NPFCTL(8)               NetBSD System Manager's Manual               NPFCTL(8)

NAME
     npfctl -- control NPF packet filter

SYNOPSIS
     npfctl command [arguments]

DESCRIPTION
     The npfctl command can be used to control the NPF packet filter.  For a
     description of NPF's configuration file, see npf.conf(5).

     The first argument, command, specifies the action to take.  Valid
     commands are:

        start   Enable packet inspection using the currently loaded
                configuration, if any.  Note that this command does not load
                or reload the configuration, or affect existing sessions.

        stop    Disable packet inspection.  This command does not change the
                currently loaded configuration, or affect existing sessions.

        reload [path]
                Load or reload the configuration from a file.  The
                configuration file at /etc/npf.conf will be used unless a
                file is specified by path.  All sessions will be preserved
                during the reload, except those which lose their NAT policy
                because it was removed.  NAT policy is determined by the
                translation type and address.  Note that a change of filter
                criteria will not expire associated sessions.  The reload
                operation (i.e., replacing the ruleset, NAT policies and
                tables) is atomic.

        flush   Flush configuration.  That is, remove all rules, tables and
                expire all sessions.  This command does not disable packet
                inspection.

        table tid
                List all entries in the currently loaded table specified by
                tid.  Fail if tid does not exist.

        table tid <addr/mask>
                Query the table tid for a specific IPv4 CIDR, specified by
                addr/mask.  If no mask is specified, a single host is assumed.

        table tid [add | rem] <addr/mask>
                In table tid, add or remove the IPv4 CIDR specified by
                addr/mask.  If no mask is specified, a single host is
                assumed.

        sess-save
                Save all active sessions.  The data will be stored in the
                /var/db/npf_sessions.db file.  The administrator may want to
                stop packet inspection before saving sessions.

        sess-load
                Load saved sessions from the file.  Note that the original
                configuration should be loaded before the sessions are
                loaded.  In case of NAT policy changes, sessions which lose
                their associated policy will not be loaded.  Any sessions
                existing at the time of the load operation will be expired.
                The administrator may want to start packet inspection after
                the sessions are loaded.

        stats   Print various statistics.
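     The following script is an added example; it is not part of npfctl(8)
     or of the NetBSD sources.  It carries out a reconfiguration in the
     order the sess-save and sess-load descriptions above call for (stop,
     sess-save, reload, sess-load, start), checking each step so that a
     rejected configuration file leaves packet inspection running on the
     previous ruleset.  It assumes npfctl in PATH and root privileges, and
     takes the path of the new configuration file as its only argument; the
     function name and the script name in the usage comment are this
     example's own.

```shell
#!/bin/sh
# Added example, not from npfctl(8) or NetBSD: replace the running NPF
# ruleset from a new file while carrying the active sessions across.
# Assumes: npfctl(8) in PATH, root privileges, $1 = new configuration file.
# Return status: 0 on success, 1 if a step failed (inspection is left
# enabled on the previous ruleset in that case).

npf_reconfigure_keep_sessions() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }

    # 1. Pause inspection so no new sessions appear between save and load
    #    (npfctl(8) suggests stopping before sess-save).
    npfctl stop || return 1

    # 2. Snapshot the session table to /var/db/npf_sessions.db.
    if ! npfctl sess-save; then
        echo "sess-save failed; resuming on the current ruleset" >&2
        npfctl start
        return 1
    fi

    # 3. Reload is atomic: if the new file is rejected, the previous
    #    ruleset, NAT policies and tables stay in place, so resuming is safe.
    if ! npfctl reload "$conf"; then
        echo "reload of $conf failed; previous ruleset kept" >&2
        npfctl start
        return 1
    fi

    # 4. Restore the saved sessions against the new configuration.  Sessions
    #    whose NAT policy disappeared are dropped by npfctl itself; a failure
    #    here is reported but inspection is still resumed.
    npfctl sess-load || echo "sess-load failed; starting without saved sessions" >&2

    # 5. Resume inspection (npfctl(8) suggests starting after sess-load).
    npfctl start
}

# Usage: sh npf-reconfigure.sh /path/to/new/npf.conf   (script name is hypothetical)
if [ $# -eq 1 ]; then
    npf_reconfigure_keep_sessions "$1"
fi
```

     Because reload is atomic, the only state that changes before the new
     ruleset is known to be accepted is the inspection flag, and the script
     restores that flag on every failure path.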

PERFORMANCE
     Reloading the configuration is a relatively expensive operation.
     Therefore, frequent reloads should be avoided.  Use of tables should be
     considered as an alternative design.  See npf.conf(5) for details.
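     As an added example (not part of npfctl(8) or of NetBSD), the following
     script applies the advice above together with the table commands
     described earlier: it maintains the contents of an existing table with
     "npfctl table tid add" instead of reloading the configuration, and
     validates each entry of a list file as an IPv4 host or CIDR before
     handing it to npfctl, so a typo in the list cannot turn into a
     malformed invocation.  The list file format (one entry per line, '#'
     comments, blank lines), the validator and the function names are this
     example's own; it assumes npfctl in PATH, root privileges and a table
     tid already present in the loaded configuration.

```shell
#!/bin/sh
# Added example, not from npfctl(8) or NetBSD: push a list of IPv4 CIDRs
# into an NPF table with "npfctl table TID add", updating the live table
# without the full reload that the PERFORMANCE section warns against.
# Assumes: npfctl(8) in PATH, root privileges, table TID already exists.
set -f   # no pathname expansion: list lines are split with "set --" below

# Return 0 if $1 is a syntactically valid IPv4 host or CIDR (a.b.c.d[/n]).
is_ipv4_cidr() {
    addr=${1%/*}
    case $1 in
        */*) mask=${1#*/} ;;
        *)   mask=32 ;;          # no mask given: single host, as npfctl assumes
    esac
    case $mask in
        ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-numeric or leading zero
    esac
    [ "$mask" -le 32 ] || return 1
    # Only digits and dots; no leading, trailing or doubled dots.
    case $addr in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $addr                 # split into octets (function-local $@)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0[0-9]*) return 1 ;; esac   # reject 010-style octets
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Add every entry listed in file $2 to table $1.  Malformed lines are
# reported on stderr and skipped.  Returns 1 if any line was skipped or
# npfctl rejected an entry, 0 otherwise.
npf_table_load() {
    tid=$1; file=$2; failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}         # drop comments
        set -- $line             # trim surrounding whitespace into fields
        [ $# -gt 0 ] || continue # blank line
        if [ $# -ne 1 ] || ! is_ipv4_cidr "$1"; then
            printf 'skipping malformed entry: %s\n' "$line" >&2
            failed=1
            continue
        fi
        npfctl table "$tid" add "$1" || failed=1
    done < "$file"
    return "$failed"
}

# Usage: sh npf-table-load.sh TID FILE   (script name is hypothetical)
if [ $# -eq 2 ]; then
    npf_table_load "$1" "$2"
fi
```

     Replacing "add" with "rem" in npf_table_load gives the matching removal
     script; the validator is the same in both directions.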

FILES
     /dev/npf       control device
     /etc/npf.conf  default configuration file

EXAMPLES
     Starting the NPF packet filter:

           # npfctl reload
           # npfctl start

     Addition and removal of entries in the table whose ID is 2:

           # npfctl table 2 add 10.0.0.1
           # npfctl table 2 rem 182.168.0.0/24

SEE ALSO
     npf.conf(5), npf_ncode(9)

HISTORY
     NPF first appeared in NetBSD 6.0.

NetBSD 5.0                      March 24, 2011                      NetBSD 5.0