pfconfig(8c)
Name
pfconfig - configure packet filter parameters
Syntax
/usr/etc/pfconfig [ +/-p[romisc] ] [ +/-c[opyall] ] [ -b[acklog] nnn ]
[ -a[ll] ] [interface-name ...]
Description
The pfconfig command allows the system manager to configure certain parameters
of the packet filter driver (see These parameters are configured sepa‐
rately for each interface; the interfaces are specified by name on the
command line (for example, and If more than one interface is specified,
they are all given the same settings. Alternatively, you can specify
-all to configure all the packet-filter interfaces on the system.
You can set the following parameters with pfconfig:
+promisc Allows packet filter users to set the interface into promis‐
cuous mode (receives all packets). Whenever there is at
least one packet filter descriptor open with the ENPROMISC
mode bit set, the interface is put into promiscuous mode.
When no such descriptors are in use, the interface is
returned to normal mode.
-promisc The interface is no longer put into promiscuous mode on
behalf of packet filter users; if the interface is in promis‐
cuous mode when this command is given, it is returned to nor‐
mal mode. (The superuser may use to control promiscuous
mode, overriding the mode set by non-superusers. This is the
default setting.)
+copyall Allows packet filter users to set the interface into copy-all
mode (receives packets sent/received by the kernel-resident
protocol software [for example, IP, ARP, DECnet, LAT] on this
host). Whenever there is at least one packet filter descrip‐
tor open with the ENCOPYALL mode bit set, the interface is
put into copy-all mode. When no such descriptors are in use,
the interface is returned to normal mode.
-copyall The interface is no longer put into copy-all mode on behalf
of packet filter users; if the interface is in copy-all mode
when this command is given, it is returned to normal mode.
(The superuser may use to control copy-all mode, overriding
the mode set by non-superusers. This is the default set‐
ting.)
-backlog nnn
Sets the maximum backlog (packet filter input queue length)
for non-superuser descriptors to the specified number. When
a descriptor is opened, it is given a queue length limit of
two. An application can increase this backlog using the EIOC‐
SETW ioctl request. Superusers are allowed to increase their
backlog up to a system-wide maximum; non-superusers are
allowed to increase their backlog only up to the maximum set
by this program. Note that allowing too large a backlog may
result in vast amounts of kernel memory being tied up in the
packet filter driver queues.
If no configuration parameters are specified, the command displays the
current packet filter configuration for the network interface(s).
Only the superuser may use this command to change the configuration.
Examples
On a system used for network monitoring, one might put this line into
/usr/etc/pfconfig -a +promisc -backlog 64
This allows users to run promiscuous network monitoring applications,
with a maximum input queue length per application of 64 packets, on any
interface in the system.
/usr/etc/pfconfig -a +promisc +copyall -backlog 64
This allows promiscuous network monitoring applications to monitor com‐
munications to or from the local host, as well as the rest of the local
network.
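Added example, not part of the original manual page: a Python audit that parses pfconfig command lines as given in the Syntax section, applies them in order, and reports which interfaces end up permitting promiscuous or copy-all use by packet filter users. Assumptions: any prefix of an option name is accepted, the backlog threshold of 32 is arbitrary, and the function names and the interface names xx0 and xx1 are made up for the example.

```python
import shlex

# Option names from the Syntax section; assumption: any prefix is accepted.
NAMES = ("promisc", "copyall", "backlog", "all")

def parse(line):
    """Return (settings, interfaces) for a pfconfig command line, else None."""
    args = shlex.split(line, comments=True)
    if not args or args[0].rsplit("/", 1)[-1] != "pfconfig":
        return None
    settings, ifaces, it = {}, [], iter(args[1:])
    for arg in it:
        sign, word = arg[:1], arg[1:]
        name = next((n for n in NAMES if word and n.startswith(word)), None)
        if sign not in ("+", "-"):
            ifaces.append(arg)                   # interface name
        elif name in ("promisc", "copyall"):
            settings[name] = sign == "+"
        elif sign == "-" and name == "backlog":
            settings["backlog"] = int(next(it, ""))
        elif sign == "-" and name == "all":
            ifaces.append("*")                   # every packet-filter interface
        else:
            raise ValueError(f"unknown option {arg!r}")
    return settings, ifaces

def effective(text):
    """Apply lines in order; -promisc/-copyall are the page's stated defaults."""
    state = {"*": {"promisc": False, "copyall": False, "backlog": None}}
    for line in text.splitlines():
        settings, ifaces = parse(line) or ({}, [])
        for name in ifaces if settings else []:  # no settings = display only
            for t in (list(state) if name == "*" else [name]):
                state.setdefault(t, dict(state["*"])).update(settings)
    return state

def flagged(text, backlog_limit=32):
    """List interfaces allowing promiscuous/copy-all use or a large backlog."""
    out = []
    for iface, s in sorted(effective(text).items()):
        flags = [k for k in ("promisc", "copyall") if s[k]]
        if (s["backlog"] or 0) > backlog_limit:
            flags.append(f"backlog={s['backlog']}")
        out += [(iface, flags)] if flags else []
    return out

# Constructed startup lines; xx0 and xx1 are placeholder interface names.
SAMPLE = """/usr/etc/pfconfig -a +p -b 64
/usr/etc/pfconfig -promisc -backlog 8 xx1
/usr/etc/pfconfig +copyall xx0"""
```

In the result, the "*" entry stands for interfaces covered only by -all; calling flagged(SAMPLE) reports "*" and xx0 but not xx1, whose later line withdrew promiscuous permission and lowered the backlog.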
Diagnostics
Messages indicating that the specified interface does not exist; that an
attempt was made to set a maximum backlog less than 1 or greater than the
system-wide maximum; or that the user tried to alter an interface's
configuration but is not privileged.
See Also
netstat(1), intro(4n), packetfilter(4), ifconfig(8c), rc(8)