1.\" $NetBSD: npfctl.8,v 1.6 2011/03/24 05:48:54 jruoho Exp $ 2.\" 3.\" Copyright (c) 2009-2011 The NetBSD Foundation, Inc. 4.\" All rights reserved. 5.\" 6.\" This material is based upon work partially supported by The 7.\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 19.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 20.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 21.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 22.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 23.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 24.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 25.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 26.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 27.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 28.\" POSSIBILITY OF SUCH DAMAGE. 29.\" 30.Dd March 24, 2011 31.Dt NPFCTL 8 32.Os 33.Sh NAME 34.Nm npfctl 35.Nd control NPF packet filter 36.Sh SYNOPSIS 37.Nm npfctl 38.Ar command 39.Op Ar arguments 40.\" ----- 41.Sh DESCRIPTION 42The 43.Nm 44command can be used to control the NPF packet filter. 45For a description of NPF's configuration file, see 46.Xr npf.conf 5 . 
.Pp
The first argument,
.Ar command ,
specifies the action to take.
Valid commands are:
.Bl -tag -width reload -offset 3n
.It Ic start
Enable packet inspection using the currently loaded configuration, if any.
Note that this command does not load or reload the configuration,
or affect existing sessions.
.It Ic stop
Disable packet inspection.
While inspection is disabled, traffic is not filtered.
This command does not change the currently loaded configuration,
or affect existing sessions.
.It Ic reload Op Ar path
Load or reload the configuration from a file.
The configuration file at
.Pa /etc/npf.conf
will be used unless a file is specified by
.Ar path .
All sessions will be preserved during the reload, except those whose
NAT policy is removed.
NAT policy is determined by the translation type and address.
Note that a change of filter criteria will not expire the sessions
associated with the old rules; those sessions survive the reload
(the
.Ic flush
command expires all sessions).
The reload operation (i.e., replacing the ruleset, NAT policies and tables)
is atomic.
.It Ic flush
Flush the configuration.
That is, remove all rules and tables, and expire all sessions.
This command does not disable packet inspection.
.It Ic table Ar tid
List all entries in the currently loaded table specified by
.Ar tid .
Fail if
.Ar tid
does not exist.
.It Ic table Ar tid Aq Ar addr/mask
Query the table
.Ar tid
for a specific IPv4 CIDR, specified by
.Ar addr/mask .
If no mask is specified, a single host is assumed.
.It Ic table Ar tid Cm add | rem Aq Ar addr/mask
In table
.Ar tid ,
add or remove the IPv4 CIDR specified by
.Aq Ar addr/mask .
.It Ic sess-save
Save all active sessions.
The data will be stored in the
.Pa /var/db/npf_sessions.db
file.
The administrator may want to stop packet inspection before saving
the sessions.
.It Ic sess-load
Load saved sessions from the file.
Note that the original configuration should be loaded before the sessions.
In the case of NAT policy changes, sessions which lose their associated policy
will not be loaded.
Any sessions existing at the time of the load operation will be expired.
The administrator may want to start packet inspection after loading
the sessions.
.It Ic stats
Print various statistics.
.El
.Sh PERFORMANCE
Reloading the configuration is a relatively expensive operation.
Therefore, frequent reloads should be avoided.
Use of tables should be considered as an alternative design.
See
.Xr npf.conf 5
for details.
.\" -----
.Sh FILES
.Bl -tag -width /var/db/npf_sessions.db -compact
.It Pa /dev/npf
control device
.It Pa /etc/npf.conf
default configuration file
.It Pa /var/db/npf_sessions.db
saved sessions, written by
.Ic sess-save
and read by
.Ic sess-load
.El
.\" -----
.Sh EXAMPLES
Starting the NPF packet filter:
.Bd -literal -offset indent
# npfctl reload
# npfctl start
.Ed
.Pp
Addition and removal of entries in the table whose ID is 2:
.Bd -literal -offset indent
# npfctl table 2 add 10.0.0.1
# npfctl table 2 rem 192.168.0.0/24
.Ed
.\" -----
.Sh SEE ALSO
.Xr npf.conf 5 ,
.Xr npf_ncode 9
.Sh HISTORY
NPF first appeared in
.Nx 6.0 .
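.Pp
The following shell script is an added example written for this page; it is not
part of
.Nm
or of NetBSD.
It builds two helpers on the commands documented above: one keeps a table in
step with a file of IPv4 CIDRs using incremental
.Ic table Cm add | rem
calls rather than a full reload (the alternative the PERFORMANCE section
recommends), and one carries sessions across a reload with
.Ic stop , sess-save , reload , sess-load
and
.Ic start
in the order the command descriptions require, while making sure the filter is
never left stopped after a failure.
Two things in it are assumptions, not taken from this page: a local state file
records what was last pushed to the table (so the listing output of
.Ic table Ar tid
is never parsed), and the
.Ev NPFCTL
variable may point at a wrapper, which is how the script can be exercised
without NPF.

```shell
#!/bin/sh
# Added example: not part of npfctl(8) or of NetBSD. Two helpers built on the
# commands the page documents:
#   sync_table           - keep one table in step with a file of IPv4 CIDRs via
#                          "table <tid> add|rem" instead of a full reload;
#   reload_with_sessions - stop / sess-save / reload / sess-load / start in the
#                          order the page requires, never leaving NPF stopped.
# Assumptions NOT taken from the page: a local state file records what was last
# pushed to the table (so "table <tid>" output is never parsed), and NPFCTL may
# point at a wrapper (used for offline testing).

NPFCTL=${NPFCTL:-npfctl}

# Print a list file one entry per line: comments and blank lines dropped,
# whitespace trimmed, sorted and de-duplicated. A missing file is empty.
normalize_list() {
    [ -f "$1" ] || return 0
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v '^$' | LC_ALL=C sort -u
}

# Accept only an IPv4 address or IPv4 CIDR; the table commands are IPv4-only.
is_ipv4_cidr() {
    case "$1" in
        */*) addr=${1%/*} prefix=${1#*/} ;;
        *)   addr=$1 prefix=32 ;;
    esac
    case "$addr" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# sync_table TID DESIRED_FILE STATE_FILE
# Additions are pushed before removals: for a blocklist this never opens a
# window in which neither the old nor the replacement entry is present.
# Entries are compared as strings, so write a host consistently as either
# a.b.c.d or a.b.c.d/32. The state file is rewritten only if every npfctl
# call succeeded; a malformed entry aborts before any call is made.
sync_table() {
    tid=$1 desired=$2 state=$3
    want=$(normalize_list "$desired")
    have=$(normalize_list "$state")
    for cidr in $want $have; do
        is_ipv4_cidr "$cidr" || { echo "sync_table: bad entry: $cidr" >&2; return 1; }
    done
    for cidr in $want; do
        printf '%s\n' "$have" | grep -qxF -- "$cidr" && continue
        "$NPFCTL" table "$tid" add "$cidr" || return 1
    done
    for cidr in $have; do
        printf '%s\n' "$want" | grep -qxF -- "$cidr" && continue
        "$NPFCTL" table "$tid" rem "$cidr" || return 1
    done
    printf '%s\n' "$want" > "$state"
}

# reload_with_sessions [CONFIG]
# "stop" leaves the host unfiltered, so "start" is always issued again before
# returning, whether or not the save/reload/load chain succeeded. The page
# describes reload as atomic; this assumes a failed reload leaves the previous
# configuration loaded, so "start" restores the old filtering.
reload_with_sessions() {
    "$NPFCTL" stop || return 1
    rc=0
    "$NPFCTL" sess-save && "$NPFCTL" reload ${1:+"$1"} && "$NPFCTL" sess-load || rc=1
    "$NPFCTL" start || rc=1
    return $rc
}

# Usage: sh npf-helpers.sh sync TID LISTFILE STATEFILE
#        sh npf-helpers.sh reload [CONFIG]
case "${1-}" in
    sync)   shift; sync_table "$@" ;;
    reload) shift; reload_with_sessions "$@" ;;
esac
```

Run as root on the NPF host with the real
.Nm
on the path; a cron job calling the
.Cm sync
form against a blocklist file pushes only the differences since the last run,
so the ruleset is never reloaded for a list change.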