NPFCTL(8)               NetBSD System Manager's Manual               NPFCTL(8)

NAME
     npfctl -- control NPF packet filter

SYNOPSIS
     npfctl command [arguments]
DESCRIPTION
     The npfctl command can be used to control the NPF packet filter.  For a
     description of NPF's configuration file, see npf.conf(5).

     The first argument, command, specifies the action to take.  Valid com-

     start      Enable packet inspection using the currently loaded
                configuration, if any.  Note that this command does not load
                or reload the configuration, or affect existing connections.

     stop       Disable packet inspection.  This command does not change the
                currently loaded configuration, or affect existing connec-

     reload [path]
                Load or reload configuration from file.  The configuration
                file at /etc/npf.conf will be used unless a file is specified
                by path.  All connections will be preserved during the
                reload, except those which will lose NAT policy due to
                removal.  NAT policy is determined by the translation type
                and address.  Note that a change of filter criteria will not
                expire associated connections.  The reload operation (i.e.,
                replacing the ruleset, NAT policies and tables) is atomic.

     flush      Flush configuration.  That is, remove all rules, tables and
                expire all connections.  This command does not disable packet

     show       Show the current state and configuration.  Syntax of printed
                configuration is for the user and may not match the

     validate [path]
                Validate the configuration file and the processed form.  The
                configuration file at /etc/npf.conf will be used unless a
                file is specified by path.

     rule name add <rule-syntax>
                Add a rule to a dynamic ruleset specified by name.  On
                success, returns a unique identifier which can be used to
                remove the rule with the rem-id command.  The identifier is
                alphanumeric

     rule name rem <rule-syntax>
                Remove a rule from a dynamic ruleset specified by name.  This
                method uses a SHA1 hash computed on a rule to identify it.
                Although very unlikely, it is subject to hash collisions.
                For a fully reliable and more efficient method, it is
                recommended to use the rem-id command.

     rule name rem-id <id>
                Remove a rule specified by unique id from a dynamic ruleset
                specified by name.

     rule name list
                List all rules in the dynamic ruleset specified by name.

     rule name flush
                Remove all rules from the dynamic ruleset specified by name.

     table tid add <addr/mask>
                In table tid, add the IP address and optionally netmask,
                specified by <addr/mask>.  Only tree-type tables support
                masks.

     table tid rem <addr/mask>
                In table tid, remove the IP address and optionally netmask,
                specified by <addr/mask>.  Only tree-type tables support

     table tid test <addr>
                Query the table tid for a specific IP address, specified by
                addr.  If no mask is specified, a single host is assumed.

     table tid list
                List all entries in the currently loaded table specified by
                tid.  This operation is expensive and should be used with
                cau-

     save       Save the active configuration and a snapshot of the current
                connections.  The data will be stored in the /var/db/npf.db
                file.  Administrator may want to stop the packet inspection

     load       Load the saved configuration file and the connections from
                the file.  Note that any existing connections will be
                destroyed.  Administrator may want to start packet inspection
                after the

     stats      Print various statistics.

     debug      Process the configuration file, print the byte-code of each
                rule and dump the raw configuration.  This is primarily for

NOTES
     Reloading the configuration is a relatively expensive operation.
     Therefore, frequent reloads should be avoided.  Use of tables should be
     considered as an alternative design.  See npf.conf(5) for details.
FILES
     /dev/npf       control device
     /etc/npf.conf  default configuration file
EXAMPLES
     Starting the NPF packet filter:

           # npfctl reload
           # npfctl start
           # npfctl show

     Addition and removal of entries in the table whose ID is 2:

           # npfctl table 2 add 10.0.0.1
           # npfctl table 2 rem 188.8.131.52/24
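     The NOTES above recommend tables over frequent reloads.  The following
     script is an added example, not part of this manual or of NPF: it feeds
     a blocklist file into table 2 with npfctl table ... add, rejecting
     malformed lines instead of passing them to npfctl.  It assumes table ID
     2 is declared as a tree-type table in npf.conf (required for addr/mask
     entries) and that NPFCTL may be overridden to point at a stand-in
     command for a dry run.

```shell
#!/bin/sh
# Added example, not part of the npfctl(8) manual: keep a blocklist table
# current without reloading the ruleset.  Assumes table ID 2 is declared as
# a tree-type table in /etc/npf.conf (needed for addr/mask entries) and that
# NPFCTL may be pointed at a stand-in command for a dry run.

NPFCTL="${NPFCTL:-npfctl}"

# valid_entry ADDR[/MASK]: return 0 for a dotted-quad IPv4 address with an
# optional prefix length of 0-32, 1 for anything else (including anything
# that is not digits and dots, so shell metacharacters never reach npfctl).
valid_entry() {
    addr=${1%/*}
    case "$1" in
        */*) mask=${1#*/} ;;
        *)   mask=32 ;;
    esac
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    # only digits and single dots; leading, trailing or doubled dots would
    # otherwise be silently dropped by the field split below
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# sync_table TID FILE: add every entry in FILE (one per line, blank lines
# and '#' comments allowed) to table TID.  Malformed lines are reported and
# skipped so one bad entry cannot abort the update; the return value is the
# number of lines skipped.
sync_table() {
    tid=$1; file=$2; bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if valid_entry "$line"; then
            "$NPFCTL" table "$tid" add "$line"
        else
            echo "skipping malformed entry: $line" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}
```

     Running it as root with NPFCTL unset calls the real npfctl; setting
     NPFCTL to a wrapper that only echoes its arguments shows what would be
     added without touching the active table.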
SEE ALSO
     bpf(4), npf.conf(5), npf(7)

HISTORY
     NPF first appeared in NetBSD 6.0.

AUTHORS
     NPF was designed and implemented by Mindaugas Rasiukevicius.

NetBSD 7.0                      August 2, 2014                      NetBSD 7.0