diff options
Diffstat (limited to 'contrib/pf/man/pf.4')
-rw-r--r-- | contrib/pf/man/pf.4 | 703 |
1 files changed, 703 insertions, 0 deletions
diff --git a/contrib/pf/man/pf.4 b/contrib/pf/man/pf.4 new file mode 100644 index 0000000..f01dcb3 --- /dev/null +++ b/contrib/pf/man/pf.4 @@ -0,0 +1,703 @@ +.\" $OpenBSD: pf.4,v 1.37 2003/08/28 09:41:22 jmc Exp $ +.\" +.\" Copyright (C) 2001, Kjell Wooding. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of the project nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd June 24, 2001 +.Dt PF 4 +.Os +.Sh NAME +.Nm pf +.Nd packet filter +.Sh SYNOPSIS +.Cd "pseudo-device pf 1" +.Sh DESCRIPTION +Packet filtering takes place in the kernel. +A pseudo-device, +.Pa /dev/pf , +allows userland processes to control the +behavior of the packet filter through an +.Xr ioctl 2 +interface. +There are commands to enable and disable the filter, load rulesets, +add and remove individual rules or state table entries, +and retrieve statistics. +The most commonly used functions are covered by +.Xr pfctl 8 . +.Pp +Manipulations like loading a ruleset that involve more than a single +ioctl call require a so-called ticket, which prevents the occurrence of +multiple concurrent manipulations. +.Pp +Fields of ioctl parameter structures that refer to packet data (like +addresses and ports) are generally expected in network byte-order. +.Sh FILES +.Bl -tag -width /dev/pf -compact +.It Pa /dev/pf +packet filtering device. +.El +.Sh IOCTL INTERFACE +pf supports the following +.Xr ioctl 2 +commands: +.Bl -tag -width xxxxxx +.It Dv DIOCSTART +Starts the packet filter. +.It Dv DIOCSTOP +Stops the packet filter. +.It Dv DIOCSTARTALTQ +Starts the ALTQ bandwidth control system. +.It Dv DIOCSTOPALTQ +Stops the ALTQ bandwidth control system. +.It Dv DIOCBEGINADDRS Fa "u_int32_t" +Clears the buffer address pool +and returns a ticket for subsequent DIOCADDADDR, DIOCADDRULE and +DIOCCHANGERULE calls. +.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr" +.Bd -literal +struct pfioc_pooladdr { + u_int32_t action; + u_int32_t ticket; + u_int32_t nr; + u_int32_t r_num; + u_int8_t r_action; + u_int8_t r_last; + u_int8_t af; + char anchor[PF_ANCHOR_NAME_SIZE]; + char ruleset[PF_RULESET_NAME_SIZE]; + struct pf_pooladdr addr; +}; +.Ed +.Pp +Adds pool address +.Va addr +to the buffer address pool to be used in the following +DIOCADDRULE or DIOCCHANGERULE call. +All other members of the structure are ignored. +.It Dv DIOCBEGINRULES Fa "u_int32_t" +Clears the inactive ruleset for the type of rule indicated by +.Va rule.action +and returns a ticket for subsequent +DIOCADDRULE and DIOCCOMMITRULES calls. +.It Dv DIOCADDRULE Fa "struct pfioc_rule" +.Bd -literal +struct pfioc_rule { + u_int32_t action; + u_int32_t ticket; + u_int32_t pool_ticket; + u_int32_t nr; + char anchor[PF_ANCHOR_NAME_SIZE]; + char ruleset[PF_RULESET_NAME_SIZE]; + struct pf_rule rule; +}; +.Ed +.Pp +Adds +.Va rule +at the end of the inactive ruleset. +Requires +.Va ticket +obtained through preceding DIOCBEGINRULES call, and +.Va pool_ticket +obtained through DIOCBEGINADDRS call. +DIOCADDADDR must also be called if any pool addresses are required. +The optional +.Va anchor +and +.Va ruleset +names indicate the anchor and ruleset in which to append the rule. +.Va nr +and +.Va action +are ignored. +.It Dv DIOCCOMMITRULES Fa "u_int32_t" +Switch inactive to active filter ruleset. +Requires +.Va ticket . +.It Dv DIOCBEGINALTQS Fa "u_int32_t" +Clears the inactive list of queues and returns a ticket for subsequent +DIOCADDALTQ and DIOCCOMMITALTQS calls. +.It Dv DIOCADDALTQ Fa "struct pfioc_altq" +Adds +.Bd -literal +struct pfioc_altq { + u_int32_t ticket; + u_int32_t nr; + struct pf_altq altq; +}; +.Ed +.It Dv DIOCCOMMITALTQS Fa "u_int32_t" +Switch inactive to active list of queues. +Requires +.Va ticket . +.It Dv DIOCGETRULES Fa "struct pfioc_rule" +Returns +.Va ticket +for subsequent DIOCGETRULE calls and +.Va nr +of rules in the active ruleset. +.It Dv DIOCGETRULE Fa "struct pfioc_rule" +Returns +.Va rule +number +.Va nr +using +.Va ticket +obtained through a preceding DIOCGETRULES call. +.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr" +Returns +.Va ticket +for subsequent DIOCGETADDR calls and +.Va nr +of pool addresses in the rule specified with +.Va r_action , +.Va r_num , +.Va anchor +and +.Va ruleset . +.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr" +Returns pool address +.Va addr +number +.Va nr +from the rule specified with +.Va r_action , +.Va r_num , +.Va anchor +and +.Va ruleset +using +.Va ticket +obtained through a preceding DIOCGETADDRS call. +.It Dv DIOCGETALTQS Fa "struct pfioc_altq" +Returns +.Va ticket +for subsequent DIOCGETALTQ calls and +.Va nr +of queues in the active list. +.It Dv DIOCGETALTQ Fa "struct pfioc_altq" +Returns +.Va altq +number +.Va nr +using +.Va ticket +obtained through a preceding DIOCGETALTQS call. +.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats" +Returns statistics on a queue. +.Bd -literal +struct pfioc_qstats { + u_int32_t ticket; + u_int32_t nr; + void *buf; + int nbytes; + u_int8_t scheduler; +}; +.Ed +.Pp +A pointer to a buffer of statistics +.Va buf +of length +.Va nbytes +for the queue specified by +.Va nr . +.It Dv DIOCCLRSTATES +Clears the state table. +.It Dv DIOCADDSTATE Fa "struct pfioc_state" +Adds a state entry. +.It Dv DIOCGETSTATE Fa "struct pfioc_state" +.Bd -literal +struct pfioc_state { + u_int32_t nr; + struct pf_state state; +}; +.Ed +.Pp +Extracts the entry with the specified number from the state table. +.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill" +Removes matching entries from the state table. +Returns the number of killed states in psk_af. +.Bd -literal +struct pfioc_state_kill { + int psk_af; + int psk_proto; + struct pf_rule_addr psk_src; + struct pf_rule_addr psk_dst; +}; +.Ed +.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if" +.Bd -literal +struct pfioc_if { + char ifname[IFNAMSIZ]; +}; +.Ed +.Pp +Specifies the interface for which statistics are accumulated. +.It Dv DIOCGETSTATUS Fa "struct pf_status" +.Bd -literal +struct pf_status { + u_int64_t counters[PFRES_MAX]; + u_int64_t fcounters[FCNT_MAX]; + u_int64_t pcounters[2][2][3]; + u_int64_t bcounters[2][2]; + u_int32_t running; + u_int32_t states; + u_int32_t since; + u_int32_t debug; +}; +.Ed +.Pp +Gets the internal packet filter statistics. +.It Dv DIOCCLRSTATUS +Clears the internal packet filter statistics. +.It Dv DIOCNATLOOK Fa "struct pfioc_natlook" +Looks up a state table entry by source and destination addresses and ports. +.Bd -literal +struct pfioc_natlook { + struct pf_addr saddr; + struct pf_addr daddr; + struct pf_addr rsaddr; + struct pf_addr rdaddr; + u_int16_t sport; + u_int16_t dport; + u_int16_t rsport; + u_int16_t rdport; + u_int8_t af; + u_int8_t proto; + u_int8_t direction; +}; +.Ed +.It Dv DIOCSETDEBUG Fa "u_int32_t" +Sets the debug level. +.Bd -literal +enum { PF_DEBUG_NONE=0, PF_DEBUG_URGENT=1, PF_DEBUG_MISC=2 }; +.Ed +.It Dv DIOCGETSTATES Fa "struct pfioc_states" +.Bd -literal +struct pfioc_states { + int ps_len; + union { + caddr_t psu_buf; + struct pf_state *psu_states; + } ps_u; +#define ps_buf ps_u.psu_buf +#define ps_states ps_u.psu_states +}; +.Ed +.It Dv DIOCCHANGERULE Fa "struct pfioc_rule" +Adds or removes the +.Va rule +in the ruleset specified by +.Va rule.action . +.Bd -literal +enum { PF_CHANGE_ADD_HEAD=1, PF_CHANGE_ADD_TAIL=2, + PF_CHANGE_ADD_BEFORE=3, PF_CHANGE_ADD_AFTER=4, + PF_CHANGE_REMOVE=5, PF_CHANGE_GET_TICKET=6 }; +.Ed +.Pp +The type of operation to be performed is indicated by +.Va action . +.Pp +.Va ticket +must be set to the value obtained with PF_CHANGE_GET_TICKET +for all actions except PF_CHANGE_GET_TICKET. +.Va pool_ticket +must be set to the value obtained with the DIOCBEGINADDRS call +for all actions except PF_CHANGE_REMOVE and PF_CHANGE_GET_TICKET. +.Pp +.Va anchor +and +.Va ruleset +indicate which anchor and ruleset the operation applies to. +.Va nr +indicates the rule number against which PF_CHANGE_ADD_BEFORE, +PF_CHANGE_ADD_AFTER or PF_CHANGE_REMOVE actions are applied. +.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr" +Adds or removes a pool address +.Va addr +from a rule specified with +.Va r_action , +.Va r_num , +.Va anchor +and +.Va ruleset . +.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm" +.Bd -literal +struct pfioc_tm { + int timeout; + int seconds; +}; +.Ed +.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm" +.It Dv DIOCCLRRULECTRS +Clear per-rule statistics. +.It Dv DIOCSETLIMIT Fa "struct pfioc_limit" +Sets hard limits on the memory pools used by the packet filter. +.Bd -literal +struct pfioc_limit { + int index; + unsigned limit; +}; +.Ed +.It Dv DIOCGETLIMIT Fa "struct pfioc_limit" +.It Dv DIOCRCLRTABLES Fa "struct pfioc_table" +Clear all tables. +All the IOCTLs that manipulate radix tables +use the same structure described below. +For +.Dv DIOCRCLRTABLES, pfrio_ndel contains on exit the number +of tables deleted. +.Bd -literal +struct pfioc_table { + struct pfr_table pfrio_table; + void *pfrio_buffer; + int pfrio_esize; + int pfrio_size; + int pfrio_size2; + int pfrio_nadd; + int pfrio_ndel; + int pfrio_nchange; + int pfrio_flags; + int pfrio_ticket; +}; +#define pfrio_exists pfrio_nadd +#define pfrio_nzero pfrio_nadd +#define pfrio_nmatch pfrio_nadd +#define pfrio_naddr pfrio_size2 +#define pfrio_setflag pfrio_size2 +#define pfrio_clrflag pfrio_nadd +.Ed +.It Dv DIOCRADDTABLES Fa "struct pfioc_table" +Creates one or more tables. +On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures. +On exit, pfrio_nadd contains the number of tables effectively created. +.Bd -literal +struct pfr_table { + char pfrt_anchor[PF_ANCHOR_NAME_SIZE]; + char pfrt_ruleset[PF_RULESET_NAME_SIZE]; + char pfrt_name[PF_TABLE_NAME_SIZE]; + u_int32_t pfrt_flags; + u_int8_t pfrt_fback; +}; +.Ed +.It Dv DIOCRDELTABLES Fa "struct pfioc_table" +Deletes one or more tables. +On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures. +On exit, pfrio_nadd contains the number of tables effectively deleted. +.It Dv DIOCRGETTABLES Fa "struct pfioc_table" +Get the list of all tables. +On entry, pfrio_buffer[pfrio_size] contains a valid writeable buffer for +pfr_table structures. +On exit, pfrio_size contains the number of tables written into the buffer. +If the buffer is too small, the kernel does not store anything but just +returns the required buffer size, without error. +.It Dv DIOCRGETTSTATS Fa "struct pfioc_table" +Like +.Dv DIOCRGETTABLES , +but returns an array of pfr_tstats structures. +.Bd -literal +struct pfr_tstats { + struct pfr_table pfrts_t; + u_int64_t pfrts_packets + [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; + u_int64_t pfrts_bytes + [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; + u_int64_t pfrts_match; + u_int64_t pfrts_nomatch; + long pfrts_tzero; + int pfrts_cnt; + int pfrts_refcnt[PFR_REFCNT_MAX]; +}; +#define pfrts_name pfrts_t.pfrt_name +#define pfrts_flags pfrts_t.pfrt_flags +.Ed +.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table" +Clears the statistics of one or more tables. +On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures. +On exit, pfrio_nzero contains the number of tables effectively cleared. +.It Dv DIOCRCLRADDRS Fa "struct pfioc_table" +Clear all addresses in a table. +On entry, pfrio_table contains the table to clear. +On exit, pfrio_ndel contains the number of addresses removed. +.It Dv DIOCRADDADDRS Fa "struct pfioc_table" +Add one or more addresses to a table. +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] +contains the list of pfr_addr structures to add. +On exit, pfrio_nadd contains the number of addresses effectively added. +.Bd -literal +struct pfr_addr { + union { + struct in_addr _pfra_ip4addr; + struct in6_addr _pfra_ip6addr; + } pfra_u; + u_int8_t pfra_af; + u_int8_t pfra_net; + u_int8_t pfra_not; + u_int8_t pfra_fback; +}; +#define pfra_ip4addr pfra_u._pfra_ip4addr +#define pfra_ip6addr pfra_u._pfra_ip6addr +.Ed +.It Dv DIOCRDELADDRS Fa "struct pfioc_table" +Delete one or more addresses from a table. +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] +contains the list of pfr_addr structures to delete. +On exit, pfrio_ndel contains the number of addresses effectively deleted. +.It Dv DIOCRSETADDRS Fa "struct pfioc_table" +Replace the content of a table by a new address list. +This is the most complicated command, which uses all the structure members. +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] +contains the new list of pfr_addr structures. +In addition to that, if size2 is nonzero, pfrio_buffer[pfrio_size..pfrio_size2] +must be a writeable buffer, into which the kernel can copy the addresses that +have been deleted during the replace operation. +On exit, pfrio_ndel, pfrio_nadd and pfrio_nchange contain the number of +addresses deleted, added and changed by the kernel. +If pfrio_size2 was set on +entry, pfrio_size2 will point to the size of the buffer used, exactly like +.Dv DIOCRGETADDRS . +.It Dv DIOCRGETADDRS Fa "struct pfioc_table" +Get all the addresses of a table. +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] +contains a valid writeable buffer for pfr_addr structures. +On exit, pfrio_size contains the number of addresses written into the buffer. +If the buffer was too small, the kernel does not store anything but just +return the required buffer size, without returning an error. +.It Dv DIOCRGETASTATS Fa "struct pfioc_table" +Like +.Dv DIOCRGETADDRS , +but returns an array of pfr_astats structures. +.Bd -literal +struct pfr_astats { + struct pfr_addr pfras_a; + u_int64_t pfras_packets + [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; + u_int64_t pfras_bytes + [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; + long pfras_tzero; +}; +.Ed +.It Dv DIOCRCLRASTATS Fa "struct pfioc_table" +Clears the statistics of one or more addresses. +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] +contains a table of pfr_addr structures to clear. +On exit, pfrio_nzero contains the number of addresses effectively cleared. +.It Dv DIOCRTSTADDRS Fa "struct pfioc_table" +Test if the given addresses match a table. +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] +contains a table of pfr_addr structures to test. +On exit, the kernel updates the pfr_addr table by setting the pfra_fback +member appropriately. +.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table" +Change the +.Va const +or +.Va persist +flag of a table. +On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures, +and pfrio_setflag contains the flags to add, while pfrio_clrflag contains the +flags to remove. +On exit, pfrio_nchange and pfrio_ndel contain the number of tables altered +or deleted by the kernel. +Yes, tables can be deleted if one removes the +.Va persist +flag of an unreferenced table. +.It Dv DIOCRINABEGIN Fa "struct pfioc_table" +Starts a transaction with the inactive set of tables. +Cleans up any leftover from a previously aborted transaction, and returns +a new ticket. +On exit, pfrio_ndel contains the number of leftover table deleted, and +pfrio_ticket contains a valid ticket to use for the following two IOCTLs. +.It Dv DIOCRINACOMMIT Fa "struct pfioc_table" +Commit the inactive set of tables into the active set. +While copying the addresses, do a best effort to keep statistics for +addresses present before and after the commit. +On entry, io->pfrio_ticket takes a valid ticket. +On exit, io->pfrio_nadd and io->pfrio_nchange contain the number of tables +added and altered by the commit operation. +.It Dv DIOCRINADEFINE Fa "struct pfioc_table" +Defines a table in the inactive set. +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] +contains the list of pfr_addr structures to put in the table. +A valid ticket must also be supplied to pfrio_ticket. +On exit, pfrio_nadd contains 0 if the table was already defined in the +inactive list, or 1 if a new table has been created. +pfrio_naddr contains the number of addresses effectively put in the table. +.It Dv DIOCFPFLUSH +Flush the passive OS fingerprint table. +.It Dv DIOCFPADD Fa "struct pf_osfp_ioctl" +.Bd -literal +struct pf_osfp_ioctl { + struct pf_osfp_entry { + SLIST_ENTRY(pf_osfp_entry) fp_entry; + pf_osfp_t fp_os; + char fp_class_nm[PF_OSFP_LEN]; + char fp_version_nm[PF_OSFP_LEN]; + char fp_subtype_nm[PF_OSFP_LEN]; + } fp_os; + u_int16_t fp_mss; + u_int16_t fp_wsize; + u_int16_t fp_psize; + u_int8_t fp_ttl; + u_int8_t fp_wscale; + u_int8_t fp_flags; + int fp_getnum; +}; +.Ed +.Pp +Add a passive OS fingerprint to the table. +Set +.Va fp_os.fp_os +to the packed fingerprint, +.Va fp_os.fp_class_nm +to the name of the class (Linux, Windows, etc), +.Va fp_os.fp_version_nm +to the name of the version (NT, 95, 98), and +.Va fp_os.fp_subtype_nm +to the name of the subtype or patchlevel. +The members +.Va fp_mss , +.Va fp_wsize , +.Va fp_psize , +.Va fp_ttl , +and +.Va fp_wscale +are set to the TCP MSS, the TCP window size, the IP length and the IP TTL of +the TCP SYN packet respectively. +The +.Va fp_flags +member is filled according to the net/pfvar.h include file PF_OSFP_* defines. +The +.Va fp_getnum +is not used with this ioctl. +.Pp +The structure's slack space must be zeroed for correct operation; memset +the whole structure to zero before filling and sending to the kernel. +.It Dv DIOCFPGET Fa "struct pf_osfp_ioctl" +.Bd -literal +struct pf_osfp_ioctl { + struct pf_osfp_entry { + SLIST_ENTRY(pf_osfp_entry) fp_entry; + pf_osfp_t fp_os; + char fp_class_nm[PF_OSFP_LEN]; + char fp_version_nm[PF_OSFP_LEN]; + char fp_subtype_nm[PF_OSFP_LEN]; + } fp_os; + u_int16_t fp_mss; + u_int16_t fp_wsize; + u_int16_t fp_psize; + u_int8_t fp_ttl; + u_int8_t fp_wscale; + u_int8_t fp_flags; + int fp_getnum; +}; +.Ed +.Pp +Get the passive OS fingerprint number +.Va fp_getnum +from the kernel's fingerprint list. +The rest of the structure members will come back filled. +Get the whole list by repeatedly incrementing the +.Va fp_getnum +number until the ioctl returns EBUSY. +.El +.Sh EXAMPLES +The following example demonstrates how to use the DIOCNATLOOK command +to find the internal host/port of a NATed connection. +.Bd -literal +#include <sys/types.h> +#include <sys/socket.h> +#include <sys/ioctl.h> +#include <sys/fcntl.h> +#include <net/if.h> +#include <netinet/in.h> +#include <net/pfvar.h> +#include <err.h> +#include <stdio.h> +#include <stdlib.h> + +u_int32_t +read_address(const char *s) +{ + int a, b, c, d; + + sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d); + return htonl(a << 24 | b << 16 | c << 8 | d); +} + +void +print_address(u_int32_t a) +{ + a = ntohl(a); + printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255, + a >> 8 & 255, a & 255); +} + +int +main(int argc, char *argv[]) +{ + struct pfioc_natlook nl; + int dev; + + if (argc != 5) { + printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\\n", + argv[0]); + return 1; + } + + dev = open("/dev/pf", O_RDWR); + if (dev == -1) + err(1, "open(\\"/dev/pf\\") failed"); + + memset(&nl, 0, sizeof(struct pfioc_natlook)); + nl.saddr.v4.s_addr = read_address(argv[1]); + nl.sport = htons(atoi(argv[2])); + nl.daddr.v4.s_addr = read_address(argv[3]); + nl.dport = htons(atoi(argv[4])); + nl.af = AF_INET; + nl.proto = IPPROTO_TCP; + nl.direction = PF_IN; + + if (ioctl(dev, DIOCNATLOOK, &nl)) + err(1, "DIOCNATLOOK"); + + printf("internal host "); + print_address(nl.rsaddr.v4.s_addr); + printf(":%u\\n", ntohs(nl.rsport)); + return 0; +} +.Ed +.Sh SEE ALSO +.Xr ioctl 2 , +.Xr bridge 4 , +.Xr pflog 4 , +.Xr pfsync 4 , +.Xr pfctl 8 +.Sh HISTORY +The +.Nm +packet filtering mechanism first appeared in +.Ox 3.0 . |