1 .\" $OpenBSD: pf.4,v 1.62 2008/09/10 14:57:37 jmc Exp $
3 .\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
5 .\" Redistribution and use in source and binary forms, with or without
6 .\" modification, are permitted provided that the following conditions
8 .\" 1. Redistributions of source code must retain the above copyright
9 .\" notice, this list of conditions and the following disclaimer.
10 .\" 2. Redistributions in binary form must reproduce the above copyright
11 .\" notice, this list of conditions and the following disclaimer in the
12 .\" documentation and/or other materials provided with the distribution.
13 .\" 3. Neither the name of the project nor the names of its contributors
14 .\" may be used to endorse or promote products derived from this software
15 .\" without specific prior written permission.
17 .\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
18 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
21 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
39 .Cd "options PF_DEFAULT_TO_DROP"
41 Packet filtering takes place in the kernel.
44 allows userland processes to control the
45 behavior of the packet filter through an
48 There are commands to enable and disable the filter, load rulesets,
49 add and remove individual rules or state table entries,
50 and retrieve statistics.
51 The most commonly used functions are covered by
54 Manipulations like loading a ruleset that involve more than a single
56 call require a so-called
58 which prevents the occurrence of
59 multiple concurrent manipulations.
63 parameter structures that refer to packet data (like
64 addresses and ports) are generally expected in network byte-order.
66 Rules and address tables are contained in so-called
70 request, if the anchor field of the argument structure is empty,
71 the kernel will use the default anchor (i.e., the main ruleset)
73 Anchors are specified by name and may be nested, with components
76 characters, similar to how file system hierarchies are laid out.
77 The final component of the anchor path is the anchor under which
78 operations will be performed.
79 .Sh SYSCTL VARIABLES AND LOADER TUNABLES
82 tunables are available.
83 .Bl -tag -width indent
84 .It Va net.pf.states_hashsize
85 Size of hash tables that store states.
87 Default value is 131072.
88 .It Va net.pf.source_nodes_hashsize
89 Size of hash table that store source nodes.
91 Default value is 32768.
96 variables with matching names are provided to obtain current values
99 The following options in the kernel configuration file are related to
103 .Bl -tag -width ".Dv PF_DEFAULT_TO_DROP" -compact
104 .It Dv PF_DEFAULT_TO_DROP
105 Change default policy to drop by default
109 supports the following
111 commands, available through
113 .Bl -tag -width xxxxxx
115 Start the packet filter.
117 Stop the packet filter.
119 Start the ALTQ bandwidth control system (see
122 Stop the ALTQ bandwidth control system.
123 .It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp"
125 struct pfioc_pooladdr {
133 char anchor[MAXPATHLEN];
134 struct pf_pooladdr addr;
138 Clear the buffer address pool and get a
146 .It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp"
150 to the buffer address pool to be used in the following
155 All other members of the structure are ignored.
156 .It Dv DIOCADDRULE Fa "struct pfioc_rule *pr"
161 u_int32_t pool_ticket;
163 char anchor[MAXPATHLEN];
164 char anchor_call[MAXPATHLEN];
171 at the end of the inactive ruleset.
174 obtained through a preceding
182 must also be called if any pool addresses are required.
185 name indicates the anchor in which to append the rule.
190 .It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa"
191 Add an ALTQ discipline or queue.
200 .It Dv DIOCGETRULES Fa "struct pfioc_rule *pr"
207 of rules in the active ruleset.
208 .It Dv DIOCGETRULE Fa "struct pfioc_rule *pr"
215 obtained through a preceding
221 .Dv PF_GET_CLR_CNTR ,
222 the per-rule statistics on the requested rule are cleared.
223 .It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp"
230 of pool addresses in the rule specified with
235 .It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp"
240 from the rule specified with
247 obtained through a preceding
250 .It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa"
257 of queues in the active list.
258 .It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa"
259 Get the queueing discipline
265 obtained through a preceding
268 .It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq"
269 Get the statistics on a queue.
271 struct pfioc_qstats {
280 This call fills in a pointer to the buffer of statistics
284 for the queue specified by
286 .It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr"
288 struct pfioc_ruleset {
290 char path[MAXPATHLEN];
291 char name[PF_ANCHOR_NAME_SIZE];
297 of rulesets (i.e., anchors) directly attached to the anchor named by
299 for use in subsequent
302 Nested anchors, since they are not directly attached to the given
303 anchor, will not be included.
306 if the given anchor does not exist.
307 .It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr"
308 Get a ruleset (i.e., an anchor)
312 from the given anchor
314 the maximum number of which can be obtained from a preceding
319 if the given anchor does not exist or
321 if another process is concurrently updating a ruleset.
322 .It Dv DIOCADDSTATE Fa "struct pfioc_state *ps"
326 struct pfsync_state state;
329 .It Dv DIOCGETSTATENV Fa "struct pfioc_nv *nv"
330 Extract the entry identified by the
336 nvlist from the state table.
337 .It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk"
338 Remove matching entries from the state table.
339 This ioctl returns the number of killed states in
342 struct pfioc_state_kill {
343 struct pf_state_cmp psk_pfcmp;
346 struct pf_rule_addr psk_src;
347 struct pf_rule_addr psk_dst;
348 char psk_ifname[IFNAMSIZ];
349 char psk_label[PF_RULE_LABEL_SIZE];
353 .It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk"
366 .It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi"
367 Specify the interface for which statistics are accumulated.
370 char ifname[IFNAMSIZ];
373 .It Dv DIOCGETSTATUS Fa "struct pf_status *s"
374 Get the internal packet filter statistics.
377 u_int64_t counters[PFRES_MAX];
378 u_int64_t lcounters[LCNT_MAX];
379 u_int64_t fcounters[FCNT_MAX];
380 u_int64_t scounters[SCNT_MAX];
381 u_int64_t pcounters[2][2][3];
382 u_int64_t bcounters[2][2];
389 char ifname[IFNAMSIZ];
390 u_int8_t pf_chksum[MD5_DIGEST_LENGTH];
394 Clear the internal packet filter statistics.
395 .It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl"
396 Look up a state table entry by source and destination addresses and ports.
398 struct pfioc_natlook {
399 struct pf_addr saddr;
400 struct pf_addr daddr;
401 struct pf_addr rsaddr;
402 struct pf_addr rdaddr;
412 .It Dv DIOCSETDEBUG Fa "u_int32_t *level"
415 enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC,
418 .It Dv DIOCGETSTATESNV Fa "struct pfioc_nv *nv"
419 Get state table entries.
421 nvlist pf_state_key {
422 nvlist pf_addr addr[2];
428 nvlist pf_state_scrub {
434 nvlist pf_state_peer {
435 nvlist pf_state_scrub scrub;
448 nvlist pf_state_key stack_key;
449 nvlist pf_state_key wire_key;
450 nvlist pf_state_peer src;
451 nvlist pf_state_peer dst;
452 nvlist pf_addr rt_addr;
469 nvlist pf_state states[];
475 is insufficiently large, as many states as possible that can fit into this
476 size will be copied into the supplied buffer.
477 .It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr"
480 in the ruleset specified by
483 The type of operation to be performed is indicated by
485 which can be any of the following:
487 enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
488 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
489 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
493 must be set to the value obtained with
494 .Dv PF_CHANGE_GET_TICKET
495 for all actions except
496 .Dv PF_CHANGE_GET_TICKET .
498 must be set to the value obtained with the
500 call for all actions except
503 .Dv PF_CHANGE_GET_TICKET .
505 indicates to which anchor the operation applies.
507 indicates the rule number against which
508 .Dv PF_CHANGE_ADD_BEFORE ,
509 .Dv PF_CHANGE_ADD_AFTER ,
513 .\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr"
514 .It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca"
515 Add or remove the pool address
517 from the rule specified by
522 .It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt"
530 Set the state timeout of
534 The old value will be placed into
536 For possible values of
542 .It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt"
543 Get the state timeout of
545 The value will be placed into the
548 .It Dv DIOCCLRRULECTRS
549 Clear per-rule statistics.
550 .It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl"
551 Set the hard limits on the memory pools used by the packet filter.
558 enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
559 PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
561 .It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl"
564 for the memory pool indicated by
566 .It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io"
568 All the ioctls that manipulate radix tables
569 use the same structure described below.
573 contains on exit the number of tables deleted.
576 struct pfr_table pfrio_table;
585 u_int32_t pfrio_ticket;
587 #define pfrio_exists pfrio_nadd
588 #define pfrio_nzero pfrio_nadd
589 #define pfrio_nmatch pfrio_nadd
590 #define pfrio_naddr pfrio_size2
591 #define pfrio_setflag pfrio_size2
592 #define pfrio_clrflag pfrio_nadd
594 .It Dv DIOCRADDTABLES Fa "struct pfioc_table *io"
595 Create one or more tables.
598 must point to an array of
605 .Vt struct pfr_table .
608 contains the number of tables effectively created.
611 char pfrt_anchor[MAXPATHLEN];
612 char pfrt_name[PF_TABLE_NAME_SIZE];
613 u_int32_t pfrt_flags;
617 .It Dv DIOCRDELTABLES Fa "struct pfioc_table *io"
618 Delete one or more tables.
621 must point to an array of
628 .Vt struct pfr_table .
631 contains the number of tables effectively deleted.
632 .It Dv DIOCRGETTABLES Fa "struct pfioc_table *io"
633 Get the list of all tables.
635 .Va pfrio_buffer[pfrio_size]
636 contains a valid writeable buffer for
641 contains the number of tables written into the buffer.
642 If the buffer is too small, the kernel does not store anything but just
643 returns the required buffer size, without error.
644 .It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io"
647 but is used to get an array of
652 struct pfr_table pfrts_t;
653 u_int64_t pfrts_packets
654 [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
655 u_int64_t pfrts_bytes
656 [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
657 u_int64_t pfrts_match;
658 u_int64_t pfrts_nomatch;
661 int pfrts_refcnt[PFR_REFCNT_MAX];
663 #define pfrts_name pfrts_t.pfrt_name
664 #define pfrts_flags pfrts_t.pfrt_flags
666 .It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io"
667 Clear the statistics of one or more tables.
670 must point to an array of
677 .Vt struct pfr_table .
680 contains the number of tables effectively cleared.
681 .It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io"
682 Clear all addresses in a table.
685 contains the table to clear.
688 contains the number of addresses removed.
689 .It Dv DIOCRADDADDRS Fa "struct pfioc_table *io"
690 Add one or more addresses to a table.
693 contains the table ID and
695 must point to an array of
699 elements to add to the table.
702 .Vt struct pfr_addr .
705 contains the number of addresses effectively added.
709 struct in_addr _pfra_ip4addr;
710 struct in6_addr _pfra_ip6addr;
717 #define pfra_ip4addr pfra_u._pfra_ip4addr
718 #define pfra_ip6addr pfra_u._pfra_ip6addr
720 .It Dv DIOCRDELADDRS Fa "struct pfioc_table *io"
721 Delete one or more addresses from a table.
724 contains the table ID and
726 must point to an array of
730 elements to delete from the table.
733 .Vt struct pfr_addr .
736 contains the number of addresses effectively deleted.
737 .It Dv DIOCRSETADDRS Fa "struct pfioc_table *io"
738 Replace the content of a table by a new address list.
739 This is the most complicated command, which uses all the structure members.
743 contains the table ID and
745 must point to an array of
749 elements which become the new contents of the table.
752 .Vt struct pfr_addr .
756 .Va pfrio_buffer[pfrio_size..pfrio_size2]
757 must be a writeable buffer, into which the kernel can copy the
758 addresses that have been deleted during the replace operation.
764 contain the number of addresses deleted, added, and changed by the
770 will point to the size of the buffer used, exactly like
772 .It Dv DIOCRGETADDRS Fa "struct pfioc_table *io"
773 Get all the addresses of a table.
776 contains the table ID and
777 .Va pfrio_buffer[pfrio_size]
778 contains a valid writeable buffer for
783 contains the number of addresses written into the buffer.
784 If the buffer was too small, the kernel does not store anything but just
785 returns the required buffer size, without returning an error.
786 .It Dv DIOCRGETASTATS Fa "struct pfioc_table *io"
789 but is used to get an array of
794 struct pfr_addr pfras_a;
795 u_int64_t pfras_packets
796 [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
797 u_int64_t pfras_bytes
798 [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
802 .It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io"
803 Clear the statistics of one or more addresses.
806 contains the table ID and
808 must point to an array of
812 elements to be cleared from the table.
815 .Vt struct pfr_addr .
818 contains the number of addresses effectively cleared.
819 .It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io"
820 Test if the given addresses match a table.
823 contains the table ID and
825 must point to an array of
829 elements, each of which will be tested for a match in the table.
832 .Vt struct pfr_addr .
833 On exit, the kernel updates the
837 member appropriately.
838 .It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io"
842 .Dv PFR_TFLAG_PERSIST
846 must point to an array of
853 .Vt struct pfr_table .
855 must contain the flags to add, while
857 must contain the flags to remove.
862 contain the number of tables altered or deleted by the kernel.
863 Yes, tables can be deleted if one removes the
864 .Dv PFR_TFLAG_PERSIST
865 flag of an unreferenced table.
866 .It Dv DIOCRINADEFINE Fa "struct pfioc_table *io"
867 Defines a table in the inactive set.
870 contains the table ID and
871 .Va pfrio_buffer[pfrio_size]
874 structures to put in the table.
875 A valid ticket must also be supplied to
879 contains 0 if the table was already defined in the inactive list
880 or 1 if a new table has been created.
882 contains the number of addresses effectively put in the table.
883 .It Dv DIOCXBEGIN Fa "struct pfioc_trans *io"
886 int size; /* number of elements */
887 int esize; /* size of each element in bytes */
888 struct pfioc_trans_e {
890 char anchor[MAXPATHLEN];
896 Clear all the inactive rulesets specified in the
899 For each ruleset, a ticket is returned for subsequent "add rule" ioctls,
906 Ruleset types, identified by
908 include the following:
910 .Bl -tag -width PF_RULESET_FILTER -offset ind -compact
911 .It Dv PF_RULESET_SCRUB
912 Scrub (packet normalization) rules.
913 .It Dv PF_RULESET_FILTER
915 .It Dv PF_RULESET_NAT
916 NAT (Network Address Translation) rules.
917 .It Dv PF_RULESET_BINAT
918 Bidirectional NAT rules.
919 .It Dv PF_RULESET_RDR
921 .It Dv PF_RULESET_ALTQ
923 .It Dv PF_RULESET_TABLE
926 .It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io"
927 Atomically switch a vector of inactive rulesets to the active rulesets.
928 This call is implemented as a standard two-phase commit, which will either
929 fail for all rulesets or completely succeed.
930 All tickets need to be valid.
933 if another process is concurrently updating some of the same rulesets.
934 .It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io"
935 Clean up the kernel by undoing all changes that have taken place on the
936 inactive rulesets since the last
939 will silently ignore rulesets for which the ticket is invalid.
940 .It Dv DIOCSETHOSTID Fa "u_int32_t *hostid"
941 Set the host ID, which is used by
943 to identify which host created state table entries.
945 Flush the passive OS fingerprint table.
946 .It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io"
948 struct pf_osfp_ioctl {
949 struct pf_osfp_entry {
950 SLIST_ENTRY(pf_osfp_entry) fp_entry;
952 char fp_class_nm[PF_OSFP_LEN];
953 char fp_version_nm[PF_OSFP_LEN];
954 char fp_subtype_nm[PF_OSFP_LEN];
956 pf_tcpopts_t fp_tcpopts;
968 Add a passive OS fingerprint to the table.
971 to the packed fingerprint,
972 .Va fp_os.fp_class_nm
973 to the name of the class (Linux, Windows, etc),
974 .Va fp_os.fp_version_nm
975 to the name of the version (NT, 95, 98), and
976 .Va fp_os.fp_subtype_nm
977 to the name of the subtype or patchlevel.
986 are set to the TCP MSS, the TCP window size, the IP length, the IP TTL,
987 the number of TCP options, and the TCP window scaling constant of the
988 TCP SYN packet, respectively.
992 member is filled according to the
999 member contains packed TCP options.
1001 .Dv PF_OSFP_TCPOPT_BITS
1002 bits in the packed value.
1003 Options include any of
1004 .Dv PF_OSFP_TCPOPT_NOP ,
1005 .Dv PF_OSFP_TCPOPT_SACK ,
1006 .Dv PF_OSFP_TCPOPT_WSCALE ,
1007 .Dv PF_OSFP_TCPOPT_MSS ,
1009 .Dv PF_OSFP_TCPOPT_TS .
1013 member is not used with this ioctl.
1015 The structure's slack space must be zeroed for correct operation;
1017 the whole structure to zero before filling and sending to the kernel.
1018 .It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io"
1019 Get the passive OS fingerprint number
1021 from the kernel's fingerprint list.
1022 The rest of the structure members will come back filled.
1023 Get the whole list by repeatedly incrementing the
1025 number until the ioctl returns
1027 .It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn"
1029 struct pfioc_src_nodes {
1033 struct pf_src_node *psu_src_nodes;
1035 #define psn_buf psn_u.psu_buf
1036 #define psn_src_nodes psn_u.psu_src_nodes
1040 Get the list of source nodes kept by sticky addresses and source
1042 The ioctl must be called once with
1045 If the ioctl returns without error,
1047 will be set to the size of the buffer required to hold all the
1049 structures held in the table.
1050 A buffer of this size should then be allocated, and a pointer to this buffer
1053 The ioctl must then be called again to fill this buffer with the actual
1057 will be set to the length of the buffer actually used.
1058 .It Dv DIOCCLRSRCNODES
1059 Clear the tree of source tracking nodes.
1060 .It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io"
1061 Get the list of interfaces and interface drivers known to
1063 All the ioctls that manipulate interfaces
1064 use the same structure described below:
1066 struct pfioc_iface {
1067 char pfiio_name[IFNAMSIZ];
1078 can be used to restrict the search to a specific interface or driver.
1079 .Va pfiio_buffer[pfiio_size]
1080 is the user-supplied buffer for returning the data.
1083 contains the number of
1085 entries that can fit into the buffer.
1086 The kernel will replace this value by the real number of entries it wants
1090 .Li sizeof(struct pfi_kif) .
1092 The data is returned in the
1094 structure described below:
1097 RB_ENTRY(pfi_kif) pfik_tree;
1098 char pfik_name[IFNAMSIZ];
1099 u_int64_t pfik_packets[2][2][2];
1100 u_int64_t pfik_bytes[2][2][2];
1101 u_int32_t pfik_tzero;
1103 struct pf_state_tree_lan_ext pfik_lan_ext;
1104 struct pf_state_tree_ext_gwy pfik_ext_gwy;
1105 TAILQ_ENTRY(pfi_kif) pfik_w_states;
1106 void *pfik_ah_cookie;
1107 struct ifnet *pfik_ifp;
1108 struct ifg_group *pfik_group;
1111 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
1114 .It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io"
1115 Set the user settable flags (described above) of the
1117 internal interface description.
1118 The filtering process is the same as for
1119 .Dv DIOCIGETIFACES .
1121 #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
1123 .It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
1126 above but clears the flags.
1127 .It Dv DIOCKILLSRCNODES Fa "struct pfioc_iface *io"
1128 Explicitly remove source tracking nodes.
1131 .Bl -tag -width /dev/pf -compact
1133 packet filtering device.
1136 The following example demonstrates how to use the
1138 command to find the internal host/port of a NATed connection:
1140 #include <sys/types.h>
1141 #include <sys/socket.h>
1142 #include <sys/ioctl.h>
1143 #include <sys/fcntl.h>
1145 #include <netinet/in.h>
1146 #include <net/pfvar.h>
1152 read_address(const char *s)
1156 sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
1157 return htonl(a << 24 | b << 16 | c << 8 | d);
1161 print_address(u_int32_t a)
1164 printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
1165 a >> 8 & 255, a & 255);
1169 main(int argc, char *argv[])
1171 struct pfioc_natlook nl;
1175 printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n",
1180 dev = open("/dev/pf", O_RDWR);
1182 err(1, "open(\\"/dev/pf\\") failed");
1184 memset(&nl, 0, sizeof(struct pfioc_natlook));
1185 nl.saddr.v4.s_addr = read_address(argv[1]);
1186 nl.sport = htons(atoi(argv[2]));
1187 nl.daddr.v4.s_addr = read_address(argv[3]);
1188 nl.dport = htons(atoi(argv[4]));
1190 nl.proto = IPPROTO_TCP;
1191 nl.direction = PF_IN;
1193 if (ioctl(dev, DIOCNATLOOK, &nl))
1194 err(1, "DIOCNATLOOK");
1196 printf("internal host ");
1197 print_address(nl.rsaddr.v4.s_addr);
1198 printf(":%u\\n", ntohs(nl.rsport));
1213 packet filtering mechanism first appeared in
1218 This implementation is derived from
1220 It has been heavily modified to be capable of running in multithreaded
1222 kernel and scale its performance on multiple CPUs.
projects / FreeBSD / FreeBSD.git / blob