NPF(3)				   BSD Library Functions Manual 			   NPF(3)

NAME
     npf -- NPF packet filter library

LIBRARY
     library ``libnpf''

SYNOPSIS
     #include <npf.h>

     nl_config_t *
     npf_config_create(void);

     npf_config_submit(nl_config_t *ncf, int fd);

     npf_config_destroy(nl_config_t *ncf);

     npf_config_flush(int fd);

     nl_rule_t *
     npf_rule_create(char *name, uint32_t attr, u_int if_idx);

     npf_rule_setcode(nl_rule_t *rl, int type, const void *code, size_t len);

     npf_rule_setkey(nl_rule_t *rl, int type, const void *code, size_t len);

     npf_rule_exists_p(nl_config_t *ncf, const char *name);

     npf_rule_insert(nl_config_t *ncf, nl_rule_t *parent, nl_rule_t *rl);

     npf_rule_setprio(nl_rule_t *rl, pri_t pri);

     npf_rule_setproc(nl_config_t *ncf, nl_rule_t *rl, const char *name);

     npf_rule_destroy(nl_rule_t *rl);

     nl_rproc_t *
     npf_rproc_create(char *name);

     npf_rproc_exists_p(nl_config_t *ncf, const char *name);

     npf_rproc_insert(nl_config_t *ncf, nl_rproc_t *rp);

     nl_nat_t *
     npf_nat_create(int type, u_int flags, u_int if_idx, npf_addr_t *addr, int af,
	 in_port_t port);

     npf_nat_insert(nl_config_t *ncf, nl_nat_t *nt, pri_t pri);

     nl_table_t *
     npf_table_create(u_int id, int type);

     npf_table_add_entry(nl_table_t *tl, int af, in_addr_t addr, in_addr_t mask);

     npf_table_exists_p(nl_config_t *ncf, u_int tid);

     npf_table_insert(nl_config_t *ncf, nl_table_t *tl);

     npf_table_destroy(nl_table_t *tl);

DESCRIPTION
     The npf library provides an interface for building an NPF configuration consisting of
     rules, tables, rule procedures and translation (NAT) policies.  Once built, the
     configuration is submitted to the kernel through a descriptor open on the NPF device.

   Configuration interface

     npf_config_create()
	   Create an empty configuration.  All rules, procedures, policies and tables are
	   inserted into the returned object before it is submitted.

     npf_config_submit(ncf, fd)
	   Submit the configuration ncf to the kernel through the descriptor fd.

     npf_config_destroy(ncf)
	   Destroy the configuration ncf and release the memory associated with it.

     npf_config_flush(fd)
	   Flush the configuration currently loaded in the kernel, through the descriptor fd.

   Rule interface
     npf_rule_create(name, attr, if_idx)
	   Create a rule with a given name, attributes and interface.  The name may be NULL, in
	   which case the rule has no unique identifier; otherwise, rules shall not have
	   duplicate names (see npf_rule_exists_p()).  The following attributes, which may be
	   ORed together, are available:

		   The decision of this rule is "pass".  If this attribute is not specified, the
		   default decision is "block" (drop the packet).

		   Indicates that on rule match, further processing of the ruleset stops and
		   this rule is applied immediately.

		   Create a state (session) on match and track the connection, so that the
		   return stream of the connection is passed without further inspection.

		   Return a TCP RST packet when the packet is blocked.

		   Return an ICMP destination unreachable message when the packet is blocked.

		   The rule may match only incoming packets.

		   The rule may match only outgoing packets.

	   The interface is specified by if_idx, the numeric interface index returned by
	   if_nametoindex(3).  Zero indicates any interface.

     npf_rule_setcode(rl, type, code, len)
	   Assign compiled code for the rule specified by rl, used for filter criteria.  Pointer
	   to the binary code is specified by code, and size of the memory area by len.  Type of
	   the code is specified by type.  Currently, only n-code is supported and NPF_CODE_NC
	   should be passed.

     npf_rule_setkey(rl, type, key, len)
	   Assign a key for the rule specified by rl.  Binary key is specified by key, and its
	   size by len.  The size shall not exceed NPF_RULE_MAXKEYLEN.

     npf_rule_insert(ncf, parent, rl)
	   Insert the rule rl into the nested ruleset of the rule specified by parent.  If
	   parent is NULL, the rule is inserted into the main ruleset of ncf.

     npf_rule_setprio(rl, pri)
	   Set the priority of the rule.  Negative priorities are invalid.

	   The priority determines the order of the rule in the ruleset: a lower value is
	   processed earlier, a higher value later.  If multiple rules are inserted with the
	   same priority, their relative order is unspecified, so do not depend on it.

	   The special constants NPF_PRI_FIRST and NPF_PRI_LAST can be passed to indicate that
	   the rule should be placed at the beginning or at the end of priority level 0 of the
	   ruleset.  All rules inserted using these constants are assigned priority 0 and share
	   that level in the order they were inserted.  Note that "last" means last within
	   level 0: a rule inserted with NPF_PRI_LAST is still ordered before any rule whose
	   priority is 1 or higher.
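The ordering rules above, worked through as an added example; this is not code from libnpf or from this manual page. It models only the documented semantics, substitutes its own MODEL_PRI_FIRST and MODEL_PRI_LAST sentinels for NPF_PRI_FIRST and NPF_PRI_LAST (whose real values are defined in <npf.h>), and the model_* types and functions are the example's own names. The sample rule names are constructed for illustration.

```c
/*
 * Added example, not code from libnpf or this manual page: a stand-alone
 * model of the ordering npf_rule_setprio() documents, so the interaction of
 * numeric priorities with NPF_PRI_FIRST and NPF_PRI_LAST can be checked
 * without a NetBSD kernel.  The sentinels and model_* names are assumptions
 * of this example; the real constants live in <npf.h>.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PRI_FIRST (-1L)   /* assumed stand-in for NPF_PRI_FIRST */
#define MODEL_PRI_LAST  (-2L)   /* assumed stand-in for NPF_PRI_LAST  */
#define MODEL_MAX_RULES 32
#define MODEL_NAME_LEN  16

typedef struct {
	char name[MODEL_NAME_LEN];
	long pri;   /* effective priority; never negative once inserted */
	int  rank;  /* place within level 0: 0 = FIRST, 1 = plain, 2 = LAST */
	int  seq;   /* insertion order, kept only to make the model deterministic */
} model_rule_t;

typedef struct {
	model_rule_t rules[MODEL_MAX_RULES];
	int n;
} model_ruleset_t;

void model_init(model_ruleset_t *rs) { memset(rs, 0, sizeof(*rs)); }

/*
 * Insert a rule with the given priority.  Returns 0 on success and -1 when
 * the priority is negative (invalid per npf(3)) or the set is full.  The two
 * sentinels map to priority 0 at the start or the end of level 0.
 */
int model_insert(model_ruleset_t *rs, const char *name, long pri)
{
	model_rule_t *r;
	int rank = 1;

	if (rs->n >= MODEL_MAX_RULES)
		return -1;
	if (pri == MODEL_PRI_FIRST) { pri = 0; rank = 0; }
	else if (pri == MODEL_PRI_LAST) { pri = 0; rank = 2; }
	else if (pri < 0) return -1;	/* any other negative value is rejected */

	r = &rs->rules[rs->n];
	strncpy(r->name, name, MODEL_NAME_LEN - 1);
	r->name[MODEL_NAME_LEN - 1] = '\0';
	r->pri = pri;
	r->rank = rank;
	r->seq = rs->n;
	rs->n++;
	return 0;
}

static int cmp_rule(const void *a, const void *b)
{
	const model_rule_t *ra = a, *rb = b;
	if (ra->pri != rb->pri) return ra->pri < rb->pri ? -1 : 1;
	if (ra->rank != rb->rank) return ra->rank - rb->rank;
	/* Same priority and rank: npf(3) leaves this order unspecified; the
	 * model keeps insertion order purely so that results are reproducible. */
	return ra->seq - rb->seq;
}

/* Arrange the rules in the order the ruleset would be processed. */
void model_sort(model_ruleset_t *rs)
{
	qsort(rs->rules, rs->n, sizeof(rs->rules[0]), cmp_rule);
}

/* Processing position of a named rule after model_sort(), or -1 if absent. */
int model_position(const model_ruleset_t *rs, const char *name)
{
	for (int i = 0; i < rs->n; i++)
		if (strcmp(rs->rules[i].name, name) == 0) return i;
	return -1;
}

/* Constructed sample ruleset: a mix of sentinels and explicit priorities. */
void model_build_sample(model_ruleset_t *rs)
{
	model_init(rs);
	model_insert(rs, "pass-loopback", MODEL_PRI_FIRST);
	model_insert(rs, "block-default", MODEL_PRI_LAST);   /* last in level 0 only */
	model_insert(rs, "pass-web",      10);
	model_insert(rs, "pass-ssh",      5);
	model_insert(rs, "pass-dns",      0);
	model_insert(rs, "block-bogons",  MODEL_PRI_FIRST);
	model_sort(rs);
}

/* Position of a rule in the sorted sample set. */
int model_sample_position(const char *name)
{
	model_ruleset_t rs;
	model_build_sample(&rs);
	return model_position(&rs, name);
}

/* 1 if a non-sentinel negative priority is refused and the set left unchanged. */
int model_rejects_negative(void)
{
	model_ruleset_t rs;
	model_init(&rs);
	return model_insert(&rs, "bad", -7) == -1 && rs.n == 0;
}

int main(void)
{
	model_ruleset_t rs;
	model_build_sample(&rs);
	for (int i = 0; i < rs.n; i++)
		printf("%d: %-14s pri=%ld\n", i, rs.rules[i].name, rs.rules[i].pri);
	return 0;
}
```

Running it lists pass-loopback, block-bogons, pass-dns, block-default, pass-ssh, pass-web. The part worth noticing is block-default: inserted with the NPF_PRI_LAST stand-in, it ends level 0 but is still ordered before pass-ssh (priority 5) and pass-web (priority 10). A catch-all rule that must sit at the very end of the ruleset therefore needs the highest numeric priority in the set, or the rest of the ruleset has to stay in level 0.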

     npf_rule_setproc(ncf, rl, name)
	   Attach the rule procedure called name, taken from the configuration ncf, to the
	   specified rule.

     npf_rule_destroy(rl)
	   Destroy the given rule.

   Rule procedure interface
     npf_rproc_create(name)
	   Create a rule procedure with the given name.  The name must be unique among the
	   procedures of a configuration (see npf_rproc_exists_p()).

     npf_rproc_insert(ncf, rp)
	   Insert the rule procedure rp into the specified configuration.

   Translation interface
     npf_nat_create(type, flags, if_idx, addr, af, port)
	   Create a NAT translation policy of a specified type.  There are two types:

	   NPF_NATIN	     Inbound NAT policy.

	   NPF_NATOUT	     Outbound NAT policy.

	   A bi-directional NAT is obtained by combining two policies.	The following flags are
	   available:

	   NPF_NAT_PORTS     Perform port translation.  If this flag is absent, ports are not
			     translated and the port argument is ignored.

	   NPF_NAT_PORTMAP   Effective only if NPF_NAT_PORTS is also set.  Create a port map and
			     select a random port for each translation.  Without this flag, the
			     port is translated to the fixed value given by port.

	   Translation address is specified by addr, and its family by af.  Family must be either
	   AF_INET for IPv4 or AF_INET6 for IPv6 address.

     npf_nat_insert(ncf, nt, pri)
	   Insert the NAT policy nt, together with the rule that carries it, into the specified
	   configuration at priority pri.

   Table interface
     npf_table_create(id, type)
	   Create an NPF table of the specified type.  The following types are supported:

	   NPF_TABLE_HASH   Use a hash table for storage.

	   NPF_TABLE_TREE   Use a red-black tree for storage.

	   The table is identified by id, which must be in the range from 1 to
	   NPF_MAX_TABLE_ID inclusive.

     npf_table_add_entry(tl, af, addr, mask)
	   Add an entry consisting of the IP address addr and the network mask mask to the
	   table specified by tl.  The address family af must be either AF_INET for an IPv4
	   address or AF_INET6 for an IPv6 address.  Note that the prototype shown above takes
	   addr and mask as in_addr_t, a 32-bit type that can hold only an IPv4 address; check
	   the <npf.h> installed on the target system for the exact signature before adding
	   IPv6 entries.
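Preparing the (addr, mask) pair for an AF_INET entry, as an added example; this is not code from libnpf or from this manual page. It parses "address/prefix" text into the network-byte-order values the prototype above takes, refuses malformed input, and flags entries whose host bits are set (usually a typo rather than the network the operator meant). Only IPv4 is handled, matching the in_addr_t parameters in the prototype; the cidr4_* and mask4_* names, the status codes and the sample strings are this example's own.

```c
/*
 * Added example, not code from libnpf or this manual page: build the
 * (addr, mask) values for npf_table_add_entry() from "a.b.c.d/len" text.
 * IPv4 only, to match the in_addr_t parameters in the prototype.  The
 * names and status codes below are the example's own assumptions.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { CIDR4_OK = 0, CIDR4_BAD = -1, CIDR4_HOSTBITS = -2 };

/* A valid netmask has all of its one bits on the left, i.e. ~m == 2^k - 1. */
int mask4_is_contiguous(in_addr_t mask)
{
	uint32_t inv = ~ntohl(mask);
	return (inv & (inv + 1)) == 0;
}

/*
 * Parse "a.b.c.d/len" (len 0..32; "/len" may be omitted for a host entry)
 * into network-byte-order address and mask.  Returns CIDR4_OK, CIDR4_BAD
 * for unparsable input, or CIDR4_HOSTBITS when addr has bits outside mask.
 * On CIDR4_HOSTBITS the values are still stored so the caller may decide
 * to normalise with (addr & mask) instead of rejecting the entry.
 */
int cidr4_parse(const char *text, in_addr_t *addr, in_addr_t *mask)
{
	char buf[INET_ADDRSTRLEN + 4];	/* room for "255.255.255.255/32" */
	char *slash, *end;
	struct in_addr in;
	long len = 32;			/* bare address means a /32 host entry */
	uint32_t m;

	if (strlen(text) >= sizeof(buf))
		return CIDR4_BAD;
	strcpy(buf, text);
	slash = strchr(buf, '/');
	if (slash != NULL) {
		*slash = '\0';
		len = strtol(slash + 1, &end, 10);
		if (slash[1] == '\0' || *end != '\0' || len < 0 || len > 32)
			return CIDR4_BAD;
	}
	if (inet_pton(AF_INET, buf, &in) != 1)
		return CIDR4_BAD;
	m = (len == 0) ? 0 : (0xffffffffu << (32 - len));
	*addr = in.s_addr;
	*mask = htonl(m);
	if ((ntohl(in.s_addr) & ~m) != 0)
		return CIDR4_HOSTBITS;
	return CIDR4_OK;
}

/* Status only, for callers that merely validate operator input. */
int cidr4_status(const char *text)
{
	in_addr_t a, m;
	return cidr4_parse(text, &a, &m);
}

/* 1 if text parses cleanly to the given host-order address and mask. */
int cidr4_equals(const char *text, unsigned long addr_host, unsigned long mask_host)
{
	in_addr_t a, m;
	if (cidr4_parse(text, &a, &m) != CIDR4_OK)
		return 0;
	return ntohl(a) == addr_host && ntohl(m) == mask_host;
}

int main(void)
{
	/* Constructed sample entries, including two that must be refused. */
	const char *samples[] = { "10.0.0.0/8", "192.0.2.5/24", "192.0.2.5",
				  "0.0.0.0/0", "10.0.0.0/33", "10.0.0.256/8" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		in_addr_t a, m;
		int st = cidr4_parse(samples[i], &a, &m);
		printf("%-14s -> status %d addr 0x%08x mask 0x%08x\n",
		       samples[i], st, st == CIDR4_BAD ? 0 : ntohl(a),
		       st == CIDR4_BAD ? 0 : ntohl(m));
	}
	return 0;
}
```

The host-bits check is the part worth keeping: the page does not say what the kernel does with an entry such as 192.0.2.5/24, and an operator who meant 192.0.2.0/24 is better served by an error at configuration time than by an entry that silently covers something else.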

     npf_table_exists_p(ncf, tid)
	   Determine whether a table with the ID tid exists in the configuration ncf.  Return
	   true if it exists, and false otherwise.

     npf_table_insert(ncf, tl)
	   Insert the table into the set of tables of the configuration.  The routine checks
	   for a duplicate table ID.

     npf_table_destroy(tl)
	   Destroy the specified table.

SEE ALSO
     npfctl(8), npf_ncode(9)

HISTORY
     The NPF library first appeared in NetBSD 6.0.

BSD					 January 5, 2013				      BSD
