Packet Filter (pf) module: firewalls and NAT

Updated: April 19, 2023

The pfil interface is used by the Packet Filter (pf) to hook into the packet stream for implementing firewalls and NAT. This is a loadable module specific to either the v4 or v6 version of the stack (lsm-pf-v4.so or lsm-pf-v6.so). When loaded (e.g. mount -Tio-pkt /lib/dll/lsm-pf-v4.so), the module creates a pf pseudo-device.

The pf pseudo-device provides roughly the same functionality as ipfilter, another filtering and NAT suite that also uses the pfil hooks.

For more information, see the following in the Utilities Reference:

pf
    Packet Filter pseudo-device
pf.conf
    Configuration file for pf
pfctl
    Control the packet filter and network address translation (NAT) device

To start pf, use the pfctl utility, which issues a DIOCSTART ioctl() command. This causes pf to call pf_pfil_attach(), which runs the necessary pfil attachment routines. The key routines after this are pf_test() and pf_test6(), which are called for IPv4 and IPv6 packets respectively. These functions evaluate each incoming and outgoing packet against the loaded rules and decide whether it is passed or dropped. The packet filter hooks, and therefore the whole of pf, are disabled with the DIOCSTOP ioctl() command, usually issued with pfctl -d.

For more information about using PF, see pf-faq at ftp://ftp3.usa.openbsd.org/pub/OpenBSD/doc/ in the OpenBSD documentation. Certain portions of the document (related to packet queueing, CARP and others) don't apply to our stack, but the general configuration information is relevant. This document covers both firewalling and NAT configurations that you can apply using PF.
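The following pf.conf is an added example of the kind of combined firewall and NAT configuration described above; it is not taken from this page or from the QNX documentation. The interface names (en0, en1), the LAN prefix, the server address and the classic separate nat/rdr rule syntax are assumptions; adjust them to the interfaces and addresses on your own system.

```pf
# Macros: names and addresses below are assumed for this example.
ext_if = "en0"               # interface facing the outside network
int_if = "en1"               # interface facing the LAN
lan_net = "192.168.1.0/24"   # private LAN behind NAT
web_srv = "192.168.1.10"     # internal host that receives forwarded port 80
tcp_services = "{ 22, 80, 443 }"

# Normalize fragments and suspicious options before filtering.
scrub in all

# Translation rules are evaluated before filter rules.
# Masquerade LAN traffic behind the external interface's current address.
nat on $ext_if from $lan_net to any -> ($ext_if)
# Redirect inbound HTTP on the external address to the internal server.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# Filtering: default deny, log what is dropped, then open specific paths.
block in log all
pass quick on lo0 all
antispoof quick for $int_if inet

# Outbound traffic from this host and from the LAN is stateful.
pass out quick on $ext_if keep state
pass in on $int_if from $lan_net to any keep state

# Inbound services on the external interface: only new SYNs create state.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
# Traffic already redirected by the rdr rule arrives with the internal address.
pass in on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, then enable filtering with pfctl -e (which issues the DIOCSTART command mentioned above) and disable it again with pfctl -d.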