Diffstat (limited to 'share')
-rw-r--r-- | share/man/man5/pf.conf.5 | 212 |
1 files changed, 106 insertions, 106 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index dd2a61220c5..319135b65c2 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.231 2003/05/10 16:46:53 pb Exp $
+.\" $OpenBSD: pf.conf.5,v 1.232 2003/05/10 22:38:04 pb Exp $
 .\"
 .\" Copyright (c) 2002, Daniel Hartmeier
 .\" All rights reserved.
@@ -1972,170 +1972,170 @@ Syntax for .Nm in BNF: .Bd -literal -line = ( option | pf-rule | nat-rule | binat-rule | rdr-rule - | antispoof-rule | altq-rule | queue-rule | anchor-rule - | trans-anchors | load-anchors ) +line = ( OPTION | PF-RULE | NAT-RULE | BINAT-RULE | RDR-RULE + | ANTISPOOF-RULE | ALTQ-RULE | QUEUE-RULE | ANCHOR-RULE + | TRANS-ANCHORS | LOAD-ANCHORS ) -option = set ( [ timeout ( timeout | '{' timeout-list '}' ) ] | +option = set ( [ TIMEOUT ( TIMEOUT | '{' TIMEOUT-LIST '}' ) ] | [ optimization [ default | normal | high-latency | satellite | aggressive | conservative ] ] - [ limit limit-list ] | - [ loginterface ( interface-name | none ) ] | + [ limit LIMIT-LIST ] | + [ loginterface ( INTERFACE-NAME | none ) ] | [ block-policy ( drop | return ) ] | [ require-order ( yes | no ) ] ) -pf-rule = action [ ( in | out ) ] +pf-rule = ACTION [ ( in | out ) ] [ log | log-all ] [ quick ] - [ on ifspec ] [ route ] [ af ] [ protospec ] - hosts [ filteropt-list ] + [ on IFSPEC ] [ ROUTE ] [ AF ] [ PROTOSPEC ] + HOSTS [ FILTEROPT-LIST ] -filteropt-list = filteropt-list filteropt | filteropt -filteropt = user | group | flags | icmp-type | icmp6-type | tos | - ( keep | modulate ) state [ '(' state-opts ')' ] | - fragment | no-df | min-ttl number | max-mss number | - random-id | fragmentation | allow-opts | label string | - queue '(' string | ( string [ [ ',' ] string ] ) ')' +filteropt-list = FILTEROPT-LIST FILTEROPT | FILTEROPT +filteropt = USER | GROUP | FLAGS | ICMP-TYPE | ICMP6-TYPE | TOS | + ( keep | modulate ) state [ '(' STATE-OPTS ')' ] | + fragment | no-df | min-ttl NUMBER | max-mss NUMBER | + random-id | FRAGMENTATION | allow-opts | label STRING | + queue '(' STRING | ( STRING [ [ ',' ] STRING ] ) ')' -nat-rule = [ no ] nat [ on ifspec ] [ af ] [ protospec ] - hosts [ '->' ( redirhost | '{' redirhost-list '}' ) - [ portspec ] [ pooltype ] [ static-port ] ] +nat-rule = [ no ] nat [ on IFSPEC ] [ AF ] [ PROTOSPEC ] + HOSTS [ '->' ( REDIRHOST | '{' 
REDIRHOST-LIST '}' ) + [ PORTSPEC ] [ POOLTYPE ] [ static-port ] ] -binat-rule = [ no ] binat [ on interface-name ] [ af ] - [ proto ( proto-name | proto-number ) ] - from address [ '/' mask-bits ] to ipspec - [ '->' address [ '/' mask-bits ] ] +binat-rule = [ no ] binat [ on INTERFACE-NAME ] [ AF ] + [ proto ( PROTO-NAME | PROTO-NUMBER ) ] + from ADDRESS [ '/' MASK-BITS ] to IPSPEC + [ '->' ADDRESS [ '/' MASK-BITS ] ] -rdr-rule = [ no ] rdr [ on ifspec ] [ af ] [ protospec ] - hosts [ '->' ( redirhost | '{' redirhost-list '}' ) - [ portspec ] [ pooltype ] ] +rdr-rule = [ no ] rdr [ on IFSPEC ] [ AF ] [ PROTOSPEC ] + HOSTS [ '->' ( REDIRHOST | '{' REDIRHOST-LIST '}' ) + [ PORTSPEC ] [ POOLTYPE ] ] antispoof-rule = antispoof [ log ] [ quick ] - for ( interface-name | '{' interface-list '}' ) - [ af ] [ label ] + for ( INTERFACE-NAME | '{' INTERFACE-LIST '}' ) + [ AF ] [ label STRING ] -table-rule = table '<' tablename '>' [ tableopts-list ] -tableopts-list = tableopts-list tableopts | tableopts -tableopts = persist | const | file "filename" | '{' [ tableaddr-list ] '}' -tableaddr-list = tableaddr-list [ ',' ] tableaddr-spec | tableaddr-spec -tableaddr-spec = [ '!' ] tableaddr [ '/' mask-bits ] -tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex | - interface-name | self +table-rule = table '<' STRING '>' [ TABLEOPTS-LIST ] +tableopts-list = TABLEOPTS-LIST TABLEOPTS | TABLEOPTS +tableopts = persist | const | file STRING | '{' [ TABLEADDR-LIST ] '}' +tableaddr-list = TABLEADDR-LIST [ ',' ] TABLEADDR-SPEC | TABLEADDR-SPEC +tableaddr-spec = [ '!' 
] TABLEADDR [ '/' MASK-BITS ] +tableaddr = HOSTNAME | IPV4-DOTTED-QUAD | IPV6-COLONED-HEX | + INTERFACE-NAME | self -altq-rule = altq on interface-name queueopts-list - queue queue-list -queue-rule = queue string [ on interface-name ] queueopts-list - queue-list +altq-rule = altq on INTERFACE-NAME QUEUEOPTS-LIST + queue QUEUE-LIST +queue-rule = queue STRING [ on INTERFACE-NAME ] QUEUEOPTS-LIST + QUEUE-LIST -anchor-rule = anchor string [ ( in | out ) ] [ on ifspec ] [ af ] - [ proto ] [ protospec ] [ hosts ] +anchor-rule = anchor STRING [ ( in | out ) ] [ on IFSPEC ] [ AF ] + [ proto ] [ PROTOSPEC ] [ HOSTS ] -trans-anchors = ( nat-anchor | rdr-anchor | binat-anchor ) string - [ on ifspec ] [ af ] [ proto ] [ protospec ] [ hosts ] +trans-anchors = ( nat-anchor | rdr-anchor | binat-anchor ) STRING + [ on IFSPEC ] [ AF ] [ proto ] [ PROTOSPEC ] [ HOSTS ] load-anchor = load anchorname:rulesetname from filename -queueopts-list = queueopts-list queueopts | queueopts -queueopts = [ bandwidth bandwidth-spec ] | - [ qlimit number ] | [ tbrsize number ] | - [ priority number ] | [ schedulers ] | - [ qlimit number ] -schedulers = ( cbq-def | priq-def | hfsc-def ) +queueopts-list = QUEUEOPTS-LIST QUEUEOPTS | QUEUEOPTS +queueopts = [ bandwidth BANDWIDTH-SPEC ] | + [ qlimit NUMBER ] | [ tbrsize NUMBER ] | + [ priority NUMBER ] | [ SCHEDULERS ] | + [ qlimit NUMBER ] +schedulers = ( CBQ-DEF | PRIQ-DEF | HFSC-DEF ) bandwidth-spec = number ( b | Kb | Mb | Gb | '%' ) action = pass | block [ return ] | scrub -return = drop | return | return-rst [ '(' ttl number ')' ] - | return-icmp [ '(' icmpcode [',' icmp6code ] ')' ] - | return-icmp6 [ '(' icmp6code ')' ] -icmpcode = ( icmp-code-name | icmp-code-number ) -icmp6code = ( icmp6-code-name | icmp6-code-number ) +return = drop | return | return-rst [ '(' ttl NUMBER ')' ] + | return-icmp [ '(' ICMPCODE [',' ICMP6CODE ] ')' ] + | return-icmp6 [ '(' ICMP6CODE ')' ] +icmpcode = ( ICMP-CODE-NAME | ICMP-CODE-NUMBER ) +icmp6code = ( 
ICMP6-CODE-NAME | ICMP6-CODE-NUMBER ) -ifspec = ( [ '!' ] interface-name ) | '{' interface-list '}' -interface-list = [ '!' ] interface-name [ [ ',' ] interface-list ] +ifspec = ( [ '!' ] INTERFACE-NAME ) | '{' INTERFACE-LIST '}' +interface-list = [ '!' ] INTERFACE-NAME [ [ ',' ] INTERFACE-LIST ] route = fastroute | ( route-to | reply-to | dup-to ) - ( routehost | '{' routehost-list '}' ) - [ pooltype ] + ( ROUTEHOST | '{' ROUTEHOST-LIST '}' ) + [ POOLTYPE ] af = inet | inet6 -protospec = proto ( proto-name | proto-number | - '{' proto-list '}' ) -proto-list = ( proto-name | proto-number ) [ [ ',' ] proto-list ] +protospec = proto ( PROTO-NAME | PROTO-NUMBER | + '{' PROTO-LIST '}' ) +proto-list = ( PROTO-NAME | PROTO-NUMBER ) [ [ ',' ] PROTO-LIST ] hosts = all | - from ( any | no-route | self | host | - '{' host-list '}' ) [ port ] - to ( any | no-route | self | host | - '{' host-list '}' ) [ port ] + from ( any | no-route | self | HOST | + '{' HOST-LIST '}' ) [ PORT ] + to ( any | no-route | self | HOST | + '{' HOST-LIST '}' ) [ PORT ] -ipspec = any | host | '{' host-list '}' -host = [ '!' ] ( address [ '/' mask-bits ] | '<' table '>' ) -redirhost = address [ '/' mask-bits ] -routehost = ( interface-name [ address [ '/' mask-bits ] ] ) -address = ( interface-name | '(' interface-name ')' | host-name - | ipv4-dotted-quad | ipv6-coloned-hex ) -host-list = host [ [ ',' ] host-list ] -redirhost-list = redirhost [ [ ',' ] redirhost-list ] -routehost-list = routehost [ [ ',' ] routehost-list ] +ipspec = any | HOST | '{' HOST-LIST '}' +host = [ '!' 
] ( ADDRESS [ '/' MASK-BITS ] | '<' STRING '>' ) +redirhost = ADDRESS [ '/' MASK-BITS ] +routehost = ( INTERFACE-NAME [ ADDRESS [ '/' MASK-BITS ] ] ) +address = ( INTERFACE-NAME | '(' INTERFACE-NAME ')' | HOSTNAME + | IPV4-DOTTED-QUAD | IPV6-COLONED-HEX ) +host-list = HOST [ [ ',' ] HOST-LIST ] +redirhost-list = REDIRHOST [ [ ',' ] REDIRHOST-LIST ] +routehost-list = ROUTEHOST [ [ ',' ] ROUTEHOST-LIST ] -port = port ( unary-op | binary-op | '{' op-list '}' ) -portspec = port ( number | name ) [ ':' ( '*' | number | name ) ] -user = user ( unary-op | binary-op | '{' op-list '}' ) -group = group ( unary-op | binary-op | { op-list } ) +port = port ( UNARY-OP | BINARY-OP | '{' OP-LIST '}' ) +portspec = port ( NUMBER | NAME ) [ ':' ( '*' | NUMBER | NAME ) ] +user = user ( UNARY-OP | BINARY-OP | '{' OP-LIST '}' ) +group = group ( UNARY-OP | BINARY-OP | '{' OP-LIST '}' ) unary-op = [ '=' | '!=' | '<' | '<=' | '>' | '>=' ] - ( name | number ) -binary-op = number ( '<>' | '><' | ':' ) number -op-list = ( unary-op | binary-op ) [ [ ',' ] op-list ] + ( NAME | NUMBER ) +binary-op = NUMBER ( '<>' | '><' | ':' ) NUMBER +op-list = ( UNARY-OP | BINARY-OP ) [ [ ',' ] OP-LIST ] -flags = flags [ flag-set ] '/' flag-set +flags = flags [ FLAG-SET ] '/' FLAG-SET flag-set = [ F ] [ S ] [ R ] [ P ] [ A ] [ U ] [ E ] [ W ] -icmp-type = icmp-type ( icmp-type-code | { icmp-list } ) -icmp6-type = icmp6-type ( icmp-type-code | { icmp-list } ) -icmp-type-code = ( icmp-type-name | icmp-type-number ) - [ code ( icmp-code-name | icmp-code-number ) ] -icmp-list = icmp-type-code [ [ ',' ] icmp-list ] +icmp-type = icmp-type ( ICMP-TYPE-CODE | '{' ICMP-LIST '}' ) +icmp6-type = icmp6-type ( ICMP-TYPE-CODE | '{' ICMP-LIST '}') +icmp-type-code = ( ICMP-TYPE-NAME | ICMP-TYPE-NUMBER ) + [ code ( ICMP-CODE-NAME | ICMP-CODE-NUMBER ) ] +icmp-list = ICMP-TYPE-CODE [ [ ',' ] ICMP-LIST ] tos = tos ( lowdelay | throughput | reliability | - [ 0x ] number ) + [ 0x ] NUMBER ) -state-opts = state-opt [ [ ',' ] 
state-opts ] -state-opt = ( max number ) | ( timeout seconds ) +state-opts = STATE-OPT [ [ ',' ] STATE-OPTS ] +state-opt = ( max NUMBER ) | ( timeout SECONDS ) fragmentation = [ fragment reassemble | fragment crop | fragment drop-ovl ] -timeout-list = timeout [ [ ',' ] timeout-list ] +timeout-list = TIMEOUT [ [ ',' ] TIMEOUT-LIST ] timeout = ( tcp.first | tcp.opening | tcp.established | tcp.closing | tcp.finwait | tcp.closed | udp.first | udp.single | udp.multiple | icmp.first | icmp.error | other.first | other.single | other.multiple ) - seconds -seconds = number + SECONDS +seconds = NUMBER -limit-list = limit-item [ [ ',' ] limit-list ] -limit-item = ( states | frags ) number +limit-list = LIMIT-ITEM [ [ ',' ] LIMIT-LIST ] +limit-item = ( states | frags ) NUMBER pooltype = ( bitmask | random | source-hash [ ( hex-key | string-key ) ] | round-robin ) -subqueue = string | '{' queue-list '}' -queue-list = string [ [ ',' ] string ] -cbq-def = cbq [ '(' cbq-opt [ [ ',' ] cbq-opt ] ')' ] -priq-def = priq [ '(' priq-opt [ [ ',' ] priq-opt ] ')' ] -hfsc-def = hfsc [ '(' hfsc-opt [ [ ',' ] hfsc-opt ] ')' ] +subqueue = STRING | '{' QUEUE-LIST '}' +queue-list = STRING [ [ ',' ] STRING ] +cbq-def = cbq [ '(' CBQ-OPT [ [ ',' ] CBQ-OPT ] ')' ] +priq-def = priq [ '(' PRIQ-OPT [ [ ',' ] PRIQ-OPT ] ')' ] +hfsc-def = hfsc [ '(' HFSC-OPT [ [ ',' ] HFSC-OPT ] ')' ] cbq-opt = ( default | borrow | red | ecn | rio ) priq-opt = ( default | red | ecn | rio ) hfsc-opt = ( default | red | ecn | rio - | linkshare-sc | realtime-sc | upperlimit-sc ) -linkshare-sc = linkshare sc-spec -realtime-sc = realtime sc-spec -upperlimit-sc = upperlimit sc-spec -sc-spec = ( bandwidth-spec - | '(' bandwidth-spec number bandwidth-spec ')' ) + | LINKSHARE-SC | REALTIME-SC | UPPERLIMIT-SC ) +linkshare-sc = linkshare SC-SPEC +realtime-sc = realtime SC-SPEC +upperlimit-sc = upperlimit SC-SPEC +sc-spec = ( BANDWIDTH-SPEC + | '(' BANDWIDTH-SPEC NUMBER BANDWIDTH-SPEC ')' ) .Ed .Sh FILES .Bl -tag -width 
"/etc/protocols" -compact |