NPF-PARAMS(7) NetBSD Miscellaneous Information Manual NPF-PARAMS(7)
NAME
     npf-params -- tunable NPF parameters
DESCRIPTION
     NPF supports a set of dynamically tunable parameters.

     All parameter values are integers and should generally be between zero
     and INT_MAX, unless specified otherwise.  Some parameter values can be
     negative; such values typically have a special meaning.

     Enable/disable switches are represented as boolean values 0 ("off")
     or 1 ("on").
PARAMETERS
     bpf.jit
          BPF just-in-time compilation: enables or disables bpfjit(4)
          support.  Some machine architectures are not presently supported
          by bpfjit(4).  Setting this parameter to off stops NPF from
          trying to enable this functionality and from generating a warning
          if it is unable to do so.  Default: 1.
     ip4.reassembly
          Perform IPv4 reassembly before inspecting the packet.
          Fragmentation is considered very harmful, so most networks are
          expected to prevent it; reassembly is enabled by default.
          However, while the packet should generally be reassembled at the
          receiver, reassembly by the packet filter may be necessary in
          order to perform state tracking.  Default: 1.

     ip6.reassembly
          Perform IPv6 reassembly before inspecting the packet.
          Discouraged in general but not prohibited by RFC 8200.
          Default: 0.
     gc.step
          Number of connection state items to process in one garbage
          collection (G/C) cycle.  Must be a positive number.
          Default: 256.

     gc.interval_min
          The lower bound for the sleep time of the G/C worker.  The
          worker is self-tuning and will wake up more frequently if there
          are connections to expire; it will wake up less frequently,
          diverging towards the upper bound, if it does not encounter
          expired connections.  Default: 50 (in milliseconds).

     gc.interval_max
          The upper bound for the sleep time of the G/C worker.
          Default: 5000 (in milliseconds).
     state.key
          The connection state is uniquely identified by an n-tuple.  The
          state behavior can be controlled by including (excluding) some
          of the information in (from) the keys.

          interface
               Include the interface identifier in the keys, making the
               connection state strictly per-interface.  Default: 1.

          direction
               Include the packet direction in the keys.  Default: 1.
     state.generic
          Generic state tracking parameters for non-TCP flows.  All
          timeouts are in seconds and must be zero or positive.

          timeout.new
               Timeout for new ("unsynchronized") state.  Default: 30.

          timeout.established
               Timeout for established ("synchronized") state.
               Default: 60.

          timeout.closed
               Timeout for closed state.  Default: 0.
     state.tcp
          State tracking parameters for TCP connections.  All timeout
          values are in seconds.

          max_ack_win
               Maximum allowed ACK window.  Default: 66000.

          strict_order_rst
               Enforce strict order RST.  Default: 1.

          timeout.new
               Timeout for a new connection in "unsynchronized" state.
               Default: 30.

          timeout.established
               Timeout for an established connection ("synchronized"
               state).  Default: 86400.

          timeout.half_close
               Timeout for the half-close TCP states.  Default: 3600.

          timeout.close
               Timeout for the full close TCP states.  Default: 10.

          timeout.time_wait
               Timeout for the TCP time-wait state.  Default: 240.
     portmap.min_port
          Lower bound of the port range used when selecting the port for
          dynamic NAT with port translation enabled.  Default: 1024
          (inclusive; also the lowest allowed value).

     portmap.max_port
          Upper bound of the port range as described above.
          Default: 49151 (inclusive; 65535 is the highest allowed value).
EXAMPLES
     Example lines in the npf.conf(5) configuration file:

          set state.tcp.strict_order_rst on  # "on" can be used instead of 1
          set state.tcp.timeout.time_wait 0  # destroy the state immediately
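     The following POSIX sh script is an added example, not part of NPF
     or npfctl(8): it re-checks the "set <parameter> <value>" lines of an
     npf.conf(5) fragment against the ranges documented above (booleans
     0/1 or on/off, gc.step positive, timeouts zero or positive, port
     bounds within 1024..65535) before the file is handed to a reload.
     The function names and the sample fragment are the example's own
     constructions; npfctl validate remains the authoritative syntax check.

```shell
# Added example (not part of NPF): re-check "set <param> <value>" lines in
# an npf.conf(5) fragment against the bounds documented in npf-params(7).

# Map "on"/"off" to 1/0 and accept only decimal integers; fail otherwise.
npf_norm_value() {
    case "$1" in
        on)  echo 1 ;;
        off) echo 0 ;;
        -[0-9]*|[0-9]*)
            case "${1#-}" in *[!0-9]*) return 1 ;; esac
            echo "$1" ;;
        *)   return 1 ;;
    esac
}

# Return 0 when the value is within the documented range for the parameter.
npf_check_param() {
    val=$(npf_norm_value "$2") || return 1
    case "$1" in
        bpf.jit|ip4.reassembly|ip6.reassembly|state.key.*|state.tcp.strict_order_rst)
            [ "$val" -eq 0 ] || [ "$val" -eq 1 ] ;;         # boolean switches
        gc.step)
            [ "$val" -gt 0 ] ;;                            # must be positive
        gc.interval_*|state.*.timeout.*|state.tcp.max_ack_win)
            [ "$val" -ge 0 ] ;;                            # zero or positive
        portmap.min_port|portmap.max_port)
            [ "$val" -ge 1024 ] && [ "$val" -le 65535 ] ;; # 1024/65535 are the documented extremes
        *)  return 1 ;;                                    # unknown parameter name
    esac
}

# Scan a file, report each offending "set" line on stderr, fail if any.
npf_check_file() {
    file=$1 rc=0
    while IFS= read -r line; do
        line=${line%%#*}                  # strip trailing comment
        set -- $line                      # word-split into: set name value
        [ $# -eq 3 ] && [ "$1" = set ] || continue
        npf_check_param "$2" "$3" || { echo "out of range: set $2 $3" >&2; rc=1; }
    done < "$file"
    return $rc
}

# Constructed sample: the two EXAMPLES lines plus one out-of-range port bound.
tmp=$(mktemp) && trap 'rm -f "$tmp"' EXIT
printf '%s\n' 'set state.tcp.strict_order_rst on # "on" instead of 1' \
    'set state.tcp.timeout.time_wait 0 # destroy the state immediately' \
    'set portmap.min_port 80 # below the documented minimum of 1024' > "$tmp"
npf_check_file "$tmp" && echo "all set lines in range" || echo "fragment rejected"
```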
SEE ALSO
     libnpf(3), npfkern(3), bpfjit(4), npf.conf(5), pcap-filter(7),
     npfctl(8)

AUTHORS
     NPF was designed and implemented by Mindaugas Rasiukevicius.
NetBSD 10.99 May 31, 2020 NetBSD 10.99