739 lines
20 KiB
Groff
739 lines
20 KiB
Groff
.\" $OpenBSD: pfctl.8,v 1.183 2022/11/18 18:11:10 kn Exp $
|
|
.\"
|
|
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. The name of the author may not be used to endorse or promote products
|
|
.\" derived from this software without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.Dd $Mdocdate: November 18 2022 $
|
|
.Dt PFCTL 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm pfctl
|
|
.Nd control the packet filter (PF) device
|
|
.Sh SYNOPSIS
|
|
.Nm pfctl
|
|
.Bk -words
|
|
.Op Fl deghNnPqrvz
|
|
.Op Fl a Ar anchor
|
|
.Op Fl D Ar macro Ns = Ns Ar value
|
|
.Op Fl F Ar modifier
|
|
.Op Fl f Ar file
|
|
.Op Fl i Ar interface
|
|
.Op Fl K Ar key
|
|
.Op Fl k Ar key
|
|
.Op Fl L Ar statefile
|
|
.Op Fl o Ar level
|
|
.Op Fl p Ar device
|
|
.Op Fl S Ar statefile
|
|
.Op Fl s Ar modifier Op Fl R Ar id
|
|
.Op Fl t Ar table Fl T Ar command Op Ar address ...
|
|
.Op Fl V Ar rdomain
|
|
.Op Fl x Ar level
|
|
.Ek
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
utility communicates with the packet filter device using the
|
|
ioctl interface described in
|
|
.Xr pf 4 .
|
|
It allows ruleset and parameter configuration,
|
|
and retrieval of status information from the packet filter.
|
|
Packet filtering restricts the types of packets that pass through
|
|
network interfaces entering or leaving the host based on filter
|
|
rules as described in
|
|
.Xr pf.conf 5 .
|
|
The packet filter can also replace addresses and ports of packets.
|
|
.Pp
|
|
The packet filter is enabled by default.
|
|
Should
|
|
.Nm
|
|
be unable to load a ruleset,
|
|
an error occurs and the original ruleset remains in place.
|
|
If this happens at system startup,
|
|
the ruleset defined by the
|
|
.Va RULES
|
|
variable in
|
|
.Xr rc 8
|
|
remains in place.
|
|
.Pp
|
|
The packet filter does not itself forward packets between interfaces.
|
|
Forwarding can be enabled by setting the
|
|
.Xr sysctl 8
|
|
variables
|
|
.Em net.inet.ip.forwarding
|
|
and/or
|
|
.Em net.inet6.ip6.forwarding
|
|
to 1.
|
|
Set them permanently in
|
|
.Xr sysctl.conf 5 .
|
|
.Pp
|
|
At least one option must be specified.
|
|
The options are as follows:
|
|
.Bl -tag -width Ds
|
|
.It Fl a Ar anchor
|
|
Apply flags
|
|
.Fl f ,
|
|
.Fl F ,
|
|
.Fl s ,
|
|
and
|
|
.Fl T
|
|
only to the rules in the specified
|
|
.Ar anchor .
|
|
In addition to the main ruleset,
|
|
.Nm
|
|
can load and manipulate additional rulesets by name,
|
|
called anchors.
|
|
The main ruleset is the default anchor.
|
|
.Pp
|
|
Anchors are referenced by name and may be nested,
|
|
with the various components of the anchor path separated by
|
|
.Sq /
|
|
characters, similar to how file system hierarchies are laid out.
|
|
The last component of the anchor path is where ruleset operations are
|
|
performed.
|
|
.Pp
|
|
Evaluation of
|
|
.Ar anchor
|
|
rules from the main ruleset is described in
|
|
.Xr pf.conf 5 .
|
|
.Pp
|
|
For example, the following will show all filter rules (see the
|
|
.Fl s
|
|
flag below) inside the anchor
|
|
.Dq authpf/smith(1234) ,
|
|
which would have been created for user
|
|
.Dq smith
|
|
by
|
|
.Xr authpf 8 ,
|
|
PID 1234:
|
|
.Bd -literal -offset indent
|
|
# pfctl -a "authpf/smith(1234)" -s rules
|
|
.Ed
|
|
.Pp
|
|
Private tables can also be put inside anchors, either by having table
|
|
statements in the
|
|
.Xr pf.conf 5
|
|
file that is loaded in the anchor, or by using regular table commands, as in:
|
|
.Bd -literal -offset indent
|
|
# pfctl -a foo/bar -t mytable -T add 1.2.3.4 5.6.7.8
|
|
.Ed
|
|
.Pp
|
|
When a rule referring to a table is loaded in an anchor, the rule will use the
|
|
private table if one is defined, and then fall back to the table defined in the
|
|
main ruleset, if there is one.
|
|
This is similar to C rules for variable scope.
|
|
It is possible to create distinct tables with the same name in the global
|
|
ruleset and in an anchor, but this is often bad design and a warning will be
|
|
issued in that case.
|
|
.Pp
|
|
By default, recursive inline printing of anchors applies only to unnamed
|
|
anchors specified inline in the ruleset.
|
|
If the anchor name is terminated with a
|
|
.Sq *
|
|
character, the
|
|
.Fl s
|
|
flag will recursively print all anchors in a brace delimited block.
|
|
For example the following will print the
|
|
.Dq authpf
|
|
ruleset recursively:
|
|
.Bd -literal -offset indent
|
|
# pfctl -a 'authpf/*' -sr
|
|
.Ed
|
|
.Pp
|
|
To print the main ruleset recursively, specify only
|
|
.Sq *
|
|
as the anchor name:
|
|
.Bd -literal -offset indent
|
|
# pfctl -a '*' -sr
|
|
.Ed
|
|
.Pp
|
|
To flush all rulesets and tables recursively, specify only
|
|
.Sq *
|
|
as the anchor name:
|
|
.Bd -literal -offset indent
|
|
# pfctl -a '*' -Fa
|
|
.Ed
|
|
.It Fl D Ar macro Ns = Ns Ar value
|
|
Define
|
|
.Ar macro
|
|
to be set to
|
|
.Ar value
|
|
on the command line.
|
|
Overrides the definition of
|
|
.Ar macro
|
|
in the ruleset.
|
|
.It Fl d
|
|
Disable the packet filter.
|
|
.It Fl e
|
|
Enable the packet filter.
|
|
.It Fl F Ar modifier
|
|
Flush the filter parameters specified by
|
|
.Ar modifier
|
|
(may be abbreviated):
|
|
.Pp
|
|
.Bl -tag -width xxxxxxxxxxxx -compact
|
|
.It Fl F Cm rules
|
|
Flush the filter rules.
|
|
.It Fl F Cm states
|
|
Flush the state table (NAT and filter).
|
|
.It Fl F Cm Sources
|
|
Flush the source tracking table.
|
|
.It Fl F Cm info
|
|
Flush the filter information (statistics that are not bound to rules).
|
|
.It Fl F Cm Tables
|
|
Flush the tables.
|
|
.It Fl F Cm osfp
|
|
Flush the passive operating system fingerprints.
|
|
.It Fl F Cm Reset
|
|
Reset limits, timeouts and other options back to default settings.
|
|
See the OPTIONS section in
|
|
.Xr pf.conf 5
|
|
for details.
|
|
.It Fl F Cm all
|
|
Flush all of the above.
|
|
.El
|
|
.Pp
|
|
If
|
|
.Fl a
|
|
is specified as well and
|
|
.Ar anchor
|
|
is terminated with a
|
|
.Sq *
|
|
character,
|
|
.Cm rules ,
|
|
.Cm Tables
|
|
and
|
|
.Cm all
|
|
flush the given anchor recursively.
|
|
.It Fl f Ar file
|
|
Replace the current ruleset with
|
|
the rules contained in
|
|
.Ar file .
|
|
This
|
|
.Ar file
|
|
may contain macros, tables, options, and normalization, queueing,
|
|
translation, and filtering rules.
|
|
With the exception of macros and tables, the statements must appear in that
|
|
order.
|
|
.It Fl g
|
|
Include output helpful for debugging.
|
|
.It Fl h
|
|
Help.
|
|
.It Fl i Ar interface
|
|
Restrict the operation to the given
|
|
.Ar interface .
|
|
.It Fl K Ar key
|
|
Kill all of the source tracking entries originating from the
|
|
host or network specified by
|
|
.Ar key .
|
|
A second
|
|
.Fl K
|
|
option may be specified, which will kill all the source tracking entries
|
|
from the first host/network to the second.
|
|
.It Fl k Ar key
|
|
Kill all of the state entries originating from the
|
|
host or network specified by
|
|
.Ar key .
|
|
A second
|
|
.Fl k
|
|
option may be specified, which will kill all the state entries
|
|
from the first host/network to the second.
|
|
.Pp
|
|
A network prefix length of 0 can be used as a wildcard.
|
|
To kill all states with the target
|
|
.Dq host2 :
|
|
.Pp
|
|
.Dl # pfctl -k 0.0.0.0/0 -k host2
|
|
.Pp
|
|
It is also possible to kill states by rule label, state key, or state ID.
|
|
In this mode the first
|
|
.Fl k
|
|
argument is used to specify the type;
|
|
a second
|
|
.Fl k
|
|
gives the actual target.
|
|
.Pp
|
|
To kill states by rule label,
|
|
use the
|
|
.Cm label
|
|
modifier.
|
|
To kill all states created from rules carrying the label
|
|
.Dq foobar :
|
|
.Pp
|
|
.Dl # pfctl -k label -k foobar
|
|
.Pp
|
|
To kill one specific state by its state key
|
|
(as shown by pfctl -s state),
|
|
use the
|
|
.Cm key
|
|
modifier.
|
|
To kill a state originating from 10.0.0.101:32123 to 10.0.0.1:80,
|
|
protocol TCP, use:
|
|
.Pp
|
|
.Dl # pfctl -k key -k 'tcp 10.0.0.1:80 <- 10.0.0.101:32123'
|
|
.Pp
|
|
To kill one specific state by its unique state ID
|
|
(as shown by pfctl -s state -vv),
|
|
use the
|
|
.Cm id
|
|
modifier.
|
|
To kill a state with ID 4823e84500000003 use:
|
|
.Pp
|
|
.Dl # pfctl -k id -k 4823e84500000003
|
|
.Pp
|
|
To kill a state with ID 4823e84500000018 created from a backup
|
|
firewall with hostid 00000002 use:
|
|
.Pp
|
|
.Dl # pfctl -k id -k 4823e84500000018/2
|
|
.It Fl L Ar statefile
|
|
Load pf states from the file specified by
|
|
.Ar statefile .
|
|
.It Fl N
|
|
Do not perform domain name resolution.
|
|
If a name cannot be resolved without DNS, an error will be reported.
|
|
.It Fl n
|
|
Do not actually load rules, just parse them.
|
|
.It Fl o Ar level
|
|
Control the ruleset optimizer, overriding any rule file settings.
|
|
.Pp
|
|
.Bl -tag -width xxxxxxxxxxxx -compact
|
|
.It Fl o Cm none
|
|
Disable the ruleset optimizer.
|
|
.It Fl o Cm basic
|
|
Enable basic ruleset optimizations.
|
|
This is the default behaviour.
|
|
.It Fl o Cm profile
|
|
Enable basic ruleset optimizations with profiling.
|
|
.El
|
|
.Pp
|
|
For further information on the ruleset optimizer, see
|
|
.Xr pf.conf 5 .
|
|
.It Fl P
|
|
Print ports using their names in
|
|
.Pa /etc/services
|
|
if available.
|
|
.It Fl p Ar device
|
|
Use the device file
|
|
.Ar device
|
|
instead of the default
|
|
.Pa /dev/pf .
|
|
.It Fl q
|
|
Only print errors and warnings.
|
|
.It Fl r
|
|
Perform reverse DNS lookups on states and tables when displaying them.
|
|
.Fl N
|
|
and
|
|
.Fl r
|
|
are mutually exclusive.
|
|
.It Fl S Ar statefile
|
|
Store the pf state table in the file specified by
|
|
.Ar statefile .
|
|
.It Fl s Ar modifier Op Fl R Ar id
|
|
Show the filter parameters specified by
|
|
.Ar modifier
|
|
(may be abbreviated):
|
|
.Pp
|
|
.Bl -tag -width xxxxxxxxxxxxxx -compact
|
|
.It Fl s Cm queue
|
|
Show the currently loaded queue definitions.
|
|
When used together with
|
|
.Fl v ,
|
|
per-queue statistics are also shown.
|
|
When used together with
|
|
.Fl v v ,
|
|
.Nm
|
|
will loop and show updated queue statistics every five seconds, including
|
|
measured bandwidth and packets per second.
|
|
.It Fl s Cm rules
|
|
Show the currently loaded filter rules.
|
|
If
|
|
.Fl R Ar id
|
|
is specified as well,
|
|
only the rule with the specified numeric ID is shown.
|
|
When used together with
|
|
.Fl v ,
|
|
the per-rule statistics (number of evaluations,
|
|
packets and bytes) are also shown.
|
|
When used together with
|
|
.Fl g
|
|
or
|
|
.Fl vv ,
|
|
expired rules
|
|
.Pq marked as Dq # expired
|
|
are also shown.
|
|
Note that the
|
|
.Dq skip step
|
|
optimization done automatically by the kernel
|
|
will skip evaluation of rules where possible.
|
|
Packets passed statefully are counted in the rule that created the state
|
|
(even though the rule isn't evaluated more than once for the entire
|
|
connection).
|
|
.It Fl s Cm Anchors
|
|
Show the currently loaded anchors directly attached to the main ruleset.
|
|
If
|
|
.Fl a Ar anchor
|
|
is specified as well, the anchors loaded directly below the given
|
|
.Ar anchor
|
|
are shown instead.
|
|
If
|
|
.Fl v
|
|
is specified, all anchors attached under the target anchor will be
|
|
displayed recursively.
|
|
.It Fl s Cm states
|
|
Show the contents of the state table.
|
|
If
|
|
.Fl R Ar id
|
|
is specified as well,
|
|
only states created by the rule with the specified numeric ID are shown.
|
|
.It Fl s Cm Sources
|
|
Show the contents of the source tracking table.
|
|
.It Fl s Cm info
|
|
Show filter information (statistics and counters).
|
|
When used together with
|
|
.Fl v ,
|
|
source tracking statistics, the firewall's 32-bit hostid number and the
|
|
main ruleset's MD5 checksum for use with
|
|
.Xr pfsync 4
|
|
are also shown.
|
|
.It Fl s Cm labels
|
|
Show per-rule statistics (label, evaluations, packets total, bytes total,
|
|
packets in, bytes in, packets out, bytes out, state creations) of
|
|
filter rules with labels, useful for accounting.
|
|
If
|
|
.Fl R Ar id
|
|
is specified as well,
|
|
only the statistics for the rule with the specified numeric ID are shown.
|
|
.It Fl s Cm timeouts
|
|
Show the current global timeouts.
|
|
.It Fl s Cm memory
|
|
Show the current pool memory hard limits.
|
|
.It Fl s Cm Tables
|
|
Show the list of tables.
|
|
.It Fl s Cm osfp
|
|
Show the list of operating system fingerprints.
|
|
.It Fl s Cm Interfaces
|
|
Show the list of interfaces and interface groups available to PF.
|
|
When used together with
|
|
.Fl v ,
|
|
it additionally lists which interfaces have skip rules activated.
|
|
When used together with
|
|
.Fl vv ,
|
|
interface statistics are also shown.
|
|
.Fl i
|
|
can be used to select an interface or a group of interfaces.
|
|
.It Fl s Cm all
|
|
Show all of the above, except for the lists of interfaces and operating
|
|
system fingerprints.
|
|
.El
|
|
.Pp
|
|
Counters shown with
|
|
.Fl s Cm info
|
|
are:
|
|
.Pp
|
|
.Bl -tag -width xxxxxxxxxxxxxx -compact
|
|
.It match
|
|
explicit rule match
|
|
.It bad-offset
|
|
currently unused
|
|
.It fragment
|
|
invalid fragments dropped
|
|
.It short
|
|
short packets dropped
|
|
.It normalize
|
|
dropped by normalizer: illegal packets
|
|
.It memory
|
|
memory could not be allocated
|
|
.It bad-timestamp
|
|
bad TCP timestamp; RFC 1323
|
|
.It congestion
|
|
network interface queue congested
|
|
.It ip-option
|
|
bad IP/IPv6 options
|
|
.It proto-cksum
|
|
invalid protocol checksum
|
|
.It state-mismatch
|
|
packet was associated with a state entry, but sequence numbers did not match
|
|
.It state-insert
|
|
state insertion failure
|
|
.It state-limit
|
|
configured state limit was reached
|
|
.It src-limit
|
|
source node/connection limit
|
|
.It synproxy
|
|
dropped by synproxy
|
|
.It translate
|
|
no free ports in translation port range
|
|
.It no-route
|
|
dropped by no-route
|
|
.El
|
|
.It Fl t Ar table Fl T Ar command Op Ar address ...
|
|
Specify the
|
|
.Ar command
|
|
(may be abbreviated) to apply to
|
|
.Ar table .
|
|
Commands include:
|
|
.Pp
|
|
.Bl -tag -width "-T expire number" -compact
|
|
.It Fl T Cm add
|
|
Add one or more addresses to a table.
|
|
Automatically create a persistent table if it does not exist.
|
|
.It Fl T Cm delete
|
|
Delete one or more addresses from a table.
|
|
.It Fl T Cm expire Ar number
|
|
Delete addresses which had their statistics cleared more than
|
|
.Ar number
|
|
seconds ago.
|
|
For entries which have never had their statistics cleared,
|
|
.Ar number
|
|
refers to the time they were added to the table.
|
|
.It Fl T Cm flush
|
|
Flush all addresses in a table.
|
|
.It Fl T Cm kill
|
|
Kill a table.
|
|
.It Fl T Cm replace
|
|
Replace the addresses of the table.
|
|
Automatically create a persistent table if it does not exist.
|
|
.It Fl T Cm show
|
|
Show the content (addresses) of a table.
|
|
.It Fl T Cm test
|
|
Test if the given addresses match a table.
|
|
.It Fl T Cm zero
|
|
Clear all the statistics of a table.
|
|
.El
|
|
.Pp
|
|
For the
|
|
.Cm add ,
|
|
.Cm delete ,
|
|
.Cm replace ,
|
|
and
|
|
.Cm test
|
|
commands, the list of addresses can be specified either directly on the command
|
|
line and/or in an unformatted text file, using the
|
|
.Fl f
|
|
flag.
|
|
Comments starting with a
|
|
.Sq #
|
|
are allowed in the text file.
|
|
With these commands, the
|
|
.Fl v
|
|
flag can also be used once or twice, in which case
|
|
.Nm
|
|
will print the
|
|
detailed result of the operation for each individual address, prefixed by
|
|
one of the following letters:
|
|
.Pp
|
|
.Bl -tag -width XXX -compact
|
|
.It A
|
|
The address/network has been added.
|
|
.It C
|
|
The address/network has been changed (negated).
|
|
.It D
|
|
The address/network has been deleted.
|
|
.It M
|
|
The address matches
|
|
.Po
|
|
.Cm test
|
|
operation only
|
|
.Pc .
|
|
.It X
|
|
The address/network is duplicated and therefore ignored.
|
|
.It Y
|
|
The address/network cannot be added/deleted due to conflicting
|
|
.Sq \&!
|
|
attributes.
|
|
.It Z
|
|
The address/network has been cleared (statistics).
|
|
.El
|
|
.Pp
|
|
Each table can maintain a set of counters that can be retrieved using the
|
|
.Fl v
|
|
flag of
|
|
.Nm .
|
|
For example, the following commands define a wide open firewall which will keep
|
|
track of packets going to or coming from the
|
|
.Ox
|
|
FTP server.
|
|
The following commands configure the firewall and send 10 pings to the FTP
|
|
server:
|
|
.Bd -literal -offset indent
|
|
# printf "table <test> counters { ftp.secbsd.org }\en \e
|
|
pass out to <test>\en" | pfctl -f-
|
|
# ping -qc10 ftp.secbsd.org
|
|
.Ed
|
|
.Pp
|
|
We can now use the table
|
|
.Cm show
|
|
command to output, for each address and packet direction, the number of packets
|
|
and bytes that are being passed, matched or blocked by rules referencing the
|
|
table.
|
|
Note that the match counters are incremented for every match rule in which
|
|
they are referenced, meaning that a single packet may be counted multiple times.
|
|
The time at which the current accounting started is also shown with the
|
|
.Dq Cleared
|
|
line.
|
|
.Bd -literal -offset indent
|
|
# pfctl -t test -vTshow
|
|
198.51.100.81
|
|
Cleared: Fri Jun 28 11:17:37 2013
|
|
In/Block: [ Packets: 0 Bytes: 0 ]
|
|
In/Match [ Packets: 54 Bytes: 10028 ]
|
|
In/Pass: [ Packets: 5 Bytes: 1949 ]
|
|
Out/Block: [ Packets: 0 Bytes: 0 ]
|
|
Out/Match [ Packets: 65 Bytes: 12684 ]
|
|
Out/Pass: [ Packets: 6 Bytes: 389 ]
|
|
.Ed
|
|
.Pp
|
|
Similarly, it is possible to view global information about the tables
|
|
by using the
|
|
.Fl v
|
|
modifier twice and the
|
|
.Fl s
|
|
.Cm Tables
|
|
command.
|
|
This will display the number of addresses on each table,
|
|
the number of rules which reference the table, and the global
|
|
packet statistics for the whole table:
|
|
.Bd -literal -offset indent
|
|
# pfctl -vvsTables
|
|
--a-r-C test
|
|
Addresses: 1
|
|
Cleared: Fri Jun 28 11:17:37 2013
|
|
References: [ Anchors: 0 Rules: 4 ]
|
|
Evaluations: [ NoMatch: 35 Match: 8 ]
|
|
In/Block: [ Packets: 0 Bytes: 0 ]
|
|
In/Match: [ Packets: 54 Bytes: 10028 ]
|
|
In/Pass: [ Packets: 5 Bytes: 1949 ]
|
|
In/XPass: [ Packets: 0 Bytes: 0 ]
|
|
Out/Block: [ Packets: 0 Bytes: 0 ]
|
|
Out/Match: [ Packets: 65 Bytes: 12684 ]
|
|
Out/Pass: [ Packets: 6 Bytes: 389 ]
|
|
Out/XPass: [ Packets: 0 Bytes: 0 ]
|
|
.Ed
|
|
.Pp
|
|
Only packets creating state are matched in the Evaluations line,
|
|
but all packets passing as a result of the state are correctly accounted for.
|
|
Reloading the table(s) or ruleset will not affect packet accounting in any way.
|
|
The two
|
|
.Dq XPass
|
|
counters are incremented instead of the
|
|
.Dq Pass
|
|
counters when a
|
|
.Dq stateful
|
|
packet is passed but doesn't match the table anymore.
|
|
This will happen in our example if someone flushes the table while the
|
|
.Xr ping 8
|
|
command is running.
|
|
.Pp
|
|
When used with a single
|
|
.Fl v ,
|
|
.Nm
|
|
will only display the first line containing the table flags and name.
|
|
The flags are defined as follows:
|
|
.Pp
|
|
.Bl -tag -width XXX -compact
|
|
.It c
|
|
For constant tables, which cannot be altered outside
|
|
.Xr pf.conf 5 .
|
|
.It p
|
|
For persistent tables, which don't get automatically killed when no rules
|
|
refer to them.
|
|
.It a
|
|
For tables which are part of the
|
|
.Em active
|
|
tableset.
|
|
Tables without this flag do not really exist, cannot contain addresses, and are
|
|
only listed if the
|
|
.Fl g
|
|
flag is given.
|
|
.It i
|
|
For tables which are part of the
|
|
.Em inactive
|
|
tableset.
|
|
This flag can only be witnessed briefly during the loading of
|
|
.Xr pf.conf 5 .
|
|
.It r
|
|
For tables which are referenced (used) by rules.
|
|
.It h
|
|
This flag is set when a table in the main ruleset is hidden by one or more
|
|
tables of the same name from anchors attached below it.
|
|
.It C
|
|
This flag is set when per-address counters are enabled on the table.
|
|
.El
|
|
.It Fl V Ar rdomain
|
|
Select the routing domain to be used to kill states by host or by label.
|
|
The rdomain of a state is displayed in parentheses before the host by
|
|
.Fl s Cm states .
|
|
.It Fl v
|
|
Produce more verbose output.
|
|
A second use of
|
|
.Fl v
|
|
will produce even more verbose output including ruleset warnings.
|
|
See the previous section for its effect on table commands.
|
|
.It Fl x Ar level
|
|
Set the debug
|
|
.Ar level ,
|
|
which limits the severity of log messages printed by
|
|
.Xr pf 4 .
|
|
This should be a keyword from the following ordered list
|
|
(highest to lowest):
|
|
.Cm emerg ,
|
|
.Cm alert ,
|
|
.Cm crit ,
|
|
.Cm err ,
|
|
.Cm warning ,
|
|
.Cm notice ,
|
|
.Cm info ,
|
|
and
|
|
.Cm debug .
|
|
These keywords correspond to the similar (LOG_) values specified to the
|
|
.Xr syslog 3
|
|
library routine,
|
|
and may be abbreviated on the command line.
|
|
.It Fl z
|
|
Clear per-rule statistics.
|
|
.El
|
|
.Sh FILES
|
|
.Bl -tag -width "/etc/pf.conf" -compact
|
|
.It Pa /etc/pf.conf
|
|
Packet filter rules file.
|
|
.It Pa /etc/pf.os
|
|
Passive operating system fingerprint database.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr pf 4 ,
|
|
.Xr pf.conf 5 ,
|
|
.Xr pf.os 5 ,
|
|
.Xr sysctl.conf 5 ,
|
|
.Xr authpf 8 ,
|
|
.Xr ftp-proxy 8 ,
|
|
.Xr rc 8 ,
|
|
.Xr rc.conf 8 ,
|
|
.Xr sysctl 8
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
program and the
|
|
.Xr pf 4
|
|
filter mechanism first appeared in
|
|
.Ox 3.0 .
|