author | Christiano F. Haesbaert <haesbaert@cvs.openbsd.org> | 2012-02-10 00:08:21 +0000 |
committer | Christiano F. Haesbaert <haesbaert@cvs.openbsd.org> | 2012-02-10 00:08:21 +0000 |
commit | b81a0c92860782ebd8168982fb34d62c4bff01f8 (patch) | |
tree | c9eae44750e7bc996d80fecc97256582f54a3965 /share/man | |
parent | 79eb7a428273715b4a82c35102dde9996b46940f (diff) |
Clarify pf manpage and change example from DIOCNATLOOK to DIOCGETLIMIT.
From Lawrence Teo, input from sthen@ and jmc@.
ok deraadt@
Diffstat (limited to 'share/man')
-rw-r--r-- | share/man/man4/pf.4 | 106 |
1 files changed, 68 insertions, 38 deletions
diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4
index 3568b5744d3..2a3d1439090 100644
--- a/share/man/man4/pf.4
+++ b/share/man/man4/pf.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.4,v 1.73 2011/12/23 17:00:47 jmc Exp $
+.\" $OpenBSD: pf.4,v 1.74 2012/02/10 00:08:20 haesbaert Exp $
 .\"
 .\" Copyright (C) 2001, Kjell Wooding. All rights reserved.
 .\"
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 23 2011 $
+.Dd $Mdocdate: February 10 2012 $
 .Dt PF 4
 .Os
 .Sh NAME
@@ -314,6 +314,22 @@ struct pfioc_natlook {
 u_int8_t direction;
 };
 .Ed
+.Pp
+This was primarily used to support transparent proxies with rdr-to rules.
+New proxies should use divert-to rules instead.
+These do not require access to the privileged
+.Pa /dev/pf
+device and preserve the original destination address for
+.Xr getsockname 2 .
+For
+.Dv SOCK_DGRAM
+sockets, the
+.Xr ip 4
+socket options
+.Dv IP_RECVDSTADDR
+and
+.Dv IP_RECVDSTPORT
+can be used to retrieve the destination address and port.
 .It Dv DIOCSETDEBUG Fa "u_int32_t *level"
 Set the debug level.
 See the
@@ -990,69 +1006,83 @@ packet filtering device.
 .El
 .Sh EXAMPLES
 The following example demonstrates how to use the
-.Dv DIOCNATLOOK
-command to find the internal host/port of a NATed connection:
+.Dv DIOCGETLIMIT
+command to show the hard limit of a memory pool used by the packet filter:
 .Bd -literal
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/ioctl.h>
 #include <sys/fcntl.h>
 #include <net/if.h>
-#include <netinet/in.h>
 #include <net/pfvar.h>
-#include <err.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
+#include <err.h>
-u_int32_t
-read_address(const char *s)
-{
- int a, b, c, d;
-
- sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d);
- return htonl(a << 24 | b << 16 | c << 8 | d);
-}
+static const struct {
+ const char *name;
+ int index;
+} pf_limits[] = {
+ { "states", PF_LIMIT_STATES },
+ { "src-nodes", PF_LIMIT_SRC_NODES },
+ { "frags", PF_LIMIT_FRAGS },
+ { "tables", PF_LIMIT_TABLES },
+ { "table-entries", PF_LIMIT_TABLE_ENTRIES },
+ { NULL, 0 }
+};
 void
-print_address(u_int32_t a)
+usage(void)
 {
- a = ntohl(a);
- printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255,
- a >> 8 & 255, a & 255);
+ extern char *__progname;
+ int i;
+
+ fprintf(stderr, "usage: %s [", __progname);
+ for (i = 0; pf_limits[i].name; i++)
+ fprintf(stderr, "%s%s", (i > 0 ? "|" : ""), pf_limits[i].name);
+ fprintf(stderr, "]\en");
+ exit(1);
 }
 int
 main(int argc, char *argv[])
 {
- struct pfioc_natlook nl;
- int dev;
+ struct pfioc_limit pl;
+ int i, dev;
+ int pool_index = -1;
- if (argc != 5) {
- printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\en",
- argv[0]);
- return 1;
+ if (argc != 2)
+ usage();
+
+ for (i = 0; pf_limits[i].name; i++)
+ if (!strcmp(argv[1], pf_limits[i].name)) {
+ pool_index = pf_limits[i].index;
+ break;
+ }
+
+ if (pool_index == -1) {
+ warnx("no such memory pool: %s", argv[1]);
+ usage();
 }
 dev = open("/dev/pf", O_RDWR);
 if (dev == -1)
 err(1, "open(\e"/dev/pf\e") failed");
- memset(&nl, 0, sizeof(struct pfioc_natlook));
- nl.saddr.v4.s_addr = read_address(argv[1]);
- nl.sport = htons(atoi(argv[2]));
- nl.daddr.v4.s_addr = read_address(argv[3]);
- nl.dport = htons(atoi(argv[4]));
- nl.af = AF_INET;
- nl.proto = IPPROTO_TCP;
- nl.direction = PF_IN;
+ bzero(&pl, sizeof(struct pfioc_limit));
+ pl.index = pool_index;
+
+ if (ioctl(dev, DIOCGETLIMIT, &pl))
+ err(1, "DIOCGETLIMIT");
- if (ioctl(dev, DIOCNATLOOK, &nl))
- err(1, "DIOCNATLOOK");
+ printf("The %s memory pool has ", pf_limits[i].name);
+ if (pl.limit == UINT_MAX)
+ printf("unlimited entries.\en");
+ else
+ printf("a hard limit of %u entries.\en", pl.limit);
- printf("internal host ");
- print_address(nl.rsaddr.v4.s_addr);
- printf(":%u\en", ntohs(nl.rsport));
- return 0;
+ return (0);
 }
 .Ed
 .Sh SEE ALSO |