NPFCTL(8)                 NetBSD System Manager's Manual                NPFCTL(8)
NAME
npfctl — control NPF packet filter
SYNOPSIS
    npfctl command [arguments]
DESCRIPTION
The npfctl command can be used to control the NPF packet filter. For a description of NPF's configuration file, see npf.conf(5).
The first argument, command, specifies the action to take. Valid commands are:
start
    Enable packet inspection using the currently loaded configuration, if any.
    This command does not load or reload the configuration and does not affect
    existing sessions.

stop
    Disable packet inspection. This command does not change the currently
    loaded configuration and does not affect existing sessions.

reload [path]
    Load or reload the configuration from a file. /etc/npf.conf is used unless
    a file is specified by path. All sessions are preserved across the reload
    except those whose NAT policy is removed; a NAT policy is identified by its
    translation type and address. A change of filter criteria does not expire
    the sessions established under the old rules, so a session permitted by the
    previous ruleset keeps passing traffic after a more restrictive ruleset is
    loaded; if such sessions must be dropped, flush first (which also removes
    the current rules and tables) and then reload. The reload operation
    (replacing the ruleset, NAT policies and tables) is atomic.

flush
    Flush the configuration: remove all rules and tables and expire all
    sessions. This command does not disable packet inspection.

table tid
    List all entries in the currently loaded table specified by tid. Fails if
    tid does not exist.

table tid <addr/mask>
    Query the table tid for a specific IPv4 CIDR, specified by addr/mask. If no
    mask is specified, a single host is assumed.

table tid [add | rem] <addr/mask>
    In table tid, add or remove the IPv4 CIDR specified by addr/mask.

sess-save
    Save all active sessions. The data is stored in the file
    /var/db/npf_sessions.db. The administrator may want to stop packet
    inspection before saving the sessions.

sess-load
    Load saved sessions from the file. The original configuration should be
    loaded before the sessions are loaded; if NAT policies have changed,
    sessions that lose their associated policy are not loaded. Any sessions
    existing at the time of the load are expired. The administrator may want
    to start packet inspection after loading the sessions.

stats
    Print various statistics.
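Putting a new configuration in place with the sessions preserved, and the alternative for when sessions established under the old rules must not survive, as an added worked example that is not part of this manual page or of NPF itself. It only sequences the commands documented above in the order the manual describes; the NPFCTL variable, the function names and the stub-friendly structure are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the npfctl(8) manual or from NPF: two ways to
# put a new configuration in place, following the command ordering the manual
# describes. NPFCTL can be pointed at a stub to exercise the sequencing on a
# host without NPF; by default it is the real tool.
NPFCTL=${NPFCTL:-npfctl}

# Run one npfctl command; on failure say which one so the operator knows how
# far the sequence got.
npf_run() {
    "$NPFCTL" "$@" || { echo "npfctl $* failed" >&2; return 1; }
}

# npf_reload_preserving_sessions [CONFIG]
# stop -> sess-save -> reload [CONFIG] -> sess-load -> start, i.e. the order
# the manual suggests. Sessions that lose their NAT policy under the new
# configuration are dropped by sess-load; everything else survives.
# If a step fails, inspection is started again before returning so the host
# is not left with the filter disabled.
npf_reload_preserving_sessions() {
    npf_run stop || return 1
    if ! npf_run sess-save; then
        npf_run start
        return 1
    fi
    # reload is atomic: on failure the previous configuration stays loaded,
    # so restore the sessions just saved and resume inspection under it
    if ! npf_run reload ${1:+"$1"}; then
        npf_run sess-load
        npf_run start
        return 1
    fi
    npf_run sess-load || { npf_run start; return 1; }
    npf_run start
}

# npf_reload_dropping_sessions [CONFIG]
# Use this when the filter rules were tightened: reload alone keeps sessions
# that matched the old rules alive, so flush first to expire them all, then
# reload. Between the two commands no rules are loaded; keep the window short.
npf_reload_dropping_sessions() {
    npf_run flush || return 1
    npf_run reload ${1:+"$1"}
}
```

From a maintenance script that sources these functions, npf_reload_preserving_sessions /etc/npf.conf is the routine path and npf_reload_dropping_sessions the one to use after removing a permit rule.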
PERFORMANCE
Reloading the configuration is a relatively expensive operation, so frequent reloads should be avoided. Where the set of addresses changes often, keep those addresses in a table instead and change them with the table command, which does not require a reload. See npf.conf(5) for details.
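Keeping a table in step with a list of addresses by applying only the differences, as an added example that is not part of this manual page or of NPF. Because the manual does not specify the listing format, it assumes that npfctl table tid prints one entry per line and that entries compare as plain strings (so write hosts in the file the same way NPF lists them); the NPFCTL variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the npfctl(8) manual or from NPF: keep one NPF
# table in sync with a file of desired IPv4 CIDRs by issuing only the
# "table tid add" / "table tid rem" calls that differ, instead of reloading
# the configuration (see PERFORMANCE).
# Assumptions (not stated by the manual): "npfctl table tid" prints one entry
# per line, and entries are compared as literal strings. NPFCTL can point at
# a stub for testing on a host without NPF.
NPFCTL=${NPFCTL:-npfctl}

# npf_table_plan DESIRED_FILE CURRENT_FILE
# Prints "add CIDR" for entries only in DESIRED_FILE and "rem CIDR" for
# entries only in CURRENT_FILE, sorted. Blank lines and '#' comments are
# ignored, and anything not shaped like an IPv4 address or CIDR is rejected
# before it can be handed to npfctl.
npf_table_plan() {
    awk '
        NF == 0 || /^[ \t]*#/ { next }
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ {
            printf "skipping malformed entry: %s\n", $1 > "/dev/stderr"
            next
        }
        FILENAME == ARGV[1] { want[$1] = 1; next }
        { have[$1] = 1 }
        END {
            for (e in want) if (!(e in have)) print "add", e
            for (e in have) if (!(e in want)) print "rem", e
        }' "$1" "$2" | sort
}

# npf_table_sync TID DESIRED_FILE
# Lists the live table, computes the difference and applies it entry by
# entry. A failed add/rem is reported but the remaining changes still go in;
# the return status is non-zero if anything failed.
npf_table_sync() {
    tid=$1 desired=$2
    current=$(mktemp) || return 1
    plan=$(mktemp) || { rm -f "$current"; return 1; }
    status=0
    if "$NPFCTL" table "$tid" > "$current"; then
        npf_table_plan "$desired" "$current" > "$plan"
        # redirect rather than pipe so the loop runs in this shell
        while read -r op cidr; do
            "$NPFCTL" table "$tid" "$op" "$cidr" ||
                { echo "npfctl table $tid $op $cidr failed" >&2; status=1; }
        done < "$plan"
    else
        echo "npfctl table $tid failed (does table $tid exist?)" >&2
        status=1
    fi
    rm -f "$current" "$plan"
    return $status
}
```

A script sourcing these functions would call, for instance, npf_table_sync 2 /etc/npf-blocklist.txt (the file path is hypothetical); because each add and rem is applied individually, a list of several thousand entries still changes only the few lines that differ between runs.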
FILES
/dev/npf
    control device

/etc/npf.conf
    default configuration file

/var/db/npf_sessions.db
    saved sessions (see sess-save and sess-load)
EXAMPLES
Starting the NPF packet filter:

    # npfctl reload
    # npfctl start

Addition and removal of entries in the table whose ID is 2:

    # npfctl table 2 add 10.0.0.1
    # npfctl table 2 rem 192.168.0.0/24
HISTORY
NPF first appeared in NetBSD 6.0.