Diffstat (limited to 'sbin/pfctl/pfctl.8')
-rw-r--r-- | sbin/pfctl/pfctl.8 | 241 |
1 files changed, 174 insertions, 67 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index 41eb2bea9f94..58de54cdf923 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -24,7 +24,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd February 22, 2021 +.Dd August 28, 2025 .Dt PFCTL 8 .Os .Sh NAME @@ -43,7 +43,7 @@ .Op Fl K Ar host | network .Xo .Oo Fl k -.Ar host | network | label | id | gateway +.Ar host | network | label | id | gateway | nat .Oc Xc .Op Fl o Ar level .Op Fl p Ar device @@ -82,7 +82,7 @@ Translation rules are described in .Xr pf.conf 5 . .Pp When the variable -.Va pf +.Va pf_enable is set to .Dv YES in @@ -104,9 +104,7 @@ to 1. Set them permanently in .Xr sysctl.conf 5 . .Pp -The -.Nm -utility provides several commands. +At least one option must be specified. The options are as follows: .Bl -tag -width Ds .It Fl A @@ -116,8 +114,10 @@ Other rules and options are ignored. Apply flags .Fl f , .Fl F , +.Fl s , +.Fl T , and -.Fl s +.Fl z only to the rules in the specified .Ar anchor . In addition to the main ruleset, @@ -187,6 +187,13 @@ as the anchor name: .Bd -literal -offset indent # pfctl -a '*' -sr .Ed +.Pp +To flush all rulesets and tables recursively, specify only +.Sq * +as the anchor name: +.Bd -literal -offset indent +# pfctl -a '*' -Fa +.Ed .It Fl D Ar macro Ns = Ns Ar value Define .Ar macro 
@@ -205,28 +212,46 @@ Flush the filter parameters specified by .Ar modifier (may be abbreviated): .Pp -.Bl -tag -width xxxxxxxxxxxx -compact -.It Fl F Cm nat +.Bl -tag -width xxxxxxxxx -compact +.It Cm nat Flush the NAT rules. -.It Fl F Cm queue +.It Cm queue Flush the queue rules. -.It Fl F Cm ethernet +.It Cm ethernet Flush the Ethernet filter rules. -.It Fl F Cm rules +.It Cm rules Flush the filter rules. -.It Fl F Cm states +.It Cm states Flush the state table (NAT and filter). -.It Fl F Cm Sources +.It Cm Sources Flush the source tracking table. -.It Fl F Cm info +.It Cm info Flush the filter information (statistics that are not bound to rules). -.It Fl F Cm Tables +.It Cm Tables Flush the tables. -.It Fl F Cm osfp +.It Cm osfp Flush the passive operating system fingerprints. -.It Fl F Cm all +.It Cm Reset +Reset limits, timeouts and other options back to default settings. +See the OPTIONS section in +.Xr pf.conf 5 +for details. +.It Cm all Flush all of the above. .El +.Pp +If +.Fl a +is specified as well and +.Ar anchor +is terminated with a +.Sq * +character, +.Cm rules , +.Cm Tables +and +.Cm all +flush the given anchor recursively. .It Fl f Ar file Load the rules contained in .Ar file . @@ -256,15 +281,17 @@ option may be specified, which will kill all the source tracking entries from the first host/network to the second. .It Xo .Fl k -.Ar host | network | label | id | gateway +.Ar host | network | label | id | key | gateway | nat .Xc Kill all of the state entries matching the specified .Ar host , .Ar network , .Ar label , .Ar id , +.Ar key , +.Ar gateway, or -.Ar gateway. +.Ar nat. .Pp For example, to kill all of the state entries originating from .Dq host : @@ -294,7 +321,7 @@ To kill all states with the target .Pp .Dl # pfctl -k 0.0.0.0/0 -k host2 .Pp -It is also possible to kill states by rule label or state ID. +It is also possible to kill states by rule label, state key or state ID. In this mode the first .Fl k argument is used to specify the type 
@@ -305,6 +332,17 @@ from rules carrying the label .Pp .Dl # pfctl -k label -k foobar .Pp +To kill one specific state by its key +(protocol, host1, port1, direction, host2 and port2 in the same format +of pfctl -s state), +use the +.Ar key +modifier and as a second argument the state key. +To kill a state whose protocol is TCP and originating from +10.0.0.101:32123 to 10.0.0.1:80 use: +.Pp +.Dl # pfctl -k key -k 'tcp 10.0.0.1:80 <- 10.0.0.101:32123' +.Pp To kill one specific state by its unique state ID (as shown by pfctl -s state -vv), use the @@ -332,6 +370,10 @@ To kill all states using a gateway in 192.168.0.0/24: .Pp .Dl # pfctl -k gateway -k 192.168.0.0/24 .Pp +States can also be killed based on their pre-NAT address: +.Pp +.Dl # pfctl -k nat -k 192.168.0.1 +.Pp .It Fl M Kill matching states in the opposite direction (on other interfaces) when killing states. @@ -360,15 +402,16 @@ Other rules and options are ignored. .It Fl o Ar level Control the ruleset optimizer, overriding any rule file settings. .Pp -.Bl -tag -width xxxxxxxxxxxx -compact -.It Fl o Cm none +.Bl -tag -width xxxxxxxxx -compact +.It Cm none Disable the ruleset optimizer. -.It Fl o Cm basic +.It Cm basic Enable basic ruleset optimizations. This is the default behaviour. -.It Fl o Cm profile +.It Cm profile Enable basic ruleset optimizations with profiling. .El +.Pp For further information on the ruleset optimizer, see .Xr pf.conf 5 . .It Fl P 
@@ -385,16 +428,20 @@ Only print errors and warnings. Load only the filter rules present in the rule file. Other rules and options are ignored. .It Fl r -Perform reverse DNS lookups on states when displaying them. -.It Fl s Ar modifier +Perform reverse DNS lookups on states and tables when displaying them. +.Fl N +and +.Fl r +are mutually exclusive. +.It Fl s Ar modifier Op Fl R Ar id Show the filter parameters specified by .Ar modifier (may be abbreviated): .Pp -.Bl -tag -width xxxxxxxxxxxxx -compact -.It Fl s Cm nat +.Bl -tag -width xxxxxxxxxxx -compact +.It Cm nat Show the currently loaded NAT rules. -.It Fl s Cm queue +.It Cm queue Show the currently loaded queue rules. When used together with .Fl v , @@ -404,18 +451,25 @@ When used together with .Nm will loop and show updated queue statistics every five seconds, including measured bandwidth and packets per second. -.It Fl s Cm ether +.It Cm ether Show the currently loaded Ethernet rules. When used together with .Fl v , the per-rule statistics (number of evaluations, packets, and bytes) are also shown. -.It Fl s Cm rules +.It Cm rules Show the currently loaded filter rules. When used together with .Fl v , the per-rule statistics (number of evaluations, packets, and bytes) are also shown. +When used together with +.Fl g +or +.Fl vv , +expired rules +.Pq marked as Dq # expired +are also shown. Note that the .Dq skip step optimization done automatically by the kernel @@ -423,7 +477,7 @@ will skip evaluation of rules where possible. Packets passed statefully are counted in the rule that created the state (even though the rule is not evaluated more than once for the entire connection). -.It Fl s Cm Anchors +.It Cm Anchors Show the currently loaded anchors directly attached to the main ruleset. If .Fl a Ar anchor 
@@ -434,31 +488,34 @@ If .Fl v is specified, all anchors attached under the target anchor will be displayed recursively. -.It Fl s Cm states +.It Cm states Show the contents of the state table. -.It Fl s Cm Sources +.It Cm Sources Show the contents of the source tracking table. -.It Fl s Cm info +.It Cm info Show filter information (statistics and counters). When used together with .Fl v , -source tracking statistics are also shown. -.It Fl s Cm Running +source tracking statistics, the firewall's 32-bit hostid number and the +main ruleset's MD5 checksum for use with +.Xr pfsync 4 +are also shown. +.It Cm Running Show the running status and provide a non-zero exit status when disabled. -.It Fl s Cm labels +.It Cm labels Show per-rule statistics (label, evaluations, packets total, bytes total, packets in, bytes in, packets out, bytes out, state creations) of filter rules with labels, useful for accounting. -.It Fl s Cm timeouts +.It Cm timeouts Show the current global timeouts. -.It Fl s Cm memory +.It Cm memory Show the current pool memory hard limits. -.It Fl s Cm Tables +.It Cm Tables Show the list of tables. -.It Fl s Cm osfp +.It Cm osfp Show the list of operating system fingerprints. -.It Fl s Cm Interfaces -Show the list of interfaces and interface drivers available to PF. +.It Cm Interfaces +Show the list of interfaces and interface groups available to PF. When used together with .Fl v , it additionally lists which interfaces have skip rules activated. 
@@ -467,43 +524,93 @@ When used together with interface statistics are also shown. .Fl i can be used to select an interface or a group of interfaces. -.It Fl s Cm all +.It Cm all Show all of the above, except for the lists of interfaces and operating system fingerprints. .El -.It Fl T Ar command Op Ar address ... +.Pp +Counters shown with +.Fl s Cm info +are: +.Pp +.Bl -tag -width xxxxxxxxxxxxxx -compact +.It match +explicit rule match +.It bad-offset +currently unused +.It fragment +invalid fragments dropped +.It short +short packets dropped +.It normalize +dropped by normalizer: illegal packets +.It memory +memory could not be allocated +.It bad-timestamp +bad TCP timestamp; RFC 1323 +.It congestion +network interface queue congested +.It ip-option +bad IP/IPv6 options +.It proto-cksum +invalid protocol checksum +.It state-mismatch +packet was associated with a state entry, but sequence numbers did not match +.It state-insert +state insertion failure +.It state-limit +configured state limit was reached +.It src-limit +source node/connection limit +.It synproxy +dropped by synproxy +.It map-failed +address mapping failed +.It translate +no free ports in translation port range +.El +.It Fl S +Do not perform domain name resolution. +If a name cannot be resolved without DNS, an error will be reported. +.It Fl t Ar table Fl T Ar command Op Ar address ... Specify the .Ar command -(may be abbreviated) to apply to the table. +(may be abbreviated) to apply to +.Ar table . Commands include: .Pp -.Bl -tag -width xxxxxxxxxxxx -compact -.It Fl T Cm kill -Kill a table. -.It Fl T Cm flush -Flush all addresses of a table. -.It Fl T Cm add -Add one or more addresses in a table. -Automatically create a nonexisting table. -.It Fl T Cm delete +.Bl -tag -width "expire number" -compact +.It Cm add +Add one or more addresses to a table. +Automatically create a persistent table if it does not exist. +.It Cm delete Delete one or more addresses from a table. 
-.It Fl T Cm expire Ar number +.It Cm expire Ar number Delete addresses which had their statistics cleared more than .Ar number seconds ago. For entries which have never had their statistics cleared, .Ar number refers to the time they were added to the table. -.It Fl T Cm replace +.It Cm flush +Flush all addresses in a table. +.It Cm kill +Kill a table. +.It Cm replace Replace the addresses of the table. -Automatically create a nonexisting table. -.It Fl T Cm show +Automatically create a persistent table if it does not exist. +.It Cm show Show the content (addresses) of a table. -.It Fl T Cm test +.It Cm test Test if the given addresses match a table. -.It Fl T Cm zero -Clear all the statistics of a table. -.It Fl T Cm load +.It Cm zero Op Ar address ... +Clear all the statistics of a table, or only for specified addresses. +.It Cm reset +Clear statistics only for addresses with non-zero statistics. Addresses +with counter values at zero and their +.Dq Cleared +timestamp are left untouched. +.It Cm load Load only the table definitions from .Xr pf.conf 5 . This is used in conjunction with the @@ -526,6 +633,8 @@ line and/or in an unformatted text file, using the flag. Comments starting with a .Sq # +or +.Sq \; are allowed in the text file. With these commands, the .Fl v @@ -666,8 +775,6 @@ tables of the same name from anchors attached below it. .It C This flag is set when per-address counters are enabled on the table. .El -.It Fl t Ar table -Specify the name of the table. .It Fl v Produce more verbose output. A second use of |
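Review bot: the SYNOPSIS hunk (@@ -43,7) adds only `nat` to the -k argument list, giving `host | network | label | id | gateway | nat`, but the description hunk (@@ -256,15) documents `host | network | label | id | key | gateway | nat`; add `key` to the synopsis so the two lists agree.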
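Review bot: in the -F modifier list (@@ -205,28) the new `Reset` entry sits directly above `all`, whose text still reads "Flush all of the above", so a reader will take `-F all` to also reset limits, timeouts and options to defaults; if that is not what `all` does, say so explicitly in the `all` entry (e.g. "Flush all of the above except Reset").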
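Review bot: `.Ar gateway,` and `.Ar nat.` in the -k description (@@ -256,15) put the punctuation inside the macro argument, so it is rendered in the argument font; mdoc expects trailing punctuation as a separate token, i.e. `.Ar gateway ,` and `.Ar nat .` (the removed `.Ar gateway.` had the same problem, so this is the moment to fix it rather than carry it forward).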
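Review bot: in the state-key paragraph (@@ -305,6) "in the same format of pfctl -s state" should read "in the same format as", and the command is better written with the page's own markup (`.Nm Fl s Cm states`) than as literal text. The example kills a state "originating from 10.0.0.101:32123 to 10.0.0.1:80" with `'tcp 10.0.0.1:80 <- 10.0.0.101:32123'`; one clause saying that the arrow is the direction exactly as printed by `-s states`, so the originating host can appear on the right, would save the reader a guess.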
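Review bot: the new -r text (@@ -385,16) says `-N` and `-r` are mutually exclusive, but the option this patch documents for disabling name resolution is `-S` ("Do not perform domain name resolution", @@ -467,43); unless -N also suppresses DNS lookups, this should read `-S`. In the same hunk `-s modifier` gains `[-R id]`, while the entry just above -r in the unchanged context (presumably -R) still reads only "Load only the filter rules present in the rule file. Other rules and options are ignored."; the -R description needs to say what `id` selects when -R is combined with -s.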
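Review bot: the -T command list (@@ -467,43) is reordered alphabetically (add, delete, expire, flush, kill, replace, show, test, zero), but the new `reset` entry is appended after `zero`; move it between `replace` and `show`. Merging -t and -T into one entry (`.It Fl t Ar table Fl T Ar command Op Ar address ...`) with the separate `.It Fl t Ar table` entry removed at @@ -666,8 is consistent; check that the SYNOPSIS presents the pair the same way.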
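Review bot: `.Sq \;` in the table-file comment sentence (@@ -526,6) relies on `\;`, which is not a standard roff escape, so mandoc and groff may warn and render it unpredictably; a bare `;` as a macro argument is treated by mdoc as a closing delimiter and placed outside the quotes, so the usual spelling is `.Sq \&;`. Verify the rendered output with `mandoc -Tlint` before committing.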