1 .\" $OpenBSD: pf.4,v 1.62 2008/09/10 14:57:37 jmc Exp $
3 .\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
5 .\" Redistribution and use in source and binary forms, with or without
6 .\" modification, are permitted provided that the following conditions
8 .\" 1. Redistributions of source code must retain the above copyright
9 .\" notice, this list of conditions and the following disclaimer.
10 .\" 2. Redistributions in binary form must reproduce the above copyright
11 .\" notice, this list of conditions and the following disclaimer in the
12 .\" documentation and/or other materials provided with the distribution.
13 .\" 3. Neither the name of the project nor the names of its contributors
14 .\" may be used to endorse or promote products derived from this software
15 .\" without specific prior written permission.
17 .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
37 .Cd "options PF_DEFAULT_TO_DROP"
39 Packet filtering takes place in the kernel.
42 allows userland processes to control the
43 behavior of the packet filter through an
46 There are commands to enable and disable the filter, load rulesets,
47 add and remove individual rules or state table entries,
48 and retrieve statistics.
49 The most commonly used functions are covered by
52 Manipulations like loading a ruleset that involve more than a single
54 call require a so-called
56 which prevents the occurrence of
57 multiple concurrent manipulations.
61 parameter structures that refer to packet data (like
62 addresses and ports) are generally expected in network byte-order.
64 Rules and address tables are contained in so-called
68 request, if the anchor field of the argument structure is empty,
69 the kernel will use the default anchor (i.e., the main ruleset)
71 Anchors are specified by name and may be nested, with components
74 characters, similar to how file system hierarchies are laid out.
75 The final component of the anchor path is the anchor under which
76 operations will be performed.
77 .Sh SYSCTL VARIABLES AND LOADER TUNABLES
80 tunables are available.
81 .Bl -tag -width indent
82 .It Va net.pf.states_hashsize
83 Size of hash tables that store states.
85 Default value is 131072.
86 .It Va net.pf.source_nodes_hashsize
87 Size of hash table that store source nodes.
89 Default value is 32768.
90 .It Va net.pf.default_to_drop
92 .Cd "options PF_DEFAULT_TO_DROP"
93 from kernel configuration file.
98 variables with matching names are provided to obtain current values
101 The following options in the kernel configuration file are related to
105 .Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact
106 .It Dv PF_DEFAULT_TO_DROP
107 Change default policy to drop by default
111 supports the following
113 commands, available through
115 .Bl -tag -width xxxxxx
117 Start the packet filter.
119 Stop the packet filter.
121 Start the ALTQ bandwidth control system (see
124 Stop the ALTQ bandwidth control system.
125 .It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp"
127 struct pfioc_pooladdr {
135 char anchor[MAXPATHLEN];
136 struct pf_pooladdr addr;
140 Clear the buffer address pool and get a
148 .It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp"
152 to the buffer address pool to be used in the following
157 All other members of the structure are ignored.
158 .It Dv DIOCADDRULE Fa "struct pfioc_rule *pr"
163 u_int32_t pool_ticket;
165 char anchor[MAXPATHLEN];
166 char anchor_call[MAXPATHLEN];
173 at the end of the inactive ruleset.
176 obtained through a preceding
184 must also be called if any pool addresses are required.
187 name indicates the anchor in which to append the rule.
192 .It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa"
193 Add an ALTQ discipline or queue.
202 .It Dv DIOCGETRULES Fa "struct pfioc_rule *pr"
209 of rules in the active ruleset.
210 .It Dv DIOCGETRULE Fa "struct pfioc_rule *pr"
217 obtained through a preceding
223 .Dv PF_GET_CLR_CNTR ,
224 the per-rule statistics on the requested rule are cleared.
225 .It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp"
232 of pool addresses in the rule specified with
237 .It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp"
242 from the rule specified with
249 obtained through a preceding
252 .It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa"
259 of queues in the active list.
260 .It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa"
261 Get the queueing discipline
267 obtained through a preceding
270 .It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq"
271 Get the statistics on a queue.
273 struct pfioc_qstats {
282 This call fills in a pointer to the buffer of statistics
286 for the queue specified by
288 .It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr"
290 struct pfioc_ruleset {
292 char path[MAXPATHLEN];
293 char name[PF_ANCHOR_NAME_SIZE];
299 of rulesets (i.e., anchors) directly attached to the anchor named by
301 for use in subsequent
304 Nested anchors, since they are not directly attached to the given
305 anchor, will not be included.
308 if the parent anchor given at
311 .It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr"
312 Get a ruleset (i.e., an anchor)
316 from the given anchor
318 the maximum number of which can be obtained from a preceding
323 if the parent anchor given by
327 if the index passed in by
329 is greater than the number of anchors.
330 .It Dv DIOCADDSTATE Fa "struct pfioc_state *ps"
334 struct pfsync_state state;
337 .It Dv DIOCGETSTATENV Fa "struct pfioc_nv *nv"
338 Extract the entry identified by the
344 nvlist from the state table.
345 .It Dv DIOCKILLSTATESNV Fa "struct pfioc_nv nv"
346 Remove matching entries from the state table.
347 This ioctl returns the number of killed states in
350 nvlist pf_state_cmp {
357 nvlist pf_state_cmp cmp;
360 nvlist pf_rule_addr src;
361 nvlist pf_rule_addr dst;
362 string ifname[IFNAMSIZ];
363 string label[PF_RULE_LABEL_SIZE];
366 .It Dv DIOCCLRSTATESNV Fa "struct pfioc_nv nv"
369 .Dv DIOCKILLSTATESNV ,
379 .It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi"
380 Specify the interface for which statistics are accumulated.
383 char ifname[IFNAMSIZ];
386 .It Dv DIOCGETSTATUS Fa "struct pf_status *s"
387 Get the internal packet filter statistics.
390 u_int64_t counters[PFRES_MAX];
391 u_int64_t lcounters[LCNT_MAX];
392 u_int64_t fcounters[FCNT_MAX];
393 u_int64_t scounters[SCNT_MAX];
394 u_int64_t pcounters[2][2][3];
395 u_int64_t bcounters[2][2];
402 char ifname[IFNAMSIZ];
403 u_int8_t pf_chksum[MD5_DIGEST_LENGTH];
407 Clear the internal packet filter statistics.
408 .It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl"
409 Look up a state table entry by source and destination addresses and ports.
411 struct pfioc_natlook {
412 struct pf_addr saddr;
413 struct pf_addr daddr;
414 struct pf_addr rsaddr;
415 struct pf_addr rdaddr;
425 .It Dv DIOCSETDEBUG Fa "u_int32_t *level"
428 enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC,
431 .It Dv DIOCGETSTATESV2 Fa "struct pfioc_states_v2 *ps"
432 Get state table entries.
434 struct pfioc_states_v2 {
436 uint64_t ps_req_version;
439 struct pf_state_export *ps_states;
443 struct pf_state_export {
446 char ifname[IFNAMSIZ];
447 char orig_ifname[IFNAMSIZ];
448 struct pf_state_key_export key[2];
449 struct pf_state_peer_export src;
450 struct pf_state_peer_export dst;
451 struct pf_addr rt_addr;
466 uint8_t state_flags_compat;
470 uint16_t state_flags;
481 char rt_ifname[IFNAMSIZ];
485 .It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr"
488 in the ruleset specified by
491 The type of operation to be performed is indicated by
493 which can be any of the following:
495 enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
496 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
497 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
501 must be set to the value obtained with
502 .Dv PF_CHANGE_GET_TICKET
503 for all actions except
504 .Dv PF_CHANGE_GET_TICKET .
506 must be set to the value obtained with the
508 call for all actions except
511 .Dv PF_CHANGE_GET_TICKET .
513 indicates to which anchor the operation applies.
515 indicates the rule number against which
516 .Dv PF_CHANGE_ADD_BEFORE ,
517 .Dv PF_CHANGE_ADD_AFTER ,
521 .\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr"
522 .It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca"
523 Add or remove the pool address
525 from the rule specified by
530 .It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt"
538 Set the state timeout of
542 The old value will be placed into
544 For possible values of
550 .It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt"
551 Get the state timeout of
553 The value will be placed into the
556 .It Dv DIOCCLRRULECTRS
557 Clear per-rule statistics.
558 .It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl"
559 Set the hard limits on the memory pools used by the packet filter.
566 enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
567 PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
569 .It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl"
572 for the memory pool indicated by
574 .It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io"
576 All the ioctls that manipulate radix tables
577 use the same structure described below.
581 contains on exit the number of tables deleted.
584 struct pfr_table pfrio_table;
593 u_int32_t pfrio_ticket;
595 #define pfrio_exists pfrio_nadd
596 #define pfrio_nzero pfrio_nadd
597 #define pfrio_nmatch pfrio_nadd
598 #define pfrio_naddr pfrio_size2
599 #define pfrio_setflag pfrio_size2
600 #define pfrio_clrflag pfrio_nadd
602 .It Dv DIOCRADDTABLES Fa "struct pfioc_table *io"
603 Create one or more tables.
606 must point to an array of
613 .Vt struct pfr_table .
616 contains the number of tables effectively created.
619 char pfrt_anchor[MAXPATHLEN];
620 char pfrt_name[PF_TABLE_NAME_SIZE];
621 u_int32_t pfrt_flags;
625 .It Dv DIOCRDELTABLES Fa "struct pfioc_table *io"
626 Delete one or more tables.
629 must point to an array of
636 .Vt struct pfr_table .
639 contains the number of tables effectively deleted.
640 .It Dv DIOCRGETTABLES Fa "struct pfioc_table *io"
641 Get the list of all tables.
643 .Va pfrio_buffer[pfrio_size]
644 contains a valid writeable buffer for
649 contains the number of tables written into the buffer.
650 If the buffer is too small, the kernel does not store anything but just
651 returns the required buffer size, without error.
652 .It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io"
655 but is used to get an array of
660 struct pfr_table pfrts_t;
661 u_int64_t pfrts_packets
662 [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
663 u_int64_t pfrts_bytes
664 [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
665 u_int64_t pfrts_match;
666 u_int64_t pfrts_nomatch;
669 int pfrts_refcnt[PFR_REFCNT_MAX];
671 #define pfrts_name pfrts_t.pfrt_name
672 #define pfrts_flags pfrts_t.pfrt_flags
674 .It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io"
675 Clear the statistics of one or more tables.
678 must point to an array of
685 .Vt struct pfr_table .
688 contains the number of tables effectively cleared.
689 .It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io"
690 Clear all addresses in a table.
693 contains the table to clear.
696 contains the number of addresses removed.
697 .It Dv DIOCRADDADDRS Fa "struct pfioc_table *io"
698 Add one or more addresses to a table.
701 contains the table ID and
703 must point to an array of
707 elements to add to the table.
710 .Vt struct pfr_addr .
713 contains the number of addresses effectively added.
717 struct in_addr _pfra_ip4addr;
718 struct in6_addr _pfra_ip6addr;
725 #define pfra_ip4addr pfra_u._pfra_ip4addr
726 #define pfra_ip6addr pfra_u._pfra_ip6addr
728 .It Dv DIOCRDELADDRS Fa "struct pfioc_table *io"
729 Delete one or more addresses from a table.
732 contains the table ID and
734 must point to an array of
738 elements to delete from the table.
741 .Vt struct pfr_addr .
744 contains the number of addresses effectively deleted.
745 .It Dv DIOCRSETADDRS Fa "struct pfioc_table *io"
746 Replace the content of a table by a new address list.
747 This is the most complicated command, which uses all the structure members.
751 contains the table ID and
753 must point to an array of
757 elements which become the new contents of the table.
760 .Vt struct pfr_addr .
764 .Va pfrio_buffer[pfrio_size..pfrio_size2]
765 must be a writeable buffer, into which the kernel can copy the
766 addresses that have been deleted during the replace operation.
772 contain the number of addresses deleted, added, and changed by the
778 will point to the size of the buffer used, exactly like
780 .It Dv DIOCRGETADDRS Fa "struct pfioc_table *io"
781 Get all the addresses of a table.
784 contains the table ID and
785 .Va pfrio_buffer[pfrio_size]
786 contains a valid writeable buffer for
791 contains the number of addresses written into the buffer.
792 If the buffer was too small, the kernel does not store anything but just
793 returns the required buffer size, without returning an error.
794 .It Dv DIOCRGETASTATS Fa "struct pfioc_table *io"
797 but is used to get an array of
802 struct pfr_addr pfras_a;
803 u_int64_t pfras_packets
804 [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
805 u_int64_t pfras_bytes
806 [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
810 .It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io"
811 Clear the statistics of one or more addresses.
814 contains the table ID and
816 must point to an array of
820 elements to be cleared from the table.
823 .Vt struct pfr_addr .
826 contains the number of addresses effectively cleared.
827 .It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io"
828 Test if the given addresses match a table.
831 contains the table ID and
833 must point to an array of
837 elements, each of which will be tested for a match in the table.
840 .Vt struct pfr_addr .
841 On exit, the kernel updates the
845 member appropriately.
846 .It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io"
850 .Dv PFR_TFLAG_PERSIST
854 must point to an array of
861 .Vt struct pfr_table .
863 must contain the flags to add, while
865 must contain the flags to remove.
870 contain the number of tables altered or deleted by the kernel.
871 Yes, tables can be deleted if one removes the
872 .Dv PFR_TFLAG_PERSIST
873 flag of an unreferenced table.
874 .It Dv DIOCRINADEFINE Fa "struct pfioc_table *io"
875 Defines a table in the inactive set.
878 contains the table ID and
879 .Va pfrio_buffer[pfrio_size]
882 structures to put in the table.
883 A valid ticket must also be supplied to
887 contains 0 if the table was already defined in the inactive list
888 or 1 if a new table has been created.
890 contains the number of addresses effectively put in the table.
891 .It Dv DIOCXBEGIN Fa "struct pfioc_trans *io"
894 int size; /* number of elements */
895 int esize; /* size of each element in bytes */
896 struct pfioc_trans_e {
898 char anchor[MAXPATHLEN];
904 Clear all the inactive rulesets specified in the
907 For each ruleset, a ticket is returned for subsequent "add rule" ioctls,
914 Ruleset types, identified by
916 include the following:
918 .Bl -tag -width PF_RULESET_FILTER -offset ind -compact
919 .It Dv PF_RULESET_SCRUB
920 Scrub (packet normalization) rules.
921 .It Dv PF_RULESET_FILTER
923 .It Dv PF_RULESET_NAT
924 NAT (Network Address Translation) rules.
925 .It Dv PF_RULESET_BINAT
926 Bidirectional NAT rules.
927 .It Dv PF_RULESET_RDR
929 .It Dv PF_RULESET_ALTQ
931 .It Dv PF_RULESET_TABLE
934 .It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io"
935 Atomically switch a vector of inactive rulesets to the active rulesets.
936 This call is implemented as a standard two-phase commit, which will either
937 fail for all rulesets or completely succeed.
938 All tickets need to be valid.
941 if another process is concurrently updating some of the same rulesets.
942 .It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io"
943 Clean up the kernel by undoing all changes that have taken place on the
944 inactive rulesets since the last
947 will silently ignore rulesets for which the ticket is invalid.
948 .It Dv DIOCSETHOSTID Fa "u_int32_t *hostid"
949 Set the host ID, which is used by
951 to identify which host created state table entries.
953 Flush the passive OS fingerprint table.
954 .It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io"
956 struct pf_osfp_ioctl {
957 struct pf_osfp_entry {
958 SLIST_ENTRY(pf_osfp_entry) fp_entry;
960 char fp_class_nm[PF_OSFP_LEN];
961 char fp_version_nm[PF_OSFP_LEN];
962 char fp_subtype_nm[PF_OSFP_LEN];
964 pf_tcpopts_t fp_tcpopts;
976 Add a passive OS fingerprint to the table.
979 to the packed fingerprint,
980 .Va fp_os.fp_class_nm
981 to the name of the class (Linux, Windows, etc),
982 .Va fp_os.fp_version_nm
983 to the name of the version (NT, 95, 98), and
984 .Va fp_os.fp_subtype_nm
985 to the name of the subtype or patchlevel.
994 are set to the TCP MSS, the TCP window size, the IP length, the IP TTL,
995 the number of TCP options, and the TCP window scaling constant of the
996 TCP SYN packet, respectively.
1000 member is filled according to the
1007 member contains packed TCP options.
1009 .Dv PF_OSFP_TCPOPT_BITS
1010 bits in the packed value.
1011 Options include any of
1012 .Dv PF_OSFP_TCPOPT_NOP ,
1013 .Dv PF_OSFP_TCPOPT_SACK ,
1014 .Dv PF_OSFP_TCPOPT_WSCALE ,
1015 .Dv PF_OSFP_TCPOPT_MSS ,
1017 .Dv PF_OSFP_TCPOPT_TS .
1021 member is not used with this ioctl.
1023 The structure's slack space must be zeroed for correct operation;
1025 the whole structure to zero before filling and sending to the kernel.
1026 .It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io"
1027 Get the passive OS fingerprint number
1029 from the kernel's fingerprint list.
1030 The rest of the structure members will come back filled.
1031 Get the whole list by repeatedly incrementing the
1033 number until the ioctl returns
1035 .It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn"
1037 struct pfioc_src_nodes {
1041 struct pf_src_node *psu_src_nodes;
1043 #define psn_buf psn_u.psu_buf
1044 #define psn_src_nodes psn_u.psu_src_nodes
1048 Get the list of source nodes kept by sticky addresses and source
1050 The ioctl must be called once with
1053 If the ioctl returns without error,
1055 will be set to the size of the buffer required to hold all the
1057 structures held in the table.
1058 A buffer of this size should then be allocated, and a pointer to this buffer
1061 The ioctl must then be called again to fill this buffer with the actual
1065 will be set to the length of the buffer actually used.
1066 .It Dv DIOCCLRSRCNODES
1067 Clear the tree of source tracking nodes.
1068 .It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io"
1069 Get the list of interfaces and interface drivers known to
1071 All the ioctls that manipulate interfaces
1072 use the same structure described below:
1074 struct pfioc_iface {
1075 char pfiio_name[IFNAMSIZ];
1086 can be used to restrict the search to a specific interface or driver.
1087 .Va pfiio_buffer[pfiio_size]
1088 is the user-supplied buffer for returning the data.
1091 contains the number of
1093 entries that can fit into the buffer.
1094 The kernel will replace this value by the real number of entries it wants
1098 .Li sizeof(struct pfi_kif) .
1100 The data is returned in the
1102 structure described below:
1105 char pfik_name[IFNAMSIZ];
1107 RB_ENTRY(pfi_kif) pfik_tree;
1108 LIST_ENTRY(pfi_kif) pfik_list;
1110 u_int64_t pfik_packets[2][2][2];
1111 u_int64_t pfik_bytes[2][2][2];
1112 u_int32_t pfik_tzero;
1114 struct ifnet *pfik_ifp;
1115 struct ifg_group *pfik_group;
1116 u_int pfik_rulerefs;
1117 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
1120 .It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io"
1121 Set the user settable flags (described above) of the
1123 internal interface description.
1124 The filtering process is the same as for
1125 .Dv DIOCIGETIFACES .
1127 #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
1129 .It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
1132 above but clears the flags.
1133 .It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
1134 Explicitly remove source tracking nodes.
1137 .Bl -tag -width /dev/pf -compact
1139 packet filtering device.
1142 The following example demonstrates how to use the
1144 command to find the internal host/port of a NATed connection:
1146 #include <sys/types.h>
1147 #include <sys/socket.h>
1148 #include <sys/ioctl.h>
1149 #include <sys/fcntl.h>
1151 #include <netinet/in.h>
1152 #include <net/pfvar.h>
1158 read_address(const char *s)
1162 sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
1163 return htonl(a << 24 | b << 16 | c << 8 | d);
1167 print_address(u_int32_t a)
1170 printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
1171 a >> 8 & 255, a & 255);
1175 main(int argc, char *argv[])
1177 struct pfioc_natlook nl;
1181 printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n",
1186 dev = open("/dev/pf", O_RDWR);
1188 err(1, "open(\\"/dev/pf\\") failed");
1190 memset(&nl, 0, sizeof(struct pfioc_natlook));
1191 nl.saddr.v4.s_addr = read_address(argv[1]);
1192 nl.sport = htons(atoi(argv[2]));
1193 nl.daddr.v4.s_addr = read_address(argv[3]);
1194 nl.dport = htons(atoi(argv[4]));
1196 nl.proto = IPPROTO_TCP;
1197 nl.direction = PF_IN;
1199 if (ioctl(dev, DIOCNATLOOK, &nl))
1200 err(1, "DIOCNATLOOK");
1202 printf("internal host ");
1203 print_address(nl.rsaddr.v4.s_addr);
1204 printf(":%u\\n", ntohs(nl.rsport));
1219 packet filtering mechanism first appeared in
1224 This implementation is derived from
1226 A number of individual features, improvements, bug fixes and security fixes
1227 have been ported from later versions of
1229 It has been heavily modified to be capable of running in multithreaded
1231 kernel and scale its performance on multiple CPUs.