Updated: 2022/Sep/29

Please read Privacy Policy. It's for your privacy.


NPFCTL(8)                   System Manager's Manual                  NPFCTL(8)

NAME
     npfctl - control NPF packet filter

SYNOPSIS
     npfctl command [arguments]

DESCRIPTION
     The npfctl command can be used to control the NPF packet filter.  For a
     description of NPF's configuration file, see npf.conf(5).

     The first argument, command, specifies the action to take.  Valid
     commands are:

        start   Enable packet inspection using the currently loaded
                configuration, if any.  Note that this command does not load
                or reload the configuration, or affect existing connections.

        stop    Disable packet inspection.  This command does not change the
                currently loaded configuration, or affect existing
                connections.

        reload [path]
                Load or reload configuration from file.  The configuration
                file at /etc/npf.conf will be used unless a file is specified
                by path.  All connections will be preserved during the reload,
                except those which will lose NAT policy due to removal.  NAT
                policy is determined by the translation type and address.
                Note that change of filter criteria will not expire associated
                connections.  The reload operation (i.e., replacing the
                ruleset, NAT policies and tables) is atomic.

        flush   Flush configuration.  That is, remove all rules, tables and
                expire all connections.  This command does not disable packet
                inspection.

        show    Show the current state and configuration.  Syntax of printed
                configuration is for the user and may not match the
                npf.conf(5) syntax.

        validate [path]
                Validate the configuration file and the processed form.  The
                configuration file at /etc/npf.conf will be used unless a file
                is specified by path.  The path may also be set to "-" for
                reading from stdin.

        rule name add <rule-syntax>
                Add a rule to a dynamic ruleset specified by name.  On
                success, returns a unique identifier which can be used to
                remove the rule with rem-id command.  The identifier is
                alphanumeric string.

        rule name rem <rule-syntax>
                Remove a rule from a dynamic ruleset specified by name.  This
                method uses SHA1 hash computed on a rule to identify it.
                Although very unlikely, it is subject to hash collisions.  For
                a fully reliable and more efficient method, it is recommended
                to use rem-id command.

        rule name rem-id <id>
                Remove a rule specified by unique id from a dynamic ruleset
                specified by name.

        rule name list
                List all rules in the dynamic ruleset specified by name.

        rule name flush
                Remove all rules from the dynamic ruleset specified by name.

        table name add <addr/mask>
                In table name, add the IP address and optionally netmask,
                specified by <addr/mask>.  Only the tables of type "lpm"
                support masks.

        table name rem <addr/mask>
                In table name, remove the IP address and optionally netmask,
                specified by <addr/mask>.  Only the tables of type "lpm"
                support masks.

        table name test <addr>
                Query the table name for a specific IP address, specified by
                addr.  If no mask is specified, a single host is assumed.

        table name list
                List all entries in the currently loaded table specified by
                name.  This operation is expensive and should be used with
                caution.

        table name replace [-n newname] [-t type] <path>
                Replace the existing table specified by name with a new table
                built from the file specified by path.  Optionally, the new
                table will:
                   -n newname  be named newname, effectively renaming the
                               table.  If not specified, the name of the table
                               being replaced will be used.
                   -t type     be of type type; currently supported types are
                               ipset, lpm, or const.  If not specified, the
                               type of the table being replaced will be used.

        save [path]
                Save the active configuration with a snapshot of the current
                connections.  The data will be stored in the /var/db/npf.db
                file unless a file is specified by path.  Administrator may
                want to stop the packet inspection before saving.

        load    Load the saved configuration file and the connections from the
                file.  Note that any existing connections will be destroyed.
                Administrator may want to start packet inspection after the
                load.

        stats   Print various statistics.

        debug (-a | -b binary-config | -c config) [-o outfile]
                Process the active configuration (if -a is set), the given
                binary configuration (if -b is set) or the given the plain
                configuration (if -c is set).  Print the byte-code of each
                rule and the encoded configuration data.  Also, if -o is set,
                write the binary configuration data into the given file.

                This is primarily for developer use.

        list [-46hNnW] [-i ifname]
                Display a list of tracked connections:
                   -4         Display only IPv4 connections.
                   -6         Display only IPv6 connections.
                   -h         Don't display a header.
                   -N         Try to resolve addresses.
                   -n         Only show NAT connections.
                   -W         Restrict the display width.
                   -i ifname  Display only connections through the named
                              interface.

PERFORMANCE
     Reloading the configuration is a relatively expensive operation.
     Therefore, frequent reloads should be avoided.  Use of tables should be
     considered as an alternative design.  See npf.conf(5) for details.

FILES
     /dev/npf                          control device
     /etc/npf.conf                     default configuration file

EXAMPLES
     Starting the NPF packet filter:

           # npfctl reload
           # npfctl start
           # npfctl show

     Addition and removal of entries in the table whose ID is "vip":

           # npfctl table "vip" add 10.0.0.1
           # npfctl table "vip" rem 182.168.0.0/24

     Replacing the existing table which has ID "svr" with a new const table
     populated from file "/tmp/npf_vps_new", and renamed to "vps":

           # npfctl table "svr" replace -n "vps" -t const "/tmp/npf_vps_new"

SEE ALSO
     bpf(4), npf.conf(5), npf(7), npfd(8)

HISTORY
     NPF first appeared in NetBSD 6.0.

AUTHORS
     NPF was designed and implemented by Mindaugas Rasiukevicius.

NetBSD 10.99                     May 12, 2020                     NetBSD 10.99