Use 'offset indent' for the list of commands. Emphasize valid commands.
Remove PERFORMANCE (too small paragraph to warrant a section).
parent b9f2143d66
commit 761da725b5
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: npfctl.8,v 1.4 2011/01/18 20:33:45 rmind Exp $
|
||||
.\" $NetBSD: npfctl.8,v 1.5 2011/03/22 07:40:10 jruoho Exp $
|
||||
.\"
|
||||
.\" Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
|
||||
.\" All rights reserved.
|
||||
@ -27,7 +27,7 @@
|
||||
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.Dd January 18, 2011
|
||||
.Dd March 22, 2011
|
||||
.Dt NPFCTL 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -49,16 +49,16 @@ The first argument,
|
||||
.Ar command ,
|
||||
specifies the action to take.
|
||||
Valid commands are:
|
||||
.Bl -tag -width reload
|
||||
.It start
|
||||
.Bl -tag -width reload -offset 3n
|
||||
.It Ic start
|
||||
Enable packet inspection using the currently loaded configuration, if any.
|
||||
Note that this command does not load or reload the configuration,
|
||||
or affect existing sessions.
|
||||
.It stop
|
||||
.It Ic stop
|
||||
Disable packet inspection.
|
||||
This command does not change the currently loaded configuration,
|
||||
or affect existing sessions.
|
||||
.It reload Op Ar path
|
||||
.It Ic reload Op Ar path
|
||||
Load or reload configuration from file.
|
||||
The configuration file at
|
||||
.Pa /etc/npf.conf
|
||||
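Review bot: The new list line ".Bl -tag -width reload -offset 3n" uses a fixed 3n offset, while the commit message says 'offset indent'. Either use "-offset indent", the standard mdoc keyword for this, or change the message to say 3n so the log matches what was committed.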
@ -70,46 +70,45 @@ NAT policy is determined by the translation type and address.
|
||||
Note that change of filter criteria will not expire associated sessions.
|
||||
The reload operation (i.e., replacing the ruleset, NAT policies and tables)
|
||||
is atomic.
|
||||
.It flush
|
||||
.It Ic flush
|
||||
Flush configuration.
|
||||
That is, remove all rules, tables and expire all sessions.
|
||||
This command does not disable packet inspection.
|
||||
.It table Ar tid
|
||||
.It Ic table Ar tid
|
||||
List all entries in the currently loaded table specified by
|
||||
.Ar tid .
|
||||
Fail if
|
||||
.Ar tid
|
||||
does not exist.
|
||||
.It table Ar tid Aq Ar addr/mask
|
||||
.It Ic table Ar tid Aq Ar addr/mask
|
||||
Query the table
|
||||
.Ar tid
|
||||
for a specific IPv4 CIDR, specified by
|
||||
.Ar addr/mask .
|
||||
If no mask is specified, a single host is assumed.
|
||||
.It table Ar tid Ar [ add | rem ] Aq Ar addr/mask
|
||||
.It Ic table Ar tid Ar [ add | rem ] Aq Ar addr/mask
|
||||
In table
|
||||
.Ar tid ,
|
||||
add or remove the IPv4 CIDR specified by
|
||||
.Aq Ar addr/mask .
|
||||
.It sess-save
|
||||
.It Ic sess-save
|
||||
Save all active sessions.
|
||||
The data will be stored in the
|
||||
.Pa /var/db/npf_sessions.db
|
||||
file.
|
||||
Administrator may want to stop the packet inspection before the
|
||||
session saving.
|
||||
.It sess-load
|
||||
.It Ic sess-load
|
||||
Load saved sessions from the file.
|
||||
Note that original configuration should be loaded before the session loading.
|
||||
In a case of NAT policy changes, sessions which lose an associated policy
|
||||
will not be loaded.
|
||||
Any existing sessions during the load operation will be expired.
|
||||
Administrator may want to start packet inspection after the session loading.
|
||||
.It stats
|
||||
.It Ic stats
|
||||
Print various statistics.
|
||||
.El
|
||||
.\" -----
|
||||
.Sh PERFORMANCE
|
||||
.Pp
|
||||
Reloading the configuration is a relatively expensive operation.
|
||||
Therefore, frequent reloads should be avoided.
|
||||
Use of tables should be considered as an alternative design.
|
||||
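Review bot: In ".It Ic table Ar tid Ar [ add | rem ] Aq Ar addr/mask" the literal keywords add and rem are still marked up with Ar, so they render like placeholders to substitute, the same as tid and addr/mask. Since this change is about emphasizing valid commands, consider marking them as literals, for example "Cm add | rem". Separately, if the reload-cost sentences stay once the PERFORMANCE heading is gone, they would be easier to find under the reload item than after ".El".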