-rw-r--r-- | share/man/man5/pf.conf.5 | 254 |
1 files changed, 144 insertions, 110 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index 8a844fe474f..4157afe870d 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.342 2006/03/14 11:09:44 djm Exp $
+.\" $OpenBSD: pf.conf.5,v 1.343 2006/04/30 10:12:21 jmc Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -181,9 +181,9 @@ when running with
 .Pp
 For example,
 .Bd -literal -offset indent
-table <private> const { 10/8, 172.16/12, 192.168/16 }
-table <badhosts> persist
-block on fxp0 from { <private>, <badhosts> } to any
+table \*(Ltprivate\*(Gt const { 10/8, 172.16/12, 192.168/16 }
+table \*(Ltbadhosts\*(Gt persist
+block on fxp0 from { \*(Ltprivate\*(Gt, \*(Ltbadhosts\*(Gt } to any
 .Ed
 .Pp
 creates a table called private, to hold RFC 1918 private network
@@ -201,8 +201,8 @@ these hosts can be blocked by using
 A table can also be initialized with an address list specified in
 one or more external files, using the following syntax:
 .Bd -literal -offset indent
-table <spam> persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
-block on fxp0 from <spam> to any
+table \*(Ltspam\*(Gt persist file \&"/etc/spammers\&" file \&"/etc/openrelays\&"
+block on fxp0 from \*(Ltspam\*(Gt to any
 .Ed
 .Pp
 The files
@@ -491,7 +491,7 @@ For example:
 .Pp
 .Dl set fingerprints \&"/etc/pf.os.devel\&"
 .Pp
-.It Ar set skip on <ifspec>
+.It Ar set skip on Aq Ar ifspec
 List interfaces for which packets should not be filtered.
 Packets passing in or out on such interfaces are passed as if pf was
 disabled, i.e. pf does not process them in any way.
@@ -558,9 +558,9 @@ Using the
 modifier (see below) is recommended in combination with the
 .Ar no-df
 modifier to ensure unique IP identifiers.
-.It Ar min-ttl <number>
+.It Ar min-ttl Aq Ar number
 Enforces a minimum TTL for matching IP packets.
-.It Ar max-mss <number>
+.It Ar max-mss Aq Ar number
 Enforces a maximum MSS for matching TCP packets.
 .It Ar random-id
 Replaces the IP identification field with random values to compensate
@@ -771,9 +771,9 @@ declaration.
 .Ar altq on
 has the following keywords:
 .Bl -tag -width xxxx
-.It Ar <interface>
+.It Aq Ar interface
 Queueing is enabled on the named interface.
-.It Ar <scheduler>
+.It Aq Ar scheduler
 Specifies which queueing scheduler to use.
 Currently supported values are
@@ -783,7 +783,7 @@ for Class Based Queueing,
 for Priority Queueing and
 .Ar hfsc
 for the Hierarchical Fair Service Curve scheduler.
-.It Ar bandwidth <bw>
+.It Ar bandwidth Aq Ar bw
 The maximum bitrate for all queues on an interface may be specified using
 the
 .Ar bandwidth
@@ -802,14 +802,14 @@ The value must not exceed the interface bandwidth.
 If
 .Ar bandwidth
 is not specified, the interface bandwidth is used.
-.It Ar qlimit <limit>
+.It Ar qlimit Aq Ar limit
 The maximum number of packets held in the queue.
 The default is 50.
-.It Ar tbrsize <size>
+.It Ar tbrsize Aq Ar size
 Adjusts the size, in bytes, of the token bucket regulator.
 If not specified, heuristics based on the interface
 bandwidth are used to determine the size.
-.It Ar queue <list>
+.It Ar queue Aq Ar list
 Defines a list of subqueues to create on an interface.
 .El
 .Pp
@@ -838,10 +838,10 @@ in a parent declaration.
 The following keywords can be used:
 .Bl -tag -width xxxx
-.It Ar on <interface>
+.It Ar on Aq Ar interface
 Specifies the interface the queue operates on.
 If not given, it operates on all matching interfaces.
-.It Ar bandwidth <bw>
+.It Ar bandwidth Aq Ar bw
 Specifies the maximum bitrate to be processed by the queue.
 This value must not exceed the value of the parent
 .Ar queue
@@ -851,7 +851,7 @@ If not specified, defaults to 100% of the parent queue's bandwidth.
 The
 .Ar priq
 scheduler does not support bandwidth specification.
-.It Ar priority <level>
+.It Ar priority Aq Ar level
 Between queues a priority level can be set.
 For
 .Ar cbq
@@ -867,7 +867,7 @@ queues with a higher priority are always served first.
 and
 .Ar Hfsc
 queues with a higher priority are preferred in the case of overload.
-.It Ar qlimit <limit>
+.It Ar qlimit Aq Ar limit
 The maximum number of packets held in the queue.
 The default is 50.
 .El
@@ -875,7 +875,9 @@ The default is 50.
 The
 .Ar scheduler
 can get additional parameters with
-.Ar <scheduler> Ns Li (\& Ar <parameters> No ) .
+.Xo Aq Ar scheduler
+.Pf ( Aq Ar parameters ) .
+.Xc
 Parameters are as follows:
 .Bl -tag -width Fl
 .It Ar default
@@ -909,15 +911,16 @@ The
 .Ar scheduler
 supports some additional options:
 .Bl -tag -width Fl
-.It Ar realtime <sc>
+.It Ar realtime Aq Ar sc
 The minimum required bandwidth for the queue.
-.It Ar upperlimit <sc>
+.It Ar upperlimit Aq Ar sc
 The maximum allowed bandwidth for the queue.
-.It Ar linkshare <sc>
+.It Ar linkshare Aq Ar sc
 The bandwidth share of a backlogged queue.
 .El
 .Pp
-<sc> is an acronym for
+.Aq Ar sc
+is an acronym for
 .Ar service curve .
 .Pp
 The format for service curve specifications is
@@ -1047,9 +1050,9 @@ The packet is redirected to another destination and possibly a
 different port.
 .Ar rdr
 rules can optionally specify port ranges instead of single ports.
-rdr ... port 2000:2999 -> ... port 4000
+rdr ... port 2000:2999 -\*(Gt ... port 4000
 redirects ports 2000 to 2999 (inclusive) to port 4000.
-rdr ... port 2000:2999 -> ... port 4000:*
+rdr ... port 2000:2999 -\*(Gt ... port 4000:*
 redirects port 2000 to 4000, 2001 to 4001, ..., 2999 to 4999.
 .El
 .Pp
@@ -1094,7 +1097,7 @@ or to the firewall itself.
 Note that redirecting external incoming connections to the loopback
 address, as in
 .Bd -literal -offset indent
-rdr on ne3 inet proto tcp to port spamd -> 127.0.0.1 port smtp
+rdr on ne3 inet proto tcp to port spamd -\*(Gt 127.0.0.1 port smtp
 .Ed
 .Pp
 will effectively allow an external host to connect to daemons
@@ -1253,16 +1256,16 @@ If a packet matches a rule which has the
 option set, this rule is considered the last matching rule, and
 evaluation of subsequent rules is skipped.
-.It Ar on <interface>
+.It Ar on Aq Ar interface
 This rule applies only to packets coming in on, or going out through,
 this particular interface or interface group.
-.It Ar <af>
+.It Aq Ar af
 This rule applies only to packets of this address family.
 Supported values are
 .Ar inet
 and
 .Ar inet6 .
-.It Ar proto <protocol>
+.It Ar proto Aq Ar protocol
 This rule applies only to packets of this protocol.
 Common protocols are
 .Xr icmp 4 ,
@@ -1275,8 +1278,11 @@ For a list of all the protocol name to number mappings used by
 see the file
 .Em /etc/protocols .
 .It Xo
-.Ar from <source> port <source> os <source>
-.Ar to <dest> port <dest>
+.Ar from Aq Ar source
+.Ar port Aq Ar source
+.Ar os Aq Ar source
+.Ar to Aq Ar dest
+.Ar port Aq Ar dest
 .Xc
 This rule applies only to packets with the specified source and destination
 addresses and ports.
@@ -1287,9 +1293,9 @@ symbolic host names or interface names, or as any of the following keywords:
 .Bl -tag -width xxxxxxxxxxxxxx -compact
 .It Ar any
 Any address.
-.It Ar route <label>
+.It Ar route Aq Ar label
 Any address whose associated route has label
-.Ar <label> .
+.Aq Ar label .
 See
 .Xr route 4
 and
@@ -1300,7 +1306,7 @@ Any address which is not currently routable.
 Any source address that fails a unicast reverse path forwarding (URPF)
 check, i.e. packets coming in on an interface other than that which holds
 the route back to the packet's source address.
-.It Ar <table>
+.It Aq Ar table
 Any address that matches the given table.
 .El
 .Pp
@@ -1347,30 +1353,33 @@ Ports and ranges of ports are specified by using these operators:
 .Bd -literal -offset indent
 = (equal)
 != (unequal)
-< (less than)
-<= (less than or equal)
-> (greater than)
->= (greater than or equal)
+\*(Lt (less than)
+\*(Le (less than or equal)
+\*(Gt (greater than)
+\*(Ge (greater than or equal)
 : (range including boundaries)
->< (range excluding boundaries)
-<> (except range)
+\*(Gt\*(Lt (range excluding boundaries)
+\*(Lt\*(Gt (except range)
 .Ed
 .Pp
-><, <> and :
+.Sq \*(Gt\*(Lt ,
+.Sq \*(Lt\*(Gt
+and
+.Sq \&:
 are binary operators (they take two arguments).
 For instance:
 .Bl -tag -width Fl
 .It Ar port 2000:2004
 means
-.Sq all ports >= 2000 and <= 2004 ,
+.Sq all ports \*(Ge 2000 and \*(Le 2004 ,
 hence ports 2000, 2001, 2002, 2003 and 2004.
-.It Ar port 2000 >< 2004
+.It Ar port 2000 \*(Gt\*(Lt 2004
 means
-.Sq all ports > 2000 and < 2004 ,
+.Sq all ports \*(Gt 2000 and \*(Lt 2004 ,
 hence ports 2001, 2002 and 2003.
-.It Ar port 2000 <> 2004
+.It Ar port 2000 \*(Lt\*(Gt 2004
 means
-.Sq all ports < 2000 or > 2004 ,
+.Sq all ports \*(Lt 2000 or \*(Gt 2004 ,
 hence ports 1-1999 and 2005-65535.
 .El
 .Pp
@@ -1386,20 +1395,20 @@ The host, port and OS specifications are optional, as in the following examples:
 .Bd -literal -offset indent
 pass in all
 pass in from any to any
-pass in proto tcp from any port <= 1024 to any
+pass in proto tcp from any port \*(Le 1024 to any
 pass in proto tcp from any to any port 25
-pass in proto tcp from 10.0.0.0/8 port > 1024 \e
+pass in proto tcp from 10.0.0.0/8 port \*(Gt 1024 \e
 to ! 10.1.2.3 port != ssh
 pass in proto tcp from any os "OpenBSD" flags S/SA
 pass in proto tcp from route "DTAG"
 .Ed
 .It Ar all
 This is equivalent to "from any to any".
-.It Ar group <group>
+.It Ar group Aq Ar group
 Similar to
 .Ar user ,
 this rule only applies to packets of sockets owned by the specified group.
-.It Ar user <user>
+.It Ar user Aq Ar user
 This rule only applies to packets of sockets owned by the specified user.
 For outgoing connections initiated from the firewall, this is the user
 that opened the connection.
@@ -1432,7 +1441,7 @@ can only be used with the operators
 and
 .Cm != .
 Other constructs like
-.Cm user >= unknown
+.Cm user \*(Ge unknown
 are invalid.
 Forwarded packets with unknown user and group ID match only rules
 that explicitly compare against
@@ -1442,22 +1451,25 @@ with the operators
 or
 .Cm != .
 For instance
-.Cm user >= 0
+.Cm user \*(Ge 0
 does not match forwarded packets.
 The following example allows only selected users to open outgoing
 connections:
 .Bd -literal -offset indent
 block out proto { tcp, udp } all
 pass out proto { tcp, udp } all \e
- user { < 1000, dhartmei } keep state
+ user { \*(Lt 1000, dhartmei } keep state
 .Ed
-.It Ar flags <a>/<b> | /<b>
+.It Xo Ar flags Aq Ar a
+.Pf / Ns Aq Ar b
+.No \*(Ba / Ns Aq Ar b
+.Xc
 This rule only applies to TCP packets that have the flags
-.Ar <a>
+.Aq Ar a
 set out of set
-.Ar <b> .
+.Aq Ar b .
 Flags not specified in
-.Ar <b>
+.Aq Ar b
 are ignored.
 The flags are: (F)IN, (S)YN, (R)ST, (P)USH, (A)CK, (U)RG, (E)CE, and C(W)R.
 .Bl -tag -width Fl
@@ -1472,8 +1484,12 @@ This is more restrictive than the previous example.
 If the first set is not specified, it defaults to none.
 All of SYN, FIN, RST and ACK must be unset.
 .El
-.It Ar icmp-type <type> code <code>
-.It Ar icmp6-type <type> code <code>
+.It Xo Ar icmp-type Aq Ar type
+.Ar code Aq Ar code
+.Xc
+.It Xo Ar icmp6-type Aq Ar type
+.Ar code Aq Ar code
+.Xc
 This rule only applies to ICMP or ICMPv6 packets with the specified type
 and code.
 Text names for ICMP types and codes are listed in
@@ -1503,7 +1519,7 @@ The implicit
 .Ar pass
 rule that is used when a packet does not match any rules does not allow
 IP options.
-.It Ar label <string>
+.It Ar label Aq Ar string
 Adds a label (name) to the rule, which can be used to identify the rule.
 For instance,
 pfctl -s labels
@@ -1532,21 +1548,24 @@ For example:
 .Bd -literal -offset indent
 ips = \&"{ 1.2.3.4, 1.2.3.5 }\&"
 pass in proto tcp from any to $ips \e
- port > 1023 label \&"$dstaddr:$dstport\&"
+ port \*(Gt 1023 label \&"$dstaddr:$dstport\&"
 .Ed
 .Pp
 expands to
 .Bd -literal -offset indent
 pass in inet proto tcp from any to 1.2.3.4 \e
- port > 1023 label \&"1.2.3.4:>1023\&"
+ port \*(Gt 1023 label \&"1.2.3.4:\*(Gt1023\&"
 pass in inet proto tcp from any to 1.2.3.5 \e
- port > 1023 label \&"1.2.3.5:>1023\&"
+ port \*(Gt 1023 label \&"1.2.3.5:\*(Gt1023\&"
 .Ed
 .Pp
 The macro expansion for the
 .Ar label
 directive occurs only at configuration file parse time, not during runtime.
-.It Ar queue <queue> | ( <queue> , <queue> )
+.It Xo Ar queue Aq Ar queu
+.No \*(Ba ( Aq Ar queue ,
+.Aq Ar queue )
+.Xc
 Packets matching this rule will be assigned to the specified queue.
 If two queues are given, packets which have a
 .Em tos
@@ -1562,7 +1581,7 @@ For example:
 pass in proto tcp to port 25 queue mail
 pass in proto tcp to port 22 queue(ssh_bulk, ssh_prio)
 .Ed
-.It Ar tag <string>
+.It Ar tag Aq Ar string
 Packets matching this rule will be tagged with the specified string.
 The tag acts as an internal marker that can be used to
@@ -1584,7 +1603,7 @@ or
 .Ar binat
 rules in addition to filter rules.
 Tags take the same macros as labels (see above).
-.It Ar tagged <string>
+.It Ar tagged Aq Ar string
 Used with filter or translation rules to specify that packets must already
 be tagged with the given tag in order to match the rule.
 Inverse tag matching can also be done
@@ -1593,7 +1612,7 @@ by specifying the
 operator before the
 .Ar tagged
 keyword.
-.It Ar probability <number>
+.It Ar probability Aq Ar number
 A probability attribute can be attached to a rule, with a value
 set between 0 and 1, bounds not included.
 In that case, the rule will be honoured using the given probability value
@@ -1932,7 +1951,7 @@ and
 support the following options:
 .Pp
 .Bl -tag -width xxxx -compact
-.It Ar max <number>
+.It Ar max Aq Ar number
 Limits the number of concurrent states the rule may create.
 When this limit is reached, further packets matching the rule that would
 create state are dropped, until existing states time out.
@@ -1940,7 +1959,9 @@ create state are dropped, until existing states time out.
 Prevent state changes for states created by this rule from appearing on the
 .Xr pfsync 4
 interface.
-.It Ar <timeout> <seconds>
+.It Xo Aq Ar timeout
+.Aq Ar seconds
+.Xc
 Changes the timeout values used for states created by this rule.
 For a list of all valid timeout names, see
 .Sx OPTIONS
@@ -1981,10 +2002,10 @@ each individual rule's limits.
 The following limits can be set:
 .Pp
 .Bl -tag -width xxxx -compact
-.It Ar max-src-nodes <number>
+.It Ar max-src-nodes Aq Ar number
 Limits the maximum number of source addresses which can simultaneously
 have state table entries.
-.It Ar max-src-states <number>
+.It Ar max-src-states Aq Ar number
 Limits the maximum number of simultaneous state entries that a
 single source address can create with this rule.
 .El
@@ -1994,10 +2015,12 @@ which have completed the TCP 3-way handshake) can also be enforced per
 source IP.
 .Pp
 .Bl -tag -width xxxx -compact
-.It Ar max-src-conn <number>
+.It Ar max-src-conn Aq Ar number
 Limits the maximum number of simultaneous TCP connections which have
 completed the 3-way handshake that a single host can make.
-.It Ar max-src-conn-rate <number> / <seconds>
+.It Xo Ar max-src-conn-rate Aq Ar number
+.No / Aq Ar seconds
+.Xc
 Limit the rate of new connections over a time interval.
 The connection rate is an approximation calculated as a moving average.
 .El
@@ -2005,7 +2028,7 @@ The connection rate is an approximation calculated as a moving average.
 Because the 3-way handshake ensures that the source address is not being
 spoofed, more aggressive action can be taken based on these limits.
 With the
-.Ar overload <table>
+.Ar overload Aq Ar table
 state option, source IP addresses which hit either of the limits on
 established connections will be added to the named table.
 This table can be used in the ruleset to block further activity from
@@ -2024,13 +2047,15 @@ offending host, regardless of which rule created the state.
 For example, the following rules will protect the webserver against hosts
 making more than 100 connections in 10 seconds.
 Any host which connects faster than this rate will have its address added
-to the <bad_hosts> table and have all states originating from it flushed.
+to the
+.Aq bad_hosts
+table and have all states originating from it flushed.
 Any new packets arriving from this host will be dropped unconditionally by
 the block rule.
 .Bd -literal -offset indent
-block quick from <bad_hosts>
+block quick from \*(Ltbad_hosts\*(Gt
 pass in on $ext_if proto tcp to $webserver port www flags S/SA keep state \e
- (max-src-conn-rate 100/10, overload <bad_hosts> flush global)
+ (max-src-conn-rate 100/10, overload \*(Ltbad_hosts\*(Gt flush global)
 .Ed
 .Sh OPERATING SYSTEM FINGERPRINTING
 Passive OS Fingerprinting is a mechanism to inspect nuances of a TCP
@@ -2043,17 +2068,23 @@ upon.
 The fingerprints may be specified by operating system class, by
 version, or by subtype/patchlevel.
 The class of an operating system is typically the vendor or genre
-and would be OpenBSD for the
+and would be
+.Ox
+for the
 .Xr pf 4
 firewall itself.
-The version of the oldest available OpenBSD release on the main ftp site
+The version of the oldest available
+.Ox
+release on the main FTP site
 would be 2.6 and the fingerprint would be written
 .Pp
 .Dl \&"OpenBSD 2.6\&"
 .Pp
 The subtype of an operating system is typically used to describe the
 patchlevel if that patch led to changes in the TCP stack behavior.
-In the case of OpenBSD, the only subtype is for a fingerprint that was
+In the case of
+.Ox ,
+the only subtype is for a fingerprint that was
 normalized by the
 .Ar no-df
 scrub option and would be specified as
@@ -2235,25 +2266,28 @@ attachment point using the following kinds of rules:
 .Bl -tag -width xxxx
-.It Ar nat-anchor <name>
+.It Ar nat-anchor Aq Ar name
 Evaluates the
 .Ar nat
 rules in the specified
 .Ar anchor .
-.It Ar rdr-anchor <name>
+.It Ar rdr-anchor Aq Ar name
 Evaluates the
 .Ar rdr
 rules in the specified
 .Ar anchor .
-.It Ar binat-anchor <name>
+.It Ar binat-anchor Aq Ar name
 Evaluates the
 .Ar binat
 rules in the specified
 .Ar anchor .
-.It Ar anchor <name>
+.It Ar anchor Aq Ar name
 Evaluates the filter rules in the specified
 .Ar anchor .
-.It Ar load anchor <name> from <file>
+.It Xo Ar load anchor
+.Aq Ar name
+.Ar from Aq Ar file
+.Xc
 Loads the rules from the specified file into the
 anchor
 .Ar name .
@@ -2414,7 +2448,7 @@ and therefore lacks permission to bind to port 80).
 ext_if = \&"ne3\&"
 # map daemon on 8080 to appear to be on 80
-rdr on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
+rdr on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 port 8080
 .Ed
 .Pp
 If the
@@ -2422,7 +2456,7 @@ If the
 modifier is given, packets matching the translation rule are passed without
 inspecting the filter rules:
 .Bd -literal
-rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 \e
+rdr pass on $ext_if proto tcp from any to any port 80 -\*(Gt 127.0.0.1 \e
 port 8080
 .Ed
 .Pp
@@ -2435,7 +2469,7 @@ network appear as though it is the Internet routable address for the
 nodes on vlan12.
 (Thus, 192.168.168.1 can talk to the 192.168.168.0/24 nodes.)
 .Bd -literal
-nat on ! vlan12 from 192.168.168.0/24 to any -> 204.92.77.111
+nat on ! vlan12 from 192.168.168.0/24 to any -\*(Gt 204.92.77.111
 .Ed
 .Pp
 In the example below, the machine sits between a fake internal 144.19.74.*
@@ -2446,7 +2480,7 @@ rule excludes protocol AH from being translated.
 .Bd -literal
 # NO NAT
 no nat on $ext_if proto ah from 144.19.74.0/24 to any
-nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100
+nat on $ext_if from 144.19.74.0/24 to any -\*(Gt 204.92.77.100
 .Ed
 .Pp
 In the example below, packets bound for one specific server, as well as those
@@ -2455,7 +2489,7 @@ generated by the sysadmins are not proxied; all other connections are.
 # NO RDR
 no rdr on $int_if proto { tcp, udp } from any to $server port 80
 no rdr on $int_if proto { tcp, udp } from $sysadmins to any port 80
-rdr on $int_if proto { tcp, udp } from any to any port 80 -> 127.0.0.1 \e
+rdr on $int_if proto { tcp, udp } from any to any port 80 -\*(Gt 127.0.0.1 \e
 port 80
 .Ed
 .Pp
@@ -2473,33 +2507,33 @@ manpage.
 # NAT
 # Translate outgoing packets' source addresses (any protocol).
 # In this case, any address but the gateway's external address is mapped.
-nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
+nat on $ext_if inet from ! ($ext_if) to any -\*(Gt ($ext_if)
 # NAT PROXYING
 # Map outgoing packets' source port to an assigned proxy port instead of
 # an arbitrary port.
 # In this case, proxy outgoing isakmp with port 500 on the gateway.
-nat on $ext_if inet proto udp from any port = isakmp to any -> ($ext_if) \e
+nat on $ext_if inet proto udp from any port = isakmp to any -\*(Gt ($ext_if) \e
 port 500
 # BINAT
 # Translate outgoing packets' source address (any protocol).
 # Translate incoming packets' destination address to an internal machine
 # (bidirectional).
-binat on $ext_if from 10.1.2.150 to any -> $ext_if
+binat on $ext_if from 10.1.2.150 to any -\*(Gt $ext_if
 # RDR
 # Translate incoming packets' destination addresses.
 # As an example, redirect a TCP and UDP port to an internal machine.
 rdr on $ext_if inet proto tcp from any to ($ext_if) port 8080 \e
- -> 10.1.2.151 port 22
+ -\*(Gt 10.1.2.151 port 22
 rdr on $ext_if inet proto udp from any to ($ext_if) port 8080 \e
- -> 10.1.2.151 port 53
+ -\*(Gt 10.1.2.151 port 53
 # RDR
 # Translate outgoing ftp control connections to send them to localhost
 # for proxying with ftp-proxy(8) running on port 8021.
-rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
+rdr on $int_if proto tcp from any to any port 21 -\*(Gt 127.0.0.1 port 8021
 .Ed
 .Pp
 In this example, a NAT gateway is set up to translate internal addresses
@@ -2511,13 +2545,13 @@ network.
 # Translate outgoing packets' source addresses using an address pool.
 # A given source address is always translated to the same pool address by
 # using the source-hash keyword.
-nat on $ext_if inet from any to any -> 192.0.2.16/28 source-hash
+nat on $ext_if inet from any to any -\*(Gt 192.0.2.16/28 source-hash
 # RDR ROUND ROBIN
 # Translate incoming web server connections to a group of web servers on
 # the internal network.
 rdr on $ext_if proto tcp from any to any port 80 \e
- -> { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
+ -\*(Gt { 10.1.2.155, 10.1.2.160, 10.1.2.161 } round-robin
 .Ed
 .Sh FILTER EXAMPLES
 .Bd -literal
@@ -2537,7 +2571,7 @@ block return log on $ext_if all
 # block anything coming from source we have no back routes for
 block in from no-route to any
-# block packets whose ingress interface does not match the one in
+# block packets whose ingress interface does not match the one in
 # the route back to their source address
 block in from urpf-failed to any
@@ -2610,8 +2644,8 @@ pass out on $ext_if proto tcp from any to any port 80 keep state
 # tag incoming packets as they are redirected to spamd(8). use the tag
 # to pass those packets through the packet filter.
-rdr on $ext_if inet proto tcp from <spammers> to port smtp \e
- tag SPAMD -> 127.0.0.1 port spamd
+rdr on $ext_if inet proto tcp from \*(Ltspammers\*(Gt to port smtp \e
+ tag SPAMD -\*(Gt 127.0.0.1 port spamd
 block in on $ext_if
 pass in on $ext_if inet proto tcp tagged SPAMD keep state
@@ -2660,7 +2694,7 @@ filteropt = user | group | flags | icmp-type | icmp6-type | tos |
 nat-rule = [ "no" ] "nat" [ "pass" [ "log" [ "(" logopts ")" ] ] ] [ "on" ifspec ] [ af ] [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
- [ "->" ( redirhost | "{" redirhost-list "}" )
+ [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
 [ portspec ] [ pooltype ] [ "static-port" ] ]
 binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
@@ -2668,19 +2702,19 @@ binat-rule = [ "no" ] "binat" [ "pass" [ "log" [ "(" logopts ")" ] ] ]
 [ "proto" ( proto-name | proto-number ) ] "from" address [ "/" mask-bits ] "to" ipspec [ "tag" string ] [ "tagged" string ]
- [ "->" address [ "/" mask-bits ] ]
+ [ "-\*(Gt" address [ "/" mask-bits ] ]
 rdr-rule = [ "no" ] "rdr" [ "pass" [ "log" [ "(" logopts ")" ] ] ] [ "on" ifspec ] [ af ] [ protospec ] hosts [ "tag" string ] [ "tagged" string ]
- [ "->" ( redirhost | "{" redirhost-list "}" )
+ [ "-\*(Gt" ( redirhost | "{" redirhost-list "}" )
 [ portspec ] [ pooltype ] ]
 antispoof-rule = "antispoof" [ "log" ] [ "quick" ] "for" ( interface-name | "{" interface-list "}" ) [ af ] [ "label" string ]
-table-rule = "table" "<" string ">" [ tableopts-list ]
+table-rule = "table" "\*(Lt" string "\*(Gt" [ tableopts-list ]
 tableopts-list = tableopts-list tableopts | tableopts
 tableopts = "persist" | "const" | "file" string | "{" [ tableaddr-list ] "}"
@@ -2734,7 +2768,7 @@ hosts = "all" |
 "{" host-list "}" | "route" string ) [ port ]
 ipspec = "any" | host | "{" host-list "}"
-host = [ "!" ] ( address [ "/" mask-bits ] | "<" string ">" )
+host = [ "!" ] ( address [ "/" mask-bits ] | "\*(Lt" string "\*(Gt" )
 redirhost = address [ "/" mask-bits ]
 routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")"
 address = ( interface-name | "(" interface-name ")" | hostname |
@@ -2749,9 +2783,9 @@ os = "os" ( os-name | "{" os-list "}" )
 user = "user" ( unary-op | binary-op | "{" op-list "}" )
 group = "group" ( unary-op | binary-op | "{" op-list "}" )
-unary-op = [ "=" | "!=" | "<" | "<=" | ">" | ">=" ]
+unary-op = [ "=" | "!=" | "\*(Lt" | "\*(Le" | "\*(Gt" | "\*(Ge" ]
 ( name | number )
-binary-op = number ( "<>" | "><" | ":" ) number
+binary-op = number ( "\*(Lt\*(Gt" | "\*(Gt\*(Lt" | ":" ) number
 op-list = ( unary-op | binary-op ) [ [ "," ] op-list ]
 os-name = operating-system-name
@@ -2776,7 +2810,7 @@ state-opt = ( "max" number | "no-sync" | timeout |
 "max-src-nodes" number | "max-src-states" number | "max-src-conn" number | "max-src-conn-rate" number "/" number |
- "overload" "<" string ">" [ "flush" ] |
+ "overload" "\*(Lt" string "\*(Gt" [ "flush" ] |
 "if-bound" | "floating" )
 fragmentation = [ "fragment reassemble" | "fragment crop" | |