xref: /freebsd/share/man/man4/pf.4 (revision 9f23cbd6cae82fd77edfad7173432fa8dccd0a95)
1.\"	$OpenBSD: pf.4,v 1.62 2008/09/10 14:57:37 jmc Exp $
2.\"
3.\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\"    notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\" 3. Neither the name of the project nor the names of its contributors
14.\"    may be used to endorse or promote products derived from this software
15.\"    without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27.\" SUCH DAMAGE.
28.\"
29.\" $FreeBSD$
30.\"
31.Dd July 12, 2023
32.Dt PF 4
33.Os
34.Sh NAME
35.Nm pf
36.Nd packet filter
37.Sh SYNOPSIS
38.Cd "device pf"
39.Cd "options PF_DEFAULT_TO_DROP"
40.Sh DESCRIPTION
41Packet filtering takes place in the kernel.
42A pseudo-device,
43.Pa /dev/pf ,
44allows userland processes to control the
45behavior of the packet filter through an
46.Xr ioctl 2
47interface.
48There are commands to enable and disable the filter, load rulesets,
49add and remove individual rules or state table entries,
50and retrieve statistics.
51The most commonly used functions are covered by
52.Xr pfctl 8 .
53.Pp
54Manipulations like loading a ruleset that involve more than a single
55.Xr ioctl 2
56call require a so-called
57.Em ticket ,
58which prevents the occurrence of
59multiple concurrent manipulations.
60.Pp
61Fields of
62.Xr ioctl 2
63parameter structures that refer to packet data (like
64addresses and ports) are generally expected in network byte-order.
65.Pp
66Rules and address tables are contained in so-called
67.Em anchors .
68When servicing an
69.Xr ioctl 2
70request, if the anchor field of the argument structure is empty,
71the kernel will use the default anchor (i.e., the main ruleset)
72in operations.
73Anchors are specified by name and may be nested, with components
74separated by
75.Sq /
76characters, similar to how file system hierarchies are laid out.
77The final component of the anchor path is the anchor under which
78operations will be performed.
79.Sh SYSCTL VARIABLES AND LOADER TUNABLES
80The following
81.Xr loader 8
82tunables are available.
83.Bl -tag -width indent
84.It Va net.pf.states_hashsize
85Size of hash tables that store states.
86Should be power of 2.
87Default value is 131072.
88.It Va net.pf.source_nodes_hashsize
89Size of hash table that store source nodes.
90Should be power of 2.
91Default value is 32768.
92.El
93.Pp
94Read only
95.Xr sysctl 8
96variables with matching names are provided to obtain current values
97at runtime.
98.Sh KERNEL OPTIONS
99The following options in the kernel configuration file are related to
100.Nm
101operation:
102.Pp
103.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact
104.It Dv PF_DEFAULT_TO_DROP
105Change default policy to drop by default
106.El
107.Sh IOCTL INTERFACE
108.Nm
109supports the following
110.Xr ioctl 2
111commands, available through
112.Aq Pa net/pfvar.h :
113.Bl -tag -width xxxxxx
114.It Dv DIOCSTART
115Start the packet filter.
116.It Dv DIOCSTOP
117Stop the packet filter.
118.It Dv DIOCSTARTALTQ
119Start the ALTQ bandwidth control system (see
120.Xr altq 9 ) .
121.It Dv DIOCSTOPALTQ
122Stop the ALTQ bandwidth control system.
123.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp"
124.Bd -literal
125struct pfioc_pooladdr {
126	u_int32_t		action;
127	u_int32_t		ticket;
128	u_int32_t		nr;
129	u_int32_t		r_num;
130	u_int8_t		r_action;
131	u_int8_t		r_last;
132	u_int8_t		af;
133	char			anchor[MAXPATHLEN];
134	struct pf_pooladdr	addr;
135};
136.Ed
137.Pp
138Clear the buffer address pool and get a
139.Va ticket
140for subsequent
141.Dv DIOCADDADDR ,
142.Dv DIOCADDRULE ,
143and
144.Dv DIOCCHANGERULE
145calls.
146.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp"
147.Pp
148Add the pool address
149.Va addr
150to the buffer address pool to be used in the following
151.Dv DIOCADDRULE
152or
153.Dv DIOCCHANGERULE
154call.
155All other members of the structure are ignored.
156.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr"
157.Bd -literal
158struct pfioc_rule {
159	u_int32_t	action;
160	u_int32_t	ticket;
161	u_int32_t	pool_ticket;
162	u_int32_t	nr;
163	char		anchor[MAXPATHLEN];
164	char		anchor_call[MAXPATHLEN];
165	struct pf_rule	rule;
166};
167.Ed
168.Pp
169Add
170.Va rule
171at the end of the inactive ruleset.
172This call requires a
173.Va ticket
174obtained through a preceding
175.Dv DIOCXBEGIN
176call and a
177.Va pool_ticket
178obtained through a
179.Dv DIOCBEGINADDRS
180call.
181.Dv DIOCADDADDR
182must also be called if any pool addresses are required.
183The optional
184.Va anchor
185name indicates the anchor in which to append the rule.
186.Va nr
187and
188.Va action
189are ignored.
190.It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa"
191Add an ALTQ discipline or queue.
192.Bd -literal
193struct pfioc_altq {
194	u_int32_t	action;
195	u_int32_t	ticket;
196	u_int32_t	nr;
197	struct pf_altq  altq;
198};
199.Ed
200.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr"
201Get a
202.Va ticket
203for subsequent
204.Dv DIOCGETRULE
205calls and the number
206.Va nr
207of rules in the active ruleset.
208.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr"
209Get a
210.Va rule
211by its number
212.Va nr
213using the
214.Va ticket
215obtained through a preceding
216.Dv DIOCGETRULES
217call.
218If
219.Va action
220is set to
221.Dv PF_GET_CLR_CNTR ,
222the per-rule statistics on the requested rule are cleared.
223.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp"
224Get a
225.Va ticket
226for subsequent
227.Dv DIOCGETADDR
228calls and the number
229.Va nr
230of pool addresses in the rule specified with
231.Va r_action ,
232.Va r_num ,
233and
234.Va anchor .
235.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp"
236Get the pool address
237.Va addr
238by its number
239.Va nr
240from the rule specified with
241.Va r_action ,
242.Va r_num ,
243and
244.Va anchor
245using the
246.Va ticket
247obtained through a preceding
248.Dv DIOCGETADDRS
249call.
250.It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa"
251Get a
252.Va ticket
253for subsequent
254.Dv DIOCGETALTQ
255calls and the number
256.Va nr
257of queues in the active list.
258.It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa"
259Get the queueing discipline
260.Va altq
261by its number
262.Va nr
263using the
264.Va ticket
265obtained through a preceding
266.Dv DIOCGETALTQS
267call.
268.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq"
269Get the statistics on a queue.
270.Bd -literal
271struct pfioc_qstats {
272	u_int32_t	 ticket;
273	u_int32_t	 nr;
274	void		*buf;
275	int		 nbytes;
276	u_int8_t	 scheduler;
277};
278.Ed
279.Pp
280This call fills in a pointer to the buffer of statistics
281.Va buf ,
282of length
283.Va nbytes ,
284for the queue specified by
285.Va nr .
286.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr"
287.Bd -literal
288struct pfioc_ruleset {
289	u_int32_t	 nr;
290	char		 path[MAXPATHLEN];
291	char		 name[PF_ANCHOR_NAME_SIZE];
292};
293.Ed
294.Pp
295Get the number
296.Va nr
297of rulesets (i.e., anchors) directly attached to the anchor named by
298.Va path
299for use in subsequent
300.Dv DIOCGETRULESET
301calls.
302Nested anchors, since they are not directly attached to the given
303anchor, will not be included.
304This ioctl returns
305.Er ENOENT
306if the parent anchor given at
307.Va path
308does not exist.
309.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr"
310Get a ruleset (i.e., an anchor)
311.Va name
312by its number
313.Va nr
314from the given anchor
315.Va path ,
316the maximum number of which can be obtained from a preceding
317.Dv DIOCGETRULESETS
318call.
319This ioctl returns
320.Er ENOENT
321if the parent anchor given by
322.Va path
323does not exist or
324.Er EBUSY
325if the index passed in by
326.Va nr
327is greater than the number of anchors.
328.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps"
329Add a state entry.
330.Bd -literal
331struct pfioc_state {
332	struct pfsync_state	state;
333};
334.Ed
335.It Dv DIOCGETSTATENV Fa "struct pfioc_nv *nv"
336Extract the entry identified by the
337.Va id
338and
339.Va creatorid
340fields of the
341.Va state
342nvlist from the state table.
343.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk"
344Remove matching entries from the state table.
345This ioctl returns the number of killed states in
346.Va psk_killed .
347.Bd -literal
348struct pfioc_state_kill {
349	struct pf_state_cmp	psk_pfcmp;
350	sa_family_t		psk_af;
351	int			psk_proto;
352	struct pf_rule_addr	psk_src;
353	struct pf_rule_addr	psk_dst;
354	char			psk_ifname[IFNAMSIZ];
355	char			psk_label[PF_RULE_LABEL_SIZE];
356	u_int			psk_killed;
357};
358.Ed
359.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk"
360Clear all states.
361It works like
362.Dv DIOCKILLSTATES ,
363but ignores the
364.Va psk_af ,
365.Va psk_proto ,
366.Va psk_src ,
367and
368.Va psk_dst
369fields of the
370.Vt pfioc_state_kill
371structure.
372.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi"
373Specify the interface for which statistics are accumulated.
374.Bd -literal
375struct pfioc_if {
376	char		 ifname[IFNAMSIZ];
377};
378.Ed
379.It Dv DIOCGETSTATUS Fa "struct pf_status *s"
380Get the internal packet filter statistics.
381.Bd -literal
382struct pf_status {
383	u_int64_t	counters[PFRES_MAX];
384	u_int64_t	lcounters[LCNT_MAX];
385	u_int64_t	fcounters[FCNT_MAX];
386	u_int64_t	scounters[SCNT_MAX];
387	u_int64_t	pcounters[2][2][3];
388	u_int64_t	bcounters[2][2];
389	u_int32_t	running;
390	u_int32_t	states;
391	u_int32_t	src_nodes;
392	u_int32_t	since;
393	u_int32_t	debug;
394	u_int32_t	hostid;
395	char		ifname[IFNAMSIZ];
396	u_int8_t	pf_chksum[MD5_DIGEST_LENGTH];
397};
398.Ed
399.It Dv DIOCCLRSTATUS
400Clear the internal packet filter statistics.
401.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl"
402Look up a state table entry by source and destination addresses and ports.
403.Bd -literal
404struct pfioc_natlook {
405	struct pf_addr	 saddr;
406	struct pf_addr	 daddr;
407	struct pf_addr	 rsaddr;
408	struct pf_addr	 rdaddr;
409	u_int16_t	 sport;
410	u_int16_t	 dport;
411	u_int16_t	 rsport;
412	u_int16_t	 rdport;
413	sa_family_t	 af;
414	u_int8_t	 proto;
415	u_int8_t	 direction;
416};
417.Ed
418.It Dv DIOCSETDEBUG Fa "u_int32_t *level"
419Set the debug level.
420.Bd -literal
421enum	{ PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC,
422	  PF_DEBUG_NOISY };
423.Ed
424.It Dv DIOCGETSTATESNV Fa "struct pfioc_nv *nv"
425Get state table entries.
426.Bd -literal
427nvlist pf_state_key {
428	nvlist pf_addr	addr[2];
429	number		port[2];
430	number		af;
431	number		proto;
432};
433
434nvlist pf_state_scrub {
435	bool	timestamp;
436	number	ttl;
437	number	ts_mod;
438};
439
440nvlist pf_state_peer {
441	nvlist pf_state_scrub	scrub;
442	number			seqlo;
443	number			seqhi;
444	number			seqdiff;
445	number			max_win;
446	number			mss;
447	number			state;
448	number			wscale;
449};
450
451nvlist pf_state {
452	number			id;
453	string			ifname;
454	nvlist pf_state_key	stack_key;
455	nvlist pf_state_key	wire_key;
456	nvlist pf_state_peer	src;
457	nvlist pf_state_peer	dst;
458	nvlist pf_addr		rt_addr;
459	number			rule;
460	number			anchor;
461	number			nat_rule;
462	number			expire;
463	number			packets[2];
464	number			bytes[2];
465	number			creatorid;
466	number			direction;
467	number			log;
468	number			state_flags;
469	number			timeout;
470	number			sync_flags;
471};
472
473nvlist pf_states {
474	number		count;
475	nvlist pf_state	states[];
476};
477.Ed
478.Pp
479If
480.Va pfioc_nv.size
481is insufficiently large, as many states as possible that can fit into this
482size will be copied into the supplied buffer.
483.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr"
484Add or remove the
485.Va rule
486in the ruleset specified by
487.Va rule.action .
488.Pp
489The type of operation to be performed is indicated by
490.Va action ,
491which can be any of the following:
492.Bd -literal
493enum	{ PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
494	  PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
495	  PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
496.Ed
497.Pp
498.Va ticket
499must be set to the value obtained with
500.Dv PF_CHANGE_GET_TICKET
501for all actions except
502.Dv PF_CHANGE_GET_TICKET .
503.Va pool_ticket
504must be set to the value obtained with the
505.Dv DIOCBEGINADDRS
506call for all actions except
507.Dv PF_CHANGE_REMOVE
508and
509.Dv PF_CHANGE_GET_TICKET .
510.Va anchor
511indicates to which anchor the operation applies.
512.Va nr
513indicates the rule number against which
514.Dv PF_CHANGE_ADD_BEFORE ,
515.Dv PF_CHANGE_ADD_AFTER ,
516or
517.Dv PF_CHANGE_REMOVE
518actions are applied.
519.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr"
520.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca"
521Add or remove the pool address
522.Va addr
523from the rule specified by
524.Va r_action ,
525.Va r_num ,
526and
527.Va anchor .
528.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt"
529.Bd -literal
530struct pfioc_tm {
531	int		 timeout;
532	int		 seconds;
533};
534.Ed
535.Pp
536Set the state timeout of
537.Va timeout
538to
539.Va seconds .
540The old value will be placed into
541.Va seconds .
542For possible values of
543.Va timeout ,
544consult the
545.Dv PFTM_*
546values in
547.Aq Pa net/pfvar.h .
548.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt"
549Get the state timeout of
550.Va timeout .
551The value will be placed into the
552.Va seconds
553field.
554.It Dv DIOCCLRRULECTRS
555Clear per-rule statistics.
556.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl"
557Set the hard limits on the memory pools used by the packet filter.
558.Bd -literal
559struct pfioc_limit {
560	int		index;
561	unsigned	limit;
562};
563
564enum	{ PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
565	  PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
566.Ed
567.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl"
568Get the hard
569.Va limit
570for the memory pool indicated by
571.Va index .
572.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io"
573Clear all tables.
574All the ioctls that manipulate radix tables
575use the same structure described below.
576For
577.Dv DIOCRCLRTABLES ,
578.Va pfrio_ndel
579contains on exit the number of tables deleted.
580.Bd -literal
581struct pfioc_table {
582	struct pfr_table	 pfrio_table;
583	void			*pfrio_buffer;
584	int			 pfrio_esize;
585	int			 pfrio_size;
586	int			 pfrio_size2;
587	int			 pfrio_nadd;
588	int			 pfrio_ndel;
589	int			 pfrio_nchange;
590	int			 pfrio_flags;
591	u_int32_t		 pfrio_ticket;
592};
593#define pfrio_exists    pfrio_nadd
594#define pfrio_nzero     pfrio_nadd
595#define pfrio_nmatch    pfrio_nadd
596#define pfrio_naddr     pfrio_size2
597#define pfrio_setflag   pfrio_size2
598#define pfrio_clrflag   pfrio_nadd
599.Ed
600.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io"
601Create one or more tables.
602On entry,
603.Va pfrio_buffer
604must point to an array of
605.Vt struct pfr_table
606containing at least
607.Vt pfrio_size
608elements.
609.Vt pfrio_esize
610must be the size of
611.Vt struct pfr_table .
612On exit,
613.Va pfrio_nadd
614contains the number of tables effectively created.
615.Bd -literal
616struct pfr_table {
617	char		pfrt_anchor[MAXPATHLEN];
618	char		pfrt_name[PF_TABLE_NAME_SIZE];
619	u_int32_t	pfrt_flags;
620	u_int8_t	pfrt_fback;
621};
622.Ed
623.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io"
624Delete one or more tables.
625On entry,
626.Va pfrio_buffer
627must point to an array of
628.Vt struct pfr_table
629containing at least
630.Vt pfrio_size
631elements.
632.Vt pfrio_esize
633must be the size of
634.Vt struct pfr_table .
635On exit,
636.Va pfrio_ndel
637contains the number of tables effectively deleted.
638.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io"
639Get the list of all tables.
640On entry,
641.Va pfrio_buffer[pfrio_size]
642contains a valid writeable buffer for
643.Vt pfr_table
644structures.
645On exit,
646.Va pfrio_size
647contains the number of tables written into the buffer.
648If the buffer is too small, the kernel does not store anything but just
649returns the required buffer size, without error.
650.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io"
651This call is like
652.Dv DIOCRGETTABLES
653but is used to get an array of
654.Vt pfr_tstats
655structures.
656.Bd -literal
657struct pfr_tstats {
658	struct pfr_table pfrts_t;
659	u_int64_t	 pfrts_packets
660			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
661	u_int64_t	 pfrts_bytes
662			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
663	u_int64_t	 pfrts_match;
664	u_int64_t	 pfrts_nomatch;
665	long		 pfrts_tzero;
666	int		 pfrts_cnt;
667	int		 pfrts_refcnt[PFR_REFCNT_MAX];
668};
669#define pfrts_name	 pfrts_t.pfrt_name
670#define pfrts_flags	 pfrts_t.pfrt_flags
671.Ed
672.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io"
673Clear the statistics of one or more tables.
674On entry,
675.Va pfrio_buffer
676must point to an array of
677.Vt struct pfr_table
678containing at least
679.Vt pfrio_size
680elements.
681.Vt pfrio_esize
682must be the size of
683.Vt struct pfr_table .
684On exit,
685.Va pfrio_nzero
686contains the number of tables effectively cleared.
687.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io"
688Clear all addresses in a table.
689On entry,
690.Va pfrio_table
691contains the table to clear.
692On exit,
693.Va pfrio_ndel
694contains the number of addresses removed.
695.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io"
696Add one or more addresses to a table.
697On entry,
698.Va pfrio_table
699contains the table ID and
700.Va pfrio_buffer
701must point to an array of
702.Vt struct pfr_addr
703containing at least
704.Vt pfrio_size
705elements to add to the table.
706.Vt pfrio_esize
707must be the size of
708.Vt struct pfr_addr .
709On exit,
710.Va pfrio_nadd
711contains the number of addresses effectively added.
712.Bd -literal
713struct pfr_addr {
714	union {
715		struct in_addr	 _pfra_ip4addr;
716		struct in6_addr	 _pfra_ip6addr;
717	}		 pfra_u;
718	u_int8_t	 pfra_af;
719	u_int8_t	 pfra_net;
720	u_int8_t	 pfra_not;
721	u_int8_t	 pfra_fback;
722};
723#define pfra_ip4addr    pfra_u._pfra_ip4addr
724#define pfra_ip6addr    pfra_u._pfra_ip6addr
725.Ed
726.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io"
727Delete one or more addresses from a table.
728On entry,
729.Va pfrio_table
730contains the table ID and
731.Va pfrio_buffer
732must point to an array of
733.Vt struct pfr_addr
734containing at least
735.Vt pfrio_size
736elements to delete from the table.
737.Vt pfrio_esize
738must be the size of
739.Vt struct pfr_addr .
740On exit,
741.Va pfrio_ndel
742contains the number of addresses effectively deleted.
743.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io"
744Replace the content of a table by a new address list.
745This is the most complicated command, which uses all the structure members.
746.Pp
747On entry,
748.Va pfrio_table
749contains the table ID and
750.Va pfrio_buffer
751must point to an array of
752.Vt struct pfr_addr
753containing at least
754.Vt pfrio_size
755elements which become the new contents of the table.
756.Vt pfrio_esize
757must be the size of
758.Vt struct pfr_addr .
759Additionally, if
760.Va pfrio_size2
761is non-zero,
762.Va pfrio_buffer[pfrio_size..pfrio_size2]
763must be a writeable buffer, into which the kernel can copy the
764addresses that have been deleted during the replace operation.
765On exit,
766.Va pfrio_ndel ,
767.Va pfrio_nadd ,
768and
769.Va pfrio_nchange
770contain the number of addresses deleted, added, and changed by the
771kernel.
772If
773.Va pfrio_size2
774was set on entry,
775.Va pfrio_size2
776will point to the size of the buffer used, exactly like
777.Dv DIOCRGETADDRS .
778.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io"
779Get all the addresses of a table.
780On entry,
781.Va pfrio_table
782contains the table ID and
783.Va pfrio_buffer[pfrio_size]
784contains a valid writeable buffer for
785.Vt pfr_addr
786structures.
787On exit,
788.Va pfrio_size
789contains the number of addresses written into the buffer.
790If the buffer was too small, the kernel does not store anything but just
791returns the required buffer size, without returning an error.
792.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io"
793This call is like
794.Dv DIOCRGETADDRS
795but is used to get an array of
796.Vt pfr_astats
797structures.
798.Bd -literal
799struct pfr_astats {
800	struct pfr_addr	 pfras_a;
801	u_int64_t	 pfras_packets
802			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
803	u_int64_t	 pfras_bytes
804			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
805	long		 pfras_tzero;
806};
807.Ed
808.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io"
809Clear the statistics of one or more addresses.
810On entry,
811.Va pfrio_table
812contains the table ID and
813.Va pfrio_buffer
814must point to an array of
815.Vt struct pfr_addr
816containing at least
817.Vt pfrio_size
818elements to be cleared from the table.
819.Vt pfrio_esize
820must be the size of
821.Vt struct pfr_addr .
822On exit,
823.Va pfrio_nzero
824contains the number of addresses effectively cleared.
825.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io"
826Test if the given addresses match a table.
827On entry,
828.Va pfrio_table
829contains the table ID and
830.Va pfrio_buffer
831must point to an array of
832.Vt struct pfr_addr
833containing at least
834.Vt pfrio_size
835elements, each of which will be tested for a match in the table.
836.Vt pfrio_esize
837must be the size of
838.Vt struct pfr_addr .
839On exit, the kernel updates the
840.Vt pfr_addr
841array by setting the
842.Va pfra_fback
843member appropriately.
844.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io"
845Change the
846.Dv PFR_TFLAG_CONST
847or
848.Dv PFR_TFLAG_PERSIST
849flags of a table.
850On entry,
851.Va pfrio_buffer
852must point to an array of
853.Vt struct pfr_table
854containing at least
855.Vt pfrio_size
856elements.
857.Va pfrio_esize
858must be the size of
859.Vt struct pfr_table .
860.Va pfrio_setflag
861must contain the flags to add, while
862.Va pfrio_clrflag
863must contain the flags to remove.
864On exit,
865.Va pfrio_nchange
866and
867.Va pfrio_ndel
868contain the number of tables altered or deleted by the kernel.
869Yes, tables can be deleted if one removes the
870.Dv PFR_TFLAG_PERSIST
871flag of an unreferenced table.
872.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io"
873Defines a table in the inactive set.
874On entry,
875.Va pfrio_table
876contains the table ID and
877.Va pfrio_buffer[pfrio_size]
878contains an array of
879.Vt pfr_addr
880structures to put in the table.
881A valid ticket must also be supplied to
882.Va pfrio_ticket .
883On exit,
884.Va pfrio_nadd
885contains 0 if the table was already defined in the inactive list
886or 1 if a new table has been created.
887.Va pfrio_naddr
888contains the number of addresses effectively put in the table.
889.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io"
890.Bd -literal
891struct pfioc_trans {
892	int		 size;	/* number of elements */
893	int		 esize;	/* size of each element in bytes */
894	struct pfioc_trans_e {
895		int		rs_num;
896		char		anchor[MAXPATHLEN];
897		u_int32_t	ticket;
898	}		*array;
899};
900.Ed
901.Pp
902Clear all the inactive rulesets specified in the
903.Vt pfioc_trans_e
904array.
905For each ruleset, a ticket is returned for subsequent "add rule" ioctls,
906as well as for the
907.Dv DIOCXCOMMIT
908and
909.Dv DIOCXROLLBACK
910calls.
911.Pp
912Ruleset types, identified by
913.Va rs_num ,
914include the following:
915.Pp
916.Bl -tag -width PF_RULESET_FILTER -offset ind -compact
917.It Dv PF_RULESET_SCRUB
918Scrub (packet normalization) rules.
919.It Dv PF_RULESET_FILTER
920Filter rules.
921.It Dv PF_RULESET_NAT
922NAT (Network Address Translation) rules.
923.It Dv PF_RULESET_BINAT
924Bidirectional NAT rules.
925.It Dv PF_RULESET_RDR
926Redirect rules.
927.It Dv PF_RULESET_ALTQ
928ALTQ disciplines.
929.It Dv PF_RULESET_TABLE
930Address tables.
931.El
932.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io"
933Atomically switch a vector of inactive rulesets to the active rulesets.
934This call is implemented as a standard two-phase commit, which will either
935fail for all rulesets or completely succeed.
936All tickets need to be valid.
937This ioctl returns
938.Er EBUSY
939if another process is concurrently updating some of the same rulesets.
940.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io"
941Clean up the kernel by undoing all changes that have taken place on the
942inactive rulesets since the last
943.Dv DIOCXBEGIN .
944.Dv DIOCXROLLBACK
945will silently ignore rulesets for which the ticket is invalid.
946.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid"
947Set the host ID, which is used by
948.Xr pfsync 4
949to identify which host created state table entries.
950.It Dv DIOCOSFPFLUSH
951Flush the passive OS fingerprint table.
952.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io"
953.Bd -literal
954struct pf_osfp_ioctl {
955	struct pf_osfp_entry {
956		SLIST_ENTRY(pf_osfp_entry) fp_entry;
957		pf_osfp_t		fp_os;
958		char			fp_class_nm[PF_OSFP_LEN];
959		char			fp_version_nm[PF_OSFP_LEN];
960		char			fp_subtype_nm[PF_OSFP_LEN];
961	} 			fp_os;
962	pf_tcpopts_t		fp_tcpopts;
963	u_int16_t		fp_wsize;
964	u_int16_t		fp_psize;
965	u_int16_t		fp_mss;
966	u_int16_t		fp_flags;
967	u_int8_t		fp_optcnt;
968	u_int8_t		fp_wscale;
969	u_int8_t		fp_ttl;
970	int			fp_getnum;
971};
972.Ed
973.Pp
974Add a passive OS fingerprint to the table.
975Set
976.Va fp_os.fp_os
977to the packed fingerprint,
978.Va fp_os.fp_class_nm
979to the name of the class (Linux, Windows, etc),
980.Va fp_os.fp_version_nm
981to the name of the version (NT, 95, 98), and
982.Va fp_os.fp_subtype_nm
983to the name of the subtype or patchlevel.
984The members
985.Va fp_mss ,
986.Va fp_wsize ,
987.Va fp_psize ,
988.Va fp_ttl ,
989.Va fp_optcnt ,
990and
991.Va fp_wscale
992are set to the TCP MSS, the TCP window size, the IP length, the IP TTL,
993the number of TCP options, and the TCP window scaling constant of the
994TCP SYN packet, respectively.
995.Pp
996The
997.Va fp_flags
998member is filled according to the
999.Aq Pa net/pfvar.h
1000include file
1001.Dv PF_OSFP_*
1002defines.
1003The
1004.Va fp_tcpopts
1005member contains packed TCP options.
1006Each option uses
1007.Dv PF_OSFP_TCPOPT_BITS
1008bits in the packed value.
1009Options include any of
1010.Dv PF_OSFP_TCPOPT_NOP ,
1011.Dv PF_OSFP_TCPOPT_SACK ,
1012.Dv PF_OSFP_TCPOPT_WSCALE ,
1013.Dv PF_OSFP_TCPOPT_MSS ,
1014or
1015.Dv PF_OSFP_TCPOPT_TS .
1016.Pp
1017The
1018.Va fp_getnum
1019member is not used with this ioctl.
1020.Pp
1021The structure's slack space must be zeroed for correct operation;
1022.Xr memset 3
1023the whole structure to zero before filling and sending to the kernel.
1024.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io"
1025Get the passive OS fingerprint number
1026.Va fp_getnum
1027from the kernel's fingerprint list.
1028The rest of the structure members will come back filled.
1029Get the whole list by repeatedly incrementing the
1030.Va fp_getnum
1031number until the ioctl returns
1032.Er EBUSY .
1033.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn"
1034.Bd -literal
1035struct pfioc_src_nodes {
1036	int	psn_len;
1037	union {
1038		caddr_t		psu_buf;
1039		struct pf_src_node	*psu_src_nodes;
1040	} psn_u;
1041#define psn_buf		psn_u.psu_buf
1042#define psn_src_nodes	psn_u.psu_src_nodes
1043};
1044.Ed
1045.Pp
1046Get the list of source nodes kept by sticky addresses and source
1047tracking.
1048The ioctl must be called once with
1049.Va psn_len
1050set to 0.
1051If the ioctl returns without error,
1052.Va psn_len
1053will be set to the size of the buffer required to hold all the
1054.Va pf_src_node
1055structures held in the table.
1056A buffer of this size should then be allocated, and a pointer to this buffer
1057placed in
1058.Va psn_buf .
1059The ioctl must then be called again to fill this buffer with the actual
1060source node data.
1061After that call,
1062.Va psn_len
1063will be set to the length of the buffer actually used.
1064.It Dv DIOCCLRSRCNODES
1065Clear the tree of source tracking nodes.
1066.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io"
1067Get the list of interfaces and interface drivers known to
1068.Nm .
1069All the ioctls that manipulate interfaces
1070use the same structure described below:
1071.Bd -literal
1072struct pfioc_iface {
1073	char			 pfiio_name[IFNAMSIZ];
1074	void			*pfiio_buffer;
1075	int			 pfiio_esize;
1076	int			 pfiio_size;
1077	int			 pfiio_nzero;
1078	int			 pfiio_flags;
1079};
1080.Ed
1081.Pp
1082If not empty,
1083.Va pfiio_name
1084can be used to restrict the search to a specific interface or driver.
1085.Va pfiio_buffer[pfiio_size]
1086is the user-supplied buffer for returning the data.
1087On entry,
1088.Va pfiio_size
1089contains the number of
1090.Vt pfi_kif
1091entries that can fit into the buffer.
1092The kernel will replace this value by the real number of entries it wants
1093to return.
1094.Va pfiio_esize
1095should be set to
1096.Li sizeof(struct pfi_kif) .
1097.Pp
1098The data is returned in the
1099.Vt pfi_kif
1100structure described below:
1101.Bd -literal
1102struct pfi_kif {
1103	char				 pfik_name[IFNAMSIZ];
1104	union {
1105		RB_ENTRY(pfi_kif)	 pfik_tree;
1106		LIST_ENTRY(pfi_kif)	 pfik_list;
1107	};
1108	u_int64_t			 pfik_packets[2][2][2];
1109	u_int64_t			 pfik_bytes[2][2][2];
1110	u_int32_t			 pfik_tzero;
1111	u_int				 pfik_flags;
1112	struct ifnet			*pfik_ifp;
1113	struct ifg_group		*pfik_group;
1114	u_int				 pfik_rulerefs;
1115	TAILQ_HEAD(, pfi_dynaddr)	 pfik_dynaddrs;
1116};
1117.Ed
1118.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io"
1119Set the user settable flags (described above) of the
1120.Nm
1121internal interface description.
1122The filtering process is the same as for
1123.Dv DIOCIGETIFACES .
1124.Bd -literal
1125#define PFI_IFLAG_SKIP	0x0100	/* skip filtering on interface */
1126.Ed
1127.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
1128Works as
1129.Dv DIOCSETIFFLAG
1130above but clears the flags.
1131.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
1132Explicitly remove source tracking nodes.
1133.El
1134.Sh FILES
1135.Bl -tag -width /dev/pf -compact
1136.It Pa /dev/pf
1137packet filtering device.
1138.El
1139.Sh EXAMPLES
1140The following example demonstrates how to use the
1141.Dv DIOCNATLOOK
1142command to find the internal host/port of a NATed connection:
1143.Bd -literal
1144#include <sys/types.h>
1145#include <sys/socket.h>
1146#include <sys/ioctl.h>
1147#include <sys/fcntl.h>
1148#include <net/if.h>
1149#include <netinet/in.h>
1150#include <net/pfvar.h>
1151#include <err.h>
1152#include <stdio.h>
1153#include <stdlib.h>
1154
1155u_int32_t
1156read_address(const char *s)
1157{
1158	int a, b, c, d;
1159
1160	sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
1161	return htonl(a << 24 | b << 16 | c << 8 | d);
1162}
1163
1164void
1165print_address(u_int32_t a)
1166{
1167	a = ntohl(a);
1168	printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
1169	    a >> 8 & 255, a & 255);
1170}
1171
1172int
1173main(int argc, char *argv[])
1174{
1175	struct pfioc_natlook nl;
1176	int dev;
1177
1178	if (argc != 5) {
1179		printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n",
1180		    argv[0]);
1181		return 1;
1182	}
1183
1184	dev = open("/dev/pf", O_RDWR);
1185	if (dev == -1)
1186		err(1, "open(\\"/dev/pf\\") failed");
1187
1188	memset(&nl, 0, sizeof(struct pfioc_natlook));
1189	nl.saddr.v4.s_addr	= read_address(argv[1]);
1190	nl.sport		= htons(atoi(argv[2]));
1191	nl.daddr.v4.s_addr	= read_address(argv[3]);
1192	nl.dport		= htons(atoi(argv[4]));
1193	nl.af			= AF_INET;
1194	nl.proto		= IPPROTO_TCP;
1195	nl.direction		= PF_IN;
1196
1197	if (ioctl(dev, DIOCNATLOOK, &nl))
1198		err(1, "DIOCNATLOOK");
1199
1200	printf("internal host ");
1201	print_address(nl.rsaddr.v4.s_addr);
1202	printf(":%u\\n", ntohs(nl.rsport));
1203	return 0;
1204}
1205.Ed
1206.Sh SEE ALSO
1207.Xr ioctl 2 ,
1208.Xr altq 4 ,
1209.Xr if_bridge 4 ,
1210.Xr pflog 4 ,
1211.Xr pfsync 4 ,
1212.Xr pfctl 8 ,
1213.Xr altq 9
1214.Sh HISTORY
1215The
1216.Nm
1217packet filtering mechanism first appeared in
1218.Ox 3.0
1219and then
1220.Fx 5.2 .
1221.Pp
1222This implementation is derived from
1223.Ox 4.5 .
1224It has been heavily modified to be capable of running in multithreaded
1225.Fx
1226kernel and scale its performance on multiple CPUs.
1227