NAME
npfctl —
control NPF packet
filter
SYNOPSIS
npfctl |
command
[arguments] |
DESCRIPTION
The
npfctl command can be used to control the NPF packet
filter. For a description of NPF's configuration file, see
npf.conf(5).
The first argument,
command, specifies the action to take.
Valid commands are:
-
-
- start
- Enable packet inspection using the currently loaded
configuration, if any. Note that this command does not load or reload the
configuration, or affect existing connections.
-
-
- stop
- Disable packet inspection. This command does not change the
currently loaded configuration, or affect existing connections.
-
-
- reload
[path]
- Load or reload configuration from file. The configuration
file at /etc/npf.conf will be used unless a file is
specified by path. All connections will be preserved
during the reload, except those which will lose NAT policy due to removal.
NAT policy is determined by the translation type and address. Note that
change of filter criteria will not expire associated connections. The
reload operation (i.e., replacing the ruleset, NAT policies and tables) is
atomic.
-
-
- flush
- Flush configuration. That is, remove all rules, tables and
expire all connections. This command does not disable packet
inspection.
-
-
- show
- Show the current state and configuration. Syntax of printed
configuration is for the user and may not match the
npf.conf(5) syntax.
-
-
- validate
[path]
- Validate the configuration file and the processed form. The
configuration file at /etc/npf.conf will be used unless
a file is specified by path.
-
-
- rule
name add
⟨rule-syntax⟩
- Add a rule to a dynamic ruleset specified by
name. On success, returns a unique identifier which
can be used to remove the rule with rem-id command. The
identifier is alphanumeric string.
-
-
- rule
name rem
⟨rule-syntax⟩
- Remove a rule from a dynamic ruleset specified by
name. This method uses SHA1 hash computed on a rule
to identify it. Although very unlikely, it is subject to hash collisions.
For a fully reliable and more efficient method, it is recommended to use
rem-id command.
-
-
- rule
name rem-id ⟨id⟩
- Remove a rule specified by unique id
from a dynamic ruleset specified by name.
-
-
- rule
name list
- List all rules in the dynamic ruleset specified by
name.
-
-
- rule
name flush
- Remove all rules from the dynamic ruleset specified by
name.
-
-
- table
tid add
⟨addr/mask⟩
- In table tid, add the IP address and
optionally netmask, specified by
⟨addr/mask⟩. Only tree-type tables
support masks.
-
-
- table
tid rem
⟨addr/mask⟩
- In table tid, remove the IP address
and optionally netmask, specified by
⟨addr/mask⟩. Only tree-type tables
support masks.
-
-
- table
tid test
⟨addr⟩
- Query the table tid for a specific IP
address, specified by addr. If no mask is specified,
a single host is assumed.
-
-
- table
tid list
- List all entries in the currently loaded table specified by
tid. This operation is expensive and should be used
with caution.
-
-
- save
- Save the active configuration and a snapshot of the current
connections. The data will be stored in the
/var/db/npf.db file. Administrator may want to stop the
packet inspection before saving.
-
-
- load
- Load the saved configuration file and the connections from
the file. Note that any existing connections will be destroyed.
Administrator may want to start packet inspection after the load.
-
-
- stats
- Print various statistics.
-
-
- debug
- Process the configuration file, print the byte-code of each
rule and dump the raw configuration. This is primarily for developer
use.
-
-
- list
[-46hNnw]
[-i
ifname]
- Display a list of tracked connections:
- -4
- Display only IPv4 connections.
- -6
- Display only IPv6 connections.
- -h
- Don't display a header.
- -N
- Try to resolve addresses.
- -n
- Only show NAT connections.
- -w
- Don't restrict display width.
- -i
ifname
- Display only connections through the named
interface.
Reloading the configuration is a relatively expensive operation. Therefore,
frequent reloads should be avoided. Use of tables should be considered as an
alternative design. See
npf.conf(5) for details.
FILES
- /dev/npf
- control device
- /etc/npf.conf
- default configuration file
EXAMPLES
Starting the NPF packet filter:
# npfctl reload
# npfctl start
# npfctl show
Addition and removal of entries in the table whose ID is 2:
# npfctl table 2 add 10.0.0.1
# npfctl table 2 rem 182.168.0.0/24
SEE ALSO
bpf(4),
npf.conf(5),
npf(7),
npfd(8)
HISTORY
NPF first appeared in
NetBSD 6.0.
AUTHORS
NPF was designed and implemented by
Mindaugas
Rasiukevicius.