PF(4)                    OpenBSD Programmer's Manual                    PF(4)

NAME
     pf - packet filter

SYNOPSIS
     pseudo-device pf 1

DESCRIPTION
     The pf interface is a packet filter pseudo-device for IPv4 and IPv6.
     pf is administered using the pfctl(8) utility, or through an ioctl
     interface.

FILES
     /dev/pf   packet filtering device.

IOCTL INTERFACE
     pf supports the following ioctl(2) commands:

     DIOCSTART
             Starts the packet filter.

     DIOCSTOP
             Stops the packet filter.

     DIOCBEGINRULES u_int32_t
             Clears the inactive filter rule set, returns ticket for
             subsequent DIOCADDRULE and DIOCCOMMITRULES calls.

     DIOCADDRULE struct pfioc_rule
             struct pfioc_rule {
                     u_int32_t       ticket;
                     u_int32_t       nr;
                     struct pf_rule  rule;
             };
             Adds filter rule at the end of the inactive filter rule set.
             Requires ticket obtained through preceding DIOCBEGINRULES call.
             nr is ignored.

     DIOCCOMMITRULES u_int32_t
             Switch inactive to active filter rule set. Requires ticket
             obtained through a preceding DIOCBEGINRULES call.

     DIOCGETRULES struct pfioc_rule
             Returns ticket for subsequent DIOCGETRULE calls and nr of rules
             in the active filter rule set.

     DIOCGETRULE struct pfioc_rule
             Returns filter rule number nr using ticket obtained through a
             preceding DIOCGETRULES call.

     DIOCBEGINNATS u_int32_t

     DIOCADDNAT struct pfioc_nat
             struct pfioc_nat {
                     u_int32_t       ticket;
                     u_int32_t       nr;
                     struct pf_nat   nat;
             };

     DIOCCOMMITNATS u_int32_t

     DIOCGETNATS struct pfioc_nat

     DIOCGETNAT struct pfioc_nat

     DIOCBEGINRDRS u_int32_t

     DIOCADDRDR struct pfioc_rdr
             struct pfioc_rdr {
                     u_int32_t       ticket;
                     u_int32_t       nr;
                     struct pf_rdr   rdr;
             };

     DIOCCOMMITRDRS u_int32_t

     DIOCGETRDRS struct pfioc_rdr

     DIOCGETRDR struct pfioc_rdr

     DIOCCLRSTATES
             Clears the state table.

     DIOCGETSTATE struct pfioc_state
             struct pfioc_state {
                     u_int32_t       nr;
                     struct pf_state state;
             };
             Extracts the entry with the specified number from the state
             table.

     DIOCSETSTATUSIF struct pfioc_if
             struct pfioc_if {
                     char    ifname[IFNAMSIZ];
             };
             Specifies the interface for which statistics are accumulated.
     DIOCGETSTATUS struct pf_status
             struct pf_status {
                     u_int64_t       counters[PFRES_MAX];
                     u_int64_t       fcounters[FCNT_MAX];
                     u_int64_t       pcounters[2][3];
                     u_int64_t       bcounters[2];
                     u_int32_t       running;
                     u_int32_t       states;
                     u_int32_t       since;
                     u_int32_t       debug;
             };
             Gets the internal packet filter statistics.

     DIOCCLRSTATUS

     DIOCNATLOOK struct pfioc_natlook
             Looks up a state table entry by source and destination
             addresses and ports.
             struct pfioc_natlook {
                     struct pf_addr  saddr;
                     struct pf_addr  daddr;
                     struct pf_addr  rsaddr;
                     struct pf_addr  rdaddr;
                     u_int16_t       sport;
                     u_int16_t       dport;
                     u_int16_t       rsport;
                     u_int16_t       rdport;
                     u_int8_t        proto;
                     u_int8_t        direction;
             };

     DIOCSETDEBUG u_int32_t
             enum { PF_DEBUG_NONE=0, PF_DEBUG_URGENT=1, PF_DEBUG_MISC=2 };
             Sets the debug level.

     DIOCGETSTATES struct pfioc_states
             struct pfioc_states {
                     int     ps_len;
                     union {
                             caddr_t         psu_buf;
                             struct pf_state *psu_states;
                     } ps_u;
             #define ps_buf          ps_u.psu_buf
             #define ps_states       ps_u.psu_states
             };

     DIOCCHANGERULE struct pfioc_changerule
             Adds or removes a filter rule in the active filter rule set.
             struct pfioc_changerule {
                     u_int32_t       action;
                     struct pf_rule  oldrule;
                     struct pf_rule  newrule;
             };
             enum { PF_CHANGE_ADD_HEAD=1, PF_CHANGE_ADD_TAIL=2,
                    PF_CHANGE_ADD_BEFORE=3, PF_CHANGE_ADD_AFTER=4,
                    PF_CHANGE_REMOVE=5 };

     DIOCCHANGENAT struct pfioc_changenat
             Adds or removes a nat rule in the active nat rule set.
             struct pfioc_changenat {
                     u_int32_t       action;
                     struct pf_nat   oldnat;
                     struct pf_nat   newnat;
             };

     DIOCCHANGERDR struct pfioc_changerdr
             Adds or removes an rdr rule in the active rdr rule set.
             struct pfioc_changerdr {
                     u_int32_t       action;
                     struct pf_rdr   oldrdr;
                     struct pf_rdr   newrdr;
             };

     DIOCSETTIMEOUT struct pfioc_tm
             struct pfioc_tm {
                     int     timeout;
                     int     seconds;
             };

     DIOCGETTIMEOUT struct pfioc_tm

SEE ALSO
     bridge(4), pfctl(8)

HISTORY
     The pf packet filtering mechanism first appeared in OpenBSD 3.0.

BUGS
     Probably several.

OpenBSD 3.0                      June 24, 2001                               4