usr.sbin/npf/npf-params.7

.\" $NetBSD: npf-params.7,v 1.9 2023/02/12 13:21:28 kardel Exp $
.\"
.\" Copyright (c) 2019 Mindaugas Rasiukevicius <rmind at netbsd org>
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd May 31, 2020
.Dt NPF-PARAMS 7
.Os
.Sh NAME
.Nm npf-params
.Nd tunable NPF parameters
.Sh DESCRIPTION
NPF supports a set of dynamically tunable parameters.
.Pp
All parameter values are integers and should generally be between
zero and
.Dv INT_MAX ,
unless specified otherwise.
Some parameters values can be negative; such values would typically
have a special meaning.
Enable/disable switches should be represented as boolean values 0 ("off")
or 1 ("on").
.Sh PARAMETERS
.Bl -tag -width "123456"
.\" ---
.Bl -tag -width "123456"
.It Li bpf.jit
BPF just-in-time compilation: enables or disables
.Xr bpfjit 4
support.
Some machine architectures are not presently supported by
.Xr bpfjit 4 .
Setting this parameter to off stops NPF from trying to enable this
functionality, and generating a warning if it is unable to do so.
Default: 1.
.El
.\" ---
.Bl -tag -width "123456"
.It Li ip4.reassembly
Perform IPv4 reassembly before inspecting the packet.
Fragmentation is considered very harmful, so most networks are expected
to prevent it; reassembly is enabled by default.
However, while the packet should generally be reassembled at the receiver,
reassembly by the packet filter may be necessary in order to perform state
tracking.
Default: 1.
.It Li ip6.reassembly
Perform IPv6 reassembly before inspecting the packet.
Discouraged in general but not prohibited by RFC 8200.
Default: 0.
.El
.\" ---
.Bl -tag -width "123456"
.It Li gc.step
Number of connection state items to process in one garbage collection
(G/C) cycle.
Must be positive number.
Default: 256.
.It Li gc.interval_min
The lower bound for the sleep time of the G/C worker.
The worker is self-tuning and will wake up more frequently if there are
connections to expire; it will wake up less frequently, diverging towards
the upper bound, if it does not encounter expired connections.
Default: 50 (in milliseconds).
.It Li gc.interval_max
The upper bound for the sleep time of the G/C worker.
Default: 5000 (in milliseconds).
.El
.\" ---
.It Li state.key
The connection state is uniquely identified by an n-tuple.
The state behavior can be controlled by including (excluding)
some of the information in (from) the keys.
.Bl -tag -width "123456"
.It Li interface
Include interface identifier into the keys, making the connection
state strictly per-interface.
Default: 1.
.It Li direction
Include packet direction into the keys.
Default: 1.
.El
.\" ---
.It Li state.generic
Generic state tracking parameters for non-TCP flows.
All timeouts are in seconds and must be zero or positive.
.Bl -tag -width "123456"
.It Li timeout.new
Timeout for new ("unsynchronized") state.
Default: 30.
.It Li timeout.established
Timeout for established ("synchronized") state.
Default: 60.
.It Li timeout.closed
Timeout for closed state.
Default: 0.
.El
.\" ---
.It Li state.tcp
State tracking parameters for TCP connections.
All timeout values are in seconds.
.Bl -tag -width "123456"
.It Li max_ack_win
Maximum allowed ACK window.
Default: 66000.
.It Li strict_order_rst
Enforce strict order RST.
Default: 1.
.\" -
.It Li timeout.new
Timeout for a new connection in "unsynchronized" state.
Default: 30.
.It Li timeout.established
Timeout for an established connection ("synchronized" state).
Default: 86400.
.It Li timeout.half_close
Timeout for the half-close TCP states.
Default: 3600.
.It Li timeout.close
Timeout for the full close TCP states.
Default: 10.
.It Li timeout.time_wait
Timeout for the TCP time-wait state.
Default: 240.
.El
.\" ---
.It Li portmap.min_port
Lower bound of the port range used when selecting the port
for dynamic NAT with port translation enabled.
Default: 1024 (inclusive; also the lowest allowed value).
.It Li portmap.max_port
Upper bound of the port range as described above.
Default: 49151 (inclusive; 65535 is the highest allowed value).
.\" ---
.El
.\" -----
.Sh EXAMPLES
An example line in the
.Xr npf.conf 5
configuration file:
.Bd -literal -offset indent
set state.tcp.strict_order_rst on       # "on" can be used instead of 1
set state.tcp.timeout.time_wait 0       # destroy the state immediately
.Ed
.\" -----
.Sh SEE ALSO
.Xr libnpf 3 ,
.Xr npfkern 3 ,
.Xr bpfjit 4 ,
.Xr npf.conf 5 ,
.Xr pcap-filter 7 ,
.Xr npfctl 8
.\" -----
.Sh AUTHORS
NPF
was designed and implemented by
.An Mindaugas Rasiukevicius .