npfctl man page on NetBSD

NPFCTL(8)		  BSD System Manager's Manual		     NPFCTL(8)

NAME
     npfctl — control NPF packet filter

SYNOPSIS
     npfctl command [arguments]

DESCRIPTION
     The npfctl command can be used to control the NPF packet filter.  For a
     description of NPF's configuration file, see npf.conf(5).

     The first argument, command, specifies the action to take.  Valid
     commands are:

	start	Enable packet inspection using the currently loaded
		configuration, if any.  Note that this command does not load
		or reload the configuration, or affect existing sessions.

	stop	Disable packet inspection.  This command does not change the
		currently loaded configuration, or affect existing sessions.

	reload [path]
		Load or reload the configuration from a file.  The
		configuration file at /etc/npf.conf will be used unless a file
		is specified by path.  All sessions will be preserved during
		the reload, except those which would lose their NAT policy
		because it was removed.  NAT policy is determined by the
		translation type and address.  Note that a change of filter
		criteria will not expire associated sessions.  The reload
		operation (i.e., replacing the ruleset, NAT policies and
		tables) is atomic.

	flush	Flush configuration.  That is, remove all rules, tables and
		expire all sessions.  This command does not disable packet
		inspection.

	show	Show the current state and configuration.  The syntax of the
		printed configuration is intended for the user and may not
		match the npf.conf(5) syntax.

	validate [path]
		Validate the configuration file and the processed form.	 The
		configuration file at /etc/npf.conf will be used unless a file
		is specified by path.

	rule name add ⟨rule-syntax⟩
		Add a rule to the dynamic ruleset specified by name.  On
		success, returns a unique identifier which can be used to
		remove the rule with the rem-id command.  The identifier is
		an alphanumeric string.

	rule name rem ⟨rule-syntax⟩
		Remove a rule from the dynamic ruleset specified by name.
		This method uses a SHA1 hash computed over the rule to
		identify it.  Although very unlikely, it is subject to hash
		collisions.  For a fully reliable and more efficient method,
		it is recommended to use the rem-id command.

	rule name rem-id ⟨id⟩
		Remove a rule specified by unique id from a dynamic ruleset
		specified by name.

	rule name list
		List all rules in the dynamic ruleset specified by name.

	rule name flush
		Remove all rules from the dynamic ruleset specified by name.

	table tid add ⟨addr/mask⟩
		In table tid, add the IP address and optionally netmask,
		specified by ⟨addr/mask⟩.  Only tree-type tables support masks.

	table tid rem ⟨addr/mask⟩
		In table tid, remove the IP address and optionally netmask,
		specified by ⟨addr/mask⟩.  Only tree-type tables support
		masks.

	table tid test ⟨addr⟩
		Query the table tid for a specific IP address, specified by
		addr.  If no mask is specified, a single host is assumed.

	table tid list
		List all entries in the currently loaded table specified by
		tid.  This operation is expensive and should be used with
		caution.

	sess-save
		Save all active sessions.  The data will be stored in the
		/var/db/npf_sessions.db file.  The administrator may want to
		stop packet inspection before saving the sessions.

	sess-load
		Load saved sessions from the file.  Note that the original
		configuration should be loaded before the sessions.  If NAT
		policies have changed, sessions which lose their associated
		policy will not be loaded.  Any sessions existing during the
		load operation will be expired.  The administrator may want
		to start packet inspection after loading the sessions.

	stats	Print various statistics.

	debug	Process the configuration file, print the n-code of each rule
		and dump the raw configuration.  This is primarily for
		developer use.
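
     The dynamic-ruleset commands above are meant to be driven from scripts.
     The following shell script is an added example, not part of npfctl or
     NetBSD: it keeps the identifier returned by "rule name add" on disk, so
     that every later removal goes through "rem-id" and the hash-collision
     caveat of the "rem" form never applies.  The NPFCTL and NPF_STATE
     variables, the state-directory layout and the assumption that the
     identifier is the last word of the line npfctl prints on success are
     the example's own; the rule text follows npf.conf(5) syntax.

```sh
#!/bin/sh
# Added example, not part of npfctl: block and unblock single hosts through a
# dynamic ruleset, keeping the identifier that "rule <name> add" returns so the
# rule is later removed with "rem-id" instead of the hash-based "rem" form.
# NPFCTL and NPF_STATE are assumed, overridable names (defaults shown).
NPFCTL="${NPFCTL:-npfctl}"
NPF_STATE="${NPF_STATE:-/var/db/npf-dynrules}"

# Add "block in final from <addr>" to dynamic ruleset $1 and store the id
# under $NPF_STATE/<ruleset>/<addr>.  Assumes the identifier is the last word
# of the single line npfctl prints on success.
npf_block_host() {
    ruleset=$1 addr=$2
    # coarse check: only digits and dots may reach the rule text
    case $addr in ''|*[!0-9.]*) echo "bad address: $addr" >&2; return 1 ;; esac
    if [ -e "$NPF_STATE/$ruleset/$addr" ]; then
        echo "already blocked: $addr" >&2; return 1
    fi
    out=$("$NPFCTL" rule "$ruleset" add block in final from "$addr") || return 1
    id=${out##* }
    case $id in
        ''|*[!A-Za-z0-9]*) echo "unexpected npfctl output: $out" >&2; return 1 ;;
    esac
    mkdir -p "$NPF_STATE/$ruleset" &&
        printf '%s\n' "$id" > "$NPF_STATE/$ruleset/$addr"
}

# Remove the stored rule for host $2 from ruleset $1 with rem-id, and forget
# the id only after npfctl confirmed the removal.
npf_unblock_host() {
    ruleset=$1 addr=$2
    f=$NPF_STATE/$ruleset/$addr
    id=$(cat "$f" 2>/dev/null) || { echo "no stored rule for $addr" >&2; return 1; }
    "$NPFCTL" rule "$ruleset" rem-id "$id" && rm -f "$f"
}

# Print "<addr> <id>" for every host this script has blocked in ruleset $1.
# Compare with "npfctl rule <name> list" to spot rules removed by other means.
npf_blocked_hosts() {
    for f in "$NPF_STATE/$1"/*; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "${f##*/}" "$(cat "$f")"
    done
}
```

     Typical use is "npf_block_host blocklist 10.0.0.1" from a log watcher
     and "npf_unblock_host blocklist 10.0.0.1" when the block expires; the
     address is checked before it is interpolated into the rule so a string
     taken from a log line cannot add tokens to the rule.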

PERFORMANCE
     Reloading the configuration is a relatively expensive operation.
     Therefore, frequent reloads should be avoided.  Use of tables should be
     considered as an alternative design.  See npf.conf(5) for details.
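
     A reload helper and a session save/restore pair built from the commands
     described above, given here as an added example (not part of npfctl):
     validate runs before reload so a broken file never replaces the running
     ruleset; sess-load runs only after the configuration has been loaded;
     and inspection is started again even when an earlier step fails, since
     nothing is filtered while inspection is stopped.  NPFCTL is an assumed,
     overridable variable, and the example assumes npfctl exits non-zero when
     a command fails.

```sh
#!/bin/sh
# Added example (not from npfctl): configuration reload helpers built on the
# documented npfctl commands.  NPFCTL is an assumed, overridable variable so
# the functions can be exercised against a stub; it defaults to npfctl.
NPFCTL="${NPFCTL:-npfctl}"

# Validate first, reload second.  The reload itself is atomic and keeps
# existing sessions, so for a plain rule change nothing else is needed; the
# validate step ensures a broken file is never handed to the kernel.
# Assumes npfctl exits non-zero when validation or the reload fails.
npf_safe_reload() {
    conf=${1:-/etc/npf.conf}
    if ! "$NPFCTL" validate "$conf"; then
        echo "npf: $conf failed validation, running ruleset left untouched" >&2
        return 1
    fi
    "$NPFCTL" reload "$conf"
}

# Snapshot sessions to /var/db/npf_sessions.db.  Inspection is stopped
# first, as the manual suggests, so the snapshot is consistent; while it
# is stopped no packets are filtered, so keep the window short.
npf_sessions_backup() {
    "$NPFCTL" stop && "$NPFCTL" sess-save
}

# Counterpart of npf_sessions_backup: load the configuration before the
# sessions (sess-load expires anything loaded earlier and drops sessions
# whose NAT policy no longer exists), then start inspection.  "start" runs
# even when an earlier step failed, so a rejected config file leaves the
# previously loaded ruleset active instead of leaving inspection disabled.
npf_sessions_restore() {
    conf=${1:-/etc/npf.conf}
    rc=0
    npf_safe_reload "$conf" && "$NPFCTL" sess-load || rc=$?
    "$NPFCTL" start || rc=$?
    return "$rc"
}
```

     For an ordinary rule change only npf_safe_reload is needed.  The
     backup/restore pair is for the cases the manual describes, such as
     carrying sessions across a flush or a reboot, where sessions would
     otherwise be lost.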

FILES
     /dev/npf	    control device
     /etc/npf.conf  default configuration file

EXAMPLES
     Starting the NPF packet filter:

	   # npfctl reload
	   # npfctl start
	   # npfctl show

     Addition and removal of entries in the table whose ID is 2:

	   # npfctl table 2 add 10.0.0.1
	   # npfctl table 2 rem 182.168.0.0/24
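
     The table-based design recommended under PERFORMANCE, as an added
     example that is not part of the manual: a blocklist file is synced into
     a table by issuing only the "table tid add" and "table tid rem"
     operations for entries that changed since the previous run, so the
     ruleset is never reloaded and the expensive "table tid list" is never
     needed.  Each entry is validated before it reaches npfctl.  NPFCTL and
     NPF_APPLIED_DIR are assumed, overridable names; the feed format (one
     address or address/prefix per line, "#" comments) is the example's own.

```sh
#!/bin/sh
# Added example, not part of npfctl: keep an NPF table in sync with a
# blocklist file by sending only the "table <tid> add/rem" operations that
# changed since the last run.  A local copy of the applied set replaces
# "table <tid> list", which the manual warns is expensive.
# NPFCTL and NPF_APPLIED_DIR are assumed, overridable names.
NPFCTL="${NPFCTL:-npfctl}"
NPF_APPLIED_DIR="${NPF_APPLIED_DIR:-/var/db/npf-tables}"
LC_ALL=C; export LC_ALL   # stable sort order for comm(1)

# Accept "a.b.c.d" or "a.b.c.d/n" with each octet <= 255 and n <= 32.
# Anything else (hostnames, IPv6, shell metacharacters) is rejected.
npf_valid_entry() {
    addr=${1%%/*}
    case $1 in
        */*)
            pfx=${1#*/}
            case $pfx in ''|*[!0-9]*) return 1 ;; esac
            [ "$pfx" -le 32 ] || return 1
            ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Normalise the feed: drop comments and blank lines, one entry per line,
# sorted and unique so it can be compared with comm(1).  Invalid entries are
# reported on stderr and dropped rather than passed to npfctl.
npf_clean_feed() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    while IFS= read -r e; do
        [ -n "$e" ] || continue
        if npf_valid_entry "$e"; then printf '%s\n' "$e"
        else printf 'skipping invalid entry: %s\n' "$e" >&2; fi
    done | sort -u
}

# Sync table $1 with feed file $2.  Only the difference between the feed and
# the previously applied set is sent to npfctl.  The applied set is rewritten
# only when every operation succeeded, so a partial failure makes the next
# run retry the whole delta.
npf_table_sync() {
    tid=$1 feed=$2
    applied=$NPF_APPLIED_DIR/table-$tid
    mkdir -p "$NPF_APPLIED_DIR" || return 1
    [ -e "$applied" ] || : > "$applied"
    want=$(mktemp) || return 1
    npf_clean_feed "$feed" > "$want"
    rc=0
    # entries in the feed but not yet applied
    for e in $(comm -23 "$want" "$applied"); do
        "$NPFCTL" table "$tid" add "$e" || rc=1
    done
    # entries applied earlier that the feed no longer lists
    for e in $(comm -13 "$want" "$applied"); do
        "$NPFCTL" table "$tid" rem "$e" || rc=1
    done
    if [ "$rc" -eq 0 ]; then mv "$want" "$applied" || rc=1; else rm -f "$want"; fi
    return "$rc"
}
```

     Run "npf_table_sync 2 /etc/npf/blocklist.txt" from cron; an unchanged
     feed results in no npfctl calls at all.  Masks are only accepted by
     tree-type tables, so the table referenced by tid must be declared as
     such in npf.conf(5) if the feed contains prefixes.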

SEE ALSO
     npf.conf(5), npf_ncode(9)

HISTORY
     NPF first appeared in NetBSD 6.0.

AUTHORS
     NPF was designed and implemented by Mindaugas Rasiukevicius.

BSD			       February 16, 2013			   BSD