The branch main has been updated by kp:
URL:
https://cgit.FreeBSD.org/src/commit/?id=05e99f5d175117fb095ee62352903d5157cb1796
commit 05e99f5d175117fb095ee62352903d5157cb1796
Author: Kristof Provost <k...@freebsd.org>
AuthorDate: 2025-08-25 09:21:49 +0000
Commit: Kristof Provost <k...@freebsd.org>
CommitDate: 2025-09-17 14:15:14 +0000
pfctl.8: omit preceding flag from command/modifier lists to get tags
reads odd to repeat, e.g. -F, when listing all its modifiers.
as a consequence, automatic tagging wouldn't work, e.g. no "zero"
tag would exist to jump to that -F modifier's definition.
also add manual tags for -R and -T as get explained together with
-s and -t, respectively, where only the first flag gets tagged.
Obtained from: OpenBSD, kn <k...@openbsd.org>, e08605c7f2
Sponsored by: Rubicon Communications, LLC ("Netgate")
---
sbin/pfctl/pfctl.8 | 92 +++++++++++++++++++++++++++---------------------------
1 file changed, 46 insertions(+), 46 deletions(-)
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8
index 5a74a8fd3444..8e152f90d616 100644
--- a/sbin/pfctl/pfctl.8
+++ b/sbin/pfctl/pfctl.8
@@ -24,7 +24,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd August 5, 2025
+.Dd August 25, 2025
.Dt PFCTL 8
.Os
.Sh NAME
@@ -211,31 +211,31 @@ Flush the filter parameters specified by
.Ar modifier
(may be abbreviated):
.Pp
-.Bl -tag -width xxxxxxxxxxxx -compact
-.It Fl F Cm nat
+.Bl -tag -width xxxxxxxxx -compact
+.It Cm nat
Flush the NAT rules.
-.It Fl F Cm queue
+.It Cm queue
Flush the queue rules.
-.It Fl F Cm ethernet
+.It Cm ethernet
Flush the Ethernet filter rules.
-.It Fl F Cm rules
+.It Cm rules
Flush the filter rules.
-.It Fl F Cm states
+.It Cm states
Flush the state table (NAT and filter).
-.It Fl F Cm Sources
+.It Cm Sources
Flush the source tracking table.
-.It Fl F Cm info
+.It Cm info
Flush the filter information (statistics that are not bound to rules).
-.It Fl F Cm Tables
+.It Cm Tables
Flush the tables.
-.It Fl F Cm osfp
+.It Cm osfp
Flush the passive operating system fingerprints.
-.It Fl F Cm Reset
+.It Cm Reset
Reset limits, timeouts and other options back to default settings.
See the OPTIONS section in
.Xr pf.conf 5
for details.
-.It Fl F Cm all
+.It Cm all
Flush all of the above.
.El
.Pp
@@ -401,13 +401,13 @@ Other rules and options are ignored.
.It Fl o Ar level
Control the ruleset optimizer, overriding any rule file settings.
.Pp
-.Bl -tag -width xxxxxxxxxxxx -compact
-.It Fl o Cm none
+.Bl -tag -width xxxxxxxxx -compact
+.It Cm none
Disable the ruleset optimizer.
-.It Fl o Cm basic
+.It Cm basic
Enable basic ruleset optimizations.
This is the default behaviour.
-.It Fl o Cm profile
+.It Cm profile
Enable basic ruleset optimizations with profiling.
.El
.Pp
@@ -437,10 +437,10 @@ Show the filter parameters specified by
.Ar modifier
(may be abbreviated):
.Pp
-.Bl -tag -width xxxxxxxxxxxxx -compact
-.It Fl s Cm nat
+.Bl -tag -width xxxxxxxxxxx -compact
+.It Cm nat
Show the currently loaded NAT rules.
-.It Fl s Cm queue
+.It Cm queue
Show the currently loaded queue rules.
When used together with
.Fl v ,
@@ -450,13 +450,13 @@ When used together with
.Nm
will loop and show updated queue statistics every five seconds, including
measured bandwidth and packets per second.
-.It Fl s Cm ether
+.It Cm ether
Show the currently loaded Ethernet rules.
When used together with
.Fl v ,
the per-rule statistics (number of evaluations,
packets, and bytes) are also shown.
-.It Fl s Cm rules
+.It Cm rules
Show the currently loaded filter rules.
When used together with
.Fl v ,
@@ -469,7 +469,7 @@ will skip evaluation of rules where possible.
Packets passed statefully are counted in the rule that created the state
(even though the rule is not evaluated more than once for the entire
connection).
-.It Fl s Cm Anchors
+.It Cm Anchors
Show the currently loaded anchors directly attached to the main ruleset.
If
.Fl a Ar anchor
@@ -480,11 +480,11 @@ If
.Fl v
is specified, all anchors attached under the target anchor will be
displayed recursively.
-.It Fl s Cm states
+.It Cm states
Show the contents of the state table.
-.It Fl s Cm Sources
+.It Cm Sources
Show the contents of the source tracking table.
-.It Fl s Cm info
+.It Cm info
Show filter information (statistics and counters).
When used together with
.Fl v ,
@@ -492,21 +492,21 @@ source tracking statistics, the firewall's 32-bit hostid
number and the
main ruleset's MD5 checksum for use with
.Xr pfsync 4
are also shown.
-.It Fl s Cm Running
+.It Cm Running
Show the running status and provide a non-zero exit status when disabled.
-.It Fl s Cm labels
+.It Cm labels
Show per-rule statistics (label, evaluations, packets total, bytes total,
packets in, bytes in, packets out, bytes out, state creations) of
filter rules with labels, useful for accounting.
-.It Fl s Cm timeouts
+.It Cm timeouts
Show the current global timeouts.
-.It Fl s Cm memory
+.It Cm memory
Show the current pool memory hard limits.
-.It Fl s Cm Tables
+.It Cm Tables
Show the list of tables.
-.It Fl s Cm osfp
+.It Cm osfp
Show the list of operating system fingerprints.
-.It Fl s Cm Interfaces
+.It Cm Interfaces
Show the list of interfaces and interface groups available to PF.
When used together with
.Fl v ,
@@ -516,7 +516,7 @@ When used together with
interface statistics are also shown.
.Fl i
can be used to select an interface or a group of interfaces.
-.It Fl s Cm all
+.It Cm all
Show all of the above, except for the lists of interfaces and operating
system fingerprints.
.El
@@ -571,38 +571,38 @@ Specify the
.Ar table .
Commands include:
.Pp
-.Bl -tag -width "-T expire number" -compact
-.It Fl T Cm add
+.Bl -tag -width "expire number" -compact
+.It Cm add
Add one or more addresses to a table.
Automatically create a persistent table if it does not exist.
-.It Fl T Cm delete
+.It Cm delete
Delete one or more addresses from a table.
-.It Fl T Cm expire Ar number
+.It Cm expire Ar number
Delete addresses which had their statistics cleared more than
.Ar number
seconds ago.
For entries which have never had their statistics cleared,
.Ar number
refers to the time they were added to the table.
-.It Fl T Cm flush
+.It Cm flush
Flush all addresses in a table.
-.It Fl T Cm kill
+.It Cm kill
Kill a table.
-.It Fl T Cm replace
+.It Cm replace
Replace the addresses of the table.
Automatically create a persistent table if it does not exist.
-.It Fl T Cm show
+.It Cm show
Show the content (addresses) of a table.
-.It Fl T Cm test
+.It Cm test
Test if the given addresses match a table.
-.It Fl T Cm zero Op Ar address ...
+.It Cm zero Op Ar address ...
Clear all the statistics of a table, or only for specified addresses.
-.It Fl T Cm reset
+.It Cm reset
Clear statistics only for addresses with non-zero statistics. Addresses
with counter values at zero and their
.Dq Cleared
timestamp are left untouched.
-.It Fl T Cm load
+.It Cm load
Load only the table definitions from
.Xr pf.conf 5 .
This is used in conjunction with the
