diff options
Diffstat (limited to 'contrib/pf/man/pf.4')
| -rw-r--r-- | contrib/pf/man/pf.4 | 837 |
1 files changed, 0 insertions, 837 deletions
diff --git a/contrib/pf/man/pf.4 b/contrib/pf/man/pf.4 deleted file mode 100644 index df0ff6c0fb83..000000000000 --- a/contrib/pf/man/pf.4 +++ /dev/null @@ -1,837 +0,0 @@ -.\" $OpenBSD: pf.4,v 1.48 2004/03/27 17:15:30 henning Exp $ -.\" -.\" Copyright (C) 2001, Kjell Wooding. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. Neither the name of the project nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.Dd June 24, 2001 -.Dt PF 4 -.Os -.Sh NAME -.Nm pf -.Nd packet filter -.Sh SYNOPSIS -.Cd "pseudo-device pf" -.Sh DESCRIPTION -Packet filtering takes place in the kernel. -A pseudo-device, -.Pa /dev/pf , -allows userland processes to control the -behavior of the packet filter through an -.Xr ioctl 2 -interface. -There are commands to enable and disable the filter, load rulesets, -add and remove individual rules or state table entries, -and retrieve statistics. -The most commonly used functions are covered by -.Xr pfctl 8 . -.Pp -Manipulations like loading a ruleset that involve more than a single -ioctl call require a so-called ticket, which prevents the occurrence of -multiple concurrent manipulations. -.Pp -Fields of ioctl parameter structures that refer to packet data (like -addresses and ports) are generally expected in network byte-order. -.Sh FILES -.Bl -tag -width /dev/pf -compact -.It Pa /dev/pf -packet filtering device. -.El -.Sh IOCTL INTERFACE -pf supports the following -.Xr ioctl 2 -commands: -.Bl -tag -width xxxxxx -.It Dv DIOCSTART -Starts the packet filter. -.It Dv DIOCSTOP -Stops the packet filter. -.It Dv DIOCSTARTALTQ -Starts the ALTQ bandwidth control system. -.It Dv DIOCSTOPALTQ -Stops the ALTQ bandwidth control system. -.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr" -.Bd -literal -struct pfioc_pooladdr { - u_int32_t action; - u_int32_t ticket; - u_int32_t nr; - u_int32_t r_num; - u_int8_t r_action; - u_int8_t r_last; - u_int8_t af; - char anchor[PF_ANCHOR_NAME_SIZE]; - char ruleset[PF_RULESET_NAME_SIZE]; - struct pf_pooladdr addr; -}; -.Ed -.Pp -Clears the buffer address pool -and returns a -.Va ticket -for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls. -.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr" -.Pp -Adds pool address -.Va addr -to the buffer address pool to be used in the following -DIOCADDRULE or DIOCCHANGERULE call. -All other members of the structure are ignored. -.It Dv DIOCADDRULE Fa "struct pfioc_rule" -.Bd -literal -struct pfioc_rule { - u_int32_t action; - u_int32_t ticket; - u_int32_t pool_ticket; - u_int32_t nr; - char anchor[PF_ANCHOR_NAME_SIZE]; - char ruleset[PF_RULESET_NAME_SIZE]; - struct pf_rule rule; -}; -.Ed -.Pp -Adds -.Va rule -at the end of the inactive ruleset. -Requires -.Va ticket -obtained through preceding DIOCXBEGIN call, and -.Va pool_ticket -obtained through DIOCBEGINADDRS call. -DIOCADDADDR must also be called if any pool addresses are required. -The optional -.Va anchor -and -.Va ruleset -names indicate the anchor and ruleset in which to append the rule. -.Va nr -and -.Va action -are ignored. -.It Dv DIOCADDALTQ Fa "struct pfioc_altq" -Adds -.Bd -literal -struct pfioc_altq { - u_int32_t action; - u_int32_t ticket; - u_int32_t nr; - struct pf_altq altq; -}; -.Ed -.It Dv DIOCGETRULES Fa "struct pfioc_rule" -Returns -.Va ticket -for subsequent DIOCGETRULE calls and -.Va nr -of rules in the active ruleset. -.It Dv DIOCGETRULE Fa "struct pfioc_rule" -Returns -.Va rule -number -.Va nr -using -.Va ticket -obtained through a preceding DIOCGETRULES call. -.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr" -Returns -.Va ticket -for subsequent DIOCGETADDR calls and -.Va nr -of pool addresses in the rule specified with -.Va r_action , -.Va r_num , -.Va anchor -and -.Va ruleset . -.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr" -Returns pool address -.Va addr -number -.Va nr -from the rule specified with -.Va r_action , -.Va r_num , -.Va anchor -and -.Va ruleset -using -.Va ticket -obtained through a preceding DIOCGETADDRS call. -.It Dv DIOCGETALTQS Fa "struct pfioc_altq" -Returns -.Va ticket -for subsequent DIOCGETALTQ calls and -.Va nr -of queues in the active list. -.It Dv DIOCGETALTQ Fa "struct pfioc_altq" -Returns -.Va altq -number -.Va nr -using -.Va ticket -obtained through a preceding DIOCGETALTQS call. -.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats" -Returns statistics on a queue. -.Bd -literal -struct pfioc_qstats { - u_int32_t ticket; - u_int32_t nr; - void *buf; - int nbytes; - u_int8_t scheduler; -}; -.Ed -.Pp -A pointer to a buffer of statistics -.Va buf -of length -.Va nbytes -for the queue specified by -.Va nr . -.It Dv DIOCADDSTATE Fa "struct pfioc_state" -Adds a state entry. -.It Dv DIOCGETSTATE Fa "struct pfioc_state" -.Bd -literal -struct pfioc_state { - u_int32_t nr; - struct pf_state state; -}; -.Ed -.Pp -Extracts the entry with the specified number from the state table. -.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill" -Removes matching entries from the state table. -Returns the number of killed states in psk_af. -.Bd -literal -struct pfioc_state_kill { - int psk_af; - int psk_proto; - struct pf_rule_addr psk_src; - struct pf_rule_addr psk_dst; - char psk_ifname[IFNAMSIZ]; -}; -.Ed -.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill" -Clears all states. -It works like -.Dv DIOCKILLSTATES , -but ignores the psk_af, psk_proto, psk_src and psk_dst fields of the -.Fa pfioc_state_kill -structure. -.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if" -.Bd -literal -struct pfioc_if { - char ifname[IFNAMSIZ]; -}; -.Ed -.Pp -Specifies the interface for which statistics are accumulated. -.It Dv DIOCGETSTATUS Fa "struct pf_status" -.Bd -literal -struct pf_status { - u_int64_t counters[PFRES_MAX]; - u_int64_t fcounters[FCNT_MAX]; - u_int64_t scounters[SCNT_MAX]; - u_int64_t pcounters[2][2][3]; - u_int64_t bcounters[2][2]; - u_int64_t stateid; - u_int32_t running; - u_int32_t states; - u_int32_t src_nodes; - u_int32_t since; - u_int32_t debug; - u_int32_t hostid; - char ifname[IFNAMSIZ]; -}; -.Ed -.Pp -Gets the internal packet filter statistics. -.It Dv DIOCCLRSTATUS -Clears the internal packet filter statistics. -.It Dv DIOCNATLOOK Fa "struct pfioc_natlook" -Looks up a state table entry by source and destination addresses and ports. -.Bd -literal -struct pfioc_natlook { - struct pf_addr saddr; - struct pf_addr daddr; - struct pf_addr rsaddr; - struct pf_addr rdaddr; - u_int16_t sport; - u_int16_t dport; - u_int16_t rsport; - u_int16_t rdport; - sa_family_t af; - u_int8_t proto; - u_int8_t direction; -}; -.Ed -.It Dv DIOCSETDEBUG Fa "u_int32_t" -Sets the debug level. -.Bd -literal -enum { PF_DEBUG_NONE=0, PF_DEBUG_URGENT=1, PF_DEBUG_MISC=2 }; -.Ed -.It Dv DIOCGETSTATES Fa "struct pfioc_states" -.Bd -literal -struct pfioc_states { - int ps_len; - union { - caddr_t psu_buf; - struct pf_state *psu_states; - } ps_u; -#define ps_buf ps_u.psu_buf -#define ps_states ps_u.psu_states -}; -.Ed -.It Dv DIOCCHANGERULE Fa "struct pfioc_rule" -Adds or removes the -.Va rule -in the ruleset specified by -.Va rule.action . -.Bd -literal -enum { PF_CHANGE_ADD_HEAD=1, PF_CHANGE_ADD_TAIL=2, - PF_CHANGE_ADD_BEFORE=3, PF_CHANGE_ADD_AFTER=4, - PF_CHANGE_REMOVE=5, PF_CHANGE_GET_TICKET=6 }; -.Ed -.Pp -The type of operation to be performed is indicated by -.Va action . -.Pp -.Va ticket -must be set to the value obtained with PF_CHANGE_GET_TICKET -for all actions except PF_CHANGE_GET_TICKET. -.Va pool_ticket -must be set to the value obtained with the DIOCBEGINADDRS call -for all actions except PF_CHANGE_REMOVE and PF_CHANGE_GET_TICKET. -.Pp -.Va anchor -and -.Va ruleset -indicate which anchor and ruleset the operation applies to. -.Va nr -indicates the rule number against which PF_CHANGE_ADD_BEFORE, -PF_CHANGE_ADD_AFTER or PF_CHANGE_REMOVE actions are applied. -.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr" -Adds or removes a pool address -.Va addr -from a rule specified with -.Va r_action , -.Va r_num , -.Va anchor -and -.Va ruleset . -.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm" -.Bd -literal -struct pfioc_tm { - int timeout; - int seconds; -}; -.Ed -.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm" -.It Dv DIOCCLRRULECTRS -Clear per-rule statistics. -.It Dv DIOCSETLIMIT Fa "struct pfioc_limit" -Sets hard limits on the memory pools used by the packet filter. -.Bd -literal -struct pfioc_limit { - int index; - unsigned limit; -}; -.Ed -.It Dv DIOCGETLIMIT Fa "struct pfioc_limit" -.It Dv DIOCRCLRTABLES Fa "struct pfioc_table" -Clear all tables. -All the IOCTLs that manipulate radix tables -use the same structure described below. -For -.Dv DIOCRCLRTABLES, pfrio_ndel contains on exit the number -of tables deleted. -.Bd -literal -struct pfioc_table { - struct pfr_table pfrio_table; - void *pfrio_buffer; - int pfrio_esize; - int pfrio_size; - int pfrio_size2; - int pfrio_nadd; - int pfrio_ndel; - int pfrio_nchange; - int pfrio_flags; - int pfrio_ticket; -}; -#define pfrio_exists pfrio_nadd -#define pfrio_nzero pfrio_nadd -#define pfrio_nmatch pfrio_nadd -#define pfrio_naddr pfrio_size2 -#define pfrio_setflag pfrio_size2 -#define pfrio_clrflag pfrio_nadd -.Ed -.It Dv DIOCRADDTABLES Fa "struct pfioc_table" -Creates one or more tables. -On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures. -On exit, pfrio_nadd contains the number of tables effectively created. -.Bd -literal -struct pfr_table { - char pfrt_anchor[PF_ANCHOR_NAME_SIZE]; - char pfrt_ruleset[PF_RULESET_NAME_SIZE]; - char pfrt_name[PF_TABLE_NAME_SIZE]; - u_int32_t pfrt_flags; - u_int8_t pfrt_fback; -}; -.Ed -.It Dv DIOCRDELTABLES Fa "struct pfioc_table" -Deletes one or more tables. -On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures. -On exit, pfrio_nadd contains the number of tables effectively deleted. -.It Dv DIOCRGETTABLES Fa "struct pfioc_table" -Get the list of all tables. -On entry, pfrio_buffer[pfrio_size] contains a valid writeable buffer for -pfr_table structures. -On exit, pfrio_size contains the number of tables written into the buffer. -If the buffer is too small, the kernel does not store anything but just -returns the required buffer size, without error. -.It Dv DIOCRGETTSTATS Fa "struct pfioc_table" -Like -.Dv DIOCRGETTABLES , -but returns an array of pfr_tstats structures. -.Bd -literal -struct pfr_tstats { - struct pfr_table pfrts_t; - u_int64_t pfrts_packets - [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; - u_int64_t pfrts_bytes - [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; - u_int64_t pfrts_match; - u_int64_t pfrts_nomatch; - long pfrts_tzero; - int pfrts_cnt; - int pfrts_refcnt[PFR_REFCNT_MAX]; -}; -#define pfrts_name pfrts_t.pfrt_name -#define pfrts_flags pfrts_t.pfrt_flags -.Ed -.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table" -Clears the statistics of one or more tables. -On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures. -On exit, pfrio_nzero contains the number of tables effectively cleared. -.It Dv DIOCRCLRADDRS Fa "struct pfioc_table" -Clear all addresses in a table. -On entry, pfrio_table contains the table to clear. -On exit, pfrio_ndel contains the number of addresses removed. -.It Dv DIOCRADDADDRS Fa "struct pfioc_table" -Add one or more addresses to a table. -On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] -contains the list of pfr_addr structures to add. -On exit, pfrio_nadd contains the number of addresses effectively added. -.Bd -literal -struct pfr_addr { - union { - struct in_addr _pfra_ip4addr; - struct in6_addr _pfra_ip6addr; - } pfra_u; - u_int8_t pfra_af; - u_int8_t pfra_net; - u_int8_t pfra_not; - u_int8_t pfra_fback; -}; -#define pfra_ip4addr pfra_u._pfra_ip4addr -#define pfra_ip6addr pfra_u._pfra_ip6addr -.Ed -.It Dv DIOCRDELADDRS Fa "struct pfioc_table" -Delete one or more addresses from a table. -On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] -contains the list of pfr_addr structures to delete. -On exit, pfrio_ndel contains the number of addresses effectively deleted. -.It Dv DIOCRSETADDRS Fa "struct pfioc_table" -Replace the content of a table by a new address list. -This is the most complicated command, which uses all the structure members. -On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] -contains the new list of pfr_addr structures. -In addition to that, if size2 is nonzero, pfrio_buffer[pfrio_size..pfrio_size2] -must be a writeable buffer, into which the kernel can copy the addresses that -have been deleted during the replace operation. -On exit, pfrio_ndel, pfrio_nadd and pfrio_nchange contain the number of -addresses deleted, added and changed by the kernel. -If pfrio_size2 was set on -entry, pfrio_size2 will point to the size of the buffer used, exactly like -.Dv DIOCRGETADDRS . -.It Dv DIOCRGETADDRS Fa "struct pfioc_table" -Get all the addresses of a table. -On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] -contains a valid writeable buffer for pfr_addr structures. -On exit, pfrio_size contains the number of addresses written into the buffer. -If the buffer was too small, the kernel does not store anything but just -return the required buffer size, without returning an error. -.It Dv DIOCRGETASTATS Fa "struct pfioc_table" -Like -.Dv DIOCRGETADDRS , -but returns an array of pfr_astats structures. -.Bd -literal -struct pfr_astats { - struct pfr_addr pfras_a; - u_int64_t pfras_packets - [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; - u_int64_t pfras_bytes - [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; - long pfras_tzero; -}; -.Ed -.It Dv DIOCRCLRASTATS Fa "struct pfioc_table" -Clears the statistics of one or more addresses. -On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] -contains a table of pfr_addr structures to clear. -On exit, pfrio_nzero contains the number of addresses effectively cleared. -.It Dv DIOCRTSTADDRS Fa "struct pfioc_table" -Test if the given addresses match a table. -On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] -contains a table of pfr_addr structures to test. -On exit, the kernel updates the pfr_addr table by setting the pfra_fback -member appropriately. -.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table" -Change the -.Va const -or -.Va persist -flag of a table. -On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures, -and pfrio_setflag contains the flags to add, while pfrio_clrflag contains the -flags to remove. -On exit, pfrio_nchange and pfrio_ndel contain the number of tables altered -or deleted by the kernel. -Yes, tables can be deleted if one removes the -.Va persist -flag of an unreferenced table. -.It Dv DIOCRINADEFINE Fa "struct pfioc_table" -Defines a table in the inactive set. -On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] -contains the list of pfr_addr structures to put in the table. -A valid ticket must also be supplied to pfrio_ticket. -On exit, pfrio_nadd contains 0 if the table was already defined in the -inactive list, or 1 if a new table has been created. -pfrio_naddr contains the number of addresses effectively put in the table. -.It Dv DIOCXBEGIN Fa "struct pfioc_trans" -.Bd -literal -#define PF_RULESET_ALTQ (PF_RULESET_MAX) -#define PF_RULESET_TABLE (PF_RULESET_MAX+1) -struct pfioc_trans { - int size; /* number of elements */ - int esize; /* size of each element in bytes */ - struct pfioc_trans_e { - int rs_num; - char anchor[PF_ANCHOR_NAME_SIZE]; - char ruleset[PF_RULESET_NAME_SIZE]; - u_int32_t ticket; - } *array; -}; -.Ed -.Pp -Clears all the inactive rulesets specified in the -.Fa "struct pfioc_trans_e" -array. -For each ruleset, a ticket is returned for subsequent "add rule" IOCTLs, -as well as for the -.Dv DIOCXCOMMIT -and -.Dv DIOCXROLLBACK -calls. -.It Dv DIOCXCOMMIT Fa "struct pfioc_trans" -Atomically switch a vector of inactive rulesets to the active rulesets. -Implemented as a standard 2-phase commit, which will either fail for all -rulesets or completely succeed. -All tickets need to be valid. -Returns -.Dv EBUSY -if a concurrent process is trying to update some of the same rulesets -concurrently. -.It Dv DIOCXROLLBACK Fa "struct pfioc_trans" -Clean up the kernel by undoing all changes that have taken place on the -inactive rulesets since the last -.Dv DIOCXBEGIN . -.Dv DIOCXROLLBACK -will silently ignore rulesets for which the ticket is invalid. -.It Dv DIOCFPFLUSH -Flush the passive OS fingerprint table. -.It Dv DIOCFPADD Fa "struct pf_osfp_ioctl" -.Bd -literal -struct pf_osfp_ioctl { - struct pf_osfp_entry { - SLIST_ENTRY(pf_osfp_entry) fp_entry; - pf_osfp_t fp_os; - char fp_class_nm[PF_OSFP_LEN]; - char fp_version_nm[PF_OSFP_LEN]; - char fp_subtype_nm[PF_OSFP_LEN]; - } fp_os; - u_int16_t fp_mss; - u_int16_t fp_wsize; - u_int16_t fp_psize; - u_int8_t fp_ttl; - u_int8_t fp_wscale; - u_int8_t fp_flags; - int fp_getnum; -}; -.Ed -.Pp -Add a passive OS fingerprint to the table. -Set -.Va fp_os.fp_os -to the packed fingerprint, -.Va fp_os.fp_class_nm -to the name of the class (Linux, Windows, etc), -.Va fp_os.fp_version_nm -to the name of the version (NT, 95, 98), and -.Va fp_os.fp_subtype_nm -to the name of the subtype or patchlevel. -The members -.Va fp_mss , -.Va fp_wsize , -.Va fp_psize , -.Va fp_ttl , -and -.Va fp_wscale -are set to the TCP MSS, the TCP window size, the IP length and the IP TTL of -the TCP SYN packet respectively. -The -.Va fp_flags -member is filled according to the net/pfvar.h include file PF_OSFP_* defines. -The -.Va fp_getnum -is not used with this ioctl. -.Pp -The structure's slack space must be zeroed for correct operation; memset -the whole structure to zero before filling and sending to the kernel. -.It Dv DIOCFPGET Fa "struct pf_osfp_ioctl" -.Bd -literal -struct pf_osfp_ioctl { - struct pf_osfp_entry { - SLIST_ENTRY(pf_osfp_entry) fp_entry; - pf_osfp_t fp_os; - char fp_class_nm[PF_OSFP_LEN]; - char fp_version_nm[PF_OSFP_LEN]; - char fp_subtype_nm[PF_OSFP_LEN]; - } fp_os; - u_int16_t fp_mss; - u_int16_t fp_wsize; - u_int16_t fp_psize; - u_int8_t fp_ttl; - u_int8_t fp_wscale; - u_int8_t fp_flags; - int fp_getnum; -}; -.Ed -.Pp -Get the passive OS fingerprint number -.Va fp_getnum -from the kernel's fingerprint list. -The rest of the structure members will come back filled. -Get the whole list by repeatedly incrementing the -.Va fp_getnum -number until the ioctl returns EBUSY. -.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes" -.Bd -literal -struct pfioc_src_nodes { - int psn_len; - union { - caddr_t psu_buf; - struct pf_src_node *psu_src_nodes; - } psn_u; -#define psn_buf psn_u.psu_buf -#define psn_src_nodes psn_u.psu_src_nodes -}; -.Ed -.Pp -Get the list of source nodes kept by the -.Ar sticky-address -and -.Ar source-track -options. -The ioctl must be called once with -.Va psn_len -set to 0. -If the ioctl returns without error, -.Va psn_len -will be set to the size of the buffer required to hold all the -.Va pf_src_node -structures held in the table. -A buffer of this size should then be allocated, and a pointer to this buffer -placed in -.Va psn_buf . -The ioctl must then be called again to fill this buffer with the actual -source node data. -After the ioctl call -.Va psn_len -will be set to the length of the buffer actually used. -.It Dv DIOCCLRSRCNODES Fa "struct pfioc_table" -Clear the tree of source tracking nodes. -.It Dv DIOCIGETIFACES Fa "struct pfioc_iface" -Gets the list of interfaces and interface drivers known to -.Nm . -All the IOCTLs that manipulate interfaces -use the same structure described below: -.Bd -literal -struct pfioc_iface { - char pfiio_name[IFNAMSIZ]; - void *pfiio_buffer; - int pfiio_esize; - int pfiio_size; - int pfiio_nzero; - int pfiio_flags; -}; - -#define PFI_FLAG_GROUP 0x0001 /* gets groups of interfaces */ -#define PFI_FLAG_INSTANCE 0x0002 /* gets single interfaces */ -#define PFI_FLAG_ALLMASK 0x0003 -.Ed -.Pp -If not empty, -.Va pfiio_name -can be used to restrict the search to a specific interface or driver. -.Va pfiio_buffer[pfiio_size] -is the user-supplied buffer for returning the data. -On entry, -.Va pfiio_size -represents the number of -.Va pfi_if -entries that can fit into the buffer. -The kernel will replace this value by the real number of entries it wants -to return. -.Va pfiio_esize -should be set to sizeof(struct pfi_if). -.Va pfiio_flags -should be set to -.Dv PFI_FLAG_GROUP , PFI_FLAG_INSTANCE , -or both to tell the kernel to return a group of interfaces -(drivers, like "fxp"), real interface instances (like "fxp1") or both. -The data is returned in the -.Va pfi_if -structure described below: -.Bd -literal -struct pfi_if { - char pfif_name[IFNAMSIZ]; - u_int64_t pfif_packets[2][2][2]; - u_int64_t pfif_bytes[2][2][2]; - u_int64_t pfif_addcnt; - u_int64_t pfif_delcnt; - long pfif_tzero; - int pfif_states; - int pfif_rules; - int pfif_flags; -}; - -#define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */ -#define PFI_IFLAG_INSTANCE 0x0002 /* single instance */ -#define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */ -#define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */ -#define PFI_IFLAG_ATTACHED 0x0040 /* interface attached */ -#define PFI_IFLAG_REFERENCED 0x0080 /* referenced by rules */ -.Ed -.It Dv DIOCICLRISTATS Fa "struct pfioc_iface" -Clear the statistics counters of one or more interfaces. -.Va pfiio_name -and -.Va pfrio_flags -can be used to select which interfaces need to be cleared. -The filtering process is the same as for -.Dv DIOCIGETIFACES . -.Va pfiio_nzero -will be set by the kernel to the number of interfaces and drivers -that have been cleared. -.El -.Sh EXAMPLES -The following example demonstrates how to use the DIOCNATLOOK command -to find the internal host/port of a NATed connection. -.Bd -literal -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/ioctl.h> -#include <sys/fcntl.h> -#include <net/if.h> -#include <netinet/in.h> -#include <net/pfvar.h> -#include <err.h> -#include <stdio.h> -#include <stdlib.h> - -u_int32_t -read_address(const char *s) -{ - int a, b, c, d; - - sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d); - return htonl(a << 24 | b << 16 | c << 8 | d); -} - -void -print_address(u_int32_t a) -{ - a = ntohl(a); - printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255, - a >> 8 & 255, a & 255); -} - -int -main(int argc, char *argv[]) -{ - struct pfioc_natlook nl; - int dev; - - if (argc != 5) { - printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n", - argv[0]); - return 1; - } - - dev = open("/dev/pf", O_RDWR); - if (dev == -1) - err(1, "open(\\"/dev/pf\\") failed"); - - memset(&nl, 0, sizeof(struct pfioc_natlook)); - nl.saddr.v4.s_addr = read_address(argv[1]); - nl.sport = htons(atoi(argv[2])); - nl.daddr.v4.s_addr = read_address(argv[3]); - nl.dport = htons(atoi(argv[4])); - nl.af = AF_INET; - nl.proto = IPPROTO_TCP; - nl.direction = PF_IN; - - if (ioctl(dev, DIOCNATLOOK, &nl)) - err(1, "DIOCNATLOOK"); - - printf("internal host "); - print_address(nl.rsaddr.v4.s_addr); - printf(":%u\\n", ntohs(nl.rsport)); - return 0; -} -.Ed -.Sh SEE ALSO -.Xr ioctl 2 , -.Xr bridge 4 , -.Xr pflog 4 , -.Xr pfsync 4 , -.Xr pfctl 8 -.Sh HISTORY -The -.Nm -packet filtering mechanism first appeared in -.Ox 3.0 . |