Lines Matching +full:eth +full:- +full:ck
10 .\" - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
81 .Ar set require-order
91 .Bd -literal -offset indent
113 .Bd -literal -offset indent
120 srv_lan_range = "'198.51.100.0 - 198.51.100.255'"
122 nat on $ext_if from $nat_ranges to any -> ($ext_if)
156 .Bl -tag -width "manually"
172 statement, and are especially useful to define non-persistent tables.
173 The contents of a pre-existing table defined without a list of addresses
183 .Bl -tag -width counters
204 flag enables per-address packet and byte counters which can be displayed with
210 .Bd -literal -offset indent
224 .Bd -literal -offset indent
225 # pfctl -t badhosts -Tadd 204.92.77.111
230 .Bd -literal -offset indent
256 .Bl -tag -width xxxx
259 .Bl -tag -width "src.track" -compact
281 .Bl -tag -width xxxx -compact
309 .Bl -tag -width xxxx -compact
325 .Bl -tag -width xxxx -compact
341 .Bl -tag -width xxxx -compact
350 .Bl -tag -width xxxx -compact
355 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
369 When used on a per-rule basis, the values relate to the number of
374 .Bd -literal -offset indent
387 .Bd -literal -offset indent
388 # pfctl -s info
394 .Bd -literal -offset indent
399 .Bd -literal -offset indent
409 .Bl -tag -width pktdelay_pkts
417 .It Cm src-nodes
420 .Ar sticky-address
425 .It Cm table-entries
431 .It Cm eth-anchors
437 .Bd -literal -offset indent
438 set limit { states 20000, frags 2000, src-nodes 2000 }
440 .It Ar set ruleset-optimization
441 .Bl -tag -width xxxxxxxx -compact
450 .Bl -enum -compact
458 re-order the rules to improve evaluation performance
468 A side effect of the ruleset modification is that per-rule accounting
470 If per-rule accounting is important for billing purposes or whatnot,
474 Optimization can also be set as a command-line argument to
481 .Bl -tag -width xxxx -compact
485 .It Ar high-latency
486 A high-latency environment (such as a satellite connection).
489 .Ar high-latency .
502 .Bd -literal -offset indent
505 .It Ar set reassemble yes | no Op Cm no-df
514 .Cm no-df
516 .Dq dont-fragment
520 .Dq dont-fragment
525 This option is ignored if there are pre-FreeBSD 14
528 .It Ar set block-policy
530 .Ar block-policy
535 .Bl -tag -width xxxxxxxx -compact
549 .Bd -literal -offset indent
550 set block-policy return
552 .It Ar set fail-policy
554 .Ar fail-policy
557 This might happen when a nat or route-to rule uses an empty table as list
563 .Bl -tag -width xxxxxxxx -compact
574 .Bd -literal -offset indent
575 set fail-policy return
577 .It Ar set state-policy
579 .Ar state-policy
582 .Bl -tag -width group-bound -compact
583 .It Ar if-bound
590 .Bd -literal -offset indent
591 set state-policy if-bound
607 .Bl -tag -width adaptive -compact
614 is used up by half-open TCP connections, as in, those that saw the initial
617 .Bd -literal -offset indent
621 .It Ar set state-defaults
623 .Ar state-defaults
628 .Bd -literal -offset indent
629 set state-defaults no-sync
632 The 32-bit
638 By default the hostid is set to a pseudo-random value, however it may be
641 .Bd -literal -offset indent
646 .It Ar set require-order
658 There may be non-trivial and non-obvious implications to an out of
692 .Bl -tag -width xxxxxxxxxxxx -compact
726 .Bl -tag -width xxxx
746 .Bl -tag -width xxxx
770 .It Ar bridge-to Aq interface
827 .Bl -tag -width xxxx
828 .It Ar no-df
830 .Ar dont-fragment
833 .Ar dont-fragment
838 .Ar dont-fragment
840 .Ar no-df
844 .Ar dont-fragment
847 .Ar dont-fragment
851 .Ar random-id
853 .Ar no-df
855 .It Ar min-ttl Aq Ar number
857 .It Ar max-mss Aq Ar number
867 .It Xo Ar set-tos Aq Ar string
888 .It Ar random-id
898 .Bl -tag -width timeout -compact
925 delayed for longer than it takes the connection to wrap its 32-bit sequence
945 .Bd -literal -offset indent
946 match in all scrub (no-df random-id max-mss 1440)
948 .Ss Scrub ruleset (pre-FreeBSD 14)
964 .Bl -tag -width xxxx
980 .Bd -literal -offset indent
1030 .Bl -tag -width xxxx
1093 supports both link-sharing and guaranteed real-time services.
1108 .Bl -tag -width xxxx
1154 should queue up to 5Mbps in four second-level queues using
1157 .Bd -literal -offset indent
1177 .Bl -tag -width xxxx
1219 .Bl -tag -width Fl
1241 .Bl -tag -width Fl
1250 .Bl -tag -width Fl
1311 .Bd -literal
1379 .Bl -tag -width xxxx
1380 .It Ar af-to
1383 .Ar af-to
1387 .Ar af-to
1399 part is 32 bits long.
1408 .Bd -literal -offset indent
1409 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1410 pass in inet af-to inet6 from 2001:db8::1
1419 .Bd -literal -offset indent
1420 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1422 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1434 .Ar binat-to
1438 .Ar nat-to
1440 .Ar rdr-to
1442 .It Ar nat-to
1444 .Ar nat-to
1453 .Bd -literal -offset indent
1454 10.0.0.0 - 10.255.255.255 (all of net 10.0.0.0, i.e., 10.0.0.0/8)
1455 172.16.0.0 - 172.31.255.255 (i.e., 172.16.0.0/12)
1456 192.168.0.0 - 192.168.255.255 (i.e., 192.168.0.0/16)
1459 .Ar nat-to
1461 If applied inbound, nat-to to a local IP address is not supported.
1462 .It Ar rdr-to
1465 .Ar rdr-to
1468 .Bd -literal -offset indent
1469 match in ... port 2000:2999 rdr-to ... port 4000
1472 .Bd -literal -offset indent
1473 match in ... port 2000:2999 rdr-to ... port 4000:*
1478 .Ar rdr-to
1480 If applied outbound, rdr-to to a local IP address is not supported.
1487 .Ar nat-to
1489 .Ar rdr-to
1492 .Ar rdr-to
1495 A random source port in the range 50001-65535 is chosen in this case.
1497 .Ar binat-to
1502 .Bd -literal -offset indent
1504 rdr-to 127.0.0.1 port spamd
1510 Unless this effect is desired, any of the local non-loopback addresses
1518 .Ss NAT ruleset (pre-FreeBSD 15)
1546 .Ar binat-to ,
1547 .Ar nat-to
1549 .Ar rdr-to
1625 .Bl -tag -width xxxx
1635 .Ar block-policy
1636 option, or on a per-rule basis with one of the following options:
1638 .Bl -tag -width xxxx -compact
1641 .It Ar return-rst
1646 .It Ar return-icmp
1647 .It Ar return-icmp6
1666 .Bd -literal -offset indent
1682 .Ar nat-to ,
1683 .Ar binat-to ,
1684 .Ar rdr-to ,
1722 .Bd -literal -offset indent
1723 pass out inet proto icmp all icmp-type echoreq
1771 .Bl -tag -width xxxx
1885 .Bl -tag -width xxxxxxxxxxxxxx -compact
1888 .It Ar no-route
1890 .It Ar urpf-failed
1901 .Sq -
1904 .Dq 10.1.1.10 - 10.1.1.12
1912 .Bl -tag -width xxxxxxxxxxxx -compact
1918 Translates to the point-to-point interface's peer address(es).
1926 v4 and non-link-local v6 address found.
1929 ruleset load-time.
1950 .Bd -literal -offset indent
1968 .Bl -tag -width Fl
1980 hence ports 1-1999 and 2005-65535.
1992 .Bd -literal -offset indent
2054 .Bd -literal -offset indent
2061 .Bd -literal -offset indent
2089 The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
2090 .Bl -tag -width Fl
2112 .Pq non-SYN
2122 .Ar af-to ,
2132 .It Xo Ar icmp-type Aq Ar type
2135 .It Xo Ar icmp6-type Aq Ar type
2148 .Ar icmp-type
2150 .Ar icmp6-type
2176 .Bd -literal -offset indent
2181 .It Ar allow-opts
2182 By default, packets with IPv4 options or IPv6 hop-by-hop or destination
2185 .Ar allow-opts
2200 pfctl -s labels
2201 shows per-rule statistics for rules that have labels.
2205 .Bl -tag -width $srcaddr -compact -offset indent
2223 .Bd -literal -offset indent
2230 .Bd -literal -offset indent
2243 .It Cm max-pkt-rate Ar number Ns / Ns Ar seconds
2250 .Bd -literal -offset indent
2252 pass in proto icmp max-pkt-rate 100/10
2258 .It Ar max-pkt-size Aq Ar number
2283 .Bd -literal -offset indent
2300 .Bd -literal -offset indent
2304 .It Oo Cm \&! Oc Ns Cm received-on Ar interface
2340 .It Xo Ar divert-to Aq Ar host
2354 If a packet is re-injected and does not change direction then it will not be
2355 re-diverted.
2356 .It Ar divert-reply
2365 .Bd -literal -offset indent
2376 .Bl -tag -width xxxx
2377 .It Ar route-to
2379 .Ar route-to
2383 .Ar route-to
2388 .It Ar reply-to
2390 .Ar reply-to
2392 .Ar route-to ,
2396 .Ar reply-to
2401 .It Ar dup-to
2403 .Ar dup-to
2405 .Ar route-to .
2414 .Ar route-to ,
2415 .Ar reply-to
2417 .Ar dup-to
2422 .Bl -tag -width xxxx
2435 .It Ar source-hash
2437 .Ar source-hash
2443 randomly generates a key for source-hash every time the
2445 .It Ar round-robin
2447 .Ar round-robin
2453 .It Ar static-port
2457 .Ar static-port
2461 .It Xo Ar map-e-portset Aq Ar psid-offset
2462 .No / Aq Ar psid-len
2468 .Ar map-e-portset
2469 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2470 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2472 to the map-e-portset nat rule.
2475 .Bd -literal -offset indent
2477 -> $ipv4_mape_src map-e-portset 6/8/0x34
2481 .It Ar endpoint-independent
2485 .Ar endpoint-independent
2490 This feature implements "full-cone" NAT behavior.
2494 .Ar sticky-address
2496 .Ar prefer-ipv6-nexthop
2500 .Ar sticky-address
2506 .Ar round-robin
2517 .Ar prefer-ipv6-nexthop
2520 .Ar route-to
2522 will be used in round-robin fashion, then IPv4 addresses.
2542 .Bd -literal -offset indent
2585 completed the handshake, hence so-called SYN floods with spoofed source
2609 .Bd -literal -offset indent
2614 per-rule basis.
2623 .Bl -tag -width xxxx -compact
2628 .It Ar no-sync
2650 .It Ar allow-related
2657 .Bd -literal -offset indent
2660 (max 100, source-track rule, max-src-nodes 75, \e
2661 max-src-states 3, tcp.established 60, tcp.closing 5)
2665 .Ar source-track
2668 .Bl -tag -width xxxx -compact
2669 .It Ar source-track rule
2671 .Ar max-src-nodes
2673 .Ar max-src-states
2677 .It Ar source-track global
2680 .Ar max-src-nodes
2682 .Ar max-src-states
2689 .Bl -tag -width xxxx -compact
2690 .It Ar max-src-nodes Aq Ar number
2693 .It Ar max-src-states Aq Ar number
2699 which have completed the TCP 3-way handshake) can also be enforced
2702 .Bl -tag -width xxxx -compact
2703 .It Ar max-src-conn Aq Ar number
2705 completed the 3-way handshake that a single host can make.
2706 .It Xo Ar max-src-conn-rate Aq Ar number
2716 Because the 3-way handshake ensures that the source address is not being
2743 .Bd -literal -offset indent
2746 (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
2777 .Ar no-df
2780 .Dl \&"OpenBSD 3.3 no-df\&"
2789 .Dl # pfctl -so
2802 .Bd -literal -offset indent
2832 .Bd -literal -offset indent
2837 .Bd -literal -offset indent
2842 For non-loopback interfaces, there are additional rules to block incoming
2847 .Bd -literal -offset indent
2852 .Bd -literal -offset indent
2903 .Bd -literal -offset indent
2966 .Bl -tag -width xxxx
2967 .It Ar nat-anchor Aq Ar name
2972 .It Ar rdr-anchor Aq Ar name
2977 .It Ar binat-anchor Aq Ar name
3030 .Bd -literal -offset indent
3044 .Bd -literal -offset indent
3046 pfctl -a spam -f -
3058 .Bd -literal -offset indent
3060 load anchor spam from "/etc/pf-spam.conf"
3068 .Pa /etc/pf-spam.conf
3079 .Bd -literal -offset indent
3092 .Bd -literal -offset indent
3094 pfctl -a spam -f -
3104 .Bd -literal -offset indent
3124 .Bd -literal -offset indent
3125 # echo ' anchor "spam/allowed" ' | pfctl -f -
3126 # echo -e ' anchor "../banned" \en pass' | \e
3127 pfctl -a spam/allowed -f -
3140 rule can also contain a filter ruleset in a brace-delimited block.
3143 Brace-delimited blocks may contain rules or other brace-delimited blocks.
3145 .Bd -literal -offset indent
3173 .Bd -literal -offset indent
3179 rdr-to 127.0.0.1 port 8080
3188 .Bd -literal -offset indent
3190 rdr-to 127.0.0.1 port 8080
3201 .Bd -literal -offset indent
3202 match out on ! vlan12 from 192.168.168.0/24 to any nat-to 204.92.77.111
3208 .Xr ftp-proxy 8 ,
3211 .Xr ftp-proxy 8
3213 .Xr ftp-proxy 8
3215 .Bd -literal -offset indent
3219 pass out on $ext_if inet from ! ($ext_if) to any nat-to ($ext_if)
3226 nat-to ($ext_if) port 500
3232 pass on $ext_if from 10.1.2.150 to any binat-to $ext_if
3236 pass on $peer_if from 172.21.16.0/20 to any binat-to 172.22.16.0/20
3242 rdr-to 10.1.2.151 port 22
3244 rdr-to 10.1.2.151 port 53
3248 # for proxying with ftp-proxy(8) running on port 8021.
3250 rdr-to 127.0.0.1 port 8021
3257 .Bd -literal -offset indent
3261 # using the source-hash keyword.
3262 pass out on $ext_if inet from any to any nat-to 192.0.2.16/28 source-hash
3268 rdr-to { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3276 .Bd -literal -offset indent
3279 nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
3284 .Bd -literal -offset indent
3289 -> 127.0.0.1 port 80
3292 .Bd -literal -offset indent
3307 block in from no-route to any
3311 block in from urpf-failed to any
3323 # them anyway (hence, no return-rst).
3334 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3383 tag SPAMD -> 127.0.0.1 port spamd
3390 translates an internal IPv4 subnet to IPv6 using the well-known
3392 .Bd -literal -offset 4n
3393 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3399 .Bd -literal -offset 4n
3400 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3406 .Bd -literal
3407 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3408 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3409 trans-anchors | anchor-rule | anchor-close | load-anchor |
3410 table-rule | include )
3412 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3413 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3415 "high-latency" | "satellite" |
3417 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3418 [ "loginterface" ( interface-name | "none" ) ] |
3419 [ "block-policy" ( "drop" | "return" ) ] |
3420 [ "state-policy" ( "if-bound" | "floating" ) ] |
3421 [ "state-defaults" state-opts ] |
3422 [ "require-order" ( "yes" | "no" ) ] |
3428 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3429 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3431 [ etherfilteropt-list ]
3433 pf-rule = action [ ( "in" | "out" ) ]
3436 [ hosts ] [ filteropt-list ]
3439 logopt = "all" | "matches" | "user" | "to" interface-name
3441 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3445 filteropt-list = filteropt-list filteropt | filteropt
3446 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3447 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3448 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3450 [ "(" state-opts ")" ] |
3451 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3452 "max-mss" number | "random-id" | "reassemble tcp" |
3453 fragmentation | "allow-opts" | "once" |
3455 "max-pkt-rate" number "/" seconds |
3457 "max-pkt-size" number |
3463 [ ! ] "received-on" ( interface-name | interface-group )
3465 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3468 [ "->" ( redirhost | "{" redirhost-list "}" )
3469 [ portspec ] [ pooltype ] [ "static-port" ]
3470 [ "map-e-portset" number "/" number "/" number ] ]
3472 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3473 [ "on" interface-name ] [ af ]
3474 [ "proto" ( proto-name | proto-number ) ]
3475 "from" address [ "/" mask-bits ] "to" ipspec
3477 [ "->" address [ "/" mask-bits ] ]
3479 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3482 [ "->" ( redirhost | "{" redirhost-list "}" )
3485 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3489 table-rule = "table" "<" string ">" [ tableopts-list ]
3490 tableopts-list = tableopts-list tableopts | tableopts
3492 "{" [ tableaddr-list ] "}"
3493 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3494 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3496 ipv4-dotted-quad | ipv6-coloned-hex
3498 altq-rule = "altq on" interface-name queueopts-list
3500 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3503 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3504 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3506 anchor-close = "}"
3508 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3511 load-anchor = "load anchor" string "from" filename
3513 queueopts-list = queueopts-list queueopts | queueopts
3514 queueopts = [ "bandwidth" bandwidth-spec ] |
3517 schedulers = ( cbq-def | priq-def | hfsc-def )
3518 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3522 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3523 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3524 "return-icmp6" [ "(" icmp6code ")" ]
3525 icmpcode = ( icmp-code-name | icmp-code-number )
3526 icmp6code = ( icmp6-code-name | icmp6-code-number )
3528 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3529 "{" interface-list "}"
3530 interface-list = [ "!" ] ( interface-name | interface-group )
3531 [ [ "," ] interface-list ]
3532 route = ( "route-to" | "reply-to" | "dup-to" )
3533 ( routehost | "{" routehost-list "}" )
3537 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3538 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3539 protospec = "proto" ( proto-name | proto-number |
3540 "{" proto-list "}" )
3541 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3547 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3548 "{" host-list "}" ) [ port ] [ os ]
3549 "to" ( "any" | "no-route" | "self" | host |
3550 "{" host-list "}" ) [ port ]
3552 ipspec = "any" | host | "{" host-list "}"
3553 host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
3554 redirhost = address [ "/" mask-bits ]
3555 routehost = "(" interface-name address [ "/" mask-bits ] ")"
3556 address = ( interface-name | interface-group |
3557 "(" ( interface-name | interface-group ) ")" |
3558 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3559 host-list = host [ [ "," ] host-list ]
3560 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3561 routehost-list = routehost [ [ "," ] routehost-list ]
3563 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3565 os = "os" ( os-name | "{" os-list "}" )
3566 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3567 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3569 unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
3571 binary-op = number ( "<>" | "><" | ":" ) number
3572 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3574 os-name = operating-system-name
3575 os-list = os-name [ [ "," ] os-list ]
3577 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3578 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3581 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3582 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3583 icmp-type-code = ( icmp-type-name | icmp-type-number )
3584 [ "code" ( icmp-code-name | icmp-code-number ) ]
3585 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3590 state-opts = state-opt [ [ "," ] state-opts ]
3591 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3592 "source-track" [ ( "rule" | "global" ) ] |
3593 "max-src-nodes" number | "max-src-states" number |
3594 "max-src-conn" number |
3595 "max-src-conn-rate" number "/" number |
3597 "if-bound" | "floating" | "pflow" )
3601 timeout-list = timeout [ [ "," ] timeout-list ]
3612 limit-list = limit-item [ [ "," ] limit-list ]
3613 limit-item = ( "states" | "frags" | "src-nodes" ) number
3616 "source-hash" [ ( hex-key | string-key ) ] |
3617 "round-robin" ) [ sticky-address | prefer-ipv6-nexthop ]
3619 subqueue = string | "{" queue-list "}"
3620 queue-list = string [ [ "," ] string ]
3621 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3622 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3623 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3624 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3625 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3626 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3627 linkshare-sc | realtime-sc | upperlimit-sc )
3628 linkshare-sc = "linkshare" sc-spec
3629 realtime-sc = "realtime" sc-spec
3630 upperlimit-sc = "upperlimit" sc-spec
3631 sc-spec = ( bandwidth-spec |
3632 "(" bandwidth-spec number bandwidth-spec ")" )
3636 .Bl -tag -width "/etc/protocols" -compact
3667 .Xr ftp-proxy 8 ,