path: root/sbin/pfctl/pfctl.8
author: Henning Brauer <henning@cvs.openbsd.org> 2002-06-25 08:13:27 +0000
committer: Henning Brauer <henning@cvs.openbsd.org> 2002-06-25 08:13:27 +0000
commit: bc5e45eaa6b5ab08915bf407374757eca204ffbc (patch)
tree: fe646e020bb00a631cbd4137fa0490fb4c360c07 /sbin/pfctl/pfctl.8
parent: 013d571c5cb317eb071a32d992578f437cb220a9 (diff)
move pfctl options -t, -m, -O and -l to pf.conf. These are set using the
"set" keyword.

example rulefile:

set optimization aggressive
set timeout { tcp.closing 6, tcp.opening 6 }
set limit { states 1000, frags 1000 }
set loginterface wi0
pass out all keep state label "$nr:$srcaddr:$srcport:$dstaddr:$dstport"
block in all

fries@ is working on an updated pf.conf(5)
discussed at c2k2 and on icb
ok dhartmei@, kjell@
Diffstat (limited to 'sbin/pfctl/pfctl.8')
-rw-r--r--  sbin/pfctl/pfctl.8 | 134
1 files changed, 10 insertions, 124 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index e2175b12f8a..7abe7e5687b 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfctl.8,v 1.49 2002/06/11 06:49:19 kjell Exp $
+.\" $OpenBSD: pfctl.8,v 1.50 2002/06/25 08:13:25 henning Exp $
.\"
.\" Copyright (c) 2001 Kjell Wooding. All rights reserved.
.\"
@@ -126,69 +126,21 @@ Example:
.Ed
.It Fl h
Help.
-.It Fl l Ar interface
-Enable collection of packet and byte count statistics for interface named
-.Ar interface .
-These statistics can be viewed with the
-.Fl s Ar info
-option.
-.It Fl m Ar modifier
-Gets or sets hard limits on the memory pools used by the packet filter.
-See
-.Xr pool 9
-for an explanation of memory pools.
-The modifier has the form name[=limit], where name specifies one of the
-following pools and limit is either a positive integer (maximum number
-of pool entries) or the string "inf" (removes the limit):
-.Bl -tag -width "m states[=limit] " -compact
-.It Fl m Ar states[=limit]
-Maximum number of entries in the memory pool used by state table
-entries (generated by 'keep state' rules).
-.It Fl m Ar frags[=limit]
-Maximum number of entries in the memory pool used for fragment
-caching (generated by 'scrub' rules).
-.It Fl m Ar all
-Display all maxima, cannot be set.
-.El
.It Fl n
Do not actually load rules, just parse them.
.It Fl N
-Load only the NAT rules present in the rule file. Filter rules are
+Load only the NAT rules present in the rule file. Filter rules and options are
ignored
-.It Fl O Ar modifier
-Optimize the engine to one of the following network topographies or
-environments:
-.Bl -tag -width "O high-latency " -compact
-.It Fl O Ar default
-A normal network environment.
-Suitable for almost all networks.
-.It Fl O Ar normal
-Alias for
-.Em default
-.It Fl O Ar high-latency
-A high-latency environment (such as a satellite connection)
-.It Fl O Ar satellite
-Alias for
-.Em high-latency
-.It Fl O Ar aggressive
-Aggressively expire connections when they are likely no longer valid.
-This can greatly reduce the memory usage of the firewall at the cost of
-dropping idle connections early.
-.It Fl O Ar conservative
-Extremely conservative settings.
-Pains will be taken to avoid dropping legitimate connections at the
-expense of greater memory utilization (possibly much greater on a busy
-network) and slightly increased processor utilization.
-.El
-Currently the optimizations only encompass the state table timeouts but much
-more is planned in future revisions of the finite state machines (FSMs).
.It Fl q
Only print errors and warnings.
.It Fl r
Perform reverse DNS lookups on states when displaying them.
.It Fl R
-Load only the filter rules present in the rule file. NAT rules are
+Load only the filter rules present in the rule file. NAT rules and options are
ignored.
+.It Fl O
+Load only the options present in the rule file. Filter and NAT rules are
+ignored
.It Fl s Ar modifier
Show filter parameters.
Modifier names may be abbreviated:
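Review bot: the new `.It Fl O` entry is inserted after `-R` rather than in its alphabetical place between `-N` and `-q`, where the removed `.It Fl O Ar modifier` entry sat, and its text ends in "ignored" without the period that the neighbouring `-R` line ("ignored.") has; move the three added lines up and end them with "ignored." (the `-N` line carries the same missing period and could be fixed while here). The hunk also deletes the entire description of `-l`, `-m` and the optimization modes without adding a pointer to where those settings now live; a `.Xr pf.conf 5` reference beside the new `-O` text would tell readers of this page where the `set` options are documented.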
@@ -211,79 +163,13 @@ Show filter information (statistics and counters).
.It Fl s Ar labels
Show per-rule statistics (in terse format) of filter rules with labels,
useful for accounting.
+.It Fl s Ar timeouts
+Show the current global timeouts.
+.It Fl s Ar memory
+Show the current pool memory hard limits.
.It Fl s Ar all
Show all of the above.
.El
-.It Fl t Ar modifier
-Get a timeout or interval value.
-Any of the modifiers may be set, with the exception of
-.Em all ,
-by appending =<seconds> to the modifier without any whitespace seperating
-the modifier, the equals and the number of seconds.
-.Bl -tag -width "t interval " -compact
-.It Fl t Ar all
-Display all timeouts and intervals.
-.It Fl t Ar interval
-Interval between purging expired states and fragments.
-.It Fl t Ar frag
-Seconds before an unassembled fragment is expired.
-.El
-.Pp
-When a packet matches a stateful connection, the seconds to live of the
-connection will be updated to that of the proto.modifier which corresponds
-to the connection state.
-Each packet which matches this state will reset the TTL.
-Tuning these values may improve the performance of the
-firewall at the risk of dropping valid idled connections.
-.Bl -tag -width "t tcp.established " -compact
-.It Fl t Ar tcp.first
-The state after the first packet.
-.It Fl t Ar tcp.opening
-The state before the destination host ever sends a packet.
-.It Fl t Ar tcp.established
-The fully established state.
-.It Fl t Ar tcp.closing
-The state after the first FIN has been sent.
-.It Fl t Ar tcp.finwait
-The state after both FINs have been exchanged and the connection is closed.
-Some hosts (notably web servers on Solaris) send TCP packets even after closing
-the connection.
-Increasing tcp.finwait (and possibly tcp.closing) can prevent blocking of
-such packets.
-.It Fl t Ar tcp.closed
-The state after one endpoint sends a RST.
-.El
-.Pp
-ICMP and UDP are handled in a similar fashion to TCP but with a much more
-limited set of states:
-.Bl -tag -width "t udp.multiple " -compact
-.It Fl t Ar udp.first
-The state after the first packet.
-.It Fl t Ar udp.single
-The state if the source host sends more than one packet but the destination
-host has never sent one back.
-.It Fl t Ar udp.multiple
-The state if both hosts have sent packets.
-.It Fl t Ar icmp.first
-The state after the first packet.
-.It Fl t Ar icmp.error
-The state after an icmp error came back in response to an icmp packet.
-.El
-.Pp
-Other protocols are handled similarly to UDP:
-.Bl -tag -width "t other.multiple " -compact
-.It Fl t Ar other.first
-.It Fl t Ar other.single
-.It Fl t Ar other.multiple
-.El
-.Bd -literal
-Example:
- Timeout established connections after an hour of inactivity
- # pfctl -t tcp.established=3600
-
- Display the current established idle timeout
- # pfctl -t tcp.established
-.Ed
.It Fl v
Produce more verbose output.
.It Fl x Ar level
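Review bot: the new `.It Fl s Ar timeouts` and `.It Fl s Ar memory` entries display values whose names (tcp.established, states, frags and so on) were explained only in the `-t` and `-m` text this hunk removes, so the page no longer tells the reader what that output means; add a `.Xr pf.conf 5` reference to the `set timeout` and `set limit` options on those two lines. Dropping the `.Bd -literal` example block also leaves no usage example for viewing timeouts; a replacement example line such as "# pfctl -s timeouts" in its place would keep one.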