1.\" $OpenBSD: pf.4,v 1.62 2008/09/10 14:57:37 jmc Exp $ 2.\" 3.\" Copyright (C) 2001, Kjell Wooding. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. Neither the name of the project nor the names of its contributors 14.\" may be used to endorse or promote products derived from this software 15.\" without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" 29.Dd July 2, 2025 30.Dt PF 4 31.Os 32.Sh NAME 33.Nm pf 34.Nd packet filter 35.Sh SYNOPSIS 36.Cd "device pf" 37.Cd "options PF_DEFAULT_TO_DROP" 38.Pp 39In 40.Xr rc.conf 5 : 41.Cd pf_enable="YES" 42.Pp 43In 44.Xr loader.conf 5 : 45.Cd net.pf.states_hashsize 46.Cd net.pf.source_nodes_hashsize 47.Cd net.pf.rule_tag_hashsize 48.Cd net.pf.udpendpoint_hashsize 49.Cd net.pf.default_to_drop 50.Pp 51In 52.Xr sysctl.conf 5 : 53.Cd net.pf.request_maxcount 54.Cd net.pf.filter_local 55.Sh DESCRIPTION 56Packet filtering takes place in the kernel. 57A pseudo-device, 58.Pa /dev/pf , 59allows userland processes to control the 60behavior of the packet filter through an 61.Xr ioctl 2 62interface. 63There are commands to enable and disable the filter, load rulesets, 64add and remove individual rules or state table entries, 65and retrieve statistics. 66The most commonly used functions are covered by 67.Xr pfctl 8 . 68.Pp 69Manipulations like loading a ruleset that involve more than a single 70.Xr ioctl 2 71call require a so-called 72.Em ticket , 73which prevents the occurrence of 74multiple concurrent manipulations. 75.Pp 76Fields of 77.Xr ioctl 2 78parameter structures that refer to packet data (like 79addresses and ports) are generally expected in network byte-order. 80.Pp 81Rules and address tables are contained in so-called 82.Em anchors . 83When servicing an 84.Xr ioctl 2 85request, if the anchor field of the argument structure is empty, 86the kernel will use the default anchor (i.e., the main ruleset) 87in operations. 88Anchors are specified by name and may be nested, with components 89separated by 90.Sq / 91characters, similar to how file system hierarchies are laid out. 92The final component of the anchor path is the anchor under which 93operations will be performed. 94.Sh SYSCTL VARIABLES 95The following variables can be entered at the 96.Xr loader 8 97prompt, set in 98.Xr loader.conf 5 , 99.Xr sysctl.conf 5 , 100or changed at runtime with 101.Xr sysctl 8 : 102.Bl -tag -width indent 103.It Va net.pf.filter_local 104This tells 105.Nm 106to also filter on the loopback output hook. 107This is typically used to allow redirect rules to adjust the source address. 108.It Va net.pf.request_maxcount 109The maximum number of items in a single ioctl call. 110.El 111.Sh LOADER TUNABLES 112The following tunables can be entered at the 113.Xr loader 8 114prompt, or set in 115.Xr loader.conf 5 : 116.Bl -tag -width indent 117.It Va net.pf.states_hashsize 118Size of hash table that stores states. 119Should be power of 2. 120Default value is 131072. 121.It Va net.pf.source_nodes_hashsize 122Size of hash table that stores source nodes. 123Should be power of 2. 124Default value is 32768. 125.It Va net.pf.rule_tag_hashsize 126Size of the hash table that stores tags. 127.It Va net.pf.udpendpoint_hashsize 128Size of hash table that store UDP endpoint mappings. 129Should be power of 2. 130Default value is 32768. 131.It Va net.pf.default_to_drop 132This value overrides 133.Cd "options PF_DEFAULT_TO_DROP" 134from kernel configuration file. 135.It Va net.pf.filter_local 136This tells 137.Nm 138to also filter on the loopback output hook. 139This is typically used to allow redirect rules to adjust the source address. 140.It Va net.pf.request_maxcount 141The maximum number of items in a single ioctl call. 142.El 143.Pp 144Read only 145.Xr sysctl 8 146variables with matching names are provided to obtain current values 147at runtime. 148.Sh KERNEL OPTIONS 149The following options in the kernel configuration file are related to 150.Nm 151operation: 152.Pp 153.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact 154.It Dv PF_DEFAULT_TO_DROP 155Change default policy to drop by default 156.El 157.Sh IOCTL INTERFACE 158.Nm 159supports the following 160.Xr ioctl 2 161commands, available through 162.Aq Pa net/pfvar.h : 163.Bl -tag -width xxxxxx 164.It Dv DIOCSTART 165Start the packet filter. 166.It Dv DIOCSTOP 167Stop the packet filter. 168.It Dv DIOCSTARTALTQ 169Start the ALTQ bandwidth control system (see 170.Xr altq 9 ) . 171.It Dv DIOCSTOPALTQ 172Stop the ALTQ bandwidth control system. 173.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp" 174.Bd -literal 175struct pfioc_pooladdr { 176 u_int32_t action; 177 u_int32_t ticket; 178 u_int32_t nr; 179 u_int32_t r_num; 180 u_int8_t r_action; 181 u_int8_t r_last; 182 u_int8_t af; 183 char anchor[MAXPATHLEN]; 184 struct pf_pooladdr addr; 185}; 186.Ed 187.Pp 188Clear the buffer address pool and get a 189.Va ticket 190for subsequent 191.Dv DIOCADDADDR , 192.Dv DIOCADDRULE , 193and 194.Dv DIOCCHANGERULE 195calls. 196.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp" 197.Pp 198Add the pool address 199.Va addr 200to the buffer address pool to be used in the following 201.Dv DIOCADDRULE 202or 203.Dv DIOCCHANGERULE 204call. 205All other members of the structure are ignored. 206.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr" 207.Bd -literal 208struct pfioc_rule { 209 u_int32_t action; 210 u_int32_t ticket; 211 u_int32_t pool_ticket; 212 u_int32_t nr; 213 char anchor[MAXPATHLEN]; 214 char anchor_call[MAXPATHLEN]; 215 struct pf_rule rule; 216}; 217.Ed 218.Pp 219Add 220.Va rule 221at the end of the inactive ruleset. 222This call requires a 223.Va ticket 224obtained through a preceding 225.Dv DIOCXBEGIN 226call and a 227.Va pool_ticket 228obtained through a 229.Dv DIOCBEGINADDRS 230call. 231.Dv DIOCADDADDR 232must also be called if any pool addresses are required. 233The optional 234.Va anchor 235name indicates the anchor in which to append the rule. 236.Va nr 237and 238.Va action 239are ignored. 240.It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa" 241Add an ALTQ discipline or queue. 242.Bd -literal 243struct pfioc_altq { 244 u_int32_t action; 245 u_int32_t ticket; 246 u_int32_t nr; 247 struct pf_altq altq; 248}; 249.Ed 250.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr" 251Get a 252.Va ticket 253for subsequent 254.Dv DIOCGETRULE 255calls and the number 256.Va nr 257of rules in the active ruleset. 258.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr" 259Get a 260.Va rule 261by its number 262.Va nr 263using the 264.Va ticket 265obtained through a preceding 266.Dv DIOCGETRULES 267call. 268If 269.Va action 270is set to 271.Dv PF_GET_CLR_CNTR , 272the per-rule statistics on the requested rule are cleared. 273.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp" 274Get a 275.Va ticket 276for subsequent 277.Dv DIOCGETADDR 278calls and the number 279.Va nr 280of pool addresses in the rule specified with 281.Va r_action , 282.Va r_num , 283and 284.Va anchor . 285.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp" 286Get the pool address 287.Va addr 288by its number 289.Va nr 290from the rule specified with 291.Va r_action , 292.Va r_num , 293and 294.Va anchor 295using the 296.Va ticket 297obtained through a preceding 298.Dv DIOCGETADDRS 299call. 300.It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa" 301Get a 302.Va ticket 303for subsequent 304.Dv DIOCGETALTQ 305calls and the number 306.Va nr 307of queues in the active list. 308.It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa" 309Get the queueing discipline 310.Va altq 311by its number 312.Va nr 313using the 314.Va ticket 315obtained through a preceding 316.Dv DIOCGETALTQS 317call. 318.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq" 319Get the statistics on a queue. 320.Bd -literal 321struct pfioc_qstats { 322 u_int32_t ticket; 323 u_int32_t nr; 324 void *buf; 325 int nbytes; 326 u_int8_t scheduler; 327}; 328.Ed 329.Pp 330This call fills in a pointer to the buffer of statistics 331.Va buf , 332of length 333.Va nbytes , 334for the queue specified by 335.Va nr . 336.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr" 337.Bd -literal 338struct pfioc_ruleset { 339 u_int32_t nr; 340 char path[MAXPATHLEN]; 341 char name[PF_ANCHOR_NAME_SIZE]; 342}; 343.Ed 344.Pp 345Get the number 346.Va nr 347of rulesets (i.e., anchors) directly attached to the anchor named by 348.Va path 349for use in subsequent 350.Dv DIOCGETRULESET 351calls. 352Nested anchors, since they are not directly attached to the given 353anchor, will not be included. 354This ioctl returns 355.Er ENOENT 356if the parent anchor given at 357.Va path 358does not exist. 359.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr" 360Get a ruleset (i.e., an anchor) 361.Va name 362by its number 363.Va nr 364from the given anchor 365.Va path , 366the maximum number of which can be obtained from a preceding 367.Dv DIOCGETRULESETS 368call. 369This ioctl returns 370.Er ENOENT 371if the parent anchor given by 372.Va path 373does not exist or 374.Er EBUSY 375if the index passed in by 376.Va nr 377is greater than the number of anchors. 378.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps" 379Add a state entry. 380.Bd -literal 381struct pfioc_state { 382 struct pfsync_state state; 383}; 384.Ed 385.It Dv DIOCGETSTATENV Fa "struct pfioc_nv *nv" 386Extract the entry identified by the 387.Va id 388and 389.Va creatorid 390fields of the 391.Va state 392nvlist from the state table. 393.It Dv DIOCKILLSTATESNV Fa "struct pfioc_nv nv" 394Remove matching entries from the state table. 395This ioctl returns the number of killed states in 396.Va "killed" . 397.Bd -literal 398nvlist pf_state_cmp { 399 number id; 400 number creatorid; 401 number direction; 402}; 403 404nvlist pf_kill { 405 nvlist pf_state_cmp cmp; 406 number af; 407 number proto; 408 nvlist pf_rule_addr src; 409 nvlist pf_rule_addr dst; 410 string ifname[IFNAMSIZ]; 411 string label[PF_RULE_LABEL_SIZE]; 412}; 413.Ed 414.It Dv DIOCCLRSTATESNV Fa "struct pfioc_nv nv" 415Clear all states. 416It works like 417.Dv DIOCKILLSTATESNV , 418but ignores the 419.Va af , 420.Va proto , 421.Va src , 422and 423.Va dst 424fields of the 425.Vt pf_kill 426nvlist. 427.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi" 428Specify the interface for which statistics are accumulated. 429.Bd -literal 430struct pfioc_if { 431 char ifname[IFNAMSIZ]; 432}; 433.Ed 434.It Dv DIOCGETSTATUS Fa "struct pf_status *s" 435Get the internal packet filter statistics. 436.Bd -literal 437struct pf_status { 438 u_int64_t counters[PFRES_MAX]; 439 u_int64_t lcounters[LCNT_MAX]; 440 u_int64_t fcounters[FCNT_MAX]; 441 u_int64_t scounters[SCNT_MAX]; 442 u_int64_t pcounters[2][2][3]; 443 u_int64_t bcounters[2][2]; 444 u_int32_t running; 445 u_int32_t states; 446 u_int32_t src_nodes; 447 u_int32_t since; 448 u_int32_t debug; 449 u_int32_t hostid; 450 char ifname[IFNAMSIZ]; 451 u_int8_t pf_chksum[MD5_DIGEST_LENGTH]; 452}; 453.Ed 454.It Dv DIOCCLRSTATUS 455Clear the internal packet filter statistics. 456.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl" 457Look up a state table entry by source and destination addresses and ports. 458.Bd -literal 459struct pfioc_natlook { 460 struct pf_addr saddr; 461 struct pf_addr daddr; 462 struct pf_addr rsaddr; 463 struct pf_addr rdaddr; 464 u_int16_t sport; 465 u_int16_t dport; 466 u_int16_t rsport; 467 u_int16_t rdport; 468 sa_family_t af; 469 u_int8_t proto; 470 u_int8_t direction; 471}; 472.Ed 473.It Dv DIOCSETDEBUG Fa "u_int32_t *level" 474Set the debug level. 475.Bd -literal 476enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, 477 PF_DEBUG_NOISY }; 478.Ed 479.It Dv DIOCGETSTATESV2 Fa "struct pfioc_states_v2 *ps" 480Get state table entries. 481.Bd -literal 482struct pfioc_states_v2 { 483 int ps_len; 484 uint64_t ps_req_version; 485 union { 486 void *ps_buf; 487 struct pf_state_export *ps_states; 488 }; 489}; 490 491struct pf_state_export { 492 uint64_t version; 493 uint64_t id; 494 char ifname[IFNAMSIZ]; 495 char orig_ifname[IFNAMSIZ]; 496 struct pf_state_key_export key[2]; 497 struct pf_state_peer_export src; 498 struct pf_state_peer_export dst; 499 struct pf_addr rt_addr; 500 uint32_t rule; 501 uint32_t anchor; 502 uint32_t nat_rule; 503 uint32_t creation; 504 uint32_t expire; 505 uint32_t spare0; 506 uint64_t packets[2]; 507 uint64_t bytes[2]; 508 uint32_t creatorid; 509 uint32_t spare1; 510 sa_family_t af; 511 uint8_t proto; 512 uint8_t direction; 513 uint8_t log; 514 uint8_t state_flags_compat; 515 uint8_t timeout; 516 uint8_t sync_flags; 517 uint8_t updates; 518 uint16_t state_flags; 519 uint16_t qid; 520 uint16_t pqid; 521 uint16_t dnpipe; 522 uint16_t dnrpipe; 523 int32_t rtableid; 524 uint8_t min_ttl; 525 uint8_t set_tos; 526 uint16_t max_mss; 527 uint8_t set_prio[2]; 528 uint8_t rt; 529 char rt_ifname[IFNAMSIZ]; 530 uint8_t spare[72]; 531}; 532.Ed 533.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr" 534Add or remove the 535.Va rule 536in the ruleset specified by 537.Va rule.action . 538.Pp 539The type of operation to be performed is indicated by 540.Va action , 541which can be any of the following: 542.Bd -literal 543enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 544 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 545 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; 546.Ed 547.Pp 548.Va ticket 549must be set to the value obtained with 550.Dv PF_CHANGE_GET_TICKET 551for all actions except 552.Dv PF_CHANGE_GET_TICKET . 553.Va pool_ticket 554must be set to the value obtained with the 555.Dv DIOCBEGINADDRS 556call for all actions except 557.Dv PF_CHANGE_REMOVE 558and 559.Dv PF_CHANGE_GET_TICKET . 560.Va anchor 561indicates to which anchor the operation applies. 562.Va nr 563indicates the rule number against which 564.Dv PF_CHANGE_ADD_BEFORE , 565.Dv PF_CHANGE_ADD_AFTER , 566or 567.Dv PF_CHANGE_REMOVE 568actions are applied. 569.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr" 570.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca" 571Add or remove the pool address 572.Va addr 573from the rule specified by 574.Va r_action , 575.Va r_num , 576and 577.Va anchor . 578.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt" 579.Bd -literal 580struct pfioc_tm { 581 int timeout; 582 int seconds; 583}; 584.Ed 585.Pp 586Set the state timeout of 587.Va timeout 588to 589.Va seconds . 590The old value will be placed into 591.Va seconds . 592For possible values of 593.Va timeout , 594consult the 595.Dv PFTM_* 596values in 597.Aq Pa net/pfvar.h . 598.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt" 599Get the state timeout of 600.Va timeout . 601The value will be placed into the 602.Va seconds 603field. 604.It Dv DIOCCLRRULECTRS 605Clear per-rule statistics. 606.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl" 607Set the hard limits on the memory pools used by the packet filter. 608.Bd -literal 609struct pfioc_limit { 610 int index; 611 unsigned limit; 612}; 613 614enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, 615 PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; 616.Ed 617.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl" 618Get the hard 619.Va limit 620for the memory pool indicated by 621.Va index . 622.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io" 623Clear all tables. 624All the ioctls that manipulate radix tables 625use the same structure described below. 626For 627.Dv DIOCRCLRTABLES , 628.Va pfrio_ndel 629contains on exit the number of tables deleted. 630.Bd -literal 631struct pfioc_table { 632 struct pfr_table pfrio_table; 633 void *pfrio_buffer; 634 int pfrio_esize; 635 int pfrio_size; 636 int pfrio_size2; 637 int pfrio_nadd; 638 int pfrio_ndel; 639 int pfrio_nchange; 640 int pfrio_flags; 641 u_int32_t pfrio_ticket; 642}; 643#define pfrio_exists pfrio_nadd 644#define pfrio_nzero pfrio_nadd 645#define pfrio_nmatch pfrio_nadd 646#define pfrio_naddr pfrio_size2 647#define pfrio_setflag pfrio_size2 648#define pfrio_clrflag pfrio_nadd 649.Ed 650.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io" 651Create one or more tables. 652On entry, 653.Va pfrio_buffer 654must point to an array of 655.Vt struct pfr_table 656containing at least 657.Vt pfrio_size 658elements. 659.Vt pfrio_esize 660must be the size of 661.Vt struct pfr_table . 662On exit, 663.Va pfrio_nadd 664contains the number of tables effectively created. 665.Bd -literal 666struct pfr_table { 667 char pfrt_anchor[MAXPATHLEN]; 668 char pfrt_name[PF_TABLE_NAME_SIZE]; 669 u_int32_t pfrt_flags; 670 u_int8_t pfrt_fback; 671}; 672.Ed 673.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io" 674Delete one or more tables. 675On entry, 676.Va pfrio_buffer 677must point to an array of 678.Vt struct pfr_table 679containing at least 680.Vt pfrio_size 681elements. 682.Vt pfrio_esize 683must be the size of 684.Vt struct pfr_table . 685On exit, 686.Va pfrio_ndel 687contains the number of tables effectively deleted. 688.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io" 689Get the list of all tables. 690On entry, 691.Va pfrio_buffer[pfrio_size] 692contains a valid writeable buffer for 693.Vt pfr_table 694structures. 695On exit, 696.Va pfrio_size 697contains the number of tables written into the buffer. 698If the buffer is too small, the kernel does not store anything but just 699returns the required buffer size, without error. 700.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io" 701This call is like 702.Dv DIOCRGETTABLES 703but is used to get an array of 704.Vt pfr_tstats 705structures. 706.Bd -literal 707struct pfr_tstats { 708 struct pfr_table pfrts_t; 709 u_int64_t pfrts_packets 710 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 711 u_int64_t pfrts_bytes 712 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 713 u_int64_t pfrts_match; 714 u_int64_t pfrts_nomatch; 715 time_t pfrts_tzero; 716 int pfrts_cnt; 717 int pfrts_refcnt[PFR_REFCNT_MAX]; 718}; 719#define pfrts_name pfrts_t.pfrt_name 720#define pfrts_flags pfrts_t.pfrt_flags 721.Ed 722.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io" 723Clear the statistics of one or more tables. 724On entry, 725.Va pfrio_buffer 726must point to an array of 727.Vt struct pfr_table 728containing at least 729.Vt pfrio_size 730elements. 731.Vt pfrio_esize 732must be the size of 733.Vt struct pfr_table . 734On exit, 735.Va pfrio_nzero 736contains the number of tables effectively cleared. 737.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io" 738Clear all addresses in a table. 739On entry, 740.Va pfrio_table 741contains the table to clear. 742On exit, 743.Va pfrio_ndel 744contains the number of addresses removed. 745.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io" 746Add one or more addresses to a table. 747On entry, 748.Va pfrio_table 749contains the table ID and 750.Va pfrio_buffer 751must point to an array of 752.Vt struct pfr_addr 753containing at least 754.Vt pfrio_size 755elements to add to the table. 756.Vt pfrio_esize 757must be the size of 758.Vt struct pfr_addr . 759On exit, 760.Va pfrio_nadd 761contains the number of addresses effectively added. 762.Bd -literal 763struct pfr_addr { 764 union { 765 struct in_addr _pfra_ip4addr; 766 struct in6_addr _pfra_ip6addr; 767 } pfra_u; 768 u_int8_t pfra_af; 769 u_int8_t pfra_net; 770 u_int8_t pfra_not; 771 u_int8_t pfra_fback; 772}; 773#define pfra_ip4addr pfra_u._pfra_ip4addr 774#define pfra_ip6addr pfra_u._pfra_ip6addr 775.Ed 776.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io" 777Delete one or more addresses from a table. 778On entry, 779.Va pfrio_table 780contains the table ID and 781.Va pfrio_buffer 782must point to an array of 783.Vt struct pfr_addr 784containing at least 785.Vt pfrio_size 786elements to delete from the table. 787.Vt pfrio_esize 788must be the size of 789.Vt struct pfr_addr . 790On exit, 791.Va pfrio_ndel 792contains the number of addresses effectively deleted. 793.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io" 794Replace the content of a table by a new address list. 795This is the most complicated command, which uses all the structure members. 796.Pp 797On entry, 798.Va pfrio_table 799contains the table ID and 800.Va pfrio_buffer 801must point to an array of 802.Vt struct pfr_addr 803containing at least 804.Vt pfrio_size 805elements which become the new contents of the table. 806.Vt pfrio_esize 807must be the size of 808.Vt struct pfr_addr . 809Additionally, if 810.Va pfrio_size2 811is non-zero, 812.Va pfrio_buffer[pfrio_size..pfrio_size2] 813must be a writeable buffer, into which the kernel can copy the 814addresses that have been deleted during the replace operation. 815On exit, 816.Va pfrio_ndel , 817.Va pfrio_nadd , 818and 819.Va pfrio_nchange 820contain the number of addresses deleted, added, and changed by the 821kernel. 822If 823.Va pfrio_size2 824was set on entry, 825.Va pfrio_size2 826will point to the size of the buffer used, exactly like 827.Dv DIOCRGETADDRS . 828.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io" 829Get all the addresses of a table. 830On entry, 831.Va pfrio_table 832contains the table ID and 833.Va pfrio_buffer[pfrio_size] 834contains a valid writeable buffer for 835.Vt pfr_addr 836structures. 837On exit, 838.Va pfrio_size 839contains the number of addresses written into the buffer. 840If the buffer was too small, the kernel does not store anything but just 841returns the required buffer size, without returning an error. 842.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io" 843This call is like 844.Dv DIOCRGETADDRS 845but is used to get an array of 846.Vt pfr_astats 847structures. 848.Bd -literal 849struct pfr_astats { 850 struct pfr_addr pfras_a; 851 u_int64_t pfras_packets 852 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 853 u_int64_t pfras_bytes 854 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 855 time_t pfras_tzero; 856}; 857.Ed 858.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io" 859Clear the statistics of one or more addresses. 860On entry, 861.Va pfrio_table 862contains the table ID and 863.Va pfrio_buffer 864must point to an array of 865.Vt struct pfr_addr 866containing at least 867.Vt pfrio_size 868elements to be cleared from the table. 869.Vt pfrio_esize 870must be the size of 871.Vt struct pfr_addr . 872On exit, 873.Va pfrio_nzero 874contains the number of addresses effectively cleared. 875.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io" 876Test if the given addresses match a table. 877On entry, 878.Va pfrio_table 879contains the table ID and 880.Va pfrio_buffer 881must point to an array of 882.Vt struct pfr_addr 883containing at least 884.Vt pfrio_size 885elements, each of which will be tested for a match in the table. 886.Vt pfrio_esize 887must be the size of 888.Vt struct pfr_addr . 889On exit, the kernel updates the 890.Vt pfr_addr 891array by setting the 892.Va pfra_fback 893member appropriately. 894.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io" 895Change the 896.Dv PFR_TFLAG_CONST 897or 898.Dv PFR_TFLAG_PERSIST 899flags of a table. 900On entry, 901.Va pfrio_buffer 902must point to an array of 903.Vt struct pfr_table 904containing at least 905.Vt pfrio_size 906elements. 907.Va pfrio_esize 908must be the size of 909.Vt struct pfr_table . 910.Va pfrio_setflag 911must contain the flags to add, while 912.Va pfrio_clrflag 913must contain the flags to remove. 914On exit, 915.Va pfrio_nchange 916and 917.Va pfrio_ndel 918contain the number of tables altered or deleted by the kernel. 919Yes, tables can be deleted if one removes the 920.Dv PFR_TFLAG_PERSIST 921flag of an unreferenced table. 922.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io" 923Defines a table in the inactive set. 924On entry, 925.Va pfrio_table 926contains the table ID and 927.Va pfrio_buffer[pfrio_size] 928contains an array of 929.Vt pfr_addr 930structures to put in the table. 931A valid ticket must also be supplied to 932.Va pfrio_ticket . 933On exit, 934.Va pfrio_nadd 935contains 0 if the table was already defined in the inactive list 936or 1 if a new table has been created. 937.Va pfrio_naddr 938contains the number of addresses effectively put in the table. 939.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io" 940.Bd -literal 941struct pfioc_trans { 942 int size; /* number of elements */ 943 int esize; /* size of each element in bytes */ 944 struct pfioc_trans_e { 945 int rs_num; 946 char anchor[MAXPATHLEN]; 947 u_int32_t ticket; 948 } *array; 949}; 950.Ed 951.Pp 952Clear all the inactive rulesets specified in the 953.Vt pfioc_trans_e 954array. 955For each ruleset, a ticket is returned for subsequent "add rule" ioctls, 956as well as for the 957.Dv DIOCXCOMMIT 958and 959.Dv DIOCXROLLBACK 960calls. 961.Pp 962Ruleset types, identified by 963.Va rs_num , 964include the following: 965.Pp 966.Bl -tag -width PF_RULESET_FILTER -offset ind -compact 967.It Dv PF_RULESET_SCRUB 968Scrub (packet normalization) rules. 969.It Dv PF_RULESET_FILTER 970Filter rules. 971.It Dv PF_RULESET_NAT 972NAT (Network Address Translation) rules. 973.It Dv PF_RULESET_BINAT 974Bidirectional NAT rules. 975.It Dv PF_RULESET_RDR 976Redirect rules. 977.It Dv PF_RULESET_ALTQ 978ALTQ disciplines. 979.It Dv PF_RULESET_TABLE 980Address tables. 981.El 982.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io" 983Atomically switch a vector of inactive rulesets to the active rulesets. 984This call is implemented as a standard two-phase commit, which will either 985fail for all rulesets or completely succeed. 986All tickets need to be valid. 987This ioctl returns 988.Er EBUSY 989if another process is concurrently updating some of the same rulesets. 990.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io" 991Clean up the kernel by undoing all changes that have taken place on the 992inactive rulesets since the last 993.Dv DIOCXBEGIN . 994.Dv DIOCXROLLBACK 995will silently ignore rulesets for which the ticket is invalid. 996.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid" 997Set the host ID, which is used by 998.Xr pfsync 4 999to identify which host created state table entries. 1000.It Dv DIOCOSFPFLUSH 1001Flush the passive OS fingerprint table. 1002.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io" 1003.Bd -literal 1004struct pf_osfp_ioctl { 1005 struct pf_osfp_entry { 1006 SLIST_ENTRY(pf_osfp_entry) fp_entry; 1007 pf_osfp_t fp_os; 1008 char fp_class_nm[PF_OSFP_LEN]; 1009 char fp_version_nm[PF_OSFP_LEN]; 1010 char fp_subtype_nm[PF_OSFP_LEN]; 1011 } fp_os; 1012 pf_tcpopts_t fp_tcpopts; 1013 u_int16_t fp_wsize; 1014 u_int16_t fp_psize; 1015 u_int16_t fp_mss; 1016 u_int16_t fp_flags; 1017 u_int8_t fp_optcnt; 1018 u_int8_t fp_wscale; 1019 u_int8_t fp_ttl; 1020 int fp_getnum; 1021}; 1022.Ed 1023.Pp 1024Add a passive OS fingerprint to the table. 1025Set 1026.Va fp_os.fp_os 1027to the packed fingerprint, 1028.Va fp_os.fp_class_nm 1029to the name of the class (Linux, Windows, etc), 1030.Va fp_os.fp_version_nm 1031to the name of the version (NT, 95, 98), and 1032.Va fp_os.fp_subtype_nm 1033to the name of the subtype or patchlevel. 1034The members 1035.Va fp_mss , 1036.Va fp_wsize , 1037.Va fp_psize , 1038.Va fp_ttl , 1039.Va fp_optcnt , 1040and 1041.Va fp_wscale 1042are set to the TCP MSS, the TCP window size, the IP length, the IP TTL, 1043the number of TCP options, and the TCP window scaling constant of the 1044TCP SYN packet, respectively. 1045.Pp 1046The 1047.Va fp_flags 1048member is filled according to the 1049.Aq Pa net/pfvar.h 1050include file 1051.Dv PF_OSFP_* 1052defines. 1053The 1054.Va fp_tcpopts 1055member contains packed TCP options. 1056Each option uses 1057.Dv PF_OSFP_TCPOPT_BITS 1058bits in the packed value. 1059Options include any of 1060.Dv PF_OSFP_TCPOPT_NOP , 1061.Dv PF_OSFP_TCPOPT_SACK , 1062.Dv PF_OSFP_TCPOPT_WSCALE , 1063.Dv PF_OSFP_TCPOPT_MSS , 1064or 1065.Dv PF_OSFP_TCPOPT_TS . 1066.Pp 1067The 1068.Va fp_getnum 1069member is not used with this ioctl. 1070.Pp 1071The structure's slack space must be zeroed for correct operation; 1072.Xr memset 3 1073the whole structure to zero before filling and sending to the kernel. 1074.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io" 1075Get the passive OS fingerprint number 1076.Va fp_getnum 1077from the kernel's fingerprint list. 1078The rest of the structure members will come back filled. 1079Get the whole list by repeatedly incrementing the 1080.Va fp_getnum 1081number until the ioctl returns 1082.Er EBUSY . 1083.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn" 1084.Bd -literal 1085struct pfioc_src_nodes { 1086 int psn_len; 1087 union { 1088 caddr_t psu_buf; 1089 struct pf_src_node *psu_src_nodes; 1090 } psn_u; 1091#define psn_buf psn_u.psu_buf 1092#define psn_src_nodes psn_u.psu_src_nodes 1093}; 1094.Ed 1095.Pp 1096Get the list of source nodes kept by sticky addresses and source 1097tracking. 1098The ioctl must be called once with 1099.Va psn_len 1100set to 0. 1101If the ioctl returns without error, 1102.Va psn_len 1103will be set to the size of the buffer required to hold all the 1104.Va pf_src_node 1105structures held in the table. 1106A buffer of this size should then be allocated, and a pointer to this buffer 1107placed in 1108.Va psn_buf . 1109The ioctl must then be called again to fill this buffer with the actual 1110source node data. 1111After that call, 1112.Va psn_len 1113will be set to the length of the buffer actually used. 1114.It Dv DIOCCLRSRCNODES 1115Clear the tree of source tracking nodes. 1116.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io" 1117Get the list of interfaces and interface groups known to 1118.Nm . 1119All the ioctls that manipulate interfaces 1120use the same structure described below: 1121.Bd -literal 1122struct pfioc_iface { 1123 char pfiio_name[IFNAMSIZ]; 1124 void *pfiio_buffer; 1125 int pfiio_esize; 1126 int pfiio_size; 1127 int pfiio_nzero; 1128 int pfiio_flags; 1129}; 1130.Ed 1131.Pp 1132If not empty, 1133.Va pfiio_name 1134can be used to restrict the search to a specific interface or group. 1135.Va pfiio_buffer[pfiio_size] 1136is the user-supplied buffer for returning the data. 1137On entry, 1138.Va pfiio_size 1139contains the number of 1140.Vt pfi_kif 1141entries that can fit into the buffer. 1142The kernel will replace this value by the real number of entries it wants 1143to return. 1144.Va pfiio_esize 1145should be set to 1146.Li sizeof(struct pfi_kif) . 1147.Pp 1148The data is returned in the 1149.Vt pfi_kif 1150structure described below: 1151.Bd -literal 1152struct pfi_kif { 1153 char pfik_name[IFNAMSIZ]; 1154 union { 1155 RB_ENTRY(pfi_kif) pfik_tree; 1156 LIST_ENTRY(pfi_kif) pfik_list; 1157 }; 1158 u_int64_t pfik_packets[2][2][2]; 1159 u_int64_t pfik_bytes[2][2][2]; 1160 u_int32_t pfik_tzero; 1161 u_int pfik_flags; 1162 struct ifnet *pfik_ifp; 1163 struct ifg_group *pfik_group; 1164 u_int pfik_rulerefs; 1165 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; 1166}; 1167.Ed 1168.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io" 1169Set the user settable flags (described above) of the 1170.Nm 1171internal interface description. 1172The filtering process is the same as for 1173.Dv DIOCIGETIFACES . 1174.Bd -literal 1175#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ 1176.Ed 1177.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io" 1178Works as 1179.Dv DIOCSETIFFLAG 1180above but clears the flags. 1181.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io" 1182Explicitly remove source tracking nodes. 1183.El 1184.Sh FILES 1185.Bl -tag -width /dev/pf -compact 1186.It Pa /dev/pf 1187packet filtering device. 1188.El 1189.Sh EXAMPLES 1190The following example demonstrates how to use the 1191.Dv DIOCNATLOOK 1192command to find the internal host/port of a NATed connection: 1193.Bd -literal 1194#include <sys/types.h> 1195#include <sys/socket.h> 1196#include <sys/ioctl.h> 1197#include <sys/fcntl.h> 1198#include <net/if.h> 1199#include <netinet/in.h> 1200#include <net/pfvar.h> 1201#include <err.h> 1202#include <stdio.h> 1203#include <stdlib.h> 1204 1205u_int32_t 1206read_address(const char *s) 1207{ 1208 int a, b, c, d; 1209 1210 sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d); 1211 return htonl(a << 24 | b << 16 | c << 8 | d); 1212} 1213 1214void 1215print_address(u_int32_t a) 1216{ 1217 a = ntohl(a); 1218 printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255, 1219 a >> 8 & 255, a & 255); 1220} 1221 1222int 1223main(int argc, char *argv[]) 1224{ 1225 struct pfioc_natlook nl; 1226 int dev; 1227 1228 if (argc != 5) { 1229 printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n", 1230 argv[0]); 1231 return 1; 1232 } 1233 1234 dev = open("/dev/pf", O_RDWR); 1235 if (dev == -1) 1236 err(1, "open(\\"/dev/pf\\") failed"); 1237 1238 memset(&nl, 0, sizeof(struct pfioc_natlook)); 1239 nl.saddr.v4.s_addr = read_address(argv[1]); 1240 nl.sport = htons(atoi(argv[2])); 1241 nl.daddr.v4.s_addr = read_address(argv[3]); 1242 nl.dport = htons(atoi(argv[4])); 1243 nl.af = AF_INET; 1244 nl.proto = IPPROTO_TCP; 1245 nl.direction = PF_IN; 1246 1247 if (ioctl(dev, DIOCNATLOOK, &nl)) 1248 err(1, "DIOCNATLOOK"); 1249 1250 printf("internal host "); 1251 print_address(nl.rsaddr.v4.s_addr); 1252 printf(":%u\\n", ntohs(nl.rsport)); 1253 return 0; 1254} 1255.Ed 1256.Sh SEE ALSO 1257.Xr ioctl 2 , 1258.Xr altq 4 , 1259.Xr if_bridge 4 , 1260.Xr pflog 4 , 1261.Xr pfsync 4 , 1262.Xr pfctl 8 , 1263.Xr altq 9 1264.Sh HISTORY 1265The 1266.Nm 1267packet filtering mechanism first appeared in 1268.Ox 3.0 1269and then 1270.Fx 5.2 . 1271.Pp 1272This implementation is derived from 1273.Ox 4.5 . 1274A number of individual features, improvements, bug fixes and security fixes 1275have been ported from later versions of 1276.Ox . 1277It has been heavily modified to be capable of running in multithreaded 1278.Fx 1279kernel and scale its performance on multiple CPUs. 1280