[dragonfly.git] / share / man / man4 / pf.4

.\"     $OpenBSD: pf.4,v 1.46 2004/02/19 21:29:51 cedric Exp $
.\"     $DragonFly: src/share/man/man4/pf.4,v 1.5 2007/05/19 17:32:12 swildner Exp $
.\"
.\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the project nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd June 24, 2001
.Dt PF 4
.Os
.Sh NAME
.Nm pf
.Nd packet filter
.Sh SYNOPSIS
.Cd "device pf"
.Sh DESCRIPTION
Packet filtering takes place in the kernel.
A pseudo-device,
.Pa /dev/pf ,
allows userland processes to control the
behavior of the packet filter through an
.Xr ioctl 2
interface.
There are commands to enable and disable the filter, load rulesets,
add and remove individual rules or state table entries,
and retrieve statistics.
The most commonly used functions are covered by
.Xr pfctl 8 .
.Pp
Manipulations like loading a ruleset that involve more than a single
ioctl call require a so-called ticket, which prevents the occurrence of
multiple concurrent manipulations.
.Pp
Fields of ioctl parameter structures that refer to packet data (like
addresses and ports) are generally expected in network byte-order.
.Sh FILES
.Bl -tag -width /dev/pf -compact
.It Pa /dev/pf
packet filtering device.
.El
.Sh IOCTL INTERFACE
pf supports the following
.Xr ioctl 2
commands:
.Bl -tag -width xxxxxx
.It Dv DIOCSTART
Starts the packet filter.
.It Dv DIOCSTOP
Stops the packet filter.
.It Dv DIOCSTARTALTQ
Starts the
.Xr altq 4
bandwidth control system.
.It Dv DIOCSTOPALTQ
Stops the
.Xr altq 4
bandwidth control system.
.It Dv DIOCBEGINADDRS  Fa "struct pfioc_pooladdr"
.Bd -literal
struct pfioc_pooladdr {
        u_int32_t               action;
        u_int32_t               ticket;
        u_int32_t               nr;
        u_int32_t               r_num;
        u_int8_t                r_action;
        u_int8_t                r_last;
        u_int8_t                af;
        char                    anchor[PF_ANCHOR_NAME_SIZE];
        char                    ruleset[PF_RULESET_NAME_SIZE];
        struct pf_pooladdr      addr;
};
.Ed
.Pp
Clears the buffer address pool
and returns a
.Va ticket
for subsequent
.Dv DIOCADDADDR ,
.Dv DIOCADDRULE
and
.Dv DIOCCHANGERULE
calls.
.It Dv DIOCADDADDR     Fa "struct pfioc_pooladdr"
.Pp
Adds pool address
.Va addr
to the buffer address pool to be used in the following
.Dv DIOCADDRULE
or
.Dv DIOCCHANGERULE
call.
All other members of the structure are ignored.
.It Dv DIOCADDRULE     Fa "struct pfioc_rule"
.Bd -literal
struct pfioc_rule {
        u_int32_t       action;
        u_int32_t       ticket;
        u_int32_t       pool_ticket;
        u_int32_t       nr;
        char            anchor[PF_ANCHOR_NAME_SIZE];
        char            ruleset[PF_RULESET_NAME_SIZE];
        struct pf_rule  rule;
};
.Ed
.Pp
Adds
.Va rule
at the end of the inactive ruleset.
Requires
.Va ticket
obtained through preceding
.Dv DIOCXBEGIN
call, and
.Va pool_ticket
obtained through
.Dv DIOCBEGINADDRS
call.
.Dv DIOCADDADDR
must also be called if any pool addresses are required.
The optional
.Va anchor
and
.Va ruleset
names indicate the anchor and ruleset in which to append the rule.
.Va nr
and
.Va action
are ignored.
.It Dv DIOCADDALTQ     Fa "struct pfioc_altq"
Adds
.Bd -literal
struct pfioc_altq {
        u_int32_t       action;
        u_int32_t       ticket;
        u_int32_t       nr;
        struct pf_altq   altq;
};
.Ed
.It Dv DIOCGETRULES    Fa "struct pfioc_rule"
Returns
.Va ticket
for subsequent
.Dv DIOCGETRULE
calls and
.Va nr
of rules in the active ruleset.
.It Dv DIOCGETRULE     Fa "struct pfioc_rule"
Returns
.Va rule
number
.Va nr
using
.Va ticket
obtained through a preceding
.Dv DIOCGETRULES
call.
.It Dv DIOCGETADDRS    Fa "struct pfioc_pooladdr"
Returns
.Va ticket
for subsequent
.Dv DIOCGETADDR
calls and
.Va nr
of pool addresses in the rule specified with
.Va r_action ,
.Va r_num ,
.Va anchor
and
.Va ruleset .
.It Dv DIOCGETADDR     Fa "struct pfioc_pooladdr"
Returns pool address
.Va addr
number
.Va nr
from the rule specified with
.Va r_action ,
.Va r_num ,
.Va anchor
and
.Va ruleset
using
.Va ticket
obtained through a preceding
.Dv DIOCGETADDRS
call.
.It Dv DIOCGETALTQS    Fa "struct pfioc_altq"
Returns
.Va ticket
for subsequent
.Dv DIOCGETALTQ
calls and
.Va nr
of queues in the active list.
.It Dv DIOCGETALTQ     Fa "struct pfioc_altq"
Returns
.Va altq
number
.Va nr
using
.Va ticket
obtained through a preceding
.Dv DIOCGETALTQS
call.
.It Dv DIOCGETQSTATS   Fa "struct pfioc_qstats"
Returns statistics on a queue.
.Bd -literal
struct pfioc_qstats {
        u_int32_t        ticket;
        u_int32_t        nr;
        void            *buf;
        int              nbytes;
        u_int8_t         scheduler;
};
.Ed
.Pp
A pointer to a buffer of statistics
.Va buf
of length
.Va nbytes
for the queue specified by
.Va nr .
.It Dv DIOCADDSTATE    Fa "struct pfioc_state"
Adds a state entry.
.It Dv DIOCGETSTATE    Fa "struct pfioc_state"
.Bd -literal
struct pfioc_state {
        u_int32_t        nr;
        struct pf_state  state;
};
.Ed
.Pp
Extracts the entry with the specified number from the state table.
.It Dv DIOCKILLSTATES  Fa "struct pfioc_state_kill"
Removes matching entries from the state table.
Returns the number of killed states in psk_af.
.Bd -literal
struct pfioc_state_kill {
        int                     psk_af;
        int                     psk_proto;
        struct pf_rule_addr     psk_src;
        struct pf_rule_addr     psk_dst;
        char                    psk_ifname[IFNAMSIZ];
};
.Ed
.It Dv DIOCCLRSTATES  Fa "struct pfioc_state_kill"
Clears all states.
It works like
.Dv DIOCKILLSTATES ,
but ignores the psk_af, psk_proto, psk_src and psk_dst fields of the
.Fa pfioc_state_kill
structure.
.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if"
.Bd -literal
struct pfioc_if {
        char             ifname[IFNAMSIZ];
};
.Ed
.Pp
Specifies the interface for which statistics are accumulated.
.It Dv DIOCGETSTATUS   Fa "struct pf_status"
.Bd -literal
struct pf_status {
        u_int64_t       counters[PFRES_MAX];
        u_int64_t       fcounters[FCNT_MAX];
        u_int64_t       scounters[SCNT_MAX];
        u_int64_t       pcounters[2][2][3];
        u_int64_t       bcounters[2][2];
        u_int32_t       running;
        u_int32_t       states;
        u_int32_t       src_nodes;
        u_int32_t       since;
        u_int32_t       debug;
        char            ifname[IFNAMSIZ];
};
.Ed
.Pp
Gets the internal packet filter statistics.
.It Dv DIOCCLRSTATUS
Clears the internal packet filter statistics.
.It Dv DIOCNATLOOK     Fa "struct pfioc_natlook"
Looks up a state table entry by source and destination addresses and ports.
.Bd -literal
struct pfioc_natlook {
        struct pf_addr   saddr;
        struct pf_addr   daddr;
        struct pf_addr   rsaddr;
        struct pf_addr   rdaddr;
        u_int16_t        sport;
        u_int16_t        dport;
        u_int16_t        rsport;
        u_int16_t        rdport;
        sa_family_t      af;
        u_int8_t         proto;
        u_int8_t         direction;
};
.Ed
.It Dv DIOCSETDEBUG    Fa "u_int32_t"
Sets the debug level.
.Bd -literal
enum    { PF_DEBUG_NONE=0, PF_DEBUG_URGENT=1, PF_DEBUG_MISC=2 };
.Ed
.It Dv DIOCGETSTATES   Fa "struct pfioc_states"
.Bd -literal
struct pfioc_states {
        int     ps_len;
        union {
                caddr_t psu_buf;
                struct pf_state *psu_states;
        } ps_u;
#define ps_buf          ps_u.psu_buf
#define ps_states       ps_u.psu_states
};
.Ed
.It Dv DIOCCHANGERULE  Fa "struct pfioc_rule"
Adds or removes the
.Va rule
in the ruleset specified by
.Va rule.action .
.Bd -literal
enum    { PF_CHANGE_ADD_HEAD=1, PF_CHANGE_ADD_TAIL=2,
          PF_CHANGE_ADD_BEFORE=3, PF_CHANGE_ADD_AFTER=4,
          PF_CHANGE_REMOVE=5, PF_CHANGE_GET_TICKET=6 };
.Ed
.Pp
The type of operation to be performed is indicated by
.Va action .
.Pp
.Va ticket
must be set to the value obtained with PF_CHANGE_GET_TICKET
for all actions except PF_CHANGE_GET_TICKET.
.Va pool_ticket
must be set to the value obtained with the
.Dv DIOCBEGINADDRS
call for all actions except PF_CHANGE_REMOVE and PF_CHANGE_GET_TICKET.
.Pp
.Va anchor
and
.Va ruleset
indicate which anchor and ruleset the operation applies to.
.Va nr
indicates the rule number against which PF_CHANGE_ADD_BEFORE,
PF_CHANGE_ADD_AFTER or PF_CHANGE_REMOVE actions are applied.
.It Dv DIOCCHANGEADDR  Fa "struct pfioc_pooladdr"
Adds or removes a pool address
.Va addr
from a rule specified with
.Va r_action ,
.Va r_num ,
.Va anchor
and
.Va ruleset .
.It Dv DIOCSETTIMEOUT  Fa "struct pfioc_tm"
.Bd -literal
struct pfioc_tm {
        int              timeout;
        int              seconds;
};
.Ed
.It Dv DIOCGETTIMEOUT  Fa "struct pfioc_tm"
.It Dv DIOCCLRRULECTRS
Clear per-rule statistics.
.It Dv DIOCSETLIMIT   Fa "struct pfioc_limit"
Sets hard limits on the memory pools used by the packet filter.
.Bd -literal
struct pfioc_limit {
        int             index;
        unsigned        limit;
};
.Ed
.It Dv DIOCGETLIMIT   Fa "struct pfioc_limit"
.It Dv DIOCRCLRTABLES Fa "struct pfioc_table"
Clear all tables.
All the IOCTLs that manipulate radix tables
use the same structure described below.
For
.Dv DIOCRCLRTABLES, pfrio_ndel contains on exit the number
of tables deleted.
.Bd -literal
struct pfioc_table {
        struct pfr_table         pfrio_table;
        void                    *pfrio_buffer;
        int                      pfrio_esize;
        int                      pfrio_size;
        int                      pfrio_size2;
        int                      pfrio_nadd;
        int                      pfrio_ndel;
        int                      pfrio_nchange;
        int                      pfrio_flags;
        int                      pfrio_ticket;
};
#define pfrio_exists    pfrio_nadd
#define pfrio_nzero     pfrio_nadd
#define pfrio_nmatch    pfrio_nadd
#define pfrio_naddr     pfrio_size2
#define pfrio_setflag   pfrio_size2
#define pfrio_clrflag   pfrio_nadd
.Ed
.It Dv DIOCRADDTABLES Fa "struct pfioc_table"
Creates one or more tables.
On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures.
On exit, pfrio_nadd contains the number of tables effectively created.
.Bd -literal
struct pfr_table {
        char                     pfrt_anchor[PF_ANCHOR_NAME_SIZE];
        char                     pfrt_ruleset[PF_RULESET_NAME_SIZE];
        char                     pfrt_name[PF_TABLE_NAME_SIZE];
        u_int32_t                pfrt_flags;
        u_int8_t                 pfrt_fback;
};
.Ed
.It Dv DIOCRDELTABLES Fa "struct pfioc_table"
Deletes one or more tables.
On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures.
On exit, pfrio_nadd contains the number of tables effectively deleted.
.It Dv DIOCRGETTABLES Fa "struct pfioc_table"
Get the list of all tables.
On entry, pfrio_buffer[pfrio_size] contains a valid writeable buffer for
pfr_table structures.
On exit, pfrio_size contains the number of tables written into the buffer.
If the buffer is too small, the kernel does not store anything but just
returns the required buffer size, without error.
.It Dv DIOCRGETTSTATS Fa "struct pfioc_table"
Like
.Dv DIOCRGETTABLES ,
but returns an array of pfr_tstats structures.
.Bd -literal
struct pfr_tstats {
        struct pfr_table pfrts_t;
        u_int64_t        pfrts_packets
                             [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
        u_int64_t        pfrts_bytes
                             [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
        u_int64_t        pfrts_match;
        u_int64_t        pfrts_nomatch;
        long             pfrts_tzero;
        int              pfrts_cnt;
        int              pfrts_refcnt[PFR_REFCNT_MAX];
};
#define pfrts_name      pfrts_t.pfrt_name
#define pfrts_flags     pfrts_t.pfrt_flags
.Ed
.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table"
Clears the statistics of one or more tables.
On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures.
On exit, pfrio_nzero contains the number of tables effectively cleared.
.It Dv DIOCRCLRADDRS Fa "struct pfioc_table"
Clear all addresses in a table.
On entry, pfrio_table contains the table to clear.
On exit, pfrio_ndel contains the number of addresses removed.
.It Dv DIOCRADDADDRS Fa "struct pfioc_table"
Add one or more addresses to a table.
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
contains the list of pfr_addr structures to add.
On exit, pfrio_nadd contains the number of addresses effectively added.
.Bd -literal
struct pfr_addr {
        union {
                struct in_addr   _pfra_ip4addr;
                struct in6_addr  _pfra_ip6addr;
        }                pfra_u;
        u_int8_t         pfra_af;
        u_int8_t         pfra_net;
        u_int8_t         pfra_not;
        u_int8_t         pfra_fback;
};
#define pfra_ip4addr    pfra_u._pfra_ip4addr
#define pfra_ip6addr    pfra_u._pfra_ip6addr
.Ed
.It Dv DIOCRDELADDRS Fa "struct pfioc_table"
Delete one or more addresses from a table.
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
contains the list of pfr_addr structures to delete.
On exit, pfrio_ndel contains the number of addresses effectively deleted.
.It Dv DIOCRSETADDRS Fa "struct pfioc_table"
Replace the content of a table by a new address list.
This is the most complicated command, which uses all the structure members.
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
contains the new list of pfr_addr structures.
In addition to that, if size2 is nonzero, pfrio_buffer[pfrio_size..pfrio_size2]
must be a writeable buffer, into which the kernel can copy the addresses that
have been deleted during the replace operation.
On exit, pfrio_ndel, pfrio_nadd and pfrio_nchange contain the number of
addresses deleted, added and changed by the kernel.
If pfrio_size2 was set on
entry, pfrio_size2 will point to the size of the buffer used, exactly like
.Dv DIOCRGETADDRS .
.It Dv DIOCRGETADDRS Fa "struct pfioc_table"
Get all the addresses of a table.
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
contains a valid writeable buffer for pfr_addr structures.
On exit, pfrio_size contains the number of addresses written into the buffer.
If the buffer was too small, the kernel does not store anything but just
return the required buffer size, without returning an error.
.It Dv DIOCRGETASTATS Fa "struct pfioc_table"
Like
.Dv DIOCRGETADDRS ,
but returns an array of pfr_astats structures.
.Bd -literal
struct pfr_astats {
        struct pfr_addr  pfras_a;
        u_int64_t        pfras_packets
                             [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
        u_int64_t        pfras_bytes
                             [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
        long             pfras_tzero;
};
.Ed
.It Dv DIOCRCLRASTATS Fa "struct pfioc_table"
Clears the statistics of one or more addresses.
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
contains a table of pfr_addr structures to clear.
On exit, pfrio_nzero contains the number of addresses effectively cleared.
.It Dv DIOCRTSTADDRS Fa "struct pfioc_table"
Test if the given addresses match a table.
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
contains a table of pfr_addr structures to test.
On exit, the kernel updates the pfr_addr table by setting the pfra_fback
member appropriately.
.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table"
Change the
.Va const
or
.Va persist
flag of a table.
On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures,
and pfrio_setflag contains the flags to add, while pfrio_clrflag contains the
flags to remove.
On exit, pfrio_nchange and pfrio_ndel contain the number of tables altered
or deleted by the kernel.
Yes, tables can be deleted if one removes the
.Va persist
flag of an unreferenced table.
.It Dv DIOCRINADEFINE Fa "struct pfioc_table"
Defines a table in the inactive set.
On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
contains the list of pfr_addr structures to put in the table.
A valid ticket must also be supplied to pfrio_ticket.
On exit, pfrio_nadd contains 0 if the table was already defined in the
inactive list, or 1 if a new table has been created.
pfrio_naddr contains the number of addresses effectively put in the table.
.It Dv DIOCXBEGIN Fa "struct pfioc_trans"
.Bd -literal
#define PF_RULESET_ALTQ         (PF_RULESET_MAX)
#define PF_RULESET_TABLE        (PF_RULESET_MAX+1)
struct pfioc_trans {
        int              size;  /* number of elements */
        int              esize; /* size of each element in bytes */
        struct pfioc_trans_e {
                int             rs_num;
                char            anchor[PF_ANCHOR_NAME_SIZE];
                char            ruleset[PF_RULESET_NAME_SIZE];
                u_int32_t       ticket;
        }               *array;
};
.Ed
.Pp
Clears all the inactive rulesets specified in the
.Fa "struct pfioc_trans_e"
array.
For each ruleset, a ticket is returned for subsequent "add rule" IOCTLs,
as well as for the
.Dv DIOCXCOMMIT
and
.Dv DIOCXROLLBACK
calls.
.It Dv DIOCXCOMMIT Fa "struct pfioc_trans"
Atomically switch a vector of inactive rulesets to the active rulesets.
Implemented as a standard 2-phase commit, which will either fail for all
rulesets or completely succeed.
All tickets need to be valid.
Returns
.Er EBUSY
if a concurrent process is trying to update some of the same rulesets
concurrently.
.It Dv DIOCXROLLBACK Fa "struct pfioc_trans"
Clean up the kernel by undoing all changes that have taken place on the
inactive rulesets since the last
.Dv DIOCXBEGIN .
.Dv DIOCXROLLBACK
will silently ignore rulesets for which the ticket is invalid.
.It Dv DIOCFPFLUSH
Flush the passive OS fingerprint table.
.It Dv DIOCFPADD Fa "struct pf_osfp_ioctl"
.Bd -literal
struct pf_osfp_ioctl {
        struct pf_osfp_entry {
                SLIST_ENTRY(pf_osfp_entry) fp_entry;
                pf_osfp_t               fp_os;
                char                    fp_class_nm[PF_OSFP_LEN];
                char                    fp_version_nm[PF_OSFP_LEN];
                char                    fp_subtype_nm[PF_OSFP_LEN];
        }                       fp_os;
        u_int16_t               fp_mss;
        u_int16_t               fp_wsize;
        u_int16_t               fp_psize;
        u_int8_t                fp_ttl;
        u_int8_t                fp_wscale;
        u_int8_t                fp_flags;
        int                     fp_getnum;
};
.Ed
.Pp
Add a passive OS fingerprint to the table.
Set
.Va fp_os.fp_os
to the packed fingerprint,
.Va fp_os.fp_class_nm
to the name of the class (Linux, Windows, etc),
.Va fp_os.fp_version_nm
to the name of the version (NT, 95, 98), and
.Va fp_os.fp_subtype_nm
to the name of the subtype or patchlevel.
The members
.Va fp_mss ,
.Va fp_wsize ,
.Va fp_psize ,
.Va fp_ttl ,
and
.Va fp_wscale
are set to the TCP MSS, the TCP window size, the IP length and the IP TTL of
the TCP SYN packet respectively.
The
.Va fp_flags
member is filled according to the
.In net/pf/pfvar.h
include file PF_OSFP_* defines.
The
.Va fp_getnum
is not used with this ioctl.
.Pp
The structure's slack space must be zeroed for correct operation; memset
the whole structure to zero before filling and sending to the kernel.
.It Dv DIOCFPGET Fa "struct pf_osfp_ioctl"
.Bd -literal
struct pf_osfp_ioctl {
        struct pf_osfp_entry {
                SLIST_ENTRY(pf_osfp_entry) fp_entry;
                pf_osfp_t               fp_os;
                char                    fp_class_nm[PF_OSFP_LEN];
                char                    fp_version_nm[PF_OSFP_LEN];
                char                    fp_subtype_nm[PF_OSFP_LEN];
        }                       fp_os;
        u_int16_t               fp_mss;
        u_int16_t               fp_wsize;
        u_int16_t               fp_psize;
        u_int8_t                fp_ttl;
        u_int8_t                fp_wscale;
        u_int8_t                fp_flags;
        int                     fp_getnum;
};
.Ed
.Pp
Get the passive OS fingerprint number
.Va fp_getnum
from the kernel's fingerprint list.
The rest of the structure members will come back filled.
Get the whole list by repeatedly incrementing the
.Va fp_getnum
number until the ioctl returns
.Er EBUSY .
.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes"
.Bd -literal
struct pfioc_src_nodes {
        int     psn_len;
        union {
                caddr_t          psu_buf;
                struct pf_src_node      *psu_src_nodes;
        } psn_u;
#define psn_buf         psn_u.psu_buf
#define psn_src_nodes   psn_u.psu_src_nodes
};
.Ed
.Pp
Get the list of source nodes kept by the
.Ar sticky-address
and
.Ar source-track
options.
The ioctl must be called once with
.Va psn_len
set to 0.
If the ioctl returns without error,
.Va psn_len
will be set to the size of the buffer required to hold all the
.Va pf_src_node
structures held in the table.
A buffer of this size should then be allocated, and a pointer to this buffer
placed in
.Va psn_buf .
The ioctl must then be called again to fill this buffer with the actual
source node data.
After the ioctl call
.Va psn_len
will be set to the length of the buffer actually used.
.It Dv DIOCCLRSRCNODES Fa "struct pfioc_table"
Clear the tree of source tracking nodes.
.It Dv DIOCIGETIFACES Fa "struct pfioc_iface"
Gets the list of interfaces and interface drivers known to
.Nm .
All the IOCTLs that manipulate interfaces
use the same structure described below:
.Bd -literal
struct pfioc_iface {
        char                     pfiio_name[IFNAMSIZ];
        void                    *pfiio_buffer;
        int                      pfiio_esize;
        int                      pfiio_size;
        int                      pfiio_nzero;
        int                      pfiio_flags;
};

#define PFI_FLAG_GROUP     0x0001  /* gets groups of interfaces */
#define PFI_FLAG_INSTANCE  0x0002  /* gets single interfaces */
#define PFI_FLAG_ALLMASK   0x0003
.Ed
.Pp
If not empty,
.Va pfiio_name
can be used to restrict the search to a specific interface or driver.
.Va pfiio_buffer[pfiio_size]
is the user-supplied buffer for returning the data.
On entry,
.Va pfiio_size
represents the number of
.Va pfi_if
entries that can fit into the buffer.
The kernel will replace this value by the real number of entries it wants
to return.
.Va pfiio_esize
should be set to sizeof(struct pfi_if).
.Va pfiio_flags
should be set to
.Dv PFI_FLAG_GROUP , PFI_FLAG_INSTANCE ,
or both to tell the kernel to return a group of interfaces
(drivers, like "fxp"), real interface instances (like "fxp1") or both.
The data is returned in the
.Va pfi_if
structure described below:
.Bd -literal
struct pfi_if {
        char                             pfif_name[IFNAMSIZ];
        u_int64_t                        pfif_packets[2][2][2];
        u_int64_t                        pfif_bytes[2][2][2];
        u_int64_t                        pfif_addcnt;
        u_int64_t                        pfif_delcnt;
        long                             pfif_tzero;
        int                              pfif_states;
        int                              pfif_rules;
        int                              pfif_flags;
};

#define PFI_IFLAG_GROUP         0x0001  /* group of interfaces */
#define PFI_IFLAG_INSTANCE      0x0002  /* single instance */
#define PFI_IFLAG_CLONABLE      0x0010  /* clonable group */
#define PFI_IFLAG_DYNAMIC       0x0020  /* dynamic group */
#define PFI_IFLAG_ATTACHED      0x0040  /* interface attached */
#define PFI_IFLAG_REFERENCED    0x0080  /* referenced by rules */
.Ed
.It Dv DIOCICLRISTATS Fa "struct pfioc_iface"
Clear the statistics counters of one or more interfaces.
.Va pfiio_name
and
.Va pfrio_flags
can be used to select which interfaces need to be cleared.
The filtering process is the same as for
.Dv DIOCIGETIFACES .
.Va pfiio_nzero
will be set by the kernel to the number of interfaces and drivers
that have been cleared.
.El
.Sh EXAMPLES
The following example demonstrates how to use the
.Dv DIOCNATLOOK
command to find the internal host/port of a NATed connection.
.Bd -literal
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/fcntl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <net/pfvar.h>
#include <err.h>
#include <stdio.h>
#include <stdlib.h>

u_int32_t
read_address(const char *s)
{
        int a, b, c, d;

        sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
        return htonl(a << 24 | b << 16 | c << 8 | d);
}

void
print_address(u_int32_t a)
{
        a = ntohl(a);
        printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
            a >> 8 & 255, a & 255);
}

int
main(int argc, char *argv[])
{
        struct pfioc_natlook nl;
        int dev;

        if (argc != 5) {
                printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n",
                    argv[0]);
                return 1;
        }

        dev = open("/dev/pf", O_RDWR);
        if (dev == -1)
                err(1, "open(\\"/dev/pf\\") failed");

        memset(&nl, 0, sizeof(struct pfioc_natlook));
        nl.saddr.v4.s_addr      = read_address(argv[1]);
        nl.sport                = htons(atoi(argv[2]));
        nl.daddr.v4.s_addr      = read_address(argv[3]);
        nl.dport                = htons(atoi(argv[4]));
        nl.af                   = AF_INET;
        nl.proto                = IPPROTO_TCP;
        nl.direction            = PF_IN;

        if (ioctl(dev, DIOCNATLOOK, &nl))
                err(1, "DIOCNATLOOK");

        printf("internal host ");
        print_address(nl.rsaddr.v4.s_addr);
        printf(":%u\\n", ntohs(nl.rsport));
        return 0;
}
.Ed
.Sh SEE ALSO
.Xr ioctl 2 ,
.Xr bridge 4 ,
.Xr pflog 4 ,
.Xr pfsync 4 ,
.Xr pfctl 8
.Sh HISTORY
The
.Nm
packet filtering mechanism first appeared in
.Ox 3.0
and was imported into
.Dx 1.1
by Devon H. O'Dell and Simon Schubert.