From 511d1c13c361b4534ed4c6f973fd891d95055cab Mon Sep 17 00:00:00 2001
From: mlaier <mlaier@FreeBSD.org>
Date: Tue, 3 May 2005 16:47:37 +0000
Subject: Import pf userland from OpenBSD 3.7 (OPENBSD_3_7 as of today)

---
 contrib/pf/man/pf.4      | 970 ++++++++++++++++++++++++++++++-----------------
 contrib/pf/man/pf.conf.5 | 372 ++++++++++++++----
 contrib/pf/man/pf.os.5   |   4 +-
 contrib/pf/man/pfsync.4  |  52 ++-
 4 files changed, 948 insertions(+), 450 deletions(-)

(limited to 'contrib/pf/man')

diff --git a/contrib/pf/man/pf.4 b/contrib/pf/man/pf.4
index df0ff6c..a394627 100644
--- a/contrib/pf/man/pf.4
+++ b/contrib/pf/man/pf.4
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.4,v 1.48 2004/03/27 17:15:30 henning Exp $
+.\"	$OpenBSD: pf.4,v 1.54 2004/12/22 17:17:55 dhartmei Exp $
 .\"
 .\" Copyright (C) 2001, Kjell Wooding.  All rights reserved.
 .\"
@@ -49,30 +49,47 @@ The most commonly used functions are covered by
 .Xr pfctl 8 .
 .Pp
 Manipulations like loading a ruleset that involve more than a single
-ioctl call require a so-called ticket, which prevents the occurrence of
+.Xr ioctl 2
+call require a so-called
+.Em ticket ,
+which prevents the occurrence of
 multiple concurrent manipulations.
 .Pp
-Fields of ioctl parameter structures that refer to packet data (like
+Fields of
+.Xr ioctl 2
+parameter structures that refer to packet data (like
 addresses and ports) are generally expected in network byte-order.
-.Sh FILES
-.Bl -tag -width /dev/pf -compact
-.It Pa /dev/pf
-packet filtering device.
-.El
+.Pp
+Rules and address tables are contained in so-called
+.Em anchors .
+When servicing an
+.Xr ioctl 2
+request, if the anchor field of the argument structure is empty,
+the kernel will use the default anchor (i.e., the main ruleset)
+in operations.
+Anchors are specified by name and may be nested, with components
+separated by
+.Sq /
+characters, similar to how file system hierarchies are laid out.
+The final component of the anchor path is the anchor under which
+operations will be performed.
 .Sh IOCTL INTERFACE
-pf supports the following
+.Nm
+supports the following
 .Xr ioctl 2
-commands:
+commands, available through
+.Aq Pa net/pfvar.h :
 .Bl -tag -width xxxxxx
 .It Dv DIOCSTART
-Starts the packet filter.
+Start the packet filter.
 .It Dv DIOCSTOP
-Stops the packet filter.
+Stop the packet filter.
 .It Dv DIOCSTARTALTQ
-Starts the ALTQ bandwidth control system.
+Start the ALTQ bandwidth control system (see
+.Xr altq 9 ) .
 .It Dv DIOCSTOPALTQ
-Stops the ALTQ bandwidth control system.
-.It Dv DIOCBEGINADDRS  Fa "struct pfioc_pooladdr"
+Stop the ALTQ bandwidth control system.
+.It Dv DIOCBEGINADDRS Fa "struct pfioc_pooladdr *pp"
 .Bd -literal
 struct pfioc_pooladdr {
 	u_int32_t		action;
@@ -82,119 +99,138 @@ struct pfioc_pooladdr {
 	u_int8_t		r_action;
 	u_int8_t		r_last;
 	u_int8_t		af;
-	char			anchor[PF_ANCHOR_NAME_SIZE];
-	char			ruleset[PF_RULESET_NAME_SIZE];
+	char			anchor[MAXPATHLEN];
 	struct pf_pooladdr	addr;
 };
 .Ed
 .Pp
-Clears the buffer address pool
-and returns a
+Clear the buffer address pool and get a
 .Va ticket
-for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls.
-.It Dv DIOCADDADDR     Fa "struct pfioc_pooladdr"
+for subsequent
+.Dv DIOCADDADDR ,
+.Dv DIOCADDRULE ,
+and
+.Dv DIOCCHANGERULE
+calls.
+.It Dv DIOCADDADDR Fa "struct pfioc_pooladdr *pp"
 .Pp
-Adds pool address
+Add the pool address
 .Va addr
 to the buffer address pool to be used in the following
-DIOCADDRULE or DIOCCHANGERULE call.
+.Dv DIOCADDRULE
+or
+.Dv DIOCCHANGERULE
+call.
 All other members of the structure are ignored.
-.It Dv DIOCADDRULE     Fa "struct pfioc_rule"
+.It Dv DIOCADDRULE Fa "struct pfioc_rule *pr"
 .Bd -literal
 struct pfioc_rule {
 	u_int32_t	action;
 	u_int32_t	ticket;
 	u_int32_t	pool_ticket;
 	u_int32_t	nr;
-	char		anchor[PF_ANCHOR_NAME_SIZE];
-	char		ruleset[PF_RULESET_NAME_SIZE];
+	char		anchor[MAXPATHLEN];
+	char		anchor_call[MAXPATHLEN];
 	struct pf_rule	rule;
 };
 .Ed
 .Pp
-Adds
+Add
 .Va rule
 at the end of the inactive ruleset.
-Requires
+This call requires a
 .Va ticket
-obtained through preceding DIOCXBEGIN call, and
+obtained through a preceding
+.Dv DIOCXBEGIN
+call and a
 .Va pool_ticket
-obtained through DIOCBEGINADDRS call.
-DIOCADDADDR must also be called if any pool addresses are required.
+obtained through a
+.Dv DIOCBEGINADDRS
+call.
+.Dv DIOCADDADDR
+must also be called if any pool addresses are required.
 The optional
 .Va anchor
-and
-.Va ruleset
-names indicate the anchor and ruleset in which to append the rule.
+name indicates the anchor in which to append the rule.
 .Va nr
 and
 .Va action
 are ignored.
-.It Dv DIOCADDALTQ     Fa "struct pfioc_altq"
-Adds
+.It Dv DIOCADDALTQ Fa "struct pfioc_altq *pa"
+Add an ALTQ discipline or queue.
 .Bd -literal
 struct pfioc_altq {
 	u_int32_t	action;
 	u_int32_t	ticket;
 	u_int32_t	nr;
-	struct pf_altq   altq;
+	struct pf_altq  altq;
 };
 .Ed
-.It Dv DIOCGETRULES    Fa "struct pfioc_rule"
-Returns
+.It Dv DIOCGETRULES Fa "struct pfioc_rule *pr"
+Get a
 .Va ticket
-for subsequent DIOCGETRULE calls and
+for subsequent
+.Dv DIOCGETRULE
+calls and the number
 .Va nr
 of rules in the active ruleset.
-.It Dv DIOCGETRULE     Fa "struct pfioc_rule"
-Returns
+.It Dv DIOCGETRULE Fa "struct pfioc_rule *pr"
+Get a
 .Va rule
-number
+by its number
 .Va nr
-using
+using the
 .Va ticket
-obtained through a preceding DIOCGETRULES call.
-.It Dv DIOCGETADDRS    Fa "struct pfioc_pooladdr"
-Returns
+obtained through a preceding
+.Dv DIOCGETRULES
+call.
+.It Dv DIOCGETADDRS Fa "struct pfioc_pooladdr *pp"
+Get a
 .Va ticket
-for subsequent DIOCGETADDR calls and
+for subsequent
+.Dv DIOCGETADDR
+calls and the number
 .Va nr
 of pool addresses in the rule specified with
 .Va r_action ,
 .Va r_num ,
-.Va anchor
 and
-.Va ruleset .
-.It Dv DIOCGETADDR     Fa "struct pfioc_pooladdr"
-Returns pool address
+.Va anchor .
+.It Dv DIOCGETADDR Fa "struct pfioc_pooladdr *pp"
+Get the pool address
 .Va addr
-number
+by its number
 .Va nr
 from the rule specified with
 .Va r_action ,
 .Va r_num ,
-.Va anchor
 and
-.Va ruleset
-using
+.Va anchor
+using the
 .Va ticket
-obtained through a preceding DIOCGETADDRS call.
-.It Dv DIOCGETALTQS    Fa "struct pfioc_altq"
-Returns
+obtained through a preceding
+.Dv DIOCGETADDRS
+call.
+.It Dv DIOCGETALTQS Fa "struct pfioc_altq *pa"
+Get a
 .Va ticket
-for subsequent DIOCGETALTQ calls and
+for subsequent
+.Dv DIOCGETALTQ
+calls and the number
 .Va nr
 of queues in the active list.
-.It Dv DIOCGETALTQ     Fa "struct pfioc_altq"
-Returns
+.It Dv DIOCGETALTQ Fa "struct pfioc_altq *pa"
+Get the queueing discipline
 .Va altq
-number
+by its number
 .Va nr
-using
+using the
 .Va ticket
-obtained through a preceding DIOCGETALTQS call.
-.It Dv DIOCGETQSTATS   Fa "struct pfioc_qstats"
-Returns statistics on a queue.
+obtained through a preceding
+.Dv DIOCGETALTQS
+call.
+.It Dv DIOCGETQSTATS Fa "struct pfioc_qstats *pq"
+Get the statistics on a queue.
 .Bd -literal
 struct pfioc_qstats {
 	u_int32_t	 ticket;
@@ -205,54 +241,99 @@ struct pfioc_qstats {
 };
 .Ed
 .Pp
-A pointer to a buffer of statistics
-.Va buf
+This call fills in a pointer to the buffer of statistics
+.Va buf ,
 of length
-.Va nbytes
+.Va nbytes ,
 for the queue specified by
 .Va nr .
-.It Dv DIOCADDSTATE    Fa "struct pfioc_state"
-Adds a state entry.
-.It Dv DIOCGETSTATE    Fa "struct pfioc_state"
+.It Dv DIOCGETRULESETS Fa "struct pfioc_ruleset *pr"
+.Bd -literal
+struct pfioc_ruleset {
+	u_int32_t	 nr;
+	char		 path[MAXPATHLEN];
+	char		 name[PF_ANCHOR_NAME_SIZE];
+};
+.Ed
+.Pp
+Get the number
+.Va nr
+of rulesets (i.e., anchors) directly attached to the anchor named by
+.Va path
+for use in subsequent
+.Dv DIOCGETRULESET
+calls.
+Nested anchors, since they are not directly attached to the given
+anchor, will not be included.
+This ioctl returns
+.Er EINVAL
+if the given anchor does not exist.
+.It Dv DIOCGETRULESET Fa "struct pfioc_ruleset *pr"
+Get a ruleset (i.e., an anchor)
+.Va name
+by its number
+.Va nr
+from the given anchor
+.Va path ,
+the maximum number of which can be obtained from a preceding
+.Dv DIOCGETRULESETS
+call.
+This ioctl returns
+.Er EINVAL
+if the given anchor does not exist or
+.Er EBUSY
+if another process is concurrently updating a ruleset.
+.It Dv DIOCADDSTATE Fa "struct pfioc_state *ps"
+Add a state entry.
 .Bd -literal
 struct pfioc_state {
 	u_int32_t	 nr;
 	struct pf_state	 state;
 };
 .Ed
-.Pp
-Extracts the entry with the specified number from the state table.
-.It Dv DIOCKILLSTATES  Fa "struct pfioc_state_kill"
-Removes matching entries from the state table.
-Returns the number of killed states in psk_af.
+.It Dv DIOCGETSTATE Fa "struct pfioc_state *ps"
+Extract the entry with the specified number
+.Va nr
+from the state table.
+.It Dv DIOCKILLSTATES Fa "struct pfioc_state_kill *psk"
+Remove matching entries from the state table.
+This ioctl returns the number of killed states in
+.Va psk_af .
 .Bd -literal
 struct pfioc_state_kill {
-	int			psk_af;
+	sa_family_t		psk_af;
 	int			psk_proto;
 	struct pf_rule_addr	psk_src;
 	struct pf_rule_addr	psk_dst;
 	char			psk_ifname[IFNAMSIZ];
 };
 .Ed
-.It Dv DIOCCLRSTATES  Fa "struct pfioc_state_kill"
-Clears all states.
+.It Dv DIOCCLRSTATES Fa "struct pfioc_state_kill *psk"
+Clear all states.
 It works like
 .Dv DIOCKILLSTATES ,
-but ignores the psk_af, psk_proto, psk_src and psk_dst fields of the
-.Fa pfioc_state_kill
+but ignores the
+.Va psk_af ,
+.Va psk_proto ,
+.Va psk_src ,
+and
+.Va psk_dst
+fields of the
+.Vt pfioc_state_kill
 structure.
-.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if"
+.It Dv DIOCSETSTATUSIF Fa "struct pfioc_if *pi"
+Specify the interface for which statistics are accumulated.
 .Bd -literal
 struct pfioc_if {
 	char		 ifname[IFNAMSIZ];
 };
 .Ed
-.Pp
-Specifies the interface for which statistics are accumulated.
-.It Dv DIOCGETSTATUS   Fa "struct pf_status"
+.It Dv DIOCGETSTATUS Fa "struct pf_status *s"
+Get the internal packet filter statistics.
 .Bd -literal
 struct pf_status {
 	u_int64_t	counters[PFRES_MAX];
+	u_int64_t	lcounters[LCNT_MAX];
 	u_int64_t	fcounters[FCNT_MAX];
 	u_int64_t	scounters[SCNT_MAX];
 	u_int64_t	pcounters[2][2][3];
@@ -267,12 +348,10 @@ struct pf_status {
 	char		ifname[IFNAMSIZ];
 };
 .Ed
-.Pp
-Gets the internal packet filter statistics.
 .It Dv DIOCCLRSTATUS
-Clears the internal packet filter statistics.
-.It Dv DIOCNATLOOK     Fa "struct pfioc_natlook"
-Looks up a state table entry by source and destination addresses and ports.
+Clear the internal packet filter statistics.
+.It Dv DIOCNATLOOK Fa "struct pfioc_natlook *pnl"
+Look up a state table entry by source and destination addresses and ports.
 .Bd -literal
 struct pfioc_natlook {
 	struct pf_addr	 saddr;
@@ -288,98 +367,149 @@ struct pfioc_natlook {
 	u_int8_t	 direction;
 };
 .Ed
-.It Dv DIOCSETDEBUG    Fa "u_int32_t"
-Sets the debug level.
+.It Dv DIOCSETDEBUG Fa "u_int32_t *level"
+Set the debug level.
 .Bd -literal
-enum	{ PF_DEBUG_NONE=0, PF_DEBUG_URGENT=1, PF_DEBUG_MISC=2 };
+enum	{ PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC,
+	  PF_DEBUG_NOISY };
 .Ed
-.It Dv DIOCGETSTATES   Fa "struct pfioc_states"
+.It Dv DIOCGETSTATES Fa "struct pfioc_states *ps"
+Get state table entries.
 .Bd -literal
 struct pfioc_states {
 	int	ps_len;
 	union {
-		caddr_t psu_buf;
+		caddr_t		 psu_buf;
 		struct pf_state *psu_states;
 	} ps_u;
 #define ps_buf		ps_u.psu_buf
 #define ps_states	ps_u.psu_states
 };
 .Ed
-.It Dv DIOCCHANGERULE  Fa "struct pfioc_rule"
-Adds or removes the
+.Pp
+If
+.Va ps_len
+is zero, all states will be gathered into
+.Va pf_states
+and
+.Va ps_len
+will be set to the size they take in memory (i.e.,
+.Li sizeof(struct pf_state) * nr ) .
+If
+.Va ps_len
+is non-zero, as many states that can fit into
+.Va ps_len
+as possible will be gathered, and
+.Va ps_len
+will be updated to the size those rules take in memory.
+.It Dv DIOCCHANGERULE Fa "struct pfioc_rule *pcr"
+Add or remove the
 .Va rule
 in the ruleset specified by
 .Va rule.action .
-.Bd -literal
-enum	{ PF_CHANGE_ADD_HEAD=1, PF_CHANGE_ADD_TAIL=2,
-	  PF_CHANGE_ADD_BEFORE=3, PF_CHANGE_ADD_AFTER=4,
-	  PF_CHANGE_REMOVE=5, PF_CHANGE_GET_TICKET=6 };
-.Ed
 .Pp
 The type of operation to be performed is indicated by
-.Va action .
+.Va action ,
+which can be any of the following:
+.Bd -literal
+enum	{ PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
+	  PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
+	  PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
+.Ed
 .Pp
 .Va ticket
-must be set to the value obtained with PF_CHANGE_GET_TICKET
-for all actions except PF_CHANGE_GET_TICKET.
+must be set to the value obtained with
+.Dv PF_CHANGE_GET_TICKET
+for all actions except
+.Dv PF_CHANGE_GET_TICKET .
 .Va pool_ticket
-must be set to the value obtained with the DIOCBEGINADDRS call
-for all actions except PF_CHANGE_REMOVE and PF_CHANGE_GET_TICKET.
-.Pp
-.Va anchor
+must be set to the value obtained with the
+.Dv DIOCBEGINADDRS
+call for all actions except
+.Dv PF_CHANGE_REMOVE
 and
-.Va ruleset
-indicate which anchor and ruleset the operation applies to.
+.Dv PF_CHANGE_GET_TICKET .
+.Va anchor
+indicates to which anchor the operation applies.
 .Va nr
-indicates the rule number against which PF_CHANGE_ADD_BEFORE,
-PF_CHANGE_ADD_AFTER or PF_CHANGE_REMOVE actions are applied.
-.It Dv DIOCCHANGEADDR  Fa "struct pfioc_pooladdr"
-Adds or removes a pool address
+indicates the rule number against which
+.Dv PF_CHANGE_ADD_BEFORE ,
+.Dv PF_CHANGE_ADD_AFTER ,
+or
+.Dv PF_CHANGE_REMOVE
+actions are applied.
+.\" It Dv DIOCCHANGEALTQ Fa "struct pfioc_altq *pcr"
+.It Dv DIOCCHANGEADDR Fa "struct pfioc_pooladdr *pca"
+Add or remove the pool address
 .Va addr
-from a rule specified with
+from the rule specified by
 .Va r_action ,
 .Va r_num ,
-.Va anchor
 and
-.Va ruleset .
-.It Dv DIOCSETTIMEOUT  Fa "struct pfioc_tm"
+.Va anchor .
+.It Dv DIOCSETTIMEOUT Fa "struct pfioc_tm *pt"
 .Bd -literal
 struct pfioc_tm {
 	int		 timeout;
 	int		 seconds;
 };
 .Ed
-.It Dv DIOCGETTIMEOUT  Fa "struct pfioc_tm"
+.Pp
+Set the state timeout of
+.Va timeout
+to
+.Va seconds .
+The old value will be placed into
+.Va seconds .
+For possible values of
+.Va timeout ,
+consult the
+.Dv PFTM_*
+values in
+.Aq Pa net/pfvar.h .
+.It Dv DIOCGETTIMEOUT Fa "struct pfioc_tm *pt"
+Get the state timeout of
+.Va timeout .
+The value will be placed into the
+.Va seconds
+field.
 .It Dv DIOCCLRRULECTRS
 Clear per-rule statistics.
-.It Dv DIOCSETLIMIT   Fa "struct pfioc_limit"
-Sets hard limits on the memory pools used by the packet filter.
+.It Dv DIOCSETLIMIT Fa "struct pfioc_limit *pl"
+Set the hard limits on the memory pools used by the packet filter.
 .Bd -literal
 struct pfioc_limit {
 	int		index;
 	unsigned	limit;
 };
+
+enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS };
 .Ed
-.It Dv DIOCGETLIMIT   Fa "struct pfioc_limit"
-.It Dv DIOCRCLRTABLES Fa "struct pfioc_table"
+.It Dv DIOCGETLIMIT Fa "struct pfioc_limit *pl"
+Get the hard
+.Va limit
+for the memory pool indicated by
+.Va index .
+.It Dv DIOCRCLRTABLES Fa "struct pfioc_table *io"
 Clear all tables.
-All the IOCTLs that manipulate radix tables
+All the ioctls that manipulate radix tables
 use the same structure described below.
 For
-.Dv DIOCRCLRTABLES, pfrio_ndel contains on exit the number
-of tables deleted.
+.Dv DIOCRCLRTABLES ,
+.Va pfrio_ndel
+contains on exit the number of tables deleted.
 .Bd -literal
 struct pfioc_table {
-        struct pfr_table         pfrio_table;
-        void                    *pfrio_buffer;
-        int                      pfrio_esize;
-        int                      pfrio_size;
-        int                      pfrio_size2;
-        int                      pfrio_nadd;
-        int                      pfrio_ndel;
-        int                      pfrio_nchange;
-        int                      pfrio_flags;
-        int                      pfrio_ticket;
+	struct pfr_table	 pfrio_table;
+	void			*pfrio_buffer;
+	int			 pfrio_esize;
+	int			 pfrio_size;
+	int			 pfrio_size2;
+	int			 pfrio_nadd;
+	int			 pfrio_ndel;
+	int			 pfrio_nchange;
+	int			 pfrio_flags;
+	u_int32_t		 pfrio_ticket;
 };
 #define pfrio_exists    pfrio_nadd
 #define pfrio_nzero     pfrio_nadd
@@ -388,192 +518,314 @@ struct pfioc_table {
 #define pfrio_setflag   pfrio_size2
 #define pfrio_clrflag   pfrio_nadd
 .Ed
-.It Dv DIOCRADDTABLES Fa "struct pfioc_table"
-Creates one or more tables.
-On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures.
-On exit, pfrio_nadd contains the number of tables effectively created.
+.It Dv DIOCRADDTABLES Fa "struct pfioc_table *io"
+Create one or more tables.
+On entry,
+.Va pfrio_buffer[pfrio_size]
+contains a table of
+.Vt pfr_table
+structures.
+On exit,
+.Va pfrio_nadd
+contains the number of tables effectively created.
 .Bd -literal
 struct pfr_table {
-        char                     pfrt_anchor[PF_ANCHOR_NAME_SIZE];
-        char                     pfrt_ruleset[PF_RULESET_NAME_SIZE];
-        char                     pfrt_name[PF_TABLE_NAME_SIZE];
-        u_int32_t                pfrt_flags;
-        u_int8_t                 pfrt_fback;
+	char		pfrt_anchor[MAXPATHLEN];
+	char		pfrt_name[PF_TABLE_NAME_SIZE];
+	u_int32_t	pfrt_flags;
+	u_int8_t	pfrt_fback;
 };
 .Ed
-.It Dv DIOCRDELTABLES Fa "struct pfioc_table"
-Deletes one or more tables.
-On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures.
-On exit, pfrio_nadd contains the number of tables effectively deleted.
-.It Dv DIOCRGETTABLES Fa "struct pfioc_table"
+.It Dv DIOCRDELTABLES Fa "struct pfioc_table *io"
+Delete one or more tables.
+On entry,
+.Va pfrio_buffer[pfrio_size]
+contains a table of
+.Vt pfr_table
+structures.
+On exit,
+.Va pfrio_nadd
+contains the number of tables effectively deleted.
+.It Dv DIOCRGETTABLES Fa "struct pfioc_table *io"
 Get the list of all tables.
-On entry, pfrio_buffer[pfrio_size] contains a valid writeable buffer for
-pfr_table structures.
-On exit, pfrio_size contains the number of tables written into the buffer.
+On entry,
+.Va pfrio_buffer[pfrio_size]
+contains a valid writeable buffer for
+.Vt pfr_table
+structures.
+On exit,
+.Va pfrio_size
+contains the number of tables written into the buffer.
 If the buffer is too small, the kernel does not store anything but just
 returns the required buffer size, without error.
-.It Dv DIOCRGETTSTATS Fa "struct pfioc_table"
-Like
-.Dv DIOCRGETTABLES ,
-but returns an array of pfr_tstats structures.
+.It Dv DIOCRGETTSTATS Fa "struct pfioc_table *io"
+This call is like
+.Dv DIOCRGETTABLES
+but is used to get an array of
+.Vt pfr_tstats
+structures.
 .Bd -literal
 struct pfr_tstats {
-        struct pfr_table pfrts_t;
-        u_int64_t        pfrts_packets
-                             [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
-        u_int64_t        pfrts_bytes
-                             [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
-        u_int64_t        pfrts_match;
-        u_int64_t        pfrts_nomatch;
-        long             pfrts_tzero;
-        int              pfrts_cnt;
-        int              pfrts_refcnt[PFR_REFCNT_MAX];
+	struct pfr_table pfrts_t;
+	u_int64_t	 pfrts_packets
+			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
+	u_int64_t	 pfrts_bytes
+			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX];
+	u_int64_t	 pfrts_match;
+	u_int64_t	 pfrts_nomatch;
+	long		 pfrts_tzero;
+	int		 pfrts_cnt;
+	int		 pfrts_refcnt[PFR_REFCNT_MAX];
 };
-#define pfrts_name      pfrts_t.pfrt_name
-#define pfrts_flags     pfrts_t.pfrt_flags
+#define pfrts_name	 pfrts_t.pfrt_name
+#define pfrts_flags	 pfrts_t.pfrt_flags
 .Ed
-.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table"
-Clears the statistics of one or more tables.
-On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures.
-On exit, pfrio_nzero contains the number of tables effectively cleared.
-.It Dv DIOCRCLRADDRS Fa "struct pfioc_table"
+.It Dv DIOCRCLRTSTATS Fa "struct pfioc_table *io"
+Clear the statistics of one or more tables.
+On entry,
+.Va pfrio_buffer[pfrio_size]
+contains a table of
+.Vt pfr_table
+structures.
+On exit,
+.Va pfrio_nzero
+contains the number of tables effectively cleared.
+.It Dv DIOCRCLRADDRS Fa "struct pfioc_table *io"
 Clear all addresses in a table.
-On entry, pfrio_table contains the table to clear.
-On exit, pfrio_ndel contains the number of addresses removed.
-.It Dv DIOCRADDADDRS Fa "struct pfioc_table"
+On entry,
+.Va pfrio_table
+contains the table to clear.
+On exit,
+.Va pfrio_ndel
+contains the number of addresses removed.
+.It Dv DIOCRADDADDRS Fa "struct pfioc_table *io"
 Add one or more addresses to a table.
-On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
-contains the list of pfr_addr structures to add.
-On exit, pfrio_nadd contains the number of addresses effectively added.
+On entry,
+.Va pfrio_table
+contains the table ID and
+.Va pfrio_buffer[pfrio_size]
+contains the list of
+.Vt pfr_addr
+structures to add.
+On exit,
+.Va pfrio_nadd
+contains the number of addresses effectively added.
 .Bd -literal
 struct pfr_addr {
-        union {
-                struct in_addr   _pfra_ip4addr;
-                struct in6_addr  _pfra_ip6addr;
-        }                pfra_u;
-        u_int8_t         pfra_af;
-        u_int8_t         pfra_net;
-        u_int8_t         pfra_not;
-        u_int8_t         pfra_fback;
+	union {
+		struct in_addr	 _pfra_ip4addr;
+		struct in6_addr	 _pfra_ip6addr;
+	}		 pfra_u;
+	u_int8_t	 pfra_af;
+	u_int8_t	 pfra_net;
+	u_int8_t	 pfra_not;
+	u_int8_t	 pfra_fback;
 };
 #define pfra_ip4addr    pfra_u._pfra_ip4addr
 #define pfra_ip6addr    pfra_u._pfra_ip6addr
 .Ed
-.It Dv DIOCRDELADDRS Fa "struct pfioc_table"
+.It Dv DIOCRDELADDRS Fa "struct pfioc_table *io"
 Delete one or more addresses from a table.
-On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
-contains the list of pfr_addr structures to delete.
-On exit, pfrio_ndel contains the number of addresses effectively deleted.
-.It Dv DIOCRSETADDRS Fa "struct pfioc_table"
+On entry,
+.Va pfrio_table
+contains the table ID and
+.Va pfrio_buffer[pfrio_size]
+contains the list of
+.Vt pfr_addr
+structures to delete.
+On exit,
+.Va pfrio_ndel
+contains the number of addresses effectively deleted.
+.It Dv DIOCRSETADDRS Fa "struct pfioc_table *io"
 Replace the content of a table by a new address list.
 This is the most complicated command, which uses all the structure members.
-On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
-contains the new list of pfr_addr structures.
-In addition to that, if size2 is nonzero, pfrio_buffer[pfrio_size..pfrio_size2]
-must be a writeable buffer, into which the kernel can copy the addresses that
-have been deleted during the replace operation.
-On exit, pfrio_ndel, pfrio_nadd and pfrio_nchange contain the number of
-addresses deleted, added and changed by the kernel.
-If pfrio_size2 was set on
-entry, pfrio_size2 will point to the size of the buffer used, exactly like
+.Pp
+On entry,
+.Va pfrio_table
+contains the table ID and
+.Va pfrio_buffer[pfrio_size]
+contains the new list of
+.Vt pfr_addr
+structures.
+Additionally, if
+.Va pfrio_size2
+is non-zero,
+.Va pfrio_buffer[pfrio_size..pfrio_size2]
+must be a writeable buffer, into which the kernel can copy the
+addresses that have been deleted during the replace operation.
+On exit,
+.Va pfrio_ndel ,
+.Va pfrio_nadd ,
+and
+.Va pfrio_nchange
+contain the number of addresses deleted, added, and changed by the
+kernel.
+If
+.Va pfrio_size2
+was set on entry,
+.Va pfrio_size2
+will point to the size of the buffer used, exactly like
 .Dv DIOCRGETADDRS .
-.It Dv DIOCRGETADDRS Fa "struct pfioc_table"
+.It Dv DIOCRGETADDRS Fa "struct pfioc_table *io"
 Get all the addresses of a table.
-On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
-contains a valid writeable buffer for pfr_addr structures.
-On exit, pfrio_size contains the number of addresses written into the buffer.
+On entry,
+.Va pfrio_table
+contains the table ID and
+.Va pfrio_buffer[pfrio_size]
+contains a valid writeable buffer for
+.Vt pfr_addr
+structures.
+On exit,
+.Va pfrio_size
+contains the number of addresses written into the buffer.
 If the buffer was too small, the kernel does not store anything but just
-return the required buffer size, without returning an error.
-.It Dv DIOCRGETASTATS Fa "struct pfioc_table"
-Like
-.Dv DIOCRGETADDRS ,
-but returns an array of pfr_astats structures.
+returns the required buffer size, without returning an error.
+.It Dv DIOCRGETASTATS Fa "struct pfioc_table *io"
+This call is like
+.Dv DIOCRGETADDRS
+but is used to get an array of
+.Vt pfr_astats
+structures.
 .Bd -literal
 struct pfr_astats {
-        struct pfr_addr  pfras_a;
-        u_int64_t        pfras_packets
-                             [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
-        u_int64_t        pfras_bytes
-                             [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
-        long             pfras_tzero;
+	struct pfr_addr	 pfras_a;
+	u_int64_t	 pfras_packets
+			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
+	u_int64_t	 pfras_bytes
+			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX];
+	long		 pfras_tzero;
 };
 .Ed
-.It Dv DIOCRCLRASTATS Fa "struct pfioc_table"
-Clears the statistics of one or more addresses.
-On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
-contains a table of pfr_addr structures to clear.
-On exit, pfrio_nzero contains the number of addresses effectively cleared.
-.It Dv DIOCRTSTADDRS Fa "struct pfioc_table"
+.It Dv DIOCRCLRASTATS Fa "struct pfioc_table *io"
+Clear the statistics of one or more addresses.
+On entry,
+.Va pfrio_table
+contains the table ID and
+.Va pfrio_buffer[pfrio_size]
+contains a table of
+.Vt pfr_addr
+structures to clear.
+On exit,
+.Va pfrio_nzero
+contains the number of addresses effectively cleared.
+.It Dv DIOCRTSTADDRS Fa "struct pfioc_table *io"
 Test if the given addresses match a table.
-On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
-contains a table of pfr_addr structures to test.
-On exit, the kernel updates the pfr_addr table by setting the pfra_fback
+On entry,
+.Va pfrio_table
+contains the table ID and
+.Va pfrio_buffer[pfrio_size]
+contains a table of
+.Vt pfr_addr
+structures to test.
+On exit, the kernel updates the
+.Vt pfr_addr
+table by setting the
+.Va pfra_fback
 member appropriately.
-.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table"
+.It Dv DIOCRSETTFLAGS Fa "struct pfioc_table *io"
 Change the
-.Va const
+.Dv PFR_TFLAG_CONST
 or
-.Va persist
-flag of a table.
-On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures,
-and pfrio_setflag contains the flags to add, while pfrio_clrflag contains the
-flags to remove.
-On exit, pfrio_nchange and pfrio_ndel contain the number of tables altered
-or deleted by the kernel.
+.Dv PFR_TFLAG_PERSIST
+flags of a table.
+On entry,
+.Va pfrio_buffer[pfrio_size]
+contains a table of
+.Vt pfr_table
+structures, and
+.Va pfrio_setflag
+contains the flags to add, while
+.Va pfrio_clrflag
+contains the flags to remove.
+On exit,
+.Va pfrio_nchange
+and
+.Va pfrio_ndel
+contain the number of tables altered or deleted by the kernel.
 Yes, tables can be deleted if one removes the
-.Va persist
+.Dv PFR_TFLAG_PERSIST
 flag of an unreferenced table.
-.It Dv DIOCRINADEFINE Fa "struct pfioc_table"
+.It Dv DIOCRINADEFINE Fa "struct pfioc_table *io"
 Defines a table in the inactive set.
-On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size]
-contains the list of pfr_addr structures to put in the table.
-A valid ticket must also be supplied to pfrio_ticket.
-On exit, pfrio_nadd contains 0 if the table was already defined in the
-inactive list, or 1 if a new table has been created.
-pfrio_naddr contains the number of addresses effectively put in the table.
-.It Dv DIOCXBEGIN Fa "struct pfioc_trans"
+On entry,
+.Va pfrio_table
+contains the table ID and
+.Va pfrio_buffer[pfrio_size]
+contains the list of
+.Vt pfr_addr
+structures to put in the table.
+A valid ticket must also be supplied to
+.Va pfrio_ticket .
+On exit,
+.Va pfrio_nadd
+contains 0 if the table was already defined in the inactive list
+or 1 if a new table has been created.
+.Va pfrio_naddr
+contains the number of addresses effectively put in the table.
+.It Dv DIOCXBEGIN Fa "struct pfioc_trans *io"
 .Bd -literal
-#define PF_RULESET_ALTQ         (PF_RULESET_MAX)
-#define PF_RULESET_TABLE        (PF_RULESET_MAX+1)
 struct pfioc_trans {
-        int              size;  /* number of elements */
-        int              esize; /* size of each element in bytes */
-        struct pfioc_trans_e {
-                int             rs_num;
-                char            anchor[PF_ANCHOR_NAME_SIZE];
-                char            ruleset[PF_RULESET_NAME_SIZE];
-                u_int32_t       ticket;
-        }               *array;
+	int		 size;	/* number of elements */
+	int		 esize;	/* size of each element in bytes */
+	struct pfioc_trans_e {
+		int		rs_num;
+		char		anchor[MAXPATHLEN];
+		u_int32_t	ticket;
+	}		*array;
 };
 .Ed
 .Pp
-Clears all the inactive rulesets specified in the
-.Fa "struct pfioc_trans_e"
+Clear all the inactive rulesets specified in the
+.Vt pfioc_trans_e
 array.
-For each ruleset, a ticket is returned for subsequent "add rule" IOCTLs,
+For each ruleset, a ticket is returned for subsequent "add rule" ioctls,
 as well as for the
 .Dv DIOCXCOMMIT
 and
 .Dv DIOCXROLLBACK
 calls.
-.It Dv DIOCXCOMMIT Fa "struct pfioc_trans"
+.Pp
+Ruleset types, identified by
+.Va rs_num ,
+include the following:
+.Pp
+.Bl -tag -width PF_RULESET_FILTER -offset ind -compact
+.It Dv PF_RULESET_SCRUB
+Scrub (packet normalization) rules.
+.It Dv PF_RULESET_FILTER
+Filter rules.
+.It Dv PF_RULESET_NAT
+NAT (Network Address Translation) rules.
+.It Dv PF_RULESET_BINAT
+Bidirectional NAT rules.
+.It Dv PF_RULESET_RDR
+Redirect rules.
+.It Dv PF_RULESET_ALTQ
+ALTQ disciplines.
+.It Dv PF_RULESET_TABLE
+Address tables.
+.El
+.It Dv DIOCXCOMMIT Fa "struct pfioc_trans *io"
 Atomically switch a vector of inactive rulesets to the active rulesets.
-Implemented as a standard 2-phase commit, which will either fail for all
-rulesets or completely succeed.
+This call is implemented as a standard two-phase commit, which will either
+fail for all rulesets or completely succeed.
 All tickets need to be valid.
-Returns
-.Dv EBUSY
-if a concurrent process is trying to update some of the same rulesets
-concurrently.
-.It Dv DIOCXROLLBACK Fa "struct pfioc_trans"
+This ioctl returns
+.Er EBUSY
+if another process is concurrently updating some of the same rulesets.
+.It Dv DIOCXROLLBACK Fa "struct pfioc_trans *io"
 Clean up the kernel by undoing all changes that have taken place on the
 inactive rulesets since the last
 .Dv DIOCXBEGIN .
 .Dv DIOCXROLLBACK
 will silently ignore rulesets for which the ticket is invalid.
-.It Dv DIOCFPFLUSH
+.It Dv DIOCSETHOSTID Fa "u_int32_t *hostid"
+Set the host ID, which is used by
+.Xr pfsync 4
+to identify which host created state table entries.
+.It Dv DIOCOSFPFLUSH
 Flush the passive OS fingerprint table.
-.It Dv DIOCFPADD Fa "struct pf_osfp_ioctl"
+.It Dv DIOCOSFPADD Fa "struct pf_osfp_ioctl *io"
 .Bd -literal
 struct pf_osfp_ioctl {
 	struct pf_osfp_entry {
@@ -583,12 +835,14 @@ struct pf_osfp_ioctl {
 		char			fp_version_nm[PF_OSFP_LEN];
 		char			fp_subtype_nm[PF_OSFP_LEN];
 	} 			fp_os;
-	u_int16_t		fp_mss;
+	pf_tcpopts_t		fp_tcpopts;
 	u_int16_t		fp_wsize;
 	u_int16_t		fp_psize;
-	u_int8_t		fp_ttl;
+	u_int16_t		fp_mss;
+	u_int16_t		fp_flags;
+	u_int8_t		fp_optcnt;
 	u_int8_t		fp_wscale;
-	u_int8_t		fp_flags;
+	u_int8_t		fp_ttl;
 	int			fp_getnum;
 };
 .Ed
@@ -608,64 +862,65 @@ The members
 .Va fp_wsize ,
 .Va fp_psize ,
 .Va fp_ttl ,
+.Va fp_optcnt ,
 and
 .Va fp_wscale
-are set to the TCP MSS, the TCP window size, the IP length and the IP TTL of
-the TCP SYN packet respectively.
+are set to the TCP MSS, the TCP window size, the IP length, the IP TTL,
+the number of TCP options, and the TCP window scaling constant of the
+TCP SYN packet, respectively.
+.Pp
 The
 .Va fp_flags
-member is filled according to the net/pfvar.h include file PF_OSFP_* defines.
+member is filled according to the
+.Aq Pa net/pfvar.h
+include file
+.Dv PF_OSFP_*
+defines.
+The
+.Va fp_tcpopts
+member contains packed TCP options.
+Each option uses
+.Dv PF_OSFP_TCPOPT_BITS
+bits in the packed value.
+Options include any of
+.Dv PF_OSFP_TCPOPT_NOP ,
+.Dv PF_OSFP_TCPOPT_SACK ,
+.Dv PF_OSFP_TCPOPT_WSCALE ,
+.Dv PF_OSFP_TCPOPT_MSS ,
+or
+.Dv PF_OSFP_TCPOPT_TS .
+.Pp
 The
 .Va fp_getnum
-is not used with this ioctl.
+member is not used with this ioctl.
 .Pp
-The structure's slack space must be zeroed for correct operation; memset
+The structure's slack space must be zeroed for correct operation;
+.Xr memset 3
 the whole structure to zero before filling and sending to the kernel.
-.It Dv DIOCFPGET Fa "struct pf_osfp_ioctl"
-.Bd -literal
-struct pf_osfp_ioctl {
-	struct pf_osfp_entry {
-		SLIST_ENTRY(pf_osfp_entry) fp_entry;
-		pf_osfp_t		fp_os;
-		char			fp_class_nm[PF_OSFP_LEN];
-		char			fp_version_nm[PF_OSFP_LEN];
-		char			fp_subtype_nm[PF_OSFP_LEN];
-	} 			fp_os;
-	u_int16_t		fp_mss;
-	u_int16_t		fp_wsize;
-	u_int16_t		fp_psize;
-	u_int8_t		fp_ttl;
-	u_int8_t		fp_wscale;
-	u_int8_t		fp_flags;
-	int			fp_getnum;
-};
-.Ed
-.Pp
+.It Dv DIOCOSFPGET Fa "struct pf_osfp_ioctl *io"
 Get the passive OS fingerprint number
 .Va fp_getnum
 from the kernel's fingerprint list.
 The rest of the structure members will come back filled.
 Get the whole list by repeatedly incrementing the
 .Va fp_getnum
-number until the ioctl returns EBUSY.
-.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes"
+number until the ioctl returns
+.Er EBUSY .
+.It Dv DIOCGETSRCNODES Fa "struct pfioc_src_nodes *psn"
 .Bd -literal
 struct pfioc_src_nodes {
-        int     psn_len;
-        union {
-                caddr_t          psu_buf;
-                struct pf_src_node      *psu_src_nodes;
-        } psn_u;
-#define psn_buf         psn_u.psu_buf
-#define psn_src_nodes   psn_u.psu_src_nodes
+	int	psn_len;
+	union {
+		caddr_t		psu_buf;
+		struct pf_src_node	*psu_src_nodes;
+	} psn_u;
+#define psn_buf		psn_u.psu_buf
+#define psn_src_nodes	psn_u.psu_src_nodes
 };
 .Ed
 .Pp
-Get the list of source nodes kept by the
-.Ar sticky-address
-and
-.Ar source-track
-options.
+Get the list of source nodes kept by sticky addresses and source
+tracking.
 The ioctl must be called once with
 .Va psn_len
 set to 0.
@@ -679,24 +934,24 @@ placed in
 .Va psn_buf .
 The ioctl must then be called again to fill this buffer with the actual
 source node data.
-After the ioctl call
+After that call,
 .Va psn_len
 will be set to the length of the buffer actually used.
-.It Dv DIOCCLRSRCNODES Fa "struct pfioc_table"
+.It Dv DIOCCLRSRCNODES
 Clear the tree of source tracking nodes.
-.It Dv DIOCIGETIFACES Fa "struct pfioc_iface"
-Gets the list of interfaces and interface drivers known to
+.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io"
+Get the list of interfaces and interface drivers known to
 .Nm .
-All the IOCTLs that manipulate interfaces
+All the ioctls that manipulate interfaces
 use the same structure described below:
 .Bd -literal
 struct pfioc_iface {
-        char                     pfiio_name[IFNAMSIZ];
-        void                    *pfiio_buffer;
-        int                      pfiio_esize;
-        int                      pfiio_size;
-        int                      pfiio_nzero;
-        int                      pfiio_flags;
+	char			 pfiio_name[IFNAMSIZ];
+	void			*pfiio_buffer;
+	int			 pfiio_esize;
+	int			 pfiio_size;
+	int			 pfiio_nzero;
+	int			 pfiio_flags;
 };
 
 #define PFI_FLAG_GROUP     0x0001  /* gets groups of interfaces */
@@ -717,50 +972,70 @@ entries that can fit into the buffer.
 The kernel will replace this value by the real number of entries it wants
 to return.
 .Va pfiio_esize
-should be set to sizeof(struct pfi_if).
+should be set to
+.Li sizeof(struct pfi_if) .
 .Va pfiio_flags
 should be set to
-.Dv PFI_FLAG_GROUP , PFI_FLAG_INSTANCE ,
-or both to tell the kernel to return a group of interfaces
+.Dv PFI_FLAG_GROUP ,
+.Dv PFI_FLAG_INSTANCE ,
+or both, to tell the kernel to return a group of interfaces
 (drivers, like "fxp"), real interface instances (like "fxp1") or both.
 The data is returned in the
-.Va pfi_if
+.Vt pfi_if
 structure described below:
 .Bd -literal
 struct pfi_if {
-        char                             pfif_name[IFNAMSIZ];
-        u_int64_t                        pfif_packets[2][2][2];
-        u_int64_t                        pfif_bytes[2][2][2];
-        u_int64_t                        pfif_addcnt;
-        u_int64_t                        pfif_delcnt;
-        long                             pfif_tzero;
-        int                              pfif_states;
-        int                              pfif_rules;
-        int                              pfif_flags;
+	char				 pfif_name[IFNAMSIZ];
+	u_int64_t			 pfif_packets[2][2][2];
+	u_int64_t			 pfif_bytes[2][2][2];
+	u_int64_t			 pfif_addcnt;
+	u_int64_t			 pfif_delcnt;
+	long				 pfif_tzero;
+	int				 pfif_states;
+	int				 pfif_rules;
+	int				 pfif_flags;
 };
 
-#define PFI_IFLAG_GROUP         0x0001  /* group of interfaces */
-#define PFI_IFLAG_INSTANCE      0x0002  /* single instance */
-#define PFI_IFLAG_CLONABLE      0x0010  /* clonable group */
-#define PFI_IFLAG_DYNAMIC       0x0020  /* dynamic group */
-#define PFI_IFLAG_ATTACHED      0x0040  /* interface attached */
-#define PFI_IFLAG_REFERENCED    0x0080  /* referenced by rules */
+#define PFI_IFLAG_GROUP		0x0001	/* group of interfaces */
+#define PFI_IFLAG_INSTANCE	0x0002	/* single instance */
+#define PFI_IFLAG_CLONABLE	0x0010	/* clonable group */
+#define PFI_IFLAG_DYNAMIC	0x0020	/* dynamic group */
+#define PFI_IFLAG_ATTACHED	0x0040	/* interface attached */
 .Ed
-.It Dv DIOCICLRISTATS Fa "struct pfioc_iface"
+.It Dv DIOCICLRISTATS Fa "struct pfioc_iface *io"
 Clear the statistics counters of one or more interfaces.
 .Va pfiio_name
 and
-.Va pfrio_flags
+.Va pfiio_flags
 can be used to select which interfaces need to be cleared.
 The filtering process is the same as for
 .Dv DIOCIGETIFACES .
 .Va pfiio_nzero
 will be set by the kernel to the number of interfaces and drivers
 that have been cleared.
+.It Dv DIOCSETIFFLAG Fa "struct pfioc_iface *io"
+Set the user setable flags (described below) of the pf internal interface
+description.
+The filtering process is the same as for
+.Dv DIOCIGETIFACES .
+.Bd -literal
+#define PFI_IFLAG_SKIP		0x0100	/* skip interface */
+#define PFI_IFLAG_SETABLE_MASK	0x0100	/* mask */
+.Ed
+.It Dv DIOCCLRIFFLAG Fa "struct pfioc_iface *io"
+Works as
+.Dv DIOCSETIFFLAG
+above but clears the flags.
+.El
+.Sh FILES
+.Bl -tag -width /dev/pf -compact
+.It Pa /dev/pf
+packet filtering device.
 .El
 .Sh EXAMPLES
-The following example demonstrates how to use the DIOCNATLOOK command
-to find the internal host/port of a NATed connection.
+The following example demonstrates how to use the
+.Dv DIOCNATLOOK
+command to find the internal host/port of a NATed connection:
 .Bd -literal
 #include <sys/types.h>
 #include <sys/socket.h>
@@ -829,7 +1104,8 @@ main(int argc, char *argv[])
 .Xr bridge 4 ,
 .Xr pflog 4 ,
 .Xr pfsync 4 ,
-.Xr pfctl 8
+.Xr pfctl 8 ,
+.Xr altq 9
 .Sh HISTORY
 The
 .Nm
diff --git a/contrib/pf/man/pf.conf.5 b/contrib/pf/man/pf.conf.5
index b5db412..817fa0b 100644
--- a/contrib/pf/man/pf.conf.5
+++ b/contrib/pf/man/pf.conf.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.conf.5,v 1.292 2004/02/24 05:44:48 mcbride Exp $
+.\"	$OpenBSD: pf.conf.5,v 1.326 2005/03/01 18:10:44 jmc Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -229,7 +229,7 @@ command.
 .Bl -tag -width xxxx
 .It Ar set timeout
 .Pp
-.Bl -tag -width interval -compact
+.Bl -tag -width "src.track" -compact
 .It Ar interval
 Interval between purging expired states and fragments.
 .It Ar frag
@@ -483,6 +483,16 @@ For example:
 .Pp
 .Dl set fingerprints \&"/etc/pf.os.devel\&"
 .Pp
+.It Ar set skip on <ifspec>
+List interfaces for which packets should not be filtered.
+Packets passing in or out on such interfaces are passed as if pf was
+disabled, i.e. pf does not process them in any way.
+This can be useful on loopback and other virtual interfaces, when
+packet filtering is not desired and can have unexpected effects.
+For example:
+.Pp
+.Dl set skip on lo0
+.Pp
 .It Ar set debug
 Set the debug
 .Ar level
@@ -547,7 +557,7 @@ Enforces a maximum MSS for matching TCP packets.
 .It Ar random-id
 Replaces the IP identification field with random values to compensate
 for predictable values generated by many hosts.
-This option only applies to outgoing packets that are not fragmented
+This option only applies to packets that are not fragmented
 after the optional fragment reassembly.
 .It Ar fragment reassemble
 Using
@@ -601,7 +611,7 @@ the firewall state, and expires before reaching the destination host.
 .Ar reassemble tcp
 will raise the TTL of all packets back up to the highest value seen on
 the connection.
-.It timeout modulation
+.It timestamp modulation
 Modern TCP stacks will send a timestamp on every TCP packet and echo
 the other endpoint's timestamp back to them.
 Many operating systems will merely start the timestamp at zero when
@@ -618,6 +628,24 @@ guessable base time.
 will cause
 .Ar scrub
 to modulate the TCP timestamps with a random number.
+.It extended PAWS checks
+There is a problem with TCP on long fat pipes, in that a packet might get
+delayed for longer than it takes the connection to wrap its 32-bit sequence
+space.
+In such an occurrence, the old packet would be indistinguishable from a
+new packet and would be accepted as such.
+The solution to this is called PAWS: Protection Against Wrapped Sequence
+numbers.
+It protects against it by making sure the timestamp on each packet does
+not go backwards.
+.Ar reassemble tcp
+also makes sure the timestamp on the packet does not go forward more
+than the RFC allows.
+By doing this,
+.Xr pf 4
+artificially extends the security of TCP sequence numbers by 10 to 18
+bits when the host uses appropriately randomized timestamps, since a
+blind attacker would have to guess the timestamp as well.
 .El
 .El
 .Pp
@@ -625,6 +653,15 @@ For example,
 .Bd -literal -offset indent
 scrub in on $ext_if all fragment reassemble
 .Ed
+.Pp
+The
+.Ar no
+option prefixed to a scrub rule causes matching packets to remain unscrubbed,
+much in the same way as
+.Ar drop quick
+works in the packet filter (see below).
+This mechanism should be used when it is necessary to exclude specific packets
+from broader scrub rules.
 .Sh QUEUEING
 Packets can be assigned to queues for the purpose of bandwidth
 control.
@@ -664,6 +701,18 @@ assigned.
 mainly controls the time packets take to get sent out, while
 .Ar bandwidth
 has primarily effects on throughput.
+.Ar cbq
+achieves both partitioning and sharing of link bandwidth
+by hierarchically structured classes.
+Each class has its own
+.Ar queue
+and is assigned its share of
+.Ar bandwidth .
+A child class can borrow bandwidth from its parent class
+as long as excess bandwidth is available
+(see the option
+.Ar borrow ,
+below).
 .It Ar priq
 Priority Queueing.
 .Ar Queues
@@ -697,6 +746,14 @@ assigned.
 mainly controls the time packets take to get sent out, while
 .Ar bandwidth
 has primarily effects on throughput.
+.Ar hfsc
+supports both link-sharing and guaranteed real-time services.
+It employs a service curve based QoS model,
+and its unique feature is an ability to decouple
+.Ar delay
+and
+.Ar bandwidth
+allocation.
 .El
 .Pp
 The interfaces on which queueing should be activated are declared using
@@ -782,6 +839,7 @@ This value must not exceed the value of the parent
 .Ar queue
 and can be specified as an absolute value or a percentage of the parent
 queue's bandwidth.
+If not specified, defaults to 100% of the parent queue's bandwidth.
 The
 .Ar priq
 scheduler does not support bandwidth specification.
@@ -910,8 +968,8 @@ queue  developers bandwidth 75% cbq(borrow)
 queue  employees bandwidth 15%
 queue mail bandwidth 10% priority 0 cbq(borrow ecn)
 queue ssh bandwidth 20% cbq(borrow) { ssh_interactive, ssh_bulk }
-queue  ssh_interactive priority 7
-queue  ssh_bulk priority 0
+queue  ssh_interactive bandwidth 50% priority 7 cbq(borrow)
+queue  ssh_bulk bandwidth 50% priority 0 cbq(borrow)
 
 block return out on dc0 inet all queue std
 pass out on dc0 inet proto tcp from $developerhosts to any port 80 \e
@@ -935,8 +993,8 @@ the packet filter for evaluation.
 .Pp
 Since translation occurs before filtering the filter
 engine will see packets as they look after any
-addresses and ports have been translated. Filter rules
-will therefore have to filter based on the translated
+addresses and ports have been translated.
+Filter rules will therefore have to filter based on the translated
 address and port number.
 Packets that match a translation rule are only automatically passed if
 the
@@ -1098,10 +1156,11 @@ This causes a TCP RST to be returned for
 packets and an ICMP UNREACHABLE for UDP and other packets.
 .El
 .Pp
-Options returning packets have no effect if
+Options returning ICMP packets currently have no effect if
 .Xr pf 4
 operates on a
-.Xr bridge 4 .
+.Xr bridge 4 ,
+as the code to support this feature has not yet been implemented.
 .It Ar pass
 The packet is passed.
 .El
@@ -1212,9 +1271,16 @@ addresses and ports.
 Addresses can be specified in CIDR notation (matching netblocks), as
 symbolic host names or interface names, or as any of the following keywords:
 .Pp
-.Bl -tag -width xxxxxxxxxxxx -compact
+.Bl -tag -width xxxxxxxxxxxxxx -compact
 .It Ar any
 Any address.
+.It Ar route <label>
+Any address whose associated route has label
+.Ar <label> .
+See
+.Xr route 4
+and
+.Xr route 8 .
 .It Ar no-route
 Any address which is not currently routable.
 .It Ar <table>
@@ -1308,6 +1374,7 @@ pass in proto tcp from any to any port 25
 pass in proto tcp from 10.0.0.0/8 port > 1024 \e
       to ! 10.1.2.3 port != ssh
 pass in proto tcp from any os "OpenBSD" flags S/SA
+pass in proto tcp from route "DTAG"
 .Ed
 .It Ar all
 This is equivalent to "from any to any".
@@ -1392,9 +1459,18 @@ All of SYN, FIN, RST and ACK must be unset.
 .It Ar icmp6-type <type> code <code>
 This rule only applies to ICMP or ICMPv6 packets with the specified type
 and code.
+Text names for ICMP types and codes are listed in
+.Xr icmp 4
+and
+.Xr icmp6 4 .
 This parameter is only valid for rules that cover protocols ICMP or
 ICMP6.
-The protocol and the ICMP type indicator (icmp-type or icmp6-type)
+The protocol and the ICMP type indicator
+.Po
+.Ar icmp-type
+or
+.Ar icmp6-type
+.Pc
 must match.
 .It Ar allow-opts
 By default, packets which contain IP options are blocked.
@@ -1500,7 +1576,7 @@ or
 rules in addition to filter rules.
 Tags take the same macros as labels (see above).
 .It Ar tagged <string>
-Used with filter rules to specify that packets must already
+Used with filter or translation rules to specify that packets must already
 be tagged with the given tag in order to match the rule.
 Inverse tag matching can also be done
 by specifying the
@@ -1508,6 +1584,15 @@ by specifying the
 operator before the
 .Ar tagged
 keyword.
+.It Ar probability <number>
+A probability attribute can be attached to a rule, with a value set between
+0 and 1, bounds not included.
+In that case, the rule will be honoured using the given probability value
+only.
+For example, the following rule will drop 20% of incoming ICMP packets:
+.Bd -literal -offset indent
+block in proto icmp probability 20%
+.Ed
 .El
 .Sh ROUTING
 If a packet matches a rule with a route option set, the packet filter will
@@ -1538,7 +1623,7 @@ option is similar to
 but routes packets that pass in the opposite direction (replies) to the
 specified interface.
 Opposite direction is only defined in the context of a state entry, and
-.Ar route-to
+.Ar reply-to
 is useful only in rules that create state.
 It can be used on systems with multiple external connections to
 route all outgoing packets of a connection through the interface
@@ -1855,32 +1940,96 @@ Prevent state changes for states created by this rule from appearing on the
 interface.
 .It Ar <timeout> <seconds>
 Changes the timeout values used for states created by this rule.
+For a list of all valid timeout names, see
+.Sx OPTIONS
+above.
+.El
+.Pp
+Multiple options can be specified, separated by commas:
+.Bd -literal -offset indent
+pass in proto tcp from any to any \e
+      port www flags S/SA keep state \e
+      (max 100, source-track rule, max-src-nodes 75, \e
+      max-src-states 3, tcp.established 60, tcp.closing 5)
+.Ed
 .Pp
 When the
 .Ar source-track
 keyword is specified, the number of states per source IP is tracked.
+.Pp
+.Bl -tag -width xxxx -compact
+.It Ar source-track rule
+The maximum number of states created by this rule is limited by the rule's
+.Ar max-src-nodes
+and
+.Ar max-src-state
+options.
+Only state entries created by this particular rule count toward the rule's
+limits.
+.It Ar source-track global
+The number of states created by all rules that use this option is limited.
+Each rule can specify different
+.Ar max-src-nodes
+and
+.Ar max-src-states
+options, however state entries created by any participating rule count towards
+each individual rule's limits.
+.El
+.Pp
 The following limits can be set:
 .Pp
-.Bl  -tag -width xxxx -compact
-.It Ar max-src-nodes
+.Bl -tag -width xxxx -compact
+.It Ar max-src-nodes <number>
 Limits the maximum number of source addresses which can simultaneously
 have state table entries.
-.It Ar max-src-states
+.It Ar max-src-states <number>
 Limits the maximum number of simultaneous state entries that a single
 source address can create with this rule.
 .El
-For a list of all valid timeout names, see
-.Sx OPTIONS
-above.
 .Pp
-Multiple options can be specified, separated by commas:
-.Bd -literal
-pass in proto tcp from any to any \e
-      port www flags S/SA keep state \e
-      (max 100, source-track rule, max-src-nodes 75, \e
-      max-src-states 3, tcp.established 60, tcp.closing 5)
-.Ed
+For stateful TCP connections, limits on established connections (connections
+which have completed the TCP 3-way handshake) can also be enforced
+per source IP.
+.Pp
+.Bl -tag -width xxxx -compact
+.It Ar max-src-conn <number>
+Limits the maximum number of simultaneous TCP connections which have
+completed the 3-way handshake that a single host can make.
+.It Ar max-src-conn-rate <number> / <seconds>
+Limit the rate of new connections over a time interval.
+The connection rate is an approximation calculated as a moving average.
 .El
+.Pp
+Because the 3-way handshake ensures that the source address is not being
+spoofed, more aggressive action can be taken based on these limits.
+With the
+.Ar overload <table>
+state option, source IP addresses which hit either of the limits on
+established connections will be added to the named table.
+This table can be used in the ruleset to block further activity from
+the offending host, redirect it to a tarpit process, or restrict its
+bandwidth.
+.Pp
+The optional
+.Ar flush
+keyword kills all states created by the matching rule which originate
+from the host which exceeds these limits.
+The
+.Ar global
+modifier to the flush command kills all states originating from the
+offending host, regardless of which rule created the state.
+.Pp
+For example, the following rules will protect the webserver against
+hosts making more than 100 connections in 10 seconds.
+Any host which connects faster than this rate will have its address added
+to the <bad_hosts> table and have all states originating from it flushed.
+Any new packets arriving from this host will be dropped unconditionally
+by the block rule.
+.Bd -literal -offset indent
+block quick from <bad_hosts>
+pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state \e
+	(max-src-conn-rate 100/10, overload <bad_hosts> flush global)
+.Ed
 .Sh OPERATING SYSTEM FINGERPRINTING
 Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP
 connection's initial SYN packet and guess at the host's operating system.
@@ -1891,7 +2040,7 @@ upon.
 .Pp
 The fingerprints may be specified by operating system class, by
 version, or by subtype/patchlevel.
-The class of an operating system is typically the vender or genre
+The class of an operating system is typically the vendor or genre
 and would be OpenBSD for the
 .Xr pf 4
 firewall itself.
@@ -2056,84 +2205,87 @@ The timeout value can also be adjusted.
 .Pp
 Currently, only IPv4 fragments are supported and IPv6 fragments
 are blocked unconditionally.
-.Sh ANCHORS AND NAMED RULESETS
+.Sh ANCHORS
 Besides the main ruleset,
 .Xr pfctl 8
-can load named rulesets into
+can load rulesets into
 .Ar anchor
 attachment points.
 An
 .Ar anchor
-contains a list of named rulesets.
+is a container that can hold rules, address tables, and other anchors.
+.Pp
 An
 .Ar anchor
-has a name which specifies where
+has a name which specifies the path where
 .Xr pfctl 8
-can be used to attach sub-rulesets.
-A named ruleset contains filter and translation rules, like the
-main ruleset.
-The main ruleset can reference
+can be used to access the anchor to perform operations on it, such as
+attaching child anchors to it or loading rules into it.
+Anchors may be nested, with components separated by
+.Sq /
+characters, similar to how file system hierarchies are laid out.
+The main ruleset is actually the default anchor, so filter and
+translation rules, for example, may also be contained in any anchor.
+.Pp
+An anchor can reference another
 .Ar anchor
-attachment points
+attachment point
 using the following kinds
 of rules:
 .Bl -tag -width xxxx
 .It Ar nat-anchor <name>
 Evaluates the
 .Ar nat
-rules of all named rulesets in the specified
+rules in the specified
 .Ar anchor .
 .It Ar rdr-anchor <name>
 Evaluates the
 .Ar rdr
-rules of all named rulesets in the specified
+rules in the specified
 .Ar anchor .
 .It Ar binat-anchor <name>
 Evaluates the
 .Ar binat
-rules of all named rulesets in the specified
+rules in the specified
 .Ar anchor .
 .It Ar anchor <name>
-Evaluates the filter rules of all named rulesets in the specified
+Evaluates the filter rules in the specified
 .Ar anchor .
-.It Ar load anchor <name>:<ruleset> from <file>
-Loads the rules from the specified file into the named
-ruleset
-.Ar <ruleset>
-attached to the anchor
-.Ar <name> .
+.It Ar load anchor <name> from <file>
+Loads the rules from the specified file into the
+anchor
+.Ar name .
 .El
 .Pp
 When evaluation of the main ruleset reaches an
 .Ar anchor
 rule,
 .Xr pf 4
-will proceed to evaluate all rules specified in the
-named rulesets attached to that
-.Ar anchor .
+will proceed to evaluate all rules specified in that anchor.
 .Pp
-Matching filter rules in named rulesets with the
+Matching filter and translation rules in anchors with the
 .Ar quick
-option and matching translation rules are final and abort the
-evaluation of both the rules in the
-.Ar anchor
+option are final and abort the evaluation of the rules in other
+anchors
 and the main ruleset.
 .Pp
-Only the main ruleset can contain
 .Ar anchor
-rules.
-.Pp
-When an
+rules are evaluated relative to the anchor in which they are contained.
+For example, all
+.Ar anchor
+rules specified in the main ruleset will reference anchor
+attachment points underneath the main ruleset, and
 .Ar anchor
-contains more than one named ruleset, they are evaluated
-in the alphabetical order of their names.
+rules specified in a file loaded from a
+.Ar load anchor
+rule will be attached under that anchor point.
 .Pp
-Rules may contain
+Rules may be contained in
 .Ar anchor
 attachment points which do not contain any rules when the main ruleset
-is loaded, and later such named rulesets can be manipulated through
+is loaded, and later such anchors can be manipulated through
 .Xr pfctl 8
-without reloading the main ruleset.
+without reloading the main ruleset or other anchors.
 For example,
 .Bd -literal -offset indent
 ext_if = \&"kue0\&"
@@ -2145,27 +2297,27 @@ pass in on $ext_if proto tcp from any \e
 .Ed
 .Pp
 blocks all packets on the external interface by default, then evaluates
-all rulesets in the
+all rules in the
 .Ar anchor
 named "spam", and finally passes all outgoing connections and
 incoming connections to port 25.
 .Bd -literal -offset indent
 # echo \&"block in quick from 1.2.3.4 to any\&" \&| \e
-      pfctl -a spam:manual -f -
+      pfctl -a spam -f -
 .Ed
 .Pp
-loads a single ruleset containing a single rule into the
+This loads a single rule into the
 .Ar anchor ,
 which blocks all packets from a specific address.
 .Pp
-The named ruleset can also be populated by adding a
+The anchor can also be populated by adding a
 .Ar load anchor
 rule after the
 .Ar anchor
 rule:
 .Bd -literal -offset indent
 anchor spam
-load anchor spam:manual from "/etc/pf-spam.conf"
+load anchor spam from "/etc/pf-spam.conf"
 .Ed
 .Pp
 When
@@ -2174,7 +2326,7 @@ loads
 .Nm pf.conf ,
 it will also load all the rules from the file
 .Pa /etc/pf-spam.conf
-into the named ruleset.
+into the anchor.
 .Pp
 Optionally,
 .Ar anchor
@@ -2185,7 +2337,7 @@ using the same syntax as filter rules.
 When parameters are used, the
 .Ar anchor
 rule is only evaluated for matching packets.
-This allows conditional evaluation of named rulesets, like:
+This allows conditional evaluation of anchors, like:
 .Bd -literal -offset indent
 block on $ext_if all
 anchor spam proto tcp from any to any port smtp
@@ -2201,10 +2353,56 @@ packets with destination port 25.
 Hence,
 .Bd -literal -offset indent
 # echo \&"block in quick from 1.2.3.4 to any" \&| \e
-      pfctl -a spam:manual -f -
+      pfctl -a spam -f -
 .Ed
 .Pp
 will only block connections from 1.2.3.4 to port 25.
+.Pp
+Anchors may end with the asterisk
+.Pq Sq *
+character, which signifies that all anchors attached at that point
+should be evaluated in the alphabetical ordering of their anchor name.
+For example,
+.Bd -literal -offset indent
+anchor "spam/*"
+.Ed
+.Pp
+will evaluate each rule in each anchor attached to the
+.Li spam
+anchor.
+Note that it will only evaluate anchors that are directly attached to the
+.Li spam
+anchor, and will not descend to evaluate anchors recursively.
+.Pp
+Since anchors are evaluated relative to the anchor in which they are
+contained, there is a mechanism for accessing the parent and ancestor
+anchors of a given anchor.
+Similar to file system path name resolution, if the sequence
+.Dq ..
+appears as an anchor path component, the parent anchor of the current
+anchor in the path evaluation at that point will become the new current
+anchor.
+As an example, consider the following:
+.Bd -literal -offset indent
+# echo ' anchor "spam/allowed" ' | pfctl -f -
+# echo -e ' anchor "../banned" \en pass' | \e
+      pfctl -a spam/allowed -f -
+.Ed
+.Pp
+Evaluation of the main ruleset will lead into the
+.Li spam/allowed
+anchor, which will evaluate the rules in the
+.Li spam/banned
+anchor, if any, before finally evaluating the
+.Ar pass
+rule.
+.Pp
+Since the parser specification for anchor names is a string, any
+reference to an anchor name containing solidus
+.Pq Sq /
+characters will require double quote
+.Pq Sq \&"
+characters around the anchor name.
 .Sh TRANSLATION EXAMPLES
 This example maps incoming requests on port 80 to port 8080, on
 which a daemon is running (because, for example, it is not run as root,
@@ -2281,7 +2479,7 @@ nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e
 # Translate outgoing packets' source address (any protocol).
 # Translate incoming packets' destination address to an internal machine
 # (bidirectional).
-binat on $ext_if from 10.1.2.150 to any -> ($ext_if)
+binat on $ext_if from 10.1.2.150 to any -> $ext_if
 
 # RDR
 # Translate incoming packets' destination addresses.
@@ -2395,7 +2593,7 @@ pass in on $wifi_if from any to any keep state
 
 block out on $ext_if from any to any
 pass out quick on $ext_if tagged INTNET keep state
-pass out on $ext_if from any to any port 80 keep state
+pass out on $ext_if proto tcp from any to any port 80 keep state
 
 # tag incoming packets as they are redirected to spamd(8). use the tag
 # to pass those packets through the packet filter.
@@ -2422,7 +2620,7 @@ option         = "set" ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
                  [ "limit" ( limit-item | "{" limit-list "}" ) ] |
                  [ "loginterface" ( interface-name | "none" ) ] |
                  [ "block-policy" ( "drop" | "return" ) ] |
-		 [ "state-policy" ( "if-bound" | "group-bound" |
+                 [ "state-policy" ( "if-bound" | "group-bound" |
                  "floating" ) ]
                  [ "require-order" ( "yes" | "no" ) ]
                  [ "fingerprints" filename ] |
@@ -2441,21 +2639,22 @@ filteropt      = user | group | flags | icmp-type | icmp6-type | tos |
                  "max-mss" number | "random-id" | "reassemble tcp" |
                  fragmentation | "allow-opts" |
                  "label" string | "tag" string | [ ! ] "tagged" string
-                 "queue" ( string | "(" string [ [ "," ] string ] ")" )
+                 "queue" ( string | "(" string [ [ "," ] string ] ")" ) |
+                 "probability" number"%"
 
 nat-rule       = [ "no" ] "nat" [ "pass" ] [ "on" ifspec ] [ af ]
-                 [ protospec ] hosts [ "tag" string ]
+                 [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                  [ "->" ( redirhost | "{" redirhost-list "}" )
                  [ portspec ] [ pooltype ] [ "static-port" ] ]
 
 binat-rule     = [ "no" ] "binat" [ "pass" ] [ "on" interface-name ]
                  [ af ] [ "proto" ( proto-name | proto-number ) ]
                  "from" address [ "/" mask-bits ] "to" ipspec
-                 [ "tag" string ]
+                 [ "tag" string ] [ "tagged" string ]
                  [ "->" address [ "/" mask-bits ] ]
 
 rdr-rule       = [ "no" ] "rdr" [ "pass" ] [ "on" ifspec ] [ af ]
-                 [ protospec ] hosts [ "tag" string ]
+                 [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
                  [ "->" ( redirhost | "{" redirhost-list "}" )
                  [ portspec ] [ pooltype ] ]
 
@@ -2483,7 +2682,7 @@ anchor-rule    = "anchor" string [ ( "in" | "out" ) ] [ "on" ifspec ]
 trans-anchors  = ( "nat-anchor" | "rdr-anchor" | "binat-anchor" ) string
                  [ "on" ifspec ] [ af ] [ "proto" ] [ protospec ] [ hosts ]
 
-load-anchor    = "load anchor" anchorname:rulesetname "from" filename
+load-anchor    = "load anchor" string "from" filename
 
 queueopts-list = queueopts-list queueopts | queueopts
 queueopts      = [ "bandwidth" bandwidth-spec ] |
@@ -2492,7 +2691,7 @@ queueopts      = [ "bandwidth" bandwidth-spec ] |
 schedulers     = ( cbq-def | priq-def | hfsc-def )
 bandwidth-spec = "number" ( "b" | "Kb" | "Mb" | "Gb" | "%" )
 
-action         = "pass" | "block" [ return ] | "scrub"
+action         = "pass" | "block" [ return ] | [ "no" ] "scrub"
 return         = "drop" | "return" | "return-rst" [ "( ttl" number ")" ] |
                  "return-icmp" [ "(" icmpcode ["," icmp6code ] ")" ] |
                  "return-icmp6" [ "(" icmp6code ")" ]
@@ -2513,9 +2712,9 @@ proto-list     = ( proto-name | proto-number ) [ [ "," ] proto-list ]
 
 hosts          = "all" |
                  "from" ( "any" | "no-route" | "self" | host |
-                 "{" host-list "}" ) [ port ] [ os ]
+                 "{" host-list "}" | "route" string ) [ port ] [ os ]
                  "to"   ( "any" | "no-route" | "self" | host |
-                 "{" host-list "}" ) [ port ]
+                 "{" host-list "}" | "route" string ) [ port ]
 
 ipspec         = "any" | host | "{" host-list "}"
 host           = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
@@ -2557,7 +2756,10 @@ tos            = "tos" ( "lowdelay" | "throughput" | "reliability" |
 state-opts     = state-opt [ [ "," ] state-opts ]
 state-opt      = ( "max" number | "no-sync" | timeout |
                  "source-track" [ ( "rule" | "global" ) ] |
-		 "max-src-nodes" number | "max-src-states" number |
+                 "max-src-nodes" number | "max-src-states" number |
+                 "max-src-conn" number |
+                 "max-src-conn-rate" number "/" number |
+                 "overload" "<" string ">" [ "flush" ] |
                  "if-bound" | "group-bound" | "floating" )
 
 fragmentation  = [ "fragment reassemble" | "fragment crop" |
@@ -2616,6 +2818,7 @@ Example rulesets.
 .Xr ip6 4 ,
 .Xr pf 4 ,
 .Xr pfsync 4 ,
+.Xr route 4 ,
 .Xr tcp 4 ,
 .Xr udp 4 ,
 .Xr hosts 5 ,
@@ -2624,7 +2827,8 @@ Example rulesets.
 .Xr services 5 ,
 .Xr ftp-proxy 8 ,
 .Xr pfctl 8 ,
-.Xr pflogd 8
+.Xr pflogd 8 ,
+.Xr route 8
 .Sh HISTORY
 The
 .Nm
diff --git a/contrib/pf/man/pf.os.5 b/contrib/pf/man/pf.os.5
index 9978174..f4bdeda 100644
--- a/contrib/pf/man/pf.os.5
+++ b/contrib/pf/man/pf.os.5
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: pf.os.5,v 1.5 2003/10/25 07:55:27 jmc Exp $
+.\"	$OpenBSD: pf.os.5,v 1.6 2004/03/31 11:13:03 dhartmei Exp $
 .\"
 .\" Copyright (c) 2003 Mike Frantzen <frantzen@w4g.org>
 .\"
@@ -160,7 +160,7 @@ exact same TCP options in the same order.
 .Pp
 The
 .Ar class
-field is the class, genre or vender of the operating system.
+field is the class, genre or vendor of the operating system.
 .Pp
 The
 .Ar version
diff --git a/contrib/pf/man/pfsync.4 b/contrib/pf/man/pfsync.4
index f7b39df..4c3c698 100644
--- a/contrib/pf/man/pfsync.4
+++ b/contrib/pf/man/pfsync.4
@@ -1,6 +1,7 @@
-.\"	$OpenBSD: pfsync.4,v 1.16 2004/03/22 21:04:36 jmc Exp $
+.\"	$OpenBSD: pfsync.4,v 1.22 2005/02/24 15:53:17 jmc Exp $
 .\"
 .\" Copyright (c) 2002 Michael Shalayeff
+.\" Copyright (c) 2003-2004 Ryan McBride
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -28,7 +29,7 @@
 .Os
 .Sh NAME
 .Nm pfsync
-.Nd packet filter states table logging interface
+.Nd packet filter state table logging interface
 .Sh SYNOPSIS
 .Cd "pseudo-device pfsync"
 .Sh DESCRIPTION
@@ -68,20 +69,20 @@ state into one message where possible.
 The maximum number of times this can be done before the update is sent out
 is controlled by the
 .Ar maxupd
-to ifconfig.
+parameter to ifconfig
 (see
 .Xr ifconfig 8
-and the example below for more details)
+and the example below for more details).
 .Pp
 Each packet retrieved on this interface has a header associated
 with it of length
 .Dv PFSYNC_HDRLEN .
 The header indicates the version of the protocol, address family,
-action taken on the following states and the number of state
+action taken on the following states, and the number of state
 table entries attached in this packet.
-This structure, defined in
+This structure is defined in
 .Aq Pa net/if_pfsync.h
-looks like:
+as:
 .Bd -literal -offset indent
 struct pfsync_header {
 	u_int8_t version;
@@ -95,21 +96,35 @@ States can be synchronised between two or more firewalls using this
 interface, by specifying a synchronisation interface using
 .Xr ifconfig 8 .
 For example, the following command sets fxp0 as the synchronisation
-interface.
+interface:
 .Bd -literal -offset indent
-# ifconfig pfsync0 syncif fxp0
+# ifconfig pfsync0 syncdev fxp0
 .Ed
 .Pp
-State change messages are sent out on the synchronisation
+By default, state change messages are sent out on the synchronisation
 interface using IP multicast packets.
 The protocol is IP protocol 240, PFSYNC, and the multicast group
 used is 224.0.0.240.
+When a peer address is specified using the
+.Ic syncpeer
+keyword, the peer address is used as a destination for the pfsync traffic,
+and the traffic can then be protected using
+.Xr ipsec 4 .
+In such a configuration, the syncdev should be set to the
+.Xr enc 4
+interface, as this is where the traffic arrives when it is decapsulated,
+e.g.:
+.Bd -literal -offset indent
+# ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
+.Ed
 .Pp
-It is important that the synchronisation interface be on a trusted
-network as there is no authentication on the protocol and it would
+It is important that the pfsync traffic be well secured
+as there is no authentication on the protocol and it would
 be trivial to spoof packets which create states, bypassing the pf ruleset.
-Ideally, this is a network dedicated to pfsync messages,
-i.e. a crossover cable between two firewalls.
+Either run the pfsync protocol on a trusted network \- ideally  a network
+dedicated to pfsync messages such as a crossover cable between two firewalls,
+or specify a peer address and protect the traffic with
+.Xr ipsec 4 .
 .Pp
 There is a one-to-one correspondence between packets seen by
 .Xr bpf 4
@@ -135,8 +150,8 @@ is shut down, the second firewall takes over automatically.
 Both firewalls in this example have three
 .Xr sis 4
 interfaces.
-sis0 is the external interface, on the 10.0.0.0/24 subnet, sis1 is the
-internal interface, on the 192.168.0.0/24 subnet, and sis2 is the
+sis0 is the external interface, on the 10.0.0.0/24 subnet; sis1 is the
+internal interface, on the 192.168.0.0/24 subnet; and sis2 is the
 .Nm
 interface, using the 192.168.254.0/24 subnet.
 A crossover cable connects the two firewalls via their sis2 interfaces.
@@ -172,7 +187,7 @@ inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar
 .Pp
 .Pa /etc/hostname.pfsync0 :
 .Bd -literal -offset indent
-up syncif sis2
+up syncdev sis2
 .Ed
 .Pp
 .Xr pf 4
@@ -210,8 +225,11 @@ net.inet.carp.preempt=1
 .Ed
 .Sh SEE ALSO
 .Xr bpf 4 ,
+.Xr carp 4 ,
+.Xr enc 4 ,
 .Xr inet 4 ,
 .Xr inet6 4 ,
+.Xr ipsec 4 ,
 .Xr netintro 4 ,
 .Xr pf 4 ,
 .Xr hostname.if 5 ,
-- 
cgit v1.1