authorPhilipp Buehler <pb@cvs.openbsd.org>2002-07-30 13:53:58 +0000
committerPhilipp Buehler <pb@cvs.openbsd.org>2002-07-30 13:53:58 +0000
commit80e26f661b15194045490a0805d3e8994b3ba682 (patch)
tree929991b3b9ea313238dd976b715416c1d4be2cdd
parent34991720682ea783b2e4d1e0798695118b46be4f (diff)
Merge filter and nat BNF for simplification:
- top of reduction is now 'line', which makes it easier to add more keywords later on; reorder and group productions; remove duplicated productions. ok dhartmei@, henning@
-rw-r--r--share/man/man5/pf.conf.561
1 files changed, 21 insertions, 40 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index dcb9a9c66e9..f78ec1fd299 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.72 2002/07/30 11:55:31 pb Exp $
+.\" $OpenBSD: pf.conf.5,v 1.73 2002/07/30 13:53:57 pb Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -957,8 +957,12 @@ rdr on kue0 inet proto udp from any to (kue0) port 8080 -> 10.1.2.151 \\
rdr on fxp0 proto tcp from any to any port 21 -> 127.0.0.1 port 8081
.Ed
.Sh GRAMMAR
-Syntax for filter rules in BNF:
+Syntax for
+.Em pf.conf
+in BNF:
.Bd -literal
+line = ( option | pf_rule | nat_rule | binat_rule | rdr_rule )
+
option = set ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
[ "optimization" [ "default" | "normal" |
"high-latency" | "satellite" |
@@ -966,12 +970,11 @@ option = set ( [ "timeout" ( timeout | "{" timeout-list "}" ) ] |
[ "limit" ( limit | "{" limit-list "}" ) ] |
[ "loginterface" ( interface-name | "none" ) ] ) .
-rule = action ( "in" | "out" )
+pf_rule = action ( "in" | "out" )
[ "log" | "log-all" ] [ "quick" ]
[ "on" ( interface-name | "{" interface-list "}" ) ]
[ route ] [ af ]
- [ "proto" ( proto-name | proto-number |
- "{" proto-list "}" ) ]
+ [ protospec ]
hosts
[ user ] [ group ] [ flags ]
[ icmp-type | ipv6-icmp-type ]
@@ -980,6 +983,15 @@ rule = action ( "in" | "out" )
[ "max-mss" number ] [ "allow-opts" ]
[ "label" string ] .
+nat_rule = [ "no" ] "nat" "on" [ "!" ] ifname [ protospec ] hosts
+ [ "->" address [ portspec ] ] .
+
+binat_rule = [ "no" ] "binat" "on" ifname [ "proto" ( proto-name |
+ proto-number ) ] "from" address "to" ipspec [ "->" address ] .
+
+rdr_rule = [ "no" ] "rdr" "on" [ "!" ] ifname [ protospec ] "from" ipspec
+ "to" ipspec [ portspec ] [ "->" address [ portspec ] ] .
+
action = "pass" | "block" [ return ] | "scrub" .
return = "return-rst" [ "(" "ttl" number ")" ] |
"return-icmp"
@@ -994,6 +1006,8 @@ route = "fastroute" |
"dup-to" "(" interface-name address ")" |
"dup-to" interface-name
af = "inet" | "inet6" .
+
+protospec = "proto" ( proto-name | proto-number | "{" proto-list "}" ) .
proto-list = ( proto-name | proto-number ) [ "," proto-list ] .
hosts = "all" |
@@ -1002,12 +1016,14 @@ hosts = "all" |
"to" ( "any" | "no-route" | "self" | host |
"{" host-list "}" ) [ port ] .
+ipspec = "any" | host | "{" host-list "}" .
host = [ "!" ] address [ "/" mask-bits ] .
address = ( interface-name | "(" interface-name ")" | host-name |
ipv4-dotted-quad | ipv6-coloned-hex ) .
host-list = host [ "," host-list ] .
port = "port" ( unary-op | binary-op | "{" op-list "}" ) .
+portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] .
user = "user" ( unary-op | binary-op | "{" op-list "}" ) .
group = "group" ( unary-op | binary-op | "{" op-list "}" ) .
@@ -1041,41 +1057,6 @@ seconds = number .
limit-list = limit [ "," limit-list ] .
limit = ( "states" | "frags" ) number .
.Ed
-.Pp
-Syntax for translation rules in BNF:
-.Bd -literal
-rule = [ "no" ] ( nat_rule | binat_rule | rdr_rule ) .
-
-nat_rule = "nat" "on" [ "!" ] ifname [ protospec ] hosts
- [ "->" address [ portspec ] ] .
-
-binat_rule = "binat" "on" ifname [ protospec ] "from" address
- "to" ipspec [ "->" address ] .
-
-rdr_rule = "rdr" "on" [ "!" ] ifname [ protospec ] "from" ipspec
- "to" ipspec [ portspec ] [ "->" address [ portspec ] ] .
-
-protospec = "proto" ( number | "tcp" | "udp" | "icmp" ) .
-
-ipspec = "any" | host | "{" host-list "}" .
-
-portspec = "port" ( number | name ) [ ":" ( "*" | number | name ) ] .
-
-hosts = "all" |
- "from" ( "any" | host | "{" host-list "}" ) [ port ]
- "to" ( "any" | host | "{" host-list "}" ) [ port ] .
-
-host = [ "!" ] address [ "/" mask-bits ] .
-address = ( interface-name | "(" interface-name ")" | host-name |
- ipv4-dotted-quad | ipv6-coloned-hex ) .
-host-list = host [ "," host-list ] .
-
-port = "port" ( unary-op | binary-op | "{" op-list "}" ) .
-unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
- ( name | number ) .
-binary-op = number ( "<>" | "><" ) number .
-op-list = ( unary-op | binary-op ) [ "," op-list ] .
-.Ed
.Sh FILES
.Bl -tag -width "/etc/pf.conf" -compact
.It Pa /etc/hosts