path: root/share/man/man4/pf.4
Diffstat (limited to 'share/man/man4/pf.4')
-rw-r--r--  share/man/man4/pf.4  52
1 files changed, 41 insertions, 11 deletions
diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4
index 9ab46558a2d6..03a4ba2bbe7f 100644
--- a/share/man/man4/pf.4
+++ b/share/man/man4/pf.4
@@ -26,7 +26,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd September 6, 2024
+.Dd July 2, 2025
.Dt PF 4
.Os
.Sh NAME
@@ -35,6 +35,23 @@
.Sh SYNOPSIS
.Cd "device pf"
.Cd "options PF_DEFAULT_TO_DROP"
+.Pp
+In
+.Xr rc.conf 5 :
+.Cd pf_enable="YES"
+.Pp
+In
+.Xr loader.conf 5 :
+.Cd net.pf.states_hashsize
+.Cd net.pf.source_nodes_hashsize
+.Cd net.pf.rule_tag_hashsize
+.Cd net.pf.udpendpoint_hashsize
+.Cd net.pf.default_to_drop
+.Pp
+In
+.Xr sysctl.conf 5 :
+.Cd net.pf.request_maxcount
+.Cd net.pf.filter_local
.Sh DESCRIPTION
Packet filtering takes place in the kernel.
A pseudo-device,
@@ -74,10 +91,28 @@ separated by
characters, similar to how file system hierarchies are laid out.
The final component of the anchor path is the anchor under which
operations will be performed.
-.Sh SYSCTL VARIABLES AND LOADER TUNABLES
-The following
+.Sh SYSCTL VARIABLES
+The following variables can be entered at the
+.Xr loader 8
+prompt, set in
+.Xr loader.conf 5 ,
+.Xr sysctl.conf 5 ,
+or changed at runtime with
+.Xr sysctl 8 :
+.Bl -tag -width indent
+.It Va net.pf.filter_local
+This tells
+.Nm
+to also filter on the loopback output hook.
+This is typically used to allow redirect rules to adjust the source address.
+.It Va net.pf.request_maxcount
+The maximum number of items in a single ioctl call.
+.El
+.Sh LOADER TUNABLES
+The following tunables can be entered at the
.Xr loader 8
-tunables are available.
+prompt, or set in
+.Xr loader.conf 5 :
.Bl -tag -width indent
.It Va net.pf.states_hashsize
Size of hash table that stores states.
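Review bot: the introduction of the new SYSCTL VARIABLES section ("The following variables can be entered at the .Xr loader 8 prompt, set in .Xr loader.conf 5 , .Xr sysctl.conf 5 , or changed at runtime with .Xr sysctl 8 :") is almost word for word the introduction of the LOADER TUNABLES section that follows it, so the split does not make the distinction obvious to a reader; state the distinguishing property directly, for example that net.pf.filter_local and net.pf.request_maxcount can be changed at runtime with sysctl(8), whereas the hash-size tunables below are read only at boot. The net.pf.request_maxcount entry ("The maximum number of items in a single ioctl call.") would also be more useful with its default value and the error an oversized request gets, since this is the bound on how much a single ioctl(2) from userland may ask of the kernel.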
@@ -104,11 +139,6 @@ to also filter on the loopback output hook.
This is typically used to allow redirect rules to adjust the source address.
.It Va net.pf.request_maxcount
The maximum number of items in a single ioctl call.
-.It Va net.pf.rdr_srcport_rewrite_tries
-The maximum number of times to try and find a free source port when handling
-redirects.
-Such rules are typically applied to external traffic, so an exhaustive search
-may be too expensive.
.El
.Pp
Read only
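Review bot: the unchanged context lines of this hunk ("This is typically used to allow redirect rules to adjust the source address." followed by ".It Va net.pf.request_maxcount" and "The maximum number of items in a single ioctl call.") show that the net.pf.filter_local and net.pf.request_maxcount entries are still present in what is now the LOADER TUNABLES list, while the previous hunk adds the same two entries to the new SYSCTL VARIABLES section, so they are documented twice with identical text; drop them from this list together with the net.pf.rdr_srcport_rewrite_tries entry that this hunk removes. The removal of the net.pf.rdr_srcport_rewrite_tries text is not explained anywhere on this page either: if the tunable still exists in the kernel it should stay documented, and if it was removed the commit message should say so.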
@@ -1084,7 +1114,7 @@ will be set to the length of the buffer actually used.
.It Dv DIOCCLRSRCNODES
Clear the tree of source tracking nodes.
.It Dv DIOCIGETIFACES Fa "struct pfioc_iface *io"
-Get the list of interfaces and interface drivers known to
+Get the list of interfaces and interface groups known to
.Nm .
All the ioctls that manipulate interfaces
use the same structure described below:
@@ -1101,7 +1131,7 @@ struct pfioc_iface {
.Pp
If not empty,
.Va pfiio_name
-can be used to restrict the search to a specific interface or driver.
+can be used to restrict the search to a specific interface or group.
.Va pfiio_buffer[pfiio_size]
is the user-supplied buffer for returning the data.
On entry,