1.\" $OpenBSD: pf.4,v 1.86 2015/10/15 02:26:27 lteo Exp $ 2.\" 3.\" Copyright (C) 2001, Kjell Wooding. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. Neither the name of the project nor the names of its contributors 14.\" may be used to endorse or promote products derived from this software 15.\" without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" 29.Dd $Mdocdate: October 15 2015 $ 30.Dt PF 4 31.Os 32.Sh NAME 33.Nm pf 34.Nd packet filter 35.Sh SYNOPSIS 36.Cd "pseudo-device pf" 37.Sh DESCRIPTION 38Packet filtering takes place in the kernel. 39A pseudo-device, 40.Pa /dev/pf , 41allows userland processes to control the 42behavior of the packet filter through an 43.Xr ioctl 2 44interface. 45There are commands to enable and disable the filter, load rulesets, 46add and remove individual rules or state table entries, 47and retrieve statistics. 48The most commonly used functions are covered by 49.Xr pfctl 8 . 50.Pp 51Manipulations like loading a ruleset that involve more than a single 52.Xr ioctl 2 53call require a so-called 54.Em ticket , 55which prevents the occurrence of 56multiple concurrent manipulations. 57.Pp 58Fields of 59.Xr ioctl 2 60parameter structures that refer to packet data (like 61addresses and ports) are generally expected in network byte-order. 62.Pp 63Rules and address tables are contained in so-called 64.Em anchors . 65When servicing an 66.Xr ioctl 2 67request, if the anchor field of the argument structure is empty, 68the kernel will use the default anchor (i.e., the main ruleset) 69in operations. 70Anchors are specified by name and may be nested, with components 71separated by 72.Sq / 73characters, similar to how file system hierarchies are laid out. 74The final component of the anchor path is the anchor under which 75operations will be performed. 76Anchor names with characters after the terminating null byte are 77considered invalid; if used in an ioctl, 78.Er EINVAL 79will be returned. 80.Sh IOCTL INTERFACE 81.Nm 82supports the following 83.Xr ioctl 2 84commands, available through 85.In net/pfvar.h : 86.Bl -tag -width xxxxxx 87.It Dv DIOCSTART 88Start the packet filter. 89.It Dv DIOCSTOP 90Stop the packet filter. 91.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr" 92.Bd -literal 93struct pfioc_rule { 94 u_int32_t action; 95 u_int32_t ticket; 96 u_int32_t nr; 97 char anchor[MAXPATHLEN]; 98 char anchor_call[MAXPATHLEN]; 99 struct pf_rule rule; 100}; 101.Ed 102.Pp 103Add 104.Va rule 105at the end of the inactive ruleset. 106This call requires a 107.Va ticket 108obtained through a preceding 109.Dv DIOCXBEGIN 110call. 111The optional 112.Va anchor 113name indicates the anchor in which to append the rule. 114.Va nr 115and 116.Va action 117are ignored. 118.It Dv DIOCADDQUEUE Fa "struct pfioc_queue *q" 119Add a queue. 120.Bd -literal 121struct pfioc_queue { 122 u_int32_t ticket; 123 u_int nr; 124 struct pf_queuespec queue; 125}; 126.Ed 127.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr" 128Get a 129.Va ticket 130for subsequent 131.Dv DIOCGETRULE 132calls and the number 133.Va nr 134of rules in the active ruleset. 135.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr" 136Get a 137.Va rule 138by its number 139.Va nr 140using the 141.Va ticket 142obtained through a preceding 143.Dv DIOCGETRULES 144call. 145If 146.Va action 147is set to 148.Dv PF_GET_CLR_CNTR , 149the per-rule statistics on the requested rule are cleared. 150.It Dv DIOCGETQUEUES Fa "struct pfioc_queue *pq" 151Get a 152.Va ticket 153for subsequent 154.Dv DIOCGETQUEUE 155calls and the number 156.Va nr 157of queues in the active list. 158.It Dv DIOCGETQUEUE Fa "struct pfioc_queue *pq" 159Get the queueing discipline 160by its number 161.Va nr 162using the 163.Va ticket 164obtained through a preceding 165.Dv DIOCGETQUEUES 166call. 167.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq" 168Get the statistics on a queue. 169.Bd -literal 170struct pfioc_qstats { 171 u_int32_t ticket; 172 u_int32_t nr; 173 struct pf_queuespec queue; 174 void *buf; 175 int nbytes; 176}; 177.Ed 178.Pp 179This call fills in a pointer to the buffer of statistics 180.Va buf , 181of length 182.Va nbytes , 183for the queue specified by 184.Va nr . 185.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr" 186.Bd -literal 187struct pfioc_ruleset { 188 u_int32_t nr; 189 char path[MAXPATHLEN]; 190 char name[PF_ANCHOR_NAME_SIZE]; 191}; 192.Ed 193.Pp 194Get the number 195.Va nr 196of rulesets (i.e., anchors) directly attached to the anchor named by 197.Va path 198for use in subsequent 199.Dv DIOCGETRULESET 200calls. 201Nested anchors, since they are not directly attached to the given 202anchor, will not be included. 203This ioctl returns 204.Er EINVAL 205if the given anchor does not exist. 206.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr" 207Get a ruleset (i.e., an anchor) 208.Va name 209by its number 210.Va nr 211from the given anchor 212.Va path , 213the maximum number of which can be obtained from a preceding 214.Dv DIOCGETRULESETS 215call. 216This ioctl returns 217.Er EINVAL 218if the given anchor does not exist or 219.Er EBUSY 220if another process is concurrently updating a ruleset. 221.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps" 222Add a state entry. 223.Bd -literal 224struct pfioc_state { 225 struct pfsync_state state; 226}; 227.Ed 228.It Dv DIOCGETSTATE Fa "struct pfioc_state *ps" 229Extract the entry identified by the 230.Va id 231and 232.Va creatorid 233fields of the 234.Va state 235structure from the state table. 236.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk" 237Remove matching entries from the state table. 238This ioctl returns the number of killed states in 239.Va psk_killed . 240.Bd -literal 241struct pfioc_state_kill { 242 struct pf_state_cmp psk_pfcmp; 243 sa_family_t psk_af; 244 int psk_proto; 245 struct pf_rule_addr psk_src; 246 struct pf_rule_addr psk_dst; 247 char psk_ifname[IFNAMSIZ]; 248 char psk_label[PF_RULE_LABEL_SIZE]; 249 u_int psk_killed; 250 u_int16_t psk_rdomain; 251}; 252.Ed 253.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk" 254Clear all states. 255It works like 256.Dv DIOCKILLSTATES , 257but ignores all fields of the 258.Vt pfioc_state_kill 259structure, except 260.Va psk_ifname . 261.It Dv DIOCGETSTATUS Fa "struct pf_status *s" 262Get the internal packet filter statistics. 263.Bd -literal 264struct pf_status { 265 u_int64_t counters[PFRES_MAX]; 266 u_int64_t lcounters[LCNT_MAX]; /* limit counters */ 267 u_int64_t fcounters[FCNT_MAX]; 268 u_int64_t scounters[SCNT_MAX]; 269 u_int64_t pcounters[2][2][3]; 270 u_int64_t bcounters[2][2]; 271 u_int64_t stateid; 272 time_t since; 273 u_int32_t running; 274 u_int32_t states; 275 u_int32_t src_nodes; 276 u_int32_t debug; 277 u_int32_t hostid; 278 u_int32_t reass; /* reassembly */ 279 char ifname[IFNAMSIZ]; 280 u_int8_t pf_chksum[MD5_DIGEST_LENGTH]; 281}; 282.Ed 283.It Dv DIOCCLRSTATUS 284Clear the internal packet filter statistics. 285.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl" 286Look up a state table entry by source and destination addresses and ports. 287.Bd -literal 288struct pfioc_natlook { 289 struct pf_addr saddr; 290 struct pf_addr daddr; 291 struct pf_addr rsaddr; 292 struct pf_addr rdaddr; 293 u_int16_t rdomain; 294 u_int16_t rrdomain; 295 u_int16_t sport; 296 u_int16_t dport; 297 u_int16_t rsport; 298 u_int16_t rdport; 299 sa_family_t af; 300 u_int8_t proto; 301 u_int8_t direction; 302}; 303.Ed 304.Pp 305This was primarily used to support transparent proxies with rdr-to rules. 306New proxies should use divert-to rules instead. 307These do not require access to the privileged 308.Pa /dev/pf 309device and preserve the original destination address for 310.Xr getsockname 2 . 311For 312.Dv SOCK_DGRAM 313sockets, the 314.Xr ip 4 315socket options 316.Dv IP_RECVDSTADDR 317and 318.Dv IP_RECVDSTPORT 319can be used to retrieve the destination address and port. 320.It Dv DIOCSETDEBUG Fa "u_int32_t *level" 321Set the debug level. 322See the 323.Xr syslog 3 324man page for a list of valid debug levels. 325.It Dv DIOCGETSTATES Fa "struct pfioc_states *ps" 326Get state table entries. 327.Bd -literal 328struct pfioc_states { 329 int ps_len; 330 union { 331 caddr_t psu_buf; 332 struct pfsync_state *psu_states; 333 } ps_u; 334#define ps_buf ps_u.psu_buf 335#define ps_states ps_u.psu_states 336}; 337.Ed 338.Pp 339If 340.Va ps_len 341is non-zero on entry, as many states as possible that can fit into this 342size will be copied into the supplied buffer 343.Va ps_states . 344On exit, 345.Va ps_len 346is always set to the total size required to hold all state table entries 347(i.e., it is set to 348.Li sizeof(struct pfsync_state) * nr ) . 349.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr" 350Add or remove the 351.Va rule 352in the ruleset specified by 353.Va rule.action . 354.Pp 355The type of operation to be performed is indicated by 356.Va action , 357which can be any of the following: 358.Bd -literal 359enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 360 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 361 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; 362.Ed 363.Pp 364.Va ticket 365must be set to the value obtained with 366.Dv PF_CHANGE_GET_TICKET 367for all actions except 368.Dv PF_CHANGE_GET_TICKET . 369.Va anchor 370indicates to which anchor the operation applies. 371.Va nr 372indicates the rule number against which 373.Dv PF_CHANGE_ADD_BEFORE , 374.Dv PF_CHANGE_ADD_AFTER , 375or 376.Dv PF_CHANGE_REMOVE 377actions are applied. 378.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt" 379.Bd -literal 380struct pfioc_tm { 381 int timeout; 382 int seconds; 383}; 384.Ed 385.Pp 386Set the state timeout of 387.Va timeout 388to 389.Va seconds . 390The old value will be placed into 391.Va seconds . 392For possible values of 393.Va timeout , 394consult the 395.Dv PFTM_* 396values in 397.In net/pfvar.h . 398.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt" 399Get the state timeout of 400.Va timeout . 401The value will be placed into the 402.Va seconds 403field. 404.It Dv DIOCCLRRULECTRS 405Clear per-rule statistics. 406.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl" 407Set the hard limits on the memory pools used by the packet filter. 408.Bd -literal 409struct pfioc_limit { 410 int index; 411 unsigned limit; 412}; 413 414enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, 415 PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; 416.Ed 417.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl" 418Get the hard 419.Va limit 420for the memory pool indicated by 421.Va index . 422.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io" 423Clear all tables. 424All the ioctls that manipulate radix tables 425use the same structure described below. 426For 427.Dv DIOCRCLRTABLES , 428.Va pfrio_ndel 429contains on exit the number of tables deleted. 430.Bd -literal 431struct pfioc_table { 432 struct pfr_table pfrio_table; 433 void *pfrio_buffer; 434 int pfrio_esize; 435 int pfrio_size; 436 int pfrio_size2; 437 int pfrio_nadd; 438 int pfrio_ndel; 439 int pfrio_nchange; 440 int pfrio_flags; 441 u_int32_t pfrio_ticket; 442}; 443#define pfrio_exists pfrio_nadd 444#define pfrio_nzero pfrio_nadd 445#define pfrio_nmatch pfrio_nadd 446#define pfrio_naddr pfrio_size2 447#define pfrio_setflag pfrio_size2 448#define pfrio_clrflag pfrio_nadd 449.Ed 450.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io" 451Create one or more tables. 452On entry, 453.Va pfrio_buffer 454must point to an array of 455.Vt struct pfr_table 456containing at least 457.Vt pfrio_size 458elements. 459.Vt pfrio_esize 460must be the size of 461.Vt struct pfr_table . 462On exit, 463.Va pfrio_nadd 464contains the number of tables effectively created. 465.Bd -literal 466struct pfr_table { 467 char pfrt_anchor[MAXPATHLEN]; 468 char pfrt_name[PF_TABLE_NAME_SIZE]; 469 u_int32_t pfrt_flags; 470 u_int8_t pfrt_fback; 471}; 472.Ed 473.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io" 474Delete one or more tables. 475On entry, 476.Va pfrio_buffer 477must point to an array of 478.Vt struct pfr_table 479containing at least 480.Vt pfrio_size 481elements. 482.Vt pfrio_esize 483must be the size of 484.Vt struct pfr_table . 485On exit, 486.Va pfrio_ndel 487contains the number of tables effectively deleted. 488.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io" 489Get the list of all tables. 490On entry, 491.Va pfrio_buffer[pfrio_size] 492contains a valid writeable buffer for 493.Vt pfr_table 494structures. 495On exit, 496.Va pfrio_size 497contains the number of tables written into the buffer. 498If the buffer is too small, the kernel does not store anything but just 499returns the required buffer size, without error. 500.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io" 501This call is like 502.Dv DIOCRGETTABLES 503but is used to get an array of 504.Vt pfr_tstats 505structures. 506.Bd -literal 507struct pfr_tstats { 508 struct pfr_table pfrts_t; 509 u_int64_t pfrts_packets 510 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 511 u_int64_t pfrts_bytes 512 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 513 u_int64_t pfrts_match; 514 u_int64_t pfrts_nomatch; 515 time_t pfrts_tzero; 516 int pfrts_cnt; 517 int pfrts_refcnt[PFR_REFCNT_MAX]; 518}; 519#define pfrts_name pfrts_t.pfrt_name 520#define pfrts_flags pfrts_t.pfrt_flags 521.Ed 522.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io" 523Clear the statistics of one or more tables. 524On entry, 525.Va pfrio_buffer 526must point to an array of 527.Vt struct pfr_table 528containing at least 529.Vt pfrio_size 530elements. 531.Vt pfrio_esize 532must be the size of 533.Vt struct pfr_table . 534On exit, 535.Va pfrio_nzero 536contains the number of tables effectively cleared. 537.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io" 538Clear all addresses in a table. 539On entry, 540.Va pfrio_table 541contains the table to clear. 542On exit, 543.Va pfrio_ndel 544contains the number of addresses removed. 545.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io" 546Add one or more addresses to a table. 547On entry, 548.Va pfrio_table 549contains the table ID and 550.Va pfrio_buffer 551must point to an array of 552.Vt struct pfr_addr 553containing at least 554.Vt pfrio_size 555elements to add to the table. 556.Vt pfrio_esize 557must be the size of 558.Vt struct pfr_addr . 559On exit, 560.Va pfrio_nadd 561contains the number of addresses effectively added. 562.Bd -literal 563struct pfr_addr { 564 union { 565 struct in_addr _pfra_ip4addr; 566 struct in6_addr _pfra_ip6addr; 567 } pfra_u; 568 char pfra_ifname[IFNAMSIZ]; 569 u_int32_t pfra_states; 570 u_int16_t pfra_weight; 571 u_int8_t pfra_af; 572 u_int8_t pfra_net; 573 u_int8_t pfra_not; 574 u_int8_t pfra_fback; 575 u_int8_t pfra_type; 576 u_int8_t pad[7]; 577}; 578#define pfra_ip4addr pfra_u._pfra_ip4addr 579#define pfra_ip6addr pfra_u._pfra_ip6addr 580.Ed 581.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io" 582Delete one or more addresses from a table. 583On entry, 584.Va pfrio_table 585contains the table ID and 586.Va pfrio_buffer 587must point to an array of 588.Vt struct pfr_addr 589containing at least 590.Vt pfrio_size 591elements to delete from the table. 592.Vt pfrio_esize 593must be the size of 594.Vt struct pfr_addr . 595On exit, 596.Va pfrio_ndel 597contains the number of addresses effectively deleted. 598.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io" 599Replace the content of a table by a new address list. 600This is the most complicated command, which uses all the structure members. 601.Pp 602On entry, 603.Va pfrio_table 604contains the table ID and 605.Va pfrio_buffer 606must point to an array of 607.Vt struct pfr_addr 608containing at least 609.Vt pfrio_size 610elements which become the new contents of the table. 611.Vt pfrio_esize 612must be the size of 613.Vt struct pfr_addr . 614Additionally, if 615.Va pfrio_size2 616is non-zero, 617.Va pfrio_buffer[pfrio_size..pfrio_size2] 618must be a writeable buffer, into which the kernel can copy the 619addresses that have been deleted during the replace operation. 620On exit, 621.Va pfrio_ndel , 622.Va pfrio_nadd , 623and 624.Va pfrio_nchange 625contain the number of addresses deleted, added, and changed by the 626kernel. 627If 628.Va pfrio_size2 629was set on entry, 630.Va pfrio_size2 631will point to the size of the buffer used, exactly like 632.Dv DIOCRGETADDRS . 633.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io" 634Get all the addresses of a table. 635On entry, 636.Va pfrio_table 637contains the table ID and 638.Va pfrio_buffer[pfrio_size] 639contains a valid writeable buffer for 640.Vt pfr_addr 641structures. 642On exit, 643.Va pfrio_size 644contains the number of addresses written into the buffer. 645If the buffer was too small, the kernel does not store anything but just 646returns the required buffer size, without returning an error. 647.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io" 648This call is like 649.Dv DIOCRGETADDRS 650but is used to get an array of 651.Vt pfr_astats 652structures. 653.Bd -literal 654struct pfr_astats { 655 struct pfr_addr pfras_a; 656 u_int64_t pfras_packets 657 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 658 u_int64_t pfras_bytes 659 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 660 time_t pfras_tzero; 661}; 662.Ed 663.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io" 664Clear the statistics of one or more addresses. 665On entry, 666.Va pfrio_table 667contains the table ID and 668.Va pfrio_buffer 669must point to an array of 670.Vt struct pfr_addr 671containing at least 672.Vt pfrio_size 673elements to be cleared from the table. 674.Vt pfrio_esize 675must be the size of 676.Vt struct pfr_addr . 677On exit, 678.Va pfrio_nzero 679contains the number of addresses effectively cleared. 680.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io" 681Test if the given addresses match a table. 682On entry, 683.Va pfrio_table 684contains the table ID and 685.Va pfrio_buffer 686must point to an array of 687.Vt struct pfr_addr 688containing at least 689.Vt pfrio_size 690elements, each of which will be tested for a match in the table. 691.Vt pfrio_esize 692must be the size of 693.Vt struct pfr_addr . 694On exit, the kernel updates the 695.Vt pfr_addr 696array by setting the 697.Va pfra_fback 698member appropriately. 699.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io" 700Change the 701.Dv PFR_TFLAG_CONST 702or 703.Dv PFR_TFLAG_PERSIST 704flags of a table. 705On entry, 706.Va pfrio_buffer 707must point to an array of 708.Vt struct pfr_table 709containing at least 710.Vt pfrio_size 711elements. 712.Va pfrio_esize 713must be the size of 714.Vt struct pfr_table . 715.Va pfrio_setflag 716must contain the flags to add, while 717.Va pfrio_clrflag 718must contain the flags to remove. 719On exit, 720.Va pfrio_nchange 721and 722.Va pfrio_ndel 723contain the number of tables altered or deleted by the kernel. 724Yes, tables can be deleted if one removes the 725.Dv PFR_TFLAG_PERSIST 726flag of an unreferenced table. 727.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io" 728Defines a table in the inactive set. 729On entry, 730.Va pfrio_table 731contains the table ID and 732.Va pfrio_buffer[pfrio_size] 733contains an array of 734.Vt pfr_addr 735structures to put in the table. 736A valid ticket must also be supplied to 737.Va pfrio_ticket . 738On exit, 739.Va pfrio_nadd 740contains 0 if the table was already defined in the inactive list 741or 1 if a new table has been created. 742.Va pfrio_naddr 743contains the number of addresses effectively put in the table. 744.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io" 745.Bd -literal 746struct pfioc_trans { 747 int size; /* number of elements */ 748 int esize; /* size of each element in bytes */ 749 struct pfioc_trans_e { 750 int type; 751 char anchor[MAXPATHLEN]; 752 u_int32_t ticket; 753 } *array; 754}; 755.Ed 756.Pp 757Clear all the inactive rulesets specified in the 758.Vt pfioc_trans_e 759array. 760For each ruleset, a ticket is returned for subsequent "add rule" ioctls, 761as well as for the 762.Dv DIOCXCOMMIT 763and 764.Dv DIOCXROLLBACK 765calls. 766.Pp 767Ruleset types, identified by 768.Va type , 769can be one of the following: 770.Pp 771.Bl -tag -width PF_TRANS_RULESET -offset ind -compact 772.It Dv PF_TRANS_RULESET 773Filter rules. 774.It Dv PF_TRANS_TABLE 775Address tables. 776.El 777.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io" 778Atomically switch a vector of inactive rulesets to the active rulesets. 779This call is implemented as a standard two-phase commit, which will either 780fail for all rulesets or completely succeed. 781All tickets need to be valid. 782This ioctl returns 783.Er EBUSY 784if another process is concurrently updating some of the same rulesets. 785.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io" 786Clean up the kernel by undoing all changes that have taken place on the 787inactive rulesets since the last 788.Dv DIOCXBEGIN . 789.Dv DIOCXROLLBACK 790will silently ignore rulesets for which the ticket is invalid. 791.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid" 792Set the host ID, which is used by 793.Xr pfsync 4 794to identify which host created state table entries. 795.It Dv DIOCOSFPFLUSH 796Flush the passive OS fingerprint table. 797.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io" 798.Bd -literal 799struct pf_osfp_ioctl { 800 struct pf_osfp_entry fp_os; 801 pf_tcpopts_t fp_tcpopts; /* packed TCP options */ 802 u_int16_t fp_wsize; /* TCP window size */ 803 u_int16_t fp_psize; /* ip->ip_len */ 804 u_int16_t fp_mss; /* TCP MSS */ 805 u_int16_t fp_flags; 806 u_int8_t fp_optcnt; /* TCP option count */ 807 u_int8_t fp_wscale; /* TCP window scaling */ 808 u_int8_t fp_ttl; /* IPv4 TTL */ 809 810 int fp_getnum; /* DIOCOSFPGET number */ 811}; 812 813struct pf_osfp_entry { 814 SLIST_ENTRY(pf_osfp_entry) fp_entry; 815 pf_osfp_t fp_os; 816 int fp_enflags; 817#define PF_OSFP_EXPANDED 0x001 /* expanded entry */ 818#define PF_OSFP_GENERIC 0x002 /* generic signature */ 819#define PF_OSFP_NODETAIL 0x004 /* no p0f details */ 820#define PF_OSFP_LEN 32 821 u_char fp_class_nm[PF_OSFP_LEN]; 822 u_char fp_version_nm[PF_OSFP_LEN]; 823 u_char fp_subtype_nm[PF_OSFP_LEN]; 824}; 825.Ed 826.Pp 827Add a passive OS fingerprint to the table. 828Set 829.Va fp_os.fp_os 830to the packed fingerprint, 831.Va fp_os.fp_class_nm 832to the name of the class (Linux, Windows, etc), 833.Va fp_os.fp_version_nm 834to the name of the version (NT, 95, 98), and 835.Va fp_os.fp_subtype_nm 836to the name of the subtype or patchlevel. 837The members 838.Va fp_mss , 839.Va fp_wsize , 840.Va fp_psize , 841.Va fp_ttl , 842.Va fp_optcnt , 843and 844.Va fp_wscale 845are set to the TCP MSS, the TCP window size, the IP length, the IP TTL, 846the number of TCP options, and the TCP window scaling constant of the 847TCP SYN packet, respectively. 848.Pp 849The 850.Va fp_flags 851member is filled according to the 852.In net/pfvar.h 853include file 854.Dv PF_OSFP_* 855defines. 856The 857.Va fp_tcpopts 858member contains packed TCP options. 859Each option uses 860.Dv PF_OSFP_TCPOPT_BITS 861bits in the packed value. 862Options include any of 863.Dv PF_OSFP_TCPOPT_NOP , 864.Dv PF_OSFP_TCPOPT_SACK , 865.Dv PF_OSFP_TCPOPT_WSCALE , 866.Dv PF_OSFP_TCPOPT_MSS , 867or 868.Dv PF_OSFP_TCPOPT_TS . 869.Pp 870The 871.Va fp_getnum 872member is not used with this ioctl. 873.Pp 874The structure's slack space must be zeroed for correct operation; 875.Xr memset 3 876the whole structure to zero before filling and sending to the kernel. 877.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io" 878Get the passive OS fingerprint number 879.Va fp_getnum 880from the kernel's fingerprint list. 881The rest of the structure members will come back filled. 882Get the whole list by repeatedly incrementing the 883.Va fp_getnum 884number until the ioctl returns 885.Er EBUSY . 886.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn" 887.Bd -literal 888struct pfioc_src_nodes { 889 int psn_len; 890 union { 891 caddr_t psu_buf; 892 struct pf_src_node *psu_src_nodes; 893 } psn_u; 894#define psn_buf psn_u.psu_buf 895#define psn_src_nodes psn_u.psu_src_nodes 896}; 897.Ed 898.Pp 899Get the list of source nodes kept by sticky addresses and source 900tracking. 901The ioctl must be called once with 902.Va psn_len 903set to 0. 904If the ioctl returns without error, 905.Va psn_len 906will be set to the size of the buffer required to hold all the 907.Va pf_src_node 908structures held in the table. 909A buffer of this size should then be allocated, and a pointer to this buffer 910placed in 911.Va psn_buf . 912The ioctl must then be called again to fill this buffer with the actual 913source node data. 914After that call, 915.Va psn_len 916will be set to the length of the buffer actually used. 917.It Dv DIOCCLRSRCNODES 918Clear the tree of source tracking nodes. 919.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io" 920Get the list of interfaces and interface drivers known to 921.Nm . 922All the ioctls that manipulate interfaces 923use the same structure described below: 924.Bd -literal 925struct pfioc_iface { 926 char pfiio_name[IFNAMSIZ]; 927 void *pfiio_buffer; 928 int pfiio_esize; 929 int pfiio_size; 930 int pfiio_nzero; 931 int pfiio_flags; 932}; 933.Ed 934.Pp 935If not empty, 936.Va pfiio_name 937can be used to restrict the search to a specific interface or driver. 938.Va pfiio_buffer[pfiio_size] 939is the user-supplied buffer for returning the data. 940On entry, 941.Va pfiio_size 942contains the number of 943.Vt pfi_kif 944entries that can fit into the buffer. 945The kernel will replace this value by the real number of entries it wants 946to return. 947.Va pfiio_esize 948should be set to 949.Li sizeof(struct pfi_kif) . 950.Pp 951The data is returned in the 952.Vt pfi_kif 953structure described below: 954.Bd -literal 955struct pfi_kif { 956 char pfik_name[IFNAMSIZ]; 957 RB_ENTRY(pfi_kif) pfik_tree; 958 u_int64_t pfik_packets[2][2][2]; 959 u_int64_t pfik_bytes[2][2][2]; 960 time_t pfik_tzero; 961 int pfik_flags; 962 int pfik_flags_new; 963 void *pfik_ah_cookie; 964 struct ifnet *pfik_ifp; 965 struct ifg_group *pfik_group; 966 int pfik_states; 967 int pfik_rules; 968 int pfik_routes; 969 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; 970}; 971.Ed 972.It Dv DIOCSETSTATUSIF Fa "struct pfioc_iface *pi" 973Specify the interface for which statistics are accumulated. 974.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io" 975Set the user settable flags (described above) of the 976.Nm 977internal interface description. 978The filtering process is the same as for 979.Dv DIOCIGETIFACES . 980.Bd -literal 981#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ 982.Ed 983.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io" 984Works as 985.Dv DIOCSETIFFLAG 986above but clears the flags. 987.It Dv DIOCKILLSRCNODES Fa "struct pfioc_src_node_kill *psnk" 988Explicitly remove source tracking nodes. 989.Bd -literal 990struct pfioc_src_node_kill { 991 sa_family_t psnk_af; 992 struct pf_rule_addr psnk_src; 993 struct pf_rule_addr psnk_dst; 994 u_int psnk_killed; 995}; 996.Ed 997.El 998.Sh FILES 999.Bl -tag -width /dev/pf -compact 1000.It Pa /dev/pf 1001packet filtering device. 1002.El 1003.Sh EXAMPLES 1004The following example demonstrates how to use the 1005.Dv DIOCGETLIMIT 1006command to show the hard limit of a memory pool used by the packet filter: 1007.Bd -literal 1008#include <sys/types.h> 1009#include <sys/socket.h> 1010#include <sys/ioctl.h> 1011#include <sys/fcntl.h> 1012#include <netinet/in.h> 1013#include <net/if.h> 1014#include <net/pfvar.h> 1015#include <limits.h> 1016#include <stdio.h> 1017#include <stdlib.h> 1018#include <string.h> 1019#include <err.h> 1020 1021static const struct { 1022 const char *name; 1023 int index; 1024} pf_limits[] = { 1025 { "states", PF_LIMIT_STATES }, 1026 { "src-nodes", PF_LIMIT_SRC_NODES }, 1027 { "frags", PF_LIMIT_FRAGS }, 1028 { "tables", PF_LIMIT_TABLES }, 1029 { "table-entries", PF_LIMIT_TABLE_ENTRIES }, 1030 { NULL, 0 } 1031}; 1032 1033void 1034usage(void) 1035{ 1036 extern char *__progname; 1037 int i; 1038 1039 fprintf(stderr, "usage: %s [", __progname); 1040 for (i = 0; pf_limits[i].name; i++) 1041 fprintf(stderr, "%s%s", (i > 0 ? "|" : ""), pf_limits[i].name); 1042 fprintf(stderr, "]\en"); 1043 exit(1); 1044} 1045 1046int 1047main(int argc, char *argv[]) 1048{ 1049 struct pfioc_limit pl; 1050 int i, dev; 1051 int pool_index = -1; 1052 1053 if (argc != 2) 1054 usage(); 1055 1056 for (i = 0; pf_limits[i].name; i++) 1057 if (!strcmp(argv[1], pf_limits[i].name)) { 1058 pool_index = pf_limits[i].index; 1059 break; 1060 } 1061 1062 if (pool_index == -1) { 1063 warnx("no such memory pool: %s", argv[1]); 1064 usage(); 1065 } 1066 1067 dev = open("/dev/pf", O_RDWR); 1068 if (dev == -1) 1069 err(1, "open(\e"/dev/pf\e") failed"); 1070 1071 bzero(&pl, sizeof(struct pfioc_limit)); 1072 pl.index = pool_index; 1073 1074 if (ioctl(dev, DIOCGETLIMIT, &pl)) 1075 err(1, "DIOCGETLIMIT"); 1076 1077 printf("The %s memory pool has ", pf_limits[i].name); 1078 if (pl.limit == UINT_MAX) 1079 printf("unlimited entries.\en"); 1080 else 1081 printf("a hard limit of %u entries.\en", pl.limit); 1082 1083 return (0); 1084} 1085.Ed 1086.Sh SEE ALSO 1087.Xr ioctl 2 , 1088.Xr bridge 4 , 1089.Xr pflog 4 , 1090.Xr pflow 4 , 1091.Xr pfsync 4 , 1092.Xr pf.conf 5 , 1093.Xr pfctl 8 1094.Sh HISTORY 1095The 1096.Nm 1097packet filtering mechanism first appeared in 1098.Ox 3.0 . 1099