authorChristiano F. Haesbaert <haesbaert@cvs.openbsd.org>2012-02-10 00:08:21 +0000
committerChristiano F. Haesbaert <haesbaert@cvs.openbsd.org>2012-02-10 00:08:21 +0000
commitb81a0c92860782ebd8168982fb34d62c4bff01f8 (patch)
treec9eae44750e7bc996d80fecc97256582f54a3965 /share/man
parent79eb7a428273715b4a82c35102dde9996b46940f (diff)
Clarify pf manpage and change example from DIOCNATLOOK to DIOCGETLIMIT.
From Lawrence Teo, input from sthen@ and jmc@. ok deraadt@
Diffstat (limited to 'share/man')
-rw-r--r--share/man/man4/pf.4106
1 files changed, 68 insertions, 38 deletions
diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4
index 3568b5744d3..2a3d1439090 100644
--- a/share/man/man4/pf.4
+++ b/share/man/man4/pf.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.4,v 1.73 2011/12/23 17:00:47 jmc Exp $
+.\" $OpenBSD: pf.4,v 1.74 2012/02/10 00:08:20 haesbaert Exp $
.\"
.\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
.\"
@@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd $Mdocdate: December 23 2011 $
+.Dd $Mdocdate: February 10 2012 $
.Dt PF 4
.Os
.Sh NAME
@@ -314,6 +314,22 @@ struct pfioc_natlook {
u_int8_t direction;
};
.Ed
+.Pp
+This was primarily used to support transparent proxies with rdr-to rules.
+New proxies should use divert-to rules instead.
+These do not require access to the privileged
+.Pa /dev/pf
+device and preserve the original destination address for
+.Xr getsockname 2 .
+For
+.Dv SOCK_DGRAM
+sockets, the
+.Xr ip 4
+socket options
+.Dv IP_RECVDSTADDR
+and
+.Dv IP_RECVDSTPORT
+can be used to retrieve the destination address and port.
.It Dv DIOCSETDEBUG Fa "u_int32_t *level"
Set the debug level.
See the
@@ -990,69 +1006,83 @@ packet filtering device.
.El
.Sh EXAMPLES
The following example demonstrates how to use the
-.Dv DIOCNATLOOK
-command to find the internal host/port of a NATed connection:
+.Dv DIOCGETLIMIT
+command to show the hard limit of a memory pool used by the packet filter:
.Bd -literal
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/fcntl.h>
#include <net/if.h>
-#include <netinet/in.h>
#include <net/pfvar.h>
-#include <err.h>
#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
+#include <err.h>
-u_int32_t
-read_address(const char *s)
-{
- int a, b, c, d;
-
- sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
- return htonl(a << 24 | b << 16 | c << 8 | d);
-}
+static const struct {
+ const char *name;
+ int index;
+} pf_limits[] = {
+ { "states", PF_LIMIT_STATES },
+ { "src-nodes", PF_LIMIT_SRC_NODES },
+ { "frags", PF_LIMIT_FRAGS },
+ { "tables", PF_LIMIT_TABLES },
+ { "table-entries", PF_LIMIT_TABLE_ENTRIES },
+ { NULL, 0 }
+};
void
-print_address(u_int32_t a)
+usage(void)
{
- a = ntohl(a);
- printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
- a >> 8 & 255, a & 255);
+ extern char *__progname;
+ int i;
+
+ fprintf(stderr, "usage: %s [", __progname);
+ for (i = 0; pf_limits[i].name; i++)
+ fprintf(stderr, "%s%s", (i > 0 ? "|" : ""), pf_limits[i].name);
+ fprintf(stderr, "]\en");
+ exit(1);
}
int
main(int argc, char *argv[])
{
- struct pfioc_natlook nl;
- int dev;
+ struct pfioc_limit pl;
+ int i, dev;
+ int pool_index = -1;
- if (argc != 5) {
- printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\en",
- argv[0]);
- return 1;
+ if (argc != 2)
+ usage();
+
+ for (i = 0; pf_limits[i].name; i++)
+ if (!strcmp(argv[1], pf_limits[i].name)) {
+ pool_index = pf_limits[i].index;
+ break;
+ }
+
+ if (pool_index == -1) {
+ warnx("no such memory pool: %s", argv[1]);
+ usage();
}
dev = open("/dev/pf", O_RDWR);
if (dev == -1)
err(1, "open(\e"/dev/pf\e") failed");
- memset(&nl, 0, sizeof(struct pfioc_natlook));
- nl.saddr.v4.s_addr = read_address(argv[1]);
- nl.sport = htons(atoi(argv[2]));
- nl.daddr.v4.s_addr = read_address(argv[3]);
- nl.dport = htons(atoi(argv[4]));
- nl.af = AF_INET;
- nl.proto = IPPROTO_TCP;
- nl.direction = PF_IN;
+ bzero(&pl, sizeof(struct pfioc_limit));
+ pl.index = pool_index;
+
+ if (ioctl(dev, DIOCGETLIMIT, &pl))
+ err(1, "DIOCGETLIMIT");
- if (ioctl(dev, DIOCNATLOOK, &nl))
- err(1, "DIOCNATLOOK");
+ printf("The %s memory pool has ", pf_limits[i].name);
+ if (pl.limit == UINT_MAX)
+ printf("unlimited entries.\en");
+ else
+ printf("a hard limit of %u entries.\en", pl.limit);
- printf("internal host ");
- print_address(nl.rsaddr.v4.s_addr);
- printf(":%u\en", ntohs(nl.rsport));
- return 0;
+ return (0);
}
.Ed
.Sh SEE ALSO
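Review bot: The new example compares `pl.limit == UINT_MAX` but none of the listed headers is `<limits.h>`, where UINT_MAX is declared; unless one of the system headers pulls it in transitively, readers who paste this program will get an undeclared-identifier error, so add `#include <limits.h>` alongside `<string.h>`. The example also opens the device as `dev = open("/dev/pf", O_RDWR);` although it only issues the read-only DIOCGETLIMIT query; if pf permits that ioctl on a read-only descriptor (its ioctl handler keeps a list of commands allowed without FWRITE — worth confirming), `O_RDONLY` is the least-privilege choice and better advice for a manual example than requesting write access to the firewall. As a point of style, `bzero(&pl, sizeof(struct pfioc_limit));` is the legacy form; `memset(&pl, 0, sizeof(pl));` matches the `<string.h>` include the patch already adds and is what current code is written with.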