6 files changed, 177 insertions, 62 deletions

diff --git a/man/pf.4 b/man/pf.4
index ab9ad88f82cc..8acf5e0610b8 100644
--- a/man/pf.4
+++ b/man/pf.4
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.4,v 1.60 2007/12/02 12:08:04 pascoe Exp $
+.\"	$OpenBSD: pf.4,v 1.61 2008/09/04 13:50:37 jmc Exp $
 .\"
 .\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
 .\"
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 31 2007 $
+.Dd $Mdocdate: September 4 2008 $
 .Dt PF 4
 .Os
 .Sh NAME
@@ -1050,12 +1050,14 @@ internal interface description.
 The filtering process is the same as for
 .Dv DIOCIGETIFACES .
 .Bd -literal
-#define PFI_IFLAG_SKIP		0x0100	/* skip filtering on interface */
+#define PFI_IFLAG_SKIP	0x0100	/* skip filtering on interface */
 .Ed
 .It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
 Works as
 .Dv DIOCSETIFFLAG
 above but clears the flags.
+.It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
+Explicitly remove source tracking nodes.
 .El
 .Sh FILES
 .Bl -tag -width /dev/pf -compact
@@ -1133,6 +1135,7 @@ main(int argc, char *argv[])
 .Xr ioctl 2 ,
 .Xr bridge 4 ,
 .Xr pflog 4 ,
+.Xr pflow 4 ,
 .Xr pfsync 4 ,
 .Xr pfctl 8 ,
 .Xr altq 9
diff --git a/man/pf.conf.5 b/man/pf.conf.5
index 5e49a3c24930..3adc6395f846 100644
--- a/man/pf.conf.5
+++ b/man/pf.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.conf.5,v 1.402 2008/06/11 07:21:00 jmc Exp $
+.\"	$OpenBSD: pf.conf.5,v 1.405 2008/10/02 12:36:32 henning Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -27,7 +27,7 @@
 .\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2008 $
+.Dd $Mdocdate: October 2 2008 $
 .Dt PF.CONF 5
 .Os
 .Sh NAME
@@ -517,6 +517,16 @@ For example:
 .Bd -literal -offset indent
 set state-policy if-bound
 .Ed
+.It Ar set state-defaults
+The
+.Ar state-defaults
+option sets the state options for states created from rules
+without an explicit
+.Ar keep state .
+For example:
+.Bd -literal -offset indent
+set state-defaults pflow, no-sync
+.Ed
 .It Ar set hostid
 The 32-bit
 .Ar hostid
@@ -901,7 +911,7 @@ Defines a list of subqueues to create on an interface.
 .El
 .Pp
 In the following example, the interface dc0
-should queue up to 5 Mbit/s in four second-level queues using
+should queue up to 5Mbps in four second-level queues using
 Class Based Queueing.
 Those four queues will be shown in a later example.
 .Bd -literal -offset indent
@@ -1488,7 +1498,7 @@ Translates to the network(s) attached to the interface.
 .It Ar :broadcast
 Translates to the interface's broadcast address(es).
 .It Ar :peer
-Translates to the point to point interface's peer address(es).
+Translates to the point-to-point interface's peer address(es).
 .It Ar :0
 Do not include interface aliases.
 .El
@@ -2098,6 +2108,10 @@ easier.
 This is intended to be used in situations where one does not see all
 packets of a connection, e.g. in asymmetric routing situations.
 Cannot be used with modulate or synproxy state.
+.It Ar pflow
+States created by this rule are exported on the
+.Xr pflow 4
+interface.
 .El
 .Pp
 Multiple options can be specified, separated by commas:
@@ -2821,6 +2835,7 @@ option         = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
                  [ "loginterface" ( interface-name | "none" ) ] |
                  [ "block-policy" ( "drop" | "return" ) ] |
                  [ "state-policy" ( "if-bound" | "floating" ) ]
+                 [ "state-defaults" state-opts ]
                  [ "require-order" ( "yes" | "no" ) ]
                  [ "fingerprints" filename ] |
                  [ "skip on" ifspec ] |
@@ -2963,7 +2978,7 @@ tos            = ( "lowdelay" | "throughput" | "reliability" |
                  [ "0x" ] number )
 
 state-opts     = state-opt [ [ "," ] state-opts ]
-state-opt      = ( "max" number | "no-sync" | timeout | sloppy |
+state-opt      = ( "max" number | "no-sync" | timeout | "sloppy" | "pflow" |
                  "source-track" [ ( "rule" | "global" ) ] |
                  "max-src-nodes" number | "max-src-states" number |
                  "max-src-conn" number |
@@ -3026,6 +3041,7 @@ Service name database.
 .Xr ip 4 ,
 .Xr ip6 4 ,
 .Xr pf 4 ,
+.Xr pflow 4 ,
 .Xr pfsync 4 ,
 .Xr route 4 ,
 .Xr tcp 4 ,
diff --git a/man/pf.os.5 b/man/pf.os.5
index 7ee63ce52f48..0920f91acfce 100644
--- a/man/pf.os.5
+++ b/man/pf.os.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.os.5,v 1.8 2007/05/31 19:19:58 jmc Exp $
+.\"	$OpenBSD: pf.os.5,v 1.7 2005/11/16 20:07:18 stevesk Exp $
 .\"
 .\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
 .\"
diff --git a/man/pflog.4 b/man/pflog.4
index 1b42a83f437f..cd5145e978c4 100644
--- a/man/pflog.4
+++ b/man/pflog.4
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pflog.4,v 1.10 2007/05/31 19:19:51 jmc Exp $
+.\"	$OpenBSD: pflog.4,v 1.9 2006/10/25 12:51:31 jmc Exp $
 .\"
 .\" Copyright (c) 2001 Tobias Weingartner
 .\" All rights reserved.
diff --git a/man/pflow.4 b/man/pflow.4
new file mode 100644
index 000000000000..9f6dbe331293
--- /dev/null
+++ b/man/pflow.4
@@ -0,0 +1,113 @@
+.\" $OpenBSD: pflow.4,v 1.8 2008/10/28 16:55:37 gollo Exp $
+.\"
+.\" Copyright (c) 2008 Henning Brauer <henning@openbsd.org>
+.\" Copyright (c) 2008 Joerg Goltermann <jg@osn.de>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALLWARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BELIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISINGOUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: October 28 2008 $
+.Dt PFLOW 4
+.Os
+.Sh NAME
+.Nm pflow
+.Nd kernel interface for pflow data export
+.Sh SYNOPSIS
+.Cd "pseudo-device pflow"
+.Sh DESCRIPTION
+The
+.Nm
+interface is a pseudo-device which exports
+.Nm
+accounting data from the kernel using
+.Xr udp 4
+packets.
+.Nm
+is compatible with netflow v5.
+The data is extracted from the
+.Xr pf 4
+state table.
+.Pp
+Multiple
+.Nm
+interfaces can be created at runtime using the
+.Ic ifconfig pflow Ns Ar N Ic create
+command.
+Each interface must be configured with a flow receiver IP address and
+port number.
+.Pp
+Only states created by a rule marked with the
+.Ar pflow
+keyword are exported by the
+.Nm
+interface.
+.Pp
+The
+.Nm
+interface will attempt to export multiple
+.Nm
+records in one
+UDP packet, but will not hold a record for longer than 30 seconds.
+The packet size and thus the maximum number of flows is controlled by the
+.Cm mtu
+parameter of
+.Xr ifconfig 8 .
+.Pp
+Each packet seen on this interface has one header and a variable number of
+flows.
+The header indicates the version of the protocol, number of
+flows in the packet, a unique sequence number, system time, and an engine
+ID and type.
+Header and flow structs are defined in
+.Aq Pa net/if_pflow.h .
+.Pp
+There is a one-to-one correspondence between packets seen by
+.Xr bpf 4
+on the
+.Nm
+interface and packets sent out to the flow receiver.
+That is, a packet with 30 flows on
+.Nm
+means that the same 30 flows were sent out to the receiver.
+.Pp
+The
+.Nm
+source and destination addresses are controlled by
+.Xr ifconfig 8 .
+.Cm flowsrc
+is the sender IP address of the UDP packet which can be used
+to identify the source of the data on the
+.Nm
+collector.
+.Cm flowdst
+defines the collector IP address and the port.
+The
+.Cm flowdst
+IP address and port must be defined to enable the export of flows.
+.Pp
+For example, the following command sets 10.0.0.1 as the source
+and 10.0.0.2:1234 as destination:
+.Bd -literal -offset indent
+# ifconfig pflow0 flowsrc 10.0.0.1 flowdst 10.0.0.2:1234
+.Ed
+.Sh SEE ALSO
+.Xr netintro 4 ,
+.Xr pf 4 ,
+.Xr udp 4 ,
+.Xr pf.conf 5 ,
+.Xr ifconfig 8 ,
+.Xr tcpdump 8
+.Sh HISTORY
+The
+.Nm
+device first appeared in
+.Ox 4.5 .
diff --git a/man/pfsync.4 b/man/pfsync.4
index d10131457ad8..da64eaa94303 100644
--- a/man/pfsync.4
+++ b/man/pfsync.4
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pfsync.4,v 1.27 2008/06/03 19:51:02 jmc Exp $
+.\"	$OpenBSD: pfsync.4,v 1.26 2007/09/20 20:50:07 mpf Exp $
 .\"
 .\" Copyright (c) 2002 Michael Shalayeff
 .\" Copyright (c) 2003-2004 Ryan McBride
@@ -29,7 +29,7 @@
 .Os
 .Sh NAME
 .Nm pfsync
-.Nd packet filter state table logging interface
+.Nd packet filter state table sychronisation interface
 .Sh SYNOPSIS
 .Cd "pseudo-device pfsync"
 .Sh DESCRIPTION
@@ -45,18 +45,18 @@ on the
 interface.
 If configured with a physical synchronisation interface,
 .Nm
-will also send state changes out on that interface using IP multicast,
+will also send state changes out on that interface,
 and insert state changes received on that interface from other systems
 into the state table.
 .Pp
 By default, all local changes to the state table are exposed via
 .Nm .
-However, state changes from packets received by
+State changes from packets received by
 .Nm
 over the network are not rebroadcast.
-States created by a rule marked with the
+Updates to states created by a rule marked with the
 .Ar no-sync
-keyword are omitted from the
+keyword are ignored by the
 .Nm
 interface (see
 .Xr pf.conf 5
@@ -64,33 +64,19 @@ for details).
 .Pp
 The
 .Nm
-interface will attempt to collapse multiple updates of the same
-state into one message where possible.
-The maximum number of times this can be done before the update is sent out
-is controlled by the
+interface will attempt to collapse multiple state updates into a single
+packet where possible.
+The maximum number of times a single state can be updated before a
+.Nm
+packet will be sent out is controlled by the
 .Ar maxupd
 parameter to ifconfig
 (see
 .Xr ifconfig 8
 and the example below for more details).
-.Pp
-Each packet retrieved on this interface has a header associated
-with it of length
-.Dv PFSYNC_HDRLEN .
-The header indicates the version of the protocol, address family,
-action taken on the following states, and the number of state
-table entries attached in this packet.
-This structure is defined in
-.Aq Pa net/if_pfsync.h
-as:
-.Bd -literal -offset indent
-struct pfsync_header {
-	u_int8_t version;
-	u_int8_t af;
-	u_int8_t action;
-	u_int8_t count;
-};
-.Ed
+The sending out of a
+.Nm
+packet will be delayed by a maximum of one second.
 .Sh NETWORK SYNCHRONISATION
 States can be synchronised between two or more firewalls using this
 interface, by specifying a synchronisation interface using
@@ -102,14 +88,15 @@ interface:
 .Ed
 .Pp
 By default, state change messages are sent out on the synchronisation
-interface using IP multicast packets.
-The protocol is IP protocol 240, PFSYNC, and the multicast group
-used is 224.0.0.240.
-When a peer address is specified using the
+interface using IP multicast packets to the 244.0.0.240 group address.
+An alternative destination address for
+.Nm
+packets can be specified using the
 .Ic syncpeer
-keyword, the peer address is used as a destination for the pfsync traffic,
-and the traffic can then be protected using
-.Xr ipsec 4 .
+keyword.
+This can be used in combination with
+.Xr ipsec 4
+to protect the synchronisation traffic.
 In such a configuration, the syncdev should be set to the
 .Xr enc 4
 interface, as this is where the traffic arrives when it is decapsulated,
@@ -125,27 +112,15 @@ Either run the pfsync protocol on a trusted network \- ideally a network
 dedicated to pfsync messages such as a crossover cable between two firewalls,
 or specify a peer address and protect the traffic with
 .Xr ipsec 4 .
-.Pp
-There is a one-to-one correspondence between packets seen by
-.Xr bpf 4
-on the
-.Nm
-interface, and packets sent out on the synchronisation interface, i.e.\&
-a packet with 4 state deletion messages on
-.Nm
-means that the same 4 deletions were sent out on the synchronisation
-interface.
-However, the actual packet contents may differ as the messages
-sent over the network are "compressed" where possible, containing
-only the necessary information.
 .Sh EXAMPLES
 .Nm
 and
 .Xr carp 4
 can be used together to provide automatic failover of a pair of firewalls
 configured in parallel.
-One firewall handles all traffic \- if it dies or
-is shut down, the second firewall takes over automatically.
+One firewall will handle all traffic until it dies, is shut down, or is
+manually demoted, at which point the second firewall will take over
+automatically.
 .Pp
 Both firewalls in this example have three
 .Xr sis 4
@@ -203,8 +178,8 @@ pass quick on { sis2 } proto pfsync keep state (no-sync)
 pass on { sis0 sis1 } proto carp keep state (no-sync)
 .Ed
 .Pp
-If it is preferable that one firewall handle the traffic,
-the
+It is preferable that one firewall handle the forwarding of all the traffic,
+therefore the
 .Ar advskew
 on the backup firewall's
 .Xr carp 4
@@ -243,3 +218,11 @@ The
 .Nm
 device first appeared in
 .Ox 3.3 .
+.Pp
+The
+.Nm
+protocol and kernel implementation were significantly modified between
+.Ox 4.4
+and
+.Ox 4.5 .
+The two protocols are incompatible and will not interoperate.