/dev/pf
,
allows userland processes to control the
behavior of the packet filter through an
ioctl(2)
interface.
There are commands to enable and disable the filter, load rulesets,
add and remove individual rules or state table entries,
and retrieve statistics.
The most commonly used functions are covered by
pfctl(8).
Manipulations like loading a ruleset that involve more than a single ioctl(2) call require a so-called ticket, which prevents the occurrence of multiple concurrent manipulations.
Fields of ioctl(2) parameter structures that refer to packet data (like addresses and ports) are generally expected in network byte-order.
Rules and address tables are contained in so-called anchors. When servicing an ioctl(2) request, if the anchor field of the argument structure is empty, the kernel will use the default anchor (i.e., the main ruleset) in operations. Anchors are specified by name and may be nested, with components separated by `/' characters, similar to how file system hierarchies are laid out. The final component of the anchor path is the anchor under which operations will be performed.
net/pfvar.h
>:
DIOCSTART
DIOCSTOP
DIOCSTARTALTQ
DIOCSTOPALTQ
DIOCBEGINADDRS
struct pfioc_pooladdr *pp
struct pfioc_pooladdr {
u_int32_t action;
u_int32_t ticket;
u_int32_t nr;
u_int32_t r_num;
u_int8_t r_action;
u_int8_t r_last;
u_int8_t af;
char anchor[MAXPATHLEN];
struct pf_pooladdr addr;
};
Clear the buffer address pool and get a
ticket
for subsequent
DIOCADDADDR
,
DIOCADDRULE
,
and
DIOCCHANGERULE
calls.
DIOCADDADDR
struct pfioc_pooladdr *pp
Add the pool address
addr
to the buffer address pool to be used in the following
DIOCADDRULE
or
DIOCCHANGERULE
call.
All other members of the structure are ignored.
DIOCADDRULE
struct pfioc_rule *pr
struct pfioc_rule {
u_int32_t action;
u_int32_t ticket;
u_int32_t pool_ticket;
u_int32_t nr;
char anchor[MAXPATHLEN];
char anchor_call[MAXPATHLEN];
struct pf_rule rule;
};
Add
rule
at the end of the inactive ruleset.
This call requires a
ticket
obtained through a preceding
DIOCXBEGIN
call and a
pool_ticket
obtained through a
DIOCBEGINADDRS
call.
DIOCADDADDR
must also be called if any pool addresses are required.
The optional
anchor
name indicates the anchor in which to append the rule.
nr
and
action
are ignored.
DIOCADDALTQ
struct pfioc_altq *pa
struct pfioc_altq {
u_int32_t action;
u_int32_t ticket;
u_int32_t nr;
struct pf_altq altq;
};
DIOCGETRULES
struct pfioc_rule *pr
DIOCGETRULE
calls and the number
nr
of rules in the active ruleset.
DIOCGETRULE
struct pfioc_rule *pr
DIOCGETRULES
call.
If
action
is set to
PF_GET_CLR_CNTR
,
the per-rule statistics on the requested rule are cleared.
DIOCGETADDRS
struct pfioc_pooladdr *pp
DIOCGETADDR
calls and the number
nr
of pool addresses in the rule specified with
r_action,
r_num,
and
anchor.
DIOCGETADDR
struct pfioc_pooladdr *pp
DIOCGETADDRS
call.
DIOCGETALTQS
struct pfioc_altq *pa
DIOCGETALTQ
calls and the number
nr
of queues in the active list.
DIOCGETALTQ
struct pfioc_altq *pa
DIOCGETALTQS
call.
DIOCGETQSTATS
struct pfioc_qstats *pq
struct pfioc_qstats {
u_int32_t ticket;
u_int32_t nr;
void *buf;
int nbytes;
u_int8_t scheduler;
};
This call fills in a pointer to the buffer of statistics buf, of length nbytes, for the queue specified by nr.
DIOCGETRULESETS
struct pfioc_ruleset *pr
struct pfioc_ruleset {
u_int32_t nr;
char path[MAXPATHLEN];
char name[PF_ANCHOR_NAME_SIZE];
};
Get the number
nr
of rulesets (i.e., anchors) directly attached to the anchor named by
path
for use in subsequent
DIOCGETRULESET
calls.
Nested anchors, since they are not directly attached to the given
anchor, will not be included.
This ioctl returns
EINVAL
if the given anchor does not exist.
DIOCGETRULESET
struct pfioc_ruleset *pr
DIOCGETRULESETS
call.
This ioctl returns
EINVAL
if the given anchor does not exist or
EBUSY
if another process is concurrently updating a ruleset.
DIOCADDSTATE
struct pfioc_state *ps
struct pfioc_state {
u_int32_t nr;
struct pf_state state;
};
DIOCGETSTATE
struct pfioc_state *ps
DIOCKILLSTATES
struct pfioc_state_kill *psk
struct pfioc_state_kill {
sa_family_t psk_af;
int psk_proto;
struct pf_rule_addr psk_src;
struct pf_rule_addr psk_dst;
char psk_ifname[IFNAMSIZ];
};
DIOCCLRSTATES
struct pfioc_state_kill *psk
DIOCKILLSTATES
,
but ignores the
psk_af,
psk_proto,
psk_src,
and
psk_dst
fields of the
structure.
DIOCSETSTATUSIF
struct pfioc_if *pi
struct pfioc_if {
char ifname[IFNAMSIZ];
};
DIOCGETSTATUS
struct pf_status *s
struct pf_status {
u_int64_t counters[PFRES_MAX];
u_int64_t lcounters[LCNT_MAX];
u_int64_t fcounters[FCNT_MAX];
u_int64_t scounters[SCNT_MAX];
u_int64_t pcounters[2][2][3];
u_int64_t bcounters[2][2];
u_int64_t stateid;
u_int32_t running;
u_int32_t states;
u_int32_t src_nodes;
u_int32_t since;
u_int32_t debug;
u_int32_t hostid;
char ifname[IFNAMSIZ];
u_int8_t pf_chksum[MD5_DIGEST_LENGTH];
};
DIOCCLRSTATUS
DIOCNATLOOK
struct pfioc_natlook *pnl
struct pfioc_natlook {
struct pf_addr saddr;
struct pf_addr daddr;
struct pf_addr rsaddr;
struct pf_addr rdaddr;
u_int16_t sport;
u_int16_t dport;
u_int16_t rsport;
u_int16_t rdport;
sa_family_t af;
u_int8_t proto;
u_int8_t direction;
};
DIOCSETDEBUG
u_int32_t *level
enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC,
PF_DEBUG_NOISY };
DIOCGETSTATES
struct pfioc_states *ps
struct pfioc_states {
int ps_len;
union {
caddr_t psu_buf;
struct pf_state *psu_states;
} ps_u;
#define ps_buf ps_u.psu_buf
#define ps_states ps_u.psu_states
};
If
ps_len
is non-zero on entry, as many states as possible that can fit into this
size will be copied into the supplied buffer
ps_states.
On exit,
ps_len
is always set to the total size required to hold all state table entries
(i.e., it is set to
sizeof(struct
pf_state)
*
nr
).
DIOCCHANGERULE
struct pfioc_rule *pcr
The type of operation to be performed is indicated by
action,
which can be any of the following:
enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
ticket
must be set to the value obtained with
PF_CHANGE_GET_TICKET
for all actions except
PF_CHANGE_GET_TICKET
.
pool_ticket
must be set to the value obtained with the
DIOCBEGINADDRS
call for all actions except
PF_CHANGE_REMOVE
and
PF_CHANGE_GET_TICKET
.
anchor
indicates to which anchor the operation applies.
nr
indicates the rule number against which
PF_CHANGE_ADD_BEFORE
,
PF_CHANGE_ADD_AFTER
,
or
PF_CHANGE_REMOVE
actions are applied.
DIOCCHANGEADDR
struct pfioc_pooladdr *pca
DIOCSETTIMEOUT
struct pfioc_tm *pt
struct pfioc_tm {
int timeout;
int seconds;
};
Set the state timeout of
timeout
to
seconds.
The old value will be placed into
seconds.
For possible values of
timeout,
consult the
PFTM_*
values in
<net/pfvar.h
>.
DIOCGETTIMEOUT
struct pfioc_tm *pt
DIOCCLRRULECTRS
DIOCSETLIMIT
struct pfioc_limit *pl
struct pfioc_limit {
int index;
unsigned limit;
};
enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
DIOCGETLIMIT
struct pfioc_limit *pl
DIOCRCLRTABLES
struct pfioc_table *io
DIOCRCLRTABLES
,
pfrio_ndel
contains on exit the number of tables deleted.
struct pfioc_table {
struct pfr_table pfrio_table;
void *pfrio_buffer;
int pfrio_esize;
int pfrio_size;
int pfrio_size2;
int pfrio_nadd;
int pfrio_ndel;
int pfrio_nchange;
int pfrio_flags;
u_int32_t pfrio_ticket;
};
#define pfrio_exists pfrio_nadd
#define pfrio_nzero pfrio_nadd
#define pfrio_nmatch pfrio_nadd
#define pfrio_naddr pfrio_size2
#define pfrio_setflag pfrio_size2
#define pfrio_clrflag pfrio_nadd
DIOCRADDTABLES
struct pfioc_table *io
struct pfr_table {
char pfrt_anchor[MAXPATHLEN];
char pfrt_name[PF_TABLE_NAME_SIZE];
u_int32_t pfrt_flags;
u_int8_t pfrt_fback;
};
DIOCRDELTABLES
struct pfioc_table *io
DIOCRGETTABLES
struct pfioc_table *io
DIOCRGETTSTATS
struct pfioc_table *io
DIOCRGETTABLES
but is used to get an array of
structures.
struct pfr_tstats {
struct pfr_table pfrts_t;
u_int64_t pfrts_packets
[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
u_int64_t pfrts_bytes
[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
u_int64_t pfrts_match;
u_int64_t pfrts_nomatch;
long pfrts_tzero;
int pfrts_cnt;
int pfrts_refcnt[PFR_REFCNT_MAX];
};
#define pfrts_name pfrts_t.pfrt_name
#define pfrts_flags pfrts_t.pfrt_flags
DIOCRCLRTSTATS
struct pfioc_table *io
DIOCRCLRADDRS
struct pfioc_table *io
DIOCRADDADDRS
struct pfioc_table *io
struct pfr_addr {
union {
struct in_addr _pfra_ip4addr;
struct in6_addr _pfra_ip6addr;
} pfra_u;
u_int8_t pfra_af;
u_int8_t pfra_net;
u_int8_t pfra_not;
u_int8_t pfra_fback;
};
#define pfra_ip4addr pfra_u._pfra_ip4addr
#define pfra_ip6addr pfra_u._pfra_ip6addr
DIOCRDELADDRS
struct pfioc_table *io
DIOCRSETADDRS
struct pfioc_table *io
On entry,
pfrio_table
contains the table ID and
pfrio_buffer
must point to an array of
containing at least
elements which become the new contents of the table.
must be the size of
Additionally, if
pfrio_size2
is non-zero,
pfrio_buffer[pfrio_size..pfrio_size2]
must be a writeable buffer, into which the kernel can copy the
addresses that have been deleted during the replace operation.
On exit,
pfrio_ndel,
pfrio_nadd,
and
pfrio_nchange
contain the number of addresses deleted, added, and changed by the
kernel.
If
pfrio_size2
was set on entry,
pfrio_size2
will point to the size of the buffer used, exactly like
DIOCRGETADDRS
.
DIOCRGETADDRS
struct pfioc_table *io
DIOCRGETASTATS
struct pfioc_table *io
DIOCRGETADDRS
but is used to get an array of
structures.
struct pfr_astats {
struct pfr_addr pfras_a;
u_int64_t pfras_packets
[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
u_int64_t pfras_bytes
[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
long pfras_tzero;
};
DIOCRCLRASTATS
struct pfioc_table *io
DIOCRTSTADDRS
struct pfioc_table *io
DIOCRSETTFLAGS
struct pfioc_table *io
PFR_TFLAG_CONST
or
PFR_TFLAG_PERSIST
flags of a table.
On entry,
pfrio_buffer
must point to an array of
containing at least
elements.
pfrio_esize
must be the size of
pfrio_setflag
must contain the flags to add, while
pfrio_clrflag
must contain the flags to remove.
On exit,
pfrio_nchange
and
pfrio_ndel
contain the number of tables altered or deleted by the kernel.
Yes, tables can be deleted if one removes the
PFR_TFLAG_PERSIST
flag of an unreferenced table.
DIOCRINADEFINE
struct pfioc_table *io
DIOCXBEGIN
struct pfioc_trans *io
struct pfioc_trans {
int size; /* number of elements */
int esize; /* size of each element in bytes */
struct pfioc_trans_e {
int rs_num;
char anchor[MAXPATHLEN];
u_int32_t ticket;
} *array;
};
Clear all the inactive rulesets specified in the
array.
For each ruleset, a ticket is returned for subsequent "add rule" ioctls,
as well as for the
DIOCXCOMMIT
and
DIOCXROLLBACK
calls.
Ruleset types, identified by rs_num, include the following:
PF_RULESET_SCRUB
PF_RULESET_FILTER
PF_RULESET_NAT
PF_RULESET_BINAT
PF_RULESET_RDR
PF_RULESET_ALTQ
PF_RULESET_TABLE
DIOCXCOMMIT
struct pfioc_trans *io
EBUSY
if another process is concurrently updating some of the same rulesets.
DIOCXROLLBACK
struct pfioc_trans *io
DIOCXBEGIN
.
DIOCXROLLBACK
will silently ignore rulesets for which the ticket is invalid.
DIOCSETHOSTID
u_int32_t *hostid
DIOCOSFPFLUSH
DIOCOSFPADD
struct pf_osfp_ioctl *io
struct pf_osfp_ioctl {
struct pf_osfp_entry {
SLIST_ENTRY(pf_osfp_entry) fp_entry;
pf_osfp_t fp_os;
char fp_class_nm[PF_OSFP_LEN];
char fp_version_nm[PF_OSFP_LEN];
char fp_subtype_nm[PF_OSFP_LEN];
} fp_os;
pf_tcpopts_t fp_tcpopts;
u_int16_t fp_wsize;
u_int16_t fp_psize;
u_int16_t fp_mss;
u_int16_t fp_flags;
u_int8_t fp_optcnt;
u_int8_t fp_wscale;
u_int8_t fp_ttl;
int fp_getnum;
};
Add a passive OS fingerprint to the table. Set fp_os.fp_os to the packed fingerprint, fp_os.fp_class_nm to the name of the class (Linux, Windows, etc), fp_os.fp_version_nm to the name of the version (NT, 95, 98), and fp_os.fp_subtype_nm to the name of the subtype or patchlevel. The members fp_mss, fp_wsize, fp_psize, fp_ttl, fp_optcnt, and fp_wscale are set to the TCP MSS, the TCP window size, the IP length, the IP TTL, the number of TCP options, and the TCP window scaling constant of the TCP SYN packet, respectively.
The
fp_flags
member is filled according to the
<net/pfvar.h
>
include file
PF_OSFP_*
defines.
The
fp_tcpopts
member contains packed TCP options.
Each option uses
PF_OSFP_TCPOPT_BITS
bits in the packed value.
Options include any of
PF_OSFP_TCPOPT_NOP
,
PF_OSFP_TCPOPT_SACK
,
PF_OSFP_TCPOPT_WSCALE
,
PF_OSFP_TCPOPT_MSS
,
or
PF_OSFP_TCPOPT_TS
.
The fp_getnum member is not used with this ioctl.
The structure's slack space must be zeroed for correct operation; memset(3) the whole structure to zero before filling and sending to the kernel.
DIOCOSFPGET
struct pf_osfp_ioctl *io
EBUSY
.
DIOCGETSRCNODES
struct pfioc_src_nodes *psn
struct pfioc_src_nodes {
int psn_len;
union {
caddr_t psu_buf;
struct pf_src_node *psu_src_nodes;
} psn_u;
#define psn_buf psn_u.psu_buf
#define psn_src_nodes psn_u.psu_src_nodes
};
Get the list of source nodes kept by sticky addresses and source tracking. The ioctl must be called once with psn_len set to 0. If the ioctl returns without error, psn_len will be set to the size of the buffer required to hold all the pf_src_node structures held in the table. A buffer of this size should then be allocated, and a pointer to this buffer placed in psn_buf. The ioctl must then be called again to fill this buffer with the actual source node data. After that call, psn_len will be set to the length of the buffer actually used.
DIOCCLRSRCNODES
DIOCIGETIFACES
struct pfioc_iface *io
struct pfioc_iface {
char pfiio_name[IFNAMSIZ];
void *pfiio_buffer;
int pfiio_esize;
int pfiio_size;
int pfiio_nzero;
int pfiio_flags;
};
If not empty,
pfiio_name
can be used to restrict the search to a specific interface or driver.
pfiio_buffer[pfiio_size]
is the user-supplied buffer for returning the data.
On entry,
pfiio_size
contains the number of
entries that can fit into the buffer.
The kernel will replace this value by the real number of entries it wants
to return.
pfiio_esize
should be set to
sizeof(struct
pfi_kif)
.
The data is returned in the
structure described below:
struct pfi_kif {
RB_ENTRY(pfi_kif) pfik_tree;
char pfik_name[IFNAMSIZ];
u_int64_t pfik_packets[2][2][2];
u_int64_t pfik_bytes[2][2][2];
u_int32_t pfik_tzero;
int pfik_flags;
struct pf_state_tree_lan_ext pfik_lan_ext;
struct pf_state_tree_ext_gwy pfik_ext_gwy;
TAILQ_ENTRY(pfi_kif) pfik_w_states;
void *pfik_ah_cookie;
struct ifnet *pfik_ifp;
struct ifg_group *pfik_group;
int pfik_states;
int pfik_rules;
TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
};
DIOCSETIFFLAG
struct pfioc_iface *io
DIOCIGETIFACES
.
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
DIOCCLRIFFLAG
struct pfioc_iface *io
DIOCSETIFFLAG
above but clears the flags.
/dev/pf
DIOCNATLOOK
command to find the internal host/port of a NATed connection:
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
u_int32_t
read_address(const char *s)
{
int a, b, c, d;
sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
return htonl(a << 24 | b << 16 | c << 8 | d);
}
void
print_address(u_int32_t a)
{
a = ntohl(a);
printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
a >> 8 & 255, a & 255);
}
int
main(int argc, char *argv[])
{
struct pfioc_natlook nl;
int dev;
if (argc != 5) {
printf("%s \n",
argv[0]);
return 1;
}
dev = open("/dev/pf", O_RDWR);
if (dev == -1)
err(1, "open(\"/dev/pf\") failed");
memset(&nl, 0, sizeof(struct pfioc_natlook));
nl.saddr.v4.s_addr = read_address(argv[1]);
nl.sport = htons(atoi(argv[2]));
nl.daddr.v4.s_addr = read_address(argv[3]);
nl.dport = htons(atoi(argv[4]));
nl.af = AF_INET;
nl.proto = IPPROTO_TCP;
nl.direction = PF_IN;
if (ioctl(dev, DIOCNATLOOK, &nl))
err(1, "DIOCNATLOOK");
printf("internal host ");
print_address(nl.rsaddr.v4.s_addr);
printf(":%u\n", ntohs(nl.rsport));
return 0;
}