1.\" $OpenBSD: pf.4,v 1.60 2007/12/02 12:08:04 pascoe Exp $ 2.\" 3.\" Copyright (C) 2001, Kjell Wooding. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. Neither the name of the project nor the names of its contributors 14.\" may be used to endorse or promote products derived from this software 15.\" without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" 29.Dd January 2, 2011 30.Dt PF 4 31.Os 32.Sh NAME 33.Nm pf 34.Nd packet filter 35.Sh SYNOPSIS 36.Cd "device pf" 37.Sh DESCRIPTION 38Packet filtering takes place in the kernel. 39A pseudo-device, 40.Pa /dev/pf , 41allows userland processes to control the 42behavior of the packet filter through an 43.Xr ioctl 2 44interface. 45There are commands to enable and disable the filter, load rulesets, 46add and remove individual rules or state table entries, 47and retrieve statistics. 48The most commonly used functions are covered by 49.Xr pfctl 8 . 50.Pp 51Manipulations like loading a ruleset that involve more than a single 52.Xr ioctl 2 53call require a so-called 54.Em ticket , 55which prevents the occurrence of 56multiple concurrent manipulations. 57.Pp 58Fields of 59.Xr ioctl 2 60parameter structures that refer to packet data (like 61addresses and ports) are generally expected in network byte-order. 62.Pp 63Rules and address tables are contained in so-called 64.Em anchors . 65When servicing an 66.Xr ioctl 2 67request, if the anchor field of the argument structure is empty, 68the kernel will use the default anchor (i.e., the main ruleset) 69in operations. 70Anchors are specified by name and may be nested, with components 71separated by 72.Sq / 73characters, similar to how file system hierarchies are laid out. 74The final component of the anchor path is the anchor under which 75operations will be performed. 76.Sh IOCTL INTERFACE 77.Nm 78supports the following 79.Xr ioctl 2 80commands, available through 81.Aq Pa net/pfvar.h : 82.Bl -tag -width xxxxxx 83.It Dv DIOCSTART 84Start the packet filter. 85.It Dv DIOCSTOP 86Stop the packet filter. 87.It Dv DIOCSTARTALTQ 88Start the ALTQ bandwidth control system (see 89.Xr altq 9 ) . 90.It Dv DIOCSTOPALTQ 91Stop the ALTQ bandwidth control system. 92.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp" 93.Bd -literal 94struct pfioc_pooladdr { 95 u_int32_t action; 96 u_int32_t ticket; 97 u_int32_t nr; 98 u_int32_t r_num; 99 u_int8_t r_action; 100 u_int8_t r_last; 101 u_int8_t af; 102 char anchor[MAXPATHLEN]; 103 struct pf_pooladdr addr; 104}; 105.Ed 106.Pp 107Clear the buffer address pool and get a 108.Va ticket 109for subsequent 110.Dv DIOCADDADDR , 111.Dv DIOCADDRULE , 112and 113.Dv DIOCCHANGERULE 114calls. 115.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp" 116.Pp 117Add the pool address 118.Va addr 119to the buffer address pool to be used in the following 120.Dv DIOCADDRULE 121or 122.Dv DIOCCHANGERULE 123call. 124All other members of the structure are ignored. 125.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr" 126.Bd -literal 127struct pfioc_rule { 128 u_int32_t action; 129 u_int32_t ticket; 130 u_int32_t pool_ticket; 131 u_int32_t nr; 132 char anchor[MAXPATHLEN]; 133 char anchor_call[MAXPATHLEN]; 134 struct pf_rule rule; 135}; 136.Ed 137.Pp 138Add 139.Va rule 140at the end of the inactive ruleset. 141This call requires a 142.Va ticket 143obtained through a preceding 144.Dv DIOCXBEGIN 145call and a 146.Va pool_ticket 147obtained through a 148.Dv DIOCBEGINADDRS 149call. 150.Dv DIOCADDADDR 151must also be called if any pool addresses are required. 152The optional 153.Va anchor 154name indicates the anchor in which to append the rule. 155.Va nr 156and 157.Va action 158are ignored. 159.It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa" 160Add an ALTQ discipline or queue. 161.Bd -literal 162struct pfioc_altq { 163 u_int32_t action; 164 u_int32_t ticket; 165 u_int32_t nr; 166 struct pf_altq altq; 167}; 168.Ed 169.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr" 170Get a 171.Va ticket 172for subsequent 173.Dv DIOCGETRULE 174calls and the number 175.Va nr 176of rules in the active ruleset. 177.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr" 178Get a 179.Va rule 180by its number 181.Va nr 182using the 183.Va ticket 184obtained through a preceding 185.Dv DIOCGETRULES 186call. 187If 188.Va action 189is set to 190.Dv PF_GET_CLR_CNTR , 191the per-rule statistics on the requested rule are cleared. 192.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp" 193Get a 194.Va ticket 195for subsequent 196.Dv DIOCGETADDR 197calls and the number 198.Va nr 199of pool addresses in the rule specified with 200.Va r_action , 201.Va r_num , 202and 203.Va anchor . 204.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp" 205Get the pool address 206.Va addr 207by its number 208.Va nr 209from the rule specified with 210.Va r_action , 211.Va r_num , 212and 213.Va anchor 214using the 215.Va ticket 216obtained through a preceding 217.Dv DIOCGETADDRS 218call. 219.It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa" 220Get a 221.Va ticket 222for subsequent 223.Dv DIOCGETALTQ 224calls and the number 225.Va nr 226of queues in the active list. 227.It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa" 228Get the queueing discipline 229.Va altq 230by its number 231.Va nr 232using the 233.Va ticket 234obtained through a preceding 235.Dv DIOCGETALTQS 236call. 237.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq" 238Get the statistics on a queue. 239.Bd -literal 240struct pfioc_qstats { 241 u_int32_t ticket; 242 u_int32_t nr; 243 void *buf; 244 int nbytes; 245 u_int8_t scheduler; 246}; 247.Ed 248.Pp 249This call fills in a pointer to the buffer of statistics 250.Va buf , 251of length 252.Va nbytes , 253for the queue specified by 254.Va nr . 255.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr" 256.Bd -literal 257struct pfioc_ruleset { 258 u_int32_t nr; 259 char path[MAXPATHLEN]; 260 char name[PF_ANCHOR_NAME_SIZE]; 261}; 262.Ed 263.Pp 264Get the number 265.Va nr 266of rulesets (i.e., anchors) directly attached to the anchor named by 267.Va path 268for use in subsequent 269.Dv DIOCGETRULESET 270calls. 271Nested anchors, since they are not directly attached to the given 272anchor, will not be included. 273This ioctl returns 274.Er EINVAL 275if the given anchor does not exist. 276.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr" 277Get a ruleset (i.e., an anchor) 278.Va name 279by its number 280.Va nr 281from the given anchor 282.Va path , 283the maximum number of which can be obtained from a preceding 284.Dv DIOCGETRULESETS 285call. 286This ioctl returns 287.Er EINVAL 288if the given anchor does not exist or 289.Er EBUSY 290if another process is concurrently updating a ruleset. 291.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps" 292Add a state entry. 293.Bd -literal 294struct pfioc_state { 295 struct pfsync_state state; 296}; 297.Ed 298.It Dv DIOCGETSTATE Fa "struct pfioc_state *ps" 299Extract the entry identified by the 300.Va id 301and 302.Va creatorid 303fields of the 304.Va state 305structure from the state table. 306.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk" 307Remove matching entries from the state table. 308This ioctl returns the number of killed states in 309.Va psk_af . 310.Bd -literal 311struct pfioc_state_kill { 312 sa_family_t psk_af; 313 int psk_proto; 314 struct pf_rule_addr psk_src; 315 struct pf_rule_addr psk_dst; 316 char psk_ifname[IFNAMSIZ]; 317}; 318.Ed 319.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk" 320Clear all states. 321It works like 322.Dv DIOCKILLSTATES , 323but ignores the 324.Va psk_af , 325.Va psk_proto , 326.Va psk_src , 327and 328.Va psk_dst 329fields of the 330.Vt pfioc_state_kill 331structure. 332.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi" 333Specify the interface for which statistics are accumulated. 334.Bd -literal 335struct pfioc_if { 336 char ifname[IFNAMSIZ]; 337}; 338.Ed 339.It Dv DIOCGETSTATUS Fa "struct pf_status *s" 340Get the internal packet filter statistics. 341.Bd -literal 342struct pf_status { 343 u_int64_t counters[PFRES_MAX]; 344 u_int64_t lcounters[LCNT_MAX]; 345 u_int64_t fcounters[FCNT_MAX]; 346 u_int64_t scounters[SCNT_MAX]; 347 u_int64_t pcounters[2][2][3]; 348 u_int64_t bcounters[2][2]; 349 u_int64_t stateid; 350 u_int32_t running; 351 u_int32_t states; 352 u_int32_t src_nodes; 353 u_int32_t since; 354 u_int32_t debug; 355 u_int32_t hostid; 356 char ifname[IFNAMSIZ]; 357 u_int8_t pf_chksum[MD5_DIGEST_LENGTH]; 358}; 359.Ed 360.It Dv DIOCCLRSTATUS 361Clear the internal packet filter statistics. 362.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl" 363Look up a state table entry by source and destination addresses and ports. 364.Bd -literal 365struct pfioc_natlook { 366 struct pf_addr saddr; 367 struct pf_addr daddr; 368 struct pf_addr rsaddr; 369 struct pf_addr rdaddr; 370 u_int16_t sport; 371 u_int16_t dport; 372 u_int16_t rsport; 373 u_int16_t rdport; 374 sa_family_t af; 375 u_int8_t proto; 376 u_int8_t direction; 377}; 378.Ed 379.It Dv DIOCSETDEBUG Fa "u_int32_t *level" 380Set the debug level. 381.Bd -literal 382enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, 383 PF_DEBUG_NOISY }; 384.Ed 385.It Dv DIOCGETSTATES Fa "struct pfioc_states *ps" 386Get state table entries. 387.Bd -literal 388struct pfioc_states { 389 int ps_len; 390 union { 391 caddr_t psu_buf; 392 struct pf_state *psu_states; 393 } ps_u; 394#define ps_buf ps_u.psu_buf 395#define ps_states ps_u.psu_states 396}; 397.Ed 398.Pp 399If 400.Va ps_len 401is non-zero on entry, as many states as possible that can fit into this 402size will be copied into the supplied buffer 403.Va ps_states . 404On exit, 405.Va ps_len 406is always set to the total size required to hold all state table entries 407(i.e., it is set to 408.Li sizeof(struct pf_state) * nr ) . 409.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr" 410Add or remove the 411.Va rule 412in the ruleset specified by 413.Va rule.action . 414.Pp 415The type of operation to be performed is indicated by 416.Va action , 417which can be any of the following: 418.Bd -literal 419enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 420 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 421 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; 422.Ed 423.Pp 424.Va ticket 425must be set to the value obtained with 426.Dv PF_CHANGE_GET_TICKET 427for all actions except 428.Dv PF_CHANGE_GET_TICKET . 429.Va pool_ticket 430must be set to the value obtained with the 431.Dv DIOCBEGINADDRS 432call for all actions except 433.Dv PF_CHANGE_REMOVE 434and 435.Dv PF_CHANGE_GET_TICKET . 436.Va anchor 437indicates to which anchor the operation applies. 438.Va nr 439indicates the rule number against which 440.Dv PF_CHANGE_ADD_BEFORE , 441.Dv PF_CHANGE_ADD_AFTER , 442or 443.Dv PF_CHANGE_REMOVE 444actions are applied. 445.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr" 446.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca" 447Add or remove the pool address 448.Va addr 449from the rule specified by 450.Va r_action , 451.Va r_num , 452and 453.Va anchor . 454.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt" 455.Bd -literal 456struct pfioc_tm { 457 int timeout; 458 int seconds; 459}; 460.Ed 461.Pp 462Set the state timeout of 463.Va timeout 464to 465.Va seconds . 466The old value will be placed into 467.Va seconds . 468For possible values of 469.Va timeout , 470consult the 471.Dv PFTM_* 472values in 473.Aq Pa net/pfvar.h . 474.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt" 475Get the state timeout of 476.Va timeout . 477The value will be placed into the 478.Va seconds 479field. 480.It Dv DIOCCLRRULECTRS 481Clear per-rule statistics. 482.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl" 483Set the hard limits on the memory pools used by the packet filter. 484.Bd -literal 485struct pfioc_limit { 486 int index; 487 unsigned limit; 488}; 489 490enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, 491 PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; 492.Ed 493.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl" 494Get the hard 495.Va limit 496for the memory pool indicated by 497.Va index . 498.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io" 499Clear all tables. 500All the ioctls that manipulate radix tables 501use the same structure described below. 502For 503.Dv DIOCRCLRTABLES , 504.Va pfrio_ndel 505contains on exit the number of tables deleted. 506.Bd -literal 507struct pfioc_table { 508 struct pfr_table pfrio_table; 509 void *pfrio_buffer; 510 int pfrio_esize; 511 int pfrio_size; 512 int pfrio_size2; 513 int pfrio_nadd; 514 int pfrio_ndel; 515 int pfrio_nchange; 516 int pfrio_flags; 517 u_int32_t pfrio_ticket; 518}; 519#define pfrio_exists pfrio_nadd 520#define pfrio_nzero pfrio_nadd 521#define pfrio_nmatch pfrio_nadd 522#define pfrio_naddr pfrio_size2 523#define pfrio_setflag pfrio_size2 524#define pfrio_clrflag pfrio_nadd 525.Ed 526.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io" 527Create one or more tables. 528On entry, 529.Va pfrio_buffer 530must point to an array of 531.Vt struct pfr_table 532containing at least 533.Vt pfrio_size 534elements. 535.Vt pfrio_esize 536must be the size of 537.Vt struct pfr_table . 538On exit, 539.Va pfrio_nadd 540contains the number of tables effectively created. 541.Bd -literal 542struct pfr_table { 543 char pfrt_anchor[MAXPATHLEN]; 544 char pfrt_name[PF_TABLE_NAME_SIZE]; 545 u_int32_t pfrt_flags; 546 u_int8_t pfrt_fback; 547}; 548.Ed 549.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io" 550Delete one or more tables. 551On entry, 552.Va pfrio_buffer 553must point to an array of 554.Vt struct pfr_table 555containing at least 556.Vt pfrio_size 557elements. 558.Vt pfrio_esize 559must be the size of 560.Vt struct pfr_table . 561On exit, 562.Va pfrio_ndel 563contains the number of tables effectively deleted. 564.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io" 565Get the list of all tables. 566On entry, 567.Va pfrio_buffer[pfrio_size] 568contains a valid writeable buffer for 569.Vt pfr_table 570structures. 571On exit, 572.Va pfrio_size 573contains the number of tables written into the buffer. 574If the buffer is too small, the kernel does not store anything but just 575returns the required buffer size, without error. 576.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io" 577This call is like 578.Dv DIOCRGETTABLES 579but is used to get an array of 580.Vt pfr_tstats 581structures. 582.Bd -literal 583struct pfr_tstats { 584 struct pfr_table pfrts_t; 585 u_int64_t pfrts_packets 586 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 587 u_int64_t pfrts_bytes 588 [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 589 u_int64_t pfrts_match; 590 u_int64_t pfrts_nomatch; 591 long pfrts_tzero; 592 int pfrts_cnt; 593 int pfrts_refcnt[PFR_REFCNT_MAX]; 594}; 595#define pfrts_name pfrts_t.pfrt_name 596#define pfrts_flags pfrts_t.pfrt_flags 597.Ed 598.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io" 599Clear the statistics of one or more tables. 600On entry, 601.Va pfrio_buffer 602must point to an array of 603.Vt struct pfr_table 604containing at least 605.Vt pfrio_size 606elements. 607.Vt pfrio_esize 608must be the size of 609.Vt struct pfr_table . 610On exit, 611.Va pfrio_nzero 612contains the number of tables effectively cleared. 613.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io" 614Clear all addresses in a table. 615On entry, 616.Va pfrio_table 617contains the table to clear. 618On exit, 619.Va pfrio_ndel 620contains the number of addresses removed. 621.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io" 622Add one or more addresses to a table. 623On entry, 624.Va pfrio_table 625contains the table ID and 626.Va pfrio_buffer 627must point to an array of 628.Vt struct pfr_addr 629containing at least 630.Vt pfrio_size 631elements to add to the table. 632.Vt pfrio_esize 633must be the size of 634.Vt struct pfr_addr . 635On exit, 636.Va pfrio_nadd 637contains the number of addresses effectively added. 638.Bd -literal 639struct pfr_addr { 640 union { 641 struct in_addr _pfra_ip4addr; 642 struct in6_addr _pfra_ip6addr; 643 } pfra_u; 644 u_int8_t pfra_af; 645 u_int8_t pfra_net; 646 u_int8_t pfra_not; 647 u_int8_t pfra_fback; 648}; 649#define pfra_ip4addr pfra_u._pfra_ip4addr 650#define pfra_ip6addr pfra_u._pfra_ip6addr 651.Ed 652.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io" 653Delete one or more addresses from a table. 654On entry, 655.Va pfrio_table 656contains the table ID and 657.Va pfrio_buffer 658must point to an array of 659.Vt struct pfr_addr 660containing at least 661.Vt pfrio_size 662elements to delete from the table. 663.Vt pfrio_esize 664must be the size of 665.Vt struct pfr_addr . 666On exit, 667.Va pfrio_ndel 668contains the number of addresses effectively deleted. 669.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io" 670Replace the content of a table by a new address list. 671This is the most complicated command, which uses all the structure members. 672.Pp 673On entry, 674.Va pfrio_table 675contains the table ID and 676.Va pfrio_buffer 677must point to an array of 678.Vt struct pfr_addr 679containing at least 680.Vt pfrio_size 681elements which become the new contents of the table. 682.Vt pfrio_esize 683must be the size of 684.Vt struct pfr_addr . 685Additionally, if 686.Va pfrio_size2 687is non-zero, 688.Va pfrio_buffer[pfrio_size..pfrio_size2] 689must be a writeable buffer, into which the kernel can copy the 690addresses that have been deleted during the replace operation. 691On exit, 692.Va pfrio_ndel , 693.Va pfrio_nadd , 694and 695.Va pfrio_nchange 696contain the number of addresses deleted, added, and changed by the 697kernel. 698If 699.Va pfrio_size2 700was set on entry, 701.Va pfrio_size2 702will point to the size of the buffer used, exactly like 703.Dv DIOCRGETADDRS . 704.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io" 705Get all the addresses of a table. 706On entry, 707.Va pfrio_table 708contains the table ID and 709.Va pfrio_buffer[pfrio_size] 710contains a valid writeable buffer for 711.Vt pfr_addr 712structures. 713On exit, 714.Va pfrio_size 715contains the number of addresses written into the buffer. 716If the buffer was too small, the kernel does not store anything but just 717returns the required buffer size, without returning an error. 718.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io" 719This call is like 720.Dv DIOCRGETADDRS 721but is used to get an array of 722.Vt pfr_astats 723structures. 724.Bd -literal 725struct pfr_astats { 726 struct pfr_addr pfras_a; 727 u_int64_t pfras_packets 728 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 729 u_int64_t pfras_bytes 730 [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 731 long pfras_tzero; 732}; 733.Ed 734.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io" 735Clear the statistics of one or more addresses. 736On entry, 737.Va pfrio_table 738contains the table ID and 739.Va pfrio_buffer 740must point to an array of 741.Vt struct pfr_addr 742containing at least 743.Vt pfrio_size 744elements to be cleared from the table. 745.Vt pfrio_esize 746must be the size of 747.Vt struct pfr_addr . 748On exit, 749.Va pfrio_nzero 750contains the number of addresses effectively cleared. 751.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io" 752Test if the given addresses match a table. 753On entry, 754.Va pfrio_table 755contains the table ID and 756.Va pfrio_buffer 757must point to an array of 758.Vt struct pfr_addr 759containing at least 760.Vt pfrio_size 761elements, each of which will be tested for a match in the table. 762.Vt pfrio_esize 763must be the size of 764.Vt struct pfr_addr . 765On exit, the kernel updates the 766.Vt pfr_addr 767array by setting the 768.Va pfra_fback 769member appropriately. 770.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io" 771Change the 772.Dv PFR_TFLAG_CONST 773or 774.Dv PFR_TFLAG_PERSIST 775flags of a table. 776On entry, 777.Va pfrio_buffer 778must point to an array of 779.Vt struct pfr_table 780containing at least 781.Vt pfrio_size 782elements. 783.Va pfrio_esize 784must be the size of 785.Vt struct pfr_table . 786.Va pfrio_setflag 787must contain the flags to add, while 788.Va pfrio_clrflag 789must contain the flags to remove. 790On exit, 791.Va pfrio_nchange 792and 793.Va pfrio_ndel 794contain the number of tables altered or deleted by the kernel. 795Yes, tables can be deleted if one removes the 796.Dv PFR_TFLAG_PERSIST 797flag of an unreferenced table. 798.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io" 799Defines a table in the inactive set. 800On entry, 801.Va pfrio_table 802contains the table ID and 803.Va pfrio_buffer[pfrio_size] 804contains an array of 805.Vt pfr_addr 806structures to put in the table. 807A valid ticket must also be supplied to 808.Va pfrio_ticket . 809On exit, 810.Va pfrio_nadd 811contains 0 if the table was already defined in the inactive list 812or 1 if a new table has been created. 813.Va pfrio_naddr 814contains the number of addresses effectively put in the table. 815.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io" 816.Bd -literal 817struct pfioc_trans { 818 int size; /* number of elements */ 819 int esize; /* size of each element in bytes */ 820 struct pfioc_trans_e { 821 int rs_num; 822 char anchor[MAXPATHLEN]; 823 u_int32_t ticket; 824 } *array; 825}; 826.Ed 827.Pp 828Clear all the inactive rulesets specified in the 829.Vt pfioc_trans_e 830array. 831For each ruleset, a ticket is returned for subsequent "add rule" ioctls, 832as well as for the 833.Dv DIOCXCOMMIT 834and 835.Dv DIOCXROLLBACK 836calls. 837.Pp 838Ruleset types, identified by 839.Va rs_num , 840include the following: 841.Pp 842.Bl -tag -width PF_RULESET_FILTER -offset ind -compact 843.It Dv PF_RULESET_SCRUB 844Scrub (packet normalization) rules. 845.It Dv PF_RULESET_FILTER 846Filter rules. 847.It Dv PF_RULESET_NAT 848NAT (Network Address Translation) rules. 849.It Dv PF_RULESET_BINAT 850Bidirectional NAT rules. 851.It Dv PF_RULESET_RDR 852Redirect rules. 853.It Dv PF_RULESET_ALTQ 854ALTQ disciplines. 855.It Dv PF_RULESET_TABLE 856Address tables. 857.El 858.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io" 859Atomically switch a vector of inactive rulesets to the active rulesets. 860This call is implemented as a standard two-phase commit, which will either 861fail for all rulesets or completely succeed. 862All tickets need to be valid. 863This ioctl returns 864.Er EBUSY 865if another process is concurrently updating some of the same rulesets. 866.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io" 867Clean up the kernel by undoing all changes that have taken place on the 868inactive rulesets since the last 869.Dv DIOCXBEGIN . 870.Dv DIOCXROLLBACK 871will silently ignore rulesets for which the ticket is invalid. 872.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid" 873Set the host ID, which is used by 874.Xr pfsync 4 875to identify which host created state table entries. 876.It Dv DIOCOSFPFLUSH 877Flush the passive OS fingerprint table. 878.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io" 879.Bd -literal 880struct pf_osfp_ioctl { 881 struct pf_osfp_entry { 882 SLIST_ENTRY(pf_osfp_entry) fp_entry; 883 pf_osfp_t fp_os; 884 char fp_class_nm[PF_OSFP_LEN]; 885 char fp_version_nm[PF_OSFP_LEN]; 886 char fp_subtype_nm[PF_OSFP_LEN]; 887 } fp_os; 888 pf_tcpopts_t fp_tcpopts; 889 u_int16_t fp_wsize; 890 u_int16_t fp_psize; 891 u_int16_t fp_mss; 892 u_int16_t fp_flags; 893 u_int8_t fp_optcnt; 894 u_int8_t fp_wscale; 895 u_int8_t fp_ttl; 896 int fp_getnum; 897}; 898.Ed 899.Pp 900Add a passive OS fingerprint to the table. 901Set 902.Va fp_os.fp_os 903to the packed fingerprint, 904.Va fp_os.fp_class_nm 905to the name of the class (Linux, Windows, etc), 906.Va fp_os.fp_version_nm 907to the name of the version (NT, 95, 98), and 908.Va fp_os.fp_subtype_nm 909to the name of the subtype or patchlevel. 910The members 911.Va fp_mss , 912.Va fp_wsize , 913.Va fp_psize , 914.Va fp_ttl , 915.Va fp_optcnt , 916and 917.Va fp_wscale 918are set to the TCP MSS, the TCP window size, the IP length, the IP TTL, 919the number of TCP options, and the TCP window scaling constant of the 920TCP SYN packet, respectively. 921.Pp 922The 923.Va fp_flags 924member is filled according to the 925.Aq Pa net/pfvar.h 926include file 927.Dv PF_OSFP_* 928defines. 929The 930.Va fp_tcpopts 931member contains packed TCP options. 932Each option uses 933.Dv PF_OSFP_TCPOPT_BITS 934bits in the packed value. 935Options include any of 936.Dv PF_OSFP_TCPOPT_NOP , 937.Dv PF_OSFP_TCPOPT_SACK , 938.Dv PF_OSFP_TCPOPT_WSCALE , 939.Dv PF_OSFP_TCPOPT_MSS , 940or 941.Dv PF_OSFP_TCPOPT_TS . 942.Pp 943The 944.Va fp_getnum 945member is not used with this ioctl. 946.Pp 947The structure's slack space must be zeroed for correct operation; 948.Xr memset 3 949the whole structure to zero before filling and sending to the kernel. 950.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io" 951Get the passive OS fingerprint number 952.Va fp_getnum 953from the kernel's fingerprint list. 954The rest of the structure members will come back filled. 955Get the whole list by repeatedly incrementing the 956.Va fp_getnum 957number until the ioctl returns 958.Er EBUSY . 959.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn" 960.Bd -literal 961struct pfioc_src_nodes { 962 int psn_len; 963 union { 964 caddr_t psu_buf; 965 struct pf_src_node *psu_src_nodes; 966 } psn_u; 967#define psn_buf psn_u.psu_buf 968#define psn_src_nodes psn_u.psu_src_nodes 969}; 970.Ed 971.Pp 972Get the list of source nodes kept by sticky addresses and source 973tracking. 974The ioctl must be called once with 975.Va psn_len 976set to 0. 977If the ioctl returns without error, 978.Va psn_len 979will be set to the size of the buffer required to hold all the 980.Va pf_src_node 981structures held in the table. 982A buffer of this size should then be allocated, and a pointer to this buffer 983placed in 984.Va psn_buf . 985The ioctl must then be called again to fill this buffer with the actual 986source node data. 987After that call, 988.Va psn_len 989will be set to the length of the buffer actually used. 990.It Dv DIOCCLRSRCNODES 991Clear the tree of source tracking nodes. 992.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io" 993Get the list of interfaces and interface drivers known to 994.Nm . 995All the ioctls that manipulate interfaces 996use the same structure described below: 997.Bd -literal 998struct pfioc_iface { 999 char pfiio_name[IFNAMSIZ]; 1000 void *pfiio_buffer; 1001 int pfiio_esize; 1002 int pfiio_size; 1003 int pfiio_nzero; 1004 int pfiio_flags; 1005}; 1006.Ed 1007.Pp 1008If not empty, 1009.Va pfiio_name 1010can be used to restrict the search to a specific interface or driver. 1011.Va pfiio_buffer[pfiio_size] 1012is the user-supplied buffer for returning the data. 1013On entry, 1014.Va pfiio_size 1015contains the number of 1016.Vt pfi_kif 1017entries that can fit into the buffer. 1018The kernel will replace this value by the real number of entries it wants 1019to return. 1020.Va pfiio_esize 1021should be set to 1022.Li sizeof(struct pfi_kif) . 1023.Pp 1024The data is returned in the 1025.Vt pfi_kif 1026structure described below: 1027.Bd -literal 1028struct pfi_kif { 1029 RB_ENTRY(pfi_kif) pfik_tree; 1030 char pfik_name[IFNAMSIZ]; 1031 u_int64_t pfik_packets[2][2][2]; 1032 u_int64_t pfik_bytes[2][2][2]; 1033 u_int32_t pfik_tzero; 1034 int pfik_flags; 1035 struct pf_state_tree_lan_ext pfik_lan_ext; 1036 struct pf_state_tree_ext_gwy pfik_ext_gwy; 1037 TAILQ_ENTRY(pfi_kif) pfik_w_states; 1038 void *pfik_ah_cookie; 1039 struct ifnet *pfik_ifp; 1040 struct ifg_group *pfik_group; 1041 int pfik_states; 1042 int pfik_rules; 1043 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; 1044}; 1045.Ed 1046.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io" 1047Set the user setable flags (described above) of the 1048.Nm 1049internal interface description. 1050The filtering process is the same as for 1051.Dv DIOCIGETIFACES . 1052.Bd -literal 1053#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ 1054.Ed 1055.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io" 1056Works as 1057.Dv DIOCSETIFFLAG 1058above but clears the flags. 1059.El 1060.Sh FILES 1061.Bl -tag -width /dev/pf -compact 1062.It Pa /dev/pf 1063packet filtering device. 1064.El 1065.Sh EXAMPLES 1066The following example demonstrates how to use the 1067.Dv DIOCNATLOOK 1068command to find the internal host/port of a NATed connection: 1069.Bd -literal 1070#include <sys/types.h> 1071#include <sys/socket.h> 1072#include <sys/ioctl.h> 1073#include <sys/fcntl.h> 1074#include <net/if.h> 1075#include <netinet/in.h> 1076#include <net/pfvar.h> 1077#include <err.h> 1078#include <stdio.h> 1079#include <stdlib.h> 1080 1081u_int32_t 1082read_address(const char *s) 1083{ 1084 int a, b, c, d; 1085 1086 sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d); 1087 return htonl(a << 24 | b << 16 | c << 8 | d); 1088} 1089 1090void 1091print_address(u_int32_t a) 1092{ 1093 a = ntohl(a); 1094 printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255, 1095 a >> 8 & 255, a & 255); 1096} 1097 1098int 1099main(int argc, char *argv[]) 1100{ 1101 struct pfioc_natlook nl; 1102 int dev; 1103 1104 if (argc != 5) { 1105 printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n", 1106 argv[0]); 1107 return 1; 1108 } 1109 1110 dev = open("/dev/pf", O_RDWR); 1111 if (dev == -1) 1112 err(1, "open(\\"/dev/pf\\") failed"); 1113 1114 memset(&nl, 0, sizeof(struct pfioc_natlook)); 1115 nl.saddr.v4.s_addr = read_address(argv[1]); 1116 nl.sport = htons(atoi(argv[2])); 1117 nl.daddr.v4.s_addr = read_address(argv[3]); 1118 nl.dport = htons(atoi(argv[4])); 1119 nl.af = AF_INET; 1120 nl.proto = IPPROTO_TCP; 1121 nl.direction = PF_IN; 1122 1123 if (ioctl(dev, DIOCNATLOOK, &nl)) 1124 err(1, "DIOCNATLOOK"); 1125 1126 printf("internal host "); 1127 print_address(nl.rsaddr.v4.s_addr); 1128 printf(":%u\\n", ntohs(nl.rsport)); 1129 return 0; 1130} 1131.Ed 1132.Sh SEE ALSO 1133.Xr ioctl 2 , 1134.Xr bridge 4 , 1135.Xr pflog 4 , 1136.Xr pfsync 4 , 1137.Xr pfctl 8 , 1138.Xr altq 9 1139.Sh HISTORY 1140The 1141.Nm 1142packet filtering mechanism first appeared in 1143.Ox 3.0 1144and was imported into 1145.Dx 1.1 1146by Devon H. O'Dell and Simon Schubert. 1147