Diffstat (limited to 'share/man/man4/pf.4'):

-rw-r--r--  share/man/man4/pf.4  52

1 file changed, 41 insertions, 11 deletions
diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4 index 9ab46558a2d6..03a4ba2bbe7f 100644 --- a/share/man/man4/pf.4 +++ b/share/man/man4/pf.4 @@ -26,7 +26,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd September 6, 2024 +.Dd July 2, 2025 .Dt PF 4 .Os .Sh NAME @@ -35,6 +35,23 @@ .Sh SYNOPSIS .Cd "device pf" .Cd "options PF_DEFAULT_TO_DROP" +.Pp +In +.Xr rc.conf 5 : +.Cd pf_enable="YES" +.Pp +In +.Xr loader.conf 5 : +.Cd net.pf.states_hashsize +.Cd net.pf.source_nodes_hashsize +.Cd net.pf.rule_tag_hashsize +.Cd net.pf.udpendpoint_hashsize +.Cd net.pf.default_to_drop +.Pp +In +.Xr sysctl.conf 5 : +.Cd net.pf.request_maxcount +.Cd net.pf.filter_local .Sh DESCRIPTION Packet filtering takes place in the kernel. A pseudo-device, @@ -74,10 +91,28 @@ separated by characters, similar to how file system hierarchies are laid out. The final component of the anchor path is the anchor under which operations will be performed. -.Sh SYSCTL VARIABLES AND LOADER TUNABLES -The following +.Sh SYSCTL VARIABLES +The following variables can be entered at the +.Xr loader 8 +prompt, set in +.Xr loader.conf 5 , +.Xr sysctl.conf 5 , +or changed at runtime with +.Xr sysctl 8 : +.Bl -tag -width indent +.It Va net.pf.filter_local +This tells +.Nm +to also filter on the loopback output hook. +This is typically used to allow redirect rules to adjust the source address. +.It Va net.pf.request_maxcount +The maximum number of items in a single ioctl call. +.El +.Sh LOADER TUNABLES +The following tunables can be entered at the .Xr loader 8 -tunables are available. +prompt, or set in +.Xr loader.conf 5 : .Bl -tag -width indent .It Va net.pf.states_hashsize Size of hash table that stores states. 
@@ -104,11 +139,6 @@ to also filter on the loopback output hook. This is typically used to allow redirect rules to adjust the source address. .It Va net.pf.request_maxcount The maximum number of items in a single ioctl call. -.It Va net.pf.rdr_srcport_rewrite_tries The maximum number of times to try and find a free source port when handling redirects. Such rules are typically applied to external traffic, so an exhaustive search may be too expensive. .El .Pp Read only @@ -1084,7 +1114,7 @@ will be set to the length of the buffer actually used. .It Dv DIOCCLRSRCNODES Clear the tree of source tracking nodes. .It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io" -Get the list of interfaces and interface drivers known to +Get the list of interfaces and interface groups known to .Nm . All the ioctls that manipulate interfaces use the same structure described below: @@ -1101,7 +1131,7 @@ struct pfioc_iface { .Pp If not empty, .Va pfiio_name -can be used to restrict the search to a specific interface or driver. +can be used to restrict the search to a specific interface or group. .Va pfiio_buffer[pfiio_size] is the user-supplied buffer for returning the data. On entry,
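Review bot: the SYNOPSIS hunk (@@ -35,6 +35,23 @@) lists `.Cd net.pf.default_to_drop` under loader.conf(5) right after `.Cd "options PF_DEFAULT_TO_DROP"` without saying how the tunable and the kernel option relate, and the new LOADER TUNABLES list visible in the next hunk starts at net.pf.states_hashsize, so it is not clear from the diff that net.pf.default_to_drop is described anywhere on the page. Either add an entry for it under LOADER TUNABLES, or drop it from the synopsis if it is covered elsewhere; a synopsis knob with no body text is a dangling pointer for the reader.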
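Review bot: the new SYSCTL VARIABLES section (@@ -74,10 +91,28 @@) duplicates text that the patch leaves in place further down: it adds `.It Va net.pf.filter_local` and `.It Va net.pf.request_maxcount` with their descriptions, but the following hunk (@@ -104,11 +139,6 @@) keeps `.It Va net.pf.request_maxcount` / `The maximum number of items in a single ioctl call.` and the filter_local description as unchanged context inside the list that is now headed LOADER TUNABLES. After this change each of those two knobs is documented twice, once as a runtime sysctl and once as a loader tunable, which contradicts the point of splitting the section. Remove both entries from the old list in the same commit so each variable appears only under the heading that matches how it can be set.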
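Review bot: in the hunk at @@ -104,11 +139,6 @@ the five lines describing net.pf.rdr_srcport_rewrite_tries are deleted outright, and nothing in the diff says why. If the tunable was removed from the kernel, the commit message should state that so readers know the documentation is following the code; if it still exists, the entry belongs under SYSCTL VARIABLES or LOADER TUNABLES rather than being dropped, since silently removing a documented knob leaves existing loader.conf(5) settings unexplained.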
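Review bot: the last two hunks (@@ -1084,7 +1114,7 @@ and @@ -1101,7 +1131,7 @@) correctly replace "interface drivers"/"driver" with "interface groups"/"group" for DIOCIGETIFACES and `pfiio_name`, but the page now uses the term "group" without ever saying what an interface group is or where one is defined. Add a cross-reference to the `group` keyword in ifconfig(8) (`.Xr ifconfig 8`) at the first mention so a reader restricting a lookup by `pfiio_name` knows which names are valid.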