Lines Matching +full:conf +full:- +full:rst
1 .\" $OpenBSD: pf.conf.5,v 1.406 2009/01/31 19:37:12 sobrado Exp $
10 .\" - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
34 .Nm pf.conf
41 .Nm pf.conf .
44 .Nm pf.conf :
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
50 .Nm pf.conf .
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
75 .Nm pf.conf
81 .Ar set require-order
91 .Bd -literal -offset indent
92 include "/etc/pf/sub.filter.conf"
105 .Bd -literal -offset indent
136 .Ar round-robin
143 .Bl -tag -width "manually"
152 .It Pa pf.conf
156 .Nm pf.conf
159 statement, and are especially useful to define non-persistent tables.
160 The contents of a pre-existing table defined without a list of addresses
162 .Nm pf.conf
170 .Bl -tag -width persist
191 flag enables per-address packet and byte counters which can be displayed with
197 .Bd -literal -offset indent
211 .Bd -literal -offset indent
212 # pfctl -t badhosts -Tadd 204.92.77.111
217 .Bd -literal -offset indent
243 .Bl -tag -width xxxx
246 .Bl -tag -width "src.track" -compact
264 .Bl -tag -width xxxx -compact
283 The state after one endpoint sends an RST.
288 .Bl -tag -width xxxx -compact
304 .Bl -tag -width xxxx -compact
320 .Bl -tag -width xxxx -compact
329 .Bl -tag -width xxxx -compact
334 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
348 When used on a per-rule basis, the values relate to the number of
353 .Bd -literal -offset indent
366 .Bd -literal -offset indent
367 # pfctl -s info
373 .Bd -literal -offset indent
378 .Bd -literal -offset indent
388 .Bd -literal -offset indent
399 .Bd -literal -offset indent
410 .Bd -literal -offset indent
411 set limit src-nodes 2000
416 .Ar sticky-address
421 .Bd -literal -offset indent
422 set limit table-entries 100000
429 .Bd -literal -offset indent
430 set limit { states 20000, frags 20000, src-nodes 2000 }
432 .It Ar set ruleset-optimization
433 .Bl -tag -width xxxxxxxx -compact
442 .Bl -enum -compact
450 re-order the rules to improve evaluation performance
460 A side effect of the ruleset modification is that per-rule accounting
462 If per-rule accounting is important for billing purposes or whatnot,
466 Optimization can also be set as a command-line argument to
473 .Bl -tag -width xxxx -compact
477 .It Ar high-latency
478 A high-latency environment (such as a satellite connection).
481 .Ar high-latency .
494 .Bd -literal -offset indent
497 .It Ar set reassemble yes | no Op Cm no-df
506 .Cm no-df
508 .Dq dont-fragment
512 .Dq dont-fragment
517 This option is ignored if there are pre-FreeBSD 14
520 .It Ar set block-policy
522 .Ar block-policy
527 .Bl -tag -width xxxxxxxx -compact
531 A TCP RST is returned for blocked TCP packets,
538 .Bd -literal -offset indent
539 set block-policy return
541 .It Ar set fail-policy
543 .Ar fail-policy
546 This might happen when a nat or route-to rule uses an empty table as list
552 .Bl -tag -width xxxxxxxx -compact
556 Incoming packet is dropped and TCP RST is returned for TCP packets,
563 .Bd -literal -offset indent
564 set fail-policy return
566 .It Ar set state-policy
568 .Ar state-policy
571 .Bl -tag -width group-bound -compact
572 .It Ar if-bound
579 .Bd -literal -offset indent
580 set state-policy if-bound
596 .Bl -tag -width adaptive -compact
603 is used up by half-open TCP connections, as in, those that saw the initial
606 .Bd -literal -offset indent
610 .It Ar set state-defaults
612 .Ar state-defaults
617 .Bd -literal -offset indent
618 set state-defaults no-sync
621 The 32-bit
627 By default the hostid is set to a pseudo-random value, however it may be
630 .Bd -literal -offset indent
635 .It Ar set require-order
647 There may be non-trivial and non-obvious implications to an out of
679 .Bl -tag -width xxxxxxxxxxxx -compact
712 .Bl -tag -width xxxx
729 .Bl -tag -width xxxx
751 .It Ar bridge-to Aq interface
808 .Bl -tag -width xxxx
809 .It Ar no-df
811 .Ar dont-fragment
814 .Ar dont-fragment
819 .Ar dont-fragment
821 .Ar no-df
825 .Ar dont-fragment
828 .Ar dont-fragment
832 .Ar random-id
834 .Ar no-df
836 .It Ar min-ttl Aq Ar number
838 .It Ar max-mss Aq Ar number
840 .It Xo Ar set-tos Aq Ar string
861 .It Ar random-id
871 .Bl -tag -width timeout -compact
898 delayed for longer than it takes the connection to wrap its 32-bit sequence
918 .Bd -literal -offset indent
919 match in all scrub (no-df random-id max-mss 1440)
921 .Ss Scrub ruleset (pre-FreeBSD 14)
937 .Bl -tag -width xxxx
953 .Bd -literal -offset indent
987 .Nm pf.conf ,
994 rules it specifies where any resulting ICMP or TCP RST
1003 .Bl -tag -width xxxx
1066 supports both link-sharing and guaranteed real-time services.
1081 .Bl -tag -width xxxx
1127 should queue up to 5Mbps in four second-level queues using
1130 .Bd -literal -offset indent
1150 .Bl -tag -width xxxx
1192 .Bl -tag -width Fl
1214 .Bl -tag -width Fl
1223 .Bl -tag -width Fl
1284 .Bd -literal
1337 .Nm pf.conf .
1363 .Bl -tag -width xxxx
1364 .It Ar af-to
1367 .Ar af-to
1371 .Ar af-to
1383 part is 32-bit long.
1392 .Bd -literal -offset indent
1393 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1394 pass in inet af-to inet6 from 2001:db8::1
1403 .Bd -literal -offset indent
1404 pass in inet6 af-to inet from 198.51.100.1 to 0.0.0.0/0
1405 pass in inet6 af-to inet from 198.51.100.1
1430 .Bd -literal
1431 10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8)
1432 172.16.0.0 - 172.31.255.255 (i.e., 172.16/12)
1433 192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
1440 rdr ... port 2000:2999 -\*(Gt ... port 4000
1442 rdr ... port 2000:2999 -\*(Gt ... port 4000:*
1460 A random source port in the range 50001-65535 is chosen in this case; to
1504 .Bd -literal -offset indent
1505 rdr on ne3 inet proto tcp to port smtp -\*(Gt 127.0.0.1 port spamd
1511 Unless this effect is desired, any of the local non-loopback addresses
1556 .Bl -tag -width xxxx
1566 .Ar block-policy
1567 option, or on a per-rule basis with one of the following options:
1569 .Bl -tag -width xxxx -compact
1572 .It Ar return-rst
1575 packets, and issues a TCP RST which closes the
1577 .It Ar return-icmp
1578 .It Ar return-icmp6
1583 This causes a TCP RST to be returned for
1597 .Bd -literal -offset indent
1650 .Bd -literal -offset indent
1651 pass out inet proto icmp all icmp-type echoreq
1703 .Bl -tag -width xxxx
1803 .Bl -tag -width xxxxxxxxxxxxxx -compact
1806 .It Ar no-route
1808 .It Ar urpf-failed
1817 .Sq -
1820 .Dq 10.1.1.10 - 10.1.1.12
1826 .Bl -tag -width xxxxxxxxxxxx -compact
1832 Translates to the point-to-point interface's peer address(es).
1840 v4 and non-link-local v6 address found.
1843 ruleset load-time.
1864 .Bd -literal -offset indent
1882 .Bl -tag -width Fl
1894 hence ports 1-1999 and 2005-65535.
1906 .Bd -literal -offset indent
1968 .Bd -literal -offset indent
1989 .Bl -tag -width Fl
1996 SYN, SYN+PSH and SYN+RST match, but SYN+ACK, ACK and ACK+RST do not.
2000 All of SYN, FIN, RST and ACK must be unset.
2011 .Pq non-SYN
2021 .Ar af-to,
2031 .It Xo Ar icmp-type Aq Ar type
2034 .It Xo Ar icmp6-type Aq Ar type
2047 .Ar icmp-type
2049 .Ar icmp6-type
2075 .Bd -literal -offset indent
2080 .It Ar allow-opts
2084 .Ar allow-opts
2098 pfctl -s labels
2099 shows per-rule statistics for rules that have labels.
2103 .Bl -tag -width $srcaddr -compact -offset indent
2121 .Bd -literal -offset indent
2128 .Bd -literal -offset indent
2156 .Bd -literal -offset indent
2172 .Bd -literal -offset indent
2176 .It Ar received-on Aq Ar interface
2216 .It Xo Ar divert-to Aq Ar host
2230 If a packet is re-injected and does not change direction then it will not be
2231 re-diverted.
2232 .It Ar divert-reply
2241 .Bd -literal -offset indent
2252 .Bl -tag -width xxxx
2253 .It Ar route-to
2255 .Ar route-to
2259 .Ar route-to
2264 .It Ar reply-to
2266 .Ar reply-to
2268 .Ar route-to ,
2272 .Ar reply-to
2277 .It Ar dup-to
2279 .Ar dup-to
2281 .Ar route-to .
2290 .Ar route-to ,
2291 .Ar reply-to
2293 .Ar dup-to
2298 .Bl -tag -width xxxx
2311 .It Ar source-hash
2313 .Ar source-hash
2319 randomly generates a key for source-hash every time the
2321 .It Ar round-robin
2323 .Ar round-robin
2327 .Ar round-robin
2329 .It Ar static-port
2333 .Ar static-port
2337 .It Xo Ar map-e-portset Aq Ar psid-offset
2338 .No / Aq Ar psid-len
2344 .It Ar endpoint-independent
2348 .Ar endpoint-independent
2353 This feature implements "full-cone" NAT behavior.
2354 .Ar map-e-portset
2355 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2356 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2358 to the map-e-portset nat rule.
2361 .Bd -literal -offset indent
2363 -> $ipv4_mape_src map-e-portset 6/8/0x34
2370 .Ar sticky-address
2376 .Ar round-robin
2404 .Bd -literal -offset indent
2447 completed the handshake, hence so-called SYN floods with spoofed source
2470 .Bd -literal -offset indent
2475 per-rule basis.
2484 .Bl -tag -width xxxx -compact
2489 .It Ar no-sync
2514 .Bd -literal -offset indent
2517 (max 100, source-track rule, max-src-nodes 75, \e
2518 max-src-states 3, tcp.established 60, tcp.closing 5)
2522 .Ar source-track
2525 .Bl -tag -width xxxx -compact
2526 .It Ar source-track rule
2528 .Ar max-src-nodes
2530 .Ar max-src-states
2534 .It Ar source-track global
2537 .Ar max-src-nodes
2539 .Ar max-src-states
2546 .Bl -tag -width xxxx -compact
2547 .It Ar max-src-nodes Aq Ar number
2550 .It Ar max-src-states Aq Ar number
2556 which have completed the TCP 3-way handshake) can also be enforced
2559 .Bl -tag -width xxxx -compact
2560 .It Ar max-src-conn Aq Ar number
2562 completed the 3-way handshake that a single host can make.
2563 .It Xo Ar max-src-conn-rate Aq Ar number
2573 Because the 3-way handshake ensures that the source address is not being
2600 .Bd -literal -offset indent
2603 (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global)
2634 .Ar no-df
2637 .Dl \&"OpenBSD 3.3 no-df\&"
2646 .Dl # pfctl -so
2659 .Bd -literal -offset indent
2689 .Bd -literal -offset indent
2694 .Bd -literal -offset indent
2699 For non-loopback interfaces, there are additional rules to block incoming
2704 .Bd -literal -offset indent
2709 .Bd -literal -offset indent
2760 .Bd -literal -offset indent
2823 .Bl -tag -width xxxx
2824 .It Ar nat-anchor Aq Ar name
2829 .It Ar rdr-anchor Aq Ar name
2834 .It Ar binat-anchor Aq Ar name
2887 .Bd -literal -offset indent
2901 .Bd -literal -offset indent
2903 pfctl -a spam -f -
2915 .Bd -literal -offset indent
2917 load anchor spam from "/etc/pf-spam.conf"
2923 .Nm pf.conf ,
2925 .Pa /etc/pf-spam.conf
2936 .Bd -literal -offset indent
2949 .Bd -literal -offset indent
2951 pfctl -a spam -f -
2961 .Bd -literal -offset indent
2981 .Bd -literal -offset indent
2982 # echo ' anchor "spam/allowed" ' | pfctl -f -
2983 # echo -e ' anchor "../banned" \en pass' | \e
2984 pfctl -a spam/allowed -f -
2999 Brace delimited blocks may contain rules or other brace-delimited blocks.
3001 .Bd -literal -offset indent
3029 .Bd -literal
3034 rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080
3041 .Bd -literal
3042 rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e
3054 .Bd -literal
3055 nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111
3063 .Bd -literal
3066 nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100
3071 .Bd -literal
3075 rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e
3082 .Xr ftp-proxy 8 ,
3085 .Xr ftp-proxy 8
3087 .Xr ftp-proxy 8
3089 .Bd -literal
3093 nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if)
3099 nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e
3106 binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if
3110 binat on $peer_if from 172.21.16.0/20 to any -> 172.22.16.0/20
3116 -\*(Gt 10.1.2.151 port 22
3118 -\*(Gt 10.1.2.151 port 53
3122 # for proxying with ftp-proxy(8) running on port 8021.
3123 rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021
3130 .Bd -literal
3134 # using the source-hash keyword.
3135 nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash
3141 -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3144 .Bd -literal
3159 block in from no-route to any
3163 block in from urpf-failed to any
3175 # them anyway (hence, no return-rst).
3186 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3235 tag SPAMD -\*(Gt 127.0.0.1 port spamd
3242 translates an internal IPv4 subnet to IPv6 using the well-known
3244 .Bd -literal -offset 4n
3245 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3251 .Bd -literal -offset 4n
3252 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3258 .Bd -literal
3259 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3260 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3261 trans-anchors | anchor-rule | anchor-close | load-anchor |
3262 table-rule | include )
3264 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3265 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3267 "high-latency" | "satellite" |
3269 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3270 [ "loginterface" ( interface-name | "none" ) ] |
3271 [ "block-policy" ( "drop" | "return" ) ] |
3272 [ "state-policy" ( "if-bound" | "floating" ) ]
3273 [ "state-defaults" state-opts ]
3274 [ "require-order" ( "yes" | "no" ) ]
3280 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3281 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3283 [ etherfilteropt-list ]
3285 pf-rule = action [ ( "in" | "out" ) ]
3288 hosts [ filteropt-list ]
3291 logopt = "all" | "matches" | "user" | "to" interface-name
3293 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3297 filteropt-list = filteropt-list filteropt | filteropt
3298 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3299 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3300 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3302 [ "(" state-opts ")" ] |
3303 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3304 "max-mss" number | "random-id" | "reassemble tcp" |
3305 fragmentation | "allow-opts" |
3313 "received-on" ( interface-name | interface-group )
3315 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3318 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
3319 [ portspec ] [ pooltype ] [ "static-port" ]
3320 [ "map-e-portset" number "/" number "/" number ] ]
3322 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3323 [ "on" interface-name ] [ af ]
3324 [ "proto" ( proto-name | proto-number ) ]
3325 "from" address [ "/" mask-bits ] "to" ipspec
3327 [ "-\*(Gt" address [ "/" mask-bits ] ]
3329 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3332 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
3335 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3339 table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
3340 tableopts-list = tableopts-list tableopts | tableopts
3342 "{" [ tableaddr-list ] "}"
3343 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3344 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3346 ipv4-dotted-quad | ipv6-coloned-hex
3348 altq-rule = "altq on" interface-name queueopts-list
3350 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3353 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3354 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3356 anchor-close = "}"
3358 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3361 load-anchor = "load anchor" string "from" filename
3363 queueopts-list = queueopts-list queueopts | queueopts
3364 queueopts = [ "bandwidth" bandwidth-spec ] |
3367 schedulers = ( cbq-def | priq-def | hfsc-def )
3368 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3372 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3373 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3374 "return-icmp6" [ "(" icmp6code ")" ]
3375 icmpcode = ( icmp-code-name | icmp-code-number )
3376 icmp6code = ( icmp6-code-name | icmp6-code-number )
3378 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3379 "{" interface-list "}"
3380 interface-list = [ "!" ] ( interface-name | interface-group )
3381 [ [ "," ] interface-list ]
3382 route = ( "route-to" | "reply-to" | "dup-to" )
3383 ( routehost | "{" routehost-list "}" )
3387 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3388 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3389 protospec = "proto" ( proto-name | proto-number |
3390 "{" proto-list "}" )
3391 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3397 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3398 "{" host-list "}" ) [ port ] [ os ]
3399 "to" ( "any" | "no-route" | "self" | host |
3400 "{" host-list "}" ) [ port ]
3402 ipspec = "any" | host | "{" host-list "}"
3403 host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
3404 redirhost = address [ "/" mask-bits ]
3405 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
3406 address = ( interface-name | interface-group |
3407 "(" ( interface-name | interface-group ) ")" |
3408 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3409 host-list = host [ [ "," ] host-list ]
3410 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3411 routehost-list = routehost [ [ "," ] routehost-list ]
3413 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3415 os = "os" ( os-name | "{" os-list "}" )
3416 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3417 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3419 unary-op = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ]
3421 binary-op = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number
3422 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3424 os-name = operating-system-name
3425 os-list = os-name [ [ "," ] os-list ]
3427 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3428 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3431 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3432 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3433 icmp-type-code = ( icmp-type-name | icmp-type-number )
3434 [ "code" ( icmp-code-name | icmp-code-number ) ]
3435 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3440 state-opts = state-opt [ [ "," ] state-opts ]
3441 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3442 "source-track" [ ( "rule" | "global" ) ] |
3443 "max-src-nodes" number | "max-src-states" number |
3444 "max-src-conn" number |
3445 "max-src-conn-rate" number "/" number |
3447 "if-bound" | "floating" | "pflow" )
3451 timeout-list = timeout [ [ "," ] timeout-list ]
3462 limit-list = limit-item [ [ "," ] limit-list ]
3463 limit-item = ( "states" | "frags" | "src-nodes" ) number
3466 "source-hash" [ ( hex-key | string-key ) ] |
3467 "round-robin" ) [ sticky-address ]
3469 subqueue = string | "{" queue-list "}"
3470 queue-list = string [ [ "," ] string ]
3471 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3472 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3473 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3474 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3475 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3476 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3477 linkshare-sc | realtime-sc | upperlimit-sc )
3478 linkshare-sc = "linkshare" sc-spec
3479 realtime-sc = "realtime" sc-spec
3480 upperlimit-sc = "upperlimit" sc-spec
3481 sc-spec = ( bandwidth-spec |
3482 "(" bandwidth-spec number bandwidth-spec ")" )
3486 .Bl -tag -width "/etc/protocols" -compact
3489 .It Pa /etc/pf.conf
3517 .Xr ftp-proxy 8 ,