139 lines
4.2 KiB
Groff
139 lines
4.2 KiB
Groff
.\" $NetBSD: npf-params.7,v 1.3 2019/08/11 20:25:14 rmind Exp $
|
|
.\"
|
|
.\" Copyright (c) 2019 Mindaugas Rasiukevicius <rmind at netbsd org>
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.Dd August 3, 2019
|
|
.Dt NPF-PARAMS 7
|
|
.Os
|
|
.Sh NAME
|
|
.Nm npf-params
|
|
.Nd tunable NPF parameters
|
|
.Sh DESCRIPTION
|
|
NPF supports a set of dynamically tunable parameters.
|
|
.Pp
|
|
All parameter values are integers and should generally be between and INT_MAX,
|
|
unless specified otherwise.
|
|
Some parameters values can be negative; such values would typically
|
|
have a special meaning.
|
|
Enable/disable switches should be represented as boolean values 0 ("off")
|
|
or 1 ("on").
|
|
.Sh PARAMETERS
|
|
.Bl -tag -width "123456"
|
|
.\" ---
|
|
.Bl -tag -width "123456"
|
|
.It Li bpf.jit
|
|
BPF just-in-time compilation: enables or disables
|
|
.Xr bpfjit 4
|
|
support.
|
|
Some machine architectures are not presently supported by
|
|
.Xr bpfjit 4 .
|
|
Setting this parameter to off stops NPF from trying to enable this
|
|
functionality, and generating a warning if it is unable to do so.
|
|
Default: 1.
|
|
.El
|
|
.\" ---
|
|
.Bl -tag -width "123456"
|
|
.It Li gc.step
|
|
Number of connection state items to process in one garbage collection
|
|
(G/C) cycle.
|
|
Must be positive number.
|
|
Default: 256.
|
|
.El
|
|
.\" ---
|
|
.It Li state.generic
|
|
Generic state tracking parameters for non-TCP flows.
|
|
All timeouts are in seconds and must be zero or positive.
|
|
.Bl -tag -width "123456"
|
|
.It Li timeout.new
|
|
Timeout for new ("unsynchronized") state.
|
|
Default: 30.
|
|
.It Li timeout.established
|
|
Timeout for established ("synchronized") state.
|
|
Default: 60.
|
|
.It Li timeout.closed
|
|
Timeout for closed state.
|
|
Default: 0.
|
|
.El
|
|
.\" ---
|
|
.It Li state.tcp
|
|
State tracking parameters for TCP connections.
|
|
All timeout values are in seconds.
|
|
.Bl -tag -width "123456"
|
|
.It Li max_ack_win
|
|
Maximum allowed ACK window.
|
|
Default: 66000.
|
|
.It Li strict_order_rst
|
|
Enforce strict order RST.
|
|
Default: 1.
|
|
.\" -
|
|
.It Li timeout.new
|
|
Timeout for a new connection in "unsynchronized" state.
|
|
Default: 30.
|
|
.It Li timeout.established
|
|
Timeout for an established connection ("synchronized" state).
|
|
Default: 86400.
|
|
.It Li timeout.half_close
|
|
Timeout for the half-close TCP states.
|
|
Default: 3600.
|
|
.It Li timeout.close
|
|
Timeout for the full close TCP states.
|
|
Default: 10.
|
|
.It Li timeout.time_wait
|
|
Timeout for the TCP time-wait state.
|
|
Default: 240.
|
|
.El
|
|
.\" ---
|
|
.It Li portmap.min_port
|
|
Lower bound of the port range used when selecting the port for dynamic NAT
|
|
with port translation enabled.
|
|
Default: 1024 (also the lowest allowed value).
|
|
.It Li portmap.max_port
|
|
Upper bound of the port range as described above.
|
|
Default: 65535 (also the highest allowed value).
|
|
.\" ---
|
|
.El
|
|
.\" -----
|
|
.Sh EXAMPLES
|
|
An example line in the
|
|
.Xr npf.conf 5
|
|
configuration file:
|
|
.Bd -literal -offset indent
|
|
set state.tcp.strict_order_rst on # "on" can be used instead of 1
|
|
set state.tcp.timeout.time_wait 0 # destroy the state immediately
|
|
.Ed
|
|
.\" -----
|
|
.Sh SEE ALSO
|
|
.Xr libnpf 3 ,
|
|
.Xr npfkern 3 ,
|
|
.Xr bpfjit 4 ,
|
|
.Xr npf.conf 5 ,
|
|
.Xr pcap-filter 7 ,
|
|
.Xr npfctl 8
|
|
.\" -----
|
|
.Sh AUTHORS
|
|
NPF
|
|
was designed and implemented by
|
|
.An Mindaugas Rasiukevicius .
|