1.\" $OpenBSD: pf.4,v 1.62 2008/09/10 14:57:37 jmc Exp $ 2.\" 3.\" Copyright (C) 2001, Kjell Wooding. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. Neither the name of the project nor the names of its contributors 14.\" may be used to endorse or promote products derived from this software 15.\" without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" 29.Dd September 22, 2023 30.Dt PF 4 31.Os 32.Sh NAME 33.Nm pf 34.Nd packet filter 35.Sh SYNOPSIS 36.Cd "device pf" 37.Cd "options PF_DEFAULT_TO_DROP" 38.Sh DESCRIPTION 39Packet filtering takes place in the kernel. 40A pseudo-device, 41.Pa /dev/pf , 42allows userland processes to control the 43behavior of the packet filter through an 44.Xr ioctl 2 45interface. 46There are commands to enable and disable the filter, load rulesets, 47add and remove individual rules or state table entries, 48and retrieve statistics. 49The most commonly used functions are covered by 50.Xr pfctl 8 . 51.Pp 52Manipulations like loading a ruleset that involve more than a single 53.Xr ioctl 2 54call require a so-called 55.Em ticket , 56which prevents the occurrence of 57multiple concurrent manipulations. 58.Pp 59Fields of 60.Xr ioctl 2 61parameter structures that refer to packet data (like 62addresses and ports) are generally expected in network byte-order. 63.Pp 64Rules and address tables are contained in so-called 65.Em anchors . 66When servicing an 67.Xr ioctl 2 68request, if the anchor field of the argument structure is empty, 69the kernel will use the default anchor (i.e., the main ruleset) 70in operations. 71Anchors are specified by name and may be nested, with components 72separated by 73.Sq / 74characters, similar to how file system hierarchies are laid out. 75The final component of the anchor path is the anchor under which 76operations will be performed. 77.Sh SYSCTL VARIABLES AND LOADER TUNABLES 78The following 79.Xr loader 8 80tunables are available. 81.Bl -tag -width indent 82.It Va net.pf.states_hashsize 83Size of hash tables that store states. 84Should be power of 2. 85Default value is 131072. 86.It Va net.pf.source_nodes_hashsize 87Size of hash table that store source nodes. 88Should be power of 2. 89Default value is 32768. 90.It Va net.pf.default_to_drop 91This value overrides 92.Cd "options PF_DEFAULT_TO_DROP" 93from kernel configuration file. 94.El 95.Pp 96Read only 97.Xr sysctl 8 98variables with matching names are provided to obtain current values 99at runtime. 100.Sh KERNEL OPTIONS 101The following options in the kernel configuration file are related to 102.Nm 103operation: 104.Pp 105.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact 106.It Dv PF_DEFAULT_TO_DROP 107Change default policy to drop by default 108.El 109.Sh IOCTL INTERFACE 110.Nm 111supports the following 112.Xr ioctl 2 113commands, available through 114.Aq Pa net/pfvar.h : 115.Bl -tag -width xxxxxx 116.It Dv DIOCSTART 117Start the packet filter. 118.It Dv DIOCSTOP 119Stop the packet filter. 120.It Dv DIOCSTARTALTQ 121Start the ALTQ bandwidth control system (see 122.Xr altq 9 ) . 123.It Dv DIOCSTOPALTQ 124Stop the ALTQ bandwidth control system. 125.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp" 126.Bd -literal 127struct pfioc_pooladdr { 128 u_int32_t action; 129 u_int32_t ticket; 130 u_int32_t nr; 131 u_int32_t r_num; 132 u_int8_t r_action; 133 u_int8_t r_last; 134 u_int8_t af; 135 char anchor[MAXPATHLEN]; 136 struct pf_pooladdr addr; 137}; 138.Ed 139.Pp 140Clear the buffer address pool and get a 141.Va ticket 142for subsequent 143.Dv DIOCADDADDR , 144.Dv DIOCADDRULE , 145and 146.Dv DIOCCHANGERULE 147calls. 148.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp" 149.Pp 150Add the pool address 151.Va addr 152to the buffer address pool to be used in the following 153.Dv DIOCADDRULE 154or 155.Dv DIOCCHANGERULE 156call. 157All other members of the structure are ignored. 158.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr" 159.Bd -literal 160struct pfioc_rule { 161 u_int32_t action; 162 u_int32_t ticket; 163 u_int32_t pool_ticket; 164 u_int32_t nr; 165 char anchor[MAXPATHLEN]; 166 char anchor_call[MAXPATHLEN]; 167 struct pf_rule rule; 168}; 169.Ed 170.Pp 171Add 172.Va rule 173at the end of the inactive ruleset. 174This call requires a 175.Va ticket 176obtained through a preceding 177.Dv DIOCXBEGIN 178call and a 179.Va pool_ticket 180obtained through a 181.Dv DIOCBEGINADDRS 182call. 183.Dv DIOCADDADDR 184must also be called if any pool addresses are required. 185The optional 186.Va anchor 187name indicates the anchor in which to append the rule. 188.Va nr 189and 190.Va action 191are ignored. 192.It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa" 193Add an ALTQ discipline or queue. 194.Bd -literal 195struct pfioc_altq { 196 u_int32_t action; 197 u_int32_t ticket; 198 u_int32_t nr; 199 struct pf_altq altq; 200}; 201.Ed 202.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr" 203Get a 204.Va ticket 205for subsequent 206.Dv DIOCGETRULE 207calls and the number 208.Va nr 209of rules in the active ruleset. 210.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr" 211Get a 212.Va rule 213by its number 214.Va nr 215using the 216.Va ticket 217obtained through a preceding 218.Dv DIOCGETRULES 219call. 220If 221.Va action 222is set to 223.Dv PF_GET_CLR_CNTR , 224the per-rule statistics on the requested rule are cleared. 225.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp" 226Get a 227.Va ticket 228for subsequent 229.Dv DIOCGETADDR 230calls and the number 231.Va nr 232of pool addresses in the rule specified with 233.Va r_action , 234.Va r_num , 235and 236.Va anchor . 237.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp" 238Get the pool address 239.Va addr 240by its number 241.Va nr 242from the rule specified with 243.Va r_action , 244.Va r_num , 245and 246.Va anchor 247using the 248.Va ticket 249obtained through a preceding 250.Dv DIOCGETADDRS 251call. 252.It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa" 253Get a 254.Va ticket 255for subsequent 256.Dv DIOCGETALTQ 257calls and the number 258.Va nr 259of queues in the active list. 260.It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa" 261Get the queueing discipline 262.Va altq 263by its number 264.Va nr 265using the 266.Va ticket 267obtained through a preceding 268.Dv DIOCGETALTQS 269call. 270.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq" 271Get the statistics on a queue. 272.Bd -literal 273struct pfioc_qstats { 274 u_int32_t ticket; 275 u_int32_t nr; 276 void *buf; 277 int nbytes; 278 u_int8_t scheduler; 279}; 280.Ed 281.Pp 282This call fills in a pointer to the buffer of statistics 283.Va buf , 284of length 285.Va nbytes , 286for the queue specified by 287.Va nr . 288.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr" 289.Bd -literal 290struct pfioc_ruleset { 291 u_int32_t nr; 292 char path[MAXPATHLEN]; 293 char name[PF_ANCHOR_NAME_SIZE]; 294}; 295.Ed 296.Pp 297Get the number 298.Va nr 299of rulesets (i.e., anchors) directly attached to the anchor named by 300.Va path 301for use in subsequent 302.Dv DIOCGETRULESET 303calls. 304Nested anchors, since they are not directly attached to the given 305anchor, will not be included. 306This ioctl returns 307.Er ENOENT 308if the parent anchor given at 309.Va path 310does not exist. 311.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr" 312Get a ruleset (i.e., an anchor) 313.Va name 314by its number 315.Va nr 316from the given anchor 317.Va path , 318the maximum number of which can be obtained from a preceding 319.Dv DIOCGETRULESETS 320call. 321This ioctl returns 322.Er ENOENT 323if the parent anchor given by 324.Va path 325does not exist or 326.Er EBUSY 327if the index passed in by 328.Va nr 329is greater than the number of anchors. 330.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps" 331Add a state entry. 332.Bd -literal 333struct pfioc_state { 334 struct pfsync_state state; 335}; 336.Ed 337.It Dv DIOCGETSTATENV Fa "struct pfioc_nv *nv" 338Extract the entry identified by the 339.Va id 340and 341.Va creatorid 342fields of the 343.Va state 344nvlist from the state table. 345.It Dv DIOCKILLSTATESNV Fa "struct pfioc_nv nv" 346Remove matching entries from the state table. 347This ioctl returns the number of killed states in 348.Va "killed" . 349.Bd -literal 350nvlist pf_state_cmp { 351 number id; 352 number creatorid; 353 number direction; 354}; 355 356nvlist pf_kill { 357 nvlist pf_state_cmp cmp; 358 number af; 359 number proto; 360 nvlist pf_rule_addr src; 361 nvlist pf_rule_addr dst; 362 string ifname[IFNAMSIZ]; 363 string label[PF_RULE_LABEL_SIZE]; 364}; 365.Ed 366.It Dv DIOCCLRSTATESNV Fa "struct pfioc_nv nv" 367Clear all states. 368It works like 369.Dv DIOCKILLSTATESNV , 370but ignores the 371.Va af , 372.Va proto , 373.Va src , 374and 375.Va dst 376fields of the 377.Vt pf_kill 378nvlist. 379.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi" 380Specify the interface for which statistics are accumulated. 381.Bd -literal 382struct pfioc_if { 383 char ifname[IFNAMSIZ]; 384}; 385.Ed 386.It Dv DIOCGETSTATUS Fa "struct pf_status *s" 387Get the internal packet filter statistics. 388.Bd -literal 389struct pf_status { 390 u_int64_t counters[PFRES_MAX]; 391 u_int64_t lcounters[LCNT_MAX]; 392 u_int64_t fcounters[FCNT_MAX]; 393 u_int64_t scounters[SCNT_MAX]; 394 u_int64_t pcounters[2][2][3]; 395 u_int64_t bcounters[2][2]; 396 u_int32_t running; 397 u_int32_t states; 398 u_int32_t src_nodes; 399 u_int32_t since; 400 u_int32_t debug; 401 u_int32_t hostid; 402 char ifname[IFNAMSIZ]; 403 u_int8_t pf_chksum[MD5_DIGEST_LENGTH]; 404}; 405.Ed 406.It Dv DIOCCLRSTATUS 407Clear the internal packet filter statistics. 408.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl" 409Look up a state table entry by source and destination addresses and ports. 410.Bd -literal 411struct pfioc_natlook { 412 struct pf_addr saddr; 413 struct pf_addr daddr; 414 struct pf_addr rsaddr; 415 struct pf_addr rdaddr; 416 u_int16_t sport; 417 u_int16_t dport; 418 u_int16_t rsport; 419 u_int16_t rdport; 420 sa_family_t af; 421 u_int8_t proto; 422 u_int8_t direction; 423}; 424.Ed 425.It Dv DIOCSETDEBUG Fa "u_int32_t *level" 426Set the debug level. 427.Bd -literal 428enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, 429 PF_DEBUG_NOISY }; 430.Ed 431.It Dv DIOCGETSTATESNV Fa "struct pfioc_nv *nv" 432Get state table entries. 433.Bd -literal 434nvlist pf_state_key { 435 nvlist pf_addr addr[2]; 436 number port[2]; 437 number af; 438 number proto; 439}; 440 441nvlist pf_state_scrub { 442 bool timestamp; 443 number ttl; 444 number ts_mod; 445}; 446 447nvlist pf_state_peer { 448 nvlist pf_state_scrub scrub; 449 number seqlo; 450 number seqhi; 451 number seqdiff; 452 number max_win; 453 number mss; 454 number state; 455 number wscale; 456}; 457 458nvlist pf_state { 459 number id; 460 string ifname; 461 nvlist pf_state_key stack_key; 462 nvlist pf_state_key wire_key; 463 nvlist pf_state_peer src; 464 nvlist pf_state_peer dst; 465 nvlist pf_addr rt_addr; 466 number rule; 467 number anchor; 468 number nat_rule; 469 number expire; 470 number packets[2]; 471 number bytes[2]; 472 number creatorid; 473 number direction; 474 number log; 475 number state_flags; 476 number timeout; 477 number sync_flags; 478}; 479 480nvlist pf_states { 481 number count; 482 nvlist pf_state states[]; 483}; 484.Ed 485.Pp 486If 487.Va pfioc_nv.size 488is insufficiently large, as many states as possible that can fit into this 489size will be copied into the supplied buffer. 490.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr" 491Add or remove the 492.Va rule 493in the ruleset specified by 494.Va rule.action . 495.Pp 496The type of operation to be performed is indicated by 497.Va action , 498which can be any of the following: 499.Bd -literal 500enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 501 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 502 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; 503.Ed 504.Pp 505.Va ticket 506must be set to the value obtained with 507.Dv PF_CHANGE_GET_TICKET 508for all actions except 509.Dv PF_CHANGE_GET_TICKET . 510.Va pool_ticket 511must be set to the value obtained with the 512.Dv DIOCBEGINADDRS 513call for all actions except 514.Dv PF_CHANGE_REMOVE 515and 516.Dv PF_CHANGE_GET_TICKET . 517.Va anchor 518indicates to which anchor the operation applies. 519.Va nr 520indicates the rule number against which 521.Dv PF_CHANGE_ADD_BEFORE , 522.Dv PF_CHANGE_ADD_AFTER , 523or 524.Dv PF_CHANGE_REMOVE 525actions are applied. 526.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr" 527.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca" 528Add or remove the pool address 529.Va addr 530from the rule specified by 531.Va r_action , 532.Va r_num , 533and 534.Va anchor . 535.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt" 536.Bd -literal 537struct pfioc_tm { 538 int timeout; 539 int seconds; 540}; 541.Ed 542.Pp 543Set the state timeout of 544.Va timeout 545to 546.Va seconds . 547The old value will be placed into 548.Va seconds . 549For possible values of 550.Va timeout , 551consult the 552.Dv PFTM_* 553values in 554.Aq Pa net/pfvar.h . 555.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt" 556Get the state timeout of 557.Va timeout . 558The value will be placed into the 559.Va seconds 560field. 561.It Dv DIOCCLRRULECTRS 562Clear per-rule statistics. 563.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl" 564Set the hard limits on the memory pools used by the packet filter. 565.Bd -literal 566struct pfioc_limit { 567 int index; 568 unsigned limit; 569}; 570 571enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, 572 PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; 573.Ed 574.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl" 575Get the hard 576.Va limit 577for the memory pool indicated by 578.Va index . 579.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io" 580Clear all tables. 581All the ioctls that manipulate radix tables 582use the same structure described below. 583For 584.Dv DIOCRCLRTABLES , 585.Va pfrio_ndel 586contains on exit the number of tables deleted. 587.Bd -literal 588struct pfioc_table { 589 struct pfr_table pfrio_table; 590 void *pfrio_buffer; 591 int pfrio_esize; 592 int pfrio_size; 593 int pfrio_size2; 594 int pfrio_nadd; 595 int pfrio_ndel; 596 int pfrio_nchange; 597 int pfrio_flags; 598 u_int32_t pfrio_ticket; 599}; 600#define pfrio_exists pfrio_nadd 601#define pfrio_nzero pfrio_nadd 602#define pfrio_nmatch pfrio_nadd 603#define pfrio_naddr pfrio_size2 604#define pfrio_setflag pfrio_size2 605#define pfrio_clrflag pfrio_nadd 606.Ed 607.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io" 608Create one or more tables. 609On entry, 610.Va pfrio_buffer 611must point to an array of 612.Vt struct pfr_table 613containing at least 614.Vt pfrio_size 615elements. 616.Vt pfrio_esize 617must be the size of 618.Vt struct pfr_table . 619On exit, 620.Va pfrio_nadd 621contains the number of tables effectively created. 622.Bd -literal 623struct pfr_table { 624 char pfrt_anchor[MAXPATHLEN]; 625 char pfrt_name[PF_TABLE_NAME_SIZE]; 626 u_int32_t pfrt_flags; 627 u_int8_t pfrt_fback; 628}; 629.Ed 630.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io" 631Delete one or more tables. 632On entry, 633.Va pfrio_buffer 634must point to an array of 635.Vt struct pfr_table 636containing at least 637.Vt pfrio_size 638elements. 639.Vt pfrio_esize 640must be the size of 641.Vt struct pfr_table . 642On exit, 643.Va pfrio_ndel 644contains the number of tables effectively deleted. 645.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io" 646Get the list of all tables. 647On entry, 648.Va pfrio_buffer[pfrio_size] 649contains a valid writeable buffer for 650.Vt pfr_table 651structures. 652On exit, 653.Va pfrio_size 654contains the number of tables written into the buffer. 655If the buffer is too small, the kernel does not store anything but just 656returns the required buffer size, without error. 657.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io" 658This call is like 659.Dv DIOCRGETTABLES 660but is used to get an array of 661.Vt pfr_tstats 662structures. 663.Bd -literal 664struct pfr_tstats { 665 struct pfr_table pfrts_t; 666 u_int64_t pfrts_packets 667 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 668 u_int64_t pfrts_bytes 669 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 670 u_int64_t pfrts_match; 671 u_int64_t pfrts_nomatch; 672 long pfrts_tzero; 673 int pfrts_cnt; 674 int pfrts_refcnt[PFR_REFCNT_MAX]; 675}; 676#define pfrts_name pfrts_t.pfrt_name 677#define pfrts_flags pfrts_t.pfrt_flags 678.Ed 679.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io" 680Clear the statistics of one or more tables. 681On entry, 682.Va pfrio_buffer 683must point to an array of 684.Vt struct pfr_table 685containing at least 686.Vt pfrio_size 687elements. 688.Vt pfrio_esize 689must be the size of 690.Vt struct pfr_table . 691On exit, 692.Va pfrio_nzero 693contains the number of tables effectively cleared. 694.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io" 695Clear all addresses in a table. 696On entry, 697.Va pfrio_table 698contains the table to clear. 699On exit, 700.Va pfrio_ndel 701contains the number of addresses removed. 702.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io" 703Add one or more addresses to a table. 704On entry, 705.Va pfrio_table 706contains the table ID and 707.Va pfrio_buffer 708must point to an array of 709.Vt struct pfr_addr 710containing at least 711.Vt pfrio_size 712elements to add to the table. 713.Vt pfrio_esize 714must be the size of 715.Vt struct pfr_addr . 716On exit, 717.Va pfrio_nadd 718contains the number of addresses effectively added. 719.Bd -literal 720struct pfr_addr { 721 union { 722 struct in_addr _pfra_ip4addr; 723 struct in6_addr _pfra_ip6addr; 724 } pfra_u; 725 u_int8_t pfra_af; 726 u_int8_t pfra_net; 727 u_int8_t pfra_not; 728 u_int8_t pfra_fback; 729}; 730#define pfra_ip4addr pfra_u._pfra_ip4addr 731#define pfra_ip6addr pfra_u._pfra_ip6addr 732.Ed 733.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io" 734Delete one or more addresses from a table. 735On entry, 736.Va pfrio_table 737contains the table ID and 738.Va pfrio_buffer 739must point to an array of 740.Vt struct pfr_addr 741containing at least 742.Vt pfrio_size 743elements to delete from the table. 744.Vt pfrio_esize 745must be the size of 746.Vt struct pfr_addr . 747On exit, 748.Va pfrio_ndel 749contains the number of addresses effectively deleted. 750.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io" 751Replace the content of a table by a new address list. 752This is the most complicated command, which uses all the structure members. 753.Pp 754On entry, 755.Va pfrio_table 756contains the table ID and 757.Va pfrio_buffer 758must point to an array of 759.Vt struct pfr_addr 760containing at least 761.Vt pfrio_size 762elements which become the new contents of the table. 763.Vt pfrio_esize 764must be the size of 765.Vt struct pfr_addr . 766Additionally, if 767.Va pfrio_size2 768is non-zero, 769.Va pfrio_buffer[pfrio_size..pfrio_size2] 770must be a writeable buffer, into which the kernel can copy the 771addresses that have been deleted during the replace operation. 772On exit, 773.Va pfrio_ndel , 774.Va pfrio_nadd , 775and 776.Va pfrio_nchange 777contain the number of addresses deleted, added, and changed by the 778kernel. 779If 780.Va pfrio_size2 781was set on entry, 782.Va pfrio_size2 783will point to the size of the buffer used, exactly like 784.Dv DIOCRGETADDRS . 785.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io" 786Get all the addresses of a table. 787On entry, 788.Va pfrio_table 789contains the table ID and 790.Va pfrio_buffer[pfrio_size] 791contains a valid writeable buffer for 792.Vt pfr_addr 793structures. 794On exit, 795.Va pfrio_size 796contains the number of addresses written into the buffer. 797If the buffer was too small, the kernel does not store anything but just 798returns the required buffer size, without returning an error. 799.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io" 800This call is like 801.Dv DIOCRGETADDRS 802but is used to get an array of 803.Vt pfr_astats 804structures. 805.Bd -literal 806struct pfr_astats { 807 struct pfr_addr pfras_a; 808 u_int64_t pfras_packets 809 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 810 u_int64_t pfras_bytes 811 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 812 long pfras_tzero; 813}; 814.Ed 815.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io" 816Clear the statistics of one or more addresses. 817On entry, 818.Va pfrio_table 819contains the table ID and 820.Va pfrio_buffer 821must point to an array of 822.Vt struct pfr_addr 823containing at least 824.Vt pfrio_size 825elements to be cleared from the table. 826.Vt pfrio_esize 827must be the size of 828.Vt struct pfr_addr . 829On exit, 830.Va pfrio_nzero 831contains the number of addresses effectively cleared. 832.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io" 833Test if the given addresses match a table. 834On entry, 835.Va pfrio_table 836contains the table ID and 837.Va pfrio_buffer 838must point to an array of 839.Vt struct pfr_addr 840containing at least 841.Vt pfrio_size 842elements, each of which will be tested for a match in the table. 843.Vt pfrio_esize 844must be the size of 845.Vt struct pfr_addr . 846On exit, the kernel updates the 847.Vt pfr_addr 848array by setting the 849.Va pfra_fback 850member appropriately. 851.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io" 852Change the 853.Dv PFR_TFLAG_CONST 854or 855.Dv PFR_TFLAG_PERSIST 856flags of a table. 857On entry, 858.Va pfrio_buffer 859must point to an array of 860.Vt struct pfr_table 861containing at least 862.Vt pfrio_size 863elements. 864.Va pfrio_esize 865must be the size of 866.Vt struct pfr_table . 867.Va pfrio_setflag 868must contain the flags to add, while 869.Va pfrio_clrflag 870must contain the flags to remove. 871On exit, 872.Va pfrio_nchange 873and 874.Va pfrio_ndel 875contain the number of tables altered or deleted by the kernel. 876Yes, tables can be deleted if one removes the 877.Dv PFR_TFLAG_PERSIST 878flag of an unreferenced table. 879.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io" 880Defines a table in the inactive set. 881On entry, 882.Va pfrio_table 883contains the table ID and 884.Va pfrio_buffer[pfrio_size] 885contains an array of 886.Vt pfr_addr 887structures to put in the table. 888A valid ticket must also be supplied to 889.Va pfrio_ticket . 890On exit, 891.Va pfrio_nadd 892contains 0 if the table was already defined in the inactive list 893or 1 if a new table has been created. 894.Va pfrio_naddr 895contains the number of addresses effectively put in the table. 896.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io" 897.Bd -literal 898struct pfioc_trans { 899 int size; /* number of elements */ 900 int esize; /* size of each element in bytes */ 901 struct pfioc_trans_e { 902 int rs_num; 903 char anchor[MAXPATHLEN]; 904 u_int32_t ticket; 905 } *array; 906}; 907.Ed 908.Pp 909Clear all the inactive rulesets specified in the 910.Vt pfioc_trans_e 911array. 912For each ruleset, a ticket is returned for subsequent "add rule" ioctls, 913as well as for the 914.Dv DIOCXCOMMIT 915and 916.Dv DIOCXROLLBACK 917calls. 918.Pp 919Ruleset types, identified by 920.Va rs_num , 921include the following: 922.Pp 923.Bl -tag -width PF_RULESET_FILTER -offset ind -compact 924.It Dv PF_RULESET_SCRUB 925Scrub (packet normalization) rules. 926.It Dv PF_RULESET_FILTER 927Filter rules. 928.It Dv PF_RULESET_NAT 929NAT (Network Address Translation) rules. 930.It Dv PF_RULESET_BINAT 931Bidirectional NAT rules. 932.It Dv PF_RULESET_RDR 933Redirect rules. 934.It Dv PF_RULESET_ALTQ 935ALTQ disciplines. 936.It Dv PF_RULESET_TABLE 937Address tables. 938.El 939.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io" 940Atomically switch a vector of inactive rulesets to the active rulesets. 941This call is implemented as a standard two-phase commit, which will either 942fail for all rulesets or completely succeed. 943All tickets need to be valid. 944This ioctl returns 945.Er EBUSY 946if another process is concurrently updating some of the same rulesets. 947.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io" 948Clean up the kernel by undoing all changes that have taken place on the 949inactive rulesets since the last 950.Dv DIOCXBEGIN . 951.Dv DIOCXROLLBACK 952will silently ignore rulesets for which the ticket is invalid. 953.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid" 954Set the host ID, which is used by 955.Xr pfsync 4 956to identify which host created state table entries. 957.It Dv DIOCOSFPFLUSH 958Flush the passive OS fingerprint table. 959.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io" 960.Bd -literal 961struct pf_osfp_ioctl { 962 struct pf_osfp_entry { 963 SLIST_ENTRY(pf_osfp_entry) fp_entry; 964 pf_osfp_t fp_os; 965 char fp_class_nm[PF_OSFP_LEN]; 966 char fp_version_nm[PF_OSFP_LEN]; 967 char fp_subtype_nm[PF_OSFP_LEN]; 968 } fp_os; 969 pf_tcpopts_t fp_tcpopts; 970 u_int16_t fp_wsize; 971 u_int16_t fp_psize; 972 u_int16_t fp_mss; 973 u_int16_t fp_flags; 974 u_int8_t fp_optcnt; 975 u_int8_t fp_wscale; 976 u_int8_t fp_ttl; 977 int fp_getnum; 978}; 979.Ed 980.Pp 981Add a passive OS fingerprint to the table. 982Set 983.Va fp_os.fp_os 984to the packed fingerprint, 985.Va fp_os.fp_class_nm 986to the name of the class (Linux, Windows, etc), 987.Va fp_os.fp_version_nm 988to the name of the version (NT, 95, 98), and 989.Va fp_os.fp_subtype_nm 990to the name of the subtype or patchlevel. 991The members 992.Va fp_mss , 993.Va fp_wsize , 994.Va fp_psize , 995.Va fp_ttl , 996.Va fp_optcnt , 997and 998.Va fp_wscale 999are set to the TCP MSS, the TCP window size, the IP length, the IP TTL, 1000the number of TCP options, and the TCP window scaling constant of the 1001TCP SYN packet, respectively. 1002.Pp 1003The 1004.Va fp_flags 1005member is filled according to the 1006.Aq Pa net/pfvar.h 1007include file 1008.Dv PF_OSFP_* 1009defines. 1010The 1011.Va fp_tcpopts 1012member contains packed TCP options. 1013Each option uses 1014.Dv PF_OSFP_TCPOPT_BITS 1015bits in the packed value. 1016Options include any of 1017.Dv PF_OSFP_TCPOPT_NOP , 1018.Dv PF_OSFP_TCPOPT_SACK , 1019.Dv PF_OSFP_TCPOPT_WSCALE , 1020.Dv PF_OSFP_TCPOPT_MSS , 1021or 1022.Dv PF_OSFP_TCPOPT_TS . 1023.Pp 1024The 1025.Va fp_getnum 1026member is not used with this ioctl. 1027.Pp 1028The structure's slack space must be zeroed for correct operation; 1029.Xr memset 3 1030the whole structure to zero before filling and sending to the kernel. 1031.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io" 1032Get the passive OS fingerprint number 1033.Va fp_getnum 1034from the kernel's fingerprint list. 1035The rest of the structure members will come back filled. 1036Get the whole list by repeatedly incrementing the 1037.Va fp_getnum 1038number until the ioctl returns 1039.Er EBUSY . 1040.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn" 1041.Bd -literal 1042struct pfioc_src_nodes { 1043 int psn_len; 1044 union { 1045 caddr_t psu_buf; 1046 struct pf_src_node *psu_src_nodes; 1047 } psn_u; 1048#define psn_buf psn_u.psu_buf 1049#define psn_src_nodes psn_u.psu_src_nodes 1050}; 1051.Ed 1052.Pp 1053Get the list of source nodes kept by sticky addresses and source 1054tracking. 1055The ioctl must be called once with 1056.Va psn_len 1057set to 0. 1058If the ioctl returns without error, 1059.Va psn_len 1060will be set to the size of the buffer required to hold all the 1061.Va pf_src_node 1062structures held in the table. 1063A buffer of this size should then be allocated, and a pointer to this buffer 1064placed in 1065.Va psn_buf . 1066The ioctl must then be called again to fill this buffer with the actual 1067source node data. 1068After that call, 1069.Va psn_len 1070will be set to the length of the buffer actually used. 1071.It Dv DIOCCLRSRCNODES 1072Clear the tree of source tracking nodes. 1073.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io" 1074Get the list of interfaces and interface drivers known to 1075.Nm . 1076All the ioctls that manipulate interfaces 1077use the same structure described below: 1078.Bd -literal 1079struct pfioc_iface { 1080 char pfiio_name[IFNAMSIZ]; 1081 void *pfiio_buffer; 1082 int pfiio_esize; 1083 int pfiio_size; 1084 int pfiio_nzero; 1085 int pfiio_flags; 1086}; 1087.Ed 1088.Pp 1089If not empty, 1090.Va pfiio_name 1091can be used to restrict the search to a specific interface or driver. 1092.Va pfiio_buffer[pfiio_size] 1093is the user-supplied buffer for returning the data. 1094On entry, 1095.Va pfiio_size 1096contains the number of 1097.Vt pfi_kif 1098entries that can fit into the buffer. 1099The kernel will replace this value by the real number of entries it wants 1100to return. 1101.Va pfiio_esize 1102should be set to 1103.Li sizeof(struct pfi_kif) . 1104.Pp 1105The data is returned in the 1106.Vt pfi_kif 1107structure described below: 1108.Bd -literal 1109struct pfi_kif { 1110 char pfik_name[IFNAMSIZ]; 1111 union { 1112 RB_ENTRY(pfi_kif) pfik_tree; 1113 LIST_ENTRY(pfi_kif) pfik_list; 1114 }; 1115 u_int64_t pfik_packets[2][2][2]; 1116 u_int64_t pfik_bytes[2][2][2]; 1117 u_int32_t pfik_tzero; 1118 u_int pfik_flags; 1119 struct ifnet *pfik_ifp; 1120 struct ifg_group *pfik_group; 1121 u_int pfik_rulerefs; 1122 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; 1123}; 1124.Ed 1125.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io" 1126Set the user settable flags (described above) of the 1127.Nm 1128internal interface description. 1129The filtering process is the same as for 1130.Dv DIOCIGETIFACES . 1131.Bd -literal 1132#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ 1133.Ed 1134.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io" 1135Works as 1136.Dv DIOCSETIFFLAG 1137above but clears the flags. 1138.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io" 1139Explicitly remove source tracking nodes. 1140.El 1141.Sh FILES 1142.Bl -tag -width /dev/pf -compact 1143.It Pa /dev/pf 1144packet filtering device. 1145.El 1146.Sh EXAMPLES 1147The following example demonstrates how to use the 1148.Dv DIOCNATLOOK 1149command to find the internal host/port of a NATed connection: 1150.Bd -literal 1151#include <sys/types.h> 1152#include <sys/socket.h> 1153#include <sys/ioctl.h> 1154#include <sys/fcntl.h> 1155#include <net/if.h> 1156#include <netinet/in.h> 1157#include <net/pfvar.h> 1158#include <err.h> 1159#include <stdio.h> 1160#include <stdlib.h> 1161 1162u_int32_t 1163read_address(const char *s) 1164{ 1165 int a, b, c, d; 1166 1167 sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d); 1168 return htonl(a << 24 | b << 16 | c << 8 | d); 1169} 1170 1171void 1172print_address(u_int32_t a) 1173{ 1174 a = ntohl(a); 1175 printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255, 1176 a >> 8 & 255, a & 255); 1177} 1178 1179int 1180main(int argc, char *argv[]) 1181{ 1182 struct pfioc_natlook nl; 1183 int dev; 1184 1185 if (argc != 5) { 1186 printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n", 1187 argv[0]); 1188 return 1; 1189 } 1190 1191 dev = open("/dev/pf", O_RDWR); 1192 if (dev == -1) 1193 err(1, "open(\\"/dev/pf\\") failed"); 1194 1195 memset(&nl, 0, sizeof(struct pfioc_natlook)); 1196 nl.saddr.v4.s_addr = read_address(argv[1]); 1197 nl.sport = htons(atoi(argv[2])); 1198 nl.daddr.v4.s_addr = read_address(argv[3]); 1199 nl.dport = htons(atoi(argv[4])); 1200 nl.af = AF_INET; 1201 nl.proto = IPPROTO_TCP; 1202 nl.direction = PF_IN; 1203 1204 if (ioctl(dev, DIOCNATLOOK, &nl)) 1205 err(1, "DIOCNATLOOK"); 1206 1207 printf("internal host "); 1208 print_address(nl.rsaddr.v4.s_addr); 1209 printf(":%u\\n", ntohs(nl.rsport)); 1210 return 0; 1211} 1212.Ed 1213.Sh SEE ALSO 1214.Xr ioctl 2 , 1215.Xr altq 4 , 1216.Xr if_bridge 4 , 1217.Xr pflog 4 , 1218.Xr pfsync 4 , 1219.Xr pfctl 8 , 1220.Xr altq 9 1221.Sh HISTORY 1222The 1223.Nm 1224packet filtering mechanism first appeared in 1225.Ox 3.0 1226and then 1227.Fx 5.2 . 1228.Pp 1229This implementation is derived from 1230.Ox 4.5 . 1231A number of individual features, improvements, bug fixes and security fixes 1232have been ported from later versions of 1233.Ox . 1234It has been heavily modified to be capable of running in multithreaded 1235.Fx 1236kernel and scale its performance on multiple CPUs. 1237