docs: Added All OpenBSD Manuals

1 files changed, 761 insertions, 0 deletions

diff --git a/static/openbsd/man8/pfctl.8 b/static/openbsd/man8/pfctl.8
new file mode 100644
index 00000000..3ce0d00f
--- /dev/null
+++ b/static/openbsd/man8/pfctl.8
@@ -0,0 +1,761 @@
+.\" $OpenBSD: pfctl.8,v 1.187 2025/11/11 04:06:20 dlg Exp $
+.\"
+.\" Copyright (c) 2001 Kjell Wooding.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: November 11 2025 $
+.Dt PFCTL 8
+.Os
+.Sh NAME
+.Nm pfctl
+.Nd control the packet filter (PF) device
+.Sh SYNOPSIS
+.Nm pfctl
+.Bk -words
+.Op Fl deghNnPqrvz
+.Op Fl a Ar anchor
+.Op Fl D Ar macro Ns = Ns Ar value
+.Op Fl F Ar modifier
+.Op Fl f Ar file
+.Op Fl i Ar interface
+.Op Fl K Ar key
+.Op Fl k Ar key
+.Op Fl L Ar statefile
+.Op Fl o Ar level
+.Op Fl p Ar device
+.Op Fl S Ar statefile
+.Op Fl s Ar modifier Op Fl R Ar id
+.Op Fl t Ar table Fl T Ar command Op Ar address ...
+.Op Fl V Ar rdomain
+.Op Fl x Ar level
+.Ek
+.Sh DESCRIPTION
+The
+.Nm
+utility communicates with the packet filter device using the
+ioctl interface described in
+.Xr pf 4 .
+It allows ruleset and parameter configuration,
+and retrieval of status information from the packet filter.
+Packet filtering restricts the types of packets that pass through
+network interfaces entering or leaving the host based on filter
+rules as described in
+.Xr pf.conf 5 .
+The packet filter can also replace addresses and ports of packets.
+.Pp
+The packet filter is enabled by default.
+Should
+.Nm
+be unable to load a ruleset,
+an error occurs and the original ruleset remains in place.
+If this happens at system startup,
+the ruleset defined by the
+.Va RULES
+variable in
+.Xr rc 8
+remains in place.
+.Pp
+The packet filter does not itself forward packets between interfaces.
+Forwarding can be enabled by setting the
+.Xr sysctl 8
+variables
+.Em net.inet.ip.forwarding
+and/or
+.Em net.inet6.ip6.forwarding
+to 1.
+Set them permanently in
+.Xr sysctl.conf 5 .
+.Pp
+At least one option must be specified.
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl a Ar anchor
+Apply flags
+.Fl f ,
+.Fl F ,
+.Fl s ,
+.Fl T ,
+and
+.Fl z
+only to the rules in the specified
+.Ar anchor .
+In addition to the main ruleset,
+.Nm
+can load and manipulate additional rulesets by name,
+called anchors.
+The main ruleset is the default anchor.
+.Pp
+Anchors are referenced by name and may be nested,
+with the various components of the anchor path separated by
+.Sq /
+characters, similar to how file system hierarchies are laid out.
+The last component of the anchor path is where ruleset operations are
+performed.
+.Pp
+Evaluation of
+.Ar anchor
+rules from the main ruleset is described in
+.Xr pf.conf 5 .
+.Pp
+For example, the following will show all filter rules (see the
+.Fl s
+flag below) inside the anchor
+.Dq authpf/smith(1234) ,
+which would have been created for user
+.Dq smith
+by
+.Xr authpf 8 ,
+PID 1234:
+.Bd -literal -offset indent
+# pfctl -a "authpf/smith(1234)" -s rules
+.Ed
+.Pp
+Private tables can also be put inside anchors, either by having table
+statements in the
+.Xr pf.conf 5
+file that is loaded in the anchor, or by using regular table commands, as in:
+.Bd -literal -offset indent
+# pfctl -a foo/bar -t mytable -T add 1.2.3.4 5.6.7.8
+.Ed
+.Pp
+When a rule referring to a table is loaded in an anchor, the rule will use the
+private table if one is defined, and then fall back to the table defined in the
+main ruleset, if there is one.
+This is similar to C rules for variable scope.
+It is possible to create distinct tables with the same name in the global
+ruleset and in an anchor, but this is often bad design and a warning will be
+issued in that case.
+.Pp
+By default, recursive inline printing of anchors applies only to unnamed
+anchors specified inline in the ruleset.
+If the anchor name is terminated with a
+.Sq *
+character, the
+.Fl s
+flag will recursively print all anchors in a brace delimited block.
+For example the following will print the
+.Dq authpf
+ruleset recursively:
+.Bd -literal -offset indent
+# pfctl -a 'authpf/*' -sr
+.Ed
+.Pp
+To print the main ruleset recursively, specify only
+.Sq *
+as the anchor name:
+.Bd -literal -offset indent
+# pfctl -a '*' -sr
+.Ed
+.Pp
+To flush all rulesets and tables recursively, specify only
+.Sq *
+as the anchor name:
+.Bd -literal -offset indent
+# pfctl -a '*' -Fa
+.Ed
+.It Fl D Ar macro Ns = Ns Ar value
+Define
+.Ar macro
+to be set to
+.Ar value
+on the command line.
+Overrides the definition of
+.Ar macro
+in the ruleset.
+.It Fl d
+Disable the packet filter.
+.It Fl e
+Enable the packet filter.
+.It Fl F Ar modifier
+Flush the filter parameters specified by
+.Ar modifier
+(may be abbreviated):
+.Pp
+.Bl -tag -width xxxxxxxxx -compact
+.It Cm rules
+Flush the filter rules.
+.It Cm states
+Flush the state table (NAT and filter).
+.It Cm Sources
+Flush the source tracking table.
+.It Cm info
+Flush the filter information (statistics that are not bound to rules).
+.It Cm Tables
+Flush the tables.
+.It Cm osfp
+Flush the passive operating system fingerprints.
+.It Cm Reset
+Reset limits, timeouts and other options back to default settings.
+See the OPTIONS section in
+.Xr pf.conf 5
+for details.
+.It Cm all
+Flush all of the above.
+.El
+.Pp
+If
+.Fl a
+is specified as well and
+.Ar anchor
+is terminated with a
+.Sq *
+character,
+.Cm rules ,
+.Cm Tables
+and
+.Cm all
+flush the given anchor recursively.
+.It Fl f Ar file
+Replace the current ruleset with
+the rules contained in
+.Ar file .
+This
+.Ar file
+may contain macros, tables, options, and normalization, queueing,
+translation, and filtering rules.
+With the exception of macros and tables, the statements must appear in that
+order.
+.It Fl g
+Include output helpful for debugging.
+.It Fl h
+Help.
+.It Fl i Ar interface
+Restrict the operation to the given
+.Ar interface .
+.It Fl K Ar key
+Kill all of the source tracking entries originating from the
+host or network specified by
+.Ar key .
+A second
+.Fl K
+option may be specified, which will kill all the source tracking entries
+from the first host/network to the second.
+.It Fl k Ar key
+Kill all of the state entries originating from the
+host or network specified by
+.Ar key .
+A second
+.Fl k
+option may be specified, which will kill all the state entries
+from the first host/network to the second.
+.Pp
+A network prefix length of 0 can be used as a wildcard.
+To kill all states with the target
+.Dq host2 :
+.Pp
+.Dl # pfctl -k 0.0.0.0/0 -k host2
+.Pp
+It is also possible to kill states by rule label, state key, or state ID.
+In this mode the first
+.Fl k
+argument is used to specify the type;
+a second
+.Fl k
+gives the actual target.
+.Pp
+To kill states by rule label,
+use the
+.Cm label
+modifier.
+To kill all states created from rules carrying the label
+.Dq foobar :
+.Pp
+.Dl # pfctl -k label -k foobar
+.Pp
+To kill one specific state by its state key
+(as shown by pfctl -s state),
+use the
+.Cm key
+modifier.
+To kill a state originating from 10.0.0.101:32123 to 10.0.0.1:80,
+protocol TCP, use:
+.Pp
+.Dl # pfctl -k key -k 'tcp 10.0.0.1:80 <- 10.0.0.101:32123'
+.Pp
+To kill one specific state by its unique state ID
+(as shown by pfctl -s state -vv),
+use the
+.Cm id
+modifier.
+To kill a state with ID 4823e84500000003 use:
+.Pp
+.Dl # pfctl -k id -k 4823e84500000003
+.Pp
+To kill a state with ID 4823e84500000018 created from a backup
+firewall with hostid 00000002 use:
+.Pp
+.Dl # pfctl -k id -k 4823e84500000018/2
+.It Fl L Ar statefile
+Load pf states from the file specified by
+.Ar statefile .
+.It Fl N
+Do not perform domain name resolution.
+If a name cannot be resolved without DNS, an error will be reported.
+.It Fl n
+Do not actually load rules, just parse them.
+.It Fl o Ar level
+Control the ruleset optimizer, overriding any rule file settings.
+.Pp
+.Bl -tag -width xxxxxxxxx -compact
+.It Cm none
+Disable the ruleset optimizer.
+.It Cm basic
+Enable basic ruleset optimizations.
+This is the default behaviour.
+.It Cm profile
+Enable basic ruleset optimizations with profiling.
+.El
+.Pp
+For further information on the ruleset optimizer, see
+.Xr pf.conf 5 .
+.It Fl P
+Print ports using their names in
+.Pa /etc/services
+if available.
+.It Fl p Ar device
+Use the device file
+.Ar device
+instead of the default
+.Pa /dev/pf .
+.It Fl q
+Only print errors and warnings.
+.It Fl r
+Perform reverse DNS lookups on states and tables when displaying them.
+.Fl N
+and
+.Fl r
+are mutually exclusive.
+.It Fl S Ar statefile
+Store the pf state table in the file specified by
+.Ar statefile .
+.Tg R
+.It Fl s Ar modifier Op Fl R Ar id
+Show the filter parameters specified by
+.Ar modifier
+(may be abbreviated):
+.Pp
+.Bl -tag -width xxxxxxxxxxx -compact
+.It Cm queue
+Show the currently loaded queue definitions.
+When used together with
+.Fl v ,
+per-queue statistics are also shown.
+When used together with
+.Fl v v ,
+.Nm
+will loop and show updated queue statistics every five seconds, including
+measured bandwidth and packets per second.
+.It Cm rules
+Show the currently loaded filter rules.
+If
+.Fl R Ar id
+is specified as well,
+only the rule with the specified numeric ID is shown.
+When used together with
+.Fl v ,
+the per-rule statistics (number of evaluations,
+packets and bytes) are also shown.
+When used together with
+.Fl g
+or
+.Fl vv ,
+expired rules
+.Pq marked as Dq # expired
+are also shown.
+Note that the
+.Dq skip step
+optimization done automatically by the kernel
+will skip evaluation of rules where possible.
+Packets passed statefully are counted in the rule that created the state
+(even though the rule isn't evaluated more than once for the entire
+connection).
+.It Cm Anchors
+Show the currently loaded anchors directly attached to the main ruleset.
+If
+.Fl a Ar anchor
+is specified as well, the anchors loaded directly below the given
+.Ar anchor
+are shown instead.
+If
+.Fl v
+is specified, all anchors attached under the target anchor will be
+displayed recursively.
+.It Cm states
+Show the contents of the state table.
+If
+.Fl R Ar id
+is specified as well,
+only states created by the rule with the specified numeric ID are shown.
+.It Cm Sources
+Show the contents of the source tracking table.
+.It Cm info
+Show filter information (statistics and counters).
+When used together with
+.Fl v ,
+source tracking statistics, the firewall's 32-bit hostid number and the
+main ruleset's MD5 checksum for use with
+.Xr pfsync 4
+are also shown.
+.It Cm labels
+Show per-rule statistics (label, evaluations, packets total, bytes total,
+packets in, bytes in, packets out, bytes out, state creations) of
+filter rules with labels, useful for accounting.
+If
+.Fl R Ar id
+is specified as well,
+only the statistics for the rule with the specified numeric ID are shown.
+.It Cm timeouts
+Show the current global timeouts.
+.It Cm memory
+Show the current pool memory hard limits.
+.It Cm Tables
+Show the list of tables.
+.It Cm osfp
+Show the list of operating system fingerprints.
+.It Cm Interfaces
+Show the list of interfaces and interface groups available to PF.
+When used together with
+.Fl v ,
+it additionally lists which interfaces have skip rules activated.
+When used together with
+.Fl vv ,
+interface statistics are also shown.
+.Fl i
+can be used to select an interface or a group of interfaces.
+.It Cm Stlimiter
+Show information about state limiters.
+If
+.Fl R Ar id
+is specified as well,
+only the state limiter identified by
+.Ar id
+is shown.
+.It Cm Srclimiter
+Show information about source limiters.
+If
+.Fl R Ar id
+is specified as well,
+only the state limiter identified by
+.Ar id
+is shown.
+If
+.Fl v
+is specified,
+the address entries for the source pools are shown too.
+.It Cm all
+Show all of the above, except for the lists of interfaces and operating
+system fingerprints.
+.El
+.Pp
+Counters shown with
+.Fl s Cm info
+are:
+.Pp
+.Bl -tag -width xxxxxxxxxxxxxx -compact
+.It match
+explicit rule match
+.It bad-offset
+currently unused
+.It fragment
+invalid fragments dropped
+.It short
+short packets dropped
+.It normalize
+dropped by normalizer: illegal packets
+.It memory
+memory could not be allocated
+.It bad-timestamp
+bad TCP timestamp; RFC 1323
+.It congestion
+network interface queue congested
+.It ip-option
+bad IP/IPv6 options
+.It proto-cksum
+invalid protocol checksum
+.It state-mismatch
+packet was associated with a state entry, but sequence numbers did not match
+.It state-insert
+state insertion failure
+.It state-limit
+configured state limit was reached
+.It src-limit
+source node/connection limit
+.It synproxy
+dropped by synproxy
+.It translate
+no free ports in translation port range
+.It no-route
+dropped by no-route
+.El
+.Tg T
+.It Fl t Ar table Fl T Ar command Op Ar address ...
+Specify the
+.Ar command
+(may be abbreviated) to apply to
+.Ar table .
+Commands include:
+.Pp
+.Bl -tag -width "expire number" -compact
+.It Cm add
+Add one or more addresses to a table.
+Automatically create a persistent table if it does not exist.
+.It Cm delete
+Delete one or more addresses from a table.
+.It Cm expire Ar number
+Delete addresses which had their statistics cleared more than
+.Ar number
+seconds ago.
+For entries which have never had their statistics cleared,
+.Ar number
+refers to the time they were added to the table.
+.It Cm flush
+Flush all addresses in a table.
+.It Cm kill
+Kill a table.
+.It Cm replace
+Replace the addresses of the table.
+Automatically create a persistent table if it does not exist.
+.It Cm show
+Show the content (addresses) of a table.
+.It Cm test
+Test if the given addresses match a table.
+.It Cm zero
+Clear all the statistics of a table, or only for specified addresses.
+.El
+.Pp
+For the
+.Cm add ,
+.Cm delete ,
+.Cm replace ,
+and
+.Cm test
+commands, the list of addresses can be specified either directly on the command
+line and/or in an unformatted text file, using the
+.Fl f
+flag.
+Comments starting with a
+.Sq #
+are allowed in the text file.
+With these commands, the
+.Fl v
+flag can also be used once or twice, in which case
+.Nm
+will print the
+detailed result of the operation for each individual address, prefixed by
+one of the following letters:
+.Pp
+.Bl -tag -width XXX -compact
+.It A
+The address/network has been added.
+.It C
+The address/network has been changed (negated).
+.It D
+The address/network has been deleted.
+.It M
+The address matches
+.Po
+.Cm test
+operation only
+.Pc .
+.It X
+The address/network is duplicated and therefore ignored.
+.It Y
+The address/network cannot be added/deleted due to conflicting
+.Sq \&!
+attributes.
+.It Z
+The address/network has been cleared (statistics).
+.El
+.Pp
+Each table can maintain a set of counters that can be retrieved using the
+.Fl v
+flag of
+.Nm .
+For example, the following commands define a wide open firewall which will keep
+track of packets going to or coming from the
+.Ox
+FTP server.
+The following commands configure the firewall and send 10 pings to the FTP
+server:
+.Bd -literal -offset indent
+# printf "table <test> counters { ftp.openbsd.org }\en \e
+    pass out to <test>\en" | pfctl -f-
+# ping -qc10 ftp.openbsd.org
+.Ed
+.Pp
+We can now use the table
+.Cm show
+command to output, for each address and packet direction, the number of packets
+and bytes that are being passed, matched or blocked by rules referencing the
+table.
+Note that the match counters are incremented for every match rule in which
+they are referenced, meaning that a single packet may be counted multiple times.
+The time at which the current accounting started is also shown with the
+.Dq Cleared
+line.
+.Bd -literal -offset indent
+# pfctl -t test -vTshow
+   198.51.100.81
+        Cleared:        Fri Jun 28 11:17:37 2013
+        In/Block:       [ Packets: 0	Bytes: 0	]
+        In/Match        [ Packets: 54	Bytes: 10028	]
+        In/Pass:        [ Packets: 5	Bytes: 1949	]
+        Out/Block:      [ Packets: 0	Bytes: 0	]
+        Out/Match       [ Packets: 65	Bytes: 12684	]
+        Out/Pass:       [ Packets: 6	Bytes: 389	]
+.Ed
+.Pp
+Similarly, it is possible to view global information about the tables
+by using the
+.Fl v
+modifier twice and the
+.Fl s
+.Cm Tables
+command.
+This will display the number of addresses on each table,
+the number of rules which reference the table, and the global
+packet statistics for the whole table:
+.Bd -literal -offset indent
+# pfctl -vvsTables
+--a-r-C test
+        Addresses:   1
+        Cleared:     Fri Jun 28 11:17:37 2013
+        References:  [ Anchors: 0	Rules: 4	]
+        Evaluations: [ NoMatch: 35	Match: 8	]
+        In/Block:    [ Packets: 0	Bytes: 0	]
+        In/Match:    [ Packets: 54	Bytes: 10028	]
+        In/Pass:     [ Packets: 5	Bytes: 1949	]
+        In/XPass:    [ Packets: 0	Bytes: 0	]
+        Out/Block:   [ Packets: 0	Bytes: 0	]
+        Out/Match:   [ Packets: 65	Bytes: 12684	]
+        Out/Pass:    [ Packets: 6	Bytes: 389	]
+        Out/XPass:   [ Packets: 0	Bytes: 0	]
+.Ed
+.Pp
+Only packets creating state are matched in the Evaluations line,
+but all packets passing as a result of the state are correctly accounted for.
+Reloading the table(s) or ruleset will not affect packet accounting in any way.
+The two
+.Dq XPass
+counters are incremented instead of the
+.Dq Pass
+counters when a
+.Dq stateful
+packet is passed but doesn't match the table anymore.
+This will happen in our example if someone flushes the table while the
+.Xr ping 8
+command is running.
+.Pp
+When used with a single
+.Fl v ,
+.Nm
+will only display the first line containing the table flags and name.
+The flags are defined as follows:
+.Pp
+.Bl -tag -width XXX -compact
+.It c
+For constant tables, which cannot be altered outside
+.Xr pf.conf 5 .
+.It p
+For persistent tables, which don't get automatically killed when no rules
+refer to them.
+.It a
+For tables which are part of the
+.Em active
+tableset.
+Tables without this flag do not really exist, cannot contain addresses, and are
+only listed if the
+.Fl g
+flag is given.
+.It i
+For tables which are part of the
+.Em inactive
+tableset.
+This flag can only be witnessed briefly during the loading of
+.Xr pf.conf 5 .
+.It r
+For tables which are referenced (used) by rules.
+.It h
+This flag is set when a table in the main ruleset is hidden by one or more
+tables of the same name from anchors attached below it.
+.It C
+This flag is set when per-address counters are enabled on the table.
+.El
+.It Fl V Ar rdomain
+Select the routing domain to be used to kill states by host or by label.
+The rdomain of a state is displayed in parentheses before the host by
+.Fl s Cm states .
+.It Fl v
+Produce more verbose output.
+A second use of
+.Fl v
+will produce even more verbose output including ruleset warnings.
+See the previous section for its effect on table commands.
+.It Fl x Ar level
+Set the debug
+.Ar level ,
+which limits the severity of log messages printed by
+.Xr pf 4 .
+This should be a keyword from the following ordered list
+(highest to lowest):
+.Cm emerg ,
+.Cm alert ,
+.Cm crit ,
+.Cm err ,
+.Cm warning ,
+.Cm notice ,
+.Cm info ,
+and
+.Cm debug .
+These keywords correspond to the similar (LOG_) values specified to the
+.Xr syslog 3
+library routine,
+and may be abbreviated on the command line.
+.It Fl z
+Clear per-rule statistics.
+.El
+.Sh FILES
+.Bl -tag -width "/etc/pf.conf" -compact
+.It Pa /etc/pf.conf
+Packet filter rules file.
+.It Pa /etc/pf.os
+Passive operating system fingerprint database.
+.El
+.Sh SEE ALSO
+.Xr pf 4 ,
+.Xr pf.conf 5 ,
+.Xr pf.os 5 ,
+.Xr sysctl.conf 5 ,
+.Xr authpf 8 ,
+.Xr ftp-proxy 8 ,
+.Xr rc 8 ,
+.Xr rc.conf 8 ,
+.Xr sysctl 8
+.Sh HISTORY
+The
+.Nm
+program and the
+.Xr pf 4
+filter mechanism first appeared in
+.Ox 3.0 .