xref: /freebsd/share/man/man4/pf.4 (revision fcb560670601b2a4d87bb31d7531c8dcc37ee71b)
1.\"	$OpenBSD: pf.4,v 1.62 2008/09/10 14:57:37 jmc Exp $
2.\"
3.\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\"    notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\" 3. Neither the name of the project nor the names of its contributors
14.\"    may be used to endorse or promote products derived from this software
15.\"    without specific prior written permission.
16.\"
17.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27.\" SUCH DAMAGE.
28.\"
29.\" $FreeBSD$
30.\"
31.Dd November 14, 2013
32.Dt PF 4
33.Os
34.Sh NAME
35.Nm pf
36.Nd packet filter
37.Sh SYNOPSIS
38.Cd "device pf"
39.Cd "options PF_DEFAULT_TO_DROP"
40.Sh DESCRIPTION
41Packet filtering takes place in the kernel.
42A pseudo-device,
43.Pa /dev/pf ,
44allows userland processes to control the
45behavior of the packet filter through an
46.Xr ioctl 2
47interface.
48There are commands to enable and disable the filter, load rulesets,
49add and remove individual rules or state table entries,
50and retrieve statistics.
51The most commonly used functions are covered by
52.Xr pfctl 8 .
53.Pp
54Manipulations like loading a ruleset that involve more than a single
55.Xr ioctl 2
56call require a so-called
57.Em ticket ,
58which prevents the occurrence of
59multiple concurrent manipulations.
60.Pp
61Fields of
62.Xr ioctl 2
63parameter structures that refer to packet data (like
64addresses and ports) are generally expected in network byte-order.
65.Pp
66Rules and address tables are contained in so-called
67.Em anchors .
68When servicing an
69.Xr ioctl 2
70request, if the anchor field of the argument structure is empty,
71the kernel will use the default anchor (i.e., the main ruleset)
72in operations.
73Anchors are specified by name and may be nested, with components
74separated by
75.Sq /
76characters, similar to how file system hierarchies are laid out.
77The final component of the anchor path is the anchor under which
78operations will be performed.
79.Sh SYSCTL VARIABLES AND LOADER TUNABLES
80The following
81.Xr loader 8
82tunables are available.
83.Bl -tag -width indent
84.It Va net.pf.states_hashsize
85Size of hash tables that store states.
86Should be power of 2.
87Default value is 32768.
88.It Va net.pf.source_nodes_hashsize
89Size of hash table that store source nodes.
90Should be power of 2.
91Default value is 8192.
92.El
93.Pp
94Read only
95.Xr sysctl 8
96variables with matching names are provided to obtain current values
97at runtime.
98.Sh KERNEL OPTIONS
99The following options in the kernel configuration file are related to
100.Nm
101operation:
102.Pp
103.Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact
104.It Dv PF_DEFAULT_TO_DROP
105Change default policy to drop by default
106.El
107.Sh IOCTL INTERFACE
108.Nm
109supports the following
110.Xr ioctl 2
111commands, available through
112.Aq Pa net/pfvar.h :
113.Bl -tag -width xxxxxx
114.It Dv DIOCSTART
115Start the packet filter.
116.It Dv DIOCSTOP
117Stop the packet filter.
118.It Dv DIOCSTARTALTQ
119Start the ALTQ bandwidth control system (see
120.Xr altq 9 ) .
121.It Dv DIOCSTOPALTQ
122Stop the ALTQ bandwidth control system.
123.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp"
124.Bd -literal
125struct pfioc_pooladdr {
126	u_int32_t		action;
127	u_int32_t		ticket;
128	u_int32_t		nr;
129	u_int32_t		r_num;
130	u_int8_t		r_action;
131	u_int8_t		r_last;
132	u_int8_t		af;
133	char			anchor[MAXPATHLEN];
134	struct pf_pooladdr	addr;
135};
136.Ed
137.Pp
138Clear the buffer address pool and get a
139.Va ticket
140for subsequent
141.Dv DIOCADDADDR ,
142.Dv DIOCADDRULE ,
143and
144.Dv DIOCCHANGERULE
145calls.
146.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp"
147.Pp
148Add the pool address
149.Va addr
150to the buffer address pool to be used in the following
151.Dv DIOCADDRULE
152or
153.Dv DIOCCHANGERULE
154call.
155All other members of the structure are ignored.
156.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr"
157.Bd -literal
158struct pfioc_rule {
159	u_int32_t	action;
160	u_int32_t	ticket;
161	u_int32_t	pool_ticket;
162	u_int32_t	nr;
163	char		anchor[MAXPATHLEN];
164	char		anchor_call[MAXPATHLEN];
165	struct pf_rule	rule;
166};
167.Ed
168.Pp
169Add
170.Va rule
171at the end of the inactive ruleset.
172This call requires a
173.Va ticket
174obtained through a preceding
175.Dv DIOCXBEGIN
176call and a
177.Va pool_ticket
178obtained through a
179.Dv DIOCBEGINADDRS
180call.
181.Dv DIOCADDADDR
182must also be called if any pool addresses are required.
183The optional
184.Va anchor
185name indicates the anchor in which to append the rule.
186.Va nr
187and
188.Va action
189are ignored.
190.It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa"
191Add an ALTQ discipline or queue.
192.Bd -literal
193struct pfioc_altq {
194	u_int32_t	action;
195	u_int32_t	ticket;
196	u_int32_t	nr;
197	struct pf_altq  altq;
198};
199.Ed
200.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr"
201Get a
202.Va ticket
203for subsequent
204.Dv DIOCGETRULE
205calls and the number
206.Va nr
207of rules in the active ruleset.
208.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr"
209Get a
210.Va rule
211by its number
212.Va nr
213using the
214.Va ticket
215obtained through a preceding
216.Dv DIOCGETRULES
217call.
218If
219.Va action
220is set to
221.Dv PF_GET_CLR_CNTR ,
222the per-rule statistics on the requested rule are cleared.
223.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp"
224Get a
225.Va ticket
226for subsequent
227.Dv DIOCGETADDR
228calls and the number
229.Va nr
230of pool addresses in the rule specified with
231.Va r_action ,
232.Va r_num ,
233and
234.Va anchor .
235.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp"
236Get the pool address
237.Va addr
238by its number
239.Va nr
240from the rule specified with
241.Va r_action ,
242.Va r_num ,
243and
244.Va anchor
245using the
246.Va ticket
247obtained through a preceding
248.Dv DIOCGETADDRS
249call.
250.It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa"
251Get a
252.Va ticket
253for subsequent
254.Dv DIOCGETALTQ
255calls and the number
256.Va nr
257of queues in the active list.
258.It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa"
259Get the queueing discipline
260.Va altq
261by its number
262.Va nr
263using the
264.Va ticket
265obtained through a preceding
266.Dv DIOCGETALTQS
267call.
268.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq"
269Get the statistics on a queue.
270.Bd -literal
271struct pfioc_qstats {
272	u_int32_t	 ticket;
273	u_int32_t	 nr;
274	void		*buf;
275	int		 nbytes;
276	u_int8_t	 scheduler;
277};
278.Ed
279.Pp
280This call fills in a pointer to the buffer of statistics
281.Va buf ,
282of length
283.Va nbytes ,
284for the queue specified by
285.Va nr .
286.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr"
287.Bd -literal
288struct pfioc_ruleset {
289	u_int32_t	 nr;
290	char		 path[MAXPATHLEN];
291	char		 name[PF_ANCHOR_NAME_SIZE];
292};
293.Ed
294.Pp
295Get the number
296.Va nr
297of rulesets (i.e., anchors) directly attached to the anchor named by
298.Va path
299for use in subsequent
300.Dv DIOCGETRULESET
301calls.
302Nested anchors, since they are not directly attached to the given
303anchor, will not be included.
304This ioctl returns
305.Er EINVAL
306if the given anchor does not exist.
307.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr"
308Get a ruleset (i.e., an anchor)
309.Va name
310by its number
311.Va nr
312from the given anchor
313.Va path ,
314the maximum number of which can be obtained from a preceding
315.Dv DIOCGETRULESETS
316call.
317This ioctl returns
318.Er EINVAL
319if the given anchor does not exist or
320.Er EBUSY
321if another process is concurrently updating a ruleset.
322.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps"
323Add a state entry.
324.Bd -literal
325struct pfioc_state {
326	struct pfsync_state	state;
327};
328.Ed
329.It Dv DIOCGETSTATE Fa "struct pfioc_state *ps"
330Extract the entry identified by the
331.Va id
332and
333.Va creatorid
334fields of the
335.Va state
336structure from the state table.
337.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk"
338Remove matching entries from the state table.
339This ioctl returns the number of killed states in
340.Va psk_killed .
341.Bd -literal
342struct pfioc_state_kill {
343	struct pf_state_cmp	psk_pfcmp;
344	sa_family_t		psk_af;
345	int			psk_proto;
346	struct pf_rule_addr	psk_src;
347	struct pf_rule_addr	psk_dst;
348	char			psk_ifname[IFNAMSIZ];
349	char			psk_label[PF_RULE_LABEL_SIZE];
350	u_int			psk_killed;
351};
352.Ed
353.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk"
354Clear all states.
355It works like
356.Dv DIOCKILLSTATES ,
357but ignores the
358.Va psk_af ,
359.Va psk_proto ,
360.Va psk_src ,
361and
362.Va psk_dst
363fields of the
364.Vt pfioc_state_kill
365structure.
366.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi"
367Specify the interface for which statistics are accumulated.
368.Bd -literal
369struct pfioc_if {
370	char		 ifname[IFNAMSIZ];
371};
372.Ed
373.It Dv DIOCGETSTATUS Fa "struct pf_status *s"
374Get the internal packet filter statistics.
375.Bd -literal
376struct pf_status {
377	u_int64_t	counters[PFRES_MAX];
378	u_int64_t	lcounters[LCNT_MAX];
379	u_int64_t	fcounters[FCNT_MAX];
380	u_int64_t	scounters[SCNT_MAX];
381	u_int64_t	pcounters[2][2][3];
382	u_int64_t	bcounters[2][2];
383	u_int32_t	running;
384	u_int32_t	states;
385	u_int32_t	src_nodes;
386	u_int32_t	since;
387	u_int32_t	debug;
388	u_int32_t	hostid;
389	char		ifname[IFNAMSIZ];
390	u_int8_t	pf_chksum[MD5_DIGEST_LENGTH];
391};
392.Ed
393.It Dv DIOCCLRSTATUS
394Clear the internal packet filter statistics.
395.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl"
396Look up a state table entry by source and destination addresses and ports.
397.Bd -literal
398struct pfioc_natlook {
399	struct pf_addr	 saddr;
400	struct pf_addr	 daddr;
401	struct pf_addr	 rsaddr;
402	struct pf_addr	 rdaddr;
403	u_int16_t	 sport;
404	u_int16_t	 dport;
405	u_int16_t	 rsport;
406	u_int16_t	 rdport;
407	sa_family_t	 af;
408	u_int8_t	 proto;
409	u_int8_t	 direction;
410};
411.Ed
412.It Dv DIOCSETDEBUG Fa "u_int32_t *level"
413Set the debug level.
414.Bd -literal
415enum	{ PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC,
416	  PF_DEBUG_NOISY };
417.Ed
418.It Dv DIOCGETSTATES Fa "struct pfioc_states *ps"
419Get state table entries.
420.Bd -literal
421struct pfioc_states {
422	int	ps_len;
423	union {
424		caddr_t		 psu_buf;
425		struct pf_state *psu_states;
426	} ps_u;
427#define ps_buf		ps_u.psu_buf
428#define ps_states	ps_u.psu_states
429};
430.Ed
431.Pp
432If
433.Va ps_len
434is non-zero on entry, as many states as possible that can fit into this
435size will be copied into the supplied buffer
436.Va ps_states .
437On exit,
438.Va ps_len
439is always set to the total size required to hold all state table entries
440(i.e., it is set to
441.Li sizeof(struct pf_state) * nr ) .
442.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr"
443Add or remove the
444.Va rule
445in the ruleset specified by
446.Va rule.action .
447.Pp
448The type of operation to be performed is indicated by
449.Va action ,
450which can be any of the following:
451.Bd -literal
452enum	{ PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
453	  PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
454	  PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
455.Ed
456.Pp
457.Va ticket
458must be set to the value obtained with
459.Dv PF_CHANGE_GET_TICKET
460for all actions except
461.Dv PF_CHANGE_GET_TICKET .
462.Va pool_ticket
463must be set to the value obtained with the
464.Dv DIOCBEGINADDRS
465call for all actions except
466.Dv PF_CHANGE_REMOVE
467and
468.Dv PF_CHANGE_GET_TICKET .
469.Va anchor
470indicates to which anchor the operation applies.
471.Va nr
472indicates the rule number against which
473.Dv PF_CHANGE_ADD_BEFORE ,
474.Dv PF_CHANGE_ADD_AFTER ,
475or
476.Dv PF_CHANGE_REMOVE
477actions are applied.
478.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr"
479.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca"
480Add or remove the pool address
481.Va addr
482from the rule specified by
483.Va r_action ,
484.Va r_num ,
485and
486.Va anchor .
487.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt"
488.Bd -literal
489struct pfioc_tm {
490	int		 timeout;
491	int		 seconds;
492};
493.Ed
494.Pp
495Set the state timeout of
496.Va timeout
497to
498.Va seconds .
499The old value will be placed into
500.Va seconds .
501For possible values of
502.Va timeout ,
503consult the
504.Dv PFTM_*
505values in
506.Aq Pa net/pfvar.h .
507.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt"
508Get the state timeout of
509.Va timeout .
510The value will be placed into the
511.Va seconds
512field.
513.It Dv DIOCCLRRULECTRS
514Clear per-rule statistics.
515.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl"
516Set the hard limits on the memory pools used by the packet filter.
517.Bd -literal
518struct pfioc_limit {
519	int		index;
520	unsigned	limit;
521};
522
523enum	{ PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
524	  PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
525.Ed
526.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl"
527Get the hard
528.Va limit
529for the memory pool indicated by
530.Va index .
531.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io"
532Clear all tables.
533All the ioctls that manipulate radix tables
534use the same structure described below.
535For
536.Dv DIOCRCLRTABLES ,
537.Va pfrio_ndel
538contains on exit the number of tables deleted.
539.Bd -literal
540struct pfioc_table {
541	struct pfr_table	 pfrio_table;
542	void			*pfrio_buffer;
543	int			 pfrio_esize;
544	int			 pfrio_size;
545	int			 pfrio_size2;
546	int			 pfrio_nadd;
547	int			 pfrio_ndel;
548	int			 pfrio_nchange;
549	int			 pfrio_flags;
550	u_int32_t		 pfrio_ticket;
551};
552#define pfrio_exists    pfrio_nadd
553#define pfrio_nzero     pfrio_nadd
554#define pfrio_nmatch    pfrio_nadd
555#define pfrio_naddr     pfrio_size2
556#define pfrio_setflag   pfrio_size2
557#define pfrio_clrflag   pfrio_nadd
558.Ed
559.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io"
560Create one or more tables.
561On entry,
562.Va pfrio_buffer
563must point to an array of
564.Vt struct pfr_table
565containing at least
566.Vt pfrio_size
567elements.
568.Vt pfrio_esize
569must be the size of
570.Vt struct pfr_table .
571On exit,
572.Va pfrio_nadd
573contains the number of tables effectively created.
574.Bd -literal
575struct pfr_table {
576	char		pfrt_anchor[MAXPATHLEN];
577	char		pfrt_name[PF_TABLE_NAME_SIZE];
578	u_int32_t	pfrt_flags;
579	u_int8_t	pfrt_fback;
580};
581.Ed
582.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io"
583Delete one or more tables.
584On entry,
585.Va pfrio_buffer
586must point to an array of
587.Vt struct pfr_table
588containing at least
589.Vt pfrio_size
590elements.
591.Vt pfrio_esize
592must be the size of
593.Vt struct pfr_table .
594On exit,
595.Va pfrio_ndel
596contains the number of tables effectively deleted.
597.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io"
598Get the list of all tables.
599On entry,
600.Va pfrio_buffer[pfrio_size]
601contains a valid writeable buffer for
602.Vt pfr_table
603structures.
604On exit,
605.Va pfrio_size
606contains the number of tables written into the buffer.
607If the buffer is too small, the kernel does not store anything but just
608returns the required buffer size, without error.
609.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io"
610This call is like
611.Dv DIOCRGETTABLES
612but is used to get an array of
613.Vt pfr_tstats
614structures.
615.Bd -literal
616struct pfr_tstats {
617	struct pfr_table pfrts_t;
618	u_int64_t	 pfrts_packets
619			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
620	u_int64_t	 pfrts_bytes
621			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
622	u_int64_t	 pfrts_match;
623	u_int64_t	 pfrts_nomatch;
624	long		 pfrts_tzero;
625	int		 pfrts_cnt;
626	int		 pfrts_refcnt[PFR_REFCNT_MAX];
627};
628#define pfrts_name	 pfrts_t.pfrt_name
629#define pfrts_flags	 pfrts_t.pfrt_flags
630.Ed
631.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io"
632Clear the statistics of one or more tables.
633On entry,
634.Va pfrio_buffer
635must point to an array of
636.Vt struct pfr_table
637containing at least
638.Vt pfrio_size
639elements.
640.Vt pfrio_esize
641must be the size of
642.Vt struct pfr_table .
643On exit,
644.Va pfrio_nzero
645contains the number of tables effectively cleared.
646.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io"
647Clear all addresses in a table.
648On entry,
649.Va pfrio_table
650contains the table to clear.
651On exit,
652.Va pfrio_ndel
653contains the number of addresses removed.
654.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io"
655Add one or more addresses to a table.
656On entry,
657.Va pfrio_table
658contains the table ID and
659.Va pfrio_buffer
660must point to an array of
661.Vt struct pfr_addr
662containing at least
663.Vt pfrio_size
664elements to add to the table.
665.Vt pfrio_esize
666must be the size of
667.Vt struct pfr_addr .
668On exit,
669.Va pfrio_nadd
670contains the number of addresses effectively added.
671.Bd -literal
672struct pfr_addr {
673	union {
674		struct in_addr	 _pfra_ip4addr;
675		struct in6_addr	 _pfra_ip6addr;
676	}		 pfra_u;
677	u_int8_t	 pfra_af;
678	u_int8_t	 pfra_net;
679	u_int8_t	 pfra_not;
680	u_int8_t	 pfra_fback;
681};
682#define pfra_ip4addr    pfra_u._pfra_ip4addr
683#define pfra_ip6addr    pfra_u._pfra_ip6addr
684.Ed
685.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io"
686Delete one or more addresses from a table.
687On entry,
688.Va pfrio_table
689contains the table ID and
690.Va pfrio_buffer
691must point to an array of
692.Vt struct pfr_addr
693containing at least
694.Vt pfrio_size
695elements to delete from the table.
696.Vt pfrio_esize
697must be the size of
698.Vt struct pfr_addr .
699On exit,
700.Va pfrio_ndel
701contains the number of addresses effectively deleted.
702.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io"
703Replace the content of a table by a new address list.
704This is the most complicated command, which uses all the structure members.
705.Pp
706On entry,
707.Va pfrio_table
708contains the table ID and
709.Va pfrio_buffer
710must point to an array of
711.Vt struct pfr_addr
712containing at least
713.Vt pfrio_size
714elements which become the new contents of the table.
715.Vt pfrio_esize
716must be the size of
717.Vt struct pfr_addr .
718Additionally, if
719.Va pfrio_size2
720is non-zero,
721.Va pfrio_buffer[pfrio_size..pfrio_size2]
722must be a writeable buffer, into which the kernel can copy the
723addresses that have been deleted during the replace operation.
724On exit,
725.Va pfrio_ndel ,
726.Va pfrio_nadd ,
727and
728.Va pfrio_nchange
729contain the number of addresses deleted, added, and changed by the
730kernel.
731If
732.Va pfrio_size2
733was set on entry,
734.Va pfrio_size2
735will point to the size of the buffer used, exactly like
736.Dv DIOCRGETADDRS .
737.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io"
738Get all the addresses of a table.
739On entry,
740.Va pfrio_table
741contains the table ID and
742.Va pfrio_buffer[pfrio_size]
743contains a valid writeable buffer for
744.Vt pfr_addr
745structures.
746On exit,
747.Va pfrio_size
748contains the number of addresses written into the buffer.
749If the buffer was too small, the kernel does not store anything but just
750returns the required buffer size, without returning an error.
751.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io"
752This call is like
753.Dv DIOCRGETADDRS
754but is used to get an array of
755.Vt pfr_astats
756structures.
757.Bd -literal
758struct pfr_astats {
759	struct pfr_addr	 pfras_a;
760	u_int64_t	 pfras_packets
761			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
762	u_int64_t	 pfras_bytes
763			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
764	long		 pfras_tzero;
765};
766.Ed
767.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io"
768Clear the statistics of one or more addresses.
769On entry,
770.Va pfrio_table
771contains the table ID and
772.Va pfrio_buffer
773must point to an array of
774.Vt struct pfr_addr
775containing at least
776.Vt pfrio_size
777elements to be cleared from the table.
778.Vt pfrio_esize
779must be the size of
780.Vt struct pfr_addr .
781On exit,
782.Va pfrio_nzero
783contains the number of addresses effectively cleared.
784.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io"
785Test if the given addresses match a table.
786On entry,
787.Va pfrio_table
788contains the table ID and
789.Va pfrio_buffer
790must point to an array of
791.Vt struct pfr_addr
792containing at least
793.Vt pfrio_size
794elements, each of which will be tested for a match in the table.
795.Vt pfrio_esize
796must be the size of
797.Vt struct pfr_addr .
798On exit, the kernel updates the
799.Vt pfr_addr
800array by setting the
801.Va pfra_fback
802member appropriately.
803.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io"
804Change the
805.Dv PFR_TFLAG_CONST
806or
807.Dv PFR_TFLAG_PERSIST
808flags of a table.
809On entry,
810.Va pfrio_buffer
811must point to an array of
812.Vt struct pfr_table
813containing at least
814.Vt pfrio_size
815elements.
816.Va pfrio_esize
817must be the size of
818.Vt struct pfr_table .
819.Va pfrio_setflag
820must contain the flags to add, while
821.Va pfrio_clrflag
822must contain the flags to remove.
823On exit,
824.Va pfrio_nchange
825and
826.Va pfrio_ndel
827contain the number of tables altered or deleted by the kernel.
828Yes, tables can be deleted if one removes the
829.Dv PFR_TFLAG_PERSIST
830flag of an unreferenced table.
831.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io"
832Defines a table in the inactive set.
833On entry,
834.Va pfrio_table
835contains the table ID and
836.Va pfrio_buffer[pfrio_size]
837contains an array of
838.Vt pfr_addr
839structures to put in the table.
840A valid ticket must also be supplied to
841.Va pfrio_ticket .
842On exit,
843.Va pfrio_nadd
844contains 0 if the table was already defined in the inactive list
845or 1 if a new table has been created.
846.Va pfrio_naddr
847contains the number of addresses effectively put in the table.
848.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io"
849.Bd -literal
850struct pfioc_trans {
851	int		 size;	/* number of elements */
852	int		 esize;	/* size of each element in bytes */
853	struct pfioc_trans_e {
854		int		rs_num;
855		char		anchor[MAXPATHLEN];
856		u_int32_t	ticket;
857	}		*array;
858};
859.Ed
860.Pp
861Clear all the inactive rulesets specified in the
862.Vt pfioc_trans_e
863array.
864For each ruleset, a ticket is returned for subsequent "add rule" ioctls,
865as well as for the
866.Dv DIOCXCOMMIT
867and
868.Dv DIOCXROLLBACK
869calls.
870.Pp
871Ruleset types, identified by
872.Va rs_num ,
873include the following:
874.Pp
875.Bl -tag -width PF_RULESET_FILTER -offset ind -compact
876.It Dv PF_RULESET_SCRUB
877Scrub (packet normalization) rules.
878.It Dv PF_RULESET_FILTER
879Filter rules.
880.It Dv PF_RULESET_NAT
881NAT (Network Address Translation) rules.
882.It Dv PF_RULESET_BINAT
883Bidirectional NAT rules.
884.It Dv PF_RULESET_RDR
885Redirect rules.
886.It Dv PF_RULESET_ALTQ
887ALTQ disciplines.
888.It Dv PF_RULESET_TABLE
889Address tables.
890.El
891.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io"
892Atomically switch a vector of inactive rulesets to the active rulesets.
893This call is implemented as a standard two-phase commit, which will either
894fail for all rulesets or completely succeed.
895All tickets need to be valid.
896This ioctl returns
897.Er EBUSY
898if another process is concurrently updating some of the same rulesets.
899.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io"
900Clean up the kernel by undoing all changes that have taken place on the
901inactive rulesets since the last
902.Dv DIOCXBEGIN .
903.Dv DIOCXROLLBACK
904will silently ignore rulesets for which the ticket is invalid.
905.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid"
906Set the host ID, which is used by
907.Xr pfsync 4
908to identify which host created state table entries.
909.It Dv DIOCOSFPFLUSH
910Flush the passive OS fingerprint table.
911.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io"
912.Bd -literal
913struct pf_osfp_ioctl {
914	struct pf_osfp_entry {
915		SLIST_ENTRY(pf_osfp_entry) fp_entry;
916		pf_osfp_t		fp_os;
917		char			fp_class_nm[PF_OSFP_LEN];
918		char			fp_version_nm[PF_OSFP_LEN];
919		char			fp_subtype_nm[PF_OSFP_LEN];
920	} 			fp_os;
921	pf_tcpopts_t		fp_tcpopts;
922	u_int16_t		fp_wsize;
923	u_int16_t		fp_psize;
924	u_int16_t		fp_mss;
925	u_int16_t		fp_flags;
926	u_int8_t		fp_optcnt;
927	u_int8_t		fp_wscale;
928	u_int8_t		fp_ttl;
929	int			fp_getnum;
930};
931.Ed
932.Pp
933Add a passive OS fingerprint to the table.
934Set
935.Va fp_os.fp_os
936to the packed fingerprint,
937.Va fp_os.fp_class_nm
938to the name of the class (Linux, Windows, etc),
939.Va fp_os.fp_version_nm
940to the name of the version (NT, 95, 98), and
941.Va fp_os.fp_subtype_nm
942to the name of the subtype or patchlevel.
943The members
944.Va fp_mss ,
945.Va fp_wsize ,
946.Va fp_psize ,
947.Va fp_ttl ,
948.Va fp_optcnt ,
949and
950.Va fp_wscale
951are set to the TCP MSS, the TCP window size, the IP length, the IP TTL,
952the number of TCP options, and the TCP window scaling constant of the
953TCP SYN packet, respectively.
954.Pp
955The
956.Va fp_flags
957member is filled according to the
958.Aq Pa net/pfvar.h
959include file
960.Dv PF_OSFP_*
961defines.
962The
963.Va fp_tcpopts
964member contains packed TCP options.
965Each option uses
966.Dv PF_OSFP_TCPOPT_BITS
967bits in the packed value.
968Options include any of
969.Dv PF_OSFP_TCPOPT_NOP ,
970.Dv PF_OSFP_TCPOPT_SACK ,
971.Dv PF_OSFP_TCPOPT_WSCALE ,
972.Dv PF_OSFP_TCPOPT_MSS ,
973or
974.Dv PF_OSFP_TCPOPT_TS .
975.Pp
976The
977.Va fp_getnum
978member is not used with this ioctl.
979.Pp
980The structure's slack space must be zeroed for correct operation;
981.Xr memset 3
982the whole structure to zero before filling and sending to the kernel.
983.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io"
984Get the passive OS fingerprint number
985.Va fp_getnum
986from the kernel's fingerprint list.
987The rest of the structure members will come back filled.
988Get the whole list by repeatedly incrementing the
989.Va fp_getnum
990number until the ioctl returns
991.Er EBUSY .
992.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn"
993.Bd -literal
994struct pfioc_src_nodes {
995	int	psn_len;
996	union {
997		caddr_t		psu_buf;
998		struct pf_src_node	*psu_src_nodes;
999	} psn_u;
1000#define psn_buf		psn_u.psu_buf
1001#define psn_src_nodes	psn_u.psu_src_nodes
1002};
1003.Ed
1004.Pp
1005Get the list of source nodes kept by sticky addresses and source
1006tracking.
1007The ioctl must be called once with
1008.Va psn_len
1009set to 0.
1010If the ioctl returns without error,
1011.Va psn_len
1012will be set to the size of the buffer required to hold all the
1013.Va pf_src_node
1014structures held in the table.
1015A buffer of this size should then be allocated, and a pointer to this buffer
1016placed in
1017.Va psn_buf .
1018The ioctl must then be called again to fill this buffer with the actual
1019source node data.
1020After that call,
1021.Va psn_len
1022will be set to the length of the buffer actually used.
1023.It Dv DIOCCLRSRCNODES
1024Clear the tree of source tracking nodes.
1025.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io"
1026Get the list of interfaces and interface drivers known to
1027.Nm .
1028All the ioctls that manipulate interfaces
1029use the same structure described below:
1030.Bd -literal
1031struct pfioc_iface {
1032	char			 pfiio_name[IFNAMSIZ];
1033	void			*pfiio_buffer;
1034	int			 pfiio_esize;
1035	int			 pfiio_size;
1036	int			 pfiio_nzero;
1037	int			 pfiio_flags;
1038};
1039.Ed
1040.Pp
1041If not empty,
1042.Va pfiio_name
1043can be used to restrict the search to a specific interface or driver.
1044.Va pfiio_buffer[pfiio_size]
1045is the user-supplied buffer for returning the data.
1046On entry,
1047.Va pfiio_size
1048contains the number of
1049.Vt pfi_kif
1050entries that can fit into the buffer.
1051The kernel will replace this value by the real number of entries it wants
1052to return.
1053.Va pfiio_esize
1054should be set to
1055.Li sizeof(struct pfi_kif) .
1056.Pp
1057The data is returned in the
1058.Vt pfi_kif
1059structure described below:
1060.Bd -literal
1061struct pfi_kif {
1062	RB_ENTRY(pfi_kif)		 pfik_tree;
1063	char				 pfik_name[IFNAMSIZ];
1064	u_int64_t			 pfik_packets[2][2][2];
1065	u_int64_t			 pfik_bytes[2][2][2];
1066	u_int32_t			 pfik_tzero;
1067	int				 pfik_flags;
1068	struct pf_state_tree_lan_ext	 pfik_lan_ext;
1069	struct pf_state_tree_ext_gwy	 pfik_ext_gwy;
1070	TAILQ_ENTRY(pfi_kif)		 pfik_w_states;
1071	void				*pfik_ah_cookie;
1072	struct ifnet			*pfik_ifp;
1073	struct ifg_group		*pfik_group;
1074	int				 pfik_states;
1075	int				 pfik_rules;
1076	TAILQ_HEAD(, pfi_dynaddr)	 pfik_dynaddrs;
1077};
1078.Ed
1079.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io"
1080Set the user setable flags (described above) of the
1081.Nm
1082internal interface description.
1083The filtering process is the same as for
1084.Dv DIOCIGETIFACES .
1085.Bd -literal
1086#define PFI_IFLAG_SKIP	0x0100	/* skip filtering on interface */
1087.Ed
1088.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
1089Works as
1090.Dv DIOCSETIFFLAG
1091above but clears the flags.
1092.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
1093Explicitly remove source tracking nodes.
1094.El
1095.Sh FILES
1096.Bl -tag -width /dev/pf -compact
1097.It Pa /dev/pf
1098packet filtering device.
1099.El
1100.Sh EXAMPLES
1101The following example demonstrates how to use the
1102.Dv DIOCNATLOOK
1103command to find the internal host/port of a NATed connection:
1104.Bd -literal
1105#include <sys/types.h>
1106#include <sys/socket.h>
1107#include <sys/ioctl.h>
1108#include <sys/fcntl.h>
1109#include <net/if.h>
1110#include <netinet/in.h>
1111#include <net/pfvar.h>
1112#include <err.h>
1113#include <stdio.h>
1114#include <stdlib.h>
1115
1116u_int32_t
1117read_address(const char *s)
1118{
1119	int a, b, c, d;
1120
1121	sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
1122	return htonl(a << 24 | b << 16 | c << 8 | d);
1123}
1124
1125void
1126print_address(u_int32_t a)
1127{
1128	a = ntohl(a);
1129	printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
1130	    a >> 8 & 255, a & 255);
1131}
1132
1133int
1134main(int argc, char *argv[])
1135{
1136	struct pfioc_natlook nl;
1137	int dev;
1138
1139	if (argc != 5) {
1140		printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n",
1141		    argv[0]);
1142		return 1;
1143	}
1144
1145	dev = open("/dev/pf", O_RDWR);
1146	if (dev == -1)
1147		err(1, "open(\\"/dev/pf\\") failed");
1148
1149	memset(&nl, 0, sizeof(struct pfioc_natlook));
1150	nl.saddr.v4.s_addr	= read_address(argv[1]);
1151	nl.sport		= htons(atoi(argv[2]));
1152	nl.daddr.v4.s_addr	= read_address(argv[3]);
1153	nl.dport		= htons(atoi(argv[4]));
1154	nl.af			= AF_INET;
1155	nl.proto		= IPPROTO_TCP;
1156	nl.direction		= PF_IN;
1157
1158	if (ioctl(dev, DIOCNATLOOK, &nl))
1159		err(1, "DIOCNATLOOK");
1160
1161	printf("internal host ");
1162	print_address(nl.rsaddr.v4.s_addr);
1163	printf(":%u\\n", ntohs(nl.rsport));
1164	return 0;
1165}
1166.Ed
1167.Sh SEE ALSO
1168.Xr ioctl 2 ,
1169.Xr altq 4 ,
1170.Xr if_bridge 4 ,
1171.Xr pflog 4 ,
1172.Xr pflow 4 ,
1173.Xr pfsync 4 ,
1174.Xr pfctl 8 ,
1175.Xr altq 9
1176.Sh HISTORY
1177The
1178.Nm
1179packet filtering mechanism first appeared in
1180.Ox 3.0
1181and then
1182.Fx 5.2 .
1183.Pp
1184This implementation is derived from
1185.Ox 4.5 .
1186It has been heavily modified to be capable of running in multithreaded
1187.Fx
1188kernel and scale its performance on multiple CPUs.
1189