NPF-PARAMS(7) NetBSD Miscellaneous Information Manual NPF-PARAMS(7)
NAME
     npf-params -- tunable NPF parameters

DESCRIPTION
     NPF supports a set of dynamically tunable parameters.

     All parameter values are integers and should generally be between zero
     and INT_MAX, unless specified otherwise.  Some parameter values can be
     negative; such values typically have a special meaning.  Enable/disable
     switches are represented as boolean values 0 ("off") or 1 ("on").

     The following parameters are available:

     bpf.jit
             BPF just-in-time compilation: enables or disables bpfjit(4)
             support.  Some machine architectures are not presently supported
             by bpfjit(4).  Setting this parameter to off stops NPF from
             trying to enable this functionality, and from generating a
             warning if it is unable to do so.  Default: 1.

     ip4.reassembly
             Perform IPv4 reassembly before inspecting the packet.
             Fragmentation is considered very harmful, so most networks are
             expected to prevent it; therefore, reassembly is disabled by
             default.  However, while the packet should generally be
             reassembled at the receiver, reassembly by the packet filter
             might be necessary in order to perform state tracking.
             Default: 0.

     ip6.reassembly
             Perform IPv6 reassembly before inspecting the packet.
             Discouraged in general but not prohibited by RFC 8200.
             Default: 0.

     gc.step
             Number of connection state items to process in one garbage
             collection (G/C) cycle.  Must be a positive number.
             Default: 256.

     gc.interval_min
             The lower bound for the sleep time of the G/C worker.  The
             worker is self-tuning and will wake up more frequently if there
             are connections to expire; it will wake up less frequently,
             diverging towards the upper bound, if it does not encounter
             expired connections.  Default: 50 (in milliseconds).

     gc.interval_max
             The upper bound for the sleep time of the G/C worker.
             Default: 5000 (in milliseconds).

     state.key
             The connection state is uniquely identified by an n-tuple.  The
             state behavior can be controlled by including (excluding) some
             of the information in (from) the keys.

             state.key.interface
                     Include the interface identifier in the keys, making
                     the connection state strictly per-interface.
                     Default: 1.

             state.key.direction
                     Include the packet direction in the keys.  Default: 1.

     state.generic
             Generic state tracking parameters for non-TCP flows.  All
             timeouts are in seconds and must be zero or positive.

             state.generic.timeout.new
                     Timeout for new ("unsynchronized") state.  Default: 30.

             state.generic.timeout.established
                     Timeout for established ("synchronized") state.
                     Default:

             state.generic.timeout.closed
                     Timeout for closed state.  Default: 0.

     state.tcp
             State tracking parameters for TCP connections.  All timeout
             values are in seconds.

             state.tcp.max_ack_win
                     Maximum allowed ACK window.  Default: 66000.

             state.tcp.strict_order_rst
                     Enforce strict ordering of RST segments.  Default: 1.

             state.tcp.timeout.new
                     Timeout for a new connection in "unsynchronized" state.

             state.tcp.timeout.established
                     Timeout for an established connection ("synchronized"
                     state).  Default: 86400.

             state.tcp.timeout.half_close
                     Timeout for the half-close TCP states.  Default: 3600.

             state.tcp.timeout.close
                     Timeout for the full close TCP states.  Default: 10.

             state.tcp.timeout.time_wait
                     Timeout for the TCP time-wait state.  Default: 240.

     portmap.min_port
             Lower bound of the port range used when selecting the port for
             dynamic NAT with port translation enabled.  Default: 1024
             (inclusive; also the lowest allowed value).

     portmap.max_port
             Upper bound of the port range as described above.
             Default: 49151 (inclusive; 65535 is the highest allowed value).
EXAMPLES
     Example lines in the npf.conf(5) configuration file:

           set state.tcp.strict_order_rst on   # "on" can be used instead of 1
           set state.tcp.timeout.time_wait 0   # destroy the state immediately
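     The following script is an added example and is not part of NetBSD or
     NPF.  It lints the "set <parameter> <value>" statements of an npf.conf(5)
     against the ranges documented for each parameter in npf-params(7) (on/off
     switches limited to 0 or 1, gc.step positive, timeouts zero or positive,
     the port map within 1024..65535, everything else within zero..INT_MAX)
     so that a bad value is caught before the file is loaded with npfctl(8).
     The parameter names are the ones NPF itself uses in set statements; the
     script name, the function names and the configuration file path are
     placeholders.  It goes beyond the text in one respect: it also
     cross-checks the paired bounds (portmap.min_port against
     portmap.max_port, gc.interval_min against gc.interval_max), since a
     lower bound above its upper bound can never be meaningful.

```shell
#!/bin/sh
# Pre-load lint for the "set <parameter> <value>" lines of an npf.conf(5).
# Added example, not NetBSD or NPF code: each value is checked against the
# ranges stated in npf-params(7).  Usage:  sh npf-params-lint.sh /etc/npf.conf

# in_range VALUE LO HI: succeed if VALUE is an integer with LO <= VALUE <= HI.
in_range() {
    case $1 in
        ''|-|*[!0-9-]*|?*-*) return 1 ;;   # not an integer (only a leading '-' allowed)
    esac
    [ "${#1}" -le 11 ] || return 1         # longer than any 32-bit value
    if [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then
        return 0
    fi
    return 1
}

# npf_check_params FILE: print one line per violation; return 1 if any.
npf_check_params() {
    _file=$1
    _rc=0
    # defaults from npf-params(7), used for the cross-checks at the end
    _min_port=1024  _max_port=49151
    _gc_min=50      _gc_max=5000
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}                  # strip a trailing comment
        set -- $_line                       # word-split into $1 $2 $3
        [ "${1-}" = set ] || continue       # only "set" statements are parameters
        if [ "$#" -ne 3 ]; then
            echo "malformed set statement: $_line"; _rc=1; continue
        fi
        _param=$2 _val=$3
        case $_val in on) _val=1 ;; off) _val=0 ;; esac   # accepted spellings of 1/0
        _lo=0 _hi=2147483647                # general rule: zero .. INT_MAX
        case $_param in
            bpf.jit|ip4.reassembly|ip6.reassembly|\
            state.key.interface|state.key.direction|state.tcp.strict_order_rst)
                _hi=1 ;;                    # on/off switch
            gc.step)
                _lo=1 ;;                    # must be positive
            gc.interval_min|gc.interval_max|state.tcp.max_ack_win|\
            state.generic.timeout.new|state.generic.timeout.established|\
            state.generic.timeout.closed|state.tcp.timeout.new|\
            state.tcp.timeout.established|state.tcp.timeout.half_close|\
            state.tcp.timeout.close|state.tcp.timeout.time_wait)
                ;;                          # zero or positive
            portmap.min_port|portmap.max_port)
                _lo=1024 _hi=65535 ;;       # 1024 lowest, 65535 highest allowed
            *)
                echo "$_param: not a parameter listed in npf-params(7)"; _rc=1; continue ;;
        esac
        if ! in_range "$_val" "$_lo" "$_hi"; then
            echo "$_param: value '$3' is outside $_lo..$_hi"; _rc=1; continue
        fi
        case $_param in                     # remember the paired bounds
            portmap.min_port) _min_port=$_val ;;
            portmap.max_port) _max_port=$_val ;;
            gc.interval_min)  _gc_min=$_val ;;
            gc.interval_max)  _gc_max=$_val ;;
        esac
    done < "$_file"
    if [ "$_min_port" -gt "$_max_port" ]; then
        echo "portmap.min_port ($_min_port) exceeds portmap.max_port ($_max_port)"; _rc=1
    fi
    if [ "$_gc_min" -gt "$_gc_max" ]; then
        echo "gc.interval_min ($_gc_min) exceeds gc.interval_max ($_gc_max)"; _rc=1
    fi
    return $_rc
}

# Stand-alone use: lint the file named on the command line.
if [ "$#" -eq 1 ]; then
    npf_check_params "$1"
fi
```

     A non-zero exit status means at least one set statement is malformed,
     unknown, or out of range; nothing is printed when the file is clean.
     The script looks only at set statements and is a complement to
     npfctl(8)'s own configuration checking, not a replacement for it.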
SEE ALSO
     libnpf(3), npfkern(3), bpfjit(4), npf.conf(5), pcap-filter(7), npfctl(8)
AUTHORS
     NPF was designed and implemented by Mindaugas Rasiukevicius.
NetBSD 9.1 May 31, 2020 NetBSD 9.1