Open BSD packet filter
Packet Filter (from here on referred to as PF) is OpenBSD’s system for filtering TCP/IP traffic and doing Network Address Translation. PF is also capable of normalizing and conditioning TCP/IP traffic and providing bandwidth control and packet prioritization. PF has been a part of the GENERIC OpenBSD kernel since OpenBSD 3.0. Previous OpenBSD releases used a different firewall/NAT package which is no longer supported.PF was originally developed by Daniel Hartmeier and is now maintained and developed by the entire OpenBSD team. Packet filtering takes place in the kernel. A pseudo-device, /dev/pf, allows userland processes to control the behavior of the packet filter through an ioctl(2) interface. There are commands to enable and disable the filter, load rulesets, add and remove individual rules or state table entries, and retrieve statistics. The most commonly used functions are covered by pfctl(8).
Manipulations like loading a ruleset that involve more than a single ioctl(2) call require a so-called ticket, which prevents the occurrence of multiple concurrent manipulations.
Fields of ioctl(2) parameter structures that refer to packet data (like addresses and ports) are generally expected in network byte-order.
Rules and address tables are contained in so-called anchors. When servicing an ioctl(2) request, if the anchor field of the argument structure is empty, the kernel will use the default anchor (i.e., the main ruleset) in operations. Anchors are specified by name and may be nested, with components separated by ‘/’ characters, similar to how file system hierarchies are laid out. The final component of the anchor path is the anchor under which operations will be performed. Anchor names with characters after the terminating null byte are considered invalid; if used in an ioctl, EINVAL will be returned.