Diffstat (limited to 'share')
-rw-r--r--share/man/man5/pf.conf.5212
1 files changed, 106 insertions, 106 deletions
diff --git a/share/man/man5/pf.conf.5 b/share/man/man5/pf.conf.5
index dd2a61220c5..319135b65c2 100644
--- a/share/man/man5/pf.conf.5
+++ b/share/man/man5/pf.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pf.conf.5,v 1.231 2003/05/10 16:46:53 pb Exp $
+.\" $OpenBSD: pf.conf.5,v 1.232 2003/05/10 22:38:04 pb Exp $
.\"
.\" Copyright (c) 2002, Daniel Hartmeier
.\" All rights reserved.
@@ -1972,170 +1972,170 @@ Syntax for
.Nm
in BNF:
.Bd -literal
-line = ( option | pf-rule | nat-rule | binat-rule | rdr-rule
- | antispoof-rule | altq-rule | queue-rule | anchor-rule
- | trans-anchors | load-anchors )
+line = ( OPTION | PF-RULE | NAT-RULE | BINAT-RULE | RDR-RULE
+ | ANTISPOOF-RULE | ALTQ-RULE | QUEUE-RULE | ANCHOR-RULE
+ | TRANS-ANCHORS | LOAD-ANCHORS )
-option = set ( [ timeout ( timeout | '{' timeout-list '}' ) ] |
+option = set ( [ TIMEOUT ( TIMEOUT | '{' TIMEOUT-LIST '}' ) ] |
[ optimization [ default | normal
| high-latency | satellite
| aggressive | conservative ] ]
- [ limit limit-list ] |
- [ loginterface ( interface-name | none ) ] |
+ [ limit LIMIT-LIST ] |
+ [ loginterface ( INTERFACE-NAME | none ) ] |
[ block-policy ( drop | return ) ] |
[ require-order ( yes | no ) ] )
-pf-rule = action [ ( in | out ) ]
+pf-rule = ACTION [ ( in | out ) ]
[ log | log-all ] [ quick ]
- [ on ifspec ] [ route ] [ af ] [ protospec ]
- hosts [ filteropt-list ]
+ [ on IFSPEC ] [ ROUTE ] [ AF ] [ PROTOSPEC ]
+ HOSTS [ FILTEROPT-LIST ]
-filteropt-list = filteropt-list filteropt | filteropt
-filteropt = user | group | flags | icmp-type | icmp6-type | tos |
- ( keep | modulate ) state [ '(' state-opts ')' ] |
- fragment | no-df | min-ttl number | max-mss number |
- random-id | fragmentation | allow-opts | label string |
- queue '(' string | ( string [ [ ',' ] string ] ) ')'
+filteropt-list = FILTEROPT-LIST FILTEROPT | FILTEROPT
+filteropt = USER | GROUP | FLAGS | ICMP-TYPE | ICMP6-TYPE | TOS |
+ ( keep | modulate ) state [ '(' STATE-OPTS ')' ] |
+ fragment | no-df | min-ttl NUMBER | max-mss NUMBER |
+ random-id | FRAGMENTATION | allow-opts | label STRING |
+ queue '(' STRING | ( STRING [ [ ',' ] STRING ] ) ')'
-nat-rule = [ no ] nat [ on ifspec ] [ af ] [ protospec ]
- hosts [ '->' ( redirhost | '{' redirhost-list '}' )
- [ portspec ] [ pooltype ] [ static-port ] ]
+nat-rule = [ no ] nat [ on IFSPEC ] [ AF ] [ PROTOSPEC ]
+ HOSTS [ '->' ( REDIRHOST | '{' REDIRHOST-LIST '}' )
+ [ PORTSPEC ] [ POOLTYPE ] [ static-port ] ]
-binat-rule = [ no ] binat [ on interface-name ] [ af ]
- [ proto ( proto-name | proto-number ) ]
- from address [ '/' mask-bits ] to ipspec
- [ '->' address [ '/' mask-bits ] ]
+binat-rule = [ no ] binat [ on INTERFACE-NAME ] [ AF ]
+ [ proto ( PROTO-NAME | PROTO-NUMBER ) ]
+ from ADDRESS [ '/' MASK-BITS ] to IPSPEC
+ [ '->' ADDRESS [ '/' MASK-BITS ] ]
-rdr-rule = [ no ] rdr [ on ifspec ] [ af ] [ protospec ]
- hosts [ '->' ( redirhost | '{' redirhost-list '}' )
- [ portspec ] [ pooltype ] ]
+rdr-rule = [ no ] rdr [ on IFSPEC ] [ AF ] [ PROTOSPEC ]
+ HOSTS [ '->' ( REDIRHOST | '{' REDIRHOST-LIST '}' )
+ [ PORTSPEC ] [ POOLTYPE ] ]
antispoof-rule = antispoof [ log ] [ quick ]
- for ( interface-name | '{' interface-list '}' )
- [ af ] [ label ]
+ for ( INTERFACE-NAME | '{' INTERFACE-LIST '}' )
+ [ AF ] [ label STRING ]
-table-rule = table '<' tablename '>' [ tableopts-list ]
-tableopts-list = tableopts-list tableopts | tableopts
-tableopts = persist | const | file "filename" | '{' [ tableaddr-list ] '}'
-tableaddr-list = tableaddr-list [ ',' ] tableaddr-spec | tableaddr-spec
-tableaddr-spec = [ '!' ] tableaddr [ '/' mask-bits ]
-tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex |
- interface-name | self
+table-rule = table '<' STRING '>' [ TABLEOPTS-LIST ]
+tableopts-list = TABLEOPTS-LIST TABLEOPTS | TABLEOPTS
+tableopts = persist | const | file STRING | '{' [ TABLEADDR-LIST ] '}'
+tableaddr-list = TABLEADDR-LIST [ ',' ] TABLEADDR-SPEC | TABLEADDR-SPEC
+tableaddr-spec = [ '!' ] TABLEADDR [ '/' MASK-BITS ]
+tableaddr = HOSTNAME | IPV4-DOTTED-QUAD | IPV6-COLONED-HEX |
+ INTERFACE-NAME | self
-altq-rule = altq on interface-name queueopts-list
- queue queue-list
-queue-rule = queue string [ on interface-name ] queueopts-list
- queue-list
+altq-rule = altq on INTERFACE-NAME QUEUEOPTS-LIST
+ queue QUEUE-LIST
+queue-rule = queue STRING [ on INTERFACE-NAME ] QUEUEOPTS-LIST
+ QUEUE-LIST
-anchor-rule = anchor string [ ( in | out ) ] [ on ifspec ] [ af ]
- [ proto ] [ protospec ] [ hosts ]
+anchor-rule = anchor STRING [ ( in | out ) ] [ on IFSPEC ] [ AF ]
+ [ proto ] [ PROTOSPEC ] [ HOSTS ]
-trans-anchors = ( nat-anchor | rdr-anchor | binat-anchor ) string
- [ on ifspec ] [ af ] [ proto ] [ protospec ] [ hosts ]
+trans-anchors = ( nat-anchor | rdr-anchor | binat-anchor ) STRING
+ [ on IFSPEC ] [ AF ] [ proto ] [ PROTOSPEC ] [ HOSTS ]
load-anchor = load anchorname:rulesetname from filename
-queueopts-list = queueopts-list queueopts | queueopts
-queueopts = [ bandwidth bandwidth-spec ] |
- [ qlimit number ] | [ tbrsize number ] |
- [ priority number ] | [ schedulers ] |
- [ qlimit number ]
-schedulers = ( cbq-def | priq-def | hfsc-def )
+queueopts-list = QUEUEOPTS-LIST QUEUEOPTS | QUEUEOPTS
+queueopts = [ bandwidth BANDWIDTH-SPEC ] |
+ [ qlimit NUMBER ] | [ tbrsize NUMBER ] |
+ [ priority NUMBER ] | [ SCHEDULERS ] |
+ [ qlimit NUMBER ]
+schedulers = ( CBQ-DEF | PRIQ-DEF | HFSC-DEF )
bandwidth-spec = number ( b | Kb | Mb | Gb | '%' )
action = pass | block [ return ] | scrub
-return = drop | return | return-rst [ '(' ttl number ')' ]
- | return-icmp [ '(' icmpcode [',' icmp6code ] ')' ]
- | return-icmp6 [ '(' icmp6code ')' ]
-icmpcode = ( icmp-code-name | icmp-code-number )
-icmp6code = ( icmp6-code-name | icmp6-code-number )
+return = drop | return | return-rst [ '(' ttl NUMBER ')' ]
+ | return-icmp [ '(' ICMPCODE [',' ICMP6CODE ] ')' ]
+ | return-icmp6 [ '(' ICMP6CODE ')' ]
+icmpcode = ( ICMP-CODE-NAME | ICMP-CODE-NUMBER )
+icmp6code = ( ICMP6-CODE-NAME | ICMP6-CODE-NUMBER )
-ifspec = ( [ '!' ] interface-name ) | '{' interface-list '}'
-interface-list = [ '!' ] interface-name [ [ ',' ] interface-list ]
+ifspec = ( [ '!' ] INTERFACE-NAME ) | '{' INTERFACE-LIST '}'
+interface-list = [ '!' ] INTERFACE-NAME [ [ ',' ] INTERFACE-LIST ]
route = fastroute |
( route-to | reply-to | dup-to )
- ( routehost | '{' routehost-list '}' )
- [ pooltype ]
+ ( ROUTEHOST | '{' ROUTEHOST-LIST '}' )
+ [ POOLTYPE ]
af = inet | inet6
-protospec = proto ( proto-name | proto-number |
- '{' proto-list '}' )
-proto-list = ( proto-name | proto-number ) [ [ ',' ] proto-list ]
+protospec = proto ( PROTO-NAME | PROTO-NUMBER |
+ '{' PROTO-LIST '}' )
+proto-list = ( PROTO-NAME | PROTO-NUMBER ) [ [ ',' ] PROTO-LIST ]
hosts = all |
- from ( any | no-route | self | host |
- '{' host-list '}' ) [ port ]
- to ( any | no-route | self | host |
- '{' host-list '}' ) [ port ]
+ from ( any | no-route | self | HOST |
+ '{' HOST-LIST '}' ) [ PORT ]
+ to ( any | no-route | self | HOST |
+ '{' HOST-LIST '}' ) [ PORT ]
-ipspec = any | host | '{' host-list '}'
-host = [ '!' ] ( address [ '/' mask-bits ] | '<' table '>' )
-redirhost = address [ '/' mask-bits ]
-routehost = ( interface-name [ address [ '/' mask-bits ] ] )
-address = ( interface-name | '(' interface-name ')' | host-name
- | ipv4-dotted-quad | ipv6-coloned-hex )
-host-list = host [ [ ',' ] host-list ]
-redirhost-list = redirhost [ [ ',' ] redirhost-list ]
-routehost-list = routehost [ [ ',' ] routehost-list ]
+ipspec = any | HOST | '{' HOST-LIST '}'
+host = [ '!' ] ( ADDRESS [ '/' MASK-BITS ] | '<' STRING '>' )
+redirhost = ADDRESS [ '/' MASK-BITS ]
+routehost = ( INTERFACE-NAME [ ADDRESS [ '/' MASK-BITS ] ] )
+address = ( INTERFACE-NAME | '(' INTERFACE-NAME ')' | HOSTNAME
+ | IPV4-DOTTED-QUAD | IPV6-COLONED-HEX )
+host-list = HOST [ [ ',' ] HOST-LIST ]
+redirhost-list = REDIRHOST [ [ ',' ] REDIRHOST-LIST ]
+routehost-list = ROUTEHOST [ [ ',' ] ROUTEHOST-LIST ]
-port = port ( unary-op | binary-op | '{' op-list '}' )
-portspec = port ( number | name ) [ ':' ( '*' | number | name ) ]
-user = user ( unary-op | binary-op | '{' op-list '}' )
-group = group ( unary-op | binary-op | { op-list } )
+port = port ( UNARY-OP | BINARY-OP | '{' OP-LIST '}' )
+portspec = port ( NUMBER | NAME ) [ ':' ( '*' | NUMBER | NAME ) ]
+user = user ( UNARY-OP | BINARY-OP | '{' OP-LIST '}' )
+group = group ( UNARY-OP | BINARY-OP | '{' OP-LIST '}' )
unary-op = [ '=' | '!=' | '<' | '<=' | '>' | '>=' ]
- ( name | number )
-binary-op = number ( '<>' | '><' | ':' ) number
-op-list = ( unary-op | binary-op ) [ [ ',' ] op-list ]
+ ( NAME | NUMBER )
+binary-op = NUMBER ( '<>' | '><' | ':' ) NUMBER
+op-list = ( UNARY-OP | BINARY-OP ) [ [ ',' ] OP-LIST ]
-flags = flags [ flag-set ] '/' flag-set
+flags = flags [ FLAG-SET ] '/' FLAG-SET
flag-set = [ F ] [ S ] [ R ] [ P ] [ A ] [ U ] [ E ] [ W ]
-icmp-type = icmp-type ( icmp-type-code | { icmp-list } )
-icmp6-type = icmp6-type ( icmp-type-code | { icmp-list } )
-icmp-type-code = ( icmp-type-name | icmp-type-number )
- [ code ( icmp-code-name | icmp-code-number ) ]
-icmp-list = icmp-type-code [ [ ',' ] icmp-list ]
+icmp-type = icmp-type ( ICMP-TYPE-CODE | '{' ICMP-LIST '}' )
+icmp6-type = icmp6-type ( ICMP-TYPE-CODE | '{' ICMP-LIST '}')
+icmp-type-code = ( ICMP-TYPE-NAME | ICMP-TYPE-NUMBER )
+ [ code ( ICMP-CODE-NAME | ICMP-CODE-NUMBER ) ]
+icmp-list = ICMP-TYPE-CODE [ [ ',' ] ICMP-LIST ]
tos = tos ( lowdelay | throughput | reliability |
- [ 0x ] number )
+ [ 0x ] NUMBER )
-state-opts = state-opt [ [ ',' ] state-opts ]
-state-opt = ( max number ) | ( timeout seconds )
+state-opts = STATE-OPT [ [ ',' ] STATE-OPTS ]
+state-opt = ( max NUMBER ) | ( timeout SECONDS )
fragmentation = [ fragment reassemble | fragment crop
| fragment drop-ovl ]
-timeout-list = timeout [ [ ',' ] timeout-list ]
+timeout-list = TIMEOUT [ [ ',' ] TIMEOUT-LIST ]
timeout = ( tcp.first | tcp.opening | tcp.established
| tcp.closing | tcp.finwait | tcp.closed
| udp.first | udp.single | udp.multiple
| icmp.first | icmp.error
| other.first | other.single | other.multiple )
- seconds
-seconds = number
+ SECONDS
+seconds = NUMBER
-limit-list = limit-item [ [ ',' ] limit-list ]
-limit-item = ( states | frags ) number
+limit-list = LIMIT-ITEM [ [ ',' ] LIMIT-LIST ]
+limit-item = ( states | frags ) NUMBER
pooltype = ( bitmask | random
| source-hash [ ( hex-key | string-key ) ]
| round-robin )
-subqueue = string | '{' queue-list '}'
-queue-list = string [ [ ',' ] string ]
-cbq-def = cbq [ '(' cbq-opt [ [ ',' ] cbq-opt ] ')' ]
-priq-def = priq [ '(' priq-opt [ [ ',' ] priq-opt ] ')' ]
-hfsc-def = hfsc [ '(' hfsc-opt [ [ ',' ] hfsc-opt ] ')' ]
+subqueue = STRING | '{' QUEUE-LIST '}'
+queue-list = STRING [ [ ',' ] STRING ]
+cbq-def = cbq [ '(' CBQ-OPT [ [ ',' ] CBQ-OPT ] ')' ]
+priq-def = priq [ '(' PRIQ-OPT [ [ ',' ] PRIQ-OPT ] ')' ]
+hfsc-def = hfsc [ '(' HFSC-OPT [ [ ',' ] HFSC-OPT ] ')' ]
cbq-opt = ( default | borrow | red | ecn | rio )
priq-opt = ( default | red | ecn | rio )
hfsc-opt = ( default | red | ecn | rio
- | linkshare-sc | realtime-sc | upperlimit-sc )
-linkshare-sc = linkshare sc-spec
-realtime-sc = realtime sc-spec
-upperlimit-sc = upperlimit sc-spec
-sc-spec = ( bandwidth-spec
- | '(' bandwidth-spec number bandwidth-spec ')' )
+ | LINKSHARE-SC | REALTIME-SC | UPPERLIMIT-SC )
+linkshare-sc = linkshare SC-SPEC
+realtime-sc = realtime SC-SPEC
+upperlimit-sc = upperlimit SC-SPEC
+sc-spec = ( BANDWIDTH-SPEC
+ | '(' BANDWIDTH-SPEC NUMBER BANDWIDTH-SPEC ')' )
.Ed
.Sh FILES
.Bl -tag -width "/etc/protocols" -compact