/dev/pf,
allows userland processes to control the
behavior of the packet filter through an
ioctl(2)
interface.
There are commands to enable and disable the filter, load rulesets,
add and remove individual rules or state table entries,
and retrieve statistics.
The most commonly used functions are covered by
pfctl(8).
Manipulations like loading a ruleset that involve more than a single ioctl(2) call require a so-called ticket, which prevents the occurrence of multiple concurrent manipulations.
Fields of ioctl(2) parameter structures that refer to packet data (like addresses and ports) are generally expected in network byte-order.
Rules and address tables are contained in so-called anchors. When servicing an ioctl(2) request, if the anchor field of the argument structure is empty, the kernel will use the default anchor (i.e., the main ruleset) in operations. Anchors are specified by name and may be nested, with components separated by `/' characters, similar to how file system hierarchies are laid out. The final component of the anchor path is the anchor under which operations will be performed.
net/pfvar.h>:
DIOCSTARTDIOCSTOPDIOCSTARTALTQDIOCSTOPALTQDIOCBEGINADDRS struct pfioc_pooladdr *pp
struct pfioc_pooladdr {
u_int32_t action;
u_int32_t ticket;
u_int32_t nr;
u_int32_t r_num;
u_int8_t r_action;
u_int8_t r_last;
u_int8_t af;
char anchor[MAXPATHLEN];
struct pf_pooladdr addr;
};
Clear the buffer address pool and get a
ticket
for subsequent
DIOCADDADDR,
DIOCADDRULE,
and
DIOCCHANGERULE
calls.
DIOCADDADDR struct pfioc_pooladdr *pp
Add the pool address
addr
to the buffer address pool to be used in the following
DIOCADDRULE
or
DIOCCHANGERULE
call.
All other members of the structure are ignored.
DIOCADDRULE struct pfioc_rule *pr
struct pfioc_rule {
u_int32_t action;
u_int32_t ticket;
u_int32_t pool_ticket;
u_int32_t nr;
char anchor[MAXPATHLEN];
char anchor_call[MAXPATHLEN];
struct pf_rule rule;
};
Add
rule
at the end of the inactive ruleset.
This call requires a
ticket
obtained through a preceding
DIOCXBEGIN
call and a
pool_ticket
obtained through a
DIOCBEGINADDRS
call.
DIOCADDADDR
must also be called if any pool addresses are required.
The optional
anchor
name indicates the anchor in which to append the rule.
nr
and
action
are ignored.
DIOCADDALTQ struct pfioc_altq *pa
struct pfioc_altq {
u_int32_t action;
u_int32_t ticket;
u_int32_t nr;
struct pf_altq altq;
};
DIOCGETRULES struct pfioc_rule *prDIOCGETRULE
calls and the number
nr
of rules in the active ruleset.
DIOCGETRULE struct pfioc_rule *prDIOCGETRULES
call.
If
action
is set to
PF_GET_CLR_CNTR,
the per-rule statistics on the requested rule are cleared.
DIOCGETADDRS struct pfioc_pooladdr *ppDIOCGETADDR
calls and the number
nr
of pool addresses in the rule specified with
r_action,
r_num,
and
anchor.
DIOCGETADDR struct pfioc_pooladdr *ppDIOCGETADDRS
call.
DIOCGETALTQS struct pfioc_altq *paDIOCGETALTQ
calls and the number
nr
of queues in the active list.
DIOCGETALTQ struct pfioc_altq *paDIOCGETALTQS
call.
DIOCGETQSTATS struct pfioc_qstats *pq
struct pfioc_qstats {
u_int32_t ticket;
u_int32_t nr;
void *buf;
int nbytes;
u_int8_t scheduler;
};
This call fills in a pointer to the buffer of statistics buf, of length nbytes, for the queue specified by nr.
DIOCGETRULESETS struct pfioc_ruleset *pr
struct pfioc_ruleset {
u_int32_t nr;
char path[MAXPATHLEN];
char name[PF_ANCHOR_NAME_SIZE];
};
Get the number
nr
of rulesets (i.e., anchors) directly attached to the anchor named by
path
for use in subsequent
DIOCGETRULESET
calls.
Nested anchors, since they are not directly attached to the given
anchor, will not be included.
This ioctl returns
EINVAL
if the given anchor does not exist.
DIOCGETRULESET struct pfioc_ruleset *prDIOCGETRULESETS
call.
This ioctl returns
EINVAL
if the given anchor does not exist or
EBUSY
if another process is concurrently updating a ruleset.
DIOCADDSTATE struct pfioc_state *ps
struct pfioc_state {
u_int32_t nr;
struct pf_state state;
};
DIOCGETSTATE struct pfioc_state *psDIOCKILLSTATES struct pfioc_state_kill *psk
struct pfioc_state_kill {
sa_family_t psk_af;
int psk_proto;
struct pf_rule_addr psk_src;
struct pf_rule_addr psk_dst;
char psk_ifname[IFNAMSIZ];
};
DIOCCLRSTATES struct pfioc_state_kill *pskDIOCKILLSTATES,
but ignores the
psk_af,
psk_proto,
psk_src,
and
psk_dst
fields of the
structure.
DIOCSETSTATUSIF struct pfioc_if *pi
struct pfioc_if {
char ifname[IFNAMSIZ];
};
DIOCGETSTATUS struct pf_status *s
struct pf_status {
u_int64_t counters[PFRES_MAX];
u_int64_t lcounters[LCNT_MAX];
u_int64_t fcounters[FCNT_MAX];
u_int64_t scounters[SCNT_MAX];
u_int64_t pcounters[2][2][3];
u_int64_t bcounters[2][2];
u_int64_t stateid;
u_int32_t running;
u_int32_t states;
u_int32_t src_nodes;
u_int32_t since;
u_int32_t debug;
u_int32_t hostid;
char ifname[IFNAMSIZ];
u_int8_t pf_chksum[MD5_DIGEST_LENGTH];
};
DIOCCLRSTATUSDIOCNATLOOK struct pfioc_natlook *pnl
struct pfioc_natlook {
struct pf_addr saddr;
struct pf_addr daddr;
struct pf_addr rsaddr;
struct pf_addr rdaddr;
u_int16_t sport;
u_int16_t dport;
u_int16_t rsport;
u_int16_t rdport;
sa_family_t af;
u_int8_t proto;
u_int8_t direction;
};
DIOCSETDEBUG u_int32_t *level
enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC,
PF_DEBUG_NOISY };
DIOCGETSTATES struct pfioc_states *ps
struct pfioc_states {
int ps_len;
union {
caddr_t psu_buf;
struct pf_state *psu_states;
} ps_u;
#define ps_buf ps_u.psu_buf
#define ps_states ps_u.psu_states
};
If
ps_len
is non-zero on entry, as many states as possible that can fit into this
size will be copied into the supplied buffer
ps_states.
On exit,
ps_len
is always set to the total size required to hold all state table entries
(i.e., it is set to
sizeof(struct pf_state) * nr).
DIOCCHANGERULE struct pfioc_rule *pcr
The type of operation to be performed is indicated by
action,
which can be any of the following:
enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
ticket
must be set to the value obtained with
PF_CHANGE_GET_TICKET
for all actions except
PF_CHANGE_GET_TICKET.
pool_ticket
must be set to the value obtained with the
DIOCBEGINADDRS
call for all actions except
PF_CHANGE_REMOVE
and
PF_CHANGE_GET_TICKET.
anchor
indicates to which anchor the operation applies.
nr
indicates the rule number against which
PF_CHANGE_ADD_BEFORE,
PF_CHANGE_ADD_AFTER,
or
PF_CHANGE_REMOVE
actions are applied.
DIOCCHANGEADDR struct pfioc_pooladdr *pcaDIOCSETTIMEOUT struct pfioc_tm *pt
struct pfioc_tm {
int timeout;
int seconds;
};
Set the state timeout of
timeout
to
seconds.
The old value will be placed into
seconds.
For possible values of
timeout,
consult the
PFTM_*
values in
<net/pfvar.h>.
DIOCGETTIMEOUT struct pfioc_tm *ptDIOCCLRRULECTRSDIOCSETLIMIT struct pfioc_limit *pl
struct pfioc_limit {
int index;
unsigned limit;
};
enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
DIOCGETLIMIT struct pfioc_limit *plDIOCRCLRTABLES struct pfioc_table *ioDIOCRCLRTABLES,
pfrio_ndel
contains on exit the number of tables deleted.
struct pfioc_table {
struct pfr_table pfrio_table;
void *pfrio_buffer;
int pfrio_esize;
int pfrio_size;
int pfrio_size2;
int pfrio_nadd;
int pfrio_ndel;
int pfrio_nchange;
int pfrio_flags;
u_int32_t pfrio_ticket;
};
#define pfrio_exists pfrio_nadd
#define pfrio_nzero pfrio_nadd
#define pfrio_nmatch pfrio_nadd
#define pfrio_naddr pfrio_size2
#define pfrio_setflag pfrio_size2
#define pfrio_clrflag pfrio_nadd
DIOCRADDTABLES struct pfioc_table *io
struct pfr_table {
char pfrt_anchor[MAXPATHLEN];
char pfrt_name[PF_TABLE_NAME_SIZE];
u_int32_t pfrt_flags;
u_int8_t pfrt_fback;
};
DIOCRDELTABLES struct pfioc_table *ioDIOCRGETTABLES struct pfioc_table *ioDIOCRGETTSTATS struct pfioc_table *ioDIOCRGETTABLES
but is used to get an array of
structures.
struct pfr_tstats {
struct pfr_table pfrts_t;
u_int64_t pfrts_packets
[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
u_int64_t pfrts_bytes
[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
u_int64_t pfrts_match;
u_int64_t pfrts_nomatch;
long pfrts_tzero;
int pfrts_cnt;
int pfrts_refcnt[PFR_REFCNT_MAX];
};
#define pfrts_name pfrts_t.pfrt_name
#define pfrts_flags pfrts_t.pfrt_flags
DIOCRCLRTSTATS struct pfioc_table *ioDIOCRCLRADDRS struct pfioc_table *ioDIOCRADDADDRS struct pfioc_table *io
struct pfr_addr {
union {
struct in_addr _pfra_ip4addr;
struct in6_addr _pfra_ip6addr;
} pfra_u;
u_int8_t pfra_af;
u_int8_t pfra_net;
u_int8_t pfra_not;
u_int8_t pfra_fback;
};
#define pfra_ip4addr pfra_u._pfra_ip4addr
#define pfra_ip6addr pfra_u._pfra_ip6addr
DIOCRDELADDRS struct pfioc_table *ioDIOCRSETADDRS struct pfioc_table *io
On entry,
pfrio_table
contains the table ID and
pfrio_buffer
must point to an array of
containing at least
elements which become the new contents of the table.
must be the size of
Additionally, if
pfrio_size2
is non-zero,
pfrio_buffer[pfrio_size..pfrio_size2]
must be a writeable buffer, into which the kernel can copy the
addresses that have been deleted during the replace operation.
On exit,
pfrio_ndel,
pfrio_nadd,
and
pfrio_nchange
contain the number of addresses deleted, added, and changed by the
kernel.
If
pfrio_size2
was set on entry,
pfrio_size2
will point to the size of the buffer used, exactly like
DIOCRGETADDRS.
DIOCRGETADDRS struct pfioc_table *ioDIOCRGETASTATS struct pfioc_table *ioDIOCRGETADDRS
but is used to get an array of
structures.
struct pfr_astats {
struct pfr_addr pfras_a;
u_int64_t pfras_packets
[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
u_int64_t pfras_bytes
[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
long pfras_tzero;
};
DIOCRCLRASTATS struct pfioc_table *ioDIOCRTSTADDRS struct pfioc_table *ioDIOCRSETTFLAGS struct pfioc_table *ioPFR_TFLAG_CONST
or
PFR_TFLAG_PERSIST
flags of a table.
On entry,
pfrio_buffer
must point to an array of
containing at least
elements.
pfrio_esize
must be the size of
pfrio_setflag
must contain the flags to add, while
pfrio_clrflag
must contain the flags to remove.
On exit,
pfrio_nchange
and
pfrio_ndel
contain the number of tables altered or deleted by the kernel.
Yes, tables can be deleted if one removes the
PFR_TFLAG_PERSIST
flag of an unreferenced table.
DIOCRINADEFINE struct pfioc_table *ioDIOCXBEGIN struct pfioc_trans *io
struct pfioc_trans {
int size; /* number of elements */
int esize; /* size of each element in bytes */
struct pfioc_trans_e {
int rs_num;
char anchor[MAXPATHLEN];
u_int32_t ticket;
} *array;
};
Clear all the inactive rulesets specified in the
array.
For each ruleset, a ticket is returned for subsequent "add rule" ioctls,
as well as for the
DIOCXCOMMIT
and
DIOCXROLLBACK
calls.
Ruleset types, identified by rs_num, include the following:
PF_RULESET_SCRUBPF_RULESET_FILTERPF_RULESET_NATPF_RULESET_BINATPF_RULESET_RDRPF_RULESET_ALTQPF_RULESET_TABLEDIOCXCOMMIT struct pfioc_trans *ioEBUSY
if another process is concurrently updating some of the same rulesets.
DIOCXROLLBACK struct pfioc_trans *ioDIOCXBEGIN.
DIOCXROLLBACK
will silently ignore rulesets for which the ticket is invalid.
DIOCSETHOSTID u_int32_t *hostidDIOCOSFPFLUSHDIOCOSFPADD struct pf_osfp_ioctl *io
struct pf_osfp_ioctl {
struct pf_osfp_entry {
SLIST_ENTRY(pf_osfp_entry) fp_entry;
pf_osfp_t fp_os;
char fp_class_nm[PF_OSFP_LEN];
char fp_version_nm[PF_OSFP_LEN];
char fp_subtype_nm[PF_OSFP_LEN];
} fp_os;
pf_tcpopts_t fp_tcpopts;
u_int16_t fp_wsize;
u_int16_t fp_psize;
u_int16_t fp_mss;
u_int16_t fp_flags;
u_int8_t fp_optcnt;
u_int8_t fp_wscale;
u_int8_t fp_ttl;
int fp_getnum;
};
Add a passive OS fingerprint to the table. Set fp_os.fp_os to the packed fingerprint, fp_os.fp_class_nm to the name of the class (Linux, Windows, etc), fp_os.fp_version_nm to the name of the version (NT, 95, 98), and fp_os.fp_subtype_nm to the name of the subtype or patchlevel. The members fp_mss, fp_wsize, fp_psize, fp_ttl, fp_optcnt, and fp_wscale are set to the TCP MSS, the TCP window size, the IP length, the IP TTL, the number of TCP options, and the TCP window scaling constant of the TCP SYN packet, respectively.
The
fp_flags
member is filled according to the
<net/pfvar.h>
include file
PF_OSFP_*
defines.
The
fp_tcpopts
member contains packed TCP options.
Each option uses
PF_OSFP_TCPOPT_BITS
bits in the packed value.
Options include any of
PF_OSFP_TCPOPT_NOP,
PF_OSFP_TCPOPT_SACK,
PF_OSFP_TCPOPT_WSCALE,
PF_OSFP_TCPOPT_MSS,
or
PF_OSFP_TCPOPT_TS.
The fp_getnum member is not used with this ioctl.
The structure's slack space must be zeroed for correct operation; memset(3) the whole structure to zero before filling and sending to the kernel.
DIOCOSFPGET struct pf_osfp_ioctl *ioEBUSY.
DIOCGETSRCNODES struct pfioc_src_nodes *psn
struct pfioc_src_nodes {
int psn_len;
union {
caddr_t psu_buf;
struct pf_src_node *psu_src_nodes;
} psn_u;
#define psn_buf psn_u.psu_buf
#define psn_src_nodes psn_u.psu_src_nodes
};
Get the list of source nodes kept by sticky addresses and source tracking. The ioctl must be called once with psn_len set to 0. If the ioctl returns without error, psn_len will be set to the size of the buffer required to hold all the pf_src_node structures held in the table. A buffer of this size should then be allocated, and a pointer to this buffer placed in psn_buf. The ioctl must then be called again to fill this buffer with the actual source node data. After that call, psn_len will be set to the length of the buffer actually used.
DIOCCLRSRCNODESDIOCIGETIFACES struct pfioc_iface *io
struct pfioc_iface {
char pfiio_name[IFNAMSIZ];
void *pfiio_buffer;
int pfiio_esize;
int pfiio_size;
int pfiio_nzero;
int pfiio_flags;
};
If not empty,
pfiio_name
can be used to restrict the search to a specific interface or driver.
pfiio_buffer[pfiio_size]
is the user-supplied buffer for returning the data.
On entry,
pfiio_size
contains the number of
entries that can fit into the buffer.
The kernel will replace this value by the real number of entries it wants
to return.
pfiio_esize
should be set to
sizeof(struct pfi_kif).
The data is returned in the
structure described below:
struct pfi_kif {
RB_ENTRY(pfi_kif) pfik_tree;
char pfik_name[IFNAMSIZ];
u_int64_t pfik_packets[2][2][2];
u_int64_t pfik_bytes[2][2][2];
u_int32_t pfik_tzero;
int pfik_flags;
struct pf_state_tree_lan_ext pfik_lan_ext;
struct pf_state_tree_ext_gwy pfik_ext_gwy;
TAILQ_ENTRY(pfi_kif) pfik_w_states;
void *pfik_ah_cookie;
struct ifnet *pfik_ifp;
struct ifg_group *pfik_group;
int pfik_states;
int pfik_rules;
TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
};
DIOCSETIFFLAG struct pfioc_iface *ioDIOCIGETIFACES.
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
DIOCCLRIFFLAG struct pfioc_iface *ioDIOCSETIFFLAG
above but clears the flags.
/dev/pfDIOCNATLOOK
command to find the internal host/port of a NATed connection:
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
u_int32_t
read_address(const char *s)
{
int a, b, c, d;
sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
return htonl(a << 24 | b << 16 | c << 8 | d);
}
void
print_address(u_int32_t a)
{
a = ntohl(a);
printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
a >> 8 & 255, a & 255);
}
int
main(int argc, char *argv[])
{
struct pfioc_natlook nl;
int dev;
if (argc != 5) {
printf("%s \n",
argv[0]);
return 1;
}
dev = open("/dev/pf", O_RDWR);
if (dev == -1)
err(1, "open(\"/dev/pf\") failed");
memset(&nl, 0, sizeof(struct pfioc_natlook));
nl.saddr.v4.s_addr = read_address(argv[1]);
nl.sport = htons(atoi(argv[2]));
nl.daddr.v4.s_addr = read_address(argv[3]);
nl.dport = htons(atoi(argv[4]));
nl.af = AF_INET;
nl.proto = IPPROTO_TCP;
nl.direction = PF_IN;
if (ioctl(dev, DIOCNATLOOK, &nl))
err(1, "DIOCNATLOOK");
printf("internal host ");
print_address(nl.rsaddr.v4.s_addr);
printf(":%u\n", ntohs(nl.rsport));
return 0;
}