179 lines
5.6 KiB
Groff
179 lines
5.6 KiB
Groff
.\" $NetBSD: npf-params.7,v 1.2.2.3 2023/03/14 17:04:51 martin Exp $
|
|
.\"
|
|
.\" Copyright (c) 2019 Mindaugas Rasiukevicius <rmind at netbsd org>
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.Dd May 31, 2020
|
|
.Dt NPF-PARAMS 7
|
|
.Os
|
|
.Sh NAME
|
|
.Nm npf-params
|
|
.Nd tunable NPF parameters
|
|
.Sh DESCRIPTION
|
|
NPF supports a set of dynamically tunable parameters.
|
|
.Pp
|
|
All parameter values are integers and should generally be between
|
|
zero and
|
|
.Dv INT_MAX ,
|
|
unless specified otherwise.
|
|
Some parameters values can be negative; such values would typically
|
|
have a special meaning.
|
|
Enable/disable switches should be represented as boolean values 0 ("off")
|
|
or 1 ("on").
|
|
.Sh PARAMETERS
|
|
.Bl -tag -width "123456"
|
|
.\" ---
|
|
.Bl -tag -width "123456"
|
|
.It Li bpf.jit
|
|
BPF just-in-time compilation: enables or disables
|
|
.Xr bpfjit 4
|
|
support.
|
|
Some machine architectures are not presently supported by
|
|
.Xr bpfjit 4 .
|
|
Setting this parameter to off stops NPF from trying to enable this
|
|
functionality, and generating a warning if it is unable to do so.
|
|
Default: 1.
|
|
.El
|
|
.\" ---
|
|
.Bl -tag -width "123456"
|
|
.It Li ip4.reassembly
|
|
Perform IPv4 reassembly before inspecting the packet.
|
|
Fragmentation is considered very harmful, so most networks are expected
|
|
to prevent it; reassembly is enabled by default.
|
|
However, while the packet should generally be reassembled at the receiver,
|
|
reassembly by the packet filter may be necessary in order to perform state
|
|
tracking.
|
|
Default: 1.
|
|
.It Li ip6.reassembly
|
|
Perform IPv6 reassembly before inspecting the packet.
|
|
Discouraged in general but not prohibited by RFC 8200.
|
|
Default: 0.
|
|
.El
|
|
.\" ---
|
|
.Bl -tag -width "123456"
|
|
.It Li gc.step
|
|
Number of connection state items to process in one garbage collection
|
|
(G/C) cycle.
|
|
Must be positive number.
|
|
Default: 256.
|
|
.It Li gc.interval_min
|
|
The lower bound for the sleep time of the G/C worker.
|
|
The worker is self-tuning and will wake up more frequently if there are
|
|
connections to expire; it will wake up less frequently, diverging towards
|
|
the upper bound, if it does not encounter expired connections.
|
|
Default: 50 (in milliseconds).
|
|
.It Li gc.interval_min
|
|
The upper bound for the sleep time of the G/C worker.
|
|
Default: 5000 (in milliseconds).
|
|
.El
|
|
.\" ---
|
|
.It Li state.key
|
|
The connection state is uniquely identified by an n-tuple.
|
|
The state behavior can be controlled by including (excluding)
|
|
some of the information in (from) the keys.
|
|
.Bl -tag -width "123456"
|
|
.It Li interface
|
|
Include interface identifier into the keys, making the connection
|
|
state strictly per-interface.
|
|
Default: 1.
|
|
.It Li direction
|
|
Include packet direction into the keys.
|
|
Default: 1.
|
|
.El
|
|
.\" ---
|
|
.It Li state.generic
|
|
Generic state tracking parameters for non-TCP flows.
|
|
All timeouts are in seconds and must be zero or positive.
|
|
.Bl -tag -width "123456"
|
|
.It Li timeout.new
|
|
Timeout for new ("unsynchronized") state.
|
|
Default: 30.
|
|
.It Li timeout.established
|
|
Timeout for established ("synchronized") state.
|
|
Default: 60.
|
|
.It Li timeout.closed
|
|
Timeout for closed state.
|
|
Default: 0.
|
|
.El
|
|
.\" ---
|
|
.It Li state.tcp
|
|
State tracking parameters for TCP connections.
|
|
All timeout values are in seconds.
|
|
.Bl -tag -width "123456"
|
|
.It Li max_ack_win
|
|
Maximum allowed ACK window.
|
|
Default: 66000.
|
|
.It Li strict_order_rst
|
|
Enforce strict order RST.
|
|
Default: 1.
|
|
.\" -
|
|
.It Li timeout.new
|
|
Timeout for a new connection in "unsynchronized" state.
|
|
Default: 30.
|
|
.It Li timeout.established
|
|
Timeout for an established connection ("synchronized" state).
|
|
Default: 86400.
|
|
.It Li timeout.half_close
|
|
Timeout for the half-close TCP states.
|
|
Default: 3600.
|
|
.It Li timeout.close
|
|
Timeout for the full close TCP states.
|
|
Default: 10.
|
|
.It Li timeout.time_wait
|
|
Timeout for the TCP time-wait state.
|
|
Default: 240.
|
|
.El
|
|
.\" ---
|
|
.It Li portmap.min_port
|
|
Lower bound of the port range used when selecting the port
|
|
for dynamic NAT with port translation enabled.
|
|
Default: 1024 (inclusive; also the lowest allowed value).
|
|
.It Li portmap.max_port
|
|
Upper bound of the port range as described above.
|
|
Default: 49151 (inclusive; 65535 is the highest allowed value).
|
|
.\" ---
|
|
.El
|
|
.\" -----
|
|
.Sh EXAMPLES
|
|
An example line in the
|
|
.Xr npf.conf 5
|
|
configuration file:
|
|
.Bd -literal -offset indent
|
|
set state.tcp.strict_order_rst on # "on" can be used instead of 1
|
|
set state.tcp.timeout.time_wait 0 # destroy the state immediately
|
|
.Ed
|
|
.\" -----
|
|
.Sh SEE ALSO
|
|
.Xr libnpf 3 ,
|
|
.Xr npfkern 3 ,
|
|
.Xr bpfjit 4 ,
|
|
.Xr npf.conf 5 ,
|
|
.Xr pcap-filter 7 ,
|
|
.Xr npfctl 8
|
|
.\" -----
|
|
.Sh AUTHORS
|
|
NPF
|
|
was designed and implemented by
|
|
.An Mindaugas Rasiukevicius .
|