From owner-p4-projects@FreeBSD.ORG Tue Jul 29 15:07:21 2008
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id B02F71065673; Tue, 29 Jul 2008 15:07:21 +0000 (UTC)
Delivered-To: perforce@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5BFC41065696 for ; Tue, 29 Jul 2008 15:07:21 +0000 (UTC) (envelope-from gk@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 49DE98FC1B for ; Tue, 29 Jul 2008 15:07:21 +0000 (UTC) (envelope-from gk@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.2/8.14.2) with ESMTP id m6TF7KjC034621 for ; Tue, 29 Jul 2008 15:07:20 GMT (envelope-from gk@FreeBSD.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.14.2/8.14.1/Submit) id m6TF7K8n034619 for perforce@freebsd.org; Tue, 29 Jul 2008 15:07:20 GMT (envelope-from gk@FreeBSD.org)
Date: Tue, 29 Jul 2008 15:07:20 GMT
Message-Id: <200807291507.m6TF7K8n034619@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to gk@FreeBSD.org using -f
From: Gleb Kurtsou
To: Perforce Change Reviews
Cc:
Subject: PERFORCE change 146206 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 29 Jul 2008 15:07:22 -0000

http://perforce.freebsd.org/chv.cgi?CH=146206

Change 146206 by gk@gk_h1 on 2008/07/29 15:06:31

	update pf.conf.5 man page

Affected files ...

.. //depot/projects/soc2008/gk_l2filter/share-man-pf/pf.conf.5#2 edit

Differences ...

==== //depot/projects/soc2008/gk_l2filter/share-man-pf/pf.conf.5#2 (text+ko) ====
@@ -123,6 +123,7 @@ rules and in the routing options of filter rules, but only for .Ar round-robin pools. +Table entry can contain optional ethernet address (MAC address). .Pp Tables can be defined with any of the following .Xr pfctl 8 @@ -1485,6 +1486,10 @@ This is especially useful with .Ar nat . .Pp +Optional ethernet address (MAC address) can be assigned to addresses +specified in CIDR notation (matching netblocks), as symbolic host names or +interface names. +.Pp Ports can be specified either by number or by name. For example, port 80 can be specified as .Em www . @@ -2044,6 +2049,10 @@ must be specified explicitly to apply options to a rule. .Pp .Bl -tag -width xxxx -compact +.It Ar ether +Enable layer 2 stateful filtering for a rule. Source and destination ethernet +addresses (MAC addresses) are used create a state entry and to check if packet +matches any state entry. .It Ar max Aq Ar number Limits the number of concurrent states the rule may create. When this limit is reached, further packets matching the rule that would @@ -2735,6 +2744,9 @@ block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \e to any port smtp +pass in on $bridge_if proto tcp from 10.1.1.1 ether 00:11:11:11:11:11 \e + to ($int_if) ether 00:22:22:22:22:22 keep state (ether) + # IPv6 # pass in/out all IPv6 traffic: note that we have to enable this in two # different ways, on both our physical interface and our tunnel @@ -2835,7 +2847,7 @@ tableopts = "persist" | "const" | "file" string | "{" [ tableaddr-list ] "}" tableaddr-list = tableaddr-list [ "," ] tableaddr-spec | tableaddr-spec -tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ] +tableaddr-spec = [ "!" ] tableaddr [ "/" mask-bits ] [ "ether" ether-addr ] tableaddr = hostname | ipv4-dotted-quad | ipv6-coloned-hex | interface-name | "self" 
@@ -2890,7 +2902,7 @@ redirhost = address [ "/" mask-bits ] routehost = "(" interface-name [ address [ "/" mask-bits ] ] ")" address = ( interface-name | "(" interface-name ")" | hostname | - ipv4-dotted-quad | ipv6-coloned-hex ) + ipv4-dotted-quad | ipv6-coloned-hex ) [ "ether" ether-addr ] host-list = host [ [ "," ] host-list ] redirhost-list = redirhost [ [ "," ] redirhost-list ] routehost-list = routehost [ [ "," ] routehost-list ] @@ -2923,7 +2935,7 @@ [ "0x" ] number ) state-opts = state-opt [ [ "," ] state-opts ] -state-opt = ( "max" number | "no-sync" | timeout | +state-opt = ( "ether" | "max" number | "no-sync" | timeout | "source-track" [ ( "rule" | "global" ) ] | "max-src-nodes" number | "max-src-states" number | "max-src-conn" number |
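Review bot: the sentence added in the first hunk (line 126 of the TABLES text) needs articles and a pointer to the syntax. "Table entry can contain optional ethernet address (MAC address)." reads better as "A table entry can optionally carry an Ethernet address (MAC address), given with the .Ar ether keyword." so that a reader of the tables section learns how to write one without hunting for the grammar at the end of the page.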
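Review bot: the new paragraph in the second hunk (after "This is especially useful with .Ar nat .") says an Ethernet address can be assigned to CIDR netblocks, host names and interface names, but not what pf does with it. It should state which link-layer address of the packet the value is compared against (presumably the source MAC for from and the destination MAC for to, as the EXAMPLES hunk suggests) and that a packet whose IP part matches but whose MAC does not simply fails to match the rule. The wording also needs an article: "An optional Ethernet address (MAC address) can be assigned to ...". A one-line illustration here, e.g. "10.1.1.1 ether 00:11:11:11:11:11", would save the reader a trip to the EXAMPLES section.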
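Review bot: typo in the new .It Ar ether entry of the third hunk: "are used create a state entry" is missing "to", and "if packet matches" needs "a packet". Beyond the typos, the entry should spell out the consequence an administrator cares about: with ether set, a packet carrying the right IP addresses but a different source or destination MAC does not match the existing state, so the state is bound to one pair of link-layer addresses, whereas without the option state matching is on layer 3/4 only.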
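Review bot: the new example in the fourth hunk uses $bridge_if, which none of the neighbouring examples use ($ext_if and $int_if are the established macros); make sure the macro block at the top of the EXAMPLES section defines it, or reuse $int_if. The example also lacks the explanatory comment the surrounding examples carry; a line such as "# pass TCP from 10.1.1.1 only when its MAC address matches as well, and bind the state to both MAC addresses" tells the reader what keep state (ether) buys them over plain keep state.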
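Review bot: tableaddr-spec in the fifth hunk now references ether-addr, but the patch adds no production for it. Unless the grammar already defines ether-addr, add one next to ipv4-dotted-quad and ipv6-coloned-hex stating the accepted form (six colon-separated hex octets, as in the example's 00:11:11:11:11:11).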
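Review bot: in the sixth hunk, because redirhost and routehost are built from address, extending address with [ "ether" ether-addr ] makes the grammar accept an Ethernet address in rdr/nat redirection targets and in route-to/reply-to hosts, not only in from/to. If the parser rejects ether in those positions the grammar overstates what is accepted and the option belongs on host instead; if it is accepted there, the prose above should say what it means for a redirection or routing target.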