author | Mike Frantzen <frantzen@cvs.openbsd.org> | 2001-09-15 03:54:41 +0000 |
---|---|---|
committer | Mike Frantzen <frantzen@cvs.openbsd.org> | 2001-09-15 03:54:41 +0000 |
commit | adeb7017dd09e40a6a27a4a9c5242c35377a7009 (patch) | |
tree | 4363966006567e7a4d76a052d57a7c3c54d56678 /share/man | |
parent | 30f56e676fcfe49de9e3435f2ddfdf2723c5c03d (diff) |
IPv6 support from Ryan McBride (mcbride@countersiege.com)
Diffstat (limited to 'share/man')
-rw-r--r-- | share/man/man4/pf.4 | 12 | ||||
-rw-r--r-- | share/man/man5/pf.conf.5 | 35 |
2 files changed, 31 insertions, 16 deletions
diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4 index 2d1baef5fb0..1edbd9a21e3 100644 --- a/share/man/man4/pf.4 +++ b/share/man/man4/pf.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.4,v 1.5 2001/09/05 12:34:44 dhartmei Exp $ +.\" $OpenBSD: pf.4,v 1.6 2001/09/15 03:54:40 frantzen Exp $ .\" .\" Copyright (C) 2001, Kjell Wooding. All rights reserved. .\" @@ -37,7 +37,7 @@ .Sh DESCRIPTION The .Nm -interface is a packet filter pseudo-device for IPv4. +interface is a packet filter pseudo-device for IPv4 and IPv6. .Pp .Nm is administered using the @@ -158,10 +158,10 @@ Gets the internal packet filter statistics. Looks up a state table entry by source and destination addresses and ports. .Bd -literal struct pfioc_natlook { - u_int32_t saddr; - u_int32_t daddr; - u_int32_t rsaddr; - u_int32_t rdaddr; + struct pf_addr saddr; + struct pf_addr daddr; + struct pf_addr rsaddr; + struct pf_addr rdaddr; u_int16_t sport; u_int16_t dport; u_int16_t rsport; diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5 index cfd0bc37d43..7c2279e6f2b 100644 --- a/share/man/man5/pf.conf.5 +++ b/share/man/man5/pf.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.conf.5,v 1.13 2001/08/28 08:48:57 dhartmei Exp $ +.\" $OpenBSD: pf.conf.5,v 1.14 2001/09/15 03:54:40 frantzen Exp $ .\" .\" Copyright (c) 2001, Daniel Hartmeier .\" All rights reserved. 
@@ -46,16 +46,19 @@ Syntax for filter rules in BNF: .Bd -literal rule = action ( "in" | "out" ) [ "log" | "log-all" ] [ "quick" ] - [ "on" interface-name ] + [ "on" interface-name ] [ af ] [ "proto" ( proto-name | proto-number | "{" proto-list "}" ) ] hosts - [ flags ] [ icmp-type ] [ "keep-state" ] [ "modulate-state" ] + [ flags ] ( [ icmp-type ] | [ ipv6-icmp-type ] ) + [ "keep-state" ] [ "modulate-state" ] [ "no-df" ] [ "min-ttl" number ] . action = "pass" | "block" [ return ] | "scrub" . return = "return-rst" | - "return-icmp" [ "(" ( icmp-code-name | icmp-code-number ) ")" ] . + "return-icmp" [ "(" ( icmp-code-name | icmp-code-number ) ")" ] | + "return-icmp6" [ "(" ( icmp-code-name | icmp-code-number ) ")" ] . +af = "inet" | "inet6" . proto-list = ( proto-name | proto-number ) [ "," proto-list ] . hosts = "all" | @@ -73,8 +76,12 @@ binary-op = port-number ( "<>" | "><" ) port-number . flags = "flags" ( flag-set | flag-set "/" flag-set | "/" flag-set ) . flag-set = [ "F" ] [ "S" ] [ "R" ] [ "P" ] [ "A" ] [ "U" ] . -icmp-type = "icmp-type" ( icmp-type-name | icmp-type-number ) - [ "code" ( icmp-code-name | icmp-code-number ) ] . +icmp-type = "icmp-type" ( icmp-type-code | "{" icmp-list "}" ) . +ipv6-icmp-type = "ipv6-icmp-type" ( icmp-type-code | "{" icmp-list "}" ) . +icmp-type-code = ( icmp-type-name | icmp-type-number ) + [ "code" ( icmp-code-name | icmp-code-number ) ] . +icmp-list = icmp-type-code [ "," icmp-list ] . + .Ed .Sh FILTER RULES Filter rules are typically manipulated using @@ -115,6 +122,7 @@ to the sender, where applicable. .It Em scrub The packet is run through normalization/defragmentation. Scrub rules are not considered last matching rules. +IPv6 packets are not defragmented. .El .Sh LOGGING .Bl -tag -width Fl 
@@ -160,9 +168,12 @@ To cover both directions, two rules are needed. .Ss on <interface> The rule applies only to packets coming in on or going out through this particular interface. +.Ss <af> +The rule applies only to packets of this address family. +Supported values are inet and inet6. .Ss proto <protocol> The rule applies only to packets of this protocol. -Common protocols used here are tcp, udp and icmp. +Common protocols used here are tcp, udp, icmp and ipv6-icmp. .Ss from <source> port <source> to <dest> port <dest> The rule applies only to packets with the specified source and destination addresses/ports. @@ -215,9 +226,13 @@ rule. This is more restrictive than the previous example. If the first set is not specified, it defaults to none. All of SYN, FIN, RST and ACK must be unset. .El -.Ss icmp-type <type> code <code> -The rule only applies to ICMP packets with the specified type and code. -This parameter is only valid for rules that cover protocol icmp. +.Ss icmp-type <type> code <code> and ipv6-icmp-type <type> code <code> +The rule only applies to ICMP or ICMPV6 packets with the specified type +and code. +This parameter is only valid for rules that cover protocols icmp or +ipv6-icmp. +The protocol and the icmp type indicator (icmp-type or ipv6-icmp-type) +must match. .Sh MACROS .Em pfctl supports macro definition and expansion like: |