1.\" $OpenBSD: pf.4,v 1.62 2008/09/10 14:57:37 jmc Exp $ 2.\" 3.\" Copyright (C) 2001, Kjell Wooding. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. Neither the name of the project nor the names of its contributors 14.\" may be used to endorse or promote products derived from this software 15.\" without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" 29.\" $FreeBSD$ 30.\" 31.Dd July 12, 2023 32.Dt PF 4 33.Os 34.Sh NAME 35.Nm pf 36.Nd packet filter 37.Sh SYNOPSIS 38.Cd "device pf" 39.Cd "options PF_DEFAULT_TO_DROP" 40.Sh DESCRIPTION 41Packet filtering takes place in the kernel. 42A pseudo-device, 43.Pa /dev/pf , 44allows userland processes to control the 45behavior of the packet filter through an 46.Xr ioctl 2 47interface. 48There are commands to enable and disable the filter, load rulesets, 49add and remove individual rules or state table entries, 50and retrieve statistics. 51The most commonly used functions are covered by 52.Xr pfctl 8 . 53.Pp 54Manipulations like loading a ruleset that involve more than a single 55.Xr ioctl 2 56call require a so-called 57.Em ticket , 58which prevents the occurrence of 59multiple concurrent manipulations. 60.Pp 61Fields of 62.Xr ioctl 2 63parameter structures that refer to packet data (like 64addresses and ports) are generally expected in network byte-order. 65.Pp 66Rules and address tables are contained in so-called 67.Em anchors . 68When servicing an 69.Xr ioctl 2 70request, if the anchor field of the argument structure is empty, 71the kernel will use the default anchor (i.e., the main ruleset) 72in operations. 73Anchors are specified by name and may be nested, with components 74separated by 75.Sq / 76characters, similar to how file system hierarchies are laid out. 77The final component of the anchor path is the anchor under which 78operations will be performed. 79.Sh SYSCTL VARIABLES AND LOADER TUNABLES 80The following 81.Xr loader 8 82tunables are available. 83.Bl -tag -width indent 84.It Va net.pf.states_hashsize 85Size of hash tables that store states. 86Should be power of 2. 87Default value is 131072. 88.It Va net.pf.source_nodes_hashsize 89Size of hash table that store source nodes. 90Should be power of 2. 91Default value is 32768. 92.El 93.Pp 94Read only 95.Xr sysctl 8 96variables with matching names are provided to obtain current values 97at runtime. 98.Sh KERNEL OPTIONS 99The following options in the kernel configuration file are related to 100.Nm 101operation: 102.Pp 103.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact 104.It Dv PF_DEFAULT_TO_DROP 105Change default policy to drop by default 106.El 107.Sh IOCTL INTERFACE 108.Nm 109supports the following 110.Xr ioctl 2 111commands, available through 112.Aq Pa net/pfvar.h : 113.Bl -tag -width xxxxxx 114.It Dv DIOCSTART 115Start the packet filter. 116.It Dv DIOCSTOP 117Stop the packet filter. 118.It Dv DIOCSTARTALTQ 119Start the ALTQ bandwidth control system (see 120.Xr altq 9 ) . 121.It Dv DIOCSTOPALTQ 122Stop the ALTQ bandwidth control system. 123.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp" 124.Bd -literal 125struct pfioc_pooladdr { 126 u_int32_t action; 127 u_int32_t ticket; 128 u_int32_t nr; 129 u_int32_t r_num; 130 u_int8_t r_action; 131 u_int8_t r_last; 132 u_int8_t af; 133 char anchor[MAXPATHLEN]; 134 struct pf_pooladdr addr; 135}; 136.Ed 137.Pp 138Clear the buffer address pool and get a 139.Va ticket 140for subsequent 141.Dv DIOCADDADDR , 142.Dv DIOCADDRULE , 143and 144.Dv DIOCCHANGERULE 145calls. 146.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp" 147.Pp 148Add the pool address 149.Va addr 150to the buffer address pool to be used in the following 151.Dv DIOCADDRULE 152or 153.Dv DIOCCHANGERULE 154call. 155All other members of the structure are ignored. 156.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr" 157.Bd -literal 158struct pfioc_rule { 159 u_int32_t action; 160 u_int32_t ticket; 161 u_int32_t pool_ticket; 162 u_int32_t nr; 163 char anchor[MAXPATHLEN]; 164 char anchor_call[MAXPATHLEN]; 165 struct pf_rule rule; 166}; 167.Ed 168.Pp 169Add 170.Va rule 171at the end of the inactive ruleset. 172This call requires a 173.Va ticket 174obtained through a preceding 175.Dv DIOCXBEGIN 176call and a 177.Va pool_ticket 178obtained through a 179.Dv DIOCBEGINADDRS 180call. 181.Dv DIOCADDADDR 182must also be called if any pool addresses are required. 183The optional 184.Va anchor 185name indicates the anchor in which to append the rule. 186.Va nr 187and 188.Va action 189are ignored. 190.It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa" 191Add an ALTQ discipline or queue. 192.Bd -literal 193struct pfioc_altq { 194 u_int32_t action; 195 u_int32_t ticket; 196 u_int32_t nr; 197 struct pf_altq altq; 198}; 199.Ed 200.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr" 201Get a 202.Va ticket 203for subsequent 204.Dv DIOCGETRULE 205calls and the number 206.Va nr 207of rules in the active ruleset. 208.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr" 209Get a 210.Va rule 211by its number 212.Va nr 213using the 214.Va ticket 215obtained through a preceding 216.Dv DIOCGETRULES 217call. 218If 219.Va action 220is set to 221.Dv PF_GET_CLR_CNTR , 222the per-rule statistics on the requested rule are cleared. 223.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp" 224Get a 225.Va ticket 226for subsequent 227.Dv DIOCGETADDR 228calls and the number 229.Va nr 230of pool addresses in the rule specified with 231.Va r_action , 232.Va r_num , 233and 234.Va anchor . 235.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp" 236Get the pool address 237.Va addr 238by its number 239.Va nr 240from the rule specified with 241.Va r_action , 242.Va r_num , 243and 244.Va anchor 245using the 246.Va ticket 247obtained through a preceding 248.Dv DIOCGETADDRS 249call. 250.It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa" 251Get a 252.Va ticket 253for subsequent 254.Dv DIOCGETALTQ 255calls and the number 256.Va nr 257of queues in the active list. 258.It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa" 259Get the queueing discipline 260.Va altq 261by its number 262.Va nr 263using the 264.Va ticket 265obtained through a preceding 266.Dv DIOCGETALTQS 267call. 268.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq" 269Get the statistics on a queue. 270.Bd -literal 271struct pfioc_qstats { 272 u_int32_t ticket; 273 u_int32_t nr; 274 void *buf; 275 int nbytes; 276 u_int8_t scheduler; 277}; 278.Ed 279.Pp 280This call fills in a pointer to the buffer of statistics 281.Va buf , 282of length 283.Va nbytes , 284for the queue specified by 285.Va nr . 286.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr" 287.Bd -literal 288struct pfioc_ruleset { 289 u_int32_t nr; 290 char path[MAXPATHLEN]; 291 char name[PF_ANCHOR_NAME_SIZE]; 292}; 293.Ed 294.Pp 295Get the number 296.Va nr 297of rulesets (i.e., anchors) directly attached to the anchor named by 298.Va path 299for use in subsequent 300.Dv DIOCGETRULESET 301calls. 302Nested anchors, since they are not directly attached to the given 303anchor, will not be included. 304This ioctl returns 305.Er ENOENT 306if the parent anchor given at 307.Va path 308does not exist. 309.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr" 310Get a ruleset (i.e., an anchor) 311.Va name 312by its number 313.Va nr 314from the given anchor 315.Va path , 316the maximum number of which can be obtained from a preceding 317.Dv DIOCGETRULESETS 318call. 319This ioctl returns 320.Er ENOENT 321if the parent anchor given by 322.Va path 323does not exist or 324.Er EBUSY 325if the index passed in by 326.Va nr 327is greater than the number of anchors. 328.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps" 329Add a state entry. 330.Bd -literal 331struct pfioc_state { 332 struct pfsync_state state; 333}; 334.Ed 335.It Dv DIOCGETSTATENV Fa "struct pfioc_nv *nv" 336Extract the entry identified by the 337.Va id 338and 339.Va creatorid 340fields of the 341.Va state 342nvlist from the state table. 343.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk" 344Remove matching entries from the state table. 345This ioctl returns the number of killed states in 346.Va psk_killed . 347.Bd -literal 348struct pfioc_state_kill { 349 struct pf_state_cmp psk_pfcmp; 350 sa_family_t psk_af; 351 int psk_proto; 352 struct pf_rule_addr psk_src; 353 struct pf_rule_addr psk_dst; 354 char psk_ifname[IFNAMSIZ]; 355 char psk_label[PF_RULE_LABEL_SIZE]; 356 u_int psk_killed; 357}; 358.Ed 359.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk" 360Clear all states. 361It works like 362.Dv DIOCKILLSTATES , 363but ignores the 364.Va psk_af , 365.Va psk_proto , 366.Va psk_src , 367and 368.Va psk_dst 369fields of the 370.Vt pfioc_state_kill 371structure. 372.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi" 373Specify the interface for which statistics are accumulated. 374.Bd -literal 375struct pfioc_if { 376 char ifname[IFNAMSIZ]; 377}; 378.Ed 379.It Dv DIOCGETSTATUS Fa "struct pf_status *s" 380Get the internal packet filter statistics. 381.Bd -literal 382struct pf_status { 383 u_int64_t counters[PFRES_MAX]; 384 u_int64_t lcounters[LCNT_MAX]; 385 u_int64_t fcounters[FCNT_MAX]; 386 u_int64_t scounters[SCNT_MAX]; 387 u_int64_t pcounters[2][2][3]; 388 u_int64_t bcounters[2][2]; 389 u_int32_t running; 390 u_int32_t states; 391 u_int32_t src_nodes; 392 u_int32_t since; 393 u_int32_t debug; 394 u_int32_t hostid; 395 char ifname[IFNAMSIZ]; 396 u_int8_t pf_chksum[MD5_DIGEST_LENGTH]; 397}; 398.Ed 399.It Dv DIOCCLRSTATUS 400Clear the internal packet filter statistics. 401.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl" 402Look up a state table entry by source and destination addresses and ports. 403.Bd -literal 404struct pfioc_natlook { 405 struct pf_addr saddr; 406 struct pf_addr daddr; 407 struct pf_addr rsaddr; 408 struct pf_addr rdaddr; 409 u_int16_t sport; 410 u_int16_t dport; 411 u_int16_t rsport; 412 u_int16_t rdport; 413 sa_family_t af; 414 u_int8_t proto; 415 u_int8_t direction; 416}; 417.Ed 418.It Dv DIOCSETDEBUG Fa "u_int32_t *level" 419Set the debug level. 420.Bd -literal 421enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, 422 PF_DEBUG_NOISY }; 423.Ed 424.It Dv DIOCGETSTATESNV Fa "struct pfioc_nv *nv" 425Get state table entries. 426.Bd -literal 427nvlist pf_state_key { 428 nvlist pf_addr addr[2]; 429 number port[2]; 430 number af; 431 number proto; 432}; 433 434nvlist pf_state_scrub { 435 bool timestamp; 436 number ttl; 437 number ts_mod; 438}; 439 440nvlist pf_state_peer { 441 nvlist pf_state_scrub scrub; 442 number seqlo; 443 number seqhi; 444 number seqdiff; 445 number max_win; 446 number mss; 447 number state; 448 number wscale; 449}; 450 451nvlist pf_state { 452 number id; 453 string ifname; 454 nvlist pf_state_key stack_key; 455 nvlist pf_state_key wire_key; 456 nvlist pf_state_peer src; 457 nvlist pf_state_peer dst; 458 nvlist pf_addr rt_addr; 459 number rule; 460 number anchor; 461 number nat_rule; 462 number expire; 463 number packets[2]; 464 number bytes[2]; 465 number creatorid; 466 number direction; 467 number log; 468 number state_flags; 469 number timeout; 470 number sync_flags; 471}; 472 473nvlist pf_states { 474 number count; 475 nvlist pf_state states[]; 476}; 477.Ed 478.Pp 479If 480.Va pfioc_nv.size 481is insufficiently large, as many states as possible that can fit into this 482size will be copied into the supplied buffer. 483.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr" 484Add or remove the 485.Va rule 486in the ruleset specified by 487.Va rule.action . 488.Pp 489The type of operation to be performed is indicated by 490.Va action , 491which can be any of the following: 492.Bd -literal 493enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 494 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 495 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; 496.Ed 497.Pp 498.Va ticket 499must be set to the value obtained with 500.Dv PF_CHANGE_GET_TICKET 501for all actions except 502.Dv PF_CHANGE_GET_TICKET . 503.Va pool_ticket 504must be set to the value obtained with the 505.Dv DIOCBEGINADDRS 506call for all actions except 507.Dv PF_CHANGE_REMOVE 508and 509.Dv PF_CHANGE_GET_TICKET . 510.Va anchor 511indicates to which anchor the operation applies. 512.Va nr 513indicates the rule number against which 514.Dv PF_CHANGE_ADD_BEFORE , 515.Dv PF_CHANGE_ADD_AFTER , 516or 517.Dv PF_CHANGE_REMOVE 518actions are applied. 519.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr" 520.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca" 521Add or remove the pool address 522.Va addr 523from the rule specified by 524.Va r_action , 525.Va r_num , 526and 527.Va anchor . 528.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt" 529.Bd -literal 530struct pfioc_tm { 531 int timeout; 532 int seconds; 533}; 534.Ed 535.Pp 536Set the state timeout of 537.Va timeout 538to 539.Va seconds . 540The old value will be placed into 541.Va seconds . 542For possible values of 543.Va timeout , 544consult the 545.Dv PFTM_* 546values in 547.Aq Pa net/pfvar.h . 548.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt" 549Get the state timeout of 550.Va timeout . 551The value will be placed into the 552.Va seconds 553field. 554.It Dv DIOCCLRRULECTRS 555Clear per-rule statistics. 556.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl" 557Set the hard limits on the memory pools used by the packet filter. 558.Bd -literal 559struct pfioc_limit { 560 int index; 561 unsigned limit; 562}; 563 564enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, 565 PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; 566.Ed 567.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl" 568Get the hard 569.Va limit 570for the memory pool indicated by 571.Va index . 572.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io" 573Clear all tables. 574All the ioctls that manipulate radix tables 575use the same structure described below. 576For 577.Dv DIOCRCLRTABLES , 578.Va pfrio_ndel 579contains on exit the number of tables deleted. 580.Bd -literal 581struct pfioc_table { 582 struct pfr_table pfrio_table; 583 void *pfrio_buffer; 584 int pfrio_esize; 585 int pfrio_size; 586 int pfrio_size2; 587 int pfrio_nadd; 588 int pfrio_ndel; 589 int pfrio_nchange; 590 int pfrio_flags; 591 u_int32_t pfrio_ticket; 592}; 593#define pfrio_exists pfrio_nadd 594#define pfrio_nzero pfrio_nadd 595#define pfrio_nmatch pfrio_nadd 596#define pfrio_naddr pfrio_size2 597#define pfrio_setflag pfrio_size2 598#define pfrio_clrflag pfrio_nadd 599.Ed 600.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io" 601Create one or more tables. 602On entry, 603.Va pfrio_buffer 604must point to an array of 605.Vt struct pfr_table 606containing at least 607.Vt pfrio_size 608elements. 609.Vt pfrio_esize 610must be the size of 611.Vt struct pfr_table . 612On exit, 613.Va pfrio_nadd 614contains the number of tables effectively created. 615.Bd -literal 616struct pfr_table { 617 char pfrt_anchor[MAXPATHLEN]; 618 char pfrt_name[PF_TABLE_NAME_SIZE]; 619 u_int32_t pfrt_flags; 620 u_int8_t pfrt_fback; 621}; 622.Ed 623.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io" 624Delete one or more tables. 625On entry, 626.Va pfrio_buffer 627must point to an array of 628.Vt struct pfr_table 629containing at least 630.Vt pfrio_size 631elements. 632.Vt pfrio_esize 633must be the size of 634.Vt struct pfr_table . 635On exit, 636.Va pfrio_ndel 637contains the number of tables effectively deleted. 638.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io" 639Get the list of all tables. 640On entry, 641.Va pfrio_buffer[pfrio_size] 642contains a valid writeable buffer for 643.Vt pfr_table 644structures. 645On exit, 646.Va pfrio_size 647contains the number of tables written into the buffer. 648If the buffer is too small, the kernel does not store anything but just 649returns the required buffer size, without error. 650.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io" 651This call is like 652.Dv DIOCRGETTABLES 653but is used to get an array of 654.Vt pfr_tstats 655structures. 656.Bd -literal 657struct pfr_tstats { 658 struct pfr_table pfrts_t; 659 u_int64_t pfrts_packets 660 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 661 u_int64_t pfrts_bytes 662 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 663 u_int64_t pfrts_match; 664 u_int64_t pfrts_nomatch; 665 long pfrts_tzero; 666 int pfrts_cnt; 667 int pfrts_refcnt[PFR_REFCNT_MAX]; 668}; 669#define pfrts_name pfrts_t.pfrt_name 670#define pfrts_flags pfrts_t.pfrt_flags 671.Ed 672.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io" 673Clear the statistics of one or more tables. 674On entry, 675.Va pfrio_buffer 676must point to an array of 677.Vt struct pfr_table 678containing at least 679.Vt pfrio_size 680elements. 681.Vt pfrio_esize 682must be the size of 683.Vt struct pfr_table . 684On exit, 685.Va pfrio_nzero 686contains the number of tables effectively cleared. 687.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io" 688Clear all addresses in a table. 689On entry, 690.Va pfrio_table 691contains the table to clear. 692On exit, 693.Va pfrio_ndel 694contains the number of addresses removed. 695.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io" 696Add one or more addresses to a table. 697On entry, 698.Va pfrio_table 699contains the table ID and 700.Va pfrio_buffer 701must point to an array of 702.Vt struct pfr_addr 703containing at least 704.Vt pfrio_size 705elements to add to the table. 706.Vt pfrio_esize 707must be the size of 708.Vt struct pfr_addr . 709On exit, 710.Va pfrio_nadd 711contains the number of addresses effectively added. 712.Bd -literal 713struct pfr_addr { 714 union { 715 struct in_addr _pfra_ip4addr; 716 struct in6_addr _pfra_ip6addr; 717 } pfra_u; 718 u_int8_t pfra_af; 719 u_int8_t pfra_net; 720 u_int8_t pfra_not; 721 u_int8_t pfra_fback; 722}; 723#define pfra_ip4addr pfra_u._pfra_ip4addr 724#define pfra_ip6addr pfra_u._pfra_ip6addr 725.Ed 726.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io" 727Delete one or more addresses from a table. 728On entry, 729.Va pfrio_table 730contains the table ID and 731.Va pfrio_buffer 732must point to an array of 733.Vt struct pfr_addr 734containing at least 735.Vt pfrio_size 736elements to delete from the table. 737.Vt pfrio_esize 738must be the size of 739.Vt struct pfr_addr . 740On exit, 741.Va pfrio_ndel 742contains the number of addresses effectively deleted. 743.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io" 744Replace the content of a table by a new address list. 745This is the most complicated command, which uses all the structure members. 746.Pp 747On entry, 748.Va pfrio_table 749contains the table ID and 750.Va pfrio_buffer 751must point to an array of 752.Vt struct pfr_addr 753containing at least 754.Vt pfrio_size 755elements which become the new contents of the table. 756.Vt pfrio_esize 757must be the size of 758.Vt struct pfr_addr . 759Additionally, if 760.Va pfrio_size2 761is non-zero, 762.Va pfrio_buffer[pfrio_size..pfrio_size2] 763must be a writeable buffer, into which the kernel can copy the 764addresses that have been deleted during the replace operation. 765On exit, 766.Va pfrio_ndel , 767.Va pfrio_nadd , 768and 769.Va pfrio_nchange 770contain the number of addresses deleted, added, and changed by the 771kernel. 772If 773.Va pfrio_size2 774was set on entry, 775.Va pfrio_size2 776will point to the size of the buffer used, exactly like 777.Dv DIOCRGETADDRS . 778.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io" 779Get all the addresses of a table. 780On entry, 781.Va pfrio_table 782contains the table ID and 783.Va pfrio_buffer[pfrio_size] 784contains a valid writeable buffer for 785.Vt pfr_addr 786structures. 787On exit, 788.Va pfrio_size 789contains the number of addresses written into the buffer. 790If the buffer was too small, the kernel does not store anything but just 791returns the required buffer size, without returning an error. 792.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io" 793This call is like 794.Dv DIOCRGETADDRS 795but is used to get an array of 796.Vt pfr_astats 797structures. 798.Bd -literal 799struct pfr_astats { 800 struct pfr_addr pfras_a; 801 u_int64_t pfras_packets 802 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 803 u_int64_t pfras_bytes 804 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 805 long pfras_tzero; 806}; 807.Ed 808.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io" 809Clear the statistics of one or more addresses. 810On entry, 811.Va pfrio_table 812contains the table ID and 813.Va pfrio_buffer 814must point to an array of 815.Vt struct pfr_addr 816containing at least 817.Vt pfrio_size 818elements to be cleared from the table. 819.Vt pfrio_esize 820must be the size of 821.Vt struct pfr_addr . 822On exit, 823.Va pfrio_nzero 824contains the number of addresses effectively cleared. 825.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io" 826Test if the given addresses match a table. 827On entry, 828.Va pfrio_table 829contains the table ID and 830.Va pfrio_buffer 831must point to an array of 832.Vt struct pfr_addr 833containing at least 834.Vt pfrio_size 835elements, each of which will be tested for a match in the table. 836.Vt pfrio_esize 837must be the size of 838.Vt struct pfr_addr . 839On exit, the kernel updates the 840.Vt pfr_addr 841array by setting the 842.Va pfra_fback 843member appropriately. 844.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io" 845Change the 846.Dv PFR_TFLAG_CONST 847or 848.Dv PFR_TFLAG_PERSIST 849flags of a table. 850On entry, 851.Va pfrio_buffer 852must point to an array of 853.Vt struct pfr_table 854containing at least 855.Vt pfrio_size 856elements. 857.Va pfrio_esize 858must be the size of 859.Vt struct pfr_table . 860.Va pfrio_setflag 861must contain the flags to add, while 862.Va pfrio_clrflag 863must contain the flags to remove. 864On exit, 865.Va pfrio_nchange 866and 867.Va pfrio_ndel 868contain the number of tables altered or deleted by the kernel. 869Yes, tables can be deleted if one removes the 870.Dv PFR_TFLAG_PERSIST 871flag of an unreferenced table. 872.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io" 873Defines a table in the inactive set. 874On entry, 875.Va pfrio_table 876contains the table ID and 877.Va pfrio_buffer[pfrio_size] 878contains an array of 879.Vt pfr_addr 880structures to put in the table. 881A valid ticket must also be supplied to 882.Va pfrio_ticket . 883On exit, 884.Va pfrio_nadd 885contains 0 if the table was already defined in the inactive list 886or 1 if a new table has been created. 887.Va pfrio_naddr 888contains the number of addresses effectively put in the table. 889.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io" 890.Bd -literal 891struct pfioc_trans { 892 int size; /* number of elements */ 893 int esize; /* size of each element in bytes */ 894 struct pfioc_trans_e { 895 int rs_num; 896 char anchor[MAXPATHLEN]; 897 u_int32_t ticket; 898 } *array; 899}; 900.Ed 901.Pp 902Clear all the inactive rulesets specified in the 903.Vt pfioc_trans_e 904array. 905For each ruleset, a ticket is returned for subsequent "add rule" ioctls, 906as well as for the 907.Dv DIOCXCOMMIT 908and 909.Dv DIOCXROLLBACK 910calls. 911.Pp 912Ruleset types, identified by 913.Va rs_num , 914include the following: 915.Pp 916.Bl -tag -width PF_RULESET_FILTER -offset ind -compact 917.It Dv PF_RULESET_SCRUB 918Scrub (packet normalization) rules. 919.It Dv PF_RULESET_FILTER 920Filter rules. 921.It Dv PF_RULESET_NAT 922NAT (Network Address Translation) rules. 923.It Dv PF_RULESET_BINAT 924Bidirectional NAT rules. 925.It Dv PF_RULESET_RDR 926Redirect rules. 927.It Dv PF_RULESET_ALTQ 928ALTQ disciplines. 929.It Dv PF_RULESET_TABLE 930Address tables. 931.El 932.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io" 933Atomically switch a vector of inactive rulesets to the active rulesets. 934This call is implemented as a standard two-phase commit, which will either 935fail for all rulesets or completely succeed. 936All tickets need to be valid. 937This ioctl returns 938.Er EBUSY 939if another process is concurrently updating some of the same rulesets. 940.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io" 941Clean up the kernel by undoing all changes that have taken place on the 942inactive rulesets since the last 943.Dv DIOCXBEGIN . 944.Dv DIOCXROLLBACK 945will silently ignore rulesets for which the ticket is invalid. 946.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid" 947Set the host ID, which is used by 948.Xr pfsync 4 949to identify which host created state table entries. 950.It Dv DIOCOSFPFLUSH 951Flush the passive OS fingerprint table. 952.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io" 953.Bd -literal 954struct pf_osfp_ioctl { 955 struct pf_osfp_entry { 956 SLIST_ENTRY(pf_osfp_entry) fp_entry; 957 pf_osfp_t fp_os; 958 char fp_class_nm[PF_OSFP_LEN]; 959 char fp_version_nm[PF_OSFP_LEN]; 960 char fp_subtype_nm[PF_OSFP_LEN]; 961 } fp_os; 962 pf_tcpopts_t fp_tcpopts; 963 u_int16_t fp_wsize; 964 u_int16_t fp_psize; 965 u_int16_t fp_mss; 966 u_int16_t fp_flags; 967 u_int8_t fp_optcnt; 968 u_int8_t fp_wscale; 969 u_int8_t fp_ttl; 970 int fp_getnum; 971}; 972.Ed 973.Pp 974Add a passive OS fingerprint to the table. 975Set 976.Va fp_os.fp_os 977to the packed fingerprint, 978.Va fp_os.fp_class_nm 979to the name of the class (Linux, Windows, etc), 980.Va fp_os.fp_version_nm 981to the name of the version (NT, 95, 98), and 982.Va fp_os.fp_subtype_nm 983to the name of the subtype or patchlevel. 984The members 985.Va fp_mss , 986.Va fp_wsize , 987.Va fp_psize , 988.Va fp_ttl , 989.Va fp_optcnt , 990and 991.Va fp_wscale 992are set to the TCP MSS, the TCP window size, the IP length, the IP TTL, 993the number of TCP options, and the TCP window scaling constant of the 994TCP SYN packet, respectively. 995.Pp 996The 997.Va fp_flags 998member is filled according to the 999.Aq Pa net/pfvar.h 1000include file 1001.Dv PF_OSFP_* 1002defines. 1003The 1004.Va fp_tcpopts 1005member contains packed TCP options. 1006Each option uses 1007.Dv PF_OSFP_TCPOPT_BITS 1008bits in the packed value. 1009Options include any of 1010.Dv PF_OSFP_TCPOPT_NOP , 1011.Dv PF_OSFP_TCPOPT_SACK , 1012.Dv PF_OSFP_TCPOPT_WSCALE , 1013.Dv PF_OSFP_TCPOPT_MSS , 1014or 1015.Dv PF_OSFP_TCPOPT_TS . 1016.Pp 1017The 1018.Va fp_getnum 1019member is not used with this ioctl. 1020.Pp 1021The structure's slack space must be zeroed for correct operation; 1022.Xr memset 3 1023the whole structure to zero before filling and sending to the kernel. 1024.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io" 1025Get the passive OS fingerprint number 1026.Va fp_getnum 1027from the kernel's fingerprint list. 1028The rest of the structure members will come back filled. 1029Get the whole list by repeatedly incrementing the 1030.Va fp_getnum 1031number until the ioctl returns 1032.Er EBUSY . 1033.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn" 1034.Bd -literal 1035struct pfioc_src_nodes { 1036 int psn_len; 1037 union { 1038 caddr_t psu_buf; 1039 struct pf_src_node *psu_src_nodes; 1040 } psn_u; 1041#define psn_buf psn_u.psu_buf 1042#define psn_src_nodes psn_u.psu_src_nodes 1043}; 1044.Ed 1045.Pp 1046Get the list of source nodes kept by sticky addresses and source 1047tracking. 1048The ioctl must be called once with 1049.Va psn_len 1050set to 0. 1051If the ioctl returns without error, 1052.Va psn_len 1053will be set to the size of the buffer required to hold all the 1054.Va pf_src_node 1055structures held in the table. 1056A buffer of this size should then be allocated, and a pointer to this buffer 1057placed in 1058.Va psn_buf . 1059The ioctl must then be called again to fill this buffer with the actual 1060source node data. 1061After that call, 1062.Va psn_len 1063will be set to the length of the buffer actually used. 1064.It Dv DIOCCLRSRCNODES 1065Clear the tree of source tracking nodes. 1066.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io" 1067Get the list of interfaces and interface drivers known to 1068.Nm . 1069All the ioctls that manipulate interfaces 1070use the same structure described below: 1071.Bd -literal 1072struct pfioc_iface { 1073 char pfiio_name[IFNAMSIZ]; 1074 void *pfiio_buffer; 1075 int pfiio_esize; 1076 int pfiio_size; 1077 int pfiio_nzero; 1078 int pfiio_flags; 1079}; 1080.Ed 1081.Pp 1082If not empty, 1083.Va pfiio_name 1084can be used to restrict the search to a specific interface or driver. 1085.Va pfiio_buffer[pfiio_size] 1086is the user-supplied buffer for returning the data. 1087On entry, 1088.Va pfiio_size 1089contains the number of 1090.Vt pfi_kif 1091entries that can fit into the buffer. 1092The kernel will replace this value by the real number of entries it wants 1093to return. 1094.Va pfiio_esize 1095should be set to 1096.Li sizeof(struct pfi_kif) . 1097.Pp 1098The data is returned in the 1099.Vt pfi_kif 1100structure described below: 1101.Bd -literal 1102struct pfi_kif { 1103 char pfik_name[IFNAMSIZ]; 1104 union { 1105 RB_ENTRY(pfi_kif) pfik_tree; 1106 LIST_ENTRY(pfi_kif) pfik_list; 1107 }; 1108 u_int64_t pfik_packets[2][2][2]; 1109 u_int64_t pfik_bytes[2][2][2]; 1110 u_int32_t pfik_tzero; 1111 u_int pfik_flags; 1112 struct ifnet *pfik_ifp; 1113 struct ifg_group *pfik_group; 1114 u_int pfik_rulerefs; 1115 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; 1116}; 1117.Ed 1118.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io" 1119Set the user settable flags (described above) of the 1120.Nm 1121internal interface description. 1122The filtering process is the same as for 1123.Dv DIOCIGETIFACES . 1124.Bd -literal 1125#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ 1126.Ed 1127.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io" 1128Works as 1129.Dv DIOCSETIFFLAG 1130above but clears the flags. 1131.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io" 1132Explicitly remove source tracking nodes. 1133.El 1134.Sh FILES 1135.Bl -tag -width /dev/pf -compact 1136.It Pa /dev/pf 1137packet filtering device. 1138.El 1139.Sh EXAMPLES 1140The following example demonstrates how to use the 1141.Dv DIOCNATLOOK 1142command to find the internal host/port of a NATed connection: 1143.Bd -literal 1144#include <sys/types.h> 1145#include <sys/socket.h> 1146#include <sys/ioctl.h> 1147#include <sys/fcntl.h> 1148#include <net/if.h> 1149#include <netinet/in.h> 1150#include <net/pfvar.h> 1151#include <err.h> 1152#include <stdio.h> 1153#include <stdlib.h> 1154 1155u_int32_t 1156read_address(const char *s) 1157{ 1158 int a, b, c, d; 1159 1160 sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d); 1161 return htonl(a << 24 | b << 16 | c << 8 | d); 1162} 1163 1164void 1165print_address(u_int32_t a) 1166{ 1167 a = ntohl(a); 1168 printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255, 1169 a >> 8 & 255, a & 255); 1170} 1171 1172int 1173main(int argc, char *argv[]) 1174{ 1175 struct pfioc_natlook nl; 1176 int dev; 1177 1178 if (argc != 5) { 1179 printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n", 1180 argv[0]); 1181 return 1; 1182 } 1183 1184 dev = open("/dev/pf", O_RDWR); 1185 if (dev == -1) 1186 err(1, "open(\\"/dev/pf\\") failed"); 1187 1188 memset(&nl, 0, sizeof(struct pfioc_natlook)); 1189 nl.saddr.v4.s_addr = read_address(argv[1]); 1190 nl.sport = htons(atoi(argv[2])); 1191 nl.daddr.v4.s_addr = read_address(argv[3]); 1192 nl.dport = htons(atoi(argv[4])); 1193 nl.af = AF_INET; 1194 nl.proto = IPPROTO_TCP; 1195 nl.direction = PF_IN; 1196 1197 if (ioctl(dev, DIOCNATLOOK, &nl)) 1198 err(1, "DIOCNATLOOK"); 1199 1200 printf("internal host "); 1201 print_address(nl.rsaddr.v4.s_addr); 1202 printf(":%u\\n", ntohs(nl.rsport)); 1203 return 0; 1204} 1205.Ed 1206.Sh SEE ALSO 1207.Xr ioctl 2 , 1208.Xr altq 4 , 1209.Xr if_bridge 4 , 1210.Xr pflog 4 , 1211.Xr pfsync 4 , 1212.Xr pfctl 8 , 1213.Xr altq 9 1214.Sh HISTORY 1215The 1216.Nm 1217packet filtering mechanism first appeared in 1218.Ox 3.0 1219and then 1220.Fx 5.2 . 1221.Pp 1222This implementation is derived from 1223.Ox 4.5 . 1224It has been heavily modified to be capable of running in multithreaded 1225.Fx 1226kernel and scale its performance on multiple CPUs. 1227