f00a812528
Submitted by: Anders Hanssen MFC after: 1 day
840 lines
25 KiB
Groff
840 lines
25 KiB
Groff
.\" $OpenBSD: pf.4,v 1.48 2004/03/27 17:15:30 henning Exp $
|
|
.\"
|
|
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the project nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd September 26, 2001
|
|
.Dt PF 4
|
|
.Os
|
|
.Sh NAME
|
|
.Nm pf
|
|
.Nd packet filter
|
|
.Sh SYNOPSIS
|
|
.Cd "device pf"
|
|
.Sh DESCRIPTION
|
|
Packet filtering takes place in the kernel.
|
|
A pseudo-device,
|
|
.Pa /dev/pf ,
|
|
allows userland processes to control the
|
|
behavior of the packet filter through an
|
|
.Xr ioctl 2
|
|
interface.
|
|
There are commands to enable and disable the filter, load rulesets,
|
|
add and remove individual rules or state table entries,
|
|
and retrieve statistics.
|
|
The most commonly used functions are covered by
|
|
.Xr pfctl 8 .
|
|
.Pp
|
|
Manipulations like loading a ruleset that involve more than a single
|
|
ioctl call require a so-called ticket, which prevents the occurrence of
|
|
multiple concurrent manipulations.
|
|
.Pp
|
|
Fields of ioctl parameter structures that refer to packet data (like
|
|
addresses and ports) are generally expected in network byte-order.
|
|
.Sh FILES
|
|
.Bl -tag -width /dev/pf -compact
|
|
.It Pa /dev/pf
|
|
packet filtering device.
|
|
.El
|
|
.Sh IOCTL INTERFACE
|
|
pf supports the following
|
|
.Xr ioctl 2
|
|
commands:
|
|
.Bl -tag -width xxxxxx
|
|
.It Dv DIOCSTART
|
|
Starts the packet filter.
|
|
.It Dv DIOCSTOP
|
|
Stops the packet filter.
|
|
.It Dv DIOCSTARTALTQ
|
|
Starts the ALTQ bandwidth control system.
|
|
.It Dv DIOCSTOPALTQ
|
|
Stops the ALTQ bandwidth control system.
|
|
.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr"
|
|
.Bd -literal
|
|
struct pfioc_pooladdr {
|
|
u_int32_t action;
|
|
u_int32_t ticket;
|
|
u_int32_t nr;
|
|
u_int32_t r_num;
|
|
u_int8_t r_action;
|
|
u_int8_t r_last;
|
|
u_int8_t af;
|
|
char anchor[PF_ANCHOR_NAME_SIZE];
|
|
char ruleset[PF_RULESET_NAME_SIZE];
|
|
struct pf_pooladdr addr;
|
|
};
|
|
.Ed
|
|
.Pp
|
|
Clears the buffer address pool
|
|
and returns a
|
|
.Va ticket
|
|
for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
|
|
.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr"
|
|
.Pp
|
|
Adds pool address
|
|
.Va addr
|
|
to the buffer address pool to be used in the following
|
|
DIOCADDRULE or DIOCCHANGERULE call.
|
|
All other members of the structure are ignored.
|
|
.It Dv DIOCADDRULE Fa "struct pfioc_rule"
|
|
.Bd -literal
|
|
struct pfioc_rule {
|
|
u_int32_t action;
|
|
u_int32_t ticket;
|
|
u_int32_t pool_ticket;
|
|
u_int32_t nr;
|
|
char anchor[PF_ANCHOR_NAME_SIZE];
|
|
char ruleset[PF_RULESET_NAME_SIZE];
|
|
struct pf_rule rule;
|
|
};
|
|
.Ed
|
|
.Pp
|
|
Adds
|
|
.Va rule
|
|
at the end of the inactive ruleset.
|
|
Requires
|
|
.Va ticket
|
|
obtained through preceding DIOCXBEGIN call, and
|
|
.Va pool_ticket
|
|
obtained through DIOCBEGINADDRS call.
|
|
DIOCADDADDR must also be called if any pool addresses are required.
|
|
The optional
|
|
.Va anchor
|
|
and
|
|
.Va ruleset
|
|
names indicate the anchor and ruleset in which to append the rule.
|
|
.Va nr
|
|
and
|
|
.Va action
|
|
are ignored.
|
|
.It Dv DIOCADDALTQ Fa "struct pfioc_altq"
|
|
Adds
|
|
.Bd -literal
|
|
struct pfioc_altq {
|
|
u_int32_t action;
|
|
u_int32_t ticket;
|
|
u_int32_t nr;
|
|
struct pf_altq altq;
|
|
};
|
|
.Ed
|
|
.It Dv DIOCGETRULES Fa "struct pfioc_rule"
|
|
Returns
|
|
.Va ticket
|
|
for subsequent DIOCGETRULE calls and
|
|
.Va nr
|
|
of rules in the active ruleset.
|
|
.It Dv DIOCGETRULE Fa "struct pfioc_rule"
|
|
Returns
|
|
.Va rule
|
|
number
|
|
.Va nr
|
|
using
|
|
.Va ticket
|
|
obtained through a preceding DIOCGETRULES call.
|
|
.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr"
|
|
Returns
|
|
.Va ticket
|
|
for subsequent DIOCGETADDR calls and
|
|
.Va nr
|
|
of pool addresses in the rule specified with
|
|
.Va r_action ,
|
|
.Va r_num ,
|
|
.Va anchor
|
|
and
|
|
.Va ruleset .
|
|
.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr"
|
|
Returns pool address
|
|
.Va addr
|
|
number
|
|
.Va nr
|
|
from the rule specified with
|
|
.Va r_action ,
|
|
.Va r_num ,
|
|
.Va anchor
|
|
and
|
|
.Va ruleset
|
|
using
|
|
.Va ticket
|
|
obtained through a preceding DIOCGETADDRS call.
|
|
.It Dv DIOCGETALTQS Fa "struct pfioc_altq"
|
|
Returns
|
|
.Va ticket
|
|
for subsequent DIOCGETALTQ calls and
|
|
.Va nr
|
|
of queues in the active list.
|
|
.It Dv DIOCGETALTQ Fa "struct pfioc_altq"
|
|
Returns
|
|
.Va altq
|
|
number
|
|
.Va nr
|
|
using
|
|
.Va ticket
|
|
obtained through a preceding DIOCGETALTQS call.
|
|
.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats"
|
|
Returns statistics on a queue.
|
|
.Bd -literal
|
|
struct pfioc_qstats {
|
|
u_int32_t ticket;
|
|
u_int32_t nr;
|
|
void *buf;
|
|
int nbytes;
|
|
u_int8_t scheduler;
|
|
};
|
|
.Ed
|
|
.Pp
|
|
A pointer to a buffer of statistics
|
|
.Va buf
|
|
of length
|
|
.Va nbytes
|
|
for the queue specified by
|
|
.Va nr .
|
|
.It Dv DIOCADDSTATE Fa "struct pfioc_state"
|
|
Adds a state entry.
|
|
.It Dv DIOCGETSTATE Fa "struct pfioc_state"
|
|
.Bd -literal
|
|
struct pfioc_state {
|
|
u_int32_t nr;
|
|
struct pf_state state;
|
|
};
|
|
.Ed
|
|
.Pp
|
|
Extracts the entry with the specified number from the state table.
|
|
.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill"
|
|
Removes matching entries from the state table.
|
|
Returns the number of killed states in psk_af.
|
|
.Bd -literal
|
|
struct pfioc_state_kill {
|
|
int psk_af;
|
|
int psk_proto;
|
|
struct pf_rule_addr psk_src;
|
|
struct pf_rule_addr psk_dst;
|
|
char psk_ifname[IFNAMSIZ];
|
|
};
|
|
.Ed
|
|
.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill"
|
|
Clears all states.
|
|
It works like
|
|
.Dv DIOCKILLSTATES ,
|
|
but ignores the psk_af, psk_proto, psk_src and psk_dst fields of the
|
|
.Fa pfioc_state_kill
|
|
structure.
|
|
.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if"
|
|
.Bd -literal
|
|
struct pfioc_if {
|
|
char ifname[IFNAMSIZ];
|
|
};
|
|
.Ed
|
|
.Pp
|
|
Specifies the interface for which statistics are accumulated.
|
|
.It Dv DIOCGETSTATUS Fa "struct pf_status"
|
|
.Bd -literal
|
|
struct pf_status {
|
|
u_int64_t counters[PFRES_MAX];
|
|
u_int64_t fcounters[FCNT_MAX];
|
|
u_int64_t scounters[SCNT_MAX];
|
|
u_int64_t pcounters[2][2][3];
|
|
u_int64_t bcounters[2][2];
|
|
u_int64_t stateid;
|
|
u_int32_t running;
|
|
u_int32_t states;
|
|
u_int32_t src_nodes;
|
|
u_int32_t since;
|
|
u_int32_t debug;
|
|
u_int32_t hostid;
|
|
char ifname[IFNAMSIZ];
|
|
};
|
|
.Ed
|
|
.Pp
|
|
Gets the internal packet filter statistics.
|
|
.It Dv DIOCCLRSTATUS
|
|
Clears the internal packet filter statistics.
|
|
.It Dv DIOCNATLOOK Fa "struct pfioc_natlook"
|
|
Looks up a state table entry by source and destination addresses and ports.
|
|
.Bd -literal
|
|
struct pfioc_natlook {
|
|
struct pf_addr saddr;
|
|
struct pf_addr daddr;
|
|
struct pf_addr rsaddr;
|
|
struct pf_addr rdaddr;
|
|
u_int16_t sport;
|
|
u_int16_t dport;
|
|
u_int16_t rsport;
|
|
u_int16_t rdport;
|
|
sa_family_t af;
|
|
u_int8_t proto;
|
|
u_int8_t direction;
|
|
};
|
|
.Ed
|
|
.It Dv DIOCSETDEBUG Fa "u_int32_t"
|
|
Sets the debug level.
|
|
.Bd -literal
|
|
enum { PF_DEBUG_NONE=0, PF_DEBUG_URGENT=1, PF_DEBUG_MISC=2 };
|
|
.Ed
|
|
.It Dv DIOCGETSTATES Fa "struct pfioc_states"
|
|
.Bd -literal
|
|
struct pfioc_states {
|
|
int ps_len;
|
|
union {
|
|
caddr_t psu_buf;
|
|
struct pf_state *psu_states;
|
|
} ps_u;
|
|
#define ps_buf ps_u.psu_buf
|
|
#define ps_states ps_u.psu_states
|
|
};
|
|
.Ed
|
|
.It Dv DIOCCHANGERULE Fa "struct pfioc_rule"
|
|
Adds or removes the
|
|
.Va rule
|
|
in the ruleset specified by
|
|
.Va rule.action .
|
|
.Bd -literal
|
|
enum { PF_CHANGE_ADD_HEAD=1, PF_CHANGE_ADD_TAIL=2,
|
|
PF_CHANGE_ADD_BEFORE=3, PF_CHANGE_ADD_AFTER=4,
|
|
PF_CHANGE_REMOVE=5, PF_CHANGE_GET_TICKET=6 };
|
|
.Ed
|
|
.Pp
|
|
The type of operation to be performed is indicated by
|
|
.Va action .
|
|
.Pp
|
|
.Va ticket
|
|
must be set to the value obtained with PF_CHANGE_GET_TICKET
|
|
for all actions except PF_CHANGE_GET_TICKET.
|
|
.Va pool_ticket
|
|
must be set to the value obtained with the DIOCBEGINADDRS call
|
|
for all actions except PF_CHANGE_REMOVE and PF_CHANGE_GET_TICKET.
|
|
.Pp
|
|
.Va anchor
|
|
and
|
|
.Va ruleset
|
|
indicate which anchor and ruleset the operation applies to.
|
|
.Va nr
|
|
indicates the rule number against which PF_CHANGE_ADD_BEFORE,
|
|
PF_CHANGE_ADD_AFTER or PF_CHANGE_REMOVE actions are applied.
|
|
.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr"
|
|
Adds or removes a pool address
|
|
.Va addr
|
|
from a rule specified with
|
|
.Va r_action ,
|
|
.Va r_num ,
|
|
.Va anchor
|
|
and
|
|
.Va ruleset .
|
|
.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm"
|
|
.Bd -literal
|
|
struct pfioc_tm {
|
|
int timeout;
|
|
int seconds;
|
|
};
|
|
.Ed
|
|
.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm"
|
|
.It Dv DIOCCLRRULECTRS
|
|
Clear per-rule statistics.
|
|
.It Dv DIOCSETLIMIT Fa "struct pfioc_limit"
|
|
Sets hard limits on the memory pools used by the packet filter.
|
|
.Bd -literal
|
|
struct pfioc_limit {
|
|
int index;
|
|
unsigned limit;
|
|
};
|
|
.Ed
|
|
.It Dv DIOCGETLIMIT Fa "struct pfioc_limit"
|
|
.It Dv DIOCRCLRTABLES Fa "struct pfioc_table"
|
|
Clear all tables.
|
|
All the IOCTLs that manipulate radix tables
|
|
use the same structure described below.
|
|
For
|
|
.Dv DIOCRCLRTABLES, pfrio_ndel contains on exit the number
|
|
of tables deleted.
|
|
.Bd -literal
|
|
struct pfioc_table {
|
|
struct pfr_table pfrio_table;
|
|
void *pfrio_buffer;
|
|
int pfrio_esize;
|
|
int pfrio_size;
|
|
int pfrio_size2;
|
|
int pfrio_nadd;
|
|
int pfrio_ndel;
|
|
int pfrio_nchange;
|
|
int pfrio_flags;
|
|
int pfrio_ticket;
|
|
};
|
|
#define pfrio_exists pfrio_nadd
|
|
#define pfrio_nzero pfrio_nadd
|
|
#define pfrio_nmatch pfrio_nadd
|
|
#define pfrio_naddr pfrio_size2
|
|
#define pfrio_setflag pfrio_size2
|
|
#define pfrio_clrflag pfrio_nadd
|
|
.Ed
|
|
.It Dv DIOCRADDTABLES Fa "struct pfioc_table"
|
|
Creates one or more tables.
|
|
On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures.
|
|
On exit, pfrio_nadd contains the number of tables effectively created.
|
|
.Bd -literal
|
|
struct pfr_table {
|
|
char pfrt_anchor[PF_ANCHOR_NAME_SIZE];
|
|
char pfrt_ruleset[PF_RULESET_NAME_SIZE];
|
|
char pfrt_name[PF_TABLE_NAME_SIZE];
|
|
u_int32_t pfrt_flags;
|
|
u_int8_t pfrt_fback;
|
|
};
|
|
.Ed
|
|
.It Dv DIOCRDELTABLES Fa "struct pfioc_table"
|
|
Deletes one or more tables.
|
|
On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures.
|
|
On exit, pfrio_nadd contains the number of tables effectively deleted.
|
|
.It Dv DIOCRGETTABLES Fa "struct pfioc_table"
|
|
Get the list of all tables.
|
|
On entry, pfrio_buffer[pfrio_size] contains a valid writeable buffer for
|
|
pfr_table structures.
|
|
On exit, pfrio_size contains the number of tables written into the buffer.
|
|
If the buffer is too small, the kernel does not store anything but just
|
|
returns the required buffer size, without error.
|
|
.It Dv DIOCRGETTSTATS Fa "struct pfioc_table"
|
|
Like
|
|
.Dv DIOCRGETTABLES ,
|
|
but returns an array of pfr_tstats structures.
|
|
.Bd -literal
|
|
struct pfr_tstats {
|
|
struct pfr_table pfrts_t;
|
|
u_int64_t pfrts_packets
|
|
[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
|
|
u_int64_t pfrts_bytes
|
|
[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
|
|
u_int64_t pfrts_match;
|
|
u_int64_t pfrts_nomatch;
|
|
long pfrts_tzero;
|
|
int pfrts_cnt;
|
|
int pfrts_refcnt[PFR_REFCNT_MAX];
|
|
};
|
|
#define pfrts_name pfrts_t.pfrt_name
|
|
#define pfrts_flags pfrts_t.pfrt_flags
|
|
.Ed
|
|
.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table"
|
|
Clears the statistics of one or more tables.
|
|
On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures.
|
|
On exit, pfrio_nzero contains the number of tables effectively cleared.
|
|
.It Dv DIOCRCLRADDRS Fa "struct pfioc_table"
|
|
Clear all addresses in a table.
|
|
On entry, pfrio_table contains the table to clear.
|
|
On exit, pfrio_ndel contains the number of addresses removed.
|
|
.It Dv DIOCRADDADDRS Fa "struct pfioc_table"
|
|
Add one or more addresses to a table.
|
|
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
|
|
contains the list of pfr_addr structures to add.
|
|
On exit, pfrio_nadd contains the number of addresses effectively added.
|
|
.Bd -literal
|
|
struct pfr_addr {
|
|
union {
|
|
struct in_addr _pfra_ip4addr;
|
|
struct in6_addr _pfra_ip6addr;
|
|
} pfra_u;
|
|
u_int8_t pfra_af;
|
|
u_int8_t pfra_net;
|
|
u_int8_t pfra_not;
|
|
u_int8_t pfra_fback;
|
|
};
|
|
#define pfra_ip4addr pfra_u._pfra_ip4addr
|
|
#define pfra_ip6addr pfra_u._pfra_ip6addr
|
|
.Ed
|
|
.It Dv DIOCRDELADDRS Fa "struct pfioc_table"
|
|
Delete one or more addresses from a table.
|
|
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
|
|
contains the list of pfr_addr structures to delete.
|
|
On exit, pfrio_ndel contains the number of addresses effectively deleted.
|
|
.It Dv DIOCRSETADDRS Fa "struct pfioc_table"
|
|
Replace the content of a table by a new address list.
|
|
This is the most complicated command, which uses all the structure members.
|
|
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
|
|
contains the new list of pfr_addr structures.
|
|
In addition to that, if size2 is nonzero, pfrio_buffer[pfrio_size..pfrio_size2]
|
|
must be a writeable buffer, into which the kernel can copy the addresses that
|
|
have been deleted during the replace operation.
|
|
On exit, pfrio_ndel, pfrio_nadd and pfrio_nchange contain the number of
|
|
addresses deleted, added and changed by the kernel.
|
|
If pfrio_size2 was set on
|
|
entry, pfrio_size2 will point to the size of the buffer used, exactly like
|
|
.Dv DIOCRGETADDRS .
|
|
.It Dv DIOCRGETADDRS Fa "struct pfioc_table"
|
|
Get all the addresses of a table.
|
|
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
|
|
contains a valid writeable buffer for pfr_addr structures.
|
|
On exit, pfrio_size contains the number of addresses written into the buffer.
|
|
If the buffer was too small, the kernel does not store anything but just
|
|
return the required buffer size, without returning an error.
|
|
.It Dv DIOCRGETASTATS Fa "struct pfioc_table"
|
|
Like
|
|
.Dv DIOCRGETADDRS ,
|
|
but returns an array of pfr_astats structures.
|
|
.Bd -literal
|
|
struct pfr_astats {
|
|
struct pfr_addr pfras_a;
|
|
u_int64_t pfras_packets
|
|
[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
|
|
u_int64_t pfras_bytes
|
|
[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
|
|
long pfras_tzero;
|
|
};
|
|
.Ed
|
|
.It Dv DIOCRCLRASTATS Fa "struct pfioc_table"
|
|
Clears the statistics of one or more addresses.
|
|
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
|
|
contains a table of pfr_addr structures to clear.
|
|
On exit, pfrio_nzero contains the number of addresses effectively cleared.
|
|
.It Dv DIOCRTSTADDRS Fa "struct pfioc_table"
|
|
Test if the given addresses match a table.
|
|
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
|
|
contains a table of pfr_addr structures to test.
|
|
On exit, the kernel updates the pfr_addr table by setting the pfra_fback
|
|
member appropriately.
|
|
.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table"
|
|
Change the
|
|
.Va const
|
|
or
|
|
.Va persist
|
|
flag of a table.
|
|
On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures,
|
|
and pfrio_setflag contains the flags to add, while pfrio_clrflag contains the
|
|
flags to remove.
|
|
On exit, pfrio_nchange and pfrio_ndel contain the number of tables altered
|
|
or deleted by the kernel.
|
|
Yes, tables can be deleted if one removes the
|
|
.Va persist
|
|
flag of an unreferenced table.
|
|
.It Dv DIOCRINADEFINE Fa "struct pfioc_table"
|
|
Defines a table in the inactive set.
|
|
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
|
|
contains the list of pfr_addr structures to put in the table.
|
|
A valid ticket must also be supplied to pfrio_ticket.
|
|
On exit, pfrio_nadd contains 0 if the table was already defined in the
|
|
inactive list, or 1 if a new table has been created.
|
|
pfrio_naddr contains the number of addresses effectively put in the table.
|
|
.It Dv DIOCXBEGIN Fa "struct pfioc_trans"
|
|
.Bd -literal
|
|
#define PF_RULESET_ALTQ (PF_RULESET_MAX)
|
|
#define PF_RULESET_TABLE (PF_RULESET_MAX+1)
|
|
struct pfioc_trans {
|
|
int size; /* number of elements */
|
|
int esize; /* size of each element in bytes */
|
|
struct pfioc_trans_e {
|
|
int rs_num;
|
|
char anchor[PF_ANCHOR_NAME_SIZE];
|
|
char ruleset[PF_RULESET_NAME_SIZE];
|
|
u_int32_t ticket;
|
|
} *array;
|
|
};
|
|
.Ed
|
|
.Pp
|
|
Clears all the inactive rulesets specified in the
|
|
.Fa "struct pfioc_trans_e"
|
|
array.
|
|
For each ruleset, a ticket is returned for subsequent "add rule" IOCTLs,
|
|
as well as for the
|
|
.Dv DIOCXCOMMIT
|
|
and
|
|
.Dv DIOCXROLLBACK
|
|
calls.
|
|
.It Dv DIOCXCOMMIT Fa "struct pfioc_trans"
|
|
Atomically switch a vector of inactive rulesets to the active rulesets.
|
|
Implemented as a standard 2-phase commit, which will either fail for all
|
|
rulesets or completely succeed.
|
|
All tickets need to be valid.
|
|
Returns
|
|
.Dv EBUSY
|
|
if a concurrent process is trying to update some of the same rulesets
|
|
concurrently.
|
|
.It Dv DIOCXROLLBACK Fa "struct pfioc_trans"
|
|
Clean up the kernel by undoing all changes that have taken place on the
|
|
inactive rulesets since the last
|
|
.Dv DIOCXBEGIN .
|
|
.Dv DIOCXROLLBACK
|
|
will silently ignore rulesets for which the ticket is invalid.
|
|
.It Dv DIOCFPFLUSH
|
|
Flush the passive OS fingerprint table.
|
|
.It Dv DIOCFPADD Fa "struct pf_osfp_ioctl"
|
|
.Bd -literal
|
|
struct pf_osfp_ioctl {
|
|
struct pf_osfp_entry {
|
|
SLIST_ENTRY(pf_osfp_entry) fp_entry;
|
|
pf_osfp_t fp_os;
|
|
char fp_class_nm[PF_OSFP_LEN];
|
|
char fp_version_nm[PF_OSFP_LEN];
|
|
char fp_subtype_nm[PF_OSFP_LEN];
|
|
} fp_os;
|
|
u_int16_t fp_mss;
|
|
u_int16_t fp_wsize;
|
|
u_int16_t fp_psize;
|
|
u_int8_t fp_ttl;
|
|
u_int8_t fp_wscale;
|
|
u_int8_t fp_flags;
|
|
int fp_getnum;
|
|
};
|
|
.Ed
|
|
.Pp
|
|
Add a passive OS fingerprint to the table.
|
|
Set
|
|
.Va fp_os.fp_os
|
|
to the packed fingerprint,
|
|
.Va fp_os.fp_class_nm
|
|
to the name of the class (Linux, Windows, etc),
|
|
.Va fp_os.fp_version_nm
|
|
to the name of the version (NT, 95, 98), and
|
|
.Va fp_os.fp_subtype_nm
|
|
to the name of the subtype or patchlevel.
|
|
The members
|
|
.Va fp_mss ,
|
|
.Va fp_wsize ,
|
|
.Va fp_psize ,
|
|
.Va fp_ttl ,
|
|
and
|
|
.Va fp_wscale
|
|
are set to the TCP MSS, the TCP window size, the IP length and the IP TTL of
|
|
the TCP SYN packet respectively.
|
|
The
|
|
.Va fp_flags
|
|
member is filled according to the net/pfvar.h include file PF_OSFP_* defines.
|
|
The
|
|
.Va fp_getnum
|
|
is not used with this ioctl.
|
|
.Pp
|
|
The structure's slack space must be zeroed for correct operation; memset
|
|
the whole structure to zero before filling and sending to the kernel.
|
|
.It Dv DIOCFPGET Fa "struct pf_osfp_ioctl"
|
|
.Bd -literal
|
|
struct pf_osfp_ioctl {
|
|
struct pf_osfp_entry {
|
|
SLIST_ENTRY(pf_osfp_entry) fp_entry;
|
|
pf_osfp_t fp_os;
|
|
char fp_class_nm[PF_OSFP_LEN];
|
|
char fp_version_nm[PF_OSFP_LEN];
|
|
char fp_subtype_nm[PF_OSFP_LEN];
|
|
} fp_os;
|
|
u_int16_t fp_mss;
|
|
u_int16_t fp_wsize;
|
|
u_int16_t fp_psize;
|
|
u_int8_t fp_ttl;
|
|
u_int8_t fp_wscale;
|
|
u_int8_t fp_flags;
|
|
int fp_getnum;
|
|
};
|
|
.Ed
|
|
.Pp
|
|
Get the passive OS fingerprint number
|
|
.Va fp_getnum
|
|
from the kernel's fingerprint list.
|
|
The rest of the structure members will come back filled.
|
|
Get the whole list by repeatedly incrementing the
|
|
.Va fp_getnum
|
|
number until the ioctl returns EBUSY.
|
|
.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes"
|
|
.Bd -literal
|
|
struct pfioc_src_nodes {
|
|
int psn_len;
|
|
union {
|
|
caddr_t psu_buf;
|
|
struct pf_src_node *psu_src_nodes;
|
|
} psn_u;
|
|
#define psn_buf psn_u.psu_buf
|
|
#define psn_src_nodes psn_u.psu_src_nodes
|
|
};
|
|
.Ed
|
|
.Pp
|
|
Get the list of source nodes kept by the
|
|
.Ar sticky-address
|
|
and
|
|
.Ar source-track
|
|
options.
|
|
The ioctl must be called once with
|
|
.Va psn_len
|
|
set to 0.
|
|
If the ioctl returns without error,
|
|
.Va psn_len
|
|
will be set to the size of the buffer required to hold all the
|
|
.Va pf_src_node
|
|
structures held in the table.
|
|
A buffer of this size should then be allocated, and a pointer to this buffer
|
|
placed in
|
|
.Va psn_buf .
|
|
The ioctl must then be called again to fill this buffer with the actual
|
|
source node data.
|
|
After the ioctl call
|
|
.Va psn_len
|
|
will be set to the length of the buffer actually used.
|
|
.It Dv DIOCCLRSRCNODES Fa "struct pfioc_table"
|
|
Clear the tree of source tracking nodes.
|
|
.It Dv DIOCIGETIFACES Fa "struct pfioc_iface"
|
|
Gets the list of interfaces and interface drivers known to
|
|
.Nm .
|
|
All the IOCTLs that manipulate interfaces
|
|
use the same structure described below:
|
|
.Bd -literal
|
|
struct pfioc_iface {
|
|
char pfiio_name[IFNAMSIZ];
|
|
void *pfiio_buffer;
|
|
int pfiio_esize;
|
|
int pfiio_size;
|
|
int pfiio_nzero;
|
|
int pfiio_flags;
|
|
};
|
|
|
|
#define PFI_FLAG_GROUP 0x0001 /* gets groups of interfaces */
|
|
#define PFI_FLAG_INSTANCE 0x0002 /* gets single interfaces */
|
|
#define PFI_FLAG_ALLMASK 0x0003
|
|
.Ed
|
|
.Pp
|
|
If not empty,
|
|
.Va pfiio_name
|
|
can be used to restrict the search to a specific interface or driver.
|
|
.Va pfiio_buffer[pfiio_size]
|
|
is the user-supplied buffer for returning the data.
|
|
On entry,
|
|
.Va pfiio_size
|
|
represents the number of
|
|
.Va pfi_if
|
|
entries that can fit into the buffer.
|
|
The kernel will replace this value by the real number of entries it wants
|
|
to return.
|
|
.Va pfiio_esize
|
|
should be set to sizeof(struct pfi_if).
|
|
.Va pfiio_flags
|
|
should be set to
|
|
.Dv PFI_FLAG_GROUP , PFI_FLAG_INSTANCE ,
|
|
or both to tell the kernel to return a group of interfaces
|
|
(drivers, like "fxp"), real interface instances (like "fxp1") or both.
|
|
The data is returned in the
|
|
.Va pfi_if
|
|
structure described below:
|
|
.Bd -literal
|
|
struct pfi_if {
|
|
char pfif_name[IFNAMSIZ];
|
|
u_int64_t pfif_packets[2][2][2];
|
|
u_int64_t pfif_bytes[2][2][2];
|
|
u_int64_t pfif_addcnt;
|
|
u_int64_t pfif_delcnt;
|
|
long pfif_tzero;
|
|
int pfif_states;
|
|
int pfif_rules;
|
|
int pfif_flags;
|
|
};
|
|
|
|
#define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */
|
|
#define PFI_IFLAG_INSTANCE 0x0002 /* single instance */
|
|
#define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */
|
|
#define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */
|
|
#define PFI_IFLAG_ATTACHED 0x0040 /* interface attached */
|
|
#define PFI_IFLAG_REFERENCED 0x0080 /* referenced by rules */
|
|
.Ed
|
|
.It Dv DIOCICLRISTATS Fa "struct pfioc_iface"
|
|
Clear the statistics counters of one or more interfaces.
|
|
.Va pfiio_name
|
|
and
|
|
.Va pfrio_flags
|
|
can be used to select which interfaces need to be cleared.
|
|
The filtering process is the same as for
|
|
.Dv DIOCIGETIFACES .
|
|
.Va pfiio_nzero
|
|
will be set by the kernel to the number of interfaces and drivers
|
|
that have been cleared.
|
|
.El
|
|
.Sh EXAMPLES
|
|
The following example demonstrates how to use the DIOCNATLOOK command
|
|
to find the internal host/port of a NATed connection.
|
|
.Bd -literal
|
|
#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/ioctl.h>
|
|
#include <sys/fcntl.h>
|
|
#include <net/if.h>
|
|
#include <netinet/in.h>
|
|
#include <net/pfvar.h>
|
|
#include <err.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
|
|
u_int32_t
|
|
read_address(const char *s)
|
|
{
|
|
int a, b, c, d;
|
|
|
|
sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
|
|
return htonl(a << 24 | b << 16 | c << 8 | d);
|
|
}
|
|
|
|
void
|
|
print_address(u_int32_t a)
|
|
{
|
|
a = ntohl(a);
|
|
printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
|
|
a >> 8 & 255, a & 255);
|
|
}
|
|
|
|
int
|
|
main(int argc, char *argv[])
|
|
{
|
|
struct pfioc_natlook nl;
|
|
int dev;
|
|
|
|
if (argc != 5) {
|
|
printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n",
|
|
argv[0]);
|
|
return 1;
|
|
}
|
|
|
|
dev = open("/dev/pf", O_RDWR);
|
|
if (dev == -1)
|
|
err(1, "open(\\"/dev/pf\\") failed");
|
|
|
|
memset(&nl, 0, sizeof(struct pfioc_natlook));
|
|
nl.saddr.v4.s_addr = read_address(argv[1]);
|
|
nl.sport = htons(atoi(argv[2]));
|
|
nl.daddr.v4.s_addr = read_address(argv[3]);
|
|
nl.dport = htons(atoi(argv[4]));
|
|
nl.af = AF_INET;
|
|
nl.proto = IPPROTO_TCP;
|
|
nl.direction = PF_IN;
|
|
|
|
if (ioctl(dev, DIOCNATLOOK, &nl))
|
|
err(1, "DIOCNATLOOK");
|
|
|
|
printf("internal host ");
|
|
print_address(nl.rsaddr.v4.s_addr);
|
|
printf(":%u\\n", ntohs(nl.rsport));
|
|
return 0;
|
|
}
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr ioctl 2 ,
|
|
.Xr bridge 4 ,
|
|
.Xr pflog 4 ,
|
|
.Xr pfsync 4 ,
|
|
.Xr pfctl 8
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
packet filtering mechanism first appeared in
|
|
.Ox 3.0 .
|