Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
bd3d17d9c3
NetBSD/usr.sbin/npf/npfctl/npfctl.8
rmind 3d9a792dd8 Major NPF improvements: 
- Convert NPF connection table to thmap.  State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address.  Translation addresses can now be
  selected from a pool of addresses.  There are two selection algorithms,
  "ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf
  to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net
  translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
2019-01-19 21:19:31 +00:00

216 lines
6.6 KiB
Groff
Raw Blame History

.\" $NetBSD: npfctl.8,v 1.21 2019/01/19 21:19:32 rmind Exp $
.\"
.\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This material is based upon work partially supported by The
.\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd December 10, 2017
.Dt NPFCTL 8
.Os
.Sh NAME
.Nm npfctl
.Nd control NPF packet filter
.Sh SYNOPSIS
.Nm npfctl
.Ar command
.Op Ar arguments
.\" -----
.Sh DESCRIPTION
The
.Nm
command can be used to control the NPF packet filter.
For a description of NPF's configuration file, see
.Xr npf.conf 5 .
.Pp
The first argument,
.Ar command ,
specifies the action to take.
Valid commands are:
.Bl -tag -width reload -offset 3n
.It Ic start
Enable packet inspection using the currently loaded configuration, if any.
Note that this command does not load or reload the configuration,
or affect existing connections.
.It Ic stop
Disable packet inspection.
This command does not change the currently loaded configuration,
or affect existing connections.
.It Ic reload Op Ar path
Load or reload configuration from file.
The configuration file at
.Pa /etc/npf.conf
will be used unless a file is specified by
.Ar path .
All connections will be preserved during the reload, except those which
will lose NAT policy due to removal.
NAT policy is determined by the translation type and address.
Note that change of filter criteria will not expire associated connections.
The reload operation (i.e., replacing the ruleset, NAT policies and tables)
is atomic.
.It Ic flush
Flush configuration.
That is, remove all rules, tables and expire all connections.
This command does not disable packet inspection.
.It Ic show
Show the current state and configuration.
Syntax of printed configuration is for the user and may not match the
.Xr npf.conf 5
syntax.
.It Ic validate Op Ar path
Validate the configuration file and the processed form.
The configuration file at
.Pa /etc/npf.conf
will be used unless a file is specified by
.Ar path .
.\" ---
.It Ic rule Ar name Ic add Aq rule-syntax
Add a rule to a dynamic ruleset specified by
.Ar name .
On success, returns a unique identifier which can be used to remove
the rule with
.Ic rem-id
command.
The identifier is alphanumeric string.
.It Ic rule Ar name Ic rem Aq rule-syntax
Remove a rule from a dynamic ruleset specified by
.Ar name .
This method uses SHA1 hash computed on a rule to identify it.
Although very unlikely, it is subject to hash collisions.
For a fully reliable and more efficient method, it is recommended to use
.Ic rem-id
command.
.It Ic rule Ar name Ic rem-id Aq id
Remove a rule specified by unique
.Ar id
from a dynamic ruleset specified by
.Ar name .
.It Ic rule Ar name Ic list
List all rules in the dynamic ruleset specified by
.Ar name .
.It Ic rule Ar name Ic flush
Remove all rules from the dynamic ruleset specified by
.Ar name .
.\" ---
.It Ic table Ar tid Ic add Aq Ar addr/mask
In table
.Ar tid ,
add the IP address and optionally netmask, specified by
.Aq Ar addr/mask .
Only the tables of type "lpm" support masks.
.It Ic table Ar tid Ic rem Aq Ar addr/mask
In table
.Ar tid ,
remove the IP address and optionally netmask, specified by
.Aq Ar addr/mask .
Only the tables of type "lpm" support masks.
.It Ic table Ar tid Ic test Aq Ar addr
Query the table
.Ar tid
for a specific IP address, specified by
.Ar addr .
If no mask is specified, a single host is assumed.
.It Ic table Ar tid Ic list
List all entries in the currently loaded table specified by
.Ar tid .
This operation is expensive and should be used with caution.
.\" ---
.It Ic save
Save the active configuration and a snapshot of the current connections.
The data will be stored in the
.Pa /var/db/npf.db
file.
Administrator may want to stop the packet inspection before saving.
.It Ic load
Load the saved configuration file and the connections from the file.
Note that any existing connections will be destroyed.
Administrator may want to start packet inspection after the load.
.It Ic stats
Print various statistics.
.It Ic debug
Process the configuration file, print the byte-code of each rule
and dump the raw configuration.
This is primarily for developer use.
.It Ic list Oo Fl 46hNnw Oc Op Fl i Ar ifname
Display a list of tracked connections:
.Bl -tag -width xxxxxxxxx -compact -offset 3n
.It Fl 4
Display only IPv4 connections.
.It Fl 6
Display only IPv6 connections.
.It Fl h
Don't display a header.
.It Fl N
Try to resolve addresses.
.It Fl n
Only show NAT connections.
.It Fl w
Don't restrict display width.
.It Fl i Ar ifname
Display only connections through the named interface.
.El
.El
.Sh PERFORMANCE
Reloading the configuration is a relatively expensive operation.
Therefore, frequent reloads should be avoided.
Use of tables should be considered as an alternative design.
See
.Xr npf.conf 5
for details.
.\" -----
.Sh FILES
.Bl -tag -width /etc/npf.conf -compact
.It Pa /dev/npf
control device
.It Pa /etc/npf.conf
default configuration file
.El
.\" -----
.Sh EXAMPLES
Starting the NPF packet filter:
.Bd -literal -offset indent
# npfctl reload
# npfctl start
# npfctl show
.Ed
.Pp
Addition and removal of entries in the table whose ID is "vip":
.Bd -literal -offset indent
# npfctl table "vip" add 10.0.0.1
# npfctl table "vip" rem 182.168.0.0/24
.Ed
.\" -----
.Sh SEE ALSO
.Xr bpf 4 ,
.Xr npf.conf 5 ,
.Xr npf 7 ,
.Xr npfd 8
.Sh HISTORY
NPF first appeared in
.Nx 6.0 .
.Sh AUTHORS
NPF was designed and implemented by
.An Mindaugas Rasiukevicius .
Reference in New Issue View Git Blame Copy Permalink