
PF(4)                     OpenBSD Programmer's Manual                    PF(4)

NAME
     pf - packet filter

SYNOPSIS
     pseudo-device pf 1

DESCRIPTION
     The pf interface is a packet filter pseudo-device for IPv4 and IPv6.

     pf is administered using the pfctl(8) utility, or through an ioctl
     interface.

FILES
     /dev/pf  packet filtering device.

IOCTL INTERFACE
     pf supports the following ioctl(2) commands:

     DIOCSTART
             Starts the packet filter.

     DIOCSTOP
             Stops the packet filter.

     DIOCBEGINRULES u_int32_t
             Clears the inactive filter rule set and returns a ticket for
             subsequent DIOCADDRULE and DIOCCOMMITRULES calls.

     DIOCADDRULE struct pfioc_rule

             /* Argument of DIOCADDRULE, DIOCGETRULES and DIOCGETRULE. */
             struct pfioc_rule {
                     /* ticket from DIOCBEGINRULES (add) or DIOCGETRULES (get) */
                     u_int32_t        ticket;
                     /* rule number for DIOCGETRULE; ignored by DIOCADDRULE */
                     u_int32_t        nr;
                     /* the filter rule itself */
                     struct pf_rule   rule;
             };

             Adds the filter rule at the end of the inactive filter rule set.
             Requires the ticket obtained through a preceding DIOCBEGINRULES
             call.  nr is ignored.

     DIOCCOMMITRULES u_int32_t
             Switches the inactive filter rule set to active.  Requires the
             ticket obtained through the preceding DIOCBEGINRULES call.

     DIOCGETRULES struct pfioc_rule
             Returns a ticket for subsequent DIOCGETRULE calls and, in nr,
             the number of rules in the active filter rule set.

     DIOCGETRULE struct pfioc_rule
             Returns the filter rule numbered nr, using the ticket obtained
             through a preceding DIOCGETRULES call.

     DIOCBEGINNATS u_int32_t

     DIOCADDNAT struct pfioc_nat

             /* Argument of DIOCADDNAT, DIOCGETNATS and DIOCGETNAT. */
             struct pfioc_nat {
                     /* presumably the ticket from DIOCBEGINNATS (add) or
                        DIOCGETNATS (get), mirroring pfioc_rule -- confirm */
                     u_int32_t        ticket;
                     /* presumably the nat rule number, as in pfioc_rule -- confirm */
                     u_int32_t        nr;
                     /* the nat rule itself */
                     struct pf_nat    nat;
             };

     DIOCCOMMITNATS u_int32_t


     DIOCGETNATS struct pfioc_nat

     DIOCGETNAT struct pfioc_nat

     DIOCBEGINRDRS u_int32_t

     DIOCADDRDR struct pfioc_rdr

             /* Argument of DIOCADDRDR, DIOCGETRDRS and DIOCGETRDR. */
             struct pfioc_rdr {
                     /* presumably the ticket from DIOCBEGINRDRS (add) or
                        DIOCGETRDRS (get), mirroring pfioc_rule -- confirm */
                     u_int32_t        ticket;
                     /* presumably the rdr rule number, as in pfioc_rule -- confirm */
                     u_int32_t        nr;
                     /* the rdr rule itself */
                     struct pf_rdr    rdr;
             };

     DIOCCOMMITRDRS u_int32_t

     DIOCGETRDRS struct pfioc_rdr

     DIOCGETRDR struct pfioc_rdr

     DIOCCLRSTATES
             Clears the state table.

     DIOCGETSTATE struct pfioc_state

             /* Argument of DIOCGETSTATE. */
             struct pfioc_state {
                     /* number of the state table entry to extract */
                     u_int32_t        nr;
                     /* the extracted entry */
                     struct pf_state  state;
             };

             Extracts the entry with the specified number (nr) from the state
             table.

     DIOCSETSTATUSIF struct pfioc_if

             /* Argument of DIOCSETSTATUSIF. */
             struct pfioc_if {
                     /* name of the interface for which statistics are
                        accumulated */
                     char             ifname[IFNAMSIZ];
             };

             Specifies the interface for which statistics are accumulated.

     DIOCGETSTATUS struct pf_status

             /* Argument of DIOCGETSTATUS: the internal packet filter
                statistics.  The meaning of the individual counter indices
                is not specified on this page. */
             struct pf_status {
                     /* counter arrays; presumably reset by DIOCCLRSTATUS
                        -- confirm */
                     u_int64_t        counters[PFRES_MAX];
                     u_int64_t        fcounters[FCNT_MAX];
                     u_int64_t        pcounters[2][3];
                     u_int64_t        bcounters[2];
                     /* presumably nonzero between DIOCSTART and DIOCSTOP
                        -- confirm */
                     u_int32_t        running;
                     /* presumably the current number of state table entries
                        -- confirm */
                     u_int32_t        states;
                     /* meaning not specified on this page */
                     u_int32_t        since;
                     /* presumably the level set via DIOCSETDEBUG -- confirm */
                     u_int32_t        debug;
             };

             Gets the internal packet filter statistics.

     DIOCCLRSTATUS

     DIOCNATLOOK struct pfioc_natlook
             Looks up a state table entry by source and destination addresses
             and ports.

             /* Argument of DIOCNATLOOK: a state table lookup keyed by
                source and destination addresses and ports. */
             struct pfioc_natlook {
                     /* lookup key: source and destination address */
                     struct pf_addr   saddr;
                     struct pf_addr   daddr;
                     /* presumably the translated addresses returned by the
                        lookup -- confirm */
                     struct pf_addr   rsaddr;
                     struct pf_addr   rdaddr;
                     /* lookup key: source and destination port */
                     u_int16_t        sport;
                     u_int16_t        dport;
                     /* presumably the translated ports returned by the
                        lookup -- confirm */
                     u_int16_t        rsport;
                     u_int16_t        rdport;
                     /* presumably further lookup key fields; valid values
                        are not listed on this page -- confirm */
                     u_int8_t         proto;
                     u_int8_t         direction;
             };

     DIOCSETDEBUG u_int32_t

             /* Debug levels accepted by DIOCSETDEBUG; presumably also the
                values reported in pf_status.debug -- confirm. */
             enum    { PF_DEBUG_NONE=0, PF_DEBUG_URGENT=1, PF_DEBUG_MISC=2 };
             Sets the debug level.

     DIOCGETSTATES struct pfioc_states

             /* Argument of DIOCGETSTATES.  NOTE(review): the kernel fills a
                caller-supplied buffer; ps_len presumably bounds that copy
                and is updated with the size actually used -- confirm
                against pfctl(8) before relying on it. */
             struct pfioc_states {
                     /* presumably the buffer length in bytes -- confirm */
                     int     ps_len;
                     /* caller-supplied buffer, viewed as raw bytes or as an
                        array of pf_state */
                     union {
                             caddr_t psu_buf;
                             struct pf_state *psu_states;
                     } ps_u;
             #define ps_buf          ps_u.psu_buf
             #define ps_states       ps_u.psu_states
             };

     DIOCCHANGERULE struct pfioc_changerule
             Adds or removes a filter rule in the active filter rule set.

             /* Argument of DIOCCHANGERULE: add or remove a filter rule in the
                active filter rule set. */
             struct pfioc_changerule {
                     /* one of the PF_CHANGE_* values */
                     u_int32_t        action;
                     /* presumably the existing rule to remove, or the
                        reference point for ADD_BEFORE/ADD_AFTER -- confirm */
                     struct pf_rule   oldrule;
                     /* presumably the rule to add -- confirm */
                     struct pf_rule   newrule;
             };
             /* Values for the action field of pfioc_changerule; presumably
                also used by pfioc_changenat and pfioc_changerdr -- confirm. */
             enum    { PF_CHANGE_ADD_HEAD=1, PF_CHANGE_ADD_TAIL=2,
                       PF_CHANGE_ADD_BEFORE=3, PF_CHANGE_ADD_AFTER=4,
                       PF_CHANGE_REMOVE=5 };

     DIOCCHANGENAT struct pfioc_changenat
             Adds or removes a nat rule in the active nat rule set.

             /* Argument of DIOCCHANGENAT: add or remove a nat rule in the
                active nat rule set. */
             struct pfioc_changenat {
                     /* presumably one of the PF_CHANGE_* values, as for
                        pfioc_changerule -- confirm */
                     u_int32_t        action;
                     /* presumably the existing rule to remove or the
                        reference point, and the rule to add -- confirm */
                     struct pf_nat    oldnat;
                     struct pf_nat    newnat;
             };

     DIOCCHANGERDR struct pfioc_changerdr
             Adds or removes a rdr rule in the active rdr rule set.

             /* Argument of DIOCCHANGERDR: add or remove a rdr rule in the
                active rdr rule set. */
             struct pfioc_changerdr {
                     /* presumably one of the PF_CHANGE_* values, as for
                        pfioc_changerule -- confirm */
                     u_int32_t        action;
                     /* presumably the existing rule to remove or the
                        reference point, and the rule to add -- confirm */
                     struct pf_rdr    oldrdr;
                     struct pf_rdr    newrdr;
             };

     DIOCSETTIMEOUT struct pfioc_tm

             /* Argument of DIOCSETTIMEOUT and DIOCGETTIMEOUT. */
             struct pfioc_tm {
                     /* selects which timeout; the selector values are not
                        listed on this page */
                     int              timeout;
                     /* presumably the timeout value in seconds -- confirm */
                     int              seconds;
             };

     DIOCGETTIMEOUT struct pfioc_tm

SEE ALSO
     bridge(4), pfctl(8)

HISTORY
     The pf packet filtering mechanism first appeared in OpenBSD 3.0.

BUGS
     Probably several.

OpenBSD 3.0                      June 24, 2001                               4