author | Jared Yanovich <jaredy@cvs.openbsd.org> | 2004-12-23 20:33:04 +0000 |
---|---|---|
committer | Jared Yanovich <jaredy@cvs.openbsd.org> | 2004-12-23 20:33:04 +0000 |
commit | 5f346652ef082dcb255732a23cd06e4036174b6a (patch) | |
tree | 2008f6d1c0132ec8ee9a10e579a908ce40b041da | |
parent | 0b4edcf146bef1774b55ea7790efe806eb470129 (diff) |
document icmp type/code text abbreviations recognized by pfctl
prodded by John Ladwig <jladwig@mango.lioness.net>
ok deraadt jmc
-rw-r--r-- | share/man/man4/icmp.4 | 72 | ||||
-rw-r--r-- | share/man/man4/icmp6.4 | 58 | ||||
-rw-r--r-- | share/man/man5/pf.conf.5 | 13 |
3 files changed, 138 insertions, 5 deletions
diff --git a/share/man/man4/icmp.4 b/share/man/man4/icmp.4 index 188a2e95f57..703e34963f2 100644 --- a/share/man/man4/icmp.4 +++ b/share/man/man4/icmp.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: icmp.4,v 1.9 2003/06/02 23:30:12 millert Exp $ +.\" $OpenBSD: icmp.4,v 1.10 2004/12/23 20:33:03 jaredy Exp $ .\" $NetBSD: icmp.4,v 1.3 1994/11/30 16:22:14 jtc Exp $ .\" .\" Copyright (c) 1986, 1991, 1993 
@@ -84,6 +84,76 @@ them (based on the destination address). Incoming packets are received with the .Tn IP header and options intact. +.Ss Types +ICMP messages are classified according to the type and code fields +present in the ICMP header. +The abbreviations for the types and codes may be used in rules in +.Xr pf.conf 5 . +The following types are defined: +.Bl -column x xxxxxxxxxxxx -offset indent +.It Sy Num Ta Sy Abbrev. Ta Sy Description +.It 0 Ta echorep Ta "Echo reply" +.It 3 Ta unreach Ta "Destination unreachable" +.It 4 Ta squench Ta "Packet loss, slow down" +.It 5 Ta redir Ta "Shorter route exists" +.It 6 Ta althost Ta "Alternate host address" +.It 8 Ta echoreq Ta "Echo request" +.It 9 Ta routeradv Ta "Router advertisement" +.It 10 Ta routersol Ta "Router solicitation" +.It 11 Ta timex Ta "Time exceeded" +.It 12 Ta paramprob Ta "Invalid IP header" +.It 13 Ta timereq Ta "Timestamp request" +.It 14 Ta timerep Ta "Timestamp reply" +.It 15 Ta inforeq Ta "Information request" +.It 16 Ta inforep Ta "Information reply" +.It 17 Ta maskreq Ta "Address mask request" +.It 18 Ta maskrep Ta "Address mask reply" +.It 30 Ta trace Ta "Traceroute" +.It 31 Ta dataconv Ta "Data conversion problem" +.It 32 Ta mobredir Ta "Mobile host redirection" +.It 33 Ta ipv6-where Ta "IPv6 where-are-you" +.It 34 Ta ipv6-here Ta "IPv6 i-am-here" +.It 35 Ta mobregreq Ta "Mobile registration request" +.It 36 Ta mobregrep Ta "Mobile registration reply" +.It 39 Ta skip Ta "SKIP" +.It 40 Ta photuris Ta "Photuris" +.El +.Pp +The following codes are defined: +.Bl -column x xxxxxxxxxxxx xxxxxxx -offset indent +.It Sy Num Ta Sy Abbrev. 
Ta Sy Type Ta +.Sy Description +.It 0 Ta net-unr Ta unreach Ta "Network unreachable" +.It 1 Ta host-unr Ta unreach Ta "Host unreachable" +.It 2 Ta proto-unr Ta unreach Ta "Protocol unreachable" +.It 3 Ta port-unr Ta unreach Ta "Port unreachable" +.It 4 Ta needfrag Ta unreach Ta "Fragmentation needed but DF bit set" +.It 5 Ta srcfail Ta unreach Ta "Source routing failed" +.It 6 Ta net-unk Ta unreach Ta "Network unknown" +.It 7 Ta host-unk Ta unreach Ta "Host unknown" +.It 8 Ta isolate Ta unreach Ta "Host isolated" +.It 9 Ta net-prohib Ta unreach Ta "Network administratively prohibited" +.It 10 Ta host-prohib Ta unreach Ta "Host administratively prohibited" +.It 11 Ta net-tos Ta unreach Ta "Invalid TOS for network" +.It 12 Ta host-tos Ta unreach Ta "Invalid TOS for host" +.It 13 Ta filter-prohib Ta unreach Ta "Prohibited access" +.It 14 Ta host-preced Ta unreach Ta "Precedence violation" +.It 15 Ta cutoff-preced Ta unreac Ta "Precedence cutoff" +.It 0 Ta redir-net Ta redir Ta "Shorter route for network" +.It 1 Ta redir-host Ta redir Ta "Shorter route for host" +.It 2 Ta redir-tos-net Ta redir Ta "Shorter route for TOS and network" +.It 3 Ta redir-tos-host Ta redir Ta "Shorter route for TOS and host" +.It 0 Ta normal-adv Ta routeradv Ta "Normal advertisement" +.It 16 Ta common-adv Ta routeradv Ta "Selective advertisement" +.It 0 Ta transit Ta timex Ta "Time exceeded in transit" +.It 1 Ta reassemb Ta timex Ta "Time exceeded in reassembly" +.It 0 Ta badhead Ta paramprob Ta "Invalid option pointer" +.It 1 Ta optmiss Ta paramprob Ta "Missing option" +.It 2 Ta badlen Ta paramprob Ta "Invalid length" +.It 1 Ta unknown-ind Ta photuris Ta "Unknown security index" +.It 2 Ta auth-fail Ta photuris Ta "Authentication failed" +.It 3 Ta decrypt-fail Ta photuris Ta "Decryption failed" +.El .Sh DIAGNOSTICS A socket operation may fail with one of the following errors returned: .Bl -tag -width [EADDRNOTAVAIL] 
diff --git a/share/man/man4/icmp6.4 b/share/man/man4/icmp6.4 index b153767cbad..ccdcd5eda79 100644 --- a/share/man/man4/icmp6.4 +++ b/share/man/man4/icmp6.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: icmp6.4,v 1.18 2004/12/20 19:17:04 jaredy Exp $ +.\" $OpenBSD: icmp6.4,v 1.19 2004/12/23 20:33:03 jaredy Exp $ .\" Copyright (c) 1986, 1991, 1993 .\" The Regents of the University of California. All rights reserved. .\" 
@@ -74,7 +74,61 @@ Outgoing packets automatically have an IPv6 header prepended to them (based on the destination address). Incoming packets on the socket are received with the IPv6 header and any extension headers removed. +.Ss Types +ICMPv6 messages are classified according to the type and code fields +present in the ICMPv6 header. +The abbreviations for the types and codes may be used in rules in +.Xr pf.conf 5 . +The following types are defined: +.Bl -column x xxxxxxxxxxxx -offset indent +.It Sy Num Ta Sy Abbrev. Ta Sy Description +.It 1 Ta unreach Ta "Destination unreachable" +.It 2 Ta toobig Ta "Packet too big" +.It 3 Ta timex Ta "Time exceeded" +.It 4 Ta paramprob Ta "Invalid IPv6 header" +.It 128 Ta echoreq Ta "Echo service request" +.It 129 Ta echorep Ta "Echo service reply" +.It 130 Ta groupqry Ta "Group membership query" +.It 130 Ta listqry Ta "Multicast listener query" +.It 131 Ta grouprep Ta "Group membership report" +.It 131 Ta listenrep Ta "Multicast listener report" +.It 132 Ta groupterm Ta "Group membership termination" +.It 132 Ta listendone Ta "Multicast listerner done" +.It 133 Ta routersol Ta "Router solicitation" +.It 134 Ta routeradv Ta "Router advertisement" +.It 135 Ta neighbrsol Ta "Neighbor solicitation" +.It 136 Ta neighbradv Ta "Neighbor advertisement" +.It 137 Ta redir Ta "Shorter route exists" +.It 138 Ta routrrenum Ta "Route renumbering" +.It 139 Ta fqdnreq Ta "FQDN query" +.It 139 Ta niqry Ta "Node information query" +.It 139 Ta wrureq Ta "Who-are-you request" +.It 140 Ta fqdnrep Ta "FQDN reply" +.It 140 Ta nirep Ta "Node information reply" +.It 140 Ta wrurep Ta "Who-are-you reply" +.It 200 Ta mtraceresp Ta "mtrace response" +.It 201 Ta mtrace Ta "mtrace messages" +.El .Pp +The following codes are defined: +.Bl -column x xxxxxxxxxxxx xxxxxxxx -offset indent +.It Sy Num Ta Sy Abbrev. 
Ta Sy Type Ta +.Sy Description +.It 0 Ta noroute-unr Ta unreach Ta "No route to destination" +.It 1 Ta admin-unr Ta unreach Ta "Administratively prohibited" +.It 2 Ta beyond-unr Ta unreach Ta "Beyond scope of source address" +.It 2 Ta notnbr-unr Ta unreach Ta "Not a neighbor (obselete)" +.It 3 Ta addr-unr Ta unreach Ta "Address unreachable" +.It 4 Ta port-unr Ta unreach Ta "Port unreachable" +.It 0 Ta transit Ta timex Ta "Time exceeded in transit" +.It 1 Ta reassemb Ta timex Ta "Time exceeded in reassembly" +.It 0 Ta badhead Ta paramprob Ta "Erroneous header field" +.It 1 Ta nxthdr Ta paramprob Ta "Unrecognized next header" +.It 2 Ta "" Ta redir Ta "Unrecognized option" +.It 0 Ta redironlink Ta redir Ta "Redirection to on-link node" +.It 1 Ta redirrouter Ta redir Ta "Redirection to better router" +.El +.Ss Headers All ICMPv6 messages are prefixed with an ICMPv6 header. This header corresponds to the .Vt icmp6_hdr @@ -112,7 +166,7 @@ describes the sub-type of the message and depends on contains the checksum for the message and is filled in by the kernel on outgoing messages. The other fields are used for type-specific purposes. -.Pp +.Ss Filters Because of the extra functionality of ICMPv6 in comparison to ICMPv4, a larger number of messages may be potentially received on an ICMPv6 socket. diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index 762534c7ab7..8f82a9013b9 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.320 2004/12/22 17:17:56 dhartmei Exp $ +.\" $OpenBSD: pf.conf.5,v 1.321 2004/12/23 20:33:03 jaredy Exp $ .\" .\" Copyright (c) 2002, Daniel Hartmeier .\" All rights reserved. 
@@ -1458,9 +1458,18 @@ All of SYN, FIN, RST and ACK must be unset. .It Ar icmp6-type <type> code <code> This rule only applies to ICMP or ICMPv6 packets with the specified type and code. +Text names for ICMP types and codes are listed in +.Xr icmp 4 +and +.Xr icmp6 4 . This parameter is only valid for rules that cover protocols ICMP or ICMP6. -The protocol and the ICMP type indicator (icmp-type or icmp6-type) +The protocol and the ICMP type indicator +.Po +.Ar icmp-type +or +.Ar icmp6-type +.Pc must match. .It Ar allow-opts By default, packets which contain IP options are blocked. |
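Review bot: in share/man/man4/icmp.4 (hunk @@ -84,6 +84,76 @@), the code 15 row of the codes table misspells its type column: `.It 15 Ta cutoff-preced Ta unreac Ta "Precedence cutoff"` should say `unreach`, matching the rows for codes 0 through 14. Since the Num column restarts for every type (0 appears for unreach, redir, routeradv, timex and paramprob), the Type column is the only thing that disambiguates a row, so it needs to be exact. A sentence before the codes table saying that a code is only meaningful together with its type would also help readers who copy these names into pf.conf rules.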
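Review bot: in share/man/man4/icmp6.4 (hunk @@ -74,7 +74,61 @@), the codes table row `.It 2 Ta "" Ta redir Ta "Unrecognized option"` has an empty abbreviation and is typed `redir`, yet it sits directly after the `paramprob` codes 0 and 1 and before the `redir` codes 0 and 1. Please confirm the intended type for this row (it reads like the third `paramprob` code) and either fill in the abbreviation or say explicitly that there is no text name for it, so a reader does not guess one in a filter rule. Two descriptions in the same hunk have typos: "Multicast listerner done" should be "listener" and "Not a neighbor (obselete)" should be "obsolete". The types table also lists 130, 131, 132, 139 and 140 under more than one abbreviation, and code 2 of `unreach` twice; one sentence stating that these are alternative names for the same number would make that clear.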
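Review bot: in share/man/man5/pf.conf.5 (hunk @@ -1458,9 +1458,18 @@), the new sentence "Text names for ICMP types and codes are listed in icmp(4) and icmp6(4)" does not say which page goes with which keyword. The two tables added by this commit reuse names with different numbers (for example `unreach` is type 3 in icmp.4 and type 1 in icmp6.4, `echoreq` is 8 versus 128), so it is worth stating that `icmp-type` takes the names from icmp(4) and `icmp6-type` those from icmp6(4). That fits naturally next to the reworded sentence requiring the protocol and the type indicator to match.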