NPF-PARAMS(7) NetBSD Miscellaneous Information Manual NPF-PARAMS(7)
NAME
npf-params -- tunable NPF parameters
DESCRIPTION
NPF supports a set of dynamically tunable parameters. All parameter values are integers and should generally be between zero and INT_MAX, unless specified otherwise. Some parameter values can be negative; such values typically have a special meaning. Enable/disable switches should be represented as boolean values 0 ("off") or 1 ("on").
PARAMETERS
     bpf.jit
             BPF just-in-time compilation: enables or disables bpfjit(4)
             support. Some machine architectures are not presently supported
             by bpfjit(4). Setting this parameter to off stops NPF from trying
             to enable this functionality, and from generating a warning if it
             is unable to do so. Default: 1.

     ip4.reassembly
             Perform IPv4 reassembly before inspecting the packet.
             Fragmentation is considered very harmful, so most networks are
             expected to prevent it; therefore, reassembly is disabled by
             default. However, while the packet should generally be
             reassembled at the receiver, reassembly by the packet filter
             might be necessary in order to perform state tracking.
             Default: 0.

     ip6.reassembly
             Perform IPv6 reassembly before inspecting the packet.
             Discouraged in general but not prohibited by RFC 8200.
             Default: 0.

     gc.step
             Number of connection state items to process in one garbage
             collection (G/C) cycle. Must be a positive number. Default: 256.

     gc.interval_min
             The lower bound for the sleep time of the G/C worker. The worker
             is self-tuning and will wake up more frequently if there are
             connections to expire; it will wake up less frequently, diverging
             towards the upper bound, if it does not encounter expired
             connections. Default: 50 (in milliseconds).

     gc.interval_max
             The upper bound for the sleep time of the G/C worker.
             Default: 5000 (in milliseconds).

     state.key
             The connection state is uniquely identified by an n-tuple. The
             state behavior can be controlled by including (excluding) some of
             the information in (from) the keys.

             interface
                     Include the interface identifier in the keys, making the
                     connection state strictly per-interface. Default: 1.

             direction
                     Include the packet direction in the keys. Default: 1.

     state.generic
             Generic state tracking parameters for non-TCP flows. All
             timeouts are in seconds and must be zero or positive.

             timeout.new
                     Timeout for new ("unsynchronized") state. Default: 30.

             timeout.established
                     Timeout for established ("synchronized") state.
                     Default: 60.

             timeout.closed
                     Timeout for closed state. Default: 0.

     state.tcp
             State tracking parameters for TCP connections. All timeout
             values are in seconds.

             max_ack_win
                     Maximum allowed ACK window. Default: 66000.

             strict_order_rst
                     Enforce strict order RST. Default: 1.

             timeout.new
                     Timeout for a new connection in "unsynchronized" state.
                     Default: 30.

             timeout.established
                     Timeout for an established connection ("synchronized"
                     state). Default: 86400.

             timeout.half_close
                     Timeout for the half-close TCP states. Default: 3600.

             timeout.close
                     Timeout for the full close TCP states. Default: 10.

             timeout.time_wait
                     Timeout for the TCP time-wait state. Default: 240.

     portmap.min_port
             Lower bound of the port range used when selecting the port for
             dynamic NAT with port translation enabled. Default: 1024
             (inclusive; also the lowest allowed value).

     portmap.max_port
             Upper bound of the port range as described above.
             Default: 49151 (inclusive; 65535 is the highest allowed value).
EXAMPLES
Example lines in the npf.conf(5) configuration file:

     set state.tcp.strict_order_rst on   # "on" can be used instead of 1
     set state.tcp.timeout.time_wait 0   # destroy the state immediately
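A fuller npf.conf(5) fragment, added here as an illustration and not taken from the manual page or the NPF sources, that sets every tunable described above. The values are assumptions chosen for a stateful NAT gateway; the defaults listed in PARAMETERS apply to anything left unset.

```conf
# Added example npf.conf(5) fragment (not from the manual page). The values
# below are illustrative assumptions for a stateful NAT gateway, not
# recommendations; anything not set here keeps its documented default.

# Keep bpfjit(4) enabled where the architecture supports it. Set this to off
# only on a platform where the JIT is known to be unavailable and the startup
# warning is unwanted.
set bpf.jit on

# Reassembly is off by default because fragmentation is considered harmful.
# A filter that must track state across fragmented IPv4 flows needs the whole
# datagram, so it is enabled here; IPv6 stays at its default.
set ip4.reassembly on
set ip6.reassembly off

# Garbage collection of expired connection state: process more items per
# cycle and let the self-tuning worker sleep between 20 ms and 2 s.
set gc.step 1024
set gc.interval_min 20
set gc.interval_max 2000

# Keep state strictly per interface and per direction (the defaults), so a
# flow seen on one interface cannot match state created on another.
set state.key.interface on
set state.key.direction on

# Generic (non-TCP) timeouts in seconds; each must be zero or positive.
set state.generic.timeout.new 15
set state.generic.timeout.established 60
set state.generic.timeout.closed 0

# TCP: keep strict RST ordering, keep the default ACK window, shorten the
# idle established timeout to six hours and expire time-wait after two minutes.
set state.tcp.strict_order_rst on
set state.tcp.max_ack_win 66000
set state.tcp.timeout.new 30
set state.tcp.timeout.established 21600
set state.tcp.timeout.half_close 3600
set state.tcp.timeout.close 10
set state.tcp.timeout.time_wait 120

# Port range for dynamic NAT with port translation; the lower bound may not
# go below 1024 and the upper bound may not exceed 65535.
set portmap.min_port 10000
set portmap.max_port 49151
```

Check the syntax with npfctl validate before loading the file with npfctl reload; a parameter outside its allowed range (for example portmap.min_port below 1024) is reported at that stage rather than at runtime.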
SEE ALSO
libnpf(3), npfkern(3), bpfjit(4), npf.conf(5), pcap-filter(7), npfctl(8)
AUTHORS
NPF was designed and implemented by Mindaugas Rasiukevicius.

NetBSD 9.3                        May 31, 2020                        NetBSD 9.3