Lines Matching +full:send +full:- +full:flush +full:- +full:out +full:- +full:sequence
10 .\" - Redistributions of source code must retain the above copyright
12 .\" - Redistributions in binary form must reproduce the above
27 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
45 .Bl -tag -width xxxx
47 User-defined variables may be defined and used later, simplifying
57 Ethernet filtering provides rule-based blocking or passing of Ethernet packets.
62 Queueing provides rule-based bandwidth control.
67 Packet filtering provides rule-based blocking or passing of packets.
81 .Ar set require-order
91 .Bd -literal -offset indent
101 .Ar out ) .
105 .Bd -literal -offset indent
108 pass out on $ext_if from any to any
136 .Ar round-robin
143 .Bl -tag -width "manually"
159 statement, and are especially useful to define non-persistent tables.
160 The contents of a pre-existing table defined without a list of addresses
170 .Bl -tag -width persist
191 flag enables per-address packet and byte counters which can be displayed with
197 .Bd -literal -offset indent
211 .Bd -literal -offset indent
212 # pfctl -t badhosts -Tadd 204.92.77.111
217 .Bd -literal -offset indent
243 .Bl -tag -width xxxx
246 .Bl -tag -width "src.track" -compact
264 .Bl -tag -width xxxx -compact
276 Some hosts (notably web servers on Solaris) send TCP packets even after closing
289 .Bl -tag -width xxxx -compact
305 .Bl -tag -width xxxx -compact
321 .Bl -tag -width xxxx -compact
330 .Bl -tag -width xxxx -compact
335 (adaptive.end - number of states) / (adaptive.end - adaptive.start).
349 When used on a per-rule basis, the values relate to the number of
354 .Bd -literal -offset indent
367 .Bd -literal -offset indent
368 # pfctl -s info
374 .Bd -literal -offset indent
379 .Bd -literal -offset indent
389 .Bd -literal -offset indent
400 .Bd -literal -offset indent
411 .Bd -literal -offset indent
412 set limit src-nodes 2000
417 .Ar sticky-address
422 .Bd -literal -offset indent
423 set limit table-entries 100000
430 .Bd -literal -offset indent
431 set limit { states 20000, frags 20000, src-nodes 2000 }
433 .It Ar set ruleset-optimization
434 .Bl -tag -width xxxxxxxx -compact
443 .Bl -enum -compact
451 re-order the rules to improve evaluation performance
461 A side effect of the ruleset modification is that per-rule accounting
463 If per-rule accounting is important for billing purposes or whatnot,
467 Optimization can also be set as a command-line argument to
474 .Bl -tag -width xxxx -compact
478 .It Ar high-latency
479 A high-latency environment (such as a satellite connection).
482 .Ar high-latency .
495 .Bd -literal -offset indent
498 .It Ar set reassemble yes | no Op Cm no-df
507 .Cm no-df
509 .Dq dont-fragment
513 .Dq dont-fragment
518 This option is ignored if there are pre-FreeBSD 14
521 .It Ar set block-policy
523 .Ar block-policy
528 .Bl -tag -width xxxxxxxx -compact
539 .Bd -literal -offset indent
540 set block-policy return
542 .It Ar set fail-policy
544 .Ar fail-policy
547 This might happen when a nat or route-to rule uses an empty table as list
553 .Bl -tag -width xxxxxxxx -compact
564 .Bd -literal -offset indent
565 set fail-policy return
567 .It Ar set state-policy
569 .Ar state-policy
572 .Bl -tag -width group-bound -compact
573 .It Ar if-bound
580 .Bd -literal -offset indent
581 set state-policy if-bound
597 .Bl -tag -width adaptive -compact
599 pf will never send syncookie SYNACKs (the default).
601 pf will always send syncookie SYNACKs.
604 is used up by half-open TCP connections, as in, those that saw the initial
607 .Bd -literal -offset indent
611 .It Ar set state-defaults
613 .Ar state-defaults
618 .Bd -literal -offset indent
619 set state-defaults no-sync
622 The 32-bit
628 By default the hostid is set to a pseudo-random value, however it may be
631 .Bd -literal -offset indent
636 .It Ar set require-order
648 There may be non-trivial and non-obvious implications to an out of
668 Packets passing in or out on such interfaces are passed as if pf was
680 .Bl -tag -width xxxxxxxxxxxx -compact
713 .Bl -tag -width xxxx
723 A packet always comes in on, or goes out through, one interface.
730 .Bl -tag -width xxxx
731 .It Ar in No or Ar out
736 .Ar out
745 This rule applies only to packets coming in on, or going out through, this
752 .It Ar bridge-to Aq interface
753 Packets matching this rule will be sent out of the specified interface without
809 .Bl -tag -width xxxx
810 .It Ar no-df
812 .Ar dont-fragment
815 .Ar dont-fragment
820 .Ar dont-fragment
822 .Ar no-df
826 .Ar dont-fragment
829 .Ar dont-fragment
833 .Ar random-id
835 .Ar no-df
837 .It Ar min-ttl Aq Ar number
839 .It Ar max-mss Aq Ar number
841 .It Xo Ar set-tos Aq Ar string
862 .It Ar random-id
872 .Bl -tag -width timeout -compact
875 An attacker may send a packet such that it reaches the firewall, affects
881 Modern TCP stacks will send a timestamp on every TCP packet and echo
899 delayed for longer than it takes the connection to wrap its 32-bit sequence
903 The solution to this is called PAWS: Protection Against Wrapped Sequence
912 artificially extends the security of TCP sequence numbers by 10 to 18
919 .Bd -literal -offset indent
920 match in all scrub (no-df random-id max-mss 1440)
922 .Ss Scrub ruleset (pre-FreeBSD 14)
938 .Bl -tag -width xxxx
954 .Bd -literal -offset indent
973 rules must not have the direction (in/out) specified.
1000 sent out immediately.
1004 .Bl -tag -width xxxx
1018 mainly controls the time packets take to get sent out, while
1063 mainly controls the time packets take to get sent out, while
1067 supports both link-sharing and guaranteed real-time services.
1082 .Bl -tag -width xxxx
1128 should queue up to 5Mbps in four second-level queues using
1131 .Bd -literal -offset indent
1137 directive, a sequence of
1151 .Bl -tag -width xxxx
1193 .Bl -tag -width Fl
1203 RIO is RED with IN/OUT, thus running
1215 .Bl -tag -width Fl
1224 .Bl -tag -width Fl
1285 .Bd -literal
1296 block return out on dc0 inet all queue std
1297 pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e
1299 pass out on dc0 inet proto tcp from $employeehosts to any port 80 \e
1301 pass out on dc0 inet proto tcp from any to any port 22 \e
1303 pass out on dc0 inet proto tcp from any to any port 25 \e
1364 .Bl -tag -width xxxx
1365 .It Ar af-to
1368 .Ar af-to
1372 .Ar af-to
1384 part is 32-bit long.
1393 .Bd -literal -offset indent
1394 pass in inet af-to inet6 from 2001:db8::1 to 2001:db8::/96
1395 pass in inet af-to inet6 from 2001:db8::1
1404 .Bd -literal -offset indent
1405 pass in inet6 af-to inet from 198.51.100.1 to 0.0.0.0/0
1406 pass in inet6 af-to inet from 198.51.100.1
1431 .Bd -literal
1432 10.0.0.0 - 10.255.255.255 (all of net 10, i.e., 10/8)
1433 172.16.0.0 - 172.31.255.255 (i.e., 172.16/12)
1434 192.168.0.0 - 192.168.255.255 (i.e., 192.168/16)
1441 rdr ... port 2000:2999 -\*(Gt ... port 4000
1443 rdr ... port 2000:2999 -\*(Gt ... port 4000:*
1461 A random source port in the range 50001-65535 is chosen in this case; to
1505 .Bd -literal -offset indent
1506 rdr on ne3 inet proto tcp to port smtp -\*(Gt 127.0.0.1 port spamd
1512 Unless this effect is desired, any of the local non-loopback addresses
1557 .Bl -tag -width xxxx
1567 .Ar block-policy
1568 option, or on a per-rule basis with one of the following options:
1570 .Bl -tag -width xxxx -compact
1573 .It Ar return-rst
1578 .It Ar return-icmp
1579 .It Ar return-icmp6
1598 .Bd -literal -offset indent
1634 After the connection is closed or times out, the state entry is automatically
1639 its sequence numbers, as well as TCP timestamps if a
1645 a fake source address/port but does not know the connection's sequence
1651 .Bd -literal -offset indent
1652 pass out inet proto icmp all icmp-type echoreq
1697 A packet always comes in on, or goes out through, one interface.
1704 .Bl -tag -width xxxx
1705 .It Ar in No or Ar out
1710 .Ar out
1753 Send logs to the specified
1764 This rule applies only to packets coming in on, or going out through, this
1804 .Bl -tag -width xxxxxxxxxxxxxx -compact
1807 .It Ar no-route
1809 .It Ar urpf-failed
1820 .Sq -
1823 .Dq 10.1.1.10 - 10.1.1.12
1831 .Bl -tag -width xxxxxxxxxxxx -compact
1837 Translates to the point-to-point interface's peer address(es).
1845 v4 and non-link-local v6 address found.
1848 ruleset load-time.
1869 .Bd -literal -offset indent
1887 .Bl -tag -width Fl
1899 hence ports 1-1999 and 2005-65535.
1911 .Bd -literal -offset indent
1973 .Bd -literal -offset indent
1974 block out proto { tcp, udp } all
1975 pass out proto { tcp, udp } all user { \*(Lt 1000, dhartmei }
1984 set out of set
1994 .Bl -tag -width Fl
2016 .Pq non-SYN
2026 .Ar af-to,
2035 Such connections will stall and time out.
2036 .It Xo Ar icmp-type Aq Ar type
2039 .It Xo Ar icmp6-type Aq Ar type
2052 .Ar icmp-type
2054 .Ar icmp6-type
2080 .Bd -literal -offset indent
2085 .It Ar allow-opts
2089 .Ar allow-opts
2103 pfctl -s labels
2104 shows per-rule statistics for rules that have labels.
2108 .Bl -tag -width $srcaddr -compact -offset indent
2126 .Bd -literal -offset indent
2133 .Bd -literal -offset indent
2161 .Bd -literal -offset indent
2177 .Bd -literal -offset indent
2181 .It Ar received-on Aq Ar interface
2221 .It Xo Ar divert-to Aq Ar host
2235 If a packet is re-injected and does not change direction then it will not be
2236 re-diverted.
2237 .It Ar divert-reply
2246 .Bd -literal -offset indent
2257 .Bl -tag -width xxxx
2258 .It Ar route-to
2260 .Ar route-to
2264 .Ar route-to
2269 .It Ar reply-to
2271 .Ar reply-to
2273 .Ar route-to ,
2277 .Ar reply-to
2282 .It Ar dup-to
2284 .Ar dup-to
2286 .Ar route-to .
2295 .Ar route-to ,
2296 .Ar reply-to
2298 .Ar dup-to
2303 .Bl -tag -width xxxx
2316 .It Ar source-hash
2318 .Ar source-hash
2324 randomly generates a key for source-hash every time the
2326 .It Ar round-robin
2328 .Ar round-robin
2332 .Ar round-robin
2334 .It Ar static-port
2338 .Ar static-port
2342 .It Xo Ar map-e-portset Aq Ar psid-offset
2343 .No / Aq Ar psid-len
2349 .Ar map-e-portset
2350 option enables the source port translation of MAP-E (RFC 7597) Customer Edge.
2351 In order to make the host act as a MAP-E Customer Edge, setting up a tunneling
2353 to the map-e-portset nat rule.
2356 .Bd -literal -offset indent
2358 -> $ipv4_mape_src map-e-portset 6/8/0x34
2362 .It Ar endpoint-independent
2366 .Ar endpoint-independent
2371 This feature implements "full-cone" NAT behavior.
2375 .Ar sticky-address
2381 .Ar round-robin
2392 initial sequence numbers (ISNs) are chosen.
2400 will create a high quality random sequence number for each connection
2409 .Bd -literal -offset indent
2411 pass out proto tcp from any to any modulate state
2421 respective endpoints time out the connection.
2452 completed the handshake, hence so-called SYN floods with spoofed source
2459 chooses random initial sequence numbers for both handshakes.
2460 Once the handshakes are completed, the sequence number modulators
2475 .Bd -literal -offset indent
2480 per-rule basis.
2489 .Bl -tag -width xxxx -compact
2493 state are dropped until existing states time out.
2494 .It Ar no-sync
2506 Uses a sloppy TCP connection tracker that does not check sequence
2519 .Bd -literal -offset indent
2522 (max 100, source-track rule, max-src-nodes 75, \e
2523 max-src-states 3, tcp.established 60, tcp.closing 5)
2527 .Ar source-track
2530 .Bl -tag -width xxxx -compact
2531 .It Ar source-track rule
2533 .Ar max-src-nodes
2535 .Ar max-src-states
2539 .It Ar source-track global
2542 .Ar max-src-nodes
2544 .Ar max-src-states
2551 .Bl -tag -width xxxx -compact
2552 .It Ar max-src-nodes Aq Ar number
2555 .It Ar max-src-states Aq Ar number
2561 which have completed the TCP 3-way handshake) can also be enforced
2564 .Bl -tag -width xxxx -compact
2565 .It Ar max-src-conn Aq Ar number
2567 completed the 3-way handshake that a single host can make.
2568 .It Xo Ar max-src-conn-rate Aq Ar number
2576 state are dropped until existing states time out.
2578 Because the 3-way handshake ensures that the source address is not being
2589 .Ar flush
2594 modifier to the flush command kills all states originating from the
2605 .Bd -literal -offset indent
2608 (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global)
2639 .Ar no-df
2642 .Dl \&"OpenBSD 3.3 no-df\&"
2651 .Dl # pfctl -so
2664 .Bd -literal -offset indent
2665 pass out proto tcp from any os OpenBSD
2666 block out proto tcp from any os Doors
2667 block out proto tcp from any os "Doors PT"
2668 block out proto tcp from any os "Doors PT SP3"
2669 block out from any os "unknown"
2694 .Bd -literal -offset indent
2699 .Bd -literal -offset indent
2704 For non-loopback interfaces, there are additional rules to block incoming
2709 .Bd -literal -offset indent
2714 .Bd -literal -offset indent
2727 In cases when it is necessary or more efficient to send such large packets,
2765 .Bd -literal -offset indent
2794 are dropped until other entries time out.
2819 characters, similar to how file system hierarchies are laid out.
2828 .Bl -tag -width xxxx
2829 .It Ar nat-anchor Aq Ar name
2834 .It Ar rdr-anchor Aq Ar name
2839 .It Ar binat-anchor Aq Ar name
2892 .Bd -literal -offset indent
2896 pass out on $ext_if all
2906 .Bd -literal -offset indent
2908 pfctl -a spam -f -
2920 .Bd -literal -offset indent
2922 load anchor spam from "/etc/pf-spam.conf"
2930 .Pa /etc/pf-spam.conf
2941 .Bd -literal -offset indent
2944 pass out on $ext_if all
2954 .Bd -literal -offset indent
2956 pfctl -a spam -f -
2966 .Bd -literal -offset indent
2980 Similar to file system path name resolution, if the sequence
2986 .Bd -literal -offset indent
2987 # echo ' anchor "spam/allowed" ' | pfctl -f -
2988 # echo -e ' anchor "../banned" \en pass' | \e
2989 pfctl -a spam/allowed -f -
3004 Brace delimited blocks may contain rules or other brace-delimited blocks.
3006 .Bd -literal -offset indent
3009 anchor out {
3034 .Bd -literal
3039 rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080
3046 .Bd -literal
3047 rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e
3053 when they are going out any interface except vlan12.
3059 .Bd -literal
3060 nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111
3068 .Bd -literal
3071 nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100
3076 .Bd -literal
3080 rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e
3087 .Xr ftp-proxy 8 ,
3090 .Xr ftp-proxy 8
3092 .Xr ftp-proxy 8
3094 .Bd -literal
3098 nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if)
3104 nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e
3111 binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if
3115 binat on $peer_if from 172.21.16.0/20 to any -> 172.22.16.0/20
3121 -\*(Gt 10.1.2.151 port 22
3123 -\*(Gt 10.1.2.151 port 53
3126 # Translate outgoing ftp control connections to send them to localhost
3127 # for proxying with ftp-proxy(8) running on port 8021.
3128 rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021
3135 .Bd -literal
3139 # using the source-hash keyword.
3140 nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash
3146 -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
3149 .Bd -literal
3164 block in from no-route to any
3168 block in from urpf-failed to any
3172 # for instance), we want to be nice and do not send out garbage.
3173 block out log quick on $ext_if from ! 157.161.48.183 to any
3180 # them anyway (hence, no return-rst).
3186 # pass out/in certain ICMP queries and keep state (ping)
3191 pass on $ext_if inet proto icmp all icmp-type 8 code 0
3195 # pass out all UDP connections and keep state
3196 pass out on $ext_if proto udp all
3203 # pass out all TCP connections and modulate state
3204 pass out on $ext_if proto tcp all modulate state
3216 # pass in/out all IPv6 traffic: note that we have to enable this in two
3225 # $int_if and pass those tagged packets out on $ext_if. all other
3232 block out on $ext_if from any to any
3233 pass out quick on $ext_if tagged INTNET
3234 pass out on $ext_if proto tcp from any to any port 80
3240 tag SPAMD -\*(Gt 127.0.0.1 port spamd
3247 translates an internal IPv4 subnet to IPv6 using the well-known
3249 .Bd -literal -offset 4n
3250 pass in on $v4_if inet af-to inet6 from ($v6_if) to 64:ff9b::/96
3256 .Bd -literal -offset 4n
3257 pass in on $v6_if inet6 to 64:ff9b::/96 af-to inet from ($v4_if)
3263 .Bd -literal
3264 line = ( option | ether-rule | pf-rule | nat-rule | binat-rule |
3265 rdr-rule | antispoof-rule | altq-rule | queue-rule |
3266 trans-anchors | anchor-rule | anchor-close | load-anchor |
3267 table-rule | include )
3269 option = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
3270 [ "ruleset-optimization" [ "none" | "basic" | "profile" ]] |
3272 "high-latency" | "satellite" |
3274 [ "limit" ( limit-item | "{" limit-list "}" ) ] |
3275 [ "loginterface" ( interface-name | "none" ) ] |
3276 [ "block-policy" ( "drop" | "return" ) ] |
3277 [ "state-policy" ( "if-bound" | "floating" ) ]
3278 [ "state-defaults" state-opts ]
3279 [ "require-order" ( "yes" | "no" ) ]
3285 ether-rule = "ether" etheraction [ ( "in" | "out" ) ]
3286 [ "quick" ] [ "on" ifspec ] [ "bridge-to" interface-name ]
3288 [ etherfilteropt-list ]
3290 pf-rule = action [ ( "in" | "out" ) ]
3293 hosts [ filteropt-list ]
3296 logopt = "all" | "matches" | "user" | "to" interface-name
3298 etherfilteropt-list = etherfilteropt-list etherfilteropt | etherfilteropt
3302 filteropt-list = filteropt-list filteropt | filteropt
3303 filteropt = user | group | flags | icmp-type | icmp6-type | "tos" tos |
3304 "af-to" af "from" ( redirhost | "{" redirhost-list "}" )
3305 [ "to" ( redirhost | "{" redirhost-list "}" ) ] |
3307 [ "(" state-opts ")" ] |
3308 "fragment" | "no-df" | "min-ttl" number | "set-tos" tos |
3309 "max-mss" number | "random-id" | "reassemble tcp" |
3310 fragmentation | "allow-opts" |
3318 "received-on" ( interface-name | interface-group )
3320 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3323 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
3324 [ portspec ] [ pooltype ] [ "static-port" ]
3325 [ "map-e-portset" number "/" number "/" number ] ]
3327 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3328 [ "on" interface-name ] [ af ]
3329 [ "proto" ( proto-name | proto-number ) ]
3330 "from" address [ "/" mask-bits ] "to" ipspec
3332 [ "-\*(Gt" address [ "/" mask-bits ] ]
3334 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
3337 [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
3340 antispoof-rule = "antispoof" [ "log" ] [ "quick" ]
3344 table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
3345 tableopts-list = tableopts-list tableopts | tableopts
3347 "{" [ tableaddr-list ] "}"
3348 tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec
3349 tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ]
3351 ipv4-dotted-quad | ipv6-coloned-hex
3353 altq-rule = "altq on" interface-name queueopts-list
3355 queue-rule = "queue" string [ "on" interface-name ] queueopts-list
3358 anchor-rule = "anchor" [ string ] [ ( "in" | "out" ) ] [ "on" ifspec ]
3359 [ af ] [ protospec ] [ hosts ] [ filteropt-list ] [ "{" ]
3361 anchor-close = "}"
3363 trans-anchors = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
3366 load-anchor = "load anchor" string "from" filename
3368 queueopts-list = queueopts-list queueopts | queueopts
3369 queueopts = [ "bandwidth" bandwidth-spec ] |
3372 schedulers = ( cbq-def | priq-def | hfsc-def )
3373 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
3377 return = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
3378 "return-icmp" [ "(" icmpcode [ [ "," ] icmp6code ] ")" ] |
3379 "return-icmp6" [ "(" icmp6code ")" ]
3380 icmpcode = ( icmp-code-name | icmp-code-number )
3381 icmp6code = ( icmp6-code-name | icmp6-code-number )
3383 ifspec = ( [ "!" ] ( interface-name | interface-group ) ) |
3384 "{" interface-list "}"
3385 interface-list = [ "!" ] ( interface-name | interface-group )
3386 [ [ "," ] interface-list ]
3387 route = ( "route-to" | "reply-to" | "dup-to" )
3388 ( routehost | "{" routehost-list "}" )
3392 etherprotospec = "proto" ( proto-number | "{" etherproto-list "}" )
3393 etherproto-list = proto-number [ [ "," ] etherproto-list ]
3394 protospec = "proto" ( proto-name | proto-number |
3395 "{" proto-list "}" )
3396 proto-list = ( proto-name | proto-number ) [ [ "," ] proto-list ]
3402 "from" ( "any" | "no-route" | "urpf-failed" | "self" | host |
3403 "{" host-list "}" ) [ port ] [ os ]
3404 "to" ( "any" | "no-route" | "self" | host |
3405 "{" host-list "}" ) [ port ]
3407 ipspec = "any" | host | "{" host-list "}"
3408 host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
3409 redirhost = address [ "/" mask-bits ]
3410 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
3411 address = ( interface-name | interface-group |
3412 "(" ( interface-name | interface-group ) ")" |
3413 hostname | ipv4-dotted-quad | ipv6-coloned-hex )
3414 host-list = host [ [ "," ] host-list ]
3415 redirhost-list = redirhost [ [ "," ] redirhost-list ]
3416 routehost-list = routehost [ [ "," ] routehost-list ]
3418 port = "port" ( unary-op | binary-op | "{" op-list "}" )
3420 os = "os" ( os-name | "{" os-list "}" )
3421 user = "user" ( unary-op | binary-op | "{" op-list "}" )
3422 group = "group" ( unary-op | binary-op | "{" op-list "}" )
3424 unary-op = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ]
3426 binary-op = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number
3427 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
3429 os-name = operating-system-name
3430 os-list = os-name [ [ "," ] os-list ]
3432 flags = "flags" ( [ flag-set ] "/" flag-set | "any" )
3433 flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] [ "E" ]
3436 icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" )
3437 icmp6-type = "icmp6-type" ( icmp-type-code | "{" icmp-list "}" )
3438 icmp-type-code = ( icmp-type-name | icmp-type-number )
3439 [ "code" ( icmp-code-name | icmp-code-number ) ]
3440 icmp-list = icmp-type-code [ [ "," ] icmp-list ]
3445 state-opts = state-opt [ [ "," ] state-opts ]
3446 state-opt = ( "max" number | "no-sync" | timeout | "sloppy" |
3447 "source-track" [ ( "rule" | "global" ) ] |
3448 "max-src-nodes" number | "max-src-states" number |
3449 "max-src-conn" number |
3450 "max-src-conn-rate" number "/" number |
3451 "overload" "\*(Lt" string "\*(Gt" [ "flush" ] |
3452 "if-bound" | "floating" | "pflow" )
3456 timeout-list = timeout [ [ "," ] timeout-list ]
3467 limit-list = limit-item [ [ "," ] limit-list ]
3468 limit-item = ( "states" | "frags" | "src-nodes" ) number
3471 "source-hash" [ ( hex-key | string-key ) ] |
3472 "round-robin" ) [ sticky-address ]
3474 subqueue = string | "{" queue-list "}"
3475 queue-list = string [ [ "," ] string ]
3476 cbq-def = "cbq" [ "(" cbq-opt [ [ "," ] cbq-opt ] ")" ]
3477 priq-def = "priq" [ "(" priq-opt [ [ "," ] priq-opt ] ")" ]
3478 hfsc-def = "hfsc" [ "(" hfsc-opt [ [ "," ] hfsc-opt ] ")" ]
3479 cbq-opt = ( "default" | "borrow" | "red" | "ecn" | "rio" )
3480 priq-opt = ( "default" | "red" | "ecn" | "rio" )
3481 hfsc-opt = ( "default" | "red" | "ecn" | "rio" |
3482 linkshare-sc | realtime-sc | upperlimit-sc )
3483 linkshare-sc = "linkshare" sc-spec
3484 realtime-sc = "realtime" sc-spec
3485 upperlimit-sc = "upperlimit" sc-spec
3486 sc-spec = ( bandwidth-spec |
3487 "(" bandwidth-spec number bandwidth-spec ")" )
3491 .Bl -tag -width "/etc/protocols" -compact
3522 .Xr ftp-proxy 8 ,