| PF(4) | Kernel Interfaces Manual | PF(4) | 
Manipulations like loading a ruleset that involve more than a single ioctl(2) call require a so-called ticket, which prevents the occurrence of multiple concurrent manipulations.
Fields of ioctl(2) parameter structures that refer to packet data (like addresses and ports) are generally expected in network byte-order.
Rules and address tables are contained in so-called anchors. When servicing an ioctl(2) request, if the anchor field of the argument structure is empty, the kernel will use the default anchor (i.e., the main ruleset) in operations. Anchors are specified by name and may be nested, with components separated by ‘/’ characters, similar to how file system hierarchies are laid out. The final component of the anchor path is the anchor under which operations will be performed.
struct pfioc_pooladdr { 
	u_int32_t		action; 
	u_int32_t		ticket; 
	u_int32_t		nr; 
	u_int32_t		r_num; 
	u_int8_t		r_action; 
	u_int8_t		r_last; 
	u_int8_t		af; 
	char			anchor[MAXPATHLEN]; 
	struct pf_pooladdr	addr; 
};
Clear the buffer address pool and get a ticket for subsequent DIOCADDADDR, DIOCADDRULE, and DIOCCHANGERULE calls.
Add the pool address addr to the buffer address pool to be used in the following DIOCADDRULE or DIOCCHANGERULE call. All other members of the structure are ignored.
struct pfioc_rule { 
	u_int32_t	action; 
	u_int32_t	ticket; 
	u_int32_t	pool_ticket; 
	u_int32_t	nr; 
	char		anchor[MAXPATHLEN]; 
	char		anchor_call[MAXPATHLEN]; 
	struct pf_rule	rule; 
};
Add rule at the end of the inactive ruleset. This call requires a ticket obtained through a preceding DIOCXBEGIN call and a pool_ticket obtained through a DIOCBEGINADDRS call. DIOCADDADDR must also be called if any pool addresses are required. The optional anchor name indicates the anchor in which to append the rule. nr and action are ignored.
struct pfioc_altq { 
	u_int32_t	action; 
	u_int32_t	ticket; 
	u_int32_t	nr; 
	struct pf_altq  altq; 
};
struct pfioc_qstats { 
	u_int32_t	 ticket; 
	u_int32_t	 nr; 
	void		*buf; 
	int		 nbytes; 
	u_int8_t	 scheduler; 
};
This call fills in a pointer to the buffer of statistics buf, of length nbytes, for the queue specified by nr.
struct pfioc_ruleset { 
	u_int32_t	 nr; 
	char		 path[MAXPATHLEN]; 
	char		 name[PF_ANCHOR_NAME_SIZE]; 
};
Get the number nr of rulesets (i.e., anchors) directly attached to the anchor named by path for use in subsequent DIOCGETRULESET calls. Nested anchors, since they are not directly attached to the given anchor, will not be included. This ioctl returns EINVAL if the given anchor does not exist.
struct pfioc_state { 
	u_int32_t	 nr; 
	struct pf_state	 state; 
};
struct pfioc_state_kill { 
	sa_family_t		psk_af; 
	int			psk_proto; 
	struct pf_rule_addr	psk_src; 
	struct pf_rule_addr	psk_dst; 
	char			psk_ifname[IFNAMSIZ]; 
};
struct pfioc_if { 
	char		 ifname[IFNAMSIZ]; 
};
struct pf_status { 
	u_int64_t	counters[PFRES_MAX]; 
	u_int64_t	lcounters[LCNT_MAX]; 
	u_int64_t	fcounters[FCNT_MAX]; 
	u_int64_t	scounters[SCNT_MAX]; 
	u_int64_t	pcounters[2][2][3]; 
	u_int64_t	bcounters[2][2]; 
	u_int64_t	stateid; 
	u_int32_t	running; 
	u_int32_t	states; 
	u_int32_t	src_nodes; 
	u_int32_t	since; 
	u_int32_t	debug; 
	u_int32_t	hostid; 
	char		ifname[IFNAMSIZ]; 
	u_int8_t	pf_chksum[MD5_DIGEST_LENGTH]; 
};
struct pfioc_natlook { 
	struct pf_addr	 saddr; 
	struct pf_addr	 daddr; 
	struct pf_addr	 rsaddr; 
	struct pf_addr	 rdaddr; 
	u_int16_t	 sport; 
	u_int16_t	 dport; 
	u_int16_t	 rsport; 
	u_int16_t	 rdport; 
	sa_family_t	 af; 
	u_int8_t	 proto; 
	u_int8_t	 direction; 
};
enum	{ PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, 
	  PF_DEBUG_NOISY };
struct pfioc_states { 
	int	ps_len; 
	union { 
		caddr_t		 psu_buf; 
		struct pf_state *psu_states; 
	} ps_u; 
#define ps_buf		ps_u.psu_buf 
#define ps_states	ps_u.psu_states 
};
If ps_len is non-zero on entry, as many states as possible that can fit into this size will be copied into the supplied buffer ps_states. On exit, ps_len is always set to the total size required to hold all state table entries (i.e., it is set to sizeof(struct pf_state) * nr).
The type of operation to be performed is indicated by action, which can be any of the following:
enum	{ PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 
	  PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 
	  PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
ticket must be set to the value obtained with PF_CHANGE_GET_TICKET for all actions except PF_CHANGE_GET_TICKET. pool_ticket must be set to the value obtained with the DIOCBEGINADDRS call for all actions except PF_CHANGE_REMOVE and PF_CHANGE_GET_TICKET. anchor indicates to which anchor the operation applies. nr indicates the rule number against which PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, or PF_CHANGE_REMOVE actions are applied.
struct pfioc_tm { 
	int		 timeout; 
	int		 seconds; 
};
Set the state timeout of timeout to seconds. The old value will be placed into seconds. For possible values of timeout, consult the PFTM_* values in <net/pfvar.h>.
struct pfioc_limit { 
	int		index; 
	unsigned	limit; 
}; 
 
enum	{ PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, 
	  PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
struct pfioc_table { 
	struct pfr_table	 pfrio_table; 
	void			*pfrio_buffer; 
	int			 pfrio_esize; 
	int			 pfrio_size; 
	int			 pfrio_size2; 
	int			 pfrio_nadd; 
	int			 pfrio_ndel; 
	int			 pfrio_nchange; 
	int			 pfrio_flags; 
	u_int32_t		 pfrio_ticket; 
}; 
#define pfrio_exists    pfrio_nadd 
#define pfrio_nzero     pfrio_nadd 
#define pfrio_nmatch    pfrio_nadd 
#define pfrio_naddr     pfrio_size2 
#define pfrio_setflag   pfrio_size2 
#define pfrio_clrflag   pfrio_nadd
struct pfr_table { 
	char		pfrt_anchor[MAXPATHLEN]; 
	char		pfrt_name[PF_TABLE_NAME_SIZE]; 
	u_int32_t	pfrt_flags; 
	u_int8_t	pfrt_fback; 
};
struct pfr_tstats { 
	struct pfr_table pfrts_t; 
	u_int64_t	 pfrts_packets 
			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 
	u_int64_t	 pfrts_bytes 
			     [PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 
	u_int64_t	 pfrts_match; 
	u_int64_t	 pfrts_nomatch; 
	long		 pfrts_tzero; 
	int		 pfrts_cnt; 
	int		 pfrts_refcnt[PFR_REFCNT_MAX]; 
}; 
#define pfrts_name	 pfrts_t.pfrt_name 
#define pfrts_flags	 pfrts_t.pfrt_flags
struct pfr_addr { 
	union { 
		struct in_addr	 _pfra_ip4addr; 
		struct in6_addr	 _pfra_ip6addr; 
	}		 pfra_u; 
	u_int8_t	 pfra_af; 
	u_int8_t	 pfra_net; 
	u_int8_t	 pfra_not; 
	u_int8_t	 pfra_fback; 
}; 
#define pfra_ip4addr    pfra_u._pfra_ip4addr 
#define pfra_ip6addr    pfra_u._pfra_ip6addr
On entry, pfrio_table contains the table ID and pfrio_buffer must point to an array of struct pfr_addr containing at least pfrio_size elements which become the new contents of the table. pfrio_esize must be the size of struct pfr_addr. Additionally, if pfrio_size2 is non-zero, pfrio_buffer[pfrio_size..pfrio_size2] must be a writeable buffer, into which the kernel can copy the addresses that have been deleted during the replace operation. On exit, pfrio_ndel, pfrio_nadd, and pfrio_nchange contain the number of addresses deleted, added, and changed by the kernel. If pfrio_size2 was set on entry, pfrio_size2 will point to the size of the buffer used, exactly like DIOCRGETADDRS.
struct pfr_astats { 
	struct pfr_addr	 pfras_a; 
	u_int64_t	 pfras_packets 
			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 
	u_int64_t	 pfras_bytes 
			     [PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 
	long		 pfras_tzero; 
};
struct pfioc_trans { 
	int		 size;	/* number of elements */ 
	int		 esize;	/* size of each element in bytes */ 
	struct pfioc_trans_e { 
		int		rs_num; 
		char		anchor[MAXPATHLEN]; 
		u_int32_t	ticket; 
	}		*array; 
};
Clear all the inactive rulesets specified in the pfioc_trans_e array. For each ruleset, a ticket is returned for subsequent "add rule" ioctls, as well as for the DIOCXCOMMIT and DIOCXROLLBACK calls.
Ruleset types, identified by rs_num, include the following:
struct pf_osfp_ioctl { 
	struct pf_osfp_entry { 
		SLIST_ENTRY(pf_osfp_entry) fp_entry; 
		pf_osfp_t		fp_os; 
		char			fp_class_nm[PF_OSFP_LEN]; 
		char			fp_version_nm[PF_OSFP_LEN]; 
		char			fp_subtype_nm[PF_OSFP_LEN]; 
	} 			fp_os; 
	pf_tcpopts_t		fp_tcpopts; 
	u_int16_t		fp_wsize; 
	u_int16_t		fp_psize; 
	u_int16_t		fp_mss; 
	u_int16_t		fp_flags; 
	u_int8_t		fp_optcnt; 
	u_int8_t		fp_wscale; 
	u_int8_t		fp_ttl; 
	int			fp_getnum; 
};
Add a passive OS fingerprint to the table. Set fp_os.fp_os to the packed fingerprint, fp_os.fp_class_nm to the name of the class (Linux, Windows, etc), fp_os.fp_version_nm to the name of the version (NT, 95, 98), and fp_os.fp_subtype_nm to the name of the subtype or patchlevel. The members fp_mss, fp_wsize, fp_psize, fp_ttl, fp_optcnt, and fp_wscale are set to the TCP MSS, the TCP window size, the IP length, the IP TTL, the number of TCP options, and the TCP window scaling constant of the TCP SYN packet, respectively.
The fp_flags member is filled according to the <net/pfvar.h> include file PF_OSFP_* defines. The fp_tcpopts member contains packed TCP options. Each option uses PF_OSFP_TCPOPT_BITS bits in the packed value. Options include any of PF_OSFP_TCPOPT_NOP, PF_OSFP_TCPOPT_SACK, PF_OSFP_TCPOPT_WSCALE, PF_OSFP_TCPOPT_MSS, or PF_OSFP_TCPOPT_TS.
The fp_getnum member is not used with this ioctl.
The structure's slack space must be zeroed for correct operation; memset(3) the whole structure to zero before filling and sending to the kernel.
struct pfioc_src_nodes { 
	int	psn_len; 
	union { 
		caddr_t		psu_buf; 
		struct pf_src_node	*psu_src_nodes; 
	} psn_u; 
#define psn_buf		psn_u.psu_buf 
#define psn_src_nodes	psn_u.psu_src_nodes 
};
Get the list of source nodes kept by sticky addresses and source tracking. The ioctl must be called once with psn_len set to 0. If the ioctl returns without error, psn_len will be set to the size of the buffer required to hold all the pf_src_node structures held in the table. A buffer of this size should then be allocated, and a pointer to this buffer placed in psn_buf. The ioctl must then be called again to fill this buffer with the actual source node data. After that call, psn_len will be set to the length of the buffer actually used.
struct pfioc_iface { 
	char			 pfiio_name[IFNAMSIZ]; 
	void			*pfiio_buffer; 
	int			 pfiio_esize; 
	int			 pfiio_size; 
	int			 pfiio_nzero; 
	int			 pfiio_flags; 
};
If not empty, pfiio_name can be used to restrict the search to a specific interface or driver. pfiio_buffer[pfiio_size] is the user-supplied buffer for returning the data. On entry, pfiio_size contains the number of pfi_kif entries that can fit into the buffer. The kernel will replace this value by the real number of entries it wants to return. pfiio_esize should be set to sizeof(struct pfi_kif).
The data is returned in the pfi_kif structure described below:
struct pfi_kif { 
	RB_ENTRY(pfi_kif)		 pfik_tree; 
	char				 pfik_name[IFNAMSIZ]; 
	u_int64_t			 pfik_packets[2][2][2]; 
	u_int64_t			 pfik_bytes[2][2][2]; 
	u_int32_t			 pfik_tzero; 
	int				 pfik_flags; 
	struct pf_state_tree_lan_ext	 pfik_lan_ext; 
	struct pf_state_tree_ext_gwy	 pfik_ext_gwy; 
	TAILQ_ENTRY(pfi_kif)		 pfik_w_states; 
	void				*pfik_ah_cookie; 
	struct ifnet			*pfik_ifp; 
	struct ifg_group		*pfik_group; 
	int				 pfik_states; 
	int				 pfik_rules; 
	TAILQ_HEAD(, pfi_dynaddr)	 pfik_dynaddrs; 
};
#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
#include <sys/types.h> 
#include <sys/socket.h> 
#include <sys/ioctl.h> 
#include <sys/fcntl.h> 
#include <net/if.h> 
#include <netinet/in.h> 
#include <net/pfvar.h> 
#include <err.h> 
#include <stdio.h> 
#include <stdlib.h> 
 
u_int32_t 
read_address(const char *s) 
{ 
	int a, b, c, d; 
 
	sscanf(s, "%i.%i.%i.%i", &a, &b, &c, &d); 
	return htonl(a << 24 | b << 16 | c << 8 | d); 
} 
 
void 
print_address(u_int32_t a) 
{ 
	a = ntohl(a); 
	printf("%d.%d.%d.%d", a >> 24 & 255, a >> 16 & 255, 
	    a >> 8 & 255, a & 255); 
} 
 
int 
main(int argc, char *argv[]) 
{ 
	struct pfioc_natlook nl; 
	int dev; 
 
	if (argc != 5) { 
		printf("%s <gwy addr> <gwy port> <ext addr> <ext port>\n", 
		    argv[0]); 
		return 1; 
	} 
 
	dev = open("/dev/pf", O_RDWR); 
	if (dev == -1) 
		err(1, "open(\"/dev/pf\") failed"); 
 
	memset(&nl, 0, sizeof(struct pfioc_natlook)); 
	nl.saddr.v4.s_addr	= read_address(argv[1]); 
	nl.sport		= htons(atoi(argv[2])); 
	nl.daddr.v4.s_addr	= read_address(argv[3]); 
	nl.dport		= htons(atoi(argv[4])); 
	nl.af			= AF_INET; 
	nl.proto		= IPPROTO_TCP; 
	nl.direction		= PF_IN; 
 
	if (ioctl(dev, DIOCNATLOOK, &nl)) 
		err(1, "DIOCNATLOOK"); 
 
	printf("internal host "); 
	print_address(nl.rsaddr.v4.s_addr); 
	printf(":%u\n", ntohs(nl.rsport)); 
	return 0; 
}
| December 19, 2009 | NetBSD 7.1 |