1.\" $OpenBSD: pf.4,v 1.62 2008/09/10 14:57:37 jmc Exp $ 2.\" 3.\" Copyright (C) 2001, Kjell Wooding. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. Neither the name of the project nor the names of its contributors 14.\" may be used to endorse or promote products derived from this software 15.\" without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" 29.\" $FreeBSD$ 30.\" 31.Dd May 7, 2021 32.Dt PF 4 33.Os 34.Sh NAME 35.Nm pf 36.Nd packet filter 37.Sh SYNOPSIS 38.Cd "device pf" 39.Cd "options PF_DEFAULT_TO_DROP" 40.Sh DESCRIPTION 41Packet filtering takes place in the kernel. 42A pseudo-device, 43.Pa /dev/pf , 44allows userland processes to control the 45behavior of the packet filter through an 46.Xr ioctl 2 47interface. 48There are commands to enable and disable the filter, load rulesets, 49add and remove individual rules or state table entries, 50and retrieve statistics. 51The most commonly used functions are covered by 52.Xr pfctl 8 . 53.Pp 54Manipulations like loading a ruleset that involve more than a single 55.Xr ioctl 2 56call require a so-called 57.Em ticket , 58which prevents the occurrence of 59multiple concurrent manipulations. 60.Pp 61Fields of 62.Xr ioctl 2 63parameter structures that refer to packet data (like 64addresses and ports) are generally expected in network byte-order. 65.Pp 66Rules and address tables are contained in so-called 67.Em anchors . 68When servicing an 69.Xr ioctl 2 70request, if the anchor field of the argument structure is empty, 71the kernel will use the default anchor (i.e., the main ruleset) 72in operations. 73Anchors are specified by name and may be nested, with components 74separated by 75.Sq / 76characters, similar to how file system hierarchies are laid out. 77The final component of the anchor path is the anchor under which 78operations will be performed. 79.Sh SYSCTL VARIABLES AND LOADER TUNABLES 80The following 81.Xr loader 8 82tunables are available. 83.Bl -tag -width indent 84.It Va net.pf.states_hashsize 85Size of hash tables that store states. 86Should be power of 2. 87Default value is 131072. 88.It Va net.pf.source_nodes_hashsize 89Size of hash table that store source nodes. 90Should be power of 2. 91Default value is 32768. 92.El 93.Pp 94Read only 95.Xr sysctl 8 96variables with matching names are provided to obtain current values 97at runtime. 98.Sh KERNEL OPTIONS 99The following options in the kernel configuration file are related to 100.Nm 101operation: 102.Pp 103.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact 104.It Dv PF_DEFAULT_TO_DROP 105Change default policy to drop by default 106.El 107.Sh IOCTL INTERFACE 108.Nm 109supports the following 110.Xr ioctl 2 111commands, available through 112.Aq Pa net/pfvar.h : 113.Bl -tag -width xxxxxx 114.It Dv DIOCSTART 115Start the packet filter. 116.It Dv DIOCSTOP 117Stop the packet filter. 118.It Dv DIOCSTARTALTQ 119Start the ALTQ bandwidth control system (see 120.Xr altq 9 ) . 121.It Dv DIOCSTOPALTQ 122Stop the ALTQ bandwidth control system. 123.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp" 124.Bd -literal 125struct pfioc_pooladdr { 126 u_int32_t action; 127 u_int32_t ticket; 128 u_int32_t nr; 129 u_int32_t r_num; 130 u_int8_t r_action; 131 u_int8_t r_last; 132 u_int8_t af; 133 char anchor[MAXPATHLEN]; 134 struct pf_pooladdr addr; 135}; 136.Ed 137.Pp 138Clear the buffer address pool and get a 139.Va ticket 140for subsequent 141.Dv DIOCADDADDR , 142.Dv DIOCADDRULE , 143and 144.Dv DIOCCHANGERULE 145calls. 146.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp" 147.Pp 148Add the pool address 149.Va addr 150to the buffer address pool to be used in the following 151.Dv DIOCADDRULE 152or 153.Dv DIOCCHANGERULE 154call. 155All other members of the structure are ignored. 156.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr" 157.Bd -literal 158struct pfioc_rule { 159 u_int32_t action; 160 u_int32_t ticket; 161 u_int32_t pool_ticket; 162 u_int32_t nr; 163 char anchor[MAXPATHLEN]; 164 char anchor_call[MAXPATHLEN]; 165 struct pf_rule rule; 166}; 167.Ed 168.Pp 169Add 170.Va rule 171at the end of the inactive ruleset. 172This call requires a 173.Va ticket 174obtained through a preceding 175.Dv DIOCXBEGIN 176call and a 177.Va pool_ticket 178obtained through a 179.Dv DIOCBEGINADDRS 180call. 181.Dv DIOCADDADDR 182must also be called if any pool addresses are required. 183The optional 184.Va anchor 185name indicates the anchor in which to append the rule. 186.Va nr 187and 188.Va action 189are ignored. 190.It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa" 191Add an ALTQ discipline or queue. 192.Bd -literal 193struct pfioc_altq { 194 u_int32_t action; 195 u_int32_t ticket; 196 u_int32_t nr; 197 struct pf_altq altq; 198}; 199.Ed 200.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr" 201Get a 202.Va ticket 203for subsequent 204.Dv DIOCGETRULE 205calls and the number 206.Va nr 207of rules in the active ruleset. 208.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr" 209Get a 210.Va rule 211by its number 212.Va nr 213using the 214.Va ticket 215obtained through a preceding 216.Dv DIOCGETRULES 217call. 218If 219.Va action 220is set to 221.Dv PF_GET_CLR_CNTR , 222the per-rule statistics on the requested rule are cleared. 223.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp" 224Get a 225.Va ticket 226for subsequent 227.Dv DIOCGETADDR 228calls and the number 229.Va nr 230of pool addresses in the rule specified with 231.Va r_action , 232.Va r_num , 233and 234.Va anchor . 235.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp" 236Get the pool address 237.Va addr 238by its number 239.Va nr 240from the rule specified with 241.Va r_action , 242.Va r_num , 243and 244.Va anchor 245using the 246.Va ticket 247obtained through a preceding 248.Dv DIOCGETADDRS 249call. 250.It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa" 251Get a 252.Va ticket 253for subsequent 254.Dv DIOCGETALTQ 255calls and the number 256.Va nr 257of queues in the active list. 258.It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa" 259Get the queueing discipline 260.Va altq 261by its number 262.Va nr 263using the 264.Va ticket 265obtained through a preceding 266.Dv DIOCGETALTQS 267call. 268.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq" 269Get the statistics on a queue. 270.Bd -literal 271struct pfioc_qstats { 272 u_int32_t ticket; 273 u_int32_t nr; 274 void *buf; 275 int nbytes; 276 u_int8_t scheduler; 277}; 278.Ed 279.Pp 280This call fills in a pointer to the buffer of statistics 281.Va buf , 282of length 283.Va nbytes , 284for the queue specified by 285.Va nr . 286.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr" 287.Bd -literal 288struct pfioc_ruleset { 289 u_int32_t nr; 290 char path[MAXPATHLEN]; 291 char name[PF_ANCHOR_NAME_SIZE]; 292}; 293.Ed 294.Pp 295Get the number 296.Va nr 297of rulesets (i.e., anchors) directly attached to the anchor named by 298.Va path 299for use in subsequent 300.Dv DIOCGETRULESET 301calls. 302Nested anchors, since they are not directly attached to the given 303anchor, will not be included. 304This ioctl returns 305.Er EINVAL 306if the given anchor does not exist. 307.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr" 308Get a ruleset (i.e., an anchor) 309.Va name 310by its number 311.Va nr 312from the given anchor 313.Va path , 314the maximum number of which can be obtained from a preceding 315.Dv DIOCGETRULESETS 316call. 317This ioctl returns 318.Er EINVAL 319if the given anchor does not exist or 320.Er EBUSY 321if another process is concurrently updating a ruleset. 322.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps" 323Add a state entry. 324.Bd -literal 325struct pfioc_state { 326 struct pfsync_state state; 327}; 328.Ed 329.It Dv DIOCGETSTATENV Fa "struct pfioc_nv *nv" 330Extract the entry identified by the 331.Va id 332and 333.Va creatorid 334fields of the 335.Va state 336nvlist from the state table. 337.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk" 338Remove matching entries from the state table. 339This ioctl returns the number of killed states in 340.Va psk_killed . 341.Bd -literal 342struct pfioc_state_kill { 343 struct pf_state_cmp psk_pfcmp; 344 sa_family_t psk_af; 345 int psk_proto; 346 struct pf_rule_addr psk_src; 347 struct pf_rule_addr psk_dst; 348 char psk_ifname[IFNAMSIZ]; 349 char psk_label[PF_RULE_LABEL_SIZE]; 350 u_int psk_killed; 351}; 352.Ed 353.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk" 354Clear all states. 355It works like 356.Dv DIOCKILLSTATES , 357but ignores the 358.Va psk_af , 359.Va psk_proto , 360.Va psk_src , 361and 362.Va psk_dst 363fields of the 364.Vt pfioc_state_kill 365structure. 366.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi" 367Specify the interface for which statistics are accumulated. 368.Bd -literal 369struct pfioc_if { 370 char ifname[IFNAMSIZ]; 371}; 372.Ed 373.It Dv DIOCGETSTATUS Fa "struct pf_status *s" 374Get the internal packet filter statistics. 375.Bd -literal 376struct pf_status { 377 u_int64_t counters[PFRES_MAX]; 378 u_int64_t lcounters[LCNT_MAX]; 379 u_int64_t fcounters[FCNT_MAX]; 380 u_int64_t scounters[SCNT_MAX]; 381 u_int64_t pcounters[2][2][3]; 382 u_int64_t bcounters[2][2]; 383 u_int32_t running; 384 u_int32_t states; 385 u_int32_t src_nodes; 386 u_int32_t since; 387 u_int32_t debug; 388 u_int32_t hostid; 389 char ifname[IFNAMSIZ]; 390 u_int8_t pf_chksum[MD5_DIGEST_LENGTH]; 391}; 392.Ed 393.It Dv DIOCCLRSTATUS 394Clear the internal packet filter statistics. 395.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl" 396Look up a state table entry by source and destination addresses and ports. 397.Bd -literal 398struct pfioc_natlook { 399 struct pf_addr saddr; 400 struct pf_addr daddr; 401 struct pf_addr rsaddr; 402 struct pf_addr rdaddr; 403 u_int16_t sport; 404 u_int16_t dport; 405 u_int16_t rsport; 406 u_int16_t rdport; 407 sa_family_t af; 408 u_int8_t proto; 409 u_int8_t direction; 410}; 411.Ed 412.It Dv DIOCSETDEBUG Fa "u_int32_t *level" 413Set the debug level. 414.Bd -literal 415enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, 416 PF_DEBUG_NOISY }; 417.Ed 418.It Dv DIOCGETSTATESNV Fa "struct pfioc_nv *nv" 419Get state table entries. 420.Bd -literal 421nvlist pf_state_key { 422 nvlist pf_addr addr[2]; 423 number port[2]; 424 number af; 425 number proto; 426}; 427 428nvlist pf_state_scrub { 429 bool timestamp; 430 number ttl; 431 number ts_mod; 432}; 433 434nvlist pf_state_peer { 435 nvlist pf_state_scrub scrub; 436 number seqlo; 437 number seqhi; 438 number seqdiff; 439 number max_win; 440 number mss; 441 number state; 442 number wscale; 443}; 444 445nvlist pf_state { 446 number id; 447 string ifname; 448 nvlist pf_state_key stack_key; 449 nvlist pf_state_key wire_key; 450 nvlist pf_state_peer src; 451 nvlist pf_state_peer dst; 452 nvlist pf_addr rt_addr; 453 number rule; 454 number anchor; 455 number nat_rule; 456 number expire; 457 number packets[2]; 458 number bytes[2]; 459 number creatorid; 460 number direction; 461 number log; 462 number state_flags; 463 number timeout; 464 number sync_flags; 465}; 466 467nvlist pf_states { 468 number count; 469 nvlist pf_state states[]; 470}; 471.Ed 472.Pp 473If 474.Va pfioc_nv.size 475is insufficiently large, as many states as possible that can fit into this 476size will be copied into the supplied buffer. 477.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr" 478Add or remove the 479.Va rule 480in the ruleset specified by 481.Va rule.action . 482.Pp 483The type of operation to be performed is indicated by 484.Va action , 485which can be any of the following: 486.Bd -literal 487enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 488 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 489 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; 490.Ed 491.Pp 492.Va ticket 493must be set to the value obtained with 494.Dv PF_CHANGE_GET_TICKET 495for all actions except 496.Dv PF_CHANGE_GET_TICKET . 497.Va pool_ticket 498must be set to the value obtained with the 499.Dv DIOCBEGINADDRS 500call for all actions except 501.Dv PF_CHANGE_REMOVE 502and 503.Dv PF_CHANGE_GET_TICKET . 504.Va anchor 505indicates to which anchor the operation applies. 506.Va nr 507indicates the rule number against which 508.Dv PF_CHANGE_ADD_BEFORE , 509.Dv PF_CHANGE_ADD_AFTER , 510or 511.Dv PF_CHANGE_REMOVE 512actions are applied. 513.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr" 514.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca" 515Add or remove the pool address 516.Va addr 517from the rule specified by 518.Va r_action , 519.Va r_num , 520and 521.Va anchor . 522.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt" 523.Bd -literal 524struct pfioc_tm { 525 int timeout; 526 int seconds; 527}; 528.Ed 529.Pp 530Set the state timeout of 531.Va timeout 532to 533.Va seconds . 534The old value will be placed into 535.Va seconds . 536For possible values of 537.Va timeout , 538consult the 539.Dv PFTM_* 540values in 541.Aq Pa net/pfvar.h . 542.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt" 543Get the state timeout of 544.Va timeout . 545The value will be placed into the 546.Va seconds 547field. 548.It Dv DIOCCLRRULECTRS 549Clear per-rule statistics. 550.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl" 551Set the hard limits on the memory pools used by the packet filter. 552.Bd -literal 553struct pfioc_limit { 554 int index; 555 unsigned limit; 556}; 557 558enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, 559 PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; 560.Ed 561.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl" 562Get the hard 563.Va limit 564for the memory pool indicated by 565.Va index . 566.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io" 567Clear all tables. 568All the ioctls that manipulate radix tables 569use the same structure described below. 570For 571.Dv DIOCRCLRTABLES , 572.Va pfrio_ndel 573contains on exit the number of tables deleted. 574.Bd -literal 575struct pfioc_table { 576 struct pfr_table pfrio_table; 577 void *pfrio_buffer; 578 int pfrio_esize; 579 int pfrio_size; 580 int pfrio_size2; 581 int pfrio_nadd; 582 int pfrio_ndel; 583 int pfrio_nchange; 584 int pfrio_flags; 585 u_int32_t pfrio_ticket; 586}; 587#define pfrio_exists pfrio_nadd 588#define pfrio_nzero pfrio_nadd 589#define pfrio_nmatch pfrio_nadd 590#define pfrio_naddr pfrio_size2 591#define pfrio_setflag pfrio_size2 592#define pfrio_clrflag pfrio_nadd 593.Ed 594.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io" 595Create one or more tables. 596On entry, 597.Va pfrio_buffer 598must point to an array of 599.Vt struct pfr_table 600containing at least 601.Vt pfrio_size 602elements. 603.Vt pfrio_esize 604must be the size of 605.Vt struct pfr_table . 606On exit, 607.Va pfrio_nadd 608contains the number of tables effectively created. 609.Bd -literal 610struct pfr_table { 611 char pfrt_anchor[MAXPATHLEN]; 612 char pfrt_name[PF_TABLE_NAME_SIZE]; 613 u_int32_t pfrt_flags; 614 u_int8_t pfrt_fback; 615}; 616.Ed 617.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io" 618Delete one or more tables. 619On entry, 620.Va pfrio_buffer 621must point to an array of 622.Vt struct pfr_table 623containing at least 624.Vt pfrio_size 625elements. 626.Vt pfrio_esize 627must be the size of 628.Vt struct pfr_table . 629On exit, 630.Va pfrio_ndel 631contains the number of tables effectively deleted. 632.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io" 633Get the list of all tables. 634On entry, 635.Va pfrio_buffer[pfrio_size] 636contains a valid writeable buffer for 637.Vt pfr_table 638structures. 639On exit, 640.Va pfrio_size 641contains the number of tables written into the buffer. 642If the buffer is too small, the kernel does not store anything but just 643returns the required buffer size, without error. 644.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io" 645This call is like 646.Dv DIOCRGETTABLES 647but is used to get an array of 648.Vt pfr_tstats 649structures. 650.Bd -literal 651struct pfr_tstats { 652 struct pfr_table pfrts_t; 653 u_int64_t pfrts_packets 654 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 655 u_int64_t pfrts_bytes 656 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 657 u_int64_t pfrts_match; 658 u_int64_t pfrts_nomatch; 659 long pfrts_tzero; 660 int pfrts_cnt; 661 int pfrts_refcnt[PFR_REFCNT_MAX]; 662}; 663#define pfrts_name pfrts_t.pfrt_name 664#define pfrts_flags pfrts_t.pfrt_flags 665.Ed 666.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io" 667Clear the statistics of one or more tables. 668On entry, 669.Va pfrio_buffer 670must point to an array of 671.Vt struct pfr_table 672containing at least 673.Vt pfrio_size 674elements. 675.Vt pfrio_esize 676must be the size of 677.Vt struct pfr_table . 678On exit, 679.Va pfrio_nzero 680contains the number of tables effectively cleared. 681.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io" 682Clear all addresses in a table. 683On entry, 684.Va pfrio_table 685contains the table to clear. 686On exit, 687.Va pfrio_ndel 688contains the number of addresses removed. 689.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io" 690Add one or more addresses to a table. 691On entry, 692.Va pfrio_table 693contains the table ID and 694.Va pfrio_buffer 695must point to an array of 696.Vt struct pfr_addr 697containing at least 698.Vt pfrio_size 699elements to add to the table. 700.Vt pfrio_esize 701must be the size of 702.Vt struct pfr_addr . 703On exit, 704.Va pfrio_nadd 705contains the number of addresses effectively added. 706.Bd -literal 707struct pfr_addr { 708 union { 709 struct in_addr _pfra_ip4addr; 710 struct in6_addr _pfra_ip6addr; 711 } pfra_u; 712 u_int8_t pfra_af; 713 u_int8_t pfra_net; 714 u_int8_t pfra_not; 715 u_int8_t pfra_fback; 716}; 717#define pfra_ip4addr pfra_u._pfra_ip4addr 718#define pfra_ip6addr pfra_u._pfra_ip6addr 719.Ed 720.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io" 721Delete one or more addresses from a table. 722On entry, 723.Va pfrio_table 724contains the table ID and 725.Va pfrio_buffer 726must point to an array of 727.Vt struct pfr_addr 728containing at least 729.Vt pfrio_size 730elements to delete from the table. 731.Vt pfrio_esize 732must be the size of 733.Vt struct pfr_addr . 734On exit, 735.Va pfrio_ndel 736contains the number of addresses effectively deleted. 737.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io" 738Replace the content of a table by a new address list. 739This is the most complicated command, which uses all the structure members. 740.Pp 741On entry, 742.Va pfrio_table 743contains the table ID and 744.Va pfrio_buffer 745must point to an array of 746.Vt struct pfr_addr 747containing at least 748.Vt pfrio_size 749elements which become the new contents of the table. 750.Vt pfrio_esize 751must be the size of 752.Vt struct pfr_addr . 753Additionally, if 754.Va pfrio_size2 755is non-zero, 756.Va pfrio_buffer[pfrio_size..pfrio_size2] 757must be a writeable buffer, into which the kernel can copy the 758addresses that have been deleted during the replace operation. 759On exit, 760.Va pfrio_ndel , 761.Va pfrio_nadd , 762and 763.Va pfrio_nchange 764contain the number of addresses deleted, added, and changed by the 765kernel. 766If 767.Va pfrio_size2 768was set on entry, 769.Va pfrio_size2 770will point to the size of the buffer used, exactly like 771.Dv DIOCRGETADDRS . 772.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io" 773Get all the addresses of a table. 774On entry, 775.Va pfrio_table 776contains the table ID and 777.Va pfrio_buffer[pfrio_size] 778contains a valid writeable buffer for 779.Vt pfr_addr 780structures. 781On exit, 782.Va pfrio_size 783contains the number of addresses written into the buffer. 784If the buffer was too small, the kernel does not store anything but just 785returns the required buffer size, without returning an error. 786.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io" 787This call is like 788.Dv DIOCRGETADDRS 789but is used to get an array of 790.Vt pfr_astats 791structures. 792.Bd -literal 793struct pfr_astats { 794 struct pfr_addr pfras_a; 795 u_int64_t pfras_packets 796 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 797 u_int64_t pfras_bytes 798 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 799 long pfras_tzero; 800}; 801.Ed 802.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io" 803Clear the statistics of one or more addresses. 804On entry, 805.Va pfrio_table 806contains the table ID and 807.Va pfrio_buffer 808must point to an array of 809.Vt struct pfr_addr 810containing at least 811.Vt pfrio_size 812elements to be cleared from the table. 813.Vt pfrio_esize 814must be the size of 815.Vt struct pfr_addr . 816On exit, 817.Va pfrio_nzero 818contains the number of addresses effectively cleared. 819.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io" 820Test if the given addresses match a table. 821On entry, 822.Va pfrio_table 823contains the table ID and 824.Va pfrio_buffer 825must point to an array of 826.Vt struct pfr_addr 827containing at least 828.Vt pfrio_size 829elements, each of which will be tested for a match in the table. 830.Vt pfrio_esize 831must be the size of 832.Vt struct pfr_addr . 833On exit, the kernel updates the 834.Vt pfr_addr 835array by setting the 836.Va pfra_fback 837member appropriately. 838.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io" 839Change the 840.Dv PFR_TFLAG_CONST 841or 842.Dv PFR_TFLAG_PERSIST 843flags of a table. 844On entry, 845.Va pfrio_buffer 846must point to an array of 847.Vt struct pfr_table 848containing at least 849.Vt pfrio_size 850elements. 851.Va pfrio_esize 852must be the size of 853.Vt struct pfr_table . 854.Va pfrio_setflag 855must contain the flags to add, while 856.Va pfrio_clrflag 857must contain the flags to remove. 858On exit, 859.Va pfrio_nchange 860and 861.Va pfrio_ndel 862contain the number of tables altered or deleted by the kernel. 863Yes, tables can be deleted if one removes the 864.Dv PFR_TFLAG_PERSIST 865flag of an unreferenced table. 866.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io" 867Defines a table in the inactive set. 868On entry, 869.Va pfrio_table 870contains the table ID and 871.Va pfrio_buffer[pfrio_size] 872contains an array of 873.Vt pfr_addr 874structures to put in the table. 875A valid ticket must also be supplied to 876.Va pfrio_ticket . 877On exit, 878.Va pfrio_nadd 879contains 0 if the table was already defined in the inactive list 880or 1 if a new table has been created. 881.Va pfrio_naddr 882contains the number of addresses effectively put in the table. 883.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io" 884.Bd -literal 885struct pfioc_trans { 886 int size; /* number of elements */ 887 int esize; /* size of each element in bytes */ 888 struct pfioc_trans_e { 889 int rs_num; 890 char anchor[MAXPATHLEN]; 891 u_int32_t ticket; 892 } *array; 893}; 894.Ed 895.Pp 896Clear all the inactive rulesets specified in the 897.Vt pfioc_trans_e 898array. 899For each ruleset, a ticket is returned for subsequent "add rule" ioctls, 900as well as for the 901.Dv DIOCXCOMMIT 902and 903.Dv DIOCXROLLBACK 904calls. 905.Pp 906Ruleset types, identified by 907.Va rs_num , 908include the following: 909.Pp 910.Bl -tag -width PF_RULESET_FILTER -offset ind -compact 911.It Dv PF_RULESET_SCRUB 912Scrub (packet normalization) rules. 913.It Dv PF_RULESET_FILTER 914Filter rules. 915.It Dv PF_RULESET_NAT 916NAT (Network Address Translation) rules. 917.It Dv PF_RULESET_BINAT 918Bidirectional NAT rules. 919.It Dv PF_RULESET_RDR 920Redirect rules. 921.It Dv PF_RULESET_ALTQ 922ALTQ disciplines. 923.It Dv PF_RULESET_TABLE 924Address tables. 925.El 926.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io" 927Atomically switch a vector of inactive rulesets to the active rulesets. 928This call is implemented as a standard two-phase commit, which will either 929fail for all rulesets or completely succeed. 930All tickets need to be valid. 931This ioctl returns 932.Er EBUSY 933if another process is concurrently updating some of the same rulesets. 934.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io" 935Clean up the kernel by undoing all changes that have taken place on the 936inactive rulesets since the last 937.Dv DIOCXBEGIN . 938.Dv DIOCXROLLBACK 939will silently ignore rulesets for which the ticket is invalid. 940.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid" 941Set the host ID, which is used by 942.Xr pfsync 4 943to identify which host created state table entries. 944.It Dv DIOCOSFPFLUSH 945Flush the passive OS fingerprint table. 946.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io" 947.Bd -literal 948struct pf_osfp_ioctl { 949 struct pf_osfp_entry { 950 SLIST_ENTRY(pf_osfp_entry) fp_entry; 951 pf_osfp_t fp_os; 952 char fp_class_nm[PF_OSFP_LEN]; 953 char fp_version_nm[PF_OSFP_LEN]; 954 char fp_subtype_nm[PF_OSFP_LEN]; 955 } fp_os; 956 pf_tcpopts_t fp_tcpopts; 957 u_int16_t fp_wsize; 958 u_int16_t fp_psize; 959 u_int16_t fp_mss; 960 u_int16_t fp_flags; 961 u_int8_t fp_optcnt; 962 u_int8_t fp_wscale; 963 u_int8_t fp_ttl; 964 int fp_getnum; 965}; 966.Ed 967.Pp 968Add a passive OS fingerprint to the table. 969Set 970.Va fp_os.fp_os 971to the packed fingerprint, 972.Va fp_os.fp_class_nm 973to the name of the class (Linux, Windows, etc), 974.Va fp_os.fp_version_nm 975to the name of the version (NT, 95, 98), and 976.Va fp_os.fp_subtype_nm 977to the name of the subtype or patchlevel. 978The members 979.Va fp_mss , 980.Va fp_wsize , 981.Va fp_psize , 982.Va fp_ttl , 983.Va fp_optcnt , 984and 985.Va fp_wscale 986are set to the TCP MSS, the TCP window size, the IP length, the IP TTL, 987the number of TCP options, and the TCP window scaling constant of the 988TCP SYN packet, respectively. 989.Pp 990The 991.Va fp_flags 992member is filled according to the 993.Aq Pa net/pfvar.h 994include file 995.Dv PF_OSFP_* 996defines. 997The 998.Va fp_tcpopts 999member contains packed TCP options. 1000Each option uses 1001.Dv PF_OSFP_TCPOPT_BITS 1002bits in the packed value. 1003Options include any of 1004.Dv PF_OSFP_TCPOPT_NOP , 1005.Dv PF_OSFP_TCPOPT_SACK , 1006.Dv PF_OSFP_TCPOPT_WSCALE , 1007.Dv PF_OSFP_TCPOPT_MSS , 1008or 1009.Dv PF_OSFP_TCPOPT_TS . 1010.Pp 1011The 1012.Va fp_getnum 1013member is not used with this ioctl. 1014.Pp 1015The structure's slack space must be zeroed for correct operation; 1016.Xr memset 3 1017the whole structure to zero before filling and sending to the kernel. 1018.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io" 1019Get the passive OS fingerprint number 1020.Va fp_getnum 1021from the kernel's fingerprint list. 1022The rest of the structure members will come back filled. 1023Get the whole list by repeatedly incrementing the 1024.Va fp_getnum 1025number until the ioctl returns 1026.Er EBUSY . 1027.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn" 1028.Bd -literal 1029struct pfioc_src_nodes { 1030 int psn_len; 1031 union { 1032 caddr_t psu_buf; 1033 struct pf_src_node *psu_src_nodes; 1034 } psn_u; 1035#define psn_buf psn_u.psu_buf 1036#define psn_src_nodes psn_u.psu_src_nodes 1037}; 1038.Ed 1039.Pp 1040Get the list of source nodes kept by sticky addresses and source 1041tracking. 1042The ioctl must be called once with 1043.Va psn_len 1044set to 0. 1045If the ioctl returns without error, 1046.Va psn_len 1047will be set to the size of the buffer required to hold all the 1048.Va pf_src_node 1049structures held in the table. 1050A buffer of this size should then be allocated, and a pointer to this buffer 1051placed in 1052.Va psn_buf . 1053The ioctl must then be called again to fill this buffer with the actual 1054source node data. 1055After that call, 1056.Va psn_len 1057will be set to the length of the buffer actually used. 1058.It Dv DIOCCLRSRCNODES 1059Clear the tree of source tracking nodes. 1060.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io" 1061Get the list of interfaces and interface drivers known to 1062.Nm . 1063All the ioctls that manipulate interfaces 1064use the same structure described below: 1065.Bd -literal 1066struct pfioc_iface { 1067 char pfiio_name[IFNAMSIZ]; 1068 void *pfiio_buffer; 1069 int pfiio_esize; 1070 int pfiio_size; 1071 int pfiio_nzero; 1072 int pfiio_flags; 1073}; 1074.Ed 1075.Pp 1076If not empty, 1077.Va pfiio_name 1078can be used to restrict the search to a specific interface or driver. 1079.Va pfiio_buffer[pfiio_size] 1080is the user-supplied buffer for returning the data. 1081On entry, 1082.Va pfiio_size 1083contains the number of 1084.Vt pfi_kif 1085entries that can fit into the buffer. 1086The kernel will replace this value by the real number of entries it wants 1087to return. 1088.Va pfiio_esize 1089should be set to 1090.Li sizeof(struct pfi_kif) . 1091.Pp 1092The data is returned in the 1093.Vt pfi_kif 1094structure described below: 1095.Bd -literal 1096struct pfi_kif { 1097 RB_ENTRY(pfi_kif) pfik_tree; 1098 char pfik_name[IFNAMSIZ]; 1099 u_int64_t pfik_packets[2][2][2]; 1100 u_int64_t pfik_bytes[2][2][2]; 1101 u_int32_t pfik_tzero; 1102 int pfik_flags; 1103 struct pf_state_tree_lan_ext pfik_lan_ext; 1104 struct pf_state_tree_ext_gwy pfik_ext_gwy; 1105 TAILQ_ENTRY(pfi_kif) pfik_w_states; 1106 void *pfik_ah_cookie; 1107 struct ifnet *pfik_ifp; 1108 struct ifg_group *pfik_group; 1109 int pfik_states; 1110 int pfik_rules; 1111 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; 1112}; 1113.Ed 1114.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io" 1115Set the user settable flags (described above) of the 1116.Nm 1117internal interface description. 1118The filtering process is the same as for 1119.Dv DIOCIGETIFACES . 1120.Bd -literal 1121#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ 1122.Ed 1123.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io" 1124Works as 1125.Dv DIOCSETIFFLAG 1126above but clears the flags. 1127.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io" 1128Explicitly remove source tracking nodes. 1129.El 1130.Sh FILES 1131.Bl -tag -width /dev/pf -compact 1132.It Pa /dev/pf 1133packet filtering device. 1134.El 1135.Sh EXAMPLES 1136The following example demonstrates how to use the 1137.Dv DIOCNATLOOK 1138command to find the internal host/port of a NATed connection: 1139.Bd -literal 1140#include <sys/types.h> 1141#include <sys/socket.h> 1142#include <sys/ioctl.h> 1143#include <sys/fcntl.h> 1144#include <net/if.h> 1145#include <netinet/in.h> 1146#include <net/pfvar.h> 1147#include <err.h> 1148#include <stdio.h> 1149#include <stdlib.h> 1150 1151u_int32_t 1152read_address(const char *s) 1153{ 1154 int a, b, c, d; 1155 1156 sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d); 1157 return htonl(a << 24 | b << 16 | c << 8 | d); 1158} 1159 1160void 1161print_address(u_int32_t a) 1162{ 1163 a = ntohl(a); 1164 printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255, 1165 a >> 8 & 255, a & 255); 1166} 1167 1168int 1169main(int argc, char *argv[]) 1170{ 1171 struct pfioc_natlook nl; 1172 int dev; 1173 1174 if (argc != 5) { 1175 printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n", 1176 argv[0]); 1177 return 1; 1178 } 1179 1180 dev = open("/dev/pf", O_RDWR); 1181 if (dev == -1) 1182 err(1, "open(\\"/dev/pf\\") failed"); 1183 1184 memset(&nl, 0, sizeof(struct pfioc_natlook)); 1185 nl.saddr.v4.s_addr = read_address(argv[1]); 1186 nl.sport = htons(atoi(argv[2])); 1187 nl.daddr.v4.s_addr = read_address(argv[3]); 1188 nl.dport = htons(atoi(argv[4])); 1189 nl.af = AF_INET; 1190 nl.proto = IPPROTO_TCP; 1191 nl.direction = PF_IN; 1192 1193 if (ioctl(dev, DIOCNATLOOK, &nl)) 1194 err(1, "DIOCNATLOOK"); 1195 1196 printf("internal host "); 1197 print_address(nl.rsaddr.v4.s_addr); 1198 printf(":%u\\n", ntohs(nl.rsport)); 1199 return 0; 1200} 1201.Ed 1202.Sh SEE ALSO 1203.Xr ioctl 2 , 1204.Xr altq 4 , 1205.Xr if_bridge 4 , 1206.Xr pflog 4 , 1207.Xr pfsync 4 , 1208.Xr pfctl 8 , 1209.Xr altq 9 1210.Sh HISTORY 1211The 1212.Nm 1213packet filtering mechanism first appeared in 1214.Ox 3.0 1215and then 1216.Fx 5.2 . 1217.Pp 1218This implementation is derived from 1219.Ox 4.5 . 1220It has been heavily modified to be capable of running in multithreaded 1221.Fx 1222kernel and scale its performance on multiple CPUs. 1223