1.\" $NetBSD: npfctl.8,v 1.15 2013/09/20 21:30:49 wiz Exp $ 2.\" 3.\" Copyright (c) 2009-2013 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This material is based upon work partially supported by The 7.\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28.\" POSSIBILITY OF SUCH DAMAGE. 29.\" 30.Dd September 19, 2013 31.Dt NPFCTL 8 32.Os 33.Sh NAME 34.Nm npfctl 35.Nd control NPF packet filter 36.Sh SYNOPSIS 37.Nm npfctl 38.Ar command 39.Op Ar arguments 40.\" ----- 41.Sh DESCRIPTION 42The 43.Nm 44command can be used to control the NPF packet filter. 45For a description of NPF's configuration file, see 46.Xr npf.conf 5 . 47.Pp 48The first argument, 49.Ar command , 50specifies the action to take. 51Valid commands are: 52.Bl -tag -width reload -offset 3n 53.It Ic start 54Enable packet inspection using the currently loaded configuration, if any. 55Note that this command does not load or reload the configuration, 56or affect existing sessions. 57.It Ic stop 58Disable packet inspection. 59This command does not change the currently loaded configuration, 60or affect existing sessions. 61.It Ic reload Op Ar path 62Load or reload configuration from file. 63The configuration file at 64.Pa /etc/npf.conf 65will be used unless a file is specified by 66.Ar path . 67All sessions will be preserved during the reload, except those which 68will lose NAT policy due to removal. 69NAT policy is determined by the translation type and address. 70Note that change of filter criteria will not expire associated sessions. 71The reload operation (i.e., replacing the ruleset, NAT policies and tables) 72is atomic. 73.It Ic flush 74Flush configuration. 75That is, remove all rules, tables and expire all sessions. 76This command does not disable packet inspection. 77.It Ic show 78Show the current state and configuration. 79Syntax of printed configuration is for the user and may not match the 80.Xr npf.conf 5 81syntax. 82.It Ic validate Op Ar path 83Validate the configuration file and the processed form. 84The configuration file at 85.Pa /etc/npf.conf 86will be used unless a file is specified by 87.Ar path . 88.\" --- 89.It Ic rule Ar name Ic add Aq rule-syntax 90Add a rule to a dynamic ruleset specified by 91.Ar name . 92On success, returns a unique identifier which can be used to remove 93the rule with 94.Ic rem-id 95command. 96The identifier is alphanumeric string. 97.It Ic rule Ar name Ic rem Aq rule-syntax 98Remove a rule from a dynamic ruleset specified by 99.Ar name . 100This method uses SHA1 hash computed on a rule to identify it. 101Although very unlikely, it is subject to hash collisions. 102For a fully reliable and more efficient method, it is recommended to use 103.Ic rem-id 104command. 105.It Ic rule Ar name Ic rem-id Aq id 106Remove a rule specified by unique 107.Ar id 108from a dynamic ruleset specified by 109.Ar name . 110.It Ic rule Ar name Ic list 111List all rules in the dynamic ruleset specified by 112.Ar name . 113.It Ic rule Ar name Ic flush 114Remove all rules from the dynamic ruleset specified by 115.Ar name . 116.\" --- 117.It Ic table Ar tid Ic add Aq Ar addr/mask 118In table 119.Ar tid , 120add the IP address and optionally netmask, specified by 121.Aq Ar addr/mask . 122Only tree-type tables support masks. 123.It Ic table Ar tid Ic rem Aq Ar addr/mask 124In table 125.Ar tid , 126remove the IP address and optionally netmask, specified by 127.Aq Ar addr/mask . 128Only tree-type tables support masks. 129.It Ic table Ar tid Ic test Aq Ar addr 130Query the table 131.Ar tid 132for a specific IP address, specified by 133.Ar addr . 134If no mask is specified, a single host is assumed. 135.It Ic table Ar tid Ic list 136List all entries in the currently loaded table specified by 137.Ar tid . 138This operation is expensive and should be used with caution. 139.\" --- 140.It Ic sess-save 141Save all active sessions. 142The data will be stored in the 143.Pa /var/db/npf_sessions.db 144file. 145Administrator may want to stop the packet inspection before the 146session saving. 147.It Ic sess-load 148Load saved sessions from the file. 149Note that original configuration should be loaded before the session loading. 150In a case of NAT policy changes, sessions which lose an associated policy 151will not be loaded. 152Any existing sessions during the load operation will be expired. 153Administrator may want to start packet inspection after the session loading. 154.It Ic stats 155Print various statistics. 156.It Ic debug 157Process the configuration file, print the byte-code of each rule 158and dump the raw configuration. 159This is primarily for developer use. 160.El 161.Sh PERFORMANCE 162Reloading the configuration is a relatively expensive operation. 163Therefore, frequent reloads should be avoided. 164Use of tables should be considered as an alternative design. 165See 166.Xr npf.conf 5 167for details. 168.\" ----- 169.Sh FILES 170.Bl -tag -width /etc/npf.conf -compact 171.It Pa /dev/npf 172control device 173.It Pa /etc/npf.conf 174default configuration file 175.El 176.\" ----- 177.Sh EXAMPLES 178Starting the NPF packet filter: 179.Bd -literal -offset indent 180# npfctl reload 181# npfctl start 182# npfctl show 183.Ed 184.Pp 185Addition and removal of entries in the table whose ID is 2: 186.Bd -literal -offset indent 187# npfctl table 2 add 10.0.0.1 188# npfctl table 2 rem 182.168.0.0/24 189.Ed 190.\" ----- 191.Sh SEE ALSO 192.Xr bpf 4 , 193.Xr npf.conf 5 194.Sh HISTORY 195NPF first appeared in 196.Nx 6.0 . 197.Sh AUTHORS 198NPF was designed and implemented by 199.An Mindaugas Rasiukevicius . 200