10 .\" - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
81 .Ar set require-order
91 .Bd -literal -offset indent
113 .Bd -literal -offset indent
120 srv_lan_range = "'198.51.100.0 - 198.51.100.255'"
122 nat on $ext_if from $nat_ranges to any -> ($ext_if)
156 .Bl -tag -width "manually"
172 statement, and are especially useful to define non-persistent tables.
173 The contents of a pre-existing table defined without a list of addresses
183 .Bl -tag -width counters
204 flag enables per-address packet and byte counters which can be displayed with
210 .Bd -literal -offset indent
213 block on fxp0 from { <private>, <badhosts> } to any
218 A filter rule is set up to block all traffic coming from addresses listed in
224 .Bd -literal -offset indent
225 # pfctl -t badhosts -Tadd 204.92.77.111
230 .Bd -literal -offset indent
232 block on fxp0 from <spam> to any
256 .Bl -tag -width xxxx
259 .Bl -tag -width "src.track" -compact
281 .Bl -tag -width xxxx -compact
309 .Bl -tag -width xxxx -compact
325 .Bl -tag -width xxxx -compact
341 .Bl -tag -width xxxx -compact
350 .Bl -tag -width xxxx -compact
355 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
369 When used on a per-rule basis, the values relate to the number of
374 .Bd -literal -offset indent
387 .Bd -literal -offset indent
388 # pfctl -s info
394 .Bd -literal -offset indent
399 .Bd -literal -offset indent
409 .Bl -tag -width pktdelay_pkts
417 .It Cm src-nodes
420 .Ar sticky-address
425 .It Cm table-entries
431 .It Cm eth-anchors
437 .Bd -literal -offset indent
438 set limit { states 20000, frags 2000, src-nodes 2000 }
440 .It Ar set ruleset-optimization
441 .Bl -tag -width xxxxxxxx -compact
450 .Bl -enum -compact
458 re-order the rules to improve evaluation performance
468 A side effect of the ruleset modification is that per-rule accounting
470 If per-rule accounting is important for billing purposes or whatnot,
474 Optimization can also be set as a command-line argument to
481 .Bl -tag -width xxxx -compact
485 .It Ar high-latency
486 A high-latency environment (such as a satellite connection).
489 .Ar high-latency .
502 .Bd -literal -offset indent
505 .It Ar set reassemble yes | no Op Cm no-df
514 .Cm no-df
516 .Dq dont-fragment
520 .Dq dont-fragment
525 This option is ignored if there are pre-FreeBSD 14
528 .It Ar set block-policy
530 .Ar block-policy
532 .Ar block
535 .Bl -tag -width xxxxxxxx -compact
549 .Bd -literal -offset indent
550 set block-policy return
552 .It Ar set fail-policy
554 .Ar fail-policy
557 This might happen when a nat or route-to rule uses an empty table as list
560 .Ar block
563 .Bl -tag -width xxxxxxxx -compact
574 .Bd -literal -offset indent
575 set fail-policy return
577 .It Ar set state-policy
579 .Ar state-policy
582 .Bl -tag -width group-bound -compact
583 .It Ar if-bound
590 .Bd -literal -offset indent
591 set state-policy if-bound
607 .Bl -tag -width adaptive -compact
614 is used up by half-open TCP connections, as in, those that saw the initial
617 .Bd -literal -offset indent
621 .It Ar set state-defaults
623 .Ar state-defaults
628 .Bd -literal -offset indent
629 set state-defaults no-sync
632 The 32-bit
638 By default the hostid is set to a pseudo-random value, however it may be
641 .Bd -literal -offset indent
646 .It Ar set require-order
658 There may be non-trivial and non-obvious implications to an out of
692 .Bl -tag -width xxxxxxxxxxxx -compact
713 .Ar block
726 .Bl -tag -width xxxx
727 .It Ar block
746 .Bl -tag -width xxxx
770 .It Ar bridge-to Aq interface
827 .Bl -tag -width xxxx
828 .It Ar no-df
830 .Ar dont-fragment
833 .Ar dont-fragment
838 .Ar dont-fragment
840 .Ar no-df
844 .Ar dont-fragment
847 .Ar dont-fragment
851 .Ar random-id
853 .Ar no-df
855 .It Ar min-ttl Aq Ar number
857 .It Ar max-mss Aq Ar number
867 .It Xo Ar set-tos Aq Ar string
888 .It Ar random-id
898 .Bl -tag -width timeout -compact
925 delayed for longer than it takes the connection to wrap its 32-bit sequence
945 .Bd -literal -offset indent
946 match in all scrub (no-df random-id max-mss 1440)
948 .Ss Scrub ruleset (pre-FreeBSD 14)
964 .Bl -tag -width xxxx
980 .Bd -literal -offset indent
1020 .Ar block
1030 .Bl -tag -width xxxx
1093 supports both link-sharing and guaranteed real-time services.
1108 .Bl -tag -width xxxx
1154 should queue up to 5Mbps in four second-level queues using
1157 .Bd -literal -offset indent
1177 .Bl -tag -width xxxx
1219 .Bl -tag -width Fl
1241 .Bl -tag -width Fl
1250 .Bl -tag -width Fl
1311 .Bd -literal
1322 block return out on dc0 inet all queue std
1379 .Bl -tag -width xxxx
1380 .It Ar af-to
1383 .Ar af-to
1387 .Ar af-to
1399 part is 32-bit long.
1408 .Bd -literal -offset indent
1409 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1410 pass in inet af-to inet6 from 2001:db8::1
1419 .Bd -literal -offset indent
1420 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1422 pass in inet6 from any to 64:ff9b::/96 af-to inet \e
1434 .Ar binat-to
1438 .Ar nat-to
1440 .Ar rdr-to
1442 .It Ar nat-to
1444 .Ar nat-to
1453 .Bd -literal -offset indent
1454 10.0.0.0 - 10.255.255.255 (all of net 10.0.0.0, i.e., 10.0.0.0/8)
1455 172.16.0.0 - 172.31.255.255 (i.e., 172.16.0.0/12)
1456 192.168.0.0 - 192.168.255.255 (i.e., 192.168.0.0/16)
1459 .Ar nat-to
1461 If applied inbound, nat-to to a local IP address is not supported.
1462 .It Pa rdr-to
1465 .Ar rdr-to
1468 .Bd -literal -offset indent
1469 match in ... port 2000:2999 rdr-to ... port 4000
1472 .Bd -literal -offset indent
1473 match in ... port 2000:2999 rdr-to ... port 4000:*
1478 .Ar rdr-to
1480 If applied outbound, rdr-to to a local IP address is not supported.
1487 .Ar nat-to
1489 .Ar rdr-to
1492 .Ar rdr-to
1495 A random source port in the range 50001-65535 is chosen in this case.
1497 .Ar binat-to
1502 .Bd -literal -offset indent
1504 rdr-to 127.0.0.1 port spamd
1510 Unless this effect is desired, any of the local non-loopback addresses
1518 .Ss NAT ruleset (pre-FreeBSD 15)
1535 .Ar block
1546 .Ar binat-to ,
1547 .Ar nat-to
1549 .Ar rdr-to
1591 .Ar block
1613 .Ar block
1619 , rules are evaluated every time they match; the pass/block state of a packet
1625 .Bl -tag -width xxxx
1626 .It Ar block
1629 .Ar block
1635 .Ar block-policy
1636 option, or on a per-rule basis with one of the following options:
1638 .Bl -tag -width xxxx -compact
1641 .It Ar return-rst
1646 .It Ar return-icmp
1647 .It Ar return-icmp6
1664 The simplest mechanism to block everything by default and only pass
1666 .Bd -literal -offset indent
1667 block all
1672 block/pass state of a packet.
1675 .Ar block
1682 .Ar nat-to ,
1683 .Ar binat-to ,
1684 .Ar rdr-to ,
1722 .Bd -literal -offset indent
1723 pass out inet proto icmp all icmp-type echoreq
1771 .Bl -tag -width xxxx
1885 .Bl -tag -width xxxxxxxxxxxxxx -compact
1888 .It Ar no-route
1890 .It Ar urpf-failed
1901 .Sq -
1904 .Dq 10.1.1.10 - 10.1.1.12
1912 .Bl -tag -width xxxxxxxxxxxx -compact
1918 Translates to the point-to-point interface's peer address(es).
1926 v4 and non-link-local v6 address found.
1929 ruleset load-time.
1950 .Bd -literal -offset indent
1968 .Bl -tag -width Fl
1980 hence ports 1-1999 and 2005-65535.
1992 .Bd -literal -offset indent
2054 .Bd -literal -offset indent
2055 block out proto { tcp, udp } all
2061 .Bd -literal -offset indent
2062 block out proto tcp all
2090 .Bl -tag -width Fl
2112 .Pq non-SYN
2122 .Ar af-to ,
2132 .It Xo Ar icmp-type Aq Ar type
2135 .It Xo Ar icmp6-type Aq Ar type
2148 .Ar icmp-type
2150 .Ar icmp6-type
2176 .Bd -literal -offset indent
2181 .It Ar allow-opts
2182 By default, packets with IPv4 options or IPv6 hop-by-hop or destination
2185 .Ar allow-opts
2200 pfctl -s labels
2201 shows per-rule statistics for rules that have labels.
2205 .Bl -tag -width $srcaddr -compact -offset indent
2223 .Bd -literal -offset indent
2230 .Bd -literal -offset indent
2243 .It Cm max-pkt-rate Ar number Ns / Ns Ar seconds
2250 .Bd -literal -offset indent
2251 block in proto icmp
2252 pass in proto icmp max-pkt-rate 100/10
2258 .It Ar max-pkt-size Aq Ar number
2283 .Bd -literal -offset indent
2300 .Bd -literal -offset indent
2304 .It Oo Cm \&! Oc Ns Cm received-on Ar interface
2340 .It Xo Ar divert-to Aq Ar host
2354 If a packet is re-injected and does not change direction then it will not be
2355 re-diverted.
2356 .It Ar divert-reply
2365 .Bd -literal -offset indent
2366 block in proto icmp probability 20%
2376 .Bl -tag -width xxxx
2377 .It Ar route-to
2379 .Ar route-to
2383 .Ar route-to
2388 .It Ar reply-to
2390 .Ar reply-to
2392 .Ar route-to ,
2396 .Ar reply-to
2401 .It Ar dup-to
2403 .Ar dup-to
2405 .Ar route-to .
2414 .Ar route-to ,
2415 .Ar reply-to
2417 .Ar dup-to
2422 .Bl -tag -width xxxx
2434 option selects an address at random within the defined block of addresses.
2435 .It Ar source-hash
2437 .Ar source-hash
2443 randomly generates a key for source-hash every time the
2445 .It Ar round-robin
2447 .Ar round-robin
2453 .It Ar static-port
2457 .Ar static-port
2461 .It Xo Ar map-e-portset Aq Ar psid-offset
2462 .No / Aq Ar psid-len
2468 .Ar map-e-portset
2469 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2470 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2472 to the map-e-portset nat rule.
2475 .Bd -literal -offset indent
2477 -> $ipv4_mape_src map-e-portset 6/8/0x34
2481 .It Ar endpoint-independent
2485 .Ar endpoint-independent
2490 This feature implements "full-cone" NAT behavior.
2494 .Ar sticky-address
2496 .Ar prefer-ipv6-nexthop
2500 .Ar sticky-address
2506 .Ar round-robin
2517 .Ar prefer-ipv6-nexthop
2520 .Ar route-to
2522 will be used in round-robin fashion, then IPv4 addresses.
2542 .Bd -literal -offset indent
2543 block all
2585 completed the handshake, hence so-called SYN floods with spoofed source
2609 .Bd -literal -offset indent
2614 per-rule basis.
2623 .Bl -tag -width xxxx -compact
2628 .It Ar no-sync
2650 .It Ar allow-related
2657 .Bd -literal -offset indent
2660 (max 100, source-track rule, max-src-nodes 75, \e
2661 max-src-states 3, tcp.established 60, tcp.closing 5)
2665 .Ar source-track
2668 .Bl -tag -width xxxx -compact
2669 .It Ar source-track rule
2671 .Ar max-src-nodes
2673 .Ar max-src-states
2677 .It Ar source-track global
2680 .Ar max-src-nodes
2682 .Ar max-src-states
2689 .Bl -tag -width xxxx -compact
2690 .It Ar max-src-nodes Aq Ar number
2693 .It Ar max-src-states Aq Ar number
2699 which have completed the TCP 3-way handshake) can also be enforced
2702 .Bl -tag -width xxxx -compact
2703 .It Ar max-src-conn Aq Ar number
2705 completed the 3-way handshake that a single host can make.
2706 .It Xo Ar max-src-conn-rate Aq Ar number
2716 Because the 3-way handshake ensures that the source address is not being
2722 This table can be used in the ruleset to block further activity from
2742 by the block rule.
2743 .Bd -literal -offset indent
2744 block quick from <bad_hosts>
2746 (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
2777 .Ar no-df
2780 .Dl \&"OpenBSD 3.3 no-df\&"
2789 .Dl # pfctl -so
2802 .Bd -literal -offset indent
2804 block out proto tcp from any os Doors
2805 block out proto tcp from any os "Doors PT"
2806 block out proto tcp from any os "Doors PT SP3"
2807 block out from any os "unknown"
2826 directive expands to a set of filter rules which will block all
2832 .Bd -literal -offset indent
2837 .Bd -literal -offset indent
2838 block drop in on ! lo0 inet from 127.0.0.1/8 to any
2839 block drop in on ! lo0 inet6 from ::1 to any
2842 For non-loopback interfaces, there are additional rules to block incoming
2847 .Bd -literal -offset indent
2852 .Bd -literal -offset indent
2853 block drop in on ! wi0 inet from 10.0.0.0/24 to any
2854 block drop in inet from 10.0.0.1 to any
2903 .Bd -literal -offset indent
2966 .Bl -tag -width xxxx
2967 .It Ar nat-anchor Aq Ar name
2972 .It Ar rdr-anchor Aq Ar name
2977 .It Ar binat-anchor Aq Ar name
3030 .Bd -literal -offset indent
3032 block on $ext_if all
3044 .Bd -literal -offset indent
3045 # echo \&"block in quick from 1.2.3.4 to any\&" \&| \e
3046 pfctl -a spam -f -
3058 .Bd -literal -offset indent
3060 load anchor spam from "/etc/pf-spam.conf"
3068 .Pa /etc/pf-spam.conf
3079 .Bd -literal -offset indent
3080 block on $ext_if all
3092 .Bd -literal -offset indent
3093 # echo \&"block in quick from 1.2.3.4 to any" \&| \e
3094 pfctl -a spam -f -
3097 will only block connections from 1.2.3.4 to port 25.
3104 .Bd -literal -offset indent
3124 .Bd -literal -offset indent
3125 # echo ' anchor "spam/allowed" ' | pfctl -f -
3126 # echo -e ' anchor "../banned" \en pass' | \e
3127 pfctl -a spam/allowed -f -
3140 rule can also contain a filter ruleset in a brace-delimited block.
3143 Brace delimited blocks may contain rules or other brace-delimited blocks.
3145 .Bd -literal -offset indent
3173 .Bd -literal -offset indent
3179 rdr-to 127.0.0.1 port 8080
3188 .Bd -literal -offset indent
3190 rdr-to 127.0.0.1 port 8080
3201 .Bd -literal -offset indent
3202 match out on ! vlan12 from 192.168.168.0/24 to any nat-to 204.92.77.111
3208 .Xr ftp-proxy 8 ,
3211 .Xr ftp-proxy 8
3213 .Xr ftp-proxy 8
3215 .Bd -literal -offset indent
3219 pass out on $ext_if inet from ! ($ext_if) to any nat-to ($ext_if)
3226 nat-to ($ext_if) port 500
3232 pass on $ext_if from 10.1.2.150 to any binat-to $ext_if
3236 pass on $peer_if from 172.21.16.0/20 to any binat-to 172.22.16.0/20
3242 rdr-to 10.1.2.151 port 22
3244 rdr-to 10.1.2.151 port 53
3248 # for proxying with ftp-proxy(8) running on port 8021.
3250 rdr-to 127.0.0.1 port 8021
3257 .Bd -literal -offset indent
3261 # using the source-hash keyword.
3262 pass out on $ext_if inet from any to any nat-to 192.0.2.16/28 source-hash
3268 rdr-to { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3276 .Bd -literal -offset indent
3279 nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
3284 .Bd -literal -offset indent
3289 -> 127.0.0.1 port 80
3292 .Bd -literal -offset indent
3303 # block and log everything by default
3304 block return log on $ext_if all
3306 # block anything coming from source we have no back routes for
3307 block in from no-route to any
3309 # block packets whose ingress interface does not match the one in
3311 block in from urpf-failed to any
3313 # block and log outgoing packets that do not have our address as source,
3316 block out log quick on $ext_if from ! 157.161.48.183 to any
3319 block in quick on $ext_if from any to 255.255.255.255
3321 # block and log incoming packets from reserved address space and invalid
3323 # them anyway (hence, no return-rst).
3324 block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, \e
3334 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3355 block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e
3375 block out on $ext_if from any to any
3383 tag SPAMD -> 127.0.0.1 port spamd
3385 block in on $ext_if
3390 translates an internal IPv4 subnet to IPv6 using the well-known
3392 .Bd -literal -offset 4n
3393 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3399 .Bd -literal -offset 4n
3400 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3406 .Bd -literal
3407 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3408 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3409 trans-anchors | anchor-rule | anchor-close | load-anchor |
3410 table-rule | include )
3412 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3413 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3415 "high-latency" | "satellite" |
3417 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3418 [ "loginterface" ( interface-name | "none" ) ] |
3419 [ "block-policy" ( "drop" | "return" ) ] |
3420 [ "state-policy" ( "if-bound" | "floating" ) ]
3421 [ "state-defaults" state-opts ]
3422 [ "require-order" ( "yes" | "no" ) ]
3428 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3429 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3431 [ etherfilteropt-list ]
3433 pf-rule = action [ ( "in" | "out" ) ]
3436 [ hosts ] [ filteropt-list ]
3439 logopt = "all" | "matches" | "user" | "to" interface-name
3441 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3445 filteropt-list = filteropt-list filteropt | filteropt
3446 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3447 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3448 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3450 [ "(" state-opts ")" ] |
3451 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3452 "max-mss" number | "random-id" | "reassemble tcp" |
3453 fragmentation | "allow-opts" | "once" |
3455 "max-pkt-rate" number "/" seconds |
3457 "max-pkt-size" number |
3463 "binat-to" ( redirhost | "{" redirhost-list "}" )
3465 "rdr-to" ( redirhost | "{" redirhost-list "}" )
3467 "nat-to" ( redirhost | "{" redirhost-list "}" )
3468 [ portspec ] [ pooltype ] [ "static-port" ] |
3469 [ ! ] "received-on" ( interface-name | interface-group )
3471 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3474 [ "->" ( redirhost | "{" redirhost-list "}" )
3475 [ portspec ] [ pooltype ] [ "static-port" ]
3476 [ "map-e-portset" number "/" number "/" number ] ]
3478 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3479 [ "on" interface-name ] [ af ]
3480 [ "proto" ( proto-name | proto-number ) ]
3481 "from" address [ "/" mask-bits ] "to" ipspec
3483 [ "->" address [ "/" mask-bits ] ]
3485 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3488 [ "->" ( redirhost | "{" redirhost-list "}" )
3491 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3495 table-rule = "table" "<" string ">" [ tableopts-list ]
3496 tableopts-list = tableopts-list tableopts | tableopts
3498 "{" [ tableaddr-list ] "}"
3499 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3500 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3502 ipv4-dotted-quad | ipv6-coloned-hex
3504 altq-rule = "altq on" interface-name queueopts-list
3506 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3509 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3510 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3512 anchor-close = "}"
3514 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3517 load-anchor = "load anchor" string "from" filename
3519 queueopts-list = queueopts-list queueopts | queueopts
3520 queueopts = [ "bandwidth" bandwidth-spec ] |
3523 schedulers = ( cbq-def | priq-def | hfsc-def )
3524 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3526 etheraction = "pass" | "block"
3527 action = "pass" | "match" | "block" [ return ] | [ "no" ] "scrub"
3528 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3529 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3530 "return-icmp6" [ "(" icmp6code ")" ]
3531 icmpcode = ( icmp-code-name | icmp-code-number )
3532 icmp6code = ( icmp6-code-name | icmp6-code-number )
3534 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3535 "{" interface-list "}"
3536 interface-list = [ "!" ] ( interface-name | interface-group )
3537 [ [ "," ] interface-list ]
3538 route = ( "route-to" | "reply-to" | "dup-to" )
3539 ( routehost | "{" routehost-list "}" )
3543 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3544 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3545 protospec = "proto" ( proto-name | proto-number |
3546 "{" proto-list "}" )
3547 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3553 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3554 "{" host-list "}" ) [ port ] [ os ]
3555 "to" ( "any" | "no-route" | "self" | host |
3556 "{" host-list "}" ) [ port ]
3558 ipspec = "any" | host | "{" host-list "}"
3559 host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
3560 redirhost = address [ "/" mask-bits ]
3561 routehost = "(" interface-name address [ "/" mask-bits ] ")"
3562 address = ( interface-name | interface-group |
3563 "(" ( interface-name | interface-group ) ")" |
3564 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3565 host-list = host [ [ "," ] host-list ]
3566 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3567 routehost-list = routehost [ [ "," ] routehost-list ]
3569 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3571 os = "os" ( os-name | "{" os-list "}" )
3572 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3573 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3575 unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
3577 binary-op = number ( "<>" | "><" | ":" ) number
3578 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3580 os-name = operating-system-name
3581 os-list = os-name [ [ "," ] os-list ]
3583 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3584 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3587 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3588 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3589 icmp-type-code = ( icmp-type-name | icmp-type-number )
3590 [ "code" ( icmp-code-name | icmp-code-number ) ]
3591 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3596 state-opts = state-opt [ [ "," ] state-opts ]
3597 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3598 "source-track" [ ( "rule" | "global" ) ] |
3599 "max-src-nodes" number | "max-src-states" number |
3600 "max-src-conn" number |
3601 "max-src-conn-rate" number "/" number |
3603 "if-bound" | "floating" | "pflow" )
3607 timeout-list = timeout [ [ "," ] timeout-list ]
3618 limit-list = limit-item [ [ "," ] limit-list ]
3619 limit-item = ( "states" | "frags" | "src-nodes" ) number
3622 "source-hash" [ ( hex-key | string-key ) ] |
3623 "round-robin" ) [ sticky-address | prefer-ipv6-nexthop ]
3625 subqueue = string | "{" queue-list "}"
3626 queue-list = string [ [ "," ] string ]
3627 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3628 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3629 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3630 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3631 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3632 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3633 linkshare-sc | realtime-sc | upperlimit-sc )
3634 linkshare-sc = "linkshare" sc-spec
3635 realtime-sc = "realtime" sc-spec
3636 upperlimit-sc = "upperlimit" sc-spec
3637 sc-spec = ( bandwidth-spec |
3638 "(" bandwidth-spec number bandwidth-spec ")" )
3642 .Bl -tag -width "/etc/protocols" -compact
3673 .Xr ftp-proxy 8 ,