path: root/contrib/pf/pflogd/pflogd.8
author mlaier <mlaier@FreeBSD.org> 2007-07-03 12:30:03 +0000
committer mlaier <mlaier@FreeBSD.org> 2007-07-03 12:30:03 +0000
commit edb0b6417988e1d0a2c39481b4ca6c7c2005ed9e (patch)
tree c0024fcd4a5dafb6f9b2cf493310b65dbd5df8e6 /contrib/pf/pflogd/pflogd.8
parent d1f1f8d084d2091974a8e980ff26076ab5252319 (diff)
Commit resolved import of OpenBSD 4.1 pf userland from perforce.
Approved by: re (kensmith)
Diffstat (limited to 'contrib/pf/pflogd/pflogd.8')
-rw-r--r-- contrib/pf/pflogd/pflogd.8 44
1 files changed, 35 insertions, 9 deletions
diff --git a/contrib/pf/pflogd/pflogd.8 b/contrib/pf/pflogd/pflogd.8
index 0eef77b..22643fc 100644
--- a/contrib/pf/pflogd/pflogd.8
+++ b/contrib/pf/pflogd/pflogd.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pflogd.8,v 1.25 2005/01/02 18:15:02 jmc Exp $
+.\" $OpenBSD: pflogd.8,v 1.32 2006/12/08 10:26:38 joel Exp $
.\"
.\" Copyright (c) 2001 Can Erkin Acar. All rights reserved.
.\"
@@ -37,14 +37,17 @@
.Op Fl Dx
.Op Fl d Ar delay
.Op Fl f Ar filename
+.Op Fl i Ar interface
.Op Fl s Ar snaplen
.Op Ar expression
.Sh DESCRIPTION
.Nm
is a background daemon which reads packets logged by
.Xr pf 4
-to the packet logging interface
-.Pa pflog0
+to a
+.Xr pflog 4
+interface, normally
+.Pa pflog0 ,
and writes the packets to a logfile (normally
.Pa /var/log/pflog )
in
@@ -83,7 +86,9 @@ temporarily uses the old snaplen to keep the log file consistent.
tries to preserve the integrity of the log file against I/O errors.
Furthermore, integrity of an existing log file is verified before
appending.
-If there is an invalid log file or an I/O error, logging is suspended until a
+If there is an invalid log file or an I/O error, the log file is moved
+out of the way and a new one is created.
+If a new file cannot be created, logging is suspended until a
.Dv SIGHUP
or a
.Dv SIGALRM
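Review bot: The new sentence "the log file is moved out of the way and a new one is created" does not say where the old file ends up or what it is named, so someone who finds a fresh /var/log/pflog after an I/O error has no documented place to look for the earlier packets. Suggest stating the destination or naming pattern of the moved file here, since that file may be the only record of what was logged up to the failure.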
@@ -103,11 +108,19 @@ If not specified, the default is 60 seconds.
Log output filename.
Default is
.Pa /var/log/pflog .
+.It Fl i Ar interface
+Specifies the
+.Xr pflog 4
+interface to use.
+By default,
+.Nm
+will use
+.Ar pflog0 .
.It Fl s Ar snaplen
Analyze at most the first
.Ar snaplen
-bytes of data from each packet rather than the default of 96.
-The default of 96 is adequate for IP, ICMP, TCP, and UDP headers but may
+bytes of data from each packet rather than the default of 116.
+The default of 116 is adequate for IP, ICMP, TCP, and UDP headers but may
truncate protocol information for other protocols.
Other file parsers may desire a higher snaplen.
.It Fl x
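Review bot: In the new -i entry the default is written as ".Ar pflog0", while the DESCRIPTION text changed by this same patch uses ".Pa pflog0 ," for the same interface name; .Ar marks it as a placeholder argument rather than a literal name. Suggest using the same macro in both places. Separately, the snaplen default moves from 96 to 116 but the following sentence is otherwise unchanged, so the page gives no reason for the new value; one clause on what the extra bytes cover would help anyone who sets -s by hand.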
@@ -131,6 +144,13 @@ Log specific tcp packets to a different log file with a large snaplen
# pflogd -s 1600 -f suspicious.log port 80 and host evilhost
.Ed
.Pp
+Log from another
+.Xr pflog 4
+interface, excluding specific packets:
+.Bd -literal -offset indent
+# pflogd -i pflog3 -f network3.log "not (tcp and port 23)"
+.Ed
+.Pp
Display binary logs:
.Bd -literal -offset indent
# tcpdump -n -e -ttt -r /var/log/pflog
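Review bot: The added example reads from pflog3 but nothing in the page says how that interface comes to exist or how pf is told to log to it, so a reader copying "pflogd -i pflog3 -f network3.log" may get an empty file and no hint why. Suggest a short pointer next to the example to the page that covers this, for instance the pflog(4) reference already used in the lead-in. It would also be worth saying that packets excluded by the expression are not written by this instance at all, since the filter here drops tcp port 23 from the record.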
@@ -150,7 +170,7 @@ Tcpdump can restrict the output
to packets logged on a specified interface, a rule number, a reason,
a direction, an IP family or an action.
.Pp
-.Bl -tag -width "reason match " -compact
+.Bl -tag -width "ruleset authpf " -compact
.It ip
Address family equals IPv4.
.It ip6
@@ -159,12 +179,16 @@ Address family equals IPv6.
Interface name equals "kue0".
.It on kue0
Interface name equals "kue0".
+.It ruleset authpf
+Ruleset name equals "authpf".
.It rulenum 10
Rule number equals 10.
.It reason match
Reason equals match.
Also accepts "bad-offset", "fragment", "bad-timestamp", "short",
-"normalize" and "memory".
+"normalize", "memory", "congestion", "ip-option", "proto-cksum",
+"state-mismatch", "state-insert", "state-limit", "src-limit",
+and "synproxy".
.It action pass
Action equals pass.
Also accepts "block".
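Review bot: Under "reason match" the accepted values are now a long run of quoted names in one sentence ("normalize", "memory", "congestion", ... "and "synproxy""), which is hard to scan and easy to let drift when reasons are added. Suggest a nested compact list, one value per item, and a note on where the authoritative list of reason names lives. The new "ruleset authpf" item itself fits the existing pattern of the neighbouring entries.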
@@ -192,4 +216,6 @@ The
command appeared in
.Ox 3.0 .
.Sh AUTHORS
-Can Erkin Acar
+.Nm
+was written by
+.An Can Erkin Acar Aq canacar@openbsd.org .