3d9a792dd8
- Convert NPF connection table to thmap. State lookup is now lock-free.
- Improve connection state G/C: it is now incremental and tunable.
- Add support for dynamic NAT address. Translation addresses can now be selected from a pool of addresses. There are two selection algorithms, "ip-hash" and "round-robin" (see the man page).
- Translation address can be specified as e.g. ifaddrs(wm0) in npf.conf to dynamically choose an IP from the interface address(es).
- Add support for the NETMAP algorithm with static NAT for net-to-net translation (it is equivalent to iptables NETMAP logic).
- Convert 'ipset' tables to use thmap; the table lookup is now lock-free.
- Misc improvements, bug fixes and more unit tests.
- Bump NPF_VERSION (will also bump libnpf).
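The two NAT behaviours named in the commit message, static NETMAP net-to-net translation and dynamic translation from an address pool, illustrated as an added Python example (not NPF's own code). NETMAP keeps the host bits and swaps the prefix, so it is stateless and reversible; the ip-hash selector binds a client to one pool member while round-robin depends on a cursor. The SHA-256 hash and the helper names are assumptions for illustration; NPF's actual hash function is not reproduced.

```python
import hashlib
import ipaddress
from itertools import cycle


def netmap(addr, from_net, to_net):
    """Static NETMAP (net-to-net): swap the prefix bits of addr from
    from_net to to_net and keep the host bits unchanged.  The mapping is
    1:1 and stateless, so it reverses by swapping the two networks."""
    a = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net, strict=False)
    dst = ipaddress.ip_network(to_net, strict=False)
    if not (a.version == src.version == dst.version):
        raise ValueError("address and both networks must be one IP family")
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NETMAP needs two networks of the same prefix length")
    if a not in src:
        raise ValueError(f"{addr} is outside {from_net}")
    host_mask = (1 << (a.max_prefixlen - src.prefixlen)) - 1
    translated = int(dst.network_address) | (int(a) & host_mask)
    return str(ipaddress.ip_address(translated))


def ip_hash_select(pool, src_addr):
    """Dynamic NAT, 'ip-hash' pool selection: hash the client's source
    address to pick a translation address, so one client always maps to
    the same pool member and no per-client state is needed for the choice.
    SHA-256 is an assumed stand-in here; NPF's own hash is not reproduced."""
    digest = hashlib.sha256(ipaddress.ip_address(src_addr).packed).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def round_robin_selector(pool):
    """Dynamic NAT, 'round-robin' pool selection: hand out pool members in
    turn.  Unlike ip-hash this keeps a cursor, so the choice depends on how
    many selections happened before, not on which client is asking."""
    members = cycle(pool)
    return lambda _src_addr: next(members)
```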
99 lines
3.1 KiB
Groff
.\" $NetBSD: npf.7,v 1.6 2019/01/19 21:19:32 rmind Exp $
.\"
.\" Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This material is based upon work partially supported by The
.\" NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd December 29, 2018
.Dt NPF 7
.Os
.Sh NAME
.Nm NPF
.Nd NetBSD packet filter
.\" -----
.Sh DESCRIPTION
.Nm
is a layer 3 packet filter, supporting IPv4 and IPv6 as well as
layer 4 protocols such as TCP, UDP, and ICMP.
It was designed with a focus on high performance, scalability, and
modularity.
.\" -----
.Sh FEATURES
.Nm
offers the traditional set of features provided by packet filters.
Some key features are:
.Bl -bullet -offset indent
.It
Stateful inspection (connection tracking).
.It
Network address translation (NAT).
This includes static (stateless) and dynamic (stateful) translation,
port translation, bi-directional NAT, etc.
.It
IPv6-to-IPv6 network prefix translation (NPTv6).
.It
Tables for efficient IP sets.
.It
Application Level Gateways (e.g., to support traceroute).
.It
Use of BPF with just-in-time (JIT) compilation.
.It
Rule procedures and a framework for
.Nm
extensions.
.It
Traffic normalisation (extension).
.It
Packet logging (extension).
.El
.Pp
For a full set of features and their description, see the
.Nm
documentation website and other manual pages.
.\" -----
.Sh SEE ALSO
.Xr libnpf 3 ,
.Xr bpf 4 ,
.Xr bpfjit 4 ,
.Xr npf.conf 5 ,
.Xr pcap-filter 7 ,
.Xr npfctl 8 ,
.Xr npfd 8
.Pp
.Lk https://github.com/rmind/npf/ "NPF project page"
.Pp
.Lk http://rmind.github.io/npf/ "NPF documentation website"
.Sh HISTORY
.Nm
was written from scratch in 2009 and is distributed under the
2-clause BSD license.
It first appeared in
.Nx 6.0 .
.Sh AUTHORS
.Nm
was designed and implemented by
.An Mindaugas Rasiukevicius .