PF(4) OpenBSD Programmer's Manual PF(4)
NAME
pf - packet filter
SYNOPSIS
pseudo-device pf 1
DESCRIPTION
Packet filtering takes place in the kernel. A pseudo-device, /dev/pf,
allows userland processes to control the behavior of the packet filter
through an ioctl(2) interface. There are commands to enable and disable
the filter, load rule sets, add and remove individual rules or retrieve
state table entries and statistics. The most commonly used functions are
covered by pfctl(8).
Manipulations like loading a rule set that involve more than a single
ioctl call require a so-called ticket, which prevents the occurance of
multiple concurrent manipulations.
Fields of ioctl parameter structures that refer to packet data (like ad-
dresses and ports) are generally expected in network byte-order.
FILES
/dev/pf packet filtering device.
IOCTL INTERFACE
pf supports the following ioctl(2) commands:
DIOCSTART
Starts the packet filter.
DIOCSTOP
Stops the packet filter.
DIOCBEGINRULES u_int32_t
Clears the inactive filter rule set, returns ticket for subse-
quent DIOCADDRULE and DIOCCOMMITRULES calls.
DIOCADDRULE struct pfioc_rule
struct pfioc_rule {
u_int32_t ticket;
u_int32_t nr;
struct pf_rule rule;
};
Adds filter rule at the end of the inactive filter rule set. Re-
quires ticket obtained through preceding DIOCBEGINRULES call. nr
is ignored.
DIOCCOMMITRULES u_int32_t
Switch inactive to active filter rule set. Requires ticket.
DIOCGETRULES struct pfioc_rule
Returns ticket for subsequent DIOCGETRULE calls and nr of rules
in the active filter rule set.
DIOCGETRULE struct pfioc_rule
Returns filter rule number nr using ticket obtained through a
preceding DIOCGETRULES call.
DIOCBEGINNATS u_int32_t
DIOCADDNAT struct pfioc_nat
struct pfioc_nat {
u_int32_t ticket;
u_int32_t nr;
struct pf_nat nat;
};
DIOCCOMMITNATS u_int32_t
DIOCGETNATS struct pfioc_nat
DIOCGETNAT struct pfioc_nat
DIOCBEGINBINATS u_int32_t
DIOCADDBINAT struct pfioc_binat
struct pfioc_binat {
u_int32_t ticket;
u_int32_t nr;
struct pf_binat binat;
};
DIOCCOMMITBINATS u_int32_t
DIOCGETBINATS struct pfioc_binat
DIOCGETBINAT struct pfioc_binat
DIOCBEGINRDRS u_int32_t
DIOCADDRDR struct pfioc_rdr
struct pfioc_rdr {
u_int32_t ticket;
u_int32_t nr;
struct pf_rdr rdr;
};
DIOCCOMMITRDRS u_int32_t
DIOCGETRDRS struct pfioc_rdr
DIOCGETRDR struct pfioc_rdr
DIOCCLRSTATES
Clears the state table.
DIOCADDSTATE struct pfioc_state
Adds a state entry.
DIOCGETSTATE struct pfioc_state
struct pfioc_state {
u_int32_t nr;
struct pf_state state;
};
Extracts the entry with the specified number from the state
table.
DIOCKILLSTATES struct pfioc_state_kill
Removes matching entries from the state table. Returns the num-
ber of killed states in psk_af.
struct pfioc_state_kill {
int psk_af;
int psk_proto;
struct pf_rule_addr psk_src;
struct pf_rule_addr psk_dst;
};
DIOCSETSTATUSIF struct pfioc_if
struct pfioc_if {
char ifname[IFNAMSIZ];
};
Specifies the interface for which statistics are accumulated.
DIOCGETSTATUS struct pf_status
struct pf_status {
u_int64_t counters[PFRES_MAX];
u_int64_t fcounters[FCNT_MAX];
u_int64_t pcounters[2][2][3];
u_int64_t bcounters[2][2];
u_int32_t running;
u_int32_t states;
u_int32_t since;
u_int32_t debug;
};
Gets the internal packet filter statistics.
DIOCCLRSTATUS
Clears the internal packet filter statistics.
DIOCNATLOOK struct pfioc_natlook
Looks up a state table entry by source and destination addresses
and ports.
struct pfioc_natlook {
struct pf_addr saddr;
struct pf_addr daddr;
struct pf_addr rsaddr;
struct pf_addr rdaddr;
u_int16_t sport;
u_int16_t dport;
u_int16_t rsport;
u_int16_t rdport;
u_int8_t af;
u_int8_t proto;
u_int8_t direction;
};
DIOCSETDEBUG u_int32_t
Sets the debug level.
enum { PF_DEBUG_NONE=0, PF_DEBUG_URGENT=1, PF_DEBUG_MISC=2 };
DIOCGETSTATES struct pfioc_states
struct pfioc_states {
int ps_len;
union {
caddr_t psu_buf;
struct pf_state *psu_states;
} ps_u;
#define ps_buf ps_u.psu_buf
#define ps_states ps_u.psu_states
};
DIOCCHANGERULE struct pfioc_changerule
Adds or removes a filter rule in the active filter rule set.
struct pfioc_changerule {
u_int32_t action;
struct pf_rule oldrule;
struct pf_rule newrule;
};
enum { PF_CHANGE_ADD_HEAD=1, PF_CHANGE_ADD_TAIL=2,
PF_CHANGE_ADD_BEFORE=3, PF_CHANGE_ADD_AFTER=4,
PF_CHANGE_REMOVE=5 };
DIOCCHANGENAT struct pfioc_changenat
Adds or removes a nat rule in the active nat rule set.
struct pfioc_changenat {
u_int32_t action;
struct pf_nat oldnat;
struct pf_nat newnat;
};
DIOCCHANGEBINAT struct pfioc_changebinat
Adds or removes a binat rule in the active binat rule set.
struct pfioc_changebinat {
u_int32_t action;
struct pf_binat oldbinat;
struct pf_binat newbinat;
};
DIOCCHANGERDR struct pfioc_changerdr
Adds or removes a rdr rule in the active rdr rule set.
struct pfioc_changerdr {
u_int32_t action;
struct pf_rdr oldrdr;
struct pf_rdr newrdr;
};
DIOCSETTIMEOUT struct pfioc_tm
struct pfioc_tm {
int timeout;
int seconds;
};
DIOCGETTIMEOUT struct pfioc_tm
DIOCCLRRULECTRS
Clear per-rule statistics.
DIOCSETLIMIT struct pfioc_limit
Sets hard limits on the memory pools used by the packet filter.
struct pfioc_limit {
int index;
unsigned limit;
};
DIOCGETLIMIT struct pfioc_limit
EXAMPLES
The following example demonstrates how to use the DIOCNATLOOK command to
find the internal host/port of a NATed connection.
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/fcntl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <net/pfvar.h>
#include <stdio.h>
u_int32_t
read_address(const char *s)
{
int a, b, c, d;
sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
return htonl(a << 24 | b << 16 | c << 8 | d);
}
void
print_address(u_int32_t a)
{
a = ntohl(a);
printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
a >> 8 & 255, a & 255);
}
int
main(int argc, char *argv[])
{
struct pfioc_natlook nl;
int dev;
if (argc != 5) {
printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\n",
argv[0]);
return 1;
}
dev = open("/dev/pf", O_RDWR);
if (dev == -1)
err(0, "open(\"/dev/pf\") failed");
memset(&nl, 0, sizeof(struct pfioc_natlook));
nl.saddr.v4.s_addr = read_address(argv[1]);
nl.sport = htons(atoi(argv[2]));
nl.daddr.v4.s_addr = read_address(argv[3]);
nl.dport = htons(atoi(argv[4]));
nl.af = AF_INET;
nl.proto = IPPROTO_TCP;
nl.direction = PF_IN;
if (ioctl(dev, DIOCNATLOOK, &nl))
err(0, "DIOCNATLOOK");
printf("internal host ");
print_address(nl.rsaddr.v4.s_addr);
printf(":%u\n", ntohs(nl.rsport));
return 0;
}
SEE ALSO
bridge(4), pflog(4), pfctl(8)
HISTORY
The pf packet filtering mechanism first appeared in OpenBSD 3.0.
OpenBSD 3.2 June 24, 2001 6