npfctl(8) - NetBSD Manual Pages

Command: Section: Arch: Collection:  
NPFCTL(8)               NetBSD System Manager's Manual               NPFCTL(8)


NAME
npfctl -- control NPF packet filter
SYNOPSIS
npfctl command [arguments]
DESCRIPTION
The npfctl command can be used to control the NPF packet filter. For a description of NPF's configuration file, see npf.conf(5). The first argument, command, specifies the action to take. Valid com- mands are: start Enable packet inspection using the currently loaded configura- tion, if any. Note that this command does not load or reload the configuration, or affect existing connections. stop Disable packet inspection. This command does not change the currently loaded configuration, or affect existing connec- tions. reload [path] Load or reload configuration from file. The configuration file at /etc/npf.conf will be used unless a file is specified by path. All connections will be preserved during the reload, except those which will lose NAT policy due to removal. NAT policy is determined by the translation type and address. Note that change of filter criteria will not expire associated connections. The reload operation (i.e., replacing the rule- set, NAT policies and tables) is atomic. flush Flush configuration. That is, remove all rules, tables and expire all connections. This command does not disable packet inspection. show Show the current state and configuration. Syntax of printed configuration is for the user and may not match the npf.conf(5) syntax. validate [path] Validate the configuration file and the processed form. The configuration file at /etc/npf.conf will be used unless a file is specified by path. The path may also be set to "-" for reading from stdin. rule name add <rule-syntax> Add a rule to a dynamic ruleset specified by name. On suc- cess, returns a unique identifier which can be used to remove the rule with rem-id command. The identifier is alphanumeric string. rule name rem <rule-syntax> Remove a rule from a dynamic ruleset specified by name. This method uses SHA1 hash computed on a rule to identify it. Although very unlikely, it is subject to hash collisions. For a fully reliable and more efficient method, it is recommended to use rem-id command. rule name rem-id <id> Remove a rule specified by unique id from a dynamic ruleset specified by name. rule name list List all rules in the dynamic ruleset specified by name. rule name flush Remove all rules from the dynamic ruleset specified by name. table name add <addr/mask> In table name, add the IP address and optionally netmask, specified by <addr/mask>. Only the tables of type "lpm" sup- port masks. table name rem <addr/mask> In table name, remove the IP address and optionally netmask, specified by <addr/mask>. Only the tables of type "lpm" sup- port masks. table name test <addr> Query the table name for a specific IP address, specified by addr. If no mask is specified, a single host is assumed. table name list List all entries in the currently loaded table specified by name. This operation is expensive and should be used with caution. table name replace [-n newname] [-t type] <path> Replace the existing table specified by name with a new table built from the file specified by path. Optionally, the new table will: -n newname be named newname, effectively renaming the ta- ble. If not specified, the name of the table being replaced will be used. -t type be of type type; currently supported types are ipset, lpm, or const. If not specified, the type of the table being replaced will be used. save [path] Save the active configuration with a snapshot of the current connections. The data will be stored in the /var/db/npf.db file unless a file is specified by path. Administrator may want to stop the packet inspection before saving. load Load the saved configuration file and the connections from the file. Note that any existing connections will be destroyed. Administrator may want to start packet inspection after the load. stats Print various statistics. debug (-a | -b binary-config | -c config) [-o outfile] Process the active configuration (if -a is set), the given binary configuration (if -b is set) or the given the plain configuration (if -c is set). Print the byte-code of each rule and the encoded configuration data. Also, if -o is set, write the binary configuration data into the given file. This is primarily for developer use. list [-46hNnW] [-i ifname] Display a list of tracked connections: -4 Display only IPv4 connections. -6 Display only IPv6 connections. -h Don't display a header. -N Try to resolve addresses. -n Only show NAT connections. -W Restrict the display width. -i ifname Display only connections through the named interface.
PERFORMANCE
Reloading the configuration is a relatively expensive operation. There- fore, frequent reloads should be avoided. Use of tables should be con- sidered as an alternative design. See npf.conf(5) for details.
FILES
/dev/npf control device /etc/npf.conf default configuration file
EXAMPLES
Starting the NPF packet filter: # npfctl reload # npfctl start # npfctl show Addition and removal of entries in the table whose ID is "vip": # npfctl table "vip" add 10.0.0.1 # npfctl table "vip" rem 182.168.0.0/24 Replacing the existing table which has ID "svr" with a new const table populated from file "/tmp/npf_vps_new", and renamed to "vps": # npfctl table "svr" replace -n "vps" -t const "/tmp/npf_vps_new"
SEE ALSO
bpf(4), npf.conf(5), npf(7), npfd(8)
HISTORY
NPF first appeared in NetBSD 6.0.
AUTHORS
NPF was designed and implemented by Mindaugas Rasiukevicius. NetBSD 9.1 May 12, 2020 NetBSD 9.1
Powered by man-cgi (2024-03-20). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.