .Bl -tag -width xxxx -compact
478 .It Ar high-latency
479 A high-latency environment (such as a satellite connection).
482 .Ar high-latency .
495 .Bd -literal -offset indent
498 .It Ar set reassemble yes | no Op Cm no-df
507 .Cm no-df
509 .Dq dont-fragment
513 .Dq dont-fragment
518 This option is ignored if there are pre-FreeBSD 14
521 .It Ar set block-policy
523 .Ar block-policy
528 .Bl -tag -width xxxxxxxx -compact
539 .Bd -literal -offset indent
540 set block-policy return
542 .It Ar set fail-policy
544 .Ar fail-policy
547 This might happen when a nat or route-to rule uses an empty table as list
553 .Bl -tag -width xxxxxxxx -compact
564 .Bd -literal -offset indent
565 set fail-policy return
567 .It Ar set state-policy
569 .Ar state-policy
572 .Bl -tag -width group-bound -compact
573 .It Ar if-bound
580 .Bd -literal -offset indent
581 set state-policy if-bound
597 .Bl -tag -width adaptive -compact
604 is used up by half-open TCP connections, as in, those that saw the initial
607 .Bd -literal -offset indent
611 .It Ar set state-defaults
613 .Ar state-defaults
618 .Bd -literal -offset indent
619 set state-defaults no-sync
622 The 32-bit
628 By default the hostid is set to a pseudo-random value, however it may be
631 .Bd -literal -offset indent
636 .It Ar set require-order
648 There may be non-trivial and non-obvious implications to an out of
680 .Bl -tag -width xxxxxxxxxxxx -compact
713 .Bl -tag -width xxxx
733 .Bl -tag -width xxxx
757 .It Ar bridge-to Aq interface
771 MAC addresses.
774 Packets matching this rule will be assigned to the specified queue.
793 A packet is only ever assigned one tag at a time.
814 .Bl -tag -width xxxx
815 .It Ar no-df
817 .Ar dont-fragment
820 .Ar dont-fragment
825 .Ar dont-fragment
827 .Ar no-df
831 .Ar dont-fragment
834 .Ar dont-fragment
838 .Ar random-id
840 .Ar no-df
842 .It Ar min-ttl Aq Ar number
844 .It Ar max-mss Aq Ar number
846 .It Xo Ar set-tos Aq Ar string
867 .It Ar random-id
877 .Bl -tag -width timeout -compact
904 delayed for longer than it takes the connection to wrap its 32-bit sequence
924 .Bd -literal -offset indent
925 match in all scrub (no-df random-id max-mss 1440)
927 .Ss Scrub ruleset (pre-FreeBSD 14)
943 .Bl -tag -width xxxx
959 .Bd -literal -offset indent
988 Packets can be assigned to queues for the purpose of bandwidth
1009 .Bl -tag -width xxxx
1021 assigned.
1031 and is assigned its share of
1049 assigned, ranging from 0 to 15.
1066 assigned.
1072 supports both link-sharing and guaranteed real-time services.
1087 .Bl -tag -width xxxx
1133 should queue up to 5Mbps in four second-level queues using
1136 .Bd -literal -offset indent
1156 .Bl -tag -width xxxx
1198 .Bl -tag -width Fl
1200 Packets not matched by another queue are assigned to this one.
1220 .Bl -tag -width Fl
1229 .Bl -tag -width Fl
1245 controls the bandwidth assigned to the queue.
1266 Packets can be assigned to queues based on filter rules by using the
1290 .Bd -literal
1317 Packets can be assigned to queues and pipes using
1348 after any addresses and ports have been translated.
1358 .Bl -tag -width xxxx
1359 .It Ar af-to
1362 .Ar af-to
1366 .Ar af-to
1371 addresses are translated into for the destination.
1378 part is 32-bit long.
1387 .Bd -literal -offset indent
1388 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1389 pass in inet af-to inet6 from 2001:db8::1
1398 .Bd -literal -offset indent
1399 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1401 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1409 The current implementation will only extract IPv4 addresses from the
1410 IPv6 addresses with a prefix length of /96 and greater.
1413 .Ar binat-to
1417 .Ar nat-to
1419 .Ar rdr-to
1421 .It Ar nat-to
1423 .Ar nat-to
1424 option specifies that IP addresses are to be changed as the packet
1426 This technique allows one or more IP addresses
1432 .Bd -literal -offset indent
1433 10.0.0.0 - 10.255.255.255 (all of net 10.0.0.0, i.e., 10.0.0.0/8)
1434 172.16.0.0 - 172.31.255.255 (i.e., 172.16.0.0/12)
1435 192.168.0.0 - 192.168.255.255 (i.e., 192.168.0.0/16)
1438 .Ar nat-to
1440 If applied inbound, nat-to to a local IP address is not supported.
1441 .It Pa rdr-to
1444 .Ar rdr-to
1447 .Bd -literal -offset indent
1448 match in ... port 2000:2999 rdr-to ... port 4000
1451 .Bd -literal -offset indent
1452 match in ... port 2000:2999 rdr-to ... port 4000:*
1457 .Ar rdr-to
1459 If applied outbound, rdr-to to a local IP address is not supported.
1466 .Ar nat-to
1468 .Ar rdr-to
1471 .Ar rdr-to
1474 A random source port in the range 50001-65535 is chosen in this case; to
1480 .Ar binat-to
1485 .Bd -literal -offset indent
1487 rdr-to 127.0.0.1 port spamd
1493 Unless this effect is desired, any of the local non-loopback addresses
1501 .Ss NAT ruleset (pre-FreeBSD 15)
1510 addresses and ports have been translated.
1529 .Ar binat-to ,
1530 .Ar nat-to
1532 .Ar rdr-to
1591 assigned to queues for the purpose of bandwidth control.
1608 .Bl -tag -width xxxx
1618 .Ar block-policy
1619 option, or on a per-rule basis with one of the following options:
1621 .Bl -tag -width xxxx -compact
1624 .It Ar return-rst
1629 .It Ar return-icmp
1630 .It Ar return-icmp6
1649 .Bd -literal -offset indent
1665 .Ar nat-to ,
1666 .Ar binat-to ,
1667 .Ar rdr-to ,
1705 .Bd -literal -offset indent
1706 pass out inet proto icmp all icmp-type echoreq
1731 UDP packets are matched to states using only host addresses and ports,
1732 and other protocols are matched to states using only the host addresses.
1754 .Bl -tag -width xxxx
1862 addresses and ports.
1864 Addresses can be specified in CIDR notation (matching netblocks), as
1868 .Bl -tag -width xxxxxxxxxxxxxx -compact
1871 .It Ar no-route
1873 .It Ar urpf-failed
1878 Expands to all addresses assigned to all interfaces.
1883 Ranges of addresses are specified by using the
1884 .Sq -
1887 .Dq 10.1.1.10 - 10.1.1.12
1888 means all addresses from 10.1.1.10 to 10.1.1.12,
1889 hence addresses 10.1.1.10, 10.1.1.11, and 10.1.1.12.
1895 .Bl -tag -width xxxxxxxxxxxx -compact
1901 Translates to the point-to-point interface's peer address(es).
1909 v4 and non-link-local v6 address found.
1912 ruleset load-time.
1933 .Bd -literal -offset indent
1951 .Bl -tag -width Fl
1963 hence ports 1-1999 and 2005-65535.
1975 .Bd -literal -offset indent
2037 .Bd -literal -offset indent
2058 .Bl -tag -width Fl
2080 .Pq non-SYN
2090 .Ar af-to ,
2100 .It Xo Ar icmp-type Aq Ar type
2103 .It Xo Ar icmp6-type Aq Ar type
2116 .Ar icmp-type
2118 .Ar icmp6-type
2144 .Bd -literal -offset indent
2149 .It Ar allow-opts
2153 .Ar allow-opts
2167 pfctl -s labels
2168 shows per-rule statistics for rules that have labels.
2172 .Bl -tag -width $srcaddr -compact -offset indent
2190 .Bd -literal -offset indent
2197 .Bd -literal -offset indent
2214 Packets matching this rule will be assigned to the specified queue.
2219 and TCP ACKs with no data payload will be assigned to the second one.
2225 .Bd -literal -offset indent
2230 Packets matching this rule will be assigned a specific queueing priority.
2231 Priorities are assigned as integers 0 through 7.
2238 and TCP ACKs with no data payload will be assigned to the second one.
2241 .Bd -literal -offset indent
2245 .It Oo Cm \&! Oc Ns Cm received-on Ar interface
2265 A packet is only ever assigned one tag at a time.
2281 .It Xo Ar divert-to Aq Ar host
2295 If a packet is re-injected and does not change direction then it will not be
2296 re-diverted.
2297 .It Ar divert-reply
2306 .Bd -literal -offset indent
2310 Only match packets which have the given queueing priority assigned.
2317 .Bl -tag -width xxxx
2318 .It Ar route-to
2320 .Ar route-to
2324 .Ar route-to
2329 .It Ar reply-to
2331 .Ar reply-to
2333 .Ar route-to ,
2337 .Ar reply-to
2342 .It Ar dup-to
2344 .Ar dup-to
2346 .Ar route-to .
2355 .Ar route-to ,
2356 .Ar reply-to
2358 .Ar dup-to
2363 .Bl -tag -width xxxx
2375 option selects an address at random within the defined block of addresses.
2376 .It Ar source-hash
2378 .Ar source-hash
2384 randomly generates a key for source-hash every time the
2386 .It Ar round-robin
2388 .Ar round-robin
2394 .It Ar static-port
2398 .Ar static-port
2402 .It Xo Ar map-e-portset Aq Ar psid-offset
2403 .No / Aq Ar psid-len
2409 .Ar map-e-portset
2410 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2411 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2413 to the map-e-portset nat rule.
2416 .Bd -literal -offset indent
2418 -> $ipv4_mape_src map-e-portset 6/8/0x34
2422 .It Ar endpoint-independent
2426 .Ar endpoint-independent
2431 This feature implements "full-cone" NAT behavior.
2435 .Ar sticky-address
2441 .Ar round-robin
2469 .Bd -literal -offset indent
2512 completed the handshake, hence so-called SYN floods with spoofed source
2513 addresses will not reach the passive endpoint, as the sender can't complete the
2535 .Bd -literal -offset indent
2540 per-rule basis.
2549 .Bl -tag -width xxxx -compact
2554 .It Ar no-sync
2576 .It Ar allow-related
2583 .Bd -literal -offset indent
2586 (max 100, source-track rule, max-src-nodes 75, \e
2587 max-src-states 3, tcp.established 60, tcp.closing 5)
2591 .Ar source-track
2594 .Bl -tag -width xxxx -compact
2595 .It Ar source-track rule
2597 .Ar max-src-nodes
2599 .Ar max-src-states
2603 .It Ar source-track global
2606 .Ar max-src-nodes
2608 .Ar max-src-states
2615 .Bl -tag -width xxxx -compact
2616 .It Ar max-src-nodes Aq Ar number
2617 Limits the maximum number of source addresses which can simultaneously
2619 .It Ar max-src-states Aq Ar number
2625 which have completed the TCP 3-way handshake) can also be enforced
2628 .Bl -tag -width xxxx -compact
2629 .It Ar max-src-conn Aq Ar number
2631 completed the 3-way handshake that a single host can make.
2632 .It Xo Ar max-src-conn-rate Aq Ar number
2642 Because the 3-way handshake ensures that the source address is not being
2646 state option, source IP addresses which hit either of the limits on
2669 .Bd -literal -offset indent
2672 (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
2703 .Ar no-df
2706 .Dl \&"OpenBSD 3.3 no-df\&"
2715 .Dl # pfctl -so
2728 .Bd -literal -offset indent
2748 "Spoofing" is the faking of IP addresses, typically for malicious
2758 .Bd -literal -offset indent
2763 .Bd -literal -offset indent
2768 For non-loopback interfaces, there are additional rules to block incoming
2773 .Bd -literal -offset indent
2778 .Bd -literal -offset indent
2786 to local addresses.
2829 .Bd -literal -offset indent
2841 source or destination addresses or protocols as parameters in
2892 .Bl -tag -width xxxx
2893 .It Ar nat-anchor Aq Ar name
2898 .It Ar rdr-anchor Aq Ar name
2903 .It Ar binat-anchor Aq Ar name
2956 .Bd -literal -offset indent
2970 .Bd -literal -offset indent
2972 pfctl -a spam -f -
2984 .Bd -literal -offset indent
2986 load anchor spam from "/etc/pf-spam.conf"
2994 .Pa /etc/pf-spam.conf
3005 .Bd -literal -offset indent
3018 .Bd -literal -offset indent
3020 pfctl -a spam -f -
3030 .Bd -literal -offset indent
3050 .Bd -literal -offset indent
3051 # echo ' anchor "spam/allowed" ' | pfctl -f -
3052 # echo -e ' anchor "../banned" \en pass' | \e
3053 pfctl -a spam/allowed -f -
3068 Brace delimited blocks may contain rules or other brace-delimited blocks.
3070 .Bd -literal -offset indent
3098 .Bd -literal -offset indent
3104 rdr-to 127.0.0.1 port 8080
3113 .Bd -literal -offset indent
3115 rdr-to 127.0.0.1 port 8080
3126 .Bd -literal -offset indent
3127 match out on ! vlan12 from 192.168.168.0/24 to any nat-to 204.92.77.111
3133 .Xr ftp-proxy 8 ,
3136 .Xr ftp-proxy 8
3138 .Xr ftp-proxy 8
3140 .Bd -literal -offset indent
3142 # Translate outgoing packets' source addresses (any protocol).
3144 pass out on $ext_if inet from ! ($ext_if) to any nat-to ($ext_if)
3147 # Map outgoing packets' source port to an assigned proxy port instead of
3151 nat-to ($ext_if) port 500
3157 pass on $ext_if from 10.1.2.150 to any binat-to $ext_if
3161 pass on $peer_if from 172.21.16.0/20 to any binat-to 172.22.16.0/20
3164 # Translate incoming packets' destination addresses.
3167 rdr-to 10.1.2.151 port 22
3169 rdr-to 10.1.2.151 port 53
3173 # for proxying with ftp-proxy(8) running on port 8021.
3175 rdr-to 127.0.0.1 port 8021
3178 In this example, a NAT gateway is set up to translate internal addresses
3179 using a pool of public addresses (192.0.2.16/28) and to redirect
3182 .Bd -literal -offset indent
3184 # Translate outgoing packets' source addresses using an address pool.
3186 # using the source-hash keyword.
3187 pass out on $ext_if inet from any to any nat-to 192.0.2.16/28 source-hash
3193 rdr-to { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3201 .Bd -literal -offset indent
3204 nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
3209 .Bd -literal -offset indent
3214 -> 127.0.0.1 port 80
3217 .Bd -literal -offset indent
3232 block in from no-route to any
3236 block in from urpf-failed to any
3247 # addresses, they are either spoofed or misconfigured, we cannot reply to
3248 # them anyway (hence, no return-rst).
3255 # state matching is done on host addresses and ICMP id (not type/code),
3259 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3308 tag SPAMD -> 127.0.0.1 port spamd
3315 translates an internal IPv4 subnet to IPv6 using the well-known
3317 .Bd -literal -offset 4n
3318 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3324 .Bd -literal -offset 4n
3325 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3331 .Bd -literal
3332 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3333 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3334 trans-anchors | anchor-rule | anchor-close | load-anchor |
3335 table-rule | include )
3337 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3338 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3340 "high-latency" | "satellite" |
3342 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3343 [ "loginterface" ( interface-name | "none" ) ] |
3344 [ "block-policy" ( "drop" | "return" ) ] |
3345 [ "state-policy" ( "if-bound" | "floating" ) ] |
3346 [ "state-defaults" state-opts ] |
3347 [ "require-order" ( "yes" | "no" ) ] |
3353 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3354 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3356 [ etherfilteropt-list ]
3358 pf-rule = action [ ( "in" | "out" ) ]
3361 [ hosts ] [ filteropt-list ]
3364 logopt = "all" | "matches" | "user" | "to" interface-name
3366 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3370 filteropt-list = filteropt-list filteropt | filteropt
3371 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3372 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3373 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3375 [ "(" state-opts ")" ] |
3376 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3377 "max-mss" number | "random-id" | "reassemble tcp" |
3378 fragmentation | "allow-opts" |
3386 [ ! ] "received-on" ( interface-name | interface-group )
3388 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3391 [ "->" ( redirhost | "{" redirhost-list "}" )
3392 [ portspec ] [ pooltype ] [ "static-port" ]
3393 [ "map-e-portset" number "/" number "/" number ] ]
3395 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3396 [ "on" interface-name ] [ af ]
3397 [ "proto" ( proto-name | proto-number ) ]
3398 "from" address [ "/" mask-bits ] "to" ipspec
3400 [ "->" address [ "/" mask-bits ] ]
3402 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3405 [ "->" ( redirhost | "{" redirhost-list "}" )
3408 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3412 table-rule = "table" "<" string ">" [ tableopts-list ]
3413 tableopts-list = tableopts-list tableopts | tableopts
3415 "{" [ tableaddr-list ] "}"
3416 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3417 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3419 ipv4-dotted-quad | ipv6-coloned-hex
3421 altq-rule = "altq on" interface-name queueopts-list
3423 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3426 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3427 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3429 anchor-close = "}"
3431 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3434 load-anchor = "load anchor" string "from" filename
3436 queueopts-list = queueopts-list queueopts | queueopts
3437 queueopts = [ "bandwidth" bandwidth-spec ] |
3440 schedulers = ( cbq-def | priq-def | hfsc-def )
3441 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3445 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3446 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3447 "return-icmp6" [ "(" icmp6code ")" ]
3448 icmpcode = ( icmp-code-name | icmp-code-number )
3449 icmp6code = ( icmp6-code-name | icmp6-code-number )
3451 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3452 "{" interface-list "}"
3453 interface-list = [ "!" ] ( interface-name | interface-group )
3454 [ [ "," ] interface-list ]
3455 route = ( "route-to" | "reply-to" | "dup-to" )
3456 ( routehost | "{" routehost-list "}" )
3460 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3461 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3462 protospec = "proto" ( proto-name | proto-number |
3463 "{" proto-list "}" )
3464 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3470 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3471 "{" host-list "}" ) [ port ] [ os ]
3472 "to" ( "any" | "no-route" | "self" | host |
3473 "{" host-list "}" ) [ port ]
3475 ipspec = "any" | host | "{" host-list "}"
3476 host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
3477 redirhost = address [ "/" mask-bits ]
3478 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
3479 address = ( interface-name | interface-group |
3480 "(" ( interface-name | interface-group ) ")" |
3481 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3482 host-list = host [ [ "," ] host-list ]
3483 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3484 routehost-list = routehost [ [ "," ] routehost-list ]
3486 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3488 os = "os" ( os-name | "{" os-list "}" )
3489 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3490 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3492 unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
3494 binary-op = number ( "<>" | "><" | ":" ) number
3495 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3497 os-name = operating-system-name
3498 os-list = os-name [ [ "," ] os-list ]
3500 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3501 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3504 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3505 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3506 icmp-type-code = ( icmp-type-name | icmp-type-number )
3507 [ "code" ( icmp-code-name | icmp-code-number ) ]
3508 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3513 state-opts = state-opt [ [ "," ] state-opts ]
3514 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3515 "source-track" [ ( "rule" | "global" ) ] |
3516 "max-src-nodes" number | "max-src-states" number |
3517 "max-src-conn" number |
3518 "max-src-conn-rate" number "/" number |
3520 "if-bound" | "floating" | "pflow" )
3524 timeout-list = timeout [ [ "," ] timeout-list ]
3535 limit-list = limit-item [ [ "," ] limit-list ]
3536 limit-item = ( "states" | "frags" | "src-nodes" ) number
3539 "source-hash" [ ( hex-key | string-key ) ] |
3540 "round-robin" ) [ sticky-address ]
3542 subqueue = string | "{" queue-list "}"
3543 queue-list = string [ [ "," ] string ]
3544 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3545 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3546 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3547 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3548 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3549 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3550 linkshare-sc | realtime-sc | upperlimit-sc )
3551 linkshare-sc = "linkshare" sc-spec
3552 realtime-sc = "realtime" sc-spec
3553 upperlimit-sc = "upperlimit" sc-spec
3554 sc-spec = ( bandwidth-spec |
3555 "(" bandwidth-spec number bandwidth-spec ")" )
3559 .Bl -tag -width "/etc/protocols" -compact
3590 .Xr ftp-proxy 8 ,