Home Man
Today's Posts

Linux & Unix Commands - Search Man Pages
Man Page or Keyword Search:
Select Section of Man Page:
Select Man Page Repository:

NetBSD 6.1.5 - man page for npfctl (netbsd section 8)

NPFCTL(8)			   BSD System Manager's Manual				NPFCTL(8)

     npfctl -- control NPF packet filter

     npfctl command [arguments]

     The npfctl command can be used to control the NPF packet filter.  For a description of NPF's
     configuration file, see npf.conf(5).

     The first argument, command, specifies the action to take.  Valid commands are:

	start	Enable packet inspection using the currently loaded configuration, if any.  Note
		that this command does not load or reload the configuration, or affect existing

	stop	Disable packet inspection.  This command does not change the currently loaded
		configuration, or affect existing sessions.

	reload [path]
		Load or reload configuration from file.  The configuration file at /etc/npf.conf
		will be used unless a file is specified by path.  All sessions will be preserved
		during the reload, except those which will lose NAT policy due to removal.  NAT
		policy is determined by the translation type and address.  Note that change of
		filter criteria will not expire associated sessions.  The reload operation (i.e.,
		replacing the ruleset, NAT policies and tables) is atomic.

	flush	Flush configuration.  That is, remove all rules, tables and expire all sessions.
		This command does not disable packet inspection.

	show	Show the current state and configuration.  Syntax of printed configuration is for
		the user and may not match the npf.conf(5) syntax.

	validate [path]
		Validate the configuration file and the processed form.  The configuration file
		at /etc/npf.conf will be used unless a file is specified by path.

	rule name add <rule-syntax>
		Add a rule to a dynamic ruleset specified by name.  On success, returns a unique
		identifier which can be used to remove the rule with rem-id command.  The identi-
		fier is alphanumeric string.

	rule name rem <rule-syntax>
		Remove a rule from a dynamic ruleset specified by name.  This method uses SHA1
		hash computed on a rule to identify it.  Although very unlikely, it is subject to
		hash collisions.  For a fully reliable and more efficient method, it is recom-
		mended to use rem-id command.

	rule name rem-id <id>
		Remove a rule specified by unique id from a dynamic ruleset specified by name.

	rule name list
		List all rules in the dynamic ruleset specified by name.

	rule name flush
		Remove all rules from the dynamic ruleset specified by name.

	table tid add <addr/mask>
		In table tid, add the IP address and optionally netmask, specified by
		<addr/mask>.  Only tree-type tables support masks.

	table tid rem <addr/mask>
		In table tid, remove the IP address and optionally netmask, specified by
		<addr/mask>.  Only tree-type tables support masks.

	table tid test <addr>
		Query the table tid for a specific IP address, specified by addr.  If no mask is
		specified, a single host is assumed.

	table tid list
		List all entries in the currently loaded table specified by tid.  This operation
		is expensive and should be used with caution.

		Save all active sessions.  The data will be stored in the /var/db/npf_sessions.db
		file.  Administrator may want to stop the packet inspection before the session

		Load saved sessions from the file.  Note that original configuration should be
		loaded before the session loading.  In a case of NAT policy changes, sessions
		which lose an associated policy will not be loaded.  Any existing sessions during
		the load operation will be expired.  Administrator may want to start packet
		inspection after the session loading.

	stats	Print various statistics.

	debug	Process the configuration file, print the n-code of each rule and dump the raw
		configuration.	This is primarily for developer use.

     Reloading the configuration is a relatively expensive operation.  Therefore, frequent
     reloads should be avoided.  Use of tables should be considered as an alternative design.
     See npf.conf(5) for details.

     /dev/npf	    control device
     /etc/npf.conf  default configuration file

     Starting the NPF packet filter:

	   # npfctl reload
	   # npfctl start
	   # npfctl show

     Addition and removal of entries in the table whose ID is 2:

	   # npfctl table 2 add
	   # npfctl table 2 rem

     npf.conf(5), npf_ncode(9)

     NPF first appeared in NetBSD 6.0.

     NPF was designed and implemented by Mindaugas Rasiukevicius.

BSD					February 16, 2013				      BSD

All times are GMT -4. The time now is 01:31 PM.

Unix & Linux Forums Content Copyrightę1993-2018. All Rights Reserved.
Show Password